Forensic science is the cornerstone of the modern justice system, as it allows us to analyze evidence in order to discover the truth behind a crime scene. As mobile phones became more important to our daily lives they've taken up a bigger part in forensic research as well. These devices contain digital traces telling us the story of our lives. Digital forensic research traditionally focused on recovering data, in particular data from broken or undocumented systems. While security was not the primary concern of most manufacturers, this has changed in recent times. Cryptography has become a major roadblock in forensic science, which has shifted the focus from recovery towards exploitation. Traditionally Digital forensic research focused on physical acquisition. While often tools supported logical extraction, this would leave many deleted traces inside of the memory chip intact. Instead methods such as Flasher tools, JTAG-based acquisition, In-System Programming and Chip-off were often used to make images of the physical contents of the memory chip. This would then be analyzed by data-analysts in order to extract evidence from the images. On many modern devices cryptography has ensured that these methods are no longer effective. Software exploitation techniques such as DirtyCow have proven to become much more important in digital forensic science, but more methods should be developed. JTAG is of particular interest in this regard. It is a testing system that was previously left unsecured and providing attackers with an easy way in. More recently manufacturers have started using novel ways of protecting JTAG from malicious use, but very little research exists testing these new security measures. This is a recipe for vulnerabilities. This thesis focuses on attacking Secure JTAG; Samsung's authentication module for ARM CoreSight. Several potential attacks have been highlighted that are potentially applicable to Secure JTAG. A novel model has been developed that allows an attacker to evaluate the complexity of their attacks. While models such as CVSS and DREAD exist, these focus on threat analysis rather than offensive research. Using this model two attacks were chosen: One focusing on reversing the internal JTAG boundary scan chains and the other attempting to force authentication through fault injection. In order to reverse the JTAG boundary scan chains a new set of tools had to be developed. Existing tools were often incapable of communicating with the internal scan chains or did not provide enough freedom to enable research. After their development these new tools were able to confirm that the internal scan chains were secured. The internal boundary scan chains will not be a viable attack vector until the authentication mechanism is circumvented. The second attack focused on a potential fault injection vulnerability in the Secure JTAG authentication scheme. Because Secure JTAG is a purely hardware component it provided a unique challenge. Where normally firmware is analyzed to prove the existence of a vulnerability, Secure JTAG has no such firmware available. This makes discerning between failure because the device is not vulnerable and failure because of chance nearly impossible. To increase confidence in the attack and decrease attack space this project focused on Electromagnetic Side-channel Analysis. By locating the signals produced by Secure JTAG authentication it is possible to greatly reduce the attack space, thereby increasing confidence in the attack. In the end correlating signals were located near the high-power processor of the chip, albeit not the hashing engine itself. This lowered the attack space enough for an eventual fault injection attack.

Manufacturers of CubeSats prefer the use of COTS electronic components such as microcontrollers (MCU) and SDRAM but these components are vulnerable to errors caused by radiation. A specific type of error caused by radiation are soft errors which can be corrected by Error Detection and Correction (EDAC) methods. Unfortunately, it is uncommon for MCUs to have an (optimal) EDAC solution integrated in their memory controller. In these cases an external solution is required. This work proposes a generic methodology towards transparent FPGA-based correction of soft errors that can be applied given a specific microcontroller and its off-chip main memory. To determine how powerful the EDAC solution must be the methodology uses reliability models to evaluate the MTTF of the memory system. Then, the methodology describes how the EDAC logic must be designed in the FPGA fabric such that the FPGA and its EDAC logic are transparent to the MCU. A method to periodically scrub the memory transparently to the processor is also included. A major trade-off of the FPGA based design is that it requires the clock of the MCU memory controller to be lowered to meet the timing requirements of the SDRAM interface. For some designs it is also necessary to lower the memory capacity or to use more SDRAM devices to store the ECC parity bits. Lastly, a hardware demonstrator was built to provide EDAC capabilities to the onboard computer developed by ISISPACE. The design consisting of an ARM9 microcontroller, an FPGA and two SDRAM devices is capable of correcting a single error in each byte of the 32- bit SDRAM interface of the MCU and can scrub the entire memory in 33 seconds. Software benchmarks showed that computing performance is about half of the original board as a result of halving the memory controller clock.

The Internet of Things (IoT) has grown dramatically over the past years. Largely autonomous, lightweight devices with an internet connection have been integrated into many aspects of daily life; from consumer products to industrial processes and from medical applications to critical infrastructures. Cisco predicts that by 2023, more than half of the internet connections will belong to IoT devices. With the impact of cybercrime ever growing, currently leading to a loss of 600 billion US dollar per year according to McAfee, the Internet of Things has become an attractive target. Successful attacks have already been demonstrated on smart cars, home security cameras, heart defibrillators, the Ukrainian power grid and military drones, just to name a few. Attacks of this nature are expected to intensify as more ’things’ are connected to the internet, either by criminals looking for quick money, companies sabotaging com­ petitors or countries waging cyber warfare. This demonstrates the need for strong security for IoT devices. Attacks on IoT devices can come from three distinct direction: The network, the software or the hardware level. Where network protocols and software applications can be updated when issues are found, this is not the case for hardware, which must be designed to be secure from the start. Further­ more, the way IoT devices are installed in the field makes hardware based attacks particularly relevant. Examples include the probing of traces and pins, fault injections to cause unintended behaviour, mod­ ifications of the firmware, side­channel analysis, stealing of data etcetera. Countering many of these attacks requires integrity verification of the attached memory chips of a device, to make sure that the ap­ plications have not been tampered with. Existing security measures implemented in high performance processors, such as Intel SGX and more recently AMD SEV, can encrypt and secure the memory of a system. These implementations however are not available for the lightweight microcontrollers and processors generally found in IoT devices. ARM TrustZone is a common security solution found in embedded devices to provide protection against untrusted software, but does not defend against hard­ ware tampering. As such, a lightweight solution is required aimed at the constrained environments presented by IoT devices, to ensure the integrity of external memory modules. This thesis presents the Embedded Memory Security (EMS) module as a way to ensure the integrity and authenticity of data and applications, as well as its confidentiality if required. It is targeted at lightweight systems with a small hardware budget. The module sits on­die with the central processor of the device and secures all data being transferred between it and external memory. Integrity is verified through Message Authentication Codes (MAC) generated with SipHash for each memory transfer. The lightweight block cipher Prince is used to provide confidentiality through encryption. Five variants of this module with different levels of security and optimizations are developed and integrated into a processor development platform. Benchmark runs showed that under realistic cache conditions, their impact was limited to a 25% increase in execution time at worst. Three attacks were performed on the platform with the modules, indicating that they protect against several types of hardware attacks on memory. Finally, the hardware cost in area requirements was determined and found to be less than half of the microcontroller­class RI5CY core, excluding its caches, and only 3% of the Linux­capable Ariane core. In addition to the EMS modules, two security extensions are proposed that utilize the modules to provide a secure method of updating devices.

Some server hosters facilitate cyber crime either intentionally (so called “bulletproof hosters”) or unintentionally (“bad hosters”). When dealing with uncooperative hosters during forensic investigations, it may sometimes be necessary to collect data or information on the servers without help from the owner of the server. Data within the RAM might prove insightful in, for example, determining active processes or reveal crypto graphically interesting information like encryption keys. The thesis explains key concepts within memory organization and the PCIe standard.Afterwards, it discusses several techniques for RAM acquisition and categorizes and evaluates them using a model-based approach. The thesis then dives deeper into DMA-based memory acquisition using PCIe and proposes several improvements to current DMA attacks in order to create a better memory acquisition technique. A novel memory acquisition technique is created by hot-plugging aPCIe device and skipping over the regular enumeration procedure. This techniqueal lows the memory acquisition to be executed without a reboot and provides a stealth approach to accessing the memory.  

Resistive Random-Access Memory (RRAM) is an emerging memory technology that has the possibility to compete with mainstream memory technologies such as Dynamic Random-Access Memory (DRAM) and flash memory. The reason why RRAM has not seen mass adoption yet is due to its defect-prone nature. The resistance of RRAM can assume any value within its operating range and its resistance can be divided into five states instead of the regular two logic states. Conventional test techniques are incapable of detecting unique faults due to their inability to distinguish between all five cell states, resulting in a large number of test escapes. Therefore, new test methods, such as Design-For-Testability (DFT), need to be developed to reduce the number of test escapes and ensure customer satisfaction. This work proposes two new DFTs: Parallel-Reference Read (PRR) and Closed-Loop Write (CLW). The PRR DFT is a replacement for the regular read circuit, which enables the detection of all five cell states, while the CLW DFT is an addition to the regular write circuit, which introduces feedback during the write operation. From these two DFTs, the PRR DFT is selected for further development and its design is validated. From the validation, it is concluded that the PRR DFT can detect all five cell states. Moreover, under process variations, the PRR DFT will provide the correct output in 95.90% of the cases. Furthermore, the PRR DFT improves the overall resistive-defect detection capability by 14.79% when compared to a regular read circuit. Finally, the PRR DFT offers 100% identified fault coverage while only requiring 4N write operations, 5N read operations and an area overhead of 14Nc transistors, where N and Nc are the total number of cells and the total number of columns in the RRAM array, respectively.

Rowhammer is a security exploit used to cause bit errors DRAM chips. Newer DRAM technologies are becoming more vulnerable to rowhammer attacks, and existing protec- tion methods are starting to reach their limits. This thesis provides methods for DRAM characterization by means of reverse engineering, an in-depth analysis of vulnerable cells during rowhammer and a novel protection method. First the DRAM module is characterized by performing a retention test and a one- sided rowhammer attack throughout the memory. The resilience to rowhammer of vul- nerable victim cells has been analysed by using various data patterns in the victim cell itself in combination with its direct and diagonal neighbours. The impact of the pro- posed protection method is measured by flipping the data in the attacker row during a simulated rowhammer attack. Various rowhammer sequences are investigated. The results following the DRAM characterization show that only a one-sided rowham- mer attack is possible. Rows that impact one another during rowhammer come in pairs of two, one attacker row impacts only one neighbouring row. The results of the in-depth analysis of cells during rowhammer shows evidence of negative horizontal impact com- ing from uncharged neighbouring cells in the same row and negative diagonal impact coming from charged cells neighbouring the attacker cell in the attacker row. The hori- zontal impact is mirrored in symmetrical cells whilst the diagonal impact is not. Results following the proposed protection method experiments show that using the protection method improves the overall resilience to rowhammer ranging from 50%, 65% to 100% depending on the hammer sequence.

We propose a novel, dynamic analysis-based detection solution for formjackers. The operating principle of these formjackers, or card skimmers on the web, is typically simple, yet effective: when making a payment on webshop that has been infected with a formjacker, the submitted payment information is not just transmitted to the webshop, but also silently to the involved malicious actor. Incidents in the past few years with large numbers of potentially affected customers, in the order of hundreds of thousands to millions, and high fines, in the order of tens of millions, have shown the urgency of addressing the issue of card skimming on the web. Currently, the state of the art in detecting formjackers is that of the cybersecurity industry, whose proprietary detection strategies appear to heavily rely on classical, static-analysis techniques. A drawback of these techniques is that they are less suited to detect new or unknown strands of formjackers. To advance the state of the art and enable a comprehensive, large-scale study of formjackers on the web, we wish to go beyond the traditional `Indicators of Compromise' approach. Instead of building on relatively shallow indicators, such as what formjacker typically look like, or which domains are commonly associated with formjacking campaigns, we propose to look at the underlying, more rudimentary behavior of formjackers, such as accessing data entered into the page. To this end, we introduce and study a detection strategy that ties into these more fundamental behavioral patterns of formjackers by applying dynamic analysis of client-side JavaScript. As an important prerequisite in dynamic analysis, we identify which conditions must be satisfied to elicit malicious behavior in formjackers. We implement two types of dynamic analysis, showing how these conditions can be met in practice. Finally, by crawling various collections of URLs we study the extent to which the proposed detection solution is suited to detect formjackers.

Resistive RAM, or RRAM, is one of the emerging non-volatile memory (NVM) technologies, which could be used in the near future to fill the gap in the memory hierarchy between dynamic RAM (DRAM) and Flash, or even completely replace Flash. RRAM operates faster than Flash, but is still non-volatile, which enables it to be used in a dense 3D NVM array. It is also a suitable candidate for computation-in-memory, neuromorphic computing and reconfigurable computing. However, the show stopping problem of RRAM is that it suffers from unique defects, which is the reason why RRAM is still not widely commercially adopted. These defects differ from those that appear in CMOS technology, due to the arbitrary nature of the forming process. They can not be detected by conventional tests and cause defective devices to go unnoticed. Therefore, new tests need to be developed that properly include the physics of a defective device in a RRAM model. Device-aware testing (DAT) is the state-of-the-art solution to this problem. By accounting for the unique physics of an RRAM device, DAT is able to detect unique RRAM defects. However, DAT bases its results on relatively compact electrical models, which do not account for randomness present in e.g. the forming of the filament and local temperature fluctuations. Meanwhile, many low-level physical models exist already that can model this randomness and provide accurate insights into the physical specifics of RRAM. These models do, however, hardly ever analyze the effects of defects. The contribution of this work is to expand and improve one of the state-of-the-art physical models to analyse manufacturing defects on a low, near atomic-level scale. For the first time, the characteristics of a defect can be described in the physical shape of the defect, rather than only the electrical consequences of a black box device. This enables deep level analysis and characterization of defects, the results of which improves DAT to detect even more unique defects. The model is applied to four types of RRAM-related defects: oxygen vacancy density fluctuation, oxide thickness variation, electrode roughness, and contamination by impurities. The effect of the defects on the conductivity of the device are observed and explained, and their unique non-linear behavior is confirmed by simulation. Dynamic defects are not yet included, but the model does provide an extensive static characterization of unique RRAM defects, providing insights into their behavior and improving the quality of DAT. Finally, a discussion is presented which criticizes the reproducability of the referenced defect-free model, but also shows the potential of this work's model to be improved.

An increasing amount of critical applications use DRAM as main memory in its computing systems. It it therefore extremely important that these memories function correctly during their lifetime in order to prevent catastrophic failures. Already during the design phase, the reliability of the circuit needs to be predicted so that a reasonable lifetime expectation can be given. Although the importance of reliability analysis is clear, in literature not much research on DRAM reliability is available to designers. This thesis proposes a two phased DRAM reliability prediction model that can be used in the circuit design phase. During the first phase, the circuit performance is analyzed for different wear-out mechanisms affecting different subcomponents in the design. In the second phase, the results of the first phase are then used to determine the reliability of the circuit. In the first phase, the wear-out effects of Bias Temperature Instability (BTI) Hot Carrier Injection (HCI) and radiation trapping as well as transistor mismatch are examined. BTI is modeled using the RD-model, HCI with the lucky electron model, transistor mismatch with Pelgrom’s model. Wear-out caused by radiation trapping is modeled as Gate Induced Drain Leakage (GIDL), the data for which are derived from retention time degradation measurements of an irradiated commercial DRAM. The circuit performance is analyzed per subcomponent of the DRAM design in a range of different metrics. Furthermore, the aging effects on a dwonscaled version of the circuit are investigated. In the second phase, reliability functions are derived from the results from phase one per wear-out mechanism and per subcomponent. These reliability functions are used in an analytical reliability model which yields the overall circuit reliability. The results from the first phase show degradation of the retention time as well as degradation of sensing delay metrics. Due to the relative low duty factor of memory cells, BTI and HCI have minor impact on the memory cell circuit performance. Radiation however, renders the circuit useless once the Total Ionizing Dose (TID) becomes more than 126 krad. On other subcomponents than the memory cells, BTI and HCI shift the reference voltage which results in an increase of retention time. BTI and HCI stressing of the sense amplifier also slightly increases retention time but mainly increases sensing delay. For both reference cells and the sense amplifier it holds that higher radiation doses break down the circuit completely. The same effects hold for the downscaled circuit, although the observed effects are more severe than in the unscaled device. The system reliability prediction in the second phase shows the importance of individual reliability prediction of the subcircuits and wear-out mechanisms. Via the individual analysis, it becomes clear that the system reliability is mostly impacted by the degradation of the sense amplifier delay due to BTI and HCI. Other metric variations, like the increase in retention time caused by the reference cells, have less impact. It was found that the system reliability decreases to 0.84 after 1·108s at a stressing temperature of 300K.

This thesis focuses on identifying and classifying defects in STT-MRAM technology using novel and machine learning approaches. The thesis discusses the basic principles of STT-MRAM and the semiconductor chip manufacturing process and test stages. The research aims to develop novel methods and explore machine-learning approaches to diagnose defects in STT-MRAM devices. The current defect identification methodologies have shown certain cost, speed, and scalability limitations. The thesis presents DAT-based and ML-based Diagnosis methodologies to identify and classify STT-MRAM unique defects to address these challenges. The methods are evaluated and validated on experimental wafers performed at IMEC in Leuven, Belgium. DAT-based Diagnosis involves automated defect identification in STT-MRAM based on identifying features automatically extracted from specialized measurements targeting the unique defects, Pinhole, Intermediate State, SAF Flip, and Back-Hopping. ML-based Diagnosis uses machine learning techniques to classify defects using MTJ features extracted from low-cost measurements. Data collected from electrical measurements on experimental STT-MRAM devices serve as the basis for evaluating the developed methodologies. The thesis also discusses data analysis, including data visualization, feature correlations, and outlier analysis for future research. Furthermore, a machine learning training process is performed, including hyperparameter optimization and evaluation using F-score and B-accuracy metrics to assess the model's performance and the ability to generalize on unseen data. DAT-based Diagnosis aims to maximize the defect detection accuracy at the expense of measurement costs. In contrast, ML-based Diagnosis minimizes the measurement cost while maximizing the detection accuracy for robust and balanced classification. However, the DAT-based Diagnosis is not verified using PFA to validate the defect types identified by the developed methodology. Furthermore, the ML-based Diagnosis uses training data labeled by the unverified DAT-based Diagnosis approach to train machine learning models. Despite these limitations, the results have shown valuable insights into defect identification and classification, proving a robust framework for diagnosing STT-MRAM devices. Additionally, a scientific paper is submitted on march-based diagnosis, adapting the DAT-based Diagnosis method to industrial chips that are limited in extracting the identifying features.

Forensics is the art of gathering evidence, which for electronics amounts to accurately recovering data. Often, this can only be archived with state-of-the-art hacking techniques. However, replicating state-of-the-art research in hardware security can be difficult, due to the large number of components and connections. To counter this, a custom Printed Circuit Board (PCB) is presented, that aids with hardware attacks, and allows them to be executed in a reliable and reproducible way. The PCB is targeted specifically towards hardware encrypted USB drives, and provides accessible ways to break out and interact with the target’s electrical components. In the first part of this thesis, the design and fabrication of the platform, called LUPIn, short for Lawful Unlocking of PIN-protected USB drives, is established. The design integrates commonly-used components and functions, making it suitable for a wide range of different attacks and devices. It also incorporates robust and traceable connections to the target. In the second part, LUPIn is verified by implementing it in a real attack. The target is a PIN-protected USB drive, which contains an IC performing key derivation. Since the debug port is not fully secured, a technique called Cold-Boot Stepping is used. This method is specifically designed to circumvent partially disabled debug ports. To analyse the gathered data, it first must be filtered. This filtering is done using a graph-based algorithm. In one crytographic function, an input parameter is used twice with different XOR masks. By analyzing all the filtered data, it is possible to find masked values, and use those to recover the original input value. Concluding, a hardware tooling PCB (LUPIn) is successfully designed, assembled and tested. It proves to be a reliable platform for performing hardware attacks against encrypted USB drives. It makes development of hardware attacks simpler and less time-consuming. In the validation of LUPIN, a real-life USB drive is successfully attacked. Thousands of RAM snapshots are collected and an algorithm is developed to filter this data. A single variable can be extracted, but it ultimately proved insufficient to fully crack the target.

Resistive random access memory (RRAM) is a promising emerging memory technology that offers dense, non-volatile memories that do not consume any static power. Furthermore, RRAMdevices can be written and read out in nanoseconds, and it is possible to use them to performcomputation-in-memory (CIM). These benefits make this technology a potential replacement for Flash or even dynamic random access memory (DRAM). This is also clearly seen by the community; both universities and companies are prototyping RRAMs, and there are already some commercial RRAMs available. In order to deliver high-quality products, the RRAMs need to be tested properly so that a manufacturer can guarantee the quality. This dissertation focuses on test development for RRAMs. Traditionally, production defects in memories, such as DRAM, are modeled as linear resistors in or between two nodes of the circuit. In literature, many researchers have applied a similar approach for RRAMs. However, we demonstrate that this method of modeling defects is inappropriate, because the models fail to describe the defective behavior of the RRAM device. Instead, those models describe defects in the interconnections that surround the RRAM device. To overcome this, we propose the Device-Aware Test (DAT) approach that consists of three steps. First, the approach models the actual physics of defective devices and thus leads to realistic defectmodels. Second, the defect models are used to performaccurate faultmodeling and analysis. Third, the results from this step are used to develop high-quality RRAM tests. We do this by first characterizing the defect. We analyze the complete production process of a RRAM. During this analysis, we identify what can go wrong in every step, and in what kind of defects this may result. All identified defects need to be properly modeled, so that a high-quality test can be developed.Next,we analyze howit affects the performance of a defect-free device, and incorporate the resulting defective behavior in a compact defect model. This model is calibrated and accurately describes the effects of the defect. Second, we apply this defect model in a RRAM circuit to perform fault modeling and analysis. We systematically define the complete space of all faults that could occur, and then apply an analysis methodology to validate which faults actually occur in the circuit. Third, we develop a test for the validated faults. This test only needs to detect faults that are actually sensitized, and thus is shorter than generic tests, while it also has a better fault coverage. We apply the DAT approach to RRAM forming defects and RRAM intermittent undefined state faults. The results show that these two defect models sensitize different faults than the traditional defect models do. Since the DAT defect models describe the actual physics of the defects, we can conclude that the traditional approach will lead to lowquality tests that generate test escapes and reduce the production yield. Furthermore, we demonstrate that the faults cannot easily be detected by existing test algorithms, and that special tests need to be developed to detect them. We also apply the DAT approach to a RRAM-based computation-in-memory (CIM) architecture to develop a test for it. We shows that a CIM device needs to be tested both in its memory and computation configuration, as there are unique faults in both configurations. We define the complete fault space for CIM faults and validate it using the DAT approach. Subsequently, we develop a test that detects the faults in both configurations. Furthermore, we study how process, voltage and temperature variations affect the performance of the CIM architecture. We demonstrate that certain operations are more susceptible to these variations than other ones. @en

Memristive devices are promising candidates as a complement to CMOS devices. These devices come with several advantages such as non-volatility, high density, good scalability, and CMOS compatibility. They enable in-memory computing paradigms since they can be used for both storing and computing. However, building in-memory computing systems using memristive devices is still in an early research stage. Therefore, challenges still exist with respect to the development of devices, circuits, architectures, design automation, and applications. This thesis focuses on developing memristive device-based circuits, their usage in in-memory computing architectures, and design automation methodologies to create or use such circuits. Circuit Level – We propose two logical operation schemes based on memristive devices. The first one uses resistive sensing to perform logical operations. It modifies the sense amplifier in such a way that it can compare the overall current with references and output the logical operation result. During sensing, the resistance of memristive devices remains unchanged. Therefore, endurance and lifetime are not reduced. This scheme provides a solution for maintaining a relatively long lifetime in logic operations for memristive devices that have low endurance. The second scheme is the enhanced version of the first one. It uses two different sensing paths for AND and OR operations. In this way, the correctness of logic operations can be guaranteed even if large resistance variation exists in memristive devices. Architecture Level – We present three in-memory computing architectures based on memristive devices. The first one is a heterogeneous architecture containing an accelerator for vector bit-wise logical operations and a CPU. The accelerator communicates with the CPU or accesses the external memory directly. The second one is to accelerate automata processing. In this architecture, memristive memory arrays store configuration information and conduct computation as well. This architecture outperforms similar ones that are built with conventional memory technologies. The third one is an improved version of the second one. It breaks the routing network into multiple pipeline stages, each processing a different input sequence. In this way, the architecture achieves a higher throughput with a negligible area overhead. Design Automation – A synthesis flow for computation-in-memory architectures and a compiler for automata processors are presented. The synthesis flow is proposed based on the concept of skeletons, which relates an algorithmic structure to a pre-defined solution template. This solution template contains scheduling, placement, and routing information needed for the hardware generation. After the user rewrites the algorithm using skeletons, the tool generates the desired circuit by instantiating the solution template. The automata processor compiler generates configuration bits according to the input automata. It uses multiple strategies to transform given automata, so that constraint conflicts can be resolved automatically. It also optimizes the mapping for storage utilization. @en