In this paper, we investigate advanced circuit features such as wordline (WL) underdrive (prevents retention failure) and overdrive (assists write) employed in the peripherals of Dynamic RAM (DRAM) memories from a security perspective. In an ideal environment, these features ensure fast and reliable read and write operations. However, an adversary can re-purpose them by inserting Trojans that, when activated, deliver malicious payloads such as fault injection, Denial-of-Service (DoS), and information leakage attacks. Simulation results indicate that wordline voltage can be increased to cause retention failure and thereby launch a DoS attack in DRAM memory. Furthermore, two wordlines or bitlines can be shorted to leak information or inject faults by exploiting the DRAM's refresh operation. We demonstrate an information leakage system exploit by implementing TrappeD on RocketChip SoC.
I. INTRODUCTION
Integrated Circuit (IC) fabrication has become increasingly vulnerable to malicious modifications in the form of Hardware Trojans [1] due to the outsourcing of semiconductor design and fabrication to third party fabrication houses. Ideally, these modifications need to be detected during pre-Silicon verification and post-Silicon testing. However, it is possible to design these Trojans to remain dormant during the test phase and only activate under rare conditions. Once activated, the Trojans perform undesirable operations such as write/retention failures or even leak sensitive data. This threat is of special concern to government agencies, military [2], technology developers, finance, and energy sectors. Recent news regarding the tampering of server motherboards by Chinese manufacturers that affected top US companies like Amazon, Apple etc. [3] provides a strong motivation to investigate the possibility of hidden components in each step of the design and manufacturing process.
Memory Trojans can lead to read/write/retention failures and information leakage. In prior works, authors have proposed memory Trojan trigger circuits and payloads that can evade the testing phase and cause different failures. A Trojan for embedded SRAM is proposed in [4]. The authors use unique data patterns written to a pre-selected address to trigger their Trojan. Note that these unique patterns are not tested during standard post-manufacturing memory tests, so the Trojan remains undetected. That data pattern feeds the input of the Trojan payload transistors, which short the data node of a victim SRAM cell to ground and corrupt the data. The feasibility of this Trojan [4] is limited since the payloads require tapping the bitcells, which might not be possible since they are very compact. [5] introduces an NVM-based Trojan trigger that leverages the non-volatility of Resistive RAM (RRAM). RRAM possesses unique characteristics, e.g., non-volatility and gradual drift in resistance with pulsing voltage. The trigger presented exploits RRAM's gradual resistance drift under pulsing current and its non-volatility to ensure that the hammering need not be consecutive. This allows the trigger to evade system-level detection techniques.
Designing a small, controllable and undetectable Trojan is the key element to deploy an efficient one. In [6], a capacitor-based analog Trojan trigger, A2, is presented which is controllable, stealthy and small. In [7], another capacitor-based Trojan trigger is proposed which gets activated if a pre-selected address is written with specific data patterns for a specific number of times. The proposed trigger circuit is shown in Fig. 1. The circuit has two inputs, EnAdd (the address enable signal of a pre-selected address) and Vp (a logic circuit generates Vp based on the data pattern). The work also presents payloads of the Trojan such as fault injection, Denial of Service (DoS) and information leakage attacks on emerging Non-Volatile Memories (NVMs). The advantage of such a trigger lies in the fact that it can be hidden in the filler areas of the non-memory logic (e.g., address pre-decoding and pipelining units, also called midlogic) [8]. However, the payload of this Trojan also requires tapping the bitcell.
Proposed Attack Model: In this work, we assume an untrusted manufacturing house located outside the US that can alter the chip GDS-II file to introduce the malicious Trojan trigger and payload. This assumption is widely accepted in the hardware security community because of large filler areas present in the chip and the adversary's access to the raw design. We propose the use of a capacitor-based hardware Trojan trigger [7] and novel payload circuits and perform detailed analysis to guarantee that the Trojan is, (i) triggered even under worst-case process and temperature conditions with correct inputs; (ii) able to bypass conventional post-manufacturing test. The Trojan is activated if a particular preselected address of L1 Cache is accessed for ∼1800 times. Note that the proposed Trojan trigger directly taps the wordline of the preselected address to leverage the existing decoder design framework and hence, does not incur any overhead for address decoding.
In summary, the following contributions are made in this paper. The paper is organized as follows: Section II reviews the basics of DRAM design and operation; Section III describes the proposed trojan trigger design and analysis; Section IV describes the DRAM vulnerabilities and the attack details; Section V describes the system implementation to validate the proposed Trojan attacks; Section VI presents discussions on the practicality, assumptions, and countermeasures to TrappeD; and finally Section VII draws the conclusion.
II. BACKGROUND
A. Basics of DRAM
Fig. 2a shows a basic one-transistor, one-capacitor (1T1C) DRAM cell. The data is stored as charge in the capacitor Cs.
The charge corresponding to Vdd (0V) is considered as data '1' ('0'). The capacitor Cs gradually leaks or charges up over time and thereby, it requires to be read and written-back (i.e., refresh).
Architecture: Fig. 2b shows the column structure of an open bitline architecture [9]. It includes DRAM bitcell, BL, reference bitline (BLref), sense amp, precharge circuit, column select, write driver and Half_Vcc generator.
The column circuit is implemented with the following features: a) Sense amp is placed on per-local-column basis to enable read/refresh of the selected column during read and refresh half-selected columns during write; b) Sense amp is activated by enabling both the header and footer transistors to prevent static current due to Half_Vcc bitline precharge; c) The precharge and equalization circuit (equalizes BL and BLref voltages) consists of full CMOS pass transistors; d) WL is boosted (to 1.6V in this paper) to write a full '1' through the NMOS access transistor and underdriven (to -0.2V in this paper) to reduce sub-threshold leakage during retention. Positive and negative charge pumps are used for WL overdrive and underdrive respectively; and e) Column selection uses PMOS switch.
DRAM operation: The DRAM operation can be classified into the following categories [10]:
Write: During write, the access transistor M1 (Fig. 2a) is turned ON by asserting the WL. The BL is driven to Vdd (0V) for writing data 1 (0). The storage capacitor Cs charges up (discharges) to Vdd (0V) based on BL voltage. Writing data '0' is accomplished by first writing a good '1' on the BLref while the BL stays close to (threshold voltage of PMOS transistor) and then firing the sense amp. Once the sense amp is ON, it pulls the BL all the way to 0V and a good '0' is written to the bitcell.
Read: This begins with pre-charging the BL and BLref to Vdd/2 and then the WL is turned ON. The charge stored in Cs charges (discharges) the BL if the stored data is '1' ('0'). Therefore, Cs also develops a differential and loses its stored value (destructive read). The resulting voltage differential in the BL is converted to a digital value by the sense amp that compares the BL to the reference voltage BLref.
Write-back: Following the BL differential development, the sense amp is enabled. The BL resolves to Vdd (0V) and BLref resolves to 0V (Vdd) if the read value is '1' ('0'). The bitcell is restored to its original value since the WL is still ON after BL resolves to the read value.
Stand-by (Retention): A data '1' would lose its value once the charge reduces below Vdd/2. Note that this is a very optimistic assumption. In reality, the sense amp requires ∼70mV of Sense Margin (SM), which puts maximum leakage of data '1' to ∼0.640V. Three major sources of leakage are sub-threshold (Isub), junction (Ij), and gate leakage (Ig) through the access transistor (Fig. 2a). Data '0' can lose its value if it charges above ∼0.360V (to guarantee 70mV of SM). The only source of leakage for data '0' is Isub. In our model, the charge stored in Cs only rises up to 30mV, after which the rate of charging due to Isub equals the rate of capacitor discharge. Therefore, data '0' does not suffer from retention issues.
III. TROJAN TRIGGER DESIGN
Design [7]: The trigger circuit (Fig. 1) [7] is designed to be activated if a particular memory address (chosen during design phase, let's call it AddSET) is accessed for at least NSET times. The trigger has two inputs namely, V(AddSET) and V(PSET). V(AddSET) (= 1V in this work) is the wordline enable signal of AddSET and V(PSET) is a constant voltage source of 1V. For a more complex Trojan with a superior stealthiness, V(PSET) can be programmable (refer to Section IV-B for details).
Whenever AddSET is accessed, V(AddSET) is asserted and MOSFETs M1 and M3 are activated. M2 has a thinner gate oxide compared to other MOSFETs and its source and drain are shorted. Therefore, M2 works as a capacitor and charges CTrojan from the PSET source through Fowler-Nordheim (FN) tunneling [11] if V(AddSET) is asserted. M4 is an OFF transistor which offsets gate leakage of M5 and prevents unwanted charging-up of node X2. M7 keeps node X3 as low as possible until node X2 charges up sufficiently. The node X4, that is charged up during the hammering process, is used as the SET input of a SR latch. The output of the SR latch (VTrigger) transitions from 0 → 1 when X4 charges up to 0.5V. The signal VTrigger is then used to activate the Trojan. The charge at node X2 leaks away (due to capacitance leakage of CTrojan), once the hammering is discontinued. However, VTrigger will still be asserted due to the SR latch. In order to deactivate the Trojan, VRESET needs to be asserted. VRESET can be generated by accessing a different address (let's say AddRESET) for at least NRESET times and using a circuit similar to the trigger one. Note that a smaller CTrojan (∼1fF) can be used in the RESET circuit to minimize the area overhead which leads to NRESET = 92. However, the AND'ed output of V(AddRESET) and V(PRESET) can also serve as VRESET which further reduces the area overhead.
Simulation results: Node X2 charges up to 125mV (steady state) from all the leakage considering V(PSET) = 1V (worst-case charging due to leakage). This value is not enough to trigger the circuit. For the rest of the simulation, we have considered that V(AddSET) is a pulse source with ON/OFF time of 10ns/1ns. We consider the circuit to be triggered when VTrigger reaches up to 0.5V. We started our analysis with CTrojan = 20fF. Fig. 4a shows the design space exploration of trigger circuit considering two variables, the (W/L) ratios of MOSFETs M1 and M2. For a lower (W/L) ratio for both the MOSFETs, NSET increases. We have chosen (W/L) of M1 and M2 as 4 and 2 respectively for a sufficiently higher NSET.
Next, we considered that the adversary accesses the preselected address for TON = 10ns and then stays idle for TOFF = 1/3/.../21/23 ns and repeats this cycle. We found that the CTrojan does not significantly leak in the OFF cycle and the circuit can still be triggered with a higher NSET (Fig. 4b). We observe that the circuit will trigger even with a low TON of 30%. This means that it becomes harder to prevent Trojan activation using system level techniques such as limiting repeated access to one address.
Note that the attack gets auto reset without the SR latch since the node X2 discharges (due to charge leak of CTrigger) and eventually node X4 goes down once the adversary stops the hammering after the trigger activates. Results indicate that the attack (charge at node X4) lasts for 163.73µs if AddSET is accessed for 18µs. However, by adding the SR latch, the attack can last indefinitely until AddSET access is discontinued and VRESET is asserted.
A small CTrigger will require a low NSET to get the trigger activated. For example, the required number of accesses is NSET = 464 for CTrigger = 5fF (Fig. 4c). This is still high enough to evade the test phase. The value of CTrigger is chosen as 20fF since it offers a high NSET (= 1837) under nominal conditions, successfully triggers under all process corners and temperatures (-10°C to 90°C), and the minimum NSET in the worst-case (= 68) is still high enough to evade the testing phase. Table I summarizes 6.24×10^-5 % of a typical memory chip area and static power [12], respectively. Therefore, the overhead due to the trigger is too small to be detected via optical inspection or side channel analysis.
IV. DRAM VULNERABILITIES AND TROJANS
In this section, we present methods to exploit the vulnerabilities of the DRAM assist techniques and refresh mechanisms.
A. DRAM assist and vulnerabilities
Wordline Underdrive and DoS: Fig. 5a shows that the retention time of data '1' changes as the WL voltage during retention is swept. The worst case retention occurs at higher temperature. We consider retention failure if the capacitor discharges below Vdd/2. Note that retention time decreases below -0.2V (due to Gate Induced Drain Leakage (GIDL)) and above 0.3V (due to subthreshold leakage) for each of the operating temperatures. The adversary cannot lower the WL voltage below -0.2V since this is the lowest voltage available in the chip. However, the adversary can increase the WL voltage during retention. The WL can be connected to Vdd through the transistor MT (Fig. 6a). The gate of MT is controlled by the AND'ed signal of VTr (from Fig. 1) and WL (Fig. 6a). WL is used in order to ensure that the WL underdrive only occurs during retention. We have performed 1000 point Monte-Carlo simulation with the same setup as SRAM to investigate the impact of increased WL voltage during retention. We consider retention time below 5ms as failure. From Fig. 5b, we note that if the adversary increases WL voltage to 0.3V and 0.4V respectively from -0.2V during retention, the corresponding retention failure is 4.8% and 43.6% respectively, causing polarity fault injection attack.
Information Leakage - WL Shorting and Refresh: Fig. 3a shows the method to short WL[1] and WL[2]. It is assumed that victim and adversary have control over Cell 1 and Cell 3, respectively. The shorting transistor is controlled by the AND'ed signal of VTr and SAEN. SAEN is used to ensure that the WLs are shorted only after the sense amp is fired. This delay gives the sense amp sufficient differential between BL and BLref and ensures Cell 3 value does not corrupt Cell 1 (during sensing) that is being copied. In the AND Trojan, we get a delay of 40ps which provides a SM of 69mV. For larger SM an inverter chain can be used. Fig. 6b shows that SM for both data types increases with delay. Note that the WL[2] driver should be disabled during the shorting period.
When WL[1] is asserted to 1.6V during a read operation of Cell 2, WL[2] is also pulled to 1.6V after the sense amp firing. Since DRAM read operation is destructive and needs a write-back at the end of read operation, BL[1] will resolve according to the stored value in Cell 1. Therefore, both Cell 1 and Cell 3 will get written to the previously stored value in Cell 1 since their WLs are asserted. This will effectively copy the data to Cell 3. Fig. 7a shows when Cell 3 is initialized to '0' and data in Cell 1 is read as '0'. Both Cell 1 (due to write-back) and Cell 3 are written to '0'. Similarly, Fig. 7b shows that data in Cell 1 is read as '1' and both Cell 1 and Cell 3 are written to '1'. This data leak also applies when Cell 3 is initialized to '1'. If WL shorting occurs with no delay after the sense amp activation, both Cell 1 and Cell 3 are written to Cell 3 data irrespective of the original Cell 1 data as shown in Fig. 8a. This can be done to inject a polarity dependent fault to Cell 1. Furthermore, the information leakage attack also works if a write operation is performed to Cell 1 since BL[1] will be driven to Vdd or 0V based on the write data and both WL[1] and WL[2] are shorted. One important point to note is that all the cells sharing WL[2] will be corrupted in this process.
Information Leakage - BL Shorting and Refresh: BL shorting is carried out in a similar way to WL shorting (Fig. 3b). It is assumed that victim and adversary have control over Cell 1 and Cell 2, respectively. The explanation for WL shorting holds true for BL shorting except none of the cells will be corrupted (since all the cells sharing WL[1] will be refreshed). Fig. 7c shows that the data in Cell 1 is read as '0' and both Cell 1 (due to write-back) and Cell 2 (due to BL[2] shorting) are written to '0'. Fig. 7d shows the copy of data '1'. Similar to WL shorting, BL shorting can also be leveraged to inject a polarity dependent fault in Cell 1 as shown in Fig. 8b. We restrict our discussion on this for the sake of brevity.
B. Trojan design space exploration
We choose the capacitor-based trigger proposed in [7] to generate the trigger signal (VTr) required to induce the retention failures (Fig. 6a) and information leakage (Fig. 3) attacks. This is because the design allows easy change of trigger parameters to vary the number of address accesses (denoted by EnAdd) required to assert VTr. We modify the design parameters shown in Fig. 1 to allow the trigger design to stay undetected at all fast and slow corner cases and work under multiple temperatures (-10°C, 25°C, and 90°C). The modified design is shown in Fig. 1. Additionally, we include an SR latch to capture the trigger output. Note that the attack gets auto reset without the SR latch since the node X2 discharges (due to charge leak of CTrojan) and eventually node X4 discharges once the adversary stops the hammering after the trigger activates. Results indicate that the attack (charge at node X4) lasts for 163.73µs if AddSET is written for 18µs with V(AddSET) = 1V, V(PSET) = 1V. However, by adding the SR latch, the attack can last indefinitely until AddSET access is discontinued and VRESET is asserted.
V. SYSTEM EXPLOITS USING TRAPPED

A. Overview of systems architecture
For the purposes of demonstration, we show a simple information leakage attack using TrappeD. We use a RISC-V based RocketChip [13] SoC template for implementing the TrappeD system. Our RocketChip SoC is configured with an in-order Rocket Core, a fast L1 data cache, and connects to an external DRAM on the AXI port (mapped to 0x80000000), which serves as the main memory for the system.
B. TrappeD trojan deployment
We modified the RocketChip code to inject the TrappeD trigger and payload. The trigger logic is introduced in the D-cache and the payload logic in the DRAM. For modelling the effects of the trigger, we instantiate a 32-bit register (AccessCounter) that is initialized to '0'. Each access to the trigger address (= 0x80022328) increments the register value by '1'. We introduce logic to detect if these increments have reached our NSET threshold of 1837, to activate the trigger signal (trigger_en). The trigger signal is sent to the payload logic. Once triggered, the signal stays asserted to facilitate the attack till the adversary accesses the trigger address an additional 163 times. The waveform generated from the RocketChip hardware emulation depicting trigger_en enabled and disabled is shown in Fig. 9. The payload activates when trigger_en is high. To model the effects of the payload, we select two addresses: (i) an adversary controlled address, adversary (= 0x800222E8), and (ii) a victim address, victim (= 0x800222A8). The payload logic shorts the two addresses, effectively copying the data from victim to adversary, facilitating an information leakage attack.
C. Attack demonstration
We demonstrate the attack with the help of a simple C program as shown in Listing 1. The code is compiled with the riscv-gcc compiler to generate a RISC-V ELF binary that can be run on the cycle-accurate emulator for the RocketChip system. For simplicity, we have assumed that the adversary and victim addresses are part of the same process, and the adversary can access adversary, but not victim. We also assume that the adversary has control over the number of times the trigger address can be accessed. The program initializes contents of adversary to '0' and victim to the confidential information '8575309'. The program loops over and accesses trigger 1837 times, which is greater than the minimum accesses required by the Trojan trigger as set by NSET, thus activating the trigger_en signal. The payload causes an information leakage by copying the confidential contents of victim to adversary. The adversary can now read out from adversary address and thus reveal the confidential information '8675309', as shown in Fig. 10.
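The trigger and payload model of Section V-B, written out as an added example (it is not the paper's Listing 1 or the authors' RocketChip code), to show why a write/read-back memory test that touches each address a handful of times never observes the copy. The addresses, NSET = 1837 and the 163-access release come from the text; the window size, the counter reset on release, the victim's own write standing in for a refresh, march_test and the sample secret are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define DRAM_BASE      0x80000000u
#define TRIGGER_ADDR   0x80022328u  /* addresses and thresholds as given in the text */
#define ADVERSARY_ADDR 0x800222E8u
#define VICTIM_ADDR    0x800222A8u
#define NSET           1837u        /* accesses that assert trigger_en */
#define NRELEASE       163u         /* further accesses that de-assert it */
#define MEM_WORDS      0x10000u     /* assumption: 256 KiB modelled window */

static uint32_t dram[MEM_WORDS];
static uint32_t access_counter;     /* the 32-bit AccessCounter register */
static int trigger_en;

/* Callers stay inside the modelled window. */
static uint32_t *cell(uint32_t addr) { return &dram[(addr - DRAM_BASE) / 4u]; }

void model_reset(void) {
    memset(dram, 0, sizeof dram);
    access_counter = 0;
    trigger_en = 0;
}

/* Trigger logic: only accesses to TRIGGER_ADDR are counted. */
static void trigger_observe(uint32_t addr) {
    if (addr != TRIGGER_ADDR) return;
    access_counter++;
    if (access_counter == NSET) trigger_en = 1;
    if (access_counter == NSET + NRELEASE) {
        trigger_en = 0;
        access_counter = 0;         /* assumption: counter restarts after release */
    }
}

/* Payload: while trigger_en is high the two locations are shorted, so the
 * write-back that ends any victim access also lands in the adversary cell. */
static void payload(uint32_t addr) {
    if (trigger_en && addr == VICTIM_ADDR) *cell(ADVERSARY_ADDR) = *cell(VICTIM_ADDR);
}

uint32_t mem_read(uint32_t addr) {
    trigger_observe(addr);
    payload(addr);
    return *cell(addr);
}

void mem_write(uint32_t addr, uint32_t value) {
    trigger_observe(addr);
    *cell(addr) = value;
    payload(addr);
}

/* Write/read-back test over the whole window, repeated `passes` times.
 * Returns the number of mismatching words it observed. */
unsigned march_test(unsigned passes) {
    unsigned bad = 0;
    model_reset();
    for (unsigned p = 0; p < passes; p++) {
        for (uint32_t i = 0; i < MEM_WORDS; i++) mem_write(DRAM_BASE + 4u * i, i ^ p);
        for (uint32_t i = 0; i < MEM_WORDS; i++) bad += (mem_read(DRAM_BASE + 4u * i) != (i ^ p));
    }
    return bad;
}

/* The sequence of Section V-C: returns what the adversary address holds afterwards. */
uint32_t run_scenario(uint32_t secret, unsigned trigger_accesses) {
    model_reset();
    mem_write(ADVERSARY_ADDR, 0);
    mem_write(VICTIM_ADDR, secret);
    for (unsigned i = 0; i < trigger_accesses; i++) (void)mem_read(TRIGGER_ADDR);
    mem_write(VICTIM_ADDR, secret); /* victim's own later access, standing in for a refresh */
    return mem_read(ADVERSARY_ADDR);
}
```

With eight passes march_test touches the trigger address only 16 times, so it reports zero mismatches although the dormant logic is present; the copy shows up only once the count reaches NSET and stops again after the release count.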
VI. DISCUSSION
A. Fault injection and DoS Attack
If read/write/retention failure occurs for one polarity (either for data '0' or '1'), it is considered as fault injection. Such an attack can leak system assets [14] such as keys. One example is setting plaintext to all 0 or 1 by injecting faults during crypto operation, which makes the ciphertext (that is sent out) the same as the keys, which can then be recovered by the adversary. However, if failure occurs for both polarities, it is considered as DoS attack.
B. Bypassing error detection
In state-of-the-art memory, techniques like Cyclic Redundancy Check (CRC) or Error Correcting Code (ECC) [15] are implemented. The ECC and/or CRC word is computed for the raw data and written along with data during write operation. During read operation, CRC/ECC is again calculated based on the read data and matched with the stored CRC/ECC. If the read or even the write operation incurs an error, CRCs/ECCs will not match and the data can be discarded. Furthermore, ECC can correct 1/2 bits of error (based on the implementation). Therefore, fault injection will fail and the adversary can only launch a DoS attack. However, if the CRC or ECC bits are also tampered to match the data with injected fault, the manipulated data will be considered as valid data.
C. Possible defenses
i) Dummy Bits: Each row of the memory can be designed with a few dummy bits. During run-time, each row can be written with known dummy bits and read to validate. During Trojan induced fault/DoS, the dummy bits will fail, which can be detected as an attack. However, information leakage cannot be detected. Note that this will incur slight area and power overhead.
ii) Trusted ECC: The current implementation of ECC adds a few global columns in the memory. For example, if the data width is 64 bit and ECC needs 5 bits, a total of 69 global columns are implemented in the memory array. This is a vulnerability since the ECC bits can also be tampered. We propose to separate the ECC bits from the data bits and store them in a trusted memory known to be Trojan free through rigorous validation (possible due to small size). This way the fault injection, DoS and information leakage attacks can be detected since ECC bits can be checked to detect the tampering at run-time (once Trojan is activated).
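The difference between check bits stored in the same array and check bits kept in a separate trusted store, as an added example (not code from the paper). A CRC-8 stands in for the ECC/CRC word, and the toy array, row numbers, sample data and the two modelled payload effects (a whole-row copy from wordline shorting, and a row whose every '1' has decayed, check columns included) are assumptions made for illustration.

```c
#include <stdint.h>

#define ROWS          8u   /* constructed toy array */
#define VICTIM_ROW    1u
#define ADVERSARY_ROW 3u

/* One row of the untrusted array: data columns and check columns share a wordline. */
struct row { uint64_t data; uint8_t check; };
static struct row array_mem[ROWS];
static uint8_t trusted_check[ROWS];   /* separate store, assumed validated Trojan-free */

/* CRC-8 (polynomial 0x07, zero initial value) standing in for the ECC/CRC word. */
static uint8_t crc8(uint64_t data) {
    uint8_t crc = 0;
    for (int i = 7; i >= 0; i--) {
        crc ^= (uint8_t)(data >> (8 * i));
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Normal write path: the check word goes to both places. */
void store(unsigned r, uint64_t data) {
    array_mem[r].data = data;
    array_mem[r].check = crc8(data);
    trusted_check[r] = array_mem[r].check;
}

/* Modelled payload effects (behaviour only, no circuit detail). */
static void copy_row(unsigned from, unsigned to) { array_mem[to] = array_mem[from]; }
static void decay_row(unsigned r) { array_mem[r].data = 0; array_mem[r].check = 0; }

/* Read-time checks: against the in-array columns, and against the trusted store. */
int in_array_ok(unsigned r) { return crc8(array_mem[r].data) == array_mem[r].check; }
int trusted_ok(unsigned r)  { return crc8(array_mem[r].data) == trusted_check[r]; }

enum { FLAG_IN_ARRAY = 1, FLAG_TRUSTED = 2 };

static unsigned flags(unsigned r) {
    return (in_array_ok(r) ? 0u : FLAG_IN_ARRAY) | (trusted_ok(r) ? 0u : FLAG_TRUSTED);
}

/* No tampering: neither check should raise a flag. */
unsigned check_clean(uint64_t data) {
    store(VICTIM_ROW, data);
    return flags(VICTIM_ROW);
}

/* Whole-row copy: the check columns travel with the data, so only the
 * trusted store still holds the word that belongs to the adversary row. */
unsigned check_after_copy(uint64_t victim, uint64_t adversary) {
    store(VICTIM_ROW, victim);
    store(ADVERSARY_ROW, adversary);
    copy_row(VICTIM_ROW, ADVERSARY_ROW);
    return flags(ADVERSARY_ROW);
}

/* Whole-row decay: an all-zero row is itself a valid code word of this CRC. */
unsigned check_after_decay(uint64_t victim) {
    store(VICTIM_ROW, victim);
    decay_row(VICTIM_ROW);
    return flags(VICTIM_ROW);
}
```

In both tampering cases the in-array comparison passes and only the trusted-store comparison raises a flag on the next read of the affected row.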
VII. CONCLUSIONS
In this paper, we investigated the advanced circuit features employed in the peripherals of nanometer memories e.g., WLUD and wordline overdrive for DRAM from a security perspective. We show that an adversary can manipulate these features to launch fault injection attacks and DoS. The adversary can also leverage wordline shorting and bitline shorting in order to leak sensitive information. We also demonstrated the feasibility of launching system exploits leveraging TrappeD on RocketChip SoC platform.
