Non-volatile memories (NVMs) such as Spin-Transfer Torque RAM (STTRAM) have drawn significant attention due to the complete elimination of bitcell leakage. In addition to a plethora of benefits such as density, non-volatility, low power and high speed, the majority of NVMs are also compatible with CMOS technology, enabling easy integration. Although promising, NVMs bring new security challenges that were absent in their conventional volatile memory counterparts such as Static RAM (SRAM) and embedded Dynamic RAM (eDRAM). The root cause is persistent data that may allow the adversary to retrieve sensitive information such as passwords or cryptographic keys. This is compounded by the fundamental dependency of these memory technologies on environmental parameters such as magnetic fields and temperature, which can be exploited by the adversary to tamper with the stored data. This paper investigates the data security and privacy challenges in NVMs by exploring the security-specific properties and novel security primitives realized using spintronic building blocks. A thorough analysis is done on the vulnerabilities, data security and privacy issues, threats and possible countermeasures to enable a safe computing environment using spintronics.
Security and Privacy Threats to On-Chip Non-Volatile Memories and Countermeasures
INTRODUCTION
NVMs such as STTRAM, MRAM, ferroelectric RAM (FeRAM), Resistive RAM (ReRAM), Phase Change RAM (PCRAM) and Domain Wall Memory (DWM) [1] have drawn significant attention due to the complete elimination of bitcell leakage. In addition to benefits such as high density, non-volatility, low power and high speed, the majority of non-volatile memories are also compatible with CMOS technology [2]. ReRAM and PCRAM are found more suitable to replace main memory due to limited write endurance, whereas possible applications of STTRAM range from Last Level Cache (LLC) to ultra-low power Internet-of-Things (IoT) devices [3]. Fig. 1 shows the STTRAM cell schematic with a Magnetic Tunnel Junction (MTJ) as the storage element. It contains a free and a pinned magnetic layer. The resistance of the MTJ stack is high (low) if the free layer magnetic orientation is antiparallel (parallel) compared to the fixed layer. The MTJ can be toggled from parallel to anti-parallel (or vice versa) by injecting current from source-line to bitline (or vice versa).
Although promising, NVMs bring new security challenges [4][5] that were absent in their conventional volatile memory counterparts such as SRAM and eDRAM. The security challenges of STTRAM pertain to persistent data and its sensitivity to ambient parameters that can be exploited for low-cost tampering. Broadly, there are two major threats to NVM security:
(i) Threat to data integrity: It pertains to data corruption (functional/timing) or destruction with the intention to launch a Denial-of-Service (DoS). The fixed layer of STTRAM is robust; however, the free layer can be toggled using both spin polarized current and magnetic field. Thus, it is susceptible to manipulation through an external magnetic field. The polarity of the STTRAM free layer can flip either using current or with a 250 Oe magnetic field [6]. Similar results can also be obtained through temperature modulation. Ensuring data integrity against malicious attacks through ambient effects is particularly critical in deployed systems where enforcing and maintaining physical security is difficult.
(ii) Threat to data privacy: It pertains to the compromise of sensitive data present in raw form through unauthorized access or side channels. The desire to have a larger LLC for performance gain presents more persistent data that becomes vulnerable. The Hard Disk Drive has traditionally been the non-volatile part of the memory system. Volatile memory (like SRAM) is considered safe due to randomization of data at power down. Replacing the traditional volatile memory stack at higher levels with NVMs makes data vulnerable that was originally safe. As the memory level moves closer to the Central Processing Unit (CPU) it becomes more sensitive to latency. Therefore, applying encryption in the LLC is difficult. Thus, addressing data privacy in higher levels of the memory stack while maintaining performance is a challenge. Designing a magnetic/heat shield around the device is a possible solution, but due to its cost and weight it may not be suitable for a range of applications including IoTs. High and asymmetric write current, and long and asymmetric write latency (common in NVMs), can serve as side channels, exposing information such as the number of '1's or '0's in a memory word and weakening data privacy.
The rest of the paper is organized as follows. Section 2 describes the vulnerabilities. Section 3 focuses on the data security threats and prevention techniques. Section 4 describes data privacy threats and countermeasures. Security considerations for other NVMs are presented in Section 5. Conclusions are drawn in Section 6.
VULNERABILITIES IN STTRAM
Sensitivity to Magnetic Field
The magnetization orientation of the pinned layer is fixed using anti-ferromagnetic coupling and cannot be changed using nominal current/external magnetic field. However, the free layer can be toggled by passing current/applying a magnetic field, and this layer's magnetization dynamics are governed by the LLG equation [6].
where $\vec{m}$ represents the unit vector of the local magnetic moment, $I_s$ is the spin current, $G(\psi)$ is the transmission coefficient, $\hbar$ is the reduced Planck constant, $\alpha$ is the Gilbert damping parameter and $\vec{e}$ is the unit vector along the fixed layer. The effective field is $\vec{H}_{\mathrm{eff}} = \vec{H}_a + \vec{H}_k + \vec{H}_d + \vec{H}_{ex}$, where $H_a$, $H_k$, $H_d$ and $H_{ex}$ are the applied, anisotropy, demagnetization and exchange fields respectively.
Writing a bit is done using the STT term (low power consumption) and the external field Ha is kept at 0. However, Ha can also be used to toggle the magnetization in the absence of charge current (field term, eq. (1)). As magnetic field-based toggling is the foundation of MRAM, the attacker (using a permanent magnet or electromagnet) can exploit this extra knob to corrupt the free layer data.
Read/Write Latency
The write latency of STTRAM is a function of the thermal stability factor (Δt), which depends on the retention time. [7] which corresponds to a write latency of 0.67 ns at 1 V supply. Furthermore, STTRAM is susceptible to process variation (PV) [7], which increases the thermal stability of bits randomly, especially for larger arrays. Therefore, some bits suffer from excessively high read and write latencies. Fig. 2(a-b) shows the read and write latency distribution of a 40 nm x 40 nm x 4 nm STTRAM under PV. A 5000-point Monte Carlo simulation is performed and the data is extrapolated to 8 MB using extreme value theory in Matlab. It is observed that the worst case write (read) latency is 1.3X (3.4X) the mean value. The longer read/write latency gives more opportunity to the adversary to analyze the side channels and weaken the data privacy.
Read/Write Current
Another aspect of STTRAM is the high write current, which is dependent on thermal stability, retention time and the polarity of the stored data. Constant voltage write is assumed, which is commonly employed to simplify the write driver design [7]. STTRAM resistance is high, $R_H$ (low, $R_L$) during state '1' ('0'). Fig. 3(a) shows the supply current waveform for a single-bit write '1' when the previous value stored is '0'. Initially the current is high (STTRAM resistance low) and it goes low after a successful write. Fig. 3(b) shows the supply current waveform for write '0' with the previous value stored as '1'; in this case the current is initially low and goes high after a successful write. The high and low states of current are very distinct and they reveal information about the previous and new data. The current difference between the states depends on the Tunnel Magneto Resistance (TMR) of STTRAM, which is given by $(R_H - R_L)/R_L$. Higher TMR ensures robust read operation but adversely affects data privacy. The read current is comparatively less than the write current (Fig. 3(c)), thus the read and write operations can be distinctly identified from the current waveforms. Source degeneration based read sensing is used in this work [8].
Temperature Sensitivity
The thermal stability (Δt) is also a function of ambient temperature. A colder temperature increases Δt, which in turn increases the write current and latency. Fig. 3(d) shows the write latency w.r.t. Δ values. The write latency increases with the increase in thermal barrier. This can be exploited by the adversary to strengthen the side channel signature from STTRAM.
Data Persistence
The retention time of STTRAM can be modulated using temperature for tampering and stealth. Higher retention can cause write failures and increase persistent data. Lower retention can cause read disturb failures.
DATA SECURITY
This section presents a qualitative analysis of data security issues in volatile and non-volatile memories that can be used as cache.
DoS Threat using Magnetic Field
STTRAM could face threats from static (DC) magnetic field or alternating (AC) magnetic field. The DC field is less detrimental as it can only create unipolar failures. However, the AC field could cause more damage as it will affect both storage polarities.
Tampering on STTRAM could be launched either during idle (retention) or functional mode (read/write). Read current is unipolar irrespective of the storage polarity, whereas write current polarity is data dependent. The impact of the field during functional mode (especially read) could be more detrimental than during retention due to two factors: (a) presence of disturb current; and (b) higher frequency of reads compared to writes. Both storage polarities will be affected under an AC magnetic field. During a write operation, the AC field will either assist (current polarity matches the applied field) or suppress the threat (current polarity is opposite to the field). In all of the above scenarios the magnetic field could manifest either as a hard failure (i.e., flipping bitcell content) or a soft failure (i.e., delay in write or degraded sense margin). The soft failures could be mitigated by slowing down the read/write operation, but the hard failures need to be avoided or corrected through error correction. The frequency of the AC magnetic field is important for failures during functional mode. If the frequency is faster than the write time, it can affect writing of both data polarities. It can also affect both storage polarities in read operation. If the frequency is slow, the impact will be less harmful.
Threat Analysis
The micro-magnetic simulator OOMMF [9] was used to analyze the impact of DC/AC magnetic field tampering on STTRAM. The MTJ parameters used for simulation are shown in Table 1. Fig. 4(a) shows that the MTJ polarity could be flipped in retention mode. The flip time reduces with increasing strength of the AC field. The impact of the AC field is plotted in Fig. 4(b). For this simulation, an AC field with frequency ranging from 150 MHz to 2 GHz was used. It shows that a higher frequency AC field can cause more damage even with a smaller amplitude than a lower frequency field with high amplitude.
The comparison of MTJ stability between retention and functional mode is considered in Fig. 4(c)-(d). For a DC field, the bits can fail easily when the current polarity and magnetic field are in the same direction (assistive). The flip time is higher when current and magnetic field are in opposite directions (suppressive). A similar observation also holds true for the AC field. The stability of the MTJ free layer is a function of its volume. So, it is possible to enhance the robustness of the MTJ against tampering by increasing the size. The MTJ thickness was swept and the flip time was plotted w.r.t. volume in Fig. 4(e). The plot shows the bitcell is able to withstand a weak magnetic field with higher volume. However, it fails to provide protection against a strong magnetic field (>400 Oe). Fig. 4(f) indicates that higher volume can protect against a low frequency magnetic field, whereas a high frequency field can cause failure regardless of MTJ volume.
Attack Sensor
To mitigate an attack, it is essential to detect a magnetic field or thermal attack 'proactively' and trigger corrective steps. In [8], a small replica of the STTRAM array is used as a sensor. Although functionally equivalent to the actual array, the sensor is designed to fail early (through lowering of the thermal barrier Δ) for proactive sensing. We note that the sensor can capture the angle and frequency of a magnetic attack as well as a high temperature thermal attack. The cooling type attack can be sensed using a conventional thermal sensor in the processor. Fig. 4(g) shows the top level schematic of the proposed sensing and compensation methodology. To capture the spatial variation we distribute the sensors along the array. The error rate and failing polarities collected from the sensors are provided to a control unit that triggers compensation techniques.
Inherent Resilience Enhancement
As STTRAM bits are more robust to attack in retention mode than in functional mode, the array can be put in retention mode till the attack subsides. Although simple, this technique may result in performance loss due to stall and may still experience attack-induced corruption of bits. For further resilience, this technique can be combined with variable-strength ECC (VS-ECC) to ensure strong encoding before enabling sleep and correction after wake-up. As reading, encoding and writing the bits is associated with significant power overhead, this technique is suitable only to protect "important" segments of the cache.
The VS-ECC can dynamically change the error correction capability with the magnitude of the attack to provide the right amount of error protection against failures. A Bose-Chaudhuri-Hocquenghem (BCH) cyclic code with 128-bit data length was used to enhance the multi-bit tolerance. The VS-ECC offers four different error correction capabilities (1/2/4/8 bit), and the correction capability can be automatically adapted based on the intensity/polarity of the magnetic attack measured by the sensor. When there is no magnetic attack, ECC can be completely turned off or it can work with the simplest ECC (1 bit). As the attack becomes intense, the control unit in Fig. 5(a) can adapt the ECC to provide stronger error correction (2/4/8 bit). When smaller error correction options are selected, the unused modules in the ECC can be easily turned off to save computation energy.
The BCH encoder has two parts: Galois field adders and dividers. Four different division parts are used in the reconfigurable encoder (1/2/4/8 bit). The VS-ECC decoder is basically similar to an 8-bit correction BCH decoder. Fig. 5(b) shows that the syndrome generator for 1/2/4-bit correction BCH can be expressed as a subset of the 8-bit correction BCH. The architecture is designed to be scalable such that simple control logic can easily turn off the unused modules when the correction capability is 1/2/4/8 bits. The VS-ECC encoder/decoder module is described in detail in [6].
The correction mode can be controlled using a 2-bit mode selection signal as shown in Fig. 4(g) and Fig. 5(c). This mode selection signal is generated from control logic at runtime by monitoring the magnetic attack strength measured by the sensor. For protection of on-chip cache memory, the 2-bit mode selection is stored per cache block to indicate the encoding type, and the number of ways used to store ECC bits is dynamically adjusted during runtime [10]. The two-bit overhead for the mode selection storage is negligible (< 0.3% area overhead) considering a typical cache block size (e.g. 512 bits). If a block cannot be corrected due to inadequate correction capability, we can set its dirty bit and fetch it from the next level.
If the memory is used as the last level of memory, higher protection is needed. Another way of checking the occurrence of STTRAM failures by the ECC itself is to monitor the outputs of the syndrome generator, since any non-zero syndrome indicates a memory failure. This syndrome monitoring scheme can be used to check the frequency of STTRAM failures in the functional mode.
DATA PRIVACY
This section presents a qualitative analysis of data privacy issues in volatile and non-volatile memories that can be used as cache.
Threats

System under Consideration and Assumptions:
The data in the non-volatile LLC is assumed to be in raw format due to the lack of encryption. We consider both scenarios where the data can leave the cache and move to the CPU or to main memory and become susceptible to theft. We also assume a drop-in replacement of SRAM with STTRAM as LLC in terms of security features. In other words, we assume the lack of features such as valid bit erasure after power ON and encryption of the cache to main memory bus. We also assume that the adversary can probe the data bus between cache and main memory.
Threats from CPU side:
i) Read Hit (Fig. 6(a)): The CPU issues a read signal and the address is present in the cache (step 1); the corresponding valid bit is found set, indicating that the data at the address is valid. Thus, it produces a read hit (step 2) and the data from the cache moves to the CPU (step 3). This is the easiest approach the adversary can use to retrieve raw user data from the last login.
ii) Write Hit: This is not actually a threat, but we show the write hit case for completeness. The adversary can force a write signal, and the address generated by the CPU matches both the index and tag, resulting in a write hit. So, the new data from the CPU overwrites the existing data, which thus cannot be obtained by the adversary.
Threats from Main Memory Side
In this mode the objective is to access the persistent data when it moves from LLC to main memory.
i) Read Miss, Dirty=1 (Fig. 6(b)): The adversary forces a read signal and snoops the cache data when it is being replaced by new data from main memory. The address generated by the CPU matches one of the indices (step 1) but the tag match fails, resulting in a read miss (step 2). The data in the cache needs to be replaced with data from main memory, and if the corresponding dirty bit is '1' the existing data must be copied to main memory. The data is thus accessible to the adversary who keeps snooping the bus between cache and main memory (step 3).
ii) Write Miss, Dirty=1, Write-Allocate: The adversary forces a write signal that results in a write miss and tries to access the data when it is being replaced by new data from main memory (Fig. 6(b)). The address generated by the CPU matches one of the valid indices (step 1), but the tag match fails and it results in a write miss (step 2). If the dirty bit is found to be '1' and the cache is assumed to follow a write-allocate policy, the existing data in the cache must be copied to main memory or a victim cache and new data must be brought from main memory. Thus, the adversary can retrieve the data when it is being sent from cache to main memory.
Tamper Assisted Threats:
The adversary can deliberately alter the cache content through non-invasive tampering. The purpose is to set as many valid (or dirty) bits as possible to increase the chances of a hit (or miss) and ease the attack. The following knobs can be used to tamper with the bits:
i) Magnetic Tampering: The cache can be exposed to an external DC magnetic field in a direction that will flip the bits to '1' [6]. Although it will corrupt some of the data bits, a small amount of error in the data can be tolerated and the original data can still be recovered [13]. The adversary can keep scanning through the LLC after each round of tampering to get as much data as possible.
ii) Thermal Tampering: The adversary can deliberately modulate the operating temperature with the intention to prolong the retention time, increasing the number of persistent bits that can be compromised through unauthorized access at power-ON [11].
Countermeasures
Semi NVM (SNVM) Cache:
As a cache does not require a high (typically 10 yrs) retention time, it can be lowered to improve the write latency/energy [13]. The write energy can be lowered by reducing the thermal stability. The switching current (I) decreases linearly with the reduction in thermal barrier (Δ), which in turn decreases the retention. The retention time (t) is related to Δ by $t = C \times e^{k\Delta}$ (C, k fitting constants). As Δ is proportional to the MTJ free layer volume, downsizing the free layer lowers the retention, providing fast write latency/lower write energy. Lower retention is good for data privacy as the data will be lost by the time the adversary tries to get it. Thus, SNVM can be used as the first line of defense to protect the data. Fig. 7(a) shows the retention time w.r.t. the volume of the MTJ. As the size of the MTJ is lowered by 2X, retention time decreases from a few decades to a few seconds. Fig. 7(b) shows the retention time dependence on temperature. Monte Carlo analysis was performed with 3σ of 5% for MTJ dimensions and a 10 s mean retention time. The result shows retention can be very low at high temperature (min at 100°C = 9 ms), but increases dramatically by lowering the temperature (max at -50°C ≈ 33 days). This can be exploited to freeze the chip, increase the retention and perform more exhaustive reverse engineering to access the data. Thus, SNVM can be the first line of defense but cannot be a standalone method to guarantee the privacy of LLC data.
Data Erasure
Access to the LLC can be prevented by clearing the valid bit and tag [14]. Erasing the valid bit ensures an unauthorized read results in a miss, and erasing the tag ensures that even if the valid bit is found set (random retention errors), the tag match will result in a mismatch (except when tag=0) and access is prevented. Finally, the data is erased to ensure that even in the event of a hit due to random failures, an invalid tag or a tamper-assisted attack, the data obtained by the adversary is not authentic.
We propose to perform erasing at power OFF in order to protect against a power failure attack. i) Clearing tag and data: Fig. 8 shows the proposed architecture. The multiplexer (MUX 1) is used to select the address coming from the CPU (normal operation) or from erase counter I (during erasing). When the system is turned OFF the erase signal ER is asserted (step 1) and a read signal is forced from the CPU. The erase counter has two parts: i) an index part (used to loop through the cache address space); ii) a tag part (erases the tag array (step 2)). The zero index points to the 1st location and the corresponding tag may or may not match; in either situation our objective is not hampered. We add ( ) as an input to the AND gate that generates Hit/Miss. Since ( ) is low it forces a read miss (step 3). A decoder with ER and Hit/Miss as inputs is used to bypass main memory and take the input from registers containing '0'. Data from the erase register is written into the data cache at index 0 and the tag (all 0's) is written into the tag array. Thus, the first location of the tag and data cache is erased successfully. Next the erase counter is incremented and the process repeated to erase all tag/data bits. Although we are able to erase the tag/data bits, the valid bit is set for all locations after erasing. During normal operation the ER signal is low and main memory is selected instead of the erase register.
ii) Clearing valid: The valid bit eraser is shown in the dotted box in Fig. 8. A mux (MUX2) is used to select the address from the CPU (normal operation) or from erase counter II (during erasing). The valid bits should be erased after the tag and data bits have been erased (erasing tag/data sets the valid bit). Therefore, the multiplexer is controlled (step 6) by the END signal of erase counter I. Erase counter II is initialized to zero (reset on system ON) and thus points to the 1st address (step 7) in the valid bit memory. The write
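The read-hit and read-miss (dirty=1) threats above, the power-OFF erasure of tag, data and valid bits, and the tamper-assisted case that erasing the data guards against, as an added Python model; this is not the paper's code. It assumes a 4-line direct-mapped cache with one-word blocks and address = tag*4 + index, volatile DRAM as main memory (lost at each power cycle), and that the erase fill overwrites a line in place without victim write-back.

```python
"""Direct-mapped cache model of the LLC persistence threats and power-OFF erasure
(constructed illustration, not the paper's code). Assumptions: 4 one-word lines,
address = tag * NUM_LINES + index, main memory is volatile DRAM cleared at each
power cycle, and the erase fill overwrites a line in place without write-back."""
from dataclasses import dataclass

NUM_LINES = 4
SECRET_ADDR = 9      # tag 2, index 1 (constructed)
SECRET = 0xC0DE      # constructed word left in the LLC before power OFF


@dataclass
class Line:
    valid: bool = False
    dirty: bool = False
    tag: int = 0
    data: int = 0


class Cache:
    def __init__(self):
        self.lines = [Line() for _ in range(NUM_LINES)]
        self.main_memory = {}   # addr -> word
        self.bus_log = []       # words written back over the probed cache<->memory bus

    def _fill(self, index, tag, word, via_bus):
        line = self.lines[index]
        if via_bus and line.valid and line.dirty:
            # Normal miss path: the dirty victim crosses the bus (Fig. 6(b), step 3)
            self.main_memory[line.tag * NUM_LINES + index] = line.data
            self.bus_log.append(line.data)
        line.valid, line.dirty, line.tag, line.data = True, False, tag, word

    def read(self, addr):
        """Return (hit, word); a miss fetches the word from main memory."""
        tag, index = divmod(addr, NUM_LINES)
        line = self.lines[index]
        if line.valid and line.tag == tag:       # read hit (Fig. 6(a))
            return True, line.data
        word = self.main_memory.get(addr, 0)
        self._fill(index, tag, word, via_bus=True)
        return False, word

    def write(self, addr, word):                 # write-allocate, write-back
        tag, index = divmod(addr, NUM_LINES)
        if not (self.lines[index].valid and self.lines[index].tag == tag):
            self._fill(index, tag, self.main_memory.get(addr, 0), via_bus=True)
        self.lines[index].data, self.lines[index].dirty = word, True

    def power_cycle(self, erase):
        if erase:
            # Erase counter I: forced read miss per index, served from the all-zero
            # erase register (ER=1 bypasses main memory), which leaves valid=1.
            for index in range(NUM_LINES):
                self._fill(index, 0, 0, via_bus=False)
            for line in self.lines:            # erase counter II clears valid bits
                line.valid = False
        self.main_memory.clear()   # DRAM is lost; the STTRAM lines persist
        self.bus_log.clear()       # only traffic after power ON matters


def without_erasure():
    """Read hit on the CPU side, then a conflicting read that evicts the dirty line."""
    c = Cache()
    c.write(SECRET_ADDR, SECRET)
    c.power_cycle(erase=False)
    hit, word = c.read(SECRET_ADDR)                       # True, SECRET
    miss_hit, _ = c.read(SECRET_ADDR + NUM_LINES)         # same index, other tag
    return hit, word, miss_hit, c.bus_log                 # ..., False, [SECRET]


def with_erasure(tamper_valid_bits=False):
    """Erasure at power OFF; optionally a DC field forces every valid bit to '1'."""
    c = Cache()
    c.write(SECRET_ADDR, SECRET)
    c.power_cycle(erase=True)
    for line in c.lines:                   # tamper-assisted threat: a DC field can
        line.valid |= tamper_valid_bits    # force the valid bits to '1'
    hit_tag0, word_tag0 = c.read(SECRET_ADDR % NUM_LINES)   # tag 0, same index
    hit_secret, _ = c.read(SECRET_ADDR)
    return hit_tag0, word_tag0, hit_secret, c.bus_log
```

With tampered valid bits the tag-0 address still hits, but only the erased all-zero word is returned, which is the reason the data itself is erased in addition to the tag and valid bits.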
Simulation Result
The proposed architecture is simulated in gem5 [16] with processor configuration provided in Table 2 . Simulations are performed to measure the degradation in instruction per cycle (IPC) on a wide range of Splash benchmark suite [17] . The energy overhead is calculated using the multicore power simulator McPAT [18] with modified CACTI [19] . The results are 0.6% IPC loss and 1.2% energy overhead during normal operation.
The asymmetric write behavior of most NVMs makes them susceptible to side channel analysis. Low-cost solutions such as SNVM, obfuscation of the side channel using 1-bit parity and multi-bit random write, and neutralizing the side channel using a constant current write driver were studied in [20] to mitigate the attack.
APPLICATION BEYOND LLC
Physically Unclonable Functions (PUFs)
A low power 7T SRAM PUF with embedded STTRAM has been proposed in [21] to enhance the robustness (2.3X to 20X) with lower leakage power/area overhead. A strong arbiter PUF based on 1T-1R bitcell has also been proposed in [22] which is obtained from ReRAM with minimally invasive changes. The process variations in the nanowire (NW) have been utilized to design two flavors of PUFs [23] for secure key generation, with higher degree of complexity against cloning, and a lower overhead/power.
Replacing embedded Flash in IoTs
In embedded applications like the microcontroller SoC of an IoT device, embedded Flash (eFlash) is widely employed. However, eFlash is also associated with cost. Thus, replacing eFlash with STTRAM is desirable in IoTs for power efficiency. However, STTRAM is prone to temperature and magnetic fields that can be exploited by an adversary to tamper with the program and data. Active and passive attack sensors can be designed by modifying the STTRAM array at periodic row intervals to place low-retention MTJ cells that are sensitive to magnetic attacks. The information redundancy of the program memory present in a homogeneous peer-to-peer connected IoT network can be exploited to restore the corrupted STTRAM memory (the technique is also applicable to ReRAM and PCRAM) of any IoT node when under attack [24].
Consideration to other NVMs
Apart from spintronic memories, ReRAM, MRAM, FeRAM and PCM are some other emerging non-volatile memories. The MRAM and FeRAM families are susceptible to external magnetic field attack like STTRAM. The mitigation techniques discussed in the previous sections are also applicable to MRAM and FeRAM.
CONCLUSIONS
We have explored the vulnerabilities, data security and privacy of STTRAM, potential threats and possible countermeasures to ensure a safe computing environment. Application of STTRAM for security primitive design is also studied.
