Small fixes

4 files changed, 42 insertions, 45 deletions

diff --git a/doc/quick-tech-report/rotohsm_paper.pdf b/doc/quick-tech-report/rotohsm_paper.pdf
index 62a3fc6..8ef4900 100644
--- a/doc/quick-tech-report/rotohsm_paper.pdf
+++ b/doc/quick-tech-report/rotohsm_paper.pdf
diff --git a/doc/quick-tech-report/rotohsm_paper.tex b/doc/quick-tech-report/rotohsm_paper.tex
index e71b305..e2f3928 100644
--- a/doc/quick-tech-report/rotohsm_paper.tex
+++ b/doc/quick-tech-report/rotohsm_paper.tex
@@ -80,7 +80,7 @@
 
 \section*{Abstract}
 
-In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules.
+In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules (iHSMs).
 Conventional systems have in common that they try to detect attacks by crafting sensors responding to increasingly
 minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce the
 sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by
@@ -154,12 +154,12 @@ meandering electrical traces on a fragile foil that is wrapped around the HSM es
 problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019,
 anderson2020}.  There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic
 radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research
-has found widespread adoption.
+has found widespread adoption yet.
 
 In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM
 4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard
-construction. Though its turn of the century design is now a bit dated, the construction techniques of the physical
-security mechanisms have not evolved much in the last two decades. Apart from some auxiliary temperature and radiation
+construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical
+security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature and radiation
 sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional
 construction of a flexible mesh wrapped around the module's core. In~\cite{smith1998}, the authors state the module
 monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and
@@ -193,11 +193,11 @@ compound.
 
 To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a
 hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security
-barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to cheaply manufacture and certify
+barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture 
 these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap
-low-performance security barrier and transforming it into a marginally more expensive but very high-performance one. The
+low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The
 closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that
-describes an mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled
+describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled
 with pressurized gas.
 
 \section{Inertial HSM construction and operation}
@@ -208,9 +208,9 @@ routinely used in military applications to make things harder to hit~\cite{terdi
 use it in tamper detection. If we consider different ways of moving an HSM to make it harder to tamper with, we find
 that making it spin has several advantages.
 
-First, the HSM has to move fairly fast. If any point of the HSM's tamper sensing mehs moves slow enough for a human to
+First, the HSM has to move fairly fast. If any point of the HSM's tamper sensing mesh moves slow enough for a human to
 follow, it becomes a weak spot. E.g.\ in a linear pendulum motion, the pendulum becomes stationary at its apex.  Second,
-a spinning HSM is compact compared to alternatives like an HSM on wheels.  Finally, rotation leads to predictable
+a spinning HSM is compact compared to alternatives like an HSM on wheels.  Finally, rotation leads to easily predictable
 accelerometer measurements.  A beneficial side-effect of spinning the HSM is that if the axis of rotation is within the
 HSM itself, an attacker trying to follow the motion would have to rotate around the same axis. Their tangential linear
 velocity would rise linearly with the radius from the axis of rotation, which allows us to limit the approximate maximum
@@ -228,9 +228,9 @@ mitigated using multiple nested layers of protection.
 
 In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to
 distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the
-rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, both
-acceleration tangential to the rotation and along the axis of rotation will be zero. Centrifugal acceleration will be
-constant.
+rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, after
+subtracting gravity both acceleration tangential to the rotation and along the axis of rotation will be zero.
+Centrifugal acceleration will be constant.
 
 Large centrifugal acceleration at high speeds poses the engineering challenge of preventing the whole thing from flying
 apart, but it also creates an obstacle to any attacker trying to manipulate the sensor.  We do not need to move the
@@ -263,7 +263,7 @@ solved with complex and costly siphon-style constructions, so in commercial syst
 exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power.
 Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum possible power dissipation
 of the payload and unlocks much more powerful processing capabilities.  In an evolution of our design, the spinning mesh
-could even be designed to *be* a cooling fan.
+could even be designed to \emph{be} a cooling fan.
 
 \subsection{Spinning mesh power and data transmission}
 
@@ -273,12 +273,12 @@ both a power supply for the spinning monitoring circuit and a data link to the s
 
 We found that a bright lamp shining at a rotating solar panel is a good starting point.  In contrast to e.g.\ slip
 rings, this setup is mechanically durable at high speeds and it also provides reasonable output power (see Appendix
-\ref{sec_energy_calculations} for some calculations on power consumption). A battery may not provide a useful lifetime
+\ref{sec_energy_calculations} for an estimation of power consumption). A battery may not provide a useful lifetime
 without power-optimization. Likewise, an energy harvesting setup may not provide enough current to supply peak demand.
 
 Since the monitoring circuit uses little current, power transfer efficiency is not important. On the other hand, cost
 may be a concern in a production device. Here it may prove worthwhile to replace the solar cell setup with an extra
-winding on the rotor of the BLDC motor driving the spinning mesh. This rotor is likely to be a custom part, so adding
+winding on the rotor of the BLDC motor driving the spinning mesh. This motor is likely to be a custom part, so adding
 an extra winding is unlikely to increase cost significantly. More traditional inductive power transfer may also be an
 option if it can be integrated into the mechanical design.
 
diff --git a/doc/quick-tech-report/rotohsm_tech_report.pdf b/doc/quick-tech-report/rotohsm_tech_report.pdf
index cddf634..c6a9e0e 100644
--- a/doc/quick-tech-report/rotohsm_tech_report.pdf
+++ b/doc/quick-tech-report/rotohsm_tech_report.pdf
diff --git a/doc/quick-tech-report/rotohsm_tech_report.tex b/doc/quick-tech-report/rotohsm_tech_report.tex
index 4b1a563..e5a9bd0 100644
--- a/doc/quick-tech-report/rotohsm_tech_report.tex
+++ b/doc/quick-tech-report/rotohsm_tech_report.tex
@@ -80,10 +80,10 @@
 
 \section*{Abstract}
 
-In this tech report, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules.
-Conventional systems have in common that they try to detect attacks by crafting sensors responding to increasingly
-minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce the
-sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by
+In this tech report, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules
+(iHSMs).  Conventional systems have in common that they try to detect attacks by crafting sensors responding to
+increasingly minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce
+the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by
 rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop
 the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes.  Our approach leads to a HSM that
 can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is
@@ -122,14 +122,12 @@ defenses the HSM is now equipped with an accelerometer that it uses to verify th
 would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the
 accelerometer---or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow
 speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become
-inhospitable to human life (see Appendix~\ref{sec_minimum_angular_velocity}). Since non-contact electromagnetic or
-optical attacks are more limited in the first place and can be shielded, we have effectively forced the attacker to use
-an attack robot.
+inhospitable to human life. Since non-contact electromagnetic or optical attacks are more limited in the first place and
+can be shielded, we have effectively forced the attacker to use an attack robot.
 
 In Section~\ref{sec_related_work}, we will give an overview of the state of the art in the physical security of HSMs. On
-this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach. We
-will analyze its weaknesses in Section~\ref{sec_attacks}.  We conclude this paper with a general evaluation of our
-concept in Section~\ref{sec_conclusion}.
+this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach.  We
+conclude this paper with a general evaluation of our concept in Section~\ref{sec_conclusion}.
 
 \section{Related work} 
 \label{sec_related_work}
@@ -144,24 +142,24 @@ meandering electrical traces on a fragile foil that is wrapped around the HSM es
 problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019,
 anderson2020}.  There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic
 radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research
-has found widespread adoption.
+has found widespread adoption yet.
 
 In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM
 4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard
-construction. Though its turn of the century design is now a bit dated, the construction techniques of the physical
-security mechanisms have not evolved much in the last two decades. Apart from some auxiliary temperature and radiation
-sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional
+construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical
+security mechanisms have not evolved much in the last two decades. Besides auxiliary temperature and radiation sensors
+to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional
 construction of a flexible mesh wrapped around the module's core. In~\cite{smith1998}, the authors state the module
 monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and
 construction is similar to other commercial offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
 
 To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a
 hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security
-barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to cheaply manufacture and certify
+barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture 
 these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap
-low-performance security barrier and transforming it into a marginally more expensive but very high-performance one. The
+low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The
 closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that
-describes an mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled
+describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled
 with pressurized gas.
 
 \section{Inertial HSM construction and operation}
@@ -172,15 +170,14 @@ routinely used in military applications to make things harder to hit~\cite{terdi
 use it in tamper detection. If we consider different ways of moving an HSM to make it harder to tamper with, we find
 that making it spin has several advantages.
 
-First, the HSM has to move fairly fast. If any point of the HSM's tamper sensing mehs moves slow enough for a human to
+First, the HSM has to move fairly fast. If any point of the HSM's tamper sensing mesh moves slow enough for a human to
 follow, it becomes a weak spot. E.g.\ in a linear pendulum motion, the pendulum becomes stationary at its apex.  Second,
-a spinning HSM is compact compared to alternatives like an HSM on wheels.  Finally, rotation leads to predictable
+a spinning HSM is compact compared to alternatives like an HSM on wheels.  Finally, rotation leads to easily predictable
 accelerometer measurements.  A beneficial side-effect of spinning the HSM is that if the axis of rotation is within the
 HSM itself, an attacker trying to follow the motion would have to rotate around the same axis. Their tangential linear
 velocity would rise linearly with the radius from the axis of rotation, which allows us to limit the approximate maximum
-size and mass of an attacker using an assumption on tolerable centrifugal force (see Appendix
-\ref{sec_minimum_angular_velocity}).  In this consideration the axis of rotation is a weak spot, but that can be
-mitigated using multiple nested layers of protection.
+size and mass of an attacker using an assumption on tolerable centrifugal force.  In this consideration the axis of
+rotation is a weak spot, but that can be mitigated using multiple nested layers of protection.
 
 \begin{figure}
     \center
@@ -192,9 +189,9 @@ mitigated using multiple nested layers of protection.
 
 In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to
 distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the
-rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, both
-acceleration tangential to the rotation and along the axis of rotation will be zero. Centrifugal acceleration will be
-constant.
+rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, after
+subtracting gravity both acceleration tangential to the rotation and along the axis of rotation will be zero.
+Centrifugal acceleration will be constant.
 
 Large centrifugal acceleration at high speeds poses the engineering challenge of preventing the whole thing from flying
 apart, but it also creates an obstacle to any attacker trying to manipulate the sensor.  We do not need to move the
@@ -220,7 +217,7 @@ solved with complex and costly siphon-style constructions, so in commercial syst
 exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power.
 Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum possible power dissipation
 of the payload and unlocks much more powerful processing capabilities.  In an evolution of our design, the spinning mesh
-could even be designed to *be* a cooling fan.
+could even be designed to \emph{be} a cooling fan.
 
 \subsection{Spinning mesh power and data transmission}
 
@@ -229,13 +226,13 @@ implementation challenges. Since the spinning mesh must be monitored for breaks
 both a power supply for the spinning monitoring circuit and a data link to the stator.
 
 We think that a bright lamp shining at a rotating solar panel is a good starting point.  In contrast to e.g.\ slip
-rings, this setup is mechanically durable at high speeds and it also provides reasonable output power (see Appendix
-\ref{sec_energy_calculations} for some calculations on power consumption). A battery may not provide a useful lifetime
-without power-optimization. Likewise, an energy harvesting setup may not provide enough current to supply peak demand.
+rings, this setup is mechanically durable at high speeds and it also provides reasonable output power. A battery may not
+provide a useful lifetime without power-optimization. Likewise, an energy harvesting setup may not provide enough
+current to supply peak demand.
 
 Since the monitoring circuit uses little current, power transfer efficiency is not important. On the other hand, cost
 may be a concern in a production device. Here it may prove worthwhile to replace the solar cell setup with an extra
-winding on the rotor of the BLDC motor driving the spinning mesh. This rotor is likely to be a custom part, so adding
+winding on the rotor of the BLDC motor driving the spinning mesh. This motor is likely to be a custom part, so adding
 an extra winding is unlikely to increase cost significantly. More traditional inductive power transfer may also be an
 option if it can be integrated into the mechanical design.