report: update with björn's input

1 files changed, 83 insertions, 89 deletions

diff --git a/doc/quick-tech-report/rotohsm_tech_report.tex b/doc/quick-tech-report/rotohsm_tech_report.tex
index f69301a..e56ed76 100644
--- a/doc/quick-tech-report/rotohsm_tech_report.tex
+++ b/doc/quick-tech-report/rotohsm_tech_report.tex
@@ -80,87 +80,47 @@
 
 \section*{Abstract}
 
-In this paper, we introduce a novel, highly effective countermeasure against physical attacks: Inertial hardware
-security modules. Conventional systems have in common that they try to detect attacks by crafting sensors responding to
-increasingly minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce
-the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by
+In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules.
+Conventional systems have in common that they try to detect attacks by crafting sensors responding to increasingly
+minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce the
+sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by
 rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop
-the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes.
-
-Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet
-offers a level of security that is comparable to even the best commercial offerings. By building prototype hardware we
-have demonstrated solutions to the concept's engineering challenges.
+the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes.  Our approach leads to a HSM that
+can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is
+comparable to commercial HSMs. By building prototype hardware we have demonstrated solutions to the concept's
+engineering challenges.
 
 \section{Introduction}
 
 While information security technology has matured a great deal in the last half century, physical security has barely
-changed. Given the right skills, physical access to a computer still often equates full compromise. The physical
+changed. Given the right skills, physical access to a computer still often means full compromise. The physical
 security of modern server hardware hinges on what lock you put on the room it is in.
 
 Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid
 switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between
 physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key
 infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic
-co-processors in form of smartcard-like trusted platform modules (TPMs) or hardware security modules (HSMs). Using a
-limited amount of trust in components such as the CPU, the larger system's security can be reduced to that of its
-physically secured TPM\cite{heise2020t2jailbreak,frazelle2019,johnson2018}. Being physcially small, physical security is
-less of a challenge on the scale of a TPM.
-
-\subsection{Technical approaches to physical security}
+co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of
+trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured
+TPM~\cite{heise2020t2jailbreak,frazelle2019,johnson2018}.
+
+Like smartcards, TPMs rely on an IC's nanoscopic structures being hard to tamper with. HSMs rely on a fragile foil with
+much larger-scale conductive traces being hard to remove intact.  While we are certain that there still are many
+insights to be gained in both technologies, we wish to introduce a novel approach to sidestep the manufacturing issues
+of both and provide radically better security against physical attacks.  Our core observation is that any cheap but
+coarse HSM technology can be made much more difficult to attack by moving it very quickly.
+
+For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set
+by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue,
+solder and lasers~\cite{drimer2008}.  Now consider the same HSM mounted on a large flywheel. In addition to its usual
+defenses the HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high speed. How
+would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the
+accelerometer---or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow
+speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become
+inhospitable to human life (see Appendix~\ref{sec_minimum_angular_velocity}). Since non-contact electromagnetic or
+optical attacks are more limited in the first place and can be shielded, we have effectively forced the attacker to use
+an attack robot.
 
-Shrinking things to the nanoscopic level to secure them against tampering is an engineering solution to problems that
-cannot be solved (yet) with cryptographic security. The security of chips like smartcards and TPMs often rests on the
-assumption that their fine structures are hard to reverse engineer and modify. As of now, this property holds and in the
-authors' opinion it will likely be a reasonable assumption for some years to come.  However, in essence this is a type
-of security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack these
-chips\cite{albartus2020,anderson2020}.
-
-\subsection{Hardware Security Modules}
-
-Right now, Hardware security modules (HSMs) are the class of commercial devices offering the highest ``physical
-security-to-volume-product''. Where smartcards physically secure a single chip, HSMs secure a small circuit board. In
-contrast to a smartcard, in a tradeoff between security and convenience the HSM actively deletes its secrets when it
-detects a manipulation.  Commercial HSMs commonly employ what we call \emph{boundary monitoring}. They have a physical
-security barrier that they continuously monitor for holes.  Usually, this barrier is a thin foil that is patterned with
-at least two meandering electrical traces that is folded in layers to cover the entire area of the foil. The HSM
-monitors these traces for shorts or breaks. This simple construction transforms the security problem into a
-manufacturing challenge\cite{isaacs2013,immler2019,anderson2020}.
-
-In our classification the other type of HSMs are \emph{volumetric} HSMs. They monitor their entire internal volume for
-changes using e.g.\ electromagnetic radiation\cite{tobisch2020,kreft2012} or ultrasound\cite{vrijaldenhoven2004}. Their
-security is limited by the analog sensitivity of their transceivers. Their practicality is limited by their complex
-transceiver and signal processing circuitry. They promise to secure larger volumes than boundary monitoring at higher
-parts cost.  A problem with volumetric designs is their security analysis, which is hard to do without significant
-guesswork.  In e.g.\ a device that use electromagnetic radiation to monitor its volume, one might have to numerically
-solve the electromagnetic field equations inside the HSM to validate its impenetrability.
-
-\subsection{Inertial HSMs: A new approach to physical security}
-
-We are certain that there is still much work to be done and many insights to be gained in both HSM and in smartcard
-technology\footnote{
-    As a baseline, consider a box with mirrored walls that contains a smaller box suspended on thin wires that has
-    cameras looking outward in all directions at the mirrored walls. Given that the defender can control lighting
-    conditions inside this kaleidoscopic box in this application modern cameras perform better than the human eye.
-    Thus, a successful physical attack on this system would likely an ``invisibility cloak''--and the system would
-    remain secure as long as no such thing exists. To be viable, an HSM technology must be either cheaper, smaller or
-    more sensitive than this strawman setup\cite{kim2018}.
-}. % TODO perhaps misplaced citation and/or poor source?
-Still, we wish to introduce a novel approach to sidestep the issues of conventional HSMs and provide radically better
-security against physical attacks.  Our core observation is that any cheap but coarse HSM technology can be made much
-more difficult to attack by moving it very quickly. As a trivial example, consider an HSM as it is used in
-ecommerce applications for credit card payments. Its physical security level is set by the structure size of its
-security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, solder and
-lasers\cite{drimer2008}.
-
-Now consider the same HSM mounted on a large flywheel. In addition to its usual defenses the HSM is now equipped with an
-accelerometer that it uses to verify that it is spinning at high speed. How would an attacker approach this HSM? They
-would have to either slow down the rotation, triggering the accelerometer, or they would have to attack the HSM in
-motion. The HSM literally becomes a moving target. At slow speeds, rotating the entire attack workbench might be
-possible but rotating frames of reference quickly become inhospitable to human life\footnote{See Appendix
-\ref{sec_minimum_angular_velocity}}. Since non-contact electromagnetic or optical attacks are more limited in the first
-place and can be shielded, we have effectively forced the attacker to use an attack robot.
-
-\subsection{Contributions}
 This work contains the following contributions:
 \begin{enumerate}
     \item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective small-scale production of
@@ -171,59 +131,89 @@ This work contains the following contributions:
     % FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack.
 \end{enumerate}
 
+In Section~\ref{sec_related_work}, we will give an overview of the state of the art in the physical security of HSMs. On
+this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach. We
+will analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a prototype system that
+we will illustrate in Section~\ref{sec_proto}. Before we conclude this paper in Section~\ref{sec_conclusion} we will
+present some inspiration for future work in Section~\ref{sec_future_work}.
+
 \section{Related work} 
+\label{sec_related_work}
 % summaries of research papers on HSMs.  I have not found any actual prior art on anything involving mechanical motion
 % beyond ultrasound.
-In \cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM
-4758 HSM whose details are laid out in depth in \cite{smith1998}. This HSM is an example of an industry-standard
+
+HSMs are an old technology tracing back decades in their electronic realization.
+
+
+% FIXME integrate this
+Shrinking things to the nanoscopic level to secure them against tampering is an engineering solution to problems that
+cannot be solved (yet) with cryptographic security. The security of chips like smartcards and TPMs often rests on the
+assumption that their fine structures are hard to reverse engineer and modify. As of now, this property holds and it
+will likely be a reasonable assumption for some years to come.  However, in essence this is a type of security by
+obscurity: Obscurity here referring to the rarity of the equipment necessary to attack these
+chips~\cite{albartus2020,anderson2020}.
+
+Hardware security modules (HSMs) are the class of commercial devices offering the highest ``physical
+security-to-volume-product''. HSMs continuously monitor a small circuit board and actively delete their secrets when a
+manipulation is detected.  Commercial HSMs are usually \emph{boundary monitoring}.  They monitor meandering electrical
+traces on a fragile foil that is wrapped around the HSM.  This construction transforms the security problem into the
+challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013,immler2019,anderson2020}.
+There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic
+radiation~\cite{tobisch2020,kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of it has found widespread adoption.
+% FIXME end
+
+
+In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM
+4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard
 construction. Though its turn of the century design is now a bit dated, the construction techniques of the physical
 security mechanisms have not evolved much in the last two decades. Apart from some auxiliary temperature and radiation
 sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional
-construction of a flexible mesh wrapped around the module's core. In \cite{smith1998}, the authors state the module
+construction of a flexible mesh wrapped around the module's core. In~\cite{smith1998}, the authors state the module
 monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and
-construction is similar to other commercial offerings\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
+construction is similar to other commercial offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
 
-In \cite{immler2019}, Immler et al. describe a HSM based on precise capacitance measurements of a mesh. In contrast to
+In~\cite{immler2019}, Immler et al. describe a HSM based on precise capacitance measurements of a mesh. In contrast to
 traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example).
 Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in
 covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A
 core component of their design is that they propose its use as a PUF to allow for protection even when powered off,
 similar to a smart card---but the design is not limited to this use.
 
-In \cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based
+In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based
 around commodity Wifi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference
 signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections
 and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that
 the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the
-volume of the cavity will cause a significant change in its RF response. The core idea in \cite{tobisch2020} is to use
+volume of the cavity will cause a significant change in its RF response. The core idea in~\cite{tobisch2020} is to use
 commodity Wifi hardware to reduce the cost of the HSM's sensing circuitry. The resulting system is likely both much
-cheaper and capable of protecting a much larger security envelope than e.g. the design from \cite{immler2019}, at the
-cost of worse and less predictable security guarantees.  Where \cite{tobisch2020} use electromagnetic radiation,
-Vrijaldenhoven in \cite{vrijaldenhoven2004} uses ultrasound waves travelling on a surface acoustic wave (SAW) device to
+cheaper and capable of protecting a much larger security envelope than e.g. the design from~\cite{immler2019}, at the
+cost of worse and less predictable security guarantees.  Where~\cite{tobisch2020} use electromagnetic radiation,
+Vrijaldenhoven in~\cite{vrijaldenhoven2004} uses ultrasound waves travelling on a surface acoustic wave (SAW) device to
 a similar end.
 
-While \cite{tobisch2020} approach the sensing frontend cost as their only optimization target, the prior work of Kreft
-and Adi \cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume barely larger than a
+While~\cite{tobisch2020} approach the sensing frontend cost as their only optimization target, the prior work of Kreft
+and Adi~\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume barely larger than a
 single chip. They theorize how an array of distributed RF transceivers can measure the physical properties of a potting
 compound that has been loaded with RF-reflective grains. In their concept, the RF response characterized by these
 transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains within the potting
 compound.
 
 Our concept is novel in that mechanical motion has not been proposed before as part of a hardware security module. Most
-academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs\cite{immler2019}
+academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs~\cite{immler2019}
 while commercial vendors concentrate on means to cheaply manufacture and certify these security
-barriers\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance
+barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance
 security barrier and transforming it into a marginally more expensive but very high-performance one. The closest to a
-mechanical HSM that we were able to find during our research is an 1988 patent \cite{rahman1988} that describes an
+mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that describes an
 mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled with
 pressurized gas.
 
 \section{Inertial HSM construction and operation}
+\label{sec_ihsm_construction}
 
 \subsection{Using motion for tamper detection}
 
-Mechanical motion has been proposed as a means of making things harder to see with the human eye\cite{haines2006} and is
-routinely used in military applications to make things harder to hit\cite{terdiman2013} but we seem to be the first to
+Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and is
+routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first to
 use it in tamper detection. Let us think about the constraints of our approach.
 
 \begin{enumerate}
@@ -306,7 +296,7 @@ In our prototype, we settled on a solar cell-based solution for its simplicity.
 
 In boundary-sensing HSMs, cooling of the processor inside is a serious issue since any air duct or heat pipe would have
 to penetrate the HSM's security boundary. This problem can be solved with complex and costly siphon-style constructions,
-but in commercial systems heat conduction is used exclusively\cite{isaacs2013}. This limits the maximum power
+but in commercial systems heat conduction is used exclusively~\cite{isaacs2013}. This limits the maximum power
 dissipation of the payload and thus its processing power. In our spinning HSM concept, the spinning mesh can have
 longitudindal gaps in the mesh without impeding its function. This allows air to pass through the mesh during rotation,
 and one could even integrate an actual fan into the rotor. This greatly increases the maximum possible power dissipation
@@ -322,12 +312,13 @@ occassional status reports and a high-frequency alarm trigger heartbeat signal t
 this, a simple optocoupler close to the axis of rotation is a good solution that we implemented in our prototype.
 
 \section{Attacks}
+\label{sec_attacks}
 \subsection{Attacks on the mesh}
 
 There are two locations where one can attack a tamper-detection mesh. On one hand, the mesh itself can be tampered with.
 This includes bridging its traces to allow for a hole to be cut. The other option is to tamper with the monitoring
 circuit itself, to prevent a damaged mesh from triggering an alarm and causing the HSM to erase its
-contents\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e. they require electrical contact to
+contents~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e. they require electrical contact to
 parts of the circuit. Traditionally, this contact is made by soldering or by placing a probe such as a thin needle.  We
 consider this contact infeasible to be performed on an object spinning at high speed without a complex setup that
 rotates along with the object or that involves ion beams, electron beams or liquids. Thus, we consider them to be
@@ -363,7 +354,7 @@ or active-low alarm signal cannot be considered fail-safe in this scenario.
 
 An attacker may try to stop the rotor before tampering with the mesh. To succeed, they would need to fool the rotor's
 MEMS accelerometer. An electronic attack on the sensor or the monitoring microcontroller would be no easier than
-directly bridging the mesh traces.  Physical attacks on the accelerometer are possible\cite{trippel2017}, but in the
+directly bridging the mesh traces.  Physical attacks on the accelerometer are possible~\cite{trippel2017}, but in the
 authors' estimate are too hard to control to be practically useful.
 
 A last type of attack might be to try to physically tamper with the accelerometer's sensing mechanism. MEMS
@@ -378,6 +369,7 @@ change on a schedule, it is trivially detectable.
 In Appendix \ref{sec_degrees_of_freedom} we outline the constraints on sensor placement.
 
 \section{Prototype implementation}
+\label{sec_proto}
 
 To validate our theoretical design, we have implemented a prototype rotary HSM. The main engineering challenges we
 solved in our prototype are:
@@ -510,6 +502,7 @@ larger-scale implementation of the inertial HSM concept practical.
 \end{figure}
 
 \section{Future Work}
+\label{sec_future_work}
 
 \subsection{Design space exploration}
 
@@ -533,6 +526,7 @@ We intend to refine our prototype design to production quality. As part of this,
 on our prototype.
 
 \section{Conclusion}
+\label{sec_conclusion}
 In this paper, we have presented inertial hardware security modules (iHSMs), a novel concept for the construction of
 highly secure hardware security modules from inexpensive, commonly available parts. We have elaborated the engineering
 considerations underlying a practical implementation of this concept. We have implemented a prototype demonstrating