-rw-r--r--  paper/diffinator.py  |   6
-rw-r--r--  paper/ihsm_paper.tex | 192
2 files changed, 114 insertions, 84 deletions
diff --git a/paper/diffinator.py b/paper/diffinator.py index be856e6..00a5b4f 100644 --- a/paper/diffinator.py +++ b/paper/diffinator.py @@ -64,6 +64,12 @@ def generate_git_tex_diff(texfile, bibliography, revision): def suppress_small_changes(match): old, _1, new, _2 = match.groups() + if len(old) < 12 and len(new) < 12: + return new + + if old.count(' ') < 3 and new.count(' ') < 3: + return new + new_chars = list(new) for char in old: if char not in string.ascii_letters: diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex index 0358519..56ac7c1 100644 --- a/paper/ihsm_paper.tex +++ b/paper/ihsm_paper.tex 
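Review bot: in the diffinator.py hunk, the two new early returns in suppress_small_changes use unexplained thresholds (12 characters, 3 spaces); give them names as module-level constants or add a comment stating the heuristic, e.g. "drop change markup when both sides are under 12 characters or under 3 words". Also note that the second check has no length bound at all: old.count(' ') < 3 and new.count(' ') < 3 is true for a long single-word replacement (a renamed macro, a changed filename), so such edits vanish from the generated diff entirely instead of being marked. If the intent is only to hide small edits, bound the second check by length as well, or combine the two conditions into one.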
@@ -146,15 +146,16 @@ HSM continuously monitors itself whereas a physical seal only serves to record t it. This examination can be done by eye in the field, but it can also be carried out in a laboratory using complex equipment. An HSM in principle has to have this examination equipment built-in. -Physical seals are used in a wide variety of applications. Of interest for this paper are those used for monitoring of -nuclear material under the International Atomic Energy Authority (IAEA). Most of these seals use the same approach that -is used in Physically Unclonable Functions (PUFs), though their development predates that of PUFs by several decades. -The seal is created in a way that intentionally causes large, random device-to-device variations. These variations are -precisely recorded at deployment. At the end of the seal's lifetime, the seal is returned to a lab and closely examined -to check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes -random scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA -seal), the uncontrollably random distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well -as the precise three-dimensional surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}. +Physical seals are used in a wide variety of applications. The most interesting ones from a research point of view that +are recorded in public literature are those used for monitoring of nuclear material under the International Atomic +Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically Unclonable Functions +(PUFs), though their development predates that of PUFs by several decades. The seal is created in a way that +intentionally causes large, random device-to-device variations. These variations are precisely recorded at deployment. 
+At the end of the seal's lifetime, the seal is returned to a lab and closely examined to check for any deviations from +the seal's prior recorded state. The type of variation used in these seals includes random scratches in metal parts and +random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the uncontrollably random +distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well as the precise three-dimensional +surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}. The IAEA's equipment portfolio does include electronic seals such as the EOSS. These devices are intended for remote reading, similar to an HSM. They are constructed from two components: A cable that is surveilled for tampering, and a 
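Review bot: in the rewritten sentence of the @@ -146 hunk, IAEA is expanded as "International Atomic Energy Authority"; the organisation is the International Atomic Energy Agency, and since this hunk already rewrites the sentence it is the place to fix it. The opening clause "The most interesting ones from a research point of view that are recorded in public literature are those used for" is also hard to parse; "The best-documented ones in the public literature are those used for" says the same thing more directly.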
@@ -186,10 +187,11 @@ protection even when powered off, similar to a smart card---but the design is no In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based on a WiFi transceiver inside a conductive enclosure. In their design, a reference signal is sent into the RF cavity formed -by the conductive enclosure. The receiver(s) use the signal's reflections to characterize the phase and frequency -response of the RF cavity. They assume that the RF behavior of the cavity is inscrutable from the outside, and that any -small disturbances within the volume of the cavity will cause a significant change in its RF response. Based on -commodity WiFi hardware, the resulting system is likely both much cheaper and capable of protecting a much larger +by the conductive enclosure. One or more receivers listen for the signal's reflections and use them to characterize the +phase and frequency response of the RF cavity. The assumption underlying their system is that the RF behavior of the +cavity is inscrutable from the outside, and that any small disturbances within the volume of the cavity will cause a +significant change in its RF response. A core component of the work of Tobisch et al.~\cite{tobisch2020} is that they +use commodity WiFi hardware, so the resulting system is likely both much cheaper and capable of protecting a much larger security envelope than designs using finely patterned foil security meshes such as~\cite{immler2019}, at the cost of worse and less predictable security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven in~\cite{vrijaldenhoven2004} uses ultrasound waves traveling on a surface acoustic wave (SAW) device to a similar end. 
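Review bot: the added sentence "A core component of the work of Tobisch et al.~\cite{tobisch2020} is that they use commodity WiFi hardware" repeats the citation given two sentences earlier in the same paragraph; "A core aspect of their design is the use of commodity WiFi hardware, so the resulting system..." reads more smoothly. Splitting the original long sentence into "One or more receivers listen for..." and "The assumption underlying their system is..." is an improvement.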
@@ -205,7 +207,10 @@ To the best of our knowledge, we are the first to propose a mechanically moving security module. Most academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance -security barrier and transforming it into a marginally more expensive but high-performance one. +security barrier and transforming it into a marginally more expensive but high-performance one. The closest to a +mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that describes a +mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled with +pressurized gas. \section{Inertial HSM construction and operation} \label{sec_ihsm_construction} 
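Review bot: "an 1988 patent" should be "a 1988 patent". It would also help to state in one clause what the pressurized-gas conduit of~\cite{rahman1988} shares with the IHSM concept, since as written the reader has to infer why a cable-protection patent is "the closest to a mechanical HSM".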
@@ -252,13 +257,14 @@ challenging. First, there are several ways how we can approach motion. Periodic, aperiodic and continuous motion could serve the purpose. There is also linear motion as well as rotation. We can also vary the degree of electronic control in this motion. The main constraint on the HSM's motion pattern is that it needs to be (almost) continuous to not expose any -weak spots. Additionally, it has to stay within a confined space: Linear motion would have to be periodic, like that of -a pendulum. Such periodic linear motion will have to quickly reverse direction at its apex so the device is not -stationary long enough for this to become a weak spot. +weak spots during instantaneous standstill of the HSM. Additionally, it has to stay within a confined space. For space +efficiency, linear motion would have to be periodic, like that of a pendulum. Such periodic linear motion will have to +quickly reverse direction at its apex so the device is not stationary long enough for this to become a weak spot. In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the device. When the axis is fixed, rotation will expose a weak spot close to the axis where tangential velocity is low. -Possible mitigations are faster rotation to lessen the impact, additional tamper protection at the axis, and having the +Faster rotation can lessen the security impact of this fact at the expense of power consumption and mechanical stress, +but it can never elimitate it. More effective mitigations are additional tamper protection at the axis, and having the HSM perform a compound rotation that has no fixed axis. High speed gives rise to large centrifugal acceleration, which poses the engineering challenge of preventing rapid 
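Review bot: typo "elimitate" (should be "eliminate") in the added sentence on faster rotation. The added phrase "to not expose any weak spots during instantaneous standstill of the HSM" is awkward; "so that the HSM never comes to an instantaneous standstill that would expose a weak spot" states the constraint directly.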
@@ -286,33 +292,41 @@ using stochastic properties of the enclosure material to form a PUF, such academ techniques to improve the system's security level by a significant margin. In our research, we focus on security meshes as our IHSM's tamper sensors. The cost of advanced manufacturing -techniques and special materials used in commercial meshes poses an obstacle to small-scale manufacturing. The -foundation of an IHSM security is that by moving the mesh, even a primitive, coarse mesh such as one made from a -low-cost PCB becomes very hard to attack in practice. Additionally, the use of a mesh allows us to only spin the mesh -itself and its monitoring circuit and keep the payload inside the mesh stationary for reduced design complexity. -Other tamper sensing systems such as RF fingerprinting would not allow for this degree of freedom in an IHSM. +techniques and special materials used in fine commercial meshes poses an obstacle to small-scale manufacturing and +academic research. The foundation of an IHSM security is that by moving the mesh, even a primitive, coarse mesh such as +one made from a low-cost PCB becomes very hard to attack in practice. This allows us to use a simple construction made +up from low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself and its monitoring +circuit and keep the payload inside the mesh stationary for reduced design complexity. Tamper sensing systems such as +RF fingerprinting that monitor the entire volume of the HSM instead of only a thin boundary layer would not allow for +this degree of freedom in an IHSM. They would instead require the entire IHSM to spin including its payload, which would +entail costly and complex systems for data and power transfer from the outside to the spinning payload. \subsection{Braking detection} The security mesh is a critical component in the IHSM's defense against physical attacks, but its monitoring is only one half of this defense. 
The other half consists of a reliable and sensitive braking detection system. This system must be -able to quickly detect any slowdown of the IHSM's rotation. +able to quickly detect any slowdown of the IHSM's rotation. Ideally, a sufficiently sensitive sensor is able to measure +any external force applied to the IHSM's rotor and should already trigger a response at the first signs of a +manipulation attempt. While the obvious choice to monitor rotation would be a magnetic or optical tachometer sensor attached to the IHSM's shaft, this would be a poor choice for our purposes since optical and magnetic sensors are susceptible to contact-less -interference from outside. We could use feedback from the motor driver electronics to determine the speed, but this -might allow for attacks at the mechanical interface between the mesh and the motor's shaft that decouple the mesh from -the motor. +interference from outside. We could use feedback from the motor driver electronics to determine the speed. When using a +BLDC motor, the driver electronics precisely know the rotor's position at all times. However, this apporach might allow +for attacks at the mechanical interface between the mesh and the motor's shaft. If an attacker can decouple the mesh +from the motor e.g.\ by drilling, laser ablation or electrical discharge machining (EDM) on the motor's shaft, the +motor could keep spinning at its nominal frequency while the mesh is already standing still. -Instead of a stator-side sensor, a rotor-side inertial sensor such as an accelerometer or gyroscope would be a good -component to serve as an IHSM's tamper sensor. A gyroscope would need to be placed close to the IHSM's shaft where -centrifugal force is low, and would directly measure changes in angular velocity. An accelerometer could be placed -anywhere on the rotor and would measure centrifugal acceleration. 
+Instead of a stator-side sensor, a rotor-side inertial sensor such as an accelerometer or gyroscope placed inside the +spinning mesh monitoring circuit would be a good component to serve as an IHSM's tamper sensor. A gyroscope would need +to be placed close to the IHSM's shaft where centrifugal force is low, and would directly measure changes in angular +velocity. An accelerometer could be placed anywhere on the rotor and would measure centrifugal acceleration. Modern, fully integrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of the device's mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper with the -device's motion. It may also allow remote monitoring of wear of the device's mechanical components such as -bearings~\cite{kvk2019,sh2016,adc2019,e2013}. +device's motion. It may also allow remote monitoring of wear of the device's mechanical components such as bearings: +MEMS accelerometers are fast enough to capture vibrations, which can be used as an early warning sign of failing +mechanical components~\cite{kvk2019,sh2016,adc2019,e2013}. In a spinning IHSM, an accelerometer mounted at a known radius with its axis pointing radially will measure centrifugal acceleration. Centrifugal acceleration rises linearly with radius, and with the square of frequency: $a=\omega^2 r$. For 
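Review bot: typos in the added lines of the @@ -286 hunk: "apporach" should be "approach", "made up from low-cost components" should be "made up of", and "The foundation of an IHSM security" should be "an IHSM's security" (this last one is carried over from the old lines, but the hunk rewrites that sentence anyway). The new sentences on decoupling the mesh from the motor shaft are a useful addition to the threat model; state the conclusion explicitly, namely that motor-driver feedback alone is therefore not a sufficient braking sensor, since that is what motivates the rotor-side inertial sensor introduced in the following paragraph.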
@@ -326,9 +340,9 @@ applications. To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark. Let us assume an IHSM spinning at $\SI{1000}{rpm}$. To detect any attempt to brake it below $\SI{500}{rpm}$, we have to detect a difference in -acceleration of a factor of $\frac{\omega_2^2}{\omega_1^2}=4$. Even in case of sub-optimal placement, any commercial -MEMS accelerometer will provide this degree of dynamic range and accuracy. To detect slow deceleration drift -characteristics have to be taken into account. +acceleration of a factor of $\frac{\omega_2^2}{\omega_1^2}=4$. Even without maximizing the accelerometer's dynamic range +through optimal placement, any commercial MEMS accelerometer will suffice. Only to detect slow deceleration, the +sensor's drift characteristics may have to be taken into account. In Section~\ref{sec_accel_meas} below, we conduct an empirical evaluation of a commercial automotive high-$g$ MEMS accelerometer for braking detection in our prototype IHSM. 
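Review bot: "Only to detect slow deceleration, the sensor's drift characteristics may have to be taken into account" is awkward; suggest "Only for detecting slow deceleration does the sensor's drift need to be taken into account." Since the benchmark is a factor-of-four change in centrifugal acceleration, saying what time scale "slow" refers to (seconds versus hours) would make clear when drift starts to matter.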
@@ -339,8 +353,10 @@ With our IHSM's components taken care of, what remains to be decided is how to p into a complete device. A basic spinning HSM might look as shown in Figure~\ref{fig_schema_one_axis}. Visible are the axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload, and the area covered by the rotating tamper detection mesh. Note that we only have to move the tamper protection mesh, not the -entire contents of the HSM, keeping most of the HSM's mass stationary. In our proof-of-concept prototype, we accept a -weak spot at the point where the shaft penetrates the mesh to simplify mechanical construction. +entire contents of the HSM, keeping most of the HSM's mass stationary. This reduces the moment of inertia of the +rotating part. It also eliminates the need for rotating data and power connections to the payload, which can be +supplied through a hollow shaft instead. In our proof-of-concept prototype, we accept a weak spot at the point where the +shaft penetrates the mesh to simplify mechanical construction. \begin{figure} \center 
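Review bot: the added sentence says data and power to the stationary payload "can be supplied through a hollow shaft instead", and the next sentence concedes a weak spot exactly where the shaft penetrates the mesh; since a hollow shaft enlarges that opening, add a forward reference to the mechanical weak spots subsection (Figure~\ref{shaft_cm}) so the reader sees the two statements are reconciled there.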
@@ -443,21 +459,26 @@ if power outages of more than a few seconds are unlikely (e.g.\ because of an ex be used as a flywheel for energy storage. \paragraph{Spurious alarms due to vibration.} -Beyond the issues mentioned above, the effect of normal mechanical vibration on the IHSM's tamper sensors has to be -considered. During normal operation, IHSMs may receive vibration from outside sources such as backup generators, workers -bumping the IHSM and nearby traffic. Besides such everyday sources, (usually harmless) earthquakes are a common -occurrence in some regions of the world. None of these sources of vibration are likely to cause a false alarm, but -since IHSMs are rotating machines they will themselves cause some amount of vibration and thus vibration isolation is a -reasonable design requirement. - -For reference, consider an IHSM running at an angular velcity of $\SI{1000}{rpm}$. A tamper -sensor mounted at a radius of $\SI{100}{\milli\meter}$ will measure a constant centrifugal -acceleration of approximately $100\,g$. -Literature on car crashes shows that accelerations above $10\,g$ in the car's structural components -correspond to a crash at $\SI{30}{\kilo\meter\per\hour}$ and above~\cite{ika2002,german2007}. Measurements of the Peak -Ground Acceleration (PGA) of severe earthquakes show that even the strongest earthquakes rarely reach a -PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990} with the 2011 Tohoku earthquake at approximately -$\SI{0.3}{g}$. + + +Even with all components working to their specification, an IHSM could still catastrophically fail if for some reason +its alarm would be spuriously activated due to movement of the device. The likelihood of such an alarm failure must be +minimized, e.g.\ by employing vibration damping. There are several possible causes why an IHSM might move during normal +operation. The IHSM may have to be relocated between datacenters, or a worker may bump the IHSM. 
Additionally, the +effect of normal mechanical vibration on the IHSM's tamper sensors has to be considered. During normal operation, +vibration from outside sources such as backup generators and nearby traffic (e.g. trains) may couple into the IHSM +through the building. Since IHSMs are rotating machines they will themselves cause some amount of vibration and thus +vibration isolation is a reasonable design requirement. Besides everyday sources of mechanical noise, (usually +harmless) earthquakes are a common occurrence in some regions of the world and will couple through any reasonable amount +of vibration damping. + +None of these sources of mechanical noise are likely to cause a false alarm. For reference, consider an IHSM running at +an angular velocity of $\SI{1000}{rpm}$. A tamper sensor mounted at a radius of $\SI{100}{\milli\meter}$ will measure a +constant centrifugal acceleration of approximately $100\,g$. Literature on car crashes shows that accelerations above +$10\,g$ in the car's structural components correspond to a crash at $\SI{30}{\kilo\meter\per\hour}$ and +above~\cite{ika2002,german2007}. Measurements of the Peak Ground Acceleration (PGA) of severe earthquakes show that +even the strongest earthquakes rarely reach a PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990} with the 2011 Tohoku earthquake +at approximately $\SI{0.3}{g}$. Instantaneous acceleration increases linearly with frequency, but likewise simple vibration dampers work better with higher frequencies~\cite{kelly1993,beards1996,dixon2007}, To reduce the likelihood of false detections, it is enough to 
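Review bot: the two blank lines added directly after \paragraph{Spurious alarms due to vibration.} will detach the run-in heading from its text (LaTeX starts a new paragraph, leaving the heading on its own line); remove them. "e.g. trains" lacks the "e.g.\ " form used elsewhere in the file, so LaTeX will set sentence-ending space there. In the unchanged context line below, "higher frequencies~\cite{kelly1993,beards1996,dixon2007}, To reduce" has a comma where a full stop belongs. Fixing "velcity" to "velocity" in the moved sentence is good.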
@@ -465,17 +486,18 @@ damp high-frequency shock and vibration, as low-frequency shock or vibration com large enough to cause a false alarm. For instance, an earthquake's low-frequency vibrations dissipate a tremendous amount of mechanical power across a large geographic area, but due to the their low absolute instantaneous acceleration, we can ignore them for the purposes of our tamper detection system. An IHSM's tamper detection subsystem will be able -to clearly distinguish attempts to stop the IHSM's rotation from normal environmental noise. Any external acceleration -that would come close in order of magnitude to the operating centrifugal acceleration at the periphery of an IHSM's -rotor would likely destroy the IHSM. +to clearly distinguish attempts to stop the IHSM's rotation from normal environmental noise by their magnitude. Any +external acceleration that would come close in order of magnitude to the operating centrifugal acceleration at the +periphery of an IHSM's rotor would likely destroy the IHSM. \subsection{Transportation} While unintentional acceleration is unlikely to cause false alarms in an IHSM when simple vibration damping is employed, there is an issue when intentionally moving an IHSM: The IHSM's rotor stores significant rotational energy and will respond to tipping with a precession force. This could become an issue when a larger IHSM is transported between e.g.\ -the manufacturer's premises and its destination data center. The simple solution to this problem is to transport the IHSM -elastically mounted with its axis pointing upwards inside a heavy shipping box. +the manufacturer's premises and its destination data center. The simple solution to this problem is to transport the +IHSM elastically mounted with its axis pointing upwards inside a shipping box that is weighted to resist precession +forces. During shipping, the IHSM will require a continuous power supply. 
Following our conservative estimate in Section~\ref{sec-power-failure}, 48-hour courier shipping could easily be bridged with the equivalent of 5-10 laptop @@ -491,8 +513,8 @@ After outlining the basic mechanical design of an inertial HSM as well as the fu above, in this section, we will detail possible ways to attack it. At the core of an IHSM's defenses is the same security mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to perform the same steps they would have to perform to attack a traditional HSM. However, they will either need to -perform these attack steps with a tool that follows the HSM's rotation at high speed or they will first need to defeat -the braking sensor. +perform these attack steps with a tool such as a CNC actuator or a laser that follows the HSM's rotation at high speed, +or they will first need to defeat the braking sensor. \subsection{Attacks that don't work} 
@@ -503,14 +525,13 @@ In principle, there are three ways to attack a conventional HSM. The hard way is triggering the alarm, e.g.\ with a probe that is finer than the mesh's spacing. For larger probes, an attacker can laboriously uncover, then bridge the mesh traces to allow part of the mesh to be removed. Some HSMs attempt to detect such attacks by measuring mesh resistance~\cite{obermaier2019}, but this is limited by available measurement precision. - -% However, if an attacker only wishes to disable a small section of the mesh to insert a handful of fine probes into the -% device, this hardening approach becomes challenging. Consider a mesh that covers an area of $\SI{100}{\milli\meter}$ -% by $\SI{100}{\milli\meter}$. An attacker who short-circuits a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section -% of this mesh will change the mesh trace's resistance by approximately -% $\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25 \%$. -% Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding -% temperature stability of the mesh material. +If an attacker only wishes to disable a small section of the mesh to insert a handful of fine probes into the device, +this hardening approach becomes challenging. Consider a mesh that covers an area of $\SI{100}{\milli\meter}$ by +$\SI{100}{\milli\meter}$. An attacker who short-circuits a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section of +this mesh will change the mesh trace's resistance by approximately +$\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25 \%$. +Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding +temperature stability of the mesh material. The second way to attack an HSM is to go \emph{around} the mesh. 
Many commercial HSMs sandwich the payload PCB between two halves of an enclosure~\cite{obermaier2019}. This design is vulnerable to attempts to stick a fine needle through 
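Review bot: now that the commented-out calculation is uncommented and reads as a stated result, its assumption should be explicit: the 0.25% figure assumes the mesh trace's resistance is distributed uniformly over the 100 mm by 100 mm area, so that shorting a 5 mm by 5 mm patch removes a proportional fraction of the trace. The 9-bit figure follows from 1/0.0025 = 400 < 2^9 = 512 and is worth one clause, since readers will otherwise stop to check it. Removing the blank line also merges this text into the preceding paragraph, but the "However" that opened the commented version was dropped, so "If an attacker only wishes..." now follows "limited by available measurement precision." with no connective; either restore the blank line or reinstate a transition.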
@@ -587,27 +608,30 @@ $r=\SI{100}{\milli\meter}$. To keep a manipulator stationary within a $\SI{5}{\ window over a period of $\SI{10}{\second}$ requires attack tool and IHSM speeds to be matched to an accuracy better than $\frac{\SI{5}{\milli\meter}}{\SI{10}{\second}} \cdot \frac{1}{2\pi r} = \SI{8.0}{\milli\hertz} = \SI{0.048}{rpm}$. Relative to a realistic IHSM's speed of $\SI{1000}{rpm}$ this corresponds to approximately $\SI{50}{ppm}$. Achieving -this accuracy would likely require active servo control of the attack tool's rotation. +this accuracy would likely require active servo control of the attack tool's rotation that is locked, e.g.\ optically, +to the IHSM's rotor. -If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a manipulator -tolerant to high g forces that is able to disable the IHSM's mesh. Simply drilling a small hole is not enough in this -case since the payload is stationary. Instead, using the rotating manipulator, the attacker has to create an opening in -the mesh large enough to place a \emph{stationary} probe on the payload. We estimate that creating a rotating, -remote-controllable manipulator that can be used to successfully attack a security mesh is infeasible given the degree -of manual skill necessary even for normal soldering work. +If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a +remote-controlled manipulator that is able to disable the IHSM's mesh. This manipulator would have to be tolerant to +high g forces so that it can be mounted on the attack tool's rotating stage. Drilling only a small hole is not enough +in this case since, while the mesh is moving, the payload is stationary. Instead, using the rotating manipulator, the +attacker has to create an opening in the mesh large enough to place a \emph{stationary} probe on the payload. 
We +estimate that creating a rotating, remote-controllable manipulator that can be used to successfully attack a security +mesh is infeasible given the degree of manual skill necessary even for normal soldering work. \subsection{Mechanical weak spots} As we elaborated in the previous paragraphs, we consider a fast-moving mesh to offer a strong tamper detection -capability. However, depending on the type of motion used, the mesh's actual speed may vary by location and over time. -Our example configuration of a rotating mesh moves continuously and does not have any time-dependent weak spots. It -does, however, have a weak spot where the shaft penetrates the mesh at the axis. The mesh's tangential velocity -decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as probes into the device -through the opening it creates. Conventional HSMs also have to take precautions to protect their power and data -connections, such as flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. As a result of -these precautions, in conventional HSMs this interface rarely is a mechanical weak spot. In inertial HSMs, careful -engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with -increasing complexity. +capability based on the assumption that the mesh is moving too fast to tamper. However, depending on the type of motion +used, the mesh's actual speed may vary by location and over time. Our example configuration of a rotating mesh moves +continuously and does not have any time-dependent weak spots. It does, however, have a weak spot where the shaft +penetrates the mesh at the axis. The mesh's tangential velocity decreases close to the shaft, and the shaft itself may +allow an attacker to insert tools such as probes into the device through the opening it creates. Conventional HSMs also +have to take precautions to protect their power and data connections. 
In conventional HSMs, power and data are routed +into the enclosure along a meandering path through the PCB or through flat flex cables sandwiched in between security +mesh foil layers~\cite{smith1998}. As a result of these precautions, in conventional HSMs this interface rarely is a +mechanical weak spot. In inertial HSMs, careful engineering is necessary to achieve the same effect. +Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity. \begin{figure} \begin{subfigure}[t]{0.3\textwidth} |
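Review bot: in the @@ -587 hunk, "Conventional HSMs also have to take precautions to protect their power and data connections. In conventional HSMs, power and data are routed ... As a result of these precautions, in conventional HSMs this interface..." says "conventional HSMs" three times in three sentences; merge the first two: "Conventional HSMs also have to protect their power and data connections, which are routed into the enclosure along a meandering path through the PCB or through flat flex cables sandwiched between security mesh foil layers~\cite{smith1998}." Also "moving too fast to tamper" should be "too fast to tamper with".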