diff options
-rw-r--r-- | doc/paper/rotohsm_paper.pdf | bin | 3563845 -> 3563874 bytes | |||
-rw-r--r-- | doc/paper/rotohsm_paper.tex | 253 | ||||
-rw-r--r-- | doc/paper/rotohsm_tech_report.pdf | bin | 112454 -> 112557 bytes |
3 files changed, 122 insertions, 131 deletions
diff --git a/doc/paper/rotohsm_paper.pdf b/doc/paper/rotohsm_paper.pdf Binary files differindex 915b730..e874899 100644 --- a/doc/paper/rotohsm_paper.pdf +++ b/doc/paper/rotohsm_paper.pdf diff --git a/doc/paper/rotohsm_paper.tex b/doc/paper/rotohsm_paper.tex index de1c81a..14551d8 100644 --- a/doc/paper/rotohsm_paper.tex +++ b/doc/paper/rotohsm_paper.tex @@ -80,14 +80,15 @@ defenses the HSM is now equipped with an accelerometer that it uses to verify th would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the accelerometer---or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become -inhospitable to human life (see Section~\ref{sec_ihsm_motion}). Since non-contact electromagnetic or optical attacks are -more limited in the first place and can be shielded, we have effectively forced the attacker to use an attack robot. +inhospitable to human life (see Section~\ref{sec_swivel_chair_attack}). Since non-contact electromagnetic or optical +attacks are more limited in the first place and can be shielded, we have effectively forced the attacker to use an +attack robot. This work contains the following contributions: \begin{enumerate} \item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective small-scale production of highly secure HSMs. - \item We discuss possible boundary sensing modes for inertial HSMs. + \item We discuss possible tamper sensors for inertial HSMs. \item We explore the design space of our inertial HSM concept. \item We present our work on a prototype inertial HSM (Figure~\ref{prototype_picture}). \item We present an anlysis on the viability of using commodity MEMS accelerometers as braking sensors. @@ -106,8 +107,8 @@ This work contains the following contributions: In Section~\ref{sec_related_work}, we will give an overview of the state of the art in the physical security of HSMs. On this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach. We will analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a prototype system that -we will illustrate in Section~\ref{sec_proto}. We conclude this paper with a general evaluation of our design in -Section~\ref{sec_conclusion}. +whose design we will elaborate in Section~\ref{sec_proto}. We conclude this paper with a general evaluation of our +design in Section~\ref{sec_conclusion}. \section{Related work} \label{sec_related_work} @@ -132,17 +133,17 @@ principle has to have this examination equipment built-in. Physical seals are used in a wide variety of applications, but the most interesting ones from a research point of view that are recorded in public literature are those used in monitoring of nuclear material under the International Atomic Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically -Uncloneable Functions, though their development predates that of PUFs by several decades. The seal is created in a way -that intentionally causes large, random device to device variations. These variations are precisely recorded at -deployment. At the end of the seals lifetime, the device is returned from the field to the lab and closely examined to +Uncloneable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in +a way that intentionally causes large, random device to device variations. These variations are precisely recorded at +deployment. At the end of the seals lifetime, the seal is returned from the field to the lab and closely examined to check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes random -scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), -the uncontrollably random distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well as the +scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the +uncontrollably random distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well as the precise three-dimensional surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}. The IAEA's equipment portfolio does include electronic seals such as the EOSS. These devices are intended for remote reading, similar to an HSM. They are constructed from two components: A cable that is surveilled for tampering, and a -monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil like it is used in +monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil such as it is used in commercial HSMs. In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM @@ -150,7 +151,7 @@ In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical secu construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature and radiation sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional -construction of a flexible mesh wrapped around the module's core. In~\cite{smith1998}, the authors state the module +construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state the module monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and construction is similar to other commercial offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. @@ -162,16 +163,16 @@ core component of their design is that they propose its use as a PUF to allow fo similar to a smart card---but the design is not limited to this use. In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based -around commodity Wifi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference +around commodity WiFi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the volume of the cavity will cause a significant change in its RF response. The core idea in~\cite{tobisch2020} is to use -commodity Wifi hardware to reduce the cost of the HSM's sensing circuitry. The resulting system is likely both much -cheaper and capable of protecting a much larger security envelope than e.g. the design from~\cite{immler2019}, at the -cost of worse and less predictable security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation, -Vrijaldenhoven in~\cite{vrijaldenhoven2004} uses ultrasound waves travelling on a surface acoustic wave (SAW) device to -a similar end. +commodity WiFi hardware to reduce the cost of the HSM's sensing circuitry. The resulting system is likely both much +cheaper and capable of protecting a much larger security envelope than designs using finely patterned foil security +meshes such as~\cite{immler2019}, at the cost of worse and less predictable security guarantees. +Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven in~\cite{vrijaldenhoven2004} uses ultrasound +waves travelling on a surface acoustic wave (SAW) device to a similar end. While~\cite{tobisch2020} approach the sensing frontend cost as their only optimization target, the prior work of Kreft and Adi~\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume barely larger than a @@ -189,7 +190,7 @@ closest to a mechanical HSM that we were able to find during our research is an describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled with pressurized gas. -\subsection{Patents literature} +\subsection{Patent literature} During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not find any mentions of similar concepts either in academic literature or in patents. Thus, we are likely the inventors of this idea and we are fairly sure it is not covered by any patents or other restrictions at this point in time. @@ -225,75 +226,72 @@ First, there are several ways that we can approach motion. There is periodic, ap also linear motion as well as rotation. We can also vary the degree of electronic control in this motion. The main constraints we have on the HSM's motion pattern are that it needs to be (almost) continuous so as to not expose any weak spots during instantaneous standstill of the HSM. Additionally, for space efficiency the HSM has to stay within a -confined space. This means that linear motion must be periodic, like that of a pendulum. Periodic linear motion will -have to quickly reverse direction at its apex so the device is not stationary long enough for this to become a weak -spot. +confined space. This means that linear motion would have to be periodic, like that of a pendulum. Such periodic linear +motion will have to quickly reverse direction at its apex so the device is not stationary long enough for this to become +a weak spot. In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the device. In case it has a fixed axis, rotation will expose a weak spot at the axis of rotation where the surface's -tangential velocity is low. Faster rotation can lessen the severity of this at the expense of power consumption and -mechanical load but can never eliminate it. This effect can be alleviated in two ways: Either by adding additional -tamper protection at the axis, or by having the HSM perform a compound rotation that has no fixed axis. - -A beneficial side-effect of rotation is that an attacker trying to follow the motion would have to rotate around -the same axis. By choosing a suitable rotation frequency we can thus prevent an attacker from following the devices -motion since doing so would subject them to impractically large centrifugal forces. Essentially, this limits the -approximate maximum size and mass of an attacker based on an assumption on tolerable centrifugal force. - -Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled +tangential velocity is low. Faster rotation can lessen the security impact of this fact at the expense of power +consumption and mechanical load, but it can never eliminate it. This effect can be alleviated in two ways: Either by +adding additional tamper protection at the axis, or by having the HSM perform a compound rotation that has no fixed +axis. Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in a -\emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). +\emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion would +have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from following +the devices motion since doing so would subject them to impractically large centrifugal forces. Essentially, this +limits the approximate maximum size and mass of an attacker based on an assumption on tolerable centrifugal force. In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we are focusing on -systems having a fixed axis of rotation due to their relative simplicity in prototype construction but we note the -challenge of hardening the shaft against tampering. +systems having a fixed axis of rotation due to their relatively simple construction but we do wish to note the challenge +of hardening the shaft against tampering that any production device would have to tackle. \subsection{Tamper detection mesh construction} -Once we have decided on a type of motion our IHSM's security barrier shall perform, what remains is the actual -implementation of that security barrier. There are two movements that we have observed that are key to our work. On the -one hand, there is the widespread industry use of delicate tamper sensing mesh membranes. The widespread usage of such -membranes in systems deployed in the field for a variety of use cases from low-security payment processing devices to -high-security certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a -significant level of security. On the other hand, research has mostly focused on various ways to fabricate enclosures -that embed characteristics of a physically uncloneable function (PUF). By using stochastic properties of the enclosure -material to form a PUF, such academic designs effectively leverage signal processing techniques to improve the system's -hardness by a large factor. +Once we have decided which motion our IHSM's security barrier shall perform, what remains is the actual implementation +of that security barrier. There are two movements that we have observed that are key to our work. On the one hand, there +is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems +deployed in the field for a variety of use cases from low-security payment processing devices to high-security +certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a significant level of +security. On the other hand, in contrast to this industry focus, academic research has mostly developed ways to +fabricate enclosures that embed characteristics of a Physically Uncloneable Function that do not employ a traditional +security mesh. By using stochastic properties of the enclosure material to form a PUF, such academic designs effectively +leverage signal processing techniques to improve the system's security level by a significant margin. In our research, we focus on security meshes as our IHSM's tamper sensors. Most of the cost in commercial security mesh implementations lies in the advanced manufacturing techniques and special materials necessary to achieve a sensitive mesh at fine structure sizes. The foundation of an IHSM security is that by moving the mesh even a primitive, coarse -mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack in practice. This allows us to a simple -construction made up from low-cost components. Additionally, use of a mesh allows us to only spin the mesh itself -around and keep the payload stationary in the center of the IHSM. Tamper sensing technologies that use the entire volume -of the HSM such as RF-based systems do not allow for this degree of freedom in their design. They would require the -entire IHSM to spin, including its payload. This would entail costly and complex systems for data and power transfer -from the outside to the payload. +mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack in practice. This allows us to use a simple +construction made up from low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself +and its monitoring circuit and keep the payload inside this mesh stationary. Tamper sensing technologies that use the +entire volume of the HSM such as RF-based systems do not allow for this degree of freedom in their design: They would +require the entire IHSM to spin, including its payload, which would entail costly and complex systems for data and power +transfer from the outside to the payload. \subsection{Braking detection} The security mesh is a critical component in the IHSM's primary defense against physical attacks, but its monitoring is only one half of this defense. The other half consists of a reliable and sensitive braking detection system. This system must be able to quickly detect any slowing of the IHSM's rotation. Ideally, a sufficiently sensitive sensor should be -able to measure any external force applied to the IHSM's rotor and should already trigger a response on the attempt of -manipulation. +able to measure any external force applied to the IHSM's rotor and should already trigger a response during the +beginning of a manipulation attempt. While the obvious choice to monitor rotation would be a tachometer such as a magnetic or opitical sensor attached to the IHSM's shaft, this would be a poor choice in our application. Both optical and magnetic sensors are susceptible to -contact-less interference from outside. Another option would be to use feedback from the motor driver electronics. When -using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this +contact-less interference from outside. A different option would be to use feedback from the motor driver electronics. +When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this approach is that depending on construction, it might invite attacks at the mechanical interface between mesh and the motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation or electrical discharge machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is already standing still. -Instead of a stator-side sensor like a magnetic tachometer or feedback from a BLDC controller, an accelerometer placed -inside the rotor's mesh monitoring circuit is a good component to serve as an IHSM's tamper sensor. Modern fully +Instead of a stator-side sensor like a magnetic tachometer or feedback from the BLDC controller, an accelerometer placed +inside the spinning mesh monitoring circuit would be a good component to serve as an IHSM's tamper sensor. Modern, fully intergrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of the device's mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper with the device's -motion. It may also allow remote monitoring of the device's mechanical components such as bearings. MEMS accelerometers +motion. It may also allow remote monitoring of the device's mechanical components such as bearings: MEMS accelerometers are fast enough to capture vibrations, which can be used as an early warning sign of failing mechanical -components~\cite{kvk2019,si2016,adc2019,e2013}. +components~\cite{kvk2019,sh2016,adc2019,e2013}. In a spinning IHSM, an accelerometer mounted at a known radius with its axis pointing radially will measure centrifugal acceleration. Centrifugal acceleration rises linearly with radius, and with the square of frequency: $a=\omega^2 r$. For @@ -311,11 +309,11 @@ IHSM is spinning at $\SI{1000}{rpm}$ and that we wish to detect any attempt to b difference in centrifugal acceleration will be a factor of $\frac{\omega_2^2}{\omega_1^2}=4$. This results in a factor-$4$ difference in absolute acceleration that our accelerometer must be able to detect. If we choose our accelerometer's location to maximize its dynamic range, any commercial MEMS accelerometer should suffice for this degree -of accuracy. For rapid deceleration, commercial accelerometers will be much more sensitive as effects of long-term drift -can be ignored. If we wish to also detect very slow deceleration, we have to take into account the accelerometer's drift -characteristics. +of accuracy even over long timespans. For rapid deceleration, commercial accelerometers will be much more sensitive as +effects of long-term drift can be ignored. If we wish to also detect very slow deceleration, we have to take into +account the accelerometer's drift characteristics. -In Section~\ref{sec_accel_meas} below we conduct an empirical evaluation of a commercial automotive high-$g$ +In Section~\ref{sec_accel_meas} below we conduct an empirical evaluation of a commercial automotive high-$g$ MEMS accelerometer for braking detection in our prototype IHSM. \subsection{Mechanical layout} @@ -323,15 +321,11 @@ accelerometer for braking detection in our prototype IHSM. With our IHSM's components taken care of, what remains to be decided is how to put together these individual components into a complete device. A basic spinning HSM might look like shown in Figure~\ref{fig_schema_one_axis}. Shown are the axis of rotation, an accelerometer on the rotating part used to detect braking, the protected payload and the area -covered by the rotating tamper detection mesh. - -A key observation is that we only have to move the tamper protection mesh, not the entire contents of the HSM. -The HSM's payload and with it most of the HSM's mass can be stationary. This reduces the moment of inertia of the -moving part. - -This basic schema accepts a weak spot at the point where the shaft penetrates the spinning mesh. This trade-off makes -for a simple mechanical construction and allows power and data connections to the stationary payload through a hollow -shaft. +covered by the rotating tamper detection mesh. A key observation is that we only have to move the tamper protection +mesh, not the entire contents of the HSM. The HSM's payload and with it most of the HSM's mass can be stationary. This +reduces the moment of inertia of the moving part. This basic schema accepts a weak spot at the point where the shaft +penetrates the spinning mesh. This trade-off makes for a simple mechanical construction and allows power and data +connections to the stationary payload through a hollow shaft. \begin{figure} \center @@ -341,15 +335,15 @@ shaft. \label{fig_schema_one_axis} \end{figure} -The spinning mesh must be designed to cover the entire surface of the payload, but in contrast to a traditional HSM it -suffices if it sweeps over every part of the payload once per rotation. This means we can design longitudinal gaps into -the mesh that allow outside air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the -payload processor is a serious issue since any air duct or heat pipe would have to penetrate the HSM's security -boundary. This problem can only be solved with complex and costly siphon-style constructions, so in commercial systems -heat conduction is used exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus -its processing power. Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum -possible power dissipation of the payload and unlocks much more powerful processing capabilities. In an evolution of -our design, the spinning mesh could even be designed to \emph{be} a cooling fan. +The spinning mesh must be designed to cover the entire surface of the payload, but it suffices if it sweeps over every +part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside air +to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious +issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be +solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used +exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. +Our setup allows direct air cooling of regular heatsinks. This unlocks much more powerful processing capabilities that +greatly increase the maximum possible power dissipation of the payload. In an evolution of our design, the spinning +mesh could even be designed to \emph{be} a cooling fan. \section{Attacks} \label{sec_attacks} @@ -357,11 +351,11 @@ our design, the spinning mesh could even be designed to \emph{be} a cooling fan. After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to attack it. At the core of an IHSM's defenses is the same security mesh that is also used in traditional HSMs. This means that in the end an attacker will have to perform the same steps they would have to perform to attack a traditional HSM. -Only to attack an IHSM, assuming that the braking detection system works they will have to perform these steps with a -tool that follows the HSMs rotation at high speed. This may require specialized mechanical tools, CNC actuators or -even a contactless attack using a laser, plasma jet or water jet. +Only, assuming that the braking detection system works they will have to perform these attack steps with a tool that +follows the HSMs rotation at high speed. This may require specialized mechanical tools, CNC actuators or even a +contactless attack using a laser, plasma jet or water jet. -\subsection{Swivel chair attacks} +\subsection{The Swivel Chair Attack} \label{sec_swivel_chair_attack} First we will consider the most basic of all attacks: A human attacker holding a soldering iron trying to rotate @@ -384,14 +378,12 @@ used, the meshes speed may vary by location and over time. Our example configura continuously, so it does not have any time-dependent weak spots. It does however have a weak spot at its axis of rotation, at the point where the shaft penetrates the mesh. The meshes tangential velocity decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as probes into the device through the opening it -creates. - -This issue is related to the issue conventional HSMs also face with their power and data connections. In conventional -HSMs, power and data are routed into the enclosure through the PCB or flat flex cables sandwiched in between -security mesh foil layers. By using a thin substrate and by creating a meandering path by folding the interconnect -substrate/security mesh layers several times, in traditional HSMs this interface rarely is a mechanical weak spot. In -inertial HSMs, careful engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows variations -of the shaft interface of increasing level of complexity. +creates. This issue is related to the issue conventional HSMs also face with their power and data connections. In +conventional HSMs, power and data are routed into the enclosure through the PCB or flat flex cables sandwiched in +between security mesh foil layers. In traditional HSMs this interface rarely is a mechanical weak spot since they use a +thin mesh substrate and create a meandering path by folding the interconnect substrate/security mesh layers several +times. In inertial HSMs, careful engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows +variations of the shaft interface with increasing complexity. \begin{figure} \begin{subfigure}[t]{0.3\textwidth} @@ -423,16 +415,14 @@ of the shaft interface of increasing level of complexity. \subsection{Attacking the mesh in motion} To disable the mesh itself, an attacker can choose two paths. One is to attack the mesh itself, for example by bridging - its traces to allow for a hole to be cut. The other option is to tamper with the monitoring -circuit to prevent a damaged mesh from triggering an alarm~\cite{dexter2015}. - -Attacks in both locations are electronic attacks, i.e. they require electrical contact to -parts of the circuit. Traditionally, this contact is made by soldering or by placing a probe such as a thin needle. We -consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack avenues may -be to rotate an attack tool in sync with the mesh, or to use a laser or ion beam fired at the mesh to cut traces or -carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting compound and -shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the complexity of such -attacks. +its traces. The other option is to tamper with the monitoring circuit to prevent a damaged mesh from triggering an +alarm~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e.\ they require electrical contact to +parts of the circuit. Traditionally, this contact is made by soldering a wire or by placing a probe such as a thin +needle. We consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack +avenues may be to rotate an attack tool in sync with the mesh, or to use a laser or ion beam fired at the mesh to cut +traces or carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting +compound and shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the +complexity of such attacks. \subsection{Attacks on the rotation sensor} @@ -440,11 +430,9 @@ Instead of attacking the mesh in motion, an attacker may also try to first stop to falsify the rotor's MEMS accelerometer measurements. We can disregard electronic attacks on the sensor or the monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be physical attacks of the accelerometer's sensing mechanism. - MEMS accelerometers usually use a cantilever design, where a proof mass moves a cantilever whose precise position is measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings. - A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the @@ -456,10 +444,10 @@ Besides trying to deactivate the tamper detection mesh, an electronic attack cou inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope. -Like in conventional HSMs it has to be built to either tolerate or detect environmental attacks using sensors for +Like in conventional HSMs, it has to be built to either tolerate or detect environmental attacks using sensors for temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration and gases or liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured. -To prevent replay attacks this link must be bidirectional so link latency can be measured continuously. +To prevent replay attacks link latency must continuously be measured, so this link must be bidirectional. % If it were unidirectional, an attacker could % act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed % (say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary @@ -479,12 +467,12 @@ enough to carry out its function or else to reliably destory the payload during As we elaboreated above, the mechanical component of an IHSM significantly increases the complexity of any successful attack even when implemented using only common, off-the-shelf parts. In view of this amplification of design security we -have decided to validate our theoretical studies by implementing a prototype IHSM. The main engineering challenges we -set out to solve in this prototype were: +have decided to validate our theoretical studies by implementing a prototype IHSM (Figure~\ref{prototype_picture}). The +main engineering challenges we set out to solve in this prototype were: \begin{enumerate} - \item Fundamental mechanical design suitable for rapid prototyping that can withstand at least $\SI{500}{rpm}$. - \item Automatic generation of security mesh PCB layouts for quick adaption to new form factors. + \item The Fundamental mechanical design suitable for rapid prototyping that can withstand at least $\SI{500}{rpm}$. + \item The Automatic generation of security mesh PCB layouts for quick adaption to new form factors. \item Non-contact power transmission from stator to rotor. \item Non-contact bidirectional data communication between stator and rotor. \end{enumerate} @@ -495,22 +483,22 @@ We will outline our findings on these challenges one by one in the following par We sized our prototype to have space for up to two full-size Raspberry Pi boards for an approximation of a traditional HSM's processing capabilities. We use printed circuit boards as the main structural material for the rotating part, and -2020 aluminium extrusion for its mounting frame. Figure~\ref{proto_3d_design} shows the rotor's mechanical PCB designs -in FreeCAD. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already sufficiently narrow to -pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our prototype incorporates a +2020 aluminium extrusion for its mounting frame. Figure~\ref{fig_proto_mesh} shows the rotor's mechanical PCB designs. +The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already sufficiently narrow to pose a +challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our prototype incorporates a functional PCB security mesh. As we observed previously, this mesh only needs to cover every part of the system once per revolution, so we designed the longituninal PCBs as narrow strips to save weight. \subsection{PCB security mesh generation} -Our proof-of-concept security mesh covers a total of five interlocking PCBs (cf.\ Figure~\ref{mesh_gen_sample}). A sixth +Our proof-of-concept security mesh covers a total of five interlocking mesh PCBs (Figure~\ref{mesh_gen_sample}). A sixth PCB contains the monitoring circuit and connects to these mesh PCBs. To speed up design iterations, we automated the generation of this security mesh using a plugin for the KiCAD EDA suite\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. Figure~\ref{mesh_gen_viz} visualizes the mesh generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a randomized tree covering the grid. Finally, individual mesh traces are then traced according to a depth-first search through this tree. -We consider the quality of the plugin's output sufficient for practical applications. Along with FreeCAD's KiCAD StepUp -plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB files. +We consider the quality of the plugin's output sufficient for practical applications. Together with FreeCAD's KiCAD +StepUp plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB files. \begin{figure} \begin{subfigure}{0.35\textwidth} @@ -524,8 +512,8 @@ plugin, this results in an efficient toolchain from mechanical CAD design to pro \center \caption{Assembled mechanical prototype rotor (left) and stator (right) PCB components.} \end{subfigure} - \label{proto_3d_design} \caption{Our prototype IHSM's PCB security mesh design} + \label{fig_proto_mesh} \end{figure} \begin{figure} @@ -543,8 +531,8 @@ plugin, this results in an efficient toolchain from mechanical CAD design to pro \caption{Detail of a PCB produced with a generated mesh.} \label{mesh_gen_sample} \end{subfigure} - \label{mesh_gen_fig} \caption{Our automatic security mesh generation process} + \label{mesh_gen_fig} \end{figure} \subsection{Power transmission through the rotating joint} @@ -557,9 +545,9 @@ $\SI{100}{\kilo\baud}$ a transmission of a one-byte message in standard UART fra $\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of $\SI{100}{\micro\ampere}$. Reserving another $\SI{100}{\micro\ampere}$ for the monitoring circuit itself we arrive at an -energy consumption of $\SI{1.7}{\ampere\hour\per\year}$ (Ampère hour per year). +energy consumption of $\SI{1.7}{\ampere\hour}$ per year. -The annual energy consumption we calculated above is about equivalent to the capacity of a single CR123A lithium primary +The annual energy consumption we calculated above is close to the capacity of a single CR123A lithium primary cell. Using several such cells or optimizing power consumption would thus easily yield several years of battery life. In our prototype we decided against using a battery to reduce rotor mass and balancing issues. @@ -571,11 +559,11 @@ that are fed into a large $\SI{33}{\micro\farad}$ ceramic buffer capacitor throu provides around $\SI{3.0}{\volt}$ at several tens of $\si{\milli\ampere}$ to the payload when illumination using either a $\SI{60}{\watt}$ incandescent light bulb or a flicker-free LED studio light of similar brightness\footnote{LED lights intended for room lighting exhibit significant flicker that can cause the monitoring circuit to reset. Incandescent -lighting requires some care in shielding the IR data link from interference.}. +lighting requires some care in shielding the data link from the light bulb's considerable infrared output.}. \subsection{Data transmission through the rotating joint} -Besides power transfer from stator to rotor we need a reliable, bidirectional data link to transmit mesh status and a +Besides power transfer from stator to rotor, we need a reliable, bidirectional data link to transmit mesh status and a low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into a an @@ -608,6 +596,7 @@ are shielded by the motor's body in the center of the PCB. \end{figure} \section{Using MEMS accelerometers for braking detection} +\label{sec_accel_meas} Using the prototype from the previous section, we performed an evaluation of an \partnum{AIS1120} commercial automotive MEMS accelerometer as a braking sensor. The device is mounted inside our prototype at a radius of @@ -694,7 +683,7 @@ blue, and theoretical behavior is shown in orange. \section{Conclusion} \label{sec_conclusion} -In this paper we introduced inertial hardware security modules (iHSMs), a novel concept for the construction of advanced +In this paper we introduced Inertial Hardware Security Modules (iHSMs), a novel concept for the construction of advanced hardware security modules from simple components. We analyzed the concept for its security properties and highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design by creating a hardware prototype. In this prototype we have demonstrated practical solutions to the major electronics design @@ -702,14 +691,16 @@ challenges: Data and power transfer through a rotating joint, and mechanized mes to perform several experiments to validate the rotary power and data links and the onboard accelerometer. Our measurements have shown that our proof-of-concept solar cell power link works well. Our simple IR data link already is sufficiently reliable for telemetry. Our experiments with the \partnum{AIS1120} off-the-shelf automotive accelerometer -showed that this part is well-suited for braking detection in the range of rotation speed relevant to the -IHSM scenario. - -Inertial HSMs offer a high level of security beyond what traditional techniques can offer. They allow the construction -of devices secure against a wide range of practical attacks at prototype quantities and without specialized tools. The -rotating mesh allows longitudinal gaps, which enables new applications that are impossible with traditional HSMs. Such -gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful computing hardware inside -the HSM. We hope that this simple construction will stimulate academic research into secure hardware. +showed that this part is well-suited for braking detection in the range of rotation speed relevant to the IHSM +scenario. + +Overall, our findings validate the viability of IHSMs as an evolutionary step beyond traditional HSM technology. IHSMs +offer a high level of security beyond what traditional techniques can offer even when built from simple components. They +allow the construction of devices secure against a wide range of practical attacks in small quantities and without +specialized tools. The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with +traditional HSMs. Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful +computing hardware inside the HSM. We hope that this simple construction will stimulate academic research into secure +hardware. \printbibliography[heading=bibintoc] diff --git a/doc/paper/rotohsm_tech_report.pdf b/doc/paper/rotohsm_tech_report.pdf Binary files differindex 22a205a..9cedf4d 100644 --- a/doc/paper/rotohsm_tech_report.pdf +++ b/doc/paper/rotohsm_tech_report.pdf |