diff options
Diffstat (limited to 'doc/paper/rotohsm_paper.tex')
| -rw-r--r-- | doc/paper/rotohsm_paper.tex | 742 |
1 files changed, 0 insertions, 742 deletions
diff --git a/doc/paper/rotohsm_paper.tex b/doc/paper/rotohsm_paper.tex deleted file mode 100644 index 8c24274..0000000 --- a/doc/paper/rotohsm_paper.tex +++ /dev/null @@ -1,742 +0,0 @@ -\documentclass[nohyperref]{iacrtrans} -\usepackage[T1]{fontenc} -\usepackage[ - backend=biber, - style=numeric, - natbib=true, - url=false, - doi=true, - eprint=false - ]{biblatex} -\addbibresource{rotohsm.bib} -\usepackage{amssymb,amsmath} -\usepackage{eurosym} -\usepackage{wasysym} -\usepackage{amsthm} - -\usepackage[binary-units]{siunitx} -\DeclareSIUnit{\baud}{Bd} -\DeclareSIUnit{\year}{a} -\usepackage{commath} -\usepackage{graphicx,color} -\usepackage{subcaption} -\usepackage{array} -\usepackage{hyperref} - -\renewcommand{\floatpagefraction}{.8} -\newcommand{\degree}{\ensuremath{^\circ}} -\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} -\newcommand{\partnum}[1]{\texttt{#1}} - -\begin{document} - -\title[Can't Touch This]{Inertial HSMs Thwart Advanced Physical Attacks} -\author{Jan Sebastian Götte \and Björn Scheuermann} -\institute{HIIG\\ \email{ihsm@jaseg.de} \and HU Berlin \\ \email{scheuermann@informatik.hu-berlin.de}} -% FIXME keywords -\keywords{hardware security \and implementation \and smart cards \and electronic commerce} -\maketitle - -\begin{abstract} - In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules - (iHSMs). Conventional systems have in common that their security requires the crafting of fine sensor structures - that respond to minute manipulations of the monitored security boundary or volume. Our approach is novel in that we - reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any - manipulations by rotating the security mesh or sensor at high speed---thereby presenting a moving target to an - attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. - Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet - offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware - prototype that demonstrates solutions to the concept's main engineering challenges. As part of this proof of - concept, we have found that a system using a coarse security mesh made from commercial printed circuit boards and an - automotive high g-force accelerometer already provides a useful level of security. -\end{abstract} - -\section{Introduction} - -While information security technology has matured a great deal in the last half century, physical security not kept up -with the pace of the remainder of this industry. Given the right skills, physical access to a computer still often -allows full compromise. The physical security of modern server hardware hinges on what lock you put on the room it is -in. - -Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid -switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between -physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key -infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic -co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of -trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured -TPM~\cite{newman2020,frazelle2019,johnson2018}. -Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure -them against tampering is a good engineering solution for some years to come. However, in essence this is a type of -security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern -ICs~\cite{albartus2020,anderson2020}. - -In contrast to TPMs and Smartcards, HSMs rely on an active security barrier usually consisting of a fragile foil with -conductive traces. These traces are much larger scale than a smart card IC's microscopic structures, and instead are -designed to be very hard to remove intact. While we are certain that there still are many insights to be gained in both -technologies, we wish to introduce a novel approach to sidestep the manufacturing issues of both and provide radically -better security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made -much more difficult to attack by moving it very quickly. - -For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set -by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, -solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual -defenses, this modified HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high -speed. How would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the -accelerometer's monitoring circuit---or they would have to attack the HSM in motion. The HSM literally becomes a moving -target. At slow speeds, rotating the entire attack workbench might be possible---but rotating frames of reference -quickly become inhospitable to human life (see Section~\ref{sec_swivel_chair_attack}). Since non-contact electromagnetic -or optical attacks are more limited in the first place and can be shielded, we have effectively forced the attacker to -use an ``attack robot''. - -This paper contains the following contributions: -\begin{enumerate} - \item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost effective, small scale production of - highly secure HSMs. - \item We discuss possible tamper sensors for inertial HSMs. - \item We explore the design space of our inertial HSM concept. - \item We present our work on a prototype inertial HSM (Figure~\ref{prototype_picture}). - \item We present an analysis on the viability of using commodity MEMS accelerometers as braking sensors. - % FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack. -\end{enumerate} - -\begin{figure} - \center - \includegraphics[width=12cm]{prototype_pic2.jpg} - \caption{The protoype as we used it to test power transfer and bidirectional communication between stator and rotor. - This picture shows the proof of concept prototype's configuration that we used for accelerometer characterization - (Section~\ref{sec_accel_meas}) without the vertical security mesh struts that connect the circular top and bottom - outer meshes.} - \label{prototype_picture} -\end{figure} - -In Section~\ref{sec_related_work}, we will give an overview of the state of the art in HSM physical security. On this -basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our Inertial HSM approach. We will -analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof of concept hardware -prototype that whose design we will elaborate in Section~\ref{sec_proto}. In Section~\ref{sec_accel_meas} we present our -characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof of concept prototype. We -conclude this paper with a general evaluation of our design in Section~\ref{sec_conclusion}. - -\section{Related work} -\label{sec_related_work} -% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion -% beyond ultrasound. - -In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper -detection. - -HSMs are an old technology that traces back decades in its electronic realization. Today's common approach of monitoring -meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security -problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, -anderson2020}. There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic -radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research has found -widespread adoption yet. - -HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper evident devices. The difference is that a -HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine -it. This examination can be by eye in the field, but it can also be carried out in a laboratory using complex equipment. -An HSM in principle has to have this examination equipment built-in. - -Physical seals are used in a wide variety of applications, but the most interesting ones from a research point of view -that are recorded in public literature are those used in monitoring of nuclear material under the International Atomic -Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically -Uncloneable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in -a way that intentionally causes large, random device to device variations. These variations are precisely recorded at -deployment. At the end of the seal's lifetime, the seal is returned from the field to the lab and closely examined to -check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes random -scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the -uncontrollably random distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well as the -precise three-dimensional surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}. - -The IAEA's equipment portfolio does include electronic seals such as the EOSS. These devices are intended for remote -reading, similar to an HSM. They are constructed from two components: A cable that is surveilled for tampering, and a -monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil such as it is used in -commercial HSMs. - -In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example HSM that they cite is -the IBM 4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard -construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical -security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature and radiation -sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional -construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state that the -module monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper -detection and construction is similar to other commercial -offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. - -Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an -HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to -traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example). -Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in -covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A -core component of their design is that they propose its use as a PUF to allow for protection even when powered off, -similar to a smart card---but the design is not limited to this use. - -In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based -around commodity WiFi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference -signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections -and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that -the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the -volume of the cavity will cause a significant change in its RF response. A core component of the work of Tobisch et -al.~\cite{tobisch2020}\ is that they use commodity WiFi hardware to reduce the cost of the HSM's sensing circuitry. The -resulting system is likely both much cheaper and capable of protecting a much larger security envelope than designs -using finely patterned foil security meshes such as~\cite{immler2019}, at the cost of worse and less predictable -security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven -in~\cite{vrijaldenhoven2004} uses ultrasound waves travelling on a surface acoustic wave (SAW) device to a similar end. - -While Tobisch et al.~\cite{tobisch2020}\ approach the sensing frontend cost as their primary optimization target, the -prior work of Kreft and Adi~\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume -barely larger than a single chip. They theorize how an array of distributed RF transceivers can measure the physical -properties of a potting compound that has been loaded with RF-reflective grains. In their concept, the RF response -characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains -within the potting compound. - -To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a -hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security -barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture -these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap -low performance security barrier and transforming it into a marginally more expensive but high performance one. The -closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that -describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled -with pressurized gas. - -\subsection{Patent literature} -During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not -find any mentions of similar concepts either in academic literature or in patents. Thus, while we cannot give any -guarantees, we seem likely to be the inventors of this idea and we are fairly sure it is not covered by any patents or -other restrictions at this point in time. - -Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are -already commercially available, we have decided against applying for a patent and we wish to make it available to the -general public without any restrictions on its use. We invite you build on our work as you wish and to base your own -work on our publications without any fees or commercial restrictions. Where possible, we ask you to cite this paper and -attribute the inertial HSM concept to its authors. - -\section{Inertial HSM construction and operation} -\label{sec_ihsm_construction} - -Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and -is routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first -to use it in tamper detection. - -The core questions in the design of an inertial HSM are the following: - -\begin{enumerate} - \item What \textbf{type of motion} to use, such as rotation, pendulum motion, or linear motion. - \item How to construct the \textbf{tamper detection sensor}. - \item How to \textbf{detect braking} of the IHSM's movement. - \item The \textbf{mechanical layout} of the system. -\end{enumerate} - -We will approach these questions one by one in the following subsections. - -\subsection{Inertial HSM motion} -\label{sec_ihsm_motion} - -First, there are several ways that we can approach motion. There is periodic, aperiodic and continuous motion. There is -also linear motion as well as rotation. We can also vary the degree of electronic control in this motion. The main -constraints we have on the HSM's motion pattern are that it needs to be (almost) continuous so as to not expose any weak -spots during instantaneous standstill of the HSM. Additionally, for space efficiency the HSM has to stay within a -confined space. This means that linear motion would have to be periodic, like that of a pendulum. Such periodic linear -motion will have to quickly reverse direction at its apex so the device is not stationary long enough for this to become -a weak spot. - -In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the -device. In case it has a fixed axis, rotation will expose a weak spot at the axis of rotation where the surface's -tangential velocity is low. Faster rotation can lessen the security impact of this fact at the expense of power -consumption and mechanical stress, but it can never eliminate it. This effect can be alleviated in two ways: Either by -adding additional tamper protection at the axis, or by having the HSM perform a compound rotation that has no fixed -axis. - -Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled -disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in what we -call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion -would have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from -following the devices motion since doing so would subject them to impractically large centrifugal forces. Essentially, -this limits the approximate maximum size and mass of an attacker based on an assumption on tolerable centrifugal force. - -In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we are focusing on -systems that have a fixed axis of rotation due to their simple construction but we do wish to note the challenge of -hardening the shaft against tampering that any production device would have to tackle. - -\subsection{Tamper detection mesh construction} - -Once we have decided how our IHSM's security barrier should move, what remains is the actual implementation -of that security barrier. There are two movements that we have observed that are key to our work. On the one hand, there -is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems -deployed in the field for a variety of use cases from low security payment processing devices to high security -certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of -security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to -fabricate enclosures that embed characteristics of a Physically Uncloneable Function. By using stochastic properties of -the enclosure material to form a PUF, such academic designs effectively leverage signal processing techniques to improve -the system's security level by a significant margin. - -In our research, we focus on security meshes as our IHSM's tamper sensors. Most of the cost in commercial security mesh -implementations lies in the advanced manufacturing techniques and special materials necessary to achieve a sensitive -mesh at fine structure sizes. The foundation of an IHSM security is that by moving the mesh even a primitive, coarse -mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack in practice. This allows us to use a simple -construction made up from low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself -and its monitoring circuit and keep the payload inside the mesh stationary. Tamper sensing technologies that use the -entire volume of the HSM such as RF-based systems do not allow for this degree of freedom in their design: They would -require the entire IHSM to spin, including its payload, which would entail costly and complex systems for data and power -transfer from the outside to the payload. - -\subsection{Braking detection} - -The security mesh is a critical component in the IHSM's defense against physical attacks, but its monitoring is only one -half of this defense. The other half consists of a reliable and sensitive braking detection system. This system must be -able to quickly detect any slowing of the IHSM's rotation. Ideally, a sufficiently sensitive sensor should be able to -measure any external force applied to the IHSM's rotor and should already trigger a response at the first signs of a -manipulation attempt. - -While the obvious choice to monitor rotation would be a tachometer such as a magnetic or opitical sensor attached to the -IHSM's shaft, this would be a poor choice in our application. Both optical and magnetic sensors are susceptible to -contact-less interference from outside. A different option would be to use feedback from the motor driver electronics. -When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this -approach is that depending on construction, it might invite attacks at the mechanical interface between mesh and the -motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation or electrical -discharge machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is -already standing still. - -Instead of a stator-side sensor like a magnetic tachometer or feedback from the BLDC controller, an accelerometer placed -inside the spinning mesh monitoring circuit would be a good component to serve as an IHSM's tamper sensor. Modern, fully -intergrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of the device's -mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper with the device's -motion. It may also allow remote monitoring of the device's mechanical components such as bearings: MEMS accelerometers -are fast enough to capture vibrations, which can be used as an early warning sign of failing mechanical -components~\cite{kvk2019,sh2016,adc2019,e2013}. - -In a spinning IHSM, an accelerometer mounted at a known radius with its axis pointing radially will measure centrifugal -acceleration. Centrifugal acceleration rises linearly with radius, and with the square of frequency: $a=\omega^2 r$. For -a given target speed of rotation, the accelerometer's location has to be carefully chosen to maximize dynamic range. A -key point here is that for rotation speeds between $500$ and $\SI{1000}{rpm}$, centrifugal acceleration already becomes -very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}\approx\SI{17}{\hertz}$ at a -$\SI{10}{\centi\meter}$ radius acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. While -beneficial for security, this large acceleration leads to two practical constraints. First, off-axis performance of -commercial accelerometers is usually in the order of $\SI{1}{\percent}$ so this large acceleration will feed through -into all accelerometer axes, even those that are tangential to the rotation. Second, we either have to place the -accelerometer close to the axis or we are limited to a small selection of high-$g$ accelerometers mostly used in -automotive applications. - -To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark: Let us assume that an -IHSM is spinning at $\SI{1000}{rpm}$ and that we wish to detect any attempt to brake it below $\SI{500}{rpm}$. The -difference in centrifugal acceleration that our accelerometer will have to detect then is a factor of -$\frac{\omega_2^2}{\omega_1^2}=4$. If we choose our accelerometer's location to maximize its dynamic range, any -commercial MEMS accelerometer should suffice for this degree of accuracy even over long timespans. For rapid -deceleration, commercial accelerometers will be much more sensitive as effects of long-term drift can be ignored. If we -wish to also detect very slow deceleration, we have to take into account the accelerometer's drift characteristics. - -In Section~\ref{sec_accel_meas} below we conduct an empirical evaluation of a commercial automotive high-$g$ MEMS -accelerometer for braking detection in our prototype IHSM. - -\subsection{Mechanical layout} - -With our IHSM's components taken care of, what remains to be decided is how to put together these individual components -into a complete device. A basic spinning HSM might look like shown in Figure~\ref{fig_schema_one_axis}. Shown are the -axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload and the -area covered by the rotating tamper detection mesh. A key observation is that we only have to move the tamper -protection mesh, not the entire contents of the HSM. The HSM's payload and with it most of the HSM's mass can be -stationary. This reduces the moment of inertia of the moving part. This basic schema accepts a weak spot at the point -where the shaft penetrates the spinning mesh. This trade-off makes for a simple mechanical construction and allows -power and data connections to the stationary payload through a hollow shaft. - -\begin{figure} - \center - \includegraphics{concept_vis_one_axis.pdf} - \caption{Concept of a simple spinning Inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 - - Accelerometer. 5 - Shaft penetrating security mesh.} - \label{fig_schema_one_axis} -\end{figure} - -The spinning mesh must be designed to cover the entire surface of the payload, but it suffices if it sweeps over every -part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside air -to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious -issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be -solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used -exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. -Using longitudinal gaps in the mesh, our setup allows direct air cooling of regular heatsinks. This unlocks much more -powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an -evolution of our design, the spinning mesh could even be designed to \emph{be} a cooling fan. - -\section{Attacks} -\label{sec_attacks} - -After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to -attack it. At the core of an IHSM's defenses is the same security mesh or other technology as it is used in traditional -HSMs. This means that in the end an attacker will have to perform the same steps they would have to perform to attack a -traditional HSM. Only, they will either have to perform these attack steps with a tool that follows the HSMs rotation -at high speed or they will first have to defeat the braking sensor. Attacking the IHSM in motion may require specialized -mechanical tools, CNC actuators or even a contactless attack using a laser, plasma jet or water jet. - -\subsection{The Swivel Chair Attack} -\label{sec_swivel_chair_attack} - -First we will consider the most basic of all attacks: A human attacker holding a soldering iron trying to rotate -themselves along with the mesh using a very fast swivel chair. Let us pessimistically assume that this co-rotating -attacker has their center of mass on the axis of rotation. The attacker's body is likely on the order of -$\SI{200}{\milli\meter}$ wide along its shortest axis, resulting in a minimum radius from axis of rotation to surface of -about $\SI{100}{\milli\meter}$. Wikipedia lists horizontal g forces in the order of $\SI{20}{g}$ as the upper end of the -range tolerable by humans for seconds at a time or longer. We thus set our target acceleration to -$\SI{100}{g}\;\approx\;\SI{1000}{\meter\per\second^2}$, a safety factor of $5$ past that range. Centrifugal -acceleration is $a=\omega^2 r$. In our example this results in a minimum angular velocity of $f_\text{min} = -\frac{1}{2\pi}\sqrt{\frac{a}{r}} = \frac{1}{2\pi}\sqrt{\frac{\SI{1000}{\meter\per\second^2}}{\SI{100}{\milli\meter}}} -\approx \SI{16}{\hertz} \approx \SI{1000}{rpm}$. From this we can conclude that even at moderate speeds of -$\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some -kind of mechanical tool. - -\subsection{Mechanical weak spots} - -The tamper defense of an IHSM rests on the security mesh moving too fast to tamper. Depending on the type of motion -used, the meshes speed may vary by location and over time. Our example configuration of a rotating mesh can keep moving -continuously, so it does not have any time-dependent weak spots. It does however have a weak spot at its axis of -rotation, at the point where the shaft penetrates the mesh. The meshes tangential velocity decreases close to the shaft, -and the shaft itself may allow an attacker to insert tools such as probes into the device through the opening it -creates. This issue is related to the issue conventional HSMs also face with their power and data connections. In -conventional HSMs, power and data are routed into the enclosure through the PCB or flat flex cables sandwiched in -between security mesh foil layers. In traditional HSMs this interface rarely is a mechanical weak spot since they use a -thin mesh substrate and create a meandering path by folding the interconnect substrate/security mesh layers several -times. In inertial HSMs, careful engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows -variations of the shaft interface with increasing complexity. - -\begin{figure} - \begin{subfigure}[t]{0.3\textwidth} - \center - \includegraphics[width=4cm]{ihsm_shaft_countermeasures_a.pdf} - \caption{Cross-sectional view of the basic configuration with no special protection of the shaft. Red: Moving - mesh -- Black: Stationary part.} - \label{shaft_cm_a} - \end{subfigure} - \hfill - \begin{subfigure}[t]{0.3\textwidth} - \center - \includegraphics[width=4cm]{ihsm_shaft_countermeasures_b.pdf} - \caption{An internal counter-rotating disc greatly decreases the space available to attackers at the expense of - another moving part and a second moving monitoring circuit.} - \label{shaft_cm_a} - \end{subfigure} - \hfill - \begin{subfigure}[t]{0.3\textwidth} - \center - \includegraphics[width=4cm]{ihsm_shaft_countermeasures_c.pdf} - \caption{A second moving tamper detection mesh also enables more complex topographies.} - \label{shaft_cm_a} - \end{subfigure} - \caption{Mechanical countermeasures to attacks through or close to the shaft of a fixed-axis rotating IHSM.} - \label{shaft_cm} -\end{figure} - -\subsection{Attacking the mesh in motion} - -To disable the mesh itself, an attacker can choose two paths. One is to attack the mesh itself, for example by bridging -its traces. The other option is to tamper with the monitoring circuit to prevent a damaged mesh from triggering an -alarm~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e.\ they require electrical contact to -parts of the circuit. Traditionally, this contact is made by soldering a wire or by placing a probe such as a thin -needle. We consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack -avenues may be to rotate an attack tool in sync with the mesh, or to use a laser or ion beam fired at the mesh to cut -traces or carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting -compound and shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the -complexity of such attacks. - -\subsection{Attacks on the rotation sensor} - -Instead of attacking the mesh in motion, an attacker may also try to first stop the rotor. To succeed, they would need -to falsify the rotor's MEMS accelerometer measurements. We can disregard electronic attacks on the sensor or the -monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be -physical attacks of the accelerometer's sensing mechanism. -MEMS accelerometers usually use a cantilever design in which a proof mass moves a cantilever whose precise position is -measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these -mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings. -A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the -device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the -mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the -security envelope and by varying the rate of rotation over time. - -\subsection{Attacks on the alarm circuit} - -Besides trying to deactivate the tamper detection mesh, an electronic attack could also target the alarm circuitry -inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a -cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat -message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope. -Like in conventional HSMs, it has to be built to either tolerate or detect environmental attacks using sensors for -temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration and gases or -liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured. -To prevent replay attacks link latency must continuously be measured, so this link must be bidirectional. -% If it were unidirectional, an attacker could -% act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed -% (say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary -% deviations in the transmitter's local clock frequency. Thus, after some time the attacker can simply stop the rotor and -% break the mesh while replaying the leftover recorded ``no alarm'' signal. Given the frequency stability of commercial -% crystals, this would yield the attacker several seconds of undisturbed attack time per hour of recording time. - -\subsection{Fast and violent attacks} - -A variation of the above attacks on the alarm circuitry is to simply destroy the part of the HSM that erases data in -response to tampering before it can perform its job using a tool such as a large hammer or a gun. To mitigate this type -of attack, the HSM must be engineered to be either tough or brittle: Tough enough that the tamper response circuitry -will reliably withstand any attack for long enough to carry out its function or brittle in a way that during any attack, -the payload is reliably destroyed before the tamper response circuitry. - -\section{Proof of Concept Prototype implementation} -\label{sec_proto} - -As we elaborated above, the mechanical component of an IHSM significantly increases the complexity of any attack even -when implemented using only common, off-the-shelf parts. In view of this amplification of design security we have -decided to validate our theoretical studies by implementing a proof of concept prototype IHSM -(Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof of concept prototype -were: - -\begin{enumerate} - \item A mechanical design suitable for rapid prototyping that can withstand at least $\SI{500}{rpm}$. - \item The Automatic generation of security mesh PCB layouts for quick adaption to new form factors. - \item Non-contact power transmission from stator to rotor. - \item Non-contact bidirectional data communication between stator and rotor. -\end{enumerate} - -We will outline our findings on these challenges one by one in the following paragraphs. - -\subsection{Mechanical design} - -We sized our proof of concept prototype to have sufficient payload space for up to two full-size Raspberry Pi boards to -approximate a traditional HSM's processing capabilities. We use printed circuit boards as the main structural material -for the rotating part, and 2020 aluminium extrusion for its mounting frame. Figure~\ref{fig_proto_mesh} shows the -rotor's mechanical PCB designs. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already -sufficiently narrow to pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our -prototype incorporates a functional PCB security mesh. As we observed previously, this mesh only needs to cover every -part of the system once per revolution, so we designed the longituninal PCBs as narrow strips to save weight. - -\subsection{PCB security mesh generation} - -% FIXME censor link in peer-review version! -Our proof-of-concept security mesh covers a total of five interlocking mesh PCBs (Figure~\ref{mesh_gen_sample}). A sixth -PCB contains the monitoring circuit and connects to these mesh PCBs. To speed up design iterations, we automated the -generation of this security mesh through a plugin for the KiCAD EDA -suite\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. Figure~\ref{mesh_gen_viz} visualizes the mesh -generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a randomized tree -covering the grid. Finally, individual mesh traces are traced according to a depth-first search through this tree. -We consider the quality of the plugin's output sufficient for practical applications. Together with FreeCAD's KiCAD -StepUp plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB files. - -\begin{figure} - \begin{subfigure}{0.35\textwidth} - \center - \includegraphics[height=7cm]{proto_3d_design.jpg} - \caption{The 3D CAD design of the proof of concept prototype.} - \end{subfigure} - \hfill - \begin{subfigure}{0.6\textwidth} - \includegraphics[width=8cm]{rotor_stator.jpg} - \center - \caption{Assembled mechanical prototype rotor (left) and stator (right) PCB components.} - \end{subfigure} - \caption{Our proof of concept prototype IHSM's PCB security mesh design} - \label{fig_proto_mesh} -\end{figure} - -\begin{figure} - \begin{subfigure}{\textwidth} - \center - \includegraphics[width=9cm]{mesh_gen_viz.pdf} - \caption{Overview of the automatic security mesh generation process. 1 - Example target area. 2 - Grid overlay. - 3 - Grid cells outside of the target area are removed. 4 - A random tree covering the remaining cells is - generated. 5 - The mesh traces are traced along a depth-first walk of the tree. 6 - Result.} - \label{mesh_gen_viz} - \end{subfigure} - \begin{subfigure}{\textwidth} - \center - \includegraphics[width=6cm]{mesh_scan_crop.jpg} - \caption{Detail of a PCB produced with a generated mesh.} - \label{mesh_gen_sample} - \end{subfigure} - \caption{Our automatic security mesh generation process} - \label{mesh_gen_fig} -\end{figure} - -\subsection{Power transmission from stator to rotor} - -The spinning mesh has its own autonomous monitoring circuit. This spinning monitoring circuit needs both power and data -connectivity to the stator. To design the power link, we first have to estimate the monitoring circuit's power -consumption. We base our calculation on the (conservative) assumption that the spinning mesh sensor should send its -tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At -$\SI{100}{\kilo\baud}$, a transmission of a one-byte message in standard UART framing would take -$\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that -requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of -$\SI{100}{\micro\ampere}$. Reserving another $\SI{100}{\micro\ampere}$ for the monitoring circuit itself we arrive at an -energy consumption of $\SI{1.7}{\ampere\hour}$ per year. - -This annual energy consumption is close to the capacity of a single CR123A lithium primary cell. Thus, by either using -several such cells or by optimizing power consumption several years of battery life could easily be reached. In our -proof of concept prototype we decided against using a battery to reduce rotor mass and balancing issues. - -We also decided against mechanically complex solutions such as slip rings or electronically complex ones such as -inductive power transfer. Instead, we chose a simple setup consisting of a stationary lamp pointing at several solar -cells on the rotor. At the monitoring circuit's low power consumption power transfer efficiency is irrelevant, so this -solution is practical. Our system uses six series-connected solar cells mounted on the end of the cylindrical rotor -that are fed into a large $\SI{33}{\micro\farad}$ ceramic buffer capacitor through a Schottky diode. This solution -provides around $\SI{3.0}{\volt}$ at several tens of $\si{\milli\ampere}$ to the payload when illuminated using either -a $\SI{60}{\watt}$ incandescent light bulb or a flicker-free LED studio light of similar brightness\footnote{LED lights -intended for room lighting exhibit significant flicker that can cause the monitoring circuit to reset. Incandescent -lighting requires some care in shielding the data link from the light bulb's considerable infrared output.}. - -\subsection{Data transmission between stator and rotor} - -Besides power transfer from stator to rotor, we need a reliable, bidirectional data link to transmit mesh status and a -low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a -quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a -transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into an -\texttt{MCP6494} general purpose opamp configured as an $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in -Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time before being squared up by a -comparator. Our design trades off stator-side power consumption for a reduction in rotor-side power consumption by -using a narrow-angle IR led and photodiode on the rotor, and wide-angle components at a higher LED current on the -stator. Figure~\ref{ir_tx_schema} shows the physical arrangement of both links. The links face opposite one another and -are shielded from one another by the motor's body in the center of the PCB. - -% We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current -% consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a -% useful transimpedance in the photodiode-facing TIA stage. - -\begin{figure} - \begin{subfigure}{0.3\textwidth} - \includegraphics[width=4.5cm]{ir_tx_schema.pdf} - \caption{Basic layout, view along axis of rotation. 1 - - Rotor base PCB. 2 - Stator IR link PCB. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.} - \label{ir_tx_schema} - \end{subfigure} - \hfill - \begin{subfigure}{0.65\textwidth} - \includegraphics[width=9cm]{photolink_schematic.pdf} - \caption{Schematic with sample component values. C2 is highly dependent on the photodiode characteristics and - stray capacitances.} - \label{photolink_schematic} - \end{subfigure} - \caption{IR data link implementation} -\end{figure} - -\subsection{Evaluation} - -The compoleted proof of concept hardware worked as intended. Both rotating power and data links worked well. As we -expected, the mechanical design vibrated at higher speeds but despite these unintended vibrations we were able reach -speeds in excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link -and the data links continued to function without issue. - -\section{Using MEMS accelerometers for braking detection} -\label{sec_accel_meas} - -Using the proof of concept prototype from the previous section, we performed an evaluation of an \partnum{AIS1120} -commercial automotive MEMS accelerometer as a braking sensor. The device is mounted inside our prototype at a radius of -$\SI{55}{\milli\meter}$ from the axis of rotation to the center of the device's package. The \partnum{AIS1120} provides -a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$. - -Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually -control this motor controller through an RC servo tester. In our experiments we externally measured the device's speed -of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using an -USB logic analyzer at a sampling rate of $\SI{100}{\mega\hertz}$. We calculcate rotation frequency as a -$\SI{1}{\second}$ running average over debounced interval lengths of this captured signal\footnote{A regular frequency -counter or commercial tachometer would have been easier, but neither was available in our limited COVID-19 home office -lab.}. - -The accelerometer is controlled from the \partnum{STM32} microcontroller on the rotor of our IHSM prototype platform. -Timed by an external quartz, the microcontroller samples accelerometer readings at $\SI{10}{\hertz}$. Readings are -accumulated in a small memory buffer, which is continuously transmitted out through the prototype platform's infrared -link. Data is packetized with a sequence number indicating the buffer's position in the data stream and a CRC-32 -checksum for error detection. On the host, a Python script stores all packets received with a valid checksum in an -SQLite database. - -Data analysis is done separately from data capture. An analysis IPython Notebook reads captured packets and reassembles -the continuous sample stream based on the packets' sequence numbers. The low $\SI{10}{\hertz}$ sampling rate and high -$\SI{115}{\kilo Bd}$ transmission speed lead to a large degree of redundancy with gaps in the data stream being rare. -This allowed us to avoid writing retransmission logic or data interpolation. - -Figure~\ref{fig-acc-steps} shows an entire run of the experiment. During this run, we started with the rotor at -standstill, then manually increased its speed of rotation in steps. Areas shaded gray are intervals where we manually -adjust the rotors speed. The unshaded areas in between are intervals when the rotor speed is steady. -Figure~\ref{fig-acc-stacked} shows a magnified view of these periods of steady rotor speed. In both graphs, orange -lines indicate centrifugal acceleration as calculated from rotor speed measurements. Visually, we can see that -measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the -accelerometer's intrinsic errors as well as error in its placement due to construction tolerances. - -The accelerometer's primary intrinsic errors are offset error and scale error. Offset error is a fixed additive offset -to all measurements. Scale error is an error proportional to a measurements value that results from a deviation between -the device's specified and actual sensitivity. We correct for both errors by first extracting all stable intervals from -the time series, then fitting a linear function to the measured data. Offset error is this linear function's intercept, -and scale error is its slope. We then apply this correction to all captured data before plotting and later analysis. -Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of -the device's offset remaining. At high speeds of rotation this remaining offset does not have an appreciable impact, but -due to the quadratic nature of centrifugal acceleration at low speeds it causes a large relative error of up to -$\SI{10}{\percent}$ at $\SI{95}{rpm}$. - -After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data. -Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity -since we tested our proof of concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that -this harmonic content is a clean intermodulation product of the accelerometers sampling rate and the speed of rotation -with no other visible artifacts. - -Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark -blue, and theoretical behavior is shown in orange. From our measurements we can conclude that an accelerometer is a good -choice for an IHSM's braking sensor. A simple threshold set according to the sensor's calculated expected centrifugal -force should be sufficient to reliably detect manipulation attempts without resulting in false positives. Periodic -controlled changes in the IHSM's speed of rotation allow an offset and scale calibration of the accelerometer on the -fly, without stopping the rotor. - -\begin{figure} - \center - \includegraphics[width=0.7\textwidth]{../../prototype/sensor-analysis/fig-acc-theory-meas-run50.pdf} - \caption{Centrifugal acceleration versus angular frequency in theory and in our experiments. Experimental - measurements are shown after correction for device-specific offset and scale error. Our measurements - showed good agreement with our theoretical results. Above \SI{300}{rpm}, the relative acceleration error was consistently - below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error that remains after our first-order - corrections has a strong impact ($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$.)} - \label{fig-acc-theory} -\end{figure} - -\begin{figure} - \begin{subfigure}{0.5\textwidth} - \center - \includegraphics[width=1.1\textwidth]{../../prototype/sensor-analysis/fig-acc-trace-steps-run50.pdf} - \caption{Raw recording of accelerometer measurements during one experiment run. Shaded areas indicate time - intervals when we manually adjusted speed.} - \label{fig-acc-steps} - \end{subfigure} - \hfill - \begin{subfigure}{0.45\textwidth} - \center - \includegraphics[width=1.1\textwidth]{../../prototype/sensor-analysis/fig-acc-trace-stacked-run50.pdf} - \caption{Valid measurements cropped out from \ref{fig-acc-steps} for various frequencies. Intermodulation - artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SI{3}{\hertz}$ to - $\SI{18}{\hertz}$ rotation frequency due to gravity and device vibration are clearly visible.} - \label{fig-acc-stacked} - \end{subfigure} - \label{fig-acc-traces} - \caption{Traces of acceleration measurements during one experiment run.} -\end{figure} - -\section{Conclusion} -\label{sec_conclusion} - -In this paper we introduced Inertial Hardware Security Modules (iHSMs), a novel concept for the construction of advanced -hardware security modules from simple components. We analyzed the concept for its security properties and highlighted -its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design by creating a -proof of concept hardware prototype. In this prototype we have demonstrated practical solutions to the major electronics -design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation. We have used our -prototype to perform several experiments to validate the rotary power and data links and the onboard accelerometer. Our -measurements have shown that our proof-of-concept solar cell power link works well and that our simple IR data link -already is sufficiently reliable for telemetry. Our experiments with an \partnum{AIS1120} automotive MEMS accelerometer -showed that this part is well-suited for braking detection in the range of rotation speed relevant to the IHSM scenario. - -Overall, our findings validate the viability of IHSMs as an evolutionary step beyond traditional HSM technology. IHSMs -offer a high level of security beyond what traditional techniques can offer even when built from simple components. They -allow the construction of devices secure against a wide range of practical attacks in small quantities and without -specialized tools. The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with -traditional HSMs. Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful -computing hardware inside the HSM. We hope that this simple construction will stimulate academic research into (more) -secure hardware. - -\printbibliography[heading=bibintoc] - - -%%% FIXME remove appendix and work into text. - -\center{ - \center{This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository - can be found at:} - - \center{\url{https://git.jaseg.de/rotohsm.git}} -} -\end{document} |