Diffstat (limited to 'doc/paper/rotohsm_paper.tex')
-rw-r--r--doc/paper/rotohsm_paper.tex608
1 files changed, 327 insertions, 281 deletions
diff --git a/doc/paper/rotohsm_paper.tex b/doc/paper/rotohsm_paper.tex
index fb7c347..83846a9 100644
--- a/doc/paper/rotohsm_paper.tex
+++ b/doc/paper/rotohsm_paper.tex
@@ -1,6 +1,4 @@
-\documentclass[10pt,journal,a4paper]{IEEEtran}
-\usepackage[english]{babel}
-\usepackage[utf8]{inputenc}
+\documentclass[nohyperref]{iacrtrans}
\usepackage[T1]{fontenc}
\usepackage[
backend=biber,
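Review bot: dropping `\usepackage[utf8]{inputenc}` and `\usepackage[english]{babel}` in this hunk is only safe on a LaTeX kernel from 2018 or later, where UTF-8 input is the default; the umlauts in the author names (Götte, Björn) will otherwise come out garbled on an older TeX distribution that a reviewer or publisher may still run. If the `iacrtrans` class does not load these itself, consider keeping `inputenc` or adding a comment stating the minimum required TeX Live version.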
@@ -12,74 +10,34 @@
]{biblatex}
\addbibresource{rotohsm.bib}
\usepackage{amssymb,amsmath}
-\usepackage{listings}
\usepackage{eurosym}
\usepackage{wasysym}
\usepackage{amsthm}
-\usepackage{tabularx}
-\usepackage{multirow}
-\usepackage{multicol}
-\usepackage{tikz}
-\usepackage{mathtools}
-\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil}
-\DeclarePairedDelimiter{\paren}{(}{)}
-
-\usetikzlibrary{arrows}
-\usetikzlibrary{chains}
-\usetikzlibrary{backgrounds}
-\usetikzlibrary{calc}
-\usetikzlibrary{decorations.markings}
-\usetikzlibrary{decorations.pathreplacing}
-\usetikzlibrary{fit}
-\usetikzlibrary{patterns}
-\usetikzlibrary{positioning}
-\usetikzlibrary{shapes}
\usepackage[binary-units]{siunitx}
\DeclareSIUnit{\baud}{Bd}
\DeclareSIUnit{\year}{a}
-\usepackage{hyperref}
-\usepackage{tabularx}
\usepackage{commath}
\usepackage{graphicx,color}
-\usepackage{ccicons}
\usepackage{subcaption}
-\usepackage{float}
-\usepackage{footmisc}
\usepackage{array}
-\usepackage[underline=false]{pgf-umlsd}
-\usetikzlibrary{calc}
-%\usepackage[pdftex]{graphicx,color}
-\usepackage{epstopdf}
-\usepackage{pdfpages}
-\usepackage{minted} % pygmentized source code
+\usepackage{hyperref}
\renewcommand{\floatpagefraction}{.8}
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
-
-\usepackage{fancyhdr}
-\fancyhf{}
-\fancyfoot[C]{\thepage}
-\newcommand{\includenotebook}[2]{
- \fancyhead[C]{Included Jupyter notebook: #1}
- \includepdf[pages=1,
- pagecommand={\thispagestyle{fancy}\section{#1}\label{#2_notebook}}
- ]{resources/#2.pdf}
- \includepdf[pages=2-,
- pagecommand={\thispagestyle{fancy}}
- ]{resources/#2.pdf}
-}
+\newcommand{\partnum}[1]{\texttt{#1}}
\begin{document}
-\title{Can't Touch This: Inerial HSMs Thwart Advanced Physical Attacks}
-\author{Jan Götte}
-\date{2020-12-20}
+\title[Can't Touch This]{Inertial HSMs Thwart Advanced Physical Attacks}
+\author{Jan Sebastian Götte \and Björn Scheuermann}
+\institute{HIIG\\ \email{ihsm@jaseg.de} \and Björn Scheuermann \\ \email{scheuermann@informatik.hu-berlin.de}}
+% FIXME keywords
+\keywords{hardware security \and implementation \and smart cards \and electronic commerce}
\maketitle
-\section*{Abstract}
-
+\begin{abstract}
In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules (iHSMs).
Conventional systems have in common that they try to detect attacks by crafting sensors responding to increasingly
minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce the
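Review bot: the second `\and` entry of `\institute` on the `+\institute{...}` line repeats the author's name ("Björn Scheuermann") where an affiliation belongs, so the affiliation block will print the name twice and no institution for the second author; it should carry the affiliation and e-mail only, mirroring the first entry. Two smaller points in the same hunk: the `% FIXME keywords` marker is still present above `\keywords{...}`, and `mathtools` together with the `\ceil` and `\paren` paired delimiters is removed here, so please confirm no remaining `\ceil{...}` or `\paren{...}` use survives in the body or the appendices (the build would fail on an undefined control sequence).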
@@ -89,6 +47,7 @@ the rotation are easily monitored with commercial MEMS accelerometers and gyrosc
can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is
comparable to commercial HSMs. By building prototype hardware we have demonstrated solutions to the concept's
engineering challenges.
+\end{abstract}
\section{Introduction}
@@ -235,6 +194,18 @@ tangential velocity is low. Faster rotation can lessen the severity of this at t
mechanical load but can never eliminate it. This effect can be alleviated in two ways: Either by adding additional
tamper protection at the axis, or by having the HSM perform a compound rotation that has no fixed axis.
+A beneficial side-effect of rotation is that an attacker trying to follow the motion would have to rotate around
+the same axis. By choosing a suitable rotation frequency we can thus prevent an attacker from following the devices
+motion since doing so would subject them to impractically large centrifugal forces. Essentially, this limits the
+approximate maximum size and mass of an attacker based on an assumption on tolerable centrifugal force (see Appendix
+\ref{sec_minimum_angular_velocity}).
+
+Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled
+disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device.
+From a coarse calculation (Appendix \ref{sec_minimum_angular_velocity}) we conclude that even at moderate speeds (above
+$\SI{500}{rpm}$), a manual attack is no longer possible and any attack would have to be carried out using either
+computer control or precise mechanics.
+
In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we are focusing on
systems having a fixed axis of rotation due to their relative simplicity in prototype construction but we note the
challenge of hardening the shaft against tampering.
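Review bot: in the first added paragraph, "following the devices motion" should read "following the device's motion". The two new paragraphs also move the "above 500 rpm, no manual attack" conclusion ahead of the appendix calculation it rests on; since the same conclusion is stated again in the accelerometer section below, consider keeping it in one place to avoid the reader meeting the claim twice before the supporting derivation.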
@@ -270,35 +241,56 @@ able to measure any external force applied to the IHSM's rotor and should alread
manipulation.
While the obvious choice to monitor rotation would be a tachometer such as a magnetic or opitical sensor attached to the
-IHSM's shaft, this would be a poor choice in our application. Both optical and matgnetic sensors are susceptible to
+IHSM's shaft, this would be a poor choice in our application. Both optical and magnetic sensors are susceptible to
contact-less interference from outside. Instead, an accelerometer is a good component to serve as an IHSM's tamper
-sensor.
-
-%%%
-
-First, for motion to effectively disincentivize tampering, the HSM has to move fairly fast.
-If any point of the HSM's tamper sensing shell moves slow enough for a human to follow, that point becomes a weak spot.
-For illustration, consider linear oscillating motion like that of a pendulum.
-At its apex, the pendulum becomes stationary and an attacker could use that split second of the device not moving.
+sensor. Modern fully intergrated MEMS accelerometers are very precise. By comparing acceleration measurements against a
+model of the device's mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper
+with the device's motion. It may also allow remote monitoring of the device's mechanical components such as bearings.
+Accelerometers are fast enough to capture vibrations, which can be used as an early warning sign of failing mechanical
+components. % FIXME citation
+
+In a spinning IHSM, an accelerometer mounted at a known radius with its axis pointing radially will measure centrifugal
+acceleration. Centrifugal acceleration rises linearly with radius, and with the square of frequency: $a=\omega^2 r$. For
+a given target speed of rotation, the accelerometer's location has to be carefully chosen to maximize dynamic range. A
+key point here is that for rotation speeds between $500$ and $\SI{1000}{rpm}$, centrifugal acceleration already becomes
+very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}=\SI{17}{\hertz}$ at a
+$\SI{10}{\centi\meter}$ radius acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. Off-axis
+performance of commercial accelerometers is usually in the order of $\SI{1}{\percent}$ so this large acceleration will
+feed through into all accelerometer axes, even those that are tangential to the rotation. It also means that we either
+have to place the accelerometer close to the axis or we are limited to a small selection of high-$g$ accelerometers
+mostly used in automotive applications.
+
+To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark: Let us assume that an
+IHSM is spinning at $\SI{1000}{rpm}$ and that we wish to detect any attempt to brake it below $\SI{500}{rpm}$. The
+difference in centrifugal acceleration will be a factor of $\frac{\omega_2^2}{\omega_1^2}=4$. This results in a
+factor-$4$ difference in absolute acceleration that our accelerometer must be able to detect. If we choose our
+accelerometer's location to maximize its dynamic range, any commercial MEMS accelerometer should suffice for this degree
+of accuracy. For rapid deceleration, commercial accelerometers will be much more sensitive as effects of long-term drift
+can be ignored. If we wish to also detect very slow deceleration, we have to take into account the accelerometer's drift
+characteristics.
+
+% TODO review below paragraph
+In Section~\ref{sec_accel_meas} below we conduct an empirical evaluation of a commercial automotive high-$g$
+accelerometer for braking detection in our prototype IHSM.
+In Appendix~\ref{sec_degrees_of_freedom} we consider accelerometer configurations and we conclude that one three-axis
+accelerometer each in the rotor and in the stator are a good baseline configuration. In general, the system will be more
+sensitive to attacks if we over-determine the system of equations describing its motion by using more sensors than
+necessary.
-Second, a spinning HSM is potentially more compact than some alternatives like a pendulum or more exotic concepts such
-as an HSM on wheels. Its main disadvantage is its circular envelope: When using components such as standard server
-hardware for its payload, these components likely come in a rectangular form factor leading to dead space inside the
-HSM. Mounting the HSM in a standard rackmount enclosure will also lead to significant dead space around the HSM. An
-``vibrating'' HSM with a small amplitude of oscillation might potentially lead to a more compact solution, but this
-compactness would come at increased engineering complexity and increased material stresses.
+\subsection{Mechanical layout}
-Third and finally, constant rotation leads to a predictable, constant acceleration anywhere in the rotating part. This
-allows the use of an accelerometer for tamper detection with minimal signal post-processing.
+With our IHSM's components taken care of, what remains to be decided is how to put together these individual components
+into a complete device. A basic spinning HSM might look like shown in Figure~\ref{fig_schema_one_axis}. Shown are the
+axis of rotation, an accelerometer on the rotating part used to detect braking, the protected payload and the area
+covered by the rotating tamper detection mesh.
-A beneficial side-effect of spinning the HSM is that an attacker trying to follow the motion would have to rotate around
-the same axis, subjecting them to very large centrifugal accleration.
-This allows us to limit the approximate maximum size and mass of an attacker using an assumption on tolerable
-centrifugal force (see Appendix \ref{sec_minimum_angular_velocity}).
+A key observation is that we only have to move the tamper protection mesh, not the entire contents of the HSM.
+The HSM's payload and with it most of the HSM's mass can be stationary. This reduces the moment of inertia of the
+moving part.
-A basic spinning HSM might look like shown in Figure \ref{fig_schema_one_axis}. Shown are the axis of rotation, an
-accelerometer on the rotating part used to detect braking, the protected payload and the area covered by the rotating
-tamper detection mesh.
+This basic schema accepts a weak spot at the point where the shaft penetrates the spinning mesh. This trade-off makes
+for a simple mechanical construction and allows power and data connections to the stationary payload through a hollow
+shaft.
\begin{figure}
\center
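Review bot: the acceleration figure in the added accelerometer paragraph has the wrong unit: `\SI{1000}{\meter\per\second}` is a velocity, and the quantity being compared to $100\,g$ is an acceleration, so it should be `\SI{1000}{\meter\per\second\squared}` (with $\omega = 2\pi \cdot \SI{17}{\hertz}$ and $r = \SI{10}{\centi\meter}$, $\omega^2 r$ is indeed about $\SI{1100}{\meter\per\second\squared}$). In the same paragraph, $a=\omega^2 r$ is introduced as "the square of frequency" while $\omega$ is an angular velocity; say "angular velocity" or write the $2\pi$ explicitly. Further fixes for this hunk: "intergrated" should be "integrated"; "one three-axis accelerometer each in the rotor and in the stator are a good baseline configuration" needs "is"; the `% FIXME citation` marker after the bearing-vibration claim and the `% TODO review below paragraph` marker are still in the text; and `Section~\ref{sec_accel_meas}` must exist in the final document or the reference will print as "??".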
@@ -308,112 +300,99 @@ tamper detection mesh.
\label{fig_schema_one_axis}
\end{figure}
-\section{Using accelerometers as rotation sensors}
-
-In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to
-distance from the axis of rotation. We can exploit this fact to use an accelerometer as a sensor that detects any
-disturbance to the HSM's rotation. We place the accelerometer at a known distance from the axis of rotation. When the
-axis of rotation is vertical, during constant rotation tangential acceleration will be zero and acceleration along the
-axis of rotation will be $\SI{1}{\g}$. Centrifugal acceleration will be constant.
-
-Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled
-disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device.
-A key observation is that we only have to move the tamper protection mesh, not the entire contents of the HSM.
-The HSM's payload and with it most of the HSM's mass can be stationary.
-This reduces the moment of inertia of the moving part and it means that we can use cables for power and data connections
-to the payload.
-
-From a coarse calculation (Appendix \ref{sec_minimum_angular_velocity}) we conclude that even at moderate speeds (above
-$\SI{500}{rpm}$), a manual attack is no longer possible and any attack would have to be carried out using either
-computer control or precise mechanics.
-
-In Appendix \ref{sec_degrees_of_freedom} we consider sensor configurations and we conclude that one three-axis
-accelerometer each in the rotor and in the stator are a good baseline configuration. In general, the system will be more
-sensitive to attacks if we over-determine the system of equations describing its motion by using more sensors than
-necessary.
-
-\subsection{Mechanical layout}
-
-Thinking about the concrete construction of our mechanical HSM, the first challenge is mounting both mesh and payload on
-a single shaft. The simplest way we found to mount a stationary payload inside of a spinning security mesh is a hollow
-shaft. The payload can be mounted on a fixed rod threaded through this hollow shaft along with wires for power and
-data. The shaft is a weak spot of the system, but this weak spot can be alleviated through either careful construction
-or a second layer of rotating meshes with a different axis of rotation. Configurations that do not use a hollow-shaft
-motor are possible, but may require additional bearings to keep the stator from vibrating.
-
-The next design choice we have to make is the physical structure of the security mesh. The spinning mesh must be
-designed to cover the entire surface of the payload, but compared to a traditional HSM it suffices if it sweeps over
-every part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside
-air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious
-issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be
-solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used
-exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power.
-Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum possible power dissipation
-of the payload and unlocks much more powerful processing capabilities. In an evolution of our design, the spinning mesh
-could even be designed to \emph{be} a cooling fan.
-
-\subsection{Spinning mesh power and data transmission}
-
-On the electrical side, the idea of a security mesh spinning at more than $\SI{500}{rpm}$ leaves us with a few
-implementation challenges. Since the spinning mesh must be monitored for breaks or short circuits continuously, we need
-both a power supply for the spinning monitoring circuit and a data link to the stator.
-
-We found that a bright lamp shining at a rotating solar panel is a good starting point. In contrast to e.g.\ slip
-rings, this setup is mechanically durable at high speeds and it also provides reasonable output power (see Appendix
-\ref{sec_energy_calculations} for an estimation of power consumption). A battery may not provide a useful lifetime
-without power-optimization. Likewise, an energy harvesting setup may not provide enough current to supply peak demand.
-
-Since the monitoring circuit uses little current, power transfer efficiency is not important. On the other hand, cost
-may be a concern in a production device. Here it may prove worthwhile to replace the solar cell setup with an extra
-winding on the rotor of the BLDC motor driving the spinning mesh. This motor is likely to be a custom part, so adding
-an extra winding is unlikely to increase cost significantly. More traditional inductive power transfer may also be an
-option if it can be integrated into the mechanical design.
-
-Besides power, the data link between spinning mesh and payload is critical to the HSM's design. This link is used to
-transmit the occassional status report along with a low-latency alarm trigger (``heartbeat'') signal from mesh to payload.
-As we will elaborate in Section~\ref{sec_proto} a simple infrared optical link turned out to be a good solution for this
-purpose.
-
-\subsection{Tamper detection}
+The spinning mesh must be designed to cover the entire surface of the payload, but in contrast to a traditional HSM it
+suffices if it sweeps over every part of the payload once per rotation. This means we can design longitudinal gaps into
+the mesh that allow outside air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the
+payload processor is a serious issue since any air duct or heat pipe would have to penetrate the HSM's security
+boundary. This problem can only be solved with complex and costly siphon-style constructions, so in commercial systems
+heat conduction is used exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus
+its processing power. Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum
+possible power dissipation of the payload and unlocks much more powerful processing capabilities. In an evolution of
+our design, the spinning mesh could even be designed to \emph{be} a cooling fan.
\section{Attacks}
\label{sec_attacks}
After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to
-attack it. Fundamentally, attacks on an inertial HSM are the same as those on a traditional HSM since the tamper
-detection mesh is the same. Only, in the inertial HSM any attack on the mesh has to be carried out while the mesh is
-rotating, which for most types of attack will require some kind of CNC attack robot moving in sync with it.
+attack it. At the core of an IHSM's defenses is the same security mesh that is also used in traditional HSMs. This means
+that in the end an attacker will have to perform the same steps they would have to perform to attack a traditional HSM.
+Only to attack an IHSM, assuming that the braking detection system works they will have to perform these steps with a
+tool that follows the HSMs rotation at high speed. This may require specialized mechanical tools, CNC actuators or
+even a contactless attack using a laser, plasma jet or water jet.
+
+\subsection{Mechanical weak spots}
+
+The tamper defense of an IHSM rests on the security mesh moving too fast to tamper. Depending on the type of motion
+used, the meshes speed may vary by location and over time. Our example configuration of a rotating mesh can keep moving
+continuously, so it does not have any time-dependent weak spots. It does however have a weak spot at its axis of
+rotation, at the point where the shaft penetrates the mesh. The meshes tangential velocity decreases close to the shaft,
+and the shaft itself may allow an attacker to insert tools such as probes into the device through the opening it
+creates.
+
+This issue is related to the issue conventional HSMs also face with their power and data connections. In conventional
+HSMs, power and data are routed into the enclosure through the PCB or flat flex cables sandwiched in between
+security mesh foil layers. By using a thin substrate and by creating a meandering path by folding the interconnect
+substrate/security mesh layers several times, in traditional HSMs this interface rarely is a mechanical weak spot. In
+inertial HSMs, careful engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows variations
+of the shaft interface of increasing level of complexity.
-\subsection{Attacking at the axis of rotation}
+\begin{figure}
+ \begin{subfigure}[t]{0.3\textwidth}
+ \center
+ \includegraphics[width=4cm]{ihsm_shaft_countermeasures_a.pdf}
+ \caption{Cross-sectional view of the basic configuration with no special protection of the shaft. Red: Moving
+ mesh -- Black: Stationary part.}
+ \label{shaft_cm_a}
+ \end{subfigure}
+ \hfill
+ \begin{subfigure}[t]{0.3\textwidth}
+ \center
+ \includegraphics[width=4cm]{ihsm_shaft_countermeasures_b.pdf}
+ \caption{An internal counter-rotating disc greatly decreases the space available to attackers at the expense of
+ another moving part and a second moving monitoring circuit.}
+ \label{shaft_cm_a}
+ \end{subfigure}
+ \hfill
+ \begin{subfigure}[t]{0.3\textwidth}
+ \center
+ \includegraphics[width=4cm]{ihsm_shaft_countermeasures_c.pdf}
+ \caption{A second moving tamper detection mesh also enables more complex topographies.}
+ \label{shaft_cm_a}
+ \end{subfigure}
+ \caption{Mechanical countermeasures to attacks through or close to a rotating IHSM's shaft.}
+ \label{shaft_cm}
+\end{figure}
-\subsection{Attacks on the mesh}
+\subsection{Attacking the mesh in motion}
-There are two locations where one can attack a tamper-detection mesh. On one hand, the mesh itself can be tampered with.
-This includes bridging its traces to allow for a hole to be cut. The other option is to tamper with the monitoring
-circuit itself to prevent a damaged mesh from triggering an alarm and causing the HSM to erase its
-contents~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e. they require electrical contact to
+To disable the mesh itself, an attacker can choose two paths. One is to attack the mesh itself, for example by bridging
+ its traces to allow for a hole to be cut. The other option is to tamper with the monitoring
+circuit to prevent a damaged mesh from triggering an alarm~\cite{dexter2015}.
+
+Attacks in both locations are electronic attacks, i.e. they require electrical contact to
parts of the circuit. Traditionally, this contact is made by soldering or by placing a probe such as a thin needle. We
-consider this contact infeasible to be performed on an object spinning at high speed without a complex setup that
-rotates along with the object or that involves ion beams, electron beams or liquids. Thus, we consider them to be
-practically infeasible outside of a well-funded, special-purpose laboratory.
+consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack avenues may
+be to rotate an attack tool in sync with the mesh, or to use a laser or ion beam fired at the mesh to cut traces or
+carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting compound and
+shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the complexity of such
+attacks.
\subsection{Attacks on the rotation sensor}
Instead of attacking the mesh in motion, an attacker may also try to first stop the rotor. To succeed, they would need
-to fool the rotor's MEMS accelerometer. An electronic attack on the sensor or the monitoring microcontroller would be no
-easier than directly bridging the mesh traces.
+to falsify the rotor's MEMS accelerometer measurements. We can disregard electronic attacks on the sensor or the
+monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be
+physical attacks of the accelerometer's sensing mechanism.
-MEMS accelerometers usually use a cantilever design, where a proof mass moves a cantilever whose precise position can be
+MEMS accelerometers usually use a cantilever design, where a proof mass moves a cantilever whose precise position is
measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these
-mechanics~\cite{trippel2017}. In the authors' estimate these attacks are too hard to control to be practically useful
-against an inertial HSM.
+mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings.
-A possible way to attack the accelerometer inside an inertial HSM may be to first decapsulate it using laser ablation
-synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the
-moving MEMS parts, locking them in place. To mitigate this type of attack the accelerometer should be mounted in a
-shielded place inside the security envelope. Further, this attack can only work if the rate of rotation and thus the
-expected accelerometer readings are constant. If the rate of rotation is set to vary over time this type of attack is
-quickly detected. In Appendix \ref{sec_degrees_of_freedom} we outline the constraints on sensor placement.
+A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the
+device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the
+mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the
+security envelope and by varying the rate of rotation over time. In Appendix~\ref{sec_degrees_of_freedom} we outline
+some constraints on sensor placement.
\subsection{Attacks on the alarm circuit}
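Review bot: all three subfigures in the new shaft-countermeasures figure carry the same `\label{shaft_cm_a}`, so LaTeX will report multiply defined labels and it is impossible to reference the counter-rotating disc or the second mesh variant individually; rename them to `shaft_cm_b` and `shaft_cm_c`. Wording fixes in the same hunk: "the meshes speed" and "the meshes tangential velocity" should be "the mesh's ..."; "follows the HSMs rotation" should be "the HSM's rotation"; and the line " its traces to allow for a hole to be cut" starts with a stray leading space that will not show in the PDF but breaks the paragraph's alignment in the source. In the mesh-attack paragraph, "To disable the mesh itself, an attacker can choose two paths. One is to attack the mesh itself" repeats "itself"; the first occurrence can go.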
@@ -421,81 +400,80 @@ Besides trying to deactivate the tamper detection mesh, an electronic attack cou
inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a
cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat
message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope.
-Like in conventional HSMs it has to be built to either tolerate or detect environmental attacks such as ones using
-temperature, ionizing radiation, lasers, supply voltage variations, ultrasound or other vibration and gases or liquids.
-Conventionally, incoming power rails are filtered thoroughly to prevent electrical attacks and other types of attacks
-are prevented by sensors that thrigger an alarm.
-
-In an inertial HSM, the mesh monitoring circuit's tamper alarm is transmitted from rotor to stator through a wireless
-link. Since an attacker may wirelessly spoof this link, it must be cryptographically secured. It also must be
-bidirectional to allow the alarm signal receiver to verify link latency: If it were unidirectional, an attacker could
-act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed
-(say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary
-deviations in the transmitter's local clock frequency. Thus, after some time the attacker can simply stop the rotor and
-break the mesh while replaying the leftover recorded ``no alarm'' signal. Given the frequency stability of commercial
-crystals, this would yield the attacker several seconds of undisturbed attack time per hour of recording time.
+Like in conventional HSMs it has to be built to either tolerate or detect environmental attacks using sensors for
+temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration and gases or
+liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured.
+To prevent replay attacks this link must be bidirectional so link latency can be measured continuously.
+% If it were unidirectional, an attacker could
+% act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed
+% (say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary
+% deviations in the transmitter's local clock frequency. Thus, after some time the attacker can simply stop the rotor and
+% break the mesh while replaying the leftover recorded ``no alarm'' signal. Given the frequency stability of commercial
+% crystals, this would yield the attacker several seconds of undisturbed attack time per hour of recording time.
\subsection{Fast and violent attacks}
A variation of the above attacks on the alarm circuitry is to simply destroy the part of the HSM that erases data in
-response to tampering before it can finish its job. This attack could use a tool such as a large hammer or a gun.
-Mitigations for this type of attack include potting the payload inside a mechanically robust enclosure. Additionally,
-the integrity of the entire alarm signalling chain can be checked continuously using a cryptographic heartbeat protocol.
-A simple active-high or active-low alarm signal as it is used in traditional HSMs cannot be considered fail-safe in this
-scenario as such an attack may well short-circuit or break PCB traces.
+response to tampering before it can perform its job using a tool such as a large hammer or a gun. To mitigate this
+type of attack, the HSM's tamper response circuitry must be mechanically robust enough to withstand an attack for long
+enough to carry out its function or else to reliably destory the payload during an attack.
\section{Prototype implementation}
\label{sec_proto}
-After elaborating the design principles of inertial HSMs and researching potential attack vectors we have validated
-these theoretical studies by implementing a prototype rotary HSM. The main engineering challenges we solved in our
-prototype are:
+As we elaboreated above, the mechanical component of an IHSM significantly increases the complexity of any successful
+attack even when implemented using only common, off-the-shelf parts. In view of this amplification of design security we
+have decided to validate our theoretical studies by implementing a prototype IHSM. The main engineering challenges we
+set out to solve in this prototype were:
\begin{enumerate}
- \item Fundamental mechanical design suitable for rapid prototyping that can withstand a rotation of $\SI{500}{rpm}$.
+ \item Fundamental mechanical design suitable for rapid prototyping that can withstand at least $\SI{500}{rpm}$.
\item Automatic generation of security mesh PCB layouts for quick adaption to new form factors.
\item Non-contact power transmission from stator to rotor.
\item Non-contact bidirectional data communication between stator and rotor.
\end{enumerate}
+We will outline our findings on these challenges one by one in the following paragraphs.
+
\subsection{Mechanical design}
-We sized our prototype to have space for up to two full-size Raspberry Pi boards. Each one of these boards is already
-more powerful than an ordinary HSM, but they are small enough to simplify our prototype's design. For low-cost
-prototyping we designed our prototype to use printed circuit boards as its main structural material. The interlocking
-parts were designed in FreeCAD as shown in Figure \ref{proto_3d_design}. The mechanical designs were exported to KiCAD
-for electrical design before being sent to a commercial PCB manufacturer. Rotor and stator are built from interlocking,
-soldered PCBs. The components are mounted to a $\SI{6}{\milli\meter}$ brass tube using FDM 3D printed flanges. The rotor
-is driven by a small hobby quadcopter motor.
+We sized our prototype to have space for up to two full-size Raspberry Pi boards for an approximation of a traditional
+HSM's processing capabilities. We use printed circuit boards as the main structural material for the rotating part, and
+2020 aluminium extrusion for its mounting frame. Figure~\ref{proto_3d_design} shows the rotor's mechanical PCB designs
+in FreeCAD. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already sufficiently narrow to
+pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our prototype incorporates a
+functional PCB security mesh. As we observed previously, this mesh only needs to cover every part of the system once per
+revolution, so we designed the longituninal PCBs as narrow strips to save weight.
-Security is provided by a PCB security mesh enveloping the entire system and extending to within a few millimeters of
-the shaft. For security it is not necessary to cover the entire circumference of the module with mesh, so we opted to
-use only three narrow longitudinal struts to save weight.
+\subsection{PCB security mesh generation}
-To mount the entire HSM, we chose to use ``2020'' modular aluminium profile.
+Our proof-of-concept security mesh covers a total of five interlocking PCBs (cf.\ Figure~\ref{mesh_gen_sample}). A sixth
+PCB contains the monitoring circuit and connects to these mesh PCBs. To speed up design iterations, we automated the
+generation of this security mesh using a plugin for the KiCAD EDA
+suite\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. Figure~\ref{mesh_gen_viz} visualizes the mesh
+generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a randomized tree
+covering the grid. Finally, individual mesh traces are then traced according to a depth-first search through this tree.
+We consider the quality of the plugin's output sufficient for practical applications. Along with FreeCAD's KiCAD StepUp
+plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB files.
\begin{figure}
- \center
- \includegraphics[height=7cm]{proto_3d_design.jpg}
- \caption{The 3D CAD design of the prototype.}
- \label{proto_3d_design}
+ \begin{subfigure}{0.45\textwidth}
+ \center
+ \includegraphics[height=7cm]{proto_3d_design.jpg}
+ \caption{The 3D CAD design of the prototype.}
+ \label{proto_3d_design}
+ \end{subfigure}
+ \hfill
+ \begin{subfigure}{0.45\textwidth}
+ \vfil
+ \includegraphics[width=6cm]{mesh_scan_crop.jpg}
+ \vfil
+ \caption{Part of the security mesh PCB we produced with our toolchain for the prototype HSM.}
+ \label{mesh_gen_sample}
+ \end{subfigure}
+ \caption{Our prototype IHSM's PCB security mesh design}
\end{figure}
-\subsection{PCB security mesh generation}
-
-The security mesh covers a total of five interlocking PCBs. A sixth PCB contains the monitoring circuit and connects to
-these mesh PCBs. To allow us to quickly iterate our design without manually re-routing several large security meshes
-for every mechanical chage we wrote a plugin for the KiCAD EDA suite that automatically generates parametrized security
-meshes. When KiCAD is used in conjunction with FreeCAD through FreeCAD's KiCAD StepUp plugin, this ends up in an
-efficient toolchain from mechanical CAD design to security mesh PCB gerber files. The mesh generation plugin can be
-found at its website\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. The meshes it produces have a
-practical level of security in our application.
-
-The mesh generation process starts by overlaying a grid on the target area. It then produces a randomized tree covering
-this grid. The individual mesh traces are then traced along a depth-first search through this tree. A visualization of
-the steps is shown in Figure \ref{mesh_gen_viz}. A sample of the production results from our prototype is shown in
-Figure \ref{mesh_gen_sample}.
-
\begin{figure}
\center
\includegraphics[width=9cm]{mesh_gen_viz.pdf}
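Review bot: the rewritten mechanical-design paragraph loses the one quantitative statement about the mesh's weak spot. The removed lines `-Security is provided by a PCB security mesh enveloping the entire system and extending to within a few millimeters of` / `-the shaft.` are replaced by `+pose a challenge to an attacker.`, which asserts that the 6 mm shaft is narrow enough to be a challenge without saying how much unmeshed clearance an attacker has around it; keep the "within a few millimeters" figure (or the measured gap), because that clearance is the residual attack surface the security argument rests on. Two typos in the added text: "elaboreated" in the first added line, and "longituninal" in `+revolution, so we designed the longituninal PCBs as narrow strips to save weight.`. In the new subfigure environment, `\center` should be `\centering` (`\center` is the internal start of the center environment, not a switch), and the two `\vfil` lines around the second `\includegraphics` do nothing inside a subfigure and can be dropped. Minor: the added text says the proof-of-concept mesh covers five interlocking PCBs "(cf. Figure mesh_gen_sample)", but that figure's own caption says it shows part of one mesh PCB, so the cross-reference should point at the 3D design or be reworded.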
@@ -505,67 +483,57 @@ Figure \ref{mesh_gen_sample}.
\label{mesh_gen_viz}
\end{figure}
-\begin{figure}
- \center
- \includegraphics[width=6cm]{mesh_scan_crop.jpg}
- \caption{A section of the security mesh PCB we produced with our toolchain for the prototype HSM.}
- \label{mesh_gen_sample}
-\end{figure}
-
-\subsection{Data transmission through rotating joint}
-
-With the mesh done, the next engineering challenge was the mesh monitoring data link between rotor and stator. As a
-baseline solution, we settled on a $\SI{115}{\kilo\baud}$ UART signal sent through a simple bidirectional infrared link.
-In the transmitter, the UART TX line on-off modulates a $\SI{920}{\nano\meter}$ IR LED through a common-emitter driver
-transistor. In the receiver, an IR PIN photodiode reverse-biased to $\frac{1}{2}V_\text{CC}$ is connected to a
-reasonably wideband transimpedance amplifier (TIA) with a $\SI{100}{\kilo\ohm}$ transimpedance. As shown in Figure
-\ref{photolink_schematic}, the output of this TIA is fed through another $G=100$ amplifier whose output is then squared
-up by a comparator. We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current
-consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a
-useful transimpedance in the photodiode-facing TIA stage.
-
-To reduce the requirements on power transmission to the rotor, we have tried to reduce power consumption of the
-rotor-side receiver/transmitter pair trading off stator-side power consumption. One part of this is that we use
-a wide-angle photodiode and IR LED on the stator, but use narrow-angle components on the rotor. The two rx/tx pairs are
-arranged next to the motor on opposite sides. By placing the narrow-angle rotor rx/tx components on the outside as
-shown in Figure \ref{ir_tx_schema}, the motor shields both IR links from crosstalk. The rotor transmitter LED is
-driven at $\SI{1}{\milli\ampere}$ while the stator transmitter LED is driven at $\SI{20}{\milli\ampere}$.
-
-\begin{figure}
- \center
- \includegraphics{ir_tx_schema.pdf}
- \caption{Schema of our bidirectional IR communication link between rotor and stator, view along axis of rotation. 1
- - Rotor base PCB. 2 - Stator IR link PCB. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.}
- \label{ir_tx_schema}
-\end{figure}
+\subsection{Power transmission through the rotating joint}
+
+The spinning mesh has its own autonomous monitoring circuit. This spinning monitoring circuit needs both power and data
+connectivity to the stator. At the monitoring circuit's low power consumption (see
+Appendix~\ref{sec_energy_calculations}), power transfer efficiency is irrelevant so we decided against mechanically
+complex solutions such as slip rings or electronically complex ones such as inductive power transfer. Instead we opted
+to use six series-connected solar cells mounted on the end of our cylindrical rotor that are directly fed into a large
+$\SI{33}{\micro\farad}$ ceramic buffer capacitor. This solution provides around $\SI{3.0}{\volt}$ at several tens of
+$\si{\milli\ampere}$ to the payload when illumination using either a $\SI{60}{\watt}$ incandescent light bulb or a
+flicker-free LED studio light of similar brightness\footnote{LED lights intended for room lighting exhibit significant
+flicker that can cause the monitoring circuit to reset. Incandescent lighting requires some care in shielding the IR
+jata link from interference.}.
+
+\subsection{Data transmission through the rotating joint}
+
+Besides power transfer from stator to rotor we need a reliable, bidirectional data link to transmit mesh status and a
+low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a
+quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a
+transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into a an
+\texttt{MCP6494} general purpose opamp configured as an $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in
+Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time, before being squared up by a
+comparator. Our design trades off stator-side power consumption for a reduction in rotor-side power consumption by
+using a narrow-angle IR led and photodiode on the rotor, and wide-angle components at a higher LED current on the
+stator. Figure~\ref{ir_tx_schema} shows the physical arrangement of both links. The links face opposite one another and
+are shielded by the motor's body in the center of the PCB.
+
+% We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current
+% consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a
+% useful transimpedance in the photodiode-facing TIA stage.
\begin{figure}
- \center
- \includegraphics[width=9cm]{photolink_schematic.pdf}
- \caption{Schematic of the IR communication link. Component values are only examples. In particular C2 depends highly
- on the photodiode used and stray capacitances due to the component layout.}
- \label{photolink_schematic}
+ \begin{subfigure}{0.3\textwidth}
+ \includegraphics[width=4.5cm]{ir_tx_schema.pdf}
+ \caption{Basic layout, view along axis of rotation. 1
+ - Rotor base PCB. 2 - Stator IR link PCB. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.}
+ \label{ir_tx_schema}
+ \end{subfigure}
+ \hfill
+ \begin{subfigure}{0.65\textwidth}
+ \includegraphics[width=9cm]{photolink_schematic.pdf}
+ \caption{Schematic with sample component values. C2 is highly dependent on the photodiode characteristics and
+ stray capacitances.}
+ \label{photolink_schematic}
+ \end{subfigure}
+ \caption{IR data link implementation}
\end{figure}
-\subsection{Power transmission through rotating joint}
-
-Besides the data link, the other electrical interface we need between rotor and stator is for power transmission. We
-power Since this prototype serves only demonstration purposes, we chose to use the simplest possible method of power
-transmission: solar cells. We mounted six series-connected solar cells in three commercially available modules on the
-circular PCB at the end of our cylindrical rotor. The solar cells direclty feed the rotor's logic supply with buffering
-by a large $\SI{33}{\micro\farad}$ ceramic capacitor. With six cells in series, they provide around $\SI{3.0}{\volt}$ at
-several tens of $\si{\milli\ampere}$ given sufficient illumination.
-
-For simplicity and weight reduction, at this point we chose to forego large buffer capacitors on the rotor. This means
-variations in solar cell illumination directly couple into the microcontroller's supply rail. Initially, we experimented
-with regular residential LED light bulbs, but those turned out to have too much flicker and lead to our microcontroller
-frequently rebooting. Trials using an incandecent light produced a stable supply, but the large amount of infrared light
-emitted by the incandecent light bulb severely disturbed our near-infrared communication link. As a consequence of
-this, we settled on a small LED light intended for use as a studio light that provdided us with almost flicker-free
-light at lower frequencies, leading to a sufficiently stable microcontroller VCC rail without any disturbance to the IR
-link.
+%%% FIXME rework parts below
\subsection{Evaluation}
+% FIXME maybe move this to last chapter (conclusion)? to be in line with new mems evaluation chapter?
After building our prototype inertial HSM according to the design decisions we outlined above, we performed a series of
experiments to validate the critical components of the design.
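Review bot: the added footnote says LED room lighting flicker "can cause the monitoring circuit to reset", but nothing in the power-transmission or data-transmission paragraphs says what a reset of the rotor-side monitor means to the stator. The data-link paragraph introduces a "low-latency heartbeat signal"; a brownout reset of the rotor monitor will drop that heartbeat, so the text should state whether a missed heartbeat is treated as a tamper event or is debounced, since that decides whether a flickering light is a denial-of-service against the module. Also "power transfer efficiency is irrelevant" overstates it; "secondary" matches the argument actually made (low consumption). Grammar in the added lines: "at several tens of mA to the payload when illumination using either" should read "when illuminated using either"; "IR jata link" should be "IR data link"; "an \SI{115}{\kilo\baud} UART signal" should be "a"; "feeding into a an \texttt{MCP6494}" has a doubled article; "IR led" should be "IR LED" (twice). The commented-out block `+% We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current` carries the only justification for the op-amp choice (2 mA within the rotor budget, 7.5 MHz GBP giving a usable transimpedance); fold that sentence back into the prose or delete the comment rather than shipping dead text, and likewise resolve or remove the `%%% FIXME rework parts below` marker before submission.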
@@ -586,6 +554,93 @@ HSM concept practical.
\label{prototype_early_comms}
\end{figure}
+% FIXME rework parts above
+% new section follows.
+
+\section{Using MEMS accelerometers for braking detection}
+
+Using the prototype from the previous section, we performed an evaluation of an \partnum{AIS 1120} commercial automotive
+MEMS accelerometer as a braking sensor. The device is mounted inside our prototype at a radius of
+$\SI{55}{\milli\meter}$ from the axis of rotation to the center of the device's package. The \partnum{AIS 1120} provides
+a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$.
+
+Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually
+control this motor controller through an RC servo tester. We measure the devices rotation speed using a magnet fixed to
+the rotor and a reed switch held closeby by an articulating arm. The reed switch output is digitized using an USB logic
+analyzer at a sampling rate of $\SI{100}{\mega\hertz}$. We calculcate rotation frequency as a $\SI{1}{\second}$ running
+average over debounced interval lengths of this captured signal.
+
+The accelerometer is controlled from the \partnum{STM32} microcontroller on the rotor of our IHSM prototype platform.
+Timed by an external quartz, the microcontroller samples accelerometer readings at $\SI{10}{\hertz}$. Readings are
+accumulated in a small memory buffer, which is continuously transmitted out through the prototype platform's infrared
+link. Data is packetized with a sequence number indicating the buffer's position in the data stream and a CRC-32
+checksum for error detection. On the host, a Python script stores all packets received with a valid checksum in an
+SQLite database.
+
+Data analysis is done separately from data capture. An analysis IPython Notebook reads captured packets and reassembles
+the continuous sample stream based on the packets' sequence numbers. The low $\SI{10}{\hertz}$ sampling rate and high
+$\SI{115}{\kilo Bd}$ transmission speed lead to a large degree of redundancy with gaps in the data stream being rare.
+This allowed us to avoid writing retransmission logic or data interpolation.
+
+Figure~\ref{fig-acc-steps} shows an entire run of the experiment. During this run, we started with the rotor at
+standstill, then manually increased its speed of rotation in steps. Areas shaded gray are intervals where we manually
+adjust the rotors speed. The unshaded areas in between are intervals when the rotor speed is steady.
+Figure~\ref{fig-acc-stacked} shows a magnified view of these periods of steady rotor speed. In both graphs, orange
+lines indicate centrifugal acceleration as calculated from rotor speed measurements. Visually, we can see that
+measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the
+accelerometer's intrinsic errors as well as error in its placement due to construction tolerances.
+
+The accelerometer's primary intrinsic errors are offset error and scale error. Offset error is a fixed additive offset
+to all measurements. Scale error is an error proportional to a measurements value that results from a deviation between
+the device's specified and actual sensitivity. We correct for both errors by first extracting all stable intervals from
+the time series, then fitting a linear function to the measured data. Offset error is this linear function's intercept,
+and scale error is its slope. We then apply this correction to all captured data before plotting and later analysis.
+Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of
+the device's offset remaining. At high speeds of rotation this remaining offset does not have an appreciable impact, but
+due to the quadratic nature of centrifugal acceleration at low speeds it causes a large relative error of up to
+$\SI{10}{\percent}$ (at $\SI{95}{rpm}$).
+
+After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data.
+Raw data contains significant harmonic content. This content is due to vibrations in our prototype. FFT analysis shows
+that this harmonic content is a clean intermodulation product of the accelerometers sampling rate and the speed of
+rotation with no other visible artifacts.
+
+Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark
+blue, and theoretical behavior is shown in orange.
+
+\begin{figure}
+ \center
+ \includegraphics[width=0.7\textwidth]{../../prototype/sensor-analysis/fig-acc-theory-meas-run50.pdf}
+ \caption{Centrifugal acceleration versus angular frequency in theory and in our experiments. Experimental
+ measurements are shown after correction for device-specific offset and scale error. As is evident, our measurements
+ agree very well with our theoretical results. Above \SI{300}{rpm}, the relative acceleration error was consistently
+ below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, residual offset error remaining after our first-order corrections
+ has a strong impact ($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$.}
+ \label{fig-acc-theory}
+\end{figure}
+% FIXME note how to sense actual rotation frequency somewhere -> falls out of motor driver
+
+\begin{figure}
+ \begin{subfigure}{0.5\textwidth}
+ \center
+ \includegraphics[width=1.1\textwidth]{../../prototype/sensor-analysis/fig-acc-trace-steps-run50.pdf}
+ \caption{Raw recording of accelerometer measurements during one experiment run. Shaded areas indicate time
+ intervals when we manually adjusted speed, leading to invalid measurements.}
+ \label{fig-acc-steps}
+ \end{subfigure}
+ \hfill
+ \begin{subfigure}{0.45\textwidth}
+ \center
+ \includegraphics[width=1.1\textwidth]{../../prototype/sensor-analysis/fig-acc-trace-stacked-run50.pdf}
+ \caption{Valid measurements cropped out from \ref{fig-acc-steps} for various frequencies. Intermodulation
+ artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SIrange{3}{18}{\hertz}$
+ rotation frequency due to device vibration are clearly visible.}
+ \label{fig-acc-stacked}
+ \end{subfigure}
+ \label{fig-acc-traces}
+ \caption{Traces of acceleration measurements during one experiment run.}
+\end{figure}
+
\section{Conclusion}
\label{sec_conclusion} To conclude, in this paper we introduced inertial hardware security modules (iHSMs), a
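Review bot: the residual-offset figure is stated twice with different values and the second statement has an unclosed parenthesis. The body says "a large relative error of up to $\SI{10}{\percent}$ (at $\SI{95}{rpm}$)" while the fig-acc-theory caption says "($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$." with no closing `)`; use one number in both places and close the paren. In the last figure, `+ \label{fig-acc-traces}` comes before `+ \caption{Traces of acceleration measurements during one experiment run.}`, so `\ref{fig-acc-traces}` will resolve to the preceding subfigure or the section rather than the figure; move the label after the caption. `\SI{115}{\kilo Bd}` should be `\SI{115}{\kilo\baud}` to use the unit macro declared for the rest of the paper. The offset/scale correction says the intercept is the offset and the slope the scale error, but not what is regressed on what; say explicitly that measured acceleration is fit against the centrifugal acceleration computed from the reed-switch speed (presumably the same quantity the orange traces show). Typos in the added text: "devices rotation speed" (device's), "closeby" (close by), "an USB" (a USB), "calculcate", "rotors speed" (rotor's), "measurements value" (measurement's), "accelerometers sampling rate" (accelerometer's). The comment `% FIXME note how to sense actual rotation frequency somewhere -> falls out of motor driver` contradicts the reed-switch and logic-analyzer method described earlier in the same section; resolve it or drop it.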
@@ -685,15 +740,6 @@ or commercial restrictions. Where possible, we ask you to cite this paper and at
authors.
\center{
- \center{\ccbysa}
-
- \center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The
- full text of the license can be found at:}
-
- \center{\url{https://creativecommons.org/licenses/by-sa/4.0/}}
-
- \center{For alternative licensing options, source files, questions or comments please contact the authors.}
-
\center{This is version \texttt{\input{version.tex}\unskip} generated on \today. The git repository can be found at:}
\center{\url{https://git.jaseg.de/rotohsm.git}}
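Review bot: this hunk removes the only explicit license grant in the document (the `\ccbysa` icon, the "Attribution-ShareAlike 4.0 International" sentence and its URL) together with the sentence offering alternative licensing, but keeps the preceding text `or commercial restrictions. Where possible, we ask you to cite this paper and at` / `authors.`, which still reads as a statement of reuse terms. With the notice gone, that sentence promises reuse conditions without naming any; either state the license that now applies (for example the publication venue's, if the submission target dictates one) or remove the reuse sentence along with the notice. Keep a contact line for licensing questions, since the removed sentence was the only pointer for readers wanting other terms.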