diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/quick-tech-report/rotohsm_tech_report.tex | 210 |
1 files changed, 113 insertions, 97 deletions
diff --git a/doc/quick-tech-report/rotohsm_tech_report.tex b/doc/quick-tech-report/rotohsm_tech_report.tex index 76a9eb7..fea0a1c 100644 --- a/doc/quick-tech-report/rotohsm_tech_report.tex +++ b/doc/quick-tech-report/rotohsm_tech_report.tex @@ -146,6 +146,9 @@ Section~\ref{sec_conclusion}. % summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion % beyond ultrasound. +In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper +detection. + HSMs are an old technology tracing back decades in their electronic realization. Today's common approach of monitoring meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, @@ -188,7 +191,7 @@ compound that has been loaded with RF-reflective grains. In their concept, the R transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains within the potting compound. -Our concept is novel in that mechanical motion has not been proposed before as part of a hardware security module. Most +We are the the first to propose a mechanically moving HSM security barrier as part of a hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to cheaply manufacture and certify these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance @@ -244,38 +247,40 @@ necessary. \subsection{Mechanical layout} -The simplest way to mount a stationary payload in a spinning security mesh is to use a hollow shaft. The payload can be -mounted on a fixed rod threaded through this hollow shaft along with wires for power and data. The shaft is a weak spot -of the system, but this weak spot can be alleviated through either careful construction or a second layer of rotating -meshes with a different axis of rotation. Configurations that do not use a hollow-shaft motor are possible, but may -require additional bearings to keep the stator from vibrating. - -The spinning mesh must be designed to cover the entire surface of the payload during one revolution. Still, it can be -designed with longitudinal gaps to allow outside air to flow through to the payload. In boundary-sensing HSMs, cooling -of the processor inside is a serious issue since any air duct or heat pipe would have to penetrate the HSM's security -boundary. This problem can only be solved with complex and costly siphon-style constructions, so in commercial systems -heat conduction is used exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus -its processing power. Our setup allows direct air cooling, which increases the maximum possible power dissipation of -the payload and unlocks much more powerful processing capabilities. Instead of gaps one could even integrate an actual -fan into the rotor. +Thinking about the concrete construction of our mechanical HSM, the first challenge is mounting both mesh and payload on +a single shaft. The simplest way we found to mount a stationary payload inside of a spinning security mesh is a hollow +shaft. The payload can be mounted on a fixed rod threaded through this hollow shaft along with wires for power and +data. The shaft is a weak spot of the system, but this weak spot can be alleviated through either careful construction +or a second layer of rotating meshes with a different axis of rotation. Configurations that do not use a hollow-shaft +motor are possible, but may require additional bearings to keep the stator from vibrating. + +The next design choice we have to make is the physical structure of the security mesh. The spinning mesh must be +designed to cover the entire surface of the payload, but compared to a traditional HSM it suffices if it sweeps over +every part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside +air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious +issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be +solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used +exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. +Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum possible power dissipation +of the payload and unlocks much more powerful processing capabilities. In an evolution of our design, the spinning mesh +could even be designed to *be* a cooling fan. \subsection{Spinning mesh power and data transmission} -The basic concept of a security mesh spinning at more than $\SI{500}{rpm}$ around a payload leaves us with a few +On the electrical side, the idea of a security mesh spinning at more than $\SI{500}{rpm}$ leaves us with a few implementation challenges. Since the spinning mesh must be monitored for breaks or short circuits continuously, we need -both a power supply for the spinning monitoring circuit and a data link back to the stator. +both a power supply for the spinning monitoring circuit and a data link to the stator. -A good starting point for power transfer is a simple setup of a stationary bright lamp shining at a rotating solar -panel. In contrast to e.g.\ slip rings, this setup is mechanically durable at high speeds and it also provides -reasonable output power (see Appendix \ref{sec_energy_calculations} for some calculations on power consumption). A -battery may not provide a useful lifetime without power-optimization. Likewise, an energy harvesting setup may not -provide enough current to supply peak demand. +We found that a bright lamp shining at a rotating solar panel is a good starting point. In contrast to e.g.\ slip +rings, this setup is mechanically durable at high speeds and it also provides reasonable output power (see Appendix +\ref{sec_energy_calculations} for some calculations on power consumption). A battery may not provide a useful lifetime +without power-optimization. Likewise, an energy harvesting setup may not provide enough current to supply peak demand. Since the monitoring circuit uses little current, power transfer efficiency is not important. On the other hand, cost may be a concern in a production device. Here it may prove worthwhile to replace the solar cell setup with an extra -windings on the rotor of the BLDC motor driving the spinning mesh. This rotor is likely to be a custom part, so adding -these windings is unlikely to increase cost significantly. Inductive power transfer may also be an option given that one -can integrate it into the mechanical design. +winding on the rotor of the BLDC motor driving the spinning mesh. This rotor is likely to be a custom part, so adding +an extra winding is unlikely to increase cost significantly. More traditional inductive power transfer may also be an +option if it can be integrated into the mechanical design. Besides power, the data link between spinning mesh and payload is critical to the HSM's design. This link is used to transmit the occassional status report along with a low-latency alarm trigger (``heartbeat'') signal from mesh to payload. @@ -286,76 +291,79 @@ purpose. \label{sec_attacks} After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to -attack it. Fundamentally, attacks on an inertial HSM are the same as those on a traditional HSM, since the tamper -detection mesh is the same. Only in the inertial HSM any attack on the mesh has to be carried out while the mesh is -rotating, which for most types of attack will require a CNC attack robot moving in sync with it. In comparison to -traditional designs, the data link between mesh and payload is an additional weak spot in the rotating desing. If it is -optical, non-contact attacks are possible. +attack it. Fundamentally, attacks on an inertial HSM are the same as those on a traditional HSM since the tamper +detection mesh is the same. Only, in the inertial HSM any attack on the mesh has to be carried out while the mesh is +rotating, which for most types of attack will require some kind of CNC attack robot moving in sync with it. \subsection{Attacks on the mesh} There are two locations where one can attack a tamper-detection mesh. On one hand, the mesh itself can be tampered with. This includes bridging its traces to allow for a hole to be cut. The other option is to tamper with the monitoring -circuit itself, to prevent a damaged mesh from triggering an alarm and causing the HSM to erase its +circuit itself to prevent a damaged mesh from triggering an alarm and causing the HSM to erase its contents~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e. they require electrical contact to parts of the circuit. Traditionally, this contact is made by soldering or by placing a probe such as a thin needle. We consider this contact infeasible to be performed on an object spinning at high speed without a complex setup that rotates along with the object or that involves ion beams, electron beams or liquids. Thus, we consider them to be practically infeasible outside of a well-funded, special-purpose laboratory. -\subsection{Attacks on the alarm circuitry} +\subsection{Attacks on the rotation sensor} -An electronic attack could also target the alarm circuitry inside the stationary payload, or the communication link -between rotor and payload. The link can easily be proofed by using a cryptographically secured protocol along with a -high-frequency heartbeat message. The alarm circuitry has to be designed such that it is entirely contained within the -HSM's security envelope and has to tolerate environmental attacks such as ones using temperature, ionizing radiation, -lasers, supply voltage variations, ultrasound or other vibration and gases or liquids. The easiest way to proof an alarm -system against these is to employ adequate filtering of the incoming power supply and use sensors for the others, -triggering an alarm in case extraordinary environmental variations are detected. - -If the alarm link between rotor and stator uses a spoofable interface such as an optical link, this link must be -cryptographically verified. It also must be bidirectional to allow the alarm signal receiver to verify link latency. In -a purely unidirectional spoofable link, an attacker could record the authenticated ``no alarm'' signal from the -transmitter while simultaneously replaying it just slightly slower (say at $\SI{99}{\percent}$ speed) to the receiver. -The receiver would not be able to distinguish between this attack and ordinary deviations in the transmitter's local -clock frequency. However, the attacker can at any point simply stop the rotor and replay the leftover recorded ``no -alarm'' signal. Given the frequency stability of commercial crystals, this would allow for an attack duration of several -seconds per hour of recording time. +Instead of attacking the mesh in motion, an attacker may also try to first stop the rotor. To succeed, they would need +to fool the rotor's MEMS accelerometer. An electronic attack on the sensor or the monitoring microcontroller would be no +easier than directly bridging the mesh traces. -\subsection{Fast and violent attacks} +MEMS accelerometers usually use a cantilever design, where a proof mass moves a cantilever whose precise position can be +measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these +mechanics~\cite{trippel2017}. In the authors' estimate these attacks are too hard to control to be practically useful +against an inertial HSM. -A variation of the above attacks on the alarm circuitry would be an attack that -attempts to simply destroy this circuitry before the alarm can be acted upon using a tool like a large hammer or a gun. -Mitigations for this type of attack include potting the payload inside a mechanically robust enclosure. The alarm -signalling chain's integrity can be checked continuously using a cryptographic heartbeat protocol. A simple active-high -or active-low alarm signal cannot be considered fail-safe in this scenario. +A possible way to attack the accelerometer inside an inertial HSM may be to first decapsulate it using laser ablation +synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the +moving MEMS parts, locking them in place. To mitigate this type of attack the accelerometer should be mounted in a +shielded place inside the security envelope. Further, this attack can only work if the rate of rotation and thus the +expected accelerometer readings are constant. If the rate of rotation is set to vary over time this type of attack is +quickly detected. In Appendix \ref{sec_degrees_of_freedom} we outline the constraints on sensor placement. -\subsection{Attacks on the rotation sensor} +\subsection{Attacks on the alarm circuitry} -An attacker may try to stop the rotor before tampering with the mesh. To succeed, they would need to fool the rotor's -MEMS accelerometer. An electronic attack on the sensor or the monitoring microcontroller would be no easier than -directly bridging the mesh traces. Physical attacks on the accelerometer are possible~\cite{trippel2017}, but in the -authors' estimate are too hard to control to be practically useful. +Besides trying to deactivate the tamper detection mesh, an electronic attack could also target the alarm circuitry +inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a +cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat +message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope. +Like in conventional HSMs it has to be built to either tolerate or detect environmental attacks such as ones using +temperature, ionizing radiation, lasers, supply voltage variations, ultrasound or other vibration and gases or liquids. +Conventionally, incoming power rails are filtered thoroughly to prevent electrical attacks and other types of attacks +are prevented by sensors that thrigger an alarm. + +In an inertial HSM, the mesh monitoring circuit's tamper alarm is transmitted from rotor to stator through a wireless +link. Since an attacker may wirelessly spoof this link, it must be cryptographically secured. It also must be +bidirectional to allow the alarm signal receiver to verify link latency: If it were unidirectional, an attacker could +act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed +(say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary +deviations in the transmitter's local clock frequency. Thus, after some time the attacker can simply stop the rotor and +break the mesh while replaying the leftover recorded ``no alarm'' signal. Given the frequency stability of commercial +crystals, this would yield the attacker several seconds of undisturbed attack time per hour of recording time. -A last type of attack might be to try to physically tamper with the accelerometer's sensing mechanism. MEMS -accelerometers usually use a cantilever design, where a proof mass moves a cantilever whose precise position can be -measured electronically. A possible way to attack such a device might be to first decapsulate it using laser ablation -synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the -moving MEMS parts, locking them in place. This attack would require direct access to the accelerometer from the outside -and can be prevented by mounting the accelerometer in a shielded place inside the security envelope. This attack can -only work if the rate of rotation and thus the accelerometer's readings are constant. If the rate of rotation is set to -change on a schedule, this type of attack can be detected easily. In Appendix \ref{sec_degrees_of_freedom} we outline -the constraints on sensor placement. +\subsection{Fast and violent attacks} + +A variation of the above attacks on the alarm circuitry is to simply destroy the part of the HSM that erases data in +response to tampering before it can finish its job. This attack could use a tool such as a large hammer or a gun. +Mitigations for this type of attack include potting the payload inside a mechanically robust enclosure. Additionally, +the integrity of the entire alarm signalling chain can be checked continuously using a cryptographic heartbeat protocol. +A simple active-high or active-low alarm signal as it is used in traditional HSMs cannot be considered fail-safe in this +scenario as such an attack may well short-circuit or break PCB traces. \section{Prototype implementation} \label{sec_proto} -To validate our theoretical design, we implemented a prototype rotary HSM. The main engineering challenges we solved in -our prototype are: +After elaborating the design principles of inertial HSMs and researching potential attack vectors we have validated +these theoretical studies by implementing a prototype rotary HSM. The main engineering challenges we solved in our +prototype are: + \begin{enumerate} \item Fundamental mechanical design suitable for rapid prototyping that can withstand a rotation of $\SI{500}{rpm}$. \item Automatic generation of security mesh PCB layouts for quick adaption to new form factors. - \item Non-contact power transmission to rotor. + \item Non-contact power transmission from stator to rotor. \item Non-contact bidirectional data communication between stator and rotor. \end{enumerate} @@ -384,16 +392,18 @@ To mount the entire HSM, we chose to use ``2020'' modular aluminium profile. \subsection{PCB security mesh generation} -To allow a quick iteration of our design while producing results with a realistic level of security, we wrote a plugin -for the KiCAD EDA suite that automatically generates parametrized security meshes. When KiCAD is used in conjunction -with FreeCAD through FreeCAD's KiCAD StepUp plugin, this ends up in an efficient toolchain from mechanical CAD design to -security mesh PCB gerber files. The mesh generation plugin can be found at its -website\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. +The security mesh covers a total of five interlocking PCBs. A sixth PCB contains the monitoring circuit and connects to +these mesh PCBs. To allow us to quickly iterate our design without manually re-routing several large security meshes +for every mechanical chage we wrote a plugin for the KiCAD EDA suite that automatically generates parametrized security +meshes. When KiCAD is used in conjunction with FreeCAD through FreeCAD's KiCAD StepUp plugin, this ends up in an +efficient toolchain from mechanical CAD design to security mesh PCB gerber files. The mesh generation plugin can be +found at its website\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. The meshes it produces have a +practical level of security in our application. -Our mesh generation plugin overlays a grid on the target area and then produces a randomized tree covering this grid. -The individual mesh traces are then traced along a depth-first search through this tree. A visualization of the steps is -shown in Figure \ref{mesh_gen_viz}. A sample of the production results from our prototype is shown in Figure -\ref{mesh_gen_sample}. +The mesh generation process starts by overlaying a grid on the target area. It then produces a randomized tree covering +this grid. The individual mesh traces are then traced along a depth-first search through this tree. A visualization of +the steps is shown in Figure \ref{mesh_gen_viz}. A sample of the production results from our prototype is shown in +Figure \ref{mesh_gen_sample}. \begin{figure} \center @@ -413,14 +423,15 @@ shown in Figure \ref{mesh_gen_viz}. A sample of the production results from our \subsection{Data transmission through rotating joint} -As a baseline solution for data transmission, we settled on a $\SI{115}{\kilo\baud}$ UART signal sent through a simple -bidirectional infrared link. In the transmitter, the UART TX line on-off modulates a $\SI{920}{\nano\meter}$ IR LED -through a common-emitter driver transistor. In the receiver, an IR PIN photodiode reverse-biased to -$\frac{1}{2}V_\text{CC}$ is connected to a reasonably wideband transimpedance amplifier (TIA) with a -$\SI{100}{\kilo\ohm}$ transimpedance. As shown in Figure \ref{photolink_schematic}, the output of this TIA is fed -through another $G=100$ amplifier whose output is then squared up by a comparator. We used an \texttt{MCP6494} quad -CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current consumption it is within our rotor's power budget, and its -Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a useful transimpedance in the photodiode-facing TIA stage. +With the mesh done, the next engineering challenge was the mesh monitoring data link between rotor and stator. As a +baseline solution, we settled on a $\SI{115}{\kilo\baud}$ UART signal sent through a simple bidirectional infrared link. +In the transmitter, the UART TX line on-off modulates a $\SI{920}{\nano\meter}$ IR LED through a common-emitter driver +transistor. In the receiver, an IR PIN photodiode reverse-biased to $\frac{1}{2}V_\text{CC}$ is connected to a +reasonably wideband transimpedance amplifier (TIA) with a $\SI{100}{\kilo\ohm}$ transimpedance. As shown in Figure +\ref{photolink_schematic}, the output of this TIA is fed through another $G=100$ amplifier whose output is then squared +up by a comparator. We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current +consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a +useful transimpedance in the photodiode-facing TIA stage. To reduce the requirements on power transmission to the rotor, we have tried to reduce power consumption of the rotor-side receiver/transmitter pair trading off stator-side power consumption. One part of this is that we use @@ -446,8 +457,8 @@ driven at $\SI{1}{\milli\ampere}$ while the stator transmitter LED is driven at \end{figure} \subsection{Power transmission through rotating joint} - -Since this prototype serves only demonstration purposes, we chose to use the simplest possible method of power +Besides the data link, the other electrical interface we need between rotor and stator is for power transmission. We +power Since this prototype serves only demonstration purposes, we chose to use the simplest possible method of power transmission: solar cells. We mounted six series-connected solar cells in three commercially available modules on the circular PCB at the end of our cylindrical rotor. The solar cells direclty feed the rotor's logic supply with buffering by a large $\SI{33}{\micro\farad}$ ceramic capacitor. With six cells in series, they provide around $\SI{3.0}{\volt}$ at @@ -464,12 +475,15 @@ link. \subsection{Evaluation} -During experiments, our prototype performed as intended. After some experimentation, we got both power and data -transmission through the rotating joint working reliably. Figure \ref{prototype_early_comms} shows our prototype -performing reliably at maximum speed for the first time. Our improvised IR link is open in both directions for about -$\SI{60}{\degree}$ of the rotation, which allows us to reliably transfer several tens of bytes in each direction during -each receiver's fly-by even at high speed of rotation. As a result of our prototype experiments, we consider a -larger-scale implementation of the inertial HSM concept practical. +After building our prototype inertial HSM according to the design decisions we outlined above, we performed a series of +experiments to validate the critical components of the design. + +During these experiments, our prototype performed as intended. Both power and data transmission through the rotating +joint were working reliably. Figure \ref{prototype_early_comms} shows our prototype performing reliably at maximum speed +for the first time. Our improvised IR link is open in both directions for about $\SI{60}{\degree}$ of the rotation, +which allows us to reliably transfer several tens of bytes in each direction during the receivers' fly-by even at high +speed of rotation. As a result of our prototype experiments, we consider a larger-scale implementation of the inertial +HSM concept practical. \begin{figure} \center @@ -480,7 +494,9 @@ larger-scale implementation of the inertial HSM concept practical. \label{prototype_early_comms} \end{figure} -\section{Conclusion} \label{sec_conclusion} In this paper, we introduced inertial hardware security modules (iHSMs), a +\section{Conclusion} + +\label{sec_conclusion} To conclude, in this paper we introduced inertial hardware security modules (iHSMs), a novel concept for the construction of highly secure hardware security modules from inexpensive, commonly available parts. We elaborated the engineering considerations underlying a practical implementation of this concept. We implemented a prototype demonstrating practical solutions to the significant engineering challenges of this concept. We |