1 files changed, 79 insertions, 15 deletions

diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex
index 6b6109f..e426306 100644
--- a/paper/ihsm_paper.tex
+++ b/paper/ihsm_paper.tex
@@ -488,19 +488,44 @@ In the sections below, we will go into detail on such attacks on IHSMs. To put t
 we will start with a brief overview on attacks on conventional HSMs that the IHSM is defended against.
 %FIXME \paragraph{...}
 
-\subsection{Contactless probing of the payload}
-
-Irrespective of the HSM's technology (conventional or IHSM), there are some types of attack bypassing the HSM's security
-mesh that in principle cannot be prevented. One such type are contactless attacks such as electromagnetic (EM)
-sidechannel attacks, but attacks through the HSM's application interface such as Ethernet also follow this theme. While
-IHSMs allow for the use of off-the-shelf server hardware as their payload, the combination of payload hardware and the
-software running on top of this hardware still has to be evaluated for fitness in this particular application. EM
-sidechannel attacks can be mitigated by shielding and by designing the IHSM's payload such that critical components such
-as CPUs are physically distant to the security mesh, preventing EM probes from being brought close. Conducted EMI
-sidechannels that could be used for power analysis can be mitigated by placing filters on the inside of the security
-mesh at the point where the power and network connections penetrate the mesh. Attacks through the network interface must
-be prevented as in any other networked system by only exposing the minimum necessary amount of API surface to the
-outside world, and by carefully vetting this remaining attack surface.
+In principle, there are three ways to attack a conventional HSM. The hard way is to find a way to go through the
+security mesh without triggering the alarm, e.g.\ by using a probe that is finer than the mesh's structure size. An
+attacker willing to invest some effort can also try to uncover the mesh traces buried in plastic to then hot-wire the
+mesh, bridging over a part that will subsequently be removed. HSMs attempt to detect such attacks by measuring the mesh
+traces' resistance instead of only checking their continuity~\cite{obermaier2019}. However, if an attacker only wishes
+to disable a small section of the mesh to insert a handful of fine probes into the device, this hardening approach
+becomes challenging. Consider a mesh is covering an area of $\SI{100}{\milli\meter}$ by $\SI{100}{\milli\meter}$. An
+attacker who circumvents a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section of this mesh using wires with a low
+resistance will change the mesh trace's resistance by approximately
+$\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25
+\%$. Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and
+corresponding temperature stability of the mesh material.
+
+The second way to attack a HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between
+two mesh-equipped enclosure halves. This design in particular is vulnerable to attempts to stick a fine needle through
+the interface between mesh lid and PCB. Conventional HSMs mitigate this weak spot by wrapping a patterned conductive
+foil that forms the security mesh around the HSM, leaving only the foil's corners and the payload's power and data
+feed-through as potential weak spots.
+
+The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An
+attacker may need to insert several probes to wiretap the payload processor's secrets, but depending on its
+implementation they may be able to disable the mesh alarm circuit with only one. To harden a conventional HSM against
+this type of attack, the mesh monitoring circuit must be carefully designed to avoid single points of failure as well as
+any fail-open failure modes.
+
+\subsection{Attacks that work on any HSM}
+
+While an IHSM provides an effective mitigation against direct attacks on the security mesh as described in the previous
+paragraphs, certain attacks are generic against any HSM technology, conventional or IHSM.  One type of such attacks are
+contactless attacks such as electromagnetic (EM) sidechannel attacks. EM sidechannel attacks can be mitigated by
+shielding and by designing the IHSM's payload such that critical components such as CPUs are physically distant to the
+security mesh, preventing EM probes from being brought close. Conducted EMI sidechannels that could be used for power
+analysis can be mitigated by placing filters on the inside of the security mesh at the point where the power and network
+connections penetrate the
+mesh~\cite{anderson2020}.
+Finally, the API between the HSM's payload and the outside world provides attack surface.  Attacks through the network
+interface must be prevented as in any other networked system by only exposing the minimum necessary amount of API
+surface to the outside world, and by carefully vetting this remaining attack surface~\cite{anderson2020}.
 
 \subsection{The Swivel Chair Attack}
 \label{sec_swivel_chair_attack}
@@ -520,6 +545,41 @@ acceleration is $a=\omega^2 r$. In our example this results in a minimum angular
 $\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some
 kind of mechanical tool.
 
+\begin{figure}
+    \center
+    \includegraphics[width=6cm]{attack-robot.pdf}
+    \caption{Schematic overview of a robotic rotating-stage attack. An optical sensor (1) observes the IHSM's rotation
+    and adjusts the setpoint of a servo motor (2) that rotates the attack stage (3). On the rotating attack stage, a
+    remote controlled manipulator (4) is mounted that deactivates the security mesh (7) and creates an opening (5).
+    Through this opening, a human operator can then insert tools such as probes to read out sensitive information from
+    the actual payload (6).}
+    \label{fig_attack_robot}
+\end{figure}
+
+
+While it is certainly possible to create a mechanical tool to attack an IHSM in motion, we also consider this attack
+method reasonably remote. Figure~\ref{fig_attack_robot} shows a schematic overview of what such an attack tool would
+have to look like. Most fundamentally, the tool itself has to rotate at the IHSM's speed, and cannot simply rotate the
+IHSM. If the tool were to counter-rotate the IHSM such that relative to a stationary observer the rotor would be slowed
+down, the accelerometer on the rotor would measure lower centrifugal acceleration and detect this attempt. Instead, the
+attack tool has to follow the rotation of the IHSM.  At the high speeds an IHSM would be rotating at, following the
+rotation closely enough that a manipulator mounted on the attack tool is stationary w.r.t.\ the IHSM is not easy. To
+stay within $\pm\SI{5}{\milli\meter}$ of a target over a period of $\SI{10}{\second}$ on an IHSM mesh with radius
+$r=\SI{100}{\milli\meter}$ requires both speeds to be matched to better than
+$\frac{\SI{5}{\milli\meter}}{\SI{10}{\second}} \cdot \frac{1}{2\pi r} = \SI{8.0}{\milli\hertz} = \SI{0.048}{rpm}$.
+Relative to a realsistic IHSM's speed of $\SI{1000}{rpm}$ this corresponds to approximately $\SI{50}{ppm}$. Active servo
+control of the attack tool's rotation locked against optical tracking of the IHSM's rotor would likely be the most
+realistic option to achieve this precision. This strict accuracy requirement leads to a complex attack setup.
+
+If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a
+remote-controlled manipulator that can be mounted on the attack tool's rotating stage and that is able to actually
+disable the IHSM's mesh. Consider that simply bypassing the mesh e.g. by drilling an undetected hole does not gain an
+attacker much in this scenario, as the payload is stationary and an attack tool rotating at $\SI{1000}{rpm}$ is useless
+against it. Instead, the attacker would have to disable the mesh using the rotating tool, in order to then cut an
+opening into it through which they could insert a stationary tool to attack the payload with. Given the degree of manual
+skill necessary even for normal soldering work, we estimate that creating a remote-controllable manipulator that can be
+used to successfully attack a security mesh is infeasible.
+
 \subsection{Mechanical weak spots}
 
 The tamper defense of an IHSM rests on the security mesh moving too fast to tamper. Depending on the type of motion
@@ -864,12 +924,16 @@ allow the construction of devices secure against a wide range of practical attac
 specialized tools.  The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with
 traditional HSMs.  Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful
 computing hardware inside the HSM.  We hope that this simple construction will stimulate academic research into (more)
-secure hardware.
+secure hardware. We have published all design artifacts of our PoC online, see Appendix~\ref{sec_repo}. The next steps
+towards a practical application of our design will be to design a manufacturable stator/rotor interface with inductive
+power and data transfer integrated into the motor's magnetics and a custom motor driver tuned for the application that
+is able to precisely measure both angular velocity and winding current for an added degree of tamper detection.
 
 \printbibliography[heading=bibintoc]
 
 \appendix
-\section{Source code and Design artifacts}
+\section{Source code and design artifacts}
+\label{sec_repo}
 
 During our research on this paper, we have created a number of digital design artifacts including a 3D mechanical CAD
 model of our prototype IHSM, schematics and PCB layouts for all of its PCBs including the prototype security mesh