Diffstat (limited to 'paper/ihsm_tech_report.tex')
-rw-r--r--paper/ihsm_tech_report.tex300
1 files changed, 300 insertions, 0 deletions
diff --git a/paper/ihsm_tech_report.tex b/paper/ihsm_tech_report.tex
new file mode 100644
index 0000000..e9d571f
--- /dev/null
+++ b/paper/ihsm_tech_report.tex
@@ -0,0 +1,300 @@
+\documentclass[10pt,journal,a4paper]{IEEEtran}
+\usepackage[english]{babel}
+\usepackage[utf8]{inputenc}
+\usepackage[T1]{fontenc}
+\usepackage[
+ backend=biber,
+ style=numeric,
+ natbib=true,
+ url=false,
+ doi=true,
+ eprint=false
+ ]{biblatex}
+\addbibresource{rotohsm.bib}
+\usepackage{amssymb,amsmath}
+\usepackage{listings}
+\usepackage{eurosym}
+\usepackage{wasysym}
+\usepackage{amsthm}
+\usepackage{tabularx}
+\usepackage{multirow}
+\usepackage{multicol}
+\usepackage{tikz}
+\usepackage{mathtools}
+\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil}
+\DeclarePairedDelimiter{\paren}{(}{)}
+
+\usetikzlibrary{arrows}
+\usetikzlibrary{chains}
+\usetikzlibrary{backgrounds}
+\usetikzlibrary{calc}
+\usetikzlibrary{decorations.markings}
+\usetikzlibrary{decorations.pathreplacing}
+\usetikzlibrary{fit}
+\usetikzlibrary{patterns}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes}
+
+\usepackage[binary-units]{siunitx}
+\DeclareSIUnit{\baud}{Bd}
+\DeclareSIUnit{\year}{a}
+\usepackage{hyperref}
+\usepackage{tabularx}
+\usepackage{commath}
+\usepackage{graphicx,color}
+\usepackage{ccicons}
+\usepackage{subcaption}
+\usepackage{float}
+\usepackage{footmisc}
+\usepackage{array}
+\usepackage[underline=false]{pgf-umlsd}
+\usetikzlibrary{calc}
+%\usepackage[pdftex]{graphicx,color}
+\usepackage{epstopdf}
+\usepackage{pdfpages}
+\usepackage{minted} % pygmentized source code
+
+\renewcommand{\floatpagefraction}{.8}
+\newcommand{\degree}{\ensuremath{^\circ}}
+\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
+
+\usepackage{fancyhdr}
+\fancyhf{}
+\fancyfoot[C]{\thepage}
+\newcommand{\includenotebook}[2]{
+ \fancyhead[C]{Included Jupyter notebook: #1}
+ \includepdf[pages=1,
+ pagecommand={\thispagestyle{fancy}\section{#1}\label{#2_notebook}}
+ ]{resources/#2.pdf}
+ \includepdf[pages=2-,
+ pagecommand={\thispagestyle{fancy}}
+ ]{resources/#2.pdf}
+}
+
+\begin{document}
+
+\title{Tech Report: Inerial HSMs Thwart Advanced Physical Attacks}
+\author{\IEEEauthorblockN{
+ Jan Sebastian Götte\IEEEauthorrefmark{1}\IEEEauthorrefmark{2} \and
+ Björn Scheuermann\IEEEauthorrefmark{1}\IEEEauthorrefmark{2}
+ }\\
+ \IEEEauthorblockA{
+ \IEEEauthorrefmark{1}Alexander von Humboldt Institut für Internet und Gesellschaft (HIIG)\\
+ \IEEEauthorrefmark{2}Humboldt-Universität zu Berlin\\
+ \texttt{\textbf{\small goette@jaseg.de}}, \texttt{\textbf{\small scheuermann@informatik.hu-berlin.de}}
+ }
+}
+\date{2021-01-05}
+\maketitle
+
+\section*{Abstract}
+
+In this tech report, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules
+(iHSMs). Conventional systems have in common that they try to detect attacks by crafting sensors responding to
+increasingly minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce
+the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by
+rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop
+the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to a HSM that
+can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is
+comparable to commercial HSMs.
+
+This tech report is the abridged version of our forthcoming paper.
+
+\section{Introduction}
+
+While information security technology has matured a great deal in the last half century, physical security has barely
+changed. Given the right skills, physical access to a computer still often means full compromise. The physical
+security of modern server hardware hinges on what lock you put on the room it is in.
+
+Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid
+switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between
+physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key
+infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic
+co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of
+trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured
+TPM~\cite{newman2020,frazelle2019,johnson2018}.
+
+Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure
+them against tampering is a good engineering solution for some years to come. However, in essence this is a type of
+security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern
+ICs~\cite{albartus2020,anderson2020}.
+
+HSMs rely on a fragile foil with much larger-scale conductive traces being hard to remove intact. While we are certain
+that there still are many insights to be gained in both technologies, we wish to introduce a novel approach to sidestep
+the manufacturing issues of both and provide radically better security against physical attacks. Our core observation
+is that any cheap but coarse HSM technology can be made much more difficult to attack by moving it very quickly.
+
+For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set
+by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue,
+solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual
+defenses the HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high speed. How
+would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the
+accelerometer---or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow
+speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become
+inhospitable to human life. Since non-contact electromagnetic or optical attacks are more limited in the first place and
+can be shielded, we have effectively forced the attacker to use an attack robot.
+
+In Section~\ref{sec_related_work}, we will give an overview of the state of the art in the physical security of HSMs. On
+this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach. We
+conclude this paper with a general evaluation of our concept in Section~\ref{sec_conclusion}.
+
+\section{Related work}
+\label{sec_related_work}
+% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion
+% beyond ultrasound.
+
+In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper
+detection.
+
+HSMs are an old technology tracing back decades in their electronic realization. Today's common approach of monitoring
+meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security
+problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019,
+anderson2020}. There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic
+radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research
+has found widespread adoption yet.
+
+In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM
+4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard
+construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical
+security mechanisms have not evolved much in the last two decades. Besides auxiliary temperature and radiation sensors
+to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional
+construction of a flexible mesh wrapped around the module's core. In~\cite{smith1998}, the authors state the module
+monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and
+construction is similar to other commercial offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
+
+To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a
+hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security
+barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture
+these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap
+low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The
+closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that
+describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled
+with pressurized gas.
+
+\section{Inertial HSM construction and operation}
+\label{sec_ihsm_construction}
+
+Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and is
+routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first to
+use it in tamper detection. If we consider different ways of moving an HSM to make it harder to tamper with, we find
+that making it spin has several advantages.
+
+First, the HSM has to move fairly fast. If any point of the HSM's tamper sensing mesh moves slow enough for a human to
+follow, it becomes a weak spot. E.g.\ in a linear pendulum motion, the pendulum becomes stationary at its apex. Second,
+a spinning HSM is compact compared to alternatives like an HSM on wheels. Finally, rotation leads to easily predictable
+accelerometer measurements. A beneficial side-effect of spinning the HSM is that if the axis of rotation is within the
+HSM itself, an attacker trying to follow the motion would have to rotate around the same axis. Their tangential linear
+velocity would rise linearly with the radius from the axis of rotation, which allows us to limit the approximate maximum
+size and mass of an attacker using an assumption on tolerable centrifugal force. In this consideration the axis of
+rotation is a weak spot, but that can be mitigated using multiple nested layers of protection.
+
+\begin{figure}
+ \center
+ \includegraphics{concept_vis_one_axis.pdf}
+ \caption{Concept of a simple spinning inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 -
+ Accelerometer. 5 - Shaft penetrating security mesh.}
+ \label{fig_schema_one_axis}
+\end{figure}
+
+In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to
+distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the
+rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, after
+subtracting gravity both acceleration tangential to the rotation and along the axis of rotation will be zero.
+Centrifugal acceleration will be constant.
+
+Large centrifugal acceleration at high speeds poses the engineering challenge of preventing the whole thing from flying
+apart, but it also creates an obstacle to any attacker trying to manipulate the sensor. We do not need to move the
+entire contents of the HSM. It suffices if we move the tamper detection barrier around a stationary payload. This
+reduces the moment of inertia of the moving part and it means we can use cables for payload power and data. Even at
+moderate speeds above $\SI{500}{rpm}$, an attack would have to be carried out using a robot.
+
+\subsection{Mechanical layout}
+
+Thinking about the concrete construction of our mechanical HSM, the first challenge is mounting both mesh and payload on
+a single shaft. The simplest way we found to mount a stationary payload inside of a spinning security mesh is a hollow
+shaft. The payload can be mounted on a fixed rod threaded through this hollow shaft along with wires for power and
+data. The shaft is a weak spot of the system, but this weak spot can be alleviated through either careful construction
+or a second layer of rotating meshes with a different axis of rotation. Configurations that do not use a hollow-shaft
+motor are possible, but may require additional bearings to keep the stator from vibrating.
+
+The next design choice we have to make is the physical structure of the security mesh. The spinning mesh must be
+designed to cover the entire surface of the payload, but compared to a traditional HSM it suffices if it sweeps over
+every part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside
+air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious
+issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be
+solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used
+exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power.
+Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum possible power dissipation
+of the payload and unlocks much more powerful processing capabilities. In an evolution of our design, the spinning mesh
+could even be designed to \emph{be} a cooling fan.
+
+\subsection{Spinning mesh power and data transmission}
+
+On the electrical side, the idea of a security mesh spinning at more than $\SI{500}{rpm}$ leaves us with a few
+implementation challenges. Since the spinning mesh must be monitored for breaks or short circuits continuously, we need
+both a power supply for the spinning monitoring circuit and a data link to the stator.
+
+We think that a bright lamp shining at a rotating solar panel is a good starting point. In contrast to e.g.\ slip
+rings, this setup is mechanically durable at high speeds and it also provides reasonable output power. A battery may not
+provide a useful lifetime without power-optimization. Likewise, an energy harvesting setup may not provide enough
+current to supply peak demand.
+
+Since the monitoring circuit uses little current, power transfer efficiency is not important. On the other hand, cost
+may be a concern in a production device. Here it may prove worthwhile to replace the solar cell setup with an extra
+winding on the rotor of the BLDC motor driving the spinning mesh. This motor is likely to be a custom part, so adding
+an extra winding is unlikely to increase cost significantly. More traditional inductive power transfer may also be an
+option if it can be integrated into the mechanical design.
+
+\begin{figure}
+ \center
+ \includegraphics{ir_tx_schema.pdf}
+ \caption{Example of a bidirectional IR communication link between rotor and stator, view along axis of rotation. 1
+ - Rotor base plate. 2 - Stator base plate. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.}
+ \label{ir_tx_schema}
+\end{figure}
+
+Besides power, the data link between spinning mesh and payload is critical to the HSM's design. This link is used to
+transmit the occassional status report along with a low-latency alarm trigger (``heartbeat'') signal from mesh to payload.
+A simple infrared optical link as shown in Figure~\ref{ir_tx_schema} may be a good solution for this purpose.
+
+\section{Conclusion}
+
+\label{sec_conclusion} To conclude, in this tech report we introduced inertial hardware security modules (iHSMs), a
+novel concept for the construction of highly secure hardware security modules from inexpensive, commonly available
+parts. We elaborated the engineering considerations underlying a practical implementation of this concept.
+
+Inertial HSMs offer a high level of security beyond what traditional techniques can offer. They allow the construction
+of devices secure against a wide range of practical attacks at prototype quantities and without specialized tools. We
+hope that this simple construction will stimulate academic research into secure hardware.
+
+\printbibliography[heading=bibintoc]
+\appendix
+
+\subsection{Patents and licensing}
+During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not
+find any mentions of similar concepts either in academic literature or in patents. Thus, we are likely the inventors of
+this idea and we are fairly sure it is not covered by any patents or other restrictions at this point in time.
+
+Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are
+already commercially available, we have decided against applying for a patent and we wish to make it available to the
+general public without any restrictions on its use. This paper itself is licensed CC-BY-SA (see below). As for the
+inertial HSM concept, we invite you to use it as you wish and to base your own work on our publications without any fees
+or commercial restrictions. Where possible, we ask you to cite this paper and attribute the inertial HSM concept to its
+authors.
+
+\center{
+ \center{\ccbysa}
+
+ \center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The
+ full text of the license can be found at:}
+
+ \center{\url{https://creativecommons.org/licenses/by-sa/4.0/}}
+
+ \center{For alternative licensing options, source files, questions or comments please contact the authors.}
+
+ \center{This is version \texttt{\input{version.tex}\unskip} generated on \today. Once the full paper has been
+ published, this project's git repository will be available at:}
+
+ \center{\url{https://git.jaseg.de/rotohsm.git}}
+}
+\end{document}
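Review bot: `\center` is used as a command with a braced argument, once at the top of each figure environment (the `\center` before `\includegraphics{concept_vis_one_axis.pdf}` and before `\includegraphics{ir_tx_schema.pdf}`) and, nested, in the licence block at the end (`\center{ \center{\ccbysa} ... }`); `\center` is only the opening half of the `center` environment (it starts a trivlist that is never closed here), so use `\centering` inside the figures and `\begin{center} ... \end{center}` for the licence block. The title has a typo, `Inerial HSMs` should read `Inertial HSMs`; the body also has `the the first`, `an 1988 patent`, `occassional`, and `a HSM` in the abstract where the rest of the text writes `an HSM`. The build depends on files this commit does not add: `rotohsm.bib`, `concept_vis_one_axis.pdf`, `ir_tx_schema.pdf` and `version.tex` (plus `resources/<name>.pdf` for the so far unused `\includenotebook` macro); if they live elsewhere in the repository, a README or Makefile should say so, and it should also note that `minted` requires running LaTeX with `-shell-escape`. Minor: `tabularx` and the tikz `calc` library are each loaded twice, `hyperref` is conventionally loaded last rather than in the middle of the preamble, and `\label{sec_conclusion}` sits inside the first paragraph of the Conclusion instead of directly after `\section{Conclusion}`.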