Diffstat (limited to 'paper')
-rw-r--r-- | paper/ihsm_paper.tex | 96 |
1 files changed, 48 insertions, 48 deletions
diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex index 5e1a797..13e0f11 100644 --- a/paper/ihsm_paper.tex +++ b/paper/ihsm_paper.tex @@ -122,8 +122,8 @@ This paper contains the following contributions: In Section~\ref{sec_related_work}, we will give an overview of the state of the art in HSM physical security. On this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our Inertial HSM approach. We will analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof-of-concept hardware -prototype.In Section~\ref{sec_proto} we will elaborate the design of this prototype. In Section~\ref{sec_accel_meas} we -present our characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof-of-concept +prototype. In Section~\ref{sec_proto} we will elaborate on the design of this prototype. In Section~\ref{sec_accel_meas} +we present our characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof-of-concept prototype. We conclude this paper with a general evaluation of our design in Section~\ref{sec_conclusion}. \section{Related work} 
@@ -147,7 +147,7 @@ it. This examination can be done by eye in the field, but it can also be carried equipment. An HSM in principle has to have this examination equipment built-in. Physical seals are used in a wide variety of applications. The most interesting ones from a research point of view that -are recorded in public literature are those used for monitoring of nuclear material under the International Atomic +are recorded in public literature are those used for the monitoring of nuclear material under the International Atomic Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically Unclonable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in a way that intentionally causes large, random device-to-device variations. These variations are precisely recorded at deployment. 
@@ -181,16 +181,16 @@ similar approaches to tamper detection~\cite{obermaier2018,drimer2008,anderson20 Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to traditional meshes, they use a large number of individual traces (more than 30 in their example). Their concept -promises a very high degree of protection, but is limited in area covered and component height, as well as the high cost -of the advanced analog circuitry required for monitoring. A core component of their design is that they propose its use -as a PUF to allow for protection even when powered off, similar to a smart card---but the design is not limited to this -use. +promises a very high degree of protection but is limited in the board area covered and component height, as well as the +high cost of the advanced analog circuitry required for monitoring. A core component of their design is that they +propose its use as a PUF to allow for protection even when powered off, similar to a smart card---but the design is not +limited to this use. In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based on a WiFi transceiver inside a conductive enclosure. In their design, a reference signal is sent into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections and use them to characterize the phase and frequency response of the RF cavity. The assumption underlying their system is that the RF behavior of the -cavity is inscrutable from the outside, and that any small disturbances within the volume of the cavity will cause a +cavity is inscrutable from the outside and that any small disturbances within the volume of the cavity will cause a significant change in its RF response. 
A core component of the work of Tobisch et al.~\cite{tobisch2020} is that they use commodity WiFi hardware, so the resulting system is likely both much cheaper and capable of protecting a much larger security envelope than designs using finely patterned foil security meshes such as~\cite{immler2019}, at the cost of @@ -209,7 +209,7 @@ security module. Most academic research concentrates on the issue of creating ne HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The closest to a -mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that describes a +mechanical HSM that we were able to find during our research is a 1988 patent~\cite{rahman1988} that describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled with pressurized gas. @@ -230,8 +230,8 @@ The core questions in the design of an inertial HSM are the following: \end{enumerate} We will approach these questions one by one in the following subsections and conclude this section with an exploration -of the practical implications that these aspects of IHSM construction have on IHSM operation, but first we will motivate -our concept with two use cases and outline our attacker model. +of the practical implications that these aspects of IHSM construction have on IHSM operation, but first, we will +motivate our concept with two use cases and outline our attacker model. \subsection{Use Cases and Attacker Model} 
@@ -280,7 +280,7 @@ quickly reverse direction at its apex so the device is not stationary long enoug In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the device. When the axis is fixed, rotation will expose a weak spot close to the axis where tangential velocity is low. Faster rotation can lessen the security impact of this fact at the expense of power consumption and mechanical stress, -but it can never elimitate it. More effective mitigations are additional tamper protection at the axis, and having the +but it can never eliminate it. More effective mitigations are additional tamper protection at the axis and having the HSM perform a compound rotation that has no fixed axis. High speed gives rise to large centrifugal acceleration, which poses the engineering challenge of preventing rapid 
@@ -298,10 +298,10 @@ shaft against tampering that any production device would have to tackle. \subsection{Tamper detection mesh construction} IHSMs do not eliminate the need for a security barrier. To prevent an attacker from physically destroying the moving -part, tamper detection such as a mesh is still necessary. In this subsection we will consider ways to realize this +part, tamper detection such as a mesh is still necessary. In this subsection, we will consider ways to realize this security barrier. In industry, mesh membranes are commonly used for tamper detection. Such membranes are deployed in systems for a variety of use cases ranging from low-security payment processing to high-security certificate management. -From this we can conclude that a properly implemented mesh \emph{can} provide a practical level of security. In +From this, we can conclude that a properly implemented mesh \emph{can} provide a practical level of security. In contrast to this industry focus, academic research has largely focused on ways to fabricate enclosures that embed characteristics of a Physically Unclonable Function as a means of tamper detection~\cite{tobisch2020,immler2019}. By using stochastic properties of the enclosure material to form a PUF, such academic designs leverage signal processing 
@@ -310,11 +310,11 @@ techniques to improve the system's security level by a significant margin. In our research, we focus on security meshes as our IHSM's tamper sensors. The cost of advanced manufacturing techniques and special materials used in fine commercial meshes poses an obstacle to small-scale manufacturing and academic research. The foundation of an IHSM security is that by moving the mesh, even a primitive, coarse mesh such as -one made from a low-cost PCB becomes very hard to attack in practice. This allows us to use a simple construction made -up from low-cost components. Additionally, the use of a mesh enables us to only spin the mesh itself and its monitoring -circuit and keep the payload inside the mesh stationary for reduced design complexity. Tamper sensing systems such as -RF fingerprinting that monitor the entire volume of the HSM instead of only a thin boundary layer would not allow for -this degree of freedom in an IHSM. They would instead require the entire IHSM to spin including its payload, which would +one made from a low-cost PCB becomes very hard to attack in practice. This allows us to use a simple construction using +low-cost components. Additionally, the use of a mesh enables us to only spin the mesh itself and its monitoring circuit +and keep the payload inside the mesh stationary for reduced design complexity. Tamper sensing systems such as RF +fingerprinting that monitor the entire volume of the HSM instead of only a thin boundary layer would not allow for this +degree of freedom in an IHSM. They would instead require the entire IHSM to spin including its payload, which would entail costly and complex systems for data and power transfer from the outside to the spinning payload. \subsection{Braking detection} 
@@ -330,7 +330,7 @@ shaft, this would be a poor choice for our purposes since optical and magnetic s interference from outside. We could use feedback from the motor driver electronics to determine the speed. When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. However, this approach might allow for attacks at the mechanical interface between the mesh and the motor's shaft. If an attacker can decouple the mesh -from the motor e.g.\ by drilling, laser ablation or electrical discharge machining (EDM) on the motor's shaft, the +from the motor e.g.\ by drilling, laser ablation, or electrical discharge machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is already standing still. Instead of a stator-side sensor, a rotor-side inertial sensor such as an accelerometer or gyroscope placed inside the @@ -350,7 +350,7 @@ a given accelerometer and target speed of rotation, the accelerometer's location range. A key point here is that for speeds between $500$ and $\SI{1000}{rpm}$, centrifugal acceleration already becomes very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}\approx\SI{17}{\hertz}$ and at a $\SI{10}{\centi\meter}$ radius, centrifugal acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. -Due to this large acceleration, off-axis performance of the accelerometer has to be considered. Suitable high-$g$ +Due to this large acceleration, the off-axis performance of the accelerometer has to be considered. Suitable high-$g$ accelerometers for the large accelerations found on the circumference of an IHSM's rotor are mostly used in automotive applications. 
@@ -405,10 +405,10 @@ $\SI{0.1}{\kelvin\per\watt}$~\cite{anandtech2015}. If one were to make an HSM's security mesh out of an average thermally conductive epoxy with thermal conductivity $k\approx\SI{1}{\watt\per\meter\kelvin}$~\cite{kordyban1998,shabany2009,mgchemicals2017}, the resulting thermal resistance for a 5-by-5 centimeter, $\SI{5}{\milli\meter}$ thermal interface alone would be $\SI{2}{\kelvin\per\watt}$, -a more than 10-fold increase. For an acceptable temperature delta from junction to air of $\SI{60}{\kelvin}$ this yields -a maximum power dissipation of only $\SI{30}{\watt}$ compared to a theoretical $\SI{600}{\watt}$ for a conventional CPU -cooler. Given that for modern high core-count CPUs both multithreaded performance and power dissipation are mostly -linear in core count, this severely limits the achievable performance. +a more than 10-fold increase. For an acceptable temperature delta from junction to air of $\SI{60}{\kelvin}$, this +yields a maximum power dissipation of only $\SI{30}{\watt}$ compared to a theoretical $\SI{600}{\watt}$ for a +conventional CPU cooler. Given that for modern high core-count CPUs both multithreaded performance and power +dissipation are mostly linear in core count, this severely limits the achievable performance. This estimated performance discrepancy matches up with our observation. Thales, a manufacturer of conventional HSMs reports $\SI{20}{\kilo Ops\per\second}$ ECC signature operations on NIST Curve P-256 on one of their top-of-range 
@@ -436,7 +436,7 @@ inside Intel SGX to replicate state between geographically redundant enclaves. Excluding natural disasters, there are three main categories of challenges to an IHSM's longevity: Failure of components of the IHSM due to age and wear, failure of the external power supply, and spurious triggering of the intrusion alarm by -changes in the IHSM's environment. In the following paragraphs, we will evaluate each of these categories in its +changes in the IHSM's environment. In the following paragraphs, we will evaluate each of these categories in their practical impact. \paragraph{Component failure.} @@ -469,7 +469,7 @@ be used as a flywheel for energy storage. Even with all components working to their specification, an IHSM could still catastrophically fail if for some reason its alarm would be spuriously activated due to movement of the device. The likelihood of such an alarm failure must be minimized, e.g.\ by employing vibration damping. There are several possible causes why an IHSM might move during normal -operation. The IHSM may have to be relocated between datacenters, or a worker may bump the IHSM. Additionally, the +operation. The IHSM may have to be relocated between data centers, or a worker may bump the IHSM. Additionally, the effect of normal mechanical vibration on the IHSM's tamper sensors has to be considered. During normal operation, vibration from outside sources such as backup generators and nearby traffic (e.g. trains) may couple into the IHSM through the building. Since IHSMs are rotating machines they will themselves cause some amount of vibration and thus 
@@ -485,11 +485,11 @@ above~\cite{ika2002,german2007}. Measurements of the Peak Ground Acceleration ( even the strongest earthquakes rarely reach a PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990} with the 2011 Tohoku earthquake at approximately $\SI{0.3}{g}$. -Instantaneous acceleration increases linearly with frequency, but likewise simple vibration dampers work better with +Instantaneous acceleration increases linearly with frequency, but likewise, simple vibration dampers work better with higher frequencies~\cite{kelly1993,beards1996,dixon2007}, To reduce the likelihood of false detections, it is enough to damp high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations large enough to cause a false alarm. For instance, an earthquake's low-frequency vibrations dissipate a tremendous -amount of mechanical power across a large geographic area, but due to the their low absolute instantaneous acceleration, +amount of mechanical power across a large geographic area, but due to their low absolute instantaneous acceleration, we can ignore them for the purposes of our tamper detection system. An IHSM's tamper detection subsystem will be able to clearly distinguish attempts to stop the IHSM's rotation from normal environmental noise by their magnitude. Any external acceleration that would come close in order of magnitude to the operating centrifugal acceleration at the 
@@ -514,12 +514,12 @@ standards used for powered refrigerated shipping containers. \subsection{Graceful Failover and Maintenance} As described above, failure can never be fully prevented. However, finely-grained monitoring of operational parameters -may be capable of recognizing some types of failure such as backup battery failure, mechanical wear or +may be capable of recognizing some types of failure such as backup battery failure, mechanical wear, or over/undertemperature conditions some time before alarm levels have been reached and all secrets must be destroyed. This type of early warning allows for the implementation of a graceful failover mechanism. Similar to hot spares in hard disk arrays, a number of IHSMs might share a hot spare IHSM that is running, but that does not yet contain any secrets. Once an IHSM detects early warning signs of an impending failure, it can then transfer its secrets to the hot spare -using replicatoin technologies as mentioned in the previous paragraph, then delete its local copies. This would allow +using replication technologies as mentioned in the previous paragraph, then delete its local copies. This would allow for the graceful handling of device failures due to both age and disasters such as fires. When such failovers happen, IHSMs provide a key benefit compared to traditional HSMs. Since an IHSM is not permanently 
@@ -537,7 +537,7 @@ into service, after which the operator can use the IHSM's identity to verify tha Using a physical token instead of powering off the IHSM remotely prevents the accidental unsupervised stopping of an IHSM due to operator error. -To decrease the risk posed by a rogue technician, similar to the DNSSEC root key signing ceremonies~\cite{iana21} +To decrease the risk posed by a rogue technician, similar to the DNSSEC root key signing ceremonies~\cite{iana21}, arbitrarily complex procedures can be implemented that could, for example, require each maintenance procedure to be accompanied by several independent witnesses. 
@@ -584,10 +584,10 @@ design that avoids single points of failure as well as fail-open failure modes. An IHSM provides an effective mitigation against direct attacks on the security mesh as described in the previous paragraphs. However, there are certain generic attacks that work against any HSM technology, conventional or IHSM. -One type of such attacks are contactless attacks such as electromagnetic (EM) sidechannel attacks. -EM sidechannel attacks can be mitigated by shielding and by designing the IHSM's payload such that critical components +One type of these attacks are contactless attacks such as electromagnetic (EM) side-channel attacks. +EM side-channel attacks can be mitigated by shielding and by designing the IHSM's payload such that critical components such as CPUs are physically distant to the security mesh, preventing EM probes from being brought close. -Conducted EMI sidechannels that could be used for power analysis can be mitigated by placing filters on the inside of +Conducted EMI side-channels that could be used for power analysis can be mitigated by placing filters on the inside of the security mesh at the point where the power and network connections penetrate the mesh~\cite{anderson2020}. Finally, the API between the HSM's payload and the outside world provides attack surface. Attacks through the network interface must be prevented as in any other networked system by only exposing the minimum necessary amount of API 
@@ -597,15 +597,15 @@ IHSMs do not provide an inherent benefit against such contactless attacks. Howev play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using simpler technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and are less space-constrained. This larger volume allows for a greater physical distance between security-critical components and -places accessible to an attacker using an electromagnetic probe for EM sidechannel attacks. +places accessible to an attacker using an electromagnetic probe for EM side-channel attacks. -Another attack that is possible against all types of HSMs are software attacks. Flaws in an HSM's software such as -memory safety errors in its external-facing APIs can lead to a full compromise of the HSM's secrets~\cite{ledger2019}. -Like a traditional HSM, an IHSM has to expose some API to the outside world to be useful. For both, the hardening -techniques are the same as in any other networked system and include the reduction of attack surface e.g. through -firewalling, fuzz testing and formal verification. In IHSMs these mitigations are easier to implement since they allow -the use of conventional server hardware and well-audited open source software, instead of hard-to-audit proprietary code -on an embedded platform. +Another type of attack that is possible against all types of HSMs are software attacks. Flaws in an HSM's software such +as memory safety errors in its external-facing APIs can lead to a full compromise of the HSM's +secrets~\cite{ledger2019}. Like a traditional HSM, an IHSM has to expose some API to the outside world to be useful. +For both, the hardening techniques are the same as in any other networked system and include the reduction of attack +surface e.g. through firewalling, fuzz testing, and formal verification. 
In IHSMs these mitigations are easier to +implement since they allow the use of conventional server hardware and well-audited open source software, instead of +hard-to-audit proprietary code on an embedded platform. \subsection{The Swivel Chair Attack} \label{sec_swivel_chair_attack} @@ -665,7 +665,7 @@ penetrates the mesh at the axis. The mesh's tangential velocity decreases close allow an attacker to insert tools such as probes into the device through the opening it creates. Conventional HSMs also have to take precautions to protect their power and data connections. In conventional HSMs, power and data are routed into the enclosure along a meandering path through the PCB or through flat flex cables sandwiched in between security -mesh foil layers~\cite{smith1998}. As a result of these precautions, in conventional HSMs this interface rarely is a +mesh foil layers~\cite{smith1998}. As a result of these precautions, in conventional HSMs, this interface rarely is a mechanical weak spot. In inertial HSMs, careful engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity. 
@@ -908,7 +908,7 @@ excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high data links continued to function without issue. By design, our prototype is not yet a production-ready solution. Its main limitation is the small payload volume that -can house one or two Raspberry Pi single-board computers, but does not allow for more powerful hardware such as a +can house one or two Raspberry Pi single-board computers but does not allow for more powerful hardware such as a contemporary server mainboard. Being constructed without access to a proper mechanical workshop, its imprecise construction leads to vibration at high speeds. Its optical communication links in breadboard construction function and need to be translated into manufacturable PCBs, and its security mesh has to be optimized for security. Finally, a motor @@ -921,7 +921,7 @@ workshop. \label{sec_accel_meas} In our proof-of-concept prototype, for braking detection we chose an accelerometer placed on the circumference of our -prototype's rotor for two reasons: First, it avoids the likley issue of high centrifugal acceleration falsifying +prototype's rotor for two reasons: First, it avoids the likely issue of high centrifugal acceleration falsifying gyroscope measurements. Second, by orienting one axis of the accelerometer radially, we can avoid exceeding the accelerometer's range even when rapidly accelerating or decelerating. Rapid angular acceleration or deceleration produces high tangential linear acceleration or deceleration in our sensor, but the radially-oriented axis of the 
@@ -988,8 +988,8 @@ fitting a linear function to the measured data. Offset error is this linear func slope. We then apply this correction to all captured data before plotting and later analysis. Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of the device's offset remaining. At high speeds of rotation, this remaining offset does not have an appreciable impact, but due to the -quadratic nature of centrifugal acceleration, at low speeds it causes a large relative error of up to -$\SI{8}{\percent}$ at $\SI{95}{rpm}$. +quadratic nature of centrifugal acceleration, at low speed, it causes a large relative error of up to $\SI{8}{\percent}$ +at $\SI{95}{rpm}$. After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data. Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity |
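Review bot: In the @@ -122 hunk the insertion of "on" in "elaborate on the design" is right, but the unchanged context line just before it still reads "we will elaborate the principles of our Inertial HSM approach"; apply the same fix there ("elaborate on the principles") so the section roadmap uses the verb consistently.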
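Review bot: The context line "International Atomic Energy Authority (IAEA)" in the @@ -147 hunk names the organization incorrectly; the IAEA is the International Atomic Energy Agency. Since this hunk already edits that sentence, correct the name in the same change.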
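Review bot: "Immler et al. describe" in the first context line of the @@ -181 hunk lacks the escaped space that the same hunk uses in "Tobisch et al.\ describe"; without it LaTeX treats the period after "al." as a sentence end and inserts wider spacing. Use "et al.\ describe" (or "et al.~describe") in both places.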
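Review bot: The context line "The foundation of an IHSM security is that by moving the mesh" in the @@ -310 hunk is missing a possessive and should read "an IHSM's security". The reflow of the lines that follow it is fine.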
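Review bot: The context line in the @@ -350 hunk gives centrifugal acceleration as "$\SI{1000}{\meter\per\second}$", which is a velocity unit; an acceleration needs "\meter\per\square\second" (m/s²), which also agrees with the "$100\,g$" that follows. Worth fixing while this sentence is being edited.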
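Review bot: Changing "in its practical impact" to "in their practical impact" in the @@ -436 hunk introduces a number disagreement: the subject is "each of these categories", which is singular, so the original "its" was correct. Either revert this line or rephrase to "we will evaluate the practical impact of each of these categories".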
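Review bot: The @@ -485 hunk leaves a stray comma before a capitalised "To" in "higher frequencies~\cite{kelly1993,beards1996,dixon2007}, To reduce the likelihood" (the + line and the context line after it); that comma should be a period, since "To reduce the likelihood ..." starts a new sentence.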
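Review bot: The + line "One type of these attacks are contactless attacks" in the @@ -584 hunk still has a subject-verb mismatch; "One type" is singular, so it should be "One type of these attacks is contactless attacks such as electromagnetic (EM) side-channel attacks". While here, "physically distant to the security mesh" in the following context line reads better as "physically distant from".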
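Review bot: The same agreement error recurs in the + line "Another type of attack that is possible against all types of HSMs are software attacks" in the @@ -597 hunk: "Another type" takes "is". Also, "e.g. through firewalling" in this hunk uses a bare "e.g." while the @@ -330 hunk writes "e.g.\ by drilling"; pick one form (the escaped-space version avoids LaTeX's sentence-end spacing after the abbreviation) and use it throughout.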
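Review bot: Rewording "at low speeds it causes" to "at low speed, it causes" in the @@ -988 hunk breaks the parallel with "At high speeds of rotation" in the preceding context line and adds an unnecessary comma; keep "at low speeds it causes a large relative error" and only reflow the line.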