Diffstat (limited to 'paper')
-rw-r--r--  paper/ihsm_paper.tex | 172
1 files changed, 87 insertions, 85 deletions
diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex index dc018cb..d52543a 100644 --- a/paper/ihsm_paper.tex +++ b/paper/ihsm_paper.tex @@ -57,7 +57,7 @@ yet offers a level of security that is comparable to commercial HSMs. We have built a proof-of-concept hardware prototype that demonstrates solutions to the concept's main engineering challenges. As part of this proof-of-concept, we have found that a system using a coarse security mesh made from commercial printed circuit - boards and an automotive high g-force accelerometer already provides a useful level of security. + boards and an automotive high-g-force accelerometer already provides a useful level of security. \end{abstract} \section{Introduction} @@ -163,9 +163,9 @@ commercial HSMs. The self-destruct built into an HSM serves as a strong tamper deterrent. For illustration, compare an HSM to a computer inside a locked safe when opposing a well-funded attacker with plenty of time. In~\cite{boak1973}, Boak asserts that absent an HSM's capability to self-destruct, the best safes can only withstand brute force attacks by an expert for -several minutes at best. While the state of electronics has advanced rapidly since Boak's 1973 lecture, the hardness of -steel has not increased correspondingly. Thus, we can conclude that even today, against a "smart, well-equipped opponent -with plenty of time" as noted by Boak, this self-destruction functionality is essential. +several minutes. While the state of electronics has advanced rapidly since Boak's 1973 lecture, the hardness of steel +has not increased correspondingly. Thus, we can conclude that even today, against a ``smart, well-equipped opponent with +plenty of time'' as noted by Boak, this self-destruction functionality is essential. In~\cite{anderson2020}, Anderson gives a comprehensive overview of physical security. An example HSM that he cites is the IBM 4758, the details of which are laid out in-depth in~\cite{smith1998}. This HSM is an example of an 
@@ -173,8 +173,8 @@ industry-standard construction. Although its turn of the century design is now a of the physical security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature and radiation sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the common construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state -that the module monitors this mesh for short circuits, open circuits, and conductivity. Other commercial offerings use a -fundamentally similar approach to tamper detection~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. +that the module monitors this mesh for short circuits, open circuits, and conductivity. Other commercial offerings use +similar approaches to tamper detection~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to @@ -209,9 +209,9 @@ security barrier and transforming it into a marginally more expensive but high-p \section{Inertial HSM construction and operation} \label{sec_ihsm_construction} -Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and -is routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first -to use it in tamper detection. +Fast mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} +and is routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the +first to use it in tamper detection. The core questions in the design of an inertial HSM are the following: 
@@ -232,12 +232,13 @@ perform advanced data analysis on a large database of patient health information needed for the common good, accumulating large amounts of sensitive data on a single system for such processing poses a risk. By collecting valuable data in a single computer, this computer is effectively made a target for organized cyber-criminals and other determined attackers. Mitigations such as cryptographic protocols and firewalls are effective -for the network security side of things, physical security is difficult to secure against e.g. bribing of insiders. A -similar use case would be that of a bank processing customer data. Here, too, a very high level of physical security is -necessary since adversaries may include foreign secret services. Finally, consider a provider of large-scale group -communication. Right now, practical systems such as messenger apps fall back to non-end-to-end-encrypted processes for -large groups since a sufficiently lightweight, performant cryptographic solution does not exist yet. Similar to the -banking use case, such services need to consider advanced adversaries such as foreign nation states' secret services. +for the network security side of things, but the physical hardware is difficult to secure against e.g.\ bribing of +insiders. A similar use case would be that of a bank processing customer data. Here, too, a very high level of physical +security is necessary since adversaries may include foreign secret services. Finally, consider a provider of large-scale +group communication. Right now, practical systems such as messenger apps fall back to non-end-to-end-encrypted processes +for large groups since a sufficiently lightweight, performant cryptographic solution does not exist yet. Similar to the +banking use case, such services need to consider advanced adversaries such as foreign nation states' secret services +that might attempt physical attacks to extract unencrypted messages from a message broker server. 
Our goal with IHSMs is to eventually arrive at a system that, at low-cost, can persist against a smart, well-funded adversary such as a secret service or organized cyber-crime. @@ -247,7 +248,7 @@ adversary such as a secret service or organized cyber-crime. First, there are several ways how we can approach motion. Periodic, aperiodic and continuous motion could serve the purpose. There is also linear motion as well as rotation. We can also vary the degree of electronic control in this -motion. The main constraints on the HSM's motion pattern are that it needs to be (almost) continuous to not expose any +motion. The main constraint on the HSM's motion pattern is that it needs to be (almost) continuous to not expose any weak spots. Additionally, it has to stay within a confined space: Linear motion would have to be periodic, like that of a pendulum. Such periodic linear motion will have to quickly reverse direction at its apex so the device is not stationary long enough for this to become a weak spot. 
@@ -257,12 +258,13 @@ device. When the axis is fixed, rotation will expose a weak spot close to the ax Possible mitigations are faster rotation to lessen the impact, additional tamper protection at the axis, and having the HSM perform a compound rotation that has no fixed axis. -Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled -disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in what we -call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion -would have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from -following the device's motion since doing so would subject them to impractically large centrifugal forces. Essentially, -this limits the approximate maximum size and mass of an attacker under an assumption on tolerable centrifugal force. +High speed gives rise to large centrifugal acceleration, which poses the engineering challenge of preventing rapid +unscheduled disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device +in what we call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow +the motion would have to rotate around the same axis. By choosing a suitable angular frequency we can prevent an +attacker from following the device's motion since doing so would subject them to impractically large centrifugal forces. +Essentially, this limits the approximate maximum size and mass of an attacker under an assumption on tolerable +centrifugal force. In this paper, we focus on rotating IHSMs for simplicity of construction. For our initial research, we focus on systems with a fixed axis of rotation due to their simple construction but we do wish to note the challenge of hardening the 
@@ -271,22 +273,21 @@ shaft against tampering that any production device would have to tackle. \subsection{Tamper detection mesh construction} IHSMs do not eliminate the need for a security barrier. To prevent an attacker from physically destroying the moving -security barrier, tamper detection such as a mesh is still necessary. In this subsection we will consider ways to -realize this security barrier. There are two movements that we have observed that are key to our work. On the one hand, -there is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems -deployed in the field for a variety of use cases from low-security payment processing devices to high-security -certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of -security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to -fabricate enclosures that embed characteristics of a Physically Unclonable Function. By using stochastic properties of -the enclosure material to form a PUF, such academic designs effectively leverage signal processing techniques to improve -the system's security level by a significant margin. +part, tamper detection such as a mesh is still necessary. In this subsection we will consider ways to realize this +security barrier. In industry, mesh membranes are commonly used for tamper detection. Such membranes are deployed in +systems for a variety of use cases ranging from low-security payment processing to high-security certificate management. +From this we can conclude that a properly implemented mesh \emph{can} provide a practical level of security. In +contrast to this industry focus, academic research has largely focused on ways to fabricate enclosures that embed +characteristics of a Physically Unclonable Function as a means of tamper detection~\cite{tobisch2020,immler2019}. 
By +using stochastic properties of the enclosure material to form a PUF, such academic designs leverage signal processing +techniques to improve the system's security level by a significant margin. In our research, we focus on security meshes as our IHSM's tamper sensors. The cost of advanced manufacturing -techniques and special materials used in commercial meshes poses an obstacle. The foundation of an IHSM security is -that by moving the mesh even a primitive, coarse mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack -in practice. This allows us to use a simple construction made up of low-cost components. Additionally, the use of a -mesh allows us to only spin the mesh itself and its monitoring circuit and keep the payload inside the mesh stationary -for reduced design complexity. RF-based tamper sensing systems do not allow for this degree of freedom. +techniques and special materials used in commercial meshes poses an obstacle to small-scale manufacturing. The +foundation of an IHSM security is that by moving the mesh, even a primitive, coarse mesh such as one made from a +low-cost PCB becomes very hard to attack in practice. Additionally, the use of a mesh allows us to only spin the mesh +itself and its monitoring circuit and keep the payload inside the mesh stationary for reduced design complexity. +Other tamper sensing systems such as RF fingerprinting would not allow for this degree of freedom in an IHSM. \subsection{Braking detection} 
@@ -317,8 +318,8 @@ range. A key point here is that for speeds between $500$ and $\SI{1000}{rpm}$, c very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}\approx\SI{17}{\hertz}$ and at a $\SI{10}{\centi\meter}$ radius, centrifugal acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. Due to this large acceleration, off-axis performance of the accelerometer has to be considered. Suitable high-$g$ -accelerometers for the large accelerations found on the circumference of an IHSM's rotor are ones mostly used in -automotive applications. +accelerometers for the large accelerations found on the circumference of an IHSM's rotor are mostly used in automotive +applications. To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark. Let us assume an IHSM spinning at $\SI{1000}{rpm}$. To detect any attempt to brake it below $\SI{500}{rpm}$, we have to detect a difference in 
@@ -403,8 +404,9 @@ battery failure, mechanical wear or over/undertemperature conditions some time b all secrets must be detstroyed. This type of early warning allows for the implementation of a graceful failover mechanism. Similar to hot spares in hard disk arrays, a number of IHSMs might share a hot spare IHSM that is running, but that does not yet contain any secrets. Once an IHSM detects early warning signs of an impending failure, it can then -transfer its secrets to the hot spare using one of the technologies listed in the previous paragraph, then delete their -local copies. This may allow for the graceful handling of device failures due to both age and disasters such as fires. +transfer its secrets to the hot spare using replicatoin technologies as mentioned in the previous paragraph, then delete +its local copies. This would allow for the graceful handling of device failures due to both age and disasters such as +fires. Excluding natural disasters, there are three main categories of challenges to an IHSM's longevity: Failure of components of the IHSM due to age and wear, failure of the external power supply, and spurious triggering of the intrusion alarm by 
@@ -425,29 +427,30 @@ communication link's optical components, as well as by filtering cooling air at \label{sec-power-failure} After engineering an IHSM's components to survive years of continuous operation, the next major failure mode to be considered is power loss. Traditional HSMs solve the need for an always-on backup power supply by carrying large backup -batteries. The low static power consumption of a traditional HSM's simple tamper detection circuitry allows for the use -of non-replaceable backup batteries. An IHSM in contrast would likely require a rechargeable backup battery since its -motor requires more power than the mesh monitoring circuit of a traditional HSM. In principle, a conventional -Uninterruptible Power Supply (UPS) can be used, but in practice, a productized IHSM might have a smaller backup battery -integrated into its case. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ for an -IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power -an IHSM for 10 hours continuously. $\SI{10}{\watt}$ is a reasonable high estimate given that there are large industrial -fans rated at lower wattages. For example, \partnum{CF2207LBL-000U-HB9}, a $\SI{250}{\milli\meter}$ diameter -$\SI{7.8}{\meter^3\per\minute}$ industrial axial fan made by Sunon is rated at only -$\SI{6.6}{\watt}$\footnote{\url{https://www.digikey.com/en/products/detail/sunon-fans/CF2207LBL-000U-HB9/9083282}}. If -a built-in battery is undesirable, or if power outages of more than a few seconds at a time are unlikely (e.g.\ because -the IHSM is connected to an external UPS or generator), the IHSM's rotor itself can be used as a flywheel for energy -storage. +batteries~\cite{obermaier2019}. The low static power consumption of a traditional HSM's simple tamper detection +circuitry allows for the use of non-replaceable backup batteries. 
An IHSM in contrast would likely require a +rechargeable backup battery since its motor requires more power than the mesh monitoring circuit of a traditional HSM. +In principle, a conventional Uninterruptible Power Supply (UPS) can be used, but in practice, a productized IHSM might +have a smaller battery integrated. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ +for an IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could +already power an IHSM for 10 hours continuously. $\SI{10}{\watt}$ is a reasonable high estimate given that there are +large industrial fans rated at lower wattages, e.g. Sunon \partnum{CF2207LBL-000U-HB9}, a $\SI{250}{\milli\meter}$ +diameter $\SI{7.8}{\meter^3\per\minute}$ axial fan rated at $\SI{6.6}{\watt}$. If a built-in battery is undesirable or +if power outages of more than a few seconds are unlikely (e.g.\ because of an external UPS), the IHSM's rotor itself can +be used as a flywheel for energy storage. \paragraph{Spurious alarms due to vibration.} -Beyond the electronic measures mentioned above, IHSMs must employ vibration damping since, during normal operation, they -may receive vibration from outside sources such as backup generators, workers bumping the IHSM and nearby traffic. -Besides such everyday sources, (usually harmless) earthquakes are a common occurrence in some regions of the world. - -For comparison, consider an IHSM running at an angular velcity of $\SI{1000}{rpm}$. A tamper +Beyond the issues mentioned above, the effect of normal mechanical vibration on the IHSM's tamper sensors has to be +considered. During normal operation, IHSMs may receive vibration from outside sources such as backup generators, workers +bumping the IHSM and nearby traffic. Besides such everyday sources, (usually harmless) earthquakes are a common +occurrence in some regions of the world. 
None of these sources of vibration are likely to cause a false alarm, but +since IHSMs are rotating machines they will themselves cause some amount of vibration and thus vibration isolation is a +reasonable design requirement. + +For reference, consider an IHSM running at an angular velcity of $\SI{1000}{rpm}$. A tamper sensor mounted at a radius of $\SI{100}{\milli\meter}$ will measure a constant centrifugal -acceleration of approximately $\SI{100}{g}$. -Literature on car crashes shows that accelerations above $\SI{10}{g}$ in the car's structural components +acceleration of approximately $100\,g$. +Literature on car crashes shows that accelerations above $10\,g$ in the car's structural components correspond to a crash at $\SI{30}{\kilo\meter\per\hour}$ and above~\cite{ika2002,german2007}. Measurements of the Peak Ground Acceleration (PGA) of severe earthquakes show that even the strongest earthquakes rarely reach a PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990} with the 2011 Tohoku earthquake at approximately 
@@ -457,11 +460,11 @@ Instantaneous acceleration increases linearly with frequency, but likewise simpl higher frequencies~\cite{kelly1993,beards1996,dixon2007}, To reduce the likelihood of false detections, it is enough to damp high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations large enough to cause a false alarm. For instance, an earthquake's low-frequency vibrations dissipate a tremendous -amount of mechanical power across a large geographic area, but due to the their absolute instantaneous acceleration, we -can ignore them for the purposes of our tamper detection system. An IHSM's tamper detection subsystem will be able to -clearly distinguish attempts to stop the IHSM's rotation from normal environmental noise. Any external acceleration that -would come close in order of magnitude to the operating centrifugal acceleration at the periphery of an IHSM's rotor -would likely destroy the IHSM. +amount of mechanical power across a large geographic area, but due to the their low absolute instantaneous acceleration, +we can ignore them for the purposes of our tamper detection system. An IHSM's tamper detection subsystem will be able +to clearly distinguish attempts to stop the IHSM's rotation from normal environmental noise. Any external acceleration +that would come close in order of magnitude to the operating centrifugal acceleration at the periphery of an IHSM's +rotor would likely destroy the IHSM. \subsection{Transportation} 
@@ -475,7 +478,8 @@ During shipping, the IHSM will require a continuous power supply. Following our Section~\ref{sec-power-failure}, 48-hour courier shipping could easily be bridged with the equivalent of 5-10 laptop batteries. In applications that do not require a backup battery built-in to the IHSM (e.g. due to existing UPS backup), the IHSM could be shipped connected to an external battery akin to a ``power bank'' that is sent back to the IHSM's -manufacturer after the IHSM has been installed. +manufacturer after the IHSM has been installed. Long-distance shipping can be facilitated through compatibility with +standards used for powered refrigerated shipping containers. \section{Attacks} \label{sec_attacks} @@ -495,7 +499,7 @@ we will start with a brief overview of attacks on conventional HSMs that the IHS In principle, there are three ways to attack a conventional HSM. The hard way is to go through the security mesh without triggering the alarm, e.g.\ with a probe that is finer than the mesh's spacing. For larger probes, an attacker can laboriously uncover, then bridge the mesh traces to allow part of the mesh to be removed. Some HSMs attempt to detect -such attacks by measuring mesh resistance~\cite{obermaier2019}, but this is limited by the necessary precision. +such attacks by measuring mesh resistance~\cite{obermaier2019}, but this is limited by available measurement precision. % However, if an attacker only wishes to disable a small section of the mesh to insert a handful of fine probes into the % device, this hardening approach becomes challenging. Consider a mesh that covers an area of $\SI{100}{\milli\meter}$ 
@@ -512,10 +516,9 @@ conductive foil around the HSM that forms the security mesh, leaving only the co feed-through as potential weak spots. The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An -attacker may need to insert several probes or modify the circuit to wiretap the payload processor's secrets, but -depending on the implementation they may be able to disable the mesh alarm circuit with only one or two probes. To -harden a conventional HSM against this type of attack, the mesh monitoring circuit must be carefully designed to avoid -single points of failure. +attacker may need to insert several probes to wiretap the payload processor's secrets, but if poorly implemented, they +may be able to disable the mesh monitor with only one. This type of attack can be mitigated by careful electronic +design. \subsection{Attacks that work on any HSM} @@ -663,7 +666,7 @@ message. The alarm circuitry has to be designed such that it is entirely contain Like in conventional HSMs, it has to be built to either tolerate or detect environmental attacks using sensors for temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration, and gases or liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured. -To prevent replay attacks link latency must continuously be measured, so this link must be bidirectional. +To prevent replay attacks, link latency must continuously be measured, so this link must be bidirectional. % If it were unidirectional, an attacker could % act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed % (say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary 
@@ -673,11 +676,11 @@ To prevent replay attacks link latency must continuously be measured, so this li \subsection{Fast and violent attacks} -A variation of the above attacks on the alarm circuitry is to simply destroy the part of the HSM that erases data in -response to tampering before it can perform its job using a tool such as a large hammer or a gun. To mitigate this type -of attack, the HSM must be engineered to be either tough or brittle: Tough enough that the tamper response circuitry -will reliably withstand any attack for long enough to carry out its function or brittle in a way that during any attack, -the payload is reliably destroyed before the tamper response circuitry. +A variation of the above attacks on the alarm circuitry is to use a tool such as a large hammer or a gun to simply +destroy the part of the HSM that erases data in response to tampering before it can perform its job. To mitigate this +type of attack, the HSM must be engineered to be either tough or brittle: Tough enough that the tamper response +circuitry will reliably withstand any attack for long enough to carry out its function or brittle in a way that during +any attack, the payload is reliably destroyed before the tamper response circuitry. \section{Proof-of-concept Prototype implementation} \label{sec_proto} 
@@ -847,7 +850,7 @@ construction leads to vibration at high speeds. Its optical communication links need to be translated into manufacturable PCBs, and its security mesh has to be optimized for security. Finally, a motor driver solution needs to be selected that allows for direct digital control of motor speed. Overall, the prototype soundly demonstrated the viability of the IHSM concept and we are confident that all of these limitations can be -conclusively solved in a next version that might be a ``beta'' version of a practical IHSM, built in a mechanical +conclusively solved in a new iteration that might be a ``beta'' version of a practical IHSM, built in a mechanical workshop. \section{Using MEMS accelerometers for braking detection} 
@@ -868,11 +871,10 @@ its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$. Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually control this motor controller through an RC servo tester. In our experiments, we externally measured the device's speed -of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using a -USB logic analyzer at a sample rate of $\SI{100}{\mega\hertz}$. We calculate rotation frequency as a -$\SI{1}{\second}$ running average over interval lengths of the debounced captured signal\footnote{A regular frequency -counter or commercial tachometer would have been easier, but neither was available in our limited COVID-19 home office -lab.}. +of rotation using a magnet fixed to the rotor and a reed switch. The reed switch output is digitized using a USB logic +analyzer at a sample rate of $\SI{100}{\mega\hertz}$. We calculate rotation frequency as a $\SI{1}{\second}$ running +average over interval lengths of the debounced captured signal\footnote{A regular frequency counter or commercial +tachometer would have been easier, but neither was available in our limited COVID-19 home office lab.}. The accelerometer is controlled from the \partnum{STM32} microcontroller on the rotor of our IHSM prototype platform. Timed by an external quartz, the microcontroller samples accelerometer readings at $\SI{10}{\hertz}$. Readings are 
@@ -923,7 +925,7 @@ slope. We then apply this correction to all captured data before plotting and la this approach already leads to a good match of measurements and theory modulo a small part of the device's offset remaining. At high speeds of rotation, this remaining offset does not have an appreciable impact, but due to the quadratic nature of centrifugal acceleration, at low speeds it causes a large relative error of up to -$\SI{10}{\percent}$ at $\SI{95}{rpm}$. +$\SI{8}{\percent}$ at $\SI{95}{rpm}$. After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data. Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity @@ -943,7 +945,7 @@ the fly, without stopping the rotor. \includegraphics[width=0.7\textwidth]{../prototype/sensor-analysis/fig-acc-theory-meas-run50.pdf} \caption{Centrifugal acceleration versus angular frequency in theory and in our experiments. Experimental measurements are shown after correction for offset and scale error. Above \SI{300}{rpm}, the relative error is - below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error has a strong impact ($0.05\,g$ absolute + below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error has a large impact ($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$.)} \label{fig-acc-theory} \end{figure} |
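Review bot: the claim in the @@ -232 hunk that messenger apps fall back to non-end-to-end-encrypted processes for large groups "since a sufficiently lightweight, performant cryptographic solution does not exist yet" still carries no citation, and the newly added trailing sentence about physical attacks on a message broker server builds on it as motivation; add a reference for that statement.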
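Review bot: the new line `+foundation of an IHSM security is that by moving the mesh, even a primitive, coarse mesh such as one made from a` in the @@ -271 hunk keeps the missing possessive from the old text; it should read "an IHSM's security". The rewrite also silently drops the old sentence "This allows us to use a simple construction made up of low-cost components"; if the low-cost argument is still intended, fold it into the new "such as one made from a low-cost PCB" sentence rather than losing it.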
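Review bot: the unchanged context line in the @@ -317 hunk gives centrifugal acceleration as `above $\SI{1000}{\meter\per\second}$ or $100\,g$`, which is a velocity unit; it should be `\SI{1000}{\meter\per\second\squared}`. The figure itself is fine (1000 rpm at a 10 cm radius gives roughly 1100 m/s^2, about 110 g), so only the unit needs changing.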
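Review bot: the new line `+transfer its secrets to the hot spare using replicatoin technologies as mentioned in the previous paragraph, then delete` in the @@ -403 hunk introduces a typo ("replication"), and the unchanged context line `all secrets must be detstroyed.` above it has "detstroyed" for "destroyed".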
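Review bot: the new line `+For reference, consider an IHSM running at an angular velcity of $\SI{1000}{rpm}$. A tamper` in the @@ -425 hunk carries over the "velcity" typo. Two smaller points in the same hunk: the rewrite drops the footnote URL that sourced the Sunon \partnum{CF2207LBL-000U-HB9} wattage, so the \SI{6.6}{\watt} figure is now unreferenced, and `e.g. Sunon` lacks the `e.g.\ ` spacing used everywhere else in the file. The change from `\SI{100}{g}` to `$100\,g$` is welcome, but the context line `$\SI{0.1}{g}$~\cite{yoshimitsu1990}` two lines further down still uses the old form.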
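Review bot: the new line `+amount of mechanical power across a large geographic area, but due to the their low absolute instantaneous acceleration,` in the @@ -457 hunk keeps the doubled article "the their". The context line ending `~\cite{kelly1993,beards1996,dixon2007}, To reduce` also needs a full stop instead of the comma before "To".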
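Review bot: the added sentence `Long-distance shipping can be facilitated through compatibility with standards used for powered refrigerated shipping containers.` in the @@ -475 hunk names no standard and cites nothing; either reference the container power standard meant or soften the claim. The context line "backup battery built-in to the IHSM" should read "built into".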
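Review bot: the rewrite in the @@ -512 hunk loses the concrete hardening guidance of the old text ("the mesh monitoring circuit must be carefully designed to avoid single points of failure") in favour of `+design.` preceded by "This type of attack can be mitigated by careful electronic", which tells the reader nothing actionable; keep the single-point-of-failure wording. The new clause `+attacker may need to insert several probes to wiretap the payload processor's secrets, but if poorly implemented, they` also attaches "poorly implemented" to the attacker rather than the monitor; suggest "but if the monitor is poorly implemented, they may be able to disable it with only one".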