From 4a25d96235aa1b323be566cb9e17fe77e0bb7486 Mon Sep 17 00:00:00 2001 From: jaseg Date: Mon, 29 Mar 2021 20:38:39 +0200 Subject: Paper: More blurb --- doc/paper/rotohsm_paper.pdf | Bin 1191965 -> 1194057 bytes doc/paper/rotohsm_paper.tex | 148 ++++++++++++++++++++++++++++++-------- doc/paper/rotohsm_tech_report.pdf | Bin 112307 -> 112812 bytes 3 files changed, 119 insertions(+), 29 deletions(-) diff --git a/doc/paper/rotohsm_paper.pdf b/doc/paper/rotohsm_paper.pdf index 2a52783..e1260c4 100644 Binary files a/doc/paper/rotohsm_paper.pdf and b/doc/paper/rotohsm_paper.pdf differ diff --git a/doc/paper/rotohsm_paper.tex b/doc/paper/rotohsm_paper.tex index bb9beaa..fb7c347 100644 --- a/doc/paper/rotohsm_paper.tex +++ b/doc/paper/rotohsm_paper.tex @@ -132,6 +132,7 @@ This work contains the following contributions: \item We discuss possible boundary sensing modes for inertial HSMs. \item We explore the design space of our inertial HSM concept. \item We present our work on a prototype inertial HSM. + \item We present an anlysis on the viability of using commodity MEMS accelerometers as braking sensors. % FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack. \end{enumerate} @@ -203,20 +204,101 @@ with pressurized gas. \section{Inertial HSM construction and operation} \label{sec_ihsm_construction} -Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and is -routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first to -use it in tamper detection. If we consider different ways of moving an HSM to make it harder to tamper with, we find -that making it spin has several advantages. - -First, the HSM has to move fairly fast. If any point of the HSM's tamper sensing mesh moves slow enough for a human to -follow, it becomes a weak spot. E.g.\ in a linear pendulum motion, the pendulum becomes stationary at its apex. Second, -a spinning HSM is compact compared to alternatives like an HSM on wheels. Finally, rotation leads to easily predictable -accelerometer measurements. A beneficial side-effect of spinning the HSM is that if the axis of rotation is within the -HSM itself, an attacker trying to follow the motion would have to rotate around the same axis. Their tangential linear -velocity would rise linearly with the radius from the axis of rotation, which allows us to limit the approximate maximum -size and mass of an attacker using an assumption on tolerable centrifugal force (see Appendix -\ref{sec_minimum_angular_velocity}). In this consideration the axis of rotation is a weak spot, but that can be -mitigated using multiple nested layers of protection. +Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and +is routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first +to use it in tamper detection. + +The core questions in the design of an inertial HSM are the following: + +\begin{enumerate} + \item What \textbf{type of motion} to use: Rotation, pendulum, linear. + \item How to construct the \textbf{tamper detection mesh}. + \item How to \textbf{detect braking} of the HSM's movement. + \item The \textbf{mechanical layout} of the HSM. +\end{enumerate} + +We will approach these questions one by one in the following subsections. + +\subsection{Inertial HSM motion} + +First, there are several ways that we can approach motion. There is periodic, aperiodic and continuous motion. There is +also linear motion as well as rotation. We can also vary the degree of electronic control in this motion. The main +constraints we have on the HSM's motion pattern are that it needs to be (almost) continuous so as to not expose any weak +spots during instantaneous standstill of the HSM. Additionally, for space efficiency the HSM has to stay within a +confined space. This means that linear motion must be periodic, like that of a pendulum. Periodic linear motion will +have to quickly reverse direction at its apex so the device is not stationary long enough for this to become a weak +spot. + +In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the +device. In case it has a fixed axis, rotation will expose a weak spot at the axis of rotation where the surface's +tangential velocity is low. Faster rotation can lessen the severity of this at the expense of power consumption and +mechanical load but can never eliminate it. This effect can be alleviated in two ways: Either by adding additional +tamper protection at the axis, or by having the HSM perform a compound rotation that has no fixed axis. + +In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we are focusing on +systems having a fixed axis of rotation due to their relative simplicity in prototype construction but we note the +challenge of hardening the shaft against tampering. + +\subsection{Tamper detection mesh construction} + +Once we have decided on a type of motion our IHSM's security barrier shall perform, what remains is the actual +implementation of that security barrier. There are two movements that we have observed that are key to our work. On the +one hand, there is the widespread industry use of delicate tamper sensing mesh membranes. The widespread usage of such +membranes in systems deployed in the field for a variety of use cases from low-security payment processing devices to +high-security certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a +significant level of security. On the other hand, research has mostly focused on various ways to fabricate enclosures +that embed characteristics of a physically uncloneable function (PUF). By using stochastic properties of the enclosure +material to form a PUF, such academic designs effectively leverage signal processing techniques to improve the system's +hardness by a large factor. + +In our research, we focus on security meshes as our IHSM's tamper sensors. Most of the cost in commercial security mesh +implementations lies in the advanced manufacturing techniques and special materials necessary to achieve a sensitive +mesh at fine structure sizes. The foundation of an IHSM security is that by moving the mesh even a primitive, coarse +mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack in practice. This allows us to a simple +construction made up from low-cost components. Additionally, use of a mesh allows us to only spin the mesh itself +around and keep the payload stationary in the center of the IHSM. Tamper sensing technologies that use the entire volume +of the HSM such as RF-based systems do not allow for this degree of freedom in their design. They would require the +entire IHSM to spin, including its payload. This would entail costly and complex systems for data and power transfer +from the outside to the payload. + +\subsection{Braking detection} + +The security mesh is a critical component in the IHSM's primary defense against physical attacks, but its monitoring is +only one half of this defense. The other half consists of a reliable and sensitive braking detection system. This system +must be able to quickly detect any slowing of the IHSM's rotation. Ideally, a sufficiently sensitive sensor should be +able to measure any external force applied to the IHSM's rotor and should already trigger a response on the attempt of +manipulation. + +While the obvious choice to monitor rotation would be a tachometer such as a magnetic or opitical sensor attached to the +IHSM's shaft, this would be a poor choice in our application. Both optical and matgnetic sensors are susceptible to +contact-less interference from outside. Instead, an accelerometer is a good component to serve as an IHSM's tamper +sensor. + +%%% + +First, for motion to effectively disincentivize tampering, the HSM has to move fairly fast. +If any point of the HSM's tamper sensing shell moves slow enough for a human to follow, that point becomes a weak spot. +For illustration, consider linear oscillating motion like that of a pendulum. +At its apex, the pendulum becomes stationary and an attacker could use that split second of the device not moving. + +Second, a spinning HSM is potentially more compact than some alternatives like a pendulum or more exotic concepts such +as an HSM on wheels. Its main disadvantage is its circular envelope: When using components such as standard server +hardware for its payload, these components likely come in a rectangular form factor leading to dead space inside the +HSM. Mounting the HSM in a standard rackmount enclosure will also lead to significant dead space around the HSM. An +``vibrating'' HSM with a small amplitude of oscillation might potentially lead to a more compact solution, but this +compactness would come at increased engineering complexity and increased material stresses. + +Third and finally, constant rotation leads to a predictable, constant acceleration anywhere in the rotating part. This +allows the use of an accelerometer for tamper detection with minimal signal post-processing. + +A beneficial side-effect of spinning the HSM is that an attacker trying to follow the motion would have to rotate around +the same axis, subjecting them to very large centrifugal accleration. +This allows us to limit the approximate maximum size and mass of an attacker using an assumption on tolerable +centrifugal force (see Appendix \ref{sec_minimum_angular_velocity}). + +A basic spinning HSM might look like shown in Figure \ref{fig_schema_one_axis}. Shown are the axis of rotation, an +accelerometer on the rotating part used to detect braking, the protected payload and the area covered by the rotating +tamper detection mesh. \begin{figure} \center @@ -226,19 +308,24 @@ mitigated using multiple nested layers of protection. \label{fig_schema_one_axis} \end{figure} -In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to -distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the -rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, after -subtracting gravity both acceleration tangential to the rotation and along the axis of rotation will be zero. -Centrifugal acceleration will be constant. - -Large centrifugal acceleration at high speeds poses the engineering challenge of preventing the whole thing from flying -apart, but it also creates an obstacle to any attacker trying to manipulate the sensor. We do not need to move the -entire contents of the HSM. It suffices if we move the tamper detection barrier around a stationary payload. This -reduces the moment of inertia of the moving part and it means we can use cables for payload power and data. +\section{Using accelerometers as rotation sensors} -From our back-of-the-envelope calculation in Appendix \ref{sec_minimum_angular_velocity} we conclude that even at -moderate speeds above $\SI{500}{rpm}$, an attack would have to be carried out using a robot. +In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to +distance from the axis of rotation. We can exploit this fact to use an accelerometer as a sensor that detects any +disturbance to the HSM's rotation. We place the accelerometer at a known distance from the axis of rotation. When the +axis of rotation is vertical, during constant rotation tangential acceleration will be zero and acceleration along the +axis of rotation will be $\SI{1}{\g}$. Centrifugal acceleration will be constant. + +Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled +disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device. +A key observation is that we only have to move the tamper protection mesh, not the entire contents of the HSM. +The HSM's payload and with it most of the HSM's mass can be stationary. +This reduces the moment of inertia of the moving part and it means that we can use cables for power and data connections +to the payload. + +From a coarse calculation (Appendix \ref{sec_minimum_angular_velocity}) we conclude that even at moderate speeds (above +$\SI{500}{rpm}$), a manual attack is no longer possible and any attack would have to be carried out using either +computer control or precise mechanics. In Appendix \ref{sec_degrees_of_freedom} we consider sensor configurations and we conclude that one three-axis accelerometer each in the rotor and in the stator are a good baseline configuration. In general, the system will be more @@ -287,6 +374,8 @@ transmit the occassional status report along with a low-latency alarm trigger (` As we will elaborate in Section~\ref{sec_proto} a simple infrared optical link turned out to be a good solution for this purpose. +\subsection{Tamper detection} + \section{Attacks} \label{sec_attacks} @@ -295,6 +384,8 @@ attack it. Fundamentally, attacks on an inertial HSM are the same as those on a detection mesh is the same. Only, in the inertial HSM any attack on the mesh has to be carried out while the mesh is rotating, which for most types of attack will require some kind of CNC attack robot moving in sync with it. +\subsection{Attacking at the axis of rotation} + \subsection{Attacks on the mesh} There are two locations where one can attack a tamper-detection mesh. On one hand, the mesh itself can be tampered with. @@ -324,7 +415,7 @@ shielded place inside the security envelope. Further, this attack can only work expected accelerometer readings are constant. If the rate of rotation is set to vary over time this type of attack is quickly detected. In Appendix \ref{sec_degrees_of_freedom} we outline the constraints on sensor placement. -\subsection{Attacks on the alarm circuitry} +\subsection{Attacks on the alarm circuit} Besides trying to deactivate the tamper detection mesh, an electronic attack could also target the alarm circuitry inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a @@ -457,6 +548,7 @@ driven at $\SI{1}{\milli\ampere}$ while the stator transmitter LED is driven at \end{figure} \subsection{Power transmission through rotating joint} + Besides the data link, the other electrical interface we need between rotor and stator is for power transmission. We power Since this prototype serves only demonstration purposes, we chose to use the simplest possible method of power transmission: solar cells. We mounted six series-connected solar cells in three commercially available modules on the @@ -485,8 +577,6 @@ which allows us to reliably transfer several tens of bytes in each direction dur speed of rotation. As a result of our prototype experiments, we consider a larger-scale implementation of the inertial HSM concept practical. -\section{Using accelerometers as rotation sensors} - \begin{figure} \center \includegraphics[width=8cm]{prototype_early_comms_small.jpg} diff --git a/doc/paper/rotohsm_tech_report.pdf b/doc/paper/rotohsm_tech_report.pdf index 780bfb0..aae2445 100644 Binary files a/doc/paper/rotohsm_tech_report.pdf and b/doc/paper/rotohsm_tech_report.pdf differ -- cgit