From 5af08604d7a54441ad757f4ab9f550c54deb6ce9 Mon Sep 17 00:00:00 2001
From: jaseg
Date: Wed, 16 Sep 2020 13:08:38 +0200
Subject: Initial commit
---
 quick-tech-report/.gitignore | 10 ++
 quick-tech-report/Makefile | 36 +++++
 quick-tech-report/rotohsm_tech_report.bib | 0
 quick-tech-report/rotohsm_tech_report.tex | 222 ++++++++++++++++++++++++++++++
 4 files changed, 268 insertions(+)
 create mode 100644 quick-tech-report/.gitignore
 create mode 100644 quick-tech-report/Makefile
 create mode 100644 quick-tech-report/rotohsm_tech_report.bib
 create mode 100644 quick-tech-report/rotohsm_tech_report.tex
diff --git a/quick-tech-report/.gitignore b/quick-tech-report/.gitignore
new file mode 100644
index 0000000..c49262e
--- /dev/null
+++ b/quick-tech-report/.gitignore
@@ -0,0 +1,10 @@
+*.out
+*.bbl
+*.aux
+*.toc
+*.blg
+*.bcf
+*.log
+*.run.xml
+
+version.tex
diff --git a/quick-tech-report/Makefile b/quick-tech-report/Makefile
new file mode 100644
index 0000000..259f303
--- /dev/null
+++ b/quick-tech-report/Makefile
@@ -0,0 +1,36 @@
+
+LAB_PATH ?= ../lab-windows
+
+SHELL := bash
+.ONESHELL:
+.SHELLFLAGS := -eu -o pipefail -c
+.DELETE_ON_ERROR:
+MAKEFLAGS += --warn-undefined-variables
+MAKEFLAGS += --no-builtin-rules
+
+main_tex ?= rotohsm_tech_report
+
+VERSION_STRING := $(shell git describe --tags --long --dirty)
+
+all: ${main_tex}.pdf
+
+%.pdf: %.tex %.bib version.tex
+ pdflatex -shell-escape $<
+ biber $*
+ pdflatex -shell-escape $<
+
+.PHONY: preview
+preview:
+ pdflatex -shell-escape ${main_tex}.tex
+
+version.tex: ${main_tex}.tex ${main_tex}.bib
+ echo "${VERSION_STRING}" > $@
+
+resources/%.pdf: $(LAB_PATH)/%.ipynb
+ jupyter-nbconvert --to=pdf --output-dir=resources --output=$* --LatexExporter.template_file=resources/nbexport.tplx $^
+
+.PHONY: clean
+clean:
+ rm -f ${main_tex}.aux ${main_tex}.bbl ${main_tex}.bcf ${main_tex}.log ${main_tex}.blg
+ rm -f ${main_tex}.out ${main_tex}.run.xml texput.log
+
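Review bot: `pdflatex -shell-escape` in the `%.pdf` and `preview` recipes gives every TeX run unrestricted command execution, so anything that ends up in a `.tex` input, in the generated `version.tex`, or in a notebook export pulled from `LAB_PATH` is executed at build time with the builder's privileges; the `minted` package in the document needs it, but that reason is not recorded anywhere. I would add `# -shell-escape is required by the minted package (pygmentize); it lets the document run external commands, so only build sources you trust` above the first recipe. Separately, `VERSION_STRING := $(shell git describe --tags --long --dirty)` fails in a repository with no tags (this initial commit has none) and `version.tex` then silently ends up empty; `git describe --tags --long --dirty --always` falls back to the abbreviated commit id. `version.tex` also depends only on the `.tex` and `.bib`, so the embedded version string goes stale after further commits until one of those files changes, and `clean` leaves `version.tex` and the PDF behind even though `.gitignore` treats `version.tex` as a build product.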
diff --git a/quick-tech-report/rotohsm_tech_report.bib b/quick-tech-report/rotohsm_tech_report.bib
new file mode 100644
index 0000000..e69de29
diff --git a/quick-tech-report/rotohsm_tech_report.tex b/quick-tech-report/rotohsm_tech_report.tex
new file mode 100644
index 0000000..f37b572
--- /dev/null
+++ b/quick-tech-report/rotohsm_tech_report.tex
@@ -0,0 +1,222 @@
+\documentclass[12pt,a4paper]{article}
+\usepackage[english]{babel}
+\usepackage[utf8]{inputenc}
+\usepackage[T1]{fontenc}
+\usepackage[
+ backend=biber,
+ style=numeric,
+ natbib=true,
+ url=false,
+ doi=true,
+ eprint=false
+ ]{biblatex}
+\addbibresource{rotohsm.bib}
+\usepackage{amssymb,amsmath}
+\usepackage{listings}
+\usepackage{eurosym}
+\usepackage{wasysym}
+\usepackage{amsthm}
+\usepackage{tabularx}
+\usepackage{multirow}
+\usepackage{multicol}
+\usepackage{tikz}
+\usepackage{mathtools}
+\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil}
+\DeclarePairedDelimiter{\paren}{(}{)}
+
+\usetikzlibrary{arrows}
+\usetikzlibrary{chains}
+\usetikzlibrary{backgrounds}
+\usetikzlibrary{calc}
+\usetikzlibrary{decorations.markings}
+\usetikzlibrary{decorations.pathreplacing}
+\usetikzlibrary{fit}
+\usetikzlibrary{patterns}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes}
+
+\usepackage[binary-units]{siunitx}
+\DeclareSIUnit{\baud}{Bd}
+\usepackage{hyperref}
+\usepackage{tabularx}
+\usepackage{commath}
+\usepackage{graphicx,color}
+\usepackage{ccicons}
+\usepackage{subcaption}
+\usepackage{float}
+\usepackage{footmisc}
+\usepackage{array}
+\usepackage[underline=false]{pgf-umlsd}
+\usetikzlibrary{calc}
+%\usepackage[pdftex]{graphicx,color}
+\usepackage{epstopdf}
+\usepackage{pdfpages}
+\usepackage{minted} % pygmentized source code
+
+\renewcommand{\floatpagefraction}{.8}
+\newcommand{\degree}{\ensuremath{^\circ}}
+\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
+
+\usepackage{fancyhdr}
+\fancyhf{}
+\fancyfoot[C]{\thepage}
+\newcommand{\includenotebook}[2]{
+ \fancyhead[C]{Included Jupyter notebook: #1}
+ \includepdf[pages=1,
+ pagecommand={\thispagestyle{fancy}\section{#1}\label{#2_notebook}}
+ ]{resources/#2.pdf}
+ \includepdf[pages=2-,
+ pagecommand={\thispagestyle{fancy}}
+ ]{resources/#2.pdf}
+}
+
+\begin{document}
+
+\title{A High-Security Physical Security Primitive Based On Mechanical Movement}
+\author{Jan Götte}
+\date{2020-09-15}
+\maketitle
+
+\section{Abstract}
+In this paper, we introduce a novel, highly effective countermeasure against physical attacks: Inertial hardware
+security modules. Whereas conventional technology can be categorized into systems monitoring a thin boundary (such as
+security meshes) and systems monitoring the interior volume (such as the "enclosure PUF" of Tobisch et al.). What all of
+these systems have in common is that they try to detect attacks by crafting sensors responding to increasingly minute
+manipulations of the monitored medium. Our approach is novel in that we alleviate the sensitivity requirement of a
+security mesh by increasing the complexity of any manipulation at all by orders of magnitude by fastly rotating the
+security mesh--presenting a moving target to an attacker. Attempts to modify the rotation itself are easily monitored
+with commercial MEMS accelerometers and gyroscopes.
+
+Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet is
+as secure or more secure than even the best commercial offerings.
+
+\section{Introduction}
+Since the early days of computers, physical security has often been a core component of any computer system's security
+architecture. Physical security in fact predates our modern concept of computer security by decades. Long before
+passwords, access control lists, role-based authentication and other modern concepts of information security were
+developed, information was secured by physically locking away the computers that held it.
+
+Nowadays, concerns of physical security are mostly limited to certain applications. Credit card processing and medical
+data processing are two instances where a combination of smartcards and hardware security modules is used to provide a
+higher level of security than what ordinary computers can provide. 
Meanwhile, in most commercial data processing
+applications, the physical security provided by an average datacenter is considered to be appropriate.
+
+In modern systems, phyiscal security always is tightly interwoven with the system's overall security architecture.
+Beyond the level provided by locks and guards, it is generally considered infeasible to physically secure all parts of a
+computer. High-level physical security is usually limited to either a single chip or part of a chip such as a secure
+element, enclave or smartcards--or it is limited to a small module acting within a very limited scope, as is the case in
+commercial HSMs that largely act as cryptographic co-processors with built-in key management functions.
+
+\subsection{Technical approaches to physical security}
+The use of chips as secure elements has recently become popular beyond the smartcards of yesteryear. Apple has carried
+over a secure enclave IC from their line of phones into their line of laptops in 2016. Likewise, Google has developed
+its own security IC for use in phones and laptops. An issue to consider with all such IC-based security solutions is
+that they do not provide any cryptographic security. The real-world security of these solutions solely rests on the
+assumption that due to their fine structure, ICs are hard to reverse engineer and manipulate. As of now, this property
+holds and in the authors' opinion it will likely be a reasonable assumptions for some years to come. However, in its
+essence this is a type of security by obscurity: Obscurity here mostly applying to the rarity of tools that are
+necessary for practical attacks such as focused ion beam workstations and accompanying sample preparation equipment. 
An
+important observation in this regard is that already, several people are slowly chipping away at this obscurity: A group
+at Ruhr University Bochum is working on advanced tooling for netlist reverse engineering, and there are several
+companies offering commercial IC reverse engineering services.
+
+\subsection{Hardware Security Modules}
+At larger physical dimensions, hardware security modules (HSMs) provide an effective solution to the problem: In
+conformity with Kerckhoff's principle, their creators do not try to hide the structure of the system within. Instead,
+the HSM monitors it for any manipulation and wipes all key material when one is detected. The most common commercial
+realization of this is what we call a "boundary-monitoring" HSM. This is a device uses a microcontroller monitoring the
+conductivity of usually two electrical traces that are folded many times to cover the entire area of a plastic enclosure
+part or a plastic foil wrapped around the module. The security problem thus gets transformed into a manufacturing
+challenge: How fine can these traces be made--so they are disturbed by even the tiniest of holes for say, a fine needle;
+and how sensitive can they be made to perturbations--so they break from even gentle attempts at mechanical, chemical or
+other physical manipulation.
+
+The other type of HSM that so far has garnered mostly academic interest are what we call "volumetric" HSMs. Where a
+boundary-monitoring HSM senses disturbations to a thin boundary between its inside and the outside world, a volumetric
+HSM monitors its entire interior volume. Approaches that have been proposed so far include monitoring using
+electromagnetic radiation % FIXME: citation (paper1 (this chip thing w/ distributed PAs/LNAs), paper2 (RUB)
+and ultrasonic sensing. % FIXME: citation
+Common to both approaches is that for technical reasons the wavelength of the employed radiation is in the range of
+millimeters or larger. 
This implies that practical attacks acting on a smaller scale of physical size require sensitive
+monitoring circuity to be reliably caught. % FIXME maybe talk to a physicist here.
+Since they require advanced transceivers and signal processing, these HSMs incur a high implementation cost compared to
+one based on a traditional security mesh, while they in turn promise to be easier and less expensive to scale in
+physical size. A severe problem with any previous volumetric designs is that their security analysis is very hard. While
+multiple designs have been proposed academically, none of these proposals include an analysis of their physical security
+properties that goes beyond guesswork. %FIXME verify this.
+The obvious reason for this is that to evaluate the volume inside the HSM that is covered by a given transceiver
+combination and a given test signal pattern necessarily requires numerically solving the volumetric electromagnetic
+field equations inside the HSM, applying a model of transmitter and receiver to the results that takes into account
+receiver sensitivity and ADC resolution, transmitter power and receiver saturation effects and then validating that
+every point in space (or at least inside a boundary region) is covered. While the guess that attacks are impractical
+might still be true this would be based on the fact that the same problem presents itself to an attacker trying to
+circumvent these measures--degrading their security to simple obscurity again.
+
+\subsection{A new approach to physical security}
+We are certain that there is still much work to be done and many insights to be gained from further explorations
+of the two concepts described above. Trivially, consider a box with mirrored walls that, suspended on thin wires,
+contains a smaller box that has cameras looking outward in all directions at the mirrored walls. 
Given that the defender
+can control lighting conditions inside this kaleidoscopic box in this application modern cameras can be considered
+equivalent to or better than the human eye. Thus, a successful physical attack on this system would likely an
+"invisibility cloaks"--and the system would remain secure as long as no such thing exists. This example is a useful
+point of reference. To be viable, a HSM technology must be either smaller or more sensitive than such a setup.
+
+The candidate we wish to introduce in this paper uses a novel approach to side-step the issues of both the concepts
+introduced in the previous section and provides radically better security against physical attacks--both in theory and
+in practice.
+
+Our core observation is that given any less expensive but more coarse HSM technology, we can make it radically more
+difficult to attack by introducing fast mechanical motion. As a trivial example, consider a HSM as it is used in
+ecommerce applications for credit card payments. Focusing on its main defense for simplicity, its physical security is
+limited by the structure size of the mesh that is likely used in its shell. If an attacker can tap the mesh's electrical
+traces and bridge across the mesh in a way the HSM cannot detect (e.g. by making sure the bridge has the same electrical
+impedance as the mesh traces have e.g. by comparing against another device of the same type), they have circumvented the
+device's protections. Any such attack would likely involve some fine drill bits, needles, wires, glue, perhaps solder or
+even lasers.
+
+Now consider the same HSM, but this time mounted on a large flywheel. In this scenario the HSM uses the same
+protections as before, but is now additionally equipped with an accelerometer that it uses to verify that it is in fact
+rotating at a very high speed. How would an attacker approach this HSM? 
They would have to either slow down the rotation
+(which would quickly be sensed by the accelerometer) or they would have to attack the moving HSM--the HSM literally
+becomes a moving target. While rotating the entire attack workbench might be possible for slow speeds, rotating frames
+of reference quickly become inhospitable to human life and at some point the technical means to rotate a CNC attack
+robot probably weighing several kilograms become inconvenient as well. Contact-less EM or optical attacks are more
+limited in the first place, and can effectively be shielded.
+
+\section{Related work}
+% summaries of research papers on HSMs.
+% I have not found any actual prior art on anything involving mechanical motion beyond ultrasound.
+
+\section{The physics of hardware security}
+% approaching the issue from measurable quantities
+\section{Intertial HSMs}
+\section{Hardware prototype}
+\section{Future work}
+\subsection{Other modes of movement}
+\subsection{Multiple axes of rotation}
+\subsection{Means of power transmission}
+\subsection{Other sensing modes}
+\subsection{Longeivity}
+\section{Conclusion}
+
+\printbibliography[heading=bibintoc]
+\appendix
+\section{License}
+{\center{
+\begin{minipage}[t][10cm][b]{\textwidth}
+ \center{\ccbysa}
+
+ \center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The
+ full text of the license can be found at:}
+
+ \center{\url{https://creativecommons.org/licenses/by-sa/4.0/}}
+
+ \center{For alternative licensing options, source files, questions or comments please contact the authors.}
+
+ \center{This is version \texttt{\input{version.tex}\unskip} generated on \today. The git repository can be found at:}
+
+ \center{\url{https://git.jaseg.de/rotohsm.git}}
+\end{minipage}
+}}
+
+\end{document}
-- cgit
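Review bot: `\addbibresource{rotohsm.bib}` in the preamble names a file this commit does not create; the bibliography file added here is `rotohsm_tech_report.bib`, which is also what the Makefile's `%.bib` prerequisite resolves to, so biber will report a missing data source on the first full build. Changing it to `\addbibresource{rotohsm_tech_report.bib}` (or `\addbibresource{\jobname.bib}`) keeps the document and the Makefile in agreement. Minor points: `tabularx` and the TikZ `calc` library are each loaded twice, and the section titles `Intertial HSMs` and `Longeivity` are misspelled and will appear that way in the table of contents and the hyperref bookmarks. The `% FIXME: citation` markers in the Hardware Security Modules subsection leave the claims about EM-based and ultrasonic volumetric HSMs without a reference, which should be resolved before the report is circulated.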