From 6d978908e3a16619b562d2cdd2a4de600e0b1f3e Mon Sep 17 00:00:00 2001
From: jaseg
Date: Fri, 24 Sep 2021 20:16:06 +0200
Subject: WIP

---
 paper/ihsm.bib | 19 +++
 paper/ihsm_paper.tex | 464 +++++++++++++++++++++++++++------------------------
 2 files changed, 262 insertions(+), 221 deletions(-)

diff --git a/paper/ihsm.bib b/paper/ihsm.bib
index d19b432..5dabfb8 100644
--- a/paper/ihsm.bib
+++ b/paper/ihsm.bib
@@ -412,6 +412,16 @@
 date = {2021},
 }
 
+@misc{boak1973,
+ author = {David G. Boak},
+ title = {A History of U.S. Communications Security, Volumes I and II},
+ howpublished = {Lecture Notes},
+ url = {https://www.governmentattic.org/18docs/Hist_US_COMSEC_Boak_NSA_1973u.pdf},
+ urldate = {2021-09-24},
+ publisher = {US National Security Agency (NSA)},
+ date = {1973},
+}
+
 @InProceedings{german2007,
 title = {Event Data Recorders in the Analysis of Frontal Impacts},
 author = {A. German and J-L. Comeau and K.J. McClafferty, M.J. Shkrum, and P.F. Tiessen},
@@ -432,6 +442,15 @@
 date = {2018-07-11},
 }
 
+@InProceedings{ledger2019,
+ title = {Everybody be cool, this is a robbery!},
+ author = {Jean-Baptiste Bédrune and Gabriel Campana},
+ year = {2019},
+ booktitle = {Symposium sur la sécurité des technologies de l'information et des communications 2019},
+ url = {https://www.sstic.org/media/SSTIC2019/SSTIC-actes/hsm/SSTIC2019-Article-hsm-campana_bedrune_neNSDyL.pdf},
+ urldate = {2021-09-24},
+}
+
 @InProceedings{tschofenig2015,
 booktitle = {NIST Lightweight Cryptography Workshop 2015},
 author = {Hannes Tschofenig and Manuel Pegourie-Gonnard and Hugo Vincent},
diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex
index 8119fe2..78b7d5e 100644
--- a/paper/ihsm_paper.tex
+++ b/paper/ihsm_paper.tex
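Review bot: The ledger2019 entry gives its year as `year = {2019}` while the boak1973 entry in the previous hunk and every neighbouring entry visible here (`date = {2021}`, `date = {2018-07-11}`) use biblatex's `date` field; make it `date = {2019}` so one convention holds across the file. Both new entries store names in `First Last` form; the comma form, `author = {Boak, David G.}` and `author = {Bédrune, Jean-Baptiste and Campana, Gabriel}`, is parsed unambiguously and is the recommended form for a .bib database. The UTF-8 in `Bédrune` and `sécurité` together with `urldate` presuppose biblatex with Biber, which the existing `date` fields suggest is already the case, so no escaping is needed.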
@@ -54,10 +54,10 @@ manipulations by rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to an HSM that can easily be built from off-the-shelf parts by any university electronics lab, - yet offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware - prototype that demonstrates solutions to the concept's main engineering challenges. As part of this proof of - concept, we have found that a system using a coarse security mesh made from commercial printed circuit boards and an - automotive high g-force accelerometer already provides a useful level of security. + yet offers a level of security that is comparable to commercial HSMs. We have built a proof-of-concept hardware + prototype that demonstrates solutions to the concept's main engineering challenges. As part of this + proof-of-concept, we have found that a system using a coarse security mesh made from commercial printed circuit + boards and an automotive high g-force accelerometer already provides a useful level of security. \end{abstract} \section{Introduction} @@ -112,7 +112,7 @@ This paper contains the following contributions: \center \includegraphics[width=12cm]{prototype_pic2.jpg} \caption{The prototype as we used it to test power transfer and bidirectional communication between stator and - rotor. This picture shows the proof of concept prototype's configuration that we used for accelerometer + rotor. This picture shows the proof-of-concept prototype's configuration that we used for accelerometer characterization (Section~\ref{sec_accel_meas}) without the vertical security mesh struts that connect the circular top and bottom outer meshes.} \label{prototype_picture} 
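Review bot: In the abstract, `As part of this proof-of-concept, we have found` hyphenates the phrase where it is used as a noun; the hyphenated form is right only as a compound modifier (`proof-of-concept hardware prototype`), so this occurrence should stay `proof of concept`. The other replacements in this commit (in the figure caption and the introduction hunk) are adjectival and correct as changed.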
@@ -120,9 +120,9 @@ This paper contains the following contributions: In Section~\ref{sec_related_work}, we will give an overview of the state of the art in HSM physical security. On this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our Inertial HSM approach. We will -analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof of concept hardware +analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof-of-concept hardware prototype.In Section~\ref{sec_proto} we will elaborate the design of this prototype. In Section~\ref{sec_accel_meas} we -present our characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof of concept +present our characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof-of-concept prototype. We conclude this paper with a general evaluation of our design in Section~\ref{sec_conclusion}. \section{Related work} 
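Review bot: The context line `prototype.In Section~\ref{sec_proto} we will elaborate` is missing the space after the full stop; since the commit edits the lines on either side of it, fixing it here is cheap: `prototype. In Section~\ref{sec_proto} we will elaborate`.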
@@ -133,34 +133,40 @@ prototype. We conclude this paper with a general evaluation of our design in Sec In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper detection. -HSMs are an old technology that traces back decades in its electronic realization. Today's common approach of monitoring -meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security -problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, -anderson2020}. There has been some research on monitoring the HSM's interior using e.g.\ electromagnetic -radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research has found -widespread adoption yet. +HSMs are an old technology that traces back decades in its electronic realization, initially being conceived by the US +NSA during the second world war~\cite{boak1973}. Today's common approach of monitoring meandering electrical traces on a +fragile foil that is wrapped around the HSM essentially transforms the security problem into the challenge to +manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, anderson2020}. There has been +some research on monitoring the HSM's interior using e.g.\ electromagnetic radiation~\cite{tobisch2020, kreft2012} or +ultrasound~\cite{vrijaldenhoven2004} but none of this research has found widespread adoption yet. HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper-evident devices. The difference is that an HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine it. This examination can be done by eye in the field, but it can also be carried out in a laboratory using complex equipment. An HSM in principle has to have this examination equipment built-in. 
-Physical seals are used in a wide variety of applications, but the most interesting ones from a research point of view -that are recorded in public literature are those used for monitoring of nuclear material under the International Atomic -Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically -Unclonable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in a -way that intentionally causes large, random device-to-device variations. These variations are precisely recorded at -deployment. At the end of the seal's lifetime, the seal is returned from the field to the lab and closely examined to -check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes random -scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the -uncontrollably random distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well as the -precise three-dimensional surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}. +Physical seals are used in a wide variety of applications. Of interest for this paper are those used for monitoring of +nuclear material under the International Atomic Energy Authority (IAEA). Most of these seals use the same approach that +is used in Physically Unclonable Functions (PUFs), though their development predates that of PUFs by several decades. +The seal is created in a way that intentionally causes large, random device-to-device variations. These variations are +precisely recorded at deployment. At the end of the seal's lifetime, the seal is returned to a lab and closely examined +to check for any deviations from the seal's prior recorded state. 
The type of variation used in these seals includes +random scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA +seal), the uncontrollably random distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well +as the precise three-dimensional surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}. The IAEA's equipment portfolio does include electronic seals such as the EOSS. These devices are intended for remote reading, similar to an HSM. They are constructed from two components: A cable that is surveilled for tampering, and a -monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil such as it is used in +monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil like it is used in commercial HSMs. +The self-destruct built into an HSM serves as a strong tamper deterrent. For illustration, compare an HSM to a computer +inside a locked safe when opposing a well-funded attacker with plenty of time. In~\cite{boak1973}, Boak asserts that +absent an HSM's capability to self-destruct, the best safes can only withstand brute force attacks by an expert for +several minutes at best. While the state of electronics has advanced rapidly since Boak's 1973 lecture, the hardness of +steel has not increased correspondingly. Thus, we can conclude that even today, against a "smart, well-equipped opponent +with plenty of time" as noted by Boak, this self-destruction functionality is essential. + In~\cite{anderson2020}, Anderson gives a comprehensive overview of physical security. An example HSM that he cites is the IBM 4758, the details of which are laid out in-depth in~\cite{smith1998}. This HSM is an example of an industry-standard construction. Although its turn of the century design is now a bit dated, the construction techniques 
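Review bot: The quotation `"smart, well-equipped opponent with plenty of time"` in the new self-destruct paragraph uses straight ASCII double quotes, which LaTeX typesets as closing quotes on both sides; the rest of the file uses the ``...'' form (e.g. ``power bank'' later on), so write ``smart, well-equipped opponent with plenty of time''. The new opening paragraph states that HSMs were conceived by the US NSA during the second world war, but the NSA was only established in 1952, so either attribute this to the NSA's predecessor agencies or date it more loosely, e.g. `initially being conceived by the US agencies that preceded the NSA~\cite{boak1973}`, and capitalise `Second World War`. `can only withstand brute force attacks by an expert for several minutes at best` doubles the qualifier; drop either `only` or `at best`. `uses a security mesh foil like it is used in commercial HSMs` reads better as `as is used in commercial HSMs`.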
@@ -172,22 +178,19 @@ fundamentally similar approach to tamper detection~\cite{obermaier2018,drimer200 Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to -traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example). -Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in -area covered and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A -core component of their design is that they propose its use as a PUF to allow for protection even when powered off, -similar to a smart card---but the design is not limited to this use. - -In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based -around commodity WiFi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference -signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections -and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that -the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the -volume of the cavity will cause a significant change in its RF response. A core component of the work of Tobisch et -al.~\cite{tobisch2020}\ is that they use commodity WiFi hardware to reduce the cost of the HSM's sensing circuitry. The -resulting system is likely both much cheaper and capable of protecting a much larger security envelope than designs -using finely patterned foil security meshes such as~\cite{immler2019}, at the cost of worse and less predictable -security guarantees. 
Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven +traditional meshes, they use a large number of individual traces. Their concept promises a very high degree of +protection, but is limited in area covered and component height, as well as the high cost of the advanced analog +circuitry required for monitoring. A core component of their design is that they propose its use as a PUF to allow for +protection even when powered off, similar to a smart card---but the design is not limited to this use. + +In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based on +a WiFi transceiver inside a conductive enclosure. In their design, a reference signal is sent into the RF cavity formed +by the conductive enclosure. The receiver(s) use the signal's reflections to characterize the phase and frequency +response of the RF cavity. They assume that the RF behavior of the cavity is inscrutable from the outside, and that any +small disturbances within the volume of the cavity will cause a significant change in its RF response. Based on +commodity WiFi hardware, the resulting system is likely both much cheaper and capable of protecting a much larger +security envelope than designs using finely patterned foil security meshes such as~\cite{immler2019}, at the cost of +worse and less predictable security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven in~\cite{vrijaldenhoven2004} uses ultrasound waves traveling on a surface acoustic wave (SAW) device to a similar end. While Tobisch et al.~\cite{tobisch2020}\ approach the sensing frontend cost as their primary optimization target, the 
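Review bot: In the rewritten Immler et al. sentence, `but is limited in area covered and component height, as well as the high cost of the advanced analog circuitry` does not parse, because `limited in ...` cannot govern `the high cost`; split it: `but is limited in area covered and component height, and requires costly advanced analog circuitry for monitoring`. The Tobisch paragraph now introduces `a WiFi transceiver` in its first sentence and mentions `commodity WiFi hardware` only at the end, although the cost argument rests on the hardware being commodity; saying so in the first sentence (`based on a commodity WiFi transceiver`) keeps the argument in order.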
@@ -197,14 +200,11 @@ properties of a potting compound that has been loaded with RF-reflective grains. characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains within the potting compound. -To the best of our knowledge, we are the first to propose a mechanically moving HSM security barrier as part of a -hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security -barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture -these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap -low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The -closest to a mechanical HSM that we were able to find during our research is a 1988 patent~\cite{rahman1988} that -describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled -with pressurized gas. +To the best of our knowledge, we are the first to propose a mechanically moving security barrier as part of a hardware +security module. Most academic research concentrates on the issue of creating new, more sensitive security barriers for +HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture these security +barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance +security barrier and transforming it into a marginally more expensive but high-performance one. \section{Inertial HSM construction and operation} \label{sec_ihsm_construction} 
@@ -225,6 +225,23 @@ The core questions in the design of an inertial HSM are the following: We will approach these questions one by one in the following subsections and conclude this section with an exploration of the practical implications that these aspects of IHSM construction have on IHSM operation. +\subsection{Use Cases and Attacker Model} + +We motivate our work on IHSM security with a number of use cases. For instance, a healthcare provider may wish to +perform advanced data analysis on a large database of patient health information. While the processing result may be +needed for the common good, accumulating large amounts of sensitive data on a single system for such processing poses a +risk. By collecting valuable data in a single computer, this computer is effectively made a target for organized +cyber-criminals and other determined attackers. Mitigations such as cryptographic protocols and firewalls are effective +for the network security side of things, physical security is difficult to secure against e.g. bribing of insiders. A +similar use case would be that of a bank processing customer data. Here, too, a very high level of physical security is +necessary since adversaries may include foreign secret services. Finally, consider a provider of large-scale group +communication. Right now, practical systems such as messenger apps fall back to non-end-to-end-encrypted processes for +large groups since a sufficiently lightweight, performant cryptographic solution does not exist yet. Similar to the +banking use case, such services need to consider advanced adversaries such as foreign nation states' secret services. + +Our goal with IHSMs is to eventually arrive at a system that, at low-cost, can persist against a smart, well-funded +adversary such as a secret service or organized cyber-crime. + \subsection{Inertial HSM motion} \label{sec_ihsm_motion} 
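Review bot: The new subsection is titled `Use Cases and Attacker Model` but only names adversary classes (organized cyber-crime, foreign secret services); a security reader will look here for what the adversary is assumed to be able to do, and the attacks section later appears to presuppose physical possession of the device and mechanical tooling, so state the assumed capabilities (physical access, time, tooling, budget) and what is out of scope in a sentence or two. `Mitigations such as cryptographic protocols and firewalls are effective for the network security side of things, physical security is difficult to secure against e.g. bribing of insiders` is a comma splice and `physical security is difficult to secure` is circular; try `..., but physical access is difficult to secure against, e.g.\ the bribing of insiders.` The two `e.g.` occurrences here lack the `\ ` that the rest of the file puts after the abbreviation (`e.g.\ by drilling`), without which LaTeX inserts sentence spacing. `at low-cost` should be `at low cost`, and the claim that messenger apps fall back to non-end-to-end-encrypted processing for large groups needs a citation.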
@@ -256,9 +273,10 @@ shaft against tampering that any production device would have to tackle. \subsection{Tamper detection mesh construction} -Once we have decided how our IHSM's security barrier should move, what remains is the actual implementation -of that security barrier. There are two movements that we have observed that are key to our work. On the one hand, there -is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems +IHSMs do not eliminate the need for a security barrier. To prevent an attacker from physically destroying the moving +security barrier, tamper detection such as a mesh is still necessary. In this subsection we will consider ways to +realize this security barrier. There are two movements that we have observed that are key to our work. On the one hand, +there is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems deployed in the field for a variety of use cases from low-security payment processing devices to high-security certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to 
@@ -284,21 +302,25 @@ able to quickly detect any slowdown of the IHSM's rotation. Ideally, a sufficien any external force applied to the IHSM's rotor and should already trigger a response at the first signs of a manipulation attempt. -While the obvious choice to monitor rotation would be a tachometer such as a magnetic or optical sensor attached to the -IHSM's shaft, this would be a poor choice for our purposes. Both optical and magnetic sensors are susceptible to -contact-less interference from outside. A different option would be to use feedback from the motor driver electronics. -When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this -approach is that depending on construction, it might invite attacks at the mechanical interface between the mesh and the -motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation, or electrical -discharge machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is -already standing still. - -Instead of a stator-side sensor like a magnetic tachometer or feedback from the BLDC controller, an accelerometer placed -inside the spinning mesh monitoring circuit would be a good component to serve as an IHSM's tamper sensor. Modern, fully -integrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of the device's -mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper with the device's -motion. 
It may also allow remote monitoring of the device's mechanical components such as bearings: MEMS accelerometers -are fast enough to capture vibrations, which can be used as an early warning sign of failing mechanical +While the obvious choice to monitor rotation would be a magnetic or optical tachometer sensor attached to the IHSM's +shaft, this would be a poor choice for our purposes since optical and magnetic sensors are susceptible to contact-less +interference from outside. A different option would be to use feedback from the motor driver electronics. When using a +BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this approach is +that depending on construction, it might allow for attacks at the mechanical interface between the mesh and the motor's +shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation, or electrical discharge +machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is already +standing still. + +Instead of a stator-side sensor like a magnetic tachometer or feedback from the BLDC controller, an inertial sensor such +as an accelerometer or gyroscope placed inside the spinning mesh monitoring circuit would be a good component to serve +as an IHSM's tamper sensor. A gyroscope would need to be placed close to the IHSM's shaft where centrifugal force is +low, and would directly measure changes in angular velocity. An accelerometer could be placed anywhere on the rotor and +would measure centrifugal acceleration. + +Modern, fully integrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of +the device's mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper with the +device's motion. 
It may also allow remote monitoring of the device's mechanical components such as bearings: MEMS +accelerometers are fast enough to capture vibrations, which can be used as an early warning sign of failing mechanical components~\cite{kvk2019,sh2016,adc2019,e2013}. In a spinning IHSM, an accelerometer mounted at a known radius with its axis pointing radially will measure centrifugal 
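Review bot: The new sentence `A gyroscope would ... directly measure changes in angular velocity` is inaccurate: a rate gyroscope measures angular velocity itself, and braking shows up as a change in that reading; write `would directly measure angular velocity`. The paragraph split also leaves `Modern, fully integrated MEMS accelerometers are very precise` opening a new paragraph right after the gyroscope alternative was introduced, so a reader may wonder why gyroscopes are dropped from here on; a short clause stating that the rest of the section (and the prototype) uses an accelerometer, if that is the case, would make the transition explicit.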
@@ -313,13 +335,11 @@ into all accelerometer axes, even those that are tangential to the rotation. Sec accelerometer close to the axis or we are limited to a small selection of high-$g$ accelerometers mostly used in automotive applications. -To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark: Let us assume that an -IHSM is spinning at $\SI{1000}{rpm}$ and that we wish to detect any attempt to brake it below $\SI{500}{rpm}$. The -difference in centrifugal acceleration that our accelerometer will need to detect then is a factor of -$\frac{\omega_2^2}{\omega_1^2}=4$. If we choose our accelerometer's location to maximize its dynamic range, any -commercial MEMS accelerometer should suffice for this degree of accuracy even over long timespans. For rapid -deceleration, commercial accelerometers will be much more sensitive as effects of long-term drift can be ignored. If we -wish to also detect very slow deceleration, we have to take into account the accelerometer's drift characteristics. +To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark. Let us assume an IHSM +spinning at $\SI{1000}{rpm}$. To detect any attempt to brake it below $\SI{500}{rpm}$, we have to detect a difference in +acceleration of a factor of $\frac{\omega_2^2}{\omega_1^2}=4$. Even should sub-optimal placement compromise dynamic +range, any commercial MEMS accelerometer will provide this degree of accuracy. The only caveat is that to detect very +slow deceleration, we have to take into account the accelerometer's drift characteristics. In Section~\ref{sec_accel_meas} below, we conduct an empirical evaluation of a commercial automotive high-$g$ MEMS accelerometer for braking detection in our prototype IHSM. 
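Review bot: `Even should sub-optimal placement compromise dynamic range, any commercial MEMS accelerometer will provide this degree of accuracy` turns the earlier conditional (`if we choose our accelerometer's location to maximize its dynamic range ... should suffice`) into an unconditional guarantee without new evidence; the supporting measurements only come in Section~\ref{sec_accel_meas}, so hedge it (`should provide`) or forward-reference that section explicitly. The factor of 4 is a ratio of centrifugal accelerations at the two speeds, but the sentence now says `a difference in acceleration of a factor of 4`, which mixes difference and ratio; `a change in centrifugal acceleration by a factor of $\frac{\omega_2^2}{\omega_1^2}=4$` is precise.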
@@ -395,6 +415,14 @@ approach is a 2019 technology demonstration~\cite{signal2019} created by signal. secure messenger app. In this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019} inside Intel SGX to replicate state between geographically redundant enclaves. +Finely-grained monitoring of operational parameters may be capable of recognizing some types of failure such as backup +battery failure, mechanical wear or over/undertemperature conditions some time before alarm levels have been reached and +all secrets must be detstroyed. This type of early warning allows for the implementation of a graceful failover +mechanism. Similar to hot spares in hard disk arrays, a number of IHSMs might share a hot spare IHSM that is running, +but that does not yet contain any secrets. Once an IHSM detects early warning signs of an impending failure, it can then +transfer its secrets to the hot spare using one of the technologies listed in the previous paragraph, then delete their +local copies. This may allow for the graceful handling of device failures due to both age and disasters such as fires. + Excluding natural disasters, there are three main categories of challenges to an IHSM's longevity: Failure of components of the IHSM due to age and wear, failure of the external power supply, and spurious triggering of the intrusion alarm by changes in the IHSM's environment. In the following paragraphs, we will evaluate each of these categories in its 
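Review bot: The hot-spare failover paragraph transfers an IHSM's secrets to another device on an early-warning signal but says nothing about how the receiving IHSM is authenticated; without verifying the spare's identity and intact state before the transfer, a spurious or externally induced early warning becomes a path for secrets to leave the protected device, so the paragraph should state that the transfer only proceeds to an attested spare (the replication technologies in the previous paragraph presumably provide this, and can be cross-referenced). Typos: `detstroyed` should be `destroyed`, `Finely-grained` should be `Fine-grained`, and `then delete their local copies` refers to a single IHSM, so `its local copy`. `over/undertemperature` would read better as `over- or under-temperature`.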
@@ -428,58 +456,42 @@ a built-in battery is undesirable, or if power outages of more than a few second the IHSM is connected to an external UPS or generator), the IHSM's rotor itself can be used as a flywheel for energy storage. -\paragraph{Spurious alarms.} -Even with all components working to their specification, an IHSM could still catastrophically fail if for some reason -its alarm would be spuriously activated due to movement of the device. The likelihood of such an alarm failure must be -minimized, e.g.\ by employing vibration damping. There are several possible causes why an IHSM might move during -normal operation. The IHSM may have to be relocated between datacenters. Other vibrating machinery such as backup -generators or large hard disk storage arrays may conduct vibration through the rack the IHSM is mounted inside and into -the IHSM. People working in the datacenter might bump the IHSM. Vibrations from nearby traffic such as trains may -couple through the ground into the datacenter and into the IHSM. Finally, earthquakes are a common occurrence in some -regions of the world and will couple through any reasonable amount of vibration damping. - -There are two key points to note on vibration damping. First, the instantaneous mechanical power of a vibrating motion -is proportional to the square of its amplitude when fixing frequency and the cube of its frequency when fixing -amplitude. This means that to reach a certain instantaneous acceleration, much more power is needed in a high-frequency -vibrating motion compared to lower frequencies. This observation interacts with our other point that, second, an ideal -vibration damper works better with higher frequencies, and has a lower bound below which it does no longer damp -vibration transmission~\cite{kelly1993,beards1996,dixon2007}. 
From these two observations, it follows that if we wish to -reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal efficiently by damping -high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations large -enough to cause a false alarm. - -To put this into perspective, consider an IHSM running at an angular frequency of $\SI{1000}{rpm}$. If the IHSM's tamper -sensor is mounted at a radius of $\SI{100}{\milli\meter}$ from the axis of rotation, it will measure a constant -acceleration of approximately $\SI{100}{g}$. Let us first compare this in magnitude to the effects of a car crash. -According to literature, accelerations above $\SI{10}{g}$ correspond to the acceleration a car's structural components -experience in a car crash at $\SI{30}{\kilo\meter\per\hour}$ and above~\cite{ika2002,german2007}. As another point of -reference, take the Peak Ground Acceleration (PGA) of a severe earthquake. Even the strongest earthquakes rarely reach a -PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest PGA measured during the 2011 Tohoku earthquake was approximately -$\SI{0.3}{g}$. As they happen across a large geographic area, an earthquake's low-frequency vibrations dissipate a -tremendous amount of mechanical power despite their at first glance low absolute acceleration. However, we can ignore -them for the purposes of our tamper detection system. - -From these comparisons, we can conclude that an IHSM's tamper detection subsystem will be able to clearly distinguish -attempts to stop the IHSM's rotation. Any external acceleration that would come close in order of magnitude to the -operating centrifugal acceleration at the periphery of an IHSM's rotor would likely destroy the IHSM. 
+\paragraph{Spurious alarms due to vibration.} +Beyond the electronic measures mentioned above, IHSMs must employ vibration damping since, during normal operation, they +may receive vibration from outside sources such as backup generators, workers bumping the IHSM and nearby traffic. +Besides such everyday sources, (usually harmless) earthquakes are a common occurrence in some regions of the world. + +For comparison, consider an IHSM running at an angular velcity of $\SI{1000}{rpm}$. A tamper +sensor mounted at a radius of $\SI{100}{\milli\meter}$ will measure a constant centrifugal +acceleration of approximately $\SI{100}{g}$. +Literature on car crashes shows that accelerations above $\SI{10}{g}$ in the car's structural components +correspond to a crash at $\SI{30}{\kilo\meter\per\hour}$ and above~\cite{ika2002,german2007}. Measurements of the Peak +Ground Acceleration (PGA) of severe earthquakes show that even the strongest earthquakes rarely reach a +PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990} with the 2011 Tohoku earthquake at approximately +$\SI{0.3}{g}$. + +Instantaneous acceleration increases linearly with frequency, but likewise simple vibration dampers work better with +higher frequencies~\cite{kelly1993,beards1996,dixon2007}, To reduce the likelihood of false detections, it is enough to +damp high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations +large enough to cause a false alarm. For instance, an earthquake's low-frequency vibrations dissipate a tremendous +amount of mechanical power across a large geographic area, but due to the their absolute instantaneous acceleration, we +can ignore them for the purposes of our tamper detection system. An IHSM's tamper detection subsystem will be able to +clearly distinguish attempts to stop the IHSM's rotation from normal environmental noise. 
Any external acceleration that +would come close in order of magnitude to the operating centrifugal acceleration at the periphery of an IHSM's rotor +would likely destroy the IHSM. \subsection{Transportation} While unintentional acceleration is unlikely to cause false alarms in an IHSM when simple vibration damping is employed, there is an issue when intentionally moving an IHSM: The IHSM's rotor stores significant rotational energy and will respond to tipping with a precession force. This could become an issue when a larger IHSM is transported between e.g.\ -the manufacturer's premises and its destination data center. One solution to this problem is to transport the IHSM -elastically mounted inside a shipping box that is weighted to resist precession forces. To reduce the amount of -precession, the IHSM should be transported with its axis of rotation pointing upwards and its speed of rotation set to -the lower end of the range permitted by the application's security requirements. The IHSM's software could allow for a -temporary ``shipping mode'' to be entered that would slow down the IHSM and increase the tamper sensing accelerometer's -thresholds. - -During shipping, the IHSM will require a continuous power supply. The most practical solution to this challenge is to -ship the IHSM along with a small backup battery. Following our conservative estimate in Section~\ref{sec-power-failure}, -a 48-hour shipping window as offered by many courier shipping services could easily be bridged with the equivalent of -5-10 laptop batteries. In case a built-in battery backup is not necessary in the IHSM's application, these batteries -could be connected as an external device akin to a ``power bank'' that is disconnected and sent back to the IHSM's +the manufacturer's premises and its destination data center. The simple solution to this problem is to transport the IHSM +elastically mounted with its axis pointing upwards inside a heavy shipping box. 
+ +During shipping, the IHSM will require a continuous power supply. Following our conservative estimate in +Section~\ref{sec-power-failure}, 48-hour courier shipping could easily be bridged with the equivalent of 5-10 laptop +batteries. In applications that do not require a backup battery built-in to the IHSM (e.g. due to existing UPS backup), +the IHSM could be shipped connected to an external battery akin to a ``power bank'' that is sent back to the IHSM's manufacturer after the IHSM has been installed. \section{Attacks} 
@@ -490,27 +502,25 @@ above, in this section, we will detail possible ways to attack it. At the core o security mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to perform the same steps they would have to perform to attack a traditional HSM. However, they will either need to perform these attack steps with a tool that follows the HSM's rotation at high speed or they will first need to defeat -the braking sensor. Attacking the IHSM in motion requires specialized mechanical tools such as CNC actuators or for -contactless attack a laser. +the braking sensor. \subsection{Attacks that don't work} In the sections below, we will go into detail on such attacks on IHSMs. To put these attack approaches into perspective, we will start with a brief overview of attacks on conventional HSMs that the IHSM is defended against. -%FIXME \paragraph{...} - -In principle, there are three ways to attack a conventional HSM. The hard way is to find a way to go through the -security mesh without triggering the alarm, e.g.\ by using a probe that is finer than the mesh's structure size. An -attacker willing to invest some effort can also try to uncover the mesh traces buried in plastic to then hot-wire the -mesh, bridging over a part that will subsequently be removed. HSMs attempt to detect such attacks by measuring the mesh -traces' resistance instead of only checking their continuity~\cite{obermaier2019}. However, if an attacker only wishes -to disable a small section of the mesh to insert a handful of fine probes into the device, this hardening approach -becomes challenging. Consider a mesh that covers an area of $\SI{100}{\milli\meter}$ by $\SI{100}{\milli\meter}$. 
An -attacker who short-circuits a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section of this mesh will change the mesh -trace's resistance by approximately -$\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25 \%$. -Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding -temperature stability of the mesh material. + +In principle, there are three ways to attack a conventional HSM. The hard way is to go through the security mesh without +triggering the alarm, e.g.\ with a probe that is finer than the mesh's spacing. For larger probes, an attacker can +laboriously uncover, then bridge the mesh traces to allow part of the mesh to be removed. Some HSMs attempt to detect +such attacks by measuring mesh resistance~\cite{obermaier2019}, but this is limited by the necessary precision. + +% However, if an attacker only wishes to disable a small section of the mesh to insert a handful of fine probes into the +% device, this hardening approach becomes challenging. Consider a mesh that covers an area of $\SI{100}{\milli\meter}$ +% by $\SI{100}{\milli\meter}$. An attacker who short-circuits a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section +% of this mesh will change the mesh trace's resistance by approximately +% $\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25 \%$. +% Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding +% temperature stability of the mesh material. The second way to attack an HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between two halves of an enclosure~\cite{obermaier2019}. This design is vulnerable to attempts to stick a fine needle through 
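Review bot: The new paragraph's closing clause, `but this is limited by the necessary precision`, is now an unquantified claim, because the 5 mm by 5 mm / 100 mm by 100 mm example that justified it survives only as the `%`-commented block at the end of the hunk. Either fold the key number back into the sentence, e.g. `Some HSMs attempt to detect such attacks by measuring mesh resistance~\cite{obermaier2019}, but bridging a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ patch of a $\SI{100}{\milli\meter}$ by $\SI{100}{\milli\meter}$ mesh changes its resistance by only about $0.25\,\%$, at the limit of practical measurement precision.`, or delete the commented-out lines rather than carrying dead text in the source. The "second way" paragraph that follows continues past the end of the hunk.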
@@ -520,9 +530,9 @@ feed-through as potential weak spots. The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An attacker may need to insert several probes or modify the circuit to wiretap the payload processor's secrets, but -depending on its implementation they may be able to disable the mesh alarm circuit with only one or two probes. To +depending on the implementation they may be able to disable the mesh alarm circuit with only one or two probes. To harden a conventional HSM against this type of attack, the mesh monitoring circuit must be carefully designed to avoid -single points of failure as well as any fail-open failure modes. +single points of failure. \subsection{Attacks that work on any HSM} 
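Review bot: The hardening advice in the last changed line now names only `single points of failure`, but the one-or-two-probe attack in the preceding sentence is just as much a fail-open problem: a monitoring circuit that a single probe can hold in its "no alarm" state fails open even if no single component is a single point of failure. Suggest `single points of failure and fail-open failure modes.`, or a short clause stating that the alarm path should fail closed when tampered with.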
@@ -541,10 +551,15 @@ IHSMs do not provide an inherent benefit against such contactless attacks. Howev play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using simpler technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and are less space-constrained. This larger volume allows for a greater physical distance between security-critical components and -places accessible to an attacker using an electromagnetic probe for EM sidechannel attacks. By allowing the use of -conventional server hardware, IHSMs additionally enable the use of modern security techniques such as MMUs and -well-audited open source software such as OpenSSL both of which may not be available on the smaller embedded processors -found in conventional HSMs. +places accessible to an attacker using an electromagnetic probe for EM sidechannel attacks. + +Another attack that is possible against all types of HSMs are software attacks. Flaws in an HSM's software such as +memory safety errors in its external-facing APIs can lead to a full compromise of the HSM's secrets~\cite{ledger2019}. +Like a traditional HSM, an IHSM has to expose some API to the outside world to be useful. For both, the hardening +techniques are the same as in any other networked system and include the reduction of attack surface e.g. through +firewalling, fuzz testing and formal verification. In IHSMs these mitigations are easier to implement since they allow +the use of conventional server hardware and well-audited open source software, instead of hard-to-audit proprietary code +on an embedded platform. \subsection{The Swivel Chair Attack} \label{sec_swivel_chair_attack} 
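Review bot: `Another attack that is possible against all types of HSMs are software attacks` in the added paragraph has a subject–verb mismatch; `Software attacks are another class of attack that applies to all types of HSMs.` reads cleanly. In the same paragraph, fuzz testing and formal verification are listed as examples of attack-surface reduction, which they are not; `include attack surface reduction (e.g.\ through firewalling) as well as fuzz testing and formal verification of the exposed API` keeps the three mitigations distinct. The bare `e.g. through` should also be written `e.g.\ through`, as the file does elsewhere, to avoid LaTeX's sentence spacing after the period.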
@@ -575,43 +590,35 @@ kind of mechanical tool. \label{fig_attack_robot} \end{figure} -Figure~\ref{fig_attack_robot} shows a schematic overview of the structure of such a rotating attack tool. -A first point to note is that the tool itself has to rotate at the IHSM's speed. -If we were to counter-rotate the IHSM such that relative to a stationary observer the rotor would be slowed -down, the accelerometer on the rotor would measure lower centrifugal acceleration and detect the manipulation attempt. -To follow an IHSM's rotation closely enough that a manipulator mounted on the attack tool is stationary w.r.t.\ the IHSM -is hard. Let us assume a small IHSM mesh with radius $r=\SI{100}{\milli\meter}$. -To keep a manipulator stationary within a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ window over a period of -$\SI{10}{\second}$ requires attack tool and IHSM speeds to be matched to an accuracy better than +Figure~\ref{fig_attack_robot} shows a schematic overview of the structure of such a rotating attack tool. The tool +itself has to rotate at the IHSM's speed because counter-rotating the IHSM instead, the accelerometer on the rotor would +measure lower centrifugal acceleration and detect the manipulation attempt. Following the IHSM's rotation closely +enough to allow for remote-controlled manipulation of the IHSM is hard. Let us assume a small IHSM mesh with radius +$r=\SI{100}{\milli\meter}$. To keep a manipulator stationary within a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ +window over a period of $\SI{10}{\second}$ requires attack tool and IHSM speeds to be matched to an accuracy better than $\frac{\SI{5}{\milli\meter}}{\SI{10}{\second}} \cdot \frac{1}{2\pi r} = \SI{8.0}{\milli\hertz} = \SI{0.048}{rpm}$. Relative to a realistic IHSM's speed of $\SI{1000}{rpm}$ this corresponds to approximately $\SI{50}{ppm}$. 
Achieving -this accuracy would likely require active servo control of the attack tool's rotation that is locked by optically -tracking of the IHSM's rotor. - -If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a -remote-controlled manipulator that can be mounted on the attack tool's rotating stage that is able to disable the IHSM's -mesh. -To complicate matters, the attacker will not succeed by simply drilling a small undetected hole into the mesh. -While both mesh and attack tool are spinning, the payload is stationary. -The attacker thus has to create an opening in the mesh large enough that the attacker can insert a second set of -\emph{stationary} probes to contact the payload. -In conclusion, we estimate that creating a rotating, remote-controllable manipulator that can be used to successfully -attack a security mesh is infeasible given the degree of manual skill necessary even for normal soldering work. +this accuracy would likely require active servo control of the attack tool's rotation. + +If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a manipulator +tolerant to high g forces that is able to disable the IHSM's mesh. Simply drilling a small hole is not enough in this +case since the payload is stationary. Instead, using the rotating manipulator, the attacker has to create an opening in +the mesh large enough to place a \emph{stationary} probe on the payload. We estimate that creating a rotating, +remote-controllable manipulator that can be used to successfully attack a security mesh is infeasible given the degree +of manual skill necessary even for normal soldering work. \subsection{Mechanical weak spots} As we elaborated in the previous paragraphs, we consider a fast-moving mesh to offer a strong tamper detection -capability. This evaluation is based on the notion that the security mesh is moving too fast to tamper. 
However, -depending on the type of motion used, the mesh's actual speed may vary by location and over time. Our example -configuration of a rotating mesh can keep moving continuously, so it does not have any time-dependent weak spots. It -does, however, have a weak spot along its axis of rotation, at the point where the shaft penetrates the mesh. The mesh's -tangential velocity decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as -probes into the device through the opening it creates. This issue is related to the issue conventional HSMs also face -with their power and data connections. In conventional HSMs, power and data are routed into the enclosure through the -PCB or flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. In conventional HSMs, this -interface rarely is a mechanical weak spot since they use a thin mesh substrate and create a meandering path by folding -the interconnect substrate/security mesh layers several times. In inertial HSMs, careful engineering is necessary to -achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity. +capability. However, depending on the type of motion used, the mesh's actual speed may vary by location and over time. +Our example configuration of a rotating mesh moves continuously and does not have any time-dependent weak spots. It +does, however, have a weak spot where the shaft penetrates the mesh at the axis. The mesh's tangential velocity +decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as probes into the device +through the opening it creates. Conventional HSMs also have to take precautions to protect their power and data +connections, such as flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. As a result of +these precautions, in conventional HSMs this interface rarely is a mechanical weak spot. 
In inertial HSMs, careful +engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with +increasing complexity. \begin{figure} \begin{subfigure}[t]{0.3\textwidth} 
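Review bot: In the first changed paragraph, `because counter-rotating the IHSM instead, the accelerometer on the rotor would measure lower centrifugal acceleration` is a dangling construction that leaves the reader to work out who counter-rotates what. Suggest `because if the IHSM itself were counter-rotated instead, the accelerometer on the rotor would measure lower centrifugal acceleration and detect the manipulation attempt.` The figure environment preceding this text begins before the hunk, and the one after it runs past the hunk's end.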
@@ -644,27 +651,25 @@ achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft in To disable the mesh itself, an attacker can choose two paths. One is to attack the mesh itself, for example by bridging its traces. The other option is to tamper with the monitoring circuit to prevent a damaged mesh from triggering an -alarm~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e.\ they require electrical contact to -parts of the circuit. Traditionally, this contact is made by soldering a wire or by placing a probe such as a thin -needle. We consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack -avenues may be to rotate an attack tool in sync with the mesh or to use a laser or ion beam fired at the mesh to cut -traces or carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting -compound and shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the -complexity of such attacks. +alarm~\cite{dexter2015}. Attacks in both locations require electrical contact to parts of the circuit. Traditionally, +this is done by soldering a wire or by placing a probe. We consider this type of attack hard to perform on an object +spinning at high speed. Possible remaining attack avenues may be to rotate an attack tool in sync with the mesh or to +use a laser or ion beam fired at the mesh to cut traces or carbonize parts of the substrate to create electrical +connections. Encapsulating the mesh in a potting compound and shielding it with a metal enclosure as is common in +traditional HSMs will significantly increase the complexity of such attacks. \subsection{Attacks on the rotation sensor} Instead of attacking the mesh in motion, an attacker may also try to first stop the rotor. To succeed, they would need to falsify the rotor's MEMS accelerometer measurements. 
We can disregard electronic attacks on the sensor or the monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be -physical attacks of the accelerometer's sensing mechanism. -MEMS accelerometers usually use a cantilever design in which a proof mass moves a cantilever whose precise position is -measured electronically. A topic of recent academic interest has been acoustic attacks tampering with these -mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings. A -possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the -device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the -mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the -security envelope and by varying the rate of rotation over time. +physical attacks of the accelerometer's sensing mechanism. In a MEMS accelerometer, a proof mass moves a cantilever +whose precise position is measured electronically. A topic of recent academic interest has been acoustic attacks +tampering with these mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify +sensor readings. A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation +synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the +MEMS, locking the mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded +location inside the security envelope and by varying the rate of rotation over time. \subsection{Attacks on the alarm circuit} 
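Review bot: `In a MEMS accelerometer, a proof mass moves a cantilever whose precise position is measured electronically` presents the cantilever design as universal, whereas the wording it replaces hedged with "usually", and other MEMS suspension designs exist. Since the glue-locking attack described afterwards does not depend on the specific structure, `In a typical MEMS accelerometer, a spring-suspended proof mass is displaced and its precise position is measured electronically` keeps the claim accurate without weakening the argument. The `\subsection{Attacks on the alarm circuit}` that follows continues outside the hunk.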
@@ -691,13 +696,13 @@ of attack, the HSM must be engineered to be either tough or brittle: Tough enoug will reliably withstand any attack for long enough to carry out its function or brittle in a way that during any attack, the payload is reliably destroyed before the tamper response circuitry. -\section{Proof of Concept Prototype implementation} +\section{Proof-of-concept Prototype implementation} \label{sec_proto} As we elaborated above, the mechanical component of an IHSM significantly increases the complexity of any attack even when implemented using only common, off-the-shelf parts. In view of this amplification of design security, we have -decided to validate our theoretical studies by implementing a proof of concept prototype IHSM -(Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof of concept prototype +decided to validate our theoretical studies by implementing a proof-of-concept prototype IHSM +(Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof-of-concept prototype were: \begin{enumerate} 
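Review bot: The new title `\section{Proof-of-concept Prototype implementation}` mixes capitalisation styles, with "Prototype" capitalised and "implementation" not. The other section title visible in this diff, `\section{Using MEMS accelerometers for braking detection}`, uses sentence case, so `\section{Proof-of-concept prototype implementation}` would be consistent with it. The `\begin{enumerate}` at the end of the hunk is closed outside it.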
@@ -711,31 +716,31 @@ We will outline our findings on these challenges one by one in the following par \subsection{Mechanical design} -We sized our proof of concept prototype to have sufficient payload space for up to two full-size Raspberry Pi boards to +We sized our proof-of-concept prototype to have sufficient payload space for a Raspberry Pi single-board computer to approximate a traditional HSM's processing capabilities. We use printed circuit boards as the main structural material for the rotating part, and 2020 aluminium extrusion for its mounting frame. Figure~\ref{fig_proto_mesh} shows the -rotor's mechanical PCB designs. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already -sufficiently narrow to pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our -prototype incorporates a functional PCB security mesh. As we observed previously, this mesh only needs to cover every -part of the system once per revolution, so we designed the longitudinal PCBs as narrow strips to save weight. +rotor's mechanical PCB designs. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is sufficiently +narrow to pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our prototype +incorporates a functional PCB security mesh. As we observed previously, this mesh only needs to cover every part of the +system once per revolution, so we designed the longitudinal PCBs as narrow strips to save weight. \subsection{PCB security mesh generation} -% FIXME censor link in peer-review version! Our proof-of-concept security mesh covers a total of five interlocking mesh PCBs (Figure~\ref{mesh_gen_sample}). A sixth PCB contains the monitoring circuit and connects to these mesh PCBs. 
To speed up design iterations, we automated the generation of this security mesh through a plugin for the KiCAD EDA -suite\footnote{\censorIfSubmission{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}}. Figure~\ref{mesh_gen_viz} visualizes the mesh -generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a randomized tree -covering the grid. Finally, individual mesh traces are traced according to a depth-first search through this tree. -We consider the quality of the plugin's output sufficient for practical applications. Together with FreeCAD's KiCAD -StepUp plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB files. +suite\footnote{\censorIfSubmission{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}}. Figure~\ref{mesh_gen_viz} +visualizes the mesh generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a +randomized tree covering the grid. Finally, individual mesh traces are traced according to a depth-first search through +this tree. We consider the quality of the plugin's output sufficient for practical applications. Together with +FreeCAD's KiCAD StepUp plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB +files. \begin{figure} \begin{subfigure}{0.35\textwidth} \center \includegraphics[height=7cm]{proto_3d_design.jpg} - \caption{The 3D CAD design of the proof of concept prototype.} + \caption{The 3D CAD design of the proof-of-concept prototype.} \end{subfigure} \hfill \begin{subfigure}{0.6\textwidth} 
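Review bot: The payload sizing in the first changed line, `sufficient payload space for a Raspberry Pi single-board computer`, disagrees with the limitations paragraph this same commit adds in the hunk headed `@@ -852,13 +857,31 @@`, which says the payload volume `can house one or two Raspberry Pi single-board computers`. Pick one figure and use it in both places, e.g. `sufficient payload space for up to two Raspberry Pi single-board computers`. The figure environment at the end of this hunk is closed outside it.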
@@ -743,7 +748,7 @@ StepUp plugin, this results in an efficient toolchain from mechanical CAD design \center \caption{Assembled mechanical prototype rotor (left) and stator (right) PCB components.} \end{subfigure} - \caption{Our proof of concept prototype IHSM's PCB security mesh design} + \caption{Our proof-of-concept prototype IHSM's PCB security mesh design} \label{fig_proto_mesh} \end{figure} 
@@ -852,13 +857,31 @@ mechanical design vibrated at higher speeds but despite these unintended vibrati excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link and the data links continued to function without issue. +By design, our prototype is not yet a production-ready solution. Its main limitation is the small payload volume that +can house one or two Raspberry Pi single-board computers, but does not allow for more powerful hardware such as a +contemporary server mainboard. Being constructed without access to a proper mechanical workshop, its imprecise +construction leads to vibration at high speeds. Its optical communication links in breadboard construction function and +need to be translated into manufacturable PCBs, and its security mesh has to be optimized for security. Finally, a motor +driver solution needs to be selected that allows for direct digital control of motor speed. Overall, the prototype +soundly demonstrated the viability of the IHSM concept and we are confident that all of these limitations can be +conclusively solved in a next version that might be a ``beta'' version of a practical IHSM, built in a mechanical +workshop. + \section{Using MEMS accelerometers for braking detection} \label{sec_accel_meas} -Using the proof of concept prototype from the previous section, we performed an evaluation of an \partnum{AIS1120} -commercial automotive MEMS accelerometer as a braking sensor. The device is mounted inside our prototype at a radius of -$\SI{55}{\milli\meter}$ from the axis of rotation to the center of the device's package. The \partnum{AIS1120} provides -a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$. 
+In our proof-of-concept prototype, for braking detection we chose an accelerometer placed on the circumference of our +prototype's rotor for two reasons: First, it avoids the likley issue of high centrifugal acceleration falsifying +gyroscope measurements. Second, by orienting one axis of the accelerometer radially, we can avoid exceeding the +accelerometer's range even when rapidly accelerating or decelerating. Rapid angular acceleration or deceleration +produces high tangential linear acceleration or deceleration in our sensor, but the radially-oriented axis of the +accelerometer only experiences an amount of centrifugal acceleration that is bounded by the rotor's momentary angular +velocity and never exceeds the device's specified operating conditions. + +Using our prototype, we performed an evaluation of an \partnum{AIS1120} commercial automotive MEMS accelerometer as a +braking sensor. The device is mounted inside our prototype at a radius of $\SI{55}{\milli\meter}$ from the axis of +rotation to the center of the device's package. The \partnum{AIS1120} provides a measurement range of $\pm 120\,g$. At +its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$. Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually control this motor controller through an RC servo tester. In our experiments, we externally measured the device's speed 
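Review bot: `likley` in the first added paragraph after the section heading is a typo for `likely`. In the limitations paragraph, `Being constructed without access to a proper mechanical workshop, its imprecise construction leads to vibration` has a dangling modifier (the construction was not constructed); `Because it was built without access to a proper mechanical workshop, its imprecise construction leads to vibration at high speeds.` fixes it. Likewise `its security mesh has to be optimized for security` is circular; `its security mesh layout has not yet been optimized` states the limitation without restating the goal. The paragraph on the motor controller at the end of the hunk continues outside it.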
@@ -909,19 +932,19 @@ accelerometer's intrinsic errors as well as error in its placement due to constr \caption{Traces of acceleration measurements during one experiment run.} \end{figure} -The accelerometer's primary intrinsic errors are offset error and scale error. Offset error is a fixed additive offset -to all measurements. Scale error is an error proportional to a measurements value that results from a deviation between -the device's specified and actual sensitivity. We correct for both errors by first extracting all stable intervals from -the time series, then fitting a linear function to the measured data. Offset error is this linear function's intercept, -and scale error is its slope. We then apply this correction to all captured data before plotting and later analysis. -Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of -the device's offset remaining. At high speeds of rotation, this remaining offset does not have an appreciable impact, -but due to the quadratic nature of centrifugal acceleration, at low speeds it causes a large relative error of up to +The accelerometer has two main intrinsic errors. Offset error is a fixed additive offset to all measurements. Scale +error is an error proportional to a measurements value that results from a deviation between the device's specified and +actual sensitivity. We correct for both errors by first extracting all stable intervals from the time series, then +fitting a linear function to the measured data. Offset error is this linear function's intercept, and scale error is its +slope. We then apply this correction to all captured data before plotting and later analysis. Despite its simplicity, +this approach already leads to a good match of measurements and theory modulo a small part of the device's offset +remaining. 
At high speeds of rotation, this remaining offset does not have an appreciable impact, but due to the +quadratic nature of centrifugal acceleration, at low speeds it causes a large relative error of up to $\SI{10}{\percent}$ at $\SI{95}{rpm}$. After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data. Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity -since we tested our proof of concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that +since we tested our proof-of-concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that this harmonic content is a clean intermodulation product of the accelerometer's sample rate and the speed of rotation with no other visible artifacts. @@ -936,10 +959,9 @@ the fly, without stopping the rotor. \center \includegraphics[width=0.7\textwidth]{../prototype/sensor-analysis/fig-acc-theory-meas-run50.pdf} \caption{Centrifugal acceleration versus angular frequency in theory and in our experiments. Experimental - measurements are shown after correction for device-specific offset and scale error. Our measurements - showed good agreement with our theoretical results. Above \SI{300}{rpm}, the relative acceleration error was consistently - below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error that remains after our first-order - corrections has a strong impact ($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$.)} + measurements are shown after correction for offset and scale error. Above \SI{300}{rpm}, the relative error is + below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error has a strong impact ($0.05\,g$ absolute + or $8\%$ relative at $\SI{95}{rpm}$.)} \label{fig-acc-theory} \end{figure} 
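Review bot: The residual-error figure in the last changed line of this hunk, `a large relative error of up to $\SI{10}{\percent}$ at $\SI{95}{rpm}$`, disagrees with the caption rewritten in the next hunk (`@@ -936,10 +959,9 @@`), which gives `$8\%$ relative at $\SI{95}{rpm}$` for the same condition; one of the two should be corrected against the measurement data and the other updated to match. Separately, `proportional to a measurements value` in the added text needs a possessive: `proportional to a measurement's value`.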
@@ -949,7 +971,7 @@ the fly, without stopping the rotor. In this paper, we introduced Inertial Hardware Security Modules (IHSMs), a novel concept for the construction of advanced hardware security modules from simple components. We analyzed the concept for its security properties and highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design -by creating a proof of concept hardware prototype. In this prototype, we have demonstrated practical solutions to the +by creating a proof-of-concept hardware prototype. In this prototype, we have demonstrated practical solutions to the major electronics design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation. We have used our prototype to perform several experiments to validate the rotary power and data links and the onboard accelerometer. Our measurements have shown that our proof-of-concept solar cell power link works well and that our -- cgit