From a13fd9f969e7adf4b3ab874556f642da2b2972fb Mon Sep 17 00:00:00 2001 From: jaseg Date: Fri, 9 Jul 2021 17:33:47 +0200 Subject: More detail on attacks, future work --- paper/attack-robot.pdf | Bin 0 -> 6266 bytes paper/attack-robot.svg | 463 +++++++++++++++++++++++++++++++++++++++++++++++++ paper/ihsm_paper.tex | 94 ++++++++-- 3 files changed, 542 insertions(+), 15 deletions(-) create mode 100644 paper/attack-robot.pdf create mode 100644 paper/attack-robot.svg diff --git a/paper/attack-robot.pdf b/paper/attack-robot.pdf new file mode 100644 index 0000000..543fe66 Binary files /dev/null and b/paper/attack-robot.pdf differ diff --git a/paper/attack-robot.svg b/paper/attack-robot.svg new file mode 100644 index 0000000..a491edd --- /dev/null +++ b/paper/attack-robot.svg @@ -0,0 +1,463 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + 2 + + + + 3 + + + + 4 + + + + 7 + + + + 6 + + + + 5 + + + diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex index 6b6109f..e426306 100644 --- a/paper/ihsm_paper.tex +++ b/paper/ihsm_paper.tex @@ -488,19 +488,44 @@ In the sections below, we will go into detail on such attacks on IHSMs. To put t we will start with a brief overview on attacks on conventional HSMs that the IHSM is defended against. %FIXME \paragraph{...} -\subsection{Contactless probing of the payload} - -Irrespective of the HSM's technology (conventional or IHSM), there are some types of attack bypassing the HSM's security -mesh that in principle cannot be prevented. One such type are contactless attacks such as electromagnetic (EM) -sidechannel attacks, but attacks through the HSM's application interface such as Ethernet also follow this theme. While -IHSMs allow for the use of off-the-shelf server hardware as their payload, the combination of payload hardware and the -software running on top of this hardware still has to be evaluated for fitness in this particular application. EM -sidechannel attacks can be mitigated by shielding and by designing the IHSM's payload such that critical components such -as CPUs are physically distant to the security mesh, preventing EM probes from being brought close. Conducted EMI -sidechannels that could be used for power analysis can be mitigated by placing filters on the inside of the security -mesh at the point where the power and network connections penetrate the mesh. Attacks through the network interface must -be prevented as in any other networked system by only exposing the minimum necessary amount of API surface to the -outside world, and by carefully vetting this remaining attack surface. +In principle, there are three ways to attack a conventional HSM. The hard way is to find a way to go through the +security mesh without triggering the alarm, e.g.\ by using a probe that is finer than the mesh's structure size. An +attacker willing to invest some effort can also try to uncover the mesh traces buried in plastic to then hot-wire the +mesh, bridging over a part that will subsequently be removed. HSMs attempt to detect such attacks by measuring the mesh +traces' resistance instead of only checking their continuity~\cite{obermaier2019}. However, if an attacker only wishes +to disable a small section of the mesh to insert a handful of fine probes into the device, this hardening approach +becomes challenging. Consider a mesh is covering an area of $\SI{100}{\milli\meter}$ by $\SI{100}{\milli\meter}$. An +attacker who circumvents a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section of this mesh using wires with a low +resistance will change the mesh trace's resistance by approximately +$\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25 +\%$. Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and +corresponding temperature stability of the mesh material. + +The second way to attack a HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between +two mesh-equipped enclosure halves. This design in particular is vulnerable to attempts to stick a fine needle through +the interface between mesh lid and PCB. Conventional HSMs mitigate this weak spot by wrapping a patterned conductive +foil that forms the security mesh around the HSM, leaving only the foil's corners and the payload's power and data +feed-through as potential weak spots. + +The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An +attacker may need to insert several probes to wiretap the payload processor's secrets, but depending on its +implementation they may be able to disable the mesh alarm circuit with only one. To harden a conventional HSM against +this type of attack, the mesh monitoring circuit must be carefully designed to avoid single points of failure as well as +any fail-open failure modes. + +\subsection{Attacks that work on any HSM} + +While an IHSM provides an effective mitigation against direct attacks on the security mesh as described in the previous +paragraphs, certain attacks are generic against any HSM technology, conventional or IHSM. One type of such attacks are +contactless attacks such as electromagnetic (EM) sidechannel attacks. EM sidechannel attacks can be mitigated by +shielding and by designing the IHSM's payload such that critical components such as CPUs are physically distant to the +security mesh, preventing EM probes from being brought close. Conducted EMI sidechannels that could be used for power +analysis can be mitigated by placing filters on the inside of the security mesh at the point where the power and network +connections penetrate the +mesh~\cite{anderson2020}. +Finally, the API between the HSM's payload and the outside world provides attack surface. Attacks through the network +interface must be prevented as in any other networked system by only exposing the minimum necessary amount of API +surface to the outside world, and by carefully vetting this remaining attack surface~\cite{anderson2020}. \subsection{The Swivel Chair Attack} \label{sec_swivel_chair_attack} @@ -520,6 +545,41 @@ acceleration is $a=\omega^2 r$. In our example this results in a minimum angular $\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some kind of mechanical tool. +\begin{figure} + \center + \includegraphics[width=6cm]{attack-robot.pdf} + \caption{Schematic overview of a robotic rotating-stage attack. An optical sensor (1) observes the IHSM's rotation + and adjusts the setpoint of a servo motor (2) that rotates the attack stage (3). On the rotating attack stage, a + remote controlled manipulator (4) is mounted that deactivates the security mesh (7) and creates an opening (5). + Through this opening, a human operator can then insert tools such as probes to read out sensitive information from + the actual payload (6).} + \label{fig_attack_robot} +\end{figure} + + +While it is certainly possible to create a mechanical tool to attack an IHSM in motion, we also consider this attack +method reasonably remote. Figure~\ref{fig_attack_robot} shows a schematic overview of what such an attack tool would +have to look like. Most fundamentally, the tool itself has to rotate at the IHSM's speed, and cannot simply rotate the +IHSM. If the tool were to counter-rotate the IHSM such that relative to a stationary observer the rotor would be slowed +down, the accelerometer on the rotor would measure lower centrifugal acceleration and detect this attempt. Instead, the +attack tool has to follow the rotation of the IHSM. At the high speeds an IHSM would be rotating at, following the +rotation closely enough that a manipulator mounted on the attack tool is stationary w.r.t.\ the IHSM is not easy. To +stay within $\pm\SI{5}{\milli\meter}$ of a target over a period of $\SI{10}{\second}$ on an IHSM mesh with radius +$r=\SI{100}{\milli\meter}$ requires both speeds to be matched to better than +$\frac{\SI{5}{\milli\meter}}{\SI{10}{\second}} \cdot \frac{1}{2\pi r} = \SI{8.0}{\milli\hertz} = \SI{0.048}{rpm}$. +Relative to a realsistic IHSM's speed of $\SI{1000}{rpm}$ this corresponds to approximately $\SI{50}{ppm}$. Active servo +control of the attack tool's rotation locked against optical tracking of the IHSM's rotor would likely be the most +realistic option to achieve this precision. This strict accuracy requirement leads to a complex attack setup. + +If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a +remote-controlled manipulator that can be mounted on the attack tool's rotating stage and that is able to actually +disable the IHSM's mesh. Consider that simply bypassing the mesh e.g. by drilling an undetected hole does not gain an +attacker much in this scenario, as the payload is stationary and an attack tool rotating at $\SI{1000}{rpm}$ is useless +against it. Instead, the attacker would have to disable the mesh using the rotating tool, in order to then cut an +opening into it through which they could insert a stationary tool to attack the payload with. Given the degree of manual +skill necessary even for normal soldering work, we estimate that creating a remote-controllable manipulator that can be +used to successfully attack a security mesh is infeasible. + \subsection{Mechanical weak spots} The tamper defense of an IHSM rests on the security mesh moving too fast to tamper. Depending on the type of motion @@ -864,12 +924,16 @@ allow the construction of devices secure against a wide range of practical attac specialized tools. The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with traditional HSMs. Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful computing hardware inside the HSM. We hope that this simple construction will stimulate academic research into (more) -secure hardware. +secure hardware. We have published all design artifacts of our PoC online, see Appendix~\ref{sec_repo}. The next steps +towards a practical application of our design will be to design a manufacturable stator/rotor interface with inductive +power and data transfer integrated into the motor's magnetics and a custom motor driver tuned for the application that +is able to precisely measure both angular velocity and winding current for an added degree of tamper detection. \printbibliography[heading=bibintoc] \appendix -\section{Source code and Design artifacts} +\section{Source code and design artifacts} +\label{sec_repo} During our research on this paper, we have created a number of digital design artifacts including a 3D mechanical CAD model of our prototype IHSM, schematics and PCB layouts for all of its PCBs including the prototype security mesh -- cgit