From beac9fa44104806625abf055f8b651f019274504 Mon Sep 17 00:00:00 2001 From: jaseg Date: Thu, 8 Apr 2021 14:14:44 +0200 Subject: Rename files rotohsm -> ihsm --- paper/Makefile | 8 +- paper/ihsm.bib | 258 +++++++++++++++ paper/ihsm_paper.tex | 755 ++++++++++++++++++++++++++++++++++++++++++ paper/ihsm_tech_report.tex | 300 +++++++++++++++++ paper/rotohsm.bib | 258 --------------- paper/rotohsm_paper.tex | 755 ------------------------------------------ paper/rotohsm_tech_report.tex | 300 ----------------- 7 files changed, 1317 insertions(+), 1317 deletions(-) create mode 100644 paper/ihsm.bib create mode 100644 paper/ihsm_paper.tex create mode 100644 paper/ihsm_tech_report.tex delete mode 100644 paper/rotohsm.bib delete mode 100644 paper/rotohsm_paper.tex delete mode 100644 paper/rotohsm_tech_report.tex diff --git a/paper/Makefile b/paper/Makefile index 8a4bc75..1118e71 100644 --- a/paper/Makefile +++ b/paper/Makefile @@ -8,19 +8,19 @@ SHELL := bash MAKEFLAGS += --warn-undefined-variables MAKEFLAGS += --no-builtin-rules -main_tex ?= rotohsm_paper -brief_tex ?= rotohsm_tech_report +main_tex ?= ihsm_paper +brief_tex ?= ihsm_tech_report VERSION_STRING := $(shell git describe --tags --long --dirty) all: ${main_tex}.pdf ${brief_tex}.pdf -%.pdf: %.tex rotohsm.bib version.tex +%.pdf: %.tex ihsm.bib version.tex pdflatex -shell-escape $< biber $* pdflatex -shell-escape $< -version.tex: ${main_tex}.tex ${brief_tex}.tex rotohsm.bib +version.tex: ${main_tex}.tex ${brief_tex}.tex ihsm.bib echo "${VERSION_STRING}" > $@ resources/%.pdf: $(LAB_PATH)/%.ipynb diff --git a/paper/ihsm.bib b/paper/ihsm.bib new file mode 100644 index 0000000..2817088 --- /dev/null +++ b/paper/ihsm.bib @@ -0,0 +1,258 @@ +% Encoding: UTF-8 +@comment{x-kbibtex-encoding=utf-8} + +@Book{anderson2020, + author = {Ross Anderson}, + date = {2020-09-16}, + title = {Security Engineering}, + isbn = {978-1-119-64281-7}, +} + +@techreport{gs21, + author = {{\censorIfSubmission{Jan Sebastian Götte and Björn Scheuermann}}}, + date = {2021-01-14}, + institution = {{\censorIfSubmission{Alexander von Humboldt Institut für Internet und Gesellschaft}}}, + title = {Tech Report: Inerial HSMs Thwart Advanced Physical Attacks}, + url = {https://eprint.iacr.org/2021/055}, + urldate = {2021-04-13} +} + +@techreport{smith1998, + author = {Sean Smith and Steve Weingart}, + date = {1998-02-19}, + institution = {IBM T.J. Watson Research Center}, + title = {Building a High-Performance, Programmable Secure Coprocessor}, + url = {ftp://www6.software.ibm.com/software/cryptocards/rc21102.pdf}, + urldate = {2020-09-16} +} + +@article{immler2019, + author = {Vincent Immler and Johannes Obermaier and Kuan Kuan Ng and Fei Xiang Ke and Jin Yu Lee and Yak Peng Lim and Wei Koon Oh and Keng Hoong Wee and Georg Sigl}, + date = {2019}, + doi = {10.13154/tches.v2019.i1.51-96}, + issn = {2569-2925}, + journal = {IACR transactions on cryptographic hardware and embedded systems.}, + journaltitle = {IACR Transactions on Cryptographic Hardware and Embedded Systems}, + publisher = {IACR}, + title = {Secure Physical Enclosures from Covers with Tamper-Resistance}, + url = {https://tches.iacr.org/index.php/TCHES/article/view/7334/6506}, + urldate = {2020-09-16} +} + +@article{obermaier2018, + author = {Johannes Obermaier and Vincent Immler}, + date = {2018}, + doi = {10.1007/s41635-018-0045-2}, + issn = {2509-3428}, + journaltitle = {Journal of Hardware and Systems Security}, + pages = {289–296}, + title = {The Past, Present, and Future of Physical Security Enclosures: From Battery-Backed Monitoring to PUF-Based Inherent Security and Beyond}, + volume = {2}, + year = {2018} +} + +@article{tobisch2020, + author = {Johannes Tobisch and Christian Zenger and Christof Paar}, + date = {2020-03-13}, + journaltitle = {TRUDEVICE 2020: 9th Workshop on Trustworthy Manufacturing and Utilization of Secure Devices}, + title = {Electromagnetic Enclosure PUF for Tamper Proofing Commodity Hardware and otherApplications}, + url = {https://www.emsec.ruhr-uni-bochum.de/media/crypto/veroeffentlichungen/2020/05/13/trudevice_submission_enclosure_puf.pdf}, + urldate = {2020-09-17} +} + +@article{kreft2012, + author = {Heinz Kreft and Wael Adi}, + date = {2012}, + doi = {10.1109/ahs.2012.6268655}, + journaltitle = {2012 NASA/ESA Conference on Adaptive Hardware and Systems (AHS)}, + title = {Cocoon-PUF, a novel mechatronic secure element technology}, + year = {2012} +} + +@Patent{rahman1988, + author = {Mujib Rahman}, + date = {1988-03-10}, + number = {US Patent US4859024A}, + title = {Optical fiber cable with tampering detecting means}, +} + +@www{haines2006, + author = {Lester Haines}, + date = {2006-09-25}, + editor = {The Register}, + title = {US outfit patents 'invisible' UAV: Stealth through persistence of vision}, + url = {https://www.theregister.com/2006/09/25/phantom_sentinel/}, + urldate = {2020-09-17} +} + +@article{frazelle2019, + author = {Jessie Frazelle}, + date = {2019-12-01}, + doi = {10.1145/3380774.3382016}, + journaltitle = {ACM Queue}, + title = {Securing the Boot Process: The hardware root of trust}, + url = {https://dl.acm.org/doi/fullHtml/10.1145/3380774.3382016}, + urldate = {2020-10-22} +} + +@Article{albartus2020, + author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar}, + date = {2020}, + title = {{DANA} Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering}, + doi = {10.13154/tches.v2020.i4.309-336}, + number = {4}, + pages = {309–336}, + volume = {2020}, + bibsource = {dblp computer science bibliography, https://dblp.org}, + biburl = {https://dblp.org/rec/journals/tches/AlbartusHTAP20.bib}, + journal = {{IACR} Transactions on Cryptographic Hardware and Embedded Systems}, + year = {2020}, +} + +@InProceedings{trippel2017, + author = {Timothy Trippel and Ofir Weisse and Wenyuan Xu and Peter Honeyman and Kevin Fu}, + booktitle = {2017 IEEE European symposium on security and privacy}, + title = {WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks}, + organization = {IEEE}, + pages = {3–18}, + x-fetchedfrom = {Google Scholar}, + year = {2017}, +} + +@WWW{heise2020t2jailbreak, + author = {Leo Becker}, + date = {2020-03-11}, + title = {Jailbreaker nehmen T2-Sicherheitschip von Macs ins Visier}, + url = {https://www.heise.de/mac-and-i/meldung/Jailbreaker-nehmen-T2-Sicherheitschip-von-Macs-ins-Visier-4681131.html}, + organization = {Heise Online}, + publisher = {Heise Online}, +} + +@article{kim2018, + author = {Seung Hyun Kim and Su Chang Lim and others}, + journal = {Annals of Nuclear Energy}, + pages = {845–855}, + publisher = {Elsevier}, + title = {Intelligent intrusion detection system featuring a virtual fence, active intruder detection, classification, tracking, and action recognition}, + volume = {112}, + x-fetchedfrom = {Google Scholar}, + year = {2018} +} + +@Conference{johnson2018, + author = {Scott Johnson and Dominic Rizzo and Parthasarathy Ranganathan and Jon McCune and Richard Ho}, + booktitle = {Hot Chips: A Symposium on High Performance Chips}, + date = {2018}, + title = {Titan: enabling a transparent silicon root of trust for Cloud}, + url = {https://www.hotchips.org/hc30/1conf/1.14_Google_Titan_GoogleFinalTitanHotChips2018.pdf}, + x-fetchedfrom = {Google Scholar}, + year = {2018}, +} + +@TechReport{isaacs2013, + author = {Phil Isaacs and Thomas {Morris Jr} and Michael J Fisher and Keith Cuthbert}, + date = {2013}, + institution = {Surface Mount Technology Association}, + title = {Tamper proof, tamper evident encryption technology}, + booktitle = {Pan Pacific Microelectronics Symposium}, + organization = {Surface Mount Technology Association}, + x-fetchedfrom = {Google Scholar}, + year = {2013}, +} + +@inproceedings{drimer2008, + author = {Saar Drimer and Steven J Murdoch and Ross Anderson}, + booktitle = {2008 IEEE Symposium on Security and Privacy (sp 2008)}, + organization = {IEEE}, + pages = {281–295}, + title = {Thinking inside the box: system-level failures of tamper proofing}, + x-fetchedfrom = {Google Scholar}, + year = {2008} +} + +@WWW{terdiman2013, + author = {Daniel Terdiman}, + date = {2013-07-23}, + title = {Aboard America's Doomsday command and control plane}, + url = {https://www.cnet.com/news/aboard-americas-doomsday-command-and-control-plane}, + organization = {cnet.com}, + month = jul, + publisher = {CNET}, + year = {2013}, +} + +@Thesis{vrijaldenhoven2004, + author = {Serge Vrijaldenhoven}, + date = {2004-10-01}, + institution = {Technische Universiteit Eindhoven}, + title = {Acoustical Physical Uncloneable Functions}, + type = {mathesis}, + url = {https://pure.tue.nl/ws/files/46971492/600055-1.pdf}, +} + +@WWW{dexter2015, + author = {Karsten Nohl and Fabian Bräunlein and dexter}, + date = {2015-12-27}, + title = {Shopshifting: The potential for payment system abuse}, + url = {https://media.ccc.de/v/32c3-7368-shopshifting#t=2452}, + organization = {32C3 Chaos Communication Congress}, +} + +@WWW{newman2020, + author = {Lily Hay Newman}, + date = {2020-10-06}, + title = {Apple's T2 Security Chip Has an Unfixable Flaw}, + url = {https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/}, + organization = {Wired Magazine}, +} + +@Article{sh2016, + author = {Maruthi G. S. and Vishwanath Hegde}, + date = {2016}, + journaltitle = {IEEE Sensors Journal}, + title = {Application of MEMS Accelerometer for Detection and Diagnosis of Multiple Faults in the Roller Element Bearings of Three Phase Induction Motor}, + doi = {https://doi.org/10.1109/JSEN.2015.2476561}, + issn = {1558-1748}, + issue = {1}, + url = {https://www.researchgate.net/profile/Vishwanath-Hegde-2/publication/282389149_Application_of_MEMS_Accelerometer_for_Detection_and_Diagnosis_of_Multiple_Faults_in_the_Roller_Element_Bearings_of_Three_Phase_Induction_Motor/links/568bace808aebccc4e1c01fa/Application-of-MEMS-Accelerometer-for-Detection-and-Diagnosis-of-Multiple-Faults-in-the-Roller-Element-Bearings-of-Three-Phase-Induction-Motor.pdf}, + volume = {16}, +} + +@Article{kvk2019, + author = {Ivar Koene and Raine Viitala and Petri Kuosmanen}, + date = {2019}, + journaltitle = {IEEE Access}, + title = {Internet of Things Based Monitoring of Large Rotor Vibration With a Microelectromechanical Systems Accelerometer}, + doi = {https://doi.org/10.1109/ACCESS.2019.2927793}, +} + +@TechReport{adc2019, + author = {Bertrand Campagnie}, + date = {2019}, + institution = {Analog Devices}, + title = {Choose the Right Accelerometer for Predictive Maintenance}, + url = {https://www.analog.com/media/en/technical-documentation/tech-articles/Choose-the-Right-Accelerometer-for-Predictive-Maintenance.pdf}, + urldate = {2021-04-01}, +} + +@PhdThesis{e2013, + author = {Maged Elsaid Elnady}, + date = {2013}, + institution = {University of Manchester}, + title = {On-Shaft Vibration Measurement Using a MEMS Accelerometer for Faults Diagnosis in Rotating Machines}, + url = {https://www.research.manchester.ac.uk/portal/files/54530535/FULL_TEXT.PDF}, + urldate = {2021-04-01}, +} + +@Book{iaea2011, + author = {{{International Atomic Energy Agency}}}, + date = {2011}, + title = {Safeguards, techniques and equipmen.}, + isbn = {978-92-0-118910-3}, + series = {International Nuclear Verification Series}, + url = {https://www-pub.iaea.org/MTCD/Publications/PDF/nvs1_web.pdf}, + urldate = {2021-04-01}, + volume = {1}, +} + +@Comment{jabref-meta: databaseType:biblatex;} diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex new file mode 100644 index 0000000..6bbe362 --- /dev/null +++ b/paper/ihsm_paper.tex @@ -0,0 +1,755 @@ +\documentclass[nohyperref,submission]{iacrtrans} +\usepackage[T1]{fontenc} +\usepackage[ + backend=biber, + style=numeric, + natbib=true, + url=false, + doi=true, + eprint=false + ]{biblatex} +\addbibresource{rotohsm.bib} +\usepackage{amssymb,amsmath} +\usepackage{eurosym} +\usepackage{wasysym} +\usepackage{amsthm} +\usepackage{censor} + +\makeatletter +\@ifclasswith{iacrtrans}{submission}{ + \newcommand{\censorIfSubmission}[1]{\censor{#1}{\scriptsize[Author information removed for double-blind peer review]}} +}{ + \newcommand{\censorIfSubmission}[1]{#1} +} +\makeatother + +\usepackage[binary-units]{siunitx} +\DeclareSIUnit{\baud}{Bd} +\DeclareSIUnit{\year}{a} +\usepackage{commath} +\usepackage{graphicx,color} +\usepackage{subcaption} +\usepackage{array} +\usepackage{hyperref} + +\renewcommand{\floatpagefraction}{.8} +\newcommand{\degree}{\ensuremath{^\circ}} +\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} +\newcommand{\partnum}[1]{\texttt{#1}} + +\begin{document} + +\title[Can't Touch This: Inertial HSMs Thwart Advanced Physical Attacks]{Can't Touch This: Inertial HSMs Thwart Advanced Physical Attacks} +\author{Jan Sebastian Götte \and Björn Scheuermann} +\institute{HIIG\\ \email{ihsm@jaseg.de} \and HU Berlin \\ \email{scheuermann@informatik.hu-berlin.de}} +% FIXME keywords +\keywords{hardware security \and implementation \and smart cards \and electronic commerce} +\maketitle + +\begin{abstract} + In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules + (iHSMs). Conventional systems have in common that their security requires the crafting of fine sensor structures + that respond to minute manipulations of the monitored security boundary or volume. Our approach is novel in that we + reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any + manipulations by rotating the security mesh or sensor at high speed---thereby presenting a moving target to an + attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. + Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet + offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware + prototype that demonstrates solutions to the concept's main engineering challenges. As part of this proof of + concept, we have found that a system using a coarse security mesh made from commercial printed circuit boards and an + automotive high g-force accelerometer already provides a useful level of security. +\end{abstract} + +\section{Introduction} + +While information security technology has matured a great deal in the last half century, physical security not kept up +with the pace of the remainder of this industry. Given the right skills, physical access to a computer still often +allows full compromise. The physical security of modern server hardware hinges on what lock you put on the room it is +in. + +Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid +switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between +physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key +infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic +co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of +trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured +TPM~\cite{newman2020,frazelle2019,johnson2018}. +Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure +them against tampering is a good engineering solution for some years to come. However, in essence this is a type of +security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern +ICs~\cite{albartus2020,anderson2020}. + +In contrast to TPMs and Smartcards, HSMs rely on an active security barrier usually consisting of a fragile foil with +conductive traces. These traces are much larger scale than a smart card IC's microscopic structures, and instead are +designed to be very hard to remove intact. While we are certain that there still are many insights to be gained in both +technologies, we wish to introduce a novel approach to sidestep the manufacturing issues of both and provide radically +better security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made +much more difficult to attack by moving it very quickly. + +For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set +by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, +solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual +defenses, this modified HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high +speed. How would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the +accelerometer's monitoring circuit---or they would have to attack the HSM in motion. The HSM literally becomes a moving +target. At slow speeds, rotating the entire attack workbench might be possible---but rotating frames of reference +quickly become inhospitable to human life (see Section~\ref{sec_swivel_chair_attack}). Since non-contact electromagnetic +or optical attacks are more limited in the first place and can be shielded, we have effectively forced the attacker to +use an ``attack robot''. + +This paper contains the following contributions: +\begin{enumerate} + \item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost effective, small scale production of + highly secure HSMs. + \item We discuss possible tamper sensors for inertial HSMs. + \item We explore the design space of our inertial HSM concept. + \item We present our work on a prototype inertial HSM (Figure~\ref{prototype_picture}). + \item We present an analysis on the viability of using commodity MEMS accelerometers as braking sensors. + % FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack. +\end{enumerate} + +\begin{figure} + \center + \includegraphics[width=12cm]{prototype_pic2.jpg} + \caption{The protoype as we used it to test power transfer and bidirectional communication between stator and rotor. + This picture shows the proof of concept prototype's configuration that we used for accelerometer characterization + (Section~\ref{sec_accel_meas}) without the vertical security mesh struts that connect the circular top and bottom + outer meshes.} + \label{prototype_picture} +\end{figure} + +In Section~\ref{sec_related_work}, we will give an overview of the state of the art in HSM physical security. On this +basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our Inertial HSM approach. We will +analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof of concept hardware +prototype that whose design we will elaborate in Section~\ref{sec_proto}. In Section~\ref{sec_accel_meas} we present our +characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof of concept prototype. We +conclude this paper with a general evaluation of our design in Section~\ref{sec_conclusion}. + +\section{Related work} +\label{sec_related_work} +% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion +% beyond ultrasound. + +In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper +detection. + +HSMs are an old technology that traces back decades in its electronic realization. Today's common approach of monitoring +meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security +problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, +anderson2020}. There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic +radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research has found +widespread adoption yet. + +HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper evident devices. The difference is that a +HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine +it. This examination can be by eye in the field, but it can also be carried out in a laboratory using complex equipment. +An HSM in principle has to have this examination equipment built-in. + +Physical seals are used in a wide variety of applications, but the most interesting ones from a research point of view +that are recorded in public literature are those used in monitoring of nuclear material under the International Atomic +Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically +Uncloneable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in +a way that intentionally causes large, random device to device variations. These variations are precisely recorded at +deployment. At the end of the seal's lifetime, the seal is returned from the field to the lab and closely examined to +check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes random +scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the +uncontrollably random distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well as the +precise three-dimensional surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}. + +The IAEA's equipment portfolio does include electronic seals such as the EOSS. These devices are intended for remote +reading, similar to an HSM. They are constructed from two components: A cable that is surveilled for tampering, and a +monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil such as it is used in +commercial HSMs. + +In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example HSM that they cite is +the IBM 4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard +construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical +security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature and radiation +sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional +construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state that the +module monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper +detection and construction is similar to other commercial +offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. + +Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an +HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to +traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example). +Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in +covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A +core component of their design is that they propose its use as a PUF to allow for protection even when powered off, +similar to a smart card---but the design is not limited to this use. + +In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based +around commodity WiFi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference +signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections +and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that +the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the +volume of the cavity will cause a significant change in its RF response. A core component of the work of Tobisch et +al.~\cite{tobisch2020}\ is that they use commodity WiFi hardware to reduce the cost of the HSM's sensing circuitry. The +resulting system is likely both much cheaper and capable of protecting a much larger security envelope than designs +using finely patterned foil security meshes such as~\cite{immler2019}, at the cost of worse and less predictable +security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven +in~\cite{vrijaldenhoven2004} uses ultrasound waves travelling on a surface acoustic wave (SAW) device to a similar end. + +While Tobisch et al.~\cite{tobisch2020}\ approach the sensing frontend cost as their primary optimization target, the +prior work of Kreft and Adi~\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume +barely larger than a single chip. They theorize how an array of distributed RF transceivers can measure the physical +properties of a potting compound that has been loaded with RF-reflective grains. In their concept, the RF response +characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains +within the potting compound. + +To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a +hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security +barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture +these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap +low performance security barrier and transforming it into a marginally more expensive but high performance one. The +closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that +describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled +with pressurized gas. + +In January 2020, we have uploaded an eprint of a short tech report with a rough description of the inertial HSM +concept\cite{gs21}. Up to the time this paper was written, we have not received communication in response to this eprint +that would indicate prior art. + +\subsection{Patent literature} +During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not +find any mentions of similar concepts either in academic literature or in patents. Thus, while we cannot give any +guarantees, we seem likely to be the inventors of this idea and we are fairly sure it is not covered by any patents or +other restrictions at this point in time. + +Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are +already commercially available, we have decided against applying for a patent and we wish to make it available to the +general public without any restrictions on its use. We invite you build on our work as you wish and to base your own +work on our publications without any fees or commercial restrictions. Where possible, we ask you to cite this paper and +attribute the inertial HSM concept to its authors. + +\section{Inertial HSM construction and operation} +\label{sec_ihsm_construction} + +Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and +is routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first +to use it in tamper detection. + +The core questions in the design of an inertial HSM are the following: + +\begin{enumerate} + \item What \textbf{type of motion} to use, such as rotation, pendulum motion, or linear motion. + \item How to construct the \textbf{tamper detection sensor}. + \item How to \textbf{detect braking} of the IHSM's movement. + \item The \textbf{mechanical layout} of the system. +\end{enumerate} + +We will approach these questions one by one in the following subsections. + +\subsection{Inertial HSM motion} +\label{sec_ihsm_motion} + +First, there are several ways that we can approach motion. There is periodic, aperiodic and continuous motion. There is +also linear motion as well as rotation. We can also vary the degree of electronic control in this motion. The main +constraints we have on the HSM's motion pattern are that it needs to be (almost) continuous so as to not expose any weak +spots during instantaneous standstill of the HSM. Additionally, for space efficiency the HSM has to stay within a +confined space. This means that linear motion would have to be periodic, like that of a pendulum. Such periodic linear +motion will have to quickly reverse direction at its apex so the device is not stationary long enough for this to become +a weak spot. + +In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the +device. In case it has a fixed axis, rotation will expose a weak spot at the axis of rotation where the surface's +tangential velocity is low. Faster rotation can lessen the security impact of this fact at the expense of power +consumption and mechanical stress, but it can never eliminate it. This effect can be alleviated in two ways: Either by +adding additional tamper protection at the axis, or by having the HSM perform a compound rotation that has no fixed +axis. + +Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled +disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in what we +call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion +would have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from +following the devices motion since doing so would subject them to impractically large centrifugal forces. Essentially, +this limits the approximate maximum size and mass of an attacker based on an assumption on tolerable centrifugal force. + +In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we are focusing on +systems that have a fixed axis of rotation due to their simple construction but we do wish to note the challenge of +hardening the shaft against tampering that any production device would have to tackle. + +\subsection{Tamper detection mesh construction} + +Once we have decided how our IHSM's security barrier should move, what remains is the actual implementation +of that security barrier. There are two movements that we have observed that are key to our work. On the one hand, there +is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems +deployed in the field for a variety of use cases from low security payment processing devices to high security +certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of +security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to +fabricate enclosures that embed characteristics of a Physically Uncloneable Function. By using stochastic properties of +the enclosure material to form a PUF, such academic designs effectively leverage signal processing techniques to improve +the system's security level by a significant margin. + +In our research, we focus on security meshes as our IHSM's tamper sensors. Most of the cost in commercial security mesh +implementations lies in the advanced manufacturing techniques and special materials necessary to achieve a sensitive +mesh at fine structure sizes. The foundation of an IHSM security is that by moving the mesh even a primitive, coarse +mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack in practice. This allows us to use a simple +construction made up from low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself +and its monitoring circuit and keep the payload inside the mesh stationary. Tamper sensing technologies that use the +entire volume of the HSM such as RF-based systems do not allow for this degree of freedom in their design: They would +require the entire IHSM to spin, including its payload, which would entail costly and complex systems for data and power +transfer from the outside to the payload. + +\subsection{Braking detection} + +The security mesh is a critical component in the IHSM's defense against physical attacks, but its monitoring is only one +half of this defense. The other half consists of a reliable and sensitive braking detection system. This system must be +able to quickly detect any slowing of the IHSM's rotation. Ideally, a sufficiently sensitive sensor should be able to +measure any external force applied to the IHSM's rotor and should already trigger a response at the first signs of a +manipulation attempt. + +While the obvious choice to monitor rotation would be a tachometer such as a magnetic or opitical sensor attached to the +IHSM's shaft, this would be a poor choice in our application. Both optical and magnetic sensors are susceptible to +contact-less interference from outside. A different option would be to use feedback from the motor driver electronics. +When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this +approach is that depending on construction, it might invite attacks at the mechanical interface between mesh and the +motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation or electrical +discharge machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is +already standing still. + +Instead of a stator-side sensor like a magnetic tachometer or feedback from the BLDC controller, an accelerometer placed +inside the spinning mesh monitoring circuit would be a good component to serve as an IHSM's tamper sensor. Modern, fully +intergrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of the device's +mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper with the device's +motion. It may also allow remote monitoring of the device's mechanical components such as bearings: MEMS accelerometers +are fast enough to capture vibrations, which can be used as an early warning sign of failing mechanical +components~\cite{kvk2019,sh2016,adc2019,e2013}. + +In a spinning IHSM, an accelerometer mounted at a known radius with its axis pointing radially will measure centrifugal +acceleration. Centrifugal acceleration rises linearly with radius, and with the square of frequency: $a=\omega^2 r$. For +a given target speed of rotation, the accelerometer's location has to be carefully chosen to maximize dynamic range. A +key point here is that for rotation speeds between $500$ and $\SI{1000}{rpm}$, centrifugal acceleration already becomes +very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}\approx\SI{17}{\hertz}$ at a +$\SI{10}{\centi\meter}$ radius acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. While +beneficial for security, this large acceleration leads to two practical constraints. First, off-axis performance of +commercial accelerometers is usually in the order of $\SI{1}{\percent}$ so this large acceleration will feed through +into all accelerometer axes, even those that are tangential to the rotation. Second, we either have to place the +accelerometer close to the axis or we are limited to a small selection of high-$g$ accelerometers mostly used in +automotive applications. + +To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark: Let us assume that an +IHSM is spinning at $\SI{1000}{rpm}$ and that we wish to detect any attempt to brake it below $\SI{500}{rpm}$. The +difference in centrifugal acceleration that our accelerometer will have to detect then is a factor of +$\frac{\omega_2^2}{\omega_1^2}=4$. If we choose our accelerometer's location to maximize its dynamic range, any +commercial MEMS accelerometer should suffice for this degree of accuracy even over long timespans. For rapid +deceleration, commercial accelerometers will be much more sensitive as effects of long-term drift can be ignored. If we +wish to also detect very slow deceleration, we have to take into account the accelerometer's drift characteristics. + +In Section~\ref{sec_accel_meas} below we conduct an empirical evaluation of a commercial automotive high-$g$ MEMS +accelerometer for braking detection in our prototype IHSM. + +\subsection{Mechanical layout} + +With our IHSM's components taken care of, what remains to be decided is how to put together these individual components +into a complete device. A basic spinning HSM might look like shown in Figure~\ref{fig_schema_one_axis}. Shown are the +axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload and the +area covered by the rotating tamper detection mesh. A key observation is that we only have to move the tamper +protection mesh, not the entire contents of the HSM. The HSM's payload and with it most of the HSM's mass can be +stationary. This reduces the moment of inertia of the moving part. This basic schema accepts a weak spot at the point +where the shaft penetrates the spinning mesh. This trade-off makes for a simple mechanical construction and allows +power and data connections to the stationary payload through a hollow shaft. + +\begin{figure} + \center + \includegraphics{concept_vis_one_axis.pdf} + \caption{Concept of a simple spinning Inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 - + Accelerometer. 5 - Shaft penetrating security mesh.} + \label{fig_schema_one_axis} +\end{figure} + +The spinning mesh must be designed to cover the entire surface of the payload, but it suffices if it sweeps over every +part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside air +to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious +issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be +solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used +exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. +Using longitudinal gaps in the mesh, our setup allows direct air cooling of regular heatsinks. This unlocks much more +powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an +evolution of our design, the spinning mesh could even be designed to \emph{be} a cooling fan. + +\section{Attacks} +\label{sec_attacks} + +After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to +attack it. At the core of an IHSM's defenses is the same security mesh or other technology as it is used in traditional +HSMs. This means that in the end an attacker will have to perform the same steps they would have to perform to attack a +traditional HSM. Only, they will either have to perform these attack steps with a tool that follows the HSMs rotation +at high speed or they will first have to defeat the braking sensor. Attacking the IHSM in motion may require specialized +mechanical tools, CNC actuators or even a contactless attack using a laser, plasma jet or water jet. + +\subsection{The Swivel Chair Attack} +\label{sec_swivel_chair_attack} + +First we will consider the most basic of all attacks: A human attacker holding a soldering iron trying to rotate +themselves along with the mesh using a very fast swivel chair. Let us pessimistically assume that this co-rotating +attacker has their center of mass on the axis of rotation. The attacker's body is likely on the order of +$\SI{200}{\milli\meter}$ wide along its shortest axis, resulting in a minimum radius from axis of rotation to surface of +about $\SI{100}{\milli\meter}$. Wikipedia lists horizontal g forces in the order of $\SI{20}{g}$ as the upper end of the +range tolerable by humans for seconds at a time or longer. We thus set our target acceleration to +$\SI{100}{g}\;\approx\;\SI{1000}{\meter\per\second^2}$, a safety factor of $5$ past that range. Centrifugal +acceleration is $a=\omega^2 r$. In our example this results in a minimum angular velocity of $f_\text{min} = +\frac{1}{2\pi}\sqrt{\frac{a}{r}} = \frac{1}{2\pi}\sqrt{\frac{\SI{1000}{\meter\per\second^2}}{\SI{100}{\milli\meter}}} +\approx \SI{16}{\hertz} \approx \SI{1000}{rpm}$. From this we can conclude that even at moderate speeds of +$\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some +kind of mechanical tool. + +\subsection{Mechanical weak spots} + +The tamper defense of an IHSM rests on the security mesh moving too fast to tamper. Depending on the type of motion +used, the meshes speed may vary by location and over time. Our example configuration of a rotating mesh can keep moving +continuously, so it does not have any time-dependent weak spots. It does however have a weak spot at its axis of +rotation, at the point where the shaft penetrates the mesh. The meshes tangential velocity decreases close to the shaft, +and the shaft itself may allow an attacker to insert tools such as probes into the device through the opening it +creates. This issue is related to the issue conventional HSMs also face with their power and data connections. In +conventional HSMs, power and data are routed into the enclosure through the PCB or flat flex cables sandwiched in +between security mesh foil layers. In traditional HSMs this interface rarely is a mechanical weak spot since they use a +thin mesh substrate and create a meandering path by folding the interconnect substrate/security mesh layers several +times. In inertial HSMs, careful engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows +variations of the shaft interface with increasing complexity. + +\begin{figure} + \begin{subfigure}[t]{0.3\textwidth} + \center + \includegraphics[width=4cm]{ihsm_shaft_countermeasures_a.pdf} + \caption{Cross-sectional view of the basic configuration with no special protection of the shaft. Red: Moving + mesh -- Black: Stationary part.} + \label{shaft_cm_a} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.3\textwidth} + \center + \includegraphics[width=4cm]{ihsm_shaft_countermeasures_b.pdf} + \caption{An internal, independently rotating disc greatly decreases the space available to attackers at the + expense of another moving part and a second moving monitoring circuit.} + \label{shaft_cm_a} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.3\textwidth} + \center + \includegraphics[width=4cm]{ihsm_shaft_countermeasures_c.pdf} + \caption{A second moving tamper detection mesh also enables more complex topographies.} + \label{shaft_cm_a} + \end{subfigure} + \caption{Mechanical countermeasures to attacks through or close to the shaft of a fixed-axis rotating IHSM.} + \label{shaft_cm} +\end{figure} + +\subsection{Attacking the mesh in motion} + +To disable the mesh itself, an attacker can choose two paths. One is to attack the mesh itself, for example by bridging +its traces. The other option is to tamper with the monitoring circuit to prevent a damaged mesh from triggering an +alarm~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e.\ they require electrical contact to +parts of the circuit. Traditionally, this contact is made by soldering a wire or by placing a probe such as a thin +needle. We consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack +avenues may be to rotate an attack tool in sync with the mesh, or to use a laser or ion beam fired at the mesh to cut +traces or carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting +compound and shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the +complexity of such attacks. + +\subsection{Attacks on the rotation sensor} + +Instead of attacking the mesh in motion, an attacker may also try to first stop the rotor. To succeed, they would need +to falsify the rotor's MEMS accelerometer measurements. We can disregard electronic attacks on the sensor or the +monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be +physical attacks of the accelerometer's sensing mechanism. +MEMS accelerometers usually use a cantilever design in which a proof mass moves a cantilever whose precise position is +measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these +mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings. +A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the +device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the +mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the +security envelope and by varying the rate of rotation over time. + +\subsection{Attacks on the alarm circuit} + +Besides trying to deactivate the tamper detection mesh, an electronic attack could also target the alarm circuitry +inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a +cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat +message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope. +Like in conventional HSMs, it has to be built to either tolerate or detect environmental attacks using sensors for +temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration and gases or +liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured. +To prevent replay attacks link latency must continuously be measured, so this link must be bidirectional. +% If it were unidirectional, an attacker could +% act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed +% (say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary +% deviations in the transmitter's local clock frequency. Thus, after some time the attacker can simply stop the rotor and +% break the mesh while replaying the leftover recorded ``no alarm'' signal. Given the frequency stability of commercial +% crystals, this would yield the attacker several seconds of undisturbed attack time per hour of recording time. + +\subsection{Fast and violent attacks} + +A variation of the above attacks on the alarm circuitry is to simply destroy the part of the HSM that erases data in +response to tampering before it can perform its job using a tool such as a large hammer or a gun. To mitigate this type +of attack, the HSM must be engineered to be either tough or brittle: Tough enough that the tamper response circuitry +will reliably withstand any attack for long enough to carry out its function or brittle in a way that during any attack, +the payload is reliably destroyed before the tamper response circuitry. + +\section{Proof of Concept Prototype implementation} +\label{sec_proto} + +As we elaborated above, the mechanical component of an IHSM significantly increases the complexity of any attack even +when implemented using only common, off-the-shelf parts. In view of this amplification of design security we have +decided to validate our theoretical studies by implementing a proof of concept prototype IHSM +(Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof of concept prototype +were: + +\begin{enumerate} + \item A mechanical design suitable for rapid prototyping that can withstand at least $\SI{500}{rpm}$. + \item The Automatic generation of security mesh PCB layouts for quick adaption to new form factors. + \item Non-contact power transmission from stator to rotor. + \item Non-contact bidirectional data communication between stator and rotor. +\end{enumerate} + +We will outline our findings on these challenges one by one in the following paragraphs. + +\subsection{Mechanical design} + +We sized our proof of concept prototype to have sufficient payload space for up to two full-size Raspberry Pi boards to +approximate a traditional HSM's processing capabilities. We use printed circuit boards as the main structural material +for the rotating part, and 2020 aluminium extrusion for its mounting frame. Figure~\ref{fig_proto_mesh} shows the +rotor's mechanical PCB designs. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already +sufficiently narrow to pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our +prototype incorporates a functional PCB security mesh. As we observed previously, this mesh only needs to cover every +part of the system once per revolution, so we designed the longituninal PCBs as narrow strips to save weight. + +\subsection{PCB security mesh generation} + +% FIXME censor link in peer-review version! +Our proof-of-concept security mesh covers a total of five interlocking mesh PCBs (Figure~\ref{mesh_gen_sample}). A sixth +PCB contains the monitoring circuit and connects to these mesh PCBs. To speed up design iterations, we automated the +generation of this security mesh through a plugin for the KiCAD EDA +suite\footnote{\censorIfSubmission{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}}. Figure~\ref{mesh_gen_viz} visualizes the mesh +generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a randomized tree +covering the grid. Finally, individual mesh traces are traced according to a depth-first search through this tree. +We consider the quality of the plugin's output sufficient for practical applications. Together with FreeCAD's KiCAD +StepUp plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB files. + +\begin{figure} + \begin{subfigure}{0.35\textwidth} + \center + \includegraphics[height=7cm]{proto_3d_design.jpg} + \caption{The 3D CAD design of the proof of concept prototype.} + \end{subfigure} + \hfill + \begin{subfigure}{0.6\textwidth} + \includegraphics[width=8cm]{rotor_stator.jpg} + \center + \caption{Assembled mechanical prototype rotor (left) and stator (right) PCB components.} + \end{subfigure} + \caption{Our proof of concept prototype IHSM's PCB security mesh design} + \label{fig_proto_mesh} +\end{figure} + +\begin{figure} + \begin{subfigure}{\textwidth} + \center + \includegraphics[width=9cm]{mesh_gen_viz.pdf} + \caption{Overview of the automatic security mesh generation process. 1 - Example target area. 2 - Grid overlay. + 3 - Grid cells outside of the target area are removed. 4 - A random tree covering the remaining cells is + generated. 5 - The mesh traces are traced along a depth-first walk of the tree. 6 - Result.} + \label{mesh_gen_viz} + \end{subfigure} + \begin{subfigure}{\textwidth} + \center + \includegraphics[width=6cm]{mesh_scan_crop.jpg} + \caption{Detail of a PCB produced with a generated mesh.} + \label{mesh_gen_sample} + \end{subfigure} + \caption{Our automatic security mesh generation process} + \label{mesh_gen_fig} +\end{figure} + +\subsection{Power transmission from stator to rotor} + +The spinning mesh has its own autonomous monitoring circuit. This spinning monitoring circuit needs both power and data +connectivity to the stator. To design the power link, we first have to estimate the monitoring circuit's power +consumption. We base our calculation on the (conservative) assumption that the spinning mesh sensor should send its +tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At +$\SI{100}{\kilo\baud}$, a transmission of a one-byte message in standard UART framing would take +$\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that +requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of +$\SI{100}{\micro\ampere}$. Reserving another $\SI{100}{\micro\ampere}$ for the monitoring circuit itself we arrive at an +energy consumption of $\SI{1.7}{\ampere\hour}$ per year. + +This annual energy consumption is close to the capacity of a single CR123A lithium primary cell. Thus, by either using +several such cells or by optimizing power consumption several years of battery life could easily be reached. In our +proof of concept prototype we decided against using a battery to reduce rotor mass and balancing issues. + +We also decided against mechanically complex solutions such as slip rings or electronically complex ones such as +inductive power transfer. Instead, we chose a simple setup consisting of a stationary lamp pointing at several solar +cells on the rotor. At the monitoring circuit's low power consumption power transfer efficiency is irrelevant, so this +solution is practical. Our system uses six series-connected solar cells mounted on the end of the cylindrical rotor +that are fed into a large $\SI{33}{\micro\farad}$ ceramic buffer capacitor through a Schottky diode. This solution +provides around $\SI{3.0}{\volt}$ at several tens of $\si{\milli\ampere}$ to the payload when illuminated using either +a $\SI{60}{\watt}$ incandescent light bulb or a flicker-free LED studio light of similar brightness\footnote{LED lights +intended for room lighting exhibit significant flicker that can cause the monitoring circuit to reset. Incandescent +lighting requires some care in shielding the data link from the light bulb's considerable infrared output.}. + +\subsection{Data transmission between stator and rotor} + +Besides power transfer from stator to rotor, we need a reliable, bidirectional data link to transmit mesh status and a +low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a +quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a +transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into an +\texttt{MCP6494} general purpose opamp configured as an $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in +Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time before being squared up by a +comparator. Our design trades off stator-side power consumption for a reduction in rotor-side power consumption by +using a narrow-angle IR led and photodiode on the rotor, and wide-angle components at a higher LED current on the +stator. Figure~\ref{ir_tx_schema} shows the physical arrangement of both links. The links face opposite one another and +are shielded from one another by the motor's body in the center of the PCB. + +% We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current +% consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a +% useful transimpedance in the photodiode-facing TIA stage. + +\begin{figure} + \begin{subfigure}{0.3\textwidth} + \includegraphics[width=4.5cm]{ir_tx_schema.pdf} + \caption{Basic layout, view along axis of rotation. 1 + - Rotor base PCB. 2 - Stator IR link PCB. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.} + \label{ir_tx_schema} + \end{subfigure} + \hfill + \begin{subfigure}{0.65\textwidth} + \includegraphics[width=9cm]{photolink_schematic.pdf} + \caption{Schematic with sample component values. C2 is highly dependent on the photodiode characteristics and + stray capacitances.} + \label{photolink_schematic} + \end{subfigure} + \caption{IR data link implementation} +\end{figure} + +\subsection{Evaluation} + +The compoleted proof of concept hardware worked as intended. Both rotating power and data links worked well. As we +expected, the mechanical design vibrated at higher speeds but despite these unintended vibrations we were able reach +speeds in excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link +and the data links continued to function without issue. + +\section{Using MEMS accelerometers for braking detection} +\label{sec_accel_meas} + +Using the proof of concept prototype from the previous section, we performed an evaluation of an \partnum{AIS1120} +commercial automotive MEMS accelerometer as a braking sensor. The device is mounted inside our prototype at a radius of +$\SI{55}{\milli\meter}$ from the axis of rotation to the center of the device's package. The \partnum{AIS1120} provides +a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$. + +Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually +control this motor controller through an RC servo tester. In our experiments we externally measured the device's speed +of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using an +USB logic analyzer at a sampling rate of $\SI{100}{\mega\hertz}$. We calculcate rotation frequency as a +$\SI{1}{\second}$ running average over debounced interval lengths of this captured signal\footnote{A regular frequency +counter or commercial tachometer would have been easier, but neither was available in our limited COVID-19 home office +lab.}. + +The accelerometer is controlled from the \partnum{STM32} microcontroller on the rotor of our IHSM prototype platform. +Timed by an external quartz, the microcontroller samples accelerometer readings at $\SI{10}{\hertz}$. Readings are +accumulated in a small memory buffer, which is continuously transmitted out through the prototype platform's infrared +link. Data is packetized with a sequence number indicating the buffer's position in the data stream and a CRC-32 +checksum for error detection. On the host, a Python script stores all packets received with a valid checksum in an +SQLite database. + +Data analysis is done separately from data capture. An analysis IPython Notebook reads captured packets and reassembles +the continuous sample stream based on the packets' sequence numbers. The low $\SI{10}{\hertz}$ sampling rate and high +$\SI{115}{\kilo Bd}$ transmission speed lead to a large degree of redundancy with gaps in the data stream being rare. +This allowed us to avoid writing retransmission logic or data interpolation. + +Figure~\ref{fig-acc-steps} shows an entire run of the experiment. During this run, we started with the rotor at +standstill, then manually increased its speed of rotation in steps. Areas shaded gray are intervals where we manually +adjust the rotors speed. The unshaded areas in between are intervals when the rotor speed is steady. +Figure~\ref{fig-acc-stacked} shows a magnified view of these periods of steady rotor speed. In both graphs, orange +lines indicate centrifugal acceleration as calculated from rotor speed measurements. Visually, we can see that +measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the +accelerometer's intrinsic errors as well as error in its placement due to construction tolerances. + +The accelerometer's primary intrinsic errors are offset error and scale error. Offset error is a fixed additive offset +to all measurements. Scale error is an error proportional to a measurements value that results from a deviation between +the device's specified and actual sensitivity. We correct for both errors by first extracting all stable intervals from +the time series, then fitting a linear function to the measured data. Offset error is this linear function's intercept, +and scale error is its slope. We then apply this correction to all captured data before plotting and later analysis. +Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of +the device's offset remaining. At high speeds of rotation this remaining offset does not have an appreciable impact, but +due to the quadratic nature of centrifugal acceleration at low speeds it causes a large relative error of up to +$\SI{10}{\percent}$ at $\SI{95}{rpm}$. + +After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data. +Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity +since we tested our proof of concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that +this harmonic content is a clean intermodulation product of the accelerometers sampling rate and the speed of rotation +with no other visible artifacts. + +Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark +blue, and theoretical behavior is shown in orange. From our measurements we can conclude that an accelerometer is a good +choice for an IHSM's braking sensor. A simple threshold set according to the sensor's calculated expected centrifugal +force should be sufficient to reliably detect manipulation attempts without resulting in false positives. Periodic +controlled changes in the IHSM's speed of rotation allow an offset and scale calibration of the accelerometer on the +fly, without stopping the rotor. + +\begin{figure} + \center + \includegraphics[width=0.7\textwidth]{../prototype/sensor-analysis/fig-acc-theory-meas-run50.pdf} + \caption{Centrifugal acceleration versus angular frequency in theory and in our experiments. Experimental + measurements are shown after correction for device-specific offset and scale error. Our measurements + showed good agreement with our theoretical results. Above \SI{300}{rpm}, the relative acceleration error was consistently + below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error that remains after our first-order + corrections has a strong impact ($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$.)} + \label{fig-acc-theory} +\end{figure} + +\begin{figure} + \begin{subfigure}{0.5\textwidth} + \center + \includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-steps-run50.pdf} + \caption{Raw recording of accelerometer measurements during one experiment run. Shaded areas indicate time + intervals when we manually adjusted speed.} + \label{fig-acc-steps} + \end{subfigure} + \hfill + \begin{subfigure}{0.45\textwidth} + \center + \includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-stacked-run50.pdf} + \caption{Valid measurements cropped out from \ref{fig-acc-steps} for various frequencies. Intermodulation + artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SI{3}{\hertz}$ to + $\SI{18}{\hertz}$ rotation frequency due to gravity and device vibration are clearly visible.} + \label{fig-acc-stacked} + \end{subfigure} + \label{fig-acc-traces} + \caption{Traces of acceleration measurements during one experiment run.} +\end{figure} + +\section{Conclusion} +\label{sec_conclusion} + +In this paper we introduced Inertial Hardware Security Modules (iHSMs), a novel concept for the construction of advanced +hardware security modules from simple components. We analyzed the concept for its security properties and highlighted +its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design by creating a +proof of concept hardware prototype. In this prototype we have demonstrated practical solutions to the major electronics +design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation. We have used our +prototype to perform several experiments to validate the rotary power and data links and the onboard accelerometer. Our +measurements have shown that our proof-of-concept solar cell power link works well and that our simple IR data link +already is sufficiently reliable for telemetry. Our experiments with an \partnum{AIS1120} automotive MEMS accelerometer +showed that this part is well-suited for braking detection in the range of rotation speed relevant to the IHSM scenario. + +Overall, our findings validate the viability of IHSMs as an evolutionary step beyond traditional HSM technology. IHSMs +offer a high level of security beyond what traditional techniques can offer even when built from simple components. They +allow the construction of devices secure against a wide range of practical attacks in small quantities and without +specialized tools. The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with +traditional HSMs. Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful +computing hardware inside the HSM. We hope that this simple construction will stimulate academic research into (more) +secure hardware. + +\printbibliography[heading=bibintoc] + + +%%% FIXME remove appendix and work into text. + +\center{ + \center{This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository + can be found at:} + + \center{\censorIfSubmission{\url{https://git.jaseg.de/rotohsm.git}}} +} +\end{document} diff --git a/paper/ihsm_tech_report.tex b/paper/ihsm_tech_report.tex new file mode 100644 index 0000000..e9d571f --- /dev/null +++ b/paper/ihsm_tech_report.tex @@ -0,0 +1,300 @@ +\documentclass[10pt,journal,a4paper]{IEEEtran} +\usepackage[english]{babel} +\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} +\usepackage[ + backend=biber, + style=numeric, + natbib=true, + url=false, + doi=true, + eprint=false + ]{biblatex} +\addbibresource{rotohsm.bib} +\usepackage{amssymb,amsmath} +\usepackage{listings} +\usepackage{eurosym} +\usepackage{wasysym} +\usepackage{amsthm} +\usepackage{tabularx} +\usepackage{multirow} +\usepackage{multicol} +\usepackage{tikz} +\usepackage{mathtools} +\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil} +\DeclarePairedDelimiter{\paren}{(}{)} + +\usetikzlibrary{arrows} +\usetikzlibrary{chains} +\usetikzlibrary{backgrounds} +\usetikzlibrary{calc} +\usetikzlibrary{decorations.markings} +\usetikzlibrary{decorations.pathreplacing} +\usetikzlibrary{fit} +\usetikzlibrary{patterns} +\usetikzlibrary{positioning} +\usetikzlibrary{shapes} + +\usepackage[binary-units]{siunitx} +\DeclareSIUnit{\baud}{Bd} +\DeclareSIUnit{\year}{a} +\usepackage{hyperref} +\usepackage{tabularx} +\usepackage{commath} +\usepackage{graphicx,color} +\usepackage{ccicons} +\usepackage{subcaption} +\usepackage{float} +\usepackage{footmisc} +\usepackage{array} +\usepackage[underline=false]{pgf-umlsd} +\usetikzlibrary{calc} +%\usepackage[pdftex]{graphicx,color} +\usepackage{epstopdf} +\usepackage{pdfpages} +\usepackage{minted} % pygmentized source code + +\renewcommand{\floatpagefraction}{.8} +\newcommand{\degree}{\ensuremath{^\circ}} +\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} + +\usepackage{fancyhdr} +\fancyhf{} +\fancyfoot[C]{\thepage} +\newcommand{\includenotebook}[2]{ + \fancyhead[C]{Included Jupyter notebook: #1} + \includepdf[pages=1, + pagecommand={\thispagestyle{fancy}\section{#1}\label{#2_notebook}} + ]{resources/#2.pdf} + \includepdf[pages=2-, + pagecommand={\thispagestyle{fancy}} + ]{resources/#2.pdf} +} + +\begin{document} + +\title{Tech Report: Inerial HSMs Thwart Advanced Physical Attacks} +\author{\IEEEauthorblockN{ + Jan Sebastian Götte\IEEEauthorrefmark{1}\IEEEauthorrefmark{2} \and + Björn Scheuermann\IEEEauthorrefmark{1}\IEEEauthorrefmark{2} + }\\ + \IEEEauthorblockA{ + \IEEEauthorrefmark{1}Alexander von Humboldt Institut für Internet und Gesellschaft (HIIG)\\ + \IEEEauthorrefmark{2}Humboldt-Universität zu Berlin\\ + \texttt{\textbf{\small goette@jaseg.de}}, \texttt{\textbf{\small scheuermann@informatik.hu-berlin.de}} + } +} +\date{2021-01-05} +\maketitle + +\section*{Abstract} + +In this tech report, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules +(iHSMs). Conventional systems have in common that they try to detect attacks by crafting sensors responding to +increasingly minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce +the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by +rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop +the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to a HSM that +can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is +comparable to commercial HSMs. + +This tech report is the abridged version of our forthcoming paper. + +\section{Introduction} + +While information security technology has matured a great deal in the last half century, physical security has barely +changed. Given the right skills, physical access to a computer still often means full compromise. The physical +security of modern server hardware hinges on what lock you put on the room it is in. + +Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid +switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between +physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key +infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic +co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of +trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured +TPM~\cite{newman2020,frazelle2019,johnson2018}. + +Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure +them against tampering is a good engineering solution for some years to come. However, in essence this is a type of +security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern +ICs~\cite{albartus2020,anderson2020}. + +HSMs rely on a fragile foil with much larger-scale conductive traces being hard to remove intact. While we are certain +that there still are many insights to be gained in both technologies, we wish to introduce a novel approach to sidestep +the manufacturing issues of both and provide radically better security against physical attacks. Our core observation +is that any cheap but coarse HSM technology can be made much more difficult to attack by moving it very quickly. + +For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set +by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, +solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual +defenses the HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high speed. How +would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the +accelerometer---or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow +speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become +inhospitable to human life. Since non-contact electromagnetic or optical attacks are more limited in the first place and +can be shielded, we have effectively forced the attacker to use an attack robot. + +In Section~\ref{sec_related_work}, we will give an overview of the state of the art in the physical security of HSMs. On +this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach. We +conclude this paper with a general evaluation of our concept in Section~\ref{sec_conclusion}. + +\section{Related work} +\label{sec_related_work} +% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion +% beyond ultrasound. + +In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper +detection. + +HSMs are an old technology tracing back decades in their electronic realization. Today's common approach of monitoring +meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security +problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, +anderson2020}. There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic +radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research +has found widespread adoption yet. + +In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM +4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard +construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical +security mechanisms have not evolved much in the last two decades. Besides auxiliary temperature and radiation sensors +to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional +construction of a flexible mesh wrapped around the module's core. In~\cite{smith1998}, the authors state the module +monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and +construction is similar to other commercial offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. + +To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a +hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security +barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture +these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap +low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The +closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that +describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled +with pressurized gas. + +\section{Inertial HSM construction and operation} +\label{sec_ihsm_construction} + +Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and is +routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first to +use it in tamper detection. If we consider different ways of moving an HSM to make it harder to tamper with, we find +that making it spin has several advantages. + +First, the HSM has to move fairly fast. If any point of the HSM's tamper sensing mesh moves slow enough for a human to +follow, it becomes a weak spot. E.g.\ in a linear pendulum motion, the pendulum becomes stationary at its apex. Second, +a spinning HSM is compact compared to alternatives like an HSM on wheels. Finally, rotation leads to easily predictable +accelerometer measurements. A beneficial side-effect of spinning the HSM is that if the axis of rotation is within the +HSM itself, an attacker trying to follow the motion would have to rotate around the same axis. Their tangential linear +velocity would rise linearly with the radius from the axis of rotation, which allows us to limit the approximate maximum +size and mass of an attacker using an assumption on tolerable centrifugal force. In this consideration the axis of +rotation is a weak spot, but that can be mitigated using multiple nested layers of protection. + +\begin{figure} + \center + \includegraphics{concept_vis_one_axis.pdf} + \caption{Concept of a simple spinning inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 - + Accelerometer. 5 - Shaft penetrating security mesh.} + \label{fig_schema_one_axis} +\end{figure} + +In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to +distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the +rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, after +subtracting gravity both acceleration tangential to the rotation and along the axis of rotation will be zero. +Centrifugal acceleration will be constant. + +Large centrifugal acceleration at high speeds poses the engineering challenge of preventing the whole thing from flying +apart, but it also creates an obstacle to any attacker trying to manipulate the sensor. We do not need to move the +entire contents of the HSM. It suffices if we move the tamper detection barrier around a stationary payload. This +reduces the moment of inertia of the moving part and it means we can use cables for payload power and data. Even at +moderate speeds above $\SI{500}{rpm}$, an attack would have to be carried out using a robot. + +\subsection{Mechanical layout} + +Thinking about the concrete construction of our mechanical HSM, the first challenge is mounting both mesh and payload on +a single shaft. The simplest way we found to mount a stationary payload inside of a spinning security mesh is a hollow +shaft. The payload can be mounted on a fixed rod threaded through this hollow shaft along with wires for power and +data. The shaft is a weak spot of the system, but this weak spot can be alleviated through either careful construction +or a second layer of rotating meshes with a different axis of rotation. Configurations that do not use a hollow-shaft +motor are possible, but may require additional bearings to keep the stator from vibrating. + +The next design choice we have to make is the physical structure of the security mesh. The spinning mesh must be +designed to cover the entire surface of the payload, but compared to a traditional HSM it suffices if it sweeps over +every part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside +air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious +issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be +solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used +exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. +Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum possible power dissipation +of the payload and unlocks much more powerful processing capabilities. In an evolution of our design, the spinning mesh +could even be designed to \emph{be} a cooling fan. + +\subsection{Spinning mesh power and data transmission} + +On the electrical side, the idea of a security mesh spinning at more than $\SI{500}{rpm}$ leaves us with a few +implementation challenges. Since the spinning mesh must be monitored for breaks or short circuits continuously, we need +both a power supply for the spinning monitoring circuit and a data link to the stator. + +We think that a bright lamp shining at a rotating solar panel is a good starting point. In contrast to e.g.\ slip +rings, this setup is mechanically durable at high speeds and it also provides reasonable output power. A battery may not +provide a useful lifetime without power-optimization. Likewise, an energy harvesting setup may not provide enough +current to supply peak demand. + +Since the monitoring circuit uses little current, power transfer efficiency is not important. On the other hand, cost +may be a concern in a production device. Here it may prove worthwhile to replace the solar cell setup with an extra +winding on the rotor of the BLDC motor driving the spinning mesh. This motor is likely to be a custom part, so adding +an extra winding is unlikely to increase cost significantly. More traditional inductive power transfer may also be an +option if it can be integrated into the mechanical design. + +\begin{figure} + \center + \includegraphics{ir_tx_schema.pdf} + \caption{Example of a bidirectional IR communication link between rotor and stator, view along axis of rotation. 1 + - Rotor base plate. 2 - Stator base plate. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.} + \label{ir_tx_schema} +\end{figure} + +Besides power, the data link between spinning mesh and payload is critical to the HSM's design. This link is used to +transmit the occassional status report along with a low-latency alarm trigger (``heartbeat'') signal from mesh to payload. +A simple infrared optical link as shown in Figure~\ref{ir_tx_schema} may be a good solution for this purpose. + +\section{Conclusion} + +\label{sec_conclusion} To conclude, in this tech report we introduced inertial hardware security modules (iHSMs), a +novel concept for the construction of highly secure hardware security modules from inexpensive, commonly available +parts. We elaborated the engineering considerations underlying a practical implementation of this concept. + +Inertial HSMs offer a high level of security beyond what traditional techniques can offer. They allow the construction +of devices secure against a wide range of practical attacks at prototype quantities and without specialized tools. We +hope that this simple construction will stimulate academic research into secure hardware. + +\printbibliography[heading=bibintoc] +\appendix + +\subsection{Patents and licensing} +During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not +find any mentions of similar concepts either in academic literature or in patents. Thus, we are likely the inventors of +this idea and we are fairly sure it is not covered by any patents or other restrictions at this point in time. + +Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are +already commercially available, we have decided against applying for a patent and we wish to make it available to the +general public without any restrictions on its use. This paper itself is licensed CC-BY-SA (see below). As for the +inertial HSM concept, we invite you to use it as you wish and to base your own work on our publications without any fees +or commercial restrictions. Where possible, we ask you to cite this paper and attribute the inertial HSM concept to its +authors. + +\center{ + \center{\ccbysa} + + \center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The + full text of the license can be found at:} + + \center{\url{https://creativecommons.org/licenses/by-sa/4.0/}} + + \center{For alternative licensing options, source files, questions or comments please contact the authors.} + + \center{This is version \texttt{\input{version.tex}\unskip} generated on \today. Once the full paper has been + published, this project's git repository will be available at:} + + \center{\url{https://git.jaseg.de/rotohsm.git}} +} +\end{document} diff --git a/paper/rotohsm.bib b/paper/rotohsm.bib deleted file mode 100644 index 2817088..0000000 --- a/paper/rotohsm.bib +++ /dev/null @@ -1,258 +0,0 @@ -% Encoding: UTF-8 -@comment{x-kbibtex-encoding=utf-8} - -@Book{anderson2020, - author = {Ross Anderson}, - date = {2020-09-16}, - title = {Security Engineering}, - isbn = {978-1-119-64281-7}, -} - -@techreport{gs21, - author = {{\censorIfSubmission{Jan Sebastian Götte and Björn Scheuermann}}}, - date = {2021-01-14}, - institution = {{\censorIfSubmission{Alexander von Humboldt Institut für Internet und Gesellschaft}}}, - title = {Tech Report: Inerial HSMs Thwart Advanced Physical Attacks}, - url = {https://eprint.iacr.org/2021/055}, - urldate = {2021-04-13} -} - -@techreport{smith1998, - author = {Sean Smith and Steve Weingart}, - date = {1998-02-19}, - institution = {IBM T.J. Watson Research Center}, - title = {Building a High-Performance, Programmable Secure Coprocessor}, - url = {ftp://www6.software.ibm.com/software/cryptocards/rc21102.pdf}, - urldate = {2020-09-16} -} - -@article{immler2019, - author = {Vincent Immler and Johannes Obermaier and Kuan Kuan Ng and Fei Xiang Ke and Jin Yu Lee and Yak Peng Lim and Wei Koon Oh and Keng Hoong Wee and Georg Sigl}, - date = {2019}, - doi = {10.13154/tches.v2019.i1.51-96}, - issn = {2569-2925}, - journal = {IACR transactions on cryptographic hardware and embedded systems.}, - journaltitle = {IACR Transactions on Cryptographic Hardware and Embedded Systems}, - publisher = {IACR}, - title = {Secure Physical Enclosures from Covers with Tamper-Resistance}, - url = {https://tches.iacr.org/index.php/TCHES/article/view/7334/6506}, - urldate = {2020-09-16} -} - -@article{obermaier2018, - author = {Johannes Obermaier and Vincent Immler}, - date = {2018}, - doi = {10.1007/s41635-018-0045-2}, - issn = {2509-3428}, - journaltitle = {Journal of Hardware and Systems Security}, - pages = {289–296}, - title = {The Past, Present, and Future of Physical Security Enclosures: From Battery-Backed Monitoring to PUF-Based Inherent Security and Beyond}, - volume = {2}, - year = {2018} -} - -@article{tobisch2020, - author = {Johannes Tobisch and Christian Zenger and Christof Paar}, - date = {2020-03-13}, - journaltitle = {TRUDEVICE 2020: 9th Workshop on Trustworthy Manufacturing and Utilization of Secure Devices}, - title = {Electromagnetic Enclosure PUF for Tamper Proofing Commodity Hardware and otherApplications}, - url = {https://www.emsec.ruhr-uni-bochum.de/media/crypto/veroeffentlichungen/2020/05/13/trudevice_submission_enclosure_puf.pdf}, - urldate = {2020-09-17} -} - -@article{kreft2012, - author = {Heinz Kreft and Wael Adi}, - date = {2012}, - doi = {10.1109/ahs.2012.6268655}, - journaltitle = {2012 NASA/ESA Conference on Adaptive Hardware and Systems (AHS)}, - title = {Cocoon-PUF, a novel mechatronic secure element technology}, - year = {2012} -} - -@Patent{rahman1988, - author = {Mujib Rahman}, - date = {1988-03-10}, - number = {US Patent US4859024A}, - title = {Optical fiber cable with tampering detecting means}, -} - -@www{haines2006, - author = {Lester Haines}, - date = {2006-09-25}, - editor = {The Register}, - title = {US outfit patents 'invisible' UAV: Stealth through persistence of vision}, - url = {https://www.theregister.com/2006/09/25/phantom_sentinel/}, - urldate = {2020-09-17} -} - -@article{frazelle2019, - author = {Jessie Frazelle}, - date = {2019-12-01}, - doi = {10.1145/3380774.3382016}, - journaltitle = {ACM Queue}, - title = {Securing the Boot Process: The hardware root of trust}, - url = {https://dl.acm.org/doi/fullHtml/10.1145/3380774.3382016}, - urldate = {2020-10-22} -} - -@Article{albartus2020, - author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar}, - date = {2020}, - title = {{DANA} Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering}, - doi = {10.13154/tches.v2020.i4.309-336}, - number = {4}, - pages = {309–336}, - volume = {2020}, - bibsource = {dblp computer science bibliography, https://dblp.org}, - biburl = {https://dblp.org/rec/journals/tches/AlbartusHTAP20.bib}, - journal = {{IACR} Transactions on Cryptographic Hardware and Embedded Systems}, - year = {2020}, -} - -@InProceedings{trippel2017, - author = {Timothy Trippel and Ofir Weisse and Wenyuan Xu and Peter Honeyman and Kevin Fu}, - booktitle = {2017 IEEE European symposium on security and privacy}, - title = {WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks}, - organization = {IEEE}, - pages = {3–18}, - x-fetchedfrom = {Google Scholar}, - year = {2017}, -} - -@WWW{heise2020t2jailbreak, - author = {Leo Becker}, - date = {2020-03-11}, - title = {Jailbreaker nehmen T2-Sicherheitschip von Macs ins Visier}, - url = {https://www.heise.de/mac-and-i/meldung/Jailbreaker-nehmen-T2-Sicherheitschip-von-Macs-ins-Visier-4681131.html}, - organization = {Heise Online}, - publisher = {Heise Online}, -} - -@article{kim2018, - author = {Seung Hyun Kim and Su Chang Lim and others}, - journal = {Annals of Nuclear Energy}, - pages = {845–855}, - publisher = {Elsevier}, - title = {Intelligent intrusion detection system featuring a virtual fence, active intruder detection, classification, tracking, and action recognition}, - volume = {112}, - x-fetchedfrom = {Google Scholar}, - year = {2018} -} - -@Conference{johnson2018, - author = {Scott Johnson and Dominic Rizzo and Parthasarathy Ranganathan and Jon McCune and Richard Ho}, - booktitle = {Hot Chips: A Symposium on High Performance Chips}, - date = {2018}, - title = {Titan: enabling a transparent silicon root of trust for Cloud}, - url = {https://www.hotchips.org/hc30/1conf/1.14_Google_Titan_GoogleFinalTitanHotChips2018.pdf}, - x-fetchedfrom = {Google Scholar}, - year = {2018}, -} - -@TechReport{isaacs2013, - author = {Phil Isaacs and Thomas {Morris Jr} and Michael J Fisher and Keith Cuthbert}, - date = {2013}, - institution = {Surface Mount Technology Association}, - title = {Tamper proof, tamper evident encryption technology}, - booktitle = {Pan Pacific Microelectronics Symposium}, - organization = {Surface Mount Technology Association}, - x-fetchedfrom = {Google Scholar}, - year = {2013}, -} - -@inproceedings{drimer2008, - author = {Saar Drimer and Steven J Murdoch and Ross Anderson}, - booktitle = {2008 IEEE Symposium on Security and Privacy (sp 2008)}, - organization = {IEEE}, - pages = {281–295}, - title = {Thinking inside the box: system-level failures of tamper proofing}, - x-fetchedfrom = {Google Scholar}, - year = {2008} -} - -@WWW{terdiman2013, - author = {Daniel Terdiman}, - date = {2013-07-23}, - title = {Aboard America's Doomsday command and control plane}, - url = {https://www.cnet.com/news/aboard-americas-doomsday-command-and-control-plane}, - organization = {cnet.com}, - month = jul, - publisher = {CNET}, - year = {2013}, -} - -@Thesis{vrijaldenhoven2004, - author = {Serge Vrijaldenhoven}, - date = {2004-10-01}, - institution = {Technische Universiteit Eindhoven}, - title = {Acoustical Physical Uncloneable Functions}, - type = {mathesis}, - url = {https://pure.tue.nl/ws/files/46971492/600055-1.pdf}, -} - -@WWW{dexter2015, - author = {Karsten Nohl and Fabian Bräunlein and dexter}, - date = {2015-12-27}, - title = {Shopshifting: The potential for payment system abuse}, - url = {https://media.ccc.de/v/32c3-7368-shopshifting#t=2452}, - organization = {32C3 Chaos Communication Congress}, -} - -@WWW{newman2020, - author = {Lily Hay Newman}, - date = {2020-10-06}, - title = {Apple's T2 Security Chip Has an Unfixable Flaw}, - url = {https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/}, - organization = {Wired Magazine}, -} - -@Article{sh2016, - author = {Maruthi G. S. and Vishwanath Hegde}, - date = {2016}, - journaltitle = {IEEE Sensors Journal}, - title = {Application of MEMS Accelerometer for Detection and Diagnosis of Multiple Faults in the Roller Element Bearings of Three Phase Induction Motor}, - doi = {https://doi.org/10.1109/JSEN.2015.2476561}, - issn = {1558-1748}, - issue = {1}, - url = {https://www.researchgate.net/profile/Vishwanath-Hegde-2/publication/282389149_Application_of_MEMS_Accelerometer_for_Detection_and_Diagnosis_of_Multiple_Faults_in_the_Roller_Element_Bearings_of_Three_Phase_Induction_Motor/links/568bace808aebccc4e1c01fa/Application-of-MEMS-Accelerometer-for-Detection-and-Diagnosis-of-Multiple-Faults-in-the-Roller-Element-Bearings-of-Three-Phase-Induction-Motor.pdf}, - volume = {16}, -} - -@Article{kvk2019, - author = {Ivar Koene and Raine Viitala and Petri Kuosmanen}, - date = {2019}, - journaltitle = {IEEE Access}, - title = {Internet of Things Based Monitoring of Large Rotor Vibration With a Microelectromechanical Systems Accelerometer}, - doi = {https://doi.org/10.1109/ACCESS.2019.2927793}, -} - -@TechReport{adc2019, - author = {Bertrand Campagnie}, - date = {2019}, - institution = {Analog Devices}, - title = {Choose the Right Accelerometer for Predictive Maintenance}, - url = {https://www.analog.com/media/en/technical-documentation/tech-articles/Choose-the-Right-Accelerometer-for-Predictive-Maintenance.pdf}, - urldate = {2021-04-01}, -} - -@PhdThesis{e2013, - author = {Maged Elsaid Elnady}, - date = {2013}, - institution = {University of Manchester}, - title = {On-Shaft Vibration Measurement Using a MEMS Accelerometer for Faults Diagnosis in Rotating Machines}, - url = {https://www.research.manchester.ac.uk/portal/files/54530535/FULL_TEXT.PDF}, - urldate = {2021-04-01}, -} - -@Book{iaea2011, - author = {{{International Atomic Energy Agency}}}, - date = {2011}, - title = {Safeguards, techniques and equipmen.}, - isbn = {978-92-0-118910-3}, - series = {International Nuclear Verification Series}, - url = {https://www-pub.iaea.org/MTCD/Publications/PDF/nvs1_web.pdf}, - urldate = {2021-04-01}, - volume = {1}, -} - -@Comment{jabref-meta: databaseType:biblatex;} diff --git a/paper/rotohsm_paper.tex b/paper/rotohsm_paper.tex deleted file mode 100644 index 6bbe362..0000000 --- a/paper/rotohsm_paper.tex +++ /dev/null @@ -1,755 +0,0 @@ -\documentclass[nohyperref,submission]{iacrtrans} -\usepackage[T1]{fontenc} -\usepackage[ - backend=biber, - style=numeric, - natbib=true, - url=false, - doi=true, - eprint=false - ]{biblatex} -\addbibresource{rotohsm.bib} -\usepackage{amssymb,amsmath} -\usepackage{eurosym} -\usepackage{wasysym} -\usepackage{amsthm} -\usepackage{censor} - -\makeatletter -\@ifclasswith{iacrtrans}{submission}{ - \newcommand{\censorIfSubmission}[1]{\censor{#1}{\scriptsize[Author information removed for double-blind peer review]}} -}{ - \newcommand{\censorIfSubmission}[1]{#1} -} -\makeatother - -\usepackage[binary-units]{siunitx} -\DeclareSIUnit{\baud}{Bd} -\DeclareSIUnit{\year}{a} -\usepackage{commath} -\usepackage{graphicx,color} -\usepackage{subcaption} -\usepackage{array} -\usepackage{hyperref} - -\renewcommand{\floatpagefraction}{.8} -\newcommand{\degree}{\ensuremath{^\circ}} -\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} -\newcommand{\partnum}[1]{\texttt{#1}} - -\begin{document} - -\title[Can't Touch This: Inertial HSMs Thwart Advanced Physical Attacks]{Can't Touch This: Inertial HSMs Thwart Advanced Physical Attacks} -\author{Jan Sebastian Götte \and Björn Scheuermann} -\institute{HIIG\\ \email{ihsm@jaseg.de} \and HU Berlin \\ \email{scheuermann@informatik.hu-berlin.de}} -% FIXME keywords -\keywords{hardware security \and implementation \and smart cards \and electronic commerce} -\maketitle - -\begin{abstract} - In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules - (iHSMs). Conventional systems have in common that their security requires the crafting of fine sensor structures - that respond to minute manipulations of the monitored security boundary or volume. Our approach is novel in that we - reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any - manipulations by rotating the security mesh or sensor at high speed---thereby presenting a moving target to an - attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. - Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet - offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware - prototype that demonstrates solutions to the concept's main engineering challenges. As part of this proof of - concept, we have found that a system using a coarse security mesh made from commercial printed circuit boards and an - automotive high g-force accelerometer already provides a useful level of security. -\end{abstract} - -\section{Introduction} - -While information security technology has matured a great deal in the last half century, physical security not kept up -with the pace of the remainder of this industry. Given the right skills, physical access to a computer still often -allows full compromise. The physical security of modern server hardware hinges on what lock you put on the room it is -in. - -Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid -switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between -physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key -infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic -co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of -trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured -TPM~\cite{newman2020,frazelle2019,johnson2018}. -Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure -them against tampering is a good engineering solution for some years to come. However, in essence this is a type of -security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern -ICs~\cite{albartus2020,anderson2020}. - -In contrast to TPMs and Smartcards, HSMs rely on an active security barrier usually consisting of a fragile foil with -conductive traces. These traces are much larger scale than a smart card IC's microscopic structures, and instead are -designed to be very hard to remove intact. While we are certain that there still are many insights to be gained in both -technologies, we wish to introduce a novel approach to sidestep the manufacturing issues of both and provide radically -better security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made -much more difficult to attack by moving it very quickly. - -For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set -by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, -solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual -defenses, this modified HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high -speed. How would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the -accelerometer's monitoring circuit---or they would have to attack the HSM in motion. The HSM literally becomes a moving -target. At slow speeds, rotating the entire attack workbench might be possible---but rotating frames of reference -quickly become inhospitable to human life (see Section~\ref{sec_swivel_chair_attack}). Since non-contact electromagnetic -or optical attacks are more limited in the first place and can be shielded, we have effectively forced the attacker to -use an ``attack robot''. - -This paper contains the following contributions: -\begin{enumerate} - \item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost effective, small scale production of - highly secure HSMs. - \item We discuss possible tamper sensors for inertial HSMs. - \item We explore the design space of our inertial HSM concept. - \item We present our work on a prototype inertial HSM (Figure~\ref{prototype_picture}). - \item We present an analysis on the viability of using commodity MEMS accelerometers as braking sensors. - % FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack. -\end{enumerate} - -\begin{figure} - \center - \includegraphics[width=12cm]{prototype_pic2.jpg} - \caption{The protoype as we used it to test power transfer and bidirectional communication between stator and rotor. - This picture shows the proof of concept prototype's configuration that we used for accelerometer characterization - (Section~\ref{sec_accel_meas}) without the vertical security mesh struts that connect the circular top and bottom - outer meshes.} - \label{prototype_picture} -\end{figure} - -In Section~\ref{sec_related_work}, we will give an overview of the state of the art in HSM physical security. On this -basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our Inertial HSM approach. We will -analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof of concept hardware -prototype that whose design we will elaborate in Section~\ref{sec_proto}. In Section~\ref{sec_accel_meas} we present our -characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof of concept prototype. We -conclude this paper with a general evaluation of our design in Section~\ref{sec_conclusion}. - -\section{Related work} -\label{sec_related_work} -% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion -% beyond ultrasound. - -In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper -detection. - -HSMs are an old technology that traces back decades in its electronic realization. Today's common approach of monitoring -meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security -problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, -anderson2020}. There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic -radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research has found -widespread adoption yet. - -HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper evident devices. The difference is that a -HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine -it. This examination can be by eye in the field, but it can also be carried out in a laboratory using complex equipment. -An HSM in principle has to have this examination equipment built-in. - -Physical seals are used in a wide variety of applications, but the most interesting ones from a research point of view -that are recorded in public literature are those used in monitoring of nuclear material under the International Atomic -Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically -Uncloneable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in -a way that intentionally causes large, random device to device variations. These variations are precisely recorded at -deployment. At the end of the seal's lifetime, the seal is returned from the field to the lab and closely examined to -check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes random -scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the -uncontrollably random distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well as the -precise three-dimensional surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}. - -The IAEA's equipment portfolio does include electronic seals such as the EOSS. These devices are intended for remote -reading, similar to an HSM. They are constructed from two components: A cable that is surveilled for tampering, and a -monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil such as it is used in -commercial HSMs. - -In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example HSM that they cite is -the IBM 4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard -construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical -security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature and radiation -sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional -construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state that the -module monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper -detection and construction is similar to other commercial -offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. - -Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an -HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to -traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example). -Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in -covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A -core component of their design is that they propose its use as a PUF to allow for protection even when powered off, -similar to a smart card---but the design is not limited to this use. - -In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based -around commodity WiFi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference -signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections -and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that -the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the -volume of the cavity will cause a significant change in its RF response. A core component of the work of Tobisch et -al.~\cite{tobisch2020}\ is that they use commodity WiFi hardware to reduce the cost of the HSM's sensing circuitry. The -resulting system is likely both much cheaper and capable of protecting a much larger security envelope than designs -using finely patterned foil security meshes such as~\cite{immler2019}, at the cost of worse and less predictable -security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven -in~\cite{vrijaldenhoven2004} uses ultrasound waves travelling on a surface acoustic wave (SAW) device to a similar end. - -While Tobisch et al.~\cite{tobisch2020}\ approach the sensing frontend cost as their primary optimization target, the -prior work of Kreft and Adi~\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume -barely larger than a single chip. They theorize how an array of distributed RF transceivers can measure the physical -properties of a potting compound that has been loaded with RF-reflective grains. In their concept, the RF response -characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains -within the potting compound. - -To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a -hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security -barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture -these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap -low performance security barrier and transforming it into a marginally more expensive but high performance one. The -closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that -describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled -with pressurized gas. - -In January 2020, we have uploaded an eprint of a short tech report with a rough description of the inertial HSM -concept\cite{gs21}. Up to the time this paper was written, we have not received communication in response to this eprint -that would indicate prior art. - -\subsection{Patent literature} -During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not -find any mentions of similar concepts either in academic literature or in patents. Thus, while we cannot give any -guarantees, we seem likely to be the inventors of this idea and we are fairly sure it is not covered by any patents or -other restrictions at this point in time. - -Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are -already commercially available, we have decided against applying for a patent and we wish to make it available to the -general public without any restrictions on its use. We invite you build on our work as you wish and to base your own -work on our publications without any fees or commercial restrictions. Where possible, we ask you to cite this paper and -attribute the inertial HSM concept to its authors. - -\section{Inertial HSM construction and operation} -\label{sec_ihsm_construction} - -Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and -is routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first -to use it in tamper detection. - -The core questions in the design of an inertial HSM are the following: - -\begin{enumerate} - \item What \textbf{type of motion} to use, such as rotation, pendulum motion, or linear motion. - \item How to construct the \textbf{tamper detection sensor}. - \item How to \textbf{detect braking} of the IHSM's movement. - \item The \textbf{mechanical layout} of the system. -\end{enumerate} - -We will approach these questions one by one in the following subsections. - -\subsection{Inertial HSM motion} -\label{sec_ihsm_motion} - -First, there are several ways that we can approach motion. There is periodic, aperiodic and continuous motion. There is -also linear motion as well as rotation. We can also vary the degree of electronic control in this motion. The main -constraints we have on the HSM's motion pattern are that it needs to be (almost) continuous so as to not expose any weak -spots during instantaneous standstill of the HSM. Additionally, for space efficiency the HSM has to stay within a -confined space. This means that linear motion would have to be periodic, like that of a pendulum. Such periodic linear -motion will have to quickly reverse direction at its apex so the device is not stationary long enough for this to become -a weak spot. - -In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the -device. In case it has a fixed axis, rotation will expose a weak spot at the axis of rotation where the surface's -tangential velocity is low. Faster rotation can lessen the security impact of this fact at the expense of power -consumption and mechanical stress, but it can never eliminate it. This effect can be alleviated in two ways: Either by -adding additional tamper protection at the axis, or by having the HSM perform a compound rotation that has no fixed -axis. - -Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled -disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in what we -call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion -would have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from -following the devices motion since doing so would subject them to impractically large centrifugal forces. Essentially, -this limits the approximate maximum size and mass of an attacker based on an assumption on tolerable centrifugal force. - -In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we are focusing on -systems that have a fixed axis of rotation due to their simple construction but we do wish to note the challenge of -hardening the shaft against tampering that any production device would have to tackle. - -\subsection{Tamper detection mesh construction} - -Once we have decided how our IHSM's security barrier should move, what remains is the actual implementation -of that security barrier. There are two movements that we have observed that are key to our work. On the one hand, there -is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems -deployed in the field for a variety of use cases from low security payment processing devices to high security -certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of -security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to -fabricate enclosures that embed characteristics of a Physically Uncloneable Function. By using stochastic properties of -the enclosure material to form a PUF, such academic designs effectively leverage signal processing techniques to improve -the system's security level by a significant margin. - -In our research, we focus on security meshes as our IHSM's tamper sensors. Most of the cost in commercial security mesh -implementations lies in the advanced manufacturing techniques and special materials necessary to achieve a sensitive -mesh at fine structure sizes. The foundation of an IHSM security is that by moving the mesh even a primitive, coarse -mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack in practice. This allows us to use a simple -construction made up from low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself -and its monitoring circuit and keep the payload inside the mesh stationary. Tamper sensing technologies that use the -entire volume of the HSM such as RF-based systems do not allow for this degree of freedom in their design: They would -require the entire IHSM to spin, including its payload, which would entail costly and complex systems for data and power -transfer from the outside to the payload. - -\subsection{Braking detection} - -The security mesh is a critical component in the IHSM's defense against physical attacks, but its monitoring is only one -half of this defense. The other half consists of a reliable and sensitive braking detection system. This system must be -able to quickly detect any slowing of the IHSM's rotation. Ideally, a sufficiently sensitive sensor should be able to -measure any external force applied to the IHSM's rotor and should already trigger a response at the first signs of a -manipulation attempt. - -While the obvious choice to monitor rotation would be a tachometer such as a magnetic or opitical sensor attached to the -IHSM's shaft, this would be a poor choice in our application. Both optical and magnetic sensors are susceptible to -contact-less interference from outside. A different option would be to use feedback from the motor driver electronics. -When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this -approach is that depending on construction, it might invite attacks at the mechanical interface between mesh and the -motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation or electrical -discharge machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is -already standing still. - -Instead of a stator-side sensor like a magnetic tachometer or feedback from the BLDC controller, an accelerometer placed -inside the spinning mesh monitoring circuit would be a good component to serve as an IHSM's tamper sensor. Modern, fully -intergrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of the device's -mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper with the device's -motion. It may also allow remote monitoring of the device's mechanical components such as bearings: MEMS accelerometers -are fast enough to capture vibrations, which can be used as an early warning sign of failing mechanical -components~\cite{kvk2019,sh2016,adc2019,e2013}. - -In a spinning IHSM, an accelerometer mounted at a known radius with its axis pointing radially will measure centrifugal -acceleration. Centrifugal acceleration rises linearly with radius, and with the square of frequency: $a=\omega^2 r$. For -a given target speed of rotation, the accelerometer's location has to be carefully chosen to maximize dynamic range. A -key point here is that for rotation speeds between $500$ and $\SI{1000}{rpm}$, centrifugal acceleration already becomes -very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}\approx\SI{17}{\hertz}$ at a -$\SI{10}{\centi\meter}$ radius acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. While -beneficial for security, this large acceleration leads to two practical constraints. First, off-axis performance of -commercial accelerometers is usually in the order of $\SI{1}{\percent}$ so this large acceleration will feed through -into all accelerometer axes, even those that are tangential to the rotation. Second, we either have to place the -accelerometer close to the axis or we are limited to a small selection of high-$g$ accelerometers mostly used in -automotive applications. - -To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark: Let us assume that an -IHSM is spinning at $\SI{1000}{rpm}$ and that we wish to detect any attempt to brake it below $\SI{500}{rpm}$. The -difference in centrifugal acceleration that our accelerometer will have to detect then is a factor of -$\frac{\omega_2^2}{\omega_1^2}=4$. If we choose our accelerometer's location to maximize its dynamic range, any -commercial MEMS accelerometer should suffice for this degree of accuracy even over long timespans. For rapid -deceleration, commercial accelerometers will be much more sensitive as effects of long-term drift can be ignored. If we -wish to also detect very slow deceleration, we have to take into account the accelerometer's drift characteristics. - -In Section~\ref{sec_accel_meas} below we conduct an empirical evaluation of a commercial automotive high-$g$ MEMS -accelerometer for braking detection in our prototype IHSM. - -\subsection{Mechanical layout} - -With our IHSM's components taken care of, what remains to be decided is how to put together these individual components -into a complete device. A basic spinning HSM might look like shown in Figure~\ref{fig_schema_one_axis}. Shown are the -axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload and the -area covered by the rotating tamper detection mesh. A key observation is that we only have to move the tamper -protection mesh, not the entire contents of the HSM. The HSM's payload and with it most of the HSM's mass can be -stationary. This reduces the moment of inertia of the moving part. This basic schema accepts a weak spot at the point -where the shaft penetrates the spinning mesh. This trade-off makes for a simple mechanical construction and allows -power and data connections to the stationary payload through a hollow shaft. - -\begin{figure} - \center - \includegraphics{concept_vis_one_axis.pdf} - \caption{Concept of a simple spinning Inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 - - Accelerometer. 5 - Shaft penetrating security mesh.} - \label{fig_schema_one_axis} -\end{figure} - -The spinning mesh must be designed to cover the entire surface of the payload, but it suffices if it sweeps over every -part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside air -to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious -issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be -solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used -exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. -Using longitudinal gaps in the mesh, our setup allows direct air cooling of regular heatsinks. This unlocks much more -powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an -evolution of our design, the spinning mesh could even be designed to \emph{be} a cooling fan. - -\section{Attacks} -\label{sec_attacks} - -After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to -attack it. At the core of an IHSM's defenses is the same security mesh or other technology as it is used in traditional -HSMs. This means that in the end an attacker will have to perform the same steps they would have to perform to attack a -traditional HSM. Only, they will either have to perform these attack steps with a tool that follows the HSMs rotation -at high speed or they will first have to defeat the braking sensor. Attacking the IHSM in motion may require specialized -mechanical tools, CNC actuators or even a contactless attack using a laser, plasma jet or water jet. - -\subsection{The Swivel Chair Attack} -\label{sec_swivel_chair_attack} - -First we will consider the most basic of all attacks: A human attacker holding a soldering iron trying to rotate -themselves along with the mesh using a very fast swivel chair. Let us pessimistically assume that this co-rotating -attacker has their center of mass on the axis of rotation. The attacker's body is likely on the order of -$\SI{200}{\milli\meter}$ wide along its shortest axis, resulting in a minimum radius from axis of rotation to surface of -about $\SI{100}{\milli\meter}$. Wikipedia lists horizontal g forces in the order of $\SI{20}{g}$ as the upper end of the -range tolerable by humans for seconds at a time or longer. We thus set our target acceleration to -$\SI{100}{g}\;\approx\;\SI{1000}{\meter\per\second^2}$, a safety factor of $5$ past that range. Centrifugal -acceleration is $a=\omega^2 r$. In our example this results in a minimum angular velocity of $f_\text{min} = -\frac{1}{2\pi}\sqrt{\frac{a}{r}} = \frac{1}{2\pi}\sqrt{\frac{\SI{1000}{\meter\per\second^2}}{\SI{100}{\milli\meter}}} -\approx \SI{16}{\hertz} \approx \SI{1000}{rpm}$. From this we can conclude that even at moderate speeds of -$\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some -kind of mechanical tool. - -\subsection{Mechanical weak spots} - -The tamper defense of an IHSM rests on the security mesh moving too fast to tamper. Depending on the type of motion -used, the meshes speed may vary by location and over time. Our example configuration of a rotating mesh can keep moving -continuously, so it does not have any time-dependent weak spots. It does however have a weak spot at its axis of -rotation, at the point where the shaft penetrates the mesh. The meshes tangential velocity decreases close to the shaft, -and the shaft itself may allow an attacker to insert tools such as probes into the device through the opening it -creates. This issue is related to the issue conventional HSMs also face with their power and data connections. In -conventional HSMs, power and data are routed into the enclosure through the PCB or flat flex cables sandwiched in -between security mesh foil layers. In traditional HSMs this interface rarely is a mechanical weak spot since they use a -thin mesh substrate and create a meandering path by folding the interconnect substrate/security mesh layers several -times. In inertial HSMs, careful engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows -variations of the shaft interface with increasing complexity. - -\begin{figure} - \begin{subfigure}[t]{0.3\textwidth} - \center - \includegraphics[width=4cm]{ihsm_shaft_countermeasures_a.pdf} - \caption{Cross-sectional view of the basic configuration with no special protection of the shaft. Red: Moving - mesh -- Black: Stationary part.} - \label{shaft_cm_a} - \end{subfigure} - \hfill - \begin{subfigure}[t]{0.3\textwidth} - \center - \includegraphics[width=4cm]{ihsm_shaft_countermeasures_b.pdf} - \caption{An internal, independently rotating disc greatly decreases the space available to attackers at the - expense of another moving part and a second moving monitoring circuit.} - \label{shaft_cm_a} - \end{subfigure} - \hfill - \begin{subfigure}[t]{0.3\textwidth} - \center - \includegraphics[width=4cm]{ihsm_shaft_countermeasures_c.pdf} - \caption{A second moving tamper detection mesh also enables more complex topographies.} - \label{shaft_cm_a} - \end{subfigure} - \caption{Mechanical countermeasures to attacks through or close to the shaft of a fixed-axis rotating IHSM.} - \label{shaft_cm} -\end{figure} - -\subsection{Attacking the mesh in motion} - -To disable the mesh itself, an attacker can choose two paths. One is to attack the mesh itself, for example by bridging -its traces. The other option is to tamper with the monitoring circuit to prevent a damaged mesh from triggering an -alarm~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e.\ they require electrical contact to -parts of the circuit. Traditionally, this contact is made by soldering a wire or by placing a probe such as a thin -needle. We consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack -avenues may be to rotate an attack tool in sync with the mesh, or to use a laser or ion beam fired at the mesh to cut -traces or carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting -compound and shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the -complexity of such attacks. - -\subsection{Attacks on the rotation sensor} - -Instead of attacking the mesh in motion, an attacker may also try to first stop the rotor. To succeed, they would need -to falsify the rotor's MEMS accelerometer measurements. We can disregard electronic attacks on the sensor or the -monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be -physical attacks of the accelerometer's sensing mechanism. -MEMS accelerometers usually use a cantilever design in which a proof mass moves a cantilever whose precise position is -measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these -mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings. -A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the -device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the -mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the -security envelope and by varying the rate of rotation over time. - -\subsection{Attacks on the alarm circuit} - -Besides trying to deactivate the tamper detection mesh, an electronic attack could also target the alarm circuitry -inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a -cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat -message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope. -Like in conventional HSMs, it has to be built to either tolerate or detect environmental attacks using sensors for -temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration and gases or -liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured. -To prevent replay attacks link latency must continuously be measured, so this link must be bidirectional. -% If it were unidirectional, an attacker could -% act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed -% (say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary -% deviations in the transmitter's local clock frequency. Thus, after some time the attacker can simply stop the rotor and -% break the mesh while replaying the leftover recorded ``no alarm'' signal. Given the frequency stability of commercial -% crystals, this would yield the attacker several seconds of undisturbed attack time per hour of recording time. - -\subsection{Fast and violent attacks} - -A variation of the above attacks on the alarm circuitry is to simply destroy the part of the HSM that erases data in -response to tampering before it can perform its job using a tool such as a large hammer or a gun. To mitigate this type -of attack, the HSM must be engineered to be either tough or brittle: Tough enough that the tamper response circuitry -will reliably withstand any attack for long enough to carry out its function or brittle in a way that during any attack, -the payload is reliably destroyed before the tamper response circuitry. - -\section{Proof of Concept Prototype implementation} -\label{sec_proto} - -As we elaborated above, the mechanical component of an IHSM significantly increases the complexity of any attack even -when implemented using only common, off-the-shelf parts. In view of this amplification of design security we have -decided to validate our theoretical studies by implementing a proof of concept prototype IHSM -(Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof of concept prototype -were: - -\begin{enumerate} - \item A mechanical design suitable for rapid prototyping that can withstand at least $\SI{500}{rpm}$. - \item The Automatic generation of security mesh PCB layouts for quick adaption to new form factors. - \item Non-contact power transmission from stator to rotor. - \item Non-contact bidirectional data communication between stator and rotor. -\end{enumerate} - -We will outline our findings on these challenges one by one in the following paragraphs. - -\subsection{Mechanical design} - -We sized our proof of concept prototype to have sufficient payload space for up to two full-size Raspberry Pi boards to -approximate a traditional HSM's processing capabilities. We use printed circuit boards as the main structural material -for the rotating part, and 2020 aluminium extrusion for its mounting frame. Figure~\ref{fig_proto_mesh} shows the -rotor's mechanical PCB designs. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already -sufficiently narrow to pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our -prototype incorporates a functional PCB security mesh. As we observed previously, this mesh only needs to cover every -part of the system once per revolution, so we designed the longituninal PCBs as narrow strips to save weight. - -\subsection{PCB security mesh generation} - -% FIXME censor link in peer-review version! -Our proof-of-concept security mesh covers a total of five interlocking mesh PCBs (Figure~\ref{mesh_gen_sample}). A sixth -PCB contains the monitoring circuit and connects to these mesh PCBs. To speed up design iterations, we automated the -generation of this security mesh through a plugin for the KiCAD EDA -suite\footnote{\censorIfSubmission{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}}. Figure~\ref{mesh_gen_viz} visualizes the mesh -generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a randomized tree -covering the grid. Finally, individual mesh traces are traced according to a depth-first search through this tree. -We consider the quality of the plugin's output sufficient for practical applications. Together with FreeCAD's KiCAD -StepUp plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB files. - -\begin{figure} - \begin{subfigure}{0.35\textwidth} - \center - \includegraphics[height=7cm]{proto_3d_design.jpg} - \caption{The 3D CAD design of the proof of concept prototype.} - \end{subfigure} - \hfill - \begin{subfigure}{0.6\textwidth} - \includegraphics[width=8cm]{rotor_stator.jpg} - \center - \caption{Assembled mechanical prototype rotor (left) and stator (right) PCB components.} - \end{subfigure} - \caption{Our proof of concept prototype IHSM's PCB security mesh design} - \label{fig_proto_mesh} -\end{figure} - -\begin{figure} - \begin{subfigure}{\textwidth} - \center - \includegraphics[width=9cm]{mesh_gen_viz.pdf} - \caption{Overview of the automatic security mesh generation process. 1 - Example target area. 2 - Grid overlay. - 3 - Grid cells outside of the target area are removed. 4 - A random tree covering the remaining cells is - generated. 5 - The mesh traces are traced along a depth-first walk of the tree. 6 - Result.} - \label{mesh_gen_viz} - \end{subfigure} - \begin{subfigure}{\textwidth} - \center - \includegraphics[width=6cm]{mesh_scan_crop.jpg} - \caption{Detail of a PCB produced with a generated mesh.} - \label{mesh_gen_sample} - \end{subfigure} - \caption{Our automatic security mesh generation process} - \label{mesh_gen_fig} -\end{figure} - -\subsection{Power transmission from stator to rotor} - -The spinning mesh has its own autonomous monitoring circuit. This spinning monitoring circuit needs both power and data -connectivity to the stator. To design the power link, we first have to estimate the monitoring circuit's power -consumption. We base our calculation on the (conservative) assumption that the spinning mesh sensor should send its -tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At -$\SI{100}{\kilo\baud}$, a transmission of a one-byte message in standard UART framing would take -$\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that -requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of -$\SI{100}{\micro\ampere}$. Reserving another $\SI{100}{\micro\ampere}$ for the monitoring circuit itself we arrive at an -energy consumption of $\SI{1.7}{\ampere\hour}$ per year. - -This annual energy consumption is close to the capacity of a single CR123A lithium primary cell. Thus, by either using -several such cells or by optimizing power consumption several years of battery life could easily be reached. In our -proof of concept prototype we decided against using a battery to reduce rotor mass and balancing issues. - -We also decided against mechanically complex solutions such as slip rings or electronically complex ones such as -inductive power transfer. Instead, we chose a simple setup consisting of a stationary lamp pointing at several solar -cells on the rotor. At the monitoring circuit's low power consumption power transfer efficiency is irrelevant, so this -solution is practical. Our system uses six series-connected solar cells mounted on the end of the cylindrical rotor -that are fed into a large $\SI{33}{\micro\farad}$ ceramic buffer capacitor through a Schottky diode. This solution -provides around $\SI{3.0}{\volt}$ at several tens of $\si{\milli\ampere}$ to the payload when illuminated using either -a $\SI{60}{\watt}$ incandescent light bulb or a flicker-free LED studio light of similar brightness\footnote{LED lights -intended for room lighting exhibit significant flicker that can cause the monitoring circuit to reset. Incandescent -lighting requires some care in shielding the data link from the light bulb's considerable infrared output.}. - -\subsection{Data transmission between stator and rotor} - -Besides power transfer from stator to rotor, we need a reliable, bidirectional data link to transmit mesh status and a -low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a -quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a -transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into an -\texttt{MCP6494} general purpose opamp configured as an $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in -Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time before being squared up by a -comparator. Our design trades off stator-side power consumption for a reduction in rotor-side power consumption by -using a narrow-angle IR led and photodiode on the rotor, and wide-angle components at a higher LED current on the -stator. Figure~\ref{ir_tx_schema} shows the physical arrangement of both links. The links face opposite one another and -are shielded from one another by the motor's body in the center of the PCB. - -% We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current -% consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a -% useful transimpedance in the photodiode-facing TIA stage. - -\begin{figure} - \begin{subfigure}{0.3\textwidth} - \includegraphics[width=4.5cm]{ir_tx_schema.pdf} - \caption{Basic layout, view along axis of rotation. 1 - - Rotor base PCB. 2 - Stator IR link PCB. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.} - \label{ir_tx_schema} - \end{subfigure} - \hfill - \begin{subfigure}{0.65\textwidth} - \includegraphics[width=9cm]{photolink_schematic.pdf} - \caption{Schematic with sample component values. C2 is highly dependent on the photodiode characteristics and - stray capacitances.} - \label{photolink_schematic} - \end{subfigure} - \caption{IR data link implementation} -\end{figure} - -\subsection{Evaluation} - -The compoleted proof of concept hardware worked as intended. Both rotating power and data links worked well. As we -expected, the mechanical design vibrated at higher speeds but despite these unintended vibrations we were able reach -speeds in excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link -and the data links continued to function without issue. - -\section{Using MEMS accelerometers for braking detection} -\label{sec_accel_meas} - -Using the proof of concept prototype from the previous section, we performed an evaluation of an \partnum{AIS1120} -commercial automotive MEMS accelerometer as a braking sensor. The device is mounted inside our prototype at a radius of -$\SI{55}{\milli\meter}$ from the axis of rotation to the center of the device's package. The \partnum{AIS1120} provides -a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$. - -Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually -control this motor controller through an RC servo tester. In our experiments we externally measured the device's speed -of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using an -USB logic analyzer at a sampling rate of $\SI{100}{\mega\hertz}$. We calculcate rotation frequency as a -$\SI{1}{\second}$ running average over debounced interval lengths of this captured signal\footnote{A regular frequency -counter or commercial tachometer would have been easier, but neither was available in our limited COVID-19 home office -lab.}. - -The accelerometer is controlled from the \partnum{STM32} microcontroller on the rotor of our IHSM prototype platform. -Timed by an external quartz, the microcontroller samples accelerometer readings at $\SI{10}{\hertz}$. Readings are -accumulated in a small memory buffer, which is continuously transmitted out through the prototype platform's infrared -link. Data is packetized with a sequence number indicating the buffer's position in the data stream and a CRC-32 -checksum for error detection. On the host, a Python script stores all packets received with a valid checksum in an -SQLite database. - -Data analysis is done separately from data capture. An analysis IPython Notebook reads captured packets and reassembles -the continuous sample stream based on the packets' sequence numbers. The low $\SI{10}{\hertz}$ sampling rate and high -$\SI{115}{\kilo Bd}$ transmission speed lead to a large degree of redundancy with gaps in the data stream being rare. -This allowed us to avoid writing retransmission logic or data interpolation. - -Figure~\ref{fig-acc-steps} shows an entire run of the experiment. During this run, we started with the rotor at -standstill, then manually increased its speed of rotation in steps. Areas shaded gray are intervals where we manually -adjust the rotors speed. The unshaded areas in between are intervals when the rotor speed is steady. -Figure~\ref{fig-acc-stacked} shows a magnified view of these periods of steady rotor speed. In both graphs, orange -lines indicate centrifugal acceleration as calculated from rotor speed measurements. Visually, we can see that -measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the -accelerometer's intrinsic errors as well as error in its placement due to construction tolerances. - -The accelerometer's primary intrinsic errors are offset error and scale error. Offset error is a fixed additive offset -to all measurements. Scale error is an error proportional to a measurements value that results from a deviation between -the device's specified and actual sensitivity. We correct for both errors by first extracting all stable intervals from -the time series, then fitting a linear function to the measured data. Offset error is this linear function's intercept, -and scale error is its slope. We then apply this correction to all captured data before plotting and later analysis. -Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of -the device's offset remaining. At high speeds of rotation this remaining offset does not have an appreciable impact, but -due to the quadratic nature of centrifugal acceleration at low speeds it causes a large relative error of up to -$\SI{10}{\percent}$ at $\SI{95}{rpm}$. - -After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data. -Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity -since we tested our proof of concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that -this harmonic content is a clean intermodulation product of the accelerometers sampling rate and the speed of rotation -with no other visible artifacts. - -Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark -blue, and theoretical behavior is shown in orange. From our measurements we can conclude that an accelerometer is a good -choice for an IHSM's braking sensor. A simple threshold set according to the sensor's calculated expected centrifugal -force should be sufficient to reliably detect manipulation attempts without resulting in false positives. Periodic -controlled changes in the IHSM's speed of rotation allow an offset and scale calibration of the accelerometer on the -fly, without stopping the rotor. - -\begin{figure} - \center - \includegraphics[width=0.7\textwidth]{../prototype/sensor-analysis/fig-acc-theory-meas-run50.pdf} - \caption{Centrifugal acceleration versus angular frequency in theory and in our experiments. Experimental - measurements are shown after correction for device-specific offset and scale error. Our measurements - showed good agreement with our theoretical results. Above \SI{300}{rpm}, the relative acceleration error was consistently - below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error that remains after our first-order - corrections has a strong impact ($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$.)} - \label{fig-acc-theory} -\end{figure} - -\begin{figure} - \begin{subfigure}{0.5\textwidth} - \center - \includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-steps-run50.pdf} - \caption{Raw recording of accelerometer measurements during one experiment run. Shaded areas indicate time - intervals when we manually adjusted speed.} - \label{fig-acc-steps} - \end{subfigure} - \hfill - \begin{subfigure}{0.45\textwidth} - \center - \includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-stacked-run50.pdf} - \caption{Valid measurements cropped out from \ref{fig-acc-steps} for various frequencies. Intermodulation - artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SI{3}{\hertz}$ to - $\SI{18}{\hertz}$ rotation frequency due to gravity and device vibration are clearly visible.} - \label{fig-acc-stacked} - \end{subfigure} - \label{fig-acc-traces} - \caption{Traces of acceleration measurements during one experiment run.} -\end{figure} - -\section{Conclusion} -\label{sec_conclusion} - -In this paper we introduced Inertial Hardware Security Modules (iHSMs), a novel concept for the construction of advanced -hardware security modules from simple components. We analyzed the concept for its security properties and highlighted -its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design by creating a -proof of concept hardware prototype. In this prototype we have demonstrated practical solutions to the major electronics -design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation. We have used our -prototype to perform several experiments to validate the rotary power and data links and the onboard accelerometer. Our -measurements have shown that our proof-of-concept solar cell power link works well and that our simple IR data link -already is sufficiently reliable for telemetry. Our experiments with an \partnum{AIS1120} automotive MEMS accelerometer -showed that this part is well-suited for braking detection in the range of rotation speed relevant to the IHSM scenario. - -Overall, our findings validate the viability of IHSMs as an evolutionary step beyond traditional HSM technology. IHSMs -offer a high level of security beyond what traditional techniques can offer even when built from simple components. They -allow the construction of devices secure against a wide range of practical attacks in small quantities and without -specialized tools. The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with -traditional HSMs. Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful -computing hardware inside the HSM. We hope that this simple construction will stimulate academic research into (more) -secure hardware. - -\printbibliography[heading=bibintoc] - - -%%% FIXME remove appendix and work into text. - -\center{ - \center{This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository - can be found at:} - - \center{\censorIfSubmission{\url{https://git.jaseg.de/rotohsm.git}}} -} -\end{document} diff --git a/paper/rotohsm_tech_report.tex b/paper/rotohsm_tech_report.tex deleted file mode 100644 index e9d571f..0000000 --- a/paper/rotohsm_tech_report.tex +++ /dev/null @@ -1,300 +0,0 @@ -\documentclass[10pt,journal,a4paper]{IEEEtran} -\usepackage[english]{babel} -\usepackage[utf8]{inputenc} -\usepackage[T1]{fontenc} -\usepackage[ - backend=biber, - style=numeric, - natbib=true, - url=false, - doi=true, - eprint=false - ]{biblatex} -\addbibresource{rotohsm.bib} -\usepackage{amssymb,amsmath} -\usepackage{listings} -\usepackage{eurosym} -\usepackage{wasysym} -\usepackage{amsthm} -\usepackage{tabularx} -\usepackage{multirow} -\usepackage{multicol} -\usepackage{tikz} -\usepackage{mathtools} -\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil} -\DeclarePairedDelimiter{\paren}{(}{)} - -\usetikzlibrary{arrows} -\usetikzlibrary{chains} -\usetikzlibrary{backgrounds} -\usetikzlibrary{calc} -\usetikzlibrary{decorations.markings} -\usetikzlibrary{decorations.pathreplacing} -\usetikzlibrary{fit} -\usetikzlibrary{patterns} -\usetikzlibrary{positioning} -\usetikzlibrary{shapes} - -\usepackage[binary-units]{siunitx} -\DeclareSIUnit{\baud}{Bd} -\DeclareSIUnit{\year}{a} -\usepackage{hyperref} -\usepackage{tabularx} -\usepackage{commath} -\usepackage{graphicx,color} -\usepackage{ccicons} -\usepackage{subcaption} -\usepackage{float} -\usepackage{footmisc} -\usepackage{array} -\usepackage[underline=false]{pgf-umlsd} -\usetikzlibrary{calc} -%\usepackage[pdftex]{graphicx,color} -\usepackage{epstopdf} -\usepackage{pdfpages} -\usepackage{minted} % pygmentized source code - -\renewcommand{\floatpagefraction}{.8} -\newcommand{\degree}{\ensuremath{^\circ}} -\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} - -\usepackage{fancyhdr} -\fancyhf{} -\fancyfoot[C]{\thepage} -\newcommand{\includenotebook}[2]{ - \fancyhead[C]{Included Jupyter notebook: #1} - \includepdf[pages=1, - pagecommand={\thispagestyle{fancy}\section{#1}\label{#2_notebook}} - ]{resources/#2.pdf} - \includepdf[pages=2-, - pagecommand={\thispagestyle{fancy}} - ]{resources/#2.pdf} -} - -\begin{document} - -\title{Tech Report: Inerial HSMs Thwart Advanced Physical Attacks} -\author{\IEEEauthorblockN{ - Jan Sebastian Götte\IEEEauthorrefmark{1}\IEEEauthorrefmark{2} \and - Björn Scheuermann\IEEEauthorrefmark{1}\IEEEauthorrefmark{2} - }\\ - \IEEEauthorblockA{ - \IEEEauthorrefmark{1}Alexander von Humboldt Institut für Internet und Gesellschaft (HIIG)\\ - \IEEEauthorrefmark{2}Humboldt-Universität zu Berlin\\ - \texttt{\textbf{\small goette@jaseg.de}}, \texttt{\textbf{\small scheuermann@informatik.hu-berlin.de}} - } -} -\date{2021-01-05} -\maketitle - -\section*{Abstract} - -In this tech report, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules -(iHSMs). Conventional systems have in common that they try to detect attacks by crafting sensors responding to -increasingly minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce -the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by -rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop -the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to a HSM that -can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is -comparable to commercial HSMs. - -This tech report is the abridged version of our forthcoming paper. - -\section{Introduction} - -While information security technology has matured a great deal in the last half century, physical security has barely -changed. Given the right skills, physical access to a computer still often means full compromise. The physical -security of modern server hardware hinges on what lock you put on the room it is in. - -Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid -switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between -physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key -infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic -co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of -trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured -TPM~\cite{newman2020,frazelle2019,johnson2018}. - -Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure -them against tampering is a good engineering solution for some years to come. However, in essence this is a type of -security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern -ICs~\cite{albartus2020,anderson2020}. - -HSMs rely on a fragile foil with much larger-scale conductive traces being hard to remove intact. While we are certain -that there still are many insights to be gained in both technologies, we wish to introduce a novel approach to sidestep -the manufacturing issues of both and provide radically better security against physical attacks. Our core observation -is that any cheap but coarse HSM technology can be made much more difficult to attack by moving it very quickly. - -For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set -by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, -solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual -defenses the HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high speed. How -would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the -accelerometer---or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow -speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become -inhospitable to human life. Since non-contact electromagnetic or optical attacks are more limited in the first place and -can be shielded, we have effectively forced the attacker to use an attack robot. - -In Section~\ref{sec_related_work}, we will give an overview of the state of the art in the physical security of HSMs. On -this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach. We -conclude this paper with a general evaluation of our concept in Section~\ref{sec_conclusion}. - -\section{Related work} -\label{sec_related_work} -% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion -% beyond ultrasound. - -In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper -detection. - -HSMs are an old technology tracing back decades in their electronic realization. Today's common approach of monitoring -meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security -problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, -anderson2020}. There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic -radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research -has found widespread adoption yet. - -In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM -4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard -construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical -security mechanisms have not evolved much in the last two decades. Besides auxiliary temperature and radiation sensors -to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional -construction of a flexible mesh wrapped around the module's core. In~\cite{smith1998}, the authors state the module -monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and -construction is similar to other commercial offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. - -To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a -hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security -barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture -these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap -low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The -closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that -describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled -with pressurized gas. - -\section{Inertial HSM construction and operation} -\label{sec_ihsm_construction} - -Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and is -routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first to -use it in tamper detection. If we consider different ways of moving an HSM to make it harder to tamper with, we find -that making it spin has several advantages. - -First, the HSM has to move fairly fast. If any point of the HSM's tamper sensing mesh moves slow enough for a human to -follow, it becomes a weak spot. E.g.\ in a linear pendulum motion, the pendulum becomes stationary at its apex. Second, -a spinning HSM is compact compared to alternatives like an HSM on wheels. Finally, rotation leads to easily predictable -accelerometer measurements. A beneficial side-effect of spinning the HSM is that if the axis of rotation is within the -HSM itself, an attacker trying to follow the motion would have to rotate around the same axis. Their tangential linear -velocity would rise linearly with the radius from the axis of rotation, which allows us to limit the approximate maximum -size and mass of an attacker using an assumption on tolerable centrifugal force. In this consideration the axis of -rotation is a weak spot, but that can be mitigated using multiple nested layers of protection. - -\begin{figure} - \center - \includegraphics{concept_vis_one_axis.pdf} - \caption{Concept of a simple spinning inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 - - Accelerometer. 5 - Shaft penetrating security mesh.} - \label{fig_schema_one_axis} -\end{figure} - -In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to -distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the -rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, after -subtracting gravity both acceleration tangential to the rotation and along the axis of rotation will be zero. -Centrifugal acceleration will be constant. - -Large centrifugal acceleration at high speeds poses the engineering challenge of preventing the whole thing from flying -apart, but it also creates an obstacle to any attacker trying to manipulate the sensor. We do not need to move the -entire contents of the HSM. It suffices if we move the tamper detection barrier around a stationary payload. This -reduces the moment of inertia of the moving part and it means we can use cables for payload power and data. Even at -moderate speeds above $\SI{500}{rpm}$, an attack would have to be carried out using a robot. - -\subsection{Mechanical layout} - -Thinking about the concrete construction of our mechanical HSM, the first challenge is mounting both mesh and payload on -a single shaft. The simplest way we found to mount a stationary payload inside of a spinning security mesh is a hollow -shaft. The payload can be mounted on a fixed rod threaded through this hollow shaft along with wires for power and -data. The shaft is a weak spot of the system, but this weak spot can be alleviated through either careful construction -or a second layer of rotating meshes with a different axis of rotation. Configurations that do not use a hollow-shaft -motor are possible, but may require additional bearings to keep the stator from vibrating. - -The next design choice we have to make is the physical structure of the security mesh. The spinning mesh must be -designed to cover the entire surface of the payload, but compared to a traditional HSM it suffices if it sweeps over -every part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside -air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious -issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be -solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used -exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. -Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum possible power dissipation -of the payload and unlocks much more powerful processing capabilities. In an evolution of our design, the spinning mesh -could even be designed to \emph{be} a cooling fan. - -\subsection{Spinning mesh power and data transmission} - -On the electrical side, the idea of a security mesh spinning at more than $\SI{500}{rpm}$ leaves us with a few -implementation challenges. Since the spinning mesh must be monitored for breaks or short circuits continuously, we need -both a power supply for the spinning monitoring circuit and a data link to the stator. - -We think that a bright lamp shining at a rotating solar panel is a good starting point. In contrast to e.g.\ slip -rings, this setup is mechanically durable at high speeds and it also provides reasonable output power. A battery may not -provide a useful lifetime without power-optimization. Likewise, an energy harvesting setup may not provide enough -current to supply peak demand. - -Since the monitoring circuit uses little current, power transfer efficiency is not important. On the other hand, cost -may be a concern in a production device. Here it may prove worthwhile to replace the solar cell setup with an extra -winding on the rotor of the BLDC motor driving the spinning mesh. This motor is likely to be a custom part, so adding -an extra winding is unlikely to increase cost significantly. More traditional inductive power transfer may also be an -option if it can be integrated into the mechanical design. - -\begin{figure} - \center - \includegraphics{ir_tx_schema.pdf} - \caption{Example of a bidirectional IR communication link between rotor and stator, view along axis of rotation. 1 - - Rotor base plate. 2 - Stator base plate. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.} - \label{ir_tx_schema} -\end{figure} - -Besides power, the data link between spinning mesh and payload is critical to the HSM's design. This link is used to -transmit the occassional status report along with a low-latency alarm trigger (``heartbeat'') signal from mesh to payload. -A simple infrared optical link as shown in Figure~\ref{ir_tx_schema} may be a good solution for this purpose. - -\section{Conclusion} - -\label{sec_conclusion} To conclude, in this tech report we introduced inertial hardware security modules (iHSMs), a -novel concept for the construction of highly secure hardware security modules from inexpensive, commonly available -parts. We elaborated the engineering considerations underlying a practical implementation of this concept. - -Inertial HSMs offer a high level of security beyond what traditional techniques can offer. They allow the construction -of devices secure against a wide range of practical attacks at prototype quantities and without specialized tools. We -hope that this simple construction will stimulate academic research into secure hardware. - -\printbibliography[heading=bibintoc] -\appendix - -\subsection{Patents and licensing} -During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not -find any mentions of similar concepts either in academic literature or in patents. Thus, we are likely the inventors of -this idea and we are fairly sure it is not covered by any patents or other restrictions at this point in time. - -Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are -already commercially available, we have decided against applying for a patent and we wish to make it available to the -general public without any restrictions on its use. This paper itself is licensed CC-BY-SA (see below). As for the -inertial HSM concept, we invite you to use it as you wish and to base your own work on our publications without any fees -or commercial restrictions. Where possible, we ask you to cite this paper and attribute the inertial HSM concept to its -authors. - -\center{ - \center{\ccbysa} - - \center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The - full text of the license can be found at:} - - \center{\url{https://creativecommons.org/licenses/by-sa/4.0/}} - - \center{For alternative licensing options, source files, questions or comments please contact the authors.} - - \center{This is version \texttt{\input{version.tex}\unskip} generated on \today. Once the full paper has been - published, this project's git repository will be available at:} - - \center{\url{https://git.jaseg.de/rotohsm.git}} -} -\end{document} -- cgit