From cca02fce5b4986dc8544ee91bffc9a239bae7eed Mon Sep 17 00:00:00 2001 From: jaseg Date: Fri, 18 Dec 2020 18:09:46 +0100 Subject: Include Björn's inline remarks, comb through bibliography MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/quick-tech-report/rotohsm.bib | 168 ++++++++------- doc/quick-tech-report/rotohsm_tech_report.pdf | Bin 1195060 -> 1190662 bytes doc/quick-tech-report/rotohsm_tech_report.tex | 283 +++++++++++--------------- 3 files changed, 214 insertions(+), 237 deletions(-) diff --git a/doc/quick-tech-report/rotohsm.bib b/doc/quick-tech-report/rotohsm.bib index 0401c1e..1092c3a 100644 --- a/doc/quick-tech-report/rotohsm.bib +++ b/doc/quick-tech-report/rotohsm.bib @@ -1,11 +1,12 @@ % Encoding: UTF-8 -@comment{x-kbibtex-encoding=utf-8} - -@book{anderson2020, - author = {Ross Anderson}, - date = {2020-09-16}, - title = {Security Engineering} -} +@comment{x-kbibtex-encoding=utf-8} + +@Book{anderson2020, + author = {Ross Anderson}, + date = {2020-09-16}, + title = {Security Engineering}, + isbn = {978-1-119-64281-7}, +} @techreport{smith1998, author = {Sean Smith and Steve Weingart}, @@ -58,13 +59,13 @@ title = {Cocoon-PUF, a novel mechatronic secure element technology}, year = {2012} } - -@patent{rahman1988, - author = {Mujib Rahman}, - date = {1988-03-10}, - number = {US4859024A}, - title = {Optical fiber cable with tampering detecting means} -} + +@Patent{rahman1988, + author = {Mujib Rahman}, + date = {1988-03-10}, + number = {US Patent US4859024A}, + title = {Optical fiber cable with tampering detecting means}, +} @www{haines2006, author = {Lester Haines}, @@ -84,36 +85,39 @@ url = {https://dl.acm.org/doi/fullHtml/10.1145/3380774.3382016}, urldate = {2020-10-22} } - -@article{albartus2020, - author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar}, - bibsource = {dblp computer science bibliography, https://dblp.org}, - biburl = {https://dblp.org/rec/journals/tches/AlbartusHTAP20.bib}, - date = {2020}, - doi = {10.13154/tches.v2020.i4.309-336}, - journal = {{IACR} Trans. Cryptogr. Hardw. Embed. Syst.}, - number = {4}, - pages = {309–336}, - title = {{DANA} Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering}, - volume = {2020}, - year = {2020} -} - -@inproceedings{trippel2017, - author = {Timothy Trippel and Ofir Weisse and Wenyuan Xu and Peter Honeyman and Kevin Fu}, - booktitle = {2017 IEEE European symposium on security and privacy (EuroS\&P)}, - organization = {IEEE}, - pages = {3–18}, - title = {WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks}, - x-fetchedfrom = {Google Scholar}, - year = {2017} -} - -@misc{heise2020t2jailbreak, - publisher = {Heise Online}, - title = {Jailbreaker nehmen T2-Sicherheitschip von Macs ins Visier}, - url = {https://www.heise.de/mac-and-i/meldung/Jailbreaker-nehmen-T2-Sicherheitschip-von-Macs-ins-Visier-4681131.html} -} + +@Article{albartus2020, + author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar}, + date = {2020}, + title = {{DANA} Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering}, + doi = {10.13154/tches.v2020.i4.309-336}, + number = {4}, + pages = {309–336}, + volume = {2020}, + bibsource = {dblp computer science bibliography, https://dblp.org}, + biburl = {https://dblp.org/rec/journals/tches/AlbartusHTAP20.bib}, + journal = {{IACR} Transactions on Cryptographic Hardware and Embedded Systems}, + year = {2020}, +} + +@InProceedings{trippel2017, + author = {Timothy Trippel and Ofir Weisse and Wenyuan Xu and Peter Honeyman and Kevin Fu}, + booktitle = {2017 IEEE European symposium on security and privacy}, + title = {WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks}, + organization = {IEEE}, + pages = {3–18}, + x-fetchedfrom = {Google Scholar}, + year = {2017}, +} + +@WWW{heise2020t2jailbreak, + author = {Leo Becker}, + date = {2020-03-11}, + title = {Jailbreaker nehmen T2-Sicherheitschip von Macs ins Visier}, + url = {https://www.heise.de/mac-and-i/meldung/Jailbreaker-nehmen-T2-Sicherheitschip-von-Macs-ins-Visier-4681131.html}, + organization = {Heise Online}, + publisher = {Heise Online}, +} @article{kim2018, author = {Seung Hyun Kim and Su Chang Lim and others}, @@ -125,22 +129,27 @@ x-fetchedfrom = {Google Scholar}, year = {2018} } - -@inproceedings{johnson2018, - author = {Scott Johnson and Dominic Rizzo and Parthasarathy Ranganathan and Jon McCune and Richard Ho}, - booktitle = {Hot Chips: A Symposium on High Performance Chips}, - title = {Titan: enabling a transparent silicon root of trust for Cloud}, - x-fetchedfrom = {Google Scholar}, - year = {2018} -} - -@inproceedings{isaacs2013, - author = {Phil Isaacs and Thomas {Morris Jr} and Michael J Fisher and Keith Cuthbert}, - booktitle = {Pan Pacific Symposium}, - title = {Tamper proof, tamper evident encryption technology}, - x-fetchedfrom = {Google Scholar}, - year = {2013} -} + +@Conference{johnson2018, + author = {Scott Johnson and Dominic Rizzo and Parthasarathy Ranganathan and Jon McCune and Richard Ho}, + booktitle = {Hot Chips: A Symposium on High Performance Chips}, + date = {2018}, + title = {Titan: enabling a transparent silicon root of trust for Cloud}, + url = {https://www.hotchips.org/hc30/1conf/1.14_Google_Titan_GoogleFinalTitanHotChips2018.pdf}, + x-fetchedfrom = {Google Scholar}, + year = {2018}, +} + +@TechReport{isaacs2013, + author = {Phil Isaacs and Thomas {Morris Jr} and Michael J Fisher and Keith Cuthbert}, + date = {2013}, + institution = {Surface Mount Technology Association}, + title = {Tamper proof, tamper evident encryption technology}, + booktitle = {Pan Pacific Microelectronics Symposium}, + organization = {Surface Mount Technology Association}, + x-fetchedfrom = {Google Scholar}, + year = {2013}, +} @inproceedings{drimer2008, author = {Saar Drimer and Steven J Murdoch and Ross Anderson}, @@ -151,15 +160,17 @@ x-fetchedfrom = {Google Scholar}, year = {2008} } - -@misc{terdiman2013, - author = {Daniel Terdiman}, - month = jul, - publisher = {CNET}, - title = {Aboard America's Doomsday command and control plane}, - url = {https://www.cnet.com/news/aboard-americas-doomsday-command-and-control-plane}, - year = {2013} -} + +@WWW{terdiman2013, + author = {Daniel Terdiman}, + date = {2013-07-23}, + title = {Aboard America's Doomsday command and control plane}, + url = {https://www.cnet.com/news/aboard-americas-doomsday-command-and-control-plane}, + organization = {cnet.com}, + month = jul, + publisher = {CNET}, + year = {2013}, +} @Thesis{vrijaldenhoven2004, author = {Serge Vrijaldenhoven}, @@ -170,11 +181,20 @@ url = {https://pure.tue.nl/ws/files/46971492/600055-1.pdf}, } -@Unpublished{dexter2015, - author = {Karsten Nohl and Fabian Bräunlein and dexter}, - date = {2015-12-27}, - title = {Shopshifting: The potential for payment system abuse}, - url = {https://media.ccc.de/v/32c3-7368-shopshifting#t=2452}, +@WWW{dexter2015, + author = {Karsten Nohl and Fabian Bräunlein and dexter}, + date = {2015-12-27}, + title = {Shopshifting: The potential for payment system abuse}, + url = {https://media.ccc.de/v/32c3-7368-shopshifting#t=2452}, + organization = {32C3 Chaos Communication Congress}, +} + +@WWW{newman2020, + author = {Lily Hay Newman}, + date = {2020-10-06}, + title = {Apple's T2 Security Chip Has an Unfixable Flaw}, + url = {https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/}, + organization = {Wired Magazine}, } @Comment{jabref-meta: databaseType:biblatex;} diff --git a/doc/quick-tech-report/rotohsm_tech_report.pdf b/doc/quick-tech-report/rotohsm_tech_report.pdf index 4ea7c48..257676b 100644 Binary files a/doc/quick-tech-report/rotohsm_tech_report.pdf and b/doc/quick-tech-report/rotohsm_tech_report.pdf differ diff --git a/doc/quick-tech-report/rotohsm_tech_report.tex b/doc/quick-tech-report/rotohsm_tech_report.tex index e56ed76..bf39256 100644 --- a/doc/quick-tech-report/rotohsm_tech_report.tex +++ b/doc/quick-tech-report/rotohsm_tech_report.tex @@ -73,7 +73,7 @@ \begin{document} -\title{Can't touch this: Inerial HSMs Foil Advanced Physical Attacks} +\title{Can't Touch This: Inerial HSMs Foil Advanced Physical Attacks} \author{Jan Götte} \date{2020-09-15} \maketitle @@ -102,13 +102,17 @@ physical security and ease of maintenance. To handle highly sensitive data in ap infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured -TPM~\cite{heise2020t2jailbreak,frazelle2019,johnson2018}. +TPM~\cite{newman2020,frazelle2019,johnson2018}. -Like smartcards, TPMs rely on an IC's nanoscopic structures being hard to tamper with. HSMs rely on a fragile foil with -much larger-scale conductive traces being hard to remove intact. While we are certain that there still are many -insights to be gained in both technologies, we wish to introduce a novel approach to sidestep the manufacturing issues -of both and provide radically better security against physical attacks. Our core observation is that any cheap but -coarse HSM technology can be made much more difficult to attack by moving it very quickly. +Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure +them against tampering is a good engineering solution for some years to come. However, in essence this is a type of +security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern +ICs~\cite{albartus2020,anderson2020}. + +HSMs rely on a fragile foil with much larger-scale conductive traces being hard to remove intact. While we are certain +that there still are many insights to be gained in both technologies, we wish to introduce a novel approach to sidestep +the manufacturing issues of both and provide radically better security against physical attacks. Our core observation +is that any cheap but coarse HSM technology can be made much more difficult to attack by moving it very quickly. For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, @@ -134,34 +138,20 @@ This work contains the following contributions: In Section~\ref{sec_related_work}, we will give an overview of the state of the art in the physical security of HSMs. On this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach. We will analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a prototype system that -we will illustrate in Section~\ref{sec_proto}. Before we conclude this paper in Section~\ref{sec_conclusion} we will -present some inspiration for future work in Section~\ref{sec_future_work}. +we will illustrate in Section~\ref{sec_proto}. We conclude this paper with a general evaluation of our design in +Section~\ref{sec_conclusion}. \section{Related work} \label{sec_related_work} % summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion % beyond ultrasound. -HSMs are an old technology tracing back decades in their electronic realization. - - -% FIXME integrate this -Shrinking things to the nanoscopic level to secure them against tampering is an engineering solution to problems that -cannot be solved (yet) with cryptographic security. The security of chips like smartcards and TPMs often rests on the -assumption that their fine structures are hard to reverse engineer and modify. As of now, this property holds and it -will likely be a reasonable assumption for some years to come. However, in essence this is a type of security by -obscurity: Obscurity here referring to the rarity of the equipment necessary to attack these -chips~\cite{albartus2020,anderson2020}. - -Hardware security modules (HSMs) are the class of commercial devices offering the highest ``physical -security-to-volume-product''. HSMs continuously monitor a small circuit board and actively delete their secrets when a -manipulation is detected. Commercial HSMs are usually \emph{boundary monitoring}. They monitor meandering electrical -traces on a fragile foil that is wrapped around the HSM. This construction transforms the security problem into the -challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013,immler2019,anderson2020}. -There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic -radiation~\cite{tobisch2020,kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of it has found widespread adoption. -% FIXME end - +HSMs are an old technology tracing back decades in their electronic realization. Today's common approach of monitoring +meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security +problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, +anderson2020}. There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic +radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research +has found widespread adoption. In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM 4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard @@ -210,36 +200,20 @@ pressurized gas. \section{Inertial HSM construction and operation} \label{sec_ihsm_construction} -\subsection{Using motion for tamper detection} - Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and is routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first to -use it in tamper detection. Let us think about the constraints of our approach. - -\begin{enumerate} - \item We need the tamper sensor's motion to be fairly fast. If any point of the sensor moves slow enough for a human - to follow, it becomes a weak spot. - \item We need to keep the entire apparatus compact. - \item We need the sensor's motion to be very predictable so that we can detect an attacker trying to stop it. -\end{enumerate} - -From this, we can make a few observations. - -\begin{enumerate} - \item Non-periodic linear motion (like a train on wheels) is likely to be a poor choice since it requires a large - amount of space, and it is comparatively easy to follow something moving linearly. - \item Oscillatory motion such as linear vibration or a pendulum motion might be a good candidate would there not be - the moment at its apex when the vibration reverses direction the object is stationary. This is a weak spot. - \item Rotation is a very good choice. It does not require much space to execute. Additionally, if the axis of - rotation is within the HSM itself, an attacker trying to follow the motion would have to rotate around the same - axis. Since their tangential linear velocity would rise linearly with the radius from the axis of rotation, an - assumption on tolerable centrifugal force allows one to limit the approximate maximum size and mass of an - attacker (see Appendix \ref{sec_minimum_angular_velocity}). The axis of rotation is a weak spot, but we can - simply nest multiple layers of protection at an angle to each other. - \item We do not have to move the entire contents of the HSM. It suffices if we move the tamper detection barrier - around a stationary payload. This reduces the moment of inertia of the moving part and it means we can use - cables for payload power and data. -\end{enumerate} +use it in tamper detection. If we consider different ways of moving an HSM to make it harder to tamper with, we find +that making it spin has several advantages. + +First, the HSM has to move fairly fast. If any point of the HSM's tamper sensing mehs moves slow enough for a human to +follow, it becomes a weak spot. E.g.\ in a linear pendulum motion, the pendulum becomes stationary at its apex. Second, +a spinning HSM is compact compared to alternatives like an HSM on wheels. Finally, rotation leads to predictable +accelerometer measurements. A beneficial side-effect of spinning the HSM is that if the axis of rotation is within the +HSM itself, an attacker trying to follow the motion would have to rotate around the same axis. Their tangential linear +velocity would rise linearly with the radius from the axis of rotation, which allows us to limit the approximate maximum +size and mass of an attacker using an assumption on tolerable centrifugal force (see Appendix +\ref{sec_minimum_angular_velocity}). In this consideration the axis of rotation is a weak spot, but that can be +mitigated using multiple nested layers of protection. \begin{figure} \center @@ -249,70 +223,75 @@ From this, we can make a few observations. \label{fig_schema_one_axis} \end{figure} -In a rotating reference frame centrifugal force is proportional to the square of angular velocity and proportional to +In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, both acceleration tangential to the rotation and along the axis of rotation will be zero. Centrifugal acceleration will be -constant. At high speeds, this acceleration may become very large. This poses the engineering challenge of preventing -the whole thing from flying apart, but also creates an obstacle to any attacker trying to manipulate the sensor. - -In Appendix \ref{sec_minimum_angular_velocity} we present some back-of-the-envelope calculations on minimum angular -velocity. We conclude that even at moderate speeds above $\SI{500}{rpm}$, an attack would have to be carried out using a -robot. In Appendix \ref{sec_degrees_of_freedom} we consider sensor configurations and we conclude that one three-axis -accelerometer each in the rotor and in the stator are a good baseline configuration. Other configurations such as one -using two two-axis accelerometers in the rotor are also possible. In general, the system will be more sensitive to -attacks if we over-determine the system of equations describing its motion by using more sensors than necessary. - -\subsection{Payload mounting mechanisms} - -The simplest way to mount a stationary payload in a spinning security mesh is to drive the rotor using a hollow shaft. -This allows the payload to be mounted on a fixed rod threaded through this hollow shaft along with wires for power and -data. The stationary rod and cables on the axis of rotation inside the hollow shaft are a weak spot of the system, but -this weak spot can be alleviated through either careful construction or a second layer of rotating meshes with a -different axis of rotation. Configurations that do not use a hollow-shaft motor are possible, but may require -additional bearings to keep the stator from vibrating. - -\subsection{Spinning mesh power supply} - -There are several options to transfer power to the rotor from its stationary frame. - -\begin{enumerate} - \item Slip ring contacts are a poor candidate as they are limited in their maximum speed and lifetime, and as - precision mechanical components are expensive. - \item Inductive power transfer as used in inductive charging systems can be used without modification if both coils - are mounted axially. - \item A second brushless motor on the axis of rotation can be used as a generator, with its axis connected to the - fixed frame and its stator mounted and connected to the rotor. Likewise, a custom-made drive motor that includes - some auxiliary rotor windings for power transfer in addition to the rotor's magnets would be possible. - \item A bright lamp along with some small solar cells may be a practical approach for small amounts of - energy\footnote{See Appendix \ref{sec_energy_calculations} for a back-of-the-envelope calculation}. - \item For a very low-power security mesh, a battery specified to last for the lifetime of the device may be - practical\footnote{See Appendix \ref{sec_energy_calculations}}. -\end{enumerate} - -In our prototype, we settled on a solar cell-based solution for its simplicity. - -\subsection{Payload cooling} - -In boundary-sensing HSMs, cooling of the processor inside is a serious issue since any air duct or heat pipe would have -to penetrate the HSM's security boundary. This problem can be solved with complex and costly siphon-style constructions, -but in commercial systems heat conduction is used exclusively~\cite{isaacs2013}. This limits the maximum power -dissipation of the payload and thus its processing power. In our spinning HSM concept, the spinning mesh can have -longitudindal gaps in the mesh without impeding its function. This allows air to pass through the mesh during rotation, -and one could even integrate an actual fan into the rotor. This greatly increases the maximum possible power dissipation -of the payload and unlocks much more powerful processing capabilities. - -\subsection{Spinning mesh data communication} - -As for power, slip rings are the obvious choice to couple data signals through the rotating joint. Like for power, ones -that match our reliability and speed constraints are expensive. - -Our design has a stationary payload and only the security mesh and sensors are spinning. The rotor only needs to send -occassional status reports and a high-frequency alarm trigger heartbeat signal to the stator. For -this, a simple optocoupler close to the axis of rotation is a good solution that we implemented in our prototype. +constant. + +Large centrifugal acceleration at high speeds poses the engineering challenge of preventing the whole thing from flying +apart, but it also creates an obstacle to any attacker trying to manipulate the sensor. We do not need to move the +entire contents of the HSM. It suffices if we move the tamper detection barrier around a stationary payload. This +reduces the moment of inertia of the moving part and it means we can use cables for payload power and data. + +From our back-of-the-envelope calculation in Appendix \ref{sec_minimum_angular_velocity} we conclude that even at +moderate speeds above $\SI{500}{rpm}$, an attack would have to be carried out using a robot. + +In Appendix \ref{sec_degrees_of_freedom} we consider sensor configurations and we conclude that one three-axis +accelerometer each in the rotor and in the stator are a good baseline configuration. In general, the system will be more +sensitive to attacks if we over-determine the system of equations describing its motion by using more sensors than +necessary. + +\subsection{Mechanical layout} + +The simplest way to mount a stationary payload in a spinning security mesh is to use a hollow shaft. The payload can be +mounted on a fixed rod threaded through this hollow shaft along with wires for power and data. The shaft is a weak spot +of the system, but this weak spot can be alleviated through either careful construction or a second layer of rotating +meshes with a different axis of rotation. Configurations that do not use a hollow-shaft motor are possible, but may +require additional bearings to keep the stator from vibrating. + +The spinning mesh must be designed to cover the entire surface of the payload during one revolution. Still, it can be +designed with longitudinal gaps to allow outside air to flow through to the payload. In boundary-sensing HSMs, cooling +of the processor inside is a serious issue since any air duct or heat pipe would have to penetrate the HSM's security +boundary. This problem can only be solved with complex and costly siphon-style constructions, so in commercial systems +heat conduction is used exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus +its processing power. Our setup allows direct air cooling, which increases the maximum possible power dissipation of +the payload and unlocks much more powerful processing capabilities. Instead of gaps one could even integrate an actual +fan into the rotor. + +\subsection{Spinning mesh power and data transmission} + +The basic concept of a security mesh spinning at more than $\SI{500}{rpm}$ around a payload leaves us with a few +implementation challenges. Since the spinning mesh must be monitored for breaks or short circuits continuously, we need +both a power supply for the spinning monitoring circuit and a data link back to the stator. + +A good starting point for power transfer is a simple setup of a stationary bright lamp shining at a rotating solar +panel. In contrast to e.g.\ slip rings, this setup is mechanically durable at high speeds and it also provides +reasonable output power (see Appendix \ref{sec_energy_calculations} for some calculations on power consumption). A +battery may not provide a useful lifetime without power-optimization. Likewise, an energy harvesting setup may not +provide enough current to supply peak demand. + +Since the monitoring circuit uses little current, power transfer efficiency is not important. On the other hand, cost +may be a concern in a production device. Here it may prove worthwhile to replace the solar cell setup with an extra +windings on the rotor of the BLDC motor driving the spinning mesh. This rotor is likely to be a custom part, so adding +these windings is unlikely to increase cost significantly. Inductive power transfer may also be an option given that one +can integrate it into the mechanical design. + +Besides power, the data link between spinning mesh and payload is critical to the HSM's design. This link is used to +transmit the occassional status report along with a low-latency alarm trigger (``heartbeat'') signal from mesh to payload. +As we will elaborate in Section~\ref{sec_proto} a simple infrared optical link turned out to be a good solution for this +purpose. \section{Attacks} \label{sec_attacks} + +After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to +attack it. Fundamentally, attacks on an inertial HSM are the same as those on a traditional HSM, since the tamper +detection mesh is the same. Only in the inertial HSM any attack on the mesh has to be carried out while the mesh is +rotating, which for most types of attack will require a CNC attack robot moving in sync with it. In comparison to +traditional designs, the data link between mesh and payload is an additional weak spot in the rotating desing. If it is +optical, non-contact attacks are possible. + \subsection{Attacks on the mesh} There are two locations where one can attack a tamper-detection mesh. On one hand, the mesh itself can be tampered with. @@ -335,12 +314,13 @@ system against these is to employ adequate filtering of the incoming power suppl triggering an alarm in case extraordinary environmental variations are detected. If the alarm link between rotor and stator uses a spoofable interface such as an optical link, this link must be -bidirectional to allow the alarm signal receiver to verify link latency. In a purely unidirectional spoofable link, an -attacker could record the authenticated "no alarm" signal from the transmitter while simultaneously replaying it just -slightly slower (say at $\SI{99}{\percent}$ speed) to the receiver. The receiver would not be able to distinguish -between this attack and ordinary deviations in the transmitter's local clock frequency. However, the attacker can at any -point simply stop the rotor and replay the leftover recorded "no alarm" signal. Given the frequency stability of -commercial crystals, this would allow for an attack duration of several seconds per hour of recording time. +cryptographically verified. It also must be bidirectional to allow the alarm signal receiver to verify link latency. In +a purely unidirectional spoofable link, an attacker could record the authenticated ``no alarm'' signal from the +transmitter while simultaneously replaying it just slightly slower (say at $\SI{99}{\percent}$ speed) to the receiver. +The receiver would not be able to distinguish between this attack and ordinary deviations in the transmitter's local +clock frequency. However, the attacker can at any point simply stop the rotor and replay the leftover recorded ``no +alarm'' signal. Given the frequency stability of commercial crystals, this would allow for an attack duration of several +seconds per hour of recording time. \subsection{Fast and violent attacks} @@ -364,15 +344,14 @@ synchronized with the device's rotation. Then, a fast-setting glue such as a cya moving MEMS parts, locking them in place. This attack would require direct access to the accelerometer from the outside and can be prevented by mounting the accelerometer in a shielded place inside the security envelope. This attack can only work if the rate of rotation and thus the accelerometer's readings are constant. If the rate of rotation is set to -change on a schedule, it is trivially detectable. - -In Appendix \ref{sec_degrees_of_freedom} we outline the constraints on sensor placement. +change on a schedule, this type of attack can be detected easily. In Appendix \ref{sec_degrees_of_freedom} we outline +the constraints on sensor placement. \section{Prototype implementation} \label{sec_proto} -To validate our theoretical design, we have implemented a prototype rotary HSM. The main engineering challenges we -solved in our prototype are: +To validate our theoretical design, we implemented a prototype rotary HSM. The main engineering challenges we solved in +our prototype are: \begin{enumerate} \item Fundamental mechanical design suitable for rapid prototyping that can withstand a rotation of $\SI{500}{rpm}$. \item Automatic generation of security mesh PCB layouts for quick adaption to new form factors. @@ -382,7 +361,7 @@ solved in our prototype are: \subsection{Mechanical design} -We sized our prototype to have space for one or two full-size Raspberry Pi boards. Each one of these boards is already +We sized our prototype to have space for up to two full-size Raspberry Pi boards. Each one of these boards is already more powerful than an ordinary HSM, but they are small enough to simplify our prototype's design. For low-cost prototyping we designed our prototype to use printed circuit boards as its main structural material. The interlocking parts were designed in FreeCAD as shown in Figure \ref{proto_3d_design}. The mechanical designs were exported to KiCAD @@ -439,7 +418,7 @@ bidirectional infrared link. In the transmitter, the UART TX line on-off modulat through a common-emitter driver transistor. In the receiver, an IR PIN photodiode reverse-biased to $\frac{1}{2}V_\text{CC}$ is connected to a reasonably wideband transimpedance amplifier (TIA) with a $\SI{100}{\kilo\ohm}$ transimpedance. As shown in Figure \ref{photolink_schematic}, the output of this TIA is fed -through another $G=100$ amplifier whose output is then squared up by a comparator. We used an \textsf{MCP6494} quad +through another $G=100$ amplifier whose output is then squared up by a comparator. We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a useful transimpedance in the photodiode-facing TIA stage. @@ -469,10 +448,10 @@ driven at $\SI{1}{\milli\ampere}$ while the stator transmitter LED is driven at \subsection{Power transmission through rotating joint} Since this prototype serves only demonstration purposes, we chose to use the simplest possible method of power -transmission: Solar cells. We mounted six series-connected solar cells made up from three commercially available modules -on the circular PCB at the end of our cylindrical rotor. The solar cells direclty feed the rotor's logic supply with -buffering by a large $\SI{33}{\micro\farad}$ ceramic capacitor. With six cells in series, they provide around -$\SI{3.0}{\volt}$ at several tens of $\si{\milli\ampere}$ given sufficient illumination. +transmission: solar cells. We mounted six series-connected solar cells in three commercially available modules on the +circular PCB at the end of our cylindrical rotor. The solar cells direclty feed the rotor's logic supply with buffering +by a large $\SI{33}{\micro\farad}$ ceramic capacitor. With six cells in series, they provide around $\SI{3.0}{\volt}$ at +several tens of $\si{\milli\ampere}$ given sufficient illumination. For simplicity and weight reduction, at this point we chose to forego large buffer capacitors on the rotor. This means variations in solar cell illumination directly couple into the microcontroller's supply rail. Initially, we experimented @@ -501,38 +480,16 @@ larger-scale implementation of the inertial HSM concept practical. \label{prototype_early_comms} \end{figure} -\section{Future Work} -\label{sec_future_work} - -\subsection{Design space exploration} - -There are several aspects of intertial HSM design that we wish to explore in future work. - -\paragraph{Other modes of movement} An oscillating iHSM might enable power and data transfer to the moving part using -cables. - -\paragraph{Multiple axes of rotation} The weak spot of our prototype design at the stationary shaft can be alleviated -using gyroscope mechanics. - -\paragraph{Other sensing modes} By printing the inside of the rotor with a pattern that is observed by a linear CCD a -completely passive rotor may be possible. - -\paragraph{Bearing longevity} - -\paragraph{Handling of gyroscopic precession forces during shipping} - -\subsection{Penetration testing} -We intend to refine our prototype design to production quality. As part of this, we wish to try out a range of attacks -on our prototype. +\section{Conclusion} \label{sec_conclusion} In this paper, we introduced inertial hardware security modules (iHSMs), a +novel concept for the construction of highly secure hardware security modules from inexpensive, commonly available +parts. We elaborated the engineering considerations underlying a practical implementation of this concept. We +implemented a prototype demonstrating practical solutions to the significant engineering challenges of this concept. We +analyzed the concept for its security properties and highlighted its ability to significantly strengthen otherwise weak +tamper detection barriers. -\section{Conclusion} -\label{sec_conclusion} -In this paper, we have presented inertial hardware security modules (iHSMs), a novel concept for the construction of -highly secure hardware security modules from inexpensive, commonly available parts. We have elaborated the engineering -considerations underlying a practical implementation of this concept. We have implemented a prototype demonstrating -practical solutions to the significant engineering challenges of this concept. We have analyzed the concept for its -security properties and highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We -have laid out some ideas for future research on the concept. +Inertial HSMs offer a high level of security beyond what traditional techniques can offer. They allow the construction +of devices secure against a wide range of practical attacks at prototype quantities and without specialized tools. We +hope that this simple construction will stimulate academic research into secure hardware. \printbibliography[heading=bibintoc] \appendix -- cgit