From f05b3ffe876a22fc6b36d58bc48e22e967b3d47f Mon Sep 17 00:00:00 2001 From: jaseg Date: Mon, 20 Sep 2021 16:54:20 +0200 Subject: Include spelling fixes from grammarly --- paper/ihsm_paper.tex | 195 ++++++++++++++++++++++++++------------------------- 1 file changed, 98 insertions(+), 97 deletions(-) diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex index e69cec3..8119fe2 100644 --- a/paper/ihsm_paper.tex +++ b/paper/ihsm_paper.tex @@ -1,4 +1,4 @@ -\documentclass[nohyperref,submission]{iacrtrans} +\documentclass[nohyperref]{iacrtrans} \usepackage[T1]{fontenc} \usepackage[ backend=biber, @@ -53,8 +53,8 @@ reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. - Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet - offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware + Our approach leads to an HSM that can easily be built from off-the-shelf parts by any university electronics lab, + yet offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware prototype that demonstrates solutions to the concept's main engineering challenges. As part of this proof of concept, we have found that a system using a coarse security mesh made from commercial printed circuit boards and an automotive high g-force accelerometer already provides a useful level of security. 
@@ -62,7 +62,7 @@ \section{Introduction} -While information security technology has matured a great deal in the last half century, physical security did not keep +While information security technology has matured a great deal in the last half-century, physical security did not keep up with the pace of the remainder of this industry. Given the right skills, physical access to a computer still often allows full compromise. The physical security of modern server hardware hinges on what lock you put on the room it is in. 
@@ -75,12 +75,12 @@ co-processors such as trusted platform modules (TPMs) or hardware security modul trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured TPM~\cite{newman2020,frazelle2019,johnson2018}. Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure -them against tampering is a good engineering solution for some years to come. However, in essence this is a type of +them against tampering is a good engineering solution for some years to come. However, in essence, this is a type of security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern ICs~\cite{albartus2020,anderson2020}. In contrast to TPMs and Smartcards, HSMs rely on an active security barrier usually consisting of a fragile foil with -conductive traces. These traces are much larger scale than a smart card IC's microscopic structures, and instead are +conductive traces. These traces are much larger scale than a smart card IC's microscopic structures and instead are designed to be very hard to remove intact. While we are certain that there still are many insights to be gained in both technologies, we wish to introduce a novel approach to sidestep the manufacturing issues of both and provide radically better security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made 
@@ -88,7 +88,7 @@ much more difficult to attack by moving it very quickly. For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, -solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual +solder, and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual defenses, this modified HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high speed. How would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the accelerometer's monitoring circuit---or they would have to attack the HSM in motion. The HSM literally becomes a moving @@ -99,12 +99,12 @@ use an ``attack robot''. This paper contains the following contributions: \begin{enumerate} - \item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost effective, small scale production of + \item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective, small-scale production of highly secure HSMs. \item We discuss possible tamper sensors for inertial HSMs. \item We explore the design space of our inertial HSM concept. \item We present our work on a prototype inertial HSM (Figure~\ref{prototype_picture}). - \item We present an analysis on the viability of using commodity MEMS accelerometers as braking sensors. + \item We present an analysis of the viability of using commodity MEMS accelerometers as braking sensors. % FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack. \end{enumerate} 
@@ -140,16 +140,16 @@ anderson2020}. There has been some research on monitoring the HSM's interior us radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research has found widespread adoption yet. -HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper evident devices. The difference is that a +HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper-evident devices. The difference is that an HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine -it. This examination can be by eye in the field, but it can also be carried out in a laboratory using complex equipment. -An HSM in principle has to have this examination equipment built-in. +it. This examination can be done by eye in the field, but it can also be carried out in a laboratory using complex +equipment. An HSM in principle has to have this examination equipment built-in. Physical seals are used in a wide variety of applications, but the most interesting ones from a research point of view -that are recorded in public literature are those used in monitoring of nuclear material under the International Atomic +that are recorded in public literature are those used for monitoring of nuclear material under the International Atomic Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically Unclonable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in a -way that intentionally causes large, random device to device variations. These variations are precisely recorded at +way that intentionally causes large, random device-to-device variations. These variations are precisely recorded at deployment. At the end of the seal's lifetime, the seal is returned from the field to the lab and closely examined to check for any deviations from the seal's prior recorded state. 
The type of variation used in these seals includes random scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the 
@@ -161,20 +161,20 @@ reading, similar to an HSM. They are constructed from two components: A cable th monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil such as it is used in commercial HSMs. -In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example HSM that he cites is -the IBM 4758, the details of which are laid out in depth in~\cite{smith1998}. This HSM is an example of an +In~\cite{anderson2020}, Anderson gives a comprehensive overview of physical security. An example HSM that he cites is +the IBM 4758, the details of which are laid out in-depth in~\cite{smith1998}. This HSM is an example of an industry-standard construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature and radiation sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the common construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state -that the module monitors this mesh for short circuits, open circuits and conductivity. Other commercial offerings use a +that the module monitors this mesh for short circuits, open circuits, and conductivity. Other commercial offerings use a fundamentally similar approach to tamper detection~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example). Their concept promises a very high degree of protection. 
The main disadvantages of their concept are a limitation in -covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A +area covered and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A core component of their design is that they propose its use as a PUF to allow for protection even when powered off, similar to a smart card---but the design is not limited to this use. @@ -197,12 +197,12 @@ properties of a potting compound that has been loaded with RF-reflective grains. characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains within the potting compound. -To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a +To the best of our knowledge, we are the first to propose a mechanically moving HSM security barrier as part of a hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap -low performance security barrier and transforming it into a marginally more expensive but high performance one. The -closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that +low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The +closest to a mechanical HSM that we were able to find during our research is a 1988 patent~\cite{rahman1988} that describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled with pressurized gas. 
@@ -231,12 +231,12 @@ of the practical implications that these aspects of IHSM construction have on IH First, there are several ways how we can approach motion. Periodic, aperiodic and continuous motion could serve the purpose. There is also linear motion as well as rotation. We can also vary the degree of electronic control in this motion. The main constraints we have on the HSM's motion pattern are that it needs to be (almost) continuous so as to -not expose any weak spots during instantaneous standstill of the HSM. Additionally, for space efficiency the HSM has to +not expose any weak spots during instantaneous standstill of the HSM. Additionally, for space efficiency, the HSM has to stay within a confined space. This means that linear motion would have to be periodic, like that of a pendulum. Such periodic linear motion will have to quickly reverse direction at its apex so the device is not stationary long enough for this to become a weak spot. -In contrast to linear motion, rotation is space efficient and can be continuous if the axis of rotation is inside the +In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the device. In case it has a fixed axis, rotation will expose a weak spot at the axis of rotation where the surface's tangential velocity is low. Faster rotation can lessen the security impact of this fact at the expense of power consumption and mechanical stress, but it can never eliminate it. This effect can be alleviated in two ways: Either by 
@@ -247,10 +247,10 @@ Large centrifugal acceleration at high speeds poses the engineering challenge of disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in what we call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion would have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from -following the devices motion since doing so would subject them to impractically large centrifugal forces. Essentially, -this limits the approximate maximum size and mass of an attacker under the an assumption on tolerable centrifugal force. +following the device's motion since doing so would subject them to impractically large centrifugal forces. Essentially, +this limits the approximate maximum size and mass of an attacker under an assumption on tolerable centrifugal force. -In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we focus on systems +In this paper, we focus on rotating IHSMs for simplicity of construction. For our initial research, we focus on systems with a fixed axis of rotation due to their simple construction but we do wish to note the challenge of hardening the shaft against tampering that any production device would have to tackle. 
@@ -259,7 +259,7 @@ shaft against tampering that any production device would have to tackle. Once we have decided how our IHSM's security barrier should move, what remains is the actual implementation of that security barrier. There are two movements that we have observed that are key to our work. On the one hand, there is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems -deployed in the field for a variety of use cases from low security payment processing devices to high security +deployed in the field for a variety of use cases from low-security payment processing devices to high-security certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to fabricate enclosures that embed characteristics of a Physically Unclonable Function. By using stochastic properties of 
@@ -270,10 +270,10 @@ In our research, we focus on security meshes as our IHSM's tamper sensors. Most implementations lies in the advanced manufacturing techniques and special materials necessary to achieve a sensitive mesh at fine structure sizes. The foundation of an IHSM security is that by moving the mesh even a primitive, coarse mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack in practice. This allows us to use a simple -construction made up from low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself -and its monitoring circuit and keep the payload inside the mesh stationary. Tamper sensing technologies that use the -entire volume of the HSM such as RF-based systems do not allow for this degree of freedom in their design: They would -require the entire IHSM to spin, including its payload, which would entail costly and complex systems for data and power +construction made up of low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself and +its monitoring circuit and keep the payload inside the mesh stationary. Tamper sensing technologies that use the entire +volume of the HSM such as RF-based systems do not allow for this degree of freedom in their design: They would require +the entire IHSM to spin, including its payload, which would entail costly and complex systems for data and power transfer from the outside to the payload. \subsection{Braking detection} 
@@ -288,8 +288,8 @@ While the obvious choice to monitor rotation would be a tachometer such as a mag IHSM's shaft, this would be a poor choice for our purposes. Both optical and magnetic sensors are susceptible to contact-less interference from outside. A different option would be to use feedback from the motor driver electronics. When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this -approach is that depending on construction, it might invite attacks at the mechanical interface between mesh and the -motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation or electrical +approach is that depending on construction, it might invite attacks at the mechanical interface between the mesh and the +motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation, or electrical discharge machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is already standing still. @@ -328,7 +328,7 @@ accelerometer for braking detection in our prototype IHSM. With our IHSM's components taken care of, what remains to be decided is how to put together these individual components into a complete device. A basic spinning HSM might look as shown in Figure~\ref{fig_schema_one_axis}. Visible are the -axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload and the +axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload, and the area covered by the rotating tamper detection mesh. A key observation is that we only have to move the tamper protection mesh, not the entire contents of the HSM. The HSM's payload and with it most of the HSM's mass can be stationary. This reduces the moment of inertia of the moving part. This basic schema accepts a weak spot at the point 
@@ -347,7 +347,7 @@ The spinning mesh must be designed to cover the entire surface of the payload, b part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be -solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used +solved with complex and costly siphon-style constructions, so in commercial systems, heat conduction is used exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. Using longitudinal gaps in the mesh, our setup allows direct air cooling of regular heatsinks. This unlocks much more powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an @@ -358,7 +358,7 @@ structural material. The security mesh has to fit the highest components inside with a non-flat surface is difficult, this means there is an inevitable gap of a few millimeters between the surface of the payload CPU and the interior surface of the mesh. This distance is added to several millimeters of epoxy resin that the mesh must be embedded inside for it to be hard to remove intact. Overall, this leads to a structure approximately a -centimeter thick that includes several millimeters epoxy resin with particularly poor thermal +centimeter thick that includes several millimeters of epoxy resin with particularly poor thermal conductivity~\cite{obermaier2019}. Even if ``thermally conductive'' resins would be used, thermal conductivity is limited to a fraction of what can be achieved with a heatsink directly attached to the CPU. A modern high-end CPU heatsink with its fan running has a thermal resistance from CPU junction to air of around 
@@ -381,9 +381,9 @@ to two orders of magnitude in computing power to be feasible in an IHSM compared \subsection{Long-term Operation} Without settling on a particular design for an IHSM yet, from the previous sections we have already gained an -understanding of what an IHSM would look like in practice. In the following paragraphs we will draw some conclusions on +understanding of what an IHSM would look like in practice. In the following paragraphs, we will draw some conclusions on how its design will affect the day-to-day operation of an IHSM. -Like other HSMs, in a practical application an IHSM may have to run continuously for a decade or even longer. As with +Like other HSMs, in a practical application, an IHSM may have to run continuously for a decade or even longer. As with any networked system, a setup including IHSMs must be designed in a way that prevents the failure of one or several IHSMs on the network from compromising the whole system's security or reliability. Neither IHSMs nor traditional HSMs can withstand fire or flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and 
@@ -391,19 +391,19 @@ erasure of data cannot~\cite{heise2021ovh}. Traditionally, this problem is solve geographically redundant HSMs~\cite{thales2015hsmha}. On IHSMs this task is aided on the software layer since they are based on general-purpose computer hardware and allow for state-of-the-art database replication techniques to be applied without first porting them to an embedded operating system or foreign CPU architecture. A practical example of this -approach is a 2019 technology demonstration~\cite{signal2019} created by the signal.org, the organization running the -signal secure messenger app. In this demonstration, signal.org have implemented the Raft consensus -algorithm~\cite{ongaro2019} inside Intel SGX to replicate state between geographically redundant enclaves. +approach is a 2019 technology demonstration~\cite{signal2019} created by signal.org, the organization running the signal +secure messenger app. In this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019} +inside Intel SGX to replicate state between geographically redundant enclaves. -Excluding natural disasters there are three main categories of challenges to an IHSM's longevity: Failure of components -of the IHSM due to age and wear, failure of the external power supply and spurious triggering of the intrusion alarm by -changes in the IHSM's environment. In the following paragraphs we will evaluate each of these categories in its +Excluding natural disasters, there are three main categories of challenges to an IHSM's longevity: Failure of components +of the IHSM due to age and wear, failure of the external power supply, and spurious triggering of the intrusion alarm by +changes in the IHSM's environment. In the following paragraphs, we will evaluate each of these categories in its practical impact. 
\paragraph{Component failure.} The failure mode of an IHSM's components is the same as in any other computer system and the same generic mitigation techniques apply. The expected lifetime of electronic components can be increased by using higher-spec components and by -reducing thermal, mechanical and electrical stress. To reduce vibration stress on both rotor and stator, the rotor must +reducing thermal, mechanical, and electrical stress. To reduce vibration stress on both rotor and stator, the rotor must be balanced. The main mechanical failure mode of an IHSM's is likely to be failure of the shaft bearings. By incorporating knowledge from other rotating devices that have a long lifetime such as cooling fans, this failure mode can be mitigated. Another noteworthy mechanical failure mode of an IHSM is dust buildup on the optical components of the @@ -417,7 +417,7 @@ considered is power loss. Traditional HSMs solve the need for an always-on backu batteries. The low static power consumption of a traditional HSM's simple tamper detection circuitry allows for the use of non-replaceable backup batteries. An IHSM in contrast would likely require a rechargeable backup battery since its motor requires more power than the mesh monitoring circuit of a traditional HSM. In principle, a conventional -Uninterruptible Power Supply (UPS) can be used, but in practice a productized IHSM might have a smaller backup battery +Uninterruptible Power Supply (UPS) can be used, but in practice, a productized IHSM might have a smaller backup battery integrated into its case. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ for an IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power an IHSM for 10 hours continuously. $\SI{10}{\watt}$ is a reasonable high estimate given that there are large industrial 
@@ -443,7 +443,7 @@ is proportional to the square of its amplitude when fixing frequency and the cub amplitude. This means that to reach a certain instantaneous acceleration, much more power is needed in a high-frequency vibrating motion compared to lower frequencies. This observation interacts with our other point that, second, an ideal vibration damper works better with higher frequencies, and has a lower bound below which it does no longer damp -vibration transmission~\cite{kelly1993,beards1996,dixon2007}. From these two observations it follows that if we wish to +vibration transmission~\cite{kelly1993,beards1996,dixon2007}. From these two observations, it follows that if we wish to reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal efficiently by damping high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations large enough to cause a false alarm. @@ -459,7 +459,7 @@ $\SI{0.3}{g}$. As they happen across a large geographic area, an earthquake's lo tremendous amount of mechanical power despite their at first glance low absolute acceleration. However, we can ignore them for the purposes of our tamper detection system. -From these comparisons we can conclude that an IHSM's tamper detection subsystem will be able to clearly distinguish +From these comparisons, we can conclude that an IHSM's tamper detection subsystem will be able to clearly distinguish attempts to stop the IHSM's rotation. Any external acceleration that would come close in order of magnitude to the operating centrifugal acceleration at the periphery of an IHSM's rotor would likely destroy the IHSM. 
@@ -486,17 +486,17 @@ manufacturer after the IHSM has been installed. \label{sec_attacks} After outlining the basic mechanical design of an inertial HSM as well as the fundamentals of its long-term operation -above, in this section we will detail possible ways to attack it. At the core of an IHSM's defenses is the same security -mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to perform -the same steps they would have to perform to attack a traditional HSM. However, they will either need to perform these -attack steps with a tool that follows the HSM's rotation at high speed or they will first need to defeat the braking -sensor. Attacking the IHSM in motion requires specialized mechanical tools such as CNC actuators or for contactless -attack a laser. +above, in this section, we will detail possible ways to attack it. At the core of an IHSM's defenses is the same +security mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to +perform the same steps they would have to perform to attack a traditional HSM. However, they will either need to +perform these attack steps with a tool that follows the HSM's rotation at high speed or they will first need to defeat +the braking sensor. Attacking the IHSM in motion requires specialized mechanical tools such as CNC actuators or for +contactless attack a laser. \subsection{Attacks that don't work} In the sections below, we will go into detail on such attacks on IHSMs. To put these attack approaches into perspective, -we will start with a brief overview on attacks on conventional HSMs that the IHSM is defended against. +we will start with a brief overview of attacks on conventional HSMs that the IHSM is defended against. %FIXME \paragraph{...} In principle, there are three ways to attack a conventional HSM. The hard way is to find a way to go through the 
@@ -512,7 +512,7 @@ $\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdo Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding temperature stability of the mesh material. -The second way to attack a HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between +The second way to attack an HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between two halves of an enclosure~\cite{obermaier2019}. This design is vulnerable to attempts to stick a fine needle through the interface between lid and PCB~\cite{dexter2015}. Conventional HSMs mitigate this weak spot by wrapping a patterned conductive foil around the HSM that forms the security mesh, leaving only the corners and the payload's power and data @@ -541,7 +541,7 @@ IHSMs do not provide an inherent benefit against such contactless attacks. Howev play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using simpler technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and are less space-constrained. This larger volume allows for a greater physical distance between security-critical components and -places accessible to an attacker using an electromagnetic probe for EM side channel attacks. By allowing the use of +places accessible to an attacker using an electromagnetic probe for EM sidechannel attacks. By allowing the use of conventional server hardware, IHSMs additionally enable the use of modern security techniques such as MMUs and well-audited open source software such as OpenSSL both of which may not be available on the smaller embedded processors found in conventional HSMs. 
@@ -558,9 +558,9 @@ shortest axis, resulting in a minimum radius from axis of rotation to surface of Wikipedia lists horizontal g forces in the order of $\SI{20}{g}$ as the upper end of the range tolerable by humans for a duration of seconds or above. We thus set our target acceleration to $\SI{100}{g}\;\approx\;\SI{1000}{\meter\per\second^2}$, a safety factor of $5$ past that range. Centrifugal -acceleration is $a=\omega^2 r$. In our example this results in a minimum angular velocity of $f_\text{min} = +acceleration is $a=\omega^2 r$. In our example, this results in a minimum angular velocity of $f_\text{min} = \frac{1}{2\pi}\sqrt{\frac{a}{r}} = \frac{1}{2\pi}\sqrt{\frac{\SI{1000}{\meter\per\second^2}}{\SI{100}{\milli\meter}}} -\approx \SI{16}{\hertz} \approx \SI{1000}{rpm}$. From this we can conclude that even at moderate speeds of +\approx \SI{16}{\hertz} \approx \SI{1000}{rpm}$. From this, we can conclude that even at moderate speeds of $\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some kind of mechanical tool. @@ -569,7 +569,7 @@ kind of mechanical tool. \includegraphics[width=6cm]{attack-robot.pdf} \caption{Schematic overview of a robotic rotating-stage attack. An optical sensor (1) observes the IHSM's rotation and adjusts the setpoint of a servo motor (2) that rotates the attack stage (3). On the rotating attack stage, a - remote controlled manipulator (4) is mounted that deactivates the security mesh (7) and creates an opening (5). + remote-controlled manipulator (4) is mounted that deactivates the security mesh (7) and creates an opening (5). Through this opening, a human operator can then insert tools such as probes to read out sensitive information from the actual payload (6).} \label{fig_attack_robot} 
@@ -608,7 +608,7 @@ does, however, have a weak spot along its axis of rotation, at the point where t tangential velocity decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as probes into the device through the opening it creates. This issue is related to the issue conventional HSMs also face with their power and data connections. In conventional HSMs, power and data are routed into the enclosure through the -PCB or flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. In conventional HSMs this +PCB or flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. In conventional HSMs, this interface rarely is a mechanical weak spot since they use a thin mesh substrate and create a meandering path by folding the interconnect substrate/security mesh layers several times. In inertial HSMs, careful engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity. @@ -647,7 +647,7 @@ its traces. The other option is to tamper with the monitoring circuit to prevent alarm~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e.\ they require electrical contact to parts of the circuit. Traditionally, this contact is made by soldering a wire or by placing a probe such as a thin needle. We consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack -avenues may be to rotate an attack tool in sync with the mesh, or to use a laser or ion beam fired at the mesh to cut +avenues may be to rotate an attack tool in sync with the mesh or to use a laser or ion beam fired at the mesh to cut traces or carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting compound and shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the complexity of such attacks. 
@@ -659,9 +659,9 @@ to falsify the rotor's MEMS accelerometer measurements. We can disregard electro monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be physical attacks of the accelerometer's sensing mechanism. MEMS accelerometers usually use a cantilever design in which a proof mass moves a cantilever whose precise position is -measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these -mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings. -A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the +measured electronically. A topic of recent academic interest has been acoustic attacks tampering with these +mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings. A +possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the security envelope and by varying the rate of rotation over time. 
@@ -669,11 +669,11 @@ security envelope and by varying the rate of rotation over time. \subsection{Attacks on the alarm circuit} Besides trying to deactivate the tamper detection mesh, an electronic attack could also target the alarm circuitry -inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a +inside the stationary payload or the communication link between rotor and payload. The link can be secured using a cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope. Like in conventional HSMs, it has to be built to either tolerate or detect environmental attacks using sensors for -temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration and gases or +temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration, and gases or liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured. To prevent replay attacks link latency must continuously be measured, so this link must be bidirectional. % If it were unidirectional, an attacker could 
@@ -695,7 +695,7 @@ the payload is reliably destroyed before the tamper response circuitry. \label{sec_proto} As we elaborated above, the mechanical component of an IHSM significantly increases the complexity of any attack even -when implemented using only common, off-the-shelf parts. In view of this amplification of design security we have +when implemented using only common, off-the-shelf parts. In view of this amplification of design security, we have decided to validate our theoretical studies by implementing a proof of concept prototype IHSM (Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof of concept prototype were: 
@@ -773,10 +773,10 @@ connectivity to the stator. To design the power link, we first need to estimate consumption. We base our calculation on the (conservative) assumption that the spinning mesh sensor should send its tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At $\SI{100}{\kilo\baud}$, a transmission of a one-byte message in standard UART framing would take -$\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that +$\SI{100}{\micro\second}$ and yield a $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of $\SI{100}{\micro\ampere}$. This value is comparable to a reasonable estimation of the current consumption of the -monitoring circuit itself. In our prototype we used ST Microelectronics STM32 Series ARM Cortex-M microcontrollers. To +monitoring circuit itself. In our prototype, we used ST Microelectronics STM32 Series ARM Cortex-M microcontrollers. To get an estimate on the current consumption of an energy-optimized design we will refer to the datasheet of the \partnum{STM32L486JG}\footnote{\url{https://www.st.com/resource/en/datasheet/stm32l486jg.pdf}}, a representative member of ST's \partnum{STM32L4} low-power sub-family that provides hardware acceleration for AES256. A good target for an 
@@ -784,7 +784,7 @@ implementation of a secure cryptographic channel on this device would be the noi While the initial handshake for key establishment uses elliptic-curve cryptography and may take several hundred milliseconds~\cite{tschofenig2015}, the following payload data transfer messages require only symmetric cryptographic primitives. The \partnum{STM32L486JG} datasheet lists the microcontroller's typical operating current at around -$\SI{8}{\milli\ampere}$ at $\SI{48}{\mega\hertz}$ clock speed, and lists a sleep current of less than +$\SI{8}{\milli\ampere}$ at $\SI{48}{\mega\hertz}$ clock speed and lists a sleep current of less than $\SI{1}{\micro\ampere}$ in low-power standby mode with RTC enabled. The AES peripheral is listed with less than $\SI{2}{\micro\ampere\per\mega\hertz}$ typical current consumption. A typical high-$g$ accelerometer for an IHSM application would be ST Microelectronics' \partnum{H3LIS331DL}. Its @@ -799,7 +799,7 @@ we arrive at an energy consumption of $\SI{1.7}{\ampere\hour}$ per year. This annual energy consumption is close to the capacity of a single CR123A lithium primary cell. By either using several such cells or by optimizing power consumption, several years of battery life could easily be reached. In our proof of -concept prototype we decided against using a battery to reduce rotor mass and avoid balancing issues. +concept prototype, we decided against using a battery to reduce rotor mass and avoid balancing issues. We also decided against mechanically complex solutions such as slip rings or electronically complex ones such as inductive power transfer. Instead, we chose a simple setup consisting of a stationary lamp pointing at several solar 
@@ -817,7 +817,7 @@ Besides power transfer from stator to rotor, we need a reliable, bidirectional d low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into an -\partnum{MCP6494} general purpose opamp configured as an $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in +\partnum{MCP6494} general purpose opamp configured as a $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time before being squared up by a comparator. Our design trades off stator-side power consumption for a reduction in rotor-side power consumption by using a narrow-angle IR led and photodiode on the rotor, and wide-angle components at a higher LED current on the @@ -848,9 +848,9 @@ are shielded from one another by the motor's body in the center of the PCB. \subsection{Evaluation} The proof-of-concept hardware worked as intended. Both rotating power and data links performed well. As we expected, the -mechanical design vibrated at higher speeds but despite these unintended vibrations we were able reach speeds in excess -of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link and the data links -continued to function without issue. +mechanical design vibrated at higher speeds but despite these unintended vibrations, we were able to reach speeds in +excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link and the +data links continued to function without issue. \section{Using MEMS accelerometers for braking detection} \label{sec_accel_meas} 
@@ -861,8 +861,8 @@ $\SI{55}{\milli\meter}$ from the axis of rotation to the center of the device's a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$. Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually -control this motor controller through an RC servo tester. In our experiments we externally measured the device's speed -of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using an +control this motor controller through an RC servo tester. In our experiments, we externally measured the device's speed +of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using a USB logic analyzer at a sample rate of $\SI{100}{\mega\hertz}$. We calculate rotation frequency as a $\SI{1}{\second}$ running average over interval lengths of the debounced captured signal\footnote{A regular frequency counter or commercial tachometer would have been easier, but neither was available in our limited COVID-19 home office 
@@ -882,7 +882,7 @@ This allowed us to avoid writing retransmission logic or data interpolation. Figure~\ref{fig-acc-steps} shows an entire run of the experiment. During this run, we started with the rotor at standstill, then manually increased its speed of rotation in steps. Areas shaded gray are intervals where we manually -adjust the rotors speed. The unshaded areas in between are intervals when the rotor speed is steady. +adjust the rotor's speed. The unshaded areas in between are intervals when the rotor speed is steady. Figure~\ref{fig-acc-stacked} shows a magnified view of these periods of steady rotor speed. In both graphs, orange lines indicate centrifugal acceleration as calculated from rotor speed measurements. Visually, we can see that measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the 
@@ -915,22 +915,22 @@ the device's specified and actual sensitivity. We correct for both errors by fir the time series, then fitting a linear function to the measured data. Offset error is this linear function's intercept, and scale error is its slope. We then apply this correction to all captured data before plotting and later analysis. Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of -the device's offset remaining. At high speeds of rotation this remaining offset does not have an appreciable impact, but -due to the quadratic nature of centrifugal acceleration at low speeds it causes a large relative error of up to +the device's offset remaining. At high speeds of rotation, this remaining offset does not have an appreciable impact, +but due to the quadratic nature of centrifugal acceleration, at low speeds it causes a large relative error of up to $\SI{10}{\percent}$ at $\SI{95}{rpm}$. After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data. Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity since we tested our proof of concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that -this harmonic content is a clean intermodulation product of the accelerometers sample rate and the speed of rotation +this harmonic content is a clean intermodulation product of the accelerometer's sample rate and the speed of rotation with no other visible artifacts. Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark -blue, and theoretical behavior is shown in orange. From our measurements we can conclude that an accelerometer is a good -choice for an IHSM's braking sensor. 
A simple threshold set according to the sensor's calculated expected centrifugal -force should be sufficient to reliably detect manipulation attempts without resulting in false positives. Periodic -controlled changes in the IHSM's speed of rotation allow offset and scale calibration of the accelerometer on the fly, -without stopping the rotor. +blue, and theoretical behavior is shown in orange. From our measurements, we can conclude that an accelerometer is a +good choice for an IHSM's braking sensor. A simple threshold set according to the sensor's calculated expected +centrifugal force should be sufficient to reliably detect manipulation attempts without resulting in false positives. +Periodic controlled changes in the IHSM's speed of rotation allow offset and scale calibration of the accelerometer on +the fly, without stopping the rotor. \begin{figure} \center 
@@ -946,15 +946,16 @@ without stopping the rotor. \section{Conclusion} \label{sec_conclusion} -In this paper we introduced Inertial Hardware Security Modules (IHSMs), a novel concept for the construction of advanced -hardware security modules from simple components. We analyzed the concept for its security properties and highlighted -its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design by creating a -proof of concept hardware prototype. In this prototype we have demonstrated practical solutions to the major electronics -design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation. We have used our -prototype to perform several experiments to validate the rotary power and data links and the onboard accelerometer. Our -measurements have shown that our proof-of-concept solar cell power link works well and that our simple IR data link -already is sufficiently reliable for telemetry. Our experiments with an \partnum{AIS1120} automotive MEMS accelerometer -showed that this part is well-suited for braking detection in the range of rotation speed relevant to the IHSM scenario. +In this paper, we introduced Inertial Hardware Security Modules (IHSMs), a novel concept for the construction of +advanced hardware security modules from simple components. We analyzed the concept for its security properties and +highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design +by creating a proof of concept hardware prototype. In this prototype, we have demonstrated practical solutions to the +major electronics design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation. +We have used our prototype to perform several experiments to validate the rotary power and data links and the onboard +accelerometer. 
Our measurements have shown that our proof-of-concept solar cell power link works well and that our +simple IR data link already is sufficiently reliable for telemetry. Our experiments with an \partnum{AIS1120} automotive +MEMS accelerometer showed that this part is well-suited for braking detection in the range of rotation speed relevant to +the IHSM scenario. Overall, our findings validate the viability of IHSMs as an evolutionary step beyond traditional HSM technology. IHSMs offer a high level of security beyond what traditional techniques can offer even when built from simple components. They @@ -975,7 +976,7 @@ tamper detection through the measurement of external forces acting on the rotor. \label{sec_repo} During our research on this paper, we have created a number of digital design artifacts including a 3D mechanical CAD -model of our prototype IHSM, schematics and PCB layouts for all of its PCBs including the prototype security mesh +model of our prototype IHSM, schematics, and PCB layouts for all of its PCBs including the prototype security mesh monitor PCB as well as firmware and data analysis scripts for the experiments we ran on the prototype IHSM. All of these digital artifacts as well as the sources to this paper are included in the git repository linked below. -- cgit
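Review bot: "EM sidechannel attacks" in the @@ -541 hunk is a regression, not a fix: the established spelling is "side-channel" (hyphenated as a compound modifier) or "side channel"; "sidechannel" as one word is not standard usage. Suggest `places accessible to an attacker using an electromagnetic probe for EM side-channel attacks.`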
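Review bot: "minimum angular velocity" in the @@ -558 hunk names the wrong quantity. $f_\text{min}$ is computed as $\frac{1}{2\pi}\sqrt{a/r}$ and given in Hz and rpm, so it is a rotation frequency; the angular velocity is $\omega = \sqrt{a/r}$. Suggest "this results in a minimum rotation frequency of $f_\text{min} = \ldots$" (or keep $\omega$ and drop the $\frac{1}{2\pi}$). The numbers themselves check out: $\sqrt{1000/0.1} = \SI{100}{rad/s}$, which is about 16 Hz or 955 rpm. Separately, the preceding sentence "Wikipedia lists horizontal g forces ..." in the same hunk carries no \cite; if the claim stays, it should get a reference entry like the other citations in this section.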
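Review bot: "A possible more invasive attack" in the @@ -659 hunk is ungrammatical; "possible" ends up modifying "attack" while the intent is to hedge the claim. Suggest "A possibly more invasive attack may be to first decapsulate ..." or simply "A more invasive attack might be to first decapsulate ...".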
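Review bot: the trailing context of the @@ -669 hunk still has a missing comma that this pass should have caught: "To prevent replay attacks link latency must continuously be measured" reads as "replay attacks link latency" on first pass. Suggest "To prevent replay attacks, link latency must be measured continuously, so this link must be bidirectional." In the same region the requirement that the rotor/stator link be cryptographically secured is stated twice within four sentences ("The link can be secured using a cryptographically secured protocol ..." and "If a wireless link is used ..., this link must be cryptographically secured."); consider merging them into one sentence.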
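Review bot: "ST Microelectronics" in the @@ -773 hunk (and "ST Microelectronics'" in the context lines of the @@ -784 hunk) is not how the company writes its name; it is "STMicroelectronics" as a single word. Suggest `In our prototype, we used STMicroelectronics STM32 Series ARM Cortex-M microcontrollers.` and fixing the second occurrence alongside.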
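Review bot: capitalization of the acronym is inconsistent inside the @@ -817 hunk: "IR led" appears twice in the context lines while "LED current" is capitalized in the same paragraph. Suggest "IR LED" throughout. The article change from "an $\SI{100}{\kilo\ohm}$" to "a $\SI{100}{\kilo\ohm}$" is correct, since it is read "a hundred kiloohm".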
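Review bot: the comma in the @@ -848 hunk lands in the wrong place: "vibrated at higher speeds but despite these unintended vibrations, we were able to reach" cuts the subordinate clause off from its main clause. Suggest "The mechanical design vibrated at higher speeds, but despite these unintended vibrations we were able to reach speeds in excess of $\SI{1000}{rpm}$ by clamping the device to the workbench." In the same hunk, "both the power link and the data links" mixes singular and plural against "Both rotating power and data links performed well" two sentences earlier; pick one form.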
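Review bot: the last context line of the @@ -882 hunk keeps a subject-verb agreement error the Grammarly pass missed: "the main source of error are the" should be "the main source of error is the" (the subject is "source"). Worth fixing while this paragraph is being touched.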
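Review bot: the comma move in the @@ -915 hunk makes the sentence harder to parse rather than easier: "but due to the quadratic nature of centrifugal acceleration, at low speeds it causes" separates the cause from what it explains. Suggest "At high speeds of rotation this residual offset has no appreciable impact, but because centrifugal acceleration grows quadratically with speed, at low speeds it causes a large relative error of up to $\SI{10}{\percent}$ at $\SI{95}{rpm}$." In the same hunk, "a good match of measurements and theory modulo a small part of the device's offset remaining" is informal for the paper's register; "apart from a small residual offset" would be clearer.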
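Review bot: three consistency points in the @@ -946 hunk. "proof of concept hardware prototype" and "proof-of-concept solar cell power link" appear in the same paragraph; as a compound modifier it should be hyphenated in both places (the same split exists between "proof of concept prototype" in the @@ -695 hunk and "proof-of-concept hardware" in the @@ -848 hunk). "already is sufficiently reliable" reads better as "is already sufficiently reliable". After the colon, "Data and power transfer through a rotating joint, and mechanized mesh generation" is a list fragment rather than an independent clause, so "data" should be lowercase.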