From 69daf158fe83e49d420e97fc5bbf91f32798585a Mon Sep 17 00:00:00 2001 From: jaseg Date: Mon, 15 Mar 2021 11:25:49 +0100 Subject: Repo re-org: rename paper dir --- doc/quick-tech-report/rotohsm_tech_report.tex | 300 -------------------------- 1 file changed, 300 deletions(-) delete mode 100644 doc/quick-tech-report/rotohsm_tech_report.tex (limited to 'doc/quick-tech-report/rotohsm_tech_report.tex') diff --git a/doc/quick-tech-report/rotohsm_tech_report.tex b/doc/quick-tech-report/rotohsm_tech_report.tex deleted file mode 100644 index e9d571f..0000000 --- a/doc/quick-tech-report/rotohsm_tech_report.tex +++ /dev/null @@ -1,300 +0,0 @@ -\documentclass[10pt,journal,a4paper]{IEEEtran} -\usepackage[english]{babel} -\usepackage[utf8]{inputenc} -\usepackage[T1]{fontenc} -\usepackage[ - backend=biber, - style=numeric, - natbib=true, - url=false, - doi=true, - eprint=false - ]{biblatex} -\addbibresource{rotohsm.bib} -\usepackage{amssymb,amsmath} -\usepackage{listings} -\usepackage{eurosym} -\usepackage{wasysym} -\usepackage{amsthm} -\usepackage{tabularx} -\usepackage{multirow} -\usepackage{multicol} -\usepackage{tikz} -\usepackage{mathtools} -\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil} -\DeclarePairedDelimiter{\paren}{(}{)} - -\usetikzlibrary{arrows} -\usetikzlibrary{chains} -\usetikzlibrary{backgrounds} -\usetikzlibrary{calc} -\usetikzlibrary{decorations.markings} -\usetikzlibrary{decorations.pathreplacing} -\usetikzlibrary{fit} -\usetikzlibrary{patterns} -\usetikzlibrary{positioning} -\usetikzlibrary{shapes} - -\usepackage[binary-units]{siunitx} -\DeclareSIUnit{\baud}{Bd} -\DeclareSIUnit{\year}{a} -\usepackage{hyperref} -\usepackage{tabularx} -\usepackage{commath} -\usepackage{graphicx,color} -\usepackage{ccicons} -\usepackage{subcaption} -\usepackage{float} -\usepackage{footmisc} -\usepackage{array} -\usepackage[underline=false]{pgf-umlsd} -\usetikzlibrary{calc} -%\usepackage[pdftex]{graphicx,color} -\usepackage{epstopdf} -\usepackage{pdfpages} -\usepackage{minted} % pygmentized source code - -\renewcommand{\floatpagefraction}{.8} -\newcommand{\degree}{\ensuremath{^\circ}} -\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} - -\usepackage{fancyhdr} -\fancyhf{} -\fancyfoot[C]{\thepage} -\newcommand{\includenotebook}[2]{ - \fancyhead[C]{Included Jupyter notebook: #1} - \includepdf[pages=1, - pagecommand={\thispagestyle{fancy}\section{#1}\label{#2_notebook}} - ]{resources/#2.pdf} - \includepdf[pages=2-, - pagecommand={\thispagestyle{fancy}} - ]{resources/#2.pdf} -} - -\begin{document} - -\title{Tech Report: Inerial HSMs Thwart Advanced Physical Attacks} -\author{\IEEEauthorblockN{ - Jan Sebastian Götte\IEEEauthorrefmark{1}\IEEEauthorrefmark{2} \and - Björn Scheuermann\IEEEauthorrefmark{1}\IEEEauthorrefmark{2} - }\\ - \IEEEauthorblockA{ - \IEEEauthorrefmark{1}Alexander von Humboldt Institut für Internet und Gesellschaft (HIIG)\\ - \IEEEauthorrefmark{2}Humboldt-Universität zu Berlin\\ - \texttt{\textbf{\small goette@jaseg.de}}, \texttt{\textbf{\small scheuermann@informatik.hu-berlin.de}} - } -} -\date{2021-01-05} -\maketitle - -\section*{Abstract} - -In this tech report, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules -(iHSMs). Conventional systems have in common that they try to detect attacks by crafting sensors responding to -increasingly minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce -the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by -rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop -the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to a HSM that -can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is -comparable to commercial HSMs. - -This tech report is the abridged version of our forthcoming paper. - -\section{Introduction} - -While information security technology has matured a great deal in the last half century, physical security has barely -changed. Given the right skills, physical access to a computer still often means full compromise. The physical -security of modern server hardware hinges on what lock you put on the room it is in. - -Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid -switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between -physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key -infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic -co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of -trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured -TPM~\cite{newman2020,frazelle2019,johnson2018}. - -Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure -them against tampering is a good engineering solution for some years to come. However, in essence this is a type of -security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern -ICs~\cite{albartus2020,anderson2020}. - -HSMs rely on a fragile foil with much larger-scale conductive traces being hard to remove intact. While we are certain -that there still are many insights to be gained in both technologies, we wish to introduce a novel approach to sidestep -the manufacturing issues of both and provide radically better security against physical attacks. Our core observation -is that any cheap but coarse HSM technology can be made much more difficult to attack by moving it very quickly. - -For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set -by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, -solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual -defenses the HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high speed. How -would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the -accelerometer---or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow -speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become -inhospitable to human life. Since non-contact electromagnetic or optical attacks are more limited in the first place and -can be shielded, we have effectively forced the attacker to use an attack robot. - -In Section~\ref{sec_related_work}, we will give an overview of the state of the art in the physical security of HSMs. On -this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach. We -conclude this paper with a general evaluation of our concept in Section~\ref{sec_conclusion}. - -\section{Related work} -\label{sec_related_work} -% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion -% beyond ultrasound. - -In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper -detection. - -HSMs are an old technology tracing back decades in their electronic realization. Today's common approach of monitoring -meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security -problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, -anderson2020}. There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic -radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research -has found widespread adoption yet. - -In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM -4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard -construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical -security mechanisms have not evolved much in the last two decades. Besides auxiliary temperature and radiation sensors -to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional -construction of a flexible mesh wrapped around the module's core. In~\cite{smith1998}, the authors state the module -monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and -construction is similar to other commercial offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. - -To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a -hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security -barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture -these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap -low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The -closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that -describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled -with pressurized gas. - -\section{Inertial HSM construction and operation} -\label{sec_ihsm_construction} - -Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and is -routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first to -use it in tamper detection. If we consider different ways of moving an HSM to make it harder to tamper with, we find -that making it spin has several advantages. - -First, the HSM has to move fairly fast. If any point of the HSM's tamper sensing mesh moves slow enough for a human to -follow, it becomes a weak spot. E.g.\ in a linear pendulum motion, the pendulum becomes stationary at its apex. Second, -a spinning HSM is compact compared to alternatives like an HSM on wheels. Finally, rotation leads to easily predictable -accelerometer measurements. A beneficial side-effect of spinning the HSM is that if the axis of rotation is within the -HSM itself, an attacker trying to follow the motion would have to rotate around the same axis. Their tangential linear -velocity would rise linearly with the radius from the axis of rotation, which allows us to limit the approximate maximum -size and mass of an attacker using an assumption on tolerable centrifugal force. In this consideration the axis of -rotation is a weak spot, but that can be mitigated using multiple nested layers of protection. - -\begin{figure} - \center - \includegraphics{concept_vis_one_axis.pdf} - \caption{Concept of a simple spinning inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 - - Accelerometer. 5 - Shaft penetrating security mesh.} - \label{fig_schema_one_axis} -\end{figure} - -In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to -distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the -rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, after -subtracting gravity both acceleration tangential to the rotation and along the axis of rotation will be zero. -Centrifugal acceleration will be constant. - -Large centrifugal acceleration at high speeds poses the engineering challenge of preventing the whole thing from flying -apart, but it also creates an obstacle to any attacker trying to manipulate the sensor. We do not need to move the -entire contents of the HSM. It suffices if we move the tamper detection barrier around a stationary payload. This -reduces the moment of inertia of the moving part and it means we can use cables for payload power and data. Even at -moderate speeds above $\SI{500}{rpm}$, an attack would have to be carried out using a robot. - -\subsection{Mechanical layout} - -Thinking about the concrete construction of our mechanical HSM, the first challenge is mounting both mesh and payload on -a single shaft. The simplest way we found to mount a stationary payload inside of a spinning security mesh is a hollow -shaft. The payload can be mounted on a fixed rod threaded through this hollow shaft along with wires for power and -data. The shaft is a weak spot of the system, but this weak spot can be alleviated through either careful construction -or a second layer of rotating meshes with a different axis of rotation. Configurations that do not use a hollow-shaft -motor are possible, but may require additional bearings to keep the stator from vibrating. - -The next design choice we have to make is the physical structure of the security mesh. The spinning mesh must be -designed to cover the entire surface of the payload, but compared to a traditional HSM it suffices if it sweeps over -every part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside -air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious -issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be -solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used -exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. -Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum possible power dissipation -of the payload and unlocks much more powerful processing capabilities. In an evolution of our design, the spinning mesh -could even be designed to \emph{be} a cooling fan. - -\subsection{Spinning mesh power and data transmission} - -On the electrical side, the idea of a security mesh spinning at more than $\SI{500}{rpm}$ leaves us with a few -implementation challenges. Since the spinning mesh must be monitored for breaks or short circuits continuously, we need -both a power supply for the spinning monitoring circuit and a data link to the stator. - -We think that a bright lamp shining at a rotating solar panel is a good starting point. In contrast to e.g.\ slip -rings, this setup is mechanically durable at high speeds and it also provides reasonable output power. A battery may not -provide a useful lifetime without power-optimization. Likewise, an energy harvesting setup may not provide enough -current to supply peak demand. - -Since the monitoring circuit uses little current, power transfer efficiency is not important. On the other hand, cost -may be a concern in a production device. Here it may prove worthwhile to replace the solar cell setup with an extra -winding on the rotor of the BLDC motor driving the spinning mesh. This motor is likely to be a custom part, so adding -an extra winding is unlikely to increase cost significantly. More traditional inductive power transfer may also be an -option if it can be integrated into the mechanical design. - -\begin{figure} - \center - \includegraphics{ir_tx_schema.pdf} - \caption{Example of a bidirectional IR communication link between rotor and stator, view along axis of rotation. 1 - - Rotor base plate. 2 - Stator base plate. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.} - \label{ir_tx_schema} -\end{figure} - -Besides power, the data link between spinning mesh and payload is critical to the HSM's design. This link is used to -transmit the occassional status report along with a low-latency alarm trigger (``heartbeat'') signal from mesh to payload. -A simple infrared optical link as shown in Figure~\ref{ir_tx_schema} may be a good solution for this purpose. - -\section{Conclusion} - -\label{sec_conclusion} To conclude, in this tech report we introduced inertial hardware security modules (iHSMs), a -novel concept for the construction of highly secure hardware security modules from inexpensive, commonly available -parts. We elaborated the engineering considerations underlying a practical implementation of this concept. - -Inertial HSMs offer a high level of security beyond what traditional techniques can offer. They allow the construction -of devices secure against a wide range of practical attacks at prototype quantities and without specialized tools. We -hope that this simple construction will stimulate academic research into secure hardware. - -\printbibliography[heading=bibintoc] -\appendix - -\subsection{Patents and licensing} -During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not -find any mentions of similar concepts either in academic literature or in patents. Thus, we are likely the inventors of -this idea and we are fairly sure it is not covered by any patents or other restrictions at this point in time. - -Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are -already commercially available, we have decided against applying for a patent and we wish to make it available to the -general public without any restrictions on its use. This paper itself is licensed CC-BY-SA (see below). As for the -inertial HSM concept, we invite you to use it as you wish and to base your own work on our publications without any fees -or commercial restrictions. Where possible, we ask you to cite this paper and attribute the inertial HSM concept to its -authors. - -\center{ - \center{\ccbysa} - - \center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The - full text of the license can be found at:} - - \center{\url{https://creativecommons.org/licenses/by-sa/4.0/}} - - \center{For alternative licensing options, source files, questions or comments please contact the authors.} - - \center{This is version \texttt{\input{version.tex}\unskip} generated on \today. Once the full paper has been - published, this project's git repository will be available at:} - - \center{\url{https://git.jaseg.de/rotohsm.git}} -} -\end{document} -- cgit