From e31d7a98d0c4a816270f54af85790a762cd2f44a Mon Sep 17 00:00:00 2001 From: jaseg Date: Thu, 5 Nov 2020 18:55:21 +0100 Subject: techreport: WIP --- doc/quick-tech-report/rotohsm.bib | 224 +++++++++++++----------- doc/quick-tech-report/rotohsm_tech_report.tex | 235 +++++++++++++++----------- 2 files changed, 261 insertions(+), 198 deletions(-) (limited to 'doc') diff --git a/doc/quick-tech-report/rotohsm.bib b/doc/quick-tech-report/rotohsm.bib index 5bbeff9..0250074 100644 --- a/doc/quick-tech-report/rotohsm.bib +++ b/doc/quick-tech-report/rotohsm.bib @@ -1,99 +1,125 @@ -% Encoding: UTF-8 - -@Book{anderson2020, - author = {Ross Anderson}, - date = {2020-09-16}, - title = {Security Engineering}, -} - -@TechReport{smith1998, - author = {Sean Smith and Steve Weingart}, - date = {1998-02-19}, - institution = {IBM T.J. Watson Research Center}, - title = {Building a High-Performance, Programmable Secure Coprocessor}, - url = {ftp://www6.software.ibm.com/software/cryptocards/rc21102.pdf}, - urldate = {2020-09-16}, -} - -@Article{immler2019, - author = {Vincent Immler and Johannes Obermaier and Kuan Kuan Ng and Fei Xiang Ke and Jin Yu Lee and Yak Peng Lim and Wei Koon Oh and Keng Hoong Wee and Georg Sigl}, - date = {2019}, - journaltitle = {IACR Transactions on Cryptographic Hardware and Embedded Systems}, - title = {Secure Physical Enclosures from Covers with Tamper-Resistance}, - doi = {https://doi.org/10.13154/tches.v2019.i1.51-96}, - issn = {2569-2925}, - url = {https://tches.iacr.org/index.php/TCHES/article/view/7334/6506}, - urldate = {2020-09-16}, -} - -@Article{obermaier2018, - author = {Johannes Obermaier and Vincent Immler}, - date = {2018}, - journaltitle = {Journal of Hardware and Systems Security}, - title = {The Past, Present, and Future of Physical Security Enclosures: From Battery-Backed Monitoring to PUF-Based Inherent Security and Beyond}, - doi = {10.1007/s41635-018-0045-2}, - issn = {2509-3428}, - pages = {289-296}, - volume = {2}, - year = {2018}, -} - -@Article{tobisch2020, - author = {Johannes Tobisch and Christian Zenger and Christof Paar}, - date = {2020-03-13}, - journaltitle = {TRUDEVICE 2020: 9th Workshop on Trustworthy Manufacturing and Utilization of Secure Devices}, - title = {Electromagnetic Enclosure PUF for Tamper Proofing Commodity Hardware and otherApplications}, - url = {https://www.emsec.ruhr-uni-bochum.de/media/crypto/veroeffentlichungen/2020/05/13/trudevice_submission_enclosure_puf.pdf}, - urldate = {2020-09-17}, -} - -@Article{kreft2012, - author = {Heinz Kreft and Wael Adi}, - date = {2012}, - journaltitle = {2012 NASA/ESA Conference on Adaptive Hardware and Systems (AHS)}, - title = {Cocoon-PUF, a novel mechatronic secure element technology}, - doi = {10.1109/ahs.2012.6268655}, - year = {2012}, -} - -@Patent{rahman1988, - author = {Mujib Rahman}, - date = {1988-03-10}, - number = {US4859024A}, - title = {Optical fiber cable with tampering detecting means}, -} - -@WWW{haines2006, - author = {Lester Haines}, - editor = {The Register}, - date = {2006-09-25}, - title = {US outfit patents 'invisible' UAV: Stealth through persistence of vision}, - url = {https://www.theregister.com/2006/09/25/phantom_sentinel/}, - urldate = {2020-09-17}, -} - -@Article{frazelle2019, - author = {Jessie Frazelle}, - date = {2019-12-01}, - journaltitle = {ACM Queue}, - title = {Securing the Boot Process: The hardware root of trust}, - doi = {https://doi.org/10.1145/3380774.3382016}, - url = {https://dl.acm.org/doi/fullHtml/10.1145/3380774.3382016}, - urldate = {2020-10-22}, -} - -@Article{albartus2020, - author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar}, - date = {2020}, - title = {{DANA} Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering}, - doi = {10.13154/tches.v2020.i4.309-336}, - number = {4}, - pages = {309--336}, - volume = {2020}, - bibsource = {dblp computer science bibliography, https://dblp.org}, - biburl = {https://dblp.org/rec/journals/tches/AlbartusHTAP20.bib}, - journal = {{IACR} Trans. Cryptogr. Hardw. Embed. Syst.}, - year = {2020}, -} - -@Comment{jabref-meta: databaseType:biblatex;} +@comment{x-kbibtex-encoding=utf-8} + +@book{anderson2020, + author = {Ross Anderson}, + date = {2020-09-16}, + title = {Security Engineering} +} + +@techreport{smith1998, + author = {Sean Smith and Steve Weingart}, + date = {1998-02-19}, + institution = {IBM T.J. Watson Research Center}, + title = {Building a High-Performance, Programmable Secure Coprocessor}, + url = {ftp://www6.software.ibm.com/software/cryptocards/rc21102.pdf}, + urldate = {2020-09-16} +} + +@article{immler2019, + author = {Vincent Immler and Johannes Obermaier and Kuan Kuan Ng and Fei Xiang Ke and Jin Yu Lee and Yak Peng Lim and Wei Koon Oh and Keng Hoong Wee and Georg Sigl}, + date = {2019}, + doi = {10.13154/tches.v2019.i1.51-96}, + issn = {2569-2925}, + journaltitle = {IACR Transactions on Cryptographic Hardware and Embedded Systems}, + title = {Secure Physical Enclosures from Covers with Tamper-Resistance}, + url = {https://tches.iacr.org/index.php/TCHES/article/view/7334/6506}, + urldate = {2020-09-16} +} + +@article{obermaier2018, + author = {Johannes Obermaier and Vincent Immler}, + date = {2018}, + doi = {10.1007/s41635-018-0045-2}, + issn = {2509-3428}, + journaltitle = {Journal of Hardware and Systems Security}, + pages = {289–296}, + title = {The Past, Present, and Future of Physical Security Enclosures: From Battery-Backed Monitoring to PUF-Based Inherent Security and Beyond}, + volume = {2}, + year = {2018} +} + +@article{tobisch2020, + author = {Johannes Tobisch and Christian Zenger and Christof Paar}, + date = {2020-03-13}, + journaltitle = {TRUDEVICE 2020: 9th Workshop on Trustworthy Manufacturing and Utilization of Secure Devices}, + title = {Electromagnetic Enclosure PUF for Tamper Proofing Commodity Hardware and otherApplications}, + url = {https://www.emsec.ruhr-uni-bochum.de/media/crypto/veroeffentlichungen/2020/05/13/trudevice_submission_enclosure_puf.pdf}, + urldate = {2020-09-17} +} + +@article{kreft2012, + author = {Heinz Kreft and Wael Adi}, + date = {2012}, + doi = {10.1109/ahs.2012.6268655}, + journaltitle = {2012 NASA/ESA Conference on Adaptive Hardware and Systems (AHS)}, + title = {Cocoon-PUF, a novel mechatronic secure element technology}, + year = {2012} +} + +@patent{rahman1988, + author = {Mujib Rahman}, + date = {1988-03-10}, + number = {US4859024A}, + title = {Optical fiber cable with tampering detecting means} +} + +@www{haines2006, + author = {Lester Haines}, + date = {2006-09-25}, + editor = {The Register}, + title = {US outfit patents 'invisible' UAV: Stealth through persistence of vision}, + url = {https://www.theregister.com/2006/09/25/phantom_sentinel/}, + urldate = {2020-09-17} +} + +@article{frazelle2019, + author = {Jessie Frazelle}, + date = {2019-12-01}, + doi = {10.1145/3380774.3382016}, + journaltitle = {ACM Queue}, + title = {Securing the Boot Process: The hardware root of trust}, + url = {https://dl.acm.org/doi/fullHtml/10.1145/3380774.3382016}, + urldate = {2020-10-22} +} + +@article{albartus2020, + author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar}, + bibsource = {dblp computer science bibliography, https://dblp.org}, + biburl = {https://dblp.org/rec/journals/tches/AlbartusHTAP20.bib}, + date = {2020}, + doi = {10.13154/tches.v2020.i4.309-336}, + journal = {{IACR} Trans. Cryptogr. Hardw. Embed. Syst.}, + number = {4}, + pages = {309–336}, + title = {{DANA} Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering}, + volume = {2020}, + year = {2020} +} + +@inproceedings{trippel2017, + author = {Timothy Trippel and Ofir Weisse and Wenyuan Xu and Peter Honeyman and Kevin Fu}, + booktitle = {2017 IEEE European symposium on security and privacy (EuroS\&P)}, + organization = {IEEE}, + pages = {3–18}, + title = {WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks}, + x-fetchedfrom = {Google Scholar}, + year = {2017} +} + +@misc{heise2020t2jailbreak, + publisher = {Heise Online}, + title = {Jailbreaker nehmen T2-Sicherheitschip von Macs ins Visier}, + url = {https://www.heise.de/mac-and-i/meldung/Jailbreaker-nehmen-T2-Sicherheitschip-von-Macs-ins-Visier-4681131.html} +} + +@article{kim2018, + author = {Seung Hyun Kim and Su Chang Lim and others}, + journal = {Annals of Nuclear Energy}, + pages = {845–855}, + publisher = {Elsevier}, + title = {Intelligent intrusion detection system featuring a virtual fence, active intruder detection, classification, tracking, and action recognition}, + volume = {112}, + x-fetchedfrom = {Google Scholar}, + year = {2018} +} + diff --git a/doc/quick-tech-report/rotohsm_tech_report.tex b/doc/quick-tech-report/rotohsm_tech_report.tex index 0f8e8d4..5947fcc 100644 --- a/doc/quick-tech-report/rotohsm_tech_report.tex +++ b/doc/quick-tech-report/rotohsm_tech_report.tex @@ -81,84 +81,81 @@ \section*{Abstract} In this paper, we introduce a novel, highly effective countermeasure against physical attacks: Inertial hardware -security modules. Whereas conventional technology can be categorized into systems monitoring a thin boundary (such as -security meshes) and systems monitoring the interior volume (such as the ``enclosure PUF'' of Tobisch et -al.\cite{tobisch2020}). All of these systems have in common that they try to detect attacks by crafting sensors -responding to increasingly minute manipulations of the monitored medium. Our approach is novel in that we reduce the -sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by fastly -rotating the security mesh or sensor--presenting a moving target to an attacker. Attempts to tamper with the rotation -itself are easily monitored with commercial MEMS accelerometers and gyroscopes. +security modules. Conventional systems have in common that they try to detect attacks by crafting sensors responding to +increasingly minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce +the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by +rotating the security mesh or sensor at high speed--presenting a moving target to an attacker. Attempts to stop the +rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is comparable to even the best commercial offerings. \section{Introduction} -Long before passwords, access control lists, role-based authentication and other modern concepts of information security -were developed, information was secured by physically locking away the computers that held it. Nowadays, physical -security concerns have are mostly receded into specialty applications such as credit card processing and medical data -processing. In most other commercial data processing applications, the physical security provided by the average -datacenter is considered to be appropriate. +While information security technology has matured a great deal in the last half century, physical security has barely +changed. Given the right skills, physical access to a computer still usually equates full compromise. The physical +security of modern server hardware hinges on what lock you put on the room it is in. Systems such as Trusted Platform +Modules attempt to alleviate this problem, but they are hard to use and even with them a system still offers +considerable attack surface\cite{heise2020t2jailbreak}. -In modern systems, it is generally considered infeasible to physically secure a whole computer beyond putting a lock on -it. High-level physical security is usually limited to a small physical sizes. Secure enclaves and smartcards provide -security on the scale of a single-chip. Commercial HSMs provide the functions of a cryptographic co-processor from a -physically secure small circuit board\cite{anderson2020,immler2019}. +In modern systems, high-level physical security is usually limited to small physical dimensions. Secure enclaves and +smartcards provide security on the scale of a single chip. Commercial HSMs have a small circuit +board\cite{anderson2020,immler2019}. Security systems such as TPMs effectively allow tying a larger system's physical +security to that of a small TPM chip embedded inside. The protection that exists at the level of a single server +enclosure is usually limited to a lid switch and some tamper-evident seals. \subsection{Technical approaches to physical security} Shrinking things to the nanoscopic level to secure them against tampering is increasing in popularity. Apple today uses a secure enclave IC in their line of laptops. Likewise, Google has developed its own security IC with a similar -application\cite{frazelle2019}. Any such security IC provides physical security but does not provide any cryptographic -security. The real-world security of such chips solely rests on the assumption that due to their fine structure, they -are hard to reverse engineer or modify. As of now, this property holds and in the authors' opinion it will likely be a -reasonable assumptions for some years to come. However, in its essence this is a type of security by obscurity: +application\cite{frazelle2019}. These chips are an engineering solution to problems that cannot be solved with +cryptographic security. The security of these chips rests on the assumption that due to their fine structure, they are +hard to reverse engineer or modify. As of now, this property holds and in the authors' opinion it will likely be a +reasonable assumption for some years to come. However, in its essence this is a type of security by obscurity: Obscurity here meaning the rarity of the equipment necessary to attack these chips\cite{albartus2020,anderson2020}. \subsection{Hardware Security Modules} -Hardware security modules (HSMs) approach the problem in a different angle: In conformity with Kerckhoff's principle, -instead of hiding the system's structure, the HSM has monitors that wipes all secrets when the slightest manipulation is -detected. Commercial HSMs commonly employ what we call \emph{boundary monitoring}. They have a physical security barrier -that they continuously monitor for holes. Usually, this is a thin foil patterned with two electrical traces that are -folded many times to cover the entire area of the foil--and that are monitored for shorts or breaks. The security -problem thus gets transformed into a manufacturing challenge: How fine can these traces be made so that they break from -even the most gentle attempts at e.g.\ mechanical or chemical manipulation. - -In our classification the other type of HSMs are \emph{volumetric} HSMs. Here, the entire interior volume is monitored -for changes using e.g.\ electromagnetic radiation\cite{tobisch2020,kreft2012} or ultrasound. Their security is limited -by the analog sensitivity of their transceivers. Their practicality is limited by their complex transceiver and signal +Right now, Hardware security modules (HSMs) are the commercial devices offering the highest ``physical +security-volume-product''. Whereas smartcards secure a single chip, HSMs secure a small circuit board. In contrast to a +smartcard, the HSM actively deletes its secrets when it detects a manipulation. Commercial HSMs commonly employ what we +call \emph{boundary monitoring}. They have a physical security barrier that they continuously monitor for holes. +Usually, this barrier is a thin foil that is patterned with at least two electrical traces that are folded many times to +cover the entire area of the foil. The HSM monitors these traces for shorts or breaks. This simple construction +transforms the security problem into a manufacturing challenge. + +In our classification the other type of HSMs are \emph{volumetric} HSMs. They monitor their entire internal volume for +changes using e.g.\ electromagnetic radiation\cite{tobisch2020,kreft2012} or ultrasound. Their security is limited by +the analog sensitivity of their transceivers. Their practicality is limited by their complex transceiver and signal processing circuitry. They promise to secure larger volumes than boundary monitoring at higher parts cost. -A problem with volumetric designs is their security analysis, which is hard to do without significant guesswork. To -ensure full volumetric coverage one has to numerically solve the electromagnetic field equations inside the HSM -according to a model of its sensing transceivers. - -\subsection{Inertial HSMs: A new approach to physical security} -We are certain that there is still much work to be done and many insights to be gained from further explorations of the -two concepts described above. For example, consider a box with mirrored walls that contains a smaller box suspended on -thin wires that has cameras looking outward in all directions at the mirrored walls. Given that the defender can control -lighting conditions inside this kaleidoscopic box in this application modern cameras can be considered equivalent to or -better than the human eye. Thus, a successful physical attack on this system would likely an ``invisibility cloak''--and -the system would remain secure as long as no such thing exists. This example is a useful point of reference. To be -viable, an HSM technology must be either cheaper, smaller or more sensitive than this strawman setup. - -The candidate we wish to introduce in this paper uses a novel approach to sidestep the issues of conventional HSM -concepts and provides radically better security against physical attacks both in theory and in practice. - -Our core observation is that any cheap but coarse HSM technology can be made radically more difficult to attack by -introducing fast mechanical motion. As a trivial example, consider an HSM as it is used in ecommerce applications for -credit card payments. Its physical security level is set by the structure size of its security mesh. If an attacker can -tap the mesh's electrical traces in a way the HSM cannot detect, they have circumvented the device's protections. Such -attacks might involve fine drill bits, needles, wires, glue, solder and lasers. +A problem with volumetric designs is their security analysis, which is hard to do without significant guesswork. In +e.g.\ a device that use electromagnetic radiation to monitor its volume, one has to numerically solve the +electromagnetic field equations inside the HSM to validate its impenetrability. + +\subsection{Inertial HSMs: A new approach to physical security} We are certain that there is still much work to be done +and many insights to be gained in both HSM and in smartcard technology\footnote{For example, consider a box with +mirrored walls that contains a smaller box suspended on thin wires that has cameras looking outward in all directions at +the mirrored walls. Given that the defender can control lighting conditions inside this kaleidoscopic box in this +application modern cameras perform better than the human eye. Thus, a successful physical attack on this system would +likely an ``invisibility cloak''--and the system would remain secure as long as no such thing exists. This example is a +useful point of reference. To be viable, an HSM technology must be either cheaper, smaller or more sensitive than this +strawman setup\cite{kim2018}.}. % TODO perhaps misplaced citation and/or poor source? + +Still, we wish to introduce a novel approach to sidestep the issues of conventional HSMs and provide radically better +security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made much +more difficult to attack by moving it very quickly. As a trivial example, consider an HSM as it is used in +ecommerce applications for credit card payments. Its physical security level is set by the structure size of its +security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, solder and lasers. Now consider the same HSM mounted on a large flywheel. In addition to its usual defenses the HSM is now equipped with an accelerometer that it uses to verify that it is rotating at high speed. How would an attacker approach this HSM? They -would have to either slow down the rotation, which would quickly be sensed by the accelerometer, or they would have to -attack the HSM in motion. The HSM literally becomes a moving target. At slow speeds, rotating the entire attack -workbench might be possible but rotating frames of reference quickly become inhospitable to human life and at some point -the technical means to rotate a CNC attack robot will become inconvenient as well. Electromagnetic or optical attacks -that do not require mechanical contact are more limited in the first place and can be shielded effectively. +would have to either slow down the rotation, triggering the accelerometer, or they would have to attack the HSM in +motion. The HSM literally becomes a moving target. At slow speeds, rotating the entire attack workbench might be +possible but rotating frames of reference quickly become inhospitable to human life\footnote{See Appendix +\label{sec_minimum_angular_velocity}}. Non-contact electromagnetic or optical attacks that do not require mechanical +contact are more limited in the first place and can be shielded, so we have effectively forced the attacker to make an +attack robot. \subsection{Contributions} This work contains the following contributions: @@ -256,14 +253,19 @@ From this, we can make a few observations. \label{fig_schema_one_axis} \end{figure} -In a rotating reference frame, at any point the centrifugal force is proportional to the square of the angular frequency -and linearly proportional to the distance from the axis of rotation. We can exploit this fact to create a sensor that -detects any disturbance of the rotation by simply placing a linear accelerometer at some distance to the axis of -rotation. During constant rotation, the linear acceleration tangential to the rotation will be zero. The centrifugal -force is orthogonal to this, and will be constant as long as the angular velocity remains constant (assuming a fixed -axis of rotation). At high angular velocities, considerable forces can be created this way. This poses the engineering -challenge of preventing the whole thing from flying apart, but also creates an obstacle to any attacker trying to -manipulate the sensor. +In a rotating reference frame centrifugal force is proportional to the square of angular velocity and proportional to +distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the +rotation by simply placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, +both acceleration tangential to the rotation and along the axis of rotation will be zero. Centrifugal acceleration will +be constant. At high speeds, this acceleration may become very large. This poses the engineering challenge of preventing +the whole thing from flying apart, but also creates an obstacle to any attacker trying to manipulate the sensor. + +In Appendix \ref{sec_minimum_angular_velocity} we present some back-of-the-envelope calculations on minimum angular +velocity. We conclude that even at moderate speeds above $\SI{500}{rpm}$, an attack would have to be carried out using a +robot. In Appendix \ref{sec_degrees_of_freedom} we consider sensor configurations and we conclude that one three-axis +accelerometer each in the rotor and in the stator are a good baseline configuration. Other configurations such as one +using two two-axis accelerometers in the rotor are also possible. In general, the system will be more sensitive to +disturbances if we over-determine the system of equation determining its motion by using more sensors than necessary. \subsection{Payload mounting mechanisms} @@ -271,7 +273,8 @@ The simplest way to mount a stationary payload in a rotating security mesh is to This allows the payload to be mounted on a fixed rod threaded through this hollow shaft along with wires for power and data. The stationary rod and cables on the axis of rotation inside the hollow shaft are a weak spot of the system, but this weak spot can be alleviated through either careful construction or a second layer of rotating meshes with a -differnt axis of rotation. +different axis of rotation. Configurations that do not use a hollow-shaft motor are possible, but may require more +bearings to keep the stator from vibrating. \subsection{Rotating mesh power supply} @@ -289,6 +292,8 @@ There are several options to transfer power to the rotor from its stationary fra practical\footnote{See Appendix \ref{sec_energy_calculations}}. \end{enumerate} +% FIXME not prototype implementation here + \subsection{Payload cooling} In boundary-sensing HSMs, cooling of the processor inside is a serious issue since any air @@ -306,6 +311,8 @@ they are likely to be too expensive and have too short a life span for our appli needs to pass between payload and rotor are the occassional status report and a high-frequency heartbeat signal that acts as the alarm trigger, a simple optocoupler close to the axis of rotation is a good solution. +% FIXME note prototype implementation here + \section{Design space exploration} \subsection{Other modes of movement} @@ -322,12 +329,14 @@ rotation could be used. A single mesh would still suffice in this case, but when braking detection algorithm would have to superimpose both. \subsection{Means of power transmission} + Power transmission from payload to rotor is another point worth investigating. It may be possible to use some statically mounted permanent magnets with a coil integrated into the rotor's PCB as a low-power generator. While likely inefficient, this setup would be low-cost and would still suffice for the meager power requirements of the rotor's monitoring circuitry. \subsection{Other sensing modes} + Since the security requirement the primary tamper-detection barrier needs to measure up to are much more lenient in the rotating HSM concept than in traditional HSMs, other coarse sensing modes besides low-tech meshes may be attractive. One possibility that would also eliminate the need of any active circuitry on the rotor would be to print the inside of the @@ -337,12 +346,14 @@ measurements against a model of the rotor. Tampering by drilling holes or slots part or all of the pattern. Likewise, the speed of rotation can be deducted directly from a sequence of measurements. \subsection{Longevity} + A core issue with a mechanical HSM is component longevity. Save for dust and debris clogging up the system's mechanics the primary failure point are the bearings. A good partner for further development or even commercialization might be a manufacturer of industrial ducted fans as they are used e.g.\ in servers for cooling. Small industrial fans usually use BLDC motors and bearings specially optimized for longevity. \subsection{Transportation of an active device} + A rotating mass responds to torque not co-linear with its axis of rotation with a gyroscopic precession force. In practice, this means that moving a device containing a spun-up rotating HSM on its inside might induce significant forces on both the HSM (posing the danger of false alarms) and on the carrier of the device (potentially making handling @@ -350,6 +361,9 @@ challenging). This effect would have to be taken into account in a real-world de device is to be shipped by post or courier services after spin-up. \subsection{Hardware prototype} + +% FIXME expand & update below w/ hw proto findings + We are currently working on a hardware prototype that demonstrates the fundamental components of our concept. The prototype will be based on a security mesh made with a commercial printed circuit board manufacturing process. In our prototype we intend to use two commercially available hollow-shaft brushless DC (BLDC) motors originally intended for @@ -358,6 +372,7 @@ volume sufficient to house a small form factor PC ($\approx\SI{2}{\liter}$). \section{Attacks} \subsection{Attacks on the mesh} + There are two locations where one can attack a tamper-detection mesh. Either, the mesh itself can be tampered with. This includes bridging its traces to allow for a hole to be cut. The other option is to tamper with the monitoring circuit itself, to prevent a damaged mesh from triggering an alarm and causing the HSM to erase its contents. Attacks in both @@ -368,6 +383,7 @@ performed on an object rotating at high speed without a complex setup that rotat consider them to be practically infeasible outside of a well-funded, special-purpose laboratory. \subsection{Attacks on the alarm circuitry} + An electronic attack could also target the alarm circuitry inside the stationary payload, or the communication link between rotor and payload. The link can easily be proofed by using a cryptographically secured protocol along with a high-frequency heartbeat message. The alarm circuitry has to be designed such that it is entirely contained within the @@ -377,36 +393,34 @@ system against these is to employ adequate filtering of the incoming power suppl triggering an alarm in case extraordinary environmental variations are detected. \subsection{Fast and violent attacks} -A variation of the above attacks on the alarm circuitry would be an attack that attempts to simply destroy this -circuitry before the alarm can be acted upon. This type of attack might involve things such as a large hammer, or a gun. -Mitigations for this type of attack include putting the entire payload and monitoring circuit in a mechanically robust -enclosure and potting them, and linking all components of the alarm chain in such a way cryptographically and on a -protocol level that the destruction of any of its parts leads to the secrets being destroyed before an attack would be -able to probe them. An implication of this is that the electrical realization of the alarm signal up to its eventual -destination cannot be a simple active-high or active-low line, since neither can be considered fail-safe in this -scenario. + +A variation of the above attacks on the alarm circuitry would be an attack that +attempts to simply destroy this circuitry before the alarm can be acted upon using a tool like a large hammer or a gun. +Mitigations for this type of attack include potting the payload inside a mechanically robust enclosure. The alarm +signalling chain's integrity can be checked continuously using a cryptographic heartbeat protocol. A simple active-high +or active-low alarm signal cannot be considered fail-safe in this scenario. \subsection{Attacks on the rotation sensor} -An attacker trying to stop the rotor to tamper with the mesh may first try to deceive the rotation monitoring circuit -such that it misses the rotor being stopped. In a realization based on a commercial MEMS accelerometer, this attack -could take two forms: An electronic attack on the MEMS sensor, the monitoring microcontroller or the link in between, -and a physical attack on the MEMS sensor itself. The former would be no easier than an electronic attack that attempts -to bridge the mesh traces at the monitoring microcontroller. Thus, we consider it not to be practically feasible outside -of a laboratory built especially for this purpose. - -There are several options for the latter attack. A recent paper %FIXME -has shown that accelerometers respond to certain ultrasonic stimuli with bogus measurements. Since this primitive does -not, however, yield accurate control over these bogus measurements, we deem it to be impractical for our scenario. -Another possible attack scenario would be to somehow stop the rotating motion while subjecting the HSM to an external -linear motion. Given the low error margins in the measurements of commercial accelerometers we consider this attack -infeasible. A last type of attack might be to try to physically tamper with the accelerometer's sensing mechanism. MEMS + +An attacker may try to stop the rotor before tampering with the mesh. To succeed, they would need to fool the rotor's +MEMS accelerometer. An electronic attack on the sensor or the monitoring microcontroller would be no easier than +directly bridging the mesh traces and would not make sense. Physical attacks on the accelerometer are +possible\cite{trippel2017}, but in the authors' estimate are too hard to control to be practically useful. + +A possible attack scenario would be to instantly stop the rotating motion and accelerate the HSM linearly such that the +linear acceleration as measured equals the previous centrifugal acceleration. Since commercial accelerometers are very +precise we do not consider this type of attack feasible. + +A last type of attack might be to try to physically tamper with the accelerometer's sensing mechanism. MEMS accelerometers usually use a simple cantilever design, where a proof mass moves a cantilever whose precise position can be measured electronically. A possible way to attack such a device might be to first decapsulate it using laser ablation synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the moving MEMS parts in either liquid or gaseous form, locking them in place after hardening. This attack would require direct access to the accelerometer from the outside and can be prevented by mounting the accelerometer inside the -security envelope. This attack only works if the rate of rotation is constant and is trivially detectable if the rate of -rotation is set to change on a schedule. +security envelope. This attack only works if the rate of rotation and thus the accelerometer's readings are constant. +If the rate of rotation is set to change on a schedule, it is trivially detectable. + +% FIXME Appendix \ref{sec_degrees_of_freedom} \section{Prototype implementation} @@ -447,12 +461,8 @@ an energy output from the solar cell of $\SI{1}{\milli\watt}$. Assuming a $\SI{3 $\SI{300}{\micro\ampere}$ for our monitoring circuit. This is enough even with some conversion losses in the step-up converter boosing the solar cell's $\SI{0.6}{\volt}$ working voltage to the monitoring circuit's supply voltage. -\subsection{Minimum angular velocity} - -Let us determine a good target value for our rotating HSM's angular velocity. For simplicity, let us consider two types -of attacker. - -\subsubsection{Rotating human attacker} +\subsection{Minimum angular velocity: Rotating human attacker} +\label{sec_minimum_angular_velocity} An attacker might try to rotate along with the HSM to attack the security mesh without triggering the accelerometer. Let us pessimistically assume that the attacker has the axis of rotation running through their center of mass. The @@ -463,14 +473,41 @@ Wikipedia. Centrifugal acceleration is $a=\omega^2 r$. In our example this resul $\omega_\text{min} = \sqrt{\frac{a}{r}} = \sqrt{\frac{\SI{250}{\meter\per\second^2}}{\SI{100}{\milli\meter}}} \approx 16\frac{\pi}{\si{\second}} \approx 500 \text{rpm}$. -\subsubsection{Rotating robot attacker} +\subsection{Fooling the accelerometer} +\label{sec_degrees_of_freedom} + +Let us consider a general inertial HSM with one or more sensors that is attacked by an attacker. In this scenario, it is +reasonable to assume that the rotating parts of the HSM are rigidly coupled to one another and will stay that way: For +the attacker to decouple parts of the HSM (e.g. to remove one of its accelerometers from the PCB), the attacker would +already have to circumvent the rotor's security mesh. + +Assuming the HSM is stationary, a sensor on the rotating part will experience two significant accelerations: +\begin{enumerate} + \item Gravity $g = 9.8\frac{m}{s^2}$ + \item Centrifugal force $a_C=\omega^2 r$, in the order of $\SI{1000}{\meter\per\second^2}$ or $100 g$ +\end{enumerate} + +Due to the vast differences in both radius and angular velocity, we can neglegt any influence of the earth's rotation on +our system. + +In normal operation, the HSM is stationary ($\mathbf v=0$) and the HSM's motor is tuned to exactly counter-balance +friction so the rotor's angular velocity remains constant. As a rigid body, the rotor's motion is fully defined by its +rotation and translation. In total, this makes for six degrees of freedom. The three degrees of freedom of linear +translation we can measure directly with an accelerometer in the stationary part on the inside of the HSM. This +accelerometer could detect any rapid acceleration of the HSM's rotor. To measure rotation, we could mount a +gyroscope on the rotor to detect deceleration. The issue with this is that like other MEMS acceleration sensors, +commercial MEMS gyroscopes are vulnerable to drift and an attacker could slowly decelerate the rotor without being +detected. -An attacker might try to use a robot to attack the rotating mesh. +A linear accelerometer mounted on the rotor however is able to catch even this attack. Subtracting gravity, it could +determine both magnitude and direction of the centrifugal force, which is proportional to the square of angular velocity +and not its derivative. -\subsubsection{Fooling the accelerometer} +In summary, a single three-axis accelerometer on the rotor combined with a three-axis accelerometer in the stator would +be a good baseline configuration. \subsection{Patents and licensing} -During devlopment, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not +During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not find any mentions of similar concepts either in academic literature or in patents. Thus, we deem ourselves to be the inventors of this idea and we are fairly sure it is not covered by any patents or other restrictions at this point in time. -- cgit