From 2bed326dca70f04fe4e852431aeda18c52d77e45 Mon Sep 17 00:00:00 2001 From: jaseg Date: Mon, 12 Jul 2021 17:50:22 +0200 Subject: Second proofreading --- paper/ihsm_paper.tex | 141 +++++++++++++++++++++++++++------------------------ 1 file changed, 75 insertions(+), 66 deletions(-) (limited to 'paper/ihsm_paper.tex') diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex index 074448c..de94ea2 100644 --- a/paper/ihsm_paper.tex +++ b/paper/ihsm_paper.tex @@ -222,7 +222,8 @@ The core questions in the design of an inertial HSM are the following: \item The \textbf{mechanical layout} of the system. \end{enumerate} -We will approach these questions one by one in the following subsections. +We will approach these questions one by one in the following subsections and conclude this section with an exploration +of the practical implications that these aspects of IHSM construction have on IHSM operation. \subsection{Inertial HSM motion} \label{sec_ihsm_motion} @@ -364,10 +365,10 @@ heatsink with its fan running has a thermal resistance from CPU junction to air $\SI{0.1}{\kelvin\per\watt}$~\cite{anandtech2015}. If one were to make an HSM's security mesh out of an average thermally conductive epoxy with thermal conductivity $k\approx\SI{1}{\watt\per\meter\kelvin}$~\cite{kordyban1998,shabany2009,mgchemicals2017}, the resulting thermal -resistance for a 5-by-5 centimeter, $\SI{5}{\milli\meter}$ thermal interface alone would $\SI{2}{\kelvin\per\watt}$, a -more than 10-fold increase. For an acceptable temperature delta from junction to air of $\SI{60}{\kelvin}$ this yields a -maximum power dissipation of only $\SI{30}{\watt}$ compared to a theoretical $\SI{600}{\watt}$ for a conventional CPU -cooler. Given that for modern high core-count CPUs, both multithreaded performance and power dissipation are mostly +resistance for a 5-by-5 centimeter, $\SI{5}{\milli\meter}$ thermal interface alone would be $\SI{2}{\kelvin\per\watt}$, +a more than 10-fold increase. For an acceptable temperature delta from junction to air of $\SI{60}{\kelvin}$ this yields +a maximum power dissipation of only $\SI{30}{\watt}$ compared to a theoretical $\SI{600}{\watt}$ for a conventional CPU +cooler. Given that for modern high core-count CPUs both multithreaded performance and power dissipation are mostly linear in core count, this severely limits the achievable performance. This estimated performance discrepancy matches up with our observation. Thales, a manufacturer of conventional HSMs @@ -379,17 +380,20 @@ to two orders of magnitude in computing power to be feasible in an IHSM compared \subsection{Long-term Operation} -Like with other HSMs, in a practical application an IHSM may have to run continuously for a decade or even longer. As -with any networked system, a setup including IHSMs must be designed in a way that the failure of a small number of IHSMs -does not compromise the system's security or reliability. Neither IHSMs nor traditional HSMs can withstand fire or -flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and erasure of data -cannot~\cite{heise2021ovh}. Traditionally, this problem is solved by storing all secrets in multiple, geographically -redundant HSMs~\cite{thales2015hsmha}. On IHSMs this task is aided on the software layer since they are based on -general-purpose computer hardware and for state-of-the-art database replication techniques to be applied without first -porting them to an embedded operating system or foreign CPU architecture. A practical example of this approach is a 2019 -technology demonstration~\cite{signal2019} created by the signal.org, the organization running the signal secure -messenger app. In this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019} inside -Intel SGX to replicate state between redundant instances. +Without settling on a particular design for an IHSM yet, from the previous sections we have already gained an +understanding of what an IHSM would look like in practice. In the following paragraphs we will draw some conclusions on +how its design will affect the day-to-day operation of an IHSM. +Like other HSMs, in a practical application an IHSM may have to run continuously for a decade or even longer. As with +any networked system, a setup including IHSMs must be designed in a way that prevents the failure of one or several +IHSMs on the network from compromising the whole system's security or reliability. Neither IHSMs nor traditional HSMs +can withstand fire or flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and +erasure of data cannot~\cite{heise2021ovh}. Traditionally, this problem is solved by storing all secrets in multiple, +geographically redundant HSMs~\cite{thales2015hsmha}. On IHSMs this task is aided on the software layer since they are +based on general-purpose computer hardware and allow for state-of-the-art database replication techniques to be applied +without first porting them to an embedded operating system or foreign CPU architecture. A practical example of this +approach is a 2019 technology demonstration~\cite{signal2019} created by the signal.org, the organization running the +signal secure messenger app. In this demonstration, signal.org have implemented the Raft consensus +algorithm~\cite{ongaro2019} inside Intel SGX to replicate state between redundant instances. Excluding natural disasters there are three main categories of challenges to an IHSM's longevity: Failure of components of the IHSM due to age and wear, failure of the external power supply and spurious triggering of the intrusion alarm by @@ -400,11 +404,11 @@ practical impact. The failure mode of an IHSM's components is the same as in any other computer system and the same generic mitigation techniques apply. The expected lifetime of electronic components can be increased by using higher-spec components and by reducing thermal, mechanical and electrical stress. To reduce vibration stress on both rotor and stator, the rotor must -be balanced. The main mechanical failure mode of an IHSM's is failure of the shaft bearings. By incorporating knowledge -from other rotating devices that have a long lifetime such as cooling fans, this failure mode can be mitigated. A final -noteworthy mechanical failure mode of an IHSM is dust buildup on the optical components of the communication link. This -failure mode can be mitigated by routing cooling airflow such that it does not go past the communication link's optical -components, as well as by filtering cooling air at the device's intakes. +be balanced. The main mechanical failure mode of an IHSM's is likely to be failure of the shaft bearings. By +incorporating knowledge from other rotating devices that have a long lifetime such as cooling fans, this failure mode +can be mitigated. Another noteworthy mechanical failure mode of an IHSM is dust buildup on the optical components of the +communication link. This failure mode can be mitigated by routing cooling airflow such that it does not go past the +communication link's optical components, as well as by filtering cooling air at the device's intakes. \paragraph{Power failure.} \label{sec-power-failure} @@ -418,7 +422,7 @@ integrated into its case. Conservatively assuming an average operating power con IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power an IHSM for 10 hours continuously. If a built-in battery is undesirable, or if power outages of more than a few seconds at a time are unlikely (e.g.\ because the IHSM is connected to an external UPS or generator), the IHSM's rotor itself -can be used as a flywheel for energy storage up to several seconds. +can be used as a flywheel for energy storage. \paragraph{Spurious alarms.} Even with all components working to their specification, an IHSM could still catastrophically fail if for some reason @@ -436,32 +440,35 @@ amplitude. This means that to reach a certain instantaneous acceleration, much m vibrating motion compared to lower frequencies. This observation interacts the second key point we want to note here: An ideal vibration damper works better with higher frequencies, and has a lower bound below which it does no longer damp vibration transmission~\cite{kelly1993,beards1996,dixon2007}. From these two observations it follows that if we -wish to reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal effectively by +wish to reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal efficiently by damping high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations large enough to cause a false alarm. -To put this into perspective, consider that at an angular frequency of $\SI{1000}{rpm}$, we can expect an IHSM's tamper -sensor to measure an acceleration of about $\SI{100}{g}$. Even the strongest earthquakes rarely reach a Peak Ground -Acceleration (PGA) of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest PGA measured during the 2011 Tohoku earthquake -was approximately $\SI{0.3}{g}$. Since earthquake vibrations are low-frequency and happen across a large geographic -area, they dissipate a tremendous amound of mechanical power despite this at first glance seemingly low absolute -acceleration. For the purposes of our tamper detection system, we can ignore them. As another point of reference, -consider a car crash. An acceleration above $\SI{10}{g}$ corresponds to a crash at roughly -$\SI{30}{\kilo\meter\per\hour}$~\cite{ika2002}. Thus, an IHSM's tamper detection subsystem will be able to clearly -distinguish attempts to stop the IHSM's rotation, producing approximately $\SI{100}{g}$ at $\SI{1000}{rpm}$. External -acceleration that would come close in order of magnitude to the operating centrifugal acceleration at the periphery of -an IHSM's rotor would likely destroy the IHSM. +To put this into perspective, consider an IHSM running at an angular frequency of $\SI{1000}{rpm}$. If the IHSM's tamper +sensor is mounted at a radius of $\SI{100}{\milli\meter}$ from the axis of rotation, it will measure a constant +acceleration of approximately $\SI{100}{g}$. Let us first compare this in magnitude to the effects of a car crash. +According to literature, accelerations above $\SI{10}{g}$ correspond to the acceleration a car's structural components +experience in a car crash at $\SI{30}{\kilo\meter\per\hour}$ and above~\cite{ika2002,german2007}. As another point of +reference, take the Peak Ground Acceleration (PGA) of a severe earthquake. Even the strongest earthquakes rarely reach a +PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest PGA measured during the 2011 Tohoku earthquake was approximately +$\SI{0.3}{g}$. As they happen across a large geographic area, an earthquake's low-frequency vibrations dissipate a +tremendous amount of mechanical power despite their at first glance low absolute acceleration. However, we can ignore +them for the purposes of our tamper detection system. + +From these comparisons we can conclude that an IHSM's tamper detection subsystem will be able to clearly distinguish +attempts to stop the IHSM's rotation. Any external acceleration that would come close in order of magnitude to the +operating centrifugal acceleration at the periphery of an IHSM's rotor would likely destroy the IHSM. \subsection{Transportation} While unintentional acceleration is unlikely to cause false alarms in an IHSM when simple vibration damping is employed, -there is an issue with intentionally moving an IHSM: The IHSM's rotor stores significant rotational energy and will +there is an issue when intentionally moving an IHSM: The IHSM's rotor stores significant rotational energy and will respond to tipping with a precession force. This could become an issue when a larger IHSM is transported between e.g.\ the manufacturer's premises and its destination data center. One solution to this problem is to transport the IHSM elastically mounted inside a shipping box that is weighted to resist precession forces. To reduce the amount of precession, the IHSM should be transported with its axis of rotation pointing upwards and its speed of rotation set to the lower end of the range permitted by the application's security requirements. The IHSM's software could allow for a -temporary ``shipping mode'' to be entered that could slow down the IHSM and increase the tamper sensing accelerometer's +temporary ``shipping mode'' to be entered that would slow down the IHSM and increase the tamper sensing accelerometer's thresholds. During shipping, the IHSM will require a continuous power supply. The most practical solution to this challenge is to @@ -474,12 +481,13 @@ manufacturer after the IHSM has been installed. \section{Attacks} \label{sec_attacks} -After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to -attack it. At the core of an IHSM's defenses is the same security mesh or other technology as it is used in traditional -HSMs. This means that ultimately an attacker will have to perform the same steps they would have to perform to attack a -traditional HSM. However, they will either need to perform these attack steps with a tool that follows the HSM's -rotation at high speed or they will first need to defeat the braking sensor. Attacking the IHSM in motion requires -specialized mechanical tools such as CNC actuators or for contactless attack a laser. +After outlining the basic mechanical design of an inertial HSM as well as the fundamentals of its long-term operation +above, in this section we will detail possible ways to attack it. At the core of an IHSM's defenses is the same security +mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to perform +the same steps they would have to perform to attack a traditional HSM. However, they will either need to perform these +attack steps with a tool that follows the HSM's rotation at high speed or they will first need to defeat the braking +sensor. Attacking the IHSM in motion requires specialized mechanical tools such as CNC actuators or for contactless +attack a laser. \subsection{Attacks that don't work} @@ -501,16 +509,16 @@ Detecting this change would require a resistance measurement of at least $\SI{9} temperature stability of the mesh material. The second way to attack a HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between -two mesh-equipped enclosure halves. This design in particular is vulnerable to attempts to stick a fine needle through -the interface between mesh lid and PCB. Conventional HSMs mitigate this weak spot by wrapping a patterned conductive -foil around the HSM that forms the security mesh, leaving only the corners and the payload's power and data +two halves of an enclosure~\cite{obermaier2019}. This design is vulnerable to attempts to stick a fine needle through +the interface between lid and PCB~\cite{dexter2015}. Conventional HSMs mitigate this weak spot by wrapping a patterned +conductive foil around the HSM that forms the security mesh, leaving only the corners and the payload's power and data feed-through as potential weak spots. The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An -attacker may need to insert several probes to wiretap the payload processor's secrets, but depending on its -implementation they may be able to disable the mesh alarm circuit with only one. To harden a conventional HSM against -this type of attack, the mesh monitoring circuit must be carefully designed to avoid single points of failure as well as -any fail-open failure modes. +attacker may need to insert several probes or modify the circuit to wiretap the payload processor's secrets, but +depending on its implementation they may be able to disable the mesh alarm circuit with only one or two probes. To +harden a conventional HSM against this type of attack, the mesh monitoring circuit must be carefully designed to avoid +single points of failure as well as any fail-open failure modes. \subsection{Attacks that work on any HSM} @@ -527,12 +535,12 @@ surface to the outside world, and by carefully vetting this remaining attack sur IHSMs do not provide an inherent benefit against such contactless attacks. However, there are two mitigating factors in play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using -more primitive technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and -are less space-constrained. This larger volume allows for a greater physical distance between security-critical -components from places accessible to an attacker using an electromagnetic side channel probe. By allowing the use of +simpler technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and are less +space-constrained. This larger volume allows for a greater physical distance between security-critical components and +places accessible to an attacker using an electromagnetic probe for EM side channel attacks. By allowing the use of conventional server hardware, IHSMs additionally enable the use of modern security techniques such as MMUs and -well-audited open source software such as OpenSSL that may be unavailable on the embedded processors found in -conventional HSMs. +well-audited open source software such as OpenSSL both of which may not be available on the smaller embedded processors +found in conventional HSMs. \subsection{The Swivel Chair Attack} \label{sec_swivel_chair_attack} @@ -588,17 +596,18 @@ attack a security mesh is infeasible given the degree of manual skill necessary \subsection{Mechanical weak spots} -The tamper defense of an IHSM rests on the security mesh moving too fast to tamper. Depending on the type of motion -used, the mesh's speed may vary by location and over time. Our example configuration of a rotating mesh can keep moving -continuously, so it does not have any time-dependent weak spots. It does, however, have a weak spot along its axis of -rotation, at the point where the shaft penetrates the mesh. The mesh's tangential velocity decreases close to the shaft, -and the shaft itself may allow an attacker to insert tools such as probes into the device through the opening it -creates. This issue is related to the issue conventional HSMs also face with their power and data connections. In -conventional HSMs, power and data are routed into the enclosure through the PCB or flat flex cables sandwiched in -between security mesh foil layers~\cite{smith1998}. In conventional HSMs this interface rarely is a mechanical weak -spot since they use a thin mesh substrate and create a meandering path by folding the interconnect substrate/security -mesh layers several times. In inertial HSMs, careful engineering is necessary to achieve the same effect. -Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity. +As we elaborated in the previous paragraphs, we consider a fast-moving mesh to offer a strong tamper detection +capability. This evaluation is based on the notion that the security mesh is moving too fast to tamper. However, +depending on the type of motion used, the mesh's actual speed may vary by location and over time. Our example +configuration of a rotating mesh can keep moving continuously, so it does not have any time-dependent weak spots. It +does, however, have a weak spot along its axis of rotation, at the point where the shaft penetrates the mesh. The mesh's +tangential velocity decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as +probes into the device through the opening it creates. This issue is related to the issue conventional HSMs also face +with their power and data connections. In conventional HSMs, power and data are routed into the enclosure through the +PCB or flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. In conventional HSMs this +interface rarely is a mechanical weak spot since they use a thin mesh substrate and create a meandering path by folding +the interconnect substrate/security mesh layers several times. In inertial HSMs, careful engineering is necessary to +achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity. \begin{figure} \begin{subfigure}[t]{0.3\textwidth} @@ -934,7 +943,7 @@ secure hardware. We have published all design artifacts of our PoC online, pleas details. The next steps towards a practical application of our design will be to design a manufacturable stator/rotor interface with inductive power and data transfer integrated into the motor's magnetics and a custom motor driver tuned for the application that is able to precisely measure both angular velocity and winding current for an added degree of -tamper detection. +tamper detection through the measurement of external forces acting on the rotor. \printbibliography[heading=bibintoc] -- cgit