\documentclass[12pt,a4paper]{article}
\usepackage[english]{babel}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[
  backend=biber,
  style=numeric,
  natbib=true,
  url=false,
  doi=true,
  eprint=false
]{biblatex}
\addbibresource{rotohsm.bib}
\usepackage{amssymb,amsmath}
\usepackage{listings}
\usepackage{eurosym}
\usepackage{wasysym}
\usepackage{amsthm}
\usepackage{tabularx}
\usepackage{multirow}
\usepackage{multicol}
\usepackage{tikz}
\usepackage{mathtools}
\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil}
\DeclarePairedDelimiter{\paren}{(}{)}
\usetikzlibrary{arrows}
\usetikzlibrary{chains}
\usetikzlibrary{backgrounds}
\usetikzlibrary{calc}
\usetikzlibrary{decorations.markings}
\usetikzlibrary{decorations.pathreplacing}
\usetikzlibrary{fit}
\usetikzlibrary{patterns}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes}
\usepackage[binary-units]{siunitx}
\DeclareSIUnit{\baud}{Bd}
\usepackage{hyperref}
\usepackage{tabularx}
\usepackage{commath}
\usepackage{graphicx,color}
\usepackage{ccicons}
\usepackage{subcaption}
\usepackage{float}
\usepackage{footmisc}
\usepackage{array}
\usepackage[underline=false]{pgf-umlsd}
\usetikzlibrary{calc}
%\usepackage[pdftex]{graphicx,color}
\usepackage{epstopdf}
\usepackage{pdfpages}
\usepackage{minted} % pygmentized source code

\renewcommand{\floatpagefraction}{.8}
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}

\usepackage{fancyhdr}
\fancyhf{}
\fancyfoot[C]{\thepage}

\newcommand{\includenotebook}[2]{
  \fancyhead[C]{Included Jupyter notebook: #1}
  \includepdf[pages=1,
    pagecommand={\thispagestyle{fancy}\section{#1}\label{#2_notebook}}
  ]{resources/#2.pdf}
  \includepdf[pages=2-,
    pagecommand={\thispagestyle{fancy}}
  ]{resources/#2.pdf}
}

\begin{document}

\title{A High-Security Physical Security Primitive Based On Mechanical Movement}
\author{Jan Götte}
\date{2020-09-15}
\maketitle

\section{Abstract}

In this paper, we introduce a novel, highly effective countermeasure against physical
attacks: Inertial hardware security modules. Conventional technology can be categorized into systems monitoring a thin boundary (such as security meshes) and systems monitoring the interior volume (such as the ``enclosure PUF'' of Tobisch et al.). What all of these systems have in common is that they try to detect attacks by crafting sensors responding to increasingly minute manipulations of the monitored medium. Our approach is novel in that we alleviate the sensitivity requirement of a security mesh by increasing the complexity of any manipulation at all by orders of magnitude: by rapidly rotating the security mesh, we present a moving target to an attacker. Attempts to modify the rotation itself are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet is as secure or more secure than even the best commercial offerings.

\section{Introduction}

Since the early days of computers, physical security has often been a core component of any computer system's security architecture. Physical security in fact predates our modern concept of computer security by decades. Long before passwords, access control lists, role-based authentication and other modern concepts of information security were developed, information was secured by physically locking away the computers that held it.

Nowadays, concerns of physical security are mostly limited to certain applications. Credit card processing and medical data processing are two instances where a combination of smartcards and hardware security modules is used to provide a higher level of security than what ordinary computers can provide. Meanwhile, in most commercial data processing applications, the physical security provided by an average datacenter is considered to be appropriate.

In modern systems, physical security is always tightly interwoven with the system's overall security architecture.
Beyond the level provided by locks and guards, it is generally considered infeasible to physically secure all parts of a computer. High-level physical security is usually limited to either a single chip or part of a chip such as a secure element, enclave or smartcard--or it is limited to a small module acting within a very limited scope, as is the case in commercial HSMs that largely act as cryptographic co-processors with built-in key management functions.

\subsection{Technical approaches to physical security}

The use of chips as secure elements has recently become popular beyond the smartcards of yesteryear. Apple has carried over a secure enclave IC from their line of phones into their line of laptops in 2016. Likewise, Google has developed its own security IC for use in phones and laptops. An issue to consider with all such IC-based security solutions is that they do not provide any cryptographic security. The real-world security of these solutions solely rests on the assumption that due to their fine structure, ICs are hard to reverse engineer and manipulate. As of now, this property holds, and in the authors' opinion it will likely remain a reasonable assumption for some years to come. However, in its essence this is a type of security by obscurity, where the obscurity mostly lies in the rarity of the tools necessary for practical attacks, such as focused ion beam workstations and the accompanying sample preparation equipment. An important observation in this regard is that several groups are already slowly chipping away at this obscurity: A group at Ruhr University Bochum is working on advanced tooling for netlist reverse engineering, and there are several companies offering commercial IC reverse engineering services.

\subsection{Hardware Security Modules}

At larger physical dimensions, hardware security modules (HSMs) provide an effective solution to the problem: In conformity with Kerckhoffs' principle, their creators do not try to hide the structure of the system within. Instead, the HSM monitors it for any manipulation and wipes all key material when one is detected.

The most common commercial realization of this is what we call a ``boundary-monitoring'' HSM. This is a device that uses a microcontroller to monitor the conductivity of usually two electrical traces that are folded many times to cover the entire area of a plastic enclosure part or a plastic foil wrapped around the module. The security problem thus gets transformed into a manufacturing challenge: How fine can these traces be made--so that they are disturbed by even the tiniest of holes, say for a fine needle; and how sensitive can they be made to perturbations--so that they break from even gentle attempts at mechanical, chemical or other physical manipulation.

The other type of HSM, which so far has garnered mostly academic interest, is what we call a ``volumetric'' HSM. Where a boundary-monitoring HSM senses disturbances to a thin boundary between its inside and the outside world, a volumetric HSM monitors its entire interior volume. Approaches that have been proposed so far include monitoring using electromagnetic radiation
% FIXME: citation (paper1 (this chip thing w/ distributed PAs/LNAs), paper2 (RUB)
and ultrasonic sensing.
% FIXME: citation
Common to both approaches is that for technical reasons the wavelength of the employed radiation is in the range of millimeters or larger. This implies that practical attacks acting on a smaller physical scale require sensitive monitoring circuitry to be reliably caught.
% FIXME maybe talk to a physicist here.

Since they require advanced transceivers and signal processing, these HSMs incur a high implementation cost compared to one based on a traditional security mesh, while they in turn promise to be easier and less expensive to scale in physical size.

A severe problem with any previous volumetric design is that its security analysis is very hard. While multiple designs have been proposed academically, none of these proposals include an analysis of their physical security properties that goes beyond guesswork.
% FIXME verify this.
The obvious reason for this is that evaluating the volume inside the HSM that is covered by a given transceiver combination and a given test signal pattern necessarily requires numerically solving the volumetric electromagnetic field equations inside the HSM, applying to the results a model of transmitter and receiver that takes into account receiver sensitivity and ADC resolution, transmitter power and receiver saturation effects, and then validating that every point in space (or at least inside a boundary region) is covered. While the guess that attacks are impractical might still be true, it would rest on the fact that the same problem presents itself to an attacker trying to circumvent these measures--degrading their security to simple obscurity again.

\subsection{A new approach to physical security}

We are certain that there is still much work to be done and many insights to be gained from further explorations of the two concepts described above. Trivially, consider a box with mirrored walls that, suspended on thin wires, contains a smaller box that has cameras looking outward in all directions at the mirrored walls. Given that the defender can control the lighting conditions inside this kaleidoscopic box, in this application modern cameras can be considered equivalent to or better than the human eye.
Thus, a successful physical attack on this system would likely require an ``invisibility cloak''--and the system would remain secure as long as no such thing exists. This example is a useful point of reference. To be viable, a HSM technology must be either smaller or more sensitive than such a setup.

The candidate we wish to introduce in this paper uses a novel approach to side-step the issues of both concepts introduced in the previous section and provides radically better security against physical attacks--both in theory and in practice. Our core observation is that given any less expensive but more coarse HSM technology, we can make it radically more difficult to attack by introducing fast mechanical motion.

As a trivial example, consider a HSM as it is used in e-commerce applications for credit card payments. Focusing on its main defense for simplicity, its physical security is limited by the structure size of the mesh that is likely used in its shell. If an attacker can tap the mesh's electrical traces and bridge across the mesh in a way the HSM cannot detect (e.g. by making sure the bridge has the same electrical impedance as the mesh traces, determined for instance by comparing against another device of the same type), they have circumvented the device's protections. Any such attack would likely involve some fine drill bits, needles, wires, glue, perhaps solder or even lasers.

Now consider the same HSM, but this time mounted on a large flywheel. In this scenario the HSM uses the same protections as before, but is now additionally equipped with an accelerometer that it uses to verify that it is in fact rotating at a very high speed. How would an attacker approach this HSM? They would have to either slow down the rotation (which would quickly be sensed by the accelerometer) or they would have to attack the moving HSM--the HSM literally becomes a moving target.
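As an added illustration of the tamper decision sketched in the flywheel scenario above (this is example code written for this text, not code from the paper or its prototype), the following C routine models the firmware loop of such a rotor-mounted HSM. It checks both mesh traces against their baseline resistance, checks that the gyroscope reports a rotation rate inside the expected band, and cross-checks gyroscope and accelerometer through the centripetal relation $a_c = \omega^2 r$ so that a failed or spoofed inertial sensor is caught as well. Every parameter (mesh resistance, rotor radius, rate limits, tolerances, the debounce count) and every sample value is a constructed assumption for the example, and the mapping of sensor readings to these fields is likewise assumed.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed design parameters for a hypothetical rotor; not from the paper. */
#define MESH_R_NOMINAL_OHM 1000.0 /* baseline resistance of each mesh trace */
#define MESH_R_TOLERANCE   0.02   /* 2 % deviation trips the mesh check */
#define ROTOR_RADIUS_M     0.03   /* accelerometer sits 3 cm from the spin axis */
#define OMEGA_MIN_RAD_S    30.0   /* slowest rotation rate still considered secure */
#define OMEGA_MAX_RAD_S    100.0  /* fastest rate the mechanics are rated for */
#define ACCEL_AGREE_TOL    0.20   /* allowed gyro-vs-accelerometer disagreement */
#define TRIP_SAMPLES       3      /* consecutive bad inertial samples before zeroizing */

typedef struct {
    double mesh_r[2];    /* measured resistance of the two mesh traces, ohm */
    double gyro_z;       /* rotation rate about the spin axis, rad/s */
    double accel_radial; /* centripetal acceleration at the rotor, m/s^2 */
} sample_t;

typedef enum { VERDICT_OK = 0, TAMPER_MESH, TAMPER_ROTATION, TAMPER_SENSOR } verdict_t;

typedef struct {
    uint8_t key[16];     /* secret material; constructed dummy value */
    int bad_streak;      /* consecutive inertial samples that failed a check */
    bool zeroized;
    verdict_t reason;
} hsm_state_t;

static double absd(double x) { return x < 0 ? -x : x; }

/* Classify one sample; a broken mesh is reported regardless of inertial data. */
verdict_t check_sample(const sample_t *s)
{
    for (int i = 0; i < 2; i++)
        if (absd(s->mesh_r[i] - MESH_R_NOMINAL_OHM) / MESH_R_NOMINAL_OHM > MESH_R_TOLERANCE)
            return TAMPER_MESH;
    double omega = absd(s->gyro_z);
    if (omega < OMEGA_MIN_RAD_S || omega > OMEGA_MAX_RAD_S)
        return TAMPER_ROTATION;
    /* Cross-check the inertial sensors: spin at omega on radius r produces
     * centripetal acceleration a_c = omega^2 * r. A gyro reporting spin while
     * the accelerometer sees none (or vice versa) means a faulty or spoofed sensor. */
    double expected = omega * omega * ROTOR_RADIUS_M;
    if (absd(s->accel_radial - expected) / expected > ACCEL_AGREE_TOL)
        return TAMPER_SENSOR;
    return VERDICT_OK;
}

void hsm_init(hsm_state_t *h)
{
    for (size_t i = 0; i < sizeof h->key; i++)
        h->key[i] = (uint8_t)(0xA0 + i); /* constructed dummy key */
    h->bad_streak = 0;
    h->zeroized = false;
    h->reason = VERDICT_OK;
}

/* Overwrite the key through a volatile pointer so the compiler cannot drop
 * the stores as dead writes. */
static void zeroize_key(hsm_state_t *h, verdict_t why)
{
    volatile uint8_t *p = h->key;
    for (size_t i = 0; i < sizeof h->key; i++)
        p[i] = 0;
    h->zeroized = true;
    h->reason = why;
}

/* Feed one sample to the tamper monitor and return its verdict. A mesh break
 * zeroizes at once; inertial faults must persist for TRIP_SAMPLES consecutive
 * samples, so one glitch is tolerated but a sustained slow-down still wipes. */
verdict_t hsm_step(hsm_state_t *h, const sample_t *s)
{
    if (h->zeroized)
        return h->reason;
    verdict_t v = check_sample(s);
    if (v == VERDICT_OK)
        h->bad_streak = 0;
    else if (v == TAMPER_MESH || ++h->bad_streak >= TRIP_SAMPLES)
        zeroize_key(h, v);
    return v;
}

/* Constructed samples: nominal spin at 50 rad/s gives a_c = 50^2 * 0.03 = 75 m/s^2. */
const sample_t SAMPLE_NOMINAL = { {1000.0, 1005.0}, 50.0, 75.0 };
const sample_t SAMPLE_SLOWED  = { {1000.0, 1005.0}, 20.0, 12.0 }; /* rotor braked */
const sample_t SAMPLE_SPOOFED = { {1000.0, 1005.0}, 50.0,  0.0 }; /* gyro spins, accelerometer still */
const sample_t SAMPLE_BRIDGED = { {1000.0, 1040.0}, 50.0, 75.0 }; /* mesh trace re-routed, 4 % off */

int main(void)
{
    hsm_state_t h;
    hsm_init(&h);
    hsm_step(&h, &SAMPLE_NOMINAL);
    for (int i = 0; i < TRIP_SAMPLES; i++)
        hsm_step(&h, &SAMPLE_SLOWED); /* sustained slow-down wipes the key */
    printf("reason %d, key zeroized: %s\n", (int)h.reason, h.zeroized ? "yes" : "no");
    return 0;
}
```

The design choice worth noting is the asymmetric response: a mesh break zeroizes on the first sample, whereas the inertial checks must fail on \texttt{TRIP\_SAMPLES} consecutive samples. This keeps a single sensor glitch from destroying the key, but it also bounds how long the rotor may be brought to a halt before the key is gone, so the debounce window must be short compared to any manipulation of the stopped module. The gyro-versus-accelerometer cross-check is what makes the rotation sensing robust against a single compromised or failed sensor; with only one inertial sensor, feeding it a plausible constant reading would suffice to mask a stopped rotor.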
While rotating the entire attack workbench might be possible for slow speeds, rotating frames of reference quickly become inhospitable to human life, and at some point the technical means to rotate a CNC attack robot probably weighing several kilograms become inconvenient as well. Contact-less EM or optical attacks are more limited in the first place, and can effectively be shielded.

\subsection{Contributions}

This work contains the following contributions:

\begin{enumerate}
  \item Presentation of the \emph{Inertial HSM} concept, allowing cost-effective prototype and small-scale production of highly secure HSMs.
  \item Discussion of possible boundary sensing modes in the inertial HSM model.
  \item Exploration of the design space of inertial HSMs.
  % FIXME
  \item Presentation of a prototype inertial HSM.
  % FIXME
  \item Measurement of the prototype HSM's susceptibility to various types of attack.
\end{enumerate}

\section{Related work}
% summaries of research papers on HSMs.
% I have not found any actual prior art on anything involving mechanical motion beyond ultrasound.

\section{The physics of hardware security}
% approaching the issue from measurable quantities

\section{Inertial HSMs}

\section{Future work}

\subsection{Other modes of movement}

\subsection{Multiple axes of rotation}

\subsection{Means of power transmission}

\subsection{Other sensing modes}

\subsection{Longevity}

\section{Hardware prototype}
% FIXME

\section{Conclusion}

\printbibliography[heading=bibintoc]

\appendix

\section{License}

{\center{
\begin{minipage}[t][10cm][b]{\textwidth}
  \center{\ccbysa}
  \center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The full text of the license can be found at:}
  \center{\url{https://creativecommons.org/licenses/by-sa/4.0/}}
  \center{For alternative licensing options, source files, questions or comments please contact the authors.}
  \center{This is version \texttt{\input{version.tex}\unskip} generated on \today.
  The git repository can be found at:}
  \center{\url{https://git.jaseg.de/rotohsm.git}}
\end{minipage}
}}

\end{document}