1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
|
\documentclass[10pt,journal,a4paper]{IEEEtran}
\usepackage[english]{babel}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[
backend=biber,
style=numeric,
natbib=true,
url=false,
doi=true,
eprint=false
]{biblatex}
\addbibresource{rotohsm.bib}
\usepackage{amssymb,amsmath}
\usepackage{listings}
\usepackage{eurosym}
\usepackage{wasysym}
\usepackage{amsthm}
\usepackage{tabularx}
\usepackage{multirow}
\usepackage{multicol}
\usepackage{tikz}
\usepackage{mathtools}
\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil}
\DeclarePairedDelimiter{\paren}{(}{)}
\usetikzlibrary{arrows}
\usetikzlibrary{chains}
\usetikzlibrary{backgrounds}
\usetikzlibrary{calc}
\usetikzlibrary{decorations.markings}
\usetikzlibrary{decorations.pathreplacing}
\usetikzlibrary{fit}
\usetikzlibrary{patterns}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes}
\usepackage[binary-units]{siunitx}
\DeclareSIUnit{\baud}{Bd}
\DeclareSIUnit{\year}{a}
\usepackage{hyperref}
\usepackage{tabularx}
\usepackage{commath}
\usepackage{graphicx,color}
\usepackage{ccicons}
\usepackage{subcaption}
\usepackage{float}
\usepackage{footmisc}
\usepackage{array}
\usepackage[underline=false]{pgf-umlsd}
\usetikzlibrary{calc}
%\usepackage[pdftex]{graphicx,color}
\usepackage{epstopdf}
\usepackage{pdfpages}
\usepackage{minted} % pygmentized source code
\renewcommand{\floatpagefraction}{.8}
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
\usepackage{fancyhdr}
\fancyhf{}
\fancyfoot[C]{\thepage}
\newcommand{\includenotebook}[2]{
\fancyhead[C]{Included Jupyter notebook: #1}
\includepdf[pages=1,
pagecommand={\thispagestyle{fancy}\section{#1}\label{#2_notebook}}
]{resources/#2.pdf}
\includepdf[pages=2-,
pagecommand={\thispagestyle{fancy}}
]{resources/#2.pdf}
}
\begin{document}
\title{Can't Touch This: Inerial HSMs Thwart Advanced Physical Attacks}
\author{Jan Götte}
\date{2020-12-20}
\maketitle
\section*{Abstract}
In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules (iHSMs).
Conventional systems have in common that they try to detect attacks by crafting sensors responding to increasingly
minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce the
sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by
rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop
the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to a HSM that
can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is
comparable to commercial HSMs. By building prototype hardware we have demonstrated solutions to the concept's
engineering challenges.
\section{Introduction}
While information security technology has matured a great deal in the last half century, physical security has barely
changed. Given the right skills, physical access to a computer still often means full compromise. The physical
security of modern server hardware hinges on what lock you put on the room it is in.
Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid
switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between
physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key
infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic
co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of
trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured
TPM~\cite{newman2020,frazelle2019,johnson2018}.
Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure
them against tampering is a good engineering solution for some years to come. However, in essence this is a type of
security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern
ICs~\cite{albartus2020,anderson2020}.
HSMs rely on a fragile foil with much larger-scale conductive traces being hard to remove intact. While we are certain
that there still are many insights to be gained in both technologies, we wish to introduce a novel approach to sidestep
the manufacturing issues of both and provide radically better security against physical attacks. Our core observation
is that any cheap but coarse HSM technology can be made much more difficult to attack by moving it very quickly.
For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set
by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue,
solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual
defenses the HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high speed. How
would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the
accelerometer---or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow
speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become
inhospitable to human life (see Appendix~\ref{sec_minimum_angular_velocity}). Since non-contact electromagnetic or
optical attacks are more limited in the first place and can be shielded, we have effectively forced the attacker to use
an attack robot.
This work contains the following contributions:
\begin{enumerate}
\item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective small-scale production of
highly secure HSMs.
\item We discuss possible boundary sensing modes for inertial HSMs.
\item We explore the design space of our inertial HSM concept.
\item We present our work on a prototype inertial HSM.
% FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack.
\end{enumerate}
In Section~\ref{sec_related_work}, we will give an overview of the state of the art in the physical security of HSMs. On
this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach. We
will analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a prototype system that
we will illustrate in Section~\ref{sec_proto}. We conclude this paper with a general evaluation of our design in
Section~\ref{sec_conclusion}.
\section{Related work}
\label{sec_related_work}
% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion
% beyond ultrasound.
In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper
detection.
HSMs are an old technology tracing back decades in their electronic realization. Today's common approach of monitoring
meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security
problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019,
anderson2020}. There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic
radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research
has found widespread adoption yet.
In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM
4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard
construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical
security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature and radiation
sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional
construction of a flexible mesh wrapped around the module's core. In~\cite{smith1998}, the authors state the module
monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and
construction is similar to other commercial offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
In~\cite{immler2019}, Immler et al. describe a HSM based on precise capacitance measurements of a mesh. In contrast to
traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example).
Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in
covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A
core component of their design is that they propose its use as a PUF to allow for protection even when powered off,
similar to a smart card---but the design is not limited to this use.
In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based
around commodity Wifi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference
signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections
and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that
the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the
volume of the cavity will cause a significant change in its RF response. The core idea in~\cite{tobisch2020} is to use
commodity Wifi hardware to reduce the cost of the HSM's sensing circuitry. The resulting system is likely both much
cheaper and capable of protecting a much larger security envelope than e.g. the design from~\cite{immler2019}, at the
cost of worse and less predictable security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation,
Vrijaldenhoven in~\cite{vrijaldenhoven2004} uses ultrasound waves travelling on a surface acoustic wave (SAW) device to
a similar end.
While~\cite{tobisch2020} approach the sensing frontend cost as their only optimization target, the prior work of Kreft
and Adi~\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume barely larger than a
single chip. They theorize how an array of distributed RF transceivers can measure the physical properties of a potting
compound that has been loaded with RF-reflective grains. In their concept, the RF response characterized by these
transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains within the potting
compound.
To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a
hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security
barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture
these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap
low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The
closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that
describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled
with pressurized gas.
\section{Inertial HSM construction and operation}
\label{sec_ihsm_construction}
Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and is
routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first to
use it in tamper detection. If we consider different ways of moving an HSM to make it harder to tamper with, we find
that making it spin has several advantages.
First, the HSM has to move fairly fast. If any point of the HSM's tamper sensing mesh moves slow enough for a human to
follow, it becomes a weak spot. E.g.\ in a linear pendulum motion, the pendulum becomes stationary at its apex. Second,
a spinning HSM is compact compared to alternatives like an HSM on wheels. Finally, rotation leads to easily predictable
accelerometer measurements. A beneficial side-effect of spinning the HSM is that if the axis of rotation is within the
HSM itself, an attacker trying to follow the motion would have to rotate around the same axis. Their tangential linear
velocity would rise linearly with the radius from the axis of rotation, which allows us to limit the approximate maximum
size and mass of an attacker using an assumption on tolerable centrifugal force (see Appendix
\ref{sec_minimum_angular_velocity}). In this consideration the axis of rotation is a weak spot, but that can be
mitigated using multiple nested layers of protection.
\begin{figure}
\center
\includegraphics{concept_vis_one_axis.pdf}
\caption{Concept of a simple spinning inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 -
Accelerometer. 5 - Shaft penetrating security mesh.}
\label{fig_schema_one_axis}
\end{figure}
In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to
distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the
rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, after
subtracting gravity both acceleration tangential to the rotation and along the axis of rotation will be zero.
Centrifugal acceleration will be constant.
Large centrifugal acceleration at high speeds poses the engineering challenge of preventing the whole thing from flying
apart, but it also creates an obstacle to any attacker trying to manipulate the sensor. We do not need to move the
entire contents of the HSM. It suffices if we move the tamper detection barrier around a stationary payload. This
reduces the moment of inertia of the moving part and it means we can use cables for payload power and data.
From our back-of-the-envelope calculation in Appendix \ref{sec_minimum_angular_velocity} we conclude that even at
moderate speeds above $\SI{500}{rpm}$, an attack would have to be carried out using a robot.
In Appendix \ref{sec_degrees_of_freedom} we consider sensor configurations and we conclude that one three-axis
accelerometer each in the rotor and in the stator are a good baseline configuration. In general, the system will be more
sensitive to attacks if we over-determine the system of equations describing its motion by using more sensors than
necessary.
\subsection{Mechanical layout}
Thinking about the concrete construction of our mechanical HSM, the first challenge is mounting both mesh and payload on
a single shaft. The simplest way we found to mount a stationary payload inside of a spinning security mesh is a hollow
shaft. The payload can be mounted on a fixed rod threaded through this hollow shaft along with wires for power and
data. The shaft is a weak spot of the system, but this weak spot can be alleviated through either careful construction
or a second layer of rotating meshes with a different axis of rotation. Configurations that do not use a hollow-shaft
motor are possible, but may require additional bearings to keep the stator from vibrating.
The next design choice we have to make is the physical structure of the security mesh. The spinning mesh must be
designed to cover the entire surface of the payload, but compared to a traditional HSM it suffices if it sweeps over
every part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside
air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious
issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be
solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used
exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power.
Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum possible power dissipation
of the payload and unlocks much more powerful processing capabilities. In an evolution of our design, the spinning mesh
could even be designed to \emph{be} a cooling fan.
\subsection{Spinning mesh power and data transmission}
On the electrical side, the idea of a security mesh spinning at more than $\SI{500}{rpm}$ leaves us with a few
implementation challenges. Since the spinning mesh must be monitored for breaks or short circuits continuously, we need
both a power supply for the spinning monitoring circuit and a data link to the stator.
We found that a bright lamp shining at a rotating solar panel is a good starting point. In contrast to e.g.\ slip
rings, this setup is mechanically durable at high speeds and it also provides reasonable output power (see Appendix
\ref{sec_energy_calculations} for an estimation of power consumption). A battery may not provide a useful lifetime
without power-optimization. Likewise, an energy harvesting setup may not provide enough current to supply peak demand.
Since the monitoring circuit uses little current, power transfer efficiency is not important. On the other hand, cost
may be a concern in a production device. Here it may prove worthwhile to replace the solar cell setup with an extra
winding on the rotor of the BLDC motor driving the spinning mesh. This motor is likely to be a custom part, so adding
an extra winding is unlikely to increase cost significantly. More traditional inductive power transfer may also be an
option if it can be integrated into the mechanical design.
Besides power, the data link between spinning mesh and payload is critical to the HSM's design. This link is used to
transmit the occassional status report along with a low-latency alarm trigger (``heartbeat'') signal from mesh to payload.
As we will elaborate in Section~\ref{sec_proto} a simple infrared optical link turned out to be a good solution for this
purpose.
\section{Attacks}
\label{sec_attacks}
After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to
attack it. Fundamentally, attacks on an inertial HSM are the same as those on a traditional HSM since the tamper
detection mesh is the same. Only, in the inertial HSM any attack on the mesh has to be carried out while the mesh is
rotating, which for most types of attack will require some kind of CNC attack robot moving in sync with it.
\subsection{Attacks on the mesh}
There are two locations where one can attack a tamper-detection mesh. On one hand, the mesh itself can be tampered with.
This includes bridging its traces to allow for a hole to be cut. The other option is to tamper with the monitoring
circuit itself to prevent a damaged mesh from triggering an alarm and causing the HSM to erase its
contents~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e. they require electrical contact to
parts of the circuit. Traditionally, this contact is made by soldering or by placing a probe such as a thin needle. We
consider this contact infeasible to be performed on an object spinning at high speed without a complex setup that
rotates along with the object or that involves ion beams, electron beams or liquids. Thus, we consider them to be
practically infeasible outside of a well-funded, special-purpose laboratory.
\subsection{Attacks on the rotation sensor}
Instead of attacking the mesh in motion, an attacker may also try to first stop the rotor. To succeed, they would need
to fool the rotor's MEMS accelerometer. An electronic attack on the sensor or the monitoring microcontroller would be no
easier than directly bridging the mesh traces.
MEMS accelerometers usually use a cantilever design, where a proof mass moves a cantilever whose precise position can be
measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these
mechanics~\cite{trippel2017}. In the authors' estimate these attacks are too hard to control to be practically useful
against an inertial HSM.
A possible way to attack the accelerometer inside an inertial HSM may be to first decapsulate it using laser ablation
synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the
moving MEMS parts, locking them in place. To mitigate this type of attack the accelerometer should be mounted in a
shielded place inside the security envelope. Further, this attack can only work if the rate of rotation and thus the
expected accelerometer readings are constant. If the rate of rotation is set to vary over time this type of attack is
quickly detected. In Appendix \ref{sec_degrees_of_freedom} we outline the constraints on sensor placement.
\subsection{Attacks on the alarm circuitry}
Besides trying to deactivate the tamper detection mesh, an electronic attack could also target the alarm circuitry
inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a
cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat
message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope.
Like in conventional HSMs it has to be built to either tolerate or detect environmental attacks such as ones using
temperature, ionizing radiation, lasers, supply voltage variations, ultrasound or other vibration and gases or liquids.
Conventionally, incoming power rails are filtered thoroughly to prevent electrical attacks and other types of attacks
are prevented by sensors that thrigger an alarm.
In an inertial HSM, the mesh monitoring circuit's tamper alarm is transmitted from rotor to stator through a wireless
link. Since an attacker may wirelessly spoof this link, it must be cryptographically secured. It also must be
bidirectional to allow the alarm signal receiver to verify link latency: If it were unidirectional, an attacker could
act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed
(say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary
deviations in the transmitter's local clock frequency. Thus, after some time the attacker can simply stop the rotor and
break the mesh while replaying the leftover recorded ``no alarm'' signal. Given the frequency stability of commercial
crystals, this would yield the attacker several seconds of undisturbed attack time per hour of recording time.
\subsection{Fast and violent attacks}
A variation of the above attacks on the alarm circuitry is to simply destroy the part of the HSM that erases data in
response to tampering before it can finish its job. This attack could use a tool such as a large hammer or a gun.
Mitigations for this type of attack include potting the payload inside a mechanically robust enclosure. Additionally,
the integrity of the entire alarm signalling chain can be checked continuously using a cryptographic heartbeat protocol.
A simple active-high or active-low alarm signal as it is used in traditional HSMs cannot be considered fail-safe in this
scenario as such an attack may well short-circuit or break PCB traces.
\section{Prototype implementation}
\label{sec_proto}
After elaborating the design principles of inertial HSMs and researching potential attack vectors we have validated
these theoretical studies by implementing a prototype rotary HSM. The main engineering challenges we solved in our
prototype are:
\begin{enumerate}
\item Fundamental mechanical design suitable for rapid prototyping that can withstand a rotation of $\SI{500}{rpm}$.
\item Automatic generation of security mesh PCB layouts for quick adaption to new form factors.
\item Non-contact power transmission from stator to rotor.
\item Non-contact bidirectional data communication between stator and rotor.
\end{enumerate}
\subsection{Mechanical design}
We sized our prototype to have space for up to two full-size Raspberry Pi boards. Each one of these boards is already
more powerful than an ordinary HSM, but they are small enough to simplify our prototype's design. For low-cost
prototyping we designed our prototype to use printed circuit boards as its main structural material. The interlocking
parts were designed in FreeCAD as shown in Figure \ref{proto_3d_design}. The mechanical designs were exported to KiCAD
for electrical design before being sent to a commercial PCB manufacturer. Rotor and stator are built from interlocking,
soldered PCBs. The components are mounted to a $\SI{6}{\milli\meter}$ brass tube using FDM 3D printed flanges. The rotor
is driven by a small hobby quadcopter motor.
Security is provided by a PCB security mesh enveloping the entire system and extending to within a few millimeters of
the shaft. For security it is not necessary to cover the entire circumference of the module with mesh, so we opted to
use only three narrow longitudinal struts to save weight.
To mount the entire HSM, we chose to use ``2020'' modular aluminium profile.
\begin{figure}
\center
\includegraphics[height=7cm]{proto_3d_design.jpg}
\caption{The 3D CAD design of the prototype.}
\label{proto_3d_design}
\end{figure}
\subsection{PCB security mesh generation}
The security mesh covers a total of five interlocking PCBs. A sixth PCB contains the monitoring circuit and connects to
these mesh PCBs. To allow us to quickly iterate our design without manually re-routing several large security meshes
for every mechanical chage we wrote a plugin for the KiCAD EDA suite that automatically generates parametrized security
meshes. When KiCAD is used in conjunction with FreeCAD through FreeCAD's KiCAD StepUp plugin, this ends up in an
efficient toolchain from mechanical CAD design to security mesh PCB gerber files. The mesh generation plugin can be
found at its website\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. The meshes it produces have a
practical level of security in our application.
The mesh generation process starts by overlaying a grid on the target area. It then produces a randomized tree covering
this grid. The individual mesh traces are then traced along a depth-first search through this tree. A visualization of
the steps is shown in Figure \ref{mesh_gen_viz}. A sample of the production results from our prototype is shown in
Figure \ref{mesh_gen_sample}.
\begin{figure}
\center
\includegraphics[width=9cm]{mesh_gen_viz.pdf}
\caption{Overview of the automatic security mesh generation process. 1 - the blob is the example target area. 2 - A
grid is overlayed. 3 - Grid cells outside of the target area are removed. 4 - A random tree covering the remaining
cells is generated. 5 - The mesh traces are traced along a depth-first walk of the tree. 6 - Result.}
\label{mesh_gen_viz}
\end{figure}
\begin{figure}
\center
\includegraphics[width=6cm]{mesh_scan_crop.jpg}
\caption{A section of the security mesh PCB we produced with our toolchain for the prototype HSM.}
\label{mesh_gen_sample}
\end{figure}
\subsection{Data transmission through rotating joint}
With the mesh done, the next engineering challenge was the mesh monitoring data link between rotor and stator. As a
baseline solution, we settled on a $\SI{115}{\kilo\baud}$ UART signal sent through a simple bidirectional infrared link.
In the transmitter, the UART TX line on-off modulates a $\SI{920}{\nano\meter}$ IR LED through a common-emitter driver
transistor. In the receiver, an IR PIN photodiode reverse-biased to $\frac{1}{2}V_\text{CC}$ is connected to a
reasonably wideband transimpedance amplifier (TIA) with a $\SI{100}{\kilo\ohm}$ transimpedance. As shown in Figure
\ref{photolink_schematic}, the output of this TIA is fed through another $G=100$ amplifier whose output is then squared
up by a comparator. We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current
consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a
useful transimpedance in the photodiode-facing TIA stage.
To reduce the requirements on power transmission to the rotor, we have tried to reduce power consumption of the
rotor-side receiver/transmitter pair trading off stator-side power consumption. One part of this is that we use
a wide-angle photodiode and IR LED on the stator, but use narrow-angle components on the rotor. The two rx/tx pairs are
arranged next to the motor on opposite sides. By placing the narrow-angle rotor rx/tx components on the outside as
shown in Figure \ref{ir_tx_schema}, the motor shields both IR links from crosstalk. The rotor transmitter LED is
driven at $\SI{1}{\milli\ampere}$ while the stator transmitter LED is driven at $\SI{20}{\milli\ampere}$.
\begin{figure}
\center
\includegraphics{ir_tx_schema.pdf}
\caption{Schema of our bidirectional IR communication link between rotor and stator, view along axis of rotation. 1
- Rotor base PCB. 2 - Stator IR link PCB. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.}
\label{ir_tx_schema}
\end{figure}
\begin{figure}
\center
\includegraphics[width=9cm]{photolink_schematic.pdf}
\caption{Schematic of the IR communication link. Component values are only examples. In particular C2 depends highly
on the photodiode used and stray capacitances due to the component layout.}
\label{photolink_schematic}
\end{figure}
\subsection{Power transmission through rotating joint}
Besides the data link, the other electrical interface we need between rotor and stator is for power transmission. We
power Since this prototype serves only demonstration purposes, we chose to use the simplest possible method of power
transmission: solar cells. We mounted six series-connected solar cells in three commercially available modules on the
circular PCB at the end of our cylindrical rotor. The solar cells direclty feed the rotor's logic supply with buffering
by a large $\SI{33}{\micro\farad}$ ceramic capacitor. With six cells in series, they provide around $\SI{3.0}{\volt}$ at
several tens of $\si{\milli\ampere}$ given sufficient illumination.
For simplicity and weight reduction, at this point we chose to forego large buffer capacitors on the rotor. This means
variations in solar cell illumination directly couple into the microcontroller's supply rail. Initially, we experimented
with regular residential LED light bulbs, but those turned out to have too much flicker and lead to our microcontroller
frequently rebooting. Trials using an incandecent light produced a stable supply, but the large amount of infrared light
emitted by the incandecent light bulb severely disturbed our near-infrared communication link. As a consequence of
this, we settled on a small LED light intended for use as a studio light that provdided us with almost flicker-free
light at lower frequencies, leading to a sufficiently stable microcontroller VCC rail without any disturbance to the IR
link.
\subsection{Evaluation}
After building our prototype inertial HSM according to the design decisions we outlined above, we performed a series of
experiments to validate the critical components of the design.
During these experiments, our prototype performed as intended. Both power and data transmission through the rotating
joint were working reliably. Figure \ref{prototype_early_comms} shows our prototype performing reliably at maximum speed
for the first time. Our improvised IR link is open in both directions for about $\SI{60}{\degree}$ of the rotation,
which allows us to reliably transfer several tens of bytes in each direction during the receivers' fly-by even at high
speed of rotation. As a result of our prototype experiments, we consider a larger-scale implementation of the inertial
HSM concept practical.
\begin{figure}
\center
\includegraphics[width=8cm]{prototype_early_comms_small.jpg}
\caption{The protoype when we first achieved reliable power transfer and bidirectional communication between stator
and rotor. In the picture, the prototype was communicating reliably up to the maximum $\approx\SI{1500}{rpm}$ that
we could get out of its hobby quadcopter parts.}
\label{prototype_early_comms}
\end{figure}
\section{Conclusion}
\label{sec_conclusion} To conclude, in this paper we introduced inertial hardware security modules (iHSMs), a
novel concept for the construction of highly secure hardware security modules from inexpensive, commonly available
parts. We elaborated the engineering considerations underlying a practical implementation of this concept. We
implemented a prototype demonstrating practical solutions to the significant engineering challenges of this concept. We
analyzed the concept for its security properties and highlighted its ability to significantly strengthen otherwise weak
tamper detection barriers.
Inertial HSMs offer a high level of security beyond what traditional techniques can offer. They allow the construction
of devices secure against a wide range of practical attacks at prototype quantities and without specialized tools. We
hope that this simple construction will stimulate academic research into secure hardware.
\printbibliography[heading=bibintoc]
\appendix
\subsection{Spinning mesh energy calculations}
\label{sec_energy_calculations}
Assume that the spinning mesh sensor should send its tamper status to the static monitoring circuit at least once every
$T_\text{tx} = \SI{10}{\milli\second}$. At $\SI{100}{\kilo\baud}$ a transmission of a one-byte message in standard UART
framing would take $\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF
transmitter that requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of
$\SI{100}{\micro\ampere}$. Reserving another $\SI{100}{\micro\ampere}$ for the monitoring circuit itself we arrive at an
energy consumption of $\SI{1.7}{\ampere\hour\per\year}$.
\subsubsection{Battery power}
\label{sec_energy_calculations_battery}
The annual energy consumption we calculated above is about equivalent to the capacity of a single CR123A
lithium primary cell. Using several such cells or optimizing power consumption would thus easily yield several years of
battery life.
\subsubsection{LED and solar cell}
\label{sec_energy_calculations_led}
Let us assume an LED with a light output of $\SI{1}{W}$ illuminating a small solar cell. Let us pessimistically assume a
$\SI{5}{\percent}$ conversion efficiency in the solar cell. Let us assume that when the rotor is at its optimal
rotational angle, $\SI{20}{\percent}$ of the LED's light output couple into the solar cell. Let us assume that we loose
another $\SI{90}{\percent}$ of light output on average during one rotation when the rotor is in motion. This results in
an energy output from the solar cell of $\SI{1}{\milli\watt}$. Assuming a $\SI{3.3}{\volt}$ supply this yields
$\SI{300}{\micro\ampere}$ for our monitoring circuit. This is enough even with some conversion losses in the step-up
converter boosing the solar cell's $\SI{0.6}{\volt}$ working voltage to the monitoring circuit's supply voltage.
\subsection{Minimum angular velocity: Rotating human attacker}
\label{sec_minimum_angular_velocity}
An attacker might try to rotate along with the HSM to attack the security mesh without triggering the accelerometer. Let
us pessimistically assume that the attacker has the axis of rotation running through their center of mass. The
attacker's body is probably at least $\SI{200}{\milli\meter}$ wide along its shortest axis, resulting in a minimum
radius from axis of rotation to surface of about $\SI{100}{\milli\meter}$. We choose $\SI{250}{\meter\per\second^2}$ as
an arbitrary acceleration well past the range tolerable by humans according to Wikipedia. Centrifugal acceleration is
$a=\omega^2 r$. In our example this results in a minimum angular velocity of $\omega_\text{min} = \sqrt{\frac{a}{r}} =
\sqrt{\frac{\SI{250}{\meter\per\second^2}}{\SI{100}{\milli\meter}}} \approx 8\cdot 2\pi\frac{1}{\si{\second}} \approx 500
\text{rpm}$.
\subsection{Fooling the accelerometer}
\label{sec_degrees_of_freedom}
Let us consider a general inertial HSM with one or more sensors that is attacked by an attacker. In this scenario, it is
reasonable to assume that the rotating parts of the HSM are rigidly coupled to one another and will stay that way: For
the attacker to decouple parts of the HSM (e.g. to remove one of its accelerometers from the PCB), the attacker would
already have to circumvent the rotor's security mesh.
Assuming the HSM is stationary, a sensor on the rotating part will experience two significant accelerations:
\begin{enumerate}
\item Gravity $g = 9.8\frac{m}{s^2}$
\item Centrifugal force $a_C=\omega^2 r$, in the order of $\SI{1000}{\meter\per\second^2}$ or $100 g$ at
$r=\SI{100}{\milli\meter}$ and $\SI{1000}{rpm}$
\end{enumerate}
Due to the vast differences in both radius and angular velocity, we can neglegt any influence of the earth's rotation on
our system.
In normal operation, the HSM is stationary ($\mathbf v=0$) and the HSM's motor is tuned to exactly counter-balance
friction so the rotor's angular velocity remains constant. As a rigid body, the rotor's motion is fully defined by its
rotation and translation. In total, this makes for six degrees of freedom. The three degrees of freedom of linear
translation we can measure directly with an accelerometer in the stationary part on the inside of the HSM. This
accelerometer could detect any rapid acceleration of the HSM's rotor. To measure rotation, we could mount a
gyroscope on the rotor to detect deceleration. The issue with this is that like other MEMS acceleration sensors,
commercial MEMS gyroscopes are vulnerable to drift and an attacker could slowly decelerate the rotor without being
detected.
A linear accelerometer mounted on the rotor however is able to catch even this attack. Subtracting gravity, it could
determine both magnitude and direction of the centrifugal force, which is proportional to the square of angular velocity
and not its derivative.
In summary, a single three-axis accelerometer on the rotor combined with a three-axis accelerometer in the stator would
be a good baseline configuration.
\subsection{Patents and licensing}
During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not
find any mentions of similar concepts either in academic literature or in patents. Thus, we are likely the inventors of
this idea and we are fairly sure it is not covered by any patents or other restrictions at this point in time.
Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are
already commercially available, we have decided against applying for a patent and we wish to make it available to the
general public without any restrictions on its use. This paper itself is licensed CC-BY-SA (see below). As for the
inertial HSM concept, we invite you to use it as you wish and to base your own work on our publications without any fees
or commercial restrictions. Where possible, we ask you to cite this paper and attribute the inertial HSM concept to its
authors.
\center{
\center{\ccbysa}
\center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The
full text of the license can be found at:}
\center{\url{https://creativecommons.org/licenses/by-sa/4.0/}}
\center{For alternative licensing options, source files, questions or comments please contact the authors.}
\center{This is version \texttt{\input{version.tex}\unskip} generated on \today. The git repository can be found at:}
\center{\url{https://git.jaseg.de/rotohsm.git}}
}
\end{document}
|