path: root/quick-tech-report/rotohsm_tech_report.tex
blob: f37b5724f2bf0067c78d5bff6389b126fbc58088 (plain)
\documentclass[12pt,a4paper]{article}
\usepackage[english]{babel}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[
    backend=biber,
    style=numeric,
    natbib=true,
    url=false, 
    doi=true,
    eprint=false
    ]{biblatex}
\addbibresource{rotohsm.bib}
\usepackage{amssymb,amsmath}
\usepackage{listings}
\usepackage{eurosym}
\usepackage{wasysym}
\usepackage{amsthm}
\usepackage{tabularx}
\usepackage{multirow}
\usepackage{multicol}
\usepackage{tikz}
\usepackage{mathtools}
\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil}
\DeclarePairedDelimiter{\paren}{(}{)}

\usetikzlibrary{arrows}
\usetikzlibrary{chains}
\usetikzlibrary{backgrounds}
\usetikzlibrary{calc}
\usetikzlibrary{decorations.markings}
\usetikzlibrary{decorations.pathreplacing}
\usetikzlibrary{fit}
\usetikzlibrary{patterns}  
\usetikzlibrary{positioning}
\usetikzlibrary{shapes}

\usepackage[binary-units]{siunitx}
\DeclareSIUnit{\baud}{Bd}
\usepackage{hyperref}
\usepackage{tabularx}
\usepackage{commath}
\usepackage{graphicx,color}
\usepackage{ccicons}
\usepackage{subcaption}
\usepackage{float}
\usepackage{footmisc}
\usepackage{array}
\usepackage[underline=false]{pgf-umlsd}
\usetikzlibrary{calc}
%\usepackage[pdftex]{graphicx,color}
\usepackage{epstopdf}
\usepackage{pdfpages}
\usepackage{minted} % pygmentized source code

\renewcommand{\floatpagefraction}{.8}
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}

\usepackage{fancyhdr}
\fancyhf{}
\fancyfoot[C]{\thepage}
\newcommand{\includenotebook}[2]{
    \fancyhead[C]{Included Jupyter notebook: #1}
    \includepdf[pages=1,
        pagecommand={\thispagestyle{fancy}\section{#1}\label{#2_notebook}}
        ]{resources/#2.pdf}
    \includepdf[pages=2-,
        pagecommand={\thispagestyle{fancy}}
        ]{resources/#2.pdf}
}

\begin{document}

\title{A High-Security Physical Security Primitive Based On Mechanical Movement}
\author{Jan Götte}
\date{2020-09-15}
\maketitle

\section{Abstract}
In this paper, we introduce a novel, highly effective countermeasure against physical attacks: inertial hardware
security modules. Conventional technology can be categorized into systems monitoring a thin boundary (such as
security meshes) and systems monitoring the interior volume (such as the ``enclosure PUF'' of Tobisch et al.). What all
of these systems have in common is that they try to detect attacks by crafting sensors that respond to increasingly
minute manipulations of the monitored medium. Our approach is novel in that we alleviate the sensitivity requirement of
a security mesh by increasing the complexity of any manipulation at all by orders of magnitude: we rapidly rotate the
security mesh, presenting a moving target to an attacker. Attempts to modify the rotation itself are easily monitored
with commercial MEMS accelerometers and gyroscopes.

Our approach leads to an HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet
is as secure as or more secure than even the best commercial offerings.

\section{Introduction}
Since the early days of computers, physical security has often been a core component of any computer system's security
architecture. Physical security in fact predates our modern concept of computer security by decades. Long before
passwords, access control lists, role-based authentication and other modern concepts of information security were
developed, information was secured by physically locking away the computers that held it.

Nowadays, concerns of physical security are mostly limited to certain applications. Credit card processing and medical
data processing are two instances where a combination of smartcards and hardware security modules is used to provide a
higher level of security than what ordinary computers can provide. Meanwhile, in most commercial data processing
applications, the physical security provided by an average datacenter is considered to be appropriate.

In modern systems, physical security is always tightly interwoven with the system's overall security architecture.
Beyond the level provided by locks and guards, it is generally considered infeasible to physically secure all parts of a
computer. High-level physical security is usually limited either to a single chip or part of a chip, such as a secure
element, enclave or smartcard, or to a small module acting within a very limited scope, as is the case in
commercial HSMs that largely act as cryptographic co-processors with built-in key management functions.

\subsection{Technical approaches to physical security}
The use of chips as secure elements has recently become popular beyond the smartcards of yesteryear. Apple carried
over a secure enclave IC from their line of phones into their line of laptops in 2016. Likewise, Google has developed
its own security IC for use in phones and laptops. An issue to consider with all such IC-based security solutions is
that they do not provide any cryptographic security. The real-world security of these solutions rests solely on the
assumption that, due to their fine structure, ICs are hard to reverse engineer and manipulate. As of now, this property
holds, and in the authors' opinion it will likely remain a reasonable assumption for some years to come. However, in its
essence this is a type of security by obscurity: the obscurity here lies mostly in the rarity of the tools that are
necessary for practical attacks, such as focused ion beam workstations and the accompanying sample preparation
equipment. An important observation in this regard is that several groups are already slowly chipping away at this
obscurity: a group at Ruhr University Bochum is working on advanced tooling for netlist reverse engineering, and
there are several companies offering commercial IC reverse engineering services.

\subsection{Hardware Security Modules}
At larger physical dimensions, hardware security modules (HSMs) provide an effective solution to the problem: in
conformity with Kerckhoffs's principle, their creators do not try to hide the structure of the system within. Instead,
the HSM monitors it for any manipulation and wipes all key material when one is detected. The most common commercial
realization of this is what we call a ``boundary-monitoring'' HSM. This is a device that uses a microcontroller to
monitor the conductivity of usually two electrical traces that are folded many times to cover the entire area of a
plastic enclosure part or of a plastic foil wrapped around the module. The security problem thus gets transformed into
a manufacturing challenge: how fine can these traces be made, so that they are disturbed by even the tiniest of holes
for, say, a fine needle; and how sensitive can they be made to perturbations, so that they break from even gentle
attempts at mechanical, chemical or other physical manipulation.

The other type of HSM, which so far has garnered mostly academic interest, is what we call a ``volumetric'' HSM. Where
a boundary-monitoring HSM senses disturbances to a thin boundary between its inside and the outside world, a
volumetric HSM monitors its entire interior volume. Approaches that have been proposed so far include monitoring using
electromagnetic radiation % FIXME: citation (paper1 (this chip thing w/ distributed PAs/LNAs), paper2 (RUB)
and ultrasonic sensing. % FIXME: citation
Common to both approaches is that, for technical reasons, the wavelength of the employed radiation is in the range of
millimeters or larger. This implies that practical attacks acting on a smaller physical scale require sensitive
monitoring circuitry to be reliably caught. % FIXME maybe talk to a physicist here.
Since they require advanced transceivers and signal processing, these HSMs incur a high implementation cost compared to
one based on a traditional security mesh, while in turn they promise to be easier and less expensive to scale in
physical size. A severe problem with all previous volumetric designs is that their security analysis is very hard. While
multiple designs have been proposed academically, none of these proposals includes an analysis of their physical
security properties that goes beyond guesswork. %FIXME verify this.
The obvious reason for this is that evaluating the volume inside the HSM that is covered by a given transceiver
combination and a given test signal pattern necessarily requires numerically solving the volumetric electromagnetic
field equations inside the HSM, applying to the results a model of transmitter and receiver that takes into account
receiver sensitivity and ADC resolution, transmitter power and receiver saturation effects, and then validating that
every point in space (or at least inside a boundary region) is covered. While the guess that attacks are impractical
might still be true, it would rest on the fact that the same problem presents itself to an attacker trying to
circumvent these measures, degrading their security to simple obscurity again.

\subsection{A new approach to physical security}
We are certain that there is still much work to be done and many insights to be gained from further explorations
of the two concepts described above. As a trivial illustration, consider a box with mirrored walls that, suspended on
thin wires, contains a smaller box with cameras looking outward in all directions at the mirrored walls. Given that the
defender can control the lighting conditions inside this kaleidoscopic box, in this application modern cameras can be
considered equivalent to or better than the human eye. Thus, a successful physical attack on this system would likely
require an ``invisibility cloak'', and the system would remain secure as long as no such thing exists. This example is
a useful point of reference: to be viable, an HSM technology must be either smaller or more sensitive than such a setup.

The candidate we wish to introduce in this paper uses a novel approach to side-step the issues of both the concepts
introduced in the previous section and provides radically better security against physical attacks--both in theory and
in practice.

Our core observation is that given any less expensive but coarser HSM technology, we can make it radically more
difficult to attack by introducing fast mechanical motion. As a trivial example, consider an HSM as it is used in
e-commerce applications for credit card payments. Focusing on its main defense for simplicity, its physical security is
limited by the structure size of the mesh that is likely used in its shell. If an attacker can tap the mesh's electrical
traces and bridge across the mesh in a way the HSM cannot detect (e.g. by making sure the bridge has the same electrical
impedance as the mesh traces, determined by comparing against another device of the same type), they have circumvented
the device's protections. Any such attack would likely involve some fine drill bits, needles, wires, glue, perhaps
solder or even lasers.

Now consider the same HSM, but this time mounted on a large flywheel. In this scenario the HSM uses the same
protections as before, but is now additionally equipped with an accelerometer that it uses to verify that it is in fact
rotating at a very high speed. How would an attacker approach this HSM? They would have to either slow down the rotation
(which would quickly be sensed by the accelerometer) or attack the moving HSM--the HSM literally
becomes a moving target. While rotating the entire attack workbench might be possible at slow speeds, rotating frames
of reference quickly become inhospitable to human life, and at some point the technical means to rotate a CNC attack
robot probably weighing several kilograms become inconvenient as well. Contact-less EM or optical attacks are more
limited in the first place, and can effectively be shielded.
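The rotation check described above, written out as an added example that is not part of this paper or its prototype: the monitor infers the spin rate independently from a gyroscope and from the accelerometer's centripetal reading, and it declares tampering when either sensor leaves the expected band or when the two disagree (a spoofed gyroscope cannot fake the centripetal force the accelerometer feels). The mounting radius, nominal spin rate, tolerance band and sample traces are all constructed assumptions.

```python
import math
from dataclasses import dataclass

# Hypothetical parameters (assumed, not from the paper): accelerometer mounted at
# radius R_M from the spin axis, flywheel nominally spinning at OMEGA_NOM rad/s.
R_M = 0.10                      # metres
OMEGA_NOM = 2 * math.pi * 10    # 10 revolutions per second
REL_TOL = 0.05                  # accepted relative deviation from nominal spin
MAX_BAD = 3                     # consecutive bad samples before keys are wiped

@dataclass
class Sample:
    gyro_z: float       # angular rate about the spin axis, rad/s (gyroscope)
    acc_radial: float   # centripetal acceleration, m/s^2 (accelerometer)

def nominal_sample(omega: float) -> Sample:
    """Constructed reading for a wheel honestly spinning at omega."""
    return Sample(gyro_z=omega, acc_radial=omega ** 2 * R_M)

def omega_from_accel(acc_radial: float) -> float:
    """Invert a = omega^2 * r to get the spin rate the accelerometer implies."""
    return math.sqrt(max(acc_radial, 0.0) / R_M)

class SpinMonitor:
    """Both sensors must sit inside the band and must agree with each other."""
    def __init__(self) -> None:
        self.bad = 0
        self.tampered = False

    def check(self, s: Sample) -> str:
        lo, hi = OMEGA_NOM * (1 - REL_TOL), OMEGA_NOM * (1 + REL_TOL)
        w_gyro, w_acc = s.gyro_z, omega_from_accel(s.acc_radial)
        in_band = lo <= w_gyro <= hi and lo <= w_acc <= hi
        consistent = abs(w_gyro - w_acc) <= REL_TOL * OMEGA_NOM  # cross-check
        if in_band and consistent:
            self.bad = 0
            return "ok"
        self.bad += 1
        if self.bad >= MAX_BAD:
            self.tampered = True    # a real device would zeroise key material here
            return "tamper"
        return "suspect"

def run_trace(samples) -> list:
    """Feed a sample sequence through a fresh monitor; return per-sample verdicts."""
    m = SpinMonitor()
    return [m.check(s) for s in samples]

# Constructed traces: steady spin, a wheel being braked, and a gyroscope spoofed
# to report nominal speed while the accelerometer shows the wheel at half speed.
STEADY = [nominal_sample(OMEGA_NOM)] * 5
BRAKING = [nominal_sample(OMEGA_NOM * f) for f in (1.0, 0.97, 0.9, 0.85, 0.8)]
SPOOFED = [Sample(gyro_z=OMEGA_NOM, acc_radial=(0.5 * OMEGA_NOM) ** 2 * R_M)] * 3
```

Requiring MAX_BAD consecutive bad samples keeps a single noisy reading from wiping keys, while the cross-check means an attacker would have to defeat both sensors in a mutually consistent way.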

\section{Related work} 
% summaries of research papers on HSMs.
% I have not found any actual prior art on anything involving mechanical motion beyond ultrasound.

\section{The physics of hardware security}
% approaching the issue from measurable quantities
\section{Inertial HSMs}
\section{Hardware prototype}
\section{Future work}
\subsection{Other modes of movement}
\subsection{Multiple axes of rotation}
\subsection{Means of power transmission}
\subsection{Other sensing modes}
\subsection{Longevity}
\section{Conclusion}

\printbibliography[heading=bibintoc]
\appendix
\section{License}
{\center{
\begin{minipage}[t][10cm][b]{\textwidth}
    \center{\ccbysa}

    \center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The
    full text of the license can be found at:}

    \center{\url{https://creativecommons.org/licenses/by-sa/4.0/}}

    \center{For alternative licensing options, source files, questions or comments please contact the authors.}

    \center{This is version \texttt{\input{version.tex}\unskip} generated on \today. The git repository can be found at:}

    \center{\url{https://git.jaseg.de/rotohsm.git}}
\end{minipage}
}}

\end{document}