diff --git a/content/blog/paper-sampling-mesh-monitor/index.rst b/content/blog/paper-sampling-mesh-monitor/index.rst new file mode 100644 index 0000000..e1cac6f --- /dev/null +++ b/content/blog/paper-sampling-mesh-monitor/index.rst @@ -0,0 +1,42 @@ +--- +title: "New paper: Monitoring Tamper-Sensing Meshes Using Low-Cost, Embedded Time-Domain Reflectometry" +date: 2025-10-20T23:42:00+01:00 +summary: > + foobar +--- + +I've got a new paper accepted at CHES, to be published in TCHES 2026/1 around beginning of December and out +`on eprint now `__. The topic of the paper is a way of monitoring a tamper-sensing +mesh through time-domain reflectometry using very cheap components. The end result is a circuit that costs about 10 € in +parts that is able to measure TDR responses with a few hundred picoseconds of resolution. + +Tamper-Sensing meshes are squiggly circuit traces that are used to tamper-proof high-security devices like hardware +security modules, ATM pin pads and countertop card payment terminals. Any area where you would like to prevent an +attacker from drilling or sawing through in a physical attack, you completely cover with one or more such circuit traces +in a meandering pattern. I've written up some work on a KiCad plugin for creating these meshes `in another post +<{{< ref "blog/kicad-mesh-plugin" >}}>`__. + +Up to now, the state of the art in monitoring these security meshes has mostly been finding ways to precisely monitor +their ohmic resistance in the analog domain. This has the disadvantage of both being fairly complex in circuitry and of +presenting a steep trade-off between sensitivity and false-positive rate since all you get out of the whole mesh is a +single analog measurement containing maybe 12 to 16 bits of entropy. There have been a few papers on using more advanced +RF techniques, but they all either required really expensive circuitry and/or highly customized meshes that for instance +couldn't easily be fitted into arbitrary shapes. + +In this paper, I wrote up a method using the high-resolution timer of an inexpensive `STM32G4-series microcontroller +`__ together with a DisplayPort/HDMI "redriver" chips meant for +amplifying high-speed display signals to create fast pulse edges. I characterized several chips, with the best +performers being TI's `TDP0604 `__ and Diodes' `PI3HDX12211 +`__, coming in at 2 to 5 € depending on where and how much you buy. The +fast edges generated by these drivers are then fed to a set of four-diode sampling gates using cheap RF schottky diodes +to create a really cheap but fast time-domain reflectometer. Using this TDRD circuit, a security mesh can be monitored +much more precisely than before, since the circuit creates a sort of fingerprint of the mesh's trace along its length. + +Have a look into the paper, where I wrote up details on the circuitry as well as a whole bunch of (>1000!) measurements +characterizing the system. As it turns out, it's really sensitive to attacks while being reasonably robust to +environmental disturbances. In fact, it's so sensitive that the circuit can distinguish multiple identical (!) copies of +the same mesh produces by JLCPCB from their manufacturing tolerances such as FR-4 fiber weave alignment. + +You can find a preprint of the paper `on eprint `__, and I'll update this post with a +link to the published version of the paper when it becomes available. The eprint is identical to the published version +as of now.