jaseg/ihsm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add Björn's fixes

Browse source
This commit is contained in:
jaseg 2021-04-15 23:57:25 +02:00
parent 3f3db46c69
commit 058268efb5
3 changed files with 57 additions and 70 deletions
Download patch file Download diff file Expand all files Collapse all files

7
paper/ihsm.bib
View file

@ -17,9 +17,12 @@
urldate = {2021-04-13}
}
@techreport{smith1998,
@article{smith1998,
author = {Sean Smith and Steve Weingart},
date = {1998-02-19},
date = {1999},
journaltitle = {Computer Networks},
volume = {31},
issue = {8},
institution = {IBM T.J. Watson Research Center},
title = {Building a High-Performance, Programmable Secure Coprocessor},
url = {ftp://www6.software.ibm.com/software/cryptocards/rc21102.pdf},

118
paper/ihsm_paper.tex
View file

@ -8,7 +8,7 @@
doi=true,
eprint=false
]{biblatex}
\addbibresource{rotohsm.bib}
\addbibresource{ihsm.bib}
\usepackage{amssymb,amsmath}
\usepackage{eurosym}
\usepackage{wasysym}
@ -121,8 +121,8 @@ This paper contains the following contributions:
In Section~\ref{sec_related_work}, we will give an overview of the state of the art in HSM physical security. On this
basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our Inertial HSM approach. We will
analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof of concept hardware
prototype that whose design we will elaborate in Section~\ref{sec_proto}. In Section~\ref{sec_accel_meas} we present our
characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof of concept prototype. We
prototype the design of which we will elaborate in Section~\ref{sec_proto}. In Section~\ref{sec_accel_meas} we present
our characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof of concept prototype. We
conclude this paper with a general evaluation of our design in Section~\ref{sec_conclusion}.
\section{Related work}
@ -207,22 +207,6 @@ closest to a mechanical HSM that we were able to find during our research is an
describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled
with pressurized gas.
In January 2020, we have uploaded an eprint of a short tech report with a rough description of the inertial HSM
concept\cite{gs21}. Up to the time this paper was written, we have not received communication in response to this eprint
that would indicate prior art.
\subsection{Patent literature}
During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not
find any mentions of similar concepts either in academic literature or in patents. Thus, while we cannot give any
guarantees, we seem likely to be the inventors of this idea and we are fairly sure it is not covered by any patents or
other restrictions at this point in time.
Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are
already commercially available, we have decided against applying for a patent and we wish to make it available to the
general public without any restrictions on its use. We invite you build on our work as you wish and to base your own
work on our publications without any fees or commercial restrictions. Where possible, we ask you to cite this paper and
attribute the inertial HSM concept to its authors.
\section{Inertial HSM construction and operation}
\label{sec_ihsm_construction}
@ -244,15 +228,15 @@ We will approach these questions one by one in the following subsections.
\subsection{Inertial HSM motion}
\label{sec_ihsm_motion}
First, there are several ways that we can approach motion. There is periodic, aperiodic and continuous motion. There is
also linear motion as well as rotation. We can also vary the degree of electronic control in this motion. The main
constraints we have on the HSM's motion pattern are that it needs to be (almost) continuous so as to not expose any weak
spots during instantaneous standstill of the HSM. Additionally, for space efficiency the HSM has to stay within a
confined space. This means that linear motion would have to be periodic, like that of a pendulum. Such periodic linear
motion will have to quickly reverse direction at its apex so the device is not stationary long enough for this to become
a weak spot.
First, there are several ways how we can approach motion. Periodic, aperiodic and continuous motion could serve the
purpose. There is also linear motion as well as rotation. We can also vary the degree of electronic control in this
motion. The main constraints we have on the HSM's motion pattern are that it needs to be (almost) continuous so as to
not expose any weak spots during instantaneous standstill of the HSM. Additionally, for space efficiency the HSM has to
stay within a confined space. This means that linear motion would have to be periodic, like that of a pendulum. Such
periodic linear motion will have to quickly reverse direction at its apex so the device is not stationary long enough
for this to become a weak spot.
In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the
In contrast to linear motion, rotation is space efficient and can be continuous if the axis of rotation is inside the
device. In case it has a fixed axis, rotation will expose a weak spot at the axis of rotation where the surface's
tangential velocity is low. Faster rotation can lessen the security impact of this fact at the expense of power
consumption and mechanical stress, but it can never eliminate it. This effect can be alleviated in two ways: Either by
@ -264,11 +248,11 @@ disassembly of the device, but it also creates an obstacle to any attacker tryin
call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion
would have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from
following the devices motion since doing so would subject them to impractically large centrifugal forces. Essentially,
this limits the approximate maximum size and mass of an attacker based on an assumption on tolerable centrifugal force.
this limits the approximate maximum size and mass of an attacker under the an assumption on tolerable centrifugal force.
In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we are focusing on
systems that have a fixed axis of rotation due to their simple construction but we do wish to note the challenge of
hardening the shaft against tampering that any production device would have to tackle.
In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we focus on systems
with a fixed axis of rotation due to their simple construction but we do wish to note the challenge of hardening the
shaft against tampering that any production device would have to tackle.
\subsection{Tamper detection mesh construction}
@ -296,12 +280,12 @@ transfer from the outside to the payload.
The security mesh is a critical component in the IHSM's defense against physical attacks, but its monitoring is only one
half of this defense. The other half consists of a reliable and sensitive braking detection system. This system must be
able to quickly detect any slowing of the IHSM's rotation. Ideally, a sufficiently sensitive sensor should be able to
measure any external force applied to the IHSM's rotor and should already trigger a response at the first signs of a
able to quickly detect any slowdown of the IHSM's rotation. Ideally, a sufficiently sensitive sensor is able to measure
any external force applied to the IHSM's rotor and should already trigger a response at the first signs of a
manipulation attempt.
While the obvious choice to monitor rotation would be a tachometer such as a magnetic or opitical sensor attached to the
IHSM's shaft, this would be a poor choice in our application. Both optical and magnetic sensors are susceptible to
While the obvious choice to monitor rotation would be a tachometer such as a magnetic or optical sensor attached to the
IHSM's shaft, this would be a poor choice for our purposes. Both optical and magnetic sensors are susceptible to
contact-less interference from outside. A different option would be to use feedback from the motor driver electronics.
When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this
approach is that depending on construction, it might invite attacks at the mechanical interface between mesh and the
@ -311,7 +295,7 @@ already standing still.
Instead of a stator-side sensor like a magnetic tachometer or feedback from the BLDC controller, an accelerometer placed
inside the spinning mesh monitoring circuit would be a good component to serve as an IHSM's tamper sensor. Modern, fully
intergrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of the device's
integrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of the device's
mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper with the device's
motion. It may also allow remote monitoring of the device's mechanical components such as bearings: MEMS accelerometers
are fast enough to capture vibrations, which can be used as an early warning sign of failing mechanical
@ -321,8 +305,8 @@ In a spinning IHSM, an accelerometer mounted at a known radius with its axis poi
acceleration. Centrifugal acceleration rises linearly with radius, and with the square of frequency: $a=\omega^2 r$. For
a given target speed of rotation, the accelerometer's location has to be carefully chosen to maximize dynamic range. A
key point here is that for rotation speeds between $500$ and $\SI{1000}{rpm}$, centrifugal acceleration already becomes
very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}\approx\SI{17}{\hertz}$ at a
$\SI{10}{\centi\meter}$ radius acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. While
very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}\approx\SI{17}{\hertz}$ and at a
$\SI{10}{\centi\meter}$ radius, acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. While
beneficial for security, this large acceleration leads to two practical constraints. First, off-axis performance of
commercial accelerometers is usually in the order of $\SI{1}{\percent}$ so this large acceleration will feed through
into all accelerometer axes, even those that are tangential to the rotation. Second, we either have to place the
@ -331,19 +315,19 @@ automotive applications.
To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark: Let us assume that an
IHSM is spinning at $\SI{1000}{rpm}$ and that we wish to detect any attempt to brake it below $\SI{500}{rpm}$. The
difference in centrifugal acceleration that our accelerometer will have to detect then is a factor of
difference in centrifugal acceleration that our accelerometer will need to detect then is a factor of
$\frac{\omega_2^2}{\omega_1^2}=4$. If we choose our accelerometer's location to maximize its dynamic range, any
commercial MEMS accelerometer should suffice for this degree of accuracy even over long timespans. For rapid
deceleration, commercial accelerometers will be much more sensitive as effects of long-term drift can be ignored. If we
wish to also detect very slow deceleration, we have to take into account the accelerometer's drift characteristics.
In Section~\ref{sec_accel_meas} below we conduct an empirical evaluation of a commercial automotive high-$g$ MEMS
In Section~\ref{sec_accel_meas} below, we conduct an empirical evaluation of a commercial automotive high-$g$ MEMS
accelerometer for braking detection in our prototype IHSM.
\subsection{Mechanical layout}
With our IHSM's components taken care of, what remains to be decided is how to put together these individual components
into a complete device. A basic spinning HSM might look like shown in Figure~\ref{fig_schema_one_axis}. Shown are the
into a complete device. A basic spinning HSM might look as shown in Figure~\ref{fig_schema_one_axis}. Visible are the
axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload and the
area covered by the rotating tamper detection mesh. A key observation is that we only have to move the tamper
protection mesh, not the entire contents of the HSM. The HSM's payload and with it most of the HSM's mass can be
@ -375,19 +359,19 @@ evolution of our design, the spinning mesh could even be designed to \emph{be} a
After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to
attack it. At the core of an IHSM's defenses is the same security mesh or other technology as it is used in traditional
HSMs. This means that in the end an attacker will have to perform the same steps they would have to perform to attack a
traditional HSM. Only, they will either have to perform these attack steps with a tool that follows the HSMs rotation
at high speed or they will first have to defeat the braking sensor. Attacking the IHSM in motion may require specialized
mechanical tools, CNC actuators or even a contactless attack using a laser, plasma jet or water jet.
traditional HSM. However, they will either need to perform these attack steps with a tool that follows the HSM's
rotation at high speed or they will first need to defeat the braking sensor. Attacking the IHSM in motion may require
specialized mechanical tools, CNC actuators or even a contactless attack using a laser, plasma jet or water jet.
\subsection{The Swivel Chair Attack}
\label{sec_swivel_chair_attack}
First we will consider the most basic of all attacks: A human attacker holding a soldering iron trying to rotate
themselves along with the mesh using a very fast swivel chair. Let us pessimistically assume that this co-rotating
First we will consider the most basic of all attacks: a human attacker holding a soldering iron trying to rotate
herself along with the mesh using a very fast swivel chair. Let us pessimistically assume that this co-rotating
attacker has their center of mass on the axis of rotation. The attacker's body is likely on the order of
$\SI{200}{\milli\meter}$ wide along its shortest axis, resulting in a minimum radius from axis of rotation to surface of
about $\SI{100}{\milli\meter}$. Wikipedia lists horizontal g forces in the order of $\SI{20}{g}$ as the upper end of the
range tolerable by humans for seconds at a time or longer. We thus set our target acceleration to
range tolerable by humans for a duration of seconds or above. We thus set our target acceleration to
$\SI{100}{g}\;\approx\;\SI{1000}{\meter\per\second^2}$, a safety factor of $5$ past that range. Centrifugal
acceleration is $a=\omega^2 r$. In our example this results in a minimum angular velocity of $f_\text{min} =
\frac{1}{2\pi}\sqrt{\frac{a}{r}} = \frac{1}{2\pi}\sqrt{\frac{\SI{1000}{\meter\per\second^2}}{\SI{100}{\milli\meter}}}
@ -398,23 +382,23 @@ kind of mechanical tool.
\subsection{Mechanical weak spots}
The tamper defense of an IHSM rests on the security mesh moving too fast to tamper. Depending on the type of motion
used, the meshes speed may vary by location and over time. Our example configuration of a rotating mesh can keep moving
continuously, so it does not have any time-dependent weak spots. It does however have a weak spot at its axis of
rotation, at the point where the shaft penetrates the mesh. The meshes tangential velocity decreases close to the shaft,
used, the mesh's speed may vary by location and over time. Our example configuration of a rotating mesh can keep moving
continuously, so it does not have any time-dependent weak spots. It does, however, have a weak spot along its axis of
rotation, at the point where the shaft penetrates the mesh. The mesh's tangential velocity decreases close to the shaft,
and the shaft itself may allow an attacker to insert tools such as probes into the device through the opening it
creates. This issue is related to the issue conventional HSMs also face with their power and data connections. In
conventional HSMs, power and data are routed into the enclosure through the PCB or flat flex cables sandwiched in
between security mesh foil layers. In traditional HSMs this interface rarely is a mechanical weak spot since they use a
thin mesh substrate and create a meandering path by folding the interconnect substrate/security mesh layers several
times. In inertial HSMs, careful engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows
variations of the shaft interface with increasing complexity.
between security mesh foil layers~\cite{smith1998}. In traditional HSMs this interface rarely is a mechanical weak spot
since they use a thin mesh substrate and create a meandering path by folding the interconnect substrate/security mesh
layers several times. In inertial HSMs, careful engineering is necessary to achieve the same effect.
Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity.
\begin{figure}
\begin{subfigure}[t]{0.3\textwidth}
\center
\includegraphics[width=4cm]{ihsm_shaft_countermeasures_a.pdf}
\caption{Cross-sectional view of the basic configuration with no special protection of the shaft. Red: Moving
mesh -- Black: Stationary part.}
\caption{Cross-sectional view of the basic configuration with no special protection of the shaft. Red: moving
mesh -- Black: stationary part.}
\label{shaft_cm_a}
\end{subfigure}
\hfill
@ -498,7 +482,7 @@ were:
\begin{enumerate}
\item A mechanical design suitable for rapid prototyping that can withstand at least $\SI{500}{rpm}$.
\item The Automatic generation of security mesh PCB layouts for quick adaption to new form factors.
\item The automatic generation of security mesh PCB layouts for quick adaption to new form factors.
\item Non-contact power transmission from stator to rotor.
\item Non-contact bidirectional data communication between stator and rotor.
\end{enumerate}
@ -513,7 +497,7 @@ for the rotating part, and 2020 aluminium extrusion for its mounting frame. Figu
rotor's mechanical PCB designs. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already
sufficiently narrow to pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our
prototype incorporates a functional PCB security mesh. As we observed previously, this mesh only needs to cover every
part of the system once per revolution, so we designed the longituninal PCBs as narrow strips to save weight.
part of the system once per revolution, so we designed the longitudinal PCBs as narrow strips to save weight.
\subsection{PCB security mesh generation}
@ -565,7 +549,7 @@ StepUp plugin, this results in an efficient toolchain from mechanical CAD design
\subsection{Power transmission from stator to rotor}
The spinning mesh has its own autonomous monitoring circuit. This spinning monitoring circuit needs both power and data
connectivity to the stator. To design the power link, we first have to estimate the monitoring circuit's power
connectivity to the stator. To design the power link, we first need to estimate the monitoring circuit's power
consumption. We base our calculation on the (conservative) assumption that the spinning mesh sensor should send its
tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At
$\SI{100}{\kilo\baud}$, a transmission of a one-byte message in standard UART framing would take
@ -624,10 +608,10 @@ are shielded from one another by the motor's body in the center of the PCB.
\subsection{Evaluation}
The compoleted proof of concept hardware worked as intended. Both rotating power and data links worked well. As we
expected, the mechanical design vibrated at higher speeds but despite these unintended vibrations we were able reach
speeds in excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link
and the data links continued to function without issue.
The proof-of-concept hardware worked as intended. Both rotating power and data links performed well. As we expected, the
mechanical design vibrated at higher speeds but despite these unintended vibrations we were able reach speeds in excess
of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link and the data links
continued to function without issue.
\section{Using MEMS accelerometers for braking detection}
\label{sec_accel_meas}
@ -640,7 +624,7 @@ a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB correspon
Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually
control this motor controller through an RC servo tester. In our experiments we externally measured the device's speed
of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using an
USB logic analyzer at a sampling rate of $\SI{100}{\mega\hertz}$. We calculcate rotation frequency as a
USB logic analyzer at a sample rate of $\SI{100}{\mega\hertz}$. We calculcate rotation frequency as a
$\SI{1}{\second}$ running average over debounced interval lengths of this captured signal\footnote{A regular frequency
counter or commercial tachometer would have been easier, but neither was available in our limited COVID-19 home office
lab.}.
@ -652,8 +636,8 @@ link. Data is packetized with a sequence number indicating the buffer's position
checksum for error detection. On the host, a Python script stores all packets received with a valid checksum in an
SQLite database.
Data analysis is done separately from data capture. An analysis IPython Notebook reads captured packets and reassembles
the continuous sample stream based on the packets' sequence numbers. The low $\SI{10}{\hertz}$ sampling rate and high
Data analysis is done separately from data capture. An analysis IPython notebook reads captured packets and reassembles
the continuous sample stream based on the packets' sequence numbers. The low $\SI{10}{\hertz}$ sample rate and high
$\SI{115}{\kilo Bd}$ transmission speed lead to a large degree of redundancy with gaps in the data stream being rare.
This allowed us to avoid writing retransmission logic or data interpolation.
@ -678,7 +662,7 @@ $\SI{10}{\percent}$ at $\SI{95}{rpm}$.
After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data.
Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity
since we tested our proof of concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that
this harmonic content is a clean intermodulation product of the accelerometers sampling rate and the speed of rotation
this harmonic content is a clean intermodulation product of the accelerometers sample rate and the speed of rotation
with no other visible artifacts.
Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark

2
paper/ihsm_tech_report.tex
View file

@ -10,7 +10,7 @@
doi=true,
eprint=false
]{biblatex}
\addbibresource{rotohsm.bib}
\addbibresource{ihsm.bib}
\usepackage{amssymb,amsmath}
\usepackage{listings}
\usepackage{eurosym}