jaseg/ihsm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

update tech report

Browse source
This commit is contained in:
jaseg 2020-10-22 23:06:33 +02:00
parent db20782ff9
commit 1530b958c3
1 changed files with 120 additions and 125 deletions
Download patch file Download diff file Expand all files Collapse all files

245
doc/quick-tech-report/rotohsm_tech_report.tex
View file

@ -1,4 +1,4 @@
\documentclass[12pt,a4paper]{article}
\documentclass[10pt,journal,a4paper]{IEEEtran}
\usepackage[english]{babel}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
@ -37,6 +37,7 @@
\usepackage[binary-units]{siunitx}
\DeclareSIUnit{\baud}{Bd}
\DeclareSIUnit{\year}{a}
\usepackage{hyperref}
\usepackage{tabularx}
\usepackage{commath}
@ -77,135 +78,110 @@
\date{2020-09-15}
\maketitle
\section{Abstract}
\section*{Abstract}
In this paper, we introduce a novel, highly effective countermeasure against physical attacks: Inertial hardware
security modules. Whereas conventional technology can be categorized into systems monitoring a thin boundary (such as
security meshes) and systems monitoring the interior volume (such as the "enclosure PUF" of Tobisch et al.). What all of
these systems have in common is that they try to detect attacks by crafting sensors responding to increasingly minute
manipulations of the monitored medium. Our approach is novel in that we alleviate the sensitivity requirement of a
security mesh by increasing the complexity of any manipulation at all by orders of magnitude by fastly rotating the
security mesh--presenting a moving target to an attacker. Attempts to modify the rotation itself are easily monitored
with commercial MEMS accelerometers and gyroscopes.
security meshes) and systems monitoring the interior volume (such as the ``enclosure PUF'' of Tobisch et
al.\cite{tobisch2020}). All of these systems have in common that they try to detect attacks by crafting sensors
responding to increasingly minute manipulations of the monitored medium. Our approach is novel in that we reduce the
sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by fastly
rotating the security mesh or sensor--presenting a moving target to an attacker. Attempts to tamper with the rotation
itself are easily monitored with commercial MEMS accelerometers and gyroscopes.
Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet is
as secure or more secure than even the best commercial offerings.
Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet
offers a level of security that is comparable to even the best commercial offerings.
\section{Introduction}
Since the early days of computers, physical security has often been a core component of any computer system's security
architecture. Physical security in fact predates our modern concept of computer security by decades. Long before
passwords, access control lists, role-based authentication and other modern concepts of information security were
developed, information was secured by physically locking away the computers that held it.
Nowadays, concerns of physical security are mostly limited to certain applications. Credit card processing and medical
data processing are two instances where a combination of smartcards and hardware security modules is used to provide a
higher level of security than what ordinary computers can provide. Meanwhile, in most commercial data processing
applications, the physical security provided by an average datacenter is considered to be appropriate.
Long before passwords, access control lists, role-based authentication and other modern concepts of information security
were developed, information was secured by physically locking away the computers that held it. Nowadays, physical
security concerns have are mostly receded into specialty applications such as credit card processing and medical data
processing. In most other commercial data processing applications, the physical security provided by the average
datacenter is considered to be appropriate.
In modern systems, phyiscal security always is tightly interwoven with the system's overall security architecture.
Beyond the level provided by locks and guards, it is generally considered infeasible to physically secure all parts of a
computer. High-level physical security is usually limited to either a single chip or part of a chip such as a secure
element, enclave or smartcards--or it is limited to a small module acting within a very limited scope, as is the case in
commercial HSMs that largely act as cryptographic co-processors with built-in key management functions.
In modern systems, it is generally considered infeasible to physically secure a whole computer beyond putting a lock on
it. High-level physical security is usually limited to a small physical sizes. Secure enclaves and smartcards provide
security on the scale of a single-chip. Commercial HSMs provide the functions of a cryptographic co-processor from a
physically secure small circuit board\cite{anderson2020,immler2019}.
\subsection{Technical approaches to physical security}
The use of chips as secure elements has recently become popular beyond the smartcards of yesteryear. Apple has carried
over a secure enclave IC from their line of phones into their line of laptops in 2016. Likewise, Google has developed
its own security IC for use in phones and laptops. An issue to consider with all such IC-based security solutions is
that they do not provide any cryptographic security. The real-world security of these solutions solely rests on the
assumption that due to their fine structure, ICs are hard to reverse engineer and manipulate. As of now, this property
holds and in the authors' opinion it will likely be a reasonable assumptions for some years to come. However, in its
essence this is a type of security by obscurity: Obscurity here mostly applying to the rarity of tools that are
necessary for practical attacks such as focused ion beam workstations and accompanying sample preparation equipment. An
important observation in this regard is that already, several people are slowly chipping away at this obscurity: A group
at Ruhr University Bochum is working on advanced tooling for netlist reverse engineering, and there are several
companies offering commercial IC reverse engineering services.
Shrinking things to the nanoscopic level to secure them against tampering is increasing in popularity. Apple today uses
a secure enclave IC in their line of laptops. Likewise, Google has developed its own security IC with a similar
application\cite{frazelle2019}. Any such security IC provides physical security but does not provide any cryptographic
security. The real-world security of such chips solely rests on the assumption that due to their fine structure, they
are hard to reverse engineer or modify. As of now, this property holds and in the authors' opinion it will likely be a
reasonable assumptions for some years to come. However, in its essence this is a type of security by obscurity:
Obscurity here meaning the rarity of the equipment necessary to attack these chips\cite{albartus2020,anderson2020}.
\subsection{Hardware Security Modules}
At larger physical dimensions, hardware security modules (HSMs) provide an effective solution to the problem: In
conformity with Kerckhoff's principle, their creators do not try to hide the structure of the system within. Instead,
the HSM monitors it for any manipulation and wipes all key material when one is detected. The most common commercial
realization of this is what we call a "boundary-monitoring" HSM. This is a device uses a microcontroller monitoring the
conductivity of usually two electrical traces that are folded many times to cover the entire area of a plastic enclosure
part or a plastic foil wrapped around the module. The security problem thus gets transformed into a manufacturing
challenge: How fine can these traces be made--so they are disturbed by even the tiniest of holes for say, a fine needle;
and how sensitive can they be made to perturbations--so they break from even gentle attempts at mechanical, chemical or
other physical manipulation.
The other type of HSM that so far has garnered mostly academic interest are what we call "volumetric" HSMs. Where a
boundary-monitoring HSM senses disturbations to a thin boundary between its inside and the outside world, a volumetric
HSM monitors its entire interior volume. Approaches that have been proposed so far include monitoring using
electromagnetic radiation % FIXME: citation (paper1 (this chip thing w/ distributed PAs/LNAs), paper2 (RUB)
and ultrasonic sensing. % FIXME: citation
Common to both approaches is that for technical reasons the wavelength of the employed radiation is in the range of
millimeters or larger. This implies that practical attacks acting on a smaller scale of physical size require sensitive
monitoring circuity to be reliably caught. % FIXME maybe talk to a physicist here.
Since they require advanced transceivers and signal processing, these HSMs incur a high implementation cost compared to
one based on a traditional security mesh, while they in turn promise to be easier and less expensive to scale in
physical size. A severe problem with any previous volumetric designs is that their security analysis is very hard. While
multiple designs have been proposed academically, none of these proposals include an analysis of their physical security
properties that goes beyond guesswork. %FIXME verify this.
The obvious reason for this is that to evaluate the volume inside the HSM that is covered by a given transceiver
combination and a given test signal pattern necessarily requires numerically solving the volumetric electromagnetic
field equations inside the HSM, applying a model of transmitter and receiver to the results that takes into account
receiver sensitivity and ADC resolution, transmitter power and receiver saturation effects and then validating that
every point in space (or at least inside a boundary region) is covered. While the guess that attacks are impractical
might still be true this would be based on the fact that the same problem presents itself to an attacker trying to
circumvent these measures--degrading their security to simple obscurity again.
Hardware security modules (HSMs) approach the problem in a different angle: In conformity with Kerckhoff's principle,
instead of hiding the system's structure, the HSM has monitors that wipes all secrets when the slightest manipulation is
detected. Commercial HSMs commonly employ what we call \emph{boundary monitoring}. They have a physical security barrier
that they continuously monitor for holes. Usually, this is a thin foil patterned with two electrical traces that are
folded many times to cover the entire area of the foil--and that are monitored for shorts or breaks. The security
problem thus gets transformed into a manufacturing challenge: How fine can these traces be made so that they break from
even the most gentle attempts at e.g.\ mechanical or chemical manipulation.
In our classification the other type of HSMs are \emph{volumetric} HSMs. Here, the entire interior volume is monitored
for changes using e.g.\ electromagnetic radiation\cite{tobisch2020,kreft2012} or ultrasound. Their security is limited
by the analog sensitivity of their transceivers. Their practicality is limited by their complex transceiver and signal
processing circuitry. They promise to secure larger volumes than boundary monitoring at higher parts cost.
A problem with volumetric designs is their security analysis, which is hard to do without significant guesswork. To
ensure full volumetric coverage one has to numerically solve the electromagnetic field equations inside the HSM
according to a model of its sensing transceivers.
\subsection{Inertial HSMs: A new approach to physical security}
We are certain that there is still much work to be done and many insights to be gained from further explorations
of the two concepts described above. Trivially, consider a box with mirrored walls that, suspended on thin wires,
contains a smaller box that has cameras looking outward in all directions at the mirrored walls. Given that the defender
can control lighting conditions inside this kaleidoscopic box in this application modern cameras can be considered
equivalent to or better than the human eye. Thus, a successful physical attack on this system would likely an
"invisibility cloaks"--and the system would remain secure as long as no such thing exists. This example is a useful
point of reference. To be viable, a HSM technology must be either smaller or more sensitive than such a setup.
We are certain that there is still much work to be done and many insights to be gained from further explorations of the
two concepts described above. For example, consider a box with mirrored walls that contains a smaller box suspended on
thin wires that has cameras looking outward in all directions at the mirrored walls. Given that the defender can control
lighting conditions inside this kaleidoscopic box in this application modern cameras can be considered equivalent to or
better than the human eye. Thus, a successful physical attack on this system would likely an ``invisibility cloak''--and
the system would remain secure as long as no such thing exists. This example is a useful point of reference. To be
viable, an HSM technology must be either cheaper, smaller or more sensitive than this strawman setup.
The candidate we wish to introduce in this paper uses a novel approach to side-step the issues of both the concepts
introduced in the previous section and provides radically better security against physical attacks--both in theory and
in practice.
The candidate we wish to introduce in this paper uses a novel approach to sidestep the issues of conventional HSM
concepts and provides radically better security against physical attacks both in theory and in practice.
Our core observation is that given any less expensive but more coarse HSM technology, we can make it radically more
difficult to attack by introducing fast mechanical motion. As a trivial example, consider a HSM as it is used in
ecommerce applications for credit card payments. Focusing on its main defense for simplicity, its physical security is
limited by the structure size of the mesh that is likely used in its shell. If an attacker can tap the mesh's electrical
traces and bridge across the mesh in a way the HSM cannot detect (e.g. by making sure the bridge has the same electrical
impedance as the mesh traces have e.g. by comparing against another device of the same type), they have circumvented the
device's protections. Any such attack would likely involve some fine drill bits, needles, wires, glue, perhaps solder or
even lasers.
Our core observation is that any cheap but coarse HSM technology can be made radically more difficult to attack by
introducing fast mechanical motion. As a trivial example, consider an HSM as it is used in ecommerce applications for
credit card payments. Its physical security level is set by the structure size of its security mesh. If an attacker can
tap the mesh's electrical traces in a way the HSM cannot detect, they have circumvented the device's protections. Such
attacks might involve fine drill bits, needles, wires, glue, solder and lasers.
Now consider the same HSM, but this time mounted on a large flywheel. In this scenario the HSM uses the same
protections as before, but is now additionally equipped with an accelerometer that it uses to verify that it is in fact
rotating at a very high speed. How would an attacker approach this HSM? They would have to either slow down the rotation
(which would quickly be sensed by the accelerometer) or they would have to attack the moving HSM--the HSM literally
becomes a moving target. While rotating the entire attack workbench might be possible for slow speeds, rotating frames
of reference quickly become inhospitable to human life and at some point the technical means to rotate a CNC attack
robot probably weighing several kilograms become inconvenient as well. Contact-less EM or optical attacks are more
limited in the first place, and can effectively be shielded.
Now consider the same HSM mounted on a large flywheel. In addition to its usual defenses the HSM is now equipped with an
accelerometer that it uses to verify that it is rotating at high speed. How would an attacker approach this HSM? They
would have to either slow down the rotation, which would quickly be sensed by the accelerometer, or they would have to
attack the HSM in motion. The HSM literally becomes a moving target. At slow speeds, rotating the entire attack
workbench might be possible but rotating frames of reference quickly become inhospitable to human life and at some point
the technical means to rotate a CNC attack robot will become inconvenient as well. Electromagnetic or optical attacks
that do not require mechanical contact are more limited in the first place and can be shielded effectively.
\subsection{Contributions}
This work contains the following contributions:
\begin{enumerate}
\item Presentation of the \emph{Inertial HSM} concept, allowing cost-effective prototype and small-scale production
of highly secure HSMs.
\item Discussion of possible boundary sensing modes in the intertial HSM model.
\item Exploration of the design space of inertial HSMs.
\item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective small-scale production of
highly secure HSMs.
\item We discuss possible boundary sensing modes for intertial HSMs.
\item We explore the design space our inertial HSM concept.
% FIXME \item Presentation of a prototype inertial HSM.
% FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack.
\end{enumerate}
\section{Related work}
% summaries of research papers on HSMs.
% I have not found any actual prior art on anything involving mechanical motion beyond ultrasound.
In chapter 18 of the forthcoming 3rd edition of his seminal book on "Security Engineering"\cite{anderson2020}, Ross
Anderson gives a background on physical security in general and on HSMs in particular. As an example he cites the IBM
% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion
% beyond ultrasound.
In \cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM
4758 HSM whose details are laid out in depth in \cite{smith1998}. This HSM is an example of an industry-standard
construction. Though it is now a bit dated, the construction techniques of the physical security mechanisms have not
changed much in the last two decades. Apart from some auxiliary temperature and radiation sensors to guard against
attacks on the built-in SRAM memory the module's main security barrier uses the traditional construction of a flexible
mesh wrapped around the module's core. In \cite{smith1998}, the authors claim the module monitors this mesh for
short circuits, open circuits and conductivity. The fundamental approach to tamper detection and construction is similar
to other commercial offerings\cite{obermaier2018}.
evolved much in the last two decades. Apart from some auxiliary temperature and radiation sensors to guard against
attacks on the built-in SRAM memory, the module's main security barrier uses the traditional construction of a flexible
mesh wrapped around the module's core. In \cite{smith1998}, the authors claim the module monitors this mesh for short
circuits, open circuits and conductivity. The fundamental approach to tamper detection and construction is similar to
other commercial offerings\cite{obermaier2018}.
In \cite{immler2019}, Immler et al. describe a HSM based on precise capacitance measurements of a mesh. In contrast to
traditional meshes, the mesh they use consists of a large number of individual traces (more than 32 in their example).
@ -225,21 +201,19 @@ cheaper and capable of protecting a much larger security envelope than e.g. the
cost of worse and less predictable security guarantees.
While \cite{tobisch2020} approach the sensing frontend cost as their only optimization target, the prior work of Kreft
and Adi\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume barely larger than a
and Adi \cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume barely larger than a
single chip. They theorize how an array of distributed RF transceivers can measure the physical properties of a potting
compound that has been loaded with RF-reflective grains. In their concept, the RF response characterized by these
transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains within the potting
compound.
\subsection{Comparison to prior research}
Our concept is truly novel in that neither academic literature, nor patent databases contain any mention of mechanical
motion being used as part of a hardware security module. Most academic research concentrates on the issue of creating
new, more sensitive security barriers for HSMs while commercial vendors concentrate on means to cheaply manufacture
these security barriers. Our concept instead focuses on the issue of taking any existing, cheap low-performance security
barrier and transforming it into a marginally more expensive but very high-performance one. The closes to a mechanical
HSM that we were able to find during our research is an 1988 patent\cite{rahman1988} that describes an mechanism to
detect tampering along a communication cable by enclosing the cable inside a conduit filled with pressurized gas.
Our concept is novel in that mechanical motion has not been proposed before as part of a hardware security module. Most
academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs while commercial
vendors concentrate on means to cheaply manufacture these security barriers. Our concept instead focuses on the issue of
taking any existing, cheap low-performance security barrier and transforming it into a marginally more expensive but
very high-performance one. The closes to a mechanical HSM that we were able to find during our research is an 1988
patent \cite{rahman1988} that describes an mechanism to detect tampering along a communication cable by enclosing the
cable inside a conduit filled with pressurized gas.
\section{Intertial HSM construction and operation}
\subsection{Using motion for tamper detection}
@ -250,17 +224,17 @@ a primitive tamper detection sensor.
\begin{enumerate}
\item We need the sensor's motion to be fairly fast. If any point of the sensor moves slow enough for a human to
follow, it becomes a weak spot.
\item We need the sensor's motion to be periodic to keep it within a reasonable space. Otherwise we could just load
our HSM on an airplane and assume that airplanes are hard to stop non-destructively mid-flight.
\item We need to keep the sensor's motion inside a reasonable space. Otherwise we could just load our HSM on an
airplane and assume that mid-flight, airplanes are hard to stop non-destructively.
\item We need the sensor's motion to be very predictable so that we can detect an attacker trying to stop it.
\end{enumerate}
From this, we can make a few observations.
\begin{enumerate}
\item Linear motion is likely to be a poor choice since it requires a large amount of space, and it is comparatively
easy to follow something moving linearly.
\item Oscillatory motion such as linear vibration or a pendulum motion might be a good candidate, but for the
\item Non-periodic linear motion is likely to be a poor choice since it requires a large amount of space, and it is
comparatively easy to follow something moving linearly.
\item Oscillatory motion such as linear vibration or a pendulum motion might be a good candidate but for the
instant at its apex when the vibration reverses direction the object is stationary, which is a weak spot.
\item Rotation is a very good choice. Not only does it not require much space to execute, but also if the axis of
rotation is within the HSM itself, an attacker trying to follow the motion would have to rotate around the same
@ -270,12 +244,11 @@ From this, we can make a few observations.
rotates too fast for a human to be able to follow it. The axis of rotation is a weak spot, but this can be
alleviated by placing additional internal sensors around it and locating all sensitive parts of the sensing
circuit radially away from it.
\item We do not have to move the entire contents of the HSM. It suffices if we move the tamper detection barrier
around a stationary payload. This reduces the inertial mass of the moving part and eases data communication and
power supply of the payload.
\end{enumerate}
Another important observation is that we do not have to move the entire contents of the HSM. It suffices if we can
somehow move the tamper detection barrier around these contents while keeping the contents stationary. This reduces the
inertial mass of the moving part and eases data communication and power supply of the payload.
In a rotating reference frame, at any point the centrifugal force is proportional to the square of the angular frequency
and linearly proportional to the distance from the axis of rotation. We can exploit this fact to create a sensor that
detects any disturbance of the rotation by simply placing a linear accelerometer at some distance to the axis of
@ -334,10 +307,10 @@ monitoring circuitry.
\subsection{Payload cooling}
An issue with existing HSM concepts is that the mesh has to fully envelope the payload, and thus traditional air cooling
or heat pipes cannot be used. Existing systems rely on heat conduction through the mesh alone for cooling, severly
limiting the maximum power dissipation of the payload. In our rotating HSM concept, the rotating mesh can have radial
gaps in the mesh without impeding its function. This allows air to pass through the mesh during rotation, and a future
evolution of the concept could even integrate a fan into the rotating component. This greatly increases the maximum
possible power dissipation of the payload, allowing for much more powerful processing.
limiting the maximum power dissipation of the payload. In our rotating HSM concept, the rotating mesh can have
longitudindal gaps in the mesh without impeding its function. This allows air to pass through the mesh during rotation,
and a future evolution of the concept could even integrate a fan into the rotating component. This greatly increases the
maximum possible power dissipation of the payload, allowing for much more powerful processing.
\subsection{Other sensing modes}
Since the security requirement the primary tamper-detection barrier needs to measure up to are much more lenient in the
@ -429,6 +402,28 @@ laid out some ideas for future research on the concept, and we will continue our
\printbibliography[heading=bibintoc]
\appendix
\section{Rotating mesh energy calculations}
Assume that the rotating mesh sensor should send its tamper status to the static monitoring circuit at least once every
$T_\text{tx} = \SI{10}{\milli\second}$. At $\SI{100}{\kilo\baud}$ a transmission of a single byte in standard UART
framing would take $\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF
transmitter that requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of
$\SI{100}{\micro\ampere}$. Reserving another $\SI{100}{\micro\ampere}$ for the monitoring circuit itself we arrive at an
energy consumption of $\SI{1.7}{\ampere\hour\per\year}$.
\subsection{Battery power}
The annual energy consumption we calculated above is about equivalent to the capacity of a single CR123A
lithium primary cell. Using several such cells or optimizing power consumption would thus easily yield several years of
battery life.
\subsection{LED and solar cell}
Let us assume an LED with a light output of $\SI{1}{W}$ illuminating a small solar cell. Let us pessimistically assume a
$\SI{5}{\percent}$ conversion efficiency in the solar cell. Let us assume that when the rotor is at its optimal
rotational angle, $\SI{20}{\percent}$ of the LED's light output couple into the solar cell. Let us assume that we loose
another $\SI{90}{\percent}$ of light output on average during one rotation when the rotor is in motion. This results in
an energy output from the solar cell of $\SI{1}{\milli\watt}$. Assuming a $\SI{3.3}{\volt}$ supply this yields
$\SI{300}{\micro\ampere}$ for our monitoring circuit. This is enough even with some conversion losses in the step-up
converter boosing the solar cell's $\SI{0.6}{\volt}$ working voltage to the monitoring circuit's supply voltage.
\section{Patents and licensing}
During devlopment, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not
find any mentions of similar concepts either in academic literature or in patents. Thus, we deem ourselves to be the