Minor changes proof #1
parent fc588530eb
commit 2219846a12
1 changed files with 86 additions and 84 deletions
@ -57,7 +57,7 @@
yet offers a level of security that is comparable to commercial HSMs. We have built a proof-of-concept hardware
prototype that demonstrates solutions to the concept's main engineering challenges. As part of this
proof-of-concept, we have found that a system using a coarse security mesh made from commercial printed circuit
boards and an automotive high g-force accelerometer already provides a useful level of security.
boards and an automotive high-g-force accelerometer already provides a useful level of security.
\end{abstract}
\section{Introduction}
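Review bot: the abstract now writes "high-g-force accelerometer" while the braking-detection section in this same diff writes "high-$g$ accelerometers"; use one form throughout, preferably the math-mode "high-$g$", so the symbol for gravitational acceleration is typeset the same way as in "$100\,g$".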
@ -163,9 +163,9 @@ commercial HSMs.
The self-destruct built into an HSM serves as a strong tamper deterrent. For illustration, compare an HSM to a computer
inside a locked safe when opposing a well-funded attacker with plenty of time. In~\cite{boak1973}, Boak asserts that
absent an HSM's capability to self-destruct, the best safes can only withstand brute force attacks by an expert for
several minutes at best. While the state of electronics has advanced rapidly since Boak's 1973 lecture, the hardness of
steel has not increased correspondingly. Thus, we can conclude that even today, against a "smart, well-equipped opponent
with plenty of time" as noted by Boak, this self-destruction functionality is essential.
several minutes. While the state of electronics has advanced rapidly since Boak's 1973 lecture, the hardness of steel
has not increased correspondingly. Thus, we can conclude that even today, against a ``smart, well-equipped opponent with
plenty of time'' as noted by Boak, this self-destruction functionality is essential.
In~\cite{anderson2020}, Anderson gives a comprehensive overview of physical security. An example HSM that he cites is
the IBM 4758, the details of which are laid out in-depth in~\cite{smith1998}. This HSM is an example of an
@ -173,8 +173,8 @@ industry-standard construction. Although its turn of the century design is now a
of the physical security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature
and radiation sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the
common construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state
that the module monitors this mesh for short circuits, open circuits, and conductivity. Other commercial offerings use a
fundamentally similar approach to tamper detection~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
that the module monitors this mesh for short circuits, open circuits, and conductivity. Other commercial offerings use
similar approaches to tamper detection~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an
HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to
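Review bot: "SRAM memory" in the first line of this hunk is redundant, since the M in SRAM already stands for memory; write "the built-in SRAM". The acronym PUF is first used in the last line of this hunk ("creating a PUF from the mesh") but is only expanded to Physically Unclonable Function in the later mesh-construction subsection; expand it here at first use.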
@ -209,9 +209,9 @@ security barrier and transforming it into a marginally more expensive but high-p
\section{Inertial HSM construction and operation}
\label{sec_ihsm_construction}
Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and
is routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first
to use it in tamper detection.
Fast mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006}
and is routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the
first to use it in tamper detection.
The core questions in the design of an inertial HSM are the following:
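Review bot: "we seem to be the first to use it in tamper detection" is the paper's main novelty claim and a reviewer will probe it; either state what literature search supports it or phrase it as "we are not aware of prior use of motion for tamper detection", which is what "seem" is trying to say. "Fast mechanical motion" is the right qualifier, since slow motion would not help against the probing attacks described later in the paper.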
@ -232,12 +232,13 @@ perform advanced data analysis on a large database of patient health information
needed for the common good, accumulating large amounts of sensitive data on a single system for such processing poses a
risk. By collecting valuable data in a single computer, this computer is effectively made a target for organized
cyber-criminals and other determined attackers. Mitigations such as cryptographic protocols and firewalls are effective
for the network security side of things, physical security is difficult to secure against e.g. bribing of insiders. A
similar use case would be that of a bank processing customer data. Here, too, a very high level of physical security is
necessary since adversaries may include foreign secret services. Finally, consider a provider of large-scale group
communication. Right now, practical systems such as messenger apps fall back to non-end-to-end-encrypted processes for
large groups since a sufficiently lightweight, performant cryptographic solution does not exist yet. Similar to the
banking use case, such services need to consider advanced adversaries such as foreign nation states' secret services.
for the network security side of things, but the physical hardware is difficult to secure against e.g.\ bribing of
insiders. A similar use case would be that of a bank processing customer data. Here, too, a very high level of physical
security is necessary since adversaries may include foreign secret services. Finally, consider a provider of large-scale
group communication. Right now, practical systems such as messenger apps fall back to non-end-to-end-encrypted processes
for large groups since a sufficiently lightweight, performant cryptographic solution does not exist yet. Similar to the
banking use case, such services need to consider advanced adversaries such as foreign nation states' secret services
that might attempt physical attacks to extract unencrypted messages from a message broker server.
Our goal with IHSMs is to eventually arrive at a system that, at low-cost, can persist against a smart, well-funded
adversary such as a secret service or organized cyber-crime.
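Review bot: "persist against a smart, well-funded adversary" in the trailing context of this hunk is an unusual verb choice; "withstand" is the standard term. The newly added sentence ends with "extract unencrypted messages from a message broker server", a term the group-communication use case has not introduced; "from the messaging service's servers" keeps the sentence tied to the example above it. The comma splice in the old "effective for the network security side of things, physical security is difficult" is correctly resolved by "but the physical hardware is".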
@ -247,7 +248,7 @@ adversary such as a secret service or organized cyber-crime.
First, there are several ways how we can approach motion. Periodic, aperiodic and continuous motion could serve the
purpose. There is also linear motion as well as rotation. We can also vary the degree of electronic control in this
motion. The main constraints on the HSM's motion pattern are that it needs to be (almost) continuous to not expose any
motion. The main constraint on the HSM's motion pattern is that it needs to be (almost) continuous to not expose any
weak spots. Additionally, it has to stay within a confined space: Linear motion would have to be periodic, like that of
a pendulum. Such periodic linear motion will have to quickly reverse direction at its apex so the device is not
stationary long enough for this to become a weak spot.
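Review bot: the singular "The main constraint on the HSM's motion pattern is that it needs to be (almost) continuous" now clashes with the next sentence, "Additionally, it has to stay within a confined space", which states a second constraint. Either keep the plural, e.g. "The main constraints on the HSM's motion pattern are that it needs to be (almost) continuous to not expose any weak spots and that it stays within a confined space", or turn the second sentence into a consequence of the first.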
@ -257,12 +258,13 @@ device. When the axis is fixed, rotation will expose a weak spot close to the ax
Possible mitigations are faster rotation to lessen the impact, additional tamper protection at the axis, and having the
HSM perform a compound rotation that has no fixed axis.
Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled
disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in what we
call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion
would have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from
following the device's motion since doing so would subject them to impractically large centrifugal forces. Essentially,
this limits the approximate maximum size and mass of an attacker under an assumption on tolerable centrifugal force.
High speed gives rise to large centrifugal acceleration, which poses the engineering challenge of preventing rapid
unscheduled disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device
in what we call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow
the motion would have to rotate around the same axis. By choosing a suitable angular frequency we can prevent an
attacker from following the device's motion since doing so would subject them to impractically large centrifugal forces.
Essentially, this limits the approximate maximum size and mass of an attacker under an assumption on tolerable
centrifugal force.
In this paper, we focus on rotating IHSMs for simplicity of construction. For our initial research, we focus on systems
with a fixed axis of rotation due to their simple construction but we do wish to note the challenge of hardening the
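Review bot: "angular frequency" is introduced in this hunk, but the rest of the diff quantifies rotation in rpm ("speeds between $500$ and $\SI{1000}{rpm}$", "angular velcity of $\SI{1000}{rpm}$"); rpm is a rotational speed, and angular frequency conventionally means ω in rad/s, so pick one term (rotational speed) and use it in all three places. The new opening sentence "High speed gives rise to large centrifugal acceleration, which poses the engineering challenge ..., but it also creates an obstacle ..." is long; splitting it at "but" reads better.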
@ -271,22 +273,21 @@ shaft against tampering that any production device would have to tackle.
\subsection{Tamper detection mesh construction}
IHSMs do not eliminate the need for a security barrier. To prevent an attacker from physically destroying the moving
security barrier, tamper detection such as a mesh is still necessary. In this subsection we will consider ways to
realize this security barrier. There are two movements that we have observed that are key to our work. On the one hand,
there is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems
deployed in the field for a variety of use cases from low-security payment processing devices to high-security
certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of
security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to
fabricate enclosures that embed characteristics of a Physically Unclonable Function. By using stochastic properties of
the enclosure material to form a PUF, such academic designs effectively leverage signal processing techniques to improve
the system's security level by a significant margin.
part, tamper detection such as a mesh is still necessary. In this subsection we will consider ways to realize this
security barrier. In industry, mesh membranes are commonly used for tamper detection. Such membranes are deployed in
systems for a variety of use cases ranging from low-security payment processing to high-security certificate management.
From this we can conclude that a properly implemented mesh \emph{can} provide a practical level of security. In
contrast to this industry focus, academic research has largely focused on ways to fabricate enclosures that embed
characteristics of a Physically Unclonable Function as a means of tamper detection~\cite{tobisch2020,immler2019}. By
using stochastic properties of the enclosure material to form a PUF, such academic designs leverage signal processing
techniques to improve the system's security level by a significant margin.
In our research, we focus on security meshes as our IHSM's tamper sensors. The cost of advanced manufacturing
techniques and special materials used in commercial meshes poses an obstacle. The foundation of an IHSM security is
that by moving the mesh even a primitive, coarse mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack
in practice. This allows us to use a simple construction made up of low-cost components. Additionally, the use of a
mesh allows us to only spin the mesh itself and its monitoring circuit and keep the payload inside the mesh stationary
for reduced design complexity. RF-based tamper sensing systems do not allow for this degree of freedom.
techniques and special materials used in commercial meshes poses an obstacle to small-scale manufacturing. The
foundation of an IHSM security is that by moving the mesh, even a primitive, coarse mesh such as one made from a
low-cost PCB becomes very hard to attack in practice. Additionally, the use of a mesh allows us to only spin the mesh
itself and its monitoring circuit and keep the payload inside the mesh stationary for reduced design complexity.
Other tamper sensing systems such as RF fingerprinting would not allow for this degree of freedom in an IHSM.
\subsection{Braking detection}
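Review bot: "The foundation of an IHSM security is that by moving the mesh" is kept unchanged in the new text and is missing a possessive: "an IHSM's security". The sentence "This allows us to use a simple construction made up of low-cost components" is dropped in the rewrite, which removes the only explicit statement of the cost argument the abstract relies on ("commercial printed circuit boards"); keep one sentence on low-cost construction here, e.g. after "becomes very hard to attack in practice".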
@ -317,8 +318,8 @@ range. A key point here is that for speeds between $500$ and $\SI{1000}{rpm}$, c
very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}\approx\SI{17}{\hertz}$ and at a
$\SI{10}{\centi\meter}$ radius, centrifugal acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$.
Due to this large acceleration, off-axis performance of the accelerometer has to be considered. Suitable high-$g$
accelerometers for the large accelerations found on the circumference of an IHSM's rotor are ones mostly used in
automotive applications.
accelerometers for the large accelerations found on the circumference of an IHSM's rotor are mostly used in automotive
applications.
To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark. Let us assume an IHSM
spinning at $\SI{1000}{rpm}$. To detect any attempt to brake it below $\SI{500}{rpm}$, we have to detect a difference in
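Review bot: the unchanged context line "centrifugal acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$" has the wrong unit: acceleration is in metres per second squared, i.e. "\SI{1000}{\meter\per\second\squared}". The magnitude itself checks out: 1000 rpm is ω ≈ 104.7 rad/s, and ω² · 0.1 m ≈ 1097 m/s² ≈ 112 g, so "above 1000 m/s² or 100 g" is correct once the unit is fixed.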
@ -403,8 +404,9 @@ battery failure, mechanical wear or over/undertemperature conditions some time b
all secrets must be detstroyed. This type of early warning allows for the implementation of a graceful failover
mechanism. Similar to hot spares in hard disk arrays, a number of IHSMs might share a hot spare IHSM that is running,
but that does not yet contain any secrets. Once an IHSM detects early warning signs of an impending failure, it can then
transfer its secrets to the hot spare using one of the technologies listed in the previous paragraph, then delete their
local copies. This may allow for the graceful handling of device failures due to both age and disasters such as fires.
transfer its secrets to the hot spare using replicatoin technologies as mentioned in the previous paragraph, then delete
its local copies. This would allow for the graceful handling of device failures due to both age and disasters such as
fires.
Excluding natural disasters, there are three main categories of challenges to an IHSM's longevity: Failure of components
of the IHSM due to age and wear, failure of the external power supply, and spurious triggering of the intrusion alarm by
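Review bot: the new line "transfer its secrets to the hot spare using replicatoin technologies" has a typo, "replication", and the unchanged context line "all secrets must be detstroyed" has another, "destroyed". Spell checkers often skip .tex input, so fix both in this commit rather than relying on a later pass.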
@ -425,29 +427,30 @@ communication link's optical components, as well as by filtering cooling air at
\label{sec-power-failure}
After engineering an IHSM's components to survive years of continuous operation, the next major failure mode to be
considered is power loss. Traditional HSMs solve the need for an always-on backup power supply by carrying large backup
batteries. The low static power consumption of a traditional HSM's simple tamper detection circuitry allows for the use
of non-replaceable backup batteries. An IHSM in contrast would likely require a rechargeable backup battery since its
motor requires more power than the mesh monitoring circuit of a traditional HSM. In principle, a conventional
Uninterruptible Power Supply (UPS) can be used, but in practice, a productized IHSM might have a smaller backup battery
integrated into its case. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ for an
IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power
an IHSM for 10 hours continuously. $\SI{10}{\watt}$ is a reasonable high estimate given that there are large industrial
fans rated at lower wattages. For example, \partnum{CF2207LBL-000U-HB9}, a $\SI{250}{\milli\meter}$ diameter
$\SI{7.8}{\meter^3\per\minute}$ industrial axial fan made by Sunon is rated at only
$\SI{6.6}{\watt}$\footnote{\url{https://www.digikey.com/en/products/detail/sunon-fans/CF2207LBL-000U-HB9/9083282}}. If
a built-in battery is undesirable, or if power outages of more than a few seconds at a time are unlikely (e.g.\ because
the IHSM is connected to an external UPS or generator), the IHSM's rotor itself can be used as a flywheel for energy
storage.
batteries~\cite{obermaier2019}. The low static power consumption of a traditional HSM's simple tamper detection
circuitry allows for the use of non-replaceable backup batteries. An IHSM in contrast would likely require a
rechargeable backup battery since its motor requires more power than the mesh monitoring circuit of a traditional HSM.
In principle, a conventional Uninterruptible Power Supply (UPS) can be used, but in practice, a productized IHSM might
have a smaller battery integrated. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$
for an IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could
already power an IHSM for 10 hours continuously. $\SI{10}{\watt}$ is a reasonable high estimate given that there are
large industrial fans rated at lower wattages, e.g. Sunon \partnum{CF2207LBL-000U-HB9}, a $\SI{250}{\milli\meter}$
diameter $\SI{7.8}{\meter^3\per\minute}$ axial fan rated at $\SI{6.6}{\watt}$. If a built-in battery is undesirable or
if power outages of more than a few seconds are unlikely (e.g.\ because of an external UPS), the IHSM's rotor itself can
be used as a flywheel for energy storage.
\paragraph{Spurious alarms due to vibration.}
Beyond the electronic measures mentioned above, IHSMs must employ vibration damping since, during normal operation, they
may receive vibration from outside sources such as backup generators, workers bumping the IHSM and nearby traffic.
Besides such everyday sources, (usually harmless) earthquakes are a common occurrence in some regions of the world.
Beyond the issues mentioned above, the effect of normal mechanical vibration on the IHSM's tamper sensors has to be
considered. During normal operation, IHSMs may receive vibration from outside sources such as backup generators, workers
bumping the IHSM and nearby traffic. Besides such everyday sources, (usually harmless) earthquakes are a common
occurrence in some regions of the world. None of these sources of vibration are likely to cause a false alarm, but
since IHSMs are rotating machines they will themselves cause some amount of vibration and thus vibration isolation is a
reasonable design requirement.
For comparison, consider an IHSM running at an angular velcity of $\SI{1000}{rpm}$. A tamper
For reference, consider an IHSM running at an angular velcity of $\SI{1000}{rpm}$. A tamper
sensor mounted at a radius of $\SI{100}{\milli\meter}$ will measure a constant centrifugal
acceleration of approximately $\SI{100}{g}$.
Literature on car crashes shows that accelerations above $\SI{10}{g}$ in the car's structural components
acceleration of approximately $100\,g$.
Literature on car crashes shows that accelerations above $10\,g$ in the car's structural components
correspond to a crash at $\SI{30}{\kilo\meter\per\hour}$ and above~\cite{ika2002,german2007}. Measurements of the Peak
Ground Acceleration (PGA) of severe earthquakes show that even the strongest earthquakes rarely reach a
PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990} with the 2011 Tohoku earthquake at approximately
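Review bot: three points in this hunk. First, removing the footnote with the Digi-Key URL leaves the $\SI{6.6}{\watt}$ rating quoted for Sunon \partnum{CF2207LBL-000U-HB9} without a source; if an inline URL is unwanted, move it into a bibliography entry (datasheet or distributor page with access date) and cite it after the part number. Second, the typo "angular velcity" ("velocity") is carried over unchanged into the new line of the spurious-alarm paragraph. Third, the change from "$\SI{100}{g}$" to "$100\,g$" is right because siunitx reads the unit string g as gram, but the unchanged context line "PGA of $\SI{0.1}{g}$" has the same problem and should become "$0.1\,g$"; likewise "e.g. Sunon" in the new battery paragraph lacks the "e.g.\ " spacing used elsewhere in the document.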
@ -457,11 +460,11 @@ Instantaneous acceleration increases linearly with frequency, but likewise simpl
higher frequencies~\cite{kelly1993,beards1996,dixon2007}, To reduce the likelihood of false detections, it is enough to
damp high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations
large enough to cause a false alarm. For instance, an earthquake's low-frequency vibrations dissipate a tremendous
amount of mechanical power across a large geographic area, but due to the their absolute instantaneous acceleration, we
can ignore them for the purposes of our tamper detection system. An IHSM's tamper detection subsystem will be able to
clearly distinguish attempts to stop the IHSM's rotation from normal environmental noise. Any external acceleration that
would come close in order of magnitude to the operating centrifugal acceleration at the periphery of an IHSM's rotor
would likely destroy the IHSM.
amount of mechanical power across a large geographic area, but due to the their low absolute instantaneous acceleration,
we can ignore them for the purposes of our tamper detection system. An IHSM's tamper detection subsystem will be able
to clearly distinguish attempts to stop the IHSM's rotation from normal environmental noise. Any external acceleration
that would come close in order of magnitude to the operating centrifugal acceleration at the periphery of an IHSM's
rotor would likely destroy the IHSM.
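Review bot: the duplicated article in "due to the their low absolute instantaneous acceleration" survives from the old line into the new one; drop "the". In the unchanged first context line, "higher frequencies~\cite{kelly1993,beards1996,dixon2007}, To reduce the likelihood" has a comma followed by a capitalised new sentence; make it a full stop.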
\subsection{Transportation}
@ -475,7 +478,8 @@ During shipping, the IHSM will require a continuous power supply. Following our
Section~\ref{sec-power-failure}, 48-hour courier shipping could easily be bridged with the equivalent of 5-10 laptop
batteries. In applications that do not require a backup battery built-in to the IHSM (e.g. due to existing UPS backup),
the IHSM could be shipped connected to an external battery akin to a ``power bank'' that is sent back to the IHSM's
manufacturer after the IHSM has been installed.
manufacturer after the IHSM has been installed. Long-distance shipping can be facilitated through compatibility with
standards used for powered refrigerated shipping containers.
\section{Attacks}
\label{sec_attacks}
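Review bot: the new sentence "Long-distance shipping can be facilitated through compatibility with standards used for powered refrigerated shipping containers" names no standard and cites nothing; either cite the reefer-container power specification meant here or phrase it as a design suggestion ("could be facilitated by adopting the power interface of refrigerated shipping containers"). In the unchanged context, "built-in to the IHSM" should be "built into the IHSM", and "e.g. due to" lacks the "e.g.\ " spacing used elsewhere in the document.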
@ -495,7 +499,7 @@ we will start with a brief overview of attacks on conventional HSMs that the IHS
In principle, there are three ways to attack a conventional HSM. The hard way is to go through the security mesh without
triggering the alarm, e.g.\ with a probe that is finer than the mesh's spacing. For larger probes, an attacker can
laboriously uncover, then bridge the mesh traces to allow part of the mesh to be removed. Some HSMs attempt to detect
such attacks by measuring mesh resistance~\cite{obermaier2019}, but this is limited by the necessary precision.
such attacks by measuring mesh resistance~\cite{obermaier2019}, but this is limited by available measurement precision.
% However, if an attacker only wishes to disable a small section of the mesh to insert a handful of fine probes into the
% device, this hardening approach becomes challenging. Consider a mesh that covers an area of $\SI{100}{\milli\meter}$
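Review bot: "limited by available measurement precision" is clearer than "the necessary precision", but the sentence still does not say what the precision has to resolve; one clause such as "since bridging a short segment of a trace changes the mesh resistance by only a small fraction" would make the limitation concrete and tie it to the bridging attack described two lines earlier. The commented-out paragraph that begins "% However, if an attacker only wishes to disable a small section of the mesh" appears to make exactly this argument; either restore it into the text or delete it before submission, since commented-out prose drifts out of sync with the surrounding text.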
@ -512,10 +516,9 @@ conductive foil around the HSM that forms the security mesh, leaving only the co
feed-through as potential weak spots.
The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An
attacker may need to insert several probes or modify the circuit to wiretap the payload processor's secrets, but
depending on the implementation they may be able to disable the mesh alarm circuit with only one or two probes. To
harden a conventional HSM against this type of attack, the mesh monitoring circuit must be carefully designed to avoid
single points of failure.
attacker may need to insert several probes to wiretap the payload processor's secrets, but if poorly implemented, they
may be able to disable the mesh monitor with only one. This type of attack can be mitigated by careful electronic
design.
\subsection{Attacks that work on any HSM}
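Review bot: the new wording "if poorly implemented, they may be able to disable the mesh monitor with only one" has a dangling modifier: "they" is the attacker, but it is the monitor that may be poorly implemented; write "if the monitor is poorly implemented, an attacker may be able to disable it with a single probe". Replacing "must be carefully designed to avoid single points of failure" with "can be mitigated by careful electronic design" also drops the only concrete design requirement in the paragraph; keep the single-point-of-failure wording, since that is the property someone reviewing the alarm circuit can actually check.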
@ -663,7 +666,7 @@ message. The alarm circuitry has to be designed such that it is entirely contain
Like in conventional HSMs, it has to be built to either tolerate or detect environmental attacks using sensors for
temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration, and gases or
liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured.
To prevent replay attacks link latency must continuously be measured, so this link must be bidirectional.
To prevent replay attacks, link latency must continuously be measured, so this link must be bidirectional.
% If it were unidirectional, an attacker could
% act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed
% (say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary
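Review bot: the sentence "To prevent replay attacks, link latency must continuously be measured, so this link must be bidirectional" states the mechanism without the reason, and the reason (a recorded, authenticated "no alarm" stream replayed at slightly below real-time speed) is only present in the commented-out lines below it; restore that explanation into the text. It would also help to name the construction the bidirectional link enables: the stator sends a fresh nonce, the rotor's alarm-state message carries a MAC over that nonce, and the stator enforces a round-trip deadline, so a recorded stream cannot be replayed at any speed and the latency bound limits how long a genuine reply can be withheld.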
@ -673,11 +676,11 @@ To prevent replay attacks link latency must continuously be measured, so this li
\subsection{Fast and violent attacks}
A variation of the above attacks on the alarm circuitry is to simply destroy the part of the HSM that erases data in
response to tampering before it can perform its job using a tool such as a large hammer or a gun. To mitigate this type
of attack, the HSM must be engineered to be either tough or brittle: Tough enough that the tamper response circuitry
will reliably withstand any attack for long enough to carry out its function or brittle in a way that during any attack,
the payload is reliably destroyed before the tamper response circuitry.
A variation of the above attacks on the alarm circuitry is to use a tool such as a large hammer or a gun to simply
destroy the part of the HSM that erases data in response to tampering before it can perform its job. To mitigate this
type of attack, the HSM must be engineered to be either tough or brittle: Tough enough that the tamper response
circuitry will reliably withstand any attack for long enough to carry out its function or brittle in a way that during
any attack, the payload is reliably destroyed before the tamper response circuitry.
\section{Proof-of-concept Prototype implementation}
\label{sec_proto}
@ -847,7 +850,7 @@ construction leads to vibration at high speeds. Its optical communication links
need to be translated into manufacturable PCBs, and its security mesh has to be optimized for security. Finally, a motor
driver solution needs to be selected that allows for direct digital control of motor speed. Overall, the prototype
soundly demonstrated the viability of the IHSM concept and we are confident that all of these limitations can be
conclusively solved in a next version that might be a ``beta'' version of a practical IHSM, built in a mechanical
conclusively solved in a new iteration that might be a ``beta'' version of a practical IHSM, built in a mechanical
workshop.
\section{Using MEMS accelerometers for braking detection}
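Review bot: "Overall, the prototype soundly demonstrated the viability of the IHSM concept" sits directly after a list of open issues (vibration at high speeds, optical links and mesh not yet manufacturable, no digital motor speed control); "demonstrated the viability" without "soundly" is better supported by that list. "new iteration" is a sensible replacement for "next version", which read like a software release.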
@ -868,11 +871,10 @@ its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$.
Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually
control this motor controller through an RC servo tester. In our experiments, we externally measured the device's speed
of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using a
USB logic analyzer at a sample rate of $\SI{100}{\mega\hertz}$. We calculate rotation frequency as a
$\SI{1}{\second}$ running average over interval lengths of the debounced captured signal\footnote{A regular frequency
counter or commercial tachometer would have been easier, but neither was available in our limited COVID-19 home office
lab.}.
of rotation using a magnet fixed to the rotor and a reed switch. The reed switch output is digitized using a USB logic
analyzer at a sample rate of $\SI{100}{\mega\hertz}$. We calculate rotation frequency as a $\SI{1}{\second}$ running
average over interval lengths of the debounced captured signal\footnote{A regular frequency counter or commercial
tachometer would have been easier, but neither was available in our limited COVID-19 home office lab.}.
The accelerometer is controlled from the \partnum{STM32} microcontroller on the rotor of our IHSM prototype platform.
Timed by an external quartz, the microcontroller samples accelerometer readings at $\SI{10}{\hertz}$. Readings are
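Review bot: the trailing context says the microcontroller samples the accelerometer at $\SI{10}{\hertz}$, while the rotor turns at up to $\SI{1000}{rpm}\approx\SI{17}{\hertz}$; the gravity component that the later analysis attributes the raw data's harmonic content to shows up on a rotor-mounted sensor as a component at the rotation frequency and therefore aliases into the 0 to 5 Hz band, where the software low-pass filter applied afterwards cannot remove it. State the accelerometer's configured output data rate and internal filter bandwidth, or sample above twice the maximum rotation frequency. Minor: the first line of the hunk and the sentence after it open with "In our experimental setup" and "In our experiments" back to back; drop one.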
@ -923,7 +925,7 @@ slope. We then apply this correction to all captured data before plotting and la
this approach already leads to a good match of measurements and theory modulo a small part of the device's offset
remaining. At high speeds of rotation, this remaining offset does not have an appreciable impact, but due to the
quadratic nature of centrifugal acceleration, at low speeds it causes a large relative error of up to
$\SI{10}{\percent}$ at $\SI{95}{rpm}$.
$\SI{8}{\percent}$ at $\SI{95}{rpm}$.
After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data.
Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity
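Review bot: the 8 % figure now agrees with the figure caption ("0.05 g absolute or 8 % relative at 95 rpm"), but this paragraph never states the radius at which the sensor sits, so the reader cannot check the residual-offset claim; 0.05 g at 8 % relative implies an expected centrifugal acceleration of about 0.62 g at 95 rpm, i.e. a mounting radius of roughly 6 cm (ω ≈ 9.95 rad/s, r = 6.1 m/s² / ω²). State the radius here, and say whether the quoted relative error refers to the raw or the low-pass filtered data.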
@ -943,7 +945,7 @@ the fly, without stopping the rotor.
\includegraphics[width=0.7\textwidth]{../prototype/sensor-analysis/fig-acc-theory-meas-run50.pdf}
\caption{Centrifugal acceleration versus angular frequency in theory and in our experiments. Experimental
measurements are shown after correction for offset and scale error. Above \SI{300}{rpm}, the relative error is
below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error has a strong impact ($0.05\,g$ absolute
below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error has a large impact ($0.05\,g$ absolute
or $8\%$ relative at $\SI{95}{rpm}$.)}
\label{fig-acc-theory}
\end{figure}
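Review bot: in the caption, the closing "($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$.)" puts the full stop inside the parenthesis although the parenthetical belongs to the preceding sentence; write "... at $\SI{95}{rpm}$)." Also "Above \SI{300}{rpm}" is set in text mode while the following "$\SI{300}{rpm}$" is in math mode; both typeset, but use one form within the caption.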