jaseg/ihsm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Second proofreading

Browse source
This commit is contained in:
jaseg 2021-07-12 17:50:22 +02:00
parent 69fd5c21a2
commit 2bed326dca
2 changed files with 90 additions and 67 deletions
Download patch file Download diff file Expand all files Collapse all files

16
paper/ihsm.bib
View file

@ -136,6 +136,7 @@
date = {2018-05-31},
title = {Pack Safe: Batteries, lithium},
url = {https://www.faa.gov/hazmat/packsafe/more_info/?hazmat=7},
urldate = {2021-07-12},
publisher = {US Federal Aviation Administration},
}
@ -153,6 +154,7 @@
date = {2019-12-19},
title = {Technology Preview for secure value recovery},
url = {https://signal.org/blog/secure-value-recovery/},
urldate = {2021-07-12},
organization = {signal.org},
publisher = {signal.org},
}
@ -173,6 +175,7 @@
@WWW{thales2015hsmha,
author = {Gemalto NV},
date = {2015-12-18},
urldate = {2021-07-12},
title = {SafeNet PCI-E HSM 6.2 Product Documentation: High Availability (HA) Overview},
url = {https://thalesdocs.com/gphsm/luna/6.2/docs/pci/Content/administration/ha/ha_overview.htm},
publisher = {Gemalto NV},
@ -388,7 +391,7 @@
author = {Johannes Obermaier},
title = {Physical Unclonable Functions: The Future Technology for Physical Security Enclosures?},
doi = {https://doi.org/10.5446/43265},
publisher = {Chaos Computer Club e.V.},
organization = {Chaos Computer Club e.V.},
date = {2019-08-24},
}
@ -409,4 +412,15 @@
date = {2021},
}
@InProceedings{german2007,
title = {Event Data Recorders in the Analysis of Frontal Impacts},
author = {A. German and J-L. Comeau and K.J. McClafferty, M.J. Shkrum, and P.F. Tiessen},
date = {2007},
booktitle = {Annual Proceedings of the Association for the Advancement of Automotive Medicine},
issue = {51},
pages = {225-243},
url = {https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3217513/},
urldate = {2021-07-12},
}
@Comment{jabref-meta: databaseType:biblatex;}

141
paper/ihsm_paper.tex
View file

@ -222,7 +222,8 @@ The core questions in the design of an inertial HSM are the following:
\item The \textbf{mechanical layout} of the system.
\end{enumerate}
We will approach these questions one by one in the following subsections.
We will approach these questions one by one in the following subsections and conclude this section with an exploration
of the practical implications that these aspects of IHSM construction have on IHSM operation.
\subsection{Inertial HSM motion}
\label{sec_ihsm_motion}
@ -364,10 +365,10 @@ heatsink with its fan running has a thermal resistance from CPU junction to air
$\SI{0.1}{\kelvin\per\watt}$~\cite{anandtech2015}.
If one were to make an HSM's security mesh out of an average thermally conductive epoxy with thermal conductivity
$k\approx\SI{1}{\watt\per\meter\kelvin}$~\cite{kordyban1998,shabany2009,mgchemicals2017}, the resulting thermal
resistance for a 5-by-5 centimeter, $\SI{5}{\milli\meter}$ thermal interface alone would $\SI{2}{\kelvin\per\watt}$, a
more than 10-fold increase. For an acceptable temperature delta from junction to air of $\SI{60}{\kelvin}$ this yields a
maximum power dissipation of only $\SI{30}{\watt}$ compared to a theoretical $\SI{600}{\watt}$ for a conventional CPU
cooler. Given that for modern high core-count CPUs, both multithreaded performance and power dissipation are mostly
resistance for a 5-by-5 centimeter, $\SI{5}{\milli\meter}$ thermal interface alone would be $\SI{2}{\kelvin\per\watt}$,
a more than 10-fold increase. For an acceptable temperature delta from junction to air of $\SI{60}{\kelvin}$ this yields
a maximum power dissipation of only $\SI{30}{\watt}$ compared to a theoretical $\SI{600}{\watt}$ for a conventional CPU
cooler. Given that for modern high core-count CPUs both multithreaded performance and power dissipation are mostly
linear in core count, this severely limits the achievable performance.
This estimated performance discrepancy matches up with our observation. Thales, a manufacturer of conventional HSMs
@ -379,17 +380,20 @@ to two orders of magnitude in computing power to be feasible in an IHSM compared
\subsection{Long-term Operation}
Like with other HSMs, in a practical application an IHSM may have to run continuously for a decade or even longer. As
with any networked system, a setup including IHSMs must be designed in a way that the failure of a small number of IHSMs
does not compromise the system's security or reliability. Neither IHSMs nor traditional HSMs can withstand fire or
flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and erasure of data
cannot~\cite{heise2021ovh}. Traditionally, this problem is solved by storing all secrets in multiple, geographically
redundant HSMs~\cite{thales2015hsmha}. On IHSMs this task is aided on the software layer since they are based on
general-purpose computer hardware and for state-of-the-art database replication techniques to be applied without first
porting them to an embedded operating system or foreign CPU architecture. A practical example of this approach is a 2019
technology demonstration~\cite{signal2019} created by the signal.org, the organization running the signal secure
messenger app. In this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019} inside
Intel SGX to replicate state between redundant instances.
Without settling on a particular design for an IHSM yet, from the previous sections we have already gained an
understanding of what an IHSM would look like in practice. In the following paragraphs we will draw some conclusions on
how its design will affect the day-to-day operation of an IHSM.
Like other HSMs, in a practical application an IHSM may have to run continuously for a decade or even longer. As with
any networked system, a setup including IHSMs must be designed in a way that prevents the failure of one or several
IHSMs on the network from compromising the whole system's security or reliability. Neither IHSMs nor traditional HSMs
can withstand fire or flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and
erasure of data cannot~\cite{heise2021ovh}. Traditionally, this problem is solved by storing all secrets in multiple,
geographically redundant HSMs~\cite{thales2015hsmha}. On IHSMs this task is aided on the software layer since they are
based on general-purpose computer hardware and allow for state-of-the-art database replication techniques to be applied
without first porting them to an embedded operating system or foreign CPU architecture. A practical example of this
approach is a 2019 technology demonstration~\cite{signal2019} created by the signal.org, the organization running the
signal secure messenger app. In this demonstration, signal.org have implemented the Raft consensus
algorithm~\cite{ongaro2019} inside Intel SGX to replicate state between redundant instances.
Excluding natural disasters there are three main categories of challenges to an IHSM's longevity: Failure of components
of the IHSM due to age and wear, failure of the external power supply and spurious triggering of the intrusion alarm by
@ -400,11 +404,11 @@ practical impact.
The failure mode of an IHSM's components is the same as in any other computer system and the same generic mitigation
techniques apply. The expected lifetime of electronic components can be increased by using higher-spec components and by
reducing thermal, mechanical and electrical stress. To reduce vibration stress on both rotor and stator, the rotor must
be balanced. The main mechanical failure mode of an IHSM's is failure of the shaft bearings. By incorporating knowledge
from other rotating devices that have a long lifetime such as cooling fans, this failure mode can be mitigated. A final
noteworthy mechanical failure mode of an IHSM is dust buildup on the optical components of the communication link. This
failure mode can be mitigated by routing cooling airflow such that it does not go past the communication link's optical
components, as well as by filtering cooling air at the device's intakes.
be balanced. The main mechanical failure mode of an IHSM's is likely to be failure of the shaft bearings. By
incorporating knowledge from other rotating devices that have a long lifetime such as cooling fans, this failure mode
can be mitigated. Another noteworthy mechanical failure mode of an IHSM is dust buildup on the optical components of the
communication link. This failure mode can be mitigated by routing cooling airflow such that it does not go past the
communication link's optical components, as well as by filtering cooling air at the device's intakes.
\paragraph{Power failure.}
\label{sec-power-failure}
@ -418,7 +422,7 @@ integrated into its case. Conservatively assuming an average operating power con
IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power
an IHSM for 10 hours continuously. If a built-in battery is undesirable, or if power outages of more than a few seconds
at a time are unlikely (e.g.\ because the IHSM is connected to an external UPS or generator), the IHSM's rotor itself
can be used as a flywheel for energy storage up to several seconds.
can be used as a flywheel for energy storage.
\paragraph{Spurious alarms.}
Even with all components working to their specification, an IHSM could still catastrophically fail if for some reason
@ -436,32 +440,35 @@ amplitude. This means that to reach a certain instantaneous acceleration, much m
vibrating motion compared to lower frequencies. This observation interacts the second key point we want to note here:
An ideal vibration damper works better with higher frequencies, and has a lower bound below which it does no longer
damp vibration transmission~\cite{kelly1993,beards1996,dixon2007}. From these two observations it follows that if we
wish to reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal effectively by
wish to reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal efficiently by
damping high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations
large enough to cause a false alarm.
To put this into perspective, consider that at an angular frequency of $\SI{1000}{rpm}$, we can expect an IHSM's tamper
sensor to measure an acceleration of about $\SI{100}{g}$. Even the strongest earthquakes rarely reach a Peak Ground
Acceleration (PGA) of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest PGA measured during the 2011 Tohoku earthquake
was approximately $\SI{0.3}{g}$. Since earthquake vibrations are low-frequency and happen across a large geographic
area, they dissipate a tremendous amound of mechanical power despite this at first glance seemingly low absolute
acceleration. For the purposes of our tamper detection system, we can ignore them. As another point of reference,
consider a car crash. An acceleration above $\SI{10}{g}$ corresponds to a crash at roughly
$\SI{30}{\kilo\meter\per\hour}$~\cite{ika2002}. Thus, an IHSM's tamper detection subsystem will be able to clearly
distinguish attempts to stop the IHSM's rotation, producing approximately $\SI{100}{g}$ at $\SI{1000}{rpm}$. External
acceleration that would come close in order of magnitude to the operating centrifugal acceleration at the periphery of
an IHSM's rotor would likely destroy the IHSM.
To put this into perspective, consider an IHSM running at an angular frequency of $\SI{1000}{rpm}$. If the IHSM's tamper
sensor is mounted at a radius of $\SI{100}{\milli\meter}$ from the axis of rotation, it will measure a constant
acceleration of approximately $\SI{100}{g}$. Let us first compare this in magnitude to the effects of a car crash.
According to literature, accelerations above $\SI{10}{g}$ correspond to the acceleration a car's structural components
experience in a car crash at $\SI{30}{\kilo\meter\per\hour}$ and above~\cite{ika2002,german2007}. As another point of
reference, take the Peak Ground Acceleration (PGA) of a severe earthquake. Even the strongest earthquakes rarely reach a
PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest PGA measured during the 2011 Tohoku earthquake was approximately
$\SI{0.3}{g}$. As they happen across a large geographic area, an earthquake's low-frequency vibrations dissipate a
tremendous amount of mechanical power despite their at first glance low absolute acceleration. However, we can ignore
them for the purposes of our tamper detection system.
From these comparisons we can conclude that an IHSM's tamper detection subsystem will be able to clearly distinguish
attempts to stop the IHSM's rotation. Any external acceleration that would come close in order of magnitude to the
operating centrifugal acceleration at the periphery of an IHSM's rotor would likely destroy the IHSM.
\subsection{Transportation}
While unintentional acceleration is unlikely to cause false alarms in an IHSM when simple vibration damping is employed,
there is an issue with intentionally moving an IHSM: The IHSM's rotor stores significant rotational energy and will
there is an issue when intentionally moving an IHSM: The IHSM's rotor stores significant rotational energy and will
respond to tipping with a precession force. This could become an issue when a larger IHSM is transported between e.g.\
the manufacturer's premises and its destination data center. One solution to this problem is to transport the IHSM
elastically mounted inside a shipping box that is weighted to resist precession forces. To reduce the amount of
precession, the IHSM should be transported with its axis of rotation pointing upwards and its speed of rotation set to
the lower end of the range permitted by the application's security requirements. The IHSM's software could allow for a
temporary ``shipping mode'' to be entered that could slow down the IHSM and increase the tamper sensing accelerometer's
temporary ``shipping mode'' to be entered that would slow down the IHSM and increase the tamper sensing accelerometer's
thresholds.
During shipping, the IHSM will require a continuous power supply. The most practical solution to this challenge is to
@ -474,12 +481,13 @@ manufacturer after the IHSM has been installed.
\section{Attacks}
\label{sec_attacks}
After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to
attack it. At the core of an IHSM's defenses is the same security mesh or other technology as it is used in traditional
HSMs. This means that ultimately an attacker will have to perform the same steps they would have to perform to attack a
traditional HSM. However, they will either need to perform these attack steps with a tool that follows the HSM's
rotation at high speed or they will first need to defeat the braking sensor. Attacking the IHSM in motion requires
specialized mechanical tools such as CNC actuators or for contactless attack a laser.
After outlining the basic mechanical design of an inertial HSM as well as the fundamentals of its long-term operation
above, in this section we will detail possible ways to attack it. At the core of an IHSM's defenses is the same security
mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to perform
the same steps they would have to perform to attack a traditional HSM. However, they will either need to perform these
attack steps with a tool that follows the HSM's rotation at high speed or they will first need to defeat the braking
sensor. Attacking the IHSM in motion requires specialized mechanical tools such as CNC actuators or for contactless
attack a laser.
\subsection{Attacks that don't work}
@ -501,16 +509,16 @@ Detecting this change would require a resistance measurement of at least $\SI{9}
temperature stability of the mesh material.
The second way to attack a HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between
two mesh-equipped enclosure halves. This design in particular is vulnerable to attempts to stick a fine needle through
the interface between mesh lid and PCB. Conventional HSMs mitigate this weak spot by wrapping a patterned conductive
foil around the HSM that forms the security mesh, leaving only the corners and the payload's power and data
two halves of an enclosure~\cite{obermaier2019}. This design is vulnerable to attempts to stick a fine needle through
the interface between lid and PCB~\cite{dexter2015}. Conventional HSMs mitigate this weak spot by wrapping a patterned
conductive foil around the HSM that forms the security mesh, leaving only the corners and the payload's power and data
feed-through as potential weak spots.
The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An
attacker may need to insert several probes to wiretap the payload processor's secrets, but depending on its
implementation they may be able to disable the mesh alarm circuit with only one. To harden a conventional HSM against
this type of attack, the mesh monitoring circuit must be carefully designed to avoid single points of failure as well as
any fail-open failure modes.
attacker may need to insert several probes or modify the circuit to wiretap the payload processor's secrets, but
depending on its implementation they may be able to disable the mesh alarm circuit with only one or two probes. To
harden a conventional HSM against this type of attack, the mesh monitoring circuit must be carefully designed to avoid
single points of failure as well as any fail-open failure modes.
\subsection{Attacks that work on any HSM}
@ -527,12 +535,12 @@ surface to the outside world, and by carefully vetting this remaining attack sur
IHSMs do not provide an inherent benefit against such contactless attacks. However, there are two mitigating factors in
play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using
more primitive technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and
are less space-constrained. This larger volume allows for a greater physical distance between security-critical
components from places accessible to an attacker using an electromagnetic side channel probe. By allowing the use of
simpler technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and are less
space-constrained. This larger volume allows for a greater physical distance between security-critical components and
places accessible to an attacker using an electromagnetic probe for EM side channel attacks. By allowing the use of
conventional server hardware, IHSMs additionally enable the use of modern security techniques such as MMUs and
well-audited open source software such as OpenSSL that may be unavailable on the embedded processors found in
conventional HSMs.
well-audited open source software such as OpenSSL both of which may not be available on the smaller embedded processors
found in conventional HSMs.
\subsection{The Swivel Chair Attack}
\label{sec_swivel_chair_attack}
@ -588,17 +596,18 @@ attack a security mesh is infeasible given the degree of manual skill necessary
\subsection{Mechanical weak spots}
The tamper defense of an IHSM rests on the security mesh moving too fast to tamper. Depending on the type of motion
used, the mesh's speed may vary by location and over time. Our example configuration of a rotating mesh can keep moving
continuously, so it does not have any time-dependent weak spots. It does, however, have a weak spot along its axis of
rotation, at the point where the shaft penetrates the mesh. The mesh's tangential velocity decreases close to the shaft,
and the shaft itself may allow an attacker to insert tools such as probes into the device through the opening it
creates. This issue is related to the issue conventional HSMs also face with their power and data connections. In
conventional HSMs, power and data are routed into the enclosure through the PCB or flat flex cables sandwiched in
between security mesh foil layers~\cite{smith1998}. In conventional HSMs this interface rarely is a mechanical weak
spot since they use a thin mesh substrate and create a meandering path by folding the interconnect substrate/security
mesh layers several times. In inertial HSMs, careful engineering is necessary to achieve the same effect.
Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity.
As we elaborated in the previous paragraphs, we consider a fast-moving mesh to offer a strong tamper detection
capability. This evaluation is based on the notion that the security mesh is moving too fast to tamper. However,
depending on the type of motion used, the mesh's actual speed may vary by location and over time. Our example
configuration of a rotating mesh can keep moving continuously, so it does not have any time-dependent weak spots. It
does, however, have a weak spot along its axis of rotation, at the point where the shaft penetrates the mesh. The mesh's
tangential velocity decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as
probes into the device through the opening it creates. This issue is related to the issue conventional HSMs also face
with their power and data connections. In conventional HSMs, power and data are routed into the enclosure through the
PCB or flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. In conventional HSMs this
interface rarely is a mechanical weak spot since they use a thin mesh substrate and create a meandering path by folding
the interconnect substrate/security mesh layers several times. In inertial HSMs, careful engineering is necessary to
achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity.
\begin{figure}
\begin{subfigure}[t]{0.3\textwidth}
@ -934,7 +943,7 @@ secure hardware. We have published all design artifacts of our PoC online, pleas
details. The next steps towards a practical application of our design will be to design a manufacturable stator/rotor
interface with inductive power and data transfer integrated into the motor's magnetics and a custom motor driver tuned
for the application that is able to precisely measure both angular velocity and winding current for an added degree of
tamper detection.
tamper detection through the measurement of external forces acting on the rotor.
\printbibliography[heading=bibintoc]