WIP
This commit is contained in:
parent
f05b3ffe87
commit
6d978908e3
2 changed files with 255 additions and 214 deletions
|
|
@ -412,6 +412,16 @@
|
|||
date = {2021},
|
||||
}
|
||||
|
||||
@misc{boak1973,
|
||||
author = {David G. Boak},
|
||||
title = {A History of U.S. Communications Security, Volumes I and II},
|
||||
howpublished = {Lecture Notes},
|
||||
url = {https://www.governmentattic.org/18docs/Hist_US_COMSEC_Boak_NSA_1973u.pdf},
|
||||
urldate = {2021-09-24},
|
||||
publisher = {US National Security Agency (NSA)},
|
||||
date = {1973},
|
||||
}
|
||||
|
||||
@InProceedings{german2007,
|
||||
title = {Event Data Recorders in the Analysis of Frontal Impacts},
|
||||
author = {A. German and J-L. Comeau and K.J. McClafferty, M.J. Shkrum, and P.F. Tiessen},
|
||||
|
|
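Review bot: the `author` field of the adjacent german2007 entry, `author = {A. German and J-L. Comeau and K.J. McClafferty, M.J. Shkrum, and P.F. Tiessen}`, mixes comma and `and` separators; BibTeX and biblatex split author lists only on ` and `, so `K.J. McClafferty, M.J. Shkrum` will be parsed as a single author and the trailing `, and P.F. Tiessen` as a malformed name. Since this hunk already touches the surrounding entries, replace every comma between names with `and`. The new boak1973 entry itself is fine and matches the file's biblatex `date` convention.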
@ -432,6 +442,15 @@
|
|||
date = {2018-07-11},
|
||||
}
|
||||
|
||||
@InProceedings{ledger2019,
|
||||
title = {Everybody be cool, this is a robbery!},
|
||||
author = {Jean-Baptiste Bédrune and Gabriel Campana},
|
||||
year = {2019},
|
||||
booktitle = {Symposium sur la sécurité des technologies de l'information et des communications 2019},
|
||||
url = {https://www.sstic.org/media/SSTIC2019/SSTIC-actes/hsm/SSTIC2019-Article-hsm-campana_bedrune_neNSDyL.pdf},
|
||||
urldate = {2021-09-24},
|
||||
}
|
||||
|
||||
@InProceedings{tschofenig2015,
|
||||
booktitle = {NIST Lightweight Cryptography Workshop 2015},
|
||||
author = {Hannes Tschofenig and Manuel Pegourie-Gonnard and Hugo Vincent},
|
||||
|
|
|
|||
|
|
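Review bot: ledger2019 uses `year = {2019}` while the neighbouring entries (boak1973 and the entry ending in `date = {2018-07-11}`) use the biblatex `date` field; change it to `date = {2019}` so the bibliography renders consistently. `booktitle` spells out the full conference name, which is fine, but the `urldate` is the only access-date style used in this file, so keep it in the `YYYY-MM-DD` form as written.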
@ -54,10 +54,10 @@
|
|||
manipulations by rotating the security mesh or sensor at high speed---thereby presenting a moving target to an
|
||||
attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes.
|
||||
Our approach leads to an HSM that can easily be built from off-the-shelf parts by any university electronics lab,
|
||||
yet offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware
|
||||
prototype that demonstrates solutions to the concept's main engineering challenges. As part of this proof of
|
||||
concept, we have found that a system using a coarse security mesh made from commercial printed circuit boards and an
|
||||
automotive high g-force accelerometer already provides a useful level of security.
|
||||
yet offers a level of security that is comparable to commercial HSMs. We have built a proof-of-concept hardware
|
||||
prototype that demonstrates solutions to the concept's main engineering challenges. As part of this
|
||||
proof-of-concept, we have found that a system using a coarse security mesh made from commercial printed circuit
|
||||
boards and an automotive high g-force accelerometer already provides a useful level of security.
|
||||
\end{abstract}
|
||||
|
||||
\section{Introduction}
|
||||
|
|
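Review bot: the hyphenation is applied inconsistently with respect to usage. In `proof-of-concept hardware prototype` the compound is attributive and the hyphens are correct, but in `As part of this proof-of-concept, we have found` it is used as a noun, where the conventional form is `proof of concept` without hyphens. Hyphenate only the attributive occurrences and leave the noun unhyphenated, here and in the other hunks that make the same substitution.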
@ -112,7 +112,7 @@ This paper contains the following contributions:
|
|||
\center
|
||||
\includegraphics[width=12cm]{prototype_pic2.jpg}
|
||||
\caption{The prototype as we used it to test power transfer and bidirectional communication between stator and
|
||||
rotor. This picture shows the proof of concept prototype's configuration that we used for accelerometer
|
||||
rotor. This picture shows the proof-of-concept prototype's configuration that we used for accelerometer
|
||||
characterization (Section~\ref{sec_accel_meas}) without the vertical security mesh struts that connect the circular
|
||||
top and bottom outer meshes.}
|
||||
\label{prototype_picture}
|
||||
|
|
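Review bot: the unchanged context line `\center` inside the figure environment should be `\centering`; `\center` invokes the environment's begin-command without a matching end and adds spurious vertical space around the figure. Since this hunk already edits the caption, fix it here. The caption change itself (`proof-of-concept prototype's configuration`) is an attributive use, so the hyphens are appropriate.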
@ -120,9 +120,9 @@ This paper contains the following contributions:
|
|||
|
||||
In Section~\ref{sec_related_work}, we will give an overview of the state of the art in HSM physical security. On this
|
||||
basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our Inertial HSM approach. We will
|
||||
analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof of concept hardware
|
||||
analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof-of-concept hardware
|
||||
prototype.In Section~\ref{sec_proto} we will elaborate the design of this prototype. In Section~\ref{sec_accel_meas} we
|
||||
present our characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof of concept
|
||||
present our characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof-of-concept
|
||||
prototype. We conclude this paper with a general evaluation of our design in Section~\ref{sec_conclusion}.
|
||||
|
||||
\section{Related work}
|
||||
|
|
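Review bot: the context line `prototype.In Section~\ref{sec_proto} we will elaborate the design of this prototype.` is missing the space after the full stop (`prototype. In Section`). The hunk rewrites the sentences on either side of it, so the fix belongs in this change rather than a follow-up.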
@ -133,34 +133,40 @@ prototype. We conclude this paper with a general evaluation of our design in Sec
|
|||
In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper
|
||||
detection.
|
||||
|
||||
HSMs are an old technology that traces back decades in its electronic realization. Today's common approach of monitoring
|
||||
meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security
|
||||
problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019,
|
||||
anderson2020}. There has been some research on monitoring the HSM's interior using e.g.\ electromagnetic
|
||||
radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research has found
|
||||
widespread adoption yet.
|
||||
HSMs are an old technology that traces back decades in its electronic realization, initially being conceived by the US
|
||||
NSA during the second world war~\cite{boak1973}. Today's common approach of monitoring meandering electrical traces on a
|
||||
fragile foil that is wrapped around the HSM essentially transforms the security problem into the challenge to
|
||||
manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, anderson2020}. There has been
|
||||
some research on monitoring the HSM's interior using e.g.\ electromagnetic radiation~\cite{tobisch2020, kreft2012} or
|
||||
ultrasound~\cite{vrijaldenhoven2004} but none of this research has found widespread adoption yet.
|
||||
|
||||
HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper-evident devices. The difference is that an
|
||||
HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine
|
||||
it. This examination can be done by eye in the field, but it can also be carried out in a laboratory using complex
|
||||
equipment. An HSM in principle has to have this examination equipment built-in.
|
||||
|
||||
Physical seals are used in a wide variety of applications, but the most interesting ones from a research point of view
|
||||
that are recorded in public literature are those used for monitoring of nuclear material under the International Atomic
|
||||
Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically
|
||||
Unclonable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in a
|
||||
way that intentionally causes large, random device-to-device variations. These variations are precisely recorded at
|
||||
deployment. At the end of the seal's lifetime, the seal is returned from the field to the lab and closely examined to
|
||||
check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes random
|
||||
scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the
|
||||
uncontrollably random distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well as the
|
||||
precise three-dimensional surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}.
|
||||
Physical seals are used in a wide variety of applications. Of interest for this paper are those used for monitoring of
|
||||
nuclear material under the International Atomic Energy Authority (IAEA). Most of these seals use the same approach that
|
||||
is used in Physically Unclonable Functions (PUFs), though their development predates that of PUFs by several decades.
|
||||
The seal is created in a way that intentionally causes large, random device-to-device variations. These variations are
|
||||
precisely recorded at deployment. At the end of the seal's lifetime, the seal is returned to a lab and closely examined
|
||||
to check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes
|
||||
random scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA
|
||||
seal), the uncontrollably random distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well
|
||||
as the precise three-dimensional surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}.
|
||||
|
||||
The IAEA's equipment portfolio does include electronic seals such as the EOSS. These devices are intended for remote
|
||||
reading, similar to an HSM. They are constructed from two components: A cable that is surveilled for tampering, and a
|
||||
monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil such as it is used in
|
||||
monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil like it is used in
|
||||
commercial HSMs.
|
||||
|
||||
The self-destruct built into an HSM serves as a strong tamper deterrent. For illustration, compare an HSM to a computer
|
||||
inside a locked safe when opposing a well-funded attacker with plenty of time. In~\cite{boak1973}, Boak asserts that
|
||||
absent an HSM's capability to self-destruct, the best safes can only withstand brute force attacks by an expert for
|
||||
several minutes at best. While the state of electronics has advanced rapidly since Boak's 1973 lecture, the hardness of
|
||||
steel has not increased correspondingly. Thus, we can conclude that even today, against a "smart, well-equipped opponent
|
||||
with plenty of time" as noted by Boak, this self-destruction functionality is essential.
|
||||
|
||||
In~\cite{anderson2020}, Anderson gives a comprehensive overview of physical security. An example HSM that he cites is
|
||||
the IBM 4758, the details of which are laid out in-depth in~\cite{smith1998}. This HSM is an example of an
|
||||
industry-standard construction. Although its turn of the century design is now a bit dated, the construction techniques
|
||||
|
|
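Review bot: the new clause `initially being conceived by the US NSA during the second world war~\cite{boak1973}` is anachronistic as written: the NSA was established in 1952, after the war, so the wartime work Boak describes was done by predecessor organizations. Reword to attribute it to the NSA's predecessors (or to whatever body Boak names) and capitalize `Second World War`. Two smaller points in the same hunk: `a security mesh foil like it is used in commercial HSMs` uses `like` as a conjunction; `as is used in commercial HSMs` reads better in a paper. And the quotation `"smart, well-equipped opponent with plenty of time"` uses straight ASCII quotes, which LaTeX renders as two closing quotes; use ``...'' as elsewhere.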
@ -172,22 +178,19 @@ fundamentally similar approach to tamper detection~\cite{obermaier2018,drimer200
|
|||
|
||||
Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an
|
||||
HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to
|
||||
traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example).
|
||||
Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in
|
||||
area covered and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A
|
||||
core component of their design is that they propose its use as a PUF to allow for protection even when powered off,
|
||||
similar to a smart card---but the design is not limited to this use.
|
||||
traditional meshes, they use a large number of individual traces. Their concept promises a very high degree of
|
||||
protection, but is limited in area covered and component height, as well as the high cost of the advanced analog
|
||||
circuitry required for monitoring. A core component of their design is that they propose its use as a PUF to allow for
|
||||
protection even when powered off, similar to a smart card---but the design is not limited to this use.
|
||||
|
||||
In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based
|
||||
around commodity WiFi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference
|
||||
signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections
|
||||
and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that
|
||||
the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the
|
||||
volume of the cavity will cause a significant change in its RF response. A core component of the work of Tobisch et
|
||||
al.~\cite{tobisch2020}\ is that they use commodity WiFi hardware to reduce the cost of the HSM's sensing circuitry. The
|
||||
resulting system is likely both much cheaper and capable of protecting a much larger security envelope than designs
|
||||
using finely patterned foil security meshes such as~\cite{immler2019}, at the cost of worse and less predictable
|
||||
security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven
|
||||
In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based on
|
||||
a WiFi transceiver inside a conductive enclosure. In their design, a reference signal is sent into the RF cavity formed
|
||||
by the conductive enclosure. The receiver(s) use the signal's reflections to characterize the phase and frequency
|
||||
response of the RF cavity. They assume that the RF behavior of the cavity is inscrutable from the outside, and that any
|
||||
small disturbances within the volume of the cavity will cause a significant change in its RF response. Based on
|
||||
commodity WiFi hardware, the resulting system is likely both much cheaper and capable of protecting a much larger
|
||||
security envelope than designs using finely patterned foil security meshes such as~\cite{immler2019}, at the cost of
|
||||
worse and less predictable security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven
|
||||
in~\cite{vrijaldenhoven2004} uses ultrasound waves traveling on a surface acoustic wave (SAW) device to a similar end.
|
||||
|
||||
While Tobisch et al.~\cite{tobisch2020}\ approach the sensing frontend cost as their primary optimization target, the
|
||||
|
|
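Review bot: the condensed Immler sentence does not parse: `but is limited in area covered and component height, as well as the high cost of the advanced analog circuitry required for monitoring` attaches `the high cost` to `limited in`. Suggest `but is limited in area covered and component height, and requires expensive analog circuitry for monitoring`. In the rewritten Tobisch paragraph, `Where~\cite{tobisch2020} use electromagnetic radiation` uses a citation key as the grammatical subject; `Where Tobisch et al.~\cite{tobisch2020} use` matches the style of the preceding sentences.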
@ -197,14 +200,11 @@ properties of a potting compound that has been loaded with RF-reflective grains.
|
|||
characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains
|
||||
within the potting compound.
|
||||
|
||||
To the best of our knowledge, we are the first to propose a mechanically moving HSM security barrier as part of a
|
||||
hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security
|
||||
barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture
|
||||
these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap
|
||||
low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The
|
||||
closest to a mechanical HSM that we were able to find during our research is a 1988 patent~\cite{rahman1988} that
|
||||
describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled
|
||||
with pressurized gas.
|
||||
To the best of our knowledge, we are the first to propose a mechanically moving security barrier as part of a hardware
|
||||
security module. Most academic research concentrates on the issue of creating new, more sensitive security barriers for
|
||||
HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture these security
|
||||
barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance
|
||||
security barrier and transforming it into a marginally more expensive but high-performance one.
|
||||
|
||||
\section{Inertial HSM construction and operation}
|
||||
\label{sec_ihsm_construction}
|
||||
|
|
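Review bot: dropping the sentence about the 1988 patent removes the only visible citation of `rahman1988`; check whether the entry still appears in the `.bib` file and whether any other `\cite{rahman1988}` remains, otherwise it becomes an orphaned entry. Separately, that sentence was the evidence backing the claim `we are the first to propose a mechanically moving security barrier`, since it documented the closest prior art found; consider keeping a shortened form of it so the novelty claim is still supported by the related-work discussion.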
@ -225,6 +225,23 @@ The core questions in the design of an inertial HSM are the following:
|
|||
We will approach these questions one by one in the following subsections and conclude this section with an exploration
|
||||
of the practical implications that these aspects of IHSM construction have on IHSM operation.
|
||||
|
||||
\subsection{Use Cases and Attacker Model}
|
||||
|
||||
We motivate our work on IHSM security with a number of use cases. For instance, a healthcare provider may wish to
|
||||
perform advanced data analysis on a large database of patient health information. While the processing result may be
|
||||
needed for the common good, accumulating large amounts of sensitive data on a single system for such processing poses a
|
||||
risk. By collecting valuable data in a single computer, this computer is effectively made a target for organized
|
||||
cyber-criminals and other determined attackers. Mitigations such as cryptographic protocols and firewalls are effective
|
||||
for the network security side of things, physical security is difficult to secure against e.g. bribing of insiders. A
|
||||
similar use case would be that of a bank processing customer data. Here, too, a very high level of physical security is
|
||||
necessary since adversaries may include foreign secret services. Finally, consider a provider of large-scale group
|
||||
communication. Right now, practical systems such as messenger apps fall back to non-end-to-end-encrypted processes for
|
||||
large groups since a sufficiently lightweight, performant cryptographic solution does not exist yet. Similar to the
|
||||
banking use case, such services need to consider advanced adversaries such as foreign nation states' secret services.
|
||||
|
||||
Our goal with IHSMs is to eventually arrive at a system that, at low-cost, can persist against a smart, well-funded
|
||||
adversary such as a secret service or organized cyber-crime.
|
||||
|
||||
\subsection{Inertial HSM motion}
|
||||
\label{sec_ihsm_motion}
|
||||
|
||||
|
|
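Review bot: `Mitigations such as cryptographic protocols and firewalls are effective for the network security side of things, physical security is difficult to secure against e.g. bribing of insiders.` is a comma splice and `physical security is difficult to secure` is circular; suggest `... are effective against network attacks, but physical access is difficult to protect against, e.g.\ against bribed insiders.` Note also that the paper writes `e.g.\ ` with a control space elsewhere, so the bare `e.g.` here should follow suit. `at low-cost` should be `at low cost` (adverbial, no hyphen), and the heading `Use Cases and Attacker Model` is in title case while the sibling subsections (`Inertial HSM motion`, `Tamper detection mesh construction`) use sentence case.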
@ -256,9 +273,10 @@ shaft against tampering that any production device would have to tackle.
|
|||
|
||||
\subsection{Tamper detection mesh construction}
|
||||
|
||||
Once we have decided how our IHSM's security barrier should move, what remains is the actual implementation
|
||||
of that security barrier. There are two movements that we have observed that are key to our work. On the one hand, there
|
||||
is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems
|
||||
IHSMs do not eliminate the need for a security barrier. To prevent an attacker from physically destroying the moving
|
||||
security barrier, tamper detection such as a mesh is still necessary. In this subsection we will consider ways to
|
||||
realize this security barrier. There are two movements that we have observed that are key to our work. On the one hand,
|
||||
there is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems
|
||||
deployed in the field for a variety of use cases from low-security payment processing devices to high-security
|
||||
certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of
|
||||
security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to
|
||||
|
|
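Review bot: in a paper about a moving security barrier, `There are two movements that we have observed that are key to our work` is ambiguous; `two developments` or `two trends` would avoid the collision with the physical sense of `movement` used two sentences earlier (`physically destroying the moving security barrier`). Also hyphenate `tamper sensing mesh membranes` as `tamper-sensing`, consistent with the compound-adjective hyphenation introduced elsewhere in this commit.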
@ -284,21 +302,25 @@ able to quickly detect any slowdown of the IHSM's rotation. Ideally, a sufficien
|
|||
any external force applied to the IHSM's rotor and should already trigger a response at the first signs of a
|
||||
manipulation attempt.
|
||||
|
||||
While the obvious choice to monitor rotation would be a tachometer such as a magnetic or optical sensor attached to the
|
||||
IHSM's shaft, this would be a poor choice for our purposes. Both optical and magnetic sensors are susceptible to
|
||||
contact-less interference from outside. A different option would be to use feedback from the motor driver electronics.
|
||||
When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this
|
||||
approach is that depending on construction, it might invite attacks at the mechanical interface between the mesh and the
|
||||
motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation, or electrical
|
||||
discharge machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is
|
||||
already standing still.
|
||||
While the obvious choice to monitor rotation would be a magnetic or optical tachometer sensor attached to the IHSM's
|
||||
shaft, this would be a poor choice for our purposes since optical and magnetic sensors are susceptible to contact-less
|
||||
interference from outside. A different option would be to use feedback from the motor driver electronics. When using a
|
||||
BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this approach is
|
||||
that depending on construction, it might allow for attacks at the mechanical interface between the mesh and the motor's
|
||||
shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation, or electrical discharge
|
||||
machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is already
|
||||
standing still.
|
||||
|
||||
Instead of a stator-side sensor like a magnetic tachometer or feedback from the BLDC controller, an accelerometer placed
|
||||
inside the spinning mesh monitoring circuit would be a good component to serve as an IHSM's tamper sensor. Modern, fully
|
||||
integrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of the device's
|
||||
mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper with the device's
|
||||
motion. It may also allow remote monitoring of the device's mechanical components such as bearings: MEMS accelerometers
|
||||
are fast enough to capture vibrations, which can be used as an early warning sign of failing mechanical
|
||||
Instead of a stator-side sensor like a magnetic tachometer or feedback from the BLDC controller, an inertial sensor such
|
||||
as an accelerometer or gyroscope placed inside the spinning mesh monitoring circuit would be a good component to serve
|
||||
as an IHSM's tamper sensor. A gyroscope would need to be placed close to the IHSM's shaft where centrifugal force is
|
||||
low, and would directly measure changes in angular velocity. An accelerometer could be placed anywhere on the rotor and
|
||||
would measure centrifugal acceleration.
|
||||
|
||||
Modern, fully integrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of
|
||||
the device's mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper with the
|
||||
device's motion. It may also allow remote monitoring of the device's mechanical components such as bearings: MEMS
|
||||
accelerometers are fast enough to capture vibrations, which can be used as an early warning sign of failing mechanical
|
||||
components~\cite{kvk2019,sh2016,adc2019,e2013}.
|
||||
|
||||
In a spinning IHSM, an accelerometer mounted at a known radius with its axis pointing radially will measure centrifugal
|
||||
|
|
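Review bot: `A gyroscope ... would directly measure changes in angular velocity` is not quite right; a rate gyroscope measures angular velocity directly, and changes in it are obtained by differencing successive samples. Suggest `would directly measure angular velocity`, which also makes the contrast with the accelerometer (which measures centrifugal acceleration and therefore the square of angular velocity) sharper. Hyphenate `spinning mesh monitoring circuit` as `spinning mesh-monitoring circuit` or reword, since `spinning mesh monitoring` currently reads as three stacked modifiers.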
@ -313,13 +335,11 @@ into all accelerometer axes, even those that are tangential to the rotation. Sec
|
|||
accelerometer close to the axis or we are limited to a small selection of high-$g$ accelerometers mostly used in
|
||||
automotive applications.
|
||||
|
||||
To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark: Let us assume that an
|
||||
IHSM is spinning at $\SI{1000}{rpm}$ and that we wish to detect any attempt to brake it below $\SI{500}{rpm}$. The
|
||||
difference in centrifugal acceleration that our accelerometer will need to detect then is a factor of
|
||||
$\frac{\omega_2^2}{\omega_1^2}=4$. If we choose our accelerometer's location to maximize its dynamic range, any
|
||||
commercial MEMS accelerometer should suffice for this degree of accuracy even over long timespans. For rapid
|
||||
deceleration, commercial accelerometers will be much more sensitive as effects of long-term drift can be ignored. If we
|
||||
wish to also detect very slow deceleration, we have to take into account the accelerometer's drift characteristics.
|
||||
To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark. Let us assume an IHSM
|
||||
spinning at $\SI{1000}{rpm}$. To detect any attempt to brake it below $\SI{500}{rpm}$, we have to detect a difference in
|
||||
acceleration of a factor of $\frac{\omega_2^2}{\omega_1^2}=4$. Even should sub-optimal placement compromise dynamic
|
||||
range, any commercial MEMS accelerometer will provide this degree of accuracy. The only caveat is that to detect very
|
||||
slow deceleration, we have to take into account the accelerometer's drift characteristics.
|
||||
|
||||
In Section~\ref{sec_accel_meas} below, we conduct an empirical evaluation of a commercial automotive high-$g$ MEMS
|
||||
accelerometer for braking detection in our prototype IHSM.
|
||||
|
|
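Review bot: the ratio in `we have to detect a difference in acceleration of a factor of $\frac{\omega_2^2}{\omega_1^2}=4$` is undefined as written: $\omega_1$ and $\omega_2$ are never introduced, and if $\omega_1$ is the nominal 1000 rpm and $\omega_2$ the 500 rpm threshold, as the sentence order suggests, the fraction evaluates to $1/4$, not 4. Either define the symbols or write $(\omega_1/\omega_2)^2 = 4$ with $\omega_1 = \SI{1000}{rpm}$ and $\omega_2 = \SI{500}{rpm}$. The rewrite also hardens `any commercial MEMS accelerometer should suffice` into `any commercial MEMS accelerometer will provide this degree of accuracy` even under `sub-optimal placement`; the empirical evaluation in Section~\ref{sec_accel_meas} covers one automotive part, so the hedged wording is the defensible one. Minor: `sub-optimal` is normally `suboptimal`.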
@ -395,6 +415,14 @@ approach is a 2019 technology demonstration~\cite{signal2019} created by signal.
|
|||
secure messenger app. In this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019}
|
||||
inside Intel SGX to replicate state between geographically redundant enclaves.
|
||||
|
||||
Finely-grained monitoring of operational parameters may be capable of recognizing some types of failure such as backup
|
||||
battery failure, mechanical wear or over/undertemperature conditions some time before alarm levels have been reached and
|
||||
all secrets must be detstroyed. This type of early warning allows for the implementation of a graceful failover
|
||||
mechanism. Similar to hot spares in hard disk arrays, a number of IHSMs might share a hot spare IHSM that is running,
|
||||
but that does not yet contain any secrets. Once an IHSM detects early warning signs of an impending failure, it can then
|
||||
transfer its secrets to the hot spare using one of the technologies listed in the previous paragraph, then delete their
|
||||
local copies. This may allow for the graceful handling of device failures due to both age and disasters such as fires.
|
||||
|
||||
Excluding natural disasters, there are three main categories of challenges to an IHSM's longevity: Failure of components
|
||||
of the IHSM due to age and wear, failure of the external power supply, and spurious triggering of the intrusion alarm by
|
||||
changes in the IHSM's environment. In the following paragraphs, we will evaluate each of these categories in its
|
||||
|
|
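Review bot: typo `detstroyed` in `all secrets must be detstroyed`. In the same new paragraph, `Finely-grained monitoring` should be `Fine-grained monitoring`, `over/undertemperature conditions` should be `over- or under-temperature conditions`, and in `transfer its secrets to the hot spare ... then delete their local copies` the pronoun should be `its` (the IHSM's) local copies, matching the subject of the sentence.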
@ -428,58 +456,42 @@ a built-in battery is undesirable, or if power outages of more than a few second
|
|||
the IHSM is connected to an external UPS or generator), the IHSM's rotor itself can be used as a flywheel for energy
|
||||
storage.
|
||||
|
||||
\paragraph{Spurious alarms.}
|
||||
Even with all components working to their specification, an IHSM could still catastrophically fail if for some reason
|
||||
its alarm would be spuriously activated due to movement of the device. The likelihood of such an alarm failure must be
|
||||
minimized, e.g.\ by employing vibration damping. There are several possible causes why an IHSM might move during
|
||||
normal operation. The IHSM may have to be relocated between datacenters. Other vibrating machinery such as backup
|
||||
generators or large hard disk storage arrays may conduct vibration through the rack the IHSM is mounted inside and into
|
||||
the IHSM. People working in the datacenter might bump the IHSM. Vibrations from nearby traffic such as trains may
|
||||
couple through the ground into the datacenter and into the IHSM. Finally, earthquakes are a common occurrence in some
|
||||
regions of the world and will couple through any reasonable amount of vibration damping.
|
||||
\paragraph{Spurious alarms due to vibration.}
|
||||
Beyond the electronic measures mentioned above, IHSMs must employ vibration damping since, during normal operation, they
|
||||
may receive vibration from outside sources such as backup generators, workers bumping the IHSM and nearby traffic.
|
||||
Besides such everyday sources, (usually harmless) earthquakes are a common occurrence in some regions of the world.
|
||||
|
||||
There are two key points to note on vibration damping. First, the instantaneous mechanical power of a vibrating motion
|
||||
is proportional to the square of its amplitude when fixing frequency and the cube of its frequency when fixing
|
||||
amplitude. This means that to reach a certain instantaneous acceleration, much more power is needed in a high-frequency
|
||||
vibrating motion compared to lower frequencies. This observation interacts with our other point that, second, an ideal
|
||||
vibration damper works better with higher frequencies, and has a lower bound below which it does no longer damp
|
||||
vibration transmission~\cite{kelly1993,beards1996,dixon2007}. From these two observations, it follows that if we wish to
|
||||
reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal efficiently by damping
|
||||
high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations large
|
||||
enough to cause a false alarm.
|
||||
For comparison, consider an IHSM running at an angular velcity of $\SI{1000}{rpm}$. A tamper
|
||||
sensor mounted at a radius of $\SI{100}{\milli\meter}$ will measure a constant centrifugal
|
||||
acceleration of approximately $\SI{100}{g}$.
|
||||
Literature on car crashes shows that accelerations above $\SI{10}{g}$ in the car's structural components
|
||||
correspond to a crash at $\SI{30}{\kilo\meter\per\hour}$ and above~\cite{ika2002,german2007}. Measurements of the Peak
|
||||
Ground Acceleration (PGA) of severe earthquakes show that even the strongest earthquakes rarely reach a
|
||||
PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990} with the 2011 Tohoku earthquake at approximately
|
||||
$\SI{0.3}{g}$.
|
||||
|
||||
To put this into perspective, consider an IHSM running at an angular frequency of $\SI{1000}{rpm}$. If the IHSM's tamper
|
||||
sensor is mounted at a radius of $\SI{100}{\milli\meter}$ from the axis of rotation, it will measure a constant
|
||||
acceleration of approximately $\SI{100}{g}$. Let us first compare this in magnitude to the effects of a car crash.
|
||||
According to literature, accelerations above $\SI{10}{g}$ correspond to the acceleration a car's structural components
|
||||
experience in a car crash at $\SI{30}{\kilo\meter\per\hour}$ and above~\cite{ika2002,german2007}. As another point of
|
||||
reference, take the Peak Ground Acceleration (PGA) of a severe earthquake. Even the strongest earthquakes rarely reach a
|
||||
PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest PGA measured during the 2011 Tohoku earthquake was approximately
|
||||
$\SI{0.3}{g}$. As they happen across a large geographic area, an earthquake's low-frequency vibrations dissipate a
|
||||
tremendous amount of mechanical power despite their at first glance low absolute acceleration. However, we can ignore
them for the purposes of our tamper detection system.
From these comparisons, we can conclude that an IHSM's tamper detection subsystem will be able to clearly distinguish
attempts to stop the IHSM's rotation. Any external acceleration that would come close in order of magnitude to the
operating centrifugal acceleration at the periphery of an IHSM's rotor would likely destroy the IHSM.
Instantaneous acceleration increases linearly with frequency, but likewise simple vibration dampers work better with
higher frequencies~\cite{kelly1993,beards1996,dixon2007}, To reduce the likelihood of false detections, it is enough to
damp high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations
large enough to cause a false alarm. For instance, an earthquake's low-frequency vibrations dissipate a tremendous
amount of mechanical power across a large geographic area, but due to the their absolute instantaneous acceleration, we
can ignore them for the purposes of our tamper detection system. An IHSM's tamper detection subsystem will be able to
clearly distinguish attempts to stop the IHSM's rotation from normal environmental noise. Any external acceleration that
would come close in order of magnitude to the operating centrifugal acceleration at the periphery of an IHSM's rotor
would likely destroy the IHSM.
\subsection{Transportation}
While unintentional acceleration is unlikely to cause false alarms in an IHSM when simple vibration damping is employed,
there is an issue when intentionally moving an IHSM: The IHSM's rotor stores significant rotational energy and will
respond to tipping with a precession force. This could become an issue when a larger IHSM is transported between e.g.\
the manufacturer's premises and its destination data center. One solution to this problem is to transport the IHSM
elastically mounted inside a shipping box that is weighted to resist precession forces. To reduce the amount of
precession, the IHSM should be transported with its axis of rotation pointing upwards and its speed of rotation set to
the lower end of the range permitted by the application's security requirements. The IHSM's software could allow for a
temporary ``shipping mode'' to be entered that would slow down the IHSM and increase the tamper sensing accelerometer's
thresholds.
the manufacturer's premises and its destination data center. The simple solution to this problem is to transport the IHSM
elastically mounted with its axis pointing upwards inside a heavy shipping box.
During shipping, the IHSM will require a continuous power supply. The most practical solution to this challenge is to
ship the IHSM along with a small backup battery. Following our conservative estimate in Section~\ref{sec-power-failure},
a 48-hour shipping window as offered by many courier shipping services could easily be bridged with the equivalent of
5-10 laptop batteries. In case a built-in battery backup is not necessary in the IHSM's application, these batteries
could be connected as an external device akin to a ``power bank'' that is disconnected and sent back to the IHSM's
During shipping, the IHSM will require a continuous power supply. Following our conservative estimate in
Section~\ref{sec-power-failure}, 48-hour courier shipping could easily be bridged with the equivalent of 5-10 laptop
batteries. In applications that do not require a backup battery built-in to the IHSM (e.g. due to existing UPS backup),
the IHSM could be shipped connected to an external battery akin to a ``power bank'' that is sent back to the IHSM's
manufacturer after the IHSM has been installed.
\section{Attacks}
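Review bot: two sentences in the rewritten false-alarm paragraph are broken: "higher frequencies~\cite{kelly1993,beards1996,dixon2007}, To reduce" needs a full stop in place of the comma, and "due to the their absolute instantaneous acceleration" has a doubled article and has lost the adjective that carried the argument; it should read "due to their low absolute instantaneous acceleration", otherwise the sentence no longer says why earthquakes can be ignored. In the transportation paragraph, "built-in to the IHSM" should be "built into the IHSM", "e.g. due to" should use the `e.g.\ ` spacing used elsewhere in the file, and "5-10" should be an en dash (`5--10`). The rewrite also drops the old text's "shipping mode" that raised the accelerometer thresholds during transport; that is the right call, since transport is the phase in which the device is outside its operator's control and a relaxed tamper threshold weakens exactly the braking detection the design relies on, but the new version should still state that the rotor is shipped at the low end of the permitted speed range, so that the 48-hour estimate from Section~\ref{sec-power-failure} is tied to a stated operating point.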
@ -490,27 +502,25 @@ above, in this section, we will detail possible ways to attack it. At the core o
security mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to
perform the same steps they would have to perform to attack a traditional HSM. However, they will either need to
perform these attack steps with a tool that follows the HSM's rotation at high speed or they will first need to defeat
the braking sensor. Attacking the IHSM in motion requires specialized mechanical tools such as CNC actuators or for
contactless attack a laser.
the braking sensor.
\subsection{Attacks that don't work}
In the sections below, we will go into detail on such attacks on IHSMs. To put these attack approaches into perspective,
we will start with a brief overview of attacks on conventional HSMs that the IHSM is defended against.
%FIXME \paragraph{...}
In principle, there are three ways to attack a conventional HSM. The hard way is to find a way to go through the
security mesh without triggering the alarm, e.g.\ by using a probe that is finer than the mesh's structure size. An
attacker willing to invest some effort can also try to uncover the mesh traces buried in plastic to then hot-wire the
mesh, bridging over a part that will subsequently be removed. HSMs attempt to detect such attacks by measuring the mesh
traces' resistance instead of only checking their continuity~\cite{obermaier2019}. However, if an attacker only wishes
to disable a small section of the mesh to insert a handful of fine probes into the device, this hardening approach
becomes challenging. Consider a mesh that covers an area of $\SI{100}{\milli\meter}$ by $\SI{100}{\milli\meter}$. An
attacker who short-circuits a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section of this mesh will change the mesh
trace's resistance by approximately
$\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25 \%$.
Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding
temperature stability of the mesh material.
In principle, there are three ways to attack a conventional HSM. The hard way is to go through the security mesh without
triggering the alarm, e.g.\ with a probe that is finer than the mesh's spacing. For larger probes, an attacker can
laboriously uncover, then bridge the mesh traces to allow part of the mesh to be removed. Some HSMs attempt to detect
such attacks by measuring mesh resistance~\cite{obermaier2019}, but this is limited by the necessary precision.
% However, if an attacker only wishes to disable a small section of the mesh to insert a handful of fine probes into the
% device, this hardening approach becomes challenging. Consider a mesh that covers an area of $\SI{100}{\milli\meter}$
% by $\SI{100}{\milli\meter}$. An attacker who short-circuits a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section
% of this mesh will change the mesh trace's resistance by approximately
% $\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25 \%$.
% Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding
% temperature stability of the mesh material.
The second way to attack an HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between
two halves of an enclosure~\cite{obermaier2019}. This design is vulnerable to attempts to stick a fine needle through
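Review bot: with the worked example moved into a comment, "but this is limited by the necessary precision" no longer tells the reader what precision is needed; keep the result inline, e.g. "bridging a \SI{5}{\milli\meter} by \SI{5}{\milli\meter} section of a \SI{100}{\milli\meter} by \SI{100}{\milli\meter} mesh changes trace resistance by about $0.25\,\%$, so detecting it needs at least \SI{9}{bit} of measurement precision and matching temperature stability" (the arithmetic holds: $0.25\,\%$ is $1/400$ and $\log_2 400 \approx 8.6$). Two leftovers: "%FIXME \paragraph{...}" is still in the source, and "attacks on conventional HSMs that the IHSM is defended against" reads oddly; "that an IHSM defends against" is what is meant. With the sentence about CNC actuators and lasers removed, "such attacks" in "we will go into detail on such attacks on IHSMs" now points two sentences back to "a tool that follows the HSM's rotation"; "attacks of both kinds" would make the antecedent explicit.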
@ -520,9 +530,9 @@ feed-through as potential weak spots.
The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An
attacker may need to insert several probes or modify the circuit to wiretap the payload processor's secrets, but
depending on its implementation they may be able to disable the mesh alarm circuit with only one or two probes. To
depending on the implementation they may be able to disable the mesh alarm circuit with only one or two probes. To
harden a conventional HSM against this type of attack, the mesh monitoring circuit must be carefully designed to avoid
single points of failure as well as any fail-open failure modes.
single points of failure.
\subsection{Attacks that work on any HSM}
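Review bot: dropping "as well as any fail-open failure modes" from the last sentence of the paragraph removes a requirement that is distinct from avoiding single points of failure: a monitoring circuit can be fully redundant and still fail open, meaning the alarm stays silent when the monitor itself stops working. Suggest keeping the clause: "to avoid single points of failure and any fail-open failure modes".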
@ -541,10 +551,15 @@ IHSMs do not provide an inherent benefit against such contactless attacks. Howev
play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using
simpler technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and are less
space-constrained. This larger volume allows for a greater physical distance between security-critical components and
places accessible to an attacker using an electromagnetic probe for EM sidechannel attacks. By allowing the use of
conventional server hardware, IHSMs additionally enable the use of modern security techniques such as MMUs and
well-audited open source software such as OpenSSL both of which may not be available on the smaller embedded processors
found in conventional HSMs.
places accessible to an attacker using an electromagnetic probe for EM sidechannel attacks.
Another attack that is possible against all types of HSMs are software attacks. Flaws in an HSM's software such as
memory safety errors in its external-facing APIs can lead to a full compromise of the HSM's secrets~\cite{ledger2019}.
Like a traditional HSM, an IHSM has to expose some API to the outside world to be useful. For both, the hardening
techniques are the same as in any other networked system and include the reduction of attack surface e.g. through
firewalling, fuzz testing and formal verification. In IHSMs these mitigations are easier to implement since they allow
the use of conventional server hardware and well-audited open source software, instead of hard-to-audit proprietary code
on an embedded platform.
\subsection{The Swivel Chair Attack}
\label{sec_swivel_chair_attack}
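Review bot: "Another attack that is possible against all types of HSMs are software attacks" has a subject-verb disagreement; "Software attacks are possible against all types of HSMs" or "Another class of attacks that applies to all HSMs is software attacks" fixes it. "e.g. through firewalling" should be "e.g.\ through" for the same interword spacing as the rest of the file, and "sidechannel" is conventionally "side-channel". The claim that the mitigations are "easier to implement" in IHSMs rests only on the hardware and software availability argument; since the sentence about MMUs and well-audited open source software such as OpenSSL was removed from the preceding paragraph, consider naming those concrete advantages here so that the statement is not left as a bare assertion.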
@ -575,43 +590,35 @@ kind of mechanical tool.
\label{fig_attack_robot}
\end{figure}
Figure~\ref{fig_attack_robot} shows a schematic overview of the structure of such a rotating attack tool.
A first point to note is that the tool itself has to rotate at the IHSM's speed.
If we were to counter-rotate the IHSM such that relative to a stationary observer the rotor would be slowed
down, the accelerometer on the rotor would measure lower centrifugal acceleration and detect the manipulation attempt.
To follow an IHSM's rotation closely enough that a manipulator mounted on the attack tool is stationary w.r.t.\ the IHSM
is hard. Let us assume a small IHSM mesh with radius $r=\SI{100}{\milli\meter}$.
To keep a manipulator stationary within a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ window over a period of
$\SI{10}{\second}$ requires attack tool and IHSM speeds to be matched to an accuracy better than
Figure~\ref{fig_attack_robot} shows a schematic overview of the structure of such a rotating attack tool. The tool
itself has to rotate at the IHSM's speed because counter-rotating the IHSM instead, the accelerometer on the rotor would
measure lower centrifugal acceleration and detect the manipulation attempt. Following the IHSM's rotation closely
enough to allow for remote-controlled manipulation of the IHSM is hard. Let us assume a small IHSM mesh with radius
$r=\SI{100}{\milli\meter}$. To keep a manipulator stationary within a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$
window over a period of $\SI{10}{\second}$ requires attack tool and IHSM speeds to be matched to an accuracy better than
$\frac{\SI{5}{\milli\meter}}{\SI{10}{\second}} \cdot \frac{1}{2\pi r} = \SI{8.0}{\milli\hertz} = \SI{0.048}{rpm}$.
Relative to a realistic IHSM's speed of $\SI{1000}{rpm}$ this corresponds to approximately $\SI{50}{ppm}$. Achieving
this accuracy would likely require active servo control of the attack tool's rotation that is locked by optically
tracking of the IHSM's rotor.
this accuracy would likely require active servo control of the attack tool's rotation.
If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a
remote-controlled manipulator that can be mounted on the attack tool's rotating stage that is able to disable the IHSM's
mesh.
To complicate matters, the attacker will not succeed by simply drilling a small undetected hole into the mesh.
While both mesh and attack tool are spinning, the payload is stationary.
The attacker thus has to create an opening in the mesh large enough that the attacker can insert a second set of
\emph{stationary} probes to contact the payload.
In conclusion, we estimate that creating a rotating, remote-controllable manipulator that can be used to successfully
attack a security mesh is infeasible given the degree of manual skill necessary even for normal soldering work.
If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a manipulator
tolerant to high g forces that is able to disable the IHSM's mesh. Simply drilling a small hole is not enough in this
case since the payload is stationary. Instead, using the rotating manipulator, the attacker has to create an opening in
the mesh large enough to place a \emph{stationary} probe on the payload. We estimate that creating a rotating,
remote-controllable manipulator that can be used to successfully attack a security mesh is infeasible given the degree
of manual skill necessary even for normal soldering work.
\subsection{Mechanical weak spots}
As we elaborated in the previous paragraphs, we consider a fast-moving mesh to offer a strong tamper detection
capability. This evaluation is based on the notion that the security mesh is moving too fast to tamper. However,
depending on the type of motion used, the mesh's actual speed may vary by location and over time. Our example
configuration of a rotating mesh can keep moving continuously, so it does not have any time-dependent weak spots. It
does, however, have a weak spot along its axis of rotation, at the point where the shaft penetrates the mesh. The mesh's
tangential velocity decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as
probes into the device through the opening it creates. This issue is related to the issue conventional HSMs also face
with their power and data connections. In conventional HSMs, power and data are routed into the enclosure through the
PCB or flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. In conventional HSMs, this
interface rarely is a mechanical weak spot since they use a thin mesh substrate and create a meandering path by folding
the interconnect substrate/security mesh layers several times. In inertial HSMs, careful engineering is necessary to
achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity.
capability. However, depending on the type of motion used, the mesh's actual speed may vary by location and over time.
Our example configuration of a rotating mesh moves continuously and does not have any time-dependent weak spots. It
does, however, have a weak spot where the shaft penetrates the mesh at the axis. The mesh's tangential velocity
decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as probes into the device
through the opening it creates. Conventional HSMs also have to take precautions to protect their power and data
connections, such as flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. As a result of
these precautions, in conventional HSMs this interface rarely is a mechanical weak spot. In inertial HSMs, careful
engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with
increasing complexity.
\begin{figure}
\begin{subfigure}[t]{0.3\textwidth}
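Review bot: the speed-matching figure is off by a factor of ten: $\SI{5}{\milli\meter}/\SI{10}{\second} = \SI{0.5}{\milli\meter\per\second}$, and $\SI{0.5}{\milli\meter\per\second} / (2\pi \cdot \SI{100}{\milli\meter}) \approx \SI{0.80}{\milli\hertz}$, not \SI{8.0}{\milli\hertz}; the \SI{0.048}{rpm} and \SI{50}{ppm} values are consistent with \SI{0.80}{\milli\hertz}, so only the millihertz value needs correcting. "because counter-rotating the IHSM instead, the accelerometer on the rotor would measure" is ungrammatical; "because if the IHSM were counter-rotated instead, the accelerometer on the rotor would measure lower centrifugal acceleration and detect the manipulation attempt" is what is meant. In the mechanical weak spots paragraph, "take precautions ... As a result of these precautions" replaces the old text's concrete mechanism (a thin mesh substrate folded several times into a meandering path) with a vague noun; keep one clause naming the mechanism, since that is what an IHSM designer has to reproduce at the shaft and what the variants in Figure~\ref{shaft_cm} approximate.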
@ -644,27 +651,25 @@ achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft in
To disable the mesh itself, an attacker can choose two paths. One is to attack the mesh itself, for example by bridging
its traces. The other option is to tamper with the monitoring circuit to prevent a damaged mesh from triggering an
alarm~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e.\ they require electrical contact to
parts of the circuit. Traditionally, this contact is made by soldering a wire or by placing a probe such as a thin
needle. We consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack
avenues may be to rotate an attack tool in sync with the mesh or to use a laser or ion beam fired at the mesh to cut
traces or carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting
compound and shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the
complexity of such attacks.
alarm~\cite{dexter2015}. Attacks in both locations require electrical contact to parts of the circuit. Traditionally,
this is done by soldering a wire or by placing a probe. We consider this type of attack hard to perform on an object
spinning at high speed. Possible remaining attack avenues may be to rotate an attack tool in sync with the mesh or to
use a laser or ion beam fired at the mesh to cut traces or carbonize parts of the substrate to create electrical
connections. Encapsulating the mesh in a potting compound and shielding it with a metal enclosure as is common in
traditional HSMs will significantly increase the complexity of such attacks.
\subsection{Attacks on the rotation sensor}
Instead of attacking the mesh in motion, an attacker may also try to first stop the rotor. To succeed, they would need
to falsify the rotor's MEMS accelerometer measurements. We can disregard electronic attacks on the sensor or the
monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be
physical attacks of the accelerometer's sensing mechanism.
MEMS accelerometers usually use a cantilever design in which a proof mass moves a cantilever whose precise position is
measured electronically. A topic of recent academic interest has been acoustic attacks tampering with these
mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings. A
possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the
device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the
mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the
security envelope and by varying the rate of rotation over time.
physical attacks of the accelerometer's sensing mechanism. In a MEMS accelerometer, a proof mass moves a cantilever
whose precise position is measured electronically. A topic of recent academic interest has been acoustic attacks
tampering with these mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify
sensor readings. A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation
synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the
MEMS, locking the mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded
location inside the security envelope and by varying the rate of rotation over time.
\subsection{Attacks on the alarm circuit}
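Review bot: "In a MEMS accelerometer, a proof mass moves a cantilever whose precise position is measured electronically" turns the old "usually use a cantilever design" into a universal statement; many MEMS accelerometers are capacitive designs with a spring-suspended proof mass and comb-finger electrodes rather than a cantilever, so keep the hedge ("typically"). The mitigation "varying the rate of rotation over time" should say what the monitor compares against: a sensor locked in place by glue produces a constant reading, which is only detectable if the monitoring circuit expects the measured centrifugal acceleration to follow the commanded speed changes. Minor: "To disable the mesh itself, an attacker can choose two paths. One is to attack the mesh itself" repeats "itself"; drop the first occurrence.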
@ -691,13 +696,13 @@ of attack, the HSM must be engineered to be either tough or brittle: Tough enoug
will reliably withstand any attack for long enough to carry out its function or brittle in a way that during any attack,
the payload is reliably destroyed before the tamper response circuitry.
\section{Proof of Concept Prototype implementation}
\section{Proof-of-concept Prototype implementation}
\label{sec_proto}
As we elaborated above, the mechanical component of an IHSM significantly increases the complexity of any attack even
when implemented using only common, off-the-shelf parts. In view of this amplification of design security, we have
decided to validate our theoretical studies by implementing a proof of concept prototype IHSM
(Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof of concept prototype
decided to validate our theoretical studies by implementing a proof-of-concept prototype IHSM
(Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof-of-concept prototype
were:
\begin{enumerate}
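Review bot: the new heading "Proof-of-concept Prototype implementation" mixes capitalisation; the file's other headings use sentence case ("Mechanical design", "Attacks on the rotation sensor"), so "Proof-of-concept prototype implementation" is the consistent form. "In view of this amplification of design security" is vague; the preceding sentence argues that the gain comes from an off-the-shelf mechanical component, so "Given this gain in security from off-the-shelf parts" says it directly.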
@ -711,31 +716,31 @@ We will outline our findings on these challenges one by one in the following par
\subsection{Mechanical design}
We sized our proof of concept prototype to have sufficient payload space for up to two full-size Raspberry Pi boards to
We sized our proof-of-concept prototype to have sufficient payload space for a Raspberry Pi single-board computer to
approximate a traditional HSM's processing capabilities. We use printed circuit boards as the main structural material
for the rotating part, and 2020 aluminium extrusion for its mounting frame. Figure~\ref{fig_proto_mesh} shows the
rotor's mechanical PCB designs. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already
sufficiently narrow to pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our
prototype incorporates a functional PCB security mesh. As we observed previously, this mesh only needs to cover every
part of the system once per revolution, so we designed the longitudinal PCBs as narrow strips to save weight.
rotor's mechanical PCB designs. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is sufficiently
narrow to pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our prototype
incorporates a functional PCB security mesh. As we observed previously, this mesh only needs to cover every part of the
system once per revolution, so we designed the longitudinal PCBs as narrow strips to save weight.
\subsection{PCB security mesh generation}
% FIXME censor link in peer-review version!
Our proof-of-concept security mesh covers a total of five interlocking mesh PCBs (Figure~\ref{mesh_gen_sample}). A sixth
PCB contains the monitoring circuit and connects to these mesh PCBs. To speed up design iterations, we automated the
generation of this security mesh through a plugin for the KiCAD EDA
suite\footnote{\censorIfSubmission{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}}. Figure~\ref{mesh_gen_viz} visualizes the mesh
generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a randomized tree
covering the grid. Finally, individual mesh traces are traced according to a depth-first search through this tree.
We consider the quality of the plugin's output sufficient for practical applications. Together with FreeCAD's KiCAD
StepUp plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB files.
suite\footnote{\censorIfSubmission{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}}. Figure~\ref{mesh_gen_viz}
visualizes the mesh generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a
randomized tree covering the grid. Finally, individual mesh traces are traced according to a depth-first search through
this tree. We consider the quality of the plugin's output sufficient for practical applications. Together with
FreeCAD's KiCAD StepUp plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB
files.
\begin{figure}
\begin{subfigure}{0.35\textwidth}
\center
\includegraphics[height=7cm]{proto_3d_design.jpg}
\caption{The 3D CAD design of the proof of concept prototype.}
\caption{The 3D CAD design of the proof-of-concept prototype.}
\end{subfigure}
\hfill
\begin{subfigure}{0.6\textwidth}
@ -743,7 +748,7 @@ StepUp plugin, this results in an efficient toolchain from mechanical CAD design
\center
\caption{Assembled mechanical prototype rotor (left) and stator (right) PCB components.}
\end{subfigure}
\caption{Our proof of concept prototype IHSM's PCB security mesh design}
\caption{Our proof-of-concept prototype IHSM's PCB security mesh design}
\label{fig_proto_mesh}
\end{figure}
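Review bot: this hunk changes the payload from "up to two full-size Raspberry Pi boards" to "a Raspberry Pi single-board computer", but the evaluation section later still says the payload volume "can house one or two Raspberry Pi single-board computers"; the two statements need to agree. "% FIXME censor link in peer-review version!" is still in the source although the footnote already wraps the URL in \censorIfSubmission, so the FIXME is either stale or should say what remains to be done. Minor: the project spells its name "KiCad", the text uses "KiCAD".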
@ -852,13 +857,31 @@ mechanical design vibrated at higher speeds but despite these unintended vibrati
excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link and the
data links continued to function without issue.
By design, our prototype is not yet a production-ready solution. Its main limitation is the small payload volume that
can house one or two Raspberry Pi single-board computers, but does not allow for more powerful hardware such as a
contemporary server mainboard. Being constructed without access to a proper mechanical workshop, its imprecise
construction leads to vibration at high speeds. Its optical communication links in breadboard construction function and
need to be translated into manufacturable PCBs, and its security mesh has to be optimized for security. Finally, a motor
driver solution needs to be selected that allows for direct digital control of motor speed. Overall, the prototype
soundly demonstrated the viability of the IHSM concept and we are confident that all of these limitations can be
conclusively solved in a next version that might be a ``beta'' version of a practical IHSM, built in a mechanical
workshop.
\section{Using MEMS accelerometers for braking detection}
\label{sec_accel_meas}
Using the proof of concept prototype from the previous section, we performed an evaluation of an \partnum{AIS1120}
commercial automotive MEMS accelerometer as a braking sensor. The device is mounted inside our prototype at a radius of
$\SI{55}{\milli\meter}$ from the axis of rotation to the center of the device's package. The \partnum{AIS1120} provides
a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$.
In our proof-of-concept prototype, for braking detection we chose an accelerometer placed on the circumference of our
prototype's rotor for two reasons: First, it avoids the likley issue of high centrifugal acceleration falsifying
gyroscope measurements. Second, by orienting one axis of the accelerometer radially, we can avoid exceeding the
accelerometer's range even when rapidly accelerating or decelerating. Rapid angular acceleration or deceleration
produces high tangential linear acceleration or deceleration in our sensor, but the radially-oriented axis of the
accelerometer only experiences an amount of centrifugal acceleration that is bounded by the rotor's momentary angular
velocity and never exceeds the device's specified operating conditions.
Using our prototype, we performed an evaluation of an \partnum{AIS1120} commercial automotive MEMS accelerometer as a
braking sensor. The device is mounted inside our prototype at a radius of $\SI{55}{\milli\meter}$ from the axis of
rotation to the center of the device's package. The \partnum{AIS1120} provides a measurement range of $\pm 120\,g$. At
its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$.
Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually
control this motor controller through an RC servo tester. In our experiments, we externally measured the device's speed
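Review bot: "likley" in the new rationale paragraph is a typo for "likely". The rationale itself checks out and is worth keeping: at \SI{55}{\milli\meter} and \SI{1000}{rpm}, $\omega \approx \SI{105}{rad\per\second}$ and $\omega^2 r \approx \SI{600}{\meter\per\second\squared}$, about \SI{60}{g} on the radial axis, well inside the $\pm 120\,g$ range, and the quoted LSB is consistent with that range ($240\,g / 2^{14} \approx 15\,\mathrm{m}g$). The unchanged line "can house one or two Raspberry Pi single-board computers" contradicts the earlier hunk's "a Raspberry Pi single-board computer". The acceleration notation also switches between \SI{...}{g} and "$\pm 120\,g$" / "$15\,\mathrm{m}g$" within the same section; pick one form.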
@ -909,19 +932,19 @@ accelerometer's intrinsic errors as well as error in its placement due to constr
\caption{Traces of acceleration measurements during one experiment run.}
\end{figure}
The accelerometer's primary intrinsic errors are offset error and scale error. Offset error is a fixed additive offset
to all measurements. Scale error is an error proportional to a measurements value that results from a deviation between
the device's specified and actual sensitivity. We correct for both errors by first extracting all stable intervals from
the time series, then fitting a linear function to the measured data. Offset error is this linear function's intercept,
and scale error is its slope. We then apply this correction to all captured data before plotting and later analysis.
Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of
the device's offset remaining. At high speeds of rotation, this remaining offset does not have an appreciable impact,
but due to the quadratic nature of centrifugal acceleration, at low speeds it causes a large relative error of up to
The accelerometer has two main intrinsic errors. Offset error is a fixed additive offset to all measurements. Scale
error is an error proportional to a measurements value that results from a deviation between the device's specified and
actual sensitivity. We correct for both errors by first extracting all stable intervals from the time series, then
fitting a linear function to the measured data. Offset error is this linear function's intercept, and scale error is its
slope. We then apply this correction to all captured data before plotting and later analysis. Despite its simplicity,
this approach already leads to a good match of measurements and theory modulo a small part of the device's offset
remaining. At high speeds of rotation, this remaining offset does not have an appreciable impact, but due to the
quadratic nature of centrifugal acceleration, at low speeds it causes a large relative error of up to
$\SI{10}{\percent}$ at $\SI{95}{rpm}$.
After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data.
Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity
since we tested our proof of concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that
since we tested our proof-of-concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that
this harmonic content is a clean intermodulation product of the accelerometer's sample rate and the speed of rotation
with no other visible artifacts.
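Review bot: the rewritten paragraph still ends with the residual offset causing a relative error of "up to $\SI{10}{\percent}$ at $\SI{95}{rpm}$", while the figure caption in the next hunk gives "$8\%$ relative at $\SI{95}{rpm}$" for the same residual offset; one of the two numbers should be corrected so the body text and the caption agree. The new wording also carries over the missing apostrophe in "proportional to a measurements value"; suggest "a measurement's value".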
@ -936,10 +959,9 @@ the fly, without stopping the rotor.
\center
\includegraphics[width=0.7\textwidth]{../prototype/sensor-analysis/fig-acc-theory-meas-run50.pdf}
\caption{Centrifugal acceleration versus angular frequency in theory and in our experiments. Experimental
measurements are shown after correction for device-specific offset and scale error. Our measurements
showed good agreement with our theoretical results. Above \SI{300}{rpm}, the relative acceleration error was consistently
below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error that remains after our first-order
corrections has a strong impact ($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$.)}
measurements are shown after correction for offset and scale error. Above \SI{300}{rpm}, the relative error is
below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error has a strong impact ($0.05\,g$ absolute
or $8\%$ relative at $\SI{95}{rpm}$.)}
\label{fig-acc-theory}
\end{figure}
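Review bot: `\center` at the top of this figure should be `\centering`; bare `\center` starts a trivlist environment that is never closed with `\endcenter` and adds list spacing, whereas `\centering` is the standard way to centre a float's contents. In the rewritten caption the percent notation is mixed, `$\SI{0.5}{\percent}$` on one line and `$8\%$` two lines later; suggest `\SI{8}{\percent}` for consistency, and move the final period outside the parenthesis: `... at \SI{95}{rpm}).`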
@ -949,7 +971,7 @@ the fly, without stopping the rotor.
In this paper, we introduced Inertial Hardware Security Modules (IHSMs), a novel concept for the construction of
advanced hardware security modules from simple components. We analyzed the concept for its security properties and
highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design
by creating a proof of concept hardware prototype. In this prototype, we have demonstrated practical solutions to the
by creating a proof-of-concept hardware prototype. In this prototype, we have demonstrated practical solutions to the
major electronics design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation.
We have used our prototype to perform several experiments to validate the rotary power and data links and the onboard
accelerometer. Our measurements have shown that our proof-of-concept solar cell power link works well and that our
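Review bot: in "major electronics design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation." the word after the colon should be lowercase ("data and power transfer"), since what follows is a list fragment rather than a full sentence. The paragraph also alternates between "We validated" and "we have demonstrated" / "We have used"; one tense for the summary reads better, and the hyphenation fix "proof-of-concept" should be applied wherever the phrase is used as a modifier elsewhere in the paper.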