First proofreading
This commit is contained in:
parent
304927c31b
commit
7ea8300468
1 changed files with 129 additions and 122 deletions
@ -355,44 +355,46 @@ evolution of our design, the spinning mesh could even be designed to \emph{be} a
Conventional HSMs are limited by the construction of their security meshes which rely on plastics as their main
structural material. The security mesh has to fit the highest components inside the HSM. Since creating a security mesh
with a non-flat surface is difficult, this means there is an inevitable gap of a few millimeters between the surface of
the payload CPU and the inside surface of the mesh. This distance is added to several millimeters of epoxy resin that
the mesh is embedded inside so as to be hard to remove intact. Overall, this leads to a structure approximately a
centimeter thick that includes several millimeters of poorly thermally conductive epoxy resin~\cite{obermaier2019}.
Even if ``thermally conductive'' resins would be used, thermal conductivity is limited to a fraction of what can be
achieved with a heatsink directly attached to the CPU. A modern high-end CPU heatsink with its fan running has a thermal
resistance from CPU junction to air of around $\SI{0.1}{\kelvin\per\watt}$. If one were to make an HSM's security mesh
out of an average thermally conductive epoxy with thermal conductivity
$k=\SI{1}{\watt\per\meter\kelvin}$~\cite{kordyban1998,shabany2009,mgchemicals2017}, the resulting thermal resistance for
a 5-by-5 centimeter, $\SI{5}{\milli\meter}$ thermal interface alone would $\SI{2}{\kelvin\per\watt}$, a more than
10-fold increase. For an acceptable temperature delta from junction to air of $\SI{60}{\kelvin}$ this yields a maximum
power dissipation of only $\SI{30}{\watt}$ compared to a theoretical $\SI{600}{\watt}$ for a conventional CPU cooler.
Given that for modern high core-count CPUs, power dissipation is mostly linear in core count and for multithreaded
applications performance is mostly linear in core count this severely limits the achievable performance in a
traditional, hermetically sealed HSM.
the payload CPU and the interior surface of the mesh. This distance is added to several millimeters of epoxy resin that
the mesh must be embedded inside for it to be hard to remove intact. Overall, this leads to a structure approximately a
centimeter thick that includes several millimeters epoxy resin with particularly poor thermal
conductivity~\cite{obermaier2019}. Even if ``thermally conductive'' resins would be used, thermal conductivity is
limited to a fraction of what can be achieved with a heatsink directly attached to the CPU. A modern high-end CPU
heatsink with its fan running has a thermal resistance from CPU junction to air of around
$\SI{0.1}{\kelvin\per\watt}$~\cite{anandtech2015}.
If one were to make an HSM's security mesh out of an average thermally conductive epoxy with thermal conductivity
$k\approx\SI{1}{\watt\per\meter\kelvin}$~\cite{kordyban1998,shabany2009,mgchemicals2017}, the resulting thermal
resistance for a 5-by-5 centimeter, $\SI{5}{\milli\meter}$ thermal interface alone would $\SI{2}{\kelvin\per\watt}$, a
more than 10-fold increase. For an acceptable temperature delta from junction to air of $\SI{60}{\kelvin}$ this yields a
maximum power dissipation of only $\SI{30}{\watt}$ compared to a theoretical $\SI{600}{\watt}$ for a conventional CPU
cooler. Given that for modern high core-count CPUs, both multithreaded performance and power dissipation are mostly
linear in core count, this severely limits the achievable performance.

This estimated performance discrepancy matches up with our observation. Vendor of conventional HSMs Thales reports
$\SI{20}{\kilo Ops\per\second}$ ECC signature operations on NIST Curve P-256 per device of their top-of-range ``Luna HSM
790''~\cite{thales2021}, which compares to be slightly more than half of the $\SI{36}{\kilo Ops\per\second}$ signing
operations that \texttt{openssl speed} in single-thread mode is able to do on an AMD Ryzen 7 PRO 4750U laptop CPU at a
power consumption of $\SI{2.0}{\watt}$ on the active core.
This estimated performance discrepancy matches up with our observation. Thales, a manufacturer of conventional HSMs
reports $\SI{20}{\kilo Ops\per\second}$ ECC signature operations on NIST Curve P-256 on one of their top-of-range
``Luna HSM 790''~\cite{thales2021}, which compares to be slightly more than half of the $\SI{36}{\kilo Ops\per\second}$
signing operations that \texttt{openssl speed} in single-thread mode is able to do on an AMD Ryzen 7 PRO 4750U laptop
CPU using $\SI{2.0}{\watt}$ of power on the active core. Using today's technology, we expect a performance jump of one
to two orders of magnitude in computing power to be feasible in an IHSM compared to a conventional HSM.

\subsection{Long-term Operation}

Like with other HSMs, practical use may require an IHSM to continuously run for a decade or even longer. As with other
setups utilizing HSMs, a setup including IHSMs must be designed in a way that the failure of a small number of IHSMs
Like with other HSMs, in a practical application an IHSM may have to run continuously for a decade or even longer. As
with any networked system, a setup including IHSMs must be designed in a way that the failure of a small number of IHSMs
does not compromise the system's security or reliability. Neither IHSMs nor traditional HSMs can withstand fire or
flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and erasure of data
cannot~\cite{heise2021ovh}. Traditionally, this problem is solved by storing all secrets in multiple, geographically
redundant HSMs~\cite{thales2015hsmha}. The problem of providing fault-tolerance in IHSMs is easier since they are based
on general-purpose computer hardware and use general-purpose operating systems and thus allow for state-of-the-art
database replication techniques to be applied. One example of this approach is a 2019 technology
demonstration~\cite{signal2019} created by the signal.org, the organization running the signal secure messenger app. In
this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019} inside Intel SGX to
replicate state between redundant instances.
redundant HSMs~\cite{thales2015hsmha}. On IHSMs this task is aided on the software layer since they are based on
general-purpose computer hardware and for state-of-the-art database replication techniques to be applied without first
porting them to an embedded operating system or foreign CPU architecture. A practical example of this approach is a 2019
technology demonstration~\cite{signal2019} created by the signal.org, the organization running the signal secure
messenger app. In this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019} inside
Intel SGX to replicate state between redundant instances.

There are three main categories of challenges to an IHSM's longevity: Failure of components of the IHSM due to age and
wear, failure of the external power supply and spurious triggering of the intrusion alarm by changes in the IHSM's
environment. In the following paragraphs we will evaluate each of these categories in its practical impact.
Excluding natural disasters there are three main categories of challenges to an IHSM's longevity: Failure of components
of the IHSM due to age and wear, failure of the external power supply and spurious triggering of the intrusion alarm by
changes in the IHSM's environment. In the following paragraphs we will evaluate each of these categories in its
practical impact.

\paragraph{Component failure.}
The failure mode of an IHSM's components is the same as in any other computer system and the same generic mitigation
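Review bot: the rewritten replication sentence has lost its verb: "since they are based on general-purpose computer hardware and for state-of-the-art database replication techniques to be applied" needs "and allow for state-of-the-art database replication techniques to be applied" (or "which allows"). Two smaller points in the new lines: "thermal interface alone would $\SI{2}{\kelvin\per\watt}$" is still missing "be" (carried over from the old line), "Thales, a manufacturer of conventional HSMs reports" wants a comma after "HSMs", and "created by the signal.org" should drop "the". The arithmetic itself checks out: $\SI{5}{\milli\meter}$ of $k=\SI{1}{\watt\per\meter\kelvin}$ epoxy over a 5-by-5 centimeter area gives $R = t/(kA) = \SI{2}{\kelvin\per\watt}$, and $\SI{60}{\kelvin}$ over $\SI{2}{\kelvin\per\watt}$ and $\SI{0.1}{\kelvin\per\watt}$ gives the stated $\SI{30}{\watt}$ and $\SI{600}{\watt}$.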
@ -411,45 +413,42 @@ considered is power loss. Traditional HSMs solve the need for an always-on backu
batteries. The low static power consumption of a traditional HSM's simple tamper detection circuitry allows for the use
of non-replaceable backup batteries. An IHSM in contrast would likely require a rechargeable backup battery since its
motor requires more power than the mesh monitoring circuit of a traditional HSM. In principle, a conventional
Uninterruptible Power Supply (UPS) can be used, but in practice a productized IHSM might have a small, simple UPS
Uninterruptible Power Supply (UPS) can be used, but in practice a productized IHSM might have a smaller backup battery
integrated into its case. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ for an
IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power
an IHSM for 10 hours continuously. If a built-in battery is undesirable, or if power outages of more than a few seconds
at a time are unlikely (e.g.\ because the IHSM is connected to an external UPS or generator), the IHSM's rotor itself
can be used as a flywheel for energy storage up to several seconds. By designing the IHSM's rotor to have low friction
loss and high mass (e.g.\ by coupling it to an actual metal flywheel), longer power outages can be bridged. % FIXME
can be used as a flywheel for energy storage up to several seconds.

\paragraph{Spurious alarms.}
A spurious alarm would be as catastrophic as a failure of a critical component of an IHSM. For this reason, the
likelihood of such an alarm failure must be minimized. In principle, there are two possible causes for a spurious alarm.
One is a component failure such as a mesh trace breaking under vibration. This failure mode can be mitigated in the same
way other failure modes are mitigated. The second possible cause is that the device is accelerated in excess of the
range expected by its designers. There are several possible causes why an IHSM might move during normal operation. The
IHSM may have to be transported between datacenters or relocated within a dataceter. Other vibrating machinery such as
backup generators or large hard disk storage arrays may conduct vibration through the rack the IHSM is mounted inside
into the IHSM. People working in the datacenter might bump the IHSM. Vibrations from nearby traffic such as trains may
couple through the ground into the datacenter and into the IHSM. Finally, earthquakes will couple through any reasonable
amount of vibration dampening.
Even with all components working to their specification, an IHSM could still catastrophically fail if for some reason
its alarm would be spuriously activated due to movement of the device. The likelihood of such an alarm failure must be
minimized, e.g.\ by employing vibration damping. There are several possible causes why an IHSM might move during
normal operation. The IHSM may have to be relocated between datacenters. Other vibrating machinery such as backup
generators or large hard disk storage arrays may conduct vibration through the rack the IHSM is mounted inside and into
the IHSM. People working in the datacenter might bump the IHSM. Vibrations from nearby traffic such as trains may
couple through the ground into the datacenter and into the IHSM. Finally, earthquakes are a common occurrence in some
regions of the world and will couple through any reasonable amount of vibration damping.

There are two key points to note on vibration dampening. One, the instantaneous mechanical power of a vibrating motion
There are two key points to note on vibration damping. One, the instantaneous mechanical power of a vibrating motion
is proportional to the square of its amplitude when fixing frequency and the cube of its frequency when fixing
amplitude. This means that to reach a certain instantaneous acceleration, much more power is needed in a high-frequency
vibrating motion compared to lower frequencies. This observation interacts the second key point we want to note here:
An ideal vibration dampener works the better the higher the frequency, and has a lower bound below which it does no
longer dampen vibration transmission~\cite{kelly1993,beards1996,dixon2007}. In conclusion, these two observations mean
that if we wish to reduce the likelihood of false detections by our IHSM tamper alarm we can effectively achieve this
goal by damping high-frequency shock and vibration, as low-frequency shock or vibration components will not reach
accelerations large enough to cause a false alarm.
An ideal vibration damper works better with higher frequencies, and has a lower bound below which it does no longer
damp vibration transmission~\cite{kelly1993,beards1996,dixon2007}. From these two observations it follows that if we
wish to reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal effectively by
damping high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations
large enough to cause a false alarm.

To put the above relations into perspective, consider that at an angular frequency of $\SI{1000}{rpm}$, we can expect an
IHSM's tamper sensor to measure an acceleration of about $\SI{100}{g}$. Even the strongest earthquakes rarely reach a
Peak Ground Acceleration (PGA) of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest PGA measured during the 2011 Tohoku
earthquake was approximately $\SI{0.3}{g}$. Since earthquake vibrations are low-frequency and happen across a large
geographic area, they nontheless dissipate a tremendous amound of mechanical power through an absolute acceleration that
may seem low at first glance, but we can largely ignore them for the purposes of our tamper detection system. As
another point of reference, consider a car crash. An acceleration above $\SI{10}{g}$ corresponds to a crash at roughly
To put this into perspective, consider that at an angular frequency of $\SI{1000}{rpm}$, we can expect an IHSM's tamper
sensor to measure an acceleration of about $\SI{100}{g}$. Even the strongest earthquakes rarely reach a Peak Ground
Acceleration (PGA) of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest PGA measured during the 2011 Tohoku earthquake
was approximately $\SI{0.3}{g}$. Since earthquake vibrations are low-frequency and happen across a large geographic
area, they dissipate a tremendous amound of mechanical power despite this at first glance seemingly low absolute
acceleration. For the purposes of our tamper detection system, we can ignore them. As another point of reference,
consider a car crash. An acceleration above $\SI{10}{g}$ corresponds to a crash at roughly
$\SI{30}{\kilo\meter\per\hour}$~\cite{ika2002}. Thus, an IHSM's tamper detection subsystem will be able to clearly
distinguish attempts to stop the IHSM's rotation at an amplitude of $\SI{100}{g}$ from external accelerations. External
distinguish attempts to stop the IHSM's rotation, producing approximately $\SI{100}{g}$ at $\SI{1000}{rpm}$. External
acceleration that would come close in order of magnitude to the operating centrifugal acceleration at the periphery of
an IHSM's rotor would likely destroy the IHSM.

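Review bot: the Tohoku PGA figure ("approximately $\SI{0.3}{g}$") still carries no citation while the neighbouring $\SI{0.1}{g}$ claim cites yoshimitsu1990; since this hunk rewrites that paragraph, add a reference for it here. Also in the new lines: "amound" (typo, carried over from the old line), "does no longer damp" should read "no longer damps", and "distinguish attempts to stop the IHSM's rotation, producing approximately $\SI{100}{g}$ at $\SI{1000}{rpm}$" reads as if the attempt produces the $\SI{100}{g}$; "rotation, which the sensor sees as roughly $\SI{100}{g}$ at $\SI{1000}{rpm}$, from external accelerations" says what the old line meant. The physics in the unchanged lines is right: for $x = A\sin(\omega t)$ the instantaneous power $F\cdot v$ scales as $A^2\omega^3$.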
@ -461,13 +460,13 @@ respond to tipping with a precession force. This could become an issue when a la
the manufacturer's premises and its destination data center. One solution to this problem is to transport the IHSM
elastically mounted inside a shipping box that is weighted to resist precession forces. To reduce the amount of
precession, the IHSM should be transported with its axis of rotation pointing upwards and its speed of rotation set to
the lower end of the range permitted by its application's security requirements. The IHSM's software could allow for a
the lower end of the range permitted by the application's security requirements. The IHSM's software could allow for a
temporary ``shipping mode'' to be entered that could slow down the IHSM and increase the tamper sensing accelerometer's
thresholds.

During shipping, the IHSM will require a continuous power supply. The most practical solution to this challenge is to
ship the IHSM along with a small backup battery. Following our conservative estimate in Section~\ref{sec-power-failure},
a 48-hour shipping window as is offered by many courier shipping services could easily be bridged with the equivalent of
a 48-hour shipping window as offered by many courier shipping services could easily be bridged with the equivalent of
5-10 laptop batteries. In case a built-in battery backup is not necessary in the IHSM's application, these batteries
could be connected as an external device akin to a ``power bank'' that is disconnected and sent back to the IHSM's
manufacturer after the IHSM has been installed.
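Review bot: the shipping-mode sentence says the mode slows the rotor and raises the accelerometer thresholds, but not who may enter it; because it deliberately lowers tamper sensitivity, one sentence stating that entering it requires an authenticated command, that it expires on its own, and that the mode change is logged would pre-empt the obvious objection. The battery arithmetic is consistent with Section~\ref{sec-power-failure}: $\SI{10}{\watt}$ over 48 hours is $\SI{480}{\watt\hour}$, i.e. about five $\SI{100}{\watt\hour}$ batteries, so "5-10" already includes a safety margin.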
@ -477,10 +476,10 @@ manufacturer after the IHSM has been installed.

After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to
attack it. At the core of an IHSM's defenses is the same security mesh or other technology as it is used in traditional
HSMs. This means that in the end an attacker will have to perform the same steps they would have to perform to attack a
HSMs. This means that ultimately an attacker will have to perform the same steps they would have to perform to attack a
traditional HSM. However, they will either need to perform these attack steps with a tool that follows the HSM's
rotation at high speed or they will first need to defeat the braking sensor. Attacking the IHSM in motion may require
specialized mechanical tools, CNC actuators or even a contactless attack using a laser, plasma jet or water jet.
rotation at high speed or they will first need to defeat the braking sensor. Attacking the IHSM in motion requires
specialized mechanical tools such as CNC actuators or for contactless attack a laser.

\subsection{Attacks that don't work}

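Review bot: the new closing sentence "specialized mechanical tools such as CNC actuators or for contactless attack a laser" needs punctuation or a rewrite, e.g. "specialized mechanical tools such as CNC actuators or, for a contactless attack, a laser". The revision also turns "may require" into "requires" while shortening the tool list; that is a stronger claim, so make sure the Swivel Chair section is the evidence for it. In the unchanged second sentence, "the same security mesh or other technology as it is used in traditional HSMs" should read "as is used in".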
@ -494,17 +493,17 @@ attacker willing to invest some effort can also try to uncover the mesh traces b
mesh, bridging over a part that will subsequently be removed. HSMs attempt to detect such attacks by measuring the mesh
traces' resistance instead of only checking their continuity~\cite{obermaier2019}. However, if an attacker only wishes
to disable a small section of the mesh to insert a handful of fine probes into the device, this hardening approach
becomes challenging. Consider a mesh is covering an area of $\SI{100}{\milli\meter}$ by $\SI{100}{\milli\meter}$. An
attacker who circumvents a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section of this mesh using wires with a low
resistance will change the mesh trace's resistance by approximately
$\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25
\%$. Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and
corresponding temperature stability of the mesh material.
becomes challenging. Consider a mesh that covers an area of $\SI{100}{\milli\meter}$ by $\SI{100}{\milli\meter}$. An
attacker who short-circuits a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section of this mesh will change the mesh
trace's resistance by approximately
$\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25 \%$.
Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding
temperature stability of the mesh material.

The second way to attack a HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between
two mesh-equipped enclosure halves. This design in particular is vulnerable to attempts to stick a fine needle through
the interface between mesh lid and PCB. Conventional HSMs mitigate this weak spot by wrapping a patterned conductive
foil that forms the security mesh around the HSM, leaving only the foil's corners and the payload's power and data
foil around the HSM that forms the security mesh, leaving only the corners and the payload's power and data
feed-through as potential weak spots.

The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An
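Review bot: the $0.25\,\%$ figure silently assumes that one continuous trace serpentines over the whole $\SI{100}{\milli\meter}$ by $\SI{100}{\milli\meter}$ area, so that shorting a $\SI{5}{\milli\meter}$ square removes $25/10000$ of its length; state that assumption, because a mesh laid out as several independent traces changes the per-trace fraction and with it the $\SI{9}{bit}$ requirement ($1/400 \approx 2^{-8.6}$, which is where the 9 bits come from). "corresponding temperature stability of the mesh material" would also be more useful as a number: the tolerable drift is the $0.25\,\%$ divided by the trace material's temperature coefficient of resistance, which the authors can fill in for their mesh material.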
@ -515,18 +514,26 @@ any fail-open failure modes.

\subsection{Attacks that work on any HSM}

While an IHSM provides an effective mitigation against direct attacks on the security mesh as described in the previous
paragraphs, certain attacks are generic against any HSM technology, conventional or IHSM. One type of such attacks are
contactless attacks such as electromagnetic (EM) sidechannel attacks. EM sidechannel attacks can be mitigated by
shielding and by designing the IHSM's payload such that critical components such as CPUs are physically distant to the
security mesh, preventing EM probes from being brought close. Conducted EMI sidechannels that could be used for power
analysis can be mitigated by placing filters on the inside of the security mesh at the point where the power and network
connections penetrate the
mesh~\cite{anderson2020}.
An IHSM provides an effective mitigation against direct attacks on the security mesh as described in the previous
paragraphs. However, there are certain generic attacks that work against any HSM technology, conventional or IHSM.
One type of such attacks are contactless attacks such as electromagnetic (EM) sidechannel attacks.
EM sidechannel attacks can be mitigated by shielding and by designing the IHSM's payload such that critical components
such as CPUs are physically distant to the security mesh, preventing EM probes from being brought close.
Conducted EMI sidechannels that could be used for power analysis can be mitigated by placing filters on the inside of
the security mesh at the point where the power and network connections penetrate the mesh~\cite{anderson2020}.
Finally, the API between the HSM's payload and the outside world provides attack surface. Attacks through the network
interface must be prevented as in any other networked system by only exposing the minimum necessary amount of API
surface to the outside world, and by carefully vetting this remaining attack surface~\cite{anderson2020}.

IHSMs do not provide an inherent benefit against such contactless attacks. However, there are two mitigating factors in
play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using
more primitive technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and
are less space-constrained. This larger volume allows for a greater physical distance between security-critical
components from places accessible to an attacker using an electromagnetic side channel probe. By allowing the use of
conventional server hardware, IHSMs additionally enable the use of modern security techniques such as MMUs and
well-audited open source software such as OpenSSL that may be unavailable on the embedded processors found in
conventional HSMs.

\subsection{The Swivel Chair Attack}
\label{sec_swivel_chair_attack}

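Review bot: the unchanged paragraph that follows opens with "IHSMs do not provide an inherent benefit against such contactless attacks", but the newly added sentences on API attack surface now sit between it and the EM side-channel discussion it refers to, so "such contactless attacks" no longer has its antecedent; either move the API sentences to the end of the subsection or change the back-reference to "against these EM side-channel attacks". Two grammar points in the new lines: "One type of such attacks are" should be "is", and "physically distant to the security mesh" should be "distant from".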
@ -556,29 +563,28 @@ kind of mechanical tool.
\label{fig_attack_robot}
\end{figure}


While it is certainly possible to create a mechanical tool to attack an IHSM in motion, we also consider this attack
method reasonably remote. Figure~\ref{fig_attack_robot} shows a schematic overview of what such an attack tool would
have to look like. Most fundamentally, the tool itself has to rotate at the IHSM's speed, and cannot simply rotate the
IHSM. If the tool were to counter-rotate the IHSM such that relative to a stationary observer the rotor would be slowed
down, the accelerometer on the rotor would measure lower centrifugal acceleration and detect this attempt. Instead, the
attack tool has to follow the rotation of the IHSM. At the high speeds an IHSM would be rotating at, following the
rotation closely enough that a manipulator mounted on the attack tool is stationary w.r.t.\ the IHSM is not easy. To
stay within $\pm\SI{5}{\milli\meter}$ of a target over a period of $\SI{10}{\second}$ on an IHSM mesh with radius
$r=\SI{100}{\milli\meter}$ requires both speeds to be matched to better than
Figure~\ref{fig_attack_robot} shows a schematic overview of the structure of such a rotating attack tool.
A first point to note is that the tool itself has to rotate at the IHSM's speed.
If we were to counter-rotate the IHSM such that relative to a stationary observer the rotor would be slowed
down, the accelerometer on the rotor would measure lower centrifugal acceleration and detect the manipulation attempt.
To follow an IHSM's rotation closely enough that a manipulator mounted on the attack tool is stationary w.r.t.\ the IHSM
is hard. Let us assume a small IHSM mesh with radius $r=\SI{100}{\milli\meter}$.
To keep a manipulator stationary within a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ window over a period of
$\SI{10}{\second}$ requires attack tool and IHSM speeds to be matched to an accuracy better than
$\frac{\SI{5}{\milli\meter}}{\SI{10}{\second}} \cdot \frac{1}{2\pi r} = \SI{8.0}{\milli\hertz} = \SI{0.048}{rpm}$.
Relative to a realsistic IHSM's speed of $\SI{1000}{rpm}$ this corresponds to approximately $\SI{50}{ppm}$. Active servo
control of the attack tool's rotation locked against optical tracking of the IHSM's rotor would likely be the most
realistic option to achieve this precision. This strict accuracy requirement leads to a complex attack setup.
Relative to a realsistic IHSM's speed of $\SI{1000}{rpm}$ this corresponds to approximately $\SI{50}{ppm}$.
Achieving this accuracy would likely require active servo control of the attack tool's rotation that is locked by
optically tracking of the IHSM's rotor.

If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a
remote-controlled manipulator that can be mounted on the attack tool's rotating stage and that is able to actually
disable the IHSM's mesh. Consider that simply bypassing the mesh e.g. by drilling an undetected hole does not gain an
attacker much in this scenario, as the payload is stationary and an attack tool rotating at $\SI{1000}{rpm}$ is useless
against it. Instead, the attacker would have to disable the mesh using the rotating tool, in order to then cut an
opening into it through which they could insert a stationary tool to attack the payload with. Given the degree of manual
skill necessary even for normal soldering work, we estimate that creating a remote-controllable manipulator that can be
used to successfully attack a security mesh is infeasible.
remote-controlled manipulator that can be mounted on the attack tool's rotating stage that is able to disable the IHSM's
mesh.
To complicate matters, the attacker will not succeed by simply drilling a small undetected hole into the mesh.
While both mesh and attack tool are spinning, the payload is stationary.
The attacker thus has to create an opening in the mesh large enough that the attacker can insert a second set of
\emph{stationary} probes to contact the payload.
In conclusion, we estimate that creating a rotating, remote-controllable manipulator that can be used to successfully
attack a security mesh is infeasible given the degree of manual skill necessary even for normal soldering work.

\subsection{Mechanical weak spots}

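Review bot: the unchanged formula line does not agree with its own terms: $\SI{5}{\milli\meter}/\SI{10}{\second} = \SI{0.5}{\milli\meter\per\second}$ divided by $2\pi\cdot\SI{100}{\milli\meter} \approx \SI{628}{\milli\meter}$ is $\SI{0.80}{\milli\hertz}$, not $\SI{8.0}{\milli\hertz}$; the $\SI{0.048}{rpm}$ and $\SI{50}{ppm}$ that follow are consistent with $\SI{0.80}{\milli\hertz}$ ($0.8 \cdot 10^{-3} \cdot 60 \approx 0.048$), so only the mHz value needs correcting, and since this hunk rewrites the sentences around it, this is the place to do it. Also in the new lines: "realsistic" (typo, carried over from the old line), "locked by optically tracking of the IHSM's rotor" should read "locked to optical tracking of the IHSM's rotor", and "manipulator that can be mounted on the attack tool's rotating stage that is able to disable" stacks two "that" clauses; "rotating stage and is able to disable" reads cleanly.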
@ -850,6 +856,27 @@ lines indicate centrifugal acceleration as calculated from rotor speed measureme
measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the
accelerometer's intrinsic errors as well as error in its placement due to construction tolerances.

\begin{figure}
\begin{subfigure}{0.5\textwidth}
\center
\includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-steps-run50.pdf}
\caption{Raw recording of accelerometer measurements during one experiment run. Shaded areas indicate time
intervals when we manually adjusted speed.}
\label{fig-acc-steps}
\end{subfigure}
\hfill
\begin{subfigure}{0.45\textwidth}
\center
\includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-stacked-run50.pdf}
\caption{Valid measurements cropped out from \ref{fig-acc-steps} for various frequencies. Intermodulation
artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SI{3}{\hertz}$ to
$\SI{18}{\hertz}$ rotation frequency due to gravity and device vibration are clearly visible.}
\label{fig-acc-stacked}
\end{subfigure}
\label{fig-acc-traces}
\caption{Traces of acceleration measurements during one experiment run.}
\end{figure}

The accelerometer's primary intrinsic errors are offset error and scale error. Offset error is a fixed additive offset
to all measurements. Scale error is an error proportional to a measurements value that results from a deviation between
the device's specified and actual sensitivity. We correct for both errors by first extracting all stable intervals from
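Review bot: in the figure being moved here, \label{fig-acc-traces} precedes \caption{...}, so the label picks up whatever counter was stepped last (the second subfigure) instead of the figure number; move the \label after the \caption. Two smaller LaTeX points while the block is being touched: the bare \center inside each subfigure is the start of the center environment (a trivlist that is never closed), and \centering is the declaration intended here; and "cropped out from \ref{fig-acc-steps}" wants a "Figure~" prefix (or \subref) so the reference reads as one. In the unchanged sentence above the figure, "the main source of error are" should be "is".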
@ -884,27 +911,6 @@ without stopping the rotor.
\label{fig-acc-theory}
\end{figure}

\begin{figure}
\begin{subfigure}{0.5\textwidth}
\center
\includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-steps-run50.pdf}
\caption{Raw recording of accelerometer measurements during one experiment run. Shaded areas indicate time
intervals when we manually adjusted speed.}
\label{fig-acc-steps}
\end{subfigure}
\hfill
\begin{subfigure}{0.45\textwidth}
\center
\includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-stacked-run50.pdf}
\caption{Valid measurements cropped out from \ref{fig-acc-steps} for various frequencies. Intermodulation
artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SI{3}{\hertz}$ to
$\SI{18}{\hertz}$ rotation frequency due to gravity and device vibration are clearly visible.}
\label{fig-acc-stacked}
\end{subfigure}
\label{fig-acc-traces}
\caption{Traces of acceleration measurements during one experiment run.}
\end{figure}

\section{Conclusion}
\label{sec_conclusion}

@ -924,10 +930,11 @@ allow the construction of devices secure against a wide range of practical attac
specialized tools. The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with
traditional HSMs. Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful
computing hardware inside the HSM. We hope that this simple construction will stimulate academic research into (more)
secure hardware. We have published all design artifacts of our PoC online, see Appendix~\ref{sec_repo}. The next steps
towards a practical application of our design will be to design a manufacturable stator/rotor interface with inductive
power and data transfer integrated into the motor's magnetics and a custom motor driver tuned for the application that
is able to precisely measure both angular velocity and winding current for an added degree of tamper detection.
secure hardware. We have published all design artifacts of our PoC online, please refer to Appendix~\ref{sec_repo} for
details. The next steps towards a practical application of our design will be to design a manufacturable stator/rotor
interface with inductive power and data transfer integrated into the motor's magnetics and a custom motor driver tuned
for the application that is able to precisely measure both angular velocity and winding current for an added degree of
tamper detection.

\printbibliography[heading=bibintoc]

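Review bot: the final sentence of the new text packs two distinct next steps (the manufacturable stator/rotor interface with inductive power and data transfer, and the custom motor driver that measures angular velocity and winding current) into one fifty-word sentence; split it in two, and add a clause on what the winding-current measurement detects that the accelerometer does not, since that is the security payoff the sentence promises with "an added degree of tamper detection". "please refer to Appendix~\ref{sec_repo} for details" is fine as a replacement for "see Appendix~\ref{sec_repo}".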