From a13fd9f969e7adf4b3ab874556f642da2b2972fb Mon Sep 17 00:00:00 2001
From: jaseg
Date: Fri, 9 Jul 2021 17:33:47 +0200
Subject: [PATCH] More detail on attacks, future work

---
 paper/attack-robot.pdf | Bin 0 -> 6266 bytes
 paper/attack-robot.svg | 463 +++++++++++++++++++++++++++++++++++++++++
 paper/ihsm_paper.tex | 92 ++++++--
 3 files changed, 541 insertions(+), 14 deletions(-)
 create mode 100644 paper/attack-robot.pdf
 create mode 100644 paper/attack-robot.svg
diff --git a/paper/attack-robot.pdf b/paper/attack-robot.pdf new file mode 100644 index 0000000000000000000000000000000000000000..543fe66e09c9e74bbea3167e2d2bb83e0b986871 GIT binary patch literal 6266
diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex index 6b6109f..e426306 100644 --- a/paper/ihsm_paper.tex +++ b/paper/ihsm_paper.tex
@@ -488,19 +488,44 @@ In the sections below, we will go into detail on such attacks on IHSMs. To put t we will start with a brief overview on attacks on conventional HSMs that the IHSM is defended against. %FIXME \paragraph{...} -\subsection{Contactless probing of the payload} +In principle, there are three ways to attack a conventional HSM. The hard way is to find a way to go through the +security mesh without triggering the alarm, e.g.\ by using a probe that is finer than the mesh's structure size. An +attacker willing to invest some effort can also try to uncover the mesh traces buried in plastic to then hot-wire the +mesh, bridging over a part that will subsequently be removed. HSMs attempt to detect such attacks by measuring the mesh +traces' resistance instead of only checking their continuity~\cite{obermaier2019}. However, if an attacker only wishes +to disable a small section of the mesh to insert a handful of fine probes into the device, this hardening approach +becomes challenging. Consider a mesh is covering an area of $\SI{100}{\milli\meter}$ by $\SI{100}{\milli\meter}$. An +attacker who circumvents a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section of this mesh using wires with a low +resistance will change the mesh trace's resistance by approximately +$\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25 +\%$. Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and +corresponding temperature stability of the mesh material. -Irrespective of the HSM's technology (conventional or IHSM), there are some types of attack bypassing the HSM's security -mesh that in principle cannot be prevented. One such type are contactless attacks such as electromagnetic (EM) -sidechannel attacks, but attacks through the HSM's application interface such as Ethernet also follow this theme. 
While -IHSMs allow for the use of off-the-shelf server hardware as their payload, the combination of payload hardware and the -software running on top of this hardware still has to be evaluated for fitness in this particular application. EM -sidechannel attacks can be mitigated by shielding and by designing the IHSM's payload such that critical components such -as CPUs are physically distant to the security mesh, preventing EM probes from being brought close. Conducted EMI -sidechannels that could be used for power analysis can be mitigated by placing filters on the inside of the security -mesh at the point where the power and network connections penetrate the mesh. Attacks through the network interface must -be prevented as in any other networked system by only exposing the minimum necessary amount of API surface to the -outside world, and by carefully vetting this remaining attack surface. +The second way to attack a HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between +two mesh-equipped enclosure halves. This design in particular is vulnerable to attempts to stick a fine needle through +the interface between mesh lid and PCB. Conventional HSMs mitigate this weak spot by wrapping a patterned conductive +foil that forms the security mesh around the HSM, leaving only the foil's corners and the payload's power and data +feed-through as potential weak spots. + +The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An +attacker may need to insert several probes to wiretap the payload processor's secrets, but depending on its +implementation they may be able to disable the mesh alarm circuit with only one. To harden a conventional HSM against +this type of attack, the mesh monitoring circuit must be carefully designed to avoid single points of failure as well as +any fail-open failure modes. 
+ +\subsection{Attacks that work on any HSM} + +While an IHSM provides an effective mitigation against direct attacks on the security mesh as described in the previous +paragraphs, certain attacks are generic against any HSM technology, conventional or IHSM. One type of such attacks are +contactless attacks such as electromagnetic (EM) sidechannel attacks. EM sidechannel attacks can be mitigated by +shielding and by designing the IHSM's payload such that critical components such as CPUs are physically distant to the +security mesh, preventing EM probes from being brought close. Conducted EMI sidechannels that could be used for power +analysis can be mitigated by placing filters on the inside of the security mesh at the point where the power and network +connections penetrate the +mesh~\cite{anderson2020}. +Finally, the API between the HSM's payload and the outside world provides attack surface. Attacks through the network +interface must be prevented as in any other networked system by only exposing the minimum necessary amount of API +surface to the outside world, and by carefully vetting this remaining attack surface~\cite{anderson2020}. \subsection{The Swivel Chair Attack} \label{sec_swivel_chair_attack} 
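Review bot: In the rewritten subsection "Attacks that work on any HSM", the removed sentence saying that the combination of payload hardware and software "still has to be evaluated for fitness in this particular application" has no replacement, so the caveat that an off-the-shelf payload needs its own evaluation is lost; consider keeping it next to the new sentence on API attack surface. The keys \cite{obermaier2019}, \cite{dexter2015} and \cite{anderson2020} should be checked against the bibliography, since the diffstat lists no bibliography file among the three changed files. Minor points: the context line "%FIXME \paragraph{...}" still sits directly above the new paragraph on the three ways to attack a conventional HSM, "Consider a mesh is covering" should read "Consider a mesh covering", and the second \cite{anderson2020} is broken oddly across "connections penetrate the" / "mesh~\cite{anderson2020}.".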
@@ -520,6 +545,41 @@ acceleration is $a=\omega^2 r$. In our example this results in a minimum angular $\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some kind of mechanical tool. +\begin{figure} + \center + \includegraphics[width=6cm]{attack-robot.pdf} + \caption{Schematic overview of a robotic rotating-stage attack. An optical sensor (1) observes the IHSM's rotation + and adjusts the setpoint of a servo motor (2) that rotates the attack stage (3). On the rotating attack stage, a + remote controlled manipulator (4) is mounted that deactivates the security mesh (7) and creates an opening (5). + Through this opening, a human operator can then insert tools such as probes to read out sensitive information from + the actual payload (6).} + \label{fig_attack_robot} +\end{figure} + + +While it is certainly possible to create a mechanical tool to attack an IHSM in motion, we also consider this attack +method reasonably remote. Figure~\ref{fig_attack_robot} shows a schematic overview of what such an attack tool would +have to look like. Most fundamentally, the tool itself has to rotate at the IHSM's speed, and cannot simply rotate the +IHSM. If the tool were to counter-rotate the IHSM such that relative to a stationary observer the rotor would be slowed +down, the accelerometer on the rotor would measure lower centrifugal acceleration and detect this attempt. Instead, the +attack tool has to follow the rotation of the IHSM. At the high speeds an IHSM would be rotating at, following the +rotation closely enough that a manipulator mounted on the attack tool is stationary w.r.t.\ the IHSM is not easy. To +stay within $\pm\SI{5}{\milli\meter}$ of a target over a period of $\SI{10}{\second}$ on an IHSM mesh with radius +$r=\SI{100}{\milli\meter}$ requires both speeds to be matched to better than +$\frac{\SI{5}{\milli\meter}}{\SI{10}{\second}} \cdot \frac{1}{2\pi r} = \SI{8.0}{\milli\hertz} = \SI{0.048}{rpm}$. 
+Relative to a realsistic IHSM's speed of $\SI{1000}{rpm}$ this corresponds to approximately $\SI{50}{ppm}$. Active servo +control of the attack tool's rotation locked against optical tracking of the IHSM's rotor would likely be the most +realistic option to achieve this precision. This strict accuracy requirement leads to a complex attack setup. + +If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a +remote-controlled manipulator that can be mounted on the attack tool's rotating stage and that is able to actually +disable the IHSM's mesh. Consider that simply bypassing the mesh e.g. by drilling an undetected hole does not gain an +attacker much in this scenario, as the payload is stationary and an attack tool rotating at $\SI{1000}{rpm}$ is useless +against it. Instead, the attacker would have to disable the mesh using the rotating tool, in order to then cut an +opening into it through which they could insert a stationary tool to attack the payload with. Given the degree of manual +skill necessary even for normal soldering work, we estimate that creating a remote-controllable manipulator that can be +used to successfully attack a security mesh is infeasible. + \subsection{Mechanical weak spots} The tamper defense of an IHSM rests on the security mesh moving too fast to tamper. Depending on the type of motion 
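Review bot: The tracking-accuracy formula in the paragraph after the new figure has an intermediate value that is off by a factor of ten: with r = 100 mm, (5 mm / 10 s) · 1/(2πr) is about 0.80 mHz, not "\SI{8.0}{\milli\hertz}". The "\SI{0.048}{rpm}" that follows and the figure of approximately 50 ppm at 1000 rpm are both consistent with 0.80 mHz, so only the millihertz value needs correcting. Also in this hunk: "realsistic" should be "realistic", "\center" inside the figure environment should be "\centering", and "e.g. by drilling" lacks the "e.g.\ " spacing used in the first hunk.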
@@ -864,12 +924,16 @@ allow the construction of devices secure against a wide range of practical attac specialized tools. The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with traditional HSMs. Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful computing hardware inside the HSM. We hope that this simple construction will stimulate academic research into (more) -secure hardware. +secure hardware. We have published all design artifacts of our PoC online, see Appendix~\ref{sec_repo}. The next steps +towards a practical application of our design will be to design a manufacturable stator/rotor interface with inductive +power and data transfer integrated into the motor's magnetics and a custom motor driver tuned for the application that +is able to precisely measure both angular velocity and winding current for an added degree of tamper detection. \printbibliography[heading=bibintoc] \appendix -\section{Source code and Design artifacts} +\section{Source code and design artifacts} +\label{sec_repo} During our research on this paper, we have created a number of digital design artifacts including a 3D mechanical CAD model of our prototype IHSM, schematics and PCB layouts for all of its PCBs including the prototype security mesh
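Review bot: The future-work text appended to the conclusion is a single sentence running from "The next steps towards a practical application" to "an added degree of tamper detection" that packs the stator/rotor interface, the inductive power and data transfer, and the custom motor driver into one clause chain; splitting it, and saying in a few words how the angular velocity and winding current measurements would feed tamper detection, would make the claim easier to assess. "We have published all design artifacts of our PoC online, see Appendix~\ref{sec_repo}." is a comma splice; a full stop or parentheses around the reference would fix it.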