jaseg/ihsm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

major review work

Browse source
This commit is contained in:
jaseg 2021-07-07 17:26:50 +02:00
parent 63040fbade
commit ab8b56fa00
2 changed files with 355 additions and 157 deletions
Download patch file Download diff file Expand all files Collapse all files

416
paper/ihsm.bib
View file

@ -1,12 +1,12 @@
% Encoding: UTF-8 % Encoding: UTF-8
@comment{x-kbibtex-encoding=utf-8} @comment{x-kbibtex-encoding=utf-8}
@Book{anderson2020, @Book{anderson2020,
author = {Ross Anderson}, author = {Ross Anderson},
date = {2020-09-16}, date = {2020-09-16},
title = {Security Engineering}, title = {Security Engineering},
isbn = {978-1-119-64281-7}, isbn = {978-1-119-64281-7},
} }
@techreport{gs21, @techreport{gs21,
author = {{\censorIfSubmission{Jan Sebastian Götte and Björn Scheuermann}}}, author = {{\censorIfSubmission{Jan Sebastian Götte and Björn Scheuermann}}},
@ -71,13 +71,13 @@
title = {Cocoon-PUF, a novel mechatronic secure element technology}, title = {Cocoon-PUF, a novel mechatronic secure element technology},
year = {2012} year = {2012}
} }
@Patent{rahman1988, @Patent{rahman1988,
author = {Mujib Rahman}, author = {Mujib Rahman},
date = {1988-03-10}, date = {1988-03-10},
number = {US Patent US4859024A}, number = {US Patent US4859024A},
title = {Optical fiber cable with tampering detecting means}, title = {Optical fiber cable with tampering detecting means},
} }
@www{haines2006, @www{haines2006,
author = {Lester Haines}, author = {Lester Haines},
@ -97,39 +97,86 @@
url = {https://dl.acm.org/doi/fullHtml/10.1145/3380774.3382016}, url = {https://dl.acm.org/doi/fullHtml/10.1145/3380774.3382016},
urldate = {2020-10-22} urldate = {2020-10-22}
} }
@Article{albartus2020, @Article{albartus2020,
author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar}, author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar},
date = {2020}, date = {2020},
title = {{DANA} Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering}, title = {{DANA} Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering},
doi = {10.13154/tches.v2020.i4.309-336}, doi = {10.13154/tches.v2020.i4.309-336},
number = {4}, number = {4},
pages = {309336}, pages = {309336},
volume = {2020}, volume = {2020},
bibsource = {dblp computer science bibliography, https://dblp.org}, bibsource = {dblp computer science bibliography, https://dblp.org},
biburl = {https://dblp.org/rec/journals/tches/AlbartusHTAP20.bib}, biburl = {https://dblp.org/rec/journals/tches/AlbartusHTAP20.bib},
journal = {{IACR} Transactions on Cryptographic Hardware and Embedded Systems}, journal = {{IACR} Transactions on Cryptographic Hardware and Embedded Systems},
year = {2020}, year = {2020},
} }
@InProceedings{trippel2017, @InProceedings{trippel2017,
author = {Timothy Trippel and Ofir Weisse and Wenyuan Xu and Peter Honeyman and Kevin Fu}, author = {Timothy Trippel and Ofir Weisse and Wenyuan Xu and Peter Honeyman and Kevin Fu},
booktitle = {2017 IEEE European symposium on security and privacy}, booktitle = {2017 IEEE European symposium on security and privacy},
title = {WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks}, title = {WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks},
organization = {IEEE}, organization = {IEEE},
pages = {318}, pages = {318},
x-fetchedfrom = {Google Scholar}, x-fetchedfrom = {Google Scholar},
year = {2017}, year = {2017},
} }
@WWW{heise2020t2jailbreak, @WWW{heise2020t2jailbreak,
author = {Leo Becker}, author = {Leo Becker},
date = {2020-03-11}, date = {2020-03-11},
title = {Jailbreaker nehmen T2-Sicherheitschip von Macs ins Visier}, title = {Jailbreaker nehmen T2-Sicherheitschip von Macs ins Visier},
url = {https://www.heise.de/mac-and-i/meldung/Jailbreaker-nehmen-T2-Sicherheitschip-von-Macs-ins-Visier-4681131.html}, url = {https://www.heise.de/mac-and-i/meldung/Jailbreaker-nehmen-T2-Sicherheitschip-von-Macs-ins-Visier-4681131.html},
organization = {Heise Online}, organization = {Heise Online},
publisher = {Heise Online}, publisher = {Heise Online},
} }
@WWW{faa2018,
author = {US Federal Aviation Administration},
date = {2018-05-31},
title = {Pack Safe: Batteries, lithium},
url = {https://www.faa.gov/hazmat/packsafe/more_info/?hazmat=7},
publisher = {US Federal Aviation Administration},
}
@WWW{heise2021ovh,
author = {Martin Holland},
date = {2021-03-10},
title = {Cloud-Dienstleister OVH: Feuer zerstört Rechenzentrum, ein weiteres beschädigt},
url = {https://www.heise.de/news/OVH-Feuer-zerstoert-Rechenzentrum-in-Strassburg-ein-weiteres-beschaedigt-5076320.html},
organization = {Heise Online},
publisher = {Heise Online},
}
@WWW{signal2019,
author = {Joshua Lund},
date = {2019-12-19},
title = {Technology Preview for secure value recovery},
url = {https://signal.org/blog/secure-value-recovery/},
organization = {signal.org},
publisher = {signal.org},
}
@InProceedings{ongaro2019,
author = {Diego Ongaro and John Ousterhout},
title = {In Search of an Understandable Consensus Algorithm},
booktitle = {2014 {USENIX} Annual Technical Conference ({USENIX} {ATC} 14)},
year = {2014},
isbn = {978-1-931971-10-2},
address = {Philadelphia, PA},
pages = {305--319},
url = {https://www.usenix.org/conference/atc14/technical-sessions/presentation/ongaro},
publisher = {{USENIX} Association},
month = jun,
}
@WWW{thales2015hsmha,
author = {Gemalto NV},
date = {2015-12-18},
title = {SafeNet PCI-E HSM 6.2 Product Documentation: High Availability (HA) Overview},
url = {https://thalesdocs.com/gphsm/luna/6.2/docs/pci/Content/administration/ha/ha_overview.htm},
publisher = {Gemalto NV},
}
@article{kim2018, @article{kim2018,
author = {Seung Hyun Kim and Su Chang Lim and others}, author = {Seung Hyun Kim and Su Chang Lim and others},
@ -141,27 +188,27 @@
x-fetchedfrom = {Google Scholar}, x-fetchedfrom = {Google Scholar},
year = {2018} year = {2018}
} }
@Conference{johnson2018, @Conference{johnson2018,
author = {Scott Johnson and Dominic Rizzo and Parthasarathy Ranganathan and Jon McCune and Richard Ho}, author = {Scott Johnson and Dominic Rizzo and Parthasarathy Ranganathan and Jon McCune and Richard Ho},
booktitle = {Hot Chips: A Symposium on High Performance Chips}, booktitle = {Hot Chips: A Symposium on High Performance Chips},
date = {2018}, date = {2018},
title = {Titan: enabling a transparent silicon root of trust for Cloud}, title = {Titan: enabling a transparent silicon root of trust for Cloud},
url = {https://www.hotchips.org/hc30/1conf/1.14_Google_Titan_GoogleFinalTitanHotChips2018.pdf}, url = {https://www.hotchips.org/hc30/1conf/1.14_Google_Titan_GoogleFinalTitanHotChips2018.pdf},
x-fetchedfrom = {Google Scholar}, x-fetchedfrom = {Google Scholar},
year = {2018}, year = {2018},
} }
@TechReport{isaacs2013, @TechReport{isaacs2013,
author = {Phil Isaacs and Thomas {Morris Jr} and Michael J Fisher and Keith Cuthbert}, author = {Phil Isaacs and Thomas {Morris Jr} and Michael J Fisher and Keith Cuthbert},
date = {2013}, date = {2013},
institution = {Surface Mount Technology Association}, institution = {Surface Mount Technology Association},
title = {Tamper proof, tamper evident encryption technology}, title = {Tamper proof, tamper evident encryption technology},
booktitle = {Pan Pacific Microelectronics Symposium}, booktitle = {Pan Pacific Microelectronics Symposium},
organization = {Surface Mount Technology Association}, organization = {Surface Mount Technology Association},
x-fetchedfrom = {Google Scholar}, x-fetchedfrom = {Google Scholar},
year = {2013}, year = {2013},
} }
@inproceedings{drimer2008, @inproceedings{drimer2008,
author = {Saar Drimer and Steven J Murdoch and Ross Anderson}, author = {Saar Drimer and Steven J Murdoch and Ross Anderson},
@ -172,90 +219,145 @@
x-fetchedfrom = {Google Scholar}, x-fetchedfrom = {Google Scholar},
year = {2008} year = {2008}
} }
@WWW{terdiman2013, @WWW{terdiman2013,
author = {Daniel Terdiman}, author = {Daniel Terdiman},
date = {2013-07-23}, date = {2013-07-23},
title = {Aboard America's Doomsday command and control plane}, title = {Aboard America's Doomsday command and control plane},
url = {https://www.cnet.com/news/aboard-americas-doomsday-command-and-control-plane}, url = {https://www.cnet.com/news/aboard-americas-doomsday-command-and-control-plane},
organization = {cnet.com}, organization = {cnet.com},
month = jul, month = jul,
publisher = {CNET}, publisher = {CNET},
year = {2013}, year = {2013},
} }
@Thesis{vrijaldenhoven2004, @Thesis{vrijaldenhoven2004,
author = {Serge Vrijaldenhoven}, author = {Serge Vrijaldenhoven},
date = {2004-10-01}, date = {2004-10-01},
institution = {Technische Universiteit Eindhoven}, institution = {Technische Universiteit Eindhoven},
title = {Acoustical Physical Uncloneable Functions}, title = {Acoustical Physical Uncloneable Functions},
type = {mathesis}, type = {mathesis},
url = {https://pure.tue.nl/ws/files/46971492/600055-1.pdf}, url = {https://pure.tue.nl/ws/files/46971492/600055-1.pdf},
} }
@WWW{dexter2015, @WWW{dexter2015,
author = {Karsten Nohl and Fabian Bräunlein and dexter}, author = {Karsten Nohl and Fabian Bräunlein and dexter},
date = {2015-12-27}, date = {2015-12-27},
title = {Shopshifting: The potential for payment system abuse}, title = {Shopshifting: The potential for payment system abuse},
url = {https://media.ccc.de/v/32c3-7368-shopshifting#t=2452}, url = {https://media.ccc.de/v/32c3-7368-shopshifting#t=2452},
organization = {32C3 Chaos Communication Congress}, organization = {32C3 Chaos Communication Congress},
} }
@WWW{newman2020, @WWW{newman2020,
author = {Lily Hay Newman}, author = {Lily Hay Newman},
date = {2020-10-06}, date = {2020-10-06},
title = {Apple's T2 Security Chip Has an Unfixable Flaw}, title = {Apple's T2 Security Chip Has an Unfixable Flaw},
url = {https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/}, url = {https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/},
organization = {Wired Magazine}, organization = {Wired Magazine},
} }
@Article{sh2016, @Article{sh2016,
author = {Maruthi G. S. and Vishwanath Hegde}, author = {Maruthi G. S. and Vishwanath Hegde},
date = {2016}, date = {2016},
journaltitle = {IEEE Sensors Journal}, journaltitle = {IEEE Sensors Journal},
title = {Application of MEMS Accelerometer for Detection and Diagnosis of Multiple Faults in the Roller Element Bearings of Three Phase Induction Motor}, title = {Application of MEMS Accelerometer for Detection and Diagnosis of Multiple Faults in the Roller Element Bearings of Three Phase Induction Motor},
doi = {https://doi.org/10.1109/JSEN.2015.2476561}, doi = {https://doi.org/10.1109/JSEN.2015.2476561},
issn = {1558-1748}, issn = {1558-1748},
issue = {1}, issue = {1},
url = {https://www.researchgate.net/profile/Vishwanath-Hegde-2/publication/282389149_Application_of_MEMS_Accelerometer_for_Detection_and_Diagnosis_of_Multiple_Faults_in_the_Roller_Element_Bearings_of_Three_Phase_Induction_Motor/links/568bace808aebccc4e1c01fa/Application-of-MEMS-Accelerometer-for-Detection-and-Diagnosis-of-Multiple-Faults-in-the-Roller-Element-Bearings-of-Three-Phase-Induction-Motor.pdf}, url = {https://www.researchgate.net/profile/Vishwanath-Hegde-2/publication/282389149_Application_of_MEMS_Accelerometer_for_Detection_and_Diagnosis_of_Multiple_Faults_in_the_Roller_Element_Bearings_of_Three_Phase_Induction_Motor/links/568bace808aebccc4e1c01fa/Application-of-MEMS-Accelerometer-for-Detection-and-Diagnosis-of-Multiple-Faults-in-the-Roller-Element-Bearings-of-Three-Phase-Induction-Motor.pdf},
volume = {16}, volume = {16},
} }
@Article{kvk2019, @Article{kvk2019,
author = {Ivar Koene and Raine Viitala and Petri Kuosmanen}, author = {Ivar Koene and Raine Viitala and Petri Kuosmanen},
date = {2019}, date = {2019},
journaltitle = {IEEE Access}, journaltitle = {IEEE Access},
title = {Internet of Things Based Monitoring of Large Rotor Vibration With a Microelectromechanical Systems Accelerometer}, title = {Internet of Things Based Monitoring of Large Rotor Vibration With a Microelectromechanical Systems Accelerometer},
doi = {https://doi.org/10.1109/ACCESS.2019.2927793}, doi = {https://doi.org/10.1109/ACCESS.2019.2927793},
} }
@TechReport{adc2019, @TechReport{adc2019,
author = {Bertrand Campagnie}, author = {Bertrand Campagnie},
date = {2019}, date = {2019},
institution = {Analog Devices}, institution = {Analog Devices},
title = {Choose the Right Accelerometer for Predictive Maintenance}, title = {Choose the Right Accelerometer for Predictive Maintenance},
url = {https://www.analog.com/media/en/technical-documentation/tech-articles/Choose-the-Right-Accelerometer-for-Predictive-Maintenance.pdf}, url = {https://www.analog.com/media/en/technical-documentation/tech-articles/Choose-the-Right-Accelerometer-for-Predictive-Maintenance.pdf},
urldate = {2021-04-01}, urldate = {2021-04-01},
} }
@PhdThesis{e2013, @PhdThesis{e2013,
author = {Maged Elsaid Elnady}, author = {Maged Elsaid Elnady},
date = {2013}, date = {2013},
institution = {University of Manchester}, institution = {University of Manchester},
title = {On-Shaft Vibration Measurement Using a MEMS Accelerometer for Faults Diagnosis in Rotating Machines}, title = {On-Shaft Vibration Measurement Using a MEMS Accelerometer for Faults Diagnosis in Rotating Machines},
url = {https://www.research.manchester.ac.uk/portal/files/54530535/FULL_TEXT.PDF}, url = {https://www.research.manchester.ac.uk/portal/files/54530535/FULL_TEXT.PDF},
urldate = {2021-04-01}, urldate = {2021-04-01},
} }
@Book{iaea2011, @Book{iaea2011,
author = {{{International Atomic Energy Agency}}}, author = {{{International Atomic Energy Agency}}},
date = {2011}, date = {2011},
title = {Safeguards, techniques and equipment}, title = {Safeguards, techniques and equipment},
isbn = {978-92-0-118910-3}, isbn = {978-92-0-118910-3},
series = {International Nuclear Verification Series}, series = {International Nuclear Verification Series},
url = {https://www-pub.iaea.org/MTCD/Publications/PDF/nvs1_web.pdf}, url = {https://www-pub.iaea.org/MTCD/Publications/PDF/nvs1_web.pdf},
urldate = {2021-04-01}, urldate = {2021-04-01},
volume = {1}, volume = {1},
} }
@Comment{jabref-meta: databaseType:biblatex;} @Book{kelly1993,
author = {S. Graham Kelly},
edition = {2},
date = {1993},
title = {Fundamentals of Mechanical Vibrations},
isbn = {0-07-230092-2},
publisher = {McGraw-Hill},
series = {McGraw-Hill Series in Mechanical Engineering},
}
@Book{dixon2007,
author = {John C. Dixon},
title = {The Shock Absorber Handbook},
date = {2007},
isbn = {978-0-470-51020-9},
publisher = {Wiley},
}
@Book{beards1996,
author = {C. F. Beards},
title = {Structural Vibration: Analysis and Damping},
date = {1996},
publisher = {Wiley},
isbn = {0-340-64580-6},
}
@InProceedings{irikura2012,
title = {High Acceleration Motions generated from the 2011 Pacific coast off Tohoku, Japan Earthquake},
author = {Irikura, K and Kurahashi, S},
date = {2012},
booktitle = {Proceedings of the 15th World Conference on Earthquake Engineering},
pages = {24-28},
}
@WWW{ika2002,
title = {A test procedure for airbags},
year = {2002},
organization = {Rheinisch-Westfälischen Technischen Hochschule (RWTH) Aachen, Institut für Kraftfahrwesen Aachen (IKA)},
publisher = {International Motor Vehicle Inspection Commitee},
series = {CITA Research study programme on Electronically controlled systems on vehicles},
}
@article{yoshimitsu1990,
author = {Fukushima, Yoshimitsu and Tanaka, Teiji},
date = {1990},
journaltitle = {Bulletin of the Seismological Society of America},
volume = {80},
issue = {4},
pages = {757 - 783},
issn = {0037-1106},
title = {A new attenuation relation for peak horizontal acceleration of strong earthquake ground motion in Japan},
url = {https://pubs.geoscienceworld.org/ssa/bssa/article-abstract/80/4/757/102395/A-new-attenuation-relation-for-peak-horizontal},
urldate = {2021-07-07}
}
@Comment{jabref-meta: databaseType:biblatex;}

96
paper/ihsm_paper.tex
View file

@ -352,6 +352,102 @@ Using longitudinal gaps in the mesh, our setup allows direct air cooling of regu
powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an
evolution of our design, the spinning mesh could even be designed to \emph{be} a cooling fan. evolution of our design, the spinning mesh could even be designed to \emph{be} a cooling fan.
\subsection{Long-term Operation}
Like with other HSMs, practical use may require an IHSM to continuously run for a decade or even longer. As with other
setups utilizing HSMs, a setup including IHSMs must be designed in a way that the failure of a small number of IHSMs
does not compromise the system's security or reliability. Neither IHSMs nor traditional HSMs can withstand fire or
flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and erasure of data
cannot~\cite{heise2021ovh}. Traditionally, this problem is solved by storing all secrets in multiple, geographically
redundant HSMs~\cite{thales2015hsmha}. The problem of providing fault-tolerance in IHSMs is easier since they are based
on general-purpose computer hardware and use general-purpose operating systems and thus allow for state-of-the-art
database replication techniques to be applied. One example of this approach is a 2019 technology
demonstration~\cite{signal2019} created by the signal.org, the organization running the signal secure messenger app. In
this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019} inside Intel SGX to
replicate state between redundant instances.
There are three main categories of challenges to an IHSM's longevity: Failure of components of the IHSM due to age and
wear, failure of the external power supply and spurious triggering of the intrusion alarm by changes in the IHSM's
environment. In the following paragraphs we will evaluate each of these categories in its practical impact.
\paragraph{Component failure.}
The failure mode of an IHSM's components is the same as in any other computer system and the same generic mitigation
techniques apply. The expected lifetime of electronic components can be increased by using higher-spec components and by
reducing thermal, mechanical and electrical stress. To reduce vibration stress on both rotor and stator, the rotor must
be balanced. The main mechanical failure mode of an IHSM's is failure of the shaft bearings. By incorporating knowledge
from other rotating devices that have a long lifetime such as cooling fans, this failure mode can be mitigated. A final
noteworthy mechanical failure mode of an IHSM is dust buildup on the optical components of the communication link. This
failure mode can be mitigated by routing cooling airflow such that it does not go past the communication link's optical
components, as well as by filtering cooling air at the device's intakes.
\paragraph{Power failure.}
\label{sec-power-failure}
After engineering an IHSM's components to survive years of continuous operation, the next major failure mode to be
considered is power loss. Traditional HSMs solve the need for an always-on backup power supply by carrying large backup
batteries. The low static power consumption of a traditional HSM's simple tamper detection circuitry allows for the use
of non-replaceable backup batteries. An IHSM in contrast would likely require a rechargeable backup battery since its
motor requires more power than the mesh monitoring circuit of a traditional HSM. In principle, a conventional
Uninterruptible Power Supply (UPS) can be used, but in practice a productized IHSM might have a small, simple UPS
integrated into its case. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ for an
IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power
an IHSM for 10 hours continuously. If a built-in battery is undesirable, or if power outages of more than a few seconds
at a time are unlikely (e.g.\ because the IHSM is connected to an external UPS or generator), the IHSM's rotor itself
can be used as a flywheel for energy storage up to several seconds. By designing the IHSM's rotor to have low friction
loss and high mass (e.g.\ by coupling it to an actual metal flywheel), longer power outages can be bridged. % FIXME
\paragraph{Spurious alarms.}
A spurious alarm would be as catastrophic as a failure of a critical component of an IHSM. For this reason, the
likelihood of such an alarm failure must be minimized. In principle, there are two possible causes for a spurious alarm.
One is a component failure such as a mesh trace breaking under vibration. This failure mode can be mitigated in the same
way other failure modes are mitigated. The second possible cause is that the device is accelerated in excess of the
range expected by its designers. There are several possible causes why an IHSM might move during normal operation. The
IHSM may have to be transported between datacenters or relocated within a dataceter. Other vibrating machinery such as
backup generators or large hard disk storage arrays may conduct vibration through the rack the IHSM is mounted inside
into the IHSM. People working in the datacenter might bump the IHSM. Vibrations from nearby traffic such as trains may
couple through the ground into the datacenter and into the IHSM. Finally, earthquakes will couple through any reasonable
amount of vibration dampening.
There are two key points to note on vibration dampening. One, the instantaneous mechanical power of a vibrating motion
is proportional to the square of its amplitude when fixing frequency and the cube of its frequency when fixing
amplitude. This means that to reach a certain instantaneous acceleration, much more power is needed in a high-frequency
vibrating motion compared to lower frequencies. This observation interacts the second key point we want to note here:
An ideal vibration dampener works the better the higher the frequency, and has a lower bound below which it does no
longer dampen vibration transmission~\cite{kelly1993,beards1996,dixon2007}. In conclusion, these two observations mean
that if we wish to reduce the likelihood of false detections by our IHSM tamper alarm we can effectively achieve this
goal by damping high-frequency shock and vibration, as low-frequency shock or vibration components will not reach
accelerations large enough to cause a false alarm.
To put the above relations into perspective, consider that at an angular frequency of $\SI{1000}{rpm}$, we can expect an
IHSM's tamper sensor to measure an acceleration of about $\SI{100}{g}$. Even the strongest earthquakes rarely reach a
Peak Ground Acceleration (PGA) of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest measured PGA of the 2011 Tohoku
earthquake was approximately $\SI{0.3}{g}$. Since earthquake vibrations are low-frequency and happen across a large
geographic area, they nontheless dissipate a tremendous amound of mechanical power through an absolute acceleration that
may seem low at first glance, but we can largely ignore them for the purposes of our tamper detection system. As
another point of reference, consider a car crash. An acceleration above $\SI{10}{g}$ corresponds to a crash at roughly
$\SI{30}{\kilo\meter\per\hour}$~\cite{ika2002}. Thus, an IHSM's tamper detection subsystem will be able to clearly
distinguish attempts to stop the IHSM's rotation at an amplitude of $\SI{100}{g}$ from external accelerations. External
acceleration that would come close in order of magnitude to the operating centrifugal acceleration at the periphery of
an IHSM's rotor would likely destroy the IHSM.
\subsection{Transportation}
While unintentional acceleration is unlikely to cause false alarms in an IHSM when simple vibration damping is employed,
there is an issue with intentionally moving an IHSM: The IHSM's rotor stores significant rotational energy and will
respond to tipping with a precession force. This could become an issue when a larger IHSM is transported between e.g.\
the manufacturer's premises and its destination data center. One solution to this problem is to transport the IHSM
elastically mounted inside a shipping box that is weighted to resist precession forces. To reduce the amount of
precession, the IHSM should be transported with its axis of rotation pointing upwards and its speed of rotation set to
the lower end of the range permitted by its application's security requirements. The IHSM's software could allow for a
temporary ``shipping mode'' to be entered that could slow down the IHSM and increase the tamper sensing accelerometer's
thresholds.
During shipping, the IHSM will require a continuous power supply. The most practical solution to this challenge is to
ship the IHSM along with a small backup battery. Following our conservative estimate in Section~\ref{sec-power-failure},
a 48-hour shipping window as is offered by many courier shipping services could easily be bridged with the equivalent of
5-10 laptop batteries. In case a built-in battery backup is not necessary in the IHSM's application, these batteries
could be connected as an external device that is disconnected and sent back to the IHSM's manufacturer after the IHSM
has been installed.
\section{Attacks} \section{Attacks}
\label{sec_attacks} \label{sec_attacks}