Add prior art and engineering constraints
parent 704bdcfe3b
commit b3a6b004be
1 changed files with 121 additions and 7 deletions
|
|
@ -152,7 +152,7 @@ every point in space (or at least inside a boundary region) is covered. While th
|
|||
might still be true this would be based on the fact that the same problem presents itself to an attacker trying to
|
||||
circumvent these measures--degrading their security to simple obscurity again.
|
||||
|
||||
\subsection{A new approach to physical security}
|
||||
\subsection{Inertial HSMs: A new approach to physical security}
|
||||
We are certain that there is still much work to be done and many insights to be gained from further explorations
|
||||
of the two concepts described above. Trivially, consider a box with mirrored walls that, suspended on thin wires,
|
||||
contains a smaller box that has cameras looking outward in all directions at the mirrored walls. Given that the defender
|
||||
|
|
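Review bot: the renamed heading `\subsection{Inertial HSMs: A new approach to physical security}` introduces the term "Inertial HSM", but the paragraph under it still opens with "the two concepts described above" and nothing in the visible lines defines the term. Add one defining sentence at the start of the subsection so the term is explained where it first appears. The spelling here is "Inertial", while section headings added later in this commit read "Intertial"; keep this spelling throughout.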
@ -197,10 +197,119 @@ This work contains the following contributions:
|
|||
\section{Related work}
|
||||
% summaries of research papers on HSMs.
|
||||
% I have not found any actual prior art on anything involving mechanical motion beyond ultrasound.
|
||||
In chapter 18 of the forthcoming 3rd edition of his seminal book on "Security Engineering"\cite{anderson2020}, Ross
|
||||
Anderson gives a background on physical security in general and on HSMs in particular. As an example he cites the IBM
|
||||
4758 HSM whose details are laid out in depth in \cite{smith1998}. This HSM is an example of an industry-standard
|
||||
construction. Though it is now a bit dated, the construction techniques of the physical security mechanisms have not
|
||||
changed much in the last two decades. Apart from some auxiliary temperature and radiation sensors to guard against
|
||||
attacks on the built-in SRAM memory the module's main security barrier uses the traditional construction of a flexible
|
||||
mesh wrapped around the module's core. In \cite{smith1998}, the authors claim the module monitors this mesh for
|
||||
short circuits, open circuits and conductivity. The fundamental approach to tamper detection and construction is similar
|
||||
to other commercial offerings\cite{obermaier2018}.
|
||||
|
||||
In \cite{immler2019}, Immler et al. describe a HSM based on precise capacitance measurements of a mesh. In contrast to
|
||||
traditional meshes, the mesh they use consists of a large number of individual traces (more than 32 in their example).
|
||||
Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in
|
||||
both covered area and component height, as well as the high cost of the advanced analog circuitry required for
|
||||
monitoring. A core component of their design is that they propose its use as a PUF to allow for protection even when
|
||||
powered off, similar to a smart card--but the design is not limited to this use.
|
||||
|
||||
In \cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based
|
||||
around commodity Wifi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference
|
||||
signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections
|
||||
and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that
|
||||
the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the
|
||||
volume of the cavity will cause a significant change in its RF response. The core idea in \cite{tobisch2020} is to use
|
||||
commodity Wifi hardware to reduce the cost of the HSM's sensing circuitry. The resulting system is likely both much
|
||||
cheaper and capable of protecting a much larger security envelope than e.g. the design from \cite{immler2019}, at the
|
||||
cost of worse and less predictable security guarantees.
|
||||
|
||||
While \cite{tobisch2020} approach the sensing frontend cost as their only optimization target, the prior work of Kreft
|
||||
and Adi\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume barely larger than a
|
||||
single chip. They theorize how an array of distributed RF transceivers can measure the physical properties of a potting
|
||||
compound that has been loaded with RF-reflective grains. In their concept, the RF response characterized by these
|
||||
transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains within the potting
|
||||
compound.
|
||||
|
||||
\subsection{Comparison to prior research}
|
||||
|
||||
Our concept is truly novel in that neither academic literature, nor patent databases contain any mention of mechanical
|
||||
motion being used as part of a hardware security module. Most academic research concentrates on the issue of creating
|
||||
new, more sensitive security barriers for HSMs while commercial vendors concentrate on means to cheaply manufacture
|
||||
these security barriers. Our concept instead focuses on the issue of taking any existing, cheap low-performance security
|
||||
barrier and transforming it into a marginally more expensive but very high-performance one. The closes to a mechanical
|
||||
HSM that we were able to find during our research is an 1988 patent\cite{rahman1988} that describes an mechanism to
|
||||
detect tampering along a communication cable by enclosing the cable inside a conduit filled with pressurized gas.
|
||||
|
||||
\section{Intertial HSM construction and operation}
|
||||
\subsection{Using motion for tamper detection}
|
||||
Mechanical motion has been proposed as a means of making things harder to see with the human eye\cite{haines2006} but we
|
||||
seem to be the first to use it in tamper detection. Let us think about how one would go about increasing the security of
|
||||
a primitive tamper detection sensor.
|
||||
|
||||
\begin{enumerate}
|
||||
\item We need the sensor's motion to be fairly fast. If any point of the sensor moves slow enough for a human to
|
||||
follow, it becomes a weak spot.
|
||||
\item We need the sensor's motion to be periodic to keep it within a reasonable space. Otherwise we could just load
|
||||
our HSM on an airplane and assume that airplanes are hard to stop non-destructively mid-flight.
|
||||
\item We need the sensor's motion to be very predictable so that we can detect an attacker trying to stop it.
|
||||
\end{enumerate}
|
||||
|
||||
From this, we can make a few observations.
|
||||
|
||||
\begin{enumerate}
|
||||
\item Linear motion is likely to be a poor choice since it requires a large amount of space, and it is comparatively
|
||||
easy to follow something moving linearly.
|
||||
\item Oscillatory motion such as linear vibration or a pendulum motion might be a good candidate, but for the
|
||||
instant at its apex when the vibration reverses direction the object is stationary, which is a weak spot.
|
||||
\item Rotation is a very good choice. Not only does it not require much space to execute, but also if the axis of
|
||||
rotation is within the HSM itself, an attacker trying to follow the motion would have to rotate around the same
|
||||
axis. Since their tangential linear velocity would rise linearly with the radius from the axis of rotation, an
|
||||
assumption on tolerable centrifugal force allows one to limit the approximate maximum size and mass of an
|
||||
attacker. For an HSM measuring at most a few tens of centimeters across, it is easy to build something that
|
||||
rotates too fast for a human to be able to follow it. The axis of rotation is a weak spot, but this can be
|
||||
alleviated by placing additional internal sensors around it and locating all sensitive parts of the sensing
|
||||
circuit radially away from it.
|
||||
\end{enumerate}
|
||||
|
||||
Another important observation is that we do not have to move the entire contents of the HSM. It suffices if we can
|
||||
somehow move the tamper detection barrier around these contents while keeping the contents stationary. This reduces the
|
||||
inertial mass of the moving part and eases data communication and power supply of the payload.
|
||||
|
||||
In a rotating reference frame, at any point the centrifugal force is proportional to the square of the angular frequency
|
||||
and linearly proportional to the distance from the axis of rotation. We can exploit this fact to create a sensor that
|
||||
detects any disturbance of the rotation by simply placing a linear accelerometer at some distance to the axis of
|
||||
rotation. During constant rotation, the linear acceleration tangential to the rotation will be zero. The centrifugal
|
||||
force is orthogonal to this, and will be constant as long as the angular velocity remains constant (assuming a fixed
|
||||
axis of rotation). At high angular velocities, considerable forces can be created this way. This poses the engineering
|
||||
challenge of preventing the whole thing from flying apart, but also creates an obstacle to any attacker trying to
|
||||
manipulate the sensor.
|
||||
|
||||
\subsection{Payload mounting mechanisms}
|
||||
The simplest way to mount a stationary payload in a rotating security mesh is to drive the rotor through a
|
||||
hollow axis. This allows the payload to be mounted on a fixed rod threaded through the hollow axis, along with wires for
|
||||
power and data.
|
||||
|
||||
\subsection{Rotating mesh power supply}
|
||||
There are several options to transfer power to the rotor from its stationary frame.
|
||||
|
||||
\begin{enumerate}
|
||||
\item Slip ring contacts are a poor candidate as they are limited in their maximum speed and lifetime, and as
|
||||
precision mechanical components are expensive.
|
||||
\item Inductive power transfer as used in inductive charging systems can be used without modification.
|
||||
\item A second brushless motor on the axis of rotation can be used as a generator, with its axis connected to the
|
||||
fixed frame and its stator mounted and connected to the rotor.
|
||||
\item A bright LED along with some small solar cells may be a practical approach for small amounts of energy.
|
||||
\item For a very low-power security mesh, a battery specified to last for the lifetime of the device may be
|
||||
practical.
|
||||
\end{enumerate}
|
||||
|
||||
\subsection{Rotating mesh data communication}
|
||||
As we discussed above, while slip rings are the obvious choice to couple electrical signals through a rotating joint,
|
||||
they are likely to be too expensive and have too short a life span for our application. Since the only information that
|
||||
needs to pass between payload and rotor are the occassional status report and a high-frequency heartbeat signal that
|
||||
acts as the alarm trigger, a simple optocoupler close to the axis of rotation is a good solution.
|
||||
|
||||
\section{The physics of hardware security}
|
||||
% approaching the issue from measurable quantities
|
||||
\section{Intertial HSMs}
|
||||
\section{Future work}
|
||||
\subsection{Other modes of movement}
|
||||
\subsection{Multiple axes of rotation}
|
||||
|
|
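Review bot: in the last paragraph of "Using motion for tamper detection", the statement "During constant rotation, the linear acceleration tangential to the rotation will be zero" only holds when the axis of rotation is parallel to gravity (or gravity is neglected); with any other orientation the accelerometer sees gravity as a sinusoid at the rotation frequency on both its tangential and radial axes. State the orientation assumption next to "assuming a fixed axis of rotation", or say that the gravity component is filtered out, and consider giving the relation explicitly as $a = \omega^2 r$ since the text describes it only in words. In "Comparison to prior research", "Our concept is truly novel in that neither academic literature, nor patent databases contain any mention" is an absolute claim that a single counterexample falsifies; "to the best of our knowledge" would be safer. Spelling and style in the added text: `\section{Intertial HSM construction and operation}` and `\section{Intertial HSMs}` should read "Inertial" (and the second is an empty duplicate of the first), "The closes to a mechanical HSM", "an 1988 patent", "an mechanism", "occassional", and "Immler et al." and "e.g." lack the `\ ` spacing that "Tobisch et al.\ " and "w.r.t.\ " use.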
@ -208,6 +317,12 @@ This work contains the following contributions:
|
|||
\subsection{Other sensing modes}
|
||||
\subsection{Longeivity}
|
||||
|
||||
\section{Attacks}
|
||||
\subsection{Attacks on the rotation sensor}
|
||||
\subsection{Attacks on the mesh}
|
||||
\subsection{Attacks on the alarm circuitry}
|
||||
\subsection{Fast and violent attacks}
|
||||
|
||||
\section{Hardware prototype}
|
||||
% FIXME
|
||||
|
||||
|
|
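Review bot: the four subsections under `\section{Attacks}` are added as bare headings with no body and no marker, while `\section{Hardware prototype}` directly below carries `% FIXME`. Give each empty subsection the same kind of placeholder comment, ideally with a one-line note on the attack it is meant to cover, so the stubs are not mistaken for finished structure when the document is built. The neighbouring heading `\subsection{Longeivity}` is misspelled ("Longevity") and could be fixed in the same pass.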
@ -216,7 +331,7 @@ This work contains the following contributions:
|
|||
\printbibliography[heading=bibintoc]
|
||||
\appendix
|
||||
\section{License}
|
||||
{\center{
|
||||
\center{
|
||||
\begin{minipage}[t][10cm][b]{\textwidth}
|
||||
\center{\ccbysa}
|
||||
|
||||
|
|
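Review bot: `\center{` in the License section uses `\center` as if it took an argument, but `\center` is the opening half of the `center` environment and the braces only form a group, so the environment is started and never ended with `\endcenter`; the same applies to `\center{\ccbysa}` two lines below. Dropping the outer brace of the previous `{\center{` also removes the group that confined it. Use `\begin{center} ... \end{center}` around the minipage, or `\centering` inside a group, instead.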
@ -231,6 +346,5 @@ This work contains the following contributions:
|
|||
|
||||
\center{\url{https://git.jaseg.de/rotohsm.git}}
|
||||
\end{minipage}
|
||||
}}
|
||||
|
||||
}
|
||||
\end{document}
|
||||
|
|
|
|||
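Review bot: the single `}` that replaces `}}` after `\end{minipage}` balances only against the opening brace of `\center{` in the License section, so the two changes must stay in step, and the `center` environment opened there is still not closed before `\end{document}`. Replacing this brace with `\end{center}` (and the opener with `\begin{center}`) makes the pairing explicit and removes the dependency on brace counting.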