report: update with björn's input
This commit is contained in:
parent
e1060ec4c7
commit
dbb030a29f
1 changed files with 81 additions and 87 deletions
@ -80,87 +80,47 @@

\section*{Abstract}

In this paper, we introduce a novel, highly effective countermeasure against physical attacks: Inertial hardware
security modules. Conventional systems have in common that they try to detect attacks by crafting sensors responding to
increasingly minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce
the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by
In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules.
Conventional systems have in common that they try to detect attacks by crafting sensors responding to increasingly
minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce the
sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by
rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop
the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes.

Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet
offers a level of security that is comparable to even the best commercial offerings. By building prototype hardware we
have demonstrated solutions to the concept's engineering challenges.
the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to a HSM that
can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is
comparable to commercial HSMs. By building prototype hardware we have demonstrated solutions to the concept's
engineering challenges.

\section{Introduction}

While information security technology has matured a great deal in the last half century, physical security has barely
changed. Given the right skills, physical access to a computer still often equates full compromise. The physical
changed. Given the right skills, physical access to a computer still often means full compromise. The physical
security of modern server hardware hinges on what lock you put on the room it is in.

Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid
switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between
physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key
infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic
co-processors in form of smartcard-like trusted platform modules (TPMs) or hardware security modules (HSMs). Using a
limited amount of trust in components such as the CPU, the larger system's security can be reduced to that of its
physically secured TPM\cite{heise2020t2jailbreak,frazelle2019,johnson2018}. Being physcially small, physical security is
less of a challenge on the scale of a TPM.
co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of
trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured
TPM~\cite{heise2020t2jailbreak,frazelle2019,johnson2018}.

\subsection{Technical approaches to physical security}
Like smartcards, TPMs rely on an IC's nanoscopic structures being hard to tamper with. HSMs rely on a fragile foil with
much larger-scale conductive traces being hard to remove intact. While we are certain that there still are many
insights to be gained in both technologies, we wish to introduce a novel approach to sidestep the manufacturing issues
of both and provide radically better security against physical attacks. Our core observation is that any cheap but
coarse HSM technology can be made much more difficult to attack by moving it very quickly.

Shrinking things to the nanoscopic level to secure them against tampering is an engineering solution to problems that
cannot be solved (yet) with cryptographic security. The security of chips like smartcards and TPMs often rests on the
assumption that their fine structures are hard to reverse engineer and modify. As of now, this property holds and in the
authors' opinion it will likely be a reasonable assumption for some years to come. However, in essence this is a type
of security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack these
chips\cite{albartus2020,anderson2020}.
For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set
by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue,
solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual
defenses the HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high speed. How
would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the
accelerometer---or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow
speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become
inhospitable to human life (see Appendix~\ref{sec_minimum_angular_velocity}). Since non-contact electromagnetic or
optical attacks are more limited in the first place and can be shielded, we have effectively forced the attacker to use
an attack robot.

\subsection{Hardware Security Modules}

Right now, Hardware security modules (HSMs) are the class of commercial devices offering the highest ``physical
security-to-volume-product''. Where smartcards physically secure a single chip, HSMs secure a small circuit board. In
contrast to a smartcard, in a tradeoff between security and convenience the HSM actively deletes its secrets when it
detects a manipulation. Commercial HSMs commonly employ what we call \emph{boundary monitoring}. They have a physical
security barrier that they continuously monitor for holes. Usually, this barrier is a thin foil that is patterned with
at least two meandering electrical traces that is folded in layers to cover the entire area of the foil. The HSM
monitors these traces for shorts or breaks. This simple construction transforms the security problem into a
manufacturing challenge\cite{isaacs2013,immler2019,anderson2020}.

In our classification the other type of HSMs are \emph{volumetric} HSMs. They monitor their entire internal volume for
changes using e.g.\ electromagnetic radiation\cite{tobisch2020,kreft2012} or ultrasound\cite{vrijaldenhoven2004}. Their
security is limited by the analog sensitivity of their transceivers. Their practicality is limited by their complex
transceiver and signal processing circuitry. They promise to secure larger volumes than boundary monitoring at higher
parts cost. A problem with volumetric designs is their security analysis, which is hard to do without significant
guesswork. In e.g.\ a device that use electromagnetic radiation to monitor its volume, one might have to numerically
solve the electromagnetic field equations inside the HSM to validate its impenetrability.

\subsection{Inertial HSMs: A new approach to physical security}

We are certain that there is still much work to be done and many insights to be gained in both HSM and in smartcard
technology\footnote{
As a baseline, consider a box with mirrored walls that contains a smaller box suspended on thin wires that has
cameras looking outward in all directions at the mirrored walls. Given that the defender can control lighting
conditions inside this kaleidoscopic box in this application modern cameras perform better than the human eye.
Thus, a successful physical attack on this system would likely an ``invisibility cloak''--and the system would
remain secure as long as no such thing exists. To be viable, an HSM technology must be either cheaper, smaller or
more sensitive than this strawman setup\cite{kim2018}.
}. % TODO perhaps misplaced citation and/or poor source?
Still, we wish to introduce a novel approach to sidestep the issues of conventional HSMs and provide radically better
security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made much
more difficult to attack by moving it very quickly. As a trivial example, consider an HSM as it is used in
ecommerce applications for credit card payments. Its physical security level is set by the structure size of its
security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, solder and
lasers\cite{drimer2008}.

Now consider the same HSM mounted on a large flywheel. In addition to its usual defenses the HSM is now equipped with an
accelerometer that it uses to verify that it is spinning at high speed. How would an attacker approach this HSM? They
would have to either slow down the rotation, triggering the accelerometer, or they would have to attack the HSM in
motion. The HSM literally becomes a moving target. At slow speeds, rotating the entire attack workbench might be
possible but rotating frames of reference quickly become inhospitable to human life\footnote{See Appendix
\ref{sec_minimum_angular_velocity}}. Since non-contact electromagnetic or optical attacks are more limited in the first
place and can be shielded, we have effectively forced the attacker to use an attack robot.

\subsection{Contributions}
This work contains the following contributions:
\begin{enumerate}
\item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective small-scale production of
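Review bot: the new footnote in the Inertial HSMs subsection is missing its verb: `a successful physical attack on this system would likely an ``invisibility cloak''--and the system would` should read `would likely require an ``invisibility cloak''---and`, with `---` to match `high speed---thereby` in the abstract. In the same footnote `strawman setup\cite{kim2018}` drops the `~` that this commit adds before every other `\cite`, and the trailing `% TODO perhaps misplaced citation and/or poor source?` needs to be resolved (or the citation dropped) before submission. Minor: `ecommerce applications` in the added paragraph should be `e-commerce applications`, and the new `\footnote{See Appendix \ref{sec_minimum_angular_velocity}}` breaks the line between `Appendix` and `\ref` where the removed text had `Appendix~\ref`.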
@ -171,59 +131,89 @@ This work contains the following contributions:
% FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack.
\end{enumerate}

In Section~\ref{sec_related_work}, we will give an overview of the state of the art in the physical security of HSMs. On
this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach. We
will analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a prototype system that
we will illustrate in Section~\ref{sec_proto}. Before we conclude this paper in Section~\ref{sec_conclusion} we will
present some inspiration for future work in Section~\ref{sec_future_work}.

\section{Related work}
\label{sec_related_work}
% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion
% beyond ultrasound.
In \cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM
4758 HSM whose details are laid out in depth in \cite{smith1998}. This HSM is an example of an industry-standard

HSMs are an old technology tracing back decades in their electronic realization.


% FIXME integrate this
Shrinking things to the nanoscopic level to secure them against tampering is an engineering solution to problems that
cannot be solved (yet) with cryptographic security. The security of chips like smartcards and TPMs often rests on the
assumption that their fine structures are hard to reverse engineer and modify. As of now, this property holds and it
will likely be a reasonable assumption for some years to come. However, in essence this is a type of security by
obscurity: Obscurity here referring to the rarity of the equipment necessary to attack these
chips~\cite{albartus2020,anderson2020}.

Hardware security modules (HSMs) are the class of commercial devices offering the highest ``physical
security-to-volume-product''. HSMs continuously monitor a small circuit board and actively delete their secrets when a
manipulation is detected. Commercial HSMs are usually \emph{boundary monitoring}. They monitor meandering electrical
traces on a fragile foil that is wrapped around the HSM. This construction transforms the security problem into the
challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013,immler2019,anderson2020}.
There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic
radiation~\cite{tobisch2020,kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of it has found widespread adoption.
% FIXME end


In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM
4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard
construction. Though its turn of the century design is now a bit dated, the construction techniques of the physical
security mechanisms have not evolved much in the last two decades. Apart from some auxiliary temperature and radiation
sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional
construction of a flexible mesh wrapped around the module's core. In \cite{smith1998}, the authors state the module
construction of a flexible mesh wrapped around the module's core. In~\cite{smith1998}, the authors state the module
monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and
construction is similar to other commercial offerings\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
construction is similar to other commercial offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.

In \cite{immler2019}, Immler et al. describe a HSM based on precise capacitance measurements of a mesh. In contrast to
In~\cite{immler2019}, Immler et al. describe a HSM based on precise capacitance measurements of a mesh. In contrast to
traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example).
Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in
covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A
core component of their design is that they propose its use as a PUF to allow for protection even when powered off,
similar to a smart card---but the design is not limited to this use.

In \cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based
In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based
around commodity Wifi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference
signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections
and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that
the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the
volume of the cavity will cause a significant change in its RF response. The core idea in \cite{tobisch2020} is to use
volume of the cavity will cause a significant change in its RF response. The core idea in~\cite{tobisch2020} is to use
commodity Wifi hardware to reduce the cost of the HSM's sensing circuitry. The resulting system is likely both much
cheaper and capable of protecting a much larger security envelope than e.g. the design from \cite{immler2019}, at the
cost of worse and less predictable security guarantees. Where \cite{tobisch2020} use electromagnetic radiation,
Vrijaldenhoven in \cite{vrijaldenhoven2004} uses ultrasound waves travelling on a surface acoustic wave (SAW) device to
cheaper and capable of protecting a much larger security envelope than e.g. the design from~\cite{immler2019}, at the
cost of worse and less predictable security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation,
Vrijaldenhoven in~\cite{vrijaldenhoven2004} uses ultrasound waves travelling on a surface acoustic wave (SAW) device to
a similar end.

While \cite{tobisch2020} approach the sensing frontend cost as their only optimization target, the prior work of Kreft
and Adi \cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume barely larger than a
While~\cite{tobisch2020} approach the sensing frontend cost as their only optimization target, the prior work of Kreft
and Adi~\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume barely larger than a
single chip. They theorize how an array of distributed RF transceivers can measure the physical properties of a potting
compound that has been loaded with RF-reflective grains. In their concept, the RF response characterized by these
transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains within the potting
compound.

Our concept is novel in that mechanical motion has not been proposed before as part of a hardware security module. Most
academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs\cite{immler2019}
academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs~\cite{immler2019}
while commercial vendors concentrate on means to cheaply manufacture and certify these security
barriers\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance
barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance
security barrier and transforming it into a marginally more expensive but very high-performance one. The closest to a
mechanical HSM that we were able to find during our research is an 1988 patent \cite{rahman1988} that describes an
mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that describes an
mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled with
pressurized gas.

\section{Inertial HSM construction and operation}
\label{sec_ihsm_construction}

\subsection{Using motion for tamper detection}

Mechanical motion has been proposed as a means of making things harder to see with the human eye\cite{haines2006} and is
routinely used in military applications to make things harder to hit\cite{terdiman2013} but we seem to be the first to
Mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} and is
routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the first to
use it in tamper detection. Let us think about the constraints of our approach.

\begin{enumerate}
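Review bot: the material moved into Related work between `% FIXME integrate this` and `% FIXME end` is left as a second, uncited opening of the section, and the one-sentence paragraph `HSMs are an old technology tracing back decades in their electronic realization.` above it has no citation and no connection to what follows; either fold both into the Anderson paragraph that opens the section proper or keep the markers out of the submitted text. In the touched lines, `an 1988 patent~\cite{rahman1988} that describes an` should read `a 1988 patent ... that describes a` (the context line `mechanism to detect tampering` continues it), and `e.g. the design from~\cite{immler2019}` wants `e.g.\ ` as in `using e.g.\ electromagnetic` earlier in this hunk.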
@ -306,7 +296,7 @@ In our prototype, we settled on a solar cell-based solution for its simplicity.

In boundary-sensing HSMs, cooling of the processor inside is a serious issue since any air duct or heat pipe would have
to penetrate the HSM's security boundary. This problem can be solved with complex and costly siphon-style constructions,
but in commercial systems heat conduction is used exclusively\cite{isaacs2013}. This limits the maximum power
but in commercial systems heat conduction is used exclusively~\cite{isaacs2013}. This limits the maximum power
dissipation of the payload and thus its processing power. In our spinning HSM concept, the spinning mesh can have
longitudindal gaps in the mesh without impeding its function. This allows air to pass through the mesh during rotation,
and one could even integrate an actual fan into the rotor. This greatly increases the maximum possible power dissipation
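Review bot: the `~\cite{isaacs2013}` change is fine and consistent with the rest of the commit; while in this paragraph, `longitudindal gaps in the mesh` in the context line below is a typo for `longitudinal`.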
@ -322,12 +312,13 @@ occassional status reports and a high-frequency alarm trigger heartbeat signal t
this, a simple optocoupler close to the axis of rotation is a good solution that we implemented in our prototype.

\section{Attacks}
\label{sec_attacks}
\subsection{Attacks on the mesh}

There are two locations where one can attack a tamper-detection mesh. On one hand, the mesh itself can be tampered with.
This includes bridging its traces to allow for a hole to be cut. The other option is to tamper with the monitoring
circuit itself, to prevent a damaged mesh from triggering an alarm and causing the HSM to erase its
contents\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e. they require electrical contact to
contents~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e. they require electrical contact to
parts of the circuit. Traditionally, this contact is made by soldering or by placing a probe such as a thin needle. We
consider this contact infeasible to be performed on an object spinning at high speed without a complex setup that
rotates along with the object or that involves ion beams, electron beams or liquids. Thus, we consider them to be
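Review bot: in the changed line, `i.e. they require electrical contact` should use `i.e.\ ` (as the paper does for `e.g.\ `) so LaTeX does not treat the period as a sentence end; otherwise only the `~\cite{dexter2015}` normalization changes here.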
@ -363,7 +354,7 @@ or active-low alarm signal cannot be considered fail-safe in this scenario.

An attacker may try to stop the rotor before tampering with the mesh. To succeed, they would need to fool the rotor's
MEMS accelerometer. An electronic attack on the sensor or the monitoring microcontroller would be no easier than
directly bridging the mesh traces. Physical attacks on the accelerometer are possible\cite{trippel2017}, but in the
directly bridging the mesh traces. Physical attacks on the accelerometer are possible~\cite{trippel2017}, but in the
authors' estimate are too hard to control to be practically useful.

A last type of attack might be to try to physically tamper with the accelerometer's sensing mechanism. MEMS
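Review bot: `Physical attacks on the accelerometer are possible~\cite{trippel2017}, but in the authors' estimate are too hard to control to be practically useful` dismisses the one sensor the whole rotation check depends on with an unargued estimate; add a sentence on why such attacks would not reproduce the steady rotation signature the monitor expects, or point to the section that covers it, since a reviewer will press on exactly this point.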
@ -378,6 +369,7 @@ change on a schedule, it is trivially detectable.
In Appendix \ref{sec_degrees_of_freedom} we outline the constraints on sensor placement.

\section{Prototype implementation}
\label{sec_proto}

To validate our theoretical design, we have implemented a prototype rotary HSM. The main engineering challenges we
solved in our prototype are:
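Review bot: `In Appendix \ref{sec_degrees_of_freedom}` uses a plain space before `\ref` while the rest of the commit ties references with `~` (`Section~\ref{sec_proto}` in the introduction); change it to `Appendix~\ref{sec_degrees_of_freedom}` so the word and the number cannot be split across lines.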
@ -510,6 +502,7 @@ larger-scale implementation of the inertial HSM concept practical.
\end{figure}

\section{Future Work}
\label{sec_future_work}

\subsection{Design space exploration}

@ -533,6 +526,7 @@ We intend to refine our prototype design to production quality. As part of this,
on our prototype.

\section{Conclusion}
\label{sec_conclusion}
In this paper, we have presented inertial hardware security modules (iHSMs), a novel concept for the construction of
highly secure hardware security modules from inexpensive, commonly available parts. We have elaborated the engineering
considerations underlying a practical implementation of this concept. We have implemented a prototype demonstrating
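Review bot: the abbreviation `iHSMs` is introduced here in the conclusion for the first time, while the abstract and the `\emph{Inertial HSM}` contribution item spell the term out without it; introduce the abbreviation where the concept is first defined and use it consistently, or drop it from the conclusion. Also, `\label{sec_conclusion}` is immediately followed by text, whereas the other section labels in this commit are followed by a blank line.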