jaseg/ihsm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Paper: Update with corrections from second read

Browse source
This commit is contained in:
jaseg 2021-04-07 19:41:18 +02:00
parent 7d573bfedf
commit e18b67ae4b
3 changed files with 208 additions and 182 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
doc/paper/rotohsm_paper.pdf
View file

Binary file not shown.

390
doc/paper/rotohsm_paper.tex
View file

@ -38,22 +38,25 @@
\maketitle
\begin{abstract}
In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules (iHSMs).
Conventional systems have in common that they try to detect attacks by crafting sensors responding to increasingly
minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce the
sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by
rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop
the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to a HSM that
can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is
comparable to commercial HSMs. By building prototype hardware we have demonstrated solutions to the concept's
engineering challenges.
In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules
(iHSMs). Conventional systems have in common that their security requires the crafting of fine sensor structures
that respond to minute manipulations of the monitored security boundary or volume. Our approach is novel in that we
reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any
manipulations by rotating the security mesh or sensor at high speed---thereby presenting a moving target to an
attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes.
Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet
offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware
prototype that demonstrates solutions to the concept's main engineering challenges. As part of this proof of
concept, we have found that a system using a coarse security mesh made from commercial printed circuit boards and an
automotive high g-force accelerometer already provides a useful level of security.
\end{abstract}
\section{Introduction}
While information security technology has matured a great deal in the last half century, physical security has barely
changed. Given the right skills, physical access to a computer still often means full compromise. The physical
security of modern server hardware hinges on what lock you put on the room it is in.
While information security technology has matured a great deal in the last half century, physical security not kept up
with the pace of the remainder of this industry. Given the right skills, physical access to a computer still often
allows full compromise. The physical security of modern server hardware hinges on what lock you put on the room it is
in.
Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid
switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between
@ -62,53 +65,56 @@ infrastructure, general-purpose and low-security servers are augmented with dedi
co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of
trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured
TPM~\cite{newman2020,frazelle2019,johnson2018}.
Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure
them against tampering is a good engineering solution for some years to come. However, in essence this is a type of
security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern
ICs~\cite{albartus2020,anderson2020}.
HSMs rely on a fragile foil with much larger-scale conductive traces being hard to remove intact. While we are certain
that there still are many insights to be gained in both technologies, we wish to introduce a novel approach to sidestep
the manufacturing issues of both and provide radically better security against physical attacks. Our core observation
is that any cheap but coarse HSM technology can be made much more difficult to attack by moving it very quickly.
In contrast to TPMs and Smartcards, HSMs rely on an active security barrier usually consisting of a fragile foil with
conductive traces. These traces are much larger scale than a smart card IC's microscopic structures, and instead are
designed to be very hard to remove intact. While we are certain that there still are many insights to be gained in both
technologies, we wish to introduce a novel approach to sidestep the manufacturing issues of both and provide radically
better security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made
much more difficult to attack by moving it very quickly.
For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set
by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue,
solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual
defenses the HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high speed. How
would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the
accelerometer---or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow
speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become
inhospitable to human life (see Section~\ref{sec_swivel_chair_attack}). Since non-contact electromagnetic or optical
attacks are more limited in the first place and can be shielded, we have effectively forced the attacker to use an
attack robot.
defenses, this modified HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high
speed. How would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the
accelerometer's monitoring circuit---or they would have to attack the HSM in motion. The HSM literally becomes a moving
target. At slow speeds, rotating the entire attack workbench might be possible---but rotating frames of reference
quickly become inhospitable to human life (see Section~\ref{sec_swivel_chair_attack}). Since non-contact electromagnetic
or optical attacks are more limited in the first place and can be shielded, we have effectively forced the attacker to
use an ``attack robot''.
This work contains the following contributions:
This paper contains the following contributions:
\begin{enumerate}
\item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective small-scale production of
\item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost effective, small scale production of
highly secure HSMs.
\item We discuss possible tamper sensors for inertial HSMs.
\item We explore the design space of our inertial HSM concept.
\item We present our work on a prototype inertial HSM (Figure~\ref{prototype_picture}).
\item We present an anlysis on the viability of using commodity MEMS accelerometers as braking sensors.
\item We present an analysis on the viability of using commodity MEMS accelerometers as braking sensors.
% FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack.
\end{enumerate}
\begin{figure}
\center
\includegraphics[width=12cm]{prototype_pic2.jpg}
\caption{The protoype as we used it to test power transfer and bidirectional communication between stator
and rotor. In the picture, the prototype is missing the vertical security mesh struts connecting the circular top
and bottom outer meshes that rotate around the stationary payload in the center.}
\caption{The protoype as we used it to test power transfer and bidirectional communication between stator and rotor.
This picture shows the proof of concept prototype's configuration that we used for accelerometer characterization
(Section~\ref{sec_accel_meas}) without the vertical security mesh struts that connect the circular top and bottom
outer meshes.}
\label{prototype_picture}
\end{figure}
In Section~\ref{sec_related_work}, we will give an overview of the state of the art in the physical security of HSMs. On
this basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our inertial HSM approach. We
will analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a prototype system that
whose design we will elaborate in Section~\ref{sec_proto}. We conclude this paper with a general evaluation of our
design in Section~\ref{sec_conclusion}.
In Section~\ref{sec_related_work}, we will give an overview of the state of the art in HSM physical security. On this
basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our Inertial HSM approach. We will
analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof of concept hardware
prototype that whose design we will elaborate in Section~\ref{sec_proto}. In Section~\ref{sec_accel_meas} we present our
characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof of concept prototype. We
conclude this paper with a general evaluation of our design in Section~\ref{sec_conclusion}.
\section{Related work}
\label{sec_related_work}
@ -118,24 +124,24 @@ design in Section~\ref{sec_conclusion}.
In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper
detection.
HSMs are an old technology tracing back decades in their electronic realization. Today's common approach of monitoring
HSMs are an old technology that traces back decades in its electronic realization. Today's common approach of monitoring
meandering electrical traces on a fragile foil that is wrapped around the HSM essentially transforms the security
problem into the challenge to manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019,
anderson2020}. There has been some research on monitoring the HSM's inside using e.g.\ electromagnetic
radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research
has found widespread adoption yet.
radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research has found
widespread adoption yet.
HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper evident devices. The difference is that a
HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine
it. This examination can be by eye in the field, but it can also be using complex equipment in a laboratory. An HSM in
principle has to have this examination equipment built-in.
it. This examination can be by eye in the field, but it can also be carried out in a laboratory using complex equipment.
An HSM in principle has to have this examination equipment built-in.
Physical seals are used in a wide variety of applications, but the most interesting ones from a research point of view
that are recorded in public literature are those used in monitoring of nuclear material under the International Atomic
Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically
Uncloneable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in
a way that intentionally causes large, random device to device variations. These variations are precisely recorded at
deployment. At the end of the seals lifetime, the seal is returned from the field to the lab and closely examined to
deployment. At the end of the seal's lifetime, the seal is returned from the field to the lab and closely examined to
check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes random
scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the
uncontrollably random distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well as the
@ -146,16 +152,18 @@ reading, similar to an HSM. They are constructed from two components: A cable th
monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil such as it is used in
commercial HSMs.
In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM
4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard
In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example HSM that they cite is
the IBM 4758 HSM whose details are laid out in depth in~\cite{smith1998}. This HSM is an example of an industry-standard
construction. Although its turn of the century design is now a bit dated, the construction techniques of the physical
security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature and radiation
sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional
construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state the module
monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and
construction is similar to other commercial offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state that the
module monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper
detection and construction is similar to other commercial
offerings~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
In~\cite{immler2019}, Immler et al. describe a HSM based on precise capacitance measurements of a mesh. In contrast to
Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an
HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to
traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example).
Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in
covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A
@ -167,39 +175,40 @@ around commodity WiFi hardware inside a conductive enclosure. In their design, a
signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections
and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that
the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the
volume of the cavity will cause a significant change in its RF response. The core idea in~\cite{tobisch2020} is to use
commodity WiFi hardware to reduce the cost of the HSM's sensing circuitry. The resulting system is likely both much
cheaper and capable of protecting a much larger security envelope than designs using finely patterned foil security
meshes such as~\cite{immler2019}, at the cost of worse and less predictable security guarantees.
Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven in~\cite{vrijaldenhoven2004} uses ultrasound
waves travelling on a surface acoustic wave (SAW) device to a similar end.
volume of the cavity will cause a significant change in its RF response. A core component of the work of Tobisch et
al.~\cite{tobisch2020}\ is that they use commodity WiFi hardware to reduce the cost of the HSM's sensing circuitry. The
resulting system is likely both much cheaper and capable of protecting a much larger security envelope than designs
using finely patterned foil security meshes such as~\cite{immler2019}, at the cost of worse and less predictable
security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven
in~\cite{vrijaldenhoven2004} uses ultrasound waves travelling on a surface acoustic wave (SAW) device to a similar end.
While~\cite{tobisch2020} approach the sensing frontend cost as their only optimization target, the prior work of Kreft
and Adi~\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume barely larger than a
single chip. They theorize how an array of distributed RF transceivers can measure the physical properties of a potting
compound that has been loaded with RF-reflective grains. In their concept, the RF response characterized by these
transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains within the potting
compound.
While Tobisch et al.~\cite{tobisch2020}\ approach the sensing frontend cost as their primary optimization target, the
prior work of Kreft and Adi~\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume
barely larger than a single chip. They theorize how an array of distributed RF transceivers can measure the physical
properties of a potting compound that has been loaded with RF-reflective grains. In their concept, the RF response
characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains
within the potting compound.
To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a
hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security
barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture
these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap
low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The
low performance security barrier and transforming it into a marginally more expensive but high performance one. The
closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that
describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled
with pressurized gas.
\subsection{Patent literature}
During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not
find any mentions of similar concepts either in academic literature or in patents. Thus, we are likely the inventors of
this idea and we are fairly sure it is not covered by any patents or other restrictions at this point in time.
find any mentions of similar concepts either in academic literature or in patents. Thus, while we cannot give any
guarantees, we seem likely to be the inventors of this idea and we are fairly sure it is not covered by any patents or
other restrictions at this point in time.
Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are
already commercially available, we have decided against applying for a patent and we wish to make it available to the
general public without any restrictions on its use. We invite you to use it as you wish and to base your own work on our
publications without any fees or commercial restrictions. Where possible, we ask you to cite this paper and attribute
the inertial HSM concept to its authors.
general public without any restrictions on its use. We invite you build on our work as you wish and to base your own
work on our publications without any fees or commercial restrictions. Where possible, we ask you to cite this paper and
attribute the inertial HSM concept to its authors.
\section{Inertial HSM construction and operation}
\label{sec_ihsm_construction}
@ -211,10 +220,10 @@ to use it in tamper detection.
The core questions in the design of an inertial HSM are the following:
\begin{enumerate}
\item What \textbf{type of motion} to use: Rotation, pendulum, linear.
\item How to construct the \textbf{tamper detection mesh}.
\item How to \textbf{detect braking} of the HSM's movement.
\item The \textbf{mechanical layout} of the HSM.
\item What \textbf{type of motion} to use, such as rotation, pendulum motion, or linear motion.
\item How to construct the \textbf{tamper detection sensor}.
\item How to \textbf{detect braking} of the IHSM's movement.
\item The \textbf{mechanical layout} of the system.
\end{enumerate}
We will approach these questions one by one in the following subsections.
@ -233,48 +242,50 @@ a weak spot.
In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the
device. In case it has a fixed axis, rotation will expose a weak spot at the axis of rotation where the surface's
tangential velocity is low. Faster rotation can lessen the security impact of this fact at the expense of power
consumption and mechanical load, but it can never eliminate it. This effect can be alleviated in two ways: Either by
consumption and mechanical stress, but it can never eliminate it. This effect can be alleviated in two ways: Either by
adding additional tamper protection at the axis, or by having the HSM perform a compound rotation that has no fixed
axis. Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled
disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in a
\emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion would
have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from following
the devices motion since doing so would subject them to impractically large centrifugal forces. Essentially, this
limits the approximate maximum size and mass of an attacker based on an assumption on tolerable centrifugal force.
axis.
Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled
disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in what we
call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion
would have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from
following the devices motion since doing so would subject them to impractically large centrifugal forces. Essentially,
this limits the approximate maximum size and mass of an attacker based on an assumption on tolerable centrifugal force.
In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we are focusing on
systems having a fixed axis of rotation due to their relatively simple construction but we do wish to note the challenge
of hardening the shaft against tampering that any production device would have to tackle.
systems that have a fixed axis of rotation due to their simple construction but we do wish to note the challenge of
hardening the shaft against tampering that any production device would have to tackle.
\subsection{Tamper detection mesh construction}
Once we have decided which motion our IHSM's security barrier shall perform, what remains is the actual implementation
Once we have decided how our IHSM's security barrier should move, what remains is the actual implementation
of that security barrier. There are two movements that we have observed that are key to our work. On the one hand, there
is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems
deployed in the field for a variety of use cases from low-security payment processing devices to high-security
certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a significant level of
security. On the other hand, in contrast to this industry focus, academic research has mostly developed ways to
fabricate enclosures that embed characteristics of a Physically Uncloneable Function that do not employ a traditional
security mesh. By using stochastic properties of the enclosure material to form a PUF, such academic designs effectively
leverage signal processing techniques to improve the system's security level by a significant margin.
deployed in the field for a variety of use cases from low security payment processing devices to high security
certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of
security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to
fabricate enclosures that embed characteristics of a Physically Uncloneable Function. By using stochastic properties of
the enclosure material to form a PUF, such academic designs effectively leverage signal processing techniques to improve
the system's security level by a significant margin.
In our research, we focus on security meshes as our IHSM's tamper sensors. Most of the cost in commercial security mesh
implementations lies in the advanced manufacturing techniques and special materials necessary to achieve a sensitive
mesh at fine structure sizes. The foundation of an IHSM security is that by moving the mesh even a primitive, coarse
mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack in practice. This allows us to use a simple
construction made up from low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself
and its monitoring circuit and keep the payload inside this mesh stationary. Tamper sensing technologies that use the
and its monitoring circuit and keep the payload inside the mesh stationary. Tamper sensing technologies that use the
entire volume of the HSM such as RF-based systems do not allow for this degree of freedom in their design: They would
require the entire IHSM to spin, including its payload, which would entail costly and complex systems for data and power
transfer from the outside to the payload.
\subsection{Braking detection}
The security mesh is a critical component in the IHSM's primary defense against physical attacks, but its monitoring is
only one half of this defense. The other half consists of a reliable and sensitive braking detection system. This system
must be able to quickly detect any slowing of the IHSM's rotation. Ideally, a sufficiently sensitive sensor should be
able to measure any external force applied to the IHSM's rotor and should already trigger a response during the
beginning of a manipulation attempt.
The security mesh is a critical component in the IHSM's defense against physical attacks, but its monitoring is only one
half of this defense. The other half consists of a reliable and sensitive braking detection system. This system must be
able to quickly detect any slowing of the IHSM's rotation. Ideally, a sufficiently sensitive sensor should be able to
measure any external force applied to the IHSM's rotor and should already trigger a response at the first signs of a
manipulation attempt.
While the obvious choice to monitor rotation would be a tachometer such as a magnetic or opitical sensor attached to the
IHSM's shaft, this would be a poor choice in our application. Both optical and magnetic sensors are susceptible to
@ -297,21 +308,21 @@ In a spinning IHSM, an accelerometer mounted at a known radius with its axis poi
acceleration. Centrifugal acceleration rises linearly with radius, and with the square of frequency: $a=\omega^2 r$. For
a given target speed of rotation, the accelerometer's location has to be carefully chosen to maximize dynamic range. A
key point here is that for rotation speeds between $500$ and $\SI{1000}{rpm}$, centrifugal acceleration already becomes
very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}=\SI{17}{\hertz}$ at a
$\SI{10}{\centi\meter}$ radius acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. Off-axis
performance of commercial accelerometers is usually in the order of $\SI{1}{\percent}$ so this large acceleration will
feed through into all accelerometer axes, even those that are tangential to the rotation. It also means that we either
have to place the accelerometer close to the axis or we are limited to a small selection of high-$g$ accelerometers
mostly used in automotive applications.
very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}\approx\SI{17}{\hertz}$ at a
$\SI{10}{\centi\meter}$ radius acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. While
beneficial for security, this large acceleration leads to two practical constraints. First, off-axis performance of
commercial accelerometers is usually in the order of $\SI{1}{\percent}$ so this large acceleration will feed through
into all accelerometer axes, even those that are tangential to the rotation. Second, we either have to place the
accelerometer close to the axis or we are limited to a small selection of high-$g$ accelerometers mostly used in
automotive applications.
To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark: Let us assume that an
IHSM is spinning at $\SI{1000}{rpm}$ and that we wish to detect any attempt to brake it below $\SI{500}{rpm}$. The
difference in centrifugal acceleration will be a factor of $\frac{\omega_2^2}{\omega_1^2}=4$. This results in a
factor-$4$ difference in absolute acceleration that our accelerometer must be able to detect. If we choose our
accelerometer's location to maximize its dynamic range, any commercial MEMS accelerometer should suffice for this degree
of accuracy even over long timespans. For rapid deceleration, commercial accelerometers will be much more sensitive as
effects of long-term drift can be ignored. If we wish to also detect very slow deceleration, we have to take into
account the accelerometer's drift characteristics.
difference in centrifugal acceleration that our accelerometer will have to detect then is a factor of
$\frac{\omega_2^2}{\omega_1^2}=4$. If we choose our accelerometer's location to maximize its dynamic range, any
commercial MEMS accelerometer should suffice for this degree of accuracy even over long timespans. For rapid
deceleration, commercial accelerometers will be much more sensitive as effects of long-term drift can be ignored. If we
wish to also detect very slow deceleration, we have to take into account the accelerometer's drift characteristics.
In Section~\ref{sec_accel_meas} below we conduct an empirical evaluation of a commercial automotive high-$g$ MEMS
accelerometer for braking detection in our prototype IHSM.
@ -320,17 +331,17 @@ accelerometer for braking detection in our prototype IHSM.
With our IHSM's components taken care of, what remains to be decided is how to put together these individual components
into a complete device. A basic spinning HSM might look like shown in Figure~\ref{fig_schema_one_axis}. Shown are the
axis of rotation, an accelerometer on the rotating part used to detect braking, the protected payload and the area
covered by the rotating tamper detection mesh. A key observation is that we only have to move the tamper protection
mesh, not the entire contents of the HSM. The HSM's payload and with it most of the HSM's mass can be stationary. This
reduces the moment of inertia of the moving part. This basic schema accepts a weak spot at the point where the shaft
penetrates the spinning mesh. This trade-off makes for a simple mechanical construction and allows power and data
connections to the stationary payload through a hollow shaft.
axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload and the
area covered by the rotating tamper detection mesh. A key observation is that we only have to move the tamper
protection mesh, not the entire contents of the HSM. The HSM's payload and with it most of the HSM's mass can be
stationary. This reduces the moment of inertia of the moving part. This basic schema accepts a weak spot at the point
where the shaft penetrates the spinning mesh. This trade-off makes for a simple mechanical construction and allows
power and data connections to the stationary payload through a hollow shaft.
\begin{figure}
\center
\includegraphics{concept_vis_one_axis.pdf}
\caption{Concept of a simple spinning inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 -
\caption{Concept of a simple spinning Inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 -
Accelerometer. 5 - Shaft penetrating security mesh.}
\label{fig_schema_one_axis}
\end{figure}
@ -341,19 +352,19 @@ to flow through to the payload. In traditional boundary-sensing HSMs, cooling o
issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be
solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used
exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power.
Our setup allows direct air cooling of regular heatsinks. This unlocks much more powerful processing capabilities that
greatly increase the maximum possible power dissipation of the payload. In an evolution of our design, the spinning
mesh could even be designed to \emph{be} a cooling fan.
Using longitudinal gaps in the mesh, our setup allows direct air cooling of regular heatsinks. This unlocks much more
powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an
evolution of our design, the spinning mesh could even be designed to \emph{be} a cooling fan.
\section{Attacks}
\label{sec_attacks}
After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to
attack it. At the core of an IHSM's defenses is the same security mesh that is also used in traditional HSMs. This means
that in the end an attacker will have to perform the same steps they would have to perform to attack a traditional HSM.
Only, assuming that the braking detection system works they will have to perform these attack steps with a tool that
follows the HSMs rotation at high speed. This may require specialized mechanical tools, CNC actuators or even a
contactless attack using a laser, plasma jet or water jet.
attack it. At the core of an IHSM's defenses is the same security mesh or other technology as it is used in traditional
HSMs. This means that in the end an attacker will have to perform the same steps they would have to perform to attack a
traditional HSM. Only, they will either have to perform these attack steps with a tool that follows the HSMs rotation
at high speed or they will first have to defeat the braking sensor. Attacking the IHSM in motion may require specialized
mechanical tools, CNC actuators or even a contactless attack using a laser, plasma jet or water jet.
\subsection{The Swivel Chair Attack}
\label{sec_swivel_chair_attack}
@ -408,7 +419,7 @@ variations of the shaft interface with increasing complexity.
\caption{A second moving tamper detection mesh also enables more complex topographies.}
\label{shaft_cm_a}
\end{subfigure}
\caption{Mechanical countermeasures to attacks through or close to a rotating IHSM's shaft.}
\caption{Mechanical countermeasures to attacks through or close to the shaft of a fixed-axis rotating IHSM.}
\label{shaft_cm}
\end{figure}
@ -430,7 +441,7 @@ Instead of attacking the mesh in motion, an attacker may also try to first stop
to falsify the rotor's MEMS accelerometer measurements. We can disregard electronic attacks on the sensor or the
monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be
physical attacks of the accelerometer's sensing mechanism.
MEMS accelerometers usually use a cantilever design, where a proof mass moves a cantilever whose precise position is
MEMS accelerometers usually use a cantilever design in which a proof mass moves a cantilever whose precise position is
measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these
mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings.
A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the
@ -458,20 +469,22 @@ To prevent replay attacks link latency must continuously be measured, so this li
\subsection{Fast and violent attacks}
A variation of the above attacks on the alarm circuitry is to simply destroy the part of the HSM that erases data in
response to tampering before it can perform its job using a tool such as a large hammer or a gun. To mitigate this
type of attack, the HSM's tamper response circuitry must be mechanically robust enough to withstand an attack for long
enough to carry out its function or else to reliably destory the payload during an attack.
response to tampering before it can perform its job using a tool such as a large hammer or a gun. To mitigate this type
of attack, the HSM must be engineered to be either tough or brittle: Tough enough that the tamper response circuitry
will reliably withstand any attack for long enough to carry out its function or brittle in a way that during any attack,
the payload is reliably destroyed before the tamper response circuitry.
\section{Prototype implementation}
\section{Proof of Concept Prototype implementation}
\label{sec_proto}
As we elaboreated above, the mechanical component of an IHSM significantly increases the complexity of any successful
attack even when implemented using only common, off-the-shelf parts. In view of this amplification of design security we
have decided to validate our theoretical studies by implementing a prototype IHSM (Figure~\ref{prototype_picture}). The
main engineering challenges we set out to solve in this prototype were:
As we elaborated above, the mechanical component of an IHSM significantly increases the complexity of any attack even
when implemented using only common, off-the-shelf parts. In view of this amplification of design security we have
decided to validate our theoretical studies by implementing a proof of concept prototype IHSM
(Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof of concept prototype
were:
\begin{enumerate}
\item The Fundamental mechanical design suitable for rapid prototyping that can withstand at least $\SI{500}{rpm}$.
\item A mechanical design suitable for rapid prototyping that can withstand at least $\SI{500}{rpm}$.
\item The Automatic generation of security mesh PCB layouts for quick adaption to new form factors.
\item Non-contact power transmission from stator to rotor.
\item Non-contact bidirectional data communication between stator and rotor.
@ -481,22 +494,23 @@ We will outline our findings on these challenges one by one in the following par
\subsection{Mechanical design}
We sized our prototype to have space for up to two full-size Raspberry Pi boards for an approximation of a traditional
HSM's processing capabilities. We use printed circuit boards as the main structural material for the rotating part, and
2020 aluminium extrusion for its mounting frame. Figure~\ref{fig_proto_mesh} shows the rotor's mechanical PCB designs.
The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already sufficiently narrow to pose a
challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our prototype incorporates a
functional PCB security mesh. As we observed previously, this mesh only needs to cover every part of the system once per
revolution, so we designed the longituninal PCBs as narrow strips to save weight.
We sized our proof of concept prototype to have sufficient payload space for up to two full-size Raspberry Pi boards to
approximate a traditional HSM's processing capabilities. We use printed circuit boards as the main structural material
for the rotating part, and 2020 aluminium extrusion for its mounting frame. Figure~\ref{fig_proto_mesh} shows the
rotor's mechanical PCB designs. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already
sufficiently narrow to pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our
prototype incorporates a functional PCB security mesh. As we observed previously, this mesh only needs to cover every
part of the system once per revolution, so we designed the longituninal PCBs as narrow strips to save weight.
\subsection{PCB security mesh generation}
% FIXME censor link in peer-review version!
Our proof-of-concept security mesh covers a total of five interlocking mesh PCBs (Figure~\ref{mesh_gen_sample}). A sixth
PCB contains the monitoring circuit and connects to these mesh PCBs. To speed up design iterations, we automated the
generation of this security mesh using a plugin for the KiCAD EDA
generation of this security mesh through a plugin for the KiCAD EDA
suite\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. Figure~\ref{mesh_gen_viz} visualizes the mesh
generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a randomized tree
covering the grid. Finally, individual mesh traces are then traced according to a depth-first search through this tree.
covering the grid. Finally, individual mesh traces are traced according to a depth-first search through this tree.
We consider the quality of the plugin's output sufficient for practical applications. Together with FreeCAD's KiCAD
StepUp plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB files.
@ -504,7 +518,7 @@ StepUp plugin, this results in an efficient toolchain from mechanical CAD design
\begin{subfigure}{0.35\textwidth}
\center
\includegraphics[height=7cm]{proto_3d_design.jpg}
\caption{The 3D CAD design of the prototype.}
\caption{The 3D CAD design of the proof of concept prototype.}
\end{subfigure}
\hfill
\begin{subfigure}{0.6\textwidth}
@ -512,7 +526,7 @@ StepUp plugin, this results in an efficient toolchain from mechanical CAD design
\center
\caption{Assembled mechanical prototype rotor (left) and stator (right) PCB components.}
\end{subfigure}
\caption{Our prototype IHSM's PCB security mesh design}
\caption{Our proof of concept prototype IHSM's PCB security mesh design}
\label{fig_proto_mesh}
\end{figure}
@ -520,9 +534,9 @@ StepUp plugin, this results in an efficient toolchain from mechanical CAD design
\begin{subfigure}{\textwidth}
\center
\includegraphics[width=9cm]{mesh_gen_viz.pdf}
\caption{Overview of the automatic security mesh generation process. 1 - the blob is the example target area. 2 - A
grid is overlayed. 3 - Grid cells outside of the target area are removed. 4 - A random tree covering the remaining
cells is generated. 5 - The mesh traces are traced along a depth-first walk of the tree. 6 - Result.}
\caption{Overview of the automatic security mesh generation process. 1 - Example target area. 2 - Grid overlay.
3 - Grid cells outside of the target area are removed. 4 - A random tree covering the remaining cells is
generated. 5 - The mesh traces are traced along a depth-first walk of the tree. 6 - Result.}
\label{mesh_gen_viz}
\end{subfigure}
\begin{subfigure}{\textwidth}
@ -535,44 +549,44 @@ StepUp plugin, this results in an efficient toolchain from mechanical CAD design
\label{mesh_gen_fig}
\end{figure}
\subsection{Power transmission through the rotating joint}
\subsection{Power transmission from stator to rotor}
The spinning mesh has its own autonomous monitoring circuit. This spinning monitoring circuit needs both power and data
connectivity to the stator. To design the power link, we first have to estimate the monitoring circuit's power
consumption. We base our calculation on the (conservative) assumption that the spinning mesh sensor should send its
tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At
$\SI{100}{\kilo\baud}$ a transmission of a one-byte message in standard UART framing would take
$\SI{100}{\kilo\baud}$, a transmission of a one-byte message in standard UART framing would take
$\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that
requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of
$\SI{100}{\micro\ampere}$. Reserving another $\SI{100}{\micro\ampere}$ for the monitoring circuit itself we arrive at an
energy consumption of $\SI{1.7}{\ampere\hour}$ per year.
The annual energy consumption we calculated above is close to the capacity of a single CR123A lithium primary
cell. Using several such cells or optimizing power consumption would thus easily yield several years of battery life.
In our prototype we decided against using a battery to reduce rotor mass and balancing issues.
This annual energy consumption is close to the capacity of a single CR123A lithium primary cell. Thus, by either using
several such cells or by optimizing power consumption several years of battery life could easily be reached. In our
proof of concept prototype we decided against using a battery to reduce rotor mass and balancing issues.
We also decided against mechanically complex solutions such as slip rings or electronically complex ones such as
inductive power transfer. Instead, we chose a simple setup consisting of a stationary lamp pointing at several solar
cells on the rotor. At the monitoring circuit's low power consumption, power transfer efficiency is irrelevant, so this
cells on the rotor. At the monitoring circuit's low power consumption power transfer efficiency is irrelevant, so this
solution is practical. Our system uses six series-connected solar cells mounted on the end of the cylindrical rotor
that are fed into a large $\SI{33}{\micro\farad}$ ceramic buffer capacitor through a Schottky diode. This solution
provides around $\SI{3.0}{\volt}$ at several tens of $\si{\milli\ampere}$ to the payload when illumination using either
provides around $\SI{3.0}{\volt}$ at several tens of $\si{\milli\ampere}$ to the payload when illuminated using either
a $\SI{60}{\watt}$ incandescent light bulb or a flicker-free LED studio light of similar brightness\footnote{LED lights
intended for room lighting exhibit significant flicker that can cause the monitoring circuit to reset. Incandescent
lighting requires some care in shielding the data link from the light bulb's considerable infrared output.}.
\subsection{Data transmission through the rotating joint}
\subsection{Data transmission between stator and rotor}
Besides power transfer from stator to rotor, we need a reliable, bidirectional data link to transmit mesh status and a
low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a
quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a
transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into a an
transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into an
\texttt{MCP6494} general purpose opamp configured as an $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in
Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time, before being squared up by a
Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time before being squared up by a
comparator. Our design trades off stator-side power consumption for a reduction in rotor-side power consumption by
using a narrow-angle IR led and photodiode on the rotor, and wide-angle components at a higher LED current on the
stator. Figure~\ref{ir_tx_schema} shows the physical arrangement of both links. The links face opposite one another and
are shielded by the motor's body in the center of the PCB.
are shielded from one another by the motor's body in the center of the PCB.
% We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current
% consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a
@ -595,20 +609,28 @@ are shielded by the motor's body in the center of the PCB.
\caption{IR data link implementation}
\end{figure}
\subsection{Evaluation}
The compoleted proof of concept hardware worked as intended. Both rotating power and data links worked well. As we
expected, the mechanical design vibrated at higher speeds but despite these unintended vibrations we were able reach
speeds in excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link
and the data links continued to function without issue.
\section{Using MEMS accelerometers for braking detection}
\label{sec_accel_meas}
Using the prototype from the previous section, we performed an evaluation of an \partnum{AIS1120} commercial automotive
MEMS accelerometer as a braking sensor. The device is mounted inside our prototype at a radius of
Using the proof of concept prototype from the previous section, we performed an evaluation of an \partnum{AIS1120}
commercial automotive MEMS accelerometer as a braking sensor. The device is mounted inside our prototype at a radius of
$\SI{55}{\milli\meter}$ from the axis of rotation to the center of the device's package. The \partnum{AIS1120} provides
a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$.
Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually
control this motor controller through an RC servo tester. We measure the devices rotation speed using a magnet fixed to
the rotor and a reed switch held closeby by an articulating arm. The reed switch output is digitized using an USB logic
analyzer at a sampling rate of $\SI{100}{\mega\hertz}$. We calculcate rotation frequency as a $\SI{1}{\second}$ running
average over debounced interval lengths of this captured signal\footnote{A regular frequency counter or commercial
tachometer would have been easier, but were not available in our limited COVID-19 home office lab.}.
control this motor controller through an RC servo tester. In our experiments we externally measured the device's speed
of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using an
USB logic analyzer at a sampling rate of $\SI{100}{\mega\hertz}$. We calculcate rotation frequency as a
$\SI{1}{\second}$ running average over debounced interval lengths of this captured signal\footnote{A regular frequency
counter or commercial tachometer would have been easier, but neither was available in our limited COVID-19 home office
lab.}.
The accelerometer is controlled from the \partnum{STM32} microcontroller on the rotor of our IHSM prototype platform.
Timed by an external quartz, the microcontroller samples accelerometer readings at $\SI{10}{\hertz}$. Readings are
@ -638,24 +660,29 @@ and scale error is its slope. We then apply this correction to all captured data
Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of
the device's offset remaining. At high speeds of rotation this remaining offset does not have an appreciable impact, but
due to the quadratic nature of centrifugal acceleration at low speeds it causes a large relative error of up to
$\SI{10}{\percent}$ (at $\SI{95}{rpm}$).
$\SI{10}{\percent}$ at $\SI{95}{rpm}$.
After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data.
Raw data contains significant harmonic content. This content is due to vibrations in our prototype. FFT analysis shows
that this harmonic content is a clean intermodulation product of the accelerometers sampling rate and the speed of
rotation with no other visible artifacts.
Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity
since we tested our proof of concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that
this harmonic content is a clean intermodulation product of the accelerometers sampling rate and the speed of rotation
with no other visible artifacts.
Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark
blue, and theoretical behavior is shown in orange.
blue, and theoretical behavior is shown in orange. From our measurements we can conclude that an accelerometer is a good
choice for an IHSM's braking sensor. A simple threshold set according to the sensor's calculated expected centrifugal
force should be sufficient to reliably detect manipulation attempts without resulting in false positives. Periodic
controlled changes in the IHSM's speed of rotation allow an offset and scale calibration of the accelerometer on the
fly, without stopping the rotor.
\begin{figure}
\center
\includegraphics[width=0.7\textwidth]{../../prototype/sensor-analysis/fig-acc-theory-meas-run50.pdf}
\caption{Centrifugal acceleration versus angular frequency in theory and in our experiments. Experimental
measurements are shown after correction for device-specific offset and scale error. As is evident, our measurements
agree very well with our theoretical results. Above \SI{300}{rpm}, the relative acceleration error was consistently
below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, residual offset error remaining after our first-order corrections
has a strong impact ($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$.}
measurements are shown after correction for device-specific offset and scale error. Our measurements
showed good agreement with our theoretical results. Above \SI{300}{rpm}, the relative acceleration error was consistently
below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error that remains after our first-order
corrections has a strong impact ($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$.)}
\label{fig-acc-theory}
\end{figure}
@ -664,7 +691,7 @@ blue, and theoretical behavior is shown in orange.
\center
\includegraphics[width=1.1\textwidth]{../../prototype/sensor-analysis/fig-acc-trace-steps-run50.pdf}
\caption{Raw recording of accelerometer measurements during one experiment run. Shaded areas indicate time
intervals when we manually adjusted speed, leading to invalid measurements.}
intervals when we manually adjusted speed.}
\label{fig-acc-steps}
\end{subfigure}
\hfill
@ -672,8 +699,8 @@ blue, and theoretical behavior is shown in orange.
\center
\includegraphics[width=1.1\textwidth]{../../prototype/sensor-analysis/fig-acc-trace-stacked-run50.pdf}
\caption{Valid measurements cropped out from \ref{fig-acc-steps} for various frequencies. Intermodulation
artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SIrange{3}{18}{\hertz}$
rotation frequency due to device vibration are clearly visible.}
artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SI{3}{\hertz}$ to
$\SI{18}{\hertz}$ rotation frequency due to gravity and device vibration are clearly visible.}
\label{fig-acc-stacked}
\end{subfigure}
\label{fig-acc-traces}
@ -686,21 +713,20 @@ blue, and theoretical behavior is shown in orange.
In this paper we introduced Inertial Hardware Security Modules (iHSMs), a novel concept for the construction of advanced
hardware security modules from simple components. We analyzed the concept for its security properties and highlighted
its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design by creating a
hardware prototype. In this prototype we have demonstrated practical solutions to the major electronics design
challenges: Data and power transfer through a rotating joint, and mechanized mesh generation. We have used our prototype
to perform several experiments to validate the rotary power and data links and the onboard accelerometer. Our
measurements have shown that our proof-of-concept solar cell power link works well. Our simple IR data link already is
sufficiently reliable for telemetry. Our experiments with the \partnum{AIS1120} off-the-shelf automotive accelerometer
showed that this part is well-suited for braking detection in the range of rotation speed relevant to the IHSM
scenario.
proof of concept hardware prototype. In this prototype we have demonstrated practical solutions to the major electronics
design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation. We have used our
prototype to perform several experiments to validate the rotary power and data links and the onboard accelerometer. Our
measurements have shown that our proof-of-concept solar cell power link works well and that our simple IR data link
already is sufficiently reliable for telemetry. Our experiments with an \partnum{AIS1120} automotive MEMS accelerometer
showed that this part is well-suited for braking detection in the range of rotation speed relevant to the IHSM scenario.
Overall, our findings validate the viability of IHSMs as an evolutionary step beyond traditional HSM technology. IHSMs
offer a high level of security beyond what traditional techniques can offer even when built from simple components. They
allow the construction of devices secure against a wide range of practical attacks in small quantities and without
specialized tools. The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with
traditional HSMs. Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful
computing hardware inside the HSM. We hope that this simple construction will stimulate academic research into secure
hardware.
computing hardware inside the HSM. We hope that this simple construction will stimulate academic research into (more)
secure hardware.
\printbibliography[heading=bibintoc]

BIN
doc/paper/rotohsm_tech_report.pdf
View file

Binary file not shown.