jaseg/ihsm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Include spelling fixes from grammarly

Browse source
This commit is contained in:
jaseg 2021-09-20 16:54:20 +02:00
parent 5f041bb0ce
commit f05b3ffe87
1 changed files with 98 additions and 97 deletions
Download patch file Download diff file Expand all files Collapse all files

195
paper/ihsm_paper.tex
View file

@ -1,4 +1,4 @@
\documentclass[nohyperref,submission]{iacrtrans} \documentclass[nohyperref]{iacrtrans}
\usepackage[T1]{fontenc} \usepackage[T1]{fontenc}
\usepackage[ \usepackage[
backend=biber, backend=biber,
@ -53,8 +53,8 @@
reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any
manipulations by rotating the security mesh or sensor at high speed---thereby presenting a moving target to an manipulations by rotating the security mesh or sensor at high speed---thereby presenting a moving target to an
attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes.
Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet Our approach leads to an HSM that can easily be built from off-the-shelf parts by any university electronics lab,
offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware yet offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware
prototype that demonstrates solutions to the concept's main engineering challenges. As part of this proof of prototype that demonstrates solutions to the concept's main engineering challenges. As part of this proof of
concept, we have found that a system using a coarse security mesh made from commercial printed circuit boards and an concept, we have found that a system using a coarse security mesh made from commercial printed circuit boards and an
automotive high g-force accelerometer already provides a useful level of security. automotive high g-force accelerometer already provides a useful level of security.
@ -62,7 +62,7 @@
\section{Introduction} \section{Introduction}
While information security technology has matured a great deal in the last half century, physical security did not keep While information security technology has matured a great deal in the last half-century, physical security did not keep
up with the pace of the remainder of this industry. Given the right skills, physical access to a computer still often up with the pace of the remainder of this industry. Given the right skills, physical access to a computer still often
allows full compromise. The physical security of modern server hardware hinges on what lock you put on the room it is allows full compromise. The physical security of modern server hardware hinges on what lock you put on the room it is
in. in.
@ -75,12 +75,12 @@ co-processors such as trusted platform modules (TPMs) or hardware security modul
trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured
TPM~\cite{newman2020,frazelle2019,johnson2018}. TPM~\cite{newman2020,frazelle2019,johnson2018}.
Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure
them against tampering is a good engineering solution for some years to come. However, in essence this is a type of them against tampering is a good engineering solution for some years to come. However, in essence, this is a type of
security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern
ICs~\cite{albartus2020,anderson2020}. ICs~\cite{albartus2020,anderson2020}.
In contrast to TPMs and Smartcards, HSMs rely on an active security barrier usually consisting of a fragile foil with In contrast to TPMs and Smartcards, HSMs rely on an active security barrier usually consisting of a fragile foil with
conductive traces. These traces are much larger scale than a smart card IC's microscopic structures, and instead are conductive traces. These traces are much larger scale than a smart card IC's microscopic structures and instead are
designed to be very hard to remove intact. While we are certain that there still are many insights to be gained in both designed to be very hard to remove intact. While we are certain that there still are many insights to be gained in both
technologies, we wish to introduce a novel approach to sidestep the manufacturing issues of both and provide radically technologies, we wish to introduce a novel approach to sidestep the manufacturing issues of both and provide radically
better security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made better security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made
@ -88,7 +88,7 @@ much more difficult to attack by moving it very quickly.
For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set
by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue,
solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual solder, and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual
defenses, this modified HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high defenses, this modified HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high
speed. How would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the speed. How would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the
accelerometer's monitoring circuit---or they would have to attack the HSM in motion. The HSM literally becomes a moving accelerometer's monitoring circuit---or they would have to attack the HSM in motion. The HSM literally becomes a moving
@ -99,12 +99,12 @@ use an ``attack robot''.
This paper contains the following contributions: This paper contains the following contributions:
\begin{enumerate} \begin{enumerate}
\item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost effective, small scale production of \item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective, small-scale production of
highly secure HSMs. highly secure HSMs.
\item We discuss possible tamper sensors for inertial HSMs. \item We discuss possible tamper sensors for inertial HSMs.
\item We explore the design space of our inertial HSM concept. \item We explore the design space of our inertial HSM concept.
\item We present our work on a prototype inertial HSM (Figure~\ref{prototype_picture}). \item We present our work on a prototype inertial HSM (Figure~\ref{prototype_picture}).
\item We present an analysis on the viability of using commodity MEMS accelerometers as braking sensors. \item We present an analysis of the viability of using commodity MEMS accelerometers as braking sensors.
% FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack. % FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack.
\end{enumerate} \end{enumerate}
@ -140,16 +140,16 @@ anderson2020}. There has been some research on monitoring the HSM's interior us
radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research has found radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research has found
widespread adoption yet. widespread adoption yet.
HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper evident devices. The difference is that a HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper-evident devices. The difference is that an
HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine
it. This examination can be by eye in the field, but it can also be carried out in a laboratory using complex equipment. it. This examination can be done by eye in the field, but it can also be carried out in a laboratory using complex
An HSM in principle has to have this examination equipment built-in. equipment. An HSM in principle has to have this examination equipment built-in.
Physical seals are used in a wide variety of applications, but the most interesting ones from a research point of view Physical seals are used in a wide variety of applications, but the most interesting ones from a research point of view
that are recorded in public literature are those used in monitoring of nuclear material under the International Atomic that are recorded in public literature are those used for monitoring of nuclear material under the International Atomic
Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically
Unclonable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in a Unclonable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in a
way that intentionally causes large, random device to device variations. These variations are precisely recorded at way that intentionally causes large, random device-to-device variations. These variations are precisely recorded at
deployment. At the end of the seal's lifetime, the seal is returned from the field to the lab and closely examined to deployment. At the end of the seal's lifetime, the seal is returned from the field to the lab and closely examined to
check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes random check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes random
scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the
@ -161,20 +161,20 @@ reading, similar to an HSM. They are constructed from two components: A cable th
monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil such as it is used in monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil such as it is used in
commercial HSMs. commercial HSMs.
In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example HSM that he cites is In~\cite{anderson2020}, Anderson gives a comprehensive overview of physical security. An example HSM that he cites is
the IBM 4758, the details of which are laid out in depth in~\cite{smith1998}. This HSM is an example of an the IBM 4758, the details of which are laid out in-depth in~\cite{smith1998}. This HSM is an example of an
industry-standard construction. Although its turn of the century design is now a bit dated, the construction techniques industry-standard construction. Although its turn of the century design is now a bit dated, the construction techniques
of the physical security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature of the physical security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature
and radiation sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the and radiation sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the
common construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state common construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state
that the module monitors this mesh for short circuits, open circuits and conductivity. Other commercial offerings use a that the module monitors this mesh for short circuits, open circuits, and conductivity. Other commercial offerings use a
fundamentally similar approach to tamper detection~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. fundamentally similar approach to tamper detection~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an
HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to
traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example). traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example).
Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in
covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A area covered and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A
core component of their design is that they propose its use as a PUF to allow for protection even when powered off, core component of their design is that they propose its use as a PUF to allow for protection even when powered off,
similar to a smart card---but the design is not limited to this use. similar to a smart card---but the design is not limited to this use.
@ -197,12 +197,12 @@ properties of a potting compound that has been loaded with RF-reflective grains.
characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains
within the potting compound. within the potting compound.
To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a To the best of our knowledge, we are the first to propose a mechanically moving HSM security barrier as part of a
hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security
barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture
these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap
low performance security barrier and transforming it into a marginally more expensive but high performance one. The low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The
closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that closest to a mechanical HSM that we were able to find during our research is a 1988 patent~\cite{rahman1988} that
describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled
with pressurized gas. with pressurized gas.
@ -231,12 +231,12 @@ of the practical implications that these aspects of IHSM construction have on IH
First, there are several ways how we can approach motion. Periodic, aperiodic and continuous motion could serve the First, there are several ways how we can approach motion. Periodic, aperiodic and continuous motion could serve the
purpose. There is also linear motion as well as rotation. We can also vary the degree of electronic control in this purpose. There is also linear motion as well as rotation. We can also vary the degree of electronic control in this
motion. The main constraints we have on the HSM's motion pattern are that it needs to be (almost) continuous so as to motion. The main constraints we have on the HSM's motion pattern are that it needs to be (almost) continuous so as to
not expose any weak spots during instantaneous standstill of the HSM. Additionally, for space efficiency the HSM has to not expose any weak spots during instantaneous standstill of the HSM. Additionally, for space efficiency, the HSM has to
stay within a confined space. This means that linear motion would have to be periodic, like that of a pendulum. Such stay within a confined space. This means that linear motion would have to be periodic, like that of a pendulum. Such
periodic linear motion will have to quickly reverse direction at its apex so the device is not stationary long enough periodic linear motion will have to quickly reverse direction at its apex so the device is not stationary long enough
for this to become a weak spot. for this to become a weak spot.
In contrast to linear motion, rotation is space efficient and can be continuous if the axis of rotation is inside the In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the
device. In case it has a fixed axis, rotation will expose a weak spot at the axis of rotation where the surface's device. In case it has a fixed axis, rotation will expose a weak spot at the axis of rotation where the surface's
tangential velocity is low. Faster rotation can lessen the security impact of this fact at the expense of power tangential velocity is low. Faster rotation can lessen the security impact of this fact at the expense of power
consumption and mechanical stress, but it can never eliminate it. This effect can be alleviated in two ways: Either by consumption and mechanical stress, but it can never eliminate it. This effect can be alleviated in two ways: Either by
@ -247,10 +247,10 @@ Large centrifugal acceleration at high speeds poses the engineering challenge of
disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in what we disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in what we
call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion
would have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from would have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from
following the devices motion since doing so would subject them to impractically large centrifugal forces. Essentially, following the device's motion since doing so would subject them to impractically large centrifugal forces. Essentially,
this limits the approximate maximum size and mass of an attacker under the an assumption on tolerable centrifugal force. this limits the approximate maximum size and mass of an attacker under an assumption on tolerable centrifugal force.
In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we focus on systems In this paper, we focus on rotating IHSMs for simplicity of construction. For our initial research, we focus on systems
with a fixed axis of rotation due to their simple construction but we do wish to note the challenge of hardening the with a fixed axis of rotation due to their simple construction but we do wish to note the challenge of hardening the
shaft against tampering that any production device would have to tackle. shaft against tampering that any production device would have to tackle.
@ -259,7 +259,7 @@ shaft against tampering that any production device would have to tackle.
Once we have decided how our IHSM's security barrier should move, what remains is the actual implementation Once we have decided how our IHSM's security barrier should move, what remains is the actual implementation
of that security barrier. There are two movements that we have observed that are key to our work. On the one hand, there of that security barrier. There are two movements that we have observed that are key to our work. On the one hand, there
is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems
deployed in the field for a variety of use cases from low security payment processing devices to high security deployed in the field for a variety of use cases from low-security payment processing devices to high-security
certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of
security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to
fabricate enclosures that embed characteristics of a Physically Unclonable Function. By using stochastic properties of fabricate enclosures that embed characteristics of a Physically Unclonable Function. By using stochastic properties of
@ -270,10 +270,10 @@ In our research, we focus on security meshes as our IHSM's tamper sensors. Most
implementations lies in the advanced manufacturing techniques and special materials necessary to achieve a sensitive implementations lies in the advanced manufacturing techniques and special materials necessary to achieve a sensitive
mesh at fine structure sizes. The foundation of an IHSM security is that by moving the mesh even a primitive, coarse mesh at fine structure sizes. The foundation of an IHSM security is that by moving the mesh even a primitive, coarse
mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack in practice. This allows us to use a simple mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack in practice. This allows us to use a simple
construction made up from low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself construction made up of low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself and
and its monitoring circuit and keep the payload inside the mesh stationary. Tamper sensing technologies that use the its monitoring circuit and keep the payload inside the mesh stationary. Tamper sensing technologies that use the entire
entire volume of the HSM such as RF-based systems do not allow for this degree of freedom in their design: They would volume of the HSM such as RF-based systems do not allow for this degree of freedom in their design: They would require
require the entire IHSM to spin, including its payload, which would entail costly and complex systems for data and power the entire IHSM to spin, including its payload, which would entail costly and complex systems for data and power
transfer from the outside to the payload. transfer from the outside to the payload.
\subsection{Braking detection} \subsection{Braking detection}
@ -288,8 +288,8 @@ While the obvious choice to monitor rotation would be a tachometer such as a mag
IHSM's shaft, this would be a poor choice for our purposes. Both optical and magnetic sensors are susceptible to IHSM's shaft, this would be a poor choice for our purposes. Both optical and magnetic sensors are susceptible to
contact-less interference from outside. A different option would be to use feedback from the motor driver electronics. contact-less interference from outside. A different option would be to use feedback from the motor driver electronics.
When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this
approach is that depending on construction, it might invite attacks at the mechanical interface between mesh and the approach is that depending on construction, it might invite attacks at the mechanical interface between the mesh and the
motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation or electrical motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation, or electrical
discharge machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is discharge machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is
already standing still. already standing still.
@ -328,7 +328,7 @@ accelerometer for braking detection in our prototype IHSM.
With our IHSM's components taken care of, what remains to be decided is how to put together these individual components With our IHSM's components taken care of, what remains to be decided is how to put together these individual components
into a complete device. A basic spinning HSM might look as shown in Figure~\ref{fig_schema_one_axis}. Visible are the into a complete device. A basic spinning HSM might look as shown in Figure~\ref{fig_schema_one_axis}. Visible are the
axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload and the axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload, and the
area covered by the rotating tamper detection mesh. A key observation is that we only have to move the tamper area covered by the rotating tamper detection mesh. A key observation is that we only have to move the tamper
protection mesh, not the entire contents of the HSM. The HSM's payload and with it most of the HSM's mass can be protection mesh, not the entire contents of the HSM. The HSM's payload and with it most of the HSM's mass can be
stationary. This reduces the moment of inertia of the moving part. This basic schema accepts a weak spot at the point stationary. This reduces the moment of inertia of the moving part. This basic schema accepts a weak spot at the point
@ -347,7 +347,7 @@ The spinning mesh must be designed to cover the entire surface of the payload, b
part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside air part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside air
to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious
issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be
solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used solved with complex and costly siphon-style constructions, so in commercial systems, heat conduction is used
exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power.
Using longitudinal gaps in the mesh, our setup allows direct air cooling of regular heatsinks. This unlocks much more Using longitudinal gaps in the mesh, our setup allows direct air cooling of regular heatsinks. This unlocks much more
powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an
@ -358,7 +358,7 @@ structural material. The security mesh has to fit the highest components inside
with a non-flat surface is difficult, this means there is an inevitable gap of a few millimeters between the surface of with a non-flat surface is difficult, this means there is an inevitable gap of a few millimeters between the surface of
the payload CPU and the interior surface of the mesh. This distance is added to several millimeters of epoxy resin that the payload CPU and the interior surface of the mesh. This distance is added to several millimeters of epoxy resin that
the mesh must be embedded inside for it to be hard to remove intact. Overall, this leads to a structure approximately a the mesh must be embedded inside for it to be hard to remove intact. Overall, this leads to a structure approximately a
centimeter thick that includes several millimeters epoxy resin with particularly poor thermal centimeter thick that includes several millimeters of epoxy resin with particularly poor thermal
conductivity~\cite{obermaier2019}. Even if ``thermally conductive'' resins would be used, thermal conductivity is conductivity~\cite{obermaier2019}. Even if ``thermally conductive'' resins would be used, thermal conductivity is
limited to a fraction of what can be achieved with a heatsink directly attached to the CPU. A modern high-end CPU limited to a fraction of what can be achieved with a heatsink directly attached to the CPU. A modern high-end CPU
heatsink with its fan running has a thermal resistance from CPU junction to air of around heatsink with its fan running has a thermal resistance from CPU junction to air of around
@ -381,9 +381,9 @@ to two orders of magnitude in computing power to be feasible in an IHSM compared
\subsection{Long-term Operation} \subsection{Long-term Operation}
Without settling on a particular design for an IHSM yet, from the previous sections we have already gained an Without settling on a particular design for an IHSM yet, from the previous sections we have already gained an
understanding of what an IHSM would look like in practice. In the following paragraphs we will draw some conclusions on understanding of what an IHSM would look like in practice. In the following paragraphs, we will draw some conclusions on
how its design will affect the day-to-day operation of an IHSM. how its design will affect the day-to-day operation of an IHSM.
Like other HSMs, in a practical application an IHSM may have to run continuously for a decade or even longer. As with Like other HSMs, in a practical application, an IHSM may have to run continuously for a decade or even longer. As with
any networked system, a setup including IHSMs must be designed in a way that prevents the failure of one or several any networked system, a setup including IHSMs must be designed in a way that prevents the failure of one or several
IHSMs on the network from compromising the whole system's security or reliability. Neither IHSMs nor traditional HSMs IHSMs on the network from compromising the whole system's security or reliability. Neither IHSMs nor traditional HSMs
can withstand fire or flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and can withstand fire or flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and
@ -391,19 +391,19 @@ erasure of data cannot~\cite{heise2021ovh}. Traditionally, this problem is solve
geographically redundant HSMs~\cite{thales2015hsmha}. On IHSMs this task is aided on the software layer since they are geographically redundant HSMs~\cite{thales2015hsmha}. On IHSMs this task is aided on the software layer since they are
based on general-purpose computer hardware and allow for state-of-the-art database replication techniques to be applied based on general-purpose computer hardware and allow for state-of-the-art database replication techniques to be applied
without first porting them to an embedded operating system or foreign CPU architecture. A practical example of this without first porting them to an embedded operating system or foreign CPU architecture. A practical example of this
approach is a 2019 technology demonstration~\cite{signal2019} created by the signal.org, the organization running the approach is a 2019 technology demonstration~\cite{signal2019} created by signal.org, the organization running the signal
signal secure messenger app. In this demonstration, signal.org have implemented the Raft consensus secure messenger app. In this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019}
algorithm~\cite{ongaro2019} inside Intel SGX to replicate state between geographically redundant enclaves. inside Intel SGX to replicate state between geographically redundant enclaves.
Excluding natural disasters there are three main categories of challenges to an IHSM's longevity: Failure of components Excluding natural disasters, there are three main categories of challenges to an IHSM's longevity: Failure of components
of the IHSM due to age and wear, failure of the external power supply and spurious triggering of the intrusion alarm by of the IHSM due to age and wear, failure of the external power supply, and spurious triggering of the intrusion alarm by
changes in the IHSM's environment. In the following paragraphs we will evaluate each of these categories in its changes in the IHSM's environment. In the following paragraphs, we will evaluate each of these categories in its
practical impact. practical impact.
\paragraph{Component failure.} \paragraph{Component failure.}
The failure mode of an IHSM's components is the same as in any other computer system and the same generic mitigation The failure mode of an IHSM's components is the same as in any other computer system and the same generic mitigation
techniques apply. The expected lifetime of electronic components can be increased by using higher-spec components and by techniques apply. The expected lifetime of electronic components can be increased by using higher-spec components and by
reducing thermal, mechanical and electrical stress. To reduce vibration stress on both rotor and stator, the rotor must reducing thermal, mechanical, and electrical stress. To reduce vibration stress on both rotor and stator, the rotor must
be balanced. The main mechanical failure mode of an IHSM's is likely to be failure of the shaft bearings. By be balanced. The main mechanical failure mode of an IHSM's is likely to be failure of the shaft bearings. By
incorporating knowledge from other rotating devices that have a long lifetime such as cooling fans, this failure mode incorporating knowledge from other rotating devices that have a long lifetime such as cooling fans, this failure mode
can be mitigated. Another noteworthy mechanical failure mode of an IHSM is dust buildup on the optical components of the can be mitigated. Another noteworthy mechanical failure mode of an IHSM is dust buildup on the optical components of the
@ -417,7 +417,7 @@ considered is power loss. Traditional HSMs solve the need for an always-on backu
batteries. The low static power consumption of a traditional HSM's simple tamper detection circuitry allows for the use batteries. The low static power consumption of a traditional HSM's simple tamper detection circuitry allows for the use
of non-replaceable backup batteries. An IHSM in contrast would likely require a rechargeable backup battery since its of non-replaceable backup batteries. An IHSM in contrast would likely require a rechargeable backup battery since its
motor requires more power than the mesh monitoring circuit of a traditional HSM. In principle, a conventional motor requires more power than the mesh monitoring circuit of a traditional HSM. In principle, a conventional
Uninterruptible Power Supply (UPS) can be used, but in practice a productized IHSM might have a smaller backup battery Uninterruptible Power Supply (UPS) can be used, but in practice, a productized IHSM might have a smaller backup battery
integrated into its case. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ for an integrated into its case. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ for an
IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power
an IHSM for 10 hours continuously. $\SI{10}{\watt}$ is a reasonable high estimate given that there are large industrial an IHSM for 10 hours continuously. $\SI{10}{\watt}$ is a reasonable high estimate given that there are large industrial
@ -443,7 +443,7 @@ is proportional to the square of its amplitude when fixing frequency and the cub
amplitude. This means that to reach a certain instantaneous acceleration, much more power is needed in a high-frequency amplitude. This means that to reach a certain instantaneous acceleration, much more power is needed in a high-frequency
vibrating motion compared to lower frequencies. This observation interacts with our other point that, second, an ideal vibrating motion compared to lower frequencies. This observation interacts with our other point that, second, an ideal
vibration damper works better with higher frequencies, and has a lower bound below which it does no longer damp vibration damper works better with higher frequencies, and has a lower bound below which it does no longer damp
vibration transmission~\cite{kelly1993,beards1996,dixon2007}. From these two observations it follows that if we wish to vibration transmission~\cite{kelly1993,beards1996,dixon2007}. From these two observations, it follows that if we wish to
reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal efficiently by damping reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal efficiently by damping
high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations large high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations large
enough to cause a false alarm. enough to cause a false alarm.
@ -459,7 +459,7 @@ $\SI{0.3}{g}$. As they happen across a large geographic area, an earthquake's lo
tremendous amount of mechanical power despite their at first glance low absolute acceleration. However, we can ignore tremendous amount of mechanical power despite their at first glance low absolute acceleration. However, we can ignore
them for the purposes of our tamper detection system. them for the purposes of our tamper detection system.
From these comparisons we can conclude that an IHSM's tamper detection subsystem will be able to clearly distinguish From these comparisons, we can conclude that an IHSM's tamper detection subsystem will be able to clearly distinguish
attempts to stop the IHSM's rotation. Any external acceleration that would come close in order of magnitude to the attempts to stop the IHSM's rotation. Any external acceleration that would come close in order of magnitude to the
operating centrifugal acceleration at the periphery of an IHSM's rotor would likely destroy the IHSM. operating centrifugal acceleration at the periphery of an IHSM's rotor would likely destroy the IHSM.
@ -486,17 +486,17 @@ manufacturer after the IHSM has been installed.
\label{sec_attacks} \label{sec_attacks}
After outlining the basic mechanical design of an inertial HSM as well as the fundamentals of its long-term operation After outlining the basic mechanical design of an inertial HSM as well as the fundamentals of its long-term operation
above, in this section we will detail possible ways to attack it. At the core of an IHSM's defenses is the same security above, in this section, we will detail possible ways to attack it. At the core of an IHSM's defenses is the same
mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to perform security mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to
the same steps they would have to perform to attack a traditional HSM. However, they will either need to perform these perform the same steps they would have to perform to attack a traditional HSM. However, they will either need to
attack steps with a tool that follows the HSM's rotation at high speed or they will first need to defeat the braking perform these attack steps with a tool that follows the HSM's rotation at high speed or they will first need to defeat
sensor. Attacking the IHSM in motion requires specialized mechanical tools such as CNC actuators or for contactless the braking sensor. Attacking the IHSM in motion requires specialized mechanical tools such as CNC actuators or for
attack a laser. contactless attack a laser.
\subsection{Attacks that don't work} \subsection{Attacks that don't work}
In the sections below, we will go into detail on such attacks on IHSMs. To put these attack approaches into perspective, In the sections below, we will go into detail on such attacks on IHSMs. To put these attack approaches into perspective,
we will start with a brief overview on attacks on conventional HSMs that the IHSM is defended against. we will start with a brief overview of attacks on conventional HSMs that the IHSM is defended against.
%FIXME \paragraph{...} %FIXME \paragraph{...}
In principle, there are three ways to attack a conventional HSM. The hard way is to find a way to go through the In principle, there are three ways to attack a conventional HSM. The hard way is to find a way to go through the
@ -512,7 +512,7 @@ $\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdo
Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding
temperature stability of the mesh material. temperature stability of the mesh material.
The second way to attack a HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between The second way to attack an HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between
two halves of an enclosure~\cite{obermaier2019}. This design is vulnerable to attempts to stick a fine needle through two halves of an enclosure~\cite{obermaier2019}. This design is vulnerable to attempts to stick a fine needle through
the interface between lid and PCB~\cite{dexter2015}. Conventional HSMs mitigate this weak spot by wrapping a patterned the interface between lid and PCB~\cite{dexter2015}. Conventional HSMs mitigate this weak spot by wrapping a patterned
conductive foil around the HSM that forms the security mesh, leaving only the corners and the payload's power and data conductive foil around the HSM that forms the security mesh, leaving only the corners and the payload's power and data
@ -541,7 +541,7 @@ IHSMs do not provide an inherent benefit against such contactless attacks. Howev
play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using
simpler technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and are less simpler technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and are less
space-constrained. This larger volume allows for a greater physical distance between security-critical components and space-constrained. This larger volume allows for a greater physical distance between security-critical components and
places accessible to an attacker using an electromagnetic probe for EM side channel attacks. By allowing the use of places accessible to an attacker using an electromagnetic probe for EM sidechannel attacks. By allowing the use of
conventional server hardware, IHSMs additionally enable the use of modern security techniques such as MMUs and conventional server hardware, IHSMs additionally enable the use of modern security techniques such as MMUs and
well-audited open source software such as OpenSSL both of which may not be available on the smaller embedded processors well-audited open source software such as OpenSSL both of which may not be available on the smaller embedded processors
found in conventional HSMs. found in conventional HSMs.
@ -558,9 +558,9 @@ shortest axis, resulting in a minimum radius from axis of rotation to surface of
Wikipedia lists horizontal g forces in the order of $\SI{20}{g}$ as the upper end of the range tolerable by humans for a Wikipedia lists horizontal g forces in the order of $\SI{20}{g}$ as the upper end of the range tolerable by humans for a
duration of seconds or above. We thus set our target acceleration to duration of seconds or above. We thus set our target acceleration to
$\SI{100}{g}\;\approx\;\SI{1000}{\meter\per\second^2}$, a safety factor of $5$ past that range. Centrifugal $\SI{100}{g}\;\approx\;\SI{1000}{\meter\per\second^2}$, a safety factor of $5$ past that range. Centrifugal
acceleration is $a=\omega^2 r$. In our example this results in a minimum angular velocity of $f_\text{min} = acceleration is $a=\omega^2 r$. In our example, this results in a minimum angular velocity of $f_\text{min} =
\frac{1}{2\pi}\sqrt{\frac{a}{r}} = \frac{1}{2\pi}\sqrt{\frac{\SI{1000}{\meter\per\second^2}}{\SI{100}{\milli\meter}}} \frac{1}{2\pi}\sqrt{\frac{a}{r}} = \frac{1}{2\pi}\sqrt{\frac{\SI{1000}{\meter\per\second^2}}{\SI{100}{\milli\meter}}}
\approx \SI{16}{\hertz} \approx \SI{1000}{rpm}$. From this we can conclude that even at moderate speeds of \approx \SI{16}{\hertz} \approx \SI{1000}{rpm}$. From this, we can conclude that even at moderate speeds of
$\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some $\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some
kind of mechanical tool. kind of mechanical tool.
@ -569,7 +569,7 @@ kind of mechanical tool.
\includegraphics[width=6cm]{attack-robot.pdf} \includegraphics[width=6cm]{attack-robot.pdf}
\caption{Schematic overview of a robotic rotating-stage attack. An optical sensor (1) observes the IHSM's rotation \caption{Schematic overview of a robotic rotating-stage attack. An optical sensor (1) observes the IHSM's rotation
and adjusts the setpoint of a servo motor (2) that rotates the attack stage (3). On the rotating attack stage, a and adjusts the setpoint of a servo motor (2) that rotates the attack stage (3). On the rotating attack stage, a
remote controlled manipulator (4) is mounted that deactivates the security mesh (7) and creates an opening (5). remote-controlled manipulator (4) is mounted that deactivates the security mesh (7) and creates an opening (5).
Through this opening, a human operator can then insert tools such as probes to read out sensitive information from Through this opening, a human operator can then insert tools such as probes to read out sensitive information from
the actual payload (6).} the actual payload (6).}
\label{fig_attack_robot} \label{fig_attack_robot}
@ -608,7 +608,7 @@ does, however, have a weak spot along its axis of rotation, at the point where t
tangential velocity decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as tangential velocity decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as
probes into the device through the opening it creates. This issue is related to the issue conventional HSMs also face probes into the device through the opening it creates. This issue is related to the issue conventional HSMs also face
with their power and data connections. In conventional HSMs, power and data are routed into the enclosure through the with their power and data connections. In conventional HSMs, power and data are routed into the enclosure through the
PCB or flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. In conventional HSMs this PCB or flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. In conventional HSMs, this
interface rarely is a mechanical weak spot since they use a thin mesh substrate and create a meandering path by folding interface rarely is a mechanical weak spot since they use a thin mesh substrate and create a meandering path by folding
the interconnect substrate/security mesh layers several times. In inertial HSMs, careful engineering is necessary to the interconnect substrate/security mesh layers several times. In inertial HSMs, careful engineering is necessary to
achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity. achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity.
@ -647,7 +647,7 @@ its traces. The other option is to tamper with the monitoring circuit to prevent
alarm~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e.\ they require electrical contact to alarm~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e.\ they require electrical contact to
parts of the circuit. Traditionally, this contact is made by soldering a wire or by placing a probe such as a thin parts of the circuit. Traditionally, this contact is made by soldering a wire or by placing a probe such as a thin
needle. We consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack needle. We consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack
avenues may be to rotate an attack tool in sync with the mesh, or to use a laser or ion beam fired at the mesh to cut avenues may be to rotate an attack tool in sync with the mesh or to use a laser or ion beam fired at the mesh to cut
traces or carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting traces or carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting
compound and shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the compound and shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the
complexity of such attacks. complexity of such attacks.
@ -659,9 +659,9 @@ to falsify the rotor's MEMS accelerometer measurements. We can disregard electro
monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be
physical attacks of the accelerometer's sensing mechanism. physical attacks of the accelerometer's sensing mechanism.
MEMS accelerometers usually use a cantilever design in which a proof mass moves a cantilever whose precise position is MEMS accelerometers usually use a cantilever design in which a proof mass moves a cantilever whose precise position is
measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these measured electronically. A topic of recent academic interest has been acoustic attacks tampering with these
mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings. mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings. A
A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the
device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the
mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the
security envelope and by varying the rate of rotation over time. security envelope and by varying the rate of rotation over time.
@ -669,11 +669,11 @@ security envelope and by varying the rate of rotation over time.
\subsection{Attacks on the alarm circuit} \subsection{Attacks on the alarm circuit}
Besides trying to deactivate the tamper detection mesh, an electronic attack could also target the alarm circuitry Besides trying to deactivate the tamper detection mesh, an electronic attack could also target the alarm circuitry
inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a inside the stationary payload or the communication link between rotor and payload. The link can be secured using a
cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat
message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope. message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope.
Like in conventional HSMs, it has to be built to either tolerate or detect environmental attacks using sensors for Like in conventional HSMs, it has to be built to either tolerate or detect environmental attacks using sensors for
temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration and gases or temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration, and gases or
liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured. liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured.
To prevent replay attacks link latency must continuously be measured, so this link must be bidirectional. To prevent replay attacks link latency must continuously be measured, so this link must be bidirectional.
% If it were unidirectional, an attacker could % If it were unidirectional, an attacker could
@ -695,7 +695,7 @@ the payload is reliably destroyed before the tamper response circuitry.
\label{sec_proto} \label{sec_proto}
As we elaborated above, the mechanical component of an IHSM significantly increases the complexity of any attack even As we elaborated above, the mechanical component of an IHSM significantly increases the complexity of any attack even
when implemented using only common, off-the-shelf parts. In view of this amplification of design security we have when implemented using only common, off-the-shelf parts. In view of this amplification of design security, we have
decided to validate our theoretical studies by implementing a proof of concept prototype IHSM decided to validate our theoretical studies by implementing a proof of concept prototype IHSM
(Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof of concept prototype (Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof of concept prototype
were: were:
@ -773,10 +773,10 @@ connectivity to the stator. To design the power link, we first need to estimate
consumption. We base our calculation on the (conservative) assumption that the spinning mesh sensor should send its consumption. We base our calculation on the (conservative) assumption that the spinning mesh sensor should send its
tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At
$\SI{100}{\kilo\baud}$, a transmission of a one-byte message in standard UART framing would take $\SI{100}{\kilo\baud}$, a transmission of a one-byte message in standard UART framing would take
$\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that $\SI{100}{\micro\second}$ and yield a $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that
requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of
$\SI{100}{\micro\ampere}$. This value is comparable to a reasonable estimation of the current consumption of the $\SI{100}{\micro\ampere}$. This value is comparable to a reasonable estimation of the current consumption of the
monitoring circuit itself. In our prototype we used ST Microelectronics STM32 Series ARM Cortex-M microcontrollers. To monitoring circuit itself. In our prototype, we used ST Microelectronics STM32 Series ARM Cortex-M microcontrollers. To
get an estimate on the current consumption of an energy-optimized design we will refer to the datasheet of the get an estimate on the current consumption of an energy-optimized design we will refer to the datasheet of the
\partnum{STM32L486JG}\footnote{\url{https://www.st.com/resource/en/datasheet/stm32l486jg.pdf}}, a representative member \partnum{STM32L486JG}\footnote{\url{https://www.st.com/resource/en/datasheet/stm32l486jg.pdf}}, a representative member
of ST's \partnum{STM32L4} low-power sub-family that provides hardware acceleration for AES256. A good target for an of ST's \partnum{STM32L4} low-power sub-family that provides hardware acceleration for AES256. A good target for an
@ -784,7 +784,7 @@ implementation of a secure cryptographic channel on this device would be the noi
While the initial handshake for key establishment uses elliptic-curve cryptography and may take several hundred While the initial handshake for key establishment uses elliptic-curve cryptography and may take several hundred
milliseconds~\cite{tschofenig2015}, the following payload data transfer messages require only symmetric cryptographic milliseconds~\cite{tschofenig2015}, the following payload data transfer messages require only symmetric cryptographic
primitives. The \partnum{STM32L486JG} datasheet lists the microcontroller's typical operating current at around primitives. The \partnum{STM32L486JG} datasheet lists the microcontroller's typical operating current at around
$\SI{8}{\milli\ampere}$ at $\SI{48}{\mega\hertz}$ clock speed, and lists a sleep current of less than $\SI{8}{\milli\ampere}$ at $\SI{48}{\mega\hertz}$ clock speed and lists a sleep current of less than
$\SI{1}{\micro\ampere}$ in low-power standby mode with RTC enabled. The AES peripheral is listed with less than $\SI{1}{\micro\ampere}$ in low-power standby mode with RTC enabled. The AES peripheral is listed with less than
$\SI{2}{\micro\ampere\per\mega\hertz}$ typical current consumption. A typical high-$g$ accelerometer for an IHSM $\SI{2}{\micro\ampere\per\mega\hertz}$ typical current consumption. A typical high-$g$ accelerometer for an IHSM
application would be ST Microelectronics' \partnum{H3LIS331DL}. Its application would be ST Microelectronics' \partnum{H3LIS331DL}. Its
@ -799,7 +799,7 @@ we arrive at an energy consumption of $\SI{1.7}{\ampere\hour}$ per year.
This annual energy consumption is close to the capacity of a single CR123A lithium primary cell. By either using several This annual energy consumption is close to the capacity of a single CR123A lithium primary cell. By either using several
such cells or by optimizing power consumption, several years of battery life could easily be reached. In our proof of such cells or by optimizing power consumption, several years of battery life could easily be reached. In our proof of
concept prototype we decided against using a battery to reduce rotor mass and avoid balancing issues. concept prototype, we decided against using a battery to reduce rotor mass and avoid balancing issues.
We also decided against mechanically complex solutions such as slip rings or electronically complex ones such as We also decided against mechanically complex solutions such as slip rings or electronically complex ones such as
inductive power transfer. Instead, we chose a simple setup consisting of a stationary lamp pointing at several solar inductive power transfer. Instead, we chose a simple setup consisting of a stationary lamp pointing at several solar
@ -817,7 +817,7 @@ Besides power transfer from stator to rotor, we need a reliable, bidirectional d
low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a
quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a
transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into an transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into an
\partnum{MCP6494} general purpose opamp configured as an $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in \partnum{MCP6494} general purpose opamp configured as a $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in
Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time before being squared up by a Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time before being squared up by a
comparator. Our design trades off stator-side power consumption for a reduction in rotor-side power consumption by comparator. Our design trades off stator-side power consumption for a reduction in rotor-side power consumption by
using a narrow-angle IR led and photodiode on the rotor, and wide-angle components at a higher LED current on the using a narrow-angle IR led and photodiode on the rotor, and wide-angle components at a higher LED current on the
@ -848,9 +848,9 @@ are shielded from one another by the motor's body in the center of the PCB.
\subsection{Evaluation} \subsection{Evaluation}
The proof-of-concept hardware worked as intended. Both rotating power and data links performed well. As we expected, the The proof-of-concept hardware worked as intended. Both rotating power and data links performed well. As we expected, the
mechanical design vibrated at higher speeds but despite these unintended vibrations we were able reach speeds in excess mechanical design vibrated at higher speeds but despite these unintended vibrations, we were able to reach speeds in
of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link and the data links excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link and the
continued to function without issue. data links continued to function without issue.
\section{Using MEMS accelerometers for braking detection} \section{Using MEMS accelerometers for braking detection}
\label{sec_accel_meas} \label{sec_accel_meas}
@ -861,8 +861,8 @@ $\SI{55}{\milli\meter}$ from the axis of rotation to the center of the device's
a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$. a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$.
Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually
control this motor controller through an RC servo tester. In our experiments we externally measured the device's speed control this motor controller through an RC servo tester. In our experiments, we externally measured the device's speed
of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using an of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using a
USB logic analyzer at a sample rate of $\SI{100}{\mega\hertz}$. We calculate rotation frequency as a USB logic analyzer at a sample rate of $\SI{100}{\mega\hertz}$. We calculate rotation frequency as a
$\SI{1}{\second}$ running average over interval lengths of the debounced captured signal\footnote{A regular frequency $\SI{1}{\second}$ running average over interval lengths of the debounced captured signal\footnote{A regular frequency
counter or commercial tachometer would have been easier, but neither was available in our limited COVID-19 home office counter or commercial tachometer would have been easier, but neither was available in our limited COVID-19 home office
@ -882,7 +882,7 @@ This allowed us to avoid writing retransmission logic or data interpolation.
Figure~\ref{fig-acc-steps} shows an entire run of the experiment. During this run, we started with the rotor at Figure~\ref{fig-acc-steps} shows an entire run of the experiment. During this run, we started with the rotor at
standstill, then manually increased its speed of rotation in steps. Areas shaded gray are intervals where we manually standstill, then manually increased its speed of rotation in steps. Areas shaded gray are intervals where we manually
adjust the rotors speed. The unshaded areas in between are intervals when the rotor speed is steady. adjust the rotor's speed. The unshaded areas in between are intervals when the rotor speed is steady.
Figure~\ref{fig-acc-stacked} shows a magnified view of these periods of steady rotor speed. In both graphs, orange Figure~\ref{fig-acc-stacked} shows a magnified view of these periods of steady rotor speed. In both graphs, orange
lines indicate centrifugal acceleration as calculated from rotor speed measurements. Visually, we can see that lines indicate centrifugal acceleration as calculated from rotor speed measurements. Visually, we can see that
measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the
@ -915,22 +915,22 @@ the device's specified and actual sensitivity. We correct for both errors by fir
the time series, then fitting a linear function to the measured data. Offset error is this linear function's intercept, the time series, then fitting a linear function to the measured data. Offset error is this linear function's intercept,
and scale error is its slope. We then apply this correction to all captured data before plotting and later analysis. and scale error is its slope. We then apply this correction to all captured data before plotting and later analysis.
Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of
the device's offset remaining. At high speeds of rotation this remaining offset does not have an appreciable impact, but the device's offset remaining. At high speeds of rotation, this remaining offset does not have an appreciable impact,
due to the quadratic nature of centrifugal acceleration at low speeds it causes a large relative error of up to but due to the quadratic nature of centrifugal acceleration, at low speeds it causes a large relative error of up to
$\SI{10}{\percent}$ at $\SI{95}{rpm}$. $\SI{10}{\percent}$ at $\SI{95}{rpm}$.
After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data. After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data.
Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity
since we tested our proof of concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that since we tested our proof of concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that
this harmonic content is a clean intermodulation product of the accelerometers sample rate and the speed of rotation this harmonic content is a clean intermodulation product of the accelerometer's sample rate and the speed of rotation
with no other visible artifacts. with no other visible artifacts.
Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark
blue, and theoretical behavior is shown in orange. From our measurements we can conclude that an accelerometer is a good blue, and theoretical behavior is shown in orange. From our measurements, we can conclude that an accelerometer is a
choice for an IHSM's braking sensor. A simple threshold set according to the sensor's calculated expected centrifugal good choice for an IHSM's braking sensor. A simple threshold set according to the sensor's calculated expected
force should be sufficient to reliably detect manipulation attempts without resulting in false positives. Periodic centrifugal force should be sufficient to reliably detect manipulation attempts without resulting in false positives.
controlled changes in the IHSM's speed of rotation allow offset and scale calibration of the accelerometer on the fly, Periodic controlled changes in the IHSM's speed of rotation allow offset and scale calibration of the accelerometer on
without stopping the rotor. the fly, without stopping the rotor.
\begin{figure} \begin{figure}
\center \center
@ -946,15 +946,16 @@ without stopping the rotor.
\section{Conclusion} \section{Conclusion}
\label{sec_conclusion} \label{sec_conclusion}
In this paper we introduced Inertial Hardware Security Modules (IHSMs), a novel concept for the construction of advanced In this paper, we introduced Inertial Hardware Security Modules (IHSMs), a novel concept for the construction of
hardware security modules from simple components. We analyzed the concept for its security properties and highlighted advanced hardware security modules from simple components. We analyzed the concept for its security properties and
its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design by creating a highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design
proof of concept hardware prototype. In this prototype we have demonstrated practical solutions to the major electronics by creating a proof of concept hardware prototype. In this prototype, we have demonstrated practical solutions to the
design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation. We have used our major electronics design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation.
prototype to perform several experiments to validate the rotary power and data links and the onboard accelerometer. Our We have used our prototype to perform several experiments to validate the rotary power and data links and the onboard
measurements have shown that our proof-of-concept solar cell power link works well and that our simple IR data link accelerometer. Our measurements have shown that our proof-of-concept solar cell power link works well and that our
already is sufficiently reliable for telemetry. Our experiments with an \partnum{AIS1120} automotive MEMS accelerometer simple IR data link already is sufficiently reliable for telemetry. Our experiments with an \partnum{AIS1120} automotive
showed that this part is well-suited for braking detection in the range of rotation speed relevant to the IHSM scenario. MEMS accelerometer showed that this part is well-suited for braking detection in the range of rotation speed relevant to
the IHSM scenario.
Overall, our findings validate the viability of IHSMs as an evolutionary step beyond traditional HSM technology. IHSMs Overall, our findings validate the viability of IHSMs as an evolutionary step beyond traditional HSM technology. IHSMs
offer a high level of security beyond what traditional techniques can offer even when built from simple components. They offer a high level of security beyond what traditional techniques can offer even when built from simple components. They
@ -975,7 +976,7 @@ tamper detection through the measurement of external forces acting on the rotor.
\label{sec_repo} \label{sec_repo}
During our research on this paper, we have created a number of digital design artifacts including a 3D mechanical CAD During our research on this paper, we have created a number of digital design artifacts including a 3D mechanical CAD
model of our prototype IHSM, schematics and PCB layouts for all of its PCBs including the prototype security mesh model of our prototype IHSM, schematics, and PCB layouts for all of its PCBs including the prototype security mesh
monitor PCB as well as firmware and data analysis scripts for the experiments we ran on the prototype IHSM. All of these monitor PCB as well as firmware and data analysis scripts for the experiments we ran on the prototype IHSM. All of these
digital artifacts as well as the sources to this paper are included in the git repository linked below. digital artifacts as well as the sources to this paper are included in the git repository linked below.