Include spelling fixes from grammarly
This commit is contained in:
jaseg
parent
5f041bb0ce
commit
f05b3ffe87
1 changed files with 98 additions and 97 deletions
|
|
@ -1,4 +1,4 @@
|
|||
\documentclass[nohyperref,submission]{iacrtrans}
|
||||
\documentclass[nohyperref]{iacrtrans}
|
||||
\usepackage[T1]{fontenc}
|
||||
\usepackage[
|
||||
backend=biber,
|
||||
|
|
@ -53,8 +53,8 @@
|
|||
reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any
|
||||
manipulations by rotating the security mesh or sensor at high speed---thereby presenting a moving target to an
|
||||
attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes.
|
||||
Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet
|
||||
offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware
|
||||
Our approach leads to an HSM that can easily be built from off-the-shelf parts by any university electronics lab,
|
||||
yet offers a level of security that is comparable to commercial HSMs. We have built a proof of concept hardware
|
||||
prototype that demonstrates solutions to the concept's main engineering challenges. As part of this proof of
|
||||
concept, we have found that a system using a coarse security mesh made from commercial printed circuit boards and an
|
||||
automotive high g-force accelerometer already provides a useful level of security.
|
||||
|
|
@ -62,7 +62,7 @@
|
|||
|
||||
\section{Introduction}
|
||||
|
||||
While information security technology has matured a great deal in the last half century, physical security did not keep
|
||||
While information security technology has matured a great deal in the last half-century, physical security did not keep
|
||||
up with the pace of the remainder of this industry. Given the right skills, physical access to a computer still often
|
||||
allows full compromise. The physical security of modern server hardware hinges on what lock you put on the room it is
|
||||
in.
|
||||
|
|
@ -75,12 +75,12 @@ co-processors such as trusted platform modules (TPMs) or hardware security modul
|
|||
trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured
|
||||
TPM~\cite{newman2020,frazelle2019,johnson2018}.
|
||||
Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure
|
||||
them against tampering is a good engineering solution for some years to come. However, in essence this is a type of
|
||||
them against tampering is a good engineering solution for some years to come. However, in essence, this is a type of
|
||||
security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern
|
||||
ICs~\cite{albartus2020,anderson2020}.
|
||||
|
||||
In contrast to TPMs and Smartcards, HSMs rely on an active security barrier usually consisting of a fragile foil with
|
||||
conductive traces. These traces are much larger scale than a smart card IC's microscopic structures, and instead are
|
||||
conductive traces. These traces are much larger scale than a smart card IC's microscopic structures and instead are
|
||||
designed to be very hard to remove intact. While we are certain that there still are many insights to be gained in both
|
||||
technologies, we wish to introduce a novel approach to sidestep the manufacturing issues of both and provide radically
|
||||
better security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made
|
||||
|
|
@ -88,7 +88,7 @@ much more difficult to attack by moving it very quickly.
|
|||
|
||||
For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set
|
||||
by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue,
|
||||
solder and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual
|
||||
solder, and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual
|
||||
defenses, this modified HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high
|
||||
speed. How would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the
|
||||
accelerometer's monitoring circuit---or they would have to attack the HSM in motion. The HSM literally becomes a moving
|
||||
|
|
@ -99,12 +99,12 @@ use an ``attack robot''.
|
|||
|
||||
This paper contains the following contributions:
|
||||
\begin{enumerate}
|
||||
\item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost effective, small scale production of
|
||||
\item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective, small-scale production of
|
||||
highly secure HSMs.
|
||||
\item We discuss possible tamper sensors for inertial HSMs.
|
||||
\item We explore the design space of our inertial HSM concept.
|
||||
\item We present our work on a prototype inertial HSM (Figure~\ref{prototype_picture}).
|
||||
\item We present an analysis on the viability of using commodity MEMS accelerometers as braking sensors.
|
||||
\item We present an analysis of the viability of using commodity MEMS accelerometers as braking sensors.
|
||||
% FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack.
|
||||
\end{enumerate}
|
||||
|
||||
|
|
@ -140,16 +140,16 @@ anderson2020}. There has been some research on monitoring the HSM's interior us
|
|||
radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this research has found
|
||||
widespread adoption yet.
|
||||
|
||||
HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper evident devices. The difference is that a
|
||||
HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper-evident devices. The difference is that an
|
||||
HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine
|
||||
it. This examination can be by eye in the field, but it can also be carried out in a laboratory using complex equipment.
|
||||
An HSM in principle has to have this examination equipment built-in.
|
||||
it. This examination can be done by eye in the field, but it can also be carried out in a laboratory using complex
|
||||
equipment. An HSM in principle has to have this examination equipment built-in.
|
||||
|
||||
Physical seals are used in a wide variety of applications, but the most interesting ones from a research point of view
|
||||
that are recorded in public literature are those used in monitoring of nuclear material under the International Atomic
|
||||
that are recorded in public literature are those used for monitoring of nuclear material under the International Atomic
|
||||
Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically
|
||||
Unclonable Functions (PUFs), though their development predates that of PUFs by several decades. The seal is created in a
|
||||
way that intentionally causes large, random device to device variations. These variations are precisely recorded at
|
||||
way that intentionally causes large, random device-to-device variations. These variations are precisely recorded at
|
||||
deployment. At the end of the seal's lifetime, the seal is returned from the field to the lab and closely examined to
|
||||
check for any deviations from the seal's prior recorded state. The type of variation used in these seals includes random
|
||||
scratches in metal parts and random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the
|
||||
|
|
@ -161,20 +161,20 @@ reading, similar to an HSM. They are constructed from two components: A cable th
|
|||
monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil such as it is used in
|
||||
commercial HSMs.
|
||||
|
||||
In~\cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example HSM that he cites is
|
||||
the IBM 4758, the details of which are laid out in depth in~\cite{smith1998}. This HSM is an example of an
|
||||
In~\cite{anderson2020}, Anderson gives a comprehensive overview of physical security. An example HSM that he cites is
|
||||
the IBM 4758, the details of which are laid out in-depth in~\cite{smith1998}. This HSM is an example of an
|
||||
industry-standard construction. Although its turn of the century design is now a bit dated, the construction techniques
|
||||
of the physical security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature
|
||||
and radiation sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the
|
||||
common construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state
|
||||
that the module monitors this mesh for short circuits, open circuits and conductivity. Other commercial offerings use a
|
||||
that the module monitors this mesh for short circuits, open circuits, and conductivity. Other commercial offerings use a
|
||||
fundamentally similar approach to tamper detection~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
|
||||
|
||||
Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an
|
||||
HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to
|
||||
traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example).
|
||||
Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in
|
||||
covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A
|
||||
area covered and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A
|
||||
core component of their design is that they propose its use as a PUF to allow for protection even when powered off,
|
||||
similar to a smart card---but the design is not limited to this use.
|
||||
|
||||
|
|
@ -197,12 +197,12 @@ properties of a potting compound that has been loaded with RF-reflective grains.
|
|||
characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains
|
||||
within the potting compound.
|
||||
|
||||
To the best of our knowledge, we are the the first to propose a mechanically moving HSM security barrier as part of a
|
||||
To the best of our knowledge, we are the first to propose a mechanically moving HSM security barrier as part of a
|
||||
hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security
|
||||
barriers for HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture
|
||||
these security barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap
|
||||
low performance security barrier and transforming it into a marginally more expensive but high performance one. The
|
||||
closest to a mechanical HSM that we were able to find during our research is an 1988 patent~\cite{rahman1988} that
|
||||
low-performance security barrier and transforming it into a marginally more expensive but high-performance one. The
|
||||
closest to a mechanical HSM that we were able to find during our research is a 1988 patent~\cite{rahman1988} that
|
||||
describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled
|
||||
with pressurized gas.
|
||||
|
||||
|
|
@ -231,12 +231,12 @@ of the practical implications that these aspects of IHSM construction have on IH
|
|||
First, there are several ways how we can approach motion. Periodic, aperiodic and continuous motion could serve the
|
||||
purpose. There is also linear motion as well as rotation. We can also vary the degree of electronic control in this
|
||||
motion. The main constraints we have on the HSM's motion pattern are that it needs to be (almost) continuous so as to
|
||||
not expose any weak spots during instantaneous standstill of the HSM. Additionally, for space efficiency the HSM has to
|
||||
not expose any weak spots during instantaneous standstill of the HSM. Additionally, for space efficiency, the HSM has to
|
||||
stay within a confined space. This means that linear motion would have to be periodic, like that of a pendulum. Such
|
||||
periodic linear motion will have to quickly reverse direction at its apex so the device is not stationary long enough
|
||||
for this to become a weak spot.
|
||||
|
||||
In contrast to linear motion, rotation is space efficient and can be continuous if the axis of rotation is inside the
|
||||
In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the
|
||||
device. In case it has a fixed axis, rotation will expose a weak spot at the axis of rotation where the surface's
|
||||
tangential velocity is low. Faster rotation can lessen the security impact of this fact at the expense of power
|
||||
consumption and mechanical stress, but it can never eliminate it. This effect can be alleviated in two ways: Either by
|
||||
|
|
@ -247,10 +247,10 @@ Large centrifugal acceleration at high speeds poses the engineering challenge of
|
|||
disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device in what we
|
||||
call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow the motion
|
||||
would have to rotate around the same axis. By choosing a suitable rotation frequency we can prevent an attacker from
|
||||
following the devices motion since doing so would subject them to impractically large centrifugal forces. Essentially,
|
||||
this limits the approximate maximum size and mass of an attacker under the an assumption on tolerable centrifugal force.
|
||||
following the device's motion since doing so would subject them to impractically large centrifugal forces. Essentially,
|
||||
this limits the approximate maximum size and mass of an attacker under an assumption on tolerable centrifugal force.
|
||||
|
||||
In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we focus on systems
|
||||
In this paper, we focus on rotating IHSMs for simplicity of construction. For our initial research, we focus on systems
|
||||
with a fixed axis of rotation due to their simple construction but we do wish to note the challenge of hardening the
|
||||
shaft against tampering that any production device would have to tackle.
|
||||
|
||||
|
|
@ -259,7 +259,7 @@ shaft against tampering that any production device would have to tackle.
|
|||
Once we have decided how our IHSM's security barrier should move, what remains is the actual implementation
|
||||
of that security barrier. There are two movements that we have observed that are key to our work. On the one hand, there
|
||||
is the widespread industry use of delicate tamper sensing mesh membranes. The usage of such membranes in systems
|
||||
deployed in the field for a variety of use cases from low security payment processing devices to high security
|
||||
deployed in the field for a variety of use cases from low-security payment processing devices to high-security
|
||||
certificate management at a minimum tells us that a properly implemented mesh \emph{can} provide a practical level of
|
||||
security. On the other hand, in contrast to this industry focus, academic research has largely focused on ways to
|
||||
fabricate enclosures that embed characteristics of a Physically Unclonable Function. By using stochastic properties of
|
||||
|
|
@ -270,10 +270,10 @@ In our research, we focus on security meshes as our IHSM's tamper sensors. Most
|
|||
implementations lies in the advanced manufacturing techniques and special materials necessary to achieve a sensitive
|
||||
mesh at fine structure sizes. The foundation of an IHSM security is that by moving the mesh even a primitive, coarse
|
||||
mesh made e.g.\ from mesh traces on a PCB becomes very hard to attack in practice. This allows us to use a simple
|
||||
construction made up from low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself
|
||||
and its monitoring circuit and keep the payload inside the mesh stationary. Tamper sensing technologies that use the
|
||||
entire volume of the HSM such as RF-based systems do not allow for this degree of freedom in their design: They would
|
||||
require the entire IHSM to spin, including its payload, which would entail costly and complex systems for data and power
|
||||
construction made up of low-cost components. Additionally, the use of a mesh allows us to only spin the mesh itself and
|
||||
its monitoring circuit and keep the payload inside the mesh stationary. Tamper sensing technologies that use the entire
|
||||
volume of the HSM such as RF-based systems do not allow for this degree of freedom in their design: They would require
|
||||
the entire IHSM to spin, including its payload, which would entail costly and complex systems for data and power
|
||||
transfer from the outside to the payload.
|
||||
|
||||
\subsection{Braking detection}
|
||||
|
|
@ -288,8 +288,8 @@ While the obvious choice to monitor rotation would be a tachometer such as a mag
|
|||
IHSM's shaft, this would be a poor choice for our purposes. Both optical and magnetic sensors are susceptible to
|
||||
contact-less interference from outside. A different option would be to use feedback from the motor driver electronics.
|
||||
When using a BLDC motor, the driver electronics precisely know the rotor's position at all times. The issue with this
|
||||
approach is that depending on construction, it might invite attacks at the mechanical interface between mesh and the
|
||||
motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation or electrical
|
||||
approach is that depending on construction, it might invite attacks at the mechanical interface between the mesh and the
|
||||
motor's shaft. If an attacker can decouple the mesh from the motor e.g.\ by drilling, laser ablation, or electrical
|
||||
discharge machining (EDM) on the motor's shaft, the motor could keep spinning at its nominal frequency while the mesh is
|
||||
already standing still.
|
||||
|
||||
|
|
@ -328,7 +328,7 @@ accelerometer for braking detection in our prototype IHSM.
|
|||
|
||||
With our IHSM's components taken care of, what remains to be decided is how to put together these individual components
|
||||
into a complete device. A basic spinning HSM might look as shown in Figure~\ref{fig_schema_one_axis}. Visible are the
|
||||
axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload and the
|
||||
axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload, and the
|
||||
area covered by the rotating tamper detection mesh. A key observation is that we only have to move the tamper
|
||||
protection mesh, not the entire contents of the HSM. The HSM's payload and with it most of the HSM's mass can be
|
||||
stationary. This reduces the moment of inertia of the moving part. This basic schema accepts a weak spot at the point
|
||||
|
|
@ -347,7 +347,7 @@ The spinning mesh must be designed to cover the entire surface of the payload, b
|
|||
part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside air
|
||||
to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious
|
||||
issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be
|
||||
solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used
|
||||
solved with complex and costly siphon-style constructions, so in commercial systems, heat conduction is used
|
||||
exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power.
|
||||
Using longitudinal gaps in the mesh, our setup allows direct air cooling of regular heatsinks. This unlocks much more
|
||||
powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an
|
||||
|
|
@ -358,7 +358,7 @@ structural material. The security mesh has to fit the highest components inside
|
|||
with a non-flat surface is difficult, this means there is an inevitable gap of a few millimeters between the surface of
|
||||
the payload CPU and the interior surface of the mesh. This distance is added to several millimeters of epoxy resin that
|
||||
the mesh must be embedded inside for it to be hard to remove intact. Overall, this leads to a structure approximately a
|
||||
centimeter thick that includes several millimeters epoxy resin with particularly poor thermal
|
||||
centimeter thick that includes several millimeters of epoxy resin with particularly poor thermal
|
||||
conductivity~\cite{obermaier2019}. Even if ``thermally conductive'' resins would be used, thermal conductivity is
|
||||
limited to a fraction of what can be achieved with a heatsink directly attached to the CPU. A modern high-end CPU
|
||||
heatsink with its fan running has a thermal resistance from CPU junction to air of around
|
||||
|
|
@ -381,9 +381,9 @@ to two orders of magnitude in computing power to be feasible in an IHSM compared
|
|||
\subsection{Long-term Operation}
|
||||
|
||||
Without settling on a particular design for an IHSM yet, from the previous sections we have already gained an
|
||||
understanding of what an IHSM would look like in practice. In the following paragraphs we will draw some conclusions on
|
||||
understanding of what an IHSM would look like in practice. In the following paragraphs, we will draw some conclusions on
|
||||
how its design will affect the day-to-day operation of an IHSM.
|
||||
Like other HSMs, in a practical application an IHSM may have to run continuously for a decade or even longer. As with
|
||||
Like other HSMs, in a practical application, an IHSM may have to run continuously for a decade or even longer. As with
|
||||
any networked system, a setup including IHSMs must be designed in a way that prevents the failure of one or several
|
||||
IHSMs on the network from compromising the whole system's security or reliability. Neither IHSMs nor traditional HSMs
|
||||
can withstand fire or flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and
|
||||
|
|
@ -391,19 +391,19 @@ erasure of data cannot~\cite{heise2021ovh}. Traditionally, this problem is solve
|
|||
geographically redundant HSMs~\cite{thales2015hsmha}. On IHSMs this task is aided on the software layer since they are
|
||||
based on general-purpose computer hardware and allow for state-of-the-art database replication techniques to be applied
|
||||
without first porting them to an embedded operating system or foreign CPU architecture. A practical example of this
|
||||
approach is a 2019 technology demonstration~\cite{signal2019} created by the signal.org, the organization running the
|
||||
signal secure messenger app. In this demonstration, signal.org have implemented the Raft consensus
|
||||
algorithm~\cite{ongaro2019} inside Intel SGX to replicate state between geographically redundant enclaves.
|
||||
approach is a 2019 technology demonstration~\cite{signal2019} created by signal.org, the organization running the signal
|
||||
secure messenger app. In this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019}
|
||||
inside Intel SGX to replicate state between geographically redundant enclaves.
|
||||
|
||||
Excluding natural disasters there are three main categories of challenges to an IHSM's longevity: Failure of components
|
||||
of the IHSM due to age and wear, failure of the external power supply and spurious triggering of the intrusion alarm by
|
||||
changes in the IHSM's environment. In the following paragraphs we will evaluate each of these categories in its
|
||||
Excluding natural disasters, there are three main categories of challenges to an IHSM's longevity: Failure of components
|
||||
of the IHSM due to age and wear, failure of the external power supply, and spurious triggering of the intrusion alarm by
|
||||
changes in the IHSM's environment. In the following paragraphs, we will evaluate each of these categories in its
|
||||
practical impact.
|
||||
|
||||
\paragraph{Component failure.}
|
||||
The failure mode of an IHSM's components is the same as in any other computer system and the same generic mitigation
|
||||
techniques apply. The expected lifetime of electronic components can be increased by using higher-spec components and by
|
||||
reducing thermal, mechanical and electrical stress. To reduce vibration stress on both rotor and stator, the rotor must
|
||||
reducing thermal, mechanical, and electrical stress. To reduce vibration stress on both rotor and stator, the rotor must
|
||||
be balanced. The main mechanical failure mode of an IHSM's is likely to be failure of the shaft bearings. By
|
||||
incorporating knowledge from other rotating devices that have a long lifetime such as cooling fans, this failure mode
|
||||
can be mitigated. Another noteworthy mechanical failure mode of an IHSM is dust buildup on the optical components of the
|
||||
|
|
@ -417,7 +417,7 @@ considered is power loss. Traditional HSMs solve the need for an always-on backu
|
|||
batteries. The low static power consumption of a traditional HSM's simple tamper detection circuitry allows for the use
|
||||
of non-replaceable backup batteries. An IHSM in contrast would likely require a rechargeable backup battery since its
|
||||
motor requires more power than the mesh monitoring circuit of a traditional HSM. In principle, a conventional
|
||||
Uninterruptible Power Supply (UPS) can be used, but in practice a productized IHSM might have a smaller backup battery
|
||||
Uninterruptible Power Supply (UPS) can be used, but in practice, a productized IHSM might have a smaller backup battery
|
||||
integrated into its case. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ for an
|
||||
IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power
|
||||
an IHSM for 10 hours continuously. $\SI{10}{\watt}$ is a reasonable high estimate given that there are large industrial
|
||||
|
|
@ -443,7 +443,7 @@ is proportional to the square of its amplitude when fixing frequency and the cub
|
|||
amplitude. This means that to reach a certain instantaneous acceleration, much more power is needed in a high-frequency
|
||||
vibrating motion compared to lower frequencies. This observation interacts with our other point that, second, an ideal
|
||||
vibration damper works better with higher frequencies, and has a lower bound below which it does no longer damp
|
||||
vibration transmission~\cite{kelly1993,beards1996,dixon2007}. From these two observations it follows that if we wish to
|
||||
vibration transmission~\cite{kelly1993,beards1996,dixon2007}. From these two observations, it follows that if we wish to
|
||||
reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal efficiently by damping
|
||||
high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations large
|
||||
enough to cause a false alarm.
|
||||
|
|
@ -459,7 +459,7 @@ $\SI{0.3}{g}$. As they happen across a large geographic area, an earthquake's lo
|
|||
tremendous amount of mechanical power despite their at first glance low absolute acceleration. However, we can ignore
|
||||
them for the purposes of our tamper detection system.
|
||||
|
||||
From these comparisons we can conclude that an IHSM's tamper detection subsystem will be able to clearly distinguish
|
||||
From these comparisons, we can conclude that an IHSM's tamper detection subsystem will be able to clearly distinguish
|
||||
attempts to stop the IHSM's rotation. Any external acceleration that would come close in order of magnitude to the
|
||||
operating centrifugal acceleration at the periphery of an IHSM's rotor would likely destroy the IHSM.
|
||||
|
||||
|
|
@ -486,17 +486,17 @@ manufacturer after the IHSM has been installed.
|
|||
\label{sec_attacks}
|
||||
|
||||
After outlining the basic mechanical design of an inertial HSM as well as the fundamentals of its long-term operation
|
||||
above, in this section we will detail possible ways to attack it. At the core of an IHSM's defenses is the same security
|
||||
mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to perform
|
||||
the same steps they would have to perform to attack a traditional HSM. However, they will either need to perform these
|
||||
attack steps with a tool that follows the HSM's rotation at high speed or they will first need to defeat the braking
|
||||
sensor. Attacking the IHSM in motion requires specialized mechanical tools such as CNC actuators or for contactless
|
||||
attack a laser.
|
||||
above, in this section, we will detail possible ways to attack it. At the core of an IHSM's defenses is the same
|
||||
security mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to
|
||||
perform the same steps they would have to perform to attack a traditional HSM. However, they will either need to
|
||||
perform these attack steps with a tool that follows the HSM's rotation at high speed or they will first need to defeat
|
||||
the braking sensor. Attacking the IHSM in motion requires specialized mechanical tools such as CNC actuators or for
|
||||
contactless attack a laser.
|
||||
|
||||
\subsection{Attacks that don't work}
|
||||
|
||||
In the sections below, we will go into detail on such attacks on IHSMs. To put these attack approaches into perspective,
|
||||
we will start with a brief overview on attacks on conventional HSMs that the IHSM is defended against.
|
||||
we will start with a brief overview of attacks on conventional HSMs that the IHSM is defended against.
|
||||
%FIXME \paragraph{...}
|
||||
|
||||
In principle, there are three ways to attack a conventional HSM. The hard way is to find a way to go through the
|
||||
|
|
@ -512,7 +512,7 @@ $\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdo
|
|||
Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding
|
||||
temperature stability of the mesh material.
|
||||
|
||||
The second way to attack a HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between
|
||||
The second way to attack an HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between
|
||||
two halves of an enclosure~\cite{obermaier2019}. This design is vulnerable to attempts to stick a fine needle through
|
||||
the interface between lid and PCB~\cite{dexter2015}. Conventional HSMs mitigate this weak spot by wrapping a patterned
|
||||
conductive foil around the HSM that forms the security mesh, leaving only the corners and the payload's power and data
|
||||
|
|
@ -541,7 +541,7 @@ IHSMs do not provide an inherent benefit against such contactless attacks. Howev
|
|||
play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using
|
||||
simpler technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and are less
|
||||
space-constrained. This larger volume allows for a greater physical distance between security-critical components and
|
||||
places accessible to an attacker using an electromagnetic probe for EM side channel attacks. By allowing the use of
|
||||
places accessible to an attacker using an electromagnetic probe for EM sidechannel attacks. By allowing the use of
|
||||
conventional server hardware, IHSMs additionally enable the use of modern security techniques such as MMUs and
|
||||
well-audited open source software such as OpenSSL both of which may not be available on the smaller embedded processors
|
||||
found in conventional HSMs.
|
||||
|
|
@ -558,9 +558,9 @@ shortest axis, resulting in a minimum radius from axis of rotation to surface of
|
|||
Wikipedia lists horizontal g forces in the order of $\SI{20}{g}$ as the upper end of the range tolerable by humans for a
|
||||
duration of seconds or above. We thus set our target acceleration to
|
||||
$\SI{100}{g}\;\approx\;\SI{1000}{\meter\per\second^2}$, a safety factor of $5$ past that range. Centrifugal
|
||||
acceleration is $a=\omega^2 r$. In our example this results in a minimum angular velocity of $f_\text{min} =
|
||||
acceleration is $a=\omega^2 r$. In our example, this results in a minimum angular velocity of $f_\text{min} =
|
||||
\frac{1}{2\pi}\sqrt{\frac{a}{r}} = \frac{1}{2\pi}\sqrt{\frac{\SI{1000}{\meter\per\second^2}}{\SI{100}{\milli\meter}}}
|
||||
\approx \SI{16}{\hertz} \approx \SI{1000}{rpm}$. From this we can conclude that even at moderate speeds of
|
||||
\approx \SI{16}{\hertz} \approx \SI{1000}{rpm}$. From this, we can conclude that even at moderate speeds of
|
||||
$\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some
|
||||
kind of mechanical tool.
|
||||
|
||||
|
|
@ -569,7 +569,7 @@ kind of mechanical tool.
|
|||
\includegraphics[width=6cm]{attack-robot.pdf}
|
||||
\caption{Schematic overview of a robotic rotating-stage attack. An optical sensor (1) observes the IHSM's rotation
|
||||
and adjusts the setpoint of a servo motor (2) that rotates the attack stage (3). On the rotating attack stage, a
|
||||
remote controlled manipulator (4) is mounted that deactivates the security mesh (7) and creates an opening (5).
|
||||
remote-controlled manipulator (4) is mounted that deactivates the security mesh (7) and creates an opening (5).
|
||||
Through this opening, a human operator can then insert tools such as probes to read out sensitive information from
|
||||
the actual payload (6).}
|
||||
\label{fig_attack_robot}
|
||||
|
|
@ -608,7 +608,7 @@ does, however, have a weak spot along its axis of rotation, at the point where t
|
|||
tangential velocity decreases close to the shaft, and the shaft itself may allow an attacker to insert tools such as
|
||||
probes into the device through the opening it creates. This issue is related to the issue conventional HSMs also face
|
||||
with their power and data connections. In conventional HSMs, power and data are routed into the enclosure through the
|
||||
PCB or flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. In conventional HSMs this
|
||||
PCB or flat flex cables sandwiched in between security mesh foil layers~\cite{smith1998}. In conventional HSMs, this
|
||||
interface rarely is a mechanical weak spot since they use a thin mesh substrate and create a meandering path by folding
|
||||
the interconnect substrate/security mesh layers several times. In inertial HSMs, careful engineering is necessary to
|
||||
achieve the same effect. Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity.
|
||||
|
|
@ -647,7 +647,7 @@ its traces. The other option is to tamper with the monitoring circuit to prevent
|
|||
alarm~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e.\ they require electrical contact to
|
||||
parts of the circuit. Traditionally, this contact is made by soldering a wire or by placing a probe such as a thin
|
||||
needle. We consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack
|
||||
avenues may be to rotate an attack tool in sync with the mesh, or to use a laser or ion beam fired at the mesh to cut
|
||||
avenues may be to rotate an attack tool in sync with the mesh or to use a laser or ion beam fired at the mesh to cut
|
||||
traces or carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting
|
||||
compound and shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the
|
||||
complexity of such attacks.
|
||||
|
|
@ -659,9 +659,9 @@ to falsify the rotor's MEMS accelerometer measurements. We can disregard electro
|
|||
monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be
|
||||
physical attacks of the accelerometer's sensing mechanism.
|
||||
MEMS accelerometers usually use a cantilever design in which a proof mass moves a cantilever whose precise position is
|
||||
measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these
|
||||
mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings.
|
||||
A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the
|
||||
measured electronically. A topic of recent academic interest has been acoustic attacks tampering with these
|
||||
mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings. A
|
||||
possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the
|
||||
device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the
|
||||
mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the
|
||||
security envelope and by varying the rate of rotation over time.
|
||||
|
|
@ -669,11 +669,11 @@ security envelope and by varying the rate of rotation over time.
|
|||
\subsection{Attacks on the alarm circuit}
|
||||
|
||||
Besides trying to deactivate the tamper detection mesh, an electronic attack could also target the alarm circuitry
|
||||
inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a
|
||||
inside the stationary payload or the communication link between rotor and payload. The link can be secured using a
|
||||
cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat
|
||||
message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope.
|
||||
Like in conventional HSMs, it has to be built to either tolerate or detect environmental attacks using sensors for
|
||||
temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration and gases or
|
||||
temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration, and gases or
|
||||
liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured.
|
||||
To prevent replay attacks link latency must continuously be measured, so this link must be bidirectional.
|
||||
% If it were unidirectional, an attacker could
|
||||
|
|
@ -695,7 +695,7 @@ the payload is reliably destroyed before the tamper response circuitry.
|
|||
\label{sec_proto}
|
||||
|
||||
As we elaborated above, the mechanical component of an IHSM significantly increases the complexity of any attack even
|
||||
when implemented using only common, off-the-shelf parts. In view of this amplification of design security we have
|
||||
when implemented using only common, off-the-shelf parts. In view of this amplification of design security, we have
|
||||
decided to validate our theoretical studies by implementing a proof of concept prototype IHSM
|
||||
(Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof of concept prototype
|
||||
were:
|
||||
|
|
@ -773,10 +773,10 @@ connectivity to the stator. To design the power link, we first need to estimate
|
|||
consumption. We base our calculation on the (conservative) assumption that the spinning mesh sensor should send its
|
||||
tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At
|
||||
$\SI{100}{\kilo\baud}$, a transmission of a one-byte message in standard UART framing would take
|
||||
$\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that
|
||||
$\SI{100}{\micro\second}$ and yield a $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that
|
||||
requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of
|
||||
$\SI{100}{\micro\ampere}$. This value is comparable to a reasonable estimation of the current consumption of the
|
||||
monitoring circuit itself. In our prototype we used ST Microelectronics STM32 Series ARM Cortex-M microcontrollers. To
|
||||
monitoring circuit itself. In our prototype, we used ST Microelectronics STM32 Series ARM Cortex-M microcontrollers. To
|
||||
get an estimate on the current consumption of an energy-optimized design we will refer to the datasheet of the
|
||||
\partnum{STM32L486JG}\footnote{\url{https://www.st.com/resource/en/datasheet/stm32l486jg.pdf}}, a representative member
|
||||
of ST's \partnum{STM32L4} low-power sub-family that provides hardware acceleration for AES256. A good target for an
|
||||
|
|
@ -784,7 +784,7 @@ implementation of a secure cryptographic channel on this device would be the noi
|
|||
While the initial handshake for key establishment uses elliptic-curve cryptography and may take several hundred
|
||||
milliseconds~\cite{tschofenig2015}, the following payload data transfer messages require only symmetric cryptographic
|
||||
primitives. The \partnum{STM32L486JG} datasheet lists the microcontroller's typical operating current at around
|
||||
$\SI{8}{\milli\ampere}$ at $\SI{48}{\mega\hertz}$ clock speed, and lists a sleep current of less than
|
||||
$\SI{8}{\milli\ampere}$ at $\SI{48}{\mega\hertz}$ clock speed and lists a sleep current of less than
|
||||
$\SI{1}{\micro\ampere}$ in low-power standby mode with RTC enabled. The AES peripheral is listed with less than
|
||||
$\SI{2}{\micro\ampere\per\mega\hertz}$ typical current consumption. A typical high-$g$ accelerometer for an IHSM
|
||||
application would be ST Microelectronics' \partnum{H3LIS331DL}. Its
|
||||
|
|
@ -799,7 +799,7 @@ we arrive at an energy consumption of $\SI{1.7}{\ampere\hour}$ per year.
|
|||
|
||||
This annual energy consumption is close to the capacity of a single CR123A lithium primary cell. By either using several
|
||||
such cells or by optimizing power consumption, several years of battery life could easily be reached. In our proof of
|
||||
concept prototype we decided against using a battery to reduce rotor mass and avoid balancing issues.
|
||||
concept prototype, we decided against using a battery to reduce rotor mass and avoid balancing issues.
|
||||
|
||||
We also decided against mechanically complex solutions such as slip rings or electronically complex ones such as
|
||||
inductive power transfer. Instead, we chose a simple setup consisting of a stationary lamp pointing at several solar
|
||||
|
|
@ -817,7 +817,7 @@ Besides power transfer from stator to rotor, we need a reliable, bidirectional d
|
|||
low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a
|
||||
quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a
|
||||
transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into an
|
||||
\partnum{MCP6494} general purpose opamp configured as an $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in
|
||||
\partnum{MCP6494} general purpose opamp configured as a $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in
|
||||
Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time before being squared up by a
|
||||
comparator. Our design trades off stator-side power consumption for a reduction in rotor-side power consumption by
|
||||
using a narrow-angle IR led and photodiode on the rotor, and wide-angle components at a higher LED current on the
|
||||
|
|
@ -848,9 +848,9 @@ are shielded from one another by the motor's body in the center of the PCB.
|
|||
\subsection{Evaluation}
|
||||
|
||||
The proof-of-concept hardware worked as intended. Both rotating power and data links performed well. As we expected, the
|
||||
mechanical design vibrated at higher speeds but despite these unintended vibrations we were able reach speeds in excess
|
||||
of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link and the data links
|
||||
continued to function without issue.
|
||||
mechanical design vibrated at higher speeds but despite these unintended vibrations, we were able to reach speeds in
|
||||
excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link and the
|
||||
data links continued to function without issue.
|
||||
|
||||
\section{Using MEMS accelerometers for braking detection}
|
||||
\label{sec_accel_meas}
|
||||
|
|
@ -861,8 +861,8 @@ $\SI{55}{\milli\meter}$ from the axis of rotation to the center of the device's
|
|||
a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$.
|
||||
|
||||
Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually
|
||||
control this motor controller through an RC servo tester. In our experiments we externally measured the device's speed
|
||||
of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using an
|
||||
control this motor controller through an RC servo tester. In our experiments, we externally measured the device's speed
|
||||
of rotation using a magnet fixed to the rotor and a reed switch held close. The reed switch output is digitized using a
|
||||
USB logic analyzer at a sample rate of $\SI{100}{\mega\hertz}$. We calculate rotation frequency as a
|
||||
$\SI{1}{\second}$ running average over interval lengths of the debounced captured signal\footnote{A regular frequency
|
||||
counter or commercial tachometer would have been easier, but neither was available in our limited COVID-19 home office
|
||||
|
|
@ -882,7 +882,7 @@ This allowed us to avoid writing retransmission logic or data interpolation.
|
|||
|
||||
Figure~\ref{fig-acc-steps} shows an entire run of the experiment. During this run, we started with the rotor at
|
||||
standstill, then manually increased its speed of rotation in steps. Areas shaded gray are intervals where we manually
|
||||
adjust the rotors speed. The unshaded areas in between are intervals when the rotor speed is steady.
|
||||
adjust the rotor's speed. The unshaded areas in between are intervals when the rotor speed is steady.
|
||||
Figure~\ref{fig-acc-stacked} shows a magnified view of these periods of steady rotor speed. In both graphs, orange
|
||||
lines indicate centrifugal acceleration as calculated from rotor speed measurements. Visually, we can see that
|
||||
measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the
|
||||
|
|
@ -915,22 +915,22 @@ the device's specified and actual sensitivity. We correct for both errors by fir
|
|||
the time series, then fitting a linear function to the measured data. Offset error is this linear function's intercept,
|
||||
and scale error is its slope. We then apply this correction to all captured data before plotting and later analysis.
|
||||
Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of
|
||||
the device's offset remaining. At high speeds of rotation this remaining offset does not have an appreciable impact, but
|
||||
due to the quadratic nature of centrifugal acceleration at low speeds it causes a large relative error of up to
|
||||
the device's offset remaining. At high speeds of rotation, this remaining offset does not have an appreciable impact,
|
||||
but due to the quadratic nature of centrifugal acceleration, at low speeds it causes a large relative error of up to
|
||||
$\SI{10}{\percent}$ at $\SI{95}{rpm}$.
|
||||
|
||||
After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data.
|
||||
Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity
|
||||
since we tested our proof of concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that
|
||||
this harmonic content is a clean intermodulation product of the accelerometers sample rate and the speed of rotation
|
||||
this harmonic content is a clean intermodulation product of the accelerometer's sample rate and the speed of rotation
|
||||
with no other visible artifacts.
|
||||
|
||||
Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark
|
||||
blue, and theoretical behavior is shown in orange. From our measurements we can conclude that an accelerometer is a good
|
||||
choice for an IHSM's braking sensor. A simple threshold set according to the sensor's calculated expected centrifugal
|
||||
force should be sufficient to reliably detect manipulation attempts without resulting in false positives. Periodic
|
||||
controlled changes in the IHSM's speed of rotation allow offset and scale calibration of the accelerometer on the fly,
|
||||
without stopping the rotor.
|
||||
blue, and theoretical behavior is shown in orange. From our measurements, we can conclude that an accelerometer is a
|
||||
good choice for an IHSM's braking sensor. A simple threshold set according to the sensor's calculated expected
|
||||
centrifugal force should be sufficient to reliably detect manipulation attempts without resulting in false positives.
|
||||
Periodic controlled changes in the IHSM's speed of rotation allow offset and scale calibration of the accelerometer on
|
||||
the fly, without stopping the rotor.
|
||||
|
||||
\begin{figure}
|
||||
\center
|
||||
|
|
@ -946,15 +946,16 @@ without stopping the rotor.
|
|||
\section{Conclusion}
|
||||
\label{sec_conclusion}
|
||||
|
||||
In this paper we introduced Inertial Hardware Security Modules (IHSMs), a novel concept for the construction of advanced
|
||||
hardware security modules from simple components. We analyzed the concept for its security properties and highlighted
|
||||
its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design by creating a
|
||||
proof of concept hardware prototype. In this prototype we have demonstrated practical solutions to the major electronics
|
||||
design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation. We have used our
|
||||
prototype to perform several experiments to validate the rotary power and data links and the onboard accelerometer. Our
|
||||
measurements have shown that our proof-of-concept solar cell power link works well and that our simple IR data link
|
||||
already is sufficiently reliable for telemetry. Our experiments with an \partnum{AIS1120} automotive MEMS accelerometer
|
||||
showed that this part is well-suited for braking detection in the range of rotation speed relevant to the IHSM scenario.
|
||||
In this paper, we introduced Inertial Hardware Security Modules (IHSMs), a novel concept for the construction of
|
||||
advanced hardware security modules from simple components. We analyzed the concept for its security properties and
|
||||
highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design
|
||||
by creating a proof of concept hardware prototype. In this prototype, we have demonstrated practical solutions to the
|
||||
major electronics design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation.
|
||||
We have used our prototype to perform several experiments to validate the rotary power and data links and the onboard
|
||||
accelerometer. Our measurements have shown that our proof-of-concept solar cell power link works well and that our
|
||||
simple IR data link already is sufficiently reliable for telemetry. Our experiments with an \partnum{AIS1120} automotive
|
||||
MEMS accelerometer showed that this part is well-suited for braking detection in the range of rotation speed relevant to
|
||||
the IHSM scenario.
|
||||
|
||||
Overall, our findings validate the viability of IHSMs as an evolutionary step beyond traditional HSM technology. IHSMs
|
||||
offer a high level of security beyond what traditional techniques can offer even when built from simple components. They
|
||||
|
|
@ -975,7 +976,7 @@ tamper detection through the measurement of external forces acting on the rotor.
|
|||
\label{sec_repo}
|
||||
|
||||
During our research on this paper, we have created a number of digital design artifacts including a 3D mechanical CAD
|
||||
model of our prototype IHSM, schematics and PCB layouts for all of its PCBs including the prototype security mesh
|
||||
model of our prototype IHSM, schematics, and PCB layouts for all of its PCBs including the prototype security mesh
|
||||
monitor PCB as well as firmware and data analysis scripts for the experiments we ran on the prototype IHSM. All of these
|
||||
digital artifacts as well as the sources to this paper are included in the git repository linked below.
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue