HSM survey: add text and CT scans

chapter-hsms/Makefile

@@ -0,0 +1 @@
+../Chapter_Makefile

chapter-hsms/chapter.tex

@@ -304,11 +304,98 @@ Sometimes, tamper-sensing meshes show up in other types of devices. We acquired
 Neopost mail franking machine, a type of device that is used to directly print a code on an envelope that replaces a
 conventional postage stamp.
 
-\section{Methodology}
+\subsection{Methodology}
+
+We proceeded by first photographing every test specimen from multiple angles, then disassembling them. After
+disassembly, we photographed each major component. After photos were taken, we proceeded with destructive techniques
+where necessary to obtain microscope photos of each tamper-sensing mesh component. PCBs were sectioned using a sanding
+drum attachment on a Dremel rotary tool. Potted modules were disassembled using milling, cutting and prying, applying
+heat from a heat gun as necessary to soften polymer compounds and to break glue joints.
+
+\subsection{Results}
+
+\subsubsection{Overall observations}
+
+\paragraph{Mesh materials.}
+We found meshes constructed from rigid PCBs as well as a number of Flexible Printed Circuit (FPC) processes.
+Tamper-sensing meshes constructed from PCBs sometimes used parts of an existing PCB, and sometimes additional PCBs only
+containing a mesh were added. Sometimes, multiple rigid PCB meshes were assembled in a house of cards fashion to enclose
+part of a device. For flexible meshes, with the exception of the Utimaco HSM appliance's HSM card that used an
+off-the-shelf Gore tamper sensing mesh foil were all clearly manufactured either entirely or mostly in standard
+processes. We found silkscreened silver ink and silkscreened carbon ink-based foils similar to those used for membrane
+keyboards, as well as conventional photolithographically etched copper/polyimide Flexible Printed Circuits (FPCs).
+Overall, etched PCBs showed better resolution compared to silkscreen-printed meshes. Feature size for both rigid and
+flexible etched PCB meshes was generally in the order of \qtyrange{100}{200}{\micro\meter}, while feature size for
+printed foil meshes was coarser at between \qtyrange{500}{3000}{\micro\meter}.
+
+\paragraph{Mesh layout.}
+
+\paragraph{Contact construction.}
+
+\subsubsection{Payment Terminal Construction}
+
+\begin{figure}
+    \centering
+    \includegraphics[width=0.7\textwidth]{mesh_fold_screenshot.pdf}
+    \caption[HSM appliance CT scan]{Computed Tomography (CT) scan of a corner of the PCIe HSM module from an Utimaco
+    rackmount HSM appliance. Visible are several capacitors, the edge of a large IC, and a large Flat Flexible Cable
+    (FFC) connector. Two layers of metal enclosures with resin potting in between are visible, and the security mesh can
+    be seen folded between layers of the folded FFC cable connecting to the outside.}
+    \label{hsm_fig_utimaco_ct}
+\end{figure}
+
+\begin{figure}
+    \centering
+    \includegraphics[width=\textwidth]{cut_chip_scene.pdf}
+    \caption[Ingenico Payment Terminal HSM CT Section Cut]{CT Section cut across the Ingenico potted module sample. The fold pattern of the mesh foil can be seen
+    clearly. The mesh traces can be seen on both sides of the foil. The two-layer PCB and the lead frame and bond wires
+    of a chip soldered on its top side are visible.}
+    \label{fig_ingenico_cut}
+\end{figure}
+
+\begin{figure}
+    \centering
+    \includegraphics[width=\textwidth]{mesh_pitch.pdf}
+    \caption[Ingenico Payment Terminal HSM Mesh Pitch]{A horizontal cut through the Ingenico potted module with
+    millimeter scale next to the mesh foil. As is visible, the mesh has a trace pitch of \qty{1.0}{\milli\meter} and
+    traces are offset between the two mesh layers to reduce the amount of gaps between traces.}
+    \label{fig_ingenico_pitch}
+\end{figure}
+
+\begin{figure}
+    \centering
+    \includegraphics[width=\textwidth]{mesh_contact_joint.pdf}
+    \caption[Ingenico Payment Terminal HSM Mesh Contacts]{Mesh contact joints in the Ingenico potted module sample. The
+    mesh is a foil that is attached to the PCB through bent stamped metal contacts. The contacts are riveted into large
+    contact pads patterend onto the mesh foil, and are soldered to the PCB. Next to the contacts, the mesh layout is
+    visble clearly.}
+    \label{fig_ingenico_contacts}
+\end{figure}
+
+\begin{figure}
+    \centering
+    \includegraphics[width=\textwidth]{open_end_detail.pdf}
+    \caption[Ingenico Payment Terminal HSM End Closure]{Connector end of the Ingenico potted module sample. This cut
+    shows that the mesh only encloses the PCB on three sides, and the connector side is left unprotected.}
+    \label{fig_ingenico_end}
+\end{figure}
+
+\begin{figure}
+    \centering
+    \includegraphics[width=\textwidth]{mesh_geom.pdf}
+    \caption[Ingenico Payment Terminal HSM Mesh 3D]{3D reconstruction of the mesh from the Ingenico potted module
+    sample. The mesh layout can clearly be seen. From this 3D view, the mesh construction is evident: A T-shaped mesh
+    foil is wrapped around the PCB on three sides, with PCB tabs at two corners acting as locating and fixturing
+    features. In the corners, cylindrical components are visible that likely serve as an attempt at sensing intrusion
+    through the corners.}
+    \label{fig_ingenico_3d}
+\end{figure}
 
 
 
-\section{Findings}
+\section{Discussion}
+
+% FIXME intro here
 
 \subsection{Tamper-sensing meshes then and now}
 
@@ -335,6 +422,41 @@ in the field. Practical monitoring circuitry seems basic. Particularly the datac
 contrast between a mesh manufactured in a bespoke process combined with a unsophisticated, discrete monitoring circuit
 based around a number of voltage comparators.
 
+\subsection{Computed Tomography Imaging}
+
+CT imaging presents a serious threat to any HSM design that relies on its mesh layout remaining secret. For instance,
+the Gore tamper-sensing mesh product used in IBM and Utimaco HSMs includes a feature where after production, small vias
+are lasered into a specially preparte area on the mesh foil to randomize the connection pattern of the mesh on a
+unit-by-unit basis. CT imaging could be used to discern this type of customization. Furthermore, CT imaging can be used
+to provide sub-millimeter accurate positioning for an attack, even if the sample to be attacked has large production
+tolerances. We found that CT imaging can be made more difficult using three complementary techniques.
+
+\paragraph{Low-contrast trace materials.}
+CT imaging can be made more difficult by manufacturing the mesh with very thin conductive traces, and using a trace
+material that has low atomic number, corresponding to low X-ray absorption. For instance, the Gore mesh sample used a
+carbon-based ink that judging by structure size was screen-printed, which leads to an economical yet relatively secure
+solution.
+
+\paragraph{Use of X-ray attenuating materials.}
+We found that placing any highly X-ray attenuating material in the HSM makes CT imaging more difficult since it
+makes using higher-energy X-rays necessary, which lead to poorer contrast on X-ray-transparent features like polymers.
+The result of this difference can be seen in the difference in image fidelity between the Utimaco HSM appliance and
+Ingenico potted module samples. The Ingenico sample was easy to image since it consisted of a PCB wrapped with a mesh
+foil and encased in resin inside of an injection-molded plastic enclosure. Thus, we were able to image it at a low X-ray
+energy and we were able to easily reconstruct detail on both the mesh's layout and the PCB's circuitry. In contrast, the
+Utimaco HSM module was potted inside a metal shell open on one side and had a second, spot-welded metal shell enclosing
+the PCB right underneath the mesh foil. While the outer metal shell could have been removed through e.g.\ milling, this
+inner metal shell was inaccessible. The Utimaco CT scans look worse because we chose a higher X-ray energy due to the
+large amount of metal, leading to poorer image contrast. In a practical application, a sheed made from elementary tin or
+a tin alloy would be a suitable choice for such an X-ray absorbing feature since tin is cheap, non-hazardous and absorbs
+X-rays almost as well as lead. Alternatively to a sheet-metal enclosure, an X-ray absorbing material could also be
+incorporated into a potting compound as a powder.
+
+\paragraph{Size.}
+Finally, we found that a larger module size makes CT imaging more difficult simply due to the thickness of material that
+the X-rays need to penetrate. Ideally, a HSM should aim for a cuboid form factor, as the common flat construction style
+is easily penetrated by X-rays along at least one axis.
+
 \section{Conclusion}
 
 In our survey, we have found a wide variety in tamper sensing mesh construction techniques. Meshes are commonly