From 1ff05d5a31c83d100369ec72b30a269d695422b3 Mon Sep 17 00:00:00 2001 From: jaseg Date: Mon, 20 Oct 2025 13:30:57 +0200 Subject: [PATCH] Update sampling mesh monitor chapter from paper camera ready --- chapter-sampling-mesh-monitor/chapter.tex | 1120 ++++++++++++--------- 1 file changed, 653 insertions(+), 467 deletions(-) diff --git a/chapter-sampling-mesh-monitor/chapter.tex b/chapter-sampling-mesh-monitor/chapter.tex index bd5d39b..047a72a 100644 --- a/chapter-sampling-mesh-monitor/chapter.tex +++ b/chapter-sampling-mesh-monitor/chapter.tex
@@ -1,38 +1,14 @@ \chaptertitle{High Fidelity Security Mesh Monitoring using Low-Cost, Embedded Time Domain Reflectometry} -\begin{abstract} - Security Meshes are patterns of sensing traces covering an area that are used in Hardware Security Modules (HSMs) - and other systems to detect attempts to physically intrude into the device's protective shell. State-of-the-art - solutions manufacture meshes in bespoke processes from carefully chosen materials, which is expensive and makes - replication challenging. Additionally, state-of-the-art monitoring circuits sacrifice either monitoring precision or - cost efficiency. In this paper, we present an embeddable security mesh monitoring circuit constructed from low-cost, - standard components that utilizes Time Domain Reflectometry (TDR) to create a unique fingerprint of a mesh. Our - approach is both low-cost and precise, and enables the use of inexpensive standard Printed Circuit Boards (PCBs) as - security mesh material. We demonstrate a working prototype of our TDR circuit costing less than \price{10}{\euro} in - components that achieves both time resolution and rise time better than \qty{200}{\pico\second}---a $25\times$ - improvement over previous work. We demonstrate our prototype's capability to detect and localize faults in several - practical attack scenarios including probing using a high impedance oscilloscope probe and a patching attempt using - micro soldering. -\end{abstract} - \section{Introduction} -% FIXME cite patent matsunoProtectionCircuitSemiconductor2008 on delay measurements - -% Bei Diss-Citations in der bib dazu schreiben, dass das ne Diss ist. -% 2.2 / 2.3 Wie related? Warum interessant? In Intro erwähnen? -% In Intro herausstellen, dass TDR-Setup neu ist. - -% Storyline für Intro: Wir sind die ersten die die Auflösung hinbekommen, und deshalb geht bei uns TDR. -% Time for 256 times oversampling: 710 ms. 384 times: 1056 ms. 
- Security meshes continue to be the state of the art for tamper sensing in applications where sophisticated physical attacks such as attempts at drilling or sawing through the device's enclosure to place probes must be prevented. Common applications for such meshes include Hardware Security Modules (HSMs) used to store and process cryptographic keys applying security standards such as -FIPS-140-2\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002} or ISO/IEC -24759\cite{ISOIEC24759}. Other applications include card payment terminals where PCI PTS HSM -standards\cite{pcisecuritystandardscouncilPaymentCardIndustry2021} are applicable. Security meshes usually consist of +FIPS-140-2~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002} or ISO/IEC +24759~\cite{ISOIEC24759}. Other applications include card payment terminals where PCI PTS HSM +standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2021} are applicable. Security meshes usually consist of two or more conductive traces that are laid out in a meandering pattern to cover a surface. A sensing circuit electrically monitors these traces to detect attempts at penetrating this surface. 
@@ -46,23 +22,23 @@ lower-security applications such as card payment terminals, simpler approaches a implementation. Often, standard copper/polyimide Flexible Printed Circuits (FPCs) or even standard Printed Circuit Boards (PCBs) are used because of the wide availability of manufacturing services. -Several academic approaches exist that target low-cost\cite{ +Several academic approaches exist that target low-cost~\cite{ vasileActiveTamperDetection2017, vasileTemperatureSensitiveActive2017, dupontMiniaturizedUltraLowPowerTamper2022, vasileProtectingSecretsAdvanced2019, -} or high-performance mesh monitoring\cite{ +} or high-performance mesh monitoring~\cite{ immlerBTREPIDBatterylessTamperresistant2018, immlerSecurePhysicalEnclosures2018, garbTamperSensitiveDesignPUFBased, -}. Some academic works even try to replace the security mesh with entirely different tamper sensing primitives\cite{ +}. Some academic works even try to replace the security mesh with entirely different tamper sensing primitives~\cite{ staatAntiTamperRadioSystemLevel2022, vaiSecureArchitectureEmbedded2015,}. High-performance mesh monitoring approaches try to characterize the mesh's physical properties with high accuracy, but often come at the cost of specialized, expensive circuitry. Low-cost approaches utilize advanced analog techniques in their circuitry to extract precise measurements using few components. They trade off measurement precision for lower component cost. Besides simple monitoring, detecting tamper attempts by replacing the mesh with a macro-scale Physically -Unclonable Function (PUF) has also been researched\cite{ +Unclonable Function (PUF) has also been researched~\cite{ immlerBTREPIDBatterylessTamperresistant2018, staatAntiTamperRadioSystemLevel2022, vaiSecureArchitectureEmbedded2015,}, albeit this comes with complex monitoring circuits that utilize expensive, 
@@ -70,11 +46,10 @@ specialty components. \begin{figure} \centering - \includegraphics[width=0.6\textwidth]{pic_board_setup_2_small_censored.jpg} + \includegraphics[width=0.6\textwidth]{pic_board_setup_2_small.jpg} \caption{Measurement setup. Shown are the test specimen board on the left, and the frontend board with one of the four pulse amplifiers in the center. The frontend board is powered through a USB-C connection, and data is sent to a - computer through a Single-Wire Debug (SWD) interface. The grid in the background has \qty{10}{\milli\meter} pitch. - Note: Author names and institutional affiliation were removed from this picture for peer review.} + computer through a Single-Wire Debug (SWD) interface. The grid in the background has \qty{10}{\milli\meter} pitch.} \label{fig_pic_board} \end{figure} @@ -96,7 +71,7 @@ specimen is shown in Figure\ \ref{fig_pic_board}. Compared to previous academic designs, our approach can be implemented at a lower cost using exclusively inexpensive, commercially available mass-market components. Our TDR frontend improves upon previous, delay-based approaches in -monitoring fidelity\cite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}. Our design achieves +monitoring fidelity~\cite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}. Our design achieves sufficient sensitivity to detect high-impedance oscilloscope probes despite such probes being specifically designed to conduct measurements without disturbing the circuit under test. Unlike previous, capacitance-based approaches, our design is compatible with inexpensive signal switch ICs, enabling the protection of arbitrarily large meshes at minimal 
@@ -108,7 +83,7 @@ The contributions of our work are as follows: \item To our knowledge, our design is the first to apply a low-cost embedded differential Time Domain Reflectometry (TDR) frontend to security mesh monitoring. Our design achieves pulse rise times below \qty{200}{\pico\second}, a $25\times$ improvement over the closest previous - work\cite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}. + work~\cite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}. \item Our approach provides higher fidelity compared to state-of-the-art security mesh conductivity monitoring or previous low-cost approaches. It enables the use of meshes manufactured using less advanced technologies such as standard FPC or PCB processes. Our TDR frontend produces 70 data points for each meter of mesh length, resulting 
@@ -126,12 +101,12 @@ The contributions of our work are as follows: \section{Related Work} Tamper sensing meshes are used in numerous applications from Hardware Security Modules (HSMs) to card payment -terminals\cite{andersonCryptographicProcessorsASurvey2006,tehranipoorHardwareSecurityPrimitives2023}. Despite their +terminals~\cite{andersonCryptographicProcessorsASurvey2006,tehranipoorHardwareSecurityPrimitives2023}. Despite their widespread use, security mesh design and monitoring is covered by a sparse research corpus. Commercially, security-by-obscurity is often considered a good idea and little detail is published on physical security -implementations\cite{andersonSecurityEngineeringGuide2020}. +implementations~\cite{andersonSecurityEngineeringGuide2020}. -Patent literature gives a partial view of commercial developments in this area. Even in recent patents such as\cite{ +Patent literature gives a partial view of commercial developments in this area. Even in recent patents such as~\cite{ brodskyTamperRespondentAssemblyFlexible2019, % IBM. ok, mentions conductivity monitoring but mostly on mesh nortonTamperDetectingCases2019, % HP. ok, mentions continuity monitoring only but mostly on mesh razaghiTamperDetectionSystem2020, % Square. ok. mentions what is effectively conductivity monitoring 
@@ -144,13 +119,13 @@ manufacturers Texas Instruments and Zilog, cited monitoring methods are basic an of resistance or capacitance. Academic research in the area is more advanced and spans both improvements to security meshes and their monitoring -circuits\cite{ +circuits~\cite{ immlerBTREPIDBatterylessTamperresistant2018, dupontMiniaturizedUltraLowPowerTamper2022, vasileProtectingSecretsAdvanced2019}, as well as approaches that entirely replace the security mesh with other primitives based on e.g.\ radio frequency or optical measurements that aim to sense tampering -with a device\cite{staatAntiTamperRadioSystemLevel2022,vaiSecureArchitectureEmbedded2015}. A drawback of techniques +with a device~\cite{staatAntiTamperRadioSystemLevel2022,vaiSecureArchitectureEmbedded2015}. A drawback of techniques aiming to replace security meshes with other sensor types is that it is difficult to prove such sensors do not have blind spots. 
@@ -166,22 +141,21 @@ security mesh as a Physically Unclonable Function (PUF), combining tamper sensin their design, the mesh consists of a cross-hatch pattern made from several dozen individually addressable capacitive electrodes. They manufacture their meshes in a specialized process that results in unpredictable, random variations in capacitance between electrodes. They propose an analog frontend that measures the precise mutual capacitance of each -pair of electrodes\cite{obermaierMeasurementSystemCapacitive2018} using an approach similar to +pair of electrodes~\cite{obermaierMeasurementSystemCapacitive2018} using an approach similar to \textcite{satoToucheEnhancingTouch2012}, and they use the resulting capacitance matrix as the basis of their PUF. In further work, they demonstrate a custom IC integrating the monitoring -circuit\cite{garbFORTRESSFORtifiedTamperResistant2021}. +circuit~\cite{garbFORTRESSFORtifiedTamperResistant2021}. Advantages of their system include high sensitivity to modifications, as well as that as a PUF, the system does not require a continuous power supply. Disadvantages include the limited mesh size a single circuit can support due to dynamic range constraints, the specialized manufacturing process needed for the mesh as well as the high cost of the monitoring circuit. Common physical security standards require systems to actively destroy all key material when -tampering is detected\cite{ +tampering is detected~\cite{ usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002, ISOIEC24759, pcisecuritystandardscouncilPaymentCardIndustry2021}. Like other PUF-based systems, their system naturally lacks this capability. -% FIXME go more into multiplexing larger meshes in our system below Key differences of our system include: \begin{itemize} \item Our system can cover larger meshes without loss of precision using a single TDR frontend through multiplexing. 
@@ -217,7 +191,7 @@ to any signal characteristics apart from total signal power. \paragraph{Time domain mesh monitoring.} Time-Domain Reflectometry has been proposed for tamper sensing in nuclear arms control -applications\cite{parsonsTamperRadiationResistant1977}. However, compared to our design, the systems proposed in this +applications~\cite{parsonsTamperRadiationResistant1977}. However, compared to our design, the systems proposed in this field are usually much larger, using standard benchtop measurement equipment to perform TDR. Additionally, they target lower time resolution since they are designed to monitor spans of cable up to several hundred meters in length. @@ -257,7 +231,7 @@ downconverting mixers. This development was enabled by both the increasing avail hundreds of megasamples per second at a reasonable resolution, and by the increase in speed of CPUs, FPGAs, and other components of the digital processing chain. However, this is largely a development of this millennium--meanwhile, signals far into the gigahertz range have been studied since the advent of radar technology in -the Second World War\cite{kahrs50YearsRF2003}. Enabled by the progress from vacuum tubes to semiconductor devices, +the Second World War~\cite{kahrs50YearsRF2003}. Enabled by the progress from vacuum tubes to semiconductor devices, equivalent time sampling became the technology of choice for the latter half of the twentieth century until around the turn of the millennium the introduction of high-speed digital processing and fast ADCs enabled real-time conversion up into higher microwave frequencies, today reaching beyond the \qty{100}{\giga\hertz} boundary. 
@@ -265,10 +239,10 @@ into higher microwave frequencies, today reaching beyond the \qty{100}{\giga\her \textcite{kahrs50YearsRF2003} trace back the style of four-diode balanced bridge sampling gate that we use to a vacuum tube implementation presented in \textcite{chanceWaveforms1949}. This style of sampling gate found application in a number of sampling oscilloscopes throughout the twentieth century in several oscilloscope sampling frontends such as -HP's 187B\cite{HP187BDualTrace1962}. +HP's 187B~\cite{HP187BDualTrace1962}. While initially equivalent time sampling was used to circumvent technological limitations, more recently it has also -been used to achieve cost-optimized designs\cite{houtman1GHzSamplingOscilloscope2000}. Going along similar principles, +been used to achieve cost-optimized designs~\cite{houtman1GHzSamplingOscilloscope2000}. Going along similar principles, \textcite{polasekReflektometrCasoveOblasti2020} presents a design for a minimal sampling TDR circuit that uses a CMOS clock generator IC along with a CML fanout buffer for pulse generation. The circuit improves upon the double sampling design first presented by \textcite{houtman1GHzSamplingOscilloscope2000} to reconstruct a downsampled copy of the input 
@@ -295,6 +269,50 @@ nanosecond-scale stimulus rise time--not by frontend time resolution. Compared w our proposed system is not only faster, but presents a more balanced trade-off between time resolution and analog bandwidth. +\subsection{Device Fingerprinting through Impedance Sensing} + +Recently, impedance analysis on the Power Distribution Network (PDN) of PCB assemblies has been proposed as a +fingerprinting technique aimed at detecting Hardware Trojans (HT) inserted into a board~\cite{ + fujimotoDemonstrationHTDetectionMethod2018, + mosavirikImpedanceVerifOnChipImpedance2022}. +Usually, all chips on a board are directly connected to the board's PDN. Thus, characterizing the board's PDN does not +only yield information on possible modifications to the board's PDN itself---such as modified traces or removed passive +components---it also reflects information about the internal structure of chips connected to the PDN. Impedance analysis +techniques generally probe the circuit during operation using high-frequency signals. They have been proven using an +external Vector Network Analyzer in one-Port~\cite{mosavirikSiliconEchoesNonInvasive2023} configuration measuring +reflected signal components as well as using two or more ports measuring transmitted signal +components~\cite{zhuPDNPulseSensingPCB2023}. Both Time Domain +Reflectometry~\cite{fujimotoDemonstrationHTDetectionMethod2018} and conventional frequency-domain VNA +measurements~\cite{mosavirikImpedanceVerifOnChipImpedance2022} have been shown to be effective. From a signal theory +point of view, both techniques can be considered equivalent. + +While using an external VNA is feasible for validation in a factory setting, several research works embed the measuring +system into the PCB as either a discrete circuit~\cite{fujimotoDemonstrationHTDetectionMethod2018} or as part of an FPGA +gateware~\cite{ + mosavirikImpedanceVerifOnChipImpedance2022, + mosavirikBackMonICBackside2024}. 
+With such a system, boards can self-verify in the field after deployment, enabling the use of the system for active +tamper sensing. While at less than \qty{2}{\giga\hertz} the achievable bandwith of such systems is lower than that +provided by an external, research-grade VNA, it turns out that the frequencies of interest in the impedance profile of +practical boards lie inside of this small bandwidth~\cite{mosavirikImpedanceVerifOnChipImpedance2022}. + +Variations of impedance analysis techniques have been demonstrated that detect changes inside individual chips using +board-level measurements~\cite{luCorrelatedRandomnessTeleportation2021}, that detect manipulatoins using non-contact +near-field Radio Frequency (RF) measurements~\cite{saadatsafaNearFieldMicrowaveSensing2025}, that detect the mechanical +preparation of a target chip for backside attacks using onboard measurements~\cite{mosavirikBackMonICBackside2024}, and +that adapt the technique as an offensive tool for side-channel analysis (SCA) +attacks~\cite{monfaredLeakyOhmSecretBits2023}. + +Similar to PDN impedance analysis, our proposed technique also embeds a RF measurement circuit in a target board. TDR +and frequency-domain VNA measurements resolve the same information about a target circuit from a signal theory +perspective. Our system reaches a significantly higher bandwidth than embedded measurement setups from differs from PDN +impedance analysis literature, and that our proposed tamper-sensing meshes are specifically built as sensors. Our +technique is better suited to active tamper-sensing applications where the sensing circuit is continuously powered. In +contrast to PDN impedance analysis techniques that need the entire PDN to be powered, our proposed technique can be +applied to protect an unpowered payload circuit. 
In a practical application, both PDN impedance analysis and TDR-based +tamper-sensing meshes could complement each other to form a comprehensive defense where PDN impedance analysis checks +the core system's integrity, with TDR-based meshes covering everything outside the purview of PDN impedance analysis. + \section{Monitoring a Security Mesh using Time Domain Reflectometry} Time Domain Reflectometry (TDR) is a well-known technique that is used to locate faults along a signal channel such as a @@ -310,7 +328,7 @@ length. In this paper, we apply TDR to monitor a security mesh for changes caused by an attack. Our prototype setup consists of a custom circuit board containing a low-cost embedded TDR frontend that can be connected to a security mesh specimen to measure its response, creating a fingerprint of the mesh. In a standard PCB manufacturing process, we construct a -security mesh with a ground plane underneath that works similarly to previous work\cite{ +security mesh with a ground plane underneath that works similarly to previous work~\cite{ immlerBTREPIDBatterylessTamperresistant2018, obermaierMeasurementSystemCapacitive2018, garbTamperSensitiveDesignPUFBased}. 
@@ -324,16 +342,46 @@ the mesh's traces both ways, at which point we expect a large response whose pol termination on the far end of the mesh. In our prototype circuit, we made this termination configurable to expand the range of possible measurement configurations and to enable self-calibration of the circuit. -When an attacker attempts to tamper with the mesh, they will cause an impedance discontinuity. Cuts of one or both -traces or a short circuit between both traces will result in a total reflection of the incident pulse at the location -of the fault, which our circuit will easily detect as the delay of the response changes. However, beyond these simple -cases, our approach can also detect more subtle changes. For instance, a short circuit between two points along the same -mesh trace will also result in a change in delay along this trace. Furthermore, even just probing a mesh trace with an -oscilloscope probe will add the probe's input capacitance, which is usually in the order of several Picofarad, to one -point along the trace, resulting in an impedance step that can be detected by TDR. The TDR approach is thus able to not -only detect but distinguish and even localize several types of faults or attacks in a mesh. +Tampering with the mesh is likely to cause an impedance discontinuity. Cuts of one or both traces or a short circuit +between both traces will result in a total reflection of the incident pulse at the location of the fault, which our +circuit will easily detect as the delay of the response changes. However, beyond these simple cases, our approach can +also detect more subtle changes. For instance, a short circuit between two points along the same mesh trace will result +in a change in delay along this trace. Furthermore, even just probing a mesh trace with an oscilloscope probe will add +the probe's input capacitance, resulting in an impedance step. 
The TDR approach is thus able to not only detect but +distinguish and even localize several types of faults or attacks in a mesh. -% FIXME subsection on routing and daisychaining +\subsection{Signal Routing} + +The stimulus pulse in a TDR-based design is a high-speed signal not unlike any other high-speed data or radio signal. +This enables the use of signal switch and multiplexer ICs marketed for RF or high-speed data bus applications. Due to +their mass-market applications, such devices are inexpensive. Using a tree-shaped topology of multiplexers, several mesh +segments can be monitored by a single frontend, enabling the monitoring of arbitrarily large volumes. As a proof of +concept, in our prototype we implemented software-controllable flipping of the mesh using \partno{TMUXHS4212} bus +multiplexers. + +\subsection{Typical System Design and Threat Model} +\label{sec_system_design} + +A typical system design for an HSM with TDR-based tamper sensing meshes would consist of a PCB assembly containing +payload components as well as the mesh monitoring circuit. Tamper-sensing meshes made from rigid or flexible PCBs would +enclose this PCB assembly from all directions. In this paper we propose meshes that have a ground plane, which would be +on the outer side of the mesh PCBs and shield the system against electromagnetic interference. Mesh monitoring would be +battery powered and would periodically check for tamper attempts. + +We consider an attacker motivated to extract the payload's secrets. Self-destruction by deleting secrets would suffice +as tamper response against this type of attacker. Such an attacker might want to probe parts of the payload circuit +using either conventional electrical contacts or using electromagnetic near-field probes that must be placed right on +top of the feature to be probed. An attacker might further attempt to manipulate the payload circuit, such as by +removing capacitors to enable a later power side-channel attack. 
In preparation for an optical fault-injection attack, +an attacker might attempt decapsulating some of the payload circuit's ICs either using laser ablation or using chemical +etching. An attacker might also attempt fault injection attacks using either electrical contacts or electromagnetic +fault injection probes near a target feature. + +We consider attackers that have access to industry-standard SMD rework equipment such as microscopes, microsoldering +irons, and fine tweezers. We also consider attackers that have access to more advanced equipment, such as laboratory +measurement equipment like high-bandwidth oscilloscopes and waveform generators. We consider attackers with standard +equipment for mechanical manipulation including precision milling machines and cutters. We do not consider bespoke +attack tools, or specialized tools for large-scale industrial manufacturing such as industrial drilling machines. \section{Circuit Design and Driving Approach} 
@@ -345,72 +393,60 @@ only detect but distinguish and even localize several types of faults or attacks \label{fig_block_diagram} \end{figure} -A TDR can be broken down into three basic components. First, we need a source of fast pulses (or fast edges!) to -stimulate the mesh. Second, we need a coupler that allows us to couple the stimulus pulses into the mesh, and their -reflections out of it. Finally, we need a fast ADC to capture the reflections. +A TDR can be broken down into three basic components: A source of fast stimulus pulses (or edges!), a coupler that +separates stimulus pulses and their reflection at the output, and a fast ADC to capture the reflections. Figure\ \ref{fig_block_diagram} shows a block diagram of our design\footnote{Full schematics are available in this paper's supplementary material.}. At the core of our design lies an equivalent time sampling setup, where two diode bridge sampling gates alternately sample the two traces of the mesh. Since physical attacks happen on a time scale of minutes or hours, we do not need a fast acquisition rate. Equivalent time sampling uses fast sampling gates to sample a high-frequency signal at a low frequency that is suitable for direct -conversion through an ADC. This reduces the requirements of our data acquisition and signal processing fronted from -gigasamples per second to mere megasamples, well within the range that a commodity microcontroller can handle. +conversion through an ADC. Using equivalent-time sampling, we can sample \unit{\giga\hertz}-Scale signals at the +\unit{\mega\hertz}-scale sampling rate of the internal ADCs of the commodity microcontroller we use. We use two of the +microcontroller's ADCs interleaved, each of which provides approximately \qty{1.7}{\mega Sp\per\second} at +\qty{12}{\bit} resolution. Due to the high conversion speed of the modern ADC cores in this microcontroller, we are able +to use up to $384\times$ oversampling for increased precision. 
-A challenge in equivalent time sampling is precisely phase-synchronizing the sampling pulse to the fundamental frequency -of the input signal, which is usually implemented by using a high-speed comparator. In a TDR-style frontend like ours, -this expensive component can be avoided because the stimulus signal is generated in the frontend, simplifying the -challenge of generating a synchronized sampling pulse at an adjustable phase to the stimulus pulse. +%A challenge in equivalent time sampling is precisely phase-synchronizing the sampling pulse to the fundamental +%frequency of the input signal, which is usually implemented by using a high-speed comparator. In a TDR-style frontend +%like ours, this expensive component can be avoided because the stimulus signal is generated in the frontend, +%simplifying the challenge of generating a synchronized sampling pulse at an adjustable phase to the stimulus pulse. -Since an intact mesh has low insertion loss, the amplitude of the response of an intact mesh is large. Thus, we do not -need a high dynamic range in either the frontend amplifiers or in the ADC, enabling the use of commodity operational -amplifiers (opamps) and the built-in ADC of a commodity microcontroller. Further, the strong signal allows us to use a -comparatively lossy \qty{-6}{\deci\bel} resistive tee instead of a directional coupler. A resistive tee does not provide -directionality, but in our case, the incident pulse can never interfere with reflections at the sampling output of the -divider because of causality. +The mesh has low insertion loss. Thanks to the resulting large amplitude of the reflection signal, the noise floor of +our frontend based on commodity operational amplifiers (opamps) is below the resolution limit of the built-in ADCs of +our chosen microcontroller. 
The main source of frontend noise stems from timing jitter between the sampling gate and the +ADC due to the clock generation of the ADC, which could be reduced through firmware changes. The strong signal allows us +to use a comparatively lossy but simple \qty{-6}{\deci\bel} resistive tee instead of a directional coupler. -To implement our sub-nanosecond sampler, we chose a simple four-diode bridge sampling gate made from commodity -\partno{BAT17-04W} RF Schottky diodes, which offer turn-on times better than \qty{100}{\pico\second} at -\price{0.13}{\euro} per device at quantity 1000. The four-diode configuration requires only two dual diode packages. In -contrast to \textcite{polasekReflektometrCasoveOblasti2020,houtman1GHzSamplingOscilloscope2000}, in our system, double -sampling is not necessary - instead, we follow the sampling gate directly with an amplifier feeding into the internal -ADC of our microcontroller. We use an internal timer peripheral of the same microcontroller to generate both stimulus -and sample pulses such that we can easily phase-lock the internal ADC to the same timer. +We implemented the sub-nanosecond sampler using a four-diode bridge sampling gate made from commodity \partno{BAT17-04W} +RF Schottky diodes, which offer turn-on times better than \qty{100}{\pico\second} at \price{0.13}{\euro} per device at +quantity 1000. In contrast to prior +work~\cite{polasekReflektometrCasoveOblasti2020,houtman1GHzSamplingOscilloscope2000}, we precisely control the timing of +our ADC and avoid the need for a second sampling stage. -We base our circuit around an \partno{STM32G474RB} microcontroller, a \price{5}{\euro}-class commodity ARM -microcontroller. Besides adequate processing speed for its price class, this microcontroller offers two features that -are critical to our design. First, its internal ADCs are both higher resolution and faster than those of older parts. 
-Second, it is one of a few parts in its series that include a \emph{high-resolution timer} (\partno{HRTIM}) peripheral -that provides several outputs that can be controlled with better than \qty{200}{\pico\second} resolution through -per-output, self-calibrating delay line circuitry. We use this peripheral to produce both the stimulus pulse and the -phase-adjustable sampling pulse. +We base our circuit around an \partno{STM32G474RB} microcontroller, \price{5}{\euro}-class commodity ARM +microcontroller. This is a recent part, which has internal ADCs that are both higher resolution and faster than those of +older parts. Furthermore, it includes a \emph{high-resolution timer} (\partno{HRTIM}) peripheral that provides better +than \qty{200}{\pico\second} timing resolution through self-calibrating delay lines. We use this peripheral to produce +adjustable, phase-locked stimulus and sampling pulses. -While the HRTIM peripheral allows us to finely adjust the phase of its output waveform, the digital output structures of -the \partno{STM32G4} series are still limited to nanosecond-scale rise and fall times with the datasheet quoting -$t_r=t_f=\qty{1.7}{\nano\second}$ into a \qty{10}{\pico\farad} load when using the fastest GPIO output drive strength -setting and a \qty{3.3}{\volt} supply\cite{stmicroelectronicsSTM32G474xBDatasheet2021}. We work around this issue by -applying two circuit tricks. First, we send its output through a fast amplifier to square up the edges to a rise time -better than \qty{500}{\pico\second}. The remaining challenge is that while we now have pulses with crisp edges, due to -constraints of the HRTIM peripheral, at more than \qty{10}{\nano\second}, these pulses are still too wide to be useful. -We solve this issue by applying a clip line\cite{tektronixinc.TektronixS6Sampling1982} pulse forming network at the -output of the amplifier--i.e.\ we connect the amplifier's output to the load in parallel with a short, terminated -transmission line stub. 
The length of this stub determines the pulse width. +While the HRTIM peripheral provides sub-nanosecond phase adjustment, the digital outputs of the \partno{STM32G4} series +are limited to a minimum transition time of $t_r=t_f=\qty{1.7}{\nano\second}$\footnote{Datasheet specification, when +driving a \qty{10}{\pico\farad} load~\cite{stmicroelectronicsSTM32G474xBDatasheet2021}.}. We work around this issue with +two circuit tricks. First, we send the output through a fast amplifier to square up the edges to a rise time better than +\qty{500}{\pico\second}. We then reduce the \qty{10}{\nano\second} minimum pulse width supported by the \partno{HRTIM} +peripheral by applying a clip line~\cite{tektronixinc.TektronixS6Sampling1982} pulse forming network--i.e.\ we connect +the amplifier's output to the load in parallel with a short, terminated transmission line stub. The length of this stub +determines the pulse width. \subsection{Driver Selection} -Several types of amplifiers can be used in our pulse shaping application. Common to all options, we require differential -outputs. In practice, for most parts, this means we are looking for a part with Current Mode Logic (CML) outputs. CML is -a differential signaling standard that is widely used in high-speed logic. In CML, a current source feeds a pair of -transistors that steer current between the two outputs of the differential pair. By steering current between the two -outputs, common-mode currents are minimized which both reduces the effect of power supply impedance at the transmitter -and reduces electromagnetic emissions from the differential pair's PCB traces. In our experiments, we considered several -parts and settled on four parts for evaluation in this paper: A \partno{74LVC2G157} standard logic IC, two display -protocol redrivers, \partno{PI3HDX12211} and \partno{TDP0604}, as well as \partno{MAX3748}, a limiting amplifier for -optical networking applications. 
We implemented four variants of our prototype using a steady hand under a microscope as -shown in Figure\ \ref{fig_pic_amps}. - -One notable omission from our tests was the series of CML-output comparators made by Analog Devices due to the cost of -these devices. +We evaluated multiple options for the pulse shaping amplifier in our design. For both sampling and stimulus, we work +with fully differential signals, so Current Mode Logic (CML) devices, which are widely used in high-speed logic, are a +natural fit. We settled on four parts for evaluation in this paper: A \partno{74LVC2G157} standard logic IC, two +HDMI/DisplayPort redrivers, \partno{PI3HDX12211} and \partno{TDP0604}, as well as \partno{MAX3748}, a limiting amplifier +for optical networking. Figure\ \ref{fig_pic_amps} shows the four hand-soldered prototypes. We avoided specialty parts +such as the CML-output comparators made by Analog Devices due to cost. \begin{figure} \centering 
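Review bot: the first added paragraph of this hunk is missing an article: "\partno{STM32G474RB} microcontroller, \price{5}{\euro}-class commodity ARM microcontroller" should read "a \price{5}{\euro}-class commodity ARM microcontroller" (or drop the second "microcontroller"). The rewritten Driver Selection paragraph also removes the only sentence that said why CML outputs matter for this design (current is steered between the two outputs, so common-mode current and supply-impedance effects stay small); with it gone, "CML devices ... are a natural fit" is asserted rather than justified. Suggest keeping one clause, e.g. "since their current-steering output stage keeps common-mode current low". Minor: "phase-locked stimulus and sampling pulses" is fine, but the footnote "Datasheet specification, when driving a \qty{10}{\pico\farad} load" should say this is the fastest GPIO drive setting, as the removed text did, since slower settings give worse figures.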
@@ -434,74 +470,43 @@ these devices. \includegraphics[width=0.9\textwidth]{pic_pi3hdx_small.jpg} \caption{PI3HDX12211} \end{subfigure} - \caption{Circuit-board implementation of the four pulse amplifier variants of the design. Amplifiers were mounted - dead bug style on a piece of copper tape connected to one of the supply rails and hooked up with - \qty{120}{\micro\meter} diameter wire according to their respective datasheets. Supply rails were hooked up using - copper tape where possible to reduce series impedance. Additional \qty{10}{\micro\farad} MLCC power supply - decoupling capacitors were placed close to the ICs on the copper tape to reduce loop area.} + \caption{Implementation of the pulse amplifier variants of the design. Amplifiers were mounted dead bug style on + copper tape and connected with \qty{120}{\micro\meter} wire. Supply rails were connected with copper tape where + possible to reduce impedance. MLCC power supply decoupling capacitors were placed on the copper tape to reduce loop + area.} \label{fig_pic_amps} \end{figure} \paragraph{Standard logic ICs.} -As a baseline, we evaluated the \partno{74LVC2G157} standard logic IC. This IC contains a single multiplexer, however, -we are not interested in the multiplexer functionality. The interesting trivia about this chip is that it also is one of -the only \partno{74} series standard logic parts that have complimentary outputs. According to manufacturer -specifications, at a comparable \qty{20}{\pico\farad} load, \partno{74LVC} series parts have slightly faster rise and -fall times compared to our \partno{STM32} microcontroller's digital IO -pins\cite{renesaselectronicscorporationApplicationNoteAN2242019}. +As a baseline, we evaluated the \partno{74LVC2G157} CMOS multiplexer configured to provide complementary outputs. +According to manufacturer specifications, this part provides slightly faster rise and fall times than +oumicrocontroller~\cite{renesaselectronicscorporationApplicationNoteAN2242019}. 
\paragraph{Optical Networking Chipsets.} -A category of CML-output drivers suitable for our application is a class of optical networking chipset ICs. While -today, the construction of optical transmitters has moved to direct bonding of optical components and driver ICs to -minimize parasitics, discrete driver ICs for some chipsets from the mid-2000s era are still available at reasonable -cost. Both the laser driver used to drive the transmitter laser diode, and the limiting amplifier used to amplify the -receiver photodiode's output can be used in our application, with the limiting amplifier part requiring less additional -circuitry in our application due to its lack of output bias control. In our evaluation below, we include the -\partno{MAX3748} limiting amplifier as a representative part from this category that is still commercially available. A -drawback of relying on a part like this is that its future availability is uncertain given the evolution of the -industry. +Optical transceivers use CML-output limiting amplifiers and laser drivers, some of which are still available as discrete +components despite the industry moving from PCB implementations to direct bonding. We evaluated the \partno{MAX3748} +limiting amplifier as a representative part from this category. \paragraph{Bus Redrivers.} -The final category of amplifiers suitable for our pulse shaping needs is redrivers intended for high-speed data -interfaces such as USB 3, PCI Express, HDMI, or DisplayPort. All of these interfaces use CML drivers, with differential -voltage levels usually in the order of \qtyrange{600}{1000}{\milli\volt}. \emph{Redriver} ICs are intended to be used to -amplify the sensitive high-speed bus signal at the edge of a PCBA, either before it leaves the board through a connector -to ensure adequate signal levels at the connector, or after it enters through a connector to compensate for loss in the -PCB traces between the connector and the signal's destination. 
For our application, redrivers intended for HDMI and -DisplayPort applications are most suitable, as they can usually be configured to act as simple amplifiers without -processing any protocol logic on the signals that are amplified. In contrast, both USB 3 and PCIe redrivers often -implement power saving features that try to parse parts of the actual signal transmitted through them, which are hard to -bypass in our application. +Most modern, high-speed buses like USB 3, PCI Express, HDMI, and Display Port use CML drivers. \emph{Redriver} ICs +intended to amplify such signals to compensate for loss in connectors or cables contain amplifiers that are suitable for +our application. HDMI/DisplayPort redrivers are most suitable since they can be configured as simple amplifiers, +turning off any signal-dependent power saving features. -Redrivers can be classified according to their way of operation. \emph{Retimers} include a full -serialization/deserialization (SerDes) setup and parse the low-level protocol of the bus to reconstruct bit-level -timing. We focus only on simpler redrivers that only contain amplifiers and (analog) equalizers here. - -Amplifying redrivers can be separated into two classes: Limiting and linear redrivers. A limiting redriver is configured -to have a high gain such that a small input signal will be amplified to the full output voltage swing. Limiting -redrivers are well-suited for our application, but they have come out of fashion since they interfere with link training -and with power saving features of protocols like USB 3. - -Linear redrivers are constructed with a low gain instead. Sufficient to compensate for wiring losses, their gain is low -enough to leave them transparent to bus protocol features such as link training or power saving features. 
To compensate -for their reduced gain, linear redrivers usually contain configurable equalizers that can be used to apply targeted -enhancements for particular signal defects, such as boosting high-frequency gain or providing a set amount of overshoot. -Where available, in our prototype variants we set these equalization features to provide maximum gain. - -In our evaluation below, we include \partno{PI3HDX12211} as a linear redriver intended for DisplayPort and HDMI -applications, as well as \partno{TPD0604} as a ``hybrid'' linear or limiting redriver for HDMI applications, configured -for limiting mode in our experiments. An attractive feature of both of these chips as well as comparable devices is that -they usually include at least four independent channels, so only one chip is needed for both pulse paths. Additionally, -they are consumer mass market parts, resulting in a low price. For instance, \partno{PI3HDX12211} is available at -\price{2.11}{\euro} in single quantity and less than \price{1.30}{\euro} at a quantity of several hundred at distributor -LCSC, and \partno{TPD0604} is available at \price{4.72}{\euro} and \price{3.44}{\euro}, respectively, at distributor -Mouser. +In our evaluation below, we include \partno{PI3HDX12211} and \partno{TPD0604}, two inexpensive, consumer mass market +redrivers\footnote{ + \partno{PI3HDX12211} is available at \price{2.11}{\euro} in single quantity and less than \price{1.30}{\euro} at a + quantity of several hundred at distributor LCSC, and \partno{TPD0604} is available at \price{4.72}{\euro} and + \price{3.44}{\euro}, respectively, at distributor Mouser}. +Both parts have four independent channels, so only one chip is needed for the two pulse paths. \subsection{Cost Breakdown} -Table\ \ref{tab_bom} shows a breakdown of the cost of the main components of our prototype, resulting in a total -component cost of less than \price{10}{\euro}. 
We did not include power supply components in this breakdown as our -circuit is meant to be embedded into a payload circuit that will already have sufficient power supplies. +Table\ \ref{tab_bom} shows a breakdown of the cost of the main components of our prototype, totalling less than +\price{10}{\euro}. We did not include power supply components in this breakdown since our circuit is meant to be +embedded into a payload circuit that will already have sufficient power supplies. Our design works with strong signal +levels, and does not have special power supply requirements. In a practical implementation, it is unlikely that the +power supply would negatively affect performance. Due to its \partno{HRTIM} peripheral, the \partno{STM32G4} microcontroller is the component of our design that is hardest to replace. However, this part can still be replaced with a wide range of FPGAs, which commonly include @@ -520,14 +525,12 @@ of Xilinx 7 Series FPGAs provides the same $\frac{1}{32}$ clock cycle resolution SKYA21003&2&0.49&Termination switch\\ 74LVC2G157&2&0.15&Pulse pre-conditioning\\ BAT17-04W&4&0.12&Sampling gates\\ - &25&0.01&Various MLCC capacitors\\ - &25&0.01&Various resistors\\\hline + N/A&25&0.01&Various MLCC capacitors\\ + N/A&25&0.01&Various resistors\\\hline \multicolumn{2}{r}{}&\textbf{9.67}&\textbf{Total} \end{tabular} - \caption{A cost breakdown of the major components of our design. Listed prices are for 1000 pieces order quantity to - make prices more comparable between distributors. The number of switches necessary for signal routing and - termination depends on the specific mesh signal routing of the application. Numbers shown here are for our - prototype, which can measure a mesh from both ends and supports short, open and matched termination.} + \caption{Cost breakdown of our prototype design. Prices are listed at order quantity 1000 to make prices more + comparable between distributors.} \label{tab_bom} \end{table} 
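Review bot: typo in the added Standard logic ICs paragraph: "oumicrocontroller" should be "our microcontroller". Part-number spelling is inconsistent across this hunk: the redriver paragraph and its footnote use "\partno{TPD0604}" (three times) while Driver Selection, the figure captions and Table~\ref{tab_edge_risetime} use "\partno{TDP0604}"; pick one (the device is the TDP0604). Likewise "Display Port" in the Bus Redrivers paragraph versus "HDMI/DisplayPort" one sentence later. The new Cost Breakdown sentences "Our design works with strong signal levels, and does not have special power supply requirements. In a practical implementation, it is unlikely that the power supply would negatively affect performance." add a claim that nothing in the section measures; either tie it to the decoupling and copper-tape supply routing already described in the figure caption, or drop it.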
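Review bot: the shortened BOM caption "Cost breakdown of our prototype design. Prices are listed at order quantity 1000 ..." drops the statement that the number of switches depends on the mesh signal routing and that the quantities shown are for a prototype that measures the mesh from both ends with short, open and matched termination. Without it, the "SKYA21003 & 2 & 0.49 & Termination switch" row and the other switch rows read as fixed requirements of the design rather than of this prototype, and the \price{10}{\euro} total looks less conditional than it is. Suggest keeping that sentence (it is two lines).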
@@ -535,93 +538,67 @@ of Xilinx 7 Series FPGAs provides the same $\frac{1}{32}$ clock cycle resolution \label{sec_scan_schedule} The goal of a time domain reflectometer is to send a pulse into the Device Under Test (DUT)--i.e.\ in our application, -the mesh--and to record all reflections returning from the DUT afterwards. In something like a security mesh whose -traces might only be a few meters long in total, the time span between the pulse being sent and the last reflections -from the very end of the mesh arriving is in the order of several tens of nanoseconds. Directly recording a response at -this timescale would be infeasible using a commodity microcontroller, so we utilize an equivalent time sampling -approach. +the mesh--and to record all reflections returning from the DUT afterwards. In a security mesh with a few meters of total +trace length, the time span between the pulse being sent and the last reflections arriving from the end of the mesh is +in the order of tens of nanoseconds. Directly recording a response at this timescale would be infeasible in a commodity +microcontroller, so we use equivalent time sampling. As shown in Figure\ \ref{fig_block_diagram}, our analog frontend contains amplifiers that produce the stimulus pulse, a sampling gate with amplifiers, and a coupler that couples the pulse into the mesh and couples the reflections back into -the sampling gate. A microcontroller controls this frontend with two primary signals: A stimulus pulse, and a sampling +the sampling gate. A microcontroller controls this frontend with two main signals: A stimulus pulse, and a sampling pulse. By adjusting the timing between these two pulses every time a stimulus pulse is sent, the microcontroller can -select a particular point in time after the stimulus pulse to record using the sampling gate. 
By slowly sweeping across -the whole time span, the microcontroller can reconstruct the waveform of the reflected signal at the sampling gate -across one period of the stimulus pulse. The recording rate of this waveform is limited by the repetition rate of the -stimulus pulse as well as the time step size. +sample the response at any chosen point in time. By sweeping across the whole time span, the microcontroller can +reconstruct the waveform of the reflected signal at the sampling gate. -The attainable repetition rate of our stimulus and sampling circuits is limited by two main components. First, the -sampling post-amplifier's bandwidth limits the maximum sample rate. In our design, we chose an \partno{OPA1656} -\qty{50}{\mega\hertz} Gain-Bandwidth Product (GBP) FET input low noise operational amplifier. We need a FET input part -to avoid loading the sampling gate. The comparatively high GBP and the low noise input stage of this device allow us to -amplify small signals that could result from weak reflections in small impedance discontinuities inside the mesh. +In our prototype, we sample the response once after each stimulus pulse. We conservatively decided on a sampling rate of +\qty{1}{MSps} across both channels of the mesh's differential pair. This sampling rate leaves some headroom to the +\qty{50}{\mega\hertz} Gain-Bandwidth Product (GBP) of the \partno{OPA1656} frontend opamp, as well as the \qty{4}{MSps} +that the ADCs can reach. The processing speed of the microcontroller allows individual control of the timing of each +sampling pulse. -The second major factor limiting repetition rate is the microcontroller's ADC speed, as well as the speed of the -software processing the ADC's output. At full \qty{12}{b} resolution, this corresponds to a sampling rate of -approximately \qty{4}{MSps}. The microcontroller contains five ADCs, which can be interleaved to achieve higher rates. 
+% major revision: Since we did all measurements for the majR with only 768 samples, we re-scaled the numbers in this +% paragraph accordingly. +In our prototype, one sweep of a \qty{141}{\nano\second} time span consisting of $768$ data points took +\qty{825}{\milli\second} at $384\times$ oversampling. The time span corresponds to \qty{21}{\meter} of mesh length, +which at a \qty{200}{\micro\meter} pitch corresponds to a mesh area of \qty{85}{\centi\meter\squared} and at a +\qty{1}{\milli\meter} pitch corresponds to \qty{426}{\centi\meter\squared}. By optimizing timing, moving oversampling +processing out of the interrupt handler, and by interleaving four instead of two of the microcontroller's five ADC +peripherals, the lower limit of acquisition time of a $768$-point scan is \qty{37}{\milli\second} for $384\times$ +oversampling. -Combining these factors, we conservatively decided on a sampling rate of \qty{1}{MSps} across both channels of the -differential pair. At this sampling rate, it is feasible to control the sample timing on a sample-by-sample basis. For -all measurements in this paper, we use a sequential sampling approach where the microcontroller takes a series of -measurements for oversampling at a particular delay, and then increases the delay by one \partno{HRTIM} output clock -interval. +\subsection{ADC accuracy and noise immunity} -In our prototype, one sweep of a \qty{188}{\nano\second} time span consisting of $1024$ data points took -\qty{710}{\milli\second} at $256\times$ oversampling and \qty{1.1}{\second} at $384\times$ oversampling. The time span -corresponds to \qty{28}{\meter} of mesh length, which at a \qty{200}{\micro\meter} pitch corresponds to a mesh area of -\qty{113}{\centi\meter\squared} and at a \qty{1}{\milli\meter} pitch corresponds to -\qty{565}{\centi\meter\squared}. 
Using the same microcontroller, by optimizing timing, moving oversampling processing -out of the interrupt handler, and by interleaving four of the microcontroller's five ADC peripherals, the lower limit of -acquisition time of a $1024$-point scan is \qty{33}{\milli\second} for $256\times$ oversampling and -\qty{49}{\milli\second} for $384\times$ oversampling. +Our system uses high-frequency pulses for measurement, which inherently reject low-frequency noise components. Through +our TDR approach, both the stimulus and the sampling pulses are phase-locked, functioning similarly to a lock-in +amplifier. This significantly attenuates asynchronous noise. We excite the mesh with a differential signal, similar to +standards such as Ethernet or HDMI. Differential signaling cancels out external interference, which tends to affect both +lines equally\cite{bogatinSignalPowerIntegrity2018}. -While for our development, sequential scanning is adequate, in a future practical application, two simple optimizations -would decrease the time to detection for an attack. First, in a practical application, the range of scanned delays -should be adjusted to the length of the particular security mesh in use. For this paper, we always -scanned a time range of $1024$ points at \qty{184}{\pico\second} spacing starting before one stimulus pulse and ending -shortly before the next stimulus pulse so that any waveform artifacts will be visible. In a practical application, there -would be little information gained by sampling much beyond the edges of the expected mesh response, so the scan window -should be kept small to increase scan rate. - -Secondly, in a practical application, the feature that is most relevant to detect tamper attempts is the trailing edge -of the mesh's response. This trailing edge corresponds to the return of the stimulus pulse's reflection at the far end -of the mesh. 
Any attack that affects the impedance even only of part of the mesh has a high chance of affecting its -delay, and thus this trailing edge is likely to move. In a practical application, it would thus be efficient to use a -heuristic scan schedule instead of the sequential scan we are using in our research prototype. Such a heuristic schedule -would sample delays near the expected trailing edge of the particular mesh in use more frequently compared to delays -that lie somewhere else, such as in the middle of the mesh's return window. +Our front-end circuit is designed such that the analog signal entering the ADCs is strong and low in noise. Due to the +high sample rate of the microcontroller's internal ADCs, we can apply extensive oversampling ($384\times$) to enhance +resolution. \section{Experimental Evaluation} -To validate our design, we performed a two-fold evaluation. First, we measured the performance of our sampling circuit -as a time-domain reflectometer. The most relevant figure to our mesh monitoring application is the pulse generators' -rise time, which determines the frontend's bandwidth and consequently the level of detail that we are able to extract -from a connected mesh during one scan. Since we aim at fingerprinting a connected mesh, not at performing absolute -measurements, we do not need to characterize or de-embed the transfer function of our TDR frontend. +We evaluated our design in two phases. In the first phase, we measured the electrical performance of our sampling +circuit. The key figure in our application is the pulse generators' rise time, which determines the level of detail that +we are able to extract. Since we aim at fingerprinting a connected mesh, not at performing absolute measurements, we do +not need to characterize or de-embed the transfer function of our TDR frontend. 
-Second, we characterized the end-to-end performance of our design on a mesh test specimen, and we evaluated its -performance on several realistic tamper attempts. As a baseline characterization, in Section\ \ref{sec_attack_short} we -will show measurements of both short and open mesh traces, allowing us to evaluate our designs' capacity to spatially -localize faults. Building upon this baseline, in Section\ \ref{sec_attack_probe} we will then demonstrate a probing -attack, in which we measured our design's response to a standard \qty{100}{\mega\hertz} bandwidth -$\qty{10}{\mega\ohm}||\qty{10}{\pico\farad}$ oscilloscope probe. Compared to the baseline open/short test, this provides -a greater challenge due to the probe's intentionally high impedance and minimal capacitive loading. Concluding our -attack tests, in Section\ \ref{sec_attack_bridge} we demonstrate a bridging attack that attempts to repair a break -created in the mesh through drilling. +In the second phase, we evaluated the actual performance of our design on a set of 500 mesh test specimens of different +layouts and structure sizes. We include detailed performance figures for a simple baseline classifier for attack +detection. \subsection{Rise Time Measurement} -We measured two figures of merit to characterize frontend speed. First, as shown in Section\ \ref{sec_spec_risetime} -below, we measured pulse rise time at the mesh interface using a Keysight N9020A MXA \qty{26.5}{\giga\hertz} signal -analyzer to evaluate the rise time of our pulse generator. This figure indicates the raw performance of our pulse -generator. Second, we used our circuit to perform a TDR measurement of a mesh test specimen and measured the rise time -of the sampling pulse as seen by the circuit itself. This figure indicates the actual measurement performance of our -circuit. In general, this rise time is different from the raw pulse rise time because of the non-linear characteristic -of the sampling Schottky pairs. 
Depending on the IC, our pules generator produces output waveforms with -\qtyrange{470}{3200}{\milli\volt} differential voltage swing. Since the sampling diode pairs start to conduct at a -combined forward voltage of approximately \qty{300}{\milli\volt}, they will transition from high impedance to low -impedance during a corresponding \qty{300}{\milli\volt} window at the middle of the strobe pulse's edge. Thus, even if -the strobe pulse shows a low-pass response with rounding at both ends, as long as its slew rate +The level of detail our frontend can extract from a mesh is limited by the rise time of the pulses it generates. We +characterized this rise time both externally, using a wideband spectrum analyzer (Section~\ref{sec_spec_risetime}), and +through self-characterization of the circuit (Section~\ref{sec_spec_risetime_selfchar}). Both measurements differ +because of the non-linear characteristic of the sampling Schottky pairs. Depending on the IC, our pulse generator +produces output waveforms with \qtyrange{470}{3200}{\milli\volt} differential voltage swing. Since the sampling diode +pairs start to conduct at a combined forward voltage of approximately \qty{300}{\milli\volt}, they will transition from +high impedance to low impedance during a corresponding \qty{300}{\milli\volt} window at the middle of the strobe pulse's +edge. Thus, even if the strobe pulse shows a low-pass response with rounding at both ends, as long as its slew rate $\frac{\mathrm{d}V}{\mathrm{d}t}$ during the zero crossing is fast enough, the pulse will still result in a sharp turn-on knee of the sampling diodes. 
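Review bot: the scan-time paragraph presents "one sweep of a \qty{141}{\nano\second} time span consisting of $768$ data points took \qty{825}{\milli\second}" as a measurement, but the source comment in this hunk ("% major revision: ... we re-scaled the numbers in this paragraph accordingly") says these figures were derived from the earlier 1024-point numbers by a 3/4 factor. Either re-measure or state in the text that the figures are scaled from the 1024-point measurement; also check the areas, since 85 and 426 \unit{\centi\meter\squared} are not a 5:1 ratio as the 200 µm and 1 mm pitches would give (the old 113/565 pair was). The same hunk deletes the description of the sequential sweep (oversample at one delay, then step by one HRTIM output clock interval) and the \qty{184}{\pico\second} step, so the step size now exists only implicitly as 141 ns / 768, and it deletes the heuristic-schedule paragraphs while keeping \label{sec_scan_schedule}; either rename the label or keep one sentence on the scan schedule so the section still matches its title. In the new "ADC accuracy and noise immunity" subsection, "functioning similarly to a lock-in amplifier" and "Differential signaling cancels out external interference" are asserted without data; "rejects common-mode interference" is the accurate claim, and the ten repeated traces per IC in Figure~\ref{fig_edge_risetime} could be used to quote a repeatability figure in support. Finally, the new evaluation overview promises "500 mesh test specimens" and "a simple baseline classifier" but no longer carries the forward references (sec_attack_short, sec_attack_probe, sec_attack_bridge) the removed text had; add the corresponding \ref so the reader can find that evaluation.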
@@ -630,63 +607,66 @@ turn-on knee of the sampling diodes. \begin{figure} \begin{center} - \begin{subfigure}{0.48\textwidth} + \begin{subfigure}{0.45\textwidth} \centering \includegraphics[width=\textwidth]{fig_spec_risetime_74lvc.pdf} + \vspace*{-5mm} \caption{74LVC2G157} \label{fig_spec_risetime_74lvc} \end{subfigure} - \unskip\begin{subfigure}{0.48\textwidth} + \unskip\begin{subfigure}{0.45\textwidth} \centering \includegraphics[width=\textwidth]{fig_spec_risetime_max3748.pdf} + \vspace*{-5mm} \caption{MAX3748} \label{fig_spec_risetime_max3748} \end{subfigure} - \begin{subfigure}{0.48\textwidth} + \begin{subfigure}{0.45\textwidth} \centering \includegraphics[width=\textwidth]{fig_spec_risetime_tdp0604.pdf} + \vspace*{-5mm} \caption{TDP0604} \label{fig_spec_risetime_tdp0604} \end{subfigure} - \unskip\begin{subfigure}{0.48\textwidth} + \unskip\begin{subfigure}{0.45\textwidth} \centering \includegraphics[width=\textwidth]{fig_spec_risetime_pi3hdx.pdf} + \vspace*{-5mm} \caption{PI3HDX12211} \label{fig_spec_risetime_pi3hdx} \end{subfigure} \end{center} - \caption{Spectrum measurements and re-constructed time domain pulse edge shape of the stimulus pulse measured at the - mesh interface for each of the four driver ICs. Amplitudes were normalized for rise time plots. The $\frac{1}{f}$ - curve in the spectrum plots shows the peak amplitude of the frequency components of an ideal infinite-bandwidth - square wave. The horizontal gray lines in the time domain plots show thresholds used for rise time calculation.} + \vspace*{-5mm} + \caption{Spectrum measurements and reconstructed time domain edge shape of the stimulus pulse + measured at the mesh interface for each of the four driver ICs, captured using a spectrum analyzer. Vertical + scale shows arbitrary units. 
Spectrum plots include a $\frac{1}{f}$ reference curve indicating an ideal + infinite-bandwidth square wave.} \label{fig_spec_risetime} \end{figure} -To measure the rise time of our frontend's pulse generator, we measured the stimulus output at the mesh interface using -a Keysight N9020A MXA \qty{26.5}{\giga\hertz} signal analyzer\footnote{The spectrum analyzer used significantly exceeded -the capabilities of the fastest oscilloscopes we had access to, so it was the more appropriate choice of measurement -instrument.}. All measurements were taken with the prototype's mesh interface connected to the spectrum analyzer through -a bias tee configured for DC blocking followed by a \qty{20}{\deci\bel} attenuator for protection. Since both stimulus -and sampling pulses are generated using identical circuits, we can transfer those results to the sampling pulse modulo -amplifier output loading effects. +To determine the rise time of our frontend's pulse generator, we measured the stimulus output at the mesh interface +using a Keysight N9020A MXA \qty{26.5}{\giga\hertz} signal analyzer\footnote{The spectrum analyzer used significantly +exceeded the capabilities of the fastest oscilloscopes we had access to, so it was the more appropriate choice of +measurement instrument.}. All measurements were taken with the prototype's mesh interface connected to the spectrum +analyzer through a bias tee configured for DC blocking followed by a \qty{20}{\deci\bel} attenuator for protection. -Figure\ \ref{fig_spec_risetime} and Table\ \ref{tab_edge_risetime} show the resulting measurements. For ease of -interpretation, we projected the measurements from the frequency domain (upper traces) back into the time domain (lower -traces), and extracted rise time measurements from those traces. Our measurements show that, as expected, the bare -\partno{74LVC}-series logic gate has the slowest rise time at approximately \qty{500}{\pico\second}. 
All three amplifier -variants we implemented showed significantly improved rise time, with the \partno{PI4HDX12211} achieving below -\qty{200}{\pico\second}, and the other two showing around \qty{120}{\pico\second}. A noteworthy detail is that -\partno{MAX3748} and \partno{TDP0604} only achieved a low output signal amplitude, which stems from a combination of -them having low output amplitude by design and of our circuit loading their outputs heavily. Since their amplitude is -only marginally within the knee region of the RF Schottky diodes used in the sampling bridges, in these variants, -the sampling gates end up slower than the raw pulse rise time value alone would suggest. +Figure\ \ref{fig_spec_risetime} and Table\ \ref{tab_edge_risetime} show the resulting measurements both in the frequency +domain (upper traces), and projected back into the time domain (lower traces) along with measured rise times. As +expected, the bare \partno{74LVC}-series logic gate has the slowest rise time at approximately \qty{500}{\pico\second}. +All three amplifier variants we implemented showed significantly improved rise time, with the \partno{PI4HDX12211} +achieving below \qty{200}{\pico\second}, and the other two showing around \qty{120}{\pico\second}. \partno{MAX3748} and +\partno{TDP0604} only achieved a low output signal amplitude, which stems from a combination of them having low output +amplitude by design and of our circuit loading their outputs heavily. Since their amplitude is only marginally within +the knee region of the RF Schottky diodes used in the sampling bridges, in these variants, the sampling gates end up +slower than the raw pulse rise time value alone would suggest. 
\subsubsection{Self-Characterization} +\label{sec_spec_risetime_selfchar} \begin{figure} \begin{center} - \includegraphics[width=\textwidth]{fig_edge_risetime.pdf} + \includegraphics[width=\textwidth]{fig_edge_risetime.pdf}\vspace*{-7mm} \end{center} \caption{One edge of the stimulus pulse with no mesh connected measured by the board itself, using different amplifier ICs. For each IC, ten traces are shown. The vertical scale is in Volts at the sampling amplifier output.} 
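Review bot: the retained sentence "with the \partno{PI4HDX12211} achieving below \qty{200}{\pico\second}" has the wrong part number; it is the PI3HDX12211 everywhere else in the chapter (the typo was already in the removed line, so this is a chance to fix it). The rewritten caption drops "The horizontal gray lines in the time domain plots show thresholds used for rise time calculation."; if the plots still show those lines, the caption needs to explain them, and "captured using a spectrum analyzer" duplicates "Spectrum measurements" at the start of the same caption. The hunk also removes "Since both stimulus and sampling pulses are generated using identical circuits, we can transfer those results to the sampling pulse modulo amplifier output loading effects.", which was the justification for characterizing only the stimulus output; without it the reader is not told why the sampling pulse was not measured externally. Suggest restoring that sentence after the bias-tee/attenuator description.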
@@ -734,43 +714,41 @@ the sampling gates end up slower than the raw pulse rise time value alone would \label{tab_edge_risetime} \end{table} -Figure\ \ref{fig_edge_risetime} shows the result of our self-characterization experiments, where we used the frontend to -measure its own pulse shape. These results correspond to the actual rise time we can expect in practical measurements. -In these experiments, we ran a measurement using $256\times$ oversampling at \qty{12}{b} ADC resolution. The plots show -voltage at the amplifier output voltage against time in \unit{\nano\second}. The absolute value of the amplifier output -voltage is not relevant here - only the rise time is. Since we use some of these amplifiers--particularly the redriver -ICs--well outside of their intended application, the actual voltage they develop across the nonlinear load that our -sampling gate's diode bridge presents depends on implementation details of the amplifier's CML output stage. To maximize -ADC resolution and minimize ringing, we tuned gain and bandwidth of each post-sampling amplifier for each IC. Ringing in -the amplifier output leads to jitter in the ADC's sampling period to directly feeding through to the ADC output value. -Since in \partno{STM32} MCUs, the ADC is clocked independently of the rest of the system, its sampling timing is poorly -controlled and this jitter causes a significant error unless the amplifier is well-compensated. The key figure for us is -how fast our sampling gate turns on, not how hard, so we can largely ignore the units on the graph's vertical scale. +While a fast edge is a necessary component for a fast sampling gate, the concrete speed of the sampling gate also +depends on other factors such as the pulse's amplitude. Figure\ \ref{fig_edge_risetime} shows the result of our +self-characterization experiments, where we used the frontend to measure its own pulse shape representing its concrete +sampling performance. 
In these experiments, we used $256\times$ oversampling at \qty{12}{b} ADC resolution. The plots +show the voltage at the ADC input against time in \unit{\nano\second}. The absolute voltage levels are not relevant here +- only the rise time is. Since we use some of these amplifiers--particularly the redriver ICs--well outside of their +intended application, the actual voltage they develop across the nonlinear load that our sampling gate's diode bridge +presents depends on implementation details of the amplifier's CML output stage. To maximize ADC resolution and minimize +ringing, we tuned gain and bandwidth of each post-sampling amplifier for each IC. Ringing in the amplifier output leads +to jitter in the ADC's sampling period to directly feeding through to the ADC output value. Since in \partno{STM32} +MCUs, the ADC is clocked independently of the rest of the system, its sampling timing is poorly +controlled and this jitter causes a significant error unless the amplifier is well-compensated. Table\ \ref{tab_edge_risetime} shows rise times calculated from each trace, averaged across both traces of the -differential pair. From these results and from the graphs in Figure\ \ref{fig_edge_risetime} we can see that in the -optical networking limiting amplifier produces slower edges than the measurements from Figure\ \ref{fig_spec_risetime} -would suggest. We suspect that this is caused by its low output amplitude resulting in part from its specifications and -in part from a poor match between its CML output structure and the nonlinear impedance presented by the sampling diode -bridges. Surprisingly, even the \partno{74LVC2G157} baseline unit has a rise time of less than \qty{1}{\nano\second}. We -estimate that this is caused by the large output voltage swing of this part, going from ground to its $V_{CC}$ at -\qty{3.3}{\volt}. 
Due to the construction of our sampling gate, its switching happens in the short period between its -input differential voltage crossing zero and it rising above the combined forward voltage of the Schottky diodes. Thus, -while the \partno{74LVC} might produce slow edges overall, its large output swing results in a high slew rate in the -critical region around the zero crossing that mostly determines the speed of the sampling gates. +differential pair. Our results show that the optical networking limiting amplifier produces slower edges than the +measurements from Figure\ \ref{fig_spec_risetime} would suggest. We suspect that this is caused by its low output +amplitude resulting in part from its specifications and in part from a poor match between its CML output structure and +the nonlinear impedance presented by the sampling diode bridges. Surprisingly, even the \partno{74LVC2G157} baseline +unit has a rise time of less than \qty{1}{\nano\second}. We estimate that this is caused by the large output voltage +swing of this part, going from ground to its $V_{CC}$ at \qty{3.3}{\volt}. Due to the construction of our sampling gate, +its switching happens in the short period between its input differential voltage crossing zero and it rising above the +combined forward voltage of the Schottky diodes. Thus, while the \partno{74LVC} might produce slow edges overall, its +large output swing results in a high slew rate in the critical region around the zero crossing. We observed the best result overall with the \partno{PI3HDX12211} redriver, resulting in a rise time of \qty{264}{\pico\second}. In this test specimen, we fed the pulse through the amplifier twice since we had two unused -channels, and we used \qty{200}{\pico\second} clip lines on the amplifier's output for pulse shaping. 
We could only use -the clip lines in this specimen as in all other specimens, the amplifiers' output did not contain sufficient harmonic -content such that it was still able to turn on the sampling gate's diode bridge when used with the clip line. +channels, and we used \qty{200}{\pico\second} clip lines on the amplifier's output for pulse shaping. We only used clip +lines here and for \partno{TDP0604} since the other amplifiers' output did not contain sufficient harmonic content. \subsection{Mesh Specimen Characterization} \begin{table} \begin{center} \begin{tabular}{r|cccc} - \textbf{Specimen} + \textbf{Mesh} &1 &2 &3 
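Review bot: the sentence "Ringing in the amplifier output leads to jitter in the ADC's sampling period to directly feeding through to the ADC output value." is carried over ungrammatically into the rewritten paragraph; suggest "Ringing in the amplifier output causes jitter in the ADC's sampling instant to feed directly through to the ADC output value." Two further points in this hunk: the body now says the plots show "the voltage at the ADC input", while the unchanged caption of fig_edge_risetime still says the vertical scale is "in Volts at the sampling amplifier output"; use one wording in both places, or state that the post-sampling amplifier output is the ADC input. And the closing sentence now reads "We only used clip lines here and for \partno{TDP0604}", whereas the removed text said the clip lines could only be used on the PI3HDX12211 specimen; if the TDP0604 row of Table tab_edge_risetime was measured with clip lines, say so in the table, and keep the dropped explanation of what "sufficient harmonic content" is needed for (the clipped pulse must still turn on the sampling gate's diode bridge), which the shortened sentence loses.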
@@ -819,55 +797,53 @@ content such that it was still able to turn on the sampling gate's diode bridge \qty{26}{\nano\second}\\ \end{tabular} \end{center} - \caption{Specifications of mesh test specimens used in the experiments in this paper. All four specimens were placed - on a single, four-layer, \qty{1.0}{\milli\meter} thickness PCB. The meshes were placed two per side on the outer - layers, and the inner layers were used as ground. Approximate signal delays were calculated using wave velocity - $v=\frac{c}{\sqrt{\epsilon_r}}\approx\frac{c}{2}$\cite{wheelerTransmissionLinePropertiesParallel1965} assuming - $\epsilon_r\approx 4$\cite{mumbyDielectricPropertiesFR41989} for the test specimens' \partno{FR-4} substrate.} + \caption{Specifications of mesh test specimens used in the experiments in this paper. Approximate signal delays were + calculated using wave velocity + $v=\frac{c}{\sqrt{\epsilon_r}}\approx\frac{c}{2}$~\cite{wheelerTransmissionLinePropertiesParallel1965} assuming + $\epsilon_r\approx 4$~\cite{mumbyDielectricPropertiesFR41989} for the test specimens' \partno{FR-4} substrate.} \label{tab_mesh_spec} \end{table} -To measure the practical performance of our prototype, we created a set of security mesh test specimens. Four specimens -each cover the same area using four different mesh pitches using two, looped mesh traces according to the design -specifications listed in Table\ \ref{tab_mesh_spec}. The four specimens have a trace length ratio of approximately -$1:2:3:4$. As a baseline validation of our prototype as well as the mesh design, we performed TDR measurements of each -mesh specimen using each amplifier variant of our prototype. Figure\ \ref{fig_mesh_length} shows the results of these -measurements. The graphs show the step response resulting from an edge entering the mesh, and its reflection arriving -back at the start after traversing the mesh back and forth. 
+To measure the practical performance of our prototype, we created a set of tamper sensing mesh test specimens. Each +specimen contains four separate meshes with the same area. Table~\ref{tab_mesh_spec} shows the design specifications. +Each specimen contains four separate meshes on the outer layers of a four-layer, \qty{1.0}{\milli\meter} thickness PCB, +two equal-size meshes on each side. The inner layers were used as ground. Figure\ \ref{fig_mesh_length} shows the +results of a baseline measurement of each mesh using each design variant. The step response resulting from an edge +entering the mesh and its reflection arriving back at the start after traversing the mesh back and forth is clearly +visible. We validated the results from Figure\ \ref{fig_mesh_length} by calculating speed of light in our mesh specimen's substrate based on them. The resulting measurements are shown in Table\ \ref{tab_speed_of_light}. All amplifier -configurations yield comparable measurements of approximately \qty{1.6}{\meter\per\second}, which corresponds well with -the expected signal propagation velocity in \partno{FR-4} PCB material of -\qty{1.5d8}{\meter\per\second}\cite{wheelerTransmissionLinePropertiesParallel1965,mumbyDielectricPropertiesFR41989}. +configurations yield comparable measurements of approximately \qty{1.6}{\meter\per\second}, which corresponds with the +expected signal propagation velocity in \partno{FR-4} PCB material of +\qty{1.5d8}{\meter\per\second}~\cite{wheelerTransmissionLinePropertiesParallel1965,mumbyDielectricPropertiesFR41989}. -An interesting aspect of the graphs in Figure\ \ref{fig_mesh_length} is that all except the \partno{74LVC} graph show a -dispersion effect increasingly rounding out the trailing edge of the response with longer mesh lengths. 
We suspect this -effect stems from higher-frequency components coupling into adjacent trace segments further up or down the mesh more -easily, spreading high-frequency components of the response signal out throughout time and effectively creating a -low-pass response. We suspect the poor visibility of this effect in the \partno{74LVC} measurements is a result of this -variant's pulse amplifier output amplitude being very large, allowing reflected response components to forward-bias the -sampling gate's diode bridges, resulting in amplitude clipping. +The graphs in Figure~\ref{fig_mesh_length} show a dispersion effect that increasingly rounds off the trailing edge of +the response with longer mesh lengths. This effect stems from higher-frequency components coupling into adjacent trace +segments further up or down the mesh, spreading high-frequency components of the response signal out throughout time. +This effect is less visible in the \partno{74LVC} measurements, which we suspect is a result of this variant's large +pulse amplitude, which enables reflected response components to forward-bias the sampling gate's diode bridges, +resulting in amplitude clipping. From this dispersion effect follows a key point for the design of practical security meshes: To increase the temporal -resolution of TDR mesh monitoring, meshes should be broken up into relatively short segments that are multiplexed -through signal switching. Where this is not desirable, the mesh can be treated as a microwave circuit design that can be -optimized through the electronic CAD/electromagnetic simulation co-design approach used for such circuits. +resolution of TDR mesh monitoring, meshes should be broken up into segments that are multiplexed through signal +switching. 
\begin{figure} \begin{center} - \includegraphics[width=\textwidth]{fig_mesh_length.pdf} + \includegraphics[width=.8\textwidth]{fig_mesh_length.pdf} + \vspace*{-10mm} \end{center} - \caption{TDR responses captured using our design with each of four candidate pulse amplifier ICs and four mesh test - specimens. The shown time range covers the primary reflection of the stimulus pulse's falling edge. The vertical - scale of all four graphs is in Volts at the ADC. For clarity, only one channel of the response is shown.} + \caption{TDR responses captured by the microcontroller's internal ADCs with each of four candidate pulse amplifier + ICs and four test meshes. The shown time range covers the primary reflection of the stimulus pulse's falling + edge. For clarity, only one channel of the differential response is shown.} \label{fig_mesh_length} \end{figure} \begin{table} \begin{center} \begin{tabular}{r|cccc|c} - &\multicolumn{4}{c|}{Specimen}&\\ + &\multicolumn{4}{c|}{Mesh}&\\ Pulse amplifier IC& 1& 2& 
@@ -910,198 +886,408 @@ optimized through the electronic CAD/electromagnetic simulation co-design approa \label{tab_speed_of_light} \end{table} -\subsection{Tamper tests} +\subsection{Classification performance} +\label{sec-class-perf} -After validating our prototype's electrical performance as well as our mesh specimen designs in the previous sections, -we performed a series of experiments where we performed tampering attempts on a mesh specimen while monitoring it using -our TDR prototype, capturing responses both before and after tampering. We performed two sets of experiments. +To evaluate the practical performance of our system, we captured approximately 1250 measurement series under a variety +of environmental and attack conditions and evaluated its performance using a simple template-matching classifier. In +each measurement series, we captured 7 differential traces with $2\times768$ points per trace. One differential trace +served as a calibration reference with the multiplexers configured to disconnect the mesh. The other six traces cover +each of open circuit, short circuit, and matched load termination measuring each of the two traces of the mesh once from +each of both ends for 12 channels total ($\{\text{open}, \text{short}, \text{load}\} \times \{\text{forward}, +\text{reverse}\} \times \{\text{mesh trace A}, \text{mesh trace B}\}$). -\subsubsection{Short and Open Circuits} -\label{sec_attack_short} +Our classifier is designed to compare two measurement series and produce a scalar score indicating their similarity. A +simple threshold can then be applied on the similarity score to decide the class. Type 1 and type 2 error rates can be +tuned by adjusting this threshold. + +Our classifier proceeds in four steps: B-spline smoothing, per-channel Pearson Correlation Coefficient, averaging all +channel results, and applying a threshold. B-spline smoothing serves as a low-pass filter, evening out random noise. 
We +calculate the Pearson Correlation Coefficient for each measurement channel separately, producing a vector with 12 +entries. We average the components of this vector to a single, scalar similarity score. + +\subsubsection{Interpreting these performance plots} +Figure~\ref{fig_layout_identity} shows the similarity score of multiple intact meshes. For each performance measurement, +we show the similarity scores for each pair of measurements as a matrix, with each measurement appearing once in each +row and column. High values indicate similarity, low values indicate differences. We show the baseline measurement set +in the top left quadrant of the plot (1), and the experiment set bottom right (4), separated by white lines. Uniform +color within the top left quadrant (1) indicates high similarity between baseline measurements. Nonuniform color in the +bottom right (4) is expected, and indicates that mutliple experiment (attack) measurements are unlike each other. +Classification performance is indicated by the top right (2) and bottom left (3) quadrants, which indicate +misclassification probability. Misclassification is likely when the top left (1) and top right (2) quadrants look alike. +Misclassification is less likely the more they differ. + +Under each figure, we give the False Negative Rate (FNR) when the threshold is adjusted for a False Positive Rate (FPR) +of $0.1\%$ as a reference point\footnote{We denote the rate of missed alarms as FNR and the false alarm rate as FPR.}. +We also provide the Crossover Error Rate (CER) at which for some threshold FPR is equal to FNR. We calculate all error +rates assuming the similarity scores are normally distributed. We chose a reference point of $0.1\%$ FPR since it allows +for a meaningful comparison based on the hundreds of measurements our data is based on. 
In a practical application, the +end-to-end FPR of the alarm system would need to be significantly lower, probably in the range from $10^{-12}$ to +$10^{-9}$ for a Mean Time Between Failures (MTBF) of several years. A practical system would likely include additional +components filtering the output of our proposed baseline classifier analyzing not just the last, but multiple previous +measurements. Experimentally evaluating a classifier to this degree of precision would require a large-scale experiment +to account for the long tail of the error distribution. + +Figure~\ref{fig_layout_identity_layout} compares several copies of the same mesh (top left quadrant, 1) to four variants +that have the same pitch and area, but different randomized layout of the traces (bottom right). Our classifier can +distinguish mesh layouts with a 18\% FNR at 0.1\% FPR. + +The variance between samples of the baseline group in Figure~\ref{fig_layout_identity_layout} alerted us to the +possibility that while all mesh samples of the same layout were supposed to be identical copies, our measurement circuit +might be sensitive enough to pick up on manufacturing variations from one copy to another in a PUF-like manner. To +evaluate this scenario, in Figure~\ref{fig_layout_identity_identity} we show the result of repeated measurements of +three copies of the same mesh. The measurements were taken interleaved ($1, 2, 3, 1, 2, \hdots$) to exclude systematic +errors. We found our system can indeed distinguish multiple copies of the same mesh at a 1.7\% FNR at 0.1\% FPR. We +leave a detailed analysis of this effect to future work. For the scope of this paper, the presence of this effect +indicates good performance of our design, and increases the detection efficiency of our approach. \begin{figure} - \begin{center} - \includegraphics[width=\textwidth]{fig_manip_shape.pdf} - \end{center} - \caption{TDR responses captured using our design under three short- and one open-circuit scenario. 
The distance from - mesh start to Location 1, 2, and 3 is \qty{558}{\milli\meter}, \qty{125}{\milli\meter} and \qty{850}{\milli\meter}, - respectively. The cut is approximately halfway through the mesh. Left and right plots show the positive and negative - trace of the differential pair, respectively. Black traces show baseline measurements in between attacks. The - baselines show vertical offsets due to temperature drift, which causes a small DC offset in our design. The vertical - scale is in Volts at the ADC.} - \label{fig_manip_shape} + \centering + \begin{subfigure}[t]{0.4\textwidth} + \includegraphics[width=\textwidth]{fig_covar_distinguish_layouts.pdf} + \caption{Five copies of the same layout compared to four other layouts. FNR 18\% at 0.1\% FPR, CER=8.3\%.} + \label{fig_layout_identity_layout} + \end{subfigure} + \hspace*{5mm} + \begin{subfigure}[t]{0.4\textwidth} + \centering + \includegraphics[width=0.7\textwidth]{fig_covar_distinguish_copies_large_run.pdf} + \caption{Three identical copies, 20 measurements each. FNR 1.7\% at 0.1\% FPR, CER=1.1\%.} + \label{fig_layout_identity_identity} + \end{subfigure} + \hfill + \caption{Similarity matrices of measurement series on intact meshes.} + \label{fig_layout_identity} \end{figure} -In our first experiment, we tested both short and open-circuit conditions. We tested a short circuit between the two -mesh traces in three locations as well as a cut trace halfway through the mesh. Figure\ \ref{fig_pic_specimens} in -Appendix\ \ref{appendix_photos} shows photos of our test specimen. Figure\ \ref{fig_manip_shape} shows the result of our -experiment. The graphs show a clear response of our monitoring circuit to all four tampering scenarios. Short and open -circuit conditions can clearly be distinguished from each other, and in all cases, the fault location can be determined -with sub-nanosecond precision, corresponding to several centimeters in distance along the mesh. 
+\subsubsection{Basic attacks} -\subsubsection{Probing by Oscilloscope Probe} +\begin{figure} + \begin{subfigure}[t]{0.23\textwidth} + \includegraphics[width=\textwidth]{fig_covar_open_p0.3.pdf} + \caption{One trace interrupted, p=\qty{0.3}{\milli\meter}. FNR 0.0\% at 0.1\% FPR, CER=0.0\%.} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.23\textwidth} + \includegraphics[width=\textwidth]{fig_covar_short_across_traces_p0.3.pdf} + \caption{Both traces shorted, p=\qty{0.3}{\milli\meter}. FNR 0.0\% at 0.1\% FPR, CER=0.0\%.} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.23\textwidth} + \includegraphics[width=\textwidth]{fig_covar_open_p0.4.pdf} + \caption{One trace interrupted, p=\qty{0.4}{\milli\meter}. FNR 0.0\% at 0.1\% FPR, CER=0.0\%.} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.23\textwidth} + \includegraphics[width=\textwidth]{fig_covar_short_across_traces_p0.4.pdf} + \caption{Both traces shorted, p=\qty{0.4}{\milli\meter}. FNR 0.0\% at 0.1\% FPR, CER=0\%.} + \end{subfigure} + \caption{Similarity matrix of 10 intact and 10 modified meshes with two pitch sizes under two + different attack scenarios: An interrupted trace, and both mesh traces shorted.} + \label{fig_covar_basic_attacks} +\end{figure} + +Figure~\ref{fig_covar_basic_attacks} shows the performance of our classifier under the two basic attack scenarios of an +interrupted trace, and a short circuit between the mesh's differential traces. Such attacks lead to large changes in the +location of the reflected pulse edge, resulting in 0\% Crossover Error Rate. + +\subsubsection{Trace shortening} + +\begin{figure} + \centering + \includegraphics[width=0.33\textwidth,trim=0 5mm 0 5mm]{fig_covar_short_within_0.3.pdf} + \caption{Similarity matrix of several mesh specimens that have one trace shorted to an + adjacent location on the same trace. 
Classification FNR 23\% at 0.1\% FPR, CER=22\%.} + \label{fig_short_within} +\end{figure} + +Figure~\ref{fig_short_within} shows classification results when one trace is short circuited to another location within +the same trace. Here, the resulting distortion in response shape is harder to detect. Depending on the length of the +shorted-out section, the timing skew such modifications introduce may be as little as a few picoseconds. For some +samples which have longer sections of mesh trace shorted out, this attack is easy to distinguish, but for others, our +classifier cannot distinguish it leading to an overall FNR of 18\% at 0.1\% FPR, with some specimens reliably detected, +and others never detected. + +\subsubsection{Advanced attacks} +\label{sec_advanced_attack} + +\begin{figure} + \begin{subfigure}[t]{0.23\textwidth} + \includegraphics[width=\textwidth]{fig_covar_probe_0.3.pdf} + \caption{Oscilloscope probe contacting mesh. FNR 0.0\% at 0.1\% FPR, CER=0.0\%.} + \label{fig_covar_adv_probe} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.23\textwidth} + \includegraphics[width=\textwidth]{fig_covar_soldering_p0.3.pdf} + \caption{Soldering iron touching mesh. FNR 0.0\% at 0.1\% FPR, CER=0.0\%.} + \label{fig_covar_adv_soldering} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.23\textwidth} + \includegraphics[width=\textwidth]{fig_covar_antenna_wire_30mm_p0.3.pdf} + \caption{30mm wire soldered to mesh. FNR 9.6\% at 0.1\% FPR, CER=6.7\%.} + \label{fig_covar_adv_antenna} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.23\textwidth} + \includegraphics[width=\textwidth]{fig_covar_probe_points_p0.3.pdf} + \caption{Baseline vs. 
experiment specimens with no attack.} + \label{fig_covar_adv_baseline} + \end{subfigure} + \caption{Classifier performance under advanced attack scenarios.} + \label{fig_covar_adv_attack} + %too much: fig_covar_soldering_p0.3_minmax.pdf + %too much: fig_covar_antenna_wire_30mm_p0.3_minmax.pdf +\end{figure} + +Figure~\ref{fig_covar_adv_attack} shows our classifier's performance under conditions similar to actions an attacker +would perform during an attack: An oscilloscope probe\footnote{Part number Rigol PVP3150.} touching one mesh trace +(Figure~\ref{fig_covar_adv_probe}), a soldering iron touching one mesh trace (Figure~\ref{fig_covar_adv_soldering}), and +a mesh where one trace has a $l=\qty{30}{\milli\meter},d=\qty{120}{\micro\meter}$ piece of copper wire soldered to one +trace (Figure~\ref{fig_covar_adv_probe}). Our classifier is able to clearly distinguish the probing and soldering iron +cases at 0\% FNR, with a maximum of 9.6\% FPR at 0.1\% FNR in the soldered wire case. + +\subsubsection{Patching attacks} \label{sec_attack_probe} \begin{figure} - \begin{center} - \includegraphics[width=\textwidth]{fig_probe_shape.pdf} - \end{center} - \caption{The circuit's TDR response under a probing attack using an oscilloscope probe. Black traces are a series of - un-probed baseline measurements taken between attacks. All traces are plotted relative to a separate baseline trace - taken at the beginning of the experiment. 
The top and bottom plots show the two halves of the differential pair.} - \label{fig_probe_shape} + \begin{subfigure}[t]{0.27\textwidth} + \includegraphics[width=\textwidth]{fig_covar_patch_interleave_baseline.pdf} + \caption{Test boards before experiment.} + \label{fig_covar_patch_attack_baseline} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.27\textwidth} + \includegraphics[width=\textwidth]{fig_covar_patch_ref_exp_interleave_direct.pdf} + \caption{Experiment specimen compared to reference before and after attack.} + \label{fig_covar_patch_attack_direct} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.4\textwidth} + \includegraphics[width=\textwidth]{fig_patch_interleave_scatter.pdf} + \caption{Trajectory of relative difference to reference specimens.} + \label{fig_covar_patch_attack_scatter} + \end{subfigure} + \hfill + \caption{Classifier performance under a patching attack that bridges a short gap within a mesh + trace using wire.} + \label{fig_covar_patch_attack} \end{figure} -In our second experiment, we probed each of the three locations from the test specimen shown in Figure\ -\ref{fig_pic_specimens} in the Appendix once at each trace of the trace pair using a Rigol \partno{PVP3150} $\times -1/\times 10$ oscilloscope probe set to $\times 10$ mode. We grounded the probe's ground clip to the mesh ground and used -the probe without tip attachment. +PCB tamper sensing meshes are susceptible to industry-standard PCB rework techniques. If we assume a standard PCB +process with \qty{100}{\micro\meter} trace/space design rules, a drilling attack targeting a \qty{300}{\micro\meter} +hole size requires cutting and patching at least one trace~\cite{immlerSecurePhysicalEnclosures2018}. We performed such +an attack on a set of \qty{300}{\micro\meter} pitch meshes. Figure\ \ref{fig_drill_mod_shape} shows our modification and +the resulting change in the time-domain response. 
-Using the \partno{PI3HDX12211} variant of our prototype, we measured the mesh's TDR response while probing. Figure\ -\ref{fig_manip_shape} shows the resulting TDR traces. Oscilloscope probes are specifically designed to disturb the -circuit under test as little as possible, with this one being specified as presenting as a \qty{10}{\mega\ohm} resistive -load in parallel with a \qty{10}{\pico\farad} capacitance when used in $\times 10$ mode as we did here. Since the -resulting disturbance to the TDR traces is smaller than those in Figure\ \ref{fig_manip_shape}, we post-processed the -traces by subtracting a baseline trace taken before the measurements. To highlight drift in the baseline trace, we -include additional baseline traces taken in between and after measurements using the same post-processing. - -In each trace, the mesh was probed in one of three locations as in Figure\ \ref{fig_manip_shape}, and on one of the two -mesh traces. The time range shown in the graph covers the primary reflection of the stimulus pulse's rising edge. We can -clearly see a distinct response to each of the three probing attempts with the only caveat being that the response of -the two mesh traces is asymmetrical due to asymmetry in our sampling frontend when measuring such low signal levels. -Interestingly, this asymmetry is fully compensated by the fact that we excite the mesh differentially, and as a result -probing either trace distorts their shared electromagnetic field, and impacts measurements on \emph{both} traces. -Particularly on the first trace, we can distinguish which trace was probed, as well as where it was probed, in a single -measurement. - -\subsubsection{Circumvention Through Micro-Soldering} -\label{sec_attack_bridge} +Figure~\ref{fig_covar_patch_attack} shows the classification result of this attack. 
To extract the subtle effect of this +attack, we measured two reference specimens, one control, and one experiment specimen twice: Once before the attack, and +once after. Measurements were interleaved and repeated 10 times. Factors such as temperature drift can be excluded by +comparing both control and experiment measurements against the two references before and after the modification. +Figure~\ref{fig_covar_patch_attack_baseline} shows the four samples before the attack, exhibiting the same subtle +PUF-like effect that we described in Section~\ref{sec-class-perf}. Since we peform both before and after measurements on +the same sample, we can separate this effect from the effect of the attack. Figure~\ref{fig_covar_patch_attack_direct} +compares both control and experiment samples before and after the attack, and shows a clear change in the experiment +sample during the attack. Figure~\ref{fig_covar_patch_attack_scatter} plots the similarity scores of both samples to +each of the two reference samples. We can see that the control distribution stays in one place, while the experiment +distribution shifts. \begin{figure} \centering \begin{subfigure}{0.78\textwidth} \centering - \includegraphics[width=\textwidth]{fig_drill_mod_shape.pdf} + \includegraphics[width=\textwidth]{fig_drill_mod_shape_new.pdf} \label{fig_drill_mod_shape_plot} \end{subfigure} \begin{subfigure}{0.2\textwidth} \centering - \includegraphics[width=\textwidth]{pic_manip_microsoldering_small.jpg} + \includegraphics[width=\textwidth]{pic_manip_microsoldering_new_small.jpg} \vspace*{2mm} \label{fig_drill_mod_shape_pic} \end{subfigure} - \caption{The circuit's TDR response under a manipulation attack bridging part of a trace to allow a - \qty{300}{\micro\meter} drill to penetrate. The mesh pitch is \qty{240}{\micro\meter}. 
Red traces show - measurements with a looped wire patch comparable to \textcite{immlerSecurePhysicalEnclosures2018}, black traces - show the same gap bridged with a minimally short straight piece of wire. The left and right plots show the two - halves of the differential pair. The photo shows the looped wire patch with a \qty{1}{\milli\meter} pitch ruler - for reference. Traces are normalized as in Figure\ \ref{fig_probe_shape}.} + \caption{The mesh response under a manipulation attack patching across a drill location for a + \qty{300}{\micro\meter} drill, as captured by the microcontroller's ADCs. The mesh pitch is + \qty{300}{\micro\meter}. B-spline smoothing was applied for readability.} \label{fig_drill_mod_shape} \end{figure} -While our proposed measurement setup significantly increases the level of effort required from an attacker, as long as -standard PCBs are used, PCB rework techniques that are widely used in the industry for PCB repair can be applied. If we -assume a standard PCB process with \qty{100}{\micro\meter} trace/space design rules, a drilling attack targeting a -\qty{300}{\micro\meter} hole size as proposed by \textcite{immlerSecurePhysicalEnclosures2018} will break at least one -trace. Patching the resulting break using a wire is possible, but with increasing wire length, the TDR response of the -mesh is increasingly distorted. We experimentally performed an attack comparable to the one shown by -\textcite{immlerSecurePhysicalEnclosures2018} on a \qty{240}{\micro\meter} pitch mesh specimen. Figure\ -\ref{fig_drill_mod_shape} shows our modification and the resulting change in TDR response. As we can see, adding even -just a few millimeters of wire will measurably and consistently distort the TDR response. +Based on the above results, we peformed a larger-scale experiment using ten interleaved measurements each of seven +samples with patches applied compared against baseline measurements taken before and after measuring the experiment +samples.. 
Figure~\ref{fig_patch_large_scale} shows the results of this experiment, resulting in a FNR of 71.5\% at 0.1\% +FPR. Since such patches only affect few data points along the reflection response, we included a variant of our +classifier that uses the maximum difference across all channels instead of the averaged Pearson Correlation Coefficient +to improve sensitivity to the subtle, localized effects of such patches. Using this classifier variant, FNR improves to +51.1\%, detecting half of all attack attempts in a single measurement when fixing the false alarm rate at 0.1\%. +In a practical application, detection rates would be higher since the system would be able to observe the entire process +of patching. As shown in Section~\ref{sec_advanced_attack}, soldering for instance is highly detectable, while here we +only benchmark a momentary snapshot after the patch was completed. + +\begin{figure} + \centering + \begin{subfigure}{0.3\textwidth} + \centering + \includegraphics[width=\textwidth]{fig_covar_patch_repeat_p0.3.pdf} + \caption{Micro-soldering patching attack. FNR 71.5\% at 0.1\% FPR, CER=29\%.} + \label{fig_patch_large_scale_corr} + \end{subfigure} + \hspace*{5mm} + \begin{subfigure}{0.3\textwidth} + \centering + \includegraphics[width=\textwidth]{fig_covar_patch_repeat_p0.3_minmax.pdf} + \caption{\emph{maximum} classifier variant. FNR 51.1\% at 0.1\% FPR, CER=15\%.} + \label{fig_patch_large_scale_minmax} + \end{subfigure} + \caption{Classification performance in a larger-scale experiment using 10 measurements each of + 7 samples with traces patched through micro-soldering.} + \label{fig_patch_large_scale} +\end{figure} + +\subsubsection{Environmental susceptibility} + +Figure~\ref{fig_env_effects} shows the results of a series of experiments evaluating the effect of environmental factors +such as handling or electromagnetic interference on our measurements. Figure~\ref{fig_env_effects_time} shows our +measurements exhibit little time drift (CER=60\%). 
Figure~\ref{fig_env_effects_touch} shows that touching the mesh is +easily detected (FNR=0\%), but the system is insensitive to touching other parts of the circuit. +We classify touching the mesh as an attack since the mesh would be shielded from touch by the ground plane in a +practical scenario (cf.\ Section~\ref{sec_system_design}). + +As shown in Figure~\ref{fig_env_effects_heat}, heating the mesh distors its measurements (FNR=0.6\%, CER=0\%). +Figure~\ref{fig_tempco_time} shows the difference caused by heating the mesh to \qty{70}{\degree C} in the time domain. +This temperature dependence stems from the resistance of the mesh's copper traces increasing with temperature, and the +dielectric properties of the FR-4 PCB substrate changing. Both dielectric constant and dissipation factor of FR-4 change +with temperature~\cite{sagarStudiesTemperatureDependent2024, hinagaThermalEffectsPCB2010}. The increase in copper +resistance causes a shift of the response curve. An increase in the dielectric dissipation factor affects the slope of +the difference in Figure~\ref{fig_tempco_time} since pulse energy is dissipated more the longer the pulse travels +through the material. A change in dielectric constant moves the response's trailing edge in time, with the pulse +propagating slightly slower at high temperature. + +Since these effects are consistent with physical predictions and only reach problematic levels at large temperature +differences, it would be possible to design a classifier that is insensitive to temperature effects. Furthermore, given +the predictable, physical nature of these effects, they could also be compensated before classification in the digital +domain based on a temperature measurement. + +\begin{figure} + \begin{subfigure}[t]{0.25\textwidth} + \includegraphics[width=\textwidth,trim=0 5mm 0 5mm]{fig_covar_time_drift.pdf} + \caption{Time drift (2.5h). 
FNR 100\% at 0.1\% FPR, CER=61\%.} + \label{fig_env_effects_time} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.35\textwidth} + \includegraphics[width=\textwidth]{fig_covar_touch_combined.pdf} + \caption{Touch sensitivity. FNR 0.0\% at 0.1\% FPR, CER=0.0\%.} + \label{fig_env_effects_touch} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.25\textwidth} + \includegraphics[width=\textwidth,trim=0 5mm 0 5mm]{fig_covar_hot_mesh.pdf} + \caption{Mesh heated (\qty{70}{\degree C}).} + \label{fig_env_effects_heat} + \end{subfigure} + \caption{Classification results of the same mesh under various environmental factors.} + \label{fig_env_effects} +\end{figure} + +\begin{figure} + \centering + \includegraphics[width=1.0\textwidth]{fig_tempco_edited.pdf} + \caption{The effect of heating on a time-domain trace. One of 12 channels shown. Gray: Raw data. Black: Relative + difference between hot and cool cases.} + \label{fig_tempco_time} +\end{figure} + +Besides temperature, other environmental factors such as electromagnetic interference could theoretically also influence +our measurements. Although our system's equivalent-time sampling setup inherently cancels out EMI since it is not +synchronous to the sampling clock, the setup is unshielded so we verified its actual susceptibility in several +scenarios. Figure~\ref{fig_env_covar} shows the result of these measurement series. For comparison, we included several +measurements from Figure~\ref{fig_patch_large_scale}. From these figures, we can see that there are some environmental +effects, but these effects are small even when compared against a subtle attack like a patching attack with the +classification performance remaining approximately constant at 69.0\% FNR at 0.1\% FPR and a slightly reduced CER of +20\%. + +\begin{figure} + \centering + % NOTE: not actually "tridelta" data, I'm just too lazy to rename these and fix up the notebook. 
+ \includegraphics[width=0.6\textwidth]{fig_covar_patch_repeat_tridelta_all_the_data_p0.3.pdf} + \hspace*{2mm} + \caption{Classifier similarity scores of measurements in different environments, 10 + measurements each. For scale, measurements from Figure~\ref{fig_patch_large_scale} are included on the + bottom/right. FNR 69.0\% at 0.1\% FPR, CER=22\%.} + \label{fig_env_covar} +\end{figure} \subsection{Countermeasures} -As shown above, PCB security meshes can be manipulated using industry-standard micro-soldering techniques. Keeping the -length of any patch wires as short as possible, it is conceivable that the impact on TDR response could be kept below -detection thresholds. Our setup provides increased resistance against such attacks since the entire attack would have to -be carried out without electrically contacting either mesh trace. In particular, soldering would have to be done using a -minimal amount of solder as well as a bespoke, insulated soldering iron tip. While manufacturing such a tool out of a -material like sintered ceramic is conceivable, to our knowledge, no such tool exists on the market. +As shown above, PCB security meshes can be manipulated through micro-soldering. Keeping the modifications as physically +small as possible, their impact on TDR response can potentially be kept below detection thresholds of our single-shot +baseline classifier. However, even with such a simple classifier, the entire attack would have to be carried out without +raising an alarm, e.g. by touching the mesh or contacting a trace with the soldering iron. Soldering would have to be +done using a minimal amount of solder as well as a bespoke, insulated soldering iron tip. While manufacturing such a +tool out of a material like sintered ceramic is conceivable, to our knowledge, no such tool exists on the market. 
Furthermore, the actual drilling would have to happen with a dielectric drill bit, placing special attention on -evacuating conductive copper chips before they can create shorts to nearby traces. Again, it is conceivable that such a -tool could be manufactured, but to our knowledge, such a tool is not currently available as a standard component on the -market. +evacuating conductive copper chips before they can create short circuits to nearby traces. Again, it is conceivable that +such a tool could be manufactured, but to our knowledge, such a tool is not currently available as a standard component +on the market. Finally, any probes penetrating the mesh would have to be placed such that their presence in the vicinity of the mesh -traces does not disturb the TDR response. In particular, we have observed that even touching the mesh will distort the -response, so modifications would have to be carried out with great care, likely using micromanipulators or similar -specialized equipment. +traces does not disturb the TDR response. Modifications would have to be carried out with great care, likely using +micromanipulators or similar specialized equipment. -The PCI PTS HSM DTR standard\cite{pcisecuritystandardscouncilPaymentCardIndustry2021a} contains a useful framework for +The PCI PTS HSM DTR standard~\cite{pcisecuritystandardscouncilPaymentCardIndustry2021} contains a useful framework for thinking about attacker capabilities. Applying their taxonomy, our monitoring system raises the skill level required for a patching attack from a \emph{skilled} attacker to an \emph{expert} attacker, and the equipment requirement from -\emph{standard} equipment to \emph{bespoke} equipment such as dielectric drill bits and ceramic soldering tips. +\emph{standard} equipment to \emph{bespoke} equipment. 
\section{Future Work} -\paragraph{Design variants.} While the \partno{STM32G4}'s \partno{HRTIM} peripheral offers edge position control at a -precision of $\frac{1}{32}$ system clock cycle using an automatically adjusted delay-locked loop at each output driver, -due to the comparatively slow maximum system clock speed of \qty{168}{\mega\hertz}, this still only results in a timing -resolution of \qty{184}{\pico\second}. While we have demonstrated this is sufficient to detect and localize several -attack variants, it would be interesting to increase time resolution since in our measurements, we observed that the -end-to-end jitter of our sampler is low enough that our circuit would benefit from finer delay control. In our -prototype, we implemented a--so far unused--adjustable power supply for the \partno{74LVC} series buffer in between the -\partno{HRTIM} outputs and the pulse amplifier. By adjusting this buffer's power supply through one of the -microcontroller's digital-to-analog converter (DAC) channels, we expect that it should be possible to exploit the supply -voltage dependency of the propagation delay of \partno{74LVC} series CMOS logic to create a digitally controllable delay -with picosecond resolution. The internal DLL of the \partno{HRTIM} peripheral is likely implemented similarly. +%\paragraph{Design variants.} We found that the timing jitter of our sampling frontend is low enough to reach the +%\qty{184}{\pico\second} resolution limit of the \partno{STM32G4} \partno{HRTIM} peripheral. In our prototype, we +%implemented a -- so far unused -- adjustable power supply for the \partno{74LVC} series buffer in between the +%\partno{HRTIM} outputs and the pulse amplifier. 
By adjusting this buffer's power supply through one of the +%microcontroller's digital-to-analog converter (DAC) channels, we expect that it should be possible to exploit the supply +%voltage dependency of the propagation delay of \partno{74LVC} series CMOS logic to create a digitally controllable delay +%with picosecond resolution. -% FIXME reword for publication -\paragraph{System design.} The work we presented in this paper is complementary to the work previously presented by -\textcite{gotteCantTouchThis2022}, where the authors improved security of a simple security mesh made from standard PCBs -through mechanical motion. We are currently working on a prototype combining both approaches and incorporating heuristic -scan scheduling as mentioned in Section\ \ref{sec_scan_schedule} for a cost-efficient yet powerful physical security -primitive. +%\paragraph{Non-sequential sampling.} Not all parts of the reflected signal are equally sensitive to tampering atttempts. +%For instance, the reflection's trailing edge corresponds contains information on both the length of the mesh and on its +%attenuation. Instead of recording the response waveform in a linear scan, in a practical application, more relevant +%parts of the response such as this trailing edge could be scanned at a higher rate than other, less relevant parts. +%Similarly, fast scans at a coarse time resolution could be interleaved with slow scans at a finer time resolution to +%detect large changes more quickly. +\paragraph{Advanced attack classification.} While we proposed a simple baseline classifier, there is a large parameter +space for more advanced designs. For instance, a classifier could apply machine learning techniques to adapt to the +response of a particular mesh, learn its benigh behavior under temperature changes, and dynamically schedule sample +timing to focus attention on the parts of the response signal that are most susceptible to attacks. 
Moving from a +single-shot classifier that only observes measurements in isolation to a more advanced approach that considers the full +history of measurements during the mesh's lifetime would also likely improve performance. -\paragraph{Auxiliary applications.} In this work, we have presented a design for a low-cost, embedded TDR frontend. -Besides security mesh monitoring, through multiplexing this TDR frontend could be used for other system monitoring -tasks from tamper sensing to system health monitoring. For instance, \textcite{vaiSecureArchitectureEmbedded2015} -propose an approach for checking the integrity of a PCBA using an external Vector Network Analyzer (VNA) attached to -test points on the PCBA's Power Distribution Network (PDN). TDR can produce fingerprints similar to a VNA, and it would -be interesting to measure parts of the secure subsystem other than its security mesh using our TDR frontend. +\paragraph{Auxiliary applications.} The low-cost, embedded TDR frontend presented in this paper could be used for other +monitoring tasks from tamper sensing to system health monitoring. For instance, +\textcite{vaiSecureArchitectureEmbedded2015} propose checking the integrity of a PCBA using an external Vector Network +Analyzer (VNA) attached to test points on the PCBA's Power Distribution Network (PDN). TDR can produce fingerprints +similar to a VNA and it would be interesting to measure parts of the secure subsystem other than its security mesh using +our TDR frontend. + +\paragraph{Characterization of PUF-like effects.} In Section~\ref{sec-class-perf}, we have described a PUF-like effect, +where our classifier was able to distinguish supposedly identical copies of the same mesh. It would be interesting to +precisely characterize this effect and its dependence on factors such as the chosen PCB manufacturer, and to quantify if +it indeed rises to the level of a PUF in entropy and repeatability. 
\section{Conclusion} In this paper, we presented a design for a low-cost frontend for integrity monitoring of security meshes in applications such as HSMs based on the principles of sub-nanosecond Time Domain Reflectometry. Our design repurposes an inexpensive -HDMI redriver IC to produce sharp edges for the TDR stimulus, and applies a microwave clip line to form fast pulses for -TDR sampling. Our design creates a detailed fingerprint of the intact mesh's condition that not only captures the length -of the mesh's traces but also reflects the impedance at every point along the mesh. +HDMI redriver IC and uses a microwave clip line to form fast pulses for TDR sampling. Our design creates a detailed +fingerprint of the intact mesh's condition that not only captures the length of the mesh's traces but that can +distinguish copies of the same mesh. -Beyond simply detecting faults or manipulations that disturb the mesh without causing breaks, we have demonstrated our -prototype circuit's capability to distinguish and physically localize faults inside the mesh in several practical attack -scenarios with even careful attacks causing strong disturbances in the generated fingerprint. +We have demonstrated our prototype circuit's capability to reliably detect and distinguish a wide range of practical +attacks with no classification erros in most attack classes, and a worst-case FNR of $71.5\%$ at $0.1\%$ FPR when +detecting tiny, micro-soldered patch wires. Compared to the state of the art, our approach enables the monitoring of larger meshes, at higher sensitivity and lower cost. Our is easy to replicate, does not require any specialized or custom components, and unlocks high-security applications for security meshes made using low-cost, standard PCB manufacturing processes. -% FIXME put into actual appendix -%\appendix -%\section{Additional photos} -%\label{appendix_photos} -% -%\begin{figure}[h!] 
-% \centering -% \begin{subfigure}{0.45\textwidth} -% \centering -% \includegraphics[width=0.8\textwidth]{pic_short_2_small.jpg} -% \label{fig_pic_specimens_short} -% \caption{Short circuit test specimen} -% \end{subfigure} -% \begin{subfigure}{0.45\textwidth} -% \centering -% \includegraphics[width=0.8\textwidth]{pic_cut_1_small.jpg} -% \label{fig_pic_specimens_open} -% \caption{Cut trace test specimen} -% \end{subfigure} -% \caption{Photos of the short circuit and cut trace test specimens. In the specimen shown on the left, in each of the -% three marked locations, both traces of the mesh were exposed. To measure short circuit response, the traces were -% shorted in one of the locations using a soldering iron. In the specimen shown on the right, one trace was -% exposed and cut in the marked location. To measure baseline values, the test specimen shown on the right was -% used with the trace temporarily repaired.} -% \label{fig_pic_specimens} -%\end{figure} -% -%
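Review bot: The new paragraph introducing the larger-scale patching experiment has two typos ("peformed", and "samples.." with a doubled period) and no longer references \ref{fig_drill_mod_shape}, although the figure environment with its rewritten caption is kept; please check that the figure is still cited somewhere, otherwise it floats without discussion. The caption now states a \qty{300}{\micro\meter} drill on a \qty{300}{\micro\meter} pitch mesh while the removed text described a \qty{240}{\micro\meter} pitch specimen, so confirm which specimen the figure actually shows. Also, "shows the results of this experiment, resulting in a FNR of 71.5\%" reads awkwardly; consider "shows the results of this experiment: an FNR of 71.5\% at 0.1\% FPR."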
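Review bot: The environmental-susceptibility numbers in the text and the figure captions disagree: the text gives CER=60\% for time drift while the \ref{fig_env_effects_time} caption says CER=61\%, and the text gives "a slightly reduced CER of 20\%" for the environment series while the \ref{fig_env_covar} caption says CER=22\%. The heated-mesh subcaption is the only one in \ref{fig_env_effects} without FNR/CER values, while the text reports FNR=0.6\% and CER=0\%; these two values are also hard to reconcile, since a CER of 0\% implies a threshold with no errors at all, at which the FNR at 0.1\% FPR should be 0\% as well. Please recheck against the notebook and use one set of numbers in both places. Typo in the same paragraph: "distors".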
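Review bot: In the Countermeasures paragraph the citation key changes from pcisecuritystandardscouncilPaymentCardIndustry2021a to pcisecuritystandardscouncilPaymentCardIndustry2021; make sure the bibliography entry was renamed accordingly, otherwise the reference renders as [?]. "e.g. by touching the mesh" should be "e.g.\ by touching" (or "e.g., by") to get correct inter-word spacing in LaTeX, consistent with "cf.\ Section" a few paragraphs earlier.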
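Review bot: The Future Work section keeps two whole paragraphs ("Design variants", "Non-sequential sampling") as commented-out source, and the \ref{fig_env_covar} figure carries a "% NOTE: not actually tridelta data, I'm just too lazy to rename" comment; for a camera-ready chapter this dead text should either be deleted (git history preserves it) or the figure file renamed so the comment can go. Also in this hunk: typo "benigh" in the "Advanced attack classification" paragraph, and \ref{sec-class-perf} uses a hyphen while every other label in the chapter uses underscores (sec_advanced_attack, sec_system_design); verify that label exists.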
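Review bot: In the Conclusion, "erros" is a typo, and the percentages are typeset in math mode ("$71.5\%$ at $0.1\%$") while the same numbers appear as plain "71.5\% at 0.1\%" throughout the evaluation; pick one form. The unchanged context line "Our is easy to replicate" is missing its noun ("Our design is easy to replicate"); since this paragraph is being edited anyway, fix it in the same commit.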