jaseg/phd-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

survey: add a bunch of citations

Browse source
This commit is contained in:
jaseg 2025-11-04 15:40:01 +01:00
parent a770ea66bf
commit 2321b9e308
4 changed files with 1091 additions and 618 deletions
Download patch file Download diff file Expand all files Collapse all files

200
chapter-hsms/chapter.tex
View file

@ -20,7 +20,7 @@ range of applications.
\section{The History of Tamper Sensing Meshes}
tamper sensing meshes offer many degrees of freedom in their design ranging from the precise conductor layout, through
Tamper sensing meshes offer many degrees of freedom in their design ranging from the precise conductor layout, through
the manufacturing technology of the mesh and how it is wrapped around the payload during manufacturing up to their
monitoring circuitry. As a result, manufacturers across application domains from datacenter appliance HSMs to card
payment terminals have historically used patents on parts of their tamper sensing mesh implementations as a means to
@ -158,11 +158,15 @@ handling, but should not be more robust than that. As a result, more secure mesh
manufacturing processes~\cite{
immlerBTREPIDBatterylessTamperresistant2018,
immlerSecurePhysicalEnclosures2018,
ImprovementProtectingSafes1870}.
\todo{cite hennigApparatusMethodComprising2020 and obermaierPUFfilmMethodProducing2023 on immler et al PUF tech}
ImprovementProtectingSafes1870,
hennigApparatusMethodComprising2020,
obermaierPUFfilmMethodProducing2023,
vasileProtectingSecretsAdvanced2019,
smithBuildingHighperformanceProgrammable1999}.
One more widely cited tamper sensing mesh implementation is a commercial product developed by IBM in collaboration with
chemical company W.\ L.\ Gore \& Asscociates Inc.\ and used in IBM's datacenter HSM products up to approximately 2020.
chemical company W.\ L.\ Gore \& Asscociates Inc.\ and used in IBM's datacenter HSM products up to approximately
2020~\cite{obermaier2018,andersonSecurityEngineeringGuide2020,smithBuildingHighperformanceProgrammable1999}.
This mesh design uses a stack of multiple layers of a clear, flexible plastic substrate on which carbon-based traces are
printed. Vias, i.e. contacts between layers, are made by laser cutting small holes into the substrate before the traces
are printed. The flexible circuit layers are joined with a opaque black, stretchy glue and after installation embedded
@ -227,12 +231,12 @@ targeted towards. Since we were unable to acquire a nuclear weapon for our resea
devices with a focus on card payment terminals, which represent the most varied class of device incorporating such
meshes.
\subsection{Sample Selection}
\subsection{Specimen Selection}
Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For
this survey, we chose 30 total devices including 23 different models of card payment terminals, and 7 other devices.
Some devices were procured by dumpster diving, while most were sourced from ebay. The majority of these were sold by
electronic waste recycling companies. A complete list of our samples can be found in
electronic waste recycling companies. A complete list of our specimens can be found in
Table~\ref{tab_hsm_survey_sample_list}. External photos of each device are shown in
Figure~\ref{fig_hsm_survey_sample_pics} and internal photos are shown in
Figure~\ref{fig_hsm_survey_sample_internal_pics}. In the following sections, we will go into detail on the classes of
@ -275,9 +279,9 @@ devices we selected for this study.
H31 & PED & SumUp & SumUp 3G & 2019 \\
H32 & PED & SumUp & SumUp Air & 2022 \\
\end{tabular}
\caption{The samples we dissected in our survey. PED stands for \emph{Pin Entry Device}, the industry term for card
payment terminals that have sufficient security to handle credit card PINs. EPP stands for \emph{Encrypting Pin
Pad}, the type of keypad used for pin entry on ATMs. HSM stands for Hardware Security Module.}
\caption{The specimens we dissected in our survey. PED stands for \emph{Pin Entry Device}, the industry term for
card payment terminals that have sufficient security to handle credit card PINs. EPP stands for \emph{Encrypting
Pin Pad}, the type of keypad used for pin entry on ATMs. HSM stands for Hardware Security Module.}
\label{tab_hsm_survey_sample_list}
\end{table}
@ -322,7 +326,7 @@ devices we selected for this study.
\surveypic{31}{survey_diag_S31.jpg}\\
\surveypic{32}{survey_diag_S32.jpg}&
\end{tabular}
\caption{External photos of all survey samples.}
\caption{External photos of all survey specimens.}
\label{fig_hsm_survey_sample_pics}
\end{figure}
@ -356,7 +360,7 @@ and are used across application domains. Depending on the application, these HSM
can be used as coprocessors through an API. In practice, the standalone appliances are just low-end computers in a
rackmount enclosure that expose the API of an internal HSM add-in card to the network. In this survey, we were only able
to procure a single such HSM since these devices are expensive, and even used specimens of older models are usually
listed for several hundreds to several thousands of EUR. The one sample we procured was a 2011 model Utimaco
listed for several hundreds to several thousands of EUR. The one specimen we procured was a 2011 model Utimaco
CryptoServer LAN. Our unit was a white-label variant procured by premium TV encryption technology provider Irdeto,
presumably used in Germany to produce cryptographic key streams for TV signal encryption. We bought the device from a
recycling company specialized on datacenter components. The device was sold with any HDDs removed. The device consisted
@ -410,9 +414,10 @@ sealed sheet metal enclosure.
We proceeded by first photographing every test specimen from multiple angles, then disassembling them. After
disassembly, we photographed each major component. Figure~\ref{fig_hsm_survey_sample_internal_pics} shows a selection of
these photos showing the major internal components of the devices. After photos were taken, we proceeded with
destructive techniques where necessary to obtain microscope photos of each tamper sensing mesh component. PCBs were
sectioned using a sanding drum attachment on a Dremel rotary tool. Potted modules were disassembled using milling,
cutting and prying, and applying heat from a heat gun as necessary to soften polymer compounds and to break glue joints.
destructive techniques where necessary to understand the devices' use of tamper-sensing meshes. We took microscope
photos where we found interesting small structures. PCBs were sectioned using a sanding drum attachment on a Dremel
rotary tool. Potted modules were disassembled using milling, cutting and prying, and applying heat from a heat gun as
necessary to soften polymer compounds and to break glue joints.
\begin{figure}
\begin{tabular}[c]{cccc}
@ -450,7 +455,7 @@ cutting and prying, and applying heat from a heat gun as necessary to soften pol
% overlapping the previous row
\rule{0pt}{25mm}
\end{tabular}
\caption{Internal overview photos of the survey samples.}
\caption{Internal overview photos of the survey specimens.}
\label{fig_hsm_survey_sample_internal_pics}
\end{figure}
@ -463,16 +468,16 @@ supplementary material to this thesis.
\subsubsection{Mesh materials.}
We found meshes constructed from rigid PCBs (e.g.\ samples~\sampleno{H02}, \sampleno{H03} and \sampleno{H08}) as well as
We found meshes constructed from rigid PCBs (e.g.\ specimens~\sampleno{H02}, \sampleno{H03} and \sampleno{H08}) as well as
a number of Flexible Printed Circuit (FPC) processes. Tamper sensing meshes constructed from PCBs sometimes used parts
of an existing PCB (e.g.\ samples~\sampleno{H03} and \sampleno{H10}), and sometimes additional PCBs only containing a
mesh were added (e.g.\ sample~\sampleno{H02} and \sampleno{H08}). In some samples (e.g.\ samples~\sampleno{H08} and
of an existing PCB (e.g.\ specimens~\sampleno{H03} and \sampleno{H10}), and sometimes additional PCBs only containing a
mesh were added (e.g.\ specimen~\sampleno{H02} and \sampleno{H08}). In some samples (e.g.\ specimens~\sampleno{H08} and
\sampleno{H18}), multiple rigid PCB meshes were assembled in a house of cards fashion to enclose a card slot. For
flexible meshes, with the exception of the Utimaco HSM appliance's HSM card (sample~\sampleno{H30}) that used an
flexible meshes, with the exception of the Utimaco HSM appliance's HSM card (specimen~\sampleno{H30}) that used an
off-the-shelf Gore tamper sensing mesh foil, all were clearly manufactured either entirely or mostly in standard
processes. We found printed silver ink (e.g.\ sample~\sampleno{H12}) and printed carbon ink-based foils (e.g.\
sample~\sampleno{H09}) similar to those used for membrane keyboards, as well as conventional photolithographically
etched copper/polyimide Flexible Printed Circuits (FPCs) (e.g.\ samples~\sampleno{H03}, \sampleno{H04} and
processes. We found printed silver ink (e.g.\ specimen~\sampleno{H12}) and printed carbon ink-based foils (e.g.\
specimen~\sampleno{H09}) similar to those used for membrane keyboards, as well as conventional photolithographically
etched copper/polyimide Flexible Printed Circuits (FPCs) (e.g.\ specimens~\sampleno{H03}, \sampleno{H04} and
\sampleno{H08}). Overall, etched PCBs showed better resolution compared to silkscreen-printed meshes. Feature size for
both rigid and flexible etched PCB meshes was generally in the order of \qtyrange{100}{200}{\micro\meter}, while feature
size for screen printed foil meshes was coarser at between \qtyrange{500}{3000}{\micro\meter}.
@ -483,25 +488,25 @@ size for screen printed foil meshes was coarser at between \qtyrange{500}{3000}{
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_mesh_offset.jpg}
\caption{Offset layers for more complete coverage (sample~\sampleno{H12}).}
\caption{Offset layers for more complete coverage (specimen~\sampleno{H12}).}
\label{hsm_fig_mesh_layout_offset}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_mesh_orthogonal.jpg}
\caption{Orthogonal patterns on subsequent layers (sample~\sampleno{H14}).}
\caption{Orthogonal patterns on subsequent layers (specimen~\sampleno{H14}).}
\label{hsm_fig_mesh_layout_orthogonal}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_utimaco_mesh_gore.jpg}
\caption{Combining orthogonal layers with area-covering pattern (sample~\sampleno{H30}).}
\caption{Combining orthogonal layers with area-covering pattern (specimen~\sampleno{H30}).}
\label{hsm_fig_mesh_layout_utimaco}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_mesh_stack_epp.jpg}
\caption{Spacing mesh layers apart to constrict angular freedom of an attack tool (sample~\sampleno{H28}).}
\caption{Spacing mesh layers apart to constrict angular freedom of an attack tool (specimen~\sampleno{H28}).}
\label{hsm_fig_mesh_layout_epp}
\end{subfigure}
\caption{Mesh trace layout approaches for multi-layer meshes.}
@ -550,32 +555,32 @@ list, we will address several common structural features that we observed across
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_copper_pcb.jpg}
\caption{Standard photolithographic copper PCB process on rigid FR-4 fiberglass substrate
(sample~\sampleno{H10}).}
(specimen~\sampleno{H10}).}
\label{hsm_fig_materials_pcb_rigid}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_copper_flex.jpg}
\caption{Standard photolithographic copper PCB process on flexible polyimide substrate (sample~\sampleno{H15}).}
\caption{Standard photolithographic copper PCB process on flexible polyimide substrate (specimen~\sampleno{H15}).}
\label{hsm_fig_materials_pcb_flex}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_silver.jpg}
\caption{Screen printing process using silver ink with some carbon ink contact pads for embedded buttons
(sample~\sampleno{H14}).}
(specimen~\sampleno{H14}).}
\label{hsm_fig_materials_silver_ink}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_contact_gold_lds.jpg}
\caption{Laser direct structuring using electroless gold plating (sample~\sampleno{H32}).}
\caption{Laser direct structuring using electroless gold plating (specimen~\sampleno{H32}).}
\label{hsm_fig_materials_gold_lds}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_carbon.jpg}
\caption{Screen printing process using carbon ink (sample~\sampleno{H30}).}
\caption{Screen printing process using carbon ink (specimen~\sampleno{H30}).}
\label{hsm_fig_materials_carbon_ink}
\end{subfigure}
\caption[Mesh materials]{Materials and manufacturing processes used for mesh traces and contacts.}
@ -629,38 +634,38 @@ material, usually an elastomeric connector.
\centering
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_castellated_edge.jpg}
\caption{Direct soldering (sample~\sampleno{H05}).}
\caption{Direct soldering (specimen~\sampleno{H05}).}
\label{hsm_fig_connector_castellations}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_stacking.jpg}
\caption{Elastomeric connector landing pattern as well as stacking board-to-board connector
(sample~\sampleno{H17}).}
(specimen~\sampleno{H17}).}
\label{hsm_fig_connector_stack}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_zif_fpc_2.jpg}
\caption{Landing pads for tactile contact domes as well as FPC connector (sample~\sampleno{H20}).}
\caption{Landing pads for tactile contact domes as well as FPC connector (specimen~\sampleno{H20}).}
\label{hsm_fig_connector_fpc}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_elastomeric.jpg}
\caption{Direct soldering of an FPC and an elastomeric connector (sample~\sampleno{H31}).}
\caption{Direct soldering of an FPC and an elastomeric connector (specimen~\sampleno{H31}).}
\label{hsm_fig_connector_elastomeric}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_rf_gasket.jpg}
\caption{Soft, conductive EM shielding gaskets used as connectors (sample~\sampleno{H14}).}
\caption{Soft, conductive EM shielding gaskets used as connectors (specimen~\sampleno{H14}).}
\label{hsm_fig_connector_gasket}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_metal_dome.jpg}
\caption{Tactile dome (sample~\sampleno{H06}).}
\caption{Tactile dome (specimen~\sampleno{H06}).}
\label{hsm_fig_connector_dome}
\end{subfigure}
\caption[Mesh connecting methods]{Connecting methods used between tamper sensing mesh assemblies and their base PCBs}
@ -722,31 +727,31 @@ connection while guaranteeing adjacent spheres never touch each other.
\centering
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_3d_style_fold_overlap.jpg}
\caption{Folded with overlap (sample~\sampleno{H03})}
\caption{Folded with overlap (specimen~\sampleno{H03})}
\label{hsm_fig_3d_struct_folded_overlap}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_3d_style_fold_no_overlap.jpg}
\caption{Folded without overlap (sample~\sampleno{H14})}
\caption{Folded without overlap (specimen~\sampleno{H14})}
\label{hsm_fig_3d_struct_folded_no_overlap}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_3d_style_vacform.jpg}
\caption{Thermoformed (sample~\sampleno{H12})}
\caption{Thermoformed (specimen~\sampleno{H12})}
\label{hsm_fig_3d_struct_vacuum_form}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_cards_standalone.jpg}
\caption{House-of-Cards construction (sample~\sampleno{H08})}
\caption{House-of-Cards construction (specimen~\sampleno{H08})}
\label{hsm_fig_3d_struct_house_of_cards}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_lds_top.jpg}
\caption{Laser Direct Structuring (sample~\sampleno{H32})}
\caption{Laser Direct Structuring (specimen~\sampleno{H32})}
\label{hsm_fig_3d_struct_lds}
\end{subfigure}
\caption[3D mesh construction styles]{Construction styles used to fit tamper sensing meshes into 3D envelopes. Grids
@ -789,7 +794,7 @@ placing each dome. In these samples, a mesh was integrated into this adhesive sh
and two additional domes were used to provide contact between this integrated mesh and the main PCB. Cavities were
formed into this mesh to enclose the upper side of the main cryptographic processor and associated components.
Figure~\ref{fig_ingenico_forming} shows the mesh of sample~\sampleno{H24} both before and after removing the black
Figure~\ref{fig_ingenico_forming} shows the mesh of specimen~\sampleno{H24} both before and after removing the black
opaque cover lacquer used on the bottom side of these meshes to obscure their features. The lacquer was removed by
gently rubbing it with a cotton swap soaked with acetone. In Figure~\ref{fig_ingenico_forming_after}, we see how the
mesh's structure was adapted around the formed cavities to reduce the risk of a break during the forming process: The
@ -812,11 +817,11 @@ access by probes.
\label{fig_ingenico_forming_after}
\end{subfigure}
\end{center}
\caption{Formed cavities in printed foil mesh in sample~\sampleno{H24}.}
\caption{Formed cavities in printed foil mesh in specimen~\sampleno{H24}.}
\label{fig_ingenico_forming}
\end{figure}
Sample~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh
specimen~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh
shown does not extend to the edges of the plastic cover it has been molded into. When this cover is placed on top of a
PCB to protect components on the PCB from tampering, this leaves a large gap between the bottom edge of the mesh and the
PCB surface, through which probes can be inserted to access either the payload circuit or the mesh monitoring circuitry.
@ -825,12 +830,12 @@ A similar design defect was mitigated in the specimens manufactured by Banksys,
ATM encrypting pin pads \sampleno{H03} and \sampleno{H04}. These specimens all have a polyimide/copper FPC mesh glued to
the inside of a casted zinc lid form five sides of a cuboid. These meshes sit atop their base PCBs, and a possible
vulnerability would be the interface between the mesh and the PCB, where there will be an unavoidable gap of at least
several hundred micrometers. In sample~\sampleno{H03}, this was mitigated by milling a slot into the base PCB for the
several hundred micrometers. In specimen~\sampleno{H03}, this was mitigated by milling a slot into the base PCB for the
mesh to sit inside, thereby placing the top layer of the base PCB as well as any internal mesh layers inside the cavity
of the mesh lid. In sample~\sampleno{H04}, the payload circuit was instead placed on a daughterboard sitting inside
of the mesh lid. In specimen~\sampleno{H04}, the payload circuit was instead placed on a daughterboard sitting inside
the lid using board-to-board stacking connectors (cf. Figure~\ref{hsm_fig_connector_stack}). Here, an additional rigid
mesh PCB was soldered flat on top of the base PCB to cover the open side of the mesh lid, creating an overlap at the
edges. In sample~\sampleno{H08}, a card payment terminal, a simpler construction was used with a simple metal ring
edges. In specimen~\sampleno{H08}, a card payment terminal, a simpler construction was used with a simple metal ring
soldered to the base PCB mechanically shielding the edge. We are unable to ascertain why this purely mechanical
shielding technique was used instead of the more secure overlapping technique seen in sample~\ref{H03}, which should
have a similar, low manufacturing cost.
@ -857,25 +862,25 @@ which would be a flaw in a more standard HSM application.
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_offset_mesh_delayered_contrast_improved.jpg}
\caption{Small obstacle mesh coupons (sample~\sampleno{H17}).}
\caption{Small obstacle mesh coupons (specimen~\sampleno{H17}).}
\label{hsm_fig_3d_sandwich_obstacle}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_via_stitch_mesh_delayer_2.jpg}
\caption{Via-fence meshes (sample~\sampleno{H24}).}
\caption{Via-fence meshes (specimen~\sampleno{H24}).}
\label{hsm_fig_3d_sandwich_via_fence}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_planar_stack.jpg}
\caption{Planar sandwich stack protecting the back of a connector (sample~\sampleno{H24}).}
\caption{Planar sandwich stack protecting the back of a connector (specimen~\sampleno{H24}).}
\label{hsm_fig_3d_sandwich_stack}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_cavity_2.jpg}
\caption{PCB lid with routed cavity and embedded planar and via-fence meshes (sample~\sampleno{H14}).}
\caption{PCB lid with routed cavity and embedded planar and via-fence meshes (specimen~\sampleno{H14}).}
\label{hsm_fig_3d_sandwich_lid}
\end{subfigure}
\caption[Sandwich mesh construction styles]{Construction styles used to cover 3D volumes using sandwich-style
@ -914,6 +919,31 @@ via fence layers, at the bottom of the PCB is one more layer containing the pads
\subsubsection{Tabular results}
Below is a table representing which features discussed in the sections above we found in which of our samples. Overall,
we commonly found a combination of a rigid PCB mesh in the specimen's main PCB and and flexible meshes formed into a lid
structure above its main PCB. The mesh inside the rigid PCB would protect the payload components soldered to the top
surface of the PCB such as pin pad buttons or crytographic coprocessors from probing from underneath, while the flexible
mesh lid would protect them from attacks from above or from the side. We only found two specimens that wrapped an entire
payload PCB inside of a mesh, the Utimaco datacenter HSM appliance \sampleno{H30} and an older Ingenico payment
terminal,\sampleno{H18}. Only the datacenter HSM followed this approach through, its manufacturer going to some length
to carefully fold the mesh around corners and the entry point of its Flat Flex Cable (FFC) connections to the outside
world to avoid possible weak points there. The payment terminal module had weak points at the corners of the wrapped
mesh, and its wrapping pattern only covered five of the six sides of a cuboid, with the remaining side left open to
allow for the payload PCB to pass out of the mesh for its external connections.
We found an approximately even split between flexible copper/polyimide printed circuit (FPCs) and silver ink printing
processes being used for flexible meshes. Printed carbon ink processes were less popular, presumably because they offer
no significant cost savings but the resulting mesh has a much higher electrical resistance, limiting possible mesh
length.
We found potting was only infrequently used across our sample, presumably because of the limited protection it provides.
We found conductive ink printed meshes commonly used opaque base foils and opaque lacquer cover layers to obscure their
features, but when dissecting these specimens we noticed that usually these opaque lacquers are easily removed without
damaging the underlying printed mesh traces using a cotton swab soaked in acetone. Additionally, in almost all instances
the trace structure was easily recognizable from the mesh traces' thickness showing through to the surface of the
opaque cover lacquer. In practice it served as electrical insulation, but did not convey meaningful protection against
reverse engineering.
\begin{landscape}
\begin{table}
\footnotesize
@ -1117,7 +1147,7 @@ Integrated contact pads & \ref{hsm_fig_connector_fpc}
\label{hsm_fig_ingenico_potted_seated}
\end{subfigure}
\caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module
(sample~\sampleno{H18}).}
(specimen~\sampleno{H18}).}
\label{hsm_fig_ingenico_potted}
\end{figure}
@ -1125,18 +1155,17 @@ Integrated contact pads & \ref{hsm_fig_connector_fpc}
Hardware manufacturers implementing security meshes often attempt to keep the meshes' layouts hidden as a way of
security by obscurity. In practice, this can take the form of opaque potting compounds (cf.
Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\ref{hsm_fig_materials_gold_lds}), and
burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}).
\todo{Pictures/refs of opaque materials, mention sample numbers}
To circumvent such attempts, an obvious attack vector is to use radiographical imaging techniques such as X-ray or CT
imaging. To evaluate CT imaging as an attack method, we experimentally imaged the potted HSM module of
sample~\sampleno{H18}, an Ingenico payment terminal, using an industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows
the module we analyzed and two images exported from the resulting CT scan data.
Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In this cut, we can
clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil, and two unused
contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this information to
target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that the mesh of the
device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through one of the mesh's
traces should be possible without breaking the trace.
burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}, e.g.\
specimens~\sampleno{H03}, \sampleno{H17} and \sampleno{H32}). To circumvent such attempts, an obvious attack vector is
to use radiographical imaging techniques such as X-ray or CT imaging. To evaluate CT imaging as an attack method, we
experimentally imaged the potted HSM module of specimen~\sampleno{H18}, an Ingenico payment terminal, using an
industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the
resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In
this cut, we can clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil,
and two unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this
information to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that
the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through
one of the mesh's traces should be possible without breaking the trace.
Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
@ -1148,17 +1177,12 @@ mesh.
\section{Discussion}
% FIXME intro here
%\subsection{tamper sensing meshes then and now}
Concluding both our patent research and our experimental survey, we find that tamper sensing meshes have been a
commonplace technology throughout the past 150 years. While mesh manufacturing technology has experienced some
In our survey, we have seen the technological state of the art to which tamper-sensing meshes have evolved since the
earliest designs evidenced in patents from 150 years ago. While mesh manufacturing technology has experienced some
advancements from historical wire-wound meshes to modern meshes always being constructed in printed circuit processes,
mesh monitoring approaches have received surprisingly little attention through the centuries and even in recent,
state-of-the-art systems, a simple comparator monitoring a mesh arranged in a bridge configuration is still considered
sufficient by manufacturers.
% FIXME todo above: show wheatstone bridge schematic
sufficient in high-security applications~\cite{obermaier2018}.
\subsection{Mesh construction techniques}
@ -1168,14 +1192,17 @@ integrated a mesh layer produced in a carbon printing process into a membrane ke
We only found one mesh manufactured in a bespoke process in the datacenter HSM appliance we examined, and that bespoke
process turns out to be a turnkey solution used by at least two HSM vendors. Underscoring stagnating development in the
field, this particular mesh manufacturing process seems to have seen only minimal changes since the first patents
covering it were published in the late 1990ies.\todo{source}
covering it were published in the late
1990ies~\cite{macphersonTamperRespondentEnclosure1999,macphersonImprovementsSecurityEnclosures1993,obermaier2018}.
\subsection{Mesh monitoring circuits}
We observed that in general, academic research leads before patent literature, which is ahead of actual implementations
in the field. Practical monitoring circuitry seems basic. Particularly the datacenter HSM appliance we examined showed a
contrast between a mesh manufactured in a bespoke process combined with an unsophisticated, discrete monitoring circuit
based around a number of voltage comparators.\todo{refer sample number}
in the field. Practical monitoring circuitry seems basic. Particularly the datacenter HSM appliance we examined
(specimen~\sampleno{H30}) showed a contrast between a mesh manufactured in a bespoke process combined with an
unsophisticated, discrete monitoring circuit based around a number of voltage comparators~\cite{obermaier2018}. We will
go into more detail on improved monitoring methods as well as the academic state of the art in this field in
Chapter~\ref{chapter_sampling_mesh_mon}.
\subsection{Computed Tomography Imaging}
@ -1183,7 +1210,7 @@ CT imaging presents a serious threat to any HSM design that relies on its mesh l
the Gore tamper sensing mesh product used in IBM and Utimaco HSMs includes a feature where after production, small vias
are lasered into a specially preparte area on the mesh foil to randomize the connection pattern of the mesh on a
unit-by-unit basis. CT imaging could be used to discern this type of customization. Furthermore, CT imaging can be used
to provide sub-millimeter accurate positioning for an attack, even if the sample to be attacked has large production
to provide sub-millimeter accurate positioning for an attack, even if the specimen to be attacked has large production
tolerances. We found that CT imaging can be made more difficult using three complementary techniques.
\begin{figure}
@ -1198,16 +1225,16 @@ tolerances. We found that CT imaging can be made more difficult using three comp
\paragraph{Low-contrast trace materials.}
CT imaging can be made more difficult by manufacturing the mesh with very thin conductive traces, and using a trace
material that has low atomic number, corresponding to low X-ray absorption. For instance, the Gore mesh sample used a
material that has low atomic number, corresponding to low X-ray absorption. For instance, the Gore mesh specimen used a
carbon-based ink that judging by structure size was screen-printed, which leads to an economical yet relatively secure
solution.
solution~\cite{andersonSecurityEngineeringGuide2020,smithBuildingHighperformanceProgrammable1999}.
\paragraph{Use of X-ray attenuating materials.}
We found that placing any highly X-ray attenuating material in the HSM makes CT imaging more difficult.
Figure~\ref{hsm_fig_utimaco_ct} shows a CT image taken from an Utimaco HSM. The device has two thick metal layers with a
potting resin and the tamper sensing mesh in between, so high-energy X-rays were necessary to penetrate both metal
layers and image the device. As a result, the contrast on X-ray-transparent features like polymers is low. In
comparison, the Ingenico sample was easy to image since it consisted of a PCB wrapped with a mesh foil and encased in
comparison, the Ingenico specimen was easy to image since it consisted of a PCB wrapped with a mesh foil and encased in
resin inside of an injection-molded plastic enclosure. Thus, we were able to image it at a low X-ray energy and we were
able to easily reconstruct detail on both the mesh's layout and the PCB's circuitry. To apply X-ray dense materials for
defense in a practical design, a sheet made from elementary tin or a tin alloy would be a suitable choice for such an
@ -1256,9 +1283,10 @@ The weakest systems we found completely omitted a tamper sensing mesh. Ironicall
marketed as hardware security modules. Given the inexpensive nature of tamper sensing meshes and the high price point of
such devices, we suspect market segmentation as a driving force behind their manufacturers' decision to omit tamper
sensing meshes despite their low cost. The primary security standard that is most often cited for the certification of
HSMs is the US government's FIPS-140\todo{cite}, now in its third version. A peculiarity of this standard is that it
only requires active tamper sensing meshes in the highest of the four security levels it defeies. Overall, we can
conclude that the term ``HSM'' does not imply state-of-the-art physical tamper sensing.
HSMs is the US government's FIPS-140, now in its third
version~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}. A peculiarity of this
standard is that it only requires active tamper sensing meshes in the highest of the four security levels it defeies.
Overall, we can conclude that the term ``HSM'' does not imply state-of-the-art physical tamper sensing.
From an academic point of view, the core finding of our survey is that for academic research on mesh manufacturing,
monitoring or attacks on meshese, realistic tamper sensing mesh samples can easily be created. A number of commercial
@ -1268,8 +1296,8 @@ inexpensive PCB manufacturing processes, none of the devices we examined utilize
techniques.
From an engineering point of view, we observe that across application domains, tamper sensing meshes often use basic
construction techniques. Implementing such a system that matches the security of other systems seen in the wild should
be achievable to most engineers.
construction techniques for both the mesh itself and for its monitoring circuit. Implementing such a system that matches
the security of devices seen in the wild should be achievable to most engineers.
We find that the IHSM approach is a natural extension of the state of the art that we saw reflected in tamper sensing
mesh implementations in the field, and that the construction techniques that have been applied to improve their security

14
chapter-ihsm/chapter.tex
View file

@ -24,7 +24,7 @@ TPM~\cite{newman2020,frazelle2019,johnson2018}.
Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure
them against tampering is a good engineering solution for some years to come. However, in essence, this is a type of
security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern
ICs~\cite{albartus2020,anderson2020}.
ICs~\cite{albartus2020,andersonSecurityEngineeringGuide2020}.
In contrast to TPMs and Smartcards, HSMs rely on an active security barrier usually consisting of a fragile foil with
conductive traces. These traces are much larger scale than a smart card IC's microscopic structures and instead are
@ -83,11 +83,11 @@ detection.
HSMs are an old technology that traces back decades in its electronic realization, initially being conceived by the US
NSA during the second world war~\cite{boak1973}. Today's common approach of monitoring meandering electrical traces on a
fragile foil that is wrapped around the HSM essentially transforms the security problem into the challenge to
manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, anderson2020}. There has been
manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, andersonSecurityEngineeringGuide2020}. There has been
some research on monitoring the HSM's interior using e.g.\ electromagnetic radiation~\cite{tobisch2020, kreft2012} or
ultrasound~\cite{vrijaldenhoven2004} but none of this research has found widespread adoption yet.
HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper-evident devices. The difference is that an
HSMs can be compared to physical seals~\cite{andersonSecurityEngineeringGuide2020}. Both are tamper-evident devices. The difference is that an
HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine
it. This examination can be done by eye in the field, but it can also be carried out in a laboratory using complex
equipment. An HSM in principle has to have this examination equipment built-in.
@ -115,14 +115,14 @@ several minutes. While the state of electronics has advanced rapidly since Boak'
has not increased correspondingly. Thus, we can conclude that even today, against a ``smart, well-equipped opponent with
plenty of time'' as noted by Boak, this self-destruction functionality is essential.
In~\cite{anderson2020}, Anderson gives a comprehensive overview of physical security. An example HSM that he cites is
In~\cite{andersonSecurityEngineeringGuide2020}, Anderson gives a comprehensive overview of physical security. An example HSM that he cites is
the IBM 4758, the details of which are laid out in-depth in~\cite{smith1998}. This HSM is an example of an
industry-standard construction. Although its turn of the century design is now a bit dated, the construction techniques
of the physical security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature
and radiation sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the
common construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state
that the module monitors this mesh for short circuits, open circuits, and conductivity. Other commercial offerings use
similar approaches to tamper detection~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
similar approaches to tamper detection~\cite{obermaier2018,drimer2008,andersonSecurityEngineeringGuide2020,isaacs2013}.
Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an
HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to
@ -534,10 +534,10 @@ One type of these attacks are contactless attacks such as electromagnetic (EM) s
EM side-channel attacks can be mitigated by shielding and by designing the IHSM's payload such that critical components
such as CPUs are physically distant to the security mesh, preventing EM probes from being brought close.
Conducted EMI side-channels that could be used for power analysis can be mitigated by placing filters on the inside of
the security mesh at the point where the power and network connections penetrate the mesh~\cite{anderson2020}.
the security mesh at the point where the power and network connections penetrate the mesh~\cite{andersonSecurityEngineeringGuide2020}.
Finally, the API between the HSM's payload and the outside world provides attack surface. Attacks through the network
interface must be prevented as in any other networked system by only exposing the minimum necessary amount of API
surface to the outside world, and by carefully vetting this remaining attack surface~\cite{anderson2020}.
surface to the outside world, and by carefully vetting this remaining attack surface~\cite{andersonSecurityEngineeringGuide2020}.
IHSMs do not provide an inherent benefit against such contactless attacks. However, there are two mitigating factors in
play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using

7
chapter-sampling-mesh-monitor/chapter.tex
View file

@ -2,12 +2,12 @@
\chapterquote{Stewart Brand~\cite{internetarchiveWholeEarthCatalog1969}}{We are as gods and might as well get good at
it.}
\chaptertitle{High Fidelity Security Mesh Monitoring using Low-Cost, Embedded Time Domain Reflectometry}
\label{chapter_sampling_mesh_mon}
\section{Introduction}
\sourceattrib{This part is adapted from a paper written by me that will be presented by me at CHES
2026.}
\todo{FIXME: Proper citation in source attribution}
\sourceattrib{This chapter is adapted from a paper written by me that will be presented by me at CHES
2026~\cite{gotteHighFidelitySecurity2026}.}
Security meshes continue to be the state of the art for tamper sensing in applications where sophisticated physical
attacks such as attempts at drilling or sawing through the device's enclosure to place probes must be prevented. Common
applications for such meshes include Hardware Security Modules (HSMs) used to store and process cryptographic keys
@ -107,6 +107,7 @@ The contributions of our work are as follows:
\end{itemize}
\section{Related Work}
\label{sec_sampling_mesh_mon_related_work}
Tamper sensing meshes are used in numerous applications from Hardware Security Modules (HSMs) to card payment
terminals~\cite{andersonCryptographicProcessorsASurvey2006,tehranipoorHardwareSecurityPrimitives2023}. Despite their

1488
main.bib
View file

File diff suppressed because it is too large Load diff