Improve sampling mesh monitor paper integration
parent
7ec5301db5
commit
c028e4bb55
2 changed files with 29 additions and 23 deletions
|
|
@ -3,6 +3,7 @@
|
|||
doing so than legitimate users are willing to spend routinely!
|
||||
}
|
||||
\chaptertitle{Inertial Hardware Security Modules}
|
||||
\label{chapter-ihsm}
|
||||
|
||||
\section{Introduction}
|
||||
|
||||
|
|
|
|||
|
|
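Review bot: the new `\label{chapter-ihsm}` only yields a chapter number if `\chaptertitle` steps the chapter counter (wraps `\chapter` or calls `\refstepcounter{chapter}`); if it is a plain formatting macro, `Chapter~\ref{chapter-ihsm}` in the other file will print whatever counter was stepped last. Check the macro definition, or put the label directly after the real `\chapter` call.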
@ -22,7 +22,8 @@ lower-security applications such as card payment terminals, simpler approaches a
|
|||
implementation. Often, standard copper/polyimide Flexible Printed Circuits (FPCs) or even standard Printed Circuit
|
||||
Boards (PCBs) are used because of the wide availability of manufacturing services.
|
||||
|
||||
Several academic approaches exist that target low-cost~\cite{
|
||||
Inertial HSMs are one approach that enables the use of less expensive, commodity materials in high-security
|
||||
applications. Several other academic approaches exist that target low-cost~\cite{
|
||||
vasileActiveTamperDetection2017,
|
||||
vasileTemperatureSensitiveActive2017,
|
||||
dupontMiniaturizedUltraLowPowerTamper2022,
|
||||
|
|
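Review bot: the new opening sentence introduces inertial HSMs without telling the reader where they are defined; since this very commit adds `\label{chapter-ihsm}`, a cross-reference such as `Inertial HSMs (Chapter~\ref{chapter-ihsm}) are one approach ...` would close that gap. The `\cite{` left open at the end of the second added line relies on the citation keys and closing brace in the unchanged context below, which are untouched, so that part is fine.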
@ -54,10 +55,11 @@ specialty components.
|
|||
\end{figure}
|
||||
|
||||
To enable the use of less expensive, commodity materials such as Printed Circuit Boards (PCBs) without compromising
|
||||
security, mesh integrity must be monitored with high fidelity. In this paper, we present a low-cost monitoring circuit
|
||||
security, mesh integrity must be monitored with high fidelity. In this chapter, we present a low-cost monitoring circuit
|
||||
for security meshes that combines Time Domain Reflectometry (TDR) with equivalent time sampling. Our approach provides
|
||||
high measurement fidelity and enables the use of meshes made from less expensive materials in high-security
|
||||
applications.
|
||||
applications. Our design directly applies to IHSM implementations, and complements the security offered by the IHSM's
|
||||
mechanical motion.
|
||||
|
||||
Our circuit generates a very fast pulse with a rise time lower than \qty{200}{\pico\second} that is broadcast into the
|
||||
mesh. While the pulse traverses the mesh, parts of its energy are reflected on imperfections inside the mesh, including
|
||||
|
|
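Review bot: the added sentence "Our design directly applies to IHSM implementations, and complements the security offered by the IHSM's mechanical motion." asserts complementarity without saying what it consists of; one clause stating what the mesh monitor detects that the mechanical motion alone does not would make the claim checkable. Also drop the comma before "and": both verbs share the subject "Our design".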
@ -326,9 +328,9 @@ length.
|
|||
|
||||
\subsection{Attacks on a Security Mesh Viewed Using TDR}
|
||||
|
||||
In this paper, we apply TDR to monitor a security mesh for changes caused by an attack. Our prototype setup consists of
|
||||
a custom circuit board containing a low-cost embedded TDR frontend that can be connected to a security mesh specimen to
|
||||
measure its response, creating a fingerprint of the mesh. In a standard PCB manufacturing process, we construct a
|
||||
In this chapter, we apply TDR to monitor a security mesh for changes caused by an attack. Our prototype setup consists
|
||||
of a custom circuit board containing a low-cost embedded TDR frontend that can be connected to a security mesh specimen
|
||||
to measure its response, creating a fingerprint of the mesh. In a standard PCB manufacturing process, we construct a
|
||||
security mesh with a ground plane underneath that works similarly to previous work~\cite{
|
||||
immlerBTREPIDBatterylessTamperresistant2018,
|
||||
obermaierMeasurementSystemCapacitive2018,
|
||||
|
|
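Review bot: the paper-to-chapter substitution is correct, but reflowing the paragraph to the fill column turns a one-word change into three replaced lines, which buries the real edit in review and in `git blame`. Either keep line breaks stable for wording-only changes, or define a macro (for example a `\thisdoc` that expands to "paper" or "chapter") so future re-targeting needs no text edits at all.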
@ -365,9 +367,9 @@ multiplexers.
|
|||
|
||||
A typical system design for an HSM with TDR-based tamper sensing meshes would consist of a PCB assembly containing
|
||||
payload components as well as the mesh monitoring circuit. Tamper-sensing meshes made from rigid or flexible PCBs would
|
||||
enclose this PCB assembly from all directions. In this paper we propose meshes that have a ground plane, which would be
|
||||
on the outer side of the mesh PCBs and shield the system against electromagnetic interference. Mesh monitoring would be
|
||||
battery powered and would periodically check for tamper attempts.
|
||||
enclose this PCB assembly from all directions. In this chapter we propose meshes that have a ground plane, which would
|
||||
be on the outer side of the mesh PCBs and shield the system against electromagnetic interference. Mesh monitoring would
|
||||
be battery powered and would periodically check for tamper attempts.
|
||||
|
||||
We consider an attacker motivated to extract the payload's secrets. Self-destruction by deleting secrets would suffice
|
||||
as tamper response against this type of attacker. Such an attacker might want to probe parts of the payload circuit
|
||||
|
|
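Review bot: consistency with the introduction: the introduction hunk now states the design "directly applies to IHSM implementations", but the system design described here (a static PCB assembly enclosed by mesh PCBs from all directions, battery-powered periodic checks) says nothing about how the monitoring circuit is placed or powered on an IHSM's moving mesh. A sentence covering that case, or a pointer to where it is discussed, would keep the two passages in step.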
@ -397,8 +399,8 @@ attack tools, or specialized tools for large-scale industrial manufacturing such
|
|||
A TDR can be broken down into three basic components: A source of fast stimulus pulses (or edges!), a coupler that
|
||||
separates stimulus pulses and their reflection at the output, and a fast ADC to capture the reflections.
|
||||
|
||||
Figure\ \ref{fig_block_diagram} shows a block diagram of our design\footnote{Full schematics are available in this
|
||||
paper's supplementary material.}. At the core of our design lies an equivalent time sampling setup, where two
|
||||
Figure\ \ref{fig_block_diagram} shows a block diagram of our design\footnote{Full schematics are available in the
|
||||
supplementary material of this thesis.}. At the core of our design lies an equivalent time sampling setup, where two
|
||||
diode bridge sampling gates alternately sample the two traces of the mesh.
|
||||
Since physical attacks happen on a time scale of minutes or hours, we do not need a fast acquisition rate. Equivalent
|
||||
time sampling uses fast sampling gates to sample a high-frequency signal at a low frequency that is suitable for direct
|
||||
|
|
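Review bot: "the supplementary material of this thesis" is vaguer than the original "this paper's supplementary material", since a thesis normally has no conference-style supplementary package. Point the footnote at a concrete location, such as an appendix via `\ref` or a repository URL, so a reader can actually find the full schematics.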
@ -444,7 +446,7 @@ determines the pulse width.
|
|||
|
||||
We evaluated multiple options for the pulse shaping amplifier in our design. For both sampling and stimulus, we work
|
||||
with fully differential signals, so Current Mode Logic (CML) devices, which are widely used in high-speed logic, are a
|
||||
natural fit. We settled on four parts for evaluation in this paper: A \partno{74LVC2G157} standard logic IC, two
|
||||
natural fit. We settled on four parts for evaluation in this chapter: A \partno{74LVC2G157} standard logic IC, two
|
||||
HDMI/DisplayPort redrivers, \partno{PI3HDX12211} and \partno{TDP0604}, as well as \partno{MAX3748}, a limiting amplifier
|
||||
for optical networking. Figure\ \ref{fig_pic_amps} shows the four hand-soldered prototypes. We avoided specialty parts
|
||||
such as the CML-output comparators made by Analog Devices due to cost.
|
||||
|
|
@ -798,8 +800,8 @@ lines here and for \partno{TDP0604} since the other amplifiers' output did not c
|
|||
\qty{26}{\nano\second}\\
|
||||
\end{tabular}
|
||||
\end{center}
|
||||
\caption{Specifications of mesh test specimens used in the experiments in this paper. Approximate signal delays were
|
||||
calculated using wave velocity
|
||||
\caption{Specifications of mesh test specimens used in the experiments in this chapter. Approximate signal delays
|
||||
were calculated using wave velocity
|
||||
$v=\frac{c}{\sqrt{\epsilon_r}}\approx\frac{c}{2}$~\cite{wheelerTransmissionLinePropertiesParallel1965} assuming
|
||||
$\epsilon_r\approx 4$~\cite{mumbyDielectricPropertiesFR41989} for the test specimens' \partno{FR-4} substrate.}
|
||||
\label{tab_mesh_spec}
|
||||
|
|
@ -939,7 +941,7 @@ might be sensitive enough to pick up on manufacturing variations from one copy t
|
|||
evaluate this scenario, in Figure~\ref{fig_layout_identity_identity} we show the result of repeated measurements of
|
||||
three copies of the same mesh. The measurements were taken interleaved ($1, 2, 3, 1, 2, \hdots$) to exclude systematic
|
||||
errors. We found our system can indeed distinguish multiple copies of the same mesh at a 1.7\% FNR at 0.1\% FPR. We
|
||||
leave a detailed analysis of this effect to future work. For the scope of this paper, the presence of this effect
|
||||
leave a detailed analysis of this effect to future work. For the scope of this chapter, the presence of this effect
|
||||
indicates good performance of our design, and increases the detection efficiency of our approach.
|
||||
|
||||
\begin{figure}
|
||||
|
|
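Review bot: the last added line's claim that distinguishing copies of the same mesh "increases the detection efficiency of our approach" sits uneasily with the preceding "We leave a detailed analysis of this effect to future work": an effect that is not yet analysed cannot be credited with improving detection. The measured 1.7\% FNR at 0.1\% FPR supports "the system is sensitive enough to tell copies apart"; consider limiting the sentence to that, or stating how per-copy sensitivity translates into detecting tampering.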
@ -1214,7 +1216,7 @@ classification performance remaining approximately constant at 69.0\% FNR at 0.1
|
|||
\hspace*{2mm}
|
||||
\caption{Classifier similarity scores of measurements in different environments, 10
|
||||
measurements each. For scale, measurements from Figure~\ref{fig_patch_large_scale} are included on the
|
||||
bottom/right. FNR 69.0\% at 0.1\% FPR, CER=22\%.}
|
||||
bottom/right. FNR 69.0\% at 0.1\% FPR, CER=22\%.}~
|
||||
\label{fig_env_covar}
|
||||
\end{figure}
|
||||
|
||||
|
|
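Review bot: the `~` appended after the closing brace of `\caption{...}` looks accidental. Inside the figure environment that tie becomes a non-breaking space that opens a paragraph between the caption and `\label{fig_env_covar}`, adding spurious vertical space while gaining nothing (the label still binds to the caption either way). Revert the line to `bottom/right. FNR 69.0\% at 0.1\% FPR, CER=22\%.}`.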
@ -1264,8 +1266,8 @@ timing to focus attention on the parts of the response signal that are most susc
|
|||
single-shot classifier that only observes measurements in isolation to a more advanced approach that considers the full
|
||||
history of measurements during the mesh's lifetime would also likely improve performance.
|
||||
|
||||
\paragraph{Auxiliary applications.} The low-cost, embedded TDR frontend presented in this paper could be used for other
|
||||
monitoring tasks from tamper sensing to system health monitoring. For instance,
|
||||
\paragraph{Auxiliary applications.} The low-cost, embedded TDR frontend presented in this chapter could be used for
|
||||
other monitoring tasks from tamper sensing to system health monitoring. For instance,
|
||||
\textcite{vaiSecureArchitectureEmbedded2015} propose checking the integrity of a PCBA using an external Vector Network
|
||||
Analyzer (VNA) attached to test points on the PCBA's Power Distribution Network (PDN). TDR can produce fingerprints
|
||||
similar to a VNA and it would be interesting to measure parts of the secure subsystem other than its security mesh using
|
||||
|
|
@ -1278,10 +1280,10 @@ it indeed rises to the level of a PUF in entropy and repeatability.
|
|||
|
||||
\section{Conclusion}
|
||||
|
||||
In this paper, we presented a design for a low-cost frontend for integrity monitoring of security meshes in applications
|
||||
such as HSMs based on the principles of sub-nanosecond Time Domain Reflectometry. Our design repurposes an inexpensive
|
||||
HDMI redriver IC and uses a microwave clip line to form fast pulses for TDR sampling. Our design creates a detailed
|
||||
fingerprint of the intact mesh's condition that not only captures the length of the mesh's traces but that can
|
||||
In this chapter, we presented a design for a low-cost frontend for integrity monitoring of security meshes in
|
||||
applications such as HSMs based on the principles of sub-nanosecond Time Domain Reflectometry. Our design repurposes an
|
||||
inexpensive HDMI redriver IC and uses a microwave clip line to form fast pulses for TDR sampling. Our design creates a
|
||||
detailed fingerprint of the intact mesh's condition that not only captures the length of the mesh's traces but that can
|
||||
distinguish copies of the same mesh.
|
||||
|
||||
We have demonstrated our prototype circuit's capability to reliably detect and distinguish a wide range of practical
|
||||
|
|
@ -1290,5 +1292,8 @@ detecting tiny, micro-soldered patch wires.
|
|||
|
||||
Compared to the state of the art, our approach enables the monitoring of larger meshes, at higher sensitivity and lower
|
||||
cost. Our is easy to replicate, does not require any specialized or custom components, and unlocks high-security
|
||||
applications for security meshes made using low-cost, standard PCB manufacturing processes.
|
||||
applications for security meshes made using low-cost, standard PCB manufacturing processes. The improved monitoring
|
||||
approach we presented in this chapter directly complements the IHSM concept we introduced in Chapter~\ref{chapter-ihsm}.
|
||||
Both designs can be combined into a joint system that provides a level of tamper resistance beyond the state of the art
|
||||
in both acadmic designs and in commercial offerings.
|
||||
|
||||
|
|
|
|||
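Review bot: typo in the last added line, "acadmic" should be "academic"; the unchanged context line "Our is easy to replicate" is also missing its noun ("Our design is easy to replicate") and is worth fixing while this paragraph is being edited. The new claim that the combined system provides tamper resistance "beyond the state of the art in both academic designs and in commercial offerings" is not evaluated anywhere in this hunk; either cite where the joint system is assessed or soften it to what was shown (that the two designs can be combined, with the mesh monitor adding the improved sensitivity reported here). "in both acadmic designs and in commercial offerings" also repeats "in"; "in both academic designs and commercial offerings" reads better.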