From c028e4bb55f79a8b8f06da4275612898cd890f7d Mon Sep 17 00:00:00 2001 From: jaseg Date: Thu, 23 Oct 2025 18:57:56 +0200 Subject: [PATCH] Improve sampling mesh monitor paper integration --- chapter-ihsm/chapter.tex | 1 + chapter-sampling-mesh-monitor/chapter.tex | 51 +++++++++++++---------- 2 files changed, 29 insertions(+), 23 deletions(-) diff --git a/chapter-ihsm/chapter.tex b/chapter-ihsm/chapter.tex index db0a9f7..e815a45 100644 --- a/chapter-ihsm/chapter.tex +++ b/chapter-ihsm/chapter.tex @@ -3,6 +3,7 @@ doing so than legitimate users are willing to spend routinely! } \chaptertitle{Inertial Hardware Security Modules} +\label{chapter-ihsm} \section{Introduction} diff --git a/chapter-sampling-mesh-monitor/chapter.tex b/chapter-sampling-mesh-monitor/chapter.tex index 4eeaa28..05384aa 100644 --- a/chapter-sampling-mesh-monitor/chapter.tex +++ b/chapter-sampling-mesh-monitor/chapter.tex @@ -22,7 +22,8 @@ lower-security applications such as card payment terminals, simpler approaches a implementation. Often, standard copper/polyimide Flexible Printed Circuits (FPCs) or even standard Printed Circuit Boards (PCBs) are used because of the wide availability of manufacturing services. -Several academic approaches exist that target low-cost~\cite{ +Inertial HSMs are one approach that enables the use of less expensive, commodity materials in high-security +applications. Several other academic approaches exist that target low-cost~\cite{ vasileActiveTamperDetection2017, vasileTemperatureSensitiveActive2017, dupontMiniaturizedUltraLowPowerTamper2022, 
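Review bot: the new sentence in the @@ -22,7 hunk introduces "Inertial HSMs" without a cross-reference or acronym, while the later @@ -54 hunk uses "IHSM" unexpanded and the conclusion refers to Chapter~\ref{chapter-ihsm}; expand and link at first mention, e.g. "Inertial HSMs (IHSMs, Chapter~\ref{chapter-ihsm}) are one approach that enables the use of less expensive, commodity materials". For the \label{chapter-ihsm} added after \chaptertitle{Inertial Hardware Security Modules} in chapter-ihsm/chapter.tex, check that \chaptertitle actually issues \chapter (or \refstepcounter{chapter}); if it is a plain title macro the label binds to whatever counter was stepped last and Chapter~\ref{chapter-ihsm} prints the wrong number, in which case the label should go directly after the \chapter command.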
@@ -54,10 +55,11 @@ specialty components. \end{figure} To enable the use of less expensive, commodity materials such as Printed Circuit Boards (PCBs) without compromising -security, mesh integrity must be monitored with high fidelity. In this paper, we present a low-cost monitoring circuit +security, mesh integrity must be monitored with high fidelity. In this chapter, we present a low-cost monitoring circuit for security meshes that combines Time Domain Reflectometry (TDR) with equivalent time sampling. Our approach provides high measurement fidelity and enables the use of meshes made from less expensive materials in high-security -applications. +applications. Our design directly applies to IHSM implementations, and complements the security offered by the IHSM's +mechanical motion. Our circuit generates a very fast pulse with a rise time lower than \qty{200}{\pico\second} that is broadcast into the mesh. While the pulse traverses the mesh, parts of its energy are reflected on imperfections inside the mesh, including 
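Review bot: the added claim "Our design directly applies to IHSM implementations, and complements the security offered by the IHSM's mechanical motion" in the @@ -54 hunk is asserted without support at this point; since the chapter's experiments use static mesh specimens, either point to the section that argues how the TDR frontend carries over to a moving mesh, or soften to "we expect our design to apply to IHSM implementations". Also drop the comma before "and complements" (one subject, compound predicate).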
@@ -326,9 +328,9 @@ length. \subsection{Attacks on a Security Mesh Viewed Using TDR} -In this paper, we apply TDR to monitor a security mesh for changes caused by an attack. Our prototype setup consists of -a custom circuit board containing a low-cost embedded TDR frontend that can be connected to a security mesh specimen to -measure its response, creating a fingerprint of the mesh. In a standard PCB manufacturing process, we construct a +In this chapter, we apply TDR to monitor a security mesh for changes caused by an attack. Our prototype setup consists +of a custom circuit board containing a low-cost embedded TDR frontend that can be connected to a security mesh specimen +to measure its response, creating a fingerprint of the mesh. In a standard PCB manufacturing process, we construct a security mesh with a ground plane underneath that works similarly to previous work~\cite{ immlerBTREPIDBatterylessTamperresistant2018, obermaierMeasurementSystemCapacitive2018, 
@@ -365,9 +367,9 @@ multiplexers. A typical system design for an HSM with TDR-based tamper sensing meshes would consist of a PCB assembly containing payload components as well as the mesh monitoring circuit. Tamper-sensing meshes made from rigid or flexible PCBs would -enclose this PCB assembly from all directions. In this paper we propose meshes that have a ground plane, which would be -on the outer side of the mesh PCBs and shield the system against electromagnetic interference. Mesh monitoring would be -battery powered and would periodically check for tamper attempts. +enclose this PCB assembly from all directions. In this chapter we propose meshes that have a ground plane, which would +be on the outer side of the mesh PCBs and shield the system against electromagnetic interference. Mesh monitoring would +be battery powered and would periodically check for tamper attempts. We consider an attacker motivated to extract the payload's secrets. Self-destruction by deleting secrets would suffice as tamper response against this type of attacker. Such an attacker might want to probe parts of the payload circuit 
@@ -397,8 +399,8 @@ attack tools, or specialized tools for large-scale industrial manufacturing such A TDR can be broken down into three basic components: A source of fast stimulus pulses (or edges!), a coupler that separates stimulus pulses and their reflection at the output, and a fast ADC to capture the reflections. -Figure\ \ref{fig_block_diagram} shows a block diagram of our design\footnote{Full schematics are available in this -paper's supplementary material.}. At the core of our design lies an equivalent time sampling setup, where two +Figure\ \ref{fig_block_diagram} shows a block diagram of our design\footnote{Full schematics are available in the +supplementary material of this thesis.}. At the core of our design lies an equivalent time sampling setup, where two diode bridge sampling gates alternately sample the two traces of the mesh. Since physical attacks happen on a time scale of minutes or hours, we do not need a fast acquisition rate. Equivalent time sampling uses fast sampling gates to sample a high-frequency signal at a low frequency that is suitable for direct @@ -444,7 +446,7 @@ determines the pulse width. We evaluated multiple options for the pulse shaping amplifier in our design. For both sampling and stimulus, we work with fully differential signals, so Current Mode Logic (CML) devices, which are widely used in high-speed logic, are a -natural fit. We settled on four parts for evaluation in this paper: A \partno{74LVC2G157} standard logic IC, two +natural fit. We settled on four parts for evaluation in this chapter: A \partno{74LVC2G157} standard logic IC, two HDMI/DisplayPort redrivers, \partno{PI3HDX12211} and \partno{TDP0604}, as well as \partno{MAX3748}, a limiting amplifier for optical networking. Figure\ \ref{fig_pic_amps} shows the four hand-soldered prototypes. We avoided specialty parts such as the CML-output comparators made by Analog Devices due to cost. 
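Review bot: the footnote in the @@ -397 hunk now reads "Full schematics are available in the supplementary material of this thesis", but a thesis has no journal-style supplementary material; replace it with something a reader can locate, e.g. an appendix reference (\ref{...}) or the repository URL where the schematics are published, so the footnote does not become a dangling pointer after the paper-to-chapter conversion.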
@@ -798,8 +800,8 @@ lines here and for \partno{TDP0604} since the other amplifiers' output did not c \qty{26}{\nano\second}\\ \end{tabular} \end{center} - \caption{Specifications of mesh test specimens used in the experiments in this paper. Approximate signal delays were - calculated using wave velocity + \caption{Specifications of mesh test specimens used in the experiments in this chapter. Approximate signal delays + were calculated using wave velocity $v=\frac{c}{\sqrt{\epsilon_r}}\approx\frac{c}{2}$~\cite{wheelerTransmissionLinePropertiesParallel1965} assuming $\epsilon_r\approx 4$~\cite{mumbyDielectricPropertiesFR41989} for the test specimens' \partno{FR-4} substrate.} \label{tab_mesh_spec} @@ -939,7 +941,7 @@ might be sensitive enough to pick up on manufacturing variations from one copy t evaluate this scenario, in Figure~\ref{fig_layout_identity_identity} we show the result of repeated measurements of three copies of the same mesh. The measurements were taken interleaved ($1, 2, 3, 1, 2, \hdots$) to exclude systematic errors. We found our system can indeed distinguish multiple copies of the same mesh at a 1.7\% FNR at 0.1\% FPR. We -leave a detailed analysis of this effect to future work. For the scope of this paper, the presence of this effect +leave a detailed analysis of this effect to future work. For the scope of this chapter, the presence of this effect indicates good performance of our design, and increases the detection efficiency of our approach. \begin{figure} @@ -1214,7 +1216,7 @@ classification performance remaining approximately constant at 69.0\% FNR at 0.1 \hspace*{2mm} \caption{Classifier similarity scores of measurements in different environments, 10 measurements each. For scale, measurements from Figure~\ref{fig_patch_large_scale} are included on the - bottom/right. FNR 69.0\% at 0.1\% FPR, CER=22\%.} + bottom/right. FNR 69.0\% at 0.1\% FPR, CER=22\%.}~ \label{fig_env_covar} \end{figure} 
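Review bot: the `~` appended after the closing brace of \caption in the @@ -1214 hunk ("FNR 69.0\% at 0.1\% FPR, CER=22\%.}~") looks accidental; it emits a non-breaking space outside the caption, which leaves a stray paragraph of horizontal space between \caption and \label inside the figure environment. The line should end at the closing brace as it did before: "bottom/right. FNR 69.0\% at 0.1\% FPR, CER=22\%.}". The @@ -798 and @@ -939 hunks are pure reflow and wording and look fine.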
@@ -1264,8 +1266,8 @@ timing to focus attention on the parts of the response signal that are most susc single-shot classifier that only observes measurements in isolation to a more advanced approach that considers the full history of measurements during the mesh's lifetime would also likely improve performance. -\paragraph{Auxiliary applications.} The low-cost, embedded TDR frontend presented in this paper could be used for other -monitoring tasks from tamper sensing to system health monitoring. For instance, +\paragraph{Auxiliary applications.} The low-cost, embedded TDR frontend presented in this chapter could be used for +other monitoring tasks from tamper sensing to system health monitoring. For instance, \textcite{vaiSecureArchitectureEmbedded2015} propose checking the integrity of a PCBA using an external Vector Network Analyzer (VNA) attached to test points on the PCBA's Power Distribution Network (PDN). TDR can produce fingerprints similar to a VNA and it would be interesting to measure parts of the secure subsystem other than its security mesh using 
@@ -1278,10 +1280,10 @@ it indeed rises to the level of a PUF in entropy and repeatability. \section{Conclusion} -In this paper, we presented a design for a low-cost frontend for integrity monitoring of security meshes in applications -such as HSMs based on the principles of sub-nanosecond Time Domain Reflectometry. Our design repurposes an inexpensive -HDMI redriver IC and uses a microwave clip line to form fast pulses for TDR sampling. Our design creates a detailed -fingerprint of the intact mesh's condition that not only captures the length of the mesh's traces but that can +In this chapter, we presented a design for a low-cost frontend for integrity monitoring of security meshes in +applications such as HSMs based on the principles of sub-nanosecond Time Domain Reflectometry. Our design repurposes an +inexpensive HDMI redriver IC and uses a microwave clip line to form fast pulses for TDR sampling. Our design creates a +detailed fingerprint of the intact mesh's condition that not only captures the length of the mesh's traces but that can distinguish copies of the same mesh. We have demonstrated our prototype circuit's capability to reliably detect and distinguish a wide range of practical 
@@ -1290,5 +1292,8 @@ detecting tiny, micro-soldered patch wires. Compared to the state of the art, our approach enables the monitoring of larger meshes, at higher sensitivity and lower cost. Our is easy to replicate, does not require any specialized or custom components, and unlocks high-security -applications for security meshes made using low-cost, standard PCB manufacturing processes. +applications for security meshes made using low-cost, standard PCB manufacturing processes. The improved monitoring +approach we presented in this chapter directly complements the IHSM concept we introduced in Chapter~\ref{chapter-ihsm}. +Both designs can be combined into a joint system that provides a level of tamper resistance beyond the state of the art +in both acadmic designs and in commercial offerings.
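Review bot: in the @@ -1290 hunk, "acadmic" should be "academic", and since the paragraph is being touched anyway, the context line "Our is easy to replicate" is missing its subject (presumably "Our design is easy to replicate"). The new closing claim that a combined system "provides a level of tamper resistance beyond the state of the art in both academic designs and in commercial offerings" is not backed by any evaluation of a combined system in this chapter; hedge it, e.g. "we expect both designs to combine into a joint system that raises tamper resistance beyond ...", or state concretely which property of each design the other covers.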