jaseg/sampling-mesh-monitor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Include Konrad's feedback

Browse source
This commit is contained in:
jaseg 2025-09-30 17:59:04 +02:00
parent 4989092c72
commit 3377460791
1 changed files with 31 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

63
paper/paper.tex
View file

@ -386,12 +386,12 @@ fingerprinting technique aimed at detecting Hardware Trojans (HT) inserted into
fujimotoDemonstrationHTDetectionMethod2018, fujimotoDemonstrationHTDetectionMethod2018,
mosavirikImpedanceVerifOnChipImpedance2022}. mosavirikImpedanceVerifOnChipImpedance2022}.
Usually, all chips on a board are directly connected to the board's PDN. Thus, characterizing the board's PDN does not Usually, all chips on a board are directly connected to the board's PDN. Thus, characterizing the board's PDN does not
only yield information on possible modifications to the board's PDN itself such as modified traces or removed passive only yield information on possible modifications to the board's PDN itself---such as modified traces or removed passive
components such as capacitors, it also reflects information about the internal structure of any chips or other components---it also reflects information about the internal structure of chips connected to the PDN. Impedance analysis
components connected to the PDN. Impedance analysis techniques generally probe the circuit during operation using techniques generally probe the circuit during operation using high-frequency signals. They have been proven using an
high-frequency signals. They have been proven using an external Vector Network Analyzer in external Vector Network Analyzer in one-Port~\cite{mosavirikSiliconEchoesNonInvasive2023} configuration measuring
one-Port~\cite{mosavirikSiliconEchoesNonInvasive2023} configuration measuring reflected signal components as well as reflected signal components as well as using two or more ports measuring transmitted signal
using two or more ports measuring transmitted signal components~\cite{zhuPDNPulseSensingPCB2023}. Both Time Domain components~\cite{zhuPDNPulseSensingPCB2023}. Both Time Domain
Reflectometry~\cite{fujimotoDemonstrationHTDetectionMethod2018} and conventional frequency-domain VNA Reflectometry~\cite{fujimotoDemonstrationHTDetectionMethod2018} and conventional frequency-domain VNA
measurements~\cite{mosavirikImpedanceVerifOnChipImpedance2022} have been shown to be effective. From a signal theory measurements~\cite{mosavirikImpedanceVerifOnChipImpedance2022} have been shown to be effective. From a signal theory
point of view, both techniques can be considered equivalent. point of view, both techniques can be considered equivalent.
@ -413,16 +413,15 @@ preparation of a target chip for backside attacks using onboard measurements~\ci
that adapt the technique as an offensive tool for side-channel analysis (SCA) that adapt the technique as an offensive tool for side-channel analysis (SCA)
attacks~\cite{monfaredLeakyOhmSecretBits2023}. attacks~\cite{monfaredLeakyOhmSecretBits2023}.
The technique we propose in this work is related in that it also embeds a RF measurement circuit in a target board, and Similar to PDN impedance analysis, our proposed technique also embeds a RF measurement circuit in a target board. TDR
that TDR and frequency-domain VNA measurements resolve the same information about a target circuit from a signal theory and frequency-domain VNA measurements resolve the same information about a target circuit from a signal theory
perspective. Our system differs from the PDN impedance analysis literature in that it reaches a significantly higher perspective. Our system reaches a significantly higher bandwidth than embedded measurement setups from differs from PDN
bandwidth than other embedded measurement setups, and that our proposed tamper-sensing meshes are specifically built as impedance analysis literature, and that our proposed tamper-sensing meshes are specifically built as sensors. Our
sensors. Our technique is better suited to active tamper-sensing applications where the sensing circuit is continuously technique is better suited to active tamper-sensing applications where the sensing circuit is continuously powered. In
powered, since in contrast to PDN impedance analysis techniques that need the entire PDN to be powered, our proposed contrast to PDN impedance analysis techniques that need the entire PDN to be powered, our proposed technique can be
technique can be applied to protect an unpowered payload circuit. In a practical application, both PDN impedance applied to protect an unpowered payload circuit. In a practical application, both PDN impedance analysis and TDR-based
analysis and TDR-based tamper-sensing meshes could complement each other to form a comprehensive defense where PDN tamper-sensing meshes could complement each other to form a comprehensive defense where PDN impedance analysis checks
impedance analysis checks the core system's integrity, with TDR-based meshes covering everything outside the purview of the core system's integrity, with TDR-based meshes covering everything outside the purview of PDN impedance analysis.
PDN impedance analysis.
\color{black} \color{black}
@ -477,10 +476,10 @@ multiplexers.
\label{sec_system_design} \label{sec_system_design}
A typical system design for an HSM with TDR-based tamper sensing meshes would consist of a PCB assembly containing A typical system design for an HSM with TDR-based tamper sensing meshes would consist of a PCB assembly containing
payload components as well as the mesh monitoring circuit, and enclosed from all directions in rigid or flexible tamper payload components as well as the mesh monitoring circuit. Tamper-sensing meshes made from rigid or flexible PCBs would
sensing mesh PCBs. In this paper we propose meshes that have a ground plane, which would be on the outer side of the enclose this PCB assembly from all directions. In this paper we propose meshes that have a ground plane, which would be
mesh PCBs and shield electromagnetic interference from outside. Mesh monitoring would be battery powered and would on the outer side of the mesh PCBs and shield the system against electromagnetic interference. Mesh monitoring would be
periodically check for tamper attempts. battery powered and would periodically check for tamper attempts.
% FIXME cite IHSM paper % FIXME cite IHSM paper
@ -488,8 +487,8 @@ We consider an attacker motivated to extract the payload's secrets. Self-destruc
as tamper response against this type of attacker. Such an attacker might want to probe parts of the payload circuit as tamper response against this type of attacker. Such an attacker might want to probe parts of the payload circuit
using either conventional electrical contacts or using electromagnetic near-field probes that must be placed right on using either conventional electrical contacts or using electromagnetic near-field probes that must be placed right on
top of the feature to be probed. An attacker might further attempt to manipulate the payload circuit, such as by top of the feature to be probed. An attacker might further attempt to manipulate the payload circuit, such as by
removing capacitors to enable a later power sidechannel attack. In preparation for an optical fault-injection attack, an removing capacitors to enable a later power side-channel attack. In preparation for an optical fault-injection attack,
attacker might attempt decapsulating some of the payload circuit's ICs either using laser ablation or using chemical an attacker might attempt decapsulating some of the payload circuit's ICs either using laser ablation or using chemical
etching. An attacker might also attempt fault injection attacks using either electrical contacts or electromagnetic etching. An attacker might also attempt fault injection attacks using either electrical contacts or electromagnetic
fault injection probes near a target feature. fault injection probes near a target feature.
@ -1038,16 +1037,16 @@ Classification performance is indicated by the top right (2) and bottom left (3)
misclassification probability. Misclassification is likely when the top left (1) and top right (2) quadrants look alike. misclassification probability. Misclassification is likely when the top left (1) and top right (2) quadrants look alike.
Misclassification is less likely the more they differ. Misclassification is less likely the more they differ.
\color{highlightgreen} \color{highlightgreen}
Under each figure, we give the False Negative Rate (FNR), i.e. the rate of missed alarms, when the threshold is adjusted Under each figure, we give the False Negative Rate (FNR) when the threshold is adjusted for a False Positive Rate (FPR)
for a False Positive Rate, i.e. a false alarm rate, of $0.1\%$ as a reference point. We also provide the Crossover Error of $0.1\%$ as a reference point\footnote{We denote the rate of missed alarms as FNR and the false alarm rate as FPR.}.
Rate (CER) at which for some threshold FPR is equal to FNR. We calculate all error rates assuming the similarity scores We also provide the Crossover Error Rate (CER) at which for some threshold FPR is equal to FNR. We calculate all error
are normally distributed. We chose a reference point of $0.1\%$ FPR since it allows for a meaningful comparison based on rates assuming the similarity scores are normally distributed. We chose a reference point of $0.1\%$ FPR since it allows
the hundreds of measurements our data is based on. In a practical application, the end-to-end FPR of the alarm system for a meaningful comparison based on the hundreds of measurements our data is based on. In a practical application, the
would need to be significantly lower, probably in the range from $10^{-12}$ to $10^{-9}$ for a Mean Time Between Failures end-to-end FPR of the alarm system would need to be significantly lower, probably in the range from $10^{-12}$ to
(MTBF) of several years. A practical system would likely include additional components filtering the output of our $10^{-9}$ for a Mean Time Between Failures (MTBF) of several years. A practical system would likely include additional
proposed baseline classifier analyzing not just the last, but multiple previous measurements. Experimentally evaluating components filtering the output of our proposed baseline classifier analyzing not just the last, but multiple previous
a classifier to this degree of precision would require a large-scale experiment to account for the long tail of the measurements. Experimentally evaluating a classifier to this degree of precision would require a large-scale experiment
error distribution. to account for the long tail of the error distribution.
\color{black} \color{black}
Figure~\ref{fig_layout_identity_layout} compares several copies of the same mesh (top left quadrant, 1) to four variants Figure~\ref{fig_layout_identity_layout} compares several copies of the same mesh (top left quadrant, 1) to four variants