jaseg/sampling-mesh-monitor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Rework WIP

Browse source
This commit is contained in:
jaseg 2025-04-08 21:26:16 +02:00
parent b92610db63
commit b4021b0eb6
6 changed files with 368 additions and 281 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
paper/block_diagram.pdf
View file

Binary file not shown.

214
paper/block_diagram.svg
View file

@ -25,9 +25,9 @@
inkscape:deskcolor="#d1d1d1"
inkscape:document-units="mm"
showguides="true"
inkscape:zoom="0.78074963"
inkscape:cx="682.03683"
inkscape:cy="263.20858"
inkscape:zoom="1.1041467"
inkscape:cx="1284.7024"
inkscape:cy="600.46366"
inkscape:window-width="3840"
inkscape:window-height="2091"
inkscape:window-x="0"
@ -398,9 +398,9 @@
transform="matrix(0.26458333,0,0,0.26458333,40.073512,-16.292442)"
id="text18"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect19);display:inline"><tspan
x="775.70433"
y="325.50328"
id="tspan5">PI3HDX12211</tspan></text>
x="775.66435"
y="324.67931"
id="tspan40">PI3HDX12211</tspan></text>
</g>
<g
id="g39" />
@ -529,27 +529,27 @@
x="-79.89341"
y="0"><tspan
x="746.53906"
y="325.50328"
id="tspan7"><tspan
style="text-align:start;text-anchor:start"
id="tspan6">Clip Line
y="324.67931"
id="tspan42"><tspan
style="text-align:start"
id="tspan41">Clip Line
</tspan></tspan><tspan
x="746.53906"
y="358.83666"
id="tspan9"><tspan
style="text-align:start;text-anchor:start"
id="tspan8">Pulse Shaping</tspan></tspan></text>
y="358.01269"
id="tspan44"><tspan
style="text-align:start"
id="tspan43">Pulse Shaping</tspan></tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,81.948676,189.12517)"
id="text53"
style="font-style:normal;font-variant:normal;font-weight:600;font-stretch:normal;font-size:32px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro Semi-Bold';text-align:center;white-space:pre;shape-inside:url(#rect53);display:inline"><tspan
x="785.56436"
y="330.16992"
id="tspan10">Sampling </tspan><tspan
x="812.28436"
y="370.16992"
id="tspan11">Gates</tspan></text>
x="785.43634"
y="329.18116"
id="tspan45">Sampling </tspan><tspan
x="812.20438"
y="369.18116"
id="tspan46">Gates</tspan></text>
<g
id="g55"
transform="translate(-229.70933,-22.370647)">
@ -580,16 +580,16 @@
id="text60"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect60);display:inline"><tspan
x="788.2203"
y="325.50328"
id="tspan12">BAT17-04W</tspan></text>
y="324.67931"
id="tspan47">BAT17-04W</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,50.646671,229.58019)"
id="text61"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect61);display:inline"><tspan
x="784.99359"
y="325.50328"
id="tspan13">RF Schottky</tspan></text>
x="784.92689"
y="324.67931"
id="tspan48">RF Schottky</tspan></text>
</g>
<g
id="g67"
@ -882,12 +882,12 @@
transform="matrix(0.26458333,0,0,0.26458333,141.89071,189.12517)"
id="text101"
style="font-style:normal;font-variant:normal;font-weight:600;font-stretch:normal;font-size:32px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro Semi-Bold';text-align:center;white-space:pre;shape-inside:url(#rect101);display:inline"><tspan
x="751.22833"
y="330.16992"
id="tspan14">Post-Sampling </tspan><tspan
x="787.5484"
y="370.16992"
id="tspan15">Amplifier</tspan></text>
x="751.03632"
y="329.18116"
id="tspan49">Post-Sampling </tspan><tspan
x="787.32437"
y="369.18116"
id="tspan50">Amplifier</tspan></text>
<g
id="g112"
transform="matrix(0,1,1,0,205.41682,-36.104534)">
@ -994,24 +994,24 @@
id="rect119"
width="80.347801"
height="89.451492"
x="438.88074"
x="445.11105"
y="143.6774" />
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,147.10958,-59.532796)"
id="text20"
style="font-style:normal;font-variant:normal;font-weight:600;font-stretch:normal;font-size:32px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro Semi-Bold';text-align:center;white-space:pre;shape-inside:url(#rect21-8);display:inline"><tspan
x="773.49756"
y="330.16992"
id="tspan16">Pulse Amplifier</tspan></text>
x="773.17755"
y="329.18116"
id="tspan51">Pulse Amplifier</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,260.35802,139.98304)"
id="text18-2"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect19-0);display:inline"><tspan
x="784.97103"
y="325.50328"
id="tspan17">STM32G474</tspan></text>
y="324.67931"
id="tspan52">STM32G474</tspan></text>
<path
style="fill:#ffffff;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 449.9409,72.391413 v 19.77279 l -17.12372,-9.8864 17.12372,-9.88639"
@ -1032,24 +1032,24 @@
transform="matrix(0.26458333,0,0,0.26458333,246.62564,-38.586937)"
id="text121"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect121-3);display:inline"><tspan
x="782.22437"
y="325.50328"
id="tspan18">74LVC2G157</tspan></text>
x="782.21101"
y="324.67931"
id="tspan53">74LVC2G157</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,213.9914,15.09284)"
id="text122"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect122-8);display:inline"><tspan
x="775.58427"
y="325.50328"
id="tspan19">Single-Ended
x="775.55761"
y="324.67931"
id="tspan54">Single-Ended
</tspan><tspan
x="773.85099"
y="358.83666"
id="tspan20">to Differential </tspan><tspan
x="787.14429"
y="392.17003"
id="tspan21">Conversion</tspan></text>
x="773.75766"
y="358.01269"
id="tspan55">to Differential </tspan><tspan
x="787.10431"
y="391.34606"
id="tspan56">Conversion</tspan></text>
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 449.9409,52.743293 h 29.11374"
@ -1085,15 +1085,15 @@
transform="matrix(0.26458333,0,0,0.26458333,300.87774,-0.17833149)"
id="text127"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect127);display:inline"><tspan
x="773.23937"
y="325.50328"
id="tspan22">Adjustable </tspan><tspan
x="790.70608"
y="358.83666"
id="tspan23">Voltage </tspan><tspan
x="778.07939"
y="392.17003"
id="tspan24">Regulator</tspan></text>
x="773.21267"
y="324.67931"
id="tspan57">Adjustable </tspan><tspan
x="790.66605"
y="358.01269"
id="tspan58">Voltage </tspan><tspan
x="778.02606"
y="391.34606"
id="tspan59">Regulator</tspan></text>
</g>
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000;stop-opacity:1"
@ -1134,12 +1134,12 @@
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect52-1);display:inline"
x="-79.89341"
y="0"><tspan
x="762.26601"
y="325.50328"
id="tspan25">Resistive </tspan><tspan
x="770.09274"
y="358.83666"
id="tspan26">Splitter</tspan></text>
x="762.19936"
y="324.67931"
id="tspan60">Resistive </tspan><tspan
x="770.03938"
y="358.01269"
id="tspan61">Splitter</tspan></text>
<g
id="g133"
transform="translate(-6.5830348,11.489136)">
@ -1547,9 +1547,9 @@
style="font-style:normal;font-variant:normal;font-weight:600;font-stretch:normal;font-size:32px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro Semi-Bold';text-align:center;white-space:pre;shape-inside:url(#rect203);display:inline"
x="-79.89341"
y="0"><tspan
x="769.06436"
y="330.16992"
id="tspan27">Signal Routing &amp; Termination</tspan></text>
x="768.60022"
y="329.18116"
id="tspan62">Signal Routing &amp; Termination</tspan></text>
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 186.08218,116.70594 v 77.91722"
@ -1791,56 +1791,56 @@
style="font-style:normal;font-variant:normal;font-weight:600;font-stretch:normal;font-size:32px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro Semi-Bold';text-align:center;white-space:pre;shape-inside:url(#rect52-1-6);display:inline"
x="-79.89341"
y="0"><tspan
x="775.23676"
y="330.16992"
id="tspan29"><tspan
x="775.17279"
y="329.18116"
id="tspan64"><tspan
style="text-anchor:middle"
id="tspan28">Mesh </tspan></tspan><tspan
x="749.89282"
y="370.16992"
id="tspan31"><tspan
id="tspan63">Mesh </tspan></tspan><tspan
x="749.71677"
y="369.18116"
id="tspan66"><tspan
style="text-anchor:middle"
id="tspan30">Interface</tspan></tspan></text>
id="tspan65">Interface</tspan></tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,231.8298,99.725273)"
id="text121-1"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect121-3-4);display:inline"><tspan
x="826.95772"
y="325.50328"
id="tspan32">ADC</tspan></text>
x="826.9444"
y="324.67931"
id="tspan67">ADC</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,243.31841,76.869993)"
id="text256"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect257);display:inline"><tspan
x="813.58437"
y="325.50328"
id="tspan33">HRTIM</tspan></text>
x="813.57104"
y="324.67931"
id="tspan68">HRTIM</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,234.88125,65.602223)"
id="text257"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect258);display:inline"><tspan
x="825.2377"
y="325.50328"
id="tspan34">Ch A</tspan></text>
y="324.67931"
id="tspan69">Ch A</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,254.71038,65.602223)"
id="text258"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect259);display:inline"><tspan
x="824.65105"
y="325.50328"
id="tspan35">Ch B</tspan></text>
y="324.67931"
id="tspan70">Ch B</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,284.22644,74.171253)"
id="text259"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect260);display:inline"><tspan
x="827.2244"
y="325.50328"
id="tspan36">DAC</tspan></text>
x="827.21107"
y="324.67931"
id="tspan71">DAC</tspan></text>
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000;stop-opacity:1"
d="m 380.13951,227.38536 h 8.58297"
@ -1870,16 +1870,16 @@
id="text262"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect262);display:inline"><tspan
x="825.86438"
y="325.50328"
id="tspan37">Ch 1</tspan></text>
y="324.67931"
id="tspan72">Ch 1</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,231.1694,120.8109)"
id="text263"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect263);display:inline"><tspan
x="825.86438"
y="325.50328"
id="tspan38">Ch 2</tspan></text>
y="324.67931"
id="tspan73">Ch 2</tspan></text>
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:2.99999, 2.99999;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000;stop-opacity:1"
d="m 445.19575,173.48992 h 23.27497 v 39.89789 h -23.27497"
@ -1894,9 +1894,9 @@
transform="matrix(0.26458333,0,0,0.26458333,288.97247,109.58889)"
id="text264"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect264);display:inline"><tspan
x="824.22439"
y="325.50328"
id="tspan39">SWD</tspan></text>
x="824.21106"
y="324.67931"
id="tspan74">SWD</tspan></text>
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:2.99999, 2.99999;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000;stop-opacity:1"
d="m 499.14297,173.48992 v 39.89789 h 26.4006"
@ -1911,33 +1911,33 @@
transform="matrix(0.26458333,0,0,0.26458333,154.24939,78.320263)"
id="text60-0"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect60-2);display:inline"><tspan
x="801.36696"
y="325.50328"
id="tspan40">OPA1656</tspan></text>
x="801.35363"
y="324.67931"
id="tspan75">OPA1656</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,-92.280499,121.88312)"
transform="matrix(0.26458333,0,0,0.26458333,-83.300081,121.88312)"
id="text266"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect266);display:inline"><tspan
x="789.68695"
y="325.50328"
id="tspan41">SKYA21003</tspan></text>
y="324.67931"
id="tspan76">SKYA21003</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,-128.0906,67.153653)"
id="text267"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect267);display:inline"><tspan
x="776.3936"
y="325.50328"
id="tspan42">TMUXHS4212</tspan></text>
x="776.36695"
y="324.67931"
id="tspan77">TMUXHS4212</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,244.61116,159.76563)"
id="text270"
style="font-style:normal;font-variant:normal;font-weight:600;font-stretch:normal;font-size:32px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro Semi-Bold';text-align:center;white-space:pre;shape-inside:url(#rect271);display:inline"><tspan
x="766.76852"
y="330.16992"
id="tspan43">Core Microcontroller</tspan></text>
x="766.4325"
y="329.18116"
id="tspan78">Core Microcontroller</tspan></text>
<g
id="g273"
transform="translate(-2.8755236)">

Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 96 KiB

After

Width:  |  Height:  |  Size: 96 KiB

Before After
Before After

91
paper/paper.bib
View file

@ -2324,6 +2324,17 @@
file = {/home/jaseg/Zotero/storage/K9YRK595/Implementation Security of Quantum Cryptography - .pdf}
}
@online{ISOIEC24759,
title = {{{ISO}}/{{IEC}} 24759:2025},
shorttitle = {{{ISO}}/{{IEC}} 24759},
url = {https://www.iso.org/standard/82424.html},
urldate = {2025-04-08},
abstract = {Information security, cybersecurity and privacy protection — Test requirements for cryptographic modules},
langid = {english},
organization = {ISO},
file = {/home/jaseg/Zotero/storage/WYIQJ3LN/82424.html}
}
@article{ivarssonReviewHardwareSecurity,
title = {A {{Review}} of {{Hardware Security Modules Fall}} 2010},
author = {Ivarsson, Johan and Nilsson, Andreas},
@ -3421,13 +3432,6 @@
abstract = {A look at some machines for printing money... sort of! mikeselectricstuff merch : https://mikeselectricstuff.creator-sp...}
}
@online{MiniaturizedFPGABasedHighResolution,
title = {Miniaturized {{FPGA-Based High-Resolution Time-Domain Reflectometer}} | {{IEEE Journals}} \& {{Magazine}} | {{IEEE Xplore}}},
url = {https://ieeexplore.ieee.org/document/6484979},
urldate = {2025-03-11},
file = {/home/jaseg/Zotero/storage/KCF63LLU/6484979.html}
}
@inproceedings{mishraFaultsOurBus2024,
title = {Faults in {{Our Bus}}: {{Novel Bus Fault Attack}} to {{Break ARM TrustZone}}},
shorttitle = {Faults in {{Our Bus}}},
@ -3717,6 +3721,21 @@
file = {/home/jaseg/Sync/Research/Zotero/Nassi et al_Lamphone.pdf}
}
@report{nationalinstituteofstandardsandtechnologyusSecurityRequirementsCryptographic2019,
title = {Security Requirements for Cryptographic Modules},
author = {{National Institute of Standards and Technology (US)}},
date = {2019},
number = {error: 140-3},
pages = {error: 140-3},
institution = {{National Institute of Standards and Technology (U.S.)}},
location = {Washington, D.C.},
doi = {10.6028/NIST.FIPS.140-3},
url = {https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf},
urldate = {2025-04-08},
abstract = {The selective application of technological and related procedural safeguards is an important responsibility of every federal organization in providing adequate security in its computer and telecommunication systems. This standard is applicable to all federal agencies that use cryptographic-based security systems to provide adequate information security for all agency operations and assets as defined in 15 U.S.C. § 278g-3. This standard shall be used in designing and implementing cryptographic modules that federal departments and agencies operate or are operated for them under contract. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the secure design, implementation and operation of a cryptographic module. These areas include cryptographic module specification; cryptographic module interfaces; roles, services, and authentication; software/firmware security; operating environment; physical security; non-invasive security; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation of other attacks.},
file = {/home/jaseg/Sync/Research/Zotero/2019_National Institute of Standards and Technology (US)_Security requirements for cryptographic modules.pdf}
}
@article{navasMTDWhereArt2021,
title = {{{MTD}}, {{Where Art Thou}}? {{A Systematic Review}} of {{Moving Target Defense Techniques}} for {{IoT}}},
shorttitle = {{{MTD}}, {{Where Art Thou}}?},
@ -4139,6 +4158,17 @@
file = {/home/jaseg/Zotero/storage/RLBAU32H/Patra et al. - ABY2.0 Improved Mixed-Protocol Secure Two-Party C.pdf}
}
@standard{pcisecuritystandardscouncilPaymentCardIndustry2021,
title = {Payment {{Card Industry PIN Transaction Security Hardware Security Module Modular Security Requirements}}},
author = {{PCI Security Standards Council}},
date = {2021-12},
url = {https://docs-prv.pcisecuritystandards.org/PTS/Standard/PCI_HSM_Security_Requirements_v4.pdf},
urldate = {2025-04-08},
abstract = {HSMs (Hardware Security Modules) play a critical role in helping to ensure the confidentiality and/or data integrity of financial transactions. Therefore, to help engender trust in the legitimacy of the financial transactions being supported, it is imperative that HSMs are appropriately secure during their entire lifecycle. This includes manufacturing, shipment, use, and decommissioning. The purpose of this document is to provide guidance and direction for appropriately designing HSMs to meet the security needs of the financial payments industry, and for protecting those HSMs up to the point of initial deployment. Other security requirements apply at the point of deployment for the management of HSMs involved with financial payments industry. This document provides vendors with a list of all the security requirements against which their products will be evaluated in order to obtain Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) device approval. HSMs may support a variety of payment-processing and cardholder-authentication applications and processes. The processes relevant to the full set of requirements outlined in this document are: ▪ PIN processing ▪ 3-D Secure ▪ Card verification ▪ Card production and personalization ▪ EFTPOS ▪ ATM interchange ▪ Cash-card reloading ▪ Data integrity ▪ Chip-card transaction processing ▪ Key generation ▪ Key injection There are many other applications and processes that may utilize general-purpose HSMs, and which may necessitate the adoption of all or a subset of the requirements listed in this document. However, this document does not aim to develop a standard for general-purpose HSMs for use outside of applications such as those listed above that are in support of a variety of payment-processing and cardholder- authentication applications and processes for the financial payments industry.},
version = {4.0},
file = {/home/jaseg/Zotero/storage/CZF34DDM/PCI_HSM_Security_Requirements_v4.pdf}
}
@article{perrigTESLABroadcastAuthentication,
title = {The {{TESLA Broadcast Authentication Protocol}}},
author = {Perrig, Adrian and Canetti, Ran and Tygar, J D and Song, Dawn},
@ -4912,6 +4942,13 @@
file = {/home/jaseg/Sync/Research/Zotero/2021_Spro et al_High-Voltage Insulation Design of Coreless, Planar PCB Transformers for.pdf;/home/jaseg/Zotero/storage/I2H9EHKJ/9314282.html}
}
@misc{stmicroelectronicsSTM32G474xBDatasheet2021,
title = {{{STM32G474xB}}/{{C}}/{{E Datasheet}}},
author = {{ST Microelectronics}},
date = {2021-11},
annotation = {DS12288 Rev 6}
}
@book{struttVerstarkerUndEmpfanger1951,
title = {Verstärker Und {{Empfänger}}},
author = {Strutt, M. J. O.},
@ -5081,12 +5118,38 @@
file = {/home/jaseg/Zotero/storage/QX3DYZC3/Tehranipoor and Wang - 2012 - Introduction to Hardware Security and Trust.pdf}
}
@misc{tektronixinc.TektronixS6Sampling1982,
title = {Tektronix {{S-6 Sampling Head Instruction Manual}}},
author = {{Tektronix Inc.}},
date = {1982-09},
url = {https://w140.com/tekwiki/images/2/22/070-1128-01_1987.pdf},
urldate = {2025-04-08},
file = {/home/jaseg/Zotero/storage/SXP7TBFQ/070-1128-01_1987.pdf}
}
@article{tobischPhysicalSystemsIntegrity,
title = {Physical Systems for Integrity Protection and Authentication},
author = {Tobisch, Johannes},
langid = {english}
}
@article{trebbelsMiniaturizedFPGABasedHighResolution2013,
title = {Miniaturized {{FPGA-Based High-Resolution Time-Domain Reflectometer}}},
author = {Trebbels, Dennis and Kern, Alois and Fellhauer, Felix and Huebner, Christof and Zengerle, Roland},
date = {2013-07},
journaltitle = {IEEE Transactions on Instrumentation and Measurement},
volume = {62},
number = {7},
pages = {2101--2113},
issn = {1557-9662},
doi = {10.1109/TIM.2013.2245190},
url = {https://ieeexplore.ieee.org/document/6484979},
urldate = {2025-04-08},
abstract = {Time-domain reflectometry (TDR) is a well-known measurement principle for evaluating frequency-dependent electric and dielectric properties of various materials and substances. Although TDR is a proven method, the high price for TDR measurement equipment and complex laboratory setups is often a limiting factor for cost-sensitive applications or large-scale field experiments, where a large number of TDR meters is required. This paper reports on the development of a new miniaturized low-cost TDR meter capable of sampling a repetitive rectangular waveform, which is used as an excitation signal. The developed sampling circuit is based on a digital delta modulator (DM) and allows for capturing the waveform of a repetitive measurement signal. A 1-MHz signal can be captured with a virtual sampling resolution of 1 ps within a measurement interval of 1 s. The generated pulses have a rise time of 2 ns and can be captured with an amplitude resolution of approximately 10 bit and an accuracy of approximately 8 bit. The developed digital DM architecture is implemented inside a small field programmable gate array and integrated into a miniaturized low-power TDR meter prototype for battery-powered outdoor applications. The captured measurement data are stored on integrated micro-SD card memory and can be read out either via a Universal Serial Bus, an RS-485 bus system, or a wireless interface. The TDR meter is controlled by an integrated microcontroller and a real-time clock and therefore can operate completely independent from any additional control setup. The TDR meter targets applications within the field of geoscience and agricultural monitoring, where large-scale measurement systems are required.},
keywords = {Delta-modulation,Impedance,Power cables,Signal resolution,time-domain reflectometry (TDR),Time-frequency analysis,Transmission line measurements,undersampling},
file = {/home/jaseg/Zotero/storage/ZCJLJ7JB/6484979.html}
}
@article{tyagiOrcaBlocklistingSenderAnonymous,
title = {Orca: {{Blocklisting}} in {{Sender-Anonymous Messaging}}},
author = {Tyagi, Nirvan and Len, Julia and Miers, Ian and Ristenpart, Thomas},
@ -5095,6 +5158,20 @@
file = {/home/jaseg/Sync/Research/Zotero/Tyagi et al_Orca.pdf}
}
@report{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002,
title = {Security {{Requirements}} for {{Cryptographic Modules}}},
author = {{(US) National Institute of Standards and Technology}},
date = {2002-12-03},
number = {Federal Information Processing Standard (FIPS) 140-2},
institution = {U.S. Department of Commerce},
doi = {10.6028/NIST.FIPS.140-2},
url = {https://csrc.nist.gov/pubs/fips/140-2/upd2/final},
urldate = {2025-04-08},
abstract = {This Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.},
langid = {english},
file = {/home/jaseg/Sync/Research/Zotero/2002_Technology_Security Requirements for Cryptographic Modules.pdf}
}
@inproceedings{uzunCryptographicKeyDerivation2021,
title = {Cryptographic {{Key Derivation}} from {{Biometric Inferences}} for {{Remote Authentication}}},
booktitle = {Proceedings of the 2021 {{ACM Asia Conference}} on {{Computer}} and {{Communications Security}}},

342
paper/paper.tex
View file

@ -31,6 +31,7 @@
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
\newcommand{\partno}[1]{\textsf{\small#1}}
\newcommand{\price}[2]{#1 #2}
\newcommand{\todo}[1]{\textbf{TODO}\footnote{#1}}
% Set to 1.0 for final two-column export
\newlength{\figurescale}
@ -64,22 +65,28 @@
\section{Introduction}
Security meshes continue to be the state of the art for tamper sensing in in applications where sophisticated physical
attacks must be prevented. Security meshes usually consist of two or more conductive traces that are laid out in a
meandering pattern to cover a surface, and which are monitored electrically to detect attempts at penetrating this
surface. While commercial designs often only monitor for short circuits or breaks in the mesh traces, monitoring this
coarse is incapable of detecting even less sophisticated attacks attempting to circumvent part of the mesh, thus
requring the mesh to be made from a special material that is difficult to manipulate without breaking it.
attacks such as attempts at drilling or sawing through the device's enclosure to place probes must be prevented. Common
applications for such meshes include Hardware Security Modules (HSMs) used to store and process cryptographic keys while
applying certain security standards such as
FIPS-140-2\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002} or ISO/IEC
24759\cite{ISOIEC24759}, as well as card payment terminals where PCI PTS HSM
standards\cite{pcisecuritystandardscouncilPaymentCardIndustry2021} are applicable. Security meshes usually consist of
two or more conductive traces that are laid out in a meandering pattern to cover a surface, and which are monitored
electrically to detect attempts at penetrating this surface. While commercial designs often only monitor for short
circuits or breaks in the mesh traces, monitoring this coarse is incapable of detecting even less sophisticated attacks
attempting to circumvent part of the mesh, thus requring the mesh to be made from a special material that is difficult
to manipulate without breaking it.
To enable the ues of less expensive, commodity materials such as Printed Circuit Boards (PCBs), the mesh's integrity
must be monitored with higher fidelity. In this paper, we present a low-cost monitoring circuit for security meshes
based on a Time-Domain Reflectometry (TDR) approach that provides such improved measurement fidelity compared to
commercial systems, and enables the use of less sophisticated meshes made from less expensive materials. We demonstrate
a working prototype of our design, and present practical measurements of its electrical parameters as well as its
performance under a number of practical attack scenarios. A photo of our prototype setup including a security mesh
specimen is shown in Figure\ \ref{fig_pic_board}.
performance under several practical attack scenarios. A photo of our prototype setup including a security mesh specimen
is shown in Figure\ \ref{fig_pic_board}.
Compared to previous academic designs, our approach can be implemented at much lower cost since it exclusively uses
inexpensive, commercially available mass-market components. Utilizing a proper TDR frontend, we improve over previous,
Compared to previous academic designs, our approach can be implemented at lower cost since it exclusively uses
inexpensive, commercially available mass-market components. Utilizing a TDR frontend, we improve over previous,
delay-based approaches in monitoring fidelity, achieving sufficient sensitivity for the detection of high-impedance
oscilloscope probes despite such probes being specifically designed to conduct measurements without disturbing the
circuit under test. Unlike previous, capacitance-based approaches, our design is compatible with inexpensive signal
@ -87,10 +94,11 @@ switch ICs, enabling the protection of arbitrarily large meshes at minimal cost
\begin{figure}
\centering
\includegraphics[width=0.6\textwidth]{pic_board_setup_2_small.jpg}
\includegraphics[width=0.6\textwidth]{pic_board_setup_2_small_censored.jpg}
\caption{Measurement setup. Shown are the test specimen board on the left, and the frontend board with one of the
four pulse amplifiers in the center. The frontend board is powered through a USB-C connection, and data is sent to a
computer through an Single-Wire Debug (SWD) interface.}
computer through an Single-Wire Debug (SWD) interface. The grid in the background has \qty{10}{\milli\meter} pitch.
Note: Author names and institutional affiliation were censored from this picture for peer review.}
\label{fig_pic_board}
\end{figure}
@ -99,17 +107,15 @@ Security meshes can be implemented at the macro scale, covering entire Printed C
at the micro scale to prevent the readout of secrets from Integrated Circuits (ICs) such as smartcards or Trusted
Platform Modules (TPMs). Commercial implementations of macro-scale security mesh monitoring circuits are largely limited
to simple trace continuity monitoring due to cost constraints. A limited amount of academic work on higher-fidelity
monitoring approaches exists, but comes with the use of expensive, specialty components and has not yet found practical
monitoring approaches exists, but comes with the use of expensive, specialty components and has not yet found widespread
adoption.
Micro-scale tamper sensing meshes are usually implemented as passive sensors without a continuous power supply, and are
only checked once during system powerup, while macro-scale meshes are usually implemented as active sensors with a
continuous backup power supply so as to not give the attacker a window of attack when the remaining system is powered
down. There are some academic works suggesting the use of security meshes as Physically Uncloneable Functions (PUFs) to
down. There are academic works proposing the use of security meshes as Physically Uncloneable Functions (PUFs) to
provide a high-fidelity tamper sensor that can even detect attempts at patching the mesh to fix traces broken in a
drilling attack. While early work in this area was limited in the size of the protected envelope, recent advancements
allow for the protection of entire PCBAs similar in size to common commercial systems such as HSMs or the processing
subsystems of card payment terminals\cite{gotteCantTouchThis2022,obermaierMeasurementSystemCapacitive2018}.
drilling attack\cite{immlerBTREPIDBatterylessTamperresistant2018,immlerBTREPIDBatterylessTamperresistant2018}.
As is often the case with security technologies, in practice a tension exists between the level of security offered by a
particular security mesh implementation, and its implementation cost. The most secure meshes require specialized
@ -117,20 +123,18 @@ manufacturing techniques that aim to produce what is essentially a Flexible Prin
specifically chosen to be as fragile as possible such that it breaks even during careful manipulation by an attacker. In
contrast to this, industrially simpler approaches are still commonly used for their ease of implementation. Often,
standard copper/polyimide FPCs are used because of the wide availability of manufacturing services. In some
lower-security applications such as card payment terminals, meshes manufactured from simple PCBs are used without
enclosing the whole PCBA.
lower-security applications such as card payment terminals, meshes manufactured from simple PCBs are used.
In this paper, we introduce an approach for the design of security mesh monitoring circuitry that provides dramatically
higher fidelity compared to state-of-the-art conductivity monitoring and improves the sensitivity of meshes even when
manufactured using less advanced technologies such as standard FPC or PCB processes. Our approach consists of an
optimized, low-cost differential Time Domain Reflectometry (TDR) frontend built around a commodity microcontroller and
an amplifier IC originally intended for digital video applications that together achieve pulse risetimes below
\qty{200}{\pico\second}, corresponding to only \qty{3}{\centi\meter} of wave propagation inside the mesh at the speed of
light in PCB material. Using our TDR frontend, mesh integrity can be characterized at high fidelity, producing 70 data
points for each meter of mesh length, resulting in a measurement density per mesh area of
\qty{150}{\bit\per\centi\meter^2} when using a mesh manufactured in a commercial PCB process.
\todo{Section overview, point out prototype, measurements and tamper experiments}
\todo{citations for applications}
In this paper, we introduce an approach for the design of improved, higher fidelity security mesh monitoring circuitry.
Our approach provides higher fidelity compared to state-of-the-art conductivity monitoring and improves the sensitivity
of meshes including when manufactured using less advanced technologies such as standard FPC or PCB processes. Our
approach consists of an optimized, low-cost differential Time Domain Reflectometry (TDR) frontend built around a
commodity microcontroller and an amplifier IC originally intended for digital video applications that together achieve
pulse risetimes below \qty{200}{\pico\second}, corresponding to only \qty{3}{\centi\meter} of wave propagation inside
the mesh at the speed of light in PCB material. Using our TDR frontend, mesh integrity can be characterized at high
fidelity, producing 70 data points for each meter of mesh length, resulting in a measurement density per mesh area of
\qty{150}{\bit\per\centi\meter^2} when using a mesh manufactured in a commercial PCB process. \todo{Section overview,
point out prototype, measurements and tamper experiments} \todo{citations for applications}
%HSMs predate modern cryptography.
%\cite{nsaHistoryUSCommunications1973, nsaHistoryUSCommunications1981}
@ -139,11 +143,10 @@ points for each meter of mesh length, resulting in a measurement density per mes
A general introduction into Hardware Security Modules can be found in
\textcite{andersonCryptographicProcessorsASurvey2006} as well as \textcite{tehranipoorHardwareSecurityPrimitives2023}.
While security meshes are widely used in practice, their design is only covered by a sparse research corpus. As
\textcite{andersonSecurityEngineeringGuide2020} notes, while a lot of research in this area happens in the commercial
sphere, there, security-by-obscurity is often considered a good idea and often no detail is published on physical
security implementation. The academic work listed below should be understood with this caveat in mind. One of the goals
\textcite{andersonSecurityEngineeringGuide2020} notes, while this area is actively researched commercially, there,
security-by-obscurity is often considered a good idea and with few exceptions, little detail is published on physical
security implementations. The academic work listed below should be understood with this caveat in mind. One of the goals
of this paper is raising the bar in the academic state of the art to a level that likely lies beyond the current state
of the art in the commercial sphere.
@ -160,31 +163,30 @@ Patent literature gives a partial view on commercial developments in this area.
wernerFabricatingTamperrespondentSensors2024,
busbyTamperDetectionEnclosuretoboard2020,
chockPointSaleTerminal2009}
\todo{Individually closely check each of these!} from HSM manufacturers IBM and HP, ATM component manufacturer Cryptera
as well as paymemnt terminal manufacturer Stripe as well as industry
publications\cite{nisargaSystemLevelTamperProtection2016} continue to cite security mesh monitoring techniques that are
no more sophisticated than trace resistance monitoring at best, suggesting that commercial systems might not be more
sophisticated than current academic proposals.
\todo{Individually closely check each of these!} from HSM manufacturers IBM and HP, ATM component manufacturer Cryptera,
payment terminal manufacturer Stripe as well as industry publications\cite{nisargaSystemLevelTamperProtection2016}
continue to cite security mesh monitoring techniques that are no more sophisticated than trace resistance monitoring at
best, suggesting that commercial systems might not be more sophisticated than current academic proposals.
\subsection{Security Mesh Monitoring and Design}
% TODO more citations to their papers here
\paragraph{Meshes as capacitive PUFs.}
The most advanced mesh designs such as
\textcite{immlerBTREPIDBatterylessTamperresistant2018,obermaierMeasurementSystemCapacitive2018,garbTamperSensitiveDesignPUFBased}
use a specialized security mesh as a Physically Uncloneable Function (PUF), combining tamper sensing with cryptographic
key storage. In their design, the mesh consists of a cross-hatch pattern made up from several dozen individually
adressable capacitive electrodes. Their analog frontend measures the precise mutual capacitance of each pair of
electrodes using an approach similar to \textcite{satoToucheEnhancingTouch2012}, and they use the resulting capacitance
matrix as the basis of their PUF.
propose one of the most advanced security mesh designs in the current academic state of the art. They use a specialized
security mesh as a Physically Uncloneable Function (PUF), combining tamper sensing with cryptographic key storage. In
their design, the mesh consists of a cross-hatch pattern made from several dozen individually adressable capacitive
electrodes. Their analog frontend measures the precise mutual capacitance of each pair of electrodes using an approach
similar to \textcite{satoToucheEnhancingTouch2012}, and they use the resulting capacitance matrix as the basis of their
PUF.
Advantages of their system include high sensitivity to modifications, as well as that as a PUF, the system does not
require a continuous power supply. However, there are a number of significant differences between their proposed system
and our design.
require a continuous power supply. However, there are several significant differences between their proposed system and
our design.
\begin{itemize}
\item Their system is limited by sensing circuit dynamic range, which they compensate by using a large number (64) of
electrodes in parallel. Covering larger volumes with such a system would require increasing electrode count
\item Their system is limited by sensing circuit dynamic range, which they compensate by using a large number (32)
of electrodes in parallel. Covering larger volumes with such a system would require increasing electrode count
further, resulting in a linear increase in frontend cost when targeting the same scanning speed. In contrast to
this, our system can cover larger volumes by the addition of inexpensive signal switches.
\item Their system requires a mesh manufactured in a specialized manufacturing process. Additionally, precise
@ -193,8 +195,8 @@ and our design.
responses.
\item Their system requires a complex frontend circuit. Initial prototypes used a large number (one per channel) of
not inexpensive operational amplifiers along with a particular Junction Field Effect Transistor (JFET) that has
become unavailable due to obsolescence. Later, they developed a custom IC containing the frontend circuit for an
envelope foil measuring approximately \qty{18}{\centi\meter} by
since become unavailable due to obsolescence. Later, they developed a custom IC containing the frontend circuit
for an envelope foil measuring approximately \qty{18}{\centi\meter} by
\qty{10}{\centi\meter}\cite{obermaierMeasurementSystemCapacitive2018,garbFORTRESSFORtifiedTamperResistant2021}.
In contrast, our system requires only widely available, low-cost commodity components, for each of which
alternative substitutes from other manufacturers are available. Furthermore, in our design, a single sensing
@ -209,7 +211,7 @@ laid out as a set of capacitive interdigital structures not unlike the combs fou
equal-size interdigital electrodes. They connect the resulting eight electrodes in a capacitive bridge configuration,
and measure the bridge's balance using a simple analog monitoring circuit.
Advantages of their system include the simple, low power monitoring circuit made up from basic, cheap components and the
Advantages of their system include the simple, low power monitoring circuit made from basic, cheap components and the
capability to work with single-layer meshes such as those produced using Laser Direct Structuring (LDS).
\paragraph{Frequency-domain mesh characterization.}
@ -224,35 +226,35 @@ to any signal characteristics apart from total signal power.
\paragraph{Time-domain mesh monitoring.}
The prior work in the academic corpus that is probably closes to our proposal is the work of
\textcite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}, where they propose monitoring the time-domain
response of a mesh using a circuit made up from a pulse generator and a fast analog-to-digital converter (ADC). To avoid
the need for a full high-speed data processing pipeline, their design is centered around a specialized high-speed ADC
that has a small built-in sample memory, allowing them to capture a pulse at high speed before slowly processing it from
sample memory.
\textcite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}, where they propose monitoring the
time-domain response of a mesh using a circuit made from a pulse generator and a fast Analog-to-Digital Converter (ADC).
To avoid the need for a full high-speed data processing pipeline, their design is centered around a specialized
high-speed ADC that has a small built-in sample memory, allowing them to capture a pulse at high speed before slowly
processing it from sample memory.
Advantages of their design include better sensitivity to changes in total mesh trace length compared to simple
continuity monitoring and the low complexity of their analog frontend. However, their proposed design differs from our
work in a number of fundamental aspects.
work in several fundamental aspects.
\begin{itemize}
\item The design from \textcite{vasileActiveTamperDetection2017} is hinges on a specialized high-speed ADC
that has a large internal sample buffer. Not only is this part expensive at \qty{15.95}{\euro} at quantity 1000,
to our knowledge it is also the only part of its kind available on the market. Foregoing this part, and going
for a comparable fast ADC without this sample buffer would require a fast digital processing frontend, resulting
in even greater system cost. In contrast, our design uses widely available parts, all of which can easily be
substituted for other, similar parts from different manufacturers.
\item Their system is limited in time resolution by their choice of ADC. Even with the expensive part they chose,
their system only achieves a time resolution of \qty{5}{\nano\second}, less than \qty{1}{25} of our design.
Because the cost of ADCs quickly escalates with sampling speed, achieving sub-nanosecond resolution would be
difficult to achieve with their approach. For instance, the cheapest ADC available at distributor digikey that
would enable \qty{1}{\nano\second} resolution, still less than \qty{1}{5} of our design, would already cost more
than \qty{110}{\euro} at quantity 1000 and, due to its relevance to electronic warfare and radar applications,
require specialized clearance for export from countries such as the USA.
\item Their system only measures the mesh's \emph{transmission} characteristic, corresponding to a a $S_{12}$ S
parameter measurement configuration. This configuration is sensitive to changes in total mesh length, but is
that has a large internal sample buffer. Not only is this part expensive at \price{15.95}{\euro} at quantity
1000, to our knowledge it is also the only part of its kind available on the market. Foregoing this part, and
going for a comparable fast ADC without this sample buffer would require a fast digital processing frontend,
resulting in greater system cost. In contrast, our design uses widely available parts, all of which can easily
be substituted for other, similar parts from different manufacturers.
\item Their system is limited in time resolution by their choice of ADC. Despite using a high performance ADC, their
system only achieves a time resolution of \qty{5}{\nano\second}, less than $\frac{1}{25}$ of our design. Because
the cost of ADCs quickly escalates with sampling speed, achieving sub-nanosecond resolution would be difficult
to achieve with their approach. For instance, the cheapest ADC available at distributor digikey that would
enable \qty{1}{\nano\second} resolution--still less than $\frac{1}{5}$ of our design--would already cost more
than \price{110}{\euro} at quantity 1000 and due to its relevance to electronic warfare and radar applications
might require specialized clearance for export from countries such as the USA.
\item Their system only measures the mesh's \emph{transmission} characteristic, corresponding to a a $S_{12}$
S-parameter measurement configuration. This configuration is sensitive to changes in total mesh length, but is
insensitive to changes in impedance along this length. While the transmitted signal strength will be affected by
changes in impedance, all such changes manifest only in the height of the output pulse, resulting in the whole
information being mapped to only a few sparse ADC samples. Using such a measurement, it is not possible to
changes in impedance, such changes manifest only in the height of the output pulse, resulting in the whole
information being mapped to a small number of ADC samples. Using such a measurement, it is not possible to
localize faults. In contrast, our approach measures the signal's \emph{reflected} component, which is sensitive
to both length, and to changes in impedance along the length. Additionally, our approach enables the
localization of faults.
@ -268,12 +270,12 @@ real time. However, this is largely a development of this millennium--meanwhile,
have been studied since the advent of radar technology in the second world war\cite{kahrs50YearsRF2003}. Enabled by the
progress from vacuum tubes to semiconductor devices, equivalent-time sampling became the technology of choice for the
latter half of the twentieth century until around the turn of the millenium the introduction of high-speed digital
processing and fast ADCs enabled real-time conversion up into higher microwave frequencies, reaching beyond the
\qty{100}{\giga\hertz} boundary these days.
processing and fast ADCs enabled real-time conversion up into higher microwave frequencies, today reaching beyond the
\qty{100}{\giga\hertz} boundary.
\textcite{kahrs50YearsRF2003} trace back the style of four-diode balanced bridge sampling gate that we use to a vacuum
tube implementation presented in \textcite{chanceWaveforms1949}. This style of sampling gate found application in a
number of sampling oscilloscopes throughout the twentieth century in a number of oscilloscope sampling frontends such as
number of sampling oscilloscopes throughout the twentieth century in several oscilloscope sampling frontends such as
HP's 187B\cite{HP187BDualTrace1962}.
While initially equivalent-time sampling was used to circumvent technological limitations, more recently it has also
@ -296,13 +298,13 @@ modern FPGA families, their design uses the FPGA's logic resources to achieve ad
that uses specialized adjustable delay line ICs for pulse generation. \textcite{lee16psresolutionRandomEquivalent2003}
achieve very high time resolution in an equivalent-time sampling TDR system by using a vernier approach to pulse
generation, such that their system is limited by analog bandwidth, not time resolution.
\textcite{MiniaturizedFPGABasedHighResolution} show another FPGA-based TDR. Their system also uses a part from the same
early FPGA family as \textcite{bencivenniTimeDomainReflectometer2013}, and they work around its lack of precise timing
primitives by generating a low-frequency sine wave through DDS, which they filter, and then sample using a comparator -
a similar approach to the timing generation in \textcite{houtman1GHzSamplingOscilloscope2000}. Additionally, they avoid
the need for a discrete ADC by implementing a $\Delta\Sigma$ loop around a fast comparator, trading off slower
acquisition time for lower hardware complexity. They use a \qty{5.5}{\volt\per\nano\second} wideband amplifier IC to
generate their stimulus pulse, achieving a rise time of \qty{2}{\nano\second}. As a result, similar to
\textcite{trebbelsMiniaturizedFPGABasedHighResolution2013} show another FPGA-based TDR. Their system also uses a part
from the same early FPGA family as \textcite{bencivenniTimeDomainReflectometer2013}, and they work around its lack of
precise timing primitives by generating a low-frequency sine wave through DDS, which they filter, and then sample using
a comparator - a similar approach to the timing generation in \textcite{houtman1GHzSamplingOscilloscope2000}.
Additionally, they avoid the need for a discrete ADC by implementing a $\Delta\Sigma$ loop around a fast comparator,
trading off slower acquisition time for lower hardware complexity. They use a \qty{5.5}{\volt\per\nano\second} wideband
amplifier IC to generate their stimulus pulse, achieving a rise time of \qty{2}{\nano\second}. As a result, similar to
\textcite{lee16psresolutionRandomEquivalent2003}, their design is limited by analog bandwidth--here resulting from the
nanosecond-scale stimulus risetime--not by frontend time resolution.
@ -320,13 +322,14 @@ length.
In this paper, we apply TDR to monitor a security mesh for changes caused by an attack. Our prototype setup consists of
a custom circuit board containing a low-cost embedded TDR frontend that can be connected to a security mesh specimen to
measure its response. If we construct a security mesh with a ground plane underneath similar to previous
measure its response. We construct a security mesh with a ground plane underneath similar to previous
work\cite{immlerBTREPIDBatterylessTamperresistant2018,
obermaierMeasurementSystemCapacitive2018,
garbTamperSensitiveDesignPUFBased}, we have effectively constructed a delay line.
Security meshes commonly use a pair of two traces to capture short circuit condition between adjacent traces, which we
treat as a differential pair for improved resiliency against electromagnetic interference. We constructed our frontend
such that it excites the two traces differentially, but allows for both single-ended and for differential measurements.
garbTamperSensitiveDesignPUFBased}, which when viewed in the microwave domain constitutes what is essentially a delay
line. Security meshes commonly use a pair of two traces to capture short circuit condition between adjacent traces,
which we treat as a differential pair for improved resiliency against electromagnetic interference. We constructed our
frontend such that it excites the two traces differentially, but allows for both single-ended and for differential
measurements.
In an intact mesh, we expect our frontend to record no significant reflections until the stimulus pulse has traversed
the mesh's traces both ways, at which point we expect a large response whose polarity and amplitude depends on the
@ -334,11 +337,11 @@ termination on the far end of the mesh. In our prototype circuit, we made this t
range of possible measurement configurations and to enable self-calibration of the circuit.
When an attacker attempts to tamper with the mesh, they will cause an impedance discontinuity. Cuts of one or both
traces as well as a short circuit between both traces will result in a total reflection of the incident pulse at the
location of the fault, which our circuit will easily detect as the delay of the response changes. However, beyond these
simple cases, our approach can also detect more subtle changes. For instance, short circuit between two points along the
same mesh trace will also result in a change in delay along this trace. Furthermore, even just probing a mesh trace with
an oscilloscope probe will add the probe's input capacitance, which is usually in the order of several Picofarad, to one
traces, or a short circuit between both traces will result in a total reflection of the incident pulse at the location
of the fault, which our circuit will easily detect as the delay of the response changes. However, beyond these simple
cases, our approach can also detect more subtle changes. For instance, short circuit between two points along the same
mesh trace will also result in a change in delay along this trace. Furthermore, even just probing a mesh trace with an
oscilloscope probe will add the probe's input capacitance, which is usually in the order of several Picofarad, to one
point along the trace, result in an impedance step that can be detected by TDR. The TDR approach is thus able to not
only detect, but distinguish and even localize several types of faults or attacks in a mesh.
@ -346,7 +349,8 @@ only detect, but distinguish and even localize several types of faults or attack
\begin{figure}
\centering
\includegraphics[height=70mm]{block_diagram.pdf}
\hspace*{-7mm}
\includegraphics[height=80mm]{block_diagram.pdf}
\caption{Block diagram of our prototype sampling TDR security mesh monitoring circuit.}
\label{fig_block_diagram}
\end{figure}
@ -355,14 +359,13 @@ A TDR can be broken down into three basic components. First, we need a source of
stimulate the mesh. Second, we need a coupler that allows us to couple the stimulus pulses into the mesh, and their
reflections out of it. Finally, we need a fast ADC to capture the reflections.
The focus of our circuit design is on cost. Since physical attacks happen on a time scale of minutes or hours, we do not
need a fast acquisition rate. Thus, we chose an equivalent-time sampling setup instead of direct conversion, reducing
the requirements of our data acquisition and signal processing fronted from gigasamples per second to mere megasamples,
well within the range what a commodity microcontroller can handle. An example of a direct-conversion setup is
\textcite{vasileActiveTamperDetection2017}, where they used a specialty discrete Analog-to-Digital Converter (ADC) that
has a large internal buffer to avoid the need for a high-speed digital data processing chain. Compared to our design,
their ADC alone at \qty{15.95}{\euro} at quantity 1000 costs more than our entire circuit while providing more than
$25\times$ worse time resolution.
Figure\ \ref{fig_block_diagram} shows a block diagram of our design\footnote{Full schematics are available in this
paper's supplementary material.}. At the core of our design lies an equivalent-time sampling setup, where two
diode bridge sampling gates alternately sample the two traces of the mesh.
Since physical attacks happen on a time scale of minutes or hours, we do not need a fast acquisition rate. Equivalent
time sampling uses fast sampling gates to sample a high-frequency signal at a low frequency that is suitable for direct
conversion through an ADC. This reduces the requirements of our data acquisition and signal processing fronted from
gigasamples per second to mere megasamples, well within the range what a commodity microcontroller can handle.
A challenge in equivalent-time sampling is precisely phase-synchronizing the sampling pulse to the fundamental frequency
of the input signal, which is usually implemented by using a high-speed comparator. In a TDR-style frontend like ours,
@ -376,31 +379,31 @@ comparativeky lossy \qty{-6}{\deci\bel} resistive tee instead of a directional c
directionality, but in our case the incident pulse can never interfere with reflections at the sampling output of the
divider because of causality.
To implement a sub-nanosecond sampler, we chose a simple four-diode bridge sampling gate made from contemporary
To implement our sub-nanosecond sampler, we chose a simple four-diode bridge sampling gate made from contemporary
commodity \partno{BAT17-04W} RF schottky diodes, which offer turn-on times better than \qty{100}{\pico\second} at
\qty{0.13}{\euro} per device at quantity 1000. The four-diode configuration requires only two dual diode packages. In
contrast to \todo{cite magazine article and that one thesis here}, in our system, double sampling is not necessary -
instead, we follow the sampling gate directly with an amplifier feeding into the internal ADC of our microcontroller. We
use an internal timer peripheral of the same microcontroller to generate both stimulus and sample pulses, so we can
easily phase-lock the internal ADC to the same timer.
\price{0.13}{\euro} per device at quantity 1000. The four-diode configuration requires only two dual diode packages. In
contrast to \textcite{polasekReflektometrCasoveOblasti2020,houtman1GHzSamplingOscilloscope2000}, in our system, double
sampling is not necessary - instead, we follow the sampling gate directly with an amplifier feeding into the internal
ADC of our microcontroller. We use an internal timer peripheral of the same microcontroller to generate both stimulus
and sample pulses such that we can easily phase-lock the internal ADC to the same timer.
We base our circuit around a STM32G474RB microcontroller, a 5€-class commodity ARM microcontroller. Besides adequate
processing speed for its price class, this microcontroller offers two features that are critical to our design. First,
its internal ADCs are both higher resolution and faster than those of many older parts. % FIXME concrete numbers
Second, it is one of a few parts in its series that include a \emph{high-resolution timer} (HRTIM) peripheral that
provides several outputs that can be controlled with better than \qty{200}{\pico\second} resolution through per-output,
self-calibrating delay line circuitry. We use this peripheral to produce both the stimulus pulse and the
We base our circuit around a \partno{STM32G474RB} microcontroller, a \price{5}{\euro}-class commodity ARM
microcontroller. Besides adequate processing speed for its price class, this microcontroller offers two features that
are critical to our design. First, its internal ADCs are both higher resolution and faster than those of older parts.
Second, it is one of a few parts in its series that include a \emph{high-resolution timer} (\partno{HRTIM}) peripheral
that provides several outputs that can be controlled with better than \qty{200}{\pico\second} resolution through
per-output, self-calibrating delay line circuitry. We use this peripheral to produce both the stimulus pulse and the
phase-adjustable sampling pulse.
While the HRTIM peripheral allows us to finely adjust the phase of its output waveform, the digital output structures of
the STM32G4 series are still limited to nanosecond-scale rise and fall times with the datasheet quoting
the \partno{STM32G4} series are still limited to nanosecond-scale rise and fall times with the datasheet quoting
$t_r=t_f=\qty{1.7}{\nano\second}$ into a \qty{10}{\pico\farad} load when using the fastest GPIO output drive strength
setting and a \qty{3.3}{\volt} supply\todo{cite datasheet properly}. We work around this issue applying two circuit
tricks. First, we send its output through a fast amplifier to square up the edges to a rise time better than
\qty{500}{\pico\second}. The remaining challenge is that while we now have pulses with crisp edges, due to constraints
of the HRTIM peripheral, at more than \qty{10}{\nano\second}, these pulses are still much too wide to be useful. We
solve this issue by applying a clip line pulse forming network at the output of the amplifier similar to the one used in
\todo{some tek sampling head}--i.e.\ we connect the amplifier's output to the load in parallel with a short, terminated
setting and a \qty{3.3}{\volt} supply\cite{stmicroelectronicsSTM32G474xBDatasheet2021}. We work around this issue
applying two circuit tricks. First, we send its output through a fast amplifier to square up the edges to a rise time
better than \qty{500}{\pico\second}. The remaining challenge is that while we now have pulses with crisp edges, due to
constraints of the HRTIM peripheral, at more than \qty{10}{\nano\second}, these pulses are still too wide to be useful.
We solve this issue by applying a clip line\cite{tektronixinc.TektronixS6Sampling1982} pulse forming network at the
output of the amplifier--i.e.\ we connect the amplifier's output to the load in parallel with a short, terminated
transmission line stub. The length of this stub determines pulse width.
\subsection{Driver Selection}
@ -421,11 +424,6 @@ prototype using a steady hand under a microscope as shown in Figure\ \ref{fig_pi
\begin{figure}
\centering
\begin{subfigure}{0.23\textwidth}
\centering
\includegraphics[width=0.9\textwidth]{pic_pi3hdx_small.jpg}
\caption{PI3HDX12211}
\end{subfigure}
\begin{subfigure}{0.23\textwidth}
\centering
\includegraphics[width=0.9\textwidth]{pic_74lvc_small.jpg}
@ -441,6 +439,11 @@ prototype using a steady hand under a microscope as shown in Figure\ \ref{fig_pi
\includegraphics[width=0.9\textwidth]{pic_tdp0604_small.jpg}
\caption{TDP0604}
\end{subfigure}
\begin{subfigure}{0.23\textwidth}
\centering
\includegraphics[width=0.9\textwidth]{pic_pi3hdx_small.jpg}
\caption{PI3HDX12211}
\end{subfigure}
\caption{Circuit-board implementation of the four pulse amplifier variants of the design. Amplifiers were mounted
dead bug style on a piece of copper tape connected to one of the supply rails, and hooked up with
\qty{120}{\micro\meter} diameter wire according to their respective datasheets. Supply rails were hooked up using
@ -453,14 +456,14 @@ prototype using a steady hand under a microscope as shown in Figure\ \ref{fig_pi
As a baseline, we evaluated the \partno{74LVC2G157} standard logic IC. This IC contains a single multiplexer, however,
we are not interested in the multiplexer functionality. The interesting trivia about this chip is that it also is one of
the only \partno{74} series standard logic parts that has complimentary outputs. According to manufacturer
specifications, at a comparable \qty{20}{\pico\farad} load, 74LVC series parts have slightly faster rise and fall times
compared to our STM32 micrcontroller's digital IO pins\todo{cite
specifications, at a comparable \qty{20}{\pico\farad} load, \partno{74LVC} series parts have slightly faster rise and
fall times compared to our \partno{STM32} micrcontroller's digital IO pins\todo{cite
\url{https://www.renesas.com/en/document/apn/224-alvclvc-logic-characteristics-and-apps}}.
\paragraph{CML-Output Comparators.} Fast comparators with CML outputs such as Analog's \partno{ADCMP606} are
easily-available, general purpose components and are easy to interface given their universal input topology. A
disadvantage of this path is that we would need one comparator each for the stimulus and strobe pulses, and these parts
are not cheap at \qtyrange{5}{10}{\euro} for one, or about \qty{3}{\euro} at a hundreds quantity.
are not cheap at \price{10}{\euro} for one, or about \qty{3}{\euro} at a hundreds quantity.
\paragraph{Optical Networking Chipsets.}
Another category of CML-output drivers suitable for our application are a class of optical networking chipset ICs. While
@ -468,7 +471,7 @@ today, the construction of optical transmitters has moved to direct bonding of o
minimize parasitics, discrete driver ICs for some chipsets from the mid-2000s era are still available at reasonable
cost. Both the laser driver used to drive the transmitter laser diode, and the limiting amplifier used to amplify the
receiver photodiode's output can be used in our application, with the limiting amplifier part requiring less additional
circuitry in our application due to its lack of output bias control. In our evaluation below, we include
circuitry in our application due to its lack of output bias control. In our evaluation below, we include the
\partno{MAX3748} limiting amplifier as a representative part from this category that is still commercially available. A
drawback of relying on a part like this is that its future availability is uncertain given the evolution of the
industry.
@ -507,33 +510,21 @@ applications, as well as \partno{TPD0604} as a ``hybrid'' linear or limiting red
for limiting mode in our experiments. An attractive feature of both of these chips as well as comparable devices is that
they usually include at least four independent channels, so only one chip is needed for both pulse paths. Additionally,
they are consumer mass market parts, resulting in a low price. For instance, \partno{PI3HDX12211} is available at
\qty{2.11}{\euro} in single quantity and less than \qty{1.30}{\euro} at several hundred quantity at distributor LCSC,
and \partno{TPD0604} is available at \qty{4.72}{\euro} and \qty{3.44}{\euro}, respectively, at distributor Mouser.
\subsection{Analog Delay Control}
While the STM32's \partno{HRTIM} peripheral offers edge position control at a precision of $\frac{1}{32}$ system clock
cycle using an automatically adjusted delay-locked loop at each output driver, due to the comparatively slow maximum
system clock speed of \qty{168}{\mega\hertz}, this still only results in a timing resolution of \qty{184}{\pico\second}.
In our measurements, we observed that end-to-end jitter of our sampler is low enough that our circuit would benefit from
finer delay control. For this reason, we decided to implement a \partno{74LVC} series buffer in between of the
\partno{HRTIM} outputs and the pulse amplifier. By feeding this buffer from an adjustable power supply controlled
through one of the microcontroller's digital-to-analog converter (DAC) channels, we can exploit the supply voltage
dependency of the propagation delay of \partno{74LVC} series CMOS logic to create a digitally controllable delay with
picosecond resolution. It is likely that the internal DLL of the \partno{HRTIM} peripheral is implemented in a similar
way.
\todo{How should we clarify here that this is future work?}
\price{2.11}{\euro} in single quantity and less than \price{1.30}{\euro} at several hundred quantity at distributor
LCSC, and \partno{TPD0604} is available at \price{4.72}{\euro} and \price{3.44}{\euro}, respectively, at distributor
Mouser.
\subsection{Cost Breakdown}
Table\ \ref{tab_bom} shows a breakdown of the cost of the main components of our prototype, resulting in a total
component cost of less than \qty{10}{\euro}. We did not include power supply components in this breakdown as our circuit
is meant to be embedded into a payload circuit that will already have sufficient power supplies.
component cost of less than \price{10}{\euro}. We did not include power supply components in this breakdown as our
circuit is meant to be embedded into a payload circuit that will already have sufficient power supplies.
Due to its \partno{HRTIM} peripheral, the STM32 microcontroller is the component of our design that is hardest to
replace. However, this part can still be replaced with a wide range of FPGAs, which commonly include digitally
configurable delay lines on their IO pins for signal de-skewing. For instance, the \partno{ODELAY} primitive of Xilinx 7
Series FPGAs provides the same $\frac{1}{32}$ clock cycle resolution that the STM32 \partno{HRTIM} peripheral provides.
Due to its \partno{HRTIM} peripheral, the \partno{STM32G4} microcontroller is the component of our design that is
hardest to replace. However, this part can still be replaced with a wide range of FPGAs, which commonly include
digitally configurable delay lines on their IO pins for signal de-skewing. For instance, the \partno{ODELAY} primitive
of Xilinx 7 Series FPGAs provides the same $\frac{1}{32}$ clock cycle resolution that the \partno{STM32G4}
\partno{HRTIM} peripheral provides.
\begin{table}
\begin{tabular}{c|c|c|l}
@ -618,12 +609,12 @@ able to extract from a connected mesh during one scan. Since we aim at fingerpri
performing absolute measurements, we do not need to characterize the transfer function of our TDR frontend.
Second, we will characterize the end-to-end performance of our design on a mesh test specimen, and we will evaluate its
performance on a number of realistic tamper attempts. As a baseline characterization, we will show measurements of both
performance on several realistic tamper attempts. As a baseline characterization, we will show measurements of both
short and open mesh traces, allowing us to evaluate our designs' capacity to spatially localize faults. Building upon
this baseline, we will then demonstrate a probing attack, in which we will measure our design's response to a standard
\qty{100}{\mega\hertz} bandwidth $\qty{10}{\mega\ohm}||\qty{10}{\pico\farad}$ oscilloscope probe. Compared to the
baseline open/short test, this provides a much greater challenge due to the probe's intentionally high impedance and
minimal capacitive loading.
baseline open/short test, this provides a greater challenge due to the probe's intentionally high impedance and minimal
capacitive loading.
\subsection{Rise Time Measurement}
@ -757,10 +748,10 @@ here - only the rise time is. Since we use some of these amplifiers--particularl
their intended application, the actual voltage they develop across the nonlinear load our sampling gate's diode bridge
presents depends on implementation details of the amplifiers's CML output stage. To maximize ADC resolution and minimize
ringing, we tuned gain and bandwidth of each post-sampling amplifier for each IC. Ringing in the amplifier output leads
tojitter in the ADC's sampling period to directly feeding through to the ADC output value. Since in STM32 MCUs, the ADC
is clocked independently of the rest of the system, its sampling timing is poorly controlled and this jitter causes a
significant error unless the amplifier is well-compensated. The key figure for us is how fast our sampling gate turns
on, not how hard, so we can largely ignore the units on the graph's vertical scale.
tojitter in the ADC's sampling period to directly feeding through to the ADC output value. Since in \partno{STM32} MCUs,
the ADC is clocked independently of the rest of the system, its sampling timing is poorly controlled and this jitter
causes a significant error unless the amplifier is well-compensated. The key figure for us is how fast our sampling gate
turns on, not how hard, so we can largely ignore the units on the graph's vertical scale.
Table\ \ref{tab_edge_risetime} shows rise times calculated from each trace, averaged across both traces of the
differential pair. From these results and from graphs in Figure\ \ref{fig_edge_risetime} we can see that both the
@ -1000,8 +991,8 @@ Using the \partno{PI3HDX12211} variant of our prototype, we measured the mesh's
\ref{fig_manip_shape} shows the resulting TDR traces. Oscilloscope probes are specifically designed to disturb the
circuit under test as little as possible, with this one being specified as presenting as a \qty{10}{\mega\ohm} resistive
load in parallel with a \qty{10}{\pico\farad} capacitance when used in $\times 10$ mode as we did here. Since the
resulting disturbance to the TDR traces is much smaller than those in Figure\ \ref{fig_manip_shape}, we post-processed
the traces by subtracting a baseline trace taken before the measurements. To highlight drift in the baseline trace, we
resulting disturbance to the TDR traces is smaller than those in Figure\ \ref{fig_manip_shape}, we post-processed the
traces by subtracting a baseline trace taken before the measurements. To highlight drift in the baseline trace, we
include additional baseline traces taken in between and after measurements using the same post-processing.
In each traces, the mesh was probed in one of three locations as in Figure\ \ref{fig_manip_shape}, and on one of the
@ -1016,17 +1007,36 @@ measurement.
\section{Countermeasures}
\todo{this whole section}
\section{Future Work}
While the \partno{STM32G4}'s \partno{HRTIM} peripheral offers edge position control at a precision of $\frac{1}{32}$
system clock cycle using an automatically adjusted delay-locked loop at each output driver, due to the comparatively
slow maximum system clock speed of \qty{168}{\mega\hertz}, this still only results in a timing resolution of
\qty{184}{\pico\second}. While we have demonstrated this is sufficient to detect and localize several attack variants,
it would be interesting to increase time resolution since in our measurements, we observed that end-to-end jitter of our
sampler is low enough that our circuit would benefit from finer delay control. In our prototype, we implemented a--so
far unused--adjustable power supply for the \partno{74LVC} series buffer in between of the \partno{HRTIM} outputs and
the pulse amplifier. By adjusting this buffer's power supply through one of the microcontroller's digital-to-analog
converter (DAC) channels, we expect that it should be possible to exploit the supply voltage dependency of the
propagation delay of \partno{74LVC} series CMOS logic to create a digitally controllable delay with picosecond
resolution. It is likely that the internal DLL of the \partno{HRTIM} peripheral is implemented in a similar way.
The work we presented in this paper is complementary to the work previously presented by
\textcite{gotteCantTouchThis2022}, where the authors improved security of a simple security mesh made from standard PCBs
through mechanical motion. We are currently working on a prototype combining both approaches for a cost-efficient yet
powerful physical security primitive.
\section{Conclusion}
In this paper, we presented a design for a low-cost frontend for the integrity monitoring security meshes in
applications such as HSMs based on the principles of sub-nanosecond Time-Domain Reflectometry. Our design
repurposes an inexpensive HDMI redriver IC to produce sharp edges for the TDR stimulus, and applies a microwave clip
line to form fast pulses for TDR sampling. Our design not only enables the monitoring of continuity and length of the
mesh's traces, but also allows monitoring the impedance at every point along the mesh. Our approach will not only detect
faults or manipulations that disturb the mesh without causing breaks, but it will also physically localize the point
where the fault occurs along the mesh. Compared to previous work, our approach provides an additional time dimension in
its characterization of a security mesh while simultaneously being less expensive, enabling more sophisticated tamper
detection algorithms.
mesh's traces, but also allows monitoring the impedance at every point along the mesh. Beyond simply detecting faults or
manipulations that disturb the mesh without causing breaks, we have demonstrated our prototype circuit's capability to
distinguish and physically localize faults inside the mesh in several practical attack scenarios. Compared to previous
work, our approach provides an additional time dimension in its characterization of a security mesh while simultaneously
being less expensive, enabling more sophisticated tamper detection algorithms.
\section*{Availability}
This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today.

BIN
paper/pic_board_setup_2_small_censored.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 1.3 MiB

2
paper/version.tex
View file

@ -1 +1 @@
v-spectrum-measurements-47-g7db8382
v0-draft-13-gb92610d-dirty