jaseg/sampling-mesh-monitor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
sampling-mesh-monitor/paper/paper.tex
jaseg 5e3ac0a1a5 Minor revision WIP
2025-09-28 10:54:17 +02:00

1426 lines
90 KiB
TeX
Raw Blame History

\documentclass[submission]{iacrtrans}
\usepackage[T1]{fontenc}
\usepackage[
backend=biber,
style=numeric,
natbib=true,
url=false,
doi=true,
eprint=false
]{biblatex}
\addbibresource{paper.bib}
\usepackage{amssymb,amsmath}
\usepackage{eurosym}
\usepackage{wasysym}
\usepackage[binary-units]{siunitx}
\usepackage{commath}
\usepackage{graphicx}
\usepackage{color}
\usepackage{colortbl}
\usepackage{subcaption}
\usepackage{placeins}
\usepackage{array}
\usepackage{censor}
\usepackage{hyperref}
\usepackage{makecell}
\usepackage{tcolorbox}
\tcbuselibrary{skins}
\tcbuselibrary{breakable}
\usepackage{float}
\definecolor{highlightred}{rgb}{0.6 0.1 0.1}
\definecolor{highlightgreen}{rgb}{0.12 0.07 0.6}
%\definecolor{highlightred}{rgb}{0 0 0}
%\definecolor{highlightgreen}{rgb}{0 0 0}
\DeclareSIUnit{\baud}{Bd}
\DeclareSIUnit{\year}{a}
\DeclareSIUnit{\rpm}{rpm}
\renewcommand{\floatpagefraction}{.8}
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
\newcommand{\partno}[1]{\textsf{\small#1}}
\newcommand{\price}[2]{#1 #2}
\newcommand{\todo}[1]{\textbf{TODO}\footnote{#1}}
% By default, our biblatex style will print "In: [name of proceedings]. [year] [name of event]" for every conference
% paper. Since the name of the proceedings is usually near-identical to the name of the event, this adds a lot of noise.
% Suppress the name of the proceedings when both are given.
\AtEveryBibitem{
\ifentrytype{inproceedings}{
\iffieldundef{booktitle}{
}{
\iffieldundef{eventtitle}{
}{
\clearfield{booktitle}
}
}
}{
}}
\begin{document}
\author{Jan Sebastian Götte\inst{1} \and Björn Scheuermann\inst{2}}
\institute{Technical University of Darmstadt, Darmstadt, Germany, \email{research@jaseg.de}\and
Technical University of Darmstadt, Darmstadt, Germany, \email{bjoern.scheuermann@kom.tu-darmstadt.de}}
\title{High Fidelity Security Mesh Monitoring using Low-Cost, Embedded Time Domain Reflectometry}
\keywords{Tamper Sensing\and Tamper Response\and Physical Security\and Security Mesh\and Hardware Security Module
(HSM)\and FIPS 140-2/3\and ISO/IEC 24759\and PCI PTS HSM MSR}
\maketitle
%\begin{center}
% \textbf{Note:} This major revision has all shortened parts \color{highlightred}highlighted in red, \color{black}and
% all parts that are new or that have large changes \color{highlightgreen}highlighted in blue.\color{black}
%\end{center}
% FIXME maybe don't use HSM, maybe use active tamper sensing? envelope protection?
\begin{abstract}
Security Meshes are patterns of sensing traces covering an area that are used in Hardware Security Modules (HSMs)
and other systems to detect attempts to physically intrude into the device's protective shell. State-of-the-art
solutions manufacture meshes in bespoke processes from carefully chosen materials, which is expensive and makes
replication challenging. Additionally, state-of-the-art monitoring circuits sacrifice either monitoring precision or
cost efficiency. In this paper, we present an embeddable security mesh monitoring circuit constructed from low-cost,
standard components that utilizes Time Domain Reflectometry (TDR) to create a unique fingerprint of a mesh. Our
approach is both low-cost and precise, and enables the use of inexpensive standard Printed Circuit Boards (PCBs) as
security mesh material. We demonstrate a working prototype of our TDR circuit costing less than \price{10}{\euro} in
components that achieves both time resolution and rise time better than \qty{200}{\pico\second}---a $25\times$
improvement over previous work. We demonstrate a simple classifier that detects several types of advanced attacks
such as probing using an oscilloscope probe or micro-soldering attacks with no false negatives.
\end{abstract}
\section{Introduction}
% Minor revision criteria from shepherd
% =====================================
%
% [ ] Including a section elaborating on the structure of a typical device secured by the proposed system, and defining an explicit threat model.
% [ ] Expanding the literature review.
% [ ] Recalculating CER based on the same fitted distribution for better comparison.
% [ ] Elaborating on why 0.1% FPR was chosen.
% [ ] Interpretation of poor results in particular cases (in response to reviewer C).
%
%
% Bei Diss-Citations in der bib dazu schreiben, dass das ne Diss ist.
% 2.2 / 2.3 Wie related? Warum interessant? In Intro erwähnen?
% In Intro herausstellen, dass TDR-Setup neu ist.
% Storyline für Intro: Wir sind die ersten die die Auflösung hinbekommen, und deshalb geht bei uns TDR.
% Time for 256 times oversampling: 710 ms. 384 times: 1056 ms.
Security meshes continue to be the state of the art for tamper sensing in applications where sophisticated physical
attacks such as attempts at drilling or sawing through the device's enclosure to place probes must be prevented. Common
applications for such meshes include Hardware Security Modules (HSMs) used to store and process cryptographic keys
applying security standards such as
FIPS-140-2~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002} or ISO/IEC
24759~\cite{ISOIEC24759}. Other applications include card payment terminals where PCI PTS HSM
standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2021} are applicable. Security meshes usually consist of
two or more conductive traces that are laid out in a meandering pattern to cover a surface. A sensing circuit
electrically monitors these traces to detect attempts at penetrating this surface.
As is often the case with security technologies, in practice a tension exists between the level of security offered by a
particular security mesh implementation and its implementation cost. Commercial designs often only coarsely monitor the
conductivity of the mesh traces and are incapable of detecting attacks that manipulate small parts of the mesh. The most
secure meshes are made in custom manufacturing processes. Materials such as polymer substrates are specifically chosen
such that the mesh is difficult to manipulate without breaking it. A drawback of this approach is that the specialized
manufacturing processes are difficult to replicate and that the resulting cost of the mesh is high. In some
lower-security applications such as card payment terminals, simpler approaches are still commonly used for their ease of
implementation. Often, standard copper/polyimide Flexible Printed Circuits (FPCs) or even standard Printed Circuit
Boards (PCBs) are used because of the wide availability of manufacturing services.
Several academic approaches exist that target low-cost~\cite{
vasileActiveTamperDetection2017,
vasileTemperatureSensitiveActive2017,
dupontMiniaturizedUltraLowPowerTamper2022,
vasileProtectingSecretsAdvanced2019,
} or high-performance mesh monitoring~\cite{
immlerBTREPIDBatterylessTamperresistant2018,
immlerSecurePhysicalEnclosures2018,
garbTamperSensitiveDesignPUFBased,
}. Some academic works even try to replace the security mesh with entirely different tamper sensing primitives~\cite{
staatAntiTamperRadioSystemLevel2022,
vaiSecureArchitectureEmbedded2015,}.
High-performance mesh monitoring approaches try to characterize the mesh's physical properties with high accuracy, but
often come at the cost of specialized, expensive circuitry. Low-cost approaches utilize advanced analog techniques in
their circuitry to extract precise measurements using few components. They trade off measurement precision for lower
component cost. Besides simple monitoring, detecting tamper attempts by replacing the mesh with a macro-scale Physically
Unclonable Function (PUF) has also been researched~\cite{
immlerBTREPIDBatterylessTamperresistant2018,
staatAntiTamperRadioSystemLevel2022,
vaiSecureArchitectureEmbedded2015,}, albeit this comes with complex monitoring circuits that utilize expensive,
specialty components.
\begin{figure}
\centering
\includegraphics[width=0.6\textwidth]{pic_board_setup_2_small_censored.jpg}
\caption{Measurement setup. Shown are the test specimen board on the left, and the frontend board with one of the
four pulse amplifiers in the center. The frontend board is powered through a USB-C connection, and data is sent to a
computer through a Single-Wire Debug (SWD) interface. The grid in the background has \qty{10}{\milli\meter} pitch.
Note: Author names and institutional affiliation were removed from this picture for peer review.}
\label{fig_pic_board}
\end{figure}
To enable the use of less expensive, commodity materials such as Printed Circuit Boards (PCBs) without compromising
security, mesh integrity must be monitored with high fidelity. In this paper, we present a low-cost monitoring circuit
for security meshes that combines Time Domain Reflectometry (TDR) with equivalent time sampling. Our approach provides
high measurement fidelity and enables the use of meshes made from less expensive materials in high-security
applications.
Our circuit generates a very fast pulse with a rise time lower than \qty{200}{\pico\second} that is broadcast into the
mesh. While the pulse traverses the mesh, parts of its energy are reflected on imperfections inside the mesh, including
those caused by tampering attempts. Our circuit uses a fast, low-cost equivalent time sampling frontend to receive,
amplify and record these reflections to create a \emph{fingerprint} of the mesh that is highly sensitive to changes
caused by tampering.
We demonstrate a working prototype of our design and present practical measurements of its electrical parameters as well
as its performance under several practical attack scenarios. A photo of our prototype setup including a security mesh
specimen is shown in Figure\ \ref{fig_pic_board}.
Compared to previous academic designs, our approach can be implemented at a lower cost using exclusively inexpensive,
commercially available mass-market components. Our TDR frontend improves upon previous, delay-based approaches in
monitoring fidelity~\cite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}. Our design achieves
sufficient sensitivity to detect high-impedance oscilloscope probes despite such probes being specifically designed to
conduct measurements without disturbing the circuit under test. Unlike previous, capacitance-based approaches, our
design is compatible with inexpensive signal switch ICs, enabling the protection of arbitrarily large meshes at minimal
cost without compromising sensitivity.
The contributions of our work are as follows:
\begin{itemize}
\item To our knowledge, our design is the first to apply a low-cost embedded differential Time Domain Reflectometry
(TDR) frontend to security mesh monitoring. Our design achieves pulse rise times below \qty{200}{\pico\second},
a $25\times$ improvement over the closest previous
work~\cite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}.
\item Our approach provides higher fidelity compared to state-of-the-art security mesh conductivity monitoring or
previous low-cost approaches. It enables the use of meshes manufactured using less advanced technologies such as
standard FPC or PCB processes. Our TDR frontend produces 70 data points for each meter of mesh length, resulting
in a measurement density per mesh area of \qty{200}{\bit\per\centi\meter^2} when using a
$\qty{200}{\micro\meter}$ pitch mesh manufactured in a standard low-cost PCB process.
\item We present a working prototype along with extensive experimental results, including laboratory performance
measurements. We practically demonstrate that our design is able to not only detect but distinguish and even
localize attacks in several realistic attack scenarios.
\item Our design is based entirely on commercially available, inexpensive mass-market components. It can be
replicated and improved without access to bespoke production equipment or semiconductor manufacturing
capabilities. To facilitate further research and practical applications, we publish our prototype under an Open
Source license.
\end{itemize}
\section{Related Work}
Tamper sensing meshes are used in numerous applications from Hardware Security Modules (HSMs) to card payment
terminals~\cite{andersonCryptographicProcessorsASurvey2006,tehranipoorHardwareSecurityPrimitives2023}. Despite their
widespread use, security mesh design and monitoring is covered by a sparse research corpus. Commercially,
security-by-obscurity is often considered a good idea and little detail is published on physical security
implementations~\cite{andersonSecurityEngineeringGuide2020}.
Patent literature gives a partial view of commercial developments in this area. Even in recent patents such as~\cite{
brodskyTamperRespondentAssemblyFlexible2019, % IBM. ok, mentions conductivity monitoring but mostly on mesh
nortonTamperDetectingCases2019, % HP. ok, mentions continuity monitoring only but mostly on mesh
razaghiTamperDetectionSystem2020, % Square. ok. mentions what is effectively conductivity monitoring
wesselhoffTamperResponsiveSensor2020, % Cryptera. ok. Very basic, only uses the mesh in the power supply.
leekTamperDetection2021, % Texas Instruments. ok. Monitors capacitance.
chockPointSaleTerminal2009, % Zilog. ok. Monitors conductivity and tries to detect emulation.
}
from HSM manufacturers IBM and HP, ATM component manufacturer Cryptera, payment terminal manufacturer Stripe, and chip
manufacturers Texas Instruments and Zilog, cited monitoring methods are basic and do not go beyond a simple measurement
of resistance or capacitance.
Academic research in the area is more advanced and spans both improvements to security meshes and their monitoring
circuits~\cite{
immlerBTREPIDBatterylessTamperresistant2018,
dupontMiniaturizedUltraLowPowerTamper2022,
vasileProtectingSecretsAdvanced2019},
as well as approaches that entirely replace the security mesh with other primitives based on e.g.\ radio frequency or
optical measurements that aim to sense tampering
with a device~\cite{staatAntiTamperRadioSystemLevel2022,vaiSecureArchitectureEmbedded2015}. A drawback of techniques
aiming to replace security meshes with other sensor types is that it is difficult to prove such sensors do not have
blind spots.
\subsection{Security Mesh Monitoring and Design}
\paragraph{Meshes as capacitive PUFs.}
\textcite{
immlerBTREPIDBatterylessTamperresistant2018,
obermaierMeasurementSystemCapacitive2018,
garbTamperSensitiveDesignPUFBased}
propose one of the most advanced security mesh designs in the current academic state of the art. They use a specialized
security mesh as a Physically Unclonable Function (PUF), combining tamper sensing with cryptographic key storage. In
their design, the mesh consists of a cross-hatch pattern made from several dozen individually addressable capacitive
electrodes. They manufacture their meshes in a specialized process that results in unpredictable, random variations in
capacitance between electrodes. They propose an analog frontend that measures the precise mutual capacitance of each
pair of electrodes~\cite{obermaierMeasurementSystemCapacitive2018} using an approach similar to
\textcite{satoToucheEnhancingTouch2012}, and they use the resulting capacitance matrix as the basis of their PUF. In
further work, they demonstrate a custom IC integrating the monitoring
circuit~\cite{garbFORTRESSFORtifiedTamperResistant2021}.
Advantages of their system include high sensitivity to modifications, as well as that as a PUF, the system does not
require a continuous power supply. Disadvantages include the limited mesh size a single circuit can support due to
dynamic range constraints, the specialized manufacturing process needed for the mesh as well as the high cost of the
monitoring circuit. Common physical security standards require systems to actively destroy all key material when
tampering is detected~\cite{
usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002,
ISOIEC24759,
pcisecuritystandardscouncilPaymentCardIndustry2021}.
Like other PUF-based systems, their system naturally lacks this capability.
% FIXME go more into multiplexing larger meshes in our system below
Key differences of our system include:
\begin{itemize}
\item Our system can cover larger meshes without loss of precision using a single TDR frontend through multiplexing.
\item Our system supports meshes manufactured using standard, low-cost PCB processes.
\item Our design requires only widely available, low-cost commodity components, for each of which alternatives
from other manufacturers are available.
\item Our approach has improved resiliency to electromagnetic interference and works with unshielded meshes.
\end{itemize}
\paragraph{Bridge measurement of capacitive interdigital meshes.} \textcite{dupontMiniaturizedUltraLowPowerTamper2022}
introduce a simple analog circuit approach for monitoring meshes laid out as a set of capacitive interdigital structures
not unlike the combs found in Micro-Electromechanical System (MEMS) accelerometers and gyroscopes. They subdivide the
mesh into four equal-size quadrants, each containing two equal-size interdigital electrodes. They connect the resulting
eight electrodes in a capacitive bridge configuration and measure the bridge's balance using a simple analog monitoring
circuit based on homodyne detection. Advantages of their system include the simple, low-power monitoring circuit made
from basic, cheap components and the capability to work with single-layer meshes such as those produced using Laser
Direct Structuring (LDS). From a security point of view, a drawback of their approach is that to achieve its low-power
usage, measurement resolution is sacrificed and all information on the mesh's state is collapsed into a single, scalar
measurement.
\paragraph{Frequency-domain mesh characterization.}
\textcite{vasileProtectingSecretsAdvanced2019} introduce a monitoring method where they feed a variable-frequency signal
into one end of a continuous mesh trace, and measure the power of the signal coming out of the other end. In essence,
their setup measures $S_{12}$ magnitude in a similar way to a network analyzer.
Advantages of their design include the simple implementation and the potentially robust nature of frequency-domain
measurements. Disadvantages include a nonstandard three-layer mesh stackup, as well as the susceptibility of the system
to attack by emulation given that the log power sensor they are using at the mesh output is designed to be insensitive
to any signal characteristics apart from total signal power.
\paragraph{Time domain mesh monitoring.}
Time-Domain Reflectometry has been proposed for tamper sensing in nuclear arms control
applications~\cite{parsonsTamperRadiationResistant1977}. However, compared to our design, the systems proposed in this
field are usually much larger, using standard benchtop measurement equipment to perform TDR. Additionally, they target
lower time resolution since they are designed to monitor spans of cable up to several hundred meters in length.
Closest to our proposal in the academic corpus is the work of
\textcite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}, where they propose monitoring the time
domain response of a mesh using a circuit made from a pulse generator and a fast Analog-to-Digital Converter (ADC). To
avoid an expensive, high-speed digital processing pipeline, their design is centered around a specialized high-speed ADC
that has a built-in sample memory. Using this part, they capture a pulse at high speed after it traverses the mesh.
Subsequently, they slowly process the captured data from memory.
Advantages of their design include better sensitivity to changes in total mesh trace length compared to simple
continuity monitoring and the low complexity of their analog frontend. Disadvantages include the reliance on a specialty
ADC that cannot easily be replaced with any other commercially available component and the coarse time resolution.
Key differences between their design and our proposal include:
\begin{itemize}
\item Their design is sensitive to total length, but not to the location of faults. Their design measures the mesh's
\emph{transmission} characteristic, which collapses detail about faults along the mesh into a small number of
ADC samples at the pulse edge. Using such a measurement, it is not possible to localize faults. In contrast, our
approach measures the signal's \emph{reflected} component, which spreads information over time and enables us to
localize faults.
\item Our design uses only inexpensive, widely available parts. All parts in our design can easily be substituted
for other, similar parts from different manufacturers.
\item Our approach provides $25\times$ higher time resolution through Equivalent Time Sampling. This is a
fundamental limitation of their design, as the cost of ADCs and their associated circuitry increases steeply
with speed\footnote{ For reference, the least expensive ADC available at distributor DigiKey that would match
the \qty{200}{\pico\second} time resolution of our approach would cost \price{320}{\euro} at quantity 100 and
require national security clearance for export from its manufacturer in the USA.}.
\end{itemize}
\subsection{Equivalent Time Sampling}
Today, systems that digitize high-speed signals usually use a fast ADC, sometimes preceded by one or several
downconverting mixers. This development was enabled by both the increasing availability of ADCs capable of digitizing
hundreds of megasamples per second at a reasonable resolution, and by the increase in speed of CPUs,
FPGAs, and other components of the digital processing chain. However, this is largely a development of this
millennium--meanwhile, signals far into the gigahertz range have been studied since the advent of radar technology in
the Second World War~\cite{kahrs50YearsRF2003}. Enabled by the progress from vacuum tubes to semiconductor devices,
equivalent time sampling became the technology of choice for the latter half of the twentieth century until around the
turn of the millennium the introduction of high-speed digital processing and fast ADCs enabled real-time conversion up
into higher microwave frequencies, today reaching beyond the \qty{100}{\giga\hertz} boundary.
\textcite{kahrs50YearsRF2003} trace back the style of four-diode balanced bridge sampling gate that we use to a vacuum
tube implementation presented in \textcite{chanceWaveforms1949}. This style of sampling gate found application in a
number of sampling oscilloscopes throughout the twentieth century in several oscilloscope sampling frontends such as
HP's 187B~\cite{HP187BDualTrace1962}.
While initially equivalent time sampling was used to circumvent technological limitations, more recently it has also
been used to achieve cost-optimized designs~\cite{houtman1GHzSamplingOscilloscope2000}. Going along similar principles,
\textcite{polasekReflektometrCasoveOblasti2020} presents a design for a minimal sampling TDR circuit that uses a CMOS
clock generator IC along with a CML fanout buffer for pulse generation. The circuit improves upon the double sampling
design first presented by \textcite{houtman1GHzSamplingOscilloscope2000} to reconstruct a downsampled copy of the input
signal in the analog domain before digitization.
\subsection{Low-Cost Time Domain Reflectometry}
\textcite{bencivenniTimeDomainReflectometer2013} present an FPGA-based embedded reflectometer design. Since their design
is based on an early FPGA family dating back to 2003 that lacked the speed and the adjustable I/O delay features of more
modern FPGA families, their design uses the FPGA's logic resources to achieve adjustable delays.
\textcite{negreaSequentialSamplingTime2009} show an equivalent time sampling TDR that uses specialized adjustable delay
line ICs for pulse generation. \textcite{lee16psresolutionRandomEquivalent2003} achieve very high time resolution in an
equivalent time sampling TDR system by using a vernier approach to pulse generation, such that their system is limited
by analog bandwidth, not time resolution. \textcite{trebbelsMiniaturizedFPGABasedHighResolution2013} show another
FPGA-based TDR. Their system also uses a part from the same early FPGA family as
\textcite{bencivenniTimeDomainReflectometer2013}, and they work around its lack of precise timing primitives by
generating a low-frequency sine wave through DDS, which they filter, and then sample using a comparator - a similar
approach to the timing generation in \textcite{houtman1GHzSamplingOscilloscope2000}. Additionally, they avoid the need
for a discrete ADC by implementing a $\Delta\Sigma$ loop around a fast comparator, trading off slower acquisition time
for lower hardware complexity. They use a \qty{5.5}{\volt\per\nano\second} slew rate wideband amplifier IC to generate
their stimulus pulse, achieving a rise time of \qty{2}{\nano\second}. As a result, similar to
\textcite{lee16psresolutionRandomEquivalent2003}, their design is limited by analog bandwidth--here resulting from the
nanosecond-scale stimulus rise time--not by frontend time resolution. Compared with this and other previous approaches,
our proposed system is not only faster, but presents a more balanced trade-off between time resolution and analog
bandwidth.
\color{highlightgreen}
\subsection{Device Fingerprinting through Impedance Sensing}
Recently, impedance analysis on the Power Distribution Network (PDN) of PCB assemblies has been proposed as a
fingerprinting technique aimed at detecting Hardware Trojans (HT) inserted into a board.
% cite: 10.1109/TCSII.2018.2858798 [Fujimoto TDR HT detection, onboard VNA]
% cite: https://doi.org/10.46586/tches.v2023.i1.301-325 [ImpedanceVerif, gateware VNA]
Usually, all chips on a board are directly connected to the board's PDN. Thus, characterizing the board's PDN does not
only yield information on possible modifications to the board's PDN itself such as modified traces or removed passive
components such as capacitors, it also reflects information about the internal structure of any chips or other
components connected to the PDN. Impedance analysis techniques generally probe the circuit during operation using
high-frequency signals. They have been proven using an external Vector Network Analyzer in one-Port
% cite: https://doi.org/10.46586/tches.v2023.i4.238-261 [external VNA]
configuration measuring reflected signal components as well as using two or more ports measuring transmitted signal
components.
% cite: 10.1109/TIFS.2023.3285490 [exterenal VNA, different people]
Both Time Domain Reflectometry
% cite: 10.1109/TCSII.2018.2858798 [Fujimoto TDR HT detection, onboard VNA]
and conventional frequency-domain VNA measurements
% cite: https://doi.org/10.46586/tches.v2023.i1.301-325 [ImpedanceVerif, gateware VNA]
have been shown to be effective. From a signal theory point of view, both techniques can be considered equivalent.
While using an external VNA is feasible for validation in a factory setting, several research works embed the measuring
system into the PCB as either a discrete circuit
% cite: 10.1109/TCSII.2018.2858798 [Fujimoto TDR HT detection, onboard VNA]
or as part of an FPGA gateware.
% cite: https://doi.org/10.46586/tches.v2023.i1.301-325 [ImpedanceVerif, gateware VNA]
% cite: https://doi.org/10.1145/3689939.3695784 [backside tamper detection, gateware VNA]
With such a system, boards can self-verify in the field after deployment, enabling the use of the system for active
tamper sensing. While at less than \qty{2}{\giga\hertz} the achievable bandwith of such systems is lower than that
provided by an external, research-grade VNA, it turns out that the frequencies of interest in the impedance profile of
practical boards lie inside of this small bandwidth.
% cite: https://doi.org/10.46586/tches.v2023.i1.301-325 [ImpedanceVerif, gateware VNA]
Variations of impedance analysis techniques have been demonstrated that detect changes inside individual chips using
board-level measurements,
% cite: 10.1109/DDECS57882.2023.10139623 [chip fp, using external VNA]
that detect manipulatoins using non-contact near-field Radio Frequency (RF) measurements,
% cite: https://doi.org/10.3390/s25134188 [near-field antenna]
that detect the mechanical preparation of a target chip for backside attacks using onboard measurements,
% cite: https://doi.org/10.1145/3689939.3695784 [backside tamper detection, gateware VNA]
and that adapt the technique as an offensive tool for side-channel analysis (SCA) attacks.
% cite: https://doi.org/10.1145/3576915.3623092 [SCA attack]
The technique we propose in this work is related in that it also embeds a RF measurement circuit in a target board, and
that TDR and frequency-domain VNA measurements resolve the same information about a target circuit from a signal theory
perspective. Our system differs from the PDN impedance analysis literature in that it reaches a significantly higher
bandwidth than other embedded measurement setups, and that our proposed tamper-sensing meshes are specifically built as
sensors. Our technique is better suited to active tamper-sensing applications where the sensing circuit is continuously
powered, since in contrast to PDN impedance analysis techniques that need the entire PDN to be powered, our proposed
technique can be applied to protect an unpowered payload circuit. In a practical application, both PDN impedance
analysis and TDR-based tamper-sensing meshes could complement each other to form a comprehensive defense where PDN
impedance analysis checks the core system's integrity, with TDR-based meshes covering everything outside the purview of
PDN impedance analysis.
\color{black}
\section{Monitoring a Security Mesh using Time Domain Reflectometry}
Time Domain Reflectometry (TDR) is a well-known technique that is used to locate faults along a signal channel such as a
copper cable, or an optical fiber. In TDR, a pulse is sent into the beginning of the channel. While the pulse traverses
the channel, any fault such as a discontinuity in electrical impedance or optical density causes part of the pulse to
travel back in a partial reflection. TDR monitors these reflections returning to the beginning of the channel by
recording the signal measured at it after the pulse has been sent. When the pulse reaches the end of the channel,
depending on termination it can be reflected to travel back to the beginning, which allows measurement of the channel's
length.
\subsection{Attacks on a Security Mesh Viewed Using TDR}
In this paper, we apply TDR to monitor a security mesh for changes caused by an attack. Our prototype setup consists of
a custom circuit board containing a low-cost embedded TDR frontend that can be connected to a security mesh specimen to
measure its response, creating a fingerprint of the mesh. In a standard PCB manufacturing process, we construct a
security mesh with a ground plane underneath that works similarly to previous work~\cite{
immlerBTREPIDBatterylessTamperresistant2018,
obermaierMeasurementSystemCapacitive2018,
garbTamperSensitiveDesignPUFBased}.
When viewed in the microwave domain, such meshes constitute what is essentially a delay line. Security meshes commonly
use a pair of two traces to capture short circuit conditions between adjacent traces, which we treat as a differential
pair for improved resiliency against electromagnetic interference. We constructed our frontend such that it excites the
two traces differentially, but allows for both single-ended and differential measurements.
In an intact mesh, we expect our frontend to record no significant reflections until the stimulus pulse has traversed
the mesh's traces both ways, at which point we expect a large response whose polarity and amplitude depend on the
termination on the far end of the mesh. In our prototype circuit, we made this termination configurable to expand the
range of possible measurement configurations and to enable self-calibration of the circuit.
Tampering with the mesh is likely to cause an impedance discontinuity. Cuts of one or both traces or a short circuit
between both traces will result in a total reflection of the incident pulse at the location of the fault, which our
circuit will easily detect as the delay of the response changes. However, beyond these simple cases, our approach can
also detect more subtle changes. For instance, a short circuit between two points along the same mesh trace will result
in a change in delay along this trace. Furthermore, even just probing a mesh trace with an oscilloscope probe will add
the probe's input capacitance, resulting in an impedance step. The TDR approach is thus able to not only detect but
distinguish and even localize several types of faults or attacks in a mesh.
\subsection{Signal Routing}
The stimulus pulse in a TDR-based design is a high-speed signal not unlike any other high-speed data or radio signal.
This enables the use of signal switch and multiplexer ICs marketed for RF or high-speed data bus applications. Due to
their mass-market applications, such devices are inexpensive. Using a tree-shaped topology of multiplexers, several mesh
segments can be monitored by a single frontend, enabling the monitoring of arbitrarily large volumes. As a proof of
concept, in our prototype we implemented software-controllable flipping of the mesh using \partno{TMUXHS4212} bus
multiplexers.
\color{highlightgreen}
\subsection{Typical System Design and Threat Model}
A typical system design for a device like an HSM that employs TDR-based tamper sensing meshes would consist of a payload
PCB assembly enveloped from all directions in tamper sensing mesh PCBs. The payload PCB assembly would contain both the
TDR mesh monitoring circuit as well as payload circuitry such as the HSM's cryptographic coprocessor. The tamper-sensing
meshes we analyze in this paper have the mesh trace layer adjacent to a continuous ground plane to provide a clean,
constant impedance along the mesh trace. In a practical design, the mesh trace would be on the payload-facing side of
the mesh PCB(s), and the ground plane on the outside-facing side. This way, the ground plane simultaneously shields both
the mesh's traces and the payload circuitry from electromagnetic interference. At the same time, putting the mesh trace
on the inside makes it significantly harder to manipulate without disturbing its TDR response. In such a system, the
mesh monitoring circuit would be battery powered and would check for tamper attempts periodically even when the payload
is powered off, e.g.\ during shipping.
In this paper, we tested meshes made from inexpensive rigid FR-4 PCBs, multiple of which could be arranged around a
payload to protect it from all angles, or which could be used in an Inertial HSM as proposed by
% FIXME cite IHSM paper
Flexible Printed Circuits (FPCs) made with an industry-standard polyimide substrate could also be used, and would be
suitable for wrapping around a payload.
% FIXME TODO Minor revision system design and threat model
\color{black}
\section{Circuit Design and Driving Approach}
% FIXME peer review only, for major revision @ TCHES
\begin{figure}
\centering
\hspace*{-7mm}
\includegraphics[height=80mm]{block_diagram.pdf}
\caption{Block diagram of our prototype sampling TDR security mesh monitoring circuit.}
\label{fig_block_diagram}
\end{figure}
A TDR can be broken down into three basic components: A source of fast stimulus pulses (or edges!), a coupler that
separates stimulus pulses and their reflection at the output, and a fast ADC to capture the reflections.
Figure\ \ref{fig_block_diagram} shows a block diagram of our design\footnote{Full schematics are available in this
paper's supplementary material.}. At the core of our design lies an equivalent time sampling setup, where two
diode bridge sampling gates alternately sample the two traces of the mesh.
Since physical attacks happen on a time scale of minutes or hours, we do not need a fast acquisition rate. Equivalent
time sampling uses fast sampling gates to sample a high-frequency signal at a low frequency that is suitable for direct
conversion through an ADC. Using equivalent-time sampling, we can sample \unit{\giga\hertz}-Scale signals at the
\unit{\mega\hertz}-scale sampling rate of the internal ADCs of the commodity microcontroller we use. We use two of the
microcontroller's ADCs interleaved, each of which provides approximately \qty{1.7}{\mega Sp\per\second} at
\qty{12}{\bit} resolution. Due to the high conversion speed of the modern ADC cores in this microcontroller, we are able
to use up to $384\times$ oversampling for increased precision.
%A challenge in equivalent time sampling is precisely phase-synchronizing the sampling pulse to the fundamental
%frequency of the input signal, which is usually implemented by using a high-speed comparator. In a TDR-style frontend
%like ours, this expensive component can be avoided because the stimulus signal is generated in the frontend,
%simplifying the challenge of generating a synchronized sampling pulse at an adjustable phase to the stimulus pulse.
The mesh has low insertion loss. Thanks to the resulting large amplitude of the reflection signal, the noise floor of
our frontend based on commodity operational amplifiers (opamps) is below the resolution limit of the built-in ADCs of
our chosen microcontroller. The main source of frontend noise stems from timing jitter between the sampling gate and the
ADC due to the clock generation of the ADC, which could be reduced through firmware changes. The strong signal allows us
to use a comparatively lossy but simple \qty{-6}{\deci\bel} resistive tee instead of a directional coupler.
We implemented the sub-nanosecond sampler using a four-diode bridge sampling gate made from commodity \partno{BAT17-04W}
RF Schottky diodes, which offer turn-on times better than \qty{100}{\pico\second} at \price{0.13}{\euro} per device at
quantity 1000. In contrast to prior
work~\cite{polasekReflektometrCasoveOblasti2020,houtman1GHzSamplingOscilloscope2000}, we precisely control the timing of
our ADC and avoid the need for a second sampling stage.
We base our circuit around an \partno{STM32G474RB} microcontroller, \price{5}{\euro}-class commodity ARM
microcontroller. This is a recent part, which has internal ADCs that are both higher resolution and faster than those of
older parts. Furthermore, it includes a \emph{high-resolution timer} (\partno{HRTIM}) peripheral that provides better
than \qty{200}{\pico\second} timing resolution through self-calibrating delay lines. We use this peripheral to produce
adjustable, phase-locked stimulus and sampling pulses.
While the HRTIM peripheral provides sub-nanosecond phase adjustment, the digital outputs of the \partno{STM32G4} series
are limited to a minimum transition time of $t_r=t_f=\qty{1.7}{\nano\second}$\footnote{Datasheet specification, when
driving a \qty{10}{\pico\farad} load~\cite{stmicroelectronicsSTM32G474xBDatasheet2021}.}. We work around this issue with
two circuit tricks. First, we send the output through a fast amplifier to square up the edges to a rise time better than
\qty{500}{\pico\second}. We then reduce the \qty{10}{\nano\second} minimum pulse width supported by the \partno{HRTIM}
peripheral by applying a clip line~\cite{tektronixinc.TektronixS6Sampling1982} pulse forming network--i.e.\ we connect
the amplifier's output to the load in parallel with a short, terminated transmission line stub. The length of this stub
determines the pulse width.
\subsection{Driver Selection}
We evaluated multiple options for the pulse shaping amplifier in our design. For both sampling and stimulus, we work
with fully differential signals, so Current Mode Logic (CML) devices, which are widely used in high-speed logic, are a
natural fit. We settled on four parts for evaluation in this paper: A \partno{74LVC2G157} standard logic IC, two
HDMI/DisplayPort redrivers, \partno{PI3HDX12211} and \partno{TDP0604}, as well as \partno{MAX3748}, a limiting amplifier
for optical networking. Figure\ \ref{fig_pic_amps} shows the four hand-soldered prototypes. We avoided specialty parts
such as the CML-output comparators made by Analog Devices due to cost.
\begin{figure}
\centering
\begin{subfigure}{0.23\textwidth}
\centering
\includegraphics[width=0.9\textwidth]{pic_74lvc_small.jpg}
\caption{74LVC2G157}
\end{subfigure}
\begin{subfigure}{0.23\textwidth}
\centering
\includegraphics[width=0.9\textwidth]{pic_max3748_small.jpg}
\caption{MAX3748}
\end{subfigure}
\begin{subfigure}{0.23\textwidth}
\centering
\includegraphics[width=0.9\textwidth]{pic_tdp0604_small.jpg}
\caption{TDP0604}
\end{subfigure}
\begin{subfigure}{0.23\textwidth}
\centering
\includegraphics[width=0.9\textwidth]{pic_pi3hdx_small.jpg}
\caption{PI3HDX12211}
\end{subfigure}
\caption{Implementation of the pulse amplifier variants of the design. Amplifiers were mounted dead bug style on
copper tape and connected with \qty{120}{\micro\meter} wire. Supply rails were connected with copper tape where
possible to reduce impedance. MLCC power supply decoupling capacitors were placed on the copper tape to reduce loop
area.}
\label{fig_pic_amps}
\end{figure}
\paragraph{Standard logic ICs.}
As a baseline, we evaluated the \partno{74LVC2G157} CMOS multiplexer configured to provide complementary outputs.
According to manufacturer specifications, this part provides slightly faster rise and fall times than
oumicrocontroller~\cite{renesaselectronicscorporationApplicationNoteAN2242019}.
\paragraph{Optical Networking Chipsets.}
Optical transceivers use CML-output limiting amplifiers and laser drivers, some of which are still available as discrete
components despite the industry moving from PCB implementations to direct bonding. We evaluated the \partno{MAX3748}
limiting amplifier as a representative part from this category.
\paragraph{Bus Redrivers.}
Most modern, high-speed buses like USB 3, PCI Express, HDMI, and Display Port use CML drivers. \emph{Redriver} ICs
intended to amplify such signals to compensate for loss in connectors or cables contain amplifiers that are suitable for
our application. HDMI/DisplayPort redrivers are most suitable since they can be configured as simple amplifiers,
turning off any signal-dependent power saving features.
In our evaluation below, we include \partno{PI3HDX12211} and \partno{TPD0604}, two inexpensive, consumer mass market
redrivers\footnote{
\partno{PI3HDX12211} is available at \price{2.11}{\euro} in single quantity and less than \price{1.30}{\euro} at a
quantity of several hundred at distributor LCSC, and \partno{TPD0604} is available at \price{4.72}{\euro} and
\price{3.44}{\euro}, respectively, at distributor Mouser}.
Both parts have four independent channels, so only one chip is needed for the two pulse paths.
\subsection{Cost Breakdown}
Table\ \ref{tab_bom} shows a breakdown of the cost of the main components of our prototype, totalling less than
\price{10}{\euro}. We did not include power supply components in this breakdown since our circuit is meant to be
embedded into a payload circuit that will already have sufficient power supplies. Our design works with strong signal
levels, and does not have special power supply requirements. In a practical implementation, it is unlikely that the
power supply would negatively affect performance.
Due to its \partno{HRTIM} peripheral, the \partno{STM32G4} microcontroller is the component of our design that is
hardest to replace. However, this part can still be replaced with a wide range of FPGAs, which commonly include
digitally configurable delay lines on their IO pins for signal de-skewing. For instance, the \partno{ODELAY} primitive
of Xilinx 7 Series FPGAs provides the same $\frac{1}{32}$ clock cycle resolution that the \partno{STM32G4}
\partno{HRTIM} peripheral provides while supporting higher input clock frequencies.
\begin{table}
\centering
\begin{tabular}{c|c|c|l}
\textbf{Part number}&\textbf{Amount}&\textbf{Cost in \euro}&\textbf{Description}\\\hline
PI3HDX12211&1&1.37&Pulse amplifier\\
STM32G474RB&1&3.51&Main microcontroller\\
OPA1656&1&1.25&Sampling post-amplifier\\
TMUXHS4212&2&0.64&Signal routing switch\\
SKYA21003&2&0.49&Termination switch\\
74LVC2G157&2&0.15&Pulse pre-conditioning\\
BAT17-04W&4&0.12&Sampling gates\\
N/A&25&0.01&Various MLCC capacitors\\
N/A&25&0.01&Various resistors\\\hline
\multicolumn{2}{r}{}&\textbf{9.67}&\textbf{Total}
\end{tabular}
\caption{Cost breakdown of our prototype design. Prices are listed at order quantity 1000 to make prices more
comparable between distributors.}
\label{tab_bom}
\end{table}
\subsection{Measurement Principle and Scan Scheduling}
\label{sec_scan_schedule}
The goal of a time domain reflectometer is to send a pulse into the Device Under Test (DUT)--i.e.\ in our application,
the mesh--and to record all reflections returning from the DUT afterwards. In a security mesh with a few meters of total
trace length, the time span between the pulse being sent and the last reflections arriving from the end of the mesh is
in the order of tens of nanoseconds. Directly recording a response at this timescale would be infeasible in a commodity
microcontroller, so we use equivalent time sampling.
As shown in Figure\ \ref{fig_block_diagram}, our analog frontend contains amplifiers that produce the stimulus pulse, a
sampling gate with amplifiers, and a coupler that couples the pulse into the mesh and couples the reflections back into
the sampling gate. A microcontroller controls this frontend with two main signals: A stimulus pulse, and a sampling
pulse. By adjusting the timing between these two pulses every time a stimulus pulse is sent, the microcontroller can
sample the response at any chosen point in time. By sweeping across the whole time span, the microcontroller can
reconstruct the waveform of the reflected signal at the sampling gate.
In our prototype, we sample the response once after each stimulus pulse. We conservatively decided on a sampling rate of
\qty{1}{MSps} across both channels of the mesh's differential pair. This sampling rate leaves some headroom to the
\qty{50}{\mega\hertz} Gain-Bandwidth Product (GBP) of the \partno{OPA1656} frontend opamp, as well as the \qty{4}{MSps}
that the ADCs can reach. The processing speed of the microcontroller allows individual control of the timing of each
sampling pulse.
% major revision: Since we did all measurements for the majR with only 768 samples, we re-scaled the numbers in this
% paragraph accordingly.
% FIXME mention in majR letter.
In our prototype, one sweep of a \qty{141}{\nano\second} time span consisting of $768$ data points took
\qty{825}{\milli\second} at $384\times$ oversampling. The time span corresponds to \qty{21}{\meter} of mesh length,
which at a \qty{200}{\micro\meter} pitch corresponds to a mesh area of \qty{85}{\centi\meter\squared} and at a
\qty{1}{\milli\meter} pitch corresponds to \qty{426}{\centi\meter\squared}. By optimizing timing, moving oversampling
processing out of the interrupt handler, and by interleaving four instead of two of the microcontroller's five ADC
peripherals, the lower limit of acquisition time of a $768$-point scan is \qty{37}{\milli\second} for $384\times$
oversampling.
\subsection{ADC accuracy and noise immunity}
Our system uses high-frequency pulses for measurement, which inherently reject low-frequency noise components. Through
our TDR approach, both the stimulus and the sampling pulses are phase-locked, functioning similarly to a lock-in
amplifier. This significantly attenuates asynchronous noise. We excite the mesh with a differential signal, similar to
standards such as Ethernet or HDMI. Differential signaling cancels out external interference, which tends to affect both
lines equally\cite{bogatinSignalPowerIntegrity2018}.
Our front-end circuit is designed such that the analog signal entering the ADCs is strong and low in noise. Due to the
high sample rate of the microcontroller's internal ADCs, we can apply extensive oversampling ($384\times$) to enhance
resolution.
\section{Experimental Evaluation}
We evaluated our design in two phases. In the first phase, we measured the electrical performance of our sampling
circuit. The key figure in our application is the pulse generators' rise time, which determines the level of detail that
we are able to extract. Since we aim at fingerprinting a connected mesh, not at performing absolute measurements, we do
not need to characterize or de-embed the transfer function of our TDR frontend.
In the second phase, we evaluated the actual performance of our design on a set of 500 mesh test specimens of different
layouts and structure sizes. We include detailed performance figures for a simple baseline classifier for attack
detection.
% FIXME more intro here
\subsection{Rise Time Measurement}
The level of detail our frontend can extract from a mesh is limited by the rise time of the pulses it generates. We
characterized this rise time both externally, using a wideband spectrum analyzer (Section~\ref{sec_spec_risetime}), and
through self-characterization of the circuit (Section~\ref{sec_spec_risetime_selfchar}). Both measurements differ
because of the non-linear characteristic of the sampling Schottky pairs. Depending on the IC, our pulse generator
produces output waveforms with \qtyrange{470}{3200}{\milli\volt} differential voltage swing. Since the sampling diode
pairs start to conduct at a combined forward voltage of approximately \qty{300}{\milli\volt}, they will transition from
high impedance to low impedance during a corresponding \qty{300}{\milli\volt} window at the middle of the strobe pulse's
edge. Thus, even if the strobe pulse shows a low-pass response with rounding at both ends, as long as its slew rate
$\frac{\mathrm{d}V}{\mathrm{d}t}$ during the zero crossing is fast enough, the pulse will still result in a sharp
turn-on knee of the sampling diodes.
\subsubsection{Stimulus Pulse Rise Time at the Mesh}
\label{sec_spec_risetime}
\begin{figure}
\begin{center}
\begin{subfigure}{0.45\textwidth}
\centering
\includegraphics[width=\textwidth]{fig_spec_risetime_74lvc.pdf}
\vspace*{-5mm}
\caption{74LVC2G157}
\label{fig_spec_risetime_74lvc}
\end{subfigure}
\unskip\begin{subfigure}{0.45\textwidth}
\centering
\includegraphics[width=\textwidth]{fig_spec_risetime_max3748.pdf}
\vspace*{-5mm}
\caption{MAX3748}
\label{fig_spec_risetime_max3748}
\end{subfigure}
\begin{subfigure}{0.45\textwidth}
\centering
\includegraphics[width=\textwidth]{fig_spec_risetime_tdp0604.pdf}
\vspace*{-5mm}
\caption{TDP0604}
\label{fig_spec_risetime_tdp0604}
\end{subfigure}
\unskip\begin{subfigure}{0.45\textwidth}
\centering
\includegraphics[width=\textwidth]{fig_spec_risetime_pi3hdx.pdf}
\vspace*{-5mm}
\caption{PI3HDX12211}
\label{fig_spec_risetime_pi3hdx}
\end{subfigure}
\end{center}
\vspace*{-5mm}
\caption{Spectrum measurements and reconstructed time domain edge shape of the stimulus pulse
measured at the mesh interface for each of the four driver ICs, captured using a spectrum analyzer. Vertical
scale shows arbitrary units. Spectrum plots include a $\frac{1}{f}$ curve indicating the frequency components of
an ideal infinite-bandwidth square wave. Horizontal gray lines in the time domain plots indicate thresholds used
for rise time calculation.}
\label{fig_spec_risetime}
\end{figure}
To determine the rise time of our frontend's pulse generator, we measured the stimulus output at the mesh interface
using a Keysight N9020A MXA \qty{26.5}{\giga\hertz} signal analyzer\footnote{The spectrum analyzer used significantly
exceeded the capabilities of the fastest oscilloscopes we had access to, so it was the more appropriate choice of
measurement instrument.}. All measurements were taken with the prototype's mesh interface connected to the spectrum
analyzer through a bias tee configured for DC blocking followed by a \qty{20}{\deci\bel} attenuator for protection.
Figure\ \ref{fig_spec_risetime} and Table\ \ref{tab_edge_risetime} show the resulting measurements both in the frequency
domain (upper traces), and projected back into the time domain (lower traces) along with measured rise times. As
expected, the bare \partno{74LVC}-series logic gate has the slowest rise time at approximately \qty{500}{\pico\second}.
All three amplifier variants we implemented showed significantly improved rise time, with the \partno{PI4HDX12211}
achieving below \qty{200}{\pico\second}, and the other two showing around \qty{120}{\pico\second}. \partno{MAX3748} and
\partno{TDP0604} only achieved a low output signal amplitude, which stems from a combination of them having low output
amplitude by design and of our circuit loading their outputs heavily. Since their amplitude is only marginally within
the knee region of the RF Schottky diodes used in the sampling bridges, in these variants, the sampling gates end up
slower than the raw pulse rise time value alone would suggest.
\subsubsection{Self-Characterization}
\label{sec_spec_risetime_selfchar}
\begin{figure}
\begin{center}
\includegraphics[width=\textwidth]{fig_edge_risetime.pdf}\vspace*{-7mm}
\end{center}
\caption{One edge of the stimulus pulse with no mesh connected measured by the board itself, using different
amplifier ICs. For each IC, ten traces are shown. The vertical scale is in Volts at the sampling amplifier output.}
\label{fig_edge_risetime}
\end{figure}
\begin{table}
\begin{center}
\begin{tabular}{r|cccc}
\textbf{IC}
&\partno{74LVC2G157}
&\partno{MAX3748}
&\partno{TDP0604}
&\partno{PI3HDX12211}\\\hline
\textbf{$t_r$ (Self-Characterization)}&
\qty{916}{\pico\second}&
\qty{743}{\pico\second}&
\qty{333}{\pico\second}&
\qty{264}{\pico\second}\\
\textbf{$t_r$ (Stimulus at Mesh)}&
\qty{573}{\pico\second}&
\qty{125}{\pico\second}&
\qty{119}{\pico\second}&
\qty{191}{\pico\second}\\
\textbf{Stimulus Pulse $V_{pp}$}&
\qty{1600}{\milli\volt}&
\qty{236}{\milli\volt}&
\qty{254}{\milli\volt}&
\qty{430}{\milli\volt}\\
\textbf{Effective Slew Rate}&
\qty{2.79}{\volt\per\nano\second}&
\qty{1.89}{\volt\per\nano\second}&
\qty{2.13}{\volt\per\nano\second}&
\qty{2.25}{\volt\per\nano\second}
\end{tabular}
\end{center}
\caption{Single-ended stimulus edge rise times for different amplifier ICs. The single-ended rise times of both
positive and negative half of the differential pair have been averaged. External measurements are from Figure\
\ref{fig_spec_risetime}, measuring the stimulus pulse at the mesh interface. $V_{pp}$ measurements are taken at the
mesh interface. Effective slew rates are calculated from the external measurements and pulse $V{pp}$.}
\label{tab_edge_risetime}
\end{table}
While a fast edge is a necessary component for a fast sampling gate, the concrete speed of the sampling gate also
depends on other factors such as the pulse's amplitude. Figure\ \ref{fig_edge_risetime} shows the result of our
self-characterization experiments, where we used the frontend to measure its own pulse shape representing its concrete
sampling performance. In these experiments, we used $256\times$ oversampling at \qty{12}{b} ADC resolution. The plots
show the voltage at the ADC input against time in \unit{\nano\second}. The absolute voltage levels are not relevant here
- only the rise time is. Since we use some of these amplifiers--particularly the redriver ICs--well outside of their
intended application, the actual voltage they develop across the nonlinear load that our sampling gate's diode bridge
presents depends on implementation details of the amplifier's CML output stage. To maximize ADC resolution and minimize
ringing, we tuned gain and bandwidth of each post-sampling amplifier for each IC. Ringing in the amplifier output leads
to jitter in the ADC's sampling period to directly feeding through to the ADC output value. Since in \partno{STM32}
MCUs, the ADC is clocked independently of the rest of the system, its sampling timing is poorly
controlled and this jitter causes a significant error unless the amplifier is well-compensated.
Table\ \ref{tab_edge_risetime} shows rise times calculated from each trace, averaged across both traces of the
differential pair. Our results show that the optical networking limiting amplifier produces slower edges than the
measurements from Figure\ \ref{fig_spec_risetime} would suggest. We suspect that this is caused by its low output
amplitude resulting in part from its specifications and in part from a poor match between its CML output structure and
the nonlinear impedance presented by the sampling diode bridges. Surprisingly, even the \partno{74LVC2G157} baseline
unit has a rise time of less than \qty{1}{\nano\second}. We estimate that this is caused by the large output voltage
swing of this part, going from ground to its $V_{CC}$ at \qty{3.3}{\volt}. Due to the construction of our sampling gate,
its switching happens in the short period between its input differential voltage crossing zero and it rising above the
combined forward voltage of the Schottky diodes. Thus, while the \partno{74LVC} might produce slow edges overall, its
large output swing results in a high slew rate in the critical region around the zero crossing.
We observed the best result overall with the \partno{PI3HDX12211} redriver, resulting in a rise time of
\qty{264}{\pico\second}. In this test specimen, we fed the pulse through the amplifier twice since we had two unused
channels, and we used \qty{200}{\pico\second} clip lines on the amplifier's output for pulse shaping. We only used clip
lines here and for \partno{TDP0604} since the other amplifiers' output did not contain sufficient harmonic content.
\subsection{Mesh Specimen Characterization}
\begin{table}
\begin{center}
\begin{tabular}{r|cccc}
\textbf{Mesh}
&1
&2
&3
&4\\\hline
\textbf{Size}&
$35\times\qty{70}{\milli\meter}$&
$35\times\qty{70}{\milli\meter}$&
$35\times\qty{70}{\milli\meter}$&
$35\times\qty{70}{\milli\meter}$\\
\textbf{Area}&
$\qty{24.5}{\centi\meter^2}$&
$\qty{24.5}{\centi\meter^2}$&
$\qty{24.5}{\centi\meter^2}$&
$\qty{24.5}{\centi\meter^2}$\\\hline
\textbf{Trace width}&
\qty{150}{\micro\meter}&
\qty{200}{\micro\meter}&
\qty{300}{\micro\meter}&
\qty{500}{\micro\meter}\\
\textbf{Trace spacing}&
\qty{150}{\micro\meter}&
\qty{200}{\micro\meter}&
\qty{300}{\micro\meter}&
\qty{500}{\micro\meter}\\
\textbf{Trace pitch}&
\qty{300}{\micro\meter}&
\qty{400}{\micro\meter}&
\qty{600}{\micro\meter}&
\qty{1.00}{\milli\meter}\\\hline
\textbf{Trace length}&
\qty{1.07}{\meter}&
\qty{1.93}{\meter}&
\qty{2.86}{\meter}&
\qty{3.86}{\meter}\\
\textbf{Approximate Delay}&
\qty{7.1}{\nano\second}&
\qty{13}{\nano\second}&
\qty{19}{\nano\second}&
\qty{26}{\nano\second}\\
\end{tabular}
\end{center}
\caption{Specifications of mesh test specimens used in the experiments in this paper. Approximate signal delays were
calculated using wave velocity
$v=\frac{c}{\sqrt{\epsilon_r}}\approx\frac{c}{2}$~\cite{wheelerTransmissionLinePropertiesParallel1965} assuming
$\epsilon_r\approx 4$~\cite{mumbyDielectricPropertiesFR41989} for the test specimens' \partno{FR-4} substrate.}
\label{tab_mesh_spec}
\end{table}
To measure the practical performance of our prototype, we created a set of tamper sensing mesh test specimens. Each
specimen contains four separate meshes with the same area. Table~\ref{tab_mesh_spec} shows the design specifications.
Each specimen contains four separate meshes on the outer layers of a four-layer, \qty{1.0}{\milli\meter} thickness PCB,
two equal-size meshes on each side. The inner layers were used as ground. Figure\ \ref{fig_mesh_length} shows the
results of a baseline measurement of each mesh using each design variant. The step response resulting from an edge
entering the mesh and its reflection arriving back at the start after traversing the mesh back and forth is clearly
visible.
We validated the results from Figure\ \ref{fig_mesh_length} by calculating speed of light in our mesh specimen's
substrate based on them. The resulting measurements are shown in Table\ \ref{tab_speed_of_light}. All amplifier
configurations yield comparable measurements of approximately \qty{1.6}{\meter\per\second}, which corresponds with the
expected signal propagation velocity in \partno{FR-4} PCB material of
\qty{1.5d8}{\meter\per\second}~\cite{wheelerTransmissionLinePropertiesParallel1965,mumbyDielectricPropertiesFR41989}.
The graphs in Figure~\ref{fig_mesh_length} show a dispersion effect that increasingly rounds off the trailing edge of
the response with longer mesh lengths. This effect stems from higher-frequency components coupling into adjacent trace
segments further up or down the mesh, spreading high-frequency components of the response signal out throughout time.
This effect is less visible in the \partno{74LVC} measurements, which we suspect is a result of this variant's large
pulse amplitude, which enables reflected response components to forward-bias the sampling gate's diode bridges,
resulting in amplitude clipping.
From this dispersion effect follows a key point for the design of practical security meshes: To increase the temporal
resolution of TDR mesh monitoring, meshes should be broken up into segments that are multiplexed through signal
switching.
\begin{figure}
\begin{center}
\includegraphics[width=.8\textwidth]{fig_mesh_length.pdf}
\vspace*{-10mm}
\end{center}
\caption{TDR responses captured by the microcontroller's internal ADCs with each of four
candidate pulse amplifier ICs and four test meshes. The shown time range covers the primary reflection of the
stimulus pulse's falling edge. The vertical scale of the graphs is in Volts at the ADC. For clarity, only one
channel of the differential response is shown.}
\label{fig_mesh_length}
\end{figure}
\begin{table}
\begin{center}
\begin{tabular}{r|cccc|c}
&\multicolumn{4}{c|}{Mesh}&\\
Pulse amplifier IC&
1&
2&
3&
4&
Calculated speed of light $c$
\\\hline
\partno{PI3HDX12211}&
\qty{16.9}{\nano\second}&
\qty{26.0}{\nano\second}&
\qty{36.4}{\nano\second}&
\qty{46.1}{\nano\second}&
$\qty{1.59d8}{\meter\per\second}$\\
\partno{74LVC2G157}&
\qty{17.1}{\nano\second}&
\qty{26.4}{\nano\second}&
\qty{36.6}{\nano\second}&
\qty{48.2}{\nano\second}&
$\qty{1.55d8}{\meter\per\second}$\\
\partno{MAX3748}&
\qty{17.2}{\nano\second}&
\qty{26.4}{\nano\second}&
\qty{36.6}{\nano\second}&
\qty{45.6}{\nano\second}&
$\qty{1.59d8}{\meter\per\second}$\\
\partno{TDP0604}&
\qty{17.0}{\nano\second}&
\qty{26.2}{\nano\second}&
\qty{36.5}{\nano\second}&
\qty{45.8}{\nano\second}&
$\qty{1.59d8}{\meter\per\second}$\\
\end{tabular}
\end{center}
\caption{Speed of light and time offset calculated from delays read from the graphs in Figure\
\ref{fig_mesh_length}. $c$ is the speed of light determined by linear fit.}
\label{tab_speed_of_light}
\end{table}
\subsection{Classification performance}
\label{sec-class-perf}
To evaluate the practical performance of our system, we captured approximately 1250 measurement series under a variety
of environmental and attack conditions and evaluated its performance using a simple template-matching classifier. In
each measurement series, we captured 7 differential traces with $2\times768$ points per trace. One differential trace
served as a calibration reference with the multiplexers configured to disconnect the mesh. The other six traces cover
each of open circuit, short circuit, and matched load termination measuring each of the two traces of the mesh once from
each of both ends for 12 channels total ($\{\text{open}, \text{short}, \text{load}\} \times \{\text{forward},
\text{reverse}\} \times \{\text{mesh trace A}, \text{mesh trace B}\}$).
Our classifier is designed to compare two measurement series and produce a scalar score indicating their similarity. A
simple threshold can then be applied on the similarity score to decide the class. Type 1 and type 2 error rates can be
tuned by adjusting this threshold.
Our classifier proceeds in four steps: B-spline smoothing, per-channel Pearson Correlation Coefficient, averaging all
channel results, and applying a threshold. B-spline smoothing serves as a low-pass filter, evening out random noise. We
calculate the Pearson Correlation Coefficient for each measurement channel separately, producing a vector with 12
entries. We average the components of this vector to a single, scalar similarity score.
\subsubsection{Interpreting these performance plots}
Figure~\ref{fig_layout_identity} shows the similarity score of multiple intact meshes. For each performance measurement,
we show the similarity scores for each pair of measurements as a matrix, with each measurement appearing once in each
row and column. High values indicate similarity, low values indicate differences. We show the baseline measurement set
in the top left quadrant of the plot (1), and the experiment set bottom right (4), separated by white lines. Uniform
color within the top left quadrant (1) indicates high similarity between baseline measurements. Nonuniform color in the
bottom right (4) is expected, and indicates that mutliple experiment (attack) measurements are unlike each other.
Classification performance is indicated by the top right (2) and bottom left (3) quadrants, which indicate
misclassification probability. Misclassification is likely when the top left (1) and top right (2) quadrants look alike.
Misclassification is less likely the more they differ. Under each figure, we give the False Negative Rate (FNR), i.e.
the rate of missed alarms, when the threshold is adjusted for a False Positive Rate, i.e. a false alarm rate, of
$0.1\%$. These values are calculated assuming the similarity scores are normally distributed. Additionally, we provide
the Crossover Error Rate (CER) derived from the empirical cumulative distribution function of the results, i.e. the
error rate where for some threshold FPR is equal to FNR. A CER near $50\%$ indicates the classifier cannot distinguish
the classes, lower values indicate good performance.
Figure~\ref{fig_layout_identity_layout} compares several copies of the same mesh (top left quadrant, 1) to four variants
that have the same pitch and area, but different randomized layout of the traces (bottom right). Our classifier can
distinguish mesh layouts with a 18\% FNR at 0.1\% FPR.
The variance between samples of the baseline group in Figure~\ref{fig_layout_identity_layout} alerted us to the
possibility that while all mesh samples of the same layout were supposed to be identical copies, our measurement circuit
might be sensitive enough to pick up on manufacturing variations from one copy to another in a PUF-like manner. To
evaluate this scenario, in Figure~\ref{fig_layout_identity_identity} we show the result of repeated measurements of
three copies of the same mesh. The measurements were taken interleaved ($1, 2, 3, 1, 2, \hdots$) to exclude systematic
errors. We found our system can indeed distinguish multiple copies of the same mesh at a 1.7\% FNR at 0.1\% FPR. We
leave a detailed analysis of this effect to future work. For the scope of this paper, the presence of this effect
indicates good performance of our design, and increases the detection efficiency of our approach.
\begin{figure}
\centering
\begin{subfigure}[t]{0.4\textwidth}
\includegraphics[width=\textwidth]{fig_covar_distinguish_layouts.pdf}
\caption{Five copies of the same layout compared to four other layouts. FNR 18\% at 0.1\% FPR, CER=0\%.}
\label{fig_layout_identity_layout}
\end{subfigure}
\hspace*{5mm}
\begin{subfigure}[t]{0.4\textwidth}
\centering
\includegraphics[width=0.7\textwidth]{fig_covar_distinguish_copies_large_run.pdf}
\caption{Three identical copies, 20 measurements each. FNR 1.7\% at 0.1\% FPR, CER=0\%.}
\label{fig_layout_identity_identity}
\end{subfigure}
\hfill
\caption{Similarity matrices of measurement series on intact meshes.}
\label{fig_layout_identity}
\end{figure}
\subsubsection{Basic attacks}
\begin{figure}
\begin{subfigure}[t]{0.23\textwidth}
\includegraphics[width=\textwidth]{fig_covar_open_p0.3.pdf}
\caption{One trace interrupted, p=\qty{0.3}{\milli\meter}. FNR 0.0\% at 0.1\% FPR, CER=0\%.}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.23\textwidth}
\includegraphics[width=\textwidth]{fig_covar_short_across_traces_p0.3.pdf}
\caption{Both traces shorted, p=\qty{0.3}{\milli\meter}. FNR 0.0\% at 0.1\% FPR, CER=0\%.}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.23\textwidth}
\includegraphics[width=\textwidth]{fig_covar_open_p0.4.pdf}
\caption{One trace interrupted, p=\qty{0.4}{\milli\meter}. FNR 0.0\% at 0.1\% FPR, CER=0\%.}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.23\textwidth}
\includegraphics[width=\textwidth]{fig_covar_short_across_traces_p0.4.pdf}
\caption{Both traces shorted, p=\qty{0.4}{\milli\meter}. FNR 0.0\% at 0.1\% FPR, CER=0\%.}
\end{subfigure}
\caption{Similarity matrix of 10 intact and 10 modified meshes with two pitch sizes under two
different attack scenarios: An interrupted trace, and both mesh traces shorted.}
\label{fig_covar_basic_attacks}
\end{figure}
Figure~\ref{fig_covar_basic_attacks} shows the performance of our classifier under the two basic attack scenarios of an
interrupted trace, and a short circuit between the mesh's differential traces. Such attacks lead to large changes in the
location of the reflected pulse edge, resulting in 0\% Crossover Error Rate.
\subsubsection{Trace shortening}
\begin{figure}
\centering
\includegraphics[width=0.33\textwidth,trim=0 5mm 0 5mm]{fig_covar_short_within_0.3.pdf}
\caption{Similarity matrix of several mesh specimens that have one trace shorted to an
adjacent location on the same trace. Classification FNR 18\% at 0.1\% FPR, CER=17\%.}
\label{fig_short_within}
\end{figure}
Figure~\ref{fig_short_within} shows classification results when one trace is short circuited to another location within
the same trace. Here, the resulting distortion in response shape is harder to detect. Depending on the length of the
shorted-out section, the timing skew such modifications introduce may be as little as a few picoseconds. For some
samples which have longer sections of mesh trace shorted out, this attack is easy to distinguish, but for others, our
classifier cannot distinguish it leading to an overall FNR of 18\% at 0.1\% FPR, with some specimens reliably detected,
and others never detected.
\subsubsection{Advanced attacks}
\begin{figure}
\begin{subfigure}[t]{0.23\textwidth}
\includegraphics[width=\textwidth]{fig_covar_probe_0.3.pdf}
\caption{Oscilloscope probe contacting mesh. FNR 0.0\% at 0.1\% FPR, CER=0\%.}
\label{fig_covar_adv_probe}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.23\textwidth}
\includegraphics[width=\textwidth]{fig_covar_soldering_p0.3.pdf}
\caption{Soldering iron touching mesh. FNR 0.0\% at 0.1\% FPR, CER=0\%.}
\label{fig_covar_adv_soldering}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.23\textwidth}
\includegraphics[width=\textwidth]{fig_covar_antenna_wire_30mm_p0.3.pdf}
\caption{30mm wire soldered to mesh. FNR 9.6\% at 0.1\% FPR, CER=1\%.}
\label{fig_covar_adv_antenna}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.23\textwidth}
\includegraphics[width=\textwidth]{fig_covar_probe_points_p0.3.pdf}
\caption{Baseline vs. experiment specimens with no attack.}
\label{fig_covar_adv_baseline}
\end{subfigure}
\caption{Classifier performance under advanced attack scenarios.}
\label{fig_covar_adv_attack}
%too much: fig_covar_soldering_p0.3_minmax.pdf
%too much: fig_covar_antenna_wire_30mm_p0.3_minmax.pdf
\end{figure}
Figure~\ref{fig_covar_adv_attack} shows our classifier's performance under conditions similar to actions an attacker
would perform during an attack: An oscilloscope probe\footnote{Part number Rigol PVP3150.} touching one mesh trace
(Figure~\ref{fig_covar_adv_probe}), a soldering iron touching one mesh trace (Figure~\ref{fig_covar_adv_soldering}), and
a mesh where one trace has a $l=\qty{30}{\milli\meter},d=\qty{120}{\micro\meter}$ piece of copper wire soldered to one
trace (Figure~\ref{fig_covar_adv_probe}). Our classifier is able to clearly distinguish the probing and soldering iron
cases at 0\% FNR, with a maximum of 9.6\% FPR at 0.1\% FNR in the soldered wire case.
\subsubsection{Patching attacks}
\label{sec_attack_probe}
\begin{figure}
\begin{subfigure}[t]{0.27\textwidth}
\includegraphics[width=\textwidth]{fig_covar_patch_interleave_baseline.pdf}
\caption{Test boards before experiment.}
\label{fig_covar_patch_attack_baseline}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.27\textwidth}
\includegraphics[width=\textwidth]{fig_covar_patch_ref_exp_interleave_direct.pdf}
\caption{Experiment specimen compared to reference before and after attack.}
\label{fig_covar_patch_attack_direct}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.4\textwidth}
\includegraphics[width=\textwidth]{fig_patch_interleave_scatter.pdf}
\caption{Trajectory of relative difference to reference specimens.}
\label{fig_covar_patch_attack_scatter}
\end{subfigure}
\hfill
\caption{Classifier performance under a patching attack that bridges a short gap within a mesh
trace using wire.}
\label{fig_covar_patch_attack}
\end{figure}
PCB tamper sensing meshes are susceptible to industry-standard PCB rework techniques. If we assume a standard PCB
process with \qty{100}{\micro\meter} trace/space design rules, a drilling attack targeting a \qty{300}{\micro\meter}
hole size requires cutting and patching at least one trace~\cite{immlerSecurePhysicalEnclosures2018}. We performed such
an attack on a set of \qty{300}{\micro\meter} pitch meshes. Figure\ \ref{fig_drill_mod_shape} shows our modification and
the resulting change in the time-domain response.
Figure~\ref{fig_covar_patch_attack} shows the classification result of this attack. To extract the subtle effect of this
attack, we measured two reference specimens, one control, and one experiment specimen twice: Once before the attack, and
once after. Measurements were interleaved and repeated 10 times. Factors such as temperature drift can be excluded by
comparing both control and experiment measurements against the two references before and after the modification.
Figure~\ref{fig_covar_patch_attack_baseline} shows the four samples before the attack, exhibiting the same subtle
PUF-like effect that we described in Section~\ref{sec-class-perf}. Since we peform both before and after measurements on
the same sample, we can separate this effect from the effect of the attack. Figure~\ref{fig_covar_patch_attack_direct}
compares both control and experiment samples before and after the attack, and shows a clear change in the experiment
sample during the attack. Figure~\ref{fig_covar_patch_attack_scatter} plots the similarity scores of both samples to
each of the two reference samples. We can see that the control distribution stays in one place, while the experiment
distribution shifts.
\begin{figure}
\centering
\begin{subfigure}{0.78\textwidth}
\centering
\includegraphics[width=\textwidth]{fig_drill_mod_shape_new.pdf}
\label{fig_drill_mod_shape_plot}
\end{subfigure}
\begin{subfigure}{0.2\textwidth}
\centering
\includegraphics[width=\textwidth]{pic_manip_microsoldering_new_small.jpg}
\vspace*{2mm}
\label{fig_drill_mod_shape_pic}
\end{subfigure}
\caption{The mesh response under a manipulation attack patching across a drill location for a
\qty{300}{\micro\meter} drill, as captured by the microcontroller's ADCs. The mesh pitch is
\qty{300}{\micro\meter}. B-spline smoothing was applied for readability.}
\label{fig_drill_mod_shape}
\end{figure}
Based on the above results, we peformed a larger-scale experiment using seven samples with patches applied compared
against baseline measurements taken before and after measuring the experiment samples. Each sample was measured ten
times, interleaved. Figure~\ref{fig_patch_large_scale} shows the results of this experiment, resulting in a FNR of
71.5\% at 0.1\% FPR. Since such patches only affect few data points along the reflection response, we included a variant
of our classifier that uses the maximum difference across all channels instead of the averaged Pearson Correlation
Coefficient to improve sensitivity to the subtle, localized effects of such patches. Using this classifier variant, FNR
improves to 51.1\%, detecting half of all attack attempts in a single measurement when fixing the false alarm rate at
0.1\%.
\begin{figure}
\centering
\begin{subfigure}{0.3\textwidth}
\centering
\includegraphics[width=\textwidth]{fig_covar_patch_repeat_p0.3.pdf}
\caption{Micro-soldering patching attack. FNR 71.5\% at 0.1\% FPR, CER=34\%.}
\label{fig_patch_large_scale_corr}
\end{subfigure}
\hspace*{5mm}
\begin{subfigure}{0.3\textwidth}
\centering
\includegraphics[width=\textwidth]{fig_covar_patch_repeat_p0.3_minmax.pdf}
\caption{\emph{maximum} classifier variant. FNR 51.1\% at 0.1\% FPR, CER=15\%.}
\label{fig_patch_large_scale_minmax}
\end{subfigure}
\caption{Classification performance in a larger-scale experiment using 10 measurements each of
7 samples with traces patched through micro-soldering.}
\label{fig_patch_large_scale}
\end{figure}
\subsubsection{Environmental susceptibility}
Figure~\ref{fig_env_effects} shows the results of a series of experiments evaluating the effect of environmental factors
such as handling or electromagnetic interference on our measurements. Figure~\ref{fig_env_effects_time} shows our
measurements exhibit little time drift (CER=60\%). Figure~\ref{fig_env_effects_touch} shows that touching the mesh is
easily detected (FNR=0\%), but the system is insensitive to touching other parts of the circuit. Our tamper-sensing mesh
uses a continous ground plane. In a practical application the mesh would be on the inside of the protected envelope,
with the ground plane on the outside, shielding it from touch.
As shown in Figure~\ref{fig_env_effects_heat}, heating the mesh distors its measurements (FNR=0.6\%, CER=0\%).
Figure~\ref{fig_tempco_time} shows the difference caused by heating the mesh to \qty{70}{\degree C} in the time domain.
This temperature dependence stems from the resistance of the mesh's copper traces increasing with temperature, and the
dielectric properties of the FR-4 PCB substrate changing. Both dielectric constant and dissipation factor of FR-4 change
with temperature~\cite{sagarStudiesTemperatureDependent2024, hinagaThermalEffectsPCB2010}. The increase in copper
resistance causes a shift of the response curve. An increase in the dielectric dissipation factor affects the slope of
the difference in Figure~\ref{fig_tempco_time} since pulse energy is dissipated more the longer the pulse travels
through the material. A change in dielectric constant moves the response's trailing edge in time, with the pulse
propagating slightly slower at high temperature.
Since these effects are consistent with physical predictions and only reach problematic levels at large temperature
differences, it would be possible to design a classifier that is insensitive to temperature effects. Furthermore, given
the predictable, physical nature of these effects, they could also be compensated before classification in the digital
domain based on a temperature measurement.
\begin{figure}
\begin{subfigure}[t]{0.25\textwidth}
\includegraphics[width=\textwidth,trim=0 5mm 0 5mm]{fig_covar_time_drift.pdf}
\caption{Time drift (2.5h). FNR 100\% at 0.1\% FPR, CER=60\%.}
\label{fig_env_effects_time}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.35\textwidth}
\includegraphics[width=\textwidth]{fig_covar_touch_combined.pdf}
\caption{Touch sensitivity. FNR 0.0\% at 0.1\% FPR, CER=0\%.}
\label{fig_env_effects_touch}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.25\textwidth}
\includegraphics[width=\textwidth,trim=0 5mm 0 5mm]{fig_covar_hot_mesh.pdf}
\caption{Mesh heated (\qty{70}{\degree C}). FNR 0.6\% at 0.1\% FPR, CER=0\%.}
\label{fig_env_effects_heat}
\end{subfigure}
\caption{Classification results of the same mesh under various environmental factors.}
\label{fig_env_effects}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=1.0\textwidth]{fig_tempco_edited.pdf}
\caption{The effect of heating on a time-domain trace. One of 12 channels shown. Gray: Raw data. Black: Relative
difference between hot and cool cases.}
\label{fig_tempco_time}
\end{figure}
Besides temperature, other environmental factors such as electromagnetic interference could theoretically also influence
our measurements. Although our system's equivalent-time sampling setup inherently cancels out EMI since it is not
synchronous to the sampling clock, the setup is unshielded so we verified its actual susceptibility in several
scenarios. Figure~\ref{fig_env_covar} shows the result of these measurement series. For comparison, we included several
measurements from Figure~\ref{fig_patch_large_scale}. From these figures, we can see that there are some environmental
effects, but these effects are small even when compared against a subtle attack like a patching attack with the
classification performance remaining approximately constant at 69.0\% FNR at 0.1\% FPR and a slightly reduced CER of
20\%.
\begin{figure}
\centering
% NOTE: not actually "tridelta" data, I'm just too lazy to rename these and fix up the notebook.
\includegraphics[width=0.6\textwidth]{fig_covar_patch_repeat_tridelta_all_the_data_p0.3.pdf}
\hspace*{2mm}
\caption{Classifier similarity scores of measurements in different environments, 10
measurements each. For scale, measurements from Figure~\ref{fig_patch_large_scale} are included on the
bottom/right. FNR 69.0\% at 0.1\% FPR, CER=20\%.}
\label{fig_env_covar}
\end{figure}
\subsection{Countermeasures}
As shown above, PCB security meshes can be manipulated through micro-soldering. Keeping the modifications as physically
small as possible, their impact on TDR response can potentially be kept below detection thresholds of our single-shot
baseline classifier. However, even with such a simple classifier, the entire attack would have to be carried out without
raising an alarm, e.g. by touching the mesh or contacting a trace with the soldering iron. Soldering would have to be
done using a minimal amount of solder as well as a bespoke, insulated soldering iron tip. While manufacturing such a
tool out of a material like sintered ceramic is conceivable, to our knowledge, no such tool exists on the market.
Furthermore, the actual drilling would have to happen with a dielectric drill bit, placing special attention on
evacuating conductive copper chips before they can create short circuits to nearby traces. Again, it is conceivable that
such a tool could be manufactured, but to our knowledge, such a tool is not currently available as a standard component
on the market.
Finally, any probes penetrating the mesh would have to be placed such that their presence in the vicinity of the mesh
traces does not disturb the TDR response. Modifications would have to be carried out with great care, likely using
micromanipulators or similar specialized equipment.
The PCI PTS HSM DTR standard~\cite{pcisecuritystandardscouncilPaymentCardIndustry2021} contains a useful framework for
thinking about attacker capabilities. Applying their taxonomy, our monitoring system raises the skill level required for
a patching attack from a \emph{skilled} attacker to an \emph{expert} attacker, and the equipment requirement from
\emph{standard} equipment to \emph{bespoke} equipment.
% fig_covar_short_within_0.3.pdf % FIXME repeat these runs, we have conflicting data. Do runs in both .3 and .4, .4
% seems to work better.
% FIXME peer review only, for major revision @ TCHES
\section{Future Work}
%\paragraph{Design variants.} We found that the timing jitter of our sampling frontend is low enough to reach the
%\qty{184}{\pico\second} resolution limit of the \partno{STM32G4} \partno{HRTIM} peripheral. In our prototype, we
%implemented a -- so far unused -- adjustable power supply for the \partno{74LVC} series buffer in between the
%\partno{HRTIM} outputs and the pulse amplifier. By adjusting this buffer's power supply through one of the
%microcontroller's digital-to-analog converter (DAC) channels, we expect that it should be possible to exploit the supply
%voltage dependency of the propagation delay of \partno{74LVC} series CMOS logic to create a digitally controllable delay
%with picosecond resolution.
%\paragraph{Non-sequential sampling.} Not all parts of the reflected signal are equally sensitive to tampering atttempts.
%For instance, the reflection's trailing edge corresponds contains information on both the length of the mesh and on its
%attenuation. Instead of recording the response waveform in a linear scan, in a practical application, more relevant
%parts of the response such as this trailing edge could be scanned at a higher rate than other, less relevant parts.
%Similarly, fast scans at a coarse time resolution could be interleaved with slow scans at a finer time resolution to
%detect large changes more quickly.
\paragraph{Advanced attack classification.} While we proposed a simple baseline classifier, there is a large parameter
space for more advanced designs. For instance, a classifier could apply machine learning techniques to adapt to the
response of a particular mesh, learn its benigh behavior under temperature changes, and dynamically schedule sample
timing to focus attention on the parts of the response signal that are most susceptible to attacks. Moving from a
single-shot classifier that only observes measurements in isolation to a more advanced approach that considers the full
history of measurements during the mesh's lifetime would also likely improve performance.
\paragraph{Auxiliary applications.} The low-cost, embedded TDR frontend presented in this paper could be used for other
monitoring tasks from tamper sensing to system health monitoring. For instance,
\textcite{vaiSecureArchitectureEmbedded2015} propose checking the integrity of a PCBA using an external Vector Network
Analyzer (VNA) attached to test points on the PCBA's Power Distribution Network (PDN). TDR can produce fingerprints
similar to a VNA and it would be interesting to measure parts of the secure subsystem other than its security mesh using
our TDR frontend.
\paragraph{Characterization of PUF-like effects.} In Section~\ref{sec-class-perf}, we have described a PUF-like effect,
where our classifier was able to distinguish supposedly identical copies of the same mesh. It would be interesting to
precisely characterize this effect and its dependence on factors such as the chosen PCB manufacturer, and to quantify if
it indeed rises to the level of a PUF in entropy and repeatability.
\section{Conclusion}
In this paper, we presented a design for a low-cost frontend for integrity monitoring of security meshes in applications
such as HSMs based on the principles of sub-nanosecond Time Domain Reflectometry. Our design repurposes an inexpensive
HDMI redriver IC and uses a microwave clip line to form fast pulses for TDR sampling. Our design creates a detailed
fingerprint of the intact mesh's condition that not only captures the length of the mesh's traces but that can
distinguish copies of the same mesh.
We have demonstrated our prototype circuit's capability to reliably detect and distinguish a wide range of practical
attacks with no classification erros in most attack classes, and a worst-case FNR of $71.5\%$ at $0.1\%$ FPR when
detecting tiny, micro-soldered patch wires.
Compared to the state of the art, our approach enables the monitoring of larger meshes, at higher sensitivity and lower
cost. Our is easy to replicate, does not require any specialized or custom components, and unlocks high-security
applications for security meshes made using low-cost, standard PCB manufacturing processes.
\section*{Availability}
This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository with the
LaTeX source for this paper, all hardware design files, and firmware and analysis source code can be found at:
\center{Note: URL elided for peer review. Source code and design files have been uploaded as supplementary material. A
link to the raw data has been provided to the Editors-In-Chief as this was a larger file.}
% \center{\url{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git}}
\FloatBarrier
\printbibliography[heading=bibintoc]
\end{document}
Reference in a new issue View git blame Copy permalink