Tamper proof hardware - not resistant

Question

Can you make a TPM (or any piece of hardware) Completely tamper-proof? The “regular” tamper resistant hardware has various physical attacks http://www.milinda-perera.com/pdf/EKKLP12a.pdf

I have been told that conducting-, air-tight-, pressurised- and gas containing metal boxes with sensor triggered explosives(or any other TPM killing function) could counter all known attacks. However I have not been able to find such proofs(article or experiment).

Edit - It might be named "Tamper respondant hardware", however I can only seem to find patterns for this search term.

Even if it was not susceptible to known attacks, that's a far cry from being "tamper proof". Physical security is an arms race, and most likely will never be anything else. Given enough time and effort, physical security will most likely always be defeat-able. What you're asking for is a higher level of tamper resistance. Perhaps I'm splitting linguistic hairs, but IMHO this is one of those facts of life that is easy to hide behind terminology, and thus it pays to remind oneself periodically. — stochastic, Dec 21 '14 at 19:43
Old engineer's rule, "It is impossible to make anything foolproof because fools are so ingenious." Or to put it another way stated by a former boss, "I find his incompetence truly amazing, he's the only person I've ever seen break a ball bearing with a broomstick." — Fiasco Labs, Feb 20 '15 at 23:14

score 2 · Answer 1 · edited Dec 22 '14 at 21:37

2

The only thing I can think of that might be considered tamper-proof is a memory cell (SD-RAM or alike) with a "reset when line break" lock (triggered by resistance change and line break) that is contained in a liquid like phosphor, which is contained in a liquid oxidizer (a.k.a. instant flash when opened with thermal reaction preventing "cold save" of the memory data). The point is why would you want something that is "tamper-proof"... better not store the data at all if you're that concerned with people tampering with your system.

edited Dec 22 '14 at 21:37

thunderblaster

317
2
10

answered Dec 22 '14 at 12:57

LvB

8,217
1
26
43

This may be possible to bypass by using radiation which can cause certain types of RAM to freeze, and this would not trigger any chemical explosives but would completely disable any electronics. – forest Mar 12 '18 at 12:27
that is dependent on how you design this logic. if you make it so that the circuit wans to destroy it self all the time except due to the "safety" mechanism that prevents it. Than you would need a very focused ionization beam to target the logic that does this and destroy it in a specific way. If the IC is using 3d-Logographics to make this logic and the "safety" logic is behind the "trip" logic the IC would probably still be destroyed first. This is by no means a guarantee but guarantees do not exist in this field, only probability. – LvB Mar 13 '18 at 15:10
IT is also possible to make a trigger that is sensitive to ionizing radiation. (e.a. to much radiation will also trigger the fail-safe) . – LvB Mar 13 '18 at 15:11
Well that's the thing. A burst of X-rays can freeze CMOS memory in place. You can't trust any logic when the entire system can zapped at the same time. You'd probably need to use radiation-hardened "rugged" processors. They tend to be pretty expensive though. – forest Mar 14 '18 at 03:12
there are more type of memory circuits than just CMOS (which is indeed vulnerable to x-ray) you could even use a FPGA "memory" to hold the data. an X-ray blast would than "destroy" the whole FPGA setup (to an unknown state), making the data impossible to read. (most likely, the percise response is not possible to predict by me) Temper resistant memory cells are usally not made from CMOS but through other means. – LvB Mar 14 '18 at 20:47
Sure, but my point was that it's not possible to have tamper-_proof_ hardware, even if you can have highly tamper-_resistant_ hardware. – forest Mar 14 '18 at 23:09
1

temper proof is only true in specific use cases and against specific threats. it is not universally temper proof. It is possible to make a piece of hardware that is tamper proof in the practical sense. (e.a. you need a specific set of conditions for it not to have its mechanism trigger when it should). the cost increase with each step you take. but if funds are not a factor you could design such a piece of hardware. This also hinges on your definition of temporing, e.a. your ionizing radiation blast could be considered destroying and not temporing. – LvB Mar 15 '18 at 09:36

score 1 · Answer 2 · answered Dec 22 '14 at 11:52

I don't think you will discover that kind of thing via Google as you have moved into the realm of the security services.

Certainly, I'm sure that someone is using that kind of tamper evident hardware somewhere though it is pretty extreme!

Of course, being electronics, there are other potential risks that would not require physical tampering in order to get some information out - a lot can be discovered from remote scanning with various types of scan and that would not require physical tampering.

On the other hand, anyone with full access to your hardware and the need to get through extreme protection is likely to not care too much about being obvious and would probably, in any case, get what they wanted by asking you some "polite" questions (ref. recent CIA report on interrogation techniques).

score 1 · Answer 3 · answered Feb 20 '15 at 23:28

I don't think it is useful to think of absolutes here. Tamper proofing is something that is done in degrees. What is more useful is to think of the level of tampering that is possible, and the level of determination a user needs to show in order to reverse engineer your product. Is the tamper proofing supposed to stop against grade school kids, industrial spies, or nation states? The methods differ accordingly.

For instance, consider the simple blob. A gooey blob of plastic that sits atop ICs to help prevent identification and tampering. The blob will definitely keep an uniformed attacker, who is not very persistent at bay. He may even destroy a few ICs trying to deblob them. However, a reverse engineer supported by a company, or with sufficient spare time and expertise can remove it. Someone working for a nation state may have a custom tool for the job.

Likewise, an exploding box is certainly not going to be a popular home product, though it is supposedly tamper resistant. People manage to tamper with land mines you know? As others have said, this is an arms race.

People have even had good luck pulling ICs out of their packages and getting information that way. If your product has sensitive info in it, expect it to get x-rayed too, so add "lead box" to the parts list.

If you have infinite time and money, just make things as expensive as you can for the attacker. In that case, only the truly dedicated will try. There are no absolute guarantees.

Except:

One little asterisk to my opinion on this is that complexity in microelectronics is itself a hurdle to tempering with them on a finite level. As in, no, you will most likely not be able to physically tamper with the individual transistors of an Intel CPU (I mean with a physical implement, not be interacting with them electronically of course), nor will you be able to trivially reverse engineer them. There are equipment, and logistics hurdles, and the understanding of chips like that on a fine grain level is very complex.

Tamper proof hardware - not resistant

3 Answers3