Oct 11, 2002 - tems have mobile, wireless nodes, in addition to server nodes. *Faculty of ... 2 Applications. Recent years have seen a tremendous increase in the sales of .... dedicated to the physical aspects of the devices. CMU and.
Design Rationale for Secure Probe Storage based on Patterned Magnetic Media Leon Abelmann
Jordan Chong
Pieter Hartel
Cock Lodder ∗
October 11, 2002
Abstract
kept behind closed doors. To provide secure storage and in particular secure audit logs in a mostly open system is a challenge.
We describe the design rationale for a hardware tamper resistant secure storage system based on probe storage with a patterned magnetic medium. This medium supports normal read/write operations by magnetising individual dots perpendicular to the media plane. We report on an experiment to show that in principle the medium also supports a separate class of read/write-once operations by allowing individual dots in the media to be destroyed irreversibly by precise local heating. Security stems from the fact that bulk-erase is not possible.
Schneier and Kelsey [20] have devised a set of protocols that offer software protection of audit logs, in the sense that tampering with log entries generated before the intrusion is detectable. The attacker is also unable to read the log entries already generated. The protocols are in essence based on linear hash chains [12], and require a trusted host to support a vulnerable client. In our own work we have extended Schneier and Kelseys protocols by using a smart card at the vulnerable client side to strengthen the security of the protocols [6]. However, the protocols remain complex, and the security offered is limited. In particular, cryptographic protocols are unable to prevent tampering with log entries. Schneier and Kelsey state that the deletion of log entries cannot be prevented by using cryptographic methods, but only by using write-only hardware such as CD-ROM, or paper printout, i.e. to turn logical logs into physical logs [20].
1 Introduction Security is never perfect. A good system therefore combines measures to protect information with measures to detect when an intrusion has taken place. To achieve this, it is crucial to be able to record a log of events throughout the life time of a secure system, so that the log can be analysed, so that inferences can be drawn from the log about what has happened, and ultimately so that the log can be used as evidence in court cases. Requirement 4 from the Orange Book [16] clearly states:
Secure audit logging would benefit greatly from hardware protection, especially write once media. These are available in many shapes and sizes, ranging from optical write once disks, to semi conductor bases write-once memory [18]. The security of a log written to a write once medium in essence depends on the destructive nature of the write operation. Once fuses are blown, or holes are burned, there is no way of repairing the damage such that a skilled forensics laboratory could not detect evidence of tampering. We believe that in the range of devices on offer, a particularly useful alternative is missing: the “write once hard disk”. This paper describes the design rationale for such a device using the probe storage technology that we are currently developing in Twente. Probe storage technology promises to deliver high capacity storage devices, while being able to adapt the energy requirements to the bandwidth. This makes probe storage device ideally suited for use in mobile, battery power devices.
Accountability - Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party. A trusted system must be able to record the occurrences of security-relevant events in an audit log. [. . .] Audit data must be protected from modification and unauthorized destruction to permit detection and afterthe-fact investigations of security violations. In the past, reasonably secure storage could be provided by a computer, not connected to any outside networks, and kept behind closed doors. However, even then security was not perfect because of the threat of the three Bs: Blackmail, Burglary and Bribery [2]. The isolated mainframe paradigm has long ceased to be applicable: virtually all modern information systems have mobile, wireless nodes, in addition to server nodes
The paper is organised as follows. Section 2 describes typical applications of a secure probe storage device. A brief introduction into probe storage and the results of our experiment are given in Section 3. Related work is discussed in section 4. The design rationale is given in Section 5. The last section concludes.
∗ Faculty of Electrical Engineering, Mathematics and Computer Science, Univ. of Twente, P.O. Box 217, 7500 AE Enschede, The Netherlands, email {abelmann, lodder}@el.utwente.nl, {chong, pieter}@cs.utwente.nl
1
2 Applications
3 Probe storage
Recent years have seen a tremendous increase in the sales of hand-held, battery-powered devices, such as handheld computers, digital photo-cameras, mobile phones etc. In 2002, worldwide mobile phone sales are predicted to top 400 Million (mid-year sales have already exceeded 200 Million), and Gartner group predicts PDA sales to be around 15 Million. Most people are happy with the new applications of these devices in every day life, but many also complain about short battery life and lack of (secure) storage capacity. With the arrival of high bandwidth wireless internet access, such as UMTS, and ubiquitous wireless LANs, power consumption and secure storage will become even more critical. Security will become more and more important as people will rely increasingly on their hand held devices to store private data. For example when shopping the receipts of every sale could be stored securely on the handheld device. The number of transactions is likely to increase much beyond what we experience now. For example consider a road pricing scheme, where we pay for every mile travelled, and where prices are based on traffic density and road conditions. Charging by the mile might provide road users with a financial incentive to avoid areas of congestion, and thus to make better use of an expensive infrastructure. In any case, all transactions should be stored securely, so that any dispute can ultimately be resolved in a court of law. Probe recording system will enjoy a lower entry price than hard disk. The reason is that while the price per bit of a hard disk is low, and keeps dropping as the storage density increases, the manufacturing price of the hard-disk unit itself remains constant. The manufacturing cost of probe recording systems is primarily determined by the wafer cost. Since the storage density is not determined by the line width of the technologyused, older lithography processes will be sufficient to produce the devices. This decreases the wafer cost to values that might make it possible to realize relatively low capacity mass storage for prices considerably less than for hard disk drives. Of course the capacity will be lower, but for certain applications the huge hard disk capacity is simply overkill. A good example is the storage modules now available for digital cameras, where there is a choice between a 2 MByte Sandisk CompactFlash card for 23 US$, or the IBM 1 GByte microdrive for 250 US$. A probe recording module of 100 MByte for 100$ could fill the gap between the two. The video rental industry is currently replacing tapes by DVDs. They are both inexpensive but they have to be treated with care, and copy control is virtually impossible to implement reliably [6]. Probe storage chips in some appropriate form factor (like the memory stick) might replace the DVD. With appropriate tamper resistant mounting and packaging (as for smart cards) it will be possible to implement sophisticated, reliable copy control. In the US alone 0.5 Billion videos are rented out every year, thus indicating a considerable business opportunity for new storage technologies for rented videos.
The Twente Micro Scanning Probe Array Memory (µSPAM) (Figure 1) is made out of two or more silicon wafers bonded to each other. One half contains the (magnetic) media (see Section 3.1). A µWalker (described in Section 3.2) is used to move the medium. The other half consists of one large array of probes. One probe can read with a speed of 10 Kbits per second. The number of probes has to be high enough to get sufficient bandwidth. See section 3.3 for more information about the probes. Section 3.4 describes an experiment to measure the temperature that must be achieved to destroy the isotropy of the magnetic medium, i.e. the write-once operation.
500 nm Figure 2: MFM image of the patterned medium.
3.1 The medium The medium for the µSPAM is a regular matrix of magnetic single domain dots. One dot represents one bit. A dot can be magnetized perpendicular to the media plane. Such a discrete medium has several advantages over the continuous media used in the hard disk today. First of all it is expected that a discrete medium will suffer less from thermal instabilities, which eventually will allow much higher bit densities. However, more important is the ability of tracking at extremely high bit densities. Also a single domain dot enables an easier writing process. We have already shown before that a matrix with a period of 200 nm can be achieved [10]. A MFM image is shown in Figure 2. We are currently aiming at a period of 100 nm, being 50 nm dot size and 50 nm spacing. This will give a capacity of 10 Gbit/cm2 (=65 Gbit/inch2 ).
3.2 The µWalker Recently, at the Twente Micromechanical Transducers Group a µWalker, has been developed [22]. The µWalker is a MEMS device, with a size of 200 × 200µm, which is able to generate a stepwise motion over a surface with electrodes. Currently, 2
Figure 1: µSPAM principle.
the µWalker is being adapted to carry a medium. The design is also being changed to increase the positioning accuracy, speed and acceleration. Also, the µWalker should be able to walk in two directions.
90 80 70
3
K [kJ/m ]
60
3.3 The probes For reading, the MFM (Magnetic Force Microscopy)-principle has been chosen [17]. An MFM-probe is made by placing a small magnetic element, the tip, on a cantilever spring. Typical dimensions are a cantilever length of 200 µm, element length of 4 µm and diameter of 50 nm and a distance from the surface of 30 nm. READ
40 30 20 10 0 0
100
200
300 400 500 o Annealing temperature [ C]
600
700
Figure 4: Anisotropy as a function of the annealing temperature
WRITE Tip external field
cantilever
50
tip plane
Patterned magnetic medium
dependence of the K value as a function of the annealing temperature. The K value is 80 kJ/m3 without annealing. This value is maintained up to an annealing temperature of 500 ◦ C. After Figure 3 shows the principle of an MFM-measurement. The 600 ◦ C the value of K drops. This means that after an annealing magnetic tip is attracted or repelled, depending on the stray treatment at a temperature higher than 600 ◦ C, the sample is field of the medium. The tip is affected by the magnetic orien- not any more useful for perpendicular recording. tation of a dot. The displacement might be measured by means Two samples were evaluated by low angle XRD, (a) a samof the change in capacity between the cantilever and the medi- ple without any annealing and (b) a sample annealed at 700 um. ◦ C. A peak around 8 degrees on the 2 θ axis is visible on the sample without annealing. This peak is due to the periodicity of the Co-Ni and Pt multilayers (each layer has a thickness of 6 3.4 Change in anisotropy by annealing Angstrom). In the annealed sample, this peak cannot be found. We have conducted an experiment where the K (anisotropy This suggests that the multilayered-structure (which induces constant) values of six different samples were calculated by perpendicular anisotropy) was destroyed due to the annealing. a Fourier transformation of the torque curve obtained with an The two samples that were used for the low-angle XRD were applied field of 1350kA/m. The graph of Figure 4 shows the also used for the high-angle-XRD measurements. In the anFigure 3: The principle of an MFM-measurement
3
nealed sample, we can find a strong reflection peak around 41.7 degrees in 2 θ axis. This peak can be characterized to a fct Co-Pt (111) plane [24]. It suggests that a new crystalline structure of fct Co-Pt was formed in the film. This crystal exhibits magnetic anisotropy in the [001] direction, i.e. there are tilted magnetic easy axes in the film (not perpendicular, not in plane). Thus, we can conclude that the annealed film does not have perpendicular uni-axial anisotropy.
4 Related Work During the last six years, several recording systems based on probe microscopy technology have been proposed. The most advanced is the IBM Millipede project [23], in which over 1000 probes are used to read and write nanometre sized holes in a thin polymer film. The IBM lead is followed by other companies such as HP (phase change recording, www.hpl.hp.com/research/ storage.html#ATOMIC), Samsung, Seagate (magnetic storage), Hitachi (www.technologyreview.com/ articles/wo leo061102.asp) and universities (Carnegie Mellon[3] and Twente[3, 1], both on magnetic probe storage). These companies and universities have recently organised a Probe recording workshop in Twente (See www.el.utwente.nl/smi/connexions/), with a follow-up at CMU in Pittsburgh (See www.ece.cmu.edu/research/chips). One of the conclusions from the workshop is that we expect the first probe recording systems to enter the market within 3-5 years. World wide only groups from IBM [23], HP [11, 15, 13], CMU [5, 8, 9, 7, 4, 19], and UC Santa Cruz [14, 21] publish work on computer systems with probe storage. Most effort is dedicated to the physical aspects of the devices. CMU and UC Santa Cruz are also working on the levels above the device physics, specifically the system level, but not the application level. To the best of our knowledge no work has been reported on secure probe storage.
Figure 5: X-ray diffraction under a low angle of two samples, one with and one without annealing.
5 Design rationale In the normal mode of operation we have a medium with a regular matrix of magnetic single domain dots. The preferred axis of magnetisation of the dots is perpendicular to the medium. The dots consist of a multilayered structure of ultra thin CoNi alloy and Pt layers. By heating an individual dot by means of an electric current from the probe, this multilayer structure is destroyed and as a result the preferred axis of magnetisation rotates into the medium. This is an irreversible process, thus forming the basis for a write-once operation. The corresponding in-plane read operation would detect the presence or absence of a magnetised dot. While conceptually simple, the
Figure 6: X-ray diffraction under a high angle of the same two samples as for low angle XRD.
4
To simplify the implementations, the interface to the µSPAM will divide the tracks into two categories: one for normal read/write operations and one for read/write-once operations.
judicious mix of the two classes of read/write operations will require a significant amount of further research.
5.1 Heating and cooling We have shown that a dot must be heated to around 600 ◦ C to become isotropic. Further research is needed to determine the amount of energy dissipated. In any case, the energy must be conducted off the medium for it not to bend or warp, and to avoid increasing the error rate of the perpendicular read processes due to thermal noise. Fortunately using the write-once operation sparingly is consistent with intended use of the writeonce facility of the applications: e.g. the storage system might be serving an MP3 for 3 minutes, then it might be recording the fact that the MP3 has been served.
5.5 Tampering and forensics Regardless of the efforts put into securing a storage device, we should be prepared that tampering will occur. However, we expect tampering to be inherently more difficult as MEMS devices are packaged in a manner that is more resistant against tampering than disk drives.
6 Conclusions
5.2 Layout and tracking
Probe storage based on patterned magnetic media is a promising technology for developing secure storage devices. The capacity of such devices would be huge, the energy requirements would be low, and the tamper resistance would be good. The experiment reported in this paper demonstrates that in principle it will be possible to use a patterned magnetic media in two essentially different ways: for normal read-write purposes and for write-once/read purposes. Security stems from the fact that bulk-erase is not possible. Much work remains to be done at all levels of the architecture of secure probe storage devices, ranging from device physics to applications development.
Even on a patterned medium tracking information is required to guide the reading and writing processes. Dedicated tracks guide the µWalker for basic positioning of the tips. Fine positioning in the Z direction is taken care of by a local control loop. Further research is necessary to determine whether fine positioning in X-Y direction will be necessary. Should this be the case, the presence of magnetic dots will be useful, as the fine positioning circuitry can use a local control loop to optimise the perpendicular read and write signals. During the write-one operation, the same fine positioning can be used. Further research is needed to determine how to achieve fine positioning of the in-plane read operation.
Acknowledgements
5.3 Data and control channels
We thank Rogelio Murillo, Sebastiaan Konings, and T. Onoue for their help with the measuerements. Gijs Krijnen of the Transducer Science and Technology Group has provide valuable insights into the working of the µWalker.
The data channel contains read/write amplifiers, signal processing electronics and error correction circuitry. A typical probe storage device will probably have more read/write heads than data channels, thus requiring a flexible organisation of the data channels. The device control system manages the mechanics of the storage device. A flexible control is needed for example to adapt the number of tips and the movement of the media sled to the desired performance of the system.
References [1] L. Abelmann, Th. Bolhuis, and C. Lodder. Large capacity probe recording using storage robots. In Proceedings of the 2002 IEEE International Magnetics Conference, page 189, 2002.
5.4 Interfacing Regular disks offer a block read and write interface, which is appropriate for perpendicular read and write operations. However, this interface might not be appropriate for in-plane read/write operations as these are intended to support secure logging. It will be particularly important to prevent the same block from being written more than once using a write once operation, because this would destroy evidence of some transaction previously written. We intend to achieve this by checking a track for any de-magnetised dots before attempting another write-once operation on a track. Further research is needed to ensure that the checking process errs on the side of caution.
[2] R. J. Anderson. Security Engineering: A guide to building dependable distributed systems. John Wiley & Sons Inc, New York, 2001. [3] L. R. Carley, J. A. Bain, G. K. Fedder, D. W. Greve, D. F. Guillou, M. S. C. Lu, T. Mukherjee, S. Santhanam, L. Abelmann, and S. Min. Single-Chip computers with microelectromechanical Systems-Based magnetic memory (invited). Journal of Applied Physics, 87(9):6680–6685, May 2000. 5
[4] L. R. Carley, G. R. Ganger, D. F. Guillou, and D. Nagle. System design considerations for MEMS-actuated magnetic-probe-based mass storage. IEEE Transactions on Magnetics, 37(2 Part 1):657–662, Mar 2001.
[15] C. Morehouse. Beyond magnetic recording – will it be probe-based storage? In IIST Lake Arrowhead Workshop XVI, Session III, Lake Arrowhead Conf. Center, Oct 2000. The Institute for Information Storage Technology, Santa Clara Univ.
[5] L. R. Carley, G. R. Ganger, and D. F. Nagle. MEMSbased integrated-circuit mass-storage systems. Communications ACM, 43(11):72–80, Nov 2000.
[16] NCSC. Trusted Computer System Evaluation Criteria (Orange Book). U. S. Dept. of Defense, National Computer Security Center, Dec 1985.
[6] C. N. Chong, Z. Peng, and P. H. Hartel. Secure audit logging with tamper resistant hardware. Technical re- [17] S. Porthun, L. Abelmann, and C. Lodder. Magnetic force port TR-CTIT-02-29, Centre for Telematics and Informamicroscopy of thin film media for high density magnetic tion Technology, Univ. of Twente, The Netherlands, Aug recording. Journal of Magnetims and Magnetic Materi2002. als, 182(1-2):238–273, 1998. [7] J. L. Griffin, J. Schindler, S. W. Schlosser, J. S. Bucy, and G. R. Ganger. Timing-accurate storage emulation. In Conf. on File and Storage Technologies (FAST), pages 75–88, Monterey, California, Jan 2002. Usenix Association, Berkely, California.
[18] J. L. Sandvos and K. D. Alton. Write-once read-many memory using EEPROM cells. US Patent 5553019, United States Patent and Trademark Office, Sep 1996. [19] S. W. Schlosser, J. L. Griffin, D. F. Nagle, and G. R. Ganger. Designing computer systems with MEMSbased storage. In 9th Int. Conf. on Architectural Support for Programming Languages and Operating Systems (ASPLOS-IX), pages 1–12, Cambridge, Massachusetts, Nov 2000. ACM Press, New York.
[8] J. L. Griffin, S. W. Schlosser, G. R. Ganger, and D. F. Nagle. Modeling and performance of MEMS-based storage devices. In Int. Conf. on Measurements and Modeling of Computer Systems (SIGMETRICS), pages 56–65, Santa Clara, California, Jun 2000. ACM Press, New York.
[20] B. Schneier and J. Kelsey. Cryptographic Support for Secure Logs on Untrusted Machines, volume 7th USENIX Security Symp. USENIX Press, Jan 1998.
[9] J. L. Griffin, S. W. Schlosser, G. R. Ganger, and D. F. Nagle. Operating system management of MEMS-based storage devices. In 4th Symp. on Operating Systems Design & Implementation (OSDI), pages 227–242, San Diego, California, Oct 2000. Usenix Association, Berkely, California.
[21] M. Sivan-Zimet and T. M. Madhyastha. Workload based optimization of probe-based storage. In Joint Int. Conf. on Measurement and Modeling of Computer Systems, pages 256–257, Marina Del Rey, California, 2002. ACM Press, New York.
[10] M. A. M. Haast, I. R. Heskamp, L. Abelmann, J. C. Lodder, and Th. J. A. Popma. Magnetic characterization of large area arrays of single and multi domain coni/pt multilayer dots. Journal of Magnetism and Magnetic Materials, 193:511–514, 1999.
[22] N.R. Tas, J. Wissink, A.F.M. Sander, T.S.J. Lammerink, and M.C. Elwenspoek. Modeling, design and testing of the electrostatic shuffle motor. Sensors and actuators A (Physical), 70:171–178, 1998.
[11] S. Hoen, P. Merchant, G. Koke, and J. Williams. Electrostatic surface drives: theoretical considerations and fabrication. In Int. Conf. on Solid State Sensors and Actuators (TRANSDUCERS), volume 1, pages 41–44, Chicago, Illinois, Jun 1997. IEEE Computer Society Press, Los Alamitos, California.
[23] P. Vettiger, M. Despont, U. Drechsler, U. D¨urig, W. H¨aberle, M. I. Lutwyche, H. E. Rothuizen, R. Stutz, R. Widmer, and G. K. Binnig. The ’millipede’ – more than one thousand tips for future AFM data storage. IBM Journal of Research and Development, 44(3):323–340, 2000.
[12] L. Lamport. Password authentication with insecure communication. Communications of the ACM, 24(11):770– [24] H. Zeng, M. L. Yang, N. Powers, and D. J. Sellmyer. 772, Nov 1981. Orientation-controlled nonepitaxial L1o CoPt and FePt films. Applied Physics Letters, 80:2350–2352, 2002. [13] A. Leo. The Thousand-Leg race. MIT Technology Review, Jun 2002. [14] T. M. Madhyastha and K. P. Yang. Physical modeling of Probe-Based storage. In 18th IEEE Symp. on Mass Storage Systems, pages 207–224, San Diego, California, Apr 2001. IEEE Computer Society Press, Los Alamitos, California. 6
