Security offense and defense strategies: Video-game consoles architecture under microscope
Ryad BENADJILA, Mathieu RENARD
July 2016
Outline: Introduction | Playstation | Xbox | Xbox 360 | Playstation 3 | Playstation 4 | Conclusion
Introduction: Context | Objectives | Disclaimer
Context
Gaming consoles:
- Technology showcases regarding security
Video game industry actors are spending a lot of money:
- Fighting against counterfeiting and piracy
- Keeping control of their platform (software and hardware)
1/70 Game consoles security July 2016
Objectives
Highlight security best and worst practices
Security features of iconic gaming consoles:
- Playstation 1: birth of modchips
- Xbox: some security concepts are introduced
- Xbox 360 and PS3: advanced security features are used
New generation consoles:
- Playstation 4
Warning!
This talk discusses jailbreak techniques with purely defensive aims in mind. ANSSI encourages publishers to systematically correct any identified vulnerabilities in the shortest possible time. Users are invited to apply security updates as soon as possible.
Choose your player: PS1
Playstation 1: Introduction | Attacks | Conclusion
Playstation 1
Produced by Sony Computer Entertainment in 1994
Mass hacking starting in 1995
Playstation 1: lack of security by design
Processor: custom MIPS R3000
- No MMU
- Other processors of the family, like the RS3000E, have an MMU
In 1995, Sony does not care about security
The priority is to implement DRM features
Playstation 1: regional zoning
Games and consoles are specified for only one region
Regional code information is stored:
- In the console BIOS
- On the Lead-IN track of the CD-ROM
The stored information is a string of the form SCEx:
- A for America (SCEA)
- E for Europe (SCEE)
- I for Japan (SCEI)
Regional information is stored using the wobble groove DRM
- Prevents perfect game clones
Playstation 1: wobble groove
[Figure: CD layout. Only the Lead-IN area carries wobble data, encoding the SCEx string; the Data area and the Lead-OUT area carry no wobble data.]
Playstation 1: attacks
Lack of security features
Aim: bypass DRM features
[Timeline 1994-2000: PS1 SCPH-1000; Action Replay, game hacking (hardware attack); modchips, game hacking (hardware attack); PS1 SCPH-9000; PS1 SCPH-100]
Playstation 1: architecture
[Figure: block diagram. CPU (labelled RS3000) with 4 Mbit DRAM and boot ROM; GPU with SG-RAM driving the video output (RGB encoder, multiout); CD-ROM controller with the CD-RF driver; audio DAC; two controller and memory card ports; serial I/O; parallel I/O (only before SCPH-900x).]
Playstation 1: architecture & Action Replay
[Figure: the same block diagram with two /OE (output enable) signals highlighted, showing where the Action Replay cartridge on the parallel I/O port hooks into the bus.]
Playstation 1: wobble groove architecture
[Figure: the CD-ROM reader (laser, lens, photoelectric cell, cart) feeds the CD-ROM controller with the data stream and the tracking signal; the tracking error signal carries the wobble groove, from which the controller recovers the regional string (SCEE) before handing the data to the CPU.]
Playstation 1: modchips origins
[Figure: the same diagram with a modchip emulating the wobble groove signal (SCEx) towards the CD-ROM controller, which is how the regional check gets bypassed.]
Playstation 1: conclusion
No security features
DRM bypassed
Birth of the concept of modchips as mass hacking tools
Explosion of the game hacking market
Choose your player: Xbox
Xbox: Introduction | Architecture | Security features | Attacks | Conclusion
Xbox
Launched in the USA in 2001
Architecture similar to a standard PC
Windows 2000 kernel (stripped)
Embeds some security features
- All bypassed by the Xbox hacking community
Xbox: architecture
[Figure: block diagram. The CPU talks to the Northbridge over a 64-bit, 133 MHz bus; the NV2A GPU and 64 MB of SDRAM (128-bit DDR, 200 MHz) hang off the Northbridge. An 8-bit HyperTransport link at 200 MHz connects the Northbridge to the MCPX Southbridge, which embeds the secret boot ROM and serves USB, Ethernet, the audio codec, the SMC and EEPROM (SMBus/I2C), the locked HDD and the LPC extension. The Flash ROM (initialisation table, bootloader, kernel, ...) sits on the legacy bus (< 10 MHz).]
Xbox: security
Signed executable binaries (XBE)
HDD access restricted
- Using ATA Security features
Secure boot chain
Xbox: bootROM and root of trust
Attempt to create a custom root of trust
- Bootloader code is burned in the MCPX (Southbridge)
- Storing a custom memory zone in a component is very expensive
- BootROM code limited to 512 bytes
Problem: the DDR training code size is > 1 KB
Solution: adding an external flash memory (NAND)
- Problem: this increases the attack surface
- Solution: encrypt the NAND content
- Only some parts of the NAND are effectively encrypted
Xbox: secure boot process
[Figure: animated timeline from "starting the console" (t1) to "launching game" (t4). The MCPX secret boot ROM and the Flash ROM overlay at the reset vector 0xFFFF_FFF0. (1) The MCPX ROM code executes first; (2) its Xcode interpreter runs the Xcode bytecode stored in the Flash ROM; (3) the RC4 key held in the MCPX ROM decrypts the 2BL (bootloader), stored RC4-encrypted in Flash; (4) the 2BL is verified and executed, and in turn decrypts the RC4-encrypted kernel; (5) the kernel verifies the signature of the game before launching it.]
Xbox: attacks
Basic security features:
- Secure boot with chain of trust
- Code signing
- DRM
Attackers' goals:
- Gain full control of the platform
- Break the secure boot chain
[Timeline 2001-2006: Xbox 1.0 (2001); Flash dump; boot ROM dump; Visor backdoor; modchips; T20 hack; Xbox 1.1; Mist hack; softmods; DVD player firmware hack; Xbox 1.6 (Flash => ROM)]
Xbox: HyperTransport bus eavesdropping
[Figure: the architecture diagram again, highlighting the 8-bit, 200 MHz HyperTransport link between the MCPX Southbridge (which holds the secret boot ROM) and the Northbridge/CPU; this is the link that was eavesdropped on.]
Xbox: conclusion
Attempt to use a secure boot chain (one of the first platforms to implement it)
BootROM size limitation
- Fatal for security
Many vulnerabilities in only 512 bytes of code
- "17 Mistakes Microsoft Made in the Xbox Security System" by Michael Steil
Security features and DRM fully bypassed
Choose your player: Xbox 360
Xbox 360: Hardware architecture | Software architecture | Security | Attacks | Conclusion
Xbox 360: hardware architecture
Triple-core 64-bit PowerPC, close to a PC
[Figure: three PowerPC cores (CPU at 3.2 GHz), each with its own L1 cache, sharing a 1 MB L2 cache; 512 MB of RAM at 700 MHz; the GPU on the front-side bus (FSB); the Southbridge over PCIe with four USB ports, Ethernet, flash, audio and a SATA HDD.]
Xbox 360: cryptographic coprocessor
[Figure: the three cores, each behind its own MMU and L1, share the L2 cache. Between L2 and RAM a hash unit computes a hash of each protected block written out (physical range @0x00010000-00000010, mapped at virtual @0x87654321), keeps it in on-chip hash SRAM (@0x10), and verifies the hash when the block is read back.]
[Figure: the same layout for confidentiality: blocks are encrypted on their way out to RAM and decrypted on their way back into the cache.]
Xbox 360: software architecture
[Figure: the privileged hypervisor (1) verifies the signature of the code, (2) loads it into RAM and (3) configures the MMU page tables; the kernel and game code and data then execute unprivileged.]
Xbox 360: security model
[Figure: memory regions as seen through the MMU, with DMA arrows pointing at each region]
- Hypervisor: ~128 KB, real mode, encrypted, integrity check
- Code (kernel & game): mapped RX (not W), encrypted, no integrity check
- Data (kernel & game): mapped RW (not X), not encrypted, no integrity check
Xbox 360: anti-downgrade feature
Downgrade: decrease the version level of the console system to exploit an old firmware vulnerability
Detect the downgrade: hardware eFuses inside the CPU
- eFuses are also used to generate a 128-bit CPU key unique per console
- An eFuse is blown at each firmware upgrade
- HMAC with the secret CPU key is used for pairing in NAND
[Figure: version 1 is paired with fuse value 0000 through an HMAC stored in NAND; the upgrade to version 2 blows a fuse (0001) and re-pairs the NAND; putting the version 1 NAND image back is the replay attack that the fuse/HMAC pairing is meant to detect.]
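The pairing just described, modelled as an added example (my own Go code, not ANSSI's, Microsoft's or the console's actual format): the fuse bank is a counter that can only grow, the NAND image carries the lockdown value (LDV) it was paired with plus an HMAC-SHA256 over (version, LDV) under the per-console CPU key, and the boot check rejects an image whose tag does not verify or whose LDV no longer matches the fuses. HMAC-SHA256, the image layout and the single-counter fuse model are assumptions; the 128-bit key is a constructed sample value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// cpuKey stands in for the 128-bit per-console key derived from eFuses.
// Constructed sample value; on the real console the key never leaves the CPU.
var cpuKey = []byte("\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff")

// Fuses models the eFuse bank used as a lockdown counter: a fuse can be blown,
// never un-blown, so the count only ever increases.
type Fuses struct{ blown uint8 }

func (f *Fuses) Blow()        { f.blown++ }
func (f *Fuses) Count() uint8 { return f.blown }

// NANDImage is the firmware image as stored in flash (assumed layout): its
// version, the lockdown value (LDV) it was paired with, and the pairing tag.
type NANDImage struct {
	Version uint16
	LDV     uint8
	Tag     []byte
}

// pairingTag is HMAC-SHA256(key, version || ldv): only the console that owns
// the key can produce it, and it binds the image to exactly one LDV.
func pairingTag(key []byte, version uint16, ldv uint8) []byte {
	msg := make([]byte, 3)
	binary.BigEndian.PutUint16(msg, version)
	msg[2] = ldv
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// Pair writes an image paired to the current fuse count.
func Pair(key []byte, version uint16, f *Fuses) NANDImage {
	ldv := f.Count()
	return NANDImage{Version: version, LDV: ldv, Tag: pairingTag(key, version, ldv)}
}

// Upgrade is the update path from the figure: blow one fuse, then pair the new
// image to the new count. The old image's tag stays genuine, but its LDV is stale.
func Upgrade(key []byte, version uint16, f *Fuses) NANDImage {
	f.Blow()
	return Pair(key, version, f)
}

type BootResult int

const (
	BootOK          BootResult = iota
	BootBadTag                 // HMAC does not verify: not paired by this console
	BootLDVMismatch            // genuine tag but LDV != fuse count: replayed image
)

func (r BootResult) String() string {
	switch r {
	case BootOK:
		return "OK"
	case BootBadTag:
		return "rejected: bad pairing tag"
	default:
		return "rejected: LDV does not match fuses"
	}
}

// Verify is the check the bootloader runs before trusting the NAND image.
// The tag is checked first, so the LDV field itself is covered by the HMAC.
func Verify(key []byte, img NANDImage, f *Fuses) BootResult {
	if !hmac.Equal(img.Tag, pairingTag(key, img.Version, img.LDV)) {
		return BootBadTag
	}
	if img.LDV != f.Count() {
		return BootLDVMismatch
	}
	return BootOK
}

func main() {
	fuses := &Fuses{}
	v1 := Pair(cpuKey, 1, fuses)
	fmt.Println("boot v1 on fresh console:", Verify(cpuKey, v1, fuses))
	v2 := Upgrade(cpuKey, 2, fuses)
	fmt.Println("boot v2 after upgrade:   ", Verify(cpuKey, v2, fuses))
	fmt.Println("replay v1 after upgrade: ", Verify(cpuKey, v1, fuses))
	forged := v1
	forged.LDV = fuses.Count() // LDV patched without knowing the key
	fmt.Println("v1 with patched LDV:     ", Verify(cpuKey, forged, fuses))
}
```

The two rejections are the point of the scheme: the replayed version 1 image carries a genuine tag but a stale LDV, and editing the LDV field to match the fuses breaks the tag. Both checks rest on the CPU key staying secret inside the CPU, which is why the key itself is derived from fuses rather than stored in NAND.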
Xbox 360: secure boot
[Figure: boot chain. The CPU ROM (32 KB) holds the 1BL, the RSA public key and K1BL. The NAND holds, each encrypted and signed: 2BL/CB (with RSASig(2BL), Hash(4BL/CD), Hash(5BL/CE) and K2BL), 4BL/CD (K4BL), 5BL/CE (hypervisor + kernel base), 6BL/CF (with RSASig(6BL), Hash(7BL/CG) and K6BL) and 7BL/CG (patches).]
Steps as labelled in the figure:
1. 1BL, running from CPU SRAM, verifies RSASig(2BL) with the ROM public key and hands over to 2BL/CB (keys K1BL, K2BL).
2. 2BL: initialising RAM encryption/integrity, initialising PCI Express, deactivating JTAG, GPU, ACK SMC, verifying fuseset 02 against 2BL, verifying the LDV (HMAC), loading and decrypting 4BL into RAM, verifying Hash(4BL/CD).
3. Decrypting and extracting 5BL/CE, verifying Hash(5BL/CE).
4. Decrypting 6BL/CF with K1BL, extracting 6BL/CF, verifying RSASig(6BL/CF), verifying the LDV of 6BL/CF against fusesets 07-11.
5. Decrypting and extracting 7BL/CG, verifying Hash(7BL/CG).
6. Applying the patches: hypervisor + kernel base becomes hypervisor + kernel patched.
Xbox 360: attacks chronology

[Figure: timeline from 2005 to 2014. 2005: Xbox 360 (Xenon) released; then, in order: hack of the DVD player; King Kong attack (kernel 4532/4548); SMC/JTAG attack; timing attack (downgrade); glitch attack; 2014: Xbox 360 Winchester.]

- Xbox 360 is released
- Hack of the DVD player: game piracy is made possible
- King Kong attack: first software vulnerability exploited (hypervisor mode privilege escalation)
- Timing attack: downgrade to exploit the King Kong attack
- Glitch attack: hardware glitch to bypass the secure boot
Xbox 360: the King Kong attack

The King Kong attack, a purely software attack

Improper integer comparison in the hypervisor syscalls handler

Pseudocode:

    extern u32 syscall_table[0x61];

    void syscall_handler(r0, r3, r4, ...) {
        if ((u32)r0 >= 0x61) {                  /* bound check on the low 32 bits only */
            goto bad_syscall;
        }
        r1 = (void*)syscall_table[(u64)r0];     /* table indexed with the full 64-bit value */
        r1();
    }
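The bound-check defect of the pseudocode in runnable form, as an added example that is not the hypervisor's code: `dispatch_index_vulnerable` mirrors the pseudocode (comparison on the truncated 32-bit value, index with the 64-bit register) and `dispatch_index_fixed` is the corrected check. Both return the table index they would use instead of dispatching through a table, so the effect is visible without any out-of-bounds access. Function names and the sample register values are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the hypervisor's code: a model of the syscall dispatch
 * of the pseudocode. Both dispatchers return the table index they would use,
 * or -1 when the request is rejected, so nothing is dereferenced. */

#define NUM_SYSCALLS 0x61

/* Vulnerable form: the check is done on the value truncated to 32 bits while
 * the table is indexed with the full 64-bit register, so any r0 whose low
 * 32 bits are below 0x61 passes the check whatever its upper half holds. */
static int64_t dispatch_index_vulnerable(uint64_t r0)
{
    if ((uint32_t)r0 >= NUM_SYSCALLS)
        return -1;                      /* bad_syscall */
    return (int64_t)r0;                 /* syscall_table[(u64)r0] */
}

/* Fixed form: check and index use the same 64-bit width. */
static int64_t dispatch_index_fixed(uint64_t r0)
{
    if (r0 >= NUM_SYSCALLS)
        return -1;
    return (int64_t)r0;
}

/* Would this index stay inside syscall_table[0x61]? */
static int index_in_table(int64_t idx)
{
    return idx >= 0 && idx < NUM_SYSCALLS;
}

int main(void)
{
    /* constructed inputs: a normal syscall number, the first out-of-range
     * number, and a value whose low 32 bits look valid */
    const uint64_t requests[] = { 0x2A, 0x61, 0x100000000ULL | 0x2A };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int64_t v = dispatch_index_vulnerable(requests[i]);
        int64_t x = dispatch_index_fixed(requests[i]);
        printf("r0=0x%llx  vulnerable: %lld (%s)  fixed: %lld\n",
               (unsigned long long)requests[i], (long long)v,
               v < 0 ? "rejected" : index_in_table(v) ? "in table" : "OUT OF TABLE",
               (long long)x);
    }
    return 0;
}
```

The fix is a consistency rule rather than a bigger table: whatever width the index is used with is the width the comparison must be done with, and a compiler warning on the implicit narrowing in the comparison is the cheapest detection of this pattern.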
Xbox 360: the King Kong attack

[Figure: memory map and attack steps.
Memory regions:
- GPU RAM / Data (Kernel & Game): MMU RW (not X), not encrypted, no integrity check
- Code (Kernel & Game): MMU RX (not W), encrypted, no integrity check
- Hypervisor: ~128 KB, real mode, encrypted, integrity check
Steps: (1) a shader (not code signed) is written by DMA; (2) DMA to the thread PC; (3) `sc` instruction (syscall); (4) exploit syscall 0x2A; Ret2Code (ROP).]
Xbox 360: the timing attack

Problem: the King Kong vulnerability has been patched before its public disclosure

Solution: downgrade to a vulnerable kernel and exploit the King Kong attack
- But: how to bypass the eFuse protection?

A non-constant time memcmp in the 2BL is used when checking the eFuse pairing HMAC
- It is possible to forge a valid HMAC without knowing the CPU secret key
Xbox 360: the timing attack

    CheckHMAC(char *RealHMAC, char *TestHMAC, int len) {
        [..]
        for (i = 0; i < len; i++)
            if (RealHMAC[i] != TestHMAC[i])
                break;                  /* early exit: runtime depends on the matching prefix */
        [..]
    }

[Figure: byte-by-byte recovery of the HMAC. Each try is measured: 0.21 ms when the first byte is wrong, 0.22 ms when it matches.
Try I = 0: TestHMAC = 00 00 ... 00, GuessedHMAC = 00 00 ... 00, 0.21 ms, FALSE, new try.
Try I = 1: TestHMAC = 01 00 ... 00, 0.21 ms, FALSE, new try.
Try I = 2: TestHMAC = 02 00 ... 00, 0.21 ms, FALSE, new try.
Try I = 3: TestHMAC = 03 00 ... 00, 0.22 ms, TRUE: GuessedHMAC = 03 00 ... 00.
The counter restarts at I = 0 with TestHMAC = GuessedHMAC = 03 00 ... 00 for the next byte.]
Xbox 360: the glitch attack

The integrity check of the 4BL by the 2BL can be glitched with a pulse inserted at the right time

[Figure: timing diagram with CLK, the POST code (0x36, then 0x39), /RESET and /CPU_PLL-BYPASS; a 100 ns glitch (the attack) is inserted around POST codes 0x36 / 0x39. Not glitched: the check returns FALSE. Glitched: all registers are reset, so res = memcmp(h1, h2, len) reads 0 and the check returns TRUE.]

    isHashValid(h1, h2, len) {
        [...]
        res = memcmp(h1, h2, len)
        if (res == 0) { return TRUE }   /* a result register reset to 0 is taken as "hashes equal" */
        return FALSE
    }
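The two comparison routines of the timing-attack slide (CheckHMAC) and of this glitch-attack slide (isHashValid), as one added C example that is not the 2BL's code: `compare_early_exit` reproduces the leaky loop and reports its iteration count as a stand-in for the measured time, `compare_constant_time` is the usual fix for the timing leak, and `hardened_verdict` illustrates a standard fault-injection countermeasure (success encoded as a specific non-zero constant, reached only after two passes) that the slides do not describe. The reference HMAC bytes and all function and macro names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the 2BL's code: the leaky compare of CheckHMAC, its
 * constant-time replacement, and a fault-aware verdict for the memcmp-based
 * isHashValid. REAL_HMAC and all names are constructed for the illustration. */

#define HMAC_LEN 16

static const uint8_t REAL_HMAC[HMAC_LEN] = {          /* constructed reference value */
    0x03, 0x7f, 0xa2, 0x10, 0x5c, 0xee, 0x41, 0x98,
    0xb3, 0x0d, 0x6a, 0xc7, 0x22, 0x90, 0xfe, 0x1b
};

/* 1. Early-exit compare as in CheckHMAC. *work receives the loop iterations
 *    executed: it stands for the 0.21 ms / 0.22 ms of the slide and grows by
 *    one for each leading byte that matches, which is what the attack observes. */
static int compare_early_exit(const uint8_t *real, const uint8_t *test, size_t len, size_t *work)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (real[i] != test[i])
            break;
    *work = (i < len) ? i + 1 : len;
    return i == len;
}

/* 2. Constant-time compare: every byte is visited, differences are OR-ed
 *    together and there is no data-dependent branch, so the work done no
 *    longer reveals where the first mismatch is. */
static int compare_constant_time(const uint8_t *real, const uint8_t *test, size_t len, size_t *work)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(real[i] ^ test[i]);
    *work = len;
    return diff == 0;
}

/* 3. Fault-aware verdict. With `memcmp(...) == 0`, registers zeroed by the
 *    glitch read as "equal". A common countermeasure (not from the slides):
 *    success is a specific constant reached only after two independent
 *    passes, so 0x00000000 and 0xFFFFFFFF both mean failure. */
typedef uint32_t verdict_t;
#define VERDICT_VALID 0x5A3C96A5u
#define STEP_A        0x0F0F0F0Fu
#define STEP_B        (VERDICT_VALID ^ STEP_A)

static int naive_is_valid(int memcmp_result) { return memcmp_result == 0; } /* zeroed register passes */

static verdict_t hardened_verdict(const uint8_t *real, const uint8_t *test, size_t len)
{
    size_t work;
    volatile verdict_t v = 0;                      /* 0 means "not proven valid" */
    if (compare_constant_time(real, test, len, &work))
        v ^= STEP_A;
    if (compare_constant_time(real, test, len, &work))
        v ^= STEP_B;                               /* VERDICT_VALID only if both passes agree */
    return v;
}

static int verdict_accepts(verdict_t v) { return v == VERDICT_VALID; }

/* Iterations performed by the chosen compare against a candidate that matches
 * REAL_HMAC on its first `prefix` bytes and differs on every byte after. */
static size_t work_for_prefix(int constant_time, size_t prefix)
{
    uint8_t c[HMAC_LEN]; size_t w;
    for (size_t i = 0; i < HMAC_LEN; i++)
        c[i] = (i < prefix) ? REAL_HMAC[i] : (uint8_t)~REAL_HMAC[i];
    if (constant_time) compare_constant_time(REAL_HMAC, c, HMAC_LEN, &w);
    else               compare_early_exit(REAL_HMAC, c, HMAC_LEN, &w);
    return w;
}

/* Hardened verdict for the same kind of candidate. */
static int hardened_accepts(size_t prefix)
{
    uint8_t c[HMAC_LEN];
    for (size_t i = 0; i < HMAC_LEN; i++)
        c[i] = (i < prefix) ? REAL_HMAC[i] : (uint8_t)~REAL_HMAC[i];
    return verdict_accepts(hardened_verdict(REAL_HMAC, c, HMAC_LEN));
}

int main(void)
{
    for (size_t p = 0; p <= HMAC_LEN; p += 4)
        printf("prefix %2zu: early-exit %2zu iterations, constant-time %2zu\n",
               p, work_for_prefix(0, p), work_for_prefix(1, p));
    printf("zeroed result: naive check %s, hardened check %s\n",
           naive_is_valid(0) ? "accepts" : "rejects", verdict_accepts(0) ? "accepts" : "rejects");
    return 0;
}
```

The iteration count of `compare_early_exit` is the signal the slide's 0.21 ms / 0.22 ms measurement extracts; `compare_constant_time` removes it. The verdict encoding is the answer to the other slide: a comparison whose "pass" state is the all-zero register value cannot survive a fault that clears registers, whereas a pass value that has to be built in two steps does not appear by accident.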
Xbox 360: conclusion

A good software architecture:
- Tiny and auditable hypervisor
- W⊕X
- Any executable piece of code is authenticated

Secure boot process, eFuses against downgrade ...

... but some DMA attacks are still possible (thread states unprotected)
Some data are not authenticated
Some cryptographic weaknesses have been exploited (timing attack, RC4)
The console has not been designed with hardware attacks in mind (glitch)
Choose your player: PS3

Skill level:
- Can I play, Daddy?
- Don't hurt me.
- Bring 'em on!
- I am Death incarnate!
PS3: architecture

[Figure: Cell Broadband Engine block diagram. PPE (PPU with PXU, L1 and L2) and 8 SPEs (each an SPU with SXU and LS, plus an MFC) connected through the Element Interconnect Bus (EIB); BEI towards FlexIO; MIC towards dual XDR / DDR2.
Legend: SPE – Synergistic Processor Element; SPU – Synergistic Processor Unit; SXU – Synergistic Execution Unit; LS – Local Store; MFC – Memory Flow Controller; PPU – Power Processor Unit; PXU – Power Execution Unit; BEI – Broadband Engine Interface; MIC – Memory Interface Controller; XDR/DDR2 – Extreme Data Rate / Double Data Rate 2.]

CELL Broadband Engine (PPE + 8 SPE)

PPE: classical 64-bit PowerPC architecture
PS3: isolated SPE mode

SPE: code isolation/bootstrapping (root of trust)

[Figure, four steps: an SPE (SPU + MFC + Local Store) attached to the PPE over the EIB. 1) The SPU starts from its BOOTROM, which holds the CPU key (KCPU); the whole Local Store is public. 2) Code is loaded from the PPE side into the public Local Store. 3) The SPU switches to isolated mode: the Local Store is split into a private part, where the code is decrypted with KCPU and runs, and a public part used to exchange data with the PPE. 4) The isolated code executes; the PPE can only reach the public part.]
PS3: software architecture

(ldr*) bootloaders:
  - First level: they bootstrap the SPE in isolated mode
  - Second level: they are executed by the first-level loaders
Hypervisor (lv1): PPE in hypervisor mode
GameOS/OtherOS (lv2/-): PPE in supervisor mode
  - OtherOS = Linux (removed after the first attack on the console)
Applications: PPE in user mode
PS3: secure boot

[Figure: the PS3 boot chain. The SPE BootROM, holding the CPU key and the ECDSA/AES routines, starts bootldr on SPE0; bootldr decrypts and starts lv0 on the PPE. lv0 loads metldr on SPE2, and metldr in turn loads the second-level loaders on SPE2 (lv1ldr, lv2ldr, appldr, isoldr, rvkldr). Each *ldr decrypts and verifies the signature of its own payloads:
  lv1ldr -> Lv1.self (hypervisor, PPE)
  lv2ldr -> lv2_kernel.self, ps2_emu.self, ps2_gxemu.self, ps2_so9emu.self (GameOS, PPE)
  appldr -> vsh.self (applications, PPE)
  isoldr -> sv_iso_spu_module.self, sb_iso_spu_module.self, mc_iso_spu_module.self, me_iso_spu_module.self (isolated SPE modules)
  rvkldr -> rvklist / rvkprg (revocation lists)]
PS3: anti-downgrade and revocation

No hardware anchor (such as eFuse) for anti-downgrade

Component            CPU/Mode   Update   Revocation
bootROM              Cell       No       No
bootldr              SPE0       No       No
lv0                  PPE/HV     Yes      No
metldr               SPE2       No       No
lv1ldr               SPE2       Yes      No
lv1                  PPE/HV     Yes      No
lv2ldr               SPE2       Yes      No
lv2                  PPE/SP     Yes      Yes
isoldr               SPE2       Yes      No
appldr               SPE2       Yes      Yes
games/applications   PPE/USR    Yes      Yes
PS3: security model

PPE/hypervisor is outside the TCB
  - Sensitive elements are executed on the SPE
  - All code is encrypted and signed
  - Security through obscurity
Encryption of the EIB bus (RAM, peripherals)
  - DMA attacks are limited
No W^X: the hypervisor verifies almost nothing
PS3: hello hypervisor, I'm geohot

Glitch => take control of the hypervisor from OtherOS/Linux
Does not give control over the other (isolated SPE) components
  - No game piracy possible

[Figure: PS3 attack timeline, 2006-2012: PS3 Fat and OtherOS (2006); hypervisor glitch hack (2010); PSJailbreak (2010); USB/JIG downgrade (2010); ECDSA attack + lv2ldr key (2010); metldr key attack (2011); bootldr key attack (2012); PS3 Ultraslim (2012).]
PS3: PSJailbreak

First attack that allows game piracy
Attack on the USB stack of lv2 (GameOS)
  - No W^X: hypervisor fail
PS3: attacking the bootloaders

2010: major vulnerability in Sony's ECDSA implementation
  - The same nonce is reused across signatures (different firmware versions signed with the same key)
  - With two such signatures, one can compute the private key!
  - The boot chain is completely and forever broken
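The nonce-reuse break described above, worked through as an added example (this is neither Sony's code nor the authors'): textbook ECDSA in pure Python over secp256k1, which stands in for Sony's curve since the slide does not give it; the algebra is the same on any curve. Two constructed "firmware images" are signed with the same constant k, `recover_private_key` computes d from the two signatures alone, and the recovered key then signs a forgery that the verifier accepts. The signing key, the nonce and the messages are all constructed for the demo.

```python
"""Added example: ECDSA private-key recovery from a repeated nonce."""
import hashlib

# secp256k1 domain parameters (stand-in curve; the attack is curve-independent)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def hash_to_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def ecdsa_sign(priv, message, k):
    """Textbook ECDSA. The caller chooses the nonce k: that is exactly the flaw."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (hash_to_int(message) + r * priv) % N
    return r, s


def ecdsa_verify(pub, message, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = ec_add(ec_mul(hash_to_int(message) * w % N, G),
                   ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def recover_private_key(sig1, msg1, sig2, msg2):
    """Two signatures with the same r (hence the same k) under one key leak d.

    s_i = k^-1 (h_i + r d)  =>  k = (h1 - h2) / (s1 - s2),  d = (s1 k - h1) / r
    """
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r differs: nonces were distinct, attack does not apply")
    h1, h2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (h1 - h2) * pow(s1 - s2, -1, N) % N
    d = (s1 * k - h1) * pow(r1, -1, N) % N
    return d, k


def demo():
    """Sign two 'firmware images' with one fixed nonce and recover the signing key."""
    priv = hash_to_int(b"constructed demo signing key")    # constructed, not Sony's
    fixed_k = hash_to_int(b"constructed constant nonce")   # the bug: k never changes
    pub = ec_mul(priv, G)
    fw1, fw2 = b"firmware image A (constructed)", b"firmware image B (constructed)"
    sig1, sig2 = ecdsa_sign(priv, fw1, fixed_k), ecdsa_sign(priv, fw2, fixed_k)
    recovered_d, recovered_k = recover_private_key(sig1, fw1, sig2, fw2)
    # With d in hand the attacker signs anything: the chain is "forever broken".
    forgery_msg = b"attacker payload (constructed)"
    forged = ecdsa_sign(recovered_d, forgery_msg, 12345)
    return {
        "both_valid": ecdsa_verify(pub, fw1, sig1) and ecdsa_verify(pub, fw2, sig2),
        "same_r": sig1[0] == sig2[0],
        "key_recovered": recovered_d == priv,
        "nonce_recovered": recovered_k == fixed_k,
        "forgery_verifies": ecdsa_verify(pub, forgery_msg, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The tell-tale sign in the wild is two signatures from the same key sharing the r component: r depends only on k, so equal r means equal k, and the two linear equations in (k, d) solve immediately. The fix is a fresh unpredictable k per signature, or deterministic derivation of k from the key and the message (RFC 6979), which cannot repeat across different messages.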
PS3: conclusion

+ Interesting exotic hardware platform (isolated SPE)
+ DMA attack mitigations
+ BootROM with a dedicated CPU key

- Limited hypervisor, not designed with security in mind
- No defense in depth (no W^X)
- Cryptographic fail (ECDSA)
- Boot chain with limited revocation and anti-downgrade features
- Security through obscurity (SPE code)
- Not designed with hardware attacks in mind (glitch)
Playstation 4
Produced by Sony Computer Entertainment in 2013
Public hacking started in 2015
PS4: architecture

Hardware architecture:
  - SoC/APU AMD Jaguar (x86-64, 1.6 GHz, 8 cores)
  - Same as the Xbox One
Software architecture:
  - Kernel based on the FreeBSD 9.0 kernel (2012)
  - Unlike for the Playstation 3, Sony now bases its system on open source software:
    * WebKit
    * OpenSSL, Cairo, ...
    * LLVM/Clang
PS4: security

Security features:
  - Secure boot
  - Encrypted binaries (SELF), as on the PS3
  - Modern software mitigations:
    * W^X (with x86 hardware support)
    * ASLR
    * FreeBSD jails
  - Little or no information about hardware security features (DMA, encrypted bus, ...)
PS4: SPI flash cloning

First hardware attack: Brazilian PS4 flash dump
  - It is possible to clone the metadata stored in the flash
  - No pairing between the SPI flash and the console
  - Exploit kit based on Raspberry Pi/Teensy
  - Quickly patched
PS4: software exploit chain

[Figure: address-space view of the chain. User land starts at 0x0000000000000000; kernel land spans 0xffffffff80000000 to 0xffffffffffffffff. 1) User input reaches WebKit; 2) userland ROP; 3) privilege escalation into kernel-land code execution.]
PS4: WebKit vulnerability

First true software attack (same on the PS Vita)
First entry point for reverse engineering
  - CVE-2012-3748, heap overflow in the JavaScript VM
  - JS object corruption in JSArray::sort(...)
    * Gives read and write primitives inside the browser address space
    * Allows arbitrary code execution (overwriting a return address and some function pointers...)
  - Problem: Sony uses ASLR and W^X (FreeBSD)
PS4: userland ASLR/W^X bypass

[Figure: browser process memory (executable, Lib 1, Lib 2 and libkernel mapped RX; heap and stack RW), with the kernel reachable only through syscalls. Initially the attacker knows none of the module addresses (ASLR). 1) Address leak: the read primitive reveals the base addresses of the mapped modules. 2) ROP: a chain of gadgets taken from the RX modules is written on the stack. 3) Syscalls: the chain calls into the kernel through libkernel.]
PS4: sandboxing

Attacker is jailed inside the process memory
FreeBSD jails

[Figure: the browser process (executable, Lib 1, Lib 2, libkernel, heap, stack) runs inside a jail; the attacker's only way out is the syscall interface to the kernel.]
PS4: native code execution by CTurt (@CTurtE)

ROP chain is limited: native code execution is required

[Figure: memory aliasing with different access rights. 1) Request an RX shared memory allocation: sys_jitshm_create(). 2) Create an RW alias of it: sys_jitshm_alias(). P1 is the payload seen through the RW mapping, P2 the same payload seen through the RX mapping: two virtual mappings of one set of physical pages. Code written through P1 executes through P2, reached from WebKit (user land) via libkernel syscalls into the kernel.]
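The aliasing trick from the slide above, as an added example that is not CTurt's or Sony's code: sys_jitshm_create() and sys_jitshm_alias() only exist on the PS4, so this stand-in uses the Linux equivalents, a memfd mapped twice over the same pages, once PROT_READ|PROT_EXEC and once PROT_READ|PROT_WRITE. The payload is the machine code of a constructed leaf function copied byte for byte; the names payload_source and run_alias_demo are the example's own. The defender's lesson is the one the slide makes implicitly: W^X holds only if the kernel refuses to give userland two mappings of one page with complementary rights.

```c
/* Added example: defeating W^X with an RW/RX alias of the same physical pages.
 * Stand-in for the PS4 jitshm syscalls: a Linux memfd mapped twice. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Explicit prototype so the example builds even if a feature macro is missing. */
extern int memfd_create(const char *name, unsigned int flags);

#define ALIAS_LEN   4096
#define PAYLOAD_LEN 64

/* Constructed payload: returns a constant and makes no data or relative
 * references, so its bytes run unchanged wherever they are mapped. */
__attribute__((noinline, used)) static int payload_source(void) {
    return 42;
}

/* Map the same pages twice with different rights, write code through the
 * RW view and run it through the RX view. Returns the payload's result,
 * or a negative code if the kernel refused a step. */
int run_alias_demo(void) {
    /* 1. Shared memory object: stand-in for sys_jitshm_create(). */
    int fd = memfd_create("jitshm_demo", 0);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, ALIAS_LEN) != 0) {
        close(fd);
        return -2;
    }

    /* 2. RX view (P2 on the slide) and RW alias (P1, stand-in for
     *    sys_jitshm_alias()). Both are MAP_SHARED on one file, so they alias
     *    one set of physical pages; neither view alone is RWX. */
    unsigned char *rx = mmap(NULL, ALIAS_LEN, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    unsigned char *rw = mmap(NULL, ALIAS_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (rx == MAP_FAILED || rw == MAP_FAILED)
        return -3;

    /* 3. Stage the code through the writable alias... */
    memcpy(rw, (const void *)payload_source, PAYLOAD_LEN);
    /* ...and make the instruction cache see it (needed on ARM, harmless on x86). */
    __builtin___clear_cache((char *)rx, (char *)rx + PAYLOAD_LEN);

    /* 4. Execute through the RX alias: native code without ever holding RWX. */
    int (*payload)(void) = (int (*)(void))(uintptr_t)rx;
    int result = payload();

    munmap(rw, ALIAS_LEN);
    munmap(rx, ALIAS_LEN);
    return result;
}

int main(void) {
    int r = run_alias_demo();
    if (r < 0)
        printf("aliasing refused at step %d\n", -r);
    else
        printf("payload ran through the RX alias and returned %d\n", r);
    return 0;
}
```

Build with `cc -O0 alias.c -o alias && ./alias`. A kernel hardened against this either refuses PROT_EXEC on mappings of a file that is also mapped writable, or seals the object (the PS4 fix for jitshm went the same way: aliases with conflicting rights are no longer handed to unprivileged processes).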
PS4: syscall fuzzing and reverse engineering

At this point attackers want kernel privileges
Syscall reverse engineering results:
  - 532 FreeBSD syscalls
  - 85 proprietary syscalls (Sony)
  - The jail filters calls to critical syscalls (e.g. ptrace)
Unofficial SDKs have been released by the community
PS4: exploit chain (user land) by CTurt (@CTurtE)

[Figure, recap of the chain: user land from 0x0000000000000000, kernel land from 0xffffffff80000000 to 0xffffffffffffffff. 1) User input reaches WebKit; 2) userland ROP; 3) privilege escalation into kernel-land code execution.]
PS4: exploit chain (kernel) by CTurt (@CTurtE)

[Figure: user land (from 0x0000000000000000) and kernel land (0xffffffff80000000 to 0xffffffffffffffff). 1) WebKit bug; 2) payload staged in user memory; 3) userland ROP, then userland native code execution via libkernel; 4) BadIRET gives a kernel write primitive (with constraints); 5) the IDT is writable (FreeBSD), so an entry is redirected to the payload: kernel-land code execution.]
PS4: BadIRET kernel exploit

Originally discovered in Linux (CVE-2014-9322) and later found to affect FreeBSD too:
  - Fixed back in 2014 on FreeBSD
  - Not fixed on the PS4 until firmware versions > 2.01
    * Rumor: Sony's security officer was replaced around this time...
Linux / BSD: BadIRET kernel vulnerability

[Figure, three panels. Normal flow: in user mode GS points at the user thread block; on entry to the kernel SWAPGS installs the kernel GS (kernel thread block), and a second SWAPGS restores the user GS just before IRET returns to user mode. The bug: if IRET itself faults while returning to user mode (for instance on an invalid segment selector), the fault handler runs in the kernel with GS still pointing at the attacker-controlled user value: GS confusion. The kernel then dereferences per-CPU data through GS into attacker memory, which yields the write primitive. With the IDT writable and neither SMEP nor SMAP, an IDT entry is pointed at a userland payload that runs with kernel privileges.]
PS4: update IDT

[Figure: the IDT in kernel memory with entries #13 (#GP), #14 (#PF) and #15. The kernel write primitive replaces the address stored in an interrupt vector with the address of the attacker's payload in userland; triggering that exception then runs the payload with kernel privileges. This works only because the IDT is writable and SMEP is absent.]
PS4: exploit chain kernel
[Figure: PS4 kernel exploit chain, steps 1 to 5 across User land (from 0x0000000000000000) and Kernel land (0xffffffff80000000 to 0xffffffffffffffff): WebKit, Userland ROP, Payload, LibKernel, Userland code execution, BadIRET, Kernel write primitive (with constraints), IDT RW (FreeBSD), Kernel land code execution]
66/70 Game consoles security July 2016
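The IDT-rewrite step on the two slides above is something a kernel integrity check can look for. As an added example, not code from the talk: decode raw x86-64 IDT gate descriptors and report any present vector whose handler no longer lies in kernel land. The three-entry byte image, the selector 0x20 and the handler addresses are constructed for illustration; the kernel-land base is the one from the exploit-chain memory layout.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not from the talk): decode x86-64 IDT gates and flag present
 * vectors whose handler is outside kernel land (0xffffffff80000000 and above
 * in the PS4 memory layout on the exploit-chain slide). */
#define KERNEL_BASE 0xffffffff80000000ULL

struct idt_gate { uint64_t offset; uint16_t selector; uint8_t dpl, present; };

/* 16-byte 64-bit gate, little-endian (Intel SDM): the handler offset is split
 * over bytes 0-1, 6-7 and 8-11; byte 5 holds type, DPL and the present bit. */
void decode_gate(const uint8_t raw[16], struct idt_gate *g)
{
    uint64_t lo  = raw[0] | ((uint64_t)raw[1] << 8);
    uint64_t mid = raw[6] | ((uint64_t)raw[7] << 8);
    uint64_t hi  = 0;
    for (int i = 3; i >= 0; i--) hi = (hi << 8) | raw[8 + i];
    g->offset   = lo | (mid << 16) | (hi << 32);
    g->selector = raw[2] | ((uint16_t)raw[3] << 8);
    g->dpl      = (raw[5] >> 5) & 0x3;
    g->present  = raw[5] >> 7;
}

/* Returns how many present gates in a raw IDT image point outside kernel land;
 * the first offending vector index is stored in *first_bad (-1 if none). */
int check_idt(const uint8_t *idt, size_t nvec, int *first_bad)
{
    int bad = 0;
    *first_bad = -1;
    for (size_t v = 0; v < nvec; v++) {
        struct idt_gate g;
        decode_gate(idt + 16 * v, &g);
        if (g.present && g.offset < KERNEL_BASE) {
            if (bad == 0) *first_bad = (int)v;
            bad++;
        }
    }
    return bad;
}

/* Constructed three-entry IDT image standing for vectors #13 (#GP), #14 (#PF)
 * and #15 as on the "update IDT" slide: #GP and #15 point into kernel text
 * (0xffffffff80a01234, 0xffffffff80a01300), while #PF has been rewritten to the
 * user-land address 0x00007fff12340000. Selector 0x20, type 0xe, DPL 0. */
const uint8_t sample_idt[3 * 16] = {
    0x34,0x12, 0x20,0x00, 0x00, 0x8e, 0xa0,0x80, 0xff,0xff,0xff,0xff, 0,0,0,0,
    0x00,0x00, 0x20,0x00, 0x00, 0x8e, 0x34,0x12, 0xff,0x7f,0x00,0x00, 0,0,0,0,
    0x00,0x13, 0x20,0x00, 0x00, 0x8e, 0xa0,0x80, 0xff,0xff,0xff,0xff, 0,0,0,0,
};
```

On a live system the image would be read from the address the IDTR register points at (sidt), which requires kernel privileges; the decoding and the kernel-land check are the same.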
PS4: conclusion
Sony has moved to a classical hardware platform
Defense in depth (mostly FreeBSD features):
I W⊕X
I Userland ASLR
I Sony has removed vulnerable kernel modules (SCTP)
Hardware probably not designed with security in mind
Big holes in the defensive features:
I BadIRET not patched
I Interrupt Descriptor Table (IDT) RW, no SMAP/SMEP
67/70 Game consoles security July 2016
Conclusion
Every penny is worth it when it comes to security
Attackers always target the weakest point
Attackers mix software and hardware; they do not distinguish them
I Security must be seen as a whole and complex system issue
I Hardware and software design teams must communicate
68/70 Game consoles security July 2016
Questions
69/70 Game consoles security July 2016
Full paper (in French) can be downloaded here: http://goo.gl/J37lSK
70/70 Game consoles security July 2016