Page 1: Security offense and defense strategies: Video-game consoles architecture under microscope

Ryad BENADJILA, Mathieu RENARD

[email protected]

July 2016

Page 2: Context

Outline: Introduction | Playstation | Xbox | Xbox 360 | Playstation 3 | Playstation 4 | Conclusion

Gaming consoles:
- Technology showcases regarding security

Video game industry actors are spending a lot of money on:
- Fighting against counterfeiting and piracy
- Keeping control of their platform (soft + hard)

1/70 Game consoles security July 2016

Page 3: Objectives

Highlight security best and worst practices

Security features of iconic gaming consoles:
- Playstation 1: birth of modchips
- Xbox: some security concepts are introduced
- Xbox 360 and PS3: advanced security features are used

New generation consoles:
- Playstation 4


Page 7: Warning!

This talk discusses jailbreak techniques with purely defensive aims in mind. ANSSI encourages publishers to systematically correct any identified vulnerabilities in the shortest possible time. Users are invited to apply security updates as soon as possible.

Page 8: Choose your player: PS1

Figure: game difficulty-selection screen (skill levels "Can I play, Daddy?", "Don't hurt me.", "Bring 'em on!", "I am Death incarnate!") used to introduce the PS1 section.

Page 10: Playstation 1

Produced by Sony Computer Entertainment in 1994

Mass hacking starting in 1995

Page 11: Playstation 1: lack of security by design

Processor: custom MIPS R3000
- No MMU
- Other processors of the family, like the RS3000E, have an MMU

In 1995, Sony does not care about security

The priority is to implement DRM features

Page 12: Playstation 1: regional zoning

Games and consoles are specified for only one region

Regional code information is stored:
- In the console BIOS
- On the Lead-IN track of the CD-ROM

The stored information is a string of the form SCEx:
- A for America (SCEA)
- E for Europe (SCEE)
- I for Japan (SCEI)

Regional information is stored using the Wobble Groove DRM
- Prevents perfect game clones


Page 15: Playstation 1: wobble groove

Figure: layout of a PS1 disc. The Lead-IN area carries the wobble data (the SCEx string, encoded as a bit pattern in the groove wobble); the Data area and the Lead-OUT carry no wobble data.

Page 16: Playstation 1: attacks

Lack of security features

Aim: bypass DRM features

Figure: timeline 1994 to 2000. Milestones shown: PS1 SCPH-1000 (1994); Action Replay, game hacking (hardware attack); 1995; modchips, game hacking (hardware attack); PS1 SCPH-9000; PS1 SCPH-100.


Page 18: Playstation 1: architecture

Figure: block diagram. CPU RS3000 with 4 Mbit DRAM and boot ROM; controller and memory card ports; CD-ROM controller with CD-RF driver; GPU with SG-RAM; audio DAC; RGB encoder and MULTIOUT video output; serial I/O; parallel I/O (* only before SCPH-900x).

Page 19: Playstation 1: architecture & action replay

Figure: the same block diagram (CPU RS3000, DRAM, boot ROM, CD-ROM controller, GPU, SG-RAM, DAC, RGB encoder, MULTIOUT, serial I/O, parallel I/O * only before SCPH-900x), annotated with the /OE (output enable) signals relevant to the Action Replay.

Page 20: Playstation 1: wobble groove architecture

Figure: the CD-ROM reader (laser, lens, photoelectric cell) feeds the CD-ROM controller with the data stream, the tracking signal and the error tracking signal (wobble groove); the controller extracts the region string (SCEE in the figure) and passes the data to the CPU.

Page 21: Playstation 1: modchips origins

Figure: the same reader / controller / CPU diagram; the wobble groove signal (SCEx) is emulated and fed to the CD-ROM controller in place of the tracking signal coming from the reader.

Page 22: Playstation 1: conclusion

No security features

DRM bypassed

Birth of the concept of modchips as mass hacking tools

Explosion of the game hacking market

Page 23: Choose your player: Xbox

Figure: the same difficulty-selection screen ("Can I play, Daddy?" to "I am Death incarnate!") used to introduce the Xbox section.

Page 25: Xbox

Launched in the USA in 2001

Architecture similar to a standard PC

Windows 2000 kernel (stripped)

Embeds some security features
- All bypassed by the Xbox hacking community

Page 26: Xbox: architecture

Figure: block diagram. CPU (64-bit bus, 133 MHz) to the Northbridge, which hosts the NV2A GPU and 64 MB of SDRAM (128-bit DDR, 200 MHz); Northbridge to the MCPX Southbridge over an 8-bit HyperTransport link at 200 MHz. The MCPX holds the secret BootROM and connects the Flash ROM (table initialisation, bootloader, kernel, ...), USB, Ethernet, the locked HDD, the LPC extension, a legacy bus (< 10 MHz) and the SMBus / I2C devices (CODEC, SMC, EEPROM).

Page 27: Xbox: security

Signed executable binaries (XBE)

HDD access restricted
- Using ATA Security features

Secure boot chain
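The HDD restriction mentioned above relies on the ATA security feature set, and the state of that feature set is something an analyst can read off any drive. The Python below is an added example (not code from the talk): it parses the `Security:` section of `hdparm -I` output and reports whether a password is set and whether the drive is currently locked. The two sample outputs are constructed to mirror that section's layout (tab-indented flags, prefixed with `not` when clear), and the state names returned by `assess` are this example's own.

```python
"""Read the ATA security state of a drive from `hdparm -I` output.

The sample outputs below are constructed for this example, modelled on the
"Security:" section printed by hdparm -I (flags are tab-indented, with a
"not" prefix when the flag is clear)."""
import re

# One flag per line: optional "not", then the flag keyword.
FLAG_RE = re.compile(r"^\s*(not\s+)?(supported|enabled|locked|frozen|expired)\b")


def ata_security_state(hdparm_output: str) -> dict:
    """Return {'supported': bool, 'enabled': bool, 'locked': bool, ...}
    parsed from the Security section; flags never printed are absent."""
    flags = {}
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break  # first non-indented line ends the section
        if not in_section:
            continue
        m = FLAG_RE.match(line)
        if m and m.group(2) not in flags:  # first occurrence wins
            flags[m.group(2)] = m.group(1) is None
    return flags


def assess(flags: dict) -> str:
    """Summarise the parsed flags as one of this example's state names."""
    if not flags.get("supported"):
        return "ata-security-unsupported"
    if flags.get("enabled") and flags.get("locked"):
        return "password-set-and-locked"
    if flags.get("enabled"):
        return "password-set-unlocked"
    if flags.get("frozen"):
        return "disabled-frozen"
    return "disabled"


# Constructed sample: a drive with an ATA user password set and still locked,
# which is what a console-style HDD lock looks like to hdparm.
CONSOLE_DRIVE = """\
ATA device, with non-removable media
Security: 
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\t\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""

# Constructed sample: a typical PC drive, no password, frozen by the BIOS.
PC_DRIVE = """\
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""

if __name__ == "__main__":
    for name, text in (("console drive", CONSOLE_DRIVE), ("PC drive", PC_DRIVE)):
        print(name, ata_security_state(text), assess(ata_security_state(text)))
```

On a real system the text would come from running `hdparm -I` on the device; the parser only looks at the `Security:` block, so the rest of the output can be passed through unchanged.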

Page 28: Xbox: bootROM and root of trust

Attempt to create a custom root of trust:
- Bootloader code is burned in the MCPX (Southbridge)
- Storing a custom memory zone in a component is very expensive
- BootROM code limited to 512 bytes

Problem: DDR training code size is > 1 KB

Solution: adding an external flash memory (NAND)
- Problem: this increases the attack surface
- Solution: encrypt the NAND content
- Only some parts of the NAND are effectively encrypted


Page 30: Xbox: secure boot process

Figure: boot sequence, animated over t1 to t4 from "Starting the console" to "Launching game". The MCPX bootROM sits at the reset vector 0xFFFF_FFF0 and holds the RC4 key and the Xcode interpreter. The Flash ROM holds the Xcode bytecode, the 2BL (bootloader, RC4 encrypted) and the kernel (RC4 encrypted). Steps shown: 1. executing (the Xcode interpreter runs the Xcode bytecode); 2. decrypting the 2BL with the RC4 key; 3. verifying the 2BL and executing it; 4. decrypting the kernel and verifying its signature; 5. executing the kernel and launching the game.

Page 36: Xbox: attacks

Basic security features:
- Secure boot with chain of trust
- Code signing
- DRM

Attackers' goals:
- Gain full control of the platform
- Break the secure boot chain

Figure: timeline of Xbox attacks, 2001 to 2006. Milestones shown: Xbox 1.0; Dump Flash; Dump BootROM; Visor Backdoor; Modchips; Xbox 1.1; T20 Hack; Xbox 1.6 (Flash => ROM); Softmods; Mist Hack; DVD player firmware hack.


Page 41: Xbox: Hypertransport bus eavesdropping

Figure: the architecture block diagram again (CPU, Northbridge with NV2A GPU and 64 MB SDRAM, MCPX Southbridge with secret BootROM, Flash ROM, USB, Ethernet, locked HDD, LPC extension, SMBus / I2C devices), highlighting the 8-bit HyperTransport link (200 MHz) between the Northbridge and the MCPX Southbridge.


Page 43: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox: HyperTransport bus eavesdropping

23/70 Game consoles security July 2016

Page 44: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox: conclusion

Attempt to use a secure boot chain (one of the first platforms to implement it)

BootROM size limitation
I Fatal for security

Many vulnerabilities in only 512 bytes of code
I "17 Mistakes Microsoft made in the Xbox Security System" by Michael Steil

Security features and DRM fully bypassed

24/70 Game consoles security July 2016


Page 46: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Choose your player: Xbox 360

Skill level: Can I play, Daddy? / Don't hurt me. / Bring 'em on! / I am Death incarnate!


Page 48: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: hardware architecture

Triple-core 64-bit PowerPC, close to a PC

Figure: Xbox 360 hardware block diagram: CPU (3.2 GHz) with three PowerPC cores, each with its own L1 cache, sharing a 1 MB L2 cache; FSB to the GPU; 512 MB RAM at 700 MHz; Southbridge over PCIe with USB (4), Ethernet, flash, audio, and the HDD over SATA.

26/70 Game consoles security July 2016

Page 49: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: cryptographic coprocessor

Figure: memory integrity check path. Three CPU cores, each with its MMU and L1, share the L2; a Hash unit with its own SRAM sits between the L2 and RAM. The virtual address @0x87654321 maps to the physical range @0x00010000-00000010, with the corresponding hash kept in SRAM (@0x10). Steps shown: Compute Hash, Verify Hash.

27/70 Game consoles security July 2016

Page 50: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: cryptographic coprocessor

Figure: memory encryption path on the same diagram. The virtual address @0x87654321 maps to the physical range @0x00001000-00000010; the Hash unit and its SRAM (@0x10) are unchanged; data is encrypted on its way to RAM and decrypted on its way back (Encrypt / Decrypt steps).

28/70 Game consoles security July 2016

Page 51: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: software architecture

29/70 Game consoles security July 2016

Figure: RAM is split into Data (Kernel & Game) and Code (Kernel & Game), both NOT PRIVILEGED, and the PRIVILEGED Hypervisor. Numbered steps on the slide: verifying signature, loading, configuring page tables (MMU); then executing.

Page 52: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: security model

30/70 Game consoles security July 2016

RAM regions (DMA arrows are drawn on the slide):
I Data (Kernel & Game): MMU RW (not X), not encrypted, no integrity check
I Code (Kernel & Game): MMU RX (not W), encrypted, no integrity check
I Hypervisor (~128 KB): real mode, encrypted, integrity check

Page 53: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: anti-downgrade feature

Downgrade: decrease the version level of the console system to exploit an old firmware vulnerability

Detect the downgrade: hardware eFuses inside the CPU
I eFuses are also used to generate a 128-bit CPU key unique per console

31/70 Game consoles security July 2016

Page 54: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: anti-downgrade feature

Downgrade: decrease the version level of the console system to exploit an old firmware vulnerability

Detect the downgrade: hardware eFuses inside the CPU
I An eFuse is blown at each firmware upgrade
I HMAC with the secret CPU key is used for pairing in NAND

31/70 Game consoles security July 2016

Figure: fuse/NAND pairing. Version 1: fuses 0000, NAND paired by HMAC; UPGRADE to Version 2: fuses 0001, new NAND paired by HMAC. The slide marks the Replay Attack between the two versions (reusing the Version 1 NAND image after the upgrade).

Page 55: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: secure boot

32/70 Game consoles security July 2016

Figure: Xbox 360 secure boot chain, numbered 1 to 6 on the slide, from the CPU ROM to the patched hypervisor and kernel. Every stage after the ROM is encrypted/signed, and the slide lists with each stage the key and hashes it carries:
I 1BL in the 32 KB CPU ROM: RSA public key, K1BL. Loads 2BL/CB into SRAM and verifies RSASig(2BL).
I 2BL/CB (K2BL, Hash(4BL/CD), Hash(5BL/CE)): initialising RAM encryption/integrity, initialising PCI Express, deactivating JTAG, GPU, ACK SMC, verifying fuseset 02 versus 2BL, verifying the LDV (HMAC), loading and decrypting 4BL into RAM, verifying Hash(4BL/CD).
I 4BL/CD (K4BL): decrypting and extracting 5BL/CE, verifying Hash(5BL/CE).
I 5BL/CE: hypervisor + kernel base.
I 6BL/CF (K6BL, Hash(7BL/CG), RSASig(6BL)): decrypting 6BL/CF with K1BL, extracting 6BL/CF, verifying RSASig(6BL/CF), verifying the LDV of 6BL/CF against fuseset 07-11.
I 7BL/CG: patches; decrypting and extracting 7BL/CG, verifying Hash(7BL/CG), giving the patched hypervisor + kernel.


Page 57: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: attacks chronology

Xbox 360 is released

33/70 Game consoles security July 2016

Figure: Xbox 360 attacks timeline, 2005 to 2012 and 2014: Xbox 360 Xenon; DVD player hack; King Kong attack (kernel 4532/4548); SMC/JTAG attack; timing attack (downgrade); glitch attack; Xbox 360 Winchester (2014).

Page 58: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: attacks chronology

Game piracy is made possible

33/70 Game consoles security July 2016

Figure: same attacks timeline as on the previous slide.

Page 59: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: attacks chronology

First software vulnerability exploited (hypervisor mode privilege escalation)

33/70 Game consoles security July 2016

Figure: same attacks timeline as on the previous slide.

Page 60: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: attacks chronology

Downgrade to exploit the King Kong attack

33/70 Game consoles security July 2016

Figure: same attacks timeline as on the previous slide.

Page 61: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: attacks chronology

Hardware glitch to bypass the secure boot

33/70 Game consoles security July 2016

Figure: same attacks timeline as on the previous slide.

Page 62: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: the King Kong attack

The King Kong Attack, a purely software attack

Improper integer comparison in the hypervisor syscalls handler

PSEUDOCODE

extern u32 syscall_table[0x61];

void syscall_handler(r0, r3, r4, …) {
    if ((u32)r0 >= 0x61) {
        goto bad_syscall;
    }
    r1 = (void*)syscall_table[(u64)r0];
    r1();
}

34/70 Game consoles security July 2016
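Added example, not code from the talk or from Microsoft: a C model of the width mismatch in the pseudocode above, with a hardened check beside it and a small audit helper. Only the 0x61 bound comes from the slide; the function names, the probe values and the handler behaviour (returning the index instead of calling through the table) are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the talk's or Microsoft's code: a model of the
 * hypervisor syscall dispatch shown in the slide's pseudocode.  Only the
 * 0x61 bound comes from the slide; names and values are constructed. */
#define NUM_SYSCALLS 0x61u

/* Index the vulnerable handler would use for register value r0, or -1 on
 * the bad_syscall path.  The bound is tested on the low 32 bits, exactly
 * as "(u32)r0 >= 0x61", but the table is indexed with all 64 bits, as
 * "syscall_table[(u64)r0]": a value with its high bits set passes. */
int64_t vulnerable_index(uint64_t r0)
{
    if ((uint32_t)r0 >= NUM_SYSCALLS)
        return -1;                      /* bad_syscall */
    return (int64_t)r0;                 /* index actually used */
}

/* Hardened variant: the bound is tested on the same 64-bit value that
 * indexes the table, so whatever passes the check is inside it. */
int64_t fixed_index(uint64_t r0)
{
    if (r0 >= NUM_SYSCALLS)
        return -1;
    return (int64_t)r0;
}

/* True when an index lies inside the 0x61-entry table. */
int index_in_table(int64_t idx)
{
    return idx >= 0 && (uint64_t)idx < NUM_SYSCALLS;
}

/* Audit helper: how many of the probe values does `handler` accept with
 * an index outside the table?  Zero is the expected answer. */
unsigned count_oob_accepts(int64_t (*handler)(uint64_t),
                           const uint64_t *values, size_t n)
{
    unsigned bad = 0;
    for (size_t i = 0; i < n; i++) {
        int64_t idx = handler(values[i]);
        if (idx != -1 && !index_in_table(idx))
            bad++;
    }
    return bad;
}

/* Constructed probe set: in-range numbers, the first out-of-range one,
 * and values whose low 32 bits are small while their high bits are set. */
const uint64_t probes[] = {
    0x00ULL, 0x2AULL, 0x60ULL, 0x61ULL, 0xFFFFFFFFULL,
    0x100000000ULL, 0x10000002AULL, 0x7FFFFFFF00000060ULL,
};
const size_t num_probes = sizeof probes / sizeof probes[0];

int main(void)
{
    printf("vulnerable check: %u out-of-table index(es) accepted\n",
           count_oob_accepts(vulnerable_index, probes, num_probes));
    printf("fixed check:      %u out-of-table index(es) accepted\n",
           count_oob_accepts(fixed_index, probes, num_probes));
    return 0;
}
```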


Page 64: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: the King Kong attack

34/70 Game consoles security July 2016

Figure: the attack drawn over the RAM layout of the security model slide (Data: MMU RW not X, not encrypted, no integrity check; Code: MMU RX not W, encrypted, no integrity check; Hypervisor: ~128 KB, real mode, encrypted, integrity check). Labels and numbered steps on the slide: a shader (not code signed) and DMA from the GPU into RAM (1); a thread's PC redirected, Ret2Code (ROP) (2); the sc instruction (syscall) (3); the hypervisor's syscall table (syscall 0 ... syscall 0x2A) and the Exploit Syscall (4).


Page 69: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: the timing attack

Problem: the King Kong vulnerability has been patched before its public disclosure

Solution: downgrade to a vulnerable kernel and exploit the King Kong attack
I But: how to bypass the eFuse protection?

A non-constant-time memcmp in the 2BL is used when checking the eFuse pairing HMAC
I It is possible to forge a valid HMAC without knowing the CPU secret key

35/70 Game consoles security July 2016


Page 72: SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

Xbox 360: the timing attack

36/70 Game consoles security July 2016

Comparison shown on the slide:

CheckHMAC(char * RealHMAC, char * TestHMAC, int len) {
    [..]
    for (i = 0; i < len; i++)
        if (RealHMAC[i] != TestHMAC[i])
            break;
    [..]
}

Figure: animated trace of the check. Each try sets the first byte of TestHMAC (00, 01, 02, 03) while GuessedHMAC holds the bytes recovered so far (00..., then 03...); for every try the slide shows the value I (0, 1, 2, 3, then 0 again), the outcome (TRUE / FALSE) and the measured time (0.21 ms or 0.22 ms), followed by "New Try".
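Added example, not the talk's or Microsoft's code, serving both the anti-downgrade slide (fuse/NAND pairing) and the timing-attack slides above: a C model of the 2BL pairing check with the early-exit comparison from the figure next to a constant-time replacement, plus an audit helper that reports which of the two does an amount of work that depends on the matching prefix. The tag values, the "fuse count must equal the count recorded in NAND" rule and all function names are constructed assumptions; the HMAC computation itself is out of scope.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the talk's or Microsoft's code.  Models the 2BL pairing
 * check of the anti-downgrade and timing-attack slides: the blown-fuse count
 * must pair with the NAND image, and the pairing tag stored in NAND must match
 * the expected HMAC.  The HMAC itself (keyed with the per-console CPU key) is
 * computed elsewhere; the expected tag here is a constructed constant. */
#define TAG_LEN 16

/* Number of blown eFuses in a fuse set: one more is blown per upgrade. */
unsigned fuses_blown(uint16_t fuseset)
{
    unsigned n = 0;
    for (; fuseset != 0; fuseset >>= 1)
        n += fuseset & 1u;
    return n;
}

/* The comparison shown as CheckHMAC on the slide: it stops at the first
 * differing byte.  *steps receives how many bytes were examined; that count
 * is what the 0.21 ms / 0.22 ms timings on the slide expose. */
int check_hmac_leaky(const uint8_t *real, const uint8_t *test,
                     size_t len, size_t *steps)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (real[i] != test[i])
            break;
    if (steps)
        *steps = (i < len) ? i + 1 : len;
    return i == len;
}

/* Constant-time replacement: every byte is always examined and the verdict
 * is accumulated without a data-dependent branch. */
int check_hmac_ct(const uint8_t *real, const uint8_t *test,
                  size_t len, size_t *steps)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(real[i] ^ test[i]);
    if (steps)
        *steps = len;
    return diff == 0;
}

typedef int (*hmac_check_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Audit helper: returns 1 when the work `check` does depends on how long a
 * prefix of the guess matches the real tag, i.e. when it leaks. */
int check_leaks_prefix(hmac_check_fn check, const uint8_t real[TAG_LEN])
{
    uint8_t guess[TAG_LEN] = {0};
    size_t steps_none, steps_three;

    guess[0] = (uint8_t)(real[0] ^ 0xFF);          /* no matching prefix */
    check(real, guess, TAG_LEN, &steps_none);

    guess[0] = real[0];                             /* three matching bytes */
    guess[1] = real[1];
    guess[2] = real[2];
    guess[3] = (uint8_t)(real[3] ^ 0xFF);
    check(real, guess, TAG_LEN, &steps_three);
    return steps_none != steps_three;
}

/* Pairing verification as the slides describe it.  Modelling assumption: the
 * NAND image records the number of fuses its firmware expects blown, so an
 * older image (fewer fuses) no longer pairs once an upgrade has blown one. */
int verify_pairing(uint16_t fuseset, unsigned nand_fuse_count,
                   const uint8_t *expected_tag, const uint8_t *nand_tag)
{
    if (fuses_blown(fuseset) != nand_fuse_count)
        return 0;                                   /* downgrade / replay */
    return check_hmac_ct(expected_tag, nand_tag, TAG_LEN, NULL);
}

/* Constructed tags for the demo; demo_tag_bad differs only in its last byte. */
const uint8_t demo_tag[TAG_LEN] = {
    0x03, 0x5a, 0x91, 0xc4, 0x7e, 0x12, 0xb8, 0x6d,
    0x40, 0xee, 0x27, 0x9b, 0x55, 0x08, 0xd3, 0xf1 };
const uint8_t demo_tag_bad[TAG_LEN] = {
    0x03, 0x5a, 0x91, 0xc4, 0x7e, 0x12, 0xb8, 0x6d,
    0x40, 0xee, 0x27, 0x9b, 0x55, 0x08, 0xd3, 0xf0 };

int main(void)
{
    printf("early-exit compare leaks prefix length: %d\n",
           check_leaks_prefix(check_hmac_leaky, demo_tag));
    printf("constant-time compare leaks:            %d\n",
           check_leaks_prefix(check_hmac_ct, demo_tag));
    printf("version-1 NAND on an upgraded console accepted: %d\n",
           verify_pairing(0x0001, 0, demo_tag, demo_tag));
    return 0;
}
```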

Xbox 360: the timing attack

An HMAC in the boot chain is verified with a byte-by-byte comparison that leaves the loop at the first mismatch:

    CheckHMAC(char *RealHMAC, char *TestHMAC, int len) {
        [..]
        for (i = 0; i < len; i++)
            if (RealHMAC[i] != TestHMAC[i])
                break;
        [..]
    }

Animation on the slide (reconstructed): the attacker submits candidates that differ only in the byte under attack and measures how long the check takes.

    TestHMAC = 00 00 00 ... 00    0.21 ms   (mismatch at byte 0, the loop exits at once)
    TestHMAC = 01 00 00 ... 00    0.21 ms
    TestHMAC = 02 00 00 ... 00    0.21 ms
    TestHMAC = 03 00 00 ... 00    0.22 ms   (byte 0 matched, the loop went on to byte 1)
    GuessedHMAC = 03 00 ... 00, then "New try": the same procedure for byte 1

The extra iteration costs about 0.01 ms, which is enough to tell the two cases apart. Each byte is found with at most 256 attempts, so the whole value costs at most 256 x len attempts instead of 256^len: the early exit turns the comparison of a secret into a per-byte oracle.
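The recovery described by the animation, carried out against a model of the comparison loop, as an added example that is not code from the slides or from the console. Everything concrete in it is constructed: the key, the message, HMAC-SHA-256 as the MAC, and a "tick" count standing in for the measured 0.21/0.22 ms. The block also carries the fix, a comparison whose work does not depend on the position of the first mismatch.

```python
"""Byte-by-byte recovery of a MAC through an early-exit comparison.

Added example; it is not code from the slides or from the Xbox 360.
The console's CheckHMAC() is modelled by leaky_compare(), which stops at
the first mismatching byte, so the number of bytes it examines (the
0.21 ms vs 0.22 ms on the slide) tells the attacker how long the correct
prefix of the guess is.  Key, message and HMAC-SHA-256 are constructed
for the example; the real algorithm and key are not known from the slides.
"""
import hashlib
import hmac
from typing import Callable, Tuple

SECRET_KEY = b"per-console key (constructed)"
MESSAGE = b"bootloader image (constructed)"
REAL_HMAC = hmac.new(SECRET_KEY, MESSAGE, hashlib.sha256).digest()
HMAC_LEN = len(REAL_HMAC)

Compare = Callable[[bytes, bytes], Tuple[bool, int]]


def leaky_compare(real: bytes, candidate: bytes) -> Tuple[bool, int]:
    """The slide's loop: break at the first difference.  Returns (equal,
    bytes examined); the second value stands for the measured time."""
    ticks = 0
    for r, c in zip(real, candidate):
        ticks += 1
        if r != c:            # if (RealHMAC[i] != TestHMAC[i]) break;
            return False, ticks
    return True, ticks


def constant_time_compare(real: bytes, candidate: bytes) -> Tuple[bool, int]:
    """The fix: OR all byte differences together and decide at the end, so
    the work done does not depend on where the first mismatch is."""
    diff = len(real) ^ len(candidate)
    ticks = 0
    for r, c in zip(real, candidate):
        ticks += 1
        diff |= r ^ c
    return diff == 0, ticks


class TimingOracle:
    """The device as the attacker sees it: submit a candidate, get back
    whether it was accepted and how long the check took."""

    def __init__(self, real: bytes, compare: Compare) -> None:
        self._real = real
        self._compare = compare
        self.queries = 0

    def check(self, candidate: bytes) -> Tuple[bool, int]:
        self.queries += 1
        return self._compare(self._real, candidate)


def recover_hmac(oracle: TimingOracle, length: int) -> bytes:
    """Guess one byte at a time: the candidate that makes the check run
    one byte longer than the others has the right byte at that position
    (the slide's "New try" after the 0.22 ms measurement)."""
    guessed = bytearray(length)
    for pos in range(length):
        for value in range(256):
            guessed[pos] = value
            accepted, ticks = oracle.check(bytes(guessed))
            # A wrong byte at pos stops the loop after pos + 1 iterations;
            # a right one lets it continue (or, at the last byte, succeed).
            if accepted or ticks > pos + 1:
                break
    return bytes(guessed)


if __name__ == "__main__":
    leaky = TimingOracle(REAL_HMAC, leaky_compare)
    found = recover_hmac(leaky, HMAC_LEN)
    print("leaky compare: recovered =", found == REAL_HMAC,
          "after", leaky.queries, "queries (max", 256 * HMAC_LEN, ")")
    fixed = TimingOracle(REAL_HMAC, constant_time_compare)
    print("constant-time compare: recovered =",
          recover_hmac(fixed, HMAC_LEN) == REAL_HMAC)
```

Against the leaky oracle the loop recovers all 32 bytes in at most 256 x 32 queries; against the constant-time oracle every candidate takes the same number of ticks and the same procedure learns nothing. The oracle here returns exact counts; on hardware a 0.01 ms difference sits in measurement noise and has to be averaged over repeated attempts, which raises the cost but not the principle. In real code use hmac.compare_digest from the standard library rather than a hand-written loop.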


Xbox 360: the glitch attack

The integrity check of the 4BL by the 2BL can be glitched with a pulse inserted at the right time.

Figure on the slide (reconstructed): timing diagram with the signals CLK, /RESET and /CPU_PLL-BYPASS. The POST codes 0x36 and 0x39 delimit the window in which the check runs ("ATTACK"); the CPU clock is slowed down through /CPU_PLL-BYPASS and a 100 ns pulse is applied to /RESET inside that window.

Not glitched:

    isHashValid(h1, h2, len) {
        [...]
        res = memcmp(h1, h2, len)
        if (res == 0) {
            return TRUE
        }
        return FALSE
    }

Glitched: the short pulse does not restart the CPU but resets its registers ("RAZ des registres", reset of all registers), so the register that receives the result of memcmp(h1, h2, len) reads 0 and the check returns TRUE for a 4BL whose hash does not match. The check is only as strong as the assumption that a zero in that register means "equal".
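To see why "return TRUE when memcmp's result is 0" is the wrong shape for a check that may be glitched, here is an added example (not from the slides or the console) that models the slide's fault as a single register read forced to zero and sweeps that fault over every register read of the check. The hashes, the SHA-256 choice, the VALID/INVALID markers and the hardened variant are all this example's own assumptions; the hardened variant illustrates two common countermeasures, a non-zero success value and a redundant comparison, and does not claim to resist every fault model.

```python
"""Single-fault simulation of the slide's isHashValid().

Added example; not code from the slides or from the console.  The glitch
on the slide (registers reset to zero while the CPU is slowed down) is
modelled as ONE register read returning 0 at a chosen point.  The sweep
below tries every point and reports whether a wrong hash gets accepted.
The hashes are constructed with SHA-256; the real hash function and
images are not taken from the slides.
"""
import hashlib
from typing import Callable, Optional

H_REAL = hashlib.sha256(b"genuine 4BL image (constructed)").digest()
H_ATTACKER = hashlib.sha256(b"patched 4BL image (constructed)").digest()

# Acceptance markers for the hardened check: neither is 0 or all-ones, so a
# register reset to zero can never be mistaken for "valid".  The values are
# an arbitrary choice for this example.
VALID = 0x5A3C96C3
INVALID = 0xA5C3693C


class RegisterFault:
    """Every value that would sit in a register goes through reg().  The
    read numbered `target` (1-based) returns 0 instead of the real value."""

    def __init__(self, target: Optional[int] = None) -> None:
        self.target = target
        self.reads = 0

    def reg(self, value: int) -> int:
        self.reads += 1
        return 0 if self.reads == self.target else value


def memcmp(a: bytes, b: bytes, fi: RegisterFault) -> int:
    """libc-style compare: 0 when equal, else the first byte difference."""
    for x, y in zip(a, b):
        d = fi.reg(x) - fi.reg(y)
        if fi.reg(d) != 0:
            return d
    return 0


def is_hash_valid_slide(h1: bytes, h2: bytes, fi: RegisterFault) -> bool:
    """The slide's logic: Res = memcmp(h1, h2, len); if (Res == 0) TRUE."""
    res = fi.reg(memcmp(h1, h2, fi))
    return res == 0


def is_hash_valid_hardened(h1: bytes, h2: bytes, fi: RegisterFault) -> int:
    """Equality is accumulated as 0xFF that any mismatch destroys: a zeroed
    register can only make the result "different".  Two passes in opposite
    directions must agree, so one fault cannot repair a byte in both.  The
    caller must test the return value against VALID, not against zero."""
    if len(h1) != len(h2):
        return INVALID
    same_fwd = 0xFF
    for x, y in zip(h1, h2):
        same_fwd = fi.reg(same_fwd & (0xFF ^ (fi.reg(x) ^ fi.reg(y))))
    same_rev = 0xFF
    for x, y in zip(reversed(h1), reversed(h2)):
        same_rev = fi.reg(same_rev & (0xFF ^ (fi.reg(x) ^ fi.reg(y))))
    if fi.reg(same_fwd) == 0xFF and fi.reg(same_rev) == 0xFF:
        return fi.reg(VALID)
    return INVALID


def first_accepting_fault(check: Callable, accepts: Callable[[object], bool],
                          real: bytes, wrong: bytes) -> Optional[int]:
    """Sweep a zero-fault over every register read of `check` run on a
    wrong hash; return the first read index at which it is accepted."""
    probe = RegisterFault()            # fault-free run, only to count reads
    check(real, wrong, probe)
    for target in range(1, probe.reads + 1):
        if accepts(check(real, wrong, RegisterFault(target))):
            return target
    return None


if __name__ == "__main__":
    hit = first_accepting_fault(is_hash_valid_slide, lambda r: r is True,
                                H_REAL, H_ATTACKER)
    print("slide's check accepts a wrong hash when read", hit, "is zeroed")
    hit = first_accepting_fault(is_hash_valid_hardened, lambda r: r == VALID,
                                H_REAL, H_ATTACKER)
    print("hardened check accepts a wrong hash at read:", hit)
```

The sweep finds a zeroed read that makes the slide's check accept the patched image (the read of memcmp's result), while no single zeroed read makes the hardened check return VALID: a fault can turn a correct hash into a rejection, which is the safe direction, but never a wrong hash into an acceptance. Real glitches can also skip instructions or corrupt several registers at once, which is why fielded code adds random delays and repeats the check on a different code path as well.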

Xbox 360: conclusion

A good software architecture:
- Tiny and auditable hypervisor
- W⊕X
- Any executable piece of code is authenticated

Secure boot process, eFuses against downgrade ...

... but:
- some DMA attacks are still possible (thread states are unprotected)
- some data are not authenticated
- some cryptographic weaknesses have been exploited (timing attack, RC4)
- the console has not been designed with hardware attacks in mind (glitch)

Choose your player: PS3

(Section divider drawn as a game's skill-level screen: "Can I play, Daddy?", "Don't hurt me.", "Bring 'em on!", "I am Death incarnate!")

PS3: architecture

Figure on the slide (reconstructed): block diagram of the Cell Broadband Engine. Eight SPEs, each made of an SPU (SXU with its Local Store) and an MFC, and one PPE (PPU: PXU with L1 and L2 caches) are connected through the Element Interconnect Bus (EIB), which also links the MIC (interface to dual XDR / DDR2 memory) and the BEI (FlexIO external interface).

Legend:
SPE - Synergistic Processor Element
SPU - Synergistic Processor Unit
SXU - Synergistic Execution Unit
LS  - Local Store
MFC - Memory Flow Controller
PPE - Power Processor Element
PPU - Power Processor Unit
PXU - Power Execution Unit
BEI - Broadband Engine Interface
MIC - Memory Interface Controller
XDR/DDR2 - Extreme Data Rate / Double Data Rate 2

CELL Broadband Engine (PPE + 8 SPE)

PPE: classical 64-bit PowerPC architecture

PS3: isolated SPE mode

SPE: code isolation/bootstrapping (root of trust)

Figure on the slide (reconstructed, four steps):
1. Normal mode: the SPE (SPU, MFC, local storage) is reachable from the PPE over the EIB and its whole local storage is public. A boot ROM holding the hardware key KCPU is attached to the SPE.
2. The PPE loads the (encrypted and signed) code into the SPE's local storage.
3. The SPU switches to isolated mode: the local storage is split into a private part and a small public part, and the boot ROM authenticates and decrypts the code with KCPU before running it.
4. The code runs in the private part; the PPE can only reach the public part of the local storage, which is used to exchange data with the isolated code.

PS3: software architecture

(ldr*) bootloaders:
- First level: they bootstrap the SPE in isolated mode
- Second level: they are executed by the first-level loaders

Hypervisor (lv1): PPE in hypervisor mode

GameOS/OtherOS (lv2/-): PPE in supervisor mode
- OtherOS = Linux (removed after the first attack on the console)

Applications: PPE in user mode

PS3: secure boot

Figure on the slide (reconstructed): the boot chain, each stage decrypted (AES) and signature-checked (ECDSA) by the previous one, rooted in the CPU key:

    bootROM (Cell)
      -> bootldr, run on SPE0 in isolated mode
        -> lv0, run on the PPE (hypervisor mode)
          -> metldr, run on SPE2 in isolated mode, which loads the second-level loaders (*ldr), each on SPE2:
               lv1ldr -> Lv1.self (hypervisor, PPE)
               lv2ldr -> lv2_kernel.self, ps2_emu.self, ps2_gxemu.self, ps2_softemu.self (GameOS, PPE)
               appldr -> vsh.self and the other applications (PPE)
               isoldr -> sv_iso_spu_module.self, sb_iso_spu_module.self, mc_iso_spu_module.self, me_iso_spu_module.self (isolated SPU modules)
               rvkldr -> rvklist / rvkprg (revocation lists)

PS3: anti-downgrade and revocation

No hardware anchor (such as eFuse) for anti-downgrade

    Component            CPU/Mode   Update   Revocation
    bootROM              Cell       No       No
    bootldr              SPE0       No       No
    lv0                  PPE/HV     Yes      No
    metldr               SPE2       No       No
    lv1ldr               SPE2       Yes      No
    lv1                  PPE/HV     Yes      No
    lv2ldr               SPE2       Yes      No
    lv2                  PPE/SP     Yes      Yes
    isoldr               SPE2       Yes      No
    appldr               SPE2       Yes      Yes
    games/applications   PPE/USR    Yes      Yes

(Update: the component can be replaced by a firmware update. Revocation: older versions can be revoked through the revocation lists.) A key extracted from a stage that cannot be updated (bootldr, metldr) therefore cannot be rotated on consoles already in the field.

PS3: security model

PPE/hypervisor is outside the TCB
- Sensitive elements are executed on the SPE
- Any code is encrypted and signed
- Security through obscurity

Encryption of the EIB bus (RAM, peripherals)
- DMA attacks are limited

No W⊕X, the hypervisor verifies almost nothing

PS3: hello hypervisor, I'm geohot

Glitch ⇒ take control of the hypervisor from OtherOS/Linux

Does not give control over the other elements
- No possible game piracy

Timeline on the slide (reconstructed), 2006 to 2012: PS3 Fat with OtherOS (2006); hypervisor glitch hack (2010); PSJailbreak (2010); USB/JIG downgrade (2010); ECDSA attack + lv2ldr key (end of 2010) and metldr key attack (2011); bootldr key attack (2012); PS3 Ultraslim (2012).

PS3: PSJailbreak

First attack that allows game piracy

Attack on the USB stack of the lv2 (GameOS)
- No W⊕X: hypervisor fail

(Same timeline figure as on the previous slide, with PSJailbreak highlighted.)

Page 105 (slide 48/70)

PS3: attacking the bootloaders

2010: major vulnerability in Sony's ECDSA implementation
- Same nonces for different firmware versions
- With two signatures, one can compute the private key!
- Boot chain is completely and forever broken

[Figure: PS3 attack timeline 2006-2012, as on the previous slides]
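The nonce-reuse failure on this slide, worked through on a toy curve as an added example (not code from the talk or from Sony): the curve y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) of prime order 19 is a textbook curve, and the key, nonces and digests are constructed values. It signs two digests with the same nonce, runs the audit check that flags the repeated r, and recovers the private key exactly as the slide describes.

```python
# Added example, not code from the talk or from Sony.  Toy curve
# y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of prime order 19
# (a textbook curve); key, nonces and digests are constructed values.
from collections import Counter

P, A, B = 17, 2, 2      # curve parameters
G = (5, 1)              # generator; None stands for the point at infinity
N = 19                  # prime order of G


def point_add(p1, p2):
    """Affine point addition (handles doubling and the point at infinity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p1 + (-p1) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def sign(d, h, k):
    """ECDSA: sign digest h (already reduced mod N) with key d and nonce k."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (h + d * r) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another nonce")
    return (r, s)


def verify(Q, h, sig):
    """Standard ECDSA verification against public key Q = d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = point_add(scalar_mult(h * w % N, G), scalar_mult(r * w % N, Q))
    return R is not None and R[0] % N == r


def find_reused_nonces(signatures):
    """Audit check: r values seen more than once in a batch of (h, (r, s))
    signed under one key.  Equal r means equal nonce k, the PS3 failure."""
    counts = Counter(sig[0] for _, sig in signatures)
    return sorted(r for r, c in counts.items() if c > 1)


def recover_private_key(h1, sig1, h2, sig2):
    """Two signatures with the same nonce leak d:
    k = (h1 - h2)/(s1 - s2) and d = (s1*k - h1)/r, all mod N."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r: nonces differ, nothing to recover")
    if (s1 - s2) % N == 0:
        raise ValueError("identical signatures: no second equation")
    k = (h1 - h2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - h1) * pow(r1, -1, N) % N


if __name__ == "__main__":
    d, k = 11, 5                          # private key, reused nonce
    Q = scalar_mult(d, G)
    sig_a, sig_b = sign(d, 7, k), sign(d, 12, k)   # two "firmware" digests
    print("verify:", verify(Q, 7, sig_a), verify(Q, 12, sig_b))
    print("reused r values:", find_reused_nonces([(7, sig_a), (12, sig_b)]))
    print("recovered d:", recover_private_key(7, sig_a, 12, sig_b), "expected", d)
```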

Page 107 (slide 49/70)

PS3: conclusion

Strengths:
- Interesting exotic hardware platform (isolated SPE)
- DMA attack mitigations
- BootROM with a dedicated CPU key

Weaknesses:
- Limited hypervisor, not designed with security in mind
- No defense in depth (no W^X)
- Cryptographic fail (ECDSA)
- Boot chain with limited revocation and downgrade features
- Security through obscurity (SPE code)
- Not designed with hardware attacks in mind (glitch)


Page 109

Choose your player: PS4

[Figure: game-style skill level menu ("Can I play, Daddy?", "Don't hurt me.", "Bring 'em on!", "I am Death incarnate!")]


Page 111 (slide 51/70)

Playstation 4

Produced by Sony Computer Entertainment in 2013
Public hacking starting in 2015

Page 112 (slide 52/70)

PS4: architecture

Hardware architecture:
- SoC/APU AMD Jaguar (x86-64, 1.6 GHz, 8 cores)
- Same as Xbox One

Software architecture:
- Kernel based on the FreeBSD 9.0 kernel (2012)
- Unlike for the Playstation 3, Sony now bases its system on open source software:
  * WebKit
  * OpenSSL, Cairo, ...
  * LLVM/Clang


Page 114 (slide 53/70)

PS4: security

Security features:
- Secure boot
- Encrypted binaries (SELF) (like on PS3)
- Using modern security features:
  * W^X (with x86 hardware help)
  * ASLR
  * FreeBSD jails
- Little or no information about hardware security features (DMA, encrypted bus, ...)


Page 116 (slide 54/70)

PS4: SPI flash cloning

First hardware attack: Brazilian PS4 flash dump
- It is possible to clone metadata stored in the flash
- No pairing between SPI flash and console
- Exploit kit based on Raspberry Pi/Teensy
- Quickly patched
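A pairing check of the kind this slide says was missing, as an added example (not code from the talk or from Sony): an integrity-only hash accepts a flash dump on any console, while a MAC keyed from a per-console secret rejects the same image when it is written into a second console. The flash metadata, console secrets and key derivation are constructed stand-ins.

```python
# Added example, not code from the slides or from Sony: it contrasts an
# unpaired flash layout with one bound to a per-console secret.  Metadata,
# console secrets and the key derivation are constructed stand-ins.
import hashlib
import hmac

TAG_LEN = 32


def seal_unpaired(metadata: bytes) -> bytes:
    """Integrity only: a plain hash over the metadata, valid on any console."""
    return metadata + hashlib.sha256(metadata).digest()


def verify_unpaired(image: bytes) -> bool:
    """Accepts any well-formed image, including one dumped from another unit."""
    if len(image) < TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(body).digest(), tag)


def flash_key(console_secret: bytes) -> bytes:
    """Derive a flash-authentication key from a per-console secret that only
    this console's SoC can read (here a constructed byte string)."""
    return hashlib.sha256(b"spi-flash-auth|" + console_secret).digest()


def seal_paired(metadata: bytes, console_secret: bytes) -> bytes:
    """Bind the metadata to one console with a MAC under its derived key."""
    tag = hmac.new(flash_key(console_secret), metadata, hashlib.sha256).digest()
    return metadata + tag


def verify_paired(image: bytes, console_secret: bytes) -> bool:
    """Boot-time check: the tag must have been made with *this* console's key."""
    if len(image) < TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(flash_key(console_secret), body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    meta = b"activation=1;region=BR"        # constructed flash metadata
    secret_a, secret_b = b"secret-A", b"secret-B"
    # Dump console A's flash and write it into console B.
    print("unpaired clone boots on B:", verify_unpaired(seal_unpaired(meta)))
    print("paired clone boots on B:  ", verify_paired(seal_paired(meta, secret_a), secret_b))
    print("paired image boots on A:  ", verify_paired(seal_paired(meta, secret_a), secret_a))
```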


Page 118 (slide 55/70)

PS4: software exploit chain

[Figure: three-step chain across the address space, from user land (0x0000000000000000) to kernel land (0xffffffff80000000 to 0xffffffffffffffff): 1. user input into WebKit; 2. userland ROP; 3. privilege escalation to kernel-land code execution]

Page 119 (slide 56/70)

PS4: WebKit vulnerability

First true software attack (same on the PS Vita)
First entry point for reverse engineering
- CVE-2012-3748, heap overflow in the JavaScript VM
- JS object corruption in JSArray::sort(...)
  * Gives read and write primitives inside the browser address space
  * Allows arbitrary code execution (overwriting return address and some function pointers, ...)
- Problem: Sony uses ASLR and W^X (FreeBSD)


Page 122 (slide 57/70)

PS4: userland ASLR/W^X bypass

[Figure: browser process memory (executable RX, Lib 1 RX, Lib 2 RX, heap RW, stack RW, Libkernel RX), with the attacker on one side and the kernel reached through syscalls on the other. Three steps: 1. address leak, the attacker's unknown addresses ("@?") become known ("@"); 2. ROP chain built on the stack from the now-known code addresses; 3. syscalls issued from the ROP chain through Libkernel]


Page 126 (slide 58/70)

PS4: sandboxing

Attacker is jailed inside process memory
FreeBSD jails

[Figure: the browser process memory (executable, Lib 1, Lib 2, heap, stack, Libkernel) and its syscalls to the kernel, surrounded by a "JAIL" boundary]

Page 127 (slide 59/70)

PS4: native code execution by CTurt (@CTurtE)

ROP chain is limited: native code execution is required

Memory aliasing with different access rights:
- P1 => payload with RW rights
- P2 => same payload with RX rights

[Figure: WebKit and LibKernel in user land, syscalls into kernel land. Steps: request an RX shared memory allocation with sys_jitshm_create() (payload RX); create an RW alias with sys_jitshm_alias() (payload RW); the two mappings are physical aliases of the same payload]


Page 131 (slide 60/70)

PS4: syscall fuzzing and reverse engineering

At this point attackers want kernel privileges

Syscall reverse engineering results:
- 532 FreeBSD syscalls
- 85 proprietary syscalls (Sony)
- Jail filtering calls to critical syscalls (e.g. ptrace)

Unofficial SDKs have been released by the community

Page 132 (slide 61/70)

PS4: exploit chain, user side, by CTurt (@CTurtE)

[Figure: the three-step chain of slide 55/70: 1. user input into WebKit (user land, from 0x0000000000000000); 2. userland ROP; 3. privilege escalation to kernel-land code execution (kernel land, 0xffffffff80000000 to 0xffffffffffffffff)]

Page 133 (slide 62/70)

PS4: exploit chain, kernel side, by CTurt (@CTurtE)

[Figure: address space from 0x0000000000000000 (user land) to 0xffffffff80000000 - 0xffffffffffffffff (kernel land). 1. userland ROP from WebKit; 2. payload; 3. userland code execution (LibKernel); 4. BadIRET gives a kernel write primitive (with constraints); 5. with the IDT RW (FreeBSD), kernel-land code execution]

Page 134 (slide 63/70)

PS4: BadIRET kernel exploit

Originally discovered in Linux and later found to affect FreeBSD too:
- Fixed back in 2014 on FreeBSD
- Not fixed on PS4 until firmware version > v2.01
  * Rumor: Sony security officer being replaced around this time ...

Page 135 (slide 64/70)

Linux / BSD: BadIRET kernel vulnerability

[Figure: kernel and user memory. In user mode GS points to the user thread structure; on kernel entry SWAPGS switches it to the kernel thread (KThread) structure, and SWAPGS switches it back before IRET. An interrupt taken during IRET leaves the kernel with a GS confusion, through which a user-land payload is reached via the IDT. Precondition: IDT RW + no SMEP + no SMAP]


Page 138 (slide 65/70)

PS4: update IDT

[Figure: the IDT in memory (entries #13, #PF 14, #15); the address of an interrupt vector is rewritten to point to a kernel payload located in userland]


Page 140 (slide 66/70)

PS4: exploit chain, kernel side

[Figure: recap of the kernel-side chain of slide 62/70: 1. userland ROP from WebKit; 2. payload; 3. userland code execution (LibKernel); 4. BadIRET gives a kernel write primitive (with constraints); 5. with the IDT RW (FreeBSD), kernel-land code execution]

Page 141 (slide 67/70)

PS4: conclusion

Sony has moved to a classical hardware platform
Defense in depth (mostly FreeBSD features):
- W^X
- Userland ASLR
- Sony has removed vulnerable kernel modules (SCTP)

Hardware probably not designed with security in mind
Big holes in the defensive features:
- BadIRET not patched
- Interrupt Descriptor Table (IDT) RW, no SMAP/SMEP


Page 143 (slide 68/70)

Conclusion

Every penny is worth it when it comes to security
Attackers always target the weakest point
Attackers mix software and hardware; they do not distinguish between them
- Security must be seen as a whole, complex-system issue
- Hardware and software design teams must communicate

Page 144 (slide 69/70)

Questions

Page 145 (slide 70/70)

Full paper (in French) can be downloaded here: http://goo.gl/J37lSK