Security offense and defense strategies : Video-game consoles architecture under microscope

Security offense and defense strategies:
Video-game consoles architecture under microscope
Ryad BENADJILA, Mathieu RENARD
forename.name@ssi.gouv.fr
July 2016

Objectives
Highlight security best and worst practices
Security features of iconic gaming consoles

Objectives
Playstation 1: birth of modchips
Xbox: some security concepts are introduced
Xbox360 and PS3: advanced security features are used

Objectives
Playstation 1: birth of modchips
Xbox: some security concepts are introduced
Xbox360 and PS3: advanced security features are used
New generation consoles
Playstation 4

Warning !
This talk discusses jailbreak techniques with purely
defensive aims in mind.
ANSSI encourages publishers to systematically correct any
identified vulnerabilities in the shortest possible time.
Users are invited to apply security updates as soon as
possible.

Choose your player
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!
I am Death incarnate!

Choose your player
PS1
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!

|Introduction |Attacks |Conclusion
Playstation 1
Produced by Sony Computer Entertainment in 1994
Mass hacking starting in 1995

Playstation 1: lack of security by design
Processor: custom MIPS R3000
No MMU
Other processors of the family like RS3000E have a MMU
In 1995, Sony does not care about security
The priority is to implement DRM features

Playstation 1: regional zoning
Games and consoles are specified for only one region
Regional code information is stored:
In the console BIOS
On the (Lead-IN) track of the CD-ROM

In the console BIOS
Information stored has a string like: SCEx
A for America (SCEA)
E for Europe (SCEE)
I for Japon (SCEI)

In the console BIOS
Information stored has a string like: SCEx
A for America (SCEA)
E for Europe (SCEE)
I for Japon (SCEI)
Regional information is stored using the Wobble Groove
DRM
Prevent perfect game clones

Playstation 1: wobble groove
No wobble data
Wobble Data (SCEx)
Data
0
0
0
0
1
1
1
10
0
0
0
0
No Wobble Data
Lead-IN
Lead-OUT
Data

Playstation 1: attacks
Lack of security features
Aim: bypass DRM features
1996 1997 1998 1999 20001994
PS1
SCPH-1000
Action Replay
Game Hacking
(Hardware Attack)
1995
PS1
SCPH-9000
PS1
SCPH-100
Modchips
Game Hacking
(Hardware Attack)

Playstation 1: attacks
Lack of security features
Aim: bypass DRM features
1996 1997 1998 1999 20001994
PS1
SCPH-1000
Action Replay
Game Hacking
(Hardware Attack)
Modchips
Game Hacking
(Hardware Attack)
PS1
SCPH-9000
PS1
SCPH-100
1995

Playstation 1: architecture
CONTROLLER

MEMORY
CARD

CONTROLLER

MEMORY
CARD

DRAM

4Mbit

DRAM

BOOT
ROM

CPU
AUDIO

CDROM

VIDEO

GPU

CDROM

CPU

RS3000

CD-‐ROM

CONTROLLER
/

SG-‐RAM

/
*Only berore SCPH-900x
MULTIOUT
SERIAL
IO

DAC

DRIVER
CD-‐RF

RGB
Encorder

PARALLEL
I/O*


Playstation 1: architecture & action replay
CONTROLLER

MEMORY
CARD

CONTROLLER

MEMORY
CARD

DRAM

4Mbit

DRAM

BOOT
ROM

CPU
AUDIO

CDROM

VIDEO

GPU

CDROM

CPU

RS3000

CD-‐ROM

CONTROLLER
/

SG-‐RAM

/
/OE

/OE
*Only berore SCPH-900x
DAC

DRIVER
CD-‐RF

RGB
Encorder

MULTIOUT
SERIAL
IO
PARALLEL
I/O*


Playstation 1: wobble groove architecture
Wobble
Groove
Signal
Emula2on

CDROM
Reader

SCEE
CDROM

Controller

Lens

cart

Photoelectric
cell

Laser

CPU

Tracking
Signal

Error
Tracking
Signal

(Wobble
Groove)

Data
Data

Playstation 1: modchips origins
CDROM
Reader

SCEx
CDROM

Controller

Lens

cart

Photoelectric
cell

Laser

CPU

Tracking
Signal

Data
Data
Wobble
Groove
Signal
Emula@on

Playstation 1: conclusion
No security features
DRM bypassed
Birth of the concept of modchips as mass hacking tools
Explosion of the game hacking market

Choose your player
Xbox
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!

|Introduction |Architecture |Security features |Attacks |Conclusion
Xbox
Launched in the USA in 2001
Architecture similar to a standard PC
Windows 2000 kernel (stripped)
Embeds some security features
All bypassed by the Xbox hacking community

Xbox: architecture
CPU

NV2A
(GPU)

SDRAM

64MB

MCPX

Secret

BootROM

FLASH
ROM

USB

Southbridge

Northbridge

GPU

Table

Ini?alisa?on

Bootloader

Kernel
…

Legacy
< 10 Mhz
64bits
133 Mhz
128bits
DDR 200 Mhz
CODEC

SMC

EEPROM

SMBus / I2C
Ethernet

8bits
HyperTransport
200 Mhz
HDD

(Locked)

LPC

Extension

Xbox: security
Signed executable binaries (XBE)
HDD acess restricted
Using ATA Security features
Secure boot chain

Xbox: bootROM and root of trust
Attempt to create a custom root of trust
Bootloader code is burned in the MCPX (Southbridge)
Storing a custom memory zone in a component is very
expensive
BootROM code limited to 512 bytes
Problem: DDR Training code size is > 1KB

Xbox: bootROM and root of trust
Attempt to create a custom root of trust
Bootloader code is burned in the MCPX (Southbridge)
Storing a custom memory zone in a component is very
expensive
BootROM code limited to 512 bytes
Problem: DDR Training code size is > 1KB
Solution: adding an external flash memory (NAND)
Problem: this is increasing the attack surface
Solution: encrypt the NAND content
Only some parts of the NAND are effectively encrypted

Xbox: secure boot process
MCPX
Flash
ROM

0xFFFF_FFF00xFFFF_FFF0
Kernel

2BL

(BootLoader)

Xcode

Bytecode

RC4
Encrypted

t4

Démarrage de la console
t1
t2

1
2 3 4
t4
t3

RC4
Encrypted

Launching
Game

MCPX
Flash
ROM

Kernel

2BL

(BootLoader)

Xcode

Bytecode

RC4
Key

Decrypt

Xcode

Interpretor

t4

Démarrage de la console
t1
t2

1
2 3 4
t4
t3

overlay
Launching
Game
RC4
Encrypted
RC4
Encrypted

MCPX
Flash
ROM

t4

Starting the console
Kernel

2BL

(BootLoader)

Xcode

Bytecode

t1

Executing1
2
RC4
Key

Decrypt

Xcode

Interpretor

Launching
Game
RC4
Encrypted
RC4
Encrypted

MCPX
Flash
ROM

t4

Kernel

2BL

(BootLoader)

Xcode

Bytecode

t1

Decrypting
Verifying
Executing
1
2 3
t2

RC4
Key

Decrypt

Xcode

Interpretor

Launching
Game
RC4
Encrypted
RC4
Encrypted

Flash
ROM

0xFFFF_FFF0
t4

Kernel

2BL

(BootLoader)

Xcode

Bytecode

t1
t2

Decrypting
Executing
1
2 3 4
t3

Launching
Game
MCPX

0xFFFF_FFF0
RC4
Key

Decrypt

Xcode

Interpretor

RC4
Encrypted
RC4
Encrypted

Flash
ROM

0xFFFF_FFF0
t4

Kernel

2BL

(BootLoader)

Xcode

Bytecode

t1
t2

1
2 3 4 Verifying signature
Executing
t3

Launching
Game
MCPX

0xFFFF_FFF0
RC4
Key

Decrypt

Xcode

Interpretor

5
RC4
Encrypted
RC4
Encrypted

Xbox: attacks
Basic security
features:
Secure boot with
chain of trust
Code Signing
DRM

Xbox: attacks
Basic security
features:
Secure boot with
chain of trust
Code Signing
DRM
Attackers goals:
Gain full control
of the plateform
Break the secure
boot chain

Xbox: attacks
Basic security
features:
Secure boot with
chain of trust
Code Signing
DRM
Attackers goals:
Gain full control
of the plateform
Break the secure
boot chain
Hack Firmware
lecteur DVD
2002 2003 2004 2005 20062001
Xbox 1.0
Dump
Flash
Dump
BootROM
Visor Backdoor
Modchips
T20 Hack
Xbox 1.6
(Fash => ROM)
Softmods
Mist Hack
Xbox 1.1

Xbox: attacks
Basic security
features:
Secure boot with
chain of trust
Code Signing
DRM
Attackers goals:
Gain full control
of the plateform
Break the secure
boot chain
2002 2003 2004 2005 20062001
Xbox 1.0
Dump
Flash
Dump
BootROM
Visor Backdoor
Modchips
T20 Hack
Xbox 1.6
(Fash => ROM)
Softmods
Mist Hack
Xbox 1.1
Hack Firmware
lecteur DVD

Xbox: attacks
Basic security
features:
Secure boot with
chain of trust
Code Signing
DRM
Attackers goals:
Gain full control
of the plateform
Break the secure
boot chain
2002 2003 2004 2005 20062001
Xbox 1.0
Dump
Flash
Dump
BootROM
Visor Backdoor
Modchips
T20 Hack
Xbox 1.6
(Flash => ROM)
Softmods
Mist Hack
Xbox 1.1
Hack Firmware
DVD Player

Xbox : Hypertransport bus eavesdropping
CPU
NV2A (GPU)
SDRAM
64MB
MCPX
Secret
BootROM
FLASH ROM
USB
Southbridge
Northbridge
GPU
Table
Initialisation
Bootloader
Kernel …
Legacy
< 10 Mhz
64bits
133 Mhz
128bits
DDR 200 Mhz
CODEC
SMC
EEPROM
SMBus / I2C
Ethernet
8bits
HyperTransport
200 Mhz
HDD
(Locked)
LPC
Extension

Xbox : Hypertransport bus eavesdropping
Northbridge
GPU
NV2A (GPU)
SDRAM
64MB
MCPX
Secret
BootROM
FLASH ROM
USB
Southbridge
Table
Initialisation
Bootloader
Kernel …
Legacy
< 10 Mhz
64bits
133 Mhz
128bits
DDR 200 Mhz
CODEC
SMC
EEPROM
SMBus / I2C
Ethernet
8bits
HyperTransport
200 Mhz
HDD
(Locked)
LPC
Extension
CPU

Xbox: Hypertransport bus eavesdropping

Xbox: conclusion
Attempt to use a secure boot chain (one of the first
platforms to implement it)

Xbox: conclusion
Attempt to use a secure boot chain (one of the first
platforms to implement it)
BootROM size limitation
Fatal for security
Many vulnerabilities in only 512 bytes of code
17 Mistakes Microsoft made in the Xbox Security System
by Michael Steil
Security features and DRM fully bypassed

Choose your player
Xbox 360
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!

|Hardware architecture |Software architecture |Security |Attacks |Conclusion
Xbox 360: hardware architecture
Triple-core 64-bit PowerPC, close to a PC
GPU
CPU (3,2Ghz)
SOUTHBRIDGE
L1 Cache
Power PC
core
L2 Cache (1MB)
USB (4)
Ethernet
Flash
Audio
RAM
512MB 700Mhz
FSB
PCIE
L1 Cache
Power PC
core
L1 Cache
Power PC
core
HDD
SATA

Xbox 360: cryptographic coprocessor
RAM

CPU1
CPU1
CPU1

MMU
MMU
MMU

L1
L1
L1

L2

Hash

SRAM

@0x87654321 Virtual
@0x00010000-00000010
@0x10
Compute Hash
Verify Hash
@0x00010000-00000010

Xbox 360: cryptographic coprocessor
RAM

CPU1
CPU1
CPU1

MMU
MMU
MMU

L1
L1
L1

L2

Hash

SRAM

@0x87654321 Virtual
@0x00001000-00000010
@0x00001000-00000010
@0x10
Encrypt
DecryptEncrypt


Xbox 360: software architecture
RAM

Execu&ng

MMU

Configuring
Page Tables
1
2
3
Data
(Kernel
&
Game)

Code
(Kernel
&
Game)

Hypervisor

NOT
PRIVILEGED
PRIVILEGED

Verifying
signature
Loading

Xbox 360: security model
RAM

MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
DMA
DMA
DMA
Data
(Kernel
&
Game)

Code
(Kernel
&
Game)

Hypervisor

~128Ko
Real Mode
Encrypted
Integrity check

Xbox 360: anti-downgrade feature
Downgrade: decrease the version level of the console
system to exploit an old firware vulnerability
Detect the downgrade: hardware eFuses inside the CPU
eFuses are also used to generate a 128-bit CPU key
unique per console

Xbox 360: anti-downgrade feature
Downgrade: decrease the version level of the console
system to exploit an old firware vulnerability
Detect the downgrade: hardware eFuses inside the CPU
An eFuse is blown at each firmware upgrade
HMAC with the secret CPU key is used for pairing in NAND
fuseNAND
HMAC 0000
fuseNAND
HMAC 0001
Pairing Pairing
Version 1 Version 2
UPGRADE
Replay Attack

Xbox 360: secure boot
RAM 4BL
Encrypted/Signed
K4BL
2
6BL/CF
Encrypted/Signed
RSASig (6BL)
Hash (7BL/CG)
K6BL
7BL/CG
Encrypted/Signed
Patches
5
5BL/CE
Encrypted/Signed
Hypervisor + kernel base
Hypervisor
+ Kernel patched6
3
4
6
CPU
SRAM
ROM (32Ko)
1BL
RSA PubKey
2BL/CB
Encrypted/Signed
Hash (4BL/CD)
Hash (5BL/CE)
RSASig (2BL)
K2BL
1
K1BL

Xbox 360: secure boot
RAM
2
Initialising RAM Encryption/Integrity
Initialising PCI Express
Desactivating JTAG GPU
ACK SMC
Verifying fuseset02 versus 2BL
Verifying le LDV (HMAC)
Loading & Decrypting 4BL en RAM
Verifying Hash (4BL/CD)
Decrypting & Extracting 7BL/CG
Verifying Hash(7BL/CG)
Decrypting 6BL/CF with
K1BL
Extracting 6BL/CF
Verifying RSASig(6BL/CF)
Verifying LDV
6BL/CF
Fuseset 07-11
5
6
Decrypting & Extracting 5BL/CE
Verifying Hash(5BL/CE) 3
4
6
CPU
SRAM
ROM (32Ko)
1BL
RSA PubKey
2BL/CB
Encrypted/Signed
Hash (4BL/CD)
Hash (5BL/CE)
RSASig (2BL)
K2BL
1
K1BL
4BL
Encrypted/Signed
K4BL
6BL/CF
Encrypted/Signed
RSASig (6BL)
Hash (7BL/CG)
K6BL
7BL/CG
Encrypted/Signed
Patches
5BL/CE
Encrypted/Signed
Hypervisor + kernel base
Hypervisor
+ Kernel patched

Xbox 360: attacks chronology
Xbox 360 is released
2006 2007 2008 2009 2010 2011 20122005
Xbox360
Xenon
King Kong Attack
(kernel 4532/4548)
SMC/JTAG Attack
Timing Attack
(downgrade)
Glitch Attack
2014
Xbox360 winchester
Hack DVD Player

Game piracy is made possible
2006 2007 2008 2009 2010 2011 20122005
Xbox360
Xenon
Hack DVD Player
Kin gKong Attack
(kernel 4532/4548)
SMC/JTAG Attack
Timing Attack
(downgrade)
Glitch Attack
2014
Xbox360 winchester

First software vulnerability exploited (hypervisor mode
privilege escalation)
2006 2007 2008 2009 2010 2011 20122005
Xbox360
Xenon
King Kong Attack
(kernel 4532/4548)
SMC/JTAG Attack
Timming Attack
(downgrade)
Glitch Attack
2014
Xbox360 winchester
Hack DVD Player

Downgrade to exploit the King Kong attack
2006 2007 2008 2009 2010 2011 20122005
Xbox360
Xenon
King Kong Attack
(kernel 4532/4548)
SMC/JTAG Attack
Timing Attack
(downgrade)
Glitch Attack
2014
Xbox360 winchester
Hack DVD Player

Hardware glitch to bypass the secure boot
2006 2007 2008 2009 2010 2011 20122005
Xbox360
Xenon
King Kong Attack
(kernel 4532/4548)
SMC/JTAG Attack
Timing Attack
(downgrade)
Glitch Attack
2014
Xbox360 winchester
Hack DVD Player

Xbox 360: the King Kong attack
The King Kong Attack, a purely software attack
Improper integer comparison in the hypervisor syscalls
handler
PSEUDO C CODE
extern u32 syscall_table[0x61]
void syscall_handler(r0, r3, r4, …) {
if((u32)r0 >= 0x61) {
goto bad_syscall;
}
r1 = (void*)syscall_table[(u64)r0];
r1();
}

GPU
RAM
Data (Kernel & Game)
Code (Kernel & Game)
Hypervisor
SHADER
syscall0
…
t2Code (ROP)
Shader
(Notcodesigned)
MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
~128Kb
Real Mode
Encrypted
Integrity check
DMA

GPU
RAM
Hypervisor
SHADER
syscall0
…
1 DMA
t2Code (ROP)
syscallx2A
MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
~128Kb
Real Mode
Encrypted
Integrity check

GPU
RAM
Hypervisor
SHADER
syscall0
…
DMA
1
2
Thread PC
syscallx2A
MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
~128Kb
Real Mode
Encrypted
Integrity check
DMA

GPU
RAM
Hypervisor
SHADER
Instruction sc (syscall)
syscall0
…
DMA
1
2
3
DMA
Thread PC
syscallx2A
MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
~128Kb
Real Mode
Encrypted
Integrity check
Ret2Code
(ROP)

GPU
RAM
Hypervisor
SHADER
Thread PC
Instruction sc (syscall)
syscall0
…
syscallx2A
DMA
1
2
3
4
DMA
Ret2Code
(ROP)
Exploit
Syscall
MMU RW (not X)
Not encrypted
No integrity check
MMU RX (not W)
Encrypted
No integrity check
~128Kb
Real Mode
Encrypted
Integrity check

Xbox 360: the timing attack
Problem: the King Kong vulnerability has been patched
before its public disclosure

Solution: downgrade to a vulnerable kernel and exploit
the King Kong attack
But: how to bypass the eFuse protection?

Solution: downgrade to a vulnerable kernel and exploit
the King Kong attack
But: how to bypass the eFuse protection?
A non-constant time memcmp in the 2BL is used when
checking the eFuse pairing HMAC
It is possible to forge a valid HMAC without knowing the
CPU secret key

New Try
FALSE
0.22ms0.21ms
CheckHMAC(char
*
RealHMAC,
char
*
TestHMAC,
int
len){

[..]

for(
i=0
;
i
<
len
;
i++)

if
(
RealHMAC[i]
!=
TestHMAC[i]
)

break;

[..]

}

TestHMAC = 0000000000000000000000000000000
GuessedHMAC = 0000000000000000000000000000000
I = 0
TRUE

0.21ms
CheckHMAC(char
*
RealHMAC,
char
*
TestHMAC,
int
len){

[..]

for(
i=0
;
i
<
len
;
i++)

if
(
RealHMAC[i]
!=
TestHMAC[i]
)

break;

[..]

}

0.22ms
TestHMAC = 0100000000000000000000000000000
GuessedHMAC = 0000000000000000000000000000000
I = 1
FALSE TRUE
New Try

0.21ms
CheckHMAC(char
*
RealHMAC,
char
*
TestHMAC,
int
len){

[..]

for(
i=0
;
i
<
len
;
i++)

if
(
RealHMAC[i]
!=
TestHMAC[i]
)

break;

[..]

}

0.22ms
TestHMAC = 0200000000000000000000000000000
GuessedHMAC = 0000000000000000000000000000000
I = 2
FALSE TRUE
New Try

0.22ms0.21ms
CheckHMAC(char
*
RealHMAC,
char
*
TestHMAC,
int
len){

[..]

for(
i=0
;
i
<
len
;
i++)

if
(
RealHMAC[i]
!=
TestHMAC[i]
)

break;

[..]

}

TestHMAC = 0300000000000000000000000000000
GuessedHMAC = 0300000000000000000000000000000
I = 3
FALSE TRUE
New Try

0.21ms
CheckHMAC(char
*
RealHMAC,
char
*
TestHMAC,
int
len){

[..]

for(
i=0
;
i
<
len
;
i++)

if
(
RealHMAC[i]
!=
TestHMAC[i]
)

break;

[..]

}

0.22ms
TestHMAC = 0300000000000000000000000000000
GuessedHMAC = 0300000000000000000000000000000
I = 0
TRUEFALSE
New Try

Xbox 360: the glitch attack
The integrity check of the 4BL by the 2BL can be
glitched with a pulse inserted at the right time

100ns glitch
CLK
0x36 0x39POST
ATTACK
/RESET
/CPU_
PLL-BYPASS

100ns glitch
CLK
0x36 0x39POST
ATTACK
/RESET
/CPU_
PLL-BYPASS
FALSE TRUE
Not Glitched
isHashValid(
h1,h2
,len)
{

[…]

Res
=
memcmp(h1,h2,len)

If
(res
==
0
){

return
TRUE

}

return
FALSE

}

Glitched
RAZ des registresReseting all registers >> Res = memcmp(h1,h2,len)

Xbox 360: conclusion
A good software architecture:
Tiny and auditable hypersvisor
W¨X
Any executable piece of code is authenticated
Secure boot process, eFuses against downgrade ...

Xbox 360: conclusion
A good software architecture:
Tiny and auditable hypersvisor
W¨X
Any executable piece of code is authenticated
Secure boot process, eFuses against downgrade ...
... but some DMA attacks are still possible (threads
states unprotected)
Some data are not authenticated
Some cryptographic weaknesses have been exploited
(timing attack, RC4)
The console has not been designed with hardware attacks
in mind (glitch)

Choose your player
PS3
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!

|Hardware architecture |Software architecture and security |Attacks |Conclusion
PS3: architecture
SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

PPE

BEI

Element
Interconect
Bus
(EIB)

SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

PPU

PXU
L2
L1

SPE – Synergistic Processor Element
SPU – Synergistic Processor Unit
SXU – Synergistic Execution Unit
LS – Local Store
MFC – Memory Flow Controller
BEI

MIC

Dual
XDR
DDR2
FlexIO
PPU – Power Processor Unit
PXU – Power Execution Unit
BEI – Broadband Engine Interface
MIC – Memory Interface Controller
XDR/DDR2 – Extreme Data Rate / Double Data Rate 2
CELL BroadBand Engine (PPE + 8 SPE)
PPE: classical 64-bit PowerPC architecture

PS3: architecture
SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

PPE

BEI

Element
Interconect
Bus
(EIB)

SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

SPE

SPU

MFC

SXU

LS

PPU

PXU
L2
L1

SPE – Synergistic Processor Element
SPU – Synergistic Processor Unit
SXU – Synergistic Execution Unit
LS – Local Store
MFC – Memory Flow Controller
BEI

MIC

Dual
XDR
DDR2
FlexIO
PPU – Power Processor Unit
PXU – Power Execution Unit
BEI – Broadband Engine Interface
MIC – Memory Interface Controller
XDR/DDR2 – Extreme Data Rate / Double Data Rate 2

PS3: isolated SPE mode
SPE: code isolation/bootstraping (root of trust)
SPE

SPU

MFC

Local
storage

Public

BOOTROM

(KCPU)

EIB
PPE

SPE

SPU

MFC

Local
storage

BOOTROM

(KCPU)

EIB
PPE

Code

KCPU
Public

SPE

SPU
(Isolated
Mode)

MFC

Local
storage

Private
Public

BOOTROM

(KCPU)

EIB
PPE

Code

Code

KCPU

PS3: software architecture
(ldr*) bootloaders:
First level: they bootstrap SPE in isolated mode
Second level: they are executed by first level loaders

(ldr*) bootloaders:
Hypervisor (lv1) : PPE in hypervisor mode

(ldr*) bootloaders:
GameOS/OtherOS (lv2/-) : PPE in supervisor mode
OtherOS = Linux (removed after the first attack on the
console)

(ldr*) bootloaders:
GameOS/OtherOS (lv2/-) : PPE in supervisor mode
OtherOS = Linux (removed after the first attack on the
console)
Applications : PPE in user mode

PS3: secure boot
metldr

rvkldr
isoldr
appldr
lv2ldr
lv1ldr
lv0

bootldr

Lv1.self

lv2_kernel.self

ps2_emu.self

ps2_gxemu.self

ps2_so9emu.self

vsh.self

sv_iso_spu_module.self

sb_iso_spu_module.self

mc_iso_spu_module.self

me_iso_spu_module.self

HypervisorGameOSappisorvk
ldrldr *ldr *ldr *ldr *ldr *
SPE0PPE
SPE2
SPE2
SPE2
SPE2
SPE2
SPE2
BootROM
SPE

1
2
3
4
5
6
7
3
PPE
PPE
PPE
PPE
PPE
Rvklist
/

rvkprg

PS3: secure boot
metldr

rvkldr
isoldr
appldr
lv2ldr
lv1ldr
lv0

bootldr

Lv1.self

lv2_kernel.self

ps2_emu.self

ps2_gxemu.self

ps2_so9emu.self

vsh.self

sv_iso_spu_module.self

sb_iso_spu_module.self

mc_iso_spu_module.self

me_iso_spu_module.self

HypervisorGameOSappisorvk
ldrldr *ldr *ldr *ldr *ldr *
SPE0PPE
SPE2
SPE2
SPE2
SPE2
SPE2
SPE2
BootROM
SPE

1
2
3
4
5
6
7
3
PPE
PPE
PPE
PPE
PPE
Rvklist
/

rvkprg

CPUKey
ECDSA/AES

PS3: anti-downgrade and revocation
No hardware anchor (such as eFuse) for anti-downgrade
CPU/Mode Update Revocation
bootROM Cell No No
bootldr SPE0 No No
lv0 PPE/HV Yes No
metldr SPE2 No No
lv1ldr SPE2 Yes No
lv1 PPE/HV Yes No
lv2ldr SPE2 Yes No
lv2 PPE/SP Yes Yes
isoldr SPE2 Yes No
appldr SPE2 Yes Yes
games/applications PPE/USR Yes Yes

PS3: security model
PPE/hypervisor is outside the TCB
Sensitive elements are executed on the SPE
Any code is encrypted and signed
Security through obscurity

PS3: security model
Encryption of the EIB bus (RAM, peripherals)
DMA attacks are limited

PS3: security model
Encryption of the EIB bus (RAM, peripherals)
DMA attacks are limited
No W¨X, the hypervisor verifies almost nothing

PS3: hello hypervisor, I’m geohot
Glitch A take control of the hypervisor from
OtherOS/Linux
Other OS
2007 2008 2009 2010 20112006
PS3
Fat
Hypervisor
Glitch hack
PSJailbreak
USB/JIG
Downgrade
PS3
Ultraslim
2012
Bootldr key attack
ECDSA Attack + lv2ldr key
Mtldr key attack

PS3: hello hypervisor, I’m geohot
Glitch A take control of the hypervisor from
OtherOS/Linux
Does not allow to control other elements
No possible game piracy
Other OS
2007 2008 2009 2010 20112006
PS3
Fat
Hypervisor
Glitch hack
PSJailbreak
USB/JIG
Downgrade
PS3
Ultraslim
2012
Bootldr key attack
Mtldr key attack

PS3: PSJailbreak
First attack that allows game piracy
Attack on the USB stack of the lv2 (GameOS)
No W¨X: hypervisor fail
2007 2008 2009 2010 20112006
PS3
Fat
PSJailbreak
USB/JIG
Downgrade
PS3
Ultraslim
2012
Other OS
Hypervisor
Glitch hack
Bootldr key attack
Mtldr key attack

PS3: attacking the bootloaders
2010: major vulnerability in Sony’s ECDSA
implementation
Same nonces for different firmware versions
With two signatures, one can compute the private key!
2007 2008 2009 2010 20112006
PS3
Fat
PSJailbreak
USB/JIG
Downgrade
PS3
Ultraslim
2012
Other OS
Hypervisor
Glitch hack
Bootldr key attack
Mtldr key attack

PS3: attacking the bootloaders
2010: major vulnerability in Sony’s ECDSA
implementation
Same nonces for different firmware versions
With two signatures, one can compute the private key!
Boot chain is completely and forever broken
2007 2008 2009 2010 20112006
PS3
Fat
PSJailbreak
USB/JIG
Downgrade
bootldr key attack
mtldr key attack
PS3
Ultraslim
2012
Other OS
Hypervisor
Glitch hack

PS3: conclusion
Interesting exotic hardware platform (isolated SPE)
DMA attacks mitigations
BootROM with a dedicated CPU key

PS3: conclusion
Interesting exotic hardware platform (isolated SPE)
DMA attacks mitigations
BootROM with a dedicated CPU key
Limited hypervisor, not designed with security in mind
No defense in depth (no W¨X)
Cryptographic fail (ECDSA)
Boot chain with limited revocation and downgrade
features
Security through obscurity (SPE code)
Not designed with hardware attacks in mind (glitch)

Choose your player
PS4
Can I play, Daddy?
SkillLevel
Don't hurt me.
Bring 'em on!

|Hardware and Software architecture |Security |Attacks |Conclusion
Playstation 4
Produced by Sony Computer Entertainment in 2013
Public Hacking starting 2015

PS4: architecture
Hardware architecture :
SoC/APU AMD Jaguar (x86-64, 1.6 GHz, 8 cores)
Same as Xbox One

PS4: architecture
Hardware architecture :
SoC/APU AMD Jaguar (x86-64, 1.6 GHz, 8 cores)
Same as Xbox One
Software architecture :
Kernel based on FreeBSD 9.0 kernel (2012)
Unlike for the Playstation 3, Sony bases its system now
on open source software:
* Webkit
* OpenSSL, Cairo . . .
* LLVM/Clang

PS4: security
Security features:
Secure boot
Encrypted binaries (SELF) (like on PS3)
Using modern security features:
* W¨X (with x86 hardware help)
* ASLR
* FreeBSD Jails

PS4: security
Security features:
Secure boot
Encrypted binaries (SELF) (like on PS3)
Using modern security features:
* W¨X (with x86 hardware help)
* ASLR
* FreeBSD Jails
Few or no information about hardware security features
(DMA, encrypted bus, . . . )

PS4: SPI ﬂash cloning
First hardware attack : Brasilian PS4 flash dump
It is possible to clone metadata stored in the flash
No pairing between SPI Flash and console

PS4: SPI ﬂash cloning
First hardware attack : Brasilian PS4 flash dump
It is possible to clone metadata stored in the flash
No pairing between SPI Flash and console
Exploit kit based on Raspberry Pi/Teensy
Quickly patched

PS4: software exploit chain
WebKit
0xffffffff8 0000000
0xfffffffff ffffffff
0x00000000 00000000
Kernelland
code execution
Kernel land
User land
1
Userland ROP2
3 Privilege escalation
User input

PS4: Webkit vulnerability
First true software attack (same on PSVita)
First entry point for reverse engineering

CVE-2012-3748, heap overfow in Javascript VM
JS object corruption in JSArray:sort(...)
* Gives read and write primitives inside the browser
address space
* Allows arbitrary code execution (overwriting return
address and some function pointers . . . )

CVE-2012-3748, heap overfow in Javascript VM
JS object corruption in JSArray:sort(...)
* Gives read and write primitives inside the browser
address space
* Allows arbitrary code execution (overwriting return
address and some function pointers . . . )
Problem : Sony uses ASLR and W¨X (FreeBSD)

PS4: userland ASLR/W¨X bypass
Libkernel
Heap
Stack
Lib2
Lib 1
Executable RX
RX
RX
RW
RW
RX
Attacker
@?
@?
@?
@?
@?
@?
Browser
(Process Memory)
syscalls
Kernel

Libkernel
Heap
Stack
Lib2
Lib 1
Executable RX
RX
RX
RW
RW
RX
@
@
@
@
@
@
Address leak
1
Browser
(Process Memory)
Attacker
syscalls
Kernel

Libkernel
Heap
Lib2
Lib 1
Executable
Browser
(Process Memory)
RX
RX
RX
RW
RW
RX
@
@
@
@
@
@
ROP
Stack
2
Attacker
syscalls
Kernel

Libkernel
Heap
Lib2
Lib 1
Executable RX
RX
RX
RW
RW
RX
@
@
@
@
@
@
3
Syscalls
Stack
Browser
(Process Memory)
Attacker
syscalls
Kernel

PS4: sandboxing
Attacker is jailed inside process memory
FreeBSD jails
JAIL JAIL JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL
JAIL JAIL JAIL JAIL JAIL JAIL
Libkernel
Heap
Stack
Lib2
Lib 1
Executable
syscalls
Browser
(Process Memory)
Attacker
Kernel

PS4: native code execution by CTurt (@CTurtE)
ROP chain is limited: native code execution is required
LibKernel
User land
WebKit
Kernel land
syscalls
Memory aliasing
with different
access rights
• P1 => payload
with RW rights
• P2 => same
payload with RX
rights
Request an RX shared
memory allocation
sys_jitshm_create()

Memory aliasing
with different
access rights
• P1 => payload
with RW rights
• P2 => same
payload with RX
rights
LibKernel
User land
WebKit
memory allocation
sys_jitshm_create()
syscalls
Payload (RX)
Kernel land
P1

memory allocation
sys_jitshm_create()
LibKernel
User land
WebKit
Create an RW alias
sys_jitshm_alias()
syscalls
Payload (RX)
Payload (RW)
Memory aliasing
with different
access rights
Kernel land
P2

memory allocation
sys_jitshm_create()
LibKernel
User land
WebKit
syscalls
Memory aliasing
with different
access rights
• P1 => payload
with RW rights
• P2 => same
payload with RX
rights
Payload (RX) P1
Payload (RW)
P2
Physical aliases
Kernel land

PS4: syscalls fuzzing and reverse engineering
At this point attackers want kernel privileges
Syscall reverse engineering results:
532 FreeBSD syscalls
85 proprietary syscalls (Sony)
jail filtering calls to critical syscalls (ex ptrace)
Unoficial SDK have been released by the community

PS4: exploit chain user by CTurt (@CTurtE)
WebKit
0xffffffff8 0000000
0x00000000 00000000
Kernelland
code execution
Kernel land
User land
1
Userland ROP2
3 Privilege escalation
User input

PS4: exploit chain kernel by CTurt (@CTurtE)
IDT RW
(FreeBSD)
BadIRET
WebKit
0xffffffff8 0000000
0x00000000 00000000
1
Userland ROP
4
2
Payload
5
Kernel Write primitive
(With constraints)
Kernelland
code execution
Kernel land
LibKernel
User land
3 Userland
code execution

PS4: BadIRET kernel exploit
Originally discovered in Linux and later found to
affect FreeBSD too:
Fixed back in 2014 on FreeBSD
Not fixed on PS4 until firmware version > v2.01
* Rumor: Sony security officer being replaced around
this time . . .

Linux / BSD: BadIRET kernel vulnerability
MemoryMemory
Kernel
User
GS: Thread
User
SWAP GS SWAP GS
GS: KThread
GS: GS:
Kernel
# interrupt IRET

Memory
GS Confusion
Payload
IDT
Kernel
User
GS: Thread
GS:

Memory
GS Confusion
GS: Thread
Payload
IDT
Kernel
User
IDT RW
+ NO SMEP
+ NO SMAP

PS4: update IDT
Memory
#13
#PF 14
#15
IDT
Userland
Kernel payload
Address
to interup vector

PS4: update IDT
Memory
#13
#PF 14
#15
Userland
Kernel payload
Address
to interup vector
IDT

PS4: exploit chain kernel
IDT RW
(FreeBSD)
BadIRET
WebKit
0xffffffff8 0000000
0x00000000 00000000
1
Userland ROP
4
2
Payload
5
Kernel Write primitive
(With constraints)
Kernelland
code execution
Kernel land
LibKernel
User land
3 Userland
code execution

PS4: conclusion
Sony has moved to classical hardware platform
Defense in depth (Mostly FreeBSD features):
W¨X
Userland ASLR
Sony has removed vulnerable kernel modules (SCTP)

PS4: conclusion
Sony has moved to classical hardware platform
Defense in depth (Mostly FreeBSD features):
W¨X
Userland ASLR
Sony has removed vulnerable kernel modules (SCTP)
Hardware probably not designed with security in mind
Big holes in the defensive features:
BadiRet not patched
Interrupt Descriptor Table (IDT) RW, no SMAP/SMEP

|Conclusion |Questions |Paper
Conclusion
Every penny worths it when it comes to security
Attackers always target the weakest point
Attackers mix software and hardware, they do not
distinguish them
Security must be seen as a whole and complex system
issue
Hardware and software design teams must communicate

Questions

Full paper (in French) can be downloaded here:
http://goo.gl/J37lSK

Security offense and defense strategies : Video-game consoles architecture under microscope

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Similar to Security offense and defense strategies : Video-game consoles architecture under microscope

Similar to Security offense and defense strategies : Video-game consoles architecture under microscope (20)

Recently uploaded

Recently uploaded (20)

Security offense and defense strategies : Video-game consoles architecture under microscope