For twenty years, the video game industry has been investing substantial amounts of money in R&D to fight piracy and counterfeiting. This investment is proportional to the potential shortfall, which runs into millions. Video game consoles are therefore the spearheads of hardware and software security. This talk explores the history of these platforms through the evolution of defence and offence strategies. As we will see, the security features implemented by the manufacturers have become more and more elaborate, forcing attackers to develop subtle and innovative techniques. Moreover, it is interesting to observe that the threat model has evolved from large-scale piracy prevention to a model where manufacturers want to prevent hackers from taking control of their console. We also highlight how far ahead the gaming console industry is regarding hardware and software security concepts, especially considering that consoles are mass consumption products. Finally, it is worth noticing that these concepts only appeared a few years later on other mass market devices such as smartphones and set-top boxes.
In this talk we will present everything you have ever wanted to know about the architecture and security features of some major game consoles. To achieve this, we will detail both the hardware and software architectures of somewhat old and of modern gaming consoles: PS1, Xbox, Xbox 360, PS3 and PS4. Based on this, we will explain why some attacks have failed and why others have succeeded.
Security offense and defense strategies: Video-game consoles architecture under microscope
Ryad BENADJILA, Mathieu RENARD
forename.name@ssi.gouv.fr
July 2016
Outline: Introduction | Playstation | Xbox | Xbox 360 | Playstation 3 | Playstation 4 | Conclusion
Context
Gaming consoles:
Technology showcases regarding security
Video game industry actors are spending a lot of money
Fighting against counterfeiting and piracy
Keeping control of their platform (soft + hard)
1/70 Game consoles security July 2016
Objectives
Highlight security best and worst practices
Security features of iconic gaming consoles:
Playstation 1: birth of modchips
Xbox: some security concepts are introduced
Xbox 360 and PS3: advanced security features are used
New generation consoles: Playstation 4
Warning!
This talk discusses jailbreak techniques with purely defensive aims in mind.
ANSSI encourages publishers to systematically correct any identified vulnerabilities in the shortest possible time.
Users are invited to apply security updates as soon as possible.
Choose your player (skill level): Can I play, Daddy? / Don't hurt me. / Bring 'em on! / I am Death incarnate!
Playstation 1
Produced by Sony Computer Entertainment in 1994
Mass hacking starting in 1995
Playstation 1: lack of security by design
Processor: custom MIPS R3000
No MMU
Other processors of the family, like the RS3000E, have an MMU
In 1995, Sony does not care about security
The priority is to implement DRM features
Playstation 1: regional zoning
Games and consoles are specified for only one region
Regional code information is stored:
In the console BIOS
On the Lead-IN track of the CD-ROM
The stored information is a string of the form SCEx:
A for America (SCEA)
E for Europe (SCEE)
I for Japan (SCEI)
Regional information is stored using the wobble groove
DRM: prevents perfect game clones
Playstation 1: wobble groove
[figure: layout of a PS1 disc. The Lead-IN track carries the wobble data (the SCEx string, drawn as a bit pattern such as 0000 1111 0000); the Data area and the Lead-OUT carry no wobble data.]
Playstation 1: attacks
Lack of security features
Aim: bypass DRM features
[figure: timeline 1994-2000. PS1 SCPH-1000 (1994); Action Replay, game hacking (hardware attack, 1995); modchips, game hacking (hardware attack); later models PS1 SCPH-9000 and PS1 SCPH-100.]
Playstation 1: architecture
[figure: block diagram. CPU (RS3000) with boot ROM and 4 Mbit DRAM; GPU with SG-RAM and an RGB encoder feeding MULTIOUT; audio DAC; CD-ROM controller with CD-RF driver; two controller / memory card ports; serial I/O; parallel I/O (only before SCPH-900x).]
Playstation 1: architecture & Action Replay
[figure: the same block diagram, with two /OE (output enable) signals highlighted; the Action Replay cartridge plugs into the parallel I/O port.]
Playstation 1: wobble groove architecture
[figure: CD-ROM reader (laser, lens cart, photoelectric cell) feeding the CD-ROM controller. The tracking signal error carries the wobble groove signal (SCEE); the controller passes the data on to the CPU.]
Playstation 1: modchips origins
[figure: the same reader / controller diagram; the modchip performs wobble groove signal emulation, presenting the SCEx signal to the CD-ROM controller in place of the one read from the disc.]
Playstation 1: conclusion
No security features
DRM bypassed
Birth of the concept of modchips as mass hacking tools
Explosion of the game hacking market
Xbox
Launched in the USA in 2001
Architecture similar to a standard PC
Windows 2000 kernel (stripped)
Embeds some security features
All bypassed by the Xbox hacking community
Xbox: security
Signed executable binaries (XBE)
HDD access restricted, using ATA Security features
Secure boot chain
Xbox: bootROM and root of trust
Attempt to create a custom root of trust
Bootloader code is burned in the MCPX (Southbridge)
Storing a custom memory zone in a component is very expensive
BootROM code limited to 512 bytes
Problem: DDR training code size is > 1KB
Solution: adding an external flash memory (NAND)
Problem: this increases the attack surface
Solution: encrypt the NAND content
Only some parts of the NAND are effectively encrypted
Xbox: secure boot process
[figure: boot chain over time (t1 to t4), from starting the console to launching the game. The MCPX holds the secret boot ROM (mapped at 0xFFFF_FFF0) with an Xcode interpreter and the RC4 decryption key; the flash ROM holds the Xcode bytecode, the RC4-encrypted 2BL (bootloader) and the RC4-encrypted kernel. Steps: (1) executing the Xcode bytecode, (2) decrypting, (3) verifying the signature, (4) executing, (5) launching the game.]
Xbox: attacks
Basic security features: secure boot with chain of trust, code signing, DRM
Attackers' goals: gain full control of the platform, break the secure boot chain
[figure: timeline 2001-2006 over the Xbox 1.0, Xbox 1.1 and Xbox 1.6 (flash => ROM) revisions. Attacks: flash dump, bootROM dump, Visor backdoor, modchips, T20 hack, MIST hack, softmods, DVD player firmware hack.]
Xbox: HyperTransport bus eavesdropping
[figure: Xbox block diagram. CPU - Northbridge (NV2A GPU; 64 MB SDRAM on a 128-bit DDR 200 MHz bus; 64-bit 133 MHz front-side bus) - 8-bit 200 MHz HyperTransport link - MCPX Southbridge (secret boot ROM, USB, codec, SMC and EEPROM on SMBus/I2C, Ethernet, locked HDD, LPC extension, legacy bus < 10 MHz) - flash ROM (initialisation table, bootloader, kernel …). The eavesdropping attack taps the HyperTransport link between the Northbridge and the MCPX.]
[photo of the bus tap]
Xbox: conclusion
Attempt to use a secure boot chain (one of the first platforms to implement it)
BootROM size limitation: fatal for security
Many vulnerabilities in only 512 bytes of code
"17 Mistakes Microsoft Made in the Xbox Security System" by Michael Steil
Security features and DRM fully bypassed
Xbox 360: hardware architecture
Triple-core 64-bit PowerPC, close to a PC
[figure: block diagram. CPU (3.2 GHz): three PowerPC cores, each with an L1 cache, sharing a 1 MB L2 cache; FSB to the GPU; 512 MB RAM at 700 MHz; PCIe to the Southbridge: USB (4), Ethernet, flash, audio, SATA HDD.]
Xbox 360: security model
Memory region            MMU permissions   Encrypted   Integrity check
Data (kernel & game)     RW (not X)        no          no
Code (kernel & game)     RX (not W)        yes         no
Hypervisor (~128 KB)     real mode         yes         yes
(The figure shows DMA arrows reaching all three regions.)
Xbox 360: anti-downgrade feature
Downgrade: decrease the version level of the console system to exploit an old firmware vulnerability
Detect the downgrade: hardware eFuses inside the CPU
eFuses are also used to generate a 128-bit CPU key unique per console
An eFuse is blown at each firmware upgrade
HMAC with the secret CPU key is used for pairing in NAND
[figure: version 1: fuse state 0000 paired (HMAC) with the NAND; the upgrade blows a fuse; version 2: fuse state 0001 paired with the new NAND. A replay attack that restores the version-1 NAND image is shown against the version-2 pairing.]
Xbox 360: attacks chronology
[figure: timeline 2005-2014. Xbox 360 Xenon (2005); DVD player hack; King Kong attack (kernel 4532/4548); SMC/JTAG attack; timing attack (downgrade); glitch attack; Xbox 360 Winchester (2014).]
Xbox 360 is released
Game piracy is made possible
First software vulnerability exploited (hypervisor mode privilege escalation)
Downgrade to exploit the King Kong attack
Hardware glitch to bypass the secure boot
Xbox 360: the King Kong attack
The King Kong attack, a purely software attack
Improper integer comparison in the hypervisor syscalls handler
Pseudo C code:
    extern u32 syscall_table[0x61];
    void syscall_handler(r0, r3, r4, …) {
        /* the bound is checked on the low 32 bits of r0 only ... */
        if ((u32)r0 >= 0x61) {
            goto bad_syscall;
        }
        /* ... but the full 64-bit value of r0 is used as the table index */
        r1 = (void*)syscall_table[(u64)r0];
        r1();
    }
Xbox 360: the King Kong attack
[figure: the exploit drawn over the security model (data: RW not X, not encrypted, no integrity check; code: RX not W, encrypted, no integrity check; hypervisor ~128 KB: real mode, encrypted, integrity check). Steps: (1) a shader, which is not code-signed, is written to RAM by the GPU through DMA; (2) the thread PC is modified; (3) an sc (syscall) instruction is executed; (4) the syscall table (syscall 0x2A) leads to ret2code (ROP) in the hypervisor, labelled "exploit syscall".]
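The pseudo-code above shows the bug in one line: the bound is checked on `(u32)r0` while the table is indexed with `(u64)r0`. The following C program is an added illustration written for this page, not the hypervisor's code: the syscall table, the handlers and the 0x2A slot are constructed stand-ins, and the vulnerable handler returns a marker value (-2) instead of actually reading beyond the table. The hardened variant simply checks the same 64-bit value that it later uses as the index.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

#define NUM_SYSCALLS 0x61

typedef int (*syscall_fn)(void);

/* Constructed stand-in handlers (not the real hypervisor's): each returns a marker */
static int sys_noop(void)   { return 0; }
static int sys_marker(void) { return 42; }

/* Constructed syscall table with 0x61 entries; only two slots are populated */
static syscall_fn syscall_table[NUM_SYSCALLS] = { [0] = sys_noop, [0x2A] = sys_marker };

/* Dispatch through the table once r0 has been validated */
static int dispatch(u64 index) {
    syscall_fn fn = syscall_table[index];
    return fn ? fn() : 0;
}

/*
 * Mirrors the slide's bug: the bound is checked on (u32)r0 but the table is
 * indexed with the full 64-bit r0, so any r0 whose low 32 bits are below 0x61
 * passes the check whatever its high 32 bits hold.
 * Returns: the handler's result, -1 = rejected (bad_syscall), or -2 = the real
 * code would read a function pointer from beyond the table here (simulated
 * instead of performing the out-of-bounds access).
 */
int vulnerable_syscall_handler(u64 r0) {
    if ((u32)r0 >= NUM_SYSCALLS)
        return -1;
    if (r0 >= NUM_SYSCALLS)
        return -2;                      /* simulation guard only */
    return dispatch(r0);
}

/* Fixed handler: the value that is bounds-checked is the value that indexes the table */
int hardened_syscall_handler(u64 r0) {
    if (r0 >= NUM_SYSCALLS)
        return -1;
    return dispatch(r0);
}

int main(void) {
    u64 crafted = (1ULL << 32) | 0x2A;  /* low 32 bits look like syscall 0x2A */
    printf("r0 = 0x2A:   vulnerable=%d hardened=%d\n",
           vulnerable_syscall_handler(0x2A), hardened_syscall_handler(0x2A));
    printf("crafted r0:  vulnerable=%d hardened=%d\n",
           vulnerable_syscall_handler(crafted), hardened_syscall_handler(crafted));
    return 0;
}
```

The general lesson is that a bounds check must be performed on exactly the expression (same width, same signedness) that is used for the memory access; a truncating cast between the two reopens the hole.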
Xbox 360: the timing attack
Problem: the King Kong vulnerability has been patched before its public disclosure
Solution: downgrade to a vulnerable kernel and exploit the King Kong attack
But: how to bypass the eFuse protection?
A non-constant time memcmp in the 2BL is used when checking the eFuse pairing HMAC
It is possible to forge a valid HMAC without knowing the CPU secret key
Xbox 360: the timing attack
    CheckHMAC(char *RealHMAC, char *TestHMAC, int len) {
        [..]
        for (i = 0; i < len; i++)
            if (RealHMAC[i] != TestHMAC[i])
                break;
        [..]
    }
[figure: byte-by-byte guessing, with the current guess in TestHMAC and the bytes found so far in GuessedHMAC. For byte I, each candidate value is tried: a wrong value makes the loop break at byte I and the check answers FALSE after 0.21 ms; the right value makes the loop go one byte further, which takes 0.22 ms. The slower try reveals the byte, it is copied into GuessedHMAC and a new try starts on the next byte. The tries shown go through TestHMAC = 00…, 01…, 02… and 03…, 03 being the correct first byte.]
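The C program below is an added example written for this page, not code from the 2BL or from the authors: it puts the early-exit comparison of the slide beside a constant-time one and measures the leak. Because the point of the slide is that a mismatch at byte i costs less time than a match, the example counts loop iterations (`steps`) as a stand-in for the 0.21 ms / 0.22 ms measured on the console; `REAL_HMAC` is a constructed 16-byte value and `bytes_recoverable` is a helper of this example that reports how many bytes an observer of the step count alone could learn.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HMAC_LEN 16

/* Constructed 16-byte "real" HMAC for the demonstration (not a value from a console) */
static const uint8_t REAL_HMAC[HMAC_LEN] = {
    0x03, 0x1f, 0x00, 0xa7, 0x5c, 0x91, 0xee, 0x42,
    0x08, 0xd3, 0x7b, 0x66, 0xf0, 0x19, 0xc4, 0x2d
};

typedef bool (*hmac_cmp_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Early-exit comparison, as in the 2BL pseudo-code on the slide. *steps counts the
 * loop iterations actually executed: it plays the role of the measured time. */
bool check_hmac_leaky(const uint8_t *real, const uint8_t *test, size_t len, size_t *steps) {
    size_t i = 0;
    *steps = 0;
    for (; i < len; i++) {
        (*steps)++;
        if (real[i] != test[i])
            break;
    }
    return i == len;
}

/* Constant-time comparison: every byte is always visited and the differences are
 * OR-accumulated, so the step count (and the running time) no longer depends on
 * where the first mismatch is. */
bool check_hmac_constant_time(const uint8_t *real, const uint8_t *test, size_t len, size_t *steps) {
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        diff |= (uint8_t)(real[i] ^ test[i]);
    }
    return diff == 0;
}

/* Steps taken by `cmp` for an all-zero guess against REAL_HMAC */
size_t steps_for_zero_guess(hmac_cmp_fn cmp) {
    uint8_t zero[HMAC_LEN] = {0};
    size_t steps;
    cmp(REAL_HMAC, zero, HMAC_LEN, &steps);
    return steps;
}

/* Measures the leak: an observer who only sees the step count (and the final
 * TRUE/FALSE) tries every value for byte `pos` and keeps the one that made the
 * loop run longest. Returns how many bytes of `secret` were recovered before
 * the observations stopped being distinguishable. */
size_t bytes_recoverable(hmac_cmp_fn cmp, const uint8_t *secret, size_t len) {
    uint8_t guess[HMAC_LEN] = {0};
    size_t recovered = 0;

    for (size_t pos = 0; pos < len; pos++) {
        size_t best_steps = 0, min_steps = SIZE_MAX;
        int best_value = 0;
        bool matched = false;

        for (int v = 0; v < 256; v++) {
            size_t steps;
            guess[pos] = (uint8_t)v;
            if (cmp(secret, guess, len, &steps)) {   /* full match: last byte found */
                best_value = v;
                matched = true;
                break;
            }
            if (steps > best_steps) { best_steps = steps; best_value = v; }
            if (steps < min_steps)  min_steps = steps;
        }
        if (!matched && best_steps == min_steps)
            break;                                   /* every guess took the same time: no oracle */
        guess[pos] = (uint8_t)best_value;
        recovered++;
    }
    return recovered;
}

int main(void) {
    printf("leaky compare:         %zu of %d bytes recoverable\n",
           bytes_recoverable(check_hmac_leaky, REAL_HMAC, HMAC_LEN), HMAC_LEN);
    printf("constant-time compare: %zu of %d bytes recoverable\n",
           bytes_recoverable(check_hmac_constant_time, REAL_HMAC, HMAC_LEN), HMAC_LEN);
    return 0;
}
```

With the early-exit compare every byte of the reference value is recovered from the step count alone, which is exactly what the slide's 0.21 ms versus 0.22 ms delivers; with the constant-time compare all 256 guesses for a byte take the same number of steps and nothing is recovered. Any secret comparison on a boot path (HMAC, hash, signature digest) should use the constant-time form.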
Xbox 360: the glitch attack
The integrity check of the 4BL by the 2BL can be glitched with a pulse inserted at the right time
[figure: CLK, /RESET and /CPU_PLL-BYPASS signals; a 100 ns glitch is inserted during the ATTACK window, between POST codes 0x36 and 0x39.]
    isHashValid(h1, h2, len) {
        […]
        res = memcmp(h1, h2, len);
        if (res == 0) {
            return TRUE;
        }
        return FALSE;
    }
Not glitched: the memcmp result decides between TRUE and FALSE.
Glitched: resetting all registers ("RAZ des registres") during res = memcmp(h1, h2, len) leaves res = 0, so the hash is reported valid.
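The slide's check fails under a glitch because a zeroed register is indistinguishable from "hashes are equal". The C program below is an added example written for this page, not the 2BL's code: it keeps the weak check as shown on the slide and places next to it a fault-tolerant variant of my own design that uses non-trivial success/failure codes and two independent comparisons. `GOOD_HASH` and `BAD_HASH` are constructed 4-byte values, and `weak_accepts` / `hardened_accepts` model what the caller concludes from a comparison result that a fault may have corrupted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Success / failure codes with many bits set in both states: an all-zero or
 * all-one register, the typical outcome of a reset or a stuck bus, matches neither. */
#define HASH_OK   0x5A5AC3C3u
#define HASH_BAD  0xA5A53C3Cu

/* Constructed 4-byte "hashes" for the demonstration */
static const uint8_t GOOD_HASH[4] = {0xde, 0xad, 0xbe, 0xef};
static const uint8_t BAD_HASH[4]  = {0xde, 0xad, 0xbe, 0xee};

/* The check as on the slide: one memcmp, and "0 means valid" */
bool is_hash_valid_weak(const uint8_t *h1, const uint8_t *h2, size_t len) {
    int res = memcmp(h1, h2, len);
    if (res == 0)
        return true;
    return false;
}

/* What the weak check concludes from a comparison result: a glitch that resets
 * the registers makes res == 0 whatever the hashes were. */
bool weak_accepts(int res) {
    return res == 0;
}

/* Fault-tolerant variant (this example's design, not the 2BL's):
 *  - the verdict starts as HASH_BAD and is only upgraded at the very end;
 *  - the hashes are compared twice by different code paths (memcmp, then a byte
 *    loop in reverse order), so a single well-timed fault has to defeat both;
 *  - volatile keeps the compiler from folding the two checks into one. */
uint32_t is_hash_valid_hardened(const uint8_t *h1, const uint8_t *h2, size_t len) {
    volatile uint32_t verdict = HASH_BAD;

    volatile int first = memcmp(h1, h2, len);
    if (first != 0)
        return HASH_BAD;

    volatile uint8_t second = 0;
    for (size_t i = len; i > 0; i--)
        second |= (uint8_t)(h1[i - 1] ^ h2[i - 1]);
    if (second != 0)
        return HASH_BAD;

    if (first == 0 && second == 0)
        verdict = HASH_OK;
    return verdict;
}

/* Caller side: only the exact HASH_OK pattern continues the boot; 0 or any other
 * corrupted value is treated as a failed check. */
bool hardened_accepts(uint32_t verdict) {
    return verdict == HASH_OK;
}

int main(void) {
    printf("weak, equal hashes:       %d\n", is_hash_valid_weak(GOOD_HASH, GOOD_HASH, 4));
    printf("weak, res forced to 0:    %d\n", weak_accepts(0));
    printf("hardened, equal hashes:   %d\n", hardened_accepts(is_hash_valid_hardened(GOOD_HASH, GOOD_HASH, 4)));
    printf("hardened, differing:      %d\n", hardened_accepts(is_hash_valid_hardened(GOOD_HASH, BAD_HASH, 4)));
    printf("hardened, verdict zeroed: %d\n", hardened_accepts(0));
    return 0;
}
```

Redundant checks and non-trivial result encodings raise the number of precisely placed faults an attacker needs from one to several; they do not replace hardware measures such as glitch detectors, which is the gap the conclusion slide points at when it says the console was not designed with hardware attacks in mind.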
Xbox 360: conclusion
A good software architecture:
Tiny and auditable hypervisor
W^X
Any executable piece of code is authenticated
Secure boot process, eFuses against downgrade ...
... but some DMA attacks are still possible (thread states unprotected)
Some data are not authenticated
Some cryptographic weaknesses have been exploited (timing attack, RC4)
The console has not been designed with hardware attacks in mind (glitch)
84. Choose your player
[Skill-level menu figure: Can I play, Daddy? / Don't hurt me. / Bring 'em on! / I am Death incarnate!]
86. PS3: architecture
[Cell Broadband Engine block diagram: one PPE (PPU with PXU, L1 and L2 caches) and eight SPEs (each an SPU with its SXU and LS, plus an MFC), all attached to the Element Interconnect Bus (EIB); the BEI connects to FlexIO and the MIC to dual XDR/DDR2 memory]
Legend:
SPE – Synergistic Processor Element
SPU – Synergistic Processor Unit
SXU – Synergistic Execution Unit
LS – Local Store
MFC – Memory Flow Controller
PPU – Power Processor Unit
PXU – Power Execution Unit
BEI – Broadband Engine Interface
MIC – Memory Interface Controller
XDR/DDR2 – Extreme Data Rate / Double Data Rate 2
CELL Broadband Engine (PPE + 8 SPE)
PPE: classical 64-bit PowerPC architecture
91. PS3: isolated SPE mode
SPE: code isolation/bootstrapping (root of trust)
[Diagram: an SPE (SPU in isolated mode, MFC, local storage split into a private and a public region) attached to the EIB alongside the PPE; the code is loaded into the local storage and bootstrapped by the BOOTROM (KCPU)]
95. PS3: software architecture
(ldr*) bootloaders:
First level: they bootstrap the SPE in isolated mode
Second level: they are executed by the first-level loaders
Hypervisor (lv1): PPE in hypervisor mode
GameOS/OtherOS (lv2/-): PPE in supervisor mode
OtherOS = Linux (removed after the first attack on the
console)
Applications: PPE in user mode
97. PS3: secure boot
[Boot chain diagram, steps 1-7: the BootROM on an SPE starts bootldr (SPE0), which starts lv0 (PPE); lv0 starts metldr (SPE2), which runs the second-level loaders lv1ldr, lv2ldr, isoldr, appldr and rvkldr (SPE2); these load Lv1.self (hypervisor), lv2_kernel.self (GameOS), vsh.self and the PS2 emulators ps2_emu.self, ps2_gxemu.self and ps2_so9emu.self (applications), the isolated SPU modules sv_iso_spu_module.self, sb_iso_spu_module.self, mc_iso_spu_module.self and me_iso_spu_module.self, and the revocation data rvklist / rvkprg, each running on the PPE or an SPE; the chain is protected by the CPU key with ECDSA and AES]
98. PS3: anti-downgrade and revocation
No hardware anchor (such as eFuse) for anti-downgrade

Component            CPU/Mode   Update   Revocation
bootROM              Cell       No       No
bootldr              SPE0       No       No
lv0                  PPE/HV     Yes      No
metldr               SPE2       No       No
lv1ldr               SPE2       Yes      No
lv1                  PPE/HV     Yes      No
lv2ldr               SPE2       Yes      No
lv2                  PPE/SP     Yes      Yes
isoldr               SPE2       Yes      No
appldr               SPE2       Yes      Yes
games/applications   PPE/USR    Yes      Yes
101. PS3: security model
PPE/hypervisor is outside the TCB
Sensitive elements are executed on the SPE
All code is encrypted and signed
Security through obscurity
Encryption of the EIB bus (RAM, peripherals)
DMA attacks are limited
No W^X, the hypervisor verifies almost nothing
103. PS3: hello hypervisor, I'm geohot
Glitch: take control of the hypervisor from
OtherOS/Linux
Does not allow control of the other elements
No game piracy possible
[Timeline figure 2006-2012: PS3 Fat, OtherOS, hypervisor glitch hack, PSJailbreak USB/JIG downgrade, bootldr key attack, ECDSA attack + lv2ldr key, mtldr key attack, PS3 Ultraslim (2012)]
104. PS3: PSJailbreak
First attack that allows game piracy
Attack on the USB stack of the lv2 (GameOS)
No W^X: hypervisor fail
[Timeline figure 2006-2012: PS3 Fat, OtherOS, hypervisor glitch hack, PSJailbreak USB/JIG downgrade, bootldr key attack, ECDSA attack + lv2ldr key, mtldr key attack, PS3 Ultraslim (2012)]
106. PS3: attacking the bootloaders
2010: major vulnerability in Sony's ECDSA
implementation
Same nonces for different firmware versions
With two signatures, one can compute the private key!
Boot chain is completely and forever broken
[Timeline figure 2006-2012: PS3 Fat, OtherOS, hypervisor glitch hack, PSJailbreak USB/JIG downgrade, bootldr key attack, ECDSA attack + lv2ldr key, mtldr key attack, PS3 Ultraslim (2012)]
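Why two signatures suffice, as an added derivation that is not part of the talk. It assumes the textbook ECDSA signing equation with private key $d$, per-signature nonce $k$, group order $n$, base point $G$, and message hashes $z_1, z_2$ of the two signed firmware versions.

Signing two different hashes with the same nonce gives signatures $(r, s_1)$ and $(r, s_2)$ that share $r$, because $r = (k \cdot G)_x \bmod n$ depends only on $k$:

\[
s_1 \equiv k^{-1}(z_1 + d\,r) \pmod n, \qquad s_2 \equiv k^{-1}(z_2 + d\,r) \pmod n
\]

Subtracting eliminates $d$ and exposes the nonce; substituting $k$ back into the first equation exposes the key:

\[
s_1 - s_2 \equiv k^{-1}(z_1 - z_2) \pmod n
\;\Longrightarrow\;
k \equiv (z_1 - z_2)\,(s_1 - s_2)^{-1} \pmod n,
\qquad
d \equiv (s_1\,k - z_1)\, r^{-1} \pmod n
\]

Every quantity on the right-hand side is public (two signatures and the hashes of the two images they cover), which is why a fixed nonce collapses the whole boot chain. The defence is a fresh, unpredictable nonce per signature, or a deterministic one derived from the key and the message as in RFC 6979, so that two signatures never share $r$.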
108. PS3: conclusion
Interesting exotic hardware platform (isolated SPE)
DMA attack mitigations
BootROM with a dedicated CPU key
Limited hypervisor, not designed with security in mind
No defense in depth (no W^X)
Cryptographic fail (ECDSA)
Boot chain with limited revocation and downgrade
features
Security through obscurity (SPE code)
Not designed with hardware attacks in mind (glitch)
110. Choose your player: PS4
[Skill-level menu figure: Can I play, Daddy? / Don't hurt me. / Bring 'em on! / I am Death incarnate!]
111. Playstation 4
Produced by Sony Computer Entertainment in 2013
Public hacking starting 2015
113. PS4: architecture
Hardware architecture:
SoC/APU AMD Jaguar (x86-64, 1.6 GHz, 8 cores)
Same as Xbox One
Software architecture:
Kernel based on the FreeBSD 9.0 kernel (2012)
Unlike for the Playstation 3, Sony now bases its system
on open source software:
* WebKit
* OpenSSL, Cairo ...
* LLVM/Clang
115. PS4: security
Security features:
Secure boot
Encrypted binaries (SELF) (like on PS3)
Using modern security features:
* W^X (with x86 hardware help)
* ASLR
* FreeBSD Jails
Little or no information about hardware security features
(DMA, encrypted bus, ...)
117. PS4: SPI flash cloning
First hardware attack: Brazilian PS4 flash dump
It is possible to clone metadata stored in the flash
No pairing between SPI flash and console
Exploit kit based on Raspberry Pi/Teensy
Quickly patched
118. PS4: software exploit chain
[Address-space diagram: user land from 0x0000000000000000, kernel land from 0xffffffff80000000 to 0xffffffffffffffff; (1) user input reaches WebKit, (2) userland ROP, (3) privilege escalation to kernel-land code execution]
121. PS4: WebKit vulnerability
First true software attack (same on PSVita)
First entry point for reverse engineering
CVE-2012-3748, heap overflow in the JavaScript VM
JS object corruption in JSArray::sort(...)
* Gives read and write primitives inside the browser
address space
* Allows arbitrary code execution (overwriting return
address and some function pointers ...)
Problem: Sony uses ASLR and W^X (FreeBSD)
130. PS4: native code execution by CTurt (@CTurtE)
ROP chain is limited: native code execution is required
[Diagram: from WebKit in user land, LibKernel issues syscalls into kernel land; sys_jitshm_create() requests an RX shared memory allocation and sys_jitshm_alias() creates an RW alias of it; memory aliasing with different access rights yields P1 (the payload with RW rights) and P2 (the same payload with RX rights) as physical aliases]
131. PS4: syscalls fuzzing and reverse engineering
At this point attackers want kernel privileges
Syscall reverse engineering results:
532 FreeBSD syscalls
85 proprietary syscalls (Sony)
The jail filters calls to critical syscalls (e.g. ptrace)
Unofficial SDKs have been released by the community
132. PS4: exploit chain user by CTurt (@CTurtE)
[Address-space diagram: user land from 0x0000000000000000, kernel land from 0xffffffff80000000 to 0xffffffffffffffff; (1) user input reaches WebKit, (2) userland ROP, (3) privilege escalation to kernel-land code execution]
133. PS4: exploit chain kernel by CTurt (@CTurtE)
[Address-space diagram, user land to kernel land: (1) WebKit, (2) userland ROP, (3) userland code execution through LibKernel, (4) kernel write primitive (with constraints) obtained with BadIRET, the IDT being RW on FreeBSD, (5) the payload runs as kernel-land code execution]
134. PS4: BadIRET kernel exploit
Originally discovered in Linux and later found to
affect FreeBSD too:
Fixed back in 2014 on FreeBSD
Not fixed on PS4 until firmware version > v2.01
* Rumor: Sony security officer being replaced around
this time ...
137. Linux / BSD: BadIRET kernel vulnerability
[Diagram: memory split into kernel and user; on an interrupt the kernel executes SWAPGS so that GS points to the kernel thread (KThread) instead of the user thread, and swaps back before IRET; with BadIRET the GS base stays user-controlled (GS confusion), so the kernel dereferences a user-supplied Thread structure and payload; the IDT is RW and there is no SMEP and no SMAP]
139. PS4: update IDT
[Diagram: IDT entries #13, #PF (vector 14) and #15; the address stored in the #PF interrupt vector is rewritten to point to the kernel payload, which lives in userland memory]
142. PS4: conclusion
Sony has moved to a classical hardware platform
Defense in depth (mostly FreeBSD features):
W^X
Userland ASLR
Sony has removed vulnerable kernel modules (SCTP)
Hardware probably not designed with security in mind
Big holes in the defensive features:
BadIRET not patched
Interrupt Descriptor Table (IDT) RW, no SMAP/SMEP
143. Conclusion
Every penny is worth it when it comes to security
Attackers always target the weakest point
Attackers mix software and hardware attacks; they do not
distinguish between them
Security must be treated as a whole, complex system
issue
Hardware and software design teams must communicate
145. Full paper (in French) can be downloaded here:
http://goo.gl/J37lSK