
SECURITY OFFENSE AND DEFENSE STRATEGIES: VIDEO-GAME CONSOLES ARCHITECTURE UNDER MICROSCOPE

For twenty years, the video game industry has been investing a substantial amount of money in R&D to fight piracy and counterfeiting. This investment is proportional to the potential shortfall, which counts in millions. Therefore, video game consoles are the spearheads of hardware and software security. This talk explores the history of these platforms through the evolution of defence and offence strategies. As we will see, the security features implemented by the manufacturers have become more and more elaborate, forcing attackers to develop subtle and innovative techniques. Moreover, it is interesting to observe that the threat model has evolved from large-scale piracy prevention to a model where manufacturers want to prevent hackers from taking control of their console. We also highlight how advanced the gaming console industry is regarding hardware and software security concepts, specifically considering that consoles are mass consumption products. Finally, it is worth noting that these concepts only appeared a few years later on other mass market devices such as smartphones and set-top boxes.

In this talk we will present everything you have ever wanted to know about the architecture of some major game consoles and their security features. To do so, we will detail both the hardware and software architectures of somewhat old and of modern gaming consoles: PS1, Xbox, Xbox 360 and PS3. Based on this, we will explain why some attacks have failed and why others have succeeded.

Published in: Devices & Hardware

  1. Security offense and defense strategies: Video-game consoles architecture under microscope. Ryad BENADJILA, Mathieu RENARD, forename.name@ssi.gouv.fr, July 2016
  2. Context: gaming consoles are technology showcases regarding security. Video game industry actors spend a lot of money fighting counterfeiting and piracy, and keeping control of their platform (software and hardware). [Slide footer: Game consoles security, July 2016]
  3. Objectives: highlight security best and worst practices, and the security features of iconic gaming consoles:
      - Playstation 1: birth of modchips
      - Xbox: some security concepts are introduced
      - Xbox 360 and PS3: advanced security features are used
      - New generation consoles: Playstation 4
  7. Warning! This talk discusses jailbreak techniques with purely defensive aims in mind. ANSSI encourages publishers to systematically correct any identified vulnerabilities in the shortest possible time. Users are invited to apply security updates as soon as possible.
  8. Choose your player: PS1 (skill level: Can I play, Daddy? / Don't hurt me. / Bring 'em on! / I am Death incarnate!)
  10. Playstation 1: produced by Sony Computer Entertainment in 1994; mass hacking started in 1995.
  11. Playstation 1: lack of security by design. Processor: custom MIPS R3000, with no MMU (other processors of the family, like the RS3000E, have an MMU). In 1995, Sony did not care about security; the priority was to implement DRM features.
  12. Playstation 1: regional zoning. Games and consoles are specified for only one region.
      - Regional code information is stored in the console BIOS and on the Lead-In track of the CD-ROM.
      - The stored information is a string like SCEx: A for America (SCEA), E for Europe (SCEE), I for Japan (SCEI).
      - Regional information is stored using the wobble groove DRM, which prevents perfect game clones.
  15. Playstation 1: wobble groove. [Diagram: disc layout Lead-In / Data / Lead-Out; the wobble data carrying the SCEx string (drawn as a bit pattern such as 0 0 0 0 1 1 1 1 0 0 0 0 0) sits in the Lead-In, while the Data area carries no wobble data.]
  16. Playstation 1: attacks. Lack of security features; aim: bypass the DRM features. [Timeline 1994 to 2000: PS1 SCPH-1000 (1994); Action Replay, game hacking (hardware attack, 1995); modchips, game hacking (hardware attack); PS1 SCPH-9000; PS1 SCPH-100.]
  18. Playstation 1: architecture. [Block diagram: CPU (RS3000) with boot ROM and 4 Mbit DRAM; GPU with SG-RAM, RGB encoder and multi-out; audio DAC; CD-ROM subsystem (CD-ROM CPU, CD-ROM controller, CD-RF driver); controller and memory card ports; serial I/O; parallel I/O (only before SCPH-900x).]
  19. Playstation 1: architecture and Action Replay. [Same block diagram with the Action Replay added and two /OE (output enable) signals highlighted.]
  20. Playstation 1: wobble groove architecture. [Diagram: in the CD-ROM reader, the laser, lens cart and photoelectric cell feed the CD-ROM controller with the data and the tracking signal; the error tracking signal carries the wobble groove (SCEE), and the controller passes the data on to the CPU. A "wobble groove signal emulation" box is drawn at the controller input.]
  21. Playstation 1: modchips origins. [Same diagram: the modchip emulates the wobble groove signal (SCEx) at the CD-ROM controller input.]
  22. Playstation 1: conclusion. No security features; DRM bypassed; birth of the concept of modchips as mass hacking tools; explosion of the game hacking market.
  23. Choose your player: Xbox.
  25. Xbox: launched in the USA in 2001. Architecture similar to a standard PC, with a stripped Windows 2000 kernel. Embeds some security features, all bypassed by the Xbox hacking community.
  26. Xbox: architecture. [Block diagram: CPU linked to the Northbridge over a 64-bit 133 MHz bus; the Northbridge hosts the NV2A GPU and 64 MB of SDRAM (128-bit DDR, 200 MHz); an 8-bit 200 MHz HyperTransport link joins the Northbridge to the MCPX Southbridge, which holds the secret boot ROM; the Flash ROM (GPU table, initialisation, bootloader, kernel, ...) hangs off a legacy bus below 10 MHz; USB, Ethernet, codec, SMC and EEPROM (SMBus/I2C), the locked HDD and an LPC extension connector are attached to the Southbridge.]
  27. Xbox: security. Signed executable binaries (XBE); HDD access restricted using ATA security features; secure boot chain.
  28. Xbox: bootROM and root of trust. An attempt to create a custom root of trust: the bootloader code is burned into the MCPX (Southbridge). Storing a custom memory zone in a component is very expensive, so the bootROM code is limited to 512 bytes.
      - Problem: the DDR training code size is > 1 KB.
      - Solution: add an external flash memory (NAND).
      - Problem: this increases the attack surface.
      - Solution: encrypt the NAND content. Only some parts of the NAND are effectively encrypted.
  30. Xbox: secure boot process. [Diagram built up over six slides, from starting the console (t1) to launching a game (t4). The MCPX boot ROM, mapped at 0xFFFF_FFF0, contains the RC4 key, the decrypt routine and the Xcode interpreter; the Flash ROM contains the Xcode bytecode, the RC4-encrypted 2BL (bootloader) and the RC4-encrypted kernel, with an "overlay" label on the Flash ROM side. The step labels, in order (steps 1 to 5), read: executing (Xcode bytecode); decrypting, verifying, executing (2BL); decrypting (kernel); verifying signature, executing (kernel).]
  36. Xbox: attacks. Basic security features: secure boot with a chain of trust, code signing, DRM. Attackers' goals: gain full control of the platform; break the secure boot chain. [Timeline 2001 to 2006: Xbox 1.0; Flash dump; bootROM dump; Visor backdoor; modchips; T20 hack; Xbox 1.1; MIST hack; Xbox 1.6 (Flash => ROM); softmods; DVD player firmware hack.]
  41. Xbox: HyperTransport bus eavesdropping. [Same architecture diagram as slide 26, with the 8-bit 200 MHz HyperTransport link between the Northbridge and the MCPX Southbridge highlighted.]
  43. Xbox: HyperTransport bus eavesdropping. [Picture only; no text recoverable.]
  44. Xbox: conclusion. An attempt to use a secure boot chain (one of the first platforms to implement it). The bootROM size limitation was fatal for security: many vulnerabilities in only 512 bytes of code (see "17 Mistakes Microsoft Made in the Xbox Security System" by Michael Steil). Security features and DRM fully bypassed.
  46. Choose your player: Xbox 360.
  48. Xbox 360: hardware architecture. Triple-core 64-bit PowerPC (3.2 GHz), close to a PC. [Block diagram: three PowerPC cores, each with its own L1 cache, sharing a 1 MB L2 cache; FSB to the GPU; 512 MB RAM at 700 MHz; PCIe to the Southbridge, which provides USB (4), Ethernet, flash, audio and the SATA HDD.]
  49. Xbox 360: cryptographic coprocessor. [Diagram over two slides: three CPU cores, each with an MMU and an L1 cache, share the L2 cache; a hash unit with its own SRAM sits between the L2 cache and RAM. Slide 27 labels the unit's operations "compute hash" and "verify hash"; slide 28 labels them "encrypt" on the way to RAM and "decrypt" on the way back. Sample addresses drawn: virtual 0x87654321, physical 0x00010000-00000010, hash slot @0x10.]
  51. Xbox 360: software architecture. [Diagram: RAM holds the hypervisor (privileged) and the code and data of the kernel and game (not privileged); the numbered steps are loading, verifying signature, configuring page tables in the MMU, and executing.]
  52. Xbox 360: security model. [Diagram of the three RAM regions, each reachable by DMA:
      - Hypervisor (~128 KB): real mode, encrypted, integrity check.
      - Code (kernel & game): MMU RX (not W), encrypted, no integrity check.
      - Data (kernel & game): MMU RW (not X), not encrypted, no integrity check.]
  53. Xbox 360: anti-downgrade feature. Downgrade: decrease the version level of the console system to exploit an old firmware vulnerability. Detecting the downgrade: hardware eFuses inside the CPU; an eFuse is blown at each firmware upgrade. The eFuses are also used to generate a 128-bit CPU key, unique per console, and an HMAC with this secret CPU key is used for pairing the NAND with the fuse state. [Diagram: version 1 pairs fuses 0000 with the NAND HMAC; after an upgrade to version 2, fuses 0001 are paired with a new NAND HMAC; the re-use of an older pairing is labelled "replay attack".]
  55. Xbox 360: secure boot. [Diagram of the bootloader chain over two slides.
      - 1BL, in the 32 KB CPU ROM, holds the RSA public key and K1BL.
      - 2BL/CB (encrypted/signed, key K2BL, RSASig(2BL)) carries Hash(4BL/CD) and Hash(5BL/CE). Its steps: initialising RAM encryption/integrity, initialising PCI Express, deactivating JTAG, GPU ACK, SMC, verifying fuseset 02 versus 2BL, verifying the LDV (HMAC).
      - 4BL/CD (encrypted/signed, key K4BL): loading and decrypting 4BL in RAM, verifying Hash(4BL/CD).
      - 5BL/CE (encrypted/signed): decrypting and extracting 5BL/CE, verifying Hash(5BL/CE); this is the hypervisor + kernel base.
      - 6BL/CF (encrypted/signed, key K6BL, RSASig(6BL), carries Hash(7BL/CG)): decrypting 6BL/CF with K1BL, extracting 6BL/CF, verifying RSASig(6BL/CF), verifying the 6BL/CF LDV against fusesets 07-11.
      - 7BL/CG (encrypted/signed, patches): decrypting and extracting 7BL/CG, verifying Hash(7BL/CG); the result is the patched hypervisor + kernel.]
  57. Xbox 360: attacks chronology. [Timeline 2005 to 2014: Xbox 360 Xenon is released (2005); DVD player hack, which makes game piracy possible; King Kong attack (kernel 4532/4548), the first software vulnerability exploited (hypervisor mode privilege escalation); SMC/JTAG attack; timing attack, a downgrade to exploit the King Kong attack; glitch attack, a hardware glitch to bypass the secure boot; Xbox 360 Winchester (2014).]
  62. Xbox 360: the King Kong attack, a purely software attack: an improper integer comparison in the hypervisor syscall handler. Pseudo C code from the slide, with the missing semicolon restored and comments added:

```c
extern u32 syscall_table[0x61];   /* 0x61 entries: valid numbers are 0..0x60 */

void syscall_handler(r0, r3, r4, ...)
{
    /* The range check only looks at the low 32 bits of r0 ... */
    if ((u32)r0 >= 0x61) {
        goto bad_syscall;
    }
    /* ... but the table is indexed with the full 64-bit register, so a value
       whose upper 32 bits are non-zero passes the check and reads past the table. */
    r1 = (void *)syscall_table[(u64)r0];
    r1();
}
```
  64. Xbox 360: the King Kong attack. [Diagram in four steps drawn over the security-model memory map (data: RW not X, not encrypted, no integrity check; code: RX not W, encrypted, no integrity check; hypervisor: ~128 KB, real mode, encrypted, integrity check): (1) the GPU DMA-writes a shader, which is not code signed, into RAM; (2) a thread's PC; (3) the sc (syscall) instruction invoking syscall 0x2A; (4) Ret2Code (ROP) and the exploit syscall.]
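The comparison-width mismatch of the King Kong handler, as an added model in C (not code from the slides or from the Xbox 360 hypervisor): the check is replayed on the low 32 bits while the index is taken from the full 64-bit value, next to a hardened variant that checks at the width actually used for indexing. No table is dereferenced; the functions only classify what the lookup would do.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SYSCALL_COUNT 0x61u   /* table size from the slide: valid numbers are 0..0x60 */

typedef enum {
    SYSCALL_REJECTED,      /* handler branches to bad_syscall */
    SYSCALL_IN_TABLE,      /* lookup stays inside syscall_table */
    SYSCALL_OUT_OF_TABLE   /* lookup reads past the end of syscall_table */
} dispatch_result;

/* What syscall_table[index] would do for this index; nothing is dereferenced. */
static dispatch_result classify(uint64_t index)
{
    return index < SYSCALL_COUNT ? SYSCALL_IN_TABLE : SYSCALL_OUT_OF_TABLE;
}

/* Handler logic as on the slide: the check truncates r0 to 32 bits,
   the index uses the full 64-bit register. */
static dispatch_result vulnerable_dispatch(uint64_t r0)
{
    if ((uint32_t)r0 >= SYSCALL_COUNT)
        return SYSCALL_REJECTED;          /* goto bad_syscall */
    return classify((uint64_t)r0);       /* syscall_table[(u64)r0] */
}

/* Hardened logic: check and index at the same width. */
static dispatch_result hardened_dispatch(uint64_t r0)
{
    if (r0 >= SYSCALL_COUNT)
        return SYSCALL_REJECTED;
    return classify(r0);
}

int main(void)
{
    /* Constructed inputs: a normal syscall number, the first invalid one,
       and a value whose low 32 bits are small but whose high 32 bits are set. */
    const uint64_t inputs[] = { 0x2A, 0x61, (1ULL << 32) | 0x2A };
    const char *names[] = { "rejected", "in table", "OUT OF TABLE" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("r0=0x%09llx  vulnerable: %-12s  hardened: %s\n",
               (unsigned long long)inputs[i],
               names[vulnerable_dispatch(inputs[i])],
               names[hardened_dispatch(inputs[i])]);
    return 0;
}
```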
  69. Xbox 360: the timing attack. Problem: the King Kong vulnerability had been patched before its public disclosure. Solution: downgrade to a vulnerable kernel and exploit the King Kong attack. But how to bypass the eFuse protection? A non-constant-time memcmp in the 2BL is used when checking the eFuse pairing HMAC, so it is possible to forge a valid HMAC without knowing the CPU secret key.
Xbox 360: the timing attack

The vulnerable check in the 2BL:

    CheckHMAC(char *RealHMAC, char *TestHMAC, int len) {
        [..]
        for (i = 0; i < len; i++)
            if (RealHMAC[i] != TestHMAC[i])
                break;
        [..]
    }

[Animation: the attacker submits TestHMAC = 00 00 ... 00, then 01 00 ... 00, 02 00 ... 00, and so on, and times each check. A wrong first byte returns FALSE after a single iteration (0.21 ms); the right byte (here 03) runs one iteration longer (0.22 ms) before the next mismatch. That byte is fixed (GuessedHMAC = 03 00 ... 00), I moves to the next position, and a new try starts, until CheckHMAC returns TRUE for the full value.]
Xbox 360: the glitch attack

The integrity check of the 4BL by the 2BL can be glitched with a pulse inserted at the right time.

[Timing diagram: a 100 ns glitch on CLK, issued while /CPU_PLL-BYPASS is asserted, in the attack window between POST codes 0x36 and 0x39; /RESET shown for reference.]

    isHashValid(h1, h2, len) {
        [...]
        res = memcmp(h1, h2, len);
        if (res == 0) {
            return TRUE;
        }
        return FALSE;
    }

Not glitched: memcmp returns non-zero for a modified 4BL, so the check returns FALSE.
Glitched: the pulse resets all registers, so res reads as 0 after memcmp and the check returns TRUE.
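The two 2BL comparison weaknesses above, the timing leak in CheckHMAC and the glitchable `res == 0` in isHashValid, modelled in Python as an added example (this is not code from the slides or from the console). The leaky check is reproduced, a byte-by-byte recovery is run against it, and a comparison that resists both weaknesses is shown next to it. The HMAC value, the iteration-count "clock" standing in for the 0.21 ms / 0.22 ms measurements, and the register-reset fault model are assumptions made here.

```python
"""Added example, not code from the slides: the two 2BL comparison weaknesses
(timing leak in CheckHMAC, glitchable res == 0 in isHashValid) modelled in
Python, next to a comparison that resists both. The HMAC value, the
iteration-count "clock" and the register-reset fault model are assumptions."""
from typing import Callable, Optional, Tuple

# Constructed 16-byte pairing HMAC standing in for the real eFuse pairing value
SECRET_HMAC = bytes.fromhex("7d3a9f0c11e2b4466ad8c3e5f90b2a17")

# Non-trivial success code: a register that a glitch resets to zero can never
# read as "valid" (the 2BL used res == 0, which a reset register satisfies)
VALID = 0x5AC3A55A


def reset_register(_reg: int) -> int:
    """Fault model (assumption): the pulse resets the register holding the result."""
    return 0


def check_hmac_leaky(real: bytes, test: bytes) -> Tuple[bool, int]:
    """Models CheckHMAC in the 2BL: the loop breaks at the first mismatch.
    Returns (match, iterations); the iteration count stands in for the measured
    time, which grows by one loop body per correct leading byte."""
    iterations = 0
    for i in range(len(real)):
        iterations += 1
        if real[i] != test[i]:
            return False, iterations
    return True, iterations


def is_hash_valid_naive(h1: bytes, h2: bytes, glitch=None) -> bool:
    """Models isHashValid in the 2BL: memcmp's result is compared with zero."""
    res = 0 if h1 == h2 else 1          # memcmp: only zero / non-zero matters here
    if glitch is not None:
        res = glitch(res)               # glitched: the result register reads 0
    return res == 0


def compare_hardened(real: bytes, test: bytes, glitch=None) -> bool:
    """Constant-time and fault-tolerant: no early exit, and success is the
    sentinel VALID rather than zero, so a zeroed register fails closed."""
    if len(real) != len(test):
        return False
    diff = 0
    for a, b in zip(real, test):
        diff |= a ^ b                   # time does not depend on where bytes differ
    status = VALID if diff == 0 else VALID ^ 0xFFFFFFFF
    if glitch is not None:
        status = glitch(status)
    return status == VALID and diff == 0


def recover_hmac(oracle: Callable[[bytes], Tuple[bool, int]],
                 length: int) -> Optional[bytes]:
    """Byte-by-byte recovery from a (match, time) oracle, as on the slides:
    at each position the candidate that runs strictly longest is correct.
    Returns None when no candidate stands out, i.e. nothing leaks."""
    guess = bytearray(length)
    for i in range(length):
        scores = []
        for candidate in range(256):
            guess[i] = candidate
            scores.append(oracle(bytes(guess)))   # a full match beats any timing
        best = max(scores)
        if scores.count(best) != 1:
            return None
        guess[i] = scores.index(best)
    return bytes(guess)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Leaky oracle: HMAC recovered. Hardened oracle: nothing recovered.
    Naive hash check: a glitch turns a patched 4BL into a valid one.
    Hardened check under the same glitch: still rejected."""
    n = len(SECRET_HMAC)
    leaky = recover_hmac(lambda t: check_hmac_leaky(SECRET_HMAC, t), n)
    hardened = recover_hmac(lambda t: (compare_hardened(SECRET_HMAC, t), n), n)
    good, bad = b"sha1-of-original-4BL", b"sha1-of-modified-4BL"   # constructed
    return (leaky == SECRET_HMAC,
            hardened is None,
            is_hash_valid_naive(good, bad, glitch=reset_register),
            compare_hardened(good, bad, glitch=reset_register))


if __name__ == "__main__":
    print(demo())
```

The recovery needs at most 256 tries per byte because the oracle's running time only depends on the length of the matching prefix; the hardened variant removes that dependency and also refuses to treat a zeroed register as success, which is the usual first line of defence against the glitch described on the previous slide.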
Xbox 360: conclusion

A good software architecture:
- Tiny and auditable hypervisor
- W^X
- Every executable piece of code is authenticated
- Secure boot process, eFuses against downgrade
- ...

... but:
- Some DMA attacks are still possible (thread states are unprotected)
- Some data is not authenticated
- Some cryptographic weaknesses have been exploited (timing attack, RC4)
- The console was not designed with hardware attacks in mind (glitch)
Choose your player: PS3 (skill level: Can I play, Daddy? / Don't hurt me. / Bring 'em on! / I am Death incarnate!)
PS3: architecture

CELL Broadband Engine (PPE + 8 SPE); PPE: classical 64-bit PowerPC architecture

[Diagram: the eight SPEs and the PPE are connected by the Element Interconnect Bus (EIB), together with the MIC (dual XDR, DDR2) and the BEI (FlexIO). Each SPE contains an SPU (SXU + LS) and an MFC; the PPE contains the PPU (PXU, L1, L2).]
Legend:
- SPE: Synergistic Processor Element; SPU: Synergistic Processor Unit; SXU: Synergistic Execution Unit; LS: Local Store; MFC: Memory Flow Controller
- PPU: Power Processor Unit; PXU: Power Execution Unit
- BEI: Broadband Engine Interface; MIC: Memory Interface Controller; XDR/DDR2: Extreme Data Rate / Double Data Rate 2
PS3: isolated SPE mode

SPE: code isolation / bootstrapping (root of trust)

[Diagram sequence: an SPE (SPU + MFC + local storage) holds a BOOTROM keyed with KCPU and is connected to the PPE over the EIB. (1) The PPE pushes the code through the MFC into the public part of the local storage. (2) The SPU switches to isolated mode: the code is moved into the private part of the local storage, where the BOOTROM processes it with KCPU, out of reach of the PPE.]
PS3: software architecture

- (ldr*) bootloaders:
  - First level: they bootstrap the SPE in isolated mode
  - Second level: they are executed by the first-level loaders
- Hypervisor (lv1): PPE in hypervisor mode
- GameOS / OtherOS (lv2 / -): PPE in supervisor mode; OtherOS = Linux (removed after the first attack on the console)
- Applications: PPE in user mode
PS3: secure boot

[Diagram, steps 1 to 7: the boot chain starts in the BootROM of an SPE and goes through bootldr (SPE0) and lv0 (PPE) to metldr (SPE2). metldr runs the second-level loaders on SPE2: lv1ldr, lv2ldr, isoldr, appldr and rvkldr. lv1ldr loads lv1.self (hypervisor, PPE); lv2ldr loads lv2_kernel.self (GameOS, PPE); appldr loads the PPE applications (ps2_emu.self, ps2_gxemu.self, ps2_so9emu.self, vsh.self); isoldr loads the isolated SPU modules (sv_iso_spu_module.self, sb_iso_spu_module.self, mc_iso_spu_module.self, me_iso_spu_module.self); rvkldr handles the revocation lists (rvklist / rvkprg). Each stage is verified and decrypted with the CPU key and ECDSA/AES.]
PS3: anti-downgrade and revocation

No hardware anchor (such as eFuses) for anti-downgrade.

    Component            CPU / Mode   Update   Revocation
    bootROM              Cell         No       No
    bootldr              SPE0         No       No
    lv0                  PPE/HV       Yes      No
    metldr               SPE2         No       No
    lv1ldr               SPE2         Yes      No
    lv1                  PPE/HV       Yes      No
    lv2ldr               SPE2         Yes      No
    lv2                  PPE/SP       Yes      Yes
    isoldr               SPE2         Yes      No
    appldr               SPE2         Yes      Yes
    games/applications   PPE/USR      Yes      Yes
PS3: security model

- The PPE / hypervisor is outside the TCB
- Sensitive elements are executed on the SPE
- All code is encrypted and signed
- Security through obscurity
- Encryption of the EIB bus (RAM, peripherals): DMA attacks are limited
- No W^X; the hypervisor verifies almost nothing
PS3: hello hypervisor, I'm geohot

Glitch: take control of the hypervisor from OtherOS/Linux.
- Does not give control over the other elements
- No game piracy possible

[Timeline 2006 to 2012, from the PS3 Fat to the PS3 Ultraslim: OtherOS; hypervisor glitch hack; PSJailbreak (USB/JIG); downgrade; bootldr key attack; ECDSA attack + lv2ldr key; metldr key attack.]
PS3: PSJailbreak

- First attack that allows game piracy
- Attack on the USB stack of lv2 (GameOS)
- No W^X: hypervisor fail
PS3: attacking the bootloaders

2010: major vulnerability in Sony's ECDSA implementation
- The same nonce was used for different firmware versions
- With two signatures, one can compute the private key!
- The boot chain is completely and permanently broken
PS3: conclusion

- Interesting exotic hardware platform (isolated SPE)
- DMA attack mitigations
- BootROM with a dedicated CPU key

... but:
- Limited hypervisor, not designed with security in mind
- No defense in depth (no W^X)
- Cryptographic fail (ECDSA)
- Boot chain with limited revocation and anti-downgrade features
- Security through obscurity (SPE code)
- Not designed with hardware attacks in mind (glitch)
Choose your player: PS4 (skill level: Can I play, Daddy? / Don't hurt me. / Bring 'em on! / I am Death incarnate!)
Playstation 4

- Produced by Sony Computer Entertainment in 2013
- Public hacking starting in 2015
PS4: architecture

Hardware architecture:
- SoC/APU AMD Jaguar (x86-64, 1.6 GHz, 8 cores)
- Same as the Xbox One

Software architecture:
- Kernel based on the FreeBSD 9.0 kernel (2012)
- Unlike on the PlayStation 3, Sony now builds its system on open-source software: WebKit; OpenSSL, Cairo, ...; LLVM/Clang
PS4: security

Security features:
- Secure boot
- Encrypted binaries (SELF), as on the PS3
- Modern mitigations: W^X (with x86 hardware support), ASLR, FreeBSD jails

Little or no public information about the hardware security features (DMA, encrypted bus, ...).
PS4: SPI flash cloning

First hardware attack: the Brazilian PS4 flash dump
- It is possible to clone the metadata stored in the flash
- No pairing between the SPI flash and the console
- Exploit kit based on a Raspberry Pi / Teensy
- Quickly patched
PS4: software exploit chain

[Diagram: user land (from 0x0000000000000000) and kernel land (0xffffffff80000000 to 0xffffffffffffffff). User input reaches (1) WebKit, which leads to (2) userland ROP, then (3) privilege escalation, ending in kernel-land code execution.]
PS4: WebKit vulnerability

- First true software attack (the same one works on the PS Vita)
- First entry point for reverse engineering
- CVE-2012-3748, heap overflow in the JavaScript VM: JS object corruption in JSArray::sort(...)
  - Gives read and write primitives inside the browser address space
  - Allows arbitrary code execution (overwriting a return address and some function pointers ...)
- Problem: Sony uses ASLR and W^X (FreeBSD)
PS4: userland ASLR/W^X bypass

[Diagram: the browser's process memory holds the executable, lib 1, lib 2 and libkernel (all RX) plus the heap and the stack (RW), with the kernel reachable only through syscalls. Initially the attacker knows none of the addresses (@?). (1) An address leak resolves the randomized base addresses. (2) A ROP chain is written onto the stack. (3) The chain drives syscalls through libkernel.]
PS4: sandboxing

The attacker is jailed inside the process memory (FreeBSD jails).

[Diagram: the browser process memory (executable, lib 1, lib 2, libkernel, heap, stack) is enclosed by the jail; the only way out is through syscalls into the kernel.]
PS4: native code execution by CTurt (@CTurtE)

A ROP chain is limited: native code execution is required.

Memory aliasing with different access rights:
- Request an RX shared memory allocation with sys_jitshm_create()
- Create an RW alias of it with sys_jitshm_alias()
- P1 => the payload with RW rights; P2 => the same payload with RX rights

[Diagram: from WebKit, libkernel issues the two syscalls; P1 (RW) and P2 (RX) are physical aliases of the same memory, so the payload written through P1 can be executed through P2 without ever holding a writable and executable mapping at once.]
PS4: syscall fuzzing and reverse engineering

At this point the attackers want kernel privileges.

Syscall reverse-engineering results:
- 532 FreeBSD syscalls
- 85 proprietary syscalls (Sony)
- The jail filters calls to critical syscalls (e.g. ptrace)

Unofficial SDKs have been released by the community.
PS4: exploit chain, userland part, by CTurt (@CTurtE)

[Diagram: user input reaches (1) WebKit, then (2) userland ROP, then (3) privilege escalation from user land into kernel land (0xffffffff80000000 to 0xffffffffffffffff), ending in kernel-land code execution.]
PS4: exploit chain, kernel part, by CTurt (@CTurtE)

[Diagram: (1) WebKit, (2) userland ROP, (3) userland code execution through libkernel, (4) a kernel write primitive (with constraints) obtained with BadIRET, used against the IDT, which FreeBSD leaves RW, and (5) the payload, giving kernel-land code execution.]
PS4: BadIRET kernel exploit

Originally discovered in Linux and later found to affect FreeBSD too:
- Fixed back in 2014 on FreeBSD
- Not fixed on the PS4 until firmware versions > 2.01
  - Rumor: Sony's security officer was replaced around this time ...
Linux / BSD: the BadIRET kernel vulnerability

[Diagram sequence: on an interrupt the CPU swaps the GS base from the user thread's to the kernel's (SWAPGS) and returns to user mode with IRET. When the IRET itself faults, the GS handling gets confused (GS confusion) and the kernel keeps running with a GS base that belongs to the user thread, so its per-thread accesses land in memory the attacker controls, where the payload and a fake IDT pointer sit. Exploitable because the IDT is RW and there is no SMEP and no SMAP.]
PS4: updating the IDT

[Diagram: the kernel write primitive overwrites the address of an interrupt vector in the IDT (entries #13, #PF 14 and #15 shown) so that it points at a payload in userland; raising that interrupt then runs the payload with kernel privileges.]
PS4: conclusion

- Sony has moved to a classical hardware platform
- Defense in depth (mostly FreeBSD features): W^X, userland ASLR
- Sony has removed vulnerable kernel modules (SCTP)

... but:
- Hardware probably not designed with security in mind
- Big holes in the defensive features: BadIRET not patched; Interrupt Descriptor Table (IDT) RW; no SMAP/SMEP
Conclusion

- Every penny is worth it when it comes to security
- Attackers always target the weakest point
- Attackers mix software and hardware; they do not distinguish between them
- Security must be seen as a whole, complex system issue
- Hardware and software design teams must communicate
Questions
Full paper (in French) can be downloaded here: http://goo.gl/J37lSK
