PS3 Security Julian Wechsler

PS3 Security Julian Wechsler. Overview Legal Issues DMCA Security Overview Exploits Geohots Exploit, PS Jailbreak Flaws ECDSA.

Mar 31, 2015

Transcript
Page 1

PS3 Security

Julian Wechsler

Page 2

Overview

Legal Issues

◦ DMCA

Security Overview

Exploits

◦ Geohot’s Exploit, PS Jailbreak

Flaws

◦ ECDSA

Page 3

Legal Issues

Sega v. Accolade: establishes that reverse engineering can count as fair use.

Lexmark Int’l v. Static Control Components: ruled that circumvention of Lexmark’s toner cartridge lock does not violate the DMCA.

Page 4

The basic question

If you purchase something, should you be allowed to do whatever you want with it?

Recently, it was established that people are allowed to jailbreak or root their phones.

From the 2010 DMCA anti-circumvention exemptions:

◦ (2) Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset.

How much of a stretch is it from cellphones to consoles?

◦ Homebrew vs. unofficial applications

Page 5

PS3 Security Overview

The hypervisor (aka lv1) controls access between the Game OS (lv2) and the low-level hardware, and enforces security.

Signed executables

Page 7

4 years, why?

For 3 years, the PS3 had an “OtherOS” feature, which let people run Linux, so there was no reason to hack it.

This feature was removed from the newer PS3 Slim models.

Geohot’s exploit: Sony responds by removing OtherOS from all units.

From that point, it took one year for the system to be cracked open.

Page 8

Geohot’s Exploit – Glitching Attack

The exploit is a Linux kernel module (hence requiring OtherOS) that makes various system calls to the hypervisor dealing with memory management.

A glitching attack involves sending a precisely timed voltage pulse that causes the hardware to misbehave in some manner.

◦ Here, used to glitch memory reads/writes

Page 9

Geohot’s Exploit

Goal: compromise the hashed page table (HTAB) to get read/write access to the main segment, which maps all memory, including the hypervisor.

The kernel module allocates memory, deallocates it, and then tries to use the deallocated memory as the HTAB for a virtual segment.

The glitch is meant to prevent the deallocation of the mapped memory from taking effect.

Page 10

Geohot’s Exploit – Step 1

Allocate a buffer. Make many requests to create lots of duplicate mappings to this buffer. Any one of these mappings can be used to read or write to it.

Page 11

Geohot’s Exploit – Step 2

Deallocate the buffer. The hypervisor will destroy all of the mappings, but if a successful glitch happens here, one mapping will remain intact.

Page 12

Geohot’s Exploit – Step 3

Lastly, create virtual segments until one of them has its HTAB placed in the buffer space that the kernel still has access to.

Since you can still read and write to that memory, the exploit writes HTAB entries that give it full access to the main segment, which maps all memory.

Page 13

Geohot’s Exploit – Effects

This exploit gives access to all memory, including the hypervisor.

So what does this mean? Not really that much. You get a lot of interesting memory dumps, but there isn’t much you can do with them at this point.

Regardless, Sony retaliates by removing the OtherOS feature completely to get rid of this exploit.

Page 14

PS Jailbreak, and all of its clones

The PSJailbreak emulates a 6-port USB hub, and attaches/detaches fake devices to it to manipulate the allocation and freeing of the various blocks of memory that hold the device and configuration descriptors.

A heap overflow is then used to execute shellcode.

Page 15

PS Jailbreak Effects

After loading the exploit, the payload patches the lv2 GameOS so that it can run unsigned code. For some reason, the hypervisor doesn’t check to make sure that code is signed.

Lv2 can also be patched to load games from the HDD. (Piracy!)

Lv1/hypervisor is still protected. (Not that it’s doing much at this point.)

Page 16

Signed Executables

Page 17

Sony’s ECDSA

An ECDSA signature consists of R and S, computed by:

$R = (m \cdot G)_x$ (the x-coordinate of the curve point $mG$)

$S = (e + kR) / m \pmod{n}$

where G is the curve’s base point of order n, e is the hash of the message, k is the private key, and m is a per-signature random number (the nonce).

The first equation can’t be solved for m because of the elliptic-curve discrete logarithm problem.

The second equation can’t be solved because it contains two unknowns (k and m).

Page 18

Sony’s ECDSA

However, m is supposed to be a random number, chosen fresh for every signature. For some reason, Sony uses the same random number every time.

With two signatures using the same m, you can easily solve for k, very easily obtaining the private key. Reusing m means both signatures share the same R, and subtracting the two S values cancels the unknown k, leaving one equation in one unknown:

$S_1 - S_2 = (e_1 - e_2)/m$, so $m = (e_1 - e_2)/(S_1 - S_2) \pmod{n}$

and once m is known, $k = (S_1 m - e_1)/R \pmod{n}$.

With this information, anyone can sign anything, and run it without having to preload any kind of exploit.
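The nonce-reuse recovery described above, as an added worked example that is not part of the slides and not Sony’s code. It uses the slides’ notation (k = private key, m = reused nonce, e = message hash, (R, S) = signature) on the standard secp256k1 curve; the private key, the fixed nonce and the message strings are constructed for the demo, and the hash is SHA-256 reduced mod n. Pure Python, no third-party libraries.

```python
"""
Recover an ECDSA private key from two signatures that reuse the nonce m,
then forge a signature with the recovered key (added example, not from the slides).
Notation follows the slides: k = private key, m = nonce, e = hash, (R, S) = signature
(textbook ECDSA calls these d, k, z and (r, s)).
"""
import hashlib

# secp256k1 domain parameters (standard, published values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(scalar, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while scalar:
        if scalar & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        scalar >>= 1
    return result


def msg_hash(msg: bytes) -> int:
    """e = SHA-256(message) reduced mod N (assumption for this demo)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(k, e, m):
    """ECDSA sign:  R = (mG)_x mod N,  S = (e + kR) / m mod N."""
    R = ec_mul(m, G)[0] % N
    S = (e + k * R) * pow(m, -1, N) % N
    return R, S


def verify(pub, e, sig):
    """Standard ECDSA verification against the public key pub = kG."""
    R, S = sig
    if not (0 < R < N and 0 < S < N):
        return False
    w = pow(S, -1, N)
    point = ec_add(ec_mul(e * w % N, G), ec_mul(R * w % N, pub))
    return point is not None and point[0] % N == R


def recover_private_key(e1, sig1, e2, sig2):
    """
    Two signatures with the same nonce m on different hashes e1, e2:
        S1 - S2 = (e1 - e2) / m   =>  m = (e1 - e2) / (S1 - S2)
        S1      = (e1 + k R) / m  =>  k = (S1 m - e1) / R
    Returns (k, m); raises if the signatures do not actually share a nonce.
    """
    R1, S1 = sig1
    R2, S2 = sig2
    if R1 != R2:
        raise ValueError("R differs: nonces are different, attack does not apply")
    if (S1 - S2) % N == 0:
        raise ValueError("identical signatures (same message): nothing to solve")
    m = (e1 - e2) * pow((S1 - S2) % N, -1, N) % N
    k = (S1 * m - e1) * pow(R1, -1, N) % N
    return k, m


# Constructed demo values: the private key and the "random number" reused every time.
PRIV_KEY = 0x3E9F1B2C7A5D4E6F8091A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F7
FIXED_NONCE = 0x1D2E3F40516273849506172839405162738495061728394051627384950617A3
PUB_KEY = ec_mul(PRIV_KEY, G)


def demo():
    """Sign two messages with the reused nonce, recover k, then forge a signature on a third."""
    e1, e2 = msg_hash(b"game-1.self"), msg_hash(b"game-2.self")   # constructed inputs
    sig1 = sign(PRIV_KEY, e1, FIXED_NONCE)
    sig2 = sign(PRIV_KEY, e2, FIXED_NONCE)
    assert sig1[0] == sig2[0]                  # identical R: the tell-tale sign of nonce reuse
    k, m = recover_private_key(e1, sig1, e2, sig2)
    e3 = msg_hash(b"homebrew.self")
    forged = sign(k, e3, 0x5EED)               # any nonce works once k is known
    return k == PRIV_KEY and m == FIXED_NONCE and verify(PUB_KEY, e3, forged)


if __name__ == "__main__":
    print("private key recovered and forgery verifies:", demo())
```

The R check in recover_private_key is the practical detector: scanning a corpus of signatures for repeated R values finds nonce reuse without knowing anything about the signer’s RNG.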