Cell's Security Architecture: Ibm's Prize And Sony's Achilles Heel

H

hey69

i have a monster
Veteran
The whole article can be read here
Cell aims to prevent attacks by having the hardware itself protect each individual application from other applications, and even from the OS. Any of Cell's eight synergistic processing elements (SPEs) can be booted, on-the-fly, in secure mode, so that the code and data stored in each SPE's local store is walled off from the rest of the system. This partitioning is enforced in various ways by Cell's hardware, with the end result being that the integrity of the code running on a secure SPE can be verified by the SPE; i.e. the SPE can check a thread at load-time and periodically during runtime to see if its code has been modified either in memory or in storage. Verified code can then be trusted to handle sensitive data, like digital media content.

Cell uses three primary security mechanisms and one auxiliary one to ensure code and data integrity at the hardware level. Here's a very brief rundown of these mechanisms; for more information check the paper linked above:

* Secure processing vault (SPV): An SPV is essentially an SPE running in secure mode. When in secure mode, the SPE's local store cannot be read from or written to by any other agent on the Cell's internal element interconnect bus (EIB). Only the SPE to which the local store is attached can access it. This means that encrypted data can be moved from main memory or storage into the secure local store, where the SPE can safely decrypt it out of sight of the rest of the system.
* Runtime secure boot: It does no good to create an SPV and move encrypted data into it if the code that's running on the secured SPE has been tampered with. Cell's runtime secure boot feature allows the SPE hardware to check periodically to ensure that the application it's running hasn't been modified. IBM is vague on exactly how this works, other than stating that it involves a hardware key and a cryptographic algorithm.
* Hardware root of secrecy: This feature is the heart of Cell's approach to software security. Cell stores a root key in hardware, and when an SPE boots in secure mode it must access that key in order to unseal the set of keys that it will use to decrypt the code and data that will go into its LS. Only an SPE running in secure mode with code that has been verified via runtime secure boot may ever access the root key.
* Hardware random number generator (RNG): Cell's hardware RNG can be used for a variety of cryptographic functions, and it will work in conjunction with the three previously described features. The paper suggests that it will be mainly used to timestamp messages so that replay attacks can be prevented.

The PS3's Achilles heel

A thorough and accurate evaluation of Cell's security mechanisms would be out of my league, even if it were possible given the information provided in the new paper (which it isn't). Nonetheless, I can draw a few significant conclusions from the general and somewhat spotty description provided by IBM.

First, IBM starts out the paper with an acknowledgment that Cell's security architecture is designed to thwart only software-based attacks. It's a truism in the infosec world that once an attacker has on-site, physical access to the hardware it's game over, so Cell sensibly doesn't even try to tackle that one. This being the case, I have one, hyphenated word for Sony headquarters: "mod-chip."

Because of Cell's high level of integration, where the bulk of the security architecture is on a single die, I'm not sure at the moment how mod-chipping will work on the PS3. However, it's a near certainty that someone will figure out how to compromise the box with a hardware modification of some sort. When a successful hardware-based attack is formulated, then Sony and IBM can't just release a patch that fixes the problem, and therein lies the weakness of hardware-based security.

...

Conclusions

...

If the PS3 were the only vehicle in the world for consuming Sony's and the *AA's digital content, then a perfectly secure, hacker-proof console design would ensure that none of that content leaks out onto the Internet in unsecured form. We all know, however, that this isn't the case. Sony will never see enough market penetration with the PS3 to profitably release PS3-only nongaming content. The company, like other content providers, will always have to deal with a multi-format, multi-platform world.

Thus the same songs, images, and movies that we'll see on the PS3 will also be made available on a wide variety of platforms with varying levels of security. All it takes is for one of those content delivery mechanisms to be compromised by someone with access to an Internet connection, and the cat is out of the bag. So in spite of Sony's best efforts with Blu-Ray and the PS3, consumers will always have the option of getting the same content for free off the Internet if Sony tries to price PS3 content too high or if they impose draconian usage restrictions.

source: Arstechnica (edit thanx for diamond G to point it out)
Click to expand...

Edit: Link to the article added and only parts of the article are kept. - Vysez
 
Last edited by a moderator:
Arstechnica was the source... I just finished reading that article. Even browsed the discussion.

I'm kind of at a loss. So is Ars saying that another SPE is going to be used for security?
It sounds like a noble effort though. I wonder how long before it is cracked, or at least circumvented. Oh, one last question. Someone in Ars asked why they couldn't update the firmeware to fix the hole. Is this a viable solution. Or are they stuck with what they have?
 
Diamond.G said:
I'm kind of at a loss. So is Ars saying that another SPE is going to be used for security?
Click to expand...

No. The OS SPE could be totally isolated from the rest of the system though, all the time, or when performing sensitive operations.

Also, the achille's heel they seem to suggest is that a hardware mod-chip could be produced to circumvent Cell's hardware security. This is obviously true, but the whole point is that this kind of attack is much more sophisticated and much less accessible than a software-based attack would be. If a software exploit is found, really anyone can take advantage of it by following the right steps. A mod-chip requires expertise, time and/or money spent on someone else's, to install one on your system, and it's quite a lot easier to zoom in on those providing such chips or installing them, and taking legal action.

Every system is vulnerable to software and hardware (mod-chip) exploits. The Cell security mechanisms are aimed minimising the possibility for the former, since they are the ones that are easier to implement and that are most likely to lead to widespread exploitation.

Also, as for hardware root keys - what's to stop each PS3 having a unique one? Ars seems to suggest once one system was cracked with a mod-chip, that same chip would work for them all. If the hardware root keys are all different, exposing it and configuring each mod-chip appropriately would be a lot of overhead for cracking each and every system.

To be honest, I'm not exactly sure what Ars's point is. No system is invulnerable. You can only keep raising the barrier to entry, so to speak, for aspiring hackers. IBM claims that Cell closes the door on slightly less-sophisticated, software-based attacks, and that would probably put exploits out of the reach of most people. IBM isn't claiming it's invulnerable, simply that they've added more and more security, such that it'll be less commonly easy to exploit.

By the way, IBM's own article on Cell security is here:

http://www.ibm.com/developerworks/power/library/pa-cellsecurity/
 
Last edited by a moderator:
Hardware root of secrecy: This feature is the heart of Cell's approach to software security. Cell stores a root key in hardware, and when an SPE boots in secure mode it must access that key in order to unseal the set of keys that it will use to decrypt the code and data that will go into its LS. Only an SPE running in secure mode with code that has been verified via runtime secure boot may ever access the root key.

the usual ars techinica armchair analysis...

genius...pure genius
 
What reason have Ars to believe that PS3 will only be using this Hardware Cell level security and not bother to have any patchable software security in place through the OS?
 
Running security software on semi-secure hardware is always better than running security software on insecure hardware ... in both cases the hardware is a fixed quantity which can not be upgraded, but in the latter you are screwed immediately and with the former you have some time.

Calling it an achilles heel is a bit silly.

If they did their job right it should at least be possible to guarantuee security for the online components of games, including additional content (because that could all be crypted for the specific machine, rather than be crypted with a universal code).
 
Is this type of security really that different than the type MS uses? From the little that I understand, it doesn't seem to be. Also worth noting is how they have moved most of the sensitive stuff to the CPU itself. I reckon it would be quite difficult to find holes, unless they make mistakes like MS did with the demo disk thing. All in all I am not too worried as I don't ever plan on hacking any of the systems I will own.

What do you guys think?
 
MfA said:
Running security software on semi-secure hardware is always better than running security software on insecure hardware ... in both cases the hardware is a fixed quantity which can not be upgraded, but in the latter you are screwed immediately and with the former you have some time.

Calling it an achilles heel is a bit silly.

If they did their job right it should at least be possible to guarantuee security for the online components of games, including additional content (because that could all be crypted for the specific machine, rather than be crypted with a universal code).
Click to expand...
Well, an Achilles Heel is the only single tiny weak spot in an otherwise inpenetrable defense, so I'd call that single way of cracking Cell's security an Achilles Heel myself.
 
Thought 'Achille's Heel' also means a weakspot that completely negates all other defenses and defeats the supposedly undefeatable. I certainly felt Ars were saying for all these security features, they'll do no good for PS3 security, and ignored the possibility of further OS securities being employed. I don't think it's fair to say this is the point to target that will utterly compromise the entire platform just yet.
 
predicate said:
Well, an Achilles Heel is the only single tiny weak spot in an otherwise inpenetrable defense, so I'd call that single way of cracking Cell's security an Achilles Heel myself.
Click to expand...

As opposed to the Achille's leg or lower body you might normally find ;)

There's no such thing as perfect security. The best you can hope for is that your system is so difficult to compromise, and so difficult to compromise on a wide scale, that only a few try and/or succeed. Limiting opportunity for software exploits is a good step in that direction. If Cell exploits were wholly limited to just hardware-based exploits (mod-chips), that'd be quite amazing, actually (though I have my doubts that'll actually be the case).
 
Last edited by a moderator:
Great article thanks for the post :) But one thing that strikes me about the "MOD" chip is the detection, could'nt the original X-box detect if a MOD chip was installed on the board?? Im sure of this as the penalty was being banned from XBL.

Could'nt Sony do the same thing?? Like while your connected to the internet playing a game etc... etc... they run some sort of a system hardware scan to search for foriegn objects on the board that are'nt supposed to be there? And then take the aporopriate action?
 
well compare it with the xbox and apparetnly the xbox360 where the achille is the dvd firmware.
you can now connect the xbox dvd drive to your pc, flash the firmare of it and voila you can play backups on it. (you can't execute unsigned code but thats not the main concern of the average pirat)
and this has been proven working also on the xbox360!
 
!eVo!-X Ant UK said:
Great article thanks for the post :) But one thing that strikes me about the "MOD" chip is the detection, could'nt the original X-box detect if a MOD chip was installed on the board?? Im sure of this as the penalty was being banned from XBL.

Could'nt Sony do the same thing?? Like while your connected to the internet playing a game etc... etc... they run some sort of a system hardware scan to search for foriegn objects on the board that are'nt supposed to be there? And then take the aporopriate action?
Click to expand...

sony has already something like that to prevent people from playing online with backups. it compares the serial or something like that with their database when a user is connected online
 
Shifty Geezer said:
Thought 'Achille's Heel' also means a weakspot that completely negates all other defenses and defeats the supposedly undefeatable. I certainly felt Ars were saying for all these security features, they'll do no good for PS3 security, and ignored the possibility of further OS securities being employed. I don't think it's fair to say this is the point to target that will utterly compromise the entire platform just yet.
Click to expand...
Nah, it doesn't negate the other security since unless you hit the Achilles Heel it's inpenetrable.
 
hey69 said:
sony has already something like that to prevent people from playing online with backups. it compares the serial or something like that with their database when a user is connected online
Click to expand...

No i mean scanning the PS3 HW it-self and running tests to see if anything is there that is'nt suposed to be there, or if some components are behaving abnormally because of a foreign MOD chip.

Think of it like a Extreme version of Valve's VAC2, only its scans the hardware and not the memory process's for anything dodegey ;)
 
hey69 said:
source: Arstechnica
Click to expand...

What can I say, I got to maybe the third or fourth paragraph and immediately I knew I would be seeing this at the bottom of the post. Maybe the alarmist article title should have alerted me? Ah well, it certainly is an interesting article and I think we might finally have an idea of what this 'OS reserved' SPE is being used for.
 
Mmmkay said:
What can I say, I got to maybe the third or fourth paragraph and immediately I knew I would be seeing this at the bottom of the post. Maybe the alarmist article title should have alerted me?
Click to expand...
Me too.

I can tell an article from Ars, just like I can tell an article from Anand's... It's automatic.
I don't know if it's something positive though.


And yeah, the article while informative is quite alarmist. How can a CPU with numerous hardwired security functions running a software layer of other security checks could be any worse then a CPU without hardwired security relying on software only?

It's a truism in the infosec world that once an attacker has on-site, physical access to the hardware it's game over, so Cell sensibly doesn't even try to tackle that one. This being the case, I have one, hyphenated word for Sony headquarters: "mod-chip."

Because of Cell's high level of integration, where the bulk of the security architecture is on a single die, I'm not sure at the moment how mod-chipping will work on the PS3. However, it's a near certainty that someone will figure out how to compromise the box with a hardware modification of some sort.
Click to expand...
A modchip for the internal functions of a CPU? In other words, inside the CPU?

It will take more than one of these "aha!" moments, the article is talking about, to come up with a feasible method to bypass CPU hardwired functions with a hand soldered chip.

About the conclusion. Let me ask, what kind of conclusion is that?
Since other DRM systems can be cracked, there's no use for Sony to provide a better protection for their PS3? What type of logic is that...
 
!eVo!-X Ant UK said:
No i mean scanning the PS3 HW it-self and running tests to see if anything is there that is'nt suposed to be there, or if some components are behaving abnormally because of a foreign MOD chip.

Think of it like a Extreme version of Valve's VAC2, only its scans the hardware and not the memory process's for anything dodegey ;)
Click to expand...

There is no need because the root-key is stored in hardware and you'll have to find someone with a very good forensics setup to retrieve the value.

If you do comprimise the root key, potentially, you can't do much. If they use PKC and the hardware root key is the public part you have to then back work the corresponding private part to have a pair that will allow you to encrypt/decrypt/verify arbitrary content. Now, unless you are a mathematical genius (and not yet been 'disposed' of by various parties) who can solve what is most likely problems in the field of discrete logarithms (ECC is the best bet for an on-chip solution) or numerical factorisation of large numbers (RSA) you're stuffed.

If, on the other hand, you are called Sony you can easily encrypt what you want with the secret ECC key and have it decrypt things straight into an SPE. Then you simply place another set of keys in your code and encrypt it all up and no one will be able to see them. This is cheap with ECC (even mobile phones can do this) and you very quickly set up a secure authentication system, as described in the original white paper, with whoever/whatever device you want. Things get even more complex if instead of the keys stored in the ROM being dynamic the ECC key is unique to each box also in which case you could crack one console but no more. So, to get your code to load you have to be signed and then you can quickly establish secure communication with any device on the system (and with things like Rambus bus probing will be tricky, also see how MS foiled it with the motherboard design with wires going everywhere) possibly using a OTP.

The Xbox360's only slip up in this plan was to leave the drive firmware unencrypted and allow you to patch the detection mechanism. MS can't fix this in old models (people can always emulate/patch around it) but in newer revisions they could easily put some secure loading mechanism (for a price) in the drive that prevents it.


Ars writes a few 'nice' articles for the masses occasionally but often there is a large helping of mis-understanding with a side order of bullshit on top which highlight his ignorance. It just so happens his 'nice' articles have gained him a reputation for being a credible technology informant.

EDIT:

Vysez said:
How can a CPU with numerous hardwired security functions running a software layer of other security checks could be any worse then a CPU without hardwired security relying on software only?
Click to expand...

Because a CPU with hardwired public key cryptography can start itself into a known trusted state.

This is the problem with TSR rootkits now, the OS is essentially inside a VM (which the rootkit controls) and is at the whim of it. Simply loading code from some ROM and executing it gives you this kind of problem because, contrary to it's name and popular belief, you can modify the ROM image. By signing the ROM (and having hardware which you cannot tamper with because it's in the bowels of the chip) you can do this because you know the ROM can only have come from one place: you (unless, as I say, you've done some very clever maths).

The point of the TPM/TCM and the Fritz chip that has been touted (see any new Intel Mac) is the ability to use this to eliminate the rootkit problem. It is an unfortunate consequence that, as MS has told everyone, you get amazing DRM powers and properitery format lock-in capabilities if you do this. Most people don't object to the concept of further security but in an open platform (rather than the closed platform console world) these things have the potential to be extremely damaging to customer choice and competition. Though the activists have been vocal, this hardware is being rolled out and used in OSX (for verification of legitimate Apple hardware) and in the upcoming Vista in BitLocker (which will cause problems because even the NSA/CIA/Police will be unable to decrypt things though technically they can't now). Where it will go is anyones guess.
 
Last edited by a moderator:
MfA said:
Calling it an achilles heel is a bit silly.
Click to expand...
It's completely ludicrous. PS3's security is no more an achilles heel than the 360s is, and considerably better than any previous console's.
 
You must log in or register to reply here.

Similar threads

P
The Nobel Prize in Physics 2024: John Hopfield and Geoffrey Hinton. They trained artificial neural networks using physics
Replies
8
Views
493
Davros
D
A
Understanding game performance through profiler trace graphs *spawn
2 3 4
Replies
66
Views
3K
XboxKING
X
D
AI Desktop Tools - Training and Inferencing
2
Replies
37
Views
6K
Deleted member 2197
D
R
State of GDeflate *spawn
2
Replies
25
Views
2K
Remij
R
S
Discussion about lighting (usage of lighting techniques).
2
Replies
21
Views
3K
Frenetic Pony
F
Back
Top