CPU Security Flaws MELTDOWN and SPECTRE in the Console Realm *spawn*

Discussion in 'Console Industry' started by iroboto, Jan 5, 2018.

  1. iroboto

    iroboto Daft Funk
    Legend Regular Subscriber

    Joined:
    Mar 6, 2014
    Messages:
    7,566
    Likes Received:
    5,835
  2. DSoup

    DSoup meh
    Legend Veteran Subscriber

    Joined:
    Nov 23, 2007
    Messages:
    10,732
    Likes Received:
    5,552
    Location:
    London, UK
    To be clear, all consoles are impacted by this. AMD cores are less susceptible, not immune.
     
  3. iroboto

    iroboto Daft Funk
    Legend Regular Subscriber

    Joined:
    Mar 6, 2014
    Messages:
    7,566
    Likes Received:
    5,835
    To be clear, his exact words are:
    The security architecture of Xbox already _mitigates_ against the recent chip-related security vulnerabilities.
     
    Shifty Geezer likes this.
  4. AlBran

    AlBran Ferro-Fibrous
    Moderator Legend

    Joined:
    Feb 29, 2004
    Messages:
    20,492
    Likes Received:
    5,599
    Location:
    ಠ_ಠ
    Speculation on what that means ? :p
     
    DSoup likes this.
  5. Shifty Geezer

    Shifty Geezer uber-Troll!
    Moderator Legend

    Joined:
    Dec 7, 2004
    Messages:
    40,293
    Likes Received:
    10,589
    Location:
    Under my bridge
    Yes, he's not saying AMD makes them immune, but XB1's security overall isn't affected.

    Edit: Why is this in the KB+M thread??
     
    RootKit and iroboto like this.
  6. DSoup

    DSoup meh
    Legend Veteran Subscriber

    Joined:
    Nov 23, 2007
    Messages:
    10,732
    Likes Received:
    5,552
    Location:
    London, UK
    I'm just clarifying that mitigate means to lessen. The papers published and comments made by AMD, Apple, ARM and Intel detail the problem in sufficient detail that it's known there is no definitive fix to most processor cores without an impact to performance. Microsoft will certainly have deployed the same patches to Xbox One's hypervisor as they have to their other software. Fuller solutions have yet to be deployed - then the performance impact will be known.

    Of all products that might be targeted with a compromise, consoles are likely on the bottom of that list given the limited avenues for new software to be deployed on them and that very little sensitive data is ever stored on them.
     
    Shifty Geezer likes this.
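    The post above notes that the patches already deployed are partial and that fuller mitigations are still to come. On Linux the kernel reports the current state per issue as one text file under /sys/devices/system/cpu/vulnerabilities/ (for example "Mitigation: PTI", "Vulnerable", "Not affected"). The following is an added example, not code from the thread or from any console vendor: a small C reader and classifier for those reports. The status prefixes are the kernel's own; the multi-line sample report is constructed for the example, and the `read_sysfs_status` helper simply returns "unknown" where the file does not exist.

```c
/* Added example: classify Linux's per-issue CPU mitigation reports.
 * Each file under /sys/devices/system/cpu/vulnerabilities/ holds one
 * line such as "Mitigation: PTI", "Vulnerable" or "Not affected".
 * The sample report at the bottom is constructed, not captured. */
#include <stdio.h>
#include <string.h>

enum mitigation_state { MIT_NOT_AFFECTED, MIT_MITIGATED, MIT_VULNERABLE, MIT_UNKNOWN };

/* Map one kernel status line to a coarse state. */
enum mitigation_state classify_status(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return MIT_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return MIT_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return MIT_VULNERABLE;
    return MIT_UNKNOWN;
}

/* Read the live report for one issue name (e.g. "meltdown",
 * "spectre_v2").  Returns MIT_UNKNOWN when the file is absent, which
 * is the case on older kernels and on non-Linux systems. */
enum mitigation_state read_sysfs_status(const char *issue)
{
    char path[256], line[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", issue);
    FILE *f = fopen(path, "r");
    if (!f) return MIT_UNKNOWN;
    if (!fgets(line, sizeof line, f)) { fclose(f); return MIT_UNKNOWN; }
    fclose(f);
    return classify_status(line);
}

/* Count the lines of a "name: status" report that are still
 * Vulnerable.  Returns -1 if a line has no "name:" prefix. */
int count_vulnerable(const char *report)
{
    int n = 0;
    const char *p = report;
    while (*p) {
        const char *colon = strchr(p, ':');
        const char *nl = strchr(p, '\n');
        if (!nl) nl = p + strlen(p);
        if (!colon || colon > nl) return -1;
        const char *status = colon + 1;
        while (*status == ' ') status++;
        if (classify_status(status) == MIT_VULNERABLE) n++;
        p = *nl ? nl + 1 : nl;
    }
    return n;
}

/* Constructed sample in the same "issue: status" shape you would get
 * from `grep . /sys/devices/system/cpu/vulnerabilities/*`. */
const char sample_report[] =
    "meltdown: Not affected\n"
    "spectre_v1: Mitigation: __user pointer sanitization\n"
    "spectre_v2: Vulnerable\n"
    "spec_store_bypass: Vulnerable\n";

int main(void)
{
    printf("constructed sample: %d issue(s) still vulnerable\n",
           count_vulnerable(sample_report));
    printf("live meltdown status: %d (3 = unknown/not Linux)\n",
           (int)read_sysfs_status("meltdown"));
    return 0;
}
```

A "Vulnerable: ..." line with trailing detail still counts as vulnerable, which is what you want when deciding whether a host has actually received the fuller fixes the post mentions.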
  7. BRiT

    BRiT (╯°□°)╯
    Moderator Legend Alpha Subscriber

    Joined:
    Feb 7, 2002
    Messages:
    12,007
    Likes Received:
    8,105
    Location:
    Cleveland
    I don't think that's what they're concerned about. MS and Sony should maybe be more concerned about these flaws being used to abuse/crack/hack their console into the sea of pirates. All it takes is to pick up the $100 Self-Dev License and flip the Xbox One console into Developer mode and then the hackers can run whatever exploits they want and try to glean more super secret sauce from the Console OS. Though maybe Sony isn't too worried because they already had their entire 4.05 kernel dumped (16 bytes at a time).

    EDIT: They also might not be concerned about Games breaking out but more of the Apps breaking out, since the games already need to undergo certain certification steps. On the MS side they're already in a UWP confined space, so perhaps adding more protection to that wouldn't have any consumer-facing impacts unless there are Games running under the UWP framework.
     
    Grall likes this.
  8. DSoup

    DSoup meh
    Legend Veteran Subscriber

    Joined:
    Nov 23, 2007
    Messages:
    10,732
    Likes Received:
    5,552
    Location:
    London, UK
    I'm sure there is a degree of piracy on the console market but, judging by the sales numbers of most games, it's marginal at most. As for hackers, they'll be trying to crack the systems regardless and not necessarily for any malevolent intent.

    But to what end? To get rogue code onto the console it either has to be done by the user themselves utilising another exploit, or it has to slip through the certification programmes of Microsoft and Sony. Discovery would lead to instant developer rights banishment and you'd have to invest in developing a genuinely appealing application concealing the rogue code to begin with. And for what?

    I don't get it. Exploits on desktop computers and phones are worrisome because people store the most sensitive information in their lives on those devices, sufficient information to commit convincing identity fraud or even access banking information. Who has that kind of information on a console? The payoff has to be worth the effort.

    Danny Ocean wouldn't have assembled Brad Pitt, Matt Damon and Don Cheadle to steal your Xbox Live account details :nope:

    yesterday's xkcd :mrgreen:

     
    #8 DSoup, Jan 6, 2018
    Last edited: Jan 6, 2018
    Andre Siqueira, Grall, Malo and 2 others like this.
  9. 3dilettante

    Legend Alpha

    Joined:
    Sep 15, 2003
    Messages:
    8,061
    Likes Received:
    2,717
    Location:
    Well within 3d
    There are a number of possible factors that could go into that claim.
    AMD seems insistent that none of its cores perform the sort of speculation that leads to Meltdown.
    In terms of the kernel, there are 2 or 3 depending on how one considers the hypervisor.
    The game partition has its OS, and effectively one user process space. The bulk of the Spectre scenarios involve leaking data from other processes within an OS without leaving the current privilege level.
    Leaking into another OS, be it the application or hypervisor one, is outside the scope of Spectre as we know it.

    Some variations on getting the kernel to mispredict and run the wrong code can be partially mitigated from within the application or game partition for a subset of services that either console maker might be running behind some kind of queue or API and might be running on a reserved CPU.

    Microsoft, by using some form of Windows, is likely using KASLR in some of the partitions. The PS4 jailbreak has indicated that for some time Sony hasn't bothered with KASLR. I believe its virtualization is container-based, which to my recollection might not be sufficient to isolate domains to prevent Spectre.
    There is a potential in specific areas like decoding media that Sony has hidden behind a secure API and other services that might run on the reserved core, helping mitigate certain forms of Spectre.
     
    AlBran, BRiT and DSoup like this.
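    The post above describes the Spectre scenario that stays inside one privilege level: code gets a bounds check mispredicted and speculatively reads past an array. The standard software mitigation for that variant is to make the index itself safe on the speculative path, which is what Linux does with its array_index_nospec helper. The following is an added example, not code from the thread or from Microsoft, Sony or AMD: the unhardened lookup pattern next to the masked version. It assumes a two's-complement long with an arithmetic right shift (as gcc and clang provide) and an array size below LONG_MAX, the same assumptions the kernel's generic implementation makes; the lookup table is constructed for the example.

```c
/* Added example: branchless index masking against Spectre variant 1
 * (bounds-check bypass).  Even if the CPU speculates past "idx < size",
 * the index actually used is forced to 0 instead of an out-of-bounds
 * value, so no secret-dependent cache line gets touched.  Assumes an
 * arithmetic right shift on signed long (gcc/clang) and size < LONG_MAX. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Returns ~0UL when idx < size and 0 otherwise, computed without a
 * comparison the compiler could lower to a (speculatable) branch.
 * Same construction as Linux's generic array_index_mask_nospec(). */
unsigned long index_mask_nospec(unsigned long idx, unsigned long size)
{
    return (unsigned long)(~(long)(idx | (size - 1 - idx))
                           >> (sizeof(long) * CHAR_BIT - 1));
}

/* Convenience wrapper: the index if in bounds, 0 if not. */
unsigned long clamp_index_nospec(unsigned long idx, unsigned long size)
{
    return idx & index_mask_nospec(idx, size);
}

/* Constructed lookup table; stands in for any array an untrusted
 * index selects from (a syscall argument, a message field, ...). */
static const unsigned char table[16] =
    { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };

/* Unhardened pattern: architecturally correct, but after a mispredicted
 * branch the CPU may speculatively read table[idx] for idx >= 16. */
int lookup_plain(size_t idx)
{
    if (idx < sizeof table)
        return table[idx];
    return -1;
}

/* Hardened pattern: the same check, then masking so the speculative
 * path can only ever touch table[0]. */
int lookup_hardened(size_t idx)
{
    if (idx < sizeof table) {
        idx = clamp_index_nospec(idx, sizeof table);
        return table[idx];
    }
    return -1;
}

int main(void)
{
    /* Both return the same results architecturally; the difference is
     * only what the speculative path is allowed to read. */
    printf("in bounds:  plain=%d hardened=%d\n", lookup_plain(7), lookup_hardened(7));
    printf("out of bounds: plain=%d hardened=%d\n", lookup_plain(40), lookup_hardened(40));
    printf("clamp(40,16)=%lu clamp(15,16)=%lu\n",
           clamp_index_nospec(40, 16), clamp_index_nospec(15, 16));
    return 0;
}
```

The other common choice is a speculation barrier (an lfence on x86) after the check; masking is preferred in hot paths because it costs a few ALU instructions rather than draining the pipeline, which is the kind of trade-off behind the performance worries elsewhere in this thread.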
  10. Shifty Geezer

    Shifty Geezer uber-Troll!
    Moderator Legend

    Joined:
    Dec 7, 2004
    Messages:
    40,293
    Likes Received:
    10,589
    Location:
    Under my bridge
    To be clear then, this isn't about people gaining access through secret little programmes, but about programs running on the system being able to hijack it. So the only worry is if some published game is screwing around trying to hack your console? The fear here is that, post Lootboxgate, EA is going to try to steal your credit card details directly?
     
  11. DSoup

    DSoup meh
    Legend Veteran Subscriber

    Joined:
    Nov 23, 2007
    Messages:
    10,732
    Likes Received:
    5,552
    Location:
    London, UK
    The researchers demonstrated Spectre can be utilised to undermine the integrity of virtual machines and sandboxes; the extent of the compromises isn't yet known because it's more complex to achieve. Everybody is freaking out over Meltdown because it looks worse. It looks worse because it is fully understood. How far Spectre reaches isn't fully known and is far more complicated to fix. It may never be fixed until new processor designs.

    Right now, it's just fear fuelled by poor media coverage. Well it's not all bad, but mostly. Every device you own is full of exploits but they're not an issue unless somebody is trying to exploit them. For somebody to want to do that there needs to be a reason and a vector of attack. Consoles are not good targets for either. Established games publishers are not going to be doing this. No, not even EA. :nope:

    The only information of worth on a console is probably your credit card and login details for any services you use. So not really much. Well not on PlayStation, I don't know what the UWP application scene on Xbox One is like. The ability to run UWP apps both increases the vector of attack (a rogue UWP app) and possibly increases the likelihood that somebody has more sensitive information on their console in another UWP app.

    It still seems pretty far fetched. Why go through all the hurdles of getting a rogue app on a relatively small console base when there are juicy pickings to be had with smartphones and desktop operating systems?
     
    #11 DSoup, Jan 6, 2018
    Last edited: Jan 6, 2018
  12. 3dilettante

    Legend Alpha

    Joined:
    Sep 15, 2003
    Messages:
    8,061
    Likes Received:
    2,717
    Location:
    Well within 3d
    Neither type of attack on its own can hijack the system, as they only leak data. Some of that could provide data valuable outside of the system, like leaking password entry or any stored user or account data.
    Other pieces of data may be useful in finding a function or attack vector, or some key values.

    The PS4's inability to isolate its javascript engine in its browser partially mirrors the javascript proofs of concept for Spectre, although the jailbreak had much lower-hanging fruit in the form of available system calls that would dump kernel information and a security exploit that could elevate permissions. Part of the hack involved corrupting a system-level interrupt descriptor table that at least at that version was not properly gated from being modified. Maybe it could be better isolated with virtualization, if the hypervisor might have prompted the guest OS to make the structure's write access restricted, or the hypervisor might have caught the attempt. Also, if the KASLR changes being made for Meltdown were in effect, and Sony had bothered to use KASLR, the various leaked kernel addresses would be more randomized or hidden, and possibly some of the call chain would run into problems with kernel pages not being available to the web browser.

    However, since AMD doesn't want those KASLR changes, I guess things would stay non-random and more hackable.
     
    DSoup likes this.
  13. 3dilettante

    Legend Alpha

    Joined:
    Sep 15, 2003
    Messages:
    8,061
    Likes Received:
    2,717
    Location:
    Well within 3d
    I missed the patches indicating Spectre could get to another VM, but it makes sense.

    There's also the overall goal of hacking the platform, which may mean piracy or getting to some of the keys that might be useful for creating more potent attacks on the services or malware.
     
    DSoup likes this.
  14. DSoup

    DSoup meh
    Legend Veteran Subscriber

    Joined:
    Nov 23, 2007
    Messages:
    10,732
    Likes Received:
    5,552
    Location:
    London, UK
    Yup. You're obviously in the industry so you're likely seeing the same non-published material I'm seeing - if anybody can keep up with it all - or you soon will. 5715 presents a challenge.

    Yeah, BRiT's point too. I'm still not sure many people, apart from folks like us on boards like this, care that much. Generally you're hacking for one of two reasons: curiosity or piracy. Is the piracy scene really that big on consoles? It doesn't feel it compared to when I recall owning a PlayStation where everybody I knew had a modded unit and a pile of burned pirated games.
     
    BRiT likes this.
  15. 3dilettante

    Legend Alpha

    Joined:
    Sep 15, 2003
    Messages:
    8,061
    Likes Received:
    2,717
    Location:
    Well within 3d
    Distant periphery perhaps, although I do recall reading advisories for AWS and Azure clients indicating there was no cross-instance leakage, but that was probably after their downtime that probably patched the hosts.
    In that regard, the Xbox One's multiple partitions might function in a similar manner, and could allow a hypervisor patch without perturbing the game or application OS.

    I'm not sure where that leaves the other consoles, or if fixing just the hypervisor can leave the game OS without the penalties associated with some of the mitigations.

    Piracy is usually a question that soon follows, but I don't know the extent. In countries where the hobby is more expensive, it seems to be more prevalent. The PS3's hack showed there's always the chance of a more titanic screw-up that might leave some more powerful and useful credentials available if you dig deep enough.
    That also showed that there's a motivation to safeguard a device that media companies fear might bypass their protections, given Sony yanked Linux after the fact.
    Maybe it could serve as a PSN hack vector as well.
     
  16. DSoup

    DSoup meh
    Legend Veteran Subscriber

    Joined:
    Nov 23, 2007
    Messages:
    10,732
    Likes Received:
    5,552
    Location:
    London, UK
    Publicly, folks are working with the attack the researchers developed but Spectre is a method of attack, similar to virii and malware. Unlike Meltdown, where the OS vendor can change code (with some performance hit), there will inevitably be variations of Spectre that work around whatever mitigations operating systems vendors put in place.

    Personally I am not worried about my IT. I'll continue not installing untrusted software on my machines or visiting shady places on the internet. :yes: Well, apart from Beyond3D.
     
    Andre Siqueira and BRiT like this.
  17. Shifty Geezer

    Shifty Geezer uber-Troll!
    Moderator Legend

    Joined:
    Dec 7, 2004
    Messages:
    40,293
    Likes Received:
    10,589
    Location:
    Under my bridge
    So when piracy was easy, piracy was rife, and when it wasn't easy, it wasn't. So if it becomes easy again, what's gonna happen?
     
    BRiT likes this.
  18. DSoup

    DSoup meh
    Legend Veteran Subscriber

    Joined:
    Nov 23, 2007
    Messages:
    10,732
    Likes Received:
    5,552
    Location:
    London, UK
    People will likely have to choose between piracy and having an online console.
     
  19. Tkumpathenurpahl

    Regular Newcomer

    Joined:
    Apr 3, 2016
    Messages:
    963
    Likes Received:
    684
    So a multi-console household will take on a different meaning.
     
  20. iroboto

    iroboto Daft Funk
    Legend Regular Subscriber

    Joined:
    Mar 6, 2014
    Messages:
    7,566
    Likes Received:
    5,835
    Xbox OS mimics fairly closely Windows 10 S. Locked to run UWP apps in a container signed by Microsoft. UWP apps in particular can be deployed on any Windows 10 device with particular ease; when you open up m/kb on a console to run the very same apps that run on your desktop, laptop, Surface, HoloLens and smart phone, then a console can become a vector for attack onto the other areas of your ecosystem. Obtaining access to someone's Microsoft account is painful when we take into consideration how many products they have that carry monthly subscriptions for service (and thus Microsoft accounts act as a single sign-on).

    It's not far fetched, it's reassurance that the platform as a whole is secure. Especially if you intend to make future announcements about the types of software that could be coming to the device in the near future that could involve say the use of mouse and keyboard.
     