Interview with Chris Satchell - XNA and Security

[Shifty Geezer]

Dangerous ?

http://www.eurogamer.net/article.php?article_id=131495

Eurogamer: The peer-review system seems like it has the potential to be used outside XNA. One of the things that's in the headlines a lot is Epic's problem of wanting to do modifications for Unreal Tournament 3. Is the peer-review system something that could be reused to allow modified content of that nature?


Chris Satchell: There's two parts to that question. Let me address the first one. I think, assuming we're successful, I think the pipeline really is an incredible piece of innovation that will definitely enable other scenarios, and what's important about it is it's really addressing some of the problems with user-generated content.
I think we're seeing from some of the lawsuits out there - outside of our industry - that just saying you have reactive takedown isn't enough. You need to be more proactive about protecting people's IP and having content that's acceptable. So I think that's a major innovation. I absolutely believe that our pipeline, if successful, can help inform the design of those or even be used directly for other parts of our business.
Now the modding's a little different. Yes it could help rate mods, but the core issue of modding is what we talked about earlier - if you're not running in that sandbox, how do you guarantee security?
That's really where we've got stuck - making sure that nothing will hurt the user's system, and I'm a little disturbed when I think about other systems and people using what we call native code - code that goes right down to the metal - and then allowing people to run script mods on top of that without the right security measures. It could be really dangerous.
We've drawn a hard line because we very much care about security, and it seems like some other platforms don't seem to care quite as much. That kind of worries me for consumers. But all I can control is what we do on our platform, so that's where I'm going to focus - we're going to keep you safe because that's really important to us.

It's not really appropriate to class UT3 mods as dangerous, and Satchell took the chance for bit of FUDing to question system security of other platforms, but the whole topic of user mods has been downplayed as 'dodgy'. MS reviewed mods could make it, but I don't think open mod supported will ever feature - it was announced for PS3 but never XB360, and MS seem to be against it, against very open public content creation outside of XNA.

 

[patsu]

There are many dangers:
* Obscenity
* Stolen IPs (during modding)
* Piracy
* Denial of service

Sony and the developers should already be aware of such exploits and are prepared to address them. Where UT3 mods are concerned, it's an overblown issue. Since Xbox 360 has built-in network, Microsoft is already on the hook. I don't see Xbox Live removing the messaging feature because people have been sending obscene attachments to others who defeated them (You can't peer review messages).

Whats more, some of these community and modding stuff need not be run by Sony themselves (Sony, go partner with Atari if you have not already done so. Keep your corporate lawyers at bay).

It is also not an all-or-nothing endeavour. Sony's parental control offers multiple ways and levels, but it's too confusing to use at this point.

Community-wise, I don't know whether Sony realize it or not, the Home beta is important in more than one way. They should be able to build a community management framework from the s-l-o-w beta (by identifying the right people to help enforce moderation). They have the time to do so now.


EDIT: Microsoft's attitude towards modding is likely based on other economical and marketing reasons.

 

[BoardBonobo]

Well Microsoft would much prefer to charge for mods, calling them secutiry risks is just putting spin on it. If they can't get cash off you then they're not going to bother.

 

[betan]

Well Microsoft would much prefer to charge for mods, calling them secutiry risks is just putting spin on it. If they can't get cash off you then they're not going to bother.

That's not XBL but a XNA guy, raising a reasonably valid point regarding security.
.net framework shift the security responsibility from application to runtime environement (bytecode interpreter, or even compiler) which is easer to manage.

I have been long curious about mod security on PS3, surely Sony cannot put too much faith on 3rd party applications like Unrealscript interpreter or virtual machine. There needs to be OS level restrictions applied to "user" application.

I'm sure there are many in place, yet if I was to hack PS3 I would probably start with investigating UT3 bugs.

 

[patsu]

He seems to be mixing up the issues though. Peer review is not going to catch security bugs in XNA programs. There is no incentive to do so. It's back to square one: How can Microsoft trust a third party to do his/her job ?

Peer review works better to identify obscene content.

Where security is concerned, the best way is to ensure user scripts run in a hardware-enforced sandbox/VM. Whether it's enough or not, we will need to investigate deeper.

.net framework shift the security responsibility from application to runtime environement

Betan, this is in general not true. The weakest link is always the problem. An application must be fully responsible for its own action. The middleware has its own security issues to deal with.

 

[Shifty Geezer]

Where security is concerned, the best way is to ensure user scripts run in a hardware-enforced sandbox/VM. Whether it's enough or not, we will need to investigate deeper.

Isn't that the nature of PS3 though, with the Hypervisor and OS running in a discrete process that's inaccessible from other software? The risks are basically either someone crumming your machine or data, or stealing info like your credit card details or account. Do any titles have access to those subsystems outside of Sony's libraries? If not, the worst a game mod can do is mess up the game it's running in.

This is the same in principle as XNA, isn't it? XNA provides a limited access framework and software running within that has no access beyond the resources being offered. It seems to me that the concerns perhaps arise from the fact MS haven't isolated the hardware as much as PS3 has done, and for them mods would have (unrestricted) access to the core systems, and MS needed to create the XNA 'sandbox' to keep out code in a way PS3 does. I may be understanding this all wrong, but if code had a way to pick through PS3's OS systems, I'd have thought the open Linux platform would have thrown up the holes, certainly if they're obviously enough that a UT3 mod can make use of them. Or does Linux run in a different 'mode' to games?

 

[patsu]

Probably an open issue.

The XNA guy was talking about UT3's modding engine running outside of MS's sandbox. If so, the solution is to come up with a good enough sandbox for this sort of thing. PS3 may have something that fits the bill, but it really depends on the actual implementation.

 

[Shifty Geezer]

The XNA guy was talking about UT3's modding engine running outside of MS's sandbox. If so, the solution is to come up with a good enough sandbox for this sort of thing. PS3 may have something that fit the bills, but it really depends on the actual implementation.

Right, but isn't the PS3 'sandbox' intrinsic in the hardware design? The areas MS want to keep developers out of with their sandbox are already off-limits in PS3, so there's no risk, other than the sandbox being hacked which is an inherent risk with any system. I think PS3 has the security in check and so Sony are more open to modding, whereas XB360 doesn't so MS are more reticent, instead creating a separate sandbox for user creation activities. I don't see how UT3 mods can be a serious security thread, but if MS are taking this stance, isn't that going to impact the machine across all titles? Then again if barely any titles have that much low-level user-created content, they're not really missing much! User created content using in-engine tools are the principal form of UGC and that's fine and dandy.

 

[betan]

Betan, this is in general not true. The weakest link is always the problem.
An application must be fully responsible for its own action.

I disagree naturally.
There is a big difference between range of security bugs in a poorly written "managed code" running under a secure runtime environment and range of security bugs in a poorly written low level code running under OS.

 

[patsu]

Yes, there are some problems you can take away from the developers, but the problem still exist in the app space.

What managed code does best is to minimize sloppy code, pointer errors and recover from exceptions, but they can't assume all the security responsibilities. The app designer/developer has to understand the issues on hand too (especially domain specific logic checks).

What a sandbox does best is to prevent compromise to the underlying system, but it does not guarantee that the app (data) cannot be compromised. For example, UT3 high score may be changed via some high level means, but the PS3 is still fine.


EDIT:
Shifty, I see what you're saying. I am somewhat surprised at MS's comment about lack of sandbox though.

 

[betan]

Yes, there are some problems you can take away from the developers, but the problem still exist in the app space.

What managed code does best is to minimize sloppy code, pointer errors and recover from exceptions, but they can't assume all the security responsibilities. The app designer/developer has to understand the issues on hand too (especially domain specific logic checks).

What a sandbox does best is to prevent compromise to the underlying system, but it does not guarantee that the app (data) cannot be compromised.

I agree with that, and although it wasn't clear in my first post, I tried to make it clearer in the subsequent one that security problems for managed code can still exist.
However, most of the security problems do stem from buffer overflows and other poor memory management practices anyway. And this is just for applications' address space.
Managed code still does better at protecting the lower level compared to low level code.

For example, UT3 high score may be changed via some high level means, but the PS3 is still fine.

Are you saying PS3 game applications run in a fully sandbox environment?

 

[Shifty Geezer]

Are you saying PS3 game applications run in a fully sandbox environment?

That depends on what people mean by 'sandbox'. I think the term is being somewhat misapplied. PS3 has a distinct division between gaming systems and OS systems, AFAIK, with OS functions performed on a SPE with locked-out security, via the Hypervisor functionality on Cell. This I think is different to XB360 where the OS functions are running on the same cores as the game, and so some funky register accessing may allow hacks into the system resources. The creation of a sandbox is a software controlled regulation of code with the applicable resources overhead.

Though I'm not a hardware securities expert, or even moderately clued up on all this jazz, so clarification from those more in the know would be welcome!

 

[BoardBonobo]

In terms of software control the Cell has a quite acapable set of security systems built in to manage software and access to other parts of the system. Link. Then again it depends on how much of this Sony have decided to implement.

 

[betan]

That depends on what people mean by 'sandbox'. I think the term is being somewhat misapplied. PS3 has a distinct division between gaming systems and OS systems, AFAIK, with OS functions performed on a SPE with locked-out security, via the Hypervisor functionality on Cell. This I think is different to XB360 where the OS functions are running on the same cores as the game, and so some funky register accessing may allow hacks into the system resources. The creation of a sandbox is a software controlled regulation of code with the applicable resources overhead.

I think this discussion needs a new thread, but I'm going to be really surprised if OS runs on SPUs.
There is interrupt and exception handling, possibly context switching and other typical OS responsibilities that would not be feasible from SPUs. Those would not be suitable for a regular hypervisor either.

 

[AlNom]

I think this discussion needs a new thread

Done.

 

[patsu]

Where is the PS3 Hypervisor ? http://forum.beyond3d.com/showthread.php?t=45715

 

[Shifty Geezer]

Thanks AlStrong for beating me to the punch!

I think this discussion needs a new thread, but I'm going to be really surprised if OS runs on SPUs.
There is interrupt and exception handling, possibly context switching and other typical OS responsibilities that would not be feasible from SPUs. Those would not be suitable for a regular hypervisor either.

Okay, patsu thread revision is very useful, in a 'not really clarifying anything' way Ignoring terms like Hypervisor and OS, which are too broad to be covered within a single Cell feature and somewhat muddled terms to boot, the SPE's can run in a hardware lock-down mode, and the reserved SPE is seen as performing security doodads for the OS. The scope of which we don't know. But there is still a hardware security measure in effect which, common sense would tell us, has to be there to prevent the usual hacks from working. If a scripting overflow bug can cause the system to be compromised, what is the SPE doing?

Perhaps public information on the workings of the SPE won't ever come to light, unless they're hacked, because no-one involved is going to want to tell the hackers where to target! Without that knowledge, I still understand there to be a hardware separation between core OS security and the access games and Other OSes have to the hardware which provides security that Satchell's comments hit upon.

 

[betan]

Thanks AlStrong for beating me to the punch!

Okay, patsu thread revision is very useful, in a 'not really clarifying anything' way Ignoring terms like Hypervisor and OS, which are too broad to be covered within a single Cell feature and somewhat muddled terms to boot, the SPE's can run in a hardware lock-down mode, and the reserved SPE is seen as performing security doodads for the OS. The scope of which we don't know. But there is still a hardware security measure in effect which, common sense would tell us, has to be there to prevent the usual hacks from working. If a scripting overflow bug can cause the system to be compromised, what is the SPE doing?

Encryption/decryption and authentication of executables and data?
I think there is more than enough work for that SPE, but that doesn't necessarily mean it provides protection outside storage based attacks.

 

[patsu]

Ah, the link serves as a reference for questions like interrupts and exception handling in SPUs. If the Hypervisor also runs on the PPU and is "integrated" with the SPUs, the security should apply system-wide (rather than just to the SPUs).

For memory protection, I remember the PPU set up some sort of global memory map/boundary for all the cores. Perhaps the DMA model also make it harder to corrupt the main memory. I don't know enough about the details to comment. As I recall, Kutaragi mentioned that it is possible to run multiple OSes at the same time on a Cell (resource permitting). So I assume it is possible to implement the Hypervisor efficiently while making sure its "partition" remains intact under any circumstances.

With respect to the "dangerous" comments, as long as a system like Xbox 360 takes in user files (e.g., an MP4 movie), it is already vulnerable. Atom-based files are generally leaky (open-ended), so a lot of things can go wrong there. Parsing and using a user mod would be similar.

The only real difference is "MS's/Sony's code quality and control" (reading and playing an MP4 file) vs "developer's code quality and control" (reading and playing a user mod). I think both are equally vested to fight piracy. MS may have more comfort knowing it has full control over the code and people. But then again, it can also be a false sense of security. Fundamentally, it is still about people doing a good job.

Fortunately, this is not like the PC industry. Sony and MS have tight control over who can deploy on their platform. They have relatively tight control over external developers too.

 

[arhra]

That depends on what people mean by 'sandbox'. I think the term is being somewhat misapplied. PS3 has a distinct division between gaming systems and OS systems, AFAIK, with OS functions performed on a SPE with locked-out security, via the Hypervisor functionality on Cell. This I think is different to XB360 where the OS functions are running on the same cores as the game, and so some funky register accessing may allow hacks into the system resources. The creation of a sandbox is a software controlled regulation of code with the applicable resources overhead.

Though I'm not a hardware securities expert, or even moderately clued up on all this jazz, so clarification from those more in the know would be welcome!

I'm fairly certain the 360 uses a hypervisor as well, although apparently exploitable flaws exist in a few specific kernel versions.