Interview with Chris Satchell - XNA and Security

As I recall, Kutaragi mentioned that it is possible to run multiple OSes at the same time on a Cell (resource permitting). So I assume it is possible to implement the Hypervisor efficiently while making sure its "partition" remains intact under any circumstances.
Hypervisor protecting one OS memory space from another OS is different than protecting one OS from its applications though.
 
Wait... so there is a bug in Xenon's cmplwi instruction? That's why their hypervisor has been compromised? They can't fix it?

http://www.securityfocus.com/archive/1/461489/30/0/threaded

When accessing memory locations with the most significant address bit
set, the HRMOR setting is not applied. Due to the bug in the "cmplwi"
instruction, setting the corresponding bits in %r0 on syscall entry
allows setting the MSB, thereby overriding the HRMOR setting and tricking
the address lookup of the syscall handler to fetch from memory without
any security features.

EDIT:
Hypervisor protecting one OS memory space from another OS is different than protecting one OS from its applications though.

That's very true. I was hoping it would imply they have some robust hardware mechanism to protect the OSes from slapping each other. We can't really discuss deeper without knowing the details.

e.g., If the game/app can be set up in a totally separate and replicated run-time environment on a HDD "install area". Even if it can trick the run-time to make privileged calls, it may not be able to launch another code from outside the "install area" because these are done by the other segregated OS.

I am probably talking out of my *ss right now. Apologies to the people in the industry for trivializing your work. :)
 
Wait... so there is a bug in Xenon's cmplwi instruction? That's why their hypervisor has been compromised? They can't fix it?

They can't fix the instruction, but they probably can, and already have, worked around it in software. Judging by the amount of effort directed at downgrading firmware versions in the "homebrew" *ahem* "community", reasonably new firmwares are safe.

There was a nothing-on-the-surface update a few days ago, I'm curious what the security mailing lists will turn up :)
 
They can't fix the instruction, but they probably can, and already have, worked around it in software. Judging by the amount of effort directed at downgrading firmware versions in the "homebrew" *ahem* "community", reasonably new firmwares are safe.

There was a nothing-on-the-surface update a few days ago, I'm curious what the security mailing lists will turn up :)

Yes, even with fixed hypervisor, I wonder how far back they need to watch this (e.g., Can old/unpatched games be used to launch a similar attack in other ways if such a low level flaw was found).

If the potential problems are at this level, then I can understand their paranoia. Earlier on, people were saying the Xenon CPU development schedule was compressed. I wonder what mechanism the anonymous hacker used to demo his exploit (XNA or full SDK?). In any case, XNA is a good move. If they can get around the security issues, I hope they push it fully instead of gimping it commercially or technically.

Where Chris Satchell's comments are concerned, the UT3 user mods and Playstation Home scripting are higher level than the XNA or SDK though. Assuming a robust system, if they allow XNA, I don't see why they fear these high level user tools.
 
XNA is pretty solid in terms of security.
On one level, .NET 2.0+ is already well proven in terms of security (ignoring .NET 1.1, which had a total security overhaul for 2). Since then it's only seen 3 minor security problems so far, and these have generally been outside of the core library.

On top of that, the compact framework, of which XNA is a superset, has a much smaller feature set (in terms of potentially dangerous code). Lots of the stuff that deals with system level code is simply not there.
Finally, when running an XNA app, two of the six available threads are dedicated to the GC and what I understand is a special hypervisor running just for the .NET code.

With that said, I do wonder if the GPU would be a good place to target for potential system attacks, given XNA gives access to quite a few Xenon specific instructions (such as the ability to read arbitrary memory from vertex buffers with vfetch shader asm). Although given it acts as the system memory controller, I'd hope some form of memory protection is implemented there too, not just in the CPU.

At the end of the day I'd easily imagine security is Microsoft's big concern here. They learnt the hard way with the original Xbox.
 
Where Chris Satchell's comments are concerned, the UT3 user mods and Playstation Home scripting are higher level than the XNA or SDK though.
But they're running on a low-level engine, so are only as secure as the UT3 game running the scripts, something that's kinda out of the console company's hands. XNA is MS's engine and they're comfortable that that's secure. Sony OTOH seemed comfortable that their system is secure even allowing third parties to provide whatever access they want.
 
You're right.

Microsoft appears to rely less on low level security mechanisms even though the 360 Hypervisor keeps its run-time suitably locked down. In addition, it limits the exposure to a closed or tightly controlled circle to keep things in order. So far only a handful like Bungie, Microsoft and Bizarre Creations allow user mods. The overall strategy also fits well with XBL's closed nature. At this point, we know of one case where the CPU has allowed a hacker to penetrate their shield.

In theory, Sony may have more hardware and time in securing its run-time at the lowest level. Besides Cell, I wonder if Sony built additional hardware protection into the Blu-ray stack (beyond what MS has done for its own DVD protection). Essentially they may/could have virtualized and partitioned the entire PS3 run-time at the hardware and Hypervisor level (like how XNA did it at the middleware level). This may give them the confidence to allow more open access *if* , from their perspective, the potential impact may be limited to individual applications.

In contrast, the relatively "open" PSN seems more vulnerable (A small number of Playstation accounts were breached from its PC store access). While XBL may well be susceptible to distributed DoS attack, a large part is private to MS and can be controlled better.

If these conjectures are true, it would be interesting to see how both philosophies pan out in real life.
 
Wait... so there is a bug in Xenon's cmplwi instruction? That's why their hypervisor has been compromised? They can't fix it?

The bug is not in the instruction. The bug was in the use of the incorrect comparison operator in a bit of hypervisor code. The short version is that a security check validated a double-word against a single-word, which caused data in the high order word to not be validated. As it turns out, the high-order bit in the skipped word is what was used to determine whether a memory retrieval was treated as encrypted or not. By setting the bit, you could execute against unencrypted memory.

It can and has been fixed. The fix was quite literally just changing that single comparison instruction to the proper double-word comparer. Additionally, there is hardware protection to prevent users from downgrading firmware (though I believe there's been some research into breaking that).


I wonder what mechanism the anonymous hacker used to demo his exploit (XNA or full SDK?).

This was done on an SDK. This exploit was never performed on a retail box.
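The bug class described in the reply above (a 64-bit value validated with a 32-bit comparison, so the high-order word and its flag bit are never checked) is easy to see in plain C. The following is an added illustration written for this thread, not the 360 hypervisor's code or anything from the advisory: the function names, the use of bit 63 as a stand-in for the "treat this fetch as unencrypted" bit, and the limit values are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the high-order address bit the thread describes:
 * when set, the fetch bypasses the protection the range check is meant to
 * enforce. The bit position is an assumption for illustration only. */
#define ADDR_FLAG_BIT (UINT64_C(1) << 63)

/* Buggy check: the address is truncated to its low word before the compare,
 * which is the C analogue of validating a double-word with a single-word
 * compare. Any bits in the high word, the flag bit included, are ignored. */
bool addr_ok_single_word(uint64_t addr, uint32_t limit)
{
    uint32_t low = (uint32_t)addr;   /* high 32 bits silently dropped */
    return low < limit;
}

/* Fixed check: compare the whole 64-bit value, so a set high-order bit
 * makes the address far larger than any valid limit and it is rejected. */
bool addr_ok_double_word(uint64_t addr, uint64_t limit)
{
    return addr < limit;
}

/* Returns 1 when the buggy check accepts a flagged address that the fixed
 * check rejects, i.e. when the truncation bug is observable. */
int truncation_bug_observable(void)
{
    const uint64_t limit = 0x10000;                 /* constructed limit */
    const uint64_t flagged = ADDR_FLAG_BIT | 0x1000; /* low word in range */

    bool buggy_accepts = addr_ok_single_word(flagged, (uint32_t)limit);
    bool fixed_accepts = addr_ok_double_word(flagged, limit);
    return (buggy_accepts && !fixed_accepts) ? 1 : 0;
}

int main(void)
{
    printf("single-word check passes flagged address: %s\n",
           addr_ok_single_word(ADDR_FLAG_BIT | 0x1000, 0x10000) ? "yes" : "no");
    printf("double-word check passes flagged address: %s\n",
           addr_ok_double_word(ADDR_FLAG_BIT | 0x1000, 0x10000) ? "yes" : "no");
    printf("bug observable: %d\n", truncation_bug_observable());
    return 0;
}
```

The defensive takeaway matches the reply: the fix is not a new mechanism but making the comparison width match the width of the value being validated, and a compiler warning for implicit narrowing (or a review rule that every address check compares the full register) is the cheap way to catch the same mistake elsewhere.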
 
What is the state of hardware modding on 360?

Tried to respond to this yesterday, but the post never completed for some reason.

I don't know that there's all that much of it, honestly. The traditional modchip is pretty ineffective on the 360 because all of the keygen work is done inside chips, so nothing sensitive ever goes onto an easily-sniffable bus.

The most common hack is easily the DVD-ROM firmware hack that allows playing of pirated games. I guess you could call it a hardware hack in that you have to rip the chip out of the drive to reprogram it, but it's really a firmware hack that is the unfortunate result of that bit of the system not using signed firmware.

I'm not sure if you've ever seen it, but Felix Domke was doing some talks about console hardware security and he talked about the irony that the part of the 360 that was broken first (playing copied games) is the one that MS would probably most like to prevent while the one that has yet to be cracked (running homebrew content) is still locked solid. Out of that came the idea that the safest solution is probably to make running homebrew a fun problem, while making cracking the DRM simply a boring one.

In many respects, the design philosophy of the PS3 has been much more successful. Lots of people are spending tons of hours trying to figure out how to program against RSX in Linux, and not one second of that work is helping pirates run copied BluRays on the system.
 
Tried to respond to this yesterday, but the post never completed for some reason.

I don't know that there's all that much of it, honestly. The traditional modchip is pretty ineffective on the 360 because all of the keygen work is done inside chips, so nothing sensitive ever goes onto an easily-sniffable bus.

The most common hack is easily the DVD-ROM firmware hack that allows playing of pirated games. I guess you could call it a hardware hack in that you have to rip the chip out of the drive to reprogram it, but it's really a firmware hack that is the unfortunate result of that bit of the system not using signed firmware.

I'm not sure if you've ever seen it, but Felix Domke was doing some talks about console hardware security and he talked about the irony that the part of the 360 that was broken first (playing copied games) is the one that MS would probably most like to prevent while the one that has yet to be cracked (running homebrew content) is still locked solid. Out of that came the idea that the safest solution is probably to make running homebrew a fun problem, while making cracking the DRM simply a boring one.

In many respects, the design philosophy of the PS3 has been much more successful. Lots of people are spending tons of hours trying to figure out how to program against RSX in Linux, and not one second of that work is helping pirates run copied BluRays on the system.

Thanks, interesting view, but I have to ask, was it the homebrew guys who figured out the firmware hack on 360 drive?
 
Thanks, interesting view, but I have to ask, was it the homebrew guys who figured out the firmware hack on 360 drive?

I don't actually know who found the flaw, but its find was certainly the result of a lot of scrutiny on the box as a whole by the big hats in homebrew.

Because the flaw was found, it's hard to say if it would have been found as quickly or at all if it wasn't being investigated as an obvious vector for getting code on to the box. History tells us that most of the pirate crowd get their best benefit from piggybacking on the work of others, at least when it comes to hardware protection (obviously the defeat of things like CSS and Fairplay show that there's no shortage of takers on cracking software encryption).

My guess is that in the particular case of the 360, someone was going to find this flaw sooner or later. It was too fundamental of an issue. Unsigned firmware is a giant red flag. However, despite that, I don't think it would have been found as quickly had it not been such a juicy target in the first place.
 
In contrast, the relatively "open" PSN seems more vulnerable (A small number of Playstation accounts were breached from its PC store access). While XBL may well be susceptible to distributed DoS attack, a large part is private to MS and can be controlled better.

If these conjectures are true, it would be interesting to see how both philosophies pan out in real life.

Another thing to consider is that MS is probably a lot more skittish about security in general due to their past experience than Sony. Sony has very little experience with consumer level security issues compared with MS. And one of the easiest ways to improve security is tight control on what is even allowed in the environment and what is allowed to run in the environment.

At the end of the day though, there is no such thing as an impenetrable hypervisor or a secure system; this is especially true if you open up the environment to anyone that wants to play around.

Aaron Spink
speaking for myself inc.
 
In many respects, the design philosophy of the PS3 has been much more successful. Lots of people are spending tons of hours trying to figure out how to program against RSX in Linux, and not one second of that work is helping pirates run copied BluRays on the system.

Some of that is probably related to the current very high costs of using BR to copy a game. To copy 10 games you are looking at an outlay right now of ~$360 and that doesn't include any hardware modding that would be required. In comparison it would cost between ~$10 and ~$30 (assuming you don't already have a burner) to copy 10 XB360 games.

So there is much more incentive to copy XB360 games atm.

BTW for a laugh check out the prices on BR-DL and BR-RE DL media! So even when the copy protection gets cracked, just make sure your game needs more than 25GB and no one will ever copy it ;)

Aaron Spink
speaking for myself inc.
 
I don't know, the whole mod thing seems rather overblown as another chance to bash MS because they don't have it and the other guy does, imo.

I mean currently you've got one PS3 game (UT3) with a fairly borked modding system (since you cannot find and download mods via the in-game browser, but must use a fairly cumbersome outside system) and as I understand it, you cannot generally find a public game on any of those modded levels anyway since the game didn't sell that well (unless you actually plan a get together online with friends). So the number of people actually using and enjoying the mods must be what, dozens?

So really, overblown imo.

But one of the latest interviews with one of the Epic guys, Rein or Capps (there are so many floating around right now), seemed once again very positive on the likelihood of getting some sort of mod system in UT3 sanctioned by MS, for what it's worth (although that seems to change as often as the weather, and the game is nearing 360 release).
 
Another thing to consider is that MS is probably a lot more skittish about security in general due to their past experience than Sony. Sony has very little experience with consumer level security issues compared with MS. And one of the easiest ways to improve security is tight control on what is even allowed in the environment and what is allowed to run in the environment.

What about stuff they learnt from PSP, PS1 and PS2? PS3 seems pretty well locked down for now.

At the end of the day though, there is no such thing as an impenetrable hypervisor or a secure system; this is especially true if you open up the environment to anyone that wants to play around.

Sure, they will have to make it very very costly to do so. We will see what kind of troubles UT3, Echochrome, LBP invite over time.


Rangers said:
I mean currently you've got one PS3 game (UT3) with a fairly borked modding system (since you cannot find and download mods via the in-game browser, but must use a fairly cumbersome outside system) and as I understand it, you cannot generally find a public game on any of those modded levels anyway since the game didn't sell that well (unless you actually plan a get together online with friends). So the number of people actually using and enjoying the mods must be what, dozens?

UT3 is not the only one and certainly won't be the last. We can either stop at the broken mod system or improve further. I opt for the latter. I don't think every developer will have borked mods.
 
What about stuff they learnt from PSP, PS1 and PS2? PS3 seems pretty well locked down for now.

I'm mainly referring to the online aspects and user generated content. PS3 will probably be cracked open like all consoles when there is a financial reason for it. Right now the costs of BR duplication are too high for it to have any real payback.

Aaron Spink
speaking for myself inc.
 
Some of that is probably related to the current very high costs of using BR to copy a game. To copy 10 games you are looking at an outlay right now of ~$360 and that doesn't include any hardware modding that would be required. In comparison it would cost between ~$10 and ~$30 (assuming you don't already have a burner) to copy 10 XB360 games.
The fact that the average Joe cannot write BD should make a better financial motivation for people who earn from piracy.

I don't know, the whole mod thing seems rather overblown as another chance to bash MS because they don't have it and the other guy does, imo.
Correct me if I'm wrong but we are discussing a XNA guy bashing MOD security on PS3.

But one of the latest interviews with one of the Epic guys, Rein or Capps (there are so many floating around right now), seemed once again very positive on the likelihood of getting some sort of mod system in UT3 sanctioned by MS, for what it's worth (although that seems to change as often as the weather, and the game is nearing 360 release).

If 360 gets a mod browser before PS3, Mark Rein and/or Sony can go enjoy themselves. :|
 
I'm mainly referring to the online aspects and user generated content. PS3 will probably be cracked open like all consoles when there is a financial reason for it. Right now the costs of BR duplication are too high for it to have any real payback.

Yes, BR is a new technology. Besides cost, Sony may also employ additional lock down here to protect themselves. It will take more time to understand and experiment.

User generated content (mod files) are like movie files. If they allow all sorts of media file playback, Pandora's box has already been opened. All Sony and MS can do is to make sure they have the best hardware and software layer to protect themselves. If third party apps are full of holes, they will be found whether there are user mods or not. Security by obscurity/limiting access is not really a valid option in a security context.
 
User generated content (mod files) are like movie files. If they allow all sorts of media file playback, Pandora's box has already been opened. All Sony and MS can do is to make sure they have the best hardware and software layer to protect themselves. If third party apps are full of holes, they will be found whether there are user mods or not. Security by obscurity/limiting access is not really a valid option in a security context.

Some mod files are just like movies, but a lot actually contain some scripting, etc. It's this scripting and not trusting the 3rd party code that likely concerns MS. In general MS has been burned on 3rd party code and now has a bunch of security people with TLA backgrounds as well who are always nervous of 3rd party code and exploits of such code.

Aaron Spink
speaking for myself inc.
 