
Topic: PS3 security is "epic fail"


ejstans
Re: PS3 security is "epic fail"
« on: January 04, 2011, 01:14:32 PM »
Quote from: AmigaNG;603729
I know I said I wouldn't post again, but just to correct this, that this is not true, Sony did release a limited edition Metal Gear Solid 80Gb PS3 without both ps2 gpu or cpu and it allowed you to run PS2 games, I believe it was so you could run Metal Gear Solid 2 and 3 but had a lot of trouble running many other games and was dropped, I believe Sony would have to custom make the way the emulator work for each PS2 game run. However I think this same software is used to power the recent HD PS2 re-releases version of games we've seen, like Medal of Honour and God of War 1 & 2 both have come out since.
I don't think this is correct but feel free to prove me wrong. Sony did release an 80GB PS3 MGS4 bundle that had PS2 compatibility (product code PS398011) but this was the CECHE motherboard, the last revision to include the PS2 "Graphics Synthesizer" hardware. There were other MGS4 bundles based on later motherboard revisions lacking PS2 hardware but, far as I know, these do not include any PS2 compatibility.
"It is preferable not to travel with a dead machine."

A500 1.3 / 512KiB slowmem / GVP HD8 w/ 8MiB fastmem & 52MB HDD
A600 2.05 / 1GB SSD
A1200 3.0 / Blizzard 1200/4 w/ 68882 @ 33MHz / 1GB SSD
A1200T 3.0 / Apollo 1260 w/ 68EC060 @ 50MHz & 16 MiB fastmem / 4GB SSD
 

ejstans
Re: PS3 security is "epic fail"
« Reply #1 on: January 04, 2011, 03:13:43 PM »
Quote from: A1260;603764
when you have the master key you can make the ps3 accept any media as original bought one even if it is homebrew or pirated doesn't matter. sony can't do anything about it, they must make a new ps4 with better security to fight this one...
I was peripherally involved in the ps3 scene before, but I lost interest when the USB hack came out and I haven't really read up on the recent breakthrough, but I still think it's premature to say Sony can't do anything about it.

I remember when people were saying the same thing about the PSP after PSAR dumper came out, but Sony managed to come up with many countermeasures. True, these were eventually also broken, but that took some hard work (and a bit of luck!)

Without really reading more than the headlines of the recent hack, here are my thoughts:

The security of the PS3 relies on the isolated SPU. The SPU is protected by a hardware cipher (probably AES) with an embedded root key. Far as I know, this root key is NOT what's been captured.

Various "loaders" can be executed on the isolated SPU. These loaders take the place of the hardware crypto engine in the PSP, with the advantage that they can be easily updated. They contain the public half of asymmetric cipher keys, and when an application wants to run on the PS3, it is fed to the right loader which verifies the signature and decrypts the application and schedules it to run. Not a valid signature -> no go.

From the little I've read, I surmise that they managed to break the SPU isolation by finding a bug in one of the loaders (not such a trivial feat!) Once inside the isolated vault they could grab the public keys of the loader, which ought to not be so valuable had Sony not screwed up majorly by letting the private keys be easily derivable from the public keys!

But, while having the private keys of a loader allows one to sign one's own executable, it does not necessarily (actually, with proper security, it definitely ought not to!) allow one to run a patched/modified loader in SPU isolation! So, Sony ought to be able to release updated loaders minus the bug and with new keys, properly created, and a whitelist of old official software allowed to run. If so, the captured keys are only useful with the old firmware.

But who knows? There have been many assumptions (reasonable ones!) about how the PS3 security ought to work, only to be shown that Sony had opted for something worse...

I think we'll just have to wait and see if this hack has enough strength to best all of Sony's countermeasures, but one thing is for sure though: Sony is in total control of PSN at least, and I'll bet they go to lengths to lock out hacked consoles from it! Even if possible to masquerade a hacked console, it'll be an arms race at the very least...

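A toy model of the argument in the post above (hardware-verified loaders, per-loader application keys, and an updated loader that rotates its key and whitelists old official software). This is an added example, not code from the post or from Sony or fail0verflow; textbook RSA over fixed Mersenne primes stands in for the real signature scheme, and every key, loader name and blob is constructed.

```python
"""Toy model of the loader chain of trust discussed in the post above (constructed
example): textbook RSA over fixed primes stands in for the real signature scheme."""
import hashlib

def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA from two fixed primes; returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

# Constructed keys from Mersenne primes; toy sizes, not real console keys.
ROOT_PUB, ROOT_PRIV = toy_rsa_keypair(2**89 - 1, 2**107 - 1)  # fixed in hardware
APP1_PUB, APP1_PRIV = toy_rsa_keypair(2**61 - 1, 2**127 - 1)  # loader v1 app key (leaked)
APP2_PUB, APP2_PRIV = toy_rsa_keypair(2**31 - 1, 2**19 - 1)   # loader v2 fresh app key

class Loader:
    """Updatable loader: root-signed code blob, app public key, optional whitelist."""
    def __init__(self, name, app_pub, old_pub=None, whitelist=()):
        self.app_pub, self.old_pub = app_pub, old_pub
        self.whitelist = frozenset(whitelist)          # SHA-256 of allowed old apps
        self.blob = f"{name}:{app_pub[0]:x}".encode()   # stand-in for loader code

    def accepts(self, app, sig):
        if verify(self.app_pub, app, sig):                   # signed with current key
            return True
        if self.old_pub and verify(self.old_pub, app, sig):  # old key: whitelist only
            return hashlib.sha256(app).hexdigest() in self.whitelist
        return False

def hardware_admits_loader(blob, sig):
    """The hardware check on entering isolation: only root-signed loaders run."""
    return verify(ROOT_PUB, blob, sig)

def scenario():
    official = b"official game, signed by the vendor before the key leak"
    homebrew = b"unofficial app, signed with the leaked loader key"
    v1 = Loader("ldr_v1", APP1_PUB)
    v2 = Loader("ldr_v2", APP2_PUB, old_pub=APP1_PUB,
                whitelist=[hashlib.sha256(official).hexdigest()])
    sig_official = sign(APP1_PRIV, official)   # vendor's original signature
    sig_homebrew = sign(APP1_PRIV, homebrew)   # possible once APP1_PRIV is known
    patched_v1 = v1.blob + b"+patch"           # modified loader, not root-signed
    return {
        "v1_runs_official": v1.accepts(official, sig_official),   # True
        "v1_runs_homebrew": v1.accepts(homebrew, sig_homebrew),   # True: key leaked
        "v2_runs_official": v2.accepts(official, sig_official),   # True: whitelisted
        "v2_runs_homebrew": v2.accepts(homebrew, sig_homebrew),   # False: key rotated
        "hw_admits_v2": hardware_admits_loader(v2.blob, sign(ROOT_PRIV, v2.blob)),
        "hw_admits_patched": hardware_admits_loader(patched_v1, sign(APP1_PRIV, patched_v1)),
    }
```

The model only holds if the hardware-verified loader really is replaceable; the later posts in this thread question exactly that for metldr.
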
ejstans
Re: PS3 security is "epic fail"
« Reply #2 on: January 04, 2011, 04:25:24 PM »
Quote from: A1260;603781
they got the rootkey.... if you bother to read you would have known that by now.....
Well, I did take the time now, and you're wrong. The root key is the one thing they didn't get (it's embedded in silicon after all, and each console has its own unique key) but they do claim to have broken the chain of trust anyway. Let's see how effective it is.

ejstans
Re: PS3 security is "epic fail"
« Reply #3 on: January 04, 2011, 05:39:06 PM »
Quote from: olsen;603800
If I remember correctly, the 27C3 presentation made a point of describing the PS3 as not having key verification in hardware, like the XBOX 360 has (signature goes in, hardware answers if it matches the private key: you cannot read the private key from the hardware).

Instead the work is being done by a dedicated SPE, which because it is not a specialized key verification device, must be programmed to do the job. And it is vulnerable to attack, because the chain of trust protecting it has been broken.
Well, the PS3 does have hardware verification; it's what provides the basis of the chain of trust. The loaders (or at least one of them) are verified by the hardware as part of entering the isolated SPU (SPE) state. In the 27C3 slides (which I read but didn't watch the presentation) it is claimed that the bootldr is not updatable (residing in ROM?). Perhaps only the bootldr is verified by hardware, and it in turn is responsible for the rest of the loaders and they have broken that chain.

It's kind of stupid, because then this system basically offers no more protection than a hardware cipher as in the PSP (I am not familiar at all with the X360), whereas if all the loaders were updatable, it'd offer protection precisely against this sort of thing where the chain of trust is broken along the way (which is also facilitated by writing a critical piece of software in such an insecure language as C...)

But it's not really unbelievable, there are other strange design decisions too, like the PPU apparently being in control of address translation, even for the isolated SPU...

ejstans
Re: PS3 security is "epic fail"
« Reply #4 on: January 04, 2011, 10:08:43 PM »
Quote from: A1260;603854
I am wrong?... what about this then..

read it here...
http://kotaku.com/5723105/hacker-claims-to-have-the-ps3s-front-door-keys
Some confusion in these reports. Geohot apparently managed to break into metldr via an exploit. Then he could grab the public metldr key and derive the private one in the exact same manner fail0verflow did with the other loader. The difference is metldr is lower-level and I think can be used to compromise the rest of the loaders without requiring an exploitable bug in them.

metldr is also supposed to not be updatable and I think I understand their reasoning behind that now: it seems to be verified by the hardware key, but the hardware key is supposed to be unique per console so "how can Sony update it"? Well, who knows, but the proof of the pudding is in the eating...

ejstans
Re: PS3 security is "epic fail"
« Reply #5 on: January 05, 2011, 10:40:14 AM »
Quote from: olsen;603969
Yes, the hardware verification is there. I confused it with how and where the keys are stored. On the XBOX360 the keys are on the die, which is why you cannot extract them by means of a software exploit. The PS3 does not store the keys on the die.

The presentation complements the slides. You might want to take a look, as the slides alone tell only part of the story.
Yeah, I had a look last night and it clarified some things.

Quote from: olsen;603969
If I understand this correctly, the one loader bootstrapping the system cannot be updated, and because the private key it uses has been recovered, it is possible to replace the code the bootstrap loader will load.
This is apparently what the situation is presented as. However, it is worth pointing out that at the time of the conference this was not exactly so, because they hadn't compromised metldr at that time. Actually, what they said then was that a non-revocable downgrade method exists, which if true (and before I quit, I was actually working on one myself so I believe it is not impossible for one to exist!), does mean unlimited homebrew on all currently extant PS3s. It does not necessarily mean unlimited piracy (because new games could require a new firmware with new keys and whitelist to block the old compromised ones), but this situation would actually be quite nice :)

But the claim that it's impossible to even securely upgrade the firmware relies on whether metldr really cannot be updated. As far as I can tell, they claim that it can't be updated because it's being signed and encrypted with the per console hardware keys, and how could Sony release an update encrypted with the right unique keys? Well, even one of their members acknowledged that Sony can do it if they happen to have a database of the hardware keys mapped to e.g. serial number or something. But even if Sony doesn't have that, I still say wait and see, because even if I, or even the talented hackers of fail0verflow are unable to realize how Sony could counter this, that's an argument from ignorance. Similar circumstances existed on the PSP, and although the argument for Sony being screwed then seemed reasonable at first, it turned out somewhat differently when they managed to scrounge up a new secret key that put them back in control. Actually they managed to do this twice, the second time even when their hardware key had been compromised!

But I'm certainly not saying that Sony definitely will be able to pull such a rabbit out of the hat with the PS3, and if history is anything to judge by, even if they do, it might well be just a stopgap measure (especially considering the sorry state of the PS3 security model in reality rather than on paper), but somehow Sony seems to be quite a bit clever in actually getting the horses back in the barn. Or at least they seem to be more clever in getting them back, than they are in making sure they never leave in the first place, hehehe :)

Quote from: olsen;603969
The use of the 'C' programming language made the security architecture vulnerable. But even then the vulnerability ought to have had limited impact. As you wrote, the overall design is strange, and how certain parts are implemented (the 27C3 presentation raises questions about encrypted storage, and how the hypervisor design is unsuitable as a security measure) make you wonder how it was designed and reviewed.

It probably was not independently reviewed.
Yes. I think people really overestimate the importance of security to these companies. Geohot, for example, claimed that he was able to defeat Sony's billions of dollars spent on PS3 security. A good ego stroke perhaps, but that dollar claim doesn't have anything to do with reality :)

Heh, with the PSP, they originally even forgot to turn on their security scheme! Yeah, that's right, the first PSPs would happily ignore all the authentication mechanism and run any old unsigned code, straight out of the box! I'm pretty sure billions of dollars were not spent on that either :)
« Last Edit: January 05, 2011, 10:44:42 AM by ejstans »

ejstans
Re: PS3 security is "epic fail"
« Reply #6 on: January 13, 2011, 07:42:50 PM »
Quote from: A1260;606447
when sony start suing instead of plugging the security hole, then you know they can't fix the problem and have lost.
Something to consider:
Quote from: fail0verflow
Reminder: do NOT update to future versions. PS3s are permanently owned through hardware, but Sony can throw roadblocks in your way via SW.

ejstans
Re: PS3 security is "epic fail"
« Reply #7 on: January 13, 2011, 09:13:38 PM »
Quote from: Iggy;606471
I have no doubt Sony will attempt to plug this via some "security" related update. And once they have they will insist that in order to access PSN you must have that update installed.
So Sony's security/protection scheme has failed. And it's neat that we will have the full access to hardware that was previously blocked by the hypervisor.
But I think labeling this as "epic" is premature and I don't think this is over yet (not by a long shot).
It is epic, there is no other word for it, and it's certainly not premature to call it that. If you read the slides or watched the presentation, you'll see. It's an unbelievable screw up by Sony, simply unbelievable...

A conspiracy-inclined mind might well suspect it was intentional...

ejstans
Re: PS3 security is "epic fail"
« Reply #8 on: January 14, 2011, 08:17:45 AM »
Quote from: Iggy;606486
Yes, the level of stupidity here makes it seem almost suspicious. But Sony has gone out of their way to prevent this in the past, so it probably is what it seems on the surface, a mistake.
And with time and consideration I wouldn't put it past Sony to devise a counter strategy. It's hard to anticipate how they might be able to plug this hole, but since they haven't responded yet I think it's more than fair to consider calling this fight over to be premature...

I have no doubt we are talking "mistakes" here. But if they were really serious about security, it's something that wouldn't have occurred. Really. Regardless of whether Sony has the ability to rewrite a completely new and 100% secure firmware, the way they mucked up the crypto makes them deserve an "epic fail" stamped on their foreheads anyway.

And, even though fail0verflow were kind enough to classify it as "just a bug in a loader", I'd say blindly copying user supplied data with a user supplied size in a security-critical loader is pretty "epic fail" that too. It's not like buffer overflows are unknown, or have been for the last decades, geez!

It's kind of obvious that junior programmers are responsible for these things. If Sony really cared about security, they would hire better people to design and implement the security systems. And I don't mean they have to hire Geohot either. :)

What little I've seen of the 360, it's a LOT better designed (as well as implemented.)

ejstans
Re: PS3 security is "epic fail"
« Reply #9 on: January 14, 2011, 04:41:47 PM »
Quote from: runequester;606668
Wide spread piracy leading to MS banning modded consoles, and the first generation of 360s coughing and dying on a regular basis?

I'm not sure I'd take the 360 as an example of better design ;)
It is indeed dangerous to speak out when I only know so very little, but I did mean security model, not hardware design of course :) And yeah, I forgot about the foul up with the insecure DVD drive, but other than that, what little I've seen of the design seems pretty good, no? Certainly not without flaws (I think the most serious being the bug that allowed extraction of the CPU key, but unlike the PS3, this was not due to failure of the whole security model, and did require pretty impressive sophistication to hack, well, far as I know at least...) but the security model seems cohesive, whereas Sony just seems to have tossed together bits and pieces without caring how they support (or in Sony's case, don't!) each other.

One nifty thing, for example, X360 memory is apparently protected with secure hashes and no code/data ever goes outside the CPU in clear text. Unlike the PS3 which places all faith in the XDR mem being out of reach to attackers due to its high speed. Geohot's original supervisor hack (XDR glitching) is just a special case of manipulating the XDR, and really, Sony can do nothing (like removing OtherOS) to protect against that. For sure! So yeah, someone could "just" hook up to the XDR and inject any code they want to run, unlike the 360 where this is impossible, by design.