Presentation is loading. Please wait.

Presentation is loading. Please wait.

PS3 Security Julian Wechsler. Overview Legal Issues DMCA Security Overview Exploits Geohots Exploit, PS Jailbreak Flaws ECDSA.

Published byMayra Bestwick Modified over 10 years ago

Similar presentations

Presentation on theme: "PS3 Security Julian Wechsler. Overview Legal Issues DMCA Security Overview Exploits Geohots Exploit, PS Jailbreak Flaws ECDSA."— Presentation transcript:

1 PS3 Security Julian Wechsler

2 Overview Legal Issues DMCA Security Overview Exploits Geohots Exploit, PS Jailbreak Flaws ECDSA

3 Legal Issues Sega v. Accolade: Establishes that Reverse Engineering can count as Fair Use Lexmark Intl v. Static Control Components: Ruled that circumvention of Lexmarks ink cartridge lock does not violate the DMCA.

4 The basic question If you purchase something, should you be allowed to do whatever you want with it? Recently, it was established that people are allowed to jailbreak or root their phones. From 2010 DMCA Anti-circumvention exemptions: (2) Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset. How much of a stretch between cellphones and consoles? Homebrew vs Unofficial Applications

5 PS3 Security Overview Hypervisor (aka lv1) controls access between the Game OS (lv 2) and low level hardware, enforces security. Signed executables

6

7 4 years, why? For 3 years, the PS3 has had an OtherOS feature, which let people run Linux, so there was no reason to hack it. This feature was removed from the newer PS3 Slim models. Geohots Exploit – Sony responds with removing OtherOS from all units. From that point, it took one year for the system to be cracked open.

8 Geohots Exploit – Glitching Attack The exploit is a Linux kernel module (hence requiring OtherOS) that calls various system calls to the hypervisor dealing with memory management. A glitching attack involves sending a timed voltage pulse that should cause the hardware to misbehave in some manner. Here, used for glitching memory read/write

9 Geohots Exploit Goal: Compromise the hashed page table (HTAB) to get read/write access to the main segment, which maps all memory including the hypervisor. The kernel module allocates, deallocates, and then tries to use deallocated memory as the HTAB for a virtual segment. The glitch is meant to prevent the deallocating of the mapped memory.

10 Geohots Exploit – Step 1 Allocate a buffer. Make many requests to create lots of duplicate mappings to this buffer. Any one of these mappings can be used to read or write to it.

11 Geohots Exploit – Step 2 Deallocate the buffer. The hypervisor will destroy all of the mappings, but if a successful glitch happens here, the mapping will remain intact.

12 Geohots Exploit – Step 3 Lastly, create virtual segments until it falls in the buffer space that the kernel still has access to. Since you can still read and write to it, the exploit writes some HTAB entries that gives it full access to the main segment which maps all memory.

13 Geohots Exploit – Effects This exploit gives access to all memory, including the hypervisor. So what does this mean? Not really too much. You get a lot of interesting memory dumps, but not really much you can do with it at this point. Regardless, Sony retaliates by removing the OtherOS feature completely to get rid of this exploit.

14 PS Jailbreak, and all of its clones The PSJailbreak emulates a 6 port usb hub, and attaches/detacches fake devices to it to mess with the memory allocation and freeing of the various blocks of memory that hold the device and configuration descriptors. A heap overflow is used to execute shellcode.

15 PS Jailbreak Effects After loading the exploit, the payload patches the lv2 GameOS so that it can run unsigned code. For some reason, the hypervisor doesnt check to make sure that code is signed. Lv2 can also be patched to load games from the HDD. (Piracy!) Lv1/hypervisor is still protected. (Not that theyre doing much at this point)

16 Signed Executables

17 Sonys ECDSA A ECDSA signature consists of R and S computed by: R = (mG) x S = (e + kR) / m The first equation cant be solved because of the discrete logarithm problem The second equation cant be solved because it contains two unknowns.

18 Sonys ECDSA However, m is supposed to be a random number. For some reason, Sony uses the same random number every time. With two signatures using the same m, you can easily solve for k, very easily obtaining the private key. With this information, anyone can sign anything, and run it without having to preload any kind of exploit.

19 Resources https://ps3wiki.lan.st/index.php/Main_Page http://events.ccc.de/congress/2010/Fahrplan/attachments/1780_27c3_cons ole_hacking_2010.pdf http://events.ccc.de/congress/2010/Fahrplan/attachments/1780_27c3_cons ole_hacking_2010.pdf http://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was-hacked/ http://www.copyright.gov/1201/ https://www.eff.org/cases/lexmark-v-static-control-case-archive http://bulk.resource.org/courts.gov/c/F2/977/977.F2d.1510.92-15655.html

Download ppt "PS3 Security Julian Wechsler. Overview Legal Issues DMCA Security Overview Exploits Geohots Exploit, PS Jailbreak Flaws ECDSA."

Similar presentations

1/1/ / faculty of Electrical Engineering eindhoven university of technology Memory Management and Protection Part 3:Virtual memory, mode switching, 80286.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Memory Management and Protection Part 3:Virtual memory, mode switching,
CS426Fall 2010/Lecture 71 Computer Security CS 426 Lecture 7 Operating System Security Basics.

CS426Fall 2010/Lecture 71 Computer Security CS 426 Lecture 7 Operating System Security Basics.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
May 7, 20151 A Real Problem  What if you wanted to run a program that needs more memory than you have?

May 7, A Real Problem  What if you wanted to run a program that needs more memory than you have?
1 A Real Problem  What if you wanted to run a program that needs more memory than you have?

1 A Real Problem  What if you wanted to run a program that needs more memory than you have?
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Memory Management (II)

Memory Management (II)
Threads vs. Processes April 7, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Threads vs. Processes April 7, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Inter Process Communication:  It is an essential aspect of process management. By allowing processes to communicate with each other: 1.We can synchronize.

Inter Process Communication:  It is an essential aspect of process management. By allowing processes to communicate with each other: 1.We can synchronize.
Informationsteknologi Friday, November 16, 2007Computer Architecture I - Class 121 Today’s class Operating System Machine Level.

Informationsteknologi Friday, November 16, 2007Computer Architecture I - Class 121 Today’s class Operating System Machine Level.
CSI 400/500 Operating Systems Spring 2009 Lecture #9 – Paging and Segmentation in Virtual Memory Monday, March 2 nd and Wednesday, March 4 th, 2009.

CSI 400/500 Operating Systems Spring 2009 Lecture #9 – Paging and Segmentation in Virtual Memory Monday, March 2 nd and Wednesday, March 4 th, 2009.
Chapter 5: Memory Management Dhamdhere: Operating Systems— A Concept-Based Approach Slide No: 1 Copyright ©2005 Memory Management Chapter 5.

Chapter 5: Memory Management Dhamdhere: Operating Systems— A Concept-Based Approach Slide No: 1 Copyright ©2005 Memory Management Chapter 5.
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
Computer Organization Review and OS Introduction CS550 Operating Systems.

Computer Organization Review and OS Introduction CS550 Operating Systems.
Real-Time Concepts for Embedded Systems Author: Qing Li with Caroline Yao ISBN: 1-57820-124-1 CMPBooks.

Real-Time Concepts for Embedded Systems Author: Qing Li with Caroline Yao ISBN: CMPBooks.
ITEC 325 Lecture 29 Memory(6). Review P2 assigned Exam 2 next Friday Demand paging –Page faults –TLB intro.

ITEC 325 Lecture 29 Memory(6). Review P2 assigned Exam 2 next Friday Demand paging –Page faults –TLB intro.
Sony Computer Entertainment America LLC vs George Hotz Your freedom to understand, discuss, repair, and modify the technological devices you own.

Sony Computer Entertainment America LLC vs George Hotz Your freedom to understand, discuss, repair, and modify the technological devices you own.
OpenJailbreak.org WTF is it?. Who Am i? And why are you following me? Joshua Hill

OpenJailbreak.org WTF is it?. Who Am i? And why are you following me? Joshua Hill
Administrator Protect against Malware by: Brittany Slisher and Gary Asciutto.

Administrator Protect against Malware by: Brittany Slisher and Gary Asciutto.

Similar presentations

Ads by Google