PS3 Security Julian Wechsler. Overview Legal Issues DMCA Security Overview Exploits Geohot's Exploit, PS Jailbreak Flaws ECDSA.


PS3 Security Julian Wechsler

Overview Legal Issues DMCA Security Overview Exploits Geohot's Exploit, PS Jailbreak Flaws ECDSA

Legal Issues Sega v. Accolade: Establishes that reverse engineering can count as fair use. Lexmark Int'l v. Static Control Components: Ruled that circumvention of Lexmark's ink cartridge lock does not violate the DMCA.

The basic question If you purchase something, should you be allowed to do whatever you want with it? Recently, it was established that people are allowed to jailbreak or root their phones. From the 2010 DMCA anti-circumvention exemptions: (2) Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset. How much of a stretch is it from cellphones to consoles? Homebrew vs. unofficial applications

PS3 Security Overview The hypervisor (aka lv1) controls access between the Game OS (lv2) and the low-level hardware, and enforces security. Executables must be signed.

4 years, why? For 3 years, the PS3 had an OtherOS feature that let people run Linux, so there was no reason to hack it. This feature was removed from the newer PS3 Slim models. Geohot's exploit followed, and Sony responded by removing OtherOS from all units. From that point, it took one year for the system to be cracked open.

Geohot's Exploit – Glitching Attack The exploit is a Linux kernel module (hence requiring OtherOS) that makes various system calls to the hypervisor dealing with memory management. A glitching attack involves sending a timed voltage pulse that should cause the hardware to misbehave in some manner. Here it is used to glitch memory reads/writes.

Geohot's Exploit Goal: Compromise the hashed page table (HTAB) to get read/write access to the main segment, which maps all memory including the hypervisor. The kernel module allocates memory, deallocates it, and then tries to use the deallocated memory as the HTAB for a virtual segment. The glitch is meant to prevent the deallocation of the mapped memory.

Geohot's Exploit – Step 1 Allocate a buffer. Make many requests to create lots of duplicate mappings to this buffer. Any one of these mappings can be used to read or write to it.

Geohot's Exploit – Step 2 Deallocate the buffer. The hypervisor will destroy all of the mappings, but if a successful glitch happens here, a mapping will remain intact.

Geohot's Exploit – Step 3 Lastly, create virtual segments until one falls in the buffer space that the kernel still has access to. Since the kernel can still read and write to it, the exploit writes HTAB entries that give it full access to the main segment, which maps all memory.

Geohot's Exploit – Effects This exploit gives access to all memory, including the hypervisor. So what does this mean? Not really too much. You get a lot of interesting memory dumps, but there is not much you can do with them at this point. Regardless, Sony retaliates by removing the OtherOS feature completely to get rid of this exploit.

PS Jailbreak, and all of its clones The PSJailbreak emulates a 6-port USB hub and attaches/detaches fake devices to it to mess with the allocation and freeing of the various blocks of memory that hold the device and configuration descriptors. A heap overflow is used to execute shellcode.

PS Jailbreak Effects After loading the exploit, the payload patches the lv2 GameOS so that it can run unsigned code. For some reason, the hypervisor doesn't check to make sure that code is signed. Lv2 can also be patched to load games from the HDD. (Piracy!) Lv1/hypervisor is still protected. (Not that they're doing much at this point.)

Signed Executables

Sony's ECDSA An ECDSA signature consists of R and S, computed by $R = (mG)_x$ and $S = (e + kR) / m$. The first equation can't be solved because of the discrete logarithm problem. The second equation can't be solved because it contains two unknowns.

Sony's ECDSA However, m is supposed to be a random number. For some reason, Sony uses the same random number every time. With two signatures using the same m, you can easily solve for k, very easily obtaining the private key. With this information, anyone can sign anything and run it without having to preload any kind of exploit.
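The nonce-reuse failure described on the last two slides, worked through as an added example (not code from the slides or from Sony's implementation). It uses the slides' notation, $R = (mG)_x$ and $S = (e + kR)/m$ with everything reduced mod the group order n, and assumes the secp256k1 curve for concreteness; the recovery algebra itself is curve-independent.

```python
# Added example: recovering an ECDSA private key k from two signatures that
# reuse the nonce m. Curve secp256k1 is assumed here (not the PS3's curve);
# the arithmetic below is the standard affine group law, nothing PS3-specific.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(P, Q):
    """Affine point addition on y^2 = x^3 + 7 mod p; None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P)
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p     # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(s, P):
    """Double-and-add scalar multiplication s*P."""
    acc = None
    while s:
        if s & 1: acc = ec_add(acc, P)
        P = ec_add(P, P)
        s >>= 1
    return acc

def sign(e, k, m):
    """ECDSA signature (R, S) of hash e under private key k with nonce m."""
    R = ec_mul(m, G)[0] % n                 # R = (mG)_x
    S = (e + k * R) * pow(m, -1, n) % n     # S = (e + kR) / m
    return R, S

def recover_key(e1, sig1, e2, sig2):
    """Two signatures with the same nonce: solve for m, then for k."""
    (R1, S1), (R2, S2) = sig1, sig2
    assert R1 == R2, "same nonce gives same R; different R means no reuse"
    # S1 - S2 = (e1 - e2) / m, so the nonce falls out directly
    m = (e1 - e2) * pow(S1 - S2, -1, n) % n
    # then S1 = (e1 + k*R) / m gives the private key
    return (S1 * m - e1) * pow(R1, -1, n) % n
```

With a fresh nonce per signature the two R values differ and recover_key refuses at its first assertion, which is exactly the property a correct signer relies on.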

Resources ole_hacking_2010.pdf