There has been a lot of commentary around the breach of Sony’s PlayStation Network, but sadly little good discussion of how PSN was actually breached. What this breach means for Sony is largely defined by how it happened. Before we get to that, let’s go over a quick timeline of the important points leading up to the breach.
HOW DID GEOHOT HACK THE HYPERVISOR
GeoHot hacked the PS3 hypervisor (lv1) and has since updated his blog with a link to a technical write-up of how it was done, written by Nate Lawson at rdist.root.org.
To quote from the article: "The PS3, like the Xbox360, depends on a hypervisor for security enforcement. Unlike the 360, the PS3 allows users to run ordinary Linux if they wish, but it still runs under management by the hypervisor. The hypervisor does not allow the Linux kernel to access various devices, such as the GPU. If a way was found to compromise the hypervisor, direct access to the hardware is possible, and other less privileged code could be monitored and controlled by the attacker.
Hacking the hypervisor is not the only step required to run pirated games. Each game has an encryption key stored in an area of the disc called ROM Mark. The drive firmware reads this key and supplies it to the hypervisor to use to decrypt the game during loading. The hypervisor would need to be subverted to reveal this key for each game. Another approach would be to compromise the Blu-ray drive firmware or skip extracting the keys and just slave the decryption code in order to decrypt each game. After this, any software protection measures in the game would need to be disabled. It is unknown what self-protection measures might be lurking beneath the encryption of a given game. Some authors might trust in the encryption alone, others might implement something like SecuROM.
The hypervisor code runs on both the main CPU (PPE) and one of its seven Cell coprocessors (SPE). The SPE thread seems to be launched in isolation mode, where access to its private code and data memory is blocked, even from the hypervisor. The root hardware keys used to decrypt the bootloader and then hypervisor are present only in the hardware, possibly through the use of eFUSEs. This could also mean that each Cell processor has some unique keys, and decryption does not depend on a single global root key (unlike some articles that claim there is a single, global root key).
George's hack compromises the hypervisor after booting Linux via the "OtherOS" feature. He has used the exploit to add arbitrary read/write RAM access functions and dump the hypervisor. Access to lv1 is a necessary first step in order to mount other attacks against the drive firmware or games.
His approach is clever and is known as a "glitching attack". This kind of hardware attack involves sending a carefully-timed voltage pulse in order to cause the hardware to misbehave in some useful way. It has long been used by smart card hackers to unlock cards. Typically, hackers would time the pulse to target a loop termination condition, causing a loop to continue forever and dump contents of the secret ROM to an accessible bus. The clock line is often glitched but some data lines are also a useful target. The pulse timing does not always have to be precise since hardware is designed to tolerate some out-of-spec conditions and the attack can usually be repeated many times until it succeeds.
George connected an FPGA to a single line on his PS3's memory bus. He programmed the chip with very simple logic: send a 40 ns pulse via the output pin when triggered by a pushbutton. This can be done with a few lines of Verilog. While the length of the pulse is relatively short (but still about 100 memory clock cycles of the PS3), the triggering is extremely imprecise. However, he used software to set up the RAM to give a higher likelihood of success than it would first appear.
His goal was to compromise the hashed page table (HTAB) in order to get read/write access to the main segment, which maps all memory including the hypervisor. The exploit is a Linux kernel module that calls various system calls in the hypervisor dealing with memory management. It allocates, deallocates, and then tries to use the deallocated memory as the HTAB for a virtual segment. If the glitch successfully desynchronizes the hypervisor from the actual state of the RAM, it will allow the attacker to overwrite the active HTAB and thus control access to any memory region. Let's break this down some more.
The first step is to allocate a buffer. The exploit then requests that the hypervisor create lots of duplicate HTAB mappings pointing to this buffer. Any one of these mappings can be used to read or write to the buffer, which is fine since the kernel owns it. In Unix terms, think of these as multiple file handles to a single temporary file. Any file handle can be closed, but as long as one open file handle remains, the file's data can still be accessed.
The next step is to deallocate the buffer without first releasing all the mappings to it. This is ok since the hypervisor will go through and destroy each mapping before it returns. Immediately after calling lv1_release_memory(), the exploit prints a message for the user to press the glitching trigger button. Because there are so many HTAB mappings to this buffer, the user has a decent chance of triggering the glitch while the hypervisor is deallocating a mapping. The glitch probably prevents one or more of the hypervisor's write cycles from hitting memory. These writes were intended to deallocate each mapping, but if they fail, the mapping remains intact.
At this point, the hypervisor has an HTAB with one or more read/write mappings pointing to a buffer it has deallocated. Thus, the kernel no longer owns that buffer and supposedly cannot write to it. However, the kernel still has one or more valid mappings pointing to the buffer and can actually modify its contents. But this is not yet useful since it's just empty memory.
The exploit then creates a virtual segment and checks to see if the associated HTAB is located in a region spanning the freed buffer's address. If not, it keeps creating virtual segments until one does. Now, the user has the ability to write directly to this HTAB instead of the hypervisor having exclusive control of it. The exploit writes some HTAB entries that will give it full access to the main segment, which maps all of memory. Once the hypervisor switches to this virtual segment, the attacker now controls all of memory and thus the hypervisor itself. The exploit installs two syscalls that give direct read/write access to any memory address, then returns back to the kernel.
It is quite possible someone will package this attack into a modchip since the glitch, while somewhat narrow, does not need to be very precisely timed. With a microcontroller and a little analog circuitry for the pulse, this could be quite reliable. However, it is more likely that a software bug will be found after reverse-engineering the dumped hypervisor and that is what will be deployed for use by the masses.
Sony appears to have done a great job with the security of the PS3. It all hangs together well, with no obvious weak points. However, the low level access given to guest OS kernels means that any bug in the hypervisor is likely to be accessible to attacker code due to the broad API it offers. One simple fix would be to read back the state of each mapping after changing it. If the write failed for some reason, the hypervisor would see this and halt.
It will be interesting to see how Sony responds with future updates to prevent this kind of attack.
[Edit: corrected the description of virtual segment allocation based on a comment by geohot.]"
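The following is an added example, not code from this page, from GeoHot or from Nate Lawson. It models the HTAB teardown race the quoted write-up describes in plain C: a toy hashed page table, a release routine that trusts each write, a fault injector that drops a single table write (standing in for the 40 ns glitch landing during lv1_release_memory()), and the read-back check Lawson proposes as a fix. The table layout, the function names and the cycle-counting fault injector are assumptions for illustration; the real lv1 calls and the PowerPC page-table entry format are not reproduced.

```c
/*
 * Toy model of the HTAB desynchronisation described in the quoted write-up.
 * Added example: table layout, names and the fault injector are assumptions,
 * not the real PS3 lv1 code or PTE format.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HTAB_ENTRIES 64
#define PTE_VALID    0x1u

/* One hashed-page-table entry: a valid bit plus the physical page it maps. */
struct pte { uint32_t flags; uint32_t ppn; };
struct htab { struct pte e[HTAB_ENTRIES]; };

/*
 * Fault injector standing in for the glitch pulse: every table write consumes
 * one "bus cycle", and the write issued on cycle g_glitch_cycle is silently
 * dropped, so RAM keeps the old entry. -1 means no glitch.
 */
static int g_cycle = 0;
static int g_glitch_cycle = -1;

static void pte_write(struct pte *dst, struct pte val) {
    g_cycle++;
    if (g_cycle == g_glitch_cycle)
        return;                          /* glitched: write never reaches RAM */
    *dst = val;
}

/* What the exploit asks lv1 for: `count` duplicate mappings of page `ppn`. */
static int map_duplicates(struct htab *h, uint32_t ppn, int count) {
    int made = 0;
    for (int i = 0; i < HTAB_ENTRIES && made < count; i++) {
        if (!(h->e[i].flags & PTE_VALID)) {
            struct pte v = { PTE_VALID, ppn };
            pte_write(&h->e[i], v);
            made++;
        }
    }
    return made;
}

/* Mappings of `ppn` still valid, i.e. entries the guest kernel can still use. */
static int live_mappings(const struct htab *h, uint32_t ppn) {
    int n = 0;
    for (int i = 0; i < HTAB_ENTRIES; i++)
        if ((h->e[i].flags & PTE_VALID) && h->e[i].ppn == ppn)
            n++;
    return n;
}

/* Vulnerable release: tears down each mapping and trusts that the write landed. */
static void release_unchecked(struct htab *h, uint32_t ppn) {
    const struct pte zero = { 0, 0 };
    for (int i = 0; i < HTAB_ENTRIES; i++)
        if ((h->e[i].flags & PTE_VALID) && h->e[i].ppn == ppn)
            pte_write(&h->e[i], zero);
}

/* Hardened release (the fix Lawson proposes): read each entry back after
 * clearing it and halt if the write did not take. Returns false on halt. */
static bool release_verified(struct htab *h, uint32_t ppn) {
    const struct pte zero = { 0, 0 };
    for (int i = 0; i < HTAB_ENTRIES; i++) {
        if ((h->e[i].flags & PTE_VALID) && h->e[i].ppn == ppn) {
            pte_write(&h->e[i], zero);
            if (h->e[i].flags & PTE_VALID)   /* read-back mismatch: halt */
                return false;
        }
    }
    return true;
}

/* Scenario: map `dups` duplicates of page 0x42, then release the page with the
 * glitch landing on release write cycle `glitch` (1-based; -1 or anything past
 * `dups` misses the window). Returns how many stale mappings survive. */
int stale_after_unchecked_release(int dups, int glitch) {
    struct htab h;
    memset(&h, 0, sizeof h);
    g_cycle = 0; g_glitch_cycle = -1;
    map_duplicates(&h, 0x42, dups);
    g_cycle = 0; g_glitch_cycle = glitch;   /* count cycles from the release call */
    release_unchecked(&h, 0x42);
    return live_mappings(&h, 0x42);
}

/* Same scenario with the verified release: true if the hypervisor halted. */
bool halted_after_verified_release(int dups, int glitch) {
    struct htab h;
    memset(&h, 0, sizeof h);
    g_cycle = 0; g_glitch_cycle = -1;
    map_duplicates(&h, 0x42, dups);
    g_cycle = 0; g_glitch_cycle = glitch;
    return !release_verified(&h, 0x42);
}

int main(void) {
    /* The window is `dups` write cycles wide, which is why the exploit creates
     * so many duplicate mappings before calling lv1_release_memory(). */
    printf("no glitch:             %d stale mapping(s)\n", stale_after_unchecked_release(16, -1));
    printf("glitch on cycle 7:     %d stale mapping(s)\n", stale_after_unchecked_release(16, 7));
    printf("glitch outside window: %d stale mapping(s)\n", stale_after_unchecked_release(16, 40));
    printf("verified release, glitch on cycle 7: %s\n",
           halted_after_verified_release(16, 7) ? "halted" : "continued");
    return 0;
}
```

The model only captures the narrow effect the write-up infers (one teardown write failing to reach RAM); a real voltage glitch corrupts the bus far less cleanly, which is why the attack needs many attempts. Note also that read-back verification narrows the window rather than closing it, since a second pulse could in principle disturb the comparison as well, which is why the write-up's other point, the breadth of the hypervisor API exposed to guest kernels, matters just as much.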
HOW DID SONY RESPOND?
THEY REMOVED THE OTHEROS OPTION, ANGERING HACKERS ALL OVER THE WORLD AS WELL AS THE CODERS AND DEVELOPERS WHO BOUGHT THE PS3 FOR THAT SOLE REASON: LINUX. THE RESULT WAS A SHARED WILL AND MOTIVATION TO COMPROMISE THE PS3 AND RE-ENABLE LINUX WITH FULL HARDWARE ACCESS.
Dec 29, 2010: First off, for those who have not seen fail0verflow's 27C3 presentation,
WE URGE YOU TO DO SO...
Anonymous Gets Serious, Attacks Sony Employees
Infamous hacking group Anonymous began a series of attacks against Sony earlier today, bringing down several Sony sites and the PlayStation Network. However, a radical offshoot of the main group believes that the attacks aren’t enough, and is prepared to take the fight to a more severe level.
Initially claiming that they would seek revenge against Sony for its legal action against Geohot and other PS3 hackers, the group successfully DDoS’d PlayStation.com and the PlayStation Store under the banner OpSony. Now, a more aggressive and darker group called SonyRecon has begun a series of more personal attacks.
Speaking on the OpSony IRC, user randomtask announced his new group:
ok i made a chan #sonyrecon for people to gather and contribute dox, and work towards a common goal of finding and information and detailing useful targets
some one got the phone number of the head of the sony company in #sonyrecon
Dox is where a hacker gets another person’s identity, such as the name of the person, telephone number, pictures, home address, email, IP address, family members and relatives names etc. and then uses this to their advantage, mainly fraud.
Currently SonyRecon is only kicking off, but the group have already uncovered Sony employees’ family records and personal details. We’ve left out links to the details, and the actual information included, so that the employees’ details are not further compromised, but it is worrying that the group could uncover information so quickly.
Update: Other Dox attacks highlighted by the group could include:
Craigslist – Make a ad in the “free stuff” section, or in “erotic services” and “casual encounters” as is evident here there are many horny men who will relentlessly pursue someone who they believe to be 19/f.
STD Postcards – send one of these e-postcards notifying the target that one of their previous sexual partners has a STD. Makes for an uncomfortable wait for them. Alternatively call an AIDS hotline and ask them to anonymously tell the target they could have HIV, thats a 6 month wait until the test comes back.
Free UPS Boxes create an account and order the target a couple of hundred boxes & labels, fedex also offer free boxes.
Google Maps use Google maps to locate local businesses to mess with the target.
Call them:
Skype – Use skype to call the target. When you first register a skype account you get one free call…
IP Relay – Ask the operator not to announce at the start of the call. This is a service only available to people in the USA.
For example, the family history of Robert S. Wiesenthal, Group Executive at Sony Corporation, leading Corporate Development and Mergers and Acquisitions at Sony headquarters, is currently being released onto the internet. His marital status, age, address, education and even whether he has children have been discovered. Other main targets include Nicole Seligman and Sony boss Howard Stringer, but multiple Sony employee emails are noted as future targets. In fact, one anon complained “No one found ANY info on Stringers kids?”
SonyRecon founder randomtask stated:
sony , the judge and sonys lawyers are all valid targets
SonyRecon have also begun compiling personal information of the lawyers as well as the plaintiffs involved in the case.
Update 2: The website of the company handling Sony’s case has been brought down.
Update 3: One SonyRecon member boasted on the IRC (unconfirmed that he actually did it):
lol well like 30 min ago i left chocolate rain on the judge’s voicemail lawl
The extent of the attacks remains to be seen, but PlayStation LifeStyle will keep you updated.
Craigslist – Make a ad in the “free stuff” section, or in “erotic services” and “casual encounters” as is evident here there are many horny men who will relentlessly pursue someone who they believe to be 19/f.
STD Postcards – send one of these e-postcards notifying the target that one of their previous sexual partners has a STD. Makes for an uncomfortable wait for them. Alternatively call an AIDS hotline and ask them to anonymously tell the target they could have HIV, thats a 6 month wait until the test comes back.
Free UPS Boxes create an account and order the target a couple of hundred boxes & labels, fedex also offer free boxes.
Google Maps use Google maps to locate local businesses to mess with the target. Use searches such as:-
“Pizza 78130″
“Locksmith London,UK”
“Emergency Plumber Toronto,Canada”
To locate businesses that will be able to visit the target at all hours. Be sure to have the targets dox to hand and to know nearby cross streets in order to give directions. When making an order, make it plausible e.g. 2 pizzas so that no suspicions are aroused. Occasionally businesses ask for a telephone number, unless you have a skype in number, it’s best just to give the target’s.
[edit]Call them Skype – Use skype to call the target. When you first register a skype account you get one free call, however call rates are fairly cheap and you can purchase skype credit in stores such as wallmart or purchase unlimited calls to numbers in N.America for just $3/month. It is possible to call many businesses for free, without requiring any credits, with GOOG411, simply dial +1.800.4664.411 in skype & state the city, state & then the business name or type.
IP Relay – read up on the terminology here here. Ask the operator not to announce at the start of the call. This is a service only available to people in the USA. Sites:- ip-relay.com, sprintip.com, siprelay.com.
iCall – If you don’t feel like abusing a service intended for the disabled you can make a free 3 min call in your browser at iCall. You can also download a client to make slightly longer calls for free.
EarthCaller – Use earth caller to make free calls to anywhere in N.America, note that you have to use Internet Explorer to use it, install the IE Tab addon if you wish to use Firefox. Unlike other VOIP services it does give a proper telephone number on caller IDs.
DukaDial – –DEAD– Use DukaDial to call two numbers at once, be they your target & the white house situation room number ( 202-456-9431 ) , perhaps the local FBI / Police department or maybe just a random hooker off craigslist.
DukaUS – Can be used to make free conference calls with up to 6 participants, it gives you the option to individually mute participants. Why not get it to dial two numbers as well as a partyline, so that you can listen in on the chaos.
Jan 2, 2011: Months of battles between Sony and PS3 hackers reach a climax when George Hotz, aka GeoHot, publishes the root key for the PS3. Among other things, this allows users to sign and run any code they want on the PS3.
Jan 11, 2011: Sony responds to the release of the root key by filing suit against Hotz and several other prominent PS3 enthusiasts in Sony Computer Entertainment of America LLC v. Hotz et al. The complaint alleges, among other things, violation of the DMCA and the Computer Fraud and Abuse Act, breach of contract, and trespass.
March 31, 2011: Rebug custom firmware released. Rebug allows access to many of the features only found in PS3 developer kits (PS3 dev kits were notoriously expensive. At one point the PS3 Reference Tool cost upwards of 10,000 USD.)
March 31, 2011: Sony Online Entertainment lays off 205 employees, an estimated 1/3 of the division.
Early April 2011: Internet group Anonymous responds to SCEA v. Hotz by launching OpSony, a DDoS of PSN and other Sony owned properties with a web presence.
April 20, 2011: Sony detects an intrusion, and the PlayStation Network and Qriocity servers are taken offline.
From there Sony’s missive to Congress pretty well documents what happened.
So, with that background laid, we now need to ask how the attacker actually got in. Sony held a press conference on May 1st 2011, during which they issued this diagram describing how they believed the intrusion happened:
This seems like a roundabout way of saying that there was a SQL injection issue in one of PSN’s applications, or that the database server itself was publicly reachable and exploitable directly. That is not very descriptive or helpful, though, so let’s take a minute to look at some of the alternative ideas on how the breach happened. Please take all of this with a grain of salt, as some of it is speculation or cannot be confirmed.
- Unpatched server: A chat log of several PS3 modders probing PSN has been making the rounds. In it they claim that some of PSN’s web servers were running outdated versions of Apache and Linux (2.2.15 and 2.6.9-2.6.24 respectively). If those packages really were that old, it is a solid bet that the rest of the server hadn’t been patched in years either, and the intrusion would have been as simple as firing up Metasploit and going to work. Two caveats: a version banner is weak evidence on its own, because enterprise distributions backport security fixes without changing the advertised version (Apache 2.2.15, for instance, is the httpd release that RHEL 6 and CentOS 6 ship and patch in place), and Google’s web cache shows that Sony’s servers were up to date, so this whole theory may be bunk.
- Physical attack: Several of Sony’s press releases and blog posts have talked about moving the PSN servers into a single secure location. There have been suggestions that this indicates that there was a physical component to the attack. While this certainly is a possibility, it seems much more likely that this was already happening and Sony is merely highlighting it to promote the image of a security conscious company.
- Insider attack: While this is a threat actor, not an attack, it still merits mentioning. There is a possibility that one of the 205 SOE employees who were terminated on March 31st could have used their access to attack Sony. The retaliatory attacks over the GeoHot lawsuit would have provided the perfect cover for an employee who was angry with being terminated to leverage their access against Sony.
- Leveraging a PS3 against PSN: One of the interesting features of the Rebug firmware was the ability to switch which set of PSN servers the console connected to. For instance, modders found it was possible to force a PS3 to connect to the prod-qa instance of PSN. On this particular instance, the servers would not validate credit card information before adding credit to the account, so attackers could simply add unlimited credit for the PSN store. Much of this information was publicly available before the breach happened. An IRC chat log also claimed that there were 45 Internet-accessible PSN instances at the time of the breach. It is possible that one of the PSN instances meant for internal use only had flaws, or was configured in such a way, that a rogue PS3 could have leveraged it against the rest of Sony’s network.
And that’s all working on the assumption that there was just one breach! Perhaps the reason why Sony’s response has seemed a little disjointed is that we keep trying to shoehorn their actions to fit our notion of them responding to a single unrealistically complicated multi-vector attack, and not them responding to a slew of simple attacks that all happen to be coming from different vectors simultaneously. In the weeks that followed PSN being taken down, we have learned that other Sony-owned resources have been compromised and taken offline (e.g. DC Universe Online, Star Wars: Galaxies, Free Realms, EverQuest, and even Sony-run Facebook games like Fortune League) and that more personal information was lost than originally reported (plus an additional 12,700 credit card numbers were discovered stolen on May 2nd). It is unlikely that this is all the work of a single attacker. Even with a best case scenario of there being only two independent simultaneous breaches, so much went on in Sony’s network during those few days that trying to assess, attribute, and respond to what happened is quite a task. Expecting them to know exactly how to best respond to a breach of this magnitude and complexity without tilting their heads a little about what happened is just unrealistic.
Finally, I would bet that this was more a crime of opportunity than a targeted attack. Much of the work that modders were doing on exploring the different PSN instances was publicly available. If someone wanted to attack PSN, the recon was done for them and the tools were already made. Since several less-than-honest modders were using the aforementioned free content trick, someone who wanted to use this information to attack would need to do it before Sony responded and nullified all of that work. Sony was also still shoring up their defenses from the hacktivist DDoS over the GeoHot lawsuit of the prior weeks, so there was perfect cover for the attack.
All in all, we probably won’t ever know all of the details surrounding this breach. This should provide a little bit of insight into what probably happened and help a bit to interpret Sony’s response to the breach.
Source:
http://www.veracode.com/