Documente Academic
Documente Profesional
Documente Cultură
Secure Systems
Lecture Overview
Secure Systems & Patch Sets
OpenBSD
SELinux
Grsecurity
Current Generation
MBE - 03/17/2015
Secure Systems
OpenBSD
The OpenBSD project produces a FREE, multi-platform 4.4BSDbased UNIX-like operating system. Our efforts emphasize
portability, standardization, correctness, proactive
security and integrated cryptography.
openbsd.org
MBE - 03/17/2015
Secure Systems
OpenBSD
Started in 1995 forking from NetBSD 1.0
Try to be the #1 most secure operating
system openbsd.org
MBE - 03/17/2015
Secure Systems
MBE - 03/17/2015
Secure Systems
MBE - 03/17/2015
Secure Systems
MBE - 03/17/2015
Secure Systems
Secure Systems
SELinux Overview
Open sourced by the NSA in 2000
Extended filesystem permissions controls
Users and services should only have access to
exactly what they need
MBE - 03/17/2015
Secure Systems
Grsecurity (GRSEC)
Secure Systems
10
GRSEC Overview
Started in 2001 as a port of OpenWall
Free, relatively easy to setup
Besides robust access control like SELinux,
GRSEC has a large focus on hardening against
memory corruption based exploits
High quality PAX ASLR, Memory Sanitization, Heap
Hardening, Active Response, to name a few
MBE - 03/17/2015
Secure Systems
11
Lecture Overview
Secure Systems & Patch Sets
OpenBSD
SELinux
Grsecurity
Current Generation
MBE - 03/17/2015
Secure Systems
12
GAME CONSOLES
A closer look at the bugs that brought down consoles of our generation
MBE - 03/17/2015
Secure Systems
13
Game Consoles
Evolving entertainment platforms
Play games, stream media, browse the web
Secure Systems
14
MBE - 03/17/2015
Secure Systems
15
MBE - 03/17/2015
Secure Systems
16
MBE - 03/17/2015
Secure Systems
17
Secure Systems
18
MBE - 03/17/2015
Secure Systems
19
MBE - 03/17/2015
Secure Systems
20
Physical Memory
Game Code
Kernel
Hypervisor
MBE - 03/17/2015
Secure Systems
0x00000000
0xFFFFFFFF
21
MBE - 03/17/2015
Secure Systems
22
...
MBE - 03/17/2015
Secure Systems
23
The Oops
Only the lower 32 bits of
the syscall number are
sanity checked
The whole 64 bit number
is used in address
calculation
Physical Memory
Game Code
(Userland Memory)
syscall_table[syscall_num](...);
Kernel
Hypervisor
MBE - 03/17/2015
Secure Systems
0x00000000
0xFFFFFFFF
24
Game Over
MBE - 03/17/2015
Secure Systems
25
MBE - 03/17/2015
Secure Systems
26
Secure Systems
27
MBE - 03/17/2015
Secure Systems
28
Secure Systems
29
MBE - 03/17/2015
Secure Systems
30
MBE - 03/17/2015
Secure Systems
31
Secure Systems
32
SysCore ARM9
Micro Kernel
Micro Kernel
PXI
Games / Apps
MBE - 03/17/2015
PROCESS9
Secure Systems
33
PXI
Pipeline for the cores to talk to each other
MBE - 03/17/2015
Secure Systems
34
MBE - 03/17/2015
Secure Systems
35
MBE - 03/17/2015
Secure Systems
36
Secure Systems
37
State of Control
AppCore - ARM11
SysCore ARM9
Micro Kernel
Micro Kernel
PXI
Games / Apps
PROCESS9
MBE - 03/17/2015
Secure Systems
38
SysCore ARM9
Micro Kernel
Micro Kernel
PXI
Games / Apps
MBE - 03/17/2015
PROCESS9
Secure Systems
39
SysCore ARM9
verify this sig plz
PXI
Games / Apps
MBE - 03/17/2015
Micro Kernel
PROCESS9
Secure Systems
40
MBE - 03/17/2015
SysCore ARM9
verify this sig plz
PXI
signature is good!
Secure Systems
Micro Kernel
PROCESS9
41
MBE - 03/17/2015
Secure Systems
42
SysCore ARM9
malicious request
PXI
Games / Apps
Micro Kernel
PROCESS9
MBE - 03/17/2015
Secure Systems
43
SysCore ARM9
malicious request
PXI
Games / Apps
MBE - 03/17/2015
Micro Kernel
PROCESS9
Secure Systems
44
MBE - 03/17/2015
Secure Systems
45
return result;
}
MBE - 03/17/2015
Secure Systems
46
Secure Systems
47
MBE - 03/17/2015
Secure Systems
48
Secure Systems
49
MBE - 03/17/2015
Secure Systems
50
FreeBSD Based OS
Only runs signed code or executables
Rigorous chain of trust, secure bootstrapping
Cell Architecture
Isolates cores from each other, HV
Dedicated System / Security Cell
MBE - 03/17/2015
Secure Systems
51
MBE - 03/17/2015
Secure Systems
52
MBE - 03/17/2015
Secure Systems
53
Secure Systems
54
More Privileged
GeoHot
MBE - 03/17/2015
Secure Systems
55
MBE - 03/17/2015
Secure Systems
56
Secure Systems
57
MBE - 03/17/2015
Secure Systems
58
MBE - 03/17/2015
Secure Systems
59
More Privileged
PS3 Jailbreak
MBE - 03/17/2015
Secure Systems
60
MBE - 03/17/2015
Secure Systems
61
SELF
MBE - 03/17/2015
ELF
Secure Systems
62
MBE - 03/17/2015
Secure Systems
63
Secure Systems
64
MBE - 03/17/2015
Secure Systems
65
MBE - 03/17/2015
Secure Systems
66
Effects of Missteps
With only TWO signatures from the Crypto SPE,
you can compute Sonys Private ECDSA Key
With the ECDSA Key, the floodgates are opened
You can sign anything as Sony
This key is embedded in hardware
MBE - 03/17/2015
Secure Systems
67
metldr Owned
Geohot releases metldr decryption keys
MBE - 03/17/2015
Secure Systems
68
More Privileged
GeoHot
MBE - 03/17/2015
Secure Systems
69
MBE - 03/17/2015
Secure Systems
70
MBE - 03/17/2015
Secure Systems
71
More Privileged
OWNED
MBE - 03/17/2015
Secure Systems
72
MBE - 03/17/2015
Secure Systems
73
Secure Systems
74
MBE - 03/17/2015
Secure Systems
75
MBE - 03/17/2015
More Privileged
Secure Systems
76
MBE - 03/17/2015
Secure Systems
77
MBE - 03/17/2015
Secure Systems
78
PS3 Aftermath
Sony drops lawsuit against Geohot
Must never hack Sony products again
MBE - 03/17/2015
Secure Systems
79
Lecture Overview
Secure Systems & Patch Sets
OpenBSD
SELinux
Grsecurity
Current Generation
MBE - 03/17/2015
Secure Systems
80
CURRENT GENERATION
A peek at the current generation of consoles
MBE - 03/17/2015
Secure Systems
81
Current Generation
Xbox One
I did some reversing over winter break (-:
PS4
I dont know as much about, sorry ):
MBE - 03/17/2015
Secure Systems
82
MBE - 03/17/2015
Secure Systems
83
Xbox One OS
Ditches the 360s custom operating system
Xbox OS (XOS) is forked from Windows 8(ish)
MBE - 03/17/2015
Secure Systems
84
Secure Systems
85
MBE - 03/17/2015
Secure Systems
86
MBE - 03/17/2015
Secure Systems
87
Secure Systems
88
MBE - 03/17/2015
Secure Systems
89
PS4 Details
I really dont know as much about the PS4 OS
or its security features
I do know that it has a very similar AMD CPU
as the Xbox One
An ARM PSP is also present in the CPU
MBE - 03/17/2015
Secure Systems
90
https://www.youtube.com/watch?v=82vf0JQS1Sk
http://www.securityfocus.com/archive/1/461489
https://www.youtube.com/watch?v=XtDTNnEvlf8
https://www.youtube.com/watch?v=uxjpmc8ZIxM
http://beta.ivc.no/wiki/index.php/Xbox_360_King_Kong_Shader_Exploit
http://free60.org/wiki/SMC_Hack
http://pastebin.com/gDLyZ6DU
http://www.ibm.com/developerworks/power/library/pa-cellsecurity/
http://www.eurasia.nu/wiki/index.php/PS3_Glitch_Hack
http://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was-hacked/
https://www.youtube.com/watch?v=4loZGYqaZ7I
http://www.ps3news.com/PS3-Hacks/Fail0verflow-27C3-PS3-Exploit-Hacker-Conference-2010Highlights/
http://www.ps3news.com/PS3-Dev/ps-jailbreak-ps3-exploit-reverse-engineering-is-detailed/
http://www.ps3devwiki.com/ps3/Boot_Order
http://3dbrew.org/
MBE - 03/17/2015
Secure Systems
91