Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “...
Transcript of Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “...
![Page 1: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/1.jpg)
Aug 13-15, 2002 CHES2002
Keeping Secrets In Hardware
The Microsoft Xbox™ Case StudyS-BOXes and Xboxes
Andrew “bunnie” Huang, [email protected]
![Page 2: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/2.jpg)
Aug 13-15, 2002 CHES2002
OutlineBackground? Subject hardware ? Security motive
Xbox™ Security overviewReverse engineering? Focus on process and methodology
Lessons learned? Summary of known flaws? Summary of possible countermeasures
![Page 3: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/3.jpg)
Aug 13-15, 2002 CHES2002
What is an Xbox?
Xbox is an embedded PC? 733 MHz Intel Pentium III-class processor? nVidia nForce-derivative chipset? 64 MB DDR SDRAM? 100 Base-T ethernet port? VGA graphics capability? USB ports? 10 GB IDE hard drive? IDE DVD-ROM drive
![Page 4: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/4.jpg)
Aug 13-15, 2002 CHES2002
Comparison to Stock PC Hardware
x86 CPU
nVidia GPU/“Northbridge”
DDR SDRAM
nVidia MCP/“Southbridge”
FLASH ROM
Picture fromhttp://www.ocmodshop.com/asusnforce/topboard.jpg
ASUS A7N266-VMXbox Motherboard
![Page 5: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/5.jpg)
Aug 13-15, 2002 CHES2002
Security Rationale: Economics
Hardware is sold at a loss? “Loss Leader”? Make up the difference in sales of games,
services
![Page 6: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/6.jpg)
Aug 13-15, 2002 CHES2002
Economic Details
Sell about 20 games to break even? US$100-200 lost per Xbox console? Microsoft makes ~$7/title for third-party games? Microsoft makes about 3-4x more on first-party
titlesAssuming 1:2 first party:third party sale ratio? Over US$1000 in software
![Page 7: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/7.jpg)
Aug 13-15, 2002 CHES2002
How Much Security?
Sufficient deterrent to ensure that:? $1000 in games, or $200 in game services
are purchased over console lifetime? On-line gaming experience is enjoyable?A billion-dollar investment on Microsoft’s part
![Page 8: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/8.jpg)
Aug 13-15, 2002 CHES2002
Security Rationale: SummaryPrevent the following key scenarios:? Game copying? Game cheating
?Ensure an enjoyable on-line gaming experience? Emulation
?Stock PC booting a copied Xbox game?Modified PC booting a copied Xbox game
? Conversion to stock PC?Subsidized Windows platform?Linux/freeware platform?Embedded controller
![Page 9: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/9.jpg)
Aug 13-15, 2002 CHES2002
Xbox Security OverviewXbox is a Trusted PC Platform? Comparable in spirit to Palladium™ , TCPA? Hardware is trusted, all executables digitally
signed and verified prior to executionPhysical copy protection? 2-Layer DVD-9 format + block scrambling? 2-Layer DVDs are difficult to copy
Encrypted network connections? No details available yet, Xbox Live not yet
launchedMinimal perimeter security, tamper evidence
![Page 10: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/10.jpg)
Aug 13-15, 2002 CHES2002
Focus on Trust Mechanism
Trustable hardware is a cornerstone of Xbox security? If hardware is compromised, there is no
security
![Page 11: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/11.jpg)
Aug 13-15, 2002 CHES2002
Why Trust is RequiredUser attempts torun an executable
computed hashof executable, data
decrypt public-key encryptedexpected hash provided
by Microsoft
computed hashequals expected
hash?
YES
NO
run executable
reject executable
![Page 12: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/12.jpg)
Aug 13-15, 2002 CHES2002
Why Trust is RequiredUser attempts torun an executable
computed hashof executable, data
decrypt public-key encryptedexpected hash provided
by Microsoft
computed hashequals expected
hash?
YES
NO
run executable
reject executable
modifiedkernel code
![Page 13: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/13.jpg)
Aug 13-15, 2002 CHES2002
Establishing Trust
Requirements? The program counter (PC) is always within a
trusted code region, starting with the reset vector? All code and data is verified against signed hashes
before being accepted? Code and hardware is free of bugs
? i.e., buffer and segment overruns, protocol weaknesses? Hardware is inviolable
? Intrusion detection at a minimum?Tamper resistance preferable
![Page 14: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/14.jpg)
Aug 13-15, 2002 CHES2002
Establishing Trust
Requirements? The program counter (PC) is always within a
trusted code region, starting with the reset vector? All code and data is verified against signed hashes
before being accepted? Code and hardware is free of bugs
? i.e., buffer and segment overruns, protocol weaknesses? Hardware is inviolable
? Intrusion detection at a minimum?Tamper resistance preferable
Microsoft does these
![Page 15: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/15.jpg)
Aug 13-15, 2002 CHES2002
Establishing Trust
Requirements? The program counter (PC) is always within a
trusted code region, starting with the reset vector? All code and data is verified against signed hashes
before being accepted? Code and hardware is free of bugs
? i.e., buffer and segment overruns, protocol weaknesses? Hardware is inviolable
? Intrusion detection at a minimum?Tamper resistance preferable
Attempts to do these
![Page 16: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/16.jpg)
Aug 13-15, 2002 CHES2002
Establishing Trust
Requirements? The program counter (PC) is always within a
trusted code region, starting with the reset vector? All code and data is verified against signed hashes
before being accepted? Code is free of bugs
? i.e., buffer overruns, protocol weaknesses? Hardware is inviolable
? Intrusion detection at a minimum?Tamper resistance preferable
Fails to do this
![Page 17: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/17.jpg)
Aug 13-15, 2002 CHES2002
Root of TrustLinear trust mechanism? Chain of trustable, verified code, starting with the
secure boot blockSecure boot block details? Reset vector/init code is contained in a tamper-
resistant module?ROM overlay within the system peripherals ASIC
(“southbridge” ASIC)?Southbridge ASIC implemented in 0.15? , 6 or 7 layers of
metal? Very hard to probe or modify
![Page 18: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/18.jpg)
Aug 13-15, 2002 CHES2002
Tamper Resistance?
![Page 19: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/19.jpg)
Aug 13-15, 2002 CHES2002
Transferring the TrustRC4/128 used to encrypt bootloader image? RC4/128 is a stream cipher
?A ciphertext modification will corrupt the remainder of the plaintext stream
? Simple “magic number” at the end of the bootloader image, checked to verify integrity
So long as the RC4/128 key is secret, attackers are unlikely to generate a valid false bootloader image? Secondary bootloader continues to transfer trust
through verification of digitally signed binaries
![Page 20: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/20.jpg)
Aug 13-15, 2002 CHES2002
"untrusted" code and data
Processor jumpsto boot vector at
0xFFFFFFF0
"Jam Table"HW initialization
caches turned on
decrypt bootloaderto SDRAMand verify
jump to bootloader decrypt kernel,decompress
jump to kernel
games code
trus
ted,
sec
ure
boot
blo
ck
jam tables(unencrypted)
bootloader(encrypted)
encryptionkey
validategames code
![Page 21: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/21.jpg)
Aug 13-15, 2002 CHES2002
Breaking the Trust
Discovery of secret key breaks the trust? Secure boot block was discovered when
certain ROM mods did not affect operation? Key was extracted by sniffing internal
busses
![Page 22: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/22.jpg)
Aug 13-15, 2002 CHES2002
![Page 23: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/23.jpg)
Aug 13-15, 2002 CHES2002
![Page 24: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/24.jpg)
Aug 13-15, 2002 CHES2002
controllers
key-lockedhard disk
(executeables,cached data,save games)
pentiumCPU
NV2Anorthbridge
+ gfx
MCPXsouthbridge
SDRAM64 MB
FLASHROM
(bootloader+ OS kernel)
secret bootROM
DVD drive(game data /
executeables)
gamecontrollers
dongles w/executeables(DVD player,
etc.)
IDE
Hyp
erT
SSTL-2
GTL
+ 64/32+
128/21+
8/2
lega
cy
8/24+
133MHz
200MHzDDR200
MHzDDR
< 10MHz
secure hardware boundary
security relationshipnot yet known
trusted codeand data:
digitally signedwith Microsoft
private key
bus width:data/others
bus clockrate
100Base-T
USB
Bus SniffingCandidates
![Page 25: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/25.jpg)
Aug 13-15, 2002 CHES2002
controllers
key-lockedhard disk
(executeables,cached data,save games)
pentiumCPU
NV2Anorthbridge
+ gfx
MCPXsouthbridge
SDRAM64 MB
FLASHROM
(bootloader+ OS kernel)
secret bootROM
DVD drive(game data /
executeables)
gamecontrollers
dongles w/executeables(DVD player,
etc.)
IDE
Hyp
erT
SSTL-2
GTL
+ 64/32+
128/21+
8/2
lega
cy
8/24+
133MHz
200MHzDDR200
MHzDDR
< 10MHz
secure hardware boundary
100Base-T
USB
Path of secret key
Possible key path
![Page 26: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/26.jpg)
Aug 13-15, 2002 CHES2002
controllers
key-lockedhard disk
(executeables,cached data,save games)
pentiumCPU
NV2Anorthbridge
+ gfx
MCPXsouthbridge
SDRAM64 MB
FLASHROM
(bootloader+ OS kernel)
secret bootROM
DVD drive(game data /
executeables)
gamecontrollers
dongles w/executeables(DVD player,
etc.)
IDE
Hyp
erT
SSTL-2
GTL
+ 64/32+
128/21+
8/2
lega
cy
8/24+
133MHz
200MHzDDR200
MHzDDR
< 10MHz
secure hardware boundary
100Base-T
USB
Too many pins
![Page 27: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/27.jpg)
Aug 13-15, 2002 CHES2002
controllers
key-lockedhard disk
(executeables,cached data,save games)
pentiumCPU
NV2Anorthbridge
+ gfx
MCPXsouthbridge
SDRAM64 MB
FLASHROM
(bootloader+ OS kernel)
secret bootROM
DVD drive(game data /
executeables)
gamecontrollers
dongles w/executeables(DVD player,
etc.)
IDE
Hyp
erT
SSTL-2
GTL
+ 64/32+
128/21+
8/2
lega
cy
8/24+
133MHz
200MHzDDR200
MHzDDR
< 10MHz
secure hardware boundary
100Base-T
USB
Too many pins,fast, obscurelayout
![Page 28: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/28.jpg)
Aug 13-15, 2002 CHES2002
controllers
key-lockedhard disk
(executeables,cached data,save games)
pentiumCPU
NV2Anorthbridge
+ gfx
MCPXsouthbridge
SDRAM64 MB
FLASHROM
(bootloader+ OS kernel)
secret bootROM
DVD drive(game data /
executeables)
gamecontrollers
dongles w/executeables(DVD player,
etc.)
IDE
Hyp
erT
SSTL-2
GTL
+ 64/32+
128/21+
8/2
lega
cy
8/24+
133MHz
200MHzDDR200
MHzDDR
< 10MHz
secure hardware boundary
100Base-T
USB
Reasonable pincount, but fast
![Page 29: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/29.jpg)
Aug 13-15, 2002 CHES2002
HyperTransport Bus
Favorable board layout, pin count? Fabricate pitch-
matched tap boardHigh speed? Use high-end FPGA
or logic analyzer
Rx bus
Tx bus
![Page 30: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/30.jpg)
Aug 13-15, 2002 CHES2002
Custom Tap Board
Pitch-matched HT connector
Last-minutesignal pair
Epoxy inplace
+5V power in
+3.3VLocalregulator
Reset signal
LVDS-TTLconverter
CTT to FPGA
![Page 31: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/31.jpg)
Aug 13-15, 2002 CHES2002
Tap Board
Board adapts HyperTransport bus to existing hardware? Virtex-E FPGA board developed for my
thesisClean-sheet tap board would look different? Virtex-II FPGA directly on tap board? Would cost $50-$100 to fabricate
![Page 32: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/32.jpg)
Aug 13-15, 2002 CHES2002
Analyzing the Bus
Traces of data collected, synchronized to power-on resetCiphertext sorted from code by histogramming and eyeballingData in traces organized by cache line? Code path was patched together using a
disassembler and cache line groupings
![Page 33: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/33.jpg)
Aug 13-15, 2002 CHES2002
Data TracesSENSITIVE DATA DELETED FOR PUBLIC DISTRIBUTION
Cycles since resetData on bus Unaligned data
Code fetch
Jump instruction @Boot vector
![Page 34: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/34.jpg)
Aug 13-15, 2002 CHES2002
Piecing it Together
Traces assembled into an image of the secure boot ROM? Secure boot ROM image contains ?RC4/128 key?Magic number check
![Page 35: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/35.jpg)
Aug 13-15, 2002 CHES2002
Fragile Trust
All Xboxes use the same secret key? One key extraction applies to all boxes? Debug and test features on the Xbox
motherboard enable easy ROM override?Easy to create, encrypt, and deploy mass
quantities of untrusted hardware
![Page 36: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/36.jpg)
Aug 13-15, 2002 CHES2002
Backdoors Galore
"untrusted" code and data
Processor jumpsto boot vector at
0xFFFFFFF0
"Jam Table"HW initialization
caches turned on
decrypt bootloaderto SDRAMand verify
jump to bootloader decrypt kernel,decompress
jump to kernel
games code
trus
ted,
sec
ure
boot
blo
ck
jam tables(unencrypted)
bootloader(encrypted)
encryptionkey
validategames code
Unencrypted,Unverified tables
![Page 37: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/37.jpg)
Aug 13-15, 2002 CHES2002
Jamtable Interpreter
What it is? Bytecode interpreter? Orchestrates dependencies and decisions
required for machine initializationWhat it can do? Reads and writes to PCI, memory, I/O
space? Conditional jumps, indirect addressing
![Page 38: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/38.jpg)
Aug 13-15, 2002 CHES2002
Jamtable Attacks
Jamtables are unencrypted and unverified? Can perform attacks without crypto? Two-phase soft-reset attacks to read out
plaintext?Allow machine to power up normally once, then
soft reset with a new jam table that copies code to an insecure location (courtesy visor)
![Page 39: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/39.jpg)
Aug 13-15, 2002 CHES2002
Jamtable Attacks IIJamtable weakness + hardware bugs allows program counter to be seized? Secure boot block jumps to 0xFFFF FFFA when a
bad ciphertext image is encountered? PC will roll over from 0xFFFF FFFF to 0x0000 0000
without an exception? 0x0000 0000 is in SDRAM memory? Use jamtable to write at 0x0000 0000 a jump
instruction to an insecure FLASH region, and corrupt ciphertext image to sieze the PC
? Courtesy visor
![Page 40: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/40.jpg)
Aug 13-15, 2002 CHES2002
Lessons Learned
Avoid symmetric ciphers in this scenario? Difficult to guarantee secrecy of key? Cost of ASIC mask sets, lead time make
key rotation expensive and difficultUse hashes to verify all code and data regionsComplex protocols such as x86/PC initialization are difficult to secure
![Page 41: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/41.jpg)
Aug 13-15, 2002 CHES2002
Alternative Solution
Use digital signatures to verify the FLASH ROM contents? Store signature in off-chip EEPROM? Users cannot run false code without
signer’s private key? Does not prevent plaintext snooping? Can be defeated with a bus override attack?A set of precisely timed pulses on the
HyperTransport bus can alter the reset vector
![Page 42: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/42.jpg)
Aug 13-15, 2002 CHES2002
Bus Override AttackSENSITIVE DATA DELETED FOR PUBLIC DISTRIBUTION
Cycles since resetData on bus
Jump instruction @Boot vector
![Page 43: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/43.jpg)
Aug 13-15, 2002 CHES2002
Bus Override AttackSENSITIVE DATA SCRUBBED
Cycles since resetData on bus
Override cycle 22526 with jumpopcode to insecurecode space
![Page 44: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/44.jpg)
Aug 13-15, 2002 CHES2002
Alternative Solution, Cont’dUse digital signatures to verify the FLASH ROM contents? Can be defeated with a snoop & modify memory
?Most effective in a PC using standard memory sockets?Present trust introspection routines with benign code
images?Present malicious memory image at other times?Also use to snoop and extract plaintexts?Snoop-RAM can be fairly inexpensive to manufacture? Inspired by entries about Palladium in Seth Schoen’s
online diary
![Page 45: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/45.jpg)
Aug 13-15, 2002 CHES2002
“Snoop-RAM”
Standard SDRAM DIMMsocket
InterceptorFPGA
Memory Stock PCmotherboard
Snoop capturecard
![Page 46: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/46.jpg)
Aug 13-15, 2002 CHES2002
Even More Security MeasuresEmbed secret boot block on processor silicon? Bus override attack extremely difficult? Possible Vcc, photonic attacks (c.f. R. Anderson /
smartcards)Employ tamper-evidence? Expect tampering, disable system if tampered? Possible yield hit and field service issues
Physical tamper-resistance? Potting, tamper-detecting membranes? Expensive, impractical, thermal issues
![Page 47: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/47.jpg)
Aug 13-15, 2002 CHES2002
Other Ideas
Encrypt all chip-chip busses? Severe power consumption implications? Reliability can be impacted? Performance is degraded
![Page 48: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/48.jpg)
Aug 13-15, 2002 CHES2002
Other Ideas
Don’t use a PC? “Security through obscurity” –c.f. Nintendo? Patent proprietary formats
?Well-understood legal protections? The end goal is not crypto-security
?An economic or legal barrier is a sufficient deterrent?Unfortunately, the DMCA presents a significant
psychological threat to many researchers in the US
![Page 49: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/49.jpg)
Aug 13-15, 2002 CHES2002
SummaryXbox is a PC architecture with trust enhancements? Trust relies on the secrecy of a key, contained in
the user hardware?Demonstrated key extraction
? Other protocol attacks (i.e., jamtable attacks) can bypass the trust mechanism
Creating a trusted PC architecture is not trivial? Like turning a college campus into a fortress
![Page 50: Keeping Secrets In Hardware · The Microsoft Xbox Case Study S-BOXes and Xboxes Andrew “ bunnie” Huang, MIT bunnie@alum.mit.edu Aug 13-15, 2002 CHES2002 Outline Background? Subject](https://reader033.fdocuments.net/reader033/viewer/2022052012/6028f560ec323c62bc033848/html5/thumbnails/50.jpg)
Aug 13-15, 2002 CHES2002
Thank you for your attention.