Thursday, January 28, 2010

Hacking embedded systems - March update

Big news recently was the exploit against the PS3 hypervisor developed by George Hotz. Nate Lawson has a good writeup explaining the attack on his blog. The exploit fills a section of memory with duplicate pointers to a buffer of memory that the attacker controls. It then deallocates the section of memory holding the duplicate pointers but interrupts the system in hardware before the deallocation completes. The hypervisor is thus left with memory pointing to a buffer controlled by the Linux kernel, which is under the attacker's control. The attacker then creates virtual memory buffers until the hypervisor creates one that overlaps the section controlled by the attacker. Once this is complete, the final step is for the exploit to create:

HTAB entries that will give it full access to the main segment, which maps all of memory. Once the hypervisor switches to this virtual segment, the attacker now controls all of memory and thus the hypervisor itself. The exploit installs two syscalls that give direct read/write access to any memory address, then returns back to the kernel.

The attack requires the attacker to apply a nanosecond-scale timed voltage pulse to a particular line (shown by the red circle on the graphic above) on the PS3 memory bus, confusing the system and interrupting the memory deallocation. George has not compromised the secret keys, and much work remains. But attackers can now access all of the hypervisor code and should be able to operate in memory outside of the hypervisor on the main Cell processor (PPE). There are seven other Cell (SPE) coprocessors, including one dedicated to security functions.
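To make the failure mode concrete, here is a toy C model added for this post (not Hotz's exploit, Lawson's analysis, or any PS3 code): a deallocation routine whose clearing writes can be dropped by a simulated glitch, beside a variant that reads each slot back before releasing the region. The slot table, the `glitch_fn` callback and the retry budget are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Toy model constructed for this post (not PS3 or hypervisor code): a table
 * of slots holding duplicate references to a guest-controlled buffer, and a
 * deallocation routine that must clear every slot before the region is
 * released. A callback simulates a glitch that drops one clearing write. */
#define SLOTS 8
static uint8_t guest_buffer[64];      /* memory the guest (Linux) controls */
static volatile uintptr_t slots[SLOTS];
typedef bool (*glitch_fn)(size_t i);  /* true = this write is dropped */

static void fill_slots(void) {
    for (size_t i = 0; i < SLOTS; i++) slots[i] = (uintptr_t)guest_buffer;
}
/* Naive deallocation: clears each slot and trusts that the write landed. */
static void free_naive(glitch_fn glitch) {
    for (size_t i = 0; i < SLOTS; i++)
        if (!glitch(i)) slots[i] = 0;
}
/* Hardened deallocation: read back each slot after clearing it and retry;
 * returns -1 if any reference survives, otherwise the number of retries. */
static int free_verified(glitch_fn glitch, int max_tries) {
    int retries = 0;
    for (size_t i = 0; i < SLOTS; i++) {
        int t = 0;
        while (t++ < max_tries) {
            if (!glitch(i)) slots[i] = 0;
            if (slots[i] == 0) break;
            retries++;
        }
        if (slots[i] != 0) return -1;
    }
    return retries;
}
/* Counts slots that still reference guest memory after deallocation. */
static size_t dangling_refs(void) {
    size_t n = 0;
    for (size_t i = 0; i < SLOTS; i++) if (slots[i] == (uintptr_t)guest_buffer) n++;
    return n;
}
/* Constructed fault: drops the clearing write for slot 3 exactly once. */
static int drops_left;
static bool glitch_once(size_t i) { return i == 3 && drops_left-- > 0; }

/* Each run returns the number of dangling references left behind. */
size_t run_naive(void)    { fill_slots(); drops_left = 1; free_naive(glitch_once);       return dangling_refs(); }
size_t run_verified(void) { fill_slots(); drops_left = 1; free_verified(glitch_once, 3); return dangling_refs(); }
```

A readback can itself be glitched, so real fault-tolerant designs layer redundant checks rather than trusting a single verify; this only shows why an unverified clearing loop leaves behind the dangling reference the attack depends on.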

It's a testament to the level of security engineering put in by Sony that it's lasted this long. Their willingness to allow dual booting Linux may have deflected intense analysis, since some of the objectives in hacking the system were eliminated.

On a personal note, George Hotz is developing an impressive track record. He is one of the key developers behind the iPhone/iPod Touch hacks and released the primary tool for "jailbreaking" those systems. For a 21-year-old he has a bright future in the field...

UPDATE (March 29th, 2010):
Sony has responded to George's research by announcing that on April 1st they will be disabling the "Other OS" feature on all deployed Sony PS3s. Since this was a feature advertised when they sold the devices, some users are speculating that Sony will be sued for retroactively removing a feature that many people paid for. George is being blamed by some users and is planning to create a workaround. An interesting unintended consequence and a heavy-handed response by Sony.