
Analysis of PS4's security and the state of hacking - jsnell
http://cturt.github.io/ps4.html
======
amluto
FreeBSD was vulnerable to BadIRET. Oddly, they never seem to have published an
advisory, but the fix was here:

[https://reviews.freebsd.org/rS275833](https://reviews.freebsd.org/rS275833)

I thought the handling of that issue was very strange. I notified CERT, who
apparently coordinated with FreeBSD, but no one ever really responded. The
closest thing to an advisory that I can find at all is my post:

[http://www.openwall.com/lists/oss-security/2015/07/09/1](http://www.openwall.com/lists/oss-security/2015/07/09/1)

which contains a PoC that crashes the system. It's almost certainly possible
to turn it into privilege escalation, though.

Go figure. I suspect that the security community just doesn't pay as much
attention to FreeBSD as they do to Linux.

~~~
feld
Probably has to do a lot with timing. At the time of your report, the Security
Officer was DES. Life happened, and he wasn't able to keep up or respond to
events as quickly.

As of June, Xin Li (previously Deputy Security Officer) has taken over as
security officer and things have been handled very promptly and succinctly.

[https://lists.freebsd.org/pipermail/freebsd-announce/2015-June/001646.html](https://lists.freebsd.org/pipermail/freebsd-announce/2015-June/001646.html)

edit: I'm passing word to FreeBSD security officers to see if they can review
this

------
feld
Capsicum is part of FreeBSD itself so it doesn't have to be listed separately
in the list of Open Source Software.

I'm also surprised anyone thought it was using ASLR -- it's a huge effort to
get that completed and working sanely, which is being handled by the
HardenedBSD folks. Their work didn't even exist when the PS4 was released.

I think it's possible for Sony to backport it and use it, but seems unlikely
they would do that at this stage.

I'd also like to point out that FreeBSD jails on PS4 means there are ~23
million units in the wild deploying that technology. Will take quite a while
for Docker containers to catch up, haha :-)

~~~
zurn
The article says userspace ASLR is used, and indeed presented a speed bump
along the way.

~~~
feld
I think it's unlikely they would fork from the upstream FreeBSD kernel that
much without contributing ASLR back. They would end up having to repeat it all
again for Playstation 5.

Stranger things have happened, though.

------
nickpsecurity
Lots of good detail here. Raise your hand if you knew the switch to AMD would
greatly benefit hacking vs custom, PPC chips. (raises hand) Now you know why I
deployed security-focused stuff on PPC at one point. The economics of hacking
alone work in your favor. :)

Personally, I think they should've tried to license Cavium's Octeon III
processors: RISC (MIPS) ISA; 48 cores at 2.5GHz; many pre-made accelerator
engines; huge I/O bandwidth. A royalty deal that made Cavium money for profit
& continued R&D, while letting Sony have them cheap in PS4, would've made for
one badass gaming rig. Cavium might have had upgrades ready for PS5, too,
given all the improvements they made going from Octeon II to III.

Everyone went with AMD instead. So, we get the real benefits of reuse of x86
code, low costs, and reduced production issues. However, we also get all the
black boxes of risk in x86, a monoculture where an attack on AMD
CPUs/firmware might break all game systems, inherent inefficiencies of x86,
and lack of hardware differentiation (mainly accelerators) that developers can
benefit from. Only time will tell if it was a good trade.

~~~
saidajigumi
> Now you know why I deployed security-focused stuff on PPC at one point. The
> economics of hacking alone work in your favor.

Perhaps true for a small-time, individual hacker. Over a decade ago, I recall
being quite impressed by a professional pentest team whose tools included a
lovely exploit authoring DSL embedded in a popular scripting language. That
DSL allowed them to write "abstract" descriptions of specific software
exploits, à la "vs openssh vX.YpZ", then "render" (~~ compile) the exploit code
automatically against any of their supported target architectures and/or OSes.
(i.e. all of them.) Even though perfectly capable of it, they got tired of
manually porting everything around.

This has also been a strong reminder for me that exploits are usually against
the software, irrespective of the hardware architecture. It's easy for folks
to get mixed up about that.

For something like hacking a PS4, the "obscure platform" logic might apply
(*), but never assume it applies to any attacker who can _afford_ (n.b.: not
just _build_ ) a sophisticated attack platform.

(*) With the caveat that now it's a numbers game, and you're up against
bored teens/tweens with way too much time to throw at the problem.

~~~
spott
So, I'm kind of curious: it seems that the whole ROP thing depends on x86's
CISC architecture in order to allow Turing-complete programming. Am I wrong in
this understanding?

~~~
nickpsecurity
Oh, the attackers in academia have been clever for a long time. Check out this
old gem:

Automatic Patch-based Exploit Generation is Possible
[http://bitblaze.cs.berkeley.edu/papers/apeg.pdf](http://bitblaze.cs.berkeley.edu/papers/apeg.pdf)

Gave me a sly grin when I saw it years ago. And to think I thought I was
clever because I always tried to compromise networks via whatever they trusted
for security. These jokers straight-up turned patches into weapons. I realized
at that point, along with all the hacks in media, that computer security was
fundamentally (censored).

Started focusing on clean-slate approaches where possible with obfuscation,
diversity, and strong interface protection everywhere else.

------
tptacek
FreeBSD's default x86-64 calling convention doesn't pass arguments in
registers?

~~~
pcwalton
Presumably the _function_ calling convention does, but not syscalls.

~~~
pbsd
Neither does; the author is linking to the i386 documents, where there is
indeed a difference between syscall and C calling conventions on some
operating systems. On x86_64, everyone follows the SysV ABI and uses registers
for both purposes.
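To make pbsd's point concrete, here is an added example (not code from the article or from any commenter) showing that on x86-64 SysV both a C function call and a raw system call receive their first three arguments in rdi, rsi and rdx. The inline assembly assumes a Linux x86-64 host and uses Linux's `SYS_write` number rather than FreeBSD's; on any other target it falls back to libc's `syscall()`, which performs the same register setup.

```c
// Added example: x86-64 SysV passes arguments in registers for both
// ordinary C calls and system calls. Assumes Linux x86-64 for the raw
// SYSCALL path; elsewhere it falls back to libc's syscall() wrapper.
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>   /* SYS_write (Linux numbering, not FreeBSD's) */

/* Raw system call with three arguments.
 * Register contract (SysV syscall ABI): rax = syscall number,
 * args in rdi, rsi, rdx, then r10, r8, r9. r10 stands in for rcx because
 * the SYSCALL instruction itself clobbers rcx and r11. */
static long raw_syscall3(long nr, long a1, long a2, long a3) {
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)                       /* rax <- return */
                     : "a"(nr), "D"(a1), "S"(a2), "d"(a3) /* rax, rdi, rsi, rdx */
                     : "rcx", "r11", "memory");
    return ret;
#else
    /* Portable fallback: libc loads the same registers for us. */
    return syscall(nr, a1, a2, a3);
#endif
}

/* Ordinary C function: under the SysV C ABI a, b, c arrive in
 * rdi, rsi, rdx, i.e. the same three registers the syscall path uses. */
static long sum3(long a, long b, long c) { return a + b + c; }

/* Write msg to fd via the raw syscall; returns bytes written or -errno. */
long write_via_raw_syscall(int fd, const char *msg) {
    return raw_syscall3(SYS_write, fd, (long)msg, (long)strlen(msg));
}

int main(void) {
    long n = write_via_raw_syscall(1, "hello via syscall\n");
    return (n > 0 && sum3(1, 2, 3) == 6) ? 0 : 1;
}
```

The one difference worth remembering is the fourth argument: a C call puts it in rcx, a system call in r10, because the kernel entry sequence overwrites rcx with the return address. Everything else about the two conventions lines up on x86-64, which is why the i386 documents the article links to (where syscall arguments go on the stack) do not apply here.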

------
bagels
The section on ROP is fascinating. Has anyone done a ROP compiler?

Some program that takes a binary + c code -> address list?

If you think of the gadgets as being like assembler instructions, it seems
like it'd be possible, though tricky to do.

------
maxjus
When was this published?

~~~
paulannesley
Originally on 2015-06-29, updated frequently and as recently as three days
ago.

Commits:
[https://github.com/CTurt/cturt.github.io/commits/master/ps4.html](https://github.com/CTurt/cturt.github.io/commits/master/ps4.html)

Blame:
[https://github.com/CTurt/cturt.github.io/blame/master/ps4.html](https://github.com/CTurt/cturt.github.io/blame/master/ps4.html)

