Hacking the Xbox
Hacking the Xbox: An Introduction to Reverse Engineering
Hacking the Trusted PC

The current proposals for the trusted PC are weak against some fairly simple
hardware attacks, even in the absence of any integration oversight or
bug-related back doors.

The first attack is one that I call the “Surreptitious BIOS,” or SPIOS
(pronounced “Spy OS”) attack. SPIOS can be used to defeat DRM
policies that rely on the cryptographically sealed storage feature of the
trusted PC to prevent unauthorized user access to data. The basic idea is
to boot the PC with an unmodified BIOS into trusted mode and extract
all the desired data into system RAM, then to perform a warm reset of
the system while swapping the BIOS image.

The modified BIOS image can be used to read out the desired data from
system RAM. The desired data may be a session key stored in memory,
or the actual decrypted data itself, depending upon how the program
structures and caches its data in memory. Since the current trusted PC
specifications call for an LPC-bus-based BIOS, inexpensive alternate
firmware devices (similar to those used on the Xbox) can be used to
execute this attack. There are techniques that application programmers
can use to complicate this attack, such as only decrypting a single block
of data each time into system memory, but many of these techniques
severely degrade system performance. The degradation of system
performance may be especially pronounced if file caching and
prefetching are disabled.

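
The single-block decryption technique mentioned above, as an added example (not code from the book): a streaming decryptor that holds at most one block of plaintext in RAM and wipes it after use. The keystream is a constructed stand-in rather than a real cipher, and `decrypt_streaming`, `secure_wipe`, `sum_bytes` and `demo` are hypothetical names; the key itself still lives in RAM, so the session-key exposure the text describes is not removed.

```c
#include <stddef.h>
#include <stdint.h>
#define BLOCK 16
/* Constructed stand-in keystream (an LCG), NOT a real cipher. */
static void keystream(uint32_t key, uint32_t blk, uint8_t out[BLOCK]) {
    uint32_t s = key ^ (blk * 2654435761u);
    for (int i = 0; i < BLOCK; i++) out[i] = (uint8_t)((s = s * 1664525u + 1013904223u) >> 24);
}

/* Wipe via a volatile pointer so the stores are not removed as dead. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Decrypt block by block; returns the peak plaintext bytes held at once. */
size_t decrypt_streaming(const uint8_t *ct, size_t len, uint32_t key,
        void (*consume)(const uint8_t *, size_t, void *), void *ctx) {
    uint8_t ks[BLOCK], pt[BLOCK];
    size_t peak = 0;
    for (size_t off = 0; off < len; off += BLOCK) {
        size_t n = (len - off < BLOCK) ? len - off : BLOCK;
        keystream(key, (uint32_t)(off / BLOCK), ks);
        for (size_t i = 0; i < n; i++) pt[i] = (uint8_t)(ct[off + i] ^ ks[i]);
        if (n > peak) peak = n;
        consume(pt, n, ctx);            /* use the block, keep no copy */
        secure_wipe(pt, sizeof pt); secure_wipe(ks, sizeof ks);
    }
    return peak;
}

/* Demo consumer: folds each block into a checksum instead of storing it. */
static void sum_bytes(const uint8_t *p, size_t n, void *ctx) {
    for (size_t i = 0; i < n; i++) *(uint32_t *)ctx += p[i];
}

/* Constructed 40-byte sample; returns peak residency, or 0 on mismatch. */
size_t demo(void) {
    uint8_t ct[40], ks[BLOCK];
    uint32_t got = 0, want = 0;
    for (size_t i = 0; i < sizeof ct; i++) {
        if (i % BLOCK == 0) keystream(0xC0FFEEu, (uint32_t)(i / BLOCK), ks);
        want += (uint8_t)('A' + i % 26);
        ct[i] = (uint8_t)(('A' + i % 26) ^ ks[i % BLOCK]);
    }
    size_t peak = decrypt_streaming(ct, sizeof ct, 0xC0FFEEu, sum_bytes, &got);
    return got == want ? peak : 0;
}

int main(void) { return demo() == BLOCK ? 0 : 1; }
```

A whole-file decrypt of the same sample would leave all 40 plaintext bytes readable after a warm reset; here the exposure is bounded by `BLOCK`, at the cost of one keystream and wipe pass per block.
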
Another attack is one that I call the “Surreptitious RAM,” or SPAM
attack. The goal of this attack is to spoof the trusted routines responsible
for measuring the fitness of the system state. A device, such as an FPGA
or ASIC, is installed on the plug-in memory cards in between the DRAM
chips and the memory connector. This device monitors the pattern of
addresses going by, or it may have an extra connector that sniffs the state
of the wires connected to the I/O pins of the cryptomodule responsible
for authenticating the system.

Either way, when a system measurement is in progress, the SPAM device
presents a memory image that is consistent with an unmodified, trusted
system state. However, during all other operating modes, the SPAM
device presents a memory image that is modified to do whatever the user
pleases. This modification can be very subtle: Just a couple of bits flipped
at the right locations is all it takes to modify key branch instructions in
the security kernel.

This device is more powerful than the SPIOS since it works on a system
that is powered-up and supposedly trustworthy. It can be applied to
effectively defeat a wider range of DRM schemes as well as some
authenticated transactions between the local machine and the server.
SPAM alone cannot be used, however, to falsely identify a system as
another registered, trusted system, since SPAM lacks the secret shared