Keeping Secrets In Hardware - IACR

Keeping Secrets In HardwareThe Microsoft Xbox Case StudyS-BOXes and XboxesAndrew “bunnie”Huang, MITbunnie@alum.mit.eduAug 13-15, 2002CHES2002

OutlineBackground?Subject hardwareSecurity motiveXbox Security overviewReverse engineering?Focus on process and methodologyLessons learned?Summary of known flawsSummary of possible countermeasuresAug 13-15, 2002CHES2002

What is an Xbox?Xbox is an embedded PC?733 MHz Intel Pentium III-class processornVidia nForce-derivative chipset64 MB DDR SDRAM100 Base-T ethernet portVGA graphics capabilityUSB ports10 GB IDE hard driveIDE DVD-ROM driveAug 13-15, 2002CHES2002

Comparison to Stock PC HardwareXbox MotherboardASUS A7N266-VMx86 CPUnVidia GPU/“Northbridge”DDR SDRAMnVidia MCP/“Southbridge”FLASH ROMPicture pgAug 13-15, 2002CHES2002

Security Rationale: EconomicsHardware is sold at a loss?“Loss Leader”Make up the difference in sales of games,servicesAug 13-15, 2002CHES2002

Economic DetailsSell about 20 games to break even?US 100-200 lost per Xbox consoleMicrosoft makes 7/title for third-party gamesMicrosoft makes about 3-4x more on first-partytitlesAssuming 1:2 first party:third party sale ratio?Over US 1000 in softwareAug 13-15, 2002CHES2002

How Much Security?Sufficient deterrent to ensure that:? 1000 in games, or 200 in game servicesare purchased over console lifetimeOn-line gaming experience is enjoyable?A billion-dollar investment on Microsoft’s partAug 13-15, 2002CHES2002

Security Rationale: SummaryPrevent the following key scenarios:?Game copyingGame cheating? Ensure an enjoyable on-line gaming experience?Emulation? Stock PC booting a copied Xbox game? Modified PC booting a copied Xbox game?Conversion to stock PC? Subsidized Windows platform? Linux/freeware platform? Embedded controllerAug 13-15, 2002CHES2002

Xbox Security OverviewXbox is a Trusted PC Platform?Comparable in spirit to Palladium , TCPAHardware is trusted, all executables digitallysigned and verified prior to executionPhysical copy protection?2-Layer DVD-9 format block scrambling2-Layer DVDs are difficult to copyEncrypted network connections?No details available yet, Xbox Live not yetlaunchedMinimal perimeter security, tamper evidenceAug 13-15, 2002CHES2002

Focus on Trust MechanismTrustable hardware is a cornerstone ofXbox security?If hardware is compromised, there is nosecurityAug 13-15, 2002CHES2002

Why Trust is RequiredUser attempts torun an executablecomputed hashof executable, dataYESrun executablecomputed hashequals expectedhash?decrypt public-key encryptedexpected hash providedby MicrosoftAug 13-15, 2002NOCHES2002reject executable

Why Trust is RequiredUser attempts torun an executablecomputed hashof executable, dataYEScomputed hashequals expectedhash?decrypt public-key encryptedexpected hash providedby MicrosoftAug 13-15, 2002modifiedkernel codeNOCHES2002run executablereject executable

Establishing TrustRequirements?The program counter (PC) is always within atrusted code region, starting with the reset vectorAll code and data is verified against signed hashesbefore being acceptedCode and hardware is free of bugs? i.e., buffer and segment overruns, protocol weaknesses?Hardware is inviolable? Intrusion detection at a minimum? Tamper resistance preferableAug 13-15, 2002CHES2002

Establishing TrustMicrosoft does theseRequirements?The program counter (PC) is always within atrusted code region, starting with the reset vectorAll code and data is verified against signed hashesbefore being acceptedCode and hardware is free of bugs? i.e., buffer and segment overruns, protocol weaknesses?Hardware is inviolable? Intrusion detection at a minimum? Tamper resistance preferableAug 13-15, 2002CHES2002

Establishing TrustRequirements?The program counter (PC) is always within atrusted code region, starting with the reset vectorAll code and data is verified against signed hashesbefore being acceptedCode and hardware is free of bugs? i.e., buffer and segment overruns, protocol weaknesses?Hardware is inviolable? Intrusion detection at a minimum? Tamper resistance preferableAug 13-15, 2002CHES2002Attempts to do these

Establishing TrustRequirements?The program counter (PC) is always within atrusted code region, starting with the reset vectorAll code and data is verified against signed hashesbefore being acceptedCode is free of bugs? i.e., buffer overruns, protocol weaknesses?Hardware is inviolable? Intrusion detection at a minimum? Tamper resistance preferableAug 13-15, 2002CHES2002Fails to do this

Root of TrustLinear trust mechanism?Chain of trustable, verified code, starting with thesecure boot blockSecure boot block details?Reset vector/init code is contained in a tamperresistant module? ROM overlay within the system peripherals ASIC(“southbridge”ASIC)? Southbridge ASIC implemented in 0.15? , 6 or 7 layers ofmetal?Aug 13-15, 2002Very hard to probe or modifyCHES2002

Tamper Resistance?Aug 13-15, 2002CHES2002

Transferring the TrustRC4/128 used to encrypt bootloader image?RC4/128 is a stream cipher? A ciphertext modification will corrupt the remainder ofthe plaintext stream?Simple “magic number”at the end of thebootloader image, checked to verify integritySo long as the RC4/128 key is secret,attackers are unlikely to generate a valid falsebootloader image?Secondary bootloader continues to transfer trustthrough verification of digitally signed binariesAug 13-15, 2002CHES2002

trusted, secure boot blockbootloader(encrypted)Processor jumpsto boot vector at0xFFFFFFF0"Jam Table"HW initializationgames codejam tables(unencrypted)validategames codecaches turned onjump to kerneldecrypt bootloaderto SDRAMand verifyjump to bootloader"untrusted" code and dataencryptionkeyAug 13-15, 2002decrypt kernel,decompressCHES2002

Breaking the TrustDiscovery of secret key breaks the trust?Secure boot block was discovered whencertain ROM mods did not affect operationKey was extracted by sniffing internalbussesAug 13-15, 2002CHES2002

Aug 13-15, 2002CHES2002

Aug 13-15, 2002CHES2002

secure hardware boundaryBus lerscontrollersdongles w/executeables(DVD player,etc.)Aug 13-15, 200264/32 NV2Anorthbridge gfxHyperTsecurity relationshipnot yet known133MHz8/2MCPXsouthbridgesecret bootROM 10MHzlegacybus clockrateGTL pentiumCPU8/24 FLASHROM(bootloader OS kernel)CHES2002bus width:data/others128/21 SSTL-2200MHzDDRSDRAM64 MBIDEtrusted codeand data:digitally signedwith Microsoftprivate keykey-lockedhard disk(executeables,cached data,save games)DVD drive(game data /executeables)

secure hardware boundary133MHzUSBgamecontrollerscontrollersdongles w/executeables(DVD player,etc.)Aug 13-15, 2002HyperT200MHzDDR100Base-T64/32 NV2Anorthbridge gfx8/2MCPXsouthbridgesecret bootROM 10MHzlegacyPath of secret keyGTL pentiumCPU8/24 FLASHROM(bootloader OS kernel)CHES2002Possible key path128/21 SSTL-2200MHzDDRSDRAM64 MBIDEkey-lockedhard disk(executeables,cached data,save games)DVD drive(game data /executeables)

secure hardware boundary133MHzToo many pinsUSBAug 13-15, 2002HyperT8/2MCPXsouthbridgesecret bootROM 10MHzlegacy100Base-Tdongles w/executeables(DVD player,etc.)64/32 NV2Anorthbridge gfx200MHzDDRgamecontrollerscontrollersGTL pentiumCPU8/24 FLASHROM(bootloader OS kernel)CHES2002128/21 SSTL-2200MHzDDRSDRAM64 MBIDEkey-lockedhard disk(executeables,cached data,save games)DVD drive(game data /executeables)

secure hardware boundary133MHzToo many pins,fast, obscurelayoutAug 13-15, 2002HyperT200MHzDDR8/2MCPXsouthbridgesecret bootROM 10MHzlegacyUSBdongles w/executeables(DVD player,etc.)64/32 NV2Anorthbridge gfx100Base-TgamecontrollerscontrollersGTL pentiumCPU8/24 FLASHROM(bootloader OS kernel)CHES2002128/21 SSTL-2200MHzDDRSDRAM64 MBIDEkey-lockedhard disk(executeables,cached data,save games)DVD drive(game data /executeables)

secure hardware boundary133MHzReasonable pincount, but fastUSBAug 13-15, 2002HyperT8/2MCPXsouthbridgesecret bootROM 10MHzlegacy100Base-Tdongles w/executeables(DVD player,etc.)64/32 NV2Anorthbridge gfx200MHzDDRgamecontrollerscontrollersGTL pentiumCPU8/24 FLASHROM(bootloader OS kernel)CHES2002128/21 SSTL-2200MHzDDRSDRAM64 MBIDEkey-lockedhard disk(executeables,cached data,save games)DVD drive(game data /executeables)

HyperTransport BusRx busFavorable boardlayout, pin count?Fabricate pitchmatched tap boardHigh speed?Use high-end FPGAor logic analyzerTx busAug 13-15, 2002CHES2002

Custom Tap Board 5V power inCTT to FPGA 3.3VLocalregulatorLVDS-TTLconverterEpoxy inplaceLast-minutesignal pairPitchmatched HTconnectorResetsignalAug 13-15, 2002CHES2002

Tap BoardBoard adapts HyperTransport bus toexisting hardware?Virtex-E FPGA board developed for mythesisClean-sheet tap board would lookdifferent?Virtex-II FPGA directly on tap boardWould cost 50- 100 to fabricateAug 13-15, 2002CHES2002

Analyzing the BusTraces of data collected, synchronizedto power-on resetCiphertext sorted from code byhistogramming and eyeballingData in traces organized by cache line?Code path was patched together using adisassembler and cache line groupingsAug 13-15, 2002CHES2002

Data TracesData on busCycles since resetUnaligned dataSENSITIVE DATA DELETED FOR PUBLIC DISTRIBUTIONJump instruction @Boot vectorCode fetchAug 13-15, 2002CHES2002

Piecing it TogetherTraces assembled into an image of thesecure boot ROM?Secure boot ROM image contains?RC4/128 key?Magic number checkAug 13-15, 2002CHES2002

Fragile TrustAll Xboxes use the same secret key?One key extraction applies to all boxesDebug and test features on the Xboxmotherboard enable easy ROM override?Easy to create, encrypt, and deploy massquantities of untrusted hardwareAug 13-15, 2002CHES2002

trusted, secure boot blockBackdoors Galorebootloader(encrypted)Processor jumpsto boot vector at0xFFFFFFF0"Jam Table"HW initializationUnencrypted,Unverified tablesjam tables(unencrypted)validategames codecaches turned onjump to kerneldecrypt bootloaderto SDRAMand verifyjump to bootloaderdecrypt kernel,decompress"untrusted" code and dataencryptionkeyAug 13-15, 2002games codeCHES2002

Jamtable InterpreterWhat it is?Bytecode interpreterOrchestrates dependencies and decisionsrequired for machine initializationWhat it can do?Reads and writes to PCI, memory, I/OspaceConditional jumps, indirect addressingAug 13-15, 2002CHES2002

Jamtable AttacksJamtables are unencrypted andunverified?Can perform attacks without cryptoTwo-phase soft-reset attacks to read outplaintext?Allow machine to power up normally once, thensoft reset with a new jam table that copiescode to an insecure location (courtesy visor)Aug 13-15, 2002CHES2002

Jamtable Attacks IIJamtable weakness hardware bugs allowsprogram counter to be seized?Secure boot block jumps to 0xFFFF FFFA when abad ciphertext image is encounteredPC will roll over from 0xFFFF FFFF to 0x0000 0000without an exception0x0000 0000 is in SDRAM memoryUse jamtable to write at 0x0000 0000 a jumpinstruction to an insecure FLASH region, andcorrupt ciphertext image to sieze the PCCourtesy visorAug 13-15, 2002CHES2002

Lessons LearnedAvoid symmetric ciphers in this scenario?Difficult to guarantee secrecy of keyCost of ASIC mask sets, lead time makekey rotation expensive and difficultUse hashes to verify all code and dataregionsComplex protocols such as x86/PCinitialization are difficult to secureAug 13-15, 2002CHES2002

Alternative SolutionUse digital signatures to verify theFLASH ROM contents?Store signature in off-chip EEPROMUsers cannot run false code withoutsigner’s private keyDoes not prevent plaintext snoopingCan be defeated with a bus override attack?A set of precisely timed pulses on theHyperTransport bus can alter the reset vectorAug 13-15, 2002CHES2002

Bus Override AttackCycles since resetData on busSENSITIVE DATA DELETED FOR PUBLIC DISTRIBUTIONJump instruction @Boot vectorAug 13-15, 2002CHES2002

Bus Override AttackCycles since resetData on busSENSITIVE DATA SCRUBBEDOverride cycle22526 with jumpopcode to insecurecode spaceAug 13-15, 2002CHES2002