A9VG Gaming Tribe Forum

Thread starter: greyranger

[Cracking] Consolidated discussion thread on recent PS3 crack rumours
Posted 2010-2-3 21:49 · Hubei
So everyone should just stick to playing legit copies; cracking P-series consoles has no future.

Posted 2010-2-3 21:52 · Liaoning
The ones most anxious right now are the players who haven't bought a PS3 yet and are waiting to see.
=
Yeah, those who already own one all say it doesn't affect them much.

Posted 2010-2-3 21:52 · Jiangsu
Quoting lujun211, posted 2010-02-03 21:49:
So everyone should just stick to playing legit copies; cracking P-series consoles has no future.
Who says there's no future
Except for little P

Posted 2010-2-3 21:53 · Jiangsu
Quoting zoujilong, posted 2010-02-03 21:52:
The ones most anxious right now are the players who haven't bought a PS3 yet and are waiting to see.
=
Yeah, those who already own one all say it doesn't affect them much.
And the students who've already bought one are suffering too.

Posted 2010-2-3 21:54 · Liaoning
Everyone makes their own choice, that's all you can say...

Posted 2010-2-3 21:55 · Liaoning
And the students who've already bought one are suffering too.

=
Rent discs or borrow them from friends, there's no other way.
Posted 2010-2-3 21:57 · Shanghai
Having read this thread..

I think the PS2 back in the day ***, it really spoiled a lot of people...

It's like something obviously wrong, repeated thousands upon thousands of times, ends up accepted by the public as right.
Posted 2010-2-3 21:58 · Shanghai
Quoting ml0562650, posted 2010-02-03 21:53:

And the students who've already bought one are suffering too.


Once again: the PS3 is not for students (rich kids excepted).

Posted 2010-2-3 22:00 · Beijing

I posted this elsewhere and it got deleted; not sure if posting it here is OK. This thread has already gone badly off-topic, but let's pull it back to the technical side...
Below is a fairly detailed write-up linked from the cracker's blog; a quick look at a few passages from it:

January 27, 2010
How the PS3 hypervisor was hacked
Filed under: Embedded, Hacking, Hardware, Security, Software protection — Nate Lawson @ 1:59 am

George Hotz, previously known as an iPhone hacker, announced that he hacked the Playstation 3 and then provided exploit details. Various articles have been written about this but none of them appear to have analyzed the actual code. Because of the various conflicting reports, here is some more analysis to help understand the exploit.

The PS3, like the Xbox360, depends on a hypervisor for security enforcement. Unlike the 360, the PS3 allows users to run ordinary Linux if they wish, but it still runs under management by the hypervisor. The hypervisor does not allow the Linux kernel to access various devices, such as the GPU. If a way was found to compromise the hypervisor, direct access to the hardware is possible, and other less privileged code could be monitored and controlled by the attacker.

This says there's a layer of management software above the PS3's hardware. The Hypervisor is like a virtual machine: it manages the hardware and provides the API that all applications use. You can also think of this management program as Windows, so ordinary user-mode applications can run, but programs that need direct hardware access, or privileged programs that modify the system, cannot. On Windows such privileged programs are either written with the DDK as drivers to obtain Ring 0 privileges, or they exploit system vulnerabilities, as viruses do. But Windows is such a widespread system, with very complete debugging tools, that even though Microsoft hasn't released the source code it's still easy to find vulnerabilities in it. Not so for the PS3: ordinary people understand the Cell architecture far less than x86, let alone have the debugging tools, so under those conditions finding a vulnerability in the Hypervisor is nearly impossible; you can't even obtain the Hypervisor's binary code. Although the PS3 can run Linux, it actually runs on top of the Hypervisor, just as if you had installed Linux in VMware on Windows: the hardware it sees is virtualized by VMware, so controlling the Windows machine's graphics card from inside that Linux is impossible. Think about it: can you get at Windows's system files from inside VMware? So the performance of this Linux installed on top of the Hypervisor is heavily limited, just as nobody would deliberately play 3D games in a Windows running inside VMware. But if you can bypass Windows and install another OS on the physical hardware, you gain complete control of the hardware. That's what this crack does: bypass the Hypervisor and read/write memory directly.

Hacking the hypervisor is not the only step required to run pirated games. Each game has an encryption key stored in an area of the disc called ROM Mark. The drive firmware reads this key and supplies it to the hypervisor to use to decrypt the game during loading. The hypervisor would need to be subverted to reveal this key for each game. Another approach would be to compromise the Blu-ray drive firmware or skip extracting the keys and just slave the decryption code in order to decrypt each game. After this, any software protection measures in the game would need to be disabled. It is unknown what self-protection measures might be lurking beneath the encryption of a given game. Some authors might trust in the encryption alone, others might implement something like SecuROM.

But it's not that simple: to run pirated games, bypassing the Hypervisor alone isn't enough. A genuine game disc contains a key; the drive firmware reads this key and hands it to the Hypervisor, which uses it to decrypt the game. Now the problem is clear: the Hypervisor must be cracked, because the decryption method, i.e. the decryption code, lives inside the Hypervisor; even if you cracked the drive firmware and obtained the key from the disc, without knowing the decryption method it's useless. And that's only the first step, because it's not yet clear what software protections lie beneath the key; some think there's hidden protection like SecuROM.

The hypervisor code runs on both the main CPU (PPE) and one of its seven Cell coprocessors (SPE). The SPE thread seems to be launched in isolation mode, where access to its private code and data memory is blocked, even from the hypervisor.  The root hardware keys used to decrypt the bootloader and then hypervisor are present only in the hardware, possibly through the use of eFUSEs. This could also mean that each Cell processor has some unique keys, and decryption does not depend on a single global root key (unlike some articles that claim there is a single, global root key).

This says the main CPU and each of its other 7 cores have their own hardware keys; the keys used to decrypt the boot loader and the hypervisor are burned into each CPU's hardware, so to obtain the decrypted hypervisor you have to wait until the CPU has decrypted it and loaded it into memory. As an analogy, suppose Windows's system files on disk were encrypted: pulling out the hard drive and analysing those files would get you nowhere; only after Windows boots on the original machine, and the files are loaded into memory and decrypted by the CPU, can you try to copy the already-decrypted program out of memory, but by then the computer is already under Windows's control. Moreover, the hypervisor threads running on each core are independent of one another, so getting the decrypted hypervisor binary for cracking is very hard: the hypervisor is decrypted by the hardware only at load time, and after loading the threads are isolated from one another, so even if you controlled one thread you couldn't get the decrypted code out of another thread's memory.

George’s hack compromises the hypervisor after booting Linux via the “OtherOS” feature. He has used the exploit to add arbitrary read/write RAM access functions and dump the hypervisor. Access to lv1 is a necessary first step in order to mount other attacks against the drive firmware or games.

Genius George's crack, after booting Linux, bypasses the hypervisor and adds some privileged functions, gaining the ability to read arbitrary physical memory, and so can copy the hypervisor out of memory, which should be the decrypted hypervisor.

His approach is clever and is known as a “glitching attack“. This kind of hardware attack involves sending a carefully-timed voltage pulse in order to cause the hardware to misbehave in some useful way. It has long been used by smart card hackers to unlock cards. Typically, hackers would time the pulse to target a loop termination condition, causing a loop to continue forever and dump contents of the secret ROM to an accessible bus. The clock line is often glitched but some data lines are also a useful target. The pulse timing does not always have to be precise since hardware is designed to tolerate some out-of-spec conditions and the attack can usually be repeated many times until it succeeds.

George connected an FPGA to a single line on his PS3’s memory bus. He programmed the chip with very simple logic: send a 40 ns pulse via the output pin when triggered by a pushbutton. This can be done with a few lines of Verilog. While the length of the pulse is relatively short (but still about 100 memory clock cycles of the PS3), the triggering is extremely imprecise. However, he used software to setup the RAM to give a higher likelihood of success than it would first appear.

His goal was to compromise the hashed page table (HTAB) in order to get read/write access to the main segment, which maps all memory including the hypervisor. The exploit is a Linux kernel module that calls various system calls in the hypervisor dealing with memory management. It allocates, deallocates, and then tries to use the deallocated memory as the HTAB for a virtual segment. If the glitch successfully desynchronizes the hypervisor from the actual state of the RAM, it will allow the attacker to overwrite the active HTAB and thus control access to any memory region. Let’s break this down some more.

The first step is to allocate a buffer. The exploit then requests that the hypervisor create lots of duplicate HTAB mappings pointing to this buffer. Any one of these mappings can be used to read or write to the buffer, which is fine since the kernel owns it. In Unix terms, think of these as multiple file handles to a single temporary file. Any file handle can be closed, but as long as one open file handle remains, the file’s data can still be accessed.

The next step is to deallocate the buffer without first releasing all the mappings to it. This is ok since the hypervisor will go through and destroy each mapping before it returns. Immediately after calling lv1_release_memory(), the exploit prints a message for the user to press the glitching trigger button. Because there are so many HTAB mappings to this buffer, the user has a decent chance of triggering the glitch while the hypervisor is deallocating a mapping. The glitch probably prevents one or more of the hypervisor’s write cycles from hitting memory. These writes were intended to deallocate each mapping, but if they fail, the mapping remains intact.

At this point, the hypervisor has an HTAB with one or more read/write mappings pointing to a buffer it has deallocated. Thus, the kernel no longer owns that buffer and supposedly cannot write to it. However, the kernel still has one or more valid mappings pointing to the buffer and can actually modify its contents. But this is not yet useful since it’s just empty memory.

The exploit then creates a virtual segment and checks to see if the associated HTAB is located in a region spanning the freed buffer’s address. If not, it keeps creating virtual segments until one does. Now, the user has the ability to write directly to this HTAB instead of the hypervisor having exclusive control of it. The exploit writes some HTAB entries that will give it full access to the main segment, which maps all of memory. Once the hypervisor switches to this virtual segment, the attacker now controls all of memory and thus the hypervisor itself. The exploit installs two syscalls that give direct read/write access to any memory address, then returns back to the kernel.

It is quite possible someone will package this attack into a modchip since the glitch, while somewhat narrow, does not need to be very precisely timed. With a microcontroller and a little analog circuitry for the pulse, this could be quite reliable. However, it is more likely that a software bug will be found after reverse-engineering the dumped hypervisor and that is what will be deployed for use by the masses.

Having explained how the hypervisor is bypassed, it still has to be said that although this method could be built into an IC, the better approach is still to crack the hypervisor, because once you can obtain the decrypted hypervisor you can reverse-engineer it and find an exploitable bug among the large number of APIs the hypervisor provides.

Sony appears to have done a great job with the security of the PS3. It all hangs together well, with no obvious weak points. However, the low level access given to guest OS kernels means that any bug in the hypervisor is likely to be accessible to attacker code due to the broad API it offers. One simple fix would be to read back the state of each mapping after changing it. If the write failed for some reason, the hypervisor would see this and halt.

It must be admitted that Sony has done very well on the PS3's security; however, since another OS running on top of the hypervisor can bypass the hypervisor to read and write physical memory, bugs in the API the hypervisor provides can be exploited for attacks. But by upgrading the hypervisor the attack can be detected and the machine forcibly halted (the attack exploits the memory page table, and the hypervisor can detect problems in the page table and restore it).

It will be interesting to see how Sony responds with future updates to prevent this kind of attack.

[Edit: corrected the description of virtual segment allocation based on a comment by geohot.]

Just a quick look; I'm not a tech geek, just sharing my own thoughts for everyone to discuss.
Judging from this article, this is a pretty big breakthrough, but personally I think it'll still take time before pirated games can be played.
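
As an added illustration of the mechanism the quoted write-up describes (this is example code, not code from the post, from Nate Lawson, or from the PS3 hypervisor), the C model below simulates an HTAB whose teardown stores can be dropped by a glitch and contrasts the naive release loop with the read-back check Lawson proposes. The two-word `pte_t` layout, the `bus_write`/`bus_read` bus model, the frame number 0x1234 and the assumption that a glitch suppresses exactly one store are all hypothetical simplifications chosen for the example.

```c
/* Added toy model, not PS3 hypervisor code.  An HTAB of pte_t entries is torn
 * down while a simulated glitch drops one store; the naive loop leaves a
 * dangling mapping, the checked loop reads each entry back and reports the
 * fault so the caller can halt (the fix suggested in the quoted text). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HTAB_ENTRIES 64
#define PTE_VALID    0x1u
#define PTE_RW       0x2u
#define TARGET_FRAME 0x1234u   /* hypothetical physical frame of the buffer */

/* Hypothetical HTAB entry: flag bits plus the physical frame it maps. */
typedef struct { uint32_t flags; uint32_t frame; } pte_t;

/* Simulated memory bus.  Every store gets a sequence number; the store whose
 * number equals g_glitch_at is silently lost, standing in for a voltage pulse
 * on a bus line during that write cycle.  -1 means no glitch. */
static int g_glitch_at = -1;
static int g_write_seq = 0;

static void bus_write(pte_t *dst, pte_t val) {
    if (g_write_seq++ == g_glitch_at) return;   /* store never reaches RAM */
    *dst = val;
}

static pte_t bus_read(const pte_t *src) { return *src; }

static int maps_frame(const pte_t *e, uint32_t frame) {
    return (e->flags & PTE_VALID) && e->frame == frame;
}

/* The exploit's setup step: many duplicate mappings to the same frame. */
static void map_duplicates(pte_t htab[], int n, uint32_t frame) {
    pte_t e = { PTE_VALID | PTE_RW, frame };
    for (int i = 0; i < n && i < HTAB_ENTRIES; i++) bus_write(&htab[i], e);
}

/* Naive release: invalidate every mapping and trust that the stores landed. */
static void release_naive(pte_t htab[], uint32_t frame) {
    pte_t zero = { 0, 0 };
    for (int i = 0; i < HTAB_ENTRIES; i++)
        if (maps_frame(&htab[i], frame)) bus_write(&htab[i], zero);
}

/* Checked release: read each entry back after invalidating it.  Returns 0 on
 * success or -1 as soon as a read-back disagrees with what was written, at
 * which point a real hypervisor would halt rather than continue. */
static int release_checked(pte_t htab[], uint32_t frame) {
    pte_t zero = { 0, 0 };
    for (int i = 0; i < HTAB_ENTRIES; i++) {
        if (!maps_frame(&htab[i], frame)) continue;
        bus_write(&htab[i], zero);
        pte_t back = bus_read(&htab[i]);
        if (back.flags != zero.flags || back.frame != zero.frame) return -1;
    }
    return 0;
}

/* Mappings to `frame` still valid after teardown; >0 is the dangling-access
 * condition the exploit needs. */
static int dangling_mappings(const pte_t htab[], uint32_t frame) {
    int n = 0;
    for (int i = 0; i < HTAB_ENTRIES; i++) n += maps_frame(&htab[i], frame);
    return n;
}

/* Scenario helpers: build `dup` duplicate mappings, then arm the glitch to drop
 * the glitch_k-th teardown store (glitch_k < 0: no glitch). */
static void setup(pte_t htab[], int dup, int glitch_k) {
    memset(htab, 0, HTAB_ENTRIES * sizeof htab[0]);
    g_glitch_at = -1; g_write_seq = 0;
    map_duplicates(htab, dup, TARGET_FRAME);
    g_glitch_at = glitch_k < 0 ? -1 : g_write_seq + glitch_k;
}

/* Number of mappings left dangling by the naive loop. */
int scenario_naive(int dup, int glitch_k) {
    pte_t htab[HTAB_ENTRIES];
    setup(htab, dup, glitch_k);
    release_naive(htab, TARGET_FRAME);
    return dangling_mappings(htab, TARGET_FRAME);
}

/* 0 if the checked loop completed, -1 if it detected a dropped store. */
int scenario_checked(int dup, int glitch_k) {
    pte_t htab[HTAB_ENTRIES];
    setup(htab, dup, glitch_k);
    return release_checked(htab, TARGET_FRAME);
}

int main(void) {
    printf("naive, no glitch:   %d dangling\n", scenario_naive(32, -1));
    printf("naive, glitch #5:   %d dangling\n", scenario_naive(32, 5));
    printf("checked, no glitch: %d\n", scenario_checked(32, -1));
    printf("checked, glitch #5: %d (fault detected, halt)\n", scenario_checked(32, 5));
    return 0;
}
```

The read-back only catches a fault that suppresses the store itself, which is the case the write-up describes. A pulse that also corrupts the read-back path or the comparison would need a further countermeasure (for example a fault counter or duplicated comparison), which is why smart-card firmware usually layers several such checks.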

Posted 2010-2-3 22:01 · Jiangsu
Quoting ml0562650, posted 2010-02-03 21:49:

The ones most anxious right now are the players who haven't bought a PS3 yet and are waiting to see.
Nothing to do but wait~~

Or play legit copies for now~~