Xbox one security: a talk from Tony Chen (development lead at M$)

Discussion in 'User Submitted News' started by contezero, Oct 3, 2019.

  1. contezero
    OP

    contezero GBAtemp Regular

    Member
    5
    Jul 25, 2016
    Italy

    For the first time ever the hardware security engineer Tony Chen talked about Xbox One security at the Platform Security Summit 2019.

    Who is this guy? Have a look at his CV:

    https://www.microsoft.com/en-us/research/people/tonychen/

    This is the presentation of his talk on the homepage of the summit
    https://www.platformsecuritysummit.com/#chen

    Clearly Mr. Chen is not well informed about PS4 :-)

    Many game consoles were never hacked thru their commercial lifespan (or for most of it, think about PSVITA) but none of them was very successful :D
    Anyway from an engineering point of view this is a great achievement.

    The talk wasn't streamed and is not available for download yet (if it's going to appear online you will see it here, probably https://www.youtube.com/channel/UCoYjwcb3p7DDeE_B1KneGFw)

    You can watch the entire talk here. The last segment, with Q&A, is very interesting...

    The slides surfaced on discord so, in a nutshell, those were the topics:
    • they care about piracy and online cheating (not homebrew, apparently, this makes sense since they give DEVmode)
    • security by obscurity (if you do not know how it works you cannot hack it)
    • from a hardware point of view, the platform is uber-secure: hardware attack, glitch, bus sniffing, JTAG, they know their stuff
    • they know you will try to attack "any exposed pin on the motherboard"...
    • ...and also non-exposed pins (kamikaze attack, with some images taken from Xecuter forums...)
    • nothing is trustable, ODD, HDD, NAND, DRAM, Southbridge; only the CPU die (28nm, not easy to mod)
    • everything is encrypted, only the CPU die can see plaintext
    • multiple layers of software security, signature required for every executable memory page
    • between ERA (gameOS), SRA (systemOS) and the security processor there are two other layers: the hostOS (HW access) and Hypervisor (the bad guy)
    • "Critical component (bootrom, hypervisor) as simple as possible" to check for bugs and mistakes
    • Lots of "penetration testing, threat modeling"
    And, anyway, if you succeed, they will release an update so you should be "de-motivated" to attack the console (consider Xbox one as a device that needs to stay always online).

    To summarize: they learned from past mistakes made on the original Xbox (for sure they have read this very well: 17 Mistakes Microsoft Made in the Xbox Security System https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf) and from what was working on Xbox 360 (apart from the glitch hack the 360 was never compromised).
    The only unrecoverable attack would be finding a bug in the bootrom (it is located inside the CPU die with the security processor). Everything else can be patched assuming an attacker can go thru the multiple layers of security.
     
    Last edited by contezero, Oct 28, 2019
  2. Bimmel

    Bimmel ~ Game Soundtrack Collector ~

    Member
    10
    Jan 28, 2014
    Gambia, The
    Well played Xbox One, no buy for me. Good thing I have a PC - and that you are out of exclusives.
     
  3. Abstract3000

    Abstract3000 Advanced Member

    Newcomer
    4
    May 24, 2007
    United States
    Salem, OR
    Just curious..... How many people are actually "trying" to hack the Xbox One? Seems like a waste of time.
     
    IncredulousP likes this.
  4. contezero
    OP

    contezero GBAtemp Regular

    Member
    5
    Jul 25, 2016
    Italy
    Research on hacks is always a waste of time...unless you succeed. AFAIK there are people working on bypassing DEV mode limitations but nothing related to piracy. Xecuter in the past claimed they were working on something but nothing surfaced. There was some sort of extended mode game sharing thru NAND cloning but the exact procedure never appeared and I think it was patched somehow.
     
    IncredulousP likes this.
  5. chrisrlink

    chrisrlink Intel Pentium III Hamster inside

    Member
    9
    Aug 27, 2009
    United States
    inside your crappy old PC
    they just love stroking their ego don't they?
     
  6. contezero
    OP

    contezero GBAtemp Regular

    Member
    5
    Jul 25, 2016
    Italy
    In the end there is the Q&A segment and it's very interesting. It starts from here.

    Highlights:
    • they created the security processor in house, no involvement with AMD
    • it's not possible to have a complete Xbox One-PC integration because the root of the Xbone security is the secure boot, not yet implemented on PCs
    • having legacy software running could compromise security
    • they rushed the ODD support because they were told about it only 6 months before launch. Xbone was meant to have no ODD
    • it could be possible to cheat with ROP but not to pirate anything.
     
  7. osaka35

    osaka35 Instructional Designer

    Moderator
    12
    Nov 20, 2009
    United States
    Silent Hill
    Since they embraced Kodi for playing videos/streaming, and more-or-less allowed emulators in their dev mode, I wonder if that deterred a bit of the motivation for hackers.
     
    contezero likes this.