DevSecCon Boston 2018: Busted computing by Conor Walsh

1. BOSTON 10-11
SEPT 2018
Busted Computing
Conor Walsh

2. Busted Computing
Analyzing the Console Gaming Threat Model
DevSecCon Boston 2018
Conor Walsh
September, 2018

3. $whoami
● Conor Walsh
● Lodestone Security LLC
○ Principal Security Engineer, Head of R&D
● Modding since ‘95
○ Aware of it since ‘00
● Previous Employment
2
Agenda

4. Lodestone Security LLC
● HQ: Westport, CT
● Information Security Professional Services Firm
● Founded in Jan 2017 by Beazley Plc
○ London-based insurance provider
3
Agenda

5. 4
Agenda

6. $$$$
5
Agenda

7. Why Video Game Security?
● Game consoles were some of the first “IoT”
● Trusted Computing is everywhere
○ IoT, Medical devices, ICS/SCADA
● Concepts apply to all execution stacks
● Video Games are awesome!
○ Massive, complex, distributed, resource intensive
○ Modding can be both harmful, and awesome!
6
Agenda

8. Why?
7
Agenda

9. Agenda
● Gaming Threat Landscape
● Defining Trusted Computing
● Console Gaming Threat Modelling
● Looking to the Future
● Solving The Problem
8
Agenda

10. Gaming Threat Landscape
9

11. Who Are They?
Establishing our lexicon…
● ‘Mod’, ‘Modding’
○ Modifying the physical or logical aspects of a game system
● Modder
○ An individual who ‘mods’
■ Not a hacker
○ Includes producers and users
● Not all games are considered equal
○ Focused on consoles today
○ Massively Multiplayer Online Games
○ Sony, Microsoft specifically
10
Threat Landscape

12. What Do They Want?
● Free Games
● #Winning
● Notoriety
● Profit
11
Threat Landscape

13. How Do They Do This?
● 80/20 rule
● ‘SPT’ - Simple Persistent Threat
● Operating in public
● Reputation, and respect thereof, plays a major role
12
Threat Landscape

14. Where Are They?
● Forums, Websites
○ Next Gen Update
○ Se7ensins
○ Multiplayer Gaming Hacking
○ Ps3Hax
○ Many more...
● Chat Groups
○ IRC
○ Slack
○ Skype
○ Discord
13
Threat Landscape

15. David v. Goliath
14
Threat Landscape
● Gaming == Safe Zone
● MMO: Active user account -> User experience
Histories’ first reported critical hit.

16. Sony v. George “Geohot” Hotz
15
Threat Landscape
● January 26, 2010
○ Hotz releases first PS3 jailbreak
● March 28, 2010
○ Sony releases firmware update
● December 29, 2010
○ fail0verflow presents PS3 exploit developments at CCC
● January 2, 2011
○ Hotz posts PS3 root keys on website
● January 11, 2011
○ Sony sues Hotz and others
● Then…...

17. Anon?
16
Threat Landscape

18. Is Sony Down?
17
Threat Landscape
We discovered that the intruders had planted a file on one of our
Sony Online Entertainment servers named “Anonymous” with the
words “We are Legion.”
-Patrick Seybold, Sr. Director, Corporate Communications & Social Media

19. Fighting Your Customers
18
Threat Landscape
● Blades in the crowd
● Not everyone is a pirate
● Signal in the Data in the Noise
○ False Positives more severe!
● Security vs Usability

20. Trusted Computing
19

21. Trusted Computing
With Trusted Computing, the computer will consistently behave in
expected ways, and those behaviors will be enforced by computer
hardware and software.
20
Trusted Computing

22. Trusted Computing (cont.)
21
Trusted Computing
● Internet of Things (IoT)
● Medical Devices
● Industrial Control Systems (ICS)
● Payment Processing Systems (PCI)

23. Mobile Computing
22
Trusted Computing
● Application Sandboxing
● Trusted Application Sources
● Restricted User Interface
● OWASP Mobile Top-10
○ M1: Improper Platform Usage
○ M2: Insecure Data Storage
○ M3: Insecure Communication
○ M4: Insecure Authentication
○ M5: Insufficient Cryptography
○ M6: Insecure Authorization
○ M9: Reverse Engineering
○ M10: Extraneous Functionality

24. Video Game Consoles
● Restricted user interface
● Signed Physical Media and Binaries
○ By 1st Party (Sony, MS)
● Peer-based network sessions
○ 1st Party handles QoS, sessioning
○ Peer chosen as session “Host”
○ Devs may employ game service API
● Network Session State
○ All must agree
○ One conclusion must be reached...
23
Trusted Computing

25. Developer Consoles
● Powerful, unlocked hardware
● Unrestricted user interface
● No code signing required
● Platform SDK’s and Tools
● Can sometimes disappear...
○ Just like my socks
24
Trusted Computing

26. Console Exploits and Modifications
● Hardware
○ Disk drive emulators - xk3y, 3k3y (X360, PS3)
○ Joint Test Action Group (JTAG) Interfaces (X360)
○ Reset Glitch Hack (RGH) (X360)
● Software
○ PS3 Firmware version 3.55 Exploits
■ CEX, DEX, Rebug, Rogero, etc.
○ Xenon Linux Loader (Xell) (X360)
○ Xecuter Fusion (X360)
25
Trusted Computing

27. Modder Recap
What We’ve Covered So Far
● Modders are many, relentless, and not always $$ driven
● Finding and stopping them is hard
● Trusted Computing is a security control, but not perfect
● The tools available allow the user developer-level access
○ Just like on a PC!
26
Busted Computing

28. Console Gaming Threat Model
27

29. Console Threat Model
28
Threat Model
Hold on...

30. Attack Vectors
● File Modification
○ “ISO Modding”
○ Editing static files found on disk
○ Low barrier to entry
● Binary Patching
○ Modifying instructions of executable
○ “Crack” - DRM bypass
○ Higher complexity
29
Threat Model

31. Attack Vectors
● Memory Manipulation
○ R/W memory of game process
○ API’s expose RAM to companion PC
■ TMAPI, CCAPI (PS3)
■ Xbox Neighborhood, XMDB (X360)
● Process Injection
○ Mimics DLL injection
○ SPRX (PS3), XEX (X360)
○ Complex to produce
○ High portability
30
Threat Model

32. ● Business Logic (Scripting)
○ Games employ scripting engines
■ Lua, Python, Perl, home grown, etc.
○ Updates without compilation
○ Stored, consumed in plaintext
○ “Sideload” custom script files
○ Forwards compatibility
○ Strap on your own interpreter
Attack Vectors
31
Threat Model

33. ● Script file extension for CoD Games
○ At least as far back as CoD:MW (2007)
● Rendered in plaintext
○ Community made GSC editors available
● API extensively documented by Modders
GSC Scripting
32
Threat Model

34. 33
Threat Model

35. 34
Threat Model

36. Attack Vectors
● API Server Attacks
○ Standard Web-service AppSec
● Peer-based Attacks
○ Console peer-to-peer channels
■ Communicated over UDP
■ Not encrypted by default
■ Little modder focus
○ Denial of Service attacks
35
Threat Model

37. Network Attacks
● Charles Proxy
● MS DoS Notice
36
Threat Model

38. Into The Future
37

39. XboxOne
● Hyper-V-based Hypervisor OS
○ Windows 10, Metro-UI Based Environment
○ Xenon (Xbox) processes run in separate sandbox
○ Public developer program
● Exploit released, then patched
○ Based on MS Edge exploits; ‘Chakra’
38
Into the Future

40. PlayStation 4
● FreeBSD-based OS
● PS4 SDK leaked to the public
● ‘CTurt’ discovers Webkit exploit
○ Releases ‘PS4-Playground’ toolkit
39
Into the Future

41. Then vs Now
● Now: MS Edge, Webkit, SDK
● Then: JTAG, RGH, E3 Flasher
40
Into the Future

42. SSL Certificate Hunter
● SSL Certificate Pinning
○ Hard-set certificate for a client to expect
41
Into the Future

43. Solving the Problem
42

44. What can we do?
43
Solving the Problem
● Fight the Good Fight
○ Security for Breakfast
○ Security in Layers
○ Player Profile
○ It’s a Game
○ Build Your Tool Set
○ Another Perspective
● Not Just Video Games!

45. Security for Breakfast
● Address security from the start
○ Cheaper, faster and easier
● Threat Modeling
● Cook in your session state
44
Solving the Problem

46. Security in Layers
● Trust Boundaries
● User Data
○ Input Validation
○ Output Sanitization
● All the things, everywhere, everytime
45
Solving the Problem

47. Player Profile
● Assumption: player data is already being collected
● One log to rule them all
● Behavior Profiling
● Piggyback on what’s exists
○ Or, build your own
46
Solving the Problem

48. It’s a Game
● Keep it fun
● Aim for perfect; Accept reality
● Old tricks, new label
47
Solving the Problem

49. Man is a tool-using animal. Without tools he is nothing, with tools he is all
-Thomas Carlyle
● Don’t bring malware home to see mom
● Build into your environment
● Start simple
● Use what’s available
● Build a team
Build Your Tool Set
48
Solving the Problem

50. Another Perspective
● Builders can’t assess their own work
○ Just like QA or AppSec
● Good developers fix the issues they find
○ It’s the ones they didn’t see...
● A Dev, QA, and a Hacker walk into a bar...
● Hired guns
○ [SHAMELESS SELF PLUG]
49
Solving the Problem

51. Fight the Good Fight
● Security for Breakfast
● Security in Layers
● Player Profile
● It’s a Game
● Build a Toolset
● Another Perspective
50
Solving the Problem

52. Tell Them Goodbye
51

53. Questions?
52
Goodbye
● conor@lodestonesecurity.com
● https://github.com/myfoostrong/busted-comp-preso
● Twitter: @drtrik