PS3 Cell Processor Security Architecture

hoyhoy writes "IBM Developerworks is discussing the PS3 Cell Processor Security Architecture today on Developerworks. It details the hardware level security for isolating processes that exists in the Cell processor's architecture." From the article: "The architecture's main strength is its ability to allow an application to protect itself using the hardware security features instead of the conventional method of solely relying on the operating system or other supervisory software for protection. Therefore, if the operating system is compromised by an attack, the hardware security features can still protect the application and its valuable data. As an analogy, consider the protection the supervisory software provides as the castle's moat and the Cell BE security hardware features as the locked safe inside the castle."

Intel equivalent

[IamTheRealMike]

For comparison, the Intel equivalent to this technique (allowing processes to shield themselves even from the kernel) is called LaGrande Technology [intel.com].

I'm not really a fan of this sort of design - it seems to duplicate the purpose of the existing kernel/userspace security architecture, but I can appreciate the pickle we're in with de-facto standard kernels that allow anything to be loaded into them. Windows Vista 64 bit requires all kernel drivers to be signed: correctly so, in my opinion, but this doesn't help the huge 32 bit userbase today.

Not for Windows

[Gates82]

This component of Cell is not for windows, though this type of protection would greatly help windows users. The Cell processor is mainly driven with Linux and Unix I doubt M$ will support the architecture.

--
So who is hotter? Ali or Ali's siter?

Re:Intel equivalent

[flooey]

...but I can appreciate the pickle we're in with de-facto standard kernels that allow anything to be loaded into them.

I think it's more that the "pickle" is that the kernels are software, which is inherantly malleable. This type of security architecture isn't designed to protect the user from outside attackers, though it helps with that as a bonus. It's designed to protect the device from the legitimate user doing something the manufacturer doesn't intend (such as, for instance, decrypting movies or games and then saving them to a hard drive or running non-standard operating systems).

Re:Intel equivalent

[IamTheRealMike]

The fact that software is malleable is a two-sided coin: most people who end up with their machine modified in the ways this technique helps deal with are the victims of malware and viruses.

Regardless of what you believe it was designed for, the only things that actually matter are what it actually does. It's like saying that asymmetric crypto was designed so the military could hide secrets from civilians. Sure they use it for that, does that mean cryptography is bad? No.

Likewise, look at it from the pe

Re:Intel equivalent

[HaloZero]

Signed drivers won't matter in this situation. If the chip is going in the PS3, then I'd hope Sony has a decent handle on the hardware that's going in there with it. I'd also hope that they're competant enough to write an operating system with drivers that take correctly catalogue the hardware and it's functionality. The foray of Kernels doesn't really matter when you have a static configuration in terms of hardware and OS.

Re:Intel equivalent

[powerlord]

Yes, signed drivers won't mater in this situation. On the other hand, IBM is hoping to use this chip in lots of other applications, which is why TFA on IBM's site is entitled "The Cell Broadband Engine processor security architecture" and doesn't mention the PS3.

Re:Intel equivalent

[IamTheRealMike]

Or by allowing apps to bypass the kernel for data transfer directly, by having a secure form of DMA. It's still not going to make people happy but it does get the kernel out of the way.

Re:Intel equivalent

[IamTheRealMike]

The kernel manages DMA today because that's what the hardware design requires. Obviously the kernel driver would still be doing the bulk of the work (set up and so on) but there's nothing stopping hardware vendors from supporting a special mode in which the kernel allows a userspace app and hardware to negotiate a secure dma channel by using a new instruction set.

Re:Intel equivalent

[IamTheRealMike]

And sends audio data?

Nothing stops you writing an application that downloads encrypted media and plays it back on Linux today. It just wouldn't be very secure.

If the audio is decrypted inside the app and then sent direct to the sound card, bypassing the operating system entirely, then you can't just dump the audio to a file with an LD_PRELOAD or kernel patch. You'd have to reverse engineer the internals of the application itself, rather difficult, and something which LaGrande makes even more difficult a

Re:Intel equivalent

[q.kontinuum]

Since the OS (more specifically the audio driver in the OS) maintaines the information, where the soundcard is and to configure the sound card, the application still relies heavily on the opearting system. A CPU instruction set can grant the application a secure channel to a device. But since the OS tells the application which device is the sound card, a dump device can be implemented and propagated as sound card by the OS.

Re:DRM

[IamTheRealMike]

Yes, it can make slightly more effective DRM because an application no longer needs to trust the operating system. But this isn't a black and white issue (realistically, outside of Slashdot groupthink, DRM is never black and white).

For instance, consider this:

• It can make more effective DRM, but it can also make more effective encryption. How do you know your operating system is secure, really? Root kits are not at all uncommon even on desktop machines these days. Have you seen how easy it is to dump form data from Safari before it's encrypted? It's not quite as easy for IE or Firefox because they're written in C++ rather than Objective-C, but it's still possible.

  Personally I wouldn't trust my CC number to an unknown Windows machine these days. SSL/TLS wire security just isn't secure anymore when it's so easy to intercept the data before it's ever encrypted.

• Afraid the government is spying on you? What was that NSAKEY symbol [wikipedia.org] in the Windows crypto libraries anyway? It'd be a LOT harder to put Big Brother style tech into a CPU than an operating system simply because the CPU has much less information to work with. So crypto programs can shield themselves from possibly malicious software in another way.

• DRM exists, a lot of digital media is protected using it, and unless piracy suddenly becomes as unacceptable as murder or somebody invents a new kind of economic system to replace copyright it'll probably be around for a long time to come. Simply saying "we won't accept that" won't cut it with a lot of people, some geeks included (who do you think designs all this DRM anyway? magic programming pixies?).

  Consider - hardware process protection would theoretically allow for Linux-compatible DRM. Right now Windows Media DRM uses the "secure audio path" to try and prevent people using malicious audio drivers to trivially dump the decrypted audio out of the player. Linux has no equivalent, fundamentally cannot, however these kind of hardware features could allow it to get such a thing without breaking the GPL (because the operating system can be GPLd and therefore "untrusted" but the player would not have to trust it to work...)

• Anyway, like most technologies, it cuts both ways. It has uses you'll disagree with and others you will want. Just deal with it.

Re:DRM

[metamatic]

DRM exists, a lot of digital media is protected using it, and unless piracy suddenly becomes as unacceptable as murder or somebody invents a new kind of economic system to replace copyright it'll probably be around for a long time to come.

There's a third possibility you ignore: that DRM reduces software sales. I'm not aware of any credible research on the topic, but I know that there are albums I plan to buy from the iTunes Music Store, but only if JHymn is fixed to allow me to strip the DRM. Similarly, I

Re:DRM

[IamTheRealMike]

There's a third possibility you ignore: that DRM reduces software sales.

It's true I ignored this possibility. The only hard statistics I've seen on this have been done by (drumroll) copy protection vendors, nonetheless, they are at least somewhat pseudo-scientific which is more than the purely anecdotal evidence I've seen to support the opposing view. Essentially copy protection vendors claim that the sales you lose through piracy drop off as time goes by, so for instance if a crack is developed a year a

Re:DRM

[Trinn]

Most people I know like single-player game cheats, and cheats for multi-player-single-console (non-networked) party type games, because both usually allow more freedom in enjoying the game (eliminate tedious "unlocking", give new options, etc.)

Re:DRM

[IamTheRealMike]

Heya Quinn ;) Yeah, I don't mind single player cheats, I was thinking of multiplayer online cheats ... if everybody involved is happy with the new rules then why not ?

Re:DRM

[Kjella]

a) If your machine is rooted, it's trivial to tap the keyboard. Process "iexplore.exe" getting a number that looks like a CC#?

b) If you are running Windows, you still won't know. The chain of trust runs downwards, your apps trust Windows which again trusts the TCPA. Whatever Windows does, you'll never know. And if you don't run Windows, then it's pretty hard to hide something in plain sight code.

c) I'd wager more on the ubiquitousness of piracy to change things. Have you read the stats on the young generati

Re:DRM

[IamTheRealMike]

a) If your machine is rooted, it's trivial to tap the keyboard. Process "iexplore.exe" getting a number that looks like a CC#?

I'd be interested to see an actual implementation of that. But anyway, this is why LaGrande/Cell Security include "measured boot", so the program can check that the system hasn't been rooted.

b) If you are running Windows, you still won't know. The chain of trust runs downwards, your apps trust Windows which again trusts the TCPA. Whatever Windows does, you'll never know. And if y

Re:DRM

[drachenstern]

If you read the article then you can see the way it's intended to be used ... the SPEs decrypt data then either re-encrypt it (eg for multiplayer network packets) or use DMA to move it directly to the output device. The operating system is not involved. I don't know how LaGrande works but it's likely to be either by having "trusted" operating systems that effectively promise not to reroute the audio elsewhere, or by having some similar kind of DMA scheme and sound/video cards that can decrypt video data dir

Then...

[frosty_tsm]

Imagine the Princess inside that Castle.

... or another castle.

Re:Then...

[chord.wav]

If only Sony had the rights for Mario....

Re:Cell Home Workstations

[heinousjay]

Care to elaborate? Your comment is anonymous and fairly generic.

Re:Cell Home Workstations

[Suddenly_Dead]

Add in that it sounds an awful lot like bad marketing, and you've got yourself and obnoxious hat-trick.

Re:Cell Home Workstations

[Slashcrap]

If you are any type of game/graphics/engineering/media engineer you want one of these Cell systems NOW.

Yeah, single precision floating point is just what you need in engineering you astroturfing little fuckstain.

Uhh....whaaat?

[HaloZero]

Ok, so, I get it. The PS3 will have a processor that has an instruction set dedicated to protected the threads of a program from infiltration by something that has already compromised the operating system. The obvious advantage is the protection of the data stored in those threads at a time of either pre or post processing.

That sounds like a great technology. Truly. If used for the right purposes.

WHY are you implementing it on a GAME CONSOLE? (I'm also a little scared of the wording '...allow an application to protect itself... - we're writing sentience into these things, now, too? Might cause some ethical issues with first-person shooters..)

I'd love that sort of protection on a kiosk machine, something we'd send to a trade show, or even the laptops employed by our sales force. But the PS3? Nothing mission-critical is going to happen on the PS3. Nothing. Wait, wait.. I think I figured it out...

Digital Rights Management. Gotcha, gotcha. Thanks, Sony. It's nice to know that the PS3 will have an anti-modchip on it from the getgo.

Re:Uhh....whaaat?

[RingDev]

The Cell processor has much wider market desires then just the PS3. It is likely that the PS3 will not take this feature as an advantage, but the feature will be there for Linux based Cell Processor servers. In those kinds of system, memory protection can be extremely important.

-Rick

Re:Uhh....whaaat?

[powerlord]

Actually considering that the system will most likely have a network connection and some form of persistant storage, Sony might just use this feature to help keep unauthorized access (i.e. anything they haven't approved) to a minimum.

Wouldn't be surprised if this helped limit potential Homebrew activity.

Re:Uhh....whaaat?

[RingDev]

That is actually one of my concerns as a (PC) game modder. A lot of 3rd party add-ons for video games live by reading the game's memory. Depending on how this new feature operates, it could block off an entire array of 3rd party modifications to games.

-Rick

Re:Uhh....whaaat?

[powerlord]

From what I could see it looks like this is something that a given application would have to turn on.

Hopefully most mod-friendly games won't. On the other hand, as another poster mentioned, if this can help eliminate mods for on-line multiplay, then it might be a good thing if it can be enabled under certain circumstances.

Re:Uhh....whaaat?

[KDR_11k]

A lot of 3rd party add-ons for video games live by reading the game's memory.

Really? The only such app I've seen was a cheat program. Usually mods change the game's datafiles.

Re:Uhh....whaaat?

[IamTheRealMike]

If you had RTFA you'd know this isn't about mod chips - the article explicitly states that this kind of protection is not about resisting hardware attacks and only concerns software.

WHY are you implementing it on a GAME CONSOLE?

Maybe because the Cell is designed to be used for more things than just the PlayStation?

Re:Uhh....whaaat?

[frostfreek]

Zonk is contributing to his confusion by posting "PS3 Cell Processor Security Architecture" instead of "Cell Broadband Engine ..."

Re:Uhh....whaaat?

[poot_rootbeer]

WHY are you implementing it on a GAME CONSOLE?

Maybe because the Cell is designed to be used for more things than just the PlayStation?

Correct answer, incorrect question.

Question is: why did Sony choose to put a Cell processor--an architecture that's substantially different from what they used before, and that contains features superfluous to the goals of a gaming console--in their upcoming gaming consoles?

Optional bonus question: why did Slashdot title this story "PS3 CELL PROCESSOR Security Architecture"

Re:Uhh....whaaat?

[powerlord]

Answer: Sony is invested in the Cell architecture along with IBM and hopes it will make a good core for a multi-media hub, by pushing chip holding multiple cores that can handle parallellized multimedia transformations quickly. Time will tell if IBM and Sony got this one right.

Obligatory Bonus Answer: Slashdot editors can't usually be bothered to RTFA or edit. :)

Alternate Bonus Answer: Most readers might recognize "PS3" over "Cell Processor" and wonder what the latter has to do with their lives, while th

Re:Uhh....whaaat?

[bWareiWare.co.uk]

I think the article was taking the academic, cautious approach here. A hardware attacks (modchips) on this system are theoretically possible. However you would have to attach directly to the processor's internal bus.

This would mean attaching to 90nm wires at 3.2 Gigs; that is it going to make mod chips a bit harder.

(The Xbox modchips use a 33Mhz bus and existing solder points on the motherboard (i.e. a 100 times slower and over a 1,000 times larger)

Re:Uhh....whaaat?

[westyx]

The xbox has been hacked only using software - it's a valid place to start hacking the ps3

Re:Uhh....whaaat?

[Krach42]

WHY are you implementing it on a GAME CONSOLE?

Um, because the Cell isn't just a game console processor, it's a multi-purpose vector processor.

IBM, Sony, and... who's the other person working on it? I forget. Anyways, the people involved each want it for various purposes. Yes, Sony wants to use it in the PS3, but IBM wants to do some serious work with the Cell and potentially replace POWER with it.

Re:Uhh....whaaat?

[Kookus]

The lofty goals for the cell processor have it being used in everything from tv's to your microwave. The purpose of this security is to have all of those appliances have the ability to lease out their processing power to other appliances in the event one of them requires it.

Imagine yourself encoding a movie, and your neighbor's ps3 helps you out because it isn't in use... would you like your neighbor having the ability to see what your encoding? Nah, and I'm not saying that this technology will be used in t

Concise summary

[DeadCatX2]

1) The Cell supports a Secure Processing Vault. This is basically hardware-based memory protection; since the OS is software, and software can be compromised, so can the OS. The hardware can't be compromised so easily, so you load up a SPE with some code and data, and then it engages its own memory protection, preventing anyone from reading/writing its memory until it's done, by which time it deletes the important information. So you can't peek at the decrypted results, because they're encrypted when they're loaded, and the decrypted results are deleted when it's done doing its work (which work gets re-encrypted before it leaves the SPE). There's a small communication channel left open, and it's the SPE's duty to protect it.

2) It also has a Runtime Secure Boot. This involves using a cryptographically signed BIOS. This verifies that the BIOS is trusted. From here, any time control is handed over to another program, it first must be cryptographically verified. This prevents unauthorized or compromised code from executing.

3) Once you've securely booted and your SPE is in isolation mode, protected from the eyes of other threads, you have access to The Root Key. The Root Key is stored in hardware, can't be accessed by software, and is used to decrypt other keys. These other keys are then used to do encryption in an individual SPE.

So, we make a key, stick it in some flip flops that you can't read, isolate an SPE to provide memory protection, and then authenticate each and every piece of code from the BIOS through to the currently executing thread. Everything going in is encrypted, isolated when the work is being done, and gets re-encrypted before leaving to the next module, all using encrypted keys. Pretty thick stuff.

KESU offers better protection

[Nefarious Wheel]

Kernel, Executive, Supervisor, User modes, all with their own protected address space. Kernel for the OS, Executive for the drivers, Supervisor for scripts, and User for images with page-in activation.

Now, where have we all heard that before? VMS suffered from some pretty cruddy hardware (hey, that was then) but at least buffer overflows were not exploitable.

Nothing new under the sun, move along, nothing to see here.