
The Security of Classic Game Consoles

It's 1986 and you're sitting a few feet away from your 19" CRT television. Blowing the dust out of your Super Mario cartridge you insert it into your Nintendo and push the power button. The familiar music plays and you're sucked into a world of goombas and castles on your quest to save the princess. While engrossed in your game, you probably didn't realize the engineering that went into the security of your game and console.

Join me as we travel back through history and explore the security of classic game consoles. You don't have to be a gamer to appreciate the various security methods that were employed, including hardware, media, and software security measures. Learn how many of these security measures were exploited, either directly or indirectly, as well as the security measures which have yet to be broken.

You'll leave this fun presentation with not only an understanding of the technical details of what went into protecting the security of your favorite classic game consoles and how they were broken, but also how we can apply these historical lessons learned to the modern software and systems we build today.

Kevin Shekleton

May 18, 2017

Transcript

  1. 2 years of exclusivity
     5 games per year
     Content review
     Nintendo controlled all manufacturing, upfront payments, no returns
  2. 1988 © CAPCOM CO. LTD TM AND ©1989 CAPCOM USA, INC. NOT LICENSED BY NINTENDO OF AMERICA. INC.
     KEVIN SHEKLETON @KPSHEK
  3. 1988 © CAPCOM CO. LTD TM AND ©1989 CAPCOM USA, INC. NOT LICENSED BY NINTENDO OF AMERICA. INC.
     2017 NEBRASKA.CODE()
     KEVIN SHEKLETON @KPSHEK
  4. Intellivision II Executive ROM (EXEC)

          if bit 6 in $500C == 0
              halt
          if copyright_year < 1978
              halt
          if copyright_year > 1982
              halt
          ;load title on copyright screen
          ;continue loading game code
  5. NES

  6. Trademark Security System (TMSS)

          ; TMSS first checks for SEGA at $100
          Main:
              ; Put the Genesis model version in d0
              move.b  $A10001, d0
              ; Genesis model version is the last four bits
              andi.b  #$0F, d0
              ; The 1st Genesis model didn't implement TMSS
              beq.b   Version_0
              move.l  #'SEGA', $A14000
          Version_0:
  7. For attackers, work < value(asset)
     The Sega Saturn CD security represents a very high work factor
     It has yet to be broken!
  8. “The trouble with the work factor principle is that many computer protection mechanisms are not susceptible to direct work factor calculation, since defeating them by systematic attack may be logically impossible. Defeat can be accomplished only by indirect strategies, such as waiting for an accidental hardware failure or searching for an error in implementation. Reliable estimates of the length of such a wait or search are very difficult to make.”
     Saltzer, J & Schroeder M, (1975) The Protection of Information in Computer Systems
  9. Playstation Attacks
     1. Read CD-ROM wobble region data
        Inject proper region header into data stream
        Tell console to change discs
     2. Read license title screen text
  10. “Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur.”
      Saltzer, J & Schroeder M, (1975) The Protection of Information in Computer Systems
  11. “Keep the design as simple and small as possible… design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths).”
      Saltzer, J & Schroeder M, (1975) The Protection of Information in Computer Systems
      Playstation (1999)
  12. Connect to a local malicious server via DNS hijacking. OS is rooted through execution of malicious code that masquerades as an update to the game.
  13. Malicious save game file results in buffer overflow when reading in the name of Link’s horse. OS is rooted through execution of malicious code.
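
The overflow on slide 13 comes from treating a name field read from a save file as trusted. The C code below is an added example, not code from the talk or from any console or game: the field sizes, the 8-character printable-ASCII limit and all function names are assumptions, and the sample fields are constructed. It sets the unchecked copy beside a reader that validates the field before copying.

```c
#include <stdio.h>
#include <string.h>

#define HORSE_NAME_MAX 8   /* assumed UI limit on the name, in characters */

/* Constructed sample name fields (not real save data). */
static const unsigned char SAMPLE_OK[16]    = "Epona";
static const unsigned char SAMPLE_LONG[16]  = "AAAAAAAAAAAAAAA";
static const unsigned char SAMPLE_UNTERM[4] = {'A', 'B', 'C', 'D'};

/* Unsafe pattern, shown only for contrast and never called here: it copies
 * until the first NUL and trusts the file to respect the UI limit. */
void read_name_unsafe(const unsigned char *field, char *dst)
{
    strcpy(dst, (const char *)field);
}

/* Hardened reader: the save file is untrusted input, so the field must be
 * NUL-terminated inside field_len, non-empty, printable, and within both the
 * game's limit and the destination buffer. Returns 0 on success, -1 on reject. */
int read_name_checked(const unsigned char *field, size_t field_len,
                      char *dst, size_t dst_size)
{
    if (field == NULL || dst == NULL || dst_size == 0)
        return -1;
    const unsigned char *nul = memchr(field, '\0', field_len);
    if (nul == NULL)
        return -1;                       /* terminator missing from the field */
    size_t len = (size_t)(nul - field);
    if (len == 0 || len > HORSE_NAME_MAX || len >= dst_size)
        return -1;                       /* empty or longer than allowed */
    for (size_t i = 0; i < len; i++)
        if (field[i] < 0x20 || field[i] > 0x7e)
            return -1;                   /* non-printable byte in a name */
    memcpy(dst, field, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char name[HORSE_NAME_MAX + 1];
    printf("ok=%d\n", read_name_checked(SAMPLE_OK, sizeof SAMPLE_OK, name, sizeof name));
    printf("long=%d\n", read_name_checked(SAMPLE_LONG, sizeof SAMPLE_LONG, name, sizeof name));
    printf("unterminated=%d\n",
           read_name_checked(SAMPLE_UNTERM, sizeof SAMPLE_UNTERM, name, sizeof name));
    return 0;
}
```

The limit enforced when the player types the name does not protect the loader, because the file can be edited outside the game; the check has to sit where the bytes are read back.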