PS3 Hacks

#1 Spot for PS3 Hacks

Home | PS3 News | PS3 Hacks | PS3 Downloads | PS3 Saves

Folding@home | PS3-Hacks Live Chat | PS3 Reviews | Contact Us



#1  2009-07-02 21:52:32

Powerslave
Ruler of All
From: Alpha Quadrant
Registered: 2007-01-15
Posts: 12432

Hacking the Cell Broadband Engine Architecture

http://phrack.com/issues.html?issue=66& … 13#article

New stuff...  Won't mean much to some people.


 

#2  2009-07-04 16:15:29

0m1kr0n
PS3 Hacks Kung Fu Is On
From: NC
Registered: 2008-03-05
Posts: 231

Re: Hacking the Cell Broadband Engine Architecture

Really good read.

The whole article steers clear of PS3 security implementations.

My key notes:
-The PPE has a dedicated thread for address management.
-The PPE AND SPEs have universal global addressing access.
-SPE local stores have no memory protection, but you have to get out of cache space. They are in a secured unprivileged mode, though, that is the default from PPE management. They'll run shellcode but are blocked from whatever the PPE obfuscates.
-Each SPE has its own set of DMAs through the EIB.
-The PPE also has virtualization (think ARM TrustZone). This was also in old PPC Macs, I think.

One thing I noticed they didn't mention is EPROM or ROM on the PPE. It's probably just a simple BIOS loader on the other systems, though, or a post-BIOS self check. On the PS3 it seems to do the first decryption routines and load a kernel from flash, if it's not in the locked SPE. In any case, though, the most likely scenario on the PS3 is a boot loader in the PPE, because the bus points to it as the initialized chip from sensor triggers.

Even if we over-assumed on the PS3 security, the process signing and cryptography we know is implemented from initialization on firewalls everything they talk about, including direct calls from kernel space in OtherOS. Also, it makes sense not to do locking and allocator filtering on SPE local stores because of latency affecting their functionality, but I'd bet money something is done on main memory, and it's probably better than just allocator filtering (<- I found one of my own PS3 references).

My view on it is that the PS3 is far more minimalistic and proprietary than the x360, and the only reason the x360 is open is because a single mistake was exploited through a generic interface. The syscall upper 30-bit attack was the only gateway. All the return-to-lib vulnerabilities they later found were only revealed by the syscall attack, and would have only seized the system up through all vectors.

I've been doing work with TI IP cores and TrustZone. It has about the same mechanisms.

I think in that article they were mostly talking about software vulnerabilities, but it's nice putting it in the abstract in relationship to the underlying architecture.

Last edited by 0m1kr0n (2009-07-04 16:35:58)


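An added illustration of the point in the post above that SPE local stores have no memory protection. This is not code from the thread, the Phrack article, or the Cell SDK; it is a host-side C model of a 256 KiB local store whose addresses wrap around, with an MFC-style DMA "get" that checks only size and alignment, as the real MFC does, and nothing else. The memory layout (16 KiB of "code" at LS offset 0, a 4 KiB receive buffer at the top of LS) and the payload are constructed for the demo. The overlap check at the end is the kind of guard the SPE program has to carry itself, since nothing in the local store will do it for it.

```c
/*
 * Toy model of a Cell SPE local store (LS) and an MFC-style DMA into it.
 * Written for this thread as an illustration; it is not IBM/Cell SDK code and
 * builds with any host C compiler. Labelled assumptions: LS is 256 KiB, every
 * LS address wraps modulo that size, the MFC enforces only size and alignment
 * rules, and the program text sits at LS offset 0 (chosen for the demo).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LS_SIZE   (256u * 1024u)  /* 256 KiB local store */
#define LS_MASK   (LS_SIZE - 1u)  /* LS addresses wrap, LSLR-style */
#define MFC_MAX   16384u          /* largest single DMA command, in bytes */
#define TEXT_MARK 0xC0            /* byte pattern standing in for code */

typedef struct {
    uint8_t  mem[LS_SIZE];
    uint32_t text_base, text_len;  /* where the SPE program's code lives */
} spe_ls;

/* Fill the LS with zeros and stamp the code pattern over the text region. */
void ls_init(spe_ls *ls, uint32_t text_base, uint32_t text_len)
{
    memset(ls->mem, 0, sizeof ls->mem);
    ls->text_base = text_base;
    ls->text_len  = text_len;
    memset(ls->mem + text_base, TEXT_MARK, text_len);
}

/* MFC "get": copy len bytes from main memory into LS at lsa. Modelled: the
 * 16-byte alignment and 16 KiB limit that the MFC checks. Not modelled,
 * because the hardware has no such thing: any protection of the code region. */
int ls_dma_get(spe_ls *ls, uint32_t lsa, const uint8_t *src, uint32_t len)
{
    if (len == 0 || len > MFC_MAX || (len & 15u) || (lsa & 15u))
        return -1;                              /* bad command, nothing moves */
    for (uint32_t i = 0; i < len; i++)
        ls->mem[(lsa + i) & LS_MASK] = src[i];  /* wraps past the top, never faults */
    return 0;
}

/* The check the SPE program must do itself before issuing a DMA: would
 * [lsa, lsa+len) land on text once wrap-around is taken into account? */
int ls_dma_overlaps_text(const spe_ls *ls, uint32_t lsa, uint32_t len)
{
    for (uint32_t i = 0; i < len; i++) {
        uint32_t a = (lsa + i) & LS_MASK;
        if (a >= ls->text_base && a < ls->text_base + ls->text_len)
            return 1;
    }
    return 0;
}

/* Bytes of the code region that no longer hold the code pattern. */
uint32_t ls_text_clobbered(const spe_ls *ls)
{
    uint32_t n = 0;
    for (uint32_t i = 0; i < ls->text_len; i++)
        if (ls->mem[ls->text_base + i] != TEXT_MARK) n++;
    return n;
}

/* Scenario: a 4 KiB receive buffer sits at the top of LS and the transfer
 * length comes from the other side of the bus. Returns -1 if the MFC rejects
 * the command, otherwise the number of code bytes destroyed. With check set,
 * the program refuses transfers that would touch text. */
int run_dma(uint32_t len, int check)
{
    static spe_ls  ls;
    static uint8_t main_mem[MFC_MAX];
    memset(main_mem, 0x41, sizeof main_mem);      /* constructed payload */
    ls_init(&ls, 0, 0x4000);                      /* assumed: 16 KiB of code at 0 */
    uint32_t buf = LS_SIZE - 4096u;               /* 4 KiB buffer at the top of LS */
    if (check && ls_dma_overlaps_text(&ls, buf, len))
        return 0;                                 /* refused before it reaches the MFC */
    if (ls_dma_get(&ls, buf, main_mem, len) != 0)
        return -1;
    return (int)ls_text_clobbered(&ls);
}

int main(void)
{
    printf("4 KiB into 4 KiB buffer:   %d code bytes clobbered\n", run_dma(4096u, 0));
    printf("8 KiB into 4 KiB buffer:   %d code bytes clobbered\n", run_dma(8192u, 0));
    printf("8 KiB with overlap check:  %d code bytes clobbered\n", run_dma(8192u, 1));
    return 0;
}
```

The honest 4 KiB transfer lands entirely in the buffer. An 8 KiB transfer into the same buffer runs off the top of the local store, wraps to address 0 and overwrites the first 4 KiB of code, and the MFC has no reason to object because the command was well-formed. Only the software-side overlap check stops it, which is the practical consequence of "no memory protection" in the local store.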

 

#3  2009-10-29 22:53:44

oobob
PS3 Newbie
Registered: 2009-10-29
Posts: 1

Re: Hacking the Cell Broadband Engine Architecture

Pardon the necropost but I'd like to thank you guys for linking exactly what I was looking for and the comment relating the article to the cell architecture.  I know much more about programming and that helps considerably. 

Excellent, excellent site.  This link is nothing new for you guys but it helped me get an overview of the ps3 and someone might enjoy it.

http://www.edepot.com/playstation3.html

Last edited by oobob (2009-10-29 23:14:12)


 
Powered by PunBB
© Copyright 2002–2008 PunBB