
I'm gonna be honest, I thought the story was over when they started talking about "oh hey here's this hypervisor code that loads extensions", because obviously extensions are going to be a massive increase in attack surface. But even then, the system wasn't actually broken by the extension being badly designed; the extension was just the most useful target to use the actual attack on.

How the hell has the Xbox 360 hypervisor remained basically impenetrable? You'd think at some point, someone would write and sign a hypervisor extension with a cripplingly bad memory safety bug. Hell, Apple's PPL[0] has better hardware isolation than Xenon's hypervisor mode[1] and it still gets 0wned more often.

[0] Page Protection Layer. On Apple processors, every ARM exception level has a corresponding guarded exception level that has privileges over the regular one; chiefly corresponding to memory management.

[1] On Xenon, the hypervisor runs in "real mode" plus HRMOR; Apple PPL's GL1/2 still have virtual memory and page table permissions.



Part of the reason is motivation

- If you hack a console, you can make fair money by selling your exploit as a packaged piece of software, much like modchip vendors do. In fact, there have been a few software exploits that were sold with ties to a specific console. Funny if you think about it.

- If you hack an iPhone, you can sell your exploit to many governments and government agencies for millions of dollars

If I were a profit-motivated attacker, I know which I'd focus on.


That is true today, but back in 2005 when the Xbox 360 launched we didn't have every government buying up security vulnerabilities by the truckload. The market for zero-days didn't really get established until the early 2010s when the 360 was on its way out. Every contemporary competitor to the Xbox 360 got hacked within its commercial lifespan, due to having comically awful security practices. Microsoft certainly was, at the time, 'better' than Sony or Nintendo; but the task they were doing was just plain impossible.

A game console is, effectively, a Point of Presence[0] for a DRM vendor. Its job is to tie the owner's hands so that they don't copy games and don't buy games from competing companies. This is an incredibly difficult, if not impossible, task. In contrast, while the iPhone's security also does DRM and developer lockout, its main concern is keeping you from getting hacked by nation states. Those are certainly more sophisticated and well-financed attackers, but they (usually) don't have physical access to or ownership over what you're trying to protect.

[0] In telecom, a PoP is the dividing line between your systems and someone else's. If that sounds really arbitrary, it's because that's how they untangled the Bell monopoly.


I mean, people definitely were doing zero day research before 2010.


> How the hell has the Xbox 360 hypervisor remained basically impenetrable?

Conspiracy theorist in me thinks that since it was a games console, the NSA didn't mandate backdoors, so MS software and hardware security guys could just make the toughest hardware and software they could dream of. Sprinkled with a decent serving of luck.

So the Xbox360 was essentially a playground for MS hypervisor team, without needing to worry about national security or interference.

A perfect breeding ground for developing an actually secure product they could potentially use in the future, if they were allowed.


> You'd think at some point, someone would write and sign a hypervisor extension with a cripplingly bad memory safety bug.

I'd hazard a guess that the Apple hardware is easier to work on than a video game console. You're already sitting in front of a general purpose computer running programming tools. A video game console is the antithesis of that.


It sounds like the hypervisor extensions are more like one-shot payloads, which probably have much less attack surface than normal kernel modules that are exposing new functionality to userspace.

