Can we tamper-proof a game that's sold along with the Windows machine it runs on?

Question

We want to protect a game that is basically sold with the computer containing it. The security is done this way:

The HDD is encrypted using hardware TPM 1.2, which holds a unique key to decrypt the OS only in that specific computer. So Windows will boot only in one PC. Also the TPM will not let Windows boot if any hardware change happens.
explorer.exe is replaced by game.exe, The system boots the game at startup. If you exit the game there is no explorer, just a black screen.
Ctrl & Alt & other keys are disabled, so the Task Manager is not accessible.
The ethernet adapter is disabled, autorun is disabled to prevent dumping game.exe.
Deep freeze installed, user can't enter Safe or Repair modes

Is this a secure system? If it is not secure, what can an attacker do?

Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/68062/discussion-on-question-by-younes-can-we-tamper-proof-a-game-thats-sold-along-wi). — Rory Alsop, Nov 02 '17 at 07:34
https://www.microsoft.com/windowsembedded/en-us/windows-embedded-8-pro.aspx — Ben, Nov 02 '17 at 10:05
@Mawg Auto-run from a USB stick can easily be disabled by the defender. Even if it isn't disabled, the disk is still encrypted, and the attacker needs to obtain the keys from the hardware TPM. — S.L. Barth, Nov 02 '17 at 13:39
It is not possible to make anything tamper-proof when others have complete control over the hardware. Not with any hardware or software, it is not possible. — 12431234123412341234123, Nov 02 '17 at 14:44
Side channel attacks would always expose your game to beeing cloned, if someone is willing to and has access to the hardware. — HopefullyHelpful, Nov 02 '17 at 17:16
You might want to look into [WePOS and its successors](https://en.wikipedia.org/wiki/Windows_Embedded_Industry). Locking down what is essentially a Windows kiosk is a (mostly) solved problem in the retail and payment systems industry. You can never do it 100% but you can come close, and point-of-sale has been doing it for decades. — , Nov 02 '17 at 18:59
There are plenty of imaging attacks that take place after the system is already booted. If the key is stored in plaintext in memory, it can be captured then. — Charles Duffy, Nov 02 '17 at 23:34
...sure, these often *do* depend on hardware, but an attacker building custom hardware can make that hardware identify itself as something else at enumeration time. — Charles Duffy, Nov 02 '17 at 23:36
I guess it's convention, but I do find it weird to refer to someone trying to do with what they want with *their own property* an "attacker". And what you're describing isn't a computer. It's basically an arcade cabinet. How instead of treating your customers as your enemy, you make a game people will be willing to pay for? — Acccumulation, Nov 03 '17 at 02:04
"How instead of treating your customers as your enemy" The customer in this case is the company that has the requirement of having it locked down (probably some CBT facility or distributor/operator of arcade-style machines), so you're not making much sense. — pmf, Nov 03 '17 at 09:14
@12431234123412341234123 I would go a step further and say it's not possible to make anything tamper-proof, period. Just tamper resistant. — , Nov 03 '17 at 14:48
Tamper-proof is impossible. Your best hope is to make it as difficult as you can... but, if you are spending more resources on security than your product development, then you have a lopsided business plan. — Phil M, Nov 03 '17 at 15:31
So the arcade machine is basically unmaintainable, since swapping out a bad part will make it not boot? — JDługosz, Nov 04 '17 at 06:58
How well-funded is your adversary? Are you on the scale of, say, satellite TV providers, where folks are willing to spend real money funding a reverse-engineering lab, or are you just worried about hobbyists? — Charles Duffy, Nov 05 '17 at 03:51
...also, to what extent can the game mechanics be boiled down to something that can be encapsulated in a tamper-resistant hardware module? Sure, there are (timing, power, and other) attacks against smartcards, but if you've got one running the core game logic, that at least puts that logic somewhere distinct from your general-purpose computer. — Charles Duffy, Nov 05 '17 at 03:55
@younes It sounds like you are determined to do this, and the question should read, "What are some strategies to make a machine *tamper resistant*?". As you can see from the answers, it will be nowhere close to *tamper **proof***.... — trognanders, Nov 06 '17 at 02:54
Is freezing the RAM (So that the data will contain after removed from the main board), swap the Ram Modul to a other Computer and dump it a possibility? — 12431234123412341234123, Nov 06 '17 at 12:38

score 116 · Answer 1 · answered Nov 01 '17 at 13:57

116

We can analyze your setup by comparing it against a system known to be not tamper proof, the Sony PlayStation 3.

OS control

You have no control over the OS. Sony did write the OS themselves.

Size of the OS

The PS3 OS can be very simple as it just needs to boot games. Windows is a generic OS, with many, many functions. This exposes many API's.

Shell

The PS3 OS shell is intended to just start games. On Windows, the default UI is provided by Explorer. You propose to replace it, which isn't a design goal for Microsoft. It may appear to work, but tearing out Explorer may leave some open interfaces. That is a special problem for you because such open interfaces may become attack vectors.

Hardware

You appear to be working of a standard PC hardware, just with TPM. Sony had designed the PS3 from the start in the assumption that hackers would be attacking the hardware.

Your standard PC probably has PCI-e slots. Those support DMA. Using that, you gain access to the PC's memory. This will be unencrypted. A common way to do this is via FireWire. IIRC, modern consoles now keep the RAM encrypted as well, and they obviously don't grant DMA access to outside hardware.

Conclusion

Your system appears less safe than a PS3, and a PS3 can be hacked, so it is safe to assume yours can be too.

answered Nov 01 '17 at 13:57

MSalters

2,699
1
15
16

61

I like the attack by proxy. While it may be hard to write down *exactly* how your system may be attacked, if you can show that it is provably less secure than another device, and that other device has already been hacked, that gives you a pretty definitive answer! – Cort Ammon Nov 02 '17 at 04:39
1

i would like to mention the PS3 was hacked by linux by famous geohot, linux was alowed to be installed inside any PS3 lower than v 3.15 – younes Nov 02 '17 at 09:47
1

While generally poorly implemented, there is a layer of access control from PCI(e) to the main memory. – PlasmaHH Nov 02 '17 at 12:00
@PlasmaHH PCI(e) is used by the graphics card , removing the card will stop the system from booting , any hardware change including (adding/removing) will cause TPM to stop booting . can you access memory without the OS detecting hardware changes in PCI slots ? – younes Nov 02 '17 at 14:09
1

@younes: Your TPM1.2 can stop booting, but what about PCI-e hotplug? – MSalters Nov 02 '17 at 14:18
@younes: I can, with a bit of liquid nitrogen that is no problem at all. Can you? Not sure though what the point is about the MMU protection layer here... – PlasmaHH Nov 02 '17 at 14:21
@PlasmaHH fortunately ,all suggestions so far can be patched : adding a software that encrypt RAM will do the job – younes Nov 02 '17 at 14:34
5

@younes: Exactly how do you expect that to work? Note that you're running a plain x86 CPU on normal Windows. An x86 `MOV` instruction isn't going to decode its argument. Even stronger, the fact that the x86 knows it's a `MOV` instruction requires that the code segment is not encrypted. And your off-the-shelf videocard will be memory-mapped as well, and expect to do DMA transfers for textures. So will your storage (HDD/SDD). – MSalters Nov 02 '17 at 14:43
https://security.stackexchange.com/questions/109968/ram-encryption-is-it-possible – younes Nov 02 '17 at 15:11
3

@younes: Doesn't SGX still require data to be in ram? And how does the key get into the CPU without ever touching RAM? Also plain SGX can be read out by side channel attacks. Plus all of these things is infeasibly slow to run actual game code. – PlasmaHH Nov 02 '17 at 15:20
49

@younes You seem to think that "if people come up with a specific list of attacks, and after they do so I defend against it, then my system is secure". This is a fundamental misdefinition of secure. This argument is an *attack surface* argument, your attack surface is far too large to be secured, let alone currently secure. Patching over holes in a specific attack vector someone brings up doesn't decrease your attack surface significantly; your attack surface is exponentially large, patches are linear fixes. – Yakk Nov 02 '17 at 17:05
2

The PS3 runs FreeBSD and stuff like WebKit. Totally exploitable. Also, on the PS3 and PS4 you can MITM the PCIe bus. This also works on all PC’s. Also, HDD firmware can be attacked, directly and indirectly, so when it is decrypted you just dump all or the data at will. Same goes for RAM. – John Keates Nov 03 '17 at 16:22
You do realize that ATMs and other service computers like self-checkout desks run WIndows XP right ? – Иво Недев Nov 06 '17 at 12:56
@Иво Недев: All too aware. My company actually cooperated with a major bank in an experiment regarding ATM security. They tend to take physical security rather seriously. Without going into details, it was the sort of experiment where they get out the sand bags. Also, they don't run XP, they run XP Embedded. – MSalters Nov 06 '17 at 13:04

score 89 · Answer 2 · edited Oct 31 '17 at 14:47

89

There are too many things that can be done at the OS level. That's the actual problem. There are numerous ways to launch processes and/or explore the system. One important aspect is that it looks like you failed to consider is running everything from a non-admin account. Also, you did not mention anything about USB, other peripherals, F-keys, default shortcuts and many more aspects.

As a rating: 2/10, which is purely due to the OS. Practically, any tech kid will bypass your current setup.

edited Oct 31 '17 at 14:47

Community

1

answered Oct 31 '17 at 12:36

Overmind

8,779
3
19
28

USB and other peripherals are fixable - Windows can be configured to disallow installing new drivers. If you provide the system with a proper USB keyboard (not a cheap clone, one with a unique VID/PID/serial) you can't swap in a keyboard with extra keys. – MSalters Nov 01 '17 at 08:59
15

True, USB connections can be managed, just like other peripherals, but there are a lot of things to consider since you even can start a file browsing by plugging in audio jacks into the audio card. Everything must be properly configured and considered. – Overmind Nov 01 '17 at 09:04
4

@MSalters It's not difficult to program an arduino as a usb keyboard with any VID/PID pair you want. It would be trivial to find the ID of the existing keyboard and have an arduino emulate the same keyboard and press Ctrl-Alt-Delete or Ctrl-Alt-Esc automatically. – Grant Nov 02 '17 at 19:18
I don't know how TPM works, but I'm assuming once I've booted into a Linux CD it's game over, since I then have access to everything that the Windows kernel would've had access to – Restioson Nov 03 '17 at 15:57
@Restioson TPM holds the encryption key to the HDD. you could mount a usb or live cd linux distro, but you wouldn't be able to decrypt the HDD without circumventing or capturing the key from the tpm – Aaron Nov 03 '17 at 16:03
1

@Aaron ok, so assuming that you could rewrite the boot sector of the HDD with a minimal kernel that extracted the TPM key and wrote it to the screen or otherwise exposed it, then it *would* be game over? – Restioson Nov 03 '17 at 16:05
@Restioson In a nutshell probably yes.. That wouldn't exactly be trivial, but if you own the hardware, there's basically always a way to dump the data. There's a really interesting defcon talk on hacking a cable box to get the stream ciphers that I don't entirely feel like looking up rn, but it shows just how knowledgeable some people are and what they're capable of with too much free time on their hands. – Aaron Nov 03 '17 at 20:07
@Aaron once *one* person does it, the method is out there and usable, which is sort of game over for the security method – Restioson Nov 04 '17 at 07:01
2

@Restioson I presume the system has SecureBoot so such boot sector wouldn't have right signature. This does nothing of course for DMA attacks etc. – Maciej Piechotka Nov 04 '17 at 23:37

twisteroid ambassador · Answer 3 · 2017-11-02T13:36:45.473

It sounds like you're creating an arcade machine. In that case, learn from the companies who actually make and sell arcade machines, and Use Windows Embedded instead of the desktop version.

Using TPM + full-disk encryption is a good start. You should also remove as many Windows components you're not using as possible, and lock down as many access surfaces as possible. It is possible to do this to a Windows desktop installation, but the raison d'être of Windows Embedded is to enable this kind of deep customization.

Mind you, that even arcade machines made "properly" by large game companies using Windows Embedded eventually get hacked and dumped. You can find many "HDD" releases of popular arcade games on the scene. This should tell you how difficult it can be to properly secure an arcade machine against determined hackers.

https://www.microsoft.com/windowsembedded/en-us/windows-embedded-8-pro.aspx — Ben, Nov 02 '17 at 10:05

score 30 · Answer 4 · answered Oct 31 '17 at 11:09

30

This is not secure. The hardware is under the control of the user, so they can always find a way.

I'm assuming that TPM is meant to prevent the user from starting another OS (like Ubuntu) from CD, DVD or USB. This is a good precaution.

However... the user can still remove the harddisk, and put it in another computer. Then they can read the harddisk. So you would have to make the hardware tamper-proof.

Replacing explorer.exe with game.exe is a step, but only in the Windows environment. As soon as the user can get a command prompt (booting in Safe Mode, perhaps), this won't help anymore. All it does is slow the attacker down.

answered Oct 31 '17 at 11:09

S.L. Barth

5,486
8
38
47

21

But if the HDD is encrypted, would removing it help? The key is in the TPM. – Anders Oct 31 '17 at 11:27
1

@Anders Good point. The attacker would have to get the key from the hardware TPM. – S.L. Barth Oct 31 '17 at 11:29
19

If the best available attack is to somehow break the TPM, I would say that the system is pretty secure. (However, there might be easier attacks - I don't really know.) – Anders Oct 31 '17 at 12:09
@Anders Agreed, although I also agree with Lie Ryan's comment under the question - the attacker has unlimited physical access to the machine. I suppose the attacker could also re-wire the Ctrl and Alt keys. OP might have to remove Task Manager entirely. – S.L. Barth Oct 31 '17 at 12:12
I think one can always kill the game exe so one would need to remove task manager also. Then you must disable the safe boot etc – joojaa Nov 02 '17 at 20:12
@joojaa Task Manager was mentioned by the asker in point (3). Your suggestion is an improvement to that point. – S.L. Barth Nov 02 '17 at 20:21

score 27 · Answer 5 · answered Oct 31 '17 at 15:17

Some ideas of attack against that:

Windows normally comes with a Repair mode. It may be more or less easy to activate it (ref., but if it is possible the user can make the computer start in command line mode -> do not forget to filter the cmd.exe program in addition to explorer.exe
TPM may be weaker than what you expect, and successful attacks have already been recorded (ref on wikipedia)
social attack: I assume that the game will be sold and that a hotline will be in place. As user has no access to the normal configuration tools, a possible attack would be to send requests because it does not work. Chances are that at a moment an action leave the system with a shell access
software bug: unless programmed by god itself, game.exe could break in unexpected conditions. That could be a good starting point for methods 1 or 3
social and commercial attacks depending on the way you intend to deliver the system, twits and blog posts claiming that the system will spy everything on the network where it is installed could lower the sales at a point where the protection has nothing to protect.
attacks against the underlying OS. As the user has no accesses to the system, it is likely to remain unpatched

And finally have you really tried it? I would never dare to replace explorer.exe on a Windows system because there is no clean separation between the system and the shell and IMHO this is not supported by Microsoft.

It is a bit unclear what the OP means by "`explorer.exe` is replaced by `game.exe`", but changing the logon shell to the application is pretty much the standard way of implementing a Kiosk type appliance, not just on Windows. — Jörg W Mittag, Nov 01 '17 at 10:29

score 19 · Answer 6 · answered Nov 03 '17 at 12:43

19

Only one attack is enough to prove that it's insecure, right?

Press the Shift key 5 times. A dialog will pop up, asking if you want to activate some feature for disabled persons.
On that dialog, click the link to go to the Control Center for accessibility.
In that dialog, click in the address bar
type cmd Enter

Here's the screenshot in a German system:

You have not mentioned the Shift key explicitly, maybe it's disabled. You could also hold NumLock for 5 seconds as an alternative.

answered Nov 03 '17 at 12:43

Thomas Weller

3,246
3
21
39

2

This is an excellent example of how many back doors there are in Windows. – Carey Gregory Nov 03 '17 at 14:14
3

@CareyGregory It's not really a backdoor if you're already logged in. – mbomb007 Nov 03 '17 at 15:32
7

@mbomb007: I didn't read this as "backdoor" in the security way, more like "open doors" :-) – Thomas Weller Nov 03 '17 at 15:40
Maybe just shortcuts and different ways to do things. – mbomb007 Nov 03 '17 at 16:28
2

FWIW, the shortcut to all of these accessibilities can also be disabled (I had done it because sometimes I need to press Shift key consecutively in a game) – Andrew T. Nov 04 '17 at 05:37

score 6 · Answer 7 · answered Nov 03 '17 at 10:33

As others have said, this cannot be considered secure. You can however remove the 'low hanging fruit', both to reduce the chances of your software being stolen and to ensure your users experience is positive.

Your primary goal is to protect software sold with the hardware.

First, ensure you have designed your hardware in such a way as only authorized persons can access it for maintenance. This is probably as simple as ensuring everything not required by a user is in a locked, sealed box. It may be that the owners require access to this box. A case-intrusion alarm may also be of use here.

Second, Microsoft provide a way of Creating a Kiosk Experience in Windows 10. Following these instructions and taking inboard their security recommendations will result in a Microsoft Supported locked down PC.

Third, A Software Protection Dongle could also be used to protect your software running on the computer. Should an attacker bypass your hardware and software protections across the PC/OS, they will still need to either steal the dongle or crack it.

Whilst this doesn't completely secure your software from theft, it should deter all but the most dedicated attackers.