cd drm & sony-bmg: a case study muhammed afzal hussain digital rights management seminar 17 th...
Post on 18-Dec-2015
214 views
TRANSCRIPT
CD DRM & SONY-BMG:a case study
Muhammed Afzal HussainDigital Rights Management Seminar
17th May, 2006
Sony-BMG is the worlds second largest record company.
Fall 2005, problems discovered in two Sony-BMG CD copy protection systems: XCP & MediaMax
These two systems made the user’s computers more vulnerable to attacks
Had other DRM issues
As a result…
Created public uproar Recall of millions of discs Compensation to the users (both in monetary
form and others) Class action lawsuits Severe damage of company goodwill
Contents
CD DRM overview How XCP and MediaMax work Security threat caused by them Their weaknesses Requirements of a good CD DRM system Conclusion
CD DRM
A system to protect CD contents from being copied
Should protect an audio CD from disc to disc copy, converting to mp3, copying single track etc.
Purely economic Goals can be divided in two categories:
Record Label Goal and DRM Vendor Goal
Record Label Goals
CD DRM can not stop P2P file-sharing To stop disc to disc copy and other local copying
and use of the music If Alice cannot copy a CD to give to Bob, Bob might buy the
CD himself Portable audio player version
Show advertisement and other promotional values Increase market power for parent company
DRM Vendor Goals
Create value for the record label DRM Vendors have higher risk tolerance More aggressive to create a wider user base Record labels have imperfect knowledge
about DRM technology used Sometime acts against record labels interest XCP was developed by First4Internet MediaMax was developed by SunnComm
CD DRM Requirements
CD should be playable in ordinary CD players
CD must be unreadable by almost all computer programs to avoid copying
CD must be recognizable as a protected disc DRM vendor’s own software must be able to
read it and give controlled access
CD DRM - How it works
Two types of protections: Passive Protection Active Protection
Passive measure changes the disc’s contents to confuse computer
Active protection uses software for scanning and restrict access to a protected disc
Passive Protection
Exploits subtle difference in the way computer and ordinary CD Players read CDs
The distinctions between these two are imprecise
Computer hardware and software has became more robust reading poorly formatted discs
Recent CD DRM mainly rely on active protection
Passive Protection (cont…) XCP (Extended Copy Protection) deviates from
Bluebook specification to create passive protection Bluebook contains one audio session with multiple
tracks and another session with one data track XCP has one session with audio tracks and another
session with two data tracks Windows assumes it’s a data-only CD Audio tracks become invisible Ordinary CD players do not support multi-session
CD and recognizes only the first session
XCP Passive Protection
Provides limited protection only: Advanced ripping and copying Non-Windows platforms The felt-tip marker trick
Felt-tip marker trick: Hide the second session using felt-tip marker or masking
tape The second session is near the outer edge of the disc Can be done using trial and error method, or visually
analyzing the disc
Active Protection
Active protection requires a software to be installed Both XCP and MediaMax rely on the autorun feature
of Windows. MacOS X and Linux do not have autorun. XCP has only Windows code. MediaMax has MacOS code but the user must
execute the installer (intentionally or unintentionally) to install it. Usually users don’t do that
Temporary Protection Protection for the time while the installer is running
but not yet installed When the EULA is being displayed
XCP checks for about 200 ripping and copying application Names are hard coded
If any of these application is found running in the system, it asks the user to close it in order to continue the installation
If the ripping or copying application is not closed within 30 seconds, the installer ejects the CD and quits
XCP Temporary protection – Screen Shot
MediaMax Temporary Protection
It installs the software and activates it at least temporarily while the EULA is still displayed
The software remains installed even if the user explicitly denies consent by declining the EULA
In cases the software even remains active while the user denies consent
Temporary Protection
Installation of software by MediaMax before consent is highly controversial
Temporary activation of the DRM software without consent raises ethical questions
Most user do not expect the insertion of a music CD to load a software
Some discs contained statements about software being on the disk, but were written in tiny font and did not mention anything explicitly
Active Protection basics
Depends on background process This process checks whether access should be
restricted to a disc For any recognized protected disc, monitors CD
access and corrupts returned audio data to any other application other than its own player
XCP replaces audio with random noise MediaMax adds large random jitter Requires mechanism to recognize protected discs
Disc Recognition
XCP stores a marker in the data track MediaMax uses more sophisticated method It puts a watermark The watermark is created after about 4
second from the start of an audio track to avoid audible noise in silence
Modifies the audio track according to a special algorithm
CD DRM Players Provides rudimentary playback interface to the
protected discs Allows bonus contents
Album arts, lyrics, notes, links to websites Allows integrated burning application to copy the
disc three times Subsequent copies can not be made
Supports ripping the tracks only in DRM-protected formats so can only be run in the same computer. Uses Windows Media DRM
What Went Wrong? Controversial temporary protection schemes XCP infringes copyrights of open source software
projects Contains code from the project DRMS, licensed under GPL Uses this code to create FairPlay protected file for playing
in iPod Although this functionality is hidden to user
Performs phoning home Sends information about listening habit. Allows to log user’s IP, date, time and album name. Receives images or banner ads to display Fits to consensus definition of spyware.
Rootkit behavior of XCP
XCP shows rootkit behavior Rootkits are software designed to hide processes,
files, or system data Used to hide intrusion
XCP’s rootkit is used to hide its main installation directory, registry keys, files and processes So they can not be removed, modified or even noticed by
the user Conceals any file, process or registry key whose
name begins with $Sys$
XCP as a Security Threat
Any malware can use XCP’s rootkit behavior to hide its existence in the system
Modifies Windows kernel Modifies system functions for creating file, list
running process etc. Modified kernel is not as stable as the original
kernel Can be used to crash the computer
MediaMax as a Security Threat MediaMax sets file permission that allows anybody
to modify contents of its installation directory Any user can replace its own code with malicious
code Next time any other user will insert a MediaMax
disc, the malicious code will be executed with his user privileges MediaMax requires Administrator privileges
Resets permission every time MediaMax is run Manually correcting the errant permission is not very
effective
MediaMax as a Security Threat (cont…)
Installs MediaMax.dll even if the user denies the EULA
Next time a MediaMax disc is inserted, it checks the version of MediaMax by calling the DLL
Attacker can place hostile code in this DLL so next time a MediaMax disc is inserted, the malicious code will run with that user’s privilege
Sony-BMG released patch to solve this problem Initial patch did not solve the problem
Uninstall
Initially neither of the DRM systems contained uninstaller
After public demand, they provided uninstaller, but was very hard to acquire Had to fill up a sequence of forms and wait few days.
The uninstaller was customized for the user Worked only in the PC where the forms were filled.
Worked for a limited number of times Later unrestricted uninstaller were published
But they had their own vulnerabilities
MediaMax Uninstaller Vulnerability
Uses proprietary ActiveX control Users had to install it to uninstall MediaMax Has a “Remove” method which takes an URL A HTTP Get to this URL returns a second URL A DLL file is downloaded from the second URL and
executed to uninstall MediaMax The ActiveX control itself remains installed Any web page can invoke the “Remove” method of
the ActiveX control with an arbitrary first URL to execute a malicious DLL without warning
XCP Uninstaller Vulnerability
Has the same flaw, only a little harder to exploit
Instead of downloading a DLL, it downloads an archive file made using a proprietary algorithm
The DLL is extracted from this archive Using reverse engineering, a valid archive
can be made
As a result… Sony-BMG had to recall all discs containing XCP or
MediaMax XCP was deployed on 52 CD titles representing about 4.7
million CD’s MediaMax was deployed on 37 titles representing about 20
million CD’s Compensation to the buyers
Lawsuits were filed in New York, California and Texas
“It's your intellectual property but it's not your computer” Department of Homeland Security, USA
Was it enough?
With so many aggressive strategies and controversial methods, are the XCP and MediaMax sufficient to protect the audio CD in all situation? NO
We have already discussed the weaknesses of passive protections
Weaknesses
Autorun can be disabled or avoided Felt-tip marker method can be used XCP’s temporary protection: Uses constant
scanning for ripper application Users can kill the application Can use application that locks CD tray The hard coded lists of application will get
obsolete and the ripper applications may use randomize process name to avoid such protections.
Weaknesses (cont...)
XCP disc recognition: Uses a marker in data session: once ripped, it has no effect
MediaMax disc recognition: Uses watermark in the audio track: lossy compression
removes such watermark Both Players allows limited number of copies to be
burned Vulnerable to rollback attacks User can modify the saved states to burn unlimited number
of discs
Ideal Disc Recognition Requirement
Uniqueness: Identify protected discs without accidentally triggering protection on an unprotected disc.
Detectability: It should be quickly detectable Indelibility: The feature should be hard to
remove Unforgeability: Should be hard to forge.
Other requirements of a good CD DRM software
Audio CD has longer shelf life Deactivating old software
Old software should deactivate themselves Updating the software
User cooperate with updates that help them Download and CD delivery
Forcing updates Making the non-updated system painful to use
Conclusion
DRM Vendors goal differs from Label’s goal DRM of even major Label’s can cause security and
privacy risks. Efficacy of DRM are sometimes inversely related to
user’s ability to defend his system. CD DRM systems are mostly ineffective DRM systems not always focus on copyright law The stakes are high.
Questions?
Thank You