p2p news special / p2pnet: Professor Ed Felten (left) and Alex Halderman are working on an academic paper, ‘Lessons from the Sony CD DRM Episode’ which will, "analyze several not-yet-discussed aspects of the XCP and MediaMax CD copy protection technologies, and will try to put the Sony CD episode in context and draw lessons for the future," they say on Felten’s blog.

They’re posting drafts of a few sections because they, "hope the postings will be interesting in themselves, and we hope your comments will help us improve the paper.

But the sections are part of the draft and shouldn’t be formally quoted or cited, they emphasise, saying the final, complete version will be posted on Felten’s Freedom to Tinker blog.

For how, below are the three sections published so far, in order of appearance >>>>>>>>>>>>>>>>>>>>>>>

CD DRM: Threat Models and Business Models
Freedom to Tinker – January 24, 2006
[Excerpt from a section early in the paper where we are still setting the scene before the main technical discussion begins]

Before analyzing the security of any system, we need to ask what the system is trying to accomplish: what its threat model is. In the case of CD DRM, the system’s goals are purely economic, and the technical goals of the system exist only to protect or enable the business models of the record label and the DRM vendor. Accordingly, any discussion of threat models must begin and end by talking about business models.

It is important to note that the record label and the DRM vendor are separate entities whose goals and incentives are not always aligned. Indeed, we will see that incentive differences between the label and the DRM vendor can be an important factor in understanding the design and deployment of CD DRM systems.

Record Label Goals

The record label would like to prevent music from the CD from becoming generally available on peer-to-peer file sharing networks, but this goal is clearly infeasible. If even one user succeeds in ripping an unprotected copy of the music and putting that copy onto P2P networks, then the music will be generally available. Clearly no CD DRM system can be nearly strong enough to stop this from happening; and as we will see below, real systems do not even try to achieve the kind of comprehensive coverage of all major computing platforms that we would needed as a prerequisite for stopping P2P sharing of protected music. We conclude that the goal of CD DRM systems cannot be to prevent P2P file sharing.

The record label’s goal must therefore be to stop many users from making disc-to-disc copies or from engaging in other forms of local copying or use of the music. By preventing local copying, the record company might be able to sell more copies of the music. For example, if Alice cannot make a copy of a CD to give to Bob, Bob might buy another copy from the record label.

By controlling other local uses, the record company might be able to charge extra fee for those uses. For example, if the record label can stop Alice from downloading music from a CD into her iPod, the label might be able to charge Alice an extra fee for iPod downloads. Charging extra for iPod downloads creates a new revenue stream for the label, but it also reduces the value to users of the original CD and therefore reduces the revenue that the label can extract from CD sales. Whether the new revenue stream outweighs the loss of CD revenue depends on detailed assumptions about customer preferences, which may not be easy for the label to determine in practice. For our purposes, it suffices to say that the label wants to establish control over the uses made by at least some users, because that control will tend generally to increase the label’s profit.

We note also that the record company’s profit-maximizing strategy in this regard is largely independent of the contours of copyright law. Whether the label would find it more profitable to control a use, as opposed to bundling it with the CD purchase, is a separate question from whether the law gives the label the right to file lawsuits relating to that use. Attempting to enforce copyright law exactly as written is almost certainly not the record label’s profit-maximizing strategy.

Monetizing the Platform

Even beyond its effect on controlling copying and use of content, CD DRM can generate revenue for the record label because it installs and runs software on users’ computers. The label can monetize this installed platform in various ways. For example, the DRM software comes with a special music-player application which is used to listen to the protected disc. This application can display advertisements or other promotional material that creates value for the label. Alternatively, the platform can gather information about the user’s music listening habits, and that information can be exploited for some business purpose. If these tactics are taken too far, the DRM software can become spyware. Even if these tactics are pursued more moderately, users may still object; but the record company may use these tactics anyway if it believes the benefits to it outweigh the costs.

DRM Vendor Goals

The DRM vendor’s primary goal, obviously, is to provide value to the record label, in order to maximize the price that the vendor can charge the label for using the DRM technology. If this were the only factor, then the incentives of the vendor and the label would be perfectly aligned and there would be no need to consider the vendor’s incentives separately.

However, there are at least two ways in which the DRM vendor’s incentives diverge from the record label’s. First, the vendor has a much larger tolerance for risk than the label does. The label is a large, established business with a valuable brand name. The vendor (at least in the cases at issue here) is a start-up company struggling to establish itself. The label has much more to lose than the vendor does if something goes horribly wrong. Accordingly, we can expect the vendor to be much more willing to accept security risks than the label is.

The second incentive difference is that the vendor can monetize the installed platform in ways that are not available to the record label. For example, once the vendor’s software is installed on a user’s system, the software can control copying and use of other labels’ CDs. Having a larger installed base makes the vendor’s product more

attractive to other labels. Because the vendor gets this extra benefit from installing the software, the vendor has an incentive to be more aggressive about pushing the software onto users’ computers than the label would be.

In short, the vendor’s incentives diverge from the label’s incentives in ways that make the vendor more likely to (a) cut corners and accept security and reliability risks, and (b) push its software onto more user’s computers, even in some cases where the label would prefer to do otherwise. If the label knew everything about how the vendor’s technology worked, then this would not be an issue — the label would simply insist that the vendor protect its interests. But if some aspects of the vendor’s design are withheld from the label as proprietary, or if the label is not extremely diligent in monitoring the vendor’s design choices — both of which are likely in practice — then the vendor will sometimes act against the label’s interests.

>>>>>>>>>>>>>>>>>>>>>>>

CD DRM: Attacks on Disc Recognition
Freedom to Tinker – January 26, 2006
[Excerpt is from the middle of the paper where we’re wading through details about the copy protection systems and the techniques they use to recognize protected CDs.]

The active protection mechanisms introduced earlier selectively regulate access to raw CD audio, blocking access to the audio tracks on albums protected with a particular scheme while allowing access to all other titles. To accomplish this, the schemes install a background process that interposes itself between applications and the original CD driver. In MediaMax, this process is a kernel-mode driver called sbcphid.sys. XCP uses a pair of filter drivers attached to the CD-ROM and IDE devices called crater.sys and cor.sys. In both schemes, the active protection drivers examine each disc that is inserted into the computer to see whether access to it should be restricted. If the disc is recognized as copy protected, the drivers monitor for attempts to read the audio tracks, as would occur during a playback, rip, or disc copy operation, and corrupt the audio returned by the drive to degrade the listening experience. MediaMax introduces a large amount of random jitter, making the ripped audio sound like it has come from a badly scratched or damaged CD; XCP replaces the audio with random noise.

Each scheme’s active protection software interferes with attempts to rip or copy any disc that is protected by the same scheme, not merely the disc from which the software was installed. This requires some mechanism for identifying discs that are to be protected. This section discusses the security requirements for such a recognition system, describes the design and limitations of the actual recognition mechanism employed by the MediaMax scheme, and presents an improved design that better satisfies the requirements.

Recognition Requirements

Any disc recognition system must involve detecting some identifying feature on discs protected by a particular scheme. Ideally, such a feature would satisfy these requirements:

1. Uniqueness. The feature should identify protected discs without accidentally triggering the copy protection on unprotected titles.
   
2. Detectability. It should be possible for the active protection drivers running on client systems to reliably and quickly detect the feature in protected discs. In practice, this limits the amount of audio that can be read from the disc before deciding whether to apply protection.
   
3. Indelibility. The feature should be difficult to remove without substantially degrading the quality of the audio; that is, it should be difficult to make a copy of the copy protected disc that does not itself trigger the protection.
   
4. Unforgeability. It should be difficult to apply the feature to an unprotected album without the cooperation of the protection vendor, even if the adversary has access to protected discs.
   

This last requirement stems from the business strategies of the copy protection vendors. As discussed in earlier, many of these vendors are pursuing a platform building strategy. The biggest obstacle to the success of an active protection system is getting the protection software installed on client machines. Once installed, the software can regulate access to all discs protected by the scheme, even if the user learns to disable autorun or refuse future CD DRM installation requests. Thus each completed installation increases the effectiveness of the protection platform and heightens its value to the protection vendor and its music label clients.

Being widely installed adds value to these copy protection systems, but it also exposes them to a new class of attacks. The protection companies earn revenue from record labels who license their schemes, typically paying some fee per title or per copy. This revenue stream may be threatened if disc publishers can mark their discs as protected without paying.

There are advantages and disadvantages for the person placing the unauthorized marks. Copyright would prohibit rogue publishers from distributing an installer for the active protection software, though they might depend on the existing installed base from licensed titles. They would also be prevented from employing the components of the protection software that allow users to access restricted copies of the music; however, they could create their own software to provide this capability if they desired. On the other hand, free riding publishers would not be restricted to marking their disc for only one scheme. By identifying their discs as copy protected with multiple schemes, they could invoke multiple layers of security and provide stronger protection than is available with any single technique, all without paying. (It is possible that protection producers could have legal remedies against such free riders, such as through a patented identification feature, but we are unaware of any patents that cover the identification features known to be in use. Even if some kind of legal remedy is available, it’s worth designing the mark to prevent the problem too, at least if the cost of doing so is low.) Preventing free riding by publishers requires some kind of disc authentication mechanism to control access to installed active protection software—a meta-copy protection technique.

How MediaMax Recognizes Protected Discs

To find out how the disc recognition mechanisms employed by CD DRM systems stack up the ideal requirements, we examined the recognition system built into MediaMax CD-3 and MM-5 systems. The MediaMax system drew our attention because MediaMax’s creators have touted their advanced disc identification capabilities, including the ability to identify individual tracks within a compilation as protected, and well as their platform-building strategy. (The XCP scheme appears to use a less sophisticated disc recognition system based on a marker stored in the data track of protected discs. We may talk more about it later.)

We determined how MediaMax identifies protected albums by tracing the commands sent to the CD drive with and without the active protection software running. These experiments took place on a Windows XP virtual machine running on top of a Fedora Linux host system, which we modified by patching the kernel IDE-SCSI device to log all drive activity.

With this setup we observed that the MediaMax software executes a disc recognition procedure immediately upon the insertion of a CD. The MediaMax driver reads two sectors of audio data at a specific offset from the beginning of audio tracks—approximately 365 and 366 frames in (a CD frame is 1/75 second). On unprotected discs, the software scans through every track in this way, but on MediaMax-protected albums, it stops after the first three tracks, apparently having detected an identifying feature. The software decides whether or not to block read access to the audio solely on the basis of information in this region, so we inferred that the identifying mechanism takes the form of an inaudible watermark embedded in this part of the audio stream. (By locating the watermark nearly five seconds after the start of the track, MediaMax reduces the likelihood that it will occur in a very quiet passage, where it might be more audible, and makes it more difficult to crop out.)

Locating the watermark amid megabytes of audio might have been difficult, but we had the advantage of a virtual Rosetta Stone. The actual Rosetta Stone is a 1500 lb. granite slab unearthed by French archaeologists in Rosetta, Egypt, in 1799. A single Ptolemaic decree is written on the stone in three scripts: ancient hieroglyphics, demotic (simplified) hieroglyphics, and Greek. Comparing these inscriptions provided the key to deciphering Egyptian hieroglyphic texts. Our Rosetta Stone was a single album, Velvet Revolver’s Contraband (BMG, 2004), released in three different versions: a U.S. release protected by MediaMax, a European release protected by a passive scheme developed by Macrovision, and a Japanese release with no copy protection. We decoded the MediaMax watermark by examining the differences between the audio on these three discs. Binary comparison revealed no differences between the releases from Europe and Japan; however, the MediaMax-protected U.S. release differed slightly from the other two in certain parts of the recording. By carefully analyzing these differences—and repeatedly attempting to create new watermarked discs using the MediaMax active protection software as an oracle—we were able to deduce the structure of the watermark.

The MediaMax watermark is embedded into the audio of each track in 30 clusters. Each cluster is made up of 288 marked 16-bit audio samples followed by 104 unaltered samples. Three mark clusters exactly fit into one 2352-byte CD audio frame. The watermark is centered at approximately frame 365 of the track; though the detection routine in the software only reads two frames, the mark extends several frames to either side of the designated read target to allow for imprecise seeking in the audio portion of the disc (a typical shortcoming of inexpensive CD drives). The MediaMax driver detects the watermark if at least one mark cluster is present in the region read by the detector.

A sequence of 288 bits we call the raw watermark is embedded into the 288 marked audio samples of each mark cluster. A single bit of the raw watermark is embedded into an unmarked audio sample by setting one of the three least significant bits to the new bit value (as shown in bold) and then patching up the two other bits, according to this table:

(This design seems to be intended to lessen the audible distortion caused by by setting one of the bits to the watermark value. The change in the other two bits reduces the magnitude of the difference from the original audio sample, but it also introduces a highly uneven distribution in the three LSBs that makes the watermark easier to detect or remove.)

The position of the embedded bit in each sample follows a fixed sequence for every mark cluster. Each of the 288 bits is embedded in the first-, second-, or third-least-significant bit position of the sample according to this sequence:

2,3,1,1,2,2,3,3,2,3,3,3,1,3,2,3,2,1,3,2,2,3,2,2,2,1,3,3,2,1,2,3,3,1,2,2,3,

1,2,3,3,1,1,2,2,1,1,3,3,1,2,3,1,2,3,3,1,3,3,2,1,1,2,3,2,2,3,3,3,1,1,3,1,2,

1,2,3,3,2,2,3,2,1,2,2,1,3,1,3,2,1,1,2,1,1,1,2,3,2,1,1,2,3,2,1,3,2,2,2,3,1,

2,1,3,3,3,3,1,1,1,2,1,1,2,2,2,2,3,1,2,3,2,1,3,1,2,2,3,1,1,3,1,1,1,1,2,2,3,

2,3,2,3,2,1,2,3,1,3,1,3,3,3,1,1,2,1,1,2,1,3,3,2,3,3,2,2,1,1,1,2,2,1,3,3,3,

3,3,1,3,1,1,3,2,2,3,1,2,1,2,3,3,2,1,1,3,2,1,1,2,2,1,3,3,2,2,3,1,3,2,2,2,3,

1,1,1,1,3,2,1,3,1,1,2,2,3,2,3,1,1,2,1,3,2,3,3,1,1,3,2,1,3,1,2,2,3,1,1,3,2,

1,2,2,2,1,3,3,1,2,3,3,3,1,2,2,3,1,2,3,1,1,3,2,2,1,3,2,1,3

The 288-bit raw watermark is detected by the active protection software only when it has certain properties, as shown in the sequence below. In the 288-bit sequence, 96 positions have fixed bit values, either 0 or 1. The trailing 32 positions have arbitrary values (as indicated by _), and can be used to store a 32-bit disc-specific value. The other 192 positions are divided into 32 groups of linked values (denoted a-z and alpha-zeta). In each group, three positions share the same value and three share the complement value. This allows the scheme to encode a second 32-bit value, though in actual discs it appears to be a different random value in each of the 30 mark clusters.

Attacks on the MediaMax Watermark

The MediaMax watermark fails to satisfy the indelibility and unforgeability requirements of an ideal disc recognition system. Far from being indelible, the mark is surprisingly brittle. Most advanced designs for robust audio watermarks manipulate the audio in the frequency domain and attempt to resist removal by lossy compression, multiple conversions between digital and analog formats, and other common transformation. In contrast, the MediaMax watermark is applied in the time domain and is rendered undetectable by even minor changes to the file. An adversary without any knowledge of the watermark’s design could remove it by converting the tracks to a lossy format like MP3 and then burning them back to a CD, which can be accomplished easily with standard consumer applications. This would result in some minor loss of fidelity, but a more sophisticated adversary could prevent the mark from being detected with almost no degradation by flipping the least significant of one carefully chosen sample from each of the 30 watermark clusters, thereby preventing the mark from exhibiting the pattern required by the detector.

The MediaMax watermark also fails to satisfy the unforgeability requirement. The mark’s only defense against forgery is its complicated, unpublished design, but as is often the case this security by obscurity has proved tedious rather than impossible to defeat. As it turns out, an adversary needs only limited knowledge of the watermark–its location within a protected track and its confinement to the three LSBs of each sample–to forge it with minimal loss of fidelity. Such an attacker could transplant the three LSBs of each sample within the watermarked region of a protected track to the corresponding sample from an unprotected one. Transplanting these bits would cause distortion more audible that that caused by embedding the watermark since the copied bits are likely to differ by a greater amount from the original sample values; however, the damage to the audio quality would be limited since the marked region is only 0.4 seconds in duration. A more sophisticated adversary could apply a watermark to an unprotected track by deducing the full details of the structure of the watermark, as we did; she could then embed the mark in an arbitrary audio file just as well a licensed disc producer.

Secure Disc Recognition

Having shown that the MediaMax watermark fails to provide either strong resistance to removal or strong resistance to forgery, we ask whether it is possible to securely accomplish either or both of these goals.

As far as indelibility is concerned, watermarking schemes have a poor history of resisting removal. This is especially true against an adversary who has oracle access to the watermark detector, as was the case with a previous application of watermarks to audio copy protection, SDMI, and with CD DRM systems. Making marks that are both indelible and unforgeable is likely much more difficult. There seems to be tension between marks that are difficult to remove and ones that are hard to forge. Enforcing both requirements creates two ways to fool the detector–by rendering the mark invisible and by making it appear forged. If, as in CD DRM, either situation leads to the same result (no protection), the attacker’s power is multiplied.

In contrast, a mark strongly robust to forgery is simple to create based on digital signatures if we aren’t concerned with its being easy to remove. A very simple scheme works as follows:

• To sign an audio track, the licensed publisher reads a fixed portion L₁ of the audio data (say, the first ten seconds), then computes a cryptographic hash of L₁ and signs it using a public key signature algorithm to derive the signature S_L1 := Sign_KS(Hash(L₁)). S_L1 is then stored at a second location in the track by setting the LSB of each sample in the region to the corresponding bit in the signature. A 320-bit DSA signature could be embedded in this way using approximately the same space as one mark cluster of the MediaMax watermark.
  
• The publisher keeps the signing key K_S secret, and builds the corresponding verification key K_V into the client software. When presented with a CD, the software checks for a valid signature. First it reads the audio from the signed area of the track and hashes it, and it locates and extracts the signature stored in the LSBs in the second mark location. Next, it verifies the signature on the hash using K_V. If the signature is correct, the watermark is valid and genuine; otherwise, forgery or data corruption is indicated.
  

Forging such a mark would require defeating the digital signature scheme or splicing both L₁ and S_L1 from a legitimately marked album. We set L₁ to be several seconds of audio to make such splicing less appealing.

Clearly this watermark is highly vulnerable to removal. If even a single bit of the hashed region is changed, the mark will not be recognized as valid. Yet the watermark MediaMax actually uses is also vulnerable to corruption by a single bit too while being far less resistant to forgery. Robustness to removal, while desirable in principle, is of limited value in real CD DRM applications. Removal of the watermark is unlikely to be the weakest link protecting the audio, and while the gains from creating a more indelible watermark are slight, the loss to free riders from an easily forgeable mark is potentially much larger.

>>>>>>>>>>>>>>>>>>>>>>>

CD DRM: Compatibility and Software Updates
Freedom to Tinker – January 28, 2006
[This part will be (in the final paper) the last part of the technical core of the paper. Readers of the final paper will have seen the rest of our technical analysis by this point. Blog readers haven’t seen it all yet - stay tuned.]

Compared to other media on which software is distributed, compact discs have a very long life. Many compact discs will still be inserted into computers and other players twenty years or more after they are first bought. If a particular version of (say) active protection software is burned onto a new CD, that software version may well try to install and run itself decades after it was first developed.

The same is not true of conventional software, even when it ships on a CD-ROM. Very few if any of today’s Windows XP CDs will be inserted into computers in 2026; but CDs containing today’s CD DRM software will be. Accordingly, CD DRM software faces a much more serious issue of compatibility with future systems.

The future compatibility problem has two distinct aspects: safety, or how to avoid incompatibilities that cause crashes or malfunction of other software, and efficacy, or how to ensure that the desired anti-copying features remain effective.

Protecting Safety by Deactivating Old Software

Safety is the easier attribute to protect, and in most respects the more important. One way to protect safety is to design the DRM software so that it is likely to be inert and harmless on future systems. Both XCP and MediaMax do this by relying on the Windows Autorun feature, which is unlikely to be supported in future Windows versions for security reasons. If, say, the upcoming Windows Vista does not support Autorun (or supports it but disables it by default), then XCP and MediaMax will have no effect on Vista systems. Perhaps the use of Autorun by XCP and MediaMax was a deliberate design decision to ensure safety; but we suspect that it was a side-effect of a design choice that was expedient for other reasons.

Another way to protect safety is to build a sunset date into the software, and to program the software to be as inert as possible once the sunset date is reached. Building in a sunset after (say) three years would protect against many safety problems; and it would have little effect on the record label’s business model, as we would expect nearly all revenue from monetizing new uses of the music to have been extracted within the first three years after the disc is pressed. If a customer is ever going to pay for iPod downloading, she is likely to do so within the first three years after the CD is pressed.

Updating the Software

Like any software vendor, a DRM vendor can issue new verions of its products. A new version can be shipped on newly pressed CDs, but existing CDs cannot be modified retroactively.

Instead, the vendor can offer updates, which can be delivered either by download or on new CDs. Downloads can occur immediately, but only on machines that are connected to the Internet. CD delivery can potentially reach more machines, but is slower and less certain.

Either mode of distribution can be used straightforwardly if the user wants to cooperate. Users will generally cooperate with updates that only provide safety on new systems, or that otherwise increase the software’s value to the user. But updates that merely retain the efficacy of the software’s usage restriction mechanisms will not be welcomed by users.

Users have many ways to block the downloading or installation of updates. They can write-protect the software’s code, so that it cannot be updated. They can configure the system to block network connections to the vendor’s servers. They can use standard security tools, such as personal firewalls, to stop the downloads. System security tools are often well suited for such a task, being programmed to block unwanted network connections, downloads, and code installation. If a current security tool does not block updates of CD DRM software, the tool vendor has an incentive to make future versions do so.

A DRM vendor who wants to offer efficacy-related updates, recognizing that users will not want those updates, has two options. The vendor can offer updates and hope that many users will not bother to block them. From the record label’s standpoint, prolonging the system’s efficacy for some users is better than nothing. Alternatively, the vendor can try to force users to accept updates.

Forcing Updates

If a user can block updates of the DRM software on his machine, the vendor’s best strategy for forcing an update is somehow to convince the user that the update is in his best interest. This can be done by making a non-updated system painful to use.

If we rule out dangerous and almost certainly illegal approaches such as logic bombs that destroy a noncompliant user’s files or hold his computer hostage, the vendor’s best option is to make the DRM software block all access to protected CDs until the user updates the software. The software might check periodically with some server on the Internet, which would produce some kind of cryptographic assertion saying which versions are allowed to continue operating without an update, as of some date time. If the software on the user’s system noticed that no recent certificate existed that allowed its own version to keep operating, it would go into a locked down mode that blocked all

access to protected discs but allowed software updates. The user would then have to update to a new version in order to get access to his protected CDs.

This approach could force updates on some users and thereby prolong the efficacy of the DRM for those users. However, it also has several drawbacks. If the computer is not connected to the Internet, the software will eventually lock down the user’s music because it cannot see any certificates that allow it to continue. (The software could continue working if it can’t see the Internet, but that would allow users to block updates indefinitely by configuring their systems to stop the DRM software from making network connections.) A bug in the software could cause it to lock itself down irreversibly, perhaps by accident. The software could lock itself down if the vendor’s Internet site is shut down, for example if the vendor goes bankrupt.

Locking down the music, or forcing a restrictive software update, can also be counterproductive, by giving the user a reason to defeat or remove the DRM software. (Users could also defeat the timeout mechanism by misleading the DRM software about the date and time, but we expect that most users with the inclination to do that would choose instead to remove the DRM software altogether.) The software is more likely to remain on the user’s system if it does not behave annoyingly. Automatic update can reduce the DRM system’s efficacy if it just drives users to remove the DRM software. From the user’s standpoint, every software update is a security risk, because it might carry hostile or buggy code.

Given the difficulties associated with forced updates, and the user backlash it likely would have triggered, we are not surprised that neither XCP nor MediaMax chose to use forced updates.

This entry was posted on Sunday, January 29th, 2006 at 10:14 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

HOME

Viewed 5141 times