October 9, 2024

CD DRM: Attacks on the Player

Alex and I are working on an academic paper, “Lessons from the Sony CD DRM Episode”, which will analyze several not-yet-discussed aspects of the XCP and MediaMax CD copy protection technologies, and will try to put the Sony CD episode in context and draw lessons for the future. We’ll post the complete paper here later in the week. Until then, we’ll post drafts of a few sections here. We have two reasons for this: we hope the postings will be interesting in themselves, and we hope your comments will help us improve the paper.

Today’s excerpt is the last one we will post. By now, you have seen drafts of the all sections of the paper except the introduction, conclusion, and discussion of related work. The deadline for submission is (late) tomorrow night.

Please note that this is a draft and should not be formally quoted or cited. The final version of our entire paper will be posted here when it is ready.

Attacks on the Player

Increasingly, personal computers—and portable playback devices that attach to them—are users’ primary means of organizing, transporting, and enjoying their music collections. Sony and its DRM vendors recognized their trend when they designed their copy protection technologies. Rather than inhibit all use with PCs, as some earlier anti-copying schemes did~cite{}, XCP and MediaMax allow certain limited uses subject to restrictions imposed by DRM software.

XCP and MediaMax facilitate use on PCs using their own proprietary media players that are shipped on each protected CD. The schemes use active (and, with XCP, passive) protection to block other applications from accessing the CD audio, but a back door allows the scheme’s own player to bypass the protections.

The XCP and MediaMax players launch automatically using autorun when a protected disc is inserted into a PC. Both players have similar feature sets. They provide a rudimentary player interface, allowing users to listen to protected albums, and they allow access to “bonus content,” such as album art, liner notes, song lyrics, and links to artist web sites. [Footnote: Curiously, this bonus content is seldom copy protected, perhaps because it is of little value.]

XCP and MediaMax both permit users to burn copies of the entire album a limited number of times (typically 3). These copies are create using a proprietary burning application integrated into the player. They include the player applications and active (and passive, for XCP) protection as the original album, but they do not allow any subsequent generations of copying.

Another feature of the player applications allows users to rip the tracks from the CD to their hard disks, but only in DRM-protected audio formats. Both schemes support the Windows Media Audio format by using a Microsoft product, the Windows Media Data Session Toolkit [citation[, to deliver DRM licenses that are bound to the PC where the files were ripped. The licenses allow the music to be transferred to portable devices that support Windows Media DRM scheme or burned onto CDs, but the Windows Media files will not be usable if they are copied to another PC.

Attacks on Player DRM

The XCP and MediaMax players were designed to enforce usage restrictions specified by content providers. In practice, they provide minimal security, because there are a number of ways that users can bypass the limitations.

Perhaps the most interesting class of attacks targets the limited number of burned copies permitted by the players. Both players are designed to enforce this limit without communicating with any networked server; therefore, the player must keep track of how many allowed copies remain by storing state on the local machine.

It is well known that DRM systems like this are vulnerable to rollback attacks. In a rollback attack, the state of the machine is backed up before performing the limited operation (in this case, burning the copy). When the operation is complete, the old system state is restored, and the DRM software is not able to determine that the operation has occurred. This kind of attack is easy to perform with virtual machine software like VMWare, which allows the entire state of the system to be saved or restored in a few clicks. The XCP and MediaMax both fail under this attack, which allows unlimited copies to be burned with their players.

A refined variation of this attack targets only the specific pieces of state that the DRM system uses to remember the number of copies remaining. The XCP player uses a single file, %windir%system32$sys$filesystem$sys$parking, to record how many copies remain for every XCP album that has been used on the system. [Footnote: We did not determine how the MediaMax player stores the number of copies remaining.] This file is hidden and protected by the XCP rootkit. With the rootkit disabled, a user can back up the file, copy the album, and then restore the backup to set the remaining copy counter back to its original value.

A more advanced attacker can go further and modify the $sys$parking file to set the counter to an arbitrary value. The file consists of a 16 byte header followed by a series of 177 byte records. For each XCP disc used on the machine, the file contains a whole-disc record and an individual record for each track. Each disc record stores the number of permitted copies remaining for the disc as a 32-bit integer beginning 100 bytes from the start of the record.

The file is protected by primitive encryption. Each record is XORed with a repeating 256-bit pad. The pad—a single one is used for all records—is randomly chosen when XCP is first installed and stored in the system registry in the key HKLMSOFTWARE$sys$referenceClassID. Note that this key, which is hidden by the rootkit, is intentionally misnamed “ClassID” to confuse investigators. Instead of a ClassID it contains the 32 bytes of pad data.

Hiding the pad actually doesn’t increase the security of the design. An attacker who knows only the format of the $sys$parking file and the current number of copies remaining can change the counter to an arbitrary value without. Say the counter indicates that there are x copies remaining and the attacker wants to set it to y copies remaining. Without decrypting the record, she can XOR the padded bytes where the counter is stored with the value (x XOR y). If the original value was padded with p, the new value is (x XOR p) XOR (x XOR y) = (y XOR p), which is just y padded with p.

iPod Compatibility

Ironically, Sony itself furnishes directions for carrying out another kind of attack on the player DRM.

Conspicuously absent from the XCP and MediaMax players is support for the Apple iPod—by far the most popular portable music player with more than 80% of the market [citation]. A Sony FAQ blames Apple for this shortcoming and urges users to direct complaints to them:”Unfortunately, in order to directly and smoothly rip content into iTunes it requires the assistance of Apple. To date, Apple has not been willing to cooperate with our protection vendors to make ripping to iTunes and to the iPod a simple experience.” [citation]. Strictly speaking, it is untrue that Sony requires Apple’s cooperation to work with the iPod. They ship thousands of albums that work “smoothly” with iTunes every day: unprotected CDs. What Sony has difficulty doing is moving music to the iPod while keeping it wrapped in copy protection. This is because Apple has so far refused to license its proprietary DRM, a system called FairPlay.

Yet so great is consumer demand for iPod compatibility that Sony gives out—to any customer who fills out a form on its web site [citation] —instructions for working around its own copy protection and transforming the music into a DRM-free format that will work with iTunes. The procedure is simple but cumbersome: users are directed to use the player software to rip the songs into Windows Media DRM files; use Windows Media Player to burn the files to a blank CD, which will be free of copy protection; and then use iTunes to rip the songs once more and transfer them to the iPod.

XCP’s Hidden iPod Support

A further irony came to light in the weeks following the public disclosure of the XCP rootkit when it was discovered that XCP itself apparently infringes on the copyrights to several open source software projects. In one case, Sam Hocevar found strong evidence that part of XCP’s code was copied from a program called DRMS, which he co-authored with Jon Lech Johansen and released under the terms of the GPL open source license. This was particularly curious, because the purpose of DRMS is to break Apple’s FairPlay DRM. Its presence is interesting enough to warrant a brief diversion from our discussion of player-related attacks.

We discovered that XCP utilizes the DRMS code not to remove Apple DRM but to add it, as part of a hidden XCP feature that provides iTunes and iPod compatibility. This functionality shipped on nearly every XCP CD, but it was never enabled or made visible in the XCP user interface. Despite being inactive, the code appears to be fully functional and was compatible with the current version of iTunes when the first XCP CDs were released. [Footnote: XCP’s FairPlay-compatibility code works with iTunes up to iTunes version 4.8. iTunes 4.9, released June 28, 2005, included changes unrelated to FairPlay that cause the XCP code to fail. XCP CDs released after this date do not appear to contain an updated version of the code.] This strongly suggests that the apparently infringing DRMS code was deliberately copied by XCP’s creator, First4Internet, rather than accidentally included as part of a more general purpose media library used for other functions in the copy protection system.

This isn’t the first time another vendor has tried to make its DRM compatible with FairPlay. FairPlay is the only DRM compatible with iPod, and Apple has declined to license it to rival music distributors, effectively locking rivals out from the iPod platform (at least as long as the rivals insist on using DRM). In 2004, RealNetworks attempted to work around Apple and reverse engineered FairPlay so that Real Player could create FairPlay files for use with the iPod [citation]. Apple responded by making vague legal threats and updating iTunes to break this compatibility. The evidence suggests that First4Internet wanted to create their own iPod compatibility system, but rather than take the time to reverse engineer FairPlay themselves, they copied critical pieces of code from DRMS in violation of the GPL license.

Understanding how XCP uses code from DRMS requires a some background information about FairPlay. When a customer purchases a song from the iTunes Music Store, she receives a FairPlay encrypted audio file that can only be played with knowledge of a secret key assigned to her by Apple. iTunes retrieves this key from an Apple server and stores it on the hard drive in an encrypted key database (a file called SC Info.sidb). When the user plays the song again, or if she copies it to an iPod, iTunes reads her key from the database instead of reconnecting to the server.

FairPlay’s security depends on the encrypted key database being difficult anyone but Apple to decipher, so it is protected using a proprietary encryption method and a system-dependent secret key. [Footnote: As security experts predicted, this protection was quickly broken. Today DRMS is able to defeat FairPlay because Jon Lech Johansen reverse engineered the database decryption code in iTunes.] iTunes encrypts the key database using a two step process. First it pads the plaintext database by XORing it with the output of a proprietary pseudorandom number generator (PRNG) using a system-dependent seed; then it applies AES encryption in ECB mode with a system-dependent key. As a consequence of this design, the code for the PRNG is exactly the same whether the file is being encrypted or decrypted. To decrypt, iTunes applies AES decryption, then XORs the same PRNG output again. This explains why parts of the DRMS code—in particular, a function called DoShuffle, which computes the PRNG’s output—are useful for encryption as well as their original purpose, decryption.

The proprietary PRNG must have been especially difficult to reverse engineer. Rather than expend this effort themselves, XCP’s authors appear to have lifted the DoShuffle code verbatim from DRMS. XCP uses this code to manipulate the iTunes key database in the process of adding FairPlay protection. Starting with an unencrypted audio file, such as a track from a protected CD, XCP applies AAC compression in memory, then encrypts using the same algorithm as FairPlay. Instead of using an Apple-assigned user key, XCP creates a new random user key and, with the help of the DRMS code, adds it to the iTunes key database. This ensures that the song file can only be used on the computer where it was created.

The XCP FairPlay compatibility code is contained in a file named ECDPlayerControl.ocx that is installed the first time an XCP CD is played. The code can be tested by jumping to a function at debugger offset 0x10010380 (apparently the start of a thread for transferring music to iTunes). This function takes one parameter, a wide character string of the form <m P 3>< "C:test.mp3">. This syntax causes the function to convert an MP3 file to a FairPlay-protected AAC file. Variations can be used to specify other audio sources: WAV files, raw audio files, standard unprotected audio CDs, and XCP copy-protected CDs. Before calling the function, you must initialize a Windows CriticalSection object and set the ECX register to the object’s address minus 0x6C.

The parent function calls a subroutine (offset 0x10027D20) that converts an audio file into a FairPlay-protected AAC file. A second subroutine (offset 0x1008A470) reads the iTunes key database, decrypts it, and, if necessary, adds the XCP user key to the database and re-saves it in encrypted form. The iTunes database encryption function
(0x1008A0C0) and decryption function (0x1008A300) both made use of the DoShuffle routine (0x10089E00) taken from DRMS.

MediaMax Player Security Risks

Besides suffering from several kinds of attacks that expose the music content to copying, the MediaMax player make the user’s system more vulnerable to attack. When a MediaMax CD is inserted into a computer, Windows autorun launched an installer from the disc. Even before the installer displays a license agreement, it copies almost 12 megabytes of files and data related to the MediaMax player to the hard disk and stores them in a folder named
%programfiles%Common FilesSunnComm Shared. Jesse Burns and Alex Stamos of iSec partners first discovered that the MediaMax installer sets insecure permissions on this directory and the files and programs it contains [citation]. The installer grants “Everyone” (all users) the “Full Control” privilege. Normally, application files shared by all users on a Windows system can only be modified by members of the “Administrators” and “Power Users” groups.

As Burns and Stamos realized, this misconfiguration could lead to a dangerous privilege escalation attack. The incorrect permissions allow a non-privileged user to replace the executable code in the MediaMax player files. A user might plant malicious code deliberately in order to attack the system, or accidentally as the result of an email virus. The next time a user plays a MediaMax-protected CD, the attack code will be executed with that user’s security privileges. The MediaMax player requires Power User or Administrator privileges to run, so it’s likely that the attacker’s code will run with almost complete control of the system.

Normally, this problem could be fixed by manually correcting the errant permissions. However, MediaMax aggressively updates the installed player code each time the software on a protected disc autoruns or is launched manually. As part of this update, the permissions on the installation directory are reset to the insecure state.

We discovered a variation of the attack suggested by Burns and Stamos that allows the attack code to be installed and triggered even more easily—simply by inserting MediaMax CDs without ever consenting to the software’s installation. In the original attack, the user needed to accept the MediaMax license agreement before attack code could be inserted or executed, because the code was placed in a file called MMX.EXE that was not copied to the system until after the agreement was accepted. In our version, the attacker modifies a different file, MediaMax.dll, which MediaMax installs even before displaying a license agreement, and places attack code in the file’s DllMain() procedure. The next time a MediaMax CD is inserted, the installer autoruns and immediately attempts to check the version of the installed MediaMax.dll file. The installer calls the Windows LoadLibrary function on the DLL file, which causes the file’s DllMain() procedure to execute, together with any attack code inserted there.

This problem was exacerbated because part of the MediaMax software are installed automatically and without consent. Users who declined the license agreement would likely assume that MediaMax was not installed, and so most were unaware that they were vulnerable. The same installer code performs the dangerous version check as soon as the CD is inserted. A CD that prompted the user to accept a license before installing would give the user a chance to head off the attack.

Fixing the problem permanently without losing the use of protected discs requires applying a patch from MediaMax. Unfortunately, we discovered, the initial patch released by Sony in response to the iSec report was capable of triggering precisely the kind of attack it attempted to forestall. In the process of updating MediaMax, the patch checks the version of MediaMax.dll just like the MediaMax installer does. If this file has already been booby trapped by an attacker, the process of applying the security patch could execute the attack code. Prior versions of the MediaMax uninstaller had the same vulnerability, though both the uninstaller and the patch have since been replaced with versions that do not suffer from this problem.

CD DRM: Attacks on Installation

Alex and I are working on an academic paper, “Lessons from the Sony CD DRM Episode”, which will analyze several not-yet-discussed aspects of the XCP and MediaMax CD copy protection technologies, and will try to put the Sony CD episode in context and draw lessons for the future. We’ll post the complete paper here later in the week. Until then, we’ll post drafts of a few sections here. We have two reasons for this: we hope the postings will be interesting in themselves, and we hope your comments will help us improve the paper.

Today’s section is part of the technical core of the paper.

Please note that this is a draft and should not be formally quoted or cited. The final version of our entire paper will be posted here when it is ready

Attacks on Installation

Active protection measures cannot begin to operate until the DRM software is installed on the user’s system. In this section we consider attacks that either prevent installation of the DRM software, or try to capture music files from the disc in the interval after the disc has been inserted but before the DRM software is installed on the computer.

Autorun

Both XCP and MediaMax relies on the autorun feature of Windows. Whenever removable media, such as a floppy disc or CD, is inserted into a Windows PC (and autorun is enabled), Windows looks on the disc for a file called autorun.ini; if a file with that name is found, Windows executes commands found in it. Autorun allows a disc to pop up a splash screen or simple menu, for example to offer to install software found on the disc. However, the autorun mechanism will run any program that the disc specifies.

Other popular operating systems, including MacOS and Linux, do not have an autorun feature, so this mechanism does not work on these other systems. XCP ships only Windows code and so has no effect on other operating systems. MediaMax ships with both Windows and MacOS code on the CD, but only the Windows code can autorun. The MacOS code relies on the user to double-click an installer on the CD, which few users will do.

Current versions of Windows ship with autorun enabled by default, but the user can choose to disable it. Many security experts advise users to disable autorun, to protect against disc-borne malware. If autorun is disabled, the XCP or MediaMax active protection software will not load or run.

Even if autorun is enabled, the user can block autorun for a particular disc by holding down the Shift key while inserting the disc. This will prevent the active protection software from running.

Even without disabling autorun, a user can prevent the active protection software from loading by covering up the portion of the disc on which it is stored. Both XCP and MediaMax discs contain two sessions, with the first session containing the music files and the second session containing DRM content, including the active protection
software and the autorun command file. The first session begins at the center of the disc and extends outward; the second session is near the outer edge of the disc.

By covering the outer edge of the disc, the user can cover up the second session’s files, effectively converting the disc back to an ordinary single-session disc. The edge of the disc can be covered with nontransparent material such as masking tape, or by writing over it with a felt-tip marker. Exactly how much of the disc to cover can be determined by iteratively covering more and more until the disc’s behavior changes, or by visually inspecting the disc to look for a difference in appearance of the disc’s surface which is often visible at the boundary between the two sessions.

Temporary Protection

Even if the copy protection software is allowed to autorun, there is a period of time, between when a protected disc is inserted and when the active protection software is installed, when the music is vulnerable to copying. It would be possible to have the discs immediately and automatically install the active protection software, minimizing this window of vulnerability, but legal and ethical requirements should preclude this option. Installing software without first obtaining the user’s consent appears to be illegal in the U.S. under the Computer Fraud and Abuse Act (CFAA) as well as various state anti-spyware laws [citation].

Software vendors conventionally obtain the user’s consent to installation of their software by displaying an End User License Agreement (EULA) and asking the user to agree to it. Only after the user agrees to the EULA is the software installed. The EULA informs the user, in theory at least, of the general scope and purpose of the
software being installed, and the user has the option to withhold consent by declining the EULA, in which case no software is installed. As we will see below, the DRM vendors do not always follow this procedure.

If the discs didn’t use any other protection measures, the music would be vulnerable to copying while the installer waited for the user to accept or reject the EULA. Users could just ignore the installer’s EULA window and switch tasks to a CD ripping or copying application. Both XCP and MediaMax employ temporary protection mechanisms to
protect the music during this time.

XCP Temporary Protection

The first time an XCP-protected disc is inserted into a Windows machine, the Windows autorun feature launches the XCP installer, the file go.exe located in the contents folder on the CD. The installer displays a license agreement and prompts the user to accept or decline it. If the user accepts the agreement, the installer installs the XCP active protection software onto the machine; if the user declines, the installer ejects the CD and exits.

While the EULA is being displayed, the XCP installer continuously monitors the list of processes running on the system. It compares the image name of each process to a blacklist of nearly 200 ripping and copying applications hard coded into the go.exe program. If one or more blacklisted applications are running, the installer replaces the EULA display with a warning (shown at right [in the paper version, but not here]) indicating that the applications need to be closed in order for the installation to continue. It also initiates a 30-second countdown timer; if the any of the applications are still running when the countdown reaches zero, the installer ejects the CD and quits. [Footnote: Similar application blacklisting techniques have been used in other security contexts. The client software for World of Warcraft, a massively multiplayer online role playing game, checks running applications against a regularly updated blacklist of programs used to cheat. [citation]]

This technique might prevent some unsophisticated users from copying the disc while the installer is running, but it can be bypassed with a number of widely known techniques. For instance, users might kill the installer process (using the Windows Task Manager) before it could eject the CD, or they might use a ripping or copying application that locks the CD tray, preventing the installer from ejecting the disc.

The greatest limitation of the XCP temporary protection system is the blacklist. Users might find ripping or copying applications that are not on the list, or they might use a blacklisted application but rename its executable file to prevent the installer from recognizing it. Since there is no mechanism for updating the blacklist on existing CDs, they will gradually become easier to rip and copy as new applications not on the blacklist come into widespread use. Application developers may also adapt their software to the blacklisting technique by randomizing their process image names or taking other measures to avoid detection. [Footnote: An extreme extension of this would be to adopt rootkit-like techniques to conceal the copying application’s presence, just as XCP hides its active protection software.]

MediaMax Temporary Protection

The MediaMax system employs a different—and highly controversial, if not illegal—temporary protection measure. It defends the music while the installer is running by installing, and at least temporarily activating, the active protection software before displaying the EULA. The software is installed without obtaining consent, and it remains installed (and in some cases, permanently active) even if the user explicitly denies consent by declining the license agreement. This practice is uncomfortably close to the behavior of spyware and
may be illegal.

Prior to license acceptance, both MediaMax version 3 and version 5 discs install the active protection driver. (At this writing, version 5 is the current version. To our knowledge, there was no version 4.) The driver file sbcphid.sys is copied to the Windows drivers directory, configured as a service in the registry, and launched. Initially, the driver’s startup type is set to “Manual,” so it will not re-launch the next time the computer boots; however, it remains running until the computer is shut down and remains installed permanently. Albums that use MediaMax version 5 additionally install components of the MediaMax player software before displaying a license agreement—almost 12 megabytes of programs and data that are stored in %programfiles%Common FilesSunnComm Shared. These files are not removed if the EULA is declined.

Even more troublingly, under some common circumstances the MediaMax installer will permanently activate the active protection software (by setting its startup type to “Auto,” which causes it to be launched every time the computer boots). This behavior is related to a mechanism in the installer apparently intended to upgrade the active protection software if an older version is already installed. Under the following scenarios, it is triggered even if the user previously declined the EULA:

  • The user inserted a CD-3 (older version of MediaMax) album, then sometime later inserts an MM-5 (current version of MediaMax at this writing) album.
  • The user inserted an MM-5 album, then sometime later inserts a CD-3 album.
  • The user inserted an MM-5 album, reboots, then sometime later inserts the same album or another MM-5 album.

These steps do not have to take place in a single session. They can happen over a period of weeks or months, as users purchase new albums.

We can think of two possible explanations for this behavior. Perhaps the vendor, SunnComm, did not test these scenarios to determine what their software did, and so did not realize that they were activating the software without consent. Or perhaps they did know what would happen in these cases and deliberately chose these behaviors. Either possibility is troubling, indicating either a badly deficient design and testing procedure or a deliberate decision to install software after the user denied permission to do so.

Even if poor testing is the explanation for activating the software without consent, it is clear that SunnComm deliberately chose to install the MediaMax software code on the user’s system even if the user did not consent. These decisions are difficult to reconcile with the ethical and legal requirements on software companies. But they are easy to reconcile with the vendor’s platform building strategy, which rewards the vendor for placing its software on as many computers as possible.

Even the activation of temporary protection software before the user consents to anything raises troubling ethical questions. It is hard to argue that the user has consented to loading and running software merely by the act of inserting the disc. Most users do not expect the insertion of a compact disc to load software, and although many (but not all) of the affected discs did contain a statement about protection software being on the discs, the statements generally were confusingly worded, were written in tiny print, and did not say explicitly that software would install or run immediately upon insertion of the disc. Some in the record industry argue that the industry’s need to block potential infringement justifies the short-term execution of the temporary protection software on every user’s computer. We think this issue deserves more ethical and legal debate.

Passive Protection

Another way to prevent copying before active protection software is installed is to use passive protection measures. Passive protection exploits subtle differences between the way computers read CDs and the way ordinary CD players do. By changing the layout of data on the CD, it is sometimes possible to confuse computers without affecting ordinary players. In practice, the distinction between computers and CD players is less precise. Older generations of CD copy protection, which relied entirely on passive protection, proved easy to copy in some computers and impossible to play on some CD players [citation]. Furthermore, computer hardware and software has tended to get better at reading the passive protected CDs over time as it became more robust to all manner of damaged or poorly formatted discs. For these reasons, more recent CD DRM schemes rely mainly on active protection.

XCP uses a mild variety of passive protection as an added layer of security against ripping and copying. This form of passive protection exploits a quirk in the way Windows handle multisession CDs. When CD burners came to market in the early 1990s, the multisession CD format was introduced to allow data to be appended to partially recorded discs. (This was especially desirable at a time when recordable CD media cost tens of dollars per disc.) Each time data is added to the disc, it is written as an independent series of tracks called a session. Multi-session compatible CD drives see all the sessions, but ordinary CD players, which generally do not support the multisession format, recognize only the first session.

Some commercial discs use a variant of the multisession format to combine CD audio and computer accessible on a single CD. These discs adhere to the Blue Book [citation] or “stamped multisession” format. According to the Blue Book specification, stamped multisession discs must contain two sessions: a first session with 1–99 CD audio tracks, and a second session with one data track. The Windows CD audio driver contains special support for Blue Book discs. It presents the CD to playing and ripping applications as if it was a normal audio CD. Windows treats other multisession discs as data-only CDs.

XCP discs deviate from the Blue Book format by adding a second data track in the second session. This causes Windows to treat the disc as a regular multisession data CD, so the primary data track is mounted as a file system, but the audio tracks are invisible to player and ripper applications that use the Windows audio CD driver. This includes Windows Media Player, iTunes, and most other widely used applications.

Using a specialized procedure, it is possible to create discs with this flavor of passive protection with standard CD burning hardware and software [citation].

Limitations

This variety of passive protection provides only limited resistance to ripping and copying. There are a number of well-known methods for defeating it. Advanced ripping and copying applications avoid the Windows CD audio driver altogether and issue MMC commands [citation] directly to the drive. This allows programs such as Nero [citation] and Exact Audio Copy [citation] to recognize and read all the audio tracks. Non-Windows platforms, including Mac and Linux systems, read multisession CD more robustly and don’t suffer from the limitation that causes ripping problems on Windows. The felt-tip marker trick can also defeat this kind of passive protection, as noted above.

CD DRM: Unauthorized Deactivation Attacks

Alex and I are working on an academic paper, “Lessons from the Sony CD DRM Episode”, which will analyze several not-yet-discussed aspects of the XCP and MediaMax CD copy protection technologies, and will try to put the Sony CD episode in context and draw lessons for the future. We’ll post the complete paper here next week. Until then, we’ll post drafts of a few sections here. We have two reasons for this: we hope the postings will be interesting in themselves, and we hope your comments will help us improve the paper.

Today’s section is part of the technical core of the paper.

Please note that this is a draft and should not be formally quoted or cited. The final version of our entire paper will be posted here when it is ready.

Unauthorized Deactivation Attacks

As described previously, active protection methods rely on installing and running software components that interfere when ordinary software tries to access the disc. If an adversary can remove or deactivate the active protection software, then the DRM scheme will fail to prevent arbitrary use or ripping of the music on the disc. In this section we discuss such deactivation attacks.

One attack strategy is to manually deactivate or uninstall the active protection software. This can be done by using standard system administration tools, which are designed to find, characterize, and control the programs installed on a machine. This attack is very difficult to stop if the user has system administrator privileges on the machine.

Deactivating MediaMax

The MediaMax active protection software is simple to deactivate since it is comprised of a single device driver with a consistent service name, sbcphid. The driver can be removed by using the Windows command sc delete sbcphid to stop the driver, and then removing the sbcphid.sys file containing the driver code. Once the driver is deactivated, MediaMax-protected albums can be accessed as if they were unprotected.

Defenses Against Deactivation

To counter these deactivation attacks, a vendor might try to use technical tricks to evade detection and frustrate removal of the active protection software. The best example of this kind of defense is the rootkit-like behavior of XCP, famously discovered by Mark Russinovich [citation], as described earlier.

When XCP installs its active protection software, it also installs a second program—the rootkit—that hides the software’s presence. Specifically, it conceals any file, process, or registry key with a name that begins with the prefix $sys$. The result is that XCP’s main installation directory, and most of its registry keys, and almost all of its individual files and processes are made invisible to normal programs and administration tools.

The rootkit is installed as a kernel-level driver named $sys$aries and set to automatically load early in the boot process. When the rootkit starts, it hooks several Windows system calls by modifying the system service dispatch table, the kernel’s KeServiceDescriptorTable structure. This structure is an array of pointers to the kernel functions that implement basic system calls. The rootkit changes five of these addresses so that they point to functions within the rootkit. When an application invokes one of these patched system calls, it is handled by the rootkit instead of the original function in the kernel. The rootkit calls the real kernel function with the same parameters and filters the results before returning them to the application.

The system calls intercepted by the rootkit are:

  • NtQueryDirectoryFile – This function is used to list the contents of a directory; the rootkit version filters out directory entries that begin with $sys$, rendering such files and directories invisible to applications.
  • NtCreateFile – This call is used for creating and opening files. The rootkit version returns an invalid filename error when programs attempt to open existing files with names starting with $sys$, protecting XCP’s files from reading or writing by other programs.
  • NtQuerySystemInformation – One use of this function is to obtain a list of running processes. The rootkit filters out any processes with names prefixed by $sys$, making them invisible to other applications.
  • NtEnumerateKey – This function returns a list of the subkeys of a registry key. The rootkit filters the results to remove subkeys with names starting with $sys$. Note that it does not conceal individual fields within the registry (“values” in Windows parlance) with names starting with $sys$.
  • NtOpenKey – This function opens a registry key for reading or modifying. The rootkit intercepts this function call but does not alter its behavior. Its authors may have intended to restrict access to hidden registry keys in the same way that the hooked NtQueryDirectoryFile call restricts access to hidden files, but for some reason they did not ship a working implementation of this behavior.

The rootkit begins each intercepted function by checking the name of the calling process. If the process’s name begins with $sys$, the rootkit returns the results of the real kernel function without alteration. This allows XCP’s own processes to bypass the rootkit’s filters for a complete view of the system.

The XCP rootkit increases users’ vulnerability to many kinds of attacks because it can be used to hide arbitrary software, not just XCP. The rootkit is indiscriminate about what it conceals—any files, registry keys, or processes with names beginning in $sys$ will be hidden. Spyware and malware authors can leverage this functionality on systems where the rootkit is installed. This saves attackers the trouble of installing their own rootkits, but more importantly, it gives them access to a rootkit in situations where they would not be able to install one themselves because of the system’s security policies.

Only kernel-level processes are allowed to patch the Windows system service dispatch table, and only privileged users—normally, members of the Administrators or Power Users groups—are allowed to install such processes. (XCP iteslf requires these privileges to install.) Malicious code executed by an unprivileged user wouldn’t normally be allowed to install a rootkit that intercepted system calls in the kernel. However, if the XCP rootkit is installed, its cloaking behavior applies to all users regardless of their security privileges. Unprivileged malware can adopt the $sys$ prefix to become invisible to both privileged and unprivileged users. This privilege escalation attack has already been exploited by at least two Trojan horses discovered in the wild [citations].

Another privilege escalation attack facilitated by the XCP rootkit allows an unprivileged application to crash the system. Russinovich demonstrated this problem using an automated testing program he created called NTCRASH2 [citation]. This utility makes repeated system calls with randomly generated invalid parameters. The original Windows kernel functions handle invalid inputs correctly and the system remains stable, but with the XCP rootkit installed, certain invalid inputs result in a system crash.

We investigated the specific circumstances when these crashes occur. The rootkit’s implementation of NtCreateFile can cause a crash if it is passed an invalid pointer as its ObjectAttribute argument, or if it is passed a valid ObjectAttributes structure that points to a ObjectName structure with an invalid Buffer pointer. We do not believe that an attacker could exploit these flaws to execute code; however, they do allow an unprivileged user to bring the system to a halt. As Russinovich and other have pointed out, these problem illustrates the security danger of installing software in secret. Users experiencing system instability due to these rootkit bugs would have great difficulty diganosing the problem, since they likely would be unaware of the rootkit’s presence.

Deactivating XCP

Deactivating XCP’s active protection software is more complicated because it is comprised of a number of processes that are more deeply entagled in the system configuration, and because these files are hidden by the XCP rootkit. Deactivation can be accomplished by a three-step procedure.

The first step is to deactivate and remove the rootkit. This is the same procedure used to deactivate MediaMax. The only change is that the driver’s name is aries.sys. Disabling the rootkit and then rebooting the system exposes the previously hidden files, registry entries, and processes (ones with names prefixed with $sys).

The second step is to edit the system registry to remove references to XCP’s filter drivers and CoDeviceInstallers. XCP uses the Windows filter driver facility to intercept commands to the CD drives and IDE bus. If these filter drivers are not removed, the CD and IDE device drivers will fail to initialize after the program files for the filter drivers are deleted. This can cause the CD drives to malfunction, or, worse, cause the system to fail to boot because the IDE device driver is disabled. XCP’s filter drivers can be neutralized by editing the
Windows Registry to remove any reference to a driver named $sys$cor from any registry entries named UpperDrivers or LowerDrivers. The CoDeviceInstallers can be neutralized by removing any lines containing $sys$caj from any list of CoDeviceInstallers.

The third step is to delete the XCP services and remove the XCP program files. Services named $sys$lim, $sys$oct, cd_proxy, $sys$drmserver, and $sys$cor can be deactivated using the sc delete command, and then files named crater.sys, lim.sys, oct.sys, $sys$cor.sys, $sys$caj.dll, and $sys$upgtool.exe can be deleted. After the system is rebooted, the two remaining files, named CDProxyServ.exe and $sys$DRMServer.exe can be removed.

After performing these steps, XCP will now deactivated, and only the passive protection on XCP CDs will continue to be in force. Of course, these steps could easily be automated, creating a point-and-click tool for removing XCP.

CD DRM as Spyware

Tactics like the rootkit function, and the engineering of programs so that removal attempts can system instabilty, iare often used by spyware programs. That active DRM systems would be drawn to the same tactics as spyware should come as no surprise, as the two have the same goal: to prevent a user from removing unwanted software. In both cases, the user wants to remove the software (if he can find it) because the software provides no value to the user and can only harm him.

These tactics harm users, primarily by undermining users’ ability to manage their computers. If users lose track of which programs are running on their computers, they lose the opportunity to remove or patch programs that are malfunction and to remove unneeded programs. Maintaining a secure configuration is difficult already, and spyware tactics make it even more difficult. Though it is not surprising that spyware tactics would have attraction for DRM designers, it was a bit surprising that mass-market DRM vendors chose to use those tactics despite the risk of harming users. If only one vendor had chosen to use such tactics, we could write it off as an aberration. But two vendors made that choice, which is probably not a coincidence.

We suspect that the explanation may lie in the DRM vendors’ platform building strategy, which relies on keeping the software installed on as many computers as possible, coupled with the risk tolerance of DRM startup companies. The vendors may not have realized the extent of damage they could be causing, but they must have known that they were doing some harm. Our hypothesis is that the vendors allowed the lure of platform building to override the risk to users.

Authorized Uninstallers

Once users began to complain about the spyware-like behavior of the XCP and MediaMax software, the vendors offered access to uninstallers that would remove their software from users’ systems. Uninstallers had been available previously, but they were very difficult to obtain. For example, to get the original XCP uninstaller, a user had to fill out an online form involving some personal information, then wait a few days for a reply email, then fill out another online form and install some software, then wait a few days for yet another email, and then finally click a URL in the last email. We can think of no explanation for the complexity of this procedure, other than a desire to deter users from uninstalling the software.

The uninstallers, when a user did succeed in getting one of them, did not behave like ordinary software uninstallers. Normally an uninstaller is a standalone program that the user runs, either by double-clicking it or by using a system-provided user interface to designate the program to be removed. One advantage of ordinary uninstallers is that they can be acquired and used by any user who has the software.

The first XCP uninstaller did not work this way. Instead, the uninstaller was customized for each user, so that it would work only for a limited time and only on the computer on which the user had filled out the second form. This meant, for example, that if a user uninstalled the XCP software but it got reinstalled later—as might happen if the user inserted an XCP-bearing CD—the user could not use the same uninstaller again but would have to go through the entire process again to request a new one.

Customizing the uninstaller in this way is more difficult for the vendor and increases customer support costs, compared to a more traditional uninstaller, so a rational vendor would not do it unless there was some benefit. Most likely, the benefit is to the vendor’s platform building strategy, which takes a step backward every time a user uninstalls the vendor’s software. Customizing the uninstaller allows the vendor to contol who receives the uninstaller and to change the terms under which it is delivered in the future.

As user complaints mounted, Sony-BMG announced that unrestricted uninstallers for both XCP and MediaMax would be made available to all users from the vendors’ web sites. Both vendors chose to make these uninstallers available as ActiveX controls accessed via a web site.

By an unfortunate coincidence, both uninstallers turned out to open the same serious vulnerability on any computer where they were used.

MediaMax Uninstaller Vulnerability

The MediaMax uninstaller employed a proprietary ActiveX control called AxWebRemove.ocx created and signed by MediaMax author SunnComm. When users visited the MediaMax uninstaller web page, Internet Explorer prompted them to install the control. Then the web page invoked one of the control’s methods to uninstall MediaMax. This method, Remove, took two parameters: key, and validate_url. The key parameter was a single-use code provided by MediaMax technical support, and the validate_url parameter specified a web page that would validate the key and deliver executable code to perform the actual uninstallation.

When Remove is called from the web page, is issues an HTTP GET request to the provided url to validate the key. If it is valid, the server responds with the message true, {uninstall_url, where uninstall_url is the URL of a DLL file containing code to uninstall MediaMax. The control retries this DLL file from the Internet and saves it to a temporary location, then calls a function in the DLL named ECF7() to perform the uninstallation. If the function returns sucess, the control issues a second HTTP GET request to validate_url to report that the uninstall was sucessful and that the single-use key should be retired.

This design is vulnerable because the control accepts an arbitrary validate_url parameter and does not check that the DLL specified by the key validation server is authentic. The ActiveX control is not itself removed during the uninstallation process, so its methods can be invoked later by any web page without further browser security warnings. A attacker can create a web page that invokes the Remove method and provides a validate_url pointing to a page under the attacker’s control. This page can return an uninstall_url pointing to a DLL created by the attacker. When the MediaMax control executes the uninstall function in this file, arbitrary attacker code will execute on the user’s machine.

XCP Uninstaller Vulnerability

The XCP uninstaller contains the same design flaw and is only slightly more difficult to exploit. XCP’s ActiveX-based uninstaller invokes a proprietary ActiveX control named CodeSupport.ocx. (Early versions of XCP’s rootkit removal patch utilized the same control.) Usually this control is installed when users perform the second step in the three-step XCP uninstall process. In this step, the user is prompted to explain why they are requesting to uninstall XCP. The user’s response is sent to an XCP server along with a pseudorandom code generated by the ActiveX control. The same code is written to the system registry. Eventually the user receives an email with a link to another web page that uses the ActiveX control to remove XCP, but only after verifying that the code sent with the request matches the code in the local system registry. This check ensures that the uninstaller is only used on the machine from which the uninstallation request was made. As a consequence of this design, the control may be present on a user’s system even if she never performed the step in the uninstallation process where XCP is removed.

Matti Nikki first noted that the XCP ActiveX control contains some suspiciously-named methods, including InstallUpdate(url), Uninstall(url), and RebootMachine() [citation]. He demonstrated that the control remained installed after the XCP uninstallation was complete, and that its methods (including one that restarted the computer) were scriptable from any web page without further browser security warnings.

We found that the InstallUpdate and Uninstall methods have an even more serious flaw. Each takes as an argument a URL pointing to a specially formatted archive that contains updater or uninstaller code and data files. When these methods are invoked, the archive is retrieved from the provided URL and stored in a temporary location. For the InstallUpdate() method, the ActiveX control extract from the archive a file named InstallLite.dll and calls a function in this DLL named InstallXCP().

Like the MediaMax ActiveX control, the XCP control does not validate the download URL or the downloaded archive. The only barrier to using the control to execute arbitrary code is the proprietary format of the archive file. We determined the format by disassembling the control. The archive file consists of several blocks of gzip-compressed data, each storing a seperate file and preceded with a short header. At the end of the archive, a catalog structure lists metadata for each of the blocks, including a 32-bit CRC. The control verifies this CRC before executing code from the DLL.

With knowledge of this file format, we constructed an archive containing sample (benign) exploit code. The most difficult detail was the CRC, which is computed with an apparently proprietary algorithm that proved tedious to reverse engineer. We saved the trouble by having the ActiveX control compute the CRC for us. The control checks the CRC by computing a CRC for the file data in the archive and verifying that it matches the CRC specified in the archive catalog. We inserted a break point where the comparison occurs and ran the control on an archive containing code we prepared. We then took the CRC computed by the control and placed it in the archive catalog. Thus modified, the archive passed the CRC check and the ActiveX control executed our code. (This illustrated why digital signatures, rather than CRCs, must be used to validate code from untrusted sources.)

This procedure would allow a malicious web site to execute arbitrary code on the user’s machine. Like the MediaMax uninstaller flaw, it is especially dangerous because users who have completed the uninstallation may not be aware that they are still vulnerable.

Obviously, these vulnerabilities could have been prevented by careful design and programming. But they would not have been possible at all if not for the decision to deliver the uninstallers via this ActiveX method rather than using an ordinary download. We conjecture that the vendors chose to use ActiveX in this way because they wanted to retain the ability to rewrite, modify, or cancel the uninstaller later, and that this desire was driven at least in part by the vendors’ platform building strategy.

Summary of Deactivation Attacks

When all is said and done, there is little a CD DRM vendor can do to stop users from deactivating active protection software. A user can do this via ordinary security and system administration tools; attempts by the vendor to interfere with these tools are harmful and will trigger a strong backlash from users. In practice, vendors will probably have to provide some kind of uninstaller – users will insist on it, and some users will need it to deal with the bugs and incompatibilities that crop up occasionally in any complex software. Once an uninstaller is released, users will be able use it to remove the DRM software. Ultimately, determined users will be able to keep CD DRM software off their machines.

CD DRM: Compatibility and Software Updates

Alex and I are working on an academic paper, “Lessons from the Sony CD DRM Episode”, which will analyze several not-yet-discussed aspects of the XCP and MediaMax CD copy protection technologies, and will try to put the Sony CD episode in context and draw lessons for the future. We’ll post the complete paper here next week. Until then, we’ll post drafts of a few sections here. We have two reasons for this: we hope the postings will be interesting in themselves, and we hope your comments will help us improve the paper.

Today’s section will be (in the final paper) the last part of the technical core of the paper. Readers of the final paper will have seen the rest of our technical analysis by this point. Blog readers haven’t seen it all yet – stay tuned.

Please note that this is a draft and should not be formally quoted or cited. The final version of our entire paper will be posted here when it is ready.

Compatibility and Software Updates

Compared to other media on which software is distributed, compact discs have a very long life. Many compact discs will still be inserted into computers and other players twenty years or more after they are first bought. If a particular version of (say) active protection software is burned onto a new CD, that software version may well try to install and run itself decades after it was first developed.

The same is not true of conventional software, even when it ships on a CD-ROM. Very few if any of today’s Windows XP CDs will be inserted into computers in 2026; but CDs containing today’s CD DRM software will be. Accordingly, CD DRM software faces a much more serious issue of compatibility with future systems.

The future compatibility problem has two distinct aspects: safety, or how to avoid incompatibilities that cause crashes or malfunction of other software, and efficacy, or how to ensure that the desired anti-copying features remain effective.

Protecting Safety by Deactivating Old Software

Safety is the easier attribute to protect, and in most respects the more important. One way to protect safety is to design the DRM software so that it is likely to be inert and harmless on future systems. Both XCP and MediaMax do this by relying on the Windows Autorun feature, which is unlikely to be supported in future Windows versions for security reasons. If, say, the upcoming Windows Vista does not support Autorun (or supports it but disables it by default), then XCP and MediaMax will have no effect on Vista systems. Perhaps the use of Autorun by XCP and MediaMax was a deliberate design decision to ensure safety; but we suspect that it was a side-effect of a design choice that was expedient for other reasons.

Another way to protect safety is to build a sunset date into the software, and to program the software to be as inert as possible once the sunset date is reached. Building in a sunset after (say) three years would protect against many safety problems; and it would have little effect on the record label’s business model, as we would expect nearly all revenue from monetizing new uses of the music to have been extracted within the first three years after the disc is pressed. If a customer is ever going to pay for iPod downloading, she is likely to do so within the first three years after the CD is pressed.

Updating the Software

Like any software vendor, a DRM vendor can issue new verions of its products. A new version can be shipped on newly pressed CDs, but existing CDs cannot be modified retroactively.

Instead, the vendor can offer updates, which can be delivered either by download or on new CDs. Downloads can occur immediately, but only on machines that are connected to the Internet. CD delivery can potentially reach more machines, but is slower and less certain.

Either mode of distribution can be used straightforwardly if the user wants to cooperate. Users will generally cooperate with updates that only provide safety on new systems, or that otherwise increase the software’s value to the user. But updates that merely retain the efficacy of the software’s usage restriction mechanisms will not be welcomed by users.

Users have many ways to block the downloading or installation of updates. They can write-protect the software’s code, so that it cannot be updated. They can configure the system to block network connections to the vendor’s servers. They can use standard security tools, such as personal firewalls, to stop the downloads. System security tools are often well suited for such a task, being programmed to block unwanted network connections, downloads, and code installation. If a current security tool does not block updates of CD DRM software, the tool vendor has an incentive to make future versions do so.

A DRM vendor who wants to offer efficacy-related updates, recognizing that users will not want those updates, has two options. The vendor can offer updates and hope that many users will not bother to block them. From the record label’s standpoint, prolonging the system’s efficacy for some users is better than nothing. Alternatively, the vendor can try to force users to accept updates.

Forcing Updates

If a user can block updates of the DRM software on his machine, the vendor’s best strategy for forcing an update is somehow to convince the user that the update is in his best interest. This can be done by making a non-updated system painful to use.

If we rule out dangerous and almost certainly illegal approaches such as logic bombs that destroy a noncompliant user’s files or hold his computer hostage, the vendor’s best option is to make the DRM software block all access to protected CDs until the user updates the software. The software might check periodically with some server on the Internet, which would produce some kind of cryptographic assertion saying which versions are allowed to continue operating without an update, as of some date time. If the software on the user’s system noticed that no recent certificate existed that allowed its own version to keep operating, it would go into a locked down mode that blocked all
access to protected discs but allowed software updates. The user would then have to update to a new version in order to get access to his protected CDs.

This approach could force updates on some users and thereby prolong the efficacy of the DRM for those users. However, it also has several drawbacks. If the computer is not connected to the Internet, the software will eventually lock down the user’s music because it cannot see any certificates that allow it to continue. (The software could continue working if it can’t see the Internet, but that would allow users to block updates indefinitely by configuring their systems to stop the DRM software from making network connections.) A bug in the software could cause it to lock itself down irreversibly, perhaps by accident. The software could lock itself down if the vendor’s Internet site is shut down, for example if the vendor goes bankrupt.

Locking down the music, or forcing a restrictive software update, can also be counterproductive, by giving the user a reason to defeat or remove the DRM software. (Users could also defeat the timeout mechanism by misleading the DRM software about the date and time, but we expect that most users with the inclination to do that would choose instead to remove the DRM software altogether.) The software is more likely to remain on the user’s system if it does not behave annoyingly. Automatic update can reduce the DRM system’s efficacy if it just drives users to remove the DRM software. From the user’s standpoint, every software update is a security risk, because it might carry hostile or buggy code.

Given the difficulties associated with forced updates, and the user backlash it likely would have triggered, we are not surprised that neither XCP nor MediaMax chose to use forced updates.

CD DRM: Attacks on Disc Recognition

Ed and I are working on an academic paper, “Lessons from the Sony CD DRM Episode”, which will analyze several not-yet-discussed aspects of the XCP and MediaMax CD copy protection technologies, and will try to put the Sony CD episode in context and draw lessons for the future. We’ll post the complete paper here next Friday. Until then, we’ll post drafts of a few sections here. We have two reasons for this: we hope the postings will be interesting in themselves, and we hope your comments will help us improve the paper.

Today’s excerpt is from the middle of the paper, where we’re wading through details about the copy protection systems and the techniques they use to recognize protected CDs.

Please note that this is a draft and should not be formally quoted or cited. The final version of our entire paper will be posted here when it is ready.

Attacks on Disk Recognition

The active protection mechanisms introduced earlier selectively regulate access to raw CD audio, blocking access to the audio tracks on albums protected with a particular scheme while allowing access to all other titles. To accomplish this, the schemes install a background process that interposes itself between applications and the original CD driver. In MediaMax, this process is a kernel-mode driver called sbcphid.sys. XCP uses a pair of filter drivers attached to the CD-ROM and IDE devices called crater.sys and cor.sys. In both schemes, the active protection drivers examine each disc that is inserted into the computer to see whether access to it should be restricted. If the disc is recognized as copy protected, the drivers monitor for attempts to read the audio tracks, as would occur during a playback, rip, or disc copy operation, and corrupt the audio returned by the drive to degrade the listening experience. MediaMax introduces a large amount of random jitter, making the ripped audio sound like it has come from a badly scratched or damaged CD; XCP replaces the audio with random noise.

Each scheme’s active protection software interferes with attempts to rip or copy any disc that is protected by the same scheme, not merely the disc from which the software was installed. This requires some mechanism for identifying discs that are to be protected. This section discusses the security requirements for such a recognition system, describes the design and limitations of the actual recognition mechanism employed by the MediaMax scheme, and presents an improved design that better satisfies the requirements.

Recognition Requirements

Any disc recognition system must involve detecting some identifying feature on discs protected by a particular scheme. Ideally, such a feature would satisfy these requirements:

  1. Uniqueness. The feature should identify protected discs without accidentally triggering the copy protection on unprotected titles.
  2. Detectability. It should be possible for the active protection drivers running on client systems to reliably and quickly detect the feature in protected discs. In practice, this limits the amount of audio that can be read from the disc before deciding whether to apply protection.
  3. Indelibility. The feature should be difficult to remove without substantially degrading the quality of the audio; that is, it should be difficult to make a copy of the copy protected disc that does not itself trigger the protection.
  4. Unforgeability. It should be difficult to apply the feature to an unprotected album without the cooperation of the protection vendor, even if the adversary has access to protected discs.

This last requirement stems from the business strategies of the copy protection vendors. As discussed in earlier, many of these vendors are pursuing a platform building strategy. The biggest obstacle to the success of an active protection system is getting the protection software installed on client machines. Once installed, the software can regulate access to all discs protected by the scheme, even if the user learns to disable autorun or refuse future CD DRM installation requests. Thus each completed installation increases the effectiveness of the protection platform and heightens its value to the protection vendor and its music label clients.

Being widely installed adds value to these copy protection systems, but it also exposes them to a new class of attacks. The protection companies earn revenue from record labels who license their schemes, typically paying some fee per title or per copy. This revenue stream may be threatened if disc publishers can mark their discs as protected without paying.

There are advantages and disadvantages for the person placing the unauthorized marks. Copyright would prohibit rogue publishers from distributing an installer for the active protection software, though they might depend on the existing installed base from licensed titles. They would also be prevented from employing the components of the protection software that allow users to access restricted copies of the music; however, they could create their own software to provide this capability if they desired. On the other hand, free riding publishers would not be restricted to marking their disc for only one scheme. By identifying their discs as copy protected with multiple schemes, they could invoke multiple layers of security and provide stronger protection than is available with any single technique, all without paying. (It is possible that protection producers could have legal remedies against such free riders, such as through a patented identification feature, but we are unaware of any patents that cover the identification features known to be in use. Even if some kind of legal remedy is available, it’s worth designing the mark to prevent the problem too, at least if the cost of doing so is low.) Preventing free riding by publishers requires some kind of disc authentication mechanism to control access to installed active protection software—a meta-copy protection technique.

How MediaMax Recognizes Protected Discs

To find out how the disc recognition mechanisms employed by CD DRM systems stack up the ideal requirements, we examined the recognition system built into MediaMax CD-3 and MM-5 systems. The MediaMax system drew our attention because MediaMax’s creators have touted their advanced disc identification capabilities, including the ability to identify individual tracks within a compilation as protected, and well as their platform-building strategy. (The XCP scheme appears to use a less sophisticated disc recognition system based on a marker stored in the data track of protected discs. We may talk more about it later.)

We determined how MediaMax identifies protected albums by tracing the commands sent to the CD drive with and without the active protection software running. These experiments took place on a Windows XP virtual machine running on top of a Fedora Linux host system, which we modified by patching the kernel IDE-SCSI device to log all drive activity.

With this setup we observed that the MediaMax software executes a disc recognition procedure immediately upon the insertion of a CD. The MediaMax driver reads two sectors of audio data at a specific offset from the beginning of audio tracks—approximately 365 and 366 frames in (a CD frame is 1/75 second). On unprotected discs, the software scans through every track in this way, but on MediaMax-protected albums, it stops after the first three tracks, apparently having detected an identifying feature. The software decides whether or not to block read access to the audio solely on the basis of information in this region, so we inferred that the identifying mechanism takes the form of an inaudible watermark embedded in this part of the audio stream. (By locating the watermark nearly five seconds after the start of the track, MediaMax reduces the likelihood that it will occur in a very quiet passage, where it might be more audible, and makes it more difficult to crop out.)

Locating the watermark amid megabytes of audio might have been difficult, but we had the advantage of a virtual Rosetta Stone. The actual Rosetta Stone is a 1500 lb. granite slab unearthed by French archaeologists in Rosetta, Egypt, in 1799. A single Ptolemaic decree is written on the stone in three scripts: ancient hieroglyphics, demotic (simplified) hieroglyphics, and Greek. Comparing these inscriptions provided the key to deciphering Egyptian hieroglyphic texts. Our Rosetta Stone was a single album, Velvet Revolver’s Contraband (BMG, 2004), released in three different versions: a U.S. release protected by MediaMax, a European release protected by a passive scheme developed by Macrovision, and a Japanese release with no copy protection. We decoded the MediaMax watermark by examining the differences between the audio on these three discs. Binary comparison revealed no differences between the releases from Europe and Japan; however, the MediaMax-protected U.S. release differed slightly from the other two in certain parts of the recording. By carefully analyzing these differences—and repeatedly attempting to create new watermarked discs using the MediaMax active protection software as an oracle—we were able to deduce the structure of the watermark.

The MediaMax watermark is embedded into the audio of each track in 30 clusters. Each cluster is made up of 288 marked 16-bit audio samples followed by 104 unaltered samples. Three mark clusters exactly fit into one 2352-byte CD audio frame. The watermark is centered at approximately frame 365 of the track; though the detection routine in the software only reads two frames, the mark extends several frames to either side of the designated read target to allow for imprecise seeking in the audio portion of the disc (a typical shortcoming of inexpensive CD drives). The MediaMax driver detects the watermark if at least one mark cluster is present in the region read by the detector.

A sequence of 288 bits we call the raw watermark is embedded into the 288 marked audio samples of each mark cluster. A single bit of the raw watermark is embedded into an unmarked audio sample by setting one of the three least significant bits to the new bit value (as shown in bold) and then patching up the two other bits, according to this table:

(This design seems to be intended to lessen the audible distortion caused by by setting one of the bits to the watermark value. The change in the other two bits reduces the magnitude of the difference from the original audio sample, but it also introduces a highly uneven distribution in the three LSBs that makes the watermark easier to detect or remove.)

The position of the embedded bit in each sample follows a fixed sequence for every mark cluster. Each of the 288 bits is embedded in the first-, second-, or third-least-significant bit position of the sample according to this sequence:

2,3,1,1,2,2,3,3,2,3,3,3,1,3,2,3,2,1,3,2,2,3,2,2,2,1,3,3,2,1,2,3,3,1,2,2,3,
1,2,3,3,1,1,2,2,1,1,3,3,1,2,3,1,2,3,3,1,3,3,2,1,1,2,3,2,2,3,3,3,1,1,3,1,2,
1,2,3,3,2,2,3,2,1,2,2,1,3,1,3,2,1,1,2,1,1,1,2,3,2,1,1,2,3,2,1,3,2,2,2,3,1,
2,1,3,3,3,3,1,1,1,2,1,1,2,2,2,2,3,1,2,3,2,1,3,1,2,2,3,1,1,3,1,1,1,1,2,2,3,
2,3,2,3,2,1,2,3,1,3,1,3,3,3,1,1,2,1,1,2,1,3,3,2,3,3,2,2,1,1,1,2,2,1,3,3,3,
3,3,1,3,1,1,3,2,2,3,1,2,1,2,3,3,2,1,1,3,2,1,1,2,2,1,3,3,2,2,3,1,3,2,2,2,3,
1,1,1,1,3,2,1,3,1,1,2,2,3,2,3,1,1,2,1,3,2,3,3,1,1,3,2,1,3,1,2,2,3,1,1,3,2,
1,2,2,2,1,3,3,1,2,3,3,3,1,2,2,3,1,2,3,1,1,3,2,2,1,3,2,1,3

The 288-bit raw watermark is detected by the active protection software only when it has certain properties, as shown in the sequence below. In the 288-bit sequence, 96 positions have fixed bit values, either 0 or 1. The trailing 32 positions have arbitrary values (as indicated by _), and can be used to store a 32-bit disc-specific value. The other 192 positions are divided into 32 groups of linked values (denoted az and alpha-zeta). In each group, three positions share the same value and three share the complement value. This allows the scheme to encode a second 32-bit value, though in actual discs it appears to be a different random value in each of the 30 mark clusters.

Attacks on the MediaMax Watermark

The MediaMax watermark fails to satisfy the indelibility and unforgeability requirements of an ideal disc recognition system. Far from being indelible, the mark is surprisingly brittle. Most advanced designs for robust audio watermarks manipulate the audio in the frequency domain and attempt to resist removal by lossy compression, multiple conversions between digital and analog formats, and other common transformation. In contrast, the MediaMax watermark is applied in the time domain and is rendered undetectable by even minor changes to the file. An adversary without any knowledge of the watermark’s design could remove it by converting the tracks to a lossy format like MP3 and then burning them back to a CD, which can be accomplished easily with standard consumer applications. This would result in some minor loss of fidelity, but a more sophisticated adversary could prevent the mark from being detected with almost no degradation by flipping the least significant of one carefully chosen sample from each of the 30 watermark clusters, thereby preventing the mark from exhibiting the pattern required by the detector.

The MediaMax watermark also fails to satisfy the unforgeability requirement. The mark’s only defense against forgery is its complicated, unpublished design, but as is often the case this security by obscurity has proved tedious rather than impossible to defeat. As it turns out, an adversary needs only limited knowledge of the watermark–its location within a protected track and its confinement to the three LSBs of each sample–to forge it with minimal loss of fidelity. Such an attacker could transplant the three LSBs of each sample within the watermarked region of a protected track to the corresponding sample from an unprotected one. Transplanting these bits would cause distortion more audible that that caused by embedding the watermark since the copied bits are likely to differ by a greater amount from the original sample values; however, the damage to the audio quality would be limited since the marked region is only 0.4 seconds in duration. A more sophisticated adversary could apply a watermark to an unprotected track by deducing the full details of the structure of the watermark, as we did; she could then embed the mark in an arbitrary audio file just as well a licensed disc producer.

Secure Disc Recognition

Having shown that the MediaMax watermark fails to provide either strong resistance to removal or strong resistance to forgery, we ask whether it is possible to securely accomplish either or both of these goals.

As far as indelibility is concerned, watermarking schemes have a poor history of resisting removal. This is especially true against an adversary who has oracle access to the watermark detector, as was the case with a previous application of watermarks to audio copy protection, SDMI, and with CD DRM systems. Making marks that are both indelible and unforgeable is likely much more difficult. There seems to be tension between marks that are difficult to remove and ones that are hard to forge. Enforcing both requirements creates two ways to fool the detector–by rendering the mark invisible and by making it appear forged. If, as in CD DRM, either situation leads to the same result (no protection), the attacker’s power is multiplied.

In contrast, a mark strongly robust to forgery is simple to create based on digital signatures if we aren’t concerned with its being easy to remove. A very simple scheme works as follows:

  • To sign an audio track, the licensed publisher reads a fixed portion L1 of the audio data (say, the first ten seconds), then computes a cryptographic hash of L1 and signs it using a public key signature algorithm to derive the signature SL1 := SignKS(Hash(L1)). SL1 is then stored at a second location in the track by setting the LSB of each sample in the region to the corresponding bit in the signature. A 320-bit DSA signature could be embedded in this way using approximately the same space as one mark cluster of the MediaMax watermark.

  • The publisher keeps the signing key KS secret, and builds the corresponding verification key KV into the client software. When presented with a CD, the software checks for a valid signature. First it reads the audio from the signed area of the track and hashes it, and it locates and extracts the signature stored in the LSBs in the second mark location. Next, it verifies the signature on the hash using KV. If the signature is correct, the watermark is valid and genuine; otherwise, forgery or data corruption is indicated.

Forging such a mark would require defeating the digital signature scheme or splicing both L1 and SL1 from a legitimately marked album. We set L1 to be several seconds of audio to make such splicing less appealing.

Clearly this watermark is highly vulnerable to removal. If even a single bit of the hashed region is changed, the mark will not be recognized as valid. Yet the watermark MediaMax actually uses is also vulnerable to corruption by a single bit too while being far less resistant to forgery. Robustness to removal, while desirable in principle, is of limited value in real CD DRM applications. Removal of the watermark is unlikely to be the weakest link protecting the audio, and while the gains from creating a more indelible watermark are slight, the loss to free riders from an easily forgeable mark is potentially much larger.