CD DRM: Attacks on Installation
Monday January 30, 2006 by Ed Felten
http://www.freedom-to-tinker.com/?p=965

Alex and I are working on an academic paper, "Lessons from the Sony CD DRM
Episode", which will analyze several not-yet-discussed aspects of the XCP
and MediaMax CD copy protection technologies, and will try to put the Sony
CD episode in context and draw lessons for the future. We'll post the
complete paper here later in the week. Until then, we'll post drafts of a
few sections here. We have two reasons for this: we hope the postings will
be interesting in themselves, and we hope your comments will help us improve
the paper.

Today's section is part of the technical core of the paper.

Please note that this is a draft and should not be formally quoted or cited.
The final version of our entire paper will be posted here when it is ready.

Attacks on Installation

Active protection measures cannot begin to operate until the DRM software is
installed on the user's system. In this section we consider attacks that
either prevent installation of the DRM software, or try to capture music
files from the disc in the interval after the disc has been inserted but
before the DRM software is installed on the computer.

Autorun

Both XCP and MediaMax rely on the autorun feature of Windows. Whenever
removable media, such as a floppy disc or CD, is inserted into a Windows PC
(and autorun is enabled), Windows looks on the disc for a file called
autorun.inf; if a file with that name is found, Windows executes commands
found in it. Autorun allows a disc to pop up a splash screen or simple menu,
for example to offer to install software found on the disc. However, the
autorun mechanism will run any program that the disc specifies.
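As an added illustration, not part of the paper and not code from either DRM vendor, the following Python auditor parses the body of an autorun.inf and reports which directives would make Windows launch something. It relies on the standard `open` and `shellexecute` directives of the `[autorun]` section; the sample disc contents below are constructed (the installer path `contents\go.exe` follows the XCP layout described later in the text, the icon file name is invented).

```python
import configparser
from dataclasses import dataclass, field
from typing import Dict, Optional

# Directives in the [autorun] section that make Windows launch something:
# 'open' runs a program, 'shellexecute' opens a file with its registered
# handler. Other keys (icon, label, action) only affect presentation.
EXEC_KEYS = ("open", "shellexecute")


@dataclass
class AutorunReport:
    launches: Dict[str, str] = field(default_factory=dict)  # directive -> command
    label: Optional[str] = None
    icon: Optional[str] = None

    @property
    def runs_code(self) -> bool:
        return bool(self.launches)


def audit_autorun(text: str) -> AutorunReport:
    """Parse the body of an autorun.inf and report what it would execute."""
    # autorun.inf is plain INI syntax; Windows treats section and key names
    # case-insensitively, so both are normalised before matching.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    report = AutorunReport()
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return report  # nothing autoruns without an [autorun] section
    for key, value in cp.items(section):
        value = value.strip()
        if key in EXEC_KEYS:
            report.launches[key] = value
        elif key == "label":
            report.label = value
        elif key == "icon":
            report.icon = value
    return report


# Constructed sample: an installer in a "contents" folder as the text
# describes for XCP; the icon name and album label are made up.
SAMPLE_AUTORUN = r"""[AutoRun]
open=contents\go.exe
icon=contents\disc.ico
label=Sample Album
"""

if __name__ == "__main__":
    report = audit_autorun(SAMPLE_AUTORUN)
    for directive, command in report.launches.items():
        print(f"{directive}: would launch {command}")
    if not report.runs_code:
        print("no executable directives found")
```

Reading the file from a disc before letting it autorun (or with autorun disabled) and running it through `audit_autorun` shows exactly what the disc asks Windows to execute, which is the information the autorun mechanism itself never presents to the user.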

Other popular operating systems, including MacOS and Linux, do not have an
autorun feature, so this mechanism does not work on these other systems. XCP
ships only Windows code and so has no effect on other operating systems.
MediaMax ships with both Windows and MacOS code on the CD, but only the
Windows code can autorun. The MacOS code relies on the user to double-click
an installer on the CD, which few users will do.

Current versions of Windows ship with autorun enabled by default, but the
user can choose to disable it. Many security experts advise users to disable
autorun, to protect against disc-borne malware. If autorun is disabled, the
XCP or MediaMax active protection software will not load or run.

Even if autorun is enabled, the user can block autorun for a particular disc
by holding down the Shift key while inserting the disc. This will prevent
the active protection software from running.

Even without disabling autorun, a user can prevent the active protection
software from loading by covering up the portion of the disc on which it is
stored. Both XCP and MediaMax discs contain two sessions, with the first
session containing the music files and the second session containing DRM
content, including the active protection software and the autorun command
file. The first session begins at the center of the disc and extends
outward; the second session is near the outer edge of the disc.

By covering the outer edge of the disc, the user can cover up the second
session's files, effectively converting the disc back to an ordinary
single-session disc. The edge of the disc can be covered with nontransparent
material such as masking tape, or by writing over it with a felt-tip marker.
Exactly how much of the disc to cover can be determined by iteratively
covering more and more until the disc's behavior changes, or by visually
inspecting the disc to look for a difference in appearance of the disc's
surface which is often visible at the boundary between the two sessions.

Temporary Protection

Even if the copy protection software is allowed to autorun, there is a
period of time, between when a protected disc is inserted and when the
active protection software is installed, when the music is vulnerable to
copying. It would be possible to have the discs immediately and
automatically install the active protection software, minimizing this window
of vulnerability, but legal and ethical requirements should preclude this
option. Installing software without first obtaining the user's consent
appears to be illegal in the U.S. under the Computer Fraud and Abuse Act
(CFAA) as well as various state anti-spyware laws [citation].

Software vendors conventionally obtain the user's consent to installation of
their software by displaying an End User License Agreement (EULA) and asking
the user to agree to it. Only after the user agrees to the EULA is the
software installed. The EULA informs the user, in theory at least, of the
general scope and purpose of the software being installed, and the user has
the option to withhold consent by declining the EULA, in which case no
software is installed. As we will see below, the DRM vendors do not always
follow this procedure.

If the discs didn't use any other protection measures, the music would be
vulnerable to copying while the installer waited for the user to accept or
reject the EULA. Users could just ignore the installer's EULA window and
switch tasks to a CD ripping or copying application. Both XCP and MediaMax
employ temporary protection mechanisms to protect the music during this
time.

XCP Temporary Protection

The first time an XCP-protected disc is inserted into a Windows machine, the
Windows autorun feature launches the XCP installer, the file go.exe located
in the contents folder on the CD. The installer displays a license agreement
and prompts the user to accept or decline it. If the user accepts the
agreement, the installer installs the XCP active protection software onto
the machine; if the user declines, the installer ejects the CD and exits.

While the EULA is being displayed, the XCP installer continuously monitors
the list of processes running on the system. It compares the image name of
each process to a blacklist of nearly 200 ripping and copying applications
hard coded into the go.exe program. If one or more blacklisted applications
are running, the installer replaces the EULA display with a warning (shown
at right [in the paper version, but not here]) indicating that the
applications need to be closed in order for the installation to continue. It
also initiates a 30-second countdown timer; if any of the applications are
still running when the countdown reaches zero, the installer ejects the CD
and quits. [Footnote: Similar application blacklisting techniques have been
used in other security contexts. The client software for World of Warcraft,
a massively multiplayer online role playing game, checks running
applications against a regularly updated blacklist of programs used to
cheat. [citation]]

This technique might prevent some unsophisticated users from copying the
disc while the installer is running, but it can be bypassed with a number of
widely known techniques. For instance, users might kill the installer
process (using the Windows Task Manager) before it could eject the CD, or
they might use a ripping or copying application that locks the CD tray,
preventing the installer from ejecting the disc.

The greatest limitation of the XCP temporary protection system is the
blacklist. Users might find ripping or copying applications that are not on
the list, or they might use a blacklisted application but rename its
executable file to prevent the installer from recognizing it. Since there is
no mechanism for updating the blacklist on existing CDs, they will gradually
become easier to rip and copy as new applications not on the blacklist come
into widespread use. Application developers may also adapt their software to
the blacklisting technique by randomizing their process image names or
taking other measures to avoid detection. [Footnote: An extreme extension of
this would be to adopt rootkit-like techniques to conceal the copying
application's presence, just as XCP hides its active protection software.]

MediaMax Temporary Protection

The MediaMax system employs a different, and highly controversial if not
illegal, temporary protection measure. It defends the music while the
installer is running by installing, and at least temporarily activating, the
active protection software before displaying the EULA. The software is
installed without obtaining consent, and it remains installed (and in some
cases, permanently active) even if the user explicitly denies consent by
declining the license agreement. This practice is uncomfortably close to the
behavior of spyware and may be illegal.

Prior to license acceptance, both MediaMax version 3 and version 5 discs
install the active protection driver. (At this writing, version 5 is the
current version. To our knowledge, there was no version 4.) The driver file
sbcphid.sys is copied to the Windows drivers directory, configured as a
service in the registry, and launched. Initially, the driver's startup type
is set to "Manual", so it will not re-launch the next time the computer
boots; however, it remains running until the computer is shut down and
remains installed permanently. Albums that use MediaMax version 5
additionally install components of the MediaMax player software before
displaying a license agreement: almost 12 megabytes of programs and data
that are stored in %programfiles%\Common Files\SunnComm Shared. These files
are not removed if the EULA is declined.

Even more troublingly, under some common circumstances the MediaMax
installer will permanently activate the active protection software (by
setting its startup type to "Auto", which causes it to be launched every
time the computer boots). This behavior is related to a mechanism in the
installer apparently intended to upgrade the active protection software if
an older version is already installed. Under the following scenarios, it is
triggered even if the user previously declined the EULA:

    * The user inserted a CD-3 (older version of MediaMax) album, then
sometime later inserts an MM-5 (current version of MediaMax at this writing)
album.
    * The user inserted an MM-5 album, then sometime later inserts a CD-3
album.
    * The user inserted an MM-5 album, reboots, then sometime later inserts
the same album or another MM-5 album.

These steps do not have to take place in a single session. They can happen
over a period of weeks or months, as users purchase new albums.
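A user who declined the EULA has no installer dialog to tell them whether the driver was nevertheless registered, or whether its startup type was later flipped from Manual to Auto. The check below is an added example, not code from the paper or from SunnComm: it parses a registry export of a driver's service key and reports its presence and start type. The Start value encoding (0 Boot, 1 System, 2 Auto, 3 Manual, 4 Disabled) is the standard Windows one; the service key name `sbcphid`, the `ImagePath` and the other values in the sample export are constructed to match the text's description and are assumptions, not copied from a real system.

```python
import re
from typing import Dict, Optional

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
START_TYPES = {0: "Boot", 1: "System", 2: "Auto", 3: "Manual", 4: "Disabled"}

# Constructed sample of a .reg export for the driver service. The key name
# and values are assumptions modelled on the text (driver sbcphid.sys
# registered as a service with a Manual start type), not a real export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sbcphid]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"="system32\\drivers\\sbcphid.sys"
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax used here: key headers, dword and string values."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = keys.setdefault(header.group(1), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if value and current is not None:
            name, raw = value.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg files escape backslashes in string values as "\\"
                current[name] = raw[1:-1].replace("\\\\", "\\")
            else:
                current[name] = raw
    return keys


def driver_status(reg_text: str, service: str) -> dict:
    """Report whether a driver service is registered and how it is started."""
    for path, values in parse_reg_export(reg_text).items():
        if path.lower().endswith("\\services\\" + service.lower()):
            start = values.get("Start")
            return {
                "installed": True,
                "start_type": START_TYPES.get(start, "Unknown"),
                "auto_start": start == 2,  # launched on every boot
                "image_path": values.get("ImagePath"),
            }
    return {"installed": False, "start_type": None, "auto_start": False,
            "image_path": None}


if __name__ == "__main__":
    status = driver_status(SAMPLE_REG, "sbcphid")
    print(status)
```

On a real machine the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services\sbcphid out.reg`; reg.exe writes the file as UTF-16, so open it with `encoding="utf-16"` before passing the text to `driver_status`. A result of `installed` with `start_type` "Manual" corresponds to the state the text describes right after a declined EULA; "Auto" corresponds to the permanent activation triggered by the scenarios listed above.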

We can think of two possible explanations for this behavior. Perhaps the
vendor, SunnComm, did not test these scenarios to determine what their
software did, and so did not realize that they were activating the software
without consent. Or perhaps they did know what would happen in these cases
and deliberately chose these behaviors. Either possibility is troubling,
indicating either a badly deficient design and testing procedure or a
deliberate decision to install software after the user denied permission to
do so.

Even if poor testing is the explanation for activating the software without
consent, it is clear that SunnComm deliberately chose to install the
MediaMax software code on the user's system even if the user did not
consent. These decisions are difficult to reconcile with the ethical and
legal requirements on software companies. But they are easy to reconcile
with the vendor's platform building strategy, which rewards the vendor for
placing its software on as many computers as possible.

Even the activation of temporary protection software before the user
consents to anything raises troubling ethical questions. It is hard to argue
that the user has consented to loading and running software merely by the
act of inserting the disc. Most users do not expect the insertion of a
compact disc to load software, and although many (but not all) of the
affected discs did contain a statement about protection software being on
the discs, the statements generally were confusingly worded, were written in
tiny print, and did not say explicitly that software would install or run
immediately upon insertion of the disc. Some in the record industry argue
that the industry's need to block potential infringement justifies the
short-term execution of the temporary protection software on every user's
computer. We think this issue deserves more ethical and legal debate.

Passive Protection

Another way to prevent copying before active protection software is
installed is to use passive protection measures. Passive protection exploits
subtle differences between the way computers read CDs and the way ordinary
CD players do. By changing the layout of data on the CD, it is sometimes
possible to confuse computers without affecting ordinary players. In
practice, the distinction between computers and CD players is less precise.
Older generations of CD copy protection, which relied entirely on passive
protection, proved easy to copy in some computers and impossible to play on
some CD players [citation]. Furthermore, computer hardware and software have
tended to get better at reading passively protected CDs over time as they
became more robust to all manner of damaged or poorly formatted discs. For
these reasons, more recent CD DRM schemes rely mainly on active protection.

XCP uses a mild variety of passive protection as an added layer of security
against ripping and copying. This form of passive protection exploits a
quirk in the way Windows handles multisession CDs. When CD burners came to
market in the early 1990s, the multisession CD format was introduced to
allow data to be appended to partially recorded discs. (This was especially
desirable at a time when recordable CD media cost tens of dollars per disc.)
Each time data is added to the disc, it is written as an independent series
of tracks called a session. Multisession-compatible CD drives see all the
sessions, but ordinary CD players, which generally do not support the
multisession format, recognize only the first session.

Some commercial discs use a variant of the multisession format to combine CD
audio and computer-accessible data on a single CD. These discs adhere to the
Blue Book [citation] or "stamped multisession" format. According to the Blue
Book specification, stamped multisession discs must contain two sessions: a
first session with 1-99 CD audio tracks, and a second session with one data
track. The Windows CD audio driver contains special support for Blue Book
discs. It presents the CD to playing and ripping applications as if it were
a normal audio CD. Windows treats other multisession discs as data-only CDs.

XCP discs deviate from the Blue Book format by adding a second data track in
the second session. This causes Windows to treat the disc as a regular
multisession data CD, so the primary data track is mounted as a file system,
but the audio tracks are invisible to player and ripper applications that
use the Windows audio CD driver. This includes Windows Media Player, iTunes,
and most other widely used applications.
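The following added example (our own model for this write-up, not code from the paper, from Microsoft, or from the DRM vendors) encodes the Windows behavior described in the last two paragraphs as a small classifier over a disc's session layout: an all-audio first session of 1-99 tracks followed by exactly one data track is treated as Blue Book and stays visible to audio applications, while any other multisession layout, including the XCP one with a second data track, is treated as a data-only CD. It also models the two-session layout from the Autorun section: a drive that reads only the first session, as an ordinary player does, sees a plain audio CD. The track counts and the helper `make_disc` are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Track:
    number: int
    is_data: bool  # True for a data track, False for a CD audio track


@dataclass
class Session:
    tracks: List[Track]


def classify_windows_view(sessions: List[Session]) -> str:
    """Model of the Windows CD audio driver's handling described in the text.

    Returns:
      'audio'      single session of audio tracks: an ordinary audio CD
      'blue-book'  1-99 audio tracks in session 1 plus exactly one data track
                   in session 2: presented to players and rippers as audio
      'data-only'  any other multisession layout: audio tracks are hidden
                   from applications that use the audio CD driver
    """
    if not sessions:
        raise ValueError("a disc needs at least one session")
    first = sessions[0]
    audio_first = (
        1 <= len(first.tracks) <= 99 and not any(t.is_data for t in first.tracks)
    )
    if len(sessions) == 1:
        return "audio" if audio_first else "data-only"
    second = sessions[1]
    if len(sessions) == 2 and audio_first and len(second.tracks) == 1 \
            and second.tracks[0].is_data:
        return "blue-book"
    return "data-only"


def audio_tracks_visible(sessions: List[Session]) -> int:
    """Audio tracks an application going through the audio CD driver can see."""
    if classify_windows_view(sessions) in ("audio", "blue-book"):
        return len(sessions[0].tracks)
    return 0


def first_session_only(sessions: List[Session]) -> List[Session]:
    """What a reader that recognizes only the first session (an ordinary CD
    player, or a drive for which the outer session is unreadable) sees."""
    return sessions[:1]


def make_disc(n_audio: int, data_tracks_in_second_session: int) -> List[Session]:
    """Build a constructed disc layout: n_audio audio tracks, then optionally a
    second session holding the given number of data tracks."""
    audio = Session([Track(i, False) for i in range(1, n_audio + 1)])
    if data_tracks_in_second_session == 0:
        return [audio]
    data = Session([Track(n_audio + j, True)
                    for j in range(1, data_tracks_in_second_session + 1)])
    return [audio, data]


# Constructed layouts: a plain audio CD, a Blue Book enhanced CD, and the
# XCP layout with a second data track in the second session.
PLAIN_AUDIO = make_disc(12, 0)
ENHANCED_CD = make_disc(12, 1)
XCP_LAYOUT = make_disc(12, 2)

if __name__ == "__main__":
    for name, disc in [("plain audio", PLAIN_AUDIO), ("enhanced CD", ENHANCED_CD),
                       ("XCP layout", XCP_LAYOUT)]:
        print(f"{name}: {classify_windows_view(disc)}, "
              f"{audio_tracks_visible(disc)} audio tracks visible")
```

The model makes the limitation explicit: the hiding depends entirely on one driver's interpretation of the table of contents, so any reader that builds its own view of the sessions, or that never sees the second session at all, is unaffected.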

Using a specialized procedure, it is possible to create discs with this
flavor of passive protection with standard CD burning hardware and software
[citation].

Limitations

This variety of passive protection provides only limited resistance to
ripping and copying. There are a number of well-known methods for defeating
it. Advanced ripping and copying applications avoid the Windows CD audio
driver altogether and issue MMC commands [citation] directly to the drive.
This allows programs such as Nero [citation] and Exact Audio Copy [citation]
to recognize and read all the audio tracks. Non-Windows platforms, including
Mac and Linux systems, read multisession CDs more robustly and don't suffer
from the limitation that causes ripping problems on Windows. The felt-tip
marker trick can also defeat this kind of passive protection, as noted
above.

