se-4128, drm: from software secrets to hardware protection, by rod schultz

DRM: From Software Secrets to Hardware

Protection

Rod Schultz Adobe Primetime DRM

Adobe Primetime

Interesting DRM

lessons

What is DRM?

Digital Rights Management is not security

Security and DRM are made of the same blocks• Same Encryption algorithms

• Same Protocols

• Same Key exchange mechanisms

• Environments each run in (security vs DRM) are very different

• What they are designed to protect are different

Public perception of DRM:

And this:

Technology created to control the usage of a device or

content after its sale

What is it really?

Companies don’t want their products to be thought of like this

A DRM is intended to slow down the

commoditization of the object or thing it is

protecting

Why use a DRM?

Downloaded music has now gone DRM free

Why have we not seen this in the movie industry?

• Different types of content have different business models

• What movie won the best picture in 2010?

• When’s the last time you watched it?

• Movies are usually watched once

• Music is listened to over and over

• Music has transitioned from scarcity of product (CDs and tracks) to scarcity of experience (concerts)

• Music artists have switched to a new revenue stream

• The movie industry still relies on scarcity of product and delivers that to you via different mechanisms

Consumption of music and movies is different

The impact of changing availability

The changing face of music revenue

2011 US vs European Bandwidth Usage (Give users choice, reduce piracy)

DRM Architecture

Lessons on single points of failure from WW II

• The French thought an attack through the forest in the north was impossible

• That defense was neutralized by German tanks

Key takeaways for DRM

• Motivated attackers are smarter than you

• They will find your weakest defense

• Single points of failure are really bad

DRMs are designed like biological systems

RenewabilityDiversityRevocation

Lessons from the Masai: Design for confusion

Key Takeaway for DRM: Good software design is not necessarily good DRM design

Module 1 Module 2 Module 3

Module 4 Module 5 Module 6

Module 1

Module 2

Module 3

Module 4

Module 5

Module 6

• The fundamental building block of protection in a DRM is encryption/decryption

• Mathematically protect the assets you want to control

To build a DRM you need cryptography

Protect your assets with a castle, not a single wall

DRM$Key

The castle concept for a DRM: Keys protecting keys protecting keys

Device&Key

Content&Key

To understand the DRM threat, let’s first look at the traditional crypto security threat

Both built with the same blocks

Traditional Cryptography:

• Design of algorithms and protocols to protect a communication channel (secret messages, credit cards...)

• End points are assumed to be trusted and safe

• Attacker has access to what it can capture on the wire

• Delivery of key to end points is very hard

Trusted(End(Point

Trusted(End(Point

Untrusted(World(/(Untrusted(Network

Secret&Key Secret&Key

Dear NSA,Please stop listening to my fu**ing phone calls.Love, Angela Merkel ....................../´¯/) !

....................,/¯../ !

.................../..../ !

............./´¯/'...'/´¯¯`·¸ !

........../'/.../..../......./¨¯\ !

........('(...´...´.... ̄ ~/'...') !

.........\.................'...../ !

..........''...\.......... _.·´ !

............\..............( !

..............\.............\...!

Let’s create a secret message and see how it would be traditionally

attacked:

Translate text to ASCIIThis: Dear NSA, Please stop listening to my fu**ing phone calls. Love, Angela Merkel

Becomes this: 44 65 61 72 20 4E 53 41 2C 20 50 6C 65 61 73 65 20 73 74 6F 70 20 6C 69 73 74 65 6E 69 6E 67 20 74 6F 20 6D 79 20 66 75 63 6B 69 6E 67 20 70 68 6F 6E 65 20 63 61 6C 6C 73 2E 20 4C 6F 76 65 2C 20 41 6E 67 65 6C 61 20 4D 65 72 6B 65

Now we need to encrypt it

• Can encrypt with any algorithm that both the sender and receiver have

• We will use the NIST algorithm: AES

• Use a standard encryption algorithm so that only the key needs to be exchanged between the sender and receiver

Details of AES

• Advanced Encryption System

• Symmetric key algorithm that comes in three flavors: 128, 192, and 256 bit

• Those bit lengths represent the length of the keys

• Would take 1 billion billion years to force break 128 bit AES

Now encrypt the message with 128 bit AES (Operates on 16 byte blocks)

Plain Text: 44 65 61 72 20 4E 53 41 2C 20 50 6C 65 61 73 65

Key: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

Cipher Text: 0D 1E 8A C7 87 B2 14 9D 47 A2 71 3D 2D 27 1F 5E

Plain&Text

Key

Cryptographic&Algorithm Ciphertext

Message&to&encrypt

Encrypted&Message

How would the NSA attack this?

• Attacker lives in the untrusted world

• Assume the message is intercepted

• The more messages the secret key is used to protect, the more at risk the key is for discovery

Trusted(End(Point

Trusted(End(Point

Untrusted(World(/(Untrusted(Network

The NSA shifts the trust boundaries

The DRM threat model

DRM Threat: The person who purchased the device or content is attacking it

The DRM threat model:

• Attacker has total visibility into the system and cryptographic algorithm

• Binary is completely visible to an attacker

• Attacker has full control over the execution environment (CPU calls, memory registers...)

• If you want a point of trust in the system, you must build

Components of an encryption algorithm

• Code that defines the algorithm

• Variables and constants of the algorithm

• Encryption/Decryption key (a special type of variable)

• The key determines the behavior of the algorithm

At any time the algorithm that is running in software is in one of three states: !1. Stored on disk 2. Loaded into memory 3. Executing

On#Disk In#Memory Execu3ng

On#Disk In#Memory Execu3ng

State of the algorithm determines the best way to protect it

• The closer you get to the CPU with the algorithm, the harder it is to protect it

• As you move to the CPU, you can’t just protect, you also need to hide things

Cryptographic,Program

Code(Algorithm)

Variables/Constants

Key

How do you hide something in plan sight?

How do you hide something like this?

Defenses of the DRM trade

Defense 1: Disk Encryption

• Very secure, as long as you never need to actually run the algorithm

• The algorithm can’t be run in its encrypted form (CPU won’t understand it)

• Only effective at static analysis attacks

Defense 2: Code Obfuscation

• A defense against reverse engineering

• Modified source and machine code that is difficult for a human to understand

Take code that looks like this:

{ toSub = (y<<4 ^ y>>5) + y ^ sum + k[sum>>11 & 3]; if(toSub > z) { // printf("Underflow toSub: 0x%0x current: 0x%0x\n", toSub, z); z = (MAX - toSub) + (z + 1); } else z-= (y<<4 ^ y>>5) + y ^ sum + k[sum>>11 & 3]; sum -= delta; toSub = (z<<4 ^ z>>5) + z ^ sum + k[sum & 3]; if(toSub > y) y = (MAX - toSub) + (y + 1); else y-= (z<<4 ^ z>>5) + z ^ sum + k[sum & 3]; }

And make it look like this:L_6qy : r_6zj = r_6qz; r_7jB = (r_7Fv + (int)2025346621) % (int)2147483647; r_7Fv = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7Fv); r_7jB = r_7GO ^ (int)1371670574; r_7GO = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7GO); r_7jB = (r_7Gn + (int)1943683037) % (int)2147483647; r_7Gn = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7Gn); r_7jB = r_7HG ^ (int)901639918; r_7HG = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7HG); r_7jB = (r_7Hf + (int)-972842542) % (int)2147483647; r_7Hf = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7Hf); r_7jB = r_7I8 ^ (int)1359792831; r_7I8 = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7I8); r_7jB = r_7Ly ^ (int)1790006316; r_7Ly = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7Ly); r_7jB = r_7Mq ^ (int)832772716; r_7Mq = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7Mq); r_7jB = (r_7NF + (int)230490512) % (int)2147483647; r_7NF = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7NF); r_7jB = r_7Ni ^ (int)2059133929; r_7Ni = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7Ni); r_7jB = (r_7O7 + (int)1830422574) % (int)2147483647; r_7O7 = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7O7); r_7jB = r_7Oa ^ (int)20264946; r_7Oa = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7Oa); r_7jB = (r_7gp + (int)-827978944) % (int)2147483647; r_7gp = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7gp); r_7jB = (r_7hK + (int)1387135918) % (int)2147483647; r_7hK = ((int)((av_7Eh & (int)64) == (int)0) * r_7jB) + ((int)!(((av_7Eh & (int)64) == (int)0)) * r_7hK); av_7Eh = (av_7Eh | (int)64); switch(r_6zc) { case (int)0: goto L_6qx; case (int)1: goto L_6rJ; case (int)2: goto L_6rK;

Defense 3: Code Flattening

• Inputs and outputs of the algorithm are the exact same

• Binds blocks of code into a single and very difficult to understand monolithic block

• Used to force the attacker into spending time pruning down the call tree

Block&1

Block&2

Block&5

Block&4Block&3

if(x&>10&) else&if(x&==&10) else

Input

Output

Normal  Control  Flow  Graph  Before  Obfusca8on  and  Fla:ening

Change the code flow logic:

if (x > 10) do Block 2 !if (x == 10) do Block 3 !if none of those: do Block 4

Switch

Block+1 Block+2 Block+3 Block+4 Block+5 Block+6 Block+7 Block+8

Condi7on

Input

Output

Control  Flow  Graph  A>er  Obfusca8on  and  Fla:ening  Have  Been  Added

To something much harder to understand by a human:

Defense 4: Data Transforms (Creating islands of trust in an

untrusted system)

• Map your data from one value to another (think about it like changing the color of a number)

• Creates a mathematical barrier for the attacker

• That barrier is the boundary between your trusted and untrusted world.

• Attacker must reverse engineer the transform before they can get access to the true values

• Attacked by watching the CPU add and remove transform values

When the attacker has access to everything:

• Hiding a key in software is almost impossible

• Hiding a standard cryptographic algorithm in software is almost impossible

• Hiding a key + a standard cryptographic algorithm is something that mathematicians have figured out how to do

Defense 5: White-box Cryptography

• A technique that allows you to hide a key inside an algorithm

• First published in late 2002

• The breakthrough mathematical technique that makes software DRMs possible

Lesson from elementary school: Lookup tables are more powerful

than you think

An example with multiplication:

Just find the intersection4 X 3

0 1 2 3 4

0

1

2

3

0 0 0 0 0

0 1 2 3 4

0 2 4 6 8

0 3 6 9 12

0 4 8 16124

What is this really doing?

• It applies a mathematical transform to our numbers

• Multiplication: The mathematical operation of scaling one number by another

• Generally taught to children using a lookup table (the times tables)

Why is this so cool?

• It allows us to ‘embed’ a mathematical transform into a lookup table

• As we do our lookup, the transform is magically applied

• Map numbers into different spaces, while executing the encryption algorithm

• We don’t even need to know the math

Huge lookup tables allow us to hide our key

Let’s take a look under the hood of AES

White-box AESAES

S"box

Shi(

Mix

Add

Input

AES)Output

White&Box*AES

S1 S2

MC1 MC2

A1 A2

S3

MC3

A3

Input

AES*Output

Shi*

As we move from box to box, we apply transforms and then migrate to new ones

White&Box*AES

S1 S2

MC1 MC2

A1 A2

S3

MC3

A3

Input

AES*Output

Shi*

There is one very important dependency

• For white-boxing to really work, the input needs to have a transform already on it

• This works well for DRM, content already has a transform on it (encryption)

Now we have a really nice binary tank

Costs of using these DRM defenses

• White-box cryptography increases the binary size

• Obfuscation increases the binary size

• Execution of a cryptographic algorithm in white-box form is very slow

• When viewed in context of video, slow decryption can slow the video decode

Hardware DRM

• No need to use white-box encryption

• Keys and algorithms are protected inside of hardware

• Faster decrypt performance

Adobe Primetime DRM on AMD Hardware

What we get

• A trust point has been created in the system using AMD hardware protection

• Hide secrets inside of the hardware instead of hiding them in white-boxes

• Execution of crypto algorithms in hardware is much faster than white-box

The most important step is seeding the root key

• AMD provisions the root DRM key into the the HW

• The root key is used as the base protection for all keys

Hardware Protection

DRM Key(AES, RSA, ECC)

Machine Key(1024 bit RSA)

Domain Key(1024 bit RSA)

Key Encryption Key(128 bit AES)

Content Encryption Key

(128 bit AES)

Rotation Key(128 bit AES)

Shared Domain Keys

(1024 RSA)

Adobe Primetime HW DRM on AMD Hardware

Remember keys protecting keys protecting keys?

Why does this work?

Some gory details on HW DRM

• Software pushes encrypted keys down into hardware

• Software pushes down encrypted content + an index to get back decrypted content

• Because the root key is protected all the way down to the HW, no key is exposed in SW

Video Playback Engine(Flash Player, AIR, AVE)

Machine Key

SOC

Adobe Access DRMHW Crypto

Audio Codec

Access Indiv Server

A/V Sync

Composite Display Controller

Content Server

1

4

7

DiskStorage

Video Codec

Video Player

2 3

License Server

89

Machine Key

License

License

11

12

13

5

6

10

14

Decrypted Video Samples

Decrypted Audio Samples

15

16

License Translation

Machine Key

Provisioned DRM Key

Machine Key

Overall Architecture

Questions