1. ENHANCED CONTENT PROTECTION OVERVIEW

2. Security Solution Characteristics Comprehensive security ecosystem All devices meet the same standard – No assumption that any particular class of devices is more difficult to hack “Hack once, hack all” is not possible – Breach limited to a single title Breach response is rapid – Within days Security solution provider has a proven track record Similar idea of per title diversity as BD+ but very different approach – BD+ is not effective

3. High-Level Model of Video Path

4. Decryption / Decoding Threats – Attacker extracts Device Key – Attacker extracts Content Key – Attacker captures decrypted compressed content – Attacker captures decrypted uncompressed content Mitigations – Software diversity per title – Decode in Trusted Execution Environment – Device keys protected by a Hardware Root of Trust – Require 3rd party verification of trusted DRM software

5. Framebuffer Threats – Attacker captures raw frames from framebuffer E.g. Screen scraping Mitigations – Use protected framebuffer (e.g. TrustZone) – Use secured links to video hardware (e.g. Nvidia)

6. HDCP Source Threats – Attacker captures raw frames from hacked driver – Attacker captures raw frames from hacked video hardware Mitigations – Require HDCP 2.1 for source devices and repeaters HDCP 2.x increases security and robustness – Never send unencrypted frame data to video drivers/hardware – Only send frame data to protected video hardware on SoC (e.g. TrustZone) – Require 3rd party verification of trusted hardware

7. HDCP Sink Threats – Attacker captures video from HDMI to screen driver interface – Attacker uses HDCP stripper with valid HDCP 1.x Device Keys Since attackers can generate valid HDCP 1.x device keys revocation is ineffective Mitigations – Require HDCP 2.0 or higher for sink devices – HDCP source only transmits premium content to HDCP 2.x devices

8. Screen Threats Threats – Attacker captures video from screen using camera Mitigations – Security solution inserts forensic watermark that can be used to identify user account and playback device

9. Breach Management Security provider monitors Internet (websites, chat rooms, IRC, etc) for indications of security breaches Security provider works with manufacturers to identify circumventions used by attackers Countermeasures developed and deployed immediately a breach is detected Some new content may prevent playback on certain devices until firmware is up-to-date

10. Example of Renewability on Android/ARM 1.Integrity Validation insures that no tampering has occurred both before and during playback 2.If Integrity Validation fails, out-of- date can be updated transparently 3.Platform may provide a means for DRM components to trigger a firmware update as required 4.Platform has the option of renewing OS and TrustZone components or leaving consumer with a device that won’t play content

11. Example: Current NDS Security Solutions FunctionCurrent NDS Platform Support AndroidIOSWindowsMacOSPS3XBox CE (TV, Blu-ray) Software diversity ✔✔✔✔ Trusted Execution Environment TrustZon e Intel, AMD Custom in SoC Hardware Root of Trust ✔ ✔ (Win8) Secure boot, root/jailbreak detect ✔✔ ✔ (Win8) Integrity Validation ✔✔✔ Watermark insertion ✔✔✔✔ Breach monitoring & response ✔✔✔✔

12. Security Management