Professional Documents
Culture Documents
UC Santa Barbara
Tsinghua Unversity
2013/8/23
Decrypt
Decode
Playback
Raw Frames
2013/8/23
DRM bypasses
What for?
Solution-specific
DeCSS - DVD Jon Despotify HDCP master key leaking
Analog loophole
2013/8/23 Usenix Security 2013 4
Decrypt
Solutionspecific attacks
Decode
Playback
Raw Frames
Analog loophole 2
2013/8/23 Usenix Security 2013
Analog loophole 1
5
Automatic attacking
2013/8/23
Challenges
Complexity
Performance
Generality
2013/8/23
Intuitions
Encrypted Buffer Decrypted Buffer
Decryption
Overview
MovieStealer design & optimizations Experimental results Countermeasures Ethics and legality
2013/8/23
MovieStealer Design
2013/8/23
10
Approach overview
Goal: find the decrypted stream!
Data-paths
Statistical analysis Dumping & rebuilding
2013/8/23 Usenix Security 2013 11
Approach overview
Goal: find the decrypted stream!
Loop detection
Buffer detection Data-paths Statistical analysis Dumping & rebuilding
2013/8/23 Usenix Security 2013 12
BasicBlock E Unrolled
2013/8/23
14
2013/8/23
15
Approach review
Goal: find the decrypted stream!
Loop detection
Buffer detection Data-paths Statistical analysis Dumping & rebuilding
2013/8/23 Usenix Security 2013 16
Buffer detection
Reason about buffers based on access patterns
Consecutive bytes Inconsecutive blocks
0x1000 Original buffer 0x1000 0x1000
Original buffer
Original buffer Original buffer Original buffer Original buffer
0x1004
0x1008 Composite buffer 0x100c 0x1010 Original buffer Original buffer 0x1018
Usenix Security 2013
0x1004
0x1008 0x100c 0x1010 Composite buffer
0x1014
0x1018
2013/8/23
0x1014
0x1014
Composite buffer 0x1018
17
Approach review
Goal: find the decrypted stream!
Loop detection
Buffer detection Data-paths Statistical analysis Dumping & rebuilding
2013/8/23 Usenix Security 2013 18
Data-paths
Buffer_in A Buffer_in B
Identify paths through a loop which modify the input data to output data
A sensible data-path, find it!
Loop
Buffer_out
2013/8/23
19
Approach review
Goal: find the decrypted stream!
Loop detection
Randomness
In 100
Out
80
60
40
20
0
L1 L2 L3 L4 L5 L6 L7 L8 L9
20
2013/8/23
21
Output
Decode
2013/8/23
22
Approach review
Goal: find the decrypted stream!
Loop detection
Buffer detection Data-paths Statistical analysis Dumping & rebuilding
2013/8/23 Usenix Security 2013 23
* Intentionally omitted
2013/8/23 Usenix Security 2013 24
Workflow
Start playing the video
Make MovieStealer begin analysis Wait for a few minutes
Harvest
2013/8/23 Usenix Security 2013 25
MovieStealer Optimizations
2013/8/23
26
Wont sniff enough data Media players dont function normally Some media players check the performance Might get caught by checking systems of DRM
2013/8/23 Usenix Security 2013 27
Optimizations
Goal: minimize overheads! Improved loop selection Efficient loop analysis On-Demand instrumentation Execution frequency Instruction analysis Bandwidth filtering Copying optimizations Callstack key
2013/8/23
Callstack key
void crypto_loop(const char *key, void *in, void *out, int len); void encrypt() { crypto_loop("key", dec, enc, len); } void decrypt() { crypto_loop("key", enc, dec, len); } on_enter callstack_key ^= func_addr on_exit callstack_key ^= func_addr
2013/8/23 Usenix Security 2013 29
Experimental Results
2013/8/23
30
Implementation
Dynamic binary instrumentation (DBI)
Intel PIN framework
2013/8/23
31
Evaluation
GnuPG for testing optimizations
Three DRM platforms
Microsoft PlayReady (Netflix) Adobe RTMPE (Hulu and Amazon Video) Spotify's music protection
2013/8/23
32
Results - GPG
Optimizations
Only execution frequency Only bandwidth filtering Only instruction analysis
Loops Instrumented
40 35 10
Seconds Elapsed
3480 (112x) 180 (5.8x) 49 (1.58x)
6
7
3480
47 (1.51x)
31
Seconds Elapsed
31 All enabled
2013/8/23
180 49 Only instruction Only bandwidth analysis Usenix Security filtering 2013
33
Results - DRM
Platform Netflix Hulu Amazon Video Spotify Protection Dynamic code Packing and self-checking
Loops Instrumented
2274 1529 1258 2305
Loops Traced
58 46 35 224
Buffers Identified
80 14 6 60
Seconds Elapsed*
110 281 146 536
Countermeasures
2013/8/23
35
Countermeasures
Attack the instrumentation
Anti-debugging
Anti-piracy
Watermarking
2013/8/23
36
2013/8/23
37
Ethics
Responsible disclosure
Contacted Microsoft, Spotify, Adobe, Amazon, Netflix, and Hulu Microsoft, Spotify, and Adobe responded
Tested MovieStealer Confirmed DRM bypass Provided comments and encouraged publication
2013/8/23
38
Legality
We believe this work to be legal under DMCA
Consulted with UC counsel and the EFF Thank you all
2013/8/23
39
Acknowledgement
Thanks for support from Microsoft, Adobe, and Spotify Thanks Kevin Borgolte, Yanick Fratantonio, Christian Kreibich, and Thorsten Holz for presentation advice
2013/8/23
40
Contact info
Send us an email fish@cs.ucsb.edu, yans@cs.ucsb.edu, chris@cs.ucsb.edu, vigna@cs.ucsb.edu
2013/8/23
41
Question time
Questions?
2013/8/23
42