Monday, August 27, 2007 2:04 PM cmosby

McAfee Avert Labs Blog - Digital Reality Misunderstanding

That made up my mind, I am not buying this game... 

Digital Reality Misunderstanding

Friday August 24, 2007 at 10:36 am CST
Posted by Seth Purdy


The Tuesday release of the much-anticipated computer game BioShock has quickly turned up another clash between enthusiastic customers and the interests of publishers and copyright control. Reports indicate that the PC versions of the game, whether purchased on physical DVD media or via the Steam online distribution service, utilize a DRM scheme that limits the number of installations possible with a given license key. The apparent limit of two installations per license (due to customer uproar, it appears this number is being raised to five) poses hurdles for users facing frequent system upgrades or recovery from system failures.

Interestingly, content owners and publishers face the same fundamental conundrum in implementing DRM as malware writers do in attempting to encrypt or otherwise obfuscate the code of their creations. The crux of it is this: If, in the end, you need to actually run code or play media content, there will necessarily be a time at which it runs in the original, unprotected form.

For the DRM case, let’s take commercial movies as an example. The data on DVDs, HD-DVDs, and Blu-ray discs is encrypted. But ultimately you need to get the original unencrypted data onto a display device. There’s simply no way around it. The player itself handles the initial decryption. Setting aside the flaws uncovered in the CSS and, more recently, AACS implementations, that was generally sufficient until purely digital displays and connections became more prevalent. At that point there was a risk of perfect digital duplication by simply sampling the unencrypted output from a player. HDCP is a clever attempt to plug that hole. It establishes an encrypted link between the player and display, moving the point at which the digital data is in its “raw” unprotected state as close as possible to the final output stage (within the processing electronics of the display itself), thus making digital duplication of the unprotected content more difficult. But still, the final unencrypted data has to be produced on the customer’s equipment for viewing. As such, an HDCP-compliant device could be constructed to gain access to that data and copy it.

In the case of BioShock it’s not raw media content being decrypted and displayed, but the act of allowing the game to run. At some point, after whatever checks or validation schemes are used, the customer needs to be able to actually play the game. As long as that path leads to the eventual successful launch of the game (all the data and resources needed for it to run are already on the system once it’s installed), it is possible to find a way to circumvent it and cut the DRM controls out of the picture.

Malware writers face a similar challenge when trying to obscure the code of their creations from security software using packers or encryption. Try as they might, they can’t get around the hard fact that they ultimately need to execute their original unobfuscated machine code. To do that, it has to exist in that state on the system at some point, even if as only one instruction at a time in memory. And since that’s true, we’ll always have a basic opportunity to get at it (though this is more difficult in some cases than in others).

Although the copyright lawyers may wish it otherwise, it’s a zero-sum game between usability and control. The only way to absolutely ensure that publicly distributed media content won’t be pirated, software won’t be run in an unauthorized way, or native code be accessed and identified is to encrypt the entire thing using a very strong algorithm with a highly random key, and then delete or never reveal that key to anyone. Did I say “absolutely”? That’s not quite right. The encryption algorithm or key chosen may have an unknown weakness that could later be revealed, so the only guaranteed solution is not to release the data at all! Of course, for a commercial product that would present a bit of a challenge for the marketing department (digital Cheese Shop, anyone?) and in the case of a malware executable would render it similarly useless to the author.

Unfortunately, in the case of DRM, trying to strike a balance between some degree of control and maintaining the ability of the software or media to operate can often end up inconveniencing and angering legitimate users. Pirates, on the other hand, will happily exploit this fundamental flaw of the situation as they develop software cracks and duplication methods to circumvent the protection.

However, in the case of security software versus malware obfuscation, that same flaw ensures there will always be at least one chink in the armor for us to work on when we tackle the latest virus or Trojan.
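The argument above about packers, shown from the scanner's side in an added example (not code from the original post or from McAfee): a signature that misses the encoded bytes on disk matches once the layers have been undone in memory. The marker, the keys and the repeating-key XOR layers are constructed stand-ins for a real payload and packer.

```python
import itertools
from typing import List, Optional

# Constructed, harmless marker standing in for a byte signature of the original code.
SIGNATURE = b"DEMO-PAYLOAD-MARKER"
PAYLOAD = b"\x90\x90" + SIGNATURE + b"\xc3"   # constructed stand-in for unobfuscated code
KEYS = [b"\x5a", b"\x13\x37\xc0"]             # constructed keys, one per packing layer


def xor_layer(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so it both packs and unpacks."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def pack(payload: bytes, keys: List[bytes]) -> bytes:
    """Apply one encoding layer per key, the way a multi-layer packer would."""
    for key in keys:
        payload = xor_layer(payload, key)
    return payload


def static_scan(image: bytes) -> bool:
    """Signature match over the bytes exactly as they sit on disk."""
    return SIGNATURE in image


def scan_during_unpack(image: bytes, keys: List[bytes]) -> Optional[int]:
    """Model the unpacking stub running, scanning the memory image after each layer.

    Returns the number of layers removed when the signature became visible,
    or None if it never appeared.
    """
    for depth, key in enumerate(reversed(keys), start=1):
        image = xor_layer(image, key)
        if SIGNATURE in image:
            return depth
    return None


if __name__ == "__main__":
    packed = pack(PAYLOAD, KEYS)
    print("match on disk:          ", static_scan(packed))
    print("match after N layers, N:", scan_during_unpack(packed, KEYS))
```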

Source: Computer Security Research - McAfee Avert Labs Blog
