Detailed analysis of the content protection system in Vista
As Peter Gutman writes, in the new operating system some key components working with multimedia information have been significantly reworked. The purpose of this rework is to protect the so-called "luxury content" - those files that are usually copied from Blu-Ray or HD-DVD discs. The problem is that the implementation of such protection leads to a significant decrease in system performance and stability, an increase in the cost of support, equipment and software. According to Gutman, these costs will fall on the shoulders not only of individual users, but also on the entire global computer industry.
In his article “A Cost Analysis of Windows Vista Content Protection” ( bad translation into Russian ), Peter Gutman analyzes what price we all have to pay for the content protection technology in Windows Vista. We publish the key points from this article.
Disable functionality
The material protection mechanism only allows protected materials to pass through interfaces with built-in protection, and disables other interfaces. Today, S / PDIF (Sony / Philips Digital Interface Format) is most often used for high-quality audio output. Most newer audio cards have an optical TOSlink digital output, and even the latest generation of motherboards include at least a coaxial (and often optical) output. Since S / PDIF does not have built-in protections, Vista requires the interface to be disabled if protected content is played. Similarly, the YPbPr channel is disabled when viewing secured videos through unprotected Vista interfaces.
Indirect shutdown functionality
For example, for VoIP telephony, automatic echo cancellation (AEC) is a critical feature. When the AEC function is in operation, the reverse signal is mixed into the main signal stream, but Vista protection will not allow this, since in this case there is a danger of access to the protected content. Vista only allows the transmission of a badly damaged, degraded signal, which makes it difficult for AEC to work effectively.
')
Reduced playback quality
In addition to a direct ban on playback, Vista requires that each interface servicing the protected streams spoil the quality of the transmitted signal. This is done through a “narrowing system” (constrictor), which degrades the signal to a much lower level, and then restores it again, but with a significant decrease in quality.
Destruction of open standards for equipment
In order to prevent the creation of emulators with wired devices, Vista performs a “component functionality scan” (Hardware Functionality Scan, HFS), which receives unique “fingerprints” of devices and ensures that they are real. For this to work, the specification requires that the operational details of the operation of the devices remain confidential. Obviously, any programmer who has access to the protocol and is able to write a driver for him knows enough to mimic the HFS response. The only way to protect scans of "prints" is to not release any technical specifications, except for the necessary minimum.
Destruction of unified drivers
Another consequence of the HFS scan.
Sabotage "undesirable" drivers
As soon as a vulnerability is found in a specific driver or device that allows copying protected content, its signature identification is revoked by Microsoft, which means that it stops working. The details here are vague, perhaps the minimum functionality for the device will still be preserved.
The threat of driver recall is the threat of multi-million dollar fines and embargoes on future driver versions, in addition to the threat of revoking a device authorization described above.
System degradation
Vista requires devices to write something called “tilt bits” if they notice anything out of the ordinary. For example, if there are unusual voltage fluctuations, failures of signals on buses, slightly damaged return codes (return status of operation success) after calling the function, the system sets the “tilt bit”.
Such “failures” in the work of programs often occur. Previously, this was not a problem - the systems were designed with some margin of safety, and this did not bring down their work. With the introduction of “tilt bits” all the stability disappears. Any usually inconspicuous oscillation becomes important, because it can be a sign of an attack on protected content.
Increase the cost of equipment
Protecting such amazingly valuable “luxury materials” requires additional labor for driver development and user support. Of course, the bulk of the burden will fall on equipment manufacturers.
CPU overhead
To prevent interference with the internal communications of the content protection system, all messages must be encrypted and authorized. For example, the stream to the video card must be encrypted with AES-128 code. Requirements for cryptography extend to encrypt data and encompass commands and even control between program components. For example, communications between user-mode and kernel-mode must be authorized by OMAC tags.
To prevent active attacks, drivers should contact the hardware with polls every 30 ms. In addition, additional polls are being made, for example, Vista accesses the video device while displaying each frame in order to check that the “tilt bits” are where they should be.
Conclusion
An analysis of the content protection system in the operating system clearly shows that the entire design of Windows Vista is designed around this basic idea. One characteristic example: blocks of protected "luxury content" in memory are marked with a special protection bit and are encrypted so that this information cannot be copied to the hard disk. However, Vista does not prescribe any other memory encryption, and will leave your bank passwords, account and credit card data, personal data, etc. with pleasure. The security mechanism built in by Microsoft makes it clear: what’s in their eyes is the “luxury stuff” costs much more than the user's bank passwords.
Why does Microsoft go to such unprecedented difficulties? There can be only one logical explanation. If Microsoft succeeds in making Vista a standard OS, then the corporation will have exclusive control over the distribution of protected digital information. “The result will be a technologically executed monopoly, compared to which today's de facto monopoly of Windows will seem like an era of heaven on earth,” says Peter Guttman.
In his article “A Cost Analysis of Windows Vista Content Protection” ( bad translation into Russian ), Peter Gutman analyzes what price we all have to pay for the content protection technology in Windows Vista. We publish the key points from this article.
Disable functionality
The material protection mechanism only allows protected materials to pass through interfaces with built-in protection, and disables other interfaces. Today, S / PDIF (Sony / Philips Digital Interface Format) is most often used for high-quality audio output. Most newer audio cards have an optical TOSlink digital output, and even the latest generation of motherboards include at least a coaxial (and often optical) output. Since S / PDIF does not have built-in protections, Vista requires the interface to be disabled if protected content is played. Similarly, the YPbPr channel is disabled when viewing secured videos through unprotected Vista interfaces.
Indirect shutdown functionality
For example, for VoIP telephony, automatic echo cancellation (AEC) is a critical feature. When the AEC function is in operation, the reverse signal is mixed into the main signal stream, but Vista protection will not allow this, since in this case there is a danger of access to the protected content. Vista only allows the transmission of a badly damaged, degraded signal, which makes it difficult for AEC to work effectively.
')
Reduced playback quality
In addition to a direct ban on playback, Vista requires that each interface servicing the protected streams spoil the quality of the transmitted signal. This is done through a “narrowing system” (constrictor), which degrades the signal to a much lower level, and then restores it again, but with a significant decrease in quality.
Destruction of open standards for equipment
In order to prevent the creation of emulators with wired devices, Vista performs a “component functionality scan” (Hardware Functionality Scan, HFS), which receives unique “fingerprints” of devices and ensures that they are real. For this to work, the specification requires that the operational details of the operation of the devices remain confidential. Obviously, any programmer who has access to the protocol and is able to write a driver for him knows enough to mimic the HFS response. The only way to protect scans of "prints" is to not release any technical specifications, except for the necessary minimum.
Destruction of unified drivers
Another consequence of the HFS scan.
Sabotage "undesirable" drivers
As soon as a vulnerability is found in a specific driver or device that allows copying protected content, its signature identification is revoked by Microsoft, which means that it stops working. The details here are vague, perhaps the minimum functionality for the device will still be preserved.
The threat of driver recall is the threat of multi-million dollar fines and embargoes on future driver versions, in addition to the threat of revoking a device authorization described above.
System degradation
Vista requires devices to write something called “tilt bits” if they notice anything out of the ordinary. For example, if there are unusual voltage fluctuations, failures of signals on buses, slightly damaged return codes (return status of operation success) after calling the function, the system sets the “tilt bit”.
Such “failures” in the work of programs often occur. Previously, this was not a problem - the systems were designed with some margin of safety, and this did not bring down their work. With the introduction of “tilt bits” all the stability disappears. Any usually inconspicuous oscillation becomes important, because it can be a sign of an attack on protected content.
Increase the cost of equipment
Protecting such amazingly valuable “luxury materials” requires additional labor for driver development and user support. Of course, the bulk of the burden will fall on equipment manufacturers.
CPU overhead
To prevent interference with the internal communications of the content protection system, all messages must be encrypted and authorized. For example, the stream to the video card must be encrypted with AES-128 code. Requirements for cryptography extend to encrypt data and encompass commands and even control between program components. For example, communications between user-mode and kernel-mode must be authorized by OMAC tags.
To prevent active attacks, drivers should contact the hardware with polls every 30 ms. In addition, additional polls are being made, for example, Vista accesses the video device while displaying each frame in order to check that the “tilt bits” are where they should be.
Conclusion
An analysis of the content protection system in the operating system clearly shows that the entire design of Windows Vista is designed around this basic idea. One characteristic example: blocks of protected "luxury content" in memory are marked with a special protection bit and are encrypted so that this information cannot be copied to the hard disk. However, Vista does not prescribe any other memory encryption, and will leave your bank passwords, account and credit card data, personal data, etc. with pleasure. The security mechanism built in by Microsoft makes it clear: what’s in their eyes is the “luxury stuff” costs much more than the user's bank passwords.
Why does Microsoft go to such unprecedented difficulties? There can be only one logical explanation. If Microsoft succeeds in making Vista a standard OS, then the corporation will have exclusive control over the distribution of protected digital information. “The result will be a technologically executed monopoly, compared to which today's de facto monopoly of Windows will seem like an era of heaven on earth,” says Peter Guttman.
Source: https://habr.com/ru/post/4907/
All Articles