Detailed Analysis of Content Protection in Vista
According to Peter Gutmann, some key components that handle multimedia have been significantly reworked in the new operating system. The purpose of these changes is to protect so-called "premium content": the files that are usually copied from Blu-ray or HD-DVD discs. The problem is that implementing this protection significantly reduces system performance and stability and raises the cost of support, hardware and software. According to Gutmann, these costs will be borne not only by individual users but by the entire global computer industry.
In his article “A Cost Analysis of Windows Vista Content Protection” (a poor translation into Russian also exists), Peter Gutmann analyzes the price all of us will have to pay for the content protection technology in Windows Vista. We publish the key points of that article.
Disabling Functionality
The content protection mechanism passes protected material only through interfaces with built-in protection and disables the remaining interfaces. Today, S/PDIF (Sony/Philips Digital Interface Format) is the interface most often used for high-quality audio output. Most new audio cards have a TOSlink optical digital output, and even the latest generation of motherboards includes at least a coaxial (and often an optical) output. Because S/PDIF has no built-in protection, Vista requires the interface to be disabled while protected content is playing. In the same way, the unprotected YPbPr channel is disabled when protected video is viewed in Vista.
Indirectly disabling functionality
For VoIP telephony, for example, automatic echo cancellation (AEC) is a critical feature. When AEC is working, the return signal is mixed into the main signal stream, but Vista's protection does not allow this, because it would open a path to the protected content. Vista only allows the transmission of a badly damaged, degraded signal, which makes AEC more efficient.
Decreased playback quality
In addition to prohibiting playback outright, Vista requires every interface that carries protected streams to degrade the quality of the signal it transmits. This is done by a constrictor, which reduces the signal to a much lower level and then scales it back up, with a significant loss of quality.
Destruction of open hardware standards
To prevent the creation of hardware device emulators, Vista performs a “Hardware Functionality Scan” (HFS), which takes unique “fingerprints” of devices and checks that they are genuine. For this to work, the specification requires the details of how devices operate to remain confidential. Obviously, any programmer who has access to the protocol and can write a driver for it knows enough to simulate an HFS response. The only way to protect the fingerprint scan is to publish no technical specifications beyond the necessary minimum.
Destroying Unified Drivers
Another consequence of HFS scanning.
Sabotage of "objectionable" drivers
As soon as a vulnerability that allows protected content to be copied is found in a specific driver or device, Microsoft revokes its signature, which means that it stops working. The details here are vague; perhaps minimal functionality for the device will still be preserved.
Behind the threat of driver revocation stands the threat of multimillion-dollar fines and embargoes on future driver versions, in addition to the threat, described above, of revoking a device’s permission to work.
System reliability degradation
Vista requires devices to set so-called “tilt bits” if they notice anything unusual. For example, if unusual voltage fluctuations, bus signal glitches, or slightly corrupted return codes (the status returned by a successful operation) after a function call are observed, a tilt bit is set.
“Failures” of this kind happen often in normal operation. Previously this was not a problem: systems were designed with some margin of safety, and such events did not interfere with their work. With the introduction of tilt bits, all of that robustness disappears. Any normally imperceptible glitch becomes significant, because it could be a sign of an attack on protected content.
Increase in equipment cost
Protecting such amazingly valuable “premium content” requires additional labor for driver development and user support. Of course, the bulk of that load will fall on equipment manufacturers.
Excessive CPU load
To prevent interference with the content protection system’s internal communications, all messages must be encrypted and authenticated. For example, the stream to the video card must be encrypted with AES-128. The cryptography requirements extend beyond data encryption to commands and even to control traffic between program components. For example, communication between user-mode and kernel-mode components must be authenticated with OMAC tags.
To prevent active attacks, drivers must poll the hardware every 30 ms. Further polls are made on top of this: for example, Vista queries the video device for every frame displayed, to verify that the tilt bits are in the state they are supposed to be in.
Conclusion
An analysis of the content protection system clearly shows that the whole design of Windows Vista is built around this one basic idea. A typical example: blocks of protected “premium content” in memory are marked with a special protection bit and encrypted so that this information cannot be copied to the hard drive. However, Vista does not prescribe any other memory encryption, and will happily leave your bank passwords, account and credit card information, personal data, etc. unencrypted. The security mechanism Microsoft has built in makes it clear that what the company regards as “premium content” is worth much more to it than a user's bank passwords.
Why is Microsoft going to such unprecedented lengths? There can be only one logical explanation. If Microsoft succeeds in making Vista the standard OS, the corporation will have exclusive control over the distribution channels for protected digital information. “The result will be a technologically complete monopoly, compared to which today's de facto Windows monopoly will seem like an era of heaven on earth,” says Peter Gutmann.