SlideShare a Scribd company logo
1 of 28
Download to read offline
Designing and Attacking DRM
Nate Lawson | Root Labs | 2008/4/11 | Session Code: HT1-402
If you pay attention, you’ll learn…
• Why software protection matters
• Attack methods
  – Tools & techniques
• Design principles
  – Model: mesh vs. chain
  – Anti-debugging is no panacea
• Update: who’s cracked or not




                                      2
My background
• Root Labs founder
  – Design and analyze security schemes
  – Emphasis on embedded, kernel, software protection, and
    crypto
• IBM/ISS
  – Original developer of RealSecure IDS
• Cryptography Research
  – Co-designed Blu-ray disc content protection layer, aka BD+




                                                                 3
In the past, DRM was simple
• Copy protection (1980’s)
   – Simple goal: only run from the original floppy media
   – No privacy problems
   – Relatively harmless
       – Some games did format themselves if not properly cracked
   – Legal restrictions only via copyright, not on analyzing schemes or
     releasing tools




                                                                          4
Today, bad DRM is too common
• Goals overly complex
   – Can share among a few devices but not too many
   – Expiration dates, limited number of plays
• Privacy problems
   – Network access
   – Cookies
• Collateral damage when it goes bad
• Dangerous and unclear legal environment

• If there’s going to be DRM, make it simpler!


                                                      5
Definition: software protection
• Software protection is the technical enforcement
  mechanism
   – DRM is the policy, a different talk
• Composed from:
   –   Integrity protection
   –   Obfuscation/anti-debugging
   –   Encryption/key management
   –   Renewability




                                                     6
Why you will care
Laptop disk encryption

• Common myth: software protection only matters for DRM
• Nope!
   – “Cold Boot Attacks on Encryption Keys”, Halderman et al
      – Extract FileVault key from RAM after a reboot
      – Or, freeze RAM with cold spray and move to another computer
• If you use software encryption, you need effective
  obfuscation
   – Since the key is somewhere in RAM, key hiding vital
   – Exactly same problem as DRM




                                                                      8
Exploit protection
• If you want to make exploits difficult, obfuscate
   – Address layout randomization
   – Initial stack configuration
   – Future: compilers will randomize code generation
• Integrity checking
   – Stack canaries
   – Vista PatchGuard (aka Kernel Patch Protection)
• Same measures as DRM




                                                        9
Malware analysis
• Malware hides with same techniques as DRM
   – But worse!
• DRM designers have the harder problem
   – “Do no harm”
      – Debuggers must be allowed for legitimate work
      – No persistent modifications
      – Avoid interfering with Vista PatchGuard


• All these areas require knowledge of the same techniques
  as designing or analyzing DRM



                                                         10
Designing software protection
Software protection design principles
• Mesh vs. chain
   – Protection measures should be mutually enforcing
      – Example: two threads hashing each other
   – A chain is a long series of links
      – Failure of any one link and it falls apart
• Full integration with application functions
   – Protection must be intertwined with main functionality
• Renewability
   – Provide yourself a way to repair hacks




                                                              12
Integrity protection
• Goal: respond to modifications
   – Explicit: detect and perform some action
   – Implicit: modifications directly cause change
• Many things can perturb the environment
   – Patching
   – INT3 breakpoints
   – Attaching debugger
• Implicit integrity protection better than explicit
   – Check/response are not separable logic
   – Prevent “divide-and-conquer”




                                                       13
Obfuscation/anti-debugging
• Goal: make inspection more difficult
   – Obfuscation: logic becomes harder to understand or patch
     coherently
   – Anti-debugging: respond to the act of inspecting the program
• Better if mixed with integrity protection
   – Example: hash the results of various anti-debugging checks and
     use as key to decrypt next function
• Most anti-debugging is poorly-implemented
   – Single point checks with if/then logic




                                                                      14
Encryption/key management
• Encryption in software protection is a type of
  obfuscation
   – Cipher+key in some form present in memory
• Key management
   – Broadcast encryption
      – Encrypt content key with lots of keys
      – Stop doing this for known-hacked keys
   – Software protection can make this more versatile
      – “You must be at least this unhacked to decrypt the
        video”




                                                             15
Renewability
• Every scheme needs a survival plan
• Online updates
   – Common in a PC environment
   – Caveats: version roll-back, privacy
• Piggy-backing on content
   – Better in embedded/cross-platform environments
   – Caveat: heterogeneity complicates testing
   – Examples
      – DTV/Dish send updates in channel stream (“ECMs”)
      – BD+ puts protection logic on each Blu-ray disc




                                                           16
Tools & techniques
Historical reverser’s toolbag
• In the past
   –   debug.exe
   –   SoftICE with iceext
   –   IDA Pro doing static disassembly
   –   Hex editor


• Today
   –   IDA, Ollydbg
   –   Bindiff, binnavi
   –   Paimei
   –   Custom tools


                                          18
Tip: go to ring 0

• Even if you’re attacking a user-mode app, kernel access
  gives a powerful viewpoint
   – Full access to thread state
   – No modification of process memory (i.e., int3 instruction)
   – Access to page protection, MSRs, etc. allow stealth schemes
• More advanced
   – Patch bochs/qemu
   – Write your own hypervisor debug stub




                                                                   19
WinDbg is awesome
• Powerful tool for reversing
   –   Kernel and usermode access
   –   Automatic symbol server
   –   x86 32 and 64-bit support
   –   Extensions for common tasks (“!peb”)
   –   Open plug-in interface
   –   Free
• Downsides
   – No third-party CPU extensions (sorry ARM)
• Let’s make it the next SoftICE



                                                 20
Tip: use debug registers creatively
• Intel processors have hardware breakpoints
   – DR0-3: addresses to be monitored
   – DR6: status bits that describe which event occurred
   – DR7: configures the type of event to monitor for each address
• Interesting side effects
   – DR4-5 are aliases for DR6-7 if the CR4.DE bit is clear
   – DR7.GD bit causes reads or writes to any of the debug registers to
     generate an INT1
      • Legacy behavior from ICE days




                                                                      21
Update on recent hacks
Recent hacks this year
• Nintendo Wii
   – Loader compromised (tmbinc; Dec)
   – Software save game hack (bushing, segher, tmbinc; Feb)
• Windows Media DRM
   – drmdbg decrypts keys and is staying current with updates (Jan)
• iTunes
   – requiem decrypter released, removed via C&D (Feb)
   – Tools that rip audio samples from memory still exist (QTFairUse6,
     myFairTunes7)
• iPhone
   – Bootloader software compromise (iPhone Dev Team; March)


                                                                         23
AACS vs. BD+
• Both allow updates to security
   – AACS: new MKBs and player keys
   – BD+: new software on discs
• Effectiveness metrics
   – How long each update survives before being hacked (L)
   – How frequently the updates appear (T)
      – If L < T, you are releasing new discs into an already-hacked
        environment!
• Goal: increase L, decrease T




                                                                       24
Timeline of hacks

                  2007                         2008


  v1 (Apr 2006)          v3 (May)   v4 (Oct)           v7 (Apr)   Jul? Oct?




                   X      X             X               X
AACS
                                    v1 (Oct)          Mar


                                                            ?
BD+                                                   X
AACS analysis
• Not doing so hot
   – Very low L (length of time update is unbroken)
      – -2 … +2 weeks if you throw out the initial period
   – Long T (time between updates)
      – < 3 months not allowed by business agreements
      – Up to 18 months if hacked player not identified
      – Appears to be steady now at every 6 months
• Game over or …?
   – Unmasking the Slysoft oracle
   – Sequence keys




                                                            26
BD+ analysis
• Too early to tell
• Flexible L
   – Software protection can be a small or large barrier, depending on
     effort invested
• Potentially lower T
   – Update schedule in hands of disc authors
      • Potentially less parties to coordinate with for updates
      • Just test and ship a disc
• 2008 will be an exciting year!




                                                                         27
Questions?



  For more on software protection, check out my blog “rdist” at:
                      rootlabs.com

More Related Content

What's hot

CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botGroup of company MUK
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat Security Conference
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMITamas K Lengyel
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Virtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudVirtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudTjylen Veselyj
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure  BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine IntrospectionTamas K Lengyel
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco GrassiShakacon
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakesJustin Black
 
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008guest642391
 

What's hot (20)

CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving bot
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMI
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
Virtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudVirtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the Cloud
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure  BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-room
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakes
 
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
 

Viewers also liked

Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Honorary_BoT
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Foundations of Platform Security
Foundations of Platform SecurityFoundations of Platform Security
Foundations of Platform SecurityNate Lawson
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Nate Lawson
 
ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)Nate Lawson
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Nate Lawson
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)Nate Lawson
 
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)Nate Lawson
 
ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)Nate Lawson
 
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Nate Lawson
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS OptimizationNate Lawson
 
TLS/SSL MAC security flaw
TLS/SSL MAC security flawTLS/SSL MAC security flaw
TLS/SSL MAC security flawNate Lawson
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006Nate Lawson
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol DesignNate Lawson
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 

Viewers also liked (19)

Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
Foundations of Platform Security
Foundations of Platform SecurityFoundations of Platform Security
Foundations of Platform Security
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
 
ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)
 
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
 
ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)
 
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS Optimization
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
TLS/SSL MAC security flaw
TLS/SSL MAC security flawTLS/SSL MAC security flaw
TLS/SSL MAC security flaw
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 

Similar to Designing and Attacking DRM (RSA 2008)

Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Mark Minasi Introducing Windows 7
Mark Minasi   Introducing Windows 7Mark Minasi   Introducing Windows 7
Mark Minasi Introducing Windows 7Nathan Winters
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static AnalysisConSanFrancisco123
 
An Introduction To Android
An Introduction To AndroidAn Introduction To Android
An Introduction To Androidnatdefreitas
 
Windows optimization and customization
Windows optimization and customizationWindows optimization and customization
Windows optimization and customizationHiren Mayani
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Android Overview
Android OverviewAndroid Overview
Android Overviewatomi
 
Scaling Rails with memcached
Scaling Rails with memcachedScaling Rails with memcached
Scaling Rails with memcachedelliando dias
 
Challenges In Managing Embedded Product Development
Challenges In Managing Embedded Product DevelopmentChallenges In Managing Embedded Product Development
Challenges In Managing Embedded Product DevelopmentAtul Nene
 
[CB20] Reverse Engineering archeology : Reverse engineering multiple devices ...
[CB20] Reverse Engineering archeology : Reverse engineering multiple devices ...[CB20] Reverse Engineering archeology : Reverse engineering multiple devices ...
[CB20] Reverse Engineering archeology : Reverse engineering multiple devices ...CODE BLUE
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Adversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the ProsAdversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the Prossixdub
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsJustin Warner
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability  Agile Methods To Support Massive Growth PresentationJust In Time Scalability  Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationLong Nguyen
 
Working With People Adl Uni
Working With People Adl UniWorking With People Adl Uni
Working With People Adl UniMatthew Landauer
 

Similar to Designing and Attacking DRM (RSA 2008) (20)

Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
Mark Minasi Introducing Windows 7
Mark Minasi   Introducing Windows 7Mark Minasi   Introducing Windows 7
Mark Minasi Introducing Windows 7
 
Becoming a Power User
Becoming a Power UserBecoming a Power User
Becoming a Power User
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static Analysis
 
Desk Maintenance
Desk MaintenanceDesk Maintenance
Desk Maintenance
 
An Introduction To Android
An Introduction To AndroidAn Introduction To Android
An Introduction To Android
 
Windows optimization and customization
Windows optimization and customizationWindows optimization and customization
Windows optimization and customization
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Android Overview
Android OverviewAndroid Overview
Android Overview
 
Scaling Rails with memcached
Scaling Rails with memcachedScaling Rails with memcached
Scaling Rails with memcached
 
Challenges In Managing Embedded Product Development
Challenges In Managing Embedded Product DevelopmentChallenges In Managing Embedded Product Development
Challenges In Managing Embedded Product Development
 
OpenStack Days Krakow
OpenStack Days KrakowOpenStack Days Krakow
OpenStack Days Krakow
 
[CB20] Reverse Engineering archeology : Reverse engineering multiple devices ...
[CB20] Reverse Engineering archeology : Reverse engineering multiple devices ...[CB20] Reverse Engineering archeology : Reverse engineering multiple devices ...
[CB20] Reverse Engineering archeology : Reverse engineering multiple devices ...
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Cryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use CasesCryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use Cases
 
Adversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the ProsAdversarial Post Ex - Lessons from the Pros
Adversarial Post Ex - Lessons from the Pros
 
Adversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The ProsAdversarial Post-Ex: Lessons From The Pros
Adversarial Post-Ex: Lessons From The Pros
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability  Agile Methods To Support Massive Growth PresentationJust In Time Scalability  Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
 
Working With People Adl Uni
Working With People Adl UniWorking With People Adl Uni
Working With People Adl Uni
 

Recently uploaded

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 

Recently uploaded (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

Designing and Attacking DRM (RSA 2008)

  • 1. Designing and Attacking DRM Nate Lawson | Root Labs | 2008/4/11 | Session Code: HT1-402
  • 2. If you pay attention, you’ll learn… • Why software protection matters • Attack methods – Tools & techniques • Design principles – Model: mesh vs. chain – Anti-debugging is no panacea • Update: who’s cracked or not 2
  • 3. My background • Root Labs founder – Design and analyze security schemes – Emphasis on embedded, kernel, software protection, and crypto • IBM/ISS – Original developer of RealSecure IDS • Cryptography Research – Co-designed Blu-ray disc content protection layer, aka BD+ 3
  • 4. In the past, DRM was simple • Copy protection (1980’s) – Simple goal: only run from the original floppy media – No privacy problems – Relatively harmless – Some games did format themselves if not properly cracked – Legal restrictions only via copyright, not on analyzing schemes or releasing tools 4
  • 5. Today, bad DRM is too common • Goals overly complex – Can share among a few devices but not too many – Expiration dates, limited number of plays • Privacy problems – Network access – Cookies • Collateral damage when it goes bad • Dangerous and unclear legal environment • If there’s going to be DRM, make it simpler! 5
  • 6. Definition: software protection • Software protection is the technical enforcement mechanism – DRM is the policy, a different talk • Composed from: – Integrity protection – Obfuscation/anti-debugging – Encryption/key management – Renewability 6
  • 8. Laptop disk encryption • Common myth: software protection only matters for DRM • Nope! – “Cold Boot Attacks on Encryption Keys”, Halderman et al – Extract FileVault key from RAM after a reboot – Or, freeze RAM with cold spray and move to another computer • If you use software encryption, you need effective obfuscation – Since the key is somewhere in RAM, key hiding vital – Exactly same problem as DRM 8
  • 9. Exploit protection • If you want to make exploits difficult, obfuscate – Address layout randomization – Initial stack configuration – Future: compilers will randomize code generation • Integrity checking – Stack canaries – Vista PatchGuard (aka Kernel Patch Protection) • Same measures as DRM 9
  • 10. Malware analysis • Malware hides with same techniques as DRM – But worse! • DRM designers have the harder problem – “Do no harm” – Debuggers must be allowed for legitimate work – No persistent modifications – Avoid interfering with Vista PatchGuard • All these areas require knowledge of the same techniques as designing or analyzing DRM 10
  • 12. Software protection design principles • Mesh vs. chain – Protection measures should be mutually enforcing – Example: two threads hashing each other – A chain is a long series of links – Failure of any one link and it falls apart • Full integration with application functions – Protection must be intertwined with main functionality • Renewability – Provide yourself a way to repair hacks 12
  • 13. Integrity protection • Goal: respond to modifications – Explicit: detect and perform some action – Implicit: modifications directly cause change • Many things can perturb the environment – Patching – INT3 breakpoints – Attaching debugger • Implicit integrity protection better than explicit – Check/response are not separable logic – Prevent “divide-and-conquer” 13
  • 14. Obfuscation/anti-debugging • Goal: make inspection more difficult – Obfuscation: logic becomes harder to understand or patch coherently – Anti-debugging: respond to the act of inspecting the program • Better if mixed with integrity protection – Example: hash the results of various anti-debugging checks and use as key to decrypt next function • Most anti-debugging is poorly-implemented – Single point checks with if/then logic 14
  • 15. Encryption/key management • Encryption in software protection is a type of obfuscation – Cipher+key in some form present in memory • Key management – Broadcast encryption – Encrypt content key with lots of keys – Stop doing this for known-hacked keys – Software protection can make this more versatile – “You must be at least this unhacked to decrypt the video” 15
  • 16. Renewability • Every scheme needs a survival plan • Online updates – Common in a PC environment – Caveats: version roll-back, privacy • Piggy-backing on content – Better in embedded/cross-platform environments – Caveat: heterogeneity complicates testing – Examples – DTV/Dish send updates in channel stream (“ECMs”) – BD+ puts protection logic on each Blu-ray disc 16
  • 18. Historical reverser’s toolbag • In the past – debug.exe – SoftICE with iceext – IDA Pro doing static disassembly – Hex editor • Today – IDA, Ollydbg – Bindiff, binnavi – Paimei – Custom tools 18
  • 19. Tip: go to ring 0 • Even if you’re attacking a user-mode app, kernel access gives a powerful viewpoint – Full access to thread state – No modification of process memory (i.e., int3 instruction) – Access to page protection, MSRs, etc. allow stealth schemes • More advanced – Patch bochs/qemu – Write your own hypervisor debug stub 19
  • 20. WinDbg is awesome • Powerful tool for reversing – Kernel and usermode access – Automatic symbol server – x86 32 and 64-bit support – Extensions for common tasks (“!peb”) – Open plug-in interface – Free • Downsides – No third-party CPU extensions (sorry ARM) • Let’s make it the next SoftICE 20
  • 21. Tip: use debug registers creatively • Intel processors have hardware breakpoints – DR0-3: addresses to be monitored – DR6: status bits that describe which event occurred – DR7: configures the type of event to monitor for each address • Interesting side effects – DR4-5 are aliases for DR6-7 if the CR4.DE bit is clear – DR7.GD bit causes reads or writes to any of the debug registers to generate an INT1 • Legacy behavior from ICE days 21
  • 23. Recent hacks this year • Nintendo Wii – Loader compromised (tmbinc; Dec) – Software save game hack (bushing, segher, tmbinc; Feb) • Windows Media DRM – drmdbg decrypts keys and is staying current with updates (Jan) • iTunes – requiem decrypter released, removed via C&D (Feb) – Tools that rip audio samples from memory still exist (QTFairUse6, myFairTunes7) • iPhone – Bootloader software compromise (iPhone Dev Team; March) 23
  • 24. AACS vs. BD+ • Both allow updates to security – AACS: new MKBs and player keys – BD+: new software on discs • Effectiveness metrics – How long each update survives before being hacked (L) – How frequently the updates appear (T) – If L < T, you are releasing new discs into an already-hacked environment! • Goal: increase L, decrease T 24
  • 25. Timeline of hacks 2007 2008 v1 (Apr 2006) v3 (May) v4 (Oct) v7 (Apr) Jul? Oct? X X X X AACS v1 (Oct) Mar ? BD+ X
  • 26. AACS analysis • Not doing so hot – Very low L (length of time update is unbroken) – -2 … +2 weeks if you throw out the initial period – Long T (time between updates) – < 3 months not allowed by business agreements – Up to 18 months if hacked player not identified – Appears to be steady now at every 6 months • Game over or …? – Unmasking the Slysoft oracle – Sequence keys 26
  • 27. BD+ analysis • Too early to tell • Flexible L – Software protection can be a small or large barrier, depending on effort invested • Potentially lower T – Update schedule in hands of disc authors • Potentially less parties to coordinate with for updates • Just test and ship a disc • 2008 will be an exciting year! 27
  • 28. Questions? For more on software protection, check out my blog “rdist” at: rootlabs.com