
Friday December 29, 2006
Comments on Peter Gutmann's Vista paper
I've been reading Peter Gutmann's thought-provoking paper, "A Cost Analysis of Windows Vista Content Protection". It's startling stuff, and I recommend it to anyone.
It has raised a few questions in my mind which Gutmann doesn't cover, however, and I think they are worth making a note of:
- Many of the security measures discussed - particularly driver revocation - are predicated on the Vista box having an unfiltered connection to the Internet. What happens if the box doesn't have a network connection, or is on a physically isolated network, or is on a network behind a firewall which blocks traffic to or from microsoft.com addresses?
- There's a very interesting piece of breaking news (well, rumour) on the Schneierblog about AACS having been cracked, which also suggests that Internet connectivity is mandated for Blu-Ray player appliances - I think that enforcing this is almost impossible, given the ability to set the player's real-time clock...
- "Tilt bits" and matters of electrical tolerances between motherboards, power supplies and add-on cards will generate lots of false positives, as Gutmann suggests. I can not only say that the idea is basically insane, but I can also see hardware manufacturers refusing to implement tilt bits, or more likely, faking their functionality.
- Hardware Functionality Scans will, similarly, be faked. I don't see it being possible to stop such behaviour being emulated.
- I wonder whether folk who make things with S/PDIF out will be interested in Meridian High-Resolution Interconnect (MHR) smart link, this being (AFAIK) the only consumer digital high-res interconnect approved by the DVD consortium, and used as the interconnect between Meridian's DVD players and surround processors?
- Rather than spin a dedicated design for every card variant in order to meet "hardware robustness rules", I'd expect many manufacturers will instead adopt some of the methods used in Hardware Security Modules intended to meet reasonable levels of FIPS 140-2 certification, and start by covering their production boards in potting compound...
- Does all this "hardware robustness" for cards, as well as motherboards, give the lie to Trusted Computing? Or is the idea that every data-carrying device will have a TPM, eventually? I also hear anecdotally that the new Intel-based Macs don't have a TPM built-in, which makes me wonder...
- "System high" policy can be handled much more elegantly if you have an environment which is able to deal with labelled data. While Solaris 10 Trusted Extensions can do this, what the article describes is effectively that the contents of one's label_encodings, user_attr and exec_attr files are dictated by content providers rather than system owners... and this simply can't work.
Overall, I agree with Gutmann that what is being attempted is fundamentally impossible - although I don't agree with all the consequences he draws. Further, I believe that software vendors have no right to dictate what hardware vendors produce. I also must say that Note C made me grin, being Gutmann's view on DRM.
Finally, I can't see any Sun hardware ever being certified to run Vista, since the apparent need (as described in the article) to keep hardware details secret goes against our philosophy (even SPARC is famously open-source, see VHDL for a SPARC v8 implementation and our own Verilog of the T1 SPARC v9). However, as Vista appears to be Desktop-centric (have you seen any whispers of a server version?), this will only hit some of our workstation business - given the nature of the environments in which Sun Rays are used, I don't see a problem there.
Applying reductio ad absurdum, if Sun was to produce a Vista-certifiable desktop box, it might not be able to run Solaris (and certainly not OpenSolaris) as a consequence of its Vista-certifiability - or maybe killing non-Microsoft operating systems on generic x86 and x64 platforms is, again, Microsoft's real aim here?
Update:
Have just found out rather more about the Blu-Ray and other general HD DVD protection mechanisms courtesy of this fine article at Ars Technica. It turns out that Blu-Ray disks can contain not only media, but also firmware updates which can rework your player's crypto implementation. Internet connectivity therefore isn't required; "all that needs to happen" is for folk to buy new disks regularly. This is cunning, but still far from foolproof - and is, as you'd expect, also subject to potentially unfortunate side-effects.
Further Update:
It would appear that the rumoured AACS crack is true; the HD DVD image of Serenity has made it onto BitTorrent.
Even Further Update:
AACS processing keys have been cracked. Therefore, every Blu-Ray and HD DVD disk can now be copied. Thank you, DRM, and goodnight.
(2006-12-29 07:28:36.0)
Trackback URL: http://blogs.sun.com/davew/entry/comments_on_peter_gutmann_s