[clug] A most interesting read, most interesting

Wed Dec 27 23:40:53 GMT 2006

On Thu, Dec 28, 2006 at 12:26:54AM +1100, David Tulloh wrote:
> I found it fascinating to read this email just after I had read this 
> article on the new DRM measures in Vista 
> http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt

David, that is the funneiest article I have ever read - ROTFL.... :-) What a
great link, thanks...

Surely it isnt serious - or if it is I would like to buy front line sits to
witness MS making an absolute fool of themselves when the technology gets
cracked in a matter of month of it being properly released. Or better yet - let
all the industry big players invest millions into it, and then have it cracked
so they cant back away anyway (this is similar to what happened with DVDs).

The MS "specifications" show what I call "computer science" mentality.
Programmers are trained to think in interfaces, APIs and abstractions. Most
computer programmers have no idea what is making the machine actually work -
they think that a driver is simply a black box which accepts inputs from one
API (A device on the PCI bus) and sends output to another device on the bus.
The middle bit is a big black box....

This is simply not true. The driver reads encrypted data from the dvd drives,
but needs to decrypt it so it can do various video transforms (like pan
scanning, dolby processing etc). So there is a decrypted mpeg stream somewhere
in memory. Even if the software reencrypts the data to send it over the AGP/PCI
bus to the driver there is a decrypted version in memory. (The only way this
could work is if the driver simply passed the encrypted data to the screen
without decrypting it. This like the old CDROM passthough cable where the CDROM
drive was directly connected to the mixer on the sound card - but this is no
different than having a stand alone black box player because the pc can add no
extra functionality it might as well be off).

If you were able to load a device driver with full access to ring 0 you could
just read the memory directly - but even if you can only load signed device
drivers (which is rediculusly unworkable so I dont think that will even happen)
you can always read memory directly through the hardware.

I am reminded of a talk i watched recently in the last RuxCon conference in
sydney Called Hit By A Bus: Physical Access Attacks with Firewire - Adam
Boileau. Great talk and a demo - really broght the software guys in the
audience crashing down to earh in a big thud.

Adam reminded us what the DMA initials stand for with devices - Direct Memory
Access - I repeat that: _Direct_ _Memory_ _Access_. This means that any device
attached to the PCI/AGP bus has the ability to negotiate to have direct access
to the memory bus - without going through the CPU at all - this is done in
hardware using the PCI bus master controller. What this means in practice is
that any device attached to the PCI bus can read and write memory directly
without needing any permission from the CPU - which means that the OS or
whatever software is actually running on the CPU has no say in at all or can
actually know that its happening.

Adams demonstration was spectacular - he reprogrammed his linux laptop to look
like a firewire device, and was able to use the firewire bus protocol (which
seems to allow devices to map DMA regions) to map a windows  host's memory
space. He then searched through the memory for logon passwords/keys what ever
and was able to hack the windows logon screen directly (just as a demonstration
- he could have gotten any keys/passwords or data he wanted).

The message was clear - first rule of security, do not allow physical access.
When you have physcial access you automatically win. This is why DRM can never
work. It would be funny to see big players spend millions trying and failing
especially MS. Maybe thats is a good thing....

Michael.