Browse Source

Android DRM + WiDevine

Trolli Schmittlauch 2 years ago
3 changed files with 37 additions and 5 deletions
  1. +3
  2. +28
  3. +6

+ 3
- 0
glossary.tex View File

@ -1,5 +1,8 @@
\acro{CDM}{Content Decryption Module}
\acro{DMCA}{Digital Millenium Copyright Act}
\acro{DRM}{Digital Rights Management}
\acro{EME}{Encrypted Media Extensions}
\acro{IPC}{inter-process communication}
\acro{OS}{operating system}
\acro{SGX}{Software Guard Extensions}
\acro{SoC}{system on a chip}

+ 28
- 2
main.tex View File

@ -26,7 +26,7 @@
pdfauthor={Oliver Schmidt},
\newcommand{\comment}[1]{{\parindent0pt\fbox{\begin{minipage}{0.45\textwidth}{\em #1}\end{minipage}}}}
@ -171,7 +171,33 @@ As only userland code running in ring 3 can be run inside enclaves, relying on t
Android DRM, EME DRM arch, TBDRM (-> fTPM)
\section{Hardware Support for DRM systems}
So how can these hardware security mechanisms be used to support DRM mechanisms and make them run securely within a still open platform?
\subsection{Android DRM architecture}
The Android platform provides its own DRM framework\cite{AndroidDRMFramework}, providing an API for applications to communicate with a \textit{DRM manager} over \ac{IPC}. This DRM manager then runs plug-ins managing the actual DRM schemes as separate processes for isolation purposes. \\
The level of protection provided by the DRM plugin varies depending on the plugin itself and on the capabilities of the hardware platform. Plugins may rely on secure boot for a verified chain of trust from the firmware level on, use protected output mechanisms provided by the hardware platform and even run the programs inside a \ac{TEE}.
Plugins are automatically loaded when they are placed into the \texttt{/system/lib/drm/plugins/native/} directory. \\
One issue we see here is that there's no mention of authenticity checking of plug-ins mentioned in the documentatiion. \cite{AndroidDRMFramework} This can enable DRM plugins to claim to be able to decrypt a certain stream and thus at least result in the user not being able to decrypt their media with the proper add-on. Additionally it might also open up attack vectors for the communication with a license server, as shown later. \\
This might be the reason for the Android documentation to state that ``[t]he combination of hardware security functions, a trusted boot mechanism, and an isolated secure OS for handling security functions is critical to providing a secure device.'' \cite{AndroidDRMFramework}
One cross-platform DRM plugin solution is \textbf{WiDevine} \cite{googleWidevineDRMArchitecture2017}, currently owned by Google. It provides native solutions for the Android, iOS and HTML5 platform. Thus the \ac{DRM} decryption process is very similar to the one specified in HTML5 \acs{EME} and will be covered in section \ref{sec:HTML5_EME} in more detail. \\
The reason we look at the example of the WiDevine Android plugin is that it supports different security levels, depending on the use of hardware security mechanisms \cite{googleWidevineDRMArchitecture2017}: For security level 1, ``[a]ll content processing, cryptography, and control is performed within the Trusted Execution
Environment (TEE).'' This includes that even the decrypted video frames are to be passed to the graphics hardware using a secured mechanism. \\
This is not the case for security level 2: There only the cryptographic operations are done within a \ac{TEE}, but the decrypted video content is passed to processes running outside of a secure environment for further decoding, demuxing and postprocessing. But still all cryptographic keys remain secured within the \ac{TEE}. \\
And security level 3 is provided on devices without a \ac{TEE} at all, where ``[a]ppropriate measures may be taken to protect the
cryptographic information and decrypted content on host operating system'', which can be considered as a system-level lockdown.
\subsection{HTML5 EME}\label{sec:HTML5_EME}
Android DRM, EME DRM arch, TBDRM (-> fTPM), InkTag?
\section{lockdown/ openness}

+ 6
- 3
mybib.bib View File

@ -85,9 +85,12 @@
file = {/home/spiollinux/Zotero/storage/KCQ2TH4P/Chuang et al. - 2010 - Digital Right Management and Software Protection o.pdf}
title = {Widevine\_{{DRM}}\_{{Architecture}}\_{{Overview}}.Pdf},
title = {Widevine {{DRM Architecture Overview}} v1.2},
howpublished = {\_DRM\_Architecture\_Overview.pdf},
author = {{Google}},
month = mar,
year = {2017},
keywords = {unread,DRM},
file = {/home/spiollinux/Zotero/storage/JVFPCN6B/Widevine_DRM_Architecture_Overview.pdf}
@ -198,7 +201,7 @@ This paper's contributions are a summary of the Intel-specific architectural and
author = {Pham, S. and Arbanowski, S. and Kaiser, S.},
month = dec,
year = {2015},
keywords = {CDM,CDMi,CENC,common encryption,cryptography,digital rights management,DRM,EME,encrypted media extension,hardware-based DRM platform,hypermedia markup languages,interoperable media streaming,media source extension,MPEG-DASH,MSE,Multimedia communication,multiple DRM system,OCDM,open source content decryption module,open systems,W3C HTML5 premium media extension,Web},
keywords = {digital rights management,CDM,cryptography,DRM,EME,hypermedia markup languages,CDMi,CENC,common encryption,encrypted media extension,hardware-based DRM platform,interoperable media streaming,media source extension,MPEG-DASH,MSE,Multimedia communication,multiple DRM system,OCDM,open source content decryption module,open systems,W3C HTML5 premium media extension,Web},
pages = {417-420},
file = {/home/spiollinux/Zotero/storage/A23TYJ6N/Pham et al. - 2015 - An Open Source Content Decryption Module to Improv.pdf;/home/spiollinux/Zotero/storage/4IVKLURP/7442371.html}