The Many Facades of DRM Author: Rod Schultz [email protected] 1. INTRODUCTION In February 2007, Apple's CEO Steve Jobs wrote an open letter to the world denouncing DRM and its use in the music industry. In this letter Jobs stated, "DRMs haven’t worked, and may never work, to halt music piracy". The world took notice of this statement, and blogs all over the Internet were devoted to interpreting his message and meaning. The debate over DRM and its value began even before that, and has raged for over a decade now. Over time more and more people have developed a mental picture of what DRM is and what it does. But what do people really know about DRM? Most people only understand that a DRM prevents them from sharing or copying music and movies. Very few understand the intricate nature of this technology, how it enables business models, how it is built, and how it can be attacked. Even fewer understand the sheer mathematical complexity needed to create a DRM, and the cost of maintaining it. In this article I will discuss the many facades of DRM, including its multiple layers, their construction, and the functionality they provide. I will expand on DRM techniques and how they can fail based on my experiences at Apple (iTunes and iPod protection) and Adobe (Flash Player RTMPe protection). 2. BUSINESS MODEL Perhaps the most interesting thing about the Steve Jobs DRM letter to the world was the timing. When it was written, I was a member of the Apple FairPlay team (the engineering group at Apple that creates its DRM) and we were already working on a software update to iTunes that would allow the purchase and playback of DRM free music. Jobs was astute enough to realize the negative reaction the public had to DRM, and he successfully painted the picture that Apple hated DRM, and that Apple wanted music to be freely shared. On April 2nd, 2007 EMI Music announced an agreement with Apple to sell DRM free music on the iTunes store, with all other major labels to follow in January of 2009. The music industry finally gave in to Steve Jobs, giving him—and the consumer—a victory in the music war on DRM. Maybe there was another motive. Maybe Steve Jobs was really trying to spin a pending decision by the music industry into a public perception victory for Apple. The truth was that with the power of its DRM Apple was locking the majority THE MANY FACADES OF DRM 1 of music downloads to its devices, the most import of which was the iPod. The music industry didn't go DRM free because they hated DRM; they went DRM free because they were fearful of the leverage Apple was gaining with their iTunes + FairPlay + iPod combination. Apple’s DRM created this lock, and it became so successful that the music industry went with the lesser of two evils (songs locked to Apple’s iPod monopoly vs. the distribution of DRM-free music) and chose to distribute DRM-free music. These actions, taken only a few years after the disastrous impact of Napster, illustrate that DRM is an instrumental technology in creating and shaping business models for digital content distribution. Without DRM the iTunes store would never have been born. No music label would have licensed content to Apple, and the majority of the general public would not have purchased iTunes content that didn't come from a major label. It was only after the service became mature and too powerful that the music labels changed the rules of the game and went DRM-free. The same content protection needs apply for movies as well. DRM provides the digital security that studios (Disney, Fox, Warner Brothers) require a digital content distributer (Apple, Amazon, Netflix) to provide. For video, DRM is even more important, and the studios can still set the rules without yielding to a public demand for DRM-free movies. Until the world evolves to a point where this digital security impacts the revenue or future growth of the studio, DRM will be required. When the cost of creating a movie like Avatar ranges between $300 million and $500 million, the studios naturally want their money back. They want protections in place that will give them confidence to release digital copies to the world. Video is consumed very differently than music. A good song is something you listen to multiple times, over months, years, and sometimes decades. It is something you share with others. The best songs have an extremely long lifetime in the consumer space. Movies are more expensive to produce and are usually viewed once. So studios have to be strategic about how they release movies to consumers. Studios break the licensing and release of their content into distribution windows. The majority of movie revenue is generated at the box-office release window, the VOD (video on demand) window, and the home video window (DVD and Blu-ray sales). These windows were created to segment the market and generate as much revenue as possible for a product that can easily cost hundreds of millions of dollars to produce, and is usually viewed only once. Each of these widows (there are at least six, and potentially more if you count airline, hotel, and foreign distribution) provides an opportunity for the studio to distribute to different segments. Each window also provides a unique opportunity for a consumer to steal the content, and forces the content distributer to deploy a DRM. The paradigm that exists is one where the content creator wishes to get the maximum revenue for its content for each distribution window. Each window has different DRM requirements, with current and future revenue impacting the mandated strength of the protection for each window. This DRM approval gives the content providers the ability to influence the DRM features and its corresponding design. 2 THE MANY FACADES OF DRM 3. CONTROL ARCHITECTURE When architecting any security system it is critical to identify points of failure and design around them whenever possible. Security systems are barriers, and when barriers are created they are attacked. A DRM is no different. The very nature of a DRM system--preventing the user from accessing something that is completely under their control--makes it extremely vulnerable to attack. Due to this vulnerability one feature studios look for is something called renewability. Renewability is a channel that the DRM provider can utilize to update key software modules in the field. This allows the security of the DRM to be renewed and restored if there is a breach. It is analogous to changing the engine or tire on a car if it breaks. The entire car doesn't need to be replaced; only the area that has failed. The difference is that a car must be taken to a mechanic for repair; a DRM is updated in place. It is this concept of a secure system that is critical to the durability of a DRM. It is extremely difficult to predict how detrimental a flaw in the design will be to the integrity of what the DRM is protecting, so it must be designed to withstand attacks, adapt to attacks, and avoid catastrophic failure when it is attacked. On the surface it seems obvious that the DRM would be designed this way, but the execution of this concept is not as simple as it sounds. Modular software systems are designed to be broken into independent pieces. Each piece has a clear boundary and well-defined interface for 'hooking' into other pieces. Progress in most technologies accelerates once systems have achieved this state. But clear boundaries and well-defined interfaces also make a technology easier to attack, break, and reverse engineer. Well-designed DRMs have very fuzzy boundaries and are designed to have very non-standard interfaces. THE MANY FACADES OF DRM 3 !"##$%"&'()"*$+,-./0"$+1&2"34 !"##$%"&'()"*$%67$+1&2"34 5,,0#1$%"&'()"*$%67$+1&2"3$ 5,,0#1$%"&'()"*$+,-./0"$+1&2"3$ Module 1 Module 2 Module 3 Module 1 Module 3 Module 4 Module 5 Module 6 Module 4 Module 6 Module 2 Module 5 8'(90"$:$;$+1&2"3$%"&'() These non-standard interfaces make it harder to reverse engineer, but also much more difficult to upgrade in the field. To minimize the cost of failures that cannot be fixed with a software update (renewability), DRMs are designed to be revoked. Revocation can occur at different levels of device and content granularity. This means that entire device classes can effectively be prevented from playing protected content, or a specific users device can be turned off to prevent it from playing back content (it should be noted that I have never seen user level revocation done in the real world). It is also possible to revoke specific movie titles if the content provider feels that there has been a breach on the content. To further defend itself against the cost of breach, DRMs are also designed to have binary diversity. This is the equivalent of a biological immune system. In this case the immune system is not protecting an individual but rather an entire DRM ecosystem. Just as it is impossible to predict what viruses will infect the human population, it is impossible to predict what attacks will be levied against a DRM. The diversity of each person’s immune system helps prevent global pandemics, and the binary diversity of a DRM helps prevent global breaches. The attack on the DRM can be modeled as a virus. Here the DRM breach is the virus, and the vector is the downloading and replaying of the attack.