Search Slyck  
Interview with Alex Ionescu
February 1, 2007
Thomas Mennecke
Font Bigger Font Smaller
Digital Rights Management (DRM) has become one of the most assailable attributes of Microsoft’s latest operating system – an incarnation otherwise known as Vista. Critics have lambasted the operating system as forcing consumers to upgrade their current video cards, audio cards, and monitors in order to enjoy “premium content.” Specifically, if the consumer doesn’t own a monitor that supports HDMI (High Definition Media Input), or a graphics/audio card that doesn’t support HDCP (High Definition Content Protection), HD DVD or Blu-ray media will be downgraded to 800x600 pixels; a resolution far short of its 1920x1080 potential.

This hardware requirement has infuriated consumers across the globe, as Microsoft has stated the movie and music industry have demanded this level of protection. However, it appears that no one has offered any advocacy on behalf of the consumer who will soon find their new 27” $850.00 LCD monitor is completely useless when expecting to watch premium content through Vista. Unfortunately for most, the current consumer inventory idoesn't fulfill the necessary criteria to satisfy the movie industry’s DRM requirements.

Yet this doesn’t mean the consumer is left alone in an otherwise indefensible position. As DRM is quickly becomes public enemy number 1, the online community has become the last stronghold in a landscape of rapidly eroding consumer rights. Traditionally labeled as hackers, crackers, and pirates, many disgruntled netizens are finding these individuals are the only thing that stands between the consumer and corporate domination. Many consumers take solidarity with HD DVD and Blu-ray cracker musix64, who stated, “I’m just an upset customer. My efforts can be called fair use enforcement!”

As Vista’s deployment ramps up, news has begun to circulate that its highly regarded Protected Media Path has been defeated. The Protected Media Path is an array of Digital Rights Management technologies that allows “premium content” to be “enjoyed” by the consumer. The individual that has been labeled responsible for this feat is Alex Ionescu. Alex Ionescu is highly experienced and talented programmer whose primary work concentrates on the community-based ReactOS project. ReactOS is an open source operating system based on the Windows architecture.

Yet Alex hardly places himself in the same category as those who work to defeat Digital Rights Management. In fact, Alex’s work with PMP has been largely misrepresented by the mainstream media, and misunderstood even by Slyck as evidenced by some of our questions. Alex’s current work is not a crack, hack, or a patch that defeats Vista’s DRM. Instead, it’s simply a proof of concept idea that demonstrates that indeed the potential to defeat Vista’s DRM exists – nothing more.

To get a better understanding of his work, interviewed Alex who dispelled many of the myths surrounding his work, while also providing insight into his accomplishments.

Explain how Microsoft implements their PMP Digital Rights Management.

PMP is a series of technologies which allow modern computers to play and interoperate with premium, high-definition content, and is composed of 4 major technologies: Conditional Access, Copy Protection, Digital Rights Management and Link Protection. I've attached a diagram of how these technologies are integrated in Vista. This slide is copyright Microsoft Corporation. (Slyck has replaced the slide with a direct link to Microsoft's power point presentation, available on page 4.)

The DRM implementation is provided through different methods. One of them is the requirement for all kernel-mode code to be digitally signed. As well, user-mode processes can become "Protected Processes", which, through the kernel, hardens them from things such as a debugger attaching to them, or their memory being read from another process. To gain this status, the process and DLLs also have to be digitally signed. There's other methods through which PMP performs its duties, but code signing was the primary method linked to my blog post.

Does your work allow a “protected” HD DVD or Blu-ray disc to function at full high definition via VGA output or non-Vista approved sound card?

As I mentioned earlier, my work was simply to raise attention to the fact that a DRM crack *could* possibly be done by using a documented flag and code to bypass the code signing requirement. The VGA-output restriction and sound restrictions, as far as I know, are located in the actual driver code and possibly even in the firmware of the latest hardware chips, so even with Code Signing potentially disabled, these restrictions might still be in place.

Explain the code you developed that bypasses Vista’s PMP DRM.

I have not developed any code, merely noted that it would be possible to write such code if the way I understood PMP DRM is correct, since it would bypass code signing requirements.

If you’re not replacing vista code or adding your own driver are you simply setting a system flag to make your “code”? Are you then making your “code” the response authority for validation checks sent to the vista system PMP system?

I'm assuming this would be theoretically possible by using the flaw/ideas I brought up. However, at the time I am writing this, Microsoft is committed to, and working on, fixing any such possibility through the use of my idea and flag.

In your opinion, why do you feel something as simple as a reboot renders Microsoft’s opinion of this development as a non-issue?

This development had two parts:

1) My initial research was done to allow open source and 3rd party drivers to load without being signed. This currently is allowed only by enabling "Test-Signing Mode", which disables premium content playback and puts watermarks all over the OS. I also wanted to find out if malware developers could also use this to load a rootkit into the system. For this purpose, I was told that a reboot renders this issue moot, because there are multiple ways to bypass Vista's security if a reboot is allowed. Writing to the disk and patching the kernel/MBR is one of them, so adding an extra boot flag is just as inefficient. I think the idea stemmed from the fact that rootkits want to load instantly, supposedly after being downloaded from a website or loaded from shellcode. A reboot would kill the rootkit from memory. This of course doesn't take into account malware that actually comes with an installer and drops a component on the disk.

2) My blog post referred to the fact that my research in #1 had "failed", because I was not able to find an issue that didn't require a reboot. However, I was able to load code, with a reboot, but without test signing mode. I surmised that this method could prove to be a flaw in the PMP design.

Since the hack bypasses PatchGuard, does it compromise Vista's security (as in anti-malware/virus security, not DRM security)?

No, because even with PatchGuard disabled, malware that runs in kernel-mode still needs to be signed (unless code signing is also disabled). PatchGuard is more of a method of disabling insecure, badly written drivers that hook into the kernel, such as Anti-Virus or Intrusion Detection systems that don't use the proper documented methods of receiving system events.

Again, my work on PatchGuard was only an idea: since there have been multiple documented ways of bypassing PatchGuard from kernel-mode, and since my method allows access to the kernel, then my method could also bypass PatchGuard. I have not written the code to do so however, and I am told that the methods that can bypass PatchGuard are being patched in Vista.

Explain the relationship between the media application and the Operating System that enforces Vista’s DRM.

Some of it is described in the diagram I attached, and you can also Google for more information on this. One of the things that the operating system will do is report to the media application which unsigned drivers are currently loaded into the system, and if test signing mode is enabled. The media application is then required (by Holywood requirements, AFAIK) to disable playback of premium content. It's possible, I believe, for the media application to scan this list and have a whitelist of legitimate unsigned drivers if the media companies will allow this. So supposing there is a well-known mouse driver that is unsigned and known to be safe, it's possible that the system would still be allowed to play premium content. However I doubt that the MPAA/RIAA would take the time to whitelist open source drivers.

You've downplayed your own progress by saying "...this doesn’t provide any advantage of any of the myriad other ways..." Are there any other documented DRM bypasses you are aware of that have achieved similar success? If so, what methods were used?

My comment referred to the multiple ways of bypassing code signing through a reboot, such as modifying the binaries on the disk, and then rebooting.

Do you believe that because the media application, not the operating system, enforces the PMP check, this weakens Vista's DRM?

There have been some rumors that some of the Chinese/Taiwanese DVD playback applications would ignore warnings from the OS that unsigned drivers are loaded, or might have a hidden flag to allow this to happen. As you know, many TVs and DVD players have similar anti-Macrovision/anti-RegionCoding magic sequences or codes that disable these checks. I think even my Sony TV has a "Technician's Menu" for some of these options, so it may be likely for apps to follow suit. However, applications are only one part of the path. Video and audio drivers and even the playback hardware may still have a word to say in this.

As part of the PMP guidelines and best practices guidelines, Microsoft strongly recommends (enforces?) driver writers not to do things like have debugging code, unsafe IOCTLs, mapping user-mode memory or code, or having any such hidden flags.

In the end however, I'm convinced some company will end up being ""evil"" and get their unsafe driver signed, since Verisign isn't the only one to issue Class 3 certificates, and they don't look at your code before signing it. Microsoft's response to this is revocation, but this has to be done through Windows Update. Therefore, the whole game will become like the recent Sony PSP firmware upgrades, where people are still running 1.51 or 2.00 firmware and using downgraders. I believe that the same will happen on Vista: crackers won't enable Windows Update and won't get the revocation updates, so they will still be able to use their drivers. While users probably won't be able to do this, the crackers might, and then release "anti-revocation" tools or utilities that scan Windows Update packages and remove anti-certificates.

Again, this is all speculative, I haven't done any research on this and I don't plan to, but I see these as possibilities. It may be possible that the OS has additional measures to protect against this.

Tell us more about this "special flag" you've created.

I really can't talk about this, I'm sorry.

Explain how Vista differentiates between an unprotected HD movie, say a home brew movie, and the latest Hollywood Blue-ray release.

I don't know enough on the topic to answer this. I'm assuming it's a combination of the codec and the media application.

Does your work halt the power-hungry process which looks for mechanisms that attempt to defeat the distribution of premium content?

Again, no actual "work" has been done, just an idea. It's maybe possible for a crack to do this, I really don't know.

Do all media applications communicate with PMP, or are there exceptions like VideoLan? What are the implications for displaying premium content?

I think the codecs/DirectX might have some power in this handshake. I haven't read very much on PMP since I'm not terribly interested in it, but if you Google for the documents from Microsoft you can find some guidelines and implications. There is a slide called "Participating Software Requirements" which lists some of them. These requirements are legally binding, according to Microsoft.

When you release the generic code, what level of talent will it take to replicate and/or exceed your success?

I have been told not to release any generic code yet. Either ways however, the generic code I was planning on releasing had absolutely nothing to do with DRM, it was just a way to talk to the kernel from user-mode.

From then on, the following assumptions would need to hold:

1) Someone that knows how to disable PatchGuard must implement such code.

2) PatchGuard hasn't yet been patched by Microsoft to disable the known hacks.

3) PMP doesn't detect the flag I'm using.

4) PMP doesn't have other methods of detecting code in the kernel.

5) DRM can be bypassed simply by loading code in the kernel.

6) Someone that knows how to write kernel-mode code and where to put it in kernel-space as well as how to disable PMP with such code must implement it.

What specific knowledge areas would that individual(s) require to tackle such a project?

Intricate knowledge of the kernel, PMP, PatchGuard and Vista security mechanisms. Based on my experience, no such person exists. Again, it also assumes Microsoft hasn't patched this method or deemed it irrelevant, and I am sure that one of the two will happen.

How will the knowledge you've gained be of value in the future development of ReactOS and will it benefit the project in any way?

The knowledge I got from this issue is limited to Code Signing and PMP, two technologies which are irrelevant to my work on ReactOS, so it wouldn't really benefit it. Of course other knowledge that I've gotten throughout time while reverse engineering NT or exploring other parts of the kernel were helpful however, but not this particular research.

Do you see ReactOS development accelerating or becoming more mainstream in the near future?

Definitely, in fact I'm going to quite a few conferences and events this year to talk about ReactOS.

When can we expect the generic code to be released?

I'm fully confident that once this issue is solved with Microsoft theywill agree that the code I planned to release was inoffensive, and perhaps might not even work after a patch is released. As soon as that's done, I'll make sure with them that it's OK to release it. It still might not be. But for now, no expectations should be made.

How does it feel to be thrust into the DRM debate? Is this something you were anticipating?

Not really. I'm not a big fan of DRM but I'm willing to live with it since it doesn't personally affect me. I rarely buy movies anyways, I just see them on the cinema. If someone wants to watch movies at home illegally, they can just use BitTorrent. There's already HD-DVD and BluRay releases on the latest trackers. But I can understand how DRM can hurt honest consumers; however, I don't think the right approach is an offensive and cracking it, because this will end up being used by pirates. I think the approach needs to be made through discussion, social change, and cooperation.

People need to understand that just because movies and audio are overpriced doesn't mean they should be free. And [the] MPAA/RIAA needs to understand that people will pay reasonable prices for their media as long as they're given the freedom to do what should be legally permissible (sharing with a friend, but not the entire Internet, copying the song to as many computers as you own, but not 1000, being able to make as many backups as you want and play them when and wherever you want, not having to own a 5000$ screen to watch HD-DVD, etc).

Is there anything else you would like to add?

Yes, I would just like to stress out that I have *not* found a method to break DRM nor written ANY code to do this, nor do I plan to. My discovery is limited to a *potential* flaw in detection of unsigned code, and it *could* be used as a method to break DRM, but this is speculative. If indeed the flaw is real, Microsoft will patch it ASAP.

I am also unwilling to discuss this flaw, its implementation, any special flags or code, so I'd appreciate if no such requests are made. I don't mind talking about my views and information on PMP, DRM or any other public information however, or my work on NT/ReactOS.

Editor’s note: It’s important to note that Alex has not defeated Vista’s DRM. Yet if his work is any indication, it exemplifies the possibility exists. While Alex Ionescu is an extraordinary example of programming knowledge with a high degree of ethics, there are many other individuals who share his programming abilities – but not his degree of ethics.

This story is filed in these Slyck News categories
Technology News :: DRM

You can discuss this article here - 8 replies

© 2001-2019