users to listen to protected albums, and they allow access to "bonus content," such as album art, liner notes,
song lyrics, and links to artist web sites. The players access music on the disc, despite the active protection,
by using a special back door interface provided by the active protection software.
XCP and MediaMax version 5 both permit users to burn copies of the entire album a limited number of
times (typically three). These copies are created using a proprietary burning application integrated into the
player. The copies include the player applications and the same active (and passive, for XCP) protection as
the original album, but they do not allow any subsequent generations of copying.
Another feature of the player applications allows users to rip the tracks from the CD to their hard disks,
but only in DRM-protected audio formats. Both schemes support the Windows Media Audio format by
using a Microsoft product, the Windows Media Data Session Toolkit [23], to deliver DRM licenses that are
bound to the PC where the files were ripped. The licenses allow the music to be transferred to portable
devices that support Windows Media DRM or burned onto CDs, but the Windows Media files will not be
usable if they are copied to another PC. Because XCP and MediaMax create Windows Media files, they are
vulnerable to any attack that can defeat Windows Media DRM. Often, DRM interoperation allows attacks
on one system to defeat other systems as well, because the attacker can transfer protected content into the
system of her choice in order to extract it.
The XCP and MediaMax version 5 players both exhibit similar spyware-like behavior: phoning home to
the vendor or record label with information about users' listening habits despite statements to the contrary
from the vendors. Whenever a protected disc is inserted, the players contact web servers to retrieve images
or banner ads to display. Part of the request is a code that identifies the album. XCP discs contact a Sony web
site, connected.sonymusic.com [28]; MediaMax albums contact license.sunncomm2.com, a
site operated by MediaMax's creator, SunnComm. These connections allow the servers to log the user's IP
address, the date and time, and the identity of the album. This undisclosed data collection, in combination
with other practices--installation without informed consent and the lack of an uninstaller--makes XCP and
MediaMax fit the consensus definition of spyware.
6.1 Attacks on Players
The XCP and MediaMax version 5 players were designed to enforce usage restrictions specified by content
providers. In practice, they provide minimal security because there are many ways that users can bypass
the limitations. Perhaps the most interesting class of attacks targets the limited number of burned copies
permitted by the players. Both players are designed to enforce this limit without communicating with any
networked server; thus, the player must keep track of how many allowed copies remain by storing state on
the local machine.
It is well known that DRM systems like this are vulnerable to rollback attacks. A rollback attack backs
up the state of the machine before performing the limited operation (in this case, burning the copy). When
the operation is complete, the old system state is restored, and the DRM software is not able to determine
that the operation has occurred. This kind of attack is easy to perform with virtual machine software like
VMware, which allows the entire state of the system to be saved or restored in a few clicks. XCP and
MediaMax both fail under this attack, which allows unlimited copies to be burned with their players.
A refined variation of this attack targets only the specific pieces of state that the DRM system uses to
remember the number of copies remaining. The XCP player uses a single file,
%windir%\system32\$sys$filesystem\$sys$parking, to record how many copies remain for every XCP album that
has been used on the system.⁹ Rolling back this file after a disc copy operation would restore the original
number of copies remaining.

⁹ This file is hidden and protected by the XCP rootkit. Before the user can access the file, the rootkit must be disabled, as
described in Section 7.2. We did not determine how the MediaMax player stores the number of copies remaining.
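
The following added example (not from the paper or from either player's code) models why a copy limit kept only in restorable local state fails under rollback, and how binding that state to a counter held outside it makes stale state detectable. The class names, the MAC key and `MonotonicCounter` (standing in for a hardware or server-side counter) are assumptions of this example.

```python
import hashlib
import hmac

class MonotonicCounter:
    """Assumed to live outside the restorable state; it only ever increases."""
    def __init__(self):
        self.value = 0
    def increment(self):
        self.value += 1
        return self.value

class NaiveLimiter:
    """Copy limit kept only in local state that a restore can overwrite."""
    def __init__(self, copies=3):
        self.state = copies
    def burn(self):
        if self.state <= 0:
            return False
        self.state -= 1
        return True

class BoundLimiter:
    """Local state is (remaining, epoch, MAC); epoch must match the counter."""
    def __init__(self, key, counter, copies=3):
        self.key, self.counter = key, counter
        self.state = self._seal(copies, counter.value)
    def _seal(self, remaining, epoch):
        msg = f"{remaining}:{epoch}".encode()
        return remaining, epoch, hmac.new(self.key, msg, hashlib.sha256).digest()
    def burn(self):
        remaining, epoch, tag = self.state
        if not hmac.compare_digest(tag, self._seal(remaining, epoch)[2]):
            return False  # forged or corrupted state
        if epoch != self.counter.value or remaining <= 0:
            return False  # stale (rolled-back) state, or limit reached
        self.state = self._seal(remaining - 1, self.counter.increment())
        return True

def burns_under_rollback(limiter, attempts=10):
    """Model a restore of the saved local state after every burn."""
    successes = 0
    for _ in range(attempts):
        saved = limiter.state
        successes += limiter.burn()
        limiter.state = saved
    return successes
```

The check only holds if the counter and the key are outside what a restore can reach: a counter stored on the same disk, or inside the same virtual machine snapshot, is rolled back along with everything else.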