The Windows Vista Protected Environment used to protect the MIG also provides the mechanism used for protecting the UMA engine. The PUMA name comes from taking UMA and adding a "P" on the front, because it is now protected.
PUMA is the solution in Windows Vista for mitigating against two types of attack. PUMA is designed to:
1. Provide a safer environment for the software modules that do the audio processing and rendering. The goal is to make it very hard for a hacker to snoop the content from memory and to make it very hard for hackers to insert rogue components.
Within the Protected Environment, the content is protected from snooping from other processes. This remains true to a reasonable extent even if the Protected Environment has dropped out of high-security mode.
2. Ensure that only allowed audio outputs are left turned on—that is, PUMA is designed to ensure outputs are turned off reliably if the content policy so specifies.
For the playback of premium audio content, the audio engine receives policy requests from the MIG. The MIG derives the policy from the content that the user wants to play. The premium audio content itself also comes from the MIG, because it is the MIG that typically receives the premium content from whatever delivery mechanism was used to get it to the PC.
As with the MIG environment, all software components—whether from Microsoft or a third party—need to meet robustness and compliance rules to be allowed to operate within the Protected Environment.
The PUMA process will refuse to load any software modules found to be on the Microsoft Global Revocation List. This applies to both Microsoft and third-party–supplied modules. Replacement versions of revoked modules are typically supplied at revocation time using a Windows Update mechanism.
Policy for controlling PUMA is represented and collected by the PUMA OTA, which resides in the MIG. This OTA also acts as a proxy for the PUMA, even helping in the process of revocation and renewal of PUMA modules.
PUMA Architecture
An important aspect of the audio engine is that it needs to exist separately from the MIG, because it is responsible for all the audio rendering on the PC. Long before the MIG is even instantiated to play premium content, the audio engine is used to play regular PC sounds such as the Windows boot-up wave sound.
The audio engine must render the general PC sounds and mix them in with any premium audio, and it must also bring in audio from unsecured sources and mix those in without compromising the security of the premium audio. The dotted lines in the PUMA Architecture diagram represent the different processes.
The process that the audio engine resides in is also in the Protected Environment, but additional security mechanisms are required to protect data coming from the MIG’s process to the audio engine’s process. The MIG hosts the ITA that sprouts the decryption module used to remove the protection associated with delivering the content to the PC—for example, the DVD encryption. Before the MIG determines that it is OK to pass the content to the next link in the chain (that is, PUMA), it needs to validate the PUMA.
| 