Software attacks
These attacks occur in scenarios where someone loads rogue software that taps the content from the PC and writes it to disk or sends it to the Internet. On Windows XP, it is difficult to stop such software from being loaded.
In Windows Vista, the Protected Environment provides process isolation and continually monitors what kernel-mode software is loaded. If a rogue component is detected, then Windows Vista will stop playing high-level premium content, rather than risk it being stolen.
The Protected Environment contains the media components that play premium content, so the application only needs to provide remote control (Play, Rewind, Pause, and so on), rather than having to handle unprotected premium content data. The Protected Environment also provides all the necessary support for signed third-party software modules to be added. It provides a “wall” against outside attacks, where within the walls, content can be processed without undue risk of it being stolen.
These attacks concern the various outputs from the PC. For premium content, digital outputs such as Digital Visual Interface (DVI) and High-Definition Multimedia Interface (HDMI) need to have High-bandwidth Digital Content Protection (HDCP) enabled, to prevent someone recording the digital stream. Even analog TV-style outputs typically need protection, as provided by mechanisms such as Macrovision and CGMS-A. Some output types such as S/PDIF (Sony/Philips Digital Interchange Format) typically don’t have a suitable protection scheme available, so these need to be reliably turned off if the content so specifies.
In Windows Vista, the robust control of PC video outputs is provided by PVP-OPM, which is essentially the next generation of Certified Output Protection Protocol (COPP) introduced in Windows XP. However, rather than being a software API, PVP-OPM operates with the Windows media components in the Protected Environment.
User-accessible bus attacks
This relates to the capturing of premium content from the PCIe bus connecting the motherboard to the graphics adapter. Some content owners have specifically disallowed the sending of their content in unprotected form over the PCIe bus in their content licenses. In Windows Vista, PVP-UAB addresses this threat.
This section examines PVP-OPM and related output content protection initiatives.
PVP-OPM is an important part of what is needed to make the PC safer for premium content, by trying to ensure that the various outputs from the PC—such as DVI, VGA, TV-out, and so on—are properly controlled or protected (or both controlled and protected) in accordance with the content’s policy. PVP-OPM is designed to meet the requirements of HD-DVDs and Blu-Ray DVDs and of 5C DTCP.
|
|
PVP-OPM provides verified control and status for the video outputs from the graphics subsystem, making it extremely difficult for a hacker to record premium content from PC outputs with a hardware recording device.
Typically PVP-OPM operates within the Windows Vista Protected Environment, and enjoys the software protection that this provides. The Protected Environment checks for any unsafe situations for high-level premium content and turns off playing the content if an unsafe condition is found.
PVP-OPM is the successor to the COPP output protection provided in Windows XP. Where appropriate, PVP-OPM uses the same device driver interfaces (DDIs) as COPP, but there are significant differences in the way that COPP and PVP-OPM work. There is also a big difference in that COPP has to provide a software API to allow applications to manually control the graphics outputs, whereas in Windows Vista the application is a remote control for the Media Interoperability Gateway (MIG) environment, and it is the content’s policy, processed by the MIG environment, that automatically controls the outputs. Therefore, there is no need for a new API for applications to use PVP-OPM. To allow Windows XP COPP-based applications to work, Windows Vista provides a user-mode COPP emulator that maps COPP calls into PVP-OPM calls.
To work with PVP-OPM, a graphics card manufacturer must provide for the following:
Output Protection Management capability on all board outputs—at a minimum, provide the ability to turn off every output.
Device driver capability to report reliably about the board outputs and their settings.
HDCP protection for DVI and HDMI outputs and Macrovision and CGMS-A protection on analog TV-out outputs. Otherwise, outputs will be turned off by the PVP-OPM software.
The ability to pass video through a constrictor—that is, a downscaler followed by an upscaler—so that the information content of premium video can be reduced when an unprotected output such as analog VGA is present.
PVP-OPM in Windows Vista at minimum provides the same level of security as COPP in Windows XP, even if the Protected Environment has been compromised. To provide this fallback security when the Protected Environment is not in high-security mode, PVP-OPM uses many of the security techniques established in COPP. It uses OMAC messages and makes use of the PVP-OPM key pair in the driver. (OMAC is a variation on the Cipher Block Chaining Message Authentication Code. OMAC stands for One-Key CBC MAC.)
PVP-OPM fits in with the graphics subsystem virtualization provided by the Longhorn Display Driver Model (LDDM). A hardware vendor’s Windows Vista driver doesn’t need to be COPP compliant; being PVP-OPM compliant is sufficient.
PVP-OPM is designed to work with the LDDM Basic Scheduler. An enhanced version of the LDDM driver model is planned for after Windows Vista, called the LDDM Advanced Scheduler. PVP-OPM does not require the LDDM Advanced Scheduler, but it will work with the Advanced Scheduler.
|
