Prime Junta
August 24th, 2007, 11:19
There's a lot of hoopla about SecuROM issues and Bioshock. I don't know how serious the actual issues are, but I do know that a lot of what gets said about it is pure FUD. The Sony BMG rootkit scare and the issues with Starforce have clearly gotten people much more nervous about stuff that gets put on our computers with games and even music. This is a good thing. However, it's clearly led to a situation where many people have trouble keeping things in perspective.
I happen to know something about how these things work (I develop software for a living and am in charge of information security at my company), and I did a quick refresher on how CP works yesterday, so I thought I'd clarify some stuff. Some things I've already addressed in a few other threads, but a little summary couldn't hurt, I think.
First, let's get some terms straight. These are simplifications since I don't want to get too technical about it; if you're really interested, look some of the terms up on Wikipedia.
(1) What's a ring-0 or kernel mode driver, and why should I care?
Computers operate in a number of different security modes. These modes are very fundamental to the way they work. The idea is that a piece of code is only given the privileges it needs to run. For example, a normal program should not be able to read or write to memory that's being used by another program. "Kernel mode" or "ring-0" is the "full access" mode for a program. That is, a program running in kernel mode can do anything the computer is capable of doing -- read or write any memory location, send any sequence of bits to any device, and so on. That means that there's nothing in the computer architecture that limits the amount of damage a buggy or intentionally malicious kernel mode program can do.
There's nothing inherently evil about kernel mode drivers. The computer wouldn't do a damn thing without them, and any operating system comes with a big bunch of them when you install it. However, because of the risks involved, you don't want unnecessary kernel mode drivers on your box.
Why do we care? Because of copy protection. Most disk-based copy protection relies on very low-level trickery that looks at the actual physical structure of the CD or DVD -- it looks for intentionally introduced flaws, the physical location of the data, and so on. You can't do this through the regular interfaces, which operate on a higher level of abstraction: they don't really care how the data is stored, they just read and write it.
Therefore, a disk-based copy protection system usually installs its own kernel-mode driver that talks directly to the CD or DVD player, to get at data that the standard driver would ignore. If SecuROM includes a disk check as well as the activation system, it will do it this way. Tagès does the same. Starforce does the same.
In and of itself, this is not a problem: if the driver is well written and well-behaved, it won't cause any problems on your computer. It won't use up resources, it won't interfere with anything you're doing, it won't compromise security, it won't spy on you. However, that's a pretty significant "if."
Starforce's problem was that the kernel mode driver was badly written. It didn't *just* do the DVD check when called, but also interfered with them when DVDs were being written. What's more, it caused some models of DVD burner to think they were in an error state, turn down their write speeds, and eventually lock up completely and permanently. Equally badly, it opened a security hole that permitted "privilege escalation" -- that is, running any piece of code on the computer with kernel mode privileges.
There was one more thing about Starforce, but I'll get to it a bit later.
Bottom line:
(a) There's nothing inherently bad about kernel mode drivers, just like there's nothing inherently bad about fire. It's just that you don't want them to get out of control.
(b) It is not nice to have to install new kernel-mode drivers for every different disk-based copy-protection type. However, until the operating system comes with built-in DRM (sound familiar, anyone?) or the game industry switches to a business model that doesn't require disk based copy protection (such as on-line distribution, hardware hash activation, or pay-per-play), this is something we have to live with.
(c) Because of (b), it pays to be vigilant -- if someone foists a badly-behaved kernel-mode driver on us, we have to scream, loud. It works, too (see Starforce).
(2) What's a rootkit, and why is it evil?
A rootkit is also a program that runs in kernel mode. However, it's not a driver. Its purpose is to hide resources -- files and processes -- from the operating system. In a way, it walls off a little private corner of the computer and lets its payload lurk there. This makes whatever the rootkit is hiding extremely difficult to detect.
In and of themselves, rootkits are no more or less dangerous to your system than kernel mode drivers. However, I can't think of very many legitimate reasons to hide processes or resources from the OS, and I can think of a lot of illegitimate ones; for example, a rootkit could be used to hide a key logger or other really nasty spyware.
The hoopla about the Sony BMG rootkit was that the music CD copy protection scheme Sony used installed a rootkit to hide the DRM software. This made the DRM software very difficult to detect or remove. Moreover, the rootkit was buggy -- it had a security hole that could be very easily exploited to hide *any* process. I'm sure there would have been an outcry even without the security hole, but the hole made the situation much more serious.
Bottom line: you don't want rootkits on your computer because they are used to hide stuff you *really* don't want on your computer.
(3) What other bad things do copy protection systems do?
That would be a long list. However, compared to buggy kernel mode drivers or rootkits -- that open up big security holes or actually screw up your system or hardware -- they're fairly benign, more annoyances than real risks. There's no reason to panic over them, IMO, nor even do stuff like consumer boycotts -- it's enough to stand up for your rights and sort out the stuff.
* Not removing stuff on uninstall. This is usually just sloppy programming: if several games use the same CP drivers, you obviously don't want to uninstall the drivers until you uninstall the last game that uses them. Sometimes it's just carelessness. In some cases, such as the Sony BMG rootkit one, it's intentional and there are additional nefarious intentions involved, but mostly not.
* Breaking compatibility. Because kernel-mode drivers work close to the hardware and the operating system kernel, changes in hardware or the operating system can break formerly perfectly well-behaved drivers. For example, the Tagès drivers break on Windows Vista, which means that (1) you have to figure out that they were the reason your game doesn't run, and (2) you have to figure out where to get the new drivers to make it run.
* Just not working as designed. For example, it appears that SecuROM does not always release the hardware activation code on uninstall as advertised. This is obviously annoying to customers, and at least a hassle to get sorted out.
Finally, there are quite a few groups of people who are passionate about computer security and really good at ferreting out badly-behaved drivers (and hacking around them too). If something really evil is out there, they will find out very quickly. So forum chatter or the occasional op-ed piece are not solid reasons to panic. A warning from SANS, Sysinternals, or www.rootkit.com is. Just cuz it's on the Internets don't mean it's true.
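A practical follow-up to the post's point that you don't want unnecessary kernel-mode drivers on your box, and that copy-protection drivers are often left behind on uninstall: the script below is an added example (editor's code, not the poster's and not from any copy-protection vendor) that inventories the kernel drivers registered on a Windows machine and flags the ones that are not validly signed by Microsoft, so third-party drivers such as leftover copy-protection components stand out for review. It assumes Windows PowerShell 5.1 or later, that the Win32_SystemDriver class reports driver paths in the NT-style forms handled by Resolve-DriverPath, and read access to the driver files; the function names are the example's own.

```powershell
# Added example (not from the original post): list registered kernel-mode
# drivers and flag those without a valid Microsoft signature.
# Assumes Windows PowerShell 5.1+ and read access to the driver files.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Win32_SystemDriver reports paths in several NT-style forms (assumed here);
    # map them to plain Win32 paths so Test-Path and the signature check work.
    $p = $p -replace '^\\\?\?\\', ''                  # strip a leading \??\
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p } # relative form
    return $p
}

function Get-ThirdPartyKernelDriver {
    param([switch]$IncludeStopped)   # stopped drivers are what uninstallers tend to leave behind
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        if (-not $IncludeStopped -and $_.State -ne 'Running') { return }
        $path   = Resolve-DriverPath $_.PathName
        $status = 'NoFile'
        $signer = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            # Authenticode check of the on-disk image; Status is Valid, NotSigned,
            # HashMismatch, etc.
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            SigStatus = $status
            Signer    = $signer
        }
    } | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
}

# Usage: show every registered driver (running or not) that is unsigned,
# has a broken signature, is missing from disk, or is signed by a non-Microsoft party.
Get-ThirdPartyKernelDriver -IncludeStopped | Sort-Object State, Name | Format-Table -AutoSize
```

Two caveats match the post's own warnings. First, this only lists drivers the operating system knows about; a rootkit that hides its own driver or process will not show up here, which is exactly why the post points to tools like the Sysinternals ones for that case. Second, WHQL-signed vendor drivers carry a Microsoft-issued signature and will be filtered out by the `Signer -notmatch 'Microsoft'` test, so treat the output as a first pass for finding stray copy-protection drivers, not as a complete audit.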