Clearing up the SecuROM FUD
August 24th, 2007, 10:19
There's a lot of hoopla about SecuROM issues and Bioshock. I don't know how serious the actual issues are, but I do know that a lot of what gets said about it is pure FUD. The Sony BMG rootkit scare and the issues with Starforce have clearly gotten people much more nervous about stuff that gets put on our computers with games and even music. This is a good thing. However, it's clearly led to a situation where many people have trouble keeping things in perspective.
I happen to know something about how these things work (I develop software for a living and am in charge of information security at my company), and I did a quick refresher on how CP works yesterday, so I thought I'd clarify some stuff. Some things I've already addressed in a few other threads, but a little summary couldn't hurt, I think.
First, let's get some terms straight. These are simplifications since I don't want to get too technical about it; if you're really interested, look some of the terms up on Wikipedia.
(1) What's a ring-0 or kernel mode driver, and why should I care?
Computers operate in a number of different security modes. These modes are very fundamental to the way they work. The idea is that a piece of code is only given the privileges it needs to run. For example, a normal program should not be able to read or write to memory that's being used by another program. "Kernel mode" or "ring-0" is the "full access" mode for a program. That is, a program running in kernel mode can do anything the computer is capable of doing -- read or write any memory location, send any sequence of bits to any device, and so on. That means that there's nothing in the computer architecture that limits the amount of damage a buggy or intentionally malicious kernel mode program can do.
There's nothing inherently evil about kernel mode drivers. The computer wouldn't do a damn thing without them, and any operating system comes with a big bunch of them when you install it. However, because of the risks involved, you don't want unnecessary kernel mode drivers on your box.
Why do we care? Because of copy protection. Most disk-based copy protection relies on very low-level trickery that looks at the actual physical structure of the CD or DVD -- it looks for intentionally introduced flaws, the physical location of the data, and so on. You can't do this through the regular interfaces, which operate on a higher level of abstraction: they don't really care how the data is stored, they just read and write it.
Therefore, a disk-based copy protection system usually installs its own kernel-mode driver that talks directly to the CD or DVD player, to get at data that the standard driver would ignore. If SecuROM includes a disk check as well as the activation system, it will do it this way. Tagès does the same. Starforce does the same.
In and of itself, this is not a problem: if the driver is well written and well-behaved, it won't cause any problems on your computer. It won't use up resources, it won't interfere with anything you're doing, it won't compromise security, it won't spy on you. However, that's a pretty significant "if."
Starforce's problem was that the kernel mode driver was badly written. It didn't *just* do the DVD check when called, but also interfered with DVDs while they were being written. What's more, it caused some models of DVD burner to think they were in an error state, turn down their write speeds, and eventually lock up completely and permanently. Equally badly, it opened a security hole that permitted "privilege escalation" -- that is, running any piece of code on the computer with kernel mode privileges.
There was one more thing about Starforce, but I'll get to it a bit later.
Bottom line:
(a) There's nothing inherently bad about kernel mode drivers, just like there's nothing inherently bad about fire. It's just that you don't want them to get out of control.
(b) It is not nice to have to install new kernel-mode drivers for every different disk-based copy-protection type. However, until the operating system comes with built-in DRM (sound familiar, anyone?) or the game industry switches to a business model that doesn't require disk based copy protection (such as on-line distribution, hardware hash activation, or pay-per-play), this is something we have to live with.
(c) Because of (b), it pays to be vigilant -- if someone foists a badly-behaved kernel-mode driver on us, we have to scream, loud. It works, too (see Starforce).
(2) What's a rootkit, and why is it evil?
A rootkit is also a program that runs in kernel mode. However, it's not a driver. Its purpose is to hide resources -- files and processes -- from the operating system. In a way, it walls off a little private corner of the computer and lets its payload lurk there. This makes whatever the rootkit is hiding extremely difficult to detect.
In and of themselves, rootkits are no more or less dangerous to your system than kernel mode drivers. However, I can't think of very many legitimate reasons to hide processes or resources from the OS, and I can think of a lot of illegitimate ones; for example, a rootkit could be used to hide a key logger or other really nasty spyware.
The hoopla about the Sony BMG rootkit was that the music CD copy protection scheme Sony used installed a rootkit to hide the DRM software. This made the DRM software very difficult to detect or remove. Moreover, the rootkit was buggy -- it had a security hole that could be very easily exploited to hide *any* process. I'm sure there would have been an outcry even without the security hole, but the hole made the situation much more serious.
Bottom line: you don't want rootkits on your computer because they are used to hide stuff you *really* don't want on your computer.
(3) What other bad things do copy protection systems do?
That would be a long list. However, compared to buggy kernel mode drivers or rootkits -- that open up big security holes or actually screw up your system or hardware -- they're fairly benign, more annoyances than real risks. There's no reason to panic over them, IMO, nor even do stuff like consumer boycotts -- it's enough to stand up for your rights and sort out the stuff.
* Not removing stuff on uninstall. This is usually just sloppy programming: if several games use the same CP drivers, you obviously don't want to uninstall the drivers until you uninstall the last game that uses them. Sometimes it's just carelessness. In some cases, such as the Sony BMG rootkit one, it's intentional and there are additional nefarious intentions involved, but mostly not.
* Breaking compatibility. Because kernel-mode drivers work close to the hardware and the operating system kernel, changes in hardware or the operating system can break formerly perfectly well-behaved drivers. For example, the Tagès drivers break on Windows Vista, which means that (1) you have to figure out that they were the reason your game doesn't run, and (2) you have to figure out where to get the new drivers to make it run.
* Just not working as designed. For example, it appears that SecuROM does not always release the hardware activation code on uninstall as advertised. This is obviously annoying to customers, and at least a hassle to get sorted out.
Finally, there are quite a few groups of people who are passionate about computer security and really good at ferreting out badly-behaved drivers (and hacking around them too). If something really evil is out there, they will find out very quickly. So forum chatter or the occasional op-ed piece are not solid reasons to panic. A warning from SANS, Sysinternals, or www.rootkit.com is. Just cuz it's on the Internets don't mean it's true.
RPGCodex' Little BRO
August 24th, 2007, 10:45
"There's nothing inherently bad about kernel mode drivers, just like there's nothing inherently bad about fire."
Quote of the day

Thanks for all of the info … the internet has practically exploded over this stuff the past day and most of it is misinformation pointing to forum threads …
--
-- Mike
SasqWatch
August 24th, 2007, 16:17
Oh, just when I was discussing how people function at work. (The pack mentality - one shouts wolf, and everybody follows.)
I do not develop applications for a living but have had a career in computer security. This information is somewhat obsolete since I ventured on and became head of our IT department. I still, however, have my thoughts on security in everything we do, but in a broader aspect (following the "real" debate - not this SecuROM one).
I just want, as before, to smile at prime junta and say: Thank you for your time and sane technical take on things.
Support this thread wholeheartedly (so far).
And I still think copy protection is bad. I do. But I don't blame companies for trying to get revenues from their investments. I blame people thinking it's their right to copy things. It's their fault it's needed in the first place.
No fire without smoke.
---
And for the first time ever, I have a problem with the activation!
Last edited by mute; August 24th, 2007 at 16:27.
Sentinel
August 24th, 2007, 16:53
Thanks for the information, the clear presentation, and for adding a new acronym to my collection. Fear, Uncertainty and Doubt describes this whole situation very well.
--
Where there's smoke, there's mirrors.
August 24th, 2007, 18:46
Terrific article. Thanks Junta.
--
Developer of The Wizard's Grave Android game. Discussion Thread:
http://www.rpgwatch.com/forums/showthread.php?t=22520
August 24th, 2007, 18:54
Very good. Thanks for posting this.
--
Oh, I wish I had a river I could skate away on. But it don't snow here. It stays pretty green. I'm going to make a lot of money, then I'm going to quit this crazy scene. -- [Joni Mitchell]
August 25th, 2007, 02:35
Yes, an interesting read, thanks!!
--
If God said it, then that settles it!!
Editor@RPGWatch
August 25th, 2007, 07:51
Seeing Slashdot made this a headline, linking to an article where the author himself, a blogger, admits that he used the names "Rootkit" and "Bioshock" so he could get hits from the net. (Helping people get it installed.)
He acted upon Microsoft's RootkitRevealer reporting it as a rootkit, but did not understand what it meant or bother with it.
Anyway. Here is a post from one of the comments:
"
The reason that the RR tool warns you is because of the * in the entry, it even tells you that if you bother to read it…
Microsoft offers a utility called RootkitRevealer located: here. The program will scan your system for rootkits. Once you scan your system, the program will reveal the SecuROM rootkit with this message:
…\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY*
This is due to the * character at the end, causing the “Key Name Contains Embedded Nulls” message.
What part of that was unclear? Because there’s an * it’s a rootkit? Ya, Smooth, Nice fud."
And this is the reality people doing forensics in real life have to deal with. A lot of false positives/negatives. This "fear" about this being a rootkit has no ground.
Read through the comments on Slashdot. It's not bashing the game; it brings out valid points and wonders why people have to feed fuel to a fire that doesn't exist.

The biggest question is how many of those people complaining do complain because there is no way to download it? They must buy the game.
FUD means that there is no truth to the message and its only meaning is to stir up people. I am glad that Slashdot's community for once brings some sanity to the debate and points this out. If one bothers to read and understand, that is.
Not that everybody does it…
Sentinel
August 26th, 2007, 14:45
Some copy protection programs - as I call them right now - of DVDs are installed regardless of whether you skipped or closed the install program altogether, as far as I've heard.
I doubt that this was a majority of programs, but it happened.
And the rootkit features of the Sony/BMG copy-protection rootkit were - as far as I've heard - exploited by some WOW users to hide things, as far as I know (I never found any *detailed* article on that, though.)
FUD, by the way, is the most favourite marketing product of MS.
Bottom line: Maybe I should create some FUD about myself, too ?
August 27th, 2007, 16:22
Indeed, thanks for the well-written info.
--
Sorry. No pearls of wisdom in this oyster.
Dallas Cowboys: Can we be done with the offseason? / / Detroit Red Wings: At least we get a new coach
August 28th, 2007, 14:49
Originally Posted by Alrik Fassbauer:
Some copy protection programs - as I call them right now - of DVDs are installed regardless of whether you skipped or closed the install program altogether, as far as I've heard.
I doubt that this was a majority of programs, but it happened.

The only one I've heard of that did this was the infamous Sony BMG rootkit.

Originally Posted by Alrik Fassbauer:
And the rootkit features of the Sony/BMG copy-protection rootkit were - as far as I've heard - exploited by some WOW users to hide things, as far as I know (I never found any *detailed* article on that, though.)

That's correct.

Originally Posted by Alrik Fassbauer:
FUD, by the way, is the most favourite marketing product of MS.

Which has exactly what to do with the topic at hand? Or did you just put it in like some people put "Have you accepted Jesus Christ as your personal savior?" in their .sigs?
RPGCodex' Little BRO
August 28th, 2007, 16:01
I meant that FUD is widely used to disregard products.
This FUD here with Bioshock is rather a "user-generated FUD", but you can also use it as a marketing tool.
And of course, the best thing about FUD is that you can never be caught, when it's well made.
For example (okay, this is hilarious, but regardless … ) someone didn't like BioShock due to some certain or uncertain reasons. For example that it is no RPG. So, the person then could write down this FUD somewhere, where it might be easily transported into other blogs & forums, if the person made it "right" - meaning the best mix of all ingredients, including the mention of a copy protection and how it appeared to work for the person.
This spreads fast, and things spread wide, often unproven. Like rumors. That's how FUD goes.
I don't know what actually happened, especially how this FUD was created, but I keep all possible variations I can see in mind.