Application Shielding in the context of the MovieLabs Enhanced Content Protection (ECP) specification
November 18, 2020

Introduction

Market definition and size

The global entertainment and media market reached 2.1 trillion dollars in 2018, with a projection of 2.6 trillion dollars in 2023, according to the Global Entertainment & Media Outlook report by PwC.[1]

Content production has grown as well over the years: Netflix, a newcomer to video production, released more than 1500 hours of series, films and other types of content on its platform in 2018[2].

A changing landscape

The global entertainment and media landscape changed in the last decade and became more digitalized: digital revenue accounted for 53.1% of the global market in 2018.

According to the same report, while traditional TV is expected to decline in the coming years, the most prominent contenders are Virtual Reality (VR) and Over-The-Top (OTT) video. These two technologies are forecast to grow at staggering rates: over 22% CAGR for the 2019-2023 period for virtual reality and 14% CAGR for OTT video.

As for OTT, this segment almost quadrupled in size from 2014 to 2018 and is predicted to reach 72.8 billion dollars in 2023.

Several factors favoured the adoption of OTT services, and one could argue that the main one is the growth of broadband bandwidth and broadband adoption in developed countries. Indeed, the average penetration rate for OECD countries was 27% in 2019[3].

Another one is the multiplication of consumer devices that can receive streamed video content: personal computers, smart TVs, mobile phones, PC…

Computing capabilities and screen quality have grown as well, enough to reproduce high-fidelity content: for example, a modern iPad Air can display video at up to 2K resolution[4].

The market penetration of 4K televisions is also rather impressive: in 2019, more than 369 million televisions found their way into consumers' households[5].

Thanks to these rapid advances in technology, consumers can now watch video content in conditions comparable to a film screening in a theatre, even on mobile platforms.

Security to counter piracy

To feed this display and distribution ecosystem, another one exists at the edge: the production studios that create films and video content for television, their most famous representatives being the Hollywood studios, but also independent creators.

For these creators, the protection of their income highly depends on the security of the platforms that will receive and play digital content.

Indeed, one of the properties of digital media is that it can be reproduced indefinitely and at a nominal cost. If a platform does not restrict copying and redistribution of video content, this represents a business risk to content creators' revenues.

Unfortunately, security issues arise when it comes to distributing content to these new platforms.

Systems whose primary purpose is to distribute content are designed with content protection in mind, often using several techniques to ensure that content cannot be copied or viewed without authorization. The development of Conditional Access Systems (CAS) in the early 2000s is an example of a content protection system aimed at protecting content distributed over a digital video broadcast system.

However, mobile phones and personal computers are multi-purpose devices and can be used for a wide range of activities. Using these platforms for video playback changes the threat model compared to dedicated solutions, and consequently requires new protection mechanisms.

Moreover, in this paradigm of video playback on third-party devices, content providers must engage with a broader ecosystem, convincing every actor in the chain to implement mechanisms to secure content.

Which solutions can be used for content protection?

DRM usage

Protecting the digital distribution of content meant that the industry had to find new ways to reach this goal.

One of the solutions envisioned by the tech industry was software that lets content distributors better control the broadcast and playback of digital content, for example video players that embed security features.

Another type of solution is Digital Rights Management (DRM) software, which uses techniques such as encryption, scrambling and access control to restrict content copying and redistribution.

For mobile platforms, DRM software is embedded within the operating system by either the device manufacturer or the operating system developer. This software can then be leveraged by OTT application developers to secure content delivery.

Three solutions developed by large companies are now the major players in video content protection:

  • PlayReady, developed by Microsoft
  • FairPlay, developed by Apple
  • Widevine, now developed by Google

However, these solutions are not necessarily available everywhere: for example, FairPlay is only available on Apple platforms.

Consequently, the main challenge for OTT application developers is to design their applications with a multi-DRM system in mind[6], which is crucial to guarantee that a DRM protecting the content will be available on each platform used to deliver it.

Fortunately, several providers offer solutions that integrate these different DRM systems and provide a consistent mechanism to use them across platforms. Additionally, an ecosystem of software and hardware providers covers the remaining gaps and the additional features required for securing content and managing DRM systems.

MovieLabs

Content piracy is the main threat for content creators, especially for video content with a long "shelf life" such as films or TV shows, as opposed to live broadcasts of events such as sports. Moreover, ultra-high-definition content such as 4K material has theatrical quality, which poses an additional risk.

In a standardization effort around the creation, distribution and protection of Hollywood video content, and most notably to preserve the sustainability of content creation, the production studios created a non-profit organization for this purpose.

Six studios originally founded this organization called MovieLabs:

  • Paramount Pictures Corporation,
  • Sony Pictures Entertainment Inc.,
  • Twentieth Century Fox Film Corporation,
  • Universal City Studios LLLP,
  • Walt Disney Pictures and Television,
  • Warner Bros. Entertainment, Inc.

Nowadays, the organization is governed by a board with a representative of the five leading studios, as Twentieth Century Fox is now part of the Walt Disney Group.

Over the years, MovieLabs experts and community have developed and documented frameworks and requirements for content distribution and protection, intended for the video production ecosystem and updated each time to take into account the latest advances and findings in the field.

For the protection of premium video content, the Enhanced Content Protection (ECP) framework applies; it is now at version 1.2[7].

This document mandates security requirements at every step of the distribution pipeline and addresses the two main threats regarding content piracy:

  • Content ripping, meaning extracting content from the service or hardware which can then be mass distributed;
  • Output capture, meaning that content can be intercepted between the platform and the display, either through hardware or with software.

These requirements define, in broad terms, which security features a platform intended to receive content must have and how they must be architected.

Here are the elements detailed in the framework:

  • Hardware Root of Trust (RoT): the security foundation of a system, in the form of a specific chip, or of code or data securely provisioned by the manufacturer.
  • Secure Media Pipeline: this mechanism must protect content end-to-end, from its arrival, through decryption, to the display. It can be software logic leveraging other elements of the platform such as the Hardware RoT and the Trusted Execution Environment (TEE).
  • Secure Computation Environment: a processor space where secure computations can be executed. This component frequently translates into what is called a Trusted Execution Environment.
  • Encryption: the platform must provide professional-grade encryption mechanisms, such as implementations of strong cryptographic algorithms and a random number generator.
  • Link control/protection: the system must support HDCP 2.2, a protocol designed to prevent output capture.

Changes in the 1.2 version

In 2018, MovieLabs updated the Enhanced Content Protection framework to reflect the vulnerabilities discovered in microprocessors at the time.[8] While it is not clear which vulnerabilities the press release refers to, the document was updated and now requires that the DRM system include mitigations against side-channel attacks.

A side-channel attack leverages information leaked by a system while it operates, rather than a flaw in its logic, to infer sensitive information such as cryptographic keys.

One may assume that the side-channel mitigations in the ECP framework refer to the Spectre and Meltdown families of side-channel attacks discovered in early 2018: these attacks can allow an attacker to break the isolation between different applications and between user applications and the operating system, respectively.[9]

For DRM systems, this meant that an attacker could potentially use these attacks to retrieve sensitive information from kernel memory and bypass the security mechanisms put in place, in order to extract video content.

These mitigations must be implemented to protect the DRM system according to the recommendations of the microprocessor, firmware and operating system providers, making sure that patches against these attacks are effectively applied.

The addition can be found under DRM System Specification > Integrity & Robustness:

“The system shall implement all mitigations for side-channel attacks, including cache and timing side-channel attacks, recommended by the providers of the underlying microprocessor architectures, firmware and secure operating systems.
The system shall implement additional mitigation against cache, timing, and code injection attacks and reverse engineering, such as obfuscation and address space layout randomization.”[10]

An organization should then watch for new side-channel attack methods as they emerge and apply the necessary corrections when available.

On top of these mitigations, the framework adds another protection layer: protection against cache, timing and code injection attacks, as well as against reverse engineering.
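As an added illustration of the timing side channel named in this requirement (this is example code written for this article, not code from the ECP specification or from Epona), the C program below contrasts an early-exit byte comparison with a constant-time one, the standard mitigation. The 16-byte REFERENCE value and the make_guess helper are constructed for the example; both compare routines report how many bytes they inspected, so the leak is visible without a stopwatch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 16-byte reference value, standing in for a content key or
 * licence MAC that playback code must compare against an incoming value. */
static const uint8_t REFERENCE[16] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x23, 0x45, 0x67,
    0x89, 0xab, 0xcd, 0xef, 0x10, 0x32, 0x54, 0x76
};

/* Early-exit comparison, the shape of memcmp-style code. It stops at the
 * first mismatching byte, so the amount of work (reported through
 * *inspected) grows with the length of the correct prefix of b: that is
 * the timing side channel. Returns 1 if equal, 0 otherwise. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *inspected)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            if (inspected) *inspected = i + 1;
            return 0;
        }
    }
    if (inspected) *inspected = n;
    return 1;
}

/* Constant-time comparison: always inspects all n bytes, folds every
 * difference into one accumulator with OR, and derives the result with
 * arithmetic instead of a data-dependent branch. Returns 1 if equal. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *inspected)
{
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    if (inspected) *inspected = n;
    /* diff == 0: 0 - 1 wraps to 0xFFFFFFFF, top bit set   -> 1 (equal)
     * diff != 0: diff - 1 is at most 254, top bit clear    -> 0          */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* Build a guess that matches the first `prefix` bytes of REFERENCE and
 * differs in every byte after that (constructed test input). */
void make_guess(uint8_t out[16], size_t prefix)
{
    size_t i;
    for (i = 0; i < 16; i++) {
        out[i] = (i < prefix) ? REFERENCE[i] : (uint8_t)(REFERENCE[i] ^ 0xff);
    }
}

/* Bytes inspected by each routine for a guess with a given correct prefix. */
size_t leaky_work(size_t prefix)
{
    uint8_t guess[16];
    size_t inspected = 0;
    make_guess(guess, prefix);
    leaky_compare(REFERENCE, guess, 16, &inspected);
    return inspected;
}

size_t ct_work(size_t prefix)
{
    uint8_t guess[16];
    size_t inspected = 0;
    make_guess(guess, prefix);
    ct_compare(REFERENCE, guess, 16, &inspected);
    return inspected;
}

int main(void)
{
    size_t p;
    for (p = 0; p <= 16; p++) {
        printf("correct prefix %2zu: early-exit inspects %2zu bytes, constant-time inspects %2zu\n",
               p, leaky_work(p), ct_work(p));
    }
    return 0;
}
```

The early-exit version does one more unit of work for every correct leading byte of the guess, which is exactly the information a timing measurement exposes; the constant-time version always does the same work regardless of input. In production code the same property is available from vetted library routines such as OpenSSL's CRYPTO_memcmp, and the toolchain must not be allowed to reintroduce the early exit through optimization, so the generated code should be checked rather than assumed.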

For cache and code injection attacks, address space layout randomization (ASLR) is recommended; in 2016 we wrote a Clang cheat sheet on application hardening[11] that goes into more detail on how to enable this functionality when compiling with Clang/LLVM.

For the most comprehensive view of the new elements in the 1.2 version of the ECP framework, see the chart below:

Spec element: additions in the 1.2 specification version

  • Cryptography: no additions
  • Connection: no additions
  • Binding to device: no additions
  • Software Diversity: no additions
  • Copy & Title Diversity: no additions
  • Integrity & Robustness: "The system shall implement all mitigations for side-channel attacks, including cache and timing side-channel attacks, recommended by the providers of the underlying microprocessor architectures, firmware and secure operating systems. The system shall implement additional mitigation against cache, timing, and code injection attacks and against reverse engineering, such as obfuscation and address space layout randomization."
  • Revocation & Renewal: no additions
  • Outputs & Link Protection: no additions
  • Encryption: "The platform shall support a random number generator compliant with NIST 800-90C, AIS-31 or GM/T 0005-2012."
  • Secure Media Pipeline: no additions
  • Secure Computation Environment: "The platform shall be able to protect memory of the secure execution environment against access from untrusted code & devices, including implementing all of the relevant mitigations for cache side-channel attacks recommended by the providers of its microprocessor architecture, firmware and secure operating system."
  • Hardware Root of Trust: no additions
  • Link Control/protection: "The platform shall provide a secure, unforgeable means of enumerating the unique identities of all downstream link protection sink devices. Link protection sink components shall not be enabled to operate until their delivery to the manufacturer of the consumer device containing them. This enabling must be controlled and secured cryptographically by the maker of the sink component."
  • Forensic watermarking: "The watermark shall be robust against corruption of the forensic information, including collusion attacks, and transformations and capture techniques that leave the content still watchable."
  • Playback control watermark: no additions
  • Breach response: no additions
  • Certification: "Forensic watermarks shall be tested for robustness by a 3rd party."

How to protect against reverse engineering to comply with ECP MovieLabs 1.2?

To protect an application against reverse-engineering, two methods can be applied:

  • The first mechanism is code and data obfuscation, which protects against static analysis: an attacker can use a decompiler to try to understand a program's logic, data and control flow.
  • The second mechanism is anti-tampering measures, such as integrity-check functions integrated into the program during development. At runtime, these functions detect whether the application is being debugged or subjected to other dynamic binary analysis techniques using known frameworks, and crash the application, thus limiting dynamic analysis and thwarting attackers.
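An added example of the second mechanism, written for this article and not taken from Epona App Shield or the ECP specification: a runtime integrity check over a byte region using FNV-1a, a tamper simulation that flips one bit and re-checks, and a Linux-only debugger detection that reads TracerPid from /proc/self/status. PROTECTED_REGION is a constructed array of arbitrary bytes standing in for the code section or entitlement table a real shield would cover.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FNV-1a, 32-bit: a small non-cryptographic hash. It is enough to notice a
 * patched byte; an attacker who locates the check can recompute it, which
 * is why shipping shields hide the check and spread copies of it around. */
uint32_t fnv1a32(const uint8_t *data, size_t len)
{
    uint32_t h = 0x811c9dc5u;
    size_t i;
    for (i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Constructed stand-in (arbitrary bytes) for a region the application wants
 * to keep intact: in a real build, a code section or an entitlement table. */
static const uint8_t PROTECTED_REGION[32] = {
    0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10,
    0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0x8b,
    0x45, 0xfc, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xfc,
    0x83, 0x7d, 0xfc, 0x0a, 0x7e, 0xf0, 0xc9, 0xc3
};

/* Integrity check: 1 if the region still hashes to the reference value. */
int region_intact(const uint8_t *region, size_t len, uint32_t expected)
{
    return fnv1a32(region, len) == expected;
}

/* Tamper simulation: copy the region, flip one bit at `offset`, re-check.
 * Returns 1 if the patch was detected, 0 if it slipped through, -1 if the
 * offset is out of range. */
int detects_single_byte_patch(size_t offset)
{
    uint8_t copy[sizeof PROTECTED_REGION];
    uint32_t expected = fnv1a32(PROTECTED_REGION, sizeof PROTECTED_REGION);
    if (offset >= sizeof copy) return -1;
    memcpy(copy, PROTECTED_REGION, sizeof copy);
    copy[offset] ^= 0x01;
    return region_intact(copy, sizeof copy, expected) ? 0 : 1;
}

/* Linux-only debugger detection: while a ptrace-based debugger is attached,
 * /proc/self/status reports a non-zero TracerPid. Returns 1 if traced,
 * 0 if not, -1 if the file is not available (non-Linux platform). */
int being_traced(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = 0;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            result = strtol(line + 10, NULL, 10) != 0;
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    uint32_t reference = fnv1a32(PROTECTED_REGION, sizeof PROTECTED_REGION);
    printf("reference hash: 0x%08x\n", (unsigned)reference);
    printf("region intact: %d\n",
           region_intact(PROTECTED_REGION, sizeof PROTECTED_REGION, reference));
    printf("patch at byte 5 detected: %d\n", detects_single_byte_patch(5));
    printf("traced: %d\n", being_traced());
    return 0;
}
```

Because every step of FNV-1a is a bijection on the running state for fixed input, any single-byte change to the region is always detected; a collision-resistant hash is needed only once the attacker can choose the replacement bytes freely. A deployed check would hash the code pages between linker-provided section symbols rather than a table, keep the reference value in a signed location, and repeat the check from several obfuscated sites so that neutralizing one instance does not neutralize them all. The TracerPid check is likewise one signal among many: on its own it is simple to hide, which is why the text insists on combining techniques.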

It is important to note that there is no silver bullet when it comes to protection against reverse engineering: countermeasures must combine different techniques, be tested in the field and evolve constantly according to recent findings. Overall, the goal is to increase the cost for the attacker and to maximize the time-to-break.

For these types of protection there is always a protection-versus-performance tradeoff, and the solution should be granular enough to let users fine-tune it to their needs.

Our product Epona App Shield is our answer to these challenges: it integrates these two features and can help obstruct the work of an attacker. Thanks to its 30 available obfuscation passes, an organization can find the right performance/security combination for its application, meeting the need for a streamlined playback experience while complying with ECP MovieLabs requirements and guaranteeing content security.

For more information on Epona App Shield, go to the following link: https://quarkslab.com/epona/

If you wish to see how Epona App Shield could help your organization in enhancing the security level, schedule a meeting with our sales team at the following link:

https://quarkslab.com/schedule-a-demo/

References

[1] Global Entertainment & Media Outlook 2019-2023, PwC: pwc.co/outlook

[2] Netflix statistics, Statista; https://www.statista.com/statistics/882490/netflix-original-content-hours/

[3] https://www.oecd.org/sti/broadband/broadband-statistics-update.htm

[4] https://www.apple.com/ipad-air/specs/

[5] https://www.statista.com/statistics/540680/global-4k-tv-unit-sales/

[6] https://docs.microsoft.com/fr-fr/azure/media-services/latest/design-multi-drm-system-with-access-control

[7] https://movielabs.com/ngvideo/MovieLabs_ECP_Spec_v1.2.pdf

[8] https://movielabs.com/news/movielabs-publishes-updated-specification-for-enhanced-content-protection-v1-2/

[9] https://meltdownattack.com/

[10] https://movielabs.com/ngvideo/MovieLabs_ECP_Spec_v1.2.pdf

[11] https://blog.quarkslab.com/clang-hardening-cheat-sheet.html