Slashdot Mirror


Doom9 Researchers Break BD+

An anonymous reader writes "BD+, the Blu-ray copy protection system that was supposed to last 10 years, has now been solidly broken by a group of doom9 researchers. Earlier, BD+ had been broken by the commercial company SlySoft." Someone from SlySoft posts a hint early in the thread, but then backs off for fear of getting fired. The break is announced on page 15.

4 of 345 comments

  1. As the article says... by Angstroem · Score: 5, Informative

    ...start reading on page 15, it'll discuss (a) what they did and (b) how resistant it is against potential counterattacks by the BD+ people.

    Mind you, the idea was not to break the underlying encryption scheme (breaking AES could still turn out being hard for the next couple of years...), but rather disable the BD+ security layer.

    1. Re:As the article says... by IamTheRealMike · Score: 5, Informative

      As far as I can tell, it wasn't actually disabled though. What the guy did is write his own BD+ VM. An impressive feat for sure, but that attack was always anticipated. As the dude says later,

      Apart from that the purpose of the program (called "content code") running inside the player on a virtual machine is to detect any known compromised players or known unlicensed emulators (like ours). The content code is given a wide range of opportunities to do that. For example it has (limited) access to the player memory and can even execute arbitrary code on the machine, though we haven't seen that yet and our emulator doesn't support this either.
      As long as we have access to a working (licensed) player all these measures are useless, as we can record traces from this player and adjust the data "injected" in the virtual machine address space by traps or events to perfectly match our recordings. Even if whitebox attack resistant AES or ECDSA algorithms are used and nobody manages to break them we can still use the obfuscated algorithms and their keys.

      So basically the disk authors can keep up for as long as they can trace the VM of an existing licensed player. They don't need to do that currently because no publishers are searching for their VM specifically.

      They'll probably be able to do this for as long as publishers want their discs to be playable on software players, simply because it's quite easy to reverse engineer x86 code on a PC, when you have a debugger and plenty of Jolt. I don't know what the BluRay player market looks like. If most BluRay players are hardware based, then as a movie studio I'd be tempted to simply write some BD+ code that looked for existing software players and banned all of them. Then the "trace a licensed player" step outlined above suddenly turns into a silicon reverse engineering problem instead of a software reverse engineering problem. Much harder.

      That said, I doubt they'd actually do that. Presumably they allowed software players for a reason, despite knowing they were way easier to hack than hardware players.

  2. Re:Congratulations! by Jah-Wren+Ryel · Score: 5, Informative

    Is this just for MKBv7 (Media Key Block) or is BD+ permanently broken?

    For the most part it is permanently broken. BD+ is just a very simple virtual machine - these guys reimplemented the virtual machine. So the disc publishers can write all kinds of new copy prevention code in the BD+ 'language' but the doom9 guys' VM will be able to execute it pretty much like any sanctioned BD+ VM would. The disc publishers might start exploiting non-standard or undefined behavior in the BD+ VMs (presumably most hardware players all just run the same BD+ VM from macrovision, so any bugs in it should be the same across most if not all hardware players) but such shenanigans won't be too hard to reverse engineer and include into the clone VM.

    Now when the publishers switch to MKBv8 that will be a new set of AACS keys that will need to be rediscovered, but that's independent of and in addition to BD+.

    --
    When information is power, privacy is freedom.
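
The record-and-replay attack described in comments 1 and 2 above, as an added toy model in Python. This is illustration code written for this page, not the doom9 emulator and not BD+'s real virtual machine: the opcodes, the trap names, the "player memory" values and the SECRET constant are all assumptions. The point it shows is the one the quoted post makes: the content code can only learn about its host through traps, so an emulator that answers those traps from a trace recorded on a licensed player gets the same fix-up value as that player, without touching the disc's cryptography. It also shows the flip side from comment 2: a new disc that probes something the old recording does not cover forces a fresh trace from the licensed player, which is cheap as long as one is available.

```python
"""Toy model of a content-code VM and a trace-replaying emulator.

Constructed example for illustration only: the instruction set, the trap
names, the "player memory" values and SECRET are made up here and are not
BD+'s real VM, any real content code, or the doom9 code.
"""

# Constructed "player memory": the values the content code can probe via traps.
LICENSED_PLAYER = {"vendor_id": 0x4C49, "fw_hash": 0xA1B2, "vm_build": 0x0007, "region": 0x0001}
EMULATOR = {"vendor_id": 0x0000, "fw_hash": 0x0000, "vm_build": 0x0001, "region": 0x0000}

SECRET = 0x5EED  # constant embedded in the content code (assumption)


def run(program, trap_handler):
    """Execute a tiny stack VM. Every host interaction goes through trap_handler,
    which is the only place an emulator can lie to the content code."""
    stack, pc, result = [], 0, None
    while True:
        ins = program[pc]
        op = ins[0]
        if op == "push":                     # push an immediate
            stack.append(ins[1])
            pc += 1
        elif op == "trap":                   # ask the host for a named value
            stack.append(trap_handler(ins[1]))
            pc += 1
        elif op == "mix":                    # pop b, a; push (a*31 + b) mod 2^16
            b, a = stack.pop(), stack.pop()
            stack.append((a * 31 + b) & 0xFFFF)
            pc += 1
        elif op == "dup":
            stack.append(stack[-1])
            pc += 1
        elif op == "jne":                    # pop; jump to ins[2] if value != ins[1]
            v = stack.pop()
            pc = ins[2] if v != ins[1] else pc + 1
        elif op == "emit":                   # pop; becomes the VM output (the "fix-up")
            result = stack.pop()
            pc += 1
        elif op == "halt":
            return result
        else:
            raise ValueError(f"bad opcode {op!r}")


def fingerprint(mem, fields):
    """Host-side mirror of the content code's arithmetic; the disc author would
    run this on a licensed player to obtain the constant to embed."""
    v = mem[fields[0]]
    for f in fields[1:]:
        v = (v * 31 + mem[f]) & 0xFFFF
    return v


def content_code(fields, expected):
    """Build content code that probes `fields`, compares the fingerprint with
    `expected`, and only then emits the fix-up value; a mismatch halts silently."""
    prog = [("trap", fields[0])]
    for f in fields[1:]:
        prog += [("trap", f), ("mix",)]
    halt_at = len(prog) + 5              # index of the final ("halt",) below
    prog += [("dup",), ("jne", expected, halt_at),
             ("push", SECRET), ("mix",), ("emit",), ("halt",)]
    return prog


FIELDS_V1 = ["vendor_id", "fw_hash", "vm_build"]
DISC_V1 = content_code(FIELDS_V1, fingerprint(LICENSED_PLAYER, FIELDS_V1))


def native_traps(mem):
    """Honest host: answer every trap from this player's own memory."""
    return lambda name: mem[name]


def record_trace(program, mem):
    """Play the disc once on a licensed player and log every trap reply."""
    trace = []

    def handler(name):
        value = mem[name]
        trace.append((name, value))
        return value

    run(program, handler)
    return trace


def replay_traps(trace):
    """Emulator host: answer traps from the recording, never from our own memory."""
    replies = iter(trace)

    def handler(name):
        try:
            rec_name, value = next(replies)
        except StopIteration:
            raise RuntimeError(f"no recording for trap {name!r}; re-trace the licensed player")
        if rec_name != name:
            raise RuntimeError(f"recording has {rec_name!r}, disc asked for {name!r}; re-trace")
        return value

    return handler


def play_native(program, mem):
    return run(program, native_traps(mem))


def play_emulated(program, trace):
    return run(program, replay_traps(trace))


if __name__ == "__main__":
    trace = record_trace(DISC_V1, LICENSED_PLAYER)
    print("licensed player     :", play_native(DISC_V1, LICENSED_PLAYER))
    print("emulator, own memory:", play_native(DISC_V1, EMULATOR))   # None: detected
    print("emulator, replay    :", play_emulated(DISC_V1, trace))    # same fix-up as licensed
```

Note what the emulator never needs: the value of SECRET or how the fix-up is derived from it. The content code carries that computation itself, which is the sense in which the post says the obfuscated algorithms and their keys can simply be used rather than broken. The only thing that breaks replay is a disc whose content code asks a question the recording does not answer, and the remedy is to record again on the licensed player.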
  3. Re:Patent trouble by localroger · Score: 5, Informative

    First, you need to understand what a patent is; it is legal protection, to be sure, but more than that it is a form of publication. Patents exist to encourage inventors to reveal what they have discovered so that others can build on it. Their reward for giving away their secrets is the period of artificial monopoly to capitalize on their discovery. But yes, you can read patents and glean what went into them and expand upon them, because that's what patents are designed to make possible.

    Second, you need to understand what the remedy is for a patent holder whose patent is violated. There are no "patent police" who go out and look for patent violators. Patent owners have to keep their own vigilance, and when they think their patent is being infringed the remedy is to sue the infringers. The result of such a suit is usually an injunction to force the infringer to stop selling his competing products. (Probably the most famous case of this was Polaroid v. Kodak, where Kodak was forced to abandon their entire line of Polaroid-like instant cameras, of which they had sold millions.)

    Now bearing this in mind, exactly what would Sony or Fox or whoever get by suing Doom9? They aren't making money off of this, they just gave it away. Injunctions notwithstanding it's almost impossible to stop the dissemination of software whose authors have deliberately tried to make it available for free. There are no profits to seize, and any effort to show a dollar amount for damages would be very iffy. Patent infringement is not fraud and is not criminal, so there is no risk of anybody going to jail. All in all, there's not much the patent holder can do in this case except suck it up and go on to the next project.

    --
    Brackets contain world's first nanosig, highly magnified:[.]