Arxan Technologies - WikiLeaks/Arxan...2012/02/17 · Arxan Confidential 3 Arxan Overview •...
Transcript of Arxan Technologies - WikiLeaks/Arxan...2012/02/17 · Arxan Confidential 3 Arxan Overview •...
Arxan ConfidentialArxan Confidential
Arxan Technologies
Enhanced Content
Protection for HD+ Digital Media
February 2012
2Arxan Confidential
Agenda
• Arxan Overview
– Update on marketplace adoption of Arxan’s Enhanced Content Protection technology
• Technology Overview – Arxan’s Content Protection Suite
– Cross platform code-hardening and key hiding
– Achieving Enhanced Content Protection – Software-based protection
– Hardware root of trust integration
• The critical role of code hardening and key security for protecting HD+
• Featured Use Cases
• Summary and Q/A
3Arxan Confidential
Arxan Overview
• Best-of-Breed and Unique Content Protection Technology– Innovative, patented technology for Static and Dynamic Defense– Based on a threat-based, customizable approach that is DURABLE, RENEWABLE
and ENFORCEABLE
• Global and Proven Wide scale adoption across the digital media landscape– 20% of DECE/UV members = Arxan customers and partners Growing– Long-term and Proven Success Enhanced Content Protection – Diverse use cases : video, audio, DRM , IP and sensitive code security
• Some examples: Google (Widevine), Verance, Marlin
– 2011: 84 % Revenue growth, 100% digital media customer growth, 100% renewal rate
• Arxan technology recommended as ‘de facto’ standard for HD+– Protection implementations: very deep, intricate security greater than the
minimal Robustness Rules requirements – Security approach is consistently thorough and rigorous per implementation– Arxan is HW (connected home/embedded devices) and DRM agnostic
4Arxan Confidential
Digital Media Ecosystem
Content Publishers
● DRM/CAS/IP Protection/Key Security
● t l M Ml M rsM Mp r torsM Monsol sM MTMsM v Digi a edia a ee a e D e iceM nu tur rsa fac e
Embedded Device Manufacturers
More apps, more digital workflows bigger attack surface
Arxan is widely adopted by UltraViolet Content Providers, Client Implementers, DSPs and LASPs
Arxan ConfidentialArxan Confidential
Content Protection Technology Overview
Arxan Confidential
6Arxan Confidential
• Software products that provide Internal Real-time Guarding of applications to make code tamper-aware and tamper-resistant through self-protections
• Quickly and easily instrument a deep intricate layered protection by embedding a network of Guards, interdependent protection routines, into a program at the binary x86 code level with GuardIT® and at the object level for ARM, PPC and MIPS architectures with EnsureIT®
• TransformIT™ is a White Box Cryptography (WBC) solution that combines mathematical algorithms with data obfuscation techniques to perform standard cryptographic functions utilizing transformed keys such that they cannot be discovered
• Benefits include:– Multiple uses: Desktop, Mobile, Embedded and Server
– Layered protection for defense-in-depth
– Static and Dynamic security on running applications
– No single point of failureArxan Confidential
Content Security: Key and Code Hardening
7Arxan ConfidentialArxan Confidential
Arxan Content Protection Suite
• Code Protection (Anti-RE and Anti-Tamper):– Desktop/Server/Embedded/Mobile Applications– GuardIT for Windows
– GuardIT for Linux
– GuardIT for Mac OS X
– GuardIT for Microsoft .NET Framework
– GuardIT for Java
– EnsureIT for Android/ARM
– EnsureIT for Apple iOS/ARM
– EnsureIT for Linux/ARM
– EnsureIT for PowerPC
– EnsureIT for Linux/MIPS
– Add-ons
– - Arxan Licensing Code Protection for FlexNet Publisher Certificate Based
– - Arxan Licensing Code Protection for FlexNet Publisher Vendor Daemon
– - Arxan Licensing Code Protection for FlexNet Publisher Trusted Storage
– - Arxan Tamper Resistance Solution for Marlin DRM
• Cryptographic Key Protection (Public/Private Key Hiding):– TransformIT
• Host-ID Spoofing Prevention– BindIT
• Professional Services:– Product Extension Services, Security audits, Blue team, Risk assessments, etc.
• Supported languages – C, C++; Objective C/C++; both native and mixed
mode images– C# , VB.NET for managed code applications
• Supported executable file formats – PE– ELF– Mach-O/Universal Binary
• Supported compilers – Visual Studio 2003, 2005, 2008, 2010– Various Flavors of GCC
• Supported Development (Host) Platforms – All Flavors of Windows
• Supported Deployment (Target) Platforms – All Flavors of Windows– Red Hat Enterprise Linux 4 and 5– Mac OS X 10.4 – 10.6
• Supported Target chipsets – Intel Compatible x86 (32-bit); 64-bit chipset ; PPC ;
ARM; MIPS
• Build integration – Command line interface allows seamless integration
into any build environment
8Arxan Confidential
Configurable Layered Protection
CPI/IP Code IdentifiedCritical Code Identified
Critical Code Protected by:Repair Guard
Critical Code Protected by:
Checksum Guard
Control Flow Graph
Repair
Checksum
Guard Protected by:Checksum Guard
Guard Protected by:Encryption Guard
Encryption
Checksum
Guards Protected by:Obfuscation Guard
Obfuscation
ChecksumImage Protected
by:Checksum Guard
Arxan Confidential
• Network of Guards– Use multiple Guards to protect a single code
segment– When attack is detected, Guards ‘fire’, reaction
is fully programmable– Layered Protection– Many implementations of given Guard, so no
global signature– Guards protect selected ranges of code– Guards protect entire image– Guards protect each other
9Arxan Confidential
Sophisticated and Layered Guard Network
• Protection implementations follow industry-leading best practices for unique, renewable and targeted security in many layers
Arxan ConfidentialArxan Confidential
Critical Role of Key Security and Code Hardening for HD+
Arxan Confidential
11Arxan Confidential
Protecting Digital Media Content• Arxan content protection technologies are routinely used to help
meet “robustness rules” compliance– Arxan addresses robustness requirements with solutions for cryptographic
operations with key hiding (TransformIT) PLUS code protection (GuardIT/EnsureIT)
• Approach: thoroughly assess risks and implement a deep protection extends well beyond meeting merely “letter of law” of robustness rules.– Directly and indirectly we help achieve:– Cryptographic functions with required key hiding
– Signing and verification requirements
– Revocation
– Watermarking
– Device authorization (hardware binding or other)
– Code obfuscation
– Software integrity validation via signing or check-summing
– Anti-debugging, anti-decompilation
12Arxan Confidential
Protecting Digital Media Content
Arxan’s methodology for content protection:
• Jointly perform a detailed and rigorous threat analysis for the specific DRM and surrounding implementation
• Identify the critical areas of code that instantiate the threat vectors• Identify additional threat areas outside of the DRM proper• Identify areas of code that can host guards for implementation of
the overall network
• Driven by risk assessment• Multi-layer protection design• Utilize widest possible range of fail actions• Cross check back to robustness rules to assure full
coverage
• Performance and security level measurement and tuning• Generation of diverse executables as required• Final QA and delivery
Guard Network
Implementation
Guard Network
Design
Risk Assessment
13Arxan Confidential
Code Protection Complements HW Root of Trust
• Trusted execution environments (“TEE”) supported by security hardware is a complementary technology to Arxan’s guarding solutions.
• “Trusted” software executing inside the trusted environment can be additionally protected from tampering and reversing through the use of Arxan’s guarding technologies
• Software that cannot run inside the trusted environment can be protected using Arxan’s guarding technologies without requiring or interfering with root of trust functions.
• As root of trust implementations mature and standardize, Arxan guarding techniques may be able to leverage security API’s to provide additional security attributes to non-TEE applications
14Arxan Confidential
TransformIT and HW Root of Trust
• Arxan’s TransformIT can provide both:– a software only solution for cryptographic operations where key
hiding (including use of dynamic keys) is a requirement.– a software solution that leverages hardware enabled root of trust
(TEE) service
• Without requiring any application source change!• Ensures availability of crypto services with key hiding with a
common API for the app, on all system environments.• Maximizes usage of hardware value when available in
system environments• Reduces application porting/testing cost across diverse
target platforms
15Arxan Confidential
Application Portability and Leverage of HW TEE with TransformIT
Application
TransformIT
No HW security dependency
OS w/o root of trust services
HW without security features
Application
TransformIT
Leverage of HW supported security services
OS
HW with security features
Root of TrustServices
No source code changes required in application to use key hiding crypto services:Available in standalone S/W (WBC) form, or leveraging hardware based TEE
(software only)
16Arxan Confidential
Trusted Execution Environments
• Arxan has all the technology components required to develop and deliver a standalone software trusted execution environment (Software TEE)
• As with TransformIT, an Arxan Software TEE can provide a stable trusted run-time environment across diverse platforms
• Derivative versions of the Arxan Software TEE will take advantage of extant hardware enabled root of trust services
• This model assures applications:– Availability of the TEE independent of platform specifics, including
availability of security hardware, differences in root of trust s/w API’s, access issues to the root of trust API’s, etc.
– Maximal leverage of the hardware security services when they are available
– Without requiring custom porting to each and every target platform
17Arxan Confidential
Application Portability and Leverage of HW TEE with TransformIT
Arxan TrustedExecution
Environment (software only)
Application
No HW security dependency
OS w/o root of trust services
HW without security features
Arxan TrustedExecution
Environment
Application
Leverage of HW supported TEE services
OS
HW with security features
Root of trustservices
No source code changes required in application to operate in a trusted executionenvironment: TEE available in standalone s/w form, and leveraging h/w security.
Arxan ConfidentialArxan Confidential
Featured Use Cases for
Enhanced Content Protection
Arxan Confidential
19Arxan ConfidentialArxan Confidential
Selective Use Cases for ECPProfile: Watermarking
ProviderConsole / STB
ContentStreaming Video from Premium Content Provider
Streaming Content Provider
Cross-Platform DRM
ArxanCustomer:
Audio Watermarking Technology
Vendor(Verance)
Worlds most popular Cross
Device(Divx)
Mobile DRM Solution Provider
(Authentec)
World’s Leading
Streaming Content
Provider
Leading Multi-Platform DRM
Provider(Widevine/
Google)
Use Case and App Secured:
Protecting the Cinavia Product.
IP protection and anti-tamper of the
technology is critical.
Protect DRM SDK across a broad
range of platforms. The DRM is
accessed by a number of end-
products including digital media players and
content stores, some of which are
internal-to-DivX/Rovi & others are
partner’s end-products.
Protect DRM (PlayReady®) agent and 3rd party media
players on iOS and Android.
Undergone Independent
security
Enhancing DRM protection
(Playready), Device Binding, Secure store,
Communications from client to
server
Targets include leading game
consoles
Enhancing security of DRM
for content protection
Example App: Netflix Plug-In on
Chrome OS
Target of Attack/Protection:
Client software on target devices
Client software on target devices and
key discovery
Client software on target devices and
key discovery
Client software on target devices and
key discovery
Premium content via PC, Mac,
Linux, iOS and Android viewing
20Arxan Confidential
Summary: ECP with Arxan
• Proven success with software-based ECP products and methodologies
• Scalable software-based ECP solution complements and can take advantage of hardware root of trust
• Rapid and Cost-effective Deployment– No changes to the source code or the how the application works– Ease of diversification and renewable security enables low cost breach
mitigation
• Arxan security satisfies robustness requirements for both open and closed environments
• Arxan security is DRM and device agnostic– Flexible licensing scenarios to match the unique deployments of DRMs and
other variables
• Comprehensive platform/processor coverage
Arxan ConfidentialArxan Confidential
Thank You ….
Questions ?
www.arxan.comBlog: http://arxancto.blogspot.com/Twitter: http://twitter.com/arxancto
Arxan Confidential
Kevin Morgan – [email protected] – CTO/VP Engineering
Jodi Wadhwa – [email protected] – VP Marketing