Princeton's Ed Felten and Alex Halderman have published the final installment in a brilliant series of excerpts from a paper-in-progress on lessons learned from the Sony DRM disaster, in which the company incurred millions in legal liability for deliberately infecting its customers' computers with anti-copying software that left them vulnerable to worms and viruses, destabilized their computers, and spied on their actions.
In today's installment, Ed and Alex talk about attacks on the custom players installed by the DRM on Sony's crippled CDs. These players were meant to impose restrictions on users, but they made many common beginners' security mistakes, leaving them vulnerable to simple attacks that could disable their restrictive behavior.
It is well known that DRM systems like this are vulnerable to rollback attacks. In a rollback attack, the state of the machine is backed up before performing the limited operation (in this case, burning the copy). When the operation is complete, the old system state is restored, and the DRM software is not able to determine that the operation has occurred. This kind of attack is easy to perform with virtual machine software like VMware, which allows the entire state of the system to be saved or restored in a few clicks. Both XCP and MediaMax fail under this attack, which allows unlimited copies to be burned with their players.
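The excerpt above explains why a burn limit enforced with purely local state cannot survive a snapshot-and-restore. The following is an added toy model, not code from the paper or from either DRM vendor: a player that keeps a keyed counter on disk loses track of burns as soon as the whole machine is rolled back, because the integrity tag is rolled back with it, whereas a counter held by a licence server (a constructed `LicenceServer`, the disc id and the shared key are all assumptions for the demo) notices that the client's state has gone backwards.

```python
"""
Toy model of a rollback attack against client-side DRM state, and of a
counter kept off the machine that detects the rollback.
Constructed example; not code from the paper or from the XCP/MediaMax players.
"""
import copy
import hashlib
import hmac

BURN_LIMIT = 3
SECRET = b"constructed-demo-key"  # assumption: key the player shares with a licence server


class Machine:
    """Everything the player can see: a persistent store plus a keyed tag over it."""

    def __init__(self):
        self.store = {"burns": 0}
        self.tag = self._tag()

    def _tag(self) -> str:
        # Integrity tag over the counter; it is data on disk like everything else.
        return hmac.new(SECRET, str(self.store["burns"]).encode(), hashlib.sha256).hexdigest()

    def snapshot(self) -> "Machine":
        # VM-style snapshot: bit-for-bit copy of all local state, tag included.
        return copy.deepcopy(self)


class NaivePlayer:
    """Trusts only local state: a tagged counter is still just data on disk."""

    def burn(self, m: Machine) -> bool:
        if m.tag != m._tag():  # tamper check passes after rollback: tag was copied too
            return False
        if m.store["burns"] >= BURN_LIMIT:
            return False
        m.store["burns"] += 1
        m.tag = m._tag()
        return True


class LicenceServer:
    """Authoritative monotonic counter per disc id; lives outside any snapshot."""

    def __init__(self):
        self.burns = {}

    def request_burn(self, disc_id: str, client_burns: int) -> bool:
        server_burns = self.burns.get(disc_id, 0)
        if client_burns != server_burns:  # client state went backwards (or forwards): refuse
            return False
        if server_burns >= BURN_LIMIT:
            return False
        self.burns[disc_id] = server_burns + 1
        return True


class OnlinePlayer:
    """Asks the server before every burn and advances local state only on approval."""

    def burn(self, m: Machine, server: LicenceServer, disc_id: str) -> bool:
        if not server.request_burn(disc_id, m.store["burns"]):
            return False
        m.store["burns"] += 1
        m.tag = m._tag()
        return True


def rollback_attack_naive() -> int:
    """Snapshot, burn to the limit, restore, repeat. Returns burns achieved in two rounds."""
    m = Machine()
    player = NaivePlayer()
    total = 0
    for _ in range(2):
        saved = m.snapshot()
        while player.burn(m):
            total += 1
        m = saved  # restore: counter and tag return to their old values
    return total


def rollback_attack_online() -> int:
    """Same two rounds against a player whose counter is mirrored on the server."""
    m = Machine()
    server = LicenceServer()
    player = OnlinePlayer()
    total = 0
    for _ in range(2):
        saved = m.snapshot()
        while player.burn(m, server, "disc-42"):  # constructed disc id
            total += 1
        m = saved  # local state rolls back, the server's counter does not
    return total


if __name__ == "__main__":
    print("local-only counter, two snapshot/restore rounds:", rollback_attack_naive())
    print("server-side counter, same rounds:", rollback_attack_online())
```

The local-only player yields six burns from a three-burn licence after one restore, and would keep doing so indefinitely; the server-backed player stops at three because the rolled-back client presents a counter the server has already moved past. The caveat is the one the excerpt makes: this defence only exists when the player can reach something outside the machine, and a player that enforces its limits entirely offline has nothing to anchor its state against.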
(Sony taproot graphic courtesy of Sevensheaven)