Monday, January 15, 2007

Microsoft Windows Vista - the operating system that breaks itself (and your hardware)

BoingBoing linked to an article (Gutmann 2007) in which a security researcher looks at the new "features" of Microsoft's latest operating system, Windows Vista. The article is long but an excellent read; it provides a detailed analysis of how Microsoft is crippling computers, breaking hardware, and creating security risks, all in the name of protecting content (translation: making sure you can't rip HD-DVDs or CDs).

I'll outline just a few of the article's revelations here:

1) Under Windows Vista you may not be able to play "protected content" if your hardware isn't "secure":
Vista's content protection mechanism only allows protected content to be sent over interfaces that also have content-protection facilities built in. Currently the most common high-end audio output interface is S/PDIF (Sony/Philips Digital Interface Format). Most newer audio cards, for example, feature TOSlink digital optical output for high-quality sound reproduction, and even the latest crop of motherboards with integrated audio provide at least coax (and often optical) digital output. Since S/PDIF doesn't provide any content protection, Vista requires that it be disabled when playing protected content [Note E]. In other words if you've sunk a pile of money into a high-end audio setup fed from an S/PDIF digital output, you won't be able to use it with protected content.

2) Even if you can play your protected content, Windows Vista forces hardware to degrade audio and video signal quality when "protected content" is being played:
Alongside the all-or-nothing approach of disabling output, Vista requires that any interface that provides high-quality output degrade the signal quality that passes through it if premium content is present. This is done through a "constrictor" that downgrades the signal to a much lower-quality one, then upscales it again back to the original spec, but with a significant loss in quality. So if you're using an expensive new LCD display fed from a high-quality DVI signal on your video card and there's protected content present, the picture you're going to see will be, as the spec puts it, "slightly fuzzy", a bit like a 10-year-old CRT monitor that you picked up for $2 at a yard sale [Note F].

...

The same deliberate degrading of playback quality applies to audio, with the audio being downgraded to sound (from the spec) "fuzzy with less detail".

3) This downgrading of signals and disabling of hardware is dynamic: it starts as soon as you start playing protected content, and stops when the protected content stops playing. This can lead to some very odd behavior:
The requirement to disable audio and video output plays havoc with standard system operations, because the security policy used is a so-called "system high" policy: The overall sensitivity level is that of the most sensitive data present in the system. So the instant any audio derived from premium content appears on your system, signal degradation and disabling of outputs will occur. What makes this particularly entertaining is the fact that the downgrading/disabling is dynamic, so if the premium-content signal is intermittent or varies (for example music that fades out), various outputs and output quality will fade in and out, or turn on and off, in sync. Normally this behaviour would be a trigger for reinstalling device drivers or even a warranty return of the affected hardware, but in this case it's just a signal that everything is functioning as intended.
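The "system high" policy in the excerpt is the high-water-mark rule from mandatory access control: the level applied to every output is the level of the most sensitive content present anywhere, not of the content actually flowing to that output. That one design decision is what ties items 1 to 3 together (an unprotected S/PDIF output carrying your own MP3 gets switched off because a premium movie is playing on a different display, and comes back the moment the movie stops). The following toy model is an added illustration written for this page, not code from Microsoft or from Gutmann; the output names, the assumption that the HDMI link is protection-capable, the per-interface actions and the sample streams are all assumptions of the model. It also contrasts the system-high result with a per-route policy, which is not what the excerpt describes, to make the difference visible.

```python
"""Toy model of a "system high" output-control policy (added example for this page).

Not Microsoft's or Gutmann's code.  Output names, the protection-capable HDMI
link, the per-interface actions and the sample streams are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    """Sensitivity label; IntEnum so that max() picks the most sensitive."""
    UNPROTECTED = 0
    PREMIUM = 1


@dataclass(frozen=True)
class Output:
    name: str
    when_premium: str   # action while premium content is present anywhere:
                        # "pass" (protection-capable link, assumed for HDMI),
                        # "degraded" (the "constrictor") or "disabled" (all-or-nothing)


@dataclass
class Stream:
    label: Label
    routed_to: frozenset   # names of the outputs this stream is actually sent to


@dataclass
class OutputPolicy:
    outputs: list
    streams: dict = field(default_factory=dict)   # stream name -> Stream

    def start(self, name, label, routed_to):
        self.streams[name] = Stream(label, frozenset(routed_to))

    def stop(self, name):
        self.streams.pop(name, None)

    def system_label(self):
        """System high: the level of the most sensitive content present anywhere."""
        return max((s.label for s in self.streams.values()), default=Label.UNPROTECTED)

    def system_high_states(self):
        """Every output is judged against the single system-wide label."""
        level = self.system_label()
        return {o.name: (o.when_premium if level >= Label.PREMIUM else "pass")
                for o in self.outputs}

    def per_route_states(self):
        """Contrast only (not the excerpt's policy): judge each output by the
        content actually routed to it."""
        states = {}
        for o in self.outputs:
            level = max((s.label for s in self.streams.values() if o.name in s.routed_to),
                        default=Label.UNPROTECTED)
            states[o.name] = o.when_premium if level >= Label.PREMIUM else "pass"
        return states


def run_scenario():
    """Replay a constructed desktop session; record both policies after each event."""
    policy = OutputPolicy(outputs=[
        Output("spdif", when_premium="disabled"),   # item 1: no protection, switched off
        Output("dvi",   when_premium="degraded"),   # item 2: constrictor, "slightly fuzzy"
        Output("hdmi",  when_premium="pass"),       # assumed protection-capable link
    ])
    timeline = []

    def record(event):
        timeline.append((event, policy.system_high_states(), policy.per_route_states()))

    # Constructed sample: unprotected music over S/PDIF for the whole session ...
    policy.start("mp3", Label.UNPROTECTED, routed_to={"spdif"})
    record("mp3 starts")
    # ... and a premium movie sent to the HDMI and DVI displays, never to S/PDIF.
    policy.start("movie", Label.PREMIUM, routed_to={"hdmi", "dvi"})
    record("premium movie starts")
    policy.stop("movie")
    record("premium movie stops")
    return timeline


if __name__ == "__main__":
    for event, high, per_route in run_scenario():
        print(f"{event:22s} system-high={high}  per-route={per_route}")
```

Under the system-high rule the S/PDIF output is disabled the instant the movie starts even though no premium content is routed to it, and is restored the instant the movie stops; a per-route policy would leave it alone and only constrict the DVI link actually carrying the movie. The dynamic toggling the excerpt describes falls out of re-evaluating the same function after every change in what is present.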

4) The hardware in your computer can be disabled by Microsoft at any time, by revoking the signature of its driver:
Once a weakness is found in a particular driver or device, that driver will have its signature revoked by Microsoft, which means that it will cease to function. Details on exactly what happens are a bit vague here, the specs contain sentences like "the related driver would have to be revoked and a new driver would have to be deployed", however presumably some minimum functionality like generic 640x480 VGA support will still be available in order for the system to boot.

What this means is that a report of a compromise of a particular driver or device will cause all support for that device worldwide to be turned off until a fix can be found [Note J]. Again, details are sketchy, but if it's a device problem then presumably the device turns into a paperweight once it's revoked. If it's an older device for which the vendor isn't interested in rewriting their drivers (and in the fast-moving hardware market most devices enter "legacy" status within a year or two of their replacement models becoming available), all devices of that type worldwide become permanently unusable.

5) Windows Vista includes anti-piracy protections that limit the extent to which you can alter the hardware in your computer. Combine this with the driver-revocation ability described above, and some ugly situations become possible:
This revocation can have unforeseen carry-on costs. Windows' anti-piracy component, WGA, is tied to system hardware components. Windows allows you to make a small number of system hardware changes after which you need to renew your Windows license (the exact details of what you can and can't get away with changing has been the subject of much debate). If a particular piece of hardware is deactivated (even just temporarily while waiting for an updated driver to work around a content leak) and you swap in a different video card or sound card to avoid the problem, you risk triggering Windows' anti-piracy measures, landing you in even more hot water. If you're forced to swap out a major system component like a motherboard, you've instantly failed WGA validation. Revocation of any kind of motherboard-integrated device (practically every motherboard has some form of onboard audio, and all of the cheaper ones have integrated video) would appear to have a serious negative interaction with Windows' anti-piracy measures.

6) Hardware will become less stable under Windows Vista, because devices must report voltage fluctuations and other odd behavior as "tilt bits," which can cause Windows' graphics subsystem to reset:
Vista's content protection requires that devices (hardware and software drivers) set so-called "tilt bits" if they detect anything unusual. For example if there are unusual voltage fluctuations, maybe some jitter on bus signals, a slightly funny return code from a function call, a device register that doesn't contain quite the value that was expected, or anything similar, a tilt bit gets set. Such occurrences aren't too uncommon in a typical computer. For example starting up or plugging in a bus-powered device may cause a small glitch in power supply voltages, or drivers may not quite manage device state as precisely as they think. Previously this was no problem - the system was designed with a bit of resilience, and things will function as normal.

...

With the introduction of tilt bits, all of this designed-in resilience is gone. Every little (normally unnoticeable) glitch is suddenly surfaced because it could be a sign of a hack attack, with the required reaction being that "Windows Vista will initiate a full reset of the graphics subsystem, so everything will restart". The effect that these tilt bits will have on system reliability should require no further explanation.

7) All of this content protection leads to some novel security threats, including the ability to shut down computers with simple bits of code that interact with this DRM:
Content-protection "features" like tilt bits also have worrying denial-of-service (DoS) implications. ... With the number of easily-accessible grenade pins that Vista's content protection provides, any piece of malware that decides to pull a few of them will cause considerable damage. The homeland security implications of this seem quite serious, since a tiny, easily-hidden piece of malware would be enough to render a machine unusable, while the very nature of Vista's content protection would make it almost impossible to determine why the denial-of-service is occurring. Furthermore, the malware authors, who are taking advantage of "content-protection" features, would be protected by the DMCA against any attempts to reverse-engineer or disable the content-protection "features" that they're abusing.

8) All of this content protection will also waste resources: not just CPU time spent encrypting and decrypting the protected video and audio streams, but also CPU time spent continually checking that no tampering is occurring:
In order to prevent active attacks, device drivers are required to poll the underlying hardware every 30ms to ensure that everything appears kosher. This means that even with nothing else happening in the system, a mass of assorted drivers has to wake up thirty times a second just to ensure that... nothing continues to happen. In addition to this polling, further device-specific polling is also done, for example Vista polls video devices on each video frame displayed in order to check that all of the grenade pins (tilt bits) are still as they should be.

So, if we look at this logically, Windows Vista will:
  • discourage people from buying high-end hardware (why buy good audio or video hardware when your operating system reduces the quality of its output?)
  • discourage people from buying premium content (why buy premium content when you can get better video and audio quality from a downloaded version?)
  • encourage people to hack their hardware (and Vista itself), as that may be the only way to get high quality audio and video output from items they've legally acquired
  • discourage people from upgrading to (or using) Windows Vista (why would I want to buy an operating system that can, at any point in time, decide to stop working because my brand of hardware got hacked by someone on another continent?)
Is Microsoft trying to get users to switch to Macs and Linux?

Reference:

Gutmann, Peter. 2007. A Cost Analysis of Windows Vista Content Protection. Last updated January 8, 2007. Distributed under a Creative Commons license.
