
HTML5 has a DRM framework, Encrypted Media Extensions (EME), that allows DRM companies to create content decryption modules (CDMs) to decrypt DRM-protected content. Browsers should use a sandbox to run the CDM, so that security holes that allow access to the computer are not as dangerous as they were when Flash was used for DRM. Furthermore, it is a plugin concept that allows more companies to provide modules for different forms of DRM, so that competition is enabled.

But when there is a standardized API for modules and the modules themselves run in a sandbox (and thus have limited ability to modify the system to protect themselves), how can they protect the output stream? The site sends encrypted data, which goes into the CDM, and then the CDM plays a video using a standard API inside the browser. How does the CDM prevent me from patching the API to dump the stream to disk instead of playing the video?

For example, the Widevine CDM provided by Google seems to link against ffmpeg. What would happen if somebody started grabbing the data that goes into the decoder in the ffmpeg library? Then the attacker could store the video stream (probably in some MP4 format). Another option would be to grab the output of the decoder and save raw video data.

How does the CDM protect its output?

I am aware that Netflix in Full HD does not use this mechanism but relies on a trusted media path, thus requiring Windows 10 (I guess booted with Secure Boot), a recent Intel processor and an HDCP-capable monitor, so the trust chain is never broken. But most other DRM video uses EME with one of the common CDMs.

When the addon itself is not responsible for protecting the output, how do real-world addons make sure that the browser protects their output?
As far as I know, addons like Widevine run in open-source builds of Firefox (i.e. they do not restrict themselves to binaries provided by Mozilla), but there are no large leaks of DRM-protected movies.

For example, I would expect a lot more ripped Netflix movies if anyone could run the CDM in a patched browser and then extract the decrypted media stream.
Consequently, Netflix would never have adopted the standard if the output of the CDM could just be extracted using the EME API.

allo
  • Moreover, I don't have to patch the browser. Even if it's closed source, I can RE it and see the authentication mechanism it uses. User agent? No problem, fake the user agent, etc. But I suspect this is a question about DRM in general, and has nothing to do specifically with EME. Open standards make the work easier, but not many times - you don't even have to do RE, you can sniff the network traffic. – Chayim Friedman Jun 29 '20 at 10:01
  • Did you get an answer? I'm interested in this question, too – Chayim Friedman Jun 29 '20 at 10:02
  • @ChayimFriedman No, I still do not know. – allo Jun 29 '20 at 21:41

1 Answer


According to my reading of the specification, this is not a problem that Encrypted Media Extensions are designed to deal with. Once it is verified that your User Agent is allowed to access the media and the media is decrypted, the CDM doesn't care about it anymore. It is then up to the User Agent to handle media protection from there (such as with the Windows Protected Media Path you mentioned).

Moshe Katz
    Then I'd like to extend my question: How do DRM addons make sure the browser protects their output? If they did not protect it at all, there would be a lot of ripped Netflix movies and other protected media. – allo Apr 12 '19 at 09:13
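An added example, not from the question, the answer, or any of the projects mentioned, showing the one output-protection lever EME does expose to a web page: the `robustness` field of a MediaKeySystemConfiguration. The code probes Widevine's robustness tiers from strongest to weakest through `navigator.requestMediaKeySystemAccess` (injected as a parameter so the file runs outside a browser against constructed stand-in CDMs) and picks a rendition from the strongest tier the CDM accepts. The tier names and key system ID are Widevine's real ones; the rendition policy, the two fake CDMs and the codec strings are assumptions for illustration.

```javascript
// Added example (not code from the original question or answer).
// Negotiating an EME robustness level and choosing a rendition from it.

const WIDEVINE = 'com.widevine.alpha';

// Widevine robustness tiers, strongest first. HW_* tiers mean decryption
// (HW_SECURE_CRYPTO), decryption+decoding (HW_SECURE_DECODE) or the whole
// pipeline including output (HW_SECURE_ALL) runs in hardware / a TEE, so the
// decoded frames never pass through the browser process a user could patch.
const ROBUSTNESS_TIERS = [
  'HW_SECURE_ALL',
  'HW_SECURE_DECODE',
  'HW_SECURE_CRYPTO',
  'SW_SECURE_DECODE',
  'SW_SECURE_CRYPTO',
];

// One MediaKeySystemConfiguration demanding the given robustness for both
// audio and video. Codec strings are assumed for the example.
function makeConfig(robustness) {
  return {
    initDataTypes: ['cenc'],
    audioCapabilities: [
      { contentType: 'audio/mp4; codecs="mp4a.40.2"', robustness },
    ],
    videoCapabilities: [
      { contentType: 'video/mp4; codecs="avc1.42E01E"', robustness },
    ],
    persistentState: 'optional',
    distinctiveIdentifier: 'optional',
  };
}

// Probe tiers strongest-first; the first one the CDM accepts is the best
// protection this device will attest to. requestMKSA has the signature of
// navigator.requestMediaKeySystemAccess(keySystem, configs) -> Promise.
// Returns { robustness, access } or null if no tier is supported.
async function negotiateRobustness(requestMKSA, keySystem = WIDEVINE) {
  for (const robustness of ROBUSTNESS_TIERS) {
    try {
      const access = await requestMKSA(keySystem, [makeConfig(robustness)]);
      return { robustness, access };
    } catch (e) {
      // NotSupportedError: CDM/platform refuses this tier, try the next one.
    }
  }
  return null;
}

// Assumed site policy: only a fully hardware-protected path gets Full HD.
function chooseRendition(robustness) {
  if (robustness === 'HW_SECURE_ALL') return '1080p';
  if (robustness && robustness.startsWith('HW_')) return '720p';
  if (robustness) return '480p';
  return null;
}

// Constructed stand-in for a device with only a software CDM (Widevine L3):
// rejects every HW_* request.
function fakeSoftwareOnlyCdm(keySystem, configs) {
  const wantHw = configs.some(c =>
    c.videoCapabilities.some(v => v.robustness.startsWith('HW_')));
  if (keySystem !== WIDEVINE || wantHw) {
    return Promise.reject(new Error('NotSupportedError'));
  }
  return Promise.resolve({ keySystem, getConfiguration: () => configs[0] });
}

// Constructed stand-in for a device with a hardware CDM (Widevine L1).
function fakeHardwareCdm(keySystem, configs) {
  if (keySystem !== WIDEVINE) {
    return Promise.reject(new Error('NotSupportedError'));
  }
  return Promise.resolve({ keySystem, getConfiguration: () => configs[0] });
}

// Run the negotiation and map the result to a rendition.
async function demo(requestMKSA = fakeSoftwareOnlyCdm, keySystem = WIDEVINE) {
  const result = await negotiateRobustness(requestMKSA, keySystem);
  const robustness = result ? result.robustness : null;
  return { robustness, rendition: chooseRendition(robustness) };
}

// In a real page: demo(navigator.requestMediaKeySystemAccess.bind(navigator))
```

The caveat a practitioner should keep in mind: this client-side selection is only a courtesy to the user. A patched browser can request the 1080p manifest regardless of what `chooseRendition` says, so the real gate is the licence server, which sees the CDM's signed licence request (including the security level the CDM attests to) and issues keys for the high-value tracks only to hardware-backed CDMs. That is why a software CDM in an open-source Firefox build can still play the service's lower-quality streams without the keys for Full HD ever leaving the licence server.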