Abstract. Today, digital content is routinely distributed over the Internet and consumed on devices based on open platforms. However, on open platforms users can run exploits, reconfigure the underlying operating system, or simply mount replay attacks, since the state of any (persistent) storage can easily be reset to some prior state. Faced with this difficulty, existing approaches to Digital Rights Management (DRM) are mainly based on preventing the copying of protected content, thus protecting the needs of content providers. These inflexible mechanisms are not tenable in the long term, since their restrictiveness prevents reasonable usage scenarios, and even honest users may be tempted to circumvent DRM systems. In this paper we present a security architecture and the corresponding reference implementation that enables the secure usage and transfer of stateful licenses (and content) on a virtualized open platform. Our architecture allows for openness while protecting the security objectives of both users (flexibility, fairer usage, and privacy) and content providers (license enforcement). In particular, it prevents replay attacks, which is fundamental for the secure management and distribution of stateful licenses. Our main objective is to show the feasibility of secure and fairer distribution and sharing of content and rights among different devices. Our implementation combines virtualization technology, a small security kernel, trusted computing functionality, and a legacy operating system (currently Linux).
Keywords. Trusted Computing, security architectures, stateful licenses
⋆ Full version appears as a technical report HGI-TR-2007-002 in [24].
Motivation
Timo was about to board a train home when he noticed an advertisement for a wireless kiosk selling the first album from a new band. He took out his music phone, connected to the kiosk, which was already visible in his music gallery application, and with a few clicks downloaded a preview copy of the lead song in the album. While on board the train, Timo listened to the song and liked it so much that he listened to it once more. When he tried to listen a third time, the phone told him that he had used up the free previews, but could buy a full license. He bought the full license with a few more clicks and could listen to the song with no constraints. When he got home, he transferred the song to his home stereo system. When Anna visited Timo, he played the new song to her. She wanted a copy of her own. Timo used the remote control of his stereo system to lend a copy to Anna's music phone for a week. Timo's copy of the song remained disabled for a week while Anna was enjoying the song.
This and other similar scenarios for trading and using digital goods involve policies whose enforcement requires the enforcement mechanism to securely maintain state information about past usage or environmental factors. They can be enforced by using stateful licenses. Some e-business applications already deploy such (mostly proprietary) stateful licenses to sell certain digital goods (online vide...
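The scenario above and the abstract together make two points: a stateful license must persist usage state (previews consumed, purchase, a loan that disables the lender's copy), and on an open platform an attacker can restore an old copy of that state to replay it. The following is an added illustration, not code from the paper or its reference implementation. It models the preview/purchase/lending policy from the scenario and binds each persisted state to a monotonic counter kept outside the untrusted OS, so that a restored (stale) state fails verification. The counter-plus-MAC binding is a common trusted-computing technique assumed here for illustration; the paper's own mechanism is not described on this page, and the key, counter class and sample timestamps are constructed.

```python
"""Added example (not from the paper): a stateful license whose persisted state is
bound to a monotonic counter, so restoring an old copy of the state (replay/rollback)
is detected instead of honoured. The counter stands in for one kept by trusted hardware
or a security kernel; this binding is an assumed technique, not the paper's mechanism."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"   # constructed; in practice held by the trusted base
FREE_PREVIEWS = 2               # two free previews, as in the scenario
DAY = 86400


class MonotonicCounter:
    """Simulates a counter the untrusted OS can read and increment but never reset."""
    def __init__(self):
        self.value = 0

    def increment(self):
        self.value += 1
        return self.value


class ReplayDetected(Exception):
    pass


class LicenseStore:
    """Persists license state. Each save increments the trusted counter and MACs the
    (state, counter) pair, so only the most recently written state verifies on load."""
    def __init__(self, counter):
        self.counter = counter
        self.blob = None   # stands in for the on-disk file an attacker can copy and restore

    def save(self, state):
        n = self.counter.increment()
        body = json.dumps({"state": state, "n": n}, sort_keys=True).encode()
        tag = hmac.new(KEY, body, hashlib.sha256).hexdigest()
        self.blob = (body, tag)

    def load(self):
        body, tag = self.blob
        expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise ReplayDetected("state blob tampered")
        rec = json.loads(body)
        if rec["n"] != self.counter.value:   # stale copy: counter has moved on since it was written
            raise ReplayDetected(f"stale state: blob counter {rec['n']} != trusted {self.counter.value}")
        return rec["state"]


def new_license():
    return {"previews_used": 0, "purchased": False, "lent_until": None}


def play(store, now):
    """Returns True if playback is allowed; persists any state change it makes."""
    st = store.load()
    if st["lent_until"] is not None:
        if now < st["lent_until"]:
            return False              # lender's copy is disabled while on loan
        st["lent_until"] = None       # loan period over: copy is re-enabled
    if not st["purchased"]:
        if st["previews_used"] >= FREE_PREVIEWS:
            return False              # free previews exhausted, purchase required
        st["previews_used"] += 1
    store.save(st)
    return True


def purchase(store):
    st = store.load()
    st["purchased"] = True
    store.save(st)


def lend(store, now, days):
    st = store.load()
    st["lent_until"] = now + days * DAY
    store.save(st)


def timo_scenario():
    """Replays the motivation scenario; returns the sequence of play decisions."""
    store = LicenseStore(MonotonicCounter())
    store.save(new_license())
    t0 = 1_000_000                                   # constructed timestamp
    results = [play(store, t0), play(store, t0 + 60), play(store, t0 + 120)]  # 3rd preview refused
    purchase(store)
    results.append(play(store, t0 + 180))            # unrestricted after purchase
    lend(store, t0 + 200, days=7)
    results.append(play(store, t0 + 300))            # disabled while lent to Anna
    results.append(play(store, t0 + 8 * DAY))        # re-enabled after the week
    return results


def rollback_is_detected():
    """Attacker snapshots the state before any preview, uses both previews, then
    restores the snapshot. Returns True if the restored state is rejected."""
    store = LicenseStore(MonotonicCounter())
    store.save(new_license())
    snapshot = store.blob
    play(store, 0)
    play(store, 1)
    store.blob = snapshot
    try:
        play(store, 2)
    except ReplayDetected:
        return True
    return False
```

The state file itself carries no secret; what defeats the rollback is that the trusted counter cannot be rewound to match the restored blob. Without that external anchor the MAC alone would verify the old copy and the free previews would be replayable indefinitely.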