The present invention relates to electronic data processing, and more particularly concerns software and hardware for preventing the unauthorized manipulation of proprietary content in a computer.
Multimedia and other proprietary content is increasingly being made available in forms that can be received, processed, and presented in computers, or in sophisticated devices that share many of the characteristics of computers. Public networks such as the Internet can provide online selection and delivery of content in high-quality digital form. Even off-line media such as optical discs may have only specific rights granted to a customer, such as playback for a limited time period. For customers, online delivery and sophisticated licensing increase timeliness and convenience. Publishers can realize lower delivery costs, reduced physical inventory, and other benefits. Unfortunately, these advantages are often outweighed by the ease of unauthorized access, copying, and other manipulation by the customer or by others.
Unauthorized copying of online and other digital content is becoming a significant problem. In the past, most premium content available on the World Wide Web was of sufficiently low value that wholesale piracy was not attractive, and casual copying was not overly damaging to the content owner. Also, some digital media players already incorporate hardware protection against unauthorized access or manipulation. However, present and potential distributors increasingly desire to make available high-value content, and are increasingly fearful of both organized and casual theft of their rights.
New modes of distributing digital content frequently involve the transmission of a digital bit stream independently of a physically protectible medium, and manipulation by remote software and hardware over which the distributor has no control. These characteristics render the content especially susceptible to diversion by third parties, and to use by legitimate recipients of the content outside the scope of the license granted them by the distributors. Digital rights management is fast becoming an important concern as online commerce continues its rapid growth. Content distributors and the electronics industry must quickly develop technologies and protocols for ensuring that licensed digital content is guaranteed to be handled in accordance with the rights granted by its distributors. If adequate protection is not forthcoming, those who distribute premium content may be put out of business by widespread theft or, more likely, will refuse to deliver content in the otherwise desirable new ways that technology makes available. Digital data that is furnished to a user with restrictions upon its use will be referred to as licensed or premium content.
Traditional security systems do not adequately address this difficulty. Existing techniques for encrypting and storing data, and for authorizing and revoking user privileges, have little effectiveness against legitimate users of the hardware and software that ultimately employ the data; and it is precisely those legitimate users who have both an interest and an ability to misuse the data. Traditional smart cards merely provide authentication and encryption. Cryptographic coprocessors provide higher-performance services and are programmable, but operating systems and other untrusted programs can employ their functions for unauthorized purposes.
Three broad categories of solution are available for this problem. One solution is to forego general-purpose computers altogether in favor of special-purpose tamper-resistant hardware for delivery, storage, and display of valuable digital content. This is the approach adopted by the cable industry, and appears to be the model for digital video disk (DVD) players. The second solution employs proprietary data formats and software, or software containers. The third solution modifies a general-purpose computer to support a model for client-side content security and digital rights management.
One approach within the third category of solutions introduces the concept of a secure operating system. Minimal hardware support can allow a personal computer or similar general-purpose machine to authenticate to remote distributors that the computer is running a copy of an operating system that is trusted to provide adequate protection for digital content, and that even a legitimate user in physical possession of the computer cannot vitiate this protection. Copending commonly assigned provisional patent application Ser. No. 60/105,891, filed on Oct. 26, 1998, entitled "System and Method for Authenticating an Operating System to a Central Processing Unit, Providing the CPU/OS With Secure Storage, and Authenticating the CPU/OS to a Third Party", application Ser. No. 09/227,611, filed on Jan. 8, 1999, now U.S. Pat. No. 6,327,652, entitled "Loading and Identifying a Digital Rights Management Operating System", application Ser. No. 09/227,568, filed Jan. 8, 1999, entitled "Key-Based Secure Storage", and application Ser. No. 09/227,559, filed Jan. 8, 1999, entitled "Digital Rights Management Using One Or More Access Predicates, Rights Manager Certificates, And Licenses" describe aspects of this concept. Authenticating the proper booting and integrity of such a trusted operating system allows it to maintain secret keys and other data, and to prove to remote parties that it is running properly.
This solution works well. However, it requires constructing the entire operating system, as well as device drivers and other components, with the mechanisms for trusted operation. In the environment of relatively small systems, these problems need not be significant. Larger operating systems, such as the Windows 2000® operating system available from Microsoft Corporation, have millions of lines of code and thousands of individual modules, few of which have anything to do with digital rights management. Furthermore, such large operating systems are desirably open to extension and modification by third-party sellers of programs such as drivers, plug-ins, and utilities. It is difficult to ensure that all outside programmers comply with the rules required to preserve rights management, and a certification program could become onerous. Trusting entire operating systems also requires that bugs in any part of the system be remedied very quickly and thoroughly, because rights management involves the entire system.
The success of digital rights management in developing new methods of content delivery therefore still needs an architecture for protecting rights in digital content, in the environment of general-purpose, user-controlled equipment having large, multi-purpose operating systems.
A "secure pages" architecture is capable of running designated processes, libraries, or other software components at a higher level of protection, without requiring that the remainder of an operating system or similar environment be trusted. For example, rights-management operating-system modules, communications drivers, and video decoding application programs can run in protected memory that is not accessible by other OS modules and device drivers, or by other applications outside the OS, even if those outside components actively attempt to steal content data or data such as keys for decrypting the content. The trusted modules exchange data among themselves, and are able to prove to remote parties that they are running in a protected mode. Each trusted module optionally restricts access from some or all of the other trusted modules, to create a hierarchy of trust.
Secure pages handle premium content with a system of code modules in a hierarchy of trust, where a module names other modules that it is willing to trust, and those modules in turn name other modules that they are willing to trust.
According to other aspects of the invention, trusted code modules execute in a secure memory with page permissions assigned by a secure loader and a security manager, enforced by a memory manager. Code entry points are restricted for greater protection. Security managers for particular operating systems can be received from an outside source.
Secure pages also provide increased user security for applications such as home banking, where the application must be protected from viruses or other malicious code, and where it must store secrets (for instance, bank account numbers and transactions) on disk in a way that is unconditionally inaccessible to other applications, and to viruses.
Secure pages permit a code module running in a particular module to be cryptographically authenticated over a network. The code can also store secrets encrypted on disk in a form that is inaccessible from other modules. Code that runs in a secure page is also inherently protected from viruses or other adversarial attack. While it is running, the secure-page memory manager protects the code from tampering. When the code is stored on disk, it cannot be modified without changing its identity, so that any secrets stored on disk will not be available to the modified component, and the modified program will be unable to authenticate itself as trusted over a network.
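The two properties described above, a hierarchy of trust in which each module names the modules it trusts, and on-disk secrets that are bound to a module's identity so that a modified module cannot recover them, are illustrated by the following model. It is an added example, not code from the patent or from any Microsoft implementation; the identity-as-code-digest rule, the constructed platform key, and the toy keystream construction are assumptions chosen to show the binding, not a production sealing scheme.

```python
import hashlib
import hmac

# Constructed platform secret standing in for the key the secure loader
# would hold in hardware; a real design never keeps it in plain software.
PLATFORM_KEY = b"constructed-platform-key"

def module_identity(code: bytes) -> str:
    """A module's identity is a digest of its code, so any patch renames it."""
    return hashlib.sha256(code).hexdigest()

class TrustHierarchy:
    """Each module names the identities it is willing to trust; trust chains."""
    def __init__(self):
        self._trusts = {}  # identity -> set of identities it names

    def declare(self, code: bytes, trusted: list) -> str:
        ident = module_identity(code)
        self._trusts[ident] = {module_identity(c) for c in trusted}
        return ident

    def is_trusted(self, root: str, target: str) -> bool:
        """True if target is reachable from root along named trust edges."""
        seen, stack = set(), [root]
        while stack:
            cur = stack.pop()
            if cur == target:
                return True
            if cur in seen:
                continue
            seen.add(cur)
            stack.extend(self._trusts.get(cur, ()))
        return False

def _sealing_key(ident: str) -> bytes:
    # Per-identity key: platform secret mixed with the module's identity.
    return hmac.new(PLATFORM_KEY, ident.encode(), hashlib.sha256).digest()

def seal(code: bytes, secret: bytes) -> dict:
    """Bind a short secret (<= 32 bytes) to the identity of the storing code."""
    key = _sealing_key(module_identity(code))
    stream = hashlib.sha256(key + b"stream").digest()  # toy keystream
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"ct": ct, "tag": tag}

def unseal(code: bytes, blob: dict):
    """Return the secret only if the requesting code has the sealing identity."""
    key = _sealing_key(module_identity(code))
    expect = hmac.new(key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None  # different identity: wrong key, tag fails
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))
```

Trust is directional: a rights manager that names a decoder, which in turn names a driver, transitively trusts the driver, while the driver has no trust path back to the rights manager.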