Avni Rambhia's Blog


The Role of Standardized TEE in DRM

19 Jul 2015 | by Avni Rambhia

The trusted execution environment (TEE) is a secure area that resides in the main processor of a connected device and ensures that sensitive applications are stored, processed and protected in a trusted environment. The TEE's ability to offer safe execution of authorized security software, known as ‘trusted applications’, enables it to provide end-to-end security by enforcing protection, confidentiality, integrity and data access rights. Made up of software and hardware, the TEE offers a level of protection against software attacks generated in the rich operating system (OS). It assists in the control of access rights and houses sensitive applications, which need to be isolated from the rich OS. The TEE bridges the gap between the rich OS (high functionality, low security) and the secure element (SE) (limited functionality, high security).

Digital content such as videos and TV programs requires not only a high level of functionality to deliver the quality features expected by end-users, but also a high level of security to protect against unlawful reproduction and redistribution of copyrighted works. The TEE simplifies the critical tasks of secure boot chain, secret key storage, secure time verification and secure updates that are needed to implement a robust media player.

The Need for Standardization in TEEs 

Developing secure media playback applications is not only technologically difficult but also extremely expensive. Porting a robust media application which conforms to typical robustness obligations can easily cost upwards of a quarter million dollars per platform. While a few large service providers have the financial means to bite the proverbial bullet and build out an extensive application base, this level of investment is out of reach for most service providers. If application developers had a more standardized way to leverage “trusted hardware” resources within any given device, they could – in theory at least – develop an application once and then port it relatively quickly from a security and robustness perspective.

This was the motivation for GlobalPlatform, which identifies, develops and publishes specifications that promote the secure and interoperable deployment and management of multiple applications on secure chip technology, to take on the work of standardizing an interface to a trusted execution environment (TEE). Picking up where the TrustZone architecture for ARM left off, GlobalPlatform’s TEE specification transcends chipset architectures and specific implementation characteristics to provide an international industry standard for building a trusted end-to-end solution which serves multiple actors and supports several business models.

By providing a reasonably isolated secure execution environment that can be leveraged whenever valuable assets need to be accessed in the end-to-end video rendering path, GlobalPlatform enables a standardized way for DRM applications to store and access application secrets and keys, and to handle license storage and management, usage policy or account information. The same infrastructure is also applicable to functions such as watermarking and fingerprinting.

In addition, the trusted application interfaces, via a large number of APIs (such as HTML5), with other device components and modules, whether secure or unsecure (media playback, scheduling, and rendering), which allows the secure treatment inside the TEE to be combined with other features present in the device. To complete the solution, attestation of information for the remote validation of the video rendering path is part of the TEE remote administration.

 

How to achieve a ‘trusted’ TEE

As with all stakeholders, DRM providers want to be assured that a TEE installed in a connected device is a ‘trusted’ TEE and has been created to a recognized industry standard such as GlobalPlatform. As part of GlobalPlatform’s commitment to ensuring the long-term interoperability of embedded applications on secure chip technology, it has developed an open and thoroughly evaluated compliance program which allows stakeholders to evaluate the functional behavior of a TEE product against the requirements outlined by GlobalPlatform TEE Specifications. Adding to this offering, in February 2015, GlobalPlatform’s TEE Protection Profile was officially certified by Common Criteria. This means that product vendors are now able to undertake formal security evaluation of their TEE products, using laboratories licensed by supporting certification bodies to evaluate and certify that they meet the security requirements in the document.

 

GlobalPlatform also plans to launch a TEE Security Certification Secretariat later this year, as well as announce GlobalPlatform Security Accredited Laboratories. The certification of products to GlobalPlatform’s TEE Specification Suite and Protection Profile promotes confidence within the connected devices market by establishing an agreed industry framework. This lowers the cost of progress for industry players such as application developers, hardware manufacturers and software developers by removing barriers caused by interoperability issues. Most importantly, a compliance program also provides a common framework for partnership initiatives to develop throughout the value chain. This will increase business opportunities and create an overall benchmark for the market to strive towards.

 

What does this mean for DRM developers today?

Most DRM vendors Frost & Sullivan interviewed acknowledged that a standardized interface to a TEE has the potential to dramatically improve the scalability of multi-screen applications across a growing combinatorial nightmare of devices, platforms and hardware primitives. The problem is that there is still a considerable gap between the ideal level of maturity and comprehensiveness such a standard would deliver, and the status of implementations currently available. One content protection company we spoke to commented that: “Our experience is that it has always been, and still is, important to exploit every aspect of hardware support that exists in chipsets. The TEE is one of those hardware layers that is important to leverage, whenever it is available, as part of the security implementation regime.” Another similarly pointed out that a TEE characterized by a standardized API is a welcome development, but in reality developers continue to grapple with a complex and intricate landscape which they must navigate on a device-by-device basis.

Another aspect that is causing worry across the board is that despite the many security features they offer, TEEs are still not in and of themselves a silver bullet for security against hackers. As one example, any application that is certified under an appropriate program to be “secure” is then authorized to run within the TEE along with other highly sensitive applications. This places a tremendous burden on penetration testing and security verification procedures. Even one rogue application slipping past this figurative checkpoint erases the benefits of hosting a DRM application within a quarantined execution environment and places all its keys and secrets at risk of discovery and dissemination. As a result, DRM applications built to leverage a TEE still need to be made internally robust through application hardening measures such as obfuscation, white box cryptography, and more. Furthermore, the task of DRM applications does not end at cryptography, as is the case with simpler applications such as financial or banking apps. Media applications must continue to secure compressed, decrypted content streams throughout the decompression and rendering process – which nearly always occurs outside the TEE today.

Despite these challenges, it is clear the community at large is in agreement that TEE standardization initiatives like GlobalPlatform represent a much-needed step in the right direction towards enabling cost-effective cross-platform secure content applications. Over time, as the standard matures, and its implementations and surrounding testing procedures mature, there is tremendous potential for meaningful reductions in the current complexity of porting robust, durable DRM applications to the fullest possible range of managed set top boxes and unmanaged consumer devices. As the need for customization and re-engineering on a device-by-device basis is minimized, time to market and flexibility are maximized and ROI is dramatically improved.

Factors like globalization of OTT businesses into piracy-rich markets, increasing content resolution past HD towards 4K and beyond, and the competitive imperative to open up vast content libraries for anywhere-anytime access, create worrisome risks for content creators who nonetheless need to tap into the revenue potential of new media business models in order to remain competitive, relevant and profitable. As a consequence of this, many studios and programmers will continue to require top of the line security measures from their content licensees, including applications that build out or leverage secure video paths. That said, at Frost & Sullivan we believe there will be a growing number of programmers & copyright owners who are willing to accept best-effort secure clients that opportunistically leverage hardware security anchors as available but who will not require content to be withheld from devices whose price points cannot justify this level of hardware sophistication. This global opportunity notwithstanding, we also believe that content services in major markets will only be able to differentiate and thrive if they achieve the ability to reach over 95 percent of devices in the market with a consistent, high-quality, immersive content experience. Unfortunately the economics for achieving this today are daunting, leading many service providers to restrict their reach to the top 5 or 8 devices in the market and consequently severely restraining their ongoing growth potential. Any technology or initiative that can mitigate this business-critical pain point – even if it cannot fully eliminate it – is a step forward in the right direction.

A detailed discussion of Frost & Sullivan’s findings around technical trends in DRM and the impact of initiatives like GlobalPlatform on the competitive landscape for the DRM industry is available here.
