Arxan ConfidentialArxan Confidential

Arxan Technologies

Enhanced Content

Protection for HD+ Digital Media

February 2012

2Arxan Confidential

Agenda

• Arxan Overview

– Update on marketplace adoption of Arxan’s Enhanced Content Protection technology

• Technology Overview – Arxan’s Content Protection Suite

– Cross platform code-hardening and key hiding

– Achieving Enhanced Content Protection – Software-based protection

– Hardware root of trust integration

• The critical role of code hardening and key security for protecting HD+

• Featured Use Cases

• Summary and Q/A

3Arxan Confidential

Arxan Overview

• Best-of-Breed and Unique Content Protection Technology– Innovative, patented technology for Static and Dynamic Defense– Based on a threat-based, customizable approach that is DURABLE, RENEWABLE

and ENFORCEABLE

• Global and Proven Wide scale adoption across the digital media landscape– 20% of DECE/UV members = Arxan customers and partners Growing– Long-term and Proven Success Enhanced Content Protection – Diverse use cases : video, audio, DRM , IP and sensitive code security

• Some examples: Google (Widevine), Verance, Marlin

– 2011: 84 % Revenue growth, 100% digital media customer growth, 100% renewal rate

• Arxan technology recommended as ‘de facto’ standard for HD+– Protection implementations: very deep, intricate security greater than the

minimal Robustness Rules requirements – Security approach is consistently thorough and rigorous per implementation– Arxan is HW (connected home/embedded devices) and DRM agnostic

4Arxan Confidential

Digital Media Ecosystem

Content Publishers

● DRM/CAS/IP Protection/Key Security

● t l M Ml M rsM Mp r torsM Monsol sM MTMsM v Digi a edia a ee a e D e iceM nu tur rsa fac e

Embedded Device Manufacturers

More apps, more digital workflows bigger attack surface

Arxan is widely adopted by UltraViolet Content Providers, Client Implementers, DSPs and LASPs

Arxan ConfidentialArxan Confidential

Content Protection Technology Overview

Arxan Confidential

6Arxan Confidential

• Software products that provide Internal Real-time Guarding of applications to make code tamper-aware and tamper-resistant through self-protections

• Quickly and easily instrument a deep intricate layered protection by embedding a network of Guards, interdependent protection routines, into a program at the binary x86 code level with GuardIT® and at the object level for ARM, PPC and MIPS architectures with EnsureIT®

• TransformIT™ is a White Box Cryptography (WBC) solution that combines mathematical algorithms with data obfuscation techniques to perform standard cryptographic functions utilizing transformed keys such that they cannot be discovered

• Benefits include:– Multiple uses: Desktop, Mobile, Embedded and Server

– Layered protection for defense-in-depth

– Static and Dynamic security on running applications

– No single point of failureArxan Confidential

Content Security: Key and Code Hardening

7Arxan ConfidentialArxan Confidential

Arxan Content Protection Suite

• Code Protection (Anti-RE and Anti-Tamper):– Desktop/Server/Embedded/Mobile Applications– GuardIT for Windows

– GuardIT for Linux

– GuardIT for Mac OS X

– GuardIT for Microsoft .NET Framework

– GuardIT for Java

– EnsureIT for Android/ARM

– EnsureIT for Apple iOS/ARM

– EnsureIT for Linux/ARM

– EnsureIT for PowerPC

– EnsureIT for Linux/MIPS

– Add-ons

– - Arxan Licensing Code Protection for FlexNet Publisher Certificate Based

– - Arxan Licensing Code Protection for FlexNet Publisher Vendor Daemon

– - Arxan Licensing Code Protection for FlexNet Publisher Trusted Storage

– - Arxan Tamper Resistance Solution for Marlin DRM

• Cryptographic Key Protection (Public/Private Key Hiding):– TransformIT

• Host-ID Spoofing Prevention– BindIT

• Professional Services:– Product Extension Services, Security audits, Blue team, Risk assessments, etc.

• Supported languages – C, C++; Objective C/C++; both native and mixed

mode images– C# , VB.NET for managed code applications

• Supported executable file formats – PE– ELF– Mach-O/Universal Binary

• Supported compilers – Visual Studio 2003, 2005, 2008, 2010– Various Flavors of GCC

• Supported Development (Host) Platforms – All Flavors of Windows

• Supported Deployment (Target) Platforms – All Flavors of Windows– Red Hat Enterprise Linux 4 and 5– Mac OS X 10.4 – 10.6

• Supported Target chipsets – Intel Compatible x86 (32-bit); 64-bit chipset ; PPC ;

ARM; MIPS

• Build integration – Command line interface allows seamless integration

into any build environment

8Arxan Confidential

Configurable Layered Protection

CPI/IP Code IdentifiedCritical Code Identified

Critical Code Protected by:Repair Guard

Critical Code Protected by:

Checksum Guard

Control Flow Graph

Repair

Checksum

Guard Protected by:Checksum Guard

Guard Protected by:Encryption Guard

Encryption

Checksum

Guards Protected by:Obfuscation Guard

Obfuscation

ChecksumImage Protected

by:Checksum Guard

Arxan Confidential

• Network of Guards– Use multiple Guards to protect a single code

segment– When attack is detected, Guards ‘fire’, reaction

is fully programmable– Layered Protection– Many implementations of given Guard, so no

global signature– Guards protect selected ranges of code– Guards protect entire image– Guards protect each other

9Arxan Confidential

Sophisticated and Layered Guard Network

• Protection implementations follow industry-leading best practices for unique, renewable and targeted security in many layers

Arxan ConfidentialArxan Confidential

Critical Role of Key Security and Code Hardening for HD+

Arxan Confidential

11Arxan Confidential

Protecting Digital Media Content• Arxan content protection technologies are routinely used to help

meet “robustness rules” compliance– Arxan addresses robustness requirements with solutions for cryptographic

operations with key hiding (TransformIT) PLUS code protection (GuardIT/EnsureIT)

• Approach: thoroughly assess risks and implement a deep protection extends well beyond meeting merely “letter of law” of robustness rules.– Directly and indirectly we help achieve:– Cryptographic functions with required key hiding

– Signing and verification requirements

– Revocation

– Watermarking

– Device authorization (hardware binding or other)

– Code obfuscation

– Software integrity validation via signing or check-summing

– Anti-debugging, anti-decompilation

12Arxan Confidential

Protecting Digital Media Content

Arxan’s methodology for content protection:

• Jointly perform a detailed and rigorous threat analysis for the specific DRM and surrounding implementation

• Identify the critical areas of code that instantiate the threat vectors• Identify additional threat areas outside of the DRM proper• Identify areas of code that can host guards for implementation of

the overall network

• Driven by risk assessment• Multi-layer protection design• Utilize widest possible range of fail actions• Cross check back to robustness rules to assure full

coverage

• Performance and security level measurement and tuning• Generation of diverse executables as required• Final QA and delivery

Guard Network

Implementation

Guard Network

Design

Risk Assessment

13Arxan Confidential

Code Protection Complements HW Root of Trust

• Trusted execution environments (“TEE”) supported by security hardware is a complementary technology to Arxan’s guarding solutions.

• “Trusted” software executing inside the trusted environment can be additionally protected from tampering and reversing through the use of Arxan’s guarding technologies

• Software that cannot run inside the trusted environment can be protected using Arxan’s guarding technologies without requiring or interfering with root of trust functions.

• As root of trust implementations mature and standardize, Arxan guarding techniques may be able to leverage security API’s to provide additional security attributes to non-TEE applications

14Arxan Confidential

TransformIT and HW Root of Trust

• Arxan’s TransformIT can provide both:– a software only solution for cryptographic operations where key

hiding (including use of dynamic keys) is a requirement.– a software solution that leverages hardware enabled root of trust

(TEE) service

• Without requiring any application source change!• Ensures availability of crypto services with key hiding with a

common API for the app, on all system environments.• Maximizes usage of hardware value when available in

system environments• Reduces application porting/testing cost across diverse

target platforms

15Arxan Confidential

Application Portability and Leverage of HW TEE with TransformIT

Application

TransformIT

No HW security dependency

OS w/o root of trust services

HW without security features

Application

TransformIT

Leverage of HW supported security services

OS

HW with security features

Root of TrustServices

No source code changes required in application to use key hiding crypto services:Available in standalone S/W (WBC) form, or leveraging hardware based TEE

(software only)

16Arxan Confidential

Trusted Execution Environments

• Arxan has all the technology components required to develop and deliver a standalone software trusted execution environment (Software TEE)

• As with TransformIT, an Arxan Software TEE can provide a stable trusted run-time environment across diverse platforms

• Derivative versions of the Arxan Software TEE will take advantage of extant hardware enabled root of trust services

• This model assures applications:– Availability of the TEE independent of platform specifics, including

availability of security hardware, differences in root of trust s/w API’s, access issues to the root of trust API’s, etc.

– Maximal leverage of the hardware security services when they are available

– Without requiring custom porting to each and every target platform

17Arxan Confidential

Application Portability and Leverage of HW TEE with TransformIT

Arxan TrustedExecution

Environment (software only)

Application

No HW security dependency

OS w/o root of trust services

HW without security features

Arxan TrustedExecution

Environment

Application

Leverage of HW supported TEE services

OS

HW with security features

Root of trustservices

No source code changes required in application to operate in a trusted executionenvironment: TEE available in standalone s/w form, and leveraging h/w security.

Arxan ConfidentialArxan Confidential

Featured Use Cases for

Enhanced Content Protection

Arxan Confidential

19Arxan ConfidentialArxan Confidential

Selective Use Cases for ECPProfile: Watermarking

ProviderConsole / STB

ContentStreaming Video from Premium Content Provider

Streaming Content Provider

Cross-Platform DRM

ArxanCustomer:

Audio Watermarking Technology

Vendor(Verance)

Worlds most popular Cross

Device(Divx)

Mobile DRM Solution Provider

(Authentec)

World’s Leading

Streaming Content

Provider

Leading Multi-Platform DRM

Provider(Widevine/

Google)

Use Case and App Secured:

Protecting the Cinavia Product.

IP protection and anti-tamper of the

technology is critical.

Protect DRM SDK across a broad

range of platforms. The DRM is

accessed by a number of end-

products including digital media players and

content stores, some of which are

internal-to-DivX/Rovi & others are

partner’s end-products.

Protect DRM (PlayReady®) agent and 3rd party media

players on iOS and Android.

Undergone Independent

security

Enhancing DRM protection

(Playready), Device Binding, Secure store,

Communications from client to

server

Targets include leading game

consoles

Enhancing security of DRM

for content protection

Example App: Netflix Plug-In on

Chrome OS

Target of Attack/Protection:

Client software on target devices

Client software on target devices and

key discovery

Client software on target devices and

key discovery

Client software on target devices and

key discovery

Premium content via PC, Mac,

Linux, iOS and Android viewing

20Arxan Confidential

Summary: ECP with Arxan

• Proven success with software-based ECP products and methodologies

• Scalable software-based ECP solution complements and can take advantage of hardware root of trust

• Rapid and Cost-effective Deployment– No changes to the source code or the how the application works– Ease of diversification and renewable security enables low cost breach

mitigation

• Arxan security satisfies robustness requirements for both open and closed environments

• Arxan security is DRM and device agnostic– Flexible licensing scenarios to match the unique deployments of DRMs and

other variables

• Comprehensive platform/processor coverage

Arxan ConfidentialArxan Confidential

Thank You ….

Questions ?

www.arxan.comBlog: http://arxancto.blogspot.com/Twitter: http://twitter.com/arxancto

Arxan Confidential

Kevin Morgan – kmorgan@arxan.com – CTO/VP Engineering

Jodi Wadhwa – jwadhwa@arxan.com – VP Marketing