[Bug 22901] Clarification regarding a potential CDM capable of running arbitrary code

https://www.w3.org/Bugs/Public/show_bug.cgi?id=22901

--- Comment #5 from Glenn Adams <glenn@skynav.com> ---
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > (In reply to comment #1)
> > > > No for two reasons:
> > > > 
> > > > (1) code is not embedded in a media stream;
> > > > (2) the function of the CDM is not to execute code (whether embedded in the
> > > > stream or not), but to decrypt media content from the media stream;
> > > > 
> > > > What specific language in the specification makes you think it does either
> > > > of these?
> > > 
> 
> The absence of specific language which indicates that code shall not be
> embedded into the media stream. And second the absence of specific language
> which indicates that the function of the CDM is not to execute code.

Why should this be prohibited? It may be that some media format embeds data or
that the initialization data contains data that may be interpreted by a CDM.

> 
> So to ask directly: Assume a CDM that receives an executable as part of the
> initialization data; this seems to be covered by "opaque Key System-specific
> collection of data." (Section 1.2.4) The CDM then runs the executable and
> provides the standardized interface between the user-agent and the
> downloaded code.
> Is this standard compliant, and if not, why not?

Yes. Initialization data is key system specific. No restrictions are placed on
its interpretation.

> 
> > [...]
> > How a specific browser manufacturer decides to integrate a CDM, and which
> > CDMs are integrated (either in a bound or unbound fashion) is up to the
> > manufacturer. The EME specification doesn't care either way.
> > 
> > So, as you can see, this is not a case of running arbitrary code, since the
> > browser manufacturer has complete control over what code they choose to
> > integrate.
> > 
> 
> So you are relegating all security concerns to the browser manufacturer?

EME does not define a system for executing code. CDMs are an implementation
detail of browser product packaging choices. Why should EME place any
constraints on the manufacturer? If the manufacturer wants to ship an insecure
product, that's their responsibility, and potential liability.

> 
> 
> > Note that it may be the case in certain CDMs that the CDM's code and
> > execution is delegated to the platform or even to a special hardware
> > processor where the details of the platform/hardware implementation aren't
> > available to the browser manufacturer. However, this is no different from a
> > browser manufacturer making use of other platform APIs (like device drivers)
> > for which the browser doesn't have code access. In other words, in these
> > cases, the browser manufacturer effectively "trusts" the platform code to
> > perform some advertised function (like decrypting a block of data).
> > 
> 
> > Since your response indicates that your original filing of this bug was
> > based on a misunderstanding of the spec, I am moving this bug from
> > RESOLVED/NEEDSINFO to RESOLVED/INVALID. If you would like further action,
> > you need to propose a specific change to the specification as written.
> 
> Please note that this is my first response.
> 
> I would suggest specifying:
> 1. A CDM shall not be able to run arbitrary code.

There is no cause for such a constraint. A CDM is an implementation detail not
defined or circumscribed by EME.

> 2. A section "Security considerations" which details some of the potential
> pitfalls of EME CDMs, similar to section 5 of the Web Crypto API draft [1].
> For this I would suggest specifically mentioning that CDMs are able to
> communicate with a server and therefore should be sandboxed.

CDMs are part of the browser implementation. If a browser implementer wants to
support a CDM that communicates directly with a server, that downloads code and
executes it, etc., then that is an issue for the browser manufacturer and CDM
vendor. It isn't an EME specification issue. EME does not define the CDM to
browser interface (if there is one), and does not define CDM behavior other
than as an abstract information flow model as indicated in the spec. Any EME
implementation is free to implement this model as it sees fit.

> 
> [1] http://www.w3.org/TR/WebCryptoAPI/


Received on Thursday, 8 August 2013 22:24:37 UTC