Abstract
Personal content creation has become a significant part of the media industry, and sales are not necessarily the main objective of such creators. Individual creators have a greater need for privacy protection; therefore, the novel active content (AC) approach is proposed to address this need. The Intention Markup Language (InML) is also introduced to express the content owner’s intentions systematically and precisely, and then to implement these as executable code. To overcome the incompatibility and inconvenience of the existing digital rights management (DRM) systems, the novel AC format is proposed. This is based on the Portable Executable (PE) format and consists of a PE header and sections, followed by an AC header, the content, and the intention code. The proposed content virtualization technique protects the content against a variety of attacks by treating content in main memory as if it were stored on the user’s storage. Since external players, beyond the AC control boundary, may potentially expose the content, these are controlled by hooking code included in the intention engine while the AC is in use. Finally, example use cases are presented to show how intentions can be expressed in InML documents, and the creation and use of an AC file on Windows is demonstrated.
Introduction
Today, most content is digital, which has led to widespread copyright infringement in the highly-developed Internet environment. In addition, since information and communication technologies have evolved, it has become increasingly difficult for owners to protect their copyrights. Therefore, a variety of digital rights management (DRM) technologies have been developed and utilized in many digital content-focused business areas. DRM frameworks enable digital content to be securely and transparently distributed, protecting copyright holders and intermediaries in the content distribution value chain [1]. Traditional DRM approaches are conceptually simple but very complex in practice, for two reasons. First, users are unfamiliar with such DRM systems, which are restrictive and mean that buyers of legal content are faced with complex software installation processes and hard-to-understand user interfaces. Second, there is no de facto standard and it is very difficult to achieve interoperability between DRM systems for business (rather than technical) reasons. Here, interoperability means enabling content and associated rights governed by one DRM system to be exported to and managed by other DRM systems. Although there have been efforts to achieve interoperability among many different intermediaries and DRM systems, the results have not been satisfactory [2, 7]. Nevertheless, DRM systems are used in a range of different fields, for example enabling healthcare companies to manage secure documents [3] and the digital cable TV industry to control unauthorized subscription and illegal reproduction using the broadcast flag [4]. The organizations that have deployed DRM successfully typically produce massive amounts of content or profit from distributing this content to consumers.
This is the era of personal content creation, as can be seen from the proliferation of video streaming sites, personal blogs, and social media sites, among others [5]. While organizations and other professional producers primarily create content to generate revenue, individual content creators may have a variety of other goals such as gaining popularity, personal collection, monitoring how the content is used, and limited sharing. Since DRM systems are expensive and difficult to use and cannot accurately represent personal creators’ intentions, these goals cannot be achieved using traditional DRM systems. For example, the desire to restrict sharing is closely related to the protection of privacy. Someone may only want to share a photo of their face with a few friends, or send a scanned copy of their driver’s license to an agency on the understanding that it is checked and then permanently destroyed.
Ultimately, the protection of privacy is more important and necessary than copyright protection for individuals [6]. DRM approaches are being used to protect privacy as well, since both DRM and the protection of privacy involve access control. However, their drawbacks, such as system complexity, incompatibility, and cost, are more significant for individuals.
Thus, dealing with personal content creation and different individual needs will require a new approach. This is the motivation behind the proposed novel digital content format, called active content (AC), which consists of a Portable Executable (PE) header and sections [17], followed by an AC header, the passive content, and the intention code, as shown in Fig. 1. Here, “passive content” refers to content in existing formats, as distinct from the active (executable) content. The AC approach makes content available in accordance with the content owner’s intentions; the intention code ensures that only the intended operations on the content are available on the recipient’s platform. In contrast, a content recipient can freely control passive content if no DRM system governs it. AC does increase the content size slightly, which used to be a crucial issue. However, the increase in size due to the included header information and intention code is trivial in an age where increases in camera resolution and decreases in storage prices have increased the size of multimedia content dramatically. Any type of content can be protected using AC, but this paper focuses on still images because they are one of the most popular content types shared via the Internet.

Fig. 1. Overall structure of the AC format.
As shown in Table 1, there are many differences between the DRM and AC approaches. First, the AC system is designed to be simple and easy to use; therefore, it excludes the payment algorithms and processes of DRM systems, reducing the value chain players to just the sender and receiver and greatly reducing the system complexity. When using a DRM system, the content owner creates the content but the control code is written by a DRM company. This division makes it difficult for content owners to express their intentions for the content in an accurate and timely manner. Finally, DRM systems require an agent to be installed on the PC or device before the content can be accessed, significantly reducing interoperability.
Table 1. Comparison of active content and DRM approach.
In summary, a novel digital content format is proposed that protects the content owner’s privacy better by only allowing the uses they intend. This paper is organized as follows. Section 2 defines the Intention Markup Language (InML) format, used to systematically express individual intentions, and provides several use cases. Section 3 introduces the overall AC creation mechanism and the content virtualization technique, together with methods of controlling external players to resolve security issues. Section 4 implements an actual AC scheme on Microsoft’s Windows 7 platform, describing the AC authoring tool and format in detail. Finally, Section 5 presents the conclusions.
The copyright owner’s rights to a piece of content can be expressed systematically using Extensible Markup Language (XML), for example via the Extensible Rights Markup Language (XrML) or Open Digital Rights Language (ODRL) [8]. The XrML [9] is defined as a “digital rights language for trusted content and services.” It supports content integrity and entity authentication and confidentiality, which are quite complicated to use for the protection of privacy. The ODRL [10] focuses on assets, agreements, and parties. It has no licensing agreement, and so can be considered to be open source software. However, it is based on standards created by book publishers, who do not prioritize privacy. Both of these formats were designed for use with traditional DRM, and so are unsuitable for the AC approach. InML, also based on XML, is used to represent the content owner’s intentions and to protect content privacy. InML is used not only to express the content owner’s intentions but also to produce the intention code that reflects them precisely. InML consists of InML use cases and an InML schema.
InML structure
The underlying logic of InML is simple: the content operation specified by an intention element is allowed if its conditions element evaluates to true; otherwise, the operation specified by its action element is performed. Intention elements express the content owner’s intentions as to how the AC should be executed on the recipient’s platform, while action elements express the actions that should be taken if the AC is not used as intended. Conditions elements express logical propositions that can be either true or false. InML’s basic structure can be represented in pseudo code as follows.
The attributes of intention elements are related to possible intentions, such as play, copy, and print. Other types of intentions are possible; however, for simplicity, only these three are considered in this paper. The play intention allows the receiver to play the content if the condition is met, and similarly for the copy and print intentions. Action elements also have three possible values: destruct (delete the AC), alert (show a message to the user), and refuse (simply refuse the user’s request). An InML tag can contain several intention elements, in which case only the intention requested by the user is considered. Table 2 shows the InML schema, presenting its structure in detail.
Table 2. The InML schema.
This section demonstrates three possible InML use cases, as shown in the following. The first use case only includes a simple condition and action, while the more complex condition in the second use case must be evaluated using a truth table. The third use case includes two intentions with independent conditions.
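The evaluation rule described in this section, sketched as an added example (not the paper’s pseudo code and not one of its three use cases). The intention, conditions and action elements and their values follow the text; the type attribute, the and/or/not/equals condition vocabulary, the context keys and the refuse default for an unlisted intention are assumptions, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

ACTIONS = {"destruct", "alert", "refuse"}   # action values named in the text


def holds(node, ctx):
    """Evaluate one condition node; and/or/not/equals are assumed element names."""
    kids = list(node)
    if node.tag in ("and", "or") and kids:
        results = [holds(k, ctx) for k in kids]   # no short-circuit: malformed kids always raise
        return all(results) if node.tag == "and" else any(results)
    if node.tag == "not" and len(kids) == 1:
        return not holds(kids[0], ctx)
    if node.tag == "equals" and None not in (node.get("key"), node.get("value")):
        return ctx.get(node.get("key")) == node.get("value")
    raise ValueError("unsupported condition <%s>" % node.tag)


def decide(inml_text, requested, ctx):
    """Return ("allow", requested) or ("deny", action) for one user request."""
    root = ET.fromstring(inml_text)
    for intent in root.findall("intention"):
        if intent.get("type") != requested:
            continue                      # only the requested intention is considered
        action = intent.find("action")
        fallback = action.get("type") if action is not None else None
        if fallback not in ACTIONS:
            fallback = "refuse"           # assumed default for a missing or unknown action
        cond = intent.find("conditions")
        try:
            if cond is not None and len(cond) == 1 and holds(cond[0], ctx):
                return ("allow", requested)
        except ValueError:
            pass                          # malformed condition counts as not met
        return ("deny", fallback)
    return ("deny", "refuse")             # intention not listed: assumed to be refused


# Constructed sample document (hypothetical condition vocabulary and context keys).
SAMPLE = """<inml>
  <intention type="play">
    <conditions><or>
      <equals key="user" value="alice"/>
      <and><equals key="user" value="bob"/>
           <not><equals key="host" value="kiosk"/></not></and>
    </or></conditions>
    <action type="refuse"/>
  </intention>
  <intention type="print">
    <conditions><equals key="user" value="agency"/></conditions>
    <action type="destruct"/>
  </intention>
</inml>"""
```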
AC creation and usage
AC creation
Figure 2 gives an overview of the AC creation process. First, the content owner selects the target content and expresses their intentions in an InML document. Then, appropriate intention and system engines are selected based on the InML document’s content and are combined to form the intention code. The intention engines each correspond to a value in one of the intention or action elements and are precompiled libraries, namely dynamic link libraries (DLL). For example, the play intention engine is needed to control the AC as specified by a play intention.

Fig. 2. AC creation process.
The system engine (also a dynamic library) forms the foundation of the intention engine and handles various control and management functions. The engines are modular so that AC files only include the necessary functions, minimizing the file size increase. The intention code and passive content are combined, and then PE and AC headers are added to create the final AC file.
The PE header is generated by compiling the code needed to start the system engine (system.dll). This code is in the PE format’s text section and uses the memory offset in the AC header to switch control to the intention code. The AC format is a modified version of the PE format, and its header is laid out as shown in Fig. 3. The signature (which should be the ASCII codes for “AC,” i.e., 17217 or 0x4341) is used to synchronize and align the header information. The header then specifies the number of intention engines, AC header size, passive content offset/size, system engine offset/size, and intention engine offsets/sizes, in that order. The header has a total size of bytes, where is the number of intention engines.

Fig. 3. AC header information (with offsets in bytes).
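A parser for the header layout just described, as an added example (not code from the paper). The field widths, little-endian byte order and absolute file offsets are assumptions, chosen so that a four-engine header comes to the 56 bytes reported for the Lena example; the engine sizes in the sample are constructed.

```python
import struct

AC_SIGNATURE = 0x4341                # bytes b"AC" read as a little-endian 16-bit value
# Assumed widths: signature and engine count (16-bit each), then 32-bit header size,
# passive content offset/size and system engine offset/size.
FIXED = struct.Struct("<HHIIIII")
REGION = struct.Struct("<II")        # assumed: offset and size of one intention engine


class ACHeaderError(ValueError):
    """Raised when a header is malformed or describes impossible regions."""


def parse_ac_header(buf, header_at, file_size):
    """Parse the AC header at byte header_at of buf and validate every region."""
    if header_at < 0 or header_at + FIXED.size > len(buf):
        raise ACHeaderError("truncated header")
    sig, count, hdr_size, c_off, c_size, s_off, s_size = FIXED.unpack_from(buf, header_at)
    if sig != AC_SIGNATURE:
        raise ACHeaderError("bad signature 0x%04x" % sig)
    if hdr_size != FIXED.size + count * REGION.size or header_at + hdr_size > len(buf):
        raise ACHeaderError("header size does not match engine count")
    regions = [("content", c_off, c_size), ("system", s_off, s_size)]
    for i in range(count):
        off, size = REGION.unpack_from(buf, header_at + FIXED.size + i * REGION.size)
        regions.append(("engine%d" % i, off, size))
    # Each region must start after the header, end inside the file and not overlap.
    cursor = header_at + hdr_size
    for name, off, size in sorted(regions, key=lambda r: r[1]):
        if off < cursor or off + size > file_size:
            raise ACHeaderError("region %s overlaps or leaves the file" % name)
        cursor = off + size
    return {"engines": count, "header_size": hdr_size, "regions": regions}


def build_sample():
    """Constructed sample: PE and content sizes from the paper, DLL sizes invented."""
    pe_size = 29184
    sizes = [29240, 4096, 2048, 2048, 1024, 1024]   # content, system engine, 4 engines
    hdr_size = FIXED.size + 4 * REGION.size
    off, table = pe_size + hdr_size, b""
    for size in sizes:
        table += REGION.pack(off, size)
        off += size
    header = struct.pack("<HHI", AC_SIGNATURE, 4, hdr_size) + table
    return bytes(pe_size) + header, pe_size, off    # zero bytes stand in for the PE part
```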
In this paper, it is assumed that, while stored on the recipient’s device, content in the AC format is securely protected from all attacks. In other words, it is assumed there is no way to directly extract the passive content. Existing technologies, such as cryptography, obfuscation, and secure key exchange protocols, can solve this issue; making this assumption thus frees us to focus on the AC structure. Solutions to such problems can be included in the system engine in the future.
In [11], the concept of content virtualization is used to reach the real content via header information about where to find it, or via a plurality of directories pointing to its storage location. Virtualization is also a widely used technique for networks and devices for a number of reasons, including speed and security [12–14]. Content can be prevented from being released unintentionally while using the AC system by using the following content virtualization technique. The main idea behind content virtualization is that passive content in main memory can be handled as if it were stored on the user’s storage device. When a user executes an AC file, the system engine loads it into the virtual memory allocated to the AC process.
Placing the passive content in virtual memory has three security advantages. First, it is volatile, meaning it can only be accessed while the AC is in use. Second, users cannot access it directly because there is no associated file path. Third, virtual memory can only be accessed by the process owner. This technique allows external content players, such as image viewers and print drivers, to access the AC as if it were normal content. This means the content does not need to be stored on the user’s storage device, which could be vulnerable to even simple attacks. Figure 4 illustrates the AC execution process.

Fig. 4. The procedure of AC operation based on content virtualization technique.
Unlike the DRM approach, the AC approach uses external players with no special security features. The intention engine retrieves the external player path that is already present in the Windows registry. For a JPEG file, for example, the command for invoking the default JPEG viewer or editor can be extracted from the registry path “HKEY_CLASSES_ROOT\jpegfile\shell\open\command.” For the print intention, printer handles act as external players. These can be found by invoking the EnumPrinters Windows API. The intention engines include player search functions because different intentions may require different players: for example, play intentions may require an image viewer, while print intentions require printer handles. In addition, some engines may not need players at all.
The external players should not be able to copy or store the content without authorization; however, they lie beyond the AC boundary. Therefore, ways to control such players are needed, with different approaches for different types of players. Here, since the InML schema includes play and print intentions, JPEG image viewers and printers will be considered player examples.
The play intention engine hooks the CreateProcess API in Windows’ explorer.exe process, modifying the first six bytes of CreateProcess’s destination function so that a modified function, also injected into explorer.exe, is called whenever the external player is executed. This can be done by injecting the DLL file containing the modified function into the target process and then having the process execute the LoadLibrary API via the CreateRemoteThread API [15]. The new function creates an external player process and then hooks file input/output APIs such as CreateFile, ReadFile, and WriteFile, controlling the risks posed by the external viewer’s file handling functions. In summary, when the user executes an AC file, the play intention engine hooks the necessary APIs, injecting a function that invokes the external player and requests it to open the JPEG content. Finally, the file I/O APIs are hooked to limit the external player to executing the content as intended by the owner.
In the case of print intentions, the injected function sends the content to a printer handle. Although the user can select from the available printers, only real printers are visible: virtual printers, such as printing to PDF, are excluded or disabled so that no unintended copy of the passive content is generated.
Example implementation
Implementation environment
A standard PC running 32-bit Windows 7 and Microsoft Visual Studio 10 SP1 was used to implement Use case 3 in Section 2 with the standard Lena test image (lena.jpg) as the content. The AC was created using the AC authoring tool shown in Fig. 5. This tool takes the content and an InML document describing the owner’s intentions as input and includes the engines and headers to create the structure shown in Fig. 2. The intentions can also be input using an embedded GUI-based InML document generator.

Fig. 5. AC authoring tool, with InML document generation functionality.
Figure 6 shows the structure of the AC created using the Lena test image for Use case 3. The structure begins with the PE header and sections (29184 bytes). The code at the PE text section’s entry point reads the AC header and executes system.dll. Since the intention and action elements for Use case 3 have four possible results, this is followed by print.dll, play.dll, destruct.dll, and refuse.dll. The AC header is 56 bytes long, while lena.jpg was compressed from a 512×512×3-byte bitmap to 29240 bytes.

Fig. 6. Structure of the AC for Use Case 3 with the Lena image.
The novel AC content format is simple, highly interoperable, inexpensive, and flexible. This makes it more suitable than other DRM systems for personal content creation. However, since this is the first time such an approach has been proposed, significant improvements are still needed.
First, more types of intention could be introduced, such as monitor and fade. The monitor intention could allow the creator to monitor how the AC is being used, while the fade intention could allow the content’s quality to fade over time, giving the creator the right to be forgotten [16]. It would be straightforward to add more intentions to the InML schema; however, developing the corresponding intention engines would be more complicated.
Second, it may be possible to improve upon the implementations presented in Sections 3 and 4. This is a potentially easier task, as the engines’ modularity allows them to be replaced by more advanced versions.
Finally, the widespread use of AC will result in increased content security issues. However, these could be resolved if the AC format were accepted by the relevant industries and supported by core OS libraries.
ACKNOWLEDGMENTS
The authors gratefully acknowledge the helpful comments and suggestions of the reviewers, which have improved the presentation. This work was supported by a National Research Foundation of Korea grant (No. NRF-2015R1C1A1A02037777) funded by the Korea government.
