Bochum (Germany) – A group of independent programmers, including amateurs and semi-professional security analysts, has discovered what appears to be elements of at least three prominent open-source codecs, embedded within the media player element of the XCP package shipped with Sony BMG audio CDs.
A low-level examination of the binary code in XCP, by members of the German research firm SABRE-Security.com, turned up numerous instances of library functions whose formation and nomenclature apparently match that of LAME, the open-source MP3 codec distributed freely since 1999.
Later, the SABRE team, working in association with other amateur programmers, discovered evidence of code from two other open-source projects. Functions from the mpg123 library – a discontinued open-source project – were detected; and a simple examination of the hexadecimal object code from a portion of XCP actually revealed the copyright notice for Freeware Advanced Audio Coder (FAAC).
All three of these codecs may be downloaded from their developers, or through SourceForge, free of charge. However, the use of both LAME and FAAC by media players, such as the one included in XCP, is protected by the Lesser General Public License (LGPL). A library licensed for redistribution under the terms of LGPL may be distributed as part of a commercial package, such as XCP.
But the terms of the LGPL specify that the copyright notice and other legal notices attached to the library must also be included. Here is the portion of the LGPL which makes this clear:
You may copy and distribute verbatim copies of the Library’s complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.
No such notices are apparent anywhere within the software or the packaging of Sony BMG audio CDs that contain the XCP package. XCP includes a copy protection scheme which was discovered late last month to utilize a stealth technique, likely inspired by malware, to prevent ordinary users from being able to detect the copy protection mechanism and remove it from their Windows computers.
Furthermore, the mpg123 library is licensed under the original, and more restrictive, General Public License (GPL), which mandates that any software that utilizes any portion of the open source code in any way must also be made open source.
The media player component of XCP is not protected by stealth; however, the intense scrutiny which XCP has garnered lately has apparently inspired other knowledgeable programmers to examine the entire package, to see if there’s anything else we should be made aware of.
The investigation, which began last week and has attracted several co-participants along the way, has focused on the binary code of XCP, making use of one of SABRE-Security’s own products, BinDiff. On its Web site, SABRE describes BinDiff as a reverse-engineering tool. This tool is currently being offered to software analysts as part of a suite, one purpose of which is to detect security vulnerabilities in commercial software. BinDiff is also said to help software authors detect whether applications and libraries have utilized portions of their code without authorization.
A “library,” in software terms, is a collection of functions designed specifically to be utilized by applications and other programs. Like the functions in a programmable calculator, library functions accept parameters, such as pointers to data in memory, and generally return discrete results, like the solution to a formula. A codec library such as LAME is used to isolate and decode the data from streams of MP3 digital audio, and return pointers to that data, or isolated elements from the data (such as titles of tracks and names of artists) to an application such as a media player.
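The simplest of the checks described above, pulling printable strings out of object code and looking for a known codec’s copyright notice, and the follow-on question of whether the required license notices ship alongside it, can be automated. The script below is an added example written for this article, not code from SABRE-Security, BinDiff, or any of the codec projects. The signature fragments, the license-marker phrases, and the sample binary blob are constructed for illustration; real builds of these libraries carry notices whose exact wording varies by version, and a short fragment such as "LAME" can match unrelated text.

```python
"""Added example: scan a binary blob for notice strings of known open-source
codecs and report which detected codecs lack their license notice in the
shipped text. Signatures and sample data are constructed for illustration."""
import re
from typing import Dict, List

# Assumption: fragments a reviewer expects to find in builds of these codecs.
# Exact wording varies by version; short fragments such as "LAME" can false-positive.
CODEC_SIGNATURES: Dict[str, List[bytes]] = {
    "FAAC":   [b"Freeware Advanced Audio Coder"],
    "LAME":   [b"LAME", b"lame.sourceforge.net"],
    "mpg123": [b"mpg123"],
}

# License each codec is distributed under, as stated in the article.
CODEC_LICENSE = {"FAAC": "LGPL", "LAME": "LGPL", "mpg123": "GPL"}

# Phrases whose presence in shipped text indicates the license notice was kept.
# (LGPL 2.0 was titled "Library", 2.1 "Lesser"; both are checked.)
LICENSE_MARKERS = {
    "LGPL": ["GNU Lesser General Public License",
             "GNU Library General Public License"],
    "GPL":  ["GNU General Public License"],
}


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [m.group().decode("ascii") for m in runs]


def detect_codecs(blob: bytes) -> Dict[str, List[str]]:
    """Codec name -> extracted strings that contain one of its signature fragments."""
    strings_found = extract_strings(blob)
    hits: Dict[str, List[str]] = {}
    for codec, frags in CODEC_SIGNATURES.items():
        matched = [s for s in strings_found
                   if any(f.decode("ascii") in s for f in frags)]
        if matched:
            hits[codec] = matched
    return hits


def missing_notices(blob: bytes, shipped_text: str) -> Dict[str, str]:
    """For each detected codec, the license whose notice is absent from shipped_text."""
    missing: Dict[str, str] = {}
    for codec in detect_codecs(blob):
        lic = CODEC_LICENSE[codec]
        if not any(marker in shipped_text for marker in LICENSE_MARKERS[lic]):
            missing[codec] = lic
    return missing


# Constructed sample: code-like bytes with embedded notice strings; not a real binary.
SAMPLE_BLOB = (
    b"\x55\x8b\xec\x83\xec\x10"
    + b"Freeware Advanced Audio Coder (FAAC)\x00"
    + b"\x90\x90\xc3"
    + b"mpg123 decoder\x00"
    + b"\x33\xc0\xc3"
)
# Constructed sample of the text a package ships to the user (no GPL/LGPL notice).
SAMPLE_SHIPPED_TEXT = "End user license agreement. All rights reserved."

if __name__ == "__main__":
    print(detect_codecs(SAMPLE_BLOB))
    print(missing_notices(SAMPLE_BLOB, SAMPLE_SHIPPED_TEXT))
```

Run against the sample, the scan reports FAAC and mpg123 as present and, because the shipped text carries neither an LGPL nor a GPL notice, flags both as missing their notices. String scanning only finds what a build left in the binary; it cannot establish that functions were copied when the notices were stripped, which is why function-level comparison with a tool like BinDiff is the stronger evidence.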
Both technically and legally, a media player may be permitted to use LAME as its MP3 codec of choice, and that media player may be sold as shareware, or through retail channels. But the publisher is legally bound to the terms of the LGPL license, which state that the LGPL disclaimer of warranty, which applies to LAME, must be featured prominently.
LGPL also makes clear distinctions between an application which “uses” a library and one which modifies it, implying that changes are made to the library’s source code. A modification of an open source library must also be distributed as open source, and not sold commercially. The product of the modification must be a library itself, not an application, and notices regarding the nature of the modification must be presented to the user.
The many technicalities involved in this license call into question the extent to which First 4 Internet, the manufacturer of XCP, may have violated the LGPL terms, if at all. The fact that BinDiff detected multiple functions whose assembly matches the formation of those used in LAME and two other codecs, suggests that XCP may have utilized those functions with a minimum of modification. However, the LAME library is generally distributed as a separate file (in Windows, a DLL), whose filename alone would inform users as to LAME’s presence as part of an application. Simply embedding the functions within a separate software package, even with little or no adaptation or change to those functions, may constitute a modification under the terms of LGPL.
Also, there’s the question of why XCP as a media player actually needs portions of all three of these codecs. If only the encoding portion of FAAC was used (the decoding portion is FAAD, evidence of whose existence in XCP has not yet been reported), then conceivably FAAC may be used for making licensed backup copies of CDs. But both mpg123 and LAME (the latter of which is still an active project) are used to decode MPEG Layer-3 audio streams, and LAME is also used to encode such streams.
Finally, the revelation of the apparent existence of these open source codecs in XCP calls into question just how much Sony BMG actually knew about the XCP software it was distributing with its audio CDs. If the music publisher had no knowledge of the use of open source software, it might also conceivably have had no knowledge of the origin of the stealth techniques used to hide XCP’s copy protection element, though it is known that Sony BMG knew some measure of stealth was employed.
Sony BMG’s spokesperson has been contacted for comment, and may yet respond.