I am currently a Ph.D. student at the University of Rennes, conducting research at the IRISA research center. My doctoral work, which I began in 2024, is supervised by Mohamed Sabt within the SPICY research team.
My research is centered on Digital Rights Management (DRM) systems, which are used by major streaming platforms like Netflix, Prime Video, and Disney+ to protect their content from piracy. These DRM systems rely on closed-source and obfuscated software, which can obscure potential vulnerabilities that may pose risks to both content providers and end users. To address these challenges, we use reverse engineering techniques to gain a deeper understanding of these systems, with the goal of enhancing their security and safeguarding user privacy.
Publication
Formal Security Analysis of Widevine through the W3C EME Standard
S. Delaune, J. Lallemand, G. Patat, F. Roudot, and M. Sabt
In 33rd USENIX Security Symposium (USENIX Security 24), Aug 2024
Streaming services such as Netflix, Amazon Prime Video, or Disney+ rely on the widespread EME standard to deliver their content to end users on all major web browsers. While providing an abstraction layer to the underlying DRM protocols of each device, the security of this API has never been formally studied. In this paper, we provide the first formal analysis of Widevine, the most deployed DRM instantiating EME. We define security goals for EME, focusing on media protection and usage control. Then, relying on the TAMARIN prover, we conduct a detailed security analysis of these goals on some Widevine EME implementations, reverse-engineered by us for this study. Our investigation highlights a vulnerability that could allow for unlimited media consumption. Additionally, we present a patched protocol that is suitable for both mobile and desktop platforms, and that we formally proved secure using TAMARIN.