Automated image testing with Verified Pixel

Posted Jan 23, 2016 0:50 UTC (Sat) by excors (subscriber, #95769)
In reply to: Automated image testing with Verified Pixel by droundy
Parent article: Automated image testing with Verified Pixel

On a phone, the image data is likely to go from the camera sensor through the ISP and into memory, then maybe through some postprocessing on the CPU and/or GPU, then to the JPEG encoder, and then you'd want to sign the JPEG data. You would have to keep that entire path secured, else it'd be fairly easy for a user to root their phone and inject their own doctored image data somewhere into the middle of the pipeline and get it signed with the secret key.

That doesn't sound too implausible to me - some mobile SoCs already have a secure path from video decoder to GPU to display (for DRM video playback), which prevents untrusted software (e.g. the Linux kernel and everything running under it) from accessing the protected memory, and they're better than the Nikon/Canon ones mentioned above at keeping their secret keys secret. But I doubt the ISP blocks are currently hooked into that system, so you'd need to find a sufficiently compelling reason for the SoC vendors to make those hardware changes.

Then you'd need to find a way to detect people who simply print out their doctored photo and take a legitimately-signed photo of that photo.

Automated image testing with Verified Pixel

Posted Jan 24, 2016 1:44 UTC (Sun) by giraffedata (guest, #1954) [Link]

I guess it would be substantially more feasible in a dedicated camera than in a general purpose computer. You can probably harden a dedicated camera pretty well against modification by the user. You could at least reduce the problem down to serious criminals, rather than anyone good with computers.

A serious camera even has distance detectors (and adjustable focus), which would make it pretty hard to fake a scene just by photographing a photograph. You might have to sculpt an elaborate replica of the fake scene.