Is Your Software Security Scalable?
2021-06-16 Rüdiger Kügler
The ability to scale IT infrastructure and systems to quickly adjust to variable workloads and changing market demands is critical for any size business. Just look at the radical changes companies needed to accommodate the transformative shift of the workforce from the office to the home in the past year. Certainly, those who were able to quickly scale their remote networking infrastructure to support the unexpected rise in demand were the winners.
And while a scalable infrastructure makes good sense, should we expect security to be scalable as well?
To answer that question, let’s look at security from a software developer’s point of view. In this case, we are talking about security in terms of protecting software from malicious hackers. But first, it is a good idea to understand who might be attacking the software. Essentially there are 4 types of hackers – script kiddies, leisure-time hackers, professional hackers, and the all-stars. The first two groups might know how to google and find either hacking instructions or ready-made hacks while the professionals and the all-stars are the ones doing the real damage and earning an illicit living by selling their hacks. They are motivated in most cases by simple profit. Which hacks can I sell most often, at the highest price, and with the least effort?
This is where scalable security comes into play. The level of protections needs only to be scaled to the approximate value and appeal of the software. At the lowest level are the developers who feel it is not worth the effort to enable any copy protection mechanisms or licensing for their software. Obviously, in this case, software monetization is not a priority.
The next level of protection is geared toward making it as hard as possible to hack the software. This is where software developers can benefit from the complexity of the software. Hackers might be able to analyze anything executed on a CPU, but first they need to be able to execute. With typical business applications, users will only ever use between 10 and 20% of the functions. Only a fraction of the code is executed. This makes it harder for hackers to monitor the code in action. They need to find a strategy to execute the entire code completely. Whoever manages to complete that task would become the king of testing suites and would not have to continue to earn a meager living by hacking software.
The next level of software protection is for the developer to use sophisticated encryption and anti-hacking tools like AxProtector and IxProtector, found in Wibu-Systems CodeMeter Protection Suite. CodeMeter Protection Suite offers various high-caliber software protection functions, including state-of-the-art anti-debugging and anti-reverse engineering technologies, encryption of the executable code, decryption, encryption of any number of parts of the software, and signing of the encrypted application to ensure code integrity and authenticity.
At the top of the security scale is use of a unique technique called code moving. The optimum in protection is achieved by moving the code into a hardware secure device (CmDongle) and executing it in that safe environment. This makes it completely impossible for hackers to know what is going on.
One important consideration is the right choice of code: If it is too trivial, its inner workings can be guessed at by looking at its output. If it is too complex, the operation becomes too cumbersome, or it exceeds the code size limit.
The best thing about code moving is that it allows you to create as many code fragments as you want for execution in the CmDongle. To move the code, the application is encrypted with AxProtector; all functions to be moved are compiled by AxProtector and encrypted within the application. During runtime, the block in question is moved into the CmDongle, decrypted, and executed with the right input parameters. The output parameters are then returned to the application.
Cryptographic functions like AES and SHA can be used directly with CmDongles. Data can be saved temporarily and used again when the next function is called up. Hidden data can also be accessed, although security dictates that this can only be done within the Product Item that the code fragment is encrypted with.
With the use of the sophisticated licensing and protection technologies inherent in CodeMeter, developers can decide on the level of security for the application, whether it be a simple license check to prevent the intentional or inadvertent misuse of licenses or the secure execution of code in the CmDongle.
If you are interested in learning more about the code moving technique, watch the on-demand replay of our masterclass Maximum Protection with Code Moving.
VP Sales | Security Expert
After completing his physics degree course in 1995, he was head of project management for software protection, software distribution, internet banking, and multimedia projects. In 2003, he joined Wibu-Systems and, as part of his role, contributed substantially to the development of Blurry Box technology.