How Secure Do You Want Your Application To Be?
“Anything executed on a computer can be monitored by hackers. They can understand and bypass security mechanisms just as easily as regular code.” This might be true, but what does it mean for software developers?
Three options exist:
- You cannot see a point in all of this and do not use any copy protections or licensing.
- Hackers can understand how your software operates, but you are using CodeMeter to make hacking the software as labor-intensive as writing it from scratch.
- You move essential code into a CmDongle for execution far from the prying eyes of would-be hackers.
The Ostrich Stratagem
The first and certainly worst scenario is to forego any copy protection or licensing. The old story that “Microsoft became big because of piracy” is not only misleading – it is plainly false: Much of the success of Microsoft was due to the bundling of its operating system with IBM personal computers. The nature of the market at the time also played its part, as many of the operating systems had a reputation for being complex and hard to use. Market reach and popularity came first, piracy came second. Security mechanisms have been improving over the years. Activations with authentication and serial numbers stored in the BIOS are just one example of a whole gamut of techniques and approaches.
For small and medium enterprises, a “head in the sand” strategy could potentially threaten their very survival. Studies and surveys have shown that the greatest losses are caused by ignorance of licensing terms or unintentional license violations. This goes primarily for business software in commercial use in Europe and North America. With the countless licensing models in the market, it is hardly surprising that administrators get confused and believe they have more licenses than they actually paid for. Simple technical countermeasures are enough in these instances to protect the legitimate monetization of the software.
The Hacker Pyramid
The hacking scene seems to be made up of four types: script kiddies, leisure-time hackers, professional hackers, and the all-stars. The first lot might know how to google and find either hacking instructions or ready-made hacks, but the professionals and the stars of the scene are the ones doing the damage and earning an illicit living by selling their hacks. They are motivated by simple profit: Which hacks can I sell most often, at the highest price, and with the least effort? It seems like the story of the two hikers and the bear. Both are caught off guard by the bear and take off running. As one hiker stops to put his running shoes on, the other scoffs: “They won’t make you faster than the bear.“ Says the other: “They don’t have to. They just have to make me faster than you.”
The same applies to software protection. It does not have to be perfect and unassailable. It has to be appropriate for the value and appeal of the software, and it has to be – only just – better than the standard protection. With CodeMeter, this is already guaranteed by using AxProtector.
Better Safe than Sorry
The second strategy relies around making the hackers’ job as hard as possible. It should be impossible for them to automate their shady work, and knowing one crack should not help them with finding another crack.
As software developers, you can now benefit from the complexity of your software. Hackers might be able to analyze anything executed on a CPU, but first they need to be able to execute. With typical business applications, users will only ever use between 10 and 20% of the functions. Only a fraction of the code is actually executed. This makes it harder for hackers to monitor the code in action. They need to find a strategy to execute the entire code completely. Whoever manages to complete that task would become the king of testing suites and would not have to continue to earn a meager living by hacking software.
Copy protection and licensing must get to work where they are needed in the code. One typical strategy would be to create a license wrapper class, but calling on that class repeatedly would be counterproductive: Hackers would only have to analyze, understand, and replace the code of that license wrapper class. Encrypting the class with AxProtector does not really solve this problem, and only offers a deceptive feeling of security. The better option would be to encrypt as many functions as possible in the code with AxProtector .NET and IxProtector. Now, hackers indeed need to execute the entire software. Traps can be added so that, if hackers fall into them, the CmDongle or CmActLicense is locked to prevent automated code analysis. KEYnote issue 34 included much more information on this type of integration.
The optimum in protection is achieved by moving the code into the CmDongle and executing it in that safe environment. This makes it completely impossible for hackers to know what is going on.
The ability to move code into the CmDongle is available for CmDongles with serial numbers 3-xxxxxx and firmware version 4.03. This is currently limited to code written in C, but will be expanded to Java and .NET code. One important consideration is the right choice of code: If it is too trivial, its inner workings can be guessed at by looking at its output. If it is too complex, the operation becomes too cumbersome, or it exceeds the size limit of 3 kB. CodeMoving should also only be used for single-user dongles.
The best thing about CodeMoving is that it allows you to create as many code fragments as you want for execution in the CmDongle. To move the code, the application is encrypted with AxProtector; all functions to be moved are compiled by AxProtector and encrypted within the application. During runtime, the block in question is moved into the CmDongle, decrypted, and executed with the right input parameters. The output parameters are then returned back to the application.
CmDongles come with several assistance features installed. Cryptographic functions like AES and SHA can be used directly. Data can be saved temporarily and used again when the next function is called up. Hidden data can also be accessed, although security dictates that this can only be done within the product item that the code fragment is encrypted with.
Security that Scales
With CodeMeter, you can decide on the level of security for your application, be it a simple license check to prevent the intentional or inadvertent misuse of licenses or the secure execution of code in the CmDongle: CodeMeter will match your needs.
KEYnote 35 – Edition Spring 2018