Software Security


Some of the issues associated with software security were raised in Chapter 4 in the discussion of how license managers enforce the terms and conditions of business and licensing models. In this section we'll cover the topic more thoroughly.

Software Security Techniques

The first thing most software developers think of when it comes to software security is preventing piracy. This is a good thing, because no matter which reports you read, piracy is a multi-billion dollar problem. Several techniques have emerged for making software more secure, each a bit more complicated and a bit more effective at deterring thieves.

Serial Numbers and Activations

Recall from Chapter 15 that a serial number is a unique identifier that distinguishes individual products, and that through activation you can bind a legal copy of the software to a specific machine. A more advanced technique uses a digitally signed license with software, so that an application or a service will not run unless a valid license with a valid signature is present.

Most people aren't hackers, and most people don't frequent hacker pages on the Internet. Most illegally copied software is passed on by friends and relatives, who may have few qualms about passing along a serial number or a license as well. Serial numbers, software activations, and digitally signed licenses all cut down on casual copying; after all, a serial number can be traced to its official owner if it's posted on the Internet or otherwise gets away.

Hackers attack these schemes in a number of ways. The most damaging attack is reverse-engineering the serial number generation algorithm and writing their own. That opens the door for actual software piracy: the selling of illegal copies.

Digitally signed licenses are much better: the private key needed to sign the licenses will not be available, so the hacker must either modify the program to bypass software security or replace the embedded public key with one for which the pirate has a private key. That way, the pirate can generate his own licenses.

Protecting the Validation Code

All of the schemes we've discussed thus far are based on embedding one or more checks in your code that confirm the presence of a valid license. A typical code fragment that does this might look like this:

    if (!LicenseIsValid(licenseFileName))
    {
        ComplainAndExit();
    }

Surprisingly, it's often trivial for a hacker or a software pirate to bypass this kind of security check, even if you have a highly secure, digitally signed license and even if your license validation routine is difficult to reverse-engineer. All the software hacker has to do is use a disassembler, find the code corresponding to the if statement, and insert a jump around the test or replace the test with no-ops. That means that you can't just use a Boolean return to check your license; you have to be a lot trickier to foil a hacker.

Instead of just asking a simplistic yes/no question, more secure approaches actually store something that your application needs to run as encrypted data within the signed license. This might be a critical function, such as an initialization routine or a function that registers subcomponents within the application. The application then verifies the license and decrypts this data, which in turn controls the behavior of the software. You then have to protect the software that performs the license validation and decryption, which is when you realize that the professional license managers described in Chapter 4 are actually pretty hard to write!
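The following is an added example, not code from the book: a sketch of a license that carries data the application needs (here, the list of subcomponents to register) instead of answering a yes/no question. It assumes the license signature has already been verified elsewhere; the embedded APP_SECRET, the HMAC-based key derivation and keystream, and all function names are illustrative stand-ins for a vetted cipher and a real license format.

```python
import hashlib, hmac, json

APP_SECRET = b"constructed-demo-secret"  # assumption: secret embedded in the build

def _keys(terms: dict):
    # Keys are derived from the license terms, so edited terms give useless keys.
    body = json.dumps(terms, sort_keys=True).encode()
    master = hmac.new(APP_SECRET, body, hashlib.sha256).digest()
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _xor(data: bytes, key: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as keystream; stand-in for a vetted cipher.
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def issue_license(terms: dict, components: list) -> dict:
    """Vendor side: seal the component table into the license."""
    enc_key, mac_key = _keys(terms)
    sealed = _xor(json.dumps(components).encode(), enc_key)
    tag = hmac.new(mac_key, sealed, hashlib.sha256).hexdigest()
    return {"terms": terms, "sealed": sealed.hex(), "tag": tag}

def load_components(lic: dict, check_tag: bool = True) -> list:
    """Application side: return the component table or raise ValueError.

    check_tag=False models a binary whose integrity test was patched out;
    decryption under the wrong key then yields bytes that do not parse.
    """
    enc_key, mac_key = _keys(lic["terms"])
    sealed = bytes.fromhex(lic["sealed"])
    expected = hmac.new(mac_key, sealed, hashlib.sha256).hexdigest()
    if check_tag and not hmac.compare_digest(expected, lic["tag"]):
        raise ValueError("license payload does not authenticate")
    return json.loads(_xor(sealed, enc_key))

def start_app(lic: dict) -> list:
    # No Boolean gate: startup consumes the decrypted table directly.
    return [f"registered:{name}" for name in load_components(lic)]
```

Anyone holding a valid license can still recover the table at run time, which is why the validation and decryption code itself still needs protecting.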

Hardware Binding

Hardware binding, as discussed in Chapter 15, is the process of associating or binding information about the software with some kind of hardware. There are two basic choices for hardware binding, each with its own advantages and disadvantages.

In machine binding, the software is bound to the machine it runs on. The binding process works by taking a hardware fingerprint of the machine. If too many parameters change, the software stops working. The chief advantage of machine binding is its low cost. The chief disadvantage is that it may prevent users from easily upgrading their machines or moving software to a new machine. It is also the easiest kind of binding for a cracker to crack.

In hardware binding, the software is bound to a physical device connected to a serial or USB port, commonly referred to as a dongle. The device must be connected for the software to work. The chief advantage of a dongle is portability and strength of security. The chief disadvantage is cost and management.
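As an added example (not from the book), the machine-binding check described above can be sketched as a comparison of per-attribute digests that tolerates a limited number of changed parameters. The attribute names, the salt, and the max_changed threshold are assumptions, and the sample machine values are constructed.

```python
import hashlib, hmac

def fingerprint(attrs: dict, salt: bytes) -> dict:
    """Salted digest per attribute, so the stored record holds no raw identifiers."""
    return {name: hmac.new(salt, f"{name}={value}".encode(),
                           hashlib.sha256).hexdigest()
            for name, value in attrs.items()}

def check_binding(stored: dict, current_attrs: dict, salt: bytes,
                  max_changed: int = 1):
    """Return (ok, changed_names); an attribute missing now counts as changed."""
    current = fingerprint(current_attrs, salt)
    changed = sorted(name for name, digest in stored.items()
                     if not hmac.compare_digest(digest, current.get(name, "")))
    return len(changed) <= max_changed, changed

# Constructed sample data: the machine as seen at activation time.
SALT = b"constructed-per-license-salt"
AT_ACTIVATION = {"cpu": "CPU-1234", "disk_serial": "DSK-0001",
                 "mac": "00:11:22:33:44:55", "board": "MB-77"}
STORED = fingerprint(AT_ACTIVATION, SALT)

def demo():
    same = check_binding(STORED, AT_ACTIVATION, SALT)
    # A legitimate upgrade: one disk swapped, still within tolerance.
    new_disk = check_binding(STORED, dict(AT_ACTIVATION, disk_serial="DSK-0002"), SALT)
    # A different machine: most parameters differ, binding fails.
    other = check_binding(STORED, {"cpu": "CPU-1234", "disk_serial": "DSK-9",
                                   "mac": "66:77:88:99:aa:bb"}, SALT)
    return same, new_disk, other
```

The threshold is the trade-off the text names: a higher max_changed eases upgrades for legitimate users and weakens the binding.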

Software Security Costs/Benefits

An important thing to remember about piracy prevention is this: Many, if not most, of the people who run illegal copies would not have bought the software if they hadn't gotten it free. You don't want to make life difficult for your legitimate users, possibly driving them away, in a futile attempt to prevent people from using your software who would never actually buy it.

Software security can add significantly to the cost of developing, maintaining, and supporting your software. Obfuscation is often helpful in foiling attempts by hackers, but it can make your programs extremely difficult to debug. Even running a certificate server as a certificate authority can add tremendous cost, given its 24/7 operational requirements.

This doesn't mean that we endorse software piracy. Casually copying an application from your work computer to your home computer, purchasing one copy of an operating system and installing it on more than one computer without the necessary license rights, and posting an application on a Web site or making it available via a P2P network are all illegal activities. The best way to address software piracy is to weigh the risks of implementing strong anti-piracy tactics against the potential for lost revenue. If you're selling enterprise-class software or providing your software as a service via an xSP, piracy is not likely to be a problem, partly because of the intense integration and support requirements and partly because of the ease with which piracy can be determined through nontechnical means. If your software requires regular updates of code or data to be useful, piracy may not be that much of a problem.

However, if you're losing, or even suspect you're losing, thousands or millions of dollars because of software piracy, do something about it. Explore a new business model, such as a rental. Implement a lightweight protection mechanism and see who breaks it. If you find your software freely available on the hacker Web sites or Usenet lists (use Google Groups to view alt.2600.*), implement stronger forms of protection. You may even be justified in using a hardware-based software protection device.



Beyond Software Architecture: Creating and Sustaining Winning Solutions
ISBN: 201775948
EAN: N/A
Year: 2005
Pages: 202
