Software Code Protection

Importance of Software Protection

Protecting intellectual property and ensuring that only properly licensed software can be used is one of the many challenges software developers face. IP theft takes many forms, including counterfeiting, piracy, reverse engineering, and industrial espionage, costing software vendors millions in lost revenue. According to the BSA’s most recent Global Software Survey, 37% of software worldwide is unlicensed and the commercial value of unlicensed software worldwide is estimated at $46.3 billion.

Furthermore, software tampering and malicious cyberattacks on connected systems in the Industry 4.0 domain go well beyond financial loss — human safety, including the potential for injury or loss of life, is a serious concern.

Fortunately, proven mechanisms exist to protect against these illegal and dangerous threats.

Code Protection – Anti-piracy

Source code encryption technologies protect software by encrypting code before release. This solution is highly scalable and can be seamlessly integrated into existing software. During runtime, a copy protection system—such as a dongle—decrypts the data using a unique license key. If the license is missing, the required key is missing and hence the data cannot be decoded or used. The decryption key is embedded within the license generated for each end-user, and only the necessary portions of the software are decrypted as needed. Once the process is complete, these sections can be re-encrypted for additional security.

For enhanced protection, multiple encryption keys can be used to encode the same data in different locations within the software. During runtime, the correct key is randomly selected, making it more difficult for the hacker to locate.

Anti-Reverse Engineering

Your developers worked hard on your software’s intellectual property, and competitors would love to see how your software works. Copycats can diminish your competitive advantage, and if a competitor can reverse engineer your software, then they can easily add the same functionality to their applications.

Even more concerning, reverse-engineered software can bypass restrictions within the software. In some cases, you might place safety restrictions in your software that prevent your user from exceeding predetermined limits. For example, you have a software that controls construction equipment, and you know that the construction cranes used have a 2000 lb limit. If someone reverse engineers the software, they could alter the code to override this limit and push it to 3,000 lbs, creating a dangerous situation that disregards your original safety limit.

Another issue of reverse engineering software is to remove revenue enforcing license checks. If your software relies on subscription terms to generate recurring revenue for ongoing updates and support, a hacker could bypass these restrictions, allowing the software to run indefinitely without a valid license.

For example, .NET assemblies are particularly vulnerable because they are easy to disassemble using commonly available tools, making reverse engineering a straightforward task. In order to prevent unauthorized analysis or modification, your executable code should always be encrypted before delivery.

Obfuscation

Source code obfuscation is a security technique that makes code difficult to understand for humans and computers, without affecting the program’s output. It’s used to protect code from theft, tampering, and reverse engineering. Here are some ways source code obfuscation works:

  • Complicating code: Programmers can make code more difficult to understand by translating parts of it into different forms, such as binary language.
  • Inserting nonsense: Programmers can add decoy logic or nonsense statements to confuse attackers.
  • Renaming: Programmers can rename classes, fields, methods, and libraries.
  • Altering structure: Programmers can change the structure of the code.
  • Encrypting: Programmers can encrypt strings and classes.
  • Removing metadata: Programmers can remove certain metadata.
  • Hiding calls: Programmers can hide calls to sensitive APIs.

Obfuscation is most effective for languages that create intermediate level instructions, such as Java or .NET. It’s also possible to use obfuscation software to automatically apply obfuscation methods to code.

For enhanced security, obfuscation can be combined with runtime application self-protection (RASP), which monitors app behavior in real-time.

Integrity Protection

The term “Integrity Protection” encompasses security measures, namely the protection of system resources, programs, and data against unauthorized manipulation, or at minimum, identification and display of such modifications. There are two primary points of vulnerability to address.

  1. The embedded system can be attacked directly from the Internet. During code updates, malicious actors can replace or alter execution codes, exploiting any weaknesses present in the code.
  2. Hackers often have access to the same open-source information as the developers. With knowledge of the execution code binary structure, hackers can use powerful development/analytical tools to directly modify the code in a static attack. Furthermore, by understanding the system’s memory and process architecture, the hacker can initiate a dynamic attack by inserting malicious code into the boot process.

One key security challenge to ensure data integrity is to bring the system into a safe mode and stop the execution of all functions as soon as an attack has been detected. Several strategies can be employed to counter potential threats effectively:

  • Encrypt the running code itself and utilize a secure hardware device for key management and state storage. This approach ensures the encryption key is securely stored in either a dongle or in software, which then activates and ties the key to a specific device or control system.
  • Prevent the loader of the operating system from executing any unauthorized code. This also includes protecting the open system platform itself to prevent hackers from installing their own loader. Additionally, the embedded system’s BIOS should prevent any loading of an unauthorized operating system, ensuring only approved software can be executed.

Programming Languages and Platforms

Code protection and encryption technologies must support the most widely used programming languages and platforms: C# and NET, Java, C/C++, Python, and scripted languages including JavaScript, PHP, and HTML5. APIs should also be available for Embedded platforms, like Linux Embedded, VxWorks, QN, and Android.

Code protection is paramount for software monetization. We can help you identify what protection mechanism is best for your software. Contact us today by sending an email to info@software-licensing.com or submit the form below.

"*" indicates required fields

Please contact me about:*
This field is hidden when viewing the form