As software hackers adopt new and sophisticated methods of breaking code and stealing software, Independent Software Companies (ISVs) are scrambling to stay one step ahead of thieves in order to protect their intellectual property. Today, that is getting harder to do.
It is certainly more complex as traditional anti-hacking defenses are becoming largely ineffective against more sophisticated tampering tactics. In fact, hackers have become so good at what they do that Nintendo recently reportedly lost $975 million due to piracy. Microsoft also estimated that it lost $900 million in five years when a Taiwan company started to pirate 21 titles, selling them in 22 countries.
Yet despite these significant losses, current anti-tamper products just aren't up to the task of protecting sophisticated software applications. Rather than protecting the application anti-tamper products today easily succumb to hacker efforts in a matter of minutes or hours. Or, they are often huge drains on application performance and can result in unpredictable performance spikes.
Two specific examples where traditional protection easily fails are:
Hardware Breakpoint Attacks
Many modern processors have a fixed number of hardware breakpoints (also known as debug registers) that can be used by applications and debuggers. These breakpoints are provided in the processor as a way to easily debug applications. Developers configure the breakpoints so they can interrupt the program to verify proper operation. But once an application is released to end-users, hackers use these breakpoints in order to subvert the proper execution of the application. The result is that breakpoints become a powerful hacker tool used to change the behavior of a program without changing the code.
The traditional solution to this is to detect the use of hardware breakpoints and respond accordingly. However this just moves the problem back one level - the hacker will simply use a hardware breakpoint to circumvent the detection/overwriting mechanism and continue with his hack. Incredibly, this kind of attack can take around 2-3 hours to remove the protection from an average application.
Another common hacking tactic involves patch-execute-unpatch attacks. With this approach it is possible to modify a program, execute some arbitrary code and then remove the modification so that the hack cannot be detected. This Patch-Execute-Unpatch attack takes advantage of ‘gaps' in protection to operate. If a protection scheme does not verify the integrity of all the running code dynamically at run-time frequently, then it is likely to be susceptible to a Patch-Execute-Unpatch attack. The attack works by taking advantage of delays between checking and execution. If hackers can find unchecked code, or code that is checked but has a delay before being executed, then they can modify (patch) it and have their code run (execute).
Afterwards, again before it is re-checked, a hacker can replace the original code (unpatch) to create an undetectable hack. Patch-Execute-Unpatch attacks can take one to five hours to implement, although some attacks can take as little as five minutes. The quickness that this hack can be initiated has a dramatic effect on the time that an application remains protected.
What's a software vendor to do against attacks like these?
To avoid hacking and malicious alteration of the application, software companies are turning to new anti-tamper solutions that will protect the entire application, as well as maintain code integrity. One emerging approach is to arm the application with a self-defense system that injects thousands of checks into the source code of a target application, transforming the application into its own robust security system. Resistant to detection and removal techniques, this type of approach slows a hacker down because he must manually remove each check in order to render the security around the application ineffective.
Additionally, it is always best when an anti-tamper solution is applied on a per application basis. This means that each application has a unique defense that's specific to that particular application build. When that happens, a hacker must crack each application individually so the application is not susceptible to global attacks. By deploying a unique defense to tampering in every application, hackers become reticent to spend the time to manually remove checks, as this job is tedious and laborious. In many cases, the sheer length of time and effort required makes the hacker quit and move on to an easier target.
Open source presents developers with a different set of problems
As open source continues to gain traction as a viable alternative for mission critical applications, more and more enterprises will deploy some elements of open source technologies within their web server infrastructure. A hacker may start with an SQL injection attack, and if that doesn't work, move on to attacking the web server or other infrastructure until an unprotected point of entry is found. As more enterprises deploy open source technology, cybercriminals will target the security vulnerabilities within this infrastructure.
When protecting the infrastructure, the entire environment must be taken into account: web servers and infrastructure must be made tamperproof. Vendors will often lock down their applications in order to try and regulate access privileges but they often forget about the infrastructure they use, which leaves routes of attack for a hacker.
The impact of failed or ineffective security can be catastrophic, exposing vital systems or products to significant losses or damage. If a security solution fails to address sophisticated hacking attacks then it is likely that the software's protection effectiveness will be near zero, essentially exposing the software to hackers immediately. The "hackability" of software should be a key consideration to ISVs looking to protect their IP investment. With hackers becoming more creative and sophisticated, having an application and infrastructure protection strategy that lengthens the protection time of the whole system as long as possible is obviously the best way to protect your IP investment and, ultimately, your business.
Andrew McLennan is the founder and CEO of Metaforic.