By Tu Le
I've worked in the security industry for over 15 years and I often get requests to help developers quickly integrate security protection into their applications. There are many piracy prevention solutions to lend a helping hand, including using software licensing and protection. Another option is to use executable packers and encryptors, which are often referred to as application shelling or hardening.
What is Application Shelling?
Application shelling is a technology that a few software security companies offer to highlight how easy and effective it can be to protect software application intellectual property from being reverse engineered. As the name suggests, application shelling is a process where security functions are injected into the program and then encrypted based upon some industry standard such as AES (Advanced Encryption Standard).
Typically, because of time constraints or, in some cases, a lack of source code, this technology is attractive to software publishers because it lets them get the product out the door quickly. It also prevents novice crackers from modifying a few bytes of the executable to circumvent security, such as the infamous "JNZ to JMP" instruction patch. However, there are hidden dangers in using this type of technology that most software publishers are not aware of, including:
When security fails, you end up with an unsatisfied, angry end user and usually a blue screen of death (BSOD).
- Shelling involves injecting security function(s) and encrypting the program. When the security fails, the program's workflow is redirected to some random memory pointer, which forces the application to crash rather than exit gracefully.
- Because of the encrypting and decrypting involved, initial loading time will be impacted, which will negatively affect the end user experience.
Mission critical applications require a predictable outcome.
- Since shelling technology enforces its own workflow in order to properly decrypt the program in memory, an unpredictable outcome results.
Maintaining, troubleshooting and debugging a deployed application will be difficult as the application is encrypted.
- Ironically, the company offering the application shelling will require an unprotected version of the application in order to troubleshoot.
- The application footprint will increase, because the process involves embedding additional security code into the application's startup code sequence.
- A sophisticated hacker can exploit the shelling technology by embedding malware into the application and masking its signatures, circumventing antivirus and other security protection so that the malware can spread or gain access to an unauthorized area of the system.
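The signature-masking risk in the last point, seen from the defender's side in an added example (not from the original article): once a section is encrypted, a byte-signature scan no longer matches, while a per-section entropy check still flags it as likely packed. The SHA-256 keystream is a stand-in for the shell's AES step, and the sample bytes, key and 7.0 threshold are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

SIGNATURE = b"\x75\x10\xe8LICENSE_CHECK"  # constructed byte pattern a scanner looks for
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off, tune on your own corpus


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the shell's AES step: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)


def triage(section: bytes) -> dict:
    """Report what a signature scan and an entropy check each see."""
    entropy = shannon_entropy(section)
    return {
        "signature_hit": SIGNATURE in section,
        "entropy": round(entropy, 2),
        "likely_packed": entropy >= ENTROPY_THRESHOLD,
    }


# Constructed sample: repetitive, code-like bytes with the pattern embedded.
PLAIN_SECTION = (b"\x55\x8b\xec\x83\xec\x20" * 300) + SIGNATURE + (b"\x90\xc3" * 400)
# The same bytes after the stand-in encryption step (constructed key).
SHELLED_SECTION = keystream_encrypt(PLAIN_SECTION, b"constructed-demo-key")

if __name__ == "__main__":
    print("plain  :", triage(PLAIN_SECTION))
    print("shelled:", triage(SHELLED_SECTION))
```

High entropy alone does not mean a file is malicious, since legitimately shelled or compressed applications score the same way; it only tells the analyst that static signatures cannot be trusted for that section.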
Application Shelling Isn't the Panacea
There are other security mechanisms available, including software licensing technology that detects and limits the functionality of the program over time. This software licensing technology utilizes secure data types and tamper resistant applications to prevent software piracy and hacking. Implementing application security to minimize risk of software piracy requires careful planning and design.
Maureen Polte, Vice President of Product Management for InstallShield