Co-authored by Tu Le and Eric Johnson
Security based upon hardware is always the best countermeasure for distinguishing authorized from unauthorized access simply because the protected information is harder to modify. Based on this fact, many application producers take comfort in the belief that if a hardware strategy via a dongle is implemented to protect the software then software piracy will be extremely difficult or eliminated. Unfortunately, the reality is found in the old adage, "only as strong as the weakest link".
Software protection is not any different, and by adding hardware via a dongle, another link is added to the overall protection strategy. The weakest link in this chain is the integration layer between hardware and software, yet many developers believe the hardware dongle will solve all of their security concerns. Ultimately, the core protection to authorize the application to run comes from the presence (or not) of the dongle, which is essentially a comparison check. Here is what that comparison check might look like:
If (donglePresent () == SUCCESS)
If we take the same view of this code in assembly, it will look like:
TEST EAX, EAX ; IS DONGLE PRESENT?
JZ 00618496 ; RUN APPLICATION IF DONGLE IS ATTACHED
And if the weakest link is attacked:
NOP ; DONGLE CHECK BYPASSED?
JNZ 00618496 ; RUN APPLICATION IF DONGLE IS NOT ATTACHED
The best strategy for protecting software intellectual property is a varied approach with different systems and techniques. Let's start with an analogy in the physical security world, like your house. Let's then say you purchase the best hardware deadbolt lock on the market to protect the valuables in your home. Will that stop thieves? Yes and No: it won't stop thieves who will break a window to get into the house, yet it will stop a thief who only tries doors. We can increase the overall security of the home via an alarm system, security cameras and even a guard dog and the same applies software as well.
When it comes to protecting software, it is important to remember these maxims:
- Understanding of the tactics and tools used (i.e. reverse engineering, debuggers and disassemblers)
- Security is best layered (different systems and techniques)
- Security is never stationary
- Go to step #1
The best security takes significant time, resources and commitment. Hardcore code crackers are typically very determined, motivated and resourceful plus they are not concerned with the "time to money" ratio investment. And, ultimately, realize nothing is unbreakable to the determined/knowledgeable.
Learn more about Flexera Software's Tamper Resistant Software Licensing Code for software protection.