According to a study from IDC and Flexera Software, a significant proportion of software companies feel their licensing and pricing strategies are not effective in capturing the real value their software provides. As a result, their bottom line is suffering, and increasingly they’re subject to software piracy. While automated software licensing tools exist to ensure vendors receive adequate compensation for their products, many vendors have yet to adopt this technology.
The consequences of falling behind in software licensing are abundantly clear. The amount of revenue illegally being siphoned away from software companies due to unauthorised software use is staggering. A recent BSA Global Software survey notes that 43 percent of the software installed on PCs around the world, totaling more than $62 billion in value, was not properly licensed. This, combined with ever more sophisticated and relentless hackers, leaves software companies that fail to implement the latest security measures very vulnerable.
Gaps in Traditional Hacker Protection
As a result of revenue leakage from hackers, software companies are re-assessing their traditional licensing security approaches and noting gaps that must be closed. One area of particular vulnerability in software protection is the binary attack. This is a term used to describe how hackers inject malicious code into the application to circumvent licensing. A binary attack can occur on disk with a disassembler or in memory while an application is running. The hacker typically applies a patch to the stored or running application that changes its behavior. The code requiring license validation before performing an action is modified, so the application doesn’t check for licenses or, even worse, it looks for the hacker’s licenses.
Typical approaches to fighting these hacker modifications include encryption, dongle protection, secure boots, and more. While these were effective in less sophisticated times, or remain effective only in specific situations, gaps exist that can expose software companies to hacker risk:
- Encryption gap: Offers only one level of protection. Hackers can find the decryption keys hidden in the application, which then removes all protection. There’s also a rework impact of the encryption gap, as software companies then have to rewrite application code when protection is compromised. Finally, encryption can significantly impact performance.
- Dongle gap: Dongle protection does not address binary patching, and determined hackers know how to use dongle emulators to break dongle protection.
- Secure boots gap: This method protects devices, not software. Exposure is increasing since the Internet of Things (IoT) means putting more and more software on devices.
The gaps in these typical protection strategies have meant that software companies are beginning to fight back more aggressively. Enhanced tamper-resistant application capabilities provide additional security layers to fortify and protect the software application from piracy and thereby reduce revenue leakage.
Ring of Defense: Resistance, Obfuscation and Detection
Increasingly, software companies are adopting a “Ring of Defense,” tamper-resistance strategy to protect their intellectual property and eliminate revenue leakage. The Ring of Defense strategy is analogous to fortifying a home against burglary by making it significantly more difficult to gain entry and steal what’s inside:
- Resistance – Adding a “Moat” Around Software: Tamper-resistant licensing establishes a secure barrier around the software – a moat – making illegal entry by hackers significantly more difficult by preventing debugging and application signature spoofing – techniques hackers undertake to reverse engineer the application and gain illegal entry.
- Obfuscation – Hiding the “Front Door”: Enhanced code-obfuscation tamper resistance makes it harder for hackers to conduct static analysis on the application to find an entry point – the “front door.” Using this strategy, the strings, variables and functions that control the flow of software and application data, which may contain sensitive information, are hidden – making it significantly more difficult for hackers to find the code logic and gain illegal entry.
- Detection – Adding “Motion Sensors” and “Alarms” Signaling Intrusion: Ring of Defense licensing also helps ensure application integrity and maximises protection against binary tampering through innovative techniques that detect when hackers try to modify the application in memory and on disk. It also provides “call-home” notification alerts – effectively detecting unauthorised intrusion within the application and sounding the alarm to notify the software company of the illegal intrusion.
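The Obfuscation layer above hides strings that would otherwise hand an attacker the code logic (server names, error text, licence-related identifiers) through a simple string search of the binary. The following is an added example, not code from the original article or from any vendor's product: strings are encoded once at build time with an XOR keystream and decoded only at the moment of use, so the literal never appears in the shipped artifact. The key, the strings and the `shipped_artifact()` stand-in for the compiled program are all constructed for the demonstration.

```python
"""String hiding to resist static analysis (added example, not the article's own code)."""
from itertools import cycle

def build_time_encode(plaintext: str, key: bytes) -> bytes:
    """Run in the build pipeline: the returned blob is what gets compiled into the binary."""
    data = plaintext.encode("utf-8")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def runtime_decode(blob: bytes, key: bytes) -> str:
    """Run in the application, as late as possible, only when the string is actually needed."""
    return bytes(b ^ k for b, k in zip(blob, cycle(key))).decode("utf-8")

# Constructed per-build key. A real pipeline would generate a fresh key for each
# string so that recovering one key does not expose every hidden string.
BUILD_KEY = bytes.fromhex("3a7f1c55e2d4")

# Plaintexts constructed for the demo (the hostname is a reserved .invalid name).
PLAINTEXTS = {
    "license_endpoint": "https://licensing.example.invalid/activate",
    "failure_text": "License validation failed",
}

# What the build emits: only the encoded blobs are stored in the program.
HIDDEN = {name: build_time_encode(text, BUILD_KEY) for name, text in PLAINTEXTS.items()}

def shipped_artifact(obfuscated: bool = True) -> bytes:
    """Stand-in for the compiled binary's data section, with and without the hiding step."""
    if obfuscated:
        return b"".join(HIDDEN.values())
    return b"".join(text.encode("utf-8") for text in PLAINTEXTS.values())

def plaintext_visible(artifact: bytes, needle: str) -> bool:
    """Models what a `strings`-style search over the binary would find."""
    return needle.encode("utf-8") in artifact

def get_license_endpoint() -> str:
    """Application code path: decode immediately before use rather than at start-up."""
    return runtime_decode(HIDDEN["license_endpoint"], BUILD_KEY)

if __name__ == "__main__":
    print("visible without hiding:", plaintext_visible(shipped_artifact(obfuscated=False), "licensing."))
    print("visible with hiding:   ", plaintext_visible(shipped_artifact(), "licensing."))
    print("decoded at runtime:    ", get_license_endpoint())
```

This defeats only the static string search the article refers to: the decoded value exists in memory while it is in use, which is exactly why the article pairs obfuscation with the resistance (anti-debugging) and in-memory detection layers rather than relying on it alone.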
Software licensing is complex and ever-evolving. The rise in hacker threats and the revenue leakage experienced by many software companies are evidence that better licensing strategies are needed to monetize and properly protect intellectual property. Implementing tamper-resistant licensing is a case in point. Software companies unable to devote the significant time, money and staffing necessary to build and maintain best-in-class tamper-resistant licensing systems should look to third-party automation that will deliver significant protections.
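The Detection layer of the Ring of Defense works by noticing when the licence-check code has been modified on disk or in memory, and the binary attack described earlier is exactly the modification it looks for. The following is an added example, not code from the original article or from any vendor's product: a keyed integrity tag (HMAC-SHA256) is computed over the licence-check region at build time, recomputed at run time over both the on-disk copy and the in-memory copy, and a "call-home" event is assembled when either differs. The byte string standing in for the compiled routine, the build key and the `simulate_modified_copy()` helper used to produce a patched copy for the demonstration are all constructed; a real implementation would read the region from the executable file and from the running process image.

```python
"""Integrity detection for binary patching, on disk and in memory (added example)."""
import hashlib
import hmac
from typing import Dict, List

# Constructed stand-in for the compiled licence-check routine. The bytes are
# chosen to look like a small x86-64 function; they are not real code from any product.
LICENSE_CHECK_CODE = bytes.fromhex(
    "554889e5"      # push rbp; mov rbp, rsp
    "e800000000"    # call <validate_license>  (placeholder displacement)
    "84c0"          # test al, al
    "7405"          # conditional branch to the "unlicensed" path (offset 11)
    "b801000000"    # mov eax, 1  ("licensed" result)
    "5dc3"          # pop rbp; ret
)

# Assumed to be generated by the vendor's build pipeline. A plain hash can be
# recomputed by whoever patches the code; a keyed tag forces them to also find
# the key or remove the check, which the resistance and obfuscation layers make harder.
BUILD_KEY = b"placeholder-build-key-from-vendor-pipeline"

def compute_tag(code: bytes, key: bytes = BUILD_KEY) -> bytes:
    """Keyed integrity tag over one code region."""
    return hmac.new(key, code, hashlib.sha256).digest()

# Computed once at build time and shipped with the application.
EXPECTED_TAG = compute_tag(LICENSE_CHECK_CODE)

def check_region(location: str, code: bytes, expected: bytes = EXPECTED_TAG) -> Dict[str, object]:
    """Verify one copy of the region ('disk' or 'memory') and return a detection record."""
    intact = hmac.compare_digest(compute_tag(code), expected)  # constant-time comparison
    return {"location": location, "intact": intact, "length": len(code)}

def verify_application(disk_image: bytes, memory_image: bytes) -> Dict[str, object]:
    """Check both copies and build the call-home event the Detection layer sends."""
    results: List[Dict[str, object]] = [
        check_region("disk", disk_image),
        check_region("memory", memory_image),
    ]
    tampered = [str(r["location"]) for r in results if not r["intact"]]
    return {
        "event": "integrity_violation" if tampered else "integrity_ok",
        "tampered_locations": tampered,
        "details": results,
    }

def simulate_modified_copy(code: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Demo-only helper: returns a copy of the region with a few bytes changed."""
    return code[:offset] + new_bytes + code[offset + len(new_bytes):]

if __name__ == "__main__":
    print(verify_application(LICENSE_CHECK_CODE, LICENSE_CHECK_CODE)["event"])
    # Constructed scenario: the conditional branch at offset 11 was altered on disk.
    patched = simulate_modified_copy(LICENSE_CHECK_CODE, 11, b"\xeb")
    print(verify_application(patched, LICENSE_CHECK_CODE)["tampered_locations"])
```

Checking the in-memory copy as well as the file catches the runtime variant of the attack, where the file on disk is untouched and only the loaded image is modified. The check itself is code that can be patched out, so in practice it is placed behind the obfuscation layer, duplicated in several places and combined with the anti-debugging resistance layer rather than shipped as a single obvious test.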