Protecting your Ocean plug-in Intellectual Property and Licensing code
Protecting your Ocean plug-in Intellectual Property and Licensing code
Protecting your Ocean plug-in Intellectual Property and Licensing code
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Arxan Confidential<br />
<strong>Protect<strong>in</strong>g</strong> <strong>your</strong> <strong>Ocean</strong> <strong>plug</strong>-<strong>in</strong><br />
<strong>Intellectual</strong> <strong>Property</strong> <strong>and</strong><br />
Licens<strong>in</strong>g <strong>code</strong><br />
10/21/2010<br />
V<strong>in</strong>ce Arneja<br />
Vice President, Product Management<br />
Arxan Technologies
Today’s Topic<br />
Arxan Technologies<br />
– Company <strong>and</strong> Technology Overview<br />
Application Threats fac<strong>in</strong>g Oil & Gas Software<br />
Countermeasures to mitigate threats <strong>and</strong> preserv<strong>in</strong>g <strong>your</strong><br />
revenue stream<br />
– Application Harden<strong>in</strong>g<br />
– Arxan’s GuardIT for license management <strong>and</strong> <strong>in</strong>tellectual property<br />
protection<br />
Protection Automation<br />
Q&A<br />
Arxan Confidential<br />
2
Arxan At-A-Glance<br />
• History: Founded <strong>in</strong> 2001 from NSA Center of Excellence (CERIAS) at Purdue University. Software<br />
Company with Department of Defense pedigree<br />
- NOT a Norwegian Company!!!<br />
- Lead<strong>in</strong>g Anti-Tamper/Software Protection solution s<strong>in</strong>ce 2001, with 6 th generation product offer<strong>in</strong>g<br />
- <strong>Protect<strong>in</strong>g</strong> Petrel <strong>and</strong> other SLB applications s<strong>in</strong>ce 2006<br />
• Current St<strong>and</strong><strong>in</strong>g: Privately held, VC backed, well-funded, <strong>and</strong> grow<strong>in</strong>g<br />
- Horizontal software solution used <strong>in</strong> a variety of markets <strong>in</strong>clud<strong>in</strong>g Govt, Digital Media, Gam<strong>in</strong>g, Enterprise, ISV <strong>and</strong><br />
various other market segments<br />
- Customer Value: Maximize revenues by protect<strong>in</strong>g applications aga<strong>in</strong>st tamper<strong>in</strong>g, piracy <strong>and</strong> IP theft,<br />
<strong>and</strong> assure <strong>in</strong>tegrity of customer experience<br />
- Solution Targets Man At The End (MATE) attacks<br />
- Where the adversary ga<strong>in</strong>s an advantage from violat<strong>in</strong>g software under their control<br />
- Cross-Platform Software Protection Suite<br />
- Covers W<strong>in</strong>dows, L<strong>in</strong>ux, MacOSX, Android, .NET, Java, etc.<br />
- Real-time protection aga<strong>in</strong>st attempted hacks <strong>in</strong> runn<strong>in</strong>g applications<br />
- Add security <strong>in</strong> application, so protection goes wherever the app goes <strong>and</strong> is distributed<br />
Offices/labs <strong>in</strong> Bethesda (MD), San Francisco <strong>and</strong> W Lafayette (IN)<br />
GuardIT Won Application<br />
Security Award<br />
Won Global Product<br />
Excellence Award<br />
DRM F<strong>in</strong>alist<br />
F<strong>in</strong>alist for Red Herr<strong>in</strong>g<br />
100 Awards<br />
Named a “Cool Vendor”<br />
By Gartner<br />
Arxan Confidential<br />
3
GuardIT ® Overview<br />
• GuardIT is a software product that hardens applications to prevent<br />
unauthorized access, malware <strong>in</strong>sertion, tamper<strong>in</strong>g <strong>and</strong> compromise.<br />
• GuardIT enables you to quickly <strong>and</strong> easily implement a deep <strong>in</strong>tricate<br />
layered protection by embedd<strong>in</strong>g a collection of <strong>in</strong>terdependent<br />
protection rout<strong>in</strong>es, called Guards, <strong>in</strong>to a program at the b<strong>in</strong>ary level.<br />
• The Guards, which appear to be normal <strong>code</strong>:<br />
– Enable the program to DEFEND itself,<br />
– To DETECT <strong>and</strong> ALERT if it is attacked,<br />
– To REACT if it is modified<br />
– Are policy <strong>and</strong> threat driven<br />
• Benefits of GuardIT <strong>in</strong>clude:<br />
– Multiple uses: Embedded, Web, Mobile, Desktop<br />
– Layered protection for defense-<strong>in</strong>-depth<br />
– Low performance impact, low development impact<br />
Arxan Confidential<br />
4
Why Protect Managed Code<br />
• Easy to decompile<br />
– Metadata <strong>in</strong> tact<br />
• Type <strong>in</strong>formation<br />
• Str<strong>in</strong>gs<br />
• Symbols<br />
• Control / Data flow<br />
– Tools are freely available:<br />
e.g., Reflector<br />
• Easy to modify<br />
– Decompile<br />
– Modify source <strong>code</strong><br />
– Recompile<br />
• Everyth<strong>in</strong>g <strong>in</strong>clud<strong>in</strong>g License<br />
management becomes more<br />
vulnerable<br />
.NET Decompilation Example<br />
Arxan Confidential<br />
5
Common Attack Tools<br />
• Debuggers (dynamic analysis) - ICorDebug Tools<br />
• Disassemblers (static analysis) - ILDASM<br />
• Assemblers – ILASM<br />
• Decompilers - Reflector<br />
• Hex editors (patch programs, edit raw data) -<br />
Hackman, XVI32<br />
• Portable Executable (PE) editors<br />
• Comparison tools<br />
• File or registry monitors<br />
Arxan Confidential<br />
6
Attack Vectors <strong>and</strong> Intelligent<br />
SW Protection<br />
Intelligent Software Protection<br />
Defend Aga<strong>in</strong>st<br />
Static Attacks<br />
Detect/Defend<br />
Aga<strong>in</strong>st Dynamic<br />
Attacks<br />
Guard Types<br />
Guard Reactions<br />
<strong>and</strong> Recoveries<br />
Decompil<strong>in</strong>g<br />
Disassembl<strong>in</strong>g<br />
Signature<br />
Match<strong>in</strong>g<br />
Tamper<strong>in</strong>g<br />
Differential<br />
Analysis<br />
Debugg<strong>in</strong>g<br />
Virtualized<br />
Execution<br />
Emulat<strong>in</strong>g or<br />
Spoof<strong>in</strong>g<br />
Memory<br />
Scann<strong>in</strong>g<br />
Memory<br />
Dump<strong>in</strong>g<br />
Tamper<strong>in</strong>g<br />
Code Injection<br />
Obfuscation<br />
Encryption<br />
Value Verification<br />
Checksumm<strong>in</strong>g<br />
Anti-debug<br />
Authentication<br />
Damage/repair<br />
Watermark<strong>in</strong>g<br />
Self-Heal<br />
Exit or Fail<br />
User Notification<br />
Covert Phone Home<br />
Erase Assets<br />
Degradation<br />
Reactivate/Renew<br />
Custom Function<br />
Secure Patch<strong>in</strong>g<br />
Arxan Confidential<br />
7
Defense <strong>in</strong> Depth<br />
Control Flow Graph<br />
Encryption<br />
Guard Protected by:<br />
Encryption Guard<br />
CPI/IP Code<br />
Identified<br />
Checksum<br />
IP Protected by:<br />
Checksum Guard<br />
Obfuscation<br />
Checksum<br />
IP Protected by:<br />
Obfuscation Guard<br />
Obfuscation<br />
Guard Protected by:<br />
Checksum Guard<br />
Guards Protected by:<br />
Obfuscation Guard<br />
Arxan Confidential<br />
8
Feature Use Case:<br />
Schlumberger - Open, extensible <strong>and</strong><br />
secure platform for geoscience<br />
9
Oil <strong>and</strong> Gas Applications at Risk<br />
High value applications provide oil <strong>and</strong> gas<br />
competitive advantage <strong>and</strong> differentiation <strong>in</strong> a<br />
global <strong>and</strong> commoditized market.<br />
Complex Code<br />
Differentiat<strong>in</strong>g science<br />
These applications are distributed <strong>and</strong><br />
deployed <strong>in</strong> hostile environments <strong>and</strong> are<br />
regularly subject to attacks<br />
Rampant (<strong>and</strong> rapid) availability of high-valued<br />
software on multiple crack sites.<br />
New versions advertised for download prior to<br />
be<strong>in</strong>g cracked — troll<strong>in</strong>g for customers!<br />
Br<strong>and</strong> degradation <strong>and</strong> other consequences<br />
Revenue Leakage Prevention<br />
Licens<strong>in</strong>g logic<br />
Arxan Confidential<br />
10
Case Study: Schlumberger<br />
• SW Vendor Goal<br />
– Multi-billion dollar ISV<br />
– Sell sophisticated oil field model<strong>in</strong>g software to countries with high<br />
piracy rates <strong>and</strong> no legal or government IP protection.<br />
• SW Vendor Problem<br />
– License management <strong>and</strong> dongle security mechanisms be<strong>in</strong>g easily hacked<br />
– Hacked version of new releases on cracked SW sites with<strong>in</strong> days of GA<br />
– Complex application, many exploitable gaps between modules<br />
– Piracy rampant <strong>in</strong> Asia<br />
• Arxan Solution<br />
– Full risk assessment, then complete fortification of application with Arxan<br />
– Arxan now deployed as a security best practice across entire portfolio<br />
of applications<br />
– Protected applications successfully deployed worldwide for 4+ years<br />
– Customer benefitt<strong>in</strong>g from significantly <strong>in</strong>creased revenues, <strong>and</strong> exp<strong>and</strong><strong>in</strong>g<br />
protection to .NET ecosystem of <strong>plug</strong>-<strong>in</strong> apps<br />
Arxan Confidential<br />
11
GuardIT for .NET Automated Protection<br />
Goal is to protect licens<strong>in</strong>g <strong>and</strong> IP <strong>in</strong> the <strong>plug</strong>-<strong>in</strong> itself<br />
Externalize the protection def<strong>in</strong>ition from <strong>your</strong> <strong>plug</strong>-<strong>in</strong><br />
Schlumberger architects <strong>in</strong>volved with Risk Assessment<br />
Phase 1<br />
<br />
Licens<strong>in</strong>g Module Image (Example Protections)<br />
Phase 2<br />
• Obfuscation guard: obfuscate the entire image<br />
• Checksum guard: checksum the entire image<br />
• Str<strong>in</strong>g encryption guard: encrypt all str<strong>in</strong>gs <strong>in</strong> this module so "license succeeded" doesn't appear <strong>in</strong> pla<strong>in</strong> text<br />
• Others<br />
<br />
Plug-<strong>in</strong> Module Image (Example Protections)<br />
• Checksum guard: checksum high performance <strong>code</strong><br />
• Obfuscation guard: obfuscate sensitive IP<br />
• Checksum guard: checksum sensitive IP<br />
• Checksum guard: checksum the entire image<br />
• Str<strong>in</strong>g encryption guard: encrypt all str<strong>in</strong>gs <strong>in</strong> this module<br />
• Others<br />
Arxan Confidential<br />
12
GuardIT for .NET Automated Protection<br />
M<strong>in</strong>or customization allows for quick <strong>and</strong> strong protection<br />
Specify variety of class <strong>and</strong> method names for licens<strong>in</strong>g<br />
<strong>and</strong> IP protection for guard <strong>in</strong>vocation<br />
Specify high performance <strong>code</strong> location<br />
Seamless Build Integration<br />
Arxan Confidential<br />
13
Competitive Differences<br />
Cross Platform Software Protection Suite (Native,<br />
Managed, Interpreted)<br />
Strength of diversification/ <strong>in</strong>dividualization<br />
Protection Techniques conta<strong>in</strong>s a lot more than Renam<strong>in</strong>g<br />
(Obfuscation, Checksum, Cross Module, Encryption, etc.)<br />
Power of a Guard Network – Guards protect<strong>in</strong>g <strong>code</strong> <strong>and</strong><br />
each other – Elim<strong>in</strong>ates s<strong>in</strong>gle po<strong>in</strong>t of attack<br />
Licens<strong>in</strong>g Model is not per developer based<br />
Licens<strong>in</strong>g Risk Assessment <strong>and</strong> Protection Scheme<br />
already done<br />
Arxan Confidential<br />
14
Arxan’s GuardIT ® Protection Process<br />
1<br />
.NET Assembly file –<br />
<strong>Ocean</strong> Plug-<strong>in</strong><br />
GuardScript<br />
2<br />
Pre-fortified GuardScript for<br />
protection based on Risk<br />
Assessment<br />
Orig<strong>in</strong>al<br />
Plug-<strong>in</strong><br />
.EXE, .DLL<br />
3<br />
GuardIT ® Insertion<br />
Eng<strong>in</strong>e<br />
Eng<strong>in</strong>e automates<br />
Guard <strong>in</strong>sertion as<br />
def<strong>in</strong>ed by GuardScript<br />
directly <strong>in</strong>to b<strong>in</strong>ary<br />
Guard library conta<strong>in</strong>s many<br />
different Guard types such as:<br />
• Obfuscation<br />
•Checksum<br />
• Str<strong>in</strong>g Encryption, etc.<br />
4<br />
Protected<br />
Plug-<strong>in</strong><br />
After Guard <strong>in</strong>jection<br />
• Guards dissolve <strong>in</strong>to assembly<br />
• Guard cannot be identified or<br />
isolated<br />
Arxan Confidential<br />
15
The <strong>Ocean</strong> Store – Protected Apps<br />
Shopp<strong>in</strong>g Cart<br />
Plug-<strong>in</strong> detail<br />
Arxan Confidential<br />
16
Arxan Software Protection Suite<br />
• Code Protection (Anti-RE <strong>and</strong> Anti-Tamper):<br />
– Desktop/Server/Embedded/Mobile Applications<br />
• GuardIT for W<strong>in</strong>dows<br />
• GuardIT for Microsoft .NET Framework<br />
• GuardIT for Mac OS X<br />
• GuardIT for L<strong>in</strong>ux<br />
• GuardIT for Java<br />
• EnsureIT for Mac/PowerPC<br />
• EnsureIT for Android/ARM<br />
• EnsureIT for L<strong>in</strong>ux/ARM<br />
• EnsureIT for iOS/ARM<br />
• Add-ons<br />
- Arxan Licens<strong>in</strong>g Code Protection for FlexNet Publisher<br />
Certificate Based<br />
- Arxan Licens<strong>in</strong>g Code Protection for FlexNet Publisher<br />
Vendor Daemon<br />
- Arxan Licens<strong>in</strong>g Code Protection for FlexNet Publisher<br />
Trusted Storage<br />
- Arxan Tamper Resistance Solution for Marl<strong>in</strong> DRM<br />
• Cryptographic Key Protection (Public/Private Key<br />
Hid<strong>in</strong>g):<br />
– TransformIT<br />
• Host-ID Spoof<strong>in</strong>g Prevention<br />
– B<strong>in</strong>dIT<br />
• Professional Services:<br />
– Product Extension Services, Security audits,<br />
Blue team, Risk assessments, etc.<br />
• Supported languages<br />
– C, C++; both native <strong>and</strong> mixed mode images<br />
– C# , VB.NET for managed <strong>code</strong> applications<br />
• Supported executable file formats<br />
– PE<br />
– ELF<br />
– Mach-O/Universal B<strong>in</strong>ary<br />
• Supported compilers<br />
– Visual Studio 2003, 2005(SP1), 2008, 2010<br />
– Various Flavors of GCC<br />
• Supported Development (Host) Platforms<br />
– All Flavors of W<strong>in</strong>dows<br />
• Supported Deployment (Target) Platforms<br />
– All Flavors of W<strong>in</strong>dows<br />
– Red Hat Enterprise L<strong>in</strong>ux 4 <strong>and</strong> 5<br />
– Mac OS X 10.4 – 10.6<br />
– .NET 2.0 – 4.0<br />
• Supported Target chipsets<br />
– Intel Compatible x86 (32-bit); 64-bit chipset ; PPC ;<br />
ARM;<br />
• Build <strong>in</strong>tegration<br />
– Comm<strong>and</strong> l<strong>in</strong>e <strong>in</strong>terface allows seamless <strong>in</strong>tegration<br />
<strong>in</strong>to any build environment<br />
Arxan Confidential<br />
17
Arxan Confidential<br />
Contact Information<br />
QUESTIONS ?<br />
Email: <strong>in</strong>fo@arxan.com for more <strong>in</strong>formation about protect<strong>in</strong>g<br />
<strong>your</strong> <strong>Ocean</strong> <strong>plug</strong>-<strong>in</strong> <strong>code</strong>.<br />
www.arxan.com