Technology Approach:
Protecting software applications deployed outside of trusted operating environments
is not absolute. Instead, the goal for software protection technology is to extend
the time, expense, and resources required by those attempting to reverse engineer and tamper with an application. As a result, the
protection process and the ability to continuously update applications with new
enhanced protection must be automated. V.i. Labs’ CodeArmor Software Protection
technology and architecture exemplifies this approach by offering an automated post-processing
capability that adds protection into applications without requiring source code
modifications.
By striking this balance, enterprise organizations and software providers can protect
applications with minimal impact to the development process and are not required
to support the protection mechanisms themselves – leveraging V.i. Labs’ software
protection expertise.
Protection Capabilities
The table below compares the reverse engineering threat vectors to V.i. Labs’ countermeasure
approach. Many of these vectors are used in piracy, tampering, and code theft attacks.
For example, in a piracy scenario the cracking groups commonly build patched versions
of executable and DLL files that bypass or disable a software vendor's license/activation
and Digital Rights Management (DRM) routines. These patches are built using static
and runtime reverse engineering processes. V.i. Labs CodeArmor Software Protection allows
software providers to layer these countermeasures into software applications. An example of a
key protection capability available for native Windows applications is Just-In-Time
(JIT) function decryption. This capability allows CodeArmor to protect against memory
dumping tools and scripts by limiting the availability of decrypted code in memory
at any one time.
Approach for protecting Microsoft .NET applications:
Applications developed using managed frameworks like Microsoft .NET significantly
raise the risk of piracy, tampering, and code theft threats as well as increasing
the complexity of protecting applications at runtime. Unlike native Windows applications,
Microsoft .NET applications are only partially compiled, into Microsoft Intermediate Language
(MSIL), and contain highly descriptive metadata. This fact means that the deployed
code itself can be decompiled into a higher-level source code representation. In addition,
because the framework is a standards-based implementation, there are a multitude
of freeware tools available that can decompile .NET code. This greatly reduces the
skill level a hacker or competitor needs to tamper with and steal the code.
Since the introduction of Microsoft .NET, code obfuscation has been the predominant
method of protecting the application by removing the context of the code itself.
However, since the binaries can still be decompiled and additional tools leveraged
to analyze the application operation, reverse engineering is still a simple endeavor.
V.i. Labs extended its native software protection approach to go beyond code obfuscation
and prevent .NET applications from being decompiled as well as offering runtime
monitoring capabilities to detect and react to threats from debuggers, decompilers,
tampered .NET Framework, and other tools that could tamper with or access the code once
the application is executed. The V.i. Labs protection technology is itself obfuscated
and then implemented as unmanaged code within the .NET application and therefore
is not exposed in the managed code. To offer code encryption support
for the .NET environment, V.i. Labs developed a driver-based technology called Secure
Container to protect the decryption of IL code as well as external access to this
code during application operation. Together these extensions offer a layered defense
against reverse engineering that can be combined with traditional code obfuscation
tools to provide the best defense against reverse engineering of .NET applications.
Software Protection Automation:
V.i. Labs created a patented post processor technology to balance the need to automate
protection, add comprehensive reverse engineering countermeasures, and extend or
evolve protection over time and optimize performance. The Post Processor embeds
the V.i. Labs protection technology into the application executable and associated
DLL files using binary analysis. As a result the application file Portable Executable
(PE) structure is modified, but no source code changes are necessary. To guard against
a “class break” where all applications protected by V.i. Labs could be compromised
by a scripted threat, the Post Processor was designed to ensure that each instance
of the protection logic, key creation, and obfuscation of the protection code is
unique every time an application has protection applied. This approach enables the
CodeArmor technology to be implemented at the end of the software build process.
CodeArmor Software Protection components:
- Configuration Interface – A graphical interface is available that allows the CodeArmor
administrator to choose protection levels, select sensitive functions (e.g., licensing),
and other options that allow protection to be optimized for a given application.
Once protection is defined a command line interface allows the post processing operation
to be integrated within the build process.
- Post Processor - An application that automatically analyzes application binary files,
applies encryption at the function level, embeds secure run-time monitoring functions,
adds pre-defined application and security extensions, and creates a secure version
of the target application.
- Secure Execution Monitor - A set of security functions that are embedded in the
software application during the protection process to secure the application at
run-time. The monitor provides functions to encrypt and decrypt application subroutines,
ensure application integrity, and monitor the runtime environment for malicious
activity and unauthorized access.
- Secure Container Technology – For applications developed using Microsoft .NET, the
CodeArmor protection process uses a secure container technology to create a secure
virtual environment to protect the decryption of MSIL code. The container technology
is a driver level integration that is only required for .NET applications.
Read our technology whitepaper Guarding Against Software Piracy, Source Code Theft and Tampering