Software copy protection methods


19 posts
by Andrei » Fri Dec 28, 2012 11:44 am
I need to protect my application from copying. The application is written in C++ (Qt) and it is located on the SD card of the RPi. I realize that there is probably no way to prevent actual coping of the application’s files but there is a way to prevent somebody from running the application without the required special piece of hardware. I can of course use widely available software protection dongle but I don’t want to use it for several different reasons:
• I don’t want to pay for a dongle
• I don’t want to waste a USB port for a dongle
• I believe I can create similar protection myself

Since the device on which the application will run has already an external microcontroller connected to the UART of the RPi, I think I can use this MCU also for protecting the application. The idea is to run following steps on the application startup:
• generate random number (or a set of numbers if necessary)
• encrypt the number(s) with AES128 (the same private encryption key will be hardcoded to the RPi app and to the MCU app)
• send the encrypted number to the external MCU through UART
• the app on the MCU will receive the number, decrypt it and send the decrypted number back to the RPi app
• the RPi app will continue to function only if the received number match previously randomly generated number

The program memory of the MCU will of cause be protected from reading so there’s no way to copy the MCU app. Hence the weakest link will be the RPi application itself. I am not very familiar with the disassembling and other cracking methods so I am not sure how difficult it will be to extract the encryption key from the application’s binary. Cracker can also modify the binary and simply bypass the number checking step.

In general, what do you think of the method described above? Will the real USB protection dongle provide better protection? I understand that this is not really a Raspberry Pi specific topic but I think there may be people on this forum who have encountered the same problem.
Posts: 12
Joined: Tue Nov 13, 2012 8:38 am
by Jim JKla » Fri Dec 28, 2012 12:45 pm
Probably the only way to protect the software is to link it with Public Key encryptionwith the software registered for use on a single machine with the public key using some hardware embedded serial number. Normally the best code to identify would be the MAC code but that only works if the "B" and would not be there for an "A".

Obviously every RPi has a serial number I don't know if there's a way to acess this from software.

One point is that will not stop someone reverse engineering your code.

You have not indicated the area your code will address (note you don't need to) I know nag-ware (pop up reminers) works I know low value sponsorship works. ;)
Noob is not derogatory the noob is just the lower end of the noob--geek spectrum being a noob is just your first step towards being an uber-geek ;)

If you find a solution please post it in the wiki the forum dies too quick
User avatar
Posts: 1935
Joined: Sun Jan 29, 2012 11:15 pm
Location: Newcastle upon Tyne UK
by ShiftPlusOne » Fri Dec 28, 2012 12:59 pm
There is no point going beyond a simple serial/key. You can also read the pi's serial number an generate a key based on that, but be prepared for paying customers complain when they buy a new pi and the software their paid for doesn't work.
Unless you want to invest silly amounts of money and inconvenience paying customers, anything you do will be bypassed with a few jmps anyway.
Moderator
Moderator
Posts: 1205
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy
by BirchJD » Fri Dec 28, 2012 2:28 pm
All seems a bit over complicated to me. Just use the serial number of the SD card which you are distributing the software on. If the card is then copied, your serial number check will prevent your application running on any other SD card.
http://www.newsdownload.co.uk/
User avatar
Posts: 93
Joined: Tue Nov 13, 2012 7:43 pm
by Jim JKla » Fri Dec 28, 2012 4:14 pm
Untill we have an idea what the product is it's all a bit speculative. ;)
Noob is not derogatory the noob is just the lower end of the noob--geek spectrum being a noob is just your first step towards being an uber-geek ;)

If you find a solution please post it in the wiki the forum dies too quick
User avatar
Posts: 1935
Joined: Sun Jan 29, 2012 11:15 pm
Location: Newcastle upon Tyne UK
by Andrei » Fri Dec 28, 2012 7:19 pm
I think I should tell you some details about the application and requirements for the protection method.

As mentioned, the application will run on the RPi which in turn is only a part of a bigger device. The device may not necessarily be connected to the internet. The application should still be fully functional.

The application will start automatically when RPi boots. The application should not require any user input such as entering serial/key numbers.

Finally, the application (one executable file) should be easily updatable simply by copying a new version to the SD card.

Do you still think my solution is overkill or unnecessarily complicated? Could someone give me an estimation of the difficulty of cracking the executable binary file?
Posts: 12
Joined: Tue Nov 13, 2012 8:38 am
by BirchJD » Fri Dec 28, 2012 8:02 pm
The SD card serial number can be found here, a simple text file to read. By itself you would have to compile the serial number in to each application released:
/sys/block/mmcblk0/device/serial

If you are worried about someone being knowledgeable enough to trace assembly code and work it out. You may as well forget about doing any product because it all comes down to assembly at the lowest level. You can defend yourself a bit by encrypting important constants used in your application. But if your tracing code that wont help much.
http://www.newsdownload.co.uk/
User avatar
Posts: 93
Joined: Tue Nov 13, 2012 7:43 pm
by ShiftPlusOne » Sat Dec 29, 2012 4:48 am
Andrei, as you probably know, anytime you have an 'if' in your program, there is a comparison being made. Finding that 'if' in disassembled code can be trivial. So if you have some complicated algorithm to generate a key, send it to a server, get an answer, compare and then an 'if', it's easy to find and change. I am no RE expert, I've only dabbled with simple binaries which were provided for the sole purpose of being cracked, so I don't know what the software giants do, but it most likely involves convoluting the code, maybe even decrypting it during runtime in extreme cases, so that it's not just a matter of changing a single instruction. I would also think that developing an algorithm which doesn't come down to a few simple checks is not trivial.

Think about it this way. How much money has Ubisoft spent on protecting their software? What software has the most brutal copy protection? Type the name of that software into thepiratebay and see what comes up. Raspberry Pi itself is a good example. The instruction set for the GPU has been reverse engineered and I wouldn't be surprised if we have basic opensource firmware in a few years. No matter what you do, you're just manipulating bits and if someone is determined they can figure out what you're doing and bypass it.

The only realistic option is to minimize piracy by creating the software and providing the support that people want to pay money for, setting a reasonable price, and making it easily available for purchase. The other option is to write software nobody will bother to crack, but I guess that would also be software nobody is willing to pay for.
Moderator
Moderator
Posts: 1205
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy
by Hi-Z » Sat Jan 05, 2013 10:32 pm
Your thread intrigues me and some of the responses got me thinking even more.

1. As others stated, using the Serial number built into USB & SD memory cards is the equivalent of a 'dongle'. Unfortunately, the number must be compiled into the program, which makes it useless if your card fails and needs to be replaced. This also forces the purchase of the dongle from you.

2. I recently obtained a board with a real time clock and was pleasantly surprised to see that it also came with a serial EEPROM. Another variation of the above example would be to put your own serial number in that. I believe it also has its own independent serial number (like the SD & USB), but I can't confirm that without rechecking the datasheet.

3. The MCU is the dongle (serial number) used in the same manner as above.

4. To avoid the 'if' statement dilemma and since the external MCU is protected, why not get the MCU to provide executable code back to the RPi. In other words, deliberately write the Pi program with missing instructions and upon verification of serial number, send the code to the Pi to be run. This could be as simple as 'Jump to xxxx memory location and continue running program'.

5. The same as above, but have the code stored (encrypted) on the Pi. The MCU returns the decryption keys to the Pi which unencrypts then executes the code.

6. By default, all communications via the UART are encrypted

7. Use multiple verification routines. In other words, serial number verification should happen more than once in your program. It's easier to hack a program once than it is to do multiple times. i.e. Security via frustration.

I also envision a method by which the serial number is used as one of the encryption keys in addition to using a public/private key ... an extra level of protection, but I haven't wrapped my head around how to properly execute it securely.

NOTE: No system is truly 100% secure. If someone wants to find a way in, they will. The best we can do is make it difficult enough to discourage weekend hackers.
Posts: 25
Joined: Wed Jan 02, 2013 8:19 pm
Location: Canuckistan
by rurwin » Sun Jan 06, 2013 12:08 am
viewtopic.php?p=238194#p238194

Here's another anecdote:
Back in the days of the BBC Micro, the word processor of choice was WordStar, which came on a Sideways ROM. I had a Second Processor, which meant I had more memory for my documents. But WordStar refused to work on the second processor -- I had to switch it off and write my stuff on the unadorned BBC Micro. One day at a computer exhibition I came upon a representative of the distributors of WordStar and asked him why this was. It turned out it was to prevent copying: it checked to see if it was running in RAM by trying to write to itself, and if it was it would crash, on purpose, with no diagnostic or warning messages. On the second processor, the contents of the ROM were copied over the tube to the second processor's RAM, hence the test saw RAM, and the application crashed.

The thing was, every extension board on the market that had RAM, had a switch to disable writes. The copy-protection did almost nothing to stop copying, and nothing at all to stop real pirates copying the ROM into another ROM and selling it. All it did was to inconvenience innocent, paying customers such as myself.

As I said in the above post: you can't stop copying, and every step you take to try will annoy some innocent customers. If you must use some sort of copy-protection then make it as light and unobtrusive as possible. You will stop the casual pirates and not annoy too many of the people who provide your pay cheque. If you are too heavy handed about it, you will still have pirates, and you will have fewer customers.

It is a mathematically provable fact that you cannot protect the code in the manner you suggest. The processor has to execute the code, and at that point it has to be unencrypted. Any tests can be found and patched out, and they will be; pirates are doing just this sort of thing already. Read up on the PS3 cracking saga, and that uses multiple levels of hardware protection inside the CPU.

You can build your dongle. It will add to your costs significantly in development, certification, hardware (for every sale) and customer support. It will mean that any prospective customers who need to use the on-board UART for their own purposes become customers of your competitors. It will also mean that if any customer fries, breaks or loses their dongle, they will think twice before buying a replacement.
User avatar
Moderator
Moderator
Posts: 2890
Joined: Mon Jan 09, 2012 3:16 pm
by gritz » Sun Jan 06, 2013 1:20 am
In my particular corner of computing almost every piece of software worth a damn is payware. Application development, testing and debugging isn't free and neither is customer support, or embedding of third-party intellectual property, or keeping up with market trends and developments in peripheral technology. Developer friends of mine have to weigh up copy protection options all the time with regard to themselves and the end user. They're all smarter than me and yet none of them have come up with a definitive answer as to the nuts and bolts - serial, challenge / response and hardware dongle etc all have downsides for user and supplier.

So maybe put yourself in the position of the end user. Why would an end user want to use a legit version of your software, rather than a crack? Walk on water support, some free tidbits now and again, a feeling of belonging, being treated as an individual? That sort of thing. It also rather depends on the likely sales and the price of your product, as well as the computer-savviness of your end user and exactly-what-it-is that your application does. Copy protection can only ever be one spoke in the wheel of commercialising your product.

You have reminded me of a conversation on a digital music forum between customers and a developer that I'll link to. The dev. gives a few hints as to his methodology:

http://www.kvraudio.com/forum/viewtopic.php?t=282441&start=0&postdays=0&postorder=asc&highlight=copy+protection
Posts: 449
Joined: Sat Jan 28, 2012 2:33 am
by rurwin » Sun Jan 06, 2013 11:46 am
Thinking about this in bed last night, I haven't seen a dongle since the 1990's, although the thread gritz links to shows they are still about.

All the software I use these days uses on-line registration: the software or documentation has a customer-specific key and the supplier's customer-support converts that into an activation key. That is of minimal impact to the user and puts them on notice that any leaked copies can be traced back to them. You can use the computer's serial number in that, but then your customer-support has to deal with people who have legitimate reasons for needing a new key.

LabView is worth a mention: they license the software to one person, and only that person can get tech-support, but that person may be changed a small number of times per year (six IIRC). The software does not prevent concurrent installations or even concurrent use (so far as I know.) That is so reasonable that my colleague and I took care to ensure we were not both using it at once, and we stayed well within the six-per-year limitation.
User avatar
Moderator
Moderator
Posts: 2890
Joined: Mon Jan 09, 2012 3:16 pm
by Hi-Z » Sun Jan 06, 2013 3:52 pm
There is a definite shift towards online registration of products in the software industry. I saw this coming a number of years ago but it's only been really pushed in the past couple years with the advent of the industry buzzwords "cloud computing". You are expected to have internet access. Physical distribution (ie CD & DVD) has been slowly replaced by online distribution as well.

The main benefit of this method is version control. When you have an update, it can be immediately distributed to all registered users. And when delivered, each users registration info can be embedded into the program to help source out piracy (great link gritz). Additionally, you can use the registration process to send the customer the "missing chunk of code" that upgrades your demo version to full. But what happens when the customer doesn't have internet access? Do you create special copies to be mailed to them? Or do you make demo distribution a "hobbled" variation of the full release with an "if" statement comparison? You obviously can't have them calling you every time they run the program to gain access, so what do you do? Do you piss off 20% of your customers by making registration difficult, or do you just not pursue them as customers and let them find the competition?

There are certain applications where the above model succeeds ... High end ($$$$$), limited distribution comes to mind, but in those situations your product is limited to industry professionals who pay anyways. Contrast that to low end($), mass distribution and 'rurwin's theory of alienation' applies.

I guess it comes down to the following: Who is your customer and how do you wish to treat them?


Side Note: The ROM write method is a classic ... a similar example is to write to a OTP (one time programmable) device.
Posts: 25
Joined: Wed Jan 02, 2013 8:19 pm
Location: Canuckistan
by technion » Mon Jan 07, 2013 4:43 am
Andrei wrote: Will the real USB protection dongle provide better protection? .


This post implies that "real USB protection dongle" is actually hard to beat.
I bought a product (legitimately) a while back and was advised it would take three months to receive my dongle. In the meantime.. it wasn't hard to find a crack.
Posts: 230
Joined: Sun Dec 02, 2012 9:49 am
by Jim JKla » Mon Jan 07, 2013 6:57 am
And this just goes to show that if they want to pirate you software even the hardware dongle is not strong enough.

Note the effort here is being made by the people writing the crack thats the hard part finding a freely available crack and taking the risk it's not opening a back door in your system is another thing alltogether.
Noob is not derogatory the noob is just the lower end of the noob--geek spectrum being a noob is just your first step towards being an uber-geek ;)

If you find a solution please post it in the wiki the forum dies too quick
User avatar
Posts: 1935
Joined: Sun Jan 29, 2012 11:15 pm
Location: Newcastle upon Tyne UK
by Lonewolff » Mon Jan 07, 2013 11:04 am
BirchJD wrote:All seems a bit over complicated to me. Just use the serial number of the SD card which you are distributing the software on. If the card is then copied, your serial number check will prevent your application running on any other SD card.

This is exactly what I was thinking. 8-)
Loving my peice of the Pi
Posts: 112
Joined: Fri Dec 28, 2012 11:13 pm
Location: Merimbula, Australia
by hesterl » Mon Dec 02, 2013 7:20 am
USB copy protection (http://www.kakasoft.com/usb-copy-protect/) can protect all files (NTFS files supported) stored in your USB. After encripted by this program, you can set different users and passwords with different permissions, like: reading, writing, full permissions and others...It's really good to use!
Posts: 2
Joined: Mon Dec 02, 2013 6:04 am
by MarkieB » Mon Dec 02, 2013 4:14 pm
NOTE: No system is truly 100% secure. If someone wants to find a way in, they will. The best we can do is make it difficult enough to discourage weekend hackers.


Totally agree. This is pretty much the reason I've given-up writing distributable/standalone software - there is no effective way of securing it.
Posts: 3
Joined: Fri Nov 29, 2013 9:21 pm
by rurwin » Mon Dec 02, 2013 6:19 pm
I'm being dragged kicking and screaming to the same conclusion: there is no future in one-man garage-built software as a standalone product. The only business model that makes sense is a service that might include some software. The customer must see buying the software as giving them something worthwhile. Therefore rather than just write some useful package and leave it at that, the producer must also supply valuable support to their customers. That's easy for large companies to do, but not for a lone software engineer.

The only model that might make a profit is nag-ware, where the program nags the user to register it, but not in a sufficiently annoying manner to make it worthwhile to hack out the nagging. A small fraction of the user-base will pay for it, and they won't pay much. It will make a profit, but probably not enough to live on.

I have resigned myself to supporting open-source, and generating income elsewhere.
User avatar
Moderator
Moderator
Posts: 2890
Joined: Mon Jan 09, 2012 3:16 pm