Hi, I would like to know what are the best approaches for protecting application and DLL files in situations like this:

Example:

  • Deploy the application (software) on the client
  • This software has DLLs - direct injection used in Data Factories (MS SQL, MySQL, other).

Wanted Security:

  • Requirement #1 - Main DLL (Core) requires some kind of "license" (for this user and for X duration) and cannot be used on other machines (copied).
  • Requirement #2 - Data Factories DLLs cannot be used by client custom code (he can't build his own code and use my libraries). (EDITED - added new requirement)
  • Requirement #3 - Using hardware or services from external companies is not an option for us.

Solutions that I found:

  • Req #1 -

    • Solution #1 - The software requires a custom "save data file" (full protection on it); this file will be used for control. The application will read it from time to time (or when it starts, or every 24h if the application is running continuously). It will store the first execution date, last execution date, some ID of that machine, expiration date, etc.
      • Pros:
        • Client cannot delete it or the application will stop working; he can't change the system date (rewind it) because the app matches the dates.
        • If the user wants to upgrade the expiration date, the software allows it (offline or online).
      • Cons:
        • Well, this file will be a hacking target. I do not know the best way to protect it.
  • Req #2 -

    • Solution #1 - I do not have one :P

. - . - . - . - . - . - . - . - . - . - . - . - . - . - . - . - . - . -

Can anyone tell me the best practices on this subject?

Different solutions, pros and cons, etc...

. - . - . - . - . - . - . - . - . - . - . - . - . - . - . - . - . - . -

A: 

Req 1

I'm not sure this will fit your need, but you could use a commercial solution involving a USB dongle. You can find several companies offering software security solutions on the internet. Most software components shipped with these products contain licensing and time expiration means. On the other hand you have the higher costs for the hardware and some time and work to invest in integration.

Req 2

Depends on the interface of your DLLs. Do you think your client or other people can easily use your DLLs without appropriate headers and information on the interface?

If you think so, maybe you can make the interface look more complex or use obfuscation.

Frank Bollack
Using hardware or services from external companies is not an option for us.
emanyalpsid
A: 

I answered the question about licensing/protecting software at some length in this response - which would work fine for a DLL under your control as well. In short, it isn't possible to deploy something that cannot be copied but it is possible to generate a key after deployment that must then be licensed by a call to your group or company.

With respect to Req 2 I think that the most reasonable approach is simply to pass in a parameter to each function that possible hackers won't know. I don't believe that making the names complex or otherwise obfuscating them helps (you can always analyze a DLL to discover its contents). Obfuscating also makes maintenance harder for you - never a good idea. I doubt that protecting them is more important than maintaining these DLLs!

Thus, I'd vote for some form of magic number being passed to your functions. The easiest would be a simple integer. More secure would be a time representation (a window of time would be best) that you then hash. If the dehash in the DLL matches the current time, you know you were called by your own code.

Mark Brittingham
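
The time-window check described in the answer above, as an added example that is not part of the original post or the answerer's code: the caller computes an HMAC over the called function's name and the current window index, and the library recomputes it for adjacent windows and compares in constant time. `SHARED_SECRET`, `WINDOW_SECONDS` and the function names `OpenFactory` and `ExportData` are assumptions made for illustration; because the secret ships inside both binaries, anyone who extracts it can produce valid tokens.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed values for this sketch; none of these names come from the page.
SHARED_SECRET = b"constructed-demo-secret"  # embedded in both app and library
WINDOW_SECONDS = 30                          # width of one time window


def _mac(secret: bytes, function_name: str, window_index: int) -> bytes:
    """HMAC-SHA256 over the called function's name and the window index."""
    message = f"{function_name}|{window_index}".encode()
    return hmac.new(secret, message, hashlib.sha256).digest()


def make_token(function_name: str, now: Optional[float] = None,
               secret: bytes = SHARED_SECRET) -> bytes:
    """Caller side: derive the token for the current time window."""
    now = time.time() if now is None else now
    return _mac(secret, function_name, int(now // WINDOW_SECONDS))


def verify_token(function_name: str, token: bytes, now: Optional[float] = None,
                 secret: bytes = SHARED_SECRET, skew_windows: int = 1) -> bool:
    """Library side: recompute the MAC for nearby windows and compare.

    A hash cannot be reversed, so the check recomputes instead of decoding.
    Accepting +/- skew_windows tolerates a call that straddles a boundary.
    """
    now = time.time() if now is None else now
    current = int(now // WINDOW_SECONDS)
    ok = False
    for index in range(current - skew_windows, current + skew_windows + 1):
        expected = _mac(secret, function_name, index)
        # Constant-time compare; no early exit, so every window is checked.
        ok |= hmac.compare_digest(expected, token)
    return ok


if __name__ == "__main__":
    t0 = 1_700_000_039.0  # constructed timestamp, last second of a window
    token = make_token("OpenFactory", now=t0)
    print(verify_token("OpenFactory", token, now=t0 + 2))    # True
    print(verify_token("OpenFactory", token, now=t0 + 120))  # False
    print(verify_token("ExportData", token, now=t0 + 2))     # False
```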