views:

689

answers:

+9 Q:

Protecting a high value C# application with only one user

I have a single application -- written in C# -- which is used by only one user. I provide this software for a very high monthly fee (> $10,000). I'd like to protect this application against use by any other user and I'd like to be able to stop the one user from using the application if they stop paying the license fee.

I know that there is no perfect protection scheme, and I've reviewed the many similar questions on SO, but my question is a little different because I have only one client, I have full access to their hardware, and I don't mind taking even a few hours per installation for a substantial increase in security.

+3 A:

Security is a process.

I question the reason why someone would pay 10k per month for an application. Duplication of the functionality of this application would probably not be at that great of cost. So if the entity using it describes it to another programmer could they duplicate it? Probably.

At any rate, if you have access to their hardware and you control their OS user name / password, simply make the password expire every month.

Habakuk 2009-12-07 00:22:39

If the application does a job which would cost you more than 10k a month in salary, this is a perfectly reasonable proposition.

Mathias 2009-12-07 01:22:37

@Mathias - I agree, but it does seem too good to be true. Even if it saves 10k per month, what kind of businessman would pay 10k a month instead of a one time payment, especially for software. Does it require that much maintenance? Good for the OP that they negotiated this deal. How long will it last?

2009-12-07 02:40:29

+2 A:

You can bind your app to the box. You can also limit the use to the user by providing him with a login. I do not see though what you can do about your user sharing his credentials and the box with somebody else.

If binding to a box is enough there are techniques to do that - i.e. you can bind it to NIC hardware id.

mfeingold 2009-12-07 00:24:19

+9 A:

For 10K/month you could afford to run it on your hardware, which you administer, instead of on their hardware. You could put your hardware in a datacentre, to which they don't have physical access.

The hardware must be run on hardware at the customer's site.

So, I guess they're sensitive about where their data is located.

There are many 3rd-party licensing solutions (for example, Infralution, .Net Reactor, Oreans WinLicense, Armadillo, XHEO DeployLX, and presumably many more). If you're interested in Microsoft's own solution, see InishTech here and here.

ChrisW 2009-12-07 00:27:02

The hardware must be run on hardware at the customer's site.

2009-12-07 02:13:07

I edited my answer to reference various existing licensing software.

ChrisW 2009-12-07 03:38:42

+6 A:

The only way to truly protect your code and ensure that you can charge for it, is to make a subscription-based web application. Barring that, there's several options that might work:

running the app on a server that you control, updating the app so it only runs on that system, and granting them remote desktop access
making the program contact a remote subscription and authorization system that you control (although this could be circumvented by reverse engineering the code)

Side note: dang, I need to find a client that'll pay me $10K a month for a software package! LOL.

Kaleb Brasee 2009-12-07 00:30:00

The application has a high performance GUI component which requires that it be run locally.

2009-12-07 02:14:30

+3 A:

I am going to assume a Windows platform (i.e. not Mono).

You might want to look at generating and installing a certificate on the machine your software is installed on. This means your software can check that the machine is authorised to run your software, and you can also use the certificate to encrypt and decrypt stuff. IOW you could look to encrypt your assemblies, and then decrypt them before dynamically loading them, or you could use encryption/decryption on any data you provide.

This link may be a good start for you to check this out.

slugster 2009-12-07 01:17:19

+7 A:

The best solution is probably a combination of popular tactics in use today:

Lock the application down

…to the MAC address, hard drive serial number, and windows product key of the host operating system (if available). You could hard-code this into the application after gathering it at the site. If the wrong hardware is detected then shut it down. Also, look for items in the registry that suggest the presence of VMware or Virtual PC integration features and refuse to run when found.

Obfuscate

…so it will be more difficult to reverse-engineer as well as remove your licensing. CIL is extremely easy to reverse-engineer so this should be a focus with your application (as described) no matter what else you do. This may take a lot of time to get right, especially if you rely on serialization. If possible, wrap all of your assemblies into one EXE file which is encrypted and has an unmanaged bootstrapper.

Send out a heartbeat

…to an offsite server, with hardware or site specific data. If the software is copied and started on another computer you may get a tip. This also has the potential to alert you if the application goes offline. Additionally, you could configure the application to require a basic encrypted response from your server or shut down.

One final note: don’t go overboard. Presumably, you are being paid $10,000 because of the experience of your application over possible alternatives (whatever those are). As you add in protective measures you increase the number of possible (very annoying) bugs, add maintenance cost, and headaches for your customer. A heavily disruptive licensing scheme could make your client think otherwise.

Robert Venables 2009-12-07 02:38:52

+2 A:

This sounds like a situation where a hardware dongle might be appropriate. Pay somebody to create a hardware dongle (it sounds like you can afford it!) and send one to the customer. Construct your software such that the user has to enter a password to unlock something encrypted on the dongle that your software needs to run.

Authentication is generally based on at least two aspects of the user's situation:

Something you are (biometrics)
Something you have (dongle)
Something you know (password)

If you want to go for all three, combine your hardware dongle with a fingerprint reader.

Greg Hewgill 2009-12-07 03:17:28

That doesn't address the OP's wanting to disable the software if their license expires.

ChrisW 2009-12-07 03:37:29

In that case, embed an expiration date on the dongle (perhaps both a "soft" date that puts the software in annoyware mode, and a "hard" date that turns it off entirely), and send the user a new dongle once every month or whatever. And if *that's* not enough, combine all the above with a "phone home" feature.

Greg Hewgill 2009-12-07 03:47:00

@ChrisW: it can, some dongles (like Aladdin HASP key) do support expiration timers, which can be updated remotely by the vendor.

Mathias 2009-12-07 03:48:19

Doesn't a dongle have exactly the same problem as phone-home, i.e. that the hacker can remove the code which abends the application if there's an unsuccessful license check? And to counter that threat, when the O/S is controlled by the user, the only solution I can think of is obfustication ... or, perhaps, running some crucial part of the application on the supposedly-more-hack-proof dongle itself.

ChrisW 2009-12-07 04:01:42

@ChrisW: exactly, I've heard of applications where some critical calculation was implemented in an FPGA inside the dongle (which made it really fast). "Cracked" copies of the app wouldn't even have the code to perform the correct calculations, so the original authors substituted an inaccurate version of the algorithm if the dongle was missing, which looked like it worked but didn't really.

Greg Hewgill 2009-12-07 04:10:59

Even if you do put an expiration date on the dongle, how would the dongle know what the crrent date is: would the dongle contain its own clock?

ChrisW 2009-12-07 11:47:38

Do you have any recommendations as to how I might find someone to "create a hardware dongle"? Are you suggesting some sort of custom hardware?

2009-12-08 13:34:11

Previously mentioned in the comments above is the Aladdin HASP: http://www.aladdin.com/hasp/default.aspx They've been in the dongle business for a long time and will be worth talking to.

Greg Hewgill 2009-12-08 18:01:59

+1 A:

I have, in the past, used a 'phone home' authentication on application start up, that assures it can only run if your servers give it authentication.

This requires, of course, that you can provide very high availability on your authentication servers, and have a well obfuscated code base, but it works very well.

johnc 2009-12-07 03:41:38

Take a look at the article Developing for Software Protection and Licensing; it explains how to choose a solution, why you should obfuscate your application and gives a number of tips for structuring your code to be harder to crack.

The gist of the article is that you should be thinking of these things right from the start of development, but it's never to late to address them.

The thing to remember is that once your application is running on another machine, there is no 100% guaranteed way to prevent execution. What you can do, if you're careful, is raise the bar sufficiently high that it's easier to purchase your software than to crack it.

Obligatory disclaimer & plug: the company I co-founded produces the OffByZero Cobalt software licensing solution for .NET.

Duncan Bayne 2010-01-05 21:55:04

ansaurus

tags: