Posted by: rcosic | 25/02/2008

Microsoft Software Licensing and Protection (SLP) Services

What is SLP?
SLP Services represent a collection of applications and services designed with the purpose of protection of intellectual rights against illegal / incorrect usage, through protection of code and licensing system.
In next posts, I will try to explain the purpose and ways of usage of SLP services, differences between already existing solutions and advantages of SLP technology.

Image Hosted by ImageShack.us

You can find all that in more detail at:
Microsoft SLP Services

The most important facts about SLP services:
Code protection – although we can help to protect our code by using obfuscation, encription and code splittng, SLP code protection brings us a new perspective on this and solves the deficiencies of earlier approaches.
Packaging and licensing – SLP services brings us different possibilities of feature-level control and creating different models of licensing of our solutions – in which purpose different tools had to be used.
Lifecycle of licensing was introduced – ajdusted tools which are used during the different project phases of development and deployment, personalized to every user.

So, let’s begin…

PROTECTION OF CODE

What’s been before the SLP services?

1. Obfuscation of code
Most of the obfuscation tools make renaming of titles of classes, methods, parameters and variables in some meaningless text. Also, obfuscation tools change the program flow in manner that it comes to the same result but it is harder to decipher..Obfuscation of code can slow down a little bit an attacker to break the code, but it doesn’t permit decompiling and reverse engineering of code. It just make reading of program code harder. Also, it is possible that bugs occur when changing the names of objects and changing the program flow.

2. Code encryption
Some attempts to protect the code crypt the code by a certain encryption algorithm and decrypt it back again during its execution. The problem in that case is the delivery and keeping the key secret. Moreover, the moment of decryption leaves the possibility for the hackers to break into the system and hack the code.

3. Code splitting

Code splitting is also a method of protection program code, and it works in such a way to split the code into two halves. Less sensitive part is been delivered as before, and more sensitive part is been delivered on a special peace of hardware made for that purpose – mostly smart card or security key. Thus the most secure approach, but you may guess, it has multiple disadvantages – high costs, clumsy handling with special equipment, parts, and so on.

SLP approach of protection of code

The general strategy of the SLP services is to take the source code and transform it in such way that its logic is encrypted and obfuscated, and to finally avoid its direct execution by CLR. So, all that good stuff inside the previous strategies is combined to produce one solid solution.
For code transformation a special tool is used named SLP Code Protector which transforms compiled MSIL code into so-called Secure Virtual Machine Language (SVML) which cannot longer be executed via CLR directly or discovered through the recompilers.
Each version of SVML is different and, as such, demands unique protection virtual engine (SVM). Even it goes so far that each application from the same provider can have different permutation.

Image Hosted by ImageShack.us

After building the app, already mentioned SLP Code Protector should be used to identify which methods would be masked. Because it is relatively ‘costly’ operation, there should be picked only the necessary methods, i.e., those containing confidential information (for example, connecting to a database, storing and entering a password, etc).

private static OleDbConnection GetDBConnection()
{
if (_dbConnection == null )
{
string connectionString= “Provider=Microsoft.Jet.OLEDB.4.0;”
+ “DataSource=Access.mdb;”
+ “Password=somepassword”;
_dbConnection = newOleDbConnection(connectionString);
_dbConnection.Open();
}
return _dbConnection;
}

After the protection process, when you look up the code, let’s say inside .NET Reflector, code looks as the following:

private static OleDbConnection GetDBConnection()
{
object[] args = new object[0];
object obj2 = SLMRuntime.ExecMethod( null, “DS9FvZGluZyAvV2luQW5zaUVuY29kaW5A0vQmXZ“, args );
return (OLEDBConnection) obj2;
}

That’ all for now…

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: