Types of Attack and Their Sentinel LDK Defense

It is important to “know your enemy.” When you are well informed about the types of attacks that a software cracker may make, you will be best able to devise and implement strategies that limit or prevent their success.

This section describes the elements of some of the more common attacks that software crackers use, and refers you to specific Sentinel LDK strategies that you can implement to counter such attacks.

Patching Executables and DLLs

A software cracker disassembles and/or debugs EXE or DLL files to find protected code. The actual file is then patched in order to modify run-time flow, or to remove calls in the code.

Commonly, the software cracker sends a small, standalone patch executable that the end user runs in order to patch your software.

Sentinel LDK Solution

The greater the number of protected files, the longer it takes a software cracker to remove protection. You can protect multiple executable and DLL files using Sentinel LDK Envelope. You can also use the Data Protection facility to encrypt and protect data files that are accessed by protected applications.

Modifying Key Memory

Licensing data is normally stored in the memory of a software protection key. A software cracker attempts to access the Protection Key memory in order to modify the licensing terms. For example, a depleted execution-based license might be changed to a perpetual license, or a feature that has not been paid for might be enabled.

Sentinel LDK Solution

In the context of Sentinel LDK, read-only memory (ROM) is a segment of the memory that can contain data that the protected application can access, but cannot overwrite. Sentinel protection keys contain two ROM segments, one of which contains Sentinel LDK Feature-based licenses. The second segment provides an area in which vendor-customized data can be stored. These segments can only be updated using remote updates.

Sentinel LDK automatic Feature-based licenses utilize read-only memory of Sentinel protection keys. The different types of available licenses are sufficient for almost any licensing model.

You can customize your own licenses and still use a ROM segment in a Sentinel protection key’s memory. Note, however, that licenses that have been customized must remain static (for example, such licenses cannot include a decremented number of executions).

For additional information about licensing models, see Licensing Business Models.

Emulating Protection Keys

To emulate the software of a protection key manufacturer, a software cracker creates an application that replays previously recorded calls, as if an actual protection key is returning the calls.

Limited functionality emulators only record and replay calls. Full-functionality emulators also emulate the key, including its encryption. A software cracker requires access to the encryption key to create a full-functionality emulator.

There are several places in which emulators can reside. Primarily, they are an attempt to replace the driver.

Sentinel LDK Solution

Sentinel LDK provides a secure channel between an application and the Sentinel HL key. Data that passes between the protected application and the key is encrypted. Taking advantage of the secure channel functionality between your application and a Sentinel HL key provides you with the strongest possible protection.

A different encryption key is used in every session. This means that someone recording data passing through the secure channel cannot replay the data, since the encryption key used to encrypt the data will differ from that used to decrypt the data.

Using Remote Desktops and Remote Desktop Solutions

When using the remote desktops of some operating systems, it might be possible for an end user with a standalone protection key to enable software on multiple remote desktops simultaneously.

Sentinel LDK Solution

The Sentinel LDK protection includes mechanisms to determine if a protected application is running on a remote desktop. If such a situation is detected, and a Feature in the license is not specifically enabled for remote desktops, the program will not function.

Cloning Hardware Keys

The software cracker reverse-engineers a hardware protection key, then creates duplicates. Such an attack is extremely costly to the cracker, both in terms of the reverse engineering tools and the expertise required. It is also costly in terms of ongoing production of hardware keys.

Sentinel LDK Solution

Sentinel HL keys are each unique and have their own ID. Keys that are in the same Batch Code and behave identically are each uniquely encrypted, the key’s customized controller and memory forming a unique locked pair. This means that if the memory of one Sentinel HL key is copied to another Sentinel HL key, the second key will not function.

Clock Tampering

Clock tampering relates to either the system clock of the machine on which the protected software is running, or to a real-time clock contained in keys. The software cracker resets the time to enable extended, unlicensed use of the software.

Sentinel LDK Solution

When implementing time-based licenses for your software, use one of the following keys:

- Sentinel HL Time or Sentinel HL NetTime keys. These keys provide a real-time clock.

- Sentinel HL (Driverless configuration) key. This key provides a virtual clock (V-Clock). For more information, see How Sentinel LDK Protects Time-based Licenses With V-Clock.

Neither the clock itself nor the license, which is stored in read-only memory, can be modified.

Additional Sentinel LDK-specific Strategies

This section describes additional general protection strategies that are available to users of Sentinel LDK.

Use Both the Sentinel Licensing API and Sentinel LDK Envelope

Maximize security by using the Sentinel Licensing API to implement calls to a Sentinel protection key, and protect the application with Sentinel LDK Envelope. Using one protection method does not preclude the use of the other.

Insert Multiple Calls in your Code

Insert many calls to the Sentinel protection key throughout the code to check for the presence of the key, and bind data from the key to the software functionality. Doing so frustrates those attempting to crack your software. Multiple calls increase the difficulty of tracing a protection scheme.

You can also add obstacles to a potential software cracker’s progress by encrypting data that has no bearing on the application. Similarly, you can divert attention by generating “noise” through random number generators, time values, intermediate results of calculations, and other mechanisms that do not lead to meaningful results or actions.

Encrypt/Decrypt Data with a Sentinel protection key

Encryption and decryption processes are performed inside a Sentinel protection key, well beyond the reach of any debugging utility.

Encrypting data with the Sentinel LDK AES-based encryption engine considerably enhances software security. When data used by your application is encrypted, the decryption process depends on both the presence of a Sentinel protection key and its internal intelligence.

By implementing a Sentinel Licensing API scheme in which data is decrypted by a Sentinel protection key, the association between the protected application and the Sentinel protection key cannot easily be removed. To crack the software, the software cracker must also decrypt the data.

Use a Checksum to Verify Integrity of Executable Files

Compare the checksum value of the executable file with a checksum stored in Sentinel protection key memory. If the two values are not equal, you can assume that someone has attempted to modify the files. Repeat this check in various places in the code, varying it in each place to make it more difficult for a software cracker to detect.

NOTE: This strategy is not necessary if you protect your application with Sentinel LDK Envelope. Envelope implements its own integrity checks and uses code encryption to prevent modification of the protected application.
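
The checksum comparison described under "Use a Checksum to Verify Integrity of Executable Files", as an added example in C that is not part of the Sentinel LDK documentation or API: it computes a CRC-32 over a file in chunks and compares it with a reference value. The `read_ref_fn` callback is a hypothetical stand-in for reading the reference from protection key memory; `image_intact`, `stub_key_read`, `demo` and the sample file are constructed for illustration.

```c
/* Added example, not Sentinel LDK code. read_ref_fn is a hypothetical stand-in
   for the call that reads the reference checksum from protection key memory. */
#include <stdint.h>
#include <stdio.h>

typedef int (*read_ref_fn)(uint32_t *ref);          /* returns 0 on success */

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320); chainable across chunks. */
static uint32_t crc32_update(uint32_t crc, const unsigned char *p, size_t n) {
    crc = ~crc;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* 1 = intact, 0 = modified, -1 = check could not run (treat as a failure). */
int image_intact(const char *path, read_ref_fn read_ref) {
    unsigned char buf[4096];
    uint32_t actual = 0, ref;
    size_t n;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        actual = crc32_update(actual, buf, n);
    int io_error = ferror(f);
    fclose(f);
    if (io_error || read_ref(&ref) != 0) return -1;
    return actual == ref;
}

/* Constructed sample data: a stub "key" holding the CRC-32 of "123456789",
   and a helper that writes a sample image, checks it, then deletes it. */
static int stub_key_read(uint32_t *ref) { *ref = 0xCBF43926u; return 0; }
int demo(const char *contents) {
    const char *path = "sample_image.bin";
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(contents, f);
    if (fclose(f) != 0) return -1;
    int result = image_intact(path, stub_key_read);
    remove(path);
    return result;
}

int main(void) {
    printf("original: %d, patched: %d\n", demo("123456789"), demo("123456780"));
    return 0;
}
```

CRC-32 keeps the example short; a cryptographic hash such as SHA-256 is the stronger choice for this check, because a CRC can be forced to match after a modification.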