Software Tamper-Proofing Deployed 2-year Anniversary Report Macrovision Corporation Patrice Capitant VP Engineering

Post on 14-Dec-2015

Agenda

SafeDisc
The Hacker World
Hacker Tools & Security Risks
SafeDisc Deployment
In The Field
The Lessons
Recommendations
SafeDisc 2.0
Summary

SafeDisc

Copy Protection of PC games on CD.
Applied to more than 51 million units over 20 months
Applied to more than 300 titles
More than 100 SafeDisc replication facilities worldwide

The Hacker World

Super-Hackers (The White Knights)
  – Organized (suppliers, crackers, coders, web hosters)
  – Friendly competition but cooperation on tough problems
Custom Tools
  – Debuggers & add-ons (anti-debugger aids, memory dumps...)
  – Advanced Hex-editors
  – Packers & unpackers (PEcrypt, Procdump,…)

The Hacker World

Hacker’s goals: to beat and humiliate you
  – Generate tamper-proof patches
  – Generate essays on your technology
  – Generate essays on hack techniques

: .:[ #HUMMERS_WareZ ]:.

: .:[ Application Form ]:.

§-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+§WE'RE LOOKING FOR: Suppliers, Web Hosters, Crackers, Coders

Check the position(s) you want to apply for, look for the section & answer the questions.

: []Topsite FTP Courier X1 : X2 : X9 :
: []Web Hoster X1 : X3 : X9 :
: []Site Operator X1 : X4 : X9 :
: []Shell Supplier X1 : X5 : X9 :
: []Supplier X1 : X6 : X9 :
: []Cracker X1 : X7 : X9 :
: []Coder X1 : X8 : X9 :
: []Other X1 : X9 : X9 :
§-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+§

Hackers’ Application Form – Part 1

X1. Information

: Real Name-...............................[ ]

: Nick-....................................[ ]

: E-mail-..................................[ ]

: IP Mask-.................................[ ]

: ICQ Number-..............................[ ]

: Connection speed-........................[ ]

: Years of experience in warez?-...........[ ]

: Have you been or are you in a group right now?[ ]-YES [ ]-NO

: What Groups? What Position?Groups-...............[ ]Position-.............[ ]

Hackers’ Application Form – Part 2

X2. Topsite FTP Courier

: Do you have access to new, 0-min warez?[ ]-YES [ ]-NO

: How many mb can you curry in a week?-......[ MBS ]

: Name the sites you are on?#1-[ ]#2-[ ]#3-[ ]

Hackers’ Application Form – Part 3

X3. Web Host

: Can you host the page 24/7?[]-YES []-NO

: Space Available for the page-..............[ MBS ]

: Any other information? (Domain name, etc)[ ][ ][ ]

Hackers’ Application Form – Part 4

X4. SiteOp

: Connection Speed: (cable users need not apply)[]T1 []T3 []OC+

: Operating System (Check all that apply)[ ]Windows 3.1x/95/98[ ] Any Nix os (Please Specify) [ ][ ]Other(Please Specify) [ ]

: Space Available for the group-..........… [ GIGS ]

: Will your site be dedicated to HUMMERS only?[ ]-YES [ ] –NO

: Will your site be up 24/7? If not,how often?[ ]-YES [ ]-NO Hours up-[ ]

: How many users can your site support at a time?-[ ]

: What is the ip and login info of your site? (look only account)IP: [ ]LOGIN: [ ] PASS: [ ]

Hackers’ Application Form – Part 5

X5. Shell Supplier

: Do you own a shell?[ ]-YES [ ]-NO

: How many 24/7 bots do you have on your shell?-[ ]

Hackers’ Application Form – Part 6

X6. Supplier

: What can you supply?-................[ ]

: How much can u supply in a day/week?-[ ]

: Will you supply on demand?[ ]-YES [ ]-NO

Hackers’ Application Form – Part 7

X7. Cracker

: How long have you been hacking/cracking?-[ ]

: How many applications have you cracked?-[ ]

: How many games have you cracked?-[ ]

: What are the last last three games/apps you've cracked?#1-[ ]#2-[ ]#3-[ ]

: Are you willing to demonstrate your skills to a Senior in HUMMERS?[]-YES []-NO

Hackers’ Application Form – Part 8

X8. Coder

: What do you use to code? (Programs)[ ]

: Do you have examples of your work?

: []-YES []-NO (If yes, please include one with this app)

: How fast can you start and finish a good program for the group?[ ][ ]

Hackers’ Application Form – Part 9

X9. Other

: What other thing can you do that is not listed?[ ][ ][ ][ ][ ][ ]

Hackers’ Application Form – Part 10

X10. Hand-in App

Now rename this yournick.txt and copy and paste, then send it to "[email protected]" with

"HUMMERS APPLICANT" as your subject.

§-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-§ ©1998 [HUMMERS_Warez]

Hackers’ Application Form – Part 11

Hacker Tools & Security Risks

Debuggers
Disassemblers
File Level Attacks
Memory Lifts
Spoofing
Cryptographic Attacks
Procedural

Debuggers

Step through code
Set memory and code breakpoints
Disassemble code
Change operation of code
General experimentation tool
e.g. SoftIce, TRW and Microsoft debuggers

Disassemblers

Can analyse security code in a file on hard drive
Allow authentication and security code to be easily patched and recompiled
Help remove obfuscation code
e.g. idapro

Spoofing

Spy programs used to monitor application calls to system functions
Spoof program intercepts calls and returns data expected for an authentication
e.g. frogsice, spy32

Memory Lifts

Copies decrypted application (or sections) from memory to a file.
Reconstructs the remainder of the application
Can memory lift security code or protected application
e.g. procdump

Cryptographic Attacks

Use of cryptographic techniques to analyse encrypted-protected applications

Use of cryptographic techniques to find decryption keys

Procedural

Leaks from publishers
Release of demo builds
Publishing cracks on the WWW
Publishing cracker tools

SafeDisc Deployment

Successful Pre-release Testing…
  – Software successfully tested by single hackers and corporate entities (Microsoft, Alladin) over 2-month period
…Conclusions:
  – It will take a very long time to crack:
    • There is plenty of time to add security features
  – If a crack occurs, patching the security hole will be sufficient

In The Field

First hack after 6 months.
Three generic hacks over two years, all patched.
All hacks limited to Super-Hackers.
Time to Hack keeps decreasing.

[Chart: Time to Hack (days)]

The Lessons

Super-Hackers can’t spell
Super-Hackers will work together:
  – You are facing large skilled groups not individuals
Hacks are more than one break:
  – Frequently reflect systematic understanding of whole security system

The Lessons

Hacks are more a matter of “when” than “if”
Essays on your security techniques will be published
Patches will be tamper-proofed (just to show you)

The Lessons (cont.)

Security hardness when raised to the level of Super-Hackers
  – Diminishes number of hacks
  – Diminishes distribution sites for patches
  – Deters cautious users from applying patches

Recommendations

Be proactive:
  – New security techniques must be added frequently
  – Expect to develop major changes in security architecture on a regular basis
Be patient:
  – Monitor hackers' techniques & tools
  – Devise multiple techniques before releasing counter-attack
Focus on slowing down hacks:
  – Put as many layers of security as you can in all critical areas
Focus on limiting hack effectiveness:
  – Use polymorphism: Each installation is different
  – Dedicate resources to monitor and close Web sites

SafeDisc 2.0

Enhanced automated wrapping tool
  – Added DLL and data protection
Additional security layers in each critical area
  – Debuggers, disassemblers, spoofing, memory lifts & cryptographic attacks
  – Heavier use of polymorphism
Same program against hackers sites
New SDK for publishers
  – Additional security (level 1-3) for identified functions
Additional media signatures for both data & audio

Summary

SafeDisc hacks limited to a small group of Super-Hackers
Original strategy focused on preventing all hacks
  – Did not put a boundary on time to hack
Second generation tamper-proofing just released
  – Focuses on limiting time to hack

Conclusion