Protect commercial SW-based service?

Started by Rune Allnor June 24, 2009
Hi folks.

Suppose you have developed an SW-based service that

1) Reduces processing time by >99%
2) Reduces manual interactions ( = personnel salaries,
    training and accommodations costs) by >99%
3) Reduces error rates and product flaws by >99%

compared to present standard procedures. The commercial
idea is to

a) Lease a dedicated computer+SW to customers.
b) Have the computer + SW do its thing as a LAN-based
    'black box'. Clients send data in and receive end results
    by LAN protocol.
c) Have the clients subscribe to the service, paying annual
    fees, or the computer disables its LAN-based service.

How would you go about protecting the integrity of the
computer + SW?  If the computer is compromised and
the SW hacked, the commercial basis for the service
is gone.

Rune
On Jun 24, 8:33 am, Rune Allnor wrote:
> Hi folks.
>
> Suppose you have developed an SW-based service that
>
> 1) Reduces processing time by >99%
> 2) Reduces manual interactions ( = personnel salaries,
>     training and accommodations costs) by >99%
> 3) Reduces error rates and product flaws by >99%
>
> compared to present standard procedures. The commercial
> idea is to
>
> a) Lease a dedicated computer+SW to customers.
> b) Have the computer + SW do its thing as a LAN-based
>     'black box'. Clients send data in and receive end results
>     by LAN protocol.
> c) Have the clients subscribe to the service, paying annual
>     fees, or the computer disables its LAN-based service.
>
> How would you go about protecting the integrity of the
> computer + SW?  If the computer is compromised and
> the SW hacked, the commercial basis for the service
> is gone.
>
> Rune
Option (c) would probably be most robust to reverse-engineering of your software. Would this software be used in a context where users would have Internet or other network access to a server under your control? You could perform the actual processing (which I'm assuming is the sensitive part of the system) on hardware that is entirely under your control, then use a subscription-based usage model. This requires you to maintain hardware, manage processing capacity to accommodate your user load, etc., but it probably exposes the least information that could be compromised. In my experience, anything that can be broken/reverse-engineered (i.e. software copy protection, etc.) will be, if there is enough of an incentive (money) out there to do so. Jason
Rune Allnor wrote:
> Hi folks.
>
> Suppose you have developed an SW-based service that
>
> 1) Reduces processing time by >99%
> 2) Reduces manual interactions ( = personnel salaries,
>     training and accommodations costs) by >99%
> 3) Reduces error rates and product flaws by >99%
>
> compared to present standard procedures. The commercial
> idea is to
>
> a) Lease a dedicated computer+SW to customers.
> b) Have the computer + SW do its thing as a LAN-based
>     'black box'. Clients send data in and receive end results
>     by LAN protocol.
> c) Have the clients subscribe to the service, paying annual
>     fees, or the computer disables its LAN-based service.
>
> How would you go about protecting the integrity of the
> computer + SW?  If the computer is compromised and
> the SW hacked, the commercial basis for the service
> is gone.
Prevent the customer from having physical access to the computer. (Put it inside a safe. The contract awards you adequate compensation for the loss of future income if the safe is breached.) Allow only data into and results out of the computer via a communication link that doesn't support program updates.

There is concern nowadays that terrorists of foreign powers could interrupt a nation's power grid by hacking into control centers via the internet. I think it's criminal that the same network that comes into my home is connected to such places. If they are networked at all, it should be on separate wires.

Jerry
--
Engineering is the art of making what you want from things you can get.
On 24 Jun, 18:58, Jason wrote:
> On Jun 24, 8:33 am, Rune Allnor wrote:
> > Hi folks.
> >
> > Suppose you have developed an SW-based service that
> >
> > 1) Reduces processing time by >99%
> > 2) Reduces manual interactions ( = personnel salaries,
> >     training and accommodations costs) by >99%
> > 3) Reduces error rates and product flaws by >99%
> >
> > compared to present standard procedures. The commercial
> > idea is to
> >
> > a) Lease a dedicated computer+SW to customers.
> > b) Have the computer + SW do its thing as a LAN-based
> >     'black box'. Clients send data in and receive end results
> >     by LAN protocol.
> > c) Have the clients subscribe to the service, paying annual
> >     fees, or the computer disables its LAN-based service.
> >
> > How would you go about protecting the integrity of the
> > computer + SW?  If the computer is compromised and
> > the SW hacked, the commercial basis for the service
> > is gone.
> >
> > Rune
>
> Option (c) would probably be most robust to reverse-engineering of
> your software. Would this software be used in a context where users
> would have Internet or other network access to a server under your
> control? You could perform the actual processing (which I'm assuming
> is the sensitive part of the system) on hardware that is entirely
> under your control, then use a subscription-based usage model.
The problem is that I need to have the HW at the user's site. What I have in mind will be used offshore, on survey vessels, and there is just not enough bandwidth off the vessels to communicate data back and forth. Typical transfer rates are 12 - 24 hours per GByte. So the question is if it is possible to come up with some sort of tamper-resistant HW, where the SW is well protected from network access, and any attempt to physically break the thing open will leave visible traces. Rune
On 24 Jun, 19:09, Jerry Avins wrote:
> Rune Allnor wrote:
> > Hi folks.
> >
> > Suppose you have developed an SW-based service that
> >
> > 1) Reduces processing time by >99%
> > 2) Reduces manual interactions ( = personnel salaries,
> >     training and accommodations costs) by >99%
> > 3) Reduces error rates and product flaws by >99%
> >
> > compared to present standard procedures. The commercial
> > idea is to
> >
> > a) Lease a dedicated computer+SW to customers.
> > b) Have the computer + SW do its thing as a LAN-based
> >     'black box'. Clients send data in and receive end results
> >     by LAN protocol.
> > c) Have the clients subscribe to the service, paying annual
> >     fees, or the computer disables its LAN-based service.
> >
> > How would you go about protecting the integrity of the
> > computer + SW?  If the computer is compromised and
> > the SW hacked, the commercial basis for the service
> > is gone.
>
> Prevent the customer from having physical access to the computer. (Put
> it inside a safe. The contract awards you adequate compensation for the
> loss of future income if the safe is breached.) Allow only data into and
> results out of the computer via a communication link that doesn't
> support program updates.
That's the general idea, yes. I'm wondering if there are solutions available for these kinds of things or if I have to design them from scratch.
> There is concern nowadays that terrorists of foreign powers could
> interrupt a nation's power grid by hacking into control centers via the
> internet. I think it's criminal that the same network that comes into my
> home is connected to such places. If they are networked at all, it
> should be on separate wires.
I've seen places where the internal power grid was galvanically separated from the outside grid: Power from the outside grid ran an electric motor, which turned a generator, which at last powered the safe power grid. All of it to protect sensitive computers. Rune
On Wed, 24 Jun 2009 05:33:58 -0700, Rune Allnor wrote:

> Hi folks.
>
> Suppose you have developed an SW-based service that
>
> 1) Reduces processing time by >99%
> 2) Reduces manual interactions ( = personnel salaries,
>     training and accommodations costs) by >99%
> 3) Reduces error rates and product flaws by >99%
>
> compared to present standard procedures. The commercial
> idea is to
>
> a) Lease a dedicated computer+SW to customers.
> b) Have the computer + SW do its thing as a LAN-based
>     'black box'. Clients send data in and receive end results
>     by LAN protocol.
> c) Have the clients subscribe to the service, paying annual
>     fees, or the computer disables its LAN-based service.
>
> How would you go about protecting the integrity of the
> computer + SW?  If the computer is compromised and
> the SW hacked, the commercial basis for the service
> is gone.
>
> Rune
You could protect it with a USB dongle that must be present for the SW to run, like e.g. http://wibu.de/start.php?lang=en

Personally, I have to say that I don't like dongles. They tend to break, get lost and are a nuisance to legitimate users, whereas illegitimate users will crack your SW and do without. Then there are also the cases where HW becomes obsolete (like parallel port dongles) and legitimate users are out in the rain, because newer HW precludes the use of the SW.

But I see the point that a small company wants to protect its business by protecting its SW.

HTH
Martin
Rune Allnor  wrote:
 
> I've seen places where the internal power grid was galvanically
> separated from the outside grid: Power from the outside grid
> ran an electric motor, which turned a generator, which at last
> powered the safe power grid. All of it to protect sensitive
> computers.
That was usual for, at least, the large IBM S/360 systems, and I believe also S/370. A great surge protection system. -- glen
Rune Allnor  wrote:
 
< a) Lease a dedicated computer+SW to customers.
< b) Have the computer + SW do its thing as a LAN-based
<    'black box'. Clients send data in and recieve end results
<    by LAN protocol.
< c) Have the clients subscribe to the service, paying annual
<    fees, or the computer disables its LAN-based service.

This is pretty much the model used by Pay-TV systems, though
sometimes not quite successfully.

Also, the cryptographic processors on ATMs and other
remote financial systems.

One system that I know of uses battery backed RAM in a
tamperproof container, such that opening it disconnects
the battery and the RAM loses its contents.  

The usual tradeoff is between cost of the protection system
and cost of that being protected.  (Don't buy expensive
door locks and leave the windows open.)  

It is also the model for "smart cards", which might, for
example, hold the remaining value of the card.  It is
much more difficult to protect against someone with millions
of dollars to spend breaking the card, including using acid
to get through the plastic and probing the silicon with the
system running.  

-- glen 

Rune Allnor wrote:

> Hi folks.
>
> Suppose you have developed an SW-based service that
>
> 1) Reduces processing time by >99%
> 2) Reduces manual interactions ( = personnel salaries,
>     training and accommodations costs) by >99%
> 3) Reduces error rates and product flaws by >99%
:))))) Innovative diet snake oil with 99% less fat.
> compared to present standard procedures. The commercial
> idea is to
>
> a) Lease a dedicated computer+SW to customers.
> b) Have the computer + SW do its thing as a LAN-based
>     'black box'. Clients send data in and receive end results
>     by LAN protocol.
> c) Have the clients subscribe to the service, paying annual
>     fees, or the computer disables its LAN-based service.
>
> How would you go about protecting the integrity of the
> computer + SW?  If the computer is compromised and
> the SW hacked, the commercial basis for the service
> is gone.
The only way is that you position yourself as some kind of authority which certifies the data. Unless you approve the transaction, the data should not be accepted as valid.

Vladimir Vassilevsky
DSP and Mixed Signal Design Consultant
http://www.abvolt.com
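Rune's point (c) and Vladimir's suggestion above are two sides of one key arrangement: the box only does work while it holds a vendor-signed, dated licence, and everything it emits is signed with a device key the vendor has certified, so a result is only "valid" if it verifiably came from a genuine, paid-up box. The Go program below is an added example written for this page, not code from anyone in the thread. It assumes Ed25519 from Go's standard library, the message layouts shown (the `licence-v1:` and `result-v1:` prefixes are my own choice), and a stand-in for the proprietary computation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Licence binds one appliance's public key to an expiry date and is signed
// by the vendor's root key, which never leaves the vendor's office.
// The byte layout is an assumption made for this example.
type Licence struct {
	DevicePub ed25519.PublicKey
	Expires   time.Time
	Sig       []byte
}

// licenceBytes is the exact message the vendor signs and the box checks.
func licenceBytes(devPub ed25519.PublicKey, expires time.Time) []byte {
	msg := make([]byte, ed25519.PublicKeySize+8)
	copy(msg, devPub)
	binary.BigEndian.PutUint64(msg[ed25519.PublicKeySize:], uint64(expires.Unix()))
	return append([]byte("licence-v1:"), msg...)
}

// resultBytes ties a result to the exact input it came from. The distinct
// prefix and the explicit length mean a result signature can never be
// replayed as a licence, nor one (input, result) pair re-split as another.
func resultBytes(input, result []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(input)))
	msg := append([]byte("result-v1:"), n[:]...)
	msg = append(msg, input...)
	return append(msg, result...)
}

// IssueLicence runs at the vendor when the annual fee has been paid.
func IssueLicence(vendorPriv ed25519.PrivateKey, devPub ed25519.PublicKey, expires time.Time) Licence {
	return Licence{DevicePub: devPub, Expires: expires,
		Sig: ed25519.Sign(vendorPriv, licenceBytes(devPub, expires))}
}

// Appliance is the leased box. Its private key would live in
// tamper-responsive memory; here it is an ordinary field.
type Appliance struct {
	VendorPub ed25519.PublicKey // burned in at manufacture
	priv      ed25519.PrivateKey
	licence   Licence
}

var ErrNoService = errors.New("licence missing, expired or not for this device: LAN service disabled")

// Install accepts a licence only if the vendor signed it for this very box.
func (a *Appliance) Install(l Licence) error {
	if !l.DevicePub.Equal(a.priv.Public().(ed25519.PublicKey)) ||
		!ed25519.Verify(a.VendorPub, licenceBytes(l.DevicePub, l.Expires), l.Sig) {
		return ErrNoService
	}
	a.licence = l
	return nil
}

func (a *Appliance) licensed(now time.Time) bool {
	l := a.licence
	return len(l.DevicePub) == ed25519.PublicKeySize &&
		now.Before(l.Expires) &&
		ed25519.Verify(a.VendorPub, licenceBytes(l.DevicePub, l.Expires), l.Sig)
}

// Process is the LAN entry point. It refuses work once the licence has
// expired and otherwise returns the result with a signature the client can
// check, so only output from a genuine box counts as certified data.
func (a *Appliance) Process(now time.Time, input []byte) (result, sig []byte, err error) {
	if !a.licensed(now) {
		return nil, nil, ErrNoService
	}
	result = proprietaryStep(input)
	return result, ed25519.Sign(a.priv, resultBytes(input, result)), nil
}

// proprietaryStep stands in for the real processing (a constructed
// placeholder; a running checksum keeps the example self-contained).
func proprietaryStep(input []byte) []byte {
	var acc uint32
	for _, b := range input {
		acc = acc*31 + uint32(b)
	}
	var out [4]byte
	binary.BigEndian.PutUint32(out[:], acc)
	return out[:]
}

// VerifyResult is what a client or auditor runs with only the vendor's
// public key: the licence proves the device key is vendor-certified, the
// result signature proves this result came from that device for this input.
func VerifyResult(vendorPub ed25519.PublicKey, l Licence, input, result, sig []byte) bool {
	return len(l.DevicePub) == ed25519.PublicKeySize &&
		ed25519.Verify(vendorPub, licenceBytes(l.DevicePub, l.Expires), l.Sig) &&
		ed25519.Verify(l.DevicePub, resultBytes(input, result), sig)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	box := &Appliance{VendorPub: vendorPub, priv: devPriv}
	expires := time.Date(2010, 6, 24, 0, 0, 0, 0, time.UTC)
	if err := box.Install(IssueLicence(vendorPriv, devPub, expires)); err != nil {
		panic(err)
	}
	input := []byte("constructed survey line 17") // constructed sample input
	res, sig, err := box.Process(expires.Add(-24*time.Hour), input)
	fmt.Println("in term:", err, VerifyResult(vendorPub, box.licence, input, res, sig))
	_, _, err = box.Process(expires, input)
	fmt.Println("after expiry:", err)
}
```

The vendor root private key never goes on the box; only its public half is burned in, so opening one box yields at most that box's device key, never the ability to license others. Two caveats the thread itself raises: the expiry check is only as good as the clock the box trusts (Vladimir's self-discharging battery is one way to get a "clock" the customer cannot wind back), and the device private key has to sit in the tamper-responsive memory discussed elsewhere in the thread, otherwise the scheme reduces to Jason's observation that anything reverse-engineerable will be.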
Rune Allnor  wrote:
(big snip)
 
< How would you go about protecting the integrity of the
< computer + SW?  If the computer is compromised and
< the SW hacked, the commercial basis for the service
< is gone.

Google for cautionary "tamper resistance".  It is a little
old by now, but most of the ideas should still apply.

-- glen

Rune Allnor wrote:

Rune,

The standard way is getting a patent and licensing it to some fat company.

> There are a couple of added benefits,
> from the SW's owner's point of view, compared to 'pure'
> software:
So the business is about selling the custom made hardware "accelerator"; something that they can't just buy off the shelf. That might work for some time.

BTW, a long while ago I tried to protect the software by doing not very obvious calculations essential for the program operation in the external 8051. There was also some obfuscation. It was hacked off not within a year. Hacked conceptually; not by reading the protected chip. Funny thing, I met the hacker in person many years after; here in US.

One more trick: keeping a part of the code in a battery powered RAM. If they connect a JTAG or something, it is likely to corrupt the code. Also, you can size the battery so it will discharge by itself within a year; so the customer will have to go to you for the "service renewal".
> - A cracker needs access to a physical device
> - A cracker must leave physical traces of his actions
What prevents your competition from doing the same functional thing as yours from scratch? If they know the working concept, implementing the same thing shouldn't be a very big problem.
> Which means that the owner has a totally different way
> to keep track of the integrity of the SW: Only a limited
> set of people have access to the physical device. The
> lease means that the physical devices are replaced by
> the owner every now and then, and penalty clauses are
> activated if traces of tampering can be found on the
> devices.
>
> Sure, it's not perfect, but there are enough practical
> limitations to the procedure that arbitrary users are
> put off.
Non-technical problems can't be helped by any technical means.

Vladimir Vassilevsky
DSP and Mixed Signal Design Consultant
http://www.abvolt.com
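glen's battery-backed RAM in a tamper-proof container and Vladimir's battery-powered RAM holding part of the code both rest on one property: if the only copy of a secret lives in volatile memory and the tamper circuit clears it, whatever survives in non-volatile storage is worthless on its own. The Go program below is an added example for this page, not code from anyone in the thread. It models that arrangement in software: the "code" sits in simulated flash encrypted under an AES-GCM key that exists only in the simulated battery-backed RAM. The type and function names, the flash layout and the `appliance-code-v1` label are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealedStore models a box whose proprietary code sits in ordinary
// non-volatile storage, encrypted under a key that exists only in
// battery-backed RAM. Names and layout are assumptions for this example.
type SealedStore struct {
	volatileKey []byte // the only copy of the key; cleared by the tamper circuit
	flash       []byte // nonce || AES-GCM ciphertext; survives power loss
	tamperCount int
}

const flashLabel = "appliance-code-v1" // authenticated, not encrypted

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewSealedStore is the factory step: generate the key, seal the code.
func NewSealedStore(code []byte) (*SealedStore, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext to the nonce, giving the flash layout above.
	flash := gcm.Seal(nonce, nonce, code, []byte(flashLabel))
	return &SealedStore{volatileKey: key, flash: flash}, nil
}

var ErrSealed = errors.New("code unrecoverable: RAM no longer holds the key the flash was sealed under")

// Unseal is what the box does at boot: decrypt the code with whatever is in
// battery-backed RAM. After a tamper event that is all zeros, and GCM's
// authentication tag rejects the attempt instead of yielding garbage.
func (s *SealedStore) Unseal() ([]byte, error) {
	gcm, err := gcmFor(s.volatileKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(s.flash) < n {
		return nil, ErrSealed
	}
	code, err := gcm.Open(nil, s.flash[:n], s.flash[n:], []byte(flashLabel))
	if err != nil {
		return nil, ErrSealed
	}
	return code, nil
}

// Tamper is what the lid or pressure switch triggers: overwrite the key in
// place. Nothing else on the board changes, which is the point: the flash
// image the attacker can now dump is ciphertext with no key anywhere.
func (s *SealedStore) Tamper() {
	for i := range s.volatileKey {
		s.volatileKey[i] = 0
	}
	s.tamperCount++
}

// TamperCount is what the vendor reads when a leased box comes back.
func (s *SealedStore) TamperCount() int { return s.tamperCount }

// FlashImage is what someone with a chip reader gets.
func (s *SealedStore) FlashImage() []byte { return append([]byte(nil), s.flash...) }

func main() {
	// Constructed stand-in for the proprietary code.
	s, err := NewSealedStore([]byte("constructed stand-in for the proprietary code"))
	if err != nil {
		panic(err)
	}
	code, err := s.Unseal()
	fmt.Printf("before tamper: %q %v\n", code, err)
	s.Tamper()
	code, err = s.Unseal()
	fmt.Printf("after tamper:  %q %v\n", code, err)
}
```

The useful detail is that after `Tamper()` the box does not merely refuse by a flag: decryption is attempted with the zeroed key and GCM's authentication tag rejects it, so a dumped flash image is just ciphertext. In real hardware the clearing is done by the tamper circuit removing battery power rather than by software, which is what makes it hold against someone who has already defeated everything the software does.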
On 27 Jun, 20:11, Eric Jacobsen wrote:

> > I like the idea somebody came up with, about using FPGAs for
> > key computations. Are FPGAs available as standard-format PC
> > cards? I never remember the acronym - PCIB or something like that.
> >
> > Rune
>
> FPGAs can be reverse-engineered, too, so all you've done is raise the
> bar a bit.   That's good, since every bit helps, but it's still not
> going to be completely secure, just harder to crack.
Not just harder. There are a couple of added benefits,
from the SW's owner's point of view, compared to 'pure'
software:

- A cracker needs access to a physical device
- A cracker must leave physical traces of his actions

Which means that the owner has a totally different way
to keep track of the integrity of the SW: Only a limited
set of people have access to the physical device. The
lease means that the physical devices are replaced by
the owner every now and then, and penalty clauses are
activated if traces of tampering can be found on the
devices.

Sure, it's not perfect, but there are enough practical
limitations to the procedure that arbitrary users are
put off.

Rune
Eric Jacobsen  wrote:
(snip)
 
< FPGAs can be reverse-engineered, too, so all you've done is raise the 
< bar a bit.   That's good, since every bit helps, but it's still not 
< going to be completely secure, just harder to crack.

They can be, but it should be somewhat harder than other solutions.
Well, you need one with encrypted configuration stream.  I believe
that a key is built into the chip, such that the configuration
data is individually encrypted.  I don't know how well the 
key is protected against probing the silicon, though.

Even when you have the unencrypted bit stream, converting back
to a logic diagram is pretty difficult.

< And there are ways of "securing" FPGAs, too, it's all just how much pain 
< do you want to deal with to raise the pain level of somebody trying to 
< crack your system.  I don't know that adding an FPGA, with associated 
< security, is any better than the usual means of securing software.  

Well, it would help to put part of the actual algorithm into the
FPGA, not just use it as a new form of dongle.  Though the usual
reason for FPGA implementations of algorithms is speed, security
could be another.

< Are you worried about somebody disassembling and reverse engineering 
< compiled code?   I'd think that'd be pretty tough these days.

In general, yes.  But there is little protection against just
cloning the device.  Also, disassembling just to find the
details of the algorithm may be somewhat easier than complete
reverse engineering.  (Assuming one is going for trade secret
and not patent protection.)  

One could, for example, run the software on an emulation system
and find where it spends most of its time.  That would make
it easier to find the important parts to disassemble.
(Not that I have done that, but it makes some sense.)

-- glen

On 6/26/2009 3:14 PM, Rune Allnor wrote:
> On 27 Jun, 00:07, Jerry Avins wrote:
>> mblume wrote:
>>> On Fri, 26 Jun 2009 10:30:17 -0400, Jerry Avins wrote:
>>>>>> [dongles to protect SW]
>>>> I was an inconvenienced legitimate customer. The dongle broke, and they
>>>> wouldn't sell me a replacement, even with a trade-in. "Against policy."
>>> That's the problem with dongles. Ultimately honest customers are p***d off
>>> and come close to an undesirable encounter with lawyers.
>>> Nevertheless, Rune's problem remains: He, a small company, probably the
>>> only guy in the shop (garage?) against a big company with a lot of vessels
>>> (and probably more lawyers). They buy one copy, install it on 17 vessels.
>>> How to prevent that?
>> Put it into a pressurized box (without revealing any details) and have
>> the program in volatile RAM that gets powered down if the pressure
>> drops. Make it clear that replacement is at the option of the supplier.
>> If, in the opinion of the supplier, the failure seems due to tampering,
>> the lease is terminated.
>
> I like the idea somebody came up with, about using FPGAs for
> key computations. Are FPGAs available as standard-format PC
> cards? I never remember the acronym - PCIB or something like that.
>
> Rune
FPGAs can be reverse-engineered, too, so all you've done is raise the bar a bit. That's good, since every bit helps, but it's still not going to be completely secure, just harder to crack.

And there are ways of "securing" FPGAs, too, it's all just how much pain do you want to deal with to raise the pain level of somebody trying to crack your system. I don't know that adding an FPGA, with associated security, is any better than the usual means of securing software.

Are you worried about somebody disassembling and reverse engineering compiled code? I'd think that'd be pretty tough these days.

I think the whole lease-maintenance-upgrades agreement thing is a good way to do it. You keep the customer by providing support, maintenance, and upgrade service as part of the contract, and you price that appropriately so that it's more in their interest to pay you than it is to try to reverse engineer it and do something themselves. If the relationship is good they'll also be motivated to help protect your IP as being yours.
Rune Allnor  wrote:
 
> I like the idea somebody came up with, about using FPGAs for
> key computations. Are FPGAs available as standard-format PC
> cards? I never remember the acronym - PCIB or something like that.
Not from the factory, but there are people who build and sell them in a variety of PC form factors. I have seen them in PCMCIA cards, and also ones that fit into an Opteron socket on a multi-way Opteron box. I presume also PCI and such. -- glen
Jerry Avins  wrote:
 
> Put it into a pressurized box (without revealing any details) and have
> the program in volatile RAM that gets powered down if the pressure
> drops. Make it clear that replacement is at the option of the supplier.
> If, in the opinion of the supplier, the failure seems due to tampering,
> the lease is terminated.
User destroys the first one, but finds the pressure switch. Determines the activation pressure of the switch. Assuming he can't buy another one, arranges with a friend such that the friend buys one. Put the box in a pressurized room and open it. Make sure the room pressure is sufficiently high compared to the tolerance on the pressure switch.

Countermeasure: Put in both low and high pressure switches, and erase RAM if the pressure is too high or low. Use different pressure levels for different boxes.

Counter-countermeasure: Assume that the box volume is sufficiently large, arrange a small volume box sealed on the outside with a differential pressure meter and the ability to drill a small hole. Once the hole is through, the pressure will equalize, but the additional volume is small enough not to trigger the switch. Raise the room pressure until the differential pressure meter says zero. Open the box.

Does anyone remember James Bond's car "theft protection" system in the movie "Live and Let Die"?

-- glen
Fred Marshall wrote:
> Jerry Avins wrote:
>> mblume wrote:
>>> On Fri, 26 Jun 2009 10:30:17 -0400, Jerry Avins wrote:
>>>>>> [dongles to protect SW]
>>>>>>
>>>> I was an inconvenienced legitimate customer. The dongle broke, and
>>>> they wouldn't sell me a replacement, even with a trade-in. "Against
>>>> policy."
>>> That's the problem with dongles. Ultimately honest customers are
>>> p***d off and come close to an undesirable encounter with lawyers.
>>> Nevertheless, Rune's problem remains: He, a small company, probably
>>> the only guy in the shop (garage?) against a big company with a lot
>>> of vessels (and probably more lawyers). They buy one copy, install
>>> it on 17 vessels. How to prevent that?
>> Put it into a pressurized box (without revealing any details) and have
>> the program in volatile RAM that gets powered down if the pressure
>> drops. Make it clear that replacement is at the option of the
>> supplier. If, in the opinion of the supplier, the failure seems due
>> to tampering, the lease is terminated.
>>
>> Jerry
>
> That may be a small price to pay.....
Who pays for what? With the program gone, reverse engineering isn't possible. If the program can be recreated from its actions, protection isn't possible.

Jerry
--
Engineering is the art of making what you want from things you can get.
On 27 Jun, 00:07, Jerry Avins  wrote:
> mblume wrote:
> > On Fri, 26 Jun 2009 10:30:17 -0400, Jerry Avins wrote:
> >>>> [dongles to protect SW]
> >
> >> I was an inconvenienced legitimate customer. The dongle broke, and they
> >> wouldn't sell me a replacement, even with a trade-in. "Against policy."
> >
> > That's the problem with dongles. Ultimately honest customers are p***d off
> > and come close to an undesirable encounter with lawyers.
> > Nevertheless, Rune's problem remains: He, a small company, probably the
> > only guy in the shop (garage?) against a big company with a lot of vessels
> > (and probably more lawyers). They buy one copy, install it on 17 vessels.
> > How to prevent that?
>
> Put it into a pressurized box (without revealing any details) and have
> the program in volatile RAM that gets powered down if the pressure
> drops. Make it clear that replacement is at the option of the supplier.
> If, in the opinion of the supplier, the failure seems due to tampering,
> the lease is terminated.
I like the idea somebody came up with, about using FPGAs for key computations. Are FPGAs available as standard-format PC cards? I never remember the acronym - PCIB or something like that.

Rune
Jerry Avins wrote:
> mblume wrote:
>> On Fri, 26 Jun 2009 10:30:17 -0400, Jerry Avins wrote:
>>>>> [dongles to protect SW]
>>>>>
>>> I was an inconvenienced legitimate customer. The dongle broke, and
>>> they wouldn't sell me a replacement, even with a trade-in. "Against
>>> policy."
>> That's the problem with dongles. Ultimately honest customers are
>> p***d off and come close to an undesirable encounter with lawyers.
>> Nevertheless, Rune's problem remains: He, a small company, probably
>> the only guy in the shop (garage?) against a big company with a lot
>> of vessels (and probably more lawyers). They buy one copy, install
>> it on 17 vessels. How to prevent that?
>
> Put it into a pressurized box (without revealing any details) and have
> the program in volatile RAM that gets powered down if the pressure
> drops. Make it clear that replacement is at the option of the
> supplier. If, in the opinion of the supplier, the failure seems due
> to tampering, the lease is terminated.
>
> Jerry
That may be a small price to pay..... Fred
mblume wrote:
> On Fri, 26 Jun 2009 10:30:17 -0400, Jerry Avins wrote:
>>>> [dongles to protect SW]
>>>>
>> I was an inconvenienced legitimate customer. The dongle broke, and they
>> wouldn't sell me a replacement, even with a trade-in. "Against policy."
>>
> That's the problem with dongles. Ultimately honest customers are p***d off
> and come close to an undesirable encounter with lawyers.
> Nevertheless, Rune's problem remains: He, a small company, probably the
> only guy in the shop (garage?) against a big company with a lot of vessels
> (and probably more lawyers). They buy one copy, install it on 17 vessels.
> How to prevent that?
Put it into a pressurized box (without revealing any details) and have the program in volatile RAM that gets powered down if the pressure drops. Make it clear that replacement is at the option of the supplier. If, in the opinion of the supplier, the failure seems due to tampering, the lease is terminated.

Jerry
--
Engineering is the art of making what you want from things you can get.