
The Maginot License: Failed Approaches to Licensing Java Software Over the Internet

Mark D. LaDue, Ph. D. Presented by Li Fajie.



  1. The Maginot License: Failed Approaches to Licensing Java Software Over the Internet
     Mark D. LaDue, Ph. D.
     Presented by Li Fajie

  2. Outline
     1. Introduction
     2. Java Class Files at a Glance
     3. The Evaluation License of SurfinShield
     4. The Trial Version of WingDis 2.11
     5. The Evaluation License of HotJava Browser
     6. Does JTimer Solve the Problem?
     7. Conclusion
     8. Question

  3. 1. Introduction
     - Java class file format: easy disassembly and even decompilation
     - Try-before-you-buy basis
     - Maginot license: “Like the French fortifications constructed between the World Wars, they are simple to detect and to skirt.” (Mark D. LaDue)
     - Simple attack tools:
       - javap utility
       - class java.io.RandomAccessFile
       - Inspector.java

  4. 2. Java Class Files at a Glance
     Example: Test725.java

         class Test725 {
             int squares(int n) {
                 return n * n;
             }
         }

     Test725.class (abridged and annotated)

         Magic=0xCAFEBABE
         Version=45.3
         Access=synchronized (0x0020)
         Class=(#2) "Test725"(#8)
         SuperClass=(#1) "java/lang/Object"(#17)

  5. Test725.class (continued)

         Constant Pool Entries=23
         #1 Kind=CONSTANT_Class(7) Name="java/lang/Object"(#17)
         #2 Kind=CONSTANT_Class(7) Name="Test725"(#8)
         [deletions]
         Interface Table Entries=0
         Field Table Entries=0
         Method Table Entries=2
         AL_CODE: Method 1
         Method="Test725.squares"(#19) Signature="(I)I"(#11)
         Access= (0x0000)
         Attribute Count=1
         Attribute="Code"(#16) Length=56
         Max Stack=2 Max Locals=2 Code Length=4

  6. Test725.class (continued)

         0x00000000 1B iload_1
         0x00000001 1B iload_1
         0x00000002 68 imul
         0x00000003 AC ireturn
         [deletions]
         Attribute Table Entries=2
         Attribute="SourceFile"(#14) Length=2 Source File="Test725.java.java"(#10)
         Attribute="AbsoluteSourcePath"(#6) Length=2

  7. Java Class Files Raise Some Security Concerns
     - Recover source code from them to obtain hacked class files
     - Alter code in class files:
       - insert some code
       - change control flow
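The fields annotated in the Test725.class listing on slides 4 to 6 (magic, version, constant pool, access flags, class and superclass) can be read straight from the file's bytes. The following is an added example, not code from the presentation or from LaDue's paper: a Python parser for the class-file header and constant pool, run on a constructed four-entry cut-down of the Test725 header. The names `parse_class_header`, `utf8_entry` and `SAMPLE` are this example's own.

```python
import struct

# Constant-pool tag -> (kind, payload size); CONSTANT_Utf8 (tag 1) is variable length.
CP_FIXED = {3: ("Integer", 4), 4: ("Float", 4), 5: ("Long", 8), 6: ("Double", 8),
            7: ("Class", 2), 8: ("String", 2), 9: ("Fieldref", 4), 10: ("Methodref", 4),
            11: ("InterfaceMethodref", 4), 12: ("NameAndType", 4), 15: ("MethodHandle", 3),
            16: ("MethodType", 2), 17: ("Dynamic", 4), 18: ("InvokeDynamic", 4),
            19: ("Module", 2), 20: ("Package", 2)}

def parse_class_header(data: bytes) -> dict:
    """Parse magic, version, constant pool, access flags, this_class and super_class."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("bad magic: not a Java class file")
    try:
        minor, major, cp_count = struct.unpack_from(">HHH", data, 4)  # minor comes first
        pool, pos, i = [None] * cp_count, 10, 1       # entries are numbered from #1
        while i < cp_count:
            tag = data[pos]
            if tag == 1:                              # u2 length, then that many bytes
                (n,) = struct.unpack_from(">H", data, pos + 1)
                pool[i] = ("Utf8", data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
                pos += 3 + n
            elif tag in CP_FIXED:
                kind, size = CP_FIXED[tag]
                pool[i] = (kind, data[pos + 1:pos + 1 + size])
                pos += 1 + size
                i += tag in (5, 6)                    # Long and Double occupy two slots
            else:
                raise ValueError(f"unknown constant pool tag {tag} at byte {pos}")
            i += 1
        access, this_idx, super_idx = struct.unpack_from(">HHH", data, pos)
        def class_name(idx):                          # CONSTANT_Class -> its Utf8 name
            kind, payload = pool[idx]
            if kind != "Class":
                raise ValueError(f"constant #{idx} is {kind}, not Class")
            return pool[struct.unpack(">H", payload)[0]][1]
        return {"version": f"{major}.{minor}", "cp_count": cp_count, "access": access,
                "this_class": class_name(this_idx),
                "super_class": class_name(super_idx) if super_idx else None}
    except (struct.error, IndexError, TypeError) as exc:
        raise ValueError(f"truncated or malformed class file: {exc}") from exc

def utf8_entry(s: str) -> bytes:                      # helper for the constructed sample
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b

# Constructed sample: a four-entry cut-down of the Test725.class header, not the real file.
SAMPLE = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 3, 45, 5) + b"\x07\x00\x03\x07\x00\x04"
          + utf8_entry("java/lang/Object") + utf8_entry("Test725") + struct.pack(">HHH", 0x20, 2, 1))
```

The `cp_count` field is one more than the number of usable entries, because entry #0 is never stored in the file.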

  8. 3. The Evaluation License of SurfinShield
     - SurfinShield has a 30-day evaluation license
     - It can be observed that:
       - When sfsinstall (SurfinShield's installation script) installed the software, it allowed the zip application to call attention to SFped.class.
       - Unzipping SurfinShield.zip yields SFped.class

  9. Examining SFped.class
     The output of javap (javap -c SFped):

         Compiled from SFped.java
         public class SFped extends java.lang.Object {
             static final int year;
             static final int month;
             static final int day;
             public java.util.Date ped;
             public SFped();
         }

  10. Examining SFped.class (continued)

          Method SFped()
          [deletions]
             9 ldc #3 <Integer 97>
            11 ldc #2 <Integer 3>
            13 ldc #1 <Integer 15>
          [deletions]

      Notice: installation date (March 15, 1997) hard-coded into the class file

  11. Likely form of SFped.java

          /* Deduced from the output of javap -c SFped */
          import java.util.Date;

          public class SFped {
              static final int year = 97;
              static final int month = 3;
              static final int day = 15;
              public Date ped;

              public SFped() {
                  ped = new Date(year, month, day);
              }
          }

  12. Hacked SFped.java

          import java.util.Date;

          public class SFped {
              public Date ped;

              public SFped() {
                  ped = new Date();
                  ped.setDate(ped.getDate() - 1);
              }
          }

      Update SurfinShield.zip

          zip -u -n ".class" SurfinShield.zip SFped.class

      SurfinShield will now run as before, and its splash screen will always report that the evaluation license has 29 days before it expires.

  13. 4. The Trial Version of WingDis 2.11
      The Trial Version vs the Real Product
      - Same power and functionality, but two restrictions:
        - At most five days to try: "Sorry, the trial version has expired"
        - Cannot decompile any of its own classes: "Sorry, WingDis is not allowed to decompile itself" and exit.

  14. 4. The Trial Version of WingDis 2.11 (continued)
      - Finding the Java class files: run a Bourne shell script from the decompiler's home directory; it will print the names of files which contain the word "Sorry". Running it on version 2.11 yields a single class file, ./wingsoft/javadis/ClassReader.class
      - Modifying the Java class file: this is easily done by using Sun's javap utility and Inspector.java.

      Output of javap (abridged and annotated)

          [deletions]
          ### Method void ?(boolean)
          [deletions]
          Method void ABC(boolean)
          [deletions]
          ###CHANGE 158 (ifle) -> 167 (goto) at byte 23566###
          ### 23566 = 23114 + 452

  15. 4. The Trial Version of WingDis 2.11 (continued)

          452 ifle 466
          455 new #138 <Class java.io.IOException>
          458 dup
          459 ldc #9 <String "Sorry, the trial version has expired">
          [deletions]
          466 return

      Output of Inspector (abridged and annotated)

          There are 83 methods:
          [deletions]
          Code array in method ? of length 67 starting at byte 22993.
          ###Code array in method ? of length 467 starting at byte 23114.
          Code array in method ABC of length 467 starting at byte 23114.
          Code array in method ? of length 252 starting at byte 23641.

  16. 4. The Trial Version of WingDis 2.11 (continued)
      Hacker’s TakeDat.java (abridged and annotated)

          [deletions]
          RandomAccessFile victim = new RandomAccessFile(hack, "rw");
          // Now put a "goto" instruction (opcode 167) at bytes 13187, 14412, 23342,
          // 23364, 23423, and 23566
          victim.seek(13186);
          victim.writeByte(167);
          [deletions]

  17. 5. The Evaluation License of HotJava Browser
      - Four JavaBeans components can provide 80% of HotJava Browser's functionality
      - They are offering them on a try-before-you-buy basis for 30 days
      - How does the licensing software work?
        - Set up a development environment, e.g. BDK
        - Download the HotJava HTML Component Version 1.1
        - Install HotJavaBean.jar and TextBean.jar
      - When these jar files are loaded into the development environment, a set of 5 JavaBeans becomes available for use: HotJavaBrowserBean; HotJavaDocumentStack; AuthenticatorBean; HotJavaSystemState; and TextBean.

  18. 5. The Evaluation License of HotJava Browser (continued)
      - HotJavaBrowserBean (HotJava HTML Component) would necessarily be used in any browser application.
      - However, any time it is loaded, it pops up a window with warning messages:
        "Notice: This is an evaluation copy of the HotJava Browser software. The evaluation license expires 30 days after initial installation. Please visit the JavaSoft web site at http://java.sun.com/products/hotjava for additional licensing information."
      - A hacker can easily disable the embarrassing warning messages and quietly make use of the HotJava HTML Component for profit.

  19. 6. Does JTimer Solve the Problem?
      JTimer’s Features and Benefits:
      “Secure timer based on public-key private-key encryption. Lightweight with a single class to include in your application. No license server is needed. Easy key and ticket management. Simple API. Add true protection to your software in minutes! Increased exposure to potential customers by allowing download of evaluation copies on Internet. Protection against piracy with highly secure electronic signature.”
      The JTimer package consists of two Java classes, Admin and Timer.

  20. 6. Does JTimer Solve the Problem? (continued)
      To use JTimer:
      - generate a public/private key pair, a vendor ID, and a time ticket
      - include JTimer's Timer.class, the time ticket, and the public key along with the application
      - call Timer's checkTicket() method to check the expiration date of the license from the ticket and public key

      To check the expiration date of the license,

          java tea.set.timer.Admin -verify ./tea/set/timer/ticket ./tea/set/timer/pubkey

      gets the result:

          The evaluation period has expired
          Please purchase a copy or stop using the software
          Verification successful
          Ticket expires at Sun Nov 23 23:53:12 CST 1997

  21. 6. Does JTimer Solve the Problem? (continued)
      Things InetSoft Technology Corporation forgot:
      - Their tool is written in Java, and a hacker has the class files.
      - A hacker can alter the application's byte code so that the checkTicket() method always returns the boolean value true.
      - “In general, it would often suffice to change a single byte in the application from a branching opcode to a goto in order to make it function as if the checkTicket() method always returns true”.
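The one-byte change from a branching opcode to goto, shown for WingDis on slides 14 to 16 and quoted for JTimer on slide 21, leaves a recognizable difference when a deployed archive is compared with the vendor's released one. The following is an added example, not part of the presentation: a Python audit that compares the .class members of a reference and a deployed zip/jar and flags that pattern. It assumes a trusted reference copy is available, classifies a changed byte by value alone without decoding the instruction stream, and runs on constructed sample bytes; all function names are this example's own.

```python
import hashlib, io, zipfile

# JVM conditional-branch opcodes (each followed by a 16-bit offset) and goto.
COND_BRANCH = dict(enumerate(
    ["ifeq", "ifne", "iflt", "ifge", "ifgt", "ifle", "if_icmpeq", "if_icmpne",
     "if_icmplt", "if_icmpge", "if_icmpgt", "if_icmple", "if_acmpeq", "if_acmpne"], start=153))
COND_BRANCH.update({198: "ifnull", 199: "ifnonnull"})
GOTO = 167

def diff_class(ref: bytes, dep: bytes) -> dict:
    """Classify byte differences between a reference and a deployed class file."""
    swaps, other = [], []
    for off, (a, b) in enumerate(zip(ref, dep)):
        if a != b and a in COND_BRANCH and b == GOTO:   # heuristic: byte value only
            swaps.append((off, COND_BRANCH[a]))
        elif a != b:
            other.append(off)
    return {"resized": len(ref) != len(dep), "branch_to_goto": swaps,
            "other_changes": other, "sha256": hashlib.sha256(dep).hexdigest()}

def audit_archive(ref_zip: bytes, dep_zip: bytes) -> dict:
    """Return a finding for every .class member that differs between two zip/jar archives."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(ref_zip)) as ref, zipfile.ZipFile(io.BytesIO(dep_zip)) as dep:
        ref_names = {n for n in ref.namelist() if n.endswith(".class")}
        dep_names = {n for n in dep.namelist() if n.endswith(".class")}
        for name in sorted(ref_names - dep_names):
            findings[name] = "missing from deployed archive"
        for name in sorted(dep_names - ref_names):
            findings[name] = "not in reference archive"
        for name in sorted(ref_names & dep_names):
            a, b = ref.read(name), dep.read(name)
            if a != b:
                findings[name] = diff_class(a, b)
    return findings

def make_zip(members: dict) -> bytes:                 # builds the constructed sample archives
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a few code-array bytes (iload_1, ifle, new, dup, return), not a real class.
REF = bytes([0x1B, 0x9E, 0x00, 0x0E, 0xBB, 0x00, 0x8A, 0x59, 0xB1])
DEP = REF[:1] + bytes([GOTO]) + REF[2:]
if __name__ == "__main__":
    print(audit_archive(make_zip({"demo/Check.class": REF}), make_zip({"demo/Check.class": DEP})))
```

Any finding at all means the deployed member no longer matches the release; the `branch_to_goto` list only helps triage which differences look like a bypassed check.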

  22. 7. Conclusion
      - From our first three examples we see that “the Maginot license is a serious problem for Java developers who desire to sell their software over the Internet on a try-before-you-buy basis”
      - From the example of JTimer we see that “This problem has no simple solution. Indeed, there may be no solution at all”.

  23. 8. Question
      “The question now is which bytes in ClassReader.class to change, and the answer is provided by the output of Inspector. From the javap output we know the methods and the offsets (given by the line numbers) within those methods for the bytes to be changed, and from the Inspector output we know precisely where in the class file the methods in question begin. Adding the offsets to the starting points tells us which bytes to change”.
      If the names of those methods are missing, how can the correct starting points be found?
