Software Tamper-Proofing Deployed 2-year Anniversary Report

Presentation transcript:

Software Tamper-Proofing Deployed 2-year Anniversary Report
Macrovision Corporation
Patrice Capitant, VP Engineering

Agenda
- SafeDisc
- The Hacker World
- Hacker Tools & Security Risks
- SafeDisc Deployment
- In The Field
- The Lessons
- Recommendations
- SafeDisc 2.0
- Summary

SafeDisc
- Copy Protection of PC games on CD.
- Applied to more than 51 million units over 20 months
- Applied to more than 300 titles
- More than 100 SafeDisc replication facilities worldwide

The Hacker World
- Super-Hackers (The White Knights)
  - Organized (suppliers, crackers, coders, web hosters)
  - Friendly competition but cooperation on tough problems
- Custom Tools
  - Debuggers & add-ons (anti-debugger aids, memory dumps...)
  - Advanced Hex-editors
  - Packers & unpackers (PEcrypt, Procdump,…)

The Hacker World
- Hacker’s goals: to beat and humiliate you
  - Generate tamper-proof patches
  - Generate essays on your technology
  - Generate essays on hack techniques

Hackers’ Application Form – Part 1
: .:[ #HUMMERS_WareZ ]:.
: .:[ Application Form ]:.
§-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+§
WE'RE LOOKING FOR: Suppliers, Web Hosters, Crackers, Coders
Check the position(s) you want to apply for, look for the section & answer the questions.
: []Topsite FTP Courier X1 : X2 : X9 :
: []Web Hoster X1 : X3 : X9 :
: []Site Operator X1 : X4 : X9 :
: []Shell Supplier X1 : X5 : X9 :
: []Supplier X1 : X6 : X9 :
: []Cracker X1 : X7 : X9 :
: []Coder X1 : X8 : X9 :
: []Other X1 : X9 : X9 :

Hackers’ Application Form – Part 2
X1. Information
: Real Name-...............................[ ]
: Nick-....................................[ ]
: E-mail-..................................[ ]
: IP Mask-.................................[ ]
: ICQ Number-..............................[ ]
: Connection speed-........................[ ]
: Years of experience in warez?-...........[ ]
: Have you been or are you in a group right now? [ ]-YES [ ]-NO
: What Groups? What Position? Groups-...............[ ] Position-.............[ ]

Hackers’ Application Form – Part 3
X2. Topsite FTP Courier
: Do you have access to new, 0-min warez? [ ]-YES [ ]-NO
: How many mb can you curry in a week?-......[ MBS ]
: Name the sites you are on? #1-[ ] #2-[ ] #3-[ ]

Hackers’ Application Form – Part 4
X3. Web Host
: Can you host the page 24/7? []-YES []-NO
: Space Available for the page-..............[ MBS ]
: Any other information? (Domain name, etc) [ ]

Hackers’ Application Form – Part 5
X4. SiteOp
: Connection Speed: (cable users need not apply) []T1 []T3 []OC+
: Operating System (Check all that apply) [ ]Windows 3.1x/95/98 [ ] Any Nix os (Please Specify) [ ] [ ]Other(Please Specify) [ ]
: Space Available for the group-..........… [ GIGS ]
: Will your site be dedicated to HUMMERS only? [ ]-YES [ ] –NO
: Will your site be up 24/7? If not,how often? [ ]-YES [ ]-NO Hours up-[ ]
: How many users can your site support at a time?-[ ]
: What is the ip and login info of your site? (look only account) IP: [ ] LOGIN: [ ] PASS: [ ]

Hackers’ Application Form – Part 6
X5. Shell Supplier
: Do you own a shell? [ ]-YES [ ]-NO
: How many 24/7 bots do you have on your shell?-[ ]

Hackers’ Application Form – Part 7
X6. Supplier
: What can you supply?-................[ ]
: How much can u supply in a day/week?-[ ]
: Will you supply on demand? [ ]-YES [ ]-NO

Hackers’ Application Form – Part 8
X7. Cracker
: How long have you been hacking/cracking?-[ ]
: How many applications have you cracked?-[ ]
: How many games have you cracked?-[ ]
: What are the last last three games/apps you've cracked? #1-[ ] #2-[ ] #3-[ ]
: Are you willing to demonstrate your skills to a Senior in HUMMERS? []-YES []-NO

Hackers’ Application Form – Part 9
X8. Coder
: What do you use to code? (Programs) [ ]
: Do you have examples of your work?
: []-YES []-NO (If yes, please include one with this app)
: How fast can you start and finish a good program for the group?

Hackers’ Application Form – Part 10
X9. Other
: What other thing can you do that is not listed? [ ] [ ]

Hackers’ Application Form – Part 11
X10. Hand-in App
Now rename this yournick.txt and copy and paste, then send it to "HUMMERS@HOME.COM" with "HUMMERS APPLICANT" as your subject.
§-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-§
©1998 [HUMMERS_Warez]

Hacker Tools & Security Risks
- Debuggers
- Disassemblers
- File Level Attacks
- Memory Lifts
- Spoofing
- Cryptographic Attacks
- Procedural

Debuggers
- Step through code
- Set memory and code breakpoints
- Disassemble code
- Change operation of code
- General experimentation tool
- e.g. SoftIce, TRW and Microsoft debuggers

Disassemblers
- Can analyse security code in a file on hard drive
- Allow authentication and security code to be easily patched and recompiled
- Help remove obfuscation code
- e.g. IDA Pro

Spoofing
- Spy programs used to monitor application calls to system functions
- Spoof program intercepts calls and returns data expected for an authentication
- e.g. frogsice, spy32

Memory Lifts
- Copies decrypted application (or sections) from memory to a file.
- Reconstructs the remainder of the application
- Can memory lift security code or protected application
- e.g. procdump

Cryptographic Attacks
- Use of cryptographic techniques to analyse encrypted-protected applications
- Use of cryptographic techniques to find decryption keys

Procedural
- Leaks from publishers
- Release of demo builds
- Publishing cracks on the WWW
- Publishing cracker tools

SafeDisc Deployment
- Successful Pre-release Testing…
  - Software successfully tested by single hackers and corporate entities (Microsoft, Aladdin) over 2-month period
- …Conclusions:
  - It will take a very long time to crack: There is plenty of time to add security features
  - If a crack occurs, patching the security hole will be sufficient

In The Field
- First hack after 6 months.
- Three generic hacks over two years, all patched.
- All hacks limited to Super-Hackers.
- Time to Hack keeps decreasing.

The Lessons
- Super-Hackers can’t spell
- Super-Hackers will work together: You are facing large skilled groups not individuals
- Hacks are more than one break: Frequently reflect systematic understanding of whole security system

The Lessons
- Hacks are more a matter of “when” than “if”
- Essays on your security techniques will be published
- Patches will be tamper-proofed (just to show you)

The Lessons (cont.)
- Security hardness when raised to the level of Super-Hackers
  - Diminishes number of hacks
  - Diminishes distribution sites for patches
  - Deters cautious users from applying patches

Recommendations
- Be proactive:
  - New security techniques must be added frequently
  - Expect to develop major changes in security architecture on a regular basis
- Be patient:
  - Monitor hackers' techniques & tools
  - Devise multiple techniques before releasing counter-attack
- Focus on slowing down hacks:
  - Put as many layers of security as you can in all critical areas
- Focus on limiting hack effectiveness:
  - Use polymorphism: Each installation is different
  - Dedicate resources to monitor and close Web sites

SafeDisc 2.0
- Enhanced automated wrapping tool
- Added DLL and data protection
- Additional security layers in each critical area
  - Debuggers, disassemblers, spoofing, memory lifts & cryptographic attacks
- Heavier use of polymorphism
- Same program against hackers' sites
- New SDK for publishers
- Additional security (level 1-3) for identified functions
- Additional media signatures for both data & audio

Summary
- SafeDisc hacks limited to a small group of Super-Hackers
- Original strategy focused on preventing all hacks
  - Did not put a boundary on time to hack
- Second generation tamper-proofing just released
  - Focuses on limiting time to hack

Conclusion
The more you learn, the more you learn you have to learn