Hurco Companies Inc. is a business on the move. The global industrial automation company built its new control software on a Windows platform for improved extensibility and interoperability over its old proprietary code. It is making headway in Asian markets.
But greater opportunity can mean greater risk.
"Our Asian business has grown, but the large degree of piracy in Asian markets compounded our concern over revenue growth," said Greg Volovic, Hurco executive vice president. Hurco's proprietary software hadn't been a tempting target. "But now that we are on Windows, educated hackers who are cracking applications in other markets can turn their expertise on us."
Volovic's nightmare is potential customers getting pirated Hurco software to run on their existing machines, spending pennies on the dollar for what might have been a deal for hundreds of thousands of dollars. That nightmare is reality for many software vendors.
The software piracy business is worth tens of billions. Globally, for every $2 spent on legitimate software, $1 is spent on pirated copies. The figures are much worse in developing markets in Africa and Asia, according to a study by the Business Software Alliance and IDC.
The 2006 study estimated that 35% of software sold globally is pirated, running to more than 80% in Russia, China and Vietnam. The rates remained more or less stable compared with those of 2005.
Hackers don't even have to reverse engineer the programs themselves in many cases, particularly commodity commercial products, to feed the hungry market for illegitimate software. By simply cracking the licensing protection, they flood the world with full-featured copies of popular business, entertainment and consumer products for a fraction of the cost of legit versions.
The epidemic of software piracy and tampering, targeting six-figure specialized industrial applications and commodity consumer and general business programs creates a market for what have become known as application hardening products. Arxan Technologies, Cloakware, PreEmptive Solutions and V.i. Laboratories all sell products that make applications, if not 100% tamperproof, so tough to crack that hackers will give up and turn to more profitable, low-hanging fruit.
"These guys are good; they understand machine code language and CPU architecture," said Victor DeMarines, V.i. Labs' vice president of products. "We prevent the really skilled hacker from building class breaks [cracking the underlying security technology]. We take away the business incentive."
They are also more reliable than hardware protections, such as dongles, as Hurco discovered that their dongle-protected desktop version showed up available on the Internet.
"We had hired third party to design a physical dongle, with a software hook to assure dongle was present," said Volovic. "Someone defeated it by emulating the function of the software key, or masked it so the software thought the dongle was present."
These tools apply a variety techniques to harden apps, including strong encryption to highly sophisticated obfuscation techniques. These go beyond the typical obfuscation built in by developers as they write code, which can be easily defeated by skilled hackers, or encryption wrappers, which are vulnerable when code is exposed in the clear at runtime.
PreEmptive's obfuscation, for example, is far more complex and dynamic than standard techniques, confronting hackers with new challenges as they attempt to decompile code. For example, it uses a dynamic renaming technology, called overload induction, which will defeat most hackers and discourage the real code-jockeys, who will, hopefully, seek easier targets. (Its Dotfuscator product, which runs on both Java and .NET platforms, is integrated with Microsoft's Visual Studio.)
Cloakware also uses an obfuscation technique, called Transcoder, which modifies precompiled code. When the code is compiled, it functions as intended, but is highly resistant to hackers.
Hackers can defeat normal encryption wrappers by capturing and decompiling code at runtime, but V.i. Labs, re-encrypts the function dynamically as it's loaded into memory, making it almost impossible for hackers to capture and crack the entire program.
Arxan, which started out protecting Department of Defense weapons systems and moved into the commercial software sector in 2006, takes another approach, selectively embedding selected "Guards" (they have thousands to choose from) to thwart crackers.
Because they work somewhat differently, these technologies aren't always competitive, offering layered defenses. V.i. Labs' DeMarines said his company and PreEmptive, for example, share some common customers.
Importantly, these products are generally applied when coding is complete, so they don't disrupt the development lifecycle. That's important when you consider that security and business development can often be at odds.
"Operations management operates in real-time, the development cycle operates in longer time, and stakeholders are rarely aligned," said Sebastian Holst, PreEmptive Solutions' senior vice president of sales and marketing. "Injecting code post-build and pre-deployment allows you to serve both constituencies."
This kind of protection is typically customized for each application, and isn't cheap, sometimes running to six figures a shot.
"For license management, there's no customization if that's all that's needed," said VinceArneja, Arxan director of product management. "But for intellectual property protection, you can't implement protection out of box you have to build a custom solution."
"We like that the solution is unique for every customer," said Hurco's Volovic, whose code is protected by Arxan. "Our implementation is not the same as others. It's not a commodity-based technology that hackers would breach."