Solving the Hacking Problem

To avoid hacking and malicious alteration of the application, software companies are turning to new anti-tamper solutions that will protect the entire application, as well as maintain code integrity.

As software hackers adopt new and sophisticated methods of breaking code and stealing software, Independent Software Companies (ISVs) are scrambling to stay one step ahead of thieves in order to protect their intellectual property.

Today, that is getting harder to do. It is certainly more complex as traditional anti-hacking defenses are becoming largely ineffective against more sophisticated tampering tactics. In fact, hackers have become so good at what they do that Nintendo recently reportedly lost $975 million due to piracy. Microsoft also estimated that it lost $900 million in five years when a Taiwan company started to pirate 21 titles, selling them in 22 countries.

Yet despite these significant losses, current anti-tamper products just aren''''''''t up to the task of protecting sophisticated software applications. Rather than protecting the application anti-tamper products today easily succumb to hacker efforts in a matter of minutes or hours. Or, they are often huge drains on application performance and can result in unpredictable performance spikes.

Two specific examples where traditional protection easily fails are:

Hardware Breakpoint Attacks

Many modern processors have a fixed number of hardware breakpoints (also known as debug registers) that can be used by applications and debuggers. These breakpoints are provided in the processor as a way to easily debug applications. Developers configure the breakpoints so they can interrupt the program to verify proper operation. But once an application is released to end-users, hackers use these breakpoints in order to subvert the proper execution of the application. The result is that breakpoints become a powerful hacker tool used to change the behavior of a program without changing the code.

The traditional solution to this is to detect the use of hardware breakpoints and respond accordingly. However this just moves the problem back one level the hacker will simply use a hardware breakpoint to circumvent the detection/overwriting mechanism and continue with his hack. Incredibly, this kind of attack can take around 2-3 hours to remove the protection from an average application.

Patch-Execute-Unpatch Attacks

Another common hacking tactic involves patch-execute-unpatch attacks. With this approach it is possible to modify a program, execute some arbitrary code and then remove the modification so that the hack cannot be detected. This Patch-Execute-Unpatch attack takes advantage of gaps in protection to operate. If a protection scheme does not verify the integrity of all the running code dynamically at run-time frequently, then it is likely to be susceptible to a Patch-Execute-Unpatch attack. The attack works by taking advantage of delays between checking and execution. If hackers can find unchecked code, or code that is checked but has a delay before being executed, then they can modify (patch) it and have their code run (execute).

Afterwards, again before it is re-checked, a hacker can replace the original code (unpatch) to create an undetectable hack. Patch-Execute-Unpatch attacks can take one to five hours to implement, although some attacks can take as little as five minutes. The quickness that this hack can be initiated has a dramatic effect on the time that an application remains protected

What's a software vendor to do against attacks like these?

To avoid hacking and malicious alteration of the application, software companies are turning to new anti-tamper solutions that will protect the entire application, as well as maintain code integrity. One emerging approach is to arm the application with a self-defense system that injects thousands of checks into the source code of a target application, transforming the application into its own robust security system. Resistant to detection and removal techniques, this type of approach slows a hacker down because he must manually remove each check in order to render the security around the application ineffective.

Additionally, it is always best when an anti-tamper solution is applied on a per application basis. This means that each application has a unique defense that''''''''s specific to that particular application build. When that happens, a hacker must crack each application individually so the application is not susceptible to global attacks. By deploying a unique defense to tampering in every application, hackers become reticent to spend the time to manually remove checks, as this job is tedious and laborious. In many cases, the sheer length of time and effort required makes the hacker quit and move on to an easier target.

Open source presents developers with a different set of problems

As open source continues to gain traction as a viable alternative for mission critical applications, more and more enterprises will deploy some elements of open source technologies within their web server infrastructure. A hacker may start with an SQL injection attack, and if that doesn''''''''t work, move on to attacking the web server or other infrastructure until an unprotected point of entry is found. As more enterprises deploy open source technology, cybercriminals will target the security vulnerabilities within this infrastructure.

When protecting the infrastructure, the entire environment must be taken into account: web servers and infrastructure must be made tamperproof. Vendors will often lock down their applications in order to try and regulate access privileges but they often forget about the infrastructure they use, which leaves routes of attack for a hacker.

In conclusion

The impact of failed or ineffective security can be catastrophic, exposing vital systems or products to significant losses or damage. If a security solution fails to address sophisticated hacking attacks then it is likely that the software''''''''s protection effectiveness will be near zero, essentially exposing the software to hackers immediately. The hackability of software should be a key consideration to ISVs looking to protect their IP investment. With hackers becoming more creative and sophisticated, having an application and infrastructure protection strategy that lengthens the protection time of the whole system as long as possible is obviously the best way to protect your IP investment and, ultimately, your business.

Metaforic: First Public Demo of Anti-Tamper Solution

MetaFortress Demo to Showcase Unique Software Security Solution That Extends Protection Time for Applications

Metaforic, a leading provider of anti-tamper solutions, today announced that it will be publically demonstrating its recently launched MetaFortess solution at the upcoming SC World Congress conference in booth # 107. The event will be held December 9 and 10 at the Javits Convention Center New York City. 

This will be the first public demonstration of MetaFortress, Metaforic''''s anti-tamper solution. MetaFortress protects applications from piracy, hacking and illegal use by utilizing a network of thousands of cross-referenced checks, which can take years of painstaking work to remove.

MetaFortress''''s unique approach greatly extends the time it takes for hackers to penetrate an application from minutes to months or even years.

MetaFortress can be seen on Tuesday December 9 and Wednesday December 10. The expo floor is open 10 a.m. to 4:30 p.m. ET at the SC World Congress Enterprise Data Security Conference Booth #107 Jacob K. Javits Convention Center New York City

Metaforic''''s U.S. Vice President of Sales, Steven Goodison and Sales Engineers and Senior Developers, Joshua Pincus and Ewan Dennis will be on-site to provide product demos.

Last month, Metaforic was named by Network World as one of the top IT security companies to watch. That honor is the latest in a series of significant milestones for the early-stage start-up. In September, the company was selected as a semi-finalist in the Global Security Challenge (GSC), an international business competition focusing on and identifying the world’s most promising security start-ups.

In addition, within the last two months Metaforic has announced the availability of MetaFortress, closed a round of funding, established a U.S.office, and hired senior sales and technical staff.