How to Prevent CyberTerrorism and Software Piracy Through Validy SoftNaos - A Technical Perspective
By Angsuman Chakraborty, Gaea News NetworkSaturday, November 22, 2008
Cyber terrorism, data theft and piracy are three of the most concerning factors for any software developer or a learned internet user. We have always looked forward to numerous softwares as they claim to prevent any trespasser but in vain. None of them have been efficient enough and that is the reason why we are here to tell you about a new and unknown technology, Validy Softnaos (which was given to us to for reviewing purpose and have a technological insight) It uses a hardware-software bridge that works efficiently to prevent any unauthorized activity.
What is Validy Technology
Validy Technology (VT) is a system which protects software against piracy and ensures software integrity. It uses a combination of software compilation techniques and of a small secure hardware device called a token. If you look at this following pic, you will understand the technology behind Validy’s.
You can see that there is a co-processor that works under a Secure Token (an USB dongle) and executes the program there itself
Validy Softnaos
Validy SoftNaos for Java is a software protection product targeted at software publishers who develop Java applications. It prevents software piracy and ensures software integrity by combining software transformation with a piece of secure hardware (a secure token of USB dongle).
How Does it Work
To perform the protection by Validy SoftNaos for Java, a post-compiler transforms the Java bytecode of the application. Unless a Validy SoftNaos USB token is attached to the PC, the protected application can not run anymore.
At runtime, the token becomes an extension of the main processor. It contains a subset of the application’s state and executes the parts of the application that use or modify this state.
The token is a slave co-processor, receiving a flow of encrypted instructions and exchanging data with the main processor through the USB interface.
The whole concept of Validy Softnaos protection works on enciphering and deciphering of encryption. Because the only link between a protected application and the token is a cryptographic key. The post-compiler enciphers instructions using a secret key at protection time and the token deciphers them at runtime using the same key.
Protection over Data in Co Processor (Technical Aspect)
The protection of an application with Validy Technology begins with the relocation of some of the instance and static fields of some of its classes inside the memory of the secure coprocessor. When such a transformed class is loaded or such a transformed object is created, a chunk of memory is allocated in the heap of the coprocessor to hold the values of the relocated fields. In the transformed classes, the relocated instance and static fields are replaced by the address of these chunks of memory. These addresses are stored in two fields named k$this and k$class for instance and static fields respectively. Figure 3.1 shows an object of class A and its fields before and after the relocation of two fields to the coprocessor.
What’s More?
What I liked the most about this product was its use of tags. The tags mechanism is easy to implement and runs fast because it involves only simple operations. It is however extremely powerful because additional instructions can be tied to the original ones using tags.
This makes it simple, fast and yet secure.
Validy USB Token
The Validy USB token is built around a secure micro-controller running the firmware for one or more of the following Validy applications: Validy Softnaos, Validy WebBusiness, Validy FileCrypt, or Validy SmartLicense.
The main characteristics of the micro-controller are:
- 32 bit architecture
- 256 Kbytes of ROM (for the code)
- 32 Kbytes of EPROM (for permanent data)
- 8 Kbytes of RAM (for the working set of applications)
- 256 Kbytes of external ciphered RAM (used as a paging area by Validy SoftNaos)
- USB full speed interface (12 Mbit/s) Cryptographic accelerator for DES and Triple DES
- Cryptographic accelerator for RSA up to 1024 bit keys (or 2048 bits using the Chinese Remainder Theorem)
- Countermeasures to protect against physical attacks.
Advantages
* strong protection against software piracy without undue control of the user’s machine or breach of privacy
* low impact on the development and distribution of the software: protection is mostly automated, application updates can be produced after the tokens are in the field
* integrity checks or accesses to token cryptographic resources (for authentication or signature) can be added and securely tied to other token instructions
How to Install
Simply run the vldy-softnaos-eval-1.0.x.y.jar
installer. After execution, you will find the following directories under the install root location you have chosen:
- lib: The jar files for the translator, annotations, Ant task, virtual coprocessor, and interface with the secure coprocessor.
- lib\libs: The third party libraries used by the translator.
- doc: This evaluation guide in PDF and HTML formats.
- examples: Sample applications.
To use the actual secure coprocessor, the runtime that communicates with a hardware token instead of simulating it must be used. The jar file vldy-tech-vruntime.jar
must be replaced by vldy-tech-runtime.jar
on the class path.
You can find more about running the tools here
Conclusion
Validy Technology is very competent to fight against such bigger threats but there are some points they should consider on.
1. The documentation is too technical (though I know its for software developers). But even a software developer can feel lost under all these technicalities. So improvement upon documentation is a must.
2. It is too much java dependent and I will surely want it to grow over it and be as diverse as possible.
Predictions tell us that we will have 12 million dongles attached to computers by 2012. So you can understand that what a magnanimous influence will it be if it becomes a success. Having said all that, Validy Softnaos is worth a try. If you are concerned over piracy and sabotages, then you may use it and tell us your experience too.
Tags: 2012, Claim, Cyber terrorism, Lost, Piracy, Validy Softnaos, Validy technology