Application / DLL - Security

I would like to know what are the best ways to protect application files and DLLs in situations like this:

Example:

  • Deploy the application (software) to the client
  • This software has direct injection DLLs used in Data Factories (MS SQL, MySQL, others).

Required security:

  • Requirement number 1. The main DLL (Core) requires some kind of "license" (for this user and for the duration of X) and cannot be used on other computers (copied).
  • Requirement number 2. DLL data objects cannot be used by client code (it cannot create its own code and use my libraries). (EDITED - new requirement added)
  • Requirement number 3. The use of equipment or services from outside companies is not an option for us.

The solutions I found:

  • Req # 1 -

    • Solution # 1 - The software requires a custom "save data file" (full protection); this file will be used for management. The application will read it from time to time (either when it is launched or every 24 hours if the application is running continuously). It will store the first execution date, the last execution date, some identifier of this machine, expiration date, etc.
      • Pros:
        • The client cannot uninstall it or the application will stop working, and it cannot change the system date (rewind it), because the application matches the dates.
        • If the user wants to update the expiration date, the software allows it (offline or online).
      • Cons:
        • Well, this file will be a hacker target. I don't know how best to protect it.
  • Req # 2 -

    • Solution # 1 - I don't have one :P


Can anyone please tell me the best practices on this issue?

Various solutions, pros and cons, etc.

2 answers


I've been answering the software licensing / protection question in this answer for a long time, which is great for a DLL under your control. In short, it is not possible to deploy what cannot be copied, but once deployed, you can generate a key that then needs to be licensed when you call your team or company.

With regard to Req 2, I think the smartest approach is to just pass a parameter to each function that hackers won't be able to know. I don't find that making complex names or obfuscating them helps (you can always parse a DLL to discover its contents). Obfuscation also makes maintenance more difficult for you - never a good idea. I doubt that protecting them is more important than maintaining those DLLs!



Thus, I would vote for some magic to be passed on to your functions. The simplest would be a simple integer. It would be safer to represent the time (a time window would be better) that you then hash. If the decryption in the DLL matches the current time, you know that you have called your own code.

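The time-window parameter suggested in the answer above, sketched as an added example that is not part of the original answer or of any real product. It swaps the bare hash for HMAC-SHA256 so that knowing the current time alone is not enough to compute the value, and goes slightly further than the answer by binding the token to the function name. The secret, the 30-second window, and the `load_customers` function are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

# Assumptions for this sketch: a secret built into both the caller and the
# library (constructed placeholder value) and a 30-second time window.
SHARED_SECRET = b"constructed-demo-secret"
WINDOW_SECONDS = 30


def _mac(window, func_name):
    """HMAC-SHA256 over the window number and the name of the called function."""
    msg = struct.pack(">q", window) + func_name.encode("utf-8")
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()


def make_token(func_name, now=None):
    """Caller side: derive the token for the current time window."""
    now = time.time() if now is None else now
    return _mac(int(now) // WINDOW_SECONDS, func_name)


def verify_token(func_name, token, now=None, skew=1):
    """Library side: accept the current window plus/minus `skew` windows."""
    now = time.time() if now is None else now
    current = int(now) // WINDOW_SECONDS
    ok = False
    for window in range(current - skew, current + skew + 1):
        # compare_digest avoids leaking the match position through timing
        ok |= hmac.compare_digest(_mac(window, func_name), token)
    return ok


def load_customers(token, now=None):
    """Hypothetical exported data function that refuses unknown callers."""
    if not verify_token("load_customers", token, now):
        raise PermissionError("caller token rejected")
    return ["constructed row 1", "constructed row 2"]


if __name__ == "__main__":
    print(load_customers(make_token("load_customers")))
```

The secret ships inside the deployed binaries, so this check raises the effort needed to call the library from foreign code but does not make it impossible.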


Req 1

I'm not sure if this will work for you, but you can use a commercial solution using a USB dongle. You can find several companies offering an Internet security solution. Most of the software components supplied with these products contain licenses and expiration times. On the other hand, you have higher hardware costs as well as some time and effort to invest in integration.

Req 2



Depends on the interface of your DLLs. Do you think your client or other people can easily use your DLLs without the appropriate headers and information on the interface?

If you think so, perhaps you can make the interface more complex or use obfuscation.
