The Maginot License: Failed Approaches to Licensing Java Software Over the Internet

Mark D. LaDue, Ph. D.

Presented by Li Fajie


Outline

1. Introduction
2. Java Class Files at a Glance
3. The Evaluation License of SurfinShield
4. The Trial Version of WingDis 2.11
5. The Evaluation License of HotJava Browser
6. Does JTimer Solve the Problem?
7. Conclusion
8. Question

1. Introduction

• Java Class File Format
    easy disassembly and even decompilation
• Try-before-you-buy basis
• Maginot license
    “Like the French fortifications constructed between the World Wars, they are simple to detect and to skirt.” (Mark D. LaDue)
• Simple attack tools:
    javap utility
    class java.io.RandomAccessFile
    Inspector.java

2. Java Class Files at a Glance

Example: Test725.java

    class Test725 {
        int squares(int n) {
            return n*n;
        }
    }

Test725.class (abridged and annotated)

    Magic=0xCAFEBABE Version=45.3 Access=synchronized (0x0020)
    Class=(#2) "Test725"(#8)
    SuperClass=(#1) "java/lang/Object"(#17)

Test725.class (continued)

    Constant Pool Entries=23
     #1 Kind=CONSTANT_Class(7) Name="java/lang/Object"(#17)
     #2 Kind=CONSTANT_Class(7) Name="Test725"(#8)
    [deletions]
    Interface Table Entries=0 Field Table Entries=0
    Method Table Entries=2 AL_CODE: Method 1
    Method="Test725.squares"(#19) Signature="(I)I"(#11)
    Access= (0x0000) Attribute Count=1 Attribute="Code"(#16)
    Length=56 Max Stack=2 Max Locals=2 Code Length=4

Test725.class (continued)

    0x00000000 1B iload_1
    0x00000001 1B iload_1
    0x00000002 68 imul
    0x00000003 AC ireturn
    [deletions]
    Attribute Table Entries=2
    Attribute="SourceFile"(#14) Length=2
    Source File="Test725.java.java"(#10)
    Attribute="AbsoluteSourcePath"(#6) Length=2

Java Class Files Raise Some Security Concerns

• Recover source code from them to obtain hacked class files
• Alter code in class files
    insert some code
    change control flow
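The fields shown in the Test725.class dump (magic, version, constant pool, access flags, class and superclass names) sit at the front of every class file with no protection, which is why tools like javap can read them. The following parser is an added example, not code from the presentation; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Payload size in bytes of each fixed-size constant pool tag (JVM class file format).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_header(data: bytes) -> dict:
    """Parse magic, version, constant pool and the class/superclass names."""
    magic, minor, major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("bad magic: not a Java class file")
    pool, pos, idx = {}, 10, 1              # pool indices start at 1
    while idx < count:
        tag = data[pos]
        if tag == 1:                        # CONSTANT_Utf8: u2 length, then bytes
            (n,) = struct.unpack_from(">H", data, pos + 1)
            pool[idx] = (tag, data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        elif tag in FIXED:
            pool[idx] = (tag, data[pos + 1:pos + 1 + FIXED[tag]])
            pos += 1 + FIXED[tag]
            if tag in (5, 6):               # long and double occupy two slots
                idx += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at byte {pos}")
        idx += 1
    access, this_idx, super_idx = struct.unpack_from(">HHH", data, pos)

    def class_name(i: int) -> str:          # CONSTANT_Class -> its Utf8 name
        tag, raw = pool[i]
        if tag != 7:
            raise ValueError(f"entry #{i} is not CONSTANT_Class")
        return pool[struct.unpack(">H", raw)[0]][1]

    return {"version": f"{major}.{minor}", "constant_pool_count": count,
            "access": access, "this_class": class_name(this_idx),
            "super_class": class_name(super_idx)}

def utf8(s: str) -> bytes:
    return b"\x01" + struct.pack(">H", len(s)) + s.encode()

# Constructed sample: only the leading part of a class file, with a 4-entry pool
# (the real Test725.class has more entries and different indices).
SAMPLE = (struct.pack(">IHHH", 0xCAFEBABE, 3, 45, 5)
          + b"\x07\x00\x03" + b"\x07\x00\x04"           # #1, #2: CONSTANT_Class
          + utf8("java/lang/Object") + utf8("Test725")  # #3, #4: CONSTANT_Utf8
          + struct.pack(">HHH", 0x0020, 2, 1))          # access, this, super

if __name__ == "__main__":
    print(parse_header(SAMPLE))
```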

3. The Evaluation License of SurfinShield

• The Evaluation License
    SurfinShield has a 30-day evaluation license.
• It Can Be Observed That:
    When sfsinstall (SurfinShield's installation script) installed the software, it allowed the zip application to call attention to SFped.class.
    Unzipping SurfinShield.zip yields SFped.class.

Examining SFped.class

The output of javap (javap -c SFped):

    Compiled from SFped.java
    public class SFped extends java.lang.Object {
        static final int year;
        static final int month;
        static final int day;
        public java.util.Date ped;
        public SFped();
    }

Examining SFped.class (continued)

    Method SFped()
    [deletions]
       9 ldc #3 <Integer 97>
      11 ldc #2 <Integer 3>
      13 ldc #1 <Integer 15>
    [deletions]

Notice: the installation date (March 15, 1997) is hard-coded into the class file.

Likely form of SFped.java

    /* Deduced from the output of javap -c SFped */
    import java.util.Date;

    public class SFped {
        static final int year = 97;
        static final int month = 3;
        static final int day = 15;
        public Date ped;

        public SFped() {
            ped = new Date(year, month, day);
        }
    }

Hacked SFped.java

    import java.util.Date;

    public class SFped {
        public Date ped;

        public SFped() {
            ped = new Date();
            ped.setDate(ped.getDate() - 1);
        }
    }

Update SurfinShield.zip

    zip -u -n ".class" SurfinShield.zip SFped.class

SurfinShield will now run as before, and its splash screen will always report that the evaluation license has 29 days before it expires.

4. The Trial Version of WingDis 2.11

The Trial Version vs the Real Product

Same power and functionality but two restrictions:

• At most five days to try
    "Sorry, the trial version has expired"
• Cannot decompile any of its own classes
    "Sorry, WingDis is not allowed to decompile itself" and exit.

4. The Trial Version of WingDis 2.11 (continued)

Finding the Java class files:

Run a Bourne shell script from the decompiler's home directory; it prints the names of the files that contain the word "Sorry". Running it on version 2.11 yields a single class file:

    ./wingsoft/javadis/ClassReader.class

Modifying the Java class file:

This is easily done by using Sun's javap utility and Inspector.java.

Output of javap (abridged and annotated)

    [deletions] ### Method void ?(boolean) [deletions]
    Method void ABC(boolean)
    [deletions]
    ###CHANGE 158 (ifle) -> 167 (goto) at byte 23566###
    ### 23566 = 23114 + 452

4. The Trial Version of WingDis 2.11 (continued)

    452 ifle 466
    455 new #138 <Class java.io.IOException>
    458 dup
    459 ldc #9 <String "Sorry, the trial version has expired">
    [deletions]
    466 return

Output of Inspector (abridged and annotated)

    There are 83 methods:
    [deletions]
    Code array in method ? of length 67 starting at byte 22993.
    ###Code array in method ? of length 467 starting at byte 23114.
    Code array in method ABC of length 467 starting at byte 23114.
    Code array in method ? of length 252 starting at byte 23641.

4. The Trial Version of WingDis 2.11 (continued)

Hacker’s TakeDat.java (abridged and annotated)

    [deletions]
    RandomAccessFile victim = new RandomAccessFile(hack, "rw");
    // Now put a "goto" instruction (opcode 167) at bytes 13187, 14412, 23342,
    // 23364, 23423, and 23566
    victim.seek(13186);
    victim.writeByte(167);
    [deletions]

5. The Evaluation License of HotJava Browser

Four JavaBeans components

• can provide 80% of HotJava Browser's functionality
• they are offering them on a try-before-you-buy basis for 30 days

How does the licensing software work?

• Set up a development environment, e.g. the BDK.
• Download the HotJava HTML Component Version 1.1.
• Install HotJavaBean.jar and TextBean.jar.

When these jar files are loaded into the development environment, a set of 5 JavaBeans becomes available for use:

• HotJavaBrowserBean;
• HotJavaDocumentStack;
• AuthenticatorBean;
• HotJavaSystemState; and
• TextBean.

5. The Evaluation License of HotJava Browser (continued)

HotJavaBrowserBean (HotJava HTML Component) would necessarily be used in any browser application. However, any time it is loaded, it pops up a window with warning messages:

    "Notice: This is an evaluation copy of the
    HotJava Browser software. The evaluation license
    expires 30 days after initial installation. Please
    visit the JavaSoft web site at
    http://java.sun.com/products/hotjava
    for additional licensing information."

A hacker can easily disable the embarrassing warning messages and quietly make use of the HotJava HTML Component for profit.

6. Does JTimer Solve the Problem?

JTimer’s Features and Benefits:

    “Secure timer based on public-key private-key encryption.
    Lightweight with a single class to include in your application. No license server is needed.
    Easy key and ticket management.
    Simple API. Add true protection to your software in minutes!
    Increased exposure to potential customers by allowing download of evaluation copies on Internet.
    Protection against piracy with highly secure electronic signature.”

JTimer package

• consists of two Java classes, Admin and Timer.

6. Does JTimer Solve the Problem? (continued)

To use JTimer:

• Generate a public/private key pair, a vendor ID, and a time ticket.
• Include JTimer's Timer.class, the time ticket, and the public key along with the application.
• Call Timer's checkTicket() method to check the expiration date of the license from the ticket and public key.

To check the expiration date of the license:

    java tea.set.timer.Admin -verify ./tea/set/timer/ticket ./tea/set/timer/pubkey

gets the result:

    The evaluation period has expired
    Please purchase a copy or stop using the software
    Verification successful
    Ticket expires at Sun Nov 23 23:53:12 CST 1997

6. Does JTimer Solve the Problem? (continued)

Things InetSoft Technology Corporation forgot:

• Their tool is written in Java, and a hacker has the class files.
• A hacker can alter the application's byte code so that the checkTicket() method always returns the boolean value true.

“In general, it would often suffice to change a single byte in the application from a branching opcode to a goto in order to make it function as if the checkTicket() method always returns true”.
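Because the change described above is a single byte, a vendor or auditor who keeps a reference copy of each shipped class file can detect it by comparison. The sketch below is an added example, not part of the presentation: `audit_class` and `is_tampered` are hypothetical names, and the byte strings are a constructed fragment modelled on the `ifle` at offset 452 in the WingDis listing. The comparison has to run outside the shipped application, since a check compiled into the same class files can be altered the same way.

```python
import hashlib

# Conditional branch opcodes in the JVM instruction set:
# ifeq..if_acmpne are 153-166, ifnull and ifnonnull are 198 and 199.
COND_BRANCH = set(range(153, 167)) | {198, 199}
GOTO = 167

def audit_class(reference: bytes, deployed: bytes) -> dict:
    """Compare a deployed class file with the vendor's reference copy."""
    changed = [i for i, (a, b) in enumerate(zip(reference, deployed)) if a != b]
    return {
        "sha256_reference": hashlib.sha256(reference).hexdigest(),
        "sha256_deployed": hashlib.sha256(deployed).hexdigest(),
        "length_changed": len(reference) != len(deployed),
        "changed_offsets": changed,
        # Heuristic only: a raw byte diff cannot tell an opcode from an operand,
        # so these offsets are leads for review. The digest mismatch is the
        # authoritative signal that the file was modified.
        "branch_to_goto": [i for i in changed
                           if reference[i] in COND_BRANCH and deployed[i] == GOTO],
    }

def is_tampered(report: dict) -> bool:
    return report["sha256_reference"] != report["sha256_deployed"]

# Constructed fragment (not bytes from any real product):
# ifle +14, new #138, dup, ldc #9, five padding bytes, return.
REFERENCE = bytes([0x9E, 0x00, 0x0E, 0xBB, 0x00, 0x8A, 0x59, 0x12, 0x09]
                  + [0x00] * 5 + [0xB1])
# Same fragment with the ifle (158) overwritten by goto (167), as on the slide.
DEPLOYED = bytes([GOTO]) + REFERENCE[1:]

if __name__ == "__main__":
    report = audit_class(REFERENCE, DEPLOYED)
    print("tampered:", is_tampered(report))
    print("changed offsets:", report["changed_offsets"])
    print("branch replaced by goto at:", report["branch_to_goto"])
```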

7. Conclusion

From our first three examples we see that

“the Maginot license is a serious problem for Java developers who desire to sell their software over the Internet on a try-before-you-buy basis”

From the example of JTimer we see that

“This problem has no simple solution. Indeed, there may be no solution at all”.

8. Question

“The question now is which bytes in ClassReader.class to change, and the answer is provided by the output of Inspector. From the javap output we know the methods and the offsets (given by the line numbers) within those methods for the bytes to be changed, and from the Inspector output we know precisely where in the class file the methods in question begin. Adding the offsets to the starting points tells us which bytes to change”.

If the names of those methods are missing, how can the correct starting points be found?