The Maginot License: Failed Approaches to Licensing Java Software Over the Internet. Mark D. LaDue, Ph. D. Presented by Li Fajie. Outline. 1. Introduction 2. Java Class Files at a Glance 3. The Evaluation License of SurfinShield - PowerPoint PPT Presentation
The Maginot License: Failed Approaches to Licensing Java
Software Over the Internet
Mark D. LaDue, Ph. D.
Presented by Li Fajie
Outline
1. Introduction
2. Java Class Files at a Glance
3. The Evaluation License of SurfinShield
4. The Trial Version of WingDis 2.11
5. The Evaluation License of HotJava Browser
6. Does JTimer Solve the Problem?
7. Conclusion
8. Question
1. Introduction
Java Class File Format
easy disassembly and even decompilation
Try-before-you-buy basis
Maginot license
“Like the French fortifications constructed between the World Wars, they are simple to detect and to skirt.” (Mark D. LaDue)
Simple attack tools:
javap utility
class java.io.RandomAccessFile
Inspector.java
2. Java Class Files at a Glance
Example: Test725.java
class Test725 {
    int squares(int n) {
        return n * n;
    }
}
Test725.class (abridged and annotated)
Magic=0xCAFEBABE Version=45.3 Access=synchronized (0x0020)
Class=(#2) "Test725"(#8)
SuperClass=(#1) "java/lang/Object"(#17)
Test725.class (continued)
Constant Pool Entries=23
#1 Kind=CONSTANT_Class(7)
Name="java/lang/Object"(#17)
#2 Kind=CONSTANT_Class(7) Name="Test725"(#8)
[deletions]
Interface Table Entries=0 Field Table Entries=0
Method Table Entries=2 AL_CODE: Method 1
Method="Test725.squares"(#19) Signature="(I)I"(#11)
Access= (0x0000) Attribute Count=1 Attribute="Code"(#16)
Length=56 Max Stack=2 Max Locals=2 Code Length=4
Test725.class (continued)
0x00000000 1B iload_1
0x00000001 1B iload_1
0x00000002 68 imul
0x00000003 AC ireturn
[deletions]
Attribute Table Entries=2
Attribute="SourceFile"(#14) Length=2
Source File="Test725.java.java"(#10)
Attribute="AbsoluteSourcePath"(#6) Length=2
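The listing above shows what the class-file header and constant pool look like once decoded. The following reader, an added example that is not part of the original slides, parses exactly those structures (magic, version, constant pool, this_class and super_class) from a tiny class file constructed inline with struct; the constructed sample is not taken from any real product and contains no methods.

```python
# Added example: minimal reader for the Java class-file header and constant
# pool, the structures the Test725.class listing shows. The sample class file
# is constructed here (assumption: a class 'Test725' with no methods).
import struct

MAGIC = 0xCAFEBABE
# Constant-pool tags from the JVM specification (only the subset used here).
CONSTANT_Utf8, CONSTANT_Class = 1, 7
CONSTANT_Fieldref, CONSTANT_Methodref, CONSTANT_NameAndType = 9, 10, 12

def build_sample_class():
    """Construct a tiny class file for 'Test725' (constructed sample input)."""
    out = struct.pack(">IHH", MAGIC, 3, 45)          # magic, minor 3, major 45
    cp = [struct.pack(">BH", CONSTANT_Class, 3),      # #1 Class -> Utf8 #3
          struct.pack(">BH", CONSTANT_Class, 4),      # #2 Class -> Utf8 #4
          struct.pack(">BH", CONSTANT_Utf8, 16) + b"java/lang/Object",  # #3
          struct.pack(">BH", CONSTANT_Utf8, 7) + b"Test725"]            # #4
    out += struct.pack(">H", len(cp) + 1) + b"".join(cp)  # cp_count = entries + 1
    out += struct.pack(">HHH", 0x0020, 2, 1)          # access, this_class, super_class
    out += struct.pack(">HHHH", 0, 0, 0, 0)           # no interfaces/fields/methods/attrs
    return out

def parse_class(data):
    """Decode header and constant pool; resolve this/super class names."""
    magic, minor, major, cp_count = struct.unpack_from(">IHHH", data, 0)
    if magic != MAGIC:
        raise ValueError("not a class file")
    pool, pos, idx = [None], 10, 1                    # pool is 1-indexed
    while idx < cp_count:
        tag = data[pos]
        if tag == CONSTANT_Utf8:
            (length,) = struct.unpack_from(">H", data, pos + 1)
            pool.append(("Utf8", data[pos + 3:pos + 3 + length].decode()))
            pos += 3 + length
        elif tag == CONSTANT_Class:
            pool.append(("Class", struct.unpack_from(">H", data, pos + 1)[0]))
            pos += 3
        elif tag in (CONSTANT_Fieldref, CONSTANT_Methodref, CONSTANT_NameAndType):
            pool.append(("Ref", struct.unpack_from(">HH", data, pos + 1)))
            pos += 5
        else:
            raise NotImplementedError("constant-pool tag %d" % tag)
        idx += 1
    access, this_cls, super_cls = struct.unpack_from(">HHH", data, pos)
    name = lambda i: pool[pool[i][1]][1]               # Class entry -> Utf8 text
    return {"version": (major, minor), "access": access,
            "class": name(this_cls), "super": name(super_cls),
            "pool_entries": cp_count - 1}
```

Every class name, method name and string the program uses sits in this pool as plain text, which is why javap and similar tools can recover so much from a compiled class.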
Java Class Files Raise Some Security Concerns
• Recover source code from them to obtain hacked class files
• Alter code in class files
  insert some code
  change control flow
3. The Evaluation License of SurfinShield
• SurfinShield has a 30-day evaluation license
• It can be observed that: when sfsinstall (SurfinShield's installation script) installed the software, it allowed the zip application to call attention to SFped.class.
Unzipping SurfinShield.zip yields SFped.class
Examining SFped.class
The output of javap (javap -c SFped):
Compiled from SFped.java
public class SFped extends java.lang.Object {
static final int year;
static final int month;
static final int day;
public java.util.Date ped;
public SFped();
}
Examining SFped.class (continued)
Method SFped()
[deletions]
9 ldc #3 <Integer 97>
11 ldc #2 <Integer 3>
13 ldc #1 <Integer 15>
[deletions]
Notice:
installation date (March 15, 1997) hard-coded into the class file
Likely form of SFped.java
/* Deduced from the output of javap -c SFped */
import java.util.Date;

public class SFped {
    static final int year = 97;
    static final int month = 3;
    static final int day = 15;
    public Date ped;

    public SFped() {
        ped = new Date(year, month, day);
    }
}
Hacked SFped.java
import java.util.Date;

public class SFped {
    public Date ped;

    public SFped() {
        ped = new Date();
        ped.setDate(ped.getDate() - 1);
    }
}
Update SurfinShield.zip
zip -u -n ".class" SurfinShield.zip SFped.class
SurfinShield will now run as before, and its splash screen will always
report that the evaluation license has 29 days before it expires.
4. The Trial Version of WingDis 2.11
The Trial Version vs the Real Product
Same power and functionality but two restrictions:
• At most five days to try
  "Sorry, the trial version has expired"
• Cannot decompile any of its own classes
  "Sorry, WingDis is not allowed to decompile itself" and exit.
4. The Trial Version of WingDis 2.11 (continued)
Finding the Java Class Files:
Run a Bourne shell script from the decompiler's home directory; it prints the names of files that contain the word "Sorry".
Running it on version 2.11 yields a single class file:
./wingsoft/javadis/ClassReader.class
Modify the Java Class File
This is easily done using Sun's javap utility and Inspector.java.
Output of javap (abridged and annotated)
[deletions]
### Method void ?(boolean)
[deletions]
Method void ABC(boolean)
[deletions]
###CHANGE 158 (ifle) -> 167 (goto) at byte 23566###
### 23566 = 23114 + 452
4. The Trial Version of WingDis 2.11 (continued)
452 ifle 466
455 new #138 <Class java.io.IOException>
458 dup
459 ldc #9 <String "Sorry, the trial version has expired">
[deletions]
466 return
Output of Inspector (abridged and annotated)
There are 83 methods:
[deletions]
Code array in method ? of length 67 starting at byte 22993.
###Code array in method ? of length 467 starting at byte 23114.
Code array in method ABC of length 467 starting at byte 23114.
Code array in method ? of length 252 starting at byte 23641.
4. The Trial Version of WingDis 2.11 (continued)
Hacker’s TakeDat.java (abridged and annotated)
[deletions]
RandomAccessFile victim = new RandomAccessFile(hack, "rw");
// Now put a "goto" instruction (opcode 167) at bytes 13187, 14412, 23342,
// 23364, 23423, and 23566
victim.seek(13186);
victim.writeByte(167);
[deletions]
5. The Evaluation License of HotJava Browser
Four JavaBeans components can provide 80% of the HotJava Browser's functionality.
They are offered on a try-before-you-buy basis for 30 days.
How does the licensing software work?
Set up a development environment, e.g. the BDK.
Download the HotJava HTML Component Version 1.1.
Install HotJavaBean.jar and TextBean.jar.
When these jar files are loaded into the development environment, a set of 5 JavaBeans becomes available for use:
HotJavaBrowserBean;
HotJavaDocumentStack;
AuthenticatorBean;
HotJavaSystemState; and
TextBean.
5. The Evaluation License of HotJava Browser (continued)
HotJavaBrowserBean (the HotJava HTML Component) would necessarily be used in any browser application. However, any time it is loaded, it pops up a window with warning messages:
"Notice: This is an evaluation copy of the
HotJava Browser software. The evaluation license
expires 30 days after initial installation. Please
visit the JavaSoft web site at
http://java.sun.com/products/hotjava
for additional licensing information."
A hacker can easily disable the embarrassing warning messages and quietly make use of the HotJava HTML Component for profit.
6. Does JTimer Solve the Problem?
JTimer’s Features and Benefits: “Secure timer based on public-key private-key encryption.
Lightweight with a single class to include in your application. No license server is needed.
Easy key and ticket management.
Simple API. Add true protection to your software in minutes!
Increased exposure to potential customers by allowing download of evaluation copies on Internet.
Protection against piracy with highly secure electronic signature.”
The JTimer package consists of two Java classes, Admin and Timer.
6. Does JTimer Solve the Problem? (continued)
To use JTimer:
generate a public/private key pair, a vendor ID and a time ticket;
include JTimer's Timer.class, the time ticket and the public key along with the application;
call Timer's checkTicket() method, which checks the expiration date of the license using the ticket and the public key.
To check the expiration date of the license
java tea.set.timer.Admin -verify ./tea/set/timer/ticket ./tea/set/timer/pubkey
gets the result:
The evaluation period has expired
Please purchase a copy or stop using the software
Verification successful
Ticket expires at Sun Nov 23 23:53:12 CST 1997
6. Does JTimer Solve the Problem? (continued)
Things InetSoft Technology Corporation forgot:
Their tool is written in Java, and a hacker has the class files.
A hacker can alter the application's byte code so that the checkTicket() method always returns the boolean value true.
“In general, it would often suffice to change a single byte in the application from a branching opcode to a goto in order to make it function as if the checkTicket() method always returns true”.
7. Conclusion
From our first three examples we see that
“the Maginot license is a serious problem for Java developers who desire to sell their software over the Internet on a try-before-you-buy basis”
From the example of JTimer we see that “This problem has no simple solution. Indeed, there may be no solution at all”.
8. Question
“The question now is which bytes in ClassReader.class to change, and the answer is provided by the output of Inspector. From the javap output we know the methods and the offsets (given by the line numbers) within those methods for the bytes to be changed, and from the Inspector output we know precisely where in the class file the methods in question begin. Adding the offsets to the starting points tells us which bytes to change”.
If the names of those methods are missing, how do we get the correct starting points?