If it can protect bombs, why not commercial software, too?

Software protection used by Department of Defense comes to commercial sector

A technology used by the U.S. Department of Defense to protect software from piracy and tampering has been released to the commercial sector to help software companies avoid loss of intellectual property, the makers of the product announced Monday.

The team behind vendor Arxan Technologies began designing the product five years ago at Purdue University with funding from the National Security Agency, according to Amena Ali, Arxan’s chief marketing officer.

The military incorporates Arxan technology into weapons systems to prevent tampering, she says. If a weapon went down in enemy territory and did not explode, hackers could use reverse engineering techniques to learn how the missile was built and make duplicates. Arxan prevents that by placing modules of object code into software at the binary level.

“Today every single major defense contractor, as well as the Army, Navy and Air Force all use Arxan because there is a Department of Defense mandate to incorporate antitamper technology in weapons systems,” Ali says.

Arxan decided to take the technology to the commercial sector about a year ago and is marketing it as GuardIT. Arxan has 11 customers in the private sector so far, most of which use GuardIT to protect desktop software. They pay an average of $500,000 to $1 million per year in licensing and support costs, says Arxan CEO Mike Dager.

Worldwide, vendors made $65 billion in PC software in 2006, but lost $40 billion in potential revenue due to pirated software, according to this report by the Business Software Alliance and IDC. In developing countries, more than two-thirds of the market is composed of illegally made software.

A number of vendors have tackled the problem, such as AntiPiracy World, the maker of CipherPack and SafeNet.

Arxan uses a library of 12,000 guards that are placed into software code and prevent hacking in a variety of ways. One guard encrypts sections of a program, and decrypts the sections at runtime, keeping the key a secret so an attacker can’t reverse the process. Another guard obfuscates program logic, breaking up its basic building blocks to make it hard to trace. Another guard overrides code altered by hackers with the original code after tampering has been detected.

The GuardIT system uses a Design Wizard that matches guards to the resources a customer wants to protect and the types of threats the customer wants to avoid, whether that be piracy, reverse engineering, tampering or malware. A single customer could receive thousands of guards, Dager says.

“The attackers and the hackers and the pirates, they’ve got a wide variety of things they can do to steal software, tamper with code,” he says. “We analyze those methods they can come in with and we develop guards to stop that.”

Hurco, an Indiana company that makes software for the machine tools industry, is using GuardIT as it expands into countries where piracy is more common than in the United States, says Hurco Vice President Greg Volovic.

Hurco officials are well aware of piracy threats, having seen one of its products copied illegally and sold on the Internet about six years ago.

When Hurco first made contact with Arxan, Volovic says he and his colleagues asked the vendor to try to hack their code.

“Within 90 minutes of submitting them the code, they had an illegal version operating. That to me showed expertise and credibility,” Volovic says.

Volovic thinks he could have prevented Hurco’s software from being pirated six years ago if GuardIT had been available then.

“They’re able to insert these objects in your code with so many levels of nesting that it becomes almost impossible from a time or resource perspective to be able to break through them,” he says.

Learn more about this topic

Charges dropped in Russian Microsoft piracy case

02/15/07

Microsoft offers Vista preview to fight piracy

01/22/07

Q&A: BSA calls for more police action in Singapore

10/30/06

Software piracy: Love it or hate it

07/10/06

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies