Protecting my code if I supply the Computer - decompiling

I know this type of question has been done to death.
My question relates to protecting my code that is installed on a clients PC.
I know the answers are to obfuscate, get a patent, put code on my server, accept it will be hacked, consider that my code is not THAT important or unique etc..
BUT, I am supplying the Windows PC to the client(s) with my software pre-installed.
It is a C# .Net app.
Under these circumstances where I am supplying the hardware is there any other 'tricks' I can use to prevent decompilation my code?
Thanks

Use BitLocker (at rest encryption) on the hard disk and a user for your client with limited privileges. Don't share the admin user's password with your client.

Related

How to create a secure "call home" suport capability for an instrument?

I'm an embedded engineer (not a network guru) building a piece of Linux-based equipment (a portable measurement instrument) that is normally not connected to the Internet, but we need to make it possible for the equipment to "call home" for support, including updates and troubleshooting, in a manner that compromises neither the product's security, nor the customer's network security nor our own company network.
The "call home" capability will be completely controlled by the user, perhaps by pressing a physical button to activate it, after the equipment has been connected to whatever network the customer chooses to use. For prototype and demonstrations systems, this network could be at someone's home or office or even via a phone connection (the equipment will contain only a wired Ethernet port, and the customer would need to provide a wired AP if WiFi access is desired).
Making the connection should require no per-call configuration at the user's end, nor within our box, so I'm thinking we can require the customer to provide DHCP, and not much else. We can also require the customer to first contact us before pressing the "call home" button, so we can have our support interface up only when needed.
When a unit does "call home", it merely makes a connection to a company system, doing nothing else until an engineer (well, me) directly connects to it. Other than the existence of the connection, we should get no (or minimal) information about the network the customer is using. So I'm thinking some kind of SSH connection, but that's as far as I have gotten.
If possible, it should "feel" as if I'm connecting locally, as if the unit were on my desk (perhaps with much more latency, loss, and minimal bandwidth).
But I have no idea whatsoever how to make an SSH connection (if that's the right tool to use for this) as two separate halves: The remote unit "calls" somewhere, presumably on one of our company systems, then that system notifies an engineer (me) that a "call home" has been initiated, then waits for the engineer to connect, forming the other half of the connection.
The connection need not identify the remote system (make, model, serial number, version, etc.): I'd do that manually after logging in securely.
If needed, I can create a new system on our end (Linux, BSD, Windows, whatever, physical or VM) that can be dedicated to just this function. I can get at least one static port mapped out to our corporate WAN, if needed (but something I'd prefer to avoid, if possible).
Ideally, I'd also like for there to be minimal information in the equipment itself, so that possession of the equipment by an adversary (or competitor) could not compromise customer or company networks, other units, nor the call-home technique itself. From what little I know, I'd guess a hostname or IP address, a port number, and a key would be needed, but less would be better!
I'd also like the system to require manual intervention at both ends, with minimal automation that can be buggy or be compromised. Once we implement and test the initial system, automation could be added as our experience with it, and confidence in it, grows.
That's about as far as my thinking has taken me. Beyond this, I'm pretty much clueless. Am I on the right track? What pieces am I missing? Is this already a popular thing to do, and I simply don't know what it is called? How simple and stupid can this capability be made for a couple of prototype systems?
EDIT: If it wasn't obvious already, please assume I'm a networking idiot who can be trusted only to follow an explicit recipe, and not much more. KISS applies!
Disclaimer: as long as no "real" answer is there I just provide my more or less theoretical thoughts with hope it helps.
Without reading in detail, I found http://www.vdomck.org/2005/11/reversing-ssh-connection.html to reverse a ssh-connection. If that is easy to follow (it should be easy, just ssh -R basically, see also http://www.brandonhutchinson.com/ssh_tunnelling.html) it means your remote device could connect to your network (and "Pete" is your Partner at the customer). The problem is that initiating a ssh-connection without user/password requires a authentication- private key on that device (so in non-friendly hands).
You could place a dumb ssh-server with no private data and no special access and even the password you could set just for that single connection (and tell your partner "Pete" via phone), let your phantasie play a bit to get a static half "ImGenious$%" and a dynamic half "1243" so you can give a short easy dynamic half over phone.
Then from that dumb ssh-server you can connect to your device as in the article.
I would suggest the call home functionality uses SSH to connect to your office. This requires your customer's network provides DHCP, Internet access and DNS capability. It also requires them to allow outbound connections on port 22. The latter is possibly an issue for some security minded customers who want to prevent unknown egress of data.
You will need a certificate for your SSH server so the certificate is valid for the domain name you choose. You will also need to make sure the SSH client on the server is configured to accept the signature of your server.
It sounds like the number of devices you will be maintaining is relatively low. For this reason, I would suggest generating unique public/private key pairs for each device. You can then load the public key into your server so logins are accepted via keys only.
If a device is compromised or stolen, you can delete the appropriate key from your server. The device will not be able to login again. The private key on the device only has value because you have decided to accept the associated public key on login. Remove this and it has no value. The added benefit is that you can identify a device by the key it has used to login (e.g. you can associate each key with a different user). You can then tie up the login with the information about the device/customer that you store on your systems.
If you use reverse SSH you can have the device connect in. Once you're ready, you can use the reverse part to connect through the tunnel that the device and your server have already setup to perform the maintenance.

How to secure the software application in a single board arm computer?

We had developed an application in C language. We then cross compiled it and have it port over to an ARM Single Board Computer that is running Linux. We are starting to sell this SBC to customers for their specific needs using this application. However, we heard rumors that they are also trying to hack into the SBC to copy our compiled code and then to decompile it so that in the future they will develop their own.
So my question is: How to protect my software application in the SBC?
We had tried standard Linux software protection solution such as truecrypt but it is difficult to cross compile to the SBC. Any suggestions?
Best regards,
new2RoR
You appear to have two separate issues to deal with here:
Disclosure of confidential information (e.g. details of the implementation of your software)
Unauthorised use/modification of your software
The only entirely reliable solution to both is using a SBC with secure boot, and fully trusted execution path (e.g. everything code-signed). This is by no means impossible, but will limit your hardware choices and be high-effort. This is fundamentally contrary to the ethos of the open source movement, and solutions are hard to come by.
Dealing with the issue of confidentiality, disassembling compiled C and C++ is not particularly easy or useful and requires a fairly high level of skill; it won't be an economic attack unless the value of doing so is very high.
Unless you can prevent the attacker getting access to the binary form of the software, you can reduce the attack surface and make life more difficult for any attacker by:
Stripping symbols
Obfuscating those symbols that need to remain
Statically link with libraries.
Obfuscation or encryption of any data compiled into the software
Preventing unauthorised usage can be achieved by some kind of authentication with something a legitimate user holds and/or code signing
Code signing can be used to prevent modified versions of the software being used (so long as you trust the operating system to enforce it)
Using a hardware authentication token or unique identity device can ensure the software isn't copied and used on another system.
In practice, you probably want both of these.

Linux per program firewall similar to windows and mac counterparts

Is it possible to create GUI firewall that works as Windows and Mac counterparts? Per program basis. Popup notification window when specific program want to send\recv data from network.
If no, than why? What Linux kernel lacks to allow existence of such programs?
If yes, than why there aren't such program?
P.S. This is programming question, not user one.
Yes it's possible. You will need to setup firewall rules to route traffic through an userspace daemon, it'll involve quite a bit of work.
N/A
Because they're pretty pointless - if the user understands which programs he should block from net access he could just as well use one of multiple existing friendly netfilter/iptables frontends to configure this.
It is possible, there are no restrictions and at least one such application exists.
I would like to clarify a couple of points though.
If I understood this article correct, the firewalls mentioned here so far and iptables this question is tagged under are packet filters and accept and drop packets depending more on IP addresses and ports they come from/sent to.
What you describe looks more like mandatory access control to me. There are several utilities for that purpose in Linux - selinux, apparmor, tomoyo.
If I had to implement a graphical utility you describe, I would pick, for example, AppArmor, which supports whitelists, and, to some extent, dynamic profiling, and tried to make a GUI for it.
OpenSUSE's YaST features graphical interface for apparmor setup and 'learning' , but it is specific to the distribution.
So Linux users and administrators have several ways to control network (and files) access on per-application basis.
Why the graphical frontends for MAC are so few is another question. Probably it's because Linux desktop users tend to trust software they install from repositories and have less reasons to control them this way (if an application is freely distributed, it has less reasons to call home and packages are normally reviewed before they get to repositories) while administrators and power users are fine with command line.
As desktop Linux gets more popular and people install more software from AUR or PPA or even from gnome-look.org where packages and scripts are not reviewed that accurately (if at all) a demand for such type of software (user-friendly, simple to configure MAC) might grow.
To answer your 3rd point.
There is such a program which provides zenity popups, it is called Leopard Flower:
http://sourceforge.net/projects/leopardflower
Yes. Everything is possible
-
There are real antiviruses for linux, so there could be firewalls with GUI also. But as a linux user I can say that such firewall is not needed.
I reached that Question as i am currently trying to migrate from a Mac to Linux. There are a lot of applications I run on my Mac and on my Linux PC. Some of them I trust fully. But others I am not fully trusting. If they are installed from a source that checks them or not, do i have to trust them because someone else did? No, I am old enough to choose myself.
In times where privacy is getting more and more complicate to achieve, and Distributions exist that show that we should not trust everyone, I like to be in control of what my applications do. This control might not end at the connection to the network/Internet but it is what this question (and mine is about.
I have used LittleSnitch for MacOSX in the past years and I was surprised how often an application likes to access the internet without me even noticing. To check for updates, to call home, ...
Now where i would like to switch to Linux, I tried to find the same thing as I want to be in control of what leaves my PC.
During my research I found a lot of questions about that topic. This one, in my opinion, best describes what it is about. The question for me is the same. I want to know when an application tries to send or receive information over the network/internet.
Solutions like SELinux and AppAmor might be able to allow or deny such connections. Configuring them means a lot of manual configuration and does not inform when a new application tries to connect somewhere. You have to know which application you want to deny access to the network.
The existence of Douane (How to control internet access for each program? and DouaneApp.com) show that there is a need for an easy solution. There is even a Distribution which seems to have such a feature included. But i am not sure what Subgraph OS (subgraph.com) is using, but they state something like this on there website. It reads exactly like the initial question: "The Subgraph OS application firewall allows a user to control which applications can initiate outgoing connections. When an unknown application attempts to make an outgoing connection, the user will be prompted to allow or deny the connection on a temporary or permanent basis. This helps prevent malicious applications from phoning home."
As it seems to me, there are only two options at the moment. One is to Compiling Douane manually mysqlf or two, switch distribution to Subgraph OS. As one of the answers state, everything is possible - So i am surprised there is no other solution. Or is there?

can the license information stored in Dongle be taken out of it and stored on a file or something?

We have a registered PC based application that needs a Dongle (hardware that gets plugged on the printer port) to start and execute. The vendor who provided us this application and Dongle, does not make or work with these dongles any more, since they are very old technology, and would not help us in this aspect.
So my question is --> is it possible to read the security code from this Dongle and store it in a file or something on the PC. We also do not have the source code of the application. Can we change the call in the application to read the security key from this file instead of trying to read it from the Dongle attached to the printer/parallel port.
Sorry for the vague question but we are very desperate to get help on this problem as out application has 16-bit code and it would not be supported by Windows 7 which is 64 bit. Thanks!!
The LPT security devices don't just contain information but usually include a processor and perform certain operations. Dongle emulators were developed when dongles where more widespread, but as they were based on reverse-engineering, they didn't work exactly right.
To answer your question, no, what you need is not possible. You need to start thinking about migration to another application. A temporary solution would be to have a copy of older OS running in virtual machine and to have your application run in this virtual machine. Such solution will work for another 5-10 years for sure, and I think it's enough for migration.

How are web site passwords encrypted by browsers?

What are some platform-specific API's that web browsers use to securely save passwords with reversible encryption on local systems?
Since they must be able to reproduce the exact characters to pass up to a web site, the data can't be a one-way hash. My initial thought is there are system methods which utilize your current authentication data to perform encryption/decryption, but do not give access to applications to read it (your system login data) directly. I'm wondering what these are on different platforms (Windows, Linux, OS X) and how well they protect the information if the hard drive is accessed directly; i.e. a stolen laptop hard drive is placed into another computer or analyzed via a Live CD.
Here's how google chrome does it. Looks like they use CryptProtectData on windows.

Resources