Friday, February 20, 2015

Protecting your application against hacking

Last Tuesday, February 17th, 2015, I saw a publication from Mr. Tuukka Turunen entitled Qt Weekly #26: Protecting your application against hacking, where he stated some pitfalls and advised that a paid Qt license is a good way of protecting your software against hacking. Some comments were written, a lot fewer than I expected for such a vast topic. One that attracted my attention was "Can you share more insights about protection methods against hacking using the open-source libraries?", from a person named Michele. I tried to reply but was unable to do so, so dear Michele, whoever you are, here it goes.
There are ways to avoid tampering that that article didn't mention, as it clearly wants to sell the point that a paid Qt license is better (that may be the case, I'm not opposed to it, and I believe helping the Trolls to pay their bills is the best way to reciprocate everything they've already done for us). But for us cheap hackers who live in very distinct realms where getting a paid Qt license is unfeasible, there are some funny ways (that can be used in the non-LGPL world too) we can protect our beloved programs. I will not delve into specific details, but I used the techniques I mention here in some projects I was involved with. One is to encrypt your binary with a 4096-bit asymmetric key and wrap it in an executable that decrypts it. You can encrypt the main binary, libraries, plugins, resources and everything else. This solution can be coupled with obfuscators, symbol strippers, some canaries in code to avoid tampering with a running program's memory, and homecalling. Those measures will give you a reasonable safety window, allowing you to develop newer versions of your program before people are able to crack an older version. These techniques are not particularly tied to Qt, but can be applied to projects based on it somewhat easily (the paid version doesn't improve this workflow).
About reverse engineering, the DMCA already protects people in the USA and countries that bow to it. There are countries where such a clause may be unenforceable, and people who reverse-engineer are not afraid of legalese, either because they're too small, too big or too far away to care, so if your program is worth reverse engineering, people will try to reverse engineer it, no matter what. So reverse engineering return = software value / (effort × time). Make it difficult enough, time wasting enough, and crackers will go somewhere else. Make great value software, crackers' efforts will redouble.
As a side note, if you are trying to prevent people from using an unpaid software, remember that piracy has its good side, as it promotes visibility and mindshare. You can use the techniques mentioned here to prevent unauthorized use, but I would rather use them to prevent fellow rivals from knowing the innards that make my app so marvelous, or to prevent crackers from using my application as a vector to spread malware.
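The "canaries in code" idea mentioned above, as an added C++ example that is not from the original post or the author's projects: a value is stored beside a keyed canary so that a direct write to process memory is noticed on the next read. `GuardedValue`, its methods and the two demo functions are hypothetical names chosen for this sketch.

```cpp
#include <cstdint>
#include <random>

// Hypothetical helper, not from the post: a value kept next to a canary
// derived from it and a per-process random key. A memory editor that patches
// the value without recomputing the canary is caught on the next read.
class GuardedValue {
public:
    explicit GuardedValue(std::uint32_t v) : key_(makeKey()) { set(v); }
    void set(std::uint32_t v) { value_ = v; canary_ = mix(v ^ key_); }
    // Writes the value to `out` and returns true only if the canary matches.
    bool get(std::uint32_t &out) const {
        if (mix(value_ ^ key_) != canary_) return false;
        out = value_;
        return true;
    }
    // Stand-in for an external write to process memory (constructed for the demo).
    void simulateTamper(std::uint32_t v) { value_ = v; }
private:
    static std::uint64_t makeKey() {
        std::random_device rd;
        return (static_cast<std::uint64_t>(rd()) << 32) | rd();
    }
    // splitmix64 finalizer: a bijective mix, so any changed value changes the
    // canary. It is not a cryptographic MAC; it only raises the effort needed.
    static std::uint64_t mix(std::uint64_t x) {
        x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
        x ^= x >> 27; x *= 0x94d049bb133111ebULL;
        x ^= x >> 31;
        return x;
    }
    std::uint32_t value_ = 0;
    std::uint64_t key_;
    std::uint64_t canary_ = 0;
};

// An untouched value reads back; a patched value is rejected.
bool readsBackWhenUntouched() {
    GuardedValue licensed(1);
    std::uint32_t out = 0;
    return licensed.get(out) && out == 1;
}
bool detectsPatchedValue() {
    GuardedValue licensed(0);
    licensed.simulateTamper(1);
    std::uint32_t out = 0;
    return !licensed.get(out);
}
int main() { return readsBackWhenUntouched() && detectsPatchedValue() ? 0 : 1; }
```

The key and the check live in the same process, so this only adds to the effort side of the post's ratio; it does not make tampering impossible.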

Compliments of the season and happy hacking!

Monday, December 01, 2008

ATI == regret?

My ASUS A8V AMD socket-939 MoBo is no more, has ceased to be, it has expired and gone to meet its maker (and so on). Being unable to find a substitute socket 939 MoBo in the market, I had to buy almost a whole new computer (motherboard, processor, memory and video card). This time I opted for Intel (Core2 quad Q6600 and a DP35DPM MoBo with 4GB DDR2-800 RAM), but I chose to honor AMD's openness by buying an ATI video card (PCIe 3650, 1GB DDR2). Good point: it compiles KDE trunk in a snap. Bad points: ATI's fglrx driver has video artifacts when using 3D compositing while playing a video or running an OpenGL application (probably because of the lack of DRI2 support or some alternative such as the one implemented by NVIDIA), and freezes the machine when I try to open a 2nd X instance. Being used to reporting and fixing bugs, I visited http://suport.ati.com and reported these (tickets 737-1380050 and 737-1380060) as follows:


Ticket #: 737-1380050
Status: Work In Progress
Date Created: 11/30/2008 6:45 PM EDT
Date Updated: 12/1/2008 12:05 AM EDT

Ticket Description
Type of Inquiry: PC support
Bus Type: PCI Express
Operating System: Linux X86 64
Driver Version: CATALYST 8.11
Category: Solve a Problem
Topic: Display
Sub-topic: 3D Applications
Graphics Manufacturer: Sapphire Technology Ltd.
Vendor: Not Sure
Application: Other
Application Name: compiz
Product: Other Sapphire (Uncertified)
Summary: Error when playing video or using OpenGL applications with 3D compositing
Details: When 3D compositing is enabled (either Compiz or kwin4), if I run an OpenGL application or a video player there is image corruption, as if the application was fighting against the window manager for video resources. It probably happens because the fglrx driver lacks DRI2 support or any other way to avoid this problem (afaict).
Disabling 3D compositing is not a satisfactory solution, as current Linux desktop environments are using 3D compositing in a broader and broader way nowadays, and the same problem doesn't happen with other vendors' cards and drivers.

Ticket #: 737-1380060
Status: Work In Progress
Date Created: 11/30/2008 7:50 PM EDT
Date Updated: 12/1/2008 12:05 AM EDT

Ticket Description
Type of Inquiry: PC support
Bus Type: PCI Express
Operating System: Linux X86 64
Driver Version: CATALYST 8.11
Category: Solve a Problem
Topic: Lockups and Hangs
Sub-topic: Operating System
Graphics Manufacturer: Sapphire Technology Ltd.
Product: Other Sapphire (Uncertified)
Summary: System freezes when trying to run a 2nd X server
Details: When I try to run a 2nd instance of X.org's X server with the latest fglrx drivers my computer freezes. It's always repeatable.


After a short period of time I got the following automated response:


The Linux drivers available from ATI are provided "as is".
You may be able to get further assistance from the Linux community
at the links below:


http://www.linux.org/help/index.html

http://www.linuxdoc.org/

http://www.xfree86.org/


To report issues with Linux drivers you can submit an online ticket using
the "Linux Driver Feedback" Category, and your report will be
received and reviewed/tested by our driver team. Please note that your report
will only be responded to if we require additional information.


Not that I had high expectations about seeing these problems fixed anytime soon, but why make me fill a support ticket if they don't support my platform of choice at all? My reply:


First, thanks for the prompt response. I understand the fact the driver is provided "as is", so ATI/AMD doesn't feel obliged to help me with its driver's problem(s). What I don't understand is why, instead of just stamping out clearly that Linux drivers aren't supported, I had to spend time filling a ticket and describing the problem to get such an unuseful answer with three barely related links, while alerting me when I selected "Linux" as the operating system would be much more straightforward and honest.
I understand my ticket will not get a satisfying solution (to me) by ATI/AMD, but nevertheless I still feel the need to remind you that "Customer Care" usually means "caring about customers", and even if I didn't expect to have the problem I reported fixed anytime soon, I at least had hope a Linux driver developer would be notified about it, and maybe I could help him somehow, giving more feedback or anything suitable, as I was able to do with other vendors (NVIDIA's Aaron Plattner and Intel's Keith Packard). Please don't take that as if I'm trying to teach you how to do your work or how ATI/AMD should do business (I'm not), I'm just telling you what I expected from a Company like ATI/AMD, based on experiences I had with other vendors. That said, I recently bought a graphics card with an ATI chipset (3650, 1GB DDR2 RAM) because of a perceived (and widely advertised in the media) openness of your company towards Linux (my platform of choice). Had I but known of this lack of both support and developer interaction beforehand I would surely have chosen another vendor.
I would like to ask ATI/AMD to change its support/customer care website to reflect more precisely its policy about (nonexistent) Linux support, so no time would be spent by someone like me who tried to ask for help and at the same time tried to help ATI/AMD to improve its products.


ATI/AMD is a big Corporation, as NVIDIA and Intel are, but its corporate culture makes the interaction between outsiders and developers much harder to achieve. I've heard nothing from Mr. Matthew Tippett (AMD's Linux Core Engineering Manager) since June 01, 2007, and AMD's forum has scarce information about fglrx problems (it doesn't even have any Linux-specific category).
Linux keeps advancing at a fast pace in the market and is being used more and more. Advanced desktop effects are becoming the norm, and stable, full-featured graphics drivers are essential to make it a reality for more people. Some days ago we saw NVIDIA mention a bugfix for KDE in its drivers!
Please AMD, interact more with your customers. Create proper channels of communication and improve the ones that already exist. Accept and welcome feedback from those who care. Let users take a more active participation in making AMD/ATI products better. Listen to us. Talk to us.