Semprini: Advancing software protection & licensing

The topic of information security has become increasingly important in recent years. The need for protection is not only very high for private individuals, but also for  companies who have an increasing need for information security. Particularly in the IT sector, the protection of intellectual property becomes more and more crucial as delivering commercial software always carries the risk that a criminal user will resell it illegally. If software is distributed and used without the publisher’s permission, manufacturers suffer great economic damage. Software licensing offers technical options to prevent unauthorized use and distribution and ways to implement new business models to improve monetization of the software. The techniques used for licensing are very similar to those used for software protection. Without integrity protection, license checks could easily be bypassed by manipulating the binary code, and without obfuscating the running program, license checks could easily be detected as such and potentially bypassed by external means. Therefore, there is a great need for secure methods of obfuscating programs.

Based on these considerations, the aim of the project SEMPRINI is to optimize procedures for software protection and licensing in terms of usability and performance without sacrificing security. The main goal is to further develop Wibu-Systems patented "Blurry Box" method. This approach emerged in 2014 from a cooperative project between WIBU-SYSTEMS AG, the FZI Research Center for Information Technology, and the Karlsruhe Institute of Technology and has been in use ever since. However, the installation is still very complex and work intensive. Installation currently depends heavily on the logic of the program to be protected and therefore cannot be automated.

From a technology perspective, Wibu-Systems contributions to this project aim to design, analyze, and prototype a new method for automatic variant creation to enable automatic installation of the Blurry Box protection method. Two points are relevant for automatic installation. The first is automatic variant creation, i.e. preparation of the program to increase the complexity of the code structure so that the protection technologies can be better applied. The second is automated outsourcing of decision functions to a dongle, making it harder for analytical tools to detect the conditions of conditional jumps. WIBU-SYSTEMS AG plans to research and prototype procedures for both of these problems as part of the project. In addition, Wibu-Systems will apply the analytical techniques to be developed by the FZI to its own protection technologies in order to analyze the security of its own protection procedures, which do not require special hardware.