Hardware Anti-Piracy Protection on Windows RT 8.1

    Reading a short article on a well-known news site, I came across an amusing opening line: “Microsoft's new tablets seem designed so that nobody will buy them.” Dubious as the statement is, in my opinion, it is nevertheless supported by the difficult fate of the first version of Surface RT and the new Surface 2's striking similarity to it. However, our company has always cared first and foremost about its customers.
    The gist of this article, which may seem a bit provocative to Habr readers, is as follows: at the end of 2013 we are introducing a new product, the Guardant Code micro electronic key, to protect applications on Windows RT from piracy. Some readers may already be twirling a finger at their temple, but we really are offering developers of serious (!) Windows RT applications a way to protect their software with a hardware key.

    In this article you will learn:
    1. Why we needed Windows RT 8.1, and what is wrong with the first Windows RT from the point of view of our tasks
    2. How this whole construction works
    3. How architectural limitations prevented us from supporting an electronic key in the form of a microSD card
    4. ... and which kludges can get around them

    First contact

    Before the Surface was released, we discussed adding Windows RT to our list of target platforms. We still had a certain faith in Microsoft, and besides, they have money. With money and the right approach you can promote anything on the market, although so far they have not really succeeded. Then again, Android did not become king of the smartphone market in a single day either, so time will tell whether Microsoft's strategy is right. In any case, we got the first version of the Surface a year ago, studied it carefully and decided to do nothing. Entering a nonexistent market with our products is dangerous: we had to wait a couple of quarters for Surface sales results and gauge the interest of our category of customers.

    We waited, drew our conclusions, and put the Surface away in a far desk drawer.

    The project stayed in that state until the middle of summer 2013, when Microsoft [apparently out of desperation] decided to give its product a push and began handing it out almost for free in the education sector (I exaggerate, of course), and also cut the price for everyone else. And the education sector does in fact have serious products, and it has piracy. So, the starting conditions for July 2013: there is a “promising” platform, there are interested customers, and there is a ready-made base in the form of the Guardant Mobile project (aimed at Android, with microSD and USB keys). We got to work.

    Unsuccessful attempt


    We started with our youngest and very niche product: Guardant SD. It is a microSD card with a microcontroller (with hardware-accelerated cryptography) and 4 GB of general-purpose memory. It lets you load Java applets and execute them on board through a very simple API. Architecturally it is very similar to our Guardant Code key and is tailored for protecting applications: expensive business applications, for example a "Mobile waiter" on Android tablets. The idea is this: we move an important part of the Java code into the applet and embed our API calls in place of the removed code. That is all: part of the code now runs on the card, the application gains an uncopyable hardware component in addition to its set of bytes, and piracy is shut out. It works on Android, Windows and Linux, and we tried to make it work on Windows RT.

    It did not work out. The nasty surprise came from, let's say, certain limitations of Windows RT.

    It all started with the fact that the wonderful, convenient and user-oriented Windows RT categorically refuses to see files with the "hidden" flag. Really, why would an iPad rival need them? A digression: the exchange with the key goes through a regular file on the card, which the microcontroller creates as hidden by default. Making the Surface see this file was practically impossible.

    In practice, however, this is surmountable. If the card is prepared before sale on any other platform, the file can be explicitly created as visible, and the microcontroller will not touch the flag. Of course, the first formatting of the card, or deleting the file, will make the key inoperative, but the file can always be recreated.

    The real problem came from elsewhere, although it is similar in nature. It went like this: we ported the main part of the code (the core of the low-level library that implements the card exchange protocol), tried to send an APDU to the card, and could not get past the first command. It felt as if the microcontroller simply did not want to answer us. After a short while spent digging through the Internet and pestering the microcontroller's manufacturer, we found that Windows RT has read buffering that cannot be disabled. That is, you can send a request to the card and flush the write, but you cannot read the response: it is served from the buffer. Evidently Windows RT does not expect that a file on the card can be modified from inside the card, in our case by the microcontroller. A hundred man-hours of expensive development were practically flushed down the toilet, although they did let us study the platform better.

    Naturally, we went through all the documentation and the Internet and talked to Microsoft representatives, but we got our knuckles rapped with a ruler and shelved the project: if it is not allowed, it is not allowed.

    However, our engineering minds were not ready to give up so easily. It was hard to believe that a couple of kludges could not be found to get around this limitation. They were found. Here is the recipe in two steps:

    1. Create a 400 MB exchange file on the card.
    2. Make the firmware write the microcontroller's responses sequentially, rather than always to the beginning of the file.

    And there it is: unreliable and crooked, but a working solution. With a file this size, Windows RT does not dare to cache it entirely for reading, and since each response is written to a new address in the exchange file, it is read correctly. Slowly, because of the file size, but it is read.

    Despite having a solution, we did not take it into production because of the following concerns:

    • A significant increase in RAM in future Surface models may allow Windows RT to cache this file as a whole after all (or at least significant parts of it)
    • We consume a noticeable share of the card's 4 GB of flash memory (and the tablet has only one microSD slot)
    • When the 400 MB run out, the responses have to wrap around and be written from the beginning of the file, where something may already be cached
    • It all works rather slowly
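
    The workaround and the first and third concerns can be reproduced with a small model. This is an added example, not code from the article or from Guardant: the slot counts, the FIFO eviction policy and all names are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed toy model, not Guardant or Windows code. The exchange file is
   file_slots response slots; the host keeps a FIFO read cache of cache_cap
   slots and never learns about writes made by the card itself. */
#define MAX_SLOTS 64
struct model {
    uint32_t card[MAX_SLOTS];   /* what the microcontroller last wrote */
    uint32_t copy[MAX_SLOTS];   /* host's cached copy of each slot */
    int in_cache[MAX_SLOTS];
    int fifo[MAX_SLOTS];        /* cached slots, oldest first */
    int used, cap;
};

/* Host-side read: a cached slot is returned without touching the card. */
static uint32_t host_read(struct model *m, int slot) {
    if (m->in_cache[slot]) return m->copy[slot];
    if (m->used == m->cap) {    /* cache full: evict the oldest slot */
        m->in_cache[m->fifo[0]] = 0;
        m->used--;
        memmove(m->fifo, m->fifo + 1, (size_t)m->used * sizeof m->fifo[0]);
    }
    m->fifo[m->used++] = slot;
    m->in_cache[slot] = 1;
    return m->copy[slot] = m->card[slot];
}

/* Exchange i: the card writes response i+1 to slot i % file_slots (one slot
   means "always at the file start"), then the host reads that slot.
   Returns the number of stale reads, or -1 on unsupported sizes. */
int stale_reads(int file_slots, int cache_cap, int exchanges) {
    struct model m;
    int stale = 0;
    if (file_slots < 1 || file_slots > MAX_SLOTS ||
        cache_cap < 1 || cache_cap > MAX_SLOTS) return -1;
    memset(&m, 0, sizeof m);
    m.cap = cache_cap;
    for (int i = 0; i < exchanges; i++) {
        int slot = i % file_slots;
        m.card[slot] = (uint32_t)i + 1;
        if (host_read(&m, slot) != (uint32_t)i + 1) stale++;
    }
    return stale;
}

int main(void) {
    printf("stale reads: fixed offset %d, file > cache %d, cache >= file %d\n",
           stale_reads(1, 4, 10), stale_reads(8, 4, 16), stale_reads(8, 16, 16));
}
```

    With a fixed offset every read after the first is stale. Sequential writes stay fresh across the wrap-around only while the file is larger than the cache, and once the cache can hold the whole file every read after the wrap is stale again.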

    Of course, we were pleased with our ingenuity, but decided to try adapting the Guardant Code micro USB key to the tablet instead. Fortunately, a USB port is guaranteed to be there, and the micro key does not get in the way much (see the picture at the beginning of the article).

    Second unsuccessful attempt

    Having decided that a USB key would not run into these problems, we rushed into battle. We switched the key to HID mode and plugged it into the tablet: the key was detected and the LED lit up. We could begin exchanging data.

    We were disappointed again. The WinRT API offered no way to send anything to a custom USB device, even though we had honest HID support. Microsoft did, of course, design Windows RT as a closed ecosystem (OS, hardware, an application store with no alternative), but this degree of closedness is shameless.

    By the end of July the situation was this: we were losing heart, our devices could not be adapted to the Surface, and it was time to give our customers a firm and reasoned “no”.

    And then we noticed the announced Windows RT 8.1 and its already available Preview version.

    The third attempt, successful

    Windows RT (on the Surface in particular) has a fairly insistent Windows Update. We can therefore assume that for most Surface users (however few of them there may seem to be) the update to 8.1 will not take long. And a pleasant surprise awaited us in the new version: support for working with arbitrary HID devices. As mentioned earlier, our current electronic keys can work either over a proprietary protocol that requires a driver or in HID mode. Working without a driver slightly reduces the speed and security of the exchange, but nothing critical results. Since on mobile platforms we support only Code, security rests in any case on the code that the customer moves out of the application to be executed on board the key.

    The development process for Windows 8.1 went predictably well. The new Microsoft APIs worked perfectly even in the Preview version, and we did not run into any significant difficulties. And so, on the third attempt, we got a product that protects against piracy on Windows RT.

    In essence, the library we developed lets you split the application into two parts:

    1. The application for the Windows Store
    2. The key intellectual part, moved into the Code key (up to 50,000 lines of C code).

    The code is invoked through a single function, CodeRun, which takes an input buffer, an output buffer and a selector (used in a switch inside the key to choose which code fragment to execute). Of course, you can build arbitrarily intricate logic on top of the buffers to make analysis as hard as possible.

    In effect we get two things “for the price of one”: with a well-chosen piece of code to load, we get protection from analysis and modification (the important code is inside the key), and, of course, we get an uncopyable entity in the form of a hardware key that is an integral part of the application.
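
    A sketch of how the key-side code behind such a single entry point can be organised, as an added example and not Guardant's API or the author's code: key_entry, host_call, their signatures, the selectors, the status codes and the two business rules are all hypothetical. The key treats the host as untrusted and checks the selector, the buffer lengths and the decoded values before it writes a reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical names throughout: key_entry, host_call, the selectors and the
   status codes are invented for this sketch and are not the Guardant API. */
enum { SEL_BILL = 1, SEL_SPLIT = 2 };
enum { KEY_OK = 0, KEY_BAD_SELECTOR = -1, KEY_BAD_LENGTH = -2, KEY_BAD_INPUT = -3 };
static uint32_t rd32(const uint8_t *p) {
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Key side. The host is untrusted, so the selector, both buffer lengths and
   the decoded values are checked before anything is written to out. */
int key_entry(uint32_t sel, const uint8_t *in, size_t in_len,
              uint8_t *out, size_t out_cap) {
    if (!in || !out || in_len != 8 || out_cap < 4) return KEY_BAD_LENGTH;
    uint32_t a = rd32(in), b = rd32(in + 4);
    uint64_t r;
    switch (sel) {
    case SEL_BILL:                  /* a = quantity, b = unit price in cents */
        r = (uint64_t)a * b;
        if (a >= 100) r -= r / 10;  /* volume discount exists only in the key */
        if (r > UINT32_MAX) return KEY_BAD_INPUT;
        break;
    case SEL_SPLIT:                 /* a = total in cents, b = number of guests */
        if (b == 0) return KEY_BAD_INPUT;
        r = ((uint64_t)a + b - 1) / b;  /* per-guest share, rounded up */
        break;
    default: return KEY_BAD_SELECTOR;
    }
    wr32(out, (uint32_t)r);
    return KEY_OK;
}

/* Host side: pack two arguments, call the key, return the result or its status. */
int64_t host_call(uint32_t sel, uint32_t a, uint32_t b) {
    uint8_t in[8], out[4];
    wr32(in, a);
    wr32(in + 4, b);
    int rc = key_entry(sel, in, sizeof in, out, sizeof out);
    return rc == KEY_OK ? (int64_t)rd32(out) : rc;
}

int main(void) {
    printf("bill for 100 x 2.50: %lld cents\n", (long long)host_call(SEL_BILL, 100, 250));
}
```

    Here key_entry runs in the same process only so that the sketch is runnable; in the split the article describes, that function body would live on the key and the host would hold nothing but the packing code.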

    And finally, a few important points:

    • You need to add lines to the application manifest to allow work with the dongle
    • Even the most innocuous access to the key requires confirmation through a GUI dialog, so it cannot even be tested with a GUI-less unit test library: an exception is thrown
    • You cannot access the key from the main program thread

    On this note I end my story about Windows RT and copyright. How necessary and appropriate hardware protection keys are at the end of 2013, on a platform that has not yet taken off, time will tell. At least Microsoft managed to bring in $400 million from Surface sales last quarter; that is a good sign, especially after writing off $900 million the year before.
