Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: Protecting code and data in Windows
From: Jesper Anderson (jesperpobox.com)
Date: Mon Oct 06 2003 - 09:22:49 CDT
On Sat, Oct 04, 2003 at 01:18:08PM +0500, Muzaffar Mahkamov wrote:
> You're right. The biggest issue here is the debugger. So i wonder
> whether Microsoft could re-implement their debugging privilege or
> susbsystem, you name it. e.g. Windows could give the debug privilege
> to the developer only for debugging his own software. Thus Microsoft
> could win the support of many software companies because most of the
> software is cracked using debuggers. I have no any practical
> considerations yet but i think theoretically this is possible, because
> Windows is not just a GUI but a [commercial] operating system that has
> control over this.
Nope. Can't be done. A software ICE debugger will be able to simply
bypass all of that (essentially the OS runs under the debugger and is
granted rights by the debugger - not the other way around). Even if
that can be protected against (which would make the OS unusable in
virtual systems like VMWare, if it was even possible to do), a
hardware ICE debugger will still work.
The only way to implement this is through the Trusted Computer
Initiative (trusted by the VENDOR, not the OWNER), and that will in
practice lock everyone but licensed developers out of developing
*anything* for the OS. So, that is unlikely to happen. Plus, even that
can be bypassed; although it's harder.
> Many developers out there will not support this idea, neither do i,
> but when it comes to developing really secure software there must be
> some trade-off.
Build an OS with this built in for that then. Start with, for example,
OpenBSD; add the low level protection layer. Unfortunately it won't
help against someone with physical access to the system, but it might
be enough to completely block remote cracking (barring bugs in the
You'll quickly find that it's exactly the same protection that is
already there in UNIX style OS'es, and available (even if not always
used) in Windows OS'es; namely privileges and ACL.
There is no way to block a determined attacker with physical access.
None. It can't be done. It's possible to make it harder for them, and
maybe, just maybe, make it so hard that it's not economically feasible
to attack the system. And if you let the attacker run the software on
his own system, there is no way to protect it *at all*. It's