Hundreds of eager participants from all over the world took part in our latest hacker’s contest. Their mission: To crack the Blurry Box® protection for a game application to work without its license. Blurry Box is a novel protection technology that relies on fully public encryption mechanisms. The end result: Not a single hacker managed to break the new technology.
For three long weeks, the contestants labored away at the challenge. Two indeed managed to send meaningful results to the independent jury, including Professors Dr. Thorsten Holz and Dr. Christof Paar from the Horst Goertz Institute (HGI) and Professor Dr. (TU NN) Norbert Pohlmann from the Institute for Internet Security if(is). Neither hack actually broke the Blurry Box protections. The jury decided to withhold the €50,000.00 prize money, but both entrants were granted €1,000.00 in recognition of their effort. The remaining prize money will go towards more research and development in the area.
Blurry Box was developed by the Competence Center for Applied Security Technology (KASTEL) at the Karlsruhe Institute of Technology (KIT), the Research Center for Information Technology (FZI) and Wibu-Systems and took first prize at the 2014 German IT Security Awards. It has been integrated in CodeMeter and its capabilities have been proven publicly in the open contest. The technology, based on seven special mechanisms, duplicates, modifies, and encrypts individual functions in a program and selects the right variant only during runtime, with due consideration for the program flow. It also limits the rate of decryption. When a function is called up, only that function will be decrypted, while the other functions remain locked away in the memory. Decrypting a function that is not actually required will lead to the automatic termination of the license, making brute force attacks impossible. The effort that would-be hackers need to invest to crack the protections is higher than the work that would go into developing the program from scratch. For a vivid explanation of the mechanism, Wibu-Systems has produced a special animation video: https://www.wibu.com/bb.
, Director of the Institute of Cryptography and Security at the Karlsruhe Institute of Technology (KIT), explains the thinking behind the contest: “The results of the hacker’s contest make me proud. However good our analytical work beforehand, real-world security depends on how well our theoretical models match the reality out there. We can only know this by observation and empirical experiments. Even theories benefit from hacker’s contests. Our IT security research at the KASTEL competence center sees systems holistically and considers many different disciplines and methods. Blurry Box is a perfect example of this.”
Greater security is usually coming at the price of lower performance. This means that some of the more computing-intensive features of Blurry Box will only be working with local licenses.
Blurry Box vs. CodeMoving: Who wins?
Blurry Box and CodeMoving are not mutually exclusive. In fact, Blurry Box uses CodeMoving to select the next method on the CmDongle. However, traditional CodeMoving typically works slowly and the protected functions are trivial. With Blurry Box, CodeMoving truly comes into its own. Even complex functions can now be protected, and only the choice of variants is made on the CmDongle. This makes Blurry Box readily scalable with continued acceptable performance.