F-LaaS: A Control-Flow-Attack Immune License-as-a-Service Model

We use license servers to verify users’ credentials and to restrict access to proprietary software. Due to logistical reasons, it is often economical to use third party servers to manage licenses. Sadly, users on client machines can mount sophisticated attacks on the executables and try to circumvent the license check. This can be used to crack the software, and thus it is necessary for software writers to prevent such attacks, which include the use of additional code to check the integrity of the binary and the control flow. In spite of such techniques, modern control flow bending(CFB) techniques that rely on running instrumented binaries on virtual machines can circumvent such checks and change the behavior of branches and jumps at runtime. They are however extremely computationally inefficient. We propose an AI based technique that is an order of magnitude faster than the state of the art, and show its efficacy by breaking 3 widely used license managers, and 5 popularly used software. Finally, we propose a new license management service, F-LaaS that hides key functions in the binary, and are provided runtime after verifying the license to thwart the CFB attacks. We show that F-LaaS incurs an average overhead of 0.26% in the runtime of the binary.