Java Software protection

Harry Barrow (barrow@cambridge.scr.slb.com)
Fri, 08 Jan 1999 20:32:46 +0000

I think there is a general problem which may need to be addressed
by Sun directly. It is the problem of protecting Java software
(applications or applets) from piracy and theft. Developers need
a means to ensure that their Java programs can only run on
authorized installations.

During the development of the Java platform, portability issues have
led to insulation of applications/applets from the underlying hardware,
and security issues have focussed upon protecting the client from
attack. Consequently, what we do not have is the means for
developers to ensure that their Java programs can only run on
authorized installations. Current approaches involve using the
JNI and native non-portable code. All very messy and unsatisfactory.

One possible solution might be to add to the JVM a new operation which
would return an ID integer that was unique to the installation upon
which it was being run. Some (non-Java) platforms provide the means
to read the machine serial number, for example. On these the JVM need
only access that serial number. On other platforms it might be
necessary to construct an ID from whatever information is available.

With access from Java to a platform ID number we could readily record
information (encrypted) when software is installed, and check it when
the software is run. Code could thus be prevented from running on
unauthorized machines, all while maintaining the "write once, run
anywhere" principle. [Actually all we need is a repeatable number
that is not shared by too many other installations: it does not need
to be truly unique to provide adequate protection.]

Of course to protect the client it might be necessary to control whether
the Java application/applet is allowed to receive the ID number, but the
security manager should handle that, like other security matters.

Does this sound like a workable scheme?

Harry Barrow
Schlumberger Cambridge Research
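
The install-time record and run-time check described in the message, as an added example that is not part of the original post. It assumes the proposed platform ID is available as a `long` (no such JVM operation exists; the IDs below are constructed sample values), and it uses a vendor ECDSA signature over product name and ID in place of the "encrypted" record; the class, method and product names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public class InstallBoundLicense {
    // The bytes that get signed: product name bound to the installation ID.
    static byte[] message(String product, long platformId) {
        return (product + "|" + platformId).getBytes(StandardCharsets.UTF_8);
    }

    // Vendor side, at authorization time: sign product + installation ID.
    static String issue(PrivateKey vendorKey, String product, long platformId)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendorKey);
        s.update(message(product, platformId));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Client side, at every start: verify the stored record against this machine's ID.
    static boolean check(PublicKey vendorPub, String product, long platformId, String license) {
        try {
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(vendorPub);
            s.update(message(product, platformId));
            return s.verify(Base64.getDecoder().decode(license));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed or tampered record: treat as unauthorized
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair vendor = kpg.generateKeyPair(); // sample key pair generated for the demo
        long installedOn = 0x5EED1234L, otherMachine = 0x5EED1235L; // constructed IDs
        String license = issue(vendor.getPrivate(), "demo-app", installedOn);
        System.out.println("authorized machine: " + check(vendor.getPublic(), "demo-app", installedOn, license));
        System.out.println("other machine:      " + check(vendor.getPublic(), "demo-app", otherMachine, license));
        System.out.println("other product:      " + check(vendor.getPublic(), "other-app", installedOn, license));
    }
}
```

Only the vendor's public key ships with the program, so the installed record cannot be re-issued for a different ID from the client's copy alone.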