Microsoft recently shipped several products that form a new software family called SLP Services. It's aimed to help software vendors tighten security of their code and ease development of licensing infrastructure (effectively allowing to skip that step). New solution based on several new concepts – "SKU Agility", "Code Transformation", SVM (Secure Virtual Machine) and SVML (Secure Virtual Machine Language). Below is a brief overview of these new products.
Code Protector
What this tool does is not obfuscation and not envelope encryption. Microsoft claim that they offer "a new and unique way" to protect .NET code. In two words, they one-way encrypt most sensitive part of code and provide SVM (Secure Virtual Machine), in which secured code can be run. SVM permutation is unique for each vendor. Here is more verbose explanation:
Vendors can select certain functionality for one-way code transformation. This protected code partition is complied into the application binaries - making it a permanent and integral part of the application. Integrated with the transformed code is the Secure Virtual Machine (SVM), which runs transformed code within the native .NET framework at runtime. Since transformed code is permanently unreadable, there is much lower risk of in-memory code compromise on client machines. And, since every vendor (ISV or other) receives a unique permutation of the SVM, there's no danger to other clients in the unlikely event of a crack of a specific SVM permutation (see diagram below).
Of course, adding one more "Virtual Machine" comes at the price of performance and it is about all products of that kind. However, it would be nice to compare this new Microsoft's product with others. We did some research when selected code protection tool to use in-house and stopped on .NET Reactor. It seemed to be the best we found at that time.
To be able to use this tool with your products you have to buy permutation of SVM. The minimum price is $500 for one year subscription for online service (see below).
SLP Server 2008
In simple words, you should divide your application into features that make sense to be sold individually.
By making it simple to map functions, methods, and classes into business features, SLP Services lets you focus on developing the core features of your application, rather than spending valuable weeks creating a licensing infrastructure. Using SLP Code Protector, you simply navigate the completed application binaries and select functions and map them to the features created by the marketing department.
After that, sales people will be able to "configure" different sets of features and set licensing options using SLPS Licensing Portal. Other benefits provided by SLP server are license activation service, ability to monitor how features are used and help in integration with eCommerce and CRM systems.
Price on Standard Edition of SLP Server 2008 (5 products max) starts from $23,000. Price on Enterprise edition, that does not have limitation on number of products, starts from $60,000
SLP Online Services
This is just a hosted version of SLP Server 2008. Basic subscription that supports one product only and provides limited number of service will cost you $500 a year. If you have 5 products and want all features, the price is already $7,500 a year. And Enterprise subscription with all included is $20,000 a year.
That means that it worth buying server version instead of subscription to online service if you are going to use SLP service for more than 3 years.
Conclusion
These new products look like a good option to protect your code and ease development of licensing infrastructure. And it is great that they are coupled in tightly integrated products. However, these solutions are quite pricey, so some one can decide to rather use some good obfuscator like .Net Reactor (single developer license price is $179) and write licensing infrastructure themselves. And the result may be more secure and cheaper (especially if you outsource your development).
Here are some links if you need more details:
Microsoft Software Licensing and Protection Services Home
SLP Services MSDN Site
Code Protector SDK download (includes generic permutation and limited to protect 3 methods only)