US20070283437A1 - Method to Protect Software Against Unwanted Use with a "Temporal Dissociation" Principle - Google Patents
Method to Protect Software Against Unwanted Use with a "Temporal Dissociation" Principle Download PDFInfo
- Publication number
- US20070283437A1 US20070283437A1 US11/838,118 US83811807A US2007283437A1 US 20070283437 A1 US20070283437 A1 US 20070283437A1 US 83811807 A US83811807 A US 83811807A US 2007283437 A1 US2007283437 A1 US 2007283437A1
- Authority
- US
- United States
- Prior art keywords
- unit
- execution
- software
- protected software
- variable
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
- 238000000034 method Methods 0.000 title claims abstract description 97
- 238000010494 dissociation reaction Methods 0.000 title description 12
- 230000005593 dissociations Effects 0.000 title description 12
- 230000002123 temporal effect Effects 0.000 title description 12
- 230000006870 function Effects 0.000 claims description 157
- 230000005540 biological transmission Effects 0.000 claims 2
- 238000012545 processing Methods 0.000 abstract description 243
- 230000008569 process Effects 0.000 abstract description 66
- 230000001419 dependent effect Effects 0.000 description 78
- 238000001514 detection method Methods 0.000 description 62
- 238000012546 transfer Methods 0.000 description 60
- 238000005259 measurement Methods 0.000 description 59
- 238000012986 modification Methods 0.000 description 43
- 230000004048 modification Effects 0.000 description 43
- 230000001960 triggered effect Effects 0.000 description 15
- 238000010276 construction Methods 0.000 description 11
- 238000010586 diagram Methods 0.000 description 10
- 230000006872 improvement Effects 0.000 description 10
- 238000012544 monitoring process Methods 0.000 description 10
- 230000014509 gene expression Effects 0.000 description 5
- 230000001131 transforming effect Effects 0.000 description 5
- 238000004891 communication Methods 0.000 description 4
- 238000011161 development Methods 0.000 description 4
- 238000009830 intercalation Methods 0.000 description 3
- 230000002093 peripheral effect Effects 0.000 description 3
- 230000004069 differentiation Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 1
- 230000000295 complement effect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 239000003550 marker Substances 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/123—Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/125—Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
Definitions
- This invention concerns the technical domain of data processing systems in the general sense, and is more precisely aimed at the means of protecting software running on said data processing systems against unauthorized usage.
- the subject of the invention aims in particular at the means of protecting software against unauthorized usage, using a processing and memorizing unit, such a unit being commonly materialized by a chip card or a material key on USB port.
- a protection solution which makes use of a hardware protection system, such as a physical component named protection key or “dongle”.
- a protection key should guarantee that the software executes only in presence of the key. Yet, it must be acknowledged that this solution is ineffective because it presents the inconvenience of being easy to bypass. An ill-intentioned person or a hacker can, with the aid of specialized tools such as disassemblers, delete the control instructions of the protection key. It becomes then possible to make illicit copies corresponding to modified versions of the software able to run without the protection.
- this solution cannot be generalized to all software, inasmuch as it is difficult to connect more than two protection keys to the same system.
- the subject of the invention aims precisely at finding a solution to the aforementioned problems by proposing a process to protect a software against unauthorized usage, using an ad hoc processing and memorizing unit, inasmuch as the presence of such a unit is necessary for the software to be completely functional.
- the subject of the invention concerns a process to protect, using at least one blank unit including at least processing means and memorization means, a vulnerable software against its unauthorized usage, said vulnerable software being produced from a source and working on a data processing system.
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises:
- the process according to the invention comprises, during the protection phase, modifying the protected software:
- the process according to the invention thus enables to protect usage of a software by using a processing and memorizing unit which presents the characteristic of containing a part of the software being executed. It follows that any derived version of the software attempting to work without the processing and memorizing unit imposes to recreate the part of the software contained in the processing and memorizing unit during the execution, or else said derived version of the software will not be completely functional.
- FIGS. 10 and 11 are functional blocks diagrams illustrating the various representations of a software respectively not protected and protected by the process in accordance with the invention.
- FIGS. 20 to 22 illustrate as examples, various embodiments of an apparatus implementing the process in accordance with the invention.
- FIGS. 30 and 31 are functional blocks diagrams making explicit the general principle of the process in accordance with the invention.
- FIGS. 40 to 43 are diagrams illustrating the protection process according to the invention implementing the principle of protection by variable.
- FIGS. 50 to 54 are diagrams illustrating the protection process according to the invention implementing the principle of protection by temporal dissociation.
- FIGS. 60 to 64 are diagrams illustrating the protection process according to the invention implementing the principle of protection by elementary functions.
- FIGS. 70 to 74 are diagrams illustrating the protection process according to the invention implementing the principle of protection by detection and coercion.
- FIGS. 80 to 85 are diagrams illustrating the protection process according to the invention implementing the principle of protection by par renaming.
- FIGS. 90 to 92 are diagrams illustrating the protection process according to the invention implementing the principle of protection by conditional branch.
- FIG. 100 is a diagram illustrating the different phases of implementation of the subject of the invention.
- FIG. 110 illustrates an embodiment of a system allowing the implementation of the construction stage of the protection phase in accordance with the invention.
- FIG. 120 illustrates an embodiment of a pre-customization unit used in the protection process in accordance with the invention.
- FIG. 130 illustrates an embodiment of a system allowing the implementation of the tools making stage of the protection phase in accordance with the invention.
- FIG. 140 illustrates an embodiment of a system allowing the implementation of the protection process according to the invention.
- FIG. 150 illustrates an embodiment of a customization unit used in the protection process in accordance with the invention.
- FIGS. 10 and 11 illustrate the various representations respectively of a vulnerable software 2 v in the general sense, and of a protected software 2 p protected according to the process in accordance with the invention.
- FIG. 10 illustrates various representations of a vulnerable software 2 v appearing during its life cycle.
- the vulnerable software 2 v can thus appear under any of the following representations:
- FIG. 11 illustrates various representations of a protected software 2 p appearing during its life cycle.
- the protected software 2 p can thus appear under any of the following representations:
- the expressions first part of the protected software and second part of the protected software shall be used.
- the implementation of the process according to the invention in accordance with the dynamic representation of FIG. 11 uses an apparatus 1 p including a data processing system 3 linked up by a link 5 to a unit 6 .
- the data processing system 3 is of any type and includes, classically, at least one processor 4 .
- the data processing system 3 can be a computer or be part, for instance, of various machines, devices, fixed or mobile products, or vehicles in the general sense.
- the link 5 can be realized in any possible way, such as for instance a serial link, a USB bus, a radio link, an optical link, a network link or a direct electric connection to a circuit of data processing system 3 , etc.
- the unit 6 can possibly be physically located inside the same integrated circuit than the processor 4 of the data processing system 3 .
- the unit 6 can be considered as a co-processor in relation to the processor 4 of the data processing system 3 and the link 5 is internal to the integrated circuit.
- FIGS. 20 to 22 show in an illustrative and non-limiting manner, various embodiments of the apparatus 1 p allowing the implementation of the protection process in accordance with the invention.
- the protection apparatus 1 p includes, as a data processing system 3 , a computer and, as a unit 6 , a chip card 7 and its interface 8 commonly called card reader.
- the computer 3 is linked up to the unit 6 by a link 5 .
- the first execution part 2 pes which is executed in the computer 3 and the second execution part 2 peu which is executed in the chip card 7 and its interface 8 must both be functional so that the protected software 2 p is completely functional.
- the protection apparatus 1 p equips a product 9 in the general sense, including various components 10 adapted to the function(s) assumed by such a product 9 .
- the protection apparatus 1 p includes, on the one hand, a data processing system 3 embedded in the product 9 and, on the other hand, a unit 6 associated with the product 9 . So that the product 9 is completely functional, the protected software 2 p , must be completely functional. Thus, during the execution of the protected software 2 p , the first execution part 2 pes which is executed in the data processing system 3 and the second execution part 2 peu which is executed in the unit 6 , must both be functional. Said protected software 2 p enables therefore indirectly, to protect against unauthorized usage, the product 9 or one of its functionalities.
- the product 9 can be an installation, a system, a machine, a toy, a piece of domestic appliances, a phone, etc.
- the protection apparatus 1 p includes several computers, as well as part of a communication network.
- the data processing system 3 is a first computer linked up by a link 5 of network type, to a unit 6 constituted by a second computer.
- the second computer 6 is used as a license server for a protected software 2 p .
- the first execution part 2 pes which is executed in the first computer 3 and the second execution part 2 peu which is executed in the second computer 6 must both be functional so that the protected software 2 p is completely functional.
- FIG. 30 enables to make explicit more precisely, the protection process in accordance with the invention. It should be observed that a vulnerable software 2 v , is considered as being executed totally in a data processing system 3 .
- the data processing system 3 includes transfer means 12 linked up by the link 5 , to transfer means 13 being part of the unit 6 enabling to establish communication between the first execution part 2 pes and the second execution part 2 peu of the protected software 2 p.
- the transfer means 12 , 13 are of software and/or hardware nature and are capable of providing and, possibly, optimizing the data communication between the data processing system 3 and the unit 6 .
- Said transfer means 12 , 13 are adapted to enable to have at one's disposal a protected software 2 p which is, preferably, independent from the type of link 5 used.
- Said transfer means 12 , 13 are not part of the subject of the invention and are not described more precisely as they are well known by the Man of art.
- the first part of the protected software 2 p includes commands. During the execution of the protected software 2 p , the execution of said commands by the first execution part 2 pes enables the communication between the first execution part 2 pes and the second execution part 2 peu . In the rest of the description, said commands are represented by IN, OUT or TRIG.
- the unit 6 includes protection means 14 .
- the protection means 14 include memorization means 15 and processing means 16 .
- the transfer means 13 are split into two parts, one being on the interface 8 and the other one being on the chip card 7 .
- the absence of the chip card 7 is considered as equivalent to the absence of the unit 6 .
- the protection means 14 are not accessible and do not enable the execution of the second execution part 2 peu of the protected software 2 p , so much so that the protected software 2 p is not completely functional.
- the protection process aims at implementing a principle of protection, called by “temporal dissociation”, a description of which is carried out in relation to FIGS. 50 to 54 .
- At least one chosen portion of the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps .
- This modification is such that, among others:
- the first execution part 2 pes of the protected software 2 p which is executed in the data processing system 3 , executes the steps commands, triggering in the unit 6 , the execution by means of the second execution part 2 peu , of each of the previously defined steps.
- FIG. 50 illustrates an example of execution of a vulnerable software 2 v .
- the vulnerable software 2 v appears, during the execution of the vulnerable software 2 v , in the data processing system 3 , at a certain time instant, the calculation of Z ⁇ F(X, Y) corresponding to the assignment to a variable Z, of the result of an algorithmic processing represented by a function F and using operands X and Y.
- FIG. 51 illustrates an example of implementation of the invention for which the algorithmic processing chosen in FIG. 50 is remoted in the unit 6 .
- the algorithmic processing chosen in FIG. 50 is remoted in the unit 6 .
- the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p and in the presence of the unit 6 appear:
- FIG. 52 shows an example of execution of a vulnerable software 2 v .
- the vulnerable software 2 v appears, during the execution of the vulnerable software 2 v , in the data processing system 3 , the execution of two algorithmic processings leading to the determination of Z and Z′, such that Z ⁇ F (X, Y) and Z′ ⁇ F′ (X′, Y′).
- FIG. 53 illustrates an example of implementation of the process according to the invention for which the two algorithmic processings chosen in FIG. 52 are remoted in the unit 6 .
- the steps commands CE 1 , CE 2 , CE 3 corresponding to the determination of Z and of steps commands CE′ 1 , CE′ 2 , CE′ 3 corresponding to the determination of Z′.
- the steps commands CE 1 to CE 3 are not executed consecutively inasmuch as steps commands CE′ 1 to CE′ 3 , as well as other code portions are intercalated.
- CE 1 portion of intercalated code
- CE 2 portion of intercalated code
- CE′ 1 portion of intercalated code
- CE′ 2 portion of intercalated code
- CE′ 3 portion of intercalated code
- FIG. 54 illustrates an example of an attempt of execution of the protected software 2 p , when the unit 6 is missing.
- the unit 6 is missing.
- the protection process aims at implementing a principle of protection called by ⁇ variable>> a description of which is carried out in relation to FIGS. 40 to 43 .
- variable For the implementation of the principle of protection by variable, is chosen in the source of the vulnerable software 2 vs at least one variable which, during the execution of the vulnerable software 2 v , partially defines its state.
- state of a software must be understood the set of pieces of information, at a given moment, necessary to the complete execution of said software, so much so that the absence of such a chosen variable prejudices the complete execution of said software.
- At least one chosen portion of the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps .
- This modification is such that during the execution of the protected software 2 p , at least one portion of the first execution part 2 pes which is executed in the data processing system 3 , takes into account that at least one chosen variable or at least one copy of chosen variable resides in the unit 6 .
- FIG. 40 illustrates an example of execution of a vulnerable software 2 v .
- the vulnerable software 2 v in the data processing system 3 appear:
- FIG. 41 illustrates an example of a first form of implementation of the invention for which the variable resides in the unit 6 .
- the variable resides in the unit 6 .
- FIG. 42 illustrates an example of a second form of implementation of the invention for which a copy of the variable resides in the unit 6 .
- the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p and in the presence of the unit 6 , appear:
- FIG. 43 illustrates an example of attempt of execution of the protected software 2 p , when the unit 6 is missing.
- the unit 6 is missing.
- the protection process aims at implementing a principle of protection called by ⁇ elementary function>> a description of which is carried out in relation to FIGS. 60 to 64 .
- At least one chosen portion of the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps .
- This modification is such that, among others:
- the first execution part 2 pes of the protected software 2 p which is executed in the data processing system 3 , executes elementary commands CFE n (with n varying from 1 to N), triggering in the unit 6 , the execution by means of the second execution part 2 peu , of each of the previously defined elementary functions fe n .
- FIG. 60 illustrates an example of execution of a vulnerable software 2 v .
- the vulnerable software 2 v appears, during the execution of the vulnerable software 2 v in the data processing system 3 , at a certain time instant, the calculation of Z ⁇ F(X, Y) corresponding to the assignment to a variable Z of the result of an algorithmic processing represented by a function F and using operands X and Y.
- FIG. 61 illustrates an example of implementation of the invention for which the algorithmic processing chosen in FIG. 60 is remoted in the unit 6 .
- the algorithmic processing chosen in FIG. 60 is remoted in the unit 6 .
- the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p and in the presence of the unit 6 appear:
- FIG. 62 shows an example of execution of a vulnerable software 2 v .
- the vulnerable software 2 v appears during the execution of the vulnerable software 2 v , in the data processing system 3 , the execution of two algorithmic processings leading to the determination of Z and Z′, such that Z ⁇ F (X, Y) and Z′ ⁇ F′(X′, Y′).
- FIG. 63 illustrates an example of implementation of the process according to the invention for which the two algorithmic processing chosen in FIG. 62 are remoted in the unit 6 .
- the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p and in the presence of the unit 6 appear, as explained above, the execution of the elementary commands CFE 1 to CFE N corresponding to the determination of Z and the execution of the elementary commands CFE′ 1 to CFE′ M corresponding to the determination of Z′.
- the elementary commands CFE 1 to CFE N are not executed consecutively, inasmuch as the elementary commands CFE′ 1 to CFE′ M , as well as other portions of code are intercalated.
- FIG. 64 illustrates an example of an attempt of execution of the protected software 2 p , when the unit 6 is missing.
- the execution of an elementary command cannot trigger the execution of the corresponding elementary function, because of the absence of the unit 6 .
- the value to assign to the variable Z cannot therefore be determined correctly.
- the protection process aims at implementing a principle of protection, called by ⁇ detection and coercion>>, a description of which is carried out in relation to FIGS. 70 to 74 .
- FIG. 70 illustrates the means necessary to the implementation of this principle of protection by detection and coercion.
- the unit 6 includes the detection means 17 and the coercion means 18 belonging to the processing means 16 .
- the coercion means 18 are informed by the detection means 17 that a criterion has not been abided by.
- the detection means 17 use information coming from the transfer means 13 and/or from the memorization means 15 and/or from the processing means 16 , so as to monitor one or several software execution characteristics. For each software execution characteristic is set at least one criterion to abide by.
- the detection means 17 inform the coercion means 18 of it.
- Said coercion means 18 are adapted to modify, in the appropriate way, the state of the unit 6 .
- At least one chosen portion of the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps .
- This modification is such that, during the execution of the protected software 2 p , among others:
- the first type of software execution characteristic corresponds to a variable of measurement of the execution of a software and the second type corresponds to a profile of usage of a software. Said two types of characteristics can be used independently or in combination.
- the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps , this modification being such that, during the execution of the protected software 2 p , the second execution 2 peu:
- the detection means 17 inform of it the coercion means 18 which make an adapted decision to inform the data processing system 3 and/or to modify the processings carried out by the processing means 16 enabling to modify the functioning of the portion of the protected software 2 p , so that the functioning of the protected software 2 p is modified.
- the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps , this modification being such that, during the execution of the protected software 2 p , the second execution part 2 peu:
- the unit 6 informs the data processing system 3 enjoining the protected software 2 p not to use said functionality anymore. If the protected software 2 p carries on using said functionality, the second threshold will potentially be crossed. In the case where the second threshold is crossed, the coercion means 18 can make the chosen functionality ineffective and/or make the protected software 2 p ineffective.
- refilling means enabling to credit at least one software functionality monitored by a variable of measurement with at least one additional usage.
- Is also chosen, in the source of the vulnerable software 2 vs , at least one variable of measurement used to limit the usage of at least one functionality of the software and which must be able to be credited with at least one additional usage.
- the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps , this modification being such that, during a phase called of refilling, at least one additional usage of at least one functionality corresponding to a chosen variable of measurement can be credited.
- a profile of software usage is defined as criterion to abide by for said profile of usage, at least one feature of software execution.
- the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps , this modification being such that, during the execution of the protected software 2 p , the second execution part 2 peu abides by all the chosen features of execution.
- the unit 6 itself monitors the way the second execution part 2 peu is executed and can inform the data processing system 3 and/or modify the functioning of the protected software 2 p , in the case where at least one feature of execution is not abided by.
- the monitoring of different features of execution can be considered, like for instance the monitoring of the presence of instructions including a marker or the monitoring of the execution chaining for at least one part of the instructions.
- Is also chosen, in the source of the vulnerable software 2 vs , at least one algorithmic processing which must be remoted in the unit 6 and for which the chaining of at least one part of the instructions is to be monitored.
- the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the vulnerable software 2 ps , this modification being such that, during the execution of the protected software 2 p:
- FIG. 71 illustrates an example of implementation of the principle of protection by detection and coercion using, as feature of execution to abide by the monitoring of the execution chaining of a at least one part of the instructions, in the case where the expected chaining is abided by.
- the first execution part 2 pes of the protected software 2 p , executed in the data processing system 3 , executes instructions commands CI i triggering, in the unit 6 the execution of the instructions i i belonging to the instructions set.
- at least some of the instructions each include a part defining the functionality of the instruction and a part enabling to verify the expected chaining for the execution of the instructions.
- the instructions commands CI i are represented by TRIG(i i ) and the expected chaining for the execution of the instructions is i n , i n+1 and i n+2 .
- the execution in the unit 6 , of the instruction i n gives the result a and the execution of the instruction i n+1 gives the result b.
- the instruction i n+2 uses as operand, the results a and b of the instructions i n and i n+1 and its execution gives the result c.
- FIG. 72 illustrates an example of implementation of the principle of protection by detection and coercion using, as feature of execution to abide by, the monitoring of the execution chaining of at least one part of the instructions, in the case where the expected chaining is not abided by.
- the expected chaining for the execution of the instructions is still i n , i n+1 and i n+2 .
- the execution chaining is modified by the replacement of the instruction i n with the instruction i′ n , so that the chaining actually executed is i′ n , i n+1 and i n+2 .
- the execution of the instruction i′ n gives the result a, i.e. the same result that the execution of the instruction i n .
- the detection means 17 detect that the instruction i′ n does not correspond to the expected instruction to generate the result a used as operand of the instruction i n+2 .
- the detection means 17 inform of it the coercion means 18 which modify accordingly, the functioning of the instruction i n+2 , so that the execution of the instruction i n+2 gives the result C′ which can be different than C.
- the execution of the instruction i′ n gives a result a′ different from the result a of the instruction i n
- the result of the instruction i n+2 can also be different from c.
- FIGS. 73 and 74 illustrates a preferred variant embodiment of the principle of protection by detection and coercion using, as feature of execution to abide by, the monitoring of the execution chaining of at least one part of the instructions.
- this preferred variant is defined an instructions set whose at least some instructions work with registers and use at least one operand with the intention of returning a result.
- a part PF defining the functionality of the instruction
- a part PE defining the expected chaining for the execution of the instructions.
- the part PF corresponds to the operation code known by the Man of art.
- the part PE defining the expected chaining includes bits fields corresponding to:
- the instructions set includes V registers belonging to the processing means 16 , each register being named R v , with v varying from 1 to V.
- R v For each register R v , are defined two fields, namely:
- the detection means 17 carry out for each operand k the following operations:
- the coercion means 18 enable to modify the result of the instructions when the detection means 17 has informed them of an instructions chaining not abided by.
- a preferred embodiment is carried out by modifying the functional part PF of the instruction currently executed or the functional part PF of subsequent instructions.
- the protection process aims at implementing a principle of protection, called by ⁇ renaming>> a description of which is carried out in relation to FIGS. 80 to 85 .
- the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps .
- This modification is such that, among others:
- the first execution part 2 pes of the protected software 2 p executed in the data processing system 3 , executes triggering commands with renamed orders transferring renamed orders to the unit 6 , and triggering in the unit 6 the restoring by means of the restoring means 20 , of the orders, and then the execution by means of the second execution part 2 peu , of each of the previously defined dependent functions fd n .
- the principle of protection by renaming is carried out by renaming the orders of the triggering commands, so as to obtain triggering commands with renamed orders whose execution in the data processing system 3 , triggers in the unit 6 , the execution of the dependent functions which would have been triggered by the triggering commands with not-renamed orders, without however the examination of the protected software 2 p enabling to determine the identity of the executed dependent functions.
- FIG. 80 illustrates an example of execution of a vulnerable software 2 v .
- the vulnerable software 2 v appears during the execution of the vulnerable software 2 v in the data processing system 3 , at a certain time instant, the calculation of Z ⁇ F(X, Y) corresponding to the assignment to a variable Z of the result of an algorithmic processing represented by a function F and using the operands X and Y.
- FIGS. 81 and 82 illustrate an example of implementation of the invention.
- FIG. 81 illustrates the partial implementation of the invention.
- the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p and in the presence of the unit 6 appear:
- the orders chosen in this way are renamed using the method of renaming of the orders.
- the orders of the triggering commands CD 1 to CD N i.e. x, y, fd 3 , fd N-1 , z are renamed so as to obtain respectively R(x), R(y), R(fd 3 ), . . . , R(fd N-1 ), R(z).
- FIG. 82 illustrates the complete implementation of the invention.
- the first execution part 2 pes of the protected software 2 p appear:
- FIG. 83 shows an example of execution of a vulnerable software 2 v .
- the execution of two algorithmic processings leading to the determination of Z and Z′ such as Z ⁇ F (X, Y) and Z′ ⁇ F′ (X′, Y′).
- FIG. 84 illustrates an example of implementation of the process according to the invention for which the two algorithmic proccesings chosen in FIG. 83 are remoted to the unit 6 .
- the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p and in the presence of the unit 6 appear, as explained above, the execution of the triggering commands with renamed orders CDCR, to CDCR N corresponding to the determination of Z and the execution of the triggering commands with renamed orders CDCR′ 1 to CDCR′ M corresponding to the determination of Z′.
- the triggering commands with renamed orders CDCR 1 to CDCR N are not executed consecutively, inasmuch as the triggering commands with renamed orders CDCR′ 1 to CDCR′ M as well as other portions of code are intercalated.
- the following sequence is thus carried out: CDCR 1 , portion of intercalated code, CDCR′ 1 , CDCR 2 , portion of intercalated code, CDCR′ 2 , CDCR′ 3 , portion of intercalated code, CDCR′ 4 , CDCR 3 , CDCR 4 , . . . , CDCR N , CDCR′ M .
- FIG. 85 illustrates an example of an attempt of execution of the protected software 2 p , when the unit 6 is missing.
- the execution of a triggering command with renamed order can trigger neither the restoring of the order nor the execution of the corresponding dependent function, because of the absence of the unit 6 .
- the value to assign to the variable Z cannot therefore be determined correctly.
- the examination in the protected software 2 p of the triggering commands with renamed orders does not enable to determine the identity of the dependent functions which have to be executed in the unit 6 . It should be observed that the renaming of the orders is carried out during the modification of the vulnerable 2 v to a protected software 2 p.
- a variant of the principle of protection by renaming is defined for at least one dependent function, a family of dependent functions algorithmically equivalent but triggered by different triggering commands with renamed orders.
- said algorithmic processing is split into dependent functions which for at least one of them is replaced with a dependent function of the same family instead of keeping several occurrences of the same dependent function.
- triggering commands with renamed orders are modified to take into account the replacement of dependent functions with dependent functions of the same family.
- two dependent functions of the same family have different orders and consequently different triggering commands with renamed orders and, it is not possible, by examining the protected software 2 p , to discover that the dependent functions called are algorithmically equivalent.
- a dependent function a family of algorithmically equivalent dependent functions, by concatenating a noise field to the information defining the functional part of the dependent function to execute in the unit 6 .
- the restoring means 20 are means implementing a deciphering method enabling to decipher the renamed orders and thus to restore the identity of the dependent functions to execute in the unit 6 .
- Said restoring means are implemented in the unit 6 and can be of software or hardware nature. Said restoring means 20 are appealed to during the usage phase U each time a triggering command with renamed order is executed in the data processing system 3 with the intention of triggering in the unit 6 , the execution of a dependent function.
- the protection process aims at implementing a principle of protection called by ⁇ conditional branch>> a description of which is carried out in relation to FIGS. 90 to 92 .
- conditional branch BC is chosen in the source of the vulnerable software 2 vs , at least one conditional branch BC. Is also chosen at least one portion of the source of the vulnerable software 2 vs containing at least one chosen conditional branch BC.
- At least one chosen portion of the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps .
- This modification is such that, during the execution of the protected software 2 p , among others:
- the first execution part 2 pes of the protected software 2 p executed in the data processing system 3 , executes conditional branches commands, triggering in the unit 6 , the execution by means of the second execution part 2 peu , of remoted conditional branches be whose functionality is equivalent to the functionality of the chosen conditional branches BC.
- FIG. 90 illustrates an example of execution of a vulnerable software 2 v .
- a conditional branch BC indicating to the vulnerable software 2 v the spot where to carry on its execution, i.e. one of the three possible spots B 1 , B 2 or B 3 . It must be understood that the conditional branch BC takes the decision to carry on the execution of the software at spot B 1 , B 2 or B 3 .
- FIG. 91 illustrates an example of implementation of the invention for which the conditional branch chosen to be remoted to the unit 6 , corresponds to the conditional branch BC.
- the conditional branch chosen to be remoted to the unit 6 corresponds to the conditional branch BC.
- FIG. 92 illustrates an example of an attempt of execution of the protected software 2 p , when the unit 6 is missing.
- the unit 6 is missing.
- the subject of the invention aims at remoting in the unit 6 , a conditional branch.
- a preferred embodiment of the invention can be carried out by remoting in the unit 6 , a series of conditional branches whose overall functionality is equivalent to all the functionalities of the conditional branches which have been remoted.
- the execution of the overall functionality of said series of remoted conditional branches leads to the placing at the data processing system 3 's disposal of a piece of information enabling the first execution part 2 pes of the protected software 2 p to carry on its execution at the chosen spot.
- the protection process in accordance with the invention is implemented by using the principle of protection by temporal dissociation, possibly combined with one or several other principles of protection.
- the principle of protection by temporal dissociation is advantageously complemented by the principle of protection by variable and/or the principle of protection by elementary functions and/or the principle of protection by conditional branch.
- the principle of protection by temporal dissociation is complemented by the principle of protection by variable, complemented by the principle of protection by elementary functions, complemented by the principle of protection by detection and coercion, complemented by the principle of protection by renaming, complemented by the principle of protection by conditional branch.
- This protection process according to the invention is composed, as shown more precisely in FIG. 100 :
- the protection phase P can be split into two protection sub-phases P 1 and P 2 .
- the first one called prior protection sub-phase P 1
- the second one called subsequent protection sub-phase P 2 is dependent of the vulnerable software 2 v to protect.
- the prior protection sub-phase P 1 and the subsequent protection sub-phase P 2 can be carried out advantageously by two different persons or two different teams.
- the prior protection sub-phase P 1 can be carried out by a person or a company providing the development of software protection systems
- the subsequent protection sub-phase P 2 can be carried out by a person or a company providing the development of software requiring to be protected.
- the prior protection sub-phase P 1 and the subsequent protection sub-phase P 2 can also be carried out by the same person or team.
- the prior protection sub-phase P 1 is composed of several stages S 11 , . . . , S 11 for each of which various tasks or jobs are to be carried out.
- stage S 11 The first stage of this prior protection sub-phase P 1 is called “definitions stage S 11 ′′. During this definitions stage S 11 :
- the definitions stage S 11 is followed by a stage called “construction stage S 12 ”.
- construction stage S 12 are constructed the transfer means 12 , 13 and the exploitation means corresponding to the definitions of the definitions stage S 11 .
- the construction of the exploitation means is carried out classically, through a program development unit and taking into account the definitions intervened in the definitions stages SI,. Such a unit is described in the rest of the description in FIG. 110 .
- the construction stage S 12 can be followed by a stage called “pre-customization stage S 13 ′′.
- pre-customization stage S 13 at least a part of the transfer means 13 and/or the exploitation means are uploaded to at least one blank unit 60 , with the intention of obtaining at least one pre-customized unit 66 .
- part of the exploitation means once transferred to a pre-customized unit 66 , is no longer directly accessible outside said pre-customized unit 66 .
- the transfer of the exploitation means to a blank unit 60 can be carried out through an adapted pre-customization unit, which is described in the rest of the description in FIG. 120 .
- the pre-customization concerns only the chip card 7 .
- a stage called “tools making stage S 14 ” can take place.
- tools making stage S 14 are made tools enabling to help generate protected software or automate the protection of software. Such tools enable:
- each tool can have various forms, such as for instance pre-processor, assembler, compiler, etc.
- the prior protection sub-phase P 1 is followed by a subsequent protection sub-phase P 2 which depends on the vulnerable software 2 v to protect.
- This subsequent protection sub-phase P 2 is composed of several stages as well.
- the first stage corresponding to the implementation of the principle of protection by temporal dissociation is called “creation stage S 21 ′′.
- This creation stage S 21 the choices made during the definition stage S 11 are used.
- the protected software 2 p is created:
- a “modification stage S 22 ” takes place.
- this modification stage S 22 are used the definitions intervened in the definitions stage S 11 .
- the protected software 2 p is modified to allow the implementation of the principles of protection according to one of the arrangements herebefore defined.
- the protected software 2 p is modified:
- the protected software 2 p is modified:
- the protected software 2 p is modified:
- the protected software 2 p is modified:
- the principles of protection according to the invention can be applied directly during the development of a new software without requiring the prior carrying out of intermediate protected pieces of software.
- the creation stage S 21 , and the modification stage S 22 can be carried out concomitantly so as to obtain directly the protected software 2 p.
- a stage called “customization stage S 23 ” takes place.
- the second object part 2 pou possibly containing the exploitation means is uploaded to at least one blank unit 60 , with the intention of obtaining at least one unit 6 , or a part of the second object part 2 pou possibly containing the exploitation means is uploaded to at least one pre-customized unit 66 , with the intention of obtaining at least one unit 6 .
- the uploading of this customization information enables to make operational at least one unit 6 . It should be observed that part of said information, once transferred to a unit 6 , is not directly accessible outside said unit 6 .
- the transfer of the customization information to a blank unit 60 or a pre-customized unit 66 can be carried out through an adapted customization unit which is described in the rest of the description in FIG. 150 .
- the customization concerns only the chip card 7 .
- protection phase P various technical means are described more precisely in relation to FIGS. 110, 120 , 130 , 140 and 150 .
- FIG. 110 illustrates an embodiment of a system 25 enabling to implement the construction stage S 12 which takes into account the definitions intervened during the definitions stage S 11 and during which are constructed the transfer means 12 , 13 and possibly, the exploitation means intended for the unit 6 .
- a system 25 includes a program development unit or workstation which has classically the form of a computer comprising a system unit, a screen, peripherals such as keyboard-mouse, and including, among others, the following programs: file editors, assemblers, pre-processors, compilers, interpreters, debuggers and link editors.
- FIG. 120 illustrates an embodiment of a pre-customization unit 30 enabling to upload at least in part the transfer means 13 and/or the exploitations means to at least one blank unit 60 with the intention of obtaining a pre-customized unit 66 .
- Said pre-customization unit 30 includes reading and writing means 31 enabling to electrically pre-customize, a blank unit 60 so as to obtain a pre-customized unit 66 to which the transfer means 13 and/or the exploitations means have been uploaded.
- the pre-customization unit 30 can also include physical customization means 32 of the blank unit 60 which can for instance, have the form of a printer. In the case where the unit 6 is constituted by a chip card 7 and its reader 8 , the pre-customization generally concerns only the chip card 7 .
- FIG. 130 illustrates an embodiment of a system 35 enabling to carry out the making of the tools enabling to help generate protected software or to automate software protection.
- a system 35 includes a program development unit or workstation which has classically the form of a computer comprising a system unit, a screen, peripherals such as keyboard-mouse, and including, among others, the following programs: file editors, assemblers, pre-processors, compilers, interpreters, debuggers and link editors.
- FIG. 140 illustrates an embodiment of a system 40 enabling to create directly a protected software 2 p or to modify a vulnerable software 2 v with the intention of obtaining a protected software 2 p .
- a system 40 includes a program development unit or workstation which has classically the form of a computer comprising a system unit, a screen, peripherals such as keyboard-mouse, and including, among others, the following programs: file editors, assemblers, pre-processors, compilers, interpreters, debuggers and link editors, as well as tools enabling to help generate protected software or to automate software protection.
- FIG. 150 illustrates an embodiment of a customization unit 45 enabling to upload the second object part 2 pou to at least one blank unit 60 with the intention of obtaining at least one unit 6 or to upload a part of the second object part 2 pou to at least one pre-customized unit 66 with the intention of obtaining at least one unit 6 .
- Said customization unit 45 includes reading and writing means 46 enabling to electrically customize, at least one blank unit 60 or at least one pre-customized unit 66 , so as to obtain at least one unit 6 .
- a unit 6 includes the information necessary to the execution of the protected software 2 p .
- the customization unit 45 can also include physical customization means 47 for at least one unit 6 which can for instance, have the form of a printer. In the case where a unit 6 is constituted by a chip card 7 and its reader 8 , the customization generally concerns only the chip card 7 .
Abstract
The invention concerns a process to protect a vulnerable software working on a data processing system against its unauthorized usage using a processing and memorizing unit. The process comprises creating a protected software by choosing in the source of the vulnerable software at least one algorithmic processing and by producing the source of the protected software so that during the execution of the protected software appear several distinct steps, namely 1) the placing of at least one operand at the processing and memorizing unit's disposal 2) the carrying out by the processing and memorizing unit, of the algorithmic processing's functionality on at least said operand 3) and possibly, the placing at the data processing system's disposal of at least one result by the processing and memorizing unit.
Description
- This invention concerns the technical domain of data processing systems in the general sense, and is more precisely aimed at the means of protecting software running on said data processing systems against unauthorized usage.
- The subject of the invention aims in particular at the means of protecting software against unauthorized usage, using a processing and memorizing unit, such a unit being commonly materialized by a chip card or a material key on USB port.
- In the technical domain above, the main problem concerns the unauthorized usage of software by users who have not paid the license rights. This illicit use of software causes an obvious loss for software editors, software distributors and/or any person integrating such software in products. To avoid such illicit copies, various solutions, in the state of technology, have been proposed to protect software.
- Thus, a protection solution is known, which makes use of a hardware protection system, such as a physical component named protection key or “dongle”. Such a protection key should guarantee that the software executes only in presence of the key. Yet, it must be acknowledged that this solution is ineffective because it presents the inconvenience of being easy to bypass. An ill-intentioned person or a hacker can, with the aid of specialized tools such as disassemblers, delete the control instructions of the protection key. It becomes then possible to make illicit copies corresponding to modified versions of the software able to run without the protection. Moreover, this solution cannot be generalized to all software, inasmuch as it is difficult to connect more than two protection keys to the same system.
- The subject of the invention aims precisely at finding a solution to the aforementioned problems by proposing a process to protect a software against unauthorized usage, using an ad hoc processing and memorizing unit, inasmuch as the presence of such a unit is necessary for the software to be completely functional.
- So as to reach such a goal, the subject of the invention concerns a process to protect, using at least one blank unit including at least processing means and memorization means, a vulnerable software against its unauthorized usage, said vulnerable software being produced from a source and working on a data processing system. The process according to the invention comprises:
- → in a protection phase:
- creating a protected software:
- by choosing, at least one algorithmic processing which, during the execution of the vulnerable software, uses at least one operand and enables to obtain at least one result,
- by choosing at least one portion of the source of the vulnerable software containing, at least one chosen algorithmic processing,
- by producing a source of the protected software from the source of the vulnerable software, by modifying at least one chosen portion of the source of the vulnerable software to obtain at least one modified portion of the source of the protected software, this modification being such that:
- during the execution of the protected software a first execution part is executed in the data processing system and a second execution part is executed in a unit, obtained from the blank unit after upload of information,
- the second execution part executes at least the functionality of at least one chosen algorithmic processing,
- at least one chosen algorithmic processing is split so that during the execution of the protected software appear by means of the second execution part, several distinct steps, namely:
- the placing of at least one operand at the unit's disposal,
- the carrying out by the unit, of the algorithmic processing's functionality on at least said operand,
- and possibly, the placing at the data processing system's disposal of at least one result by the unit,
- for at least one chosen algorithmic processing, steps commands are defined so that during the execution of the protected software, each step command is executed by the first execution part and triggers, in the unit, the execution by means of the second execution part, of a step,
- and a sequence of the steps commands is chosen among the set of sequences allowing the execution of the protected software,
- and by producing:
- a first object part of the protected software, from the source of the protected software, said first object part being such that during the execution of the protected software, appears a first execution part which is executed in the data processing system and whose at least a portion takes into account that the steps commands are executed according to the chosen sequence,
- and a second object part of the protected software, said second object part being such that, after being uploaded to the blank unit and during the execution of the protected software, appears the second execution part by means of which the steps triggered by the first execution are executed.
- and uploading the second object part to the blank unit, with the intention of obtaining the unit,
- creating a protected software:
- → and during a usage phase during which is executed the protected software:
- in the presence of the unit and each time a step command contained in a portion of the first execution part imposes it, executing the corresponding step in the unit, so that said portion is executed correctly and that, consequently, the protected software is completely functional,
- and in the absence of the unit, in spite of the request by a portion of the first execution part to trigger the execution of a step in the unit, not being able to fulfill said request correctly, so that at least said portion is not executed correctly and that, consequently the protected software is not completely functional.
- According to a preferred embodiment, the process according to the invention comprises:
- → during the protection phase:
- modifying the protected software:
- by choosing at least one variable used in at least one chosen algorithmic processing, which during the execution of the protected software, partially defines the state of the protected software,
- by modifying at least one chosen portion of the source of the protected software, this modification being such that during the execution of the protected software, at least one chosen variable or at least one copy of chosen variable resides in the unit,
- and by producing:
- the first object part of the protected software, said first object part being such that during the execution of the protected software, at least one portion of the first execution part takes also into account that at least one variable or at least one copy of variable resides in the unit,
- and the second object part of the protected software, said second object part being such that, after upload to the unit and during the execution of the protected software, appears the second execution part by means of which at least one chosen variable, or at least one copy of chosen variable resides too in the unit,
- modifying the protected software:
- → and during the usage phase:
- in the presence of the unit each time a portion of the first execution part imposes it, using a variable or a copy of variable residing in the unit, so that said portion is executed correctly and that, consequently, the protected software is completely functional,
- and in the absence of the unit, in spite of the request by a portion of the first execution part to use a variable or a copy of variable residing in the unit, not being able to fulfill said request correctly, so that at least said portion is not executed correctly and that, consequently the protected software is not completely functional.
- According to another preferred embodiment, the process according to the invention comprises:
- → during the protection phase:
- defining:
- a set of elementary functions whose elementary functions are liable to be executed in the unit,
- and a set of elementary commands for said set of elementary functions, said elementary commands being liable to be executed in the data processing system and to trigger the execution in the unit, of the elementary functions,
- constructing exploitation means enabling the unit to execute the elementary functions of said set, the execution of said elementary functions being triggered by the execution in the data processing system, of the elementary commands,
- and modifying the protected software:
- by modifying at least one chosen portion of the source of the protected software, this modification being such that:
- at least one step is split so that during the execution of the protected software, said step is executed by means of the second execution part, using elementary functions,
- for at least one split step, elementary commands are integrated to the source of the protected software, so that during the execution of the protected software, each elementary command is executed by the first execution part and triggers in the unit, the execution by means of the second execution part, of an elementary function,
- and a sequence of the elementary commands is chosen among the set of sequences allowing the execution of the protected software,
- and by producing:
- the first object part of the protected software, said first object part being such that during the execution of the protected software, at least one portion of the first execution part also executes the elementary commands according to the chosen sequence,
- and the second object part of the protected software also containing the exploitation means, said second object part being such that, after upload to the unit and during the execution of the protected software, appears the second execution part by means of which are also executed the elementary functions triggered by the first execution part,
- by modifying at least one chosen portion of the source of the protected software, this modification being such that:
- defining:
- → and during the usage phase:
- in the presence of the unit and each time an elementary command contained in a portion of the first execution part imposes it, executing the corresponding elementary function in the unit, so that said portion is executed correctly and that, consequently, the protected software is completely functional,
- and in the absence of the unit, in spite of the request by a portion of the first execution part, to trigger the execution of an elementary function in the unit, not being able to fulfill said request correctly, so that at least said portion is not executed correctly and that, consequently, the protected software is not completely functional.
- According to another preferred embodiment, the process according to the invention comprises:
- → during the protection phase:
- defining:
- at least one software execution characteristic, liable to be monitored at least in part in the unit,
- at least one criterion to abide by for at least one software execution characteristic,
- detection means to implement in the unit and enabling to detect that at least one software execution characteristic does not abide by at least one associated criterion,
- and coercion means to implement in the unit and enabling to inform the data processing system and/or modify the execution of a software, when at least one criterion is not abided by,
- constructing the exploitation means enabling the unit, to also implement the detection means and the coercion means,
- and modifying the protected software:
- by choosing at least one software execution characteristic to monitor, among the software execution characteristics liable to be monitored,
- by choosing at least one criterion to abide by for at least one chosen software execution characteristic,
- by choosing in the source of the protected software, elementary functions for which at least one chosen software execution characteristic is to be monitored,
- by modifying at least one chosen portion of the source of the protected software, this modification being such that during the execution of the protected software, at least one chosen execution characteristic is monitored by means of the second execution part, and the fact that a criterion is not abided by leads to the data processing system being informed and/or to a modification of the execution of the protected software,
- and by producing the second object part of the protected software containing the exploitation means also implementing the detection means and the coercion means, said second object part being such that, after upload to the unit and during the execution of the protected software, at least one software execution characteristic is monitored and the fact that a criterion is not abided by leads to the data processing system being informed and/or to a modification of the execution of the protected software,
- defining:
- → and during the usage phase:
- in the presence of the unit:
- as long as all the criteria corresponding to all the monitored execution characteristics of all the modified portions of the protected software are abided by, enabling said portions of the protected software to work nominally and consequently enabling the protected software to work nominally,
- and if at least one of the criteria corresponding to a monitored execution characteristic of a portion of the protected software is not abided by, informing the data processing system of it and/or modifying the functioning of the portion of the protected software, so that the functioning of the protected software is modified.
- in the presence of the unit:
- According to a variant embodiment, the process according to the invention comprises:
- → during the protection phase:
- defining:
- as software execution characteristic liable to be monitored, a variable of measurement of the usage of a functionality of a software,
- as criterion to abide by, at least one threshold associated to each variable of measurement,
- and actualization means enabling to update at least one variable of measurement,
- constructing the exploitation means enabling the unit to also implement the actualization means,
- and modifying the protected software:
- by choosing as software execution characteristic to monitor, at least one variable of measurement of the usage of at least one functionality of a software,
- by choosing:
- at least one functionality of the protected software whose usage is liable to be monitored using a variable of measurement,
- at least one variable of measurement used to quantify the usage of said functionality,
- at least one threshold associated to a chosen variable of measurement corresponding to a limit of usage of said functionality,
- and at least one method of update of a chosen variable of measurement depending on the usage of said functionality,
- and by modifying at least one chosen portion of the source of the protected software, this modification being such that, during the execution of the protected software, the variable of measurement is actualized by means of the second execution part depending on the usage of said functionality, and at least one threshold crossing is taken into account,
- defining:
- → and during the usage phase, in the presence of the unit, and in the case where at least one threshold crossing corresponding to at least one limit of usage is detected, informing the data processing system of it and/or modifying the functioning of the portion of the protected software, so that the functioning of the protected software is modified.
- According to a variant embodiment, the process according to the invention comprises:
- → during the protection phase:
- defining:
- for at least one variable of measurement, several associated thresholds,
- and different coercion means corresponding to each of said thresholds,
- and modifying the protected software:
- by choosing in the source of the protected software, at least one chosen variable of measurement to which must be associated several thresholds corresponding to different limits of usage of the functionality,
- by choosing at least two thresholds associated to the chosen variable of measurement,
- and by modifying at least one chosen portion of the source of the protected software, this modification being such that, during the execution of the protected software, the crossings of the various thresholds are taken into account differently, by means of the second execution part,
- defining:
- → and during the usage phase:
- in the presence of the unit:
- in the case where the crossing of a first threshold is detected, enjoining the protected software not to use the corresponding functionality anymore,
- and in the case where the crossing of a second threshold is detected, making ineffective the corresponding functionality and/or at least one portion of the protected software.
- in the presence of the unit:
- According to a variant embodiment, the process according to the invention comprises:
- → during the protection phase:
- defining refilling means enabling to credit at least one software functionality monitored by a variable of measurement with at least one additional usage,
- constructing the exploitation means also allowing the unit to implement the refilling means,
- and modifying the protected software:
- by choosing in the source of the protected software, at least one chosen variable of measurement enabling to limit the usage of a functionality and which must be able to be credited with at least one additional usage,
- and by modifying at least one chosen portion, this modification being such that during a phase called of refilling, at least one additional usage of at least one functionality corresponding to a chosen variable of measurement can be credited,
- → and during the phase of refilling:
- reactualizing at least one chosen variable of measurement and/or at least one associated threshold, so as to allow at least one additional usage of the functionality.
- According to a variant embodiment, the process according to the invention comprises:
- → during the protection phase:
- defining:
- as software execution characteristic liable to be monitored, a profile of software usage,
- and as criterion to abide by, at least one feature of software execution,
- and modifying the protected software:
- by choosing as software execution characteristic to monitor at least one profile of software usage,
- by choosing at least one feature of execution by which at least one chosen profile of usage must abide,
- and by modifying at least one chosen portion of the source of the protected software, this modification being such that, during the execution of the protected software, the second execution part abides by all the chosen features of execution,
- defining:
- → and during the usage phase in the presence of the unit, and in the case where it is detected that at least one feature of execution is not abided by, informing the data processing system of it and/or modifying the functioning of the portion of the protected software, so that the functioning of the protected software is modified.
- According to a variant embodiment, the process according to the invention comprises:
- → during the protection phase:
- defining:
- an instructions set whose instructions are liable to be executed in the unit,
- a set of instructions commands for said instructions set, said instructions commands being liable to be executed in the data processing system and to trigger in the unit the execution of the instructions,
- as profile of usage, the chaining of the instructions,
- as feature of execution, an expected chaining for the execution of the instructions,
- as detection means, means enabling to detect that the chaining of the instructions does not correspond to the expected one,
- and as coercion means, means enabling to inform the data processing system and/or to modify the functioning of the portion of protected software when the chaining of the instructions does not correspond to the expected one,
- constructing the exploitation means also enabling the unit to execute the instructions of the instructions set, the execution of said instructions being triggered by the execution in the data processing system, of the instructions commands,
- and modifying the protected software:
- by modifying at least one chosen portion of the source of the protected software:
- by transforming the elementary functions into instructions,
- by specifying the chaining by which must abide at least some of the instructions during their execution in the unit,
- and by transforming the elementary commands into instructions commands corresponding to the instructions used,
- by modifying at least one chosen portion of the source of the protected software:
- defining:
- → and during the usage phase, in the presence of the unit, in the case where it is detected that the chaining of the instructions executed in the unit does not correspond to the expected one, informing the data processing system of it and/or modifying the functioning of the portion of the protected software, so that the functioning of the protected software is modified.
- According to a variant embodiment, the process according to the invention comprises:
- → during the protection phase:
- defining:
- as instructions set, an instructions set whose at least some instructions work with registers and use at least one operand with the intention of returning a result,
- for at least some of the instructions working with registers:
- a part defining the functionality of the instruction,
- and a part defining the expected chaining for the execution of the instructions and including bits fields corresponding to:
- an identification field of the instruction,
- and for each operand of the instruction:
- a flag field,
- and an expected identification field of the operand,
- for each register belonging to the exploitation means and used by the instructions set, a generated identification field in which is automatically memorized the identification of the last instruction which has returned its result in said register,
- as detection means, means enabling, during the execution of an instruction, for each operand, when the flag field imposes it, to check the equality of the generated identification field corresponding to the register used by said operand, and the expected identification field of the origin of said operand,
- and as coercion means, means enabling to modify the result of the instructions, if at least one of the checked equalities is false.
- defining:
- According to another preferred embodiment, the process according to the invention comprises:
- → during the protection phase:
- defining:
- as a triggering command, an elementary command or an instruction command,
- as a dependent function, an elementary function or an instruction,
- as an order, at least one argument for a triggering command, corresponding at least in part to the information transmitted by the data processing system to the unit, so as to trigger the execution of the corresponding dependent function,
- a method of renaming of the orders enabling to rename the orders so as to obtain triggering commands with renamed orders,
- and restoring means designed to be used in the unit during the usage phase, and enabling to restore the dependent function to execute, from the renamed order,
- constructing exploitation means enabling the unit to also implement the restoring means,
- and modifying the protected software:
- by choosing in the source of the protected software, triggering commands,
- by modifying at least one chosen portion of the source of the protected software by renaming the orders of the chosen triggering commands, so as to conceal the identity of the corresponding dependent functions,
- and by producing:
- the first object part of the protected software, said first object part being such that during the execution of the protected software, the triggering commands with renamed orders are executed,
- and the second object part of the protected software containing the exploitation means also implementing the restoring means, said second object part being such that, after upload to the unit and during the execution of the protected software, the identity of the dependent functions whose execution is triggered by the first execution part is restored by means of the second execution part, and the dependent functions are executed by means of the second execution part,
- defining:
- → and during the usage phase:
- in the presence of the unit and each time a triggering command with renamed order, contained in a portion of the first execution part imposes it, restoring in the unit, the identity of the corresponding dependent function and executing it, so that said portion is executed correctly and that, consequently, the protected software is completely functional,
- and in the absence of the unit, in spite of the request by a portion of the first execution part, to trigger the execution of a dependent function in the unit, not being able to fulfill said request correctly, so that at least said portion is not executed correctly and that, consequently, the protected software is not completely functional.
- According to a variant embodiment, the process according to the invention comprises:
- → during the protection phase:
- defining for at least one dependent function, a family of dependent functions algorithmically equivalent, but triggered by triggering commands whose renamed orders are different,
- and modifying the protected software:
- by choosing, in the source of the protected software at least one triggering command with renamed order,
- and by modifying at least one chosen portion of the source of the protected software by replacing at least the renamed order of one chosen triggering command with renamed order, with another renamed order, triggering a dependent function of the same family.
- According to a variant embodiment, the process according to the invention comprises:
- → during the protection phase, defining, for at least one dependent function, a family of algorithmically equivalent dependent functions:
- by concatenating a field of noise to the information defining the functional part of the dependent function to execute in the unit,
- or by using the identification field of the instruction and the expected identification fields of the operands.
- According to a variant embodiment, the process according to the invention comprises:
- → during the protection phase:
- defining:
- as method of renaming of the orders, a ciphering method to cipher the orders,
- and as restoring means, means implementing a deciphering method to decipher the renamed orders and thus restore the identity of the dependent functions to execute in the unit.
- defining:
- According to another preferred embodiment, the process according to the invention comprises:
- → during the protection phase:
- modifying the protected software:
- by choosing, in the source of the protected software, at least one conditional branch carried out in at least one chosen algorithmic processing,
- by modifying at least one chosen portion of the source of the protected software, this modification being such that during the execution of the protected software, the functionality of at least one chosen conditional branch is executed, by means of the second execution part, in the unit,
- and by producing:
- the first object part of the protected software, said first object part being such that during the execution of the protected software, the functionality of at least one chosen conditional branch is executed in the unit,
- and the second object part of the protected software, said second object part being such that, after upload to the unit and during the execution of the protected software, appears the second execution part by means of which the functionality of at least one chosen conditional branch is executed,
- modifying the protected software:
- → and during the usage phase:
- in the presence of the unit and each time a portion of the first execution part imposes it, executing the functionality of at least one conditional branch in the unit, so that said portion is executed correctly and that, consequently, the protected software is completely functional,
- and in the absence of the unit and in spite of the request by a portion of the first execution part to execute the functionality of a conditional branch in the unit, not being able to fulfill said request correctly, so that at least said portion is not executed correctly and that consequently, the protected software is not completely functional.
- According to a variant embodiment, the process according to the invention comprises, during the protection phase, modifying the protected software:
-
- by choosing, in the source of the protected software, at least one series of chosen conditional branches,
- by modifying at least one chosen portion of the source of the protected software, this modification being such that during the execution of the protected software, the overall functionality of at least one chosen series of conditional branches is executed, by means of the second execution part, in the unit,
- and by producing:
- the first object part of the protected software, said first object part being such that during the execution of the protected software, the functionality of at least one chosen series of conditional branches is executed in the unit,
- and the second object part of the protected software, said second object part being such that, after upload to the unit and during the execution of the protected software, appears the second execution part by means of which the overall functionality of at least one chosen series of conditional branches is executed.
- The process according to the invention thus enables to protect usage of a software by using a processing and memorizing unit which presents the characteristic of containing a part of the software being executed. It follows that any derived version of the software attempting to work without the processing and memorizing unit imposes to recreate the part of the software contained in the processing and memorizing unit during the execution, or else said derived version of the software will not be completely functional.
- Various other characteristics emerge from the description made below in reference to the appended diagrams which show, as non-limiting examples, embodiments and implementations of the subject of the invention.
-
FIGS. 10 and 11 are functional blocks diagrams illustrating the various representations of a software respectively not protected and protected by the process in accordance with the invention. - FIGS. 20 to 22 illustrate as examples, various embodiments of an apparatus implementing the process in accordance with the invention.
-
FIGS. 30 and 31 are functional blocks diagrams making explicit the general principle of the process in accordance with the invention. - FIGS. 40 to 43 are diagrams illustrating the protection process according to the invention implementing the principle of protection by variable. FIGS. 50 to 54 are diagrams illustrating the protection process according to the invention implementing the principle of protection by temporal dissociation.
- FIGS. 60 to 64 are diagrams illustrating the protection process according to the invention implementing the principle of protection by elementary functions.
- FIGS. 70 to 74 are diagrams illustrating the protection process according to the invention implementing the principle of protection by detection and coercion.
- FIGS. 80 to 85 are diagrams illustrating the protection process according to the invention implementing the principle of protection by par renaming.
- FIGS. 90 to 92 are diagrams illustrating the protection process according to the invention implementing the principle of protection by conditional branch.
-
FIG. 100 is a diagram illustrating the different phases of implementation of the subject of the invention. -
FIG. 110 illustrates an embodiment of a system allowing the implementation of the construction stage of the protection phase in accordance with the invention. -
FIG. 120 illustrates an embodiment of a pre-customization unit used in the protection process in accordance with the invention. -
FIG. 130 illustrates an embodiment of a system allowing the implementation of the tools making stage of the protection phase in accordance with the invention. -
FIG. 140 illustrates an embodiment of a system allowing the implementation of the protection process according to the invention. -
FIG. 150 illustrates an embodiment of a customization unit used in the protection process in accordance with the invention. - In the rest of the description, the following definitions will be used:
-
- A
data processing system 3 is a system able to execute a program. - A processing and memorizing unit is a unit able:
- to accept data provided by a
data processing system 3, - to return data to the
data processing system 3, - to store data at least partly in secret and to retain at least a part of said data even if the unit is switched off,
- and to carry out algorithmic processing on said data, part or all of the result being secret.
- to accept data provided by a
- A
unit 6 is a processing and memorizing unit implementing the process according to the invention. - A
blank unit 60 is a unit which does not implement the process according to the invention, but which can receive data transforming it into aunit 6. - A
pre-customized unit 66 is ablank unit 60 which has received part of data enabling it, after reception of supplementary data, to be transformed into aunit 6. - The upload of information to a
blank unit 60 or apre-customized unit 66 corresponds to a transfer of information to theblank unit 60 or thepre-customized unit 66, and to a storage of said transferred information. The transfer can possibly include a change of the information format. - A variable, a function or data contained in the
data processing system 3 will be indicated by an uppercase letter, while a variable, a function or data contained in theunit 6 will be indicated by a lowercase letter. - A “protected software”, is a software which has been protected by at least one of the principles of protection implemented by the process in accordance with the invention.
- A “vulnerable software”, is a software which has not been protected by any principle of protection implemented by the process in accordance with the invention.
- In the case where differentiation between a vulnerable software and a protected software is not important, the term “software” is used.
- A software has various representations depending on the instant considered in its life cycle:
- a source representation,
- an object representation,
- a distribution,
- or a dynamic representation.
- A source representation of a software is understood as a representation which after transformation, results in an object representation. A source representation can offer different levels, from a conceptual abstract level to a level executable directly by a data processing system or a processing and memorizing unit.
- An object representation of a software corresponds to a level of representation which after transfer to a distribution and upload to a data processing system or a processing and memorizing unit, can be executed. It can be, for instance, a binary code, an interpreted code, etc.
- A distribution is a physical or virtual support containing the object representation, said distribution having to be put at the user's disposal to enable them to use the software.
- A dynamic representation corresponds to the execution of the software from its distribution.
- A portion of a software corresponds to some part of the software and can, for instance correspond, to one or several consecutive or not instructions, and/or one or several consecutive or not functional blocks, and/or one or several functions, and/or one or several subprograms, and/or one or several modules. A portion of a software can also correspond to all of said software.
- A
-
FIGS. 10 and 11 illustrate the various representations respectively of a vulnerable software 2 v in the general sense, and of a protected software 2 p protected according to the process in accordance with the invention. -
FIG. 10 illustrates various representations of a vulnerable software 2 v appearing during its life cycle. The vulnerable software 2 v can thus appear under any of the following representations: -
- a
source representation 2 vs, - an
object representation 2 vo, - a
distribution 2 vd. Said distribution can have commonly the form of a physical distribution medium such as a CDROM or the form of files distributed through a network (GSM, Internet, etc.), - or a
dynamic representation 2 ve corresponding to the execution of the vulnerable software 2 v on adata processing system 3 of any known type, which classically includes, at least oneprocessor 4.
- a
-
FIG. 11 illustrates various representations of a protected software 2 p appearing during its life cycle. The protected software 2 p can thus appear under any of the following representations: -
- a
source representation 2 ps including a first source part intended for thedata processing system 3 and a second source part intended for theunit 6, part of said source parts can commonly be contained in common files, - an
object representation 2 po including afirst object part 2 pos intended for thedata processing system 3 and asecond object part 2 pou intended for theunit 6, - a
distribution 2 pd including:- a
first distribution part 2 pds containing thefirst object part 2 pos, saidfirst distribution part 2 pds being intended for thedata processing system 3 and which can commonly have the form of a physical distribution medium such as a CDROM or the form of files distributed through a network (GSM, Internet, etc.), - and a
second distribution part 2 pdu having the form:- of at least one
pre-customized unit 66 to which a part of thesecond object part 2 pou has been uploaded and for which the user has to finish the customization by uploading supplementary data so as to obtain aunit 6, said supplementary data being obtained, for instance, by download through a network, - or of at least one
unit 6 to which thesecond object part 2 pou has been uploaded,
- of at least one
- a
- or a
dynamic representation 2 pe corresponding to the execution of the protectedsoftware 2 p. Saiddynamic representation 2 pe includes afirst execution part 2 pes which is executed in thedata processing system 3 and ansecond execution part 2 peu which is executed in theunit 6.
- a
- In the case where the differentiation between the different representations of the protected software 2 p is not important, the expressions first part of the protected software and second part of the protected software shall be used.
- The implementation of the process according to the invention in accordance with the dynamic representation of
FIG. 11 , uses anapparatus 1 p including adata processing system 3 linked up by alink 5 to aunit 6. Thedata processing system 3 is of any type and includes, classically, at least oneprocessor 4. Thedata processing system 3 can be a computer or be part, for instance, of various machines, devices, fixed or mobile products, or vehicles in the general sense. Thelink 5 can be realized in any possible way, such as for instance a serial link, a USB bus, a radio link, an optical link, a network link or a direct electric connection to a circuit ofdata processing system 3, etc. It should be observed that theunit 6 can possibly be physically located inside the same integrated circuit than theprocessor 4 of thedata processing system 3. In this case, theunit 6 can be considered as a co-processor in relation to theprocessor 4 of thedata processing system 3 and thelink 5 is internal to the integrated circuit. - FIGS. 20 to 22 show in an illustrative and non-limiting manner, various embodiments of the
apparatus 1 p allowing the implementation of the protection process in accordance with the invention. - In the embodiment illustrated in
FIG. 20 , theprotection apparatus 1 p includes, as adata processing system 3, a computer and, as aunit 6, achip card 7 and itsinterface 8 commonly called card reader. Thecomputer 3 is linked up to theunit 6 by alink 5. During the execution of the protected software 2 p, thefirst execution part 2 pes which is executed in thecomputer 3 and thesecond execution part 2 peu which is executed in thechip card 7 and itsinterface 8, must both be functional so that the protected software 2 p is completely functional. - In the embodiment illustrated in
FIG. 21 , theprotection apparatus 1 p equips aproduct 9 in the general sense, includingvarious components 10 adapted to the function(s) assumed by such aproduct 9. Theprotection apparatus 1 p includes, on the one hand, adata processing system 3 embedded in theproduct 9 and, on the other hand, aunit 6 associated with theproduct 9. So that theproduct 9 is completely functional, the protected software 2 p, must be completely functional. Thus, during the execution of the protected software 2 p, thefirst execution part 2 pes which is executed in thedata processing system 3 and thesecond execution part 2 peu which is executed in theunit 6, must both be functional. Said protected software 2 p enables therefore indirectly, to protect against unauthorized usage, theproduct 9 or one of its functionalities. For instance, theproduct 9 can be an installation, a system, a machine, a toy, a piece of domestic appliances, a phone, etc. - In the embodiment illustrated in
FIG. 22 , theprotection apparatus 1 p includes several computers, as well as part of a communication network. Thedata processing system 3 is a first computer linked up by alink 5 of network type, to aunit 6 constituted by a second computer. For the implementation of the invention, thesecond computer 6 is used as a license server for a protected software 2 p. During the execution of the protected software 2 p, thefirst execution part 2 pes which is executed in thefirst computer 3 and thesecond execution part 2 peu which is executed in thesecond computer 6, must both be functional so that the protected software 2 p is completely functional. -
FIG. 30 enables to make explicit more precisely, the protection process in accordance with the invention. It should be observed that a vulnerable software 2 v, is considered as being executed totally in adata processing system 3. On the other hand, in the case of the implementation of a protected software 2 p, thedata processing system 3 includes transfer means 12 linked up by thelink 5, to transfer means 13 being part of theunit 6 enabling to establish communication between thefirst execution part 2 pes and thesecond execution part 2 peu of the protected software 2 p. - It must be considered that the transfer means 12, 13 are of software and/or hardware nature and are capable of providing and, possibly, optimizing the data communication between the
data processing system 3 and theunit 6. Said transfer means 12, 13 are adapted to enable to have at one's disposal a protected software 2 p which is, preferably, independent from the type oflink 5 used. Said transfer means 12, 13 are not part of the subject of the invention and are not described more precisely as they are well known by the Man of art. The first part of the protected software 2 p includes commands. During the execution of the protected software 2 p, the execution of said commands by thefirst execution part 2 pes enables the communication between thefirst execution part 2 pes and thesecond execution part 2 peu. In the rest of the description, said commands are represented by IN, OUT or TRIG. - As illustrated in
FIG. 31 , to allow the implementation of thesecond execution part 2 peu of the protected software 2 p, theunit 6 includes protection means 14. The protection means 14 include memorization means 15 and processing means 16. - For the sake of simplification in the rest of the description, it is chosen to consider, during the execution of the protected software 2 p, the presence of the
unit 6 or the absence of theunit 6. In actual fact, aunit 6 providing protection means 14 not adapted to the execution of thesecond execution part 2 peu of the protected software 2 p is also considered as missing, each time the execution of the protected software 2 p is not correct. In other words: -
- a
unit 6 physically present and including protection means 14 adapted to the execution of thesecond execution part 2 peu of the protected software 2 p, is always considered as present, - a
unit 6 physically present but including protection means 14 not adapted, i.e. not allowing the correct implementation of thesecond execution part 2 peu of the protected software 2 p is considered as present, when it works correctly, and as missing when it does not work correctly, - and a
unit 6 physically missing is always considered as missing.
- a
- In the case where the
unit 6 is constituted by achip card 7 and itsinterface 8, the transfer means 13 are split into two parts, one being on theinterface 8 and the other one being on thechip card 7. In this embodiment, the absence of thechip card 7 is considered as equivalent to the absence of theunit 6. In other words, in the absence of thechip card 7 and/or itsinterface 8, the protection means 14 are not accessible and do not enable the execution of thesecond execution part 2 peu of the protected software 2 p, so much so that the protected software 2 p is not completely functional. - In accordance with the invention, the protection process aims at implementing a principle of protection, called by “temporal dissociation”, a description of which is carried out in relation to FIGS. 50 to 54.
- For the implementation of the principle of protection by temporal dissociation, is chosen, in the source of the
vulnerable software 2 vs, at least one algorithmic processing using at least one operand and returning at least one result. Is also chosen at least one portion of the source of thevulnerable software 2 vs containing at least one chosen algorithmic processing. - At least one chosen portion of the source of the
vulnerable software 2 vs is then modified, so as to obtain the source of the protectedsoftware 2 ps. This modification is such that, among others: -
- during the execution of the protected software 2 p, at least one portion of the
first execution part 2 pes, which is executed in thedata processing system 3, takes into account that the functionality of at least one chosen algorithmic processing is executed in theunit 6, - during the execution of the protected 2 p, the
second execution part 2 peu, which is executed in theunit 6, executes at least the functionality of at least one chosen algorithmic processing, - during the execution of the protected software 2 p, each chosen algorithmic processing is split into several distinct steps, namely:
- step 1: the placing of the operand(s) at the
unit 6's disposal, - step 2: the carrying out in the
unit 6, of the functionality of the chosen algorithmic processing using said operand(s), - and step 3: possibly, the placing of the result of the chosen algorithmic processing at the
data processing system 3's disposal by theunit 6,
- step 1: the placing of the operand(s) at the
- steps commands are defined to trigger the execution of the steps,
- and a sequence of the steps commands is chosen among the set of sequences allowing the execution of the protected software 2 p.
- during the execution of the protected software 2 p, at least one portion of the
- The
first execution part 2 pes of the protected software 2 p, which is executed in thedata processing system 3, executes the steps commands, triggering in theunit 6, the execution by means of thesecond execution part 2 peu, of each of the previously defined steps. -
FIG. 50 illustrates an example of execution of avulnerable software 2 v. In this example, appears, during the execution of the vulnerable software 2 v, in thedata processing system 3, at a certain time instant, the calculation of Z←F(X, Y) corresponding to the assignment to a variable Z, of the result of an algorithmic processing represented by a function F and using operands X and Y. -
FIG. 51 illustrates an example of implementation of the invention for which the algorithmic processing chosen inFIG. 50 is remoted in theunit 6. In this example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p and in the presence of theunit 6, appear: -
- at time instant t1, the
step 1, i.e. the execution of a step command CE1 triggering the transfer of data X and Y from thedata processing system 3 to the memorization zones respectively x and y located in the memorization means 15 of theunit 6, said step command CE, being represented by OUT(x, X), OUT(y, Y), - at time instant t2, the
step 2, i.e. the execution of a step command CE2, triggering in theunit 6, the execution by means of thesecond execution part 2 peu, of the function f, said function f being algorithmically equivalent to the function F and said step command CE2 being represented by TRIG(f). More precisely, the execution of the step command CE2 leads to the execution of the function f which uses the contents of the memorization zones x and y and returns its result to a memorization zone z of theunit 6, - and at time instant t3, the
step 3, i.e. the execution of a step command CE3 triggering the transfer of the result of the function f, contained in the memorization zone z of theunit 6 to thedata processing system 3 so as to assign it to the variable Z, said step command CE3 being represented by IN(z).
- at time instant t1, the
- In the illustrated example, the
steps 1 to 3 are executed successively. It should be observed that two improvements can be effected: -
- The first improvement concerns the case where several algorithmic processings are remoted in the
unit 6 and at least the result of one algorithmic processing is used by another algorithmic processing. In this case, certain transfer steps can possibly be removed. - The second improvement aims at opting for a pertinent sequence of the steps commands among the set of sequences allowing the execution of the protected software 2 p. In this respect, it is preferable to chose a sequence of the steps commands which temporally dissociates the execution of the steps, by intercalating between them, portions of code executed in the
data processing system 3 and including or not steps commands used to determine other data.FIGS. 52 and 53 illustrate the principle of such an embodiment.
- The first improvement concerns the case where several algorithmic processings are remoted in the
-
FIG. 52 shows an example of execution of avulnerable software 2 v. In this example, appears, during the execution of the vulnerable software 2 v, in thedata processing system 3, the execution of two algorithmic processings leading to the determination of Z and Z′, such that Z←F (X, Y) and Z′←F′ (X′, Y′). -
FIG. 53 illustrates an example of implementation of the process according to the invention for which the two algorithmic processings chosen inFIG. 52 are remoted in theunit 6. According to such an example, during the execution in thedata processing system 3, of thefirst execution part 2 pes of the protected software 2 p, and in the presence of theunit 6, appears, as explained above, the execution of steps commands CE1, CE2, CE3 corresponding to the determination of Z and of steps commands CE′1, CE′2, CE′3 corresponding to the determination of Z′. As illustrated, the steps commands CE1 to CE3 are not executed consecutively inasmuch as steps commands CE′1 to CE′3, as well as other code portions are intercalated. In the example, the following sequence is thus carried out: CE1, portion of intercalated code, CE2, portion of intercalated code, CE′1, portion of intercalated code, CE′2, portion of intercalated code, CE′3, portion of intercalated code, CE3. - It should be observed that, during the execution of the protected software 2 p, in the presence of the
unit 6, each time a step command contained in a portion of thefirst execution part 2 pes of the protected software 2 p imposes it, the corresponding step is executed in theunit 6. Thus, it appears, that in the presence of theunit 6, said portion is executed correctly and that, consequently, the protected software 2 p is completely functional. -
FIG. 54 illustrates an example of an attempt of execution of the protected software 2 p, when theunit 6 is missing. In this example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p: -
- at time instant t1, the execution of the step command OUT(x, X), OUT(y, Y) cannot trigger the transfer of data X and Y to the respective memorization zones x and y taking into account the absence of the
unit 6, - at time instant t2, the execution of the step command TRIG(f) cannot trigger the execution of the function f, taking into account the absence of the
unit 6, - and at time instant t3, the execution of the step command IN(z) cannot trigger the transfer of the result of the function f, taking into account the absence of the
unit 6.
- at time instant t1, the execution of the step command OUT(x, X), OUT(y, Y) cannot trigger the transfer of data X and Y to the respective memorization zones x and y taking into account the absence of the
- It therefore appears that in the absence of the
unit 6, at least one request by a portion of thefirst execution part 2 pes to trigger the execution of a step in theunit 6, cannot be fulfilled correctly, so that at least said portion is not executed correctly and that, consequently, the protected software 2 p is not completely functional. - According to another advantageous characteristic of the invention, the protection process aims at implementing a principle of protection called by <<variable>> a description of which is carried out in relation to FIGS. 40 to 43.
- For the implementation of the principle of protection by variable, is chosen in the source of the
vulnerable software 2 vs at least one variable which, during the execution of the vulnerable software 2 v, partially defines its state. By state of a software, must be understood the set of pieces of information, at a given moment, necessary to the complete execution of said software, so much so that the absence of such a chosen variable prejudices the complete execution of said software. Is also chosen at least one portion of the source of thevulnerable software 2 vs containing at least one chosen variable. - At least one chosen portion of the source of the
vulnerable software 2 vs is then modified, so as to obtain the source of the protectedsoftware 2 ps. This modification is such that during the execution of the protected software 2 p, at least one portion of thefirst execution part 2 pes which is executed in thedata processing system 3, takes into account that at least one chosen variable or at least one copy of chosen variable resides in theunit 6. -
FIG. 40 illustrates an example of execution of avulnerable software 2 v. In this example, during the execution of the vulnerable software 2 v in thedata processing system 3, appear: -
- at time instant t1, the assignment of the data X to the variable V1, represented by V1←X,
- at time instant t2, the assignment of the value of the variable V1 to the variable Y, represented by Y←V1,
- and at time instant t3, the assignment of the value of the variable V1 to the variable Z, represented by Z←V1.
-
FIG. 41 illustrates an example of a first form of implementation of the invention for which the variable resides in theunit 6. In this example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p, and in presence of theunit 6, appear: -
- at time instant ti, the execution of a transfer command triggering the transfer of the data X from the
data processing system 3 to the variable v1 located in the memorization means 15 of theunit 6, said transfer command being represented by OUT(v1, X) and corresponding in the end to the assignment of the data X to the variable v1, - at time instant t2, the execution of a transfer command triggering the transfer of the value of the variable v1 residing in the
unit 6 to thedata processing system 3 so as to assign it to the variable Y, said transfer command being represented by IN(v1) and corresponding in the end to the assignment of the value of the variable v1 to the variable Y, - and at time instant t3, the execution of a transfer command triggering the transfer of the value of the variable v1 residing in the
unit 6 to thedata processing system 3 so as to assign it to the variable Z, said transfer command being represented by IN(v1) and corresponding in the end to the assignment of the value of the variable v1 to the variable Z.
- at time instant ti, the execution of a transfer command triggering the transfer of the data X from the
- It should be observed that during the execution of the protected software 2 p, at least one variable resides in the
unit 6. Thus, when a portion of thefirst execution part 2 pes of the protected software 2 p imposes it, and in the presence of theunit 6, the value of said variable residing in theunit 6 is transferred to thedata processing system 3 to be used by thefirst execution part 2 pes of the protected software 2 p, so much so that said portion is executed correctly and that, consequently, the protected software 2 p is completely functional. -
FIG. 42 illustrates an example of a second form of implementation of the invention for which a copy of the variable resides in theunit 6. In this example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p, and in the presence of theunit 6, appear: -
- at time instant t1, the assignment of the data X to the variable V1 located in the
data processing system 3, as well as the execution of a transfer command triggering the transfer of the data X from thedata processing system 3 to the variable v1 located in the memorization means 15 of theunit 6, said transfer command being represented by OUT(v1, X), - at time instant t2, the assignment of the value of the variable V1 to the variable Y,
- and at time instant t3, the execution of a transfer command triggering the transfer of the value of the variable v1 residing in the
unit 6 to thedata processing system 3 so as to affect it to the variable Z, said transfer command being represented by IN(v1).
- at time instant t1, the assignment of the data X to the variable V1 located in the
- It should be observed that during the execution of the protected software 2 p, at least one copy of a variable resides in the
unit 6. Thus, when a portion of thefirst execution part 2 pes of the protected software 2 p, imposes it, and in the presence of theunit 6, the value of said copy of variable residing in theunit 6 is transferred to thedata processing system 3 to be used by thefirst execution part 2 pes of the protected software 2 p, so much so that said portion is executed correctly and that, consequently, the protected software 2 p is completely functional. -
FIG. 43 illustrates an example of attempt of execution of the protected software 2 p, when theunit 6 is missing. In this example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p: -
- at time instant t1, the execution of the transfer command OUT(v1, X) cannot trigger the transfer of the data X to the variable v1, taking into account the absence of the
unit 6, - at time instant t2, the execution of the transfer command IN(v1) cannot trigger the transfer of the value of the variable v1 to the
data processing system 3, taking into account the absence of theunit 6, - and at time instant t3, the execution of the transfer command IN(v1) cannot trigger the transfer of the value of the variable v1 to the
data processing system 3, taking into account the absence of theunit 6.
- at time instant t1, the execution of the transfer command OUT(v1, X) cannot trigger the transfer of the data X to the variable v1, taking into account the absence of the
- It therefore appears that in the absence of the
unit 6, at least one request by a portion of thefirst execution part 2 pes to use a variable or a copy of variable residing in theunit 6, cannot be fulfilled correctly, so that at least said portion is not executed correctly and that, consequently, the protected software 2 p is not completely functional. - It should be observed that the data transfers between the
data processing system 3 and theunit 6 illustrated in the previous examples use only simple assignments but that the Man of art will know how to combine them with other operations to obtain complex operations such as for instance OUT(v1, 2*X+3) or Z←(5*v1+v2). - According to another advantageous characteristic of the invention, the protection process aims at implementing a principle of protection called by <<elementary function>> a description of which is carried out in relation to FIGS. 60 to 64.
- For the implementation of the principle of protection by elementary functions, are defined:
-
- a set of elementary functions whose elementary functions are liable to be executed, by means of the
second execution part 2 peu, in theunit 6, and possibly to transfer data between thedata processing system 3 and theunit 6, - and a set of elementary commands for said set of elementary functions, said elementary commands being liable to be executed in the
data processing system 3 and to trigger the execution in theunit 6, of the corresponding elementary functions.
- a set of elementary functions whose elementary functions are liable to be executed, by means of the
- For the implementation of the principle of protection by elementary functions, are also constructed exploitation means enabling to transform a
blank unit 60 into aunit 6 able to execute elementary functions, the execution of said elementary functions being triggered by the execution in thedata processing system 3, of elementary commands. - For the implementation of the principle of protection by elementary functions, is also chosen, in the source of the
vulnerable software 2 vs, at least one algorithmic processing using at least one operand and returning at least one result. Is also chosen at least one portion of the source of thevulnerable software 2 vs containing at least one chosen algorithmic processing. - At least one chosen portion of the source of the
vulnerable software 2 vs is then modified, so as to obtain the source of the protectedsoftware 2 ps. This modification is such that, among others: -
- during the execution of the protected software 2 p, at least one portion of the
first execution part 2 pes, which is executed in thedata processing system 3, takes into account that the functionality of at least one chosen algorithmic processing is executed in theunit 6, - during the execution of the protected software 2 p, the
second execution part 2 peu, which is executed in theunit 6, executes at least the functionality of at least one chosen algorithmic processing, - each chosen algorithmic processing is split so that during the execution of the protected software 2 p, each chosen algorithmic processing is executed, by means of the
second execution part 2 peu, using elementary functions. Preferably, each chosen algorithmic processing is split into elementary functions fen (with n varying from 1 to N), namely:- possibly one or several elementary functions enabling the placing of one or several operands at the
unit 6's disposal, - elementary functions, some of which use the operand(s) and in combination, execute the functionality of the chosen algorithmic processing, using said operand(s),
- and possibly one or several elementary functions enabling the placing of the result of the chosen algorithmic processing at the
data processing system 3's disposal by theunit 6,
- possibly one or several elementary functions enabling the placing of one or several operands at the
- and a sequence of the elementary commands is chosen among the set of sequences allowing the execution of the protected software 2 p.
- during the execution of the protected software 2 p, at least one portion of the
- The
first execution part 2 pes of the protected software 2 p, which is executed in thedata processing system 3, executes elementary commands CFEn (with n varying from 1 to N), triggering in theunit 6, the execution by means of thesecond execution part 2 peu, of each of the previously defined elementary functions fen. -
FIG. 60 illustrates an example of execution of avulnerable software 2 v. In this example, appears, during the execution of the vulnerable software 2 v in thedata processing system 3, at a certain time instant, the calculation of Z←F(X, Y) corresponding to the assignment to a variable Z of the result of an algorithmic processing represented by a function F and using operands X and Y. -
FIG. 61 illustrates an example of implementation of the invention for which the algorithmic processing chosen inFIG. 60 is remoted in theunit 6. In this example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p and in the presence of theunit 6, appear: -
- at time instants t1, t2, the execution of the elementary commands CFE1, CFE2 triggering in the
unit 6, the execution by means of thesecond execution part 2 peu, of the corresponding elementary functions fe1, fe2 which provide the transfer of data X, Y from thedata processing system 3 to memorization zones respectively x, y located in the memorization means 15 of theunit 6, said elementary commands CFE1, CFE2 being represented respectively by OUT(x, X), OUT(y, Y), - at time instants t3 to tN-1, the execution of the elementary commands CFE3 to CFEN-1, triggering in the
unit 6, the execution by means of thesecond execution part 2 peu, of the corresponding elementary functions fe3 to feN-1, said elementary commands CFE3 to CFEN-1 being represented, respectively, by TRIG(fe3) to TRIG(feN-1). The series of elementary functions fe3 to feN-1 executed in combination is algorithmically equivalent to the function F. More precisely, the execution of said elementary commands leads to the execution in theunit 6, of the elementary functions fe3 to feN-1 which use the contents of the memorization zones x, y and return the result to a memorization zone z of theunit 6, - and at time instant tN, the execution of the elementary command CFEN triggering in the
unit 6, the execution by means of thesecond execution part 2 peu, of the elementary function feN providing the transfer of the result of the algorithmic processing, contained in the memorization zone z of theunit 6 to thedata processing system 3, so as to assign it to the variable Z, said elementary command CFEN being represented by IN(z).
- at time instants t1, t2, the execution of the elementary commands CFE1, CFE2 triggering in the
- In the illustrated example, the
elementary commands 1 to N are executed successively. It should be observed that two improvements can be effected: -
- The first improvement concerns the case where several algorithmic processings are remoted in the
unit 6 and at least the result of one algorithmic processing is used by another algorithmic processing. In this case, some elementary commands used for the transfer, can possibly be removed. - The second improvement aims at opting for a pertinent sequence of the elementary commands among the set of sequences allowing the execution of the protected software 2 p. In this respect, it is preferable to choose a sequence of the elementary commands which temporally dissociates the execution of the elementary functions, by intercalating between them, portions of code executed in the
data processing system 3 and including or not elementary commands used for the determination of other data.FIGS. 62 and 63 illustrate the principle of such an embodiment.
- The first improvement concerns the case where several algorithmic processings are remoted in the
-
FIG. 62 shows an example of execution of avulnerable software 2 v. In this example, appears during the execution of the vulnerable software 2 v, in thedata processing system 3, the execution of two algorithmic processings leading to the determination of Z and Z′, such that Z←F (X, Y) and Z′←F′(X′, Y′). -
FIG. 63 illustrates an example of implementation of the process according to the invention for which the two algorithmic processing chosen inFIG. 62 are remoted in theunit 6. According to such an example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p and in the presence of theunit 6, appear, as explained above, the execution of the elementary commands CFE1 to CFEN corresponding to the determination of Z and the execution of the elementary commands CFE′1 to CFE′M corresponding to the determination of Z′. As illustrated, the elementary commands CFE1 to CFEN are not executed consecutively, inasmuch as the elementary commands CFE′1 to CFE′M, as well as other portions of code are intercalated. In the example, the following sequence is thus carried out: CFE1, portion of intercalated code, CFE′1, CFE2, portion of intercalated code, CFE′2, CFE′3, portion of intercalated code, CFE′4, CFE3, CFE4, . . . , CFEN, CFE′M. - It should be observed that, during the execution of the protected software 2 p, in the presence of the
unit 6, each time an elementary command contained in a portion of thefirst execution part 2 pes of the protected software 2 p imposes it, the corresponding elementary function is executed in theunit 6. Thus, it appears, that in the presence of theunit 6, said portion is executed correctly and that, consequently, the protected software 2 p is completely functional. -
FIG. 64 illustrates an example of an attempt of execution of the protected software 2 p, when theunit 6 is missing. In this example, during the execution in thedata processing system 3, of thefirst execution part 2 pes of the protected software 2 p, at every time instant, the execution of an elementary command cannot trigger the execution of the corresponding elementary function, because of the absence of theunit 6. The value to assign to the variable Z cannot therefore be determined correctly. - It therefore appears, that in the absence of the
unit 6, at least one request by a portion of thefirst execution part 2 pes of the protected software 2 p, to trigger the execution of an elementary function in theunit 6 cannot be fulfilled correctly, so that at least said portion is not executed correctly and that, consequently, the protected software 2 p is not completely functional. - According to another advantageous characteristic of the invention, the protection process aims at implementing a principle of protection, called by <<detection and coercion>>, a description of which is carried out in relation to FIGS. 70 to 74.
- For the implementation of the principle of protection by detection and coercion, are defined:
-
- at least one software execution characteristic liable to be monitored at least in part in the
unit 6, - at least one criterion to abide by for at least one software execution characteristic,
- detection means 17 to implement in the
unit 6 and enabling to detect that at least one software execution characteristic does not abide by at least one associated criterion, - and coercion means 18 to implement in the
unit 6 and enabling to inform thedata processing system 3 and/or modify the execution of a software, when at least one criterion is not abided by.
- at least one software execution characteristic liable to be monitored at least in part in the
- For the implementation of the principle of protection by detection and coercion, are also constructed exploitation means enabling to transform a
blank unit 60 into aunit 6 implementing at least the detection means 17 and the coercion means 18. -
FIG. 70 illustrates the means necessary to the implementation of this principle of protection by detection and coercion. Theunit 6 includes the detection means 17 and the coercion means 18 belonging to the processing means 16. The coercion means 18 are informed by the detection means 17 that a criterion has not been abided by. - More precisely, the detection means 17 use information coming from the transfer means 13 and/or from the memorization means 15 and/or from the processing means 16, so as to monitor one or several software execution characteristics. For each software execution characteristic is set at least one criterion to abide by.
- In the case where it is detected that at least one software execution characteristic does not abide by at least one criterion, the detection means 17 inform the coercion means 18 of it. Said coercion means 18 are adapted to modify, in the appropriate way, the state of the
unit 6. - For the implementation of the principle of protection by detection and coercion, are also chosen:
-
- at least one software execution characteristic to monitor, among the software execution characteristics liable to be monitored,
- at least one criterion to abide by for at least one chosen software execution characteristic,
- in the source of the
vulnerable software 2 vs, at least one algorithmic processing for which at least one software execution characteristic is to be monitored, - and in the source of the
vulnerable software 2 vs, at least one portion containing at least one chosen algorithmic processing.
- At least one chosen portion of the source of the
vulnerable software 2 vs is then modified, so as to obtain the source of the protectedsoftware 2 ps. This modification is such that, during the execution of the protected software 2 p, among others: -
- at least one portion of the
first execution part 2 pes, which is executed in thedata processing system 3, takes into account that at least one chosen software execution characteristic is to be monitored, at least in part in theunit 6, - and the
second execution part 2 peu, which is executed in theunit 6, monitors at least in part, a chosen software execution characteristic.
- at least one portion of the
- During the execution of the protected software 2 p, protected by this principle of protection by detection and coercion, in the presence of the unit 6:
-
- as long as all the criteria corresponding to all the monitored execution characteristics of all the modified portions of the protected software 2 p are abided by, said modified portions of the protected software 2 p work nominally, so that said protected software 2 p works nominally,
- and if at least one of the criteria corresponding to a monitored execution characteristic of a portion of the protected software 2 p is not abided by, the
data processing system 3 is informed of it and/or the functioning of the portion of the protected software 2 p is modified, so that the functioning of the protected software 2 p is modified.
- Naturally, in the absence of the
unit 6, at least one request by a portion of thefirst execution part 2 pes of the protected software 2 p to use theunit 6 cannot be fulfilled correctly so that at least said portion is not executed correctly and that consequently the protected software 2 p is not completely functional. - For the implementation of the principle of protection by detection and coercion, two types of software execution characteristics are used preferentially.
- The first type of software execution characteristic corresponds to a variable of measurement of the execution of a software and the second type corresponds to a profile of usage of a software. Said two types of characteristics can be used independently or in combination.
- For the implementation of the principle of protection by detection and coercion using, as execution characteristic, a variable of measurement of software execution, are defined:
-
- in the memorization means 15, the possibility to memorize at least one variable of measurement used to quantify the usage of at least one functionality of a software,
- in the detection means 17, the possibility to monitor at least one threshold associated to each variable of measurement,
- and actualization means enabling to update each variable of measurement depending on the usage of the functionality to which it is associated.
- Are also constructed exploitation means implementing, in addition to the detection means 17 and the coercion means 18, the actualization means.
- Are also chosen, in the source of the
vulnerable software 2 vs: -
- at least one functionality of the vulnerable software 2 v whose usage is liable to be monitored using a variable of measurement,
- at least one variable of measurement used to quantify the usage of said functionality,
- at least one threshold associated to the variable of measurement corresponding to a limit of usage of said functionality,
- and at least one method of update of the variable of measurement depending on the usage of said functionality.
- The source of the
vulnerable software 2 vs is then modified, so as to obtain the source of the protectedsoftware 2 ps, this modification being such that, during the execution of the protected software 2 p, thesecond execution 2 peu: -
- actualizes the variable of measurement depending on the usage of said functionality,
- and takes into account at least one threshold crossing.
- In other words, during the execution of the protected software 2 p, the variable of measurement is updated depending on the usage of said functionality, and when the threshold is crossed, the detection means 17 inform of it the coercion means 18 which make an adapted decision to inform the
data processing system 3 and/or to modify the processings carried out by the processing means 16 enabling to modify the functioning of the portion of the protected software 2 p, so that the functioning of the protected software 2 p is modified. - For the implementation of a first preferred variant embodiment of the principle of protection by detection and coercion using, as characteristic, a variable of measurement, are defined:
-
- for at least one variable of measurement, several associated thresholds,
- and different coercion means corresponding to each of said thresholds.
- Are also chosen, in the source of the
vulnerable software 2 vs: -
- at least one variable of measurement used to quantify the usage of at least one functionality of the software and to which must be associated several thresholds corresponding to different limits of usage of said functionalities,
- and at least two thresholds associated to the variable of measurement.
- The source of the
vulnerable software 2 vs is then modified, so as to obtain the source of the protectedsoftware 2 ps, this modification being such that, during the execution of the protected software 2 p, thesecond execution part 2 peu: -
- actualizes the variable of measurement depending on the usage of said functionality,
- and takes into account, differently, the crossing of the various thresholds.
- In other words, classically, during the execution of the protected software 2 p, when the first threshold is crossed, the
unit 6 informs thedata processing system 3 enjoining the protected software 2 p not to use said functionality anymore. If the protected software 2 p carries on using said functionality, the second threshold will potentially be crossed. In the case where the second threshold is crossed, the coercion means 18 can make the chosen functionality ineffective and/or make the protected software 2 p ineffective. - For the implementation of a second preferred variant embodiment of the principle of protection by detection and coercion using, as characteristic, a variable of measurement, are defined refilling means enabling to credit at least one software functionality monitored by a variable of measurement with at least one additional usage.
- Are also constructed exploitation means implementing, in addition to the detection means 17, the coercion means 18 and the actualization means, the refilling means.
- Is also chosen, in the source of the
vulnerable software 2 vs, at least one variable of measurement used to limit the usage of at least one functionality of the software and which must be able to be credited with at least one additional usage. - The source of the
vulnerable software 2 vs is then modified, so as to obtain the source of the protectedsoftware 2 ps, this modification being such that, during a phase called of refilling, at least one additional usage of at least one functionality corresponding to a chosen variable of measurement can be credited. - Is carried out, during the phase of refilling, the reactualization of at least one chosen variable of measurement and/or of at least one associated threshold, so as to allow at least one additional usage of the corresponding functionality. In other words, it is possible, during the phase of refilling, to credit additional usages of at least one functionality of the protected software 2 p.
- For the implementation of the principle of protection by detection and coercion using, as characteristic, a profile of software usage, is defined as criterion to abide by for said profile of usage, at least one feature of software execution.
- Are also chosen, in the source of the
vulnerable software 2 vs: -
- at least one profile of usage to monitor,
- and at least one feature of execution by which at least one chosen profile of usage must abide.
- The source of the
vulnerable software 2 vs is then modified, so as to obtain the source of the protectedsoftware 2 ps, this modification being such that, during the execution of the protected software 2 p, thesecond execution part 2 peu abides by all the chosen features of execution. In other words, theunit 6 itself monitors the way thesecond execution part 2 peu is executed and can inform thedata processing system 3 and/or modify the functioning of the protected software 2 p, in the case where at least one feature of execution is not abided by. - During the execution of the protected software 2 p, protected by this principle, in the presence of the unit 6:
-
- as long as all the features of execution of all the modified portions of the protected software 2 p are abided by, said modified portions of the protected software 2 p work nominally, so that said protected software 2 p works nominally,
- and if at least one feature of execution of a portion of protected software 2 p is not abided by, the
data processing system 3 is informed of it and/or the functioning of the portion of the protected software 2 p is modified, so that the functioning of the protected software 2 p is modified.
- The monitoring of different features of execution can be considered, like for instance the monitoring of the presence of instructions including a marker or the monitoring of the execution chaining for at least one part of the instructions.
- For the implementation of the principle of protection by detection and coercion using as feature of execution to abide by, the monitoring of the execution chaining for at least one part of the instructions, are defined:
-
- an instructions set, whose instructions are liable to be executed in the
unit 6, - a set of instructions commands for said instructions set, said instructions commands are liable to be executed in the
data processing system 3. The execution of each of said instructions commands in thedata processing system 3 triggers in theunit 6, the execution of the corresponding instruction, - detection means 17 enabling to detect that the chaining of the instructions does not correspond to the expected one,
- and coercion means 18 enabling to inform the
data processing system 3 and/or to modify the execution of a software when the chaining of the instructions does not correspond to the expected one.
- an instructions set, whose instructions are liable to be executed in the
- Are also constructed exploitation means enabling the
unit 6 to also execute the instructions of the instructions set, the execution of said instructions being triggered by the execution in thedata processing system 3 of the instructions commands. - Is also chosen, in the source of the
vulnerable software 2 vs, at least one algorithmic processing which must be remoted in theunit 6 and for which the chaining of at least one part of the instructions is to be monitored. - The source of the
vulnerable software 2 vs is then modified, so as to obtain the source of thevulnerable software 2 ps, this modification being such that, during the execution of the protected software 2 p: -
- the
second execution part 2 peu executes at least the functionality of the chosen algorithmic processing, - the chosen algorithmic processing is split into instructions,
- the chaining by which at least some of the instructions must abide during their execution in the
unit 6 is specified, - and the
first execution part 2 pes of the protected software 2 p executes instructions commands which trigger the execution of the instructions in theunit 6.
- the
- During the execution of the protected software 2 p, protected by this principle, in the presence of the unit 6:
-
- as long as the chaining of the instructions of all the modified portions of the protected software 2 p, executed in the
unit 6 corresponds to the expected one, said modified portions of the protected software 2 p work nominally, so that said protected software 2 p works nominally, - and if the chaining of the instructions of a portion of the protected software 2 p executed in the
unit 6 does not correspond to the expected one, thedata processing system 3 is informed of it and/or the functioning of the portion of protected software 2 p is modified, so that the functioning of the protected software 2 p is modified.
- as long as the chaining of the instructions of all the modified portions of the protected software 2 p, executed in the
-
FIG. 71 illustrates an example of implementation of the principle of protection by detection and coercion using, as feature of execution to abide by the monitoring of the execution chaining of a at least one part of the instructions, in the case where the expected chaining is abided by. - The
first execution part 2 pes of the protected software 2 p, executed in thedata processing system 3, executes instructions commands CIi triggering, in theunit 6 the execution of the instructions ii belonging to the instructions set. In said instructions set, at least some of the instructions each include a part defining the functionality of the instruction and a part enabling to verify the expected chaining for the execution of the instructions. In this example, the instructions commands CIi are represented by TRIG(ii) and the expected chaining for the execution of the instructions is in, in+1 and in+2. The execution in theunit 6, of the instruction in gives the result a and the execution of the instruction in+1 gives the result b. The instruction in+2 uses as operand, the results a and b of the instructions in and in+1 and its execution gives the result c. - Taking into account that said chaining of the instructions executed in the
unit 6 corresponds to the expected one, it results in a normal or nominal functioning of the protected software 2 p. -
FIG. 72 illustrates an example of implementation of the principle of protection by detection and coercion using, as feature of execution to abide by, the monitoring of the execution chaining of at least one part of the instructions, in the case where the expected chaining is not abided by. - According to this example, the expected chaining for the execution of the instructions is still in, in+1 and in+2. However, the execution chaining is modified by the replacement of the instruction in with the instruction i′n, so that the chaining actually executed is i′n, in+1 and in+2. The execution of the instruction i′n gives the result a, i.e. the same result that the execution of the instruction in. However, at the latest during the execution of the instruction in+2, the detection means 17 detect that the instruction i′n does not correspond to the expected instruction to generate the result a used as operand of the instruction in+2. The detection means 17 inform of it the coercion means 18 which modify accordingly, the functioning of the instruction in+2, so that the execution of the instruction in+2 gives the result C′ which can be different than C. Naturally, if the execution of the instruction i′n gives a result a′ different from the result a of the instruction in, it is clear that the result of the instruction in+2 can also be different from c.
- Inasmuch as the execution chaining of the instructions executed in the
unit 6 does not correspond to the expected one, a modification of the functioning of the protected software 2 p can therefore be obtained. -
FIGS. 73 and 74 illustrates a preferred variant embodiment of the principle of protection by detection and coercion using, as feature of execution to abide by, the monitoring of the execution chaining of at least one part of the instructions. According to this preferred variant, is defined an instructions set whose at least some instructions work with registers and use at least one operand with the intention of returning a result. - As illustrated in
FIG. 73 , are defined for at least some of the instructions working with registers, a part PF defining the functionality of the instruction and a part PE defining the expected chaining for the execution of the instructions. The part PF corresponds to the operation code known by the Man of art. The part PE defining the expected chaining, includes bits fields corresponding to: -
- an identification field of the instruction CII,
- and for each operand k of the instruction, with k varying from 1 to K, and K number of operands of the instruction:
- a flag field CDk, indicating whether or not it is appropriate to verify the origin of the operand k,
- and an expected identification field CIPk of the operand, indicating the expected identity of the instruction which has generated the contents of the operand k.
- As illustrated in
FIG. 74 , the instructions set includes V registers belonging to the processing means 16, each register being named Rv, with v varying from 1 to V. For each register Rv, are defined two fields, namely: -
- a functional field CFv, known by the Man of art and enabling to store the result of the execution of the instructions,
- and a generated identification field CIGv enabling to memorize the identity of the instruction which has generated the contents of the functional field CFv. Said generated identification field CIGv is automatically updated with the contents of the identification field of the instruction CII which has generated the functional field CFv. Said generated identification field CIGv is neither accessible, nor modifiable by any of the instructions and is solely used for the detection means 17.
- During the execution of an instruction, the detection means 17 carry out for each operand k the following operations:
-
- the flag field CDk is read,
- if the flag field CDk imposes it, the expected identification field CIPk and the generated identification field CIGv corresponding to the register used by the operand k are both read,
- the equality of the two fields CIPk and CIGv is checked,
- and if the equality is false, the detection means 17 consider that the execution chaining of the instructions is not abided by.
- The coercion means 18 enable to modify the result of the instructions when the detection means 17 has informed them of an instructions chaining not abided by. A preferred embodiment is carried out by modifying the functional part PF of the instruction currently executed or the functional part PF of subsequent instructions.
- According to another advantageous characteristic of the invention, the protection process aims at implementing a principle of protection, called by <<renaming>> a description of which is carried out in relation to FIGS. 80 to 85.
- For the implementation of the principle of protection by renaming, are defined:
-
- a set of dependent functions, whose dependent functions are liable to be executed, by means of the
second execution part 2 peu, in theunit 6, and possibly to transfer data between thedata processing system 3 and theunit 6, said set of dependent functions can be finite or infinite, - a set of triggering commands for said dependent functions, said triggering commands being liable to be executed in the
data processing system 3 and to trigger in theunit 6, the execution of corresponding dependent functions, - for each triggering command, an order corresponding at least in part to the information transmitted by the
first execution part 2 pes, to thesecond execution part 2 peu, so as to trigger the execution of the corresponding dependent function, said order having the form of at least one argument of the triggering command, - a method of renaming of the orders designed to be used during the modification of the vulnerable software 2 v, such a method enabling to rename the orders so as to obtain triggering commands with renamed orders enabling to conceal the identity of the corresponding dependent functions,
- and restoring means 20 designed to be used in the
unit 6 during the usage phase and enabling to restore the initial order, from the renamed order, so as to restore the dependent function to execute.
- a set of dependent functions, whose dependent functions are liable to be executed, by means of the
- For the implementation of the principle of protection by renaming, are also constructed exploitation means enabling to transform a
blank unit 60 into aunit 6 implementing at least the restoringmeans 20. - For the implementation of the principle of protection by renaming, are also chosen, in the source of the
vulnerable software 2 vs: -
- at least one algorithmic processing using at least one operand and returning at least one result,
- and at least one portion of the source of the
vulnerable software 2 vs, containing at least one chosen algorithmic processing.
- The source of the
vulnerable software 2 vs is then modified, so as to obtain the source of the protectedsoftware 2 ps. This modification is such that, among others: -
- during the execution of the protected software 2 p, at least one portion of the 25
first execution part 2 pes, which is executed in thedata processing system 3, takes into account that the functionality of at least one chosen algorithmic processing is executed in theunit 6, - during the execution of the protected software 2 p, the
second execution part 2 peu, which is executed in theunit 6, executes at least the functionality of at least one chosen algorithmic processing, - each chosen algorithmic processing is split so that during the execution of the protected software 2 p, each chosen algorithmic processing is executed, by means of the
second execution part 2 peu, using dependent functions. Preferably, each chosen algorithmic processing is split into dependent functions fdn (with n varying from 1 to N), namely:- possibly one or several dependent functions enabling the placing of one or several operands at the
unit 6's disposal, - dependent functions, some of which use the operand(s) and execute in combination the functionality of the chosen algorithmic processing, using said operand(s),
- and possibly, one or several dependent functions enabling the placing by the
unit 6, at thedata processing system 3's disposal of the result of the chosen algorithmic processing,
- possibly one or several dependent functions enabling the placing of one or several operands at the
- during the execution of the protected software 2 p, the
second execution part 2 peu executes the dependent functions fdn, - during the execution of the protected software 2 p, the dependent functions are triggered by triggering commands with renamed orders,
- and a sequence of the triggering commands is chosen among the set of sequences allowing the execution of the protected software 2 p.
- during the execution of the protected software 2 p, at least one portion of the 25
- The
first execution part 2 pes of the protected software 2 p, executed in thedata processing system 3, executes triggering commands with renamed orders transferring renamed orders to theunit 6, and triggering in theunit 6 the restoring by means of the restoring means 20, of the orders, and then the execution by means of thesecond execution part 2 peu, of each of the previously defined dependent functions fdn. - In other words, the principle of protection by renaming is carried out by renaming the orders of the triggering commands, so as to obtain triggering commands with renamed orders whose execution in the
data processing system 3, triggers in theunit 6, the execution of the dependent functions which would have been triggered by the triggering commands with not-renamed orders, without however the examination of the protected software 2 p enabling to determine the identity of the executed dependent functions. -
FIG. 80 illustrates an example of execution of avulnerable software 2 v. In this example, appears during the execution of the vulnerable software 2 v in thedata processing system 3, at a certain time instant, the calculation of Z←F(X, Y) corresponding to the assignment to a variable Z of the result of an algorithmic processing represented by a function F and using the operands X and Y. -
FIGS. 81 and 82 illustrate an example of implementation of the invention. -
FIG. 81 illustrates the partial implementation of the invention. In this example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p and in the presence of theunit 6, appear: -
- at time instants t1, t2, the execution of the triggering commands CD1, CD2 triggering in the
unit 6, the execution by means of thesecond execution part 2 peu, of the corresponding dependent functions fd1, fd2 which provide the transfer of data X, Y from thedata processing system 3 to the memorization zones respectively x, y located in the memorization means 15 of theunit 6, said triggering commands CD1, CD2 being represented respectively by OUT(x, X), OUT(y, Y), - at time instants t3 to tN-1, the execution of the triggering commands CD3 to CDN-1, triggering in the
unit 6, the execution by means of thesecond execution part 2 peu, of the corresponding dependent functions fd3 to fdN-1, said triggering commands CD3 to CDN-1 being represented respectively, by TRIG(fd3) to TRIG(fdN-1). The series of dependent functions fd3 to fdN-1 executed in combination is algorithmically equivalent to the function F. More precisely, the execution of said triggering commands leads to the execution in theunit 6, of the dependent functions fd3 to fdN-1 which use the contents of the memorization zones x, y and return the result in a memorization zone z of theunit 6, - and at time instant tN, the execution of a triggering command CDN triggering in the
unit 6, the execution by means of thesecond execution part 2 peu, of the dependent function fdN providing the transfer of the result of the algorithmic processing contained in the memorization zone z of theunit 6 to thedata processing system 3, so as to assign it to the variable Z, said command being represented by IN(z).
- at time instants t1, t2, the execution of the triggering commands CD1, CD2 triggering in the
- In this example, to completely implement the invention, are chosen as orders, the first argument of the triggering commands OUT and the argument of the triggering commands TRIG and IN. The orders chosen in this way are renamed using the method of renaming of the orders. In this manner, the orders of the triggering commands CD1 to CDN i.e. x, y, fd3, fdN-1, z are renamed so as to obtain respectively R(x), R(y), R(fd3), . . . , R(fdN-1), R(z).
-
FIG. 82 illustrates the complete implementation of the invention. In this example, during the execution in thedata processing system 3, of thefirst execution part 2 pes of the protected software 2 p, and in the presence of theunit 6, appear: - at time instants t1, t2, the execution of the triggering commands with renamed orders CDCR1, CDCR2, transferring to the
unit 6, the renamed orders R(x), R(y) as well as the data X, Y triggering in theunit 6 the restoring by means of the restoring means 20, of the renamed orders to restore the orders i.e. the identity of the memorization zones x, y, and then the execution by means of thesecond execution part 2 peu, of the corresponding dependent functions fdl, fd2 which provide the transfer of the data X, Y from thedata processing system 3 to the memorization zones respectively x, y located in the memorization means 15 of theunit 6, said triggering commands with renamed orders CDCR1, CDCR2 being represented respectively by OUT (R(x), X), OUT (R(y), Y), -
- at time instants t3 to tN-1, the execution of the triggering commands with renamed orders CDCR3 to CDCRN-1, transferring to the
unit 6, the renamed orders R(fd3) to R(fdN-1), triggering in theunit 6 the restoring by means of the restoring means 20, of the orders, i.e. fd3 to fdN-1, and then the execution by means of thesecond execution part 2 peu, of the dependent functions fd3 to fdN-1, said triggering commands with renamed orders CDCR3 to CDCRN-1 being represented respectively by TRIG (R(fd3)) to TRIG (R(fdN-1)), - and at time instant tN, the execution of the triggering command with renamed order CDCRN transferring to the
unit 6, the renamed order R(z) triggering in theunit 6 the restoring by means of restoring means 20, of the order i.e. the identity of the memorization zone z, and then the execution by means of thesecond execution part 2 peu, of the dependent function fdN providing the transfer of the result of the algorithmic processing contained in the memorization zone z of theunit 6 to thedata processing system 3, so as to assign it to the variable Z, said triggering command with renamed order CDCRN being represented by IN (R(z)).
- at time instants t3 to tN-1, the execution of the triggering commands with renamed orders CDCR3 to CDCRN-1, transferring to the
- In the illustrated example, the triggering commands with renamed
orders 1 to N are executed successively. It should be observed that two improvements can be effected: -
- The first improvement concerns the case where several algorithmic processings are remoted to the
unit 6 and at least the result of one algorithmic processing is used by another algorithmic processing. In this case, some triggering commands with renamed orders used for the transfer, can possibly be removed. - The second improvement aims at opting for a pertinent sequence of the triggering commands with renamed orders among the set of sequences allowing the execution of the protected software 2 p. In this respect, it is preferable to choose a sequence of the triggering commands with renamed orders which dissociate temporally the execution of the dependent functions, by intercalating, between them portions of code executed in the
data processing system 3 and including or not triggering commands with renamed orders used of the determination of other data.FIGS. 83 and 84 illustrate the principle of such an embodiment.
- The first improvement concerns the case where several algorithmic processings are remoted to the
-
FIG. 83 shows an example of execution of avulnerable software 2 v. In this example, appears, during the execution of the vulnerable software 2 v, in thedata processing system 3, the execution of two algorithmic processings leading to the determination of Z and Z′, such as Z←F (X, Y) and Z′ ← F′ (X′, Y′). -
FIG. 84 illustrates an example of implementation of the process according to the invention for which the two algorithmic proccesings chosen inFIG. 83 are remoted to theunit 6. According to such an example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p and in the presence of theunit 6, appear, as explained above, the execution of the triggering commands with renamed orders CDCR, to CDCRN corresponding to the determination of Z and the execution of the triggering commands with renamed orders CDCR′1 to CDCR′M corresponding to the determination of Z′. As illustrated, the triggering commands with renamed orders CDCR1 to CDCRN are not executed consecutively, inasmuch as the triggering commands with renamed orders CDCR′1 to CDCR′M as well as other portions of code are intercalated. In the example, the following sequence is thus carried out: CDCR1, portion of intercalated code, CDCR′1, CDCR2, portion of intercalated code, CDCR′2, CDCR′3, portion of intercalated code, CDCR′4, CDCR3, CDCR4, . . . , CDCRN, CDCR′M. - It should be observed that, during the execution of a portion of the
first execution part 2 pes of the protected software 2 p, the triggering commands with renamed orders executed in thedata processing system 3, trigger in theunit 6 the restoring of the identity of the corresponding dependent functions and then their execution. Thus, it appears that in the presence of theunit 6, said portion is executed correctly and that, consequently, the protected software 2 p is completely functional. -
FIG. 85 illustrates an example of an attempt of execution of the protected software 2 p, when theunit 6 is missing. In this example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p, at every time instant, the execution of a triggering command with renamed order can trigger neither the restoring of the order nor the execution of the corresponding dependent function, because of the absence of theunit 6. The value to assign to the variable Z cannot therefore be determined correctly. - It therefore appears, that in the absence of the
unit 6, at least one request by a portion of thefirst execution part 2 pes of the protected software 2 p, to trigger the restoring of an order and the execution of a dependent function in theunit 6 cannot be fulfilled correctly, so that at least said portion is not executed correctly and that, consequently, the protected software 2 p is not completely functional. - Thanks to this principle of protection by renaming, the examination in the protected software 2 p of the triggering commands with renamed orders does not enable to determine the identity of the dependent functions which have to be executed in the
unit 6. It should be observed that the renaming of the orders is carried out during the modification of the vulnerable 2 v to a protected software 2 p. - According to a variant of the principle of protection by renaming, is defined for at least one dependent function, a family of dependent functions algorithmically equivalent but triggered by different triggering commands with renamed orders. According to this variant, for at least one algorithmic processing using dependent functions, said algorithmic processing is split into dependent functions which for at least one of them is replaced with a dependent function of the same family instead of keeping several occurrences of the same dependent function. To this end, triggering commands with renamed orders are modified to take into account the replacement of dependent functions with dependent functions of the same family. In other words, two dependent functions of the same family have different orders and consequently different triggering commands with renamed orders and, it is not possible, by examining the protected software 2 p, to discover that the dependent functions called are algorithmically equivalent.
- According to a first preferred embodiment of the variant of the principle of protection by renaming, is defined for at least one dependent function, a family of algorithmically equivalent dependent functions, by concatenating a noise field to the information defining the functional part of the dependent function to execute in the
unit 6. - According to a second preferred embodiment of the variant of the principle of protection by renaming, is defined for at least one dependent function, a family of algorithmically equivalent dependent functions by using identification fields.
- According to a preferred variant embodiment of the principle of protection by renaming, is defined as method of renaming of the orders a ciphering method enabling to cipher the orders to transform them into renamed orders. Remember that the renaming of the orders is carried out during the phase of protection P. For this preferred variant, the restoring means 20 are means implementing a deciphering method enabling to decipher the renamed orders and thus to restore the identity of the dependent functions to execute in the
unit 6. Said restoring means are implemented in theunit 6 and can be of software or hardware nature. Said restoring means 20 are appealed to during the usage phase U each time a triggering command with renamed order is executed in thedata processing system 3 with the intention of triggering in theunit 6, the execution of a dependent function. - According to another advantageous characteristic of the invention, the protection process aims at implementing a principle of protection called by <<conditional branch>> a description of which is carried out in relation to FIGS. 90 to 92.
- For the implementation of the principle of protection by conditional branch, is chosen in the source of the
vulnerable software 2 vs, at least one conditional branch BC. Is also chosen at least one portion of the source of thevulnerable software 2 vs containing at least one chosen conditional branch BC. - At least one chosen portion of the source of the
vulnerable software 2 vs is then modified, so as to obtain the source of the protectedsoftware 2 ps. This modification is such that, during the execution of the protected software 2 p, among others: -
- at least one portion of the
first execution part 2 pes, which is executed in thedata processing system 3, takes into account that the functionality of at least one chosen conditional branch BC is executed in theunit 6, - and the
second execution part 2 peu, which is executed in theunit 6, executes at least the functionality of at least one chosen conditional branch BC and puts at thedata processing system 3's disposal, a piece of information enabling thefirst execution part 2 pes, to carry on its execution at the chosen spot.
- at least one portion of the
- The
first execution part 2 pes of the protected software 2 p, executed in thedata processing system 3, executes conditional branches commands, triggering in theunit 6, the execution by means of thesecond execution part 2 peu, of remoted conditional branches be whose functionality is equivalent to the functionality of the chosen conditional branches BC. -
FIG. 90 illustrates an example of execution of avulnerable software 2 v. In this example, appears, during the execution of the vulnerable software 2 v in thedata processing system 3 at a certain time instant, a conditional branch BC indicating to the vulnerable software 2 v the spot where to carry on its execution, i.e. one of the three possible spots B1, B2 or B3. It must be understood that the conditional branch BC takes the decision to carry on the execution of the software at spot B1, B2 or B3. -
FIG. 91 illustrates an example of implementation of the invention for which the conditional branch chosen to be remoted to theunit 6, corresponds to the conditional branch BC. In this example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p and in the presence of theunit 6, appear: -
- at time instant t1, the execution of the conditional branch command CBC1 triggering in the
unit 6, the execution by means of thesecond execution part 2 peu, of the remoted conditional branch be algorithmically equivalent to the conditional branch BC, said conditional branch command CBC, being represented by TRIG(bc), - and at time instant t2, the transfer from the
unit 6 to thedata processing system 3, of the information enabling thefirst execution part 2 pes, to carry on its execution at the chosen spot, i.e. the spot B1, B2 or B3.
- at time instant t1, the execution of the conditional branch command CBC1 triggering in the
- It should be observed that during the execution of a portion of the
first execution part 2 pes of the protected software 2 p, the conditional branches commands executed in thedata processing system 3 trigger the execution of the corresponding remoted conditional branches in theunit 6. Thus, it appears, that in the presence of theunit 6, said portion is executed correctly and that, consequently, the protected software 2 p is completely functional. -
FIG. 92 illustrates an example of an attempt of execution of the protected software 2 p, when theunit 6 is missing. In this example, during the execution in thedata processing system 3 of thefirst execution part 2 pes of the protected software 2 p: -
- at time instant t1, the execution of the conditional branch command CBC1, cannot trigger the execution of the remoted conditional branch bc, taking into account the absence of the
unit 6, - and at time instant t2, the transfer of the piece of information enabling the
first execution part 2 pes to carry on at the chosen spot fails taking into account the absence of theunit 6.
- at time instant t1, the execution of the conditional branch command CBC1, cannot trigger the execution of the remoted conditional branch bc, taking into account the absence of the
- It therefore appears that in the absence of the
unit 6, at least one request by a portion of thefirst execution part 2 pes to trigger the execution of a remoted conditional branch in theunit 6, cannot be fulfilled correctly, so that at least said portion is not executed correctly and that, consequently, the protected software 2 p is not completely functional. - In the previous description in relation to FIGS. 90 to 92, the subject of the invention aims at remoting in the
unit 6, a conditional branch. Naturally, a preferred embodiment of the invention can be carried out by remoting in theunit 6, a series of conditional branches whose overall functionality is equivalent to all the functionalities of the conditional branches which have been remoted. The execution of the overall functionality of said series of remoted conditional branches leads to the placing at thedata processing system 3's disposal of a piece of information enabling thefirst execution part 2 pes of the protected software 2 p to carry on its execution at the chosen spot. - In the previous description in relation to FIGS. 40 to 92, six different principles of software protection have been made explicit generally speaking independently of one another. The protection process in accordance with the invention, is implemented by using the principle of protection by temporal dissociation, possibly combined with one or several other principles of protection. In the case where the principle of protection by temporal dissociation is complemented by the implementation of at least another principle of protection, the principle of protection by temporal dissociation is advantageously complemented by the principle of protection by variable and/or the principle of protection by elementary functions and/or the principle of protection by conditional branch.
- And when the principle of protection by variable is also implemented, it can be complemented in its turn by the principle of protection by elementary functions and/or the principle of protection by conditional branch.
- And when the principle of protection by elementary functions is also implemented, it can be complemented in its turn by the principle of protection by detection and coercion and/or the principle of protection by renaming and/or the principle of protection by conditional branch.
- And when the principle of protection by detection and coercion is also implemented, it can be complemented in its turn by the principle of protection by renaming and/or the principle of protection by conditional branch.
- And when the principle of protection by renaming is also implemented, it can be complemented in its turn by the principle of protection by conditional branch.
- According to the preferred variant embodiment, the principle of protection by temporal dissociation is complemented by the principle of protection by variable, complemented by the principle of protection by elementary functions, complemented by the principle of protection by detection and coercion, complemented by the principle of protection by renaming, complemented by the principle of protection by conditional branch.
- In the case where a principle of protection is applied, in complement to the principle of protection by temporal dissociation, its previously carried out description must include, to take into account its combined implementation, the following modifications:
-
- the notion of vulnerable software must be understood as software vulnerable towards the principle of protection being described. Thus, in the case where a principle of protection has already been applied to the vulnerable software, the expression “vulnerable software” must be interpreted by the reader as the expression “software protected by the principle(s) of protection already applied”;
- the notion of protected software must be understood as software protected towards the principle of protection being described. Thus, in the case where a principle of protection has already been applied, the expression “protected software” must be interpreted by the reader as the expression “new version of the protected software”;
- and the choice(s) made for the implementation of the principle of protection being described must take into account the choice(s) made for the implementation of the principle(s) of protection already applied.
- The rest of the description enables to have a better understanding of the implementation of the protection process in accordance with the invention. This protection process according to the invention is composed, as shown more precisely in
FIG. 100 : -
- first, of a protection phase P during which a vulnerable software 2 v is modified to become a protected software 2 p,
- then, of a usage phase U during which the protected software 2 p is used.
- During this usage phase U:
-
-
- in the presence of the
unit 6 and each time a portion of thefirst execution part 2 pes executed in thedata processing system 3 imposes it, an imposed functionality is executed in theunit 6, so that said portion is executed correctly and that, consequently, the protected software 2 p is completely functional, - in the absence of the
unit 6 and in spite of the request by a portion of thefirst execution part 2 pes to execute a functionality in theunit 6, said request cannot be fulfilled correctly, so that at least said portion is not executed correctly and that consequently, the protected software 2 p is not completely functional,
- in the presence of the
- and possibly of a phase of refilling R during which is credited at least one additional usage of a functionality protected by the implementation of the second preferred variant embodiment of the principle of protection by detection and coercion using as characteristic, a variable of measurement.
-
- The protection phase P can be split into two protection sub-phases P1 and P2. The first one, called prior protection sub-phase P1, takes place independently of the vulnerable software 2 v to protect. The second one, called subsequent protection sub-phase P2 is dependent of the vulnerable software 2 v to protect. It should be observed that the prior protection sub-phase P1 and the subsequent protection sub-phase P2 can be carried out advantageously by two different persons or two different teams. For instance, the prior protection sub-phase P1 can be carried out by a person or a company providing the development of software protection systems, while the subsequent protection sub-phase P2 can be carried out by a person or a company providing the development of software requiring to be protected. Naturally, it is clear that the prior protection sub-phase P1 and the subsequent protection sub-phase P2 can also be carried out by the same person or team.
- The prior protection sub-phase P1 is composed of several stages S11, . . . , S11 for each of which various tasks or jobs are to be carried out.
- The first stage of this prior protection sub-phase P1 is called “definitions stage S11″. During this definitions stage S11:
-
- are chosen:
- the type of the
unit 6. As an illustrative example, can be chosen asunit 6, achip card reader 8 and thechip card 7 associated to the reader, - and the transfer means 12, 13 designed to be implemented respectively in the
data processing system 3 and in theunit 6, during the usage phase U and capable of providing the transfer of data between thedata processing system 3 and theunit 6,
- the type of the
- and in the case where the protection process according to the invention implements the principle of protection by elementary function, are also defined:
- a set of elementary functions whose elementary functions are liable to be executed in the
unit 6, - and a set of elementary commands for said set of elementary functions, said elementary commands being liable to be executed in the
data processing system 3 and to trigger the execution in theunit 6, of the elementary functions,
- a set of elementary functions whose elementary functions are liable to be executed in the
- and in the case where the protection process according to the invention implements the principle of protection by detection and coercion, are also defined:
- at least one software execution characteristic, liable to be monitored at least in part in the
unit 6, - at least one criterion to abide by for at least one software execution characteristic,
- detection means 17 to implement in the
unit 6 and enabling to detect that at least one software execution characteristic does not abide by at least one associated criterion, - and coercion means 18 to implement in the
unit 6 and enabling to inform thedata processing system 3 and/or modify the execution of a software, when at least one criterion is not abided by,
- at least one software execution characteristic, liable to be monitored at least in part in the
- and in the case where the protection process according to the invention implements the principle of protection by detection and coercion using as characteristic a variable of measurement of the software execution, are also defined:
- as software execution characteristic liable to be monitored, a variable of measurement of the usage of a functionality of a software,
- as criterion to abide by, at least one threshold associated to each variable of measurement,
- and actualization means enabling to update at least one variable of measurement,
- and in the case where the protection process according to the invention also implements a first preferred variant embodiment of the principle of protection by detection and coercion using as characteristic a variable of measurement of the software execution, are also defined:
- for at least one variable of measurement, several associated thresholds,
- and different coercion means corresponding to each of said thresholds,
- and in the case where the protection process according to the invention implements a second preferred variant embodiment of the principle of protection by detection and coercion using as characteristic a variable of measurement of the software execution, are also defined refilling means enabling to add at least one additional usage to at least one software functionality monitored by a variable of measurement,
- and in the case where the protection process according to the invention implements the principle of protection by detection and coercion using as characteristic a profile of software usage, are also defined:
- as software execution characteristic liable to be monitored, a profile of software usage,
- and as criterion to abide by, at least one feature of software execution,
- and in the case where the protection process according to the invention implements the principle of protection by detection and coercion using as feature of execution to abide by, the monitoring of the execution chaining, are also defined:
- an instructions set whose instructions are liable to be executed in the
unit 6, - a set of instructions commands for said instructions set, said instructions commands being liable to be executed in the
data processing system 3 and to trigger in theunit 6 the execution of the instructions, - as profile of usage, the chaining of the instructions,
- as feature of execution, an expected chaining for the execution of the instructions,
- as detection means 17, means enabling to detect that the chaining of the instructions does not correspond to the expected one,
- and as coercion means 18, means enabling to inform the
data processing system 3 and/or to modify the functioning of the portion of protected software 2 p when the chaining of the instructions does not correspond to the expected one,
- an instructions set whose instructions are liable to be executed in the
- and in the case where the protection process according to the invention implements a preferred variant embodiment of the principle of protection by detection and coercion using as feature of execution to abide by, the monitoring of the execution chaining, are also defined:
- as instructions set, an instructions set whose at least some instructions work with registers and use at least one operand with the intention of returning a result,
- for at least some of the instructions working with registers:
- a part PF defining the functionality of the instruction,
- and a part defining the expected chaining for the execution of the instructions and including bits fields corresponding to:
- an identification field of the instruction CII,
- and for each operand of the instruction:
- a flag field CDk,
- and an expected identification field CIPk of the operand,
- for each register belonging to the exploitation means and used by the instructions set, a generated identification field CIGv in which is automatically memorized the identification of the last instruction which has returned its result in said register,
- as detection means 17, means enabling, during the execution of an instruction, for each operand, when the flag field CDk imposes it, to check the equality of the generated identification field CIGv corresponding to the register used by said operand, and the expected identification field CIPk of the origin of said operand,
- and as coercion means 18, means enabling to modify the result of the instructions, if at least one of the checked equalities is false.
- and in the case where the protection process according to the invention implements the principle of protection by renaming, are also defined:
- as a triggering command, an elementary command or an instruction command,
- as a dependent function, an elementary function or an instruction,
- as an order, at least one argument for a triggering command, corresponding at least in part to the information transmitted by the
data processing system 3 to theunit 6, so as to trigger the execution of the corresponding dependent function, - a method of renaming of the orders enabling to rename the orders so as to obtain triggering commands with renamed orders,
- and restoring means 20 designed to be used in the
unit 6 during the usage phase U, and enabling to restore the dependent function to execute, from the renamed order,
- and in the case where the protection process according to the invention implements a variant of the principle of protection by renaming, is also defined for at least one dependent function, a family of dependent functions algorithmically equivalent, but triggered by triggering commands whose renamed orders are different,
- and in the case where the protection process according to the invention implements one of the preferred embodiments of the variant of the principle of protection by renaming, are also defined for at least one dependent function, a family of algorithmically equivalent dependent functions:
- by concatenating a field of noise to the information defining the functional part of the dependent function to execute in the
unit 6, - or by using the identification field of the instruction CII and the expected identification fields CIPk of the operands.
- by concatenating a field of noise to the information defining the functional part of the dependent function to execute in the
- and in the case where the protection process according to the invention implements a preferred variant of the principle of protection by renaming, are also defined:
- as method of renaming of the orders, a ciphering method to cipher the orders,
- and as restoring means 20, means implementing a deciphering method to decipher the renamed orders and thus restore the identity of the dependent functions to execute in the
unit 6.
- are chosen:
- During the prior protection sub-phase Pl1the definitions stage S11 is followed by a stage called “construction stage S12”. During such a stage S12, are constructed the transfer means 12, 13 and the exploitation means corresponding to the definitions of the definitions stage S11.
- During this construction stage S12, are therefore carried out:
-
- the construction of the transfer means 12, 13 enabling, during the usage phase U, the transfer of data between the
data processing system 3 and theunit 6, - and when the principle of protection by elementary functions is also implemented, the construction of the exploitation means also enabling the
unit 6, during the usage phase U to execute the elementary functions of the set of elementary functions, - and when the principle of protection by detection and coercion is also implemented, the construction:
- of the exploitation means enabling the
unit 6, during the usage phase U to also implement the detection means 17 and the coercion means 18, - and possibly of the exploitation means enabling the
unit 6, during the usage phase U to also implement the actualization means, - and possibly of the exploitation means enabling the
unit 6, during the usage phase U to also implement the refilling means, - and possibly of the exploitation means also enabling the
unit 6, during the usage phase U to execute the instructions of the instructions set,
- of the exploitation means enabling the
- and when the principle of protection by renaming is also implemented, the construction of the exploitation means enabling the
unit 6, during the usage phase U to also implement the restoring means.
- the construction of the transfer means 12, 13 enabling, during the usage phase U, the transfer of data between the
- The construction of the exploitation means is carried out classically, through a program development unit and taking into account the definitions intervened in the definitions stages SI,. Such a unit is described in the rest of the description in
FIG. 110 . - During the prior protection sub-phase P1, the construction stage S12 can be followed by a stage called “pre-customization stage S13″. During this pre-customization stage S13, at least a part of the transfer means 13 and/or the exploitation means are uploaded to at least one
blank unit 60, with the intention of obtaining at least onepre-customized unit 66. It should be observed that part of the exploitation means, once transferred to apre-customized unit 66, is no longer directly accessible outside saidpre-customized unit 66. The transfer of the exploitation means to ablank unit 60 can be carried out through an adapted pre-customization unit, which is described in the rest of the description inFIG. 120 . In the case of apre-customized unit 66, constituted by achip card 7 and itsreader 8, the pre-customization concerns only thechip card 7. - During the prior protection sub-phase P1, after the definitions stage S11 and, possibly after the construction stage S12, a stage called “tools making stage S14” can take place. During this tools making stage S14 are made tools enabling to help generate protected software or automate the protection of software. Such tools enable:
-
- to help choose or to choose automatically in the vulnerable software 2 v to protect:
- the algorithmic processing(s) liable to be split into steps remotable in the
unit 6, - the portion(s) liable to be modified,
- and when the principle of protection by variable is also implemented, the variable(s) liable to be remoted in the
unit 6, - and when the principle of protection by elementary functions is also implemented, the algorithmic processing(s) liable to be split into elementary functions remotable in the
unit 6, - and when the principle of protection by detection and coercion is also implemented, the software execution characteristic(s) to monitor and, possibly, the algorithmic processing(s) liable to be split into instructions remotable in the
unit 6, - and when the principle of protection by renaming is also implemented, the algorithmic processing(s) liable to be split into dependent functions remotable in the
unit 6 and for which the orders of the triggering commands can be renamed, - and when the principle of protection by conditional branch is also implemented, the conditional branch(es) whose functionality is liable to be remoted in the
unit 6,
- the algorithmic processing(s) liable to be split into steps remotable in the
- and, possibly, to help generate protected software or to automate the protection of software.
- to help choose or to choose automatically in the vulnerable software 2 v to protect:
- These different tools can be carried out independently or in combination and each tool can have various forms, such as for instance pre-processor, assembler, compiler, etc.
- The prior protection sub-phase P1 is followed by a subsequent protection sub-phase P2 which depends on the vulnerable software 2 v to protect. This subsequent protection sub-phase P2 is composed of several stages as well. The first stage corresponding to the implementation of the principle of protection by temporal dissociation is called “creation stage S21″. During this creation stage S21, the choices made during the definition stage S11 are used. With the aid of said choices and possibly of tools constructed during the tools making stage S14, the protected software 2 p is created:
-
- by choosing, at least one algorithmic processing which, during the execution of the vulnerable software 2 v, uses at least one operand and enables to obtain at least one result,
- by choosing at least one portion of the source of the
vulnerable software 2 vs containing, at least one chosen algorithmic processing, - by producing a source of the protected
software 2 ps from the source of thevulnerable software 2 vs, by modifying at least one chosen portion of the source of thevulnerable software 2 vs to obtain at least one modified portion of the source of the protectedsoftware 2 ps, this modification being such that:- during the execution of the protected software 2 p a
first execution part 2 pes is executed in thedata processing system 3 and asecond execution part 2 peu is executed in aunit 6, obtained from theblank unit 60 after upload of information, - the
second execution part 2 peu executes at least the functionality of at least one chosen algorithmic processing, - at least one chosen algorithmic processing is split so that during the execution of the protected software 2 p appear by means of the
second execution part 2 peu, several distinct steps, namely:- the placing of at least one operand at the
unit 6's disposal, - the carrying out by the
unit 6, of the algorithmic processing's functionality on at least said operand, - and possibly, the placing at the
data processing system 3's disposal of at least one result by theunit 6,
- the placing of at least one operand at the
- for at least one chosen algorithmic processing, steps commands are defined so that during the execution of the protected software 2 p, each step command is executed by the
first execution part 2 pes and triggers, in theunit 6, the execution by means of thesecond execution part 2 peu, of a step, - and a sequence of the steps commands is chosen among the set of sequences allowing the execution of the protected software 2 p,
- during the execution of the protected software 2 p a
- and by producing:
- a
first object part 2 pos of the protected software 2 p, from the source of the protectedsoftware 2 ps, saidfirst object part 2 pos being such that during the execution of the protected software 2 p, appears afirst execution part 2 pes which is executed in thedata processing system 3 and whose at least a portion takes into account that the steps commands are executed according to the chosen sequence, - and a
second object part 2 pou of the protected software 2 p, saidsecond object part 2 pou being such that, after being uploaded to theblank unit 60 and during the execution of the protected software 2 p, appears thesecond execution part 2 peu by means of which the steps triggered by thefirst execution 2 pes are executed.
- a
- Naturally, the principle of protection by temporal dissociation according to the invention can be applied directly during the development of a new software without requiring the prior realization of a
vulnerable software 2 v. In this way, a protected software 2 p is obtained directly. - During the subsequent protection sub-phase P2, and when at least another principle of protection is applied in addition to the principle of protection by temporal dissociation, a “modification stage S22” takes place. During this modification stage S22, are used the definitions intervened in the definitions stage S11. Using said definitions and possibly tools constructed during the tools making stage S14, the protected software 2 p is modified to allow the implementation of the principles of protection according to one of the arrangements herebefore defined.
- When the principle of protection by variable is implemented, the protected software 2 p is modified:
-
- a by choosing at least one variable used in at least one chosen algorithmic processing, which during the execution of the protected software 2 p, partially defines the state of the protected software 2 p,
- by modifying at least one chosen portion of the source of the protected
software 2 ps, this modification being such that during the execution of the protected software 2 p, at least one chosen variable or at least one copy of chosen variable resides in theunit 6, - and by producing:
- the
first object part 2 pos of the protected software 2 p, saidfirst object part 2 pos being such that during the execution of the protected software 2 p, at least one portion of thefirst execution part 2 pes takes also into account that at least one variable or at least one copy of variable resides in theunit 6, - and the
second object part 2 pou of the protected software 2 p, saidsecond object part 2 pou being such that, after upload to theunit 6 and during the execution of the protected software 2 p, appears thesecond execution part 2 peu by means of which at least one chosen variable, or at least one copy of chosen variable resides too in theunit 6.
- the
- When the principle of protection by elementary functions is implemented, the protected software 2 p is modified:
-
- by modifying at least one chosen portion of the source of the protected
software 2 ps, this modification being such that:- at least one step is split so that during the execution of the protected software 2 p, said step is executed by means of the
second execution part 2 peu, using elementary functions, - for at least one split step, elementary commands are integrated to the source of the protected
software 2 ps, so that during the execution of the protected software 2 p, each elementary command is executed by thefirst execution part 2 pes and triggers in theunit 6, the execution by means of thesecond execution part 2 peu, of an elementary function, - and a sequence of the elementary commands is chosen among the set of sequences allowing the execution of the protected software 2 p,
- at least one step is split so that during the execution of the protected software 2 p, said step is executed by means of the
- and by producing:
- the
first object part 2 pos of the protected software 2 p, saidfirst object part 2 pos being such that during the execution of the protected software 2 p, at least one portion of thefirst execution part 2 pes also executes the elementary commands according to the chosen sequence, - and the
second object part 2 pou of the protected software 2 p also containing the exploitation means, saidsecond object part 2 pou being such that, after upload to theunit 6 and during the execution of the protected software 2 p, appears thesecond execution part 2 peu by means of which are also executed the elementary functions triggered by thefirst execution part 2 pes.
- the
- by modifying at least one chosen portion of the source of the protected
- When the principle of protection by detection and coercion is implemented, the protected software 2 p is modified:
-
- by choosing at least one software execution characteristic to monitor, among the software execution characteristics liable to be monitored,
- by choosing at least one criterion to abide by for at least one chosen software execution characteristic,
- by choosing in the source of the protected
software 2 ps, elementary functions for which at least one chosen software execution characteristic is to be monitored, - by modifying at least one chosen portion of the source of the protected
software 2 ps, this modification being such that during the execution of the protected software 2 p, at least one chosen execution characteristic is monitored by means of thesecond execution part 2 peu, and the fact that a criterion is not abided by leads to thedata processing system 3 being informed and/or to a modification of the execution of the protected software 2 p, - and by producing the
second object part 2 pou of the protected software 2 p containing the exploitation means also implementing the detection means 17 and the coercion means 18, saidsecond object part 2 pou being such that, after upload to theunit 6 and during the execution of the protected software 2 p, at least one software execution characteristic is monitored and the fact that a criterion is not abided by leads to thedata processing system 3 being informed and/or to a modification of the execution of the protected software 2 p.
- For the implementation of the principle of protection by detection and coercion using as characteristic a variable of measurement of the software execution, the protected software 2 p is modified:
-
- by choosing as software execution characteristic to monitor, at least one variable of measurement of the usage of at least one functionality of a software,
- by choosing:
- at least one functionality of the protected software 2 p whose usage is liable to be monitored using a variable of measurement,
- at least one variable of measurement used to quantify the usage of said functionality,
- at least one threshold associated to a chosen variable of measurement corresponding to a limit of usage of said functionality,
- and at least one method of update of a chosen variable of measurement depending on the usage of said functionality,
- and by modifying at least one chosen portion of the source of the protected
software 2 ps, this modification being such that, during the execution of the protected software 2 p, the variable of measurement is actualized by means of thesecond execution part 2 peu depending on the usage of said functionality, and at least one threshold crossing is taken into account.
- For the implementation of a first preferred variant embodiment of the principle of protection by detection and coercion using, as characteristic, a variable of measurement, the protected software 2 p is modified:
-
- by choosing in the source of the protected
software 2 ps, at least one chosen variable of measurement to which must be associated several thresholds corresponding to different limits of usage of the functionality, - by choosing at least two thresholds associated to the chosen variable of measurement,
- and by modifying at least one chosen portion of the source of the protected
software 2 ps, this modification being such that, during the execution of the protected software 2 p, the crossings of the various thresholds are taken into account differently, by means of thesecond execution part 2 peu.
- by choosing in the source of the protected
- For the implementation of a second preferred variant embodiment of the principle of protection by detection and coercion using as characteristic, a variable of measurement, the protected software 2 p is modified:
-
- by choosing in the source of the protected
software 2 ps, at least one chosen variable of measurement enabling to limit the usage of a functionality and which must be able to be credited with at least one additional usage, - and by modifying at least one chosen portion, this modification being such that during a phase called of refilling, at least one additional usage of at least one functionality corresponding to a chosen variable of measurement can be credited.
- by choosing in the source of the protected
- For the implementation of the principle of protection by detection and coercion using as characteristic, a profile of software usage, the protected software 2 p is modified:
-
- by choosing as software execution characteristic to monitor at least one profile of software usage,
- by choosing at least one feature of execution by which at least one chosen profile of usage must abide,
- and by modifying at least one chosen portion of the source of the protected
software 2 ps, this modification being such that, during the execution of the protected software 2 p, thesecond execution part 2 peu abides by all the chosen features of execution.
- For the implementation of the principle of protection by detection and coercion using as feature of execution to abide by, the monitoring of the execution chaining, the protected software 2 p is modified:
-
- by modifying at least one chosen portion of the source of the protected
software 2 ps:- by transforming the elementary functions into instructions,
- by specifying the chaining by which must abide at least some of the instructions during their execution in the
unit 6, - and by transforming the elementary commands into instructions commands corresponding to the instructions used.
- by modifying at least one chosen portion of the source of the protected
- When the principle of protection by renaming is implemented, the protected software 2 p is modified:
-
- by choosing in the source of the protected
software 2 ps, triggering commands, - by modifying at least one chosen portion of the source of the protected
software 2 ps by renaming the orders of the chosen triggering commands, so as to conceal the identity of the corresponding dependent functions, - and by producing:
- the
first object part 2 pos of the protected software 2 p, saidfirst object part 2 pos being such that during the execution of the protected software 2 p, the triggering commands with renamed orders are executed, - and the
second object part 2 pou of the protected software 2 p containing the exploitation means also implementing the restoring means 20, saidsecond object part 2 pou being such that, after upload to theunit 6 and during the execution of the protected software 2 p, the identity of the dependent functions whose execution is triggered by thefirst execution part 2 pes is restored by means of thesecond execution part 2 peu, and the dependent functions are executed by means of thesecond execution part 2 peu.
- the
- by choosing in the source of the protected
- For the implementation of a variant of the principle of protection by renaming, the protected software 2 p is modified:
-
- by choosing, in the source of the protected
software 2 ps at least one triggering command with renamed order, - and by modifying at least one chosen portion of the source of the protected
software 2 ps by replacing at least the renamed order of one chosen triggering command with renamed order, with another renamed order, triggering a dependent function of the same family.
- by choosing, in the source of the protected
- When the principle of protection by conditional branch is implemented, the protected software 2 p is modified:
-
- by choosing, in the source of the protected
software 2 ps, at least one conditional branch carried out in at least one chosen algorithmic processing, - by modifying at least one chosen portion of the source of the protected
software 2 ps, this modification being such that during the execution of the protected software 2 p, the functionality of at least one chosen conditional branch is executed, by means of thesecond execution part 2 peu, in theunit 6, - and by producing:
- the
first object part 2 pos of the protected software 2 p, saidfirst object part 2 pos being such that during the execution of the protected software 2 p, the functionality of at least one chosen conditional branch is executed in theunit 6, - and the
second object part 2 pou of the protected software 2 p, saidsecond object part 2 pou being such that, after upload to theunit 6 and during the execution of the protected software 2 p, appears thesecond execution part 2 peu by means of which the functionality of at least one chosen conditional branch is executed.
- the
- by choosing, in the source of the protected
- For the implementation of a preferred embodiment of the principle of protection by conditional branch, the protected software 2 p is modified:
-
- by choosing, in the source of the protected
software 2 ps, at least one series of chosen conditional branches, - by modifying at least one chosen portion of the source of the protected
software 2 ps, this modification being such that during the execution of the protected software 2 p, the overall functionality of at least one chosen series of conditional branches is executed, by means of thesecond execution part 2 peu, in theunit 6, - and by producing:
- the
first object part 2 pos of the protected software 2 p, saidfirst object part 2 pos being such that during the execution of the protected software 2 p, the functionality of at least one chosen series of conditional branches is executed in theunit 6, - and the
second object part 2 pou of the protected software 2 p, saidsecond object part 2 pou being such that, after upload to theunit 6 and during the execution of the protected software 2 p, appears thesecond execution part 2 peu by means of which the overall functionality of at least one chosen series of conditional branches is executed.
- the
- by choosing, in the source of the protected
- Naturally, the principles of protection according to the invention can be applied directly during the development of a new software without requiring the prior carrying out of intermediate protected pieces of software. In this way, the creation stage S21, and the modification stage S22 can be carried out concomitantly so as to obtain directly the protected software 2 p.
- During the subsequent protection sub-phase P2, after the creation stage S21 of the protected software 2 p, and possibly after the modification stage S22, a stage called “customization stage S23” takes place. During this customization stage S23, the
second object part 2 pou possibly containing the exploitation means is uploaded to at least oneblank unit 60, with the intention of obtaining at least oneunit 6, or a part of thesecond object part 2 pou possibly containing the exploitation means is uploaded to at least onepre-customized unit 66, with the intention of obtaining at least oneunit 6. The uploading of this customization information enables to make operational at least oneunit 6. It should be observed that part of said information, once transferred to aunit 6, is not directly accessible outside saidunit 6. The transfer of the customization information to ablank unit 60 or apre-customized unit 66 can be carried out through an adapted customization unit which is described in the rest of the description inFIG. 150 . In the case of aunit 6, constituted by achip card 7 and itsreader 8, the customization concerns only thechip card 7. - For the implementation of the protection phase P, various technical means are described more precisely in relation to
FIGS. 110, 120 , 130, 140 and 150. -
FIG. 110 illustrates an embodiment of asystem 25 enabling to implement the construction stage S12 which takes into account the definitions intervened during the definitions stage S11 and during which are constructed the transfer means 12, 13 and possibly, the exploitation means intended for theunit 6. Such asystem 25 includes a program development unit or workstation which has classically the form of a computer comprising a system unit, a screen, peripherals such as keyboard-mouse, and including, among others, the following programs: file editors, assemblers, pre-processors, compilers, interpreters, debuggers and link editors. -
FIG. 120 illustrates an embodiment of apre-customization unit 30 enabling to upload at least in part the transfer means 13 and/or the exploitations means to at least oneblank unit 60 with the intention of obtaining apre-customized unit 66. Saidpre-customization unit 30 includes reading and writing means 31 enabling to electrically pre-customize, ablank unit 60 so as to obtain apre-customized unit 66 to which the transfer means 13 and/or the exploitations means have been uploaded. Thepre-customization unit 30 can also include physical customization means 32 of theblank unit 60 which can for instance, have the form of a printer. In the case where theunit 6 is constituted by achip card 7 and itsreader 8, the pre-customization generally concerns only thechip card 7. -
FIG. 130 illustrates an embodiment of asystem 35 enabling to carry out the making of the tools enabling to help generate protected software or to automate software protection. Such asystem 35 includes a program development unit or workstation which has classically the form of a computer comprising a system unit, a screen, peripherals such as keyboard-mouse, and including, among others, the following programs: file editors, assemblers, pre-processors, compilers, interpreters, debuggers and link editors. -
FIG. 140 illustrates an embodiment of asystem 40 enabling to create directly a protected software 2 p or to modify a vulnerable software 2 v with the intention of obtaining a protected software 2 p. Such asystem 40 includes a program development unit or workstation which has classically the form of a computer comprising a system unit, a screen, peripherals such as keyboard-mouse, and including, among others, the following programs: file editors, assemblers, pre-processors, compilers, interpreters, debuggers and link editors, as well as tools enabling to help generate protected software or to automate software protection. -
FIG. 150 illustrates an embodiment of acustomization unit 45 enabling to upload thesecond object part 2 pou to at least oneblank unit 60 with the intention of obtaining at least oneunit 6 or to upload a part of thesecond object part 2 pou to at least onepre-customized unit 66 with the intention of obtaining at least oneunit 6. Saidcustomization unit 45 includes reading and writing means 46 enabling to electrically customize, at least oneblank unit 60 or at least onepre-customized unit 66, so as to obtain at least oneunit 6. At the close of this customization, aunit 6 includes the information necessary to the execution of the protected software 2 p. Thecustomization unit 45 can also include physical customization means 47 for at least oneunit 6 which can for instance, have the form of a printer. In the case where aunit 6 is constituted by achip card 7 and itsreader 8, the customization generally concerns only thechip card 7. - The protection process according to the invention can be implemented with the following improvements:
-
- It can be planned to use jointly several processing and memorizing units between which is divided out the
second object part 2 pou of the protected software 2 p so that their joint use enables to execute the protected software 2 p, the absence of at least one of said processing and memorizing units preventing the usage of the protected software 2 p. - In the same way, after the pre-customization stage S13 and during customization stage S23, the part of the
second object part 2 pou necessary to transform thepre-customized unit 66 into aunit 6 can be contained in a processing and memorizing unit used by thecustomization unit 45 so as to limit the access to said part of thesecond object part 2 pou. Naturally, said part of thesecond object part 2 pou can be divided out between several processing and memorizing units so that said part of thesecond object part 2 pou is accessible only during the joint use of said processing and memorizing units.
- It can be planned to use jointly several processing and memorizing units between which is divided out the
Claims (17)
1. A method to protect software comprising:
storing a first portion of the software on a first unit, the first unit comprising a memory and a processor;
storing a second portion of the software on a second unit, the second unit comprising a secure processor and a secure memory, where the second portion of the software is secret and the first and second portions of the software forming a single program; and
executing the single formed program by utilizing the first and second portions of the software,
wherein the secret second portion of the software comprises at least two computing operations, and
wherein portions of the at least two computing operations are interleaved with each other for transmission from the second unit to the first unit and vise versa.
2. The method of claim 1 , wherein portions of the second portion of the software are executed by the secure processor and the first portion of the software is executed by the processor of the first unit.
3. The method of claim 1 , wherein:
the at least two computing operations stored in the second unit comprise a first computing operation and a second computing operation,
the first computing operation uses a first variable to obtain a first result variable,
the second computing operation uses a second variable to obtain a second result, during the execution of the program:
performing a first variable movement by moving the first variable from the first unit into the second unit,
performing a second variable movement by moving the second variable from the first unit into the second unit,
performing a first result movement by moving the first result variable from the second unit into the first unit, and
performing a second result movement by moving the second result variable from the second unit into the first unit,
each of said first and second variable movements, said first and second computing operations, and said first and second result movements comprise an operation,
the first variable movement, the first result movement, and the first computing operation comprise a first set of operations and the second variable movement, the second result movement and the second computing operation comprises a second set of operations, and
at least one operation of one of the sets is interleaved with the operations of the other set.
4. The method according to claim 1 , wherein the second unit is a chip medium configured to attach and detach to the first unit.
5. The method according to claim 1 , wherein the processor of the second unit is a coprocessor of the processor of the first unit.
6. The method according to claim 1 , wherein the second unit is a token.
7. The method according to claim 1 , wherein, when the second unit is missing, the program cannot be executed correctly and the software is not completely functional.
8. The method according to claim 1 , wherein, when the at least one variable is not provided by the second unit upon request, the program is not executed correctly.
9. The method according to claim 1 , wherein the at least two computing operations are elementary functions.
10. The method according to claim 1 , further comprising:
storing elementary functions that are to be executed in the second unit; and
providing commands from the first unit to the second unit to trigger execution of a respective elementary function.
11. The method according to claim 1 , further comprising:
defining instructions set in which instructions work with registers and use at least one operand for returning a result,
wherein at least some of the instructions comprise:
a part defining functionality of the instruction,
a part defining expected chaining for execution of the instruction and
comprising bits fields corresponding to an identification field of the instruction,
wherein each of the at least one operand comprises: a flag field and an expected identification field,
wherein, for each register used by the instructions set, providing a generated identification field in which the identification of the last instruction which has returned its result in a respective register is automatically memorized,
wherein, during the execution of an instruction, for each operand, when required by the flag field, checking the equality of the generated identification field corresponding to the register used by said operand, and the expected identification field of the origin of said operand, and modifying the result of the instructions, if at least one of the checked equalities is false.
12. The method according to claim 1 , further comprising selecting a part of the software to form the second portion during operation of creating the protected program.
13. A system to protect software comprising:
a first unit comprising a memory and a processor and which stories a first portion of the software; and
a second unit comprising a secure processor and a secure memory and which stores a second portion of the software,
wherein the second portion of the software is secret,
wherein the first and second portions of the software form a single program,
wherein the processor executes the single formed program utilizing the second unit,
wherein the secret second portion of the software comprises at least two computing operations, and
wherein portions of the at least two computing operations are interleaved with each other for transmission from the second unit to the first unit and vise versa.
14. The system according to claim 13 , wherein the second unit is a chip medium configured to attach and detach to the first unit.
15. The system according to claim 13 , wherein the processor of the second unit is a coprocessor of the processor of the first unit.
16. The system according to claim 13 , wherein the second unit is a token.
17. A method to protect software comprising:
storing a first portion of the software on a first unit, wherein the first unit comprises a memory and a processor;
storing a second portion of the software comprising a first and second computing operations on a second unit, the second unit comprising a secure processor and a secure memory, where the second portion of the software is secret, and where the first and second portions of the software form a single program; and
executing the program,
wherein, operations performed during the execution comprise:
transmitting from the first portion of the software first input for the first computing operation and second input for the second computing operation to the second unit, said first and second computing operations are executed in the second unit,
transmitting by the second unit results from the first and second computing operations to the first unit, and
wherein operations related to the first computing operation are interleaved with operations related to the second computing operations.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/838,118 US20070283437A1 (en) | 2002-06-25 | 2007-08-13 | Method to Protect Software Against Unwanted Use with a "Temporal Dissociation" Principle |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/178,917 US7272725B2 (en) | 2002-06-25 | 2002-06-25 | Method to protect software against unwanted use with a “temporal dissociation” principle |
US11/838,118 US20070283437A1 (en) | 2002-06-25 | 2007-08-13 | Method to Protect Software Against Unwanted Use with a "Temporal Dissociation" Principle |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/178,917 Continuation US7272725B2 (en) | 2002-06-25 | 2002-06-25 | Method to protect software against unwanted use with a “temporal dissociation” principle |
Publications (1)
Publication Number | Publication Date |
---|---|
US20070283437A1 true US20070283437A1 (en) | 2007-12-06 |
Family
ID=26874810
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/178,917 Active 2024-10-23 US7272725B2 (en) | 2002-06-25 | 2002-06-25 | Method to protect software against unwanted use with a “temporal dissociation” principle |
US11/838,118 Abandoned US20070283437A1 (en) | 2002-06-25 | 2007-08-13 | Method to Protect Software Against Unwanted Use with a "Temporal Dissociation" Principle |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/178,917 Active 2024-10-23 US7272725B2 (en) | 2002-06-25 | 2002-06-25 | Method to protect software against unwanted use with a “temporal dissociation” principle |
Country Status (1)
Country | Link |
---|---|
US (2) | US7272725B2 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
USRE40866E1 (en) | 2000-09-27 | 2009-08-04 | Huron Ip Llc | System, method, and architecture for dynamic server power management and dynamic workload management for multiserver environment |
GB2405958A (en) * | 2003-08-20 | 2005-03-16 | Macrovision Europ Ltd | Code obfuscation and controlling a processor by emulation |
US20060242082A1 (en) * | 2004-11-29 | 2006-10-26 | Yanki Margalit | Method and system for protecting of software application from piracy |
WO2008088073A1 (en) * | 2007-01-18 | 2008-07-24 | Panasonic Corporation | Obfuscation assisting apparatus |
Citations (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5608894A (en) * | 1994-03-18 | 1997-03-04 | Fujitsu Limited | Execution control system |
US5754646A (en) * | 1995-07-19 | 1998-05-19 | Cable Television Laboratories, Inc. | Method for protecting publicly distributed software |
US5892899A (en) * | 1996-06-13 | 1999-04-06 | Intel Corporation | Tamper resistant methods and apparatus |
US5930357A (en) * | 1993-08-30 | 1999-07-27 | Canon Kabushiki Kaisha | Method of managing contracts for licensed program use and a management system thereof |
US5938778A (en) * | 1997-11-10 | 1999-08-17 | International Business Machines Corporation | System and method for tracing instructions in an information handling system without changing the system source code |
US6044469A (en) * | 1997-08-29 | 2000-03-28 | Preview Software | Software publisher or distributor configurable software security mechanism |
US20010037450A1 (en) * | 2000-03-02 | 2001-11-01 | Metlitski Evgueny A. | System and method for process protection |
US6314409B2 (en) * | 1996-01-11 | 2001-11-06 | Veridian Information Solutions | System for controlling access and distribution of digital property |
US20010044902A1 (en) * | 2000-01-03 | 2001-11-22 | Shavit Nir N. | Secure software system and related techniques |
US6463538B1 (en) * | 1998-12-30 | 2002-10-08 | Rainbow Technologies, Inc. | Method of software protection using a random code generator |
US20030023856A1 (en) * | 2001-06-13 | 2003-01-30 | Intertrust Technologies Corporation | Software self-checking systems and methods |
US6523119B2 (en) * | 1996-12-04 | 2003-02-18 | Rainbow Technologies, Inc. | Software protection device and method |
US6535972B1 (en) * | 1999-11-16 | 2003-03-18 | Advanced Micro Devices, Inc. | Shared dependency checking for status flags |
US6594671B1 (en) * | 1999-06-14 | 2003-07-15 | International Business Machines Corporation | Separating privileged functions from non-privileged functions in a server instance |
US6668325B1 (en) * | 1997-06-09 | 2003-12-23 | Intertrust Technologies | Obfuscation techniques for enhancing software security |
US6931542B1 (en) * | 1997-04-16 | 2005-08-16 | Gemplus | Method for verifying the execution of a software product |
US20060031686A1 (en) * | 1999-09-03 | 2006-02-09 | Purdue Research Foundation | Method and system for tamperproofing software |
US7305704B2 (en) * | 2002-03-16 | 2007-12-04 | Trustedflow Systems, Inc. | Management of trusted flow system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2634917A1 (en) | 1988-08-01 | 1990-02-02 | Pionchon Philippe | METHOD AND DEVICE FOR PROTECTING SOFTWARE, ESPECIALLY AGAINST UNAUTHORIZED COPIES |
EP1086411B1 (en) | 1998-06-12 | 2003-11-12 | Gemplus | Method for verifying the execution of a software product |
-
2002
- 2002-06-25 US US10/178,917 patent/US7272725B2/en active Active
-
2007
- 2007-08-13 US US11/838,118 patent/US20070283437A1/en not_active Abandoned
Patent Citations (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5930357A (en) * | 1993-08-30 | 1999-07-27 | Canon Kabushiki Kaisha | Method of managing contracts for licensed program use and a management system thereof |
US5608894A (en) * | 1994-03-18 | 1997-03-04 | Fujitsu Limited | Execution control system |
US5754646A (en) * | 1995-07-19 | 1998-05-19 | Cable Television Laboratories, Inc. | Method for protecting publicly distributed software |
US6314409B2 (en) * | 1996-01-11 | 2001-11-06 | Veridian Information Solutions | System for controlling access and distribution of digital property |
US5892899A (en) * | 1996-06-13 | 1999-04-06 | Intel Corporation | Tamper resistant methods and apparatus |
US6523119B2 (en) * | 1996-12-04 | 2003-02-18 | Rainbow Technologies, Inc. | Software protection device and method |
US6931542B1 (en) * | 1997-04-16 | 2005-08-16 | Gemplus | Method for verifying the execution of a software product |
US6668325B1 (en) * | 1997-06-09 | 2003-12-23 | Intertrust Technologies | Obfuscation techniques for enhancing software security |
US6044469A (en) * | 1997-08-29 | 2000-03-28 | Preview Software | Software publisher or distributor configurable software security mechanism |
US5938778A (en) * | 1997-11-10 | 1999-08-17 | International Business Machines Corporation | System and method for tracing instructions in an information handling system without changing the system source code |
US6463538B1 (en) * | 1998-12-30 | 2002-10-08 | Rainbow Technologies, Inc. | Method of software protection using a random code generator |
US6594671B1 (en) * | 1999-06-14 | 2003-07-15 | International Business Machines Corporation | Separating privileged functions from non-privileged functions in a server instance |
US20060031686A1 (en) * | 1999-09-03 | 2006-02-09 | Purdue Research Foundation | Method and system for tamperproofing software |
US6535972B1 (en) * | 1999-11-16 | 2003-03-18 | Advanced Micro Devices, Inc. | Shared dependency checking for status flags |
US20010044902A1 (en) * | 2000-01-03 | 2001-11-22 | Shavit Nir N. | Secure software system and related techniques |
US20010037450A1 (en) * | 2000-03-02 | 2001-11-01 | Metlitski Evgueny A. | System and method for process protection |
US20030023856A1 (en) * | 2001-06-13 | 2003-01-30 | Intertrust Technologies Corporation | Software self-checking systems and methods |
US7305704B2 (en) * | 2002-03-16 | 2007-12-04 | Trustedflow Systems, Inc. | Management of trusted flow system |
Also Published As
Publication number | Publication date |
---|---|
US7272725B2 (en) | 2007-09-18 |
US20030028793A1 (en) | 2003-02-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20070294770A1 (en) | Method to Protect Software Against Unwanted Use with a Variable Principle | |
US20070136816A1 (en) | Method to protect software against unwanted use with a detection and coercion principle | |
US20070283437A1 (en) | Method to Protect Software Against Unwanted Use with a "Temporal Dissociation" Principle | |
US20070277239A1 (en) | Method to Protect Software Against Unwanted Use with a "Renaming" Principle | |
US7502940B2 (en) | Method to protect software against unwanted use with a “conditional branch” principle | |
US7434064B2 (en) | Method to protect software against unwanted use with a “elementary functions” principle | |
AU2002325998B2 (en) | Method for protecting a software using a so-called variable principle against its unauthorised use | |
ZA200400350B (en) | Method for protecting a software using a so called renaming principle against its unauthorised use | |
ZA200400349B (en) | Method for protecting a software using a so called temporal dissociation principle against its unauthorised use | |
AU2002328377B2 (en) | Method for protecting a software using a so-called detection and coercion principle against its unauthorised use | |
ZA200400351B (en) | Method for protecting a software using a so called conditional jump principle against its unauthorised use | |
ZA200400353B (en) | Method for protecting a software using a so called elementary functions principle against its unauthorised use |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |