[go: up one dir, main page]

HK1070155A1 - Method to protect software against unwanted use with a "variable" principle - Google Patents

Method to protect software against unwanted use with a "variable" principle Download PDF

Info

Publication number
HK1070155A1
HK1070155A1 HK05102678A HK05102678A HK1070155A1 HK 1070155 A1 HK1070155 A1 HK 1070155A1 HK 05102678 A HK05102678 A HK 05102678A HK 05102678 A HK05102678 A HK 05102678A HK 1070155 A1 HK1070155 A1 HK 1070155A1
Authority
HK
Hong Kong
Prior art keywords
execution
protected software
unit
during
software
Prior art date
Application number
HK05102678A
Other languages
Chinese (zh)
Other versions
HK1070155B (en
Inventor
让-克里斯托夫.屈埃诺
吉勒.斯格罗
Original Assignee
瓦利迪公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 瓦利迪公司 filed Critical 瓦利迪公司
Publication of HK1070155A1 publication Critical patent/HK1070155A1/en
Publication of HK1070155B publication Critical patent/HK1070155B/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/121Restricting unauthorised execution of programs
    • G06F21/123Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/121Restricting unauthorised execution of programs
    • G06F21/125Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Technology Law (AREA)
  • Multimedia (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Remote Sensing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention concerns a method for protecting, from at least a unit, a vulnerable software against its unauthorised use, said vulnerable software operating on a data processing system. The method consists in creating a protected software: by selecting in the source of the vulnerable software at least a variable; by producing the source of the protected software by modifying the source of the vulnerable software, so that the selected variable becomes resident in a unit.

Description

Method for protecting software against unauthorized use by means of the "variable" principle
The present invention relates generally to the field of data processing systems, and more specifically to a method of preventing unauthorized use of software running on the data processing system.
The subject of the invention is mainly a method for preventing unauthorized use of software using a memory unit or a processing and memory unit, such unit usually being embodied as a physical key in a chip card or a USB port.
In the above-mentioned technical field, a major problem relates to the unauthorized use of software by users who do not pay a license fee. This illegal use of software results in obvious losses to software programmers, software distributors, and/or anyone who integrates the software into a product. To avoid such illegal copying, various schemes have been proposed in the prior art to protect the software.
Therefore, protection schemes are known which utilize a hardware protection system, such as a physical component called a protection key or "dongle". Such a protection key should ensure that the software is only executed if a key is present. However, it must be acknowledged that this solution is inefficient, as it presents an inconvenience that is not easily overlooked. With the help of special tools such as disassemblers, a malicious person or hacker can delete the control instructions of the protection keys. Then, it becomes possible to execute an illegal copy corresponding to a modified version of software that can be run without protection. Furthermore, this solution cannot be generalized to all software, since it is difficult to connect more than two protection keys to the same system.
The subject of the invention is to find precisely the solution to the above-mentioned problems by proposing a method of preventing the unauthorized use of software, in particular the use of a memory unit or a processing and memory unit, since this unit is necessary for the software to function completely.
To achieve this object, the subject of the invention relates to a method for preventing unauthorized use of leaky software (vulgaris software) generated by a source and acting on a data processing system, using at least one white space unit comprising at least memory modules (means). The method according to the invention comprises:
→ in the protection phase:
● creating protected software:
-by selecting among the sources of the leaky software:
at least one variable which, during the execution of the leaky software, defines, in part, the state of the latter,
and at least one portion containing at least one selected variable,
-transforming the blank cell into a cell by generating a source of protected software from the source of the vulnerable software, by modifying at least one selected part of the source of the vulnerable software such that during execution of the protected software the at least one selected variable or a copy of the at least one selected variable resides in the blank cell,
and by generating a first object part of the protected software by a source of the protected software, the first object part being a first execution part occurring in the data processing system during execution of the protected software, and at least a part of the first execution part residing in the unit taking into account at least the variable or at least a copy of the variable,
→ and during the use phase, executing the protected software during the use phase:
● each time a portion of the first execution part utilizes (improse) it when a unit exists, use the variable or copy of the variable residing in the unit to execute the part correctly, so that the protected software is fully functional,
● and in the absence of a unit, although a portion of the first execution portion requests use of a variable or copy of a variable residing in the unit, the request may not be fulfilled correctly so that at least the portion is executed incorrectly, and therefore, the protected software is not fully functional.
According to a preferred embodiment, the method according to the invention comprises:
→ during the protection phase:
● modifying the protected software:
-by selecting among the sources of protected software:
at least one algorithmic process that, during execution of the protected software, uses at least one selected variable and makes available at least one resulting variable,
and at least one portion containing at least one selected algorithmic process, -by modifying at least one selected portion of the source of the protected software, this modification being:
during execution of the protected software, a first execution part is executed in the data processing system, and a second execution part is executed in a unit further comprising a processing module,
by means of the second execution part, at least the functionality of the at least one selected algorithmic process is executed,
separating at least one selected algorithmic process so that during execution of the protected software, by means of the second execution part, several different steps occur, namely:
at least one variable is set for use by the unit,
the functionality of performing algorithmic processing on at least the variables in the units,
and possibly, by means of the unit, setting at least one result variable for use by the data processing system,
defining step commands for at least one selected algorithmic process such that, during execution of the protected software, each step command is executed by a first execution section and triggering in a unit the execution of a step by a second execution section,
and selecting the order of the step commands in the ordered set that allows (enable) execution of the protected software,
-and by generating:
a first object portion of the protected software, said first object portion being for executing step commands according to the selected order during execution of the protected software,
and a second object portion of the protected software, said second object portion being such that, after loading into the white space unit and during execution of the protected software, a second execution portion occurs by which the steps triggered by the first execution portion are executed,
● and, to obtain the cell, loading the second object portion onto a blank cell,
→ and during the use phase:
●, in the presence of this element, and each time a step contained in a part of the first execution part commands the use of it, the corresponding step is executed in this element in order to execute said part correctly, so that the protected software is fully functional,
● and in the absence of a unit, although a request for a portion of the first execution part triggers an execution step in the unit, the request cannot be fulfilled correctly so that at least the portion is executed incorrectly, and therefore the protection software is not fully functional.
According to another preferred embodiment, the method according to the invention comprises:
→ during the protection phase:
● define:
a set of basic functions, the basic functions of which are easy to execute in the unit further comprising a processing module,
-and a set of basic commands for said set of basic functions, said basic commands being susceptible to be executed in the data processing system and triggering the execution of the basic functions in the unit,
●, a utilization module (implementation) is constructed that allows transforming blank cells into cells that can execute the set of basic functions, triggering the execution of the basic functions by executing basic commands in the data processing system,
● modifying the protected software:
-by selecting among the sources of protected software:
at least one algorithmic process which, during the execution of the protected software, uses at least one selected variable and allows at least one resulting variable to be obtained,
and at least one portion comprising at least one selected algorithmic process,
-by modifying at least one selected part of the source of the protected software, this modification being:
during execution of the protected software, executing a first execution part in the data processing system and executing a second execution part in the unit,
at least the functionality of the at least one selected algorithmic process is performed by the second executing part,
separating at least one selected algorithmic process to execute said algorithmic process using a base function during execution of the protected software by a second execution part,
grouping the basic commands into a source of the protected software for at least one selected algorithmic process, so that during execution of the protected software, each basic command is executed by a first execution section and triggering in the unit the execution of a basic function by a second execution section,
and selecting the order of the base commands in the set of orders that allow execution of the protected software,
-and by generating:
a first object portion of the protected software, said first object portion being for executing basic commands according to a selected order during execution of the protected software,
and a second object part containing protected software utilizing the module, the second object part being such that, after loading into the white space unit and during execution of the protected software, a second execution part occurs by which the basic function triggered by the first execution part is executed,
● and to obtain the cell, the second object portion is loaded onto the blank cell.
→ and during the use phase:
●, when the unit is present, and each time the basic command contained in a part of the first execution part makes use of it, the corresponding basic function is executed in the unit in order to correctly execute said part, so that the protected software is fully functional,
● and in the absence of the unit, although a request for a portion of the first execution part triggers execution of a base function in the unit, the request cannot be fulfilled correctly so that at least the portion is executed incorrectly, and therefore the protected software is not fully functional.
According to another preferred embodiment, the method according to the invention comprises:
→ during the protection phase:
● define:
a set of elementary functions, the elementary functions of which are easy to execute in the unit,
and a set of basic commands for said set of basic functions, said basic commands being susceptible to being executed in the data processing system and triggering the execution of the basic functions in the unit,
● a utilization module is constructed that allows the unit to execute the set of base functions, triggering the execution of the base functions by executing base commands in the data processing system,
● and modifying the protected software:
-performing at least one step of the functionality of the algorithmic processing during execution of the protected software by selecting in a source of the protected software,
-by modifying at least one selected part of the source of the protected software, this modification being:
separating at least one selected step so that said step is performed by the second execution part using the basic function during execution of the protected software,
for at least one selected step, grouping the basic commands into a source of the protected software, so that during execution of the protected software, each basic command is executed by a first execution section and triggering the execution of a basic function in the unit by a second execution section,
and selecting the order of the base commands in the set of orders that allow execution of the protected software,
-and by generating:
a first object portion of the protected software, said first object portion being for executing basic commands according to a selected order during execution of the protected software,
and a second object part further comprising protected software using the module, the second object part being a add-onAfter loading the unit, and during execution of the protected software, a second execution part occurs, by means of which the basic function triggered by the first execution part is executed,
→ and during the use phase:
●, when the unit is present, and each time the basic command contained in a part of the first execution part makes use of it, the corresponding basic function is executed in the unit in order to correctly execute said part, so that the protected software is fully functional,
● and in the absence of the unit, although a request for a portion of the first execution part triggers execution of the basic function in the unit, the request cannot be fulfilled correctly so that at least the portion is executed incorrectly, and therefore the protected software is not fully functional.
According to another preferred embodiment, the method according to the invention comprises:
→ during the protection phase:
● define:
-at least one software execution characteristic, at least part of which is susceptible to being monitored in the unit,
-at least one criterion by which the at least one software execution feature complies,
-a detection module implemented in the unit and allowing to detect that at least one software execution characteristic does not comply with at least one relevant criterion,
and a enforcement (coercion) module implemented in the unit and allowing to notify the data processing system and/or modify the software executed when at least one criterion is not observed,
● the configuration allows the unit to also implement a utilization module for the detection module and the forcing module,
● and modifying the protected software:
-by selecting at least one software execution characteristic to monitor among the software execution characteristics that are easy to monitor,
-at least one criterion followed by selecting at least one selected software execution characteristic,
-by selecting in the source of protected software a base function that will monitor at least one selected software execution characteristic,
-by modifying at least one selected part of the source of the protected software, which modification results in the fact that, during execution of the protected software, at least one selected execution characteristic is monitored by the second execution part, and that a criterion is not observed, which leads to informing the data processing system and/or modifying the execution of the protected software,
and further implementing the detection module and the enforcement module by generating a second object part comprising the protected software utilizing the module, said second object part being that, after being loaded into the unit and during execution of the protected software, monitoring at least one software execution characteristic and the fact that a criterion is not observed results in informing the data processing system and/or modifying the execution of the protected software,
→ and during the use phase:
● when the unit is present:
-allowing said portion of protected software to run nominally (nominally) as long as all criteria corresponding to all monitored execution characteristics of all modified portions of the protected software are observed, thus allowing the protected software to run nominally,
and if at least one criterion corresponding to the monitored execution characteristics of a portion of the protected software is not complied with, informing the data processing system and/or modifying the execution of the portion of the protected software (functioning) so as to modify the execution of the protected software.
According to a different embodiment, the method according to the invention comprises:
→ during the protection phase:
● define:
-defining variables of a measure of use of the functionality of the software as software execution characteristics that are easy to monitor,
defining at least one threshold value relating to the variables of each metric as a criterion of adherence,
and an implementation module allowing updating of variables of at least one metric,
● configuration allows the unit to also implement a utilization module that implements the module,
● and modifying the protected software:
-by selecting at least one variable of a measure of usage of at least one functionality of the software as a monitored software execution characteristic,
-by selecting:
the variables of the usage metric facilitate monitoring at least one functionality of the protected software that it uses,
at least one variable to quantify a measure of usage of the functionality,
at least one threshold value related to a variable of the selected metric corresponding to a limit of use of the functionality,
and at least one method of updating the variables of the selected metric based on the use of the functionality,
-implementing a variable of the metric by means of the second execution part, according to the use of said functionality, during the execution of the protected software, by modifying at least one selected part of the source of the protected software, and taking into account at least one threshold crossing (cross),
→ and during the use phase, upon the presence of the unit, and upon detection of at least one threshold crossing corresponding to at least one usage limit, informing the data processing system and/or modifying the execution of the protected software so as to modify the execution of the protected software.
According to a different embodiment, the method according to the invention comprises:
→ during the protection phase:
● define:
several correlation thresholds for variables of at least one metric,
-and a different forcing module corresponding to each of said thresholds,
● and modifying the protected software:
by selecting, in the source of protected software, the variables of at least one selected metric that must be related to several thresholds corresponding to different limits of functional use,
-selecting at least two thresholds related to the variables of the selected metric,
and by modifying at least one selected portion of the source of the protected software, this modification being such as to take into account differently, during the execution of the protected software, the crossing of different thresholds by the second execution portion,
→ and during the use phase:
● in the presence of this element:
-in case of detecting crossing of the first threshold, commanding the protected software to no longer use the corresponding functionality,
and in case of detecting crossing of the second threshold, invalidating at least a part of the respective functionality and/or protected software.
According to a different embodiment, the method according to the invention comprises:
→ during the protection phase:
● define a refinish (refill) module that allows, through at least one additional use, trust in at least one software functionality monitored by a variable of a metric,
the ● configuration also allows the unit to implement a utilization module for the retrofit module,
● and modifying the protected software:
-by selecting in the source of the protected software a variable that allows to limit the use of the functionality and that must be able to pass at least one selected metric trusted by at least one further use,
and by modifying at least one selected portion, this modification enabling to trust, during a phase called replenishment, at least one further use of at least one functionality of the variable corresponding to the selected metric,
→ and during refitting:
● re-implement the variables and/or the at least one correlation threshold for the at least one selected metric to allow at least one additional use of the functionality.
According to a different embodiment, the method according to the invention comprises:
→ during the protection phase:
● define:
-defining a profile of software usage (profile) as software execution characteristics that are easy to monitor,
-and defining at least one software execution characteristic as a criterion to comply with,
● and modifying the protected software:
-selecting at least one profile of software usage as a monitored software execution characteristic,
-by selecting at least one execution characteristic to which at least one selected usage profile has to comply,
and by modifying at least one selected portion of the source of the protected software, such modification being such that, during execution of the protected software, the second execution portion complies with all selected execution characteristics,
→ and during the use phase, upon the presence of the unit, and in case of a detected non-compliance with the at least one execution feature, informing the data processing system and/or modifying the execution of the portion of the protected software in order to modify the execution of the protected software.
According to a different embodiment, the method according to the invention comprises:
→ during the protection phase:
● define:
an instruction set whose instructions are susceptible to being executed in the unit,
-an instruction command set for said instruction set, said instruction command being susceptible to be executed in a data processing system and triggering the execution of an instruction in the unit,
-defining the instruction link as a usage profile,
-defining an intended link for executing an instruction as an execution characteristic,
-defining a module allowing detection of instruction links not corresponding to expected instruction links as detection module,
and defining as mandatory modules a module allowing to inform the data processing system and/or to change the functionality of the protected software when the instruction links do not correspond to the expected instruction links,
● the construction also allows the unit to execute utilization modules of the instructions of the instruction set, triggering execution of the instructions by executing instruction commands in the data processing system,
● and modifying the protected software:
-by modifying at least one selected part of the source of the protected software:
by transforming the basic function into an instruction,
by specifying the links that at least some of the instructions must adhere to during their execution in the unit,
and by transforming the basic command into an instruction command corresponding to the instruction used,
→ and during the use phase, in the presence of the unit, informing the data processing system and/or modifying the execution of the portion of the protected software in order to modify the execution of the protected software in case it is detected that the instruction link executed in the unit does not correspond to the expected instruction link.
According to a different embodiment, the method according to the invention comprises:
→ in the protection phase:
● define:
-defining as instruction set at least some of its instructions working with registers and for returning a result, an instruction set using at least one operand,
-for at least some instructions working with registers:
the portion of the functionality of the instruction is defined,
and a portion defining an expected link for executing the instruction and including bit fields corresponding to:
an identification field of the instruction is fetched,
and for each operand of the instruction:
a flag field for indicating whether the data is to be written,
and an expected identification field of the operand,
-for each register belonging to the utilization module and used by the instruction set, automatically storing in said register the identification of the last instruction whose result has been returned,
-and defining as detection modules, for each operand, a module allowing to check, for each operand, the equation (equality) corresponding to the generated identification field of the register used by said operand and the original expected identification field of said operand when it is utilized by the flag field,
-and if at least one of the checked equations is false, defining the module that allows modifying the instruction result as a forcing module.
According to another preferred embodiment, the method according to the invention comprises:
→ during the protection phase:
● define:
-defining a basic command or an instruction command as a trigger command,
defining a basic function or instruction as a correlation function,
-defining at least one argument (argument) for a trigger command, corresponding at least in part to the information transmitted by the data processing system to the unit, as an order (order) for triggering the execution of the corresponding correlation function,
-an order renaming method allowing renaming an order to obtain a trigger command with a renamed order,
and a recovery module designed to be used in the unit during a use phase and to allow the recovery of the correlation function for execution by the renaming order,
● configuration allows the unit to also implement a recovery module utilization module,
● and modifying the protected software:
-by selecting a trigger command in the source of the protected software,
-modifying at least one selected part of the source of the protected software by renaming the order of the selected trigger commands so as to hide the identity (identity) of the corresponding correlation function,
-and by generating:
a first object part of the protected software, said first object part being a trigger command executed with a rename order during execution of the protected software,
and a second object part comprising protected software utilizing the module, the second object part, after being loaded into the unit and during execution of the protected software, recovering, by means of a second execution part, the identity of the correlation function whose execution was triggered by the first execution part, executing, by means of the second execution part, the correlation function,
→ and during the use phase:
● when the element is present and each time a trigger command with rename order contained in a part of the first execution section makes use of it, the properties of the corresponding correlation function are restored in the element and executed in order to execute said part correctly, so that the protected software is fully functional,
● and in the absence of the element, although a request for a portion of the first execution portion triggers execution of the associated function in the element, the request cannot be fulfilled correctly so that at least the portion is executed incorrectly, and therefore the protected software is not fully functional.
According to a different embodiment, the method according to the invention comprises:
→ during the protection phase,
● define a family of correlation functions for at least one correlation function that are algorithmically equivalent, but are triggered by trigger commands whose renaming order differs,
● and modifying the protected software:
-selecting at least one trigger command with a rename order in a source of protected software,
-and modifying at least one selected part of the source of the protected software by replacing the renaming order of one selected trigger command having the renaming order by at least another renaming order, triggering the related functions of the same family.
According to a different embodiment, the method according to the invention comprises:
→ during the protection phase, a family of algorithmically equivalent correlation functions is defined for at least one correlation function:
-by concatenating (concatenate) the noise field to the information defining the functional part of the correlation function for execution in the unit,
or by using the identification field of the instruction and the expected identification field of the operand.
According to a different embodiment, the method according to the invention comprises:
→ during the protection phase:
● define:
-defining the encryption method of the encryption order as a renaming method of the order,
and defining as the recovery module the module implementing the decryption renaming order, so as to recover the identity of the correlation function for the decryption method executed in the unit.
According to another preferred embodiment, the method according to the invention comprises:
→ during the protection phase:
● modifying protected software
-selecting, in the source of the protected software, at least one conditional branch to be executed in at least one selected algorithmic process,
-the functionality of at least one selected conditional branch is performed in the unit by means of a second execution part during execution of the protected software by modifying at least one selected part of the source of the protected software,
-and by generating:
a first object part of the protected software, said first object part being the functionality of executing at least one selected conditional branch in a unit during execution of the protected software,
and a second object part of the protected software, the second object partIn order for a second execution section to occur after loading into the unit, and during execution of the protected software, the functionality of at least one selected conditional branch is executed by the second execution section,
→ and during the use phase:
●, in the presence of the element, and each time a portion of the first execution part makes use of it, the functionality of at least one conditional branch is executed in the element in order to correctly execute said portion, so that the protected software is fully functional,
● and in the absence of the element, although a portion of the first execution part requests that the conditional branching functionality be executed in the element, the request cannot be fulfilled correctly so that at least the portion is executed incorrectly, and therefore the protected software is not fully functional.
According to a different embodiment, the method according to the invention comprises: during the protection phase, the protected software is modified:
-selecting at least one selected conditional branch in the source of the protected software,
-performing the full functionality of at least one selected series of conditional branches in the unit by means of a second execution part during execution of the protected software by modifying at least one selected part of the source of the protected software,
-and by generating:
a first object part of the protected software, said first object part being a functionality for executing at least one selected series of conditional branches in the unit during execution of the protected software,
and of protected softwareA second object part, said second object part being such that after loading into the unit and during execution of the protected software a second execution part occurs, by means of which second execution part the full functionality of at least one selected series of conditional branches is executed.
The method according to the invention thus allows to protect the software usage by using a memory location that exhibits the characteristics of a part containing the software being executed. It follows that attempting any derived version of software that has no storage unit running forces the software portion contained in the storage unit to be recreated during execution, or the derived software version will not function completely.
Various other characteristics emerge from the description given below with reference to the accompanying drawings, which represent, by way of non-limiting example, embodiments and implementations of the subject matter of the invention.
Fig. 10 and 11 are functional block diagrams illustrating various representations of software that are unprotected and protected by methods according to the present invention, respectively.
Fig. 20 to 22 illustrate various embodiments of modules implementing the method according to the invention.
Fig. 30 to 31 are functional block diagrams clearly illustrating the general principle of the method according to the invention.
Fig. 40 to 43 are diagrams illustrating a protection method according to the present invention in which a protection principle is implemented by a variable.
Fig. 50 to 54 are diagrams illustrating a protection method according to the present invention in which a protection principle is implemented by temporal separation (temporal separation).
Fig. 60 to 64 are diagrams illustrating a protection method according to the present invention in which a protection principle is implemented by an elementary function (elementary function).
Fig. 70 to 74 are diagrams illustrating a protection method according to the present invention by detecting and enforcing a protection principle.
Fig. 80 to 85 are diagrams illustrating a protection method according to the present invention in which a protection principle is implemented by renaming.
Fig. 90 to 92 are diagrams illustrating a protection method according to the present invention in which a protection principle is implemented by a conditional branch.
Diagram 100 is a diagram illustrating different stages of an implementation of the inventive subject matter.
FIG. 110 illustrates an embodiment of a system that allows for a structural level of the protection phase according to the present invention.
Fig. 120 illustrates an embodiment of a pre-customization unit for use in a protection method according to the present invention.
Fig. 130 illustrates an embodiment of a system that allows implementing a facility that generates stages of protection phases (stages) according to the present invention.
Fig. 140 illustrates an embodiment of a system that allows implementing the protection method according to the invention.
Fig. 150 illustrates an embodiment of a customization unit for use in a protection method according to the present invention.
In the rest of the description, the following definitions will be used:
● the data processing system 3 is a system capable of executing programs.
● the storage unit is a unit that can accept data provided by the data processing system 3, store the data, and recover the data at the request of the data processing system 3.
● the processing and storage units are
Accept data provided by the data processing system 3,
return data to the data processing system 3
-storing data at least partly in secrecy and retaining at least part of said data even if the unit is switched off,
-performing algorithmic processing on the data, some or all of the results being secret.
● unit 6 is a storage unit or a processing and storage unit implementing the method according to the invention.
● the blank cell 60 is a cell that cannot implement the method according to the invention, but that can receive data for its conversion into cell 6.
● the blank cell 60 can become cell 6 during execution of the software protected by the method according to the invention and, after execution, again become the blank cell 60.
● the pre-customized cell 66 is a blank cell 60 that allows the partial data to be transformed into cell 6 to be received after the supplemental data has been received.
● loading information into the blank cells 60 or the pre-customized cells 66 corresponds to transferring information to the blank cells 60 or the pre-customized cells 66 and storing the transferred information. The transmitting can include changing a format of the information.
● the variables, functions or data contained in data processing system 3 will be represented by capital letters, while the variables, functions or data contained in cell 6 will be represented by lowercase letters.
● "protected software" is software that has been protected by at least one of the protection principles implemented by the method according to the invention.
● "leaky software" is software that is not protected by any protection principle implemented by the method according to the invention.
● the term "software" is used where the distinction between the compromised and protected software is not important.
● the software has various representations according to the instant considered in its lifetime:
-a representation of the source,
-a representation of the object,
-distribution (distribution),
-or dynamic representation.
● the source representation of the software is understood to result in a representation of the object representation after transformation. The source representation can provide various levels from a conceptual abstraction level (level) to a level directly executable by the data processing system or the processing and storage units.
● correspond to a stage of a representation that can be performed after delivery to a data processing system or a processing and storage unit. Which can be, for example, binary code, interpreted code, etc.
● the distribution is a physical or virtual support containing object representations that must be made free to be handled by users in order to allow them to use the software.
● dynamically represent the execution of the software corresponding to the distribution therefrom.
● parts of software correspond to parts of software and for example to one or several consecutive or non-consecutive instructions, and/or to one or several consecutive or non-consecutive functional blocks, and/or to one or several functions, and/or to one or several subroutines, and/or to one or several modules. Part of the software can also correspond to all of the software.
Fig. 10 and 11 illustrate various representations of software 2v that is generally leaky and protected software 2p that is protected by the method according to the invention, respectively.
FIG. 10 illustrates various representations of the compromised software 2v that appear during its lifetime. Thus, the software 2v that is vulnerable to the holes can appear under any of the following expressions:
● the source represents 2vs,
● the purpose is to represent 2vo,
● distribute 2 vd. The distribution can typically be in the form of a physical distribution medium, such as a CDROM or a file distributed over a network (GSM, Internet, etc.),
● or corresponding to a data processing system 3 of any known type, which typically comprises a dynamic representation 2ve of the compromised software 2v executing on at least four processors.
Fig. 11 illustrates various representations of protected software 2p that appear during its lifetime. Thus, the protected software 2p appears under any of the following representations:
● the source representation 2ps includes a first source part for the data processing system 3 in part, and alternatively, a second source part for the unit 6, which can typically be contained in a common file,
● the object representation 2po comprises a first object part 2pos for the data processing system 3 and, alternatively, a second object part 2pou for the cell 6,
● distribute 2pd including:
a first distribution part 2pds containing a first object part 2pos, said first distribution part 2pds being intended for the data processing system 3 and typically being able to take the form of a physical distribution medium such as a cd rom or a file distributed over a network (GSM, Internet, etc.),
-and the second distribution portion 2pdu has the form:
at least one of the blank cells 60 is,
at least one pre-customization unit 66, already loaded with a portion of the second object portion 2pou and used to obtain, by loading, the complementary data that the user must have done in order to obtain the unit 6, for example by downloading from a network, said complementary data being available
Having loaded at least one cell 6 of the second object portion 2pou,
● or dynamic representation 2pe, corresponding to the execution of protected software 2 p. The dynamic representation 2pe comprises a first execution part 2pes executed in the data processing system 3 and a second execution part 2peu executed in the unit 6.
In case the distinction between the different representations of the protected software 2p is not important, the wording first part of the protected software and second part of the protected software should be used.
The implementation of the method of the invention according to the dynamic representation of fig. 11 uses a module 1p comprising a data processing system 3 connected to a unit 6 by a link 5. The data processing system 3 is of any type and typically comprises at least one processor 4. The data processing system 3 can be a computer or, for example, a component of various machines, devices, fixed or mobile products or vehicles in general. The link 5 can be implemented in any possible way, such as for example a serial link, a USB bus, a radio link, an optical link, a network link or a direct electrical connection to the circuitry of the data processing system 3, etc. It should be noted that the unit 6 may be physically located in the same integrated circuit as the processor of the data processing system 3. In this case the unit 6 can be seen as a coprocessor which is magnetic with the processor 4 of the data processing system 3 and the link 5 is internal to the integrated circuit.
Figures 20 to 22 represent, by way of example and without limitation, various embodiments of a module 1p allowing to implement the protection method according to the invention.
In the embodiment shown in fig. 20, the protection module 1p comprises a computer as data processing system 3 and as unit 6 a chip card 7 and an interface 8 commonly referred to as a card reader. The computer 3 is connected to the unit 6 via a link 5. During the execution of the protected software 2p, the first execution part 2pes executed in the computer 3 and the second execution part 2peu executed in the chip card 7 and its interface 8 must be functional in order for the protected software 2p to function fully.
In the embodiment shown in fig. 21, the protection module 1p has, in general, a product 9 comprising various components 10 suitable for the functions assumed by such a product 9. The protection module 1p comprises, on the one hand, a data processing system embedded in the product 9 and, on the other hand, a unit 6 relating to the product 9. Thus, the product 9 is fully functional and the protected software 2p must be fully functional. Thus, during the execution of the protected software 2p, the first execution part 2pes, which is executed in the data processing system 3, and the second execution part 2peu, which is executed in the unit 6, have to be functional. The protected software 2p thus allows to indirectly prevent unauthorized use of the product 9 or one of its functions. For example, the product 9 can be a facility, a system, a machine, a toy, a household appliance, a telephone, and the like.
In the embodiment shown in fig. 22, the protection module 1p comprises several computers, as well as part of the communication network. The data processing system 3 is a first computer connected to a unit 6 constituted by a second computer by a network-type link 5. For the implementation of the present invention, the second computer 6 acts as a license server for the protected software 2 p. During execution of the protected software 2p, the first execution part 2pes executed in the first computer 3 and the second execution part 2peu executed in the second computer 6 must be functional in order for the protected software 2p to be fully functional.
Fig. 30 allows to illustrate the protection method according to the invention more clearly. It should be noted that the compromised software 2v is considered to be entirely executing in the data processing system 3. On the other hand, in the case of the implementation of the protected software 2p, the data processing system 3 comprises a transfer module 12 connected, by means of a link 5, to a transfer module 13 that is part of the unit 6, allowing communication to be established between the first execution part 2pec and the second execution part 2peu of the protected software 2 p.
It has to be noted that the transfer modules 12, 13 are software and/or hardware in nature and are able to provide and possibly optimize data communication between the data processing system 3 and the unit 6. The transfer modules 12, 13 are intended to allow the protected software 2p to be freely handled, independently of the type of link 5 used. Said transfer modules 12, 13 are not part of the subject of the present invention, since they are well known to the skilled person and therefore not described more precisely. The first part of the protected software 2p comprises commands. During execution of the protected software 2p, the execution of the command by the first execution part 2pes allows communication between the first execution part 2pes and the second execution part 2 peu. IN the rest of the description, the command is denoted IN, OUT or TRIG.
As shown in fig. 31, to allow the implementation of the second execution part 2peu of the protected software 2p, the unit 6 comprises a protection module 14. In case the unit 6 is a memory unit, the protection module 14 comprises a memory module 15. In the case where the unit 6 is a processing and storage unit, the protection module 14 comprises a storage module 15 and a processing module 16.
To simplify the rest of the description, during the execution of the protected software 2p, the choice is to consider the presence of the unit 6 or the absence of the unit 6. In fact, each time the protected software 2p is incorrectly executed, the unit 6 of the protection module 14 that provides a second execution part 2peu that is not suitable for executing the protected software 2p is also considered to be absent. In other words:
● and including the protection module 14 adapted to execute the second execution part 2peu of the protected software 2p is always considered to be present.
●, but comprises an element 6 of the second execution part 2peu that is not suitable, i.e. does not allow correct execution of the protected software 2p, is considered to be present when it works correctly, and absent (missing) when it works incorrectly,
● and physically absent element 6 are always considered absent.
In the case of a unit 6 consisting of a chip card 7 and its interface 8, the transfer module 13 is divided into two parts, one on the interface 8 and the other on the chip card 7. In this embodiment the absence of a chip card 7 is considered equivalent to the absence of a unit 6. In other words, in the absence of the chip card 7 and/or its interface 8, the protection module 14 is not accessible and does not allow the execution of the second execution part 2peu of the protected software 2p, to the extent that the protected software 2p is not fully functional.
According to the invention, the protection method is used to implement a protection principle called variable, the description of which is carried out with reference to fig. 40 to 43.
To implement the protection principle by means of variables, at least one variable is selected in the source of the software with holes 2vs, which at least one variable defines its state in part during the execution of the software with holes 2 v. From the state of the software, it must be understood that at a given time, multiple sets of information of the software need to be fully executed, to the extent that the absence of this selected variable is detrimental to the full execution of the software. A source of at least a portion of the compromised software 2vs containing at least one selected variable is also selected.
The source of the at least one selected portion of the leaked software 2vs is then modified to obtain a source of the protected software 2 ps. This modification is that at least a part of the first execution part 2pes, which is executed in the data processing system 3, resides in the unit 6 during execution of the protected software 2p, taking into account at least one selected variable or at least one copy of a selected variable. To implement the protection principle by means of variables, the unit 6 comprises at least a memory module 15.
Fig. 40 illustrates an example of execution of the software 2v with holes. In this example, during the execution of the compromised software 2v in the data processing system 3, there occurs:
● at time t1Assigning data X to variable V1By V1And (c) a step of ← X,
● at time t2Will vary the variable V1Is assigned to variable Y, using Y ← V1It is shown that,
● and at time t3Will vary the variable V1Is assigned to variable Z and is used as Z ← V1And (4) showing.
FIG. 41 illustrates an example of a first form of implementation of the present invention where variables reside in cell 6. In this example, during the execution of the first execution part 2pes of the protected software 2p in the data processing system 3, when the unit 6 is present, there occurs:
● at time t1Execution triggers the transfer of data X from the data processing system 3 to a variable V located in a memory module 15 of the unit 61The branch command of (1), the branch command being OUT (v)1X) and finally corresponds to the assignment of data X to variable v1
● at time t2Execution triggers a variable v to reside in element 61Is transmitted to the data processing system 3 IN order to assign it to a branch command for the variable Y, said branch command being IN (v)1) Express, and ultimately correspond to, the variable v1Is assigned to the variable Y and,
● and at time t3Execution triggers a variable v to reside in element 61To the data processing system 3 IN order to assign it to the branch command of the variable Z, said branch command being IN (v)1) Represents and finally corresponds to the variable v1Is assigned to variable Z.
It should be observed that at least one variable resides in the unit 6 during execution of the protected software 2 p. Thus, when a portion of the first execution part 2pes of the protected software 2p makes use of it and is present in the unit 6, the variable values residing in the unit 6 are transferred to the data processing system 3 for use by the first execution part 2pes of the protected software 2p to such an extent that the portion is executed correctly, whereby the protected software 2p is fully functional.
FIG. 42 illustrates an example of a second form of implementation of the present invention in which a copy of the variable resides in cell 6. In this example, during the execution of the first execution part 2pes of the protected software 2p in the data processing system 3 and in the presence of the unit 6, there occurs:
● at time t1Assigning data X to variables V located in the data processing system 31And to carry out the triggering of the transfer of the data X from the data processing system 3 to the variable v located in the memory module 15 of the unit 61The branch command of (1), the branch command being OUT (v)1And X) represents a group of,
● at time t2Will vary the variable V1Is assigned to the value of the variable Y,
● and at time t3Execution triggers a variable v to reside in element 61Is transmitted to the processing data system 3 IN order to change it to a branch command of variable Z, IN (v)1) And (4) showing.
It should be noted that at least one copy of the variables resides in the unit 6 during execution of the protected software 2 p. Thus, when a portion of the first executed portion 2pes of the protected software 2p makes use of it and is present in the unit 6, said copy value of the variable residing in the unit 6 is transferred to the data processing system 3 for use by the first executed portion 2pes of the protected software 2p, to the extent that said portion is executed correctly, and therefore the protected software 2p is fully functional.
Fig. 43 illustrates an example of an execution attempt of the protected software 2p when the unit 6 is absent. In this example, during execution of the first execution part 2pes of the protected software 2p in the data processing system 3:
● at time t1Executing the branch command OUT (v) in view of the lack of cells 61X) does not trigger the transfer of data X to variable v1
● at time t2Executing the branch command IN (v) IN view of the absence of the unit 61) Can not trigger the variable v1Is transmitted to the data processing system 3,
● and at time t3Executing the branch command IN (v) IN view of the absence of the unit 61) Can not trigger the variable v1Is transmitted to the data processing system 3.
It is therefore clear that in the absence of unit 6, at least one request using a part of first execution part 2pes of a variable or copy of a variable residing in unit 6 cannot be fulfilled correctly, so that at least said part is executed incorrectly, and therefore protected software 2p is not fully functional.
It should be noted that the data transfer between the data processing system 3 and the unit 6 shown in the previous examples uses only simple allocations, while the skilled person will know how to combine them with other operations to obtain complex operations such as, for example, OUT (v) for example12X +3) or Z ← (5 · v)1+v2)。
According to another advantageous characteristic of the invention, the protection method is used to implement a protection principle called "temporary decomposition", the description of which will be carried out with reference to fig. 50 to 54.
To implement the protection principle by temporary decomposition, at least one algorithmic process is selected in the leaky software 2vs, using at least one operand and returning at least one result. At least one portion of the source of the software 2vs containing the leaks processed by the at least one selected algorithm is also selected.
At least one selected portion of the source of the compromised software 2vs is then modified to obtain a source of protected software 2 ps. This modification is wherein:
●, during execution of the protected software 2p, at least a part of the first execution part 2pes executed in the data processing system 3 takes into account the functionality of executing at least one selected algorithmic process in the unit 6,
●, during execution of the protected software 2p, the second execution part 2peu executing in unit 6 performs at least the functionality of at least one selected algorithmic process,
● during execution of the protected software 2p, each selected algorithmic process is divided into several different steps, namely:
-step 1: the operands are left free to be processed by the unit 6,
-step 2: the operands are used in unit 6 to perform the functionality of the selected algorithmic processing,
-and step 3: alternatively, the selected arithmetic processing result is freely processed by the data processing system 3 via the unit 6.
● define the step command to trigger the execution of the step,
● and selecting the step command order among the set of orders that allow execution of the protected software 2 p.
The first execution part 2pes of the protected software 2p executing in the data processing system 3 executes the step command triggered in the unit 6, each previously defined step being executed by the second execution part 2 peu. To protect the cell by means of a temporary decomposition, the unit 6 comprises a storage module 15 and a processing module 16.
FIG. 50 illustrates an example of executing a leaky software 2 v. In this example, during execution of the leaky software 2v, at some time, a calculation occurs in the data processing system 3 corresponding to Z ← F (X, Y) assigning the result of the algorithmic processing, expressed in function F and using operands X and Y, to Z.
Fig. 51 illustrates an example of an implementation of the present invention for remotely processing (remote) the selected algorithmic processing in fig. 50 in unit 6. In this example, during the execution of the first execution part 2pes of the protected software 2p in the data processing system 3 and in the presence of the unit 6, there occurs:
● at time t1In step 1, i.e. a step command CE is executed which triggers the transfer of data X and Y from data processing system 3 to storage areas X and Y, respectively, located in storage module 15 of unit 61Said step commands CE1Represented by OUT (X, X), OUT (Y, Y),
● at time t2Step 2, i.e. executing the step command CE in the trigger unit 62Through the secondThe execution section 2peu executes a function F which is algorithmically equivalent to the function F and the step command CE2And is represented by TRIG (f). More specifically, the execution step command CE2 causes the execution of a function f that uses the contents of storage areas x and y, and returns the result thereof to storage area z of unit 6,
● and at time t3Step 3, i.e. the execution of a step command CE triggering the transfer of the result of the function f contained in the memory area Z of the unit 6 to the data processing system 3 in order to assign it to the variable Z3Said step commands CE3Denoted by IN (z).
In the illustrated example, steps 1 to 3 are performed continuously. It should be noted that two improvements can be brought about:
● the first improvement relates to the case where several algorithmic processes are handled remotely in unit 6, and the results of using one algorithmic process are at least handled by another algorithm. In this case, some of the transfer steps can be eliminated.
● A second improvement relates to the selection of certain orders of step commands in the set of orders that allow execution of the protected software 2 p. In this respect, the step order of the temporarily decomposed executing steps is preferably selected by inserting between them the code portions executed in the data processing system 3 with or without step orders for determining other data. Fig. 52 and 53 illustrate the principle of such an embodiment.
Fig. 52 shows an example of executing the software 2v with a leak. In this example, during execution of the leaky software 2v, execution of the two algorithmic processes that result in the determinations of Z and Z ' occurs in the data processing system 3, so that Z ← F (X, Y) and Z ' ← F ' (X ', Y ').
Fig. 53 illustrates an example of an implementation of the method according to the invention for the remote processing in the unit 6 of the two algorithmic processes selected in fig. 52. According to this example, during the execution of the first execution part 2pes of the protected software 2p in the data processing system 3 and when the unit 6 is present, the execution corresponding to the confirmation as described above occursStep command CE for Z determination1、CE2、CE3And a step command CE corresponding to the determination of Z1’、CE2’、CE3'. As shown, the step command CE is discontinuously performed due to the insertion of the step commands CE1 'to CE 3' and other code portions1To CE3. In the example, the following sequence is thus performed: CE1Partial insertion code, CE2Partial insertion code, CE1', partial insertion code, CE2', partial insertion code, CE3', partial insertion code, CE3
It should be noted that during the execution of the protected software 2p, and when the unit 6 is present, each time a step command contained in a part of the first execution section 2pes of the protected software 2p makes use of it, a corresponding step is executed in the unit 6. Thus, it appears that in the presence of the unit 6, said portion is executed correctly, and therefore the protected software 2p is fully functional.
Fig. 54 illustrates an example of an execution attempt of the protected software 2p when the unit 6 is absent. In this example, during execution of the first execution part 2pes of the protected software 2p in the data processing system 3:
●, at time t1, taking into account the absence of cell 6, the step of executing commands OUT (X, X), OUT (Y, Y) cannot trigger the transfer of data X and Y to the respective memory areas X and Y,
●, at time t2, the execution step command trig (f) cannot trigger the execution of the function f, taking into account the absence of cells 6,
● and at time t3, the execution of the step command in (z) is unable to trigger the result of the transfer function f, taking into account the absence of a cell 6.
Thus, it appears that in the absence of the unit 6, at least one request that cannot correctly fulfill a part of the first execution portion 2pes triggers a step to be executed in the unit 6, so that at least said part is executed incorrectly, and therefore the protected software 2p does not function completely.
According to another advantageous characteristic of the invention, the protection method is used to implement a protection principle called "basic function", the description of which is carried out with reference to fig. 60 to 64.
To implement the protection principle by means of a basis function, the following is defined:
● basic function set, which basic functions are easily executable in unit 6 by means of the second execution part 2peu, and data may be transferred between the data processing system 3 and the unit 6,
● and a set of basic commands for said set of basic functions, which are easy to execute in the data processing system 3 and trigger the execution of the corresponding basic functions in the unit 6.
To implement the protection principle by means of a basic function, utilization means are also formed which allow to transform the blank cell 60 containing the memory module 15 and the processing module 16 into a cell 6 capable of executing the basic function whose execution is triggered by the execution of a basic command in the data processing system 3.
To implement the protection principle by means of a basic function, at least one algorithmic process is used which also selects in the source of the software 2vs that is vulnerable to faults, using at least one operand and returning at least one result. At least one portion of the source of the software 2vs containing the leaks processed by the at least one selected algorithm is also selected.
At least one selected part of the source of the compromised software 2vs is then modified in order to obtain a source of protected software 2 ps. Wherein the modification is such that:
●, during the execution of the protected software 2p, at least one part of the first execution part 2pes is executed in the data processing system 3 taking into account the functionality of the at least one selected algorithmic process executed in the unit 6,
●, during execution of the protected software 2p, the second execution part 2peu executing in unit 6 performs at least the functionality of at least one selected algorithmic process,
● separating each selected algorithm process for executionDuring the protection of the software 2p, each selected arithmetic processing is executed by the second execution section 2peu using the basic function. Preferably, each selected algorithmic process is divided into basis functions fen(where N varies from 1 to N), i.e.:
one or several basic functions allowing to set one or several operands for use by the unit 6,
-basic functions, some of which use operands and in combination perform the functionality of the selected algorithmic process using the operands,
-allowing, by means of the unit 6, to set one or several elementary functions for which the result of the selected algorithmic processing is submitted to the data processing system 3.
● selects the order of the basic commands from the set of orders that allow execution of the protected software 2 p.
The first execution part 2pes of the protected software 2p executing in the data processing system 3 executes the basic command CFE triggered in the unit 6n(where N is from 1 to N), each of the previously defined basic functions fe is executed by the second execution part 2peun
FIG. 60 illustrates an example of executing a leaky software 2 v. In this example, during execution of the leaky software 2v in the data processing system 3, at some point in time, there occurs a computation Z ← F (X, Y) corresponding to the assignment of the result of the algorithmic processing, expressed in function F and using operands X and Y, to Z.
Fig. 61 illustrates an example of an implementation of the invention for remotely processing the algorithmic processing selected in fig. 60 in unit 6. In this example, during the execution of the first execution part 2pes of the protected software 2p in the data processing system 3 and in the presence of the unit 6, there occurs:
● at time t1,t2Execution of the initial function CFE triggered in the unit 61、CFE2The provision of the transfer of data X, Y from the data processing system 3 to the storage located in the unit 6, respectively, is performed by the second execution part 2peuRespective basis functions fe of memory areas x, y in the module 151,fe2The basic command CFE1,CFE2Respectively represented by OUT (X, X), OUT (Y, Y),
● at time t3To tN-1Execution of the basic command CFE triggered in the unit 63To CFEN-1The corresponding basic function fe is executed by the second execution part 2peu3To feN-1Using TRIG (fe) respectively3) To TRIG (fe)N-1) Representing the basic command CFE3To CFEN-1. Combining the performed basic functions fe3To feN-1The sequence is algorithmically equivalent to the function F. More precisely, the execution of said elementary commands results in the execution in the unit 6 of an elementary function fe using the contents of the memory areas x, y and returning the result to the memory area z of the unit 63To feN-1
● and at time tNExecution of the basic command CFE triggered in the unit 6NThe basic function fe providing the result of the algorithmic processing contained in the memory area z of the unit 6 to be transferred to the data processing system 3 is executed by the second execution means 2peuNIn order to assign it to the variable Z, the basic command CFENDenoted by IN (z).
In the illustrated example, the basic commands 1 to N are executed consecutively. It should be noted that two improvements can be brought about:
● the first improvement involves remotely processing the results of several algorithmic processes in unit 6 and at least one algorithmic process used by another algorithm. In this case, some of the basic commands that can be used for transmission can be removed.
● the second improvement is directed to selecting the relative order of the basic commands in the set of orders that allow execution of the protected software 2 p. In this respect, the basic command order for temporarily decomposing the execution of the basic function is preferably selected by interposing between them the code portions executed in the data processing system 3 and the basic commands including or not including the basic commands for determining other data. Fig. 62 and 63 illustrate the principle of such an embodiment.
Fig. 62 shows an example of executing the software 2v with a leak. In this example, during execution of the leaky software 2v, execution of the two algorithmic processes that result in the determinations of Z and Z 'occurs in the data processing system 3, so that Z ← F (X, Y) and Z' ← (X ', Y').
Fig. 63 illustrates an example of implementation of the method of the invention according to the remote processing in unit 6 of the two algorithmic processes chosen in fig. 62. According to this example, during the execution of the first execution part 2pes of the protected software 2p in the data processing system 3 and when the unit 6 is present, as described above, the execution of the basic command CFE corresponding to the determination Z occurs1To CFENAnd executing the basic command CFE corresponding to the determination Z1' to CFEM'. As shown, because the basic command CFE is inserted1' to CFEM' and other parts of code, not to continuously execute basic commands CFE1To CFEN. In this example, the following sequence, CFE, is thus performed1Partial insertion code, CFE1’、CFE2Partial insertion code, CFE2’、CFE3', partial insertion code, CFE4’、CFE3、CFE4、...、CFEN、CFE’M
It should be noted that during the execution of the protected software 2p, and when the unit 6 is present, each time a basic command contained in the portion of the first execution section 2pes of the protected software 2p makes use of it, a corresponding basic function is executed at the unit 6. Thus, it appears that in the presence of the unit 6, said portion is executed correctly, and therefore the protected software 2p is fully functional.
Fig. 64 illustrates an example of an attempt to execute the protected software 2p when the unit 6 is absent. In this example, during the execution of the first execution part 2pes of the protected software 2p in the data processing system 3, at each instant of time the execution of the elementary commands cannot trigger the execution of the corresponding elementary functions, because the unit 6 is missing, and therefore the value assigned to the variable Z is correctly determined.
Thus, it appears that in the absence of the unit 6, a part of the first execution part 2pes of the protected software 2p cannot be correctly fulfilled to trigger at least one request for the execution of the basic function in the unit 6, so as to incorrectly execute at least said part, and therefore the protected software 2p is not fully functional.
According to another advantageous characteristic of the invention, the protection method is directed to implementing a protection principle called "detection and enforcement", the description of which will be carried out with reference to fig. 70 to 74.
To implement the protection principle by detection and enforcement, the following is defined:
● are at least partially susceptible to at least one software execution characteristic being monitored in element 6,
● at least one criterion followed by at least one software execution characteristic,
● detection module 17 implemented in unit 6 and allowing the detection of at least one software execution characteristic that does not respect at least one relevant criterion,
● and enforcement module 18 implemented in unit 6 and allows notification to the data processing system 3 and/or modification of the execution of the software when at least one criterion is not observed.
To implement the protection principle by detection and enforcement, a utilization module is also constructed that allows to convert the blank unit 60 containing the memory module 15 and the processing module 16 into a unit 6 implementing at least the detection module 17 and the enforcement module 18.
Fig. 70 illustrates the modules required to implement this protection principle by detection and enforcement. The unit 6 comprises a detection module 17 and a forcing module 18 belonging to the processing module 16. The enforcement module 18 is informed by the detection module 17 that the criterion is not complied with.
More precisely, the detection module 17 uses the information coming from the transfer module 13 and/or from the storage module 15 and/or from the processing module 16 in order to monitor one or several software execution characteristics. At least one criterion to be observed is set for each software execution characteristic.
Upon detecting that at least one software execution characteristic does not comply with at least one criterion, detection module 17 notifies enforcement module 18 of this. The forcing module 18 is also used to modify the state of the unit 6 in an appropriate manner.
In order to realize the protection principle through detection and enforcement, the following steps are also selected:
●, to monitor software execution characteristics subject to monitoring,
● for at least one selected software execution characteristic,
●, in the source of the software 2vs, which has a leak, at least one algorithmic process monitoring at least one software execution characteristic thereof,
● and at least one of the parts contains at least one selected algorithmic process in the source of the software 2 vs. holes.
At least one selected portion of the source of the compromised software 2vs is then modified to obtain a source of protected software 2 ps. This modification is during execution of the protected software 2p, where:
● at least a part of the first execution part 2pes being executed in the data processing system 3 takes into account at least one selected software execution characteristic to be monitored at least partly in the unit 6,
● and a second execution section 2peu executing in unit 6 at least partially monitors the selected software execution characteristics.
During the execution of the protected software 2p protected by this protection principle of detection and enforcement, and when the unit 6 is present:
● are to be able to cause said modified part of protected software 2p to be nominally acted upon, so as to cause said protected software 2p to be acted upon,
● and if at least one criterion corresponding to a monitored execution characteristic of the portion of protected software 2p is not observed, informing the data processing system 3 and/or modifying the functionality of the portion of protected software 2p in order to modify the functionality of the protected software 2 p.
Of course, in the absence of the unit 6, a part of the first execution part 2pes of the protected software 2p cannot be correctly fulfilled to use at least one request of the unit 6 in order to incorrectly execute at least one of said parts, and therefore the protected software 2p is not fully functional.
To implement the protection principle by detection and enforcement, two software implementation features are preferably used.
A first type of software execution characteristic corresponds to a variable of a metric of software execution and a second type corresponds to a profile of software usage. The two characteristics can be used independently or in combination.
To use the variables of the metrics of the software execution as execution characteristics, by detecting and enforcing the protection principle, the following are defined:
●, in the storage module 15, the probability of at least one variable used to quantify the measure of use of at least one functionality of the software,
● in the detection module 17, the probability of at least one threshold value relating to the variable of each metric is monitored,
● and the implementation modules that allow updating the variables of each metric based on the use of each functionality associated therewith.
Besides the detection module 17 and the forcing module 18, a utilization module is also formed which implements the implementation module.
In the source of the software 2vs with the holes, the following are also selected:
●, the use of which is easily monitored,
● used to quantify the variance of at least one measure of the usage of the functionality,
● at least one threshold value related to a variable corresponding to a measure of a limit of use of the functionality,
● and at least one method of updating variables of the metrics based on the use of the functionality.
The source of the compromised software 2vs is then modified to obtain the source of the protected software 2ps, this change being during the execution of the protected software 2p, the second execution 2 peu:
● implement variables of the metrics based on the use of the functionality,
● and considering at least one threshold crossing.
In other words, during the execution of the protected software 2p, the variables of the metrics are updated according to the use of said functionality, and when the threshold is crossed, the detection module 17 informs the enforcement module 18 to make an appropriate decision to inform the data processing system 3 and/or to modify the processing performed by the processing module 16, the processing module 16 allowing the modification of the functionality of the portion of the protected software 2p in order to modify the functionality of the protected software 2 p.
To implement a first preferred different embodiment of the protection principle using the variables of the metrics as characteristics, by detection and enforcement, it is defined that:
● several correlation thresholds for at least one variable of the metric,
● and a different enforcement module corresponding to each of the thresholds.
In the source of the software 2vs with the holes, the following are also selected:
● is used to quantify the usage of at least one functionality of the software and must be at least one variable of a measure of several thresholds corresponding to the correlation of different limits of the usage of said functionality,
● and at least two thresholds related to the variables of the metric.
The source of the compromised software 2vs is then modified to obtain the source of the protected software 2ps, this modification being such that, during the execution of the protected software 2p, the second execution part 2 peu:
● implement variables of the metrics based on the use of the functionality,
● and to account for crossing of various thresholds differently.
In other words, in general, during the execution of the protected software 2p, when the first threshold is crossed, the unit 6 informs the data processing system 3 to command the protected software 2p to no longer use said functionality. The second threshold may be crossed if the protected software 2p continues to use the functionality. In case the second threshold is crossed, forcing module 18 can deactivate the selected functionality and/or deactivate protected software 2 p.
To implement a second preferred variant embodiment of the protection principle by using a variable of a metric as detection and enforcement of a characteristic, a complementary module is defined that allows to trust (credit) at least one software functionality monitored by the variable of the metric by at least one further use.
In addition to the detection module 17, the forcing module 18 and the enforcement module, a utilization module is also constructed that implements a retrofit module.
In the source of the vulnerable software 2vs, at least one variable is also selected which is used to limit the usage of at least one functionality of the software and which has to be trusted by at least one further usage.
The source of the compromised software 2vs is then modified to obtain a source of protected software 2ps, this modification being to enable trust in at least one further use of at least one functionality of the variable corresponding to the selected metric during the call supplement phase.
During the complementary phase, a re-realization of at least one selected variable of the metric and/or at least one associated threshold is performed, so as to allow at least one further use of the respective functionality. In other words, during the complementary phase, the further use of at least one functionality of the protected software 2p may be trusted.
In order to implement the protection principle by using a profile utilized by software as detection and enforcement of a characteristic, at least one feature executed by the software is defined as a criterion to be observed for said utilized profile.
In the source of the software 2vs with the holes, the following are also selected:
● at least one is monitored with a profile,
● and at least one selected performance characteristic to which the utilization profile must comply.
The source of the compromised software 2vs is then changed to obtain the source of the protected software 2ps, this modification being that the second execution part 2peu complies with the selected execution characteristics during execution of the protected software 2 p. In other words, without respecting at least one execution characteristic, the unit 6 itself monitors the way in which the second execution part 2peu executes and can inform the data processing system 3 and/or modify the functionality of the protected software 2 p.
During the execution of the protected software 2p protected by this principle, when the unit 6 is present:
●, the modified part of protected software 2p functions nominally, so that the protected software 2p functions nominally,
● and if at least one execution characteristic of a portion of the protected software 2p is not observed, notifying the data processing system 3 and/or modifying the functionality of the portion of the protected software 2p so as to modify the functionality of the protected software 2 p.
Monitoring different execution characteristics can be considered, such as monitoring for the presence of instructions including a flag or monitoring for execution links for at least a portion of the instructions.
To implement a protection principle by detection and enforcement of execution characteristics using monitoring of execution links for at least a part of instructions as compliance, it is defined that:
● instruction set, the instructions of which are easy to execute in unit 6,
● for the set of instructions, which are easy to execute in the data processing system 3. Execution of each instruction command in the data processing system 3, triggers execution of the corresponding instruction in the unit 6,
● allow the detection module 17 detecting the instruction link not corresponding to the expected one,
● and enforcement module 18 for allowing notification to the data processing system 3 and/or modification of execution of the software when the instruction linkage does not correspond to the expected one.
A utilization module is also constructed which allows the unit 6 to also execute the instructions of the instruction set, the execution of which is triggered by the execution of instruction commands in the data processing system 3.
At least one algorithmic process that has to be processed remotely in the unit 6 and that will monitor the linking of at least a part of the instructions is also selected in the compromised software 2 vs.
The source of the compromised software 2vs is then modified to obtain the source of the protected software 2ps, this modification being during the execution of the protected software 2 p:
● second executive component 2peu performs at least the functionality of the selected algorithmic processing,
● break the selected algorithmic processing into multiple instructions,
● specify the links at least some of the instructions must adhere to during their execution in unit 6,
● and the first execution part 2pes of the protected software 2p execute instruction commands that trigger the execution of instructions in the unit 6.
During the execution of the protected software 2p protected by this principle, in the presence of the unit 6:
●, said modified part of protected software 2p is functioning nominally, so that protected software 2p is functioning nominally,
● and if the instruction linkage of the part of the protected software 2p executing in unit 6 does not correspond to the expected one, informing the data processing system 3 and/or modifying the functionality of the part of the protected software 2p in order to modify the functionality of the protected software 2 p.
FIG. 71 illustrates an example of implementing the protection principle by detection and enforcement using an execution link monitoring at least a portion of the instructions as an execution feature of adherence in the case of adherence to the intended link.
Execution of the first execution part 2pes of the protected software 2p executed in the data processing system 3 triggers execution of the instruction i belonging to the instruction set in the unit 6iCommand CIi. In the instruction set, each of at least some of the instructions includes a portion defining the functionality of the instruction and a portion allowing verification of a portion of intended links for executing the instruction. In this example, TRIG (i) is usedi) Presentation instruction command CIiAnd the expected link for executing the instruction is in、in+1And in+2. Execution of instruction i in unit 6nGiving result a and executing instruction in+1Giving the result b. Instruction in+2As operand, instruction inAnd in+1The results a and b and their execution give the result c.
It is considered that said instruction link executed in the unit 6 corresponds to the expected one, which results in the normal or nominal function of the protected software 2 p.
FIG. 72 illustrates an example of implementing the protection principle by detection and enforcement using an execution link monitoring at least a portion of these instructions as an execution feature for adherence without adherence to the intended link.
According to this example, the expected link for executing the instruction is still in、in+1And in+2. However, by using instruction in' instead of instruction inModifying the execution link so that the actual executed link is in、in+1And in+2. The execution instruction in' gives the result a, i.e. the result is compared with the execution instruction inThe same result. However, instruction i is being executed at the latestn+2Meanwhile, the detection module 17 detects the instruction in' not corresponding to generating for instruction in+2The expected instruction of result a of the operation of (a). The detection module 17 informs the enforcement module 18 about this and modifies the instruction i accordinglyn+2To execute instruction in+2Giving a result c' that can differ from c. Of course, if instruction i is executedn' given a different instruction from inResult a' of result a, obviously instruction in+2The result of (c) is also different from c.
Since the execution chain of the instructions executed in the unit 6 does not correspond to the intended one, an improvement of the functionality of the protected software 2p can be obtained.
Fig. 73 and 74 illustrate different preferred embodiments of the protection principle by detection and enforcement that will monitor the execution characteristics of at least a portion of the instructions for execution linkage action compliance. According to this preferred variant embodiment, an instruction set is defined, at least some of which work with registers and use at least one operand for returning results.
As shown in fig. 73, at least some of the instructions working with the registers are defined, a portion RF defining the functionality of the instructions and a portion PE defining the intended linkage for executing the instructions. The part PF corresponds to an operation code known to the skilled person. The partial PEs define the intended links, including bit fields corresponding to:
● instruct the CII's identification field,
● and each operand K for an instruction, where K is from 1 to K, and K instruction operands:
-a flag field CDkIndicating whether it is appropriate to check the start of operand K,
-and expected identification field of operand CIPkIndicating the expected identification of the instruction that has generated the contents of operand k.
As shown in FIG. 74, the instruction set includes V registers, each referred to as R, belonging to the processing module 16vWherein V is from 1 to V. For each register RvTwo fields are defined, namely:
● function field CF known to the skilled personvAnd allows the results of the instruction execution to be stored,
● and generated identification field CIGvAllowing storage of already generated function fields CFvAn identification of an instruction of content of. By having generated the function field CFvThe content of the identification field of the instruction CII, automatically updating the generated identification field CIGv. The generated identification field CIGvNeither accessible nor modifiable by any instruction and is used only for the detection module 17.
During execution of the instruction, for each operand k, the detection module 17 performs the following operations:
● reading the flag field CDk
● if flag field CDkWith which the expected identification field CIP corresponding to the register used by operand k is read simultaneouslykAnd the generated identification field CIGv
● check two fields CIPkAnd CIGvThe equation (c) of (a) is,
● and if the equation is false, the detection module 17 considers that the instruction's execution linkage is not followed.
Forcing module 18 allows modifying the instruction result when detection module 17 has informed that they do not obey the instruction linkage. The preferred embodiment is performed by modifying the functional part PF of the currently executed instruction or the functional part RF of the instruction following it.
According to another advantageous characteristic of the invention, the protection method is directed to implementing a protection principle called "renaming", which will be described with reference to fig. 80 to 85.
To implement the protection principle by renaming, define:
● A set of correlation functions (dependent functions) is easily executable in the unit 6 by the second execution part 2peu, and data can be transferred between the data processing system 3 and the unit 6, said set of correlation functions can be limited or unlimited,
● for said correlation function, said trigger command being apt to be executed in the data processing system 3 and triggering the execution of the corresponding correlation function in the unit 6,
●, the order (order) of each trigger command corresponds at least in part to the information conveyed by the first execution part 2pes to the second execution part 2peu for triggering the execution of the corresponding associated function, the order having the form of at least one argument of the trigger command,
●, which is designed as a renaming method of the orders used during the modification of the software 2v with holes, which allows to rename these orders in order to obtain, by renaming the orders, a trigger command that allows to cancel the identity of the corresponding related function,
● and a recovery module 20 designed to be used in the unit 6 during the use phase and allowing the recovery of the original order by the renamed order in order to resume the execution of the correlation function.
To implement the protection principle by renaming, a utilization module is also constructed which converts the blank unit 60 containing the memory module 15 and the processing module 16 into a unit 6 implementing at least the recovery module 20.
In order to realize the protection principle through renaming, the following steps are also selected in the leaky software 2 vs:
● at least one algorithmic process using at least one operand and returning at least one result,
● and a source of at least a portion of the compromised software 2vs containing at least one selected algorithmic process.
The source of the compromised software 2vs is then modified to obtain the source of the protected software 2 ps. This modification is where:
●, during the execution of the protected software 2p, at least a part of the first execution part 2pes executed in the data processing system 3 takes into account the functionality of executing at least one selected algorithmic process in the unit 6,
●, during execution of the protected software 2p, the second execution part 2peu executing in unit 6 performs at least the functionality of at least one selected algorithmic process,
● to execute each selected algorithmic process during execution of the protected software 2p by means of the second execution part 2peu using the associated function. Preferably, each selected algorithmic process is divided into a correlation function fdn(where N is from 1 to N), i.e.:
-setting one or several correlation functions of one or several operands for use by the unit 6,
-correlation functions, some of which use operands and use said operands, in combination with a functionality to perform a selected algorithmic process,
and possibly one or several correlation functions allowing to set the result of the selected algorithmic processing by means of the unit 6 to be used by the data processing system 3,
● during execution of the protected software 2p, the second execution part 2peu executes the dependent function fdn
●, during execution of the protected software 2p, by triggering the correlation function with a rename order trigger command,
● selects the order of the trigger commands in the set of orders that allow execution of the protected software 2 p.
The first execution part 2pes of the protected software 2p executing in the data processing system 3 executes the trigger command by passing the rename order to the reorder order of the unit 6 and triggers the restore order in the unit 6 by the restore module 20, and then executes each of the previously defined dependent functions fd by the second execution part 2peun
In other words, the protection principle by renaming is performed by renaming the order of the trigger commands, so that by renaming the trigger commands executed in the data processing system 3, the execution of the dependent functions already triggered by the trigger commands through the unnamed order is triggered in the unit 6, however, the protection functions 2p allowing the determination of the characteristics of the executed dependent functions are not examined.
FIG. 80 illustrates an example of performing a leaky function 2 v. In this example, during execution of the leaky software 2V in the data processing system 3, at some point in time a calculation Z ← F (X, Y) occurs corresponding to the assignment of the result of the processing to the variable Z with the function F and the algorithm represented using the operands X and Y.
Fig. 81 and 82 illustrate examples of implementations of the present invention.
FIG. 81 illustrates a partial implementation of the present invention. In this example, during the execution of the first execution part 2pes of the protected software 2p in the data processing system 3, and when the unit 6 is present, there occurs:
● at time t1,t2Executing the trigger command CD1、CD2Which triggers the execution in unit 6, by means of second execution part 2peu, of a corresponding correlation function fd providing transfer of data X, Y from data processing system 3 to storage areas x, y, respectively, located in storage module 15 of unit 61,fd2Said trigger command CD1、CD2Denoted by OUT (X, X) and OUT (Y, Y), respectively,
● at time t3To tN-1Executing the trigger command CD3To CDN-1Which triggers the execution of the corresponding correlation function fd in unit 6 by means of the second execution part 2peu3To fdN-1Said trigger command CD3To CDN-1Using TRIG (Fd) respectively3) To TRIG (fd)N-1) And (4) showing. In connection with the execution of the correlation function FD3To FDn-1Is algorithmically equivalent to the function F. More precisely, the execution of said trigger command results in the execution in the unit 6 of a correlation function fd using the contents of the memory areas x, y and returning the result to the memory area z of the unit 63To fdN-1
● and at time tNExecuting the trigger command CDNWhich triggers the execution, in the unit 6, of the result of the processing of the algorithm provided for inclusion in the memory area Z of the unit 6, transmitted to the data-processing system 3, by means of the second execution part 2peu, in order to assign it to the function fd of relevance of the variable ZNThe command is denoted by IN (z).
IN this example, the first argument of the trigger command OUT and the arguments of the trigger commands TRIG and IN are selected as an order for the complete implementation of the invention. The order selected in this way is renamed using a renaming method of order. In this way, the trigger command CD is renamed1To CDNIn the order of (1), i.e., x, y, fd3,fdN-1Z to obtain R (x), R (y), R (fd), respectively3)...,R(fdN-1)、R(z)。
FIG. 82 illustrates an overall implementation of the present invention. In this example, during the execution of the first execution part 2pes of the protected software 2p in the data processing system 3, and when the unit 6 is present, there occurs:
● at time t1,t2By renaming the order CDCR1、CDCR2Executing a trigger command, transmitting the renaming order R (x), R (y) to the unit 6, triggering in the unit 6 the restoration of the renaming times by means of the restoration module 20In order to restore the order, i.e. the identity of the storage areas X, Y, and then to perform the corresponding correlation function fd providing the transfer of data X, Y from the data processing system 3 to the storage areas X, Y, respectively, located in the storage module 15 of the unit 6, by means of the second execution part 2peu1,fd2CDCR with renaming order1、CDCR2Are denoted by OUT (r (X), OUT (r (Y), respectively.
● at time t3To tN-1By renaming the order CDCR3To CDCRN-1, execute the trigger command, rename the order R (fd)3) To R (fd)N-1) Is passed to the unit 6, where the restoration of the order by the restoration module 20 is triggered, i.e. fd3To fdN-1Then, by the second execution section 2peu, the correlation function fd is executed3To fdN-1CDCR with renaming order3To CDCRN-1Respectively using TRIG (R (fd)3) To TRIG (R (fd))N-1) Is) to indicate that,
● at time tN-1By renaming the order CDCRNExecuting a trigger command to transfer the renaming order r (z) to the unit 6, triggering in the unit 6 the restoration of the order, i.e. the characteristics of the storage area z, by the restoration module 20, and then the execution of the correlation function fd by the second execution part 2peu providing the result of the algorithmic processing contained in the storage area z of the unit 6 to the data processing system 3NTo assign it to variable Z, with a rename order CDCRNIs denoted by IN (r (z)).
In the example shown, trigger commands with rename orders 1 to N are executed consecutively. It should be noted that two improvements can be made:
● the first improvement relates to the situation where unit 6 processes several algorithmic processes remotely and the results of using one algorithmic process are at least processed by another algorithm. In this case, some trigger commands with rename order for transfer may be removed.
● A second improvement is directed to selecting the relative order of trigger commands in the order set that allows execution of the protected software 2 p. In this respect, the order of the trigger commands with rename order that are temporarily out of order for executing the associated function is preferably selected by inserting between them portions of code that execute in the data processing system 3 and including or not including trigger commands with rename order for determining other data. Fig. 83 and 84 illustrate the principle of such an embodiment.
Fig. 83 shows an example of executing the software 2p with a leak. In this example, during execution of the leaky software 2p, the execution of two algorithmic processes resulting in the determination of Z and Z ' occurs in the data processing system 3, such as Z ← F (X, Y) and Z ' ← F ' (X ', Y ').
Fig. 84 illustrates an example of an implementation of the method according to the invention of the unit 6 remotely processing the two algorithmic processes selected in fig. 83. According to this example, during the execution of the first execution part 2pes of the protected software 2p in the data processing system 3 and in the presence of the unit 6, as described above, the CDCR with rename order corresponding to the determination Z is executed1To CDCRNAnd executing a CDCR having a rename order corresponding to the determination of Z1' and CDNRM' trigger command. As shown, CDCR with renaming order is performed discontinuously1To CDCRNBecause a CDCR with a renaming order is inserted1To CDCRM' and other code portions. In this example, the following sequence, CDCR, is thus performed1Inserting code portions, CDCR1’、CDCR2Code insertion part, CDCR2’、CDCR3', inserted code portion, CDCR4’、CDCR3、CDCR4、...、CDCRN、CDCR’M
It should be noted that during the execution of a part of the first execution part 2pes of the protected software 2p, the trigger command with rename order executed in the data processing system 3 triggers in the unit 6 the restoration of the characteristics of the respective related functions and then their execution. Thus, in the presence of the unit 6, it appears that the portion is executed correctly, and therefore the protected software 2p is fully functional.
Fig. 85 illustrates an example of an attempt to execute the protected software 2p when the unit 6 is absent. In this example, during the execution of the first execution part 2pes of the protected software 2p in the data processing system 3, the execution of a trigger command with rename order at each instant of time can neither trigger the recovery order nor the corresponding correlation function, because of the absence of the unit 6. Therefore, the value assigned to the variable Z cannot be determined correctly.
Thus, the failure to correctly fulfil a part of the first execution part 2pes of the protected software 2p in the absence of the unit 6 triggers the restoration of the order and at least one request for the execution of the related function in the unit 6, so that at least said part cannot be correctly executed, and therefore the protected software 2p does not function completely.
Due to this protection principle by renaming, the check in the protected software 2p with trigger commands in rename order cannot determine the nature of the related function that has to be executed in the unit 6. It should be noted that the renaming of the order is performed during the modification of the vulnerable software 2v to the protected software 2 p.
According to a variant of the protection principle by renaming, a family of correlation functions is defined that are algorithmically equivalent for at least one correlation function but are triggered by different trigger commands with a renaming order. According to this variant, for at least one algorithmic process using correlation functions, said algorithmic process is divided into a plurality of correlation functions, wherein at least one of them is replaced by correlation functions of the same family, instead of keeping several occurrences of the same function. To this end, the trigger commands with rename order are modified to take into account the replacement of the correlation functions with correlation functions of the same family. In other words, two correlation functions of the same family have different orders, and therefore it is not possible to have different trigger commands in rename order, and to find out that said correlation functions are algorithmically equivalent by checking the protected software 2 p.
According to a different first preferred embodiment of the protection principle by renaming, a family of algorithmically equivalent correlation functions is defined for at least one correlation function for execution in unit 6 by linking the noise field to information defining the functional part of the correlation function.
According to a different second preferred embodiment of the protection principle by renaming, a family of algorithmically equivalent correlation functions is defined for at least one correlation function by using an identification field.
According to a different preferred embodiment of the protection principle by renaming, the encryption method that allows the encryption order in order to transform them into a renaming order is defined as the method of renaming order. Remember the renaming of the order of execution during the protection phase P. For this preferred variant, the recovery module 20 is a module implementing a decryption method that allows the decryption of the renamed order, thus recovering the identity of the associated function for execution in the unit 6. The recovery module is implemented in the unit 6 and can be a software or hardware attribute. The recovery module is required to execute the relevant function each time a trigger command with a rename order is executed in the data processing system 3 for triggering in the unit 6 during the use phase U.
According to another advantageous characteristic of the invention, the protection method is directed to implementing a protection principle called "conditional branching", which will be described with reference to fig. 90 to 92.
To implement the protection principle by conditional branches, at least one conditional branch BC is selected in the source of the software 2vs with holes. At least a part of the source of the compromised software 2vs containing at least one selected conditional branch BC is also selected.
At least one selected portion of the source of the compromised software 2vs is then modified to obtain a source of protected software 2 ps. This modification is during execution of the protected software 2p, where:
● at least one part of the first execution part 2pes, which is executed in the data processing system, allows for the functionality of executing at least one selected conditional branch BC in the unit 6,
● and a second execution part 2peu, which executes in unit 6, performs at least the functionality of the at least one selected conditional branch BC and leaves free a piece of information by the data processing system 3 that allows the first execution part 2peu to continue its execution at the selected point.
The first execution part 2pes of the protected software 2p executing in the data processing system 3 executes a conditional branch command which triggers in the unit 6 the execution by the second execution part 2peu of a remote processing conditional branch BC whose functionality is equivalent to that of the selected conditional branch BC. To implement the protection principle by conditional branching, the unit 6 comprises a memory module 15 and a processing module 16.
FIG. 90 illustrates an example of executing a leaky software 2 v. In this example, during execution of the compromised software 2v in the data processing system 3, at some point in time, there occurs a point at which the compromised software 2v is indicated to continue its execution, i.e., three possible points B1、B2Or B3A conditional branch BC of one of. It must be understood that conditional branch BC taken at point B1、B2Or B3The decision to continue executing the software.
Fig. 91 illustrates an example of implementation of the invention of the selected conditional branch corresponding to conditional branch BC remotely processed by unit 6. In this example, when the first execution part 2pes of the protected software 2p is executed in the data processing system 3 and the unit 6 is present, there occurs:
● at time t1Executing conditional branch command CBC1Which triggers the execution in unit 6 of a remote processing conditional branch BC, algorithmically equivalent to conditional branch BC, by means of a second execution part 2peu, said conditional branch commanding CBC1Expressed in terms of TRIG (bc),
● and at time t2The first execution part 2pes will be allowed to be at the selected point, point B1、B2Or B3The information to continue its execution is transmitted from the unit 6 to the data processing system 3.
It should be noted that during execution of a part of the first execution portion 2pes of the protected software 2p, a conditional branch command executed in the data processing system 3 triggers execution of a corresponding remote processing conditional branch in the unit 6. Thus, it appears that in the presence of the unit 6, said portion is executed correctly, and therefore the protected software 2p is fully functional.
Fig. 92 illustrates an example of an attempt to execute the protected software 2p when the unit 6 is absent. In this example, during execution of the first execution part 2pes of the protected software 2p in the data processing system 3:
● at time t1Conditional branch command CBC is executed in view of the lack of cell 61The execution of the remote processing conditional branch bc cannot be triggered,
● and at time t2The piece of information allowing the first executing part 2pes to execute at the selected point is transmitted in view of the absence of the unit 6.
Thus, the failure to correctly fulfill a part of the first execution part 2pes, occurring in the absence of the unit 6, triggers the execution of at least one request of a conditional branch of the remote processing in the unit 6, so that at least said part is executed incorrectly, and the protected software is therefore not fully functional.
In the previous description relating to fig. 90 to 92, the subject of the invention is the remote processing of conditional branches in the unit 6. Of course, the preferred embodiment of the invention is carried out by remotely processing in the unit 6 a series of conditional branches whose overall functionality is equivalent to that of all the conditional branches that have been remotely processed. Executing the full functionality of the sequence of remote processing conditional branches results in setting a piece of information that allows the first executing part 2pes of the protected software 2p to continue its execution at the selected point for use by the data processing system 3.
In the preceding description with reference to fig. 40 to 92, six different software protection principles have been clearly described independently of one another. The protection method according to the invention is implemented by using the protection principle by variables, possibly in combination with one or several other protection principles. In the case of a compensation of the protection principle by a variable by implementing at least one further protection principle, the protection principle by a variable is advantageously compensated by a temporarily decomposed protection principle and/or by a protection principle of a basis function.
And when the protection principle by temporal decomposition is also implemented, it is in turn turned to supplement it by the protection principle of the basis function and/or by the protection principle of the conditional branch.
And when the protection principle by the basis function is also implemented, it is in turn the turn to supplement it by the detection and enforcement protection principle and/or by the renaming protection principle and/or by the conditional protection principle.
And when the protection principle by detection and enforcement is also implemented, it is in turn the turn to supplement it by the protection principle by renaming and/or by the protection principle by conditional branching.
And when the protection principle by renaming is also implemented, it is in turn turned to supplement it by the protection principle by conditional branching.
According to a different preferred embodiment, the protection principle by variables is supplemented by protection principles by temporal decomposition, by protection principles by basis functions, by detection and enforcement, by renaming, by conditional branching.
In the case of applying the protection principle, complementary to that by a variable, the previously completed description thereof must include the following improvements in view of its combined realization:
● must understand the concept of the vulnerable software to protect the principle being described. Thus, having applied the protection principles to the vulnerable software, the reader must interpret the expression "vulnerable software" as the expression "software protected by the already applied protection principles";
● the concept of protected software must be understood as software that is protected by the protection principles being described. Thus, having applied the protection principle, the reader must interpret the expression "protected software" as the expression "new version of protected software";
● and the choice made to implement the protection principle being described must be taken into account in the choice made to implement the protection principle already applied.
The remaining description allows a better understanding of the implementation of the protection method according to the invention. As more precisely shown in the diagram 100, this protection method according to the invention consists of:
● first, a protection phase P, during which the leaky software is modified to become protected software 2P,
● second, phase U is used, during which the protected software 2p is used. During this phase U:
in the presence of the unit 6, each time a part of the first execution part 2pes executing in the data processing system 3 makes use of it, the functionality that is made use of is executed in the unit 6 in order to execute said part correctly, so that the protected software 2p is fully functional,
in the absence of the unit 6, although a part of the first execution part 2pes requests to perform a functionality in the unit 6, said request cannot be fulfilled correctly, so that at least said part is executed incorrectly, and thus the protected software 2p does not function completely,
● and possibly a supplementary phase R during which variables of the metrics are used as characteristics, trusting at least one further use of the functionality protected by the second preferred variant embodiment implementing the detection and enforcement protection principle.
The protection phase P can be divided into two protection sub-phases P1And P2. Is called atPre-protection sub-phase P1The first phase of (2) occurs independently of the protected, leaky software 2 v. Called the subsequent protection sub-phase P2Second phase P of2Relating to protected, leaky software 2 v. It should be noted that the preceding protection sub-phase P can advantageously be performed by two different persons or in two different ways1And a next protection sub-phase P2. For example, the pre-protection sub-phase P is performed by a person or company providing the development of the software protection system1And the next protection sub-phase P is executed by the person or company providing the claimed software development2. Of course, the pre-protection sub-phase P can also be performed by the same person or team1And a next protection sub-phase P2As will be apparent.
Preceding protection sub-phase P1By several stages S for different tasks or jobs to be performed11、....、S1iAnd (4) forming.
This preceding protection sub-phase P1Is called the "definition stage S11", at this definition level S11
● selecting:
the type of unit 6, i.e. in particular a storage unit or a processing and storage unit. In the example shown, the chip card reader 8 and the chip card 7 associated with the reader can be selected as the unit 6,
and transfer modules 12, 13 designed to be implemented in the data processing system 3 and in the unit 6, respectively, capable of providing, during a phase of use U, a transfer of data between the data processing system 3 and the unit 6,
● and when the protection method according to the invention implements the protection principle by means of a basic function, it also defines:
a set of basic functions, the basic functions of which are easy to execute in the unit 6,
and a set of basic commands for said set of basic functions, said basic commands being susceptible of being executed in the data processing system 3 and triggering the execution of the basic functions in the unit 6,
● and when the protection method according to the invention implements the protection principle by detection and enforcement, it also defines:
at least one software execution characteristic susceptible to be monitored at least partially in the unit 6,
-at least one criterion by which at least one software execution characteristic complies,
a detection module 17 implemented in the unit 6, allowing to detect that at least one software execution characteristic does not comply with at least one relevant criterion,
and a forcing module 18 implemented in unit 6, allowing to notify data processing system 3 and/or modify the execution software when at least one criterion is not observed,
● and in the case where the protection method according to the invention implements the protection principle by detection and enforcement, using as characteristics variables of the metrics of the software execution, it will also:
-the variables of the measure of use of the functionality of the software are defined as software execution characteristics that are easy to monitor,
defining at least one threshold value relating to the variables of each metric as a criterion of adherence,
-and an enforcement module defining variables allowing to update at least one metric,
● and in the case where the protection method according to the invention also implements, as a property, a first preferred different embodiment by means of a detection and enforcement protection principle, using the variables of the metrics of the software implementation, further defines:
several correlation thresholds for variables of at least one metric,
-and a different forcing module corresponding to each of said threshold values,
● and in the case where the protection method according to the invention also implements the use of variables of the metrics of the executing software as characteristics, by means of a second preferred different embodiment of the detection and enforcement protection principle, also defines a complementary module allowing to add at least one further use to at least one software functionality monitored by the variables of the metrics,
● and in the case where the protection method according to the invention also enables the use of a profile of the software utilization as a property, by detecting and enforcing the protection principle, will also be
-a profile of software usage is defined as software execution characteristics that are subject to monitoring,
-at least one feature of the software execution is defined as a criterion to be observed,
● and in the case where the protection method according to the invention also enables monitoring of the execution link as an execution feature to be observed, by detecting and enforcing the protection principle, also:
defining a set of instructions whose instructions are susceptible to being executed in the unit 6,
defining a set of instruction commands for said set of instructions, said instruction commands being susceptible of being executed in the data processing system 3 and triggering the execution of instructions in the unit 6,
-defining the instruction links as profiles of use,
-defining an expected link for executing an instruction as an execution characteristic,
defining as detection module 17 a module that allows detecting instruction connections that do not correspond to an instruction link of a desired one,
and a module allowing to notify the data processing system 3 and/or to modify the functionality (functionality) of the portion of protected software 2p when the instruction linkage does not correspond to the expected one, is defined as a forcing module 18,
● and when the protection method according to the invention uses the monitored execution links as the execution features to be observed, by detecting and enforcing a preferred variant embodiment of the protection principle, it is also:
-defining as an instruction set at least some of its instructions working with registers and for returning results, an instruction set using at least one operand,
-for at least some instructions working with registers:
a part PF defining the functionality of the instruction,
and defining expectations for executing instructions and including bit fields
A linked portion, the bit field corresponding to:
o the identification field of the CII instruction
And for each operand of the instruction:
mark field CDk
Expected identification field CIP of star and operandk
-defining a generated identification field CIG for each register belonging to a utilization module and used by an instruction setvWherein the identity of the last instruction to return its result is automatically stored in said register,
will allow the flag field CD to be asserted during execution of the instruction for each operandkWhen using it, the generated identification field CIG corresponding to the register used by the operand is checkedvAnd an expected identification field CIP of the start of the operandkThe module of (a) is defined as a detection module 17,
-defining as mandatory modules the modules that allow modifying the result of the instruction if at least one of the checked equations is false.
● and will also be used when the protection principle is implemented by renaming according to the protection method of the invention
A basic command or an instruction command is defined as a trigger command,
defining a basic function or instruction as a correlation function,
defining at least one argument for a trigger command, corresponding at least in part to the information transmitted by the data processing system 3 to the unit 6, as an order to trigger the execution of the corresponding correlation function,
-defining a method allowing renaming an order in order to obtain a renaming order for a trigger command having a renaming order,
and defining a recovery module 20 designed to be used in the unit 6 during the use phase U and to allow recovery of the correlation functions in rename order for execution,
● and in a different case where the protection method according to the invention implements the protection principle by renaming, it also defines a family of correlation functions that are algorithmically equivalent for at least one correlation function, but are triggered by trigger commands whose renaming order is different,
● and in the case where the protection method according to the invention implements one of the different preferred embodiments of the protection principle by renaming, it also defines a family of correlation functions that are algorithmically equivalent for at least one of the correlation functions:
by connecting the noise field to information defining the functional part of the correlation function for execution in the unit 6,
or by using the identification field of the instruction CII and the expected identification field CIP of the operandk
● and in the case where the protection method according to the invention implements the preferred-different protection principle by renaming, it will also:
-defining the encryption method of the encryption order as a renaming method of the order,
and the module that will implement the decryption renaming order, thus recovering the decryption method of the identity of the function concerned to be executed in the unit 6, is defined as the recovery module 20.
In the preceding protection sub-phase P1During which a stage S is defined11Followed by a so-called "build stage S12"is used. At this stage S12During which the transfer modules 12, 13 are structured and/or correspond to the definition stage S11The utilization module of (1).
In this constructional stage S12During this, therefore, the following is performed:
● the transfer modules 12, 13 are constructed to allow, during the phase of use U, the transfer of data between the data processing system 3 and the unit 6,
●, and when implementing the protection principle by means of elementary functions, a utilization module configured to allow the unit 6 to execute the elementary functions of the set of elementary functions during the phase of use U,
● and when the protection principle by detection and enforcement is also implemented, the following are constructed:
the allowing unit 6 also implements, during the use phase U, the utilization modules of the detection module 17 and of the forcing module 18,
and/or allowing unit 6 to also realize and implement, during use phase U, a utilization module implementing the module,
and/or allowing unit 6 to also realize a utilization module of the supplementary module during the use phase U,
and, or, a utilization module allowing unit 6 to execute the instructions of the instruction set during a use phase U,
● and when the protection principle by renaming is also implemented, the formation allows the unit 6 to also implement a utilization module of the recovery module during the use phase U.
Usually by means of a program development unit and considered at the definition level S11The definition of (1) performs the construction of the utilization module. Such elements are described in the other description of fig. 110.
In the preceding protection sub-phase P1During the construction stage S12Followed by a so-called "pre-customization stage S12"is used. At this pre-customization stage S13During which at least part of the transfer module 13 and/or the utilization module is loaded into at least one blank unit 60 in order to obtain at least one pre-customized unit 66. It is noted that, as soon as the pre-customization unit 66 is transferred, no direct access is made to a part of the utilization module outside said pre-customization unit 66. The transfer of utilization modules to the blanking unit 66 can be performed by a suitable pre-customization unit, which is described in the remaining description of fig. 120. The pre-customization unit 66 is formed by the chip card 7 and its reader 8, the pre-customization only involving the chip card 7.
In the preceding protection sub-phase P1During the period, at definition level S11Thereafter, and/or at the construction stage S12Thereafter, what is referred to as a "tool generation stage S" can occur14"is used. At this tool generation stage S14During which tools are generated that allow for the assistance of generating protected software or automated software protection. Such a tool allows:
● help to select or automatically select in the leaky software 2v the one to be protected:
variables that are easy to remote control in the unit 6,
-a portion that is easy to modify,
and when implementing the protection principle by temporary decomposition, an algorithmic process easily divided into steps that can be processed remotely in the unit 6,
and, when the protection principle by basis functions is also implemented, easily divided into basis functions that are processed remotely in the unit 6,
and when the protection principle by detection and enforcement is also implemented, the monitored execution characteristics and, or, an algorithmic process apt to be divided into instructions that can be processed remotely in the unit 6,
and when the protection principle by renaming is also implemented, an algorithmic process which is easily divided into related functions which are processed remotely in the unit 6 and which can rename the order of the trigger commands for it,
and its functionality is easy when also implementing the protection principle by conditional branching
A conditional branch of the remote processing in the unit 6,
● and, alternatively, to assist in the generation of protected software or automated software protection. These different tools are executed independently or in conjunction and each tool has various forms such as, for example, a preprocessor, an assembler, a compiler, and the like.
In the preceding protection sub-phase P1Followed by the next protection sub-phase P relating to the protected, leaky software 2v2. This next guard sub-phase P2Also consisting of several stages. The first stage corresponding to the protection principle implemented by the variables is the "creation stage S21". At this creation stage S21During the period, use is made in the definition stage S11The selection made during. In the selection and/or in the tool generation phase S14With the help of the tools created during the process, the protected software 2p is created in the following way:
● by selecting among the sources of the software 2vs that are vulnerable:
at least one variable which defines in part the state of the latter during the execution of the leaky software 2v,
and at least one portion containing at least one selected variable,
● by generating a source of protected software 2ps from a source of the compromised software 2vs, by modifying at least one selected portion of the source of the compromised software 2vs, this modification being that, during execution of the protected software 2p, at least one selected variable or a copy of at least one selected variable resides in a white space 60 transformed into a cell 6,
● and by generating a first object portion 2pos of the protected software 2p from a source of the protected software 2ps, said first object portion 2pos being a first execution portion 2pes which, during execution of the protected software 2p, occurs in the data processing system 3 and at least a part of which resides in the unit 6 taking into account at least one variable or a copy of at least one variable.
Of course, the protection principle by variables according to the invention can be applied directly during the development of new software, without requiring the previous implementation of the leaky software 2 v. In this way, the protected software 2p is directly obtained.
During the next protection sub-phase P2 and when at least one further protection principle is applied in addition to the protection principle by a variable, a "modification stage S" occurs22". In this modification stage S22During this time, the definitions inserted during definition stage S11 are used. With the help of said definitions and, alternatively, of the tools constructed during the tool generation stage S14, the protected software 2p is modified so as to allow implementing the protection principle according to one of the configurations previously defined.
When implementing the protection principle by temporary decomposition, the protected software 2p is modified:
● by selecting among the sources of protected software 2 ps:
at least one algorithmic process which, during the execution of the protected software 2p, uses at least one chosen variable and allows to obtain at least one result variable,
and at least one portion comprising at least one selected algorithmic process,
● by modifying at least one selected portion of the source of protected software 2ps, this modification is:
during execution of the protected software 2p, the first execution part 2pes is executed in the data processing system 3 and the second execution part 2peu is executed in the unit 6 comprising the processing module 16,
-a functionality of at least performing at least one selected algorithmic process by means of the second execution part 2peu,
splitting at least one selected algorithmic process so that during the execution of the protected software 2p, by means of the second execution part 2peu, several different steps occur, namely:
at least one variable is set for use by the unit 6,
the functionality of an algorithmic processing on at least said variables is performed in unit 6,
and possibly, via unit 6, at least one result variable is set for use by data processing system 3,
-defining a step command for at least one selected algorithmic process such that during execution of the protected software 2p, the step command is executed by the first execution part 2pes, and triggering in unit 6 the execution of a step by the second execution step 2peu,
and in the set of orders allowing the execution of the protected software 2p, the order of the step commands is selected,
● and by generating:
a first object part 2pos of the protected software 2p, said first object part 2pos being a step command to be executed according to a selected order during execution of the protected software 2p,
and a second object portion 2pou of the protected software 2p, said second object portion 2pou being the second execution portion 2peu in which the execution of the steps triggered by the first execution portion 2pes occurs after loading into the blank cell 60 and during the execution of the protected software 2 p.
When the protection principle by the basic function is implemented but the protection principle by the temporary decomposition is not implemented, the protection software 2p is modified:
● by selecting among the sources of protected software 2 ps:
at least one algorithmic process which, during the execution of the protected software 2p, uses at least one chosen variable and allows to obtain at least one result variable,
and at least one portion comprising at least one selected algorithmic process,
● by modifying at least one selected portion of the source of protected software 2ps, this modification is:
during execution of the protected software 2p, the first execution part 2pes is executed in the data processing system 3 and the second execution part 2peu is executed in the unit 6,
-a functionality of at least performing at least one selected algorithmic process by means of the second execution part 2peu,
-splitting at least one selected algorithmic process in order to perform said algorithmic process during the execution of the protected software 2p by means of the second execution part 2peu using a basic function,
combining the elementary commands into a source of the protected software 2ps for at least one selected algorithmic process, so that during the execution of the protected software 2p, each elementary command is executed by the first execution part 2pes and triggering the execution of the elementary function by the second execution part 2peu in the unit 6,
-selecting a sequence of elementary commands in the ordered set allowing the execution of the protected software 2p,
● and by generating:
a first object part 2pos of the protected software 2p, said first object part 2pos being for executing basic commands according to the selected order during execution of the protected software 2p,
and a second object portion 2pou containing protected software 2p utilizing modules, said second object portion 2pou being the second execution portion 2peu that occurs after loading into the blank cell 60 and during execution of the protected software 2p, executing the basic functions triggered by the first execution portion 2 pes.
When the protection principle by temporary decomposition and by basic functions is implemented simultaneously, the protected software 2p is modified:
● are provided by selecting at least one step in the source of protected software 2ps, which, during execution of the protected software 2p, performs the functionality of an algorithmic process,
● by modifying at least one selected portion of the source of protected software 2ps, this modification is:
-splitting at least one selection step so that said step is performed during the execution of the protected software 2p, by means of the second execution part 2peu, using a basic function,
-grouping the elementary commands into the source of the protected software 2ps for at least one selected step, so that during the execution of the protected software 2p each elementary command is executed by the first execution part 2pes and triggering in the unit 6 the execution of an elementary function by the second execution part 2peu,
and the order of the basic commands is selected in the set of orders allowing the execution of the protected software 2p,
● and by generating:
a first object part 2pos of the protected software 2p, said first object part 2pos being for executing basic commands according to the selected order during execution of the protected software 2p,
and a second object portion 2pou further containing protected software 2p utilizing modules, said second object portion 2pou being the occurrence of the second execution portion 2peu executing the basic function triggered by the first execution portion 2pes after loading into the unit 6 and during execution of the protected software 2 p.
When implementing the protection principle by detection and enforcement, the protected software 2p is modified:
● are monitored by selecting at least one of the software execution characteristics that is monitored among the software execution characteristics that are susceptible to monitoring,
● by selecting at least one criterion of a characteristic by which at least one selected software is to perform,
● by selecting a base function in the source of protected software 2ps, at least one selected software execution characteristic for the base function will be monitored,
● by modifying at least one selected part of the source of the protected software 2ps, this modification being such that during execution of the protected software 2p, monitoring at least one selected execution characteristic by the second execution part 2peu, and the fact that the criterion is not observed results in the data processing system 3 being informed of and/or modifying the execution of the protected software 2p,
● and by generating a second object part 2pou containing the protected software 2p utilizing modules, the detection module 17 and the forcing module 18 are also implemented, said second object part 2pou being such that the fact that, after loading into the unit 6 and during the execution of the protected software 2p, at least one software execution characteristic is monitored and the criterion is not observed results in the data processing system 3 being informed and/or the execution of the protected software 2p being modified.
To use the variables of the metrics of the software execution as characteristics, the protected software 2p is modified by detecting and enforcing the protection principle:
● by selecting at least one change in a measure of usage of at least one functionality of the software as a monitored software execution characteristic,
● by selecting:
a variable of the usage measure, apt to monitor at least one functionality of the protected software 2p it uses,
-at least one variable to quantify a measure of the usage of the functionality,
-at least one threshold value related to a variable of the selected metric corresponding to a limitation of use of the functionality,
-and at least one method of updating the variables of the selected metric according to the use of said functionality,
● and by modifying at least one selected part of the source of the protected software 2ps, this modification being to implement a variant of the metric by the second execution part 2peu, depending on the use of said functionality, during the execution of the protected software 2p, and taking into account at least one threshold crossing.
To use the variables of the metrics as characteristics, the protected software is modified by detecting and enforcing a first preferred different embodiment of the protection principle:
● by selecting in the source of protected software 2ps at least one selected metric variable that must be related to several thresholds corresponding to different limits of use of the functionality,
● by selecting at least two thresholds related to the variables of the selected metric,
● and by modifying at least one selected part of the source of the protected software by taking into account differently the crossing of different thresholds by the second execution part 2peu during the execution of the protected software 2 p.
To use the variables of the metrics as characteristics, the protected software 2p is modified by detecting and enforcing a second preferred different embodiment of the protection principle:
● by selecting a variable in the source of protected software 2ps that allows restricting the use of functionality and at least one selected metric that must be able to be trusted by at least one further use,
● and by modifying at least one selected portion, this modification enabling, in a phase called retrofitting, to trust at least one further use of at least one functionality of the variable corresponding to the selected metric.
To use a profile of software usage as a property, the protected software is modified by detecting and enforcing the protection principle:
● are monitored by selecting at least one profile of software usage as a software execution characteristic,
● by selecting at least one enforcement characteristic that at least one selected profile of use must comply with,
● and by modifying at least one selected portion of the source of protected software 2ps, this modification being such that during execution of the protected software 2p, the second execution portion 2peu complies with all selected execution characteristics.
To use the monitoring of the execution links as an execution characteristic of compliance, the protected software is modified by detecting and enforcing protection principles:
● by modifying at least one selected part of the source of protected software 2 ps:
-by converting the basic function into an instruction,
by specifying the links to which at least some of the instructions must adhere during their execution in the unit 6,
and by converting the basic command into an instruction command corresponding to the instruction used.
When implementing the protection principle by renaming, the protected software is modified:
● by selecting the trigger command in the source of the protected software 2ps,
● modifies at least one selected part of the source of the protected software 2ps, by renaming the order of the selected trigger commands, so as to cancel the identity of the corresponding correlation function,
● and by generating:
a first object part 2pos of the protected software 2p, said first object part 2pos being a trigger command to execute with a rename order during execution of the protected software 2p,
and a second object portion 2pou containing protected software 2p utilizing modules, said second object portion 2pou being such as to restore, after loading into the unit 6 and during execution of the protected software 2p, the identity of the correlation function whose execution is triggered by the first execution portion 2pes via the second execution portion 2peu and to execute the correlation function via the second execution portion 2 peu.
To implement a difference in protection principle by renaming, the protected software 2p is modified:
● by selecting at least one trigger command with a rename order in the source of the protected software 2ps,
● and modifying at least one selected portion of the source of protected software 2ps by replacing at least one rename order of a selected trigger command having a rename order with another rename order, triggering related functions of the same family.
When implementing the protection principle by conditional branching, the protected software 2p is modified:
● by selecting at least one conditional branch in the source of protected software 2ps to be executed in at least one selected algorithmic process,
● is modified by executing the functionality of at least one selected conditional branch during execution of the protected software 2p, in unit 6, via the second execution part 2peu,
● and by generating:
a first object part 2pos of the protected software 2p, said first object part pos being a functionality to execute at least one selected conditional branch in the unit 6 during execution of the protected software 2p,
and a second object portion 2pou of the protected software 2p, said second object portion 2pou being the occurrence of a second execution portion 2peu after loading into the unit 6 and during execution of the protected software 2p, by means of which second execution portion 2peu the functionality of at least one selected conditional branch is executed.
To implement the preferred embodiment of the protection principle by conditional branching, the protected software 2p is modified:
● by selecting at least one series of selected conditional branches in the source of protected software 2ps,
● is modified by executing the overall functionality of at least one selected series of conditional branches during the execution of the protected software 2p, in unit 6, by means of the second execution part 2peu,
● and by generating:
a first object part 2pos of the protected software 2p, said first object part 2pos being a functionality of executing at least one selected sequence of conditional branches in the unit 6 during execution of the protected software 2ps,
and a second object portion 2pou of the protected software 2p, said second object portion 2pou being the appearance of a second execution portion 2peu after loading into the unit 6 and during execution of the protected software 2p, the entire functionality of at least one selected series of conditional branches being executed by the second execution portion 2 peu.
Of course, during the development of new software, the protection principle according to the invention can be applied directly without the need for prior execution of indirect protection software. In this manner, the creation stage S can be concomitantly executed21And a modification stage S22In order to directly obtain the protected software 2 p.
In the next guard sub-phase P2Meanwhile, in the case of using at least one other protection principle, supplemented by the protection principle of the variable, at the creation stage S of the protected software 2p21After, and/or in the modification stage S22Later, what appears is called "custom level S23"is used. At this customization stage S23During this time, the second object portion 2pou, which may contain a utilization module, is loaded onto at least one blank cell 60 for obtaining at least one cell 6, or a portion of the second object portion 2pou, which may contain a utilization module, is loaded onto at least one pre-customized cell 66 for obtaining at least one cell 6. Loading this customization information allows to make at least one unit 6 operative. It should be noted that the information portion, as long as it is transferred to the unit 6, cannot be directly accessed outside the unit 6. The transfer of customization information to the blank cell 60 or the pre-customized cell 66 can be performed by a suitable customization cell as described in the other description of FIG. 150. In the case of the unit 6, consisting of a chip card and its reader, the customization involves only the chip card 7.
To implement the protection phase P, various technical modules are described more precisely with reference to fig. 110, 120, 130, 140 and 150.
Fig. 110 illustrates an embodiment of system 25, system 25 allowing implementation of a construction stage S12 that considers definitions inserted during definition stage S11 and, during construction stage, construction of transport modules 12, 13 and, alternatively, utilization modules for unit 6. Such a system 25 comprises a program development unit or workstation, usually in the form of a computer, including system units, screens, peripheral devices such as a keyboard-mouse and, among others, the following programs: file editors, assemblers, preprocessors, compilers, interpreters, debuggers, and link editors.
Fig. 120 illustrates an embodiment of the pre-customization unit 30 that allows for at least partial loading of the transfer module 13 and/or utilization module into at least one of the blank units 60 in order to obtain the pre-customized unit 66. The pre-customization unit 30 comprises a read-write module 31, a blanking unit 60 allowing electronic pre-customization to obtain a pre-customization unit 66 that has loaded the transfer module 13 and/or utilized the module. The pre-customization unit 30 can also include a physical customization module 32 of a blank unit 60, the blank unit 60 can be in the form of, for example, a printer. In the case of a unit 6 formed by a chip card 7 and its reader 8, the advance customization usually involves only the chip card 7.
FIG. 130 illustrates an embodiment of a system 35 that allows for the execution of generation tools that allow for the assistance of generating protected software or automated software protection. Such a system 35 comprises a program development unit or engineering station, usually in the form of a computer, including system units, screens, peripheral devices such as a keyboard-mouse and, among others, the following programs: file editors, assemblers, preprocessors, compilers, interpreters, debuggers, and link editors.
Fig. 140 illustrates an embodiment of a system 40 that allows for the direct creation of protected software 2p or the modification of compromised software 2v for obtaining protected software 2 p. Such a system 40 comprises a program development unit or workstation, typically in the form of a computer, including system elements, screens, peripheral devices such as a keyboard and mouse and, among others, the following programs: file editors, assemblers, pre-processors, compilers, interpreters, debuggers, and link editors, as well as tools that allow for the generation of protected or automation protected software.
Diagram 150 illustrates an embodiment of customization unit 45 that allows loading of second object portion 2pou onto at least one blank cell 60 for obtaining at least one cell 6, or loading of a portion of second object portion 2pou onto at least one pre-customized cell 66 for obtaining at least one cell 6. Such customization unit 45 comprises a read-write module 46 allowing electronic customization, at least one blank unit 60 or at least one pre-customized unit 66, in order to obtain at least one unit 6. Upon completion of this customization, the unit 6 includes the information necessary to execute the protected software 2 p. The customization unit 45 can also include a physical customization module 47 for at least one unit, at least one unit 6 can be in the form of a printer, for example. In the case of a unit 6 consisting of a chip card 7 and its reader 8, the customization usually involves only the chip card 7.
The protection method according to the invention can be implemented by the following modifications:
● are intended to share several processing and storage units between which the second object part 2pou of the protected software 29 is divided so that their shared use allows the execution of the protected software 29 in the absence of at least one of said processing and storage units, preventing the use of the protected software 2 p.
● in the same manner, at a pre-customization stage S13After, and at the customization stage S23During this time, the portion of second object portion 2pou needed to transform pre-customized element 66 into element 6 can be included in the processing and storage unit used by customization unit 45 to restrict access to that portion of second object portion 2 pou. Of course, the portion of the second object portion 2pou can be divided among several processing and memory units so that the portion of the second object portion 2pou can be accessed only during common use of the processing and memory units.

Claims (38)

1. A protection method for preventing unauthorized use of a vulnerable software (2v), using at least one white space unit (60) comprising at least one memory module (15), said vulnerable software (2v) being generated from a source (2vs) and running on a data processing system (3), said protection method comprising:
→ during the protection phase (P)
● creating protected software (2 p):
-by selecting in the source (2vs) of the leaky software:
at least one variable which, during execution of the vulnerable software (2v), defines in part the state of the vulnerable software (2v),
and at least one portion containing at least one selected variable,
-by generating a source (2ps) of protected software from a source (2vs) of the vulnerable software, by modifying at least one selected part of the source (2vs) of the vulnerable software, this modification being such that during execution of the protected software (2p) at least one selected variable or a copy of at least one selected variable resides in a blank cell (60), whereby the blank cell (60) is transformed into a cell (6),
-and by generating a first object part (2pos) of the protected software (2p) from a source (2ps) of the protected software, said first object part (2pos) being a first execution part (2pes) that occurs in the data processing system (3) during execution of the protected software (2p), and at least a part of the first execution part (2pes) residing in the unit (6) taking into account at least one variable or a copy of the at least one variable,
→ and during the use phase (U), executing the protected software (2p) during the use phase:
● each time a part of the first execution part (2pes) makes use of it in the presence of the element (6), use the variable or a copy of the variable residing in the element (6) in order to execute said part correctly, so that the protected software (2p) is fully functional,
● and in the absence of a unit (6), although a part of the first execution part (2pes) requests use of a variable or a copy of a variable residing in the unit (6), the request cannot be fulfilled correctly so that at least the part is executed incorrectly, and therefore the protected software (2p) is not fully functional.
2. The method of claim 1, comprising:
→ during the protection phase (P):
● modified protected software (2 p):
-by selecting in the source (2ps) of protected software:
at least one algorithmic process which, during the execution of the protected software (2p), uses at least one chosen variable and allows at least one result variable to be obtained,
and at least one portion comprising at least one selected algorithmic process,
-by modifying at least one selected part of the source (2ps) of protected software, this modification being:
during the execution of the protected software (2p), a first execution part (2pes) is executed in the data processing system (3), and a second execution part (2peu) is executed in a unit (6) further comprising a processing module (16),
-executing at least the functionality of the at least one selected algorithmic process by means of the second execution part (2peu),
separating at least one selected algorithmic process so that during execution of the protected software (2p), through the second execution part (2peu), several different steps occur, namely:
setting at least one variable for use by the unit (6),
-performing in a unit (6) the functionality of an algorithmic processing on at least said variables,
and possibly, by means of a unit (6), setting at least one result variable for use by the data processing system (3),
defining step commands for at least one selected algorithmic process such that, during execution of the protected software (2p), each step command is executed by the first execution part (2pes) and triggers execution of a step in the unit (6) by the second execution part (2peu),
and selecting the order of the step commands in the set of orders allowing the execution of the protected software (2p),
-and by generating:
a first object part (2pos) of the protected software (2p), said first object part (2pos) being for executing step commands according to a selected order during execution of the protected software (2p),
and a second object portion (2pou) of the protected software (2p), said second object portion (2pou) being such that, after loading into the blank cell (60) and during execution of the protected software (2p), a second execution portion (2peu) occurs by means of which second execution portion (2peu) the steps triggered by the first execution portion (2pes) are executed,
● and for the acquisition cell (6), loading a second object portion (2pou) onto the blank cell (60),
→ and during the use phase (U):
●, in the presence of the element (6), and each time the step contained in a part of the first execution part (2pes) commands the utilization thereof, the corresponding step is executed in the element (6) in order to correctly execute said part, so that the protected software (2p) is fully functional,
● and in the absence of a unit (6), although a request for a part of the first execution part (2pes) triggers the execution of a step in the unit (6), the request cannot be fulfilled correctly, so that at least the part is executed incorrectly, and therefore the protected software (2p) does not function completely.
3. The method of claim 1, comprising:
→ during the protection phase (P):
● define:
-a set of basic functions, the basic functions of which are susceptible to being executed in a unit (6) further comprising a processing module (16),
-and a set of basic commands for said set of basic functions, said basic commands being susceptible of being executed in the data processing system (3) and triggering the execution of the basic functions in the unit (6),
● to transform the blank cells (60) into utilization modules of the cells (6) capable of executing the set of basic functions, the execution of which is triggered by the execution of basic commands in the data processing system (3),
● modified protected software (2 p):
-by selecting in the source (2ps) of protected software:
at least one algorithmic process which, during the execution of the protected software (2p), uses at least one chosen variable and allows at least one result variable to be obtained,
and at least one portion comprising at least one selected algorithmic process,
-by modifying at least one selected part of the source (2ps) of protected software, this modification being:
during execution of the protected software (2p), executing the first execution part (2pes) in the data processing system (3) and the second execution part (2peu) in the unit (6),
at least one selection is performed by the second performing part (2peu)The functionality of the algorithm-based process is determined,
separating at least one selected algorithmic process in order to execute said algorithmic process during execution of the protected software (2p) by means of a second execution part (2peu) using a basic function,
integrating a set of basic commands into the source (2ps) of the protected software for at least one selected algorithmic process, so that during the execution of the protected software (2p), each basic command is executed by a first execution part (2pes), and triggering the execution of a basic function by a second execution part (2peu) in a unit (6),
and selecting the order of the basic commands in the set of orders allowing the execution of the protected software (2p),
-and by generating:
a first object part (2pos) of the protected software (2p), said first object part (2pos) being for executing basic commands according to a selected order during execution of the protected software (2p),
and a second object portion (2pou) containing protected software (2p) utilizing modules, said second object portion (2pou) being the appearance of a second execution portion (2peu) after loading into the blank cell (60) and during execution of the protected software (2p), the execution of the elementary functions triggered by the first execution portion (2pes) by means of the second execution portion (2peu),
● and to obtain cells (6), a second object portion (2pou) is loaded onto the blank cells (60).
→ and during the use phase (U):
●, when the unit (6) is present, and each time the elementary commands contained in a part of the first execution part (2pes) make use of it, the corresponding elementary functions are executed in the unit (6) in order to correctly execute said part, so that the protected software (2p) is fully functional,
● and in the absence of a unit (6), although a request for a part of the first execution part (2pes) triggers the execution of a basic function in the unit (6), said request cannot be fulfilled correctly, so that at least said part is executed incorrectly, and therefore the protected software (2p) does not function completely.
4. The method of claim 2, comprising:
→ during the protection phase (P):
● define:
-a set of elementary functions, the elementary functions of which are easy to execute in the unit (6),
-and a set of basic commands for said set of basic functions, said basic commands being susceptible to being executed in the data processing system (3) and triggering the execution of the basic functions in the unit (6),
● constructing a utilization module allowing the unit (6) to execute the set of basic functions, triggering the execution of the basic functions by executing basic commands in the data processing system (3),
● and modified protected software (2 p):
-by selecting in the source (2ps) of protected software at least one step of the functionality of the algorithmic processing to be performed during the execution of the protected software (2p),
-by modifying at least one selected part of the source (2ps) of protected software, this modification being:
separating at least one selected step so that said step is performed by the second execution part (2peu) using the basic function during the execution of the protected software (2p),
for at least one selected step, integrating a set of basic commands into the source (2ps) of the protected software, so that during the execution of the protected software (2p), each basic command is executed by means of the first execution part (2pes) and triggering the execution of a basic function in the unit (6) by means of the second execution part (2peu),
and selecting the order of the basic commands in the set of orders allowing the execution of the protected software (2p),
-and by generating:
a first object part (2pos) of the protected software (2p), said first object part (2pos) being for executing basic commands according to a selected order during execution of the protected software (2p),
and a second object portion (2pou) further comprising protected software (2p) utilizing the modules, said second object portion (2pou) being the occurrence of a second execution portion (2peu) after loading into the unit (6) and during execution of the protected software (2p), by means of which second execution portion (2peu) the basic functions triggered by the first execution portion (2pes) are executed,
→ and during the use phase (U):
●, when the unit (6) is present, and each time the elementary commands contained in a part of the first execution part (2pes) make use of it, the corresponding elementary functions are executed in the unit (6) in order to correctly execute said part, so that the protected software (2p) is fully functional,
● and in the absence of a unit (6), although a request for a part of the first execution part (2pes) triggers the execution of a basic function in the unit (6), said request cannot be fulfilled correctly, so that at least said part is executed incorrectly, and therefore the protected software (2p) does not function completely.
5. The method of claim 3 or 4, comprising:
→ during the protection phase (P):
● define:
-at least one software execution characteristic, at least partly susceptible to being monitored in the unit (6),
-at least one criterion by which the at least one software execution feature complies,
-a detection module (17) implemented in the unit (6) and allowing to detect that at least one software execution characteristic does not comply with at least one relevant criterion,
and a forcing module implemented in the unit (6) and allowing the data processing system (3) to be informed and/or the execution of the modification software to be modified when at least one criterion is not complied with,
● the configuration allows the unit (6) to also implement a utilization module for the detection module (17) and the forcing module (18),
● and modified protected software (2 p):
-by selecting at least one software execution characteristic to monitor among the software execution characteristics that are easy to monitor,
-selecting at least one criterion to be observed by at least one selected software execution characteristic,
-by selecting in the source (2ps) of protected software a base function that will monitor at least one selected software execution characteristic,
-by modifying at least one selected portion of the source (2ps) of the protected software, this modification being such that during the execution of the protected software (2p), at least one selected execution characteristic is monitored by the second execution portion (2peu), and the fact that the criterion is not observed results in informing the data processing system (3) and/or modifying the execution of the protected software (2p),
-and further implementing a detection module (17) and a forcing module (18) by generating a second object portion (2pou) containing protected software (2p) utilizing modules, said second object portion (2pou) being such that, after loading into the unit (6), and during execution of the protected software (2p), monitoring at least one software execution characteristic and the fact that a criterion is not observed results in informing the data processing system (3) and/or modifying the execution of the protected software (2p),
→ and during the use phase (U):
● in the presence of element (6):
-allowing said portion of protected software (2p) to run nominally, and therefore allowing the protected software (2p) to run nominally, as long as all criteria corresponding to all monitored execution characteristics of all modified portions of the protected software (2p) are respected,
-and if at least one criterion corresponding to an execution characteristic of the monitored portion of the protected software (2p) is not observed, informing the data processing system (3) thereof and/or modifying the execution of the portion of the protected software (2p) so as to modify the execution of the protected software (2 p).
6. The method of claim 5, for restricting the use of the protected software (2p), comprising:
→ during the protection phase (P):
● define:
-defining variables of a measure of use of the functionality of the software as software execution characteristics that are easy to monitor,
defining at least one threshold value relating to the variables of each metric as a criterion of adherence,
-and an enforcement module defining variables allowing to update at least one metric,
● allows the unit (6) to also implement a utilization module that implements the module,
● and modified protected software (2 p):
-by selecting at least one variable of a measure of usage of at least one functionality of the software as a monitored software execution characteristic,
-by selecting:
the variables of the usage measure facilitate monitoring of at least one functionality of the protected software (2p) used by it,
to quantify the use of said functionalityAt least one variable of the measure is selected,
at least one threshold value related to a variable of a selected metric corresponding to a limit of use of the functionality,
and at least one method of updating the variables of the selected metric based on the use of the functionality,
-by modifying at least one selected portion of the source (2ps) of protected software, this modification being such as to implement, during the execution of the protected software (2p), a variable of the metric, according to the use of said functionality, by means of the second execution portion (2peu), and taking into account at least one threshold crossing,
→ and during the use phase (U), in the presence of the unit (6), and in the event of detection of at least one threshold crossing corresponding to at least one use limit, informing the data processing system (3) and/or modifying the execution of the portion of protected software (2p) so as to modify the execution of the protected software (2 p).
7. The method of claim 6, comprising:
→ during the protection phase (P):
● define:
several correlation thresholds for variables of at least one metric,
-and a different forcing module corresponding to each of said thresholds,
● and modified protected software (2 p):
-by selecting in the source (2ps) of protected software the variables of at least one selected metric that must be related to several thresholds corresponding to different limits of functional use,
-selecting at least two thresholds related to the variables of the selected metric,
and by modifying at least one selected portion of the source (2ps) of the protected software, this modification taking into account differently the crossing of different thresholds, by means of the second execution portion (2peu), during the execution of the protected software (2p),
→ and during the use phase (U):
● in the presence of element (6):
-in case of detection of crossing of the first threshold, commanding the protected software (2p) to no longer use the corresponding functionality,
-and in case of detection of crossing of the second threshold, invalidating at least a part of the respective functionality and/or protected software (2 p).
8. The method of claim 6, comprising:
→ in protection phase (P):
● define a supplemental module that allows for at least one software functionality to be trusted to be monitored by a measured variable through at least one additional use,
● the construction also allows the unit (6) to implement a utilization module for the retrofit module,
● and modified protected software (2 p):
-by selecting in the source (2ps) of protected software a variable of at least one selected metric that allows limiting the use of the functionality and that must be trusted by at least one further use,
and by modifying at least one selected portion, this modification enabling to trust, during a phase called retrofitting, at least one further use of at least one functionality of the variable corresponding to the selected metric,
→ and during refitting:
● re-implement the variables and/or the at least one correlation threshold for the at least one selected metric to allow at least one additional use of the functionality.
9. The method of claim 5, comprising:
→ during the protection phase (P):
● define:
-defining a profile of software usage as software execution characteristics that are easy to monitor,
-and defining at least one software execution characteristic as a criterion to comply with,
● and modified protected software (2 p):
-selecting at least one profile of software usage as a monitored software execution characteristic,
-by selecting at least one execution characteristic to which at least one selected usage profile has to comply,
-and by modifying at least one selected portion of the source (2ps) of the protected software, this modification being such that, during the execution of the protected software (2p), the second execution portion (2peu) adheres to all selected execution characteristics,
→ and during the use phase (U), when the unit (6) is present, and in case of detection of non-compliance with the at least one execution characteristic, informing the data processing system (3) and/or modifying the execution of the portion of the protected software (2p) in order to modify the execution of the protected software (2 p).
10. The method of claim 9, comprising:
→ during the protection phase (P):
● define:
-an instruction set whose instructions are susceptible to being executed in a unit (6),
-an instruction command set for said instruction set, said instruction command being susceptible to be executed in the data processing system (3) and triggering the execution of an instruction in the unit (6),
-defining the instruction link as a usage profile,
-defining an intended link for executing an instruction as an execution characteristic,
-defining a module allowing detection of instruction links not corresponding to expected instruction links as detection module (17),
-and defining as a forcing module (18) a module allowing to inform the data processing system (3) and/or to change the functionality of a part of the protected software (2p) when the instruction link does not correspond to the expected instruction link,
● the construction also allows the unit (6) to execute a utilization module of the instructions of the instruction set, triggering the execution of said instructions by executing instruction commands in the data processing system (3),
● and modified protected software (2 p):
-by modifying at least one selected part of the source (2ps) of the protected software:
by transforming the basic function into an instruction,
by specifying the links to which at least some of the instructions must adhere during their execution in the unit (6),
and by transforming the basic command into an instruction command corresponding to the instruction used,
→ and during the use phase (U), in the presence of the unit (6), in case it is detected that the instruction linkage executed in the unit (6) does not correspond to the expected instruction linkage, informing the data processing system (3) thereof and/or modifying the execution of the portion of the protected software (2p) in order to modify the execution of the protected software (2 p).
11. The method of claim 10, comprising:
→ in protection phase (P):
● define:
-defining as instruction set, for returning a result, an instruction set of which at least some instructions work with registers and which uses at least one operand,
-for at least some instructions working with registers:
a part of the functionality (PF) of the instruction is defined,
and a portion of a bit field defining an expected link for executing the instruction and including bits corresponding to:
the identification field (CII) of the instruction,
and for each operand of the instruction:
mark field (CD)k),
Expected identification field (CIP) of operandk),
-for each register belonging to the utilization module and used by the instruction set, automatically storing in said register the identification of the last instruction that has returned its result (CIG)v),
-and will allow, for each operand, the current flag field (CD) during execution of the instructionk) Using it, checking the generated identification field (CIG) corresponding to the register used by the operandv) And an original expected identification field (CIP) of the operandk) The module of equations (17) is defined as the detection module,
-and defining the module that allows modifying the result of the instruction as a forcing module (18) if at least one of the checked equations is false.
12. The method of claim 4, comprising:
→ during the protection phase (P):
● define:
-an instruction set whose instructions are susceptible to being executed in a unit (6),
-an instruction command set for said instruction set, said instruction command being susceptible to be executed in the data processing system (3) and triggering the execution of an instruction in the unit (6),
-the linking of these instructions is at least partly susceptible to being monitored in the unit (6),
during the execution of the software, it is expected that the links must be observed,
a detection module (17) implemented in the unit (6) and intended to allow the detection of links of these instructions not complying with expected links,
and a forcing module (18) implemented in the unit (6) and allowing to inform the data processing system (3) and/or to change the execution of the software when the instruction chain connection does not correspond to the expected instruction chain connection,
● is also structured to allow the unit (6) to execute the instructions of the instruction set and to implement a utilization module of the detection module (17) and of the forcing module (18),
● and modified protected software (2 p):
-by modifying at least one selected part of the source (2ps) of the protected software:
by transforming the basic function into an instruction,
by selecting an instruction whose link is to be monitored in the source of the protected software (2p),
by specifying the expected links that at least some of these selected instructions must adhere to during execution in the unit (6),
and by transforming the basic command into an instruction command corresponding to the instruction used,
-the modification is such that during execution of the protected software (2p) the linking of the instructions is monitored by means of the second execution part (2peu) and the expected linking is not subject to the modification resulting in the data processing system (3) being notified and/or in the execution of the protected software (2 p).
-and by generating a second object part (2pou) of the protected software (2p) further comprising instructions allowing the execution of these command sets and also implementing the utilization modules of the detection module (17) and of the forcing module (18), said second object part (2pou) being such that, after uploading to the unit (6), and during the execution of the protected software (2p), the linking of these instructions is monitored and the expected linking is not observed with modifications leading to the data processing system (3) being notified and/or to the execution of the protected software (2 p).
→ and during the use phase (U):
● in the presence of element (6):
-allowing the protected software (2p) to run nominally for said portion and thus allowing the protected software (2p) to run nominally as long as the linking of these instructions corresponds to the expected linking in all modified portions of the protected software (2p),
-and in the case of detecting in a portion of the protected software (2p) that the link of the instruction executed in the unit (6) does not correspond to the expected link, notifying the data processing system (3) of the situation and/or modifying the execution of the portion of the protected software (2p) so that the execution of the protected software (2p) is modified.
13. The method of claim 3, comprising:
→ during the protection phase (P):
● define:
-an instruction set whose instructions are susceptible to being executed in a unit (6),
-an instruction command set for said instruction set, said instruction command being susceptible to be executed in the data processing system (3) and triggering the execution of an instruction in the unit (6),
-the linking of these instructions is at least partly susceptible to being monitored in the unit (6),
during the execution of the software, it is expected that the links must be observed,
a detection module (17) implemented in the unit (6) and intended to allow the detection of links of these instructions not complying with expected links,
and a forcing module (18) implemented in the unit (6) and allowing to inform the data processing system (3) and/or to change the execution of the software when the instruction chain connection does not correspond to the expected instruction chain connection,
● is also structured to allow the unit (6) to execute the instructions of the instruction set and to implement a utilization module of the detection module (17) and of the forcing module (18),
● and modified protected software (2 p):
-by modifying at least one selected part of the source (2ps) of the protected software:
by transforming the basic function into an instruction,
by selecting an instruction whose link is to be monitored in the source of the protected software (2p),
by specifying the expected links that at least some of these selected instructions must adhere to during execution in the unit (6),
and by transforming the basic command into an instruction command corresponding to the instruction used,
-the modification is such that during execution of the protected software (2p) the linking of the instructions is monitored by means of the second execution part (2peu) and the expected linking is not subject to the modification resulting in the data processing system (3) being notified and/or in the execution of the protected software (2 p).
-and by generating a second object part (2pou) of the protected software (2p) further comprising instructions allowing the execution of these command sets and also implementing the utilization modules of the detection module (17) and of the forcing module (18), said second object part (2pou) being such that, after uploading to the unit (6), and during the execution of the protected software (2p), the linking of these instructions is monitored and the expected linking is not observed with modifications leading to the data processing system (3) being notified and/or to the execution of the protected software (2 p).
→ and during the use phase (U):
● in the presence of element (6):
-allowing the protected software (2p) to run nominally for said portion and thus allowing the protected software (2p) to run nominally as long as the linking of these instructions corresponds to the expected linking in all modified portions of the protected software (2p),
-and in the case of detecting in a portion of the protected software (2p) that the link of the instruction executed in the unit (6) does not correspond to the expected link, notifying the data processing system (3) of the situation and/or modifying the execution of the portion of the protected software (2p) so that the execution of the protected software (2p) is modified.
14. The method of claim 3, comprising:
→ during the protection phase (P):
● define:
-defining a basic command as a trigger command,
-defining a basis function as a correlation function,
-defining at least one argument for a trigger command, corresponding at least in part to the information transmitted by the data processing system (3) to the unit (6), as an order for triggering the execution of the corresponding correlation function,
an order renaming method allowing renaming the orders in order to obtain trigger commands with a renamed order,
-and a recovery module (20) designed to be used in the unit (6) during a use phase (U) and to allow recovery of the correlation function from the renamed order for execution,
● the configuration allows the unit (6) to also implement a utilization module for the recovery module,
● and modified protected software (2 p):
-by selecting a trigger command in the source (2ps) of the protected software,
-modifying at least one selected portion of the source (2ps) of the protected software by renaming the order of the selected trigger commands so as to hide the identity of the corresponding correlation function,
-and by generating:
a first object part (2pos) of the protected software (2p), said first object part (2pos) being a trigger command to be executed with a rename order during execution of the protected software (2p),
and a second object portion (2pou) containing protected software (2p) of a utilization module also implementing a recovery module (20), said second object portion (2pou) being such that, after loading into the unit (6) and during execution of the protected software (2p), the identity of the correlation function whose execution is triggered by the first execution portion (2pes) is recovered by means of the second execution portion (2peu), the correlation function being executed by means of the second execution portion (2peu),
→ and during the use phase (U):
●, in the presence of the element (6), and each time a trigger command with rename order contained in a portion of the first execution section (2pes) makes use of it, the identity of the corresponding related function is restored in the element (6) and it is executed in order to execute said portion correctly, so that the protected software (2p) is fully functional,
● and in the absence of a unit (6), although a request for a part of the first execution part (2pes) triggers the execution of the associated function in the unit (6), said request cannot be fulfilled correctly, so that at least said part is executed incorrectly, and therefore the protected software (2p) does not function completely.
15. The method of claim 14, comprising:
→ during the protection phase (P),
● define a family of correlation functions for at least one correlation function that are algorithmically equivalent, but are triggered by trigger commands whose renaming order differs,
● and modified protected software (2 p):
-by selecting at least one trigger command with a rename order in the source (2ps) of the protected software,
-and modifying at least one selected part of the source (2ps) of the protected software by replacing the renaming order of one selected trigger command with the renaming order at least by another renaming order, triggering related functions of the same family.
16. The method of claim 15, comprising:
→ during the protection phase (P), a family of algorithmically equivalent correlation functions is defined for at least one correlation function:
-by connecting the noise field to information defining a functional part of the correlation function for execution in the unit (6),
or by using the identification field (CII) of the instruction and the expected identification field (CIP) of the operandk)。
17. The method of claim 14, 15 or 16, comprising:
→ during the protection phase (P):
● define:
-defining the encryption method of the encryption order as a renaming method of the order,
-and defining as the recovery module (20) the module implementing the decryption renaming order, so as to recover the identity of the correlation function for the decryption method performed in the unit (6).
18. The method of claim 4, comprising:
→ during the protection phase (P):
● define:
-defining a basic command as a trigger command,
-defining a basis function as a correlation function,
-defining at least one argument for a trigger command, corresponding at least in part to the information transmitted by the data processing system (3) to the unit (6), as an order for triggering the execution of the corresponding correlation function,
an order renaming method allowing renaming the orders in order to obtain trigger commands with a renamed order,
-and a recovery module (20) designed to be used in the unit (6) during a use phase (U) and to allow recovery of the correlation function from the renamed order for execution,
● the configuration allows the unit (6) to also implement a utilization module for the recovery module,
● and modified protected software (2 p):
-by selecting a trigger command in the source (2ps) of the protected software,
-modifying at least one selected portion of the source (2ps) of the protected software by renaming the order of the selected trigger commands so as to hide the identity of the corresponding correlation function,
-and by generating:
a first object part (2pos) of the protected software (2p), said first object part (2pos) being a trigger command to be executed with a rename order during execution of the protected software (2p),
and a second object portion (2pou) containing protected software (2p) of a utilization module also implementing a recovery module (20), said second object portion (2pou) being such that, after loading into the unit (6) and during execution of the protected software (2p), the identity of the correlation function whose execution is triggered by the first execution portion (2pes) is recovered by means of the second execution portion (2peu), the correlation function being executed by means of the second execution portion (2peu),
→ and during the use phase (U):
●, in the presence of the element (6), and each time a trigger command with rename order contained in a portion of the first execution section (2pes) makes use of it, the identity of the corresponding related function is restored in the element (6) and it is executed in order to execute said portion correctly, so that the protected software (2p) is fully functional,
● and in the absence of a unit (6), although a request for a part of the first execution part (2pes) triggers the execution of the associated function in the unit (6), said request cannot be fulfilled correctly, so that at least said part is executed incorrectly, and therefore the protected software (2p) does not function completely.
19. The method of claim 18, comprising:
→ during the protection phase (P),
● define a family of correlation functions for at least one correlation function that are algorithmically equivalent, but are triggered by trigger commands whose renaming order differs,
● and modified protected software (2 p):
-by selecting at least one trigger command with a rename order in the source (2ps) of the protected software,
-and modifying at least one selected part of the source (2ps) of the protected software by replacing the renaming order of one selected trigger command with the renaming order at least by another renaming order, triggering related functions of the same family.
20. The method of claim 19, comprising:
→ during the protection phase (P), a family of algorithmically equivalent correlation functions is defined for at least one correlation function:
-by connecting the noise field to information defining a functional part of the correlation function for execution in the unit (6),
or by using the identification field (CII) of the instruction and the expected identification field (CIP) of the operandk)。
21. The method of claim 18, 19 or 20, comprising:
→ during the protection phase (P):
● define:
-defining the encryption method of the encryption order as a renaming method of the order,
-and defining as the recovery module (20) the module implementing the decryption renaming order, so as to recover the identity of the correlation function for the decryption method performed in the unit (6).
22. The method of claim 12, comprising:
→ during the protection phase (P):
● define:
-defining a basic command as a trigger command,
-defining a basis function as a correlation function,
-defining at least one argument for a trigger command, corresponding at least in part to the information transmitted by the data processing system (3) to the unit (6), as an order for triggering the execution of the corresponding correlation function,
an order renaming method allowing renaming the orders in order to obtain trigger commands with a renamed order,
-and a recovery module (20) designed to be used in the unit (6) during a use phase (U) and to allow recovery of the correlation function from the renamed order for execution,
● the configuration allows the unit (6) to also implement a utilization module for the recovery module,
● and modified protected software (2 p):
-by selecting a trigger command in the source (2ps) of the protected software,
-modifying at least one selected portion of the source (2ps) of the protected software by renaming the order of the selected trigger commands so as to hide the identity of the corresponding correlation function,
-and by generating:
a first object part (2pos) of the protected software (2p), said first object part (2pos) being a trigger command to be executed with a rename order during execution of the protected software (2p),
and a second object portion (2pou) containing protected software (2p) of a utilization module also implementing a recovery module (20), said second object portion (2pou) being such that, after loading into the unit (6) and during execution of the protected software (2p), the identity of the correlation function whose execution is triggered by the first execution portion (2pes) is recovered by means of the second execution portion (2peu), the correlation function being executed by means of the second execution portion (2peu),
→ and during the use phase (U):
●, in the presence of the element (6), and each time a trigger command with rename order contained in a portion of the first execution section (2pes) makes use of it, the identity of the corresponding related function is restored in the element (6) and it is executed in order to execute said portion correctly, so that the protected software (2p) is fully functional,
● and in the absence of a unit (6), although a request for a part of the first execution part (2pes) triggers the execution of the associated function in the unit (6), said request cannot be fulfilled correctly, so that at least said part is executed incorrectly, and therefore the protected software (2p) does not function completely.
23. The method of claim 22, comprising:
→ during the protection phase (P),
● define a family of correlation functions for at least one correlation function that are algorithmically equivalent, but are triggered by trigger commands whose renaming order differs,
● and modified protected software (2 p):
-by selecting at least one trigger command with a rename order in the source (2ps) of the protected software,
-and modifying at least one selected part of the source (2ps) of the protected software by replacing the renaming order of one selected trigger command with the renaming order at least by another renaming order, triggering related functions of the same family.
24. The method of claim 23, comprising:
→ during the protection phase (P), a family of algorithmically equivalent correlation functions is defined for at least one correlation function:
-by connecting the noise field to information defining a functional part of the correlation function for execution in the unit (6),
or by using the identification field (CII) of the instruction and the expected identification field (CIP) of the operandk)。
25. The method of claim 22, 23 or 24, comprising:
→ during the protection phase (P):
● define:
-defining the encryption method of the encryption order as a renaming method of the order,
-and defining as the recovery module (20) the module implementing the decryption renaming order, so as to recover the identity of the correlation function for the decryption method performed in the unit (6).
26. The method of claim 13, comprising:
→ during the protection phase (P):
● define:
-defining a basic command as a trigger command,
-defining a basis function as a correlation function,
-defining at least one argument for a trigger command, corresponding at least in part to the information transmitted by the data processing system (3) to the unit (6), as an order for triggering the execution of the corresponding correlation function,
an order renaming method allowing renaming the orders in order to obtain trigger commands with a renamed order,
-and a recovery module (20) designed to be used in the unit (6) during a use phase (U) and to allow recovery of the correlation function from the renamed order for execution,
● the configuration allows the unit (6) to also implement a utilization module for the recovery module,
● and modified protected software (2 p):
-by selecting a trigger command in the source (2ps) of the protected software,
-modifying at least one selected portion of the source (2ps) of the protected software by renaming the order of the selected trigger commands so as to hide the identity of the corresponding correlation function,
-and by generating:
protected softA first object portion (2pos) of the piece (2p), said first object portion (2pos) being for executing a trigger command with a rename order during execution of the protected software (2p),
and a second object portion (2pou) containing protected software (2p) of a utilization module also implementing a recovery module (20), said second object portion (2pou) being such that, after loading into the unit (6) and during execution of the protected software (2p), the identity of the correlation function whose execution is triggered by the first execution portion (2pes) is recovered by means of the second execution portion (2peu), the correlation function being executed by means of the second execution portion (2peu),
→ and during the use phase (U):
●, in the presence of the element (6), and each time a trigger command with rename order contained in a portion of the first execution section (2pes) makes use of it, the identity of the corresponding related function is restored in the element (6) and it is executed in order to execute said portion correctly, so that the protected software (2p) is fully functional,
● and in the absence of a unit (6), although a request for a part of the first execution part (2pes) triggers the execution of the associated function in the unit (6), said request cannot be fulfilled correctly, so that at least said part is executed incorrectly, and therefore the protected software (2p) does not function completely.
27. The method of claim 26, comprising:
→ during the protection phase (P),
● define a family of correlation functions for at least one correlation function that are algorithmically equivalent, but are triggered by trigger commands whose renaming order differs,
● and modified protected software (2 p):
-by selecting at least one trigger command with a rename order in the source (2ps) of the protected software,
-and modifying at least one selected part of the source (2ps) of the protected software by replacing the renaming order of one selected trigger command with the renaming order at least by another renaming order, triggering related functions of the same family.
28. The method of claim 27, comprising:
→ during the protection phase (P), a family of algorithmically equivalent correlation functions is defined for at least one correlation function:
-by connecting the noise field to information defining a functional part of the correlation function for execution in the unit (6),
or by using the identification field (CII) of the instruction and the expected identification field (CIP) of the operandk)。
29. The method of claim 26, 27 or 28, comprising:
→ during the protection phase (P):
● define:
-defining the encryption method of the encryption order as a renaming method of the order,
-and defining as the recovery module (20) the module implementing the decryption renaming order, so as to recover the identity of the correlation function for the decryption method performed in the unit (6).
30. The method of one of claims 2-4, 12-16, 18-20, 22-24, and 26-28, comprising:
→ during the protection phase (P):
● modifying protected software (2p)
-by selecting in the source (2ps) of the protected software at least one conditional branch executed in at least one selected algorithmic process,
-by modifying at least one selected portion of the source (2ps) of the protected software, this modification being such as to carry out, during the execution of the protected software (2p), the functionality of at least one selected conditional branch in the unit (6) through the second execution portion (2peu),
-and by generating:
a first object portion (2pos) of the protected software (2p), said first object portion (2pos) being a functionality to execute at least one selected conditional branch in the unit (6) during execution of the protected software (2p),
and a second object portion (2pou) of the protected software (2p), said second object portion (2pou) being such that, after loading into the unit (6) and during execution of the protected software (2p), a second execution portion (2peu) is present, by means of which second execution portion (2peu) the functionality of at least one selected conditional branch is executed,
→ and during the use phase (U):
●, in the presence of the element (6), and each time a part of the first execution part (2pes) makes use of it, the functionality of at least one conditional branch is executed in the element (6) in order to correctly execute said part, the protected software (2p) therefore functioning completely,
● and in the absence of a unit (6), although a part of the first execution part (2pes) requests the execution of the functionality of a conditional branch in the unit (6), said request cannot be fulfilled correctly, so that at least said part is executed incorrectly, and therefore the protected software (2p) does not function completely.
31. The method according to claim 30, comprising, during the protection phase (P), modifying the protected software (2P):
-by selecting among the sources (2ps) of the protected software at least a series of selected conditional branches,
-performing the full functionality of at least one selected series of conditional branches in the unit (6) through the second execution part (2peu) during the execution of the protected software (2p) by modifying at least one selected part of the source (2ps) of the protected software,
-and by generating:
a first object portion (2pos) of the protected software (2p), said first object portion (2pos) being a functionality to execute at least one selected series of conditional branches in a unit (6) during execution of the protected software (2p),
and a second object portion (2pou) of the protected software (2p), said second object portion (2pou) being such that, after loading into the unit (6) and during execution of the protected software (2p), a second execution portion (2peu) occurs, by means of which second execution portion (2peu) the full functionality of at least one selected series of conditional branches is executed.
32. Method according to one of claims 2-4, 12-16, 18-20, 22-24 and 26-28, comprising dividing the protection phase (P) into preceding protection sub-phases (P) independent of the protected software1) Next protection sub-phase (P) relating to protected software2)。
33. The method of claim 32, comprising, prior to the pre-protection sub-phase (P)1) During which definition stages (S) are inserted during which all definitions are performed11)。
34. The method of claim 33, including, after defining the stage (S11), inserting a construction stage (S12) during which the utilization module is constructed.
35. The method of claim 34, including, after the construction stage (S12), inserting a pre-customization stage (S13), including loading at least a portion of the utilization modules into the blank cells (60) to obtain pre-customization cells (66).
36. The method of claim 33, comprising, during the pre-protection sub-phase (P1), inserting a tool generation stage during which tools are generated that allow to help generate protected software or automated software protection (S14).
37. The method of claim 35, comprising dividing the next protection sub-phase (P2) into:
● a creation stage (S21) during which the self-leaking software (2v) creates protected software (2p),
●, possibly, during which the modification stage of the protected software (2p) is modified (S22),
● and possibly, a customization stage (S23) during which:
-loading a second object portion (2pou), possibly containing protected software (2p) of the exploitation module, into at least one blanking cell (60) in order to obtain at least one cell (6),
-or, in order to obtain at least one unit (6), loading a part of the second object portion (2pou) possibly containing the protected software (2p) making use of the module into at least one pre-customized unit (66).
38. The method of claim 37, including using at least one tool that assists in generating protected software or automated software protection during the creation stage (S21), and possibly during the modification stage (S22).
HK05102678.0A 2001-07-31 2002-07-04 Method to protect software against unwanted use with a "variable" principle HK1070155B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR01/10250 2001-07-31
FR0110250A FR2828305B1 (en) 2001-07-31 2001-07-31 METHOD FOR PROTECTING SOFTWARE USING A PRINCIPLE SAID "VARIABLE" AGAINST ITS UNAUTHORIZED USE
PCT/FR2002/002338 WO2003012649A2 (en) 2001-07-31 2002-07-04 Method for protecting a software using a so-called variable principle against its unauthorised use

Publications (2)

Publication Number Publication Date
HK1070155A1 true HK1070155A1 (en) 2005-06-10
HK1070155B HK1070155B (en) 2007-06-22

Family

ID=

Also Published As

Publication number Publication date
CA2454090A1 (en) 2003-02-13
EA200400057A1 (en) 2004-06-24
ZA200400348B (en) 2005-03-30
OA12699A (en) 2006-06-23
JP3949107B2 (en) 2007-07-25
HRP20040049A2 (en) 2004-06-30
PL367366A1 (en) 2005-02-21
TNSN04012A1 (en) 2006-06-01
IL159953A0 (en) 2004-06-20
EA005465B1 (en) 2005-02-24
ECSP044951A (en) 2004-04-28
GEP20053647B (en) 2005-10-25
WO2003012649A2 (en) 2003-02-13
KR20040027881A (en) 2004-04-01
BR0211374A (en) 2004-07-20
YU5404A (en) 2006-08-17
FR2828305B1 (en) 2010-09-03
CN1288525C (en) 2006-12-06
AU2002325998B2 (en) 2008-10-30
UA77186C2 (en) 2006-11-15
MXPA04000488A (en) 2005-03-07
CR7231A (en) 2005-07-21
NO20040232L (en) 2004-03-30
EP1412861A2 (en) 2004-04-28
MA26126A1 (en) 2004-04-01
AP2004002958A0 (en) 2004-03-31
WO2003012649A3 (en) 2003-12-24
HUP0400228A2 (en) 2004-09-28
CO5550508A2 (en) 2005-08-31
KR100940347B1 (en) 2010-02-04
FR2828305A1 (en) 2003-02-07
IS7121A (en) 2004-01-20
JP2004537806A (en) 2004-12-16
CN1535410A (en) 2004-10-06

Similar Documents

Publication Publication Date Title
CN1754173A (en) Software management system, recording medium and information processing device
CN1875345A (en) Extensible type system for representing and checking consistency of program components during the process of compilation
CN1702634A (en) Facilitating management of storage of a pageable mode virtual environment absent intervention of a host of the environment
CN1282071C (en) Data processor, data processing method and program thereof
CN1950798A (en) Software installation on removable media
CN1591397A (en) Secure data management apparatus
CN1584824A (en) A Architecture of Microprocessor Based on CISC Structure and Its Instruction Realization
CN101030138A (en) Application framework
CN1977531A (en) Program creation device, program test device, program execution device, information processing system
CN1822016A (en) Storage and retrieval of data based on public key coding
CN101040306A (en) Pseudo-random number generator
CN1288524C (en) Method of protecting software against unauthorized use using the "renaming" principle
CN1763712A (en) Method for dynamical determination of actions to perform on a selected item in a web portal GUI environment
CN1313898C (en) Method and system for protecting software from undesired use using the principle of conditional branching
CN1288525C (en) Method for protecting software against unauthorized use by means of the "variable" principle
HK1070155B (en) Method to protect software against unwanted use with a "variable" principle
CN1219253A (en) Data processing condition code flags
HK1071458A (en) Method to protect software against unwanted use with a "temporal dissociation" principle
HK1070154B (en) Method to protect software against unwanted use with a "renaming" principle
CN1552010A (en) Method for protecting a software using a so-called temporal dissociation principle against its unauthorised use
CN1275115C (en) A method of protecting software against unintentional use using the principle of "elementary functions"
CN100336668C (en) Printing system, apparatus and method, printing requesting device and managing device and program
CN100339778C (en) Method for protecting a software using a so-called detection and coercion principle against its unauthorised use
CN1993673A (en) Data processor, data processing program and recording miduem recording the data processing program
HK1078363B (en) Method to protect software against unwanted use with a "detection and coercion" principle