EA005465B1 - Method for protecting a software using a so-called variable principle against its unauthorised use - Google Patents

Abstract

The invention concerns a method for protecting, from at least a unit, a vulnerable software against its unauthorised use, said vulnerable software operating on a data processing system. The method consists in creating a protected software: by selecting in the source of the vulnerable software at least a variable; by producing the source of the protected software by modifying the source of the vulnerable software, so that the selected variable becomes resident in a unit.

Description

Technical field

The present invention relates to the field of data processing systems in the broad sense of the word, and more specifically, the invention relates to means of protection against unauthorized use of a program operating in these data processing systems.

State of the art

The subject of the present invention relates, more specifically, to methods of protecting programs from unauthorized use based on a storage device or a processing and storage device, moreover, this device is usually implemented as a microchip card or hardware key on an I8B port.

In the indicated field of technology, the main problem is associated with unauthorized use of programs by users who have not acquired the right to use them (license). Such illegal use of programs causes obvious harm to manufacturers and sellers of programs, and / or to any other persons who use such programs in their products. In order to avoid creating such illegal copies to protect such programs, a number of solutions have been proposed based on existing technical capabilities.

So, there is a known method of protection, consisting in the use of a hardware security element - a physical device called an electronic security key-dongle (BoyDe). Such a security key should guarantee the execution of the program only in the presence of the key. However, one has to admit that this solution is inefficient, as it is easily dispensed with. An attacker can use special tricks, such as disassembling, to remove security key control commands. At the same time, it becomes possible to make illegal copies of modified versions of the program that do not have any protection. In addition, this solution cannot be extended to all programs due to the complexity of connecting more than two security keys to one system.

Disclosure of invention

Accordingly, the problem solved by the present invention is to eliminate these disadvantages by creating a method of protecting the program from unauthorized access using a storage device or processing and storage device specially created for this purpose, to the extent that the presence of such a device is necessary for full operation programs.

The solution to this problem was achieved in accordance with the invention by creating a method of protection (based on at least one idle device containing at least storage means) against unauthorized use of a vulnerable program that operates in a data processing system. The method according to the invention is that:

in the protection phase:

- create a secure program:

- by selecting the vulnerable program in the source code:

at least one variable, which during the execution of the vulnerable program partially determines its state, and at least one fragment containing at least one selected variable,

- by creating the source code of the protected program on the basis of the source code of the vulnerable program by modifying at least one selected code fragment of the vulnerable program, and this modification is such that during the execution of the protected program at least one selected variable or one copy of the selected variable is in an unused device , which thereby turns into a device,

- and by creating the first part of the object code of the protected program on the basis of the source code of the protected program, the first part of the object code being such that during the execution of the protected program the first executable part is executed, which is executed in the data processing system, and at least one fragment of which takes into account that at least one variable or one copy of the variable is in the device,

- and in the phase of use during which the protected program is executed:

- in the presence of the device, whenever a fragment of the first executable part requires it, use a variable or a copy of the variable located in the device so that the specified fragment is executed correctly, and therefore the protected program is fully functional;

whereas in the absence of a device, despite the request of one fragment of the first executable part to use a variable or a copy of the variable located in the device, it is not possible to correctly answer the specified request, so at least the specified fragment is not executed correctly, and therefore a protected program is not fully functional.

In accordance with a preferred form of implementing the method according to the invention:

- in the protection phase:

modify the protected program:

- by selecting a protected program in the source code:

-1005465 of at least one algorithm that, during the execution of the protected program, uses at least one selected variable and allows to obtain at least one resulting variable, and at least one fragment containing at least one selected algorithm, by modifying at least at least one selected code fragment of a protected program, and this modification is such that:

during the execution of the protected program, the first executable part is executed in the data processing system, and the second executable part is executed in the device, which also contains processing means, at least the functionality of at least one selected algorithm is executed by the second executable part, at least one the selected algorithm is decomposed in such a way that, during the execution of the protected program, several different stages are realized, by means of the second executable part, namely:

providing at least one variable for the device, implementing in the device the functionality of an algorithm performed on at least this variable, and possibly providing at least one resulting variable by the device for the data processing system for at least one selected algorithm the instructions of the steps are determined in such a way that during the execution of the protected program, each command of the step is executed by means of the first executable part and causes this device to execute and performed by the second part, and the ordering of the steps commands is chosen among the ordered assembly, allowing the implementation of the protected software,

- and by creating:

the first part of the object code of the protected program, the first part of the object code being such that during the execution of the protected program the instructions of the steps are executed in accordance with the selected ordering, and the second part of the object code of the protected program, the second part of the object code being such that after loading into an unused device during the execution of the protected program, the second executable part is implemented, through which the steps are performed, the launch of which was called by the first executable part;

and load the second part of the object code into an idle device to obtain the device, and in the phase of use:

in the presence of the device, whenever a stage command contained in a fragment of the first executable part requires it, the corresponding step in the device is performed in such a way that the specified fragment is executed correctly and, therefore, the protected program is fully functional;

whereas in the absence of a device, despite the request of one fragment of the first executable part to start the execution of a stage in the device, it is not possible to correctly answer the specified request, so at least the specified fragment is not executed correctly, and therefore, the protected program does not is fully functional.

In accordance with another preferred embodiment of the method according to the invention, in the phase of protection is determined:

a set of elementary functions, the elementary functions of which can be performed in a device that also contains processing means, and a set of elementary commands for a specified set of elementary functions, and the indicated elementary commands can be executed in a data processing system, causing execution of elementary functions in the device;

design means of operation that allow you to convert an idle device into a device capable of performing elementary functions from the specified set, and the execution of these elementary functions is caused by the execution of elementary commands in the data processing system;

modify the protected program:

by selecting a protected program in the source code:

at least one algorithm that during execution of the protected program uses at least one selected variable and allows to obtain at least one resulting variable, and at least one fragment containing at least one selected algorithm,

-2005465 by modifying at least one selected code fragment of a protected program, said modification being such that:

during the execution of the protected program, the first executable part is executed in the data processing system, and the second executable part is executed in the device, at least the functionality of at least one selected algorithm is executed by the second executable part, at least one selected algorithm is decomposed in such a way that during the execution of the protected program, the specified algorithm is executed by means of the second executable part using elementary functions for at least one The selected algorithm, the elementary commands are integrated into the source code of the protected program so that during the execution of the protected program each elementary command is executed by the first executable part and causes the elementary function to execute, by the second executable part, in the device, and the ordering of elementary commands is selected among the ensemble of orderings, allowing the execution of a protected program,

- and by creating:

the first part of the object code of the protected program, the first part of the object code being such that during the execution of the protected program elementary commands are executed in accordance with the selected ordering, and the second part of the object code of the protected program containing operating means, the second part of the object code being such that after loading into an idle device, during the execution of the protected program, the second executable part is implemented, through which elementary functions are performed, the launch of the cat The first was executed the first part;

and load the second part of the object code into an idle device to obtain the device, and in the phase of use:

in the presence of the device, whenever an elementary command contained in a fragment of the first executable part requires it, perform the corresponding elementary function in the device so that the specified fragment is executed correctly, and therefore the protected program is fully functional;

whereas in the absence of a device, despite a request for a fragment of the first executable part to start execution of an elementary function in the device, it is not possible to correctly respond to the specified request, so at least the specified fragment is not executed correctly, and therefore the protected program does not is fully functional.

In accordance with another preferred form of implementation of the method according to the invention in the phase of protection:

determine a set of elementary functions, the elementary functions of which can be performed in the device, and a set of elementary commands for the specified set of elementary functions, and these elementary commands can be executed in the data processing system, causing the execution of elementary functions in the device;

design means of operation that allow the device to perform elementary functions from the specified set, and the execution of these elementary functions is caused by the execution of elementary commands in the data processing system;

and modify the protected program:

by selecting at least one step in the source code of the protected program that, during the execution of the protected program, implements the functionality of the algorithm, by modifying at least one selected piece of code of the protected program, said modification being such that:

at least one selected stage is decomposed in such a way that during the execution of the protected program the specified step is performed by means of the second executable part using elementary functions, for at least one selected stage the elementary commands are integrated into the source code of the protected program so that during execution of a protected program, each elementary command is executed by the first executable part and causes the device to execute, by the second executable part, the electronic elementary functions, and ordering the elementary commands is chosen ensemble ordering, allowing execution of the protected program, and through the establishment of:

-3005465 of the first part of the object code of the protected program, the first part of the object code being such that during the execution of the protected program elementary commands are executed in accordance with the selected ordering, and the second part of the object code of the protected program, which also contains operating means, the second part of the object code being that after downloading to the device, during the execution of the protected program, the second executable part is implemented, through which elementary functions are performed, the launch of which was called by the first part executed, and in the use phase:

in the presence of the device, whenever an elementary command contained in the part of the first executable part requires it, they perform the corresponding elementary function in the device in such a way that the specified fragment executes correctly, and therefore the protected program is fully functional;

whereas in the absence of a device, despite the request of one fragment of the first executable part to start execution of an elementary function in the device, it is not possible to correctly answer the specified request, so at least the specified fragment is not executed correctly, and therefore, the protected program not fully functional.

In accordance with the following preferred form of implementing the method according to the invention:

at least one characteristic of program execution, which can be monitored at least partially in the device, at least one criterion that must be satisfied for at least one characteristic of program execution, detection means, which should be used in the device and which allow find that at least one characteristic of program execution does not meet at least one relevant criterion, and coercive means that should be used in the device and which allow to inform the data processing system and / or modify the execution of the program until at least one criterion is met;

design means of operation, allowing the device to use the means of detection and means of coercion;

and modify the protected program:

by selecting at least one execution characteristic of the monitored program from among the execution characteristics that can be monitored, by selecting at least one criterion that must be satisfied for at least one selected characteristic of the program execution, by selecting elementary functions in the source code of the protected program, for which at least one characteristic of the execution of the controlled program should be controlled, by modifying at least one selected code fragment of the protected program, said modification being such that during the execution of the protected program at least one selected execution characteristic is controlled by the second executable part and non-compliance with the criterion leads to informing the data processing system and / or to modification of the protected program execution, and by creating the second part of the object code of the protected program containing operating means, also involving detection means I and coercive means, and the second part of the object code is such that after downloading to the device, during the execution of the protected program, at least one characteristic of the program execution is monitored and non-compliance with the criterion leads to informing the data processing system and / or to modification of the execution of the protected program, and in use phase:

in the presence of the device, if all the criteria that meet all the controlled characteristics of the execution of all modified fragments of the protected program are met, allow the nominal functioning of these fragments of the protected program and, therefore, the nominal functioning of the protected program, and if at least one of the criteria that meets the characteristics of the controlled execution of one fragment of a protected program, not observed, inform the data processing system of the indicated non-compliance and / or modifying the operation of the protected fragment of the program so as to secure the functioning of the program was changed.

In accordance with an embodiment of the method according to the invention in the protection phase:

determine

-4005465 as a characteristic of the execution of a program that can be monitored, a variable for quantitative control of the use of one functionality of the program, as a criterion that at least one threshold value associated with each variable for quantitative control, and means of updating, allowing you to update at least one variable for quantitative control;

designing operating tools that allow the device to use update tools;

and modify the protected program:

by selecting as a characteristic of the execution of the controlled program, at least one variable for quantitative control of the use of one functionality of the program, by selecting:

at least one functionality of a protected program, the use of which can be controlled using a variable for quantitative control, at least one variable for quantitative control, which serves to quantify the use of the mentioned functionality, at least one threshold value associated with the selected variable for quantitative control and corresponding to the limit of use of the specified functionality, and according at least one method of updating the value of the specified variable for quantitative control depending on the use of the specified functionality, and by modifying at least one selected code fragment of the protected program, said modification being such that, during the execution of the protected program, the variable for quantitative control is updated by means of the second the executed part, depending on the use of the specified functionality, and at least m If there is one excess of the threshold value, and in the phase of use, in the presence of the device, in case at least one excess of the threshold value is found that corresponds to at least one limit of use, the data processing system is informed about this and / or the functioning of the fragment of the protected program is modified , so that the functioning of the protected program is changed.

In accordance with another embodiment of the method according to the invention:

in the protection phase:

determining several corresponding threshold values for at least one variable for quantitative control, and various coercive means corresponding to each of these thresholds;

and modify the protected program:

by selecting at least one variable for quantitative control in the source code of the protected program with which several threshold values corresponding to different limits of use of functionality should be associated, by selecting at least two threshold values associated with the selected variable for quantitative control, and by modifying at least one selected code fragment of the protected program, said modification being such that during execution Protected programs exceeding various threshold values are taken into account by means of the second executable part in various ways, and in the phase of use:

in the presence of a device:

in the case when an excess of the first threshold value is detected, instruct the protected program not to continue to use the corresponding functionality, and in the case when an excess of the second threshold value is detected, the corresponding functionality and / or at least part of the protected program are not fulfilled.

According to a further embodiment of the method according to the invention, in the protection phase:

determine the means of reloading, allowing to allow at least one additional use of at least one functionality of the program controlled by a variable for quantitative control;

design means of operation that also allow the device to use the means of reboot;

and modify the protected program:

by selecting at least one variable for quantitative control in the source code of the protected program, which allows limiting the use of one functional possibility for which it is possible to permit at least one additional use, and by modifying at least one selected fragment, moreover the specified modification is such that in the reboot phase at least one additional use of at least one functionality sponding one selected variable for the quantitative control can be permitted, and in the restart phase:

updating at least one selected variable for quantitative control and at least one corresponding threshold value so as to allow at least one additional use of the functionality.

In accordance with an embodiment of the method according to the invention in the protection phase:

determine, as a characteristic of the program that can be monitored, the profile of the use of the program, and as a criterion that at least one sign of program execution is to be observed;

and modify the protected program:

by selecting as a characteristic of the execution of the controlled program at least one profile of the use of the program, by selecting at least one sign of the execution of the program that must comply with at least one profile of use, and by modifying at least one selected code fragment of the protected program, the specified modification is such that during the execution of the protected program the second executable part respects all selected signs of execution, and in Use se, in the presence of the device in case it is detected that is not observed at least one feature implementation, inform the data processing system and / or modified parts of the protected program functioning so that the operation of the protected program has been changed.

According to a further embodiment of the method according to the invention, in the protection phase:

determine a set of instructions, instructions from which can be executed in the device, a set of instructions for the specified set of instructions, and instructions can be executed in the data processing system, causing the device to execute instructions, as a usage profile - coupling instructions, as a sign execution - the desired grip for executing instructions, as a means of detection - means to detect that the clutch of instructions does not match the desired, as e means of coercion - means to inform the data processing system and / or modify the functioning of a fragment of a protected program, if the clutch of instructions does not match the desired, design means of operation that allow the device to execute instructions from a set of instructions, and the execution of these instructions is caused by the execution of instructions of the instructions in the processing system data;

and modify the protected program:

by modifying at least one selected code fragment of a protected program:

by transforming elementary functions into instructions, by defining a clutch that at least some of the instructions must follow during their execution on the device, and by converting elementary commands into instructions that correspond to the instructions used, and in the use phase, in the presence of the device , if it is found that the coupling of the instructions executed in the device does not correspond to the desired, inform the data processing system about it and / or modify the functions Partitioning a protected program so that the functioning of the protected program is changed.

In accordance with another preferred form of implementing the method according to the invention in the protection phase:

defined as a set of instructions - a set of instructions in which at least some instructions operate on registers and use at least one operand to produce a result,

-6005465 for at least part of the instructions working on registers:

a part specifying the functionality of the instruction, and a part specifying the desired grip for executing the instructions and containing bit fields corresponding to:

instruction identification field, and for each instruction operand:

the flag field, and the identification field provided for the operand, for each register belonging to the operating means and used by a set of instructions, is the provided identification field, which automatically remembers the identification of the last instruction that returned its result to the specified register, as means of detection, means allowing, during the execution of the instruction for each operand, when the flag field requires it, to control the equality between the generated identification field, respectively Leica Geosystems registers used by said operand, and a field provided for identifying the start address of the operand, and as a means of coercion - means to modify the output of the document, if at least one of the monitored equalities false.

In accordance with another preferred form of implementation of the method according to the invention in the phase of protection:

define, as a start command, an elementary command or instruction command, as a dependent function, an elementary function or instruction, as a setting parameter, at least one argument for a start command corresponding at least partially to the information transmitted by the data processing system to device, to trigger the start of the corresponding dependent function, the method of renaming settings, allowing you to rename settings to receive start commands from enovannymi setting parameters, and recovery means for use in the device in use and allowing to find the phase dependent function to be executed, based on the renamed setup parameter;

design means of operation, allowing the device to use recovery tools;

and modify the protected program:

by selecting the start command in the source code of the protected program, by modifying at least one selected fragment of the protected program code by renaming the settings of the selected start commands to hide the identity of the corresponding dependent functions, and by creating:

the first part of the object code of the protected program, and the first part of the object code is such that during the execution of the protected program run commands with renamed settings are executed, and the second part of the object code of the protected program containing operating tools that also use recovery tools, the second part of the object code such that after downloading to the device, during the execution of the protected program, the identity of the dependent functions, the execution of which is caused by the first executable portion executed by the second recovered portion and dependent functions performed by the second portion performed, and in the use phase:

in the presence of the device, whenever the start command with the renamed settings contained in the fragment of the first executable part requires it, restore the identity of the corresponding dependent function in the device and execute it so that the specified fragment executes correctly, and therefore the protected program is fully functional ;

whereas in the absence of a device, despite the request of a fragment of the first executable part to start the execution of a dependent function in the device, it is not possible to correctly respond to the specified request, so at least the specified fragment is not executed correctly, and therefore, the protected program does not is fully functional.

In accordance with one embodiment of the method according to the invention in the protection phase:

determining for at least one dependent function a family of dependent functions, algorithmically equivalent, but called by start commands, the renamed settings of which are different;

and modify the protected program:

-7005465 by selecting at least one start command with renamed settings in the source code of the protected program and by modifying at least one selected piece of the protected program code by replacing at least the renamed settings of the start command with the selected set of settings by other renamed settings, which causes the start of a dependent function from the same family.

According to an embodiment, the method according to the invention comprises:

in the protection phase, determining for at least one dependent function a family of algorithmically equivalent dependent functions by linking the noise field with information defining the functional part of the dependent function that is performed in the device, or by using the instruction identification field and identification fields provided for the operand.

In accordance with an embodiment of the method according to the invention, the following are determined in the protection phase:

as a method for renaming settings — the encoding method for encoding the settings, and as recovery tools — tools that use the decoding method to decode the renamed settings and restore the identity of the dependent functions that need to be performed on the device.

In accordance with another preferred form of implementing the method according to the invention in the protection phase:

modify the protected program by selecting at least one conditional transition performed in at least one selected algorithm in the source code of the protected program by modifying at least one selected fragment of the protected program code, said modification being such that, during the execution of the protected program, the functional the possibility of at least one selected conditional transition is performed by the second executable part, in the device, and by means of I have:

the first part of the object code of the protected program, the first part of the object code being such that during the execution of the protected program the functionality of at least one selected conditional transition is executed in the device, and the second part of the object code of the protected program, the second part of the object code being such that after download to the device, during the execution of the protected program, the second executable part is implemented, through which the functionality of at least one choice annogo conditional jump, and in the use phase:

in the presence of the device, whenever a fragment of the first executable part requires it, at least one selected conditional transition is performed in the device in such a way that the fragment is executed correctly and, therefore, the protected program is fully functional;

and in the absence of a device, despite a request for a fragment of the first executable part to perform conditional transition functions in the device, it is not possible to correctly answer the specified request, so at least the specified fragment is not executed correctly, and therefore, the protected program is not fully functional.

According to a further embodiment of the method according to the invention, the protected program is modified in the protection phase:

by selecting at least one series of selected conditional transitions in the source code of the protected program, by modifying at least one selected code fragment of the protected program, said modification being such that, during the execution of the protected program, the global functionality of at least one selected series of conditional transitions performed in the device by means of a second executable part, and by creating:

the first part of the object code of the protected program, and the first part of the object code is such that during the execution of the protected program the functionality of at least one selected series of conditional jumps is performed in the device, and the second part of the object code of the protected program, and the second part of the object code is such that after downloading to the device, during the execution of the protected program, the second executable part is implemented, through which the global functionality of at least EPE one chosen series of conditional branches.

-8005465

The method according to the invention also allows you to protect the use of the program by using a storage device, the feature of which is the ability to contain part of the program. It follows that any derivative version of a program that tries to function without a storage device will require the reconstruction of part of the program contained in the storage device during execution. As a result, this derivative version of the program will not be fully functional.

Brief Description of the Drawings

Other various features of the invention will become apparent from the following description, given with reference to the accompanying drawings, which show, by way of non-exhaustive examples, possible variations and forms of realization and use of the invention.

FIG. 10 and 11 are functional block diagrams illustrating various representations of a program, respectively, insecure and secure in accordance with the invention.

In FIG. 20-22 are shown as examples of various forms of execution of the device for implementing the method according to the invention.

FIG. 30 and 31 are functional block diagrams explaining the general principle of the method according to the invention.

FIG. 40-43 are diagrams illustrating a method that implements the principle of protection with a variable.

FIG. 50-54 are diagrams illustrating a method that implements the principle of protection using time division.

FIG. 60-64 are diagrams illustrating a method that implements the principle of protection using elementary functions.

FIG. 70-74 are diagrams illustrating a method that implements the principle of protection through detection and coercion.

FIG. 80-85 are diagrams illustrating a protection method that implements the principle of protection by renaming.

FIG. 90-92 are diagrams illustrating a method of protection that implements the principle of protection using conditional branching.

FIG. 100 is a diagram illustrating various phases of the invention of the protection of the protection of the protection of the protection according to according to according to according to according to the invention, invention, invention, invention, invention, invention.

In FIG. 110 shows an example implementation of a system that allows you to implement the stage of construction of the protection phase according to the invention.

In FIG. 120 shows an example implementation of a pre-personalization device used in the protection method according to the invention.

In FIG. 130 shows an example implementation of a system that allows the implementation of the step of manufacturing the means for the protection phase according to the invention.

In FIG. 140 shows an example implementation of a system that allows you to apply the protection method according to the invention.

In FIG. 150 is an example implementation of a personalization device used in the security method of the invention.

The implementation of the invention

In the following description, the following definitions are used:

• Data processing system 3 is a system capable of executing a program.

• Storage device - a device capable of receiving data transmitted by data processing system 3, placing data and returning it upon request of data processing system 3.

A processing and storage device is a device capable of: • receiving data transmitted by a data processing system 3, • returning data to a data processing system 3, • storing data in secret, at least partially, and preserving at least part of it even when the device is disconnected from the power, and • perform algorithmic data processing, and this processing is partially or completely secret.

• Device 6 - a storage device or a processing and storage device that implements the method according to the invention.

• An idle device 60 is a device that does not use the method according to the invention, but which can receive information turning it into device 6.

• An idle device 60 may become a device 6 during execution of a program protected by the method according to the invention, and after execution again become an idle device 60.

• The pre-personalized device 66 is an idle device 60 that has received a piece of information that allows it, after receiving additional information, to be converted to device 6.

-9005465 • Downloading data to an idle device 60 or to a pre-personalized device 66 corresponds to transferring information to an idle device 60 or to a pre-personalized device 66 and storing the specified transmitted data. The transmission of information may include changing its format.

• A variable, quantity or function contained in the data processing system 3 is hereinafter indicated in capital letters, and a variable, quantity or function contained in the device 6 is hereinafter indicated in lowercase letters.

• A protected program is a program that has been protected based on at least one security principle implemented in the method according to the invention.

• Vulnerable program - a program that has not been protected by any of the protection principles implemented in the method according to the invention.

• When the distinction between a vulnerable and a protected program is not significant, the term program is used.

• The program can be presented in various forms in accordance with the moment of its life cycle, ie, as:

source code, object code, distribution, dynamic representation.

• Representation of a program in the form of source code is understood as a representation that, after conversion, gives a representation in the form of object code. Presentation in the form of source code can be represented at various levels, from the abstract conceptual level to the level directly performed by the data processing system or processing and storage device.

• The object representation of the program (representation at the level of the object code) corresponds to the level of representation at which the program, after being transferred to the distribution kit and then loaded into the data processing system or processing and storage device, can be executed. This can be, for example, binary code, interpreted code, etc.

• A distribution is a physical or virtual medium containing an object representation, and this distribution must be made available to the user in order to allow him to use the program.

• The dynamic view corresponds to the execution of the program from the distribution.

• A program fragment corresponds to any part of it and may, for example, correspond to one or more instructions (sequential or not) and / or one or more function blocks (sequential or not), and / or one or more functions, and / or one or several subprograms, and / or one or more modules. A fragment of the program can correspond to the entire program completely.

In FIG. 10 and 11 show various representations of respectively vulnerable program 2ν in general form and program 2p protected according to the invention.

In FIG. Figure 10 shows various representations of the vulnerable 2ν program that appear during its life cycle. The vulnerable 2ν program can appear in one of various forms, i.e., as:

source code 2ν§;

object code 2νο;

2νά distribution, which can usually be provided on physical media, for example, on a CD, or in the form of files transmitted over the network (according to the C8M standard, over the Internet, etc.);

in the form of a dynamic representation of 2us. corresponding to the execution of the vulnerable program 2ν in the data processing system 3 of any known types, which in the classical case contain at least one processor 4.

FIG. 11 illustrates various representations of a secure 2p program appearing during its life cycle. A protected 2p program may also appear in the form of a • source code (view) 2p§ containing the first part of the source code for the data processing system 3, and possibly the second part of the source code for the device 6, and some of these parts of the source code can usually be contained in shared files;

• an object representation of 2po containing the first part 2po§ of the object code, intended for the data processing system 3, and, possibly, the second part of the 2poi object code, intended for the device 6;

• 2rb distribution kit containing:

• the first part of 2rb§ of the distribution package containing the first part of 2rb§ of the object code, and this first part of 2rb§ of the distribution package is intended for the data processing system 3 and can usually be presented in the form of a distribution package on physical media, such as a CD, or in the form of files transmitted over the network (according to the C8M standard, over the Internet, etc.), and • the second part of the 2rbi distribution, presented in the form of at least one idle device 60,

-10005465 or at least one pre-personalized device 66 into which a part of the second part of the object code part 2 has been downloaded and for which the user must complete personalization by downloading additional information to obtain device 6, this additional information can be obtained, for example, by downloading or transmitting over the network, or at least one device 6, into which the second part 2 of the object code has been downloaded;

or in the form of a dynamic 2p representation corresponding to the execution of a 2p protected program. This dynamic representation of 2p contains the first executable part of 2pc5. which runs in the data processing system 3, and a second run part 2, which runs in the device 6.

In the case where the difference between the various representations of the protected program 2p is not significant, the expressions the first part of the protected program and the second part of the protected program are used.

The implementation of the method according to the invention in accordance with the dynamic representation illustrated in FIG. 11 uses a protection device 1p comprising a data processing system 3 connected by a communication line 5 to the device 6. The data processing system 3 may be of any type and typically comprises at least one processor 4. The data processing system 3 may be a computer or be part, for example, of various machines, devices, stationary or movable products, including any vehicles. The communication line 5 can be implemented in any possible way, for example, via a serial transmission line, via an I8V bus, by radio, by an optical channel, by a network, or through a direct electrical connection to a circuit of a data processing system 3, etc. It should be noted that the device 6 may be physically located inside the same integrated circuit as the processor 4 of the data processing system 3. In this case, the device 6 can be considered as a coprocessor with respect to the processor 4 of the data processing system, and the communication line 5 is an internal communication line in the integrated circuit.

In FIG. 20-22 are given as examples that do not exhaust the possible options, various forms of implementation of the protection device 1p, allowing to implement the protection method corresponding to the invention.

In the embodiment of FIG. 20, the protection device 1p comprises, as a data processing system 3, a computer and, as a device 6, a microchip card 7 and its interface 8, commonly referred to as a card reader. Computer 3 is connected to device 6 via communication line 5. During the execution of the protected program 2p, the first executable part 2p§, which is executed in the data processing system 3, and the second executable part 2pree, which is executed on the microchip card 7 and in its interface 8, must be functional so that the protected program 2p is fully functional.

In the embodiment of FIG. 21, the protection device 1p is contained in the general product 9, containing various organs 10 adapted to the function or functions realized by such product 9. The protection device 1p contains, on the one hand, a data processing system 3 integrated in the product 9, and, with on the other hand, the device 6 associated with the product 9. For the product 9 to be fully functional, the secure program 2p must be fully functional. So, during the execution of the protected program 2p, both the first executable part 2re§, which is executed in the data processing system 3, and the second executable part 2rea, which is executed on the device 6, must be operational. This secure 2p program, therefore, indirectly protects the product 9 or one of its functionality from unauthorized use. The product 9 may be, for example, an installation, system, machine, toy, household appliance, telephone.

In the embodiment of FIG. 22, the protection device 1p comprises a plurality of computers, as well as part of a communication network. The data processing system 3 is a first computer connected via a network type communication line 5 to a device 6, which is a second computer. To implement the invention, the second computer 6 is used as a license server for a secure 2p program. During the execution of the protected program 2p, the first executable part 2p§, which is executed in the first computer 3, and the second executable part 2pree, which is executed in the second computer 6, must be functional so that the protected program 2p is fully functional.

FIG. 30 makes it possible to explain more precisely the protection method according to the invention. It should be noted that the vulnerable program 2ν is considered to be executed completely in the data processing system 3. On the contrary, in the case of the implementation of the protected program 2p, the data processing system 3 comprises transmission means 12 connected by a communication line 5 to the transmission means 13 constituting a part of the device 6, which allows the first executable part 2р§ and the second executable part 2rea of the protected program 2p to communicate with each other.

It should be borne in mind that the transmission means 12, 13 are implemented programmatically or financially and are able to provide and, possibly, optimize data transfer between the data processing system 3

-11005465 and device 6. These transmission means 12, 13 are adapted to allow the use of a secure program 2p, which is preferably independent of the type of communication line 5 used. These transmission means 12, 13 are not the subject of the invention and are not described in more detail, since they are well known in the art. The first part of the 2p protected program contains commands. During the execution of the protected program 2p, the execution of these commands by the first executable part 2Р§ allows communication between the first executable part 2Р§ and the second executable part 2Рё. In the further description, these commands are presented in the form of ИТ, ICU or TJC.

As shown in FIG. 31, in order to enable the implementation of the second executable part 2 of the protected program 2p, the device 6 comprises security means 14. If the device 6 is a storage device, the means of protection 14 contain a means of 15 storage. If the device 6 is a processing and storage device, the means of protection 14 contain means 15 of storage and means 16 of the processing.

To simplify the further description, we assume that during the execution of the protected program 2p, device 6 is present or device 6 is absent. In fact, the device 6, in the case when it contains means of protection 14 that are not adapted to the execution of the second executable part 2 of the protected program 2p, is also considered absent every time the execution of the protected program 2p is not correct.

In other words:

a device 6, physically present and containing protection means 14 adapted to execute the second executable part 2 of the protected program 2 p, is always considered to be present;

a device 6 that is physically present, but containing unsuitable means of protection 14, that is, which does not allow the correct implementation of the second run part 2 of the protected program 2p, is considered as present if it functions correctly, and as absent if it does not function correctly;

device 6, physically absent, is always considered as absent.

If the device 6 consists of a card 7 with a microchip and its interface 8, the transmission means 13 is divided into two parts, one of which is on the interface 8, and the other on the card 7 with a microchip. In this implementation example, the absence of a card 7 with a microchip is considered the equivalent of the absence of the device 6. In other words, in the absence of a card 7 with a microchip and / or its interface 8, the security means 14 are unavailable and, therefore, do not allow the second executable part 2 of the protected program to be executed, so the protected 2p program is not fully functional.

According to the invention, the protection method is aimed at implementing the so-called principle of protection using a variable, the description of which is given with reference to FIG. 40-43.

To implement the protection principle with the help of a variable in the source code 2ν§ of the vulnerable program, at least one variable is selected, which during the execution of the vulnerable program 2ν partially determines its state. Under the state of the program refers to the totality of information currently necessary for the full implementation of this program. Thus, the absence of the specified selected variable prevents the full execution of this program.

At least one piece of source code 2ν§ of the vulnerable program containing at least one selected variable is also selected.

At least one selected piece of code 2ν§ of the vulnerable program in this case is modified to obtain the source code 2р§ of the protected program. This modification is such that during the execution of the protected program 2p, at least one fragment of the first executable part 2p§, which is executed in the data processing system 3, takes into account that at least one selected variable or at least one copy of the selected variable is in the device 6. To implement the protection principle with a variable, device 6 comprises at least storage means 15.

In FIG. 40 shows an example of the representation of the vulnerable 2ν program. In this example, during the execution of the vulnerable program 2ν in the data processing system 3, there are:

• at the moment 1 ₁ assignment of the value of X to the variable which is represented as ν ₁ ^ X;

• at time ΐ _2, assigning the value of the variable VI to the variable Υ, which is represented as Υ ν ₁ ;

• at the moment 1 ₃ assignment of the value of the variable VI to the variable Ζ, which is represented as Ζ VI.

In FIG. 41 is an example of a first embodiment of the invention for which a variable is located in device 6. In this example, during execution in the data processing system 3 of the first executable part 2р§ of the protected program 2p in the presence of device 6, the following are carried out:

• at the moment ΐΐ the execution of the transfer command, causing the transfer of this X from the data processing system 3 to the variable νμ located in the means 15 of the storage device 6, and this

-12005465 the transfer command is represented as ΘυΤ (νι, X) and corresponds upon completion of the assignment of the value X to the variable ν ₁ ;

• at time ΐ _{2, the} execution of the transfer command, causing the transfer of the value of the variable ν ₁ located in the device 6, to the data processing system 3 to assign its value to the variable Υ, and this transfer command is presented as ΙΝ (ν ₁ ) and corresponds to the assignment upon completion the values ν _{ί of the} variable Υ;

• at time ΐ _{3, the} execution of the transfer command, causing the transfer of the value of the variable ν ₁ located in the device 6, to the data processing system 3, to assign its value to the variable причем, and this transfer command is represented as ΙΝ (ν ₁ ) and corresponds to the completion of the value assignment ν _{1 of the} variable Ζ.

It should be noted that during the execution of the protected program 2p, at least one variable is located in the device 6. So, when it is required by the part of the first executable part 2Р§ of the protected program 2p, in the presence of the device 6, the value of this variable located in the device 6 is transmitted data processing system 3, in order to be used by the first executable part 2p§ of the protected program 2p so that this part is executed correctly, and therefore, the protected program 2p is fully functional.

In FIG. 42 is an example of a second embodiment of the invention for which a copy of the variable is located in device 6. In this example, during the execution in the data processing system 3 of the first executable part 2р§ of the protected program 2p in the presence of device 6, the following are performed:

• at time ΐ _{1, the} assignment of the value X to the variable ν ₁ located in the data processing system 3, as well as the execution of a transfer command, causing the transfer of this X from the data processing system 3 to the variable ν ₁ located in the means 15 of the storage device 6, this command the transmission is represented as 0υΤ (ν ₁ , X);

• at the moment ΐ ₂ - assignment of the value of the variable ν _{1 to the} variable Υ;

• at the moment ΐ ₃ - execution of the transfer command, causing the transfer of the value of the variable ν ₁ located in the device 6 to the data processing system 3 to assign its value to the variable Ζ, and this transfer command is represented as как (ν1).

It should be noted that during the execution of the protected program 2p, at least one copy of one variable is located in device 6.

So, when the part of the first executable part 2Р§ of the protected program 2Р, in the presence of the device 6 requires it, the value of this copy of the variable located in the device 6 is transmitted to the data processing system 3 to be used by the first executable part 2Р§ of the protected program 2Р thus so that this part is executed correctly and, therefore, the protected 2p program is fully functional.

In FIG. 43 is an example of an attempt to execute a protected program 2p in the absence of device 6. In this example, during the execution in the data processing system 3 of the first executable part 2p§ of the protected program 2p:

• at time ΐ _{1, the} execution of the transfer command 0υΤ (ν ₁ , X) cannot cause the transfer of this X variable ν ₁ , given the absence of device 6;

• at time ΐ _{2, the} execution of the transfer command ΙΝ (ν ₁ ) cannot cause the value of the variable ν1 to be transmitted to the data processing system 3, given the absence of device 6;

• at the moment ΐ _{3, the} execution of the transfer command ΙΝ (ν ₁ ) cannot cause the transfer of the value of the variable ν1 to the data processing system 3, given the absence of device 6.

Thus, it seems that in the absence of device 6, at least one request for one fragment of the first executable part 2р§ to use a variable or a copy of a variable located in device 6 cannot be correctly executed, so at least this part does not runs correctly, and therefore, the 2p protected program is not fully functional.

It should be noted that the data transfer processes between the data processing system 3 and the device 6 use only simple assignments (as illustrated in the above examples). However, the specialist will be able to combine them with other operations to obtain complex operations, for example, 0υΤ (ν ₁ , 2 * X + 3) or Ζ (5 * ν ₁ + ν ₂ ).

According to another preferred characteristic of the invention, the protection method is oriented towards the implementation of the protection principle, called time division, described with reference to FIG. 50-54.

To implement the protection principle by dividing in time in the source code 2ν§ of the vulnerable program at least one algorithm is selected that uses at least one operand and produces at least one result. At least one piece of source code 2у5 of the vulnerable program containing at least one selected algorithm is also selected.

At least one selected piece of code 2ν§ of the vulnerable program in this case is modified to obtain the source code 2р§ of the protected program. This modification is such that:

-13005465 during execution of the protected 2p program, at least one fragment of the first 2pc5 executable part. which is performed in the data processing system 3, takes into account that the functionality of at least one selected algorithm is executed in the device 6;

during the execution of the protected program 2p, the second executable part 2rea, which is executed in the device 6, performs at least the functionality of at least one selected algorithm;

during the execution of the protected 2p program, each selected algorithm is decomposed into several different stages, namely:

step 1 — providing at least one variable for the device 6, step 2 — executing the selected algorithm in the device 6 using this or these operands, step 3 — possible providing the result of the selected algorithm to the data processing system 6;

the instructions of the steps are determined in such a way as to cause the execution of the steps, and the ordering of the instructions of the steps is selected among the ensemble of orderings that allow the execution of the protected 2p program.

The first executable part 2p§ of the protected program 2p, which is executed in the data processing system 3, executes the commands of the steps, which causes the device 6 to execute, by means of the second executable part 2preya, of each of the above steps. To implement the principle of protection by temporary separation, the device 6 contains means 15 for storing and means 16 for processing.

In FIG. 50 shows an example of the execution of the vulnerable program 2ν. In this example, during the execution of the vulnerable program 2ν in the data processing system 3, at the given time, Ζ P (X, Υ) is calculated corresponding to assigning to the variable Ζ the result of the execution of the algorithm represented by the function P and using the operands X and Υ.

In FIG. 51 shows an example implementation of the invention in which the processing of the selected algorithm (Fig. 50) is transferred to device 6. In this example, during the execution of the first executable part 2Р§ of the protected program 2Р in the presence of device 6 in the data processing system 3, the following takes place:

at the moment £ ₁ - stage 1, namely the execution of the CE command! stage, causing the transfer of data X and Υ from the data processing system 3 in the memory area x and y, respectively, located in the means 15 of the storage device 6, and this command CE! the stage is represented as ICU (x, X), ICU (y, Υ);

at the moment ΐ ₂ - stage 2, namely, the execution of the CE command of the ₂ stage, causing the function £ to be executed in the device 6 by means of the second executable part 2, and this function £ is algorithmically equivalent to the function P. This CE command of the ₂ stage is represented as TJC ( £). More precisely, the execution of the CE instruction _of stage ₂ leads to the execution of the function £, which uses the contents of the memory regions x and y and returns its result to the memory region ζ of the device 6;

at time T, stage 3, namely, the execution of the CE command _{3 of the} stage, causing the transfer of the result of the function £ contained in the ζ memory of device 6 to the data processing system 3 in order to assign its value to the variable Ζ. This CE command of ₃ stages is represented as ΙΝ (ζ). In this example, steps 1 through 3 are performed sequentially.

It should be noted that the following two improvements can be made.

The first improvement concerns the case when one or more algorithms are transferred to device 6 and at least the result of executing one algorithm is used by another algorithm. In this case, some transmission steps may be omitted.

The second improvement aims to properly streamline the teams of steps in the ensemble of orderings, allowing you to run a protected program 2p. In this regard, it is preferable to choose such an ordering of the instructions of the steps that divides the execution of the steps in time, inserting between them sections of the code executed in the data processing system 3 and containing (or not containing) the instructions of the steps for determining other data. FIG. 52 and 53 illustrate the principle of such an implementation.

In FIG. 52 shows an example of the execution of the vulnerable program 2ν. In this example, during the execution of the vulnerable program 2ν in the data processing system 3, two algorithms are executed leading to the determination of Ζ and Ζ ', such that Ζ P (X, Υ) and Ζ' P '(X', Υ ') .

In FIG. 53 shows an example implementation of the method according to the invention, in which both selected in FIG. 52 algorithms are transferred to the device 6. According to this example, during the execution of the first executable part 2Р§ of the protected program 2Р in the data processing system 3, in the presence of the device 6, the instructions CE ₁ , CE ₂ , CE _{3 of the} steps are executed corresponding to the definition of Ζ, and teams CE ₁ ', CE ₂ ', CE ₃ 'stages corresponding to the definition of Ζ'. As shown in the example, the commands of the steps with CE1 CE3 not performed sequentially as alternate stages with them command CE ₁ 'CE _3', as well as other sections of code. In this example, the following ordering is thus implemented: CE ₁ , inserted code fragment, CE ₂ , inserted code fragment,

-14005465

CE ₁ ', inserted code fragment, CE ₂ ', inserted code fragment, CE ₃ ', inserted code fragment, CE3.

It should be noted that during the execution of the protected program 2p in the presence of the device 6, every time that is required by the step command contained in the first executable part 2p§ of the protected program 2p, the corresponding step is performed in the device 6. Thus, in the presence of the device 6, this part is executed correctly and, therefore, the protected 2p program is fully functional.

In FIG. 54 is an example of an attempt to execute a protected 2p program in the absence of device 6. In this example, during the execution in the data processing system 3 of the first executable part 2p§ of the protected 2p program:

at the moment ΐ ₁ - the execution of the command of the stage of ICU (x, X), ICU (y, Υ) cannot cause the transfer of data X and Υ in the memory area, respectively, x and y, given the absence of device 6;

at the moment ΐ ₂ - the execution of the command of the phase TJC (£) cannot cause the execution of the function £, given the absence of device 6;

and at the moment ΐ ₃ - the execution of the command of stage ΙΝ (ζ) cannot cause the transfer of the result of the function £, given the absence of device 6.

Thus, it seems that in the absence of device 6, at least one request of one fragment of the first executable part 2р§ to start the execution of a step in device 6 cannot be correctly executed, so at least this part is not executed correctly, and, therefore, the protected 2p program is not fully functional.

According to another preferred characteristic of the invention, the protection method is aimed at implementing a protection principle called elementary functions, the description of which is illustrated in FIG. 60-64.

To implement the protection principle by means of elementary functions, a set of elementary functions is determined, the elementary functions of which can be performed by means of the second executable part 2 of the device 6, possibly followed by data transmission between the data processing system 3 and device 6;

and a set of elementary instructions for this set of elementary functions, and these elementary instructions can be executed in the data processing system 3, causing the execution in the device 6 of the corresponding elementary functions.

To implement the protection principle by means of elementary functions, means of operation must also be implemented that make it possible to convert an unused device 60, containing storage means 15 and processing means 16, into a device 6 capable of performing elementary functions. Moreover, the execution of these elementary functions is called the execution of elementary commands in the data processing system 3.

To implement the protection principle by means of elementary functions in the source code 2ν§ of the vulnerable program, at least one algorithm is also selected that uses at least one operand and produces at least one result. At least one piece of source code 2ν§ of the vulnerable program containing at least one selected algorithm is also selected.

At least one selected piece of code 2ν§ of the vulnerable program in this case is modified in such a way as to obtain the source code 2р§ of the protected program. This modification is such that:

during the execution of the protected program 2p, at least one fragment of the first executable part 2re5. which is performed in the data processing system 3, takes into account that the functionality of at least one selected algorithm is executed in the device 6;

during the execution of the protected program 2p, the second executable part 2rea, which is executed in the device 6, implements at least the functionality of at least one selected algorithm;

each selected algorithm is decomposed in such a way that during the execution of the protected 2p program, each selected algorithm is executed by the second executable part 2preya using elementary functions. Each selected algorithm is preferably decomposed into elementary functions £ e _p (where η runs through the values from 1 to Ν), namely:

perhaps one or more elementary functions that allow one or more operands to be provided for device 6, elementary functions, some of which use one or more operands and which in combination implement the functionality of the selected algorithm using these operands, and, possibly, one or more elementary functions, allowing through the device 6 to provide the data processing system 3 with the result of the selected algorithm;

moreover, the ordering of elementary commands is selected in the ensemble of orderings, allowing to execute the protected 2p program.

-15005465

The first executable part 2p§ of the protected program 2p, which is executed in the data processing system 3, executes the elementary CEEP instructions (where η runs through the values from 1 to Ν), which causes the device 6 to execute, by means of the second executable part 2preya, of each of the above elementary functions Ge _p .

In FIG. 60 shows an example of the execution of the vulnerable program 2ν. In this example, during the execution of the vulnerable program 2ν in the data processing system 3, at the given moment, the calculation Ζ Е (X, Υ) is performed, corresponding to assigning to the variable Ζ the result of the execution of the algorithm represented by the function E and using the operands X and Υ.

In FIG. 61 is an example embodiment of the invention in which the execution of the selected algorithm corresponding to FIG. 60, transferred to the device 6. In this example, during the execution in the data processing system 3 of the first executable part 2Р§ of the protected program 2Р, in the presence of the device 6, there are:

at moments ΐ ₁ , ΐ ₂ - the execution of elementary commands CEE ₁ , CEE ₂ , causing the device 6 to execute, by means of the second executable part 2, corresponding elementary functions Ge ₁ , Ge ₂ , which provide the transmission of data X, Υ from the data processing system 3 in the memory area, respectively, x and y, located in the means 15 for storing the device 6, and these elementary commands CEE ₁ , CEE _{2 are} represented respectively as OIT (x, X), OIT (y, Υ);

at moments ΐ ₃ to ΐ _Ν-1 - the execution of elementary commands CEE ₃ to CEE „, causing the device 6 to execute, by means of the second executable part 2, the corresponding elementary functions Ge ₃ to Ge,. and moreover, these elementary commands to CEE ₃ according to CEE „are presented, respectively, as TWY (Ge ₃ ) - TB1C (Ge \ _- |). The sequence of elementary functions from Ge ₃ to Ge, which are performed in combination, is algorithmically equivalent to function E. More precisely, the execution of these elementary commands leads to the execution of 6 elementary functions Ge ₃ to Ge, which use the contents of the memory areas x, y and returning the result to the memory region ζ of the device 6;

at the moment ΐ _Ν - execution of the elementary command CEE ·., ·. causing the execution in the device 6, by means of the second executable part 2rea, of the elementary function Ge, which provides the transfer of the result of the algorithm contained in the ζ memory of the device 6 to the data processing system 3 to assign this result to the variable Ζ, and this elementary CPE command is represented as ΙΝ (ζ).

In the above example, elementary commands 1 through Ν are executed sequentially. It should be noted that the following two improvements can be made.

The first improvement concerns the case when one or more algorithms are transferred to device 6 and at least the result of executing one algorithm is used by another algorithm. In this case, some elementary instructions serving for transmission may be excluded.

The second improvement is aimed at the proper ordering of elementary teams in the ensemble of orderings, allowing to execute the protected 2p program.

In this regard, it is preferable to choose an ordering of elementary instructions that divides the execution of elementary functions in time, inserting between them sections of code executed in the data processing system 3 and contains (or does not contain) elementary instructions that serve to determine other data. FIG. 62 and 63 illustrate the principle of such an implementation.

In FIG. 62 shows an example of the execution of the vulnerable program 2ν. In this example, during the execution of the vulnerable program 2ν in the data processing system 3, two algorithms are executed leading to the determination of Ζ and Ζ ', such that Ζ Е (X, Υ) and Ζ' Е '(X', Υ ').

In FIG. 63 is an example implementation of the method according to the invention, in which the execution of both selected algorithms corresponding to FIG. 62, transferred to the device 6. In accordance with this example, during the execution of the first executable part 2Р§ of the protected program 2Р in the data processing system 3, in the presence of the device 6, as explained above, elementary instructions CEE ₁ through CEE are executed ,, corresponding to the definition of Ζ, and the execution of elementary commands from CEE ₁ 'to CEE _M ', corresponding to the definition of Ζ '. As shown in this figure, elementary commands CEE ₁ through CEE are not executed sequentially, i.e. elementary commands from CEE ₁ 'to CEE _M ', as well as other sections of the code alternate. In this example, the following ordering is thus implemented: CEE ₁ , inserted code fragment, CEE ₁ ', CEE ₂ , inserted code fragment, CEE ₂ ', CEE ₃ ', inserted code fragment, CEE ₄ ', CEE ₃ , CEE ₄ , ..., CEE ,, CEE _M '.

It should be noted that during the execution of the protected program 2p in the presence of the device 6, whenever the elementary command contained in the first executable part 2p§ of the protected program 2p requires it, the corresponding elementary function is performed in the device 6. Thus, it seems that in in the presence of device 6, this part is executed correctly and, therefore, the protected 2p program is fully functional.

In FIG. 64 is an example of an attempt to execute a protected program 2p in the absence of device 6. In this example, during execution in the data processing system 3 of the first executable part

-16005465

2p§ of the 2p protected program, the execution of an elementary command at no time can cause the corresponding elementary function to start due to the absence of device 6. The value that must be assigned to the variable Ζ cannot, therefore, be determined correctly.

Thus, it seems that in the absence of device 6, at least one request of one fragment of the first executable part 2p§ of the protected program 2p to start execution of an elementary function in device 6 cannot be correctly executed, so at least this part is not executed correctly, and therefore, the protected 2p program is not fully functional.

According to another preferred characteristic of the invention, the protection method is aimed at implementing the protection principle called detection and coercion, which is described with reference to FIG. 70-74.

To implement the principle of protection through detection and coercion are determined:

at least one characteristic of the execution of the program, which can be monitored at least partially in the device 6;

at least one criterion that must be met for at least one characteristic of program execution;

• means of detection 17, which must be used in the device 6 and which make it possible to detect that at least one characteristic of program execution does not meet at least one relevant criterion;

• means of coercion 18, which must be used in the device 6 and which allow to inform the data processing system 3 and / or modify the execution of the program until at least one criterion is met.

To implement the principle of protection by means of detection and coercion, means of operation are also designed to convert an idle device 60, containing storage means 15 and processing means 16, into a device 6 that at least implements detection means 17 and coercion means 18.

In FIG. 70 shows the means necessary to implement the principle of protection through detection and coercion. The device 6 comprises detection means 17 and enforcement means 18 belonging to the processing means 16. The enforcement means 18 receives information about non-compliance with the criterion from the detection means 17.

More specifically, the detection means 17 use information coming from the transmission means 13 and / or from the storage means 15 and the processing means 16 so that one or more of the program execution characteristics is respected. Each characteristic of program execution is associated with at least one criterion that must be observed.

If it is found that at least one characteristic of program execution does not satisfy at least one criterion, the detection means 17 inform the enforcement means 18 about this. These coercive means 18 are adapted to change the state of the device 6 accordingly.

To implement the principle of protection through detection and coercion, the following should also be selected:

at least one performance characteristic of the monitored program, among the performance characteristics that can be monitored;

at least one criterion that must be met for at least one selected program execution characteristic;

in the source code 2ν§ of the vulnerable program, at least one algorithm for which at least one characteristic of the program execution is to be controlled;

in the source code 2ν§ of the vulnerable program, at least one fragment containing at least one selected algorithm.

When these conditions are met, at least one selected fragment of the 2ν§ code of the vulnerable program is modified to obtain the source code 2р§ of the protected program. This modification is such that it is during the execution of the 2p protected program:

at least one fragment of the first executable part 2р§, which is executed in the data processing system 3, takes into account that at least one execution characteristic of the selected program must be monitored at least partially in the device 6;

the second run part 2, which is executed in the device 6, controls at least partially one characteristic of the execution of the selected program.

During the execution of program 2p, protected by the principle of detection and coercion, in the presence of device 6, the following situation occurs:

if all the criteria that meet all the controlled performance characteristics of all the modified fragments of the protected program 2p are met, these modified fragments of the protected program 2p are functioning properly and, therefore, the protected program 2p is functioning properly;

-17005465 if at least one of the criteria corresponding to the characteristic of the controlled execution of one fragment of the protected program 2p is not met, the data processing system 3 is informed about this and / or the functioning of the fragment of the protected program 2p is modified so that the functioning of the protected program 2p is changed .

Naturally, in the absence of device 6, at least one request from one fragment of the first executable part 2Р§ of the protected program 2Р to use device 6 cannot be correctly executed, so at least this part is not executed correctly, and therefore, the protected 2p program is not fully functional.

To implement the protection principle through detection and coercion, it is preferable to use two types of program execution characteristics.

The first type of program execution characteristics corresponds to the program execution control variable, and the second type corresponds to the program usage profile. Both of these types of characteristics can be used independently or in combination.

To implement the protection principle through detection and coercion, which uses the program execution control variable as a characteristic of program execution, the following must be defined:

in the storage means 15, the ability to remember at least one control variable that serves as a quantitative characteristic of the use of at least one program functionality;

in detection means 17, the ability to observe at least one threshold value associated with each control variable;

update tools to update each control variable depending on the use of the functionality with which it is associated.

Designed also means of operation, which involve, in addition to means 17 of the detection and means 18 of coercion, also means of updating. In addition, in the source code 2ν§ of the vulnerable program, the following are selected:

at least one functionality of the vulnerable 2ν program, the use of which can be controlled using a variable for quantitative control;

at least one variable for quantitative control, serving as a quantitative characteristic of the specified functionality;

at least one threshold value associated with the variable for quantitative control and corresponding to the limit of use of the specified functionality;

and at least one method of updating the variable for quantitative control in accordance with the use of the specified functionality.

The source code 2ν§ of the vulnerable program is then modified to obtain the source code 2p§ of the protected program, and this modification is such that, during the execution of the protected program 2p, the second part 2reya being executed updates the value of the variable for quantitative control in accordance with the use of this functionality;

and takes into account at least one exceeding the threshold value.

In other words, during the execution of the protected program 2p, the value of the variable for quantitative control is updated in accordance with the specified functionality and, if the threshold value is exceeded, the detection means 17 inform the enforcement means 18 that make a decision adapted to inform the system 3 data processing and / or modify the processing carried out by means of processing 16. This allows you to modify the functioning of the fragment of the protected program 2p so that the functioning of the protected program 2p has been changed.

To implement the first preferred embodiment of the principle of protection using detection and coercion, using as a characteristic a variable for quantitative control, determine:

for at least one variable for quantitative control, several corresponding threshold values;

and various coercive means corresponding to each of these thresholds.

The source code 2ν§ of the vulnerable program also selects at least one variable for quantitative control, which serves as a quantitative characteristic of the use of at least one functionality of the program with which several threshold values must be associated, corresponding to different limits of use of the specified functionality;

and at least two threshold values associated with the variable for quantitative control.

-18005465

The source code 2ν8 of the vulnerable program is then modified to obtain the source code 2p§ of the protected program. This modification is such that, during the execution of the protected program 2p, the second part 2reya being executed updates the value of the variable for quantitative control in accordance with the use of the indicated functionality;

and differently takes into account the excess of different threshold values.

In other words, in the usual case, during the execution of the protected program 2p, when the first threshold value is exceeded, the device 6 informs the data processing system 3, instructing the protected program 2p to no longer use this functionality. If the protected 2p program continues to use this functionality, then the second threshold value may be exceeded. If the second threshold value is exceeded, the coercive means 18 can render the selected functionality inoperative and / or make the protected program 2p inoperative.

To implement the second preferred variant of the principle of protection by detection and coercion, using a variable for quantitative control as a characteristic, reloading means are determined that allow at least one additional use of at least one functionality of the program controlled by the variable for quantitative control.

Means of operation are also designed where, in addition to detection means 17, means 18 of coercion and means of updating, also means of reloading are used.

In addition, at least one variable for quantitative control is selected in the source code 2ν§ of the vulnerable program, which serves to limit the use of at least one functionality of the program for which it is possible to permit at least one additional use.

The source code 2ν§ of the vulnerable program is then modified to obtain the source code 2p§ of the protected program, and this modification is such that in the phase called the reboot phase, at least one additional use of at least one functionality corresponding to one selected variable for quantitative control may be allowed.

In the reset phase, at least one selected variable is updated for quantitative control and / or at least one associated threshold value to allow at least one additional use of the corresponding functionality. In other words, in the reboot phase, it is possible to allow additional use of at least one functionality of the 2p protected program.

To implement the principle of protection through detection and coercion, which uses the profile of the use of the program as a characteristic, at least one sign of the execution of the program must be defined as a criterion that must be observed for this profile of use.

In addition, in the source code 2ν§ of the vulnerable program, one selects:

at least one usage profile to be controlled;

and at least one sign of implementation, which must be observed in at least one usage profile.

The source code 2ν§ of the vulnerable program is then modified to obtain the source code 2p§ of the protected program, and this modification is such that during the execution of the protected 2p program, the second part of 2rea that is executed respects all selected execution signs.

In other words, the device 6 itself controls the way that the second run part 2 is executed, and can inform the data processing system 3 and / or modify the operation of the protected program 2p if at least one criterion is not met.

During the execution of program 2p, protected on the basis of this principle, in the presence of device 6, the following situation occurs:

if all the signs of the execution of all modified fragments of the protected program 2p are met, then these modified fragments of the protected program 2p are functioning properly and, therefore, the protected program 2p is functioning properly;

if at least one sign of the execution of one fragment of the protected program 2p is not observed, the data processing system 3 is informed about this and / or the functioning of the fragment of the protected program 2p is modified so that the functioning of the protected program 2p is changed.

You can provide control of various signs of execution, for example, control the availability of instructions containing a label generator, or control the adhesion of the execution of at least one part of the instructions.

-19005465

In order to implement the protection principle by means of detection and coercion, where as a sign of fulfillment that is required to be observed, the control of the fulfillment of at least part of the instructions is used to determine:

a set of instructions, instructions from which can be executed in the device 6;

a set of instruction instructions for this instruction set, and these instruction instructions may be executed in the data processing system 3. The execution of each of these instruction instructions in the data processing system 3 causes the execution of the corresponding instruction in the device 6;

detection means 17 for detecting that the coupling of instructions is not as desired;

coercive means 18, allowing to inform the data processing system 3 and / or modify the execution of the program if the coupling instructions does not match the desired. Tools are also designed that allow the device 6 to execute instructions from a set of instructions, and the execution of these instructions is caused by the execution of instructions in the data processing system 3.

In addition, at least one algorithm is selected in the source code 2νδ of the vulnerable program, which must be transferred to device 6 and for which the coupling of at least part of the instructions should be controlled.

The source code 2νδ of the vulnerable program is then modified to obtain the source code 2p§ of the protected program.

This modification is such that during the execution of the protected 2p program:

the second executable part 2reya performs at least the functionality of the selected algorithm;

the selected algorithm is decomposed into instructions;

the clutch is set, which at least some of the instructions must follow during their execution in the device 6;

the first executable part 2p§ of the protected program 2p executes instructions commands that start the execution of instructions in the device 6.

During the execution of program 2p, protected on the basis of this principle, in the presence of device 6, the following situation occurs:

if the concatenation of the instructions of all the modified fragments of the protected program 2p is as desired, these modified fragments of the protected program 2p are functioning properly and, therefore, the protected program 2p is functioning properly;

if the coupling of the instructions of the fragment of the protected program 2p executed in the device 6 does not match the desired, then the data processing system 3 is informed about this and / or the functioning of the fragment of the protected program 2p is modified so that the functioning of the protected program 2p is changed.

In FIG. 71 is an example of the implementation of the protection principle by detection and coercion, where as a sign of fulfillment that you want to comply with, control is used to control the grip of at least part of the instructions if the desired grip is observed.

The first executable part 2p§ of the protected 2p program, executed in the data processing system 3, executes instructions C1 _{1 of} instructions, which causes the device 6 to execute instructions ί ₁ related to the set of instructions. In a set of instructions, at least some of the instructions contain a part defining the functionality of the instruction and a part allowing checking the desired grip for executing the instructions. In this example, the C1 commands ₁ instructions are represented as TCU (1 ₁ ), and the desired grip for executing the instructions is ί _η , ΐ _{η + 1} and ί _{η + 2} . The execution in the device 6 of the instruction ί _η gives the result a, and the execution of the instruction ΐ _{η + 1} gives the result b. The instruction ί _{η + 2} uses the results a and b of the instructions ί _η and ί _{η + 1} as an operand, and its execution gives the result c.

Given that this coupling of the instructions executed in the device 6 corresponds to what is desired, the operation of the protected program 2p corresponds to the normal or nominal mode.

In FIG. 72 is an example of the implementation of the principle of protection by detection and coercion, where as a sign of fulfillment that you want to comply with, control of the grip of at least part of the instructions is used if the desired grip is not respected.

According to this example, the desired grip for executing instructions is always ί _η , ΐ _{η + 1,} and ί _{η + 2} . However clutch instruction execution is modified by replacing the instructions to an instruction ΐ _η ί _'η such that the clutch is actually performed ί' _η, ΐ _{η + 1} and ί _{η + 2.} Executing the instruction ί ' _η gives the result a, that is, the same result as executing the instruction ΐ _η . However, no later than when executing the instruction ί _{η + 2} , the detection means 17 detect that the instruction ί ' _η does not correspond to the desired instruction for generating the result of a used as an operand for the instruction ί _{η + 2} . Detection means 17 inform enforcement means 18 of this, which can

-20005465, as a result, the operation of the instruction ί _{η + 2} is differentiated, so that the execution of the instruction ί _{η + 2} gives the result c ', which may differ from c.

Of course, if the execution of the instruction ί ' _η gives a result a' different from the result a of the instruction ί _η , it is clear that the result of the execution of the instruction ί _{η + 2} may also differ from c.

Therefore, if the coupling of the execution of the instructions executed in the device 6 does not correspond to the desired, a modification of the functioning of the protected program 2p can be obtained.

In FIG. 73 and 74 show a preferred embodiment of the principle of protection by detection and coercion, where as a sign of execution that you want to comply, control is used to control the execution of at least part of the instructions. In accordance with this preferred embodiment, a set of instructions is defined in which at least some instructions operate on registers and use at least one operand to output a result.

As shown in FIG. 73, at least for a part of the instructions operating on the registers, a part PP that defines the functionality of the instruction and a part PE that defines the desired chaining for executing the instructions are defined. Part of the PP corresponds to the code of operations known to the specialist. The RE part determining the desired grip contains bit fields corresponding to:

instruction identification field C11;

and for each operand to the instruction, where k runs through the values from 1 to K, K is the number of operands of the instruction:

the SE field _{to the} flag indicating whether the origin of operand k should be checked, and the C1P field _{to the} identification provided for the operand and indicating the expected identity of the instruction that generated the contents of operand k.

As shown in FIG. 74, the instruction set contains V registers belonging to the processing means 16, where each register is named Κ _ν (ν runs through the values from 1 to V). For each register Κ _ν two fields are defined, namely:

functional field SR, known to the specialist and allowing to store the result of the execution of instructions;

and the SCH field, the generated identification, which automatically remembers the identification of the last instruction that returned its result to the specified register, that is, generated the contents of the functional field CP ,. This CES field, the generated identification is updated automatically along with the contents of the instruction identification field C11, generating a functional field CP ,. The SSD field, the generated identification is neither accessible nor modifiable for any other instruction, and serves solely for detection means 17.

During the execution of the instruction, the detection means 17 perform the following operations for each operand:

read the SE field _{to the} flag;

if required by the SE field _{to the} flag, then both fields are read: the C1P field _{to the} provided identification and the CES field, the generated identification corresponding to the registers used by the operand to;

the equality of both fields С1Р _к and СЧС ,, is checked;

and if the equality is false, then the detection means 17 considers that the chain of execution of the instructions is not respected.

Means 18 of coercion should allow to modify the result of the execution of the instructions, when the means 17 of detection will inform them of non-compliance with the clutch instructions. A preferred implementation is to modify the functional part PP of the instruction to be executed or the functional part PP of the subsequent instructions.

According to another advantageous characteristic of the invention, the protection method is aimed at implementing the protection principle called renaming, which is described with reference to FIG. 80-85.

To implement the principle of protection by renaming should be determined:

an ensemble of dependent functions, the dependent functions of which can be performed by means of the second executable part 2 of the device in the device 6, possibly followed by data transfer between the data processing system 3 and the device 6 (this ensemble of dependent functions may be finite or not);

an ensemble of start commands for these dependent functions, wherein these start commands can be executed in the data processing system 3 and cause the execution of the corresponding dependent functions in the device 6;

for each start command, a setting parameter corresponding, at least in part, to the information transmitted by the first executable part 2p§ of the second executable part 2rei, to cause the start of the corresponding dependent function, and this setting parameter is presented in the form of at least an argument to the start command ;

a method for renaming settings intended for use during the modification of a vulnerable program and allowing renaming settings in this way

-21005465 to receive launch commands with renamed parameters, allowing you to hide the identity of the corresponding dependent functions;

recovery means 20 intended for use in the device 6 in the use phase and allowing to restore the initial settings based on the renamed settings to find the dependent function that needs to be performed.

To implement the principle of protection by renaming also designed means of operation, allowing you to convert an idle device 60 containing a means of 15 storage and processing means 16, into a device 6 that uses at least means 20 recovery.

To implement the protection principle by renaming the vulnerable program in the 2ν§ source code, the following should also be selected:

at least one algorithm using at least one operand and generating at least one result;

and at least one piece of source code 2ν§ of the vulnerable program containing at least one selected algorithm. The source code 2ν§ of the vulnerable program is then modified to obtain the source code 2p§ of the protected program. This modification is such that:

during the execution of the protected 2p program, at least one fragment of the first 2pc5 executable part. which is performed in the data processing system 3, takes into account that the functionality of at least one selected algorithm is executed in the device 6;

during the execution of the protected program 2p, the second executable part 2rea, which is executed in the device 6, performs at least the functionality of at least one selected algorithm;

each selected algorithm is decomposed in such a way that during the execution of the protected 2p program, each selected algorithm is executed by the second executable part 2preya, using dependent functions. Each selected algorithm is preferably decomposed into dependent functions ίά _η (where η runs through the values from 1 to именно), namely:

perhaps one or more dependent functions that allow you to provide one or more operands for device 6, dependent functions, some of which use one or more operands and which in combination implement the functionality of the selected algorithm using these operands, and, possibly, one or more dependent functions, allowing through the device 6 to provide the data processing system 3 with the result of the selected algorithm;

during the execution of the protected program 2p, the second executable part 2prey performs dependent functions ίά _η ;

during the execution of the protected 2p program, these dependent functions are started by run commands with renamed settings;

and the ordering of the launch commands is selected among the ensemble of orderings that allow the execution of the protected 2p program.

The first executable part 2p§ of the secure 2p program, executed in the data processing system 3, executes start commands with renamed settings, transmitting the renamed settings to device 6. This causes the device 6 to restore using the means 20 to restore the settings, and then perform, by means of the second executable part 2, each of the dependent functions ίά _η defined above.

In other words, the principle of protection by renaming is to rename the settings of the launch commands in order to receive the launch commands with the renamed settings, the execution of which in the data processing system 3 causes the execution of dependent functions in the device 6, which would be triggered by the unnamed commands settings, however, without studying the protected 2p program, it would be possible to determine the identity of the dependent functions performed.

In FIG. 80 shows an example of the execution of the vulnerable program 2ν. In this example, during the execution of the vulnerable program 2ν in the data processing system 3 at the given moment, the calculation Ζ Е (Х, Υ) corresponds to assigning the variable Ζ to the result of the algorithm represented by function G and using the operands X and Υ.

In FIG. 81 and 82 show an example implementation of the invention.

In FIG. 81 is an example of a partial implementation of the invention. According to this example, during the execution of the first executable part 2Р§ of the protected program 2Р in the data processing system 3 in the presence of the device 6, the following are performed:

at the moments ΐι, ΐ ₂ - the execution of elementary commands SE ₁ , SE ₂ , which causes the device 6 to execute, by means of the second executable part 2, the corresponding dependent functions ίάι, ίά ₂ , which provide the transfer of data X, Υ from the data processing system 3 to the memory areas, respectively, x and y, located in the means 15 for storing the device 6, and these commands SS, SE ₂ start are respectively presented as OIT (x, X), OIT (y, Υ);

-22005465 at moments 1 ₃ through ΐ _Ν-1 - execution of start commands from SC ₃ through ΟΌ _Ν-1 , which causes the device 6 to execute through the second executable part 2 of the corresponding dependent functions from GB ₃ to ίά _Ν . ₁ , and these startup commands are from ί.Ό ₃ through SB ^. _{1 are} represented respectively as TKYU (GB ₃ ) ΤΚΙΟ (Γά _Ν-1 ), and the sequence of dependent functions GB ₃ through ίύ _Ν-1 , performed in combination, is algorithmically equivalent to function G (more precisely, the execution of these launch commands leads to in the device 6, dependent functions from GB ₃ through ίύ _Ν-1 , which use the contents of the memory regions x, y and return the result to the memory region ζ of the device 6);

and at the moment ΐ _Ν , the launch command ί.Ό _{Ν is} executed, causing the device 6 to execute, by means of the second executable part 2, of the dependent function GB- ₃ , providing the transfer of the result of the algorithm contained in the ζ memory of device 6 to the data processing system 3 to assign it to the variable Ζ. This command is represented as ΙΝ (ζ).

In this example, in order to fully implement the invention, the first argument of the launch OIT commands and the argument of the launch commands ΤΚΙΟ and ΙΝ are selected as the installation parameter. The settings selected in this way are renamed using the method of renaming settings. Thus, the installation parameters of the launch commands from the SE, according to ί.Ό _Ν . namely, x, y, GB ₃ , ίά _Ν-1 , ζ are renamed so as to obtain respectively I (x), I (y), K (£ 6 ₃ ) ..., Κ (ίύ _Ν-1 ), Κ (ζ).

In FIG. 82 is an example of a complete implementation of the invention. According to this example, during the execution of the first executable part 2Р§ of the protected program 2Р in the data processing system 3, in the presence of the device 6, the following are carried out:

at moments ΐι, ΐ ₂ - execution of CESC1, SOSIA ₂ start commands with renamed settings, transmitting to the device 6 renamed settings I (x), I (y), as well as data X, Υ, which causes restoration in device 6 ( using means 20 recovery) renamed settings to restore the settings, namely the identity of the memory areas x, y, and then performing, through the second executable part 2reya, the corresponding dependent functions £ ₆ GB ₂ , which provide transfer data X, Υ from the data processing system 3 to the memory areas x, y, respectively, located in the storage means 15 of the device 6 (these SUCTION commands!, SUCTION ₂ starts with renamed settings are presented respectively as OIT (I (x), X) , ICU (I (y), Υ);

in moments from ΐ ₃ to ΐ _Ν-1 - execution of the PUMP ₃ commands to ί.Όί'Β _Ν-1 starts with renamed settings, transmitting to the device 6 renamed settings from I (£ b ₃ ) to Κ (£ ά _{Ν -} ι), which causes the device 6 to be restored using the means 20 of restoring the installation parameters, namely, from GB ₃ to £ ά _Ν- ι, and then, by means of the second executable part 2, to perform dependent functions from GB ₃ to £ ά _Ν- ι, and these commands (with ₃ to sucking S0SV _3-1) run with renamed setting parameters are presented according But the team TYAYU (I (£ ₃ b)) of TYAYU (Κ (£ 6ν-1));

at the moment ΐ _Ν - execution of the start command ί'Όί'ΒΝ with renamed settings, which transfers the renamed settings Κ (ζ) to device 6. This causes the device 6 to restore, using the recovery means 20, the settings, namely the identity of the memory region ζ, and then, by means of the second executable part 2, of the dependent function ίά _Ν , which provides the transfer of the result of the algorithm contained in the memory region ζ of the device 6, the data processing system 3 to assign it to the variable Ζ. This ί.Όί'Β _Ν start command with renamed settings is represented as ΙΝ (Κ (ζ)). In this example, the start commands with renamed settings 1 through Ν are executed sequentially. It should be noted that the following two improvements can be made.

The first improvement concerns the case when one or several algorithms are transferred to device 6 and at least the result of one algorithm is used by another algorithm (in this case, some start commands with renamed settings used for transmission may be excluded).

The second improvement aims to properly streamline startup commands with renamed settings among the ensemble of sequencing, allowing the execution of a protected 2p program.

In this regard, it is preferable to choose such an ordering of startup commands with renamed installation parameters that divides the execution of dependent functions in time, inserting between them pieces of code executed in the data processing system 3, while containing (or not containing) startup commands with renamed installation parameters serving to determine other data. FIG. 83 and 84 illustrate the principle of such an implementation.

In FIG. 83 shows an example of the execution of the vulnerable program 2ν. In this example, in the data processing system 3, during the execution of the vulnerable program 2ν, two algorithms are executed, leading to the determination of Ζ and Ζ 'such that Ζ E (X, Υ) and Ζ' E '(X', Υ ').

In FIG. 84 shows an example implementation of the method according to the invention, in which both selected in FIG. 83 algorithms are transferred to the device 6. In accordance with this example, during the execution in the data processing system 3 of the first executable part 2Р§ of the protected program 2Р, in the presence

-23005465 device 6, there is, as explained above, the execution of commands (from SOS'SH to ί.Όί.Ή _Ν ) of the launch with renamed settings, corresponding to the definition of Ζ, and the execution of commands (from SESI / according to SESRm ') start from renamed settings, corresponding to the definition of Ζ '. As shown, launch commands with SECI _| by ί.Όί.Ή _{Ν are} not executed sequentially, since the start commands from SESI / by SOSI _M ', as well as other code fragments, alternate with them. In this example, the following ordering is thus implemented: SOSI _| , the inserted code fragment, SECI /, SECU, the inserted code fragment, SESIL SOSK ₃ ', the inserted code fragment, SBSI', SOSI ;, SBSI, ···, SSSI., SOSI ·· '.

It should be noted that during the execution of the fragment of the first executable part 2р§ of the protected program 2p, the start command with the renamed settings that are executed in the data processing system 3 causes the device 6 to restore the identity of the corresponding dependent functions, and then their execution. Thus, in the presence of device 6, this fragment is executed correctly and, therefore, the protected program 2p is fully functional.

In FIG. 85 is an example of an attempt to execute a protected program 2p in the absence of device 6. In this example, while executing in the data processing system 3 the first executable part 2p§ of the protected program 2p, the execution of the start command with the renamed settings cannot at any time cause any restoration of the settings nor the execution of the corresponding dependent function due to the absence of device 6. The value that must be assigned to the variable Ζ, therefore, cannot be determined correctly about.

Thus, it seems that in the absence of device 6, at least one request of one fragment of the first executable part 2Р§ of the protected program 2Р to start the restoration of the settings and to execute the dependent function in the device in device 6 cannot be correctly executed, so that at least at least, this part is not executed correctly, and therefore, the protected 2p program is not fully functional.

Due to this protection principle, by renaming, studying 2p startup programs in a protected program with renamed settings does not allow us to determine the identity of the dependent functions that must be performed on device 6. It should be noted that the settings are renamed during the conversion of the vulnerable 2ν program to a protected program 2 p.

In accordance with a variant of the principle of protection by renaming, at least one dependent function must be defined, a family of dependent functions, algorithmically equivalent, but called by run commands with various renamed settings. In this embodiment, at least one algorithm using dependent functions is decomposed into dependent functions so that at least one of them is replaced by a dependent function of the same family, instead of storing multiple occurrences of the same dependent function. To this end, startup commands with renamed settings are modified to allow for the replacement of dependent functions with dependent functions of the same family.

In other words, two dependent functions from the same family have different settings, and therefore run commands with different renamed settings. Therefore, when studying the protected 2p program, it is not possible to detect that the called dependent functions are algorithmically equivalent.

In accordance with the first preferred implementation of the variant of the protection principle by renaming, for at least one dependent function, an algorithmically equivalent family of dependent functions is determined by linking the noise field with information defining the functional part of the dependent function that is performed in device 6.

In accordance with a second preferred implementation of a variant of the security principle, by renaming at least one dependent function, an algorithmically equivalent family of dependent functions is determined using identification fields.

In accordance with a preferred embodiment of the protection principle by renaming, a coding method is defined as the renaming method of the setting parameters, which allows the setting parameters to be encoded to be converted into renamed setting parameters.

It should be recalled that the renaming of the settings is carried out in phase P protection. For this preferred embodiment, the recovery tools 20 are tools that use a decoding method to decode the renamed settings and thus restore the identity of the dependent functions that must be performed on the device 6. These recovery tools are used on the device 6 and can be either software or hardware. Recovery means 20 are requested in phase and use each time a start command with renamed settings is executed in the data processing system 3 in order to cause a dependent function in the device 6.

-24005465

According to another preferred characteristic of the invention, the protection method is aimed at implementing the protection principle called conditional transition, the description of which is illustrated in FIG. 90-92.

To implement the protection principle by using a conditional transition in the source code 2ν§ of the vulnerable program, at least one conditional transition of the aircraft is selected. At least one fragment of the source code 2ν§ of the vulnerable program containing at least one selected conditional transition of the aircraft is also selected.

In this embodiment, at least one selected fragment of the 2ν§ code of the vulnerable program is modified to obtain the source code 2р§ of the protected program. This modification is such that during the execution of the protected 2p program:

at least one fragment of the first executable part 2p§, which is executed in the data processing system 3, takes into account that the functionality of at least one selected conditional transition BC is performed in the device 6;

the second executable part 2reya, which is executed in the device 6, performs at least the functionality of at least one selected conditional transition BC and provides the data processing system 3 with information that allows the first executable part 2re§ to continue its execution in the selected place. The first executable part 2p§ of the protected program 2p, executed in the data processing system 3, executes conditional branch commands, which causes the device 6 to execute, by means of the second executable part 2rei, of the rendered conditional transitions bc, the functionality of which is equivalent to the functionality of the selected conditional transitions BC. To implement the principle of protection using a conditional transition, the device 6 contains means 15 for storing and means 16 for processing.

In FIG. 90 shows an example of execution of the vulnerable program 2ν. In this example, during the execution of the vulnerable program 2ν in the data processing system 3 at the given moment, a conditional transition of the aircraft takes place, indicating to the vulnerable program 2ν the place where to continue its execution, namely one of the three possible places В ₁ , В ₂ or В ₃ . It should be understood that the conditional transition of the aircraft decides to continue the program at location B ₁ , B ₂ or B ₃ .

In FIG. 91 shows an example embodiment of the invention in which the conditional transition selected for transfer to the device 6 corresponds to the conditional transition of the aircraft.

In this example, during the execution of the first executable part 2Р§ of the protected program 2Р in the data processing system 3 in the presence of the device 6, the following takes place:

at the moment ΐι - the execution of the conditional transition instruction CBC1, which causes the device 6 to execute, by means of the second executable part 2, the rendered conditional transition bc, algorithmically equivalent to the conditional transition BC, and this conditional transition command CBC1 is represented as TWT (bc);

and when ί ₂ - transfer device 6 3 system data information processing, allowing first executable portion 2re§ continue its execution at the selected place, namely, B _s B ₂ or B 3.

It should be noted that during the execution of the fragment of the first executable part 2Р§ of the protected program 2Р, the conditional branch commands that are executed in the data processing system 3 start the execution of the corresponding remote conditional branches in the device 6. Thus, it appears that in the presence of the device 6 this part It runs correctly and, therefore, the 2p protected program is fully functional.

In FIG. 92 is an example of an attempt to execute a protected 2p program in the absence of device 6. In this example, during the execution in the data processing system 3 of the first executable part 2p§ of the protected 2p program:

at the moment ί! the execution of the conditional branch transition mechanism CBS1 cannot cause the remote conditional transition bc to be executed, given the absence of device 6;

and at the time ί _2, an attempt to transmit information that allows the first executable part 2р§ to continue execution at the selected location cannot be successful due to the absence of device 6.

Thus, in the absence of device 6, at least one request of one fragment of the first executable part 2р§ to start execution of the rendered conditional transition in device 6 cannot be correctly executed. Therefore, at least this part is not executed correctly, and, therefore, the protected 2p program is not fully functional.

In the preceding description illustrated in FIG. 90-92, the present invention is directed to the removal into the device 6 of one conditional transition. Of course, a preferred embodiment of the invention may consist in transferring to the device 6 a series of conditional transitions, the global functionality of which is equivalent to the ensemble of functionality of the rendered conditional transitions. Fulfillment of the global functionality of this series of rendered conditional transitions leads to the fact that the data processing system 3 is provided with information allowing the first executable part 2Р§ of the protected program 2Р to continue its execution in the selected place.

-25005465

In the preceding description illustrated in FIG. 40-92, six different principles of program protection were explained in general terms independently of one another. The protection method according to the invention can be implemented using the principle of protection with a variable, to which one or more other protection principles can be added. In the case where the principle of protection with a variable is supplemented by the implementation of at least one other principle of protection, the principle of protection with a variable is preferably supplemented with the principle of protection with time separation and / or the principle of protection with elementary functions.

If the principle of protection by means of time division is applied in this way, it can be supplemented, in turn, by the principle of protection by means of elementary functions and / or the principle of protection by conditional transition.

If the principle of protection by means of elementary functions is applied in this way, it can be supplemented, in turn, by the principle of protection by means of detection and coercion and / or the principle of protection by renaming, and / or the principle of protection by conditional branching.

If the principle of protection by means of detection and coercion is applied in this way, then it can be supplemented, in turn, by the principle of protection by renaming and / or the principle of protection by conditional branching. And if the principle of protection by renaming is also applied, then it can be supplemented, in turn, by the principle of protection by conditional transition.

According to a preferred embodiment, the principle of protection with a variable is supplemented by the principle of protection by time separation, supplemented by the principle of protection by means of elementary functions, supplemented by the principle of protection by detection and coercion, supplemented by the principle of protection by renaming, supplemented by the principle of protection by conditional transition.

In the case when, in addition to the principle of protection with a variable, any other protection principle is applied in order to take into account such a combined implementation of the invention, the above description should contain the following modifications:

the concept of a vulnerable program should be understood in the sense of the vulnerability of the program with respect to the described protection principle. So, in the case when the protection principle has already been applied to a vulnerable program, the expression vulnerable program should be interpreted as the expression program protected by one or more protection principles already applied;

the concept of a protected program should be understood in the sense of program security in relation to the described protection principle. So, in the case when the protection principle has already been applied, the expression protected program should be interpreted by the reader as the expression a new version of the protected program;

one or more choices made (made) to implement the described protection principle must (should) take into account the choice (s) made (made) to implement the already applied (applied) one or more protection principles.

The following description allows a better understanding of the implementation of the protection method according to the invention. In this protection method according to the invention, it is carried out as specified in FIG. one hundred:

first, the protection phase P, during which the vulnerable program 2ν is converted into the protected program 2p;

then the phase and use, during which the protected program 2p is used, and in the phase and use:

in the presence of device 6, whenever a fragment of the first executable part 2р§ executed in the data processing system 3 requires it, the proper functionality is performed in the device 6 in such a way that this part is executed correctly, and therefore, the protected program 2p is fully functional, in the absence of device 6, despite the request of a fragment of the first executable part 2р§ to execute functionality in device 6, this request cannot be correctly satisfied, so at least This portion is not executed correctly, and therefore protected software 2p is not fully functional;

and, possibly, the reboot phase I, during which at least one additional use of the functionality protected by implementing the second preferred embodiment of the principle of protection by detection and coercion, using as a characteristic a variable for quantitative control, is allowed.

The protection phase P can be decomposed into two protection sub-phases P ₁ and P ₂ . The first, called input, protection sub-phase P ₁ is implemented regardless of the vulnerable program 2ν to be protected. The second, called output, sub-phase P2 _of protection depends on the vulnerable program 2ν to be protected. It should be noted that the input and output sub-phases of P ₁ and P ₂ protection can be implemented by two different persons or groups. For example, the input protection sub-phase P ₁ can be implemented by an employee or organization developing software protection systems, while the output sub-phase P ₂

-26005465 protection can be implemented by an employee or organization engaged in the development of programs that you want to protect. Of course, it is clear that the input and output sub-phases of P ₁ and P ₂ protection can be implemented by one employee or one organization.

The input sub-phase P _{1 of} protection involves several stages 8c, ... § ₁₁ , for each of which it is necessary to perform several tasks or tasks.

The first stage of this input subphase is P! protection is called stage 8 ₁₁ definitions.

During this stage of 8 ₁₁ definitions are selected:

device type 6, namely, a storage device or a processing and storage device. For example, as a device 6, you can select a card reader 8 with a microchip and a microchip card associated with the reader 8, and transmission means 12, 13, intended for use in the data processing system 3 and in the device 6 in phase and use, respectively capable of transmitting data between the data processing system 3 and the device 6;

moreover, in the case where the protection method according to the invention involves the principle of protection using elementary functions, are also determined:

a set of elementary functions, the elementary functions of which can be performed in the device 6, and a set of elementary commands for this set of elementary functions, and these elementary commands can be executed in the data processing system 3, causing execution of the elementary functions in the device 6;

moreover, in the case where the protection method according to the invention involves the principle of protection by detection and coercion, should also be provided:

at least one characteristic of program execution, which can be monitored at least partially in device 6, at least one criterion that must be met for at least one characteristic of program execution, detection means 17, which must be applied in device 6 and which make it possible to detect that at least one characteristic of program execution does not meet at least one relevant criterion, and coercive means 18 that must be applied in the device 6 and which allow to inform the data processing system 3 and / or modify the program progress if at least one criterion is not met;

moreover, in the case where the protection method according to the invention involves the principle of protection by detection and coercion, using, as a characteristic, a variable for quantitative control of program execution, the following should also be determined:

as a characteristic of the execution of the program that can be monitored, a variable for quantitative control of the use of one functionality of the program, as a criterion that must be observed, at least one threshold value associated with each variable for quantitative control, and means of updating, allowing you to update at least one variable for quantitative control;

moreover, in the case where the protection method according to the invention involves the first preferred embodiment of the principle of protection by detection and coercion, using, as a characteristic, a variable for quantitative control of program execution, should also be provided:

for at least one variable for quantitative control, several corresponding threshold values, and various coercive means corresponding to each of these threshold values;

moreover, in the case where the protection method according to the invention employs a second preferred embodiment of the principle of protection by detection and coercion, using, as a characteristic, a variable for quantitative control of program execution, reloading means are also provided that allow at least one additional use of at least at least one program functionality controlled by a variable for quantitative control;

moreover, in the case when the protection method according to the invention involves the principle of protection by detection and coercion, using the profile of the use of the program as a characteristic, should also be provided:

as a characteristic of the program that can be monitored, is the profile of the use of the program, and as a criterion that must be observed is at least one sign of the program;

-27005465 and in the case where the protection method according to the invention involves the principle of protection by detection and coercion, where as a sign of fulfillment that you want to comply with, use is made of the clutch control of execution, should also be provided:

a set of instructions, the instructions of which can be executed in the device 6, a set of instructions for the specified set of instructions, and these instructions can be executed in the data processing system 3, causing instructions to be executed in the device 6, coupling instructions as the usage profile, as a sign of fulfillment, the desired grip for executing the instructions, as detection means 17, means to detect that the grip of the instructions does not match the desired, and in quality forcing means 18 - means to inform the system data 3 and / or modify the operation of the protected program fragment 2p, if the document does not correspond to the desired clutch;

and in the case where the protection method according to the invention employs a preferred embodiment of the principle of protection by detection and coercion, where as a sign of fulfillment to be followed, use is made of the control of fulfillment, should also be provided:

as a set of instructions, a set of instructions from which at least some instructions operate on registers and use at least one operand to produce the result for at least one part of instructions operating on registers:

a PP part defining the functionality of the instruction, and a part specifying the desired grip for executing the instructions and containing bit fields corresponding to:

field C11 identification instructions, and for each operand instruction:

* Field ί.Ό _(: flag, * and field S1R _{to the} identification provided for the operand, for each register belonging to the exploitation means and used a set of instructions, - SY field _have generated the identification, which is automatically memorized the identification of the last instruction, the return of your the result in the register, as the detection means 17 - means to during execution of the instruction for each operand, if required ί.Ό field _(: flag control equality between the field generated by the ID manually XU _Y katsii corresponding to registers used by this operand, and field S1R provided _to identify the start address of the operand, and means 18 as coercive - means to modify the instruction result, if at least one of the monitored equations is false;

moreover, in the case where the protection method according to the invention involves the principle of protection by renaming, should also be provided:

as a start command, an elementary command or instruction command, as a dependent function, an elementary function or instruction, as a setting parameter, at least one argument for the start command corresponding at least partially to the information transmitted by the data processing system 3 to device 6, to cause the start of the corresponding dependent function, the method of renaming settings, which allows you to rename the settings to receive start commands from the renamed parameters, and means of recovery 20, intended for use in the device 6 in phase and use and allowing again to find the dependent function that needs to be performed based on the renamed setting parameter, and in the case when the protection method according to the invention involves a variant of the protection principle with renaming is also defined for at least one dependent function, a family of dependent functions, algorithmically equivalent, but called by run commands, renamed settings ovochnye parameters which are different, and in the case where the method of protection according to the invention uses a particular preferred implementation of the embodiment using the principle of protection renaming is also determined for the at least one independent function, a family of dependent functions algorithmically equivalent:

by coupling the noise field with information defining the functional part of the dependent function that is performed in the device 6, or by using the instruction identification field C11 and the C1P field _{to the} provided operand identification;

moreover, in the case where the protection method according to the invention involves the preferred variant of the principle of protection by renaming, should also be provided:

-28005465 as a method for renaming settings — the encoding method for encoding the settings, and as recovery means 20 — tools that use the decoding method to decode the renamed settings and restore the identity of the dependent functions that need to be performed on device 6.

During the input protection sub-phase, the determination step 8 ₁₁ is followed by a step called the design step 8 ₁₂ . During this step 8, ₁₂ are constructed means 12, transmission 13, and possibly operating means corresponding definitions ₁₁ determines step 8.

During this step 8, ₁₂ begin constructing hence to designing means 12, transmission 13, allowing, during the use phase, and transmit data between system 3 and the data processing device 6;

if the principle of protection by means of elementary functions is also applied to the construction of operating means that allow the device 6 in phase and use to perform elementary functions from a set of elementary functions;

and (if the principle of protection by means of detection and coercion is also applied), to the construction of:

operating means allowing the device 6 in phase and use to also use detection means 17 and coercive means 18, and possibly operating means allowing the device 6 in phase and use to also use updating means, and also, possibly, operating means allowing the device 6 in the reboot phase, also use the reboot tools, as well as, possibly, operating tools that allow the device 6 in the phase and use to follow the instructions from the set of instructions;

and (if the principle of protection by renaming also applies) to the construction of operating means allowing the device 6 in phase and use to use also means of restoration.

The design of the operating means is carried out in the usual way, by means of a program development device, taking into account the definitions introduced in stage 8 of ₁₁ definitions. A similar device is described below and illustrated in FIG. 110.

During the input protection sub-phase P _{1, a} design step 8 ₁₂ may be followed by a step called pre-personalization step 8 ₁₃ . During this pre-personalization stage 8 ₁₃ , at least the transmission means 13 and the operating means are loaded into at least one idle device 60 to obtain at least one pre-personalized device 66. It should be noted that part of the operating means, being transferred to the pre-personalized device 66 is no longer directly accessible from the outside of this pre-personalized device 66. The transfer of operating means to an idle device 60 can be implemented by adapting of this pre-personalization device, which is described later and illustrated in FIG. 120. In the case of a pre-personalized device 66, consisting of a card 7 with a microchip and a device 8 for reading it, pre-personalization applies only to a card 7 with a microchip.

During the input protection sub-phase P ₁ , after the determination stage 8 ₁₁ and, possibly, after the construction stage 8 ₁₂ , a step called the means manufacturing step 8 ₁₄ can also be carried out. During this phase, August ₁₄ manufacturing assets produced tools to help create secure programs or to automate the protection of software.

Such tools can help you choose or automatically select in the vulnerable 2ν program that you want to protect:

one or more variables that can be transferred to device 6, fragments that can be changed if the principle of protection by time separation is also applied - one or more algorithms that can be decomposed into steps that can be transferred to device 6 if the principle of protection using elementary functions is also applied, one or more algorithms that can be decomposed into elementary functions that can be transferred to device 6, and if the principle of protection using design and enforcement, - one or more performance characteristics that need to be monitored, and possibly one or more algorithms that can be decomposed into instructions that can be transferred to device 6, if the principle of protection by renaming is also applied, one or several algorithms that can be decomposed into dependent functions that can be transferred to device 6 and for which the installation parameters of the launch commands can be renamed, and if the protection principle is also applied and using conditional transitions, one or more conditional transitions, the functionality of which can be transferred to device 6;

-29005465 and possibly help create protected programs or automate program protection.

These various tools can be implemented independently or in combination, and each tool can take various forms, for example, be a preprocessor, assembler, compiler, etc. The input protection sub-phase P ₁ is followed by the output protection sub-phase P ₂ , which depends on the vulnerable program 2ν to be protected. This output sub-phase P _{2 of the} protection also includes several stages. The first stage, corresponding to the implementation of the principle of protection with the help of a variable, is called the creation stage 8 ₂₁ . During this creation stage 8 ₂₁ , the selection made in the determination stage 8 ₁₁ is used. Using this selection and, possibly, the tools designed in step _{8-14 of} manufacturing the means, a secure program 2p is created:

by selecting the vulnerable program in the 2ν§ source code:

at least one variable, which, during the execution of the vulnerable program 2ν, partially determines its state, and at least one fragment containing at least one selected variable;

by creating the source code 2p§ of the protected program on the basis of the source code 2ν§ of the vulnerable program by modifying at least one selected fragment of the code 2ν§ of the vulnerable program, and this modification is such that during the execution of the protected program 2p at least one selected variable or one copy the selected variable is located in an idle device 60, which thereby turns into a device 6;

and by creating the first part 2prog of the object code of the protected program 2p based on the source code 2p§ of the protected program, and this first part 2po§ of the object code is such that during the execution of the protected program 2p the first executable part 2p§ is executed, which is executed in the system 3 data processing, and in at least one part of which it is taken into account that at least one variable or one copy of the variable is in the device 6. Of course, the principle of protection with the variable according to the invention can be rimenen directly in the development of a new program without the need to pre-implementation 2ν vulnerable program. Thus, the protected 2p program is directly obtained during the output protection sub-phase P2. Moreover, in the case when at least one other protection principle is applied, in addition to the principle of protection with a variable, a modification stage 8 ₂₂ is implemented. During this step, _{22 August} modifying the definitions introduced in step August ₁₁ determinations. Using these definitions and, possibly, the tools designed in step _{8-14 of} manufacturing the means, the protected program 2p is modified to allow the protection principles to be implemented in accordance with one of the configurations defined above.

When the principle of protection by time separation is applied, the protected 2p program is modified as follows:

by selecting a protected program in the 2p§ source code:

at least one algorithm that during the execution of the protected program 2p uses at least one selected variable and allows to obtain at least one resulting variable, and at least one fragment containing at least one selected algorithm;

by modifying at least one selected piece of code 2p§ of the protected program, and this modification is such that:

during the execution of the protected program 2p, the first executable part 2p§ is executed in the data processing system 3, and the second executable part 2prey is executed in the device 6, which also contains processing means 16, at least the functionality of at least one selected algorithm is performed by the second of the executable part 2reya, at least one selected algorithm is decomposed in such a way that during the execution of the protected program 2p, several various stages, namely:

the provision of at least one variable for the device 6, the implementation in the device 6 of the functionality of the algorithm performed on at least this variable, and, possibly, the provision of at least one resulting variable by the device 6 for the data processing system 3, at least for one selected algorithm, the instructions of the steps are determined in such a way that during the execution of the protected program 2p, each command of the step is executed by the first executable part 2р§ and causes execution in the device 6 the execution of the stage by means of the second executable part 2reya, wherein the ordering of the instructions of the stages is selected among the ensemble of orderings allowing the execution of the protected 2p program;

and by creating:

-30005465 of the first part of the object code of the protected program 2p, the first part of the object code 2pg is such that during the execution of the protected program 2p, the instructions of the steps are executed in accordance with the selected ordering, and the second part of the 2nd object code of the protected program 2p, the second part The structure of the object code is such that after loading into an unused device 60, during the execution of the protected program 2p, the second executable part 2preya is implemented, by means of which the steps are carried out, the start of which called by the first executable part of 2p§.

When the principle of protection by means of elementary functions is applied, while the principle of protection by time division is not applied, the protected 2p program is modified: by selecting a protected program in the 2p§ source code:

at least one algorithm that during the execution of the protected program 2p uses at least one selected variable and allows to obtain at least one resulting variable, and at least one fragment containing at least one selected algorithm;

by modifying at least one selected piece of code 2p§ of the protected program, and this modification is such that during the execution of the protected program 2p the first executable part 2p§ is executed in the data processing system 3 and the second executable part 2prey is executed in the device 6, at least at least, the functionality of at least one selected algorithm is performed by the second executable part 2 of yoy, at least one selected algorithm is decomposed in such a way that during execution In a 2p protected program, this algorithm is executed by means of the second 2pree part being executed using elementary functions, for at least one selected algorithm, elementary commands are integrated into the source code of a 2p protected program so that during the execution of a 2p protected program, each elementary command is executed by the first of the executed part 2р§ and causes the device 6 to execute, by means of the second executable part 2prea, an elementary function, moreover, the ordering of elementary commands ybiraetsya ensemble ordering, allowing execution of the protected software 2p;

and by creating:

the first part 2po of the object code of the protected 2p program, and this first part 2po§ of the object code is such that during the execution of the protected 2p program elementary commands are executed in accordance with the selected ordering, and the second part of the 2nd object code of the protected 2p program containing operating means, moreover, this second part 2 of the object code is such that after loading into an idle device 60, during the execution of the protected program 2p, the second executable part 2 is implemented, by means of which elementary functions are taken, the start of which was caused by the first part of 2re§ being executed.

When the principles of protection using time-sharing and elementary functions are applied together, the 2p protected program is modified:

by selecting at least one stage in the source code 2p§ of the protected program, which during the execution of the protected program 2p carries out the functionality of the algorithm;

by modifying at least one selected piece of code 2p§ of the protected program, and this modification is such that:

at least one selected stage is decomposed in such a way that during the execution of the protected program 2p this stage is performed by means of the second executable part 2pree using elementary functions, for at least one selected stage the elementary commands are integrated into the source code 2p§ of the protected program in such a way that during the execution of the protected program 2p, each elementary command is executed by means of the first executable part 2р§ and causes execution in the device 6, by means of the second of the second part of the 2reya, the elementary function, and the ordering of the elementary commands is selected in the ensemble of orderings, allowing to execute the protected 2p program;

and by creating:

the first part 2pro of the object code of the protected program 2p, and this first part 2po§ of the object code is such that during the execution of the protected program 2p the elementary commands are executed in accordance with the selected ordering, and the second part of the 2nd object code of the protected program 2p, which also contains operating means moreover, this second part 2 of the object code is such that after loading into the device 6, during the execution of the protected program 2p, the second executable part 2 of the realm is implemented, by means of which tare functions, the start of which was called by the first executable part

-31005465

2 pp. When the principle of protection by means of detection and coercion is applied, the protected 2p program is modified:

by selecting among the execution characteristics that can be controlled by at least one performance characteristic of the monitored program;

by selecting at least one criterion to be performed for at least one selected program execution characteristic;

by selecting in the source code 2p§ of the protected program elementary functions for which at least one characteristic of the execution of the controlled program should be monitored;

by modifying at least one selected code fragment 2p§ of the protected program, and this modification is such that during the execution of the protected program 2p, at least one characteristic of the program execution is controlled by the second part 2reya being executed and non-compliance with the criterion leads to informing the data processing system 3 and / or to modification of the execution of the protected 2p program;

and by creating the second part 2 of the object code of the protected program 2p, containing operating means, also involving detection means 17 and means 18 of coercion, and this second part 2 of the object code is such that after downloading to the device 6, during the execution of the protected program 2p, at least one characteristic of program execution is monitored and non-compliance with the criterion leads to informing the data processing system 3 and / or to modification of the execution of the protected program 2p. To implement the protection principle using detection and coercion, using a variable as a characteristic for quantitative control of program execution, the protected 2p program is modified:

by selecting as a characteristic of the execution of the controlled program at least one variable for quantitative control of the use of one functionality of the program;

by choosing:

at least one functionality of the protected program 2p, the use of which can be controlled using a variable for quantitative control, at least one variable for quantitative control, which serves as a quantitative characteristic of the use of the mentioned functionality of at least one threshold value associated with the selected variable for quantitative control and corresponding to the utilization limit of the mentioned functional spine, and at least one method of updating the value of a variable for quantitative control in accordance with the use of the mentioned functionality;

and by modifying at least one selected piece of code 2Р§ of the protected program, and this modification is such that during the execution of the protected program 2Р the variable for quantitative control is updated by means of the second executable part 2Рё, depending on the use of the indicated functionality, and at least at least one threshold exceeded.

To implement the first preferred variant of the protection principle using detection and coercion, using a variable for quantitative control as a characteristic, the protected 2p program is modified:

by selecting at least one variable for the quantitative control in the source code of the 2p§ protected program with which several threshold values should be associated, corresponding to different limits of use of the functionality;

by selecting at least two threshold values associated with the selected variable for quantitative control;

and by modifying at least one selected piece of code 2p§ of the protected program, this modification being such that, during the execution of the protected program 2p, the excess of various threshold values is taken into account by the second executable part 2preya in a different way. To implement the second preferred variant of the principle of protection by detection and coercion, using the variable for quantitative control as a characteristic, the protected program 2p is modified by selecting at least one variable for quantitative control in the source code of the protected program 2p§ to limit the use of functionality, for which it should be possible to authorize at least one additional use;

and by modifying at least one selected fragment, and this modification is such that in a phase called a reboot phase, at least one additional use of at least one functionality corresponding to one selected variable for quantitative control can be allowed.

-32005465

To implement the principle of protection using detection and coercion, using the program usage profile as a characteristic, the protected program 2p is modified by selecting at least the program usage profile as a characteristic of the controlled program execution;

by selecting at least one program execution flag that must comply with at least one usage profile;

and by modifying at least one selected piece of code 2p§ of the protected program, this modification being such that, during the execution of the protected program 2p, the second executable part 2pray respects all selected execution signs.

To implement the principle of protection by detecting and coercion, where the control of execution is used as a sign of execution, the protected program 2p is modified by modifying at least one selected code fragment 2p§ of the protected program by converting elementary functions into instructions, by the clutch task, which at least some of the instructions must follow during their execution in the device 6, and by Browsing elementary instructions into instruction instructions corresponding to the instructions used.

When the principle of protection by renaming is applied, the protected 2p program is modified by selecting the start command in the 2p§ source code of the protected program;

by modifying at least one selected piece of code 2p§ of the protected program by renaming the settings of the selected launch commands in order to hide the identity of the corresponding dependent functions;

and by creating the first part 2po of the object code of the protected program 2p, and this first part 2po§ of the object code is such that during the execution of the protected program 2p, run commands with renamed settings are executed, and the second part of the 2nd object code of the protected program 2p containing means operation, also using recovery tools 20, and this second part of the 2-object code is such that after downloading to the device 6, during the execution of the protected program 2p, the identity hangs of the functions whose execution is started by the first executable part 2rep, is restored by the second executable part 2pri, and the dependent functions are performed by the second executable part 2pri.

To implement a variant of the principle of protection by renaming, the protected program 2p is modified by selecting at least one start command with renamed settings in the source code 2p§ of the protected program;

and by modifying at least one selected piece of code 2p§ of the protected program by replacing at least the renamed settings of the start command with the selected set of settings with other renamed settings, which causes the start of a dependent function from the same family.

When the principle of protection using a conditional transition is applied, the protected program 2p is modified by selecting at least one conditional transition in the source code 2p§ of the protected program that is performed in at least one selected algorithm;

by modifying at least one selected code fragment 2p§ of the protected program, and this modification is such that during the execution of the protected program 2p the functionality of at least one selected conditional transition is performed by the second executable part 2preya in the device 6;

and by creating the first part 2po of the object code of the protected program 2p, and this first part 2po§ of the object code is such that during the execution of the protected program 2p the functionality of at least one selected conditional transition is executed in the device 6, and the second part 2poi of the object code a protected program 2p, and this second part 2 of the object code is such that after downloading to the device 6, during the execution of the protected program 2p, the second executable part 2 is implemented, by means of which lnyaetsya functionality is at least one selected conditional jump.

For the preferred implementation of the protection principle using conditional branching, the protected 2p program is modified

-33005465 by selecting at least one series of selected conditional jumps in the source code of the 2p§ protected program;

by modifying at least one selected piece of code 2p§ of the protected program, and this modification is such that during the execution of the protected program 2p the global functionality of at least one selected series of conditional transitions is performed by the second executable part 2preya in the device 6;

and by creating the first part 2prog of the object code of the protected program 2p, and this first part 2po§ of the object code is such that during the execution of the protected program 2p the functionality of at least one selected series of conditional jumps is executed in the device 6, and the second part 2roy object code of the protected program 2p, and this second part 2roy object code is such that after downloading to the device 6, during the execution of the protected program 2p, the second executable part 2reya is implemented, through which , the global functionality of at least one chosen series of conditional branches.

Of course, the protection principles according to the invention can be applied directly during the development of a new program without first implementing intermediate vulnerable programs. Thus, stages 8 _{21 of} creation and 8 ₂₂ modifications can be carried out simultaneously in order to immediately obtain a secure program 2p.

During output subphase _P2 protection when employed at least one other protection principle, in addition to the principle of protection by means of the variable after step _{21 August} creating 2p protected program, and possibly after step August ₂₂ modification is realized stage called stage 8 ₂₃ personalization. During this personalization stage 8 ₂₃ , the second part of the 2-part object code, possibly containing operating means, is loaded into at least one idle device 60 to obtain at least one device 6. Alternatively, a part of the second part 2 of the object code, possibly containing operating means, is loaded into at least one pre-personalized device 66 to obtain at least one device

6. Downloading this personalizing information makes it possible to make at least one device operational 6. It should be noted that part of this information, when transferred to device 6, is not directly accessible from outside this device 6. Transferring personalization information to an idle device 60 or to a pre-personalized device 66 can be implemented by an adapted personalization device, which is described later and illustrated in FIG. 150.

In the case of the device 6, consisting of a card 7 with a microchip and a device 8 for reading it, personalization concerns only a card 7 with a microchip.

Various technical means for implementing the protection phase P, which will now be described in more detail, are illustrated in FIG. 110, 120, 130, 140 and 150.

In FIG. 110 shows an example implementation of a system 25, which allows for the implementation of design stage 8 ₁₂ taking into account the definitions introduced in determination stage 8 ₁₁ , and during which transmission means 12, 13 and, possibly, operating means for device 6 are constructed. Such a system 25 contains a program development device or workstation, usually a computer that contains a system unit, a monitor, peripheral devices such as a keyboard and mouse and on which the following programs are installed: file editions tori, assemblers, preprocessors, compilers, interpreters, debuggers, and linkers.

In FIG. 120 shows an example implementation of a pre-personalization device 30 that allows at least partially transferring means 13 and / or operating means to be loaded into at least one idle device 60 to obtain at least a pre-personalized device 66. The pre-personalization device 30 includes means 31 a read / write device that allows electrically pre-personalization of an idle device 60 to obtain a pre-personalization device 66 into which transmission means 13 and / or media are loaded TWA operation. The pre-personalization device 30 may also comprise physical means 32 of the pre-personalization of the idle device 60, which is, for example, a printer. If the device 6 consists of a card 7 with a microchip and a device 8 for reading it, pre-personalization usually refers only to a card 7 with a microchip.

In FIG. 130 is an example implementation of a system 35 that allows the manufacture of tools intended for use in creating secure programs or automating program protection. Such a system 35 includes a program development device or workstation, typically a computer that contains a system unit, a monitor, peripherals such as a keyboard and mouse, and which have the following programs: file editors, assemblers, preprocessors, compilers, interpreters, debuggers, and editors connections.

In FIG. 140 shows an example implementation of a system 40 that allows you to directly obtain a secure program 2p or modify a vulnerable program 2ν in order to obtain a secure program 2p. Such a system 40 comprises a program development device or workstation, typically a computer, which comprises a system unit, a monitor, peripherals

-34005465 The type of keyboard and mouse on which the following programs are installed: file editors, assemblers, preprocessors, compilers, interpreters, debuggers and link editors, as well as tools that help create protected programs or automate program protection.

In FIG. 150 shows an example implementation of a personalization device 45 that allows you to download the second part 2 of the object code into at least one idle device 60 to obtain at least one device 6, or a part of the second part 2 of the object code into at least one pre-personalized device 66 to get at least one device

6. This personalization device 45 comprises a read / write device 46 that electrically personalizes at least one idle device 60 or at least one pre-personalized device 66 to obtain at least one device 6. Upon completion of this personalization, device 6 contains information necessary to run a secure 2p program. The personalization device 45 may also comprise physical personalization means 47 for at least one device 6, which is, for example, a printer. If the device 6 consists of a card 7 with a microchip and a device 8 for reading it, personalization usually refers only to a card 7 with a microchip.

The protection method according to the invention can be implemented with further improvements.

It is possible to provide for the sharing of multiple processing and storage devices between which the second part of the object object code 2p is distributed in such a way that their joint execution allows the 2p program to be executed, while the absence of at least one of these processing and storage devices prevents the use of the protected program 2 p.

Similarly, after pre-personalization step 8 ₁₃ and during personalization step 8 ₂₃ , part of the second part 2 of the object code needed to convert the pre-personalized device 66 to device 6 may be contained in the processing and storage device used by the personalization device 45 to restrict access to this part second part of the 2 object code code. Of course, this part of the second part of the 2nd part of the object code can be distributed between several processing and storage devices so that this part of the second part of the 2nd part of the object code is available only during the sharing of these processing and storage devices.

Claims (37)

CLAIM 1. A protection method based on at least one unused device (60) containing at least means (15) for remembering from unauthorized use of a vulnerable program (2ν) that operates on the data processing system (3), that in phase (P) of protection they create a protected program (2p): - through selection in the source code (2νδ) of the vulnerable program: at least one variable, which during the execution of a vulnerable program (2ν) partially determines its state, and at least one fragment containing at least one selected variable, - by creating the source code (2p§) of the protected program based on the source code (2νδ) of the vulnerable program by modifying at least one selected code fragment (2νδ) of the vulnerable program, and this modification is such that during the execution of the protected program (2p) at least at least one selected variable or one copy of the selected variable is in the unused device (60), which thereby turns into a processing and storage device, - and by creating the first part (2po§) of the object code of the protected program (2p) based on the source code (2p§) of the protected program, the first part (2po§) of the object code is such that during the execution of the protected program (2p) the first executable part (2Re§), which is performed in the data processing system (3), and at least one fragment of which takes into account that at least one variable or one copy of the variable is in the processing and storage device, and in the (And) use phase during which protection is performed constant prices software (2p) - in the presence of a processing and storage device, whenever it is required by a fragment of the first part (2Re§), use a variable or a copy of a variable that is in the processing and storage device so that the specified fragment is executed correctly, and therefore the protected program (2p) was fully functional. 2. The method according to claim 1, characterized in that in phase (P) of protection: modify the protected program (2p): - by selecting in the source code (2p§) of the protected program: -35005465 at least one algorithm that, during the execution of a protected program (2p), uses at least one selected variable and produces at least one resulting variable, and at least one fragment containing at least one selected algorithm, - by modifying at least one selected code fragment (2p§) of the protected program, and this modification is such that: during the execution of the protected program (2p), the first executable part (2 pp) is executed in the data processing system (3), and the second executable part (2 plots) is executed in the processing and storage device, which also contains the processing means (16), at least , the functionality of at least one selected algorithm is performed by the second executable part (2 paths), at least one selected algorithm is decomposed in such a way that during the execution of the protected program (2p) are implemented by the second execute the second part (2rei) several different stages, namely: providing at least one variable for the processing and storage device, implementing in the processing and storing device the functionality of the algorithm performed on at least this variable, and possibly providing at least one resulting variable with the processing and storage device for the system (3) processing data for at least one selected algorithm, the teams of steps are defined in such a way that during the execution of a protected program (2p) each step command is executed through th first executable part (2re§) and causes a processing and storage device, performing step executed by the second part (2rei), the ordering of steps is selected among commands ordered assemblies that allow execution of the protected software (2p) - and by creating: the first part (2po) of the object code of the protected program (2p), the first part (2po§) of the object code is such that during the execution of the protected program (2p) commands of the steps are executed in accordance with the selected ordering, and the second part (2roy) of the object code of the protected program (2p), and the second part (2roy) of the object code is such that after loading into the unused device (60), during the execution of the protected program (2p) the second executed part (2ray) is implemented, through which the steps was called n the first part performed (2 § §); - and load the second part (2) of the object code into the unused device (60) with the receipt of the processing and storage device, and in the (And) use phase: in the presence of a processing and storage device, whenever it is required by the command of the stage contained in the fragment of the first part to be executed (2 sec), the corresponding stage is performed in the processing and storage device so that the specified fragment is executed correctly and therefore the protected program (2p ) was fully functional; whereas in the absence of a processing and storage device, despite the request of one fragment of the first part (2Re§) to start the execution of a stage in the processing and storage device, it is not possible to correctly answer the specified request, so that at least the specified fragment is not runs correctly, and therefore the protected program (2p) is not fully functional. 3. The method according to claim 1, characterized in that in phase (P) of protection: determine: - a set of elementary functions, the elementary functions of which can be performed in a processing and storage device, which also contains processing means (16), - and a set of elementary commands for the specified set of elementary functions, and these elementary commands can be executed in the data processing system (3), causing the elementary functions to be executed in the processing and storage device; design operating tools that allow you to convert an unused device (60) into a processing and storage device capable of performing elementary functions from the specified set, and the execution of these elementary functions is caused by the execution of elementary commands in the data processing system (3); modify the protected program (2p): - by selecting in the source code (2p§) of the protected program: at least one algorithm that during the execution of a protected program (2p) uses at least one selected variable and allows to obtain at least one resultant variable, -36005465 and at least one fragment containing at least one selected algorithm, - by modifying at least one selected code fragment (2p§) of the protected program, and the indicated modification is such that: during the execution of the protected program (2p), the first executable part (2p§) is executed in the data processing system (3), and the second executable part (2passes) is executed in the processing and storage device, at least the functionality of the at least one selected algorithm is performed by means of the second executable part (2 paths), at least one selected algorithm is decomposed in such a way that, during the execution of the protected program (2p), the specified algorithm is performed by the second executable part (2 paths) with m elementary functions, for at least one selected algorithm, elementary commands are integrated into the source code (2p§) of the protected program in such a way that during the execution of the protected program (2p) each elementary command is executed by the first executable part (2п§) and calls in the processing and storage device is executed by the second part (2 paths), an elementary function, and the ordering of elementary commands is selected among the ensemble of orderings that allow the execution of a protected we (2p) - and by creating: the first part (2po) of the object code of the protected program (2p), the first part (2po§) of the object code is such that during the execution of the protected program (2p) elementary commands are executed in accordance with the selected ordering, and the second part (2roy) of the object the code of the protected program (2p) containing the means of operation, the second part (2roy) of the object code is such that after loading into the unused device (60) during the execution of the protected program (2p) the second executable part (2ray), through which you olnyayutsya elementary functions, the triggering of which was caused by the first executable part (2re§); and load the second part (2) of the object code into the unused device (60) with obtaining the processing and storage device, and in the (And) phase of use: in the presence of a processing and storage device, whenever it is required by an elementary command contained in a fragment of the first part to be executed (2 sec), the corresponding elementary function is performed in the processing and storage device so that the specified fragment is executed correctly, and therefore the protected program (2p ) was fully functional; whereas in the absence of a processing and storage device, despite the request for a fragment of the first part (2Re§) to start execution in the processing and storage device of the elementary function, it is not possible to correctly answer the specified request, so that at least the specified fragment is not runs correctly, and therefore the protected program (2p) is not fully functional. 4. The method according to p. 2, characterized in that in phase (P) of protection: determine: - a set of elementary functions, the elementary functions of which can be performed in the processing and storage device, - and a set of elementary commands for the specified set of elementary functions, and these elementary commands can be executed in the data processing system (3), causing the elementary functions to be executed in the processing and storage device; design operating tools that allow the processing and storage device to perform atomic functions from the specified set, and the execution of these atomic functions is caused by the execution of elementary commands in the data processing system (3); and modify the protected program (2p): - by selecting in the source code (2p§) of the protected program at least one stage, which during the execution of the protected program (2p) performs the functionality of the algorithm, - by modifying at least one selected code fragment (2p§) of the protected program, and the indicated modification is such that: at least one selected stage is decomposed in such a way that during the execution of a protected program (2p), this stage is performed by the second executable part (2ray) using elementary functions, for at least one selected stage, elementary commands are integrated into the source code (2p§ ) of the protected program in such a way that during the execution of the protected program (2p) each elementary command is executed by means of the first executable part (2 §§) and calls in -37005465 processing and storage device execution through the second part (2 tray) of the elementary function, and the ordering of elementary commands is selected in the ensemble of orderings, allowing the execution of a protected program (2p), - and by creating: the first part (2po) of the object code of the protected program (2p), the first part (2po§) of the object code is such that during the execution of the protected program (2p) elementary commands are executed in accordance with the selected ordering, and the second part (2roy) of the object the code of the protected program (2p), which also contains the means of operation, and the second part (2roy) of the object code is such that after loading into the processing and storage device during the execution of the protected program (2p) the second executable part (2rei) is implemented, through which oh the elementary functions are executed, the start of which was called by the first executed part (2Re§), and in phase (I) of use: in the presence of a processing and storage device, whenever it is required by the elementary command contained in the part of the first part to be executed (2 § §), the corresponding elementary function is executed in the processing and storage device so that the specified fragment is executed correctly, and therefore the protected program ( 2p) was fully functional; whereas in the absence of a processing and storage device, despite the request of one fragment of the first part (2Re§) to start execution in the processing and storage device of the elementary function, it is not possible to correctly answer the specified request, so that at least the specified fragment is not executed correctly, and therefore the protected program (2p) is not fully functional. 5. The method according to p. 3 or 4, characterized in that in phase (P) protection: determine: at least one program execution characteristic that can be monitored at least partially in the processing and storage device, - at least one criterion that must be met for at least one characteristic of program execution, - means (17) of detection, which should be used in the processing and storage device and which make it possible to detect that at least one characteristic of program execution does not meet at least one relevant criterion, - and means (18) of coercion that should be used in the processing and storage device and which allow informing the data processing system (3) and / or modifying the execution of the program until at least one criterion is met; design means of operation, allowing the processing and storage device to use the means (17) of detection and the means (18) of coercion; and modify the protected program (2p): - by selecting at least one performance characteristic of the monitored program from among the performance characteristics that can be monitored, - by selecting at least one criterion to be fulfilled for at least one selected characteristic of program execution, - by selecting in the source code (2p§) a protected program of elementary functions for which at least one characteristic of the execution of a controlled program should be monitored, - by modifying at least one selected code fragment (2p§) of the protected program, and this modification is such that during the execution of the protected program (2p) at least one selected execution characteristic is controlled by means of the second executable part (2ray) and non-compliance with the criterion to inform the data processing system (3) and / or to modify the execution of the protected program (2p), - and by creating a second part (2roy) of the object code of the protected program (2p), containing operating tools, also using detection means (17) and means of coercion (18), with the second part (2roy) of the object code being such that after loading into the device processing and storage, during the execution of a protected program (2p), at least one characteristic of program execution is monitored and noncompliance with the criteria leads to informing the data processing system (3) and / or modifying the execution of the protected program we (2p), and in phase (I) use: in the presence of a processing and storage device: - if all the criteria that meet all the monitored characteristics of the performance of all modified fragments of the protected program (2p) are met, allow nominal functions -38005465 tion of the specified fragments of the protected program (2p) and therefore the nominal functioning of the protected program (2p), - and if at least one of the criteria that meets the characteristics of the controlled execution of one fragment of the protected program (2p) is not met, inform the data processing system (3) about the specified non-compliance and / or modify the operation of the fragment of the protected program (2p) so that The functioning of the protected program (2p) has been changed. 6. The method according to p. 5, characterized in that in order to limit the use of a protected program (2p), in phase (P) protection: determine: - as a characteristic of the execution of a program that can be monitored, a variable for the quantitative control of the use of one functionality of the program, - as a criterion that must be met, at least one threshold value associated with each variable for quantitative control, - and updating tools that allow updating at least one variable for quantitative control; - design operating tools that allow the processing and storage device to apply the updating tools; and modify the protected program (2p): - by choosing as a characteristic of the performance of the monitored program at least one variable for the quantitative control of the use of one functionality of the program, - by choosing: at least one protected program functionality (2p), the use of which can be monitored using a variable for quantitative control, at least one variable for quantitative control, which serves to quantitatively characterize the use of said functionality, at least one threshold value associated with the variable selected for quantitative control and corresponding to the use limit of the specified functionality, and at least one method of updating the value of the specified variable for quantitative control, depending on the use of the specified functionality, - and by modifying at least one selected code fragment (2p§) of the protected program, and this modification is such that during the execution of the protected program (2p), the variable for the quantitative control is updated by the second executed part (2ray) depending on the use of the specified functional capabilities and at least one threshold excess is taken into account, and in phase (I) of use, in the presence of a processing and storage device, in the case that at least bottom exceeding the threshold value corresponding to at least one limit use, inform the system (3) Data processing and / or modify the operation of the protected program fragment (2p) in such a way that operation of the protected software (2p) has been changed. 7. The method according to claim 6, characterized in that in phase (P) of protection: determine: - several corresponding threshold values for at least one variable for quantitative control, - and various means of coercion corresponding to each of the specified thresholds; and modify the protected program (2p): - by selecting in the source code (2p§) of the protected program at least one variable for the quantitative control, to which several threshold values must be associated, corresponding to different limits of use of the functionality, - by selecting at least two threshold values associated with the selected variable for quantitative control, - and by modifying at least one selected code fragment (2p§) of the protected program, and this modification is such that during the execution of the protected program (2p), exceeding the various threshold values are taken into account by the second executed part (2ray) in various ways, and in phase (I) use: in the presence of a processing and storage device: -39005465 - when an excess of the first threshold is detected, give the command to the protected program (2p) not to use the corresponding functionality, - and in the case when an excess of the second threshold is detected, the corresponding functionality and / or at least part of the protected program is made impossible (2p). 8. The method according to p. 6 or 7, characterized in that in phase (P) protection: determine the means of reboot, allowing to resolve at least one additional use of at least one functionality of the program, controlled by a variable for the quantitative control; design operating facilities that also allow the processing and storage device to use reset facilities; and modify the protected program (2p): - by selecting in the source code (2p§) of the protected program at least one variable for quantitative control, which allows to limit the use of one functionality for which it is possible to allow at least one additional use, - and by modifying at least one selected fragment, and the specified modification is such that in the reload phase at least one additional use of at least one functionality corresponding to one selected variable for the quantitative control can be allowed, and in the reload phase: update at least one selected variable for the quantitative control and at least one corresponding threshold value so as to allow at least one additional use of the functionality. 9. The method according to claim 5, characterized in that in phase (P) of protection: determine: - as a characteristic of the execution of the program that can be monitored, the profile of the use of the program, - and as a criterion that must be met - at least one sign of the program; and modify the protected program (2p): - by selecting as the characteristic of the execution of the monitored program at least one program use profile, - by selecting at least one feature of the program, which must comply with at least one usage profile, - and by modifying at least one selected code fragment (2p§) of the protected program, and this modification is such that during the execution of the protected program (2p), the second executed part (2ray) observes all the selected execution attributes, and in phase (AND) use, in the presence of a processing and storage device, if it is found that at least one performance indicator is not observed, inform the data processing system (3) and / or modify the operation of a part of the protected program (2p) so that s operation of the protected software (2p) has been changed. 10. The method according to p. 9, characterized in that in phase (P) protection: determine: - a set of instructions, instructions from the composition of which can be executed in the processing and storage device, - a set of instructions commands for the specified set of instructions, and instructions instructions can be executed in the data processing system (3) by calling the execution of instructions in the processing and storage device, - as a profile of use - coupling instructions, - as a sign of fulfillment - the desired grip for executing instructions, - as means (17) of detection - means, which make it possible to detect that the coupling of instructions does not correspond to the desired one, - as means (18) of coercion - means allowing to inform the data processing system (3) and / or modify the functioning of a fragment of a protected program (2p) if the coupling of instructions does not correspond to the desired one; design operating tools that allow the processing and storage device to execute instructions from a set of instructions, and the execution of these instructions is caused by the execution of instructions commands in the data processing system (3); -40005465 and modify the protected program (2p): - by modifying at least one selected code fragment (2p§) of the protected program: by converting elementary functions into instructions, by specifying a link, which at least some of the instructions must follow during their execution in the processing and storage device, and by converting the elementary commands into instructions commands corresponding to the instructions used; and in phase (I) of use, in the presence of a processing and storage device, if it is found that the coupling performed in the processing and storage device of instructions does not correspond to the desired one, inform the data processing system (3) and / or modify the operation of the fragment protected program (2p) so that the operation of the protected program (2p) has been changed. 11. The method according to p. 10, characterized in that in phase (P) protection: determine: - as a set of instructions, a set of instructions in which at least some instructions operate on registers and use at least one operand to produce a result, - at least for the part of the instructions working on the registers: the part (PP) defining the functionality of the instruction, and the part defining the desired concatenation for executing the instructions and containing bit fields corresponding to: Identification instruction field (C11), and instructions for each operand: the field (SI _k ) of the flag and the field (C1P _k ) of the identification provided for the operand, - for each register belonging to the means of operation and used by the instruction set, - the field (СЮ _У ) of the provided identification, in which the identification of the last instruction that returns its result to the specified register is automatically stored, - as the means (17) detecting - means to during execution of the instruction for each operand when required field (SI _k) flag control equality between the field (XU _Y) generated by the identification corresponding to registers used by said operand, and field (S1P _to ) provided identification of the initial address of this operand, - and as means (18) of coercion - means, allowing to modify the result of executing instructions, if at least one of the controlled equalities is false. 12. The method according to p. 3, 4 or 10, characterized in that: in phase (P) of protection: determine: - as a start command, an elementary command or instruction command, - as a dependent function, an elementary function or instruction, - as a setting parameter, at least one argument for the start command, corresponding at least in part to the information transmitted by the data processing system (3) to the processing and storage device in order to trigger the corresponding dependent function, - method of renaming the installation parameters, allowing you to rename the installation parameters to receive start commands with the renamed installation parameters, - and means (20) of recovery, intended for use in the processing and storage device in the (I) use phase and allowing to find a dependent function that must be performed based on the renamed setting parameter; design operating tools that allow the processing and storage device to use recovery tools; and modify the protected program (2p): - by selecting the source code of the protected program in the source code (2p§), - by modifying at least one selected code fragment (2р§) of the protected program by renaming the settings of the selected launch commands in order to hide the identity of the corresponding dependent functions, - and by creating: the first part (2po) of the object code of the protected program (2p), the first part (2po§) of the object code is such that during the execution of the protected program (2p), start commands with the renamed settings are executed, and the second part (2roi) of the object code protected program (2p) containing operating tools that also use restoration tools (20), and the second part (2roy) of the object code is such that after loading into the processing and storage device, during the execution of the protected process -41005465 grams (2p) the identity of the dependent functions, the execution of which is caused by the first performed part (2Re§), is restored by the second executed part (2ray), and the dependent functions are executed by the second executed part (2ray), and in the (And) use phase: - in the presence of a processing and storage device, whenever required by a launch command with renamed settings, contained in the fragment of the first part to be executed (2ps), the identity of the corresponding dependent function is restored in the processing and storage device and the specified fragment is executed it was executed correctly and therefore the protected program (2p) was fully functional; whereas in the absence of a processing and storage device, despite a request from a fragment of the first part (2Re§) to start execution in a processing and storage device of a dependent function, it is not possible to correctly answer the specified request, so that at least the specified fragment is not runs correctly and therefore the protected program (2p) is not fully functional. 13. The method according to p. 12, characterized in that in phase (P) protection: for at least one dependent function, a family of dependent functions is determined, algorithmically equivalent, but caused by launch commands, the renamed settings of which are different; and modify the protected program (2p): - by selecting in the source code (2p§) of the protected program at least one launch command with renamed settings, - and by modifying at least one selected code fragment (2p§) of the protected program by replacing at least the renamed setup parameters of the launch command with the selected set of settings with other renamed settings, which causes the launch of a dependent function from the same family. 14. The method according to p. 13, characterized in that it includes in phase (P) of protection the definition of at least one dependent function of a family of algorithmically equivalent dependent functions - by coupling a noise field with information defining that functional part of the dependent function that is performed in the processing and storage device, - or by using the identification instruction field (C11) and identification fields (C1P _k ) provided for the operand. 15. The method according to PP.12, 13 or 14, characterized in that in phase (P) protection is determined: - as a method for renaming settings - an encoding method for encoding settings, - and as means (20) of restoration, means using a decoding method for decoding renamed setting parameters and restoring the identity of dependent functions that need to be performed in the processing and storage device. 16. A method according to any one of claims 2 to 15, characterized in that in phase (P) of protection: modify the protected program (2p): - by selecting in the source code (2p§) of the protected program at least one conditional transition performed in at least one selected algorithm, - by modifying at least one selected code fragment (2p§) of the protected program, and this modification is such that during the execution of the protected program (2p) the functionality of at least one selected conditional transition is performed through the second executable part (2ray) in the device processing and storage, - and by creating: the first part (2р§) of the object code of the protected program (2p), and the first part (2po§) of the object code is such that during the execution of the protected program (2p) the functionality of at least one selected conditional transition is performed in the processing and storage device, and the second part (2roy) of the object code of the protected program (2p), and the second part (2roy) of the object code is such that after loading into the processing and storage device during the execution of the protected program (2p) the second executable part (2ray) is realized, stvom is performing feature at least one selected conditional jump and in phase (I) of use: in the presence of a processing and storage device, whenever it is required by a fragment of the first part to be executed (2 §), the functions of at least -42005465 one selected conditional transition in such a way that the specified fragment is executed correctly and therefore the protected program (2p) is fully functional; and in the absence of a processing and storage device, despite a request from a fragment of the first part to be executed (2Re§) to perform the conditional transition functions in the processing and storage device, it is not possible to correctly answer the specified request, so that at least the specified fragment is not executed correctly and hence the protected program (2p) is not fully functional. 17. The method according to p. 16, characterized in that in phase (P) of protection modify the protected program (2p): - by selecting in the source code (2p§) of the protected program at least one series of selected conditional jumps, - by modifying at least one selected code fragment (2p§) of the protected program, and this modification is such that during the execution of the protected program (2p) the global functionality of at least one selected series of conditional jumps is performed in the processing and storage device by means of the second executable part (2ray), - and by creating: the first part (2р§) of the object code of the protected program (2p), and the first part (2po§) of the object code is such that during the execution of the protected program (2p) the functionality of at least one selected series of conditional jumps is performed in the processing and storage device and the second part (2roy) of the object code of the protected program (2p), and the second part (2roy) of the object code is such that after loading into the processing device and storage during the execution of the protected program (2p) the second executable part (2ray) is realized by means of which the global functionality of at least one selected series of conditional transitions is performed. 18. The method according to any one of claims 1 to 17, characterized in that the phase (P) of the protection is decomposed into an input subphase (P1) of protection independent of the protected program and into an output subphase (P2) of protection dependent of the protected program. 19. The method according to p. 18, characterized in that during the input subphase (P ₁ ) of protection, a definition stage (8 ₁₁ ) is involved, in which all definitions are performed. 20. The method according to p. 19, characterized in that after the stage (8 ₁₁ ) definitions involve the design stage (8 ₁₂ ), at which the means of operation are created. 21. The method according to claim 20, characterized in that after the design stage (8 ₁₂ ), the pre-personalization stage (8 ₁₃ ) is used, consisting in loading at least a part of the operating means into the unused device (60) in order to obtain the pre-personalized device (66). 22. The method according to p. 19 or 20, characterized in that during the input subphase (P ₁ ) of protection, a stage (8 ₁₄ ) of production of means is used, at which means are produced that help in creating protected programs or automating protection of programs. 23. The method according to p. 18 or 21, characterized in that the output subphase (P ₂ ) protection laid out on: step (8 ₂₁₎ creating, based on which the vulnerable program (2ν) generated protected program (2p); possibly, stage (8 ₂₂ ) of the modification, at which the protected program is modified (2p); and possibly a stage (8 ₂₃ ) of personalization, in which: - the second part (2) of the object code of the protected program (2p), possibly containing operating tools, is loaded into at least one unused device (60) in order to receive at least one processing and storage device, - or the second part (2) of the object code of the protected program (2p), possibly containing operating tools, is loaded into at least one prepersonalized device (66) in order to receive at least one processing and storage device. 24. The method according to p. 22 or 23, characterized in that during the stage (8 ₂₁ ) of the creation and, possibly, stage (8 ₂₂ ) modifications use at least one of the means intended for use in creating protected programs or automation of protection programs. 25. The system for implementing the method according to claim 20, characterized in that it contains a software development device that serves during the design stage ( _8–12 ) for constructing operating facilities for the processing and storage device, taking into account the definitions introduced at the stage (8 ₁₁ ) definitions. 26. The system for implementing the method according to p. 21, characterized in that it contains a prepersonalization device (30), allowing to load at least part of the operating tools into at least one unused device (60) in order to obtain at least one prepersonalized device ( 66). -43005465 27. The system for implementing the method according to item 22, characterized in that it contains a software development device, which serves at the stage (8 ₁₄ ) of manufacturing means, for producing means intended for use in creating protected programs or automating program protection. 28. The system for implementing the method according to item 23 or 24, characterized in that it contains a software development device used to create or modify a protected program (2p). 29. The system for implementing the method according to item 23, characterized in that it contains a personalization device (45), allowing you to download the second part (2roy) of the object code in at least one unused device (60) in order to obtain at least one processing device and storage; or part of the second part (2) of the object code in at least one prepersonalized device (66) in order to receive at least one processing and storage device. 30. A pre-personalized device (66), characterized in that it is formed by the system in accordance with clause 26. 31. A processing and storage device that allows you to execute a protected program (2p) and prevent it from unauthorized use, characterized in that it contains the second part (2roy) of the object code of the protected program (2p) loaded using a personalization device (45), made according to .29. 32. A set of processing and storage devices, characterized in that the second part (2roy) of the object code of the protected program (2p), loaded using the personalization device (45), performed according to clause 29, is distributed among several processing and storage devices in such a way that sharing them allows you to run a protected program (2p). 33. The distribution package ensemble (2rb) of the protected program (2p), characterized in that it contains the first part of the distribution kit (2rb§) containing the first part (2po§) of the object code and intended to work in the data processing system (3), and the second part distribution kit (2rbi) in the form: an unused device (60), or a pre-personalized device (66) in accordance with clause 30, which, after downloading the personalization information, is converted into a processing and storage device, or a processing and storage device in accordance with clause 31. 34. The distribution package ensemble (2rb) of the protected program (2p) according to p. 33, characterized in that the first part of the distribution kit (2rb§) is made in the form of a distribution kit on physical media, such as a compact disk, or in the form of files transferred over the network. 35. The distribution package ensemble (2rb) of the protected program (2p) according to p. 33, characterized in that the second part of the distribution kit (2rbi) is designed as unused devices (60), prepersonalized devices (66) or processing and storage devices and contains at least At least one card (7) with a microchip. 36. A processing and storage device, characterized in that it contains a part of the second part (2roy) of the object code necessary to convert a pre-personalized device (66) according to item 30 into a processing and storage device, made according to item 31. 37. A set of processing and storage devices, characterized in that the processing and storage devices used together contain a part of the second part (2roy) of the object code necessary to convert the pre-personalized device (66) according to item 30 into a processing and storage device, made according to p.31.