The present invention relates to the field of securing executable programs against copying. More specifically, in one embodiment the invention provides security against copying in an open hardware system where access to the processor executing the program and the memory holding the program is assumed.
Securing computer programs (software) against unauthorized copying has been a concern of software developers since software was sold as a separate product. The difficulty lies in the fact that software is easily copied and any copy protection or prevention scheme must allow for the eventual copying of portions of the software if it is to be executed. Unless the software is secured in a chip (integrated circuit) which also contains the microprocessor which will execute the software, the executed portions of the software must pass from the distribution media to the processor along circuit lines which are monitorable. Thus, for a program to be secure and still be useful to its intended user, the program cannot be readily copyable in its generally available form or in the form in which it is executed by the intended user.
Recently, with the increasing need for technical support from a program's developer, the desire for complete documentation, and the fear of viruses, unauthorized copying of some software, especially critical business software, has diminished. However, where software needs no support or documentation and is used on systems where viruses cannot be transmitted, such as video game systems using video game cartridges with game software stored in read-only memory (ROM), unauthorized copying is still prevalent. All that is needed is an understanding of the circuitry used in the game cartridge and a copy of the game program.
An additional concern of the makers of video games, who typically make video game consoles and wish to limit their use to games produced by licensed software producers, is not software copying, but video game console copying to produce consoles which will execute authorized game cartridges or unauthorized, but compatible, game cartridges.
In an unprotected system, a copyist (i.e., a “software pirate” or other unauthorized analyzer or copier of the software) can easily copy program code if it is accessible. Program data, as used herein, refers to the data necessary to run the program, which includes instructions (program code), tables of values and image data used to generate screen images. Even if the program data is not easily accessible in its distributed form, a copyist might obtain it by observing a bus between the storage media which holds the program data and the processor to determine the program code. Thus, encryption of the program data alone does not provide real protection, since it must be decoded eventually to be used. Where the program data is stored on video game cartridges and the processor is on a video game console, analyzing the program data is simplified, since the interface between the storage media and the processor is readily available without any hidden communication. In many video game consoles, the entire bus of the CPU is readily available for analysis. This particular problem, of course, extends to all forms of program storage media which are detachable, not just video game cartridges.
Many copy protection systems are a deterrent to casual copyists, but not to determined copyists, who might be willing to spend large sums of money and time to break a copy protection scheme in order to be able to manufacture large numbers of unauthorized copies of a program. For some casual copyists, it is enough to include software-only copy protection, such as the use of secret files or codes not normally accessed or observed by a casual copyist. Many casual copyists will also forgo copying when copying involves construction of cartridges, since this requires the ability to make plastic cases and circuit boards. However, the most determined copyists of cartridges are those who plan to make large numbers of cartridges for sale and thus have the ability to make cartridges once the program data is copied.
Software-only copy protection systems, which might use an undocumented portion of the program data media to store hidden codes, generally rely on “security through obscurity” to prevent only those who are not aware of the copy methods from making workable copies. Therefore, when the goal is to stop large-scale and educated copyists, software-only protection is not viable. Fortunately, where the program data is distributed on media containing hardware elements, as is the case with video game cartridges, hardware copy protection can be included on the cartridge.
Many hardware protection systems rely on the presence of a hardware circuit or device which signals the existence of an authorized copy of the program. The program, when executed, runs a routine to check for the existence of the authorization device. If the authorization device is not present, the program refuses to continue or performs some other undesirable action. These protection systems are open to two methods of attack, both of which could render the protection ineffective.
In a first type of attack, a copyist would analyze the circuitry of the hardware authorization device to determine its essential elements and from that information make duplicate, unauthorized authorization devices. Even if the details of the authorization device are buried in a custom integrated circuit, the integrated circuit could be examined under a microscope layer-by-layer using a chemical peeling process to resolve the circuit features. The operation of the authorization device might also be observed by slowing down or speeding up both the authorization device circuitry and the processor to aid in the detailed analysis of one operation or the high-speed analysis of many passes over the program.
In a second type of attack, the copyist attempts to modify the software routines which check for the existence of the authorization device so that the routines always report back that the authorization device is in place, whether or not it actually is. With a readily-available logic analyzer attached to a microprocessor running a program, a copyist can run the processor at a slow speed and have the logic analyzer record all instructions executed by the microprocessor and all the data traffic to and from the microprocessor, then use this information to determine the flow of the program. If the flow of the program is recorded both with the authorization device in place (simulating an authorized use) and without the authorization device in place (simulating an unauthorized use), the copyist can compare the flows and determine where in the program the decision is made as to whether the authorization device is in place. Once that location is determined, the software at that location could be modified so that the routine which tests for the presence of the authorization device never fails. This can often be done by replacing one conditional jump instruction with an unconditional jump or a NOP (null operation).
Therefore, what is needed is an apparatus which allows a processor to execute program code, over a possibly insecure bus, while requiring an impractical amount of work on the part of a copyist to reproduce the program data for use apart from the apparatus or to reproduce the apparatus.