1. Field of the Invention
The present invention generally relates to the provision of security for computer software applications and, more particularly, to arrangements for preventing observation of the behavior of applications programs by unauthorized personnel.
2. Description of the Prior Art
The number and diversity of computer applications software have proliferated during the past few years. Hardware developments have allowed the functionality of such applications programs to be greatly expanded and, consequently, the amount of code that must be written and other development costs have increased greatly. During the same period, software vendors have become increasingly aware of the value of such programs that may be lost through unauthorized duplication. Accordingly, it is now common practice for software vendors to require registration of individual program copies, or to sell site licenses to particular users, and to include features in the program which prevent the running of the application, or major portions thereof, by persons other than those to whom the program copy is registered.
Registration of software is generally enforced by disabling large portions of the software unless access is authorized in accordance with the registration. In much the same manner, it is common practice to promote sales of software by providing it to the user, possibly on-line, in a form with reduced functionality similar to that of a demonstration copy, which can be run sufficiently for a potential purchaser to decide whether or not to purchase it. Initially disabled functions are then enabled remotely upon purchase, payment and registration. Distribution of software in such a convertible form also avoids the need to produce a separate version as a demonstration copy and the potential for corruption of one copy with another.
However, while such features have developed a level of sophistication and complexity and have achieved a good level of security, it is axiomatic that any such feature can be defeated by modification of the application program to bypass it. The process by which functionality of protected software and access to protected functions are restored is generally referred to as "hacking", a term also generally applied to the defeat of password protection, user identification or verification and the like. The process of modifying the program is often referred to as "patching". The quality of making such modification of the program by hacking difficult is referred to as "tamper resistance". Of course, "tamper resistance" is a desirable quality for many types of software, such as databases, as well as application programs.
Creation of tamper resistant software often involves the concept of privilege levels incorporated in the processor and so-called privileged instructions. Privileged instructions are generally required to allow access to restricted features of the processor architecture. For example, privileged instructions or functions may include the loading and unloading of protected dedicated debug registers in the processor, hooking of interrupt vectors and processing of critical operating system (OS) memory areas, as well as input/output (I/O) functions. These privileged functions are controlled (e.g. requested) by the application at a low privilege level but are actually performed by other structure or software at a higher privilege level, through more privileged operating system components, during normal operation of the application program. In particular, execution of I/O functions is restricted to the highest privilege level(s) of the OS and can only be requested, not performed, by applications executing at lower privilege levels.
That is, to make application software more secure, consistent with software development requirements, it is often necessary to develop a privileged companion software module (usually in the form of a device driver) which works in tandem with the application and performs these privileged operations on behalf of the less privileged application. When the application has a need (or should have a need, as determined by the programmer) to verify system integrity or to determine if certain types of tampering have occurred, the application can make a call to the privileged module to perform these services. Unfortunately, such an organization and its relatively widespread use make the interface between the application and the privileged module a logical point of attack for attempting to defeat a security feature. For example, patching out the security related calls to the privileged module would, in many cases, defeat the tamper resistance and integrity check functions they are intended to perform.
While no form of tamper resistance is completely secure, it is generally recognized that the greater the level of complexity that can be provided in such measures (e.g. by inclusion of more techniques, traps and interdependencies) within the application and the corresponding privileged module, the lower the likelihood of success in defeating them within a given amount of time and effort to compromise application or data integrity or to obtain access to secrets contained therein. Unfortunately, such complexity may also compromise the reliability and/or stability of the software application (or, for example, the robustness of a database and/or error recovery systems) as well as the execution speed and efficiency of the software itself. Therefore, there has heretofore been an unavoidable trade-off between efficiency of application execution and security of the application itself and its data.
It is therefore an object of the present invention to provide a technique of increasing security for software by detection of tampering and termination of execution and/or corruption of files when tampering is detected.
It is another object of the present invention to provide effective security for software without significant compromise of execution efficiency of the software.
It is a further object of the invention to prevent the observation of software behavior by unauthorized persons.
It is yet another object of the invention to prevent unauthorized enablement or observation of disabled or protected portions of software.
In order to accomplish these and other objects of the invention, a method is provided for providing tamper resistance in software running on a processor having a plurality of differentiated sections, a first differentiated section being capable of performing a function not available on a second differentiated section, and software containing commands for performing the method is provided. The method comprises the steps of incrementing a first pseudo-random binary sequence generator associated with the second differentiated section; calling the function in the first differentiated section from the second differentiated section; incrementing a second pseudo-random binary sequence generator associated with the first differentiated section; performing the function (which may include a comparison of pseudo-random sequence values, and may or may not include one or more operations in addition to the incrementing of a pseudo-random binary sequence generator); comparing the pseudo-random binary sequence values in said first and second pseudo-random binary sequence generators; and controlling execution of said software in accordance with a result of the comparison.
In accordance with another aspect of the invention, a method for providing tamper resistance in software running on a processor having a plurality of differentiated sections, one differentiated section being capable of performing a function not available on another differentiated section, and software containing commands for performing the method are provided, comprising the steps of altering data using an algorithm and a pseudo-random binary sequence value in a first differentiated section, and altering the data using an inverse algorithm and a pseudo-random binary sequence value at said another differentiated section, whereby data altered by said algorithm is restored only when the pseudo-random binary sequence values of said first differentiated section and said another differentiated section are the same.
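The following is an added illustration of both aspects described above (the synchronized pair of pseudo-random binary sequence generators, and the data altered in one section and restored in the other); it is not code from the patent. It assumes a 16-bit linear feedback shift register as the sequence generator, XOR with the current sequence value as the (self-inverse) altering algorithm, and a hypothetical application ("second differentiated section") calling into a hypothetical privileged module ("first differentiated section"); the generator taps, seed, request names and sample text are all assumptions. The tampered path models an attacker who has patched out one call into the privileged module while the application-side increment that precedes it still executes, so the two generators fall out of step and the module can no longer restore the application's data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pseudo-random binary sequence generator: a 16-bit Fibonacci LFSR with
 * taps 16,14,13,11 (maximal length, period 65535, so consecutive states
 * are never equal). The patent names no particular generator; this one,
 * its width and its seed are assumptions for the illustration. */
typedef struct { uint16_t state; } prbs_t;

static void prbs_seed(prbs_t *g, uint16_t seed) { g->state = seed ? seed : 0xACE1u; }

static uint16_t prbs_step(prbs_t *g) {
    uint16_t s = g->state;
    uint16_t bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1u;
    g->state = (uint16_t)((s >> 1) | (bit << 15));
    return g->state;
}

/* Hypothetical privileged companion module ("first differentiated
 * section", e.g. a device driver). It owns the second generator. */
typedef struct { prbs_t gen; } priv_module_t;

/* Hypothetical application ("second differentiated section"). It owns the
 * first generator and can only request the privileged function. */
typedef struct { prbs_t gen; priv_module_t *drv; } app_t;

static void system_init(app_t *app, priv_module_t *drv, uint16_t seed) {
    prbs_seed(&app->gen, seed);
    prbs_seed(&drv->gen, seed);       /* both sides start in step */
    app->drv = drv;
}

/* Altering "algorithm": XOR each byte with the section's current sequence
 * value. XOR is its own inverse, so the same routine serves as the inverse
 * algorithm; the patent does not specify the algorithm. */
static void prbs_xor(uint8_t *buf, size_t n, uint16_t key) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= (uint8_t)(key >> (8 * (i & 1)));
}

/* Two request kinds: an increment-only integrity call, and a call that
 * carries data the privileged module must restore before using it. */
typedef enum { REQ_SYNC, REQ_RESTORE } req_kind_t;

/* Privileged function: every request steps the module's generator; a data
 * request is additionally un-altered with the module's own value. */
static void priv_request(priv_module_t *drv, req_kind_t kind, uint8_t *buf, size_t n) {
    uint16_t v = prbs_step(&drv->gen);
    if (kind == REQ_RESTORE) prbs_xor(buf, n, v);
}

/* Genuine call path: step the application's generator, alter any data with
 * the application's value, then call the privileged module. */
static void app_request(app_t *app, req_kind_t kind, uint8_t *buf, size_t n) {
    uint16_t v = prbs_step(&app->gen);
    if (kind == REQ_RESTORE) prbs_xor(buf, n, v);
    priv_request(app->drv, kind, buf, n);
}

/* Tampered call path: identical, except the call into the privileged
 * module has been patched out (e.g. the call instruction NOPed). */
static void app_request_patched(app_t *app, req_kind_t kind, uint8_t *buf, size_t n) {
    uint16_t v = prbs_step(&app->gen);
    if (kind == REQ_RESTORE) prbs_xor(buf, n, v);
    /* priv_request(app->drv, kind, buf, n);   <- removed by the attacker */
}

/* Comparison step of the first aspect: execution may continue only when
 * the two generators hold the same value. */
static bool app_integrity_ok(const app_t *app) {
    return app->gen.state == app->drv->gen.state;
}

#define MSG "secret payload"   /* constructed sample data, 15 bytes with NUL */

/* Scenario: three genuine sync calls, a fourth sync call that is genuine or
 * patched out, then a data call. The bytes handed back by the privileged
 * module are copied to out[sizeof MSG]; the integrity result is returned. */
static bool scenario(bool patched, uint8_t out[sizeof MSG]) {
    app_t app; priv_module_t drv;
    system_init(&app, &drv, 0xACE1u);

    for (int i = 0; i < 3; i++) app_request(&app, REQ_SYNC, NULL, 0);
    if (patched) app_request_patched(&app, REQ_SYNC, NULL, 0);
    else         app_request(&app, REQ_SYNC, NULL, 0);

    uint8_t buf[sizeof MSG];
    memcpy(buf, MSG, sizeof MSG);
    app_request(&app, REQ_RESTORE, buf, sizeof buf);   /* app alters, module restores */
    memcpy(out, buf, sizeof MSG);
    return app_integrity_ok(&app);
}

int main(void) {
    uint8_t out[sizeof MSG];
    bool ok = scenario(false, out);
    printf("genuine: integrity=%s data=%s\n", ok ? "ok" : "FAIL",
           memcmp(out, MSG, sizeof MSG) == 0 ? "restored" : "corrupted");
    ok = scenario(true, out);
    printf("patched: integrity=%s data=%s\n", ok ? "ok" : "FAIL",
           memcmp(out, MSG, sizeof MSG) == 0 ? "restored" : "corrupted");
    return 0;
}
```

Because a maximal-length LFSR never repeats a state within its period, a single missed call leaves the privileged module exactly one step behind the application, so the data request is restored with the wrong value and the comparison fails; an attacker must therefore also remove the application-side increment at every patched site, and in a real deployment those increments can be scattered through the application rather than kept beside the call.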