In particular, the protection sought aims to prevent reverse engineering of the program. The object of reverse engineering is to identify the design of the program in order to copy, modify or hack it, often without the consent of the authors and/or holders of same.
A virtual machine is a computer device which is capable of executing a program stored in the form of a series of instructions and which, when the program is being executed, translates each instruction into a sequence of primary operations and carries out each of these operations. Such a machine makes it possible to separate the interface by means of which the program is stored or transmitted from the platform which carries out the primary operations.
The invention may be applied in particular to protecting a program which is written in Java Card language. Such a program is called an applet and its constituting instructions are op-codes, for “operation code”, in the Java Card jargon.
In many fields which use computer programs to perform particular tasks, it is necessary to protect these programs in order to prevent them being modified beyond their original design or official purpose. Such programs may be used for the communication of data, in particular confidential data, for carrying out banking operations, in the field of computer games, etc. The series of instructions which constitute these programs must therefore be kept confidential, in order to prevent some of these instructions from being able to be modified to hack the program, or change a result produced when the program is being executed.
It is possible to retrieve the series of instructions which constitute a program by detecting variations of certain physical values which are caused by executing the program in an electronic device. These physical values may be, in particular, the power consumption of the device, or the electromagnetic field which is produced by the device. In the jargon of a person skilled in the art, these physical values which make it possible to identify the program instructions by executing the latter are called “side channels”.
In order to retrieve program instructions which are initially unknown, it is thus possible to arrange field sensors close to the device executing the program and to measure, in real time while the program is being executed, the variations in the electromagnetic field caused by the operations carried out by the device. Variation sequences of the field are thus detected, which can then be compared to previously-indexed variation sequences. In this way, the successive instructions which constitute the program can be identified one by one. The program thus revealed in the form of the series of instructions can then be modified, in particular for fraudulent or malicious purposes. The program instructions can similarly be identified by detecting the variations in the power consumption of the device which are caused by the operations carried out while the program is being executed.
It is known to make the identification of the program instructions from the side channels more difficult by controlling the performance of additional instructions while the program is being executed. Such additional operations do not participate in obtaining a result of the program being executed, and have the sole function of interfering with the side channels. However, adding supplementary operations which depend only on the instruction in the process of being carried out does not effectively interfere with an identification of the instructions based on indexed variation sequences of the side channels.
For this reason, it is also known to carry out an interference operation by controlling the realization of randomly-selected supplementary operations while the program is being executed. The significant variations of the side channels which correspond to the operations actually linked to the result of the program being executed are then distributed among the variations which correspond to the operations which are extraneous to the result, but which are carried out to interfere with the significant variations. However, the significant variations can still be isolated by executing the program a large number of times, and calculating an average and/or a correlation of the variations of the side channels which are detected during successive executions of the program. Indeed, due to their random nature, the additional instructions which are added for interference make a zero contribution to the averages and/or correlations carried out. The program instructions can thus still be identified, in spite of the interference.
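The averaging effect described above can be reproduced with a small simulation, given here as an added example that is not part of the original text. It assumes a constructed leakage model (one fixed amplitude per op-code, zero-mean uniform interference) and a constructed sample program, and lets a designer estimate how many averaged executions a purely random interference withstands.

```python
import random
import statistics

# Constructed leakage model: one fixed side-channel amplitude per op-code.
SIGNATURES = {"push": 1.0, "add": 2.0, "load": 3.0, "store": 4.0}
# Constructed sample program (series of op-codes).
PROGRAM = ["load", "push", "add", "store", "load", "add"]

def measure(program, noise_amplitude, rng):
    """One simulated execution: fixed signature plus zero-mean random interference."""
    return [SIGNATURES[op] + rng.uniform(-noise_amplitude, noise_amplitude)
            for op in program]

def averaged_trace(program, runs, noise_amplitude, rng):
    """Point-wise mean of the side channel over `runs` executions."""
    traces = [measure(program, noise_amplitude, rng) for _ in range(runs)]
    return [statistics.fmean(column) for column in zip(*traces)]

def classify(trace):
    """Match each sample to the nearest previously-indexed signature."""
    return [min(SIGNATURES, key=lambda op: abs(SIGNATURES[op] - sample))
            for sample in trace]

def recovery_rate(runs, noise_amplitude=5.0, seed=1):
    """Fraction of op-codes identified correctly from the averaged trace."""
    rng = random.Random(seed)
    guess = classify(averaged_trace(PROGRAM, runs, noise_amplitude, rng))
    return sum(g == op for g, op in zip(guess, PROGRAM)) / len(PROGRAM)

def residual_noise(runs, noise_amplitude=5.0, seed=1):
    """Largest deviation of the averaged trace from the true signatures."""
    rng = random.Random(seed)
    avg = averaged_trace(PROGRAM, runs, noise_amplitude, rng)
    return max(abs(a - SIGNATURES[op]) for a, op in zip(avg, PROGRAM))

if __name__ == "__main__":
    for runs in (1, 10, 100, 5000):
        print(runs, recovery_rate(runs), round(residual_noise(runs), 3))
```

The interference amplitude here is five times the spacing between signatures, yet the residual shrinks roughly as the inverse square root of the number of runs, so the signatures separate again once enough executions are averaged.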
An object of the present invention is therefore to effectively protect a program interpreted by a virtual machine by preventing the instructions of this program from being identified by reverse engineering.