FR2828304A1 - Protection of software against unauthorized use, reproduction or alteration, e.g. for protection of chip card software or software protected by a material key associated with a USB port using a temporal dissociation principle - Google Patents

Abstract

Method for creation of protected software wherein: a processing algorithm is selected; protected source code is generated from the vulnerable source code by modifying it using the selected algorithm with an operand supplied to the executing data processing unit that implements the algorithm using said operand and provision of an output result from the unit to a data processing system. The invention also relates to a corresponding system, data processing unit and assembly for distribution of protected software.

Description

<Desc / Clms Page number 1>

 The present invention relates to the technical field of data processing systems in the general sense and more specifically to the means for protecting, against unauthorized use, software running on said data processing systems.

 The object of the invention is, more particularly, the means for protecting software against unauthorized use, from a processing and storage unit, such a unit being commonly embodied by a smart card or by a device. hardware key on USB port.

 In the technical field above, the main disadvantage concerns the unauthorized use of software by users who have not paid license fees. This unlawful use of software causes obvious harm to software publishers, software distributors and / or anyone incorporating such software into products. To avoid such illicit copies, it has been proposed in the state of the art, various solutions to protect software.

 Thus, it is known a protection solution consisting in implementing a hardware protection system, such as a physical element called a protection key or "dongle" in English terminology. Such a protection key should guarantee the execution of the software only in the presence of the key. However, it must be noted that such a solution is inefficient because it has the disadvantage of being easily contumable. A malicious person or hacker may, using specialized tools, such as disassemblers, remove control instructions from the protection key. It then becomes possible to make illicit copies corresponding to modified versions of the software no longer protected. In addition, this solution can not be generalized to all software, since it is difficult to connect more than two protection keys on the same system.

 The object of the invention is precisely to remedy the drawbacks stated above by proposing a method for protecting software against unauthorized use, from an ad hoc processing and storage unit, insofar as the presence of such a unit is necessary for the software to be fully functional.

<Desc / Clms Page number 2>

To achieve such an objective, the object of the invention relates to a method for protecting, from at least one blank unit comprising at least processing means and storage means, software vulnerable to its unauthorized use, said vulnerable software running on a data processing system. The method according to the invention consists: in a protection phase: to create a protected software: - by choosing, at least an algorithmic processing which, during the execution of the vulnerable software, uses at least one operand and makes it possible to obtain at least one result, - by choosing at least a portion of the source of the vulnerable software containing at least one chosen algorithmic processing, - by producing the source of the protected software from the source of the vulnerable software, by modifying at least a selected portion of the source of the vulnerable software to obtain at least a modified portion of the source of the protected software, this modification being such that: when running the protected software a first execution part is executed in the data processing system and a second execution part is executed in a unit, obtained from the blank unit after loading information,> the second part of exec ution executes at least the functionality of at least one chosen algorithmic processing,> at least one selected algorithmic processing is decomposed so that during the execution of the protected software appear by means of the second execution part, several distinct steps, to know :
0 the provision of at least one operand for the unit,
0 the realization by the unit of the functionality of the algorithmic processing on at least this operand,
0 and optionally, the provision of at least one result, by the unit for the data processing system,

<Desc / Clms Page number 3>

 for at least one selected algorithmic processing, step commands are defined so that during the execution of the protected software, each step command is executed by the first execution part and triggers, in the unit, the execution by means of the second execution part, of a step,> and a scheduling of the step commands is chosen from among the set of authorizations allowing the execution of the protected software, - and by producing:> a first part object of the protected software, from the source of the protected software, this first object part being such that during the execution of the protected software, appears a first part of execution which is executed in the data processing system and whose at least one portion takes into account that the commands of steps are executed according to the chosen scheduling,> and a second object part of the protected software, this second object part being such that after loading the blank unit and executing the protected software, the second execution part by which the steps triggered by the first execution part are executed, and loading the second object part in the blank unit, in order to obtain the unit, and in a use phase during which the protected software is executed: 'in the presence of the unit and each time a contained step command in a portion of the first execution part requires it, to execute the corresponding step in the unit, so that this portion is executed correctly and that, therefore, the protected software is fully functional, and absence of the unit, despite the request for a portion of the first execution part to trigger the execution of a step in the unit, not to

<Desc / Clms Page number 4>

 not be able to respond correctly to this request, so that at least this portion is not executed correctly and, therefore, the protected software is not fully functional.

 According to a preferred embodiment, the method according to the invention consists: in the protection phase: to modify the protected software: - by choosing at least one variable used in at least one selected algorithmic processing, which during the execution of the protected software, partially defines the state of the protected software, - by modifying at least a selected portion of the source of the protected software, this modification being such that during the execution of the protected software, at least one selected variable or at least one copy of chosen variable resides in the unit, - and producing:> the first object part of the protected software, this first object part being such that during the execution of the protected software, at least a portion of the first execution part also takes into account that at least one variable or at least one variable copy resides in the unit,> and the second object part of the protected software, this second party e object being such that, after loading in the unit and during the execution of the protected software, appears the second execution part by means of which at least one selected variable, or at least one copy of chosen variable also resides in the unit, and in the use phase: 'in the presence of the unit each time a portion of the first execution part imposes it, to use a variable or a copy of variable residing in the unit, so that this portion is executed correctly and that, therefore, the protected software is fully functional, * and in the absence of the unit, despite the request for a portion of the first execution part of use a variable or copy of a resident variable

<Desc / Clms Page number 5>

 in the unit, to be unable to respond correctly to this request, so that at least this portion is not executed correctly and that, therefore, the protected software is not fully functional.

 According to another preferred embodiment, the method according to the invention consists: in the protection phase: to define: a set of elementary functions whose elementary functions are capable of being executed in the unit; and a set of elementary commands for this set of elementary functions, these elementary commands being able to be executed in the data processing system and to trigger the execution in the unit, elementary functions, operation allowing the unit to perform the basic functions of said game, the execution of these basic functions being triggered by the execution in the data processing system, elementary commands, and modifying the protected software: modifying at least a selected portion of the source of the protected software, this modification being such that: at least one step is decomposed e such that during the execution of the protected software, this step is executed by means of the second execution part, using elementary functions,> for at least one decomposed step, elementary commands are integrated in the source of the protected software, so that during the execution of the protected software, each elementary command is executed by the first execution part and triggers in the unit, the execution by means of the second execution part, of a elementary function,> and a scheduling of the elementary commands is chosen from among all the orders allowing the execution of the

<Desc / Clms Page number 6>

 protected software, - and by producing:> the first object part of the protected software, this first object part being such that during the execution of the protected software, at least a portion of the first execution part also executes the basic commands according to the chosen scheduling,> and the second object part of the protected software also containing the operating means, this second object part being such that, after loading in the unit and during the execution of the protected software, the second part appears by means of which the elementary functions triggered by the first execution part are also executed, and in the use phase: in the presence of the unit and each time an elementary command contained in a portion of the first execution part requires it, to execute the corresponding elementary function in the unit, so that this portion is executed correctly and that, therefore, the protected software is fully functional, * and in the absence of the unit, despite the request for a portion of the first execution part, to trigger the execution of a basic function in the unit, to not be able to respond correctly to this request, so that at least this portion is not executed correctly and that, therefore, the protected software is not fully functional.

 According to another preferred embodiment, the method according to the invention consists: in the protection phase: to define: - at least one software execution characteristic, which can be monitored at least partly in the unit, at least one criterion to respect for at least one software execution characteristic, detection means to be implemented in the unit and allowing

<Desc / Clms Page number 7>

 detecting that at least one software execution characteristic does not comply with at least one associated criterion, and coercion means to be implemented in the unit and making it possible to inform the data processing system and / or to modify the execution of a software, when at least one criterion is not respected, to construct the means of exploitation allowing the unit, to also implement the means of detection and the means of coercion, and to modify the protected software: - by choosing at least one software execution characteristic to be monitored, among the execution characteristics that can be monitored, - by choosing at least one criterion to respect for at least one execution characteristic of chosen software, - by choosing in the source of the protected software, elementary functions for which at least one chosen software execution characteristic, is to be monitored, t at least a selected portion of the source of the protected software, this modification being such that during the execution of the protected software, at least one selected execution characteristic is monitored by means of the second execution part, and the non-compliance of a criterion results in information of the data processing system and / or modification of the execution of the protected software, and producing the second object part of the protected software containing the operating means also implementing the means detection and coercion means, this second object part being such that, after loading in the unit and during the execution of the protected software, at least one software execution characteristic is monitored and the non-compliance with a criterion results in information of the data processing system and / or modification of the execution of the protected software,

<Desc / Clms Page number 8>

and in the utilization phase: in the presence of the unit: - as long as all the criteria corresponding to all the monitored performance characteristics of all the modified portions of the protected software are respected, to allow the nominal operation of these portions of the protected software and therefore to allow the nominal operation of the protected software, - and if at least one of the criteria corresponding to a monitored execution characteristic of a portion of the protected software is not respected, to inform the processing system of data and / or to modify the operation of the portion of the protected software, so that the operation of the protected software is modified.

- et des moyens d'actualisation permettant de mettre à jour au moins une variable de mesure, 'à construire les moyens d'exploitation permettant à l'unité de mettre aussi en oeuvre les moyens d'actualisation, 'et à modifier le logiciel protégé : - en choisissant en tant que caractéristique d'exécution de logiciel à surveiller, au moins une variable de mesure de l'utilisation d'une fonctionnalité d'un logiciel, - en choisissant : > au moins une fonctionnalité du logiciel protégé dont l'utilisation est susceptible d'être surveillée grâce à une variable de mesure, According to an alternative embodiment, the method according to the invention consists: in the protection phase: to be defined: as a software execution characteristic that can be monitored, a variable for measuring the use a functionality of a software, - as a criterion to be respected, at least one threshold associated with each measurement variable,

and updating means making it possible to update at least one measurement variable, to construct the operating means enabling the unit to also implement the updating means, and to modify the protected software by choosing, as a software execution characteristic to be monitored, at least one variable for measuring the use of a software functionality, by choosing: at least one feature of the protected software of which use is likely to be monitored by a measurement variable,

<Desc / Clms Page number 9>

 at least one measurement variable serving to quantify the use of said functionality, at least one threshold associated with a chosen measurement variable corresponding to a limit of use of said functionality, and at least one updating method. of a measurement variable chosen according to the use of said functionality, and by modifying at least a selected portion of the source of the protected software, this modification being such that, during the execution of the protected software, the variable of measurement is updated by means of the second execution part, depending on the use of said functionality and at least one threshold overrun is taken into account, and in the use phase, in the presence of the unit, and in the case where at least one threshold violation corresponding to at least one utilization limit is detected, to inform the data processing system and / or to modify the operation of the portion of the data u protected software, so that the operation of the protected software is changed.

 According to an alternative embodiment, the method according to the invention consists in: - 7 in the protection phase: 'to be defined: - for at least one measurement variable, several associated thresholds, - and different coercion means corresponding to each of these thresholds, * and to modify the protected software: - by choosing in the source of the protected software, at least one chosen measurement variable to which must be associated several thresholds corresponding to different limits of use of the functionality, - by choosing at least two thresholds associated with the selected measurement variable, and modifying at least a selected portion of the source of the protected software, this modification being such that, during the execution of the protected software, the exceedances of the various thresholds are taken into account.

<Desc / Clms Page number 10>

 account, using the second execution part, differently, and in the use phase: in the presence of the unit: - in the case where it is detected the exceeding of a first threshold, to enjoin the protected software to no longer use the corresponding functionality, - and in the case where it is detected the exceeding of a second threshold, to render inoperative the corresponding functionality and / or at least a portion of the protected software.

 According to an alternative embodiment, the method according to the invention consists in: - 7 in the protection phase: 'to define reloading means making it possible to credit at least one additional use for at least one software functionality monitored by a measurement variable , to construct the operating means also allowing the unit to implement the reloading means, and to modify the protected software: - by choosing in the source of the protected software, at least one selected measurement variable allowing to limit the use of a feature to which at least one additional use must be able to be credited, and by modifying at least a selected portion, this modification being such that in a so-called recharging phase, at least one additional use of unless a function corresponding to a chosen measurement variable can be credited, and in the reload phase: to updating at least one selected measurement variable and / or at least one associated threshold, so as to allow at least one additional use of the functionality.

 According to an alternative embodiment, the method according to the invention consists of:

<Desc / Clms Page number 11>

- 7 dans la phase de protection : à définir : - en tant que caractéristique d'exécution de logiciel susceptible d'être surveillée, un profil d'utilisation de logiciel, - et en tant que critère à respecter, au moins un trait d'exécution de logiciel, 'et à modifier le logiciel protégé : - en choisissant en tant que caractéristique d'exécution de logiciel à surveiller au moins un profil d'utilisation de logiciel,

- en choisissant au moins un trait d'exécution qu'au moins un profil d'utilisation choisi doit respecter, - et en modifiant au moins une portion choisie du source du logiciel protégé, cette modification étant telle que, lors de l'exécution du logiciel protégé, la seconde partie d'exécution respecte tous les traits d'exécution choisis, et dans la phase d'utilisation en présence de l'unité, et dans le cas où il est détecté qu'au moins un trait d'exécution n'est pas respecté, à en informer le système de traitement de données et/ou à modifier le fonctionnement de la portion du logiciel protégé, de sorte que le fonctionnement du logiciel protégé est modifié.

- 7 in the protection phase: to be defined: - as a software performance characteristic that can be monitored, a software usage profile, - and as a criterion to be met, at least one dash of executing software, and modifying the protected software: - by choosing as a software execution characteristic to monitor at least one software usage profile,

by choosing at least one execution feature that at least one chosen usage profile must respect, and modifying at least a selected portion of the source of the protected software, this modification being such that, when executing the protected software, the second execution part respects all the selected execution features, and in the use phase in the presence of the unit, and in the case where it is detected that at least one execution feature is not respected, to inform the data processing system and / or to modify the operation of the portion of the protected software, so that the operation of the protected software is modified.

 According to an alternative embodiment, the method according to the invention consists of: - 7 in the protection phase: to define: - a set of instructions whose instructions are likely to be executed in the unit, - a set of commands instructions for this set of instructions, these command commands being able to be executed in the data processing system and to trigger in the unit the execution of the instructions, - as a usage profile, the sequence of instructions, - as an execution feature, a desired sequence for

<Desc / Clms Page number 12>

 the execution of the instructions, - as detection means, means for detecting that the sequence of instructions does not correspond to that desired, - and as means of coercion, means for informing the system of data processing and / or modify the operation of the protected software portion when the sequence of instructions does not correspond to that desired, * to build the operating means also allowing the unit to execute the instructions of the game instructions, execution of these instructions being triggered by execution in the data processing system, instruction commands, and modifying the protected software: - by modifying at least a selected portion of the source of the protected software :> by transforming the elementary functions into instructions,> by specifying the sequence that must be followed at least some of the instructions during their execution in the unit,> and by transforming the elementary commands into instructions commands corresponding to the instructions used, and in the use phase, in the presence of the unit, in the case where it is detected that the sequence of instructions executed in the unit does not correspond to that desired, to inform the data processing system and / or to modify the operation of the portion of the protected software, so that the operation of the protected software is changed.

 According to an alternative embodiment, the method according to the invention consists: in the protection phase: to define: as a set of instructions, a set of instructions of which at least certain instructions work on registers and use at the same time minus one operand to render a result, - for at least part of the instructions working on registers:

<Desc / Clms Page number 13>

a part defining the functionality of the instruction, and a part defining the desired sequence for the execution of the instructions and comprising bit fields corresponding to:
0 an identification field of the instruction,
0 and for each operand of the instruction: * a flag field, * and an intended identification field of the operand, for each register belonging to the operating means and used by the set of instructions, a field of generated identification in which is automatically stored the identification of the last instruction that has returned its result in this register, - as means of detection, means allowing, during the execution of an instruction, for each operand, when the flag field imposes it, to control the equality between the generated identification field corresponding to the register used by this operand, and the intended field of identification of the origin of this operand, - and as means of coercion, means for modifying the result of the instructions, if at least one of the controlled equalities is false.

 According to another preferred embodiment, the method according to the invention consists in: - 7 in the protection phase: to be defined: - as a triggering command, an elementary command or an instruction command, - as a a dependent function, an elementary function or an instruction, as a setpoint, at least one argument for a triggering command, corresponding at least in part to the information transmitted by the data processing system to the unit , in order to

<Desc / Clms Page number 14>

 trigger the execution of the corresponding dependent function, - a method of renaming instructions for renaming the instructions to obtain trigger commands with renamed instructions, - and recovery means to be implemented in the unit at during the use phase, and making it possible to find the dependent function to be performed, from the renamed instruction, to build operating means enabling the unit to also implement the recovery means, and to modify the protected software: - by choosing in the source of the protected software, triggering commands, - by modifying at least a chosen portion of the source of the protected software by renaming the instructions of the selected triggering commands, in order to conceal the identity of the functions corresponding dependents, - and by producing:> the first object part of the protected software, this first object part such that when executing the protected software, the trigger commands with renamed setpoints are executed,> and the second object part of the protected software containing the operating means also implementing the recovery means, this second object part being such that, after loading into the unit and during the execution of the protected software, the identity of the dependent functions whose execution is triggered by the first execution part is reestablished by means of the second execution part, and the dependent functions are executed by means of the second execution part, and in the use phase: in the presence of the unit and whenever a trigger command with a renamed setpoint, contained in a portion of the first part

<Desc / Clms Page number 15>

 executes it, to restore in the unit, the identity of the corresponding dependent function and to execute it, so that this portion is executed correctly and that, therefore, the protected software is fully functional, and in the absence of the unit, despite the request for a portion of the first execution part, to trigger the execution of a dependent function in the unit, to not be able to respond correctly to this request, so that at least this portion is not executed correctly and, therefore, the protected software is not fully functional.

 According to an alternative embodiment, the method according to the invention consists in: - 7 in the protection phase: * to be defined for at least one dependent function, a family of dependent functions that are algorithmically equivalent, but triggered by triggering commands whose instructions are renamed are different, 'and to modify the protected software: - by choosing in the source of the protected software at least one triggering command with renamed setpoint, - and by modifying at least a selected portion of the protected software source by replacing at least the setpoint renamed of a triggering command with renamed setpoint chosen, by another renamed setpoint, triggering a function dependent on the same family.

 According to an alternative embodiment, the method according to the invention consists: in the protection phase, in defining, for at least one dependent function, a family of algorithmically equivalent dependent functions: by concatenating a noise field with the information defining the functional part of the dependent function to be performed in the unit, or using the instruction identification field and the intended identification fields of the operands.

 According to an alternative embodiment, the method according to the invention consists of: - 7 in the protection phase:

<Desc / Clms Page number 16>

 to define: - as a method of renaming instructions, an encryption method for encrypting the instructions, - and as means of recovery, means implementing a decryption method for decrypting the renamed instructions and thus restore the identity of the dependent functions to be performed in the unit.

 According to another preferred embodiment, the method according to the invention consists: in the protection phase: to modify the protected software: - by choosing in the source of the protected software, at least one conditional branch made in at least one algorithmic processing chosen, - by modifying at least a selected portion of the source of the protected software, this modification being such that during the execution of the protected software, the functionality of at least one selected conditional branch is executed, by means of the second part in the unit, - and producing:> the first object part of the protected software, this first object part being such that during the execution of the protected software, the functionality of at least one selected conditional branch is executed in the unit,> and the second object part of the protected software, this second object part being such that, after loading into the unit and lo In the execution of the protected software, the second execution part by means of which the functionality of at least one selected conditional branch is executed, and in the use phase: in the presence of the unit and at each time that a portion of the first execution part requires it, to perform the functionality of at least one

<Desc / Clms Page number 17>

 conditional branch in the unit, so that this portion is executed correctly and that, therefore, the protected software is fully functional, and in the absence of the unit and despite the request for a portion of the first part of executing the functionality of a conditional branch in the unit, to not being able to respond correctly to this request, so that at least this portion is not executed correctly and that, therefore, the protected software is not completely functional.

 According to an alternative embodiment, the method according to the invention consists, in the protection phase, of modifying the protected software: by choosing, in the source of the protected software, at least one series of selected conditional branches, modifying at least a selected portion of the source of the protected software, this modification being such that during the execution of the protected software, the global functionality of at least one selected series of conditional branches is executed by means of the second execution part, in the - by producing:> the first object part of the protected software, this first object part being such that during the execution of the protected software, the functionality of at least one selected series of conditional branches is executed in the unit,> and the second object part of the protected software, this second object part being such that, after loading in the unit and during the execution of the protected software, appears the second execution part by means of which the global functionality of at least one selected series of conditional branches is executed.

 The method according to the invention thus makes it possible to protect the use of software by the implementation of a processing and storage unit which has the particularity of containing part of the software being executed. It follows that

<Desc / Clms Page number 18>

 any derivative version of the software attempting to operate without the processing and storage unit requires the recreation of the portion of the software contained in the processing and storage unit during execution, otherwise this derivative version of the software may be not completely functional.

 Various other characteristics appear from the description given below with reference to the accompanying drawings which show, by way of non-limiting examples, embodiments and implementation of the subject of the invention.

 Figs. 10 and 11 are functional block diagrams illustrating the various representations of unprotected and protected software respectively by the method according to the invention.

 Figs. 20 to 22 illustrate by way of examples, various embodiments of a device for implementing the method according to the invention.

 Figs. 30 and 31 are functional block diagrams explaining the general principle of the method according to the invention.

 Figs. 40 to 43 are diagrams illustrating the protection method according to the invention implementing the principle of protection by variable.

 Figs. 50 to 54 are diagrams illustrating the protection method according to the invention implementing the principle of protection by time dissociation.

 Figs. 60 to 64 are diagrams illustrating the protection method according to the invention implementing the principle of protection by elementary functions.

 Figs. 70 to 74 are diagrams illustrating the protection method according to the invention implementing the principle of protection by detection and coercion.

 Figs. 80 to 85 are diagrams illustrating the method of protection according to the invention implementing the principle of protection by renaming.

 Figs. 90 to 92 are diagrams illustrating the protection method according to the invention implementing the principle of protection by conditional branching.

 Fig. 100 is a diagram illustrating the various phases of implementation of the subject of the invention.

 Fig. 110 illustrates an exemplary embodiment of a system for implementing the construction stage of the protection phase according to the invention.

 Fig. 120 illustrates an exemplary embodiment of a pre-personalization unit used in the protection method according to the invention.

<Desc / Clms Page number 19>

 Fig. 130 illustrates an exemplary embodiment of a system for implementing the stage of making tools of the protection phase according to the invention.

Fig. 140 illustrates an exemplary embodiment of a system for implementing the protection method according to the invention.

Fig. 150 illustrates an exemplary embodiment of a personalization unit used in the protection method according to the invention.

In the remainder of the description, the following definitions will be used:
A data processing system 3 is a system capable of executing a program.

- de restituer des données au système de traitement de données 3, - de stocker des données au moins en partie de manière secrète et de conserver au moins une partie de celles-ci même lorsque l'unité est hors tension, - et d'effectuer du traitement algorithmique sur des données, une partie ou la totalité de ce traitement étant secret.

* A processing and storage unit is a unit capable of: - accepting data provided by a data processing system 3,

to restore data to the data processing system 3, to store data at least in part secretly and to keep at least a part thereof even when the unit is de-energized, and to perform algorithmic processing on data, some or all of this processing being secret.

Unit 6 is a processing and storage unit implementing the method according to the invention.

 * A blank unit 60 is a unit which does not implement the method according to the invention, but which can receive information transforming it into a unit 6.

A pre-personalized unit 66 is a blank unit 60 which has received a part of the information enabling it, after receiving additional information, to be transformed into a unit 6.

 * Loading information into a blank unit 60 or a pre-customized unit 66 corresponds to an information transfer in the blank unit 60 or the pre-customized unit 66, and a storage of said transferred information. Optionally, the transfer may comprise a

<Desc / Clms Page number 20>

 change of format of information.

 * A variable, a datum or a function contained in the data processing system 3 will be indicated by a capital letter, while a variable, a datum or a function contained in the unit 6 will be indicated by a lower case.

 . "Protected software" is software that has been protected by at least one protection principle implemented by the method according to the invention.

 * A "vulnerable software" is software that has not been protected by any protection principle implemented by the method according to the invention.

In the case where differentiation between vulnerable software and protected software is not important, the term "software" is used.

- ou une représentation dynamique. 'A software is presented under various representations according to the moment considered in its life cycle: - a source representation, - an object representation, - a distribution,

- or a dynamic representation.

* A source representation of a software is understood as a representation which after transformation gives an object representation.
A source representation can occur at different levels, from an abstract conceptual level to a level directly executable by a data processing system or a processing and storage unit.

An object representation of a software corresponds to a level of representation which after transfer into a distribution and then loading into a data processing system or a processing and storage unit, can be executed. It may be, for example, a binary code, an interpreted code, etc.

 * A distribution is a physical or virtual medium containing the object representation, this distribution must be made available to the user to enable him to use the software.

<Desc / Clms Page number 21>

 A dynamic representation corresponds to the execution of the software from its distribution.

 * A portion of software corresponds to any part of software and may, for example correspond to one or more consecutive instructions or not, and / or to one or more functional blocks consecutive or not, and / or to one or more functions, and / or one or more sub-programs, and / or one or more modules. A portion of a piece of software may also correspond to all of this software.

 Figs. 10 and 11 illustrate the various representations respectively of a vulnerable software 2v in the general sense, and a protected software 2p according to the method according to the invention.

 Fig. 10 illustrates various representations of a vulnerable software 2v appearing during its life cycle. The vulnerable software 2v can thus appear under one of the following representations: a source representation 2vs, a representation object 2vo, a distribution 2vd. This distribution may be commonly in the form of a physical distribution means such as a CDROM or in the form of files distributed over a network (GSM, Internet, etc.), or a dynamic representation. corresponding to the execution of the vulnerable software 2v on a data processing system 3 of all known types, which conventionally comprises at least one processor 4.

 Fig. 11 illustrates various representations of a protected software 2p appearing during its life cycle. The protected software 2p can thus appear under one of the following representations: a source representation 2ps having a first source portion for the data processing system 3 and a second source portion for the unit 6, a part of these source parts being commonly contained in common files, a 2po object representation comprising a first part object 2pos

<Desc / Clms Page number 22>

for the data processing system 3 and a second object part
2pou destined to the unit 6, a distribution 2pd comprising: a first distribution part 2pds containing the first object part 2pos, this first distribution part 2pds being intended for the data processing system 3 and which can present itself commonly under the form of a physical distribution means such as a CDROM, or in the form of files distributed over a network (GSM, Internet, etc.), and a second distribution part 2p of the form: at least one pre-personalized unit 66 on which part of the second object part 2pou has been loaded and for which the user must finish the customization by loading additional information, in order to obtain a unit 6, this additional information being obtained, for example, by loading or downloading through a network,> or at least one unit 6 on which the second object part
2pou has been loaded, * or a 2pe dynamic representation corresponding to the execution of the 2p protected software. This dynamic representation 2pe comprises a first execution part 2pes which is executed in the data processing system 3 and a second execution part 2peu which is executed in the unit 6.

 In the case where the differentiation between the different representations of the protected software 2p does not matter, the terms first part of the protected software and second part of the protected software are used.

 The implementation of the method according to the invention in accordance with the dynamic representation of FIG. 11, uses an Ip device comprising a data processing system 3 connected by a link 5 to a unit 6. The data processing system 3 is of all types and comprises, in a conventional manner, at least one processor 4. The system 3 may be a computer or be part of, for example, various machines, devices, fixed or mobile products, or

<Desc / Clms Page number 23>

 vehicles in the general sense. The connection 5 can be made in any possible way, such as for example by a serial line, a USB bus, a radio link, an optical link, a network link or a direct electrical connection to a circuit of the data processing system 3 etc. It should be noted that the unit 6 may possibly be physically inside the same integrated circuit as the processor 4 of the data processing system 3. In this case, the unit 6 may be considered as a coprocessor relative to to the processor 4 of the data processing system 3 and the link 5 is internal to the integrated circuit.

 Figs. 20 to 22 show in an illustrative and nonlimiting manner, various embodiments of the device 1 p for implementing the protection method according to the invention.

 In the embodiment shown in FIG. 20, the protection device Ip comprises, as a data processing system 3, a computer and, as a unit 6, a smart card 7 and its interface 8 commonly called card reader. The computer 3 is connected to the unit 6 by a link 5. When running a protected software 2p, the first execution part 2pes which is executed in the computer 3 and the second execution part 2peu that is executed in the smart card 7 and its interface 8, must both be functional so that the protected software 2p is fully functional.

 In the embodiment shown in FIG. 21, the protection device Ip equips a product 9 in the general sense, comprising various members 10 adapted to the function or functions assumed by such a product 9. The protection device Ip comprises, on the one hand, a data processing system 3 embedded in the product 9 and, secondly, a unit 6 associated with the product 9. For the product 9 to be fully functional, the protected software 2p must be fully functional. Thus, during the execution of the protected software 2p, the first execution part 2pes which is executed in the data processing system 3 and the second execution part 2peu which is executed in the unit 6, must all two to be functional. This 2p protected software therefore indirectly protects the product 9 or one of its functionalities against unauthorized use. For example, the product 9 may be an installation, a system, a machine, a toy, an appliance, a telephone, etc.

<Desc / Clms Page number 24>

 In the embodiment shown in FIG. 22, the Ip protection device includes several computers, as well as part of a communication network. The data processing system 3 is a first computer connected by a link 5 of the network type, to a unit 6 constituted by a second computer. For the implementation of the invention, the second computer 6 is used as a license server for a 2p protected software. When running the protected software 2p, the first execution part 2pes which is executed in the first computer 3 and the second execution part 2peu which is executed in the second computer 6, must both be functional so that 2p protected software is fully functional.

 Fig. 30 makes it possible to explain more precisely the protection method according to the invention. It should be noted that a vulnerable software 2v is considered to be completely executed in a data processing system 3. On the other hand, in the case of the implementation of a protected software 2p, the data processing system 3 comprises transfer means 12 connected by the link 5, to transfer means 13 forming part of the unit 6 making it possible to communicate with each other, the first execution part 2pes and the second execution part 2peu of the protected software 2p.

 It must be considered that the transfer means 12, 13 are of a software and / or hardware nature and are capable of ensuring and possibly optimizing the communication of data between the data processing system 3 and the unit 6.

These transfer means 12, 13 are adapted to allow to have a protected software 2p which is preferably independent of the type of link 5 used. These transfer means 12, 13 are not part of the object of the invention and are not described more precisely because they are well known to those skilled in the art. The first part of the 2p protected software contains commands. During the execution of the protected software 2p, the execution of these commands by the first execution part 2pes allows the communication between the first execution part 2pes and the second execution part 2peu. In the remainder of the description, these commands are represented by IN, OUT or TRIG.

 As shown in fig. 31, to allow the implementation of the second 2peu execution part of the protected software 2p, the unit 6 comprises protection means

<Desc / Clms Page number 25>

 14. The protection means 14 comprise storage means 15 and processing means 16.

 For the sake of simplification in the following description, it is chosen to consider, when running the protected software 2p, the presence of the unit 6 or the absence of the unit 6. In reality, a unit 6 having protection means 14 unsuitable for the execution of the second execution part 2peu of the protected software 2p is also considered as absent, whenever the execution of the protected software 2p is not correct. In other words: a unit 6 physically present and having protection means 14 adapted to the execution of the second execution part 2peu of the protected software 2p, is always considered as present, * a unit 6 physically present but comprising unsuitable protection means 14, that is to say not allowing the correct implementation of the second 2peu execution part of the protected software 2p is considered to be present, when it is functioning correctly, and as absent when 'it does not work properly,' and a physically absent unit 6 is still considered absent.

 In the case where the unit 6 is constituted by a smart card 7 and its interface 8, the transfer means 13 are broken down into two parts, one of which is on the interface 8 and the other of which is on the smart card 7. In this embodiment, the absence of the smart card 7 is considered equivalent to the absence of the unit 6. In other words, in the absence of the smart card 7 and / or its interface 8, the protection means 14 are not accessible and therefore do not allow the execution of the second part of 2peu execution of the protected software, so that the protected software 2p is not completely functional.

 According to the invention, the protection method aims to implement a protection principle, termed "time dissociation", a description of which is made in relation to FIGS. 50 to 54.

 For the implementation of the principle of protection by time dissociation, it is chosen, in the source of the vulnerable software 2vs, at least one algorithmic processing using at least one operand and rendering at least one result. It is

<Desc / Clms Page number 26>

 also selected at least a portion of the vulnerable software source 2vs containing at least one selected algorithmic processing.

At least a selected portion of the source of the vulnerable software 2vs is then modified, so as to obtain the source of the protected software 2ps. This change is such that, in particular: * when running the protected software 2p, at least a portion of the first execution part 2pes, which is executed in the data processing system 3, takes into account that the functionality of at least one algorithmic processing chosen is executed in the unit 6, during the execution of the protected software 2p, the second execution part
2p, which is executed in the unit 6, performs at least the functionality of at least one selected algorithmic processing, when executing the protected software 2p, each algorithmic processing chosen is broken down into several distinct steps, namely: step 1: the provision of the operand (s) for the unit 6, step 2: the realization in the unit 6, of the functionality of the chosen algorithmic processing using this or these operands, and step 3: optionally, the provision by the unit 6 for the data processing system 3, the result of the chosen algorithmic processing, step commands are defined to trigger the execution of the steps, and a scheduling of the step commands is chosen from the set of scheduling allowing the execution of the protected software 2p.

 The first execution part 2pes of the protected software 2p, which is executed in the data processing system 3, executes the commands of steps, triggering in the unit 6, the execution by means of the second execution part 2s, of each of the previously defined steps.

 Fig. 50 illustrates an example of running a vulnerable software 2v. In this example, during the execution of the vulnerable software 2v, in the data processing system 3, at a given instant, the calculation of Z <-F (X, Y) appears

<Desc / Clms Page number 27>

corresponding to the assignment to a variable Z of the result of an algorithmic processing represented by a function F and using operands X and Y.

FIG. 51 illustrates an exemplary implementation of the invention for which the algorithmic processing chosen in FIG. 50 is deported in the unit 6. In this example, when executing in the data processing system 3 of the first execution part 2pes of the protected software 2p and in the presence of the unit 6, it appears: at time t1, step 1, namely the execution of a step command CE, triggering the transfer of the data X and Y from the data processing system 3 to storage areas respectively x and y located in the storage means 15 of the unit 6, this step control
CE, being represented by OUT (x, X), OUT (y, Y), * at time t2, step 2, namely the execution of a step control CE2, triggering in the unit 6, the execution by means of the second 2-bit execution part of the function f, this function f being algorithmically equivalent to the function F and this step control CEz being represented by TRIG (f). More precisely, the execution of the step control CE2 leads to the execution of the function f which makes use of the contents of the storage zones x and y and renders its result in a storage area z of the unit 6, and at time t3, step 3, namely the execution of a step control CE3 triggering the transfer of the result of the function f, contained in the storage zone z of the unit 6 towards the data processing system 3 to assign it to the variable Z, this step control CE3 being represented by IN (z).

In the illustrated example, steps 1 to 3 are executed successively. It should be noted that two improvements can be made:
The first improvement concerns the case where several algorithmic processes are deported in unit 6 and at least the result of an algorithmic processing is used by another algorithmic processing.
In this case, some transfer steps may be

<Desc / Clms Page number 28>

 deleted.

 The second improvement is to opt for a relevant ordering of the orders of steps among the set of orders allowing the execution of the protected software 2p. In this respect, it is preferable to choose a scheduling of the step commands which temporally dissociates the execution of the steps, by interposing, between them, portions of code executed by the data processing system 3 and comprising or not step commands for determining other data. Figs. 52 and 53 illustrate the principle of such an embodiment.

 Fig. 52 shows an example of running a vulnerable software 2v. In this example, it appears, during the execution of the vulnerable software 2v, in the data processing system 3, the execution of two algorithmic processing leading to the determination of Z and Z ', such that Z <-F (X, Y) and Z '<- F' (X ', Y').

 Fig. 53 illustrates an example of implementation of the method according to the invention for which the two algorithmic treatments chosen in FIG. 52 are deported in the unit 6. According to one such example, when executing in the data processing system 3, the first execution part 2pes of the protected software, and in the presence of the unit 6, it appears, as explained above, the execution of the steps commands CE ,, CE2, CE3 corresponding to the determination of Z and the commands of steps CE ',, CE92, CE'3 corresponding to the determination of Z' .

As illustrated, the CE3 step commands at CE3 are not executed consecutively as step commands CE ', at CE'3, as well as other portions of code are interspersed. In the example, it is thus realized the following ordering: EC ,, portion of code intercalé, CE2, portion of code intercalé, CE '!, Portion of code intercalé, CE'2, portion of code interposed, CE'3 , portion of code interspersed, CE3.

 It should be noted that, when running the protected software 2p, in the presence of the unit 6, each time a step command contained in a portion of the first execution part 2pes of the protected software 2p requires it, the corresponding step is executed in the unit 6. Thus, it appears that, in the presence of the unit 6, this portion is executed correctly and that, consequently, the software

<Desc / Clms Page number 29>

 protected 2p is fully functional.

Fig. 54 illustrates an example of an attempt to execute the protected software 2p, while the unit 6 is absent. In this example, when executing in the data processing system 3 of the first execution part 2pes of the protected software 2p: * at time t1, the execution of the step command OUT (x, X), OUT (y, Y) can not trigger the transfer of the data X and Y to the respective storage areas x and y given the absence of the unit 6, * at time t2, the execution of the step command TRIG (f) can not trigger the execution of the function f, given the absence of the unit
6, and at time t3, the execution of the step command IN (z) can not trigger the transfer of the result of the function f, given the absence of the unit 6.

 It therefore appears that in the absence of the unit 6, at least one request for a portion of the first execution part 2pes to trigger the execution of a step in the unit 6, can not be satisfied, so that at least this portion is not executed correctly and, therefore, the protected software 2p is not fully functional.

 According to another advantageous characteristic of the invention, the protection method aims to implement a so-called "variable" protection principle, a description of which is given in relation to FIGS. 40 to 43.

 For the implementation of the principle of protection by variable, it is selected in the source of the vulnerable software 2vs at least one variable that during the execution of the vulnerable software 2v, partially defines the state thereof. By state of a software, it must be understood all the information, at a given moment, necessary to the complete execution of this software, so that the absence of such a chosen variable impedes the complete execution of this software. It is also chosen at least a portion of the source of the vulnerable software 2vs containing at least one chosen variable.

 At least a selected portion of the source of the vulnerable software 2vs is then modified, so as to obtain the source of the protected software 2ps. This modification is such that during the execution of the protected software 2p, at least a portion of the

<Desc / Clms Page number 30>

 first execution part 2pes which is executed in the data processing system 3, takes into account that at least one selected variable or at least one copy of the chosen variable resides in the unit 6.

Vi < -X, * à l'instant t2, l'affectation de la valeur de la variable Vi à la variable Y, représentée par Y < -Vj, * et à l'instant t3, l'affectation de la valeur de la variable VI à la variable Z, représentée par Z < -Vi
La fig. 41 illustre un exemple d'une première forme de mise en oeuvre de l'invention pour laquelle la variable réside dans l'unité 6. Dans cet exemple, lors de l'exécution dans le système de traitement de données 3 de la première partie d'exécution 2pes du logiciel protégé 2p, et en présence de l'unité 6, il apparaît : 'à l'instant ti, l'exécution d'une commande de transfert déclenchant le transfert de la donnée X depuis le système de traitement de données 3 vers la variable vs située dans les moyens de mémorisation 15 de l'unité 6, cette commande de transfert étant représentée par OUT (vi, X) et correspondant au final à l'affectation de la donnée X à la variable vl, 'à l'instant tz, l'exécution d'une commande de transfert déclenchant le transfert de la valeur de la variable v, résidant dans l'unité 6 vers le système de traitement de données 3 afin de l'affecter à la variable Y, cette commande de transfert étant représentée par IN (vi) et correspondant au final à l'affectation de la valeur de la variable v, à la variable Y,

'et à l'instant t3, l'exécution d'une commande de transfert déclenchant le transfert de la valeur de la variable Vi résidant dans l'unité 6 vers le système de traitement de données 3 afin de l'affecter à la variable Z, cette commande de transfert étant représentée par IN (vi) et correspondant au final à l'affectation de la valeur de la variable v, à la variable Z. Fig. 40 illustrates an example of execution of a vulnerable software 2v. In this example, it appears during the execution of the vulnerable software 2v in the data processing system 3: 'at time t1, the assignment of the data X to the variable Vi, represented by

Vi <-X, * at time t2, the assignment of the value of the variable Vi to the variable Y, represented by Y <-Vj, * and at time t3, the assignment of the value of the variable VI to the variable Z, represented by Z <-Vi
Fig. 41 illustrates an example of a first embodiment of the invention for which the variable resides in the unit 6. In this example, when executing in the data processing system 3 of the first part of 2pes execution of the protected software 2p, and in the presence of the unit 6, it appears: 'at time ti, the execution of a transfer command triggering the transfer of the data X from the data processing system 3 to the variable vs located in the storage means 15 of the unit 6, this transfer command being represented by OUT (vi, X) and corresponding ultimately to the assignment of the data X to the variable v1, 'to the moment tz, the execution of a transfer command triggering the transfer of the value of the variable v, resident in the unit 6 to the data processing system 3 in order to assign it to the variable Y, this transfer command being represented by IN (vi) and corresponding to the final assignment of the value of the variable v, to the variable Y,

and at time t3, the execution of a transfer command triggering the transfer of the value of the variable Vi resident in the unit 6 to the data processing system 3 in order to assign it to the variable Z , this transfer command being represented by IN (vi) and corresponding ultimately to the assignment of the value of the variable v, to the variable Z.

<Desc / Clms Page number 31>

 It should be noted that during the execution of the protected software 2p, at least one variable resides in the unit 6. Thus, when a portion of the first execution part 2pes of the protected software imposes it, and in the presence of the unit 6, the value of this variable residing in the unit 6 is transferred to the data processing system 3 to be used by the first execution part 2pes of the protected software 2p, so that this portion is executed correctly and that, therefore, the 2p protected software is fully functional.

 Fig. 42 illustrates an example of a second embodiment of the invention for which a copy of the variable resides in the unit 6. In this example, when executing in the data processing system 3 of the first part of execution 2pes of the protected software 2p, and in the presence of the unit 6, it appears: at time tl, the assignment of the data X to the variable V, located in the data processing system 3 , as well as the execution of a transfer command triggering the transfer of the data X from the data processing system 3 to the variable vs situated in the storage means 15 of the unit 6, this transfer command being represented by OUT (vi, X), 'at the instant tz, the assignment of the value of the variable V, to the variable Y, * and at time t3, the execution of a transfer command which triggers the transfer of the value of the variable vs resident in unit 6 to the data system 3 in order to assign it to the variable Z, this transfer command being represented by IN (vi).

 It should be noted that when running the protected software 2p, at least one copy of a variable resides in the unit 6. Thus, when a portion of the first execution part 2pes of the protected software 2p the imposes, and in the presence of the unit 6, the value of this variable copy residing in the unit 6 is transferred to the data processing system 3 to be used by the first execution part 2pes of the protected software 2p, so that this portion is executed correctly and that, therefore, the protected software 2p is fully functional.

 Fig. 43 illustrates an example of an attempt to execute the protected software 2p,

<Desc / Clms Page number 32>

 while unit 6 is absent. In this example, when executing in the data processing system 3 of the first execution part 2pes of the protected software 2p: * at time t1, the execution of the transfer command OUT (vi, X ) can not trigger the transfer of the data X to the variable v1, given the absence of the unit 6, 'at time t2, the execution of the transfer command IN (va) can not trigger the transfer of the value of the variable vs to the data processing system 3, given the absence of the unit 6, 'and at time t3, the execution of the transfer command IN (vi ) can not trigger the transfer of the value of the variable v to the data processing system 3, given the absence of the unit 6.

 It therefore appears that in the absence of the unit 6, at least one request for a portion of the first execution part 2pes to use a variable or a copy of variable residing in the unit 6, can not not be satisfied properly, so that at least this portion is not executed correctly and, therefore, the protected software 2p is not fully functional.

opérations pour aboutir à des opérations complexes telles que par exemple OUT (vl, 2 * X + 3) ou bien Z (5 * vI + v2). It should be noted that the data transfers between the data processing system 3 and the unit 6 illustrated in the preceding examples use only simple assignments but that those skilled in the art will know how to combine them with other

operations to result in complex operations such as for example OUT (v1, 2 * X + 3) or else Z (5 * vI + v2).

 According to another advantageous characteristic of the invention, the protection method aims to implement a protection principle, called "elementary functions", a description of which is made in relation to FIGS. 60 to 64.

For the implementation of the principle of protection by elementary functions, it is defined: a set of elementary functions whose elementary functions are likely to be executed, by means of the second part of execution
2 seconds, in the unit 6, and possibly transfer data between the data processing system 3 and the unit 6,

<Desc / Clms Page number 33>

and a set of elementary commands for this set of elementary functions, these elementary commands being able to be executed in the data processing system 3 and to trigger the execution in the unit
6, corresponding elementary functions.

 For the implementation of the principle of protection by elementary functions, it is also constructed operating means for transforming a blank unit 60 into a unit 6 capable of performing the elementary functions, the execution of these elementary functions being triggered by the execution in the data processing system 3, of elementary commands.

 For the implementation of the protection principle by elementary functions, it is also chosen, in the source of the vulnerable software 2vs, at least one algorithmic processing using at least one operand and rendering at least one result. It is also chosen at least a portion of the vulnerable software source 2vs containing at least one chosen algorithmic processing.

At least a selected portion of the source of the vulnerable software 2vs is then modified, so as to obtain the source of the protected software 2ps. This modification is such that in particular: when running the protected software 2p, at least a portion of the first execution part 2pes, which is executed in the data processing system 3, takes into account that the functionality of at least one algorithmic processing chosen is executed in the unit 6, during the execution of the protected software 2p, the second execution part
2p, which is executed in unit 6, executes at least the functionality of at least one algorithmic processing chosen, * each algorithmic processing chosen is decomposed so that when running the protected software 2p, each algorithmic processing chosen is executed, by means of the second execution part 2peu, using elementary functions. Preferably, each algorithmic processing chosen is decomposed into elementary functions fen (with n varying from 1 to N), namely: possibly one or more elementary functions allowing the

<Desc / Clms Page number 34>

provision of one or more operands for the unit 6, - elementary functions some of which use the operand (s) and which in combination perform the functionality of the algorithmic processing chosen, using this operand or these operands, and possibly a or several elementary functions making it possible for the data processing system 3 to make available to the unit 6 the result of the algorithmic processing chosen, and a scheduling of the elementary commands is chosen from among all the scheduling sequences enabling the execution of the software protected
2p.

 The first execution part 2pes of the protected software 2p, which is executed in the data processing system 3, executes elementary commands CFEn (with n varying from 1 to N), triggering in the unit 6, the execution at means of the second part of execution 2peu, each of the elementary functions fen previously defined.

 Fig. 60 illustrates an example of running a vulnerable software 2v. In this example, it appears, during the execution of the vulnerable software 2v in the data processing system 3, at a given instant, the calculation of Z v F (X, Y) corresponding to the assignment to a variable Z of the result of an algorithmic processing represented by a function F and using operands X and Y.

 Fig. 61 illustrates an embodiment of the invention for which the algorithmic processing chosen in FIG. 60 is deported in the unit 6. In this example, when executing in the data processing system 3 of the first execution part 2pes of the protected software 2p and in the presence of the unit 6, it appears: at times t1, t2, the execution of the elementary commands CFE, CFEz triggering in unit 6, the execution by means of the second execution part 2peu, corresponding elementary functions fel, fez which ensure the transfer of data X , Y from the data processing system 3 to storage areas respectively x, y located in the storage means 15 of the unit 6, these elementary commands

<Desc / Clms Page number 35>

FEN-1, déclenchant dans l'unité 6, l'exécution au moyen de la seconde partie d'exécution 2peu, des fonctions élémentaires fe3 à feN-1 correspondantes, ces commandes élémentaires CFE3 à CFEN-i étant représentées, respectivement, par TRIG (fe3) à TRIG (feN-1). La suite des fonctions élémentaires fe3 à feN-1 exécutées en combinaison est algorithmiquement équivalente à la fonction F. Plus précisément, l'exécution de ces commandes élémentaires conduit à l'exécution dans l'unité 6, des fonctions élémentaires fe3 à feN l qui se servent du contenu des zones de mémorisation x, y et rendent le résultat dans une zone de mémorisation z de l'unité 6, * et à l'instant tN, l'exécution d'une commande élémentaire CFEN déclenchant dans l'unité 6, l'exécution au moyen de la seconde partie d'exécution 2peu, de la fonction élémentaire feN assurant le transfert du résultat du traitement algorithmique, contenu dans la zone de mémorisation z de l'unité 6 vers le système de traitement de données 3, afin de l'affecter à la variable Z, cette commande élémentaire CFEN étant représentée par IN (z). CFE, CFE2 being respectively represented by OUT (x, X), OUT (y, Y), * at times t3 to such, the execution of the basic commands CFE3 to

FEN-1, triggering in the unit 6, the execution by means of the second execution part 2peu, corresponding elementary functions fe3 to feN-1, these elementary commands CFE3 to CFEN-i being represented, respectively, by TRIG (fe3) to TRIG (feN-1). The sequence of the elementary functions fe3 to feN-1 executed in combination is algorithmically equivalent to the function F. More precisely, the execution of these elementary commands leads to the execution in unit 6, of the elementary functions fe3 to feN l which use the contents of the storage areas x, y and return the result in a storage area z of the unit 6, * and at the instant tN, the execution of a basic command CFEN triggering in the unit 6 , the execution by means of the second execution part 2peu, of the elementary function feN ensuring the transfer of the result of the algorithmic processing, contained in the storage area z of the unit 6 to the data processing system 3, in order to assign it to the variable Z, this elementary command CFEN being represented by IN (z).

 In the illustrated example, the elementary commands 1 to N are executed successively. It should be noted that two improvements can be made: * The first improvement concerns the case where several algorithmic processes are deported in the unit 6 and at least the result of an algorithmic processing is used by another algorithmic processing.

 In this case, some basic commands for the transfer may be deleted.

 * The second improvement is to opt for a relevant scheduling of the basic commands among the set of orders allowing the execution of the protected software 2p. In this respect, it is preferable to choose an ordering of the elementary commands which temporally dissociates the execution of the elementary functions, by interposing, between them, portions of code executed by the data processing system 3 and comprising or not commands elementary schools

<Desc / Clms Page number 36>

 determination of other data. Figs. 62 and 63 illustrate the principle of such an embodiment.

 Fig. 62 shows an example of running a vulnerable software 2v. In this example, it appears during the execution of the vulnerable software 2v, in the data processing system 3, the execution of two algorithmic processes leading to the determination of Z and Z ', such that Z <-F ( X, Y) and Z '<- F' (X ', Y').

CFE'l à CFE'M, ainsi que d'autres portions de code sont intercalées. Dans l'exemple il est ainsi réalisé l'ordonnancement suivant : CFE, portion de code intercalé, CFE'I, CFE2, portion de code intercalé, CFE'2, CFE'3, portion de code intercalé, FE F' CFE'4, CFE3, CFE4,..., CFEN, CFE'M. Fig. 63 illustrates an example of implementation of the method according to the invention for which the two algorithmic treatments chosen in FIG. 62 are deported in the unit 6. According to one such example, when executing in the data processing system 3 of the first execution part 2pes of the protected software and in the presence of the unit 6, it appears, as explained above, the execution of elementary commands CFE1 to CFEN corresponding to the determination of Z and the execution of the elementary commands CFE'1 to CFE'M corresponding to the determination of Z '. As illustrated, the CFE1 to CFEN elementary commands are not executed consecutively, since the elementary commands

CFE'l to CFE'M, as well as other portions of code are interspersed. In the example, the following scheduling is thus carried out: CFE, portion of code inserted, CFE'I, CFE2, portion of code inserted, CFE'2, CFE'3, portion of code inserted, FE F 'CFE'4 , CFE3, CFE4, ..., CFEN, CFE'M.

 It should be noted that, during the execution of the protected software 2p, in the presence of the unit 6, each time an elementary command contained in a portion of the first execution part 2pes of the protected software 2p the imposes, the corresponding elementary function is executed in the unit 6. Thus, it appears that in the presence of the unit 6, this portion is executed correctly and that, therefore, the protected software 2p is fully functional.

 Fig. 64 illustrates an example of an attempt to execute the protected software 2p, while the unit 6 is absent. In this example, when executing in the data processing system 3, the first execution part 2pes of the protected software 2p, at all times, the execution of an elementary command can not trigger the execution of the corresponding elementary function, due to the absence of the unit 6. The value to be assigned to the variable Z can not be determined correctly.

<Desc / Clms Page number 37>

 It therefore appears that, in the absence of the unit 6, at least one request for a portion of the first execution part 2pes of the protected software 2p, to trigger the execution of an elementary function in the Unit 6 can not be satisfied properly, so at least this portion is not executed correctly and therefore the 2p protected software is not fully functional.

 According to another advantageous characteristic of the invention, the protection method aims at implementing a protection principle, said by "detection and coercion", a description of which is made in relation to FIGS. 70 to 74.

'au moins un critère à respecter pour au moins une caractéristique d'exécution de logiciel, * des moyens de détection 17 à mettre en oeuvre dans l'unité 6 et permettant de détecter qu'au moins une caractéristique d'exécution de logiciel ne respecte pas au moins un critère associé, 'et des moyens de coercition 18 à mettre en oeuvre dans l'unité 6 et permettant d'informer le système de traitement de données 3 et/ou de modifier l'exécution d'un logiciel, lorsqu'au moins un critère n'est pas respecté. For the implementation of the principle of protection by detection and coercion, it is defined: at least one software execution characteristic that can be monitored at least partly in the unit 6,

at least one criterion to respect for at least one software execution characteristic, detection means 17 to be implemented in the unit 6 and making it possible to detect that at least one software execution characteristic does not respect not at least one associated criterion, and means of coercion 18 to be implemented in the unit 6 and making it possible to inform the data processing system 3 and / or to modify the execution of a software, when at least one criterion is not respected.

 For the implementation of the principle of protection by detection and coercion, it is also built operating means for transforming a blank unit 60 into a unit 6 using at least the detection means 17 and the coercion means 18 .

 Fig. 70 illustrates the means necessary for the implementation of this principle of protection by detection and coercion. The unit 6 comprises the detection means 17 and the coercion means 18 belonging to the processing means 16. The coercion means 18 are informed of the non-respect of a criterion by the detection means 17.

 More precisely, the detection means 17 use information coming from the transfer means 13 and / or means of detection.

<Desc / Clms Page number 38>

 storage and / or processing means 16, for monitoring one or more software execution characteristics. Each software execution characteristic is fixed at least one criterion to be respected.

 In the case where it is detected that at least one software execution characteristic does not comply with at least one criterion, the detection means 17 inform the means of coercion 18. These coercion means 18 are adapted to modify, from the appropriate way, the state of the unit 6.

'au moins un critère à respecter pour au moins une caractéristique d'exécution de logiciel choisie, * dans le source du logiciel vulnérable 2vs, au moins un traitement algorithmique pour lequel au moins une caractéristique d'exécution de logiciel est à surveiller, w et dans le source du logiciel vulnérable 2vs, au moins une portion contenant au moins un traitement algorithmique choisi. For the implementation of the principle of protection by detection and coercion, it is also chosen: * at least one software execution characteristic to be monitored, among the execution characteristics that can be monitored,

at least one criterion to respect for at least one selected software execution characteristic, in the source of the vulnerable software 2vs, at least one algorithmic processing for which at least one software execution characteristic is to be monitored, w and in the source of the vulnerable software 2vs, at least one portion containing at least one chosen algorithmic processing.

 At least a selected portion of the source of the vulnerable software 2vs is then modified to obtain the source of the 2ps protected software. This modification is such that in particular when running the protected software 2p: at least a portion of the first execution part 2pes, which is executed in the data processing system 3, takes into account that at least one selected software execution characteristic is to be monitored, at least partly in the unit 6, * and the second execution part 2peu, which is executed in the unit 6, at least partly monitors, a characteristic of selected software execution.

 During the execution of the protected software 2p, protected by this principle of protection by detection and coercion, in the presence of the unit 6: * as long as all the criteria corresponding to all the characteristics

<Desc / Clms Page number 39>

monitored execution of all modified portions of the protected software
2p are satisfied, these modified portions of the protected software 2p operate nominally and, therefore, the protected software 2p operates nominally, and if at least one of the criteria corresponding to a monitored execution characteristic of a portion of the software protected 2p is not respected, the data processing system 3 is informed and / or the operation of the portion of the protected software 2p is modified, so that the operation of the protected software 2p is changed.

 Of course, in the absence of the unit 6, at least one request for a portion of the first execution part 2pes of the protected software 2p to use the unit 6 can not be satisfied correctly so that at least this portion does not execute properly and therefore the 2p protected software is not fully functional.

 For the implementation of the protection principle by detection and coercion, two types of software execution characteristics are used preferentially.

 The first type of software execution characteristic corresponds to a software execution measurement variable and the second type corresponds to a software usage profile. These two types of characteristics can be used independently or in combination.

 For the implementation of the principle of protection by detection and coercion using, as an execution characteristic, a measurement variable of the software execution, it is defined: in the storage means 15, the possibility of memorizing at least a measurement variable for quantifying the use of at least one software functionality, * in the detection means 17, the possibility of monitoring at least one threshold associated with each measurement variable, and updating means allowing to update each measurement variable according to the use of the functionality with which it is associated.

<Desc / Clms Page number 40>

 It is also built operating means implementing, in addition to the detection means 17 and coercion means 18, the updating means.

 It is also chosen, in the source of the vulnerable software 2vs: at least one feature of the vulnerable software 2v whose use is likely to be monitored by means of a measurement variable, at least one measurement variable used to quantify the use said functionality, at least one threshold associated with the measurement variable corresponding to a limit of use of said functionality, and at least one method of updating the measurement variable according to the use of said functionality.

 The source of the vulnerable software 2vs is then modified, so as to obtain the source of the protected software 2ps, this modification being such that, during the execution of the protected software 2p, the second execution part 2peu:. updates the measurement variable according to the use of said functionality, * and takes into account at least one threshold overrun.

 In other words, during the execution of the protected software 2p, the measurement variable is updated according to the use of said functionality, and when the threshold is exceeded, the detection means 17 inform the means Coercion 18 which makes a decision adapted to inform the data processing system 3 and / or modify the processing performed by the processing means 16 to modify the operation of the portion of the protected software 2p, so that the operation of the software protected 2p is changed.

'pour au moins une variable de mesure, plusieurs seuils associés, * et des moyens de coercition différents correspondant à chacun de ces seuils. For the implementation of a first preferred embodiment of the protection principle by detection and coercion using, as a characteristic, a measurement variable, it is defined:

for at least one measurement variable, several associated thresholds, and different coercion means corresponding to each of these thresholds.

It is also chosen, in the source of the vulnerable software 2vs: * at least one variable of measurement used to quantify the use of at least

<Desc / Clms Page number 41>

 a feature of the software and to which should be associated several thresholds corresponding to different limits of use of said functionality, and at least two thresholds associated with the measurement variable.

 The source of the vulnerable software 2vs is then modified, so as to obtain the source of the protected software 2ps, this modification being such that, during the execution of the protected software 2p, the second execution part 2peu: * updates the variable of measurement according to the use of said functionality, and takes into account, in a different way, the exceedances of the various thresholds.

 In other words, conventionally, during the execution of the protected software 2p, when the first threshold is exceeded, the unit 6 informs the data processing system 3 enjoining the protected software 2p to stop using this feature. . If the 2p protected software continues to use this feature, the second threshold may be exceeded. In the case where the second threshold is exceeded, the coercion means 18 may render the selected functionality inoperative and / or render the protected software 2p inoperative.

 For the implementation of a second preferred embodiment of the principle of protection by detection and coercion using, as a characteristic, a measurement variable, it is defined reloading means for crediting at least one additional use for at least one software functionality monitored by a measurement variable.

 It is also built operating means implementing, in addition to the detection means 17, the coercion means 18 and the updating means, the reloading means.

 It is also chosen, in the source of the vulnerable software 2vs, at least one measurement variable used to limit the use of at least one feature of the software and to which at least one additional use must be able to be credited.

 The source of the vulnerable software 2vs is then modified, so as to obtain the source of the protected software 2ps, this modification being such that, in a so-called phase

<Desc / Clms Page number 42>

 reloading, at least one additional use of at least one feature corresponding to a selected measurement variable can be credited.

 In the recharging phase, at least one selected measurement variable and / or at least one associated threshold is updated, so as to allow at least one additional use of the corresponding functionality. In other words, it is possible, in the reloading phase, to credit additional uses of at least one feature of the protected software 2p.

 For the implementation of the principle of protection by detection and coercion using, as a characteristic, a software usage profile, it is defined as a criterion to be respected for this use profile, at least one execution feature of software.

 It is also chosen, in the source of the vulnerable software 2vs:. at least one usage profile to be monitored, and at least one performance trait that at least one chosen usage profile must respect.

 The source of the vulnerable software 2vs is then modified, so as to obtain the source of the protected software 2ps, this modification being such that, during the execution of the protected software 2p, the second execution part 2peu respects all the features of selected execution. In other words, the unit 6 itself monitors the way in which the second execution part 2peu is executed and can inform the data processing system 3 and / or modify the operation of the protected software 2p, in the case where at least one performance trait is not respected.

 During the execution of the protected software 2p, protected by this principle, in the presence of the unit 6: * as long as all the execution lines of a protected software portion 2p are respected, this portion of the protected software 2p works in a nominal way and, therefore, the protected software 2p operates in a nominal way, and if at least one execution feature of a portion of the protected software 2p is not respected, the data processing system 3 is informed and / or the operation of the portion of the protected software 2p is changed, so

<Desc / Clms Page number 43>

 that the operation of protected software 2p is possibly modified.

 It can be envisaged the monitoring of different execution features, such as for example the monitoring of the presence of instructions comprising a marker or the monitoring of the execution sequence for at least part of the instructions.

 For the implementation of the principle of protection by detection and coercion using as executing force to respect, the supervision of the sequence of execution for at least part of the instructions, it is defined: * a set of instructions whose the instructions are likely to be executed in the unit 6, a set of instruction commands for this set of instructions, these commands of instructions are likely to be executed in the data processing system 3. execution of each of these instruction commands in the data processing system 3 triggers in the unit 6, the execution of the corresponding instruction, * detection means 17 for detecting that the sequence of instructions does not does not correspond to that desired, * and means of coercion 18 for informing the data processing system 3 and / or modify the execution of software when the sequence of instructions does not does not match the desired one.

 Operating means are also constructed enabling the unit 6 to execute also the instructions of the instruction set, the execution of these instructions being triggered by the execution in the data processing system 3 of the instructions. instruction commands.

 It is also chosen, in the source of the vulnerable software 2vs, at least one algorithmic processing to be deported in the unit 6 and for which the sequence of at least part of the instructions is to be monitored.

 The source of the vulnerable software 2vs is then modified to obtain the source of the protected software 2ps, this modification is such that, during the execution of the protected software 2p: the second execution part 2peu performs at least the functionality of the processing algorithmic chosen,

<Desc / Clms Page number 44>

 the algorithmic processing chosen is broken down into instructions, the sequence which at least some of the instructions must be respected when they are executed in unit 6 is specified, and the first execution part 2pes of the protected software 2p executes commands instructions that trigger the execution of instructions in unit 6.

When running the protected software 2p, protected by this principle, in the presence of the unit 6: * as the sequence of instructions of a portion of protected software
2p, executed in the unit 6 corresponds to that desired, this protected software portion 2p operates nominally and, therefore, the protected software 2p works in a nominal way, * and if the sequence of instructions of a portion of 2p protected software executed in the unit 6 does not correspond to that desired, the data processing system 3 is informed thereof and / or the operation of the portion of the protected software 2p is modified, so that the operation of the protected software 2p is changed.

 Fig. 71 illustrates an example of implementation of the principle of protection by detection and coercion using, as execution line to respect the supervision of the sequence of execution of at least a part of the instructions, in the case where the sequence wished is respected.

 The first execution part 2pes of the protected software 2p, executed in the data processing system 3, executes command commands CIs triggering, in the unit 6, the execution of the instructions ii belonging to the instruction set. In the instruction set, at least some of the instructions each include a portion defining the functionality of the instruction and a portion for verifying the desired sequence for executing the instructions. In this example, the instruction commands CIi are represented by TRIG (ii) and the desired sequence for the execution of the instructions is in, in + l and in + 2. The execution in the unit 6, of the instruction in gives the result a and execution of the instruction in + 1 gives the result b. The in + 2 instruction uses as operand the

<Desc / Clms Page number 45>

 results a and b of the instructions in and in + l and its execution gives the result c.

 Given that this sequence of instructions executed in the unit 6 corresponds to that desired, this results in normal or nominal operation of the protected software 2p.

 Fig. 72 illustrates an example of implementation of the principle of protection by detection and coercion using, as execution feature to be respected, the monitoring of the sequence of execution of at least a part of the instructions, in the case where the desired sequence is not respected.

toujours in, in+1 et in+2. Toutefois, l'enchaînement d'exécution des instructions est modifié par le remplacement de l'instruction in par l'instruction i'n, de sorte que l'enchaînement effectivement exécuté est i'n, in+1 et in+2. L'exécution de l'instruction i'n donne le résultat a, c'est-à-dire le même résultat que l'exécution de l'instruction in. Toutefois, au plus tard lors de l'exécution de l'instruction in+2, les moyens de détection 17 détectent que l'instruction i'n ne correspond pas à l'instruction souhaitée pour générer le résultat a utilisé comme opérande de l'instruction in+2. Les moyens de détection 17 en informent les moyens de coercition 18 qui modifient en conséquence, le fonctionnement de l'instruction in+2, de sorte que l'exécution de l'instruction in+2 donne le résultat c'pouvant être différent de c. Bien entendu, si l'exécution de l'instruction i'n donne un résultat a'différent du résultat a de l'instruction in, il est clair que le résultat de l'instruction in+2 peut aussi être différent de c. According to this example, the desired sequence for executing the instructions is

always in, in + 1 and in + 2. However, the flow of execution of the instructions is modified by the replacement of the instruction in by the instruction i'n, so that the sequence effectively executed is i'n, in + 1 and in + 2. The execution of the instruction i'n gives the result a, that is to say the same result as the execution of the instruction in. However, at the latest when executing the instruction in + 2, the detection means 17 detect that the instruction i'n does not correspond to the instruction desired to generate the result used as operand of the in + 2 instruction. The detection means 17 inform the coercion means 18 which modifies accordingly, the operation of the instruction in + 2, so that the execution of the instruction in + 2 gives the result c'pouvant to be different from c . Of course, if the execution of the instruction i'n gives a result different from the result a of the instruction in, it is clear that the result of the instruction in + 2 may also be different from c.

 Since the sequence of execution of the instructions executed in the unit 6 does not correspond to that desired, it can be obtained a modification of the operation of the protected software 2p.

 Figs. 73 and 74 illustrate a preferred embodiment of the principle of protection by detection and coercion using, as execution feature to be respected, the monitoring of the sequence of execution of at least a part of the instructions.

According to this preferred variant, a set of instructions is defined in which at least some instructions work on registers and use at least one operand in order to render a result.

 As shown in fig. 73, it is defined for at least some of the instructions working on registers, a PF part defining the functionality of

<Desc / Clms Page number 46>

'un champ d'identification de l'instruction CII, 'et pour chaque opérande k de l'instruction, avec k variant de 1 à K, et K nombre d'opérandes de l'instruction : - un champ drapeau CDK, indiquant s'il convient de vérifier la provenance de l'opérande k, - et un champ d'identification prévue CIPK de l'opérande, indiquant l'identité attendue de l'instruction ayant généré le contenu de l'opérande k. the instruction and a PE part defining the desired sequence for executing the instructions. The PF part corresponds to the operation code known to those skilled in the art. The part PE defining the desired sequence, comprises bit fields corresponding to:

an identification field of the instruction CII, and for each operand k of the instruction, with k varying from 1 to K, and K number of operands of the instruction: a flag field CDK, indicating The source of operand k, and a predicted CIPK identification field of the operand should be verified, indicating the expected identity of the instruction that generated the contents of operand k.

As shown in fig. 74, the instruction set comprises V registers belonging to the processing means 16, each register being named Ry, with v varying from 1 to V. For each register Ry, two fields are defined, namely: a functional field CFy known to those skilled in the art and making it possible to store the result of the execution of instructions, and a generated identification field CIGv making it possible to store the identity of the instruction that generated the content of the functional field
CFv. This generated identification field CIGv is automatically updated with the contents of the instruction identification field
It has generated the CFv functional field. This generated identification field CIGv is not accessible or modifiable by any instruction and is only used for detection means 17.

 During the execution of an instruction, the detection means 17 perform for each operand k the following operations: the flag field CDk is read, if the flag field CDk imposes it, the intended identification field CIPk and the generated identification field CIGv corresponding to the register used by the operand k are read both, the equality of the two fields CIPk and CIGy is controlled,

<Desc / Clms Page number 47>

 and if the equality is false, the detection means 17 consider that the sequence of execution of the instructions is not respected.

 The coercion means 18 make it possible to modify the result of the instructions when the detection means 17 have informed them of a sequence of instructions not respected. A preferred embodiment consists in modifying the functional part PF of the instruction being executed or the functional part PF of subsequent instructions.

 According to another advantageous characteristic of the invention, the protection method aims at implementing a protection principle, referred to as "renaming", a description of which is given in relation to FIGS. 80 to 85.

For the implementation of the principle of protection by renaming, it is defined: a set of dependent functions, whose dependent functions are likely to be executed, by means of the second execution part
2p, in the unit 6, and possibly to transfer data between the data processing system 3 and the unit 6, this set of dependent functions being finite or infinite, a set of triggering commands for these dependent functions, these triggering commands being capable of being executed in the data processing system 3 and triggering in the unit 6, corresponding dependent functions, * for each triggering command, a setpoint corresponding at least in part to the information transmitted by the first part of execution
2pes, at the second execution part 2peu, to trigger the execution of the corresponding dependent function, this instruction being in the form of at least one argument of the triggering command, * a method of renaming the instructions intended to be implemented during the modification of the vulnerable software, such a method for renaming the instructions to obtain trigger commands with renamed instructions to conceal the identity of the corresponding dependent functions, * and recovery means 20 for be implemented in unit 6 during the use phase and to find the instructions

<Desc / Clms Page number 48>

 initial, from the renamed instruction, to find the dependent function to perform.

 For the implementation of the principle of protection by renaming, it is also built operating means for transforming a blank unit 60 into a unit 6 at least implementing the recovery means 20.

 For the implementation of the principle of protection by renaming, it is also chosen, in the source of the vulnerable software 2vs: * at least one algorithmic processing using at least one operand and rendering at least one result, * and at least a portion of the source of the vulnerable software 2vs, containing at least one selected algorithmic processing.

The source of the vulnerable software 2vs is then modified, so as to obtain the source of the 2ps protected software. This change is such that, in particular: * when running the protected software 2p, at least a portion of the first execution part 2pes, which is executed in the data processing system 3, takes into account that the functionality of at least one algorithmic processing chosen is executed in the unit 6, while executing the protected software 2p, the second execution part
2p, which is executed in unit 6, executes at least the functionality of at least one algorithmic processing chosen, * each algorithmic processing chosen is decomposed so that when running the protected software 2p, each algorithmic processing chosen is executed, by means of the second 2-bit execution part, using dependent functions. Preferably, each algorithmic processing chosen is decomposed into dependent functions fdn (with n varying from 1 to N), namely: - optionally one or more dependent functions allowing the provision of one or more operands for the unit 6 dependent functions, some of which use the operand (s) and which, in combination, perform the functionality of the algorithmic processing chosen, using this operand or these operands,

<Desc / Clms Page number 49>

and optionally one or more dependent functions making it possible for the data processing system 3 to make available to the unit 6 the result of the chosen algorithmic processing, while executing the protected software 2p, the second part of execution
2peu executes the dependent functions fdn, 'when running the protected software 2p, the dependent functions are triggered by trigger commands with renamed setpoints, * and a scheduling of the triggering commands is chosen from among all the scheduling allowing the execution protected software
2p.

 The first execution part 2pes of the protected software 2p, executed in the data processing system 3, executes commands with renamed instructions transferring to the unit 6 renamed instructions, and triggering in the unit 6 the recovery by means recovery means 20, setpoints, then the execution by means of the second execution part 2peu, each of the dependent functions fdn previously defined.

 In other words, the principle of protection by renaming consists of renaming the instructions of the triggering commands, so as to obtain triggering commands with renamed setpoints whose execution in the data processing system 3, triggers in the unit 6 , the execution of the dependent functions which would have been triggered by the triggering commands with non-renamed setpoints, without however the examination of the protected software 2p making it possible to determine the identity of the dependent functions executed.

 Fig. 80 illustrates an example of running a vulnerable software 2v. In this example, it appears during the execution of the vulnerable software 2v in the data processing system 3, at a given instant, the calculation of Z <-F (X, Y) corresponding to the assignment to a variable Z of the result of an algorithmic processing represented by a function F and using the operands X and Y.

 Figs. 81 and 82 illustrate an example of implementation of the invention.

 Fig. 81 illustrates the partial implementation of the invention. In this example, when running in the data processing system 3 of the first part

<Desc / Clms Page number 50>

 2pes of the protected software 2p and in the presence of the unit 6, it appears: 'at times t1, t2, the execution of the triggering commands CD ,, CD2 triggering in the unit 6, the execution by means of the second execution part 2peu, corresponding dependent functions fdl, fd2 which ensure the transfer of data X, Y from the data processing system 3 to storage areas respectively x, y located in the storage means 15 unit 6, these triggering commands CD ,, CD2 being respectively represented by OUT (x, X), OUT (y, Y), * at times t3 to tN-i, the execution of the triggering commands CD3 to CD-j, triggering in the unit 6, the execution by means of the second execution part 2peu, corresponding dependent functions fd3 to fdN-i, these triggering commands CD3 to CD-i being represented, respectively, by TRIG (fd3) to TRIG (fdN-t). The sequence of the dependent functions fd3 to fdN-i executed in combination is algorithmically equivalent to the function F. More precisely, the execution of these triggering commands leads to the execution in unit 6 of dependent functions fd3 to fun, which use the contents of the storage areas x, y and return the result in a storage area z of the unit 6, and at the instant tN, the execution of a triggering command CDN triggering in the unit 6 , the execution by means of the second execution part 2peu, the dependent function fdN ensuring the transfer of the result of the algorithmic processing contained in the storage area z of the unit 6 to the data processing system 3, so assign it to the variable Z, this command being represented by IN (z).

consignes des commandes déclenchantes CDl à CDN à savoir x, y, fd3, fdN-I, z sont renommées de manière à obtenir respectivement R (x), R (y), R (fd3)..., R (fdN-j), R (z). In this example, to fully implement the invention, it is chosen as a setpoint, the first argument of the triggering commands OUT and the argument of the triggering commands TRIG and IN. The instructions thus chosen are renamed by the method of renaming instructions. In this way,

CD1 to CDN trigger commands, ie x, y, fd3, fdN-I, z are renamed to obtain R (x), R (y), R (fd3) ..., R (fdN-j, respectively) ), R (z).

<Desc / Clms Page number 51>

* aux instants tj, tz, l'exécution des commandes déclenchantes à consignes renommées CDCRI, CDCR2, transférant vers l'unité 6, les consignes renommées R (x), R (y) ainsi que les données X, Y déclenchant dans l'unité
6 le rétablissement au moyen des moyens de rétablissement 20, des consignes renommées pour rétablir les consignes à savoir l'identité des zones de mémorisation, x, y, puis l'exécution au moyen de la seconde partie d'exécution 2peu, des fonctions dépendantes fdl, fd2 correspondantes qui assurent le transfert des données X, Y depuis le système de traitement de données 3 vers les zones de mémorisation respectivement x, y situées dans les moyens de mémorisations 15 de l'unité 6, ces commandes déclenchantes à consignes renommées CDCRI, CDCR2 étant représentées respectivement par OUT (R (x), X), OUT (R (y), Y), * aux instants t3 à tN-i, l'exécution des commandes déclenchantes à consignes renommées CDCR3 à CDCRN l, transférant vers l'unité 6, les consignes renommées R (fd3) à R (fdN-i), déclenchant dans l'unité 6 le rétablissement au moyen des moyens de rétablissement 20, des consignes, à savoir fd3 à

fdN-i, puis l'exécution au moyen de la seconde partie d'exécution 2peu, des fonctions dépendantes fd3 à fun-1, ces commandes déclenchantes à consignes renommées CDCR3 à CDCRN étant représentées respectivement par TRIG (R (fd3)) à TRIG (R (fdN-i)), * et à l'instant tN, l'exécution de la commande déclenchante à consigne renommée CDCRN transférant vers l'unité 6, la consigne renommée R (z) déclenchant dans l'unité 6 le rétablissement au moyen des moyens de rétablissement 20, de la consigne à savoir l'identité de la zone de mémorisation z, puis l'exécution au moyen de la seconde partie d'exécution
2peu, de la fonction dépendante fdN assurant le transfert du résultat du traitement algorithmique contenu dans la zone de mémorisation z de l'unité
6 vers le système de traitement de données 3, afin de l'affecter à la variable Fig. 82 illustrates the full implementation of the invention. In this example, when executing in the data processing system 3, the first execution part 2pes of the protected software 2p, and in the presence of the unit 6, it appears:

* at the times tj, tz, the execution of the triggering commands with setpoints renamed CDCRI, CDCR2, transferring to the unit 6, the renamed setpoints R (x), R (y) as well as the data X, Y triggering in the unit
6 the recovery by means of the recovery means 20, setpoints renamed to restore the instructions namely the identity of the storage areas, x, y, then the execution by means of the second execution part 2, dependent functions fd1, fd2 corresponding to the transfer of the data X, Y from the data processing system 3 to the storage areas respectively x, y located in the storage means 15 of the unit 6, these triggering commands with renamed instructions CDCRI , CDCR2 being respectively represented by OUT (R (x), X), OUT (R (y), Y), * at times t3 to tN-i, the execution of the triggering commands with renamed setpoints CDCR3 to CDCRN 1, transferring to unit 6, the renamed instructions R (fd3) to R (fdN-i), triggering in unit 6 the recovery by means of recovery means 20, instructions, namely fd3 to

fdN-i, then the execution by means of the second execution part 2peu, of the dependent functions fd3 to fun-1, these triggering commands with renamed setpoints CDCR3 to CDCRN being respectively represented by TRIG (R (fd3)) to TRIG (R (fdN-i)), * and at the instant tN, the execution of the triggering command with a renamed setpoint CDCRN transferring to the unit 6, the renamed setpoint R (z) triggering in the unit 6 the recovery by means of the recovery means 20, of the instruction, namely the identity of the storage zone z, then the execution by means of the second execution part
2h, of the dependent function fdN ensuring the transfer of the result of the algorithmic processing contained in the storage zone z of the unit
6 to the data processing system 3, in order to assign it to the variable

<Desc / Clms Page number 52>

Z, this triggering command with renamed setpoint CDCRN being represented by IN (R (z)).

In the example illustrated, the triggering commands with setpoints renamed 1 to N are executed successively. It should be noted that two improvements can be made:
The first improvement concerns the case where several algorithmic processes are deported in unit 6 and at least the result of an algorithmic processing is used by another algorithmic processing.

 In this case, certain trigger commands with renamed setpoints used for the transfer can be optionally deleted.

 The second improvement is to opt for a relevant scheduling of the orders triggers renamed instructions among the set of orders allowing the execution of the protected software 2p. In this respect, it is preferable to choose a scheduling of the triggering commands with renamed setpoints which temporally dissociates the execution of the dependent functions, by interposing, between them, portions of code executed by the data processing system 3 and comprising or no triggering commands with renamed setpoints for the determination of other data. Figs. 83 and 84 illustrate the principle of such an embodiment.

 Fig. 83 shows an example of running a vulnerable software 2v. In this example, it appears, during the execution of the vulnerable software 2v, in the data processing system 3, the execution of two algorithmic processing leading to the determination of Z and Z ', such that Z <-F (X, Y) and Z '- F' (X ', Y').

 Fig. 84 illustrates an example of implementation of the method according to the invention for which the two algorithmic treatments chosen in FIG. 83 are deported in the unit 6. According to one such example, when executing in the data processing system 3 of the first execution part 2pes of the protected software and in the presence of the unit 6, it appears, as explained above, the execution of the triggering commands with renamed setpoints CDCR1 to CDCRN corresponding to the determination of Z and the execution of the triggering commands to instructions

<Desc / Clms Page number 53>

l'ordonnancement suivant : CDCR1, portion de code intercalé, CDCR'h CDCR2, portion de code intercalé, CDCR'2, CDCR'3, portion de code intercalé, CDCR'4, CDCR3, CDCR4,..., CDCRN, CDCR'M. renamed CDCR'l to CDCR'M corresponding to the determination of Z '. As illustrated, the CDCR1 to CDCRN setpoint trigger commands are not executed consecutively, since the CDCR'l to CDCR'M setpoint trigger commands and other code portions are interspersed. In the example, it is thus realized

the following ordering: CDCR1, intercalated code portion, CDCR'h CDCR2, intercalated code portion, CDCR'2, CDCR'3, intercalated code portion, CDCR'4, CDCR3, CDCR4, ..., CDCRN, CDCR 'Mr.

 It should be noted that, during the execution of a portion of the first execution part 2pes of the protected software 2p, the triggering commands with renamed setpoints executed in the data processing system 3, trigger in the unit 6 the restoration of the identity of the corresponding dependent functions and the execution thereof. Thus, it appears that in the presence of the unit 6, this portion is executed correctly and that, therefore, the protected software 2p is fully functional.

 Fig. 85 illustrates an example of an attempt to execute the protected software 2p, while the unit 6 is absent. In this example, when executing in the data processing system 3 of the first execution part 2pes of the protected software 2p, at all times, the execution of a trigger command with a renamed setpoint can not trigger the restoration of the setpoint and the execution of the corresponding dependent function, due to the absence of the unit 6. The value to be assigned to the variable Z can not therefore be determined correctly.

 It therefore appears that, in the absence of the unit 6, at least one request for a portion of the first execution part 2pes of the protected software 2p, to trigger the restoration of a setpoint and the execution of a dependent function in the unit 6 can not be satisfactorily satisfied, so that at least this portion is not executed correctly and, therefore, the protected software 2p is not fully functional.

 Thanks to this principle of protection by renaming, the examination in the protected software 2p of the triggering commands with renamed setpoints does not make it possible to determine the identity of the dependent functions to be executed in the unit 6. It should be noted that the renaming instructions are made when changing the

<Desc / Clms Page number 54>

 2v vulnerable software into a 2p protected software.

 According to a variant of the principle of protection by renaming, it is defined for at least one dependent function, a family of dependent functions algorithmically equivalent but triggered by triggering commands with different renamed setpoints. According to this variant, for at least one algorithmic processing using dependent functions, this algorithmic processing is decomposed into dependent functions which for at least one of them is replaced by a function dependent on the same family instead of keeping several occurrences of the same dependent function. For this purpose, trigger commands with renamed setpoints are modified to take account of the replacement of dependent functions by functions dependent on the same family. In other words, two dependent functions of the same family have different setpoints and therefore trigger commands with different renamed setpoints, and it is not possible, on examination of the protected software 2p, to detect that the functions called dependents are algorithmically equivalent.

 According to a first preferred embodiment of the variant of the protection principle by renaming, it is defined for at least one dependent function, a family of algorithmically equivalent dependent functions, by concatenating a noise field to the information defining the functional part of the function. dependent to execute in unit 6.

According to a second preferred embodiment of the variant of the protection principle by renaming, a family of dependent algorithmically equivalent functions is defined for at least one dependent function by using identification fields.

 According to a preferred embodiment of the principle of protection by renaming, it is defined as a method of renaming instructions an encryption method to encrypt the instructions to turn them into renamed instructions. It is recalled that the renaming of the instructions is carried out in the protection phase. For this preferred variant, the recovery means 20 are means implementing a decryption method for decrypting the renamed instructions and thus restore the identity of the dependent functions to be performed in the unit 6. These recovery means are set implemented in the unit

<Desc / Clms Page number 55>

 6 and may be of a software or hardware nature. These recovery means 20 are requested in the use phase U each time a command triggering a renamed setpoint is executed in the data processing system 3 in order to trigger in the unit 6, the execution of 'a dependent function.

 According to another advantageous characteristic of the invention, the protection method aims at implementing a protection principle called "conditional branching", the description of which is carried out in relation to FIGS. 90 to 92.

 For the implementation of the principle of protection by conditional branching, it is chosen in the source of the vulnerable software 2vs, at least one conditional branch BC. It is also chosen at least a portion of the source of the vulnerable software 2vs containing at least one conditional branch BC chosen.

At least a selected portion of the source of the vulnerable software 2vs is then modified, so as to obtain the source of the protected software 2ps. This modification is such that in particular when running the protected software 2p: * at least a portion of the first execution part 2pes, which is executed in the data processing system 3, takes into account that the functionality of at least one conditional branch BC selected is executed in unit 6, * and the second execution part 2, which is executed in unit 6, performs at least the functionality of at least one conditional branch
BC chooses and makes available to the data processing system 3, information allowing the first execution part 2pes, to continue its execution at the chosen location.

 The first execution part 2pes of the protected software 2p, executed in the data processing system 3, executes conditional branching commands, triggering in the unit 6, the execution by means of the second execution part 2peu, deported conditional branch connections bc whose functionality is equivalent to the functionality of the selected BC conditional branches.

 Fig. 90 illustrates an example of running a vulnerable software 2v. In this example, it appears, during the execution of the vulnerable software 2v in the data processing system 3 at a given moment, a conditional connection.

<Desc / Clms Page number 56>

 BC telling the vulnerable software 2v where to continue, ie one of three possible locations Bl, B2 or B3. It should be understood that the conditional branch BC makes the decision to continue the execution of the software at location B1, B2 or B3.

Fig. 91 illustrates an example of implementation of the invention for which the conditional branch chosen to be deported in the unit 6, corresponds to the conditional branch BC. In this example, when executing in the data processing system 3 of the first execution part 2pes of the protected software 2p and in the presence of the unit 6, it appears: at the instant tl, the execution of the conditional branch command CBC1 triggering in the unit 6, the execution by means of the second execution part 2peu, of the conditional branched offset bc algorithmically equivalent to the conditional branch BC, this conditional branching command CBC being represented by
TRIG (be), and at time t2, the transfer of the unit 6 to the data processing system 3, information allowing the first execution part
2pes, continue to perform at the chosen location, namely the place Bl, B2 or B3.

 It should be noted that during the execution of a portion of the first execution part 2pes of the protected software 2p, the conditional branching commands executed in the data processing system 3 trigger the execution of the corresponding deported conditional branches. in the unit 6. Thus, it appears that in the presence of the unit 6, this portion is executed correctly and that therefore the protected software 2p is fully functional.

 Fig. 92 illustrates an attempt to execute the protected software 2p, while the unit 6 is absent. In this example, when executing in the data processing system 3 of the first execution part 2pes of the protected software 2p: at time tl, the execution of the conditional branching command CBC1 can not trigger execution of the deported conditional branch

<Desc / Clms Page number 57>

 bc, given the absence of unit 6, and at time t2, the transfer of information allowing the first execution party to proceed to the chosen location fails, given the absence of unit 6.

 It therefore appears that in the absence of the unit 6, at least one request for a portion of the first execution part 2pes to trigger the execution of a conditional branch offset in the unit 6, can not not be satisfied properly, so that at least this portion is not executed correctly and, therefore, the protected software 2p is not fully functional.

 In the foregoing description in relation to FIGS. 90 to 92, the object of the invention is to deport in the unit 6, a conditional branch. Of course, a preferred embodiment of the invention may consist in moving in the unit 6, a series of conditional branches whose overall functionality is equivalent to all the functionalities of the conditional branches that have been deported.

The execution of the global functionality of this series of deported conditional branches results in the provision, for the data processing system 3, of information enabling the first part of execution of the protected software 2pes to continue its execution. at the chosen place.

 In the foregoing description in relation to FIGS. 40 to 92, six different principles of software protection have been explained generally independently of each other. The protection method according to the invention is implemented using the principle of protection by time dissociation, possibly associated with one or more other protection principles. In the case where the principle of protection by time dissociation is completed by the implementation of at least one other protection principle, the principle of protection by time dissociation is advantageously supplemented by the variable protection principle and / or the principle protection by elementary functions and / or the principle of protection by conditional connection.

 And when the principle of protection by variable is also implemented, it can be completed in turn by the principle of protection by elementary functions and / or the principle of protection by conditional branching.

<Desc / Clms Page number 58>

 And when the principle of protection by elementary functions is also implemented, it can be completed in turn by the principle of protection by detection and coercion and / or the principle of protection by renaming and / or the principle of protection by conditional branching.

 And when the principle of protection by detection and coercion is also implemented, it can be completed in turn by the principle of protection by renaming and / or the principle of protection by conditional branching.

 And when the principle of protection by renaming is also implemented, it can be completed in turn by the principle of protection by conditional branching.

 According to the preferred embodiment, the principle of protection by temporal dissociation is completed by the principle of protection by variable, supplemented by the principle of protection by elementary functions, supplemented by the principle of protection by detection and coercion, supplemented by the principle of protection by protection by renaming, supplemented by the principle of protection by conditional connection.

 In the case where a protection principle is applied, in addition to the principle of protection by temporal dissociation, its description carried out previously must include, in order to take account of its combined implementation, the following modifications: the notion of vulnerable software must be understood as software vulnerable to the protection principle being described.

 Thus, in the case where a protection principle has already been applied to the vulnerable software, the vulnerable software expression must be interpreted by the reader as the software expression protected by the protection principle (s) already applied; the notion of protected software must be understood as protected software with respect to the protection principle being described. Thus, in the case where a protection principle has already been applied, the expression protected software must be interpreted by the reader as the new version of the protected software; * and the choice (s) made for the implementation of the principle of

<Desc / Clms Page number 59>

 protection in the course of the description must take into account the choice (s) made for the implementation of the protection principle (s) already applied.

 The remainder of the description makes it possible to better understand the implementation of the protection method according to the invention. This protection method according to the invention involves, as it appears more precisely in FIG. 100: * first, a protection phase P during which a vulnerable software 2v is modified into a protected software 2p, * then a use phase U during which the protected software 2p is implemented. In this use phase U: in the presence of the unit 6 and whenever a portion of the first execution part 2pes executed in the data processing system 3 imposes it, an imposed functionality is executed in the unit 6, so that this portion is executed correctly and that, therefore, the protected software 2p is fully functional, - in the absence of the unit 6 and despite the request for a portion of the first part 2pes execution of a feature in the unit 6, this request can not be honored correctly, so that at least this portion is not executed correctly and therefore the 2p protected software is not not completely functional, and possibly a recharging phase R during which is credited at least one additional use of a function protected by the implementation of the second preferred embodiment of the invention. principle of protection by detection and coercion using as a characteristic, a measurement variable.

 The protection phase P can be decomposed into two protection sub-phases P1 and P2. The first, so-called upstream protection subphase Pi, is implemented independently of the vulnerable software 2v to be protected. The second, said P2 downstream protection sub-phase is dependent on the vulnerable software 2v to protect.

It should be noted that the sub-phases of upstream protection P1 and downstream P2 can advantageously be carried out by two different persons or two different teams. For example, the upstream protection sub-phase P1 can be performed by

<Desc / Clms Page number 60>

 a person or a company providing the development of software protection systems, while the P2 downstream protection sub-phase can be performed by a person or a company providing software development to be protected. Of course, it is clear that the upstream and downstream P2 protection sub-phases can also be performed by the same person or the same team.

 The upstream protection sub-phase P1 involves several stages Su, ..., Si; for each of which different tasks or work are to be done.

- un jeu de fonctions élémentaires dont les fonctions élémentaires sont susceptibles d'être exécutées dans l'unité 6, - et un jeu de commandes élémentaires pour ce jeu de fonctions élémentaires, ces commandes élémentaires étant susceptibles d'être exécutées dans le système de traitement de données 3 et de déclencher l'exécution dans l'unité 6, des fonctions élémentaires, 'et dans le cas où le procédé de protection selon l'invention met en oeuvre le principe de protection par détection et coercition, il est aussi défini :

- au moins une caractéristique d'exécution de logiciel, susceptible d'être surveillée au moins en partie dans l'unité 6, - au moins un critère à respecter pour au moins une caractéristique d'exécution de logiciel, The first stage of this upstream protection sub-phase P1 is called the "Su definition stage". At this stage of definitions Su: it is chosen: - the type of the unit 6. As an illustration, it can be chosen as a unit
6, a reader 8 of smart cards and the smart card 7 associated with the reader, and the transfer means 12, 13 intended to be implemented respectively in the data processing system 3 and in the unit 6, during the use phase U and able to ensure the transfer of data between the data processing system 3 and the unit 6, * and in the case where the protection method according to the invention implements the principle protection by elementary functions, it is also defined:

a set of elementary functions whose elementary functions are likely to be executed in the unit 6, and a set of elementary commands for this set of elementary functions, these elementary commands being capable of being executed in the processing system 3 and to trigger the execution in unit 6, elementary functions, and in the case where the protection method according to the invention implements the protection principle by detection and coercion, it is also defined:

at least one software execution characteristic, which can be monitored at least partly in the unit 6, at least one criterion to be met for at least one software execution characteristic,

<Desc / Clms Page number 61>

 detection means 17 to be implemented in the unit 6 and making it possible to detect that at least one software execution characteristic does not comply with at least one associated criterion, and coercion means to implement in unit 6 and making it possible to inform the data processing system 3 and / or to modify the execution of a software, when at least one criterion is not respected, and in the case where the method of protection according to the invention implements the principle of protection by detection and coercion using as a characteristic a variable for measuring the execution of the software, it is also defined: as a software execution characteristic that can be monitored , a variable for measuring the use of a functionality of a software, - as a criterion to be respected, at least one threshold associated with each measurement variable, - and updating means making it possible to update to the minus one e measurement variable, and in the case where the protection method according to the invention implements a first preferred embodiment of the protection principle by detection and coercion using as a variable a measure of the execution of the software, it is also defined: - for at least one measurement variable, several associated thresholds, - and different coercion means corresponding to each of these thresholds, and in the case where the protection method according to the invention implements a second variant preferred embodiment of the principle of protection by detection and coercion using as characteristic a measurement variable of the execution of the software, it is also defined reloading means for crediting at least one additional use for at least one software functionality monitored by

<Desc / Clms Page number 62>

- et en tant que critère à respecter, au moins un trait d'exécution de logiciel, et dans le cas où le procédé de protection selon l'invention met en oeuvre le principe de protection par détection et coercition utilisant comme trait d'exécution à respecter, la surveillance de l'enchaînement d'exécution, il est aussi défini : - un jeu d'instructions dont les instructions sont susceptibles d'être exécutées dans l'unité 6, - un jeu de commandes d'instructions pour ce jeu d'instructions, ces commandes d'instructions étant susceptibles d'être exécutées dans le système de traitement de données 3 et de déclencher dans l'unité 6 l'exécution des instructions,

- en tant que profil d'utilisation, l'enchaînement des instructions, - en tant que trait d'exécution, un enchaînement souhaité pour l'exécution des instructions, - en tant que moyens de détection 17, des moyens permettant de détecter que l'enchaînement des instructions ne correspond pas à celui souhaité, - et en tant que moyens de coercition 18, des moyens permettant d'informer le système de traitement de données 3 et/ou de modifier le fonctionnement de la portion de logiciel protégé 2p lorsque l'enchaînement des instructions ne correspond pas à celui souhaité, et dans le cas où le procédé de protection selon l'invention met en oeuvre une variante préférée de réalisation du principe de protection par détection et coercition utilisant comme trait d'exécution à respecter, la surveillance de l'enchaînement d'exécution, il est aussi défini : a measurement variable, and in the case where the protection method according to the invention implements the protection principle by detection and coercion using as a characteristic a software usage profile, it is also defined: as a characteristic executable software that can be monitored, a software usage profile,

and as a criterion to be complied with, at least one software execution feature, and in the case where the protection method according to the invention implements the principle of protection by detection and coercion using, as execution feature, respect, the supervision of the sequence of execution, it is also defined: - a set of instructions whose instructions are likely to be executed in the unit 6, - a set of instructions commands for this game of instructions, these instruction commands being able to be executed in the data processing system 3 and to trigger in the unit 6 the execution of the instructions,

as a use profile, the sequence of instructions, as an execution feature, a desired sequence for executing the instructions, as detection means 17, means for detecting that the sequence of instructions does not correspond to that desired, - and as means of coercion 18, means for informing the data processing system 3 and / or to modify the operation of the portion of protected software 2p when sequence of instructions does not correspond to that desired, and in the case where the protection method according to the invention implements a preferred variant embodiment of the protection principle by detection and coercion using as a performance feature to be respected, the monitoring the execution sequence, it is also defined:

<Desc / Clms Page number 63>

à :
0 un champ d'identification de l'instruction CII,
0 et pour chaque opérande de l'instruction : * un champ drapeau CDk, * et un champ d'identification prévue CIPk de l'opérande, - pour chaque registre appartenant aux moyens d'exploitation et utilisé par le jeu d'instructions, un champ d'identification générée CIGv dans lequel est automatiquement mémorisée l'identification de la dernière instruction ayant rendu son résultat dans ce registre, en tant que moyens de détection 17, des moyens permettant, lors de l'exécution d'une instruction, pour chaque opérande, lorsque le champ drapeau CDk l'impose, de contrôler l'égalité entre le champ d'identification générée CIGv correspondant au registre utilisé par cet opérande, et le champ d'identification prévue CIPk de l'origine de cet opérande, et en tant que moyens de coercition 18, des moyens permettant de modifier le résultat des instructions, si au moins une des égalités contrôlées est fausse, et dans le cas où le procédé de protection selon l'invention met en oeuvre le principe de protection par renommage, il est aussi défini : - en tant qu'une commande déclenchante, une commande élémentaire ou une commande d'instruction, - en tant qu'une fonction dépendante, une fonction élémentaire ou une instruction, as an instruction set, a set of instructions at least some of whose instructions work on registers and use at least one operand to render a result, - for at least part of the instructions working on registers:> a PF part defining the functionality of the instruction, and a part defining the desired sequence for executing instructions and having corresponding bit fields

at :
0 an identification field of the instruction CII,
0 and for each operand of the instruction: * a flag field CDk, * and an intended identification field CIPk of the operand, - for each register belonging to the operating means and used by the set of instructions, a CIGv generated identification field in which is automatically stored the identification of the last instruction having returned its result in this register, as detection means 17, means allowing, during the execution of an instruction, for each operand, when the flag field CDk imposes it, to control the equality between the generated identification field CIGv corresponding to the register used by this operand, and the intended identification field CIPk of the origin of this operand, and as means of coercion 18, means for modifying the result of the instructions, if at least one of the controlled equalities is false, and in the case where the protection method according to the invention sets forth the principle of protection by renaming, it is also defined: - as a triggering command, an elementary command or an instruction command, - as a dependent function, an elementary function or an instruction,

<Desc / Clms Page number 64>

 as a setpoint, at least one argument for a triggering command corresponding at least in part to the information transmitted by the data processing system 3 to the unit 6 in order to trigger the execution of the function corresponding dependency, - a method of renaming instructions to rename the instructions to obtain triggering commands with renamed instructions, - and recovery means 20 to be implemented in the unit 6 during the phase d U use, and to find the dependent function to perform, from the renamed instruction, * and in the case where the protection method according to the invention implements a variant of the protection principle by renaming, it is also defined for at least one dependent function, a family of dependent functions that are algorithmically equivalent, but triggered by triggering commands whose setpoints are renamed In the case where the protection method according to the invention implements one or other of the preferred embodiments of the variant of the protection principle by renaming, it is also defined for at least one dependent function. , a family of algorithmically equivalent dependent functions: by concatenating a noise field to the information defining the functional part of the dependent function to be executed in the unit 6, or by using the identification field of the instruction CI1 and in the case where the protection method according to the invention implements a preferred variant of the principle of protection by renaming, it is also defined: as a method of renaming instructions, an encryption method for encrypting the instructions, - and as means of recovery 20, means implementing a decryption method for deciphering frer the instructions

<Desc / Clms Page number 65>

 renamed and thus restore the identity of the dependent functions to be executed in the unit 6.

 In the upstream protection sub-phase, the S11 definition stage is followed by a stage called the "Sound stage of construction". At such a stage Su, the transfer means 12, 13 and possibly the operating means corresponding to the definitions of the definition step S11 are constructed.

At this stage of construction S, 2, it is therefore proceeded to: the construction of the transfer means 12, 13 allowing, during the use phase U, the transfer of data between the data processing system 3 and unit 6, * and when the principle of protection by elementary functions is also implemented, the construction of the means of exploitation allowing the unit
6, during the use phase U to perform the basic functions of the set of elementary functions, and when the principle of protection by detection and coercion is also implemented, to the construction of: operating means allowing the unit 6, during the use phase U also to implement the detection means and the coercion means, and possibly operating means allowing the unit 6, during the phase of use U also implement the means of updating, - and possibly operating means allowing the unit 6, during the reloading phase to also implement the reloading means, - and possibly means of exploitation also allowing unity
6, during the use phase U to execute the instructions of the instruction set, and when the principle of protection by renaming is also implemented, the construction of the operating means allowing the unit 6, during the use phase U to also implement the means of

<Desc / Clms Page number 66>

 recovery.

 The construction of the operating means is carried out in a conventional manner, via a program development unit taking into account the definitions that have been made at the definition stage S11. Such a unit is described in the following description in FIG. 110.

 During the upstream protection sub-phase P1, the construction step S12 can be followed by a stage called "pre-personalization stage S13". During this pre-personalization stage S13, at least part of the transfer means 13 and / or the operating means are loaded into at least one blank unit 60 in order to obtain at least one pre-personalized unit 66. It should be noted that part of the operating means, once transferred to a pre-personalized unit 66, is no longer directly accessible from outside this pre-personalized unit 66. The transfer of operating means in a blank unit 60 can be realized via a suitable pre-personalization unit, which is described in the following description in FIG. 120. In the case of a pre-personalized unit 66, consisting of a smart card 7 and its reader 8, the pre-personalization only concerns the smart card 7.

- la ou les portions susceptibles d'être modifiées, - et lorsque le principe de protection par variable est aussi mis en oeuvre, la ou les variables susceptibles d'être déportées dans l'unité 6, - et lorsque le principe de protection par fonctions élémentaires est aussi mis en oeuvre, le ou les traitements algorithmiques susceptibles d'être During the upstream protection sub-phase P1, it can be implemented, after the definition step S11 and, optionally after the construction step S12, a stage called "tool making stage S14". At this stage of making tools S14 are made tools to help the generation of protected software or to automate the protection of software. Such tools allow: to help choose or choose automatically in the vulnerable software
2v to protect: the algorithmic processing or processes that can be decomposed into remote stages in the unit 6,

the portion or portions that can be modified, and when the variable protection principle is also implemented, the variable or variables that may be deported in unit 6, and when the protection principle by function elementary is also implemented, the algorithmic treatment or treatments likely to be

<Desc / Clms Page number 67>

 decomposed into elementary functions that are deportable in unit 6, and when the protection principle by detection and coercion is also implemented, the execution characteristic (s) to be monitored and, optionally, the algorithmic processing (s) likely to be decomposed into remote instructions in the unit 6, - and when the principle of protection by renaming is also implemented, the algorithmic treatment or processes capable of being decomposed into dependent functions that are transferable in the unit 6 and for which the instructions of the triggering commands may be renamed, and when the conditional branch protection principle is also implemented, the conditional branch (s) whose functionality is likely to be deported in unit 6, and possibly to assist in generate protected software or automate software protection.

 These different tools can be made independently or in combination and each tool can take various forms, such as preprocessor, assembler, compiler, etc.

 The upstream protection sub-phase P1 is followed by a downstream protection subphase P2 dependent on the vulnerable software 2v to be protected. This downstream protection sub-phase P2 also involves several stages. The first stage corresponding to the implementation of the principle of protection by time dissociation is called "creation step S21". During this creation step S21, the choices made at the definition stage Sn are used. With the aid of these choices and possibly tools constructed at the S14 tool making stage, the protected software 2p is created by choosing at least one algorithmic processing which, when running the vulnerable software 2v , uses at least one operand and makes it possible to obtain at least one result, * by choosing at least a portion of the source of the vulnerable software 2vs containing at least one chosen algorithmic processing,

<Desc / Clms Page number 68>

 producing the source of the protected software 2ps from the source of the vulnerable software 2vs, modifying at least a selected portion of the source of the vulnerable software 2vs to obtain at least one modified portion of the source of the protected software 2ps, this modification being such that: when executing the protected software 2p a first execution part 2pes is executed in the data processing system 3 and a second execution part 2peu is executed in a unit 6, obtained from the blank unit 60 after loading information, - the second execution part 2peu performs at least the functionality of at least one selected algorithmic processing, - at least one selected algorithmic processing is decomposed so that when running the protected software 2p appear by means of the second part of execution 2peu, several distinct stages, namely:> the provision of at least one operand for the u 6, the realization by the unit 6, of the functionality of the algorithmic processing on at least this operand, and optionally, the provision of at least one result, by the unit 6 for the processing system. data 3, - for at least one chosen algorithmic processing, step commands are defined so that during the execution of the protected software 2p, each step command is executed by the first execution part 2pes and triggers, in the unit 6, the execution by means of the second execution part 2peu, of a step, - and a scheduling of the commands of steps is chosen from among the set of scheduling allowing the execution of the protected software 2p , and producing: a first object part 2pos of the protected software 2p, from the source of the protected software 2ps, this first object part 2pos being

<Desc / Clms Page number 69>

as when executing the protected software 2p, there appears a first execution part 2pes which is executed in the data processing system 3 and of which at least one portion takes into account that the commands of steps are executed according to the selected scheduling, - and a second object part 2pou of the protected software 2p, this second object part 2pou being such that, after loading in the blank unit
60 and during the execution of the protected software 2p, appears the second part of execution 2peu by means of which the steps triggered by the first part of execution 2pes are executed.

 Of course, the principle of protection by time dissociation according to the invention can be applied directly during the development of a new software without requiring the prior implementation of a vulnerable software 2v. In this way, 2p protected software is obtained directly.

 During the downstream protection sub-phase P2, and when at least one other protection principle is applied in addition to the time-dissociation protection principle, a "modification stage 822" is implemented. In this modification stage S22, definitions defined at the definition stage 811 are used. Using these definitions and possibly tools built in the tool making stage S14, the protected software 2p is modified to allow the implementation of the protection principles according to one of the arrangements defined above.

When the variable protection principle is implemented, the protected software 2p is modified: * by choosing at least one variable used in at least one selected algorithmic processing, which during the execution of the protected software 2p, partially defines the state of the protected software 2p, 'by modifying at least a selected portion of the source of the protected software
2ps, this change is such that when running the protected software
2p, at least one selected variable or at least one selected variable copy resides in unit 6, and producing:

<Desc / Clms Page number 70>

the first object part 2pos of the protected software 2p, this first object part 2pos being such that during the execution of the protected software
2p, at least a portion of the first execution part 2pes also takes into account that at least one variable or at least one variable copy resides in the unit 6, and the second object part 2pou of the protected software 2p, this second object part 2pou being such that, after loading in the unit 6 and during the execution of the protected software 2p, the second execution part 2peu appears by means of which at least one selected variable, or at least one copy chosen variable also resides in unit 6.

When the principle of protection by elementary functions is implemented, the protected software 2p is modified: by modifying at least a selected portion of the source of the protected software
2ps, this modification being such that: at least one step is decomposed so that during the execution of the protected software 2p, this step is executed by means of the second execution part 2peu, by using elementary functions, for at least one decomposed step, elementary commands are integrated in the source of the protected software 2ps, so that during the execution of the protected software 2p, each elementary command is executed by the first execution part 2pes and triggers in the unit 6, the execution by means of the second execution part 2peu, of an elementary function, - and a scheduling of the elementary commands is chosen from among the set of scheduling allowing the execution of the protected software 2p, * and by producing: the first object part 2pos of the protected software 2p, this first object part 2pos being such that during the execution of the protected software
2p, at least a portion of the first run part 2pes also executes the elementary commands according to the scheduling

<Desc / Clms Page number 71>

 chosen, - and the second object 2pou part of the protected software 2p also containing the operating means, this second object part 2pou being such that, after loading in the unit 6 and during the execution of the protected software 2p, appears the second part of execution 2peu by means of which are also executed the elementary functions triggered by the first part of execution 2pes.

When the principle of protection by detection and coercion is implemented, the protected software 2p is modified: w by choosing at least one software execution characteristic to be monitored, among the execution characteristics that can be monitored, choosing at least one criterion to respect for at least one chosen software execution characteristic, * by choosing in the source of the protected software 2ps, elementary functions for which at least one selected software execution characteristic is to be monitored, * by modifying at least a selected portion of the source of the protected software
2ps, this change is such that when running the protected software
2p, at least one chosen execution characteristic is monitored by means of the second execution part 2peu, and the non-respect of a criterion results in information of the data processing system and / or modification of the data processing system. execution of the protected software 2p, and producing the second object part 2pou of the protected software 2p containing the operating means also implementing the detection means 17 and the coercion means 18, this second object part 2pou being such that, after loading in the unit 6 and during the execution of the protected software 2p, at least one software execution characteristic is monitored and the non-respect of a criterion results in information of the data processing system and / or a modification of the execution of the protected software 2p.

<Desc / Clms Page number 72>

- au moins une variable de mesure servant à quantifier l'utilisation de ladite fonctionnalité, - au moins un seuil associé à une variable de mesure choisie correspondant à une limite d'utilisation de ladite fonctionnalité, - et au moins une méthode de mise à jour d'une variable de mesure choisie en fonction de l'utilisation de ladite fonctionnalité, * et en modifiant au moins une portion choisie du source du logiciel protégé
2ps, cette modification étant telle que, lors de l'exécution du logiciel protégé 2p, la variable de mesure est actualisée au moyen de la seconde partie d'exécution 2peu, en fonction de l'utilisation de ladite fonctionnalité et au moins un dépassement de seuil est pris en compte. For the implementation of the principle of protection by detection and coercion using as a characteristic variable a measurement of the execution of the software, the protected software 2p is modified: * by choosing as characteristic of software execution to be monitored, to less a variable for measuring the use of a software functionality, * by choosing: - at least one feature of the 2p protected software whose use is likely to be monitored by means of a measurement variable,

at least one measurement variable for quantifying the use of said functionality, at least one threshold associated with a chosen measurement variable corresponding to a limit of use of said functionality, and at least one update method. of a variable of measure chosen according to the use of said functionality, * and by modifying at least a chosen portion of the source of the protected software
2ps, this modification being such that, during the execution of the protected software 2p, the measurement variable is updated by means of the second execution part 2peu, according to the use of said functionality and at least one overrun of threshold is taken into account.

For the implementation of a first preferred embodiment of the principle of protection by detection and coercion using, as a characteristic, a measurement variable, the protected software 2p is modified: by choosing in the source of the protected software 2ps, minus one selected measurement variable to which several thresholds corresponding to different limits of use of the functionality must be associated, * by choosing at least two thresholds associated with the chosen measurement variable, * and by modifying at least a selected portion of the source of the protected software
2ps, this modification being such that, during the execution of the protected software 2p, the exceedances of the various thresholds are taken into account,

<Desc / Clms Page number 73>

 the second part of execution 2peu, differently.

 For the implementation of a second preferred embodiment of the principle of protection by detection and coercion using as a characteristic, a measurement variable, the protected software 2p is modified: by choosing in the source of the protected software 2ps, at least a chosen measurement variable making it possible to limit the use of a feature to which at least one additional use must be able to be credited, * and by modifying at least one chosen portion, this modification being such that in a so-called recharging phase, at unless an additional use of at least one feature corresponding to a selected measurement variable can be credited.

'en choisissant au moins un trait d'exécution qu'au moins un profil d'utilisation choisi doit respecter, 'et en modifiant au moins une portion choisie du source du logiciel protégé
2ps, cette modification étant telle que, lors de l'exécution du logiciel protégé 2p, la seconde partie d'exécution 2peu respecte tous les traits d'exécution choisis. For the implementation of the principle of protection by detection and coercion using as a characteristic, a software usage profile, the protected software 2p is modified: * by choosing as a software execution characteristic to monitor at least one profile of software use,

selecting at least one execution trait that at least one chosen usage profile must respect, and modifying at least a selected portion of the source of the protected software
2ps, this modification being such that, during the execution of the protected software 2p, the second execution part 2peu respects all the selected execution features.

- en transformant les fonctions élémentaires en instructions, - en spécifiant l'enchaînement que doivent respecter au moins certaines des instructions lors de leur exécution dans l'unité 6, - et en transformant les commandes élémentaires en commandes For the implementation of the principle of protection by detection and coercion using as execution line to respect, the monitoring of the sequence of execution, the protected software 2p is modified: * by modifying at least a selected portion of the source of the protected software
2ps:

- by transforming the elementary functions into instructions, - by specifying the sequence that must follow at least some of the instructions when they are executed in the unit 6, - and by transforming the elementary commands into commands

<Desc / Clms Page number 74>

 instructions corresponding to the instructions used.

When the principle of protection by renaming is implemented, the software 2p is modified: 'by choosing in the source of the protected software 2ps, triggering commands, * by modifying at least a selected portion of the source of the protected software 2ps by renaming the instructions of the triggering commands chosen, in order to conceal the identity of the corresponding dependent functions, * and by producing: the first object part 2pos of the protected software 2p, this first object part 2pos being such that during the execution of the protected software
2p, the triggering commands with renamed setpoints are executed, and the second object part 2pou of the protected software 2p containing the operating means also implementing the recovery means 20, this second object part 2pou being such that, after loading into the 6 and during the execution of the protected software 2p, the identity of the dependent functions whose execution is triggered by the first execution part 2pes is restored by means of the second execution part 2peu, and the functions dependents are executed by means of the second 2-bit execution part.

For the implementation of a variant of the protection principle by renaming, the protected software 2p is modified: * by choosing in the source of the protected software 2ps at least one triggering command with renamed reference, * and by modifying at least a portion chosen source of the protected software
2ps by replacing at least the renamed setpoint of a triggering command with a chosen setpoint, by another setpoint renamed, triggering a function dependent on the same family.

 When the principle of protection by conditional branching is implemented, the protected software 2p is modified:

<Desc / Clms Page number 75>

by choosing in the source of the protected software 2ps, at least one conditional branch made in at least one chosen algorithmic processing, by modifying at least a selected portion of the source of the protected software
2ps, this change is such that when running the protected software
2p, the functionality of at least one selected conditional branch, is executed, by means of the second execution part 2peu, in the unit 6, * and producing: the first object part 2pos of the protected software 2p, this first part object 2pos being such that when running the protected software
2p, the functionality of at least one selected conditional branch is executed in the unit 6, - and the second object part 2pou of the protected software 2p, this second object part 2pou being such that, after loading in the unit 6 and when of the execution of the protected software 2p, the second execution part 2peu appears by means of which the functionality of at least one selected conditional branch is executed.

For the implementation of a preferred embodiment of the conditional branch protection principle, the protected software 2p is modified: by choosing, in the source of the protected software 2ps, at least one series of selected conditional branches, modifying at least a selected portion of the protected software source
2ps, this change is such that when running the protected software
2p, the global functionality of at least one selected set of conditional branches is executed by means of the second 2-bit execution part, in the unit 6, * and producing: the first object part 2pos of the protected software 2p, this first part object 2pos being such that during the execution of the protected software
2p, the functionality of at least one selected series of conditional branches is executed in the unit 6,

<Desc / Clms Page number 76>

 and the second object part 2p or of the protected software 2p, this second object part 2pou being such that, after loading in the unit 6 and during the execution of the protected software 2p, the second execution part 2peu appears by means of which the global functionality of at least one selected series of conditional branches is executed.

Of course, the protection principles according to the invention can be applied directly during the development of a new software without requiring the prior implementation of intermediate protected software. In this way, the creation and modification stages 821 and 822 can be performed concomitantly so as to directly obtain the protected software 2p.

During the downstream protection sub-phase P2, it is implemented after the creation stage 821 of the protected software 2p, and possibly after the modification stage 822, a stage called "personalization stage 823". During this personalization stage 823, the second object part 2p or possibly containing the operating means is loaded in at least one blank unit 60, in order to obtain at least one unit 6, or part of the second object part 2 or possibly containing the operating means is loaded into at least one pre-customized unit 66, in order to obtain at least one unit 6. The loading of this personalization information makes it possible to make at least one unit 6 operational. note that some of this information, once transferred to a unit 6, is not directly accessible from outside this unit 6. The transfer of the personalization information in a blank unit 60 or a pre-customized unit 66 may be realized through a suitable personalization unit which is described in the following description in FIG. 150. In the case of a unit 6, consisting of a smart card 7 and its reader 8, the personalization only concerns the smart card 7.

 For the implementation of the protection phase P, various technical means are described more precisely in relation to FIGS. 110, 120, 130, 140 and 150.

 Fig. 110 illustrates an exemplary embodiment of a system 25 for implementing the construction step 812 taking into account the definitions that have occurred at the definition stage 8u and during which the means are constructed.

<Desc / Clms Page number 77>

 12,13 and optionally, the operating means for the unit 6. Such a system 25 comprises a program development unit or workstation conventionally presented in the form of a computer comprising a central unit, a screen, devices of the keyboard-mouse type, and including, in particular, the following programs: file editors, assemblers, preprocessors, compilers, interpreters, debuggers and linkers.

 Fig. 120 illustrates an exemplary embodiment of a pre-personalization unit 30 for loading at least part of the transfer means 13 and / or the operating means in at least one blank unit 60 in order to obtain at least one pre-unit 66. This pre-personalization unit 30 comprises reading and writing means 31 making it possible to electrically pre-personalize a blank unit 60 so as to obtain a pre-personalized unit 66 in which the transfer means 13 and / or or operating were loaded. The pre-personalization unit 30 may also include physical personalization means 32 of the blank unit 60 that can be, for example, in the form of a printer. In the case where the unit 6 is constituted by a smart card 7 and its reader 8, the pre-customization generally concerns only the smart card 7.

 Fig. 130 illustrates an exemplary embodiment of a system 35 for making the preparation of tools to help generate protected software or automate software protection. Such a system 35 comprises a program development unit or workstation conventionally presented in the form of a computer comprising a central unit, a screen, peripherals of the keyboard-mouse type, and comprising, in particular, the following programs: file editors, assemblers, preprocessors, compilers, interpreters, debuggers and linkers.

 Fig. 140 illustrates an embodiment of a system 40 for directly creating a protected software 2p or to modify a vulnerable software 2v to obtain a protected software 2p. Such a system 40 comprises a program development unit or workstation conventionally presented in the form of a computer comprising a central unit, a screen, peripherals of the keyboard-mouse type, and comprising, in particular, the following programs: publishers

<Desc / Clms Page number 78>

 files, assemblers, pre-processors, compilers, interpreters, debuggers, and linkers, as well as tools to help generate protected software or automate software protection.

 Fig. 150 illustrates an exemplary embodiment of a personalization unit 45 for charging the second object part 2pou in at least one blank unit 60 in order to obtain at least one unit 6 or part of the second object part 2pou in at least a pre-personalized unit 66 for obtaining at least one unit 6.

This personalization unit 45 comprises a reading and writing means 46 making it possible to electrically personalize at least one blank unit 60 or at least one pre-personalized unit 66, so as to obtain at least one unit 6.

At the end of this customization, a unit 6 includes the information necessary for the execution of the protected software 2p. The personalization unit 45 may also include physical personalization means 47 for at least one unit 6 that may be, for example, in the form of a printer. In the case where a unit 6 is constituted by a smart card 7 and its reader 8, the personalization generally concerns only the smart card 7.

The protection method of the invention can be implemented with the following improvements:
It can be envisaged to use jointly several processing and storage units in which the second object portion 2p or of the protected software 2p is distributed so that their joint use makes it possible to execute the protected software 2p, the absence of at least one of these processing and storage units preventing the use of the protected software
2p.

 Likewise, after the pre-personalization stage 813 and during the personalization stage S23, the part of the second object part 2 or necessary to transform the pre-personalized unit 66 into a unit 6 can be contained in a processing unit and storage used by the personalization system 45 to limit access to this information.

 Of course, this part of the second object part 2pou can be distributed in several processing and storage units so that this information is accessible only when the combined use of these

<Desc / Clms Page number 79>

 processing and storage units.

Claims (36)

CLAIMS: 1-Process for protecting, from at least one blank unit (60) comprising at least storage means (15) and processing means (16), a vulnerable software (2v) against its unauthorized use, said vulnerable software (2v) operating on a data processing system (3), characterized in that it consists of: - 7 in a protection phase (P): to create a protected software (2p): - by choosing, at less an algorithmic processing which, when running the vulnerable software (2v), uses at least one operand and makes it possible to obtain at least one result, - by choosing at least a portion of the source of the vulnerable software (2vs) containing, at least one algorithmic processing chosen, - by generating the source of the protected software (2ps) from the source of the vulnerable software (2vs), by modifying at least a selected portion of the source of the vulnerable software (2vs) to obtain at least a portion modified log source protected version (2ps), this modification being such that:> during the execution of the protected software (2p) a first execution part (2pes) is executed in the data processing system (3) and a second part d execution (2p) is performed in a unit (6), obtained from the blank unit (60) after loading information,> the second execution part (2p) executes at least the functionality of at least a chosen algorithmic processing,> at least one chosen algorithmic processing is decomposed so that during the execution of the protected software (2p) appear by means of the second execution part (2pu), several distinct steps, namely: 0 the provision of at least one operand for the unit (6), <Desc / Clms Page number 81> 0 and optionally, the provision of at least one result, by the unit (6) for the data processing system (3),> for at least one selected algorithmic processing, step commands are defined of in the execution of the protected software (2p), each step command is executed by the first execution part (2pes) and triggers, in the unit (6), execution by means of the second execution part (2pes). execution part (2p), of a step,> and a scheduling of the commands of steps is chosen among the set of scheduling allowing the execution of the protected software (2p), - and by producing:> a first part object (2pos) of the protected software (2p), from the source of the protected software (2ps), this first object part (2pos) being such that during the execution of the protected software (2p), a first part of execution (2pes) which is executed in the data processing system (3) and whose ins a portion takes into account that the commands of steps are executed according to the chosen scheduling,> and a second object part (2pou) of the protected software (2p), this second object part (2pou) being such that, after loading into the blank unit (60) and during the execution of the protected software (2p), the second execution part (2p) appears, by means of which the steps triggered by the first execution part (2pes) are executed, and to load the second object part (2pou) in the blank unit (60), in order to obtain the unit (6), and in a use phase (U) during which the protected software is executed (2p): 0 the realization by the unit (6) of the functionality of the algorithmic processing on at least this operand, <Desc / Clms Page number 82>  in the presence of the unit (6) and whenever a step command contained in a portion of the first execution part (2pes) requires it, to execute the corresponding step in the unit ( 6), so that this portion is executed correctly and that, therefore, the protected software (2p) is fully functional, * and in the absence of the unit (6), despite the demand for a portion of the first execution part (2pes) to trigger the execution of a step in the unit (6), to not being able to correctly answer this request, so that at least this portion is not executed correctly and that, therefore, the protected software (2p) is not fully functional. 2-Process according to claim 1, characterized in that it consists of:

 - 7 in the protection phase (P): to modify the protected software (2p): - by choosing at least one variable used in at least one chosen algorithmic processing, which during the execution of the protected software (2p), defines partially the state of the protected software (2p), - by modifying at least a selected portion of the source of the protected software (2ps), this modification being such that during the execution of the protected software (2p), at least one variable chosen or at least one copy of the chosen variable resides in the unit (6), and producing:> the first object part (2pos) of the protected software (2p), this first object part (2pos) being such that when the execution of the protected software (2p), at least a portion of the first execution part (2pes) also takes into account that at least one variable or at least one copy of variable resides in the unit (6),> and the second object part (2pou) of the protected software (2p), this second part object (2pou) being such that, after loading in the unit (6) and during the execution of the protected software (2p), appears the second execution part (2pu) by means of which at least one chosen variable, or at least one copy of variable <Desc / Clms Page number 83>  chosen also lies in the unit (6), - 7 and in the utilization phase (U): in the presence of the unit (6) each time a portion of the first execution part (2pes ) imposes it, to use a variable or a copy of variable residing in the unit (6), so that this portion is executed correctly and that, therefore, the protected software (2p) is fully functional, * and in the absence of the unit (6), despite the request for a portion of the first execution part (2pes) to use a variable or a copy of variable residing in the unit (6), to be able to respond correctly to this request, so that at least this portion is not executed correctly and, therefore, the protected software (2p) is not fully functional.  3-Process according to claim 1 or 2, characterized in that it consists: - 7 in the protection phase (P): * to define: - a set of elementary functions whose basic functions are likely to be executed in the unit (6), and a set of elementary commands for this set of elementary functions, these elementary commands being able to be executed in the data processing system (3) and to trigger the execution in the unit (6), elementary functions, * to construct operating means allowing the unit (6), to execute the elementary functions of said game, the execution of these elementary functions being triggered by the execution in the system data processing (3), basic commands, * and to modify the protected software (2p):

 by modifying at least a selected portion of the source of the protected software (2ps), this modification being such that: at least one step is decomposed so that during the execution of the protected software (2p), this step is executed at <Desc / Clms Page number 84>  by means of elementary functions,> for at least one decomposed step, elementary commands are integrated in the source of the protected software (2ps), so that during the execution of the second execution part (2pu), protected software (2p), each elementary command is executed by the first execution part (2pes) and triggers in the unit (6), the execution by means of the second execution part (2pe), of a elementary function,> and a scheduling of the elementary commands is chosen from the set of scheduling allowing the execution of the protected software (2p), - and by producing:> the first object part (2pos) of the protected software (2p), this first object part (2pos) being such that during the execution of the protected software (2p), at least a portion of the first execution part (2pes) also executes the elementary commands according to the chosen scheduling,> and the second share ie object (2pou) of the protected software (2p) also containing the operating means, this second object part (2pou) being such that, after loading in the unit (6) and during the execution of the protected software (2p) ), appears the second part of execution (2pu) by means of which are also executed the elementary functions triggered by the first part of execution (2pes), and in the phase of use (U): 'in the presence of the unit (6) and whenever an elementary command contained in a portion of the first execution part (2pes) requires it, to execute the corresponding elementary function in the unit (6), so that this portion is executed correctly and that, therefore, the protected software (2p) is fully functional, and in the absence of the unit (6), despite the demand for a portion of the <Desc / Clms Page number 85>  first execution part (2pes), to trigger the execution of an elementary function in the unit (6), to not be able to respond correctly to this request, so that at least this portion is not executed correctly and, therefore, the protected software (2p) is not fully functional. 4-Process according to claim 3, characterized in that it consists of:

 in the protection phase (P): * to be defined: - at least one software execution characteristic, which can be monitored at least partly in the unit (6), - at least one criterion to be met for at least least one software execution characteristic, - detection means (17) to be implemented in the unit (6) and making it possible to detect that at least one software execution characteristic does not comply with at least one criterion associated, - and coercion means (18) to implement in the unit (6) and to inform the data processing system (3) and / or modify the execution of software, when at least one criterion is not respected, to construct the operating means enabling the unit (6) to also use the detection means (17) and the coercion means (18), and to modify the protected software (2p):

 by choosing at least one software execution characteristic to be monitored, from the execution characteristics that can be monitored, by choosing at least one criterion to respect for at least one chosen software execution characteristic, choosing in the source of the protected software (2ps), elementary functions for which at least one selected software execution characteristic is to be monitored, <Desc / Clms Page number 86>  by modifying at least a selected portion of the source of the protected software (2ps), this modification being such that during the execution of the protected software (2p), at least one selected execution characteristic is monitored by means of the second part (2p), and the non-respect of a criterion results in information of the data processing system and / or modification of the execution of the protected software (2p), and producing the second object part (2pou) of the protected software (2p) containing the operating means also implementing the detection means (17) and the coercion means (18), this second object part (2pou) being such that, after loading into the unit (6) and when running the protected software (2p), at least one software execution characteristic is monitored and failure to meet a criterion results in information of the data processing system and / or to a modification of the executable protection of the protected software (2p), and in the utilization phase (U): in the presence of the unit (6): - as long as all the criteria corresponding to all the monitored performance characteristics of all the modified portions of the protected software (2p) are respected, to allow the nominal operation of these portions of the protected software (2p) and consequently to allow the nominal operation of the protected software (2p), and if at least one of the criteria corresponding to a characteristic of monitored execution of a portion of the protected software (2p) is not respected, to inform the data processing system (3) and / or to modify the operation of the portion of the protected software (2p), so that the operation of the protected software (2p) is changed.  5-Process according to claim 4, for limiting the use of a protected software (2p), characterized in that it consists: - 7 in the protection phase (P): <Desc / Clms Page number 87>  selecting, as a software execution characteristic to be monitored, at least one variable for measuring the use of a software functionality, by choosing: at least one feature of the protected software (2p) of which the use may be monitored by means of a measurement variable,> at least one measurement variable used to quantify the use of said functionality,> at least one threshold associated with a selected measurement variable corresponding to a limit of use of said functionality,> and at least one method of updating a measurement variable chosen according to the use of said functionality, and modifying at least a selected portion of the source of the protected software (2ps) , this modification being such that, during the execution of the protected software (2p), the measurement variable is updated by means of the second execution part (2p), depending on the use of said at least one threshold overrun is taken into account, and in the use phase (U), in the presence of the unit (6), and in the case where

 to define: - as a software execution characteristic that can be monitored, a variable for measuring the use of a software functionality, - as a criterion to be met, at least one threshold associated with each measurement variable, and update means making it possible to update at least one measurement variable, to construct the operating means enabling the unit (6) to also implement the updating means. , * and modify the protected software (2p):

<Desc / Clms Page number 88>

 at least one threshold violation corresponding to at least one usage limit is detected, the data processing system (3) is informed thereof and / or the operation of the portion of the protected software (2p) is modified, so that the operation of the protected software (2p) is changed. 6-Process according to claim 5, characterized in that it consists: - 7 in the protection phase (P): 'to define: - for at least one measurement variable, several associated thresholds, - and means of coercion different corresponding to each of these thresholds,. and modify the protected software (2p):

 by choosing from the source of the protected software (2ps), at least one selected measurement variable to which several thresholds corresponding to different limits of use of the functionality must be associated, by choosing at least two thresholds associated with the variable chosen measurement, - and modifying at least a selected portion of the source of the protected software (2ps), this modification being such that, during the execution of the protected software (2p), the exceedances of the various thresholds are taken into account, by means of the second execution part (2pu), differently, - 7 and in the use phase (U): in the presence of the unit (6): - in the case where the overrange is detected a first threshold, to enjoin the protected software (2p) to no longer use the corresponding functionality, - and in the case where it is detected the exceeding of a second threshold, to render inoperative the corresponding functionality and / or to minus a portion of the protected software (2p).  7-Process according to claim 5 or 6, characterized in that it consists of: <Desc / Clms Page number 89>

 by choosing from the source of the protected software (2ps), at least one measurement variable chosen making it possible to limit the use of a feature to which at least one additional use must be able to be credited, and by modifying at least one portion chosen, this modification being such that in a so-called recharging phase, at least one additional use of at least one functionality corresponding to a chosen measurement variable can be credited, and in the recharging phase: to update at least one variable of chosen measure and / or at least one associated threshold, so as to allow at least one additional use of the functionality.

 - 7 in the protection phase (P): * to define reloading means making it possible to credit at least one additional use for at least one software functionality monitored by a measurement variable, to build the operating means also allowing to the unit (6) implementing the reloading means, and modifying the protected software (2p): 8-Process according to claim 4, characterized in that it consists: - 7 in the protection phase (P): * to define: - as a software execution characteristic that can be monitored, a profile of use of software, - and as a criterion to respect, at least one feature of software execution, and to modify the protected software (2p):

 by choosing as a software execution characteristic to monitor at least one software usage profile, by choosing at least one execution feature that at least one chosen usage profile must respect, <Desc / Clms Page number 90>

 and modifying at least a selected portion of the source of the protected software (2ps), this modification being such that, during the execution of the protected software (2p), the second execution part (2peu) respects all the features of the protected software (2p) selected execution, and in the use phase (U) in the presence of the unit (6), and in the case where it is detected that at least one performance feature is not respected, to inform the data processing system (3) and / or to modify the operation of the portion of the protected software (2p), so that the operation of the protected software (2p) is modified. 9-Method according to claim 8, characterized in that it consists: - 7 in the protection phase (P): * to define: - a set of instructions whose instructions are likely to be executed in the unit (6), - a set of instruction commands for this set of instructions, these instruction commands being capable of being executed in the data processing system (3) and triggering in the unit (6) the execution of instructions, - as a usage profile, the sequence of instructions, - as an execution feature, a desired sequence for executing instructions, - as detection means (17) means for detecting that the sequence of instructions does not correspond to that desired, and as means of coercion (18) means for informing the data processing system (3) and / or modify the operation of the protected software portion (2p) when e the sequence of instructions does not correspond to that desired, to build the operating means also allowing the unit (6) to execute the instructions of the instruction set, the execution of these instructions being triggered by the execution in the treatment system <Desc / Clms Page number 91>

 - by modifying at least a selected portion of the source of the protected software (2ps):> by transforming the elementary functions into instructions,> by specifying the sequence that must be respected at least some of the instructions when they are executed in the unit (6 ), and by transforming the elementary commands into instruction commands corresponding to the instructions used, and in the use phase (U), in the presence of the unit (6), in the case where it is detected that the sequence of instructions executed in the unit (6) does not correspond to that desired, to inform the data processing system (3) and / or to modify the operation of the portion of the protected software (2p), so that the operation of the protected software (2p) is changed.

 data (3), instruction commands, and to modify the protected software (2p): 10-Process according to claim 9, characterized in that it consists: - 7 in the protection phase (P): to define: - as a set of instructions, a set of instructions which at least some instructions work on registers and using at least one operand to render a result, - for at least part of the instructions working on registers:> a part (PF) defining the functionality of the instruction,> and a part defining the desired sequence for executing the instructions and comprising bit fields corresponding to: 0 an instruction identification field (CII), 0 and for each operand of the instruction: * a flag field (CDk), * and an expected identification field (CIPk) of the operand, - for each register belonging to the operating means and used <Desc / Clms Page number 92>

 by the set of instructions, a generated identification field (CIGv) in which is automatically stored the identification of the last instruction having returned its result in this register, - as detection means (17), means allowing when executing an instruction, for each operand, when the flag field (CDk) imposes it, to check the equality between the generated identification field (CIGv) corresponding to the register used by this operand, and the intended identification field (CIPk) of the origin of this operand, and as means of coercion (18) means for modifying the result of the instructions, if at least one of the controlled equalities is false. 11-Process according to claim 3 or 9 characterized in that it consists: - 7 in the protection phase (P): to define: - as a triggering command, an elementary command or an instruction command, - as a dependent function, an elementary function or an instruction, - as a setpoint, at least one argument for a triggering command, corresponding at least in part to the information transmitted by the data processing system (3) to the unit (6), in order to trigger the execution of the corresponding dependent function, - a method of renaming instructions to rename the instructions in order to obtain trigger commands with renamed instructions, - and means of recovery (20) to be implemented in the unit (6) during the use phase (U), and to find the dependent function to perform, from the renamed instruction, to build way s of operation allowing the unit (6) to put <Desc / Clms Page number 93>  - by choosing in the source of the protected software (2ps), triggering commands, - by modifying at least a chosen portion of the source of the protected software (2ps) by renaming the instructions of the triggering commands chosen, in order to conceal the identity of the functions corresponding dependents, - and producing:> the first object part (2pos) of the protected software (2p), this first object part (2pos) being such that during the execution of the protected software (2p), the triggering commands with instructions fame are executed,> and the second object part (2pou) of the protected software (2p) containing the operating means also implementing the recovery means (20), this second object part (2pou) being such that, after loading in the unit (6) and during the execution of the protected software (2p), the identity of the dependent functions whose execution is triggered by the first execution part (2pes) is reestablished e by means of the second part of execution (2peu), and the dependent functions are executed by means of the second part of execution (2peu), and in the phase of use (U): * in the presence of the unit (6) and each time a command triggering a renamed instruction, contained in a portion of the first execution part (2pes) requires it, to restore in the unit (6), the identity of the corresponding function and executing it, so that this portion is executed correctly and that, therefore, the protected software (2p) is fully functional, * and in the absence of the unit (6), despite the request for a portion of the first execution part (2pes), to trigger the execution of a function

 also implement the recovery means, and modify the protected software (2p): <Desc / Clms Page number 94>  dependent in the unit (6), to not be able to respond correctly to this request, so that at least this portion is not executed correctly and that, therefore, the protected software (2p) is not completely functional.  12-Process according to claim 11, characterized in that it consists: - 7 in the protection phase (P):

 to define, for at least one dependent function, a family of dependent functions that are algorithmically equivalent, but triggered by triggering commands whose renamed instructions are different, and to modify the protected software (2p):

 - by choosing in the source of the protected software (2ps) at least one triggering command with renamed reference, - and by modifying at least a selected portion of the source of the protected software (2ps) by replacing at least the renamed instruction of a triggering command with renamed instruction chosen, by another renamed instruction, triggering a dependent function of the same family.  13-Process according to claim 12, characterized in that it consists: - 7 in the protection phase (P), to define, for at least one dependent function, a family of algorithmically equivalent dependent functions: - by concatenating a field of noise to information defining the functional part of the dependent function to be performed in the unit (6), - or using the instruction identification field (CII) and the planned identification fields (CIPk) operands.  14-Process according to claim 11, 12 or 13, characterized in that it consists:

 - 7 in the protection phase (P): to define: - as a method of renaming the instructions, an encryption method to encrypt the instructions, <Desc / Clms Page number 95>  and as recovery means (20), means implementing a decryption method for decrypting the renamed setpoints and thereby restoring the identity of the dependent functions to be executed in the unit (6).  15-Method according to one of claims 1 to 14, characterized in that it consists: - 7 in the protection phase (P): to modify the protected software (2p): by choosing in the source of the protected software ( 2ps), at least one conditional branch performed in at least one chosen algorithmic processing, - by modifying at least a selected portion of the source of the protected software (2ps), this modification being such that during the execution of the protected software (2p) the functionality of at least one selected conditional branch is performed, by means of the second execution part (2pu), in the unit (6), and producing:> the first object part (2pos) of protected software (2p), this first object part (2pos) being such that during the execution of the protected software (2p), the functionality of at least one selected conditional branch is executed in the unit (6),> and the second object part (2pou) of the protected software (2p), this second part object (2pou) being such that, after loading in the unit (6) and during the execution of the protected software (2p), appears the second part of execution (2peu) by means of which the functionality of at least one selected conditional branch is executed, and in the utilization phase (U): in the presence of the unit (6) and whenever a portion of the first execution part (2pes) l imposes, to execute the functionality of at least one conditional branch in the unit (6), so that this portion is <Desc / Clms Page number 96>  executed correctly and that, therefore, the protected software (2p) is fully functional, and in the absence of the unit (6) and despite the request for a portion of the first execution part (2pes) of execute the functionality of a conditional branch in the unit (6), to not be able to respond correctly to this request, so that at least this portion is not executed correctly and that, therefore, the protected software (2p ) is not fully functional.  16-Method according to claim 15, characterized in that it consists, in the protection phase (P), to modify the protected software (2p): - by choosing, in the source of the protected software (2ps) at least one series of selected conditional branches, - by modifying at least a selected portion of the source of the protected software (2ps), this modification being such that during the execution of the protected software (2p), the global functionality of at least one chosen series of conditional branches is executed by means of the second execution part (2pu), in the unit (6), and by producing: the first object part (2pos) of the protected software (2p), this first object part (2pos) being such that during the execution of the protected software (2p), the functionality of at least one selected series of conditional branches is executed in the unit (6), and the second object part (2pou) of the software protected (2p), this second object part (2 being such that, after loading in the unit (6) and during the execution of the protected software (2p), the second execution part (2pu) appears by means of which the global functionality of at least one selected series of conditional branches is executed.  17-Process according to one of claims 1 to 16, characterized in that it consists in breaking down the protection phase (P) into an upstream protection sub-phase (PI), independent of the software to be protected and a sub-phase protection phase <Desc / Clms Page number 97>  downstream (P2), dependent on the software to be protected.  18-Process according to claim 17, characterized in that it consists, during the upstream protection sub-phase (PI), to involve a definition stage (S11) in which are performed all the definitions.  19-Process according to claim 18, characterized in that it consists, after the definition stage (S11), to involve a construction stage (S12) in which are constructed the operating means.  20-Process according to claim 19, characterized in that it consists, after the construction step (S12), to involve a pre-personalization stage (S13), of charging in a blank unit (60), at least part of the operating means to obtain a pre-personalized unit (66).  21-Process according to claim 18 or 19, characterized in that it consists, during the upstream protection sub-phase (PI), to involve a tool making stage (S14) in which are made tools to help generate protected software or to automate software protection.  22-Process according to claims 17 and 20, characterized in that it consists in decomposing the downstream protection sub-phase (P2), in: a creation step (S21) in which is created the protected software (2p) from the vulnerable software (2v), optionally, a modification stage (S22) in which the protected software (2p) is modified, and a personalization stage (S23) in which: the second object part (2p) ) of the protected software (2p) possibly containing the operating means is loaded into at least one blank unit (60) in order to obtain at least one unit (6), or part of the second object part (2pou) protected software (2p) possibly containing the operating means is loaded into at least one pre-personalized unit (66) in order to obtain at least one unit (6).  23-Process according to claims 21 and 22, characterized in that it consists, during the creation stage (S21) and optionally the modification stage (S22), in <Desc / Clms Page number 98>  use at least one of the tools for assisting in the generation of protected software or the automation of software protection.  24-System for implementing the method according to claim 19, characterized in that it comprises a program development unit, serving, during the construction stage (S12), to carry out the construction of the operating means for the unit (6), taking into account definitions at the definition stage (S11).  25-System for implementing the method according to claim 20, characterized in that it comprises a pre-personalization unit (30) for loading at least a portion of the operating means in at least one blank unit (60), to obtain at least one pre-customized unit (66).  26-System for implementing the method according to claim 21, characterized in that it comprises a program development unit, used to perform during the tool making stage (S14), the making of tools assistance in generating protected software or automating software protection.  27-System for implementing the method according to claim 22 or 23, characterized in that it comprises a program development unit for creating or modifying a protected software (2p).  28-System for implementing the method according to claim 22, characterized in that it comprises a personalization unit (45) for loading: * the second object part (2pou) in at least one virgin unit (60 ), in order to obtain at least one unit (6), or part of the second object part (2pou) in at least one pre-customized unit (66), in order to obtain at least one unit (6) ).  Pre-customized unit (66), characterized in that it is obtained by the system according to claim 25.  30-unit (6) for executing protected software (2p) and preventing its unauthorized use, characterized in that it contains the second object part (2pou) of the protected software (2p) loaded using a personalization unit (45) according to claim 28.  31-Set of units (6), characterized in that the second object part (2pou) <Desc / Clms Page number 99>  of the protected software (2p), loaded with a personalization unit (45) according to claim 28, is distributed over several processing and storage units so that their joint use makes it possible to execute the protected software (2p).  32-Distribution set (2pd) of a protected software (2p), characterized in that it comprises: a first distribution part (2pds) containing the first object part (2pos) and intended to operate in a system of data processing (3), * and a second distribution part (2pdu) in the form of: - a blank unit (60), - or a pre-customized unit (66) according to claim 29 , after loading personalization information, to be transformed into a unit (6), - or a unit (6) according to claim 30.  33-Distribution set (2pd) of a protected software (2p) according to claim 32, characterized in that the first distribution part (2pds) is in the form of a physical distribution means, CDROM for example, or in the form of files distributed over a network.  34-distribution set (2pd) of a protected software (2p) according to claim 32, characterized in that the second distribution portion (2pdu), in the form of virgin units (60), units pre-customized (66) or units (6), comprises at least one smart card.  A processing and storage unit characterized in that it contains the part of the second object part (2pu) necessary to transform a pre-customized unit (66) according to claim 29 into a unit (6) according to claim 30 .  36-Set of processing and storage units characterized in that the processing and storage units used together contain the part of the second object part (2pou) necessary to transform a pre-customized unit (66) according to claim 29 in a unit (6) according to the <Desc / Clms Page number 100>  claim 30.