HRP20040044A2 - Method for protecting a software using a so-called elementary functions principle against its unauthorised use - Google Patents

Description

This invention relates to the technical domain of data processing systems in a general sense, and more precisely, it is intended to protect programs used on said systems from unauthorized use.

The subject of the invention is especially the protection of the program from unauthorized use, using units for processing and storage, which can be implemented in the form of a "chip" card or a circuit key on a USB port.

In the technical domain mentioned above, the main problem is related to the unauthorized use of the program by users who have not paid for the license. This unauthorized use of the program causes an obvious loss for the program authors, program distributors, and all those who integrate such programs into their products. In order to avoid such unauthorized copies, different solutions are proposed, depending on the state of technology.

Such a protection solution used by the circuit protection system is known as a key or "dongle". This protection key should ensure that the program is run only in the presence of the key. However, it must be admitted that this solution is not effective, because it can easily be bypassed. A malicious person or hacker can, with the help of special tools such as disassemblers, erase the control instructions of the security key. Thus, illegal copies can be made that correspond to modified versions of the program, which can be run without protection. Furthermore, this solution cannot be used for all programs, since it is difficult to attach more than two protection keys to one system.

The object of the invention is to find a solution to the above-mentioned problems by proposing procedures to protect the program against unauthorized use, using an "ad hoc" unit for processing and storage, because the existence of such a unit is necessary for the program to be fully functional.

In achieving this goal, the subject of the invention relates to a method for protecting an unprotected program against unauthorized use, using at least one empty unit that includes at least processing and storage procedures, where said unprotected program is produced from source code and runs on a data processing system. The method according to the invention includes:

→ during the protection phase:

• defining:

- a set of elementary functions destined to be performed in the unit

- a set of elementary commands for the specified elementary functions, which are executed in the data processing system, and activate the execution of elementary functions in the unit

• creating an exploitation procedure that enables the transformation of an empty unit into a unit capable of performing elementary functions from the specified set, where the execution of the specified elementary functions activates the execution of elementary commands in the data processing system,

• creating a protected program:

- by selecting at least one algorithm which, during the execution of an unprotected program, uses at least one operand and returns at least one result,

- by selecting at least one section in the source code of an unprotected program that contains at least one selected algorithm,

- by producing the source code of the protected program from the source code of the unprotected program, by modifying at least one selected section of the source code of the unprotected program with the aim of obtaining at least one modified section of the source code of the protected program, where the modification is such that:

▸ during the execution of the protected program, the first executable part is executed in the data processing system, and the second executable part is executed in the unit obtained from the empty unit after loading the information,

▸ the second executable part performs at least the functionality of the selected algorithm,

▸ the least selected algorithm is divided so that during the execution of the protected program the specified algorithm is executed by means of another executable part, using elementary functions,

▸ for at least one selected algorithm, the elementary commands are integrated into the source code of the protected program, so that during the execution of the protected program each command is executed by the first executable part and activates, in unit, the execution of the elementary function by the second executable part,

▸ a sequence of elementary commands is selected from a set of sequences that allow the execution of the protected program,

- and production:

▸ of the first object part of the program, which is such that during the execution of the protected program, the first executable part that is executed in the data processing system appears and at least one section of which takes into account that the elementary commands are executed in accordance with the selected sequence,

▸ and the second object part of the protected program that contains the procedure for exploitation, which is such that, after loading into the empty unit and during the execution of the protected program, a second executable part appears, by means of which the elementary functions activated by the first executable part are performed,

• and loading another object part into the unit with the aim of obtaining the unit,

→ and during the code usage phase, the protected program is executed:

• in the presence of the unit, every time the segment of the first executable part imposes it, the execution of the corresponding elementary function in the unit, so that the specified segment is executed correctly and, consequently, the protected program is fully functional,

• and in the absence of a unit, the impossibility of correctly fulfilling the requirements of the sections of the first executable part to perform the appropriate elementary function in the unit and, consequently, the protected program is not fully functional.

According to a preferred embodiment, the process according to the invention includes:

→ during the protection phase:

• modification of the protected program:

- by selecting at least one variable that is used in at least one selected algorithm, and which partially defines the state of the protected program during the execution of the protected program,

- by modifying at least one selected section of the source code of the protected program in such a way that during the execution of the protected program at least one variable or a copy of the variable is placed in the unit,

- and production:

▸ of the first object part of the protected program from the source code of the protected program, where the first object part is such that during the execution of the protected program, at least one section of the first executable part takes into account that at least one variable or copy of the variable is located in the unit,

▸ of the second object part of the protected program, which is such that after loading into the unit and during the execution of the protected program, another executable part appears, by means of which at least one variable or a copy of the variable is also placed in the unit,

→ and during the use phase:

• in the presence of a unit, every time a segment of the first executable part imposes it, the use of a variable or a copy of a variable located in the unit, so that the specified segment is executed correctly and, consequently, the protected program is fully functional,

• and in the absence of a unit, the impossibility of correctly fulfilling the requirements of sections of the first executable part to use a variable or a copy of a variable located in the unit, and that, consequently, the protected program is not fully functional.

According to another preferred embodiment, the method according to the invention includes:

→ during the protection phase:

• defining:

- at least one characteristic of program execution, which can be at least partially monitored in the unit,

- at least one criterion that needs to be met for at least one characteristic of program execution,

- the detection procedure that is implemented in the unit, and enables the detection that at least one characteristic of the program execution is not met for at least one associated criterion,

- and the coercion procedure that is implemented in the unit and enables informing the data processing system and/or modifying the program execution, when at least one criterion is not met,

• creation of an exploitation procedure that enables the unit to also implement a detection procedure and a coercion procedure,

• and modification of the protected program:

- by selecting for monitoring at least one characteristic of program execution, among the characteristics of program execution destined for monitoring,

- by selecting at least one criterion that needs to be fulfilled for at least one selected characteristic of program execution,

- by selecting in the source code of the protected program, elementary functions for which at least one characteristic of program execution will be monitored,

- by modifying at least one selected section of the source code of the protected program, which is such that during the execution of the protected program, at least one selected characteristic is monitored using another executable part, and the fact that the criterion is not met leads to informing the data processing system and/or modifies the execution of the protected program,

- and by the production of another object part of the protected program that contains a procedure for exploitation that also implements a detection procedure and a coercion procedure, where the said second object part is such that after loading into the unit and during the execution of the protected program, at least one performance characteristic is monitored, and the fact that the criterion not being met leads to the fact that the data processing system is informed and/or the execution of the protected program is modified,

→ and during the use phase:

• in the presence of the unit:

- as long as all criteria corresponding to all monitored performance characteristics of all modified sections of the protected program are met, it is possible for the said section of the protected program to work correctly and, consequently, for the protected program to work correctly,

- and if at least one criterion corresponding to the monitored characteristic of the execution of the section of the protected program is not met, the data processing system is informed and/or the functioning of the section of the protected program is modified, so that the functioning of the protected program is modified.

In accordance with various embodiments, the method according to the invention includes:

→ during the protection phase:

• defining:

- as performance characteristics to be monitored, a variable that measures the use of the program's functionality,

- as a criterion to be met, at least one threshold associated with each measurement variable,

- the actualization procedure that enables at least one measurement variable to be refreshed,

• creation of an exploitation procedure that enables the unit to also use the actualization procedure,

• modification of the protected program:

- by selecting, as a characteristic of the program execution to be monitored, at least one variable that measures the use of at least one functionality of the program,

- by choosing:

▸ at least one functionality of the protected program whose use is monitored using a measurement variable,

▸ at least one measurement variable used to quantify the use of the specified functionality

▸ at least one threshold associated with the selected measurement variable that corresponds to the restriction of the use of the specified functionality,

▸ and at least one method of refreshing the selected measurement variable depending on the use of the specified functionality,

- and by modifying at least one selected section of the source code of the protected program, which is such that, during the execution of the protected program, the measurement variable is updated using another executable part depending on the use of the specified functionality, whereby at least one threshold crossing is taken into account,

→ and during the use phase, in the presence of the unit, and in the case where at least one threshold crossing corresponding to at least one use restriction is detected, the data processing system is informed about this and/or the functioning of the section of the protected program is modified, so that the functioning of the protected program modified.

In accordance with various embodiments, the method according to the invention includes:

→ during the protection phase:

• defining:

- for at least one measurement variable, several associated thresholds,

- and different coercion procedures corresponding to each specified threshold,

• modification of the protected program:

- by selecting in the source code of the protected program at least one selected measurement variable to which different thresholds must be associated in accordance with different limitations in the use of functionality,

- by selecting at least two thresholds associated with the selected measurement variable,

- and by modifying at least one selected section of the source code of the protected program, which is such that, during the execution of the protected program, the crossing of different thresholds is taken separately, using another executable part,

→ during the use phase:

• in the presence of the unit:

- in the case where the crossing of the first threshold is detected, a ban on further use of the corresponding functionality of the protected program,

- and in the case when crossing the second threshold is detected, deactivation of the corresponding functionality and/or at least one section of the protected program.

In accordance with various embodiments, the method according to the invention includes:

→ during the protection phase:

• defining a reloading procedure that allows crediting at least one functionality of the program that is monitored by a measurement variable, with at least one additional use,

• creating an exploitation procedure that also allows the unit to implement a reloading procedure,

• and modification of the protected program:

- by selecting in the source code of the protected program at least one selected measurement variable that enables limitation of the use of functionality and which must be credited with at least one additional use,

- and by modifying at least one selected segment, which is such that during the reloading call phase, at least one additional use of at least one functionality corresponding to the selected measurement variable can be credited,

→ and during the reload phase:

• re-actualization of at least one selected measurement variable and/or at least one associated threshold, so that at least one additional use of the functionality is allowed.

In accordance with various embodiments, the method according to the invention includes:

→ during the protection phase:

• defining:

- program usage profile as a characteristic of program execution intended for monitoring,

- and as a criterion to be met, at least one feature of program execution,

• and modification of the protected program:

- by selecting at least one program usage profile as a monitored program performance characteristic

- by selecting at least one performance feature for which at least one selected usage profile must be fulfilled,

- and by modifying at least one selected section of the source code of the protected program, which is such that during the execution of the protected program, the first executable part is retained for all selected features of the execution,

→ and during the use phase, in the presence of the unit, and in the case where it is detected that at least one performance feature is not fulfilled, informing the data processing system and/or modifying the functioning of the section of the protected program, so that the functioning of the protected program is modified:

In accordance with various embodiments, the method according to the invention includes:

→ during the execution phase:

• defining:

- a set of instructions that are subject to execution in the unit,

- a set of commands for the specified set of instructions, where the commands are subject to execution in the data processing system and activate the execution of instructions in the unit,

- as a usage profile, chaining of instructions,

- as execution features, expected chaining for execution of instructions,

- as a detection procedure, a procedure that enables the detection that the chaining of instructions does not correspond to the expected,

- as a coercion procedure, a procedure that enables informing the data processing system and/or modifying the functioning of a section of the protected program when the chaining of instructions does not correspond to the expected,

• creation of a procedure for exploitation that also enables the unit to execute instructions from a set of instructions, where the execution of said instructions is activated by executing commands in the data processing system,

• modification of the protected program:

- by modifying at least one selected section of the source code of the protected program:

▸ by transforming elementary functions into instructions,

▸ by specifying chaining where at least some of the instructions must exist during their execution in the unit,

▸ and by transforming elementary commands into instructions that correspond to the used instructions,

→ and during the use phase, in the presence of the unit, in the case where the detected chaining of instructions executed in the unit does not correspond to the expected, informing the data processing system and/or modifying the functioning of the section of the protected program, so that the functioning of the protected program is modified.

In accordance with various embodiments, the method according to the invention includes:

→ during the protection phase:

• defining:

- as a set of instructions, a set of instructions in which at least some instructions work with registers and use at least one operand with the intention of returning a result,

- for at least some of the instructions that are done with registers:

▸ part that defines the functionality of the instruction,

▸ and a part that defines the chaining of instruction execution and includes bits for:

◊ identification of the instruction field,

◊ and for each instruction operand:

* flag,

* and expected operand identification field,

- for each register that belongs to the exploitation procedure and was used from a set of instructions, the generation of an identification field in which the identification of the last instruction that returned the result to the specified register is automatically stored,

- as a detection procedure, a procedure that enables, during the execution of the instruction, for each operand, when the flag imposes it, to check the equality of the generated identification field corresponding to the register used by the specified operand and the expected identification field in the source code of the specified operand,

- as a coercion procedure, a procedure that enables the modification of the result of the instruction, if at least one of the checked equalities is false.

In accordance with other preferred embodiments, the method according to the invention includes:

→ during the protection phase:

• defining:

- as activated commands, elementary commands or instructions

- as dependent functions, elementary functions or instructions,

- as a command, at least one argument for activating the command, which corresponds at least partially to the information transferred from the data processing system to the unit, so that the execution of the corresponding dependent function is activated,

- a procedure for renaming an order that enables renaming an order, thus obtaining an activated order with a renamed order,

- a recovery procedure designed for use in the unit during the use phase, which enables the recovery of a dependent function that is performed from a renamed order,

• creating a procedure for exploitation that enables the unit to apply the recovery procedure.

• modification of the protected program:

- by selecting the activation command in the source code of the protected program,

- by modifying at least one selected section in the source code of the protected program by renaming the order of the selected activation command, related to hiding the identity of the corresponding dependent function,

- and production:

▸ of the first object part of the protected program, which is such that during the execution phase of the protected program, an activation command is executed with a renamed order,

▸ and the second object part of the protected program containing the procedure for exploitation, where the specified second object part is such that, after loading into the unit and during the execution of the protected program, the equality of the dependent function whose execution was activated by the first executable is restored, using the second executable part part, and the dependent function is performed using another executable part,

→ and during the use phase:

• in the presence of the unit and every time the activation command with the changed order, contained in the section of the first executable part, imposes it, the equality of the corresponding dependent function and its execution is restored in the unit, so that the specified section is executed correctly and that, consequently, the protected program is fully functional,

• in the absence of the unit, and in the spirit of the request of the section of the first executable part, to activate the execution of the dependent function in the unit, it is not possible to execute the specified request correctly, so that at least the specified section is not executed correctly and, consequently, the protected program is not fully functional.

In accordance with various embodiments, the method according to the invention includes:

→ during the protection phase:

• defining for at least one dependent function, families of dependent functions that are algorithmically equivalent, but are activated by commands whose renamed orders are different,

• and modification of the protected program:

- by selecting, in the source code of the protected program, at least one activation command with a renamed command,

- modification of at least one section of the source code of the protected program by replacing at least one renamed command of the selected activation command with another renamed command, activating a dependent function of the same family.

In accordance with various embodiments, the method according to the invention includes:

→ during the protection phase, defining, for at least one dependent function, a family of algorithmically equivalent dependent functions:

- by adding a noise field to the information defining the functional part of the dependent function that is performed in the unit,

- or by using the identification field of the instruction and the expected identification fields of the operands.

In accordance with various embodiments, the method according to the invention includes:

→ during the protection phase:

• defining:

- order encryption procedure, such as order renaming procedure,

- and as a recovery procedure, a procedure that implements a method for decrypting the renamed command and thus restores the identity of the dependent function that is performed in the unit.

In accordance with other preferred embodiments, the method according to the invention includes:

→ during the protection phase:

• modification of the protected program:

- by selecting, in the source code of the protected program, at least one conditional branching that is performed in at least one selected algorithm,

- by modifying at least one selected section of the source code of the protected program, which is such that during the execution of the protected program, the functionality of at least one selected conditional branching is performed using another executable part, in the unit,

- and production:

▸ of the first object part of the protected program, such that during the execution of the program, the functionality of at least one selected conditional branch is performed in the unit,

▸ and the second object part of the protected program, which is such that, after loading into the unit and during the execution of the protected program, another executable part appears by which the functionality of at least one selected conditional branching is performed,

→ and during the use phase:

• in the presence of the unit and every time the segment of the first protected part requires it, the execution of the functionality of at least one conditional branch in the unit, so that the specified segment is executed correctly and, consequently, the protected program is fully functional,

• both in the absence of the unit and in the spirit of the request of the section of the first executable part to perform conditional branching in the unit, the inability to fulfill the specified request correctly, so that at least the specified section is not executed correctly and, consequently, the protected program is not fully functional.

In accordance with various embodiments, the method according to the invention includes, during the protection phase, the modification of the protected program:

- by selecting, in the source code of the protected program, at least one set of selected conditional branches,

- by modifying at least one selected section of the source code of the protected program, which is such that during the execution phase of the protected program, the overall functionality of at least one selected series of conditional branches is performed using another executable part, in the unit,

- and production:

▸ of the first object part of the protected program, which is such that during the execution of the protected program, the functionality of at least one selected sequence of conditional branches is performed in the unit,

▸ of the second object part of the protected program, which is such that, after loading ' into the unit and during the execution of the protected program, another executed part appears, by means of which the overall functionality of at least one selected series of conditional branches is performed.

The method according to the invention thus enables the protection of the use of the program by using a processing and storage unit that represents a characteristic contained in the part of the program being executed. It follows that any derived version of a program that is attempted without a processing and storage unit forces the part of the program located in the processing and storage units to be recreated at runtime, otherwise said derived version of the program will not be fully functional.

Various other characteristics that can be seen from the description are shown in the attached diagrams, and show, as non-limiting examples, embodiments and implementations of the subject of the invention.

Figures 10 and 11 are functional block diagrams showing various examples of programs that are not protected, and which are protected by the method according to the invention.

Figures 20 and 22 show examples of different embodiments of the device for implementing the method according to the invention.

Figures 30 and 31 are functional block diagrams explaining the general principle of the method according to the invention.

Figures 40 and 43 are diagrams showing the protection procedure according to the invention by applying the variable protection principle.

Figures 50 and 54 are diagrams showing the protection procedure in accordance with the invention by applying the principle of protection by temporary separation.

Figures 60 and 64 are diagrams showing the protection procedure in accordance with the invention by applying the principle of protection using elementary functions.

Figures 70 and 74 are diagrams showing the protection procedure in accordance with the invention by applying the principle of protection by detection and coercion

Figures 80 and 85 are diagrams showing the protection procedure in accordance with the invention by applying the principle of protection by renaming.

Figures 90 and 92 are diagrams showing the protection procedure in accordance with the invention by applying the principle of protection by conditional branching.

Figure 100 is a diagram showing various stages of implementation of the subject invention.

Fig. 110 shows the implementation of a system that allows the implementation of the stage of the manufacturing stage in the protection stage in accordance with the invention.

Fig. 120 shows an embodiment of a pre-adapted unit used in a protection process according to the invention.

Figure 130 shows the implementation of a system that allows the implementation of tools from the production stage to the protection stage in accordance with the invention.

Figure 140 shows the implementation of the system that allows the implementation of the protection process in accordance with the invention.

Figure 150 shows an embodiment of the adaptation unit used in the protection process according to the invention.

In the following description, the following definitions will be used:

• Data processing system 3 is a system capable of executing a program.

• The processing and storage unit is capable of:

- accept the data received from the data processing system 3,

- return the data to the data processing system 3,

- save data at least partially hidden and save at least part of said data even if the unit is disconnected from the power supply,

- and implement a data processing algorithm, where a part or all of the data is hidden.

• Unit 6 is a processing and storage unit that implements the process according to the invention.

• An empty unit 60 is a unit that does not implement a process according to the invention, but which can receive data by transforming it into a unit 6.

• Pre-adjusted unit 66 is an empty unit 60 that receives part of the data allowing, after receiving additional data, to transform into unit 6.

• Loading information into blank unit 60 or pre-adapted unit 66 corresponds to transferring information to blank unit 60 or pre-adapted unit 66, and storing said transferred information. Transmission may eventually involve changing the format of the information.

• The variable, function or data contained in the data processing system 3 will be marked with an uppercase letter, while the variables, functions and data contained in the unit 6 will be marked with a lowercase letter.

• "Protected program" is a program that is protected by at least one principle of protection by a process implemented in accordance with the invention.

• "Unprotected program" is a program that is not protected by any principle of protection by the process implemented in accordance with the invention.

• In the case where the distinction between an unprotected and a protected program is not important, the term "program" is used.

• The program has different forms that depend on the observed moment in its life cycle:

- original form

- object form

- distribution

- dynamic form.

• The original form is a form that is understood to become an object form after transformation. The source form can provide various forms, from the conceptual abstract level to the level that is implemented directly in the data processing system or in the processing and storage unit.

• The object form of a program corresponds to the level of representation at which, after being transferred to a distribution form and loaded into a data processing system or processing and storage unit, it can be executed. Such a form can be, for example, binary code, interpreter code, etc.

• Distribution is a physical or virtual support that contains an object form, which is performed at the request of the user, which enables him to use the program.

• The dynamic form corresponds to the execution of the program by the distribution.

• A program section corresponds to a part of the program, such as one or more instructions that may or may not be in sequence, one or more function blocks that may or may not be in sequence, one or more functions that may or may not be in sequence one or more subroutines that may or may not be in sequence. A section of the program can also contain all of the above.

Figures 10 and 11 show different forms, respectively, of an unprotected program 2v in the general sense, and a protected program 2p protected in accordance with the process according to the invention.

Figure 10 shows the various forms of an unprotected 2v program that appear during its life cycle. An unprotected 2v program therefore appears in any of the following forms:

• original form of 2vs

• object form 2vo

• distribution 2vd. Said distribution may take the form of physical distribution media such as CDROM or files distributed via a network (GSM, Internet, etc.),

• or a dynamic form of 2ve corresponding to the execution of an unprotected program 2v on a data processing system of any known type, which as a rule includes at least one processor 4.

Figure 11 shows the different versions of the protected program 2p that appear during the life cycle. The protected program 2p can appear in any of the following forms:

• the original form 2ps which includes the first original part intended for the data processing system 3 and the second original part intended for the unit 6, where part of the mentioned original parts can be contained in the same file,

• the object form 2po which includes the first object part 2pos intended for the data processing system 3 and the second object part 2pou intended for the unit 6,

• 2pd distribution includes:

- the first distribution part 2pds which contains the first object part 2pos, where said first distribution part 2pds is intended for the data processing system 3 and can take the form of a medium for physical distribution such as a CDROM or be in the form of files distributed via a network (GSM, Internet etc.),

- and the second distribution part 2pdu which has the form:

▸ at least one pre-customized unit 66 into which the second object part 2pou is loaded and where the user completes the customization by loading additional data so that the unit 6 is obtained, where the additional data can, for example, be loaded over the network,

▸ or at least one unit 6 into which the second object part 2pou is loaded,

• or a dynamic representation of 2pe corresponding to the execution of the protected program 2p. Said dynamic representation 2pe includes a first executable part 2pes which is executed in the data processing system 3 and a second executable part 2peu which is executed in the unit 6.

In the case where the distinction between different forms of the protected program 2p is not important, the expressions first part of the protected program and second part of the protected program should be used.

The implementation of the process in accordance with the invention and in accordance with the dynamic form in Figure 11, uses a device 1p that contains a data processing system 3, which is connected by a connection 5, to a unit 6. The data processing system 3 can be of any type, and usually includes at least one processor 4. The data processing system 3 can be a computer or part of, for example, different machines, devices, fixed or mobile products, or intermediaries in a general sense. The connection 5 can be realized in any way, such as a serial connection, a USB bus, a radio connection, an optical connection, a network connection or a direct electrical connection to the circuit of the data processing system 3, etc. It should be noted that the unit 6 can be physically located within the integrated circuit of the processor 4 of the data processing system 3. In this case, the unit 6 can be seen as a co-processor in relation to the processor 4 of the data processing system 3, and the connection 5 is internal to the integrated circuit.

Figures 20 and 22 show, illustratively and in a non-limiting sense, different embodiments of the device 1p which allows the implementation of the protection process in accordance with the invention.

In the embodiment shown in Figure 20, the protective device 1p includes as a data processing system 3 in the form of a computer, and a unit 6 with a chip card 7 and an interface 8, which is commonly called a card reader. The computer 3 is connected to the unit 6 via the connection 5. During the execution of the protected program 2p, both the first executable part 2pes which is executed in the computer 3 and the second executable part 2peu which is executed in the "chip" card 7 and its interface 8 must be functional for the protected program 2p to be fully functional.

In the embodiment shown in Figure 21, the protection device 1p supplies the product 9 in a general sense, including various components 10 adapted to the function(s) assumed to have the product 9. The protection device 1p includes, on the one hand, a unit 6 connected to by product 9. If product 9 is fully functional, protected program 2p must be fully functional. Therefore, during the execution of the protected program 2p, both the first executable part 2pes which is executed in the data processing system 3 and the second executable part 2peu which is executed in the unit 6 must be functional. the mentioned protected program 2p thus indirectly provides protection against unauthorized use of product 9 or one of its functionalities. Product 9 can be, for example, an installation, system, machine, toy, household appliance, telephone, etc.

In the embodiment shown in Figure 22, the protective apparatus 1p includes several computers, as well as part of the communication network. The data processing system 3 is the first computer connected by a network-type connection 5 to the unit 6 arranged via the second computer. To implement the invention, the second computer 6 is used as a license server for the protected program 2p. During the execution of the protected program 2p, both the first executable part 2pes which is executed in the first computer 3 and the second executable part 2peu which is executed in the second computer must be functional so that the protected program 2p is fully functional.

Figure 30 provides a more precise explanation of the protection process according to the invention. It can be seen that for the unprotected program 2v, it is considered to be executed entirely in the data processing system 3. On the other hand, in the case of the implementation of the protected program 2p, the data processing system 3 includes a transmission means 12 connected via link 5, to the transmission means 13 which is part of the unit 6, enabling communication to be established between the first executable part 2pes and the second executable part 2peu of the protected program 2p.

It should be taken into account that the transmission means 12 and 13 are of a programming and/or circuit nature and are capable of ensuring and possibly optimizing the exchange of data between the data processing system 3 and the unit 6. The said transmission means 12, 13 are adapted to enable the availability of the protected program 2p which is, preferably, independent of the used type of connection 5. The mentioned transmission means 12, 13 are not part of the invention and are not specifically described because they are considered to be known to experts. The first part of the protected program 2p includes commands. During the execution of the protected program 2p, the execution of said commands by the first executable part 2pes enables communication between the first executable part 2pes and the second executable part 2peu. In the rest of the description of the invention, the mentioned commands are indicated by IN, OUT and TRIG.

As shown in Fig. 31, in order to allow the implementation of the second executable part 2peu of the protected program 2p, the unit 6 includes a protection process 14. The protection process 14 includes a storing process 15 and a processing process 16.

In order to simplify the rest of the description of the invention, the presence or absence of unit 6 during the execution of the protected program 2p was taken into consideration. In reality, the case when the unit 6 providing the protection process 14 is not adapted to execute the second executable part 2peu of the protected program 2p is also considered as an error, and the execution of the protected program 2p is not correct. In other words:

• when the unit 6 is physically present and includes the protection procedure 14 adapted for execution in the second executable part 2peu of the protected program 2p, it is always considered to be present,

• when unit 6 is physically present, but includes a protection procedure 14 that is not adapted, i.e. it does not allow the correct implementation of the second executable part 2peu of the protected program 2p, it is considered to be present when the program is working correctly, i.e. it is missing when it is not working correctly,

• even when unit 6 is physically missing, it is always considered missing.

In the case where the unit 6 is implemented as a "chip" card 7 and its interface 8, the transfer process is divided into two parts, one of which is in the interface 8 and the other in the "chip" card 7. In this embodiment, the absence of a "chip " of the card 7 is equal to the absence of the unit 6. In other words, in the absence of the "chip" card 7 and/or its interface 8, the protection procedure 14 is not available, so it is not possible to execute the second part 2peu of the protected program 2p, so that the protected program 2p is not fully functional .

In accordance with the invention, the goal of the protection process is the implementation of the principle of protection by "elementary functions", the description of which is shown in Figures 60 to 64.

To implement the principle of protection with elementary functions, the following is defined:

• a set of elementary functions that must be performed in unit 6, using the second executable part 2peu, and possibly transfer data between the data processing system 3 and unit 6,

• a set of elementary commands for the specified set of elementary functions, where the specified elementary commands are destined for execution in the data processing system 3 and for activating the execution of the corresponding elementary functions in the unit 6.

To implement the principle of protection using elementary functions, an exploitation procedure is also constructed that enables the transformation of the empty unit 60 into a unit 6 capable of performing elementary functions, where the execution of said elementary functions is activated by executing elementary commands in the data processing system 3.

To implement the protection principle using elementary functions, at least one algorithm that uses at least one operand and returns at least one result is also selected, in the source code of the unprotected program 2vs. At least one section in the source code of the unprotected 2vs program containing at least one algorithm is also selected.

Then at least one selected section of the source code of the unprotected program 2vs was modified so that the source code of the protected program 2ps was obtained. This modification is such that, among other things:

• during the execution of the protected program 2p, at least one section of the first executable part 2pes which is executed in the data processing system 3, takes into account that the functionality of at least one selected algorithm is executed in the unit 6,

• during the execution of the protected program 2p, the second executable part which is executed in unit 6, executes at least one functionality of at least one selected algorithm,

• each selected algorithm is split so that during the execution of the protected program 2p, each selected algorithm is executed using elementary functions by the second executable part 2peu. Preferably, each chosen algorithm is divided into elementary functions fen (where n varies from 1 to N), namely:

- possibly one or more elementary functions that enable placing one or more operands at the disposal of unit 6,

- elementary functions, where some use operands and in combination perform the functionality of selected algorithms, using the specified operands,

- and possibly one or more elementary functions that make it possible to place the results of the selected algorithms at the disposal of the data processing system 3 via the unit 6,

• is a selected sequence of elementary commands selected from a set of sequences that allow the execution of the protected program 2p.

The first executable part 2pes of the protected program 2p executed in the data processing system 3 executes elementary commands CFEn (where n changes from 1 to N) which activate, in unit 6, the execution of each of the previously defined elementary functions fen by the second executable part 2 peu.

Figure 60 shows an example of the execution of an unprotected program 2v. In this example, in the data processing system 3 during the execution of the unprotected program 2v there occurs, at a certain time, the calculation Z←F(X, Y) corresponding to the association of the result of the algorithm represented by the function F using the operands X and Y of the variable Z.

Figure 61 shows an example of the implementation of the invention for which the selected algorithm from Figure 60 is separated into unit 6. In this example, during the execution of the first executable part 2pes of the protected program 2p in the data processing system 3 and in the presence of unit 6, occurs:

• at times t1, t2, execution of elementary commands CFE1, CFE2 activating in unit 6 the execution of corresponding elementary functions fe1, fe2 by means of the second executive part 2peu, which ensures the transfer of data X, Y from the data processing system 3 to the memory areas in order x, y located in the memory 15 of the unit 6, and where the mentioned elementary commands CFE1, CFE2 are displayed respectively with OUT(x, X), OUT(y, Y),

• at times t3 to tN-1, the execution of elementary commands CFE3 to CFEN-1 activates the execution of the corresponding functions fe3 to feN-1 in unit 6 by means of the second executable part 2peu, where the specified elementary commands CFE3 to CFEN-1 are displayed, respectively, with TRIG (fe3) to TRIG(feN-1). A series of elementary functions fe3 to feN-1 executed in combination is the algorithmic equivalent of function F. More precisely, the execution of the mentioned elementary commands leads to the execution, in unit 6, of elementary functions fe3 to feN-1 that use the contents of memory areas x, y and return the result to the memory area from unit 6,

• at the moment tN, the execution of the elementary command CFEN activates, in unit 6, the execution of the elementary function feN by means of the second executable part 2peu, ensuring the transfer of the result of the algorithm, contained in the memory zone z of unit 6 to the data processing system 3, by attaching it to the variable Z , where the specified elementary command CFEN is represented by IN(z).

In the shown example, elementary commands 1 to N are executed sequentially. It should be noted that two improvements can be achieved:

• The first improvement refers to the case where several algorithms are separated into unit 6 and at least the result of one algorithm is used in another algorithm. In this case, some elementary commands used for transmission can possibly be removed.

• The second improvement refers to deciding on a suitable sequence of elementary commands from among the set of sequences that allow the execution of the protected program 2p. In view of this, it is desirable to choose a sequence of elementary commands that temporarily separate the execution of elementary functions, inserting between them, sections of code executed in the data processing system 3 and may or may not include elementary commands used to determine other data. Figures 62 and 63 show the principle of such a design.

Figure 62 shows an example of the execution of an unprotected program 2v. In this example, during the execution of the unprotected program 2v, in the data processing system 3, the execution of two algorithms leading to the determination of Z and Z' occurs, such that Z←F(X, Y) and Z'←F'(X' , Y').

Fig. 63 shows an example of the implementation of the process according to the invention for which the two selected algorithms selected from Fig. 62 are separated into the unit 6. According to this example, during the execution of the first executable part 2pes of the protected program 2p in the data processing system 3 and in the presence of the unit 6 , there is, as previously explained, the execution of elementary commands CFE1 to CEFN corresponding to the determination of Z and the execution of elementary commands CFE'1 to CEF'M corresponding to the determination of Z'. As shown, elementary statements CFE1 through CFEN are not executed in sequence, because elementary statements CFE'1 through CFE'M are inserted as well as other code segments. In the example, the following sequence is performed: CFE1, embedded code segment, CFE'1, CFE2, embedded code segment, CFE'2, CFE'3, embedded code segment, CFE'4, CFE3, CFE4,..., CFEN , CFE'M.

It should be noted that during the execution of the protected program 2p, in the presence of unit 6, every time the elementary command contained in the section of the first executable part 2pes of the protected program 2p imposes it, the corresponding elementary function is executed in unit 6. So, it happens that in the presence of unit 6 , the specified part executes correctly and that, consequently, the protected program 2p is fully functional.

Figure 64 shows an example of an attempt to execute the protected program 2p, when unit 6 is missing. In this example, during the execution of the first executable part 2pes of the protected program 2p in the data processing system 3, at any time the execution of the elementary command cannot activate the execution of the corresponding elementary function due to the lack of unit 6. The value attached to the variable Z cannot be determined correctly .

That is why it happens that in the absence of unit 6, at least one request from the section of the first executable part 2pes of the protected program 2p to activate the execution of the elementary function in unit 6 cannot be fulfilled correctly, so that the section mentioned at least cannot be executed correctly and that, consequently, the protected program 2p is not fully functional.

In accordance with another advanced feature of the invention, the goal of the protection process is to implement the "variable" protection principle, the description of which is shown in Figures 40 to 43.

To implement the variable protection principle, at least one 2vs variable is selected in the source code of the unprotected program 2vs, which, during the execution of the unprotected program 2v, partially defines its state. The state of the program should be understood as a set of pieces of information that are necessary at a given moment for the correct execution of the specified program, so that the absence of variables selected in this way hinders the complete execution of the specified program. At least one part of the source code of the unprotected 2vs program containing at least one selected variable is also selected.

At least one selected portion of the source code of the unprotected program 2vs is then modified, so that the source code of the protected program 2ps is obtained. This modification is such that during the execution of the protected program 2p, at least one segment of the first executable part 2pes which is executed in the data processing system 3, takes into account that at least one selected variable or at least one copy of the selected variable remains in the unit 6.

Figure 40 shows an example of the execution of an unprotected program 2v. In this example, during the execution of unprotected program 2v in data processing system 3, the following occurs:

• at time t1, data X is transferred to variable V1, represented by V1←X

• at time t2, the value of V1 is transferred to the variable Y, represented by Y←V1

• at time t2, the value of V1 is transferred to the variable Z, represented by Z←V1

Figure 41 shows an example of the first way of implementing the invention where the variable remains in the unit 6. In this example, during the execution of the first executable part 2pes of the protected program 2p in the data processing system 3, and in the presence of the unit 6, occurs:

• at time t1, the execution of the command to activate the data transfer activates the transfer of data X from the data processing system 3 to the variable v1 located in the memory 15 of the unit 6, and the specified transfer command is displayed with OUT(v1, X) and corresponds to the completion of the association of data X variables v1,

• at time t2, execution of the command to activate the transfer of the variable v1 stored in the unit 6 to the data processing system 3 so as to associate it with the variable Y, and said transfer is indicated by IN(v1) and corresponds to the completion of the association of the value of the variable v1 with the variable Y,

• at time t3, executing a command to activate the transfer v1 stored in the unit 6 to the data processing system 3 by associating it with the variable Z, and said transfer is represented by IN(v1) and corresponds to the completion of associating the value of the variable v1 with the variable Z.

It can be observed that during the execution of the protected program 2p, at least one variable is located in the unit 6. Thus, when the segment of the first executable part 2pes of the protected program 2p imposes it, and in the presence of the unit 6, the value of the variable located in the unit 6 is transferred to the processing system data 3 to be used by the first executable part 2pes of the protected program 2p, so that said section is executed correctly and, consequently, the protected program 2p is fully functional.

Figure 42 shows an example of another form of implementation of the invention in which a copy of the variable is located in the unit 6. In this example, during the execution of the first executable part 2pes of the protected program 2p in the data processing system 3, and in the presence of the unit 6, occurs:

• at time t1, associating the variable x to the variable V1 located in the data processing system 3, as well as executing the command to activate the transfer of data X in the data processing system 3 to the variable v1 located in the memory 15 of the unit 6, and the specified transfer is displayed in the form of OUT( v1, X),

• at the moment t2, when the value of the variable V1 is associated with the variable X,

• and at time t3, executing a command to activate the transfer of the value of the variable v1 located in the unit 6 to the data processing system 6 by holding it to the variable Z, and said transfer command is displayed as IN(v1).

It should be noted that during the execution of the protected program 2p, at least one copy of the variable is stored in the unit 6. Thus, when the section of the first executable part 2pes of the protected program 2p so requires, and in the presence of the unit 6, the value of the specified copy of the variable located in the unit 6 is transferred to the data processing system 3 to be used by the first executable part 2pes of the protected program 2p, so that said section is executed correctly and, consequently, the protected program 2p is fully functional.

Figure 43 shows an example of an attempt to execute the protected program 2p when unit 6 is missing. In this example, during the execution of the first executable part 2pes of the protected program 2p in data processing system 3:

• at time t1 the execution of the transfer command OUT(v1, X) cannot activate the transfer of data X to the variable v1, given that unit 6 is missing,

• at time t2, the execution of the transfer command IN(v1) cannot activate the transfer of the value of the variable v1 to the data processing system 3, given that the unit 6 is missing,

• and at time t3, the execution of the transfer instruction IN(v1) cannot activate the transfer of the value of the variable v1 to the data processing system 3, given that the unit 6 is missing.

It is therefore visible that in the absence of unit 6, at least one request of the section of the first executable part 2pes for the use of a variable or a copy of the variable located in unit 6 cannot be correctly fulfilled, so that the section mentioned at least is not executed correctly and, consequently, the protected program 2p not fully functional.

It should be noted that the data transfer between the data processing system 3 and the unit 6 shown in the previous example uses only a simple join, but it is known to those skilled in the art that it can be combined with other operations to obtain complex operations such as for example OUT(v1,2 *X+3) or Z←(5*v1+v2).

In accordance with the second advantage of the invention, the protection process aims to implement the protection principle called "detection and coercion", the description of which is presented in relation to figures 70 to 74.

To implement the principles of protection by detection and coercion, the following are defined:

• at least one performance characteristic subject to at least partial monitoring in unit 6,

• at least one criterion that needs to be met for at least one characteristic of program execution,

• the detection procedure 17 which is implemented in unit 6 a allows to detect that at least one characteristic of the program execution is not fulfilled for at least one associated criterion,

• the coercion procedure 18, which is implemented in unit 6 and enables the data processing system 3 to be informed and/or program execution modified, when at least one criterion is not met.

To implement the principle of protection by detection and coercion, an exploitation procedure is also created that enables the transformation of the empty unit 60 into unit 6 by implementing at least the detection procedure 17 and the coercion procedure 18.

Figure 70 shows the procedures necessary to implement the principles of protection by detection and coercion. Unit 6 includes a detection procedure 17 and a forcing procedure 18 belonging to the processing part 16. The forcing procedure 18 is informed by the detection procedure 17 that the criteria are not met.

More precisely, the detection process 17 uses the information coming from the transmission process 13 and/or the memory 15 and/or the processing part 16, so that one or more characteristics of the program execution are monitored. For each characteristic of program execution, at least one criterion is set that must be fulfilled.

In the case when at least one characteristic of the program execution is detected that is not fulfilled in at least one criterion, the detection process 17 informs the forcing process 18 about it. Said forcing procedure 18 is adapted to modify, in an appropriate manner, the state of unit 6.

To implement the principle of protection by detection and coercion, the following are also selected:

• at least one characteristic of the program to monitor, among the characteristics of program execution that can be monitored,

• at least one criterion that needs to be met for at least one selected characteristic of program execution,

• in the source code of the unprotected 2vs program, at least one algorithm for which the program execution characteristic is monitored,

• and in the source code of the unprotected 2vs program, at least one segment of at least one algorithm.

At least one selected section of the source code of the unprotected program 2vs is modified, so that the source code of the protected program 2ps is obtained. This modification is such that, during the execution of the protected program 2p, among other things:

• at least one segment of the first executable part 2pes, which is executed in the data processing system 3, takes into account that at least one selected characteristic of the execution of the program is monitored, at least partially, in the unit 6,

• and the second executable part 2peu, which is executed in unit 6, follows at least a partially selected characteristic of program execution.

During the execution of the protected program 2p, protected by this principle of protection by detection and coercion, in the presence of unit 6:

• as long as all the criteria corresponding to the monitored performance characteristics of all modified sections of the protected program 2p are met, the said section of the protected program 2p works correctly, so that the said protected program 2p works correctly,

• and if at least one of the criteria corresponding to the monitored performance characteristics of the segment of the protected program 2p is not met, the data processing system 3 is informed about this and/or the functioning of the segment of the protected program 2p is modified, so that the functioning of the protected program 2p is modified.

Naturally, in the absence of unit 6, at least one request of the section of the first executable part 2pes of the protected program 2p to use unit 6 cannot be fulfilled correctly so that the at least said section is not executed correctly and, consequently, the protected program 2p is not fully functional.

To implement the principles of protection by detection and coercion, two types of program execution characteristics are preferred.

The first type of program performance characteristic corresponds to the measurement of program performance, and the second corresponds to the program usage profile. The mentioned two types of characteristics can be used independently or in combination.

To implement the principle of protection by detection and coercion using, as a performance characteristic, a variable that measures the performance of the program, the following are defined:

• in memory 15, the possibility of storing at least one variable that measures the use of at least one functionality of the program,

• in the detection procedure 17, the possibility of monitoring at least one threshold associated with each measurement variable,

• and the actualization procedure that enables each measurement variable to be refreshed depending on the use of the functionality associated with it.

An exploitation procedure is also constructed that implements the actualization procedure in addition to the detection procedure 17 and the forcing procedure 18 .

It is also selected, in the source code of the protected program 2vs:

• at least one characteristic of program execution 2p, the use of which is monitored using a measurement variable,

• at least one variable that measures the use of the specified functionality,

• at least one threshold associated with the measurement variable that corresponds to the limit of use of the specified functionality,

• and at least one method of refreshing the measurement variable depending on the use of the mentioned functionality.

The source code of the unprotected program 2vs is then modified, so that the source code of the protected program 2ps is obtained, with the modification being such that during the execution of the protected program 2p, the second executable part 2peu:

• updates the measurement variable that measures the use of the specified functionality,

• and also takes into account at least one threshold crossing.

In other words, during the execution of the protected program 2p, the measurement variable is refreshed depending on the use of the specified functionality, and when the threshold is exceeded, the detection process 17 informs the enforcement process 18 about it, which makes a customized decision to inform the data processing system 3 and/or about the modification processing performed by the processing part 16, which enables the modification of the functioning of the section of the protected program 2p, so that the functioning of the protected program 2p is also modified.

To implement the first preferred variant of the invention of the principle of protection by detection and coercion using, as characteristics, measurement variables, the following are defined:

• for at least one measurement variable, several associated thresholds,

• and different coercive procedures corresponding to each of the mentioned thresholds.

It is also selected, in the source code of the unprotected 2vs program:

• at least one variable that measures the use of at least one functionality of the program and which must be associated with several thresholds that correspond to different limits of the use of the mentioned functionalities,

• and at least two thresholds associated with the measurement variable.

The source code of the unprotected program 2vs is then modified, so that the source code of the protected program 2ps is obtained, and this modification is such that, during the execution of the protected program 2p, the second executable part 2peu:

• updates the measurement variable depending on the use of the specified functionality,

• and takes into account, separately, the transitions of different thresholds.

In other words, normally, during the execution of the protected program 2p, when the first threshold is crossed, the unit 6 informs the data processing system 3 that the protected program 2p no longer uses the specified functionality. If the protected program 2p continues to use the specified functionality, the second threshold can potentially be crossed. In case the second threshold is crossed, the forcing procedure 18 can neutralize the selected functionality and/or neutralize the protected program 2p.

To implement the second preferred different embodiment of the principle of protection by detection and coercion using, as a characteristic, a measurement variable, a reloading method is defined that enables the crediting of at least one functionality of the program followed by the measurement variable with at least one additional use.

An exploitation procedure is also created that implements the actualization procedure in addition to the detection procedure 17 and the coercion procedure 18.

There is also selected, in the source code of the unprotected 2vs program, at least one measurement variable that is used to limit the use of at least one functionality of the program and which must be capable of being credited with at least one additional use.

The source code of the unprotected program 2vs is then modified, so that the source code of the protected program 2ps is obtained, and this modification is such that, during a phase called reloading, at least one additional use of at least one functionality corresponding to the selected measurement variable can be credited.

During the reloading phase, reactualization of at least one selected measurement variable and/or at least one associated threshold is performed, so that additional use of the corresponding functionality is allowed. In other words, during the recharge phase, it is possible to credit additional use of at least one functionality of the protected program 2p.

To implement the principle of protection by detection and coercion using, as a characteristic, the profile of the use of the program, at least one feature of the program's execution is defined as a criterion that must be met for the specified profile of use.

It is also selected in the source code of the unprotected 2vs program:

• at least one usage profile for monitoring

• and at least one performance feature for which at least one selected usage profile must be met

Then the source code of the unprotected program 2vs is modified, so that the source code of the protected program 2ps is obtained, where the modification is such that, during the execution of the protected program 2p, the second executable part 2peu should fulfill all the selected execution features. In other words, the unit 6 itself monitors the execution mode of the second executable part 2peu and, if necessary, informs the data processing system 3 and/or modifies the functioning of the protected program 2p, in the event that at least one execution feature is not fulfilled.

During the execution of the protected program 2p, protected by this principle, in the presence of unit 6:

• as long as all the performance features of the modified section of the protected program 2p are present, said modified section of the protected program 2p works correctly, so that the protected program 2p works correctly,

• and if at least one execution feature of the section of the protected program 2p is not present, the data processing system 3 is informed and/or the functioning of the section of the protected program 2p is modified, so that the functioning of the protected program 2p is modified.

Monitoring of various features of execution may be contemplated, such as instruction presence monitoring that includes markers to monitor execution modification for at least one portion of the instructions.

To implement the principle of protection by detection and coercion using execution features that should be present, by monitoring execution changes for at least one part of the instructions, the following is defined:

• a set of instructions specified for execution in unit 6,

• a set of commands for the specified set of instructions, where the specified commands are intended for execution in the data processing system 3. The execution of each of the specified commands in the data processing system 3 activates the execution of the corresponding instructions in the unit 6,

• detection procedure 17, which allows determining that the change of instructions does not correspond to the expected one,

• and the coercion procedure 18, which enables informing the data processing system 3 and/or modifying the execution of the program when the change of instructions does not correspond to the expected one.

An exploitation procedure is also constructed which enables the unit 6 to also execute instructions from the set of instructions, where the execution of said instructions is activated by the execution of commands in the data processing system 3.

Also, in the source code of the unprotected program 2vs, at least one algorithm is selected, which must be separated into unit 6 and for which the modification of at least one part of the instructions is monitored.

The source code of the unprotected program 2vs is then modified, so that the source code of the protected program 2ps is obtained, which is modified so that during the execution of the protected program 2p:

• the second executable part of 2peu performs at least one functionality of the selected algorithm,

• the selected algorithm is divided into instructions,

• chaining is specified, where at least some instructions must be present during their execution in unit 6,

• and the first executable part 2pes of the protected program 2p executes commands that activate the execution of instructions in unit 6.

During the execution of the protected program 2p, which is protected by this principle, in the presence of unit 6:

• as long as the chaining of instructions of all modified sections of the protected program 2p executed in unit 6 are as expected, the said modified section of the protected program 2p works correctly, so that the said protected program 2p also works correctly,

• and if the instruction changes in the section of the protected program 2p executed in unit 6 do not correspond to the expectations, the data processing system 3 is informed and/or the functioning of the section of the protected program 2p is modified, so that the functioning of the protected program 2p is modified.

Figure 71 shows an example of the implementation of the principle of protection by detection and coercion using, as a performance feature to be fulfilled, the monitoring of the chaining of the execution of at least one part of the instructions, in the case when the expected chains are met.

The first executable part 2pes of the protected program 2p which is executed in the data processing system 3, executes the commands CIi by activating, in the unit 6, the execution of the instructions ii belonging to the set of instructions. In the specified set of instructions, at least some of the instructions include a part that defines the functionality of the instruction and a part that enables the verification of the expected change in the execution of the instructions. In this example, the CIi instruction is represented by TRIG(ii), and the expected instruction execution changes are in, in+1, and in+2. The execution of the instruction in in unit 6 gives the result a, and the execution of the instruction in+1 gives the result b. The instruction in+2 is used as an operand, and the results a and b of the instructions in and in+1 and their executions give the result c.

Considering that the specified changes to the instructions performed in unit 6 are as expected, this results in the correct or nominal functioning of the protected program 2p.

Figure 72 shows an example of the implementation of the principle of protection by detection and coercion using, as a performance feature that should be present, the monitoring of the chaining of the execution of at least part of the instructions, in the case where the expected chaining is not present.

According to this principle, the expected chaining for executing instructions is the same as in, in+1 and in+2. However, the execution chaining is modified by replacing the in instruction with the i'n instruction, so that the actual execution chaining is i'n, in+1, and in+2. The execution of the instruction i'n gives the result a, i.e. the same result as the execution of the instruction in. However, at the last execution of the instruction in+2, the detection procedure 17 detects that the instruction i'n does not correspond to the expected instruction that generates the result a, which is used as the operand of the instruction in+2. The detection process 17 informs the forcing process 18 about it, which accordingly modifies the functioning of the instruction in+2, so that the execution of the instruction in+2 gives a result c' that can be different from c. Naturally, if the execution of the instruction i'n produces a result a' that is different from the result a of the instruction in, it is clear that the result of the instruction in+2 can also be different from c.

Since the chaining of instructions executed in unit 6 does not correspond to the expected, the functioning of the protected program 2p is modified.

Figures 73 and 74 show a preferred embodiment of the protection principle using detection and coercion which, as an execution feature to be present, follows the chaining of the execution of at least one part of the instructions. According to a preferred embodiment, a set of instructions is defined, of which at least some instructions work with registers and use at least one operand with the intention of returning a result.

As shown in Figure 73, at least some instructions are defined to work with registers, where the PF part defines the functionality of the instructions, and the PE part defines the expected chaining of instruction execution. The PF portion corresponds to an operation code known to those skilled in the art. The PE part defines the expected chaining which includes the bits corresponding to:

• the identification field of the CII instruction

• and for each operand k of the instruction, where k changes from 1 to K, and by the number of operands of the instruction K:

- flag CDk indicating whether or not it is appropriate to verify the source of operand k,

- field of the expected identification of the operand CIPk, which indicates the expected identity of the instruction that generates the content of the operand k.

As shown in Figure 74, the instruction set includes V registers belonging to the processing procedure 16, each register is called Rv, where v varies from 1 to V. For each register Rv, two fields are defined, namely:

• function field CFv, known to experts, which is used to store the results of executing instructions,

• and the generated identification field CIGv, which enables the identity of the instruction that generates the content of the function field CFv to be stored. Said generated identification field CIGv is automatically updated with the content of the identification field of the instruction CII that generates the function field CFv. Said generated identification field CIGv is thereafter not accessible or modifiable by any instruction and is used only by the detection procedure 17.

During the execution of the instruction, the detection procedure 17 performs the following functions for each operand:

• the CDk flag has been read

• if the flag CDk imposes it, the field of the expected identification CIPk and the field of the generated identification CIGv corresponding to the used register are read,

• checking the equality of fields CIPk and CIGv,

• and if the fields are not equal, the detection procedure 17 considers that execution chaining is not present

The forcing procedure 18 enables modification of the instruction result when the detection procedure 17 informs it that instruction chaining is not present. The desired performance is achieved by modifying the functional part of the PF instruction currently being executed or the functional part of the PF next instruction.

In accordance with the following advanced characteristic of the invention, the protection process is directed to the implementation of the protection principle called "renaming", the description of which is presented in relation to Figures 80 to 85.

To implement the principle of protection by renaming, the following are defined:

• a set of dependent functions, destined to be performed by the second executable part 2peu, in unit 6, and possibly intended for data transfer between the data processing system 3 and unit 6, where the specified set of functions can be finite or infinite,

• a set of commands for activating the specified dependent functions, where the specified activation commands are destined for execution in the data processing system 3, and activate the execution of the corresponding dependent functions in the unit 6,

• for each activation command, an order that at least partially corresponds to the information transferred from the first executable part 2pes, to the second executable part 2peu, so that the activation of the execution of the corresponding dependent function, the specified order takes the form of at least one argument of the activation command,

• a command renaming procedure designed for use during modification of an unprotected 2v program, which allows command renaming so that an activation command is obtained with a renamed command that allows concealing the identity of the corresponding dependent function,

• a recovery procedure 20 designed for use in unit 6 during the use phase, which enables recovery of the initial order from the renamed order by restoring the dependent function for execution.

To implement the principle of protection by renaming, an exploitation procedure is created that enables the transformation of the empty unit 60 into unit 6 by implementing at least the recovery procedure 20.

To implement the principle of protection by renaming, it is also selected, in the source code of the unprotected program 2vs:

• at least one algorithm that uses at least one operand and returns at least one result,

• and at least one fragment of the source code of the unprotected 2vs program, which contains at least one selected algorithm.

Then the source code of the unprotected program 2vs is modified, so that the source code of the protected program 2ps is obtained. This modification is such that, among other things:

• during the execution of the protected program 2p, at least one segment of the first executable part 2pes, which is executed in the data processing system 3, takes into account that the functionality of at least one selected algorithm is executed in the unit 6,

• during the execution of the protected program 2p, the second executable part 2peu, which is executed in unit 6, performs at least one functionality of at least one selected algorithm,

• each selected algorithm is split so that during the execution of the protected program 2p, each selected algorithm is executed by another executable part 2peu, using dependent functions. Preferably, each algorithm is divided into dependent functions fdn (n varies from 1 to N), namely:

- possibly one or more dependent functions that make it possible to place one or more operands at the disposal of unit 6,

- dependent functions, some of which use operand(s) and are performed in combination with the functionality of the selected algorithm, using the specified operand(s),

- and possibly, one or more dependent functions that enable, by means of unit 6, making the results of the algorithm available to the data processing system 3,

• during the execution of the protected program 2p, the second executable part 2peu executes the dependent function fdn,

• during the execution of the protected program 2p, the dependent function is activated by activation commands with renamed commands,

• a sequence of commands for activation is selected from a set of sequences that allow the execution of the protected program 2p.

The first executable part 2pes of the protected program 2p, which is executed in the data processing system 3, executes the activation commands with the renamed orders by transferring the order to the unit 6, and activates, in the unit 6, the renewal of the order using the renewal process 20, and then executing, using the second executive part 2peu, all previously defined functions fdn.

In other words, the principle of protection by renaming is carried out by renaming the orders of activation commands, so that the received activation commands with renamed orders, the execution of which in the data processing system 3 is activated, in the unit 6, the execution of dependent functions, which can be activated by the activation commands with non-renamed orders, however, without examining the protected program 2p which allows determining the identity of executed dependent functions.

Figure 80 shows an example of the execution of an unprotected program 2v. In this example, during the execution of the unprotected program 2v in the data processing system 3, the calculation of Z←F(X, Y) occurs, at a certain moment, which corresponds to the association of the variables Z with the result of the algorithm represented by the function F and using the operands X and Y.

Figures 81 and 82 show an example of the implementation of the invention.

Figure 81 shows a partial implementation of the invention. In this example, during the execution of the first executable part 2pes of the protected program 2p in the data processing system 3 and in the presence of the unit 6, occurs:

• at times t1, t2, the execution of activation commands CD1, CD2 which activate, in unit 6, the execution of the corresponding dependent functions fd1, fd2 by means of the second executive part 2peu, thereby ensuring the transfer of data X, Y from the data processing system 3 to the areas to store in the order x, y located in the store procedure 15 in unit 6, and where the commands to activate CD1, CD2 are indicated respectively by OUT(x, X), OUT(y, Y),

• at times t3 to tN-1 the execution of activation commands CD3 to CDN-1 which activate, in unit 6, the execution of the corresponding dependent functions fd3 to fdN-1 by means of the second executable part 2peu, where the activation commands CD3 to CdN- 1 shown in order, from TRIG(fd3) to TRIG(fdN-1). A series of dependent functions fd3 to fdN-1, executed in combination, are algorithmically equivalent to function F. More precisely, execution of the above activation commands leads to the execution of dependent functions fd3 to fdN-1, in unit 6, which use the contents of the storage area x, y and return the result to storage area z unit 6,

• and at time tN, execution of the CDN activation command which activates, in the unit 6, the execution of the dependent function fdN by means of the second executable part 2peu, thus ensuring the transfer of the result of the algorithm contained in the storage area z of the unit 6 to the data processing system 3, so that is appended to the variable Z, where the specified command is represented by IN(z).

In this example, for the full implementation of the invention, the first argument of the activation command OUT and the argument of the activation commands TRIG and IN were selected as commands. Accounts selected in this way are renamed using the order renaming process. In this sense, the orders for activating the commands CD1 to CDN i.e. x, y, fd3, fdN-1, z are renamed so that they are obtained in order R(x), R(y), R(fd3),... , R(fdN-1), R(z).

Figure 82 shows a complete implementation of the invention. In this example, during the execution of the first executable part 2pes of the protected program 2p in the data processing system 3, and in the presence of the unit 6, occurs:

• at moments t1, t2, execution of activation commands with renamed orders CDCR1, CDCR2, transfer of renamed orders R(x), R(y) as well as data X, Y to unit 6, activation in unit 6 of renewal of renamed orders using the procedure for recovery 20, which restores the orders, i.e. the identity of the storage areas x, y, and then the execution of the corresponding dependent functions fd1, fd2 by means of the second executive part 2peu, which ensures the transfer of data X, Y from the data processing system 3 to the storage area in turn x, y located in the storage procedure 15 of unit 6, and where the activated commands with the renamed orders CDCR1, CDCR2 are listed, shown respectively by OUT(R(x), X), OUT(R(y), Y),

• at times t3 to tN-1, execution of activation commands with renamed orders CDCR3 to CDCRN-1, transfer of renamed orders R(fd3) to R(fdN-1) to unit 6, activation, in unit 6, of renewing orders, i.e. .fd3 to fdN-1 using the restore procedure 20, and then executing the dependent functions fd3 to fdN-1 using the second executable 2peu, where the activated commands with renamed orders CDCR3 to CDCRN-1 are listed in order with TRIG(R(fd3) ) to TRIG(R(fdN-1)),

• and at the moment tN, executing the activation command with the renamed order CDCRN by transferring it to unit 6, the renamed order R(z) activates in unit 6 the restoration of the order, i.e. the identity of the storage area z using the restoration procedure 20, and then the execution of the dependent function fdN using another of the executable part 2peu, thereby ensuring the transfer of the result of the algorithm contained in the storage area of the unit 6 to the data processing system 3, by associating it with the variable Z, where the indicated activated command with the renamed command CDCRN is displayed with IN(R(z)).

In the example shown, activated commands with renamed commands 1 to N are executed successively. It should be noted that two improvements can be achieved:

• The first improvement refers to the case where multiple algorithms are separated into unit 6, and the result of at least one algorithm is used for another algorithm. In this case, some activated orders with renamed orders used for transfer may be removed.

• Another improvement relates to the selection of a suitable sequence of activated commands with renamed commands from among a set of sequences allowing the execution of the protected program 2p. In view of this, it is desirable to select a sequence of activated commands with renamed commands that temporarily interrupts the execution of dependent functions, by inserting between them segments of code executed in the data processing system 3 and including or not activated commands with renamed commands used to determine other data. Figures 83 and 84 show the principle of such a design.

Figure 83 shows an example of the execution of an unprotected program 2v. In this example, during the execution of the unprotected program 2v in the data processing system 3, two algorithms are executed that lead to the determination of Z and Z', so that Z←F(X, Y) and Z'←F'(X', Y').

Fig. 84 shows an example of the implementation of the process according to the invention for which the two selected algorithms from Fig. 83 are separated into a unit 6. According to such an example, during the execution of the first executable part 2pes of the protected program 2p in the data processing system 3 and in the presence of the unit 6, there occurs as previously explained, the execution of the activation commands with the renamed orders CDCR1 to CDCRN corresponding to the determination of Z and the execution of the activation commands with the renamed orders CDCR'1 to CDCR'M corresponding to the determination of Z'. As shown, the CDCR1 to CDCRN command-rename activation commands are not executed in sequence, since the CDCR'1 to CDCR'M command-rename activation commands are inserted as well as the other code snippets. In the example, the following sequence is executed: CDCR1, inline code segment, CDCR'1, CDCR2, inline code segment, CDCR'2, CDCR'3, inline code segment, CDCR'4, CDCR3, CDCR4,..., CDCRN, CDCR 'M.

It should be noted that during the execution of the section of the first executable part 2pes of the protected program 2p, the command to activate with the renamed command which is executed in the data processing system 3, activates in the unit 6 the restoration of the equality of the correspondingly dependent functions and their executions. Thus, it happens that in the presence of the unit 6, the specified segment is performed correctly and, consequently, the protected program 2p is fully functional.

Figure 85 shows an example of an attempt to execute a protected program 2p when unit 6 is missing. In this example, during the execution of the first executable part of the 2pes protected program 2p in the data processing system 3, the execution of the activated orders with the renamed order cannot activate either the renewal of the order or the execution of the corresponding dependent function at any time, due to the absence of unit 6. The value to be joins the variable Z, so it cannot be determined correctly.

That is why, in the absence of unit 6, at least one request of the section of the first executable part of the 2pes protected program 2p for activating the renewal of the order and executing the dependent function in unit 6 cannot be fulfilled correctly, so that at least the specified section is not executed correctly and that , consequently, the protected program 2p is not fully functional.

Thanks to the principle of protection by renaming, the examination of activated commands with renamed commands in the protected program 2p does not allow determining the identity of the dependent function performed in unit 6. It should be noted that the renaming of commands is performed during the modification of the unprotected program 2v into the protected program 2p.

In accordance with variations of the renaming protection principle, a family of dependent functions is defined for at least one dependent function that are algorithmically equivalent, but are activated by different activation commands with renamed commands. In accordance with this variation, for at least one algorithm that uses dependent functions, there is a division of said algorithm into dependent functions, where at least one of them is replaced with a dependent function of the same family instead of maintaining multiple occurrences of the same dependent function. Finally, the activation commands with renamed commands are modified to account for the replacement of dependent functions with dependent functions of the same family. In other words, two dependent functions of the same family have different orders, and it is not possible, by examining the protected program 2p, to discover that the called dependent functions are algorithmically equivalent.

In accordance with the first preferred embodiment of the variation of the protection principle by renaming, a family of algorithmically equivalent dependent functions is defined for at least one dependent function by adding an interference field to the information that defines the functional part of the dependent function executed in unit 6.

According to another preferred embodiment of the variation of the renaming protection principle, a family of algorithmically equivalent dependent functions is defined for at least one dependent function using identification fields.

In accordance with the preferred variation of the implementation of the principle of protection by renaming, an encryption method is defined as a method of renaming orders, which enables the encryption of orders by transforming them into renamed orders. It should be noted that the renaming of orders is performed during the protection phase P. For this preferred variation, the recovery process 20 means implementing a decryption method that enables decryption of the renamed orders, thus restoring the identity of the dependent functions performed in unit 6. Said recovery process implemented in unit 6 can be program or circuit nature. Said recovery procedure 20 is called during the use phase U each time an activation command with a renamed order is executed in the data processing system 3, with the intention of activating the execution of the dependent function in the unit 6.

In accordance with another advantage of the invention, the protection process refers to the implementation of the protection principle called "conditional branching" which is shown in Figures 90 to 92.

To implement the principle of protection by conditional branching, at least one conditional branch is selected in the source code of the unprotected program 2v. At least one segment of the source code of the protected program 2vs containing at least one selected conditional branch BC is also selected.

At least one selected portion of the source code of the unprotected program 2vs is then modified, so that the source code of the protected program 2ps is obtained. This modification is such that during the execution of the protected program 2p, among other things:

• at least one segment of the first executable part 2pes, which is executed in the data processing system 3, takes into account that the functionality of at least one conditional branching BC is executed in the unit 6,

• and the second executable part 2peu, which is executed in unit 6, and performs at least one functionality of at least one selected conditional branch BC and makes available to the data processing system 3 a piece of information that enables the first executable part 2pes to continue execution at the selected point.

The first executable part 2pes of the protected program 2p, which is executed in the data processing system 3, executes the conditional branch commands, activating in the unit 6 the execution by means of the second executable part 2peu of the extracted conditional branches bc whose functionality is equivalent to the functionality of the selected conditional branches BC.

Figure 90 shows an example of the execution of an unprotected program 2v. In this example, during the execution of the unprotected program 2v in the data processing system 3, at a certain moment a conditional branch BC occurs which shows the unprotected program 2v the point where the execution continues, i.e. one of the three possible points B1, B2, B3. It is understood that conditional branching BC makes a decision to continue program execution at points B1, B2 or B3.

Figure 91 shows an example implementation of the invention for which the conditional branch selected for allocation to unit 6 corresponds to the conditional branch BC. In this example, during the execution of the first executable part 2pes of the protected program 2p in the data processing system 3 and the presence of the unit 6, occurs:

• at time t1, the execution of the conditional branch command CBC1 which activates the execution, in unit 6 and by means of the second executable part 2peu, of the extracted conditional branch bc which is algorithmically equivalent to the conditional branch BC, and where the specified conditional branch command CBC1 is represented by TRIG(bc) ,

• at time t2, transfer of information that enables the first executive part 2pes to continue execution at the selected point B1, B2 or B3, from unit 6 to data processing system 3.

It should be noted that during the execution of the segment of the first executable part 2pes of the protected program 2p, the conditional branch command executed in the data processing system 3 activates the execution of the corresponding isolated conditional branches in the unit 6. Thus, it happens that, in the presence of the unit 6, the specified segment executes correctly and that, consequently, the protected program 2p is fully functional.

Figure 92 shows an example of an attempt to execute the protected program 2p when unit 6 is missing. In this example, during the execution of the first executable part 2pes of the protected program 2p in the data processing system 3:

• at time t1, the execution of the conditional branch command CBC1 cannot activate the execution of the isolated conditional branch bc, taking into account the absence of unit 6,

• at time t2, the transfer of a piece of information that allows the first executive part 2pes to continue at the selected point is not feasible taking into account the absence of unit 6.

That's why it happens that in the absence of unit 6, at least one request of the section of the first executable part 2pes to activate the execution of the isolated conditional branching in unit 6 cannot be correctly fulfilled, so that the at least specified section is not executed correctly and, consequently, the protected program 2p is not fully functional.

In the previous description shown in Figures 90 to 92, the content of the invention refers to the allocation of conditional branching to unit 6. Naturally, the preferred embodiment of the invention can be carried out by the allocation, to unit 6, of a series of conditional branches whose overall functionality is equivalent to all the functionalities of conditional branches that separate. The execution of the overall functionality of the specified series of separate conditional branches leads to making available to the data processing system 3 pieces of information that enable the first executable part 2pes of the protected program 2p to continue execution at the selected point.

In the preceding description in connection with Figures 40 to 92, five different principles of program protection have been set forth which, generally speaking, are mutually exclusive. The protection process in accordance with the invention is implemented using the principle of protection by elementary functions, possibly combined with one or more other protection principles. In the case where the principle of protection by elementary functions is supplemented by the implementation of at least one more principle of protection, where the principle of protection by elementary functions is improved by the principle of protection by variable and/or the principle of protection by detection and coercion and/or the principle of protection by renaming and/or the principle of protection by conditional branching.

And when the principle of protection by detection and coercion is implemented, it can be supplemented by the principle of protection by sequential renaming and/or the principle of protection by conditional branching.

And when the principle of protection by renaming is implemented, it can be supplemented by the successive principle of protection by conditional branching.

In accordance with the preferred embodiment, the principle of protection by elementary functions is supplemented with the principle of protection by variable, supplemented by the principle of protection by detection and coercion, supplemented by the principle of protection by renaming, and supplemented by the principle of protection by conditional branching.

In the case where the protection principle is applied, as a supplement to the protection principle with elementary functions, the above description must include, taking into account the combined implementation, the following modifications:

• the term unprotected program should be understood as a program unprotected according to the described protection principle. Thus, in the case where the principle of protection has already been applied to an unprotected program, the term "unprotected program" should be interpreted by the reader as the term "program protected by the principle of protection that has already been applied";

• the notion of a protected program should be understood as a program that is protected according to the described protection principle. So, in the case where the principle of protection has already been applied, the term "protected program" should be interpreted by the reader as the term "new version of the protected program";

• the choice made to implement the described protection principle should take into account the choice made to implement the already applied protection principle.

The remainder of the description provides a better understanding of the implementation of the protection process in accordance with the invention. This protection process in accordance with the invention is composed, as shown more precisely in Figure 100:

• first, from the protection phase P during which the unprotected program 2v is modified into the protected program 2p,

• then, from the use phase U during which the protected program 2p is used.

During this phase of use In:

- in the presence of the unit 6 and every time the segment of the first executable part 2pes which is executed in the data processing system 3 requests it, the required functionality is performed in the unit 6, so that the said segment is executed correctly and that, consequently, the protected program 2p fully functional,

- in the absence of unit 6 and in the spirit of the request of the section of the first executable part 2pes to be performed in unit 6, the specified request cannot be fulfilled correctly, so that at least the specified section is not executed correctly and, consequently, the protected program 2p is not fully functional,

• and possibly from the reloading phase R during which at least one additional use of the functionality protected by the implementation of the second preferred variant of the implementation of the principle of protection by detection and coercion is credited using, as a characteristic, a measurement variable.

Protection phase P can be divided into two sub-phases of protection P1 and P2. The first, called the pre-protection sub-phase P1, takes place independently of the unprotected program being protected. The second, called sub-stage of post-protection P2 depends on the unprotected program 2v being protected. It should be noted that the pre-protection sub-phase P1 and the post-protection sub-phase P2 can be conveniently performed by two different people or two different teams. For example, the pre-protection sub-phase P1 can be performed by the person or firm developing the system to protect the program, while the post-protection sub-phase P2 can be performed by the person or firm developing the program to be protected. Naturally, it is clear that the pre-protection sub-phase P1 and the post-protection sub-phase P2 can be performed by the same person or team.

The sub-phase of the previous protection P1 consists of multiple stages S11,...,S1i for each of the different tasks or jobs to be performed.

The first stage of the sub-stage of the previous protection P1 is called "determination stage S11". During this determination step S11:

• are selected:

- type of unit 6. For illustration, the "chip" card reader 8 and the "chip" card 7 associated with the reader can be selected for unit 6,

- and the transfer procedure 12, 13 designed to be applied during the phase of use in the data processing system 3 and the unit 6 respectively, and capable of providing data transfer between the data processing system 3 and the unit 6,

• are defined:

- a set of elementary functions that are destined to be performed in unit 6,

- and a set of elementary commands for the specified elementary functions, where the specified elementary commands are specified for execution in the data processing system 3 and for activating the execution of elementary functions in the unit 6,

• and in the case where the protection process in accordance with the invention implements the principle of protection by detection and coercion, the following are also defined:

- at least one characteristic of program execution, determined for at least partial monitoring in unit 6,

- at least one criterion that needs to be met for at least one characteristic of program execution,

- detection procedure 17 which is implemented in unit 6 and which enables the detection of at least one performance characteristic for which at least one associated criterion is not met,

- the coercion procedure 18, which is implemented in unit 6 and enables informing the data processing system 3 and/or modifying the execution of the program, when at least one criterion is not met,

• and in the case where the protection process in accordance with the invention implements the principle of protection by detection and coercion using as a characteristic a measurement variable that measures the execution of the program, it is also defined:

- a variable that measures the use of the program's functionality as a characteristic of the program determined for monitoring,

- at least one threshold associated with each measurement variable as a criterion to be fulfilled,

- and the actualization procedure that enables the refreshing of at least one measurement variable,

• and in the case where the protection process according to the invention also implements the first preferred embodiment of the protection principle by detection and coercion using as a characteristic a variable that measures the execution of the program, it is also defined:

- several associated thresholds for at least one measurement variable,

- different coercion procedures corresponding to each of the mentioned thresholds,

• and in the case where the protection process in accordance with the invention implements another preferred variant of the implementation of the protection principle by detection and coercion using as a characteristic a variable that measures the execution of the program, a reloading procedure is also defined that enables the addition of at least one additional use of at least one functionality that is monitored by a measurement variable ,

• and in the case where the protection process in accordance with the invention implements the principle of protection by detection and coercion using the program usage profile as a characteristic, it is also defined:

- as a characteristic of program execution intended for monitoring, program usage profile,

- at least one feature of program execution as a criterion to be fulfilled,

• and in the case where the protection process according to the invention implements the principle of protection by detection and enforcement using execution chaining monitoring as a performance feature to be fulfilled, it is also defined:

- a set of instructions that are intended for execution in unit 6,

- a set of commands for the specified set of instructions, where the specified instructions are intended for execution in the data processing system 3 and for activating the execution of instructions in the unit 6,

- chaining of instructions as a usage profile,

- expected chaining of execution of instructions as a feature of execution,

- as a detection procedure 17, a procedure that enables detection that the chaining of instructions does not correspond to the expected,

- as a coercion procedure 18, a procedure that enables informing the data processing system 3 and/or modifying the functioning of the section of the protected program 2p when the chaining of instructions does not correspond to the expected,

• and in the case where the protection process in accordance with the invention implements a preferred embodiment variant of the protection principle by detection and enforcement using execution chaining monitoring as an execution feature to be fulfilled, it is also defined:

- a set of instructions, where at least some instructions work with registers and use at least one operand with the intention of returning a result,

- for at least some instructions that work with registers:

▸ part PF that defines the functionality of the instructions,

▸ and a section that defines the expected chaining of instruction execution and includes flags corresponding to:

◊ to the CII instruction identification field,

◊ and for each instruction operand:

* flag field CDk,

* expected CIPk operand identification field,

- for each register that belongs to the exploitation procedure and that uses a set of instructions, a generated CIGv identification field in which the identification of the instruction that last returned the result to the register is automatically stored,

- the detection procedure 17, which enables, during the execution of the instruction, for each operand, when the flag CDk allows it, to check the identity of the generated identification field CIGv corresponding to the register used by the specified operand, and the expected identification field CIPk in the source code of the specified operand,

• and in the case where the protection process in accordance with the invention implements the principle of protection by renaming, it is also defined:

- as an activation command, elementary command or instructional command,

- as a dependent function, elementary function or instruction,

- as an order, at least one argument for the activation command that at least partially corresponds to the information transferred from the data processing system 3 to the unit 6, so that it activates the execution of the corresponding dependent function,

- order renaming procedure that enables order renaming so that activation orders are received with renamed orders,

- and a recovery procedure 20 designed for use in unit 6 during the utilization phase U which enables recovery of the dependent function for execution by the renamed order,

• and in the case where the protection process in accordance with the invention implements variants of the principle of protection by renaming, a family of algorithmically equivalent dependent functions is also defined, for at least one dependent function, but which are activated by activation commands whose renamed orders are different,

• and in the case where the protection process in accordance with the invention implements one of the preferred embodiments of variants of the protection principle by renaming, a family of algorithmically equivalent dependent functions is also defined for at least one dependent function:

- by adding the interference field to the information that defines the functional part of the dependent function performed in unit 6,

- or using the instruction identification field CII and the expected operand identification field CIPk.

• and in the case where the process of protection in accordance with the invention implements the preferred variant of the principle of protection by renaming, it is also defined:

- as an order renaming procedure, an encryption procedure for order encryption,

- and as a recovery procedure 20, a procedure that implements an encryption procedure for decrypting the renamed orders by which the equality of the dependent functions performed in the unit 6 is restored.

During the pre-protection sub-phase P1, the defining step S11 is followed by a step called "constructing step S12". During this step S12, the transfer procedure 12, 13 and possibly the exploitation procedure corresponding to the definition step S11 are constructed.

During this stage of constructing S12, the following is done:

• the construction of the transfer procedure 12, 13 which enable, during the use phase U, the transfer of data between the data processing system 3 and the unit 6,

• the construction of the exploitation procedure, which also enables unit 6 to perform elementary functions from the set of elementary functions during the use phase U,

• and when the principle of protection by detection and coercion is also implemented, the construction:

- the exploitation procedure which enables the unit 6, during the use phase U, to also implement the detection procedure 17 and coercion 18,

- and possibly the exploitation procedure that enables unit 6, during the use phase U, to also implement the actualization procedure,

- and possibly an exploitation procedure that enables unit 6, during the use phase U, to also implement a reloading procedure,

- and possibly an exploitation procedure that enables unit 6, during the use phase U, to execute instructions from a set of instructions,

• and when the principle of protection by renaming is also implemented, the construction of the exploitation procedure enables unit 6, during the use phase U, to also implement the restoration procedure.

The construction of the exploitation procedure is performed classically, with a developed program unit and taking into account the definitions that appeared in the definition stage S11. This unit is defined in the rest of the description in Figure 110.

During the pre-protection sub-phases P1, the construction step S12 may be followed by a step called "pre-adjustment step S13". During this pre-adaptation step S13, at least part of the transfer process 13 and/or the exploitation process is loaded into at least one blank unit 60 with the intention of obtaining at least one pre-adapted unit 66. It should be noted that the exploitation process part, once transferred to the pre -adapted unit 66, is no longer directly accessible outside the specified pre-adapted unit 66. The transfer of the exploitation procedure to the unit 60 can be done through the adapted pre-adapted unit, which is described in the rest of the description in Figure 120. In the case of the pre-adapted unit 66 , constituted in the form of a "chip" card 7 and its reader 8, the pre-adjustment applies only to the "chip" card 7.

During the pre-protection sub-phase P1, after the defining stage S11 and possibly after the designing stage S12, a stage called "tool making stage S14" can occur. During this stage of creating the S14 tools, the created tools enable assistance in the generation of the protected program or the automation of the protected program. These tools enable:

• assistance in selection or automatic selection in unprotected program 2v for protection:

- algorithms determined for division into elementary functions that are allocated to unit 6,

- section designated for modification,

- and when the variable protection principle is also implemented, the algorithm(s) determined to be divided into steps separated into unit 6,

- and when the principle of protection by detection and coercion is also implemented, the characteristic(s) of execution for monitoring, and possibly the algorithm determined to be divided into instructions separated in unit 6,

- and when the principle of protection by renaming is also implemented, the algorithm is determined to be divided into dependent functions separated into unit 6 and for which the orders of the activation commands are renamed,

- and when the principle of protection by conditional branching is also applied, conditional branching(s) whose functionalities are determined to be allocated to unit 6,

• and, possibly, help in generating a protected program or automating program protection.

These different tools can be done independently or in combination, and each tool can take different forms, such as pre-processor, assembler, compiler, etc.

The pre-protection sub-phase P1 is followed by the post-protection sub-phase P2 which depends on the unprotected program 2v being protected. This sub-phase of subsequent protection P2 also consists of several stages. The first stage corresponding to the implementation of the principle of protection by elementary functions is called "creation stage S21". During this creation stage S21, the selections made during the definition stage S11 are used. With the help of the above selections and possibly the tools constructed during the tool creation stage S14, a protected program 2vs is created:

• by selecting at least one algorithm which, during the execution of the unprotected program 2v, uses at least one operand and allows obtaining at least one result,

• by selecting, in the source code of the unprotected 2vs program, at least one section containing at least one selected algorithm,

• by producing the source code of the protected program 2ps from the source code of the unprotected program 2vs, by modifying at least one selected section of the source code of the unprotected program 2ps into the source code of the protected program 2ps, which is such that:

- during the execution of the protected program 2p, the first executable part 2pes is executed in the data processing system 3, and the second executable part 2peu is executed in the unit 6 which is obtained from the empty unit 60 after loading the data,

- the second executable part of 2peu performs the functionality of at least one selected algorithm,

- at least one selected algorithm is divided so that during the execution of the protected program 2p, the specified algorithm is executed using the second executable part 2peu using elementary functions,

- are for at least one selected algorithm elementary commands integrated into the source code of the protected program 2p, so that during the execution of the protected program 2p each elementary command is executed by the first executable part 2pes and activates, in unit 6, the execution of the elementary function by the second executable part 2peu ,

- a sequence of elementary commands is selected from the set of sequences that allow the execution of the protected program 2p,

• and production:

- of the first object part 2pos of the protected program 2p from the source code of the protected program 2ps, where the first object part 2pos is specified such that during the execution of the protected program 2p, the first executable part 2pes appears which is executed in the data processing system 3, at least one section of which takes considering that the elementary command is executed in accordance with the selected sequence,

- and the second object part 2pou of the protected program 2p, which contains the procedure for exploitation and which is such that after loading into the empty unit 60 and during the execution of the protected program 2p, the second executable part 2peu appears by means of which the elementary functions activated by the first executable part are performed 2 pes.

Naturally, the principle of variable protection in accordance with the invention can be applied during the development of a new program without requiring the prior implementation of an unprotected program 2v. In this way, the protected program 2p is obtained directly.

During the sub-phases of the following protection P2, and when at least one more protection principle is applied in addition to the protection principle by elementary functions, the "modification stage S22" occurs. During the modification step S22, the definitions that appeared during the definition step S11 are used. With the help of the above definitions and possibly the tools constructed during the tool creation stage S14, the protected program 2p is modified so as to allow the implementation of the protection principle in accordance with one of the previously defined divisions.

When the variable protection principle is applied, the protected program 2p is modified:

• by selecting at least one variable that is used in at least one selected algorithm, and which, during the execution of the protected program 2p, partially defines the state of the protected program 2p,

• by modifying at least one selected section of the source code of the protected program 2ps, which is such that during the execution of the protected program 2p, at least one variable or a copy of the variable is located in unit 6,

• and production:

- of the first object part 2pos of the protected program 2p, where the specified first object part 2pos is such that during the execution of the protected program 2p at least one section of the first executable part 2pes takes into account that at least one variable or a copy of the variable is located in unit 6,

- and the second object part 2pou of the protected program 2p, where said object part 2pou is such that, after loading into the unit 6 and during the execution of the protected program 2p, another executable part 2peu appears, by means of which at least the selected variable or a copy of the variable is also placed in the unit 6.

When the principles of protection by detection and coercion are implemented, the protected program 2p is modified:

• by selecting for monitoring at least one program execution characteristic, among the program execution characteristics provided for monitoring,

• by selecting at least one criterion that must be met for at least one selected characteristic of program execution,

• by selecting, in the source code of the protected program 2ps, elementary functions for which at least one characteristic of program execution is monitored,

• by modifying at least one selected section of the source code of the protected program 2ps, which is such that during the execution of the protected program 2p, at least one selected performance characteristic is monitored by means of another executable part 2peu, and the fact that the criterion is not met leads to informing the processing system data 3 and/or the execution of the protected program 2p is modified,

• by the production of the second object part 2pou of the protected program 2p, which contains an exploitation procedure that also implements the detection procedure 17 and the coercion procedure 18, and where the second object part 2pou is such that after loading into unit 6 and during the execution of the protected program 2p, at least one the characteristic of the program execution and the fact that the criterion is not met leads to informing the data processing system 3 and/or modifying the execution of the protected program 2p.

To implement the principle of protection by detection and coercion using the characteristic of the variable that measures the execution of the program, the protected program 2p is modified:

• by selecting at least one variable that measures the use of at least one functionality of the program as a characteristic of the program execution to be monitored,

• by choosing:

- at least one functionality of the protected program 2p, the use of which is subject to monitoring using measurement variables,

- at least one measurement variable used to quantify the use of the specified functionality,

- at least one threshold associated with the measurement variable that corresponds to the limit of use of the specified functionality,

- at least one procedure for refreshing the selected measurement variable, which depends on the use of the specified functionality,

• and by modifying at least one selected section of the source code of the protected program 2ps, which is such that, during the execution of the protected program 2p, the measurement variable is updated using another executable part 2peu depending on the use of the mentioned functionality, and that at least one threshold crossing is taken into account.

To implement the first preferred variant of the implementation of the principle of protection by detection and coercion using, as a characteristic, a measurement variable, the protected program 2p is modified:

• by selecting, in the source code of the protected program 2ps, at least one selected measurement variable for which several thresholds corresponding to different limits of functionality use should be associated,

• by selecting at least two thresholds associated with the selected measurement variable,

• by modifying at least one selected section of the source code of the protected program 2ps, which is such that, during the execution of the protected program 2p, transitions of different thresholds using the second executable part 2pe are taken into account separately.

To implement the second preferred variant of the implementation of the principle of protection by detection and coercion using the protected measurement variable as a characteristic, program 2p is modified:

• by selecting, in the source code of the protected program 2ps, at least one selected measurement variable that allows limiting the use of the functionality and that should be allowed to be credited with at least one additional use,

• and by modifying at least one selected segment, which is such that during the phase called reloading, at least one additional use of at least one functionality corresponding to the selected measurement variable can be credited.

To implement the principle of protection by detection and coercion using, as a characteristic, the program usage profile, the protected program 2p is modified:

• by selecting at least one program usage profile as a monitored program performance characteristic,

• by selecting at least one performance feature for which at least one selected usage profile must be fulfilled,

• and by modifying at least one selected section of the source code of the protected program 2ps, which is such that, during the execution of the protected program 2p, the second executable part 2peu fulfills all the selected execution features.

To implement the principle of protection by detection and coercion, as a feature of execution to be fulfilled, monitoring by execution chaining, the protected program 2p is modified:

• by modifying at least one selected section of the source code of the protected program 2ps:

- by transforming elementary functions into instructions,

- by specifying chaining in which at least some instructions should be completed during their execution in unit 6,

- and by transforming elementary commands into commands that correspond to the instructions used.

When the principle of protection by renaming is implemented, the protected program 2p is modified:

• by selecting the 2ps activation command in the source code of the protected program,

• by modifying at least one selected section of the source code of the protected 2ps program by renaming the order of the selected activation commands, so that the identity of the corresponding dependent functions is hidden,

• and production:

- of the first object part 2pos of the protected program 2p, where the specified first object part 2pos is such that during the execution of the protected program 2p the activation command is executed with a renamed order,

- and the second object part 2pou of the protected program 2p, which contains the exploitation procedure and also implements the restoration procedure 20, and where the second object part 2pou is such that, after loading into unit 6 and during the execution of the protected program 2p, it is restored using the second executable part 2peu the equality of the dependent function activated by the execution of the first executable part 2pes and the dependent function executed by the second executable part 2peu.

To implement a variant of the protection principle by renaming, the protected program 2p is modified:

• by selecting, in the source code of the protected program 2ps, at least one activation command with renamed accounts.

• and by modifying at least one selected section of the source code of the protected program 2ps by replacing at least one renamed command of one selected activation command with a renamed command, with another renamed command, activating a dependent function of the same family.

When the principle of protection by conditional branching is implemented. the protected program 2p is modified:

• by selecting, in the source code of the protected program 2p, at least one conditional branching that is performed in at least one algorithm,

• and by modifying at least one selected section of the source code of the protected program 2ps, which is such that during the execution of the protected program 2p, the functionality of at least one conditional branching in unit 6 is performed, using the second executable part 2peu,

• and production:

- of the first object part 2pos of the protected program 2p, where the specified first object part 2pos is such that during the execution of the protected program 2p the functionality of at least one selected conditional branch is performed in unit 6,

- and the second object part 2pou of the protected program 2p, where the specified second object part 2pou is such that, after loading into unit 6 and during the execution of the protected program 2p, the second executable part 2peu appears, by means of which the functionality of at least one conditional branching is performed.

To implement the preferred implementation of the conditional branching protection principle, the protected program is modified:

• by selecting, in the source code of the protected program 2ps, at least one set of selected conditional branches,

• by modifying at least one selected section of the source code of the protected program 2ps, which is such that, during the execution of the protected program 2p, the overall functionality of at least one sequence is performed using the second executable part 2peu in unit 6,

• and production:

- of the first object part 2pos of the protected program 2p, where the specified first object part 2pos is such that during the execution of the protected program 2p the functionality of at least one sequence of conditional branches is performed in unit 6,

- and the second object part 2pou of the protected program 2p, where the specified second object part 2pou is such that, after loading into unit 6 and during the execution of the protected program 2p, the second executable part 2peu appears, by means of which the overall functionality of at least one sequence of conditional branches is performed.

Naturally, the principle of protection in accordance with the invention can be applied directly during the development of a new program without the requirement for prior protection of intermediate parts of the program. In this way, the creation step S21 and the modification step S22 can be performed simultaneously so that the protected program 2p is obtained directly.

During the sub-phase of subsequent protection P2, after the creation stage S21 of the protected program 2p, and possibly after the modification stage S22, a stage called "adaptation stage S23" occurs. During this adjustment step S23, the second object part 2pou containing the exploitation procedure is loaded into at least one empty unit 60, with the intention of obtaining at least one unit 6, or the part of the second object part 2pou possibly containing the exploitation procedure is loaded into at least one pre-adjusted unit 66, with the intention of obtaining at least one unit 6. By loading this customized information, at least one unit 6 becomes operational. It should be noted that a portion of said information, once transferred to unit 6, cannot be directly accessed outside of unit 6. The transfer of adapted information to blank unit 60 or pre-adapted unit 66 can be done through the adapted adaptation unit described in the remainder of the description at Figure 150. In the case of unit 6, consisting of "chip" card 7 and reader 8, the adjustment applies only to "chip" card 7.

To implement the protection phase P, the various technical procedures are described in more detail in Figures 110, 120, 130, 140 and 150.

Figure 110 shows the performance of the system 25 which enables the implementation of the construction stage S12 which takes into account the definitions created during the definition stage S11 during which the transfer procedures 12, 13 and possibly the exploitation procedure intended for the unit 6 are constructed. Thus, the system 25 includes a program development unit or a workstation that has the standard form of a computer consisting of a system unit, a screen, peripherals such as a keyboard-mouse, and includes, among others, the following programs: editor, assembler, pre-processor, compiler, interpreter, debugger and link editor.

Fig. 120 shows an embodiment of a pre-adapted unit 30 that allows loading at least part of the transfer process 13 and/or the exploitation process into at least one empty unit 60 with the intention of obtaining a pre-adapted unit 66. Said pre-adapted unit 30 includes a read and write process 31 which enables the electrical pre-adjustment of the empty unit 60 so that a pre-adjusted unit 66 is obtained into which the loading is carried out by means of the transfer process 13 and/or the exploitation process. The pre-adapted unit 30 may also include a physical adaptation process 32 of the blank unit 60 which is, for example, in the form of a printer. In the case where the unit 6 consists of a "chip" card 7 of its reader 8, the pre-adaptation generally applies only to the "chip" card 7.

Figure 130 shows an embodiment of a system 35 that enables the creation of tools that assist in the generation of a protected program or automate the protection of a program. Thus, system 35 includes a unit for program development or a workstation which, as a standard, has the form of a computer consisting of a system unit, a screen, peripherals such as a keyboard-mouse, and includes, among other things, the following programs: editor, assembler, preprocessor, compiler, interpreter , debugger and link editor.

Figure 140 shows the implementation of the system 40, which enables the direct creation of a protected program 2p or the modification of an unprotected program 2v with the aim of obtaining a protected program 2p. Thus, the system 40 includes a program development unit or a workstation which, as a standard, has the form of a computer consisting of a system unit, a screen, peripherals such as a keyboard-mouse, and includes, among other things, the following programs: editor, assembler, preprocessor, compiler, interpreter , debugger and link editor, as well as tools that help generate a protected program or automate program protection.

Fig. 150 shows an embodiment of the adjustment unit 45 which enables loading of the second object part 2pou into at least one empty unit 60 with the aim of obtaining at least one unit 6 or loading of a part of the second object part 2pou into at least one pre-adjusted unit 66 with the aim of obtaining at least one unit 6 Said adaptation unit 45 includes a write and read process 46 that enables the electrical adaptation of at least one blank unit 60 or at least one pre-adapted unit 66, so as to obtain at least one unit 6. At the end of this adaptation, the unit 6 includes the information necessary for execution of the protected program 2p. The adaptation unit 45 also includes a physical adaptation procedure 47 for at least one unit 6 which may have, for example, the form of a printer. In the case where the unit 6 consists of a "chip" card 7 and its reader 8, the adjustment generally refers only to the "chip" card 7.

The protection process according to the invention can be implemented with the following improvements:

• It is possible to plan the joint use of several storage and processing units between which they jointly use another object part 2pou of the protected program 2p so that their joint use enables the use of the protected program 2p to be prevented in the absence of at least one specified storage and processing unit.

• In the same way, after the pre-adaptation step S13 and during the adaptation step S23, a part of the second object part 2pou necessary to transform the pre-adaptation unit 66 into the unit 6 may be contained in the processing and storage unit used by the adaptation unit 45, thus to restrict access to the specified part of the second object part 2pou. Naturally, said second object part 2pou can be used by multiple storage and processing units so that said second object part 2pou is accessible only during joint use by said processing and storage units.

Claims (35)

1. The process of protecting an unprotected program (2v) performed on a data processing system (3) against unauthorized use, using at least one empty unit (60) with at least a storage method (15) and a processing method (16) included, characterized by the fact that it includes: • during the protection phase (P): - defining: ▸ set of elementary functions that are destined to be performed in unit (6), ▸ and a set of elementary commands for the specified set of elementary functions, where the specified elementary commands are destined for execution in the data processing system (3) and for activating the execution of elementary functions in the unit (6), - creating a procedure for exploitation that enables the transformation of an empty unit (60) into a unit (6) capable of performing the elementary functions of the specified set, where the execution of the specified elementary functions is activated by the execution of elementary commands in the data processing system (3), - creating a protected program (2p): ▸ by selecting at least one algorithm which, during the execution of the unprotected program (2v), uses at least one operand and allows obtaining at least one result, ▸ by selecting at least one section in the source code of the unprotected program (2v) that contains at least one selected algorithm, ▸ by producing the source code of the protected program (2ps) from the source code of the unprotected program (2vs), by modifying at least one selected section of the source code of the unprotected program (2vs), with the aim of obtaining at least one section of the source code of the protected program (2ps), where the specified modification is such that: � during the execution of the protected program (2p), the first executable part (2pes) is executed in the data processing system (3), and the second executable part (2peu) is executed in the unit (6) obtained from the empty unit (60) after loading the information, � the second executable part (2peu) performs the functionality of at least one selected algorithm, � at least one algorithm is divided so that during the execution of the protected program (2p) the specified algorithm is executed by means of another executable part (2peu) using elementary functions, � for at least one algorithm, the elementary commands are integrated into the source code of the protected program (2ps), so that during the execution of the protected program (2p), each elementary command is executed by the first executable part (2pes), which activates the execution of the second executable part (2peu) of the elementary functions in unit (6), � a sequence of elementary commands is selected from a set of sequences that allow the execution of the protected program (2p), ▸ and production: � of the first object part (2pos) of the protected program (2p) from the source code of the unprotected program (2ps), where the specified first object part (2pos) is such that, during the execution of the protected program (2p), the first executable part (2pes) appears which is performed in the data processing system (3), and at least one part of which takes into account that elementary commands are performed in accordance with the selected sequence, � and the second object part (2pou) of the protected program (2p) which contains the procedure for exploitation, which is such that, after loading into the empty unit (60) and during the execution of the protected program (2p), the second executable part (2peu) appears by means of which the elementary functions activated by the first executive part (2pes) are performed, - and loading the second object part (2pos) into the empty unit (60), with the aim of obtaining the unit (6), • and during the use phase (U), when the protected program (2p) is running: - in the presence of the unit (6), every time the segment of the first executable part (2pes) requires it, the execution of the corresponding elementary function in the unit (6), so that the specified segment is executed correctly and, consequently, the protected program (2p) is completely functional, - and in the absence of unit (6), and in the spirit of the requirement of the section of the first executive part (2pes) for the performance of the elementary function in unit (6), the impossibility of correctly fulfilling the requirements, so at least the specified section is not performed correctly and, consequently, the protected program is not completely functional. 2. The process according to claim 1, characterized in that it includes: • during the protection phase (P): - modification of the protected program (2p): ▸ by selecting at least one variable used in the selected algorithm, which during the execution of the protected program (2p), partially defines the later state of the protected program (2p), ▸ by modifying at least one selected section of the source code of the protected program (2ps), which is such that during the execution of the protected program (2p), at least one variable or a copy of the variable is located in the unit (6), ▸ and production: � of the first object part (2pos) of the protected program (2p) from the source code of the unprotected program (2ps), where the specified first object part (2pos) is such that, during the execution of the protected program (2p), the first executable part (2pes) appears which takes into account that at least one variable or a copy of the variable is in the unit (6), � and the second object part (2pou) of the protected program (2p), where said second object part (2pou) is such that, after loading into the empty unit (60) and during the execution of the protected program (2p), the second executable part (2peu ) by means of which at least one selected variable or copy of the variable is also placed in unit (6), • and during the use phase (U): - in the presence of the unit (6), every time the segment of the first executable part (2pes) requires it, the use of a variable or a copy of the variable stored in the unit (6), so that the specified segment is executed correctly and, consequently, the protected program (2p ) fully functional, - and in the absence of unit (6), and in the spirit of the request of the section of the first executive part (2pes) for the use of a variable or a copy of the variable stored in unit (6), the impossibility of correctly fulfilling the request, so at least the said section is not performed correctly and that, consequently, protected the program is not fully functional. 3. The process according to claim 1, characterized in that it includes: • during the protection phase (P): - defining: ▸ at least one characteristic of program execution, destined for at least partial monitoring in unit (6), ▸ at least one criterion that needs to be met for at least one characteristic of program execution, ▸ of the detection procedure (17) which is implemented in unit (6) and enables the detection that at least one associated criterion is not met for at least one characteristic of the program execution, ▸ and the coercion procedure (18) which is implemented in the unit (6) and enables informing the data processing system (3) and/or modifying the execution of the program when at least one criterion does not exist, - creating a procedure for exploitation that enables the unit (6) to also implement a detection procedure (17) and a coercion procedure (18), - modification of the protected program (2p): ▸ by selecting at least one characteristic of the execution of the program for monitoring, among the characteristics of the execution of the programs destined for monitoring, ▸ by selecting at least one criterion to be fulfilled for at least one selected characteristic of the program, ▸ by selecting, in the source code of the protected program (2ps), elementary functions for which at least one characteristic of program execution is monitored, ▸ by changing at least one selected section of the source code of the protected program (2p), which is such that during the execution of the protected program (2p), at least one characteristic of the program's execution is monitored using another executable part (2peu), and the fact that the criterion is not met leads to informing the system for data processing (3) and/or the execution of the protected program (2p) is modified, ▸ and by producing the second object part (2pou) of the protected program (2p) which contains the procedure for exploitation, and which also implements the detection procedure (17) and the coercion procedure (18), where the second object part (2pou) is such that, after loading into the unit (6) and during the execution of the protected program (2p), at least one characteristic of the execution of the program is monitored, and the fact that the criterion is not met leads to the fact that the data processing system (3) is informed and/or the execution of the protected program is modified (2p ), • and during the use phase (U): - in the presence of unit (6): ▸ as long as all the criteria corresponding to the monitored performance characteristics of all modified sections of the protected program (2p) are met, said section of the protected program (2p) operates correctly and consequently enabling the protected program (2p) to operate nominally, ▸ and if at least one of the criteria corresponding to the monitored performance characteristics of the section of the protected program (2p) is not met, the data processing system (3) is informed about this and/or the functioning of the section of the protected program (2p) is modified, so that the functioning of the protected program (2p) modifies. 4. A process according to claim 3, characterized in that it limits the use of the protected program (2p), including: • during the protection phase (P): - defining: ▸ as characteristics of program execution destined for monitoring, measurement variables that measure the use of program functionality, ▸ as criteria to be met, at least one threshold associated with each measurement variable, ▸ and the actualization procedure that enables updating at least one measurement variable, - creation of an exploitation procedure that enables the unit (6) to also implement the actualization procedure, - and modification of the protected program (2p): ▸ by selecting, as a characteristic of the program execution to be monitored, at least one variable that measures the use of at least one functionality of the program, ▸ by selecting: � at least one functionality of the protected program (2p) whose use is subject to monitoring using a measurement variable, � at least one measurement variable used to quantify the use of the specified functionality, � at least one threshold associated with the selected measurement variable that corresponds to the limit of use of the specified functionality, � and at least one method of refreshing the selected measurement variable that depends on the use of the specified functionality, ▸ and by changing at least one selected section of the source code of the protected program (2ps), which is such that during the execution of the protected program (2p), the measurement variable is updated using another executable part (2peu) depending on the use of the specified functionality, and that it takes into account at least one threshold crossing, • and during the use phase (U), in the presence of the unit (6) and in the case where at least one threshold crossing corresponding to at least one use limit is detected, the data processing system (3) is informed about this and/or the functioning of the protected section is modified program (2p) so that the functioning of the protected program (2p) is modified. 5. The process according to claim 4, characterized in that it includes: • during the protection phase (P): - defining: ▸ for at least one measurement variable, several associated thresholds, ▸ and different coercion procedures corresponding to each of the mentioned thresholds, - and modification of the protected program (2p): ▸ by selecting, in the source code of the protected program (2p), at least one measurement variable that must be associated with individual thresholds that correspond to different limits of functionality use, ▸ by selecting at least two thresholds associated with the selected measurement variable, ▸ by changing at least one selected section of the source code of the protected program (2ps), which is such that, during the execution of the protected program (2p), transitions of different thresholds are taken into account separately, by means of another executable part (2peu), • and during the use phase (U): - in the presence of unit (6): ▸ in the event that the crossing of the first threshold is detected, the prohibition of further use of the corresponding functionality of the protected program (2p), ▸ and in the case when crossing the second threshold is detected, blocking the corresponding functionality and/or at least one section of the protected program (2p). 6. A process according to claims 4 or 5, characterized in that it includes: • during the protection phase (P): - defining a reloading procedure that enables crediting of at least one functionality of the program followed by a measurement variable with at least one additional use, - creation of an exploitation procedure that also allows unit (6) to implement a reloading procedure, - and modification of the protected program (2p): ▸ by selecting in the source code of the protected program (2p) at least one selected measurement variable that allows limiting the use of the functionality and that must be able to be credited with at least one additional use, ▸ and by modifying at least one selected segment, which is such that during the invocation phase of the reload, at least one additional use of at least one functionality corresponds to the selected measurement variable being credited, • and during the reload phase: - reactivation of at least one selected measurement variable and/or at least one associated threshold, so that it allows at least one additional use of the functionality. 7. The process according to claim 3, characterized in that it includes: • during the protection phase (P): - defining: ▸ program usage profile as a characteristic of the program subject to monitoring, ▸ at least one feature of the program execution as a criterion to be met, - and modification of the protected program (2p): ▸ by selecting a program execution characteristic to monitor at least one program usage profile, ▸ by selecting at least one performance feature for which there must be at least one selected profile, ▸ by changing at least one section of the source code of the protected program (2p), which is such that during the execution of the protected program (2p) the second executable part (2peu) fulfills all the selected execution features, • and during the use phase (U) in the presence of the unit (6) and in the case when it is detected that at least one performance feature is not fulfilled, informing the data processing system (3) and/or modifying the functioning of the section of the protected program (2p), so that the functioning of the protected program (2p) has been modified. 8. The process according to claim 7, characterized in that it includes: • during the protection phase (P): - defining: ▸ a set of instructions destined for execution in the unit (6), ▸ a set of commands for the specified set of instructions that are destined for execution in the data processing system (3) and for activating the execution of instructions in the unit (6), ▸ as a usage profile, chaining of instructions, ▸ as performance features, expected chaining of instruction execution, ▸ as a detection procedure (17), a procedure that enables detection that the chaining of instructions does not correspond to the expected, ▸ as a coercion procedure (18), a procedure that allows to inform the data processing system (3) and/or to modify the functioning of the section of the protected program (2p) when the chaining of instructions does not correspond to the expected, - creating a procedure for exploitation that enables the unit (6) to execute instructions from a set of instructions that is activated by executing commands in the data processing system (3), - modification of the protected program (2p): ▸ by changing at least one selected section in the source code of the protected program (2ps): by transforming elementary functions into instructions, � by specifying chaining where at least some instructions must exist during their execution in unit (6), � and by transforming elementary commands into instructions that correspond to the used instructions, • and during the use phase (U), in the presence of the unit (6), in the event that it is detected that the chaining of instructions executed in the unit (6) does not correspond to the expected, informing the data processing system (3) about it and/or modification the functioning of the section of the protected program (2p), so that the functioning of the protected program (2p) is modified. 9. The process according to claim 8, characterized in that it includes: ̧ • during the protection phase (P): - defining: ▸ set of instructions where at least some instructions work with registers and use at least one operand with the intention of returning a result, ▸ for at least some instructions that work with registers: � part (PF) that defines the functionality of the instructions, � and the part that defines the expected chaining of instruction execution, and includes bit fields corresponding to: * instruction identification field (CII), * and for each instruction operand: a. flags (CDk), b. and the expected identification field (CIPk) of the operand, ▸ for each register belonging to the exploitation procedure, which is used by the set of instructions, a generated identification field (CIGv) in which the identification of the last instruction that returned a result to the specified register is automatically stored, ▸ as a detection procedure (17), a procedure that enables the equality of the generated identification field (CIGv) corresponding to the register used by the specified operand and the expected identification field ( CIPk) in the source code of the specified operand, ▸ and as a coercion procedure (18), a procedure that enables modification of the result of the instruction, if at least one of the checked equalities is false. 10. The process according to claims 1 or 8, characterized in that it includes: • during the protection phase (P): - defining: ▸ as activation commands, commands or elementary commands, ▸ as dependent functions, elementary functions or instructions, ▸ as an order, at least one activation command order that at least partially corresponds to the information transferred from the data processing system (3) to the unit (6) so as to activate the execution of the corresponding dependent function, ▸ order renaming procedure, which enables order renaming by obtaining an activation order with renamed orders, ▸ and a recovery procedure (20) designed for use in the unit (6) during the use phase (U) and which enables the recovery of an independent function to be performed by the renamed order, - creating an exploitation procedure that enables the unit (6) to also implement a recovery procedure, - and modification of the protected program (2p): ▸ by selecting activation commands in the source code of the protected program (2ps), ▸ by modifying at least one selected section of the source code of the protected program (2ps) by renaming the order of the selected activation commands, so as to hide the identity of the corresponding dependent function, ▸ and production: � of the first object part (2pos) of the protected program (2p) which is such that during the execution of the protected program (2p) activation commands with renamed orders are executed, � and the second object part (2pou) of the protected program (2p) which contains the procedure for exploitation and also implements the recovery procedure (20), and which is such that after loading into the unit (6) and during the execution of the protected program (2p) the identity is restored dependent functions, the execution of which was activated by the first executable part (2pes), by means of the second executable part (2peu), and the dependent function is executed by means of the second executable part (2peu), • and during the use phase (U) - in the presence of unit (6) and every time the command to activate with a renamed order contained in the first executable part (2pes) imposes it, the identity of the corresponding dependent function is restored in unit (6) and it is executed, thus the specified section is executed correctly and that, consequently, the protected program (2p) is fully functional, - and in the absence of unit (6), in the spirit of the request of the section of the first executive part (2pes) to activate the execution of the dependent function in unit (6), the specified request cannot be fulfilled correctly, so that at least the specified section cannot be performed correctly and that, consequently , the protected program (2p) is not fully functional. 11. The process according to claim 10, characterized in that it includes: • during the protection phase (P): - defining for at least one dependent function, a family of dependent functions that are algorithmically equivalent, but which are activated by activation commands whose renamed orders are different, - and modification of the protected program (2p): ▸ by selecting, in the source code of the protected program (2ps), at least one activation command with a renamed command, ▸ and by changing at least one selected section of the source code of the protected program (2ps) so that at least one renamed command of the selected activation command is replaced with a renamed command by another renamed command, which activates a dependent function from the same family. 12. The process according to claim 11, characterized in that it includes: • during the protection phase (P), defining, for at least one dependent function, a group of algorithmically equivalent dependent functions: - by adding the interference field to the information that defines the functional part of the dependent function performed in unit (6), - or by using the identification field of the instruction (CII) and the expected identification field (CIPk) of the operand. 13. The process according to claims 10, 11 or 12, characterized in that it includes: • during the protection phase (P): - defining: ▸ as a procedure for renaming the order, the procedure for encrypting the order, ▸ and as a recovery procedure (20), a procedure that implements the order decryption method and thus restores the identity of the dependent function performed in unit (6). 14. A process according to one of claims 1 to 13, characterized in that it includes: • during the protection phase (P): - modification of the protected program (2p): ▸ by selecting, in the source code of the protected program (2ps), at least one conditional branching that is performed with at least one algorithm, ▸ by changing at least one selected section of the source code of the protected program (2ps), which is such that during the execution of the protected program (2p) at least one functionality of the selected conditional branching is performed using the second executable part (2peu), in unit (6), ▸ and production: � of the first object part (2pos) of the protected program (2p) which is such that during the execution of the protected program (2p) the functionality of at least one selected conditional branch is performed in unit (6), � and the second object part (2pou) of the protected program (2p), which is such that after loading into the unit (6) and during the execution of the protected program (2p), the second executable part (2peu) appears, by means of which the functionality of at least one conditional branching is performed, • and during the use phase (U): - in the presence of the unit (6) and every time the segment of the first executable part (2pes) requires it, the execution of the functionality of at least one conditional branch in the unit (6), so that the specified segment is executed correctly and that, consequently, it is a protected program (2p ) fully functional, - both in the absence of unit (6) and in the spirit of the requirement of the section of the first executive part (2pes) to perform the functionality of conditional branching in unit (6), the impossibility of correctly fulfilling the specified requirement, so that at least the specified section is not performed correctly and, consequently, the protected program (2p) is not fully functional. 15. The process according to claim 14, characterized in that it includes during the protection phase (P) the modification of the protected program (2p): ▸ by selecting, in the source code of the protected program (2ps), at least one set of selected conditional branches, ▸ by changing at least one selected section of the source code of the protected program (2p), which is such that during the execution of the protected program (2p), in unit (6) the overall functionalities of at least one set of selected conditional branches are performed using the second executable part (2peu), , ▸ and production: � of the first object part (2pos) of the protected program (2p), which is such that during the execution of the protected program (2p) in unit (6) the functionalities of at least one selected series of conditional branches are performed, � and the second object part (2pou) of the protected program (2p), which is such that after loading into the unit (6) and during the execution of the protected program (2p), the second executable part (2peu) appears, by means of which all the functionalities of at least one selected a series of conditional branches. 16. The process according to one of claims 1 to 15, characterized in that it includes the division of the protection phase (P) into a sub-phase of prior protection (P1) which does not depend on the program to be protected and a sub-phase of subsequent protection (P2) which it depends on the program being protected. 17. The process according to claim 16, characterized in that it includes, that during the sub-phase of the previous protection, a definition stage (S11) appears, during which all definitions are performed. 18. The process according to claim 17, characterized in that it includes, that after the definition stage (S11) the creation stage (S12) appears, during which the exploitation procedure is created. 19. The process according to claim 18, characterized in that it includes that after the production stage (S12) a pre-adjustment stage (S13) appears, which includes loading at least part of the exploitation procedure into the empty unit (60) with the aim of obtaining a pre-adjusted unit (66). 20. The process according to claims 17 or 18 characterized by the fact that it includes, during the sub-phase of the previous protection (P1), a tool creation stage (S14) appears, during which tools are created that enable program generation or program protection automation. 21. The process according to claims 16 and 19, characterized in that it includes the division of the sub-phase of subsequent protection (P2) into: - creation stage (S21) during which a protected program (2p) is created from an unprotected program (2v), - eventually, the modification stage (S22) during which the protected program (2p) is modified, - and eventually, the adaptation stage (S23) during which: ▸ the second object part (2pou) of the protected program (2p), which contains the procedure for exploitation, is loaded into at least one empty unit (60) with the aim of obtaining at least one unit (6), ▸ or a part of another object part (2pou) of the protected program (2p), which possibly contains a procedure for exploitation, is loaded into at least one pre-adapted unit (66), with the aim of obtaining at least one unit (6). 22. The process according to claims 20 and 21, characterized in that it includes during the stage of creation (S21), and possibly during the stage of modification (S22), the use of at least one tool that helps in generating the protected program or in automating the protection of the program. 23. A system for implementing the protection process in accordance with claim 18, characterized by the fact that it includes at least one program development unit which during the development stage (S12) is used for the construction of the exploitation procedure intended for the unit (6), taking into account the definitions that have appeared during the definition stage (S11). 24. Process implementation system according to claim 19, characterized in that it includes a pre-adjusted unit (30) which allows loading at least part of the exploitation procedure into at least one empty unit (60) with the aim of obtaining at least one pre-adjusted unit (66 ). 25. A process implementation system according to claim 20, characterized in that it includes a program development unit, which is used during the stage of creating tools (S14) by means of which the protected program is generated or program protection is automated. 26. A process implementation system according to claim 21 or 22, characterized in that it includes a program development unit used to create or modify a protected program (2p). 27. A process implementation system according to claim 21, characterized in that it includes an adaptation unit (45) that enables loading: - of another object part into at least one empty unit (60) with the aim of obtaining at least one unit (6), - or another object part (2pou) into at least one pre-adjusted unit (66) with the aim of obtaining at least one unit (6). 28. A pre-adapted unit (66), characterized in that it is obtained by the system according to claim 24. 29. The unit (6), characterized by the fact that it enables the execution of the protected program (2p) and prevents its unauthorized use, characterized by the fact that it contains the second object part (2pou) of the protected program (2p) which is loaded using the adaptation unit (45 ) in accordance with requirement 27. 30. A set of units (6), characterized by the fact that the loading of the protected program (2p) by the second object part (2pou), using the adaptation unit (45) in accordance with claim 27, is divided between several processing and storage units so that their common use enables the execution of a protected program (2p), 31. Distribution set (2pd) of the protected program (2p), characterized in that it includes: - the first distribution part (2pds) which contains the first object part (2pos) and which is designed for execution on the data processing system (3), - and the second distribution part (2pdu) which has the form: ▸ empty units (60), ▸ or a pre-adapted unit (66) according to claim 28, capable of being transformed into a unit (6) after loading in the adaptation information, ▸ or units (6) in accordance with requirement 29. 32. Distribution set (2pd) of the protected program (2p) according to claim 31, characterized in that the first distribution part (2pds) has the form of a medium for physical distribution, CDROM for example, or the form of files that are distributed over the network. 33. The distribution set (2pd) of the protected program (2p) according to claim 31, characterized in that the second distribution part (2pdu) has the form of an empty unit (60), a pre-adapted unit (66) or a unit (6), including at least one "chip" card (7). 34. A processing and storage unit, characterized in that it contains a part of the second object part (2pou) necessary for the transformation of the pre-adapted unit (66), in accordance with claim 28, into a unit (6) in accordance with claim 29. 35. A set of processing and storage units characterized by using them together and containing a part of the second object part (2pou) necessary to transform the pre-adapted unit (66) according to claim 28 into a unit (6) according to claim 29.