UA77186C2 - Method for protecting software against unauthorized use by a controlled variable - Google Patents

Abstract

The invention concerns a method for protecting, from at least a unit, a vulnerable software against its unauthorised use, said vulnerable software operating on a data processing system. The method consists in creating a protected software: by selecting in the source of the vulnerable software at least a variable; by producing the source of the protected software by modifying the source of the vulnerable software, so that the selected variable becomes resident in a unit.

Description

Description of the invention

This invention belongs to the field of data processing systems in the broadest sense of the word, and more precisely, the 2nd invention relates to means of protection against unauthorized use of the program operating in the mentioned data processing systems.

The subject of this invention refers, more specifically, to methods of protecting programs from unauthorized use based on a memory device or a processing and storage device, and this device is usually implemented in the form of a card with a microchip or a hardware key on the OB port.

In this field of technology, the main problem is related to the unauthorized use of programs by users who have not acquired the right to use them (license). Such illegal use of the programs causes clear damage to the manufacturers and sellers of the programs, and/or any other persons using such programs in their products. In order to avoid the creation of such illegal copies, a number of solutions have been proposed based on the available technical capabilities to protect such programs. 12 Yes, there is a known method of protection, which consists in the use of a hardware protective element - a physical device called an electronic protective key-plug ("add-on"). Such a security key should guarantee the execution of the program only in the presence of the key. However, we must state that this solution is ineffective, because it can be easily bypassed. An attacker can use special techniques, such as disassembly, to remove the security key control commands. At the same time, it becomes possible to make illegal copies of modified versions of the program that do not have any protection. Also, this solution cannot be extended to all applications due to the complexity of connecting more than two security keys to the same system.

Accordingly, the problem solved by the present invention is to eliminate the mentioned disadvantages by creating a method of protecting the program from unauthorized access, which uses a memory device or a processing and storage device specially created for this purpose, to the extent that the presence of such with the device is necessary for the full operation of the program. Gee)

The solution to this problem is achieved according to the invention by creating a method of protection (on the basis of at least one idle device having at least storage means) against unauthorized use of a vulnerable program operating in a data processing system. The method according to the invention is that: o - In the protection phase: c - a protected program is created: - by selecting in the source code of the vulnerable program: -- - at least one variable that partially determines its state during the execution of the vulnerable program, parts of at least one fragment containing at least one selected variable, 3o - by creating the source code of a protected program based on the source code of a vulnerable program in the modification of at least one selected fragment of the code of a vulnerable program, and this modification is such that during the execution of the protected program at least one selected variable or one copy of the selected variable resides in an idle device, which thereby becomes a device, "- and by generating a first object code portion of the protected program based on the source code C 70 of the protected program, wherein the first portion of the object code code such that during the execution of the protected program c, the first executable part executed in c is implemented data processing system, and at least one fragment

Of" which takes into account that at least one variable or one copy of the variable resides in the device - and in the use phase during which the protected program is executed: - in the presence of the device, whenever a fragment of the first executable part requires it, the variable or copy is used variable located in the device in such a way that the specified fragment 7 is executed correctly and, therefore, the protected program is fully functional; - And - while in the absence of the device, despite the request of one fragment of the first executable part, to use a variable or a copy of the variable located in the device, the possibility of a correct - response to the specified request is not ensured, so that at least the specified fragment is not executed correctly and, therefore , protected by 20, the program is not fully functional.

According to the best form of implementation of the method according to the invention: - In the protection phase: - modify the protected program: - by selecting in the source code of the protected program: 25 - at least one algorithm that during the execution of the protected program uses at least one

GF) selected variable and allows obtaining at least one resulting variable, - and at least one fragment containing at least one selected algorithm, o - by means of modification of at least one selected fragment of the code of the protected program, and this modification is such that: 60 - during execution of the protected program, the first executable part is executed in a data processing system, and the second executable part is executed in a device that also contains processing means, - at least one functional possibility of at least one selected algorithm is executed with the help of the second executable part, - at least one selected algorithm is decomposed in such a way that during the execution of the protected program, several different stages are implemented with the help of the second executable part, such as:

- provision of at least one variable for the device, - implementation in the device of the functionality of the algorithm executed on at least this variable, - ), possibly provision of at least one resulting variable by the device for the data processing system, - for at least one selected algorithm, stage commands are defined as follows, that during the execution of the protected program, each stage command is executed by means of the first executable part and causes the device to execute the stage by means of the second executable part, - and the ordering of the stage commands is selected from among the ensemble of orders that allow the execution /o of the protected program, - and by creating : - of the first part of the object code of the protected program, and the first part of the object code is such that during the execution of the protected program, stage commands are executed in accordance with the selected order, - and of the second part of the object code of the protected program, and the second part of the object object code such that /5 After loading in an idle device, during the execution of the protected program, a second executable part is implemented, with the help of which the stages, the launch of which was caused by the first executable part, are executed; - and load the second part of the object code into the idle device with the receipt of the device - and in the use phase: - in the presence of the device, whenever the stage command contained in the fragment of the first Executable part requires it, perform the corresponding stage in the device as follows so that the specified fragment is executed correctly and, therefore, the protected program is fully functional; - while in the absence of the device, despite the request of one fragment of the first executable part to start the execution of the stage in the device, the possibility of a correct response to the specified request is not ensured, so that at least the specified fragment is not executed correctly and, therefore, the protected program is not fully functional. with

According to another better form of implementation of the method according to the invention: - In the protection phase: i) - determine: - a set of elementary functions, that its elementary functions can be performed in a device that also has means of processing, "o zo - and a set of elementary commands for the specified set of elementary functions, and the specified elementary commands can be executed in the data processing system, causing the execution of elementary functions in the device; "- - construct means of operation that allow turning an idle device into a device capable of performing elementary functions from the mentioned set, and the execution of the specified elementary functions is caused by the execution of elementary commands in the data processing system; cha - modify the protected program: - by selecting in the source code of the protected program: - at least one algorithm that, during the execution of the protected program, uses at least one selected variable and allows to receive at least one resulting variable, "- at least one fragment containing at least one selected algorithm, in c - by means of modification of at least one selected fragment of the code of the protected program, and . the specified modification is such that: a - during the execution of the protected program, the first executable part is executed in the data processing system, and the second executable part is executed in the device, - at least the functional possibility of at least one selected algorithm is executed with the help of the second executable part, - at least one the selected algorithm is decomposed in such a way that during the execution of the protected

Ш- program, the specified algorithm is executed with the help of the second executable part using - elementary functions, - for at least one selected algorithm, elementary commands are integrated into the source code of the protected program in such a way that during the execution of the protected program, each elementary command is executed according

Ф with the help of the first executable part and causes the device to execute, with the help of the second executable part, an elementary function, - and the arrangement of elementary commands is selected from among the ensemble of arrangements that allow EXECUTION of the protected program, - and by creating: - the first part of the object code of the protected program, and the first part of the object code is such that in (F, during the execution of the protected program, the elementary commands are executed in accordance with the selected arrangement, and the second part of the object code of the protected program, which contains means of operation, and the second part of the program object code in such a way that after loading it into an idle device, during the execution of the protected program, a second executable part is implemented, with the help of which elementary functions are performed, the launch of which was caused by the first executable part; - and the second part of the object code is loaded into the idle device with upon receipt of the device, - and in the phase of use: - in the presence of the device, whenever required by the elementary command contained in the fragment 65 of the first executable part, perform the corresponding elementary function in the device in such a way that the specified fragment is executed correctly and, therefore, the protected program is fully functional;

- while in the absence of the device, despite the request of the fragment of the first executable part to start the execution of the elementary function in the device, the possibility of a correct response to the specified request is not ensured, so that at least the specified fragment is not executed correctly and, therefore, the protected program is not fully functional.

According to another better form of implementation of the method according to the invention: - In the protection phase: - determine: - a set of elementary functions, the elementary functions of which can be performed in the device, the 70th set of elementary commands for the mentioned set of elementary functions, and the specified elementary commands can be performed in the data processing system, causing elementary functions to be performed in the device; - construct means of operation that allow the device to perform elementary functions from the specified set, and the execution of the specified elementary functions is caused by the execution of elementary commands in the data processing system; - and modify the protected program: - by selecting at least one stage in the source code of the protected program, which during the execution of the protected program implements the functional capability of the algorithm, - by modifying at least one selected fragment of the code of the protected program, and 2o the specified modification is such that: - at least one selected stage is decomposed in such a way that during the execution of the protected program, the specified stage is executed with the help of the second executable part using elementary functions, - for at least one selected stage, elementary commands are integrated into the source code of the protected program in such a way that during the execution of the protected of the program, each elementary command is executed with the help of the first executable part and causes the device to execute, with the help of the second executable part, an elementary function, i) - and the arrangement of the elementary commands is selected in the ensemble of arrangements that allow the execution of the protected program, - and with and by creating: - the first part of the object code of the protected program, and the first part of the object code is such that during the execution of the protected program, the elementary commands are executed according to the selected arrangement, which also contains means of operation, and the second part of the object code is such that after loading into the device, during the execution of the protected program "- the second executable part is implemented, with the help of which elementary functions are performed, the launch of which was caused by the first executable part, - - and in the use phase: і- - in the presence of the device, whenever required by the elementary command contained in the part of the first executable part, perform the corresponding elementary function in the device in such a way that the specified fragment is executed correctly and, therefore, the protected program was fully functional; - while in the absence of the device, despite the request of one fragment of the first executable part on "

Starting the execution of an elementary function in the device does not ensure the possibility of a correct response to the specified request, so that at least the specified fragment is not executed correctly, and, therefore, the protected program is not fully functional. ;" According to the next best form of implementation of the method according to the invention in the protection phase, the following are determined: - at least one characteristic of the program execution, which can be controlled at least partially in the device, - AND - at least one criterion that must be fulfilled for at least one characteristic of the program execution,

Ш- - means of detection, which should be applied in the device and which allow to detect that at least one - characteristic of the program execution does not meet at least one relevant criterion, - and means of coercion, which should be applied in the device and which allow to inform the data processing system and/or modify program execution until at least one criterion is met;

F - design means of operation, which allow the device to use detection means and means of coercion; - and modify the protected program: - by selecting at least one performance characteristic of the controlled program among the performance characteristics that can be controlled, - by selecting at least one criterion that must be fulfilled for at least one selected (F, program performance characteristics, ka - by by selecting elementary functions in the source code of the protected program for which it is worth monitoring at least one characteristic of the execution of the controlled program, i.e. by modifying at least one selected fragment of the code of the protected program, and the specified modification is such that during the execution of the protected program at least one selected characteristic of the execution is controlled by means of the second executable part and non-compliance with the criterion leads to informing the data processing system and/or to modifying the execution of the protected program, i.e. by creating the second part of the object code of the protected program, which contains means 65 operation, which also involve means of detection and means of coercion, and the second part of the object code is such that after loading into the device, during the execution of the protected program, at least one characteristic of the execution of the program is controlled and non-compliance with the criterion leads to informing the data processing system and/or to modifications of the execution of the protected program - and in the use phase: - in the presence of the device: - if all the criteria corresponding to all the controlled characteristics of the execution of all modified fragments of the protected program are met, the nominal functioning of the specified fragments of the protected program and, therefore, the nominal functioning of the protected program are assumed , - and if at least one of the criteria corresponding to the characteristic of the controlled execution of one 7/0 fragment of the protected program is not observed, inform the data processing system about the specified non-compliance and/or modify the functioning of the fragment of the protected program in such a way that the function the protection of a protected program has been changed.

According to an embodiment of the method according to the invention: - In the protection phase: - defined: - as a characteristic of the program execution that can be controlled, - a variable for quantitative control of the use of one functionality of the program, - as a criterion that should be followed, - at least one threshold value associated with each variable for quantitative control, and means of renewal, allowing to renew at least one variable for quantitative control; - design means of operation that allow the device to use means of renewal; - and modify the protected program: - by selecting as a characteristic of the controlled program execution at least one variable for quantitative control of the use of one functionality of the program, sch - by selecting: - at least one functionality of the protected program, the use of which can be i) controlled using a variable for quantitative control, - at least one variable for quantitative control, which serves to quantitatively characterize the use of the mentioned functionality, Gezo - at least one threshold value associated with the selected variable for quantitative control and the corresponding limit of the use of the mentioned functionality, so - Y at least one method of updating the value of the specified variable for quantitative control depending on "- the use of the mentioned functionality, - and by means of the modification of at least one selected fragment of the code of the protected program, and

Зз5 The specified modification is such that during the execution of the protected program, the variable for quantitative control i- is updated with the help of the second executable part, depending on the use of the specified functionality, and at least one exceeding of the threshold value is taken into account - and in the use phase, in the presence of the device, in in the event that at least one exceeding of the threshold value corresponding to at least one limit of use is detected, the data processing system is informed about it or the functioning of the fragment of the protected program is modified in such a way that the functioning of the protected program is changed.

According to another variant of the implementation of the method according to the invention: - in the protection phase: - determine: - several corresponding threshold values for at least one variable for quantitative control, - AND - І various means of coercion corresponding to each of the indicated thresholds; - and modify the protected program:

Ш- - by selecting in the source code of the protected program at least one variable for quantitative - control, with which several threshold values corresponding to various limits must be associated 5r Use of functionality, со - by selecting at least two threshold values, associated with the selected variable for quantitative

F control, - by means of modification of at least one selected fragment of the code of the protected program, and the specified modification is such that during the execution of the protected program, exceeding various threshold values are taken into account with the help of the second executable part in various ways, - and in the use phase: (F, - in the presence of the device: ka - in the event that the first threshold value is exceeded, command the protected program not to use the corresponding functional option in the future, 60 - and in the case that the second threshold value is exceeded, make the corresponding functional option impossible and/or at least part of a protected program.

According to a further embodiment of the method according to the invention: - In the protection phase: - reset means are defined, allowing at least one additional use 65 of at least one functionality of the program controlled by means of a variable for quantitative control;

- design the means of operation, which also allow the device to use the means of rebooting; - and modify the protected program: - by selecting in the source code of the protected program at least one variable for quantitative

A control that allows limiting the use of one functionality for which there is a possibility of allowing at least one additional use - and by modifying at least one selected fragment, and said modification is such that in the restart phase at least one additional use of at least one functionality that corresponds to one selected variable for quantitative control, may be allowed, 70 - and in the restart phase: - renew at least one selected variable for quantitative control and at least one corresponding threshold value so as to allow at least one additional use of the functionality. According to the embodiment of the method according to the invention: - In the protection phase: - determine: - as a characteristic of the program execution that can be controlled, - a profile of the use of the program, - and as a criterion that should be followed, - at least one feature of the program execution; - and modify the protected program: - by selecting at least one profile as the performance characteristics of the controlled program

Using the program, - by selecting at least one feature of program execution that at least one usage profile must comply with, - and by modifying at least one selected piece of code of the protected program, and said modification is such that during the execution of the protected program, the second executable part complies with

All selected features of performance - and in the use phase, in the presence of the device, if it is found that at least one i) feature of performance is not observed, the data processing system is informed about this and/or the functioning of a part of the protected program is modified so that the functioning of the protected program has been changed.

According to a further variant of the implementation of the method according to Gezo's invention - In the protection phase: - define: co - a set of instructions, the instructions of which can be executed in the device, "- - a set of instruction commands for the indicated set of instructions, and the instruction commands can be executed in the data processing system, causing the device to execute instructions, і- - as a usage profile - instruction coupling, і- - as an execution feature - the desired coupling for the execution of instructions, - as means of detection - means that allow you to detect that the coupling of instructions does not match desired, - as means of coercion - means that make it possible to inform the data processing system and/or modify the functioning of a fragment of the protected program, if the coupling of instructions does not correspond to the desired; "- construct means of operation that allow the device to execute instructions from a set of instructions, with the execution of the specified instructions being triggered by the execution of instruction commands in the data processing system; - It is modified by a protected program: and ;" - by modifying at least one selected fragment of the code of the protected program: - by converting elementary functions into instructions, - by means of a coupling task that must be followed by at least some of the instructions during their execution in the device, - and by converting elementary functions commands to corresponding instruction commands

Ш- used instructions, - - and in the use phase, in the presence of the device, if it is found that the coupling of the instructions executed in the 5r device does not correspond to the desired one, the data processing system is informed about this and/or the functioning of the protected program fragment is modified so that so that the functioning of the protected program is changed.

Ф According to another better form of implementation of the method according to the invention: - In the protection phase: - defined: - as a set of instructions - a set of instructions in which at least some instructions work on registers and use at least one operand to issue a result, (Ф, - at least for the part of the instructions that work on registers: ka - the part that specifies the functional possibility of the instruction, - the part that specifies the desired coupling for the execution of the instructions and contains bit fields that correspond to: in - the identification field of the instruction, - and for each operand of the instruction: - the field of the flag, - the field of identification provided for the operand, - for each register belonging to the means of operation and the set of instructions used, - field 65 of the provided identification, in which the identification of the last instruction that returned its result to the specified register is automatically remembered ,

- as means of detection - means that allow, during the execution of the instruction for each operand, when the flag field requires it, to control the equality between the field of the generated identification corresponding to the register used by the mentioned operand and the field of the predicted identification of the starting address of this operand, - Its as means of coercion - means that allow you to modify the result of the execution of instructions if at least one of the controlled equalities is false.

According to another better form of implementation of the method according to the invention: - In the protection phase: 70 - are defined: - as a start command - an elementary command or an instruction command - as a dependent function - an elementary function or an instruction - as a setting parameter - at least one an argument to the run command that corresponds, at least in part, to the information passed by the data processing system to the device to cause the corresponding /5 dependent function to run - a method of renaming the settable parameters that allows the settable parameters to be renamed to produce run commands with renamed settable parameters, - and recovery means intended to be applied to the device in the use phase and which allow finding a dependent function that needs to be performed based on the renamed configuration parameter; - construct means of operation that allow the device to use recovery means; - and modify the protected program: - by selecting in the source code of the protected program the launch command, - by modifying at least one selected fragment of the code of the protected program by renaming the configuration parameters of the selected launch commands to hide the identity of the corresponding c h Dependent Functions, o - and by by creating: - the first part of the object code of the protected program, and the first part of the object code is such that during the execution of the protected program, launch commands with renamed setting parameters are executed, "o zo - and the second part of the object code of the protected program, containing means of operation, which also use means of recovery, and the second part of the object code is such that after loading into the device, during the execution of the protected program, the identity of the dependent functions, the execution of which is caused by the first "- executable part, are restored with the help of the second executable parts, and dependent functions are performed according to with the help of the second executable part, c. - and in the use phase: і- - in the presence of the device, whenever it is required by the run command with renamed configuration parameters contained in the fragment of the first executable part, restore the identity of the corresponding dependent function in the device and execute it so that the specified fragment is executed correctly and, therefore, the protected program was fully functional; " - while in the absence of the device, despite the request of the fragment of the first executable part to start eta) with the execution of the dependent function in the device, the possibility of a correct response to the specified request is not ensured,

And so that at least the specified fragment is not executed correctly, and, therefore, the protected program is not and? fully functional.

According to one of the variants of the implementation of the method according to the invention: - In the protection phase: - AND - define for at least one dependent function a family of algorithmically equivalent dependent functions, which are called by the launch commands, that their renamed setting parameters are different;

Ш- - and modify the protected program: - - by selecting in the source code of the protected program at least one launch command with renamed configuration parameters, so - and by modifying at least one selected fragment of the code of the protected program by

Ф replacing at least the renamed set parameters of the launch command with the selected set of set parameters with other renamed set parameters that causes the dependent function to run, from the same family.

According to the implementation variant, the method according to the invention includes: - in the protection phase, the determination, for at least one dependent function, of a family of algorithmically equivalent

Ф) dependent functions ka - by combining the noise field with information that defines the functional part of the dependent function that is performed in the device, or by using the identification field of the instruction and the identification field provided for the operand.

According to the implementation variant of the method according to the invention: - in the protection phase, the following are defined: - as a method of renaming the set parameters - an encoding method for encoding the set parameters, 65 - and as recovery means - means that apply a decoding method to decode the renamed set parameters and restore the identity dependent functions that should be performed in the device.

According to another better form of implementation of the method according to the invention: - In the protection phase: - the protected program is modified: - by selecting in the source code of the protected program at least one conditional transition performed in at least one selected algorithm, - by modifying at least one selected fragment code of the protected program, and the specified modification is such that during the execution of the protected program, the functional possibility of at least one selected conditional transition is performed, with the help of the second executable part, in the device, 70 - and by creating: - the first part of the object code of the protected program, and the first part of the object code is such that during the execution of the protected program, the functional possibility of at least one selected conditional transition is executed in the device, and the second part of the object code of the protected program, and the second part of the object code is such that /5 After downloading to the device during the execution of a protected game we implement a second executable part, with the help of which the functionality of at least one selected conditional transition is performed - and in the use phase: - in the presence of the device, whenever a fragment of the first executable part requires it, perform the functions of at least one selected conditional transition in the device as follows so that the specified fragment is executed correctly and, therefore, the protected program is fully functional; - and in the absence of the device, despite the request of the fragment of the first executable part to perform conditional transition functions in the device, the possibility of a correct response to the specified request is not ensured, so that at least the specified fragment is not executed correctly and, therefore, the protected program is not fully functional. high school

According to the following variant of the implementation of the method according to the invention, in the protection phase, the protected program is modified: - by selecting at least one series of selected conditional transitions in the source code of the protected program, - by modifying at least one selected fragment of the code of the protected program, and the aforementioned modification such that during the execution of the protected program, the global functionality of at least one selected series of conditional transitions is performed in the device by means of the second executable part, "- - and by creating: - the first part of the object code of the protected program, and the first part of the object" object code such that - during the execution of the protected program, the functional possibility of at least one selected series of conditional transitions is executed in the device, - and the second part of the object code of the protected program, and the second part of the object code is such that after loading into the device , during the execution of the protected program implements a second executable portion that executes the global functionality of at least one selected series of conditional transitions. The method according to the invention also allows to protect the use of the program by using the device. storage, the feature of which is the ability to contain part of the executable program. It follows that any derivative version of the program that attempts to function without the storage device will require the part of the program contained in the storage device to be reproduced during execution. As a result, this derivative version of the program will not be fully functional. Other various properties of the invention will become clear from the following description, which is provided with reference to the attached drawings, which show, as non-limiting examples, possible variants and forms of implementation and use of the invention. - Figures 10 and 11 are functional block diagrams illustrating various representations of the program, respectively unprotected and protected by the method according to the invention. 20-22 are shown as examples of various forms of the device for implementing the method according to

F invention.

Figures 30 and 31 are functional block diagrams explaining the general principle of the method according to the invention.

Fig.40-43 are diagrams illustrating the method of protection according to the invention, which implements the principle of protection by means of a variable.

F) Fig. 50-54 are diagrams illustrating the method of protection according to the invention, which implements the principle of protection by means of separation in chavsa.

Fig. 60-64 are diagrams illustrating the method of protection according to the invention, which implements the principle of Protection by means of elementary functions.

Fig.70-74 are diagrams illustrating a method of protection according to the invention, which implements the principle of protection by means of detection and coercion.

Fig.80-85 are diagrams illustrating a method of protection according to the invention, which implements the principle of protection by renaming. 65 Fig.90-92 are diagrams illustrating the method of protection according to the invention, which implements the principle of protection by means of a conditional transition.

Fig. 100 is a diagram illustrating various phases of the implementation of the invention.

Fig. 110 shows an example of the implementation of the system, which allows to implement the stage of construction of the protection phase according to the invention.

Fig. 120 shows an example of the implementation of the pre-personalization device used in the protection method according to the invention.

Fig. 130 shows an example of the implementation of the system, which allows to implement the stage of manufacturing means for the protection phase according to the invention.

Fig. 140 shows an example of the implementation of the system, which allows applying the method of protection according to the invention.

Fig. 150 shows an example of the implementation of the personalization device used in the protection method according to the invention.

The following definitions are used in the description: - A data processing system is a system capable of executing a program. - A storage device is a device capable of receiving data transmitted by the data processing system, storing the data, and returning it as requested by the data processing system. - A processing and storage device is a device capable of: - receiving data transmitted by the data processing system, - returning data to the data processing system, - keeping data secret, at least partially, and storing at least part of it even when the device is disconnected from power, - and carry out algorithmic processing of data, and this processing is partially or completely secret. - Device 6 is a storage device or a processing and storage device that implements the method according to the invention. - An idle device 60 is a device that does not use the method according to the invention, but which can receive information that turns it into a device 6. - An idle device 60 can become a device 6 during the execution of a program protected by the method according to i) the invention , and after execution again become an idle device 60. - Pre-personalized device 66 is an idle device 60 that has received some information that allows it, after receiving additional information, to be transformed into a device 6. Gezo - Loading data into an idle device 60 or in the pre-personalized device 66 corresponds to the transfer of information to the idle device 60 or to the pre-personalized device 66 and the coincidence of the specified transmitted data. Transmission of information may include changing its format. "- - The variable, value or function contained in the Z data processing system are hereinafter referred to as capital letters, and the variable, value or function contained in the device 6 are hereinafter referred to as lowercase letters. - "Protected program" is a program that has been protected on the basis of at least one protection principle implemented in the method according to the invention. - "Vulnerable program" is a program that was not protected by any of the protection principles implemented in the method according to the invention. - In the case when the difference between a vulnerable and a protected program is insignificant, the term ""program" is used. c - The program can be presented in a variety of forms according to the moment of its life cycle, i.e. as: - source code, c - object code, - distribution, - dynamic representation. - AND - Representation of the program in the form of source code is understood as a representation that gives, after transformation, a representation in the form of object code. Representation in the form of source code can be applied at various levels, from the abstract conceptual level to the level directly executed by a data processing system or a processing and storage device. - The object representation of the program (object code level representation) corresponds to the representation level at which the program, after transfer to the distribution and subsequent loading into the processing system

F data or processing and storage device, can be performed. It can be, for example, binary code, interpreted code, etc. - A distribution is a physical or virtual medium containing an object representation, and this distribution must be made available to the user to allow him to use the program. - Dynamic presentation corresponds to the execution of the program from the distribution. (F) - A program fragment corresponds to a certain part of it and can, for example, correspond to one or more instructions (sequential or not) and/or one or more function blocks (sequential or not), and/or one or more functions, and/ or one or more routines, and/or one or more modules. because a fragment of the program can correspond to the entire program as a whole.

Figures 10 and 11 show various views of the generally vulnerable program 2y and the program 2p protected according to the invention, respectively.

Figure 10 shows various representations of the vulnerable program 2y that appear during its life cycle. Vulnerable 2M program can appear in one of various forms, i.e. as: 65 - source code 25; - object code 2mo;

- 2ud distribution, which can usually be provided on a physical medium, for example, on a CD, or in the form of files transferred over the network (according to the OZM standard, over the Internet, etc.); - in the form of a dynamic representation of 2m, which corresponds to the execution of a vulnerable program 2m in a data processing system Z of any known types, which in the classic case contain at least one processor 4.

Fig. 11 illustrates various representations of the protected program 2p that appear during its life cycle. The protected program 2r may also appear in the form of: - source code (representation) 2rz, containing the first part of the source code intended for the data processing system C, and possibly the second part of the source code intended for the device 6, and part of these 7/0 parts of the source code can usually be contained in common files; - object representation 2ro, containing the first part of the 2roz object code intended for the data processing system Z, and possibly the second part of the 2roi object code intended for the device 6; - the 2nd distribution, containing: - the first part of the 2rd distribution, which contains the first part of the 2rd object code, and this first / 5th part of the 2rd distribution is intended for the Z data processing system and can be presented normally in the form of a distribution on a physical medium, for example on a CD, or in the form of files transferred over the network (according to the O5M standard, over the Internet, etc.), - it, the second part of the 2rd distribution, presented in the form of: - at least one idle device 60, - or at least one pre-personalized device 66 , into which a part of the second part 2 of the object code has been downloaded and for which the user must complete the personalization by downloading additional information in order to receive the device 6, and this additional information can come, for example, by downloading or transmitting over a network,

In or at least one device 6 into which the second part of the object code was loaded; c - or in the form of a dynamic representation of 2r, which corresponds to the execution of a protected program 2r. This dynamic representation of 2re contains the first executable part of 2rez, which is executed in the system C of data processing i) and the second executable part of 2rez, which is executed in the device 6.

In the case when the difference between various representations of the protected program 2p is insignificant, the expressions "the first part of the protected program" and "the second part of the protected program" are used. Fig. 1. An implementation of the method according to the invention according to the dynamic representation illustrated in FIG

Fig. 11 uses a protection device containing a data processing system connected by a communication line 5 to a device 6. The data processing system can be of any type and typically contains at least one processor 4 A data processing system can be a computer or be part of, for example, various machines, devices, stationary or mobile products, including any vehicles. The communication line 5 can be implemented in any possible way, for example, by a serial transmission line, by an OV bus, by radio, by an optical channel, by a network, or through a direct electrical connection to the circuitry of the data processing system, etc. . It should be noted that the device 6 can be physically located inside the same integrated circuit as the processor 4 of the data processing system. In this case, the device 6 can be considered as a co-processor in relation to the processor 4 of the data processing system, and the communication line 5 is an internal communication line « 70 V integrated circuit. from c Fig. 20-22 show as examples, which do not exhaust the possible options, various forms of implementation of the protection device, which allows to implement the method of protection according to the invention. ;" In the implementation example of Fig. 20, the protection device Tr contains, as a data processing system, a computer and, as a device 6, a card 7 with a microchip and its interface 8, usually called a card reader. Computer Z is connected to device b using line 5 of communication. During the execution of the protected program 2r, the first -I executable part 2rez, which is executed in the data processing system C, and the second executable part 2rec, executed in the card 7 with a microchip and in its interface 8, must be functional in order for the protected program 2r

Sh- was fully functional. - In the implementation example of Fig. 21, the protection device Tr is contained in a product of a general type, which contains 5 or various organs 10, adapted to the function or to the functions implemented by such a product 9. The protection device Tr so contains, on the one hand, a processing system data, mounted in the product 9, and, on the other hand, the device 6,

Ф is associated with product 9. For product 9 to be fully functional, the protected program 2p must be fully functional. Thus, during the execution of the protected program 2p, both the first executable part 2rez, which is executed in the data processing system C, and the second executable part 2reits, which is executed in the device 6, must be operational. This protected program 2p therefore allows you to indirectly protect the product 9 or one of its functions from unauthorized use. Product 9 can be, for example, an installation, a system, a machine, a toy, an electrical household appliance, a telephone. In the implementation example of Fig. 22, the protection device contains a set of computers, as well as a part of the communication network. The data processing system is the first computer connected by means of the line 5 of Network-type communication with the device 6, which is the second computer. To implement the invention, the second computer is used as a license server for the protected program 2r. during the execution of the protected program 2p, both the first executable part 2rez, which is executed in the first computer Z, and the second executable part 2rea, which is executed in the second computer 6, must be functional so that the protected program 2p is fully functional. 65 Fig.30 allows to explain more precisely the method of protection according to the invention. It should be noted that the vulnerable program 2m is considered as being executed entirely in the data processing system Z. On the contrary, in the case of the implementation of the protected program 2r, the system Z o the data block contains transmission means 12 connected by a communication line 5 with transmission means 13, which make up part of the device 6, which allows the first executable part 2rez and the second executable part 2rey of the protected program 2r to communicate with each other.

It should be borne in mind that the transmission means 12, 13 are implemented in software or hardware and are able to ensure and possibly optimize the data transfer between the data processing system and the device 6. These transmission means 12, 13 are adapted to allow the use of the protected program 2r , which is better independent of the type of communication line 5 used. These transmission means 12, 13 do not relate to the subject of the invention and are not described in detail, as they are well known to those skilled in the art. The first part of the protected program 2p 7/o Contains commands. During the execution of the protected program 2r, the execution of these commands by the first executable part of 2rez allows communication between the first executable part of 2rez and the second executable part of 2rez.

Further in the description, these commands are presented as IM, OT or TC.

As shown in Fig.31, in order to allow the implementation of the second executable part 2rey of the protected program 2p, the device 6 contains means 14 of protection. If the device 6 is a memory device, the means of protection 14/5 contain the means of memory 15. If the device is a processing and storage device, the means of protection 14 include means of memory 15 and means of processing 16.

To simplify the further description, we will assume that during the execution of the protected program 2, the device 6 is available or the device 6 is absent. In fact, the device 6 in the event that it contains the means of protection 14 is not adapted to the execution of the second executable part 2rey of the protected program 2r, it is also considered as missing whenever the execution of the protected program 2r is not correct. In other words: - the device b, which is physically present and contains means of protection 14 adapted to the execution of the second executable part 2rey of the protected program 2p, is always considered as present; - device 6, physically present, but containing unsuitable means of protection 14, that is, which do not allow the correct implementation of the second executable part 2rey of the protected program 2r, is considered as present if it functions correctly, and as absent if it does not function correctly; device 6, physically absent, is always treated as absent. (8)

If the device b consists of a card 7 with a microchip and its interface 8, means 13 of transmission are divided into two parts, one of which is on the interface 8, and the other - on the card 7 with a microchip. In this implementation example, the absence of the microchip card 7 is considered equivalent to the absence of the Ge device 6. In other words, in the absence of the microchip card 7 and/or its interface 8, the protection means 14 are unavailable and, therefore, do not allow the execution of the second executable part 2 of the protected program , so that the protected program 2p is not fully functional. "-

According to the invention, the method of protection is aimed at implementing the so-called principle of protection using a variable, the description of which is given with reference to Fig.40-43. in.

To implement the principle of protection using a variable in the source code 2uz of a vulnerable program, at least one variable is selected, which partially determines its state during the execution of the vulnerable program 2y. The state of the program is understood as the totality of information currently necessary for the full execution of this program.

Therefore, the absence of the specified selected variable prevents the complete execution of this program.

At least one fragment of the source code of the vulnerable program containing at least one selected variable is also selected. at least one selected piece of code 2uz of the vulnerable program in this case is modified to . get the source code of the 2rz protected program. This modification is such that during the execution of the protected program, 2r, at least one fragment of the first executable part 2rev5, which is executed in the data processing system, takes into account that at least one selected variable or at least one copy of the selected variable is located in the device 6. To implement the principle of protection using a variable, the device 6 contains at least means 15 -I memorization

Fig. 40 shows an example of the representation of a vulnerable program 2y. In this example, during execution

Sh- of the vulnerable program 2y in the data processing system Z take place: - - at the time of assigning the value X to the variable M, which is given as M.--X; - at the time of its assignment of the value of the variable M to the variable M, which is given as U Mu;

Me - at the moment of assigning the value of variable M to variable 7, which is given as 74.M.. 4) Fig. A4A1 shows an example of the first form of implementation of the invention, for which the variable is located in device 6. In this example, during execution in the system From the data processing of the first executable part 2rez of the protected program 2r in the presence of the device 6, the following are carried out: - at the time of its execution of the transfer command, which causes the transfer of data X from the data processing system C to the variable m located in the means 15 of the device 6's memory, and this the transfer command is given as i) OSHtm., X) and corresponds to the assignment of the value X to the variable m upon completion; ko - at the time of its execution of the transfer command, which causes the transfer of the value of the variable m 4, located in the device 6, to the data processing system Z in order to assign its value to the variable U, and this transfer command is given, 6o as IM(m4,) and corresponds to upon completion of assigning a value to the variable Y; - at the moment of execution of the transfer command, which causes the transfer of the value of the variable m 4, located in the device 6, to the data processing system Z in order to assign its value to the variable 7, and this transfer command is given as IM(m4) and corresponds to the assignment of the value upon completion m. variable 7.

It should be noted that during the execution of the protected program 2p, at least one variable is located in the device 6. 65 Thus, when the first executable part 2rez of the protected program 2p requires it, in the presence of the device 6, the value of this variable located in the device 6 is transferred to the system From data processing to be used by the first executable part 2rez of the protected program 2r in such a way that this part is executed correctly, and therefore the protected program 2r is fully functional.

Fig. 42 shows an example of the second form of implementation of the invention, for which a copy of the variable is located in the device 6. In this example, during the execution of the data processing of the first executable part 2 of the protected program 2 in the presence of the device 6 in the Z system, the following actions are performed: - at the moment ( assignment of the value X variable M 4 located in the data processing system Z, as well as the execution of the transfer command that causes the transfer of data X from the data processing system Z to the variable mi located in the storage means 15 of the device 6, and this transfer command is presented as ОШТ( m 4, X); 70 - at the moment y5 - assignment of the value of the variable M to the variable Y; - at the moment iz - execution of the transfer command, which causes the transfer of the value of the variable M, located in the device 6, the data processing system Z, in order to assign it the value of the variable is 7, and this transfer command is given as IM(m4).

It should be noted that during the execution of the protected program 2p, at least one copy of one variable /5 is located in the device 6.

Thus, when required by the first executable part 2rez of the protected program 2p, in the presence of the device 6, the value of this copy of the variable located in the device 6 is transferred to the data processing system C to be used by the first executable part 2rez of the protected program 2p in such a way that this part was performed correctly and, therefore, the protected program 2p was fully functional.

Fig. 43 shows an example of an attempt to execute the protected program 2r in the absence of device 6. In this example, during the execution of the data processing system Z of the first executable part 2rez of the protected program 2r: - at the time of its execution, the transmission command OSHT(m4, X) cannot cause the transfer of data X to variable m, given the absence of device 6; "at the moment of execution of the transfer command IM(m4) cannot cause the transfer of the value of the variable m to the system of data processing, due to the absence of device 6; "at the moment of execution of the transfer command GM(m4) cannot cause the transfer of the value of the variable m to the system With i) data processing, given the absence of device 6.

Thus, it appears that in the absence of device 6, at least one request of one fragment of the first executable part 2rez to use a variable or a copy of a variable located in device 6 cannot be executed correctly, so that at least this part is not executed correctly, and , therefore, the protected program 2p is not fully functional. co

It should be noted that data transfer processes between data processing system C and device b use only simple assignments (which is illustrated in the above examples). However, a specialist will be able to combine them with other operations to obtain complex operations, for example ОШТ(m 4, 2"Х3) or и- 2--(5'Muvmo). h-

According to another best feature of the invention, the protection method is oriented to the implementation of the protection principle called "time division", the description of which is made with reference to Fig.50-54.

To implement the principle of protection by time division in the source code of the vulnerable program "at least one algorithm is selected that uses at least one operand and produces at least one result. At least one fragment of the source code 2u5 of the vulnerable program is also selected, which also contains at least one selected algorithm. In this case, at least one selected fragment of the code 2uz of the vulnerable program is modified to "» receive the source code 2rz of the protected program. This modification is such that: - during the execution of the protected program 2r, at least one fragment of the first executable part 2rev, which is executed in the system C data processing, takes into account that the functional possibility of at least one selected algorithm is performed in the device 6; - during the execution of the protected program 2r, the second executable part of the 2rea, which is executed in the device 6, - performs at least the functional possibility of at least one selected algorithm; - - in during the execution of the protected program 2r, each selected algorithm is divided into several different stages, such as:

Me - stage 1: provision of at least one operand for the device 6, 4) - stage 2: execution in the device 6 of the functionality of the selected algorithm using this or these operands, - stage 3: possible provision by the device 6 to the data processing system of the result of the execution of the selected algorithm ; - stage commands are defined in such a way as to trigger the execution of stages, and - the arrangement of stage commands is selected from among the ensemble of arrangements that allow the execution of the protected program 2r. The first executable part 2rez of the protected program r, which is executed in the data processing system Z, executes stage commands, which causes the device b to execute, with the help of the second executable part 2rey, each of the given stages. To implement the principle of protection by time division, the device b contains storage means 15 and processing means 16.

Fig. 50 shows an example of the execution of the vulnerable program 2y. In this example, during the execution of the vulnerable program 2y in the data processing system Z, at this moment in time, the calculation 2.-K(X, Y) is performed, which corresponds to the assignment to variable 7 of the result of the execution of the algorithm given by the function E and using the operands X and Y. 6E Fig. 51 shows an example of the implementation of the invention, in which the processing of the selected algorithm (Fig. 50) is transferred to the device 6. In this example, during the execution in the system C of data processing of the first executable part 2rez of the protected program 2p in the presence of the device 6, have place: - at the moment and. - stage 1, such as the execution of the CE command of stage 4, which causes the transfer of X and Y data from the data processing system Z in the memory area x and y, respectively, located in the means 15 of the device 6, and this CE command) ; stage is presented as ОШТХx, Х), ОШТХ, ХМ); - at the moment io - stage 2, such as the execution of the command CE" of the stage, which causes the device 6 to execute, with the help of the second executable part of 2reits, the function y, and this function Her is algorithmically equivalent to the function P. This command of the CE" stage is given as TKIS(Y). More precisely, the execution of the SE » stage command leads to the execution of the Her function, which uses the contents of the memory areas x and y and returns its result to the memory area 2 of the device 6; 70 - at moment b - stage 3, namely the execution of the command SE"from the stage, which causes the transfer of the result of the Her function, which is contained in the memory area 27 of the device 6, to the data processing system Z, in order to assign its value to the variable 7. This command SE" of the stage is presented as IM(7).

In the given example, steps 1 to 3 are performed sequentially. It should be noted that two such improvements can be made. - The first improvement concerns the case when several algorithms are carried out in the device 6 and at least the result of the execution of one algorithm is used by another algorithm. In this case, some transfer steps may be removed. - The second improvement is aimed at the proper ordering of stage commands in the ensemble of orders that allow the execution of the protected program 2y. In this regard, it is better to choose such an arrangement of stage commands that separates the execution time of the stages, inserting between them sections of code executed in the Z data processing system, and which contains (or not) stage commands that serve to define other data. Figures 52 and 53 illustrate the principle of such an implementation.

Fig. 52 shows an example of the execution of the vulnerable program 2y. In this example, during the execution of the vulnerable program 2y in the data processing system Z, the execution of two algorithms is carried out, which lead to the determination of 7 and s ov E, such that 2--НК(Х, Хи 2. (Х, M).

Fig. 53 shows an example of the implementation of the method according to the invention, in which both of the algorithms selected in Fig. 52 are placed in the device 6. According to this example, during the execution of the data processing system C of the first executable part 2 of the protected program 2 in the presence of the device 6 takes place, as explained above, the execution of commands CE 4, CE", CE of stages corresponding to definition 7, and commands CE/, CE" CE of stages that "about

Correspond to definition 2. As shown in the example, teams of stages with CE; to SE" are not performed sequentially, since the stage commands from SE alternate with them. to SEu, as well as other sections of the code. In this example, in this way, the following ordering is implemented: SE in inserted code fragment, SE", inserted code fragment, -pee

SEU, inserted code fragment, SE"", inserted code fragment, SEz, inserted code fragment, SEz.

It should be noted that during the execution of the protected program 2p in the presence of the device 6, whenever this is required by the stage command contained in the first part of the executable part 2rez of the protected program 2p, the corresponding stage is executed in the device 6. Thus, in the presence of the device 6, this part is performed correctly and, therefore, the protected program 2p is fully functional.

Fig. 54 shows an example of an attempt to execute the protected program 2r in the absence of device 6. In this example, during the execution of the data processing system Z of the first executable part 2rez of the protected program 2r: « - at the moment y/ - execution of the command of the stage OSHT(x, X ), OSHT(U, U) cannot cause the transfer of data Хі to ХХ s memory area, respectively х and у, due to the absence of device 6; y - at the moment y - the execution of the command of the TKIS(Y) stage cannot cause the execution of function y, given the "" absence of device 6; - Her at the time of departure - the execution of the IM(7) stage command cannot cause the transfer of the result of the Her function, in view of

In the absence of device 6. -and Thus, it is considered that in the absence of device b at least one request of one fragment of the first executable part 2rez to start the execution of the stage in device b cannot be correctly executed, so that at least this part is not executed correctly, and , therefore, the protected program 2p is not fully functional. - According to another better characteristic of the invention, the protection method is aimed at implementing the protection principle called "elementary functions", the description of which is illustrated in Fig. 60 - 64. Because to implement the protection principle by means of elementary functions, the following are defined:

F - a set of elementary functions, the elementary functions of which can be performed with the help of the second executable part of the 2ray, in the device 6, possibly with subsequent data transfer between the data processing system C and the device 6; - A set of elementary commands for this set of elementary functions, and these elementary commands can be executed in the data processing system, causing the device 6 to perform the corresponding elementary iF) functions. In order to implement the principle of protection with the help of elementary functions, means of operation must also be implemented, which allow converting the idle device 60, which contains the means of memory 15 and the means of processing 16, into a device b capable of performing elementary functions. At the same time, the execution of these elementary functions is called by the execution of elementary commands in the Z data processing system.

To implement the principle of protection with the help of elementary functions, at least one algorithm that uses at least one operand and produces at least one result is also selected in the source code of the 2u8 vulnerable program. At least one fragment of the source code of the vulnerable 65 program containing at least one selected algorithm is also selected.

In this case, at least one selected fragment of the code of the vulnerable program is modified in such a way as to obtain the source code of the protected program. This modification is such that: - during the execution of the protected program 2p, at least one fragment of the first executable part 2rev, executed in the data processing system C, takes into account that the functionality of at least one selected algorithm is executed in the device 6; - during the execution of the protected program 2r, the second executable part of the 2rea, which is executed in the device 6, implements at least one functional possibility of at least one selected algorithm; - each selected algorithm is decomposed in such a way that during the execution of the protected program 2r, each selected algorithm is executed with the help of the second executable part of the 2rea using elementary 70 functions. Each selected algorithm is better decomposed into elementary functions Te, (where n ranges from 1 to M), such as: - possibly into one or more elementary functions that allow providing one or more operands for device 6, - into elementary functions , some of which use one or more operands and which in combination 7/5 Implement the functional possibility of the selected algorithm using these operands, - and, possibly, to one or more elementary functions that allow using the device 6 to provide the system with data processing result of execution of the selected algorithm; - and the arrangement of elementary commands is selected from the ensemble of arrangements that allow to execute the protected program 2r. The first executable part 2rez of the protected program 2p, which is executed in the data processing system Z, executes elementary commands CEE, (where n ranges from 1 to M), which causes the device 6 to execute, with the help of the second executable part 2rey, each of the above-mentioned elementary commands functions Te,.

Fig. 60 shows an example of the execution of the vulnerable program 2y. In this example, during the execution of the vulnerable program 2y in the data processing system Z, at this moment in time, the calculation 2.-K(X, Y) is carried out, which corresponds to the assignment to variable 7 of the result of the execution of the algorithm given by the function E and using the operands X and Y .

Fig. 61 shows an example of the implementation of the invention, in which the execution of the selected algorithm corresponding to

Fig. 60, displayed in the device 6. In this example, during the execution of the data processing of the first executable part 2rez of the protected program 2p in the system Z, in the presence of the device 6, the following occur: - at the moments of Her, and - the execution of the elementary commands SERE, SERE" , which causes the device 6 to execute, according to Ge) with the help of the second executable part 2rets, the corresponding elementary functions Te, Teo, which ensure the transfer of data X, XU from the data processing system Z in the memory area, respectively, x and y, located in the means 15 with device memory b, and these elementary commands SERE 4, SERE" are presented respectively as ОШХХ, Х), "--

OTSTU, X; - at moments from B to (04 - execution of elementary commands from SEREz to SEREmM., which causes the device 6 in

Зз5 Execution, with the help of the second executable part of the 2rey, of the corresponding elementary functions from Те with to Тем, and these elementary commands from СРЕз to СЕРЕ. 4 are submitted, respectively, as TKIS (Tem. 3) - TKIS (Tem. 4). The sequence of elementary functions from Thes to Thems, executed in combination, is algorithmically equivalent to the function R. More precisely, the execution of these elementary commands leads to the execution of elementary functions in the device b

Tez-Tem.l, which use the contents of memory areas x, y and return the result to memory area 2 of device 6; " - at the moment of them - the execution of the elementary command SERE, which causes the device b to execute, with the help of (pe) from the second executable part of the 2rey, the elementary function Tem, which ensures the transfer of the execution result and the algorithm contained in the memory area 72 of the device 6, to the Z data processing system to assign this result "" to variable 7, and this elementary command SEREu| given as IM(2).

In the given example, elementary commands from 1 to M are executed sequentially. It should be noted that it is possible

Make two such improvements. -and - The first improvement refers to the case when several algorithms are assigned to the device 6 and at least the result of the execution of one algorithm is used by another algorithm. In this case, some basic and transmission commands can be removed. - - The second improvement is aimed at the proper arrangement of elementary commands in the ensemble of arrangements, 5p, which allow to execute the protected program 2p. because In this regard, it is better to choose such an arrangement of elementary commands that separates in execution time

Ф of elementary functions, inserting between them sections of the code executed in the data processing system Z, and contains (or does not contain) elementary commands that serve to define other data. Figures 62 and 63 illustrate the principle of such an implementation.

Fig. 62 shows an example of the execution of the vulnerable program 2y. In this example, during the execution of the vulnerable program 2 in the data processing system Z, two algorithms are executed that lead to the determination of 7 and iF) 7, such that 2. given an example of the implementation of the method according to the invention, in which the execution of both selected algorithms corresponding to Fig. 62 is carried out in the device 6. According to this example, during the execution of the first executable part 2rez of the protected program 2p in the system Z of data processing, in the presence of the device 6, there is, as explained above, the execution of elementary commands from SERE 4 to SEREm, which corresponds to definition 7, the execution of elementary commands from SERE to SEREu", which corresponds to definition 7. As shown in this figure, the elementary commands from SERE to SEREu are not executed sequentially, i.e. elementary commands from SERE / to

CEEu/, as well as other sections of the code alternate. In this example, thus, the following ordering is implemented: 65 SEBE, inserted code fragment, CREP/, CERE", inserted code fragment, CERE", CEEuz, inserted code fragment, CERE, CEEz, CEE,,..., CEREM, SULFUR in.

It should be noted that during the execution of the protected program 2p in the presence of the device b every time the elementary command contained in the part of the first executable part 2rez of the protected program 2p requires it, the corresponding elementary function is executed in the device 6. Thus, it is considered that in presence of the device b, this part is performed correctly and, therefore, the protected program 2p is fully functional.

Fig. 64 shows an example of an attempt to execute the protected program 2p in the absence of device 6. In this example, during the execution of the data processing system Z of the first executable part 2rez of the protected program 2p, the execution of an elementary command cannot at any time trigger the launch of the corresponding elementary function / o due to the absence of device 6. The value that must be assigned to variable 7 cannot, therefore, be determined correctly.

Thus, it is considered that in the absence of device 6, at least one request of one fragment of the first executable part 2 of the protected program 2p to start the execution of an elementary function in device 6 cannot be correctly executed, so that at least this part is not executed correctly and, therefore, is protected 7/5 the 2nd program is not fully functional.

According to another preferred feature of the invention, the method of protection is aimed at implementing the principle of protection called "detection and coercion", the description of which is made with reference to Fig.70-74.

To implement the principle of protection by means of detection and coercion, the following are defined: - at least one characteristic of program execution, which can be controlled, at least partially, in device 6; - at least one criterion that should be observed for at least one characteristic of program execution; - detection means 17, which must be used in the device b and which allow to detect that at least one characteristic of the program execution does not meet at least one relevant criterion; c - means 18 of coercion, which must be used in the device 6 and which allow to inform the data processing system and/or modify the execution of the program until at least one criterion is met. and)

To implement the principle of protection by means of detection and coercion, means of operation are also designed, which allow to transform the inactive device 60, which contains means 15 of memory and means 16 of processing, into a device 6, which at least implements means 17 of detection and means 18 of coercion. Fig. 70 shows the means necessary to implement the principle of protection by means of detection and coercion.

Device 6 contains detection means 17 and forcing means 18 belonging to processing means 16. Means 18 of coercion receive information about non-compliance with the criterion from means 17 of detection. "-

More precisely, the detection means 17 use the information coming from the transmission means 13 and/or from the storage means 15 and the processing means 16 so that one or more characteristics of the execution of the program are observed. Each characteristic of program execution is assigned at least one criterion that should be followed.

In the event that it is found that at least one characteristic of the program execution does not satisfy at least one criterion, the detection means 17 inform the enforcement means 18 about it. These forcing means 18 are adapted to change the state of the device 6 accordingly.

To implement the principle of protection by means of detection and coercion, the following must also be selected: c - at least one characteristic of the execution of the controlled program, among the characteristics of the execution, which

And can be controlled; and?" at least one criterion that must be met for at least one selected performance characteristic of the program; - in the source code 2uz of the vulnerable program, - at least one algorithm for which it is necessary to control - AND at least one characteristic of the program execution; - in the source code of the 2uz vulnerable program, - at least one fragment containing at least one

Ш is the selected algorithm. - If these conditions are fulfilled, at least one selected fragment of the code of the vulnerable program is modified to obtain the source code of the protected program. This modification is such that precisely during the execution of the protected program 2r:

F - at least one fragment of the first executable part 2rez, which is executed in the data processing system Z, takes into account that at least one characteristic of the execution of the selected program must be controlled, at least partially, in the device 6; 5B - the second executable part 2rec, which is executed in the device 6, controls, at least partially, one characteristic of the execution of the selected program. (F, During the execution of the program 2p, protected using the principle of detection and coercion, in the presence of device 6, the following situation occurs: - if all the criteria corresponding to all the controlled characteristics of the execution of all modified fragments of the protected program 2p are met, these modified fragments of the protected program 2r function properly and, therefore, the protected program 2r functions properly; - if at least one of the criteria corresponding to the characteristic of the controlled execution of one fragment of the protected program 2r is not met, the Z data processing system is informed about this and/or the functioning of the fragment of the protected program 2r is modified in such a way that the functioning of the protected 65 program 2r is changed.

Naturally, in the absence of device 6, at least one request of one fragment of the first executable part

2rez of the protected program 2r for the use of the device 6 cannot be performed correctly, so at least this part is not performed correctly, and therefore, the protected program 2r is not fully functional.

To implement the principle of protection by detection and enforcement, it is better to use two types of program execution characteristics.

The first type of program execution characteristic corresponds to the program execution control variable, and the second type corresponds to the application usage profile. These two types of characteristics can be used independently or in combination.

To implement the principle of protection by detection and coercion, which uses as a characteristic 7/0 Program execution a program execution control variable, the following must be defined: - in the means 15 of memory - the ability to remember at least one control variable, which serves as a quantitative characteristic of use at least one functionality of the program; - in detection means 17 - the ability to observe at least one threshold value associated with each control variable; - means of renewal, allowing to renew each control variable depending on the use of the functionality with which it is connected.

They also construct means of operation, which use, in addition to means of detection 17 and means of coercion 18, also means of renewal.

In addition, the following are selected in the source code of the vulnerable program: - at least one functional possibility of the vulnerable program 2Uu, the use of which can be controlled using a variable for quantitative control; - at least one variable for quantitative control, which serves as a quantitative characteristic of the specified functionality; - at least one threshold value associated with a variable for quantitative control and corresponding to the limit of the use of the specified functionality; o - Its at least one method of updating the variable for quantitative control according to the use of the specified functionality.

The source code 2z of the vulnerable program is then modified to obtain the source code 2rz of the protected program, and this modification is such that during the execution of the protected program 2r, the second executable part of Gezo 2rey: - renews the value of the variable for quantitative control according to the use of the specified functionality; "- - and takes into account at least one exceedance of the threshold value.

In other words, during the execution of the protected program 2r, the value of the variable for quantitative control

Зб It is renewed according to the use of the specified functionality, and in case of exceeding the threshold value of the detection means 17, the enforcement means 18 are informed about it, which make a decision adapted to inform the data processing system and/or modify the processing carried out by the means 16 processing This allows you to modify the functioning of a fragment of the protected program 2r in such a way that the functioning of the protected program 2r is changed. "

To implement the first best variant of the implementation of the principle of protection by means of detection and coercion, with c that uses a variable for quantitative control as a characteristic, determine: - for at least one variable for quantitative control - several corresponding threshold values; ;" - There are various means of coercion corresponding to each of these thresholds.

In the source code 2uz of the vulnerable program, the following are also selected: - at least one variable for quantitative control, which serves as a quantitative characteristic of the use - AND at least one functionality of the program, with which several threshold values should be associated, corresponding to various limits of the use of the specified functionality ; - - There are at least two threshold values associated with the variable for quantitative control. - The 2uz source code of the vulnerable program is then modified to produce the 2rz source code of the protected 5r program. This modification is such that during the execution of the protected program 2r, the second executable part of the 2rei: co - renews the value of the variable for quantitative control in accordance with the use of the specified functional

F possibilities; - and takes different account of exceeding various threshold values.

In other words, in the usual case, during the execution of the protected program 2p, when the first threshold value is exceeded, the device b informs the data processing system Z, giving the command to the protected program 2p not to use this functionality anymore. If the protected program 2r continues (F) to use this functionality, then the second threshold value may be exceeded. If the second threshold value is exceeded, the coercion means 18 can disable the selected functionality and/or disable the protected program 2r. 60 To implement of the second preferred variant of the principle of protection by detection and enforcement, which uses as a characteristic a variable for quantitative control, defines a reset means that allows at least one additional use of at least one functionality of the program controlled by means of a variable for quantitative control.

They also design means of operation, where applied, in addition to means of detection 17, means of coercion 18 and means of renewal 65, as well as means of rebooting.

In addition, in the source code 2uz of the vulnerable program, at least one variable is selected for quantitative control, which serves to limit the use of at least one functionality of the program, for which there is a possibility of allowing at least one additional use.

The source code 2z of the vulnerable program is then modified to obtain the source code 2rz of the protected program, the modification being such that in a phase called the reload phase, at least one additional use of at least one functionality corresponding to one selected variable for quantitative control may be allowed .

In the restart phase, at least one selected variable for quantitative control and/or at least one associated threshold value is updated to allow at least one 7/0 additional use of the corresponding functionality. In other words, in the restart phase, an opportunity is provided to allow additional use of at least one functionality of the protected program 2r.

In order to implement the principle of protection by detection and enforcement, which uses as a characteristic the profile of the use of the application, as a criterion to be observed for this profile of use, at least one characteristic of the execution of the application must /5 be defined.

In addition, in the source code 2uz of the vulnerable program, select: - at least one usage profile that should be controlled; - Its at least one performance characteristic that must be observed in at least one usage profile.

The source code 2z of the vulnerable program is then modified to produce the source code 2rz of the protected program, and this modification is such that during the execution of the protected program 2r, the second executable part 2reim observes all the selected execution features.

In other words, the device 6 itself controls the way in which the second executable part 2rem is executed and can inform the data processing system Z and/or modify the functioning of the protected program 2r in the event that at least one execution feature is not observed.

During the execution of the 2p program, protected on the basis of this principle, in the presence of the device b) the following situation occurs: - if all the signs of the execution of all modified fragments of the protected 2p program are observed, then these modified fragments of the protected 2p program function properly and, therefore , the protected program 20;.YK(O0 zo functions properly; - if at least one sign of the execution of one fragment of the protected program 2r is not observed, the system of data processing and/or the functioning of the fragment of the protected program 2r is informed about this, it is modified "- so in such a way that the functioning of the protected program 2r was changed.

It is possible to provide control of various features of execution, for example, control of the presence of instructions containing a label generator, or control of the coupling of the execution of at least one part of the instructions. uh-

To implement the principle of protection by means of detection and coercion, where as a sign of execution, which should be followed, clutch control of the execution of at least part of the instructions is used, determine: - a set of instructions, the instructions from which can be executed in the device 6; - a set of instruction commands for this instruction set, and these instruction commands can be executed "

In the Z data processing system. Execution of each of these instruction commands in the Z data processing system causes execution of the corresponding instruction in the pt») c device 6; . - detection means 17, which make it possible to detect that the coupling of instructions does not correspond to the desired one; and?" - means 18 of coercion, which make it possible to inform the data processing system and/or modify the execution of the program, if the coupling of the instructions does not correspond to the desired one.

They also design operating tools that allow the device b to execute instructions from a set of -I instructions, and the execution of these instructions is triggered by the execution of instruction commands in the Z data processing system.

Ш- In addition, in the source code 2 and 5 of the vulnerable program, at least one algorithm is selected, which should be carried out in the device 6 and for which it is worth controlling the coupling of at least part of the instructions.

The source code of the vulnerable program is then modified to produce the source code of the protected program. This modification is such that during the execution of the protected program 2r:

F - the second executable part of the 2rey performs at least the functional possibility of the selected algorithm; - the selected algorithm is divided into instructions; - given coupling, which must be followed by at least some of the instructions in the course of their execution in this device 6; - the first executable part 2rez of the protected program 2r executes the instruction commands that start

Ф) execution of instructions in device 6. ka During the execution of program r protected on the basis of this principle, in the presence of device 6, the following situation occurs: v - if the coupling of instructions of all modified fragments of protected program 2r corresponds to the desired, these modified fragments of protected program 2r function properly and, therefore, the protected program 2p functions properly; - if the coupling of the instructions of the fragment of the protected program 2r executed in the device 6 does not correspond to the desired one, the data processing system Z is informed about this and/or the functioning of the fragment of the protected program 2r is modified in such a way that the functioning of the protected program 2r is changed.

Fig. 71 shows an example of the implementation of the principle of protection by means of detection and coercion, where as a sign of execution that it should be followed, control of the coupling of the execution of at least part of the instructions is used in the event that the desired coupling is observed.

The first executable part 2rez of the protected program 2r, executed in the Z data processing system, executes

SI teams; of instructions, which causes the device 6 to execute instructions and; belonging to the set of instructions. In a set of instructions, at least some of the instructions include a part that specifies the functionality of the instruction and a part that allows checking the desired coupling to execute the instructions. In this example, the C team; of instructions are given as TKIS(i)), and the desired clutch for executing the instructions is i, dni, and ip". The execution of the i instruction in device 6 gives the result a, and the execution of the id-4 instruction gives the result B. The ido instruction uses 7/0 as the operand of the results of the i and id-i instructions, and its execution gives the result c.

Taking into account the fact that this coupling of the instructions executed in the device 6 corresponds to the desired, the functioning of the protected program 2r corresponds to the normal or nominal mode.

Fig. 72 shows an example of the implementation of the principle of protection by means of detection and coercion, where as a sign of execution that it should be followed, control of the coupling of the execution of at least /5 part of the instructions is used in the event that the desired coupling is not observed.

According to this example, the preferred clutch for executing instructions is always both dl, id, and il. However, the coupling of the execution of the instructions is modified by replacing the instruction and 4 with the instruction It so that the actual coupling being executed is It", idch4 and ip". The execution of the instruction ii gives the result a, that is, the same result as the execution of the instruction id. However, no later than than when executing the instruction id-", the detection means 17 detect that the instruction Y does not correspond to the desired instruction to produce the result a used as an operand for the instruction ido. The detection means 17 inform the enforcement means 18 about this, which modify, as a result, the functioning instructions and du, in such a way that the execution of instructions and du" gives a result c, which may differ from c.

It is clear that if the execution of the instruction 4 gives a result a" different from the result a of the instruction id, it is clear that the result of the execution of the instruction id may also differ from p.

Therefore, if the coupling of the execution of the instructions executed in the device 6 does not correspond to the desired one, it is possible i) to obtain a modification of the functioning of the protected program 2r.

Fig. 73 and 74 show a better version of the implementation of the principle of protection by means of detection and coercion, where as a sign of execution, which should be observed, control of the coupling of the execution of at least part of the instructions is used. According to this preferred embodiment, a set of instructions is defined in which at least some instructions operate on registers and use at least one operand to produce a result. "-

As shown in Fig.73, at least for some of the instructions operating on the registers, a part is defined

RE, which sets the functional possibility of the instruction, and part of the RE, which sets the desired coupling for the execution of the instructions. The RE part corresponds to the operation code known to a specialist. The PE part that defines the desired coupling contains bit fields corresponding to: - the SP field of the instruction identification; - th for each operand K of the instruction, where K runs the value from 1 to K, K - the number of operands of the instruction: - the SO field, a flag indicating whether it is worth checking the origin of the operand K, « - its CIP field; identification provided for the operand and indicating the expected identity of the instruction that generated the contents of the operand K.

As shown in Fig. 74, the set of instructions contains M registers belonging to the means of processing 16, where each ;" the register is named K., (m ranges from 1 to M). For each Ku register, two fields are defined, such as: - functional field SK, known to a specialist and which allows to save the result of the execution of instructions; - and the Sibu field of the generated identification, in which the identification of the last instruction that returned its result to the specified register is automatically remembered, i.e. the one that generated the content of the SE functional field. This Sibu field of the generated identification is automatically updated together with the contents of the SII field

Ш- identification of the instruction, having generated the functional field СЕу/. The Sib field of the generated identification is neither accessible nor modifiable by any other instruction and is used exclusively by detection means 17 . During the execution of the instruction, the detection means 17 perform the following operations for each operand k:

Ф - readable field CO, flag; - if this is required by the CO field, the flag, then both fields are read: the CIP field of the provided identification and the SiIS field of the generated identification corresponding to the registers used by the K operand; - the equality of both SIR and SIb fields is checked; - Its, if the equality is false, then the means of detection 17 consider that the coupling of the execution of instructions is not (F, observed). The means of coercion 18 should allow modifying the result of the execution of instructions, when the means of detection 17 inform them about the non-compliance of the coupling of instructions. The best implementation is , in order to modify the functional part of the RE of the executed instruction or the functional part of the RE of the following instructions.

According to another best feature of the invention, the protection method is aimed at implementing the protection principle called "renaming", the description of which is made with reference to Fig.80-85.

To implement the principle of protection by renaming, the following must be defined: 65 - an ensemble of dependent functions, the dependent functions of which can be performed with the help of the second executable part of the 2ray in the device 6, possibly with the subsequent transfer of data between the Z data processing system and the device 6

(and this ensemble of dependent functions may or may not be finite); - an ensemble of launch commands for these dependent functions, and these launch commands can be executed in the Z data processing system and cause the device 6 to execute the corresponding dependent functions; - for each launch command - a setting parameter that corresponds, at least in part, to the information transmitted by the first executable part 2rez of the second executable part 2rey to trigger the launch of the corresponding dependent function, and this setting parameter is presented in the form of at least an argument of the launch command; - a method of renaming configuration parameters, intended for use during the modification /o of a vulnerable program and which allows renaming configuration parameters in such a way as to receive launch commands with renamed parameters, allowing to hide the identity of the corresponding dependent functions; - recovery means 20 intended for use in the device 6 in the use phase and allowing to restore the initial setting parameters based on the renamed setting parameters in order to find the dependent function that needs to be performed.

To implement the principle of protection by renaming, the means of operation are also designed, which allow converting the idle device 60, which contains means 15 of memory and means 16 of processing, to the device 6, which uses at least means 20 of recovery.

To implement the principle of protection by renaming, the following must also be selected in the source code of the vulnerable program: - at least one processing algorithm that uses at least one operand and that produces at least one result; - At least one fragment of the source code of the vulnerable program containing at least one selected algorithm.

The source code of the vulnerable program is then modified to produce the source code of the protected program. This modification is such that: - during the execution of the protected program 2p, at least one fragment of the first executable part 2rev, i) executed in the data processing system Z, takes into account that the functionality of at least one selected algorithm is executed in the device 6; - during the execution of the protected program 2r, the second executable part of the 2rea, which is executed in the device 6, Gezo performs at least one functional possibility of at least one selected algorithm; - each selected algorithm is decomposed in such a way that during the execution of the protected program 2r, each co-selected algorithm is executed with the help of the second executable part 2reim, using dependent functions. p

Each selected algorithm is better decomposed into dependent functions T, (where n ranges from 1 to M), such as: - possibly into one or more dependent functions that allow providing one or more operands for - z device b, i- - on dependent functions, some of which use one or more operands and which in combination implement the functionality of the selected algorithm that uses these operands, - and, possibly, on one or more dependent functions that allow using the device 6 to provide the system with processing given the result of execution of the selected algorithm; "- during the execution of the protected program 2r, the second executable part of the 2rei performs dependent functions and; with c - during the execution of the protected program 2p, these dependent functions are launched by launch commands with renamed configuration parameters; ;" - Its sequence of launch commands is selected from the ensemble of sequences that allow the execution of the protected program 2r.

The first executable part 2rez of the protected program 2r, executed in the Z data processing system, executes -I launch commands with renamed configuration parameters, which transfer the renamed configuration parameters to the device 6. This causes the device 6 to restore using the recovery tools 20 of the instructions

Ш- parameters, and then execution, with the help of the second executable part of 2reya, of each of the above-mentioned dependent - functions and.

In other words, the principle of protection by renaming is to rename co-configurations of the launch commands to obtain launch commands with renamed directives

Ф parameters, the execution of which in the З data processing system causes the execution of dependent functions in device b, which would be launched by launch commands with unrenamed setting parameters, but without the fact that studying the protected program 2р allows to determine the identity of the executed dependent functions.

Fig. 80 shows an example of the execution of the vulnerable program 2y. In this example, during the execution of the vulnerable program 2m in the data processing system Z, at this moment in time, the calculation 2--K(X, Y) takes place, which corresponds to the assignment to variable 7 of the result of the execution of the algorithm given by the function E and using the operands X and U. ko Fig. 81 and 82 show an example of the implementation of the invention. Fig. 81 shows an example of a partial implementation of the invention. According to this example, during the execution of the data processing of the first executable part of the protected program 2r in the system Z in the presence of the device 6, the following are carried out: - at moments y and y - the execution of elementary commands СО., СО", which causes the device b to execute, according to with the help of the second executable part of 2reya, the corresponding dependent functions and;, and" that ensure the transmission of data X, M from the data processing system Z in the memory area, respectively, x and y, are located in the storage means 15 of the device 6, and these commands СО, СО» of the launch are given respectively as ОШТх, Х), ОТ (у, ХУ); 65 - at moments from 5 to iM.4 - execution of launch commands from СОз to СОМ, which causes the device b to execute with the help of the second executable part of 2rey the corresponding dependent functions from ЯТ4з to Yes, and these launch commands from СХОз to СОк.4 are submitted respectively as TKIS(Taz) -TKIS(Tak 1), and the sequence of dependent functions from Taz to iTak.i, performed in combination, is algorithmically equivalent to the function E (more precisely, the execution of these start commands leads to the execution of dependent functions from Taz in device b to food, which use the contents of the memory areas x, y and return the result to the memory area 72 of the device 6); - and at their moment, the CO command is executed in the start-up, which causes execution in the device b, with the help of the second executable part 2rec, the dependent function уТЯу, which ensures the transfer of the result of the execution of the algorithm contained in the memory area 2 of the device 6, to the system З data processing to assign it to variable 7. This command is given as IM(2). 70 In this example, in order to fully implement the invention, the first argument of the OT launch commands and the argument of the TCS and IM launch commands are selected as a setting parameter. The setting parameters selected in this way are renamed according to the setting parameter renaming method. Thus, the setting parameters of the launch commands from СО and to СОum, such as x, y, Taz, T4k.ya, 2 are renamed to obtain respectively K(x), KKU), (az)... (Tam) , (g).

Fig. 82 shows an example of a complete implementation of the invention. According to this example, during the execution in the Z system of the data processing of the first executable part 2rez of the protected program 2r, in the presence of the device 6, the following are performed: - at moments y/, y - execution of the SOSKU, SOSK" start-up commands with renamed setting parameters that are transferred to device 6 renamed set parameters K(x), K(Y), as well as data X, Y, which causes device 6 to restore (with the help of recovery means 20) the renamed set parameters to restore set parameters, such as the identity of memory areas yati x, y, and then execution, with the help of the second executable part of the 2ray, of the corresponding dependent functions 14.4, etc., which ensure the transfer of data X, Y from the data processing system Z to the memory areas, respectively, x, y, located in the means 15 memorizing the device b (these commands SOSK., SOSK»o start-up with renamed setting parameters are presented as OOT (P), X), OT (KU), X); - at moments from z to Her - execution of commands SOSK»z to SOSKU 1 start with renamed setting parameters i) that transfer to device 6 the renamed setting parameters from K(Td4z) to K(Tak.4), which causes device 6 restoration by means of 20 restoration of setting parameters, such as with it from to Hak, and then execution, with the help of the second executable part of 2rei, dependent functions from Taz to So, and these Gezo Commands (from SOSKz to SOSKM. 1) of the launch with the renamed setting parameters are submitted, respectively, by the commands TKIS (K(az)) to TKIS (Kak); so - at the time of Her - the execution of the SOSK command in the startup with renamed setting parameters, which "(cl) transfers to the device 6 the renamed setting parameters K(7). This causes the device 6 to restore, with the help of the means of restoration 20, the setting parameters, namely identity of memory area 7, and then in.

Execution, with the help of the second executable part 2rets, the dependent function TЯ ху, which ensures the transmission of the result of the execution of the algorithm contained in the memory area 2 of the device 6, to the data processing system Z to assign it to the variable 7. This command of the SOSKU launch with the renamed parameters is given as

IZH(P(2)).

In the given example, the launch command with renamed configuration parameters from 1 to M "

They are performed sequentially. It should be noted that two such improvements can be made. in c - The first improvement refers to the case when several algorithms are assigned to the device 6 and at least the result of the execution of one algorithm is used by another algorithm (in this case, some commands ;" of the start with renamed configuration parameters serving for transfer can be removed). - The second improvement aims to properly order the launch commands with renamed configuration parameters among the ensemble of orders that allow the execution of the protected program 2r. -And In this regard, it is better to choose such an arrangement of startup commands with renamed configuration parameters, which separates the execution time of dependent functions, inserting between them sections of the code that is executed

Ш- in the Z data processing system, and which contains (or does not contain) startup commands with renamed - setting parameters that serve to define other data. Figures 83 and 84 illustrate the principle of such an implementation. so Fig. 83 shows an example of the execution of the vulnerable program 2y. In this example, in the Z data processing system

Ф during the execution of the vulnerable program 2y, two algorithms are executed, which lead to the determination of 7 and 7 such that 7--Е(Х, Хи 2-Х, У.

Fig. 84 shows an example of the implementation of the method according to the invention, in which both algorithms selected in Fig. 83 are transferred to the device 6. According to this example, during the execution of the data processing system Z of the first executable part 2rez of the protected program 2p, in the presence of the device 6 , there is, as explained iF) above, the execution of commands (from SOSC to SOSC) of startup with renamed configuration parameters, which corresponds to definition 7, and the execution of commands (from SOSC. to SOSC) of startup with renamed configuration parameters, which corresponds to definition 7 As shown, the launch commands from SOSK; to SOSK; are not executed sequentially, since launch commands from SOSC to SOSC, as well as other code fragments, alternate with them. In this example, thus, the following ordering is implemented: SOSK 4, inserted code fragment, SOSKU,

SOS", inserted code fragment, SOSK", SOSKU, inserted code fragment, SOSK/, SOSK»z, SOSK,,..., sosSskM SOSKU.

It should be noted that during the execution of the fragment of the first executable part 2rez of the protected program 2r 65 Start commands with renamed configuration parameters executed in the data processing system Z cause the device 6 to restore the identity of the corresponding dependent functions, and then their execution. Thus, in the presence of device b, this fragment is executed correctly and, therefore, the protected program 2p is fully functional.

Fig. 85 shows an example of an attempt to execute the protected program 2p in the absence of device 6. In this example, during the execution in the system of data processing of the first executable part 2 of the protected program 2p, the execution of the start command with renamed configuration parameters cannot at any time trigger the restoration of the configuration parameters , nor the execution of the corresponding dependent function due to the absence of device 6. The value that must be assigned to variable 7, therefore, cannot be determined correctly.

Thus, it is considered that in the absence of the device b, at least one request of one fragment of the first 7/0 executable part 2rez of the protected program 2r to start the restoration of the set parameters and the execution of the dependent function in the device in the device b cannot be correctly performed, so that at least this part is not executed correctly, and therefore the protected program 2r is not fully functional.

Thanks to this principle of protection by means of renaming, studying in the protected program 2r the launch commands with renamed configuration parameters does not allow to determine the identity of the dependent functions /5 that should have been performed in the device 6. It should be noted that the renaming of the configuration parameters is carried out during the conversion of the vulnerable program 2m to protected program 2 years

According to a variant of the renaming protection principle, at least one dependent function had to be defined, a family of algorithmically equivalent dependent functions called by run commands with various renamed parameters. In this embodiment, at least one algorithm using dependent functions is decomposed into dependent functions such that at least one of them is replaced by a dependent function of the same family, instead of storing multiple occurrences of the same dependent function. To this end, startup commands with renamed options are modified to account for the replacement of dependent functions with dependent functions of the same family.

In other words, two dependent functions from the same family have different setting parameters, and, therefore,

Run commands with various renamed options. Therefore, when studying the protected program 2p, it is impossible to find that the called dependent functions are algorithmically equivalent. and)

According to the first best implementation of the variant of the protection principle by renaming, an algorithmically equivalent family of dependent functions is determined for at least one dependent function by combining the noise field with information that determines the functional part of the dependent function that is executed in the device 6.

In accordance with the second best implementation of the version of the principle of protection by renaming, for at least one dependent function, an algorithmically equivalent family of dependent functions 3 n is determined using identification fields.

In accordance with the best version of the implementation of the principle of protection by renaming, as a method of renaming setting parameters, a coding method is specified, which allows encoding setting parameters for their transformation into renamed setting parameters. It is worth reminding that the renaming of the setting parameters is carried out in the P phase of protection. For this preferred option, the recovery means 20 are means using a decoding method that allows decoding the renamed set parameters and thus restoring the identity of the dependent functions that they need.

Run in device 6. These recovery tools are applied in device 6 and can be both software and hardware. The recovery means 20 are requested in the use phase Y whenever a start command with renamed configuration parameters is executed in the data processing system Z in order to call the ;" devices would perform a dependent function.

According to another best characteristic of the invention, the method of protection is aimed at implementing the principle

The protection called "conditional transition", the description of which is illustrated in Fig. 90-92. -I To implement the principle of protection using a conditional transition in the source code 2u85 of the vulnerable program, at least one conditional transition of the VS is selected. At least one fragment of the source is also selected

Sh-code 2uz of the vulnerable program containing at least one selected conditional transition of the VS. - In this variant, at least one selected fragment of the code of the vulnerable program is modified to obtain the source code of the protected program. This modification is such that during the execution of the protected program of 2r:

F - at least one fragment of the first executable part 2rez, which is executed in the data processing system C, takes into account the fact that the functional possibility of at least one selected conditional transition BC is executed in the device 6; - the second executable part of 2resh, which is executed in device b, performs at least one functional possibility of at least one selected conditional transition of VS and provides information to data processing system C,

F) which allows the first executable part of 2rez to continue its execution in the selected location. ka The first executable part 2rez of the protected program 2p, executed in the Z data processing system, executes the conditional transition commands, which causes the device b to execute, with the help of the second executable part bo Greek, the conditional transitions bBs, the functionality of which is equivalent to the functionality of the selected conditional transitions Sun. To implement the principle of protection using a conditional transition, the device 6 contains means 15 of memory and means 16 of processing.

Fig. 90 shows an example of the execution of the vulnerable program 2y. In this example, during the execution of the vulnerable program 2y in the Z data processing system, at this moment in time, a conditional transition BC occurs, which indicates to the vulnerable 65 program 2y a place where it should continue its execution, such as one of the three possible places B 4, Vo or Vz. It should be understood that the conditional transfer of the VS makes a decision to continue the execution of the program in the place of V., Vo or Vz.

Fig. 91 shows an example of the implementation of the invention, in which the conditional transition selected for transfer to the device 6 corresponds to the conditional transition of the VS.

In this example, during data processing in system C of the first executable part 2rez of the protected program 2r in the presence of device 6, the following occur: - at the moment of It - the execution of the command SVS 3 of a conditional transition, which causes execution in device b, with the help of the second executable part 2resh , of the conditional transition RS, which is algorithmically equivalent to the conditional transition VS, and this command is SVO. conditional transition is presented as TKIS(Bbs); - And at the moment y5 - transmission by the device 6 to the data processing system Z of information that allows the first executed /o part 2rez to continue its execution in the selected place, such as B, Vo or B».

It should be noted that during the execution of the fragment of the first executable part 2rez of the protected program 2r, the conditional transition commands executed in the data processing system Z trigger the execution of the corresponding conditional transitions in the device 6. Thus, it is considered that this part is executed in the presence of the device b correctly and, therefore, the protected program 2p is fully functional.

Fig. 92 shows an example of an attempt to execute the protected program 2r in the absence of device 6. In this example, during the execution of the first executable part 2rez of the protected program 2r in the Z system of data processing: - at the time of execution of the SWS command. the conditional transition cannot cause the execution of the issued conditional transition Bbs, given the absence of device 6; - and at the moment, an attempt to transmit information to her, which allows the first executable part of 2rez to continue 2o execution at the selected location, cannot be successful due to the absence of device 6.

Thus, in the absence of device b, at least one request of one fragment of the first executable part 2rez to start execution of the conditional transition in device 6 cannot be correctly executed.

Therefore, at least this part is not performed correctly, and therefore the protected program 2r is not fully functional. high school

In the previous description, illustrated in Fig.90-92, this invention is aimed at bringing to the device 6 one conditional transition. Of course, the best variant of the invention may consist in transferring to the device i) 6 series of conditional transitions, the global functionality of which is equivalent to the ensemble of functionality of the transferred conditional transitions. Execution of the global functionality of this series of conditional transitions results in the fact that the data processing system is given information that allows the first executable part of the protected program to continue its execution at the selected location.

In the previous description, illustrated in Fig. 40-92, six different principles of program protection were explained in a general way independently of each other. The method of protection according to the invention can be "- implemented using the principle of protection using a variable, to which one or more other protection principles can be added. In the case when the principle of protection using a variable is supplemented by the implementation of at least one other principle of protection, the principle of protection using a variable is better supplemented (M by the principle of protection by means of time division and/or the principle of protection by means of elementary functions.

If the principle of protection with the help of time division is applied in this way, then it can be supplemented, in turn, with the principle of protection with the help of elementary functions and/or the principle of protection with the help of a conditional transition. в с If the principle of protection using elementary functions is applied in this way, then it can be

And supplemented, in turn, by the principle of protection by means of detection and coercion and/or the principle of protection by means of renaming, and/or the principle of protection by means of conditional transition.

If the principle of protection by means of detection and coercion is applied in this way, then it can be supplemented, in turn, by the principle of protection by means of renaming and/or the principle of protection by -AND by means of a conditional transition. And if the principle of protection by renaming is also applied, then it can be supplemented, in turn, by the principle of protection by conditional transition.

Ш- According to the best variant of implementation, the principle of protection using a variable is supplemented by the principle of protection by means of time division, supplemented by the principle of protection by means of elementary functions, supplemented by the principle of protection by means of detection and coercion, supplemented by the principle of protection by means of renaming, supplemented by the principle of protection using a conditional transition.

Ф In the case when, in addition to the variable protection principle, some other protection principle is applied to take into account such a combined implementation of the invention, the above description must contain the following modifications: 5B - the concept of a vulnerable program must be understood in the sense of the vulnerability of the program relative to the described protection principle . Thus, in the case when the protection principle has already been applied to a vulnerable program, the expression "vVulnerable (F, program)" should be interpreted as the expression "a program protected by one or more recently applied protection principles"; - the concept of a protected program should be understood in sense of program security relative to the described protection principle. Thus, in the case where the protection principle has already been applied, the expression "protected program" should be interpreted by the reader as the expression "new version of the protected program"; - one or more choices made (made) for implementation of the described protection principle, must take into account the choice(s) made for the implementation of one or more protection principles already applied. 65 The following description allows a better understanding of the implementation of the protection method according to the invention. In this protection method according to with the invention, as specified in Fig. 100:

- first phase P of protection, during which the vulnerable program 2M is transformed into a protected program 2p; - then the OO phase of use, during which the protected program 2p is used, and in the use phase: - in the presence of device b, every time when a fragment of the first executable part 2rev executed in the data processing system requires it, the appropriate functionality is performed in device 6 in such a way that this part is executed correctly, and, therefore, the protected program 2p is fully functional, - in the absence of device 6, despite the request of a fragment of the first executable part 2rez, to perform the functionality in device b, this request cannot be correctly satisfied, so that at least this /o part is not executed correctly, and therefore the protected program 2r is not fully functional; - possibly a restart phase K, during which at least one additional use of the functionality protected by the implementation of the second best implementation of the principle of detection and enforcement is allowed, which uses a variable for quantitative control as a characteristic.

The P phase of protection can be divided into two subphases of P. and Po protection. The first, called the input, subphase Ri /5 protection is implemented independently of the subject protection of the vulnerable program 2M. The second, called the initial, sub-phase Po of protection depends on the subject of protection of the vulnerable program 2M. It should be noted that the input and output sub-phases of R. and Po protection can be implemented by two different individuals or groups. For example, the input subphase P. of protection can be implemented by an employee or an organization engaged in the development of software protection systems, while the output subphase P5" of protection can be implemented by an employee or

Organizations developing programs that should be protected. Of course, it is clear that the input and output sub-phases of R. and Ro protection can be implemented by one employee or one organization.

The input subphase of R. protection involves several stages 544, ... Z), for each of which several tasks or tasks must be performed.

The first stage of this entry sub-phase of R. protection is called "stage 544 determinations". In the course of this stage 5414 ch g of definitions: - are selected: i) - type of device 6, such as - a storage device or a processing and storage device. For example, it is possible to choose as device 6 a device 8 for reading cards with a microchip and a card with a microchip connected to the device 8 for reading - and the means 12, 13 of transmission, intended for use, respectively, in the Z data processing system and in the Gezo 5 U device phase O of use and are able to provide data transfer between the data processing system C and the device 6; - moreover, in the case when the method of protection according to the invention uses the principle of protection with the help of elementary functions, the following are also defined: "- - a set of elementary functions, the elementary functions of which can be performed in the device 6, - a set of elementary commands for this set of elementary functions , and these elementary commands can be executed in the Z data processing system, causing elementary functions to be performed in the device b; - and in the event that the method of protection according to the invention uses the principle of protection by means of detection and coercion, the following must also be provided: - at least one characteristic of the program execution, which can be controlled, at least partially, in the device 6, " - at least one the criterion that it should be observed for at least one performance characteristic - ptsh) of the program, . - detection means 17, which must be used in device b and which allow to detect that at least one characteristic of the program execution does not meet at least one relevant criterion, - and enforcement means 18, which must be used in device 6 and which allow to inform the system 45 3 data processing and/or modify the course of program execution if at least one criterion is not met; - And - moreover, in the case when the method of protection according to the invention uses the principle of protection by means of detection and coercion, which uses a variable as a characteristic for quantitative control of program execution, the following should also be defined: - - as a characteristic of program execution, which can be controlled, - a variable for quantitative control 5r Use of one functionality of the program, co - as a criterion that should be followed - at least one threshold value associated with each variable

Ф for quantitative control, - and means of renewal, allowing to renew at least one variable for quantitative control; - and in the case when the method of protection according to the invention uses the first best variant of the implementation of the principle

Protection by detection and coercion, which uses as a characteristic a variable for quantitative control of program execution, must also be provided: (Ф) - for at least one variable for quantitative control - several corresponding threshold values, ka - І various means of coercion corresponding to each of these threshold values; - moreover, in the case when the method of protection according to the invention uses the second best variant of the implementation of the principle of Protection by detection and coercion, which uses a variable as a characteristic for quantitative control of program execution, restart means are also provided, which allow at least one additional use of at least one functionality a program controlled by a variable for quantitative control; - moreover, in the case when the method of protection according to the invention uses the principle of protection by means of detection 65 and coercion, which uses the program usage profile as a characteristic, the following should also be provided: - as a characteristic of the program execution that can be controlled, - the program usage profile, - and as a criterion that should be followed - at least one sign of program execution; - moreover, in the case when the method of protection according to the invention uses the principle of protection by means of detection and coercion, where as a sign of execution, which should be observed, control of execution clutch is used, the following should also be provided: - a set of instructions, the instructions of which can be executed in device 6, - a set of instruction commands for the indicated set of instructions, and these instruction commands can be executed in the Z data processing system, causing the device 6 to execute the instructions, 70 - as a usage profile - an instruction coupling, - as an execution feature - a desired execution coupling of instructions, - as means of detection 17 - means of detecting that the coupling of instructions does not correspond to the desired one, - and as means of 18 coercion - means of informing the data processing system and/or modifying the 7/5 functioning of a fragment of the protected program 2r, if the coupling of the instructions does not correspond to the desired; - and in the case when the method of protection according to the invention uses a better variant of the implementation of the principle of protection by means of detection and coercion, where as a sign of execution that should be observed, control of execution coupling is used, the following should also be provided: - as a set of instructions - a set of instructions, with of which at least some instructions operate on registers and

At least one operand is used for outputting a result, - for at least one part of the instructions operating on registers: - the RE part, which specifies the functional possibility of the instruction, - the part, which specifies the desired coupling for the execution of the instructions and which contains the bit fields corresponding to: - the SP field of the identification of the instruction, sch - and for each operand of the instruction: - the SO field, the flag, and) - and the SIR field; of the identification provided for the operand, - for each register belonging to the means of operation and used by the set of instructions, - the CIB field of the generated identification, in which the identification of the last Gezo instruction that returned its result to this register is automatically remembered, - as means 17 detection - means that allow, during the execution of the instruction for each operand, if required by the CO field of the flag, to control the equality between the SIBU field of the generated identification, which corresponds to the register used by this operand, and the CIP field of the intended identification of the initial address of this operand, - - and as means 18 of coercion - means allowing to modify the result of the instruction, if at least one of the controlled equalities is false; - and in the case when the method of protection according to the invention uses the principle of protection by means of renaming, should also be provided : - as a start-up command - an elementary command or an instruction command, « - as a hall each function - an elementary function or instruction, with c - as an optional parameter, - at least one argument for the launch command, corresponding to at least . part of the information transmitted by the data processing system to the device 6 to cause the corresponding i? of the dependent function, - a method of renaming the configuration parameters, which allows renaming the configuration parameters in order to receive launch commands with renamed parameters, - AND - and recovery means 20 intended for use in the device 6 in the O phase of use and which allow to find again the dependent function, which it should be performed based on the renamed setting parameter, and in the case when the method of protection according to the invention uses a variant of the principle of protection by renaming, a family of algorithmically equivalent dependent functions called by commands is also defined for at least one dependent function startup, renamed configuration parameters because of which there are various,

F - and in the case when the method of protection according to the invention uses one or another better implementation of the variant of the protection principle by means of renaming, a family of algorithmically equivalent dependent functions is also determined, for at least one dependent function: - by combining the noise field with the information that determines that functional part of the dependent function that is performed in the device 6,

Ф) - or by using the SI field of the instruction identification and the CIP field in the provided identification of the operands; - moreover, in the case when the method of protection according to the invention uses a better variant of the principle of protection by means of renaming, the following should also be provided: - as a method of renaming the set parameters - a coding method for encoding the set parameters, - and as means of recovery - means that apply a decoding method for decoding the renamed configuration parameters and restoring the identity of the dependent functions to be performed in the device 6. 65 During the entry phase of the protection according to stage 5.4; and the definition follows a stage called "stage 5425 construction".

In the course of such a stage 542, means 12, 13 of transmission and possibly means of operation corresponding to the definition of stage 544 of definition are constructed.

During this stage 542 construction is carried out, therefore: - construction of transmission means 12, 13, which allow, during phase I of use, to transfer data between the data processing system C and the device 6; - if the principle of protection with the help of elementary functions is also applied, - construction of means of operation that allow the device to perform elementary functions from a set of elementary functions in the OO phase of use; - m, if the principle of protection by means of detection and coercion is also applied, - construction: 70 - means of operation, which allow the device b in the OO phase of use to also attract means of detection 17 and means of coercion 18, - and, possibly, means of operation, which allow device 6 in the О phase of use also involve the means of renewal - as well as, possibly, the means of operation that allow the device 6 in the reset phase to engage also /5 the reset means - and also, possibly, the means of operation that allow the device b in the ОO phase use to execute instructions from an instruction set; - ii, if the principle of protection by renaming is also applied, - construction of means of operation, which allow the device 6 in the phase ) of use to use recovery means as well.

The construction of means of operation is carried out in the usual way, with the help of a program development device, taking into account the definitions entered at stage 544 definitions. A similar device is described below and illustrated

Fig. 110.

During the initial subphase of R. protection, the stage 5412 of the design can be followed by a stage called "stage 13 of pre-personalization". During this stage 513 of pre-personalization, at least transfer means 13 and means of operation are loaded into at least one idle device 60 to obtain at least one pre-personalized device 66. It should be noted that part of the means of operation, having been transferred to i) pre-personalized device 66, no longer is accessible directly from the outside of this pre-personalized device 66. The transfer of means of operation to the idle device 60 can be implemented with the help of an adapted pre-personalization device described further and illustrated in Fig. 120. In the case of a pre-personalized device 66 consisting of a card 7 with a microchip and a device 8 for reading it, pre-personalization applies only to the card 7 with a microchip. co

During the initial subphase of R. protection, after stage 544 of determinations and possibly after stage 542 of construction, a stage called "stage C 44 of manufacturing means" can also be carried out. In the course of this stage 544 of production of tools, tools are produced that allow to help create protected programs or to automate - c5 Protection of programs. Such means allow: - to help select or automatically select in a vulnerable program 2y that it needs to be protected: - one or more variables that can be exported to device 6, - fragments that can be changed, - if the principle of protection by using time division, - one or more "algorithms that can be divided into stages, which can be transferred to the device 6, with - if the principle of protection using elementary functions is also applied, - one or more . algorithms that can be decomposed into elementary functions that can be transferred to the device 6, and - Her, if the principle of protection by means of detection and coercion is also applied, - one or more performance characteristics that must be controlled, and possibly one or several algorithms which

Can be decomposed into instructions that can be exported to device 6, - AND - if the principle of protection by renaming is also applied - one or more algorithms that can be decomposed into dependent functions that can be exported to device b and for which set parameters of the launch commands can be renamed, - - ii, if the principle of protection using a conditional transition is also applied, - one or more 5r conditional transitions, the functionality of which can be transferred to the device 6; so - maybe help create secure programs or automate

F program protection.

These various tools can be implemented independently or in combination, and each tool can take various forms, for example, be a preprocessor, an assembler, a compiler, etc. After the input sub-phase R of protection, there is an output sub-phase Po of protection, which depends on the subject of protection of the vulnerable program 2m. This initial sub-phase of Po protection also involves several stages. The first stage, corresponding to implementation

F) the principle of protection using a variable, called "stage 5 24 creation". During this stage 524 of creating ka, the choice made in the stage 54414 of determination is used. With the help of this selection and, possibly, the means constructed in the stage 544 of making the means, the protected program 2p is created: in - by means of the selection in the source code 2uz of the vulnerable program: - at least one variable, which, during the execution of the vulnerable program 2y, partially determines its state, - th of at least one fragment containing at least one selected variable; - by creating the source code 2rz of the protected program based on the source code 2z of the vulnerable program by modifying at least one selected fragment of the code 2z of the vulnerable program, and this modification is such that during the execution of the protected program 2r at least one selected variable or one copy of the selected variable is in idle device 60, which thereby turns into device 6;

- and by creating the first part of the 2rz object code of the protected program 2r based on the source code of the 2rz protected program, and this first part of the 2rz object code is such that during the execution of the protected program 2r the first executable part of the 2rz is implemented, which is executed in to the data processing system, and at least one part of which takes into account that at least one variable or one copy of the variable is in the device 6.

Of course, the principle of protection using a variable according to the invention can be applied directly during the development of a new program without the need for prior implementation of a vulnerable program 2y. Thus, the protected program 2p is directly formed during the initial subphase P" of protection. At the same time, in the case when at least one other protection principle is applied, in addition to the variable protection principle, "MODIFICATION stage 52" is implemented. During this stage of the ZAO modification, the definitions entered in the stage 544 definitions are used. Using these definitions and possibly the means constructed in step 5 414 of making the means, the protected program 2p is modified to allow implementation of the protection principles according to one of the arrangements defined above.

When the principle of time division is applied, the protected program 2r is modified in the following way: - by selecting in the source code of the protected program 2rz: - at least one algorithm which, during the execution of the protected program 2r, uses at least one selected variable and allows obtaining at least one resulting variable , - th of at least one fragment containing at least one selected algorithm; - by means of modification of at least one selected fragment of code 2rz of the protected program, and this modification is such that: - during the execution of the protected program 2r, the first executable part of 2rez is executed in the data processing system C, and the second executable part of 2rea is executed in the device 6, which is also contains processing means 16, - at least one functional possibility of at least one selected algorithm is implemented with the help of the second executable part of 2rey, - at least one selected algorithm is decomposed in such a way that during the execution of the protected i) program 2r is implemented, with the help of the second executable part of 2rey, several different stages, such as: - provision of at least one variable to the device 6, - implementation in the device 6 of the functionality of the algorithm performed on at least this variable, Ge zo - ), possibly provision of at least one resulting variable by the device 6 to the processing system data, - for at least one selected algorithm of the team of stages c are defined in such a way that during the execution of the protected program 2r, each step command is executed using the first executable part 2rez and "- causes the device 6 to execute the step using the second executable part 2rey - and the ordering of the stage commands is selected from among the ensemble of orders that allow execution of a protected program 2 years; - and by creating: - the first part of the 2rd object code of the protected program 2r, and the first part of the 2rd object code is such that during the execution of the protected program 2r the stage commands are executed in accordance with the selected order, " - and the second part The 2nd part of the object code of the protected program 2p, and the second part of the 2nd object code -ptv) with the code is such that after downloading to the idle device 60, during the execution of the protected program 2p, the second executable part of 2retsy is implemented, with the help of which the stages, start the execution of which was;" caused by the first executable part 2res.

When the principle of protection by means of elementary functions is applied, while the principle of protection by

With the help of time division is not applied, the protected program 2r is modified: - AND - by selecting in the source code of the protected program 2r: - at least one algorithm, which during the execution of the protected program 2r uses at least one selected variable and allows to receive at least one resulting variable, - - th of at least one fragment containing at least one selected algorithm; - by means of modification of at least one selected fragment of the code of the protected program, and this modification is such that:

F - during the execution of the protected program 2r, the first executable part 2rez is executed in the data processing system Z, and the second executable part 2rez is executed in the device 6, - at least the functional possibility of at least one selected algorithm is performed with the help of the second executable part 2rez, - at least one selected the algorithm is decomposed in such a way that during the execution of the protected

F) program 2r, this algorithm is executed with the help of the second executable part of 2rets with the use of elementary functions, - for at least one selected algorithm, elementary commands are integrated into the source code of the 2rbo protected program in such a way that during the execution of the protected program 2r, each elementary command is executed according to with the help of the first executable part 2rez and causes the device 6 to execute, with the help of the second executable part 2rey, an elementary function, and the arrangement of the elementary commands is selected from the ensemble of arrangements that allow the execution of the protected program 2p; 65 - and by creating: - the first part of the 2rd part of the object code of the protected program 2p, and this first part of the 2rd part of the object code is such that during the execution of the protected program 2p elementary commands are executed according to the selected order, - and the second part of the 2nd part of the object code of the object code of the protected program 2p, which contains means of operation, and this second part of the object code 2p is such that after loading into the idle device 60, during the execution of the protected program 2p, the second executable part of the 2p is implemented, with the help of which elementary functions are performed, the launch of which was caused by the first executable part of 2rezv.

When the principles of protection by time division and elementary functions are applied together, the protected program 2r is modified: 70 - by selecting at least one step in the source code of the protected program 2r, which during the execution of the protected program 2r implements the functional capability of the algorithm; - by means of modification of at least one selected fragment of the code 2rz of the protected program, and this modification is such that: - at least one selected stage is decomposed in such a way that during the execution of the protected program 2r this stage is performed with the help of the second executable part of the 2rea using elementary functions, - for at least one selected stage, the elementary commands are integrated into the source code 2rz of the protected program in such a way that during the execution of the protected program 2r, each elementary command is executed with the help of the first executable part of 2rez and causes the device b to execute, with the help of the second executable part of 2rey, the elementary functions, - and the arrangement of elementary commands is selected from the ensemble of arrangements that allow the execution of the protected program 2p; - and by creating: - the first part of the 2nd object code of the protected program 2p, and this first part of the 2nd object code is such that during the execution of the protected program 2nd, elementary commands are executed in accordance with the selected ordering, - and the second part of the 2nd object code the object code of the protected program 2p, which also contains means of operation, and) and this second part of the object code 2r of the object code is such that after downloading to the device 6, during the execution of the protected program 2p, the second executable part of the 2re is implemented, with the help of which elementary functions that were triggered by the first 2rev5 executable. When the principle of protection by means of detection and coercion is applied, the protected program 2r is modified: - by means of a choice among the execution characteristics that can be controlled by at least one of the execution characteristics of the controlled program; "- - by selecting at least one criterion that must be met for at least one selected performance characteristic of the program; - - by means of selection in the source code of the protected program of elementary functions for which at least one characteristic of the execution of the controlled program should be monitored; - by means of modification of at least one selected fragment of the 2rz code of the protected program, and this modification is such that during the execution of the protected program 2r at least one characteristic of the program execution is controlled with the help of the second executable part of the 2rea and non-compliance with the criterion "leads to informing the data processing system and/ or to the modification of the execution of the protected program 2r; with c - Her by creating the second part of the 2nd part of the object code of the protected program 2nd, which contains means. operation, which also involve means of detection 17 and means of coercion 18, and this second part of 2roi and? of the object code such that after downloading to the device 6, during the execution of the protected program 2r, at least one characteristic of the program execution is controlled and non-compliance with the criterion leads to the notification of the bistem from data processing and/or to the modification of the execution of the protected program 2r. -I To implement the principle of protection by means of detection and coercion, which uses a variable as a characteristic for quantitative control of program execution, the protected program 2p is modified:

Sh- - by selecting at least one variable as a characteristic of the controlled program execution - for quantitative control of the use of one functionality of the program; - by selecting: co - at least one functionality of the protected program 2p, which can be used

Ф to control using a variable for quantitative control, - at least one variable for quantitative control, which serves as a quantitative characteristic of the use of the mentioned functionality, 5B - at least one threshold value associated with the selected variable for quantitative control and the corresponding limit of the use of the mentioned functionality , (F) - Its at least one method of updating the variable value for quantitative control in accordance with the use of the mentioned functionality; - Its by means of modification of at least one selected fragment of code 2rz of the protected program, because this modification is such that during the execution of the protected program 2r, the variable for quantitative control is renewed with the help of the second executable part of the Greeks, depending on the use of the specified functionality, and at least one is taken into account exceeding the threshold value.

To implement the first best variant of the principle of protection by detection and coercion, which uses a variable for quantitative control as a characteristic, the protected program 2r is modified: 65 - by selecting in the source code of the protected program 2rz at least one variable for quantitative control, which should be connected several threshold values corresponding to various limits of the use of functionality; - by selecting at least two threshold values associated with the selected variable for quantitative control; - It by means of modification of at least one selected fragment of code 2rz of the protected program, and this modification is such that during the execution of the protected program 2r, exceeding various threshold values are taken into account by means of the second executable part of 2rey in a different way.

To implement the second best version of the principle of protection by detection and coercion, which uses a variable for quantitative control as a characteristic, the protected program 2r is modified: 70 - by selecting in the source code of the protected program 2rz at least one variable for quantitative control, which allows limiting the use of functionality , for which it must be possible to allow at least one additional use; - and by modifying at least one selected fragment, and this modification is such that in a phase called the reload phase, at least one additional use of at least one 7/5 functionality corresponding to one selected variable for quantitative control may be allowed.

To implement the principle of protection by means of detection and coercion, which uses the program usage profile as a characteristic, the protected program 2p is modified: - by selecting at least a profile as a characteristic of the controlled program execution

Using the program; - by selecting at least one feature of program execution that must be followed by at least one usage profile; - Its by means of modification of at least one selected fragment of code 2rz of the protected program, and this modification is such that during the execution of the protected program 2r, the second executable part of the 2rei sc observes all the selected features of execution.

To implement the principle of protection by means of detection and enforcement, where the control of execution coupling is used as a sign of execution that should be observed i) the protected program 2r is modified: - by modifying at least one selected fragment of the code 2rz of the protected program: - by transforming elementary functions on the instructions, Gezo - by means of the coupling task, which must be followed by at least some of the instructions during their execution in the device 6, so - by means of the transformation of elementary commands into command commands corresponding to "- the used instructions.

When the principle of protection by renaming is applied, the protected program 2r is modified: - - by selecting in the source code of the protected program 2rz the launch command; - by modifying at least one selected code fragment of the protected program by renaming the configuration parameters of the selected launch commands to hide the identity of the corresponding dependent functions; - and by creating: "- the first part of the 2nd object code of the protected program 2p, and this first part of the 2nd object -ptv) code is such that during the execution of the protected program 2p, launch commands with renamed configuration parameters are executed; » - Its second part 2roid of the object code of the protected program 2r, which contains the means of operation, which also use means of recovery 20, and this second part 2roid of the object code is such that after loading into the device 6, during the execution of the protected program 2r identity dependent functions, the execution of which is started by the first executable part of 2rez, is resumed with the help of the second executable part of 2rey, and the dependent functions are performed with the help of the second executable part of 2rey.

Ш- To implement the version of the protection principle by renaming, the protected program 2r is modified: - - by selecting in the source code of the protected program 2rz at least one launch command with renamed configuration parameters; co - Its by means of modification of at least one selected fragment of code 2rz of the protected program

Ф by replacing at least the renamed configuration parameters of the launch command with the selected configuration parameter set with other renamed configuration parameters, which causes the dependent function from the same family to be launched. 5B When the principle of protection using a conditional transition is applied, the protected program 2p is modified: (Ф, - by selecting in the source code of the 2p protected program at least one conditional transition performed in at least one selected algorithm; - by modifying at least one selected fragment of the code 2rz of the protected program, and because this modification is such that during the execution of the protected program 2r, the functional possibility of at least one selected conditional transition is performed with the help of the second executable part of the 2rec in the device 6; - and by creating: - the first part of the 2rz object code of the protected program 2r, and this first part 2roz of the object code is such that during the execution of the protected program 2r, the functional possibility of at least one 65 selected conditional transition is executed in the device 6, - And the second part 2roz of the object code of the protected program 2r, and this second part 2 of the object code is such that after loading in device 6, during the execution of the protected program 2p, the second executable part 2resh is implemented, with the help of which the functional possibility of at least one selected conditional transition is implemented.

In order to better implement the principle of protection using a conditional transition, the protected program 2r is modified: - by selecting at least one series of selected conditional transitions in the source code of the protected program 2rz; - by means of modification of at least one selected fragment of code 2rz of the protected program, 7/0 and this modification is such that during the execution of the protected program 2r, the global functional possibility of at least one selected series of conditional transitions is performed using the second executable part of 2rey in the device 6; - and by creating: - the first part 2roz object code of the protected program 2r, and this first part 2roz object /5 Code is such that during the execution of the protected program 2r, the functional possibility of at least one selected series of conditional transitions is performed in the device 6 , - And of the second part of the object code of the protected program 2r, and this second part of the object code of the protected program 2r is such that after downloading to the device 6, during the execution of the protected program 2r, the second executable part of the 2rec is implemented, with the help of which the global functional possibility at least

ONE selected series of conditional transitions.

Of course, the principles of protection according to the invention can be applied directly during the development of a new program without the preliminary implementation of intermediate vulnerable programs. Thus, stages 524 creation and 522 modification can be carried out simultaneously to immediately obtain a protected program 2r.

In the course of the initial sub-phase Po of protection in the case when at least one other protection principle is applied, in addition to the protection principle by means of a variable, after stage C 2 and the creation of the protected program 2p and possibly after stage C 2" modification, a stage called "stage C 23 of personalization". In the course of this (8) stage 5oz of personalization, the second part 2roy of the object code, possibly containing means of operation, is loaded into at least one idle device 60 to obtain at least one device 6.

Alternatively, a portion of the second part of the object code 2, possibly containing the means of operation, is loaded into at least one pre-personalized device 66 to produce at least one device 6. The loading of this personalization information enables at least one pre-personalized device b to be made operational. It should be noted that part of this information, having been transferred to the device b, is not accessible directly from the outside of this device 6. The transfer of personalization information to the inactive device 60 or to the pre-personalized device 6b can be implemented with the help of an adapted personalization device, which is described further and illustrated Fig. 150. uh-

In the case of a device b consisting of a card 7 with a microchip and a device 8 reading it, the personalization applies only to the card 7 with a microchip.

Various technical means for implementing phase P protection, which will be described in more detail later, are illustrated in Fig. 110, 120, 130, 140 and 150.

Fig. 110 shows an example of the implementation of the system 25, which allows you to implement the stage 542 of the design with the consideration of the definitions entered at the stage 544 of the definitions, and during which the transmission means 12, 13 are designed. and possibly means of operation intended for the device 6. A similar system 25 includes a development device and? programs or a workstation, which is usually a computer that contains a system unit, a monitor, peripheral devices such as a keyboard and mouse, and on which the following programs are installed: file editors, assemblers, preprocessors, compilers, interpreters, debuggers and connection editors . - And Fig. 120 shows an example of the implementation of the pre-personalization device 30, which allows at least partially loading the transmission means 13 and/or the means of operation into at least one idle device 60,

Sh- in order to obtain at least a pre-personalized device 66. The pre-personalization device ZO contains a read-write device 31, which allows electrically pre-personalizing the inactive device 60 to obtain a pre-personalized device 66, in which the transmission means 13 and/or the means of operation are loaded. The pre-personalization SOA device may also contain physical means 32 of pre-personalization of the idle device 60, which

F represent, for example, a printer. If the device 6 consists of a card 7 with a microchip and a device 8 for its reading, pre-personalization is usually related only to the card 7 with a microchip.

Fig. 130 shows an example of the implementation of the system 35, which allows the production of tools intended for use in creating protected programs or automating the protection of programs. Such a system 35 includes a software development device or workstation, which is usually a computer,

Ф) which contains a system unit, a monitor, peripheral devices such as a keyboard and a mouse, and on which the following programs are installed: file editors, assemblers, preprocessors, compilers, interpreters, debuggers and connection editors. In Fig. 140, an example of the implementation of the system 40 is shown, which allows directly obtaining a protected program 2p or modifying a vulnerable program 2y in order to obtain a protected program 2p. Such a system 40 includes a program development device or workstation, which is usually a computer that includes a system unit, a monitor, peripheral devices such as a keyboard and mouse, and on which the following programs are installed: file editors, assemblers, preprocessors, compilers, interpreters, debuggers and editors of 65 CONNECTIONS, as well as tools that help in creating protected programs or automating the protection of programs.

Fig. 150 shows an example of the implementation of the personalization device 45, which allows loading the second part of the 2nd object code into at least one idle device 60 to obtain at least one device b, or a part of the second part of the 2nd object code into at least one pre-personalized device 66, to obtain at least one device 6. This personalization device 45 includes means 46

Read-write, which allows electrically personalizing at least one idle device 60 or at least one pre-personalized device 66 to obtain at least one device 6. Upon completion of this personalization, the device 6 contains the information necessary to execute the protected program 2r.

The personalization device 45 may also contain physical personalization means 47 for at least one device 6, which is, for example, a printer. If the device 6 consists of a card 7 with a 7/0 Microchip and a device 8 for reading it, the personalization usually applies only to the card 7 with a microchip.

The method of protection according to the invention can be implemented with additional improvements. - It is possible to envisage the joint use of a set of processing and storage devices, between which the second part of the object code of the protected program 2p is distributed in such a way that their joint execution allows the execution of the protected program 2p, while the absence of at least one of these processing and storage devices /5 prevents use of the protected program 2 years. - Similarly, after the pre-personalization stage 543 and during the personalization stage Z3, the part of the second part of the 2nd object code necessary to convert the pre-personalized device 66 to the device 6 can be contained in the processing and storage device used by the personalization device 45 to limit access to this parts of the second part of the 2nd part of the object code. Of course, this part of the second part of the object code can be distributed among several processing and storage devices in such a way that this part of the second part of the object code is available only during the joint use of these processing and storage devices.

Claims (24)

The formula of the invention with 25 o 1. A method of protection, based on at least one idle device (60) containing at least storage means (15), against unauthorized use of a vulnerable program (2y) that functions on a data processing system (3), which consists in that: "so zo a in the phase (P) of protection: " create a protected program (2p): so - by means of a selection in the source code (2y5) of a vulnerable program: "- Ш of at least one variable, which during the execution of a vulnerable program (2y ) partially determines its state, Ш and at least one fragment containing at least one selected variable, c. 35 - by creating the source code (2rz) of the protected program based on the source code (2u5) of the vulnerable chn program by modifying at least one selected fragment of the code (2u5) of the vulnerable program, and this modification is such that during the execution of the protected program (2r) at least one the selected variable or one copy of the selected variable is located in an idle device (60), which is thereby transformed into a device (6), - and by creating the first part (2rov) of the object code of the protected program (2p) based on the "source code ( 2rz) of the protected program, and the first part (2rz) of the object code is such that during the execution of the protected program (2r) the first executable part (2rev) is implemented, which is executed in the data processing system (3) and at least one fragment of which takes into account that at least one variable or one copy of the variable "z" is in the device (b), and a is in the phase ()) of use, during which the protected program (2p) is executed: n- in the presence of the device (b), every time , when the fragment of the first executable part (2rez) requires it, -And use a variable or a copy of the variable located in the device (6) in such a way that the specified fragment is executed correctly and, therefore, the protected program (2p) is fully functional; - n- while in the absence of device (6), despite the request of one fragment of the first executable part - (2revz) to use a variable or a copy of the variable located in device (6), the possibility of a correct answer to the specified request is not ensured, so that at least the specified fragment is not executed correctly and, therefore, (ee) the protected program (2p) is not fully functional. F 2. The method according to claim 1, which differs in that: and in the phase (P) of protection: - the protected program (2r) is modified: - by means of a selection in the source code (2rz) of the protected program: Ш of at least one algorithm, which during the execution of the protected program (2r) uses at least (Ф) one selected variable and allows to receive at least one resulting variable, GI Ш and at least one fragment containing at least one selected algorithm - by means of modification of at least one selected code fragment (2rz) of the protected program , and its modification is such that: During the execution of the protected program (2p), the first executable part (2rez) is executed in the data processing system (3), and the second executable part (2rey) is executed in the device (6), which also contains means (16) of processing, Ш at least the functional possibility of at least one selected algorithm is performed according to b5 / With the help of the second executable part (2rec), Ш at least one selected algorithm is decomposed in such a way that in the course of at the end of the protected program (2r), several different stages are implemented with the help of the second executable part (2rec), such as: - provision of at least one variable for the device (b), - implementation in the device (6) of the functional capabilities of the algorithm executed at least over by this variable, - it is possible to provide at least one resulting variable by the device (6) for the data processing system (3), Ш for at least one selected algorithm stage commands are defined in such a way that during the execution of the protected program (2p) each stage command is executed according to using the first executable part (2rez) and /o Causes the device (6) to execute the stage using the second executable part (2rec), Ш and the ordering of the stage commands is selected from the array of orders that allow the execution of the protected program (2r), - and using creation: Ш of the first part (2 roz) of the object code of the protected program (2r), and the first part (2 roz) of the object /5 Code is such that during the execution of the protected program (2r) stage commands are executed in accordance with the selected order, Ш of its second part (2рой) of the object code of the protected program (2р), and the second part (2рой) of the object code is such that after loading into the idle device (60), during the execution of the protected program (2p), the second executable part (2rec) is implemented, with the help of which the stages whose launch was caused by the first executable part (2rez) are executed; "« they load the second part (2roc) of the object code into the idle device (60) with the receipt of the device (b), and in the phase (3) of use: - in the presence of the device (6), every time the command requires it of the stage contained in the fragment of the first executable part (2revz), perform the corresponding stage in the device (b) in such a way that the indicated fragment is executed correctly and, therefore, the protected program (2p) is fully functional; n- while in the absence of the device (6), despite the request of one fragment of the first executable part i) (2revz) to start the execution of the stage in the device (6), the possibility of a correct response to the specified request is not provided, so that at least the specified fragment is not executed correctly and, therefore, the protected program (2p) is not fully functional. Ge zo 3. The method according to claim 1, which differs in that: and in the phase (P) of protection: so "- define: "- - a set of elementary functions, the elementary functions of which can be performed in the device (6), which also contains means ( 16) processing, i- - 1 set of elementary commands for the indicated set of elementary functions, and the indicated elementary commands can be executed in the system (3) of data processing, causing the execution of elementary functions in the device (6); - design means of operation that allow convert an idle device (60) into a device (6) capable of performing elementary functions from the specified set, and the execution of the specified elementary "functions is caused by the execution of elementary commands in the data processing system (3); with c - modify the protected program (2p): - by using a selection in the source code (2rz) of the protected program: ;" Ш of at least one algorithm, which during the execution of the protected program (2p) uses at least one selected variable and allows obtaining at least one resulting variable, The length of at least one fragment containing at least one selected algorithm, -And - by means of modification of at least one selected code fragment (2rz) of the protected program, and the specified modification is such that: Sh- Sh during the execution of the protected program (2p), the first executable part (2rez) is executed in the system (3) - data processing, and the second executable part (2rec) is executed in the device (6), Ш at least the functional possibility of at least one selected algorithm is performed with the help of the second executable part (2rec), Ф Ш at least one selected algorithm is decomposed in such a way that during the execution of the protected program (2r), the specified algorithm is executed with the help of the second executable part (2rec) using elementary functions, For at least one selected algorithm, the elementary commands are integrated into the source code (2rz) of the protected program in such a way that during the execution of the protected program (2r), each elementary command Ф) is executed with the help of the first executable part (2rez) and causes the device (6) to execute, with the help of the second executable part (2reits), an elementary function, And the arrangement of elementary commands is selected from the array of arrangements that allow the execution of the protected program (2p), - and by creating: Ш of the first part (2roz) of the object code of the protected program (2r), and the first part (2rovz) of the object code is such that during the execution of the protected program (2r) elementary commands are executed in accordance with the selected arrangement, 65 Sections of the second part (2roy) of the object code of the protected program (2r) containing means of operation, and the second part (2roys) of the object code is such that after loading into the idle device (60), during the execution of the protected program (2r) the second executable part (2resh) is implemented, with the help of which elementary functions are performed, the launch of which was caused by the first executable part (2rezv); "" they load the second part (2roc) of the object code into the idle device (60) with the receipt of the device (b), and in the phase (3) of use: "- in the presence of the device (6), whenever it requires the elementary command contained in the fragment of the first executable part (2rez) performs the corresponding elementary function in the device (6) in such a way that the specified fragment is executed correctly and, therefore, the protected program (2p) is fully functional; 70 n- while in the absence of the device (6), despite the request of the fragment of the first executable part (2rev) to start the execution of the elementary function in the device (6), the possibility of a correct response to the specified request is not provided, so that at least the specified fragment is not executed correctly and, therefore, the protected program (2p) is not fully functional. 4. The method according to claim 2, which differs in that: and in the phase (P) of protection: "- define: - a set of elementary functions, the elementary functions of which can be performed in the device (6), - and a set of elementary commands for the mentioned set elementary functions, and the specified elementary commands can be performed in the data processing system (3), causing the device (6) to perform elementary functions; n" construct means of operation that allow the device (6) to perform elementary functions from the specified set, and the execution of the specified elementary functions are called by the execution of elementary commands in the data processing system (3); "and modify the protected program (2r): сч - by selecting at least one step in the source code (2rz) of the protected program, which during the execution of the protected program (2r) the functional possibility of the algorithm, and) - by means of modification of at least one selected code fragment (2rz) of the protected program, and the said modification is such that: at least one selected stage is decomposed in such a way that during the execution of the protected program "о зо (р) the specified stage is executed with the help of the second executable part (2rec) using elementary functions, со Ш for at least one selected stage, elementary commands are integrated into the source code ( 2rz) "- a protected program in such a way that during the execution of the protected program (2p), each elementary command is executed with the help of the first executable part (2rez) and causes the device (6) to be executed with the help of the second executable part (2reits), of an elementary function, the ordering of elementary commands is selected from the array of orderings that allow the execution of the protected program (2r), and by creating: the first part (2roz) of the object code of the protected program (2r), and the first part ( 2rovz) of the object "Code such that during the execution of the protected program (2r) elementary commands are executed in accordance with the order selected from c, . Ш Its second part (2rots) of the object code of the protected program (2r), which also contains means of operation, and? and the second part (2roy) of the object code is such that after downloading to the device (6), during the execution of the protected program (2r), the second executable part (2resh) is implemented, with the help of which elementary functions are performed, the launch of which was caused by the first executable by part (2rez), -I a a in phase (3) of use: n- in the presence of device (6), every time it is required by the elementary command contained in part Ш- of the first executed part (2revz), perform the corresponding elementary the function in the device (6) in such a way that - the specified fragment is executed correctly and, therefore, the protected program (2p) is fully functional; n- while in the absence of the device (6), despite the request of one fragment of the first executable part of the co (2rez) to start the execution of the elementary function in the device (b), the possibility of a correct Ф response to the specified request is not ensured, so that at least the specified fragment is not is executed correctly and, therefore, the protected program (2p) is not fully functional. 5. The method according to item C or 4, which differs in that: and in the phase (P) of protection: "- determine: (Ф, - at least one characteristic of program execution that can be controlled, at least partially, in the device ( b), - at least one criterion that must be fulfilled for at least one performance characteristic of the program, - detection means (17), which should be used in the device (b) and which allow to detect that at least one program performance characteristic does not correspond to at least one the corresponding criterion, - and means (18) of coercion, which should be applied in the device (6) and which allow to inform the system (3) of data processing and/or modify the execution of the program until at least one criterion is met; 65 "design means of operation , which allow the device (b) to engage means (17) of detection and means (18) of coercion; "and modify the protected program (2p): - by selecting at least one performance characteristic of the controlled program from the performance characteristics that can be controlled, - by selecting at least one criterion that must be fulfilled for at least one selected performance characteristic of the program, - by selection in the source code (2rz) of the protected program of elementary functions for which it is worth monitoring at least one characteristic of the execution of the controlled program, - by means of modification of at least one selected fragment of the code (2rz) of the protected program, 7/0 and the specified modification is such that during execution of the protected program (2r) at least one selected performance characteristic is controlled using the second executable part, (2rec) and non-compliance with the criterion leads to informing the data processing system (3) and/or modifying the execution of the protected program (2r), - It by creating a second parts (2 years) of the object code are protected of the program (2r), containing means of operation, which also use means (17) of detection and means (18) of coercion, and the second part (2r) of the object code is such that after loading into the device (6), during execution of the protected program (2p) at least one characteristic of the program execution is monitored, and non-compliance with the criterion leads to informing the system (3) of data processing and/or to modifying the execution of the protected program (2p), and in phase (3) of use: n- if the device is available (6): - if all the criteria corresponding to all the controlled characteristics of the execution of all modified fragments of the protected program (2r) are met, allowing the nominal functioning of the mentioned fragments of the protected program (2r) and, therefore, the nominal functioning of the protected program (2r), - and if at least one of the criteria corresponding to the characteristics of the controlled execution of one text fragment of the protected program (2p) is not met, the data processing system (3) is informed about the non-compliance and/or modify the functioning of a fragment of the protected program (2p) in such a way that i) the functioning of the protected program (2p) was changed. 6. The method according to claim 5, which differs in that: in order to limit the use of the protected program (2p), Gezo and in the phase (P) of protection: "- define: so - as a characteristic of the execution of the program that can be controlled, - a variable for quantitative control "- the use of one functionality of the program, - as a criterion to be followed, - at least one threshold value associated with each - variable for quantitative control, and - and means of renewal, allowing to renew at least one variable for quantitative control; "construct means of operation that allow the device (b) to apply update means; "and modify the protected program (2r): - by selecting at least one variable as a characteristic of the controlled program's execution "for quantitative control of the use of one functionality of the program, with c - by choosing: . At least one functionality of the protected program (2p), the use of which can be used? control using a variable for quantitative control, Ш at least one variable for quantitative control, which serves to quantitatively characterize the use of the mentioned functionality, - Ш at least one threshold value associated with the selected variable for quantitative control and the corresponding limit of the use of the specified functionality , - The use of at least one method of updating the value of the mentioned variable for quantitative control depending on - the use of the specified functionality, - It by means of the modification of at least one selected code fragment (2rz) of the protected program, and the specified modification is such that during the execution of the protected program (2r) the variable for the quantitative Ф control is renewed with the help of the second executable part (2rey), depending on the use of the specified functionality, and at least one exceeding of the threshold value is taken into account in the phase ()) of use, if the device (b) is present, in the event that at least one exceedance of the threshold value corresponding to at least one limit of use is detected, the data processing system (3) is informed about this and/or the functioning of the fragment of the protected program (2r) is modified in such a way that Ф) the functioning of the protected program (2r) ) was changed. ka 7. The method according to claim 6, which differs in that: and in the phase (P) of protection: 60 "- determine: - several corresponding threshold values for at least one variable for quantitative control, - and various means of coercion corresponding to each of mentioned thresholds; "and modify the protected program (2r): - by selecting in the source code (2rz) of the protected program at least one variable for quantitative b5 Control, with which several threshold values corresponding to various limits of the use of functionality must be associated , - by selecting at least two threshold values associated with the selected variable for quantitative control, - It by modifying at least one selected code fragment (2rz) of the protected program, and the specified modification is such that during the execution of the protected program (2r) exceeding various threshold values are taken into account with the help of the second executable part (2rec) in various ways, and in phase (3) of use: n- in the presence of the device (6): - in the case when the first threshold value is exceeded, a command is given to the protected program 7/ 0 g) not to use the corresponding functional possibility in the future - and in the event that the second threshold value is exceeded, the corresponding functional possibility and/or at least part of the protected program are made impossible (2p). 8. The method according to claim 6 or 7, which is characterized by the fact that: and in the phase (P) of the protection: "reset means are determined, allowing at least one additional use of at least one functionality of the program, controlled by means of a variable for quantitative control; " means of operation, which also allow the device (6) to use the means of restarting; "and modify the protected program (2r): - by selecting in the source code (2rz) of the protected program at least one variable for quantitative control, which allows limiting the use of one functionality, for which there is a possibility of allowing at least one additional use, and by modifying at least one selected fragment, said modification being such that in the restart phase at least one additional use of at least one functionality corresponding to one selected variable for quantitative control can be allowed, and a in the transition phase e-loading: i) "- update at least one selected variable for quantitative control and at least one corresponding threshold value so as to allow at least one additional use of the functionality. 9. The method according to claim 5, which differs in that: Gezo a in the phase (P) of protection: "- defined: so - as a characteristic of the execution of the program that can be controlled, - the profile of use "- the program, - and as a criterion , that it should be observed, - at least one sign of program execution; - "and modify the protected program (2p): і- - by selecting as a characteristic of the execution of the controlled program at least one profile of the use of the program, - by selecting at least one sign of program execution, that it must be followed by at least one usage profile, i.e. by modifying at least one selected fragment of the code (2rz) of the protected program, specified) and the specified modification is such that during the execution of the protected program (2r) the second executable part . (2rets) complies with all the selected features of performance, and? and and in the phase (3) of use, in the presence of the device (6), in the event that it is found that at least one performance feature is not observed, the data processing system (3) is informed about this and/or the functioning of the part of the protected program (2p) is modified so that the functioning of the protected program (2p) was changed. -And 10. The method according to claim 9, which differs in that: and in the phase (P) of protection: ш- "- determine: - - a set of instructions, the instructions of which can be executed in the device (b), - a set of commands of instructions for the specified set of instructions, and the instruction commands can be executed in the data processing system (3), causing the device (6) to execute the instructions, Ф - as a usage profile - instruction coupling, - as a sign of execution - the desired coupling for the execution of instructions , - as means of (17) detection - means of detecting that the coupling of instructions does not correspond to the 5B desired, - as means of (18) coercion - means of informing the system of (3) data processing and/or Ф) modifying the functioning of a fragment of the protected program (2p), if the coupling of the instructions does not correspond to the desired; "- construct means of operation that allow the device (6) to execute instructions from a set of instructions, because the execution of the specified instructions is caused by the execution of other commands instructions in the data processing system (3); "and modify the protected program (2r): - by modifying at least one selected fragment of the code (2rz) of the protected program: Ш by converting elementary functions into instructions, 65 Ш by means of a coupling task that must be followed by at least some of the instructions during their implementation in the device (b), By converting elementary commands into instruction commands corresponding to the instructions used, and in the phase (OO) of use, in the presence of the device (6), in the event that it is found that the coupling of the instructions executed in the device (6) does not correspond to the desired , inform the data processing system (3) about this, or modify the functioning of the fragment of the protected program (2p) so that the functioning of the protected program (2p) is changed. 11. The method according to claim 10, which differs in that: and in the protection phase (P): 70 "- defined: - as a set of instructions - a set of instructions in which at least some instructions operate on registers and use at least one operand to produce a result , - at least for a part of the instructions operating on registers: Ш part (РЭ), which specifies the functional possibility of the instruction, Ш part, which specifies the desired coupling for the execution of instructions and contains bit fields corresponding to: - the field (СИИ) of the instruction identification , - І for each operand of the instruction: x field (СО) of the flag, x field (СИР,) of the identification provided for the operand, - for each register belonging to the means of operation and used by the set of instructions, - field (СИБУ) of the provided identification, in which the identification of the last instruction that returned its result to the specified register is automatically remembered - as means (17) of detection - means that allow during the execution of the instruction for each op rand, when required by the field (CO) of the flag, to control the equality between the field (Sibu) of the generated identification, according to the corresponding register used by the mentioned operand, and the field (SIRK) of the predicted identification about the starting address of this operand, - and as means (18) coercion - means that allow you to modify the result of the execution of instructions, if at least one of the controlled equalities is false. 12. The method according to claim 3, 4 or 10, which differs in that: "o zo a in the phase (P) of protection: "- define: so - as a start command - an elementary command or an instruction command, "- - as a dependent function - an elementary function or an instruction, - as a setting parameter - at least one argument for the launch command, corresponding at least - to a part of the information transferred by the data processing system (3) to the device (6) to cause the launch of the corresponding dependent function, - a method renaming the setup parameters, which allows the setup parameters to be renamed to obtain launch commands with the renamed setup parameters, - and recovery means (20) which are intended to be applied to the device (6) in the phase (3) of use and which "allow the dependent function to be found, that it must be performed on the basis of the parameter renamed in s; . "design the means of operation, which allow the device (b) to use the means of recovery; and?" "and modify the protected program (2r): - by selecting in the source code (2rz) of the protected program the launch command, - by modifying at least one selected fragment of the code (2rz) of the protected program by - AND renaming the configuration parameters of the selected launch commands to hide the identity of the corresponding dependent functions, w- - and by creating: - W the first part (2roz) of the object code of the protected program (2r), and the first part (2rovz) of the object code is such that during the execution of the protected program (2r ) the launch commands are executed with renamed installation parameters, F Ш of its second part (2 years) of the object code of the protected program (2 years), which contains the means of operation, which also use the means (20) of recovery, and the second part (2 years) of the object object code is such that after downloading to the device (6), during the execution of the protected program (2p), the identity of the dependent functions, whose execution is caused by the first executable part (2rez), restores sya with the help of the second executable part (2rec), and the dependent functions are performed with the help of the second executable part (2rec), Ф) a and in the phase (3) of use: ka "- in the presence of the device (6), every time it is required the launch command with renamed installation parameters contained in the fragment of the first executable part (2rev), restore the identity of the corresponding dependent function in the bo device (6) and execute it so that the specified fragment is executed correctly and, therefore, the program (2p) is protected fully functional; n- while in the absence of the device (6), despite the request of the fragment of the first executable part (2rev) to start the execution of the dependent function in the device (b), the possibility of a correct response to the specified request is not ensured, so that at least the specified fragment is not executed correctly and , therefore, the protected program 65 (2p) is not fully functional. 13. The method according to claim 12, which differs in that: and in the phase (P) of protection: - define, for at least one dependent function, a family of algorithmically equivalent dependent functions, which are called by launch commands, the renamed setting parameters of which are different; "and modify the protected program (2r): - by selecting in the source code (2rz) of the protected program at least one launch command with renamed installation parameters, - and by modifying at least one selected code fragment (2rz) of the protected program by replacing at least renamed installation parameters parameters of the launch command with the selected set of /o configuration parameters to other renamed configuration parameters, which causes the dependent function from the same family to run. 14. The method according to claim 13, which is characterized by the fact that it includes: and in the phase (P) of the protection of the determination, for at least one dependent function, of a family of algorithmically equivalent dependent functions - by combining the noise field with the information that defines that functional part of the dependent function, which is performed in the device (6), - or by using the instruction identification field (SI) and the identification field (SIP) provided for the operand. 15. The method according to claim 12, 13 or 14, which differs in that: and in the phase (P) of the protection, the following are defined: - as a method of renaming the setting parameters - a coding method for encoding the setting parameters, - and as means (20) of recovery - means , which apply a decoding method to decode the renamed configuration parameters and restore the identity of the dependent functions to be performed in the device (6). high school 16. The method according to any one of claims 2-15, which differs in that: and in the phase (P) of protection: i) - modify the protected program (2p): - by means of selection in the source code (2rz) of the protected program at least one conditional transition, performed in at least one selected processing algorithm, "o zo - by means of modification of at least one selected code fragment (2rz) of the protected program, and the specified modification is such that during the execution of the protected program (2r) the functional possibility of at least one selected conditional transition is performed with the help of the second executable part (2resh), In the "th device (b), - and with the help of creating: - Ш the first part (2roz) of the object code of the protected program (2r), and the first part (2rovz) about of the object code is such that during the execution of the protected program (2p), the functional possibility of at least one selected conditional transition is executed in the device (b) of its second part (2roy) of the object code of the protected program (2p), and the second the part (2roy) of the object code is such that after loading into the device (6), during the execution of the protected program (2p), the second executable part (2rem) is implemented, with the help of which the functional possibility of at least one selected conditional transition is performed, and and in phase (3) of use: ;" n- in the presence of device (b), whenever a fragment of the first executable part (2rez) requires it, the functions of at least one selected conditional transition are performed in device (6) in such a way that the specified fragment is executed correctly and, therefore, the protected program ( 2r) was fully functional; -And "- and in the absence of device (b), despite the request of the fragment of the first executable part (2rev) to perform the conditional transition functions in device (6), the possibility of correct response to the specified request is not ensured, so that at least the specified fragment is not executed correctly and, therefore, the protected program (2p) is not fully functional. 17. The method according to claim 16, which is characterized by the fact that in the phase (P) of protection, the protected program (2r) is modified: c - by selecting in the source code (2rz) of the protected program at least one series of selected Ф conditional transitions, - by means of modification at least one selected piece of code (2rz) of the protected program, and the specified modification is such that during the execution of the protected program (2r), the global functional dv The possibility of at least one selected series of conditional transitions is performed in the device (6) by means of the second executable part (2rec), (Ф, - and by creating: ka Ш the first part (2roz) of the object code of the protected program (2r), and the first part (2rovz) of the object code is such that during the execution of the protected program (2r) the functional possibility at least one selected series of conditional transitions is executed in the device (6), Ш of its second part (2рой) of the object code of the protected program (2р), and the second part (2рой) of the object code is such that after the entering the device (6), during the execution of the protected program (2p), the second executable part (2retsh) is implemented, with the help of which the global functionality of at least one selected series of conditional transitions is implemented. 65 18. The method according to any one of claims 1-17, which is characterized by the fact that the protection phase (P) is divided into an input sub-phase (P.) of protection, independent of the protected program, and an output sub-phase (P) of protection, depending on the program being protected. 19. The method according to claim 18, which is characterized by the fact that during the input subphase (R.) of protection, a stage (544) of determinations is used, at which all determinations are performed. 20. The method according to claim 19, which differs in that after the stage (544) of determinations, the stage of construction (542) is used, in which means of operation are created. 21. The method according to claim 20, which is characterized in that after the stage (542) of construction, a stage (of 45) of pre-personalization is used, which consists in loading into the idle device (60) at least part of the means of operation in order to obtain a pre-personalized device (66 ). 70 22. The method according to claim 19 or 20, which is characterized by the fact that during the input subphase (Pi) of the protection, the stage (544) of the production of means is used, in which the means are manufactured, which help in creating protected programs or automating the protection of programs. 23. The method according to claim 18 or 21, which differs in that the initial subphase (Po) of protection is divided into: "stage (524) of creation, at which a protected program (2r) is created on the basis of a vulnerable program (2y); " perhaps the stage (522) of modification, in which the protected program (2r) is modified; " and, perhaps, the stage (Z»2z) of personalization, in which: - the second part (2roc) of the object code of the protected program (2r), which may contain exploits, is loaded into at least one idle device (60) to obtain at least one device (b), - or part of the second part (2r) of the object code of the protected program (2r), which may contain means of operation is loaded into at least one pre-personalized device (66) to obtain at least one device (6). 24. The method according to claim 22 or 23, which is characterized by the fact that during the stage (524) of creation and possibly the stage (5 22) of modification, at least one of the means intended for use in creating protected programs or automating the protection of programs is used. sch shchi 6) (Se) (ee) "- cha - - with . and? -I -I - (ee) 4) ime) 60 b5