Software self-defense systems and methods
First Claim
1. A method performed by a computer system comprising a processor and a non-transitory computer-readable storage medium storing instructions that when executed by the processor, cause the processor to perform the method, the method comprising:
- determining that a computer program has been tampered with;
setting, based on the determination, a plurality of first variables distributed in a first plurality of different locations of the computer program and stored in memory associated with the processor executing the computer program to indicate that the computer program has been tampered with;
receiving a request from the computer program to perform a first operation;
in response to receiving the request, analyzing at least a quasi-random subset of the plurality of first variables to determine that the computer program has been tampered with;
in response to testing the at least quasi-random subset of the plurality of first variables, setting a plurality of second variables distributed in a second plurality of different locations of the computer program to a state indicating that the computer program has been tampered with; and
implementing, based on the analysis, at least one protective response.
2 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods are disclosed for protecting a computer program from unauthorized analysis and modification. Obfuscation transformations can be applied to the computer program'"'"'s local structure, control graph, and/or data structure to render the program more difficult to understand and/or modify. Tamper-resistance mechanisms can be incorporated into the computer program to detect attempts to tamper with the program'"'"'s operation. Once an attempt to tamper with the computer program is detected, the computer program reports it to an external agent, ceases normal operation, and/or reverses any modifications made by the attempted tampering. The computer program can also be watermarked to facilitate identification of its owner. The obfuscation, tamper-resistance, and watermarking transformations can be applied to the computer program'"'"'s source code, object code, or executable image.
-
Citations
16 Claims
-
1. A method performed by a computer system comprising a processor and a non-transitory computer-readable storage medium storing instructions that when executed by the processor, cause the processor to perform the method, the method comprising:
-
determining that a computer program has been tampered with; setting, based on the determination, a plurality of first variables distributed in a first plurality of different locations of the computer program and stored in memory associated with the processor executing the computer program to indicate that the computer program has been tampered with; receiving a request from the computer program to perform a first operation; in response to receiving the request, analyzing at least a quasi-random subset of the plurality of first variables to determine that the computer program has been tampered with; in response to testing the at least quasi-random subset of the plurality of first variables, setting a plurality of second variables distributed in a second plurality of different locations of the computer program to a state indicating that the computer program has been tampered with; and implementing, based on the analysis, at least one protective response. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A non-transitory computer-readable storage medium storing instructions that when executed by a system comprising a processor, cause the processor to perform a method comprising:
-
setting, based on the determination, a plurality of first variables distributed in a first plurality of different locations of the computer program and stored in memory associated with the processor executing the computer program to indicate that the computer program has been tampered with; receiving a request from the computer program to perform a first operation; in response to receiving the request, analyzing at least a quasi-random subset of the plurality of first variables to determine that the computer program has been tampered with; in response to testing the at least quasi-random subset of the plurality of first variables, setting a plurality of second variables distributed in a second plurality of different locations of the computer program to a state indicating that the computer program has been tampered with; and implementing, based on the analysis, at least one protective response. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
Specification