Software self-defense systems and methods

US 10,255,414 B2
Filed: 06/05/2015
Issued: 04/09/2019
Est. Priority Date: 07/29/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method performed by a computer system comprising a processor and a non-transitory computer-readable storage medium storing instructions that when executed by the processor, cause the processor to perform the method, the method comprising:

determining that a computer program has been tampered with;

setting, based on the determination, a plurality of first variables distributed in a first plurality of different locations of the computer program and stored in memory associated with the processor executing the computer program to indicate that the computer program has been tampered with;

receiving a request from the computer program to perform a first operation;

in response to receiving the request, analyzing at least a quasi-random subset of the plurality of first variables to determine that the computer program has been tampered with;

in response to testing the at least quasi-random subset of the plurality of first variables, setting a plurality of second variables distributed in a second plurality of different locations of the computer program to a state indicating that the computer program has been tampered with; and

implementing, based on the analysis, at least one protective response.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for protecting a computer program from unauthorized analysis and modification. Obfuscation transformations can be applied to the computer program'"'"'s local structure, control graph, and/or data structure to render the program more difficult to understand and/or modify. Tamper-resistance mechanisms can be incorporated into the computer program to detect attempts to tamper with the program'"'"'s operation. Once an attempt to tamper with the computer program is detected, the computer program reports it to an external agent, ceases normal operation, and/or reverses any modifications made by the attempted tampering. The computer program can also be watermarked to facilitate identification of its owner. The obfuscation, tamper-resistance, and watermarking transformations can be applied to the computer program'"'"'s source code, object code, or executable image.

Citations

16 Claims

1. A method performed by a computer system comprising a processor and a non-transitory computer-readable storage medium storing instructions that when executed by the processor, cause the processor to perform the method, the method comprising:
- determining that a computer program has been tampered with;
  
  setting, based on the determination, a plurality of first variables distributed in a first plurality of different locations of the computer program and stored in memory associated with the processor executing the computer program to indicate that the computer program has been tampered with;
  
  receiving a request from the computer program to perform a first operation;
  
  in response to receiving the request, analyzing at least a quasi-random subset of the plurality of first variables to determine that the computer program has been tampered with;
  
  in response to testing the at least quasi-random subset of the plurality of first variables, setting a plurality of second variables distributed in a second plurality of different locations of the computer program to a state indicating that the computer program has been tampered with; and
  
  implementing, based on the analysis, at least one protective response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein determining that the computer program has been tampered with comprises analyzing the computer program to determine that a portion of the computer program has been altered.
  - 3. The method of claim 1, wherein determining that the computer program has been tampered with comprises analyzing the computer program to determine that a watermark included in the computer program has been altered.
  - 4. The method of claim 1, wherein the at least a subset of the plurality of first variables comprises discontiguous variables within the computer program.
  - 5. The method of claim 1, where the method further comprises setting, in response to analyzing the at least a subset of the plurality of first variables, at least one third variable associated with the computer program stored in memory associated with the processor executing the computer program to indicate that the computer program has been tampered with.
  - 6. The method of claim 1, wherein the at least one protective response comprises performing a second operation different than the first operation.
  - 7. The method of claim 1, wherein the at least one protective response comprises sending an indication to a remote system that the computer program has been tampered with.
  - 8. The method of claim 1, wherein the at least one protective response comprises returning, in response to the request, an error indication to the computer program.

9. A non-transitory computer-readable storage medium storing instructions that when executed by a system comprising a processor, cause the processor to perform a method comprising:
- setting, based on the determination, a plurality of first variables distributed in a first plurality of different locations of the computer program and stored in memory associated with the processor executing the computer program to indicate that the computer program has been tampered with;
  
  receiving a request from the computer program to perform a first operation;
  
  in response to receiving the request, analyzing at least a quasi-random subset of the plurality of first variables to determine that the computer program has been tampered with;
  
  in response to testing the at least quasi-random subset of the plurality of first variables, setting a plurality of second variables distributed in a second plurality of different locations of the computer program to a state indicating that the computer program has been tampered with; and
  
  implementing, based on the analysis, at least one protective response.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer-readable storage medium of claim 9, wherein determining that the computer program has been tampered with comprises analyzing the computer program to determine that a portion of the computer program has been altered.
  - 11. The non-transitory computer-readable storage medium of claim 9, wherein determining that the computer program has been tampered with comprises analyzing the computer program to determine that a watermark included in the computer program has been altered.
  - 12. The non-transitory computer-readable storage medium of claim 9, wherein the at least a subset of the plurality of first variables comprises discontiguous variables within the computer program.
  - 13. The non-transitory computer-readable storage medium of claim 9, wherein the method further comprises setting, in response to analyzing the at least a subset of the plurality of first variables, at least one third variable associated with the computer program stored in memory associated with the processor executing the computer program to indicate that the computer program has been tampered with.
  - 14. The non-transitory computer-readable storage medium of claim 9, wherein the at least one protective response comprises performing a second operation different than the first operation.
  - 15. The non-transitory computer-readable storage medium of claim 9, wherein the at least one protective response comprises sending an indication to a remote system that the computer program has been tampered with.
  - 16. The non-transitory computer-readable storage medium of claim 9, wherein the at least one protective response comprises returning, in response to the request, an error indication to the computer program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intertrust Technologies Corporation (Fidelio Acquisition Co LLC)
Original Assignee
Intertrust Technologies Corporation (Fidelio Acquisition Co LLC)
Inventors
Horning, James J., Sibert, W. Olin, Tarjan, Robert E., Maheshwari, Umesh, Horne, William G., Wright, Andrew K., Matheson, Lesley R., Owicki, Susan S.
Primary Examiner(s)
Zhen, Wei Y
Assistant Examiner(s)
Wu, Junchun

Application Number

US14/732,312
Publication Number

US 20150278491A1
Time in Patent Office

1,404 Days
Field of Search

717127
US Class Current
CPC Class Codes

G06F 11/3612   by runtime analysis perform...

G06F 11/362   Software debugging

G06F 21/10   Protecting distributed prog...

G06F 21/125   by manipulating the program...

G06F 21/14   against software analysis o...

Software self-defense systems and methods

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Software self-defense systems and methods

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links