Secure software system and related techniques
First Claim
1. A processing system for executing an original computer program with a first portion of the original computer program executing in a first processor located at a first processing site and a second portion of the original computer program executing in a second different processor located at a second different processing site wherein the first and second processing sites are physically separate and adapted to communicate over a network, the second processor at the second processing site comprising:
- (a) a code extraction processor to receive the original computer program and to parse the original computer program to provide a first program for execution at the first processing site and an associated second program for execution at the second processing site, wherein said code extraction processor provides the second program such that the second program does not by itself constitute an executable computer program and wherein the second program includes portions of the original computer program selected to render it difficult to re-create the functionality of the original computer program from information stored at or otherwise available at the first processing site;
(b) a storage device having stored therein a server program which utilizes the second program and wherein in response to communications provided thereto by the first program executing at the first processing site, the server program provides information over the network to the first processing site which allows the first program executing at the first processing site to re-create the functionality of the original computer program at the first processing site; and
(c) an execution processor to execute the server program and the second program at the second processing site; and
(d) a plurality of communication paths, each of the communication paths coupled between a particular one of the plurality of first processing sites and the particular server program utilizing the associated second program portion and wherein the server program manages the communication between the first program and the second program associated with the particular first program during execution of the first program; and
wherein said code extraction processor processes the original computer program to extract a plurality of different second programs from the original computer program to provide a like plurality of different first programs with each of the plurality of first programs intended to be transmitted to a different one of a plurality of first processing sites and each of the second program portions intended to be utilized by the server program and executed by the execution processor at the second processing site and wherein said code extraction processor concurrently generates one or more first programs, one or more second programs and one or more server programs and each of the one or more server programs utilizes a respective one of the one or more second programs and each of the one or more second programs is associated with a corresponding one of the one or more first programs and includes one or more portions of the original computer program wherein the one or more portions are selected to render it difficult to recreate the functionality of the original computer program from information stored at or otherwise available at the first processing site and each of the plurality of first programs generated by said code extraction processor for execution at first processing sites requires a different input which is provided from the respective one of the one or more server programs utilizing the associated second programs and executing at the second processing site.
2 Assignments
0 Petitions
Accused Products
Abstract
A secure software system includes a transformation processor for transforming an original program capable of being executed on a lessee site into a vendor server program, a first program intended to be executed at the lessee site which lacks some of the functionality of the original program and a second program. The first program provides some of the computation of the original program but is unable to provide all of the functionality of the Original Program and requires cooperation with the second program which corresponds to an excised portion of the original program to provide the functionality of original program. The excised program is executed or otherwise utilized by a vendor server program which, in one embodiment, is generated by the transformation processor. With this arrangement, the lessee obtains the total functionality of the original program without having access to the original program code and the excised program is selected such that it would be relatively difficult to recreate the total functionality of the original program.
-
Citations
27 Claims
-
1. A processing system for executing an original computer program with a first portion of the original computer program executing in a first processor located at a first processing site and a second portion of the original computer program executing in a second different processor located at a second different processing site wherein the first and second processing sites are physically separate and adapted to communicate over a network, the second processor at the second processing site comprising:
-
(a) a code extraction processor to receive the original computer program and to parse the original computer program to provide a first program for execution at the first processing site and an associated second program for execution at the second processing site, wherein said code extraction processor provides the second program such that the second program does not by itself constitute an executable computer program and wherein the second program includes portions of the original computer program selected to render it difficult to re-create the functionality of the original computer program from information stored at or otherwise available at the first processing site;
(b) a storage device having stored therein a server program which utilizes the second program and wherein in response to communications provided thereto by the first program executing at the first processing site, the server program provides information over the network to the first processing site which allows the first program executing at the first processing site to re-create the functionality of the original computer program at the first processing site; and
(c) an execution processor to execute the server program and the second program at the second processing site; and
(d) a plurality of communication paths, each of the communication paths coupled between a particular one of the plurality of first processing sites and the particular server program utilizing the associated second program portion and wherein the server program manages the communication between the first program and the second program associated with the particular first program during execution of the first program; and
wherein said code extraction processor processes the original computer program to extract a plurality of different second programs from the original computer program to provide a like plurality of different first programs with each of the plurality of first programs intended to be transmitted to a different one of a plurality of first processing sites and each of the second program portions intended to be utilized by the server program and executed by the execution processor at the second processing site and wherein said code extraction processor concurrently generates one or more first programs, one or more second programs and one or more server programs and each of the one or more server programs utilizes a respective one of the one or more second programs and each of the one or more second programs is associated with a corresponding one of the one or more first programs and includes one or more portions of the original computer program wherein the one or more portions are selected to render it difficult to recreate the functionality of the original computer program from information stored at or otherwise available at the first processing site and each of the plurality of first programs generated by said code extraction processor for execution at first processing sites requires a different input which is provided from the respective one of the one or more server programs utilizing the associated second programs and executing at the second processing site. - View Dependent Claims (2)
-
-
3. A method for securing an original software program comprising a plurality of statements and being responsive to at least one input, said method comprising the steps of:
-
(a) selecting a subset of the at least one input;
(b) identifying ones of the plurality of statements which are influenced by said selected subset of the at least one input;
(c) defining at least one abstract object class;
(d) including at least one of the identified statements in each of the at least one abstract object classes;
(e) generating a program portion which utilizes each of the at least one abstract object classes;
(f) removing said identified statements from said software program to provide a lessee software program; and
(g) inserting program code into the lessee software program which allows the lessee software program to communicate with said program portion over a network. - View Dependent Claims (4, 5, 6, 7)
transmitting the lessee software program to a lessee site; and
storing the lessee software program in a storage device at the lessee site.
-
-
5. The method of claim 4 further comprising the step of:
-
including each of the at least one abstract classes in a program accessible by the program portion; and
storing the program portion in a storage device at a vendor site.
-
-
6. The method of claim 5 further comprising the step of storing the each of the at least one abstract object classes in a storage device at the vendor site.
-
7. The method of claim 6 further comprising the step of storing the program which includes the abstract object class in a storage device at the vendor site.
-
8. A secure software system comprising:
-
(a) a first processing site including;
a code extraction processor to receive an original software program and to parse the original software program to provide a first program and a second program wherein said code extraction processor further comprises;
means for selecting a subset of inputs of the original software program; and
means for identifying statements of the original software program which are influenced by the inputs selected by said means for selecting;
a first storage device having the first program stored therein;
a second storage device having stored therein a server program which utilizes the first program;
an execution processor, coupled to said first and second storage devices, to execute the second program generated by the transformation processor and the server program; and
means for transmitting and receiving information over a network;
(b) a second processing site including;
a first storage device having the first program stored therein; and
a processor for executing the first program generated by said code extraction processor;
means for transmitting and receiving information over a network; and
(c) a network, coupled between said first site and said second site for providing a communication channel between the server program and the first program. - View Dependent Claims (9, 10, 11)
means for identifying a plurality of execution paths in the original software program;
means for identifying at least one input in each of the execution paths of the original software program; and
means for selecting predetermined ones of the inputs to the original software program in accordance with a predetermined criteria.
-
-
11. The system of claim 8 wherein said first site further comprises a code modification processor coupled to the input of said code extraction processor for receiving the original software program and for modifying program code of the original software program and for providing a modified original software program to said code extraction processor.
-
12. A processing system for executing an original software program, the processing system comprising:
-
(a) a first processor located at the first processing site, to execute a first program which corresponds to a first portion of an original software program;
(b) a second processor located at the second processing site which is physically separated from the first processing site, the second processor for executing a second program which corresponds to a second portion of the original software program where the first and second programs combined correspond to the entire original software program;
(c) a communications network coupled between the first and second processing sites and through which said first processor communicates with said second processor; and
means for transmitting information between said first processor and said second processor over said communications network wherein in response to the first program receiving a first set of inputs, the first program generates a first set of communications and provides the first set of communications across said communications network to the second program and the second program provides a corresponding first set of communications to the first program over said communications network.- View Dependent Claims (13, 14, 15, 16)
-
-
17. A processing system for executing an original software program, the processing system comprising:
-
(a) a first processor located at the first processing site, to execute a first program which corresponds to a first portion of an original software program;
(b) a second processor located at the second processing site which is physically separated from the first processing site, the second processor for executing a second program which corresponds to a second portion of the original software program where the first and second programs combined correspond to the entire original software program;
(c) a communications network coupled between the first and second processing sites and through which said first processor communicates with said second processor; and
means for transmitting information between said first processor and said second processor over said communications network; and
(d) a code extraction processor to receive the original software program and to parse the original software program to provide the first program and the second program. - View Dependent Claims (18, 19)
means for selecting a subset of inputs of the original software program; and
means for identifying statements of the original software program which are influenced by the inputs selected by said means for selecting.
-
-
19. The system of claim 18 wherein said means for selecting a subset of inputs further comprises means for selecting first ones of a plurality of inputs to the original software program which allow the program executing in said processor at the second processing site to maintain control over the first program executing at the processor at the first processing site.
-
20. A processing system for executing an original software program, the processing system comprising:
-
(a) a first processor located at the first processing site, to execute a first program which corresponds to a first portion of an original software program, said first processor having a bus operating at a first bus speed;
(b) a second processor located at the second processing site which is physically separated from the first processing site, the second processor for executing a second program which corresponds to a second portion of the original software program where the first and second programs combined correspond to the entire original software program, said first processor having a bus operating at a second bus speed;
(c) a communications network coupled between the first and second processing sites and through which said first processor communicates with said second processor, said communications network operating at a third speed wherein the third speed is slower than the speed at which the fist and second buses operate; and
(d) means for transmitting information between said first processor and said second processor over said communications network;
wherein communication between the first program and the second program across said communications network is input dependent; and
wherein in response to the first program receiving a first set of inputs, the first program generates a first set of communication across said communication network to the second program and wherein the second program provides a corresponding first set of communications to the first program over the communications network. - View Dependent Claims (21, 22, 23, 24)
-
-
25. A processing for executing an original software program, the processing system comprising:
-
(a) a first processor located at the first processing site, to execute a first program which corresponds to a first portion of an original software program, said first processor having a bus operating at a first bus speed;
(b) a second processor located at the second processing site which is physically separated from the first processing site, the second processor for executing a second program which corresponds to a second portion of the original software program where the first and second programs combined correspond to the entire original software program, said first processor having a bus operating at a second bus speed;
(c) a communications network coupled between the first and second processing sites and through which said first processor communicates with said second processor, said communications network operating at a third speed wherein the third speed is slower than the speed at which the fist and second buses operate;
(a) means for transmitting information between said first processor and said second processor over said communications network; and
(e) a code extraction processor to receive the original software program and to parse the original software program to provide the first program and the second program, wherein said code extraction processor further comprises;
means for selecting a subset of inputs of the original software program; and
means for identifying statements of the original software program which are influenced by the inputs selected by said means for selecting. - View Dependent Claims (26)
-
-
27. A method for securing an original program that is dependent on one or more inputs, the method comprising the steps of:
-
(a) adding an arbitrary input request to the original program;
(b) modifying the original program to operate on new values which are a function of existing program values and values input in response to the arbitrary input request;
(c) identifying one or more new values;
(d) rewriting code of the original program which utilizes identified new values;
(e) removing the implementation code of some or all of the rewritten code;
(f) replacing the removed code by a set of communication calls to a vendor server program; and
(g) inserting program code into the vendor server program such that the vendor server program utilizes the implementation code removed in step (d);
(f) adding a communication interface to the vendor server program.
-
Specification