Secure software system and related techniques

US 6,304,972 B1
Filed: 01/03/2000
Issued: 10/16/2001
Est. Priority Date: 01/03/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A processing system for executing an original computer program with a first portion of the original computer program executing in a first processor located at a first processing site and a second portion of the original computer program executing in a second different processor located at a second different processing site wherein the first and second processing sites are physically separate and adapted to communicate over a network, the second processor at the second processing site comprising:

(a) a code extraction processor to receive the original computer program and to parse the original computer program to provide a first program for execution at the first processing site and an associated second program for execution at the second processing site, wherein said code extraction processor provides the second program such that the second program does not by itself constitute an executable computer program and wherein the second program includes portions of the original computer program selected to render it difficult to re-create the functionality of the original computer program from information stored at or otherwise available at the first processing site;

(b) a storage device having stored therein a server program which utilizes the second program and wherein in response to communications provided thereto by the first program executing at the first processing site, the server program provides information over the network to the first processing site which allows the first program executing at the first processing site to re-create the functionality of the original computer program at the first processing site; and

(c) an execution processor to execute the server program and the second program at the second processing site; and

(d) a plurality of communication paths, each of the communication paths coupled between a particular one of the plurality of first processing sites and the particular server program utilizing the associated second program portion and wherein the server program manages the communication between the first program and the second program associated with the particular first program during execution of the first program; and

wherein said code extraction processor processes the original computer program to extract a plurality of different second programs from the original computer program to provide a like plurality of different first programs with each of the plurality of first programs intended to be transmitted to a different one of a plurality of first processing sites and each of the second program portions intended to be utilized by the server program and executed by the execution processor at the second processing site and wherein said code extraction processor concurrently generates one or more first programs, one or more second programs and one or more server programs and each of the one or more server programs utilizes a respective one of the one or more second programs and each of the one or more second programs is associated with a corresponding one of the one or more first programs and includes one or more portions of the original computer program wherein the one or more portions are selected to render it difficult to recreate the functionality of the original computer program from information stored at or otherwise available at the first processing site and each of the plurality of first programs generated by said code extraction processor for execution at first processing sites requires a different input which is provided from the respective one of the one or more server programs utilizing the associated second programs and executing at the second processing site.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure software system includes a transformation processor for transforming an original program capable of being executed on a lessee site into a vendor server program, a first program intended to be executed at the lessee site which lacks some of the functionality of the original program and a second program. The first program provides some of the computation of the original program but is unable to provide all of the functionality of the Original Program and requires cooperation with the second program which corresponds to an excised portion of the original program to provide the functionality of original program. The excised program is executed or otherwise utilized by a vendor server program which, in one embodiment, is generated by the transformation processor. With this arrangement, the lessee obtains the total functionality of the original program without having access to the original program code and the excised program is selected such that it would be relatively difficult to recreate the total functionality of the original program.

Citations

27 Claims

1. A processing system for executing an original computer program with a first portion of the original computer program executing in a first processor located at a first processing site and a second portion of the original computer program executing in a second different processor located at a second different processing site wherein the first and second processing sites are physically separate and adapted to communicate over a network, the second processor at the second processing site comprising:
- (a) a code extraction processor to receive the original computer program and to parse the original computer program to provide a first program for execution at the first processing site and an associated second program for execution at the second processing site, wherein said code extraction processor provides the second program such that the second program does not by itself constitute an executable computer program and wherein the second program includes portions of the original computer program selected to render it difficult to re-create the functionality of the original computer program from information stored at or otherwise available at the first processing site;
  
  (b) a storage device having stored therein a server program which utilizes the second program and wherein in response to communications provided thereto by the first program executing at the first processing site, the server program provides information over the network to the first processing site which allows the first program executing at the first processing site to re-create the functionality of the original computer program at the first processing site; and
  
  (c) an execution processor to execute the server program and the second program at the second processing site; and
  
  (d) a plurality of communication paths, each of the communication paths coupled between a particular one of the plurality of first processing sites and the particular server program utilizing the associated second program portion and wherein the server program manages the communication between the first program and the second program associated with the particular first program during execution of the first program; and
  
  wherein said code extraction processor processes the original computer program to extract a plurality of different second programs from the original computer program to provide a like plurality of different first programs with each of the plurality of first programs intended to be transmitted to a different one of a plurality of first processing sites and each of the second program portions intended to be utilized by the server program and executed by the execution processor at the second processing site and wherein said code extraction processor concurrently generates one or more first programs, one or more second programs and one or more server programs and each of the one or more server programs utilizes a respective one of the one or more second programs and each of the one or more second programs is associated with a corresponding one of the one or more first programs and includes one or more portions of the original computer program wherein the one or more portions are selected to render it difficult to recreate the functionality of the original computer program from information stored at or otherwise available at the first processing site and each of the plurality of first programs generated by said code extraction processor for execution at first processing sites requires a different input which is provided from the respective one of the one or more server programs utilizing the associated second programs and executing at the second processing site.
- View Dependent Claims (2)
- - 2. The system of claim 1 wherein said means for selecting a subset of inputs further comprises means for randomly selecting first ones of a plurality of inputs to the original software program.

3. A method for securing an original software program comprising a plurality of statements and being responsive to at least one input, said method comprising the steps of:
- (a) selecting a subset of the at least one input;
  
  (b) identifying ones of the plurality of statements which are influenced by said selected subset of the at least one input;
  
  (c) defining at least one abstract object class;
  
  (d) including at least one of the identified statements in each of the at least one abstract object classes;
  
  (e) generating a program portion which utilizes each of the at least one abstract object classes;
  
  (f) removing said identified statements from said software program to provide a lessee software program; and
  
  (g) inserting program code into the lessee software program which allows the lessee software program to communicate with said program portion over a network.
- View Dependent Claims (4, 5, 6, 7)
- - 4. The method of claim 3 further comprising the step of:
5. The method of claim 4 further comprising the step of:
- including each of the at least one abstract classes in a program accessible by the program portion; and
  
  storing the program portion in a storage device at a vendor site.
6. The method of claim 5 further comprising the step of storing the each of the at least one abstract object classes in a storage device at the vendor site.
7. The method of claim 6 further comprising the step of storing the program which includes the abstract object class in a storage device at the vendor site.

8. A secure software system comprising:
- (a) a first processing site including;
  
  a code extraction processor to receive an original software program and to parse the original software program to provide a first program and a second program wherein said code extraction processor further comprises;
  
  means for selecting a subset of inputs of the original software program; and
  
  means for identifying statements of the original software program which are influenced by the inputs selected by said means for selecting;
  
  a first storage device having the first program stored therein;
  
  a second storage device having stored therein a server program which utilizes the first program;
  
  an execution processor, coupled to said first and second storage devices, to execute the second program generated by the transformation processor and the server program; and
  
  means for transmitting and receiving information over a network;
  
  (b) a second processing site including;
  
  a first storage device having the first program stored therein; and
  
  a processor for executing the first program generated by said code extraction processor;
  
  means for transmitting and receiving information over a network; and
  
  (c) a network, coupled between said first site and said second site for providing a communication channel between the server program and the first program.
- View Dependent Claims (9, 10, 11)
- - 9. The system of claim 8 wherein said means for selecting a subset of inputs further comprises means for randomly selecting first ones of a plurality of inputs to the original software program.
  - 10. The system of claim 8 wherein said means for selecting a subset of inputs further comprises:
11. The system of claim 8 wherein said first site further comprises a code modification processor coupled to the input of said code extraction processor for receiving the original software program and for modifying program code of the original software program and for providing a modified original software program to said code extraction processor.

12. A processing system for executing an original software program, the processing system comprising:
- (a) a first processor located at the first processing site, to execute a first program which corresponds to a first portion of an original software program;
  
  (b) a second processor located at the second processing site which is physically separated from the first processing site, the second processor for executing a second program which corresponds to a second portion of the original software program where the first and second programs combined correspond to the entire original software program;
  
  (c) a communications network coupled between the first and second processing sites and through which said first processor communicates with said second processor; and
  
  means for transmitting information between said first processor and said second processor over said communications network wherein in response to the first program receiving a first set of inputs, the first program generates a first set of communications and provides the first set of communications across said communications network to the second program and the second program provides a corresponding first set of communications to the first program over said communications network.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12 wherein in response to the first program receiving a second set of inputs, the first program generates a second set of communications and provides the second set of communications to the second program and wherein the second program provides a corresponding second set of communications to the first program over said communications network.
  - 14. The system of claim 13 wherein the first set of communications generated by the first program relate to at least one of:
    - (a) a first set of variables;
      
      (b) a first set of statements; and
      
      (c) a first execution path which have been removed from the first program and which are influenced by the first set of inputs.
  - 15. The system of claim 14 wherein the second set of communications generated by the first program relate to at least one of:
    - (a) a second set of variables;
      
      (b) a second set of statements; and
      
      (c) a second execution path which have been removed from the first program and which are influenced by the second set of inputs.
  - 16. The system of claim 13 wherein the second processing site is adapted to halt the execution of the first program by not supplying the corresponding set of first or second communications to the first program.

17. A processing system for executing an original software program, the processing system comprising:
- (a) a first processor located at the first processing site, to execute a first program which corresponds to a first portion of an original software program;
  
  (b) a second processor located at the second processing site which is physically separated from the first processing site, the second processor for executing a second program which corresponds to a second portion of the original software program where the first and second programs combined correspond to the entire original software program;
  
  (c) a communications network coupled between the first and second processing sites and through which said first processor communicates with said second processor; and
  
  means for transmitting information between said first processor and said second processor over said communications network; and
  
  (d) a code extraction processor to receive the original software program and to parse the original software program to provide the first program and the second program.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17 wherein said code extraction processor further comprises:
19. The system of claim 18 wherein said means for selecting a subset of inputs further comprises means for selecting first ones of a plurality of inputs to the original software program which allow the program executing in said processor at the second processing site to maintain control over the first program executing at the processor at the first processing site.

20. A processing system for executing an original software program, the processing system comprising:
- (a) a first processor located at the first processing site, to execute a first program which corresponds to a first portion of an original software program, said first processor having a bus operating at a first bus speed;
  
  (b) a second processor located at the second processing site which is physically separated from the first processing site, the second processor for executing a second program which corresponds to a second portion of the original software program where the first and second programs combined correspond to the entire original software program, said first processor having a bus operating at a second bus speed;
  
  (c) a communications network coupled between the first and second processing sites and through which said first processor communicates with said second processor, said communications network operating at a third speed wherein the third speed is slower than the speed at which the fist and second buses operate; and
  
  (d) means for transmitting information between said first processor and said second processor over said communications network;
  
  wherein communication between the first program and the second program across said communications network is input dependent; and
  
  wherein in response to the first program receiving a first set of inputs, the first program generates a first set of communication across said communication network to the second program and wherein the second program provides a corresponding first set of communications to the first program over the communications network.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The system of claim 20 wherein in response to the first program receiving a second set of inputs, the first program generates a second set of communication and provides the second set of communications to the second program and wherein the second program provides a corresponding second set of communications to the first program over said communications network.
  - 22. The system of claim 21 wherein the first set of communications generated by the first program relate to at least one of:
    - (a) a first set of variables;
      
      (b) a first set of statements; and
      
      (c) a first execution path which have been removed from the first program and which are influenced by the first set of inputs.
  - 23. The system of claim 22 wherein the second set of communications generated by the first program relate to at least one of:
    - (a) a second set of variables;
      
      (b) a second set of statements; and
      
      (c) a second execution path which have been removed from the first program and which are influenced by the second set of inputs.
  - 24. The system of claim 20 wherein the second processing site is adapted to halt the execution of the first program by not supplying one of the corresponding set of first and second communications to the first porgram.

25. A processing for executing an original software program, the processing system comprising:
- (a) a first processor located at the first processing site, to execute a first program which corresponds to a first portion of an original software program, said first processor having a bus operating at a first bus speed;
  
  (b) a second processor located at the second processing site which is physically separated from the first processing site, the second processor for executing a second program which corresponds to a second portion of the original software program where the first and second programs combined correspond to the entire original software program, said first processor having a bus operating at a second bus speed;
  
  (c) a communications network coupled between the first and second processing sites and through which said first processor communicates with said second processor, said communications network operating at a third speed wherein the third speed is slower than the speed at which the fist and second buses operate;
  
  (a) means for transmitting information between said first processor and said second processor over said communications network; and
  
  (e) a code extraction processor to receive the original software program and to parse the original software program to provide the first program and the second program, wherein said code extraction processor further comprises;
  
  means for selecting a subset of inputs of the original software program; and
  
  means for identifying statements of the original software program which are influenced by the inputs selected by said means for selecting.
- View Dependent Claims (26)
- - 26. The system of claim 25 wherein said means for selecting a subset of inputs further comprises means for selecting first ones of a plurality of inputs to the original software program which allow the program executing in said processor at the second processing site to maintain control over the first program executing at the processor at the first processing site.

27. A method for securing an original program that is dependent on one or more inputs, the method comprising the steps of:
- (a) adding an arbitrary input request to the original program;
  
  (b) modifying the original program to operate on new values which are a function of existing program values and values input in response to the arbitrary input request;
  
  (c) identifying one or more new values;
  
  (d) rewriting code of the original program which utilizes identified new values;
  
  (e) removing the implementation code of some or all of the rewritten code;
  
  (f) replacing the removed code by a set of communication calls to a vendor server program; and
  
  (g) inserting program code into the vendor server program such that the vendor server program utilizes the implementation code removed in step (d);
  
  (f) adding a communication interface to the vendor server program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Venice Technologies Incorporated
Original Assignee
Massachusetts Institute of Technology
Inventors
Shavit, Nir N.
Primary Examiner(s)
Iqbal, Nadeem

Application Number

US09/476,557
Time in Patent Office

652 Days
Field of Search

713/200, 713/201, 713/202, 380/4, 380/25, 380/23, 714/4, 714/18, 714/25, 714/37, 714/43, 714/48, 370/241, 370/252, 340/825.34, 340/825.31
US Class Current

726/3
CPC Class Codes

G06F 21/125 by manipulating the program...

Secure software system and related techniques

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Secure software system and related techniques

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links