This patent application is assigned to Irdeto B.v.
The following quote was obtained by the news editors from the background information supplied by the inventors: "In the software industry, it is often desirable to limit access to a given software application for reasons that may include preventing unauthorized use (e.g., unlicensed pirating) or unauthorized manipulation (e.g., hacking). One known solution to unauthorized use of software is to bind any given software application to a specific computer or device. In this manner, the software application may then only be executed on the respective licensed device. This binding of the software application to a specific device is commonly known as node-locking or alternatively referred to as hardware-software anchoring.
"The traditional approach to node-locking has been to take a unique identifier (ID) from a piece of hardware and make the software application dependent on the given ID. The number and characteristics of these unique IDs vary greatly from platform to platform. Some common hardware identifiers include: the Media Access Control (MAC) address, the Hard-Disk Drive Identifier (HDD ID), and a Serial Number (SN). Additional node-locking identifiers can include Basic Input/Output System (BIOS) values, hash values computed by a driver hash function, device IDs, or any similar identifier unique to a given hardware device or element. In the traditional approach to node-locking, anchoring a piece of software (i.e. the application) to a particular node is a matter of creating a dependency from the unique ID to the functioning of the software. In some systems, this may be a set of mathematical operations that derive a key from a unique ID. In other systems, an algorithm may be devised that requires a subset of unique IDs to be valid while allowing all others to be incorrect. The latter allows for variation in the hardware itself--for example, a network interface card may be removed from a computer.
"In a white-box attack context, the attacker has full knowledge of the system being attacked and therefore full control over the execution of the software. The attacking intruder may or may not be a legitimate user of the software, though the execution of the software is assumed to proceed normally. There are many difficulties with the security of the traditional approach to node-locking in a white-box attack scenario. The hardware IDs must typically be read during execution, and this characteristic therefore makes them easy to replicate. A variety of these types of white-box attacks follow.
"In one scenario, at the point where the software application calls the Application Programming Interface (API) which queries the unique ID of the device, an attacker may replace this call with a hard-coded value. This may be a function that the attacker replaces in the software application code itself, or it could simply be the data area where the software application is expecting to obtain the ID. If the attacker can mount this attack, he can replace the unique ID with any chosen value, thereby rendering the node-locking protection ineffective. Further, a typical extension of hard-coding attacks is the creation of an exploit. As an attacker learns where to hard-code an important value, he also becomes enabled in creating an automatic program (i.e., exploit) to modify, and hence, replicate the software application on any device. This automation removes the need for the attacker to distribute and publish his knowledge about how to mount the attack because the exploit does this job for him.
"A second common attack scenario on unique IDs is emulation. Virtual machines (such as VMware.TM. available from
"A third common attack on unique IDs is a simple re-implementation of a system or sub-system that performs the node-locked actions with the node-locking protections removed. Following a simple observation of the unique IDs that are in use for the system under attack, an attacker may typically re-implement the parts that use the unique ID in assembly code, C programming, or the like.
"It is, therefore, desirable to provide a system and method for overcoming problems associated with the traditional approach to node-locking."
In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventors' summary information for this patent application: "It is an object of the present invention to obviate or mitigate at least one disadvantage of previous approaches to node-locking.
"The present invention described herein below solves the aforementioned problem by securely binding an arbitrary program to an authorized instance of a generic execution platform. Once the binding process occurs, the protected software application will not exhibit correct behavior unless it is run on the execution platform to which it is bound. This holds true even in the presence of many attacks which tamper with the software application and the execution platform. In accordance with the embodiments of the present invention, the attacker is assumed to have full white-box access to the specification of the execution platform, and has full white-box control over the execution of the software application. In general, the inventive system and method presents a mechanism to bind a program, P, to any un-trusted execution platform, E, which contains a
"In a first aspect, the present invention provides a system for secure operation of a software application, the system including: a source of entropy for generation of a secret value; a provisioning mechanism for binding the secret value to one or more portions of the software application so as to form a protected program; and a trusted signing authority in communication with the provisioning mechanism, the provisioning mechanism further binding the secret value to the trusted signing authority; wherein the trusted signing authority in conjunction with the secret value provides verification of the protected program.
"In a further aspect, the present invention provides a method for secure operation of a software application, the method including: generating a secret value from a source of entropy; binding, via a provisioning mechanism, the secret value to one or more portions of the software application so as to form a protected program; communicating the secret value to a trusted signing authority; and verifying the protected program by way of the trusted signing authority in conjunction with the secret value.
"Other aspects and features of the present invention will become apparent to those ordinarily skilled in the art upon review of the following description of specific embodiments of the invention in conjunction with the accompanying figures.
BRIEF DESCRIPTION OF THE DRAWINGS
"Embodiments of the present invention will now be described, by way of example only, with reference to the attached Figures.
"FIGS. 1A and 1B illustrate the general flow processes in accordance with the present invention.
"FIG. 2 is a flow diagram in accordance with a first embodiment of the present invention executed on an untrusted platform.
"FIG. 3 is a flow diagram in accordance with a second embodiment of the present invention based upon MAC algorithms.
"FIG. 4 is a further implementation of the present invention illustrating binding of a protected program to a software module stack.
"FIG. 5 is another implementation of the present invention illustrating binding of a protected program over a network.
"FIG. 6 is still another implementation of the present invention illustrating binding of protected program sub-modules over a cloud-based environment."
URL and more information on this patent application, see: Bodis,
Keywords for this news article include: Software, Irdeto B.v..
Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC
Most Popular Stories
- Koch Brothers Step up Anti-Obamacare Campaign
- Obama Administration Releases Proposal to Regulate For-Profit Colleges
- Elizabeth Vargas' Husband Marc Cohn Addresses Rumors
- Quiznos Files for Chapter 11
- Keurig Adds Peet's coffee, Alters Starbucks deal
- U.S. to Relinquish Gov't Control Over Internet
- FDIC Sues Big Banks Over Rate Manipulation
- U.S. Consumer Sentiment Falls in Early March
- Vybz Kartel Convicted of Murder
- SoCalGas Reaches Record Spend on Diversity Suppliers