Validy SoftNaos for Java is a software protection product targeted at software publishers who develop Java applications. It prevents software piracy and ensures software integrity by combining software transformation with a piece of secure hardware.
At runtime, the token becomes an extension of the main processor: it contains a subset of the application's state and executes the parts of the application that use or modify this state. The token is a slave co-processor, receiving a flow of encrypted instructions and exchanging data with the main processor through the USB interface.
The only link between a protected application and the token is a cryptographic key. The post-compiler enciphers instructions using a secret key at protection time and the token deciphers them at runtime using the same key. Protecting a new application or updating an existing application after the tokens have been distributed to clients is simple: just use the same key when running the post-compiler.
Because a small but essential part of the application is executed out of reach, the protection departs radically from software-only solutions or common "dongles". Attackers cannot simply look for and remove "locks". They must understand and re-implement the hidden part. Software piracy becomes much more difficult and costly.
Data and instructions are not the only hidden things. By associating an identifier or "tag" with each instruction that defines a value and a list of expected tags with each use of a value, assertions about the normal control flow of the application can be embedded in the ciphered instructions. Because it verifies these assertions at runtime, the token can detect and thwart most attacks that alter the flow of instructions coming from the main processor.
The tag mechanism is easy to implement and runs fast because it involves only simple operations. It is, however, extremely powerful because additional instructions can be tied to the original ones using tags. With these extra instructions, a network of opaque and irremovable checks of the application's state and invariants can be woven through the code. The difficulty of modifying the application stealthily makes this a very effective method of protecting the integrity of the software.
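A toy model of the tag check described in the two paragraphs above, added here as an illustration and not Validy's code: instruction encryption is left out, and the opcodes, slot names and tag numbers are assumptions. It shows a use accepting two possible definitions (loop entry or a previous iteration) and the token rejecting a stream whose instructions were skipped or reordered.

```python
class TagViolation(Exception):
    """A value was defined by an instruction the current use does not expect."""

class ToyToken:
    """Hypothetical stand-in for the token: holds hidden state plus defining tags."""
    def __init__(self):
        self.slots = {}  # slot name -> (value, tag of the defining instruction)

    def _use(self, slot, expected):
        value, tag = self.slots.get(slot, (None, None))
        if tag not in expected:
            raise TagViolation(f"{slot}: defined by tag {tag}, expected {sorted(expected)}")
        return value

    def execute(self, op, dest=None, tag=None, uses=(), imm=None):
        # Check every use against its list of expected tags before doing any work.
        args = [self._use(slot, expected) for slot, expected in uses]
        if op == "load":
            result = imm
        elif op == "inc":
            result = args[0] + 1
        elif op == "out":
            return args[0]  # value handed back to the main processor
        else:
            raise ValueError(f"unknown op {op}")
        self.slots[dest] = (result, tag)  # every definition stamps its own tag
        return None

# Constructed three-instruction program: a counter driven by a host-side loop.
INIT = dict(op="load", dest="count", tag=10, imm=0)
STEP = dict(op="inc", dest="count", tag=11, uses=[("count", {10, 11})])
READ = dict(op="out", uses=[("count", {11})])  # only valid after the loop body ran

def run(stream):
    """Feed an instruction stream to a fresh token; return the last result."""
    token, result = ToyToken(), None
    for instr in stream:
        result = token.execute(**instr)
    return result

def is_detected(stream):
    """True if the token refuses the stream because a tag assertion failed."""
    try:
        run(stream)
        return False
    except TagViolation:
        return True
```

These toy tag sets only constrain which instruction last defined a value; checking application invariants is the job of the additional tied instructions the text mentions.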
Like other modern cryptographic algorithms and protocols, Validy SoftNaos does not rely on keeping the way it works a secret. The technology is described in patents, and security-conscious customers can audit the implementation or even build their own.
To allow for an easy and free evaluation, we provide an evaluation version of Validy SoftNaos for Java, with the same post-compiler but a software simulation of the token. With this fully functional simulator, most aspects of the protection can be studied. To go further, you can contact us to order a hardware evaluation kit.