Validy Technology FAQ

Frequently Asked Questions about Validy® Technology

1. What is Validy Technology?
2. How does VT work?
3. What do you mean by program integrity?
4. Can I extract the whole content of the token?
5. Why not execute the complete program inside the token?
6. Why not simply execute remote procedure calls inside the token?
7. How does VT prevent sniffing?
8. Is the VT token a “dongle”?
9. Is it possible to have VT work across a network?
10. How does VT implement “pay per use”?
11. How does VT scale for programs with large code size?
12. How does VT scale for programs with large data sets?
13. How does VT virtual memory work?
14. Can VT be used with multithreaded programs and with multicore processors?
15. How does VT deal with program updates?
16. What are the programming languages supported by VT?
17. Can other languages be supported?
18. Does VT work better with interpreted languages (Java/C#) or native languages (C/C++)?
19. How much is VT dependent on the operating system and processor?
20. How is the protection applied?
21. How long does it take to protect a program?
22. Why is Validy supplying a token simulator?
23. Can VT be reverse engineered?
24. What about key loading mechanisms?
25. I like the principles but I cannot use the implementation.

1.

What is Validy Technology?

Validy Technology (VT) is a system that protects software against piracy and ensures software integrity. It combines compilation techniques with a small secure hardware device called a token.

2.

How does VT work?

A protected program has a small part of its runtime state (variables, object fields, …) located inside the token, out of the reach of attackers. This hidden state is manipulated inside the token by secure instructions, and a piece of information derived from the hidden state leaves the token only when the computer absolutely needs it to continue execution. Moreover, the token constantly monitors program integrity and stops working if it detects an attack.

3.

What do you mean by program integrity?

Attackers can modify a program so that it behaves differently from what was intended. Viruses are the best-publicized example of such modifications, but a targeted attack against a specific program can be even more damaging, since it can precisely hijack valuable information or disrupt an important IT system without its users noticing. VT helps reduce this risk by making it very difficult to modify a program stealthily.

4.

Can I extract the whole content of the token?

No. A token is a secure chip specially designed to keep data secret and to execute programs securely. A token only outputs information during normal program execution; there is no other way to get at its internal data. An attacker cannot expect to “dump” the content of the token by piecing together several “output” orders: the token will notice that the integrity of the program has been compromised and will stop responding. Where security constraints are especially severe, it can even erase its internal data and effectively “self-destruct”.

5.

Why not execute the complete program inside the token?

A token is optimized for security, not for speed. For the great majority of programs a token is too slow and has too little memory. With VT, only a small fraction of the program executes inside the token, but this small fraction is essential to determine the correct outcome of the program.

6.

Why not simply execute remote procedure calls inside the token?

By sniffing the traffic and studying the arguments and results of a procedure, an attacker can often learn a great deal about its internal behavior and then bypass the token by simulating it, or in some cases simply by “replaying” previously recorded request/response pairs.

7.

How does VT prevent sniffing?

VT doesn't prevent sniffing; the VT runtime even has a tracing facility that displays the traffic between the computer and the VT token. But VT ensures that communications cannot be “replayed” and that they convey as little information as possible about the token's internal processing. For instance, if a function is executed inside the token and its arguments are already inside the token, it is very difficult for an attacker even to detect that this function is executed.

8.

Is the VT token a “dongle”?

Yes. The VT token is “an electronic device that must be attached to a computer in order for it to use protected software”, which is the definition of a “dongle”. But its principles of operation are very different from those of a standard “dongle”.

9.

Is it possible to have VT work across a network?

No. The latency is too high. Moreover, a token holds the runtime data of only one active program, so a networked “server token” could serve only one program at a time.

10.

How does VT implement “pay per use”?

The token contains counters that limit usage. Total program usage time or specific program features can be limited, which makes “pay per use” licenses possible.

11.

How does VT scale for programs with large code size?

The VT token behaves as an instruction-level slave coprocessor; its basic principles of operation are similar to those of a floating-point coprocessor. Consequently the token does not embed “pieces of the program” but only “the means to decode and execute instructions”, so its behavior and performance are largely independent of program code size.

12.

How does VT scale for programs with large data sets?

Like most coprocessors, the token has instructions to:

  • load data from memory to registers,

  • execute arithmetic and logic operations between registers,

  • store data from registers to memory.

This allows VT to support high-level languages efficiently. But unlike other coprocessors, which communicate directly with the program's main memory, the token's memory space has to reside inside the token in order to hide information effectively. Consequently VT is sensitive to the size of the protected data set, but this is not a “hard limit”, since the token implements a virtual memory mechanism.

13.

How does VT virtual memory work?

The token implements an almost standard “demand paging” mechanism between the token memory and secondary storage. Before a page is moved to secondary storage, it is encrypted and authenticated with the token's high-speed cryptographic accelerator. The secondary storage can be either standard, non-secured static RAM attached to the coprocessor or the program's main memory. When a page is retrieved, it is checked for tampering and then decrypted before being used.
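The instruction-record integrity described in questions 4 and 7 and the demand paging of question 13 can be modelled together. The following is an added example written for this page, not Validy's code: it assumes a toy five-instruction coprocessor, an HMAC-based encrypt-then-MAC standing in for the chip's cipher, a per-page version counter kept inside the token so that a stale but correctly authenticated page is rejected, and a constructed program and key. Instruction records are sealed under the address they belong to, so a record replayed at another address (the “piecing together output orders” attack of question 4) fails to verify and the token locks and erases its state; pages are sealed under their id and current version before they leave the token, and checked against that version when they come back.

```python
# Added example (not Validy's code): a toy VT-style token with hidden registers, instruction
# records sealed under their own address, a lock on any integrity failure, and demand paging.
import hmac, hashlib, struct

TAG = 16
LDI, ADD, ST, LD, OUT = range(5)   # assumed toy instruction set

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:TAG]

def seal(key, nonce, data):
    """Encrypt-then-MAC with a one-block HMAC keystream (payloads here are <= 32 bytes); the
    nonce is bound into the tag, so a blob verifies only under the nonce it was sealed with."""
    ct = bytes(a ^ b for a, b in zip(data, hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()))
    return ct + _tag(key, nonce, ct)

def unseal(key, nonce, blob):
    """Plaintext, or None when the tag does not verify under this nonce."""
    ct, tag = blob[:-TAG], blob[-TAG:]
    if len(tag) != TAG or not hmac.compare_digest(tag, _tag(key, nonce, ct)): return None
    return bytes(a ^ b for a, b in zip(ct, hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()))

def protect(key, program):
    """Post-compilation step: seal each (op, ra, rb, imm) under the address it sits at."""
    return [seal(key, struct.pack(">H", a), struct.pack(">BBBI", *ins)) for a, ins in enumerate(program)]

class Token:
    def __init__(self, key, resident_pages=1):
        self.key, self.locked, self.pc, self.regs = key, False, 0, [0] * 4   # regs: hidden state
        self.resident, self.versions = {}, {}   # resident pages and per-page version counters, inside the token
        self.host_ram, self.max_resident = {}, resident_pages   # sealed pages live on the untrusted host
    def _lock(self, why):
        self.locked, self.regs, self.resident, self.versions = True, [0] * 4, {}, {}   # erase and stop
        raise RuntimeError("token locked: " + why)
    def _evict(self, pid):
        self.versions[pid] = self.versions.get(pid, 0) + 1   # fresh version on every page-out
        nonce = struct.pack(">HI", pid, self.versions[pid])
        self.host_ram[pid] = seal(self.key, nonce, struct.pack(">4I", *self.resident.pop(pid)))
    def _page(self, pid):
        if pid not in self.resident:
            if pid in self.versions:   # page is out on the host: it must verify under the version we expect
                data = unseal(self.key, struct.pack(">HI", pid, self.versions[pid]), self.host_ram.get(pid, b""))
                if data is None: self._lock("paged memory tampered or rolled back")
                self.resident[pid] = list(struct.unpack(">4I", data))
            else:
                self.resident[pid] = [0] * 4
            while len(self.resident) > self.max_resident:
                self._evict(next(p for p in self.resident if p != pid))
        return self.resident[pid]
    def step(self, record):
        if self.locked: raise RuntimeError("token locked")
        plain = unseal(self.key, struct.pack(">H", self.pc), record)
        if plain is None: self._lock("record not valid at address %d" % self.pc)   # modified or replayed
        op, ra, rb, imm = struct.unpack(">BBBI", plain)
        r, out = self.regs, None
        if op == LDI: r[ra] = imm
        elif op == ADD: r[ra] = (r[ra] + r[rb]) & 0xFFFFFFFF
        elif op == ST: self._page(imm // 4)[imm % 4] = r[ra]
        elif op == LD: r[ra] = self._page(imm // 4)[imm % 4]
        elif op == OUT: out = r[ra]   # the only way a value leaves the token
        self.pc += 1
        return out

def run(token, records):
    """Host side: feed the opaque records in order; returns the outputs, or the reason the token locked."""
    try:
        return [o for o in (token.step(rec) for rec in records) if o is not None]
    except RuntimeError as e:
        return str(e)

# Constructed sample program: a hidden constant mixed with a runtime value, touching two pages
PROGRAM = [
    (LDI, 0, 0, 0xC0DE),  # 0: r0 = secret constant, never leaves the token
    (LDI, 1, 0, 42),      # 1: r1 = runtime value
    (ST, 0, 0, 0),        # 2: mem[0] = r0      page 0 resident
    (ST, 1, 0, 4),        # 3: mem[4] = r1      page 1 in, page 0 sealed out as v1
    (LD, 2, 0, 0),        # 4: r2 = mem[0]      page 0 verified and back in
    (ST, 1, 0, 1),        # 5: mem[1] = r1      page 0 modified
    (LD, 3, 0, 4),        # 6: r3 = mem[4]      page 0 sealed out again as v2
    (LD, 3, 0, 1),        # 7: r3 = mem[1]      page 0 must come back as v2
    (ADD, 2, 3, 0),       # 8: r2 += r3
    (OUT, 2, 0, 0),       # 9: output r2 = 0xC0DE + 42
]
KEY = b"key-loaded-at-token-customisation"   # constructed

def normal_run(key=KEY): return run(Token(key), protect(key, PROGRAM))   # [49416]

def attack_dump_by_replay(key=KEY):
    """Replay the OUT record right after the secret is loaded, hoping to read r0."""
    recs = protect(key, PROGRAM)
    return run(Token(key), [recs[0], recs[9]])

def attack_page_rollback(key=KEY):
    """Swap a stale sealed copy of page 0 back into host RAM before it is paged in again."""
    recs, t = protect(key, PROGRAM), Token(key)
    run(t, recs[:4])          # page 0 sealed out as v1
    stale = t.host_ram[0]
    run(t, recs[4:7])         # page 0 modified and sealed out again as v2
    t.host_ram[0] = stale
    return run(t, recs[7:])
```

normal_run() returns [49416] (0xC0DE + 42), while attack_dump_by_replay() and attack_page_rollback() return the lock reason instead of an output. The version counter is the caveat a practitioner would raise on question 13: a tag proves a page was written by the token, not that it is the latest copy, so something inside the token must remember which version it expects; the page does not say how the real token does this, and the counter table here is an assumption.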

14.

Can VT be used with multithreaded programs and with multicore processors?

Yes. The communication between the host computer and the token carries thread information, and the token maintains thread-specific registers and stacks.

15.

How does VT deal with program updates?

Easily. When a token is customized, the only program-specific piece of information loaded into it is the cryptographic key used to decrypt the coprocessor instructions. All programs protected with the matching encryption key work equally well with that token. For instance, a software publisher can protect all minor versions of a program with the same key but change the key for major versions, when customers are required to buy a new or upgraded license/token. All software versions can be made freely available for download, but none can be used without the token.

16.

What are the programming languages supported by VT?

VT currently supports Java™ programs.

17.

Can other languages be supported?

Other languages, especially C/C++ and C#, will be supported in future versions.

18.

Does VT work better with interpreted languages (Java/C#) or native languages (C/C++)?

VT works equally well for both.

19.

How much is VT dependent on the operating system and processor?

Java VT is implemented as a coprocessor of the Java virtual machine. As such it works with any processor and any system or device that embeds a Java virtual machine and can communicate with the token through a USB CCID driver. We have tested it on several flavors of Windows and Linux. The C/C++ implementation will need some adjustment to the target system and processor.

20.

How is the protection applied?

During post-compilation, code transformations are applied and object code is generated for the target processor (or virtual machine) augmented by the coprocessor.

For Java, the transformations are applied as a “translation” step that converts the bytecode into new bytecode requiring both the Java virtual machine and the token to run.

For C/C++, modern compilers allow third-party vendors to add specific code transformations and to modify the target processor description.

21.

How long does it take to protect a program?

The programmer must first identify the variables to protect. If this is done during the design phase the time spent is almost negligible; if it is retrofitted to an existing program it is a matter of minutes for small programs and a matter of days for very large ones. The program can then be built in either unprotected or protected mode. Unprotected builds are completely standard and allow everything except the protection to be debugged and tested. Protected builds add the modified compilation (or translation) and allow the program to be debugged and tested with the protection in place; in this case the build process is slowed down by roughly a factor of 2.

22.

Why is Validy supplying a token simulator?

Validy supplies a token simulator with the evaluation kit so that customers can test the protection themselves and thoroughly understand how it works. The simulator does not provide any effective protection, since, unlike a token, any skilled programmer can easily attack it. Apart from this attack on the token itself, most aspects of the protection can be studied with the simulator.

23.

Can VT be reverse engineered?

The security of VT is not based on the secrecy of its principles or implementation, but only on the token's ability to keep small amounts of data and computation secret. Validy uses secure chips from established silicon vendors so that the token is extremely difficult to pry into. Modern secure chips are protected against the latest physical and logical attacks, such as side-channel attacks or fault injection, and more countermeasures are added with each new generation of chips.

Validy intends to work with independent certification agencies to have the complete solution certified. Security-conscious customers are also welcome to audit the solution.

24.

What about key loading mechanisms?

The current VT version focuses mainly on the protection functionality and includes only a simple key loading system, adequate for software publishers who customize tokens before shipping them. Future versions will implement more flexible key management and distribution systems, using standard public-key protocols.

25.

I like the principles but I cannot use the implementation.

That is fine. Validy is willing to grant licenses and to let a customer engineer its own implementation, and will gladly help if asked. In that case the current implementation can be viewed as a pilot implementation. Validy even expects this business model to be the norm for large corporations.