What is Validy Technology?
Validy Technology (VT) is a system that protects
software against piracy and ensures software integrity. It combines
software compilation techniques with a small secure hardware device
called a token.
How does VT work?
A protected program has a small part of its runtime state
(variables, object fields, …) located inside the token, out of the
reach of attackers. This hidden state is manipulated inside the token
by secure instructions, and a piece of information derived from it is
output from the token only when the computer absolutely needs it to
continue execution. Moreover, the token constantly monitors program
integrity and stops working if it detects
What do you mean by program integrity?
Attackers can modify a program to make it behave differently
from what was intended. Viruses are the best-publicized such
modifications, but a targeted attack against a specific program can be
even more damaging, since it can precisely hijack valuable information
or disrupt an important IT system unbeknownst to its users.
VT helps reduce this risk by making it very
difficult to modify a program stealthily.
Can I extract the whole content of the token?
No. A token is a secure chip specially designed to keep data
secret and to execute programs securely. A token only outputs
information during normal program execution; there is no other way to
get at its internal data. An attacker cannot expect to “dump”
the content of the token by piecing together several
“output” orders: the token will notice that the integrity
of the program has been compromised and will stop responding. In cases
where security constraints are especially severe, it can even erase its
internal data and effectively “self-destruct”.
Why not execute the complete program inside the token?
A token is optimized for security, not for speed. For the great
majority of programs a token is too slow and does not have enough
memory. With VT, only a small fraction of the
program executes inside the token, but this small fraction is essential
to determining the correct outcome of the program.
Why not simply execute remote procedure calls inside the
By sniffing the traffic and studying the arguments and results
of a procedure, an attacker can often learn a great deal about its
internal behavior and then bypass the token by simulating it, or even,
in some cases, by just “replaying” previously recorded
How does VT prevent sniffing?
VT doesn't prevent sniffing; the
VT runtime even has a tracing facility to easily
display the traffic between the computer and the VT
token! But VT ensures that communications cannot be
“replayed” and that they convey as little information as
possible about the token's internal processing. For instance, if a
function is executed inside the token and its arguments are already
inside the token, it is very difficult for an attacker even to detect
that the function is executed.
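The two answers above describe the attack (record the traffic, then simulate or replay the token) and the property that defeats it (exchanges that cannot be replayed). The Python model below is added here as an illustration; it is not Validy's protocol or code. It binds every request and reply to a per-session nonce, a sequence number and a direction under a MAC, so a request re-sent out of order locks the token and a reply recorded in one session fails the host's check in the next. The pre-shared key (standing in for a negotiated session key), the two opcodes and the state-mixing function are assumptions of the example.

```python
"""Host/token exchange with anti-replay binding.

Constructed model, not Validy's protocol: every message is tagged under a
key with the session nonce, a sequence number and its direction, so a
message captured in one session, or re-sent out of order within the same
session, fails authentication.  The pre-shared key is an assumption that
stands in for whatever session key a real deployment would negotiate.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 16
OP_MIX, OP_OUT = 1, 2          # constructed opcodes


def _tag(key, nonce, seq, direction, body):
    msg = nonce + struct.pack(">I", seq) + direction + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Token:
    """Holds hidden state and answers only fresh, in-order, authentic requests."""

    def __init__(self, key, hidden_state):
        self.key = key
        self.hidden = hidden_state      # never leaves the chip
        self.nonce = b""
        self.expected_seq = 0
        self.locked = False

    def open_session(self):
        self.nonce = os.urandom(16)     # fresh per session: old traffic is worthless
        self.expected_seq = 0
        return self.nonce

    def handle(self, seq, body, tag):
        """Return (reply, reply_tag), or None once the token has locked."""
        if self.locked:
            return None
        good = hmac.compare_digest(tag, _tag(self.key, self.nonce, seq, b"req", body))
        if seq != self.expected_seq or not good:
            self.locked = True          # stale or forged traffic: stop responding
            return None
        self.expected_seq += 1
        op, arg = body[0], struct.unpack(">I", body[1:5])[0]
        if op == OP_MIX:                # fold a host value into the hidden state
            self.hidden = (self.hidden * 0x9E3779B1 + arg) & 0xFFFFFFFF
            reply = b""
        else:                           # release only a value derived from the state
            reply = hashlib.sha256(struct.pack(">I", self.hidden)).digest()[:4]
        return reply, _tag(self.key, self.nonce, seq, b"rep", reply)


class Host:
    """The protected program's end of the channel; `log` is what a sniffer sees."""

    def __init__(self, key, token):
        self.key, self.token = key, token
        self.nonce = token.open_session()
        self.seq = 0
        self.log = []

    def call(self, op, arg=0):
        body = bytes([op]) + struct.pack(">I", arg)
        tag = _tag(self.key, self.nonce, self.seq, b"req", body)
        answer = self.token.handle(self.seq, body, tag)
        self.log.append((self.seq, body, tag, answer))
        if answer is None:
            raise RuntimeError("token stopped responding")
        reply, rtag = answer
        if not hmac.compare_digest(rtag, _tag(self.key, self.nonce, self.seq, b"rep", reply)):
            raise RuntimeError("reply is not authentic for this session")
        self.seq += 1
        return reply


def _session():
    key = os.urandom(32)                # constructed stand-in for a session key
    host = Host(key, Token(key, hidden_state=0x1234))
    host.call(OP_MIX, 7)
    return key, host, host.call(OP_OUT)


def honest_output_len():
    return len(_session()[2])


def replayed_request_locks_token():
    """Re-send the captured OUT request (seq 1) after it was already consumed."""
    _, host, _ = _session()
    seq, body, tag, _ = host.log[1]
    return host.token.handle(seq, body, tag) is None and host.token.locked


def replayed_reply_fails_check():
    """Feed a reply recorded in one session to a host running a new session."""
    key, host, _ = _session()
    old_reply, old_tag = host.log[1][3]
    fresh = Host(key, Token(key, hidden_state=0x1234))
    fresh.call(OP_MIX, 7)               # same state as before, so the same reply body
    expected = _tag(key, fresh.nonce, fresh.seq, b"rep", old_reply)
    return not hmac.compare_digest(old_tag, expected)
```

Note that in the second session the token would compute exactly the same reply body; it is the nonce in the tag, not the body, that makes the recording worthless. Binding the channel this way stops a recording from being fed back to an unmodified program; it does not on its own stop an attacker who patches the host program to skip the reply check, which is why the page pairs it with hidden state the attacker cannot recompute and with integrity monitoring.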
Is VT token a “dongle”?
Yes. The VT token is “an electronic
device that must be attached to a computer in order for it to use
protected software”, which is the definition of a
“dongle”. But its principles of operation are very
different from those of a standard “dongle”.
Is it possible to have VT work across a
No. The latency is too high. Moreover, a token holds runtime data
for only one active program, so a networked “server
token” could only serve one program at a time.
How does VT implement “pay per
The token contains counters to limit usage. Global program usage
time can be limited, or specific program features can be limited,
making it possible to implement “pay per use”
How does VT scale for programs with large
The VT token behaves as an instruction-level
slave coprocessor. Its basic principles of operation are similar to
those of a floating-point coprocessor, for instance. Consequently the
token doesn't embed “pieces of the program” but only
“means to decode and execute instructions”, so its
behavior and performance are largely independent of program code
How does VT scale for programs with large
Like most coprocessors, the token has instructions to:
load data from memory to registers,
execute arithmetic and logic operations between
store data from registers to memory.
This allows VT to support high-level
languages efficiently. But unlike other coprocessors, which directly
access the program’s main memory, the token's memory space has to
reside inside the token in order to effectively hide information.
Consequently VT is sensitive to the size of the
protected data set, but this is not a “hard limit” since
the token implements a virtual memory
How does VT virtual memory work?
The token implements an almost standard “demand
paging” mechanism between the token memory and secondary
storage. Before a page is moved to secondary storage, it is
encrypted and authenticated with the token's high-speed cryptographic
accelerator. The secondary storage can be either some standard,
non-secure static RAM attached to the coprocessor or the
program’s main memory. When a page is retrieved, it is checked for
tampering and then decrypted before being used.
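As an added worked example of the page-out/page-in check described above (illustrative Python, not Validy's implementation): the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, standing in for the token's hardware accelerator; the page size, frame count, keys and LRU policy are assumptions; and the token keeps a per-page version number so that an attacker who restores an older, validly sealed copy of a page is caught as well as one who modifies it.

```python
"""Demand paging out of the token with encrypted, authenticated pages.

Constructed model of the mechanism described above, not Validy's code.
A page evicted from the token is sealed with encrypt-then-MAC (HMAC-SHA256
in counter mode plus an HMAC tag, standing in for the accelerator's
cipher), and the token remembers the version of each page it wrote out,
so a copy that was modified, relocated or rolled back is refused.
"""
import hashlib
import hmac
import struct

PAGE_SIZE = 64          # assumption
TAG_LEN = 16
NONCE_LEN = 8           # page number || version, both 32-bit


class TamperedPage(Exception):
    pass


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Pager:
    """`resident` and `versions` live inside the token; `untrusted` stands for
    host memory or external RAM that an attacker can read and rewrite."""

    def __init__(self, enc_key, mac_key, frames=2):
        self.enc_key, self.mac_key, self.frames = enc_key, mac_key, frames
        self.resident = {}      # page_no -> bytearray (plaintext, token-internal)
        self.versions = {}      # page_no -> version of the last copy written out
        self.lru = []           # page numbers, least recently used first
        self.untrusted = {}     # page_no -> nonce || ciphertext || tag

    def _seal(self, page_no, data):
        version = self.versions.get(page_no, 0) + 1
        self.versions[page_no] = version
        nonce = struct.pack(">II", page_no, version)    # unique per (page, version)
        ct = _xor(data, _keystream(self.enc_key, nonce, len(data)))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        return nonce + ct + tag

    def _open(self, page_no, blob):
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):          # check before decrypt
            raise TamperedPage("page %d: authentication failed" % page_no)
        pno, version = struct.unpack(">II", nonce)
        if pno != page_no or version != self.versions.get(page_no):
            raise TamperedPage("page %d: relocated or rolled-back copy" % page_no)
        return bytearray(_xor(ct, _keystream(self.enc_key, nonce, len(ct))))

    def _frame(self, page_no):
        if page_no in self.resident:
            self.lru.remove(page_no)
            self.lru.append(page_no)
            return self.resident[page_no]
        if len(self.resident) >= self.frames:               # page out the LRU victim
            victim = self.lru.pop(0)
            self.untrusted[victim] = self._seal(victim, bytes(self.resident.pop(victim)))
        if page_no in self.untrusted:                       # page in after the check
            page = self._open(page_no, self.untrusted[page_no])
        else:
            page = bytearray(PAGE_SIZE)                     # never written out yet
        self.resident[page_no] = page
        self.lru.append(page_no)
        return page

    def read(self, addr):
        return self._frame(addr // PAGE_SIZE)[addr % PAGE_SIZE]

    def write(self, addr, value):
        self._frame(addr // PAGE_SIZE)[addr % PAGE_SIZE] = value & 0xFF


def _filled_pager():
    p = Pager(enc_key=b"\x01" * 32, mac_key=b"\x02" * 32)   # constructed keys
    p.write(5, 0xAB)                # page 0
    p.write(PAGE_SIZE, 0x01)        # page 1
    p.write(2 * PAGE_SIZE, 0x02)    # page 2: evicts page 0, sealed as version 1
    return p


def roundtrip():
    return _filled_pager().read(5)  # page 0 is checked, decrypted and faulted back in


def bit_flip_detected():
    p = _filled_pager()
    blob = bytearray(p.untrusted[0])
    blob[NONCE_LEN + 5] ^= 0x80     # attacker flips a ciphertext bit
    p.untrusted[0] = bytes(blob)
    try:
        p.read(5)
    except TamperedPage:
        return True
    return False


def rollback_detected():
    p = _filled_pager()
    old = p.untrusted[0]            # attacker records version 1 of page 0
    p.write(5, 0xCD)                # page 0 comes back in and is changed
    p.write(PAGE_SIZE, 0x01)
    p.write(2 * PAGE_SIZE, 0x02)    # page 0 goes out again as version 2
    p.untrusted[0] = old            # attacker restores the older sealed copy
    try:
        p.read(5)
    except TamperedPage:
        return True
    return False
```

A MAC alone authenticates the bytes, not their freshness: without the version table, an attacker with access to the secondary storage could swap in any earlier page the token itself sealed. Keeping that table inside the token is what makes the tampering check complete.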
Can VT be used with multithread programs and
with multicore processors?
Yes. The communication between the main computer and the token
embeds thread information, and the token maintains thread specific
registers and stacks.
How does VT deal with program updates?
Easily. When a token is customized, the only specific piece of
information loaded inside it is a cryptographic key to decrypt the
coprocessor instructions. All the programs protected using the
matching encryption key will work equally well with the token. For
instance, a software publisher can protect all minor versions of a
program with the same key but change the key for major versions, when
the customer is required to buy a new or upgraded license/token. All
the software versions can be freely available for download but cannot
be used without the token.
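The answers on the coprocessor model, the usage counters and program updates fit together in one small simulator. The Python below is an added example, not Validy's instruction set, file format or simulator: a build step packs (op, a, b) triples and encrypts and authenticates them under a publisher key for one major version; a token customized with that key decrypts and executes them on registers and memory hidden from the host; only OUT releases a value; and a usage quota makes OUT fail once the paid-for count is spent. The opcodes, the 16-bit word size, the nonce, the keys and the sample challenge-response program are assumptions.

```python
"""Instruction-level token coprocessor with key-bound programs and a usage quota.

Constructed model, not Validy's instruction set or file format.  The build
step packs coprocessor instructions and encrypts and authenticates them
under the publisher's key for a major version; a token customized with that
key decrypts and runs them on registers and memory that stay inside the
token, and the host sees only what an OUT instruction releases.
"""
import hashlib
import hmac
import struct

LOAD, FETCH, STORE, ADD, XOR, MUL, OUT = range(7)   # constructed opcodes
NONCE_LEN, TAG_LEN = 8, 16


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def build(key, program):
    """Publisher side: encode (op, a, b) triples, then encrypt-then-MAC them."""
    plain = b"".join(struct.pack(">BBH", op, a, b) for op, a, b in program)
    nonce = b"vtprog01"                     # constructed per-program nonce
    ct = bytes(x ^ y for x, y in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


class TokenSim:
    """Four 16-bit registers and a small memory, all hidden from the host."""

    def __init__(self, key, secret_mem, quota):
        self.key, self.quota = key, quota   # quota: OUTs the licence has paid for
        self.regs = [0] * 4
        self.mem = dict(secret_mem)
        self.code = []

    def load_program(self, blob):
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("program was not built for this token's key")
        plain = bytes(x ^ y for x, y in zip(ct, _keystream(self.key, nonce, len(ct))))
        self.code = [struct.unpack(">BBH", plain[i:i + 4]) for i in range(0, len(plain), 4)]

    def run(self, host_values):
        """Execute the loaded program; LOAD consumes host_values in order."""
        values, outputs = iter(host_values), []
        for op, a, b in self.code:
            if op == LOAD:                              # value from host memory
                self.regs[a] = next(values) & 0xFFFF
            elif op == FETCH:                           # hidden memory -> register
                self.regs[a] = self.mem.get(b, 0)
            elif op == STORE:                           # register -> hidden memory
                self.mem[b] = self.regs[a]
            elif op == ADD:
                self.regs[a] = (self.regs[a] + self.regs[b]) & 0xFFFF
            elif op == XOR:
                self.regs[a] ^= self.regs[b]
            elif op == MUL:
                self.regs[a] = (self.regs[a] * self.regs[b]) & 0xFFFF
            elif op == OUT:                             # the only way data leaves
                if self.quota <= 0:
                    raise RuntimeError("usage quota exhausted")
                self.quota -= 1
                outputs.append(self.regs[a])
            else:
                raise ValueError("bad opcode %d" % op)
        return outputs


# Constructed challenge-response: out = ((challenge ^ serial) * serial) mod 2^16,
# with the serial number never leaving the token.
PROGRAM = [
    (FETCH, 0, 0),      # r0 = serial, from hidden memory slot 0
    (LOAD, 1, 0),       # r1 = challenge, supplied by the host
    (XOR, 1, 0),        # r1 ^= r0
    (MUL, 1, 0),        # r1 *= r0
    (OUT, 1, 0),        # release r1
]
KEY_V1 = b"\x11" * 32   # publisher key for major version 1 (constructed)
KEY_V2 = b"\x22" * 32   # key for the next major version (constructed)
SERIAL = 0x1234


def challenge_response(challenge):
    tok = TokenSim(KEY_V1, {0: SERIAL}, quota=2)
    tok.load_program(build(KEY_V1, PROGRAM))
    return tok.run([challenge])[0]


def wrong_key_refused():
    """A token customized for the next major version cannot run this build."""
    tok = TokenSim(KEY_V2, {0: SERIAL}, quota=2)
    try:
        tok.load_program(build(KEY_V1, PROGRAM))
    except PermissionError:
        return True
    return False


def quota_enforced():
    tok = TokenSim(KEY_V1, {0: SERIAL}, quota=1)
    tok.load_program(build(KEY_V1, PROGRAM))
    tok.run([1])
    try:
        tok.run([2])
    except RuntimeError:
        return True
    return False
```

Because the token holds only the key and the decoder, the same token runs any program built under that key, which is the update story given above; rebuilding under KEY_V2 is what forces a new token. The simulator also shows why the host learns little from the traffic: the serial never appears in it, only the challenge going in and one derived word coming out.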
What are the programming languages supported by
VT currently supports
Can other languages be supported?
Other languages, especially C/C++ and C#, will be supported in
Does VT work better with interpreted
languages (Java/C#) or native languages (C/C++)?
VT works equally well for both.
How much is VT dependent of the operating
system and processor?
Java VT is implemented as a coprocessor of
the Java virtual machine. As such it works with any processor and any
system or device that embeds a Java virtual machine and can
communicate with the token through a USB
CCID driver. We have tested it on different flavors
of Windows and Linux. The C/C++ implementation will need some
adjustment to the target system and processor.
How is the protection applied?
During post-compilation, code transformations are applied and object
code is generated for the target processor (or virtual machine)
augmented by the coprocessor.
For Java, the transformations are applied as a
“translation” step converting the bytecode into a new
bytecode requiring the Java virtual machine and the token to
For C/C++ , modern compilers allow third party vendors to add
specific code transformations and to modify the target
How long does it take to protect a program?
The programmer must first identify the variables to protect. If this
identification is performed during the design phase the time spent is
almost negligible; if it is retrofitted to an existing program it is a
matter of minutes for small programs and a matter of days for very big
programs. Then the program can be built in either unprotected or
protected mode. Unprotected builds are completely standard and allow
everything except the protection to be debugged and tested. Protected
builds add the modified compilation (or translation) and allow the
program to be debugged and tested with protection. In this case the
build process is slowed down by approximately a factor of 2.
Why is Validy supplying a token simulator?
Validy supplies a token simulator with the evaluation kit to
allow customers to test the protection by themselves and to thoroughly
understand how it works. The simulator doesn't provide any effective
protection, since, unlike a real token, any skilled programmer can
easily attack it. Apart from this attack on the token itself, most
aspects of the protection can be studied with the simulator.
Can VT be reverse engineered?
The security of VT is not based on the
secrecy of its principles or implementation, but only on the fact that
the token can keep small amounts of data and computation secret.
Validy uses secure chips from established silicon vendors
to ensure that the token is extremely difficult to pry into. Modern
secure chips are protected against the latest physical and logical
attacks, such as side-channel attacks or fault injection, and more
countermeasures are added with each new generation of chips.
Validy is going to work with independent certification agencies
to have the complete solution certified. Security-conscious customers
are also welcome to audit the solution.
What about key loading mechanisms?
The current VT version mainly focuses on the
protection functionality and only includes a simple key loading
system. This system is adequate for software publishers customizing
the tokens before shipping them. Next versions will implement more
flexible key management and distribution systems, using standard
public key protocols.
I like the principles but I cannot use the
This is OK. Validy is willing to grant licenses, to let a
customer engineer its own implementation, and to help if asked. In
this case, the current implementation can be viewed as a pilot.
Validy even expects this business model to be the standard for big
corporations.