WO2016096573A1 - Method and control system for controlling an execution of a software application on an execution platform - Google Patents
- Publication number
- WO2016096573A1 (PCT/EP2015/079138)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- fingerprint
- execution
- software application
- platform
- platform information
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/101—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities
- G06F21/1011—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities to devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/105—Arrangements for software license management or administration, e.g. for managing licenses at corporate level
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
Definitions
- the present invention relates to a method and a control system for controlling an execution of a software application on an execution platform.
- an object of the invention to provide an improved method for controlling an execution of a software application on an execution platform. Further, an improved control system for controlling an execution of a software application on an execution platform is to be provided.
- step b) generating at least one platform information item based on the installed/updated operation system/computer program and the determined point in time according to step a), c) generating a first fingerprint based on the platform information item(s) of step b), said first fingerprint is characteristic for the execution platform at the time of carrying out step a),
- the license is locked to an installation and/or update pattern of the execution platform which is unique for the execution platform so that an effective control of the execution of the software application can be carried out.
- the license is no longer locked to specific hardware features of the execution platform but to the unique installation and/or update pattern of the execution platform provided for the software application.
- the installation and/or update pattern is considered to be unique since today an execution platform receives a nearly constant stream of updates to the operating system and to the installed computer programs and the point in time when this stream of updates is applied depends on a whole range of more or less random circumstances.
- An execution platform can be a single computer, a virtual machine, a distributed computer system, a part of a global or of a local network or any other hardware device and/or software providing an environment in which the software application can be executed. Further examples of an execution platform are smartphones, tablets, laptops, desktops, etc.
- two fingerprints comply with each other when the two fingerprints (at least partly) match or are (at least partly) the same, for example.
- Steps a)-d) are preferably carried out when installing the software application and/or when activating the software application.
- Step e) can be carried out when the execution of the software application starts and/or during the execution of the software application. In particular, step e) can be carried out for multiple times (for example periodically).
- the execution platform can provide a virtual machine for the execution of the software application and the allowance according to step e) can be given for the execution of the software application within the virtual machine.
- Each platform information item can include the information that an installation or an update was carried out, that the operation system (in particular which operation system and/or which version of the operation system) or a computer program (in particular which computer program and/or which version of the computer program) was installed or updated and the point in time when the installation or update took place.
- the first fingerprint can include at least two different platform information items and the compliance of the two fingerprints is considered as being present if at least one of the two platform information items is the same in both fingerprints.
- at least some of the platform information item(s) as used for generating the first fingerprint can be determined and a further fingerprint based on these platform information item(s) can be generated and the further fingerprint can be compared with the first fingerprint of the license and the execution of the software application is allowed according to the terms of the license in case of the further fingerprint complies with the first fingerprint and the execution of the software application is prevented in case of the further fingerprint does not comply with the first fingerprint.
- At least some of the platform information item(s) as used for generating the first fingerprint can be determined and a further fingerprint based on these platform information item(s) can be generated and a new license including the further fingerprint can be generated only in case the further fingerprint complies with the first fingerprint, wherein the new license is used for carrying out step e).
- the generation of the license as well as the generation of the new license can be carried out by a license server which can be remote to the execution platform.
- the license server can be accessed through a communication connection such as the internet.
- the method of the invention during the execution of a software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint can be determined and a further fingerprint can be generated based on these platform information item(s), wherein it can be concluded that an unauthorized use of the software application is present if the number of updates and/or the update rate in the further fingerprint lies above a threshold which depends on the number of platform information items used for the first fingerprint and the further fingerprint.
- An unusually high number of updates and/or update rate is an indication of a cloned virtual machine for executing the software application, since after cloning a virtual machine all missing updates for the computer programs running in the cloned virtual machine are usually carried out.
- a heuristic analysis can be carried out to determine whether an unusually high number of updates and/or update rate occurred.
- At least some of the platform information item(s) as used for generating the first fingerprint can be determined and a further fingerprint can be generated based on these platform information item(s), wherein the further fingerprint can be sent to a license server which compares the further fingerprint with at least one of the first fingerprint and the second fingerprint and which concludes that an unauthorized use of the software application is present in case the compared fingerprints do not comply.
- At least some of the platform information item(s) as used for generating the first fingerprint can be determined and a further fingerprint can be generated based on these platform information item(s), wherein the further fingerprint can be sent to a license server which has a database with at least one reference fingerprint of the software application, which compares the further fingerprint with the at least one reference fingerprint and which concludes that an unauthorized use of the software application is present in case the compared fingerprints do not comply.
- the first and/or second fingerprint can be a reference fingerprint in the database. Further, in case the further fingerprint complies with the reference fingerprint the further fingerprint can be added as a further reference fingerprint to the database.
- the fingerprints and/or the license can be signed and/or encrypted.
- a check of the signature and/or a decryption step is carried out before comparing two fingerprints.
- the software application can include a module for carrying out the steps of the inventive method. It is further possible to provide a separate license managing module for carrying out step e) in cooperation with the software application to be controlled.
- non-transitory computer readable storage medium which comprises software code executable on a computer to cause the computer to carry out the claimed method (including the claimed further developments).
- control system for controlling an execution of a software application on an execution platform, comprising a control module operative to:
- a) determine the point in time of at least one of the following list: installation of an operation system on the execution platform, installation of a computer program running on the execution platform, updating of the operation system, updating of the computer program,
- step b) generate at least one platform information item based on the installed/updated operation system/computer program and the determined point in time according to step a),
- step c) generate a first fingerprint based on the platform information item(s) of step b), said first fingerprint is characteristic for the execution platform at the time of carrying out step a),
- control module can be embodied such that it carries out steps a) to e).
- the control system can comprise features for carrying out steps of the inventive method (including steps of the further developments of the inventive method).
- the control module can be software and/or hardware.
- the method for controlling an execution of a software application on an execution platform can comprise the method steps described in connection with the inventive control system.
- FIG. 1 schematically shows an execution platform 1 for executing software applications
- Fig. 2 shows a flow chart for an embodiment of the method for controlling an execution of the software application on the execution platform 1 shown in Fig. 1
- Fig. 3 to 6 show different installation/update lists 10, 16, 20, 20' used in embodiments of the present invention.
- Fig. 1 schematically shows an execution platform 1 for executing software applications.
- the execution platform 1 is embodied as a conventional personal computer, for example, comprising a computing section 2 (comprising, for example, a processor, a hard disc, further hardware elements as well as an operating system), an input unit (in this case, for example, a keyboard) as well as an output unit 4 (e.g. a screen).
- the execution platform 2 can communicate with a license server 5.
- the communication can be realized via the internet 6, for example.
- the software application 7 is an internet browser
- the software application 8 is a PDF reader
- the software application 9 is a CAD application.
- the internet browser 7 and the PDF reader 8 can be named computer programs.
- the execution of the CAD application 9 is controlled as follows in order to avoid unauthorized use.
- a first fingerprint is generated which is characteristic for the execution platform 1 at the time of generating said first fingerprint (step S1 of the flow chart according to Fig. 2).
- an installation/update list 10 is generated by determining the point in time of an installation and/or update of at least one computer program 7, 8 running on the execution platform 1 and/or of the operating system running on the execution platform 1.
- the installation/update list 10 (Fig. 3) includes three platform information items 11, 12 and 13.
- Each platform information item 11-13 includes the name of the computer program, the information whether an update or an installation was carried out, and the point in time of the update or the installation.
- the first platform information item 11 refers to the update of the internet browser 7.
- the second platform information item 12 refers to the installation of the PDF reader 8 and the third platform information item 13 refers to the update of the PDF reader 8.
- the platform information items 11-13 form a unique pattern for the execution platform 1 at the point in time of generating the installation/update list 10. This is a result of the fact that today execution platforms 1 receive a nearly constant stream of updates to the operating system and the installed computer programs. The point in time when this stream of updates is applied depends on a whole range of more or less random circumstances, as for example when the execution platform is running and is online (connected to the internet, for example), which update settings are applied, which place in the update queue the execution platform 1 got and when the execution platform 1 checks for updates. Based on the platform information items 11-13 a first fingerprint is generated which is characteristic for the execution platform 1 at the time of determining the information for generating the installation/update list 10.
- the step of determining the first fingerprint is preferably carried out when the CAD application 9 is to be executed for the first time on the execution platform 1.
- a license including the first fingerprint is generated (step S2).
- the generation of the license can be carried out, for example, by sending the first fingerprint to the license server 5 (for example via the internet 6).
- the license server 5 signs and/or encrypts the first fingerprint (preferably in an automatic process) and sends it back to the execution platform 1 or to a software management system 14 connected to the execution platform 1 (Fig. 1).
- the license can include the allowed terms of use of the CAD application 9.
- the terms of use, which are preferably also signed and/or encrypted, together with a signed and/or encrypted first fingerprint form the license for the CAD application 9.
- a second fingerprint is generated (step S3).
- the second fingerprint can be generated each time the CAD application is started, for example.
- the same platform information items as used for generating the first fingerprint are determined at the time of controlling the execution of the CAD application 9 (e.g. when starting the CAD application 9). Since the CAD application 9 is still running on the same execution platform 1 the second fingerprint is identical with the first fingerprint. Therefore, a comparison of both fingerprints (step S4) leads to the result that both fingerprints are identical. In this case, the execution of the CAD application 9 is allowed (step S5). If, for example, the CAD application is executed on a second execution platform 15 (Fig.
- the second fingerprint will be different from the first fingerprint, since the platform information items 11-13 will be different as shown in an installation/update list 16 for the second execution platform 15 in Fig. 4.
- the points in time for updating the internet browser 7 and the PDF reader 8 are different (points in time t4 and t5 instead of t1 and t3). Therefore, the platform information items 11 and 13 of the first installation/update list 10 do not comply with the platform information items 17 and 19 of the second installation/update list 16 and the comparison of the two fingerprints leads to the result that they are different and therefore the execution of the CAD application 9 is prevented (step S6).
- the steps S1-S6 can be carried out by the software management system 14 and/or by a control module included in the CAD application 9 itself.
- Fig. 5 shows an example of a third installation/update list 20 for generating the third fingerprint.
- the third installation/update list 20 includes four platform information items 21 to 24, wherein the first to third platform information items 21-23 comply with the corresponding platform information items 11 to 13 of the first installation/update list 10.
- a further update of the PDF reader 8 leads to a further platform information item 24. Due to the fact that the first to third platform information items 21 to 23 are identical with the original first to third platform information items 11 to 13 it is decided that the CAD application software 9 is used in an authorized manner in the first execution platform 1.
- the CAD application 9 is executed in a virtual machine 25 (indicated with dotted lines in Fig. 1) it is still possible to control the execution of the CAD application 9. If, for example, the user of the CAD application 9 has cloned the virtual machine 25 (the cloned virtual machine 25' can be executed on the first or second execution platform 1, 15, for example) the corresponding third fingerprint would be different.
- the third fingerprint of the original virtual machine 25 can include the platform information items 21 to 24 according to Fig. 5.
- the second update of the PDF reader 8 can be carried out at a different time, so that the third installation/update list 20' of the cloned virtual machine 25' would be different with respect to the point in time of the second update of the PDF reader 8 as indicated in Fig. 6 (fourth platform information item 24'). Therefore, it can be concluded that the CAD application 9 is executed in two different execution platforms (here in the virtual machine 25 and in the cloned virtual machine 25') although only a license for the execution on one single execution platform is present. Further, it can be concluded when the execution of the CAD application on two different platforms started at the latest (the more recent point in time of t6 and t7). This information can be used for further steps.
- corresponding information can be presented when executing the CAD application 9 or no further updates for the CAD application 9 are delivered until the issue of the two separate executions of the CAD application 9 is solved.
- the necessary information for generating the installation/update lists 10, 16, 20, 20' can be extracted from the registry.
- computer programs are used for generating the installation/update lists 10, 16, 20, 20' which are known to be often updated.
- a flash player, a PDF reader, an internet browser, JAVA, etc. can be used.
- computer programs from the program list of the operating system can be used. The computer programs from the program list can be chosen according to predetermined rules.
- the CAD application 9 can be used during a predetermined time period (e.g. for a free trial period, which might last four weeks) the following situation can occur.
- a snapshot of the installed CAD application 9 is taken and after the expiry of the trial period the snapshot is copied back to the execution platform 1 so that the user can further use the CAD application 9.
- the missing updates are normally loaded and installed. This means that an unusually high number of updates is installed.
- third installation/update lists for example by a heuristic analysis
- a snapshot was used for extending the trial period and this information can be used for further actions.
- the execution of the CAD application 9 can be prevented and the user can be informed, that the trial period expired and that he has to purchase a license if he wants to further use the CAD application 9.
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Stored Programmes (AREA)
Abstract
There is provided a method for controlling an execution of a software application on an execution platform, comprising: a) determining the point in time of at least one of the following list: installation of an operation system on the execution platform, installation of a computer program running on the execution platform, updating of the operation system, updating of the computer program, b) generating at least one platform information item based on the installed/updated operation system/computer program and the determined point in time according to step a), c) generating a first fingerprint based on the platform information item(s) of step b), said first fingerprint is characteristic for the execution platform at the time of carrying out step a), d) generating a license including said first fingerprint, said license defines terms of allowed execution of the software application on said execution platform, and e) controlling the execution by - determining at least some of the platform information item(s) as used for generating the first fingerprint at the time of executing the software application and generating a second fingerprint based on said platform information item(s), - comparing the second fingerprint with the first fingerprint of the license, and - allowing the execution of the software application according to the terms of the license in case the second fingerprint complies with the first fingerprint, and - preventing the execution of a software application in case the second fingerprint does not comply with the first fingerprint.
Description
METHOD AND CONTROL SYSTEM FOR CONTROLLING AN EXECUTION OF A SOFTWARE APPLICATION ON AN EXECUTION PLATFORM
The present invention relates to a method and a control system for controlling an execution of a software application on an execution platform.
It is known to control the execution of a software application such that an execution is only allowed in case of the presence of a corresponding license. The license can be locked to a secure hardware device to be connected to the execution platform. In this case the execution can be carried out only in case of the presence of the connected secure hardware device. Since in this case the software publisher or vendor has to deliver the software application and the secure hardware device to the end user, this kind of protection is preferred for expensive software applications.
For less expensive software applications it is often preferred to lock the license to the hardware of the execution platform. However, if the software application is to be executed into a virtual machine running on the hardware on the execution platform the hardware of the execution platform can often no longer be used for locking the license.
In view thereof, it is an object of the invention to provide an improved method for controlling an execution of a software application on an execution platform. Further, an improved control system for controlling an execution of a software application on an execution platform is to be provided.
The object is solved by a method for controlling an execution of a software application on an execution platform, comprising:
a) determining the point in time of at least one of the following list: installation of an operation system on the execution platform, installation of a computer program running on the execution platform, updating of the operation system, updating of the computer program,
b) generating at least one platform information item based on the installed/updated operation system/computer program and the determined point in time according to step a),
c) generating a first fingerprint based on the platform information item(s) of step b), said first fingerprint is characteristic for the execution platform at the time of carrying out step a),
d) generating a license including said first fingerprint, said license defines terms of allowed execution of the software application on said execution platform, and
e) controlling the execution by
- determining at least some of the platform information item(s) as used for generating the first fingerprint at the time of executing the software application and generating a second fingerprint based on said platform information item(s),
- comparing the second fingerprint with the first fingerprint of the license, and
- allowing the execution of the software application according to the terms of the license in case the second fingerprint complies with the first fingerprint, and
- preventing the execution of a software application in case the second fingerprint does not comply with the first fingerprint.
According to the method of the invention the license is locked to an installation and/or update pattern of the execution platform which is unique for the execution platform so that an effective control of the execution of the software application can be carried out. In particular, even if the software application is executed in a virtual machine an effective control can be provided. Therefore, the license is no longer locked to specific hardware features of the execution platform but to the unique installation and/or update pattern of the execution platform provided for the software application.
The installation and/or update pattern is considered to be unique since today an execution platform receives a nearly constant stream of updates to the operating system and to the installed computer programs and the point in time when this stream of updates is applied depends on a whole range of more or less random circumstances.
An execution platform can be a single computer, a virtual machine, a distributed computer system, a part of a global or of a local network or any other hardware device and/or software providing an environment in which the software application can be executed. Further examples of an execution platform are smartphones, tablets, laptops, desktops, etc.
According to the present invention two fingerprints comply with each other when the two fingerprints (at least partly) match or are (at least partly) the same, for example.
Steps a)-d) are preferably carried out when installing the software application and/or when activating the software application.
Step e) can be carried out when the execution of the software application starts and/or during the execution of the software application. In particular, step e) can be carried out for multiple times (for example periodically).
The execution platform can provide a virtual machine for the execution of the software application and the allowance according to step e) can be given for the execution of the software application within the virtual machine.
Each platform information item can include the information that an installation or an update was carried out, that the operation system (in particular which operation system and/or which version of the operation system) or a computer program (in particular which computer program and/or which version of the computer program) was installed or updated and the point in time when the installation or update took place.
The first fingerprint can include at least two different platform information items and the compliance of the two fingerprints is considered as being present if at least one of the two platform information items is the same in both fingerprints.
According to the method of the present invention during the execution of the software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint can be determined and a further fingerprint based on these platform information item(s) can be generated and the further fingerprint can be compared with the first fingerprint of the license and the execution of the software application is allowed according to the terms of the license in case the further fingerprint complies with the first fingerprint and the execution of the software application is prevented in case the further fingerprint does not comply with the first fingerprint.
Further, during the execution of the software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint can be determined and a further fingerprint based on these platform information item(s) can be generated and a new license including the further fingerprint can be generated only in case the further fingerprint complies with the first fingerprint, wherein the new license is used for carrying out step e).
The generation of the license as well as the generation of the new license can be carried out by a license server which can be remote to the execution platform. In particular, the license server can be accessed through a communication connection such as the internet.
According to the method of the invention during the execution of a software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint can be determined and a further fingerprint can be generated based on these platform information item(s), wherein it can be concluded that an unauthorized use of the software application is present if the number of updates and/or the update rate in the further fingerprint lies above a threshold which depends on the number of platform information items used for the first fingerprint and the further fingerprint.
An unusually high number of updates and/or update rate is an indication of a cloned virtual machine for executing the software application, since after cloning a virtual machine all missing updates for the computer programs running in the cloned virtual machine are usually carried out. In particular, a heuristic analysis can be carried out to determine whether an unusually high number of updates and/or update rate occurred.
According to the method of the invention during the execution of the software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint can be determined and a further fingerprint can be generated based on these platform information item(s), wherein the further fingerprint can be sent to a license server which compares the further fingerprint with at least one of the first fingerprint and the second fingerprint and which concludes that an unauthorized use of the software application is present in case the compared fingerprints do not comply.
According to the method of the invention during the execution of the software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint can be determined and a further fingerprint can be generated based on these platform information item(s), wherein the further fingerprint can be sent to a license server which has a database with at least one reference fingerprint of the software application, which compares the further fingerprint with the at least one reference fingerprint and which concludes that an unauthorized use of the software application is present in case the compared fingerprints do not comply.
The first and/or second fingerprint can be a reference fingerprint in the database. Further, in case the further fingerprint complies with the reference fingerprint the further fingerprint can be added as a further reference fingerprint to the database.
These steps can be repeatedly carried out so that an ongoing control of the execution of the software application can be realized.
It can be assumed that the compared fingerprints do not comply in case only platform information item(s) until a specific point in time coincide (are the same in both fingerprints) and the remaining platform information item(s) after this specific point in time do not coincide. This can happen if the software application is executed in a virtual machine and a second execution of the software application takes place in a cloned virtual machine.
The fingerprints and/or the license can be signed and/or encrypted. In this case, a check of the signature and/or a decryption step is carried out before comparing two fingerprints.
The software application can include a module for carrying out the steps of the inventive method. It is further possible to provide a separate license managing module for carrying out step e) in cooperation with the software application to be controlled.
There is further provided a computer program product which comprises software code in order to carry out the steps of the claimed method (including the claimed further developments), when the product is being executed.
Further, a non-transitory computer readable storage medium is provided, which comprises software code executable on a computer to cause the computer to carry out the claimed method (including the claimed further developments).
There is further provided a control system for controlling an execution of a software application on an execution platform, comprising a control module operative to:
a) determine the point in time of at least one of the following list: installation of an operation system on the execution platform, installation of a computer program running on the execution platform, updating of the operation system, updating of the computer program,
b) generate at least one platform information item based on the installed/updated operation system/computer program and the determined point in time according to step a),
c) generate a first fingerprint based on the platform information item(s) of step b), said first fingerprint is characteristic for the execution platform at the time of carrying out step a),
d) generate a license including said first fingerprint, said license defines terms of allowed execution of the software application on said execution platform, and
e) control the execution by
- determining at least some of the platform information item(s) as used for generating the first fingerprint at the time of executing the software application and generating a second fingerprint based on said platform information item(s),
- comparing the second fingerprint with the first fingerprint of the license, and
- allowing the execution of the software application according to the terms of the license in case the second fingerprint complies with the first fingerprint, and
- preventing the execution of a software application in case the second fingerprint does not comply with the first fingerprint.
The control module can be embodied such that it carries out steps a) to e).
The control system can comprise features for carrying out steps of the inventive method (including steps of the further developments of the inventive method). In particular, the control module can be software and/or hardware. The method for controlling an execution of a software application on an execution platform can comprise the method steps described in connection with the inventive control system.
It is understood that the features named above and still to be explained below can be used not only in the given combinations, but also in other combinations or alone, without departing from the scope of the present invention.
The invention is explained in further detail below by way of example using the attached drawings which also disclose features essential to the invention. There are shown in:
Fig. 1 schematically shows an execution platform 1 for executing software applications;
Fig. 2 shows a flow chart for an embodiment of the method for controlling an execution of the software application on the execution platform 1 shown in Fig. 1, and
Fig. 3 to 6 show different installation/update lists 10, 16, 20, 20' used in embodiments of the present invention.
Fig. 1 schematically shows an execution platform 1 for executing software applications. The execution platform 1 is embodied as a conventional personal computer, for example, comprising a computing section 2 (comprising, for example, a processor, a hard disc, further hardware elements as well as an operating system), an input unit (in this case, for example, a keyboard) as well as an output unit 4 (e.g. a screen). The execution platform 2 can communicate with a license server 5. The communication can be realized via the internet 6, for example.
There are at least three software applications 7, 8, 9 running on the execution platform 1. The software application 7 is an internet browser, the software application 8 is a PDF reader and the software application 9 is a CAD application. In order to better distinguish between the CAD application 9 on the one hand and the internet browser 7 and the PDF reader 8 on the other hand, the internet browser 7 and the PDF reader 8 can be named computer programs. The execution of the CAD application 9 is controlled as follows in order to avoid unauthorized use.
In order to control the execution of the CAD application 9 on the execution platform 1 a first fingerprint is generated which is characteristic for the execution platform 1 at the time of generating said first fingerprint (step S1 of the flow chart according to Fig. 2).
For generating the first fingerprint an installation/update list 10 is generated by determining the point in time of an installation and/or update of at least one computer program 7, 8 running on the execution platform 1 and/or of the operating system running on the execution platform 1. In the present embodiment the installation/update list 10 (Fig. 3) includes three platform information items 11, 12 and 13. Each platform information item 11-13 includes the name of the computer program, the information whether an update or an installation was carried out, and the point in time of the update or the installation. As shown in Fig. 3 the first platform information item 11 refers to the update of the internet browser 7. The second platform information item 12 refers to the installation of the PDF reader 8 and the third platform information item 13 refers to the update of the PDF reader 8.
The platform information items 11-13 form a unique pattern for the execution platform 1 at the point in time of generating the installation/update list 10. This is a result of the fact that today execution platforms 1 receive a nearly constant stream of updates to the operating system and the installed computer programs. The point in time when this stream of updates is applied depends on a whole range of more or less random circumstances, as for example when the execution platform is running and is online (connected to the internet, for example), which update settings are applied, which place in the update queue the execution platform 1 got and when the execution platform 1 checks for updates.
Based on the platform information items 11-13 a first fingerprint is generated which is characteristic for the execution platform 1 at the time of determining the information for generating the installation/update list 10. The step of determining the first fingerprint is preferably carried out when the CAD application 9 is to be executed for the first time on the execution platform 1.
Thereafter, a license including the first fingerprint is generated (step S2). The generation of the license can be carried out, for example, by sending the first fingerprint to the license server 5 (for example via the internet 6). The license server 5 signs and/or encrypts the first fingerprint (preferably in an automatic process) and sends it back to the execution platform 1 or to a software management system 14 connected to the execution platform 1 (Fig. 1). The license can include the allowed terms of use of the CAD application 9. The terms of use, which are preferably also signed and/or encrypted, together with the signed and/or encrypted first fingerprint form the license for the CAD application 9.
In order to control the execution of the CAD application 9 a second fingerprint is generated (step S3). The second fingerprint can be generated each time the CAD application is started, for example. For generating the second fingerprint the same platform information items as used for generating the first fingerprint are determined at the time of controlling the execution of the CAD application 9 (e.g. when starting the CAD application 9). Since the CAD application 9 is still running on the same execution platform 1 the second fingerprint is identical with the first fingerprint. Therefore, a comparison of both fingerprints (step S4) leads to the result that both fingerprints are identical. In this case, the execution of the CAD application 9 is allowed (step S5).
If, for example, the CAD application is executed on a second execution platform 15 (Fig. 1) the second fingerprint will be different to the first fingerprint, since the platform information items 11-13 will be different as shown in an installation/update list 16 for the second execution platform 15 in Fig. 4. For example, the points in time for updating the internet browser 7 and the PDF reader 8 are different (points in time t4 and t5 instead of t1 and t3). Therefore, the platform information items 11 and 13 of the first installation/update list 10 do not comply with the platform information items 17 and 19 of the second installation/update list 16 and the comparison of the two fingerprints leads to the result that they are different and therefore the execution of the CAD application 9 is prevented (step S6). The steps S1-S6 can be carried out by the software management system 14 and/or by a control module included in the CAD application 9 itself.
Further, it is possible that during the execution of the CAD application 9 an actual fingerprint (third fingerprint) is generated and sent to the license server 5. The license server 5 can compare the third fingerprint with the first fingerprint used for generating the license. Fig. 5 shows an example of a third installation/update list 20 for generating the third fingerprint. The third installation/update list 20 includes four platform information items 21 to 24, wherein the first to third platform information items 21-23 comply with the corresponding platform information items 11 to 13 of the first installation/update list 10. In addition, a further update of the PDF reader 8 leads to a further platform information item 24. Due to the fact that the first to third platform information items 21 to 23 are identical with the original first to third platform information items 11 to 13 it is decided that the CAD application software 9 is used in an authorized manner in the first execution platform 1.
If the CAD application 9 is executed in a virtual machine 25 (indicated with dotted lines in Fig. 1) it is still possible to control the execution of the CAD application 9. If, for example, the user of the CAD application 9 has cloned the virtual machine 25 (the cloned virtual machine 25' can be executed on the first or second execution platform 1, 15, for example) the corresponding third fingerprint would be different. The third fingerprint of the original virtual machine 25 can include the platform information items 21 to 24 according to Fig. 5. In the cloned virtual machine 25' the second update of the PDF reader 8 can be carried out at a different time, so that the third installation/update list 20' of the cloned virtual machine 25' would be different with respect to the point in time of the second update of the PDF reader 8 as indicated in Fig. 6 (fourth platform information item 24'). Therefore, it can be concluded that the CAD application 9 is executed in two different execution platforms (here in the virtual machine 25 and in the cloned virtual machine 25') although only a license for the execution on one single execution platform is present. Further, it can be concluded when the execution of the CAD application on two different platforms started at the latest (the more recent point in time of t6 and t7). This information can be used for further steps. For example, corresponding information can be presented when executing the CAD application 9 or no further updates for the CAD application 9 are delivered until the issue of the two separate executions of the CAD application 9 is solved. In addition, it is possible to use the third fingerprint for generating a new license. The generation of a new license can be done when the present license is amended or has to be renewed, for example.
When using a Windows operating system the necessary information for generating the installation/update lists 10, 16, 20, 20' can be extracted from the registry. In particular, computer programs are used for generating the installation/update lists 10, 16, 20, 20' which are known to be often updated. For example, a flash player, a PDF reader, an internet browser, JAVA, etc. can be used. As an alternative or in addition computer programs from the program list of the operating system can be used. The computer programs from the program list can be chosen according to predetermined rules.
In case the CAD application 9 can be used during a predetermined time period (e.g. for a free trial period, which might last four weeks) the following situation can occur. After the start of the trial period by carrying out steps S1-S6 a snapshot of the installed CAD application 9 is taken and after the expiry of the trial period the snapshot is copied back to the execution platform 1 so that the user can further use the CAD application 9. However, when copying back such a snapshot the missing updates are normally loaded and installed. As a result, an unusually high number of updates is installed. By analysing third installation/update lists (for example by a heuristic analysis) it can be seen whether such a high number of updates happened. If so, it can be concluded that a snapshot was used for extending the trial period and this information can be used for further actions. For example, the execution of the CAD application 9 can be prevented and the user can be informed that the trial period expired and that he has to purchase a license if he wants to further use the CAD application 9.
In order to detect such a rollback the number of updates and/or the update rate (updates per time) can be analysed.
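The comparisons described for Fig. 3 to Fig. 6 and the update-burst check for a restored snapshot, as an added Python sketch that is not part of the patent text. All names, the dates, the 24-hour window, the threshold (one update per tracked program per window) and the "truncated" verdict are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True, order=True)
class Item:
    """One platform information item; ordering is by point in time first."""
    when: datetime
    program: str
    kind: str  # "install" or "update"


def compare(reference, further):
    """Compare two installation/update lists; return (verdict, shared_items)."""
    if not reference:
        raise ValueError("an empty reference list would match every platform")
    ref, fur = sorted(reference), sorted(further)
    n = 0
    while n < min(len(ref), len(fur)) and ref[n] == fur[n]:
        n += 1
    if n == len(ref):
        # Whole licensed history present, possibly with newer items (Fig. 5).
        return ("identical" if n == len(fur) else "extended"), n
    if n == 0:
        return "foreign", n      # no shared history: another platform (Fig. 4)
    if n == len(fur):
        return "truncated", n    # assumption: an older state of the same history
    return "diverged", n         # coincides up to a point, then differs (Fig. 6)


def server_check(references, further):
    """License-server side: compare with every reference list in the database."""
    verdicts = [compare(ref, further)[0] for ref in references]
    if all(v in ("identical", "extended") for v in verdicts):
        references.append(list(further))  # becomes a further reference
        return "authorized"
    return "clone" if "diverged" in verdicts else "unauthorized"


def max_burst(items, since, window):
    """Largest number of updates later than `since` inside one time window."""
    times = sorted(i.when for i in items if i.kind == "update" and i.when > since)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def rollback_suspected(first, further, window=timedelta(hours=24)):
    """Flag an unusually dense run of updates after the first fingerprint."""
    threshold = len({i.program for i in first})  # assumed: scales with tracked programs
    since = max(i.when for i in first)
    return max_burst(further, since, window) > threshold


def at(month, day, hour=9):
    return datetime(2015, month, day, hour)


# Constructed sample data modelled on the lists of Fig. 3 to Fig. 6.
LIST_10 = [Item(at(1, 2), "browser", "update"),       # item 11, t1
           Item(at(1, 3), "pdf-reader", "install"),   # item 12, t2
           Item(at(1, 8), "pdf-reader", "update")]    # item 13, t3
LIST_16 = [Item(at(1, 4), "browser", "update"),       # item 17, t4
           Item(at(1, 3), "pdf-reader", "install"),   # item 18
           Item(at(1, 9), "pdf-reader", "update")]    # item 19, t5
LIST_20 = LIST_10 + [Item(at(1, 15), "pdf-reader", "update")]        # item 24, t6
LIST_20_CLONE = LIST_10 + [Item(at(1, 16), "pdf-reader", "update")]  # item 24', t7
# Snapshot copied back after four weeks: the missing updates arrive within hours.
RESTORED = LIST_10 + [Item(at(2, 3, h), p, "update") for h, p in
                      [(10, "browser"), (11, "pdf-reader"), (11, "browser"),
                       (12, "browser"), (13, "pdf-reader")]]

if __name__ == "__main__":
    database = [list(LIST_10)]
    for name, lst in [("list 20", LIST_20), ("list 20'", LIST_20_CLONE),
                      ("list 16", LIST_16)]:
        print(name, server_check(database, lst))
    print("restored snapshot suspected:", rollback_suspected(LIST_10, RESTORED))
```

Because the first compliant report (list 20) is stored as a further reference, the clone's list 20' still extends the licensed list 10 but diverges from list 20, which is what separates a clone from an ordinary later update.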
Claims
1. Method for controlling an execution of a software application on an execution platform, comprising:
a) determining the point in time of at least one of the following list: installation of an operation system on the execution platform, installation of a computer program running on the execution platform, updating of the operation system, updating of the computer program,
b) generating at least one platform information item based on the installed/updated operation system/computer program and the determined point in time according to step a),
c) generating a first fingerprint based on the platform information item(s) of step b), said first fingerprint is characteristic for the execution platform at the time of carrying out step a),
d) generating a license including said first fingerprint, said license defines terms of allowed execution of the software application on said execution platform, and
e) controlling the execution by
- determining at least some of the platform information item(s) as used for generating the first fingerprint at the time of executing the software application and generating a second fingerprint based on said platform information item(s),
- comparing the second fingerprint with the first fingerprint of the license, and
- allowing the execution of the software application according to the terms of the license in case the second fingerprint complies with the first fingerprint, and
- preventing the execution of a software application in case the second fingerprint does not comply with the first fingerprint.
2. Method according to claim 1, wherein the execution platform provides a virtual machine for the execution of the software application and the allowance according to step e) is given for the execution of the software application within the virtual machine.
3. Method according to one of the above claims, wherein the first fingerprint includes at least two different platform information items and wherein in step e) the compliance of the two fingerprints is considered as being present if at least one of the two platform information items is the same in both fingerprints.
4. Method according to one of the above claims, wherein during the execution of the software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint are determined and a further fingerprint based on these platform information item(s) is generated and the further fingerprint is compared with the first fingerprint of the license and the execution of the software application is allowed according to the terms of the license in case the further fingerprint complies with the first fingerprint and the execution of the software application is prevented in case the further fingerprint does not comply with the first fingerprint.
5. Method according to one of the above claims, wherein during execution of the software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint are determined and a further fingerprint based on these platform information item(s) is generated and a new license including the further fingerprint is generated only in case the further fingerprint complies with the first fingerprint, wherein the new license is used for carrying out step e).
6. Method according to one of the above claims, wherein during the execution of the software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint are determined and a further fingerprint is generated based on these platform information item(s), wherein it is concluded that an unauthorized use of the software application is present if the number of updates in the further fingerprint lies above a threshold which depends on the number of platform information items used for the first fingerprint and the further fingerprint.
7. Method according to one of the above claims, wherein during the execution of the software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint are determined and a further fingerprint is generated based on these platform information item(s), wherein it is concluded that an unauthorized use of the software application is present if the update rate in the further fingerprint lies above a threshold which depends on the number of platform information items used for the first fingerprint and the further fingerprint.
8. Method according to one of the above claims, wherein during the execution of the software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint are determined and a further fingerprint is generated based on these platform information item(s), wherein the further fingerprint is sent to a license server which compares the further fingerprint with at least one of the first and second fingerprint and which concludes that an unauthorized use of the software application is present in case the compared fingerprints do not comply.
9. Method according to one of the above claims, wherein during the execution of the software application and after generation of the second fingerprint at least some of the platform information item(s) as used for generating the first fingerprint are determined and a further fingerprint is generated based on these platform information item(s), wherein the further fingerprint is sent to a license server which has a database with at least one reference fingerprint of the software application, which compares the further fingerprint with the at least one reference fingerprint and which concludes that an unauthorized use of the software application is present in case the compared fingerprints do not comply.
10. Method according to one of the above claims, wherein the compared fingerprints do not comply in case only platform information item(s) until a specific point in time coincide and the remaining platform information item(s) after this specific point in time do not coincide.
11. Computer program product, which comprises software code in order to carry out the steps of one of the above claims, when the product is being executed.
12. Control system for controlling an execution of a software application on an execution platform, comprising a control module operative to:
a) determine the point in time of at least one of the following list: installation of an operation system on the execution platform, installation of a computer program running on the execution platform, updating of the operation system, updating of the computer program,
b) generate at least one platform information item based on the installed/updated operation system/computer program and the determined point in time according to step a),
c) generate a first fingerprint based on the platform information item(s) of step b), said first fingerprint is characteristic for the execution platform at the time of carrying out step a),
d) generate a license including said first fingerprint, said license defines terms of allowed execution of the software application on said execution platform, and
e) control the execution by
- determining at least some of the platform information item(s) as used for generating the first fingerprint at the time of executing the software application and generating a second fingerprint based on said platform information item(s),
- comparing the second fingerprint with the first fingerprint of the license, and
- allowing the execution of the software application according to the terms of the license in case the second fingerprint complies with the first fingerprint, and
- preventing the execution of a software application in case the second fingerprint does not comply with the first fingerprint.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/537,156 US10922387B2 (en) | 2014-12-16 | 2015-12-09 | Method and control system for controlling an execution of a software application on an execution platform |
EP15807897.2A EP3234842A1 (en) | 2014-12-16 | 2015-12-09 | Method and control system for controlling an execution of a software application on an execution platform |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP14198250.4A EP3035223A1 (en) | 2014-12-16 | 2014-12-16 | Method and control system for controlling an execution of a software application on an execution platform |
EP14198250.4 | 2014-12-16 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016096573A1 true WO2016096573A1 (en) | 2016-06-23 |
Family
ID=52101191
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2015/079138 WO2016096573A1 (en) | 2014-12-16 | 2015-12-09 | Method and control system for controlling an execution of a software application on an execution platform |
Country Status (3)
Country | Link |
---|---|
US (1) | US10922387B2 (en) |
EP (2) | EP3035223A1 (en) |
WO (1) | WO2016096573A1 (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107025389B (en) * | 2017-03-14 | 2020-08-07 | Oppo广东移动通信有限公司 | Fingerprint input method and terminal |
US10956563B2 (en) * | 2017-11-22 | 2021-03-23 | Aqua Security Software, Ltd. | System for securing software containers with embedded agent |
US10997283B2 (en) * | 2018-01-08 | 2021-05-04 | Aqua Security Software, Ltd. | System for securing software containers with encryption and embedded agent |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100325734A1 (en) * | 2009-06-19 | 2010-12-23 | Etchegoyen Craig S | Modular Software Protection |
US20110225417A1 (en) * | 2006-12-13 | 2011-09-15 | Kavi Maharajh | Digital rights management in a mobile environment |
Family Cites Families (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070107067A1 (en) * | 2002-08-24 | 2007-05-10 | Ingrian Networks, Inc. | Secure feature activation |
JP2004206435A (en) * | 2002-12-25 | 2004-07-22 | Victor Co Of Japan Ltd | License management method, and license management system |
CN1898956B (en) * | 2003-12-18 | 2012-02-22 | 松下电器产业株式会社 | Methods for validating and running applications |
US20050289072A1 (en) * | 2004-06-29 | 2005-12-29 | Vinay Sabharwal | System for automatic, secure and large scale software license management over any computer network |
US7874015B2 (en) * | 2006-05-12 | 2011-01-18 | At&T Intellectual Property I, L.P. | Methods, systems, and computer program products for controlling distribution of digital content in a file sharing system using license-based verification, encoded tagging, and time-limited fragment validity |
US9015703B2 (en) * | 2006-10-17 | 2015-04-21 | Manageiq, Inc. | Enforcement of compliance policies in managed virtual systems |
US8612971B1 (en) * | 2006-10-17 | 2013-12-17 | Manageiq, Inc. | Automatic optimization for virtual systems |
SG143084A1 (en) * | 2006-11-17 | 2008-06-27 | Nanyang Polytechnic | Software copyright protection and licensing system using rfid |
US9280337B2 (en) * | 2006-12-18 | 2016-03-08 | Adobe Systems Incorporated | Secured distribution of software updates |
US7882358B2 (en) * | 2007-01-15 | 2011-02-01 | Microsoft Corporation | Reversible hashing for E-signature verification |
EP2255284B1 (en) * | 2008-03-20 | 2017-01-11 | International Business Machines Corporation | Method and system for detecting the installation and usage of software in an application virtualization environment |
TW201011531A (en) * | 2008-09-03 | 2010-03-16 | Asustek Comp Inc | Computer system and related method of logging BIOS update operation |
US8621203B2 (en) * | 2009-06-22 | 2013-12-31 | Nokia Corporation | Method and apparatus for authenticating a mobile device |
US9395966B1 (en) * | 2010-09-27 | 2016-07-19 | Symantec Corporation | Systems and methods for associating installed software components with software products |
US20130004142A1 (en) * | 2011-06-29 | 2013-01-03 | Rovi Corp. | Systems and methods for device authentication including timestamp validation |
US8725649B2 (en) * | 2011-12-08 | 2014-05-13 | Raytheon Company | System and method to protect computer software from unauthorized use |
2014
- 2014-12-16 EP EP14198250.4A patent/EP3035223A1/en not_active Withdrawn
2015
- 2015-12-09 WO PCT/EP2015/079138 patent/WO2016096573A1/en active Application Filing
- 2015-12-09 EP EP15807897.2A patent/EP3234842A1/en active Pending
- 2015-12-09 US US15/537,156 patent/US10922387B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
EP3035223A1 (en) | 2016-06-22 |
US10922387B2 (en) | 2021-02-16 |
US20170372045A1 (en) | 2017-12-28 |
EP3234842A1 (en) | 2017-10-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15807897 Country of ref document: EP Kind code of ref document: A1 |
 | REEP | Request for entry into the european phase | Ref document number: 2015807897 Country of ref document: EP |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | WWE | Wipo information: entry into national phase | Ref document number: 15537156 Country of ref document: US |