Patent Grant
8429345
The invention relates to a method, a control logic and a system for detecting a virtual storage volume and a data carrier.
Certain copy-protection schemes for optical discs, e.g. CDROM, DVD or blue-ray disc, check if a special feature, a so-called “signature”, which can not be duplicated onto optical recordable media, is present on the optical disc. Such a signature and a corresponding method for verifying the signature are disclosed for example in WO 03/054878 A1 or in EP1672631A1. A computer program is only allowed to execute if the signature is present. Copy-protection software is looking for such a signature on a target storage medium, which should be e.g. an original optical disc, and which is expected to be placed in a target storage drive, e.g. an optical disc drive. An operating system of a computer system presents a storage drive together with a storage medium as a storage volume. Other examples for such storage volumes might be provided by a USB-Stick (semiconductor memory with a USB interface), a floppy drive with a floppy disk, a memory card in a card-reader or partitions on hard disks. The wording “target storage medium”, “target storage drive” and “target storage volume” is used throughout this description for the corresponding storage medium, storage drive and storage volume on which the certain data is expected to be found by the copy-protection software. Typically, the copy-protection software is checking, whether the signature is present on the target storage volume.
Emulation software intercepts the communication between the copy protection software and the optical disc drive, and manipulates the data and/or access timing information to insert false signature information. Emulation software can achieve this by presenting a virtual storage medium such as a disc image mounted on a virtual drive as a virtual storage volume to the copy protection software, while the disc image is actually stored on a hard disk drive (HDD).
Such virtual storage volumes with disc images of floppy disks, optical discs etc. are useful in certain circumstances, i.e.:
However, in cases where the content of a copy protected optical disc is stored as a disc image on the hard disk and presented to a copy protection software (also called control logic), copy-protection schemes may be circumvented by malicious virtual drive software, which not only provides access to the content but also to the signature. The copy-protection software is not aware of the fact that the target storage volume, on which the signature is found, is not the original optical disc in an optical disc drive, but is a disc image on the hard disk drive. The original disc might be redistributed to other user(s), and the copy on the hard disk drive might be in fact an unauthorized copy.
Known methods to identify a virtual storage volume depend either on system-level software (“device drivers”) or have become ineffective. Such previous methods may include separately or in combination:
A further possibility to protect data content within protected areas on a target optical carrier against unauthorized reading and/or copying with a computer is disclosed in WO 2004/088658 A1. The disclosed method comprises steps of determining whether a target optical record carrier or a non-target optical record carrier is inserted into a drive of the computer, and—if a target optical record carrier is inserted into the drive of the computer—modifying read requests to the protected data areas so that no data is read or the read data is useless, and/or—modifying write commands in respect to the data within the protected data areas to a recordable carrier or other storage so that the written data is useless.
It is an object of the present invention to provide a method for detecting a virtual storage volume which is difficult to circumvent and which provides an effective way to discover whether a virtual storage volume is used in order to fake or otherwise give the impression that the presence of an original storage medium in a corresponding drive,
It is a further object of the present invention to provide a control logic for detecting a virtual storage volume which enables an easy and efficient detection of such virtual storage volume, when used on a computer system to provide measures against unauthorized copying of protected software applications or data.
It is a further object of the present invention to provide a system for detecting a virtual storage volume which enables an easy and efficient detection of such virtual storage volume, which are present on such a system.
The object is achieved in a first aspect by a method for detecting a virtual storage volume, comprising the steps of
Throughout the description the wording “read operation” is used to describe a sequence of read accesses to different storage locations on a storage volume.
In other words the method is able to distinguish whether a data transfer is obtained from the virtual storage volume or from an original storage volume built of a drive and an original storage medium by querying and correlating the data transfer statistics from the operating system. So by checking the data transfers of a target storage volume (which should read the data from the original storage volume, e.g. provided by an optical disc, a floppy disk, a USB-stick, a memory card) and comparing the signal pattern during such data transfer with a signal pattern of data transfers of another storage volume, e.g. a hard disk drive, similarities are obtainable. In case the target storage volume is not represented by a virtual drive with a disc image stored on the other storage volume, e.g. the hard disk drive, the signal pattern of the data transfers from the other storage volume, e.g. the hard disk drive, and from the target storage volume should differ significantly, since the access is not related. However, in case that the target storage volume is in fact a virtual disc drive with a disc image stored on another storage volume, e.g. the hard disk drive, the signal pattern should look similar, since the access in question actually takes place on the hard disk drive. In case such a virtual storage volume is detected, appropriate measures could be taken, e.g. to refuse to run the application, to remove the disc image from the other storage volume or to instruct the user to insert the original storage medium in the corresponding drive.
With a second aspect, a control logic for detecting a virtual storage volume, the control logic being adapted to run on a computer system, said computer system comprising
With a third aspect a system for detecting a virtual storage volume, comprising:
With a fourth aspect a tangible data carrier is provided, having stored thereon software code components, which, when loaded onto a computer system execute the above mentioned method.
The terms “first access pattern” and “second access pattern” are used to distinguish both access pattern and do not imply any timerelationship between these access patterns.
The above and other objects, features and advantages of the present invention will become more apparent from the following description of the presently preferred exemplary embodiments of the invention taken in conjunction with the accompanying drawings, in which
a shows an exemplary measurement data of a first access pattern of a target storage medium,
b shows an exemplary measurement data of a second access pattern of another storage medium of a computer system,
In
A copy-protection software is typically checking, whether a characteristic which is difficult or impossible to copy (e.g. a so-called “signature”) is actually present on a target storage medium, e.g. an original optical disc. Therefore, the copy-protection software accesses a target storage volume, e.g. an optical disc drive with the original optical disc, in order to check whether on the target storage medium such a signature is actually present. The virtual drive software 3 presents the virtual storage medium as such target storage medium, so that the signature is read from the disc image 6, which is actually present on the hard disk drive 2, because it has been copied (possibly without authorization) onto the hard disk drive 2. The control logic 4 is not able to detect, that the signature is in fact stored on the hard disk drive 2 and not read from the original optical disc.
In order to distinguish whether data transfer is obtained from a virtual storage volume 1 or a physical storage volume, access patterns are derived from the target storage volume and from other storage volumes of the computer system 5. Such access patterns are derivable by using performance application programming interfaces (API) of operating systems, e.g. Microsoft Windows®.
Examples for such performance application programming interfaces are
Such performance APIs show for example, how many bytes are transferred in a given amount of time and the number of read operations (explained more in detail with respect to
Another possibility is the use of a device driver, which is able to collect such required measurement data, e.g. how many bytes are transferred in a given amount of time and the number of read operations.
Read access statistics or a first access pattern are obtained from the target storage volume which is supposed to access the original disc and a second or further access pattern is obtained from one or more hard disk drives 2. The read access statistics or access patterns are collected either continuously or during predefined time intervals. In one embodiment the access patterns are monitored while performing a verification of signature of the disc.
In a further embodiment the first access pattern is determined before actually reading the target storage volume. If the result of the read operation is known, because for example the signature of the disc is known beforehand, then the resulting first access pattern can be simulated beforehand and can be compared with the monitored second access pattern of another storage volume.
If the characteristic read access pattern resulting from the signature verification access can be statistically detected not only in the access statistics or access pattern of the target storage volume, but also in the access statistics of one of the hard disk drives 2 of the computer system 5, the control logic 4 can conclude that emulation by means of a virtual storage volume 1 is present and can start appropriate measures, e.g. to refuse to run the protected application, to remove the virtual storage volume 1 or to instruct the user to insert the original storage medium in a corresponding drive.
In
By determining the correlation between the first access pattern 10 and the second access pattern 11 it is derived that the first access pattern 10 and the second access pattern 11 show a similar time-dependent behavior.
For example, such correlation might be determined by counting how many accesses have been executed (nearly) in parallel, and by using a predefined threshold of number of parallel accesses in order to derive whether a virtual storage volume is present. Another possibility would be to calculate according to a known algorithm a correlation value between the first access pattern 10 and the second access pattern 11 and to use a predefined threshold value between 0 and 1 (e.g. 0.5) to determine, whether a virtual storage volume is present, when the correlation value is above the threshold value.
With this high correlation value or similar access pattern it is concluded that the target storage volume is in fact a virtual storage volume 1 with a disc image 6 on the hard disk drive 2 and not a separate optical disk drive with an original optical disc.
The read-ahead logic of the virtual drive software 3 used in this example seems to be 64 sectors, i.e. 131072 bytes, explaining the large transfers on the hard disk drive 2 compared to the small transfers on the virtual storage volume 1.
In
It is possible to use additional copy protection schemes like checking, whether the signature is present on the original storage medium.
A very efficient way to implement the method is the use of statistics provided by an operating system of the computer system 5, dealing with access statistics of storage volumes, since these statistics are already present and can easily be used, e.g. by the control logic 4.
Operating systems provide so-called performance application programming interfaces (performance API), which can be sampled to determine the first access pattern 10 and the second access pattern 11.
Since the check of the signature is part of many copy protection schemes and properties like a time interval during which such signature is read by the control logic 4 and the length of the signature are known beforehand by the control logic 4, this time interval is well suited for monitoring the first access pattern 10 and the second access pattern 11. In this case it is even possible to only monitor the second access pattern 11 and determine the first access pattern 10 by simulating the read operation of the signature beforehand.
Monitoring of the access pattern can take place during predefined time intervals for using less control logic efforts during other time intervals or can take place continuously in order to further enhance the probability of detecting the virtual storage volume 1.
Since the computer system 5 may have a plurality of storage volumes 2, each of which might have stored the virtual image, the method is applicable as well for these cases, thereby monitoring access patterns 11 of every storage volume 2 and determining correlations between the first access pattern 10 and further access patterns 11 of all of the storage volumes 2 in order to find out on which storage volume 2 a virtual image has been stored.
The method may be improved by filtering the first access pattern 10 and the second access pattern 11 before determining the correlation, thereby decreasing noise effects, e.g. from other processes that are running on the computer system 5. Such filtering might include, but is not restricted to:
The method is applicable for optical discs as target storage medium, optical disc drives as target storage drive and a hard disk drive 2 as other storage volume.
Although the method, control logic and system have been described with respect to read operations, it is apparent that a corresponding method, control logic and system is applicable as well during write operations in order to identify, on which volume a writing process takes place actually.
| Number | Date | Country | Kind |
|---|---|---|---|
| 06020725 | Oct 2006 | EP | regional |
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/EP2007/008033 | 9/14/2007 | WO | 00 | 5/5/2009 |
| Publishing Document | Publishing Date | Country | Kind |
|---|---|---|---|
| WO2008/040440 | 4/10/2008 | WO | A |
| Number | Name | Date | Kind |
|---|---|---|---|
| 5884093 | Berenguel et al. | Mar 1999 | A |
| 6275898 | DeKoning | Aug 2001 | B1 |
| 6904599 | Cabrera et al. | Jun 2005 | B1 |
| 7783666 | Zhuge et al. | Aug 2010 | B1 |
| 20020112161 | Thomas, III et al. | Aug 2002 | A1 |
| 20040103261 | Honda et al. | May 2004 | A1 |
| 20040111630 | Hwang et al. | Jun 2004 | A1 |
| 20050108538 | Howard et al. | May 2005 | A1 |
| 20060153052 | Meerwald et al. | Jul 2006 | A1 |
| 20090292871 | Watanabe et al. | Nov 2009 | A1 |
| Number | Date | Country |
|---|---|---|
| 1 672 631 | Jun 2006 | EP |
| 2003-271425 | Sep 2003 | JP |
| 2004-185644 | Jul 2004 | JP |
| 2005-149436 | Jun 2005 | JP |
| 2006-59374 | Mar 2006 | JP |
| 03 015088 | Feb 2003 | WO |
| WO 03054878 | Jul 2003 | WO |
| WO 2004088658 | Oct 2004 | WO |
| Entry |
|---|
| Office Action issued Jul. 1, 2011, in European Patent Application No. 06 020 725.5. |
| Office Action issued Apr. 14, 2011, in China Patent Application No. 200780037033.1 (English translation only). |
| “FAQ Softlock.cd” Internet Article, [Online] XP002414300 Retrieved from the Internet: URL:http://www.softlock.net/faqs.asp> [retrieved on Dec. 14, 2006]. |
| Japanese Office Action Issued Jun. 26, 2012 in Patent Application No. 2009-530772 (with English Summary translation). |
| Number | Date | Country | |
|---|---|---|---|
| 20100011382 A1 | Jan 2010 | US |
