Copy Protection

Stephen Early steve at greenend.org.uk
Fri, 7 Sep 2001 14:38:39 +0100


On Thursday, 6 Sep 2001, Mike Brodbelt wrote:

> Now, my understanding of the low level detail of x86 hardware is
> insufficiently good to be certain, but I believe that a protected mode OS
> has almost complete control over the instructions executed by a child
> process, and can mess with it to its heart's content.

It certainly can.

> The OS is responsible for setting up virtual address space for the child
> process's code and data, and as such, has pretty much complete control
> over the execution environment, down to the ability to inspect each
> instruction before execution, if it so wishes.

Indeed. However, this doesn't gain you as much as you might think: in
the general case it's impossible to write a program that can work out
what another program is going to do. (Think "halting problem".)

If you're just looking for instances of a particular instruction
(e.g. the ix86 cpuid instruction) you might have some luck; however, if
the program is able to generate code and execute it you're back to
inspecting each instruction before execution; I don't think you can
spot it with a static analysis.

I don't approve of including non-virtualisable instructions in the
processor's user mode instruction set, but unfortunately I think that
they are going to become more and more a fact of life. It's possible
to deal with them moderately efficiently in some cases (see "dynamic
scan-before-execute technique" in
http://www.plex86.org/research/paper.txt), but someone writing
copy-protection code that makes use of non-virtualisable instructions
could easily make their code inefficient under virtualisation.

I think we've strayed a long way from the list topic...

Steve Early
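As an added illustration of the point about scanning for a particular instruction (this is example code written for this page, not anything from the thread or from plex86), the following C program runs a naive byte scan for the two-byte CPUID encoding (0F A2) over two constructed, never-executed x86 byte sequences: one that only holds CPUID in XOR-encoded form until "run time", so a static scan of the image misses it, and one that contains no CPUID at all but embeds the same two bytes as an immediate operand, so the byte scan reports a false hit. The XOR key and both images are invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive static scan: count byte pairs matching the CPUID encoding (0F A2).
 * It sees only bytes present before execution and ignores instruction
 * boundaries, which is the source of both failure modes shown below. */
size_t count_cpuid(const uint8_t *code, size_t len) {
    size_t hits = 0;
    for (size_t i = 0; i + 1 < len; i++)
        if (code[i] == 0x0F && code[i + 1] == 0xA2)
            hits++;
    return hits;
}

#define KEY 0x5A /* constructed XOR key, chosen for this example */

/* Constructed image (not a real binary): CPUID is present only XOR-encoded,
 * so the static scan of the file finds nothing. */
static const uint8_t ENCODED_IMAGE[] = {
    0x31, 0xC0,             /* xor eax, eax */
    0x0F ^ KEY, 0xA2 ^ KEY, /* CPUID bytes, XOR-encoded with KEY */
    0xC3                    /* ret */
};

/* Constructed image with no CPUID: 0F A2 appears only as the little-endian
 * immediate of "mov ax, 0xA20F", so the byte scan false-positives. */
static const uint8_t IMMEDIATE_IMAGE[] = {
    0x66, 0xB8, 0x0F, 0xA2, /* mov ax, 0xA20F */
    0xC3                    /* ret */
};

/* Simulate the program decoding its payload into a buffer at run time; this
 * is what a scan-before-execute stage would see. Nothing is executed. */
size_t decode_payload(uint8_t *out, size_t out_len) {
    if (out_len < sizeof ENCODED_IMAGE) return 0;
    memcpy(out, ENCODED_IMAGE, sizeof ENCODED_IMAGE);
    out[2] ^= KEY;
    out[3] ^= KEY;
    return sizeof ENCODED_IMAGE;
}

size_t static_hits_encoded(void) { return count_cpuid(ENCODED_IMAGE, sizeof ENCODED_IMAGE); }
size_t static_hits_immediate(void) { return count_cpuid(IMMEDIATE_IMAGE, sizeof IMMEDIATE_IMAGE); }
size_t runtime_hits_encoded(void) {
    uint8_t buf[sizeof ENCODED_IMAGE];
    return count_cpuid(buf, decode_payload(buf, sizeof buf));
}

int main(void) {
    printf("encoded image: static %zu, after decode %zu\n", static_hits_encoded(), runtime_hits_encoded());
    printf("immediate-only image: static %zu (false positive)\n", static_hits_immediate());
    return 0;
}
```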