details left ambiguous to prevent pre-analysis
Architecture · Mode 2 of 3

Always-Online
License Enforcement

A remote license server holds cryptographic material required for execution. Protected binaries must maintain a periodic connection to the server to function. After a configurable grace period, disconnected binaries silently degrade. All Mode 1 protections are included by default. DRM and Ring-0 are mutually exclusive – choose one or the other on top of the standalone foundation.

01

How It Works

Always-Online DRM is supplemental. All standalone Witness protections (virtualization, encrypted bytecode, anti-tamper, integrity chaining) are included by default. The license server adds a remote trust anchor that binds execution to a valid license and specific hardware.

Protected Binary
  • Contains encrypted VM bytecode with critical values withheld
  • Cannot derive complete decryption keys without server-held secrets
  • Presents hardware fingerprint and license credentials at activation
  • Periodically proves execution integrity to maintain authorization
License Server
  • Stores per-function cryptographic tokens bound to each license
  • Validates hardware identity and enforces machine activation limits
  • Issues encrypted secrets only after successful authentication
  • Monitors heartbeat integrity and revokes compromised licenses
All communication is protected by post-quantum key exchange and authenticated encryption.
02

Attack Surface

What happens when an attacker attempts to bypass the license requirement? Every scenario results in non-functional or degraded execution.

Unlicensed Binary
Attacker obtains the protected binary without a valid license key.
Cannot execute
Critical constants are withheld from the binary at compile time. Without contacting the server with valid credentials, the VM cannot reconstruct correct decryption keys. Every protected function produces wrong results.
Shared License Key
Attacker uses a license key activated on a different machine.
Activation refused
Each activation binds the license to a hardware fingerprint. The server enforces per-license machine limits. A different machine produces a different fingerprint and is rejected once the activation limit is reached.
Network Interception
Attacker captures the encrypted traffic between binary and server.
Cannot decrypt
The key exchange uses post-quantum cryptography, and all sessions are authenticated. The client generates ephemeral keys per session against the server's embedded identity. Captured traffic cannot be replayed or decrypted, even with a quantum computer. Session keys are unique per activation.
Fake Server
Attacker redirects traffic to a server they control.
Authentication fails
The binary authenticates the server using credentials embedded at compile time. A fake server cannot produce valid authenticated responses. The binary detects the impersonation and refuses to proceed.
Binary Patching
Attacker modifies the binary to skip license checks.
Silent corruption
License verification is not a check that can be bypassed. The server-held secrets are mathematically required for correct decryption. Patching out the verification code does not produce the missing key material. Additionally, integrity is woven into every VM operation, so patches corrupt all future computation.
Disconnected Execution
Attacker blocks network access after initial activation.
Gradual corruption
The server periodically issues integrity challenges that are cryptographically entangled with VM execution state. After a configurable grace period, missing heartbeat responses cause progressive corruption of load-bearing cryptographic values. Computation silently degrades until results become unusable.
03

Protocol Lifecycle

A multi-phase protocol establishes and maintains the trust relationship between the protected binary and the license server.

Protected Binary
encrypted channel
License Server
Activation
Present Credentials
Submit license key, hardware fingerprint, and ephemeral quantum-resistant public key
activation request
Validate License
Verify license key, check activation limits, bind hardware fingerprint
Derive Session Keys
Decapsulate server response to establish shared session secret
key encapsulation
Encapsulate Secret
Generate shared secret using quantum-resistant key encapsulation, bind to license
Token Delivery
each protected function
Request Token
Identify function by index, authenticate request with session key
token request
Retrieve & Encrypt
Look up stored function token, encrypt with session key and hardware-specific transform
Apply Token
Decrypt and inject token into VM key derivation – function becomes executable
encrypted token
Log Issuance
Record token delivery for audit trail and abuse detection
Section Decryption
The VM handler section is encrypted with a key that incorporates a server-held augmentation value. After successful activation, the server provides this value, enabling the binary to derive the correct per-page decryption keys. Without it, the entire VM handler section remains encrypted and non-functional.
Continuous Verification
periodic
Heartbeat
Submit execution integrity proof and runtime state digest
integrity proof
Validate & Challenge
Verify proof against expected values, issue fresh challenge for next interval
Incorporate Response
Fold server challenge into load-bearing execution state – missing responses corrupt computation
challenge
Monitor Health
Track heartbeat frequency, detect anomalies, flag suspicious patterns
Enforcement
License violations, expired heartbeats, or tamper detection do not produce immediate error messages. Instead, load-bearing cryptographic values are progressively corrupted, causing silent data degradation. The exact point of failure is ambiguous, making reverse engineering significantly harder.
04

Binding Layers

Six independent cryptographic binding mechanisms operate simultaneously. Each layer independently prevents unauthorized execution.

License Binding
Each license key is cryptographically bound to a limited number of machines. The server enforces activation limits and tracks all bound hardware identities. Revoked or expired licenses immediately prevent token issuance.
Server-side Per-license
Machine Fingerprinting
A cryptographic hash of hardware identifiers uniquely identifies each machine. The server validates the fingerprint before issuing tokens and enforces per-license activation limits. Different hardware produces a different identity that the server refuses to authorize.
Hardware-bound Anti-sharing
Section-Level Encryption
The entire VM handler section is encrypted with per-page derived keys that incorporate a server-held augmentation value. Without this value, the binary cannot decrypt its own interpreter and all execution fails.
Binary-wide Server-gated
Function-Level Token Binding
Critical constants are extracted from each protected function at compile time and stored on the server. At runtime, the server returns these tokens individually. Each function is independently gated by its own token.
Per-function Server-held
Quantum-Resistant Key Exchange
All key exchanges use post-quantum authenticated encryption. Even an adversary with access to a quantum computer cannot decrypt captured activation traffic or recover session keys from network recordings.
Post-quantum Future-proof
Distributed Integrity Verification
A cryptographic computation is distributed across every VM dispatch. Each basic block computes a small piece, and results feed into load-bearing execution state. Removing or patching any piece causes cascading divergence that corrupts all subsequent decryption.
Anti-tamper Every dispatch
05

Security Properties

The combination of server-held secrets, hardware binding, and continuous verification produces the following guarantees.

Per-License Binding
Each license is bound to a limited number of machines. The server tracks activations and enforces limits. Licenses can be revoked at any time.
Per-Machine Binding
Hardware fingerprinting ties tokens to specific machines. Tokens issued for one machine cannot be used on another, preventing license sharing and cloning.
Per-Function Isolation
Each protected function has its own independent token. Recovering one token does not compromise any other function. Granular revocation is possible.
Quantum Resistance
Post-quantum key encapsulation protects all key exchanges. Captured traffic remains secure even against future quantum computing attacks.
Load-Bearing Integrity
Integrity verification is not a removable check. Cryptographic computations are distributed across every dispatch, making tampering mathematically expensive.
Silent Degradation
Failed verifications cause progressive data corruption rather than obvious crashes. The exact point of detection is ambiguous, complicating reverse engineering.
Continuous Verification
Periodic heartbeats verify license validity throughout execution. After a configurable grace period, missed heartbeats cause progressive cryptographic degradation.
Anti-Sharing
Hardware fingerprints, activation limits, and machine-specific token encryption combine to prevent license sharing across different machines.
Server-Side Revocation
Compromised or pirated licenses can be revoked server-side at any time. Revocation takes effect at the next heartbeat interval with no binary update required.
Cross-Function Entanglement
Protected functions share persistent cryptographic state. Each function's execution feeds entropy into a shared accumulator. Breaking one function's protection corrupts the others.
Thread Safety
All VM state is thread-local. Protected functions are fully reentrant and can execute concurrently across any number of threads without synchronization.
Binary Impersonation
The binary's PE structure can be reshaped to match the forensic signatures of other commercial protectors, misdirecting automated classification tools.