Slashdot Mirror


Can Watermarking Help Find GPL Violations?

bitkid writes "I recently ran across techniques that can be used to watermark program code. While I have yet to see some source code for this to play with, the authors claim that the watermarks can be introduced into the source code and can be found in the compiled executable. My question for the Slashdot crowd is: Do you think free software (GPL or other viral licenses) should be watermarked? This could help to find GPL violations (think Everybuddy or Linksys) or can be used in court someday against the next SCO to prove authorship. What might be the ramifications of this?"

12 of 265 comments

  1. Useful, but easy to get around. by The Head Sage · · Score: 5, Insightful

    This would be useful to prove that code is under the GPL, but this could simply be gotten around by just looking at the code, then rewriting it yourself. But, of course, this will take time and money, something big business hates to spend. But the technology is useful.

    --
    To NULL or not to NULL.
    1. Re:Useful, but easy to get around. by floydigus · · Score: 5, Insightful

      Absolutely right.

      Furthermore, you could automate the process by writing a script to do things like randomising white space, replacing variable names, and even rewriting simple flow control constructs.

      I would suggest that if it is deemed important to be able to establish the originator of the code, then the originator should publish it as theirs as soon as it is written, or at least give it to an independent witness for safekeeping.

      --

      All things in moderation; including moderation

    2. Re:Useful, but easy to get around. by kasperd · · Score: 5, Informative

      randomising white space, replacing variable names

      Those are things that cannot be seen in the resulting executable; the watermark is claimed to be found even in the resulting executable. (Yes, I know in some cases variable names can be visible in the executable, but you can easily prevent them from being there.) I somehow doubt this watermarking is at all possible. With optimizing compilers it is hard to find resemblance between source and executable. Finally, knowing how the watermarks are made on the code, it is probably easy to write another but slightly similar algorithm that will remove the watermark.

      --

      Do you care about the security of your wireless mouse?
  2. Beware the flipside by egg troll · · Score: 5, Insightful

    I would be very careful with using something like this. It's nice to think that one could use watermarking for protecting GPL'ed code. However, should the technique prove successful, expect to see everything under the sun watermarked by less benevolent entities.

    --

    C - A language that combines the speed of assembly with the ease of use of assembly.
  3. Re:Watermark? by Doomrat · · Score: 5, Funny

    we are talking about a bunch of 1s and 0s here. If it can be watermarked, it can be unwatermarked. A simple script will be able to rearrange stuff to disrupt the watermark without affecting the execution of the program.

    Yes, a bit like how it's easy to reconstruct a burned down house from its ashes.

  4. details about watermarking techniques by gripdamage · · Score: 5, Informative

    The paper cited in the first link is from a professor I once had.

    On his website I found his full article, if you want some details about watermarking techniques. It has a lot more meat than the presentation slides.

  5. as usual by snarkh · · Score: 5, Insightful
    The submitter did not bother to look at the article (or rather the presentation).

    The main idea is that you embed the watermark into the code and then obfuscate it. The resulting code is unreadable, otherwise the watermark would be trivial to remove, which makes it absolutely useless as far as open source is concerned.

  6. Re:I think not by LuxFX · · Score: 5, Insightful

    If the trademark stuff gets too hectic

    If?

    Can I have directions to your hole, I'd like to live there too.

    --
    Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
  7. Re:Watermark? by Naerbnic · · Score: 5, Informative

    Perhaps this is true for static data (as in a bunch of source code), but you can insert a watermark into code, which will create a dynamic watermark (i.e. something that depends on the runtime operation of the program). To make a long story short, you cannot easily remove it by rearranging binary code, and it's difficult (i.e. NP-complete for those in the know) to analyze the software to remove it. Tack on the fact that you can tamperproof the code (i.e. make the behavior of the program depend on the existence of the watermark), and you have a pretty difficult path to walk if you want to remove it.

    More info can be found in this paper, if you're into reading that sort of thing.

    --


    So there I was, juggling apples and small animals, when I accidentally bit into the wrong one...
  8. Does it really matter??? by Pedrito · · Score: 5, Insightful

    I wrote a book ages ago about Windows File Formats. Included in the book was some code which was written by a third party. I obtained permission from the code's author to put it in the book, but it was very clearly copyrighted by the author of the code, both in the code, and in the book.

    So Intel is working on a product and they just swipe up the code out of the book, never ask for permission or anything, and use it in a commercial product (VTune). The author of the code, of course, was furious. He approached Intel. They blew him off. He had reverse engineered their code. He could produce an exact replica of the binary with his own code using the MS C compiler.

    He never got anything out of Intel. I suppose he could have hired attorneys, but he wasn't a wealthy guy. He couldn't find attorneys to take it without cash up front. So my question is: How do watermarks help him? I mean the guy could put the binaries side-by-side, and there was no question, it was his code.

    Your code is as protected as the lawyer you can afford...

  9. Not easy -- story submitter is confused by 0x0d0a · · Score: 5, Interesting

    Look at the techniques. This stuff is designed for use on binary-only software (with the sole exception of the comment embedding, which is easy to strip, and the embedded strings, which are easy to remove/modify).

    The approaches they're talking about are done at the compilation phase or post-compilation on Java bytecode.

    It's *extremely* difficult to produce good, reliable watermarks, because different compilers will build software differently, as will different optimization options.

    I'd essentially say that source-based watermarks are a lost cause (at least with C, and with the current constraints of readability and simplicity on code).

    A much better approach would be a project that does fuzzy comparisons on binaries, and is somewhat aware of ELF. Basically, you'd have a program that would have a set of known GPL code (a compiled Linux system would work well) and compare it to a set of compiled code.

    This is still not perfect if the person is malicious and just tries using a different compiler. This has happened before with xvid and use of icc. However, there aren't *too* many compilers out there.

    Hmm...this is an interesting problem.

    A more interesting approach that just occurs to me now -- in general, the proportions of compiled code should be roughly the same, independent of compiler -- adding padding, etc. Generate a call graph of the function tree in a set of GPL code. Then your checker would do fuzzy matching on chunks of that call graph against the suspicious code. It'd take a bit of massaging. It'd also still need some manual looking at the target once identified. However, this should be able to run in a pretty automated manner (even if it takes a long time to run) and could potentially turn up some interesting goodies. It'd certainly discourage commercial folks from ripping off GPL-using authors and companies.

    Try taking a Windows system with a lot of installed (non-GPL) software and a Linux system with a lot of (GPL) installed software. Start a comparison running. See what turns up.
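
Added example, not part of the thread and not 0x0d0a's code: the call-graph matching idea from comment 9, with each function fingerprinted by the shape of the calls beneath it so that stripped or renamed symbols do not matter. The three call graphs and all function names are constructed for illustration; extracting a call graph from a real binary is assumed to have been done by a disassembler beforehand.

```python
import hashlib
from collections import Counter


def _h(text):
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def fingerprints(graph, rounds=2):
    """Multiset of structural labels, one per function that calls something.

    A label starts as the out-degree and is refined `rounds` times with the
    sorted labels of the callees, so symbol names never enter the hash.
    """
    nodes = set(graph) | {c for callees in graph.values() for c in callees}
    label = {n: str(len(graph.get(n, ()))) for n in nodes}
    for _ in range(rounds):
        label = {n: _h(label[n] + "(" + ",".join(
            sorted(label[c] for c in graph.get(n, ()))) + ")") for n in nodes}
    # Leaf functions all look alike and carry no evidence, so skip them.
    return Counter(label[n] for n in nodes if graph.get(n))


def containment(known, suspect, rounds=2):
    """Fraction of the known code's fingerprints also present in the suspect."""
    fk, fs = fingerprints(known, rounds), fingerprints(suspect, rounds)
    total = sum(fk.values())
    return sum((fk & fs).values()) / total if total else 0.0


# Constructed call graph of a known GPL library (caller -> callees).
GPL_LIB = {
    "parse": ["read_hdr", "read_body", "checksum"],
    "read_hdr": ["read_u32", "checksum"],
    "read_body": ["read_u32", "inflate"],
    "inflate": ["huff_build", "huff_decode"],
    "huff_decode": ["read_bits"],
}
# Constructed stripped binary: same library under sub_* names plus own code.
SUSPECT = {
    "sub_00": ["sub_10", "sub_a0"], "sub_a0": ["sub_b0"],
    "sub_10": ["sub_20", "sub_30", "sub_90"], "sub_20": ["sub_80", "sub_90"],
    "sub_30": ["sub_80", "sub_40"], "sub_40": ["sub_50", "sub_60"],
    "sub_60": ["sub_70"],
}
# Constructed unrelated program.
UNRELATED = {"m": ["x", "y", "z", "w"], "x": ["y"], "y": ["z"], "z": ["w"]}

print(containment(GPL_LIB, SUSPECT), containment(GPL_LIB, UNRELATED))
```

The non-zero score against the unrelated graph comes from one small shape (a function with a single leaf callee) that occurs in almost any program, which is why a hit still needs the manual look the comment mentions.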

  10. How does this help GPL? by scdeimos · · Score: 5, Informative

    Having read the .PDF paper and then skimmed the /. comments it would seem few people have taken the time to actually read (or understand) the paper before commenting on it. Hats off to those who have.

    What is the essence of this watermarking technique?:
    - For embedding copyright information into individual .class files, as opposed to signing .cab's for whole Java apps/applets.
    - It modifies compiled Java bytecode, shuffling eight bytecode operators in targeted "dummy" class methods. The shuffling is able to encode only three bits per operation, so watermarks need to be short or dummy methods need to be large.
    - It relies on the watermarked dummy method(s) appearing in stolen (decompiled/recompiled) .class, which is achieved by pretending to call the dummy method(s) from other methods using always-false logic constructs.

    What are its downfalls?:
    - The technique is specific to Java. Forget about using it for other languages which output platform-specific machine code binaries, although it might be possible to modify it for use in .NET and other bytecode environments.
    - If an intelligent thief (or smart optimizing compiler) is able to detect the always-false condition used to shield the dummy method(s) the watermark(s) will be removed.
    - The larger your watermark, the larger you need to make your dummy method(s), or you need to embed more of them. The larger you make your dummy methods, the more obvious it will be that there's something strange about them.
    - Optimizing compilers could still destroy the modified operators used to form the watermarks.

    The paper also claims it protected more .class files from decompile/recompile attacks than *I* feel it should have: five of the ten .class files crashed their test decompiler (Mocha), thereby "protecting" their watermarks. If someone is keen to re-source your .class file, particularly if there's money to be made, I'm fairly certain they'd try another decompiler instead of giving up on just one crash. I suspect that these five .class files could be decompiled by another utility, so the question of their watermark protection remains unanswered. Potentially this could cause up to 18 (instead of 3) of their 23 watermarks actually being defeated. This is entirely feasible, since only 3 of the 8 watermarks fully tested survived (the other 15 being in the five .class files which crashed Mocha).

    How does this technique benefit GPL? I'm not sure that it would. Even if the above problems were fixed:
    - To submit "source code" for your protected .class, you'd have to compile it, watermark it, decompile it and then post the decompiled version. Not very pretty and what about comments? I suppose you could have a Perl script reinsert comments from the original source, or copy-and-paste the watermarked dummy methods back in.
    - It's really designed to embed personal/corporate copyrights into code, protecting the IP of the submitter not the GPL community. I suppose the GPL community could design a community-wide watermark policy, but then that would become public knowledge and so thieves would be aware of its existence and be inclined to search harder to remove it.
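
Added example, not code from the paper or from scdeimos: a toy model of the scheme summarised in comment 10, where each operator in a dummy method is picked from a set of eight and so carries three bits, and where an optimiser that removes the never-called dummy method removes the mark with it. The eight operators, the sample class and the helper names are assumptions made for illustration; the page does not list the operators the paper shuffles.

```python
# Assumption: eight JVM int operators with identical stack effect. The page
# does not say which eight operators the paper shuffles.
OPS = ["iadd", "isub", "imul", "idiv", "irem", "iand", "ior", "ixor"]


def ops_needed(watermark: bytes) -> int:
    """Operators required: 8 bits per byte, 3 bits per operator, rounded up."""
    return -(-len(watermark) * 8 // 3)


def embed(dummy_ops, watermark):
    """Rewrite the operator slots of a dummy method so they spell the mark."""
    bits = "".join(f"{b:08b}" for b in watermark)
    bits += "0" * (-len(bits) % 3)                 # pad to a multiple of 3
    slots = [i for i, op in enumerate(dummy_ops) if op in OPS]
    if len(slots) * 3 < len(bits):
        raise ValueError("dummy method too small for this watermark")
    out = list(dummy_ops)
    for k in range(len(bits) // 3):
        out[slots[k]] = OPS[int(bits[3 * k:3 * k + 3], 2)]
    return out


def extract(method_ops, length):
    """Read `length` bytes back from a method, or None if it has too few slots."""
    bits = "".join(f"{OPS.index(op):03b}" for op in method_ops if op in OPS)
    if len(bits) < length * 8:
        return None
    return bytes(int(bits[i:i + 8], 2) for i in range(0, length * 8, 8))


def scan_class(methods, length):
    """Candidate marks per method name; the checker must know `length`."""
    return {name: extract(ops, length) for name, ops in methods.items()}


def drop_unreachable(methods, guarded_by_false):
    """Model an optimiser that proves the guard false and removes the callee."""
    return {n: ops for n, ops in methods.items() if n not in guarded_by_false}


# Constructed sample class: one real method and one dummy with 8 operator slots.
DUMMY = ["iload_1", "iload_2", "iadd", "istore_1"] * ops_needed(b"GPL")
CLASS = {"run": ["iload_1", "ireturn"], "dummy": embed(DUMMY, b"GPL")}
```

Even a three-byte mark needs eight operator slots, which is the size pressure on dummy methods that the comment lists among the downfalls.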