1

I am working at a small software startup and we are in the process of licensing software we have developed to another company. The software is written in C++ and runs on Linux.

This is not the first time we license software to this company. We suspect that parts of a previously delivered software have been used for other programs than those agreed upon. However we were not able to prove this, since we had delivered source code and the company distributes compiled executables, which retain no evidence of our ownership.

This time we would like to make sure that the company uses our software only for purposes covered by the license agreement. We do not want to restrict the usability of our software, but we would like to somehow sign our code so that we can identify it when it is part of a larger program.

As a first measure this time we will deliver our software as a shared library instead of source code. However, the company could still rename the library file, remove copyright notices from the file or statically embed it into an executable using the tools described in this post. Therefore I am searching for possibilities to apply some sort of digital signature to the ELF file we are going to deliver.

I was learning about the ELF file format and the various things to consider when writing shared libraries, but I found little information on how to digitally sign ELF files. I came across tools like elfpgp or signelf, however they do not seem to be actively maintained. I am particularly looking for a signature technique that would stay in place even if the library was embedded into a larger executable.

How can I sign a Linux shared library in a way that allows me to identify it and to prove ownership of the library? Which measures can I take to do so even if my library is statically embedded into an executable?

kassiopeia
  • Yes, you could theoretically sign a library, somehow. And anyone can then simply remove the signature. Not that having a signed library actually does anything. There's nothing in the Linux kernel that will refuse to load a library with an invalid signature, so I'm afraid you just wasted a lot of time on nothing but hot air. In general, trying to make bits uncopyable or not alterable is like trying to make water not wet. – Sam Varshavchik Mar 27 '17 at 10:52
  • You could use a SHA1 or similar to have the signature of the shared objects you are giving and use that to compare afterwards. – Tomaz Canabrava Mar 27 '17 at 10:54
  • @TomazCanabrava Where would the signature go in the ELF file? Are there dedicated sections for such a purpose? – kassiopeia Mar 27 '17 at 10:58
  • A bit off-topic. Perhaps instead of signing you could set up a kind of online license server, so that all instances of your program need to have a kind of "approval" from it, or log some data to it... It will surely take you some effort to set it up, but it might be much more secure than what you have mentioned. – dmi Mar 27 '17 at 10:59
  • @dmi Thanks for your suggestion, but we would prefer not to have usage restrictions in our software. It would be enough if we can identify our software even if it is part of a larger program. – kassiopeia Mar 27 '17 at 11:00
  • Then I would assume you can implement a SW interface which will provide you an aggregated (a kind of unique) hardcoded (and distributed through your library) code. Then you can call this interface from your SW at any time to see what it returns. Then you will be somewhat able to identify what version of the library is used, but this won't prevent its use in another unauthorized SW, I think... – dmi Mar 27 '17 at 11:03
  • Perhaps. You can add one more dependency (a kernel module) which will also be supplied to your client with your library, and which your library will have to connect to upon instantiation. Then you could introduce a bit more of a host-wide check. But again the lib can then be run on another PC... – dmi Mar 27 '17 at 11:06
  • @dmi This sounds interesting. So I would implement code that represents some kind of a signature? Can you point me at any examples on how this can be done? It is not a problem if this does not prevent the code from executing, we are just looking for ways to identify it. – kassiopeia Mar 27 '17 at 11:08
  • Ah, I have no example at hand right away. What can be done: you can declare some global variables in different modules of your library. Then on some basis pack the code into those. Then in the translation unit which provides you the SW interface you aggregate the info into a key form and return it to the caller. It is important that the variables and the function are named in a way that doesn't give the impression they are relevant to a security check, and to distribute the key info through different modules so that it is heavily fragmented. – dmi Mar 27 '17 at 11:13
  • Perhaps instead of a key, the lib could dump the name/hash/whatever of its process to the syslog. You just ask your customer for access to the syslog, and you will see where your library has been used. If no access is granted, they would like to hide something. I don't think someone will edit the syslog each time your lib is used, and sooner or later you'll catch it. – dmi Mar 27 '17 at 11:20
  • Check out digsig https://github.com/digsig-ng/linux-digsig and Linux IMA https://lwn.net/Articles/532778/ – sailfish009 Mar 27 '17 at 11:43
  • To the person saying "Not that having a signed library actually does anything". That's so wrong. Signing a library gives other customers confidence that the library hasn't been tampered with since the company signed it. – dotMorten Jun 18 '18 at 20:52
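
One way to realize the embedded-identifier idea from the comments above, as an added example that is not code from any of the posters: a keyed marker record that the build compiles into the library's read-only data, plus a scanner that finds and verifies it in any file, whether a renamed `.so` or a statically linked executable. The record layout, `MAGIC`, the key and the licensee ids are assumptions constructed for illustration, and the byte strings stand in for real ELF files.

```python
import hashlib
import hmac

MAGIC = b"WMK\x00v1\x00\x01"   # constructed 8-byte marker (hypothetical format)
TAG_LEN = 32                    # HMAC-SHA256 output size
KEY = b"constructed-demo-key-not-a-real-secret"


def make_record(key: bytes, licensee: str) -> bytes:
    """Bytes a build step would compile into the library as a const array."""
    ident = licensee.encode("ascii")
    if not 0 < len(ident) < 256:
        raise ValueError("licensee id must be 1..255 ASCII bytes")
    body = MAGIC + bytes([len(ident)]) + ident
    return body + hmac.new(key, body, hashlib.sha256).digest()


def scan(blob: bytes, key: bytes):
    """Return (offset, licensee, tag_ok) for every complete marker in blob."""
    hits = []
    pos = blob.find(MAGIC)
    while pos != -1:
        len_at = pos + len(MAGIC)
        if len_at < len(blob):
            end = len_at + 1 + blob[len_at]
            body, tag = blob[pos:end], blob[end:end + TAG_LEN]
            if len(tag) == TAG_LEN:  # skip records cut off by end of file
                good = hmac.new(key, body, hashlib.sha256).digest()
                ident = body[len(MAGIC) + 1:].decode("ascii", "replace")
                hits.append((pos, ident, hmac.compare_digest(tag, good)))
        pos = blob.find(MAGIC, pos + 1)
    return hits


RECORD = make_record(KEY, "ACME-2017-0042")
# Constructed stand-ins for a renamed .so and a statically linked executable.
RENAMED_LIB = b"\x7fELF" + bytes(64) + RECORD + bytes(16)
STATIC_EXE = b"\x7fELF" + bytes(300) + RECORD + b"other code" * 20
TAMPERED = STATIC_EXE.replace(b"ACME-2017-0042", b"ACME-2017-0099")

if __name__ == "__main__":
    for name, blob in [("lib", RENAMED_LIB), ("exe", STATIC_EXE), ("tampered", TAMPERED)]:
        print(name, scan(blob, KEY))
```

A marker like this only identifies copies that still carry it: as the first comment says, anyone who locates the bytes can patch them out, and in a static link the array survives only if the linker does not discard it as unreferenced. The HMAC tag shows the record came from the key holder; it is a stand-in for an asymmetric signature, which a third party could check without being given the secret.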

2 Answers

1

Package the library in an RPM or other distribution-compatible package file, and use the digital signature capabilities in the package management system.

Douglas Held
-5

There is currently no elfsign support in the GNU toolchain, and it's not likely that there ever will be due to the implications for software freedom.

To whom do you want to prove ownership? Shouldn't the fact that you have the source code and build scripts be sufficient to convince anyone that you are the real author, and not some impostor?

Florian Weimer
  • I can't see how signing binaries is against software freedom. I want to be sure that shared library loaded by my process was indeed provided by trusted party. How is that against software freedom? – Jędrzej Dudkiewicz Feb 14 '18 at 11:40