GNU is Not Unix Programming IT Technology

New Method To Detect and Prove GPL Violations

qwerty writes "A paper to be presented at the upcoming academic conference Automated Software Engineering describes a new method to detect code theft and could be used to detect GPL violations in particular. While the so-called birthmarking method is demonstrated for Java, it is general enough to work for other languages as well. The API Benchmark observes the interaction between an application and (dynamic) libraries that are part of the runtime system. This captures the observable behavior of the program and cannot be easily foiled using code obfuscation techniques, as shown in the paper (PDF). Once such a birthmark is captured, it can be searched for in other programs. By capturing the birthmarks from popular open-source frameworks, GPL-violating applications could be identified."
  • by Ungrounded Lightning ( 62228 ) on Saturday August 25, 2007 @02:35PM (#20355123) Journal
    An identical library call signature for a nontrivial part of the execution could be produced by a clean-room analysis or even independent development of an equivalent component. Neither of these is a GPL violation.

    This is not to say that the technique wouldn't be useful for hunting down GPL violations. But a positive is not definitive by itself.

    Meanwhile code obfuscation (even automatically generated obfuscation) could easily modify at least the timing, if not the order, of such calls.

    Nevertheless this is a powerful tool: A hunk of GPL code that hasn't had its flow obfuscated systematically (even code that HAS been obfuscated but not systematically) will have large swaths of code that trips the detector. And it doesn't require reverse engineering until after the alarm goes off.

    Good job, guys.
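The mechanism the summary describes, and the two caveats raised in the comment above (a clean-room implementation can partially match; injected calls change the call sequence), can be seen in a toy model. The block below is an added illustration, not the paper's implementation and not code posted by anyone in this thread. Everything in it is an assumption chosen for the example: a stand-in "runtime library" of decorated Python functions whose calls are logged, a k-gram birthmark (every window of k consecutive library calls), and a containment score (the share of the original's k-grams present in the suspect). The sample input and the four toy programs are constructed.

```python
"""Toy dynamic API birthmark (added example; assumptions noted in comments).

Record the calls a program makes into its runtime library, reduce the trace
to a multiset of k-grams, and score how much of the original's birthmark a
suspect program contains.
"""
from collections import Counter
import functools

TRACE = []  # library calls recorded during the current run


def api(name):
    """Mark a function as a runtime-library entry point whose calls are logged."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            TRACE.append(name)
            return fn(*args, **kwargs)
        return wrapper
    return deco


# Stand-in runtime library (constructed; names only mimic Java APIs).
@api("Integer.parseInt")
def parse_int(s):
    return int(s)

@api("List.add")
def list_add(lst, x):
    lst.append(x)

@api("Collections.sort")
def coll_sort(lst):
    lst.sort()

@api("StringBuilder.append")
def sb_append(buf, s):
    buf.append(s)

@api("StringBuilder.toString")
def sb_to_string(buf):
    return "".join(buf)

@api("System.nanoTime")
def nano_time():
    return 0


def run_traced(program, *args):
    """Run program and return (result, ordered list of library calls it made)."""
    TRACE.clear()
    result = program(*args)
    return result, list(TRACE)


def birthmark(trace, k=3):
    """k-gram birthmark: multiset of every window of k consecutive API calls."""
    return Counter(tuple(trace[i:i + k]) for i in range(len(trace) - k + 1))


def containment(original_bm, suspect_bm):
    """Share of the original's k-grams (with multiplicity) found in the suspect.
    1.0 means the original's observable behaviour sits wholly inside the suspect."""
    total = sum(original_bm.values())
    if total == 0:
        return 0.0
    shared = sum(min(n, suspect_bm.get(g, 0)) for g, n in original_bm.items())
    return shared / total


def score(original_prog, suspect_prog, sample, k=3):
    """Trace both programs on the same input and score the suspect against the original."""
    _, t1 = run_traced(original_prog, sample)
    _, t2 = run_traced(suspect_prog, sample)
    return containment(birthmark(t1, k), birthmark(t2, k))


# The "GPL" routine: parse comma-separated ints, sort them, join with ';'.
def original(csv):
    nums = []
    for tok in csv.split(","):
        list_add(nums, parse_int(tok))
    coll_sort(nums)
    buf = []
    for n in nums:
        sb_append(buf, str(n))
        sb_append(buf, ";")
    return sb_to_string(buf)


# Same code after identifier renaming and control-flow restructuring: the
# library-call sequence is untouched, so the birthmark matches exactly.
def renamed_copy(q):
    z, toks, i = [], q.split(","), 0
    while i < len(toks):
        list_add(z, parse_int(toks[i]))
        i += 1
    coll_sort(z)
    b = []
    for v in z:
        sb_append(b, str(v))
        sb_append(b, ";")
    return sb_to_string(b)


# Copy with a spurious library call injected into the output loop: k-grams that
# span the injection break, so the score drops but stays far above clean_room.
def padded_copy(csv):
    nums = []
    for tok in csv.split(","):
        list_add(nums, parse_int(tok))
    coll_sort(nums)
    buf = []
    for n in nums:
        sb_append(buf, str(n))
        sb_append(buf, ";")
        nano_time()
    return sb_to_string(buf)


# Independent clean-room implementation of the same spec: shares only the few
# k-grams any program that builds a string this way would produce.
def clean_room(csv):
    nums = sorted(parse_int(t) for t in csv.split(","))
    buf = []
    for n in nums:
        sb_append(buf, "%d;" % n)
    return sb_to_string(buf)


if __name__ == "__main__":
    sample = "3,1,2"  # constructed input
    for name, prog in [("renamed copy", renamed_copy),
                       ("padded copy", padded_copy),
                       ("clean room", clean_room)]:
        print("%-13s output=%s  containment=%.2f"
              % (name, prog(sample), score(original, prog, sample)))
```

Two points the numbers make: the renamed copy scores 1.0 because renaming and loop restructuring never touch the library-call sequence, which is what the birthmark records; the padded copy still scores well above the clean-room version, but the drop shows why a single containment figure is a lead for further investigation, not proof on its own. A real tool would trace many inputs and a much larger library surface; k and the containment threshold are tuning choices, not fixed by the method.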
  • by mark-t ( 151149 ) <markt.nerdflat@com> on Saturday August 25, 2007 @02:44PM (#20355171) Journal
    How did you know they were cheating and didn't derive their similar approaches from a common origin (presumably material that was presented in class or else from the textbook)? My experience with marking for a computer science professor showed that about 80% of the students approached any given programming assignment almost exactly the same way in terms of their final implementation... their common origin being something the teacher described during a lecture.
  • Re:No, really (Score:4, Insightful)

    by The Bungi ( 221687 ) * <thebungi@gmail.com> on Saturday August 25, 2007 @02:58PM (#20355281) Homepage
    That won't do. The GPL is really more of a social instrument than a software license, so for people like Stallman a BSD-style license (which is just one step above public domain and true freedom) would be unacceptable. A lot of bandwidth and keyboard lubricant has been spent over the years to ensure that everyone thinks the GPL is the "best" software license - and the thousands of developers that buy into the FSF "freedom, with caveats" spiel by using the GPL (because well, that's what everyone uses) without really understanding what it's for are part of that problem.

    As you can imagine I really don't like the GPL or the FSF or Richard Stallman or any of his friends too much. While I recognize their contributions I think that they've fallen into the trap of trying to force everyone to convert to what has become a quasi-religion where the Inquisition is more important than celebrating mass.

  • Re:No, really (Score:2, Insightful)

    by Anonymous Coward on Saturday August 25, 2007 @03:10PM (#20355349)
    You can use the BSD license for your code if you unconditionally believe that "more copies of good code = better world". Heck, in many countries you can put code directly in the public domain. For those who think that authors of good (open) code need to be able to get an advantage in return for their generosity, so that they can keep being generous and produce more good code, there's the GPL, and that needs some level of enforcement.
  • Re:No, really (Score:2, Insightful)

    by Ian Alexander ( 997430 ) on Saturday August 25, 2007 @03:10PM (#20355353)
    That was akin to my first thought: If opensource code is really so superior to closed source code, and if the world would be better off if all apps had been built from those codebases, then shouldn't we *encourage* it to be "pirated", for everyone's net benefit??

    One of the strengths of open source is that improvements are shared. If one company just makes some improvements to an open source project and then redistributes it in a way that violates the terms of the license designed to keep it open, that only completely undermines that strength. Open source code isn't necessarily superior. It's the development model of open source.

    Either way, it's a pretty shitty thing for a company to do. Just follow the damn license. It isn't hard.
  • by arth1 ( 260657 ) on Saturday August 25, 2007 @03:11PM (#20355359) Homepage Journal
    My guess is that it would work much better for java and possibly C++ than more concise languages which don't have tonnes of implicit calls and inheritances. And even with OO languages like java, I'd think that simply adding a try in the middle would change the fingerprint quite a bit.
    Also worth considering is what a compiler optimiser might do -- they can be quite good at rearranging code different ways depending on whether optimising for speed or code size, and what the target is. That's probably another reason why this might work better with java, which only has rather rudimentary jit optimiser.

    If this tool can help identify some infringing code, that's well and good, but I wouldn't rely on it, wouldn't think it would add much if any legal weight, and neither would I think it could replace a thousand eyes.

    Anyhow, the real problem, as I see it, with identifying open source code pilfered and added to a closed source project is that you generally aren't allowed to reverse engineer the code itself to see what it actually does. So even if you're Very Damn Sure that a piece of commercial software illegally uses open source and sells it as its own closed source, you're not allowed to investigate and come up with evidence. You'll have to file a suit and get a judge to order the code examined, and with only a good hunch to go on, and no way to document a financial loss, and probably not having too deep pockets yourself, that's rather unlikely to go anywhere.
    Which is why I think it's important that we support institutions like FSF, which can occasionally fight the battle on behalf of the little guy.

    Regards,
    --
    *Art
  • Re:No, really (Score:3, Insightful)

    by marcello_dl ( 667940 ) on Saturday August 25, 2007 @03:32PM (#20355511) Homepage Journal
    The code doesn't need freedom. People need freedom. Let the bad guys incorporate GPLed stuff and they are likely to become an issue because they'll enhance it and defend it as if it were all their own, against similar enhancements done to the GPLed branch.

    Besides, If i were to buy software from a company I'd like to know if it's stuff they designed and know line by line or if they just rebranded things i could obtain for free elsewhere.

    I say, if you can expose them, do it.
  • Very Cool (Score:2, Insightful)

    by maz2331 ( 1104901 ) on Saturday August 25, 2007 @03:34PM (#20355531)
    This is very cool and potentially useful. By itself it wouldn't be enough to force compliance or win a violation suit, but it could well be enough to meet the threshold for filing a suit and forcing source code analysis in discovery. Really, it is a great tool to have to ensure that open source license terms are respected by removing the "code anonymity" inherent in a binary.
  • Re:No, really (Score:4, Insightful)

    by TheRaven64 ( 641858 ) on Saturday August 25, 2007 @03:34PM (#20355533) Journal
    For Open Source code, you are right. The Open Source movement believes in the superiority of the 'bazaar' development mode. If you try to create a closed fork then you are going to fall behind the open version, and have to spend a lot of time and effort merging changes from the main tree.

    The Free Software movement, however, believes that code which protects the user's freedoms to use, modify and distribute it is intrinsically superior, and that people who wish to write code that does not respect these freedoms should not be aided by being able to use the work of those who do.

    As such, an Open Source advocate would not mind, because the closed copy would quickly become inferior. A Free Software advocate would object, because their work would be being used for (in their view) unethical purposes (denying end users their freedoms).

  • Re:No, really (Score:5, Insightful)

    by Daishiman ( 698845 ) on Saturday August 25, 2007 @03:52PM (#20355683)

    You know, I'm absolutely tired of the BSD trolls that claim that the BSD license is "freer", not because I have a beef with the BSD, simply because your definition of "freedom" is ludicrous.

    There are no absolute freedoms. Freedom to infringe on other's rights or freedoms gives more freedom to yourself, but limits it to other members of society. So long as there are things that cannot be owned or achieved communally without side effects to others, freedoms have a limit, that is the actions that you cannot do so that others can do them.

    The GPL definition of freedom is that software and derivatives must always, under all conditions, be free. Yes, it is a restriction to the developer who would wish to close up his source and use a GPLed piece of code, but it is an additional freedom to all the users who now have access to this source, which would have otherwise been denied.

    Analogy time: the King is free to treat his peasants as dogs if he wished and if he has sufficient power to repress any opinions the peasants would have about that. The peasants, however, are limited by the freedoms the king has. Therefore the balance of freedoms for a more equal society would be that the king's freedoms be limited in order to allow the peasants to live their life.

    So as you said, the GPL is also a social instrument, but it is no less free than the BSD; it simply distributes freedoms in a different manner. If you have a problem with that, use whichever license you wish to use. But don't go around accusing the GPL of limiting freedoms when it gives others freedoms that the BSD could never guarantee.

  • Re:No, really (Score:3, Insightful)

    by Kjella ( 173770 ) on Saturday August 25, 2007 @03:53PM (#20355697) Homepage
    Oh I think everybody understands it just fine because it's basically "Modify it any way you want. If you distribute it, source code goes with it". Ok so it's not free as in public domain, but who really has a problem with the GPL? Only those that want to take source code and not distribute source code. Which is fine, I'd love it if someone did my work so I could download it off the Internet too. I just don't see why anyone should bother to listen to them, no matter how many strawmen are being used about "real" freedom. The freedoms you don't get are the difference between free software and free labor.
  • Re:No, really (Score:1, Insightful)

    by Anonymous Coward on Saturday August 25, 2007 @05:57PM (#20356817)
    No restrictions -> More freedom.

    That doesn't follow in the real world, where we have other restrictions, i.e. copyright law. That allows people to take code and make it proprietary, which they otherwise couldn't. In an environment like that, it causes a net increase of freedom when there is an incentive to make code available under an open source license. Licensing software under the GPL provides that incentive by supplying functionality in return for making derivative works open source.
  • Re:No, really (Score:3, Insightful)

    by DaleGlass ( 1068434 ) on Saturday August 25, 2007 @06:09PM (#20356915) Homepage
    The GPL vs BSD "freedom" argument is really boring semantics. Whether the GPL is freedom, slavery, communism or whatever else you want to call it is irrelevant to me: It does precisely what I want, which is why I use it.
  • Re:No, really (Score:4, Insightful)

    by Daishiman ( 698845 ) on Saturday August 25, 2007 @06:21PM (#20357013)

    > GPL -> Distribution restrictions. BSD -> No restrictions. No restrictions -> More freedom. More freedom -> Possible unsavory side effects that people choose to live with

    GPL -> Code will always be open and derivatives will stay that way
    BSD -> Code can be closed off and new improvements to it can remain closed off forever.
    Always open code -> More freedom
    Sometimes open code -> Permanent loss of freedom with regards to that code.
    Indeed, logic is great.

    > BSD has a similar one, except that it doesn't place restrictions on how that happens. No one can make BSD-licensed software "non free", it will always be available to everyone. The only difference is that it might not benefit from coerced third party improvements, but that's what you sign up for.

    I never said that you can't sign up for that if so you wish, but code is always used within contexts, and when used in the context of proprietary software, any improvements on the code will be lost, any bug fixes will be lost, any added functionality will be lost.

    Sure, some people will build upon it, but losing the obligation of putting the improvements back into the codebase means that it will eventually stagnate, and that the improvements that could have been used for the good of everyone who contributed can be denied at will. Look at FreeBSD with OS X: Apple got the foundation of their OS for free, and after that they simply closed up the rest at will. Perhaps the Apple folks got to improve their memory management, or add some new DRM techniques. Whatever they've done, the FreeBSD devs will never get to see it.

    If they don't mind as users and developers to see their work used to create a proprietary, vendor-locked platform then it's their prerogative; as a user and dev I prefer to make sure that my code is an established base of constant improvement. With the GPL they're empowered and free to do that; with BSD new parties are empowered to do whatever and completely ignore original creators aside from the required attributions.

    Notice that I'm not saying the BSD license is more free; it is equally free, but shifting freedom to new developers and vendors to be, IMO, lazy bastards and profiting for nothing, while GPL shifts it to original developers, contributors and users to get reciprocal treatment from others. You're free to think that the former is more important; I believe the latter brings greater benefits to everyone in the long term.

    > BSD has a similar one, except that it doesn't place restrictions on how that happens. No one can make BSD-licensed software "non free", it will always be available to everyone. The only difference is that it might not benefit from coerced third party improvements, but that's what you sign up for.

    No one is coercing anyone here. If you had read and understood the GPL, and it looks like you haven't, you'd know that the conditions apply only to those who want to redistribute software. If you want to keep your patches to yourself you can do that and it's your right, but if you're going to be using other's code to sell it or gain from it you have to abide by the creator's conditions. Going back to my point about freedom, perhaps as distributor you have less leeway regarding your changes, but your users have just gained the guarantee that they'll always be able to see and change the code. The BSD could not have done that.

    > BSD licenses guarantee absolutely nothing. Here's the code, do whatever the heck you want with it. The perceived benefits to using the GPL are nice, but please don't insult people's intelligence by claiming they result in more freedom. A restriction to ensure X or Y is still that - a restriction. The distribution restrictions on the GPL are designed to further Stallman's social causes (some of which I actually agree with). If you feel that's fine, then by all means use the GPL. That's your choice.

    You hit the nail on the head. Th

  • Re:No, really (Score:1, Insightful)

    by Anonymous Coward on Saturday August 25, 2007 @08:55PM (#20357907)

    >...but who really has a problem with the GPL? Only those that want to take source code and not distribute source code...

    ...and those of us who are tired of jackasses like you and RMS braying about how it's the only licence worth having and calling those who don't agree thieves (like you just did in the above quote).

    Seriously, you guys come across worse than Jehovah's Witnesses. We don't agree with your childish principles and want nothing to do with you or your code; we are quite capable of writing our own, thank you. STFU and leave us alone.

  • by SnowZero ( 92219 ) on Sunday August 26, 2007 @05:31AM (#20360729)
    Not really... That argument assumes that all classes teach the same subject: compromising verification systems and covering your tracks. Most classes in CS teach something else, with some examples being computer graphics, machine vision, and game programming. So, how has a computer vision professor failed to teach a student properly, if the student cheats and is caught in his class? At best, that's a computer security problem, which is normally an advanced enough class that cheaters don't make it that far. That weeding out of people who can't actually do the work is one reason why cheating is always most prevalent in introductory classes.

    So, while the argument might make some sense in the right situation if you squint enough, it's about as valid as a criminal telling a police officer "You should thank me, because I'm the one keeping you employed." Sure, whatever.
  • by mwvdlee ( 775178 ) on Monday August 27, 2007 @07:21AM (#20369903) Homepage
    I have released code under BSD license (as well as GPL, zlib/libpng, Boost, public domain and proprietary, and probably a few others).

    The LEAST of my concern in releasing ANY open source is some childish popularity contest.

    The only valid reason for me has always been the hope of getting something in return. In the case of BSD, this return is usually "applications that work better". Without the BSD TCP-stack, Windows would probably be worse quality, how would that have benefitted anybody except the anti-Microsoft zealot?
