How to secure my linux C program against piracy


I have written a program in C which I need to prevent from illegal use by copying. The system will be connected to the internet. How to make this program run only on this computer or a unique computer? Can we use HTTP POST and fetch from an external server some encrypt codes? Any ideas will be useful. Don't know if this is already answered; I searched but could not find results.


There are 2 best solutions below

2
hamza kılıç On

The only secure way is using USB dongles, giving the licence over USB dongles.

0
Basile Starynkevitch On

How to secure my linux C program against piracy

You probably can't.

If I am expert enough and motivated enough, I could decompile your binary executable (or study it with binsec), study its dynamic behavior (with e.g. strace or gdb, etc...), or detect your tricks and patch then build and install my Linux kernel source code (it is free software) to circumvent your protections.

In other words, if your adversary is as powerful as the NSA, you have lost that game.

Conceptually the "protection" of a C program can be related to the halting problem and to Rice's theorem. Gory and difficult details are left as an exercise to the reader. And you'll find tons of academic papers about software obfuscation techniques (a quite effective one being in practice compiling and linking with gcc -flto -O3 then stripping the resulting executable).

How to make this program to run only in this computer

Read more about DMZ and iptables. Protect that computer by legal means and by physical means (including even 24h/24 machine guns armed guards to avoid it being stolen or damaged; they would cost you much more than the computer itself). Invest years of your time to learn more about cybersecurity (you could make a PhD on that at my workplace).

The socially and economically effective protection is a good license (EULA) written by some costly and expert lawyer. If your clients are corporations, they won't risk breaking that license, even if technically they could. (think of what could happen if they did). Observe that proprietary programs on Linux have in 2019 less protections against piracy than those in 1999 (and that even Oracle or SAP are not making most of their profit, while selling Linux proprietary software, on software licenses but on related services). Study the business model of RedHat and its profits. Read papers or books on economics of open source (e.g. this one, the most cited one).

According to rumors, Oracle's costly binaries don't have protections. But I use free software RDBMS.

And if you add too-complex-to-deploy protections into your software, you are just losing potential clients.

The most difficult step is to find actual clients for your software, not to invent or deploy difficult technical tricks to avoid piracy. You could use some existing, but imperfect, license manager. My guess is that you won't find many clients (and you could give your source code to each of them, with a suitable license -perhaps a restricted license written by your lawyer- without harming your business; most persons on Earth don't even have the necessary skills to compile your source code, and those who do won't risk to go against the laws and the contracts, written by your lawyer, signed by you and them, without a very strong incentive; and I won't accept or trust your binary without having glanced into your source code before).

Don't spend a lot of effort on protecting your software. Do spend months of effort on documenting it properly, debugging it, and commercializing it (and, once you have a client who paid you, on training and helping your client to use your software).

PS. My personal feeling is that even if you gave me your binary Linux executable for free -as in beer- I won't even bother trying it (because I probably don't need it, and certainly because I don't trust you enough).

PPS. For me, the most important aspect of a Linux distribution is to be made of free software (a.k.a. libre software) or open source. It is certainly not the "gratis" (or free as in beer) aspect of Linux. I value freedom above the fact of not paying Debian. I am professionally writing free software, and I am paid for that.

NB. Look also into this draft report and its bibliography. It is border-line relevant to your question. And consider subcontracting the protection work at my workplace (send me an email at [email protected] if you are really serious). The lab I am working at is collectively capable of adding good protection to your code. Allocate then a budget of several hundred thousands € for that service, and at least 100k€ (for a few person-months of work). My boss would be delighted if such a contract becomes reality (but I would find such a task very boring).