Security of Software

Having spent a long time getting a program to do what I want I don't mind publishing it on this Forum for anyone to use, but if I sell the hardware embedded in a box that also needs support I don't want to give it away to the opposition.

So the question is:-

Once I've uploaded a program into an Arduino Uno can anyone who gets their hands on the Uno successfully extract the program?

Any thoughts very welcome.

Tim

You can use the fuse settings to activate lock bits.

The chip datasheet and google will have loads more results.

I'm not talking about PIC chips etc but an Arduino Uno.

Unfortunately the link was close to incomprehensible to me.

To extract the program out of an unprotected Uno, I assume there is a special software tool not included in the Arduino IDE ?

A puzzled,

Tim

timmoore46: I'm not talking about PIC chips etc but an Arduino Uno.

So are we.

timmoore46: Unfortunately the link was close to incomprehensible to me.

Such is life.

timmoore46: To extract the program out of an unprotected Uno, I assume there is a special software tool not included in the Arduino IDE ?

It's called "avrdude". It is the utility that the Arduino IDE uses to interface with the bootloader.

timmoore46: Once I've uploaded a program into an Arduino Uno can anyone who gets their hands on the Uno successfully extract the program?

If the Atmega 328 is unprotected they will be able to extract the compiled code as a series of Hex values. It may be possible with a lot of hard work to make sense of that and "convert" it back into human-understandable code. But unless you have done something extraordinarily clever it would probably be easier to write equivalent code from scratch.

Of course someone could extract your code and upload it to other Atmega 328 chips without understanding it - just like making bootleg copies of CDs.

...R
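As an added example (not posted by anyone in this thread), the shell helper below decodes an ATmega328P lock byte so you can check whether a unit you are about to ship still allows the read-out described above. The bit layout follows the ATmega328P datasheet; the function names and the sample bytes are constructed for illustration.

```shell
#!/bin/sh
# Decode an ATmega328P lock byte, as read back with for example:
#   avrdude -c <programmer> -p m328p -U lock:r:-:h
# (<programmer> is a placeholder for your ISP programmer id).
# A lock bit is "programmed" when it reads 0. Bits 7..6 are unused.
#   bit 1..0 = LB2,LB1      external (ISP/parallel) programmer access
#   bit 3..2 = BLB02,BLB01  boot-section code accessing the application

# lb_mode BYTE -> prints 1, 2, 3 or "reserved"
lb_mode() {
    case $(( $1 & 0x03 )) in
        3) echo 1 ;;         # 11: no memory lock
        2) echo 2 ;;         # 10: further programming disabled, reads allowed
        0) echo 3 ;;         # 00: programming and verification (read) disabled
        *) echo reserved ;;  # 01: not a defined mode
    esac
}

# Succeeds if an external programmer can still read flash and EEPROM.
# Anything other than LB mode 3 is treated as readable.
isp_readable() {
    [ "$(lb_mode "$1")" != 3 ]
}

# Succeeds if code in the boot section (e.g. a serial bootloader) may
# still read the application with LPM, i.e. BLB02 is unprogrammed.
boot_can_read_app() {
    [ $(( $1 & 0x08 )) -ne 0 ]
}

# One-line summary for a lock byte.
lock_report() {
    isp=no
    boot=no
    if isp_readable "$1"; then isp=yes; fi
    if boot_can_read_app "$1"; then boot=yes; fi
    echo "LB_mode=$(lb_mode "$1") isp_read=$isp bootloader_read=$boot"
}

# Constructed sample values, not read from real hardware.
for b in 0x3F 0x0F 0x3C 0x30; do
    printf '%s: %s\n' "$b" "$(lock_report "$b")"
done
```

The 0x3C sample is the case to watch: the ISP programmer is locked out, but a bootloader left on the chip that answers read requests is not restricted by LB mode 3 alone.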

Now that I can understand ! It answers all my questions !

Thank you very very much !

A very happy,

:sweat_smile:

Tim

@ OP, you might read this too... http://forum.arduino.cc/index.php?topic=259388.0

Doc

Robin2:
Of course someone could extract your code and upload it to other Atmega 328 chips without understanding it - just like making bootleg copies of CDs.

Undeniably this happens quite a bit, look at all the clones of the Saleae logic analyzer, various programmers, etc. out there, especially on eBay. Once you have that code, figuring out the schematic and how to clone it is about as easy as one could hope for, a continuity tester is just about the only tool you need.

Tim,
The real issue for you if you decide to sell this as a closed source product will be the s/w licensing.
If you are using Arduino libraries, it will be impossible to comply with the licensing terms of the Arduino libraries,
if you don’t want to fully disclose all the source code

The issue is not with the gnu tools and gcc avr compiler s/w libraries that come with the IDE
but rather the Arduino libraries.
Different Arduino libraries have different licensing terms.
The license might be GPL, LGPL, BSD, MIT, or even freeware.
The bulk of libraries that come with the IDE are LGPL 2.1+
a few are GPL 3.0

Remember that the “free” in GPL/LGPL open source is about freedom and user rights.

If you use a GPL 3.0 library then all the code must conform to GPL 3.0 and you must
open source all the code - That is “price” for using a GPL 3.0 piece of s/w.
GPL 3.0 is a “You can use this code, if you share your code with everyone else” license.
Also, if you use GPL 3.0 you waive your patent rights that might be related to your code.

Many people mistakenly believe that LGPL 2.1+ can be freely used in a closed source project/product
very similar to an MIT, BSD or even a freeware license.
This is not the case. While LGPL 2.1 source modules can be used in closed source projects/products,
in order to fully comply with the GNU LGPL 2.1+ license, there are some things you must do.
This is the “price” you pay for using LGPL 2.1 licensed s/w.
The biggest thing you must do is that you must provide a means for the user to
rebuild the s/w image so that he can modify/update/maintain the image he received.
LGPL 2.1 is a “You are allowed to use it in a closed source project, but you must provide a means for users
to update any of the LGPL 2.1 source components used” license.

In other words, the high level goal of both LGPL and GPL is to always allow the user access to and the
ability to modify LGPL and GPL modules even once they are linked into a larger work.
In other words, even with LGPL, you can never lock out a user's ability to modify the open source portions
of the code, even if it is used as component of larger closed source project/product.

The LGPL 2.1 license is quite clear that if you use it in a closed source project/product you must
provide all the pre-compiled objects and build scripts so that an end user can rebuild the image
with updated versions of the open source modules.

For example, if you ship an image in your AVR, and there were an update/bug-fix to the digitalWrite() code,
the user has to have the ability to re-create the image using the updated code.

The Arduino guys very much dance around this issue.
Here is an excerpt from their FAQ page: http://arduino.cc/en/Main/FAQ

Using the Arduino core and libraries for the firmware of a commercial product does not require you to release the source code for the firmware. The LGPL does, however, require you to make available object files that allow for the relinking of the firmware against updated versions of the Arduino core and libraries. Any modifications to the core and libraries must be released under the LGPL.

The problem with this, is that section 6(a) of the LGPL 2.1 requires more than that:

Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable “work that uses the Library”, as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library.

In the case of shipping a product with a firmware image that uses Arduino code,
that would fall under the executable work portion above,
which still requires that the user have the ability to modify the open source components and create
a modified executable (firmware image) with the modified library.

Where this gets very sticky and impossible to comply, is that currently the wimpy Arduino IDE build system
has no way to build/re-build an image using pre-compiled images.
Because of this, it is impossible to comply with the LGPL 2.1 licensing terms when trying to create
a closed source Arduino project/product that uses the Arduino IDE since the user has no way
of modifying/updating the code of any of the LGPL 2.1 modules used and then re-creating a new firmware image as is
required by 6(a) of the 2.1 LGPL

So in the ultimate irony, the Arduino platform and core libraries used LGPL 2.1 licenses but there is no way
to comply with it for closed source Arduino projects/products so they might as well have used GPL licensing
which would have made it more obvious that you can’t create closed source projects.

— bill

bperrybap: Many people mistakenly believe that LGPL 2.1+ can be freely used in a closed source project/product very similar to an MIT, BSD or even a freeware license. This is not the case.

As a practical matter, has anyone ever been sued over this, and who enforces this? How do they detect it? Do they have a crack squad of engineers buying every electronics product in the world, including very niche products, no matter how expensive, to see if it has an Atmel chip in it or not and then reverse engineering it to see if obvious compiled images of their software are in it? Just wonderin'...

JoeN:

bperrybap: Many people mistakenly believe that LGPL 2.1+ can be freely used in a closed source project/product very similar to an MIT, BSD or even a freeware license. This is not the case.

As a practical matter, has anyone ever been sued over this, and who enforces this? How do they detect it? Do they have a crack squad of engineers buying every electronics product in the world, including very niche products, no matter how expensive, to see if it has an Atmel chip in it or not and then reverse engineering it to see if obvious compiled images of their software are in it? Just wonderin'...

Yes people/companies have been sued. http://en.wikipedia.org/wiki/Gpl-violations.org http://gpl-violations.org/ http://lwn.net/Articles/250798/

In terms of who enforces it, there are several but FSF, SFLC and SFC being some of the better known entities.

I'll agree that as a practical matter it is often difficult to discover violations, and then enforcing GPL/LGPL licensing against a violator can end up being expensive. Not just in a chip, but in s/w products from major companies including the likes of Microsoft.

There are many dishonest people and companies out there stealing and repackaging open source in their own products in order to unfairly monetize the work of others.

There is nothing to stop anyone from being dishonest, and in most cases, particularly in small run products, the likelihood of being caught, much less being prosecuted for it, is extremely low.

It is no different than cheating in professional athletics. The rewards can be high and the risk of being caught and punished for it are low, so some people cheat.

--- bill

bperrybap: It is no different than cheating in professional athletics. The rewards can be high and the risk of being caught and punished for it are low, so some people cheat.

Some?

Many people mistakenly believe that LGPL 2.1+ can be freely used in a closed source project/product

Apparently including the Arduino project leaders, since they state in various places that you CAN build closed source projects with the arduino libraries. (http://arduino.cc/en/Main/FAQ ) The GPL/LGPL actual license terms are as bperrybap states, and are obnoxiously incompatible with closed-source embedded products, despite what fsf sometimes seems to say. The ability to produce proprietary products is very much oriented toward desktop-like environments :-( (This is why you won't see a GPL license on avr-libc, or newlib, or anything I ever write, even though they're also open source.)

(Does FSF/etc actually pursue violators of the gnu licenses on software where they are not the license holder? I don't think I know of any project that has been called out on the LGPL re-linkability requirement.)

Providing object files of your proprietary project that are linkable with new versions of the arduino libraries is likely to be pretty spectacularly useless to almost everyone. But the requirement does make attempts to protect the object code in the chip using the AVR hardware mechanisms technically/legally meaningless. (OTOH, I believe that you don't have to "publish" such object files in network-retrievable form. You just are supposed to (at least) provide them on request.)

westfw:

Many people mistakenly believe that LGPL 2.1+ can be freely used in a closed source project/product

Apparently including the Arduino project leaders, since they state in various places that you CAN build closed source projects with the arduino libraries. (http://arduino.cc/en/Main/FAQ ) The GPL/LGPL actual license terms are as bperrybap states, and are obnoxiously incompatible with closed-source embedded products, despite what fsf sometimes seems to say. The ability to produce proprietary products is very much oriented toward desktop-like environments :-(

While the license is more generally applied to desktop environments, it is possible to make it work for embedded environments and there are cases/examples of companies that have properly complied in embedded environments. TIVO being a very notable one. I've also seen the object files and makefiles for Samsung phone s/w, and for several embedded GPS devices. You can also find the code and build tools for many android phones out there. These are what are being used to create many of the custom roms you see out there. The rebuild requirement is what ensures you have the needed components to allow you to rebuild a custom phone rom even though some of the code is closed source.

Some of the TIVO "abuse" of LGPL and GPL 2.x is what led Stallman to create GPL 3.0 to tighten up the licensing. Ironically, even many of the things that Michael Tiemann was doing back in 1989 when he started Cygnus were HORRIBLE and extreme abuses of GPL (CopyLeft - back then) and are no longer allowed under current GPL terms. Tiemann took over and re-wrote the gcc compiler and linker in the main gcc distribution to use a slightly different object format. He then refused to give you linker source to a few modules for some of the newer RISC processors and also refused to license the binary objects to them unless you paid Cygnus 10's of thousands of dollars! I tangled heavily with him back then and he finally relented after several of us were going to release a backport of the old object format code to get around his abuse.

(This is why you won't see a GPL license on avr-libc, or newlib, or anything I ever write, even though they're also open source.)

I went the other route and any open source projects I write are GPL 3.0 which restricts its use to open source projects/products. i.e. I'll only share my efforts with other fully open source authors/projects.

(Does FSF/etc actually pursue violators of the gnu licenses on software where they are not the license holder? I don't think I know of any project that has been called out on the LGPL re-linkability requirement.)

Yes. But not so much in the US. Also I haven't dug deep enough into the cases to know whether the cases were LGPL vs GPL. Go read about some of the recent cases with SFLC and SFC. They have determined that there is enough money coming in to sustain the litigation. So now they are taking on cases on behalf of other authors. So far, this has mainly been for large works like the linux kernel, or something like ffmpeg where there are commercial violators with money to go after. What is interesting is that it only takes a single author to enable the case, and it can proceed even if all the other authors willingly decide not to proceed or waive their rights.

Providing object files of your proprietary project that are linkable with new versions of the arduino libraries is likely to be pretty spectacularly useless to almost everyone. But the requirement does make attempts to protect the object code in the chip using the AVR hardware mechanisms technically/legally meaningless.

I don't necessarily agree with all of that. Projects that are developed using more traditional unix style scripting tools like make, etc... can be fairly easy to rebuild for a developer type person with average skills. Where things are pretty hopeless is when using proprietary tools and IDEs which are quite common for Windows development and environments like Arduino.

But I do agree that most people and users of a product are not developers. And for them this kind of stuff is of no value. But then those types would not be building any s/w anyway, so you have to exclude them from the people that the license was designed to offer rights to.

--- bill