This repository contains the reference implementation of a novel distributed software watermarking system employing Byzantine fault-tolerant cross-validation protocols. Our approach addresses the critical challenge of runtime integrity verification in distributed applications through cryptographic watermarking combined with consensus-based validation mechanisms. The system achieves theoretical detection accuracy of 99.75% while maintaining sub-millisecond validation latency, as demonstrated through extensive empirical evaluation.
Modern distributed applications face increasing threats from sophisticated adversaries capable of compromising individual components. Traditional security mechanisms fail to provide real-time detection of compromised modules within complex software architectures. This research presents a cryptographically-sound approach to continuous integrity verification through distributed watermarking.
- Theoretical Framework: Formal specification of distributed watermarking with Byzantine consensus
- Cryptographic Protocol: Novel cross-validation scheme using HKDF-based key derivation and HMAC watermarks
- Implementation: Production-ready implementations in Python and Rust
- Empirical Validation: Comprehensive evaluation demonstrating practical feasibility
.
├── papier_recherche_tatouage_distribue_fr.md # French research paper
├── research_paper_distributed_watermarking.md # English research paper
├── analyse_vecteurs_attaque.md # Security analysis
├── byzantine-watermark-poc/ # Proof of concept
├── libpy/ # Python implementation
└── libru/ # Rust implementation
We consider a distributed application decomposed into n modules B = {B₁, B₂, ..., Bₙ}, where each module Bᵢ maintains:
- State function σᵢ: T → Sᵢ
- Validation set Vᵢ ⊆ {1,2,...,n} \ {i}
- Cryptographic watermark Wᵢ
Theorem 1 (Byzantine Resilience): Given |Vᵢ| ≥ 3f + 1 validators where f represents Byzantine nodes:
Pr[VALID | Bᵢ compromised] ≤ negl(λ)
Theorem 2 (Liveness): For honest module Bᵢ with f < |Vᵢ|/3:
Pr[VALID | Bᵢ honest] = 1 - ε_network
Watermark generation employs hierarchical key derivation:
kᵢ = HKDF(k_master, "module" || i || H(Cᵢ))
Wᵢ = Enc(kᵢ, H(σᵢ(t)) || t || idᵢ) ⊕ PRF(k_master, i || t)
Cross-validation watermarks:
W_{j→i} = MAC(k_{j→i}, H(σᵢ(t)) || H(σⱼ(t)) || t)
Two implementations are provided for different use cases:
Python Implementation (libpy)
- Purpose: Rapid prototyping and research validation
- Dependencies: Python standard library only
- Performance: ~12ms consensus rounds
- Use case: Academic research, proof of concept
Rust Implementation (libru)
- Purpose: Production deployment
- Dependencies: Ring (cryptography), Tokio (async runtime)
- Performance: ~400μs consensus rounds
- Use case: High-performance production systems
cd libpy
pip install -e .
python test_basic.pycd libru
cargo build --release
cargo test --all-featuresEvaluation conducted on standard hardware (Intel Xeon, 32GB RAM) with the following metrics:
- Detection accuracy under various attack scenarios
- Validation latency distribution
- Scalability analysis up to n=10 modules
- Resource consumption profiling
| Metric | Theoretical | Python | Rust |
|---|---|---|---|
| Detection Rate | 99.75% | 100% | 100% |
| False Positive Rate | <0.1% | 0% | 0% |
| Validation Latency | <50ms | 12ms | 0.4ms |
| Consensus Time | O(n²) | 11.87ms | 0.4ms |
Six attack vectors evaluated:
- Network MITM attacks
- Signature forgery attempts
- Timing manipulation
- State injection
- Byzantine coordination
- Replay attacks
Results: 5/6 attacks successfully detected (83.3% prevention rate)
Our approach builds upon foundational work in:
- Byzantine fault tolerance (Castro & Liskov, 1999)
- Software watermarking (Collberg & Thomborson, 2002)
- Distributed consensus protocols (Ongaro & Ousterhout, 2014)
- Cryptographic cross-validation (Bellare et al., 2006)
from byzantine_watermark import DistributedWatermarkSystem, Module
# Initialize system
system = DistributedWatermarkSystem()
# Add application modules
auth_module = AuthenticationModule("auth_service")
crypto_module = CryptographyModule("crypto_service")
system.add_module(auth_module)
system.add_module(crypto_module)
# Configure cross-validation topology
system.add_validation_edge("auth_service", "crypto_service")
# Initialize and validate
await system.initialize()
result = await system.validate_all()
assert result.is_secure()Detailed configuration examples available in:
byzantine-watermark-poc/USAGE.md- POC usage guidelibpy/examples/- Python integration exampleslibru/examples/- Rust integration examples
The system provides protection against:
- Individual module compromise (f < n/3)
- Runtime code injection
- State manipulation attacks
- Byzantine validators
Limitations:
- Assumes secure key management infrastructure
- Requires trusted initialization phase
- Network partitions may cause temporary unavailability
- Key Management: Utilize hardware security modules (HSM/TPM)
- Network Security: Deploy with TLS/mTLS for inter-module communication
- Monitoring: Integrate with SIEM for security event correlation
- Validation Frequency: Minimum 1Hz for critical applications
- Integration with blockchain for immutable audit trails
- Post-quantum cryptographic primitives
- Formal verification using Coq/Isabelle
- Hardware acceleration for cryptographic operations
- Extension to microservices architectures
If you use this software in your research, please cite:
@misc{byzantine-watermark-2024,
title={Byzantine Watermark: Distributed Software Watermarking with Cross-Validation},
author={karlblock},
year={2024},
howpublished={GitHub Repository},
url={https://github.com/karlblock/byzantine-watermark}
}This project is dual-licensed:
- Apache License 2.0 - For open source use (see LICENSE-APACHE)
- Modified MIT License - With attribution requirements (see LICENSE)
See NOTICE for important legal information and attribution requirements.
Commercial use requires explicit permission. Contact: karlblock@protonmail.com
This research was conducted by independent cryptographic researchers. We acknowledge the open-source community contributions and academic collaboration.
Principal Investigator: karlblock
Email: karlblock@protonmail.com
Repository: https://github.com/karlblock/byzantine-watermark
This repository represents ongoing research. The implementations provided are for academic evaluation and should undergo thorough security auditing before production deployment.