1

I would like to verify that users are running particular source code. Is there a way this could be achieved?

I want to verify that the original "algorithm" has been followed correctly if you will. What I need is for the user to send "pure" (not tampered) GPS traces.

Since Trusted Execution Environments are used for streaming movies in a way that the user cannot copy the content, could one rely on TEEs to verify that the code has been run unaltered?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Fred
  • 11
  • 1
  • Source code, not compiled code? If so, what's preventing the user from writing their own code? I think we need more details here and to better understand your goal. – schroeder Apr 07 '21 at 14:11
  • 4
    Does this answer your question? [Is it fundamentally possible to validate that an unmodified version of your client connects to your server?](https://security.stackexchange.com/questions/72091/is-it-fundamentally-possible-to-validate-that-an-unmodified-version-of-your-clie), [Verifying android application integrity from server side](https://security.stackexchange.com/questions/112312/verifying-android-application-integrity-from-server-side). – Steffen Ullrich Apr 07 '21 at 14:33
  • You're right. The same source code would yield different compiled code on different machines, so I want to verify that the original "algorithm" has been followed correctly if you will. And yes, nothing's preventing the user from writing their own code. What I need, is for the user to send "pure" (not tampered) GPS traces. So it's not like an application or something. – Fred Apr 07 '21 at 14:37
  • 1
    *"... What I need, is for the user to send "pure" (not tampered) GPS traces."* Unless you can define a criteria for untampered, you can't test for it. – user10216038 Apr 07 '21 at 15:12
  • 1
    You are talking about DRM which is a broken solution. – defalt Apr 07 '21 at 15:17
  • @user10216038 I agree that I pretty much can't test the data to see if it has been tampered with or not. That's why I want to verify the process in which the data has been handled. – Fred Apr 07 '21 at 15:40
  • @defalt what do you mean by "broken solution"? – Fred Apr 07 '21 at 15:41
  • Short answer: you can't. You need to find a different approach entirely than trusting the client-side. – schroeder Apr 07 '21 at 18:54
  • ... and we didn't even get onto the topic of [*GPS signal spoofing*](https://en.wikipedia.org/wiki/Spoofing_attack#GPS_spoofing)! – brynk Apr 10 '21 at 02:19

0 Answers0