We are users of an open source simulation project where the licensing agreement permits distribution of the executable without source. The software is compiled as a DLL and can be initialized at launch in two ways:
- It reads a series of human readable text files to allocate/set different variables. This is the default option.
- Alternatively, an optional source file is provided with the distribution to set variables at compile time. There's no need for the input files.
The second option came into existence because users have expressed hesitation distributing the input files because they contain IP about the thing they are simulating. The developers were kind enough to accommodate.
Question: Suppose the second option is used by Company A to distribute the executable for their clients to use. What actions can Company A take to ensure the data is protected/safeguarded/encrypted? The paranoia here is to be sure someone can't use the source to find patterns (through decompilation or other means) in the executable and discover the variable values at compile time.
The OSes are Linux, OS X and Windows.
- This seems similar to several existing questions about binary obfuscation (e.g. stackoverflow.com/questions/2273610/…). – Oliver Charlesworth, May 22, 2016 at 17:50
- If it's in the binary it can be found. Period. There is experimental research to make the program behaviour impossible to understand, but it's not really usable. – fuz, May 22, 2016 at 17:52
- Far too broad. This is no consulting site. – too honest for this site, May 22, 2016 at 18:00
- Please don't change your question after it has received answers. – Mat, May 22, 2016 at 18:49
1 Answer
None.
The fact the tool is open source has very little to do with the question. With one minor tweak, it is the same answer for IP compiled into closed source program.
Encryption doesn't work. You can read more about it here, but in a nutshell, you need to provide your adversaries both the locked data and the key. Such a scheme effectively has a key length of zero, and is called "obfuscation".
A further complicating factor is that your adversary is interested in data that passes along a well-defined interface to a DLL. Anyone can monitor the interfaces between your program and the DLL, and get the actual data, as easily as if it were in a file.
The only thing you can do, and here open source comes to your aid, is to integrate your IP into the DLL, and then try to obfuscate the whole thing. As before, be aware that this is only effective in making it more difficult to get to the data, never impossibly so.
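The answer's point about shipping the locked data together with the key, as an added example (not part of the original answer or the simulation project): a pre-release scan Company A could run over its build to see whether compile-time values appear verbatim. The secret values, the XOR masking, the key and the `build` stand-in for the DLL's data section are all constructed for illustration.

```python
import struct

def encodings(value):
    """Byte patterns a compiler typically emits for one constant."""
    if isinstance(value, str):
        return {"ascii": value.encode("ascii"), "utf-16le": value.encode("utf-16-le")}
    return {"float64-le": struct.pack("<d", value), "float32-le": struct.pack("<f", value)}

def audit(blob, secrets):
    """Return (name, encoding, offset) for every secret visible verbatim in blob."""
    hits = []
    for name, value in secrets.items():
        for label, pattern in encodings(value).items():
            offset = blob.find(pattern)
            if offset != -1:
                hits.append((name, label, offset))
    return hits

def xor_mask(data, key):
    """Toy masking step; the DLL must carry the same key to undo it at load time."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed values standing in for the contents of the input files.
SECRETS = {"drag_coefficient": 0.31847, "material": "alloy-7X"}
KEY = b"\x5a\xc3\x19\x77"  # constructed key, embedded in the build like any constant

def build(masked):
    """Constructed stand-in for the data section of the compiled DLL."""
    raw = struct.pack("<d", SECRETS["drag_coefficient"]) + SECRETS["material"].encode("ascii")
    body = xor_mask(raw, KEY) if masked else raw
    return b"\x00" * 16 + body + b"\x00" * 8 + KEY

if __name__ == "__main__":
    for masked in (False, True):
        print("masked" if masked else "plain", audit(build(masked), SECRETS))
    # A clean scan is not a confidentiality guarantee: the key ships in the same blob.
    blob = build(True)
    print(xor_mask(blob[16:32], blob[-4:]))
```

A scan like this catches values left in the clear; an empty result for the masked build only means the values are no longer stored verbatim, which is the "more difficult, never impossible" outcome the answer describes.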