I think this is great.
Now i need to figure out how to protect the executable if the virtual harddrive is mounted on another VM and into an OS with root access.
Dan
I think what all the discussions here amount to is that providing Prolog based app in a way to protects its IP is non-trivial.
Its a pity, i think, because Prolog is very well suited to explore novel IP and then also provide a platform for product development – so it doesn’t have to be a throw-away prototype.
Another idea i was mentioned is to package the Oracle Virtual Box command line tool to create a headless running VM which is password protected (i.e. the virtual disk is encrypted via password)-- i.e. the password is included in a protected script – written in a compiled language with the password “scrambled” inside. –
Together with making the Prolog app a service that runs during startup might perhaps do the trick …
I will explore the different solution to see which one would be a best fit …
thank you,
Dan
Altogether I have the feeling that the value of the software itself is decreasing while the value of having someone operate it for you is becoming the deciding business factor. I don’t want to side-track the discussion so just ignore me.
If you refer to commercial value – then the value of software per-see is very small relative to the value of everything else such as an organization that can deliver and enhance the software, the customer base that uses it, the partners within the ecosystem …
But, software that delivers the core value is a necessary condition
Dan
Since computing exists there is no real solution to “protect” a program installed on a customer system as far as the customer can access memory in a way or another … The real question is how much the customer desires to spend time to extract it …
You can try to hide a little of what you did. But, tons of students can also explain how they hacked their university servers to gain access to memory protected areas or some extra cpu they needed … and such techniques are the same ones used with modern viruses …
Once said, protection can be reinforcred in a legal way but then it is David against Goliath. Look at all those big companies making procedures be costly and years long until they pay amounts that they do not care for. That is the reason why some prefered to sell their IP to companies that spend days fighting for rights.
So, if the solution is to provide some intelligent treatment of data, you have 2 solutions :
- have a web server somewhere with just input/output and the “intelligence’” being on the server away from users. And even in that case be sure that your hoster is reliable with the correct security team and firewalls.
- ensure support that make your product need you to maintain it and make it even better because the real value of it is the one who conceived it or goes on maintaining it.
At the end, if you want to secure “peacefully” your revenue, sell it to a big company so that you don’t have to manage the IP on your own. Business has always been jungle as far as money is involved.
@j4n_bur53 as i mentionned if the question is to protect sources then if your program intelligence is on the customer side it can be hacked whatever you do and it has been the case since the beginning of computers. As for GPUs they can be on servers or local equipement or both … all depends on the use and the architecture and it doesn’t change anything about IP problems.
Anyway back to my points 1) and 2) with extra points to protect creations being for example that the intelligence may be related to some data of your own to grab from your servers or your updates or your technical support or specific hardware etc.
A simple trick used by many companies was to add a connection every x times to a server on their side with a key sent to know who uses their products having a license key and when … as far as the customer’s firewall allows it … As for dongles it is a long time that they have been cracked. Moreover, when i was computer manufacturer we could restore wiped or crashed disks or systems, even when encrypted or totally wiped … all is a question of time and having the right tools …
@grossdan I don’t know what is your system done for and how sensitive are the data and source … anwyay if your source is so important (apart from technical points VM, TPM and so on) then the first classical step is to make a sealed legal deposit and if needed have your customer sign a NDA (Non Disclosure Agreement) including financial penalties etc. so that the responsibility in case of robbery be on the customer side and more precisely the President of the involved company or the one signing and that you must check as having the legal signature to do so. Otherwise it is just a cross on a white paper …
I think the idea that the company could reverse engineer the proprietary algorithm executed by the Prolog VM while running in a guest OS within a VirtualBox – seems far fetched enough.
However, a script that send along a clear text password to start and stop a headless VM with an encrypted virtual disk-- would indeed be a simple target and a significant weakeness.
Needs thinking again how this could be overvcome …
Dan
I think i see one key problem here – i can’t ask the client ot keep the machine running all the time – they can’t bring me in (even via, remote login) every time a reboot is required.
Another issue is that disk encrpytion such as bitlocker are tied to user accounts – and hence the user must be logged in for the disk to decrypt during operation …
Perhaps a linux variant can be configured with an encrypted harddrive and that gets decrypted for a background admin/root demon, when the system is booted but not logged in by anyone.
And then perhaps even support another user while protecting the root home disk area
Could you simply build a docker container that doesn’t have bash/sh etc. in it, so one cannot connect to it interactively, only via the web port specified in the dockerfile?
jds
Thanks.
Yes, docker was suggested as well – but reading up on docker, there is apparently no user security feature included – which, means to me that anyone can mount an internal docker volume and thereby see internal files, including prolog source files, provided there.
Dan