Is Intellectual Property Security a Myth ?

Written by JoeStagner
Posted December 18, 2012 at 3:54 pm

Is intellectual property protection a myth?

In a word, yes, sort of, at least in a technically acruate sense.

Last week I had a conversation with a developer who told be that his company would never develop an HTML5 app because his intellectual property was far too valuable to share with anyone who wanted it.

Of course, upon further discussion, like most of the developers that have said this to me over the years, what he was really concerned with is software piracy, but lets talk about the former first.

Developers, like the one I was talking to above, insist that their distributed applications be compiled so that their source code is “secured”.

Ok, 1999 called to say it misses you !

I was working at Microsoft when we released the beta versions of .NET. Included in the SDK was a decompiler. Developers around the world went nuts because all their source code would be stolen !

The truth of the matter is that source code is retrievable from compiled applications on all popular computing platforms. Just a bit of crafty googling will find you de-compilers for C#, Java, Visual Basic, C/C++ and a plethora of other languages.

These will turn your executable binaries into source code. Which tool you use would depend on the type of file you are decompiling which can be determined by headers in the files themselves.

The common response is that the code is not the same as the original source code, and that is true, it may be harder to read (or it may be easier) but either way the “intellectual property” would be exposed.

And there are other ways to get source code for an app too.

You will also find disassemblers that turn an executable binary file into assembly code. They basically convert the executable machine instructions into platform specific Assembly code instructions. If assembly code is not your thing you could them run a source translator to convert the Assembly into another language like “C”.

Of course this still doesn’t deliver the exact source code written by the developer. The resulting source code may not even be recompilable without modification, but again, the “Intellectual Property” has been retrieved.

There are very clever tools like the Holodeck Debugger that allow a skilled hacker type to view in real time what instructions are being executed by the operating system. (Holodeck is an AMAZING tool for good guy developers too !)

It’s possible to implement an encrypted operating system (file system, memory, runtime, ect.) that could decrypt programs in isolation for execution, but characteristics of such an operating system would make it unsuitable for general consumer use.

So, when we talk about intellectual property protection in our applications it’s important to understand that what we are really talking about is just increasing the difficulty level involved in stealing our code or using it in meaningful ways that oppose our desires.

.NET and Java developers who felt the need solved this problem by using pre-compilation obfuscators. The obfuscation process converted the source code to a product that, while syntactically valid, made no sense to the human viewer.

When decompiled the hacker has access to only the OBFUSCATED source code. The intellectual property was still in there, but for all intents and purposes, still secret. The process of reverse engineering code delivered after this obfuscation / compilation was too time consuming to be of interest. This makes the intellectual property secret in a practical sense, it not a purely technical one. Some obfuscators even produces source code that would feail recompilation attempts.

Likewise, people have been securing the logic and the content of the web for a long time. Obfuscators exist for HTML, CSS, and JavaScript. If you’re a web developer you have certainly cracked open a page or a downloaded a JavaScript file and seen huge strings of hex digits. Those were probably a method of obfuscation.

For example, the following simple JavaScript program:

var a="Hello World!";
function MsgBox(msg)
{
    alert(msg+"\n"+a);
}
MsgBox("OK");

When obfuscated becomes this.

var _0xf979=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21","\x0A",
"\x4F\x4B"];var a=_0xf979[0];function MsgBox(_0xa221x3)
{alert(_0xa221x3+_0xf979[1]+a);} ;
MsgBox(_0xf979[2]);

Using the application will expose what it does but viewing the source code does dot expose HOW it does it.

There are really two things that people are interested in defending against. One is people using their software for free, the other is people stealing their source code which is to say the algorithms that are specific to their applications.

If you’re build an app using web standards (HTML5/JavaScript/CSS) you need to decide how much “protection” is enough to satisfy your concerns.

Of course the most secure method is to keep the parts of your logic that need to be secret on the server. You can modify your application’s architecture so that some functionality is only available when an internet connection is present.

You can use obfuscated client side assets to confuse prying eyes from easily hacking the APIs. Of course, if an even higher level of security is necessary, you can further restrict access to the APIs by using SSL and a per request token based authentication mechanism.

Similarly, once you have done the above you can use similar methods to assure that the user of your app is authorized to use it by periodically requiring an authentication handshake. (Mozilla apps will provide an API to help the developer do exactly this using Persona and the MozApps receipt system.

Many organizations have discovered that these concerns are never realized when their apps become public but above are a few ideas that you can use to make stealing your code more difficult. Remember, there is no such thing an an app that can’t be reverse engineered. But you can make them work for it !

Filed under: Op-Ed, Security

RSS feed for comments on this post

3 Responses to this post

Havvy on December 18th, 2012 10:37 pm

I just want to point out that while deobfuscation is usually not undertaken, there is at least one case where it has been successfully done: The Minecraft source code via the Minecraft Coder Pack. While not all functions are deobfuscated, and it is up to the modding community to name the methods, the source code is still quite readable.

I’ve also spent time deobfuscating JavaScript code with success, but only for small scripts.

As far as the hex encoding version, it would take me all of five minutes to convert the hex into non-hex and this is actually the hardest encryption scheme I’ve actually seen for JS. Most obfuscation schemes I see are done via evaling the results of a deobfuscator function on obfuscated source code all passed to the client.

Really, the only true way to keep your code safe from prying eyes is to never have it run on the user’s computers and keep it server side.
Robert Kaiser on December 19th, 2012 2:41 pm

Apart from that, there is no such thing as intellectual “property” that can be “stolen”. Property is something you don’t have any more after someone has taken it from you, by stealing or selling/buying or other means.
Intellectual content can only be copied or re-used without authorization, you still retain it yourself as well, so the damage is not in someone taking it away from you but in someone sharing it without your consent or in a way you didn’t want them to.
The same kind of sharing, when done *with* your consent, is the basis for education and innovation, and by not allowing people to share it, you are prohibiting education, evolution and innovation, as well as your work growing into something bigger, creating your legacy.
I understand people value the products of their work and want to ensure they and their families get fed and can make a living, and I surely respect that. But in many cases this is just being taken too far. The examples of people making a living by creating open code are growing more and more, and the cases where people are paid for creating code that then is taken into the open are on the rise.
In any case, even if you want to protect your code, this is about copyright about sharing, not about property and stealing.
Pankaj Nikam on December 20th, 2012 5:14 pm

I am a hard core .NET developer and I am always thinking about securing my intellectual property. Obfuscators are good however they also fail at some point. There is nothing secure. Any dedicated person can get the important piece of code. If its a web app, at least the business logic and the database logic is secured. When it comes to desktop apps, one can never be assured that the information is safe and secure. No language can safeguard against the de-compilation of its output. HTML5 apps can be good because of its support on multiple devices. If you don’t want to share your business logic, you can always rely on web services or WebAPI for handling the logics. However its easier to view the source of HTML app as compared to others.
The trick you mentioned about obfuscating JavaScript code is also great. There are numerous online tools available for it too. At least it will keep some people at bay!
Intellectual property, I believe, is seriously a myth!

MisfitGeek (Joe Stagner)

Is Intellectual Property Security a Myth ?

Powered by …

Your Host.

Recent Posts

Posts

Catagories

Older Posts

Tags

Admin

My Tweets

Blogroll