Tutorial :Distribute a application to the public so they can compile, without revealing the source



Question:

I have a proprietary application I would like to hand out to a few people for testing, except we do not want to reveal the source to them. The application is written in C++ for Linux. It links against readily available packages on the Fedora/Ubuntu repos.

Is there any way to process the source to something intermediate... then distribute it, and have the users do a final compile which actually compiles and links the intermediate code to their native platform.

I am trying to see if there is any alternative to distributing precompiled binaries. Thanks.


Solution:1

It's not a technical answer, but do you trust them enough to just ask for a signed NDA?


Solution:2

Just compile it to assembler. Can be done using the -S option.

helloworld.cpp:

#include <iostream>    using namespace std;    int main(void)  {      cout << "Hello World" << endl;      return 0;  }  

And then do:

emil@lanfear /home/emil/dev/assemblertest $ g++ -S -o helloworld.s helloworld.cpp  emil@lanfear /home/emil/dev/assemblertest $ g++ -o helloworld helloworld.s  emil@lanfear /home/emil/dev/assemblertest $ ./helloworld  Hello World  

Using this method you can distribute only the .s-files which will contain very hard to read assembler.


Solution:3

You can process the existing source code to "mangle" it; basically this consists of stripping out all comments, and changing variable names to be minimal and stripping out all source code formatting. The problem is, they can relatively easily change the variable names back and add formatting and comments; while they won't have the same level of information in the resultant source code as you do, they WILL have completely functional source code (because that's what you distributed to them). This is about the only way to do this sort of thing.


Solution:4

In short, no. By definition if they can compile it then they have your source. The best you can do is increase the pain of them trying to understand it.

I agree with John. If you have a small number of clients and trust them, an NDA would be a better route.

Another thing I just thought about... what about just running the preprocessor and compiler, but not the assembler and the linker? You would need a copy for each specific architecture's assembly language, but I assume that would be painful enough to dissuade editing while easy enough to compile.


Solution:5

You could divide your application in two parts: first part will contain precompiled libraries with the OS independent functionality, and the second one will contain a little parts of sources that users would compile. In such way NVIDIA distributes their drivers.


Solution:6

You could obfuscate your C/C++ code. See my question for C/C++ obfuscation tools


Solution:7

If it's C, you can use the clang compiler, then dump the LLVM intermediate representation. If it's C++, you might need to wait a while until clang's C++ support matures.


Solution:8

The best solution I can come up with is to either limit the number of platforms you support and do your own compilations, or compile to a binary format that is hard to extract information from, but the user can compile this to their native format.

Personally I would go with option 1.


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »