Login/Register
Distribute a application to the public so they can compile, without revealing the source
Asked Answered
c++compilationobfuscationdistributeprecompile
J

8

11

I have a proprietary application I would like to hand out to a few people for testing, except we do not want to reveal the source to them. The application is written in C++ for Linux. It links against readily available packages on the Fedora/Ubuntu repos.

Is there any way to process the source to something intermediate... then distribute it, and have the users do a final compile which actually compiles and links the intermediate code to their native platform.

I am trying to see if there is any alternative to distributing precompiled binaries. Thanks.

Jacquelinejacquelyn answered 16/7, 2009 at 0:44 Comment(2)
I had a very similar question stackoverflow.com/questions/1025494/obfuscating-c-c-codeCadelle
What's the motivation? Is there any particular reason why they can't be allowed to see the source? And what is the reason for not wanting to distribute precompiled binaries?Calida
T
7

Just compile it to assembler. Can be done using the -S option.

helloworld.cpp:

#include <iostream>

using namespace std;

int main(void)
{
    cout << "Hello World" << endl;
    return 0;
}

And then do:

emil@lanfear /home/emil/dev/assemblertest $ g++ -S -o helloworld.s helloworld.cpp
emil@lanfear /home/emil/dev/assemblertest $ g++ -o helloworld helloworld.s
emil@lanfear /home/emil/dev/assemblertest $ ./helloworld
Hello World

Using this method you can distribute only the .s-files which will contain very hard to read assembler.

Triumphal answered 16/7, 2009 at 1:0 Comment(3)
This doesn't solve the "native platform" issue, as it is machine-dependent (and possibly distro-dependent, depending on what headers are included).Dandle
Fair point. I still believe that it could be an option in some cases though, so I'll leave the post rather than delete it.Triumphal
Even though it is platform-dependent there're not so many platforms out there - you most likely can do this separately for all platforms of interest.Paly
M
5

It's not a technical answer, but do you trust them enough to just ask for a signed NDA?

Magistrate answered 16/7, 2009 at 0:57 Comment(1)
Game developers do that with online betas, but this is higher risk/higher reward.Raina
L
4

You can process the existing source code to "mangle" it; basically this consists of stripping out all comments, and changing variable names to be minimal and stripping out all source code formatting. The problem is, they can relatively easily change the variable names back and add formatting and comments; while they won't have the same level of information in the resultant source code as you do, they WILL have completely functional source code (because that's what you distributed to them). This is about the only way to do this sort of thing.

Lockyer answered 16/7, 2009 at 0:50 Comment(3)
This is called "shrouded source" and it used to be pretty common for e.g. UNIX software.Molliemollify
Couldn't you also strip the debugging information from it, or is this is what you are referring to?Raina
No, you can't pre-strip the debugging info when you're distributing source code (even mangled source code). The debugging info doesn't get created until the binary is compiled.Catheycathi
H
1

In short, no. By definition if they can compile it then they have your source. The best you can do is increase the pain of them trying to understand it.

I agree with John. If you have a small number of clients and trust them, an NDA would be a better route.

Another thing I just thought about... what about just running the preprocessor and compiler, but not the assembler and the linker? You would need a copy for each specific architecture's assembly language, but I assume that would be painful enough to dissuade editing while easy enough to compile.

Harmonics answered 16/7, 2009 at 1:1 Comment(0)
M
1

You could divide your application in two parts: first part will contain precompiled libraries with the OS independent functionality, and the second one will contain a little parts of sources that users would compile. In such way NVIDIA distributes their drivers.

Maleficence answered 16/7, 2009 at 3:6 Comment(0)
C
1

You could obfuscate your C/C++ code. See my question for C/C++ obfuscation tools

Cadelle answered 16/7, 2009 at 4:26 Comment(0)
M
1

The best solution I can come up with is to either limit the number of platforms you support and do your own compilations, or compile to a binary format that is hard to extract information from, but the user can compile this to their native format.

Personally I would go with option 1.

Martamartaban answered 8/8, 2009 at 9:53 Comment(1)
Since it already has Fedora and Ubuntu specific dependencies, then the list of target platforms is already limited. So yes - the option 1 is the most reasonable. Besides, providing end-users with architecture-specific, precompiled binaries is how it's done for most (all?) proprietary software written in C++.Deepsix
E
0

If it's C, you can use the clang compiler, then dump the LLVM intermediate representation. If it's C++, you might need to wait a while until clang's C++ support matures.

Estuarine answered 16/7, 2009 at 0:52 Comment(3)
The LLVM intermediate representation has already been compiled, and thus any build-time changes (e.g. different size of a structure on one persons system from another) won't be reflected in the resulting binaries. So this will usually only work in cases where distributing binaries would have been just as effective.Molliemollify
Assuming the only goal is to make it portable to other platforms, that's good enough, right?Estuarine
Let's take an easy example. Linux and BSD have some system structures which are different sizes. When you compile from C to LLVM's intermediate representation, the header file which declares these structures on the platform where you compile (say, OpenBSD) will decide how big the compiler thinks the structure is. When you try to use that LLVM intermediate representation to build a running binary on Linux, the structure size will be wrong and your program will crash. So, no, doesn't seem good enough to me.Molliemollify

© 2022 - 2024 — McMap. All rights reserved.