Protecting IP
50 views
Skip to first unread message
Joe Bloggs
Jun 14, 2016, 9:33:35 AM6/14/16
to v8-u...@googlegroups.com
Hi,
My employer is looking to shift major development to node.js. Now, before you point out that this is the v8 mailing list, rest assured this message is pertinent to this list.
My employer wants to protect their IP and not have it available as simple text files. We understand that a binary compilation is still hackable, that anything that executes on a remote machine can be reverse engineered, but we just want it to be non-trivial - no one should be able to merely open a text file and read the source code.
I want to soundboard my current (extremely rudimentary) thoughts against you guys. The idea is to create a custom compilation of node and the v8 engine, where the v8 engine has been modified in the following manner (very high level, lots of details need to be filled in):
1. v8 exposes a function 'ExecuteEncryptedString' which internally decrypts the string and passes on execution to already available functions.
2. There shall be no way for the 'require' syntax to load an encrypted file.
3. Any attempt to use console.log to dump the encrypt string merely dumps the encrypted string.
4. The overall outcome we are looking for is anyone can execute the code if they have the custom executable, but they can't decrypt it trivially. They will need to disassemble the executable.
5. We want this approach to be forward compatible. That's where we will need guidance from you guys on how to ensure that, to the extent reasonably possible, in the future we will be able to simply download the code for a new version of v8, and run a simple script to add the custom parts and create the custom executable. Of course, in the face of innovation for better performance etc. this might break, and that is understandable. We also understand we may need a separate discussion with the node.js guys.
I would like to hear your thoughts on this. If you have better ideas on achieving this, if you see obvious loopholes in the approach, or you just want to share your thoughts, please feel free to provide constructive feedback.
Regards,
Simon
My employer is looking to shift major development to node.js. Now, before you point out that this is the v8 mailing list, rest assured this message is pertinent to this list.
My employer wants to protect their IP and not have it available as simple text files. We understand that a binary compilation is still hackable, that anything that executes on a remote machine can be reverse engineered, but we just want it to be non-trivial - no one should be able to merely open a text file and read the source code.
I want to soundboard my current (extremely rudimentary) thoughts against you guys. The idea is to create a custom compilation of node and the v8 engine, where the v8 engine has been modified in the following manner (very high level, lots of details need to be filled in):
1. v8 exposes a function 'ExecuteEncryptedString' which internally decrypts the string and passes on execution to already available functions.
2. There shall be no way for the 'require' syntax to load an encrypted file.
3. Any attempt to use console.log to dump the encrypt string merely dumps the encrypted string.
4. The overall outcome we are looking for is anyone can execute the code if they have the custom executable, but they can't decrypt it trivially. They will need to disassemble the executable.
5. We want this approach to be forward compatible. That's where we will need guidance from you guys on how to ensure that, to the extent reasonably possible, in the future we will be able to simply download the code for a new version of v8, and run a simple script to add the custom parts and create the custom executable. Of course, in the face of innovation for better performance etc. this might break, and that is understandable. We also understand we may need a separate discussion with the node.js guys.
I would like to hear your thoughts on this. If you have better ideas on achieving this, if you see obvious loopholes in the approach, or you just want to share your thoughts, please feel free to provide constructive feedback.
Regards,
Simon
Jochen Eisinger
Jun 22, 2016, 9:58:06 AM6/22/16
to v8-u...@googlegroups.com
Have you considered using a less-easy-to-read format like asm.js, run a obfuscator over the source, or put your IP into a binary node module?
--
--
v8-users mailing list
v8-u...@googlegroups.com
http://groups.google.com/group/v8-users
---
You received this message because you are subscribed to the Google Groups "v8-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to v8-users+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Yang Guo
Jun 27, 2016, 7:05:20 AM6/27/16
to v8-users, beethovia...@outlook.com
Is there any way for an user run code on the node.js instance at all? I'm asking since node.js runs on the server, so the source is usually not accessible from outside.
Zephyr Pellerin
Jun 27, 2016, 5:49:26 PM6/27/16
to v8-users, beethovia...@outlook.com
This is actually a fairly common requirement that I've had the "pleasure" of dealing with for a host of people and firms. Unfortunately, it's also very easy to mess up without a lot of care. I have a longtime interest in reverse engineering so I may have a different standard of "trivial disassembly" but here are some guidelines to start out with if you just want to prevent easy recovery of the original source code.
1. Obfuscators typically don't. There are tons of tools out there that 'obfuscate' JavaScript source and equally many tools that deobfuscate everything short of variable names. If you go down this path, minification alone may be your best bet. Just remember, this sort of protection can be unmade by individuals without any programming experience.
2. It's best to know what you are doing if you are serious. I've seen others try the "strip v8 down until you've just got bytecode" route. It can be a solid approach depending on your familiarity with V8 and IDA Pro -- I've also seen it turn into a company-ending-waste-of-time. Here's one way a team tried to do it that I wouldn't recommend. Emit raw bytecode and process at dbrk -- someone can also just emit the source of each function. So you patch code->kind to OPTIMIZED_FUNCTION -- The source is still available in full in any hex editor in the global offset table (ELF executable here). So you strip the some ordinal set from global offset table post hoc -- program breaks (they ended up calling a consultant)
3. The host of alternative JS transpilers and compilers are generally more inscrutable but that effect is gained through obscurity. High level information about the program's source and structure are still preserved.
Best of luck,
- zv
Mike Schwartz
Jun 27, 2016, 6:23:23 PM6/27/16
to v8-users, beethovia...@outlook.com
It doesn't seem that hard to hack node to do this.
You use something like nasm and include your packaged .js program. Then hack node to load and optionally decrypt your program and eval() it. Nasm generates a .o file you link your custom node with.
Seems like a couple of hours' work.
You would have to patch any newer versions of node as you want to upgrade. I'd be sure to run the unit tests for node itself before deploying.
You use something like nasm and include your packaged .js program. Then hack node to load and optionally decrypt your program and eval() it. Nasm generates a .o file you link your custom node with.
Seems like a couple of hours' work.
You would have to patch any newer versions of node as you want to upgrade. I'd be sure to run the unit tests for node itself before deploying.
joko suwito
Jun 27, 2016, 6:24:56 PM6/27/16
to v8-u...@googlegroups.com
Maaf saya tidak kesengajaan saya. T.ksh
Joe Bloggs
Jul 2, 2016, 8:31:59 AM7/2/16
to v8-u...@googlegroups.com
As pointed out by others, there are de-obfuscators available; we want something more robust than that.
The whole reason for introducing node.js is to benefit from the resulting productivity - at least in our company programmers are loving javascript more than C/C++ - happy programmers are productive programmers.
Thanks for your thoughts.
From: v8-u...@googlegroups.com <v8-u...@googlegroups.com> on behalf of Jochen Eisinger <joc...@chromium.org>
Sent: Wednesday, 22 June 2016 1:57:53 PM
To: v8-u...@googlegroups.com
Subject: Re: [v8-users] Protecting IP
Sent: Wednesday, 22 June 2016 1:57:53 PM
To: v8-u...@googlegroups.com
Subject: Re: [v8-users] Protecting IP
Joe Bloggs
Jul 2, 2016, 8:33:26 AM7/2/16
to v8-users
This is an enterprise application given in the form of an installer. We are not doing SaaS.
From: v8-u...@googlegroups.com <v8-u...@googlegroups.com> on behalf of Yang Guo <yan...@chromium.org>
Sent: Monday, 27 June 2016 11:05:20 AM
To: v8-users
Cc: beethovia...@outlook.com
Subject: [v8-users] Re: Protecting IP
Sent: Monday, 27 June 2016 11:05:20 AM
To: v8-users
Cc: beethovia...@outlook.com
Subject: [v8-users] Re: Protecting IP
Joe Bloggs
Jul 2, 2016, 8:38:05 AM7/2/16
to v8-users
Many thanks for the ideas guys. We want this to be a generic solution, not one particular js tied up within a custom binary. The idea is to have the source files present on disk as encrypted files. This allows us to easily roll out new patches, add functionality
by adding new files, etc. Having a separate executable for each independent bit of javascript would become unmaintainable very quickly.
From: Mike Schwartz <myk...@gmail.com>
Sent: Monday, 27 June 2016 10:23 PM
To: v8-users
Cc: beethovia...@outlook.com
Subject: Re: [v8-users] Re: Protecting IP
Sent: Monday, 27 June 2016 10:23 PM
To: v8-users
Cc: beethovia...@outlook.com
Subject: Re: [v8-users] Re: Protecting IP
Reply all
Reply to author
Forward
0 new messages