Linux Appliance Code Protection - Security



  1. Linux Appliance Code Protection

    Hello,

    The company I work for would like to put a proprietary PHP
    application on a Linux box for use in an isolated environment with no
    internet connectivity. In doing so, we would like to take as many
    steps as possible to ensure the end user of the system cannot access
    our proprietary code. Can anyone point me in the direction(s) I should
    be looking? I've researched encrypted file systems a bit, but beyond
    this I'm kinda scattered on any additional possibilities to lock down
    the box. I realize that with physical access to the box completely
    eliminating any risk is not possible, but how much security can I
    expect from the average Linux knowledgeable non-expert?

    Thanks,
    Toni


  2. Re: Linux Appliance Code Protection

    1. Make the code readable only by the root user and the webserver. And
    don't give them the password to the root account. All service to the
    box must go through your company in this case.

    2. Have the webserver decrypt the files on opening. This can be
    done by embedding a script into Apache's startup. This is not as
    reliable as above.

    3. Write your own Apache module. Pretty tough and time consuming, but
    the most secure and reliable.

    toniintc@gmail.com wrote:
    > Hello,
    >
    > The company I work for would like to put a proprietary PHP
    > application on a Linux box for use in an isolated environment with no
    > internet connectivity. In doing so, we would like to take as many
    > steps as possible to ensure the end user of the system cannot access
    > our proprietary code. Can anyone point me in the direction(s) I should
    > be looking? I've researched encrypted file systems a bit, but beyond
    > this I'm kinda scattered on any additional possibilities to lock down
    > the box. I realize that with physical access to the box completely
    > eliminating any risk is not possible, but how much security can I
    > expect from the average Linux knowledgeable non-expert?
    >
    > Thanks,
    > Toni
    >
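
One way to apply and then verify the first suggestion in the reply above (code readable only by root and the webserver), as an added example that is not part of the original thread. The function names, the application directory and the owner and group names are assumptions to adjust for the appliance.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed usage (names are placeholders):
#   lock_down /var/www/app root www-data && audit /var/www/app root www-data

# lock_down DIR OWNER GROUP
# Owner gets read/write, the webserver's group gets read-only, others nothing.
lock_down() {
    dir=$1 owner=$2 group=$3
    chown -R "$owner:$group" "$dir" || return 1
    # Directories need the execute bit to be traversed; plain files do not.
    find "$dir" -type d -exec chmod 750 {} + || return 1
    find "$dir" -type f -exec chmod 640 {} + || return 1
}

# audit DIR OWNER GROUP
# Prints every path that breaks the policy: any permission bit set for
# "other", group-writable, or wrong owner/group. Symlinks are skipped because
# their own mode bits are not what the kernel checks.
# Returns 0 when the tree is clean, 1 when at least one violation is found.
audit() {
    dir=$1 owner=$2 group=$3
    bad=$(find "$dir" ! -type l \( \
            -perm -004 -o -perm -002 -o -perm -001 \
            -o -perm -020 \
            -o ! -user "$owner" -o ! -group "$group" \
          \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

File modes are enforced only by the running system, so this check covers local non-root accounts on the installed OS and nothing beyond that.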


  3. Re: Linux Appliance Code Protection


    irish wrote:
    > 1. Make the code readable only by the root user and the webserver. And
    > don't give them the password to the root account. All service to the
    > box must go through your company in this case.


    Is there a way to prevent the end user from sticking in the source disk
    or a recovery disk and gaining root access to the filesystem by
    mounting the drive?

    > 2. Have the webserver decrypt the files on opening. This can be
    > done by embedding a script into Apache's startup. This is not as
    > reliable as above.


    I'll look into this. Thanks.

    Toni


  4. Re: Linux Appliance Code Protection

    On Fri, 17 Nov 2006 13:30:21 -0800, toniintc wrote:

    >
    > irish wrote:
    >> 1. Make the code readable only by the root user and the webserver. And
    >> don't give them the password to the root account. All service to the
    >> box must go through your company in this case.

    >
    > Is there a way to prevent the end user from sticking in the source disk
    > or a recovery disk and gaining root access to the filesystem by
    > mounting the drive?


    Encrypt the filesystem and boot it off USB. Or encrypt the
    partition/filesystem and put the key onto a USB drive, then mount the
    partition using the USB drive key.

    Just make sure you remove the USB drive.

    >
    >> 2. Have the webserver decrypt the files on opening. This can be
    >> done by embedding a script into Apache's startup. This is not as
    >> reliable as above.

    >
    > I'll look into this. Thanks.
    >
    > Toni


    --
    Dancin' in the ruins tonight
    Tayo'y Mga Pinoy



  5. Re: Linux Appliance Code Protection

    toniintc@gmail.com wrote:
    > Hello,
    >
    > The company I work for would like to put a proprietary PHP
    > application on a Linux box for use in an isolated environment with no
    > internet connectivity. In doing so, we would like to take as many
    > steps as possible to ensure the end user of the system cannot access
    > our proprietary code.


    Zend produce tools for exactly this purpose. As do IonCube. There's
    also Turck encoder.

    There are a few other open-source tools. I've seen the output of one of
    them - it took about 5 minutes to reverse engineer it - I'm guessing
    (hoping?) it wasn't one of the three above.

    C.

