0

We sell our code to a company that they can run our code 100 times a month. We need to do a few things before giving the code to the company.

  1. Hide our logic (we can hide our logic by code obfuscation)

  2. excessive usage (no more execution of our code than 100 time)

  3. redistribution (the company we sold the code to can't use it on more than 1 machine or give it to others)

Constraints: we do not have any connection or control over the code after we gave the code to the company so we cannot keep track of anything or block anything. Everything has to be done before giving the code.

Kindly share your thoughts and any suggestions on it.

No license, no MAC address binding solutions needed. Hint: the person who asked this question gave a hint that both excessive usage and redistribution have one solution.

Edit: We are selling our machine learning code to a company. We only want the code to be run a specific number of times and only on a specific machine. The company that we sold the code to has their firewalls implemented so that we cannot connect or make code to send any information back to us.

My question is how can we restrict excessive usage and redistribution of our code in this case.

Josef
  • 5,933
  • 26
  • 34
  • 1
    We can't answer this without more details. And if you give someone "the code" rather than "a binary", there's absolutely nothing technical you can do. – Marc Aug 18 '20 at 10:57
  • We are giving obfuscated code to the client , so the client cannot understand what code is doing. tell me what more details you want to know . I want to know how to stop excessive usage and redistribution of that obfuscated code. – user241348 Aug 18 '20 at 11:11
  • 3
    Obfuscated code can be deobfuscated. Even compiled code (a binary) can be made sense out of by sufficiently-qualified people. The simple reason you can't do anything if you send your code is: I can save whatever you sent me on as many machines as I want, built it, and run it. This already defeats your redistribution. If you do machine fingerprinting, I'll just create a VM and recreate it as many times as I want. You have no connection, so the only state is local. I can wipe the VM as often as I like. – Marc Aug 18 '20 at 11:13
  • You can try to modify your program for update a web server and upload information about the machine, cpu, etc.... this looks more a question for developers. – camp0 Aug 18 '20 at 11:14
  • Flagging to close as "needs details or clarity", this cannot be answered as is. – Marc Aug 18 '20 at 11:17
  • We are selling our machine learning code to a company. we only want the code to be ran a specific number of times .and only on specific machine. the company that we sold the code to has their firewalls implemented so we cannot connect or make code to send any information back to us . My question is how can we restrict excessive usage and redistribution of our code in this case. – user241348 Aug 18 '20 at 11:23
  • 3
    You can't. Whatever machine they sent you a fingerprint of, it could just be a VM they'll recreate. At some point, these things are enforced by contracts and auditing, not technical means. – Marc Aug 18 '20 at 11:28
  • 2
    The NDA is good so you can go to a court against them if they break the agreement. – kelalaka Aug 18 '20 at 13:35
  • 2
    Does this answer your question? [Are there DRM techniques to effectively prevent pirating?](https://security.stackexchange.com/questions/4637/are-there-drm-techniques-to-effectively-prevent-pirating) – Josef Aug 18 '20 at 14:38

1 Answers1

4

We are selling our machine learning code to a company. we only want the code to be ran a specific number of times .and only on specific machine. the company that we sold the code to has their firewalls implemented so we cannot connect or make code to send any information back to us . My question is how can we restrict excessive usage and redistribution of our code in this case.

You can't.

You are giving them (obfuscated) source code. Well, fire it up in a debugger, run it for a hundred times, and figure out what it stops on the 101st time. Remove. Lather, rinse, repeat.

There's two ways to solve this:

  1. Enforce it legally, via contracts and auditing.
  2. Sell it as a service. Run the code on hardware you know, and bill per execution.

With the constraints you have given, there's absolutely no way to enforce it technically.

vidarlo
  • 14,890
  • 2
  • 43
  • 56
  • 1
    Great answer and exactly right! There is NO way. Either sell a SaaS or get used to the fact that your code cannot be protected. – dmuensterer Aug 18 '20 at 12:11