Virtual Machine – Is Virtual Machine Image Good Protection for Source Code?


We have developed an application that is sold as an online service. After some time we realized that some customers would need/prefer/require to have it installed locally on their intranet. However, the application was developed using a scripting language and we wouldn't want to allow clients to access the source code.

The question is: What are the technical downsides of distributing the application as a virtual machine image?

Best Answer

I think what you're suggesting is a variant of a turnkey project.

On the pro side, a turnkey project:

  • Can make it easier for a customer to get up and running quickly
  • Shields the customer from all of the necessary configurations
  • Can lower support costs because a standard image is used for the project

On the down side:

  • You'll now need to maintain updates to the OS and supporting tools within your master or golden image
  • You'll always have clients that want distro baz instead of the foo and bar that you already provide

Regarding protecting source code -- If the bulk of your company's intellectual property is encapsulated within the various configuration scripts, then this may be a decent approach to protecting that information. You would:

  1. copy the scripts onto the system that will be the master image
  2. run the scripts to configure things
  3. remove the scripts from the system
  4. make copies of the master image and distribute.

This is probably only beneficial to you if there are a lot of configuration steps that have to be made. If it's a trivial number of steps, then diligent customers can figure out exactly what your scripts set up for them. The decision point for you is if there are enough configuration points so that the resource cost of recreating your scripts outweighs the financial cost of purchasing a system.

If you're hoping that you can provide a system and then keep control of the system account(s), I think you're going to have a harder time. User privilege escalation exploits occur frequently across all operating systems, especially when someone already has log in access to the system.

In summary, I would only consider providing a turnkey system if you can remove all of the configuration scripts that you are concerned about prior to distribution.

Additional considerations
Any binary files you have would likely be safe from casual investigation. Based upon the comments, it doesn't sound like you're worried about individuals with debuggers or reverse-engineering tools.

Database schemas will be exposed, and I don't think there's a lot you can do to protect those. Whether or not the schema is meaningful to someone else is a different matter. If the schema is large, obfuscation can be surprisingly effective at keeping prying eyes out of a database.
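As an added example (not part of the original answer), one way to check step 3 of the procedure above before copying the master image: walk the mounted image and flag any file that still matches one of the configuration scripts by content hash or by name, which catches renamed or backup copies. The function names `sha256_of`, `find_leftovers` and `demo`, and all paths and file contents, are hypothetical and constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_leftovers(scripts_dir, image_root):
    """Return sorted (path_in_image, reason) pairs for files that match a script."""
    names, digests = set(), {}
    for dirpath, _, files in os.walk(scripts_dir):
        for name in files:
            names.add(name)
            digests[sha256_of(os.path.join(dirpath, name))] = name
    hits = []
    for dirpath, _, files in os.walk(image_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # never follow links that may point outside the image
            rel = os.path.relpath(path, image_root)
            digest = sha256_of(path)
            if digest in digests:  # renamed or backup copy of a script
                hits.append((rel, "same content as " + digests[digest]))
            elif name in names:    # edited copy that kept the script's name
                hits.append((rel, "same file name, different content"))
    return sorted(hits)

def demo():
    """Scan a constructed image tree holding a renamed backup copy of a script."""
    body = "#!/bin/sh\necho configuring\n"
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"scripts/configure.sh": body,
                   "image_root/var/tmp/configure.sh~": body,   # leftover copy
                   "image_root/etc/app.conf": "port=8080\n"}   # legitimate file
        for rel, text in samples.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        return find_leftovers(os.path.join(tmp, "scripts"), os.path.join(tmp, "image_root"))

if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "-", reason)
```

A clean result covers only files visible in the mounted filesystem; the contents of deleted files can persist in unallocated blocks of the disk image.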
