The Pixel 3a joins the Android Enterprise Recommended lineup

Android Enterprise Recommended continues to shape how organizations choose devices for their teams. According to a recent HMD smartphone purchase survey, 56 percent of IT decision makers have decided to only choose Android Enterprise Recommended devices for their business. Android Enterprise Recommended helps businesses select devices with confidence from a breadth of options, so they can find a quality device at a price that’s right for the organization.

 

Today, the Pixel 3a joins the Android Enterprise Recommended lineup. Announced at Google I/O last week, the new, more affordable Pixel has enterprise-grade security, with monthly security updates and the Titan M chip. A consistent Google user experience backed by machine learning and artificial intelligence helps your team work productively. Recently, a 2019 Gartner research report that evaluated mobile security determined that the Pixel 3 device family has the strongest performance for built-in security when compared to other mobile devices.

 

The Pixel 3a joins a group of devices in Android Enterprise Recommended that provide businesses with options of enterprise-grade performance and support for zero-touch enrollment at a budget-friendly price. The Nokia 7.1, Moto G7 and Sharp AQUOS Sense are among the many knowledge worker devices within the Android Enterprise Recommended portfolio that run Android 9 Pie, and offer strong productivity power and battery life at a cost below $400.

 

Since launching in 2018, Android Enterprise Recommended now offers devices from over 20 OEMs, with knowledge worker, rugged devices and tablets in our portfolio. We also help companies secure and manage their devices with Android Enterprise Recommended EMM and Managed Service Provider partners. Learn more about the vast selection of devices available from our Android Enterprise Solutions Directory.

PHP MySQL REST API for Android

A PHP REST API backed by a MySQL database is a very common architecture for an enterprise mobile application. When the scenario requires data to be stored centrally, this architecture should be used. Otherwise, the local database on the mobile device can be used for the storage and retrieval of information.

In this tutorial, we are creating a PHP RESTful service to read data from a (MySQL) database table. Also, I am providing an example Android project code for invoking this RESTful service. In a previous tutorial, we have seen the basics of PHP RESTful services. I strongly recommend you go through it before continuing this tutorial.

In this example, we are calling the PHP REST API from an Android application. On the server side, the API service reads data from the database and sends the response in JSON format. After receiving the response, the Android application displays the rows of items in a ListView by parsing the JSON data.

If you want to see how to handle JSON data with PHP with detailed notes and examples, then the linked article will be a perfect tutorial on this.

PHP REST API that Reads MySQL Records

We have a database table containing the list of mobile phone model names. Our REST API fetches the list of mobile names from the database and sends the response in JSON. This REST API contains three parts. These are, the REST controller, service class, and the DAO.

PHP in Website Development Era

The PHP language has a unique place in website development. It was introduced at the right time, when web-based business was a new trend. Over time it became one of the most popular languages for creating web applications. The reasons are:

  • simple language structure
  • unique features
  • free license.

PHP’s unique features led to more popularity. Since 1994, when PHP development started, we have seen the following version releases.

 

PHP Versions

| Versions | Key Features | Description |
|---|---|---|
| PHP/FI (1995) | Form handling | Perl/CGI script (PHP 1.0) introduced by Rasmus Lerdorf. The expansion is Personal Home Page / Form Interpreter. |
| PHP/FI2 (1997) | Data conversion; Form data export | With slight modifications in Form Interpreter (PHP 2.0) to handle form entries. |
| PHP 3 (1998) | PHP core is rewritten; PHP parser is rewritten; Zend Engine is incorporated | Language core was changed by Zeev Suraski and Andi Gutmans and PHP refers to PHP: Hypertext Preprocessor. |
| PHP 4 (2000) | Object-Oriented support; External resource handling; Security; RegEx handling | With features for supporting enterprise-oriented applications. |
| PHP 5 (2004) | Improved object model; PDO Support; Exception handling; XML support | PHP core was almost stabilized with this release. Later 5.X releases have slight enhancements. |
| PHP 7 (2016) | Improved performance (twice as that of 5.6); Reduced memory usage; The null coalescing operator (??); Return and Scalar Type Declarations; Anonymous Classes; Zero cost asserts | PHP 6.0 was skipped and PHP 7 was released. There was no clear official mention on why version 6 was skipped and there are many theories floating around. You can get more information on this by going through the linked HN discussion. |

 

PHP Web Constellations

PHP is one of the best choices for creating web applications. It supports advanced web constellations. It supports most of the popular databases and libraries. PHP script can be embedded with hypertext and client-side script.

With this collective integration, PHP, being open source, attracts people in web development businesses. Currently, most renowned websites are using PHP. For example, Google, Facebook, Yahoo! and more. As per 2013 metrics made by online research agencies like Netcraft, more than 200 million websites were using PHP.

 

Migrating from PHP 4 to PHP 5.0.x 

What has changed in PHP 5.0.x

PHP 5 and the integrated Zend Engine 2 have greatly improved PHP’s performance and capabilities, but great care has been taken to break as little existing code as possible. So migrating your code from PHP 4 to 5 should be very easy. Most existing PHP 4 code should be ready to run without changes, but you should still know about the few differences and take care to test your code before switching versions in production environments.

CLI and CGI

In PHP 5 there were some changes in CLI and CGI filenames. In PHP 5, the CGI version was renamed to php-cgi.exe (previously php.exe) and the CLI version now sits in the main directory (previously cli/php.exe).

PHP 5 also introduced a new mode: php-win.exe. This is equal to the CLI version, except that php-win doesn’t output anything and thus provides no console (no “dos box” appears on the screen). This behavior is similar to php-gtk.

In PHP 5, the CLI version will always populate the global $argv and $argc variables regardless of any php.ini directive setting. Even having register_argc_argv set to off will have no effect in CLI.

Migrating Configuration Files

Since the ISAPI modules changed their names, from php4xxx to php5xxx, you need to make some changes in the configuration files. There were also changes in the CLI and CGI filenames. Please refer to the corresponding section for more information.

Migrating the Apache configuration is extremely easy. See the example below to check the change you need to do:

Example #1 Migrating Apache configuration files for PHP 5

    # change this line:
    LoadModule php4_module /php/sapi/php4apache2.dll

    # with this one:
    LoadModule php5_module /php/php5apache2.dll

If your web server is running PHP in CGI mode, you should note that the CGI version has changed its name from php.exe to php-cgi.exe. In Apache, you should do something like this:

Example #2 Migrating Apache configuration files for PHP 5, CGI mode

    # change this line:
    Action application/x-httpd-php "/php/php.exe"

    # with this one:
    Action application/x-httpd-php "/php/php-cgi.exe"

In other web servers you need to change either the CGI or the ISAPI module filenames.

Databases

There were some changes in PHP 5 regarding databases (MySQL and SQLite).

In PHP 5 the MySQL client libraries are not bundled, because of license and maintenance problems. MySQL is still supported; the only change is that MySQL support is no longer enabled by default in PHP 5. This essentially means that PHP doesn’t include the --with-mysql option in the configure line, so you must now add it manually when compiling PHP. Windows users will need to edit php.ini and enable the php_mysql.dll DLL; in PHP 4 no such DLL existed, as it was simply built into your Windows PHP binaries.

There is also a new extension, MySQLi (Improved MySQL), which is designed to work with MySQL 4.1 and above.

Since PHP 5, the SQLite extension is built into PHP. SQLite is an embeddable SQL database engine and is not a client library used to connect to a big database server (like MySQL or PostgreSQL). The SQLite library reads and writes directly to and from the database files on disk.

 

Distributed Worker-Job Matching Architecture for Crowdsourcing

Towards a Distributed Worker-Job Matching Architecture for Crowdsourcing


Abstract— While the crowdsourcing paradigm facilitates the use of human-enacted resources from large groups of individuals, matching workers with jobs is limited by the need for these potential workers to proactively subscribe to various networks.
This subscription phase is part of an “open call model” that reduces the ability for crowdsourcing platforms to scale or retain crowd-oriented workers. Leveraging collaborative filtering techniques, in this paper, we propose an alternative model that seeks to address the issue through a recommendation technique and system that exploits a push-pull model.

Crowdsourcing [1], through the advent of the Internet and Web 2.0 technologies, has provided a new paradigm for employment, to harness mass human computation and has given new avenues for businesses and researchers to quickly distribute work across a global cross-section of potential workers [1][2]. As defined by Howe [3], the paradigm entails an open call model via the Internet to anonymous individuals to solicit services for work, usually at a much cheaper cost than traditional outsourcing [4]. Labor markets [5] such as Amazon Mechanical Turk, Microworkers and UpWork (formerly ODesk) exhaustively use this model. The model however has a significant deficiency [6]; that is the challenge of attracting and maintaining a crowd [7][8]. Via the open call model, tasks requiring human intelligence or HITs are posted for workers to accept relevant task offerings. Those being exposed to the offering are typically members or subscribers of a labor market’s community pool or workers [6]. However, there exist massive crowds of potential workers outside of the subscribed labor market pools and currently the open call model is not capable of leveraging this untapped pool of workers [6][9].
In this paper, augmented by collaborative filtering, we propose a service-oriented architecture based on an open push-pull worker-job matching model capable of harnessing the wisdom and labor potential of diverse communities external to current labor markets. The architecture incorporates transactional web services that implement services pertinent to crowdsourcing including recruitment, job allocation and compensation. We continue by reviewing the open call model including current recruitment strategies and techniques, and worker-job recommender strategies within and external to the paradigm of crowdsourcing. We follow by presenting our proposed collaborative filtering augmented architecture for open push-pull worker-job matching.

Providing Privacy-Aware Incentives in Mobile Sensing Systems


Mobile sensing relies on data contributed by users through their mobile device (e.g., smart phone) to obtain useful information about people and their surroundings. However, users may not want to contribute due to lack of incentives and concerns on possible privacy leakage. To effectively promote user participation, both incentive and privacy issues should be addressed. Although incentive and privacy have been addressed separately in mobile sensing, it is still an open problem to address them simultaneously.
In this paper, we propose two credit-based privacy-aware incentive schemes for mobile sensing systems, where the focus is on privacy protection instead of on the design of incentive mechanisms. Our schemes enable mobile users to earn credits by contributing data without leaking which data they have contributed, and ensure that malicious users cannot abuse the system to earn unlimited credits.
Specifically, the first scheme considers scenarios where an online trusted third party (TTP) is available, and relies on the TTP to protect user privacy and prevent abuse attacks. The second scheme considers scenarios where no online TTP is available. It applies blind signature, partially blind signature, and a novel extended Merkle tree technique to protect user privacy and prevent abuse attacks. Security analysis and cost evaluations show that our schemes are secure and efficient.
Index Terms – Privacy; Incentive; Mobile Sensing

The ever-increasing popularity of mobile devices such as smart phones and tablets and the rich set of embedded sensors that usually come with them (e.g., GPS, accelerometer and microphone) have created a huge opportunity of sensing. Mobile sensing tries to harness this opportunity by collecting sensing data through mobile devices and utilizing the data to obtain rich information about people and their surroundings. It has many applications in healthcare [1], [2], traffic monitoring [3], and environmental monitoring [4]. However, the large-scale deployment of mobile sensing applications is hindered by two obstacles. First, there is a lack of incentives for mobile device users to participate in mobile sensing. To participate, a user has to trigger her sensors to measure data (e.g., to obtain GPS locations), which may consume much power of her smart phone.
Also, the user needs to upload data to a server which may consume much of her 3G data quota (e.g., when the data is photos). Moreover, the user may have to move to a specific location to sense the required data. Considering these efforts and resources required from the user, an incentive scheme is strongly desired for mobile sensing applications to proliferate. Second, private information may be derived from a user’s contributed data. Such privacy concern also prevents users from participating. For instance, to monitor the propagation of a new flu, a server will collect information on who have been infected by this flu. However, a patient may not want to provide such information since it is very sensitive. To effectively motivate users to participate, both obstacles should be overcome. Several privacy-protection schemes [5]–[14] have been proposed to provide anonymity for users, and many incentive schemes [15]–[28] have been designed to promote participation by paying credits to users. However, they address privacy and incentive separately. It is nontrivial to simultaneously address incentive and privacy. One may consider simply combining a privacy protection scheme and a credit-based incentive scheme to provide both privacy and incentive, but such combination is not easy since those schemes have been designed under different system models and assumptions. More importantly, a simple combination cannot address the new challenges that only arise when both incentive and privacy are considered and were not addressed by the privacy protection scheme or the incentive scheme. In particular, existing privacy preserving schemes provide anonymity for users. Anonymity may allow a greedy user to anonymously submit unlimited data reports for the same sensing task (which is not always desirable) and earn unlimited credits without being detected.
This will increase the cost of data collection. Moreover, under the protection of anonymity, a malicious user who has compromised other users’ mobile devices can steal those users’ security credentials such as cryptographic keys and anonymously use the stolen credentials to cheat and earn as many credits as possible without being detected. Thus, the key new challenge with designing credit-based privacy-aware incentive schemes for mobile sensing is how to prevent various abuse attacks while preserving privacy. This challenge calls for new designs that integratively address incentive and privacy.
Our previous work [29] designs a privacy-aware incentive scheme for a special scenario of mobile sensing where each sensing task requires only one data report from each user (such a task is referred to as a single-report task). An example of single-report task is “Report the noise level around you now,” which only requires each user to submit a single data report of his measured noise level. In the real world, however, there are many sensing tasks that require multiple reports submitted at different times from each user (such a task is referred to as a multiple-report task). An example of multiple-report task is “Report the noise level around you every 10 minutes in the following week.” Many other examples can be found in various mobile sensing systems [3], [4]. Unfortunately, that work cannot be directly extended to support multiple-report tasks, since its cryptographic construction only allows each user to earn credits from one report. Although it is possible to create one task for each report and then apply that scheme, this will induce high overhead in computation and communication, and greatly increase the complexity of task management. For example, to collect the same amount of data that the aforementioned multiple-report task can do, one single-report task should be created every 10 minutes, and one set of cryptographic credentials should be computed, distributed, and processed for each task.

In this paper, we propose two privacy-aware incentive schemes for mobile sensing that can support multiple-report tasks. We adopt a credit-based approach which allows each user to earn credits by contributing its data without leaking which data it has contributed. At the same time, the approach ensures that malicious users cannot abuse the system to earn unlimited amount of credits. In particular, the first scheme is designed for scenarios where an online trusted third party (TTP) is available. It relies on the TTP to protect privacy and prevent abuse attacks, and has very low computation cost at each user. The second scheme does not require any online TTP. It applies blind signature, partially blind signature, and an extended Merkle tree to protect privacy and prevent abuse attacks.

The remainder of this paper is organized as follows. Section 2 presents system models. Section 3 presents an overview of our solution. Section 4 and Section 5 present our two incentive schemes. Section 6 presents cost evaluations. Section 7 presents discussions. The last two sections review related work and conclude the paper.

mHealth Systems for Monitoring Patients with Chronic Diseases

Model for Personalization of mHealth Systems for Monitoring Patients with Chronic Diseases


Abstract— Today chronic diseases are a major health problem worldwide. Treatment for these diseases requires proper monitoring and frequent doctor visits. In recent years several ICT tools have been designed to provide remote patients monitoring, but it is still complicated to offer a useful tool for all kind of patients, since each one has different characteristics and needs. This paper presents a new model to enable the personalization of mobile health systems. The model is particularly oriented to be used for monitoring patients with chronic diseases, such as obesity and diabetes. The proposed model comprises the use of mobile applications, Bluetooth sensors and NFC tags to enable personalization. The resulting model can be adapted to different diseases and provides health professionals with a tool that allows monitoring patients with different needs and characteristics.
Keywords— mobile software, mHealth, Bluetooth, NFC, sensors.

Job Recruitment and Job Seeking Processes

Job Recruitment and Job Seeking Processes: How Technology Can Help


Job seeking and recruiting processes have drastically changed during the past decade. Today’s companies are exploiting online technology (job portals, corporate websites, and so on) to make job advertisements reach an ever-growing audience. However, this advantage can create a higher post-processing burden for recruiters, who must sort through the huge amount of résumés and curricula vitae received, often expressed in different languages and formats. Similarly, job seekers spend considerable time filtering job offers and restructuring their résumés to effectively communicate their strong points and address the job requirements.

Consequently, job recruiters and seekers often use various special-purpose tools, such as job aggregators (including www.jobrapido.com and www.indeed.com) [1] and social networks (including www.linkedin.com, www.glassdoor.com, and www.jackalopejobs.com) [2]. To further optimize selection processes with respect to processing time and accuracy, job portals such as Monster (www.monster.com) and Jobnet (www.jobnetchannel.com) have started to develop advanced search engines to automatically sort résumés based on job offer requirements. These approaches could exploit, among others, supervised and unsupervised learning, software agents, and genetic algorithms [3–8]. Nonetheless, creating such tools is a complex task that requires identifying which variables influence the user’s final choice

Improving Protection of PHP Source Code using Cryptology Models

Aleksandar Jevremović, Univerzitet Singidunum, Danijelova 32, 11000 Belgrade, Serbia, E-mail: ajevremovic@singidunum.ac.rs
Nenad Ristić, Fakultet za računarstvo i informatiku Univerzitet Sinergija, Raje Baničića bb, 76300 Bijeljina, Republic of Srpska, E-mail: nristic@sinergija.edu.ba
Mladen Veinović, Univerzitet Singidunum, Danijelova 32, 11000 Belgrade, Serbia, E-mail: mveinovic@singidunum.ac.rs

PHP is one of the most popular languages for Web development. By January 2013, PHP was being used by a remarkable 244M sites, meaning that 39% of sites in Netcraft’s Web Server Survey were running PHP [1]. One of the really significant problems for PHP developers today is the lack of free and high-quality solutions for protecting the source code of PHP Web applications. “Protecting source code” usually means two things: 1) protecting source code from being viewed or modified by others and 2) limiting execution of the protected application to a specific Internet domain or time period.

Currently, there are some solutions for protecting PHP source code which, generally, belong to two main groups. The first group contains PHP source code obfuscators, which are usually free, work with source code and provide a very low level of protection. The second group contains PHP encoders, which work with PHP opcode and thus provide a higher level of protection, but are commercial and require using a proprietary closed-source PHP extension in the production environment.

Even if PHP encoders provide a higher level of protection, there are two main problems when using them. The first problem is the limited lifetime of the encoded product, because source code is converted to opcode by the current version of the PHP interpreter, and then the opcode is encoded. This means that the encoded solution becomes unusable with future versions of PHP interpreters that include some important change in how source code is transformed to opcode. Because of this, developers are forced to buy new versions of encoders and to recompile source code whenever the PHP version on the Web server is upgraded. Frequent replacements of application files in a production environment are usually a painful task.

The second problem with using PHP encoders is the dependency on a “trusted third party”, the author of the encoder. This means that the whole security of the application depends on the company that develops the encoder. If the encoder or extension is compromised (its source code is revealed to the public), all solutions encoded with that encoder are compromised, too. Additionally, encoded PHP scripts are not protected from the encoder’s authors.

In this paper we analyse the possibilities and issues of creating an open-source solution for high-quality protection of PHP scripts. Standard cryptology models are used for this analysis. Based on the results of this analysis, we propose a novel model for an open-source solution that provides solid protection of PHP source code on both source code and opcode levels and is not based on a trusted third party.

A. Obfuscating Source Code

Obfuscation is a technique that transforms original source code into a far more complex, confusing and unreadable variant, while preserving code semantics [2]. This technique is used to prevent or decrease the efficiency of reverse engineering while providing the same functionality with equal or similar performance. Obfuscation is usually done by replacing the names of variables and user-defined functions with meaningless ones, by removing comments and formatting, and by encoding source code with built-in or user-defined encoding functions. Obfuscation can give good results when the developer wants to prevent pirates from understanding parts of the code and then illegally including them in other Web applications. However, this technique shows poor results when used for restricting usage of the protected solution to a specific domain name or time period, because, in this case, pirates are not required to understand a large portion of the code, but only to identify the place where the limitations are defined. Having in mind that opcode modifications of this type are not compatible with the original interpreter, this technique is limited to use with source code only. Due to this, software obfuscation has been the subject of numerous research efforts in the last several years [3, 4, 5, 6, 7, 8, 9, 10, 11].

B. Encoding/Encrypting

Both encoding and encrypting are reversible data transformation techniques that, however, contain essential differences. Encoding implies the use of a publicly known transformation algorithm with, if used, also publicly known parameters. In other words, it is assumed that anyone can decode encoded data if informed which encoding algorithm was used. Encryption, on the other hand, is based on a secret parameter (key) used in the transformation procedure. It is usually assumed that the transformation algorithm is publicly known, but it need not be.

Most major PHP encoders today are actually acting as encrypters because they assume some secret component that prevents encoded source code or opcode from being decoded. This component is usually the algorithm (sometimes combined with some encryption parameter like a project id or so), which explains why PHP interpreter extensions for these encoders are closed source. That, however, as said before, creates an unwanted dependency on the encoder provider.

C. Protecting Source Code vs Protecting Opcode

There are significant differences between protection on the source code level and protection on the opcode level. The main advantage of protection on the source code level is compatibility with future versions of the PHP interpreter, while the main disadvantage of that approach is the possibility of revealing the original source code if the protection is broken. On the other side, the main advantage of protecting on the opcode level is that the original source code cannot be revealed, while the main disadvantage of that approach is the limited lifetime of protected scripts. In the case of protecting opcode, source code is interpreted by the current version of the PHP interpreter before it is encoded/encrypted. However, opcode compatibility with future versions of PHP interpreters is much lower than is the case with source code. This means that developers often need to re-encode the original source code whenever the hosting provider upgrades to the next major version of the PHP interpreter. Having in mind that the process of replacing encoded scripts happens in the production environment, it is natural to want to do this as rarely as possible. Also, re-encoding source code for a new PHP version usually implies buying a new version of the encoder.

D. Translating Source Code to Compiled Languages

One of the ways of increasing the performance of PHP scripts is compiling them into some other programming language, which can be compiled into machine code, or for which a more efficient interpreter exists. The most commonly used solutions for translating PHP source code to other programming languages are Roadsend/phc (translates to the C programming language), HipHop (translates to the C++ programming language), Quercus (translates to the Java programming language) and Phalanger (translates to the .Net platform).

ANALYSIS WITH CRYPTOGRAPHY MODELS From cryptology aspect source code protection could be seen as an establishing secure communication channel between developer and PHP interpreter. Instructions, in a form of source code, which represent secret message, are encrypted and can only be decrypted by final interpreter. Using standard characters for representing different roles in secret communication, Alice and Bob are developer and PHP interpreter, while Eve is everyone else – including Web server administrator. Encryption algorithm is considered to be publicly available in all wide used systems. Following presented model, main question that arises is how to manage key(s) that is used for encryption/decryption procedures. This question leads to another question: is symmetric or asymmetric cryptography more appropriate using in this case? Additionally, trust in Bob’s integrity must be reconsidered. A. Symmetric or Asymmetric Cryptography When using symmetric cryptography same key is used for encryption and for decryption. This opens a questions – who generates the key (Alice or Bob), and how is key distributed to the other part? If PHP interpreter generates the key, that key can be stored locally, maybe even inside interpreter’s binaries. However, how can this key securely be distributed to developer, with no one else access to it, even system administrator? The same problem, even more accented, remains in case when developer generates the key and needs to distribute that to interpreter. By using asymmetric cryptography, the need for secure channel is eliminated. Developer can encrypt PHP source code by using PHP interpreter’s public key. That means that encrypted source code can only be decrypted by using PHP interpreter’s private key, which is stored on secure location. Additionally, developer can digitally sign source code with his protected key so interpreter can be sure that it’s coming from developer. 
This is useful when limiting application to work only with files developed by the same developer. Lifetime of protected solution in this case is limited by source code compatibility with future PHP interpreters versions, or by digital certificate lifetime (which can be unlimited), whatever comes first. However, problem of location where PHP interpreter’s private key is stored, and how it’s used, remains. Potential solution is storing private key within interpreter’s binary, so only reverse engineering attack is possible. However, behavior of interpreter is not guaranteed because its source code can be changed and then modified interpreter could be used. B.Main Problem – Open Source Interpreter As we can see from previous examples, no matter if we use symmetric or asymmetric encryption, place for storing key that is used for source code decryption remains as the main problem with protecting source code. Another part of this problem is the fact that PHP interpreter is open source, so it can be modified to expose decrypted source code before executing it. That implies that we cannot trust in Bob’s integrity, which means that we can consider PHP interpreter on Web server as Eve, too. C. Reverse Engineering When analysed from cryptology aspect, reverse engineering process is analogue to cryptanalysis. By this we mean that pirate is trying to read or modify message that is not intended to be seen or modified by him. Ideal solution for this problem would be one that can’t be reverse engineered even if reverse engineering is tried on CPU level. In this worldview, a software pirate is defined as anyone who subverts system security for the purpose of stealing intellectual property in software on that system[12]. Question that arises is how deep we need to go in order to provided trusted another part in secret communication – component that will securely execute our programs in environments being controlled and eavesdropped a by potential pirates? 
And also, is it possible to have such a component as open source, without relying on a secret possessed by a disputed “trusted third party”, the author of that component? And finally, even if a solution to this problem exists, will its price and complexity be appropriate for use in cheap shared hosting environments? For the purpose of this paper, we set our goal as making protected PHP scripts as safe as if they were written in some compiled language (like C, for example). This also means that protection from assembler-level reverse engineering is not included in the proposed solution.
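The asymmetric scheme from subsection A, as an added PHP example that is not code from the paper: the developer seals a script to the interpreter's public key and signs the sealed package, and the loader verifies the signature before decrypting. The function names, the package layout and the AES-256-CBC choice are assumptions; it needs PHP 8 with the openssl extension.

```php
<?php
declare(strict_types=1);

// Added illustration: function names, package layout and cipher are assumptions.
const CIPHER = 'aes-256-cbc';

/** Returns [private key handle, public key PEM] for one party. */
function new_keypair(): array
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    if ($key === false) {
        throw new RuntimeException('key generation failed');
    }
    return [$key, openssl_pkey_get_details($key)['key']];
}

/** Alice (developer): encrypt for the interpreter, then sign the ciphertext. */
function protect_script(string $source, string $interpreterPub, $developerPriv): array
{
    if (openssl_seal($source, $sealed, $ekeys, [$interpreterPub], CIPHER, $iv) === false) {
        throw new RuntimeException('seal failed');
    }
    $pkg = ['iv' => $iv, 'ekey' => $ekeys[0], 'sealed' => $sealed];
    if (!openssl_sign(implode('', $pkg), $sig, $developerPriv, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('sign failed');
    }
    return $pkg + ['sig' => $sig];
}

/** Bob (interpreter side): verify the developer's signature, then decrypt. */
function load_script(array $pkg, string $developerPub, $interpreterPriv): string
{
    $signed = $pkg['iv'] . $pkg['ekey'] . $pkg['sealed'];
    if (openssl_verify($signed, $pkg['sig'], $developerPub, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('signature check failed');
    }
    // The private key must be readable here, on a host Alice does not control:
    // this is the key-storage problem the analysis describes.
    if (!openssl_open($pkg['sealed'], $plain, $pkg['ekey'], $interpreterPriv, CIPHER, $pkg['iv'])) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

[$devPriv, $devPub] = new_keypair();
[$intPriv, $intPub] = new_keypair();
$pkg = protect_script('<?php echo "licensed feature";', $intPub, $devPriv); // constructed sample
echo load_script($pkg, $devPub, $intPriv), PHP_EOL;
$pkg['sealed'][0] = $pkg['sealed'][0] ^ "\x01";   // simulate a modified file
try {
    load_script($pkg, $devPub, $intPriv);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Signing the sealed package rather than the plaintext lets the loader reject a modified file before any decryption takes place.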

PROPOSED SOLUTION

Based on the presented results and insights from the cryptology-based analysis, we propose a novel solution model that protects PHP scripts at both the source code and opcode levels and is not based on a trusted third party. The protection level of the proposed solution is equal to that of currently available commercial solutions, which are based on closed-source components. The architecture of the proposed solution is shown in Fig. 3. The two main components of the proposed solution are the PHP source code compiler/encrypter and an open-source extension for the original PHP interpreter. An additional component is a random key generator, but any (pseudo)random generator can be used for this purpose.

The PHP source code compiler works as a regular interpreter, converting source code to opcode, except that the result (opcode) is encoded/encrypted with a freshly generated key known only to the developer. The encoded opcode can be executed only by a PHP interpreter that knows the secret key. To increase the lifetime of encoded scripts, the encoder can also encode the source code directly (with obfuscation if selected), without transforming it to opcode. However, the protection level in this case is significantly lower, because a potential pirate will be able to capture the (obfuscated) source code as a result of the extension's execution. Even though working with source code instead of opcode is supported, it is not recommended, because the source code could be revealed by a PHP interpreter modified by the eavesdropper.

The other component of the proposed solution is an open-source (publicly available) extension for decoding the encoded PHP scripts described above. However, this extension is completely unusable without the key that was used to encode the PHP scripts. That is why the extension is compiled to binary by the developer, and during that process the key is built into the resulting binary. To hide the location where the key is stored in the extension binary, the extension compiler randomly obfuscates the extension’s source code before compiling, adding random code snippets and false keys as variables that have no impact on the extension's behaviour. This means that two independent compilations of the extension, even with the same key, will give completely different results.

The next step for the developer is to upload the encoded PHP scripts and the compiled extension to the Web server and to enable the extension when executing the protected scripts. The downside of the proposed solution is that the server administrator must allow users to load their own binary extensions.

CONCLUSION

In this paper we analysed the problem of protecting intellectual property in the form of interpreted-language source code. PHP, as the most popular interpreted language for Web development, is used as an example. Our main analysis is based on standard cryptology models, which are used both to analyse existing solutions and to search for an ideal theoretical model. The essential problem in protecting PHP scripts, analysed as a cryptology model, is the lack of a trusted other party in the secured communication. The PHP interpreter, in the role of the other party, is open-source software whose behaviour is publicly known and can be modified by potential eavesdroppers/pirates.

Source code obfuscation is identified as computationally secure protection, while (human-based) breaking of it is analogous to cryptanalysis. However, the need for source code to be understandable by the interpreter eliminates obfuscation as a serious standalone protection. On the other hand, source code or opcode encryption requires a trusted decryption party, at least as a secured space where the decryption key is stored and used. This is not possible with a completely open-source PHP interpreter. Using closed-source components for decryption, as existing PHP encoders do, creates a security and commercial dependency on the encoder provider.

The solution model presented in this paper proposes a hybrid approach in which all components that provide script protection (or secure communication, from the cryptology perspective) are publicly available and open source. However, the decryption component is realized as a PHP interpreter extension and is obfuscated and compiled by the developer. The key used for PHP script encryption is integrated into this extension during the compilation procedure.

IMPROVING-PROTECTION-OF-PHP-SOURCE-CODE-USING-CRYPTOLOGY-MODELS

GNU Prolog-PHP Multi-tier Integration

The internet expands quickly, and every day brings new users. HTTP and web pages have become the most important technology as far as the internet is concerned; in some situations, when you say internet you really mean the World Wide Web. For programmers the WWW has an important advantage: if you write your application in WWW technology, you no longer have to worry about cross-platform compatibility, installation and deployment problems, and so on. It is enough that a platform has its own web browser, and everything works. This is not exactly true, because browsers differ in how they interpret tags, but in theory it should be true, and browser programmers are working towards unification.

For some applications the CLP tools are very convenient. They implement interesting mechanisms such as branch and bound, forward checking and looking ahead [1]. CLP can be used as a discrete optimization tool and as a continuous optimization tool. In some cases CLP can be efficient [2], [3], and it is a flexible tool [4] that can be used for modeling various problems. CLP is declarative, so the models are easy to modify, which is especially useful when you want to implement a different problem variant, even if the new variant does not have a canonical form yet [5]. It follows that finding an efficient way for PHP and CLP to work together would be worthwhile.

INTEGRATION EXAMPLES

Some work has been done so far on both logic programming and constraint logic programming tools. Lee Naish presented NU-Prolog working as CGI as early as 1995 [6]. NU-Prolog does not support constraints. A similar method could be used to run any other tool as CGI, but the problem of execution time causing timeouts remains unsolved. Sometimes complexity grows greatly and CLP programs can run for hours [5]. The problem of timeouts may occur especially in large solutions.

There are also some attempts to provide CLP tools for client-side computing. You can find the JLog project on sourceforge.net [7] and a JavaScript CLP implementation [8]. Both are interesting projects and may be useful. Unfortunately, the JavaScript implementation sometimes runs as much as 47 times slower than the original Ciao Prolog program [8]. Besides Java Prolog implementations, there are also Java-Prolog integration projects. Paul Tarau’s Jinni should be mentioned here [9]. Some other applications can be found in Wojciech Pieprzyca’s work [10].

If you look for CLP-PHP integration, you may find simple solutions such as using the system or exec PHP functions [11], but server administrators often block these features; besides, this approach does not solve the execution time problem either. A better interface is provided for ECLiPSe [12]. In this case the ECLiPSe program works as a socket server (in an accept loop). Client PHP programs can connect to the server using an object library written in PHP. A TCP connection is established and a goal is sent. The server, which receives the query in EXDR format over the socket stream, then executes it and sends the result back to the PHP client. In the above example the HTTP request and the consulting of the CLP program are served in a single query. It probably took some workaround to gain the separation.

1. Proposed approach

In the paper a middleware concept is presented. An ANSI C TCP socket server gets the task from PHP (which serves the HTTP query) and runs the CLP tool independently. The status of the program consulting process can be checked at any time by a PHP web page. In this way separation is achieved, which solves the problem of web server timeouts. A web application that provides the GUI can initiate CLP work and control it. During program execution, further interaction with the user is possible. There is no need to wait until CLP execution ends, and meanwhile the application can access the best solution found so far by the CLP program. This approach can be useful especially for complex tasks, when the execution time of the CLP program could be longer than the web server timeout.

III. THE PROPOSED APPLICATION WORK SCHEMA

Four main components are involved in the described solution:
• Web browser client
• Web server / PHP
• The middleware socket server
• GNU Prolog

Requests are sent by the web browser to the web/PHP server. The PHP application then establishes a socket connection to the middleware server and sends a command. The command data depends on the communication protocol (see III-A).

After the middleware server receives an appropriate command, it initiates a pipeline shell command and starts GNU Prolog to consult the CLP program. The command is run in a separate thread, so that the server can accept further connections in the main thread. Meanwhile the server sends an acknowledgement back to the socket.

A. Communication protocol

The protocol is very simple. All data are sent in raw text format. Three commands are implemented:
• consult – starts CLP program consulting. An additional parameter containing the CLP program path has to be sent with the consult command.
• results – gets CLP program execution results from the server.
• stop – stops the middleware server execution.

THE ANSI C SOCKET SERVER

The middleware server and GNU Prolog are installed on the same server machine. The main loop of the middleware server is presented in listing 1. It operates according to the following model:
1) Wait for a client connection.
2) After the connection is established, read a string from the socket.
3) If an appropriate command was read, execute the command.
4) Write a response back to the socket.
5) Close the socket.

A PHP application is basically responsible for the GUI. It could be any application that needs constraint logic programming support. It can contain only a simple GUI and socket communication, or it could be a large enterprise solution that has to support, for example, some scheduling process. The socket communication on the PHP side operates according to the following model:
1) Establish socket connection.
2) Send command (and parameter).
3) Read server response from the socket.
4) Close the socket.

A. Test web application

The PHP Test Application consists of an HTML form that contains two fields: cmd and param. The cmd field specifies the command, and the param field contains the Prolog program path if the command sent was consult. This is determined by the communication protocol (see III-A). A results area is located below the HTML form (see figure 2). In this area the PHP application displays the data received from the middleware server.

The construction of the Test Application is quite plain. The part responsible for socket communication and results display is presented in listing 4. The whole block of code runs if the cmd parameter is present in the $_GET PHP array. First, a socket connection between the application and the middleware socket server is established. Next, the command that was entered in the HTML form is sent to the socket. If the command was consult, the additional parameter (param) is sent. Directly after that, the server response is read from the open socket.
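One way to validate the form's cmd and param values before they reach the middleware socket, as an added PHP example that is not the paper's listing 4. The one-line wire format, the CLP_BASE_DIR directory, the file-name rule and the function names are assumptions, since the paper only states that data is sent as raw text.

```php
<?php
declare(strict_types=1);

// Added illustration: wire format, directory and names below are assumptions.
const CLP_BASE_DIR = '/srv/clp';   // hypothetical directory holding the CLP programs
const COMMANDS = ['consult' => true, 'results' => false, 'stop' => false]; // name => takes param

/** Builds one request line from untrusted form input, or throws. */
function build_request(string $cmd, ?string $param = null): string
{
    if (!array_key_exists($cmd, COMMANDS)) {
        throw new InvalidArgumentException('unknown command');
    }
    if (!COMMANDS[$cmd]) {
        return $cmd . "\n";                       // results/stop ignore any param
    }
    // The middleware uses the consult path when it starts GNU Prolog through a
    // shell pipeline, so accept a bare file name only and anchor it in one directory.
    if ($param === null || preg_match('/\A[A-Za-z0-9_-]{1,64}\.pl\z/', $param) !== 1) {
        throw new InvalidArgumentException('invalid program name');
    }
    return $cmd . ' ' . CLP_BASE_DIR . '/' . $param . "\n";
}

/** Sends the request and returns the reply, escaped for the results area. */
function send_request(string $host, int $port, string $request): string
{
    $sock = @fsockopen($host, $port, $errno, $errstr, 3.0);
    if ($sock === false) {
        throw new RuntimeException("connect failed: $errstr");
    }
    stream_set_timeout($sock, 3);                 // do not hang the page on a slow server
    fwrite($sock, $request);
    $reply = stream_get_contents($sock, 65536);   // cap what gets rendered
    fclose($sock);
    return htmlspecialchars((string) $reply, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs standing in for $_GET; no socket is opened in this demo.
$samples = [
    ['cmd' => 'consult', 'param' => 'queens.pl'],
    ['cmd' => 'results'],
    ['cmd' => 'consult', 'param' => '../queens.pl'],
    ['cmd' => 'consult', 'param' => 'queens.pl | cat'],
    ['cmd' => 'restart'],
];
foreach ($samples as $get) {
    try {
        echo 'request: ', rtrim(build_request($get['cmd'], $get['param'] ?? null)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected (', $get['cmd'], '): ', $e->getMessage(), PHP_EOL;
    }
}
```

Validation in the PHP client does not protect the middleware from other clients that can reach its port, so the same checks belong in the server's command handling as well.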

PHP and GNU Prolog were successfully integrated. A small Test Application was developed and reviewed. Separation of the web front end and the GNU Prolog process is achieved, and the problem of web server timeouts is solved. The middleware server was written in ANSI C and is compiled to a native binary file. This is an advantage as far as performance is concerned, but for some users it could cause deployment difficulties. Currently the middleware server supports only limited functionality, and it forces the Prolog program implementation to present results as console output so that they can be read from the pipeline.

A. Future work

The server supports a single session. The obvious direction of development is to implement support for multiple sessions. In the described version the middleware server consults the goal top. The functionality of consulting different goals could be added. When the top consulting ends, the consult thread ends. During execution only the results are read; nothing is sent to the working CLP program. It is possible to implement two-way communication. A CLP program upload feature could also be implemented. It has been assumed that only a limited capacity is needed for a few variables; for example, the result length is limited to 5000 lines. Dynamic memory allocation could be developed for this case as well. An authorization mechanism could be added, and server logging could be improved. Other possibilities and needs could be identified during further tests and operation.