Folks,
We have an intriguing technical challenge. How to write a secure audit file that tracks usage of a software so license fees can be based on usage thereby making it more affordable to those who use it less.
Specifically, TickZoom sells a alpha generation trading platform for hedge funds which presently costs $2,000/month to license including support (will increase soon to more than double). That's fine for institutions but too expensive for individuals. Individuals often ask for a lower price in exchange for a % of the profits made using the software until they can afford to pay the fixed fees.
We like that proposal. But we need a reliable way to audit the profit actually generated on the platform and a way to prevent users from "gaming" it by deleting or overwriting the audit file thereby reporting lower earnings than actual.
This application is written in C# and this portion of the system is obfuscated at least making it difficult to decipher the code.
The other requirement is write to the file for every trade that occurs so as to allow for more in depth auditing in the event that the user feels there is some discrepancy in the total fee. That way, individual trade profits can be compared with broker statements.
It is, of course, assumed that the file will be encrypted.
But any ideas on how to make it "tamper proof"? Especially against a simple delete attempt?
My first guess is to make the software always require a preexisting audit file or it will refuse to run.
Then when we deliver the software it gets packaged with an "empty" audit file but which, in fact, has some kind of tamper-proof verification.
The next obvious technique users might try to "tamper" with the file would be for someone to simply backup that original "empty" file and later use it to overwrite the audit file later thereby fooling the system into thinking that it was a fresh start.
Perhaps that can be resolved by included some kind of "last update timestamp" and an expiration time.
Also, totally different solution ideas are welcome. We might be forced in this case to add a "phone home" ability so that trades get logged to our central server. But that seems disadvantageous and potentially adds another failure point in a mission critical application. Generally they greatly dislike "phone home" features with obvious good reasons.
Sincerely, Waynek