BookmarkSubscribeRSS Feed
SASMeister
Calcite | Level 5

Hi,

we are working on distributing a SAS application. With SAS application we mean a bunch of SAS programs containing Base SAS Procedures / Datasteps / Macros) and some SAS tables. We want to make sure that nobody can steal our intellectual property. So far we have come up with the usual solution of using compiled macros to hide source code, and with encrypting and password protecting SAS datasets/tables.

 

Now we realize that we are using formats generously in the application, and they contain some of our key intellectual property.

We have googled around a bit: there seems to be neither encryption nor password protection for SAS catalogs (i.e. for format entries in formats.sas7bcat)

 

We think that a MALICIOUS_USER could copy the SAS formats while the program is running and – with some work – figure out some of our - er – secrets.

 

So far we are thinking along two lines:

 

1) We could do some aggressive setting up and deleting of formats within the SAS code

 

2) Is there a way to load the SAS formats into memory (RAM) for the duration of a SAS session (or even only for the duration of a Data step or Proc step and deleting the SAS macro catalog?

 

Any ideas and suggestions would be appreciated.

 

Yours truly,

SASMeister

(currently not feeling like a SASMeister)
 

Note: We have

SAS (r) Proprietary Software 9.4 (TS1M3)

This session is executing on the X64_SRV12 platform (Windows Server 2012 R2 Standard / 64-bit Windows)

 

Late addition:

Re: my thinking line #2: I thought of a way to test if a format can be used in absence of its FORMATS catalog.

The answer is NO. Run the attached code to see for yourself...

4 REPLIES 4
Kurt_Bremser
Super User

In times like this, I'd supply the application as a webapp (stored processes) where users only have access to the web interface.

SAS itself is, typical for older mainframe applications (and any interpreting system) an open source and collaborative environment, where code is quite freely shared. Just look at this forum.

SASMeister
Calcite | Level 5

Hi Kurt,

thanks for your reply - with which I agree in principle. I am posting this on behalf of one of our departments, and they have special needs.

 

 

SASKiwi
PROC Star

If you have a department with special security needs then a full SAS security audit may be required, if you aren't in the process of doing one already. This would look at:

 

  • SAS data in-flight - securing and encrypting SAS network traffic and in memory
  • SAS data at rest - securing and encrypting SAS files and data on disk
  • Securing the SAS environment - firewalls, VPN, SAS user access etc. 

 

I'd recommed getting expert security advice from SAS or a recognised partner.

SASKiwi
PROC Star

One option to explore would be to dictate that ALL user-written SAS formats must be created in the SAS WORK library only from SAS source code for every job. This means the FORMAT catalogs only exist for that SAS session and only the user or an administrator would have access to that WORK directory.

hackathon24-white-horiz.png

The 2025 SAS Hackathon has begun!

It's finally time to hack! Remember to visit the SAS Hacker's Hub regularly for news and updates.

Latest Updates

How to Concatenate Values

Learn how use the CAT functions in SAS to join values from multiple variables into a single value.

Find more tutorials on the SAS Users YouTube channel.

SAS Training: Just a Click Away

 Ready to level-up your skills? Choose your own adventure.

Browse our catalog!

Discussion stats
  • 4 replies
  • 1267 views
  • 3 likes
  • 3 in conversation