Last week, we released the first open-source library to obfuscate VPAX files: the Vpax-Obfuscator, also available as a NuGet package and as a command line tool (CLI).
While the VPAX file contains only metadata and no data, some of the metadata could be considered sensitive in certain scenarios: table and column names, measure definitions, or other DAX expressions like row-level security.
The Vpax-Obfuscator library can be integrated into any tool that employs the VertiPaq-Analyzer library. The purpose of the Vpax-Obfuscator library is to obfuscate all the names of columns, measures, and tables of a Tabular semantic model, making the DAX code unreadable to a human but still consistent for tools like DAX Optimizer.
The obfuscation process involves replacing the original names of tables, columns, and measures with generated identifiers that have no semantic meaning. This transformation is systematically applied across the entire VPAX file, ensuring the altered code remains consistent and functional for analysis tools. The obfuscation process generates two files: the obfuscated VPAX file and a dictionary file (.dict) that maps the original names to their obfuscated counterparts. Without the dictionary, the VPAX file is extremely hard to read: this feature can help those companies that have critical model metadata requiring an additional layer of security.
The dictionary (.dict) file is the key to translating the obfuscated code back into its original, human-readable form. It ensures that only the user who performed the obfuscation can decode the obfuscated information.
The obfuscated names are generated differently every time you obfuscate a VPAX file. However, the library supports incremental obfuscation to keep the same obfuscated names across different VPAX versions of the same model: this allows tools like DAX Optimizer to keep track of the issues ignored in previous versions of the VPAX file, without losing the corresponding features in DAX Optimizer.
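The renaming, dictionary and incremental behavior described above can be illustrated with a short Python example added here; it is not the Vpax-Obfuscator source and does not reproduce its algorithm or its .dict format. The token regex, the `X`-prefixed random names, the choice to leave string literals unchanged and the sample DAX are all assumptions of this example.

```python
import re
import secrets

# Constructed sample measures (not taken from a real model).
SAMPLE_V1 = "CALCULATE ( SUM ( 'Sales Data'[Amount] ), Customer[Country] = \"Italy\" )"
SAMPLE_V2 = "DIVIDE ( SUM ( 'Sales Data'[Amount] ), SUM ( 'Sales Data'[Quantity] ) )"

TOKEN = re.compile(
    r'"(?:[^"]|"")*"'                 # string literal: matched first, left as-is
    r"|'(?P<qt>(?:[^']|'')+)'"        # quoted table name
    r"|(?P<ut>[A-Za-z_]\w*)(?=\[)"    # unquoted table name before [column]
    r"|\[(?P<br>(?:[^\]]|\]\])+)\]"   # [column] or [measure]
)

def _rename(expr, lookup):
    """Rewrite every table/column/measure reference through lookup()."""
    def sub(m):
        if m.group("qt") is not None:
            return "'" + lookup(m.group("qt")) + "'"
        if m.group("ut") is not None:
            return lookup(m.group("ut"))
        if m.group("br") is not None:
            return "[" + lookup(m.group("br")) + "]"
        return m.group(0)  # string literal, unchanged in this example
    return TOKEN.sub(sub, expr)

def obfuscate(expr, dictionary=None):
    """Return (obfuscated_expr, dictionary).

    Passing the dictionary from an earlier run is the incremental mode:
    known names keep their identifiers, only new names get fresh ones.
    """
    mapping = dict(dictionary or {})
    # DAX names are case-insensitive, so look them up case-folded.
    index = {k.casefold(): v for k, v in mapping.items()}
    def lookup(name):
        key = name.casefold()
        while key not in index:
            candidate = "X" + secrets.token_hex(4).upper()
            if candidate not in mapping.values():  # avoid collisions
                mapping[name] = index[key] = candidate
        return index[key]
    return _rename(expr, lookup), mapping

def deobfuscate(expr, dictionary):
    """Restore original names; impossible without the dictionary."""
    reverse = {v: k for k, v in dictionary.items()}
    return _rename(expr, lambda n: reverse.get(n, n))
```

Calling `obfuscate(SAMPLE_V2, d1)` with the dictionary returned for `SAMPLE_V1` reuses the existing identifiers and adds a single new entry for `Quantity`.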
Because the source code of Vpax-Obfuscator is publicly available:
- Companies can run their own audit to ensure that the obfuscated code cannot be decoded or reverse-engineered without the .dict file.
- It is possible to customize the obfuscation algorithm and generate VPAX files that are obfuscated with different techniques.
This technology will help companies to get remote assistance without disclosing sensitive information in the model metadata.