Re: protecting perl script source

From: John Hanna (jhannaat_private)
Date: Fri Jan 24 2003 - 12:01:20 PST


    Unfortunately perl2exe provides no real security. The perl byte code is
    easily stripped out of the resulting file, and there are a number of nifty
    ways to convert perl bytecode back into source, even preserving label names.
    Perl2exe makes it easier to distribute perl applications (i.e. without having
    to distribute perl).
    
    Another previously proposed approach is obfuscation. (Obfuscated perl code
    is an art form at www.perlmonks.org.) However perl even provides a module to
    produce beautifully indented source from the internal bytecode -- the
    developers use it to check their work.
    
    john
    
    
    ----- Original Message -----
    From: "frank @ absoluta.org ( Frank Ned )" <frankat_private>
    To: "John Hanna" <jhannaat_private>
    Cc: <secprogat_private>
    Sent: Friday, January 24, 2003 11:44 AM
    Subject: Re: protecting perl script source
    
    
    > www.perl2exe.com
    >
    > John Hanna wrote:
    > >
    > > Hi. Let's assume someone wrote a perl script that figured out how to make a
    > > lot of money on the stock market, but that they wanted to protect the script
    > > because if others began using it, it would diminish its returns. The new
    > > millionaire would want to protect her creation, but it has to run on a
    > > computer with access to the internet. She puts it on a box which she tries
    > > to keep patched, it's behind a firewall, and only root has access to the
    > > scripts. The scripts need to run unattended, and the system needs to boot
    > > unattended. She fears two things: a remote root vulnerability, and that
    > > someone would physically walk off with the box.
    > >
    > > My impression is that under these conditions, besides vigilance, limiting
    > > running processes, working on physical security, keeping up on patches,
    > > possibly some sort of IDS -- there really isn't anything she can do to
    > > protect the source. If it's booting unattended, and running scripts
    > > unattended there's no sort of crypto strategy that could protect either
    > > against an intruder with root access or physical access to the hard drive.
    > >
    > > What do you think?
    > > John
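
The point made in the reply above about obfuscation, as an added example that is not part of the original thread: the core B::Deparse module regenerates indented source from compiled code, so layout obfuscation protects nothing that perl itself has to execute. The sample routine, its threshold value and all variable names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): source whose layout has
# been stripped is compiled, then regenerated from the op tree.
use strict;
use warnings;
use B::Deparse;

# Constructed sample: a "protected" routine squeezed onto one line.
# The 0.0375 threshold and the BUY/SELL/HOLD strings stand in for the
# logic the owner wants to keep private.
my $obfuscated = 'sub{my($p,$a)=@_;my $k=0.0375;'
               . 'return $p>$a*(1+$k)?"SELL":$p<$a*(1-$k)?"BUY":"HOLD"}';

# Compile it, as perl must do with any script before running it.
my $code = eval $obfuscated;
die "compile failed: $@" unless ref $code eq 'CODE';

# The routine still behaves as written.
print "decision at 110 vs avg 100: ", $code->(110, 100), "\n";

# B::Deparse walks the compiled op tree and emits source text again.
my $deparse   = B::Deparse->new('-si4');    # -si4: indent by 4 columns
my $recovered = $deparse->coderef2text($code);
print "sub $recovered\n";

# Report which private details are present in the regenerated text:
# the numeric constant, a lexical variable name, a string literal.
for my $needle ('0.0375', '$k', 'SELL') {
    my $found = index($recovered, $needle) >= 0;
    printf "%-8s %s\n", $needle, $found ? 'present' : 'absent';
}
```

The practical consequence matches the thread: anyone who can read the file perl runs can read the logic, so access control on the host and not the file format is what limits exposure.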
    



    This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 12:30:53 PST