Re: protecting perl script source

From: John Hanna (jhannaat_private)
Date: Fri Jan 24 2003 - 12:01:20 PST

Next message: Valdis.Kletnieksat_private: "Re: Standards for developing secure software"

Previous message: frank @ absoluta.org ( Frank Ned ): "Re: protecting perl script source"
In reply to: frank @ absoluta.org ( Frank Ned ): "Re: protecting perl script source"
Next in thread: Dr. Ernst Molitor: "Re: protecting perl script source"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Unfortuantely perl2exe provides no real security. The perl byte code is
easily stripped out of the resulting file, and there are a number of nifty
ways to convert perl bytecode back into source, even preserving label names.
Perl2exe makes it easier to distribute perl applications (ie without having
to distribute perl).

Another previously proprosed approach is obfuscation. (Obfuscated perl code
is an art form at www.perlmonks.org.) However perl even provides a module to
produce beautifully indented source from the internal bytecode -- the
developers use it to check their work.

john


----- Original Message -----
From: "frank @ absoluta.org ( Frank Ned )" <frankat_private>
To: "John Hanna" <jhannaat_private>
Cc: <secprogat_private>
Sent: Friday, January 24, 2003 11:44 AM
Subject: Re: protecting perl script source


> www.perl2exe.com
>
> John Hanna wrote:
> >
> > Hi. Let's assume someone wrote a perl script that figured out how to
make a
> > lot of money on the stock market, but that they wanted to protect the
script
> > because if others began using it, it would dimish its returns. The new
> > millionaire would want to protect her creation, but it has to run on a
> > computer with access to the internet. She puts it on a box which she
tries
> > to keep patched, it's behind a firewall, and only root has access to the
> > scripts. The scripts need to run unattended, and the system needs to
boot
> > unattended. She fears two things: a remote root vulnerability, and that
> > someone would physically walk off with the box.
> >
> > My impression is that under these conditions, besides vigilance,
limiting
> > running processes, working on physical security, keeping up on patches,
> > possibly some sort of IDS -- there really isn't anything she can do to
> > protect the source. If it's booting unattended, and running scripts
> > unattended there's no sort of crypto strategy that could protect either
> > against an intruder with root access or physical access to the hard
drive.
> >
> > What do you think?
> > John

Next message: Valdis.Kletnieksat_private: "Re: Standards for developing secure software"
Previous message: frank @ absoluta.org ( Frank Ned ): "Re: protecting perl script source"
In reply to: frank @ absoluta.org ( Frank Ned ): "Re: protecting perl script source"
Next in thread: Dr. Ernst Molitor: "Re: protecting perl script source"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 12:30:53 PST