Member Avatar for PC_Nerd

Hi,

Firstly Ill say that I'm a comlete newbie to perl, and this is more of an investigation question than a code one.

I want to use perl for a CGI script- however I need the source code to be completely closed source - so that users cant decompile it ( I plan to distribute it and it would be a security issue if the source code got out). I understand that perl can be compiled into bytecode, but I read somewhere that you can just as easily decompile the bytecode.

If you can easily decompile it are there any other solutions for keeping the source closed, while being able to be platform independant?

I have alot of experience with python and my understanding is that its much harder to decompile php's bytecode than it is with perl.

Thanks for your help,
PC_Nerd

  • 4 Contributors
  • 11 Replies
  • 1K Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by PC_Nerd
Member Avatar for Salem

> I plan to distribute it and it would be a security issue if the source code got out
Security through obscurity isn't
If you set up a big enough target, then the secrets you hide inside your code will be found out.

Member Avatar for PC_Nerd

So what exactly do you mean by that? - I dont understand you.

Member Avatar for Murtan

The first point was a link to an article that describes why the concept of 'security through obscurity' was false. (The concept that just because you aren't telling anyone about how you do something that it is therefore secure.)

The second half about the 'big enough target' refers to the fact that if there is a big enough reward, someone will put in the effort required to break any security.

Member Avatar for Salem

If you've got a secret, then hiding it in the source code will not work.

a) you don't know how long it will be before someone cracks it.
b) worse, you don't know how long they knew how to crack it, before you found out.
Say it takes a year for you to find out it's been cracked, but the crack has been known for 11 months. You've had 1 month of security, and 11 months of problems.

Perhaps begin with a description of the problem, and not a description of how to make your solution secure.

For example, what's the application?
Defending against kiddies trying to improve their rank on an online game is a completely different problem to defending state secrets from the likes of the NSA.

Member Avatar for PC_Nerd

Yup - I completely understand the fact that if someone really wants to crack the source they can. What im trying to do is to make that as diffucult as possible.

Im trying to secure a php through a CGI, which will provide a password to the script instead of loading it from a file - I mean sure its still not perfect, but if its a C++ compiled cgi then its better than raw source code yes?

anyway - is there a direct/well known method for decompiling perl CGI scripts ( and if anyone knows is there a similar weakness in C++/C cgi scripts?).

Thanks

Member Avatar for Salem

> Im trying to secure a php through a CGI, which will provide a password to the script instead of loading it from a file
Most people seem to use https to establish a secure connection between the server and the remote user. Could this be used here?

> is there a direct/well known method for decompiling perl CGI scripts
Well known to whom?
The CGI hackers fraternity - possibly?
"Joe Plumber" - probably not.

But we've already established that saving your secret in the script is a waste of time. You need an alternative design which avoids the problem altogether.

> and if anyone knows is there a similar weakness in C++/C cgi scripts
The ability to reverse engineer something has little to do with the implementation language.
Besides, C++ (and expecially C) is far harder to work with in the sense that you have to take responsibility for a lot of memory management issues. Which is basically a way of saying that you're wide open to buffer overflow exploits unless you're really REALLY careful.
All machine translation from a higher-level to a lower-level follow patterns which are easy (for those who know what to look for) to pick up on, and from that figure out a lot of what is happening.

Member Avatar for PC_Nerd

Ok,

I completely understand that to compile the code is no sure means to secure it - because as you said if someone wants it enough they will get in.

What I am asking is "Is there a specific method that comes with the perl compiler that decompiles the code just as easily?".

From my knowledge C++ doesnt have a specific decompiler, it is just hacked by hackers. Is this the same for perl or is there a perl --decompile file.pl option or somethign to that effect?

Thanks

Member Avatar for KevinADC

Well, I doubt there is a way to do it that is completely cross platform independent. Each perl version and even the same version for different operating systems and even the same version of perl for the same operating system but a different version of the operating all have quirks. Your chances of success are low.

Member Avatar for PC_Nerd

Ok thanks,

Do you know of any other alternatives to perl/CGI etc that means my code is secure but still cross platform?

Thanks

Member Avatar for KevinADC

Your question, as has been well answered, makes no sense. Any code you distribute will not be secure.

The code will be of no interest to anyone that is not a code cracker but just wants to use the program. And no amount of encoding or obfuscating your code will be enough to hide it from anyone that wants to crack it. There is virtually nothing in between those two ends of the spectrum. You will be protecting your code only from the first group of people that have no interest in the code in the first place.

Member Avatar for PC_Nerd

Ok thanks

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.