[ale] Perl Obfuscation
Keith R. Watson
keith.watson at gtri.gatech.edu
Thu Apr 21 10:10:57 EDT 2005
At 09:15 4/21/2005 -0400, you wrote:
>Aler's,
>
>I know we've discussed this before. I'm in need of a great Perl
>obfuscator program. I'm currently testing Acme::EyeDrops and
>Acme::Bleach. I'm also thinking about investing in a commercially
>available system. Anyone have suggestions of a good commercial program
>that can obfuscate my code without breaking it?
>
>I was leaning heavily on Acme::EyeDrops yesterday until I found out that
>it does not support programs that call die() automatically. Then if you
>want that support you need to turn it on when calling sightly(). Even
>with the switch on there still may be problems per the man page. We
>have some complicated programs many that use eval { } to wrap around
>database calls to protect against program death. We also have dies to
>kill a program when bad things go wrong. I need something that will
>hide this code without compromising the way it operates.
>
>Chris
>
Chris,
I found this in Perl FAQ 3 (it makes reference to Filter::* from CPAN). In
spite of what the FAQ says, I have included some possible solutions.
How can I hide the source for my Perl program?
Delete it. :-) Seriously, there are a number of (mostly unsatisfactory)
solutions with varying levels of ``security''.
First of all, however, you can't take away read permission, because the
source code has to be readable in order to be compiled and interpreted.
(That doesn't mean that a CGI script's source is readable by people on the
web, though--only by people with access to the filesystem.) So you have to
leave the permissions at the socially friendly 0755 level.
Some people regard this as a security problem. If your program does
insecure things and relies on people not knowing how to exploit those
insecurities, it is not secure. It is often possible for someone to
determine the insecure things and exploit them without viewing the source.
Security through obscurity, the name for hiding your bugs instead of fixing
them, is little security indeed.
You can try using encryption via source filters (Filter::* from CPAN), but
any decent programmer will be able to decrypt it. You can try using the
byte code compiler and interpreter described below, but the curious might
still be able to de-compile it. You can try using the native-code compiler
described below, but crackers might be able to disassemble it. These pose
varying degrees of difficulty to people wanting to get at your code, but
none can definitively conceal it (true of every language, not just Perl).
If you're concerned about people profiting from your code, then the bottom
line is that nothing but a restrictive license will give you legal
security. License your software and pepper it with threatening statements
like ``This is unpublished proprietary software of XYZ Corp. Your access to
it does not give you permission to use it blah blah blah.'' We are not
lawyers, of course, so you should see a lawyer if you want to be sure your
license's wording will stand up in court.
Here are some ideas:
Compile it
http://www.indigostar.com/perl2exe.htm
pENC - Can encrypt Perl Source code multiple times. Each iteration produces
a license file that is required for the encrypted program to run.
http://www.p3ptools.com/index.php?category=pENC
Perlguardian - Encrypt Perl scripts, modules and run them only in one
specific domain name, also set up the expiry date for scripts.
http://www.perlguardian.com/
PerlSafe - Protects Perl source code by generating binary executables from
scripts. It's currently available for Linux and OpenBSD x86 based
platforms. By MadLogic, Inc.
http://www.madlogic.com/perlsafe.html
WWS Perl Protector - Allows you to encrypt Perl source code and Perl modules,
making them very difficult to modify or steal.
http://www.webwapstudio.com/PerlProtector.html
Here's an article on rolling your own encrypted script
http://archives.neohapsis.com/archives/sf/www-mobile/2003-q1/0111.html
WWC - The World Wide Perl Coder allows you to encrypt your Perl source
code. (this one may be free)
http://www.worldwidecreations.com/perlcoder.htm
iWeb Toolkit: Perl Source Code Obfuscator (this looks like an on line
obfuscator)
http://www.searchengineforums.com/tools/perl-encrypt/
Stunnix Perl-obfus - the obfuscator for Perl source code
http://www.stunnix.com/prod/po/overview.shtml
You might consider posting your question on the Atlanta Perl Mongers list too.
http://pompeii.mvrateshop.com/public/apm/
atlanta-pm at mail.pm.org
hope this helps,
keith
--
Keith R. Watson GTRI/ISD
Systems Support Specialist III Georgia Tech Research Institute
keith.watson at gtri.gatech.edu Atlanta, GA 30332-0816
404-894-0836
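
Added example, not part of the original post or of any product listed above: a behaviour check for the die()/eval { } concern raised in the question. It runs a constructed sample script and two hypothetical stand-ins for obfuscator output (hex-packed source run through a string eval, with and without re-raising $@), then compares stdout, stderr and whether the process failed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

my $dir = tempdir(CLEANUP => 1);

# Constructed sample program: eval {} guards a failing "database call",
# then a fatal die() must still terminate the script with an error.
my $original = <<'PERL';
my $ok = eval { die "db: connection lost\n"; 1 };
print "recovered from: $@" unless $ok;
die "fatal: cannot continue\n";
PERL

# Stand-ins for obfuscator output (hypothetical, not any product's format):
# the source is hex-packed and executed through a string eval.
my $hex = unpack 'H*', $original;
my %variant = (
    'eval, no rethrow' => qq{eval pack 'H*', '$hex';\n},
    'eval + rethrow'   => qq{eval pack 'H*', '$hex';\ndie \$\@ if \$\@;\n},
);

# Run one script in a child perl and return its observable behaviour:
# stdout, stderr, and a flag saying whether the exit status was non-zero.
sub observe {
    my ($name, $code) = @_;
    (my $base = $name) =~ s/\W+/_/g;
    my ($script, $errfile) = ("$dir/$base.pl", "$dir/$base.err");
    open my $fh, '>', $script or die "write $script: $!";
    print {$fh} $code;
    close $fh or die "close $script: $!";
    my $stdout = `"$^X" "$script" 2>"$errfile"`;
    my $failed = $? != 0 ? 1 : 0;
    open my $eh, '<', $errfile or die "read $errfile: $!";
    my $stderr = do { local $/; <$eh> } // '';
    return join "\x1e", $stdout, $stderr, $failed;
}

my $baseline = observe('original', $original);
for my $name (sort keys %variant) {
    my $same = observe($name, $variant{$name}) eq $baseline;
    printf "%-18s %s\n", $name, $same ? 'matches original' : 'BEHAVIOUR CHANGED';
}
```

To test a real tool, replace the stand-in strings with that tool's output for the same input script and add one case per failure path that matters.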