Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl Monk, Perl Meditation
 
PerlMonks  

Perl 'executable'

by perlte58 (Initiate)
on Oct 22, 2010 at 01:33 UTC ( #866689=perlquestion: print w/ replies, xml ) Need Help??
perlte58 has asked for the wisdom of the Perl Monks concerning the following question:

For security reasons, is there any way to deploy just a Perl 'executable' or 'binary'? Seems to me that deploying a Perl script -- which can be read and maybe hacked -- is risky.

Cheers!

Comment on Perl 'executable'
Re: Perl 'executable'
by marto (Bishop) on Oct 22, 2010 at 01:41 UTC
    You can package scripts using pp or similar, but you can't hide the source code. See perlfaq3.
Re: Perl 'executable'
by aquarium (Curate) on Oct 22, 2010 at 04:11 UTC
    Security through obscurity is hardly a good security measure. Micro$oft have been hiding their source code for how many years?..and how many trojans and viruses successfully get through that?
    wikipedia is a bunch of php scripts etc...it's a matter of truly understanding security issues, and always being vigilant.
    perhaps a useful visual comparison would be that to building a bridge over a chasm. a beginner instict for the "strongest" bridge would be a solid block of material spanning the gap. but instead a well designed series of arcs is stronger, and much more practical, and cheaper too. so too in security you need to evaluate the threats in terms of typical attacks, e.g. DOS attack, SQL injection, DNS poisoning, etc..well established vectors of attack. And for a little CGI script, you want to know that people can't read the script itself (over the web) and the CGI permissions don't end up giving them indirect access into the whole file system.
    the hardest line to type correctly is: stty erase ^H
Re: Perl 'executable'
by Marshall (Prior) on Oct 22, 2010 at 04:45 UTC
    If you use the recent ActiveState PerlApp tools, it is possible, but not very easy to decode what the application .exe is doing. If you are up to it and want to take on a challenge, /msg me and I'll send you an .exe for you to de-compile. I think this is difficult.

    In the open source arena, if the program is a good one, it doesn't matter whether or not you have access to the source or not - you won't "crack it". Meaning that even if you know all about how it works, you can't make it misbehave, typically because the O/S permissions won't allow it.

      "If you use the recent ActiveState PerlApp tools, it is possible, but not very easy to decode what the application .exe is doing. If you are up to it and want to take on a challenge, /msg me and I'll send you an .exe for you to de-compile. I think this is difficult."

      Agreed. The FAQ states it's possible, and advises against relying on perlapp for hiding sensitive data. I'm sure if one where to google seach this topic they'd find, if not a complete solution, a script to start the on the right track to "de-compile" the generated exe.

Re: Perl 'executable'
by Ratazong (Prior) on Oct 22, 2010 at 07:38 UTC

    ... deploying a Perl script -- which can be read ...

    shmem wrote a very high-ranked node on the topic of transforming perl-scripts to .exe-format to prevent them from being read: Uncool Use Of Perl: perl2exe. decompile quick steps. So please be aware of that risk (or rethink your security-approach)

    HTH, Rata
      shmem is right about perl2exe. PerlApp is more difficult. You won't find any text strings to display. In older versions, they just XOR'd the script with a fixed string. What they do now is more sophisticated and harder to figure out. But at some level of effort, it is possible to figure out. This is not NSA encryption!

      I figure a main question is would be what the OP is trying to protect against? Insertion of malicious code? "Stealing" his software?

Re: Perl 'executable'
by zentara (Archbishop) on Oct 22, 2010 at 12:40 UTC
    You could look at it the other way. When it's deployed as a binary, no one really can be sure what it is doing, without extensive effort. Whereas a conventional script can be easily scanned, to see what it is doing.

    If you want some security with a script, just have it's permissions and ownership set, and maybe do some cryptographic fingerprinting of it.

    I would be very suspicious of any binary I was asked to run, unless I compiled it myself.


    I'm not really a human, but I play one on earth.
    Old Perl Programmer Haiku ................... flash japh

      "I would be very suspicious of any binary I was asked to run, unless I compiled it myself."

      Really? I guess you must be running Gentoo then, and even then bootstrapped your own compiler from hand-written assembler in order to get the initial gcc working from code you trust.

      There are times when you just have to trust a binary whether you like it or not. Reflections on Trusting Trust has a valuable take on the issue.

      Paul
        I agree, but there are certain tradeoffs in trust. I do keep a watch over the software than comes in precompiled form.

        I make a distinction in trust levels.

        I would be more likely to trust a binary that comes from a prebuilt distribution, like Ubuntu; than from some perl hacker who claims he/she dosn't want me to see what the script does. There is just an obvious difference there in threat level.

        At least the distributions make their source packages available. Will the perl hacker make his uncompiled source script available to me?


        I'm not really a human, but I play one on earth.
        Old Perl Programmer Haiku ................... flash japh
Re: Perl 'executable'
by Xilman (Friar) on Oct 22, 2010 at 13:38 UTC

    One thing you can do is split your script into two parts — a client for which you give away the source code and a server which you keep adequately secure (you get to define "adequate") on a machine under your control.

    Assuming that server does something sufficiently valuable and sufficiently complex that your users find it easier and/or cheaper to use it than to circumvent your security mechanisms to read and/or hack your script, then you have achieved your stated goal.

    Paul

Re: Perl 'executable'
by bart (Canon) on Oct 24, 2010 at 08:59 UTC
    which can be read and maybe hacked
    You know, a pre-built .exe file doesn't have to be hacked, as it can just be replaced by any drop-in replacement program... And generally, nobody will know it has been replaced, without running it.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://866689]
Approved by marto
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (7)
As of 2014-12-19 05:10 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (70 votes), past polls