obviscating python code for distribution

Chris Angelico rosuav at gmail.com
Wed May 18 14:07:25 EDT 2011


On Thu, May 19, 2011 at 3:40 AM, geremy condra <debatem1 at gmail.com> wrote:
> Just a note: you can do many cool things to prevent the last from
> working, assuming you're talking about RSA fault injection attacks.

Sure. Each of those caveats can be modified in various ways; keeping
checksums of everything in memory, encrypting stored data with
something that isn't stored on that computer, etc, etc, etc. But in
terms of effort for gain, it's not usually worth it. However, it is a
good idea to be aware of your caveats; for instance, are you aware
that most Linux systems will allow a root login from another file
system (eg a live-boot CD) to access the hard drive read-write,
regardless of file ownership and passwords? (My boss wasn't, and was
rather surprised at how easily it could be done.)

>> But mainly: Don't panic about the really really obscure attack
>> possibilities...
>
> Just one caveat I would add to this: make sure you're drawing this
> line at the correct place. If your attack model is wrong things have a
> tendency to drop from 'impossible' to 'laughably easy' in a hurry.

Absolutely. Sometimes it's worth scribbling comments in your code like:
/* TODO: If someone tries X, it might cause Y. Could rate-limit here
if that's an issue. */
Then, you keep an administrative eye on the production code. If you
start having problems, you can deal with them fast, rather than having
the ridiculous situation of security issues lingering for months or
years before finally getting a band-aid solution.

>> Test your server by connecting with a basic TELNET client...
>
> I actually like to use scapy a lot. It's a little slow, but you can
> really get down deep and still feel sort of sane afterwards, and it
> makes it easier on you if you don't need to go all the way to the
> metal.

Sort of sane? I lost that feeling years ago. :) When I'm working on
Windows, I'll sometimes use SMSniff for packet sniffing, but
generally, I just stick with high level socket services and depend on
the underlying libraries to deal with malformed packets and such. On
Linux, I generally whip up a quick script to do whatever job on the
spot (Python and Pike are both extremely well suited to this), but on
Windows, I use my MUD client, RosMud, which has a "passive mode"
option for playing the part of the server.

Chris Angelico



More information about the Python-list mailing list