perl.perl5.porters | Postings from October 2003

Re: How to tell if Perl has -DDEBUGGING?

From: Steve Hay
Date: October 24, 2003 09:46
Subject: Re: How to tell if Perl has -DDEBUGGING?
Message ID: 3F9957CF.20906@uk.radan.com

Nicholas Clark wrote:

>On Fri, Oct 24, 2003 at 05:14:55PM +0100, Steve Hay wrote:
>
>>I was looking at the Filter::decrypt module as a means of encrypting
>>source code.  (And I don't want a flame war about the ethics or merits
>>of doing that.)
>
>Indeed. It would be off topic for p5p. Probably even off topic for
>advocacy.
>
>
>>The documentation suggests statically linking the Filter::decrypt 
>>extension against a non-DEBUGGING Perl.  I don't want to statically link 
>>it, but I don't want people (devious miscreants or otherwise) to take 
>>the dynamically linked module and slap it into their DEBUGGING Perl and 
>>start hacking either.
>>
>>It occurred to me that if the module knew for sure whether or not the 
>>Perl in question was a DEBUGGING Perl then the dynamically linked plan 
>>is a little safer.
>
>I don't think that you can know for sure, because someone versed in the
>perl source can always bugger about with their interpreter until they
>find a way to convince your module that -DDEBUGGING isn't set when it
>is. (And one can set -g without -DDEBUGGING if one Configures by hand).
>
>However, you should be able to outdo everyone who has to use a precompiled
>perl (er from regular sources), plus anyone who isn't knowledgeable enough
>to modify the sources before compiling their own.
>
>As with every attacker/defender situation, you can't win. You have to keep
>all the holes plugged to stay in the game. They only have to find one hole
>to win. Plus they work in parallel. But hopefully beating most people is
>good enough for your purposes.
>
Yep, I think your trick will be fine (once I've figured out how to do
it in the XS :)

And as the Filter::decrypt manpage itself says, "a decryption filter can 
never provide complete security against attack" anyway.  I accept that 
people can always get the code if they *really* want it, but I'd like 
them to have to work for it a bit.  Simply running the code under a 
(standard) DEBUGGING Perl is way too easy.

- Steve

