
I am using Lua to create a custom authentication layer for my backend services. Nginx is compiled with the Lua module and LuaJIT. It works fine. I would like to do some encryption of tokens that I am serving back in those Lua files and want no one to be able to read the plain-text source files. Can these Lua source files be compiled into a binary or obfuscated/encrypted in such a way that Nginx's access_by_lua_file directive is still able to load these compiled files? I know this is not a foolproof method, but it is better than plain text.

  • Who are you (trying) to protect this data from? – Etan Reisner Feb 24 '15 at 20:24
  • There are users who have access to the server on which the Lua source files are kept. This application is also given to some people in VMs to develop against this setup. – dev0z Feb 24 '15 at 20:30
  • [If people have access to your program, they can reverse engineer it, no matter what you do](http://stackoverflow.com/a/261727/646619). You can [compile the scripts to LuaJIT bytecode](http://luajit.org/running.html#opt_b), but that's for the most part a load-time benefit, and can be fairly easily decompiled by someone who's motivated enough. – Colonel Thirty Two Feb 24 '15 at 23:46
  • Ok, so it can be compiled to LuaJIT and fed to nginx. That's all I wanted to know. It's true that if someone is motivated they can reverse engineer any binary. The idea here was to not make it that obvious in plain text. Thanks! – dev0z Feb 24 '15 at 23:50

1 Answer


Lua strings are all present in the bytecode even in the absence of debugging info. Viewing a string stored in the code requires no motivation whatsoever.

$ luajit -be 'print("hello world")' hello.out
$ luajit hello.out
hello world
$ xxd hello.out 
0000000: 1b4c 4a01 0229 0200 0200 0200 0434 0000  .LJ..).......4..
0000010: 0025 0101 003e 0002 0147 0001 0010 6865  .%...>...G....he
0000020: 6c6c 6f20 776f 726c 640a 7072 696e 7400  llo world.print.
$ luajit -bl hello.out
-- BYTECODE -- hello.out:0-0
0001    GGET     0   0      ; "print"
0002    KSTR     1   1      ; "hello world"
0003    CALL     0   1   2
0004    RET0     0   1

If your plan was to hide the encryption tokens within the bytecode, I would suggest first devising a reversible method to use an obfuscated version of them stored within the plain text of the source code (e.g. shuffle the characters, perform arithmetic on them, etc.).

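To make the answer's point concrete, here is an added example (not code from the answerer or from the LuaJIT project) that reads a stripped LuaJIT 2.0 bytecode dump with nothing but the Python standard library: no `luajit -bl`, no `strings`, no debug info. The sample input is the 48 bytes from the `xxd hello.out` output above, copied byte for byte. The reader walks the header, the prototype header, the 4-byte instructions and the GC-constant table, then resolves which string each string-operand instruction refers to, reproducing the `; "print"` / `; "hello world"` annotations of the `-bl` listing. Assumptions: dump version 1 (LuaJIT 2.0, where `KSTR` = 37, `GGET` = 52, `TGETS` = 55 and so on; 2.1 renumbers the opcodes), a little-endian host, and only string and child-prototype constants in the table. Anything else raises rather than guessing.

```python
"""Minimal LuaJIT 2.0 bytecode-dump reader that lists every string constant.

Added example for the Q&A above; it is not the answerer's or LuaJIT's code.
Assumes dump version 1, little-endian, and only STR/CHILD GC constants.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The 48 bytes of `luajit -be 'print("hello world")' hello.out`, copied
# verbatim from the xxd output in the answer above.
SAMPLE_DUMP = bytes.fromhex(
    "1b4c4a01022902000200020004340000"
    "00250101003e00020147000100106865"
    "6c6c6f20776f726c640a7072696e7400"
)

BCDUMP_F_BE, BCDUMP_F_STRIP = 0x01, 0x02
BCDUMP_KGC_CHILD, BCDUMP_KGC_STR = 0, 5

# LuaJIT 2.0 opcodes whose D (or C, for TGETS/TSETS) operand is a string constant.
STRING_OPS = {6: "ISEQS", 7: "ISNES", 37: "KSTR", 45: "USETS",
              52: "GGET", 53: "GSET", 55: "TGETS", 58: "TSETS"}
STRING_IN_C = {55, 58}  # ABC-format ops: the string index lives in C


class Reader:
    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def u8(self) -> int:
        b = self.data[self.pos]
        self.pos += 1
        return b

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated dump")
        self.pos += n
        return chunk

    def uleb128(self) -> int:
        result, shift = 0, 0
        while True:
            b = self.u8()
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                return result
            shift += 7


@dataclass
class Proto:
    strings: List[str] = field(default_factory=list)
    refs: List[Tuple[int, str, str]] = field(default_factory=list)  # (pc, op, string)


def read_proto(r: Reader, stripped: bool) -> Proto:
    _flags, _numparams, _framesize, numuv = r.u8(), r.u8(), r.u8(), r.u8()
    numkgc, numkn, numbc = r.uleb128(), r.uleb128(), r.uleb128()
    sizedbg = 0
    if not stripped:                     # debug sizes only exist in unstripped dumps
        sizedbg = r.uleb128()
        if sizedbg:
            r.uleb128(); r.uleb128()     # firstline, numline
    ins = [r.take(4) for _ in range(numbc)]
    r.take(2 * numuv)                    # upvalue descriptors, not needed here
    kgc: List[Optional[str]] = []
    for _ in range(numkgc):
        tp = r.uleb128()                 # type tag; >= 5 means "string of length tp-5"
        if tp >= BCDUMP_KGC_STR:
            kgc.append(r.take(tp - BCDUMP_KGC_STR).decode("latin-1"))
        elif tp == BCDUMP_KGC_CHILD:
            kgc.append(None)             # reference to a previously read prototype
        else:
            raise NotImplementedError(f"KGC type {tp} not handled by this demo")
    for _ in range(numkn):               # numeric constants: skip (same byte layout as uleb128)
        isnum = r.data[r.pos] & 1
        r.uleb128()
        if isnum:
            r.uleb128()
    r.take(sizedbg)                      # debug info, if any
    proto = Proto(strings=[s for s in kgc if s is not None])
    for pc, raw in enumerate(ins, 1):
        op, _a, c, b = raw               # little-endian instruction word: OP A C B
        if op in STRING_OPS:
            idx = c if op in STRING_IN_C else c | (b << 8)
            # Constant index 0 is the LAST table entry written, hence the reversal.
            target = kgc[numkgc - 1 - idx]
            if target is not None:
                proto.refs.append((pc, STRING_OPS[op], target))
    return proto


def parse_dump(data: bytes) -> List[Proto]:
    r = Reader(data)
    if r.take(3) != b"\x1bLJ":
        raise ValueError("not a LuaJIT bytecode dump")
    version = r.u8()
    if version != 1:
        raise ValueError(f"dump version {version}; opcode table here is for version 1 (LuaJIT 2.0)")
    flags = r.uleb128()
    if flags & BCDUMP_F_BE:
        raise NotImplementedError("big-endian dumps not handled")
    stripped = bool(flags & BCDUMP_F_STRIP)
    if not stripped:
        r.take(r.uleb128())              # chunk name
    protos: List[Proto] = []
    while (length := r.uleb128()) != 0:  # a zero length terminates the dump
        end = r.pos + length
        protos.append(read_proto(r, stripped))
        if r.pos != end:
            raise ValueError("prototype length mismatch")
    return protos


def secrets_in(data: bytes) -> List[str]:
    """Every string constant in every prototype, in dump order."""
    return [s for p in parse_dump(data) for s in p.strings]


if __name__ == "__main__":
    for proto in parse_dump(SAMPLE_DUMP):
        print("string constants:", proto.strings)
        for pc, name, s in proto.refs:
            print(f"{pc:04d} {name:<6}; {s!r}")
```

Running it on the sample yields `['hello world', 'print']` and the two references `GGET -> "print"` and `KSTR -> "hello world"`, exactly what the `-bl` listing shows. Any token or key literal in the Lua source would surface the same way. The same applies to the reversible obfuscation the answer suggests: the decoding routine ships in the same dump, so the bar moves from reading the constant to running (or single-stepping) the code that reconstructs it.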