-1

I wrote a Python program for the company I am employed at. We want to bring this code (along with other code) onto customers' server. My boss wants the code secured so that the customer cannot read the code. I know that other people have asked similar questions:

How do I protect Python code?

and the answer so far has been "it cannot be done, use legal measures like NDAs". On the one hand this is hard to believe, on the other hand my boss still wants it, not just legal measures (and honestly, I want it too). A colleague suggested this, which could be other code than Python as well and also databases and whatnot, so it would be more all-purpose than solutions just tailored to Python:

Put all the code into a "box", encrypt the box and make it so that the box can only be decrypted into memory, where the code will be interpreted.

This sounds legit to me. It might be possible for the client to read the content while the program is in memory, but this sounds like a lot of work and not worth the effort for the client.

How could this approach be implemented in practice?

Make42
  • You could make a hook for import to decrypt python files based on an API key, but again, due to the inspection that's possible in python, I don't think this will necessarily prevent anyone from reverse-engineering it – C.Nivs Jan 27 '20 at 18:58
  • 1
    "but this sounds like a lot of work and not worth the effort." Nope, that's a piece of cake. – Klaus D. Jan 27 '20 at 19:00
  • Since the customer owns the execution platform, the customer has privilege to inspect the memory during execution. There are plenty of disassemblers and decompilers to handle the decryption job from there. – Prune Jan 27 '20 at 19:05
  • 1
    So, why are people downvoting this question to negative? It seems as if "I can't answer the question and know Python" is the criteria for downvotes? – Charles Merriam Jan 28 '20 at 19:06

2 Answers

1

Sometimes you need to figure out what effect your boss wants instead of the boss' request.

Python made an early design choice to prevent information hiding in order to make better development tools available. This breaks most pure Python schemes.

Also, all these systems can be broken with different levels of effort. The most common mechanisms for protection:

  • Talk to the mothership: require an Internet connection and a system you guarantee to keep up (against DDoS attacks, etc.) such that the program needs to talk to the mothership to run. Sometimes logging in does something as simple as passing back the current date so that using pirated software is possible but really annoying. Other configurations have significant code running only on the server.
  • Subvert Python: you can screw around with import hooks, decrypt some string and eval it, screw around with custom codecs, run code obfuscators, etc. The problem is these always cause errors, errors are hard to debug, and users no longer give you the nice stacktrace of what other errors occurred.
  • Configure Customer Name: Your configuration file with the customer name uses some cryptographic check-sum.

So, the general answer is no. Use contracts and stay out of China.

Charles Merriam
  • How is "talk to the mothership" of any help? If one can see the code - you can just eliminate just that part or mock the talking. The only way this is helpful is if the mothership actually provides functionality. But in this case it might as well do *all* of the work. – Make42 Aug 31 '20 at 10:34
  • The mothership does need to do work. Typical uses are providing some critical information, e.g., the customer name block that was encrypted with today's date. With work, you can craft new code to have the customer name loaded unencrypted and used unencrypted. Everything is "protect for penny of prevention to make subversion a pound of effort." – Charles Merriam Sep 10 '20 at 22:03
1

box can only be decrypted into memory, where the code will be interpreted

If the key is located on the client's side, from the security perspective the encryption is pointless.

You may still obfuscate your code to make it less readable, but it is still only obfuscation.

this sounds like a lot of work and not worth the effort.

That may be a good estimation. I believe this is one of the reasons why SaaS and APIs are so popular these days.

gusto2
  • Maybe there is a misunderstanding: I meant that it would not be worth the effort for the client to get the code out of memory, not for us as the programmers ;-). – Make42 Jan 28 '20 at 13:57
  • If I cannot use SaaS (e.g. no internet connection in a production plant), would it be a good idea to build a different "box" (some sort of virtual machine), install my code in there and give it an external REST API or something like that? This would sort of simulate SaaS. Would that be a valid approach? It is sort of a mix of the approach of my question and your SaaS approach. – Make42 Jan 28 '20 at 19:52
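
The "box" from the question, sketched as an added example (not code from the post or from either answer): an import hook decrypts a module into memory only, and the last function shows why the answers call this obfuscation rather than protection. KEY, BOX, vendor_logic and the SHA-256 keystream (a stand-in for a real cipher such as AES-GCM) are assumptions made for the illustration.

```python
import hashlib
import importlib.abc
import importlib.util
import sys

KEY = b"constructed-demo-key"  # assumption: has to ship with the product so the box can open

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode); XOR makes it its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

# Constructed sample: the vendor's "secret" module, encrypted at build time.
SECRET_SOURCE = "RATE = 0.07\ndef price(net):\n    return round(net * (1 + RATE), 2)\n"
BOX = {"vendor_logic": keystream_xor(KEY, SECRET_SOURCE.encode())}

class BoxFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Import hook: decrypts a module from BOX into memory, never onto disk."""
    def find_spec(self, name, path=None, target=None):
        if name in BOX:
            return importlib.util.spec_from_loader(name, self)
        return None

    def exec_module(self, module):
        source = keystream_xor(KEY, BOX[module.__name__]).decode()
        exec(compile(source, f"<box:{module.__name__}>", "exec"), module.__dict__)

def load_protected():
    """Install the hook once and import the encrypted module through it."""
    if not any(isinstance(f, BoxFinder) for f in sys.meta_path):
        sys.meta_path.insert(0, BoxFinder())
    import vendor_logic  # resolved by BoxFinder, not from the filesystem
    return vendor_logic

def what_the_customer_sees(module):
    """What is visible to anyone who can run Python in the same process."""
    public = {k: v for k, v in vars(module).items() if not k.startswith("__")}
    return {
        "names": module.price.__code__.co_names,  # identifiers the function uses
        "globals": public,                        # live values, e.g. RATE
        # The key is on the customer's machine, so the box itself opens too:
        "recovered_source": keystream_xor(KEY, BOX[module.__name__]).decode(),
    }
```

The loaded module behaves like any other import, which is exactly why the standard introspection attributes and the shipped key expose it.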