Securely distributing python source code as an application?

Discussion in 'Python' started by xkenneth, Dec 7, 2007.

  1. xkenneth

    xkenneth Guest

    Hi All,

    I'll shortly be distributing a number of python applications that
    use proprietary. The software is part of a much larger system and it
    will need to be distributed securely. How can I achieve this?

    Regards,
    Ken
     
    xkenneth, Dec 7, 2007
    #1

  2. xkenneth

    xkenneth Guest

    Message should have read:
    Hi All,

    I'll shortly be distributing a number of python applications that
    use proprietary source code. The software is part of a much larger
    system and it will need to be distributed securely. How can I achieve this?

    Regards,
    Ken
     
    xkenneth, Dec 7, 2007
    #2

  3. xkenneth

    Tim Churches Guest

    xkenneth wrote:
    > Message should have read:
    > Hi All,
    >
    > I'll shortly be distributing a number of python applications that
    > use proprietary source code. The software is part of a much larger
    > system and it will need to be distributed securely. How can I achieve this?


    You need to define what you mean by "securely" by specifying what types
    of threat you wish to protect against.

    Tim C
     
    Tim Churches, Dec 8, 2007
    #3
  4. xkenneth

    sturlamolden Guest

    On 7 Dec, 23:37, xkenneth wrote:

    > I'll shortly be distributing a number of python applications that
    > use proprietary. The software is part of a much larger system and it
    > will need to be distributed securely. How can I achieve this?


    If you provide the application as a web service there is no need to
    distribute anything at all. That is what Google does.

    You don't have to distribute your Python source code. You can
    distribute Python bytecode (.pyc files).

    Python bytecode can be decompiled, but the source can not be
    retrieved. The same is true for Java bytecode, .NET assemblies, even
    native executables and library files. Reverse engineering is not just an
    issue for programs written in Python.

    You can obfuscate the bytecode further. You can build your own Python
    runtime and scramble the opcodes. You can devise a system that
    encrypts and decrypts the bytecode on the fly. But there is no
    foolproof way of doing this. Anything you do can be cracked by an
    expert. But you can make it very difficult to decompile the bytecode.

    You can watermark the bytecode sent to each customer. It will not
    prevent reverse engineering, but you will know who is sharing it on
    BitTorrent.

    You can use a license manager like Macrovision's flexlm. If you build
    your own Python runtime from source and scramble the opcodes, you
    would have a rather safe licence manager if it's linked with the
    flexlm client library.

    There is no universal answer to this question. It depends on your
    assessment of the risks and the measures you are willing and
    capable of taking. How malicious do you expect your customers to be?
    How technologically competent are they? How paranoid are you? Etc.
     
    sturlamolden, Dec 8, 2007
    #4
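
The per-customer watermark suggested in post #4, sketched as an added example that is not part of the thread or any poster's code. `VENDOR_KEY`, `SOURCE`, the `wm:` prefix and all function names are constructed assumptions.

```python
import hashlib
import hmac
import marshal

VENDOR_KEY = b"constructed-demo-key"  # assumption: secret known only to the vendor
SOURCE = "def price(qty):\n    return qty * 42\n"  # constructed stand-in module


def watermark_tag(customer_id):
    """Keyed tag: without VENDOR_KEY it cannot be forged for another customer."""
    mac = hmac.new(VENDOR_KEY, customer_id.encode(), hashlib.sha256)
    return "wm:" + mac.hexdigest()[:32]


def build_for_customer(customer_id):
    """Compile the module and append the tag as an unused constant.

    Bytecode refers to constants by index, so an extra trailing entry
    does not change what the program does.
    """
    code = compile(SOURCE, "app.py", "exec")
    code = code.replace(co_consts=code.co_consts + (watermark_tag(customer_id),))
    return marshal.dumps(code)


def identify_leak(blob, customers):
    """Return the customer whose tag is present in a recovered blob, or None.

    marshal.loads is not safe on untrusted input; examine blobs found in the
    wild inside an isolated analysis environment.
    """
    code = marshal.loads(blob)
    tags = [c for c in code.co_consts if isinstance(c, str) and c.startswith("wm:")]
    for customer in customers:
        expected = watermark_tag(customer)
        if any(hmac.compare_digest(expected, tag) for tag in tags):
            return customer
    return None


if __name__ == "__main__":
    leaked = build_for_customer("acme")
    print(identify_leak(leaked, ["globex", "acme"]))
```

A single trailing constant is easy to strip once noticed, which matches the post's point that a watermark identifies the source of a copy but does not prevent reverse engineering.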
  5. xkenneth

    sturlamolden Guest

    So for example one could:


    1. Put all the compiled Python bytecode in an encrypted binary file.

    2. Build a small binary executable (.exe file) that:

    2a. Reads the binary file.

    2b. Decrypts it to conventional Python byte code.

    2c. Embeds a Python interpreter.

    2d. Executes the bytecode with the embedded Python.

    3. Link the executable with a licence manager such as flexlm.


    I think that should be rather safe (but I could be wrong).

    A really malicious customer/cracker could e.g. look in the exe-file
    and extract the crypto key. Then he (or less likely she) could guess
    which crypto algorithm you have used, and decrypt the bytecode. The
    cracker could then decompile the bytecode to Python VM opcodes, and
    use that to reverse engineer your program. One could make it more
    difficult for the cracker by asking each customer for a hardware hash
    and use that for crypto. That way the key would not be (completely)
    visible in the exe file. But history has shown that one can never
    safeguard a program 100% against humans with malicious intent. I know
    of no DRM system that has never been circumvented.
     
    sturlamolden, Dec 8, 2007
    #5
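
Steps 1 to 2d of post #5, combined with the hardware-hash key idea, modelled in pure Python as an added example that is not part of the thread. The SHAKE-256 keystream with HMAC is a standard-library stand-in for a real authenticated cipher such as AES-GCM; the bundle layout, names and hardware ID string are constructed assumptions, and the embedded interpreter and licence manager (steps 2c and 3) are not modelled.

```python
import hashlib
import hmac
import marshal
import os


def derive_keys(hardware_id, salt):
    """Derive separate encryption and MAC keys from the customer's hardware hash."""
    k = hashlib.pbkdf2_hmac("sha256", hardware_id.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]


def _xor_stream(key, nonce, data):
    # Stand-in stream cipher: XOR with a SHAKE-256 keystream (same call decrypts).
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def pack(source, hardware_id):
    """Step 1: compile to bytecode and encrypt it for one machine."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(hardware_id, salt)
    plain = marshal.dumps(compile(source, "<bundle>", "exec"))
    ct = _xor_stream(enc_key, nonce, plain)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def load_and_run(bundle, hardware_id):
    """Steps 2a-2d: read, authenticate, decrypt and execute the bytecode."""
    salt, nonce, tag, ct = bundle[:16], bundle[16:32], bundle[32:64], bundle[64:]
    enc_key, mac_key = derive_keys(hardware_id, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    # Check the MAC before marshal.loads: marshal is unsafe on modified input.
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("bundle was modified or belongs to another machine")
    namespace = {}
    # From here on the bytecode sits decrypted in process memory.
    exec(marshal.loads(_xor_stream(enc_key, nonce, ct)), namespace)
    return namespace


if __name__ == "__main__":
    b = pack("def f(x):\n    return x + 1\n", "HW-1234-constructed")
    print(load_and_run(b, "HW-1234-constructed")["f"](1))
```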
  6. xkenneth

    Larry Bates Guest

    xkenneth wrote:
    > Hi All,
    >
    > I'll shortly be distributing a number of python applications that
    > use proprietary. The software is part of a much larger system and it
    > will need to be distributed securely. How can I achieve this?
    >
    > Regards,
    > Ken


    We have partnered with developers to use our product WebSafe to provide secure
    software distribution (among other uses for the service). Take a look at:
    http://www.websafe.com. We have a special program for developers that allows
    you to put our API inside your application as well.

    Larry Bates
    Vice President/CTO
    WebSafe, Inc.
     
    Larry Bates, Dec 8, 2007
    #6
  7. xkenneth

    Ben Finney Guest

    xkenneth writes:

    > I'll shortly be distributing a number of python applications that
    > use proprietary.


    That's unfortunate. Hopefully it's not too late to avoid restricting
    yourself and your users in this way.

    > The software is part of a much larger system and it will need to be
    > distributed securely. How can I achieve this?


    That depends partly on what "distributed securely" means for you. Can
    you elaborate? In particular, what threat model are you seeking
    security from?

    --
    \ "If I ever get real rich, I hope I'm not real mean to poor |
    `\ people, like I am now." -- Jack Handey |
    _o__) |
    Ben Finney
     
    Ben Finney, Dec 11, 2007
    #7