Filter::Rijndael - Source Filter used for encrypting source code based on Filter::decrypt
This is a decrypting source filter based on Rijndael encryption.
The purpose of this source filter is to hide the source code from a casual user that would want to change your code.
It is important to note that a decryption filter can never provide complete security against attack. At some point the parser within Perl needs to be able to scan the original decrypted source. That means that at some stage fragments of the source will exist in a memory buffer.
Also, with the introduction of the Perl Compiler backend modules, and the B::Deparse module in particular, using a Source Filter to hide source code is becoming an increasingly futile exercise.
The best you can hope to achieve by decrypting your Perl source using a source filter is to make it unavailable to the casual user.
Given that proviso, there are a number of things you can do to make life more difficult for the prospective cracker.
Strip the Perl binary to remove all symbols.
Build the decrypt extension using static linking. If the extension is provided as a dynamic module, there is nothing to stop someone from linking it at run time with a modified Perl binary.
Do not build Perl with
-DDEBUGGING. If you do then your source can be retrieved with the
-Dpcommand line option.
The sample filter contains logic to detect the
Do not build Perl with C debugging support enabled.
Do not implement the decryption filter as a sub-process (like the cpp source filter). It is possible to peek into the pipe that connects to the sub-process.
Check that the Perl Compiler isn't being used.
There is code in the BOOT: section of Rijndael.xs that shows how to detect the presence of the Compiler. Make sure you include it in your module.
Assuming you haven't taken any steps to spot when the compiler is in use and you have an encrypted Perl script called "myscript.pl", you can get access the source code inside it using the perl Compiler backend, like this
perl -MO=Deparse myscript.pl
Note that even if you have included the BOOT: test, it is still possible to use the Deparse module to get the source code for individual subroutines.
If you feel that the source filtering mechanism is not secure enough you could try using the unexec/undump method. See the Perl FAQ for further details.
Maybe transform the code to Opcodes first, change IV after each block...
Sorin Pop <email@example.com>
Paul Marquess ( Filter::decrypt ) Rafael R. Sevilla ( Crypt::Rijndael ) Mark Shelor ( Digest::SHA )
19th February 2012