Proprietary lua code

Proprietary lua code

murthy
This topic might have been discussed before.

We have proprietary lua code (along with C/C++ binaries) made available as a self-downloadable package (by our customers) and we need to keep it hidden for various reasons (security, IP protection, etc.).

What is the recommended mechanism in lua for this?

Re: Proprietary lua code

Coda Highland
On Fri, Jul 26, 2019 at 6:41 PM Srinivas Murthy <[hidden email]> wrote:
> This topic might have been discussed before.
>
> We have proprietary lua code (along with C/C++ binaries) made available as a self-downloadable package (by our customers) and we need to keep it hidden for various reasons (security, IP protection, etc.).
>
> What is the recommended mechanism in lua for this?

There isn't one. That's an application-level thing. Use whatever scheme you would use to protect any other data, and just unpack it right before you lua_load it.

It's been a very long time since I needed to do this, but at the time I just went for basic anti-casual-snooping protection -- I packed it all into a zip file, then XOR'ed the whole file with a constant byte, then assigned a custom read callback into an unzip library that undid the XOR on the fly. I have no idea if anyone ever even bothered to try to crack it, but it worked well enough to avoid making virus scanners think it's an archive file that needs analyzed.

/s/ Adam
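
The read-callback idea from the message above, as an added example (not the poster's code): the XOR is undone on the fly inside a function shaped like a `lua_Reader`, leaving out the zip layer. The key byte, `XorStream` and the sample chunk are constructed for illustration; the last function shows why this only deters casual snooping.

```c
#include <string.h>

/* Stand-in so this compiles without lua.h; a real host includes <lua.h>
   and passes xor_reader as the reader argument of lua_load(). */
typedef struct lua_State lua_State;

#define XOR_KEY 0x5A                 /* constructed key byte */

typedef struct {
    const unsigned char *src;        /* obfuscated bytes */
    size_t len, pos;
    char buf[8];                     /* small on purpose: forces several calls */
} XorStream;

/* Packer side: XOR every byte with the constant (the same operation undoes it). */
static void xor_pack(unsigned char *dst, const char *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = (unsigned char)(src[i] ^ XOR_KEY);
}

/* lua_Reader-shaped callback: decodes the next piece, NULL at end of input. */
static const char *xor_reader(lua_State *L, void *ud, size_t *size) {
    XorStream *s = ud;
    size_t n = s->len - s->pos;
    (void)L;
    if (n > sizeof s->buf) n = sizeof s->buf;
    for (size_t i = 0; i < n; i++)
        s->buf[i] = (char)(s->src[s->pos + i] ^ XOR_KEY);
    s->pos += n;
    *size = n;
    return n ? s->buf : NULL;
}

/* Pull pieces until the reader signals end, as the loader would. */
static size_t drain(XorStream *s, char *out, size_t cap) {
    size_t total = 0, n;
    const char *p;
    while ((p = xor_reader(NULL, s, &n)) != NULL && total + n <= cap) {
        memcpy(out + total, p, n);
        total += n;
    }
    return total;
}

/* One known leading byte ('P' of a zip, 0x1B of Lua bytecode) gives the key. */
static unsigned char key_from_first_byte(const unsigned char *obf, unsigned char known) {
    return (unsigned char)(obf[0] ^ known);
}

int main(void) {
    const char *chunk = "return 6 * 7\n";   /* constructed sample chunk */
    unsigned char obf[32]; char out[32];
    xor_pack(obf, chunk, strlen(chunk));
    XorStream s = { obf, strlen(chunk), 0, {0} };
    return drain(&s, out, sizeof out) == strlen(chunk) ? 0 : 1;
}
```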

Re: Proprietary lua code

Luiz Henrique de Figueiredo
In reply to this post by murthy
On Fri, Jul 26, 2019 at 8:41 PM Srinivas Murthy
<[hidden email]> wrote:
>
> This topic might have been discussed before.

See the thread starting at
http://lua-users.org/lists/lua-l/2006-04/msg00571.html (it continues
in http://lua-users.org/lists/lua-l/2006-05/msg00003.html)


Re: Proprietary lua code

Russell Haley
In reply to this post by murthy


On Fri, Jul 26, 2019 at 4:41 PM Srinivas Murthy <[hidden email]> wrote:
> This topic might have been discussed before.
>
> We have proprietary lua code (along with C/C++ binaries) made available as a self-downloadable package (by our customers) and we need to keep it hidden for various reasons (security, IP protection, etc.).
>
> What is the recommended mechanism in lua for this?

There is a BSD licensed PGP application written in C called NetPGP. I was looking at embedding it and a public key in the Lua interpreter. One can then armor/encode the lua source files (with the private key) and then decode the files before you execute. You could even get creative with NetPGP and make a trial mode license and a paid for license. NetPGP comes with Lua bindings but I couldn't get them to compile (due to my own make incompetence).

It's supposedly portable code but I have never tried compiling it under Windows, just FreeBSD and Ubuntu. It was something I was hoping to put in my WinLua distribution but that's likely a pipe dream.


For What It's Worth,
Russ

Re: Proprietary lua code

Vadim A. Misbakh-Soloviov
In reply to this post by murthy
> hidden for various reasons (security, IP protection, etc.).

There is some working advice already posted in this thread, so I'd like to say
that:

> security
1) security through obscurity **never** works as planned. NEVER. Dixi.

> IP protection
all the IP addresses you connect to are anyway visible by system tools:
firewall, network stats utils and so on.

So... let it be my personal dislike for "security through obscurity"
antipattern.




Re: Proprietary lua code

Hugo Musso Gualandi
> all the IP addresses you connect to are anyway visible by system
> tools:
> firewall, network stats utils and so on.

I think they were referring to "Intellectual Property", not to the
"Internet Protocol".



Re: Proprietary lua code

Jon Chesterfield
In reply to this post by murthy

---------- Forwarded message ----------
From: Srinivas Murthy <[hidden email]>
To: Lua mailing list <[hidden email]>

This topic might have been discussed before.

We have proprietary lua code (along with C/C++ binaries) made available as a self-downloadable package (by our customers) and we need to keep it hidden for various reasons (security, IP protection, etc.).

What is the recommended mechanism in lua for this?

Hey,

Can you expand on the requirements? For example, how do you meet them for the C/C++ binaries?

If the C is shipped as x86-64 in elf or coff, then shipping lua bytecode in a section is equivalent. If the x86-64 is decrypted on the fly then the same method can apply to the lua.

Similarly, how do you defend against running the compiled C under debuggers? There may be similar countermeasures that could be built into the running lua interpreter.

Kind regards,

Jon

Re: Proprietary lua code

Lorenzo Donati-3
In reply to this post by Hugo Musso Gualandi
On 27/07/2019 21:42, Hugo Musso Gualandi wrote:
>> all the IP addresses you connect to are anyway visible by system
>> tools:
>> firewall, network stats utils and so on.
>
> I think they were referring to "Intellectual Property", not to the
> "Internet Protocol".
>
>
>

Ohhh! The beauty of overloading!

It "works" also for human languages, not only for C++!

;-D