Prevent Modification of Script?
jstroud at mbi.ucla.edu
Thu Apr 5 07:19:14 CEST 2007
> On Apr 4, 6:10 pm, Michael Ekstrand <use... at elehack.net> wrote:
>>One significant factor: are you worried about other
>>users on your systems (or other users who share systems with you under a
>>third party's control), or are you worried about what people will do on
>>their own systems?
> Michael, Ben & others:
> The short answer is others on a shared system, or malware that could
> modify the scripts.
> I'm new to python programming and there are just some paradigms I'm
> having trouble grasping.
> If the scripts can be modified (very easily), how can the application
> be trusted?
> i.e. If its an address book, then it would be trivial for malware to
> modify the script to override data or send it somewhere else...
> It would also seem like it makes user authentication through a
> password/ username, or encryption useless. The script could easily be
> modified to by-pass authentication and encryption could be disabled.
> Please correct any wrong assumptions that I might be making..
> In a compiled application its not impossible to by pass the code.. but
> its not so easy. Perhaps this is just a side-effect of being a
> scripted language - not a flaw, just me trying to use it for something
> its not well suited for.
> - Kiel
You are worrying a little too much. Lets say you are genuinely worried
about malware, for example. To justify this worry, answer these questions:
1. Who in the world would take the time to write malware targeted at
your application specifically?
2. What value does your application have that would warrant such effort?
3. Would it not be worth a malware writer's troubles to focus on an easy
target that offers more rewards, like say, Microsoft Crapware 3000, or
whatever they are selling these days?
4. Are you so technically proficient at writing streamlined and
transparent code that a malware author will find your code an easy
target, especially if you distribute it as bytecode?
5. Could you not just md5sum the bytecode and check it from within a
launcher against a value on a server somewhere? How many barriers would
a malware writer need to circumvent to foil this protection scheme?
Again, would it be worth his troubles in fame, fortune, or the knowledge
that he did a good job?
Write your program in the language most suited for it and, when you hit
it big, hire some security experts.
More information about the Python-list