Game Development Community

DSO Security

by Nikos Beck · in Technical Issues · 09/14/2007 (10:09 am) · 3 replies

If I have all of my script in DSOs and someone replaces the executable with another build of the engine, what happens when there is a script function call that is not in the engine? Is there the equivalent of a core dump? Is the misunderstood statement echoed? Is there a stack trace? Is there a stack dump?

I'm concerned that if I have the statement:

DecryptFile("afile.txt", "the_encryption_key")

...then someone with an engine they've modified, not including my function, will be able to see the call. They might be able to see the encryption key parameter in some form of error report, and then be able to break my encryption.

Can someone read my code by purposely causing run-time errors?

#1
09/14/2007 (10:37 am)
> Can someone read my code by purposely causing run-time errors?
why not just try it?

however, even if the answer is "no", a malicious developer could easily modify the engine so that the answer is "yes".

perhaps you want to encode the encryption key in the engine instead of in script?

#2
09/14/2007 (11:21 am)
That's a good suggestion. I'll encode the key in the engine.

#3
09/14/2007 (12:01 pm)
It's very important to realize that even with the following:

> That's a good suggestion. I'll encode the key in the engine.

You are at most slowing down people from decrypting your .dso's by maybe 10-12 hours.

There is a truism in software applications that there is simply no 100% solid way around: Whatever the client application can decode, hackers can work around any protection and decode it as well.

Now the question becomes, "how much time do I want to try to keep the honest people out of my code?" because the dishonest (or even simply curious) people are going to be able to decrypt, disassemble, and otherwise bypass any security measure you come up with.
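
A pre-release check on your own build output, added here as an illustration and not part of the thread or of the engine's tooling: it shows that a key literal stays in compiled output as readable bytes whether it sits in the script or in the executable. The blobs and file names are constructed stand-ins and do not reflect the real .dso layout.

```python
import re

KEY = "the_encryption_key"  # the literal from the example call in the question

# Constructed stand-ins (NOT the real .dso or executable layout): opaque bytes
# around string data, which is how compiled output commonly keeps literals.
SCRIPT_BLOB = (b"\x01\x00\x00\x00\x03" + b"DecryptFile\x00afile.txt\x00"
               + KEY.encode("ascii") + b"\x00" + b"\x90\x01\x7f\x02")
ENGINE_BLOB = bytes(range(32)) + KEY.encode("utf-16-le") + b"\x00\x00\xc3"
CLEAN_BLOB = b"\x01\x00\x00\x00\x02" + b"DecryptFile\x00afile.txt\x00" + b"\x90\x01"

# Hypothetical file names for the three constructed blobs.
ARTIFACTS = {"main.cs.dso": SCRIPT_BLOB, "engine.bin": ENGINE_BLOB, "clean.cs.dso": CLEAN_BLOB}


def printable_runs(blob, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like the Unix strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_secret(blob, secret):
    """Return the encodings under which secret appears verbatim in blob."""
    encodings = (("ascii", "ascii"), ("utf-16le", "utf-16-le"))
    return [name for name, enc in encodings if secret.encode(enc) in blob]


def audit(artifacts, secret):
    """Map artifact name -> encodings with a hit; artifacts without hits are omitted."""
    report = {}
    for name, blob in artifacts.items():
        hits = find_secret(blob, secret)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    print(printable_runs(SCRIPT_BLOB))
    for name, hits in audit(ARTIFACTS, KEY).items():
        print(f"{name}: key literal present ({', '.join(hits)})")
```

An artifact that passes this check only lacks the verbatim literal; a key that the client can reconstruct at run time is still available to anyone who controls the client.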