caml-list - the Caml user's mailing list
 help / color / mirror / Atom feed
* Reverse-Engineering Bytecode: A Possible Commercial Objection To O'Caml
@ 2000-06-06 20:46 Daniel Ortmann
  2000-06-07 20:23 ` Markus Mottl
                   ` (4 more replies)
  0 siblings, 5 replies; 16+ messages in thread
From: Daniel Ortmann @ 2000-06-06 20:46 UTC (permalink / raw)
  To: caml-list

Sirs,

With the intent of furthering the practical commercial use of O'Caml, or at
least eliminating some possible objections to its use ...  I submit the
following observations and questions for your consideration:


I have asked myself "How might companies object to Objective Caml?"

The thought occurs to me that companies may wish to:
- develop and sell byte-compiled O'Caml modules
- develop and sell applications which use dynamically loaded modules
- protect their actual source code

Because of the well-thought regularity of O'Caml bytecode, the ease of viewing
(for example) emacs elisp bytecode in emacs, and the unusual numbers of bright
people working with O'Caml ...

... it occurs to me that companies may be concerned about the ease of "reverse
engineering" their byte compiled software modules and thus object to Objective
Caml.

So.

How can companies protect their bytecode, at least their modules, from reverse
engineering?

1) The idea occurs to me that O'Caml might support various standard encryption
   modules using different types of encryption techniques (DES, PGP, etc).
2) Perhaps user encryption could also be supported.
3) Perhaps the encryption modules should be composeable, multiple modules
   being used to derive another module.
4) What about using public/private keys and key management?
5) Should this be integrated with licensing?  What licensing techniques are
   available on Windows?  Mac?  Unix?  Other?  (O'Caml WILL get big
   commercially, and WILL need to address this eventually.)
6) What things should be visible non-encrypted in cmi/cmo/other files?
7) Should such encryption be available via marshalling?  If not, might some
   needs be common?


Philosophically speaking, earning money and protecting the rewards of hard
work are not bad a priori.  There *will* be an exchange of value; that
exchange may be either with or without "concern for your fellow man".  In
fact, one way of looking at a dollar bill is as a type of "certificate of
service to your fellow man".

--
Daniel Ortmann, IBM Circuit Technology, Rochester, MN 55901-7829
ortmann@vnet.ibm.com or ortmann@us.ibm.com and 507.253.6795 (external)
ortmann@rchland.ibm.com and tieline 8.553.6795 (internal)
ortmann@isl.net and 507.288.7732 (home)

"The answers are so simple, and we all know where to look,
but it's easier just to avoid the question." -- Kansas




^ permalink raw reply	[flat|nested] 16+ messages in thread
* Re: Reverse-Engineering Bytecode: A Possible Commercial Objection To O'Caml
@ 2000-06-07 21:41 Michael Donat
  0 siblings, 0 replies; 16+ messages in thread
From: Michael Donat @ 2000-06-07 21:41 UTC (permalink / raw)
  To: caml-list

>How can companies protect their bytecode, at least their modules, from
reverse
>engineering?


I believe that if someone has the desire to reverse engineer OCaml bytecode
someone will also have these other capabilities:

1) Be able to reverse engineer native code.
2) Be able to run the OCaml bytecode system in a debugger, stop after your
bytecode was decrypted, and reverse engineer it from there.

I don't see a benefit in having an OCaml module encryption system.

If you want to encrypt important portions of your app, you might consider
producing your own bytecode system. The main benefit of this approach is
that your bytecode is private, thus dramatically intensifying the effort
required to reverse engineer. I think this would be a much more effective
use of time than implementing an OCaml module encryption system.

Michael Donat





^ permalink raw reply	[flat|nested] 16+ messages in thread
* RE: Reverse-Engineering Bytecode: A Possible Commercial Objection To  O'Caml
@ 2000-06-08 21:58 Brent Fulgham
  0 siblings, 0 replies; 16+ messages in thread
From: Brent Fulgham @ 2000-06-08 21:58 UTC (permalink / raw)
  To: Max Skaller; +Cc: caml-list

> BTW: people here read books. An English Ocaml book 
> would provide very strong support for industrial use.
> 
I'm in the process of reading "The Functional Approach
to Programming" (Cousineau & Mauny).  This book is not
strictly OCaml (it's based on CAML-Light), but it's
teaching me the basics I need.  It's also quite a good
book for learning functional programming techniques
in general.  It's not a bad price, either.  I found it
for $32 at Borders.com.

BTW -- Although it is a translation of a French book,
it is quite well-written.  Their editor/translator was
quite talented.  I can find very little in the way
of French syntax in the volume ;-)

Hope that's helpful,

-Brent




^ permalink raw reply	[flat|nested] 16+ messages in thread
* RE: Reverse-Engineering Bytecode: A Possible Commercial Objection To   O'Caml
@ 2000-06-09 16:13 Brent Fulgham
  0 siblings, 0 replies; 16+ messages in thread
From: Brent Fulgham @ 2000-06-09 16:13 UTC (permalink / raw)
  To: caml-list

> > I'm in the process of reading "The Functional Approach
> > to Programming" (Cousineau & Mauny).  This book is not
> > strictly OCaml 
> 
> That's part of the problem. People here are short of time:
> while education in functional programming techniques is 
> useful, a description of Ocaml is more pointed: remember,
> Ocaml is _not_ a functional programming language, but an
> Algol like language with functional, procedural, and object
> oriented components... just like C++. 
> 
> In ocaml, the 'orientation' is more functional, but the biggest
> obstacle isn't the functional paradigm as such, but the actual
> concrete syntax used.
> 
Yes.  An O'Reilly-style "Nutshell" handbook would be quite nice.
However, I have not seen such an animal.  I'm afraid the C&M book
is all that's available for those of us whose French skills are
sub-par.

It will probably take a killer app to get such a book published...

-Brent




^ permalink raw reply	[flat|nested] 16+ messages in thread
* RE: Reverse-Engineering Bytecode: A Possible Commercial Objection To O'Caml
@ 2000-06-09 18:18 Brent Fulgham
  0 siblings, 0 replies; 16+ messages in thread
From: Brent Fulgham @ 2000-06-09 18:18 UTC (permalink / raw)
  To: Daniel Ortmann; +Cc: caml-list

> Also, isn't "information hiding" part of the purpose of .cmi 
> files?  What I am suggesting might be viewed as an stronger 
> type of .cmi file ... with REAL "implementation hiding".  :-)
> 
Regarding your later anecdote about the Lisp source being available
under Emacs, I think we may be comparing apples to oranges.

Pulling up a .cmi file in a text editor does not provide me with
the same ease-of-analysis of Lisp sources.  I would have to sit
down and understand the byte value meanings for the OCaml VM,
parse the bytes in the .cmi file, and then discern the meaning.

This is no different than "decompiling" the byte code from a Java
VM (the compiled "class" modules).  Certainly one of us could write
a utility to "decompile" .cmi files (such beasts exist for Java).

I guess my point is:  The .cmi files seem to be obfuscated enough
for general distribution.  I mean, someone with enough interest
in your 'secrets' to learn the byte code and write a decompiler 
will be capable of doing the same to native object code as well.

I guess I'm just not sure your proposal would provide sufficient
value for the effort and performance hit required.

[ ... snip ... ]
> > 2) Encryption is illegal in many countries, or at least 
> >    export restricted, i think france changed this some time
> >    ago, but if not, it would not be possible for inria to 
> >    distribute such a product.
> 
> I believe the US has just lightened up on some of the restrictions.
> 
> ... But the answer would be:  Don't distribute the actual 
> encryptiong directly with O'Caml, just the hooks.  Have the 

Please note that under the US's current law (well, current prior
to the most recent potentially-temporary relaxation), it is also
prohibited to provide encryption hooks in your code.  You could
get around this by calling them "compression" hooks.

Regards,

-Brent 




^ permalink raw reply	[flat|nested] 16+ messages in thread

end of thread, other threads:[~2000-06-13 16:54 UTC | newest]

Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2000-06-06 20:46 Reverse-Engineering Bytecode: A Possible Commercial Objection To O'Caml Daniel Ortmann
2000-06-07 20:23 ` Markus Mottl
2000-06-07 22:02 ` Max Skaller
2000-06-09 12:14   ` OCaml book Joshua D. Guttman
2000-06-13 16:53     ` Julian Assange
2000-06-07 22:15 ` Reverse-Engineering Bytecode: A Possible Commercial Objection To O'Caml Max Skaller
2000-06-08  8:54 ` Sven LUTHER
2000-06-08 22:36   ` Daniel Ortmann
2000-06-09 13:34     ` Sven LUTHER
2000-06-09 22:06     ` Vitaly Lugovsky
2000-06-10 14:41     ` Gerd Stolpmann
2000-06-09 15:44 ` Julian Assange
2000-06-07 21:41 Michael Donat
2000-06-08 21:58 Brent Fulgham
2000-06-09 16:13 Brent Fulgham
2000-06-09 18:18 Brent Fulgham

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).