Re: Reverse-Engineering Bytecode: A Possible Commercial Objection To O'Caml

Re: Reverse-Engineering Bytecode: A Possible Commercial Objection To O'Caml

[Michael Donat]

>How can companies protect their bytecode, at least their modules, from
reverse
>engineering?


I believe that if someone has the desire to reverse engineer OCaml bytecode
someone will also have these other capabilities:

1) Be able to reverse engineer native code.
2) Be able to run the OCaml bytecode system in a debugger, stop after your
bytecode was decrypted, and reverse engineer it from there.

I don't see a benefit in having an OCaml module encryption system.

If you want to encrypt important portions of your app, you might consider
producing your own bytecode system. The main benefit of this approach is
that your bytecode is private, thus dramatically intensifying the effort
required to reverse engineer. I think this would be a much more effective
use of time than implementing an OCaml module encryption system.

Michael Donat

Signatures (was: Reverse-Engineering Bytecode)

[Thorsten Ohl]

Michael Donat <donat@intergate.bc.ca> writes:

> I don't see a benefit in having an OCaml module encryption system.

But a cryptographic O'Caml module _signature_ system could be useful
for checking the integrity of applications.  I always distribute my
work as source, but it would be useful if there was a way to check
that the sources have not been modified if someone sends in a bug
report.

Even better would be a fixed point condition that would allow to print
a warning message: ``The sources have been modified, you can do
anything you want, but don't blame me or the results.''

Cheers,
-Thorsten
-- 
Thorsten Ohl, Physics Department, TU Darmstadt -- ohl@hep.tu-darmstadt.de
http://heplix.ikp.physik.tu-darmstadt.de/~ohl/ [<=== PGP public key here]

Re: Signatures (was: Reverse-Engineering Bytecode)

[Vitaly Lugovsky]

On Fri, 9 Jun 2000, Thorsten Ohl wrote:

> > I don't see a benefit in having an OCaml module encryption system.
> 
> But a cryptographic O'Caml module _signature_ system could be useful
> for checking the integrity of applications.  I always distribute my
> work as source, but it would be useful if there was a way to check
> that the sources have not been modified if someone sends in a bug
> report.
> 
> Even better would be a fixed point condition that would allow to print
> a warning message: ``The sources have been modified, you can do
> anything you want, but don't blame me or the results.''

 But it don't need a core support from OCaml - you just can use MD5 checksum
or something like this....

--

   V.S.Lugovsky aka Mauhuur (http://ontil.ihep.su/~vsl) (UIN=45482254)

Re: Signatures (was: Reverse-Engineering Bytecode)

[Markus Mottl]

On Sat, 10 Jun 2000, Vitaly Lugovsky wrote:
> On Fri, 9 Jun 2000, Thorsten Ohl wrote:
> > Even better would be a fixed point condition that would allow to print
> > a warning message: ``The sources have been modified, you can do
> > anything you want, but don't blame me or the results.''
> 
>  But it don't need a core support from OCaml - you just can use MD5 checksum
> or something like this....

Which is already available under OCaml, anyway:

  let md5 = Digest.file "foo" in ...

Regards,
Markus Mottl

-- 
Markus Mottl, mottl@miss.wu-wien.ac.at, http://miss.wu-wien.ac.at/~mottl

Re: Signatures (was: Reverse-Engineering Bytecode)

[Thorsten Ohl]

> Even better would be a fixed point condition that would allow to
> print a warning message: ``The sources have been modified, you can
> do anything you want, but don't blame me or the results.''

Vitaly Lugovsky wrote:

> But it don't need a core support from OCaml - you just can use MD5
> checksum or something like this....

I'm not so sure.  I woudl liek to access a checksum of the actual
sources that have been used to compile the module implementations in
the currently running program, just like Dynlink does for module
types.

One can play games with MD5 and a `Signatures' module in the Makefile,
but this is not 100%ly secure, because the code could be compiled by
hand, without updating the checksums.

Or am I missing something here?

Cheers,
-Thorsten
-- 
Thorsten Ohl, Physics Department, TU Darmstadt -- ohl@hep.tu-darmstadt.de
http://heplix.ikp.physik.tu-darmstadt.de/~ohl/ [<=== PGP public key here]

Re: Signatures (was: Reverse-Engineering Bytecode)

[Vitaly Lugovsky]

On Tue, 13 Jun 2000, Thorsten Ohl wrote:

> One can play games with MD5 and a `Signatures' module in the Makefile,
> but this is not 100%ly secure, because the code could be compiled by
> hand, without updating the checksums.
> 
> Or am I missing something here?

 We can use a script wrapper to compiler itself, like it does ocamlfind.
And so, we don't need to change the compiler code...

--

   V.S.Lugovsky aka Mauhuur (http://ontil.ihep.su/~vsl) (UIN=45482254)