protecting python code

[Rudi Hammad]

Hello,
So the studio has asked me to protect some code, because they are giving access to external people to it.
I though that a way of doing it is, introducing in the code an import file as theLicense.py , so if that license file isn´t found, the code will not work. This license file is stored in the studio server, and no one know the root for it.
So the code would be something like

------------------------------------------------------------------------------------------------------------------------------------
import sys
my_pth = '/theRoot/tool_lic_file'
sys.path.append(my_pth)
try:
    import theLicense
except:
    cmds.warning("LICENSE NOT FOUND")
    sys.exit()
------------------------------------------------------------------------------------------------------------------------------------

So what I publish is the .pyc. of that code.
The problem is that when the code is compiled, if you open it, you´ll see something like:

------------------------------------------------------------------------------------------------------------------------------------
ó
ØXc s1 d z d[] d l[] z[] e[] gHd
/theRoot/tool_lic_file append( ( ( s4 > s
------------------------------------------------------------------------------------------------------------------------------------

As you can see, the root to the license is displayed in the .pyc, so it is very easy to get it, and there fore steal the company´s code

ps: I also thought about introducing an expire date, but I don´t like this method to much

thank you

[Justin Israel]

What you are describing it not really security. It is "security through obscurity". You are just sort of hoping that it will be complicated for the average person to figure out the small roadblocks you have put in place to try and protect your code. Also, a pyc file is no more secure than a plain text py file, because they are easily disassembled back into py files with a command line tool. 

Basically, you can't expect too much security when distributing python code. Mostly you have to rely on the support aspects of your license, and that if they were to change the code, they would become out of sync with what you support. If you really want to try and protect access to the source code, then you could try and compile it with cython and distribute only the compiled modules. This at least converts it to cpython and distributes an actual binary. It may still be possible to find string literals, so you will have to check the results of the binary yourself. Another idea that you can use in combination with cython-compiled code is to have your tool "phone home". This means that in order to function, it has to be able to connect to your server and check out a license. And lastly, the most secure way to protect people from stealing your python code is to just not ship it all to them, and have it run certain parts of the functionality as remote calls to your server.

 

--
You received this message because you are subscribed to the Google Groups "Python Programming for Autodesk Maya" group.
To unsubscribe from this group and stop receiving emails from it, send an email to python_inside_m...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/python_inside_maya/464b06bc-1c53-4c79-8684-a9179c5a26f0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Alok Gandhi]

The only reliable way to hide your source code is to compile it. Some of the tools that can do this are:

freeze, PyInstaller, Py2Exe, Squeeze, cx_freeze

[Justin Israel]

On Mon, Mar 27, 2017, 12:22 PM Alok Gandhi <alok.ga...@gmail.com> wrote:

The only reliable way to hide your source code is to compile it. Some of the tools that can do this are:

freeze, PyInstaller, Py2Exe, Squeeze, cx_freeze

Are you sure these are reliable ways to hide source code? In my experience with some of them, they tend to zip up the source and wrap it into an executable that handles extracting and running it in a reproducible way. But I was never under the impression that it was a reliable way to hide it. Just another deterrent. At least Cython transpiles your python to C and then really compiles it to its own binary format. That has to be more reliable than archiving it into an executable, right?

Either way, you can only do so much to protect your python source, if you are giving it to another party. 

--
You received this message because you are subscribed to the Google Groups "Python Programming for Autodesk Maya" group.
To unsubscribe from this group and stop receiving emails from it, send an email to python_inside_m...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/python_inside_maya/CAPaTLMSmCqH1yGe_zxTL4WaEBXvda0fqJfeBLZiDba5iTDN3PQ%40mail.gmail.com.

[Alok Gandhi]

some of them, they tend to zip up the source and wrap it into an executable that handles extracting and running it in a reproducible way. But I was never under the impression that it was a reliable way to hide it. 

That is true. I agree that ultimately compiling is the only reliable way and cython can do it. Other than that, the tools I listed above are able to obfuscate the code but only to a certain extent, not completely. Also here are some obfuscation tricks that you can follow to make it hard for somebody to understand your code when using one of the tools that I listed:

1. Remove all comments and documentation from your code.

2.  Use name mangling.

cython will leave no bytecode at all and is MOST reliable.

In the end, obfuscation is hard when it comes to python. 

[Rudi Hammad]

Thanks.

Is it really that easy to disassembled back to py? I thought it would be possible but tricky.

I´ll try cyton for now, see how it goes.

cheers

[Robert White]

Yeah, it is really easy actually.

https://sourceforge.net/projects/easypythondecompiler/ is just one of many examples.

Even saw an article a few weeks ago about someone rescuing some source code by grabbing it from the in-memory code objects.

[Marcus Ottosson]

Even saw an article a few weeks ago about someone rescuing some source code by grabbing it from the in-memory code objects.

Saw it too, pretty sweet!

https://news.ycombinator.com/item?id=13847465

​

--

You received this message because you are subscribed to the Google Groups "Python Programming for Autodesk Maya" group.

To unsubscribe from this group and stop receiving emails from it, send an email to python_inside_maya+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/python_inside_maya/a9f1a9af-76c7-4462-874a-3847d25f0922%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Marcus Ottosson
konstr...@gmail.com

[Rudi Hammad]

yes, I just tried it.
Works perfeclty. Thanks for letting mw know how easy and weak .pyc are.

cheers

[Rudi Hammad]

Hello again,

About protecting the code of a studio again...what about changing the permissions of files? I can ask the IT guys of the studio, that have administrator privileges, to set up the security of files?
So if they make it only readable, no one can  copy it to an external usb or send to their personal emails the files etc..The problem is that by doing that, I don´t know how to import the files to maya, because it says "there is no module called whatever".
We are a small studio, so we don´t have "high tech" security. Do you think that something like that could work?

[Marcus Ottosson]

So if they make it only readable, no one can copy it to an external usb or send to their personal emails the files etc.

If you can read it, you can copy it.

​

--
You received this message because you are subscribed to the Google Groups "Python Programming for Autodesk Maya" group.

To unsubscribe from this group and stop receiving emails from it, send an email to python_inside_maya+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/python_inside_maya/42429ff3-f031-414e-8508-b7f119ba413d%40googlegroups.com.

[Rudi Hammad]

Sorry, what I meant is if it is possible to import a module that has all the permissions denied by the administrator. I guess not, but just in case.

[Marcus Ottosson]

Importing a module is reading it.​

[Justin Israel]

On Mon, May 15, 2017, 9:10 PM Rudi Hammad <rudih...@gmail.com> wrote:

So if they make it only readable, no one can  copy it to an external usb or send to their personal emails the files etc..

If people are allowed to read it for import, then your only way to address these specific concerns is to prevent mounting of attached storage to the workstations, and to disable external internet access on the workstations that can mount these production locations. 

From a code standpoint, as mentioned in previous mail threads, you could go about adding a license checkout but that would only work well for compiled python extensions and not py, pyc, pyo. 

--
You received this message because you are subscribed to the Google Groups "Python Programming for Autodesk Maya" group.
To unsubscribe from this group and stop receiving emails from it, send an email to python_inside_m...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/python_inside_maya/42429ff3-f031-414e-8508-b7f119ba413d%40googlegroups.com.

[Alok Gandhi]

As already pointed out above, there is no reliable way other than compiling (using cython), to protect your source code. 

Here's a crazy idea, and I am just thinking aloud so this might sound stupid -

• Why not encrypt all your python code as plain text files.
  
• The source files can be decrypted only with a key.
  
• Write a layer between the client and the source code that does the decryption using the key. This layer can be conveniently compiled once using cython.
  
• The client code loads the libraries dynamically using the encryption layer.
  
• Any updates to the library source code can be done by writing the source code in python and decrypting it using the decryption layer.
  

This does not solve the problem entirely but simplifies it to a certain extent.

You have to secure one and one only thing - 

The encryption-decryption source code.

The encrypt-decrypt layer is to be designed in such a way that it can not run outside the studio of the environment. There are many ways to do this using the mac-addresses etc. This could even be written in C/C++

Again, just as a huge caveat - This is not a well-thought approach, it just occurred to me and instead of making notes somewhere else I am writing it in the mail.

On Mon, May 15, 2017 at 7:22 PM, Justin Israel <justin...@gmail.com> wrote:

On Mon, May 15, 2017, 9:10 PM Rudi Hammad <rudih...@gmail.com> wrote:

So if they make it only readable, no one can  copy it to an external usb or send to their personal emails the files etc..

If people are allowed to read it for import, then your only way to address these specific concerns is to prevent mounting of attached storage to the workstations, and to disable external internet access on the workstations that can mount these production locations. 

From a code standpoint, as mentioned in previous mail threads, you could go about adding a license checkout but that would only work well for compiled python extensions and not py, pyc, pyo. 

--
You received this message because you are subscribed to the Google Groups "Python Programming for Autodesk Maya" group.

To unsubscribe from this group and stop receiving emails from it, send an email to python_inside_maya+unsub...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/python_inside_maya/42429ff3-f031-414e-8508-b7f119ba413d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Python Programming for Autodesk Maya" group.

To unsubscribe from this group and stop receiving emails from it, send an email to python_inside_maya+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/python_inside_maya/CAPGFgA24TtnJZVm3SRcM_qCUpAZ_EttXbZt0fMzOEN3Jw%2BiGCA%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

--