If I obfuscated Python code, would it provide the same level of 'security' as C#/Java obfuscating?

i.e. it makes things a little hard, but really you can still reverse engineer if you really wanted to, it's just a bit cryptic.

+6  A: 

Obfuscation is a form of security through obscurity. All obfuscated code can, if the attacker is determined enough, be reversed. There are no exceptions.

Kyle Rozendo
[Exactly my thoughts](http://stackoverflow.com/questions/2537568/best-java-obfuscator/2537588#2537588).
BalusC
This is very true, but it doesn't answer the question.
SLaks
@Slaks - I disagree, "would it provide the same level of security" - Yes. The security is exactly the same at the end of the day, the duration it exists is perhaps slightly different.
Kyle Rozendo
Yep security would be the same, since 0 == 0.
Ivo Wetzel
@SLaks, The most useful answers that can help someone the most are often ones that seem to be indirect. If someone asked "Should I use a flathead or a phillips screwdriver for nailing in this nail?" the answer would be "Don't use a screwdriver. Use a hammer." You could say it doesn't answer the question, but it really answers a better one.
Mike Graham
A: 

Python code gets compiled to bytecode (.pyc) files as it is imported. You can distribute those .pyc files instead of the .py source code files, and the Python interpreter should be able to load them. While Python bytecode is more "obfuscated" than Python source code, it's still relatively easy to disassemble Python bytecode -- but, then again, it's not that hard to disassemble Java bytecode, either.

mipadi
Distributing these provides no security. It is trivial to utilize a service to turn a pyc into a python source file. It does however create potential compatibility problems (bytecode changes between versions and is completely different for different Python implementations) and debugging issues.
Mike Graham
That will require that your customer uses the exact same version of Python that was used to compile the code, since .pyc is cross-platform but not cross-version.
Ivo Wetzel
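What the answer and comments above describe, shown as an added example that is not part of the original thread: a constructed sample module is compiled to a `.pyc`, the source is deleted, and the identifiers and string literals are read straight back out of the bytecode file. The module contents and the names `compile_to_pyc`, `load_code`, `walk` and `inspect_pyc` are assumptions made for this illustration, and the 16-byte header assumes CPython 3.7 or later.

```python
import importlib.util
import marshal
import os
import py_compile
import types

# Constructed sample standing in for a module shipped only as .pyc.
SAMPLE_SOURCE = '''
LICENSE_KEY = "constructed-example-key"

def check_license(candidate):
    if candidate == LICENSE_KEY:
        return "licensed"
    return "trial"
'''

def compile_to_pyc(source, workdir):
    """Write source to workdir, compile it, delete the .py, return the .pyc path."""
    src = os.path.join(workdir, "sample_mod.py")
    with open(src, "w") as f:
        f.write(source)
    pyc = os.path.join(workdir, "sample_mod.pyc")
    py_compile.compile(src, cfile=pyc, doraise=True)
    os.remove(src)
    return pyc

def load_code(pyc_path):
    """Return the module code object stored in a .pyc (16-byte header, CPython 3.7+)."""
    with open(pyc_path, "rb") as f:
        data = f.read()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("bytecode was compiled by a different Python version")
    return marshal.loads(data[16:])

def walk(code):
    """Yield a code object and every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk(const)

def inspect_pyc(pyc_path):
    """Collect the identifiers and string literals that survive compilation."""
    names, strings = set(), set()
    for code in walk(load_code(pyc_path)):
        names.update((code.co_name, *code.co_names, *code.co_varnames))
        strings.update(c for c in code.co_consts if isinstance(c, str))
    return names, strings
```

Passing the result of `load_code(path)` to `dis.dis` prints the full instruction listing for the module and its functions. The magic-number check is the cross-version limitation mentioned in the comments: a `.pyc` built by one interpreter version is rejected by another.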
A: 

Why don't you write something and examine the bytecode? Make some functions that depend on random numbers but are almost completely improbable to execute. This way the compiler can't optimize and you'll see more 'junk'.

```
import dis

def myfunc(num):
    if (num > 1):
        return 1
    else:
        return 0

>>> dis.dis(myfunc)
  2           0 LOAD_FAST                0 (num)
              3 LOAD_CONST               1 (1)
              6 COMPARE_OP               4 (>)
              9 JUMP_IF_FALSE            5 (to 17)
             12 POP_TOP

  3          13 LOAD_CONST               1 (1)
             16 RETURN_VALUE
        >>   17 POP_TOP

  5          18 LOAD_CONST               2 (0)
             21 RETURN_VALUE
             22 LOAD_CONST               0 (None)
             25 RETURN_VALUE
```
Vetsin
This strategy doesn't strike me as remotely effective.
Mike Graham
A: 

Obfuscation doesn't provide security. What you describe isn't security.

If you distribute your Python program or your Java program or your C program, it is vulnerable. What protects you from people using what you distributed unfairly is the law and people not being jerks.

Obfuscation not only provides no security, it has the potential of breaking working code, hurting performance, and ruining documentation.

Mike Graham
That is why I put the word security in quotes; I realize this.
Blankman
Obfuscation is a legitimate *element* of security, and in some domains an unavoidable one. People who believe otherwise have an overly academic understanding of real-world security. The important part is to understand what it buys you, what it doesn't, and what it costs. So long as the costs and benefits are being carefully examined (as they should for any security measure), security through obscurity is not always inherently without value--though after examination, of course, you'll *often* find it not passing that examination.
Glenn Maynard