Reputation: 111
We have an old website written in Perl which contains sensitive passwords used for connecting to certain databases.
What is the best way to protect the Perl code? We have very minimal understanding of Perl and CGI, but we need a solution to this problem as it poses a security risk.
We're looking for encryption/obfuscation solutions, we read about Filter::Crypto::Decrypt but have no idea how to apply it. We also stumbled on this site (http://enscryption.com/) but we're pretty skeptical about it.
We'd appreciate some straightforward guidance on what to do, with steps! :)
Thanks!
Upvotes: 2
Views: 2450
Reputation: 164919
You can't protect the code. As Ikegami said, in order to run the code you need to decrypt the code.
But you can protect the sensitive information. The simplest thing to do is put it in environment variables and ensure those variables are set when the program runs.
For example, if you have...
my $dbpassword = "sekret";
You'd change this to...
my $dbpassword = $ENV{DBPASSWORD};
And ensure that the DBPASSWORD environment variable is set to sekret when the program runs. This both moves the secrets out of the source code, and makes the code more flexible. You can store the secrets in one place making them easier to manage. It ensures those secrets are never stored in the clear on disk.
Similarly, if your secrets are in a file you can encrypt that file. Then have the Perl code decrypt the file using a key stored in an environment variable. Again, secrets are never stored on disk in the clear. This is similar to Rails Encrypted Credentials.
How you securely store those secrets and set those environment variables depends on your server setup. Once the problem of storing secrets is moved out of the legacy Perl code you have many options.
Upvotes: 3
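A worked version of the two approaches in the answer above (environment variable, or an encrypted file whose key is in an environment variable), written here as an added example and not taken from the answer or from any project. It assumes the DBI module is installed, that the openssl binary is on PATH, and that the DSN, user name and file format are placeholders you would adapt:

```perl
#!/usr/bin/perl
# Added example: move the DB password out of the Perl source. Two sources are
# supported: a plain environment variable, or a secrets file encrypted with
# openssl whose passphrase is itself only in the environment.
# Assumptions: DBI is installed; `openssl` is on PATH; DBDSN/DBUSER are
# placeholder settings.
use strict;
use warnings;
use DBI;

# Read a required secret from the environment. Fail closed with a clear
# message rather than silently connecting with an empty password.
sub secret_from_env {
    my ($name) = @_;
    my $value = $ENV{$name};
    die "environment variable $name is not set; refusing to start\n"
        unless defined $value && length $value;
    return $value;
}

# Second approach: the secrets live in a file that was encrypted once with
#   openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:SECRETS_KEY \
#       -in secrets.txt -out secrets.enc
# and only SECRETS_KEY is in the environment, so nothing sits on disk in the
# clear. The decrypted file holds one NAME=VALUE per line (constructed format).
sub secrets_from_encrypted_file {
    my ($path) = @_;
    secret_from_env('SECRETS_KEY');   # die early if the key is missing
    open(my $fh, '-|', 'openssl', 'enc', '-d', '-aes-256-cbc', '-pbkdf2',
         '-pass', 'env:SECRETS_KEY', '-in', $path)
        or die "cannot run openssl: $!\n";
    my %secrets;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;        # skip comments and blank lines
        my ($k, $v) = split /=/, $line, 2;
        $secrets{$k} = $v if defined $v;
    }
    # close() on a pipe is false when openssl exited non-zero (e.g. bad key).
    close($fh) or die "openssl failed to decrypt $path (wrong key?)\n";
    return \%secrets;
}

# Before:  my $dbpassword = "sekret";
# After:   the password comes from the environment or the encrypted file.
my $dbpassword = $ENV{SECRETS_FILE}
    ? secrets_from_encrypted_file($ENV{SECRETS_FILE})->{DBPASSWORD}
    : secret_from_env('DBPASSWORD');

die "DBPASSWORD not found in secrets\n" unless defined $dbpassword;

my $dbh = DBI->connect(
    $ENV{DBDSN} // 'dbi:mysql:database=app;host=localhost',  # placeholder DSN
    $ENV{DBUSER} // 'app',                                    # placeholder user
    $dbpassword,
    { RaiseError => 1, PrintError => 0 },
);
print "connected\n";
```

For a CGI script the variable has to be set by whatever starts the program, not by the script itself: under Apache that is the SetEnv or PassEnv directive of mod_env (or the service manager's environment for a persistent server). Keep the encrypted file and the web server configuration readable only by the account that runs the script.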
Reputation: 69274
From the Perl FAQ:
How can I hide the source for my Perl program?
Delete it. :-) Seriously, there are a number of (mostly unsatisfactory) solutions with varying levels of "security".
First of all, however, you can't take away read permission, because the source code has to be readable in order to be compiled and interpreted. (That doesn't mean that a CGI script's source is readable by people on the web, though--only by people with access to the filesystem.) So you have to leave the permissions at the socially friendly 0755 level.
Some people regard this as a security problem. If your program does insecure things and relies on people not knowing how to exploit those insecurities, it is not secure. It is often possible for someone to determine the insecure things and exploit them without viewing the source. Security through obscurity, the name for hiding your bugs instead of fixing them, is little security indeed.
You can try using encryption via source filters (Starting from Perl 5.8 the Filter::Simple and Filter::Util::Call modules are included in the standard distribution), but any decent programmer will be able to decrypt it. You can try using the byte code compiler and interpreter described later in perlfaq3, but the curious might still be able to de-compile it. You can try using the native-code compiler described later, but crackers might be able to disassemble it. These pose varying degrees of difficulty to people wanting to get at your code, but none can definitively conceal it (true of every language, not just Perl).
It is very easy to recover the source of Perl programs. You simply feed the program to the perl interpreter and use the modules in the B:: hierarchy. The B::Deparse module should be able to defeat most attempts to hide source. Again, this is not unique to Perl.
If you're concerned about people profiting from your code, then the bottom line is that nothing but a restrictive license will give you legal security. License your software and pepper it with threatening statements like "This is unpublished proprietary software of XYZ Corp. Your access to it does not give you permission to use it blah blah blah." We are not lawyers, of course, so you should see a lawyer if you want to be sure your license's wording will stand up in court.
Upvotes: 1
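To make the FAQ's B::Deparse point concrete from the defender's side, here is an added example (not part of the FAQ or the answer) that deparses two versions of a function with the core B::Deparse module and reports whether a secret-looking string literal is still recoverable from the compiled code. The function names, the sample literal and the pattern of variable names it scans for are all constructed for the example:

```perl
#!/usr/bin/perl
# Added example: use the core B::Deparse module as a pre-deployment self-check.
# Any literal in Perl source survives in the compiled op tree and deparses
# straight back out, so hiding a password in the code is not a control.
# The sub names, the literal and the name pattern below are constructed.
use strict;
use warnings;
use B::Deparse;

# The "hidden" version and the fixed version of the same function.
sub password_hardcoded { my $password = "sekret"; return $password }
sub password_from_env  { my $password = $ENV{DBPASSWORD}; return $password }

# Turn a code reference back into Perl source text.
sub deparse {
    my ($code) = @_;
    my $d = B::Deparse->new;
    return $d->coderef2text($code);
}

# Scan deparsed source for a quoted string assigned to a variable whose name
# suggests a credential. Returns the offending literals (empty list if none).
sub leaked_literals {
    my ($src) = @_;
    my @hits;
    while ($src =~ /\$\w*(?:pass|pw|secret|token|key)\w*\s*=\s*(['"])(.*?)\1/gi) {
        push @hits, $2;
    }
    return @hits;
}

for my $name (qw(password_hardcoded password_from_env)) {
    no strict 'refs';
    my $src   = deparse(\&{$name});
    my @leaks = leaked_literals($src);
    printf "%-20s %s\n", $name,
        @leaks ? "LEAKS literal(s): @leaks" : "no literal secret found";
}
```

Run it once against your own modules (swap in the subs you care about): the hard-coded version reports the literal, the environment-variable version reports nothing, because $ENV{DBPASSWORD} is a lookup, not data stored in the program.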