Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)
From | Andrew Sullivan |
---|---|
Subject | Re: Obfuscated stored procedures (was Re: Oracle and Postgresql) |
Date | |
Msg-id | 20080924154442.GJ58356@commandprompt.com |
In reply to | Re: Obfuscated stored procedures (was Re: Oracle and Postgresql) (David Fetter <david@fetter.org>) |
Responses |
Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)
Re: Obfuscated stored procedures (was Re: Oracle and Postgresql) |
List | pgsql-general |
On Wed, Sep 24, 2008 at 08:05:18AM -0700, David Fetter wrote:
> C is not magic obfuscation gear. Anybody with a debugger can expose
> what it's doing. There have been math papers showing that it's
> impossible to hide the functionality of a piece of software based only
> on the ability to run it, so the entire prospect of obscuring the
> software's functionality when people can send arbitrary inputs to it
> is one of those "known-impossible" problems like the halting problem.

To be fair, one of the points that others are trying to make is not "secure this function for real" but "secure this function enough to make it a little costly."

Sure, someone with a debugger and probably not much work could figure out what the function is. If all you're trying to do is make it expensive for dodgy software shops to re-use your code, however, this is probably enough: the sort of person who thinks re-using someone else's undocumented code is easier than writing it from scratch is probably not going to go to the trouble of really learning the code via debugging tools.

As a defence against criminally lazy developers, "compiled C code" is probably good enough. (Of course, clever non-C code is probably also enough, in my opinion, but obviously others disagree.)

A

--
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/