[Newbies] Squeak in commercial projects
Bert Freudenberg
bert at freudenbergs.de
Wed Mar 7 09:29:21 UTC 2007
On Mar 7, 2007, at 8:57 , goran at krampe.se wrote:
> Hi!
>
> Just a note - decompiling from bytecodes is very easy in Squeak. The
> only thing missing is the original indentation and any comments. But
> everything else is there. Just so you know.
Well, if you're really concerned about decompiling, just mangle the
selectors. As long as you are not constructing Symbols at runtime
(#asSymbol, #intern:) this works perfectly well. Same for class names
and instance variable names.
> Locking down the image is of course doable - so that you can't easily
> get to the tools etc - but there are of course ways to go around that
> too. For example, I guess you can use an image file analyzer (there is
> at least one I think) or hack a VM to do stuff when the image is
> loaded.
Sure. But if the names are mangled this is about as much fun as
reverse engineering machine code. No wait, the tool support is still
better ;)
>> But doesn't this imply that the source is downloaded, making it easy
>> (easier) to hack the system? I could make the private Monticello
>> connection secure, update the system and then delete the source...
>> just thinking out loud.
>
> Yes - a Monticello package is just a zip file of source code. Sure, you
> can make the transfer "secure" using SSL or whatever - and you can apply
> it and throw it away
Well, you certainly would want to encrypt and sign the patch. If you
are *that* paranoid I'd not even use MC but just image segments.
It's all a question of cost/value. I for one would be more concerned
about preventing malicious code injection than the possibility of
reverse engineering. But you have to weigh that yourself.
- Bert -
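
Added example, not part of the original message and not Squeak code: a pre-check for the selector-mangling approach described in the reply above, flagging methods that send #asSymbol or #intern: in real code (comments, strings and character literals are ignored) before any names are renamed. The method sources, the secret and the hash-based naming scheme are constructed assumptions, and only unary and keyword selectors are renamed.

```python
import hashlib
import re

# Sends the post names as runtime Symbol construction.
RUNTIME_SYMBOL_SENDS = {"asSymbol", "intern:"}
# Character literals, "comments" and 'strings' (with '' escapes) are not code.
NON_CODE = re.compile(r"""\$.|"[^"]*"|'(?:[^']|'')*'""")
# Identifiers and keyword parts; the (?!=) keeps "x:=" from reading as "x:".
TOKEN = re.compile(r"[A-Za-z_]\w*(?::(?!=))?")

def runtime_symbol_sends(source):
    """Return the runtime-Symbol sends that appear in the real code of one method."""
    code = NON_CODE.sub(" ", source)
    return sorted(RUNTIME_SYMBOL_SENDS & set(TOKEN.findall(code)))

def audit(methods):
    """Map 'Class>>selector' to the sends that make mangling unsafe there."""
    hits = {name: runtime_symbol_sends(src) for name, src in methods.items()}
    return {name: found for name, found in hits.items() if found}

def mangle_selector(selector, secret):
    """Rename a unary or keyword selector, keeping its keyword count (arity)."""
    def opaque(part):
        # Assumed scheme: keyed hash, prefixed with a letter to stay a valid name.
        return "m" + hashlib.sha256(secret + part.encode()).hexdigest()[:8]
    if not selector[0].isalpha():
        return selector  # binary selectors such as + are left alone
    if ":" not in selector:
        return opaque(selector)
    return "".join(opaque(p) + ":" for p in selector.split(":")[:-1])

# Constructed sample methods (not from any real image).
SAMPLE = {
    "Invoice>>total": 'total\n\t"never use asSymbol here"\n\t^ lines size',
    "Invoice>>field:": "field: aName\n\t^ self perform: ('get', aName) asSymbol",
    "Registry>>lookup:": "lookup: aString\n\t^ table at: (Symbol intern: aString)",
    "Report>>title": "title\n\t^ 'call asSymbol later'",
}

if __name__ == "__main__":
    for name, sends in audit(SAMPLE).items():
        print(f"{name}: builds Symbols at runtime via {', '.join(sends)}")
    print("at:put: ->", mangle_selector("at:put:", b"constructed-secret"))
```

Methods the audit reports need a fixed, unmangled selector set (or a rewrite) before renaming, since a Symbol built from a string at runtime will no longer match the mangled name.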