Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)

From: Andrew Sullivan <ajs(at)commandprompt(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)
Date: 2008-09-24 15:44:42
Message-ID: 20080924154442.GJ58356@commandprompt.com
Lists: pgsql-general pgsql-www

On Wed, Sep 24, 2008 at 08:05:18AM -0700, David Fetter wrote:

> C is not magic obfuscation gear. Anybody with a debugger can expose
> what it's doing. There have been math papers showing that it's
> impossible to hide the functionality of a piece of software based only
> on the ability to run it, so the entire prospect of obscuring the
> software's functionality when people can send arbitrary inputs to it
> is one of those "known-impossible" problems like the halting problem.

To be fair, one of the points that others are trying to make is not
"secure this function for real" but "secure this function enough to
make it a little costly." Sure, someone with a debugger and probably
not much work could figure out what the function is. If all you're
trying to do is make it expensive for dodgy software shops to re-use
your code, however, this is probably enough: the sort of person who
thinks re-using someone else's undocumented code is easier than
writing it from scratch is probably not going to go to the trouble of
really learning the code via debugging tools. As a defence against
criminally lazy developers, "compiled C code" is probably good
enough. (Of course, clever non-C code is probably also enough, in my
opinion, but obviously others disagree.)

A

--
Andrew Sullivan
ajs(at)commandprompt(dot)com
+1 503 667 4564 x104
http://www.commandprompt.com/
