View scripts of my standalone? - Major Security Issue

Richmond Mathewson richmondmathewson at gmail.com
Wed Mar 17 10:57:28 EDT 2010


On 17/03/2010 16:33, Richard Gaskin wrote:
> Lyn Teyla wrote:
>> If I remember correctly, there is a long-standing security
>> issue where anyone can view the stack scripts of ANY Rev
>> standalone by doing a "memory dump" WHILE the app is running.
>>
>> This works EVEN if all stacks are completely password
>> protected (and therefore encrypted)!
>>
>> Apparently this is caused by the RunRev engine decrypting
>> and reading the scripts into memory and keeping them there
>> in clear text for as long as the app/stacks are open.
>
> That appears to remain the case with the latest version in testing.
>
> This line describes the scope of the problem:
>
>> I have no idea how to do a memory dump
>
> ;)
>
> Those for whom dumping memory is second-nature are probably familiar 
> with disassemblers as well.  Like trying to protect images on web 
> pages, the only way to deploy an app is to expose its algorithms to 
> anyone with sufficient interest in discovering them.
>
> Sure, RevTalk is easier to read than Assembly, but copyrighted code 
> will only be stolen by those with an intent to do harm.  Those seeking 
> to profit from such theft are probably well equipped regardless of the 
> language you're using.  Nothing shared is ever safe - see Jeff 
> Massung's notes on algorithm obfuscation at:
> <http://mail.runrev.com/pipermail/use-revolution/2010-March/136017.html>
>
> That said, I wouldn't mind seeing this changed myself.  While I feel 
> the material risk is minimal, risk is still risk.  If you submit a 
> request for this please share the RQCC number here.
>
> One solution for this may have other, bigger benefits:  an option for 
> true machine-code compilation.  All desktop platforms are now using 
> the Intel instruction set, 

Really?

http://www.riscos.com/

http://www.arm.com/

http://www.iyonix.com/

http://www.cjemicros.co.uk/micros/products/a9home.shtml

> so while this might have been prohibitively onerous before it might be 
> doable today.

>
> Such compilation may also open the door to language options which 
> would let us communicate with the OS API directly from within RevTalk, 
> as Toolbook has provided for years.
>
> I would imagine that an option for machine-code compilation would 
> carry some limitations, but for those who could use it it may be well 
> worth working with those limitations.
>
> -- 
>  Richard Gaskin
>  Fourth World
>  Rev training and consulting: http://www.fourthworld.com
>  Webzine for Rev developers: http://www.revjournal.com
>  revJournal blog: http://revjournal.com/blog.irv
> _______________________________________________
> use-revolution mailing list
> use-revolution at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your 
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-revolution
>
