Famous at last, though not in the best way

Kevin Miller kevin at runrev.com
Mon Mar 17 13:32:00 EDT 2014


Hi folks,

The offending application was built with version 5.0.0 of LiveCode. That
is long before the improved script security features introduced during the
6 series. It is now much harder to get a memory dump of a script from a
password-protected stack. It would require catching the memory dump at
exactly the right time - which is not the easiest thing to do without the
original source code.

To put this in perspective, the theoretical ability to dump memory has
been present since the early 90s. This is the first recorded time I've
seen of someone actually doing it. It is much, much harder in the latest
version. However there isn't any way we could make a script 100% secure
against this sort of attack without moving to full compilation. Even then,
there will always be ways of decompiling some of any application,
accessing the variables etc like there is in every other app in any
language.

Full compilation would be better, but when you consider the number of
processor architectures and platforms we support, it's non-trivial to say
the least. It *is* something we eventually plan to do after every single
other thing out there is done but it's going to be a very long time.

In the mean time, the security is about as good as we can make it in the
present version and far better than the version used to do this.

Kind regards,

Kevin

Kevin Miller ~ kevin at runrev.com ~ http://www.livecode.com/
LiveCode: Everyone can code




On 17/03/2014 17:11, "Mike Kerner" <MikeKerner at roadrunner.com> wrote:

>Now that we're off in the weeds, yes, there are not just disassemblers,
>but decompilers as well, and there have been for 40 years.  I think I
>used my first one on an Apple ][.
>
>The thing with those tools is that you don't get the variable names, or
>comments, or the exact control structures, etc., because they don't know
>what the author was trying to do (and often they aren't sure what language
>- computer or human) the code was written in, although depending on the
>platform, often humans can figure that part out.  If you run an
>application through a decompiler/disassembler, you get something that if
>you recompile it will work, but it is not a road map to what the person
>was thinking, because optimizing compilers in particular take all sorts
>of liberties with the original source to get an executable that is
>smaller and/or runs faster.
>
>Even though you get source (and at least in theory can get source in
>whatever source language you want), that doesn't save you a lot of time.
>HOWEVER, if the code is just encrypted, it is far, far easier to get
>back to what the author is really doing.
>
>Stuxnet, for instance, is a binary that isn't particularly large, but the
>malware experts have been trying for years to decipher all of it, and they
>have not, yet.
>
>
>On Mon, Mar 17, 2014 at 12:59 PM, Richard Gaskin
><ambassador at fourthworld.com
>> wrote:
>
>> Mike Kerner wrote:
>>
>>> See thread from other list - we had static compilation of HC stacks and
>>> projects back in the 80's and early 90's with Heizer Software's
>>> CompileIt! and Double-XX! (the exclamation points were part of the name).
>>>
>>
>> Those were clever, but a LOT of work to attempt to use well.  Still,
>> compilation could be done, but I'd sooner see it pursued for the
>> performance gain than the perceived security benefit.
>>
>> While it's true that a disassembler wouldn't be able to reconstruct the
>> LiveCode source (yet), modern disassemblers can produce readable C, some
>> even C#, so the seeming security is only a matter of degrees.
>>
>>
>> --
>>  Richard Gaskin
>>  Fourth World
>>  LiveCode training and consulting: http://www.fourthworld.com
>>  Webzine for LiveCode developers: http://www.LiveCodeJournal.com
>>  Follow me on Twitter:  http://twitter.com/FourthWorldSys
>>
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>
>
>
>
>-- 
>On the first day, God created the heavens and the Earth
>On the second day, God created the oceans.
>On the third day, God put the animals on hold for a few hours,
>   and did a little diving.
>And God said, "This is good."
