[Cuis-dev] Is it possible to hide the source code in a Cuis project ?

Wed Dec 15 06:43:47 PST 2021

Hi Nicola,

On 12/15/21 12:34 PM, Nicola Mingotti via Cuis-dev wrote:
> Hi guys,
> 
> I am considering the possibility of delivering an application
> I am closing these days in the BeagleBone Black / BeagleBone AI in 
> Cuis-Smalltalk.
> 
> The application is already written in Python + Node it would
> be mostly a translation effort.
> 
> It would be a major advantage If could hide the code from unwelcome eyes 
> (the competence).
> My classes, specific for the application, should be by default visible only
> byte compiled.
> 
> I discovered a few days ago the possibility of seeing the bytecode
> of a method doing : "Inspect compiled method" so I started to ask
> myself. Does Cuis need only the compiled method to run? Is it
> necessary to have also the source code in place ?
Yes! You can switch of the warnings about missing changes and
source files and it will happily squeak along without source code.
> 
> Ideally It would be great if I could keep also the classes source code into
> the BBB, but encrypted. In such a way that, if the customer needs
> a modification, I log in remotely, decrypt the source, make the
> changes and leave there again only the byte code.
There should an easier way to do that.
The only piece of information the decompiler can not reproduce
are the names of local variables and parameters. AFIR each method
has a pointer (a 32-bit offset) into the changes file (or the source 
file). These can be replaced by a collection of local variables names.
This will enable you to make onsite modifications without the source,
by relying on the decompiler only. If you want to go
that way, drop me a note and will look up the details.
> 
> Just guessing. It could be that my classes are subclasses of 
> EncrypedClass which
> by default shows only mangled sourcecode in the Browser, unless the 
> programmer
> provides a deciphering password.
Your changes are rather dim. The decompiler is much to good at 
decompiling. Of course you might be able to remove the decompiler,
but it would be easy to file it in again as long there is a compiler
available. Removing the Compiler will make it impossible to
make on-site changes and render every useful tool, browser, debugger 
etc.pp. useless. I bet it will render the image useless.
Maybe you remember the changes you made to the startup-code,
even in this part there are references to the compiler.

The only chance I see here, is to change the VM to make it
load an encrypted image and password-protect access to
the browser tools in your UI. Of course if someone gains root
access to your computer, he/she could easily read the decrypted
image from RAM.

In a nutshell: It is not worth the effort.

I might be worthwhile to run your application with an (overlay)
file-system that supports encryption (encfs for example).
Again you need to block access to the browsers in your UI.

> 
> Let me know what you think. If this is possible it would be
> extremely interesting. If you think is very complex to achieve I put it
> in the desiderata list, procrastinate, and keep it mind for the future.
I would like to see app distribution with a single file for Cuis
applications. That is appending the image to the VM executable
maybe compressed an encrypted. The big problem here is that
some plugins can not be compiled as internal plugins
and some drivers must be shared objects/DLLs. Of course
the VM could be changed here, but that would mean
Squeak/VMMaker programming.

It is much easier to add modules to Python's
module loader infrastructure that load encrypted
modules.
> 
> 
> Bye
> Nicola

HTH and Best Regards,

Gerald