<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Security vulnerability with Encrypted Classes (example) in Discussions</title>
    <link>https://community.jmp.com/t5/Discussions/Security-vulnerability-with-Encrypted-Classes-example/m-p/474120#M71895</link>
    <description>&lt;P&gt;Good to know.&amp;nbsp; I suggest sending this to &lt;A href="mailto:support@jmp.com" target="_blank"&gt;support@jmp.com&lt;/A&gt;&amp;nbsp;as well if you haven't already.&lt;/P&gt;</description>
    <pubDate>Tue, 29 Mar 2022 14:20:48 GMT</pubDate>
    <dc:creator>ih</dc:creator>
    <dc:date>2022-03-29T14:20:48Z</dc:date>
    <item>
      <title>Security vulnerability with Encrypted Classes (example)</title>
      <link>https://community.jmp.com/t5/Discussions/Security-vulnerability-with-Encrypted-Classes-example/m-p/473938#M71873</link>
      <description>&lt;P&gt;I'm posting here as an FYI -- encrypted classes in JSL are not secure.&amp;nbsp; I recommend only using functions and not classes, as functions are not vulnerable to this.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The issue lies in the fact that JMP classes are introspective, while compiled functions are not.&amp;nbsp; Consider the following class that contains a method I'd really like to keep secret:&lt;/P&gt;&lt;PRE&gt;&lt;CODE class=" language-jsl"&gt;Define Class(
	"complex",
	real = 0;
	imag = 0;
	_init_ = Method( {a, b},
		real = a;
		imag = b;
	);
	secret method = Method( {secret input 1, secret input 2 = "foo"},
		{Default Local},
		my secret password = "password123";
		my secret connection database = "database=UML_4x7z;source=axml1131;pwd=my_great_password";
		Eval( Eval Expr(
		my ultra secret program = Run Program(
			Executable( "secret_exe.exe" ),
			Options( Expr( "-o " || my secret connection database ) ) 
		)
		) );
	);
	Add = Method( {y},
		New Object( complex( real + y:real, imag + y:imag ) )
	);
	Sub = Method( {y},
		New Object( complex( real - y:real, imag - y:imag ) )
	);
	Mul = Method( {y},
		New Object( complex( real * y:real - imag * y:imag, imag * y:real + real * y:imag ) )
	);
	Div = Method( {y},
		t = New Object( complex( 0, 0 ) );
		mag2 = y:Magsq();
		t:real = real * y:real + imag * y:imag;
		t:imag = imag * y:real - real * y:imag; // imaginary part of (a+bi)/(c+di) is (bc - ad)/(c^2 + d^2)
		t:real = t:real / mag2;
		t:imag = t:imag / mag2;
		t;
	);
	Magsq = Method( {},
		real * real + imag * imag
	);
	Mag = Method( {},
		Sqrt( real * real + imag * imag )
	);
	_to string_ = Method( {},
		Char( real ) || " + " || Char( imag ) || "i"
	);
	_show_ = _to string_;
);&lt;/CODE&gt;&lt;/PRE&gt;&lt;P&gt;If you take this script and encrypt it (using Edit-&amp;gt;Encrypt Script...) then ideally the internal code should not be readily visible to any end-user that you might distribute this to.&amp;nbsp; This, however, is not the case.&amp;nbsp; It is actually ridiculously easy to deconstruct and reconstruct.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here are a couple of functions that can deconstruct the encrypted methods (this is the problem) then reconstruct them for convenience's sake:&lt;/P&gt;&lt;PRE&gt;&lt;CODE class=" language-jsl"&gt;clref = New Object( complex( 1, 2 ) );

introspect = Function( {obj},
	{Default Local},
	i = 1;
	obj part = Arg( obj, 1 );
	ret = Eval List( {Head Name( obj part )} );
	While( !Is Empty( Arg( obj part, i ) ),
		moil = Eval List({Arg( obj part, i)} );
		ret[N Items( ret ) + 1] = If( N Arg( Arg( moil, 1 ) ) &amp;gt; 0, Recurse( moil ), Head Name( Arg( moil, 1 ) ) );
		i++
	);
	ret
);
Clear Log();
deconstructed = introspect( Eval List( {Name Expr( clref:secret method )} ) );
Show( deconstructed );

reconstruct = Function( {input},
	{Default Local},
	init = Parse( input[1] || "()" );
	If( Is List( input ) &amp;amp; N Items( input ) &amp;gt; 1,
		For( i = 2, i &amp;lt;= N Items( input ), i++,
			If( Is List( input[i] ),
				Insert Into( init, Try( ( s = Recurse( input[i] ); s )[1], Char( s ) ) )
			,
				Insert Into( init, Parse( input[i] ) )
			)
		);
	);
	Eval List( {Name Expr( init ) } );
);

Show( reconstruct( deconstructed ) );&lt;/CODE&gt;&lt;/PRE&gt;&lt;P&gt;Note that there are two caveats with this -- it can't easily distinguish between strings and names (but you as a human probably can), and it will not have visibility to the center arguments of such a construct as &lt;CODE class=" language-jsl"&gt;class:method( arg1, arg2 ):returned_class_method( arg );&lt;/CODE&gt;, where the first method returns a class that you further call a method of.&amp;nbsp; Even with these limitations it can be very quick to find implementation details for even passwords / sensitive information.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Again, my recommendation is that if you're encrypting a script / multiple scripts for security purposes then don't rely on classes.&lt;/P&gt;</description>
      <pubDate>Sat, 10 Jun 2023 20:50:00 GMT</pubDate>
      <guid>https://community.jmp.com/t5/Discussions/Security-vulnerability-with-Encrypted-Classes-example/m-p/473938#M71873</guid>
      <dc:creator>ErraticAttack</dc:creator>
      <dc:date>2023-06-10T20:50:00Z</dc:date>
    </item>
    <item>
      <title>Re: Security vulnerability with Encrypted Classes (example)</title>
      <link>https://community.jmp.com/t5/Discussions/Security-vulnerability-with-Encrypted-Classes-example/m-p/474120#M71895</link>
      <description>&lt;P&gt;Good to know.&amp;nbsp; I suggest sending this to &lt;A href="mailto:support@jmp.com" target="_blank"&gt;support@jmp.com&lt;/A&gt;&amp;nbsp;as well if you haven't already.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Mar 2022 14:20:48 GMT</pubDate>
      <guid>https://community.jmp.com/t5/Discussions/Security-vulnerability-with-Encrypted-Classes-example/m-p/474120#M71895</guid>
      <dc:creator>ih</dc:creator>
      <dc:date>2022-03-29T14:20:48Z</dc:date>
    </item>
  </channel>
</rss>

