Tuesday, September 7, 2010

notes on PHP source code protection

Situation: you have PHP code, and that PHP code has to be installed on an untrusted system. What's your take?

We've been experimenting with compiling PHP code into native binaries and then running the result through a binary packer. Binary packing is the easy part: UPX is the ultimate solution.
Compiling PHP code is a bit messier. There's no universal solution. There's Zend, which seems easiest but costs $$.

We've been experimenting with open-source compilers and looked at these three: Roadsend pcc (http://code.roadsend.com/pcc), Roadsend rphp (http://code.roadsend.com/rphp/) and Facebook's hiphop-php (what a name!! ;-)).

Base platform: Debian.

pcc: a compiler written in Bigloo (a dialect of Scheme). Easy to bootstrap and get blinking. We got it working with bigloo 3.4a-3 and then moved on to compiling actual PHP code. Compiling simple scriptlets was easy. pcc comes with support for some runtime libraries (curl, gtk, mysql, odbc, sqlite, xml etc.), which is nice. It didn't support json though, so we had to hack our own. This was a bit of a hassle, because we actually had to figure out how to code in Scheme. In the end we had something like:

(module php-json-lib
  (include "../phpoo-extension.sch")
  (library profiler)
  (export
    (init-php-json-lib)
    (json-encode link)
    (json-decode link)))
....


That actually worked. Fair enough. The compiled binaries are surprisingly faster than the original PHP scripts. The actual compilation process is slightly amusing: php -> bigloo scheme -> .c -> .o -> binary -> upx packed!

Learning Scheme was useful though.

Down to rphp:

Written in C++, uses the LLVM library. We are still experimenting with this compiler; to be updated.



hiphop-php: comes from the Facebook team (where else would they name their project 'hiphop' :p). Building was a bit of a pain due to dependencies and manual patching. The following scriptlet summarizes the installation steps for this monster on a Debian box:


#!/bin/sh
# hiphop-php build on Debian: patched libevent and libcurl first, then the
# remaining build dependencies from packages, then hiphop-php itself.
set -e
git clone http://github.com/facebook/hiphop-php.git

# libevent with Facebook's patch replaces the distro package
wget http://www.monkey.org/~provos/libevent-1.4.14b-stable.tar.gz
tar xvfz libevent-1.4.14b-stable.tar.gz
cd libevent-1.4.14b-stable/
patch -p1 < ../hiphop-php/src/third_party/libevent-1.4.14.fb-changes.diff
sudo apt-get purge libevent-dev
./configure
sudo make && sudo make install
cd ..

# patched libcurl; curl-7.21.1.tar.gz is expected to be in the current
# directory already
tar xvfz curl-7.21.1.tar.gz
cd curl-7.21.1/
patch -p1 < ../hiphop-php/src/third_party/libcurl.fb-changes.diff
./configure
make
sudo make install

# remaining build dependencies from Debian packages
sudo apt-get install libgd2-noxpm-dev libxml2-dev libexpat1-dev libicu-dev libmcrypt-dev libonig-dev libreadline-dev libcap-dev binutils-dev libboost-dev libboost-system-dev libboost-filesystem-dev libboost-program-options-dev libtbb-dev

# build hiphop-php itself; installing to the default prefix needs root
cd ../hiphop-php
cmake .
make
sudo make install


Compiling PHP code with hiphop-php is a bit freaky. hiphop-php is actually capable of bundling your code with a web server (nuts!), but you can simply use --keep-tempdir=1 and then pack the resulting binary.

Major drawback: out of the box there is only MySQL API support. The rest has to be hacked in. On the plus side, extensions are written in C++, which is much easier to deal with.
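As an added example (not code from the original post, nor from pcc, rphp or hiphop-php), here is a small POSIX shell helper that applies the two checks a practitioner wants after the compile-and-pack step described above: that the packed binary still behaves like the unpacked one, and that recognisable fragments of the PHP source or embedded secrets are not still readable as plain text in the artifact. The marker list, the file names and the `strings`-style extraction via tr are my assumptions; the script uses only POSIX tools (tr, grep, cmp), so it runs without UPX or a PHP compiler installed.

```shell
#!/bin/sh
# Added example, not part of the original post: post-build checks for a
# compiled-and-packed PHP binary. Uses only POSIX tools, so it needs neither
# UPX nor a PHP compiler to run. File names and the marker list are
# assumptions supplied by the caller.

# extract_printable FILE
# Emulates `strings`: replaces every non-printable byte with a newline and
# keeps runs of at least 6 printable characters.
extract_printable() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{6,}'
}

# leaked_markers FILE MARKER...
# Prints "LEAK: <marker>" for every marker (a source fragment such as "<?php",
# a function name, a constructed secret) that is still readable in FILE.
# Returns 0 when no marker is found, 1 when at least one is.
leaked_markers() {
    lm_file=$1
    shift
    lm_rc=0
    for lm_marker in "$@"; do
        if extract_printable "$lm_file" | grep -qF -- "$lm_marker"; then
            printf 'LEAK: %s\n' "$lm_marker"
            lm_rc=1
        fi
    done
    return $lm_rc
}

# same_behaviour ORIG PACKED [ARG...]
# Runs the unpacked and the packed executable with identical arguments and
# compares their combined output byte for byte. Returns 0 when identical,
# 1 otherwise.
same_behaviour() {
    sb_orig=$1
    sb_packed=$2
    shift 2
    sb_tmp=${TMPDIR:-/tmp}/same_behaviour.$$
    "$sb_orig" "$@" > "$sb_tmp.orig" 2>&1
    "$sb_packed" "$@" > "$sb_tmp.packed" 2>&1
    if cmp -s "$sb_tmp.orig" "$sb_tmp.packed"; then
        sb_rc=0
    else
        sb_rc=1
    fi
    rm -f "$sb_tmp.orig" "$sb_tmp.packed"
    return $sb_rc
}

# Command-line use: sh check_build.sh BINARY MARKER...   (exit 1 on any leak)
if [ "$#" -ge 2 ]; then
    leaked_markers "$@"
fi
```

Run leaked_markers against both the binary the compiler produced and the UPX-packed copy: UPX is compression rather than encryption and is reversible by design, so a clean result on the packed file only says the text is not lying around in the clear, while the unpacked binary is what actually ends up being inspected. Anything that must stay secret (database credentials, API keys) belongs in a config file or the environment on the deploying host rather than in the compiled source.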
