Security through foreign languages.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

Hello fellow community members,

I've been recently chatting with another homeland PHP addict, and we were discussing security -- and "Security through Obscurity" to be exact.

I've been thinking a lot about obscuring some parts of my code. When it comes to obscurity, it makes your application harder to code due to many factors. For example if your fieldname is "dfg4rtSDFkgcvbF" it's definitely harder to remember later than "username". That's just one example.

Obscurity does not add security, but it strengthens it. However, the price of obscurity can be probably seen at the speed of the progress of your project.

After a little thinking I started to think if I write these certain parts of my script in a foreign language - Finnish. There are only 5 million Finnish speakers in this world, so it does strengthen the security by a meaningful amount. Still, I am able to code as fast as normal, and it does not affect anything else. At least not to me - but no one else other than me is coding on the project core, but rather a few outside plugins that are not affected by this obscurity method.

For example, the member table would have fields like tunnari,salari,soossi,mauste,kertapadi, ... and this would not just apply to the database.

All comments would be also unreadable for attackers unless they are fluent in Finnish.

// Ny sit pistetää kerran paddaus eli söössi tähä tunnarii nii että me suojau'utaa sateenkaarihyökkäyksilt

And trying to translate from Finnish to English is a pathetic attempt. ;)

Your thoughts?

EDIT: It would actually probably even boost the speed of coding.
Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Re: Security through foreign languages.

Post by Chalks »

I think that I would only do this for personal projects. Mainly because anything other than a personal project could potentially have another developer at some point, and they would loathe you. LOATHE.

I do like the idea though.... if it was simpler/less obscure than a completely different language.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Security through foreign languages.

Post by califdon »

I agree with chalks. That would be fine for a personal project, or possibly for a commercial project if all the current and future coders were Finnish (which might be the case, since you indicate that you're located in Finland). I have indeed heard from other Europeans who say that Finnish, Bulgarian and Hungarian are the hardest languages for non-natives to learn. But, for example, if a determined hacker wanted to hack your code, I don't think it would be that hard for him to enlist the help of some Finnish speaker. So I guess it depends on who should have free access to your code in the future and the level of security you're trying to achieve. Maybe you could intermix Finnish, Bulgarian and Hungarian?? :wink:
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Security through foreign languages.

Post by kaisellgren »

califdon wrote:I agree with chalks. That would be fine for a personal project, or possibly for a commercial project if all the current and future coders were Finnish (which might be the case, since you indicate that you're located in Finland). I have indeed heard from other Europeans who say that Finnish, Bulgarian and Hungarian are the hardest languages for non-natives to learn. But, for example, if a determined hacker wanted to hack your code, I don't think it would be that hard for him to enlist the help of some Finnish speaker. So I guess it depends on who should have free access to your code in the future and the level of security you're trying to achieve. Maybe you could intermix Finnish, Bulgarian and Hungarian?? :wink:
Wow, I didn't think of that yet... hmm... I think it begins to be too complex for a coder if he needs to know all those three languages :banghead:

Of course a hacker could learn Finnish or find someone who speaks it, but this is all about obscurity -- not bulletproof security. 8)
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Security through foreign languages.

Post by califdon »

kaisellgren wrote:Of course a hacker could learn Finnish or find someone who speaks it, but this is all about obscurity -- not bulletproof security. 8)
It would sure be obscure to ME! :? It's all I can do to read code in ENGLISH! :roll:

Seriously, I think your idea has merit, if considered strictly as obfuscation. And of course it would be of no value in obscuring from another Finn. But for the rest of us ... really obscure! :)
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Security through foreign languages.

Post by Weirdan »

I don't think it would be as obscure as you think. You will still be coding in PHP, so the structure of the code will rat out what the code does =). I once worked with the code where they named everything in German (and I don't speak German). It wasn't that hard although it was annoying, for sure.
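
Weirdan's point that the PHP structure gives the code away, as an added example that is not part of the original thread: the tokenizer lists every built-in function and method call in a Finnish-named snippet without understanding a single identifier. The column names `tunnari` and `salari` come from the first post; the table name, function names and variables are hypothetical, and PHP 7.4+ with the tokenizer extension is assumed.

```php
<?php
// Added illustration, not code from the thread. $source is a constructed
// sample: "tunnari" and "salari" are from the first post, every other
// name in it is hypothetical.
$source = <<<'SRC'
<?php
function luo_tunnari(PDO $kanta, string $tunnari, string $salari): void {
    $tiiviste = password_hash($salari, PASSWORD_DEFAULT);
    $lause = $kanta->prepare(
        'INSERT INTO jasenet (tunnari, salari) VALUES (?, ?)'
    );
    $lause->execute([$tunnari, $tiiviste]);
}
function tarkista(PDO $kanta, string $tunnari, string $salari): bool {
    $lause = $kanta->prepare('SELECT salari FROM jasenet WHERE tunnari = ?');
    $lause->execute([$tunnari]);
    $rivi = $lause->fetchColumn();
    return is_string($rivi) && password_verify($salari, $rivi);
}
SRC;

// Returns the built-in functions and the method names that the source
// calls. User-chosen identifiers play no part in the result.
function visible_calls(string $source): array {
    $internal = array_flip(get_defined_functions()['internal']);
    // Drop whitespace and comments so a name and its "(" become neighbours.
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $found = ['builtin' => [], 'method' => []];
    foreach ($tokens as $i => $t) {
        // A call is a bare name (T_STRING) directly followed by "(".
        if (!is_array($t) || $t[0] !== T_STRING || ($tokens[$i + 1] ?? null) !== '(') {
            continue;
        }
        $prev = $tokens[$i - 1] ?? null;
        $prevId = is_array($prev) ? $prev[0] : null;
        if ($prevId === T_OBJECT_OPERATOR) {
            $found['method'][$t[1]] = true;          // $obj->name(
        } elseif ($prevId !== T_FUNCTION && isset($internal[strtolower($t[1])])) {
            $found['builtin'][$t[1]] = true;         // PHP's own function
        }
    }
    return array_map('array_keys', $found);
}

print_r(visible_calls($source));
```

The password-handling and database calls show up by their English PHP names, and the SQL keywords in the string literals are just as readable, so the renamed identifiers hide only the author's own vocabulary.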
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Security through foreign languages.

Post by kaisellgren »

Weirdan wrote:I don't think it would be as obscure as you think. You will still be coding in PHP, so the structure of the code will rat out what the code does =). I once worked with the code where they named everything in German (and I don't speak German). It wasn't that hard although it was annoying, for sure.
That is why it's called obscuration. It makes it painful for other people to understand it. Whether you understand the code in first 5 minutes or in one week - the author may have already patched a serious security vulnerability before the attacker has even understood the purpose of the whole code ;) - and that's just one benefit.

One greater benefit is that it's easier for me to code, because I would code in my mother tongue :lol:

Would you write in Ukrainian or in English?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Security through foreign languages.

Post by Weirdan »

kaisellgren wrote:Would you write in Ukrainian or in English?
My mother tongue happens to be Russian (there are a lot of people speaking Russian in Ukraine, despite what the country name suggests :) ), but I wouldn't use it for coding. The one reason would be that I work in a multilanguage team (with members from UK and Ukraine) and the other would be that code that uses anything but English always appeared as unprofessional to me, even if I knew that language. This viewpoint is almost universally accepted by most programmers I know personally.

Besides I'm not quite sure how PHP will handle multibyte identifiers (Cyrillic uses second byte when encoded in UTF-8).
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Security through foreign languages.

Post by kaisellgren »

Weirdan wrote:
kaisellgren wrote:Would you write in Ukrainian or in English?
My mother tongue happens to be Russian (there are a lot of people speaking Russian in Ukraine, despite what the country name suggests :) ), but I wouldn't use it for coding. The one reason would be that I work in a multilanguage team (with members from UK and Ukraine) and the other would be that code that uses anything but English always appeared as unprofessional to me, even if I knew that language. This viewpoint is almost universally accepted by most programmers I know personally.

Besides I'm not quite sure how PHP will handle multibyte identifiers (Cyrillic uses second byte when encoded in UTF-8).
Well okay. Russian identifiers - eh...

But for Finnish, PHP handles it totally anywhere I use Finnish. All characters are acceptable :D

And the part of the script that would be in Finnish is not coded by anyone else other than me. So, with this assembly, I am thinking of writing it in Finnish.
omniuni
Forum Regular
Posts: 738
Joined: Tue Jul 15, 2008 10:50 pm
Location: Carolina, USA

Re: Security through foreign languages.

Post by omniuni »

"Ny sit stop once paddaus or söössi here tunnarii nii that we suojau'utaa sateenkaarihyökkäyksilt"

You're right. It's not exactly translatable.

I would question, though, what this actually achieves. If someone is trying to hack your website you'll buy yourself a few hours, sure, but if you really wanted to keep your code to yourself, why not just compile it? For the benefit of being able to re-use the code if you want to on other projects, or being able to show it to someone else (non-Finnish) you'd buy yourself a lot more time while they decompile the thing.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Security through foreign languages.

Post by kaisellgren »

omniuni wrote:"Ny sit stop once paddaus or söössi here tunnarii nii that we suojau'utaa sateenkaarihyökkäyksilt"

You're right. It's not exactly translatable.

I would question, though, what this actually achieves. If someone is trying to hack your website you'll buy yourself a few hours, sure, but if you really wanted to keep your code to yourself, why not just compile it? For the benefit of being able to re-use the code if you want to on other projects, or being able to show it to someone else (non-Finnish) you'd buy yourself a lot more time while they decompile the thing.
Obscuration is not a way to protect yourself. It's a way to stab a knife in your cracker's stomach. I can not compile the code. Yet I am not trying to defeat crackers with this method - but rather stab them.
omniuni
Forum Regular
Posts: 738
Joined: Tue Jul 15, 2008 10:50 pm
Location: Carolina, USA

Re: Security through foreign languages.

Post by omniuni »

Well, I don't think it'll be much more than pins and needles... but I think they're in the right places to cause some considerable pain.

We'll call this technique "Kai's Curse".
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Security through foreign languages.

Post by kaisellgren »

omniuni wrote:Well, I don't think it'll be much more than pins and needles... but I think they're in the right places to cause some considerable pain.

We'll call this technique "Kai's Curse".
Ahhah :D

I actually find using Finnish very useful in my code...
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Security through foreign languages.

Post by califdon »

I can certainly understand the motivation to program in your native language.

By the way, I have never heard of the English word "obscuration", but this is usually called "obfuscation". Today's English lesson! :P
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Security through foreign languages.

Post by kaisellgren »

califdon wrote:I can certainly understand the motivation to program in your native language.

By the way, I have never heard of the English word "obscuration", but this is usually called "obfuscation". Today's English lesson! :P
Something weird happened. You made three posts :)

Btw, http://www.thefreedictionary.com/Obscuration