2.1. Highest security and performance
2.1.1. What is the highest security Pyarmor can provide?
The following options improve security:
- --enable-rft: has almost no impact on performance
- --enable-bcc: importing a module takes longer; for example, importing a plain script takes about 1 ms, but a BCC module takes about 200 ms
- --enable-jit: prevents static decompilation
- --enable-themida: blocks most debuggers; only available on Windows, and reduces performance remarkably
- --mix-str: protects string constants in the script
- pyarmor cfg mix_argnames=1: may break annotations
The following options hide module attributes:
- --private for scripts, or --restrict for packages
The following options prevent functions from being injected into obfuscated modules
2.1.2. What is the best performance Pyarmor can achieve?
Use the default options and the following settings:
- --obf-code 0
- --obf-module 0
- pyarmor cfg restrict_module=0
With these options, the security is almost the same as .pyc.
To improve security without reducing performance, also enable RFT mode.
If there are sensitive strings, enable mix-str with a filter:
- pyarmor cfg mix.str:includes "/regular expression/"
- --mix-str
Without a filter, all string constants in the scripts are encrypted, which may reduce performance. Using a filter to encrypt only the sensitive strings can balance security and performance.
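Before setting a filter, it helps to see which string constants a candidate regular expression would select. The following is an added example, not part of Pyarmor or its documentation: it lists the string constants of a script with Python's ast module and splits them by a regex. It assumes the filter selects a string when the regex matches anywhere in it; Pyarmor's own matching rules may differ. The sample script and the function name preview_filter are constructed for illustration.

```python
import ast
import re

# Constructed sample script; every name and value is made up for this example.
SAMPLE_SOURCE = '''
"""Billing helpers."""
API_TOKEN = "token-3f9a-constructed"
DB_URL = "postgres://app:example-pw@db.example/billing"
GREETING = "hello"

def connect(url=DB_URL):
    """Open a connection."""
    return "connecting to " + url
'''


def preview_filter(source, rule):
    """Split the str constants of `source` into (selected, skipped) lists.

    `rule` is a regular expression, optionally written in the "/.../" form
    used on this page. Each list holds (line number, string) tuples.
    """
    if len(rule) >= 2 and rule.startswith("/") and rule.endswith("/"):
        rule = rule[1:-1]
    regex = re.compile(rule)
    selected, skipped = [], []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Assumption: a string is selected when the regex matches anywhere.
            bucket = selected if regex.search(node.value) else skipped
            bucket.append((node.lineno, node.value))
    return sorted(selected), sorted(skipped)


if __name__ == "__main__":
    chosen, left = preview_filter(SAMPLE_SOURCE, "/token-|-pw@/")
    print("selected by filter:")
    for lineno, value in chosen:
        print(f"  line {lineno}: {value!r}")
    print(f"left in plain form: {len(left)} string(s)")
    for lineno, value in left:
        print(f"  line {lineno}: {value!r}")
```

Any sensitive value that shows up in the second list means the filter is too narrow.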
2.1.3. Recommended options for different applications
1. For Django applications or serving web requests
If RFT mode is safe enough (you can check the transformed scripts to decide), use these options:
- --enable-rft
- --obf-code 0
- --obf-module 0
- --mix-str with filter
If RFT mode is not safe enough, use these options:
- --enable-rft
- --no-wrap
- --mix-str with filter
For most applications and packages
If RFT mode and BCC mode are available:
- --enable-rft
- --enable-bcc
- --mix-str with filter
- --assert-import
If not:
- --enable-jit
- --private for scripts, or --restrict for packages
- --mix-str with filter
- --assert-import
If function injection is a concern, also use:
- --assert-call with inline markers to make sure all the key functions are protected
If the application is not performance-sensitive, use:
- --enable-themida to prevent debuggers