2.1. Highest security and performance
2.1.1. What’s the most security pyarmor could do?
The following options could improve security:
- --enable-rft: has almost no impact on performance
- --enable-bcc: even a little faster than the plain script, but consumes more memory to load binary code
- --enable-jit: prevents static decompilation
- --enable-themida: blocks most debuggers; only available on Windows, and reduces performance remarkably
- --mix-str: protects string constants in the script
- pyarmor cfg mix_argnames=1: may break annotations
- --obf-code 2: could make it more difficult to reverse byte code
The following options hide module attributes:
- --private for scripts, or --restrict for packages
The following options prevent functions or modules from being replaced by hack code
2.1.2. What’s the best performance pyarmor could do?
Use the default options and the following settings:
- --obf-code 0
- --obf-module 0
- pyarmor cfg restrict_module=0
With these options, the security is almost the same as .pyc.
To improve security without reducing performance, also enable RFT mode.
If there are sensitive strings, enable mix-str with a filter:
- pyarmor cfg mix.str:includes "/regular expression/"
- --mix-str
Without a filter, all string constants in the scripts are encrypted, which may reduce performance. Using a filter to encrypt only the sensitive strings can balance security and performance.
2.1.3. Recommended options for different applications
For Django applications or serving web requests
- If RFT mode is safe enough (you can check the transformed scripts to decide), use these options:
  - --enable-rft
  - --obf-code 0
  - --obf-module 0
  - --mix-str with filter
- If RFT mode is not safe enough, use these options:
  - --enable-rft
  - --no-wrap
  - --mix-str with filter
For most applications and packages
- If RFT mode and BCC mode are available:
  - --enable-rft
  - --enable-bcc
  - --mix-str with filter
  - --assert-import
- If RFT mode and BCC mode are not available:
  - --enable-jit
  - --private for scripts, or --restrict for packages
  - --mix-str with filter
  - --assert-import
  - --obf-code 2
- If you care about monkey tricks, also use:
  - --assert-call with inline marker, to make sure all the key functions are protected
- If it’s not performance sensitive, use:
  - --enable-themida to block debuggers
2.1.4. Reforming scripts to improve security
Move main script module level code to other module
Pyarmor clears a module's module-level code after the module is imported, so injected code cannot get any of it because it's gone.
But the main script's module-level code is never cleared, so moving unnecessary code from the main script to another module can improve security.
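
The following check is an added example, not part of Pyarmor or its documentation: it parses a main script before obfuscation and lists the module-level statements that could be moved to another module. Treating everything except imports, the module docstring and the `__main__` guard as movable is an assumption of this sketch, and `SAMPLE_MAIN`, `app.core` and the function names are hypothetical.

```python
import ast

# Constructed sample main script. `app.core` is a hypothetical module; the
# source is only parsed here, never imported or executed.
SAMPLE_MAIN = '''\
"""Entry point."""
import sys
from app.core import run

API_TOKEN_SALT = "constructed-sample-value"

def check_license(path):
    return path.endswith(".lic")

if __name__ == "__main__":
    sys.exit(run(sys.argv[1:]))
'''

def _is_main_guard(node):
    """True for `if __name__ == "__main__":` with either operand order."""
    if not isinstance(node, ast.If) or not isinstance(node.test, ast.Compare):
        return False
    test = node.test
    if len(test.ops) != 1 or not isinstance(test.ops[0], ast.Eq):
        return False
    operands = [test.left, test.comparators[0]]
    has_name = any(isinstance(o, ast.Name) and o.id == "__name__" for o in operands)
    has_main = any(isinstance(o, ast.Constant) and o.value == "__main__" for o in operands)
    return has_name and has_main

def movable_statements(source):
    """List (lineno, node type) of module-level statements in a main script
    other than imports, the docstring and the __main__ guard."""
    findings = []
    for index, node in enumerate(ast.parse(source).body):
        if isinstance(node, (ast.Import, ast.ImportFrom)) or _is_main_guard(node):
            continue
        if (index == 0 and isinstance(node, ast.Expr)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            continue  # module docstring
        findings.append((node.lineno, type(node).__name__))
    return findings

if __name__ == "__main__":
    for lineno, kind in movable_statements(SAMPLE_MAIN):
        print(f"line {lineno}: module-level {kind} is a candidate to move")
```

An empty result means the main script holds only imports and the guarded call, which is the layout this section recommends.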