Protecting Python Applications With Cython

Python applications can be protected by combining Cython with Sentinel LDK Envelope. This works by first translating your sensitive Python modules into native modules (PYD/SO files) which are then protected using Sentinel Envelope.

Protecting a Python application with Cython and Sentinel LDK Envelope consists of the following steps:

1.Translate your Python (PY) modules into C code using Cython.

2.Compile the resulting C files into native Python extension modules (PYD/SO) using your platform’s C compiler .

3.Protect the resulting Python native extension modules using Sentinel LDK Envelope.

The protected application can be distributed by providing the protected Python native extension modules together with your application’s start script (for example, using pyinstaller).

Sample Code

A sample that demonstrate the protection of a Python application for Linux using Cython and Sentinel Envelope can be found in:

<root>/Linux/Samples/Envelope/Python/cythonize_and_envelope/

The scripts contained there demonstrate the protection of a simple Python application, which can be found in:

<root>/Linux/Samples/Envelope/Python/sample_app/

The sample application is a simple Python command line application that consists of a start script (main.py) and three modules (moduleA.py, moduleB.py, moduleC.py). To easily demonstrate both the Python2 and the Python3 use case, this sample application had been written in a way to work identically under both versions.

The cythonize_and_envelope folder contains:

>build_python2.sh

This script protects and packages the sample application for Python2 under Linux using the DEMOMA Batch code, Cython, GCC, Sentinel LDK Envelope, and pyinstaller.

>build_python3.sh

This script protects and packages the sample application for Python3 under Linux using the DEMOMA Batch Code, Cython, GCC, Sentinel LDK Envelope, and pyinstaller.

Protection Process

Use the steps that follow to create a protected application using Cython and Sentinel Envelope.

1.Translate your Python modules (.py) into C code using Cython

Change your Python module’s extension from PY to PYX. This allows cython to generate code that can be better protected by Envelope.

Cython can be installed using pip:

pip install cython --upgrade

Run cython and specify one of the following to indicate whether cython should treat the code as Python 2 or Python 3:

cython -2 --no-docstrings .\moduleA.pyx
cython -3 --no-docstrings .\moduleA.pyx

The result is a representation of the Python module as C code (for example: moduleA.c).

2.Compile the resulting C files into native Python extensions

Install the GCC compiler using the package manager of your Linux distribution. For example:

apt install gcc

Install the Python development headers using the package manager of your Linux distribution. For example:

apt install python2-dev

OR

apt install python3-dev

Run the following commands to compile and link the C code:

•Python2:

gcc -fPIC -pthread -fwrapv -O2 -Wall -fno-strict-aliasing -I/usr/include/python2.7 -c moduleA.c
gcc -pthread -shared moduleA.o -o moduleA.so

•Python3:

gcc -fPIC -pthread -fwrapv -O2 -Wall -fno-strict-aliasing -I "/usr/include/python3.7" -c moduleA.c
gcc -pthread -shared moduleA.o -o moduleA.so

The result is a native Python extension module for Linux (moduleA.so).

3.Use Sentinel LDK Envelope to protect the resulting Python extension modules

Use Sentinel LDK Envelope to protect the resulting Python extension modules. For example:

linuxenv --vcf:DEMOMA.hvc --fid:0 plain/moduleA.so prot/moduleA.so