Protecting Python Applications With Cython

Python applications can be protected by combining Cython with Sentinel LDK Envelope. This works by first translating your sensitive Python modules into native modules (PYD/SO files) which are then protected using Sentinel Envelope.

NOTE   This method cannot protect an application's start script, only its Python modules. Therefore, Thales recommends that you place your application's actual entry point inside a Python module and only use the start script to call the module.

Protecting a Python application with Cython and Sentinel LDK Envelope consists of the following steps:

1.Translate your Python (PY) modules into C code using Cython.

2.Compile the resulting C files into native Python extension modules (PYD/SO) using your platform’s C compiler.

3.Protect the resulting Python native extension modules using Sentinel LDK Envelope.

The protected application can be distributed by providing the protected Python native extension modules together with your application’s start script (for example, using pyinstaller).

You can perform the protection process under Windows or Linux. This topic describes how to perform the process on a Windows machine.

Sample Code

After installing Sentinel LDK, a sample that demonstrates protecting a Python application for Windows using Cython and Sentinel LDK Envelope can be found in:

%userprofile%\Documents\Thales\Sentinel LDK version\Samples\Envelope\Python\cythonize_and_envelope\

The scripts contained there demonstrate the protection of a simple Python application that can be found in:

%userprofile%\Documents\Thales\Sentinel LDK version\Samples\Envelope\Python\sample_app

The sample application is a simple Python command line application that consists of a start script (main.py) and three modules (moduleA.py, moduleB.py, moduleC.py). To easily demonstrate both the Python2 and the Python3 use cases, this sample application has been written to work identically under both versions.

The cythonize_and_envelope folder contains:

>build_python2.bat

This script protects and packages the sample application for Python2 under Windows using the DEMOMA Batch Code, Cython, Microsoft Visual C++ Compiler for Python 2.7 (https://www.microsoft.com/download/details.aspx?id=44266), Sentinel LDK Envelope, and pyinstaller.

>envelope_cythonized_py2modules.prjx

Sentinel LDK Envelope project file that specifies the Envelope settings to protect the Python native extensions (moduleA.pyd, moduleB.pyd) that were created by the build_python2.bat script.

>build_python3.bat

This script protects and packages the sample application for Python3 under Windows using the DEMOMA Batch Code, Cython, Microsoft Build Tools for Visual Studio 2019 (https://www.visualstudio.com/downloads/#build-tools-for-visual-studio-2019), Sentinel LDK Envelope, and pyinstaller.

>envelope_cythonized_py3modules.prjx

Sentinel LDK Envelope project file that specifies the Envelope settings to protect the Python native extensions (moduleA.pyd, moduleB.pyd) that were created by the build_python3.bat script.

Protection Process

Use the steps that follow to create a protected application using Cython and Sentinel Envelope.

1. Translate your Python modules (.py) into C code using Cython

Change your Python module’s extension from PY to PYX. This allows cython to generate code that can be better protected by Envelope.

Cython can be installed using pip:

pip install cython --upgrade

Run cython and specify one of the following to indicate whether cython should treat the code as Python 2 or Python 3:

cython -2 --no-docstrings .\moduleA.pyx
cython -3 --no-docstrings .\moduleA.pyx

The result is a representation of the Python module as C code (for example: moduleA.c).

2. Compile the resulting C files into native Python extensions

NOTE   The C compiler must match the compiler that was used to build CPython. Use the compilers specified below.

Install the required compiler:

>Python2: Microsoft Visual C++ compiler for Python 2.7

https://www.microsoft.com/download/details.aspx?id=44266

>Python3: Microsoft Build Tools for Visual Studio 2019

https://www.visualstudio.com/downloads/#build-tools-for-visual-studio-2019

Open a command shell and turn it into a development prompt by executing:

>Python2:

"%userprofile%\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\vcvarsall.bat" amd64

>Python3:

"C:\<vs_build_tools_install_dir>\VC\Auxiliary\Build\vcvarsall.bat" amd64

Run the following commands inside your development prompt to compile and link the C code:

>Python2:

cl /nologo /c /MD /Ox /W3 /I C:\Python27\include moduleA.c

link /nologo /dll -out:moduleA.pyd C:\Python27\libs\python27.lib moduleA.obj

>Python3:

cl /nologo /c /MD /Ox /W3 /IC:\Python37\include moduleA.c

link /nologo /dll -out:moduleA.pyd C:\Python37\libs\python37.lib moduleA.obj

The result is a native Python extension module for Windows (moduleA.pyd).

3. Use Sentinel LDK Envelope to protect the resulting Python extension modules

Use Sentinel LDK Envelope to protect the resulting Python extension modules the same way you would protect a regular DLL file.

Related Topics

Protecting Python Applications

Protecting Python Applications Using Script Envelope