Shulou(Shulou.com)06/01 Report--

This paper introduces a way to protect NodeJS source code: by transforming nodejs code into bytecode and starting bytecode file with node, nodejs source code is protected from leakage.

Can be applied to nodejs project submission source code, nodejs products deployed in an untrusted environment to prevent others from getting the source code.

Like JS code, nodejs source code is also transparent code, usually when starting code with node, the source code must also be placed in the startup environment. This is unsafe and unsafe in many cases. Because the js source code is transparent, others can get the product or project source code directly.

If the project is customized for a third party, the other party can get the source code directly. If you want to start a project in some environment, such as a virtual host or someone else's server, the source code is also very worrying.

To prevent a series of disturbing consequences of source code disclosure, here is a special protection technique for nodejs source code: converting nodejs code into bytecode files.

Realization principle

The parsing of js in nodejs's kernel uses Google's V8 engine. The V8 engine has a js virtual machine built into it. With the V8 virtual machine, js code can be compiled into bytecode. The V8 virtual machine can recognize and run the bytecode directly. Therefore, the following execution logic is possible:

1. Js code-> js bytecode

2. Js bytecode-> nodejs-> run

Implementation code

(routine)

The part that generates the bytecode file:

Var v8 = require ('v8')

Var fs = require ('fs')

/ / read the source file (JS source code)

Var js_code = fs.readFileSync (_ _ dirname+ "/ test.js") .toString ()

/ / generate bytecode

Var script = new vm.Script (js_code, {produceCachedData: true})

Var byte_code = script.cachedData

/ / write the bytecode to the file

Fs.writeFileSync (_ _ dirname+ "/ test.jsb", byte_code)

Read and run the bytecode:

Var v8 = require ('v8')

Var fs = require ('fs')

/ / read the bytecode from the file

Byte_code = fs.readFileSync (_ _ dirname+ "/ test.jsb")

/ / run

Var l = byte_code.slice (8,12) .reduce (function (sum, number, power) {return sum + = number * Math.pow (256, power);})

Var dummyCode = "" .repeat (l)

Script = new vm.Script (dummyCode, {cachedData: byte_code})

Script.runInThisContext ()

Running effect

Test.js is the test file for this example and the contents are as follows:

Console.log ("hello world")

Console.log ("this is a test")

The running effect is as follows:

Generate bytecode, read and run bytecode. In this way, it is not complicated, and if the quantity is large, it is still a little cumbersome.

Another drawback is compatibility. For example, the bytecode generated under win will not work properly under linux. If you want to use it under linux, you have to generate it under linux. That is, the operating system should be consistent.

For the protection of JS code products, in addition to using bytecode technology, you can also use code confusion encryption methods, such as: JShaman (http://www.jshaman.com/) is a confusing encryption tool for JS code, also applicable to nodejs code encryption, is also a very good means of nodejs code protection, and can protect the front-end JS code, with strong versatility.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.