topic Re: obfuscation of SAS code in SAS Programming

obfuscation of SAS code

reneeharper — Wed, 18 Apr 2012 12:46:34 GMT

Someone asked me this on Twitter. I have no idea how to answer, but would love to point him to the wealth of knowledge shared here. His question is:

" Is there any way or tools to obfuscation of SAS code...I'm talking Base 9.2"

Because I can't add any details to the question, I'm going to refer him to this discussion just as soon as I complete the post. Hope you guys can help hi

Re: obfuscation of SAS code

OS2Rules — Wed, 18 Apr 2012 13:33:00 GMT

Are you kidding?

Most programmers I know seem to go out of their way to do this. We call it "job security code" - written so complex that only they can read (and thus- support) it.

Multiple macros with the same name in the same program, using format definitions that no on has heard of, run-on lines of code so long they don't fit in a standard editor, writing code to an output file and then including it to execute - I've seen it all and more.

And let's not forget the best one of all - not a single comment !

Re: obfuscation of SAS code

Alfredo — Wed, 18 Apr 2012 13:38:39 GMT

By obfuscation, you mean a sort of data step code encryption?

If so, try the stored program facility:

libname source 'c:\temp';

data class / pgm=source.class (alter=mypw);

set sashelp.class;

F=(sex='F');

run;

data pgm=source.class;

*describe;

execute;

run;

Re: obfuscation of SAS code

art297 — Wed, 18 Apr 2012 13:39:57 GMT

Renee: Point him toward some of Art Carpenter's papers on the topic:

http://www.lexjansen.com/sugi/sugi21/tu/291-21.pdf

http://www2.sas.com/proceedings/sugi23/Training/p275.pdf

http://www.lexjansen.com/pharmasug/2005/technicaltechniques/tt05.pdf

Note: links corrected 10:47am 18APR2012

Re: obfuscation of SAS code

Linlin — Wed, 18 Apr 2012 13:59:04 GMT

Hi Art,

when I click the links I got the "

The webpage cannot be found

" message. Maybe it just happened to my computer.

Thanks - Linlin

Message was edited by: Linlin

Re: obfuscation of SAS code

data_null__ — Wed, 18 Apr 2012 14:30:25 GMT

 using format definitions that no on has heard of

What does that mean?

writing code to an output file and then including it to execute

I use this technique often. When the data used to gen code is large it is more logical to keep that data in SAS date set and usedata step to gen code. You can take advantage of BY group processing and all the other features that make a data step a powerful programming language. This makes much more sense than working with lots of macro arrays or scanning and parsing multiple macro variables. Plus you can print the file to the log and see exactly what code is being written, before it is executed..

Re: obfuscation of SAS code

art297 — Wed, 18 Apr 2012 14:48:43 GMT

Linlin: try them now. They somehow got mingled the way I had originally pasted them

Re: obfuscation of SAS code

reneeharper — Wed, 18 Apr 2012 14:52:07 GMT

Great references . suggested two things:

compile a macro with the SECURE option
To protect IP, you could put key algorithms in FCMP and compile to a library

Re: obfuscation of SAS code

OS2Rules — Wed, 18 Apr 2012 14:53:56 GMT

I'm not saying that these techniques do not have value.

What I'm saying is that I have seen some programs where these methods, and more, have been used intentionally to make the programs so complex that only the originator could hope to support them.

"If builders built buildings the way programmers write computer programs, then the first stiff breeze would destroy civilization".

Re: obfuscation of SAS code

data_null__ — Wed, 18 Apr 2012 15:00:27 GMT

I would be extremely reluctant to use any SAS program that I was not able to look at "if I wanted or needed to".

Re: obfuscation of SAS code

JasonDiVirgilio — Wed, 18 Apr 2012 15:43:27 GMT

(over)use of complex and/or nested SQL statements can go a long way to obfuscate what's happening - especially if your trying to obfuscate programs from SAS programmers who may not be as technically sound with SQL.

Re: obfuscation of SAS code

Haikuo — Wed, 18 Apr 2012 15:52:29 GMT

I saw his video, that was hilarious. From my personal experience ( which is not much btw), using as much as PRX is a good way for obfuscation (of course not for toby dunn). I find it is impossible even to read my own PRX code.

Regards,

Haikuo

Re: obfuscation of SAS code

JasonDiVirgilio — Wed, 18 Apr 2012 16:09:32 GMT

Those Art Carpenter papers are priceless. Evil, but priceless. I especially like the section about using (obvious) variable names for anything other than what they look like (WEIGHT = height of the patient.)

Re: obfuscation of SAS code

ColmSmyth — Thu, 19 Apr 2012 14:51:51 GMT

Hi all,

As the original OP of the question Renne on Twitter (@colmsmyth) please let me clarify more what I meant. This is kind of for IP protection but also just to be a bit fancy really. Is there a way that you could open a *.sas program and the code is already garbled or obfuscated etc, this would have been done via a saved macro or something like that.

However, I would then also want the ability to de-scramble it again by calling a save macro perhaps from saved shortcut button on the tool bar, perhaps prompting for a password before the de-scrambling happens.

So you know when you get a file in a particular format and you try to open it with the wrong application, it opens but it looks like webdings basically....thats kinda what i want

Cheers

Re: obfuscation of SAS code

JasonDiVirgilio — Tue, 24 Apr 2012 14:50:34 GMT

Hi,

I took a stab at this. It's rudimentary, but hopefully it's enough to get you going. It reads a SAS program one line at a time, and converts each character using a "key" which can be changed to your liking. It then writes each character out to an output file (obfuscated, if you will). You can call the same macro with an inverse (?) of the key to un-obfuscate it to another output file.

filename testfile '/<some path>/<some original program>.sas';
filename fileout1 '/<some path>/<some obfuscated program>.sas';

filename fileout2 '/<some path>/<un-obfuscated program>.sas';

%macro obfuscate(key=,filein=testfile, fileout=fileout1);
data garble1;
    infile &filein truncover length=linesize;
    file &fileout ;
    length record $80. asc_char_in varylen key 8.;
    varylen=80;
    key = &key; ;
    input record $varying. varylen;
    do i = 1 to linesize;
      asc_char_in=rank(substr(record,i,1));
      char_out= byte(asc_char_in + key);
      put char_out $1. @;
    end;
    put;
run;
%mend;
%obfuscate(key=_n_+7);
%obfuscate(key=0-(_n_+7), filein=fileout1, fileout=fileout2);

Re: obfuscation of SAS code

ColmSmyth — Mon, 30 Apr 2012 14:17:10 GMT

Hi Jason,

Great stuff....tried this out and works quite well, reversing did not quite bring back all the code identically especially for commented portions of the source code.

Now, further to my original post, my ideal situation is that write code, its validated, stored somewhere safe, then its obfuscated, and that obfuscated program would be recognized by SAS and would be run-able.

However I dont think SAS can do this other than with PWENCODE, i.e it knows what that scrambled code is as its a built in function etc.

Thoughts ?

EDIT: In fact if SAS could use the Oracle dbms_obfuscation_toolkit.DESDecrypt feature you could obfuscate the entire program, then read in the scrambled program and decrypt it on the fly to a self deleting temporary file for example which is run during the process...if that makes sense

Re: obfuscation of SAS code

JasonDiVirgilio — Mon, 30 Apr 2012 15:48:24 GMT

I'm fairly certain with a little tweaking, you could make the "key" idea a bit more robust. I hope it was sufficient to give an idea of how it could work.

The PWENCODE procedure seems to only work for passwords, not entire program files.

Your Oracle obfuscation tookit idea looks like it could work, albeit with a bit of pl/sql coding that is out of my league - but it's a great idea if you don't mind storing the code in an Oracle table.

Re: obfuscation of SAS code

ballardw — Mon, 30 Apr 2012 16:08:05 GMT

OS2Rules wrote:

"If builders built buildings the way programmers write computer programs, then the first stiff breeze would destroy civilization".

I learned this as "the first woodpecker" back aboutn 1977...

Re: obfuscation of SAS code

FriedEgg — Mon, 30 Apr 2012 18:39:52 GMT

In PROC FCMP you will also need to use the ENCRYPT option or the compiled code can be easily retrieved and viewed.

Re: obfuscation of SAS code

Tom — Mon, 30 Apr 2012 21:22:55 GMT

I really don't agree with hiding your code on purpose. You will generate more actual problems than any potential problems you would have from just leaving the code in plain text.

But what is the problem with using compiled macros, compiled data datasets, etc? What is it that you want to hide that you cannot hide that way? Not really much different than shipping compiled binaries without source code in terms of hiding.