Let’s start with a summary and conclusions – especially for CAD managers:
- Compiled Lisp code can provide a vector for viruses.
- Files of type .vlx, .fas and .des should be considered potentially harmful.
- Use within the organisation is possible if the supplier is trusted AND after thorough screening of the source code.
- A topic like “decompiling” should be open to discussion on moral grounds.
- Any CAD system – with the necessary knowledge – provides access to computers to the point where system administrators become nervous, to say the least.
- Train, instruct, and control employees on a basis of trust.
Why would you want to compile CAD-Lisp?
Lisp is an interpreted language, so speaking of compiling is a bit misleading here: compiling does not change anything substantial, and the code remains interpreted.
But what does compiling offer? Files are encrypted, and elements that slow things down, such as spaces, are removed. In other words, everything becomes a bit faster, changes to the code by third parties are (almost) impossible, and there is protection against copying.
All in all, there are good reasons to compile code, and there are valid reasons not to.
What I think…
A personal note on this subject.
As a client, I would never do business with a company that does not hand over the source code. I have seen the misery: it works until there is an update of the CAD software, after which it does not work. Then someone wants to modify it, but the code is inaccessible and the producer is gone. Another scenario: the code is simply lost over the years.
The result: all the code has to be rewritten, which is destruction of capital. You always want to avoid this, and not using compiled code is the only right answer.
Something like this doesn’t happen to you? My practice is different: I have regularly had to bail out companies where decompiling proved impossible.
In context, it is also worth mentioning that harmony licensing is an excellent idea for SMEs.
How do you compile code?
Compiling for BricsCAD can be done with DEScoder.exe; see the BricsCAD installation under Program files. The beauty here is its simplicity.
For AutoCAD, start the LISP IDE and then do something like this (backslashes inside AutoLISP strings must be doubled):
(vlisp-compile 'st "C:\\MyLisp\\Example.lsp" "C:\\MyLisp\\Example.fas")
With many examples on the net, you should be able to get results quickly.
Security through obscurity
People don’t like to talk about decompiling LISP and feel safe when files are encrypted.
The truth: talk about decompilation and reverse engineering, and yes, the encryption is weak and not secure!
Discussion items are even removed from Autodesk forums. Positioning decompilation as “It is better not to discuss in public” is a joke and does not help much. Message for these people: Suppose we are talking about the encrypted data exchange on your bank account instead of Lisp. Is it also “better not to discuss in public”? Then think about that again.
By the way, if weak encryption is a problem, simply improve encryption. At least as important is user behavior. As said, train, instruct, and control employees on a basis of trust.
Above all: Compiled code can contain unnoticed malware.
Decompiling
In fact, it is sometimes not difficult to decompile. The encryption is then little more than an obstacle. For BricsCAD the encryption is stronger, but a chain is only as strong as its weakest link, so don’t expect your code to be secure.
See for example http://www.sporaw.com/work/decompilers.htm, https://lispbox.wordpress.com/2014/12/23/visual-lisp-vlxfas-and-visual-basic-v5v6-files-decompiling-procedure/ and http://cd.textfiles.com/unprotect/AUTODC/. And yes, I have no problem mentioning these links.
And for those who have lost their source code, decompiling can be a welcome solution. So to end this discussion, who wouldn’t want to know what computer virus is embedded in that .fas file? Do yourself a favour and decompile files from sources you’re not entirely sure about.
In fact, company policy should be to flag .vlx, .fas, and .des as potentially malicious.
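One way to implement such a policy check, as an added example that is not part of the original post: the script inventories .vlx, .fas and .des files under a directory, skips those whose SHA-256 is on an allowlist of already screened files, and notes whether a source file sits beside each remaining one. The allowlist and the `<name>.lsp` sibling convention are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the page says to treat as potentially harmful.
COMPILED_LISP = {".vlx", ".fas", ".des"}

def audit(root, approved):
    """List compiled Lisp files under root whose SHA-256 is not in approved.

    approved is the assumed allowlist of hashes of files already screened;
    a modified copy of an approved file hashes differently and is reported.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in COMPILED_LISP:
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if digest in approved:
            continue
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "sha256": digest,
            # Assumed convention: source ships beside the binary as <name>.lsp
            "has_source": path.with_suffix(".lsp").is_file(),
        })
    return findings

def demo():
    """Audit a constructed directory tree (sample bytes, not real CAD files)."""
    with tempfile.TemporaryDirectory() as tmp:
        tools = Path(tmp) / "tools"
        tools.mkdir()
        (tools / "reviewed.fas").write_bytes(b"constructed: screened build")
        (tools / "Unknown.VLX").write_bytes(b"constructed: never screened")
        (tools / "withsrc.des").write_bytes(b"constructed: has source")
        (tools / "withsrc.lsp").write_text("(princ)")
        (tools / "drawing.dwg").write_bytes(b"constructed: ignored type")
        approved = {hashlib.sha256(b"constructed: screened build").hexdigest()}
        return audit(tmp, approved)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Files reported with `has_source` set to false are the ones to decompile or send back to the supplier before they are loaded.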