Forum: Ruby on Rails Running Rails from embedded Ruby

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Kris (Guest)
on 2006-05-19 18:43
Is it possible to run a Rails application from embedded ruby?

I'm thinking of replacing dispaches with a C application which will then
call the normal Rails dispaches and so on...

Is this do-able?

Many thanks, Kris.
Stephane Fourdrinier (Guest)
on 2006-05-19 19:10
(Received via mailing list)
It is... and it is great.

here is the way I did it in my script, it works fine for what I need...

#!/appl/ruby/bin/ruby

require 'rubygems'
require_gem 'activerecord'
require_gem 'activesupport'
# need the require for all the models you use... for example
require '../app/models/command.rb'
require '../app/models/server.rb'
require '../app/models/ip.rb'
require '../app/models/interface.rb'

<rest of your program here... as if you were in a rail application>

I hope this helps and works for you.
Kris (Guest)
on 2006-05-19 19:17
Thanks for the reply. That has given me hope!
It would be great to know a bit more information, even off the list...

I don't quite get how it works?


Stephane Fourdrinier wrote:
> It is... and it is great.
>
> here is the way I did it in my script, it works fine for what I need...
>
> #!/appl/ruby/bin/ruby
>
> require 'rubygems'
> require_gem 'activerecord'
> require_gem 'activesupport'
> # need the require for all the models you use... for example
> require '../app/models/command.rb'
> require '../app/models/server.rb'
> require '../app/models/ip.rb'
> require '../app/models/interface.rb'
>
> <rest of your program here... as if you were in a rail application>
>
> I hope this helps and works for you.
Kris (Guest)
on 2006-05-19 19:26
Does the C application need to be a HTTP server which forwards HTTP
requests to Rails dispaches using embedded ruby interpreter?


#include "ruby.h"

main() {
  ruby_init();
  ruby_script("embedded");
  rb_load_file("dispatch.rb");
  while (1) {
    if (need_to_do_ruby) {
      ruby_run();
    }
  }
}
Stephane Fourdrinier (Guest)
on 2006-05-19 19:35
(Received via mailing list)
I didn't realize it was from inside a C application. I thought it was
from a ruby script. never done it from a C program.
Kris (Guest)
on 2006-05-19 19:40
Oh, I'm not clear enough...
I basically want to run Rails through embedded ruby in a C app so that
it can load encrypted ruby source and decrypt before loading it in to
the interpreter... Possible?

Stephane Fourdrinier wrote:
> I didn't realize it was from inside a C application. I thought it was
> from a ruby script. never done it from a C program.
Alex Y. (Guest)
on 2006-05-19 19:57
(Received via mailing list)
Kris wrote:
> Oh, I'm not clear enough...
> I basically want to run Rails through embedded ruby in a C app so that
> it can load encrypted ruby source and decrypt before loading it in to
> the interpreter... Possible?
I'm sure it's possible, but you'll have more luck on the ruby-lang list
than here, I'd have thought...

Actually, thinking about it, you could probably do it entirely from Ruby
if you wanted to.  How critical is the security of the code you'd want
to encrypt?  Little Sister or Big Brother?
Kris (Guest)
on 2006-05-19 21:54
Well I want to protect the intellectual property of my code. If they had
to crack a binary to decrypt the code that would be enough...

Any ideas?

Alex Y. wrote:
> Kris wrote:
>> Oh, I'm not clear enough...
>> I basically want to run Rails through embedded ruby in a C app so that
>> it can load encrypted ruby source and decrypt before loading it in to
>> the interpreter... Possible?
> I'm sure it's possible, but you'll have more luck on the ruby-lang list
> than here, I'd have thought...
>
> Actually, thinking about it, you could probably do it entirely from Ruby
> if you wanted to.  How critical is the security of the code you'd want
> to encrypt?  Little Sister or Big Brother?
Alex Y. (Guest)
on 2006-05-19 22:46
(Received via mailing list)
Kris wrote:
> Well I want to protect the intellectual property of my code. If they had
> to crack a binary to decrypt the code that would be enough...
So basically, all you need is something to "keep the honest people
honest".  That's easy enough.

> Any ideas?
Override Kernel#require with a method that checks first to see if the
required file's first line (or 20 bytes, or whatever) has a signature
string to indicate that the remainder of the file is encrypted, and if
so provide a $global_decryption_key for it to reference so that it can
read the rest of the file, decrypt it and eval() the resulting string.
If the signature string isn't there, fall back to a standard require().

This isn't particularly secure, for a couple of reasons:  firstly,
you've got to put the $global_decryption_key somewhere the app (and
therefore your users) can get to it, and you've also got to provide the
code that will do the decryption at runtime.  A smart rubyist will
quickly put two and two together.  Secondly, the entire unencrypted
source would be available if someone were to dump the core image of the
running ruby process (I presume - I haven't actually checked this, but
it's a safe assumption).  Despite this, there's really no way for them
to "accidentally" get their hands on your code.

If you're set on a C decrypter for that little bit of extra obscurity,
you could wrap one (along, I *think*, with the Kernel#require override)
in a ruby extension which you could just require from environment.rb.

I believe there's a ruby obfuscator around (Eric?  Are you out there?)
that might help if they do get hold of your source, too.

Maybe it's just me, but this seems simpler than embedding the
interpreter... but is it secure enough?
Kris (Guest)
on 2006-05-21 19:35
Great reply Alex and it would work a treat if the decryption key was not
in plain text. I am not so fussed about people getting the code from
memory dumps, because at least they can't modify the code.

> If you're set on a C decrypter for that little bit of extra obscurity,
> you could wrap one (along, I *think*, with the Kernel#require override)
> in a ruby extension which you could just require from environment.rb.
>
> I believe there's a ruby obfuscator around (Eric?  Are you out there?)
> that might help if they do get hold of your source, too.
>
> Maybe it's just me, but this seems simpler than embedding the
> interpreter... but is it secure enough?

Are you suggesting I overide require but instead of using Ruby I use
compiled C, because if that is possible it would be the answer.

As far as I know the ruby obsfucator will not work with Rails, I think
it only works with a subset of ruby.

Many thanks, Kris.


Alex Y. wrote:
> Kris wrote:
>> Well I want to protect the intellectual property of my code. If they had
>> to crack a binary to decrypt the code that would be enough...
> So basically, all you need is something to "keep the honest people
> honest".  That's easy enough.
>
>> Any ideas?
> Override Kernel#require with a method that checks first to see if the
> required file's first line (or 20 bytes, or whatever) has a signature
> string to indicate that the remainder of the file is encrypted, and if
> so provide a $global_decryption_key for it to reference so that it can
> read the rest of the file, decrypt it and eval() the resulting string.
> If the signature string isn't there, fall back to a standard require().
>
> This isn't particularly secure, for a couple of reasons:  firstly,
> you've got to put the $global_decryption_key somewhere the app (and
> therefore your users) can get to it, and you've also got to provide the
> code that will do the decryption at runtime.  A smart rubyist will
> quickly put two and two together.  Secondly, the entire unencrypted
> source would be available if someone were to dump the core image of the
> running ruby process (I presume - I haven't actually checked this, but
> it's a safe assumption).  Despite this, there's really no way for them
> to "accidentally" get their hands on your code.
>
> If you're set on a C decrypter for that little bit of extra obscurity,
> you could wrap one (along, I *think*, with the Kernel#require override)
> in a ruby extension which you could just require from environment.rb.
>
> I believe there's a ruby obfuscator around (Eric?  Are you out there?)
> that might help if they do get hold of your source, too.
>
> Maybe it's just me, but this seems simpler than embedding the
> interpreter... but is it secure enough?
Alex Y. (Guest)
on 2006-05-21 22:32
(Received via mailing list)
Kris wrote:
> Great reply Alex and it would work a treat if the decryption key was not
> in plain text.
The only requirement for the decryption key would be that it's *somehow*
available at launch time.  If you're feeling especially tricksy, you
could make a request to a web service for the key (over SSL if
necessary).  The next step up would be to request today's decryption key
and the encryption key for tomorrow, and then re-encrypt the code to
disk after require()ing it.  That's almost certainly overkill, but it
does sound like fun :-)

>
> Are you suggesting I overide require but instead of using Ruby I use
> compiled C, because if that is possible it would be the answer.
Everything I've read so far leads me to believe it's possible.  I'm
looking at doing something very similar for a non-Rails project right
now.
Kris (Guest)
on 2006-05-22 12:06
Thats sounds like a good way to go about it!
Is the non-rails project you are doing still ruby? If so I would be
intrested in helping out or having a look at what you are doing if
possible...

Alex Y. wrote:
> Kris wrote:
>> Great reply Alex and it would work a treat if the decryption key was not
>> in plain text.
> The only requirement for the decryption key would be that it's *somehow*
> available at launch time.  If you're feeling especially tricksy, you
> could make a request to a web service for the key (over SSL if
> necessary).  The next step up would be to request today's decryption key
> and the encryption key for tomorrow, and then re-encrypt the code to
> disk after require()ing it.  That's almost certainly overkill, but it
> does sound like fun :-)
>
>>
>> Are you suggesting I overide require but instead of using Ruby I use
>> compiled C, because if that is possible it would be the answer.
> Everything I've read so far leads me to believe it's possible.  I'm
> looking at doing something very similar for a non-Rails project right
> now.
Alex Y. (Guest)
on 2006-05-22 13:00
(Received via mailing list)
Kris wrote:
> Thats sounds like a good way to go about it!
> Is the non-rails project you are doing still ruby? If so I would be
> intrested in helping out or having a look at what you are doing if
> possible...
It's still ruby, but I can't really talk about what it is yet.  I'll be
releasing pertinent source, though, probably over the next couple of
months.  Thanks for the offer, though :-)
Kris L. (Guest)
on 2006-05-22 13:52
No problem, can I get your email address Alex so I can keep in touch?
Mine is krisleech AT interkonect DOT com if you prefer to keep your
address out of the forum...

Alex Y. wrote:
> Kris wrote:
>> Thats sounds like a good way to go about it!
>> Is the non-rails project you are doing still ruby? If so I would be
>> intrested in helping out or having a look at what you are doing if
>> possible...
> It's still ruby, but I can't really talk about what it is yet.  I'll be
> releasing pertinent source, though, probably over the next couple of
> months.  Thanks for the offer, though :-)
Alex Y. (Guest)
on 2006-05-22 14:01
(Received via mailing list)
Kris L. wrote:
> No problem, can I get your email address Alex so I can keep in touch?
> Mine is krisleech AT interkonect DOT com if you prefer to keep your
> address out of the forum...
>
It's pretty well visible already on the mailing list :-)

I'm at removed_email_address@domain.invalid if you can't see it.

--
Alex
This topic is locked and can not be replied to.