Writing a interpreter extension


#1

When writing a interpreter extension are there any hooks in to the
different stages of interpretation?

In particular I would like to pre-process the ruby file/class being
interpreted. Is a ruby class block loaded from a file or read line by
line?

Many thanks, K.


#2

On May 19, 2006, at 6:28 AM, Kris wrote:

When writing a interpreter extension are there any hooks in to the
different stages of interpretation?

In particular I would like to pre-process the ruby file/class being
interpreted. Is a ruby class block loaded from a file or read line by
line?

Override require.


Eric H. - removed_email_address@domain.invalid - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com


#3

Many thanks Eric, do you have a code example by any chance to get me
started, I’m not so familiar with C!

Eric H. wrote:

On May 19, 2006, at 6:28 AM, Kris wrote:

When writing a interpreter extension are there any hooks in to the
different stages of interpretation?

In particular I would like to pre-process the ruby file/class being
interpreted. Is a ruby class block loaded from a file or read line by
line?

Override require.


Eric H. - removed_email_address@domain.invalid - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com


#4

On May 19, 2006, at 10:50 AM, Kris wrote:

line?

Override require.

Many thanks Eric, do you have a code example by any chance to get me
started, I’m not so familiar with C!

You don’t need to write any C at all. Write it in Ruby.


Eric H. - removed_email_address@domain.invalid - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com


#5

On May 19, 2006, at 2:59 PM, Eric H. wrote:

line by
Eric H. - removed_email_address@domain.invalid - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com

For example:

module Kernel
alias old_require require

def require(file)
# first check if it’s already been required by searching
$LOADED_FEATURES
# Search $LOAD_PATH for the file
if it’s an .rb file then
File.open(full_path_and_filename) do |f|
# Preprocess f and if neccessary do any changes and eval them
end
# add the file to $LOADED_FEATURES
else
old_require(file)
end
end
end


#6

Quoting removed_email_address@domain.invalid, on Mon, May 22, 2006 at 12:29:24AM
+0900:

Thanks for the reply.

The problem with doing it in Ruby is that there is no where to hide the
decryption key… It would be in plain text, unless I’m am missing
something?

Doing it in compiled C would leave it in plain text, too, just mildly
more obfuscated.

Sam


#7

Thanks for the reply.

The problem with doing it in Ruby is that there is no where to hide the
decryption key… It would be in plain text, unless I’m am missing
something?

Logan C. wrote:

On May 19, 2006, at 2:59 PM, Eric H. wrote:

line by
Eric H. - removed_email_address@domain.invalid - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com

For example:

module Kernel
alias old_require require

def require(file)
# first check if it’s already been required by searching
$LOADED_FEATURES
# Search $LOAD_PATH for the file
if it’s an .rb file then
File.open(full_path_and_filename) do |f|
# Preprocess f and if neccessary do any changes and eval them
end
# add the file to $LOADED_FEATURES
else
old_require(file)
end
end
end


#8

It would take a higher skill set to extract it though.
And you can write code that helps hide a key in a binary file.

So is it possible to write a C extension that overrides the ruby require
in the same way as the previous ruby example?

Many thanks, K.

Sam R. wrote:

Quoting removed_email_address@domain.invalid, on Mon, May 22, 2006 at 12:29:24AM
+0900:

Thanks for the reply.

The problem with doing it in Ruby is that there is no where to hide the
decryption key… It would be in plain text, unless I’m am missing
something?

Doing it in compiled C would leave it in plain text, too, just mildly
more obfuscated.

Sam


#9

On 5/22/06, Kris removed_email_address@domain.invalid wrote:

It would take a higher skill set to extract it though.
And you can write code that helps hide a key in a binary file.

So is it possible to write a C extension that overrides the ruby require
in the same way as the previous ruby example?

Sorry to be a whiner, but can’t you put the key in a file only readable
by the person who should be able to read it? Ie. manage your key
security using your OS’s security. Then you can also encrypt your
key file with a password the user has to enter if you like. This is how
SSH handles private keys.

Or are you trying to obfuscate a Ruby program?

It sounds like you are prepared to go to a lot of effort to create a
weak encryption system, which would be a shame.

Les


#10

Well there are several aspects to this, I want to protect the code from
being read, from being modified and from internal attacks.

I could use the file system permissions but its always vunrable to at
least one person. This normally would not be a problem but we are
dealing with sensative data.

We can make the encrypt key in the interpreter hard to find, not
impossible, but much more secure than having open source code.

Leslie V. wrote:

On 5/22/06, Kris removed_email_address@domain.invalid wrote:

It would take a higher skill set to extract it though.
And you can write code that helps hide a key in a binary file.

So is it possible to write a C extension that overrides the ruby require
in the same way as the previous ruby example?

Sorry to be a whiner, but can’t you put the key in a file only readable
by the person who should be able to read it? Ie. manage your key
security using your OS’s security. Then you can also encrypt your
key file with a password the user has to enter if you like. This is how
SSH handles private keys.

Or are you trying to obfuscate a Ruby program?

It sounds like you are prepared to go to a lot of effort to create a
weak encryption system, which would be a shame.

Les


#11

On 5/22/06, Kris L. removed_email_address@domain.invalid wrote:

Well there are several aspects to this, I want to protect the code from
being read, from being modified and from internal attacks.

I could use the file system permissions but its always vunrable to at
least one person. This normally would not be a problem but we are
dealing with sensative data.

We can make the encrypt key in the interpreter hard to find, not
impossible, but much more secure than having open source code.

Try to do this. I bet I could break it in 10 minutes.

But against the average person it might work. But the average person
is not your problem…

Ryan


#12

In any case how would you go about securing ruby code or do you think it
is not possible? Is no code secure?


#13

By reading the key from the binary or reading the un-encrypted code from
memory?

Ryan L. wrote:

On 5/22/06, Kris L. removed_email_address@domain.invalid wrote:

Well there are several aspects to this, I want to protect the code from
being read, from being modified and from internal attacks.

I could use the file system permissions but its always vunrable to at
least one person. This normally would not be a problem but we are
dealing with sensative data.

We can make the encrypt key in the interpreter hard to find, not
impossible, but much more secure than having open source code.

Try to do this. I bet I could break it in 10 minutes.

But against the average person it might work. But the average person
is not your problem…

Ryan


#14

The use case can’t be changed, it would need to be secure code… At the
moment I dont see any language that offers this, Java and .NET make
bytecode which is easily reversed. There are obsfucator’s but I dont
think they provide much protection just a layer against casual file
browsing. PHP’s obsfucator’s are easily reversed with online services.

Do you not think a binary offers protection for code…? You can’t
reverse to code anyway. It whole ruby code base was kept in the binary
and ran inline, like embedded ruby this might offer real protection…
It would need to be encrypted inside the binary.


#15

Kris L. wrote:

dealing with sensative data.

We can make the encrypt key in the interpreter hard to find, not
impossible, but much more secure than having open source code.
Try to do this. I bet I could break it in 10 minutes.

But against the average person it might work. But the average person
is not your problem…

Ryan

Haha, you really don’t want to go down this road. If you can’t
accomplish what you are trying to do with proven cryptographic security
primitives, then you should probably change the use case. Security
through obscurity is really a waste of everyones time. Even if you make
it quite difficult for people to figure out, it only takes one person to
do the work and then everyone can take advantage of the crack.

-Jeff


#16

The use case can’t be changed, it would need to be secure code…

Then the prerequisite would be secure hardware. It’s not possible to
safely encrypt code purely in software.

You’ve not explained why you think that code hidden inside a compiled
binary is safe. It might be just a tad more difficult to extract than
from a script, but it doesn’t make sense to distinguish between sorta
safe and a little bit more safe.

Maybe you need to describe the use case in more detail.

-tim


#17

On 5/22/06, Kris L. removed_email_address@domain.invalid wrote:

By reading the key from the binary or reading the un-encrypted code from
memory?

Yep.

There is work being done to create a Ruby obfuscator by Ryan D. and
Eric H.:

http://blog.zenspider.com/archives/2006/03/obfuscated_hack.html

It is part of the RubyToC project. That may be your best bet.

Ryan


#18

On 5/22/06, Kris L. removed_email_address@domain.invalid wrote:

Mainly I want to be able to sell ruby/rails applications without doing a
hosted only solution (like basecamp), if I was 37signals I would want to
sell the application as you would desktop software…

That doesn’t really explain why you want to encrypt code:

  • if people copy your software illegally, they can do so whether the
    source code is available or not.

  • if the code you want to release is so incredibly ingenius that
    people will want to illegally steal your IP to integrate into their
    own software, you can a.) sue them b.) get a patent (US only) c.) a
    little bit of obfuscating won’t keep them out anyhow.

    -tim


#19

Mainly I want to be able to sell ruby/rails applications without doing a
hosted only solution (like basecamp), if I was 37signals I would want to
sell the application as you would desktop software…

The ruby obsufcator looks good but it may never work with Rails… it
doesn’t at the moment. :frowning:


#20

Its an application that deals with highly sensitive data, I dont want
insiders to be able to write a bit of ruby and dump the data to
file/screen…

Tim B. wrote:

On 5/22/06, Kris L. removed_email_address@domain.invalid wrote:

Mainly I want to be able to sell ruby/rails applications without doing a
hosted only solution (like basecamp), if I was 37signals I would want to
sell the application as you would desktop software…

That doesn’t really explain why you want to encrypt code:

  • if people copy your software illegally, they can do so whether the
    source code is available or not.

  • if the code you want to release is so incredibly ingenius that
    people will want to illegally steal your IP to integrate into their
    own software, you can a.) sue them b.) get a patent (US only) c.) a
    little bit of obfuscating won’t keep them out anyhow.

    -tim