Running Rails from embedded Ruby

kris · May 19, 2006, 4:43pm

Is it possible to run a Rails application from embedded ruby?

I’m thinking of replacing dispaches with a C application which will then
call the normal Rails dispaches and so on…

Is this do-able?

Many thanks, Kris.

kris · May 19, 2006, 5:10pm

It is… and it is great.

here is the way I did it in my script, it works fine for what I need…

#!/appl/ruby/bin/ruby

require ‘rubygems’
require_gem ‘activerecord’
require_gem ‘activesupport’

need the require for all the models you use… for example

require ‘…/app/models/command.rb’
require ‘…/app/models/server.rb’
require ‘…/app/models/ip.rb’
require ‘…/app/models/interface.rb’

I hope this helps and works for you.

kris · May 19, 2006, 5:17pm

Thanks for the reply. That has given me hope!
It would be great to know a bit more information, even off the list…

I don’t quite get how it works?

Stephane Fourdrinier wrote:

It is… and it is great.

here is the way I did it in my script, it works fine for what I need…

#!/appl/ruby/bin/ruby

require ‘rubygems’
require_gem ‘activerecord’
require_gem ‘activesupport’

need the require for all the models you use… for example

require ‘…/app/models/command.rb’
require ‘…/app/models/server.rb’
require ‘…/app/models/ip.rb’
require ‘…/app/models/interface.rb’

I hope this helps and works for you.

kris · May 19, 2006, 5:26pm

Does the C application need to be a HTTP server which forwards HTTP
requests to Rails dispaches using embedded ruby interpreter?

#include “ruby.h”

main() {
ruby_init();
ruby_script(“embedded”);
rb_load_file(“dispatch.rb”);
while (1) {
if (need_to_do_ruby) {
ruby_run();
}
}
}

kris · May 19, 2006, 5:35pm

I didn’t realize it was from inside a C application. I thought it was
from a ruby script. never done it from a C program.

kris · May 19, 2006, 5:40pm

Oh, I’m not clear enough…
I basically want to run Rails through embedded ruby in a C app so that
it can load encrypted ruby source and decrypt before loading it in to
the interpreter… Possible?

Stephane Fourdrinier wrote:

I didn’t realize it was from inside a C application. I thought it was
from a ruby script. never done it from a C program.

kris · May 19, 2006, 5:57pm

Kris wrote:

Oh, I’m not clear enough…
I basically want to run Rails through embedded ruby in a C app so that
it can load encrypted ruby source and decrypt before loading it in to
the interpreter… Possible?
I’m sure it’s possible, but you’ll have more luck on the ruby-lang list
than here, I’d have thought…

Actually, thinking about it, you could probably do it entirely from Ruby
if you wanted to. How critical is the security of the code you’d want
to encrypt? Little Sister or Big Brother?

kris · May 19, 2006, 8:46pm

Kris wrote:

Well I want to protect the intellectual property of my code. If they had
to crack a binary to decrypt the code that would be enough…
So basically, all you need is something to “keep the honest people
honest”. That’s easy enough.

Any ideas?
Override Kernel#require with a method that checks first to see if the
required file’s first line (or 20 bytes, or whatever) has a signature
string to indicate that the remainder of the file is encrypted, and if
so provide a $global_decryption_key for it to reference so that it can
read the rest of the file, decrypt it and eval() the resulting string.
If the signature string isn’t there, fall back to a standard require().

This isn’t particularly secure, for a couple of reasons: firstly,
you’ve got to put the $global_decryption_key somewhere the app (and
therefore your users) can get to it, and you’ve also got to provide the
code that will do the decryption at runtime. A smart rubyist will
quickly put two and two together. Secondly, the entire unencrypted
source would be available if someone were to dump the core image of the
running ruby process (I presume - I haven’t actually checked this, but
it’s a safe assumption). Despite this, there’s really no way for them
to “accidentally” get their hands on your code.

If you’re set on a C decrypter for that little bit of extra obscurity,
you could wrap one (along, I think, with the Kernel#require override)
in a ruby extension which you could just require from environment.rb.

I believe there’s a ruby obfuscator around (Eric? Are you out there?)
that might help if they do get hold of your source, too.

Maybe it’s just me, but this seems simpler than embedding the
interpreter… but is it secure enough?

kris · May 21, 2006, 5:35pm

Great reply Alex and it would work a treat if the decryption key was not
in plain text. I am not so fussed about people getting the code from
memory dumps, because at least they can’t modify the code.

If you’re set on a C decrypter for that little bit of extra obscurity,
you could wrap one (along, I think, with the Kernel#require override)
in a ruby extension which you could just require from environment.rb.

I believe there’s a ruby obfuscator around (Eric? Are you out there?)
that might help if they do get hold of your source, too.

Maybe it’s just me, but this seems simpler than embedding the
interpreter… but is it secure enough?

Are you suggesting I overide require but instead of using Ruby I use
compiled C, because if that is possible it would be the answer.

As far as I know the ruby obsfucator will not work with Rails, I think
it only works with a subset of ruby.

Many thanks, Kris.

Alex Y. wrote:

Kris wrote:

Well I want to protect the intellectual property of my code. If they had
to crack a binary to decrypt the code that would be enough…
So basically, all you need is something to “keep the honest people
honest”. That’s easy enough.

Any ideas?
Override Kernel#require with a method that checks first to see if the
required file’s first line (or 20 bytes, or whatever) has a signature
string to indicate that the remainder of the file is encrypted, and if
so provide a $global_decryption_key for it to reference so that it can
read the rest of the file, decrypt it and eval() the resulting string.
If the signature string isn’t there, fall back to a standard require().

This isn’t particularly secure, for a couple of reasons: firstly,
you’ve got to put the $global_decryption_key somewhere the app (and
therefore your users) can get to it, and you’ve also got to provide the
code that will do the decryption at runtime. A smart rubyist will
quickly put two and two together. Secondly, the entire unencrypted
source would be available if someone were to dump the core image of the
running ruby process (I presume - I haven’t actually checked this, but
it’s a safe assumption). Despite this, there’s really no way for them
to “accidentally” get their hands on your code.

If you’re set on a C decrypter for that little bit of extra obscurity,
you could wrap one (along, I think, with the Kernel#require override)
in a ruby extension which you could just require from environment.rb.

I believe there’s a ruby obfuscator around (Eric? Are you out there?)
that might help if they do get hold of your source, too.

Maybe it’s just me, but this seems simpler than embedding the
interpreter… but is it secure enough?

kris · May 19, 2006, 7:54pm

Well I want to protect the intellectual property of my code. If they had
to crack a binary to decrypt the code that would be enough…

Any ideas?

Alex Y. wrote:

Kris wrote:

Oh, I’m not clear enough…
I basically want to run Rails through embedded ruby in a C app so that
it can load encrypted ruby source and decrypt before loading it in to
the interpreter… Possible?
I’m sure it’s possible, but you’ll have more luck on the ruby-lang list
than here, I’d have thought…

Actually, thinking about it, you could probably do it entirely from Ruby
if you wanted to. How critical is the security of the code you’d want
to encrypt? Little Sister or Big Brother?

kris · May 21, 2006, 8:32pm

Kris wrote:

Great reply Alex and it would work a treat if the decryption key was not
in plain text.
The only requirement for the decryption key would be that it’s somehow
available at launch time. If you’re feeling especially tricksy, you
could make a request to a web service for the key (over SSL if
necessary). The next step up would be to request today’s decryption key
and the encryption key for tomorrow, and then re-encrypt the code to
disk after require()ing it. That’s almost certainly overkill, but it
does sound like fun

Are you suggesting I overide require but instead of using Ruby I use
compiled C, because if that is possible it would be the answer.
Everything I’ve read so far leads me to believe it’s possible. I’m
looking at doing something very similar for a non-Rails project right
now.

kris · May 22, 2006, 10:06am

Thats sounds like a good way to go about it!
Is the non-rails project you are doing still ruby? If so I would be
intrested in helping out or having a look at what you are doing if
possible…

Alex Y. wrote:

Kris wrote:

Great reply Alex and it would work a treat if the decryption key was not
in plain text.
The only requirement for the decryption key would be that it’s somehow
available at launch time. If you’re feeling especially tricksy, you
could make a request to a web service for the key (over SSL if
necessary). The next step up would be to request today’s decryption key
and the encryption key for tomorrow, and then re-encrypt the code to
disk after require()ing it. That’s almost certainly overkill, but it
does sound like fun

Are you suggesting I overide require but instead of using Ruby I use
compiled C, because if that is possible it would be the answer.
Everything I’ve read so far leads me to believe it’s possible. I’m
looking at doing something very similar for a non-Rails project right
now.

kris · May 22, 2006, 11:52am

No problem, can I get your email address Alex so I can keep in touch?
Mine is krisleech AT interkonect DOT com if you prefer to keep your
address out of the forum…

Alex Y. wrote:

Kris wrote:

Thats sounds like a good way to go about it!
Is the non-rails project you are doing still ruby? If so I would be
intrested in helping out or having a look at what you are doing if
possible…
It’s still ruby, but I can’t really talk about what it is yet. I’ll be
releasing pertinent source, though, probably over the next couple of
months. Thanks for the offer, though

kris · May 22, 2006, 11:00am

Kris wrote:

Thats sounds like a good way to go about it!
Is the non-rails project you are doing still ruby? If so I would be
intrested in helping out or having a look at what you are doing if
possible…
It’s still ruby, but I can’t really talk about what it is yet. I’ll be
releasing pertinent source, though, probably over the next couple of
months. Thanks for the offer, though

kris · May 22, 2006, 12:01pm

Kris L. wrote:

No problem, can I get your email address Alex so I can keep in touch?
Mine is krisleech AT interkonect DOT com if you prefer to keep your
address out of the forum…

It’s pretty well visible already on the mailing list

I’m at [email protected] if you can’t see it.

–
Alex