Forum: JRuby Source Code Encryption

Kengsreng Tang (sreng)
on 2015-05-05 08:13
How to encrypt source code deployed on Apache Tomcat?

I am using Rails on JRuby deployed on a client machine, and I want to prevent
the client from hacking my source code.

Any ideas?

Thanks
Kengsreng
Karol Bucek (Guest)
on 2015-05-05 09:36
(Received via mailing list)
Chances are you're already using Warbler to generate a .war ... just try
its compiled feature.

It will pre-compile all .rb files into .class ones and replace each .rb
file's content to load the compiled .class.

If you're really into it you can further obfuscate with tools such as
Proguard, although I would be a little cautious there.

K.
Kengsreng Tang (sreng)
on 2015-05-08 00:29
Karol,

Do you know how to compile xxx.yml files?
Doug Hathaway (Guest)
on 2015-05-08 00:49
(Received via mailing list)
You could perhaps encrypt the contents of the YML file, then decrypt
before parsing.



Christian MICHON (Guest)
on 2015-05-09 09:46
(Received via mailing list)
Use jrubyc to compile your main ruby script to class files. That should
do.
Keith B. (keith_b)
on 2015-05-09 21:19
(Received via mailing list)
Even with compiling, the resulting class files can be inspected
(somewhat) with javap.

If you run javap -v on the file (don’t include the .class extension)
then you can see the method signatures and Java byte code instructions.
Not at all like seeing the original source, but not at all encrypted
either.

- Keith
Christian MICHON (Guest)
on 2015-05-09 21:50
(Received via mailing list)
I agree, but there's no way to really recover the original Ruby script.
At best you'll retrieve what you listed and the string constants.

It's the easiest form of obfuscation I know for jruby.

If you have another suggestion, I will test it
Christian MICHON (Guest)
on 2015-05-09 21:52
(Received via mailing list)
I almost forgot... Have a look at jd-gui if you're using Windows. You'll
get a much better java decompilation than what you suggested.
Kengsreng Tang (sreng)
on 2015-05-11 07:58
Hi Christian,

Can jrubyc compile YAML files?
Christian MICHON (Guest)
on 2015-05-11 12:37
(Received via mailing list)
No, jrubyc will only compile Ruby files, i.e. .rb files.

If you wish to preserve the YAML content, I would suggest to simply
encrypt it with ruby-rc4 (why not?) and obfuscate the string used as key
through a dictionary. That would do.

So in total:
- compile all rb files into class files using jrubyc
- encrypt yaml and xml with ruby-rc4, and obfuscate the key within a dictionary.

If you need more dedicated help, just point me to a git repository. ;-)


Tim Uckun (Guest)
on 2015-05-11 18:05
(Received via mailing list)
Why don't you just put your settings in a .rb file?

Christian MICHON (Guest)
on 2015-05-11 22:47
(Received via mailing list)
I'm not the creator of this thread, but I believe settings should be
part of a configuration file instead of being in the code itself.

Database.yaml in Rails is a typical example of such an approach.
christian (Guest)
on 2015-05-12 22:30
(Received via mailing list)
I followed the thread and realized that you want to "encrypt" some
passwords or something when you asked about the YAML file.

If you use something like the configurator gem to replace YAML with Ruby
code, then jrubyc will still keep the YAML values as literals inside the
class files. Even if you decide to use some encryption for the YAML file,
you will face the same problem: the encryption key is just a literal or
byte array inside a class file. All you gain is that nobody stumbles over
the "password" accidentally, but anyone who wants to unwrap it can do so,
and it might take only a few minutes to do so.

If your intention is to obfuscate your Ruby codebase then jrubyc could
be OK, but even this can be reversed. But it is probably not feasible for
a bigger codebase as it is a manual procedure.

I personally find it important to think about how to undo the protection
you put in place - just to get a feeling for how good your protection is.

- christian
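
The point made in the posts above, that string literals survive compilation into a class file, as an added example (not part of the thread and not JRuby code): a Ruby reader for the class-file constant pool that lists the string literals a build artifact exposes, so you can check your own compiled output. The sample bytes and the names in them are constructed, and nothing is assumed about how jrubyc lays out a particular Ruby literal.

```ruby
# Added example: read the constant pool of a Java .class file.
# Payload sizes (bytes after the tag) for fixed-size entries, JVM spec 4.4.
CP_SIZES = { 3 => 4, 4 => 4, 5 => 8, 6 => 8, 7 => 2, 9 => 4, 10 => 4,
             11 => 4, 12 => 4, 15 => 3, 16 => 2, 17 => 4, 18 => 4,
             19 => 2, 20 => 2 }.freeze

# Returns the text of every CONSTANT_String entry (string literals in code).
def string_literals(bytes)
  bytes = bytes.b
  raise ArgumentError, "not a class file" unless bytes.start_with?("\xCA\xFE\xBA\xBE".b)
  count = bytes.byteslice(8, 2).unpack1("n") # constant_pool_count
  pos = 10
  index = 1
  utf8 = {}        # pool index => text
  string_refs = [] # Utf8 indexes that CONSTANT_String entries point at
  while index < count
    tag = bytes.getbyte(pos)
    pos += 1
    case tag
    when 1 # CONSTANT_Utf8: u2 length, then (modified) UTF-8 bytes
      len = bytes.byteslice(pos, 2).unpack1("n")
      utf8[index] = bytes.byteslice(pos + 2, len).force_encoding("UTF-8")
      pos += 2 + len
    when 8 # CONSTANT_String: u2 index of its Utf8 entry
      string_refs << bytes.byteslice(pos, 2).unpack1("n")
      pos += 2
    else
      pos += CP_SIZES.fetch(tag) { raise ArgumentError, "bad constant tag #{tag.inspect}" }
    end
    index += [5, 6].include?(tag) ? 2 : 1 # long/double take two pool slots
  end
  string_refs.map { |i| utf8.fetch(i) }
end

def utf8_entry(text)
  [1, text.bytesize].pack("Cn") + text.b
end

# Constructed sample: header plus constant pool only; all values are made up.
SAMPLE = [0xCAFEBABE, 0, 52, 9].pack("Nnnn") +
         utf8_entry("Settings") +             # 1
         [7, 1].pack("Cn") +                  # 2: Class -> 1
         utf8_entry("EXAMPLE-KEY-not-real") + # 3
         [8, 3].pack("Cn") +                  # 4: String -> 3
         [5, 0, 42].pack("CNN") +             # 5 and 6: Long
         utf8_entry("config/database.yml") +  # 7
         [8, 7].pack("Cn")                    # 8: String -> 7

puts string_literals(SAMPLE)
```

To check a real build, pass `File.binread` of a compiled class to `string_literals`; anything sensitive it returns is readable by whoever holds the .war.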