Forum: Ruby ANN: ZenObfuscate - for when you really really have to ship

5a837592409354297424994e8d62f722?d=identicon&s=25 Ryan Davis (Guest)
on 2006-06-13 04:58
(Received via mailing list)
"Being perfectly honest, your obfuscator has made me feel like
writing RubyCocoa apps is a commercially viable business, whereas
before I had my doubts." - Aidan Rogers

- ZenObfuscate
     - What is it?
         - For when you really really have to ship a binary.
         - Lets you: Write in ruby, and ship a binary.
         - ZenObfuscate is a translator for a fairly large subset of
           ruby that converts your pure ruby code into a dynamically
           loadable binary, protecting your intellectual property(*).
     - How does it work?
           zenobfuscate has a commandline interface that takes the
           specified ruby files and outputs a dynamically loadable
           binary (.bundle on osx, .so on unix/linux and .dll or
           windows).
         - TODO: diagram
         - e.g., ./bin/zenobfuscate -o mylibrary lib/blah.rb; ruby
           -rmylibrary -e 'use_my_library'
         - Built on a solid foundation: RubyInline and ParseTree. Long
           standing open source packages for ruby.
     - When is it available?
           Available nowish on an individual basis
     - How much does it cost and what is its licensing?
           ZenObfuscate costs $2500 for a site license or is
           individually negotiable. ZenObfuscate is a commercial product
           produced wholly by Eric Hodel and Ryan Davis and is not for
           redistribution. All rights are reserved, etc., etc. Binaries
           produced from ZenObfuscate have no restrictions of any kind
           (except determined by their authors).
     - Requirements
           ruby 1.8.x, ruby2c, parse_tree, rubyinline (all available as
           gems)
           available on darwin ppc, darwin intel, freebsd x86, freebsd
           amd/64bit, and linux x86 (with coaxing).
     - Known Limitations
           There are issues with what the obfuscator can translate to C
           and as a result you may need to modify your code in order to
           translate it. Usually this is a pretty straightforward and
           simple task. We do a good job of translating static ruby to
           its equivalent C, but not all ruby has an equivalent in C.
         - Only translates methods in classes and modules, not
           freestanding code.
         - Explicit returns are required in all methods.
         - Temporary: Conditional logic (including ?:) may not be on the
           right hand side of an assignment.
         - Temporaryish: Exception handling and generic block closures
           currently don't translate.
         - Some expressions in ruby we don't currently do, but could
           upon request, where some other ruby expressions will never
           translate.
167a3b5582230623eb94e638133122ec?d=identicon&s=25 Kris Leech (krisleech-afm)
on 2006-06-13 13:28
(Received via mailing list)
Will this work with a Rails app?

----- Original Message -----
From: "Ryan Davis" <ryand-ruby@zenspider.com>
To: "ruby-talk ML" <ruby-talk@ruby-lang.org>; <ruby@zenspider.com>
Sent: Tuesday, June 13, 2006 3:56 AM
Subject: ANN: ZenObfuscate - for when you really really have to ship a
binary
10d9ed7ab11115b081bb36f56a7a13bc?d=identicon&s=25 John Wilger (jwilger)
on 2006-06-13 15:21
(Received via mailing list)
On 6/13/06, Kris Leech <kris@alternativefocusmedia.com> wrote:
> Will this work with a Rails app?
...
> ----- Original Message -----
> From: "Ryan Davis" <ryand-ruby@zenspider.com>
> >      - Known Limitations
...
> >          - Explicit returns are required in all methods.
> >          - Temporary: Conditional logic (including ?:) may not be on the
> >            right hand side of an assignment.
> >          - Temporaryish: Exception handling and generic block closures
> >            currently don't translate.

Based on those limitations, I would think not.

--
Regards,
John Wilger
http://johnwilger.com
167a3b5582230623eb94e638133122ec?d=identicon&s=25 Kris Leech (krisleech-afm)
on 2006-06-13 16:07
(Received via mailing list)
> On 6/13/06, Kris Leech <kris@alternativefocusmedia.com> wrote:
> > Will this work with a Rails app?
> ...
> > ----- Original Message -----
> > From: "Ryan Davis" <ryand-ruby@zenspider.com>
> > >      - Known Limitations
> ...
> > >          - Explicit returns are required in all methods.
> > >          - Temporary: Conditional logic (including ?:) may not be on
the
> > >            right hand side of an assignment.
> > >          - Temporaryish: Exception handling and generic block closures
> > >            currently don't translate.
>
> Based on those limitations, I would think not.

I wonder if Rails apps will ever be compiled?
37ee5fa90f5eaeef62553629382497f7?d=identicon&s=25 Leslie Viljoen (Guest)
on 2006-06-13 16:33
(Received via mailing list)
On 6/13/06, Kris Leech <kris@alternativefocusmedia.com> wrote:
> > "Being perfectly honest, your obfuscator has made me feel like
> >      - How does it work?
> >            Available nowish on an individual basis
> >      - How much does it cost and what is its licensing?
> >            ZenObfuscate costs $2500 for a site license or is


That price looks a little extreme for what I have in mind.. are there
any alternative obfuscators? Alternatively could a
percentage-of-returns license fee be negotiated (Eric)?

Are programs written in Ruby distributable under any license you like?
A friend of mine has proposed selling a program I wrote in Ruby but
the thought of doing so made me feel like I was leveraging vast (GPL)
resources avaliable to me for free - and profiting off of them by
adding comparatively very little. I have in the past simply sold my
development time, which seemed a fairer trade since copying my
programs is a trivial task.

Does anyone here actually sell Ruby programs themselves as products?

Les
5a837592409354297424994e8d62f722?d=identicon&s=25 Ryan Davis (Guest)
on 2006-06-13 18:15
(Received via mailing list)
On Jun 13, 2006, at 4:27 AM, Kris Leech wrote:

> Will this work with a Rails app?

We haven't tested obfuscating a rails app yet, but we have every
reason to believe that we can make it work. Obviously you wouldn't
obfuscate the whole rails stack, just your controllers/models. My
only real concern is how rails does class loading magic (I'd really
want to run my tests against the obfuscated code). When we get time,
we'll do a proof of concept against a rails app to see what issues
arise.
5a837592409354297424994e8d62f722?d=identicon&s=25 Ryan Davis (Guest)
on 2006-06-13 18:15
(Received via mailing list)
On Jun 13, 2006, at 6:20 AM, John Wilger wrote:

>> >            right hand side of an assignment.
>> >          - Temporaryish: Exception handling and generic block
>> closures
>> >            currently don't translate.
>
> Based on those limitations, I would think not.

Actually we have every reason to believe that we can obfuscate rails
apps. Obviously you wouldn't obfuscate the whole ruby stack, but
models and controllers should de doable.
5a837592409354297424994e8d62f722?d=identicon&s=25 Ryan Davis (Guest)
on 2006-06-13 18:21
(Received via mailing list)
On Jun 13, 2006, at 7:29 AM, Leslie Viljoen wrote:

> That price looks a little extreme for what I have in mind.. are there
> any alternative obfuscators? Alternatively could a
> percentage-of-returns license fee be negotiated (Eric)?

see:

>     - How much does it cost and what is its licensing?
>           ZenObfuscate costs $2500 for a site license or is
>           individually negotiable. ZenObfuscate is a commercial
> product

> Are programs written in Ruby distributable under any license you like?

Yes.

> A friend of mine has proposed selling a program I wrote in Ruby but
> the thought of doing so made me feel like I was leveraging vast (GPL)
> resources avaliable to me for free - and profiting off of them by
> adding comparatively very little. I have in the past simply sold my
> development time, which seemed a fairer trade since copying my
> programs is a trivial task.

Well, it is your moral system at work here. Think about those who use
GCC to compile commercial apps.

I should point out that ruby isn't under GPL. It is under the ruby
license which allows you to make modifications or apply the GPL. See
COPYING.

> Does anyone here actually sell Ruby programs themselves as products?

As the quote at the top of my announcement suggests, yes (eventually).
167a3b5582230623eb94e638133122ec?d=identicon&s=25 Kris Leech (krisleech-afm)
on 2006-06-14 12:26
(Received via mailing list)
----- Original Message -----
From: "Ryan Davis" <ryand-ruby@zenspider.com>
To: "ruby-talk ML" <ruby-talk@ruby-lang.org>
Sent: Tuesday, June 13, 2006 5:13 PM
Subject: Re: ZenObfuscate - for when you really really have to ship a
binary



On Jun 13, 2006, at 4:27 AM, Kris Leech wrote:

> Will this work with a Rails app?

We haven't tested obfuscating a rails app yet, but we have every
reason to believe that we can make it work. Obviously you wouldn't
obfuscate the whole rails stack, just your controllers/models. My
only real concern is how rails does class loading magic (I'd really
want to run my tests against the obfuscated code). When we get time,
we'll do a proof of concept against a rails app to see what issues
arise.

I would be *very* intrested in this.
10d9ed7ab11115b081bb36f56a7a13bc?d=identicon&s=25 John Wilger (jwilger)
on 2006-06-14 20:27
(Received via mailing list)
On 6/13/06, Ryan Davis <ryand-ruby@zenspider.com> wrote:
> On Jun 13, 2006, at 6:20 AM, John Wilger wrote:
> > Based on those limitations, I would think not.
>
> Actually we have every reason to believe that we can obfuscate rails
> apps. Obviously you wouldn't obfuscate the whole ruby stack, but
> models and controllers should de doable.

OK. For some reason I was thinking of whether you could obfuscate the
framework itself. That would be incredibly pointless, though, wouldn't
it? :-)

--
Regards,
John Wilger
http://johnwilger.com
5a837592409354297424994e8d62f722?d=identicon&s=25 Ryan Davis (Guest)
on 2006-06-14 22:20
(Received via mailing list)
On Jun 14, 2006, at 3:23 AM, Kris Leech wrote:

> I would be *very* intrested in this.

You know how to reach us.

P.S. Be a good list citizen. PLEASE learn how to properly reply to
email.
5a837592409354297424994e8d62f722?d=identicon&s=25 Ryan Davis (Guest)
on 2006-06-14 22:20
(Received via mailing list)
On Jun 12, 2006, at 7:56 PM, Ryan Davis wrote:

>     - How much does it cost and what is its licensing?
>           ZenObfuscate costs $2500 for a site license or is
>           individually negotiable. ZenObfuscate is a commercial
> product
>           produced wholly by Eric Hodel and Ryan Davis and is not for
>           redistribution. All rights are reserved, etc., etc. Binaries
>           produced from ZenObfuscate have no restrictions of any kind
>           (except determined by their authors).

I should have been more clear with my English. We're open to
negotiations _for alternative licensing schemes_.
37ee5fa90f5eaeef62553629382497f7?d=identicon&s=25 Leslie Viljoen (Guest)
on 2006-06-14 22:51
(Received via mailing list)
On 6/14/06, Ryan Davis <ryand-ruby@zenspider.com> wrote:
>
> On Jun 14, 2006, at 3:23 AM, Kris Leech wrote:
>
> > I would be *very* intrested in this.
>
> You know how to reach us.
>
> P.S. Be a good list citizen. PLEASE learn how to properly reply to
> email.

Are you talking about the indenting?
In Kris' defense I think that's a Microsoft mail client being used,
which makes proper netiquette an incredible chore. How I suffer under
the opression of Outlook!

Les
5a837592409354297424994e8d62f722?d=identicon&s=25 Ryan Davis (Guest)
on 2006-06-15 02:53
(Received via mailing list)
On Jun 14, 2006, at 1:50 PM, Leslie Viljoen wrote:

> Are you talking about the indenting?
> In Kris' defense I think that's a Microsoft mail client being used,
> which makes proper netiquette an incredible chore. How I suffer under
> the opression of Outlook!

http://www.google.com/search?q=outlook+reply+quote+fix

2 million hits... I'm sure the problem is solvable.
37ee5fa90f5eaeef62553629382497f7?d=identicon&s=25 Leslie Viljoen (Guest)
on 2006-06-15 10:06
(Received via mailing list)
On 6/15/06, Ryan Davis <ryand-ruby@zenspider.com> wrote:
> 2 million hits... I'm sure the problem is solvable.
I have previously installed a few of these fixes and they didn't help
much. They plugin I tried worked for new messages only, not replies.

Kris, if you have the freedom, I recommend either GMail or
http://www.mozilla.com/thunderbird/

Les
3cb4fdcf13aad6a7dcae83876b0e784e?d=identicon&s=25 Josef 'Jupp' SCHUGT (Guest)
on 2006-06-15 17:23
(Received via mailing list)
At Thu, 15 Jun 2006 05:50:03 +0900, Leslie Viljoen wrote:
> > email.
>
> Are you talking about the indenting?
> In Kris' defense I think that's a Microsoft mail client being used,
> which makes proper netiquette an incredible chore. How I suffer under
> the opression of Outlook!

YACTTMD(*)

I think Ryan talks about the attribution novel.

----- Original Message -----
From: "Ryan Davis" <ryand-ruby@zenspider.com>
To: "ruby-talk ML" <ruby-talk@ruby-lang.org>
Sent: Tuesday, June 13, 2006 5:13 PM
Subject: Re: ZenObfuscate - for when you really really have to ship a
binary

The first, third and fifth line are superfluous and ought to be removed.
The result of this were

From: "Ryan Davis" <ryand-ruby@zenspider.com>
Sent: Tuesday, June 13, 2006 5:13 PM

which IMHO is acceptable as an approximation to the Nettiquette while
at the same time only requiring very little editing. I am unsure if

From: "Ryan Davis" <ryand-ruby@zenspider.com>, Sent: Tuesday, June 13,
2006 5:13 PM

actually had any advantage over this. If one actually requires a
one-liner that should rather read

From: "Ryan Davis" <ryand-ruby@zenspider.com>

because it makes little sense to provide a time without mentioning the
time zone when writing messages to c.l.r.

IMHO the problem is the misconception that Outlook, Outlook Express
and Lotus Notes are Mail User Agents. This is wrong. They are
multi-purpose tools that *include* a MUA. As well as it is stupid to
expect that all the different functions of a Swiss Army Knife serve
their purpose as well as dedicated tools, it is equally stupid to
expect such multi-purpose tools to be as good as a dedicated Mail User
Agent.

To give an example the Screwdriver works fine if you have free access
to the screw. But as soon as this is not the case you run into trouble
and have to find a real screwdriver. Often as SAK is sufficient for
IKEA products but I found out that sometimes it isn't :-|

(*) Yet another contribution to this meta-discussion.

Josef 'Jupp' Schugt
3d333b0012928f3dd5a6861cb09ad683?d=identicon&s=25 Kris Leech (krisleech)
on 2006-06-16 12:04
Leslie Viljoen wrote:
> On 6/15/06, Ryan Davis <ryand-ruby@zenspider.com> wrote:
>> 2 million hits... I'm sure the problem is solvable.
> I have previously installed a few of these fixes and they didn't help
> much. They plugin I tried worked for new messages only, not replies.
>
> Kris, if you have the freedom, I recommend either GMail or
> http://www.mozilla.com/thunderbird/
>
> Les

I was replying using the ruby-forum, it did not add the ">"'s even
though I used reply with quote.  My bad either way. Email-wise I'm on
ThunderB... I think the web based interface to the list is mis-leading,
ruby-forum. Until recently I didn't know it was a list.

Anyways will be in touch.
3d333b0012928f3dd5a6861cb09ad683?d=identicon&s=25 Kris Leech (krisleech)
on 2006-06-16 12:06
John Wilger wrote:
> On 6/13/06, Ryan Davis <ryand-ruby@zenspider.com> wrote:
>> On Jun 13, 2006, at 6:20 AM, John Wilger wrote:
>> > Based on those limitations, I would think not.
>>
>> Actually we have every reason to believe that we can obfuscate rails
>> apps. Obviously you wouldn't obfuscate the whole ruby stack, but
>> models and controllers should de doable.
>
> OK. For some reason I was thinking of whether you could obfuscate the
> framework itself. That would be incredibly pointless, though, wouldn't
> it? :-)
>
> --
> Regards,
> John Wilger
> http://johnwilger.com

It would be an advantage to compile the whole Rails framework and the
standard libary to prevent code injection. If of course possible?
31ab75f7ddda241830659630746cdd3a?d=identicon&s=25 Austin Ziegler (austin)
on 2006-06-16 13:50
(Received via mailing list)
On 6/16/06, Kris Leech <krisleech@interkonect.com> wrote:
> It would be an advantage to compile the whole Rails framework and the
> standard libary to prevent code injection. If of course possible?

That's not the point of ZenObfuscate. It doesn't turn Ruby into a
"static" language. If you want to prevent code injection, you need to
defend against it in your application.

-austin
2c51fec8183a5d21c4e11b430beabb47?d=identicon&s=25 Patrick Hurley (Guest)
on 2006-06-16 15:25
(Received via mailing list)
On 6/16/06, Austin Ziegler <halostatue@gmail.com> wrote:
> That's not the point of ZenObfuscate. It doesn't turn Ruby into a
> "static" language. If you want to prevent code injection, you need to
> defend against it in your application.

I believe that the injection he is talking about after the application
is deployed with rails still in plain text view, having someone open
the rails files and add code that could over write methods, etc. Of
course this implies a pretty sophisticated understanding of Ruby and
the application. And also leads to a pretty difficult chain -- now you
have to handle all the standard libraries that are used as well,
otherwise the same user could inject their code there as well. Don't
forget about the RUBYOPT environment variable or even modifying the
ruby interpreter.

I am not against any of these things and may likely purchase
ZenObfuscate for our company at some point, but to base any business
model around the purity of code (in any language, but especially
dynamic languages) run on a clients machine is a mistake. You can take
some baby steps to hide stuff, but the cost/benefit ratio slips
rapidly when you try to defend against a reasonably sophisticated
attacker.

pth
31af45939fec7e3c4ed8a798c0bd9b1a?d=identicon&s=25 Matthew Smillie (notmatt)
on 2006-06-16 22:13
(Received via mailing list)
On Jun 16, 2006, at 14:18, Patrick Hurley wrote:

> I am not against any of these things and may likely purchase
> ZenObfuscate for our company at some point, but to base any business
> model around the purity of code (in any language, but especially
> dynamic languages) run on a clients machine is a mistake. You can take
> some baby steps to hide stuff, but the cost/benefit ratio slips
> rapidly when you try to defend against a reasonably sophisticated
> attacker.

I went to a great talk a short while back:

On the Impossibility of Obfuscation
Shafi Goldwasser, MIT

abstract: http://www.lfcs.inf.ed.ac.uk/events/milner-lecture/2006.html

Sorry, for those of you interested in the nitty-gritty theoretical
bits, but I'm not aware of any sort of video or audio or anything
from the talk.

matthew smillie.
31af45939fec7e3c4ed8a798c0bd9b1a?d=identicon&s=25 Matthew Smillie (notmatt)
on 2006-06-17 00:12
(Received via mailing list)
On Jun 16, 2006, at 21:10, Matthew Smillie wrote:

>
> I went to a great talk a short while back:
>
> On the Impossibility of Obfuscation
> Shafi Goldwasser, MIT
>
> abstract: http://www.lfcs.inf.ed.ac.uk/events/milner-lecture/2006.html
>
> Sorry, for those of you interested in the nitty-gritty theoretical
> bits, but I'm not aware of any sort of video or audio or anything
> from the talk.

But there is a paper:
http://www.mit.edu/~tauman/obfuscation.pdf

matthew smillie.
58479f76374a3ba3c69b9804163f39f4?d=identicon&s=25 Eric Hodel (Guest)
on 2006-06-17 04:59
(Received via mailing list)
On Jun 16, 2006, at 3:06 AM, Kris Leech wrote:
> It would be an advantage to compile the whole Rails framework and the
> standard libary to prevent code injection. If of course possible?

It would take significant work to prevent code injection, at the very
least you would need to:

Obfuscate all .rb files your program uses into C files (including
anything in stdlib)
Provide a custom C main() to invoke your obfuscated libraries
Statically link Ruby, your main() and your obfuscated C files
Remove rb_require from Ruby
Remove RUBYOPT and -r flags from Ruby

You may even need to write your application to work with $SAFE >= 1,
depending on how much your code allows users to interact with its
internals.

ZenObfuscate only prevents Ruby2Ruby from reassembling your IP.

--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com
3d333b0012928f3dd5a6861cb09ad683?d=identicon&s=25 Kris Leech (krisleech)
on 2006-06-17 13:12
Patrick Hurley wrote:
> On 6/16/06, Austin Ziegler <halostatue@gmail.com> wrote:
>> That's not the point of ZenObfuscate. It doesn't turn Ruby into a
>> "static" language. If you want to prevent code injection, you need to
>> defend against it in your application.
>
> I believe that the injection he is talking about after the application
> is deployed with rails still in plain text view, having someone open
> the rails files and add code that could over write methods, etc.

Yes that is what I talk of.

Of
> course this implies a pretty sophisticated understanding of Ruby and
> the application.

Anyone with a basic understanding of Ruby/Rails could insert code access
the database using activerecord.

And also leads to a pretty difficult chain -- now you
> have to handle all the standard libraries that are used as well,
> otherwise the same user could inject their code there as well. Don't
> forget about the RUBYOPT environment variable or even modifying the
> ruby interpreter.

Ultimitly you would need to include all ruby files in the binary.

>
> I am not against any of these things and may likely purchase
> ZenObfuscate for our company at some point, but to base any business
> model around the purity of code (in any language, but especially
> dynamic languages) run on a clients machine is a mistake. You can take
> some baby steps to hide stuff, but the cost/benefit ratio slips
> rapidly when you try to defend against a reasonably sophisticated
> attacker.

True, but depends on the type of application and nature of the data.

>
> pth
10d4acbfdaccb4eee687a428ca00a5d8?d=identicon&s=25 Jim Weirich (weirich)
on 2006-06-17 16:02
Kris Leech wrote:
> Patrick Hurley wrote:
>> On 6/16/06, Austin Ziegler <halostatue@gmail.com> wrote:
>>> That's not the point of ZenObfuscate. It doesn't turn Ruby into a
>>> "static" language. If you want to prevent code injection, you need to
>>> defend against it in your application.
>>
>> I believe that the injection he is talking about after the application
>> is deployed with rails still in plain text view, having someone open
>> the rails files and add code that could over write methods, etc.
>
> Yes that is what I talk of.

But if anyone has access to the files comprising the application, they
could completely replace the files with whatever they wanted.  Even
compiled/ofuscated code isn't a remedy for that.

> Anyone with a basic understanding of Ruby/Rails could insert code access
> the database using activerecord.

Actually, anyone with access to the database could modify the database
without needing to go through activerecord.

If you are worried about these things, then (1) control access to the
program files, and (2) control access to the database.

-- Jim Weirich
2c51fec8183a5d21c4e11b430beabb47?d=identicon&s=25 Patrick Hurley (Guest)
on 2006-06-18 04:28
(Received via mailing list)
On 6/17/06, Kris Leech <krisleech@interkonect.com> wrote:
> Ultimitly you would need to include all ruby files in the binary.

But I could just rename the compiled so file, write a simple loader
that loads the .so and then do what ever I wanted. To take real
control you would need a special build of ruby (probably with an
"embedded encrypted key" (yes I know this is stupid :-), that would
only run encrypted and/or signed versions of the code.

Ultimately, this is also bound to be far too easy to circumvent (again
by any attacker worth his or her salt) -- if the key is embedded it
can be extracted and used to decrypt the files -- the key can be
changed etc.

Again the only thing that can save you is a service based approach
(where you control the server) and the code never gets to the clients
machine -- if the code is on a client machine and the value it high
enough it can and will be hacked, all non hardware DRM is doomed to
quick and painful failure. Depending upon your application and
audience you may be able to hide your internals from your user
community, but don't believe that you can protect it against a
determined and knowledgeable opponent.

pth
3d333b0012928f3dd5a6861cb09ad683?d=identicon&s=25 Kris Leech (krisleech)
on 2006-06-19 12:13
Jim Weirich wrote:
> Kris Leech wrote:
>> Patrick Hurley wrote:
>>> On 6/16/06, Austin Ziegler <halostatue@gmail.com> wrote:
>>>> That's not the point of ZenObfuscate. It doesn't turn Ruby into a
>>>> "static" language. If you want to prevent code injection, you need to
>>>> defend against it in your application.
>>>
>>> I believe that the injection he is talking about after the application
>>> is deployed with rails still in plain text view, having someone open
>>> the rails files and add code that could over write methods, etc.
>>
>> Yes that is what I talk of.
>
> But if anyone has access to the files comprising the application, they
> could completely replace the files with whatever they wanted.  Even
> compiled/ofuscated code isn't a remedy for that.
>
>> Anyone with a basic understanding of Ruby/Rails could insert code access
>> the database using activerecord.
>
> Actually, anyone with access to the database could modify the database
> without needing to go through activerecord.

Of course, if you can inject ruby code you can do anything.

>
> If you are worried about these things, then (1) control access to the
> program files, and (2) control access to the database.

What if server access is none controllable eg. shared servers.
And if you are on the server you can read database.yml (plain text), and
as said insert code.

>
> -- Jim Weirich
3d333b0012928f3dd5a6861cb09ad683?d=identicon&s=25 Kris Leech (krisleech)
on 2006-06-19 12:19
Patrick Hurley wrote:
> On 6/17/06, Kris Leech <krisleech@interkonect.com> wrote:
>> Ultimitly you would need to include all ruby files in the binary.
>
> But I could just rename the compiled so file, write a simple loader
> that loads the .so and then do what ever I wanted.

But would the code in the .so be modify-able?

To take real
> control you would need a special build of ruby (probably with an
> "embedded encrypted key" (yes I know this is stupid :-), that would
> only run encrypted and/or signed versions of the code.

What do you think to these programs like EXECrypter which adds
anti-debug, encryptioned code and other anti-tamper/hack techniques.

>
> Ultimately, this is also bound to be far too easy to circumvent (again
> by any attacker worth his or her salt) -- if the key is embedded it
> can be extracted and used to decrypt the files -- the key can be
> changed etc.
>
> Again the only thing that can save you is a service based approach
> (where you control the server) and the code never gets to the clients
> machine -- if the code is on a client machine and the value it high
> enough it can and will be hacked, all non hardware DRM is doomed to
> quick and painful failure. Depending upon your application and
> audience you may be able to hide your internals from your user
> community, but don't believe that you can protect it against a
> determined and knowledgeable opponent.

It looks like Ruby is mostly suited to the service based approach. And
can not be distributed like compiled desktop applications.

>
> pth
10d4acbfdaccb4eee687a428ca00a5d8?d=identicon&s=25 Jim Weirich (weirich)
on 2006-06-19 12:27
Kris Leech wrote:

> What if server access is none controllable eg. shared servers.
> And if you are on the server you can read database.yml (plain text), and
> as said insert code.

Most shared hosts put users into different user accounts and allow you
to specifiy access levels on those files.

-- Jim Weirich'
2c51fec8183a5d21c4e11b430beabb47?d=identicon&s=25 Patrick Hurley (Guest)
on 2006-06-19 20:26
(Received via mailing list)
On 6/19/06, Kris Leech <krisleech@interkonect.com> wrote:

> > But I could just rename the compiled so file, write a simple loader
> > that loads the .so and then do what ever I wanted.

> But would the code in the .so be modify-able?

I could write a routine that creates a thread, and call break point. I
could alias and breakpoint any routine I care about. So the .so is not
modified, but I can modify its code in place.

> What do you think to these programs like EXECrypter which adds
> anti-debug, encryptioned code and other anti-tamper/hack techniques.

They make things difficult, not impossible -- check out how long it
takes for games to hit Usenet after they are release. Most of these
are filled with all the best tricks.

> It looks like Ruby is mostly suited to the service based approach. And
> can not be distributed like compiled desktop applications.

I think it is a great tool for desktop applications, but the real
question is that of your business model. If you want to release code
that cannot be copied give it up. Secure things need to be on secure
servers -- everything else can be modified -- it is really just a
question of difficulty.

pth
5a837592409354297424994e8d62f722?d=identicon&s=25 Ryan Davis (Guest)
on 2006-06-19 21:13
(Received via mailing list)
On Jun 19, 2006, at 11:25 AM, Patrick Hurley wrote:

> On 6/19/06, Kris Leech <krisleech@interkonect.com> wrote:
>
>> > But I could just rename the compiled so file, write a simple loader
>> > that loads the .so and then do what ever I wanted.
>
>> But would the code in the .so be modify-able?
>
> I could write a routine that creates a thread, and call break point. I
> could alias and breakpoint any routine I care about. So the .so is not
> modified, but I can modify its code in place.

We're talking ruby here... it is much much easier to modify the code
than that.

>> What do you think to these programs like EXECrypter which adds
>> anti-debug, encryptioned code and other anti-tamper/hack techniques.
>
> They make things difficult, not impossible -- check out how long it
> takes for games to hit Usenet after they are release. Most of these
> are filled with all the best tricks.

Yes, but as I said earlier, cracked games and the like are generally
doing a single jump over the license check code. That is pretty
simple. We're trying to provide a level of protection to IP. Not make
it impossible, but just as difficult as any other compiled language
out there.

Again, you see cracked games all the time, but you don't see them
reverse engineered into readable code very much.

>> It looks like Ruby is mostly suited to the service based approach.
>> And
>> can not be distributed like compiled desktop applications.
>
> I think it is a great tool for desktop applications, but the real
> question is that of your business model. If you want to release code
> that cannot be copied give it up. Secure things need to be on secure
> servers -- everything else can be modified -- it is really just a
> question of difficulty.

*nod* exactly.
E13ba8e702211be152c640df2d8e141f?d=identicon&s=25 Joe Black (joe-black)
on 2006-09-26 12:11
where to get it?
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.