"Being perfectly honest, your obfuscator has made me feel like writing RubyCocoa apps is a commercially viable business, whereas before I had my doubts." - Aidan Rogers
- ZenObfuscate
- What is it?
- For when you really really have to ship a binary.
- Lets you: Write in ruby, and ship a binary.
- ZenObfuscate is a translator for a fairly large subset of
ruby that converts your pure ruby code into a dynamically
loadable binary, protecting your intellectual property(*).
- How does it work?
zenobfuscate has a commandline interface that takes the
specified ruby files and outputs a dynamically loadable
binary (.bundle on osx, .so on unix/linux and .dll on
windows).
- TODO: diagram
- e.g., ./bin/zenobfuscate -o mylibrary lib/blah.rb; ruby -rmylibrary -e 'use_my_library'
- Built on a solid foundation: RubyInline and ParseTree. Long
standing open source packages for ruby.
- When is it available?
Available nowish on an individual basis
- How much does it cost and what is its licensing?
ZenObfuscate costs $2500 for a site license or is
individually negotiable. ZenObfuscate is a commercial product
produced wholly by Eric Hodel and Ryan Davis and is not for
redistribution. All rights are reserved, etc., etc. Binaries
produced from ZenObfuscate have no restrictions of any kind
(except determined by their authors).
- Requirements
ruby 1.8.x, ruby2c, parse_tree, rubyinline (all available as
gems)
available on darwin ppc, darwin intel, freebsd x86, freebsd
amd/64bit, and linux x86 (with coaxing).
- Known Limitations
There are issues with what the obfuscator can translate to C
and as a result you may need to modify your code in order to
translate it. Usually this is a pretty straightforward and
simple task. We do a good job of translating static ruby to
its equivalent C, but not all ruby has an equivalent in C.
- Only translates methods in classes and modules, not
freestanding code.
- Explicit returns are required in all methods.
- Temporary: Conditional logic (including ?:) may not be on the
right hand side of an assignment.
- Temporaryish: Exception handling and generic block closures
currently don't translate.
- Some expressions in ruby we don't currently do, but could
upon request, where some other ruby expressions will never
translate.
--
I know that you believe you understand what you think I said but,
I'm not sure you realize that what you heard is not what I meant.
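As an added example (not part of Ryan's announcement or of ZenObfuscate itself), a small Ripper-based pre-flight check that flags the constructs in the Known Limitations list, so a file can be fixed before it goes to the translator; the rule names and the Pricer sample are constructed for illustration:

```ruby
# Added example, not ZenObfuscate's own code: a Ripper-based pre-flight check for the
# constructs listed under "Known Limitations", so code is fixed before translation.
require "ripper"
module LimitCheck
  NODE = ->(n) { n.is_a?(Array) && n.first.is_a?(Symbol) }

  # Depth-first walk over every sexp node produced by Ripper.sexp.
  def self.each_node(node, &blk)
    return unless node.is_a?(Array)
    yield node if NODE.call(node)
    node.each { |child| each_node(child, &blk) }
  end

  # Returns [rule, detail] pairs (rule names are mine); empty means nothing was found.
  def self.violations(src)
    return [[:syntax_error, nil]] unless (sexp = Ripper.sexp(src))
    out = []
    # Only methods in classes and modules translate, not freestanding code.
    sexp[1].each do |stmt|
      out << [:freestanding_code, stmt[0]] unless %i[class module void_stmt].include?(stmt[0])
    end
    each_node(sexp) do |n|
      case n[0]
      when :def, :defs   # explicit returns are required: the last statement must be a return
        name = (n[0] == :def ? n[1] : n[3])[1]
        body = n.find { |c| NODE.call(c) && c[0] == :bodystmt }
        last = body && body[1].last
        out << [:implicit_return, name] unless last && %i[return return0].include?(last[0])
      when :assign, :opassign   # conditional logic (?:) may not be the right-hand side
        out << [:ternary_assignment, n[1][0]] if NODE.call(n.last) && n.last[0] == :ifop
      when :rescue, :rescue_mod, :ensure   # exception handling does not translate yet
        out << [:exception_handling, n[0]]
      when :brace_block, :do_block         # nor do generic block closures
        out << [:block_closure, n[0]]
      end
    end
    out
  end

  # Constructed sample tripping four rules: ?: on the RHS, a rescue modifier,
  # an implicit return, and a call outside any class.
  BEFORE = <<~'RUBY'
    class Pricer
      def discount(total)
        rate = total > 100 ? 0.1 : 0.0
        total = Float(total) rescue 0.0
        total * (1 - rate)
      end
    end
    Pricer.new.discount(150)
  RUBY

  # The same method rewritten within the limitations; violations(AFTER) is empty.
  AFTER = <<~'RUBY'
    class Pricer
      def discount(total)
        if total > 100
          return total * 0.9
        end
        return total
      end
    end
  RUBY
end
```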
----- Original Message -----
From: "Ryan Davis" <ryand-ruby@zenspider.com>
To: "ruby-talk ML" <ruby-talk@ruby-lang.org>; <ruby@zenspider.com>
Sent: Tuesday, June 13, 2006 3:56 AM
Subject: ANN: ZenObfuscate - for when you really really have to ship a
binary
I should have been more clear with my English. We're open to negotiations _for alternative licensing schemes_.
On Jun 12, 2006, at 7:56 PM, Ryan Davis wrote:
- How much does it cost and what is its licensing?
ZenObfuscate costs $2500 for a site license or is
individually negotiable. ZenObfuscate is a commercial product
produced wholly by Eric Hodel and Ryan Davis and is not for
redistribution. All rights are reserved, etc., etc. Binaries
produced from ZenObfuscate have no restrictions of any kind
(except determined by their authors).
From: "Ryan Davis" <ryand-ruby@zenspider.com>
> - Known Limitations
...
> - Explicit returns are required in all methods.
> - Temporary: Conditional logic (including ? may not be on the
> right hand side of an assignment.
> - Temporaryish: Exception handling and generic block closures
> currently don't translate.
Based on those limitations, I would think not.
On 6/13/06, Kris Leech <kris@alternativefocusmedia.com> wrote:
--
Regards,
John Wilger
-----------
Alice came to a fork in the road. "Which road do I take?" she asked.
"Where do you want to go?" responded the Cheshire cat.
"I don't know," Alice answered.
"Then," said the cat, "it doesn't matter."
- Lewis Carroll, Alice in Wonderland
That price looks a little extreme for what I have in mind.. are there
any alternative obfuscators? Alternatively could a
percentage-of-returns license fee be negotiated (Eric)?
Are programs written in Ruby distributable under any license you like?
A friend of mine has proposed selling a program I wrote in Ruby but
the thought of doing so made me feel like I was leveraging vast (GPL)
resources available to me for free - and profiting off of them by
adding comparatively very little. I have in the past simply sold my
development time, which seemed a fairer trade since copying my
programs is a trivial task.
Does anyone here actually sell Ruby programs themselves as products?
Les
On 6/13/06, Kris Leech <kris@alternativefocusmedia.com> wrote:
Will this work with a Rails app?
----- Original Message -----
From: "Ryan Davis" <ryand-ruby@zenspider.com>
To: "ruby-talk ML" <ruby-talk@ruby-lang.org>; <ruby@zenspider.com>
Sent: Tuesday, June 13, 2006 3:56 AM
Subject: ANN: ZenObfuscate - for when you really really have to ship a
binary
We haven't tested obfuscating a rails app yet, but we have every reason to believe that we can make it work. Obviously you wouldn't obfuscate the whole rails stack, just your controllers/models. My only real concern is how rails does class loading magic (I'd really want to run my tests against the obfuscated code). When we get time, we'll do a proof of concept against a rails app to see what issues arise.
> Will this work with a Rails app?
...
> From: "Ryan Davis" <ryand-ruby@zenspider.com>
> > - Known Limitations
...
> > - Explicit returns are required in all methods.
> > - Temporary: Conditional logic (including ?:) may not be on the
> > right hand side of an assignment.
> > - Temporaryish: Exception handling and generic block closures
> > currently don't translate.
Based on those limitations, I would think not.
I wonder if Rails apps will ever be compiled?
On 6/13/06, Kris Leech <kris@alternativefocusmedia.com> wrote:
Actually we have every reason to believe that we can obfuscate rails apps. Obviously you wouldn't obfuscate the whole ruby stack, but models and controllers should be doable.
On Jun 13, 2006, at 6:20 AM, John Wilger wrote:
On 6/13/06, Kris Leech <kris@alternativefocusmedia.com> wrote:
Will this work with a Rails app?
...
----- Original Message -----
From: "Ryan Davis" <ryand-ruby@zenspider.com>
> - Known Limitations
...
> - Explicit returns are required in all methods.
> - Temporary: Conditional logic (including ? may not be on the
> right hand side of an assignment.
> - Temporaryish: Exception handling and generic block closures
> currently don't translate.
That price looks a little extreme for what I have in mind.. are there
any alternative obfuscators? Alternatively could a
percentage-of-returns license fee be negotiated (Eric)?
see:
- How much does it cost and what is its licensing?
ZenObfuscate costs $2500 for a site license or is
individually negotiable. ZenObfuscate is a commercial product
Are programs written in Ruby distributable under any license you like?
Yes.
A friend of mine has proposed selling a program I wrote in Ruby but
the thought of doing so made me feel like I was leveraging vast (GPL)
resources available to me for free - and profiting off of them by
adding comparatively very little. I have in the past simply sold my
development time, which seemed a fairer trade since copying my
programs is a trivial task.
Well, it is your moral system at work here. Think about those who use GCC to compile commercial apps.
I should point out that ruby isn't under GPL. It is under the ruby license which allows you to make modifications or apply the GPL. See COPYING.
Does anyone here actually sell Ruby programs themselves as products?
As the quote at the top of my announcement suggests, yes (eventually).
On Jun 13, 2006, at 7:29 AM, Leslie Viljoen wrote:
We haven't tested obfuscating a rails app yet, but we have every
reason to believe that we can make it work. Obviously you wouldn't
obfuscate the whole rails stack, just your controllers/models. My
only real concern is how rails does class loading magic (I'd really
want to run my tests against the obfuscated code). When we get time,
we'll do a proof of concept against a rails app to see what issues
arise.
I would be *very* interested in this.
----- Original Message -----
From: "Ryan Davis" <ryand-ruby@zenspider.com>
To: "ruby-talk ML" <ruby-talk@ruby-lang.org>
Sent: Tuesday, June 13, 2006 5:13 PM
Subject: Re: ZenObfuscate - for when you really really have to ship a binary
OK. For some reason I was thinking of whether you could obfuscate the
framework itself. That would be incredibly pointless, though, wouldn't
it?
On 6/13/06, Ryan Davis <ryand-ruby@zenspider.com> wrote:
On Jun 13, 2006, at 6:20 AM, John Wilger wrote:
> Based on those limitations, I would think not.
Actually we have every reason to believe that we can obfuscate rails
apps. Obviously you wouldn't obfuscate the whole ruby stack, but
models and controllers should be doable.
--
Regards,
John Wilger
Are you talking about the indenting?
In Kris' defense I think that's a Microsoft mail client being used,
which makes proper netiquette an incredible chore. How I suffer under
the oppression of Outlook!
Les
On 6/14/06, Ryan Davis <ryand-ruby@zenspider.com> wrote:
On Jun 14, 2006, at 3:23 AM, Kris Leech wrote:
> I would be *very* interested in this.
You know how to reach us.
P.S. Be a good list citizen. PLEASE learn how to properly reply to
email.
2 million hits... I'm sure the problem is solvable.
On Jun 14, 2006, at 1:50 PM, Leslie Viljoen wrote:
Are you talking about the indenting?
In Kris' defense I think that's a Microsoft mail client being used,
which makes proper netiquette an incredible chore. How I suffer under
the oppression of Outlook!
Are you talking about the indenting?
In Kris' defense I think that's a Microsoft mail client being used,
which makes proper netiquette an incredible chore. How I suffer under
the oppression of Outlook!
YACTTMD(*)
I think Ryan talks about the attribution novel.
At Thu, 15 Jun 2006 05:50:03 +0900, Leslie Viljoen wrote:
On 6/14/06, Ryan Davis <ryand-ruby@zenspider.com> wrote:
> On Jun 14, 2006, at 3:23 AM, Kris Leech wrote:
----- Original Message -----
From: "Ryan Davis" <ryand-ruby@zenspider.com>
To: "ruby-talk ML" <ruby-talk@ruby-lang.org>
Sent: Tuesday, June 13, 2006 5:13 PM
Subject: Re: ZenObfuscate - for when you really really have to ship a binary
The first, third and fifth line are superfluous and ought to be removed.
The result of this were
actually had any advantage over this. If one actually requires a
one-liner that should rather read
From: "Ryan Davis" <ryand-ruby@zenspider.com>
because it makes little sense to provide a time without mentioning the
time zone when writing messages to c.l.r.
IMHO the problem is the misconception that Outlook, Outlook Express
and Lotus Notes are Mail User Agents. This is wrong. They are
multi-purpose tools that *include* a MUA. As well as it is stupid to
expect that all the different functions of a Swiss Army Knife serve
their purpose as well as dedicated tools, it is equally stupid to
expect such multi-purpose tools to be as good as a dedicated Mail User
Agent.
To give an example the Screwdriver works fine if you have free access
to the screw. But as soon as this is not the case you run into trouble
and have to find a real screwdriver. Often a SAK is sufficient for
IKEA products but I found out that sometimes it isn't.
(*) Yet another contribution to this meta-discussion.
That's not the point of ZenObfuscate. It doesn't turn Ruby into a
"static" language. If you want to prevent code injection, you need to
defend against it in your application.
-austin
On 6/16/06, Kris Leech <krisleech@interkonect.com> wrote:
It would be an advantage to compile the whole Rails framework and the
standard library to prevent code injection. If of course possible?
It would take significant work to prevent code injection, at the very least you would need to:
- Obfuscate all .rb files your program uses into C files (including anything in stdlib)
- Provide a custom C main() to invoke your obfuscated libraries
- Statically link Ruby, your main() and your obfuscated C files
- Remove rb_require from Ruby
- Remove RUBYOPT and -r flags from Ruby
You may even need to write your application to work with $SAFE >= 1, depending on how much your code allows users to interact with its internals.
ZenObfuscate only prevents Ruby2Ruby from reassembling your IP.
On Jun 16, 2006, at 3:06 AM, Kris Leech wrote:
It would be an advantage to compile the whole Rails framework and the
standard library to prevent code injection. If of course possible?
--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant
I have previously installed a few of these fixes and they didn't help
much. The plugin I tried worked for new messages only, not replies.
Kris, if you have the freedom, I recommend either GMail or
Les
On 6/15/06, Ryan Davis <ryand-ruby@zenspider.com> wrote:
On Jun 14, 2006, at 1:50 PM, Leslie Viljoen wrote:
> Are you talking about the indenting?
> In Kris' defense I think that's a Microsoft mail client being used,
> which makes proper netiquette an incredible chore. How I suffer under
> the opression of Outlook!
I believe that the injection he is talking about after the application
is deployed with rails still in plain text view, having someone open
the rails files and add code that could over write methods, etc. Of
course this implies a pretty sophisticated understanding of Ruby and
the application. And also leads to a pretty difficult chain -- now you
have to handle all the standard libraries that are used as well,
otherwise the same user could inject their code there as well. Don't
forget about the RUBYOPT environment variable or even modifying the
ruby interpreter.
I am not against any of these things and may likely purchase
ZenObfuscate for our company at some point, but to base any business
model around the purity of code (in any language, but especially
dynamic languages) run on a clients machine is a mistake. You can take
some baby steps to hide stuff, but the cost/benefit ratio slips
rapidly when you try to defend against a reasonably sophisticated
attacker.
pth
On 6/16/06, Austin Ziegler <halostatue@gmail.com> wrote:
That's not the point of ZenObfuscate. It doesn't turn Ruby into a
"static" language. If you want to prevent code injection, you need to
defend against it in your application.