Secure Ruby Compiler

One of the killer features lacking in most scripting languages is the ability to "compile" or sufficiently "obfuscate" scripts so they can be distributed for execution without revealing the original source code.

Is this possible with Ruby today? If not, is this something planned for future versions? Are there 3rd party tools that do this?

There are many practical reasons why this feature is important. One pervasive example is where a small business hosts their website with an ISP that has the ability to access all the files/scripts. The company might have scripts that contain database passwords or registration key algorithms they don't want visible to non-employee system administrators.

If I'm not mistaken, this feature is so needed that there are commercial perl script obfuscation tools--people are literally willing to pay for this feature in Perl.

Having such a feature built-in with Ruby would be absolutely fantastic. Perhaps the bytecode can be optionally generated in a manner that combats easy reverse engineering (just enough prevent automated reverse engineering since manual efforts are virtually impossible to prevent).

Randy,

First, Ruby scripts are not compiled to bytecode, or any other
persistent format, which rules out a large class of obfuscation
processes.

I am also not aware of any existing tools which are explicitly
designed to hide sensitive strings or other data within a script. The
only real use-case I've heard for such tools is the distribution of
commercial (read: closed-source) software based on a plaintext
scripting language, which may either be anathema to the usual attitude
of developers using Ruby, or just not in enough demand to spark much
interest.

That being said, I'm currently working on a project which may require
some form of encryption of data stong enough to discourage at least
casual copying and modification. We're looking at several possible
options, but nothing really exists off-the-shelf for
purely-interpreted languages in general.

Lennon

Randy Lawrence wrote:

One of the killer features lacking in most scripting languages is the
ability to "compile" or sufficiently "obfuscate" scripts so they can be
distributed for execution without revealing the original source code.

Is this possible with Ruby today? If not, is this something planned for
future versions? Are there 3rd party tools that do this?

How much are you offering to pay? After all, if you're going to be
obfuscating your code you're clearly not going to be contributing back any
code.

If not for discouraging 'casual copying', then are there tools for
general distribution? (Like py2exe for making executables for example)

Neil Stevens wrote:

How much are you offering to pay? After all, if you're going to be
obfuscating your code you're clearly not going to be contributing back any
code.

Are you implying that if a person or company wants to obfuscate (hide) their database passwords or their registration key generation algorithms from people they don't trust, that they're "clearly not going to be contributing back any code"? Using that logic...please post all your passwords here in cleartext so you can prove to us that you're not an anti-opensource lackey trying to discredit opensource programmers.

If you refer back to my post, you'll see the example scripts I specifically mentioned were scripts that contained DATABASE PASSWORDS or REGISTRATION KEY ALGORITHMS.

You ask how much am I offering to pay? For what and to whom? I'm currently just trying to find out what exists out there and considering workarounds. If I don't find anything (commercial or free) and the workarounds aren't satisfactory, I'll probably invest the time to document requirements sufficient to get bids or to develop it in-house.

If you truly want to know how much other people are willing to pay, look up commercial Perl or Java obfuscators for the current pricing (prices were probably adjusted to match demand). As I mentioned in the post, there is commercial demand for such products.

Best regards.

unless i missed it nobody mentioned 'thewrap'
(http://trondoc.ezwebtech.com/theWRAP/\). the price is hard to beat.

i've used it to successfully wrap wxruby programs (well under 5mb). i
think it uses upx somewhere in the process. it will prevent 'casual
copying'

You can generate Windows executables with Excerb, or package an entire
directory of library and resource files into Tar2rubyscript.

Lennon

Well, here's some advertising for my own projects...

gegroet,
Erik V.

Randy Lawrence wrote:

If you refer back to my post, you'll see the example scripts I
specifically mentioned were scripts that contained DATABASE PASSWORDS or
REGISTRATION KEY ALGORITHMS.

Registration key algorithms. Exactly.

Have fun,

The version of theWRAP that I just looked at didn't compress at all...

... in fact the website says it doesn't compress...

... for me compression is a 'must-have-feature'.

I still think that:

1. exerb
2. EZExerb (yes I'm the creator, so I'm biased )
3. NSIS

is the way to go for getting a ruby project distributed on windows platforms.

I changed the compression in NSIS from the default of zlib to LZW and
I went from 5.1 megs of scattered files to 1.3 megs in a single file
(Zlib went from 5.1 to 1.7).

-Rich

>Randy Lawrence wrote:

>> One of the killer features lacking in most scripting languages is the
>> ability to "compile" or sufficiently "obfuscate" scripts so they can be
>> distributed for execution without revealing the original source code.

in my not so humble opinion, the killer feature of so-called
"scripting" languages (all programming languages are syntactic sugar)
is PRECISELY that the code is NOT obfuscated. users have a right to
understand the code they are running. copyright can still exist with
open-source software. (and ironically, the GPL proves that most
people do not, in fact, steal licensed code.) obfuscation is a tool
of oppression to secure a monopoly on an idea. (even copyrights are
supposed to be TEMPORARY.)

>> Is this possible with Ruby today? If not, is this something planned for
>> future versions? Are there 3rd party tools that do this?

-z

that should be exerb , no "c"

Hello Erik,

If not for discouraging 'casual copying', then are there
tools for general distribution? (Like py2exe for making
executables for example)

Well, here's some advertising for my own projects...

What can i do when i have 2 or more scripts (think about a
server/client program) that should be executable
but don't want to deliver so much duplicated things.
Is there any way to build two small executable and a shared runtime ?
I know that exerb can build a DLL but i think it only contains a very
fixed sets of shared files, for example a shared "wxruby.so" would still be
wrappend inside two exe files.

sorry - I switched from zlib compression to LZMA compression - not LZW!!

-Rich
P.s. - I tried UPX... it didn't even come close to 1.3 megs final.

It's a choice. If you want to share your source, that is your decision.
If you don't, that is also your decision.

One example of the need to obfuscate code: You have a "power user"
that continually hoses their system by making changes where they
shouldn't be. Locked up source would prevent this.

i don't think thewrap was intended as an installer...just to create
one file executables...

I love your passion for open source. I love open source too.

zuzu wrote:
[snip]

users have a right to understand the code they are running.

[snip]

What specific code do they have the right to understand? All code? I want to have that "right to understand" too! Where can I obtain it?

Was that "right to understand" conveyed by law or a private contracts?

What if the user is too stupid to understand the code? Does the developer have to simplify the code until it could be understood by all users? If the developer refuses to simplify the code, are they criminals or merely commiting a breach of contract?

[snip]

(and ironically, the GPL proves that most
people do not, in fact, steal licensed code.)

[snip]

How does GPL prove this? I'm not disagreeing with you, I'm just trying to understand how the GPL proves that fact.

I reread the GPL and I couldn't find any statistical data comparing number of people who steal vs comply with licensed code. All it contains is a bunch of terms and conditions--no quantifiable data on theft.

Perhaps the GPL is obfuscated so that the statistical data on theft is hidden from plain view. ASCII stenography? Hmmmm.

obfuscation is a tool of oppression to secure a monopoly on an idea. (even copyrights are
supposed to be TEMPORARY.)

Well, I don't like oppression and I don't like monopoly (but the game "Monopoly" is kinda fun).

Obfuscation is a tool of oppression? Like airplanes are a tool for terrorism? Should they both be banned? Hmmm, it could mean fewer visits from the mother-in-law...maybe not a bad idea!

To be fair, we can probably imagine at least one undesirable use for every invention known to humankind. It doesn't mean it is the only use for the inventions--maybe it just means we need to use our imagination to think of more positive uses.

I wouldn't use obfuscation for oppression. I'd use obfuscation to hide passwords when full-blown encryption isn't very practical or necessary. For example, obfuscating a script that contains a database connection password that I'm hosting on a shared server just in case an unauthorized person gains read access to the script.

ps

Data needs to be overwritten between 9 times (DOD 5220.22-M standard) - 27+ times (Guttman) before it is safe from modern HD recovery tools. Encrypt (or at a minimum, obfuscate) data you don't want to become public (anything useful for id theft or credit card fraud). Most of us don't consider this when selling our computer or changing web hosting providers.

zuzu wrote:
[snip]

> users have a right to understand the code they are running.

[snip]

I love your passion for open source. I love open source too.

Unfortunately, our DESIRE for something does not automatically grant us the RIGHT to what we desire. And the way things SHOULD be is not necessarily the way things ACTUALLY stand.

Was that "right to understand the code they are running" conveyed by law or a private contract? If the "right" was granted by a valid contract, BOTH parties must receive something "in consideration" for what they give.

Assuming that "right" was granted, what if a user is too stupid to understand the code? Does the developer have to simplify the code until it could be understood by all users? If the developer refuses to simplify the code, are they criminals or merely commiting a breach of contract or both? What if simplifying the code for one user ends up confusing a different user?

[snip]

> (and ironically, the GPL proves that most
> people do not, in fact, steal licensed code.)

[snip]

How does GPL prove this? I'm not disagreeing with you, I'm just trying to understand how the GPL proves that fact.

I reread the GPL and I couldn't find any statistical data comparing number of people who steal vs comply with licensed code. All it contains is a bunch of terms and conditions--no quantifiable data on theft.

Perhaps the GPL is obfuscated so that the statistical data on theft is hidden from plain view. ASCII stenography?

> obfuscation is a tool of oppression to secure a monopoly on an idea. (even copyrights are
> supposed to be TEMPORARY.)
>

Well, I don't like oppression and I don't like monopoly (but the game "Monopoly" is kinda fun).

Obfuscation is a tool of oppression? Like airplanes are a tool for terrorism? Should they both be banned? Hmmm, it could mean fewer visits from the mother-in-law...maybe not a bad idea!

To be fair, we can probably imagine at least one undesirable use for every invention known to humankind. It doesn't mean it is the only use for the inventions--maybe it just means we need to use our imagination to think of more positive uses.

I wouldn't use obfuscation for oppression. I'd use obfuscation to hide passwords when full-blown encryption isn't very practical or necessary. For example, obfuscating a script that contains a database connection password that I'm hosting on a shared server just in case an unauthorized person gains read access to the script.

Ultimately, I hope liberty wins. Having the freedom to NOT use closed-source software. And having the freedom to NOT provide source code to users. And everything in between. Let freedom reign supreme.

ps

Data needs to be overwritten between 9 times (DOD 5220.22-M standard) - 27+ times (Guttman) before it is safe from modern data recovery tools. Encrypt (or at a minimum, obfuscate) data you don't want to become public (anything useful for id theft or credit card fraud). Most of us don't consider this when selling our computer or changing web hosting providers.

thank you. sounds exactly like what I'm looking for.

> > If not for discouraging 'casual copying', then are there
> > tools for general distribution? (Like py2exe for making
> > executables for example)
>
> Well, here's some advertising for my own projects...

What can i do when i have 2 or more scripts (think about a
server/client program) that should be executable but don't
want to deliver so much duplicated things. Is there any way
to build two small executable and a shared runtime ?

No. The idea of RubyScript2Exe is to let a script run on
Windows in the simplest way possible (or "How can my mother
start an application?"). Manually copying one or more DLL's
isn't the simplest way. You could as well install Ruby...

The "hiding my code" in this thread is just a side effect of
RubyScript2Exe, not one of its goals.

Do you really care about size? I usually don't...

gegroet,
Erik V.