When writing a interpreter extension are there any hooks in to the
different stages of interpretation?
In particular I would like to pre-process the ruby file/class being
interpreted. Is a ruby class block loaded from a file or read line by
line?
Many thanks, K.
--
Posted via http://www.ruby-forum.com/.
Override require.
On May 19, 2006, at 6:28 AM, Kris wrote:
When writing a interpreter extension are there any hooks in to the
different stages of interpretation?In particular I would like to pre-process the ruby file/class being
interpreted. Is a ruby class block loaded from a file or read line by
line?
--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant
Many thanks Eric, do you have a code example by any chance to get me
started, I'm not so familiar with C!
Eric Hodel wrote:
On May 19, 2006, at 6:28 AM, Kris wrote:
When writing a interpreter extension are there any hooks in to the
different stages of interpretation?In particular I would like to pre-process the ruby file/class being
interpreted. Is a ruby class block loaded from a file or read line by
line?Override require.
--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant
--
Posted via http://www.ruby-forum.com/\.
You don't need to write any C at all. Write it in Ruby.
On May 19, 2006, at 10:50 AM, Kris wrote:
Eric Hodel wrote:
On May 19, 2006, at 6:28 AM, Kris wrote:
When writing a interpreter extension are there any hooks in to the
different stages of interpretation?In particular I would like to pre-process the ruby file/class being
interpreted. Is a ruby class block loaded from a file or read line by
line?Override require.
Many thanks Eric, do you have a code example by any chance to get me
started, I'm not so familiar with C!
--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant
For example:
module Kernel
alias old_require require
def require(file)
# first check if it's already been required by searching $LOADED_FEATURES
# Search $LOAD_PATH for the file
if it's an .rb file then
File.open(full_path_and_filename) do |f|
# Preprocess f and if neccessary do any changes and eval them
end
# add the file to $LOADED_FEATURES
else
old_require(file)
end
end
end
On May 19, 2006, at 2:59 PM, Eric Hodel wrote:
On May 19, 2006, at 10:50 AM, Kris wrote:
Eric Hodel wrote:
On May 19, 2006, at 6:28 AM, Kris wrote:
When writing a interpreter extension are there any hooks in to the
different stages of interpretation?In particular I would like to pre-process the ruby file/class being
interpreted. Is a ruby class block loaded from a file or read line by
line?Override require.
Many thanks Eric, do you have a code example by any chance to get me
started, I'm not so familiar with C!You don't need to write any C at all. Write it in Ruby.
--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant
Thanks for the reply.
The problem with doing it in Ruby is that there is no where to hide the
decryption key... It would be in plain text, unless I'm am missing
something?
Logan Capaldo wrote:
On May 19, 2006, at 2:59 PM, Eric Hodel wrote:
line by
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliantFor example:
module Kernel
alias old_require requiredef require(file)
# first check if it's already been required by searching
$LOADED_FEATURES
# Search $LOAD_PATH for the file
if it's an .rb file then
File.open(full_path_and_filename) do |f|
# Preprocess f and if neccessary do any changes and eval them
end
# add the file to $LOADED_FEATURES
else
old_require(file)
end
end
end
--
Posted via http://www.ruby-forum.com/\.
Quoting krisleech@interkonect.com, on Mon, May 22, 2006 at 12:29:24AM +0900:
Thanks for the reply.
The problem with doing it in Ruby is that there is no where to hide the
decryption key... It would be in plain text, unless I'm am missing
something?
Doing it in compiled C would leave it in plain text, too, just mildly
more obfuscated.
Sam
It would take a higher skill set to extract it though.
And you can write code that helps hide a key in a binary file.
So is it possible to write a C extension that overrides the ruby require
in the same way as the previous ruby example?
Many thanks, K.
Sam Roberts wrote:
Quoting krisleech@interkonect.com, on Mon, May 22, 2006 at 12:29:24AM
+0900:Thanks for the reply.
The problem with doing it in Ruby is that there is no where to hide the
decryption key... It would be in plain text, unless I'm am missing
something?Doing it in compiled C would leave it in plain text, too, just mildly
more obfuscated.Sam
--
Posted via http://www.ruby-forum.com/\.
Sorry to be a whiner, but can't you put the key in a file only readable
by the person who should be able to read it? Ie. manage your key
security using your OS's security. Then you can also encrypt your
key file with a password the user has to enter if you like. This is how
SSH handles private keys.
Or are you trying to obfuscate a Ruby program?
It sounds like you are prepared to go to a lot of effort to create a
weak encryption system, which would be a shame.
Les
On 5/22/06, Kris <krisleech@interkonect.com> wrote:
It would take a higher skill set to extract it though.
And you can write code that helps hide a key in a binary file.So is it possible to write a C extension that overrides the ruby require
in the same way as the previous ruby example?
Well there are several aspects to this, I want to protect the code from
being read, from being modified and from internal attacks.
I could use the file system permissions but its always vunrable to at
least one person. This normally would not be a problem but we are
dealing with sensative data.
We can make the encrypt key in the interpreter hard to find, not
impossible, but much more secure than having open source code.
Leslie Viljoen wrote:
On 5/22/06, Kris <krisleech@interkonect.com> wrote:
It would take a higher skill set to extract it though.
And you can write code that helps hide a key in a binary file.So is it possible to write a C extension that overrides the ruby require
in the same way as the previous ruby example?Sorry to be a whiner, but can't you put the key in a file only readable
by the person who should be able to read it? Ie. manage your key
security using your OS's security. Then you can also encrypt your
key file with a password the user has to enter if you like. This is how
SSH handles private keys.Or are you trying to obfuscate a Ruby program?
It sounds like you are prepared to go to a lot of effort to create a
weak encryption system, which would be a shame.Les
--
Posted via http://www.ruby-forum.com/\.
Try to do this. I bet I could break it in 10 minutes.
But against the average person it might work. But the average person
is not your problem...
Ryan
On 5/22/06, Kris Leech <krisleech@interkonect.com> wrote:
Well there are several aspects to this, I want to protect the code from
being read, from being modified and from internal attacks.I could use the file system permissions but its always vunrable to at
least one person. This normally would not be a problem but we are
dealing with sensative data.We can make the encrypt key in the interpreter hard to find, not
impossible, but much more secure than having open source code.
Kris Leech wrote:
Well there are several aspects to this, I want to protect the code from being read, from being modified and from internal attacks.
I could use the file system permissions but its always vunrable to at least one person. This normally would not be a problem but we are dealing with sensative data.
We can make the encrypt key in the interpreter hard to find, not impossible, but much more secure than having open source code.
Google for the phrase "security through obscurity" (STO).
Are you in the US? What is your native language?
Hal
By reading the key from the binary or reading the un-encrypted code from
memory?
Ryan Leavengood wrote:
On 5/22/06, Kris Leech <krisleech@interkonect.com> wrote:
Well there are several aspects to this, I want to protect the code from
being read, from being modified and from internal attacks.I could use the file system permissions but its always vunrable to at
least one person. This normally would not be a problem but we are
dealing with sensative data.We can make the encrypt key in the interpreter hard to find, not
impossible, but much more secure than having open source code.Try to do this. I bet I could break it in 10 minutes.
But against the average person it might work. But the average person
is not your problem...Ryan
--
Posted via http://www.ruby-forum.com/\.
Hal Fulton wrote:
Kris Leech wrote:
Well there are several aspects to this, I want to protect the code from being read, from being modified and from internal attacks.
I could use the file system permissions but its always vunrable to at least one person. This normally would not be a problem but we are dealing with sensative data.
We can make the encrypt key in the interpreter hard to find, not impossible, but much more secure than having open source code.
Google for the phrase "security through obscurity" (STO).
There's a useful difference between full security and a picket fence. Sure, a picket fence is easy to get over, but you know you're trespassing (and legally have shown intent) when you do.
--
Alex
In any case how would you go about securing ruby code or do you think it
is not possible? Is no code secure?
--
Posted via http://www.ruby-forum.com/.
Kris Leech wrote:
By reading the key from the binary or reading the un-encrypted code from memory?
Ryan Leavengood wrote:
Well there are several aspects to this, I want to protect the code from
being read, from being modified and from internal attacks.I could use the file system permissions but its always vunrable to at
least one person. This normally would not be a problem but we are
dealing with sensative data.We can make the encrypt key in the interpreter hard to find, not
impossible, but much more secure than having open source code.Try to do this. I bet I could break it in 10 minutes.
But against the average person it might work. But the average person
is not your problem...Ryan
Haha, you really don't want to go down this road. If you can't accomplish what you are trying to do with proven cryptographic security primitives, then you should probably change the use case. Security through obscurity is really a waste of everyones time. Even if you make it quite difficult for people to figure out, it only takes one person to do the work and then everyone can take advantage of the crack.
-Jeff
On 5/22/06, Kris Leech <krisleech@interkonect.com> wrote:
Yep.
There is work being done to create a Ruby obfuscator by Ryan Davis and
Eric Hodel:
http://blog.zenspider.com/archives/2006/03/obfuscated_hack.html
It is part of the RubyToC project. That may be your best bet.
Ryan
On 5/22/06, Kris Leech <krisleech@interkonect.com> wrote:
By reading the key from the binary or reading the un-encrypted code from
memory?
Google for the phrase "security through obscurity" (STO).
I know what this is. But I'm getting no helpful suggestions on this.
There seems to be a load of resistance to doing anything secure or
commerical in ruby. And yes its a general problem with all interpreted
languages except Coldfusion which I think allows you to encrypt source.
PHP goes part way with obsfucation.
The general feeling I get is it can't be done... Does anyone have any
suggestions how to secure ruby (or other) code.
--
Posted via http://www.ruby-forum.com/\.
The use case can't be changed, it would need to be secure code... At the
moment I dont see any language that offers this, Java and .NET make
bytecode which is easily reversed. There are obsfucator's but I dont
think they provide much protection just a layer against casual file
browsing. PHP's obsfucator's are easily reversed with online services.
Do you not think a binary offers protection for code...? You can't
reverse to code anyway. It whole ruby code base was kept in the binary
and ran inline, like embedded ruby this might offer real protection...
It would need to be encrypted inside the binary.
--
Posted via http://www.ruby-forum.com/.
Kris Leech wrote:
Google for the phrase "security through obscurity" (STO).
I know what this is. But I'm getting no helpful suggestions on this. There seems to be a load of resistance to doing anything secure or commerical in ruby. And yes its a general problem with all interpreted languages except Coldfusion which I think allows you to encrypt source. PHP goes part way with obsfucation.
The general feeling I get is it can't be done... Does anyone have any suggestions how to secure ruby (or other) code.
Oh, anything can be done... but is it worth it, and have you really
accomplished anything?
That's the source of the resistance you perceive. Most of us don't
want or need what you describe.
I venture to say there are numerous people here who might put in
some hours and achieve what you want. But the people who really
understand cryptography (and I am not one) will not spend their
time on an STO scheme.
As for coding... Most people are motivated only two ways to write code:
1. They're paid
2. The project seems cool to them
You're not paying (are you?) and people aren't convinced this is cool.
Actually I remember *someone* making an obfuscator of some kind 3-4
years ago... I played with it awhile and couldn't break it. Others
could, though. Or I could given a few hours.
The best suggestion yet was to keep the code off the client machine
and make a web service. That is relatively secure.
Hal