Secure Ruby Compiler

Randy Lawrence

One of the killer features lacking in most scripting languages is the
ability to "compile" or sufficiently "obfuscate" scripts so they can be
distributed for execution without revealing the original source code.

Is this possible with Ruby today? If not, is this something planned for
future versions? Are there 3rd party tools that do this?

There are many practical reasons why this feature is important. One
pervasive example is where a small business hosts their website with an
ISP that has the ability to access all the files/scripts. The company
might have scripts that contain database passwords or registration key
algorithms they don't want visible to non-employee system administrators.

If I'm not mistaken, this feature is so needed that there are commercial
perl script obfuscation tools--people are literally willing to pay for
this feature in Perl.

Having such a feature built-in with Ruby would be absolutely fantastic.
Perhaps the bytecode can be optionally generated in a manner that
combats easy reverse engineering (just enough to prevent automated reverse
engineering since manual efforts are virtually impossible to prevent).
 
Lennon Day-Reynolds

Randy,

First, Ruby scripts are not compiled to bytecode, or any other
persistent format, which rules out a large class of obfuscation
processes.

I am also not aware of any existing tools which are explicitly
designed to hide sensitive strings or other data within a script. The
only real use-case I've heard for such tools is the distribution of
commercial (read: closed-source) software based on a plaintext
scripting language, which may either be anathema to the usual attitude
of developers using Ruby, or just not in enough demand to spark much
interest.

That being said, I'm currently working on a project which may require
some form of encryption of data strong enough to discourage at least
casual copying and modification. We're looking at several possible
options, but nothing really exists off-the-shelf for
purely-interpreted languages in general.

Lennon
 
Michael Fivis

If not for discouraging 'casual copying', then are there tools for
general distribution? (Like py2exe for making executables for example)
 
Lennon Day-Reynolds

You can generate Windows executables with Excerb, or package an entire
directory of library and resource files into Tar2rubyscript.

Lennon
 
gabriele renzi

On Wed, 7 Jul 2004 13:08:45 +0900, Lennon Day-Reynolds wrote:
> You can generate Windows executables with Excerb, or package an entire
> directory of library and resource files into Tar2rubyscript.

That should be exerb, no "c"
 
Neil Stevens

Randy said:
> One of the killer features lacking in most scripting languages is the
> ability to "compile" or sufficiently "obfuscate" scripts so they can be
> distributed for execution without revealing the original source code.
>
> Is this possible with Ruby today? If not, is this something planned for
> future versions? Are there 3rd party tools that do this?

How much are you offering to pay? After all, if you're going to be
obfuscating your code you're clearly not going to be contributing back any
code.
 
Erik Veenstra

> If not for discouraging 'casual copying', then are there
> tools for general distribution? (Like py2exe for making
> executables for example)

Well, here's some advertising for my own projects...

Greetings,
Erik V.

----------------------------------------------------------------

"Tar2RubyScript generates a standalone Ruby script from an
existing TAR archive or directory, which contains a complete
Ruby application (scripts plus files). When this Ruby script is
run, it does a temporary installation of that application, just
before executing it. You might think of it as the Ruby version
of Java's JAR... Let's call it an RBA (Ruby Archive)."

http://www.erikveen.dds.nl/tar2rubyscript/index.html

----------------------------------------------------------------

"RubyScript2Exe transforms your Ruby script into a standalone
Windows executable. You can look at it as a "compiler". Not in
the sense of a source-code-to-byte-code compiler, but as a
"collector", for it collects all necessary files to run your
script on another machine: the Ruby script, the Ruby
interpreter and the Ruby runtime library (stripped down for
this script). Anyway, the result is the same: a standalone
exe-file. And that's what we want!"

http://www.erikveen.dds.nl/rubyscript2exe/index.html

----------------------------------------------------------------
 
Lothar Scholz

Hello Erik,


EV> Well, here's some advertising for my own projects...

What can I do when I have 2 or more scripts (think about a
server/client program) that should be executable
but don't want to deliver so many duplicated things.
Is there any way to build two small executables and a shared runtime?
I know that exerb can build a DLL but I think it only contains a very
fixed set of shared files, for example a shared "wxruby.so" would still be
wrapped inside two exe files.
 
Erik Veenstra

> If not for discouraging 'casual copying', then are there
> What can I do when I have 2 or more scripts (think about a
> server/client program) that should be executable but don't
> want to deliver so many duplicated things. Is there any way
> to build two small executables and a shared runtime?

No. The idea of RubyScript2Exe is to let a script run on
Windows in the simplest way possible (or "How can my mother
start an application?"). Manually copying one or more DLL's
isn't the simplest way. You could as well install Ruby...

The "hiding my code" in this thread is just a side effect of
RubyScript2Exe, not one of its goals.

Do you really care about size? I usually don't...

Greetings,
Erik V.
 
Lothar Scholz

Hello Erik,


EV> No. The idea of RubyScript2Exe is to let a script run on
EV> Windows in the simplest way possible (or "How can my mother
EV> start an application?"). Manually copying one or more DLL's
EV> isn't the simplest way. You could as well install Ruby...

EV> The "hiding my code" in this thread is just a side effect of
EV> RubyScript2Exe, not one of its goals.

EV> Do you really care about size? I usually don't...

As long as less than 20% of the world's computer user population has high
bandwidth access there is a problem. One of the papers in the marketing
area of "www.download.com" (still the world's largest download service)
is a statistic about "size <-> download numbers" and there is a clear
indication that programs over 5 MB are getting fewer downloads
than competitive programs.

So yes, depending on my targeted customers, I care about size.
 
Lennon Day-Reynolds

Lothar,

First, it's worth noting that applications implemented in Ruby usually
(though not always) have much smaller file sizes than equivalent
"native" binaries, since the only download needed is the source code
(which is itself quite compact due to Ruby's compact syntax). In
addition, the entire Ruby runtime is a smaller download than any
recent JRE or Python distribution; with a little judicious pruning, it
could almost certainly be reduced further.

If you're targeting Windows, then I highly recommend Exerb. Along with
UPX, (an executable "packer", which transparently compresses binaries)
I've used it to produce standalone Windows EXE files from Ruby scripts
which were 200-300KB in size. With a full GUI toolkit, you should
still be able to come in around the 1MB mark.

One interesting offshoot of the PP installer distribution of Ruby
might be an ActiveX control version of Ruby, optimized for size. I
think that it should be entirely possible to produce a (mostly) static
binary, compressed with UPX, well under 1MB in size. That would
greatly simplify the requirements for distributing Ruby applications
on Windows, which is where users are likely to be the most put off by
the need to install any additional software.

Just my $0.02.

Lennon
 
richard lyman

I use Exerb, EZExerb, and NSIS with HMSoft's interface.

I use SQLite and FXRuby(FOX), and the pre-compressed EXE is over 5
megs. After NSIS compresses it and wraps in all of the other
dependencies I usually get between 1.5 megs and 1.7 megs.

I don't use UPX, though I looked into it once... I should look into it again.

I agree that a 5 meg application is a little outrageous, but when you
think about it... I'm including Scintilla, SQLite, FOX, and OpenGL
support as well - but I'm definitely not using everything that each has
to offer... and that means that I can do more than I've wanted to in
under 2 megs - which isn't that bad in my opinion.

Join all of the above with the fact that I'm writing everything in
Ruby... yeah... I'm almost in heaven.

The only thing I haven't been able to get that I might want would be
_true_ protection of my source code, and a final EXE size of under a
meg ( maybe this could happen with UPX ).

-Rich
 
Randy Lawrence

Neil said:
> How much are you offering to pay? After all, if you're going to be
> obfuscating your code you're clearly not going to be contributing back any
> code.

Are you implying that if a person or company wants to obfuscate (hide)
their database passwords or their registration key generation algorithms
from people they don't trust, that they're "clearly not going to be
contributing back any code"? Using that logic...please post all your
passwords here in cleartext so you can prove to us that you're not an
anti-opensource lackey trying to discredit opensource programmers. :)

If you refer back to my post, you'll see the example scripts I
specifically mentioned were scripts that contained DATABASE PASSWORDS or
REGISTRATION KEY ALGORITHMS.

You ask how much am I offering to pay? For what and to whom? I'm
currently just trying to find out what exists out there and considering
workarounds. If I don't find anything (commercial or free) and the
workarounds aren't satisfactory, I'll probably invest the time to
document requirements sufficient to get bids or to develop it in-house.

If you truly want to know how much other people are willing to pay, look
up commercial Perl or Java obfuscators for the current pricing (prices
were probably adjusted to match demand). As I mentioned in the post,
there is commercial demand for such products.

Best regards.
 
Neil Stevens

Randy said:
> If you refer back to my post, you'll see the example scripts I
> specifically mentioned were scripts that contained DATABASE PASSWORDS or
> REGISTRATION KEY ALGORITHMS.

Registration key algorithms. Exactly.

Have fun,
 
gabriele renzi

> I use Exerb, EZExerb, and NSIS with HMSoft's interface.
>
> I use SQLite and FXRuby(FOX), and the pre-compressed EXE is over 5
> megs. After NSIS compresses it and wraps in all of the other
> dependencies I usually get between 1.5 megs and 1.7 megs.

Are you using LZMA compression or others? The latest NSIS should support
LZMA, which is said to remove an average of 20% more than the previous best
(don't remember what it was... maybe bz2)
 
Lennon Day-Reynolds

UPX can only compress the Ruby core files and DLLs you feed into
Exerb, not the finished EXE, but I've found it still usually gives a
40-50% reduction in the total binary size. So, your installed app
might run in the 2.5-3.0MB range, with the installer about the same as
it is now, since multiple compression runs usually don't buy you much.

UPX might offer a pretty good way to protect reg. key algorithms and
other sensitive strings, as well; as a naive solution, you could just
try compiling them into a simple C extension, and running UPX on the
shared object for that library. The DLL/SO file would then be in a
packed binary format that should frustrate at least casual crackers,
and forcing you to extern sensitive strings into an outside extension
might help you take into account which items were indeed sensitive,
rather than just obfuscating everything.

Lennon
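
Added example, not part of Lennon's post and not UPX code: what packing an extension does and does not hide. Zlib deflate stands in for UPX's compressor, and `SECRET`, `IMAGE` and the helper names are constructed for illustration. A plain strings scan no longer finds the value after packing, but unpacking needs no key (UPX itself restores a packed file with `upx -d`), so this only deters casual inspection.

```ruby
require "zlib"

# Constructed sample data (not from the thread): a fake "extension" image with
# one sensitive string sitting between runs of padding and symbol names.
SECRET = "regkey-salt:constructed-example-value"
IMAGE  = ("\x00" * 64 + "Init_license\x00" + SECRET + "\x00" +
          "rb_define_method\x00" * 4 + "\x00" * 64).b

# Minimal equivalent of the `strings` utility: printable ASCII runs of at
# least min_len bytes.
def printable_strings(blob, min_len = 8)
  blob.b.scan(/[ -~]{#{min_len},}/n)
end

# True when a plain strings scan of the blob reveals the needle.
def visible?(blob, needle)
  printable_strings(blob).any? { |s| s.include?(needle) }
end

# "Pack" step. Zlib deflate stands in for UPX's compressor (an assumption made
# so the example runs without UPX installed).
def pack(image)
  Zlib::Deflate.deflate(image, Zlib::BEST_COMPRESSION)
end

# "Unpack" step: no key is involved, so anyone holding the file can do this.
def unpack(packed)
  Zlib::Inflate.inflate(packed)
end

# Compare what a strings scan sees before packing, after packing, and after
# unpacking again.
def report
  packed = pack(IMAGE)
  {
    plain_visible:    visible?(IMAGE, SECRET),
    packed_visible:   visible?(packed, SECRET),
    unpacked_visible: visible?(unpack(packed), SECRET),
    roundtrip_exact:  unpack(packed) == IMAGE
  }
end

puts report if $PROGRAM_NAME == __FILE__
```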
 
richard lyman

The version of theWRAP that I just looked at didn't compress at all...

... in fact the website says it doesn't compress...

... for me compression is a 'must-have-feature'.

I still think that:

1. exerb
2. EZExerb (yes I'm the creator, so I'm biased ;-) )
3. NSIS

is the way to go for getting a ruby project distributed on windows platforms.

I changed the compression in NSIS from the default of zlib to LZW and
I went from 5.1 megs of scattered files to 1.3 megs in a single file
(Zlib went from 5.1 to 1.7).

-Rich
 
richard lyman

sorry - I switched from zlib compression to LZMA compression - not LZW!!

-Rich
P.s. - I tried UPX... it didn't even come close to 1.3 megs final.
 
