My Ruby on Rails app of course contains all business logic and algorithms, and if I install this on a customers server, then they can read my source code, which I want to keep as secret as possible to protect my business.
PHP have several tools which can take the php project and encode it into bytecode, which is exactly what I would like to be able to do for Ruby on Rails.
There are several Ruby on Rails packers, which just bundles it all into an executable, but the plain Ruby source code is still in there.
Question
How to protect your Ruby on Rails source/product when it is installed on a customers server?
There are a few Ruby code obfuscators, that you couple with a packer, to produce something that is at least reasonably hard to reverse-engineer.
If protecting your code is a business need, you might want to try RubyEncoder, a commercial product designed to do exactly what you want. (disclaimer: I didn't)
Note that if secrets in your code are that important to you, you might want to make it a service (e.g. a Web service) that your customer accesses instead of code you deploy on their systems. But that's an option that may not be viable (or desirable) for you for a zillion different reasons…
It is impossible to encode code in such a way that a machine can execute it, but a human cannot read it. In order for your customers to run the code, the CPU must understand the code. CPUs are much, much stupider than humans, so if a CPU can understand the code, then a human can, too.
The only way to protect your code, is to not give it away. Host the app on your own premises and rent access to it out as a service.
Note that reading your code is illegal, so what makes you think that somebody who has no problem with going to prison go get access to your secrets is going to get stopped by some encoding that can be reverse-engineered anyway? (Note that even if they have the un-encoded source code, they still need to reverse-engineer it anyway, since without access to your source repository and design documents, they have no idea why the code is written the way it is.)
Also, for someone who has no problem breaking the law, bribing one of your employees who knows how the code works is going to be much easier than reverse-engineering the code.
There is no general bytecode-format for Ruby. There are several different Ruby implementations, some of them have a bytecode format, some don't. E.g. Opal is a compiler that outputs ECMAScript, no bytecode involved. XRuby was a compiler for the JVM, but it is abandoned. Ruby.NET was a compiler for .NET, but it is abandoned. JRuby is an implementation for the JVM that also includes a compiler. Both YARV, MRuby, and Rubinius have different, incompatible bytecode formats; some of those implementations allow loading bytecode from disk, some don't.
Related
I am evaluating to migrate to Ruby (Ruby on Rails) from PHP. One big concern I have is about the project encryption.
Currently in PHP I encrypt the projects before giving it to the clients by using Source Guardian.
However for Ruby the only option I found is rubyencoder.com (the same company as PHP source Guardian). has anyone tried this software and have first hand experience?
Is there any other software?
Is there any native way in Ruby to encrypt the project?
You should know that this is not really protecting your code. At some point, the code will have to be executed by Ruby's VM (let's assume you're on 1.9.x). The VM itself, unless modified, will only be able to understand the instructions in their unencrypted form.
What this means is that before the encrypted code can be executed, it will have to be transformed back into its original form. And someone badly craving to read your source code could do so by debugging the Ruby process and waiting for that decryption to happen.
Even if it's just the byte code instructions that you will get from this, it's possible to reconstruct quite readable source code from byte code interpretation, here is an example for Java, but similar things are possible for Ruby, too.
Code obfuscation might be more what you are looking for, but it is also a very risky option for Ruby code: it might break sophisticated meta programming features.
I've never been a friend of DRM measures, so it might be that I am quite opinionated here... but are you really, really convinced you will need such features?
There is a simple way of dealing with that if you can use Rubinius to execute the code (there might also exist a similar solution for JRuby since it runs on the JVM): With Rubinius you compile your source code to byte code and ship only the binary code to the client. That code can than be executed on the target system without giving away any source code. For detailed instructions and caveats see this blog post on the rubinius homepage: http://rubini.us/2011/03/17/running-ruby-with-no-ruby/
I am writing an application where the webapp will be rails and it will allow a user to input rules/ruby-logic and save them to the database. Later on, Java will come along and grab these rules (if/else/elseif) and will execute them via jruby engine. I am wondering of the negatives and possible side-effects of this? And having two languages here?
I want to do rails front-end because the available plugins, and speed of development of webapps. For example, groovy doesnt have as many plugins and i believe that it's much slower in development.
Am I missing anything, or possible logic that may be hurtful in the future if I choose this solution?
In addition I think since ruby is dynamic it will be easier for the user to input rules via a 'ruby' syntax instead of another third-party library like bean shell.
I feel like most complex applications end up needing several languages eventually, usually interfacing through the DB as you're planning. I'm not sure what constraint leads to you Java on backend rather than ruby (guessing legacy or performance), but if that's a requirement then your plan sounds reasonable.
As far as negatives/side-effects, Jruby seems to lag a bit behind the latest ruby, but that's not generally a big deal as long as you match versions for the UI & backend. I can't think of anything that would be harmful in this off the top of my head, but the devil is always in the details ;-)
Are there any applications out there that will let me encode my Ruby on Rails code so others can't read it? I plan on selling a few small applications, but I really don't want everyone knowing my code.
Thanks.
Only example I have seen in the wild is Mingle from ThoughtWorks, which runs on JRuby, which I think they must have modified in some way to run the encrypted code.
http://www.thoughtworks-studios.com/mingle-agile-project-management
I think they may have used something like this AOT compiler:
http://kenai.com/projects/jruby/pages/RailsAOT
This also looks promising:
http://www.infoq.com/news/2008/10/rubyencoder
Check out this answer for other ideas.
Can you Distribute a Ruby on Rails Application without Source?
If you want people to able to run your code (and if you don't, then why did you write it in the first place?), then their CPU needs to be able to execute your code. In order to be able to execute the code, the CPU needs to be able to understand it.
Since CPUs are dumb, and humans aren't, this means that humans can understand the code as well.
The only way you can protect your code through technical means, is if you "own" the entire execution path: you need to build your own CPU, your own computer, write your own operating system and your own Ruby interpreter. Then, and only then can you protect your code. (But note that even the tiniest mistake will render all of your protections useless. Microsoft, Apple, Sony, the Music Industry and the Movie Industry can attest to that.)
Or, you could just do nothing, which means that your code will be automatically protected by copyright law.
Thanks for all your answers! Currently I'm looking at jRuby and Ruby Encoder options but if I find neither are what I want then I think I should just sell the code and focus more on getting customers. It really doesn't make sense to spend all this time and money on an encryption that can be easily cracked anyways.
Maybe you could host the application yourself.
This way nobody will have ever access to your code and you're clients will use the application everywhere via Internet and also will pay you for the support.
In order to host rails application the easiest way you could try http://heroku.com/ or even set a small VPS with apache and mod_passenger.
No, there is no way to have executable code that can't be read. Hard to read yes, impossible to read is... impossible. Best you can do is obfuscate, of which there are many examples around the net (but I don't know of any libraries that do it for you).
I want to develop an application that can retrieve information such as, DLL version, DLL build mode(debug or release), info. regarding OS, memory, processer, processes/threads, program version etc. I am developing this mainly for Windows, but it'd be good if the application supports Linux too(wherever applicable).
I am basically a java programmer, and I know C, C++ to some extent.
Which programming language should I go for, that'd make my job easy? i.e. which language has APIs to fetch these kind of information?
Well... APIs are available regardless of the language... But the easiest way to get at what you are trying to do is going to be a C or C++ app. That doesn't mean it'll be easy (getting a DLL version is easy, getting memory and processor type is easy. The other stuff is certainly possible, but you may have to roll up your sleeves and learn the win32 API).
You might want to take a look at an application that already does exactly what you are asking about (Process Explorer) before you try to develop this yourself... It's going to be a big undertaking - and the folks at Sys Internals are really, really good at this stuff, and have already done it.
You commented on Kevin Day's answer that you would prefer to use Java for this.
Java is not very well suited for this, because the information you want to get is very platform-specific, and since Java is designed to be platform-independent, there are not a lot of ways to get at this kind of information from Java.
There are some methods in classes java.lang.System and java.lang.Runtime to get information about the platform that your Java program is running on. For example, class Runtime has a method availableProcessors() that tells you how many processors are available to the Java virtual machine. Note that this is not the same as the number of processors (or cores) that exist in the computer; the documentation even says that the number may change while the program is running.
Lookup the documentation for java.lang.System and java.lang.Runtime for more information.
Most likely you're not going to get exactly the information that you need by using pure Java - C or C++ will be better suited to get this kind of platform-specific information. If you would need this information from a Java program, you could write a small DLL or shared library and use JNI to call into it from your Java program.
Since DLLs are mentioned I presume we are talking about Windows.
I would recommend using WMI queries. They look very much like SQL and give you access to many very useful classes.
e.g. all info about the OS can be found here - in W32_OperatingSystem:
http://msdn.microsoft.com/en-us/library/aa394239(VS.85).aspx
You can use WMI classes from any language including C++.
As a side note - if you start a new application from scratch consider using PowerShell - new scripting language from Microsoft.
I'm wondering if it's possible to distribute a RoR app for production use without source code? I've seen this post on SO, but my situation is a little different. This would be an app administered by people with some clue, so I'm cool with still requiring an Apache/Mongrel/MySQL setup on the customer end. All I really want is for the source to be protected. Encoding seems a popular way to go for distributing PHP apps (eg: Helpspot).
I've found these potential solutions:
Zenobfuscate - not all types of Ruby code is supported however, so that counts that out
Ruby Encoder - may be the best option, as their PHP encoder looks alright (I haven't tried it however) but it's not available yet. I've used IONcube for PHP before and it worked well, but it doesn't seem that IONcube is interested yet.
Slingshot - it was mentioned in the other SO post, but it solves a different problem to mine and the source is still visible.
RubyScript2Exe - from the doco, it's not production ready, so that counts that out.
I've heard that potentially using JRuby and distributing bytecode might be a way to achieve this, but I've never used JRuby so I'm not sure what's involved.
Can anyone offer any ideas and/or known examples? Ideally I'd love to have some kind of automated build scenario as well.
Your best option right now is to use JRuby. A little bit of background: My company (BitRock) works with many proprietary and commercial open source vendors. We help them package their server software, which is typically based on PHP, Java or Ruby together with a web server or application server (Apache, Tomcat), the language runtime and a database (typically Postgres, MySQL) into a self-contained, easy to use installer. We have a large number of PHP-based customers (including HelpSpot, which you mention) but also several Rails-based ones. In the case of the RoR customers the norm is to use JRuby together with Tomcat or Glassfish although in some cases we also bundle a native Ruby interpreter to run specific scripts that rely on libraries not yet ported to JRuby (usually not core to the application). JRuby has matured quickly and in many cases it actually runs their code faster than regular Ruby. You will need to also consider that although porting your code to JRuby is fairly straightforward, you will need to invest some time on that. You may want to check JRuby Stack which is a free installer of everything you need to get started. Good luck!
If you release the source, obfuscated or otherwise, your app will be pirated. See, for example, Mint. It depends on what you're building, but you may find that you're better off releasing the app as a hybrid of sorts: A hosted app with a well-defined API, and a component that runs on the customer's server. As long as the true value of your product lives on the server side, you don't need to obfuscate your code, and you can just release the source code unmodified. Additionally, this may also give you the opportunity to reach clients running, say, PHP rather than Ruby. See, for example, Google Analytics, HopToad, Scout, etc, etc.
You can, but it wouldn't do anything to prevent somebody from reverse-engineering or modifying it. I remember there was an article about similar attempts to obfusticate Perl and how they could be effectively bypassed by a debugger and 5 minutes of effort.
If you can't wait for the delivery of RubyEncoder, then I think ZenObfuscate is the most promising. Though it may require some modifications to your source code, they do say this on their site:
ZenObfuscate costs $2500 for a site license or is individually negotiable for other licensing schemes. Yes, that is expensive. That was on purpose. But don't let that thwart you too much. If your product is really cool and we want to see it succeed, we'll make it work. "Really cool" is not freecell.
Of course, for $2500 (or more), you'd hope to get a few tweaks to the compiler that'd make your codebase fully supported. It might be worth engaging them in the conversation.
You can also take a look at Mingle from ThoughtWorks studios as an example of using JRuby for this.
It's a Ruby on Rails app, they run it using JRuby. They've customized jruby to load encrypted .rb files.
Take a look at JumpBox.
I've had conversations with them on the topic, and they seem to have a solution that will work soon for Rails apps.
I'm wondering if you could just "compile" the ruby code into an executable using something like RubyScript2Exe ?
To be honest I haven't used it but it seems like it could be what you want, even if it just packages up the scripts with the interpreter into a single executable.