Further to the excellent 'attacks' on my 'rubyrun' tool, I have revised
some of the internal methods used to
protect itself.

So please visit http://users.impulse.net.au/dragoncity
and download the latest attempt at making ruby program secure

Thanks,
Brett

dragoncity (9)
12/17/2003 10:52:27 PM

On Wed, 2003-12-17 at 23:52, Brett S Hallett wrote:
> Further to the excellent 'attacks' on my 'rubyrun' tool, I have revised
> some of the internal methods used to
> protect itself.
>
> So please visit http://users.impulse.net.au/dragoncity
> and download the latest attempt at making ruby program secure
>
> Thanks,
> Brett

I just did

# ln -sf `pwd`/ruby /usr/local/bin/ruby

from my trial directory and used Clifford's little shell script
to get decrypted.rb again. The problem is that you have to rely on a
system that hasn't been tampered with. But on my computer I can
change everything like I want it to be. I can even build a chroot
environment, a kernel or a virtual machine and fake everything
from the executables to the libraries you may rely on. You have
no possibility to make sure that I did not do this unless you
want to use some big brother technology like TCPA. But I doubt
that you could convince me to use that evil technology. ;)

BTW: Your new version isn't really portable:

(flori@lambda:foo/ 0)$ strings rubyrun |grep local
ln -s /usr/local/bin/ruby X

--
o=lambda{|o|p o};O=Struct.new(:a,:b,:c);e=%q(_(?h,_(?h,_(?\ ,_(?s,_(?u,_(74)),
_(?t)),_(?t,_(?o,_(?n,_(?a))))),_(82,_(?r,_(?e),_(32)),_(32,_(98,_(?u),_(?y)))
)),_(?r,_(99,_(97),_(?k,nil,_(?e))),_(10))));def _(*a)O.new(*a)end;class O;def
e(&o)b&&b.e(&o);o[a];c&&c.e(&o)end;end;def p(o)print(''<<o)end;eval(e).e(&o)

flori (21)
12/18/2003 2:26:03 AM

Brett might however feel it would be sufficient for his purpose to
build a new Ruby main program that decrypts .rbx into memory and
passes that to the embedded runtime. Not terribly secure still, but
ten times better than his previous attempts.

cjh_nospam (27)
12/18/2003 4:05:28 AM

On 2003.12.17 22:52, Brett S Hallett wrote:
> Further to the excellent 'attacks' on my 'rubyrun' tool, I have
> revised some of the internal methods used to
> protect itself.
> So please visit http://users.impulse.net.au/dragoncity
> and download the latest attempt at making ruby program secure
Rather than simply replacing the executable - which you could reduce
the chances of by performing some sort of check on the ruby executable
file: either running a test script and checking that it performs as
expected or doing checks on the binary itself, such as looking at the
symbol table, it's a lot harder to regulate what else is going on.
The method I used was (dare I say it) almost rubyish - I redefined how
write worked (using LD_PRELOAD) and copied everything written to a file
descriptor to a file identified by the process id and numerical value
of the file descriptor in /tmp.
But the method can't be secure while there's the slightest chink of
light in between the ruby interpreter and the decrypter.
Even then, you can't rule out people reverse engineering the decrypter,
and extracting the decryption routine, recompiling it and running that.
And I haven't even got as far as mentioning gdb.
But before anyone got that far, they'd probably find it easier to
modify ruby (source available!) to copy the contents of any script
loaded by the interpreter to a specified directory...

Attachment: catch-write-5326-4

# /home/brett/Ruby_Fox_Gen/addflds.rb
# Generated by RubyFXGen.rb Ver 0.3 on :Mon Dec 15 10:39:02 EST 2003
require 'fox'
include Fox

class MainWindow < FXMainWindow
  def initialize(app)
    super( app, 'ADD TWO FIELDS', nil, nil, DECOR_ALL, 0 , 0,300,150)
    main= FXVerticalFrame.new(self,LAYOUT_FILL_X|LAYOUT_FILL_Y)
    flds= FXMatrix.new(main, 2,MATRIX_BY_COLUMNS|LAYOUT_CENTER_X)
    # flds
    FXLabel.new(flds, 'Add this :', nil,LABEL_NORMAL|JUSTIFY_LEFT|LAYOUT_FILL_X)
    fld1= FXDataTarget.new("")
    FXTextField.new(flds,10, fld1, FXDataTarget::ID_VALUE, FRAME_SUNKEN)
    FXLabel.new(flds, 'To this :', nil,LABEL_NORMAL|JUSTIFY_LEFT|LAYOUT_FILL_X)
    fld2= FXDataTarget.new("")
    FXTextField.new(flds,10, fld2, FXDataTarget::ID_VALUE, FRAME_SUNKEN)
    FXLabel.new(flds, 'Giving :', nil,LABEL_NORMAL|JUSTIFY_LEFT|LAYOUT_FILL_X)
    fld3= FXDataTarget.new("")
    FXTextField.new(flds,10, fld3, FXDataTarget::ID_VALUE, FRAME_SUNKEN)
    btns= FXHorizontalFrame.new(main, LAYOUT_CENTER_X|PACK_UNIFORM_WIDTH)
    # btns
    addbtn= FXButton.new(btns,'Add' ,nil, nil, 0, BUTTON_NORMAL)
    addbtn.connect(SEL_COMMAND) do |sender, sel, checked|
      # ## your button press code here ##
      fld3.value = fld1.value.to_f + fld2.value.to_f
    end # addbtn
    exitbtn= FXButton.new(btns,'Quit' ,nil, nil, 0, BUTTON_NORMAL)
    exitbtn.connect(SEL_COMMAND) do |sender, sel, checked|
      # ## your button press code here ##
      exit()
    end # exitbtn
  end # def initilize

  def create
    super
    show(PLACEMENT_SCREEN)
  end # create
end # class MainWindow

# ============= main prog ============
# Construct an application
theApp = FXApp.new('Smithy','Max')
# Construct the main window
MainWindow.new(theApp)
# Create and show the application windows
theApp.create
# Run the application
theApp.run
# ============= end ============

Attachment: preload.c

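#define _GNU_SOURCE   /* exposes RTLD_NEXT; must come before any include */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <dlfcn.h>

typedef ssize_t (*write_t) (int fd, const void *buf, size_t count);

/* Find the next definition of func after this library (the libc one). */
static void *original(const char *func)
{
    void *res;

    if ((res = dlsym(RTLD_NEXT, func)) == NULL) {
        fprintf(stderr, "dlsym %s error:%s\n", func, dlerror());
        _exit(1);
    }
    return res;
}

/* Replacement write(): append a copy of every buffer to
   /tmp/catch-write-<pid>-<fd>, then call the real write(). */
ssize_t write(int fd, const void *buf, size_t count)
{
    static write_t super = (void*)0;
    char file[4096];
    int fd2;

    if (super == (void*)0)
        super = original(__FUNCTION__);

    snprintf(file, sizeof file, "/tmp/catch-write-%i-%i", getpid(), fd);
    /* O_CREAT needs an explicit mode; without one the file mode is undefined. */
    fd2 = open(file, O_CREAT|O_APPEND|O_WRONLY|O_SYNC, 0600);
    if (fd2 >= 0) {
        super(fd2, buf, count);
        close(fd2);
    }
    return super(fd, buf, count);
}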

g3250 (11)
12/18/2003 10:03:10 AM

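The write() interposer and the substituted interpreter discussed above are both mapped into the process from ordinary files, so they are visible in /proc/<pid>/maps. The following is an added example, not code from the thread or from rubyrun: it scans maps-format text for executable mappings outside an assumed list of trusted directories. The directory list, the function names and the sample data are constructed for illustration, and as the posts above point out, a check like this only helps on a system whose kernel and /proc have not themselves been altered.

```c
#include <stdio.h>
#include <string.h>
/* Assumed policy: directories code is expected to be mapped from. */
static const char *TRUSTED[] = { "/lib/", "/lib64/", "/usr/lib/",
                                 "/usr/bin/", "/usr/local/" };

/* Constructed sample in /proc/<pid>/maps format (not captured output). */
static const char SAMPLE_MAPS[] =
    "08048000-080f0000 r-xp 00000000 03:01 1201 /usr/local/bin/ruby\n"
    "40000000-40015000 r-xp 00000000 03:01 2211 /lib/ld-2.3.2.so\n"
    "40017000-40018000 r-xp 00000000 03:01 9001 /home/user/preload.so\n"
    "40018000-40019000 rw-p 00001000 03:01 9001 /home/user/preload.so\n"
    "4001a000-4001c000 rw-p 00000000 00:00 0 \n"
    "bfffe000-c0000000 rwxp 00000000 00:00 0 [stack]\n";

static int trusted_path(const char *path)
{
    size_t i;
    for (i = 0; i < sizeof TRUSTED / sizeof TRUSTED[0]; i++)
        if (strncmp(path, TRUSTED[i], strlen(TRUSTED[i])) == 0)
            return 1;
    return 0;
}

/* Count executable file mappings outside TRUSTED; first offender -> first[n]. */
int untrusted_mappings(const char *maps, char *first, size_t n)
{
    int hits = 0;
    while (*maps) {
        char line[640], perms[8], path[512];
        size_t len = strcspn(maps, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, maps);
        /* fields: address perms offset dev inode [pathname] */
        if (sscanf(line, "%*s %7s %*s %*s %*s %511[^\n]", perms, path) == 2
            && path[0] == '/' && strchr(perms, 'x') && !trusted_path(path)
            && hits++ == 0)
            snprintf(first, n, "%s", path);
        maps += len + (maps[len] == '\n');
    }
    return hits;
}

int main(void)
{
    char first[512] = "";
    int hits = untrusted_mappings(SAMPLE_MAPS, first, sizeof first);
    printf("%d untrusted executable mapping(s), first: %s\n", hits, first);
    return hits != 0;
}
```
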
Hi, I've tried your version of 'ln' under Debian and it does not like it,
giving either permission errors or saying 'ruby' already exists.
It would appear that your version of Linux is somewhat 'changed'
from the usual installation. :-)
It may well be all we are proving is that Linux (& therefore Ruby) cannot
ever be reasonably 'secure'.
Thanks for your input.
Yours,
Brett
On Thu, 18 Dec 2003 13:26, you wrote:
> On Wed, 2003-12-17 at 23:52, Brett S Hallett wrote:
> > Further to the excellent 'attacks' on my 'rubyrun' tool, I have revised
> > some of the internal methods used to
> > protect itself.
> >
> > So please visit http://users.impulse.net.au/dragoncity
> > and download the latest attempt at making ruby program secure
> >
> > Thanks,
> > Brett
>
> I just did
>
> # ln -sf `pwd`/ruby /usr/local/bin/ruby
>
> from my trial directory and used Clifford's little shell script
> to get decrypted.rb again. The problem is that you have to rely on a
> system that hasn't been tampered with. But on my computer I can
> change everything like I want it to be. I can even build a chroot
> environment, a kernel or a virtual machine and fake everything
> from the executables to the libraries you may rely on. You have
> no possibility to make sure that I did not do this unless you
> want to use some big brother technology like TCPA. But I doubt
> that you could convince me to use that evil technology. ;)
>
> BTW: Your new version isn't really portable:
>
> (flori@lambda:foo/ 0)$ strings rubyrun |grep local
> ln -s /usr/local/bin/ruby X

dragoncity (9)
12/18/2003 11:54:50 PM

Hi,
At Thu, 18 Dec 2003 07:52:27 +0900,
Brett S Hallett wrote:
> Further to the excellent 'attacks' on my 'rubyrun' tool, I have revised
> some of the internal methods used to
> protect itself.
The decrypted temporary file remains if fox.so is not found.
--
Nobu Nakada

nobu.nokada (907)
12/19/2003 7:54:44 AM