So what you are saying is that when writing J scripts you are really writing compiled code.
2007/4/26, Alex Rufon <[EMAIL PROTECTED]>:
Leigh, I would suggest not encrypting the file anymore and just implement a licensing module. I agree with Dan's assertion here: ------------------------------ And, bear in mind that J itself is a kind of encoding, and it is fairly difficult to "decrypt". Becoming adept enough at J to read your scripts is probably at least as difficult as becoming adept enough at disassembling to figure out 3!:6 . ------------------------------ This is actually what I do in my day job, I just ship the J scripts in the normal readable format. It also comes with a big advantage of being able to debug and fix any unforeseen bugs later on. :) r/Alex -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Bron Sent: Thursday, April 12, 2007 6:17 AM To: Programming forum Subject: RE: [Jprogramming] Licensing/Controling J Applications Leigh, First, it appears that locked scripts must be stored in a file. That is to say, you can't execute a locked script from a noun. I don't know why. Maybe the frontend unlocks the script. In any case, the documentation does not reflect this requirement and should be expanded [A] . Second, be aware that the argument to 3!:6 is the _text_ to "encrypt", not a filename. So, if you're saying something like this: 3!:6 'filename' change it to this: 3!:6 ] 1!:1 < 'filename' Third, I quoted the word "encrypt" on purpose. Be aware that there is no way, even in theory, for a system to be able to automatically read a locked script but a human user not. Encryption requires that the stakeholder hold a secret key and intervene when he wants to clear (make readable) the text. If J is clearing the script, without you (the stakeholder) entering a secret key every time, then J is holding that secret key. And if J is holding the key, and the user is holding J, then the user is holding the key. So anything J can do, the human user can duplicate. Here is a concrete example of the problem: NB. Create a locked script (3!:6 ] 0 : 0) 1!:2 fl =. < jpath 'temp\test.ijl' secret =: sauce@:* sauce =: +/ ) NB. Verify that the names don't exist yet... nc ;: 'secret sauce' _1 _1 NB. Load the locked script 0!:0 fl NB. Verify that now they do... nc ;: 'secret sauce' 3 3 NB. Now, verify that the definitions of the names are hidden NB. from prying eyes. secret secret NB. Seems pretty safe. secret f. secret NB. Unlock: 'secret' f. sauce@:* NB. That cheat approach won't do much good unless which know NB. which names are locked, so: ] locked_names =: > {. 4!:5&.>i._2 [ 0!:0 fl [ 4!:5&>i. 2 +-----------+------------+ |sauce_base_|secret_base_| +-----------+------------+ NB. Voila (,. 3 : 'y f. 1 : ''5!:5 {.;:''''u'''' '' '&.> ) locked_names +------------+--------+ |sauce_base_ |+/ | +------------+--------+ |secret_base_|sauce@:*| +------------+--------+ NB. See postscript [B] for comprehensive solution I want to stress that the exploit above isn't the problem, only an demonstration of it. Even if Roger "fixed" f. and 4!:5 , other approaches are possible. For example, I could use 15!:6 and 15!:7 . And if Roger made J impregnable through reflection, then, were I adept, I could run J through a disassembler, step through until I got to the section that "decrypts" 3!:6 style strings, and duplicate that logic in a separate utility. In fact, I'd wager that 3!:6 is just encoder anyway (not an encrypter which uses, e.g., AES and stores the private key in the binary), and is vulnerable to commonplace attacks, particularly since anyone can convert plaintexts to locked texts for testing. So, the questions you need to ask yourself are "how difficult should it be for a user to duplicate the clearing process?" and "how much is each additional layer of difficulty worth to me?". And, bear in mind that J itself is a kind of encoding, and it is fairly difficult to "decrypt". Becoming adept enough at J to read your scripts is probably at least as difficult as becoming adept enough at disassembling to figure out 3!:6 . So, how likely is it that your clients will know or be able to learn enough J to be able to extend their license by modifying your script? If it's likely, then you can obscure your code. If you used lines like those below, THEN how likely would it be that your clients could "decrypt" it? temps =. (+0 _17 _3 _12 _20 _1 _16 _16 _78 _3 _16 _78 _4 _2 +117);(+100 +11 _3 11 21 0 10 16) 29 (p:5)!:8@: [^:] 36b1mp2<enthalpy~3{.6!:0$~0[".]>{.'entropy enthalpy'=.a.&i.^:_1:L: 0]59796160561 4641 A.&.> temps -Dan [A] The requirement should be mentioned at http://www.jsoftware.com/help/dictionary/dx000.htm or http://www.jsoftware.com/help/dictionary/dx003.htm#6 or both. [B] I've created script to unlock 3!:6 files and create a reasonable approximation of the original cleartext. The fundamental principles are the same as the demonstration exploit, but the script handles all the edge conditions wrt parts of speech, explicit code, etc. Here's an example (using the locked script created above): > cd x:\path\to\j\root > jconsole ~user\general\unlock.ijs ~temp\test.ijl > temp\test.ijs > type temp\test.ijs sauce_base_ =: +/ secret_base_ =: sauce@:* Get the script here: http://www.jsoftware.com/svn/DanBron/trunk/general/unlock.ijs ---------------------------------------------------------------------- For information about J forums see http://www.jsoftware.com/forums.htm ---------------------------------------------------------------------- For information about J forums see http://www.jsoftware.com/forums.htm
-- Björn Helgason, Verkfræðingur Fugl&Fiskur ehf, Þerneyjarsund 23, Box 127 801 Grímsnes ,t-póst: [EMAIL PROTECTED] Skype: gosiminn, gsm: +3546985532 Landslags og skrúðgarðagerð, gröfuþjónusta http://groups.google.com/group/J-Programming Tæknikunnátta höndlar hið flókna, sköpunargáfa er meistari einfaldleikans góður kennari getur stigið á tær án þess að glansinn fari af skónum /|_ .-----------------------------------. ,' .\ / | Með léttri lund verður | ,--' _,' | Dagurinn í dag | / / | Enn betri en gærdagurinn | ( -. | `-----------------------------------' | ) | (\_ _/) (`-. '--.) (='.'=) `. )----' (")_(")
---------------------------------------------------------------------- For information about J forums see http://www.jsoftware.com/forums.htm
