SecureSWF

[Alec McEachran]

Does anyone have any experience of using RobotLegs with SecureSWF? I'm pretty desperate and it's pretty urgent. Please let me know ASAP - skype @alecmce, twitter @alecmce. Thanks.

[C. Duneau]

Hi

I don't use robotlegs and SecureSWF together, but pureMVC and SecureSWF.

What is the thing that worries you? I think that, as far as you obfuscate all your swfs together (in case you have several swfs to deploy), it will work fine.

With pureMVC, we have to deploy 2 swfs, if they are obfuscated together (so the reference names are obfuscated the same way), it works like a charm.

c++

---

De : Alec McEachran <al...@alecmce.com>
À : robo...@googlegroups.com
Envoyé le : Mercredi 18 juillet 2012 22h21
Objet : [robotlegs] SecureSWF

Does anyone have any experience of using RobotLegs with SecureSWF? I'm pretty desperate and it's pretty urgent. Please let me know ASAP - skype @alecmce, twitter @alecmce. Thanks. --
You received this message because you are subscribed to the Google
Groups "Robotlegs" group.
To post to this group, send email to robo...@googlegroups.com
To unsubscribe from this group, send email to
robotlegs+...@googlegroups.com
for support visit http://knowledge.robotlegs.org

[Alec McEachran]

It appears that SecureSWF breaks reflection. If you can't reflect, you can't use RobotLegs. I'm currently pulling RobotLegs back out of a project I've just spent a month putting it into, for a release this evening :(.

-- Alec

[Neil Manuell]

eek I feel for you!

[Joni Bekenstein]

Why is it so important to Secure the SWF?

[Michael Wills]

Hi Alec,

I don't know if this will help but you can apparently exclude some identifiers from renaming. Would that allow reflection to work? 

Note: I haven't tried this.

http://www.kindi.com/secureSWF-manual.php#Identifiers_Renaming_Troubleshooting

and there is a stack trace deobfuscator to help pin down the places it breaks

http://www.kindi.com/secureSWF-manual.php#Stack_Trace_Deobfuscator

You can also add metadata to prevent renaming, etc., at a class level.

http://www.kindi.com/secureSWF-manual.php#In-Code_Configuration

Have you had a look at those already?

Sent from my iPad

[Alec McEachran]

Build Requirements. It's a question you can raise only when people aren't waiting for a new build sadly.

-- Alec

[Till Schneidereit]

You can use Injector#addTypeDescription to set up your own type
descriptions without reflection. Add a quickly hacked-up version of
the reflector that can trace out all cached descriptions as json or
whatever and that should be pretty quick to pull off.

[Alec McEachran]

Thanks Till. That sounds great. Only concern would be how SecureSWF changes the names and how to keep correspondence, but at least it's a medium-term solution! 

-- Alec

[Stray]

Possible solution: we have talked about (but not yet implemented) being able to dump the cache of description types.

How many classes have injection points? You *should* be able to capture that describe type data (by dumping the cache in the injector) before you secure the swf, then simply instantiate that cache, so no further reflection is required.

Also - RL1 or RL2? Not that it will make much difference. It's quite a simple task, the only question is whether it's too expansive, which depends on the number of injection points.

hth

Sx

[Stray]

Darn it - if I'd added one less sentence I'd have beaten Till to it :)

Still - always nice when we're on the same page!

[Till Schneidereit]

Right, in the face of renamed classes that scheme would fail pretty
hard. In a pinch, you could think about adding a static field to the
affected classes containing the original name, but that gets tedious
and ugly pretty quickly. Maybe in combination with the SecureSWF
config Michael mentioned above things could work?

@stray: heh, who would've thought that I'd beat you in response time - ever? ;)

[Stray]

:) As you may have guessed, I was away from my computer!

Damn, class renaming is an annoying one.

Does SecureSWF also change field names? In which case it's a seriously uphill battle...

[Alec McEachran]

It's an option definitely. I don't see a way around it… I'm considering rolling my own RL-style non-DI framework… I could call it PureRL :-P

-- Alec

[Till Schneidereit]

"Pure" in the sense of "forces lots of old school boilerplate down
your throat", I presume? ;)

[Stray]

If you could be bothered, you could write a ruby script that found all injected properties and created a describe-type property map for each class as a static property of that class. Presumably SecureSWF would keep the property / type names lined up, even if it changed them.

Change the injector to read that property (if it exists).

How annoying for you!

But not as annoying as 2 full pints of boilerplate.

[Alec McEachran]

Thanks. You guys are great, I'm extremely grateful for you jumping on this. I'm a little out-on-a-limb here, trying to convince a new team the virtues of RL. It's not made easier by their legacy use of a piece of technology that conflicts with it, but the fact that I can get such a lot of thoughtful feedback so quickly after encountering the problem is an excellent counter-point to the problems we've had. I'll keep you posted on how we solve them!

Meanwhile, I'd like you all to close your eyes, and imagine all your config classes mutated into a long list of public static vars all attached to one GLOBAL.as class, Commands constructed up-front, with payloads moved into execute as a parameter, and manually mediated views. If you start sweating profusely, it's ok, open your eyes and remember it's Somebody Else's Problem!

Thanks again.

-- Alec

[Stray]

*high fives all round*

Good luck - I'll try not to have nightmares about your solution...

Sx

[gooreco]

Hi Alec,

would you share with us how you did follow up on respectively solved this issue? I will probably deal with the same issue (using SecureSWF within a RL driven Application) soon and wanted to know how I can solve that. 

Cheers,

Martin