OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: dirk.dussartpwc.be
Date: Mon Apr 08 2002 - 03:06:24 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi,

    This really has nothing to do with the Java language as such, but it has
    more to do with the JAVA VM and the compilation process.
    In case you need more obfuscation you can always resort to using a native
    compiler.

    If you are really interested in decompilation, take a look at the research
    of Cifuentes "Reverse Compilation Techniques".
    In the context of a PhD thesis the author has shown how to decompile C
    programs. Alan Mycroft has shown how to apply Type based
    techniques to achieve the same results. The paper is called "Type Based
    Decompilation".

    Regards,

    -- Dirk

                                                                                                                       
                        Hack Hawk
                        <hughhackhaw To: <steven.sporenza.pwcglobal.com>, vuln-devsecurityfocus.com
                        k.net> cc: "James Washer" <washerus.ibm.com>
                                             Subject: Re: JAVA more insecure than true compiled code?
                        06/04/2002
                        20:49
                                                                                                                       
                                                                                                                       

    At 05:17 AM 04/05/2002, steven.sporenza.pwcglobal.com wrote:
    >Hi,
    >
    >I was wondering what people's thoughts are regarding the security of code
    >written in JAVA, I recently reverse engineered a product with a freely
    >available JAVA decoder and found that it produced code with variable names
    >imports etc, making it very easy to find out how it hung together. Could
    >this be construed as a security flaw with JAVA?

    I wouldn't call it a flaw, but its definitively a deterrent to using JAVA
    in certain situations.

    Your comments are the *exact* reason why I use c/c++ instead of JAVA for
    certain applications. Of course I understand that binary executables
    compiled from c/c++ can be disassembled and reverse engineered too. But it

    is orders of magnitude more difficult to do, and there's far less people
    capable of doing such a thing.

    James Washer said...
    >> security-through-obscurity

    The choice to use c/c++ instead of JAVA is in deed an choice to ADD
    obscurity on top of real security. Obscurity can be a good thing so long
    as it's not the ONLY thing your security relies on.

    - hawk

    **********************************************************************
    This email and any files transmitted with it are confidential and
    intended solely for the use of the individual or entity to whom they
    are addressed. If you have received this email in error please notify
    the system manager.

    **********************************************************************