Re: JAVA more insecure than true compiled code?

From: dirk.dussart@pwc.be
Date: Mon Apr 08 2002 - 04:06:24 EDT

• Next message: Kayne Ian (Softlab): "RE: combinations of 4"
• Previous message: tmorgan-security@kavi.com: "Re: hello"
• Maybe in reply to: steven.sporen@za.pwcglobal.com: "JAVA more insecure than true compiled code?"
• Next in thread: -l0rt-: "Re: JAVA more insecure than true compiled code?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

This really has nothing to do with the Java language as such, but it has
more to do with the JAVA VM and the compilation process.
In case you need more obfuscation you can always resort to using a native
compiler.

If you are really interested in decompilation, take a look at the research
of Cifuentes "Reverse Compilation Techniques".
In the context of a PhD thesis the author has shown how to decompile C
programs. Alan Mycroft has shown how to apply Type based
techniques to achieve the same results. The paper is called "Type Based
Decompilation".

Regards,

-- Dirk

                                                                                                                   
                    Hack Hawk
                    <hugh@hackhaw To: <steven.sporen@za.pwcglobal.com>, vuln-dev@securityfocus.com
                    k.net> cc: "James Washer" <washer@us.ibm.com>
                                         Subject: Re: JAVA more insecure than true compiled code?
                    06/04/2002
                    20:49
                                                                                                                   
                                                                                                                   

At 05:17 AM 04/05/2002, steven.sporen@za.pwcglobal.com wrote:
>Hi,
>
>I was wondering what people's thoughts are regarding the security of code
>written in JAVA, I recently reverse engineered a product with a freely
>available JAVA decoder and found that it produced code with variable names
>imports etc, making it very easy to find out how it hung together. Could
>this be construed as a security flaw with JAVA?

I wouldn't call it a flaw, but its definitively a deterrent to using JAVA
in certain situations.

Your comments are the *exact* reason why I use c/c++ instead of JAVA for
certain applications. Of course I understand that binary executables
compiled from c/c++ can be disassembled and reverse engineered too. But it

is orders of magnitude more difficult to do, and there's far less people
capable of doing such a thing.

James Washer said...
>> security-through-obscurity

The choice to use c/c++ instead of JAVA is in deed an choice to ADD
obscurity on top of real security. Obscurity can be a good thing so long
as it's not the ONLY thing your security relies on.

- hawk

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

**********************************************************************

• Next message: Kayne Ian (Softlab): "RE: combinations of 4"
• Previous message: tmorgan-security@kavi.com: "Re: hello"
• Maybe in reply to: steven.sporen@za.pwcglobal.com: "JAVA more insecure than true compiled code?"
• Next in thread: -l0rt-: "Re: JAVA more insecure than true compiled code?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:28:03 EDT