RE: JAVA more insecure than true compiled code?

From: The Picard (thepicardat_private)
Date: Fri Apr 05 2002 - 20:20:58 PST


If the code is security-sensitive, then it should not reach an untrusted party in any form (machine language resulting from compiled code or byte-code resulting from Java). If you want to hide the code from others, use a client-server approach (such as through a web interface) and then the sensitive code will run on the server. The issue is no different than with other languages: you cannot trust what runs on the client (because it's outside your control). Whether it's compiled code, client-side scripting (like Javascript and VBScript) or a Java applet makes no difference.

On the other hand, Java makes it easier to reverse-engineer the code. Decompilers have been around for years and it's a known design characteristic of the bytecode. It's less of a security issue (compiled programs have been cracked for years, after all) but more of an issue of protecting intellectual property. For a native Java product (which necessarily is given to the customer in bytecode), reverse engineering it is easier for potentially interested competitors. Decompiling can be made harder with code obfuscators and although not perfect, they raise the barrier of entry and casually interested people will probably give up. Quite a few commercial Java applications use obfuscators.

So, to answer your question, it's not a security flaw unless the language is misused.

-----Original Message-----
From: steven.sporenat_private
[mailto:steven.sporenat_private]
Sent: Friday, April 05, 2002 8:17 AM
To: vuln-devat_private
Subject: JAVA more insecure than true compiled code?


Hi,

I was wondering what people's thoughts are regarding the security of code
written in JAVA. I recently reverse engineered a product with a freely
available JAVA decoder and found that it produced code with variable names,
imports, etc., making it very easy to find out how it hung together. Could
this be construed as a security flaw with JAVA?

Thoughts and comments are appreciated.

  Steven
----------------------------------------------------------------
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.   If you received
this in error, please contact the sender and delete the material from any
computer.

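The thread's point that decompilers recover variable names and imports, and that a renaming obfuscator only raises the bar, comes down to where those names live: a `.class` file's constant pool and its field and method tables store every identifier as plain UTF-8. The following is an added example, not code from either poster: a small Python parser that reads those tables and lists the names, run over a class file that the script itself constructs (`build_class_file`; the names `com/example/LicenseCheck`, `secretKey` and `validateLicense` are made up for illustration). A second constructed file with the identifiers renamed to `a` shows what a renaming obfuscator leaves behind: the names go, but the type descriptors and structure stay.

```python
"""Added example (not from the original thread): list the identifiers stored in a
Java .class file.  The sample class files are constructed inline by
build_class_file(); all class, field and method names in them are made up."""
import struct

# Constant-pool tags from the JVM class file specification (section 4.4).
CONSTANT_Utf8, CONSTANT_Integer, CONSTANT_Float = 1, 3, 4
CONSTANT_Long, CONSTANT_Double, CONSTANT_Class, CONSTANT_String = 5, 6, 7, 8
CONSTANT_Fieldref, CONSTANT_Methodref, CONSTANT_InterfaceMethodref = 9, 10, 11
CONSTANT_NameAndType, CONSTANT_MethodHandle, CONSTANT_MethodType = 12, 15, 16
CONSTANT_Dynamic, CONSTANT_InvokeDynamic, CONSTANT_Module, CONSTANT_Package = 17, 18, 19, 20

# Payload size (bytes after the tag) of every fixed-size constant pool entry.
_FIXED_SIZE = {
    CONSTANT_Integer: 4, CONSTANT_Float: 4, CONSTANT_Long: 8, CONSTANT_Double: 8,
    CONSTANT_Class: 2, CONSTANT_String: 2, CONSTANT_Fieldref: 4, CONSTANT_Methodref: 4,
    CONSTANT_InterfaceMethodref: 4, CONSTANT_NameAndType: 4, CONSTANT_MethodHandle: 3,
    CONSTANT_MethodType: 2, CONSTANT_Dynamic: 4, CONSTANT_InvokeDynamic: 4,
    CONSTANT_Module: 2, CONSTANT_Package: 2,
}


def parse_class_file(data: bytes) -> dict:
    """Return the class, superclass, field and method names stored in a .class file."""
    magic, _minor, _major, cp_count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos = 10
    pool = [None]  # constant pool indices are 1-based
    while len(pool) < cp_count:
        tag = data[pos]
        pos += 1
        if tag == CONSTANT_Utf8:
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            # The spec's "modified UTF-8" matches UTF-8 for the ASCII names used here.
            pool.append(data[pos:pos + length].decode("utf-8"))
            pos += length
        elif tag == CONSTANT_Class:
            (name_index,) = struct.unpack_from(">H", data, pos)
            pool.append(("class", name_index))
            pos += 2
        elif tag in _FIXED_SIZE:
            pool.append(("other", tag))
            pos += _FIXED_SIZE[tag]
            if tag in (CONSTANT_Long, CONSTANT_Double):
                pool.append(None)  # 8-byte constants occupy two pool slots
        else:
            raise ValueError(f"unknown constant pool tag {tag}")

    def resolve_class(index: int) -> str:
        _kind, name_index = pool[index]
        return pool[name_index]

    _access, this_class, super_class, iface_count = struct.unpack_from(">HHHH", data, pos)
    pos += 8 + 2 * iface_count  # skip the interface index table

    def read_members() -> list:
        nonlocal pos
        (count,) = struct.unpack_from(">H", data, pos)
        pos += 2
        members = []
        for _ in range(count):
            _flags, name_index, desc_index, attr_count = struct.unpack_from(">HHHH", data, pos)
            pos += 8
            for _ in range(attr_count):  # skip attributes (Code, Signature, ...)
                _attr_name, attr_len = struct.unpack_from(">HI", data, pos)
                pos += 6 + attr_len
            members.append((pool[name_index], pool[desc_index]))
        return members

    fields = read_members()
    methods = read_members()
    return {"class": resolve_class(this_class), "super": resolve_class(super_class),
            "fields": fields, "methods": methods,
            "utf8": [e for e in pool if isinstance(e, str)]}


def build_class_file(class_name: str, field: str, method: str) -> bytes:
    """Assemble a minimal constructed class file: one String field, one native method."""
    utf8 = [class_name, "java/lang/Object", field, "Ljava/lang/String;", method, "(Ljava/lang/String;)Z"]
    pool = b""
    for s in utf8:  # pool indices 1..6
        enc = s.encode("utf-8")
        pool += struct.pack(">BH", CONSTANT_Utf8, len(enc)) + enc
    pool += struct.pack(">BH", CONSTANT_Class, 1)  # index 7: this class
    pool += struct.pack(">BH", CONSTANT_Class, 2)  # index 8: java/lang/Object
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, 9)  # cp_count = entries + 1
    body = struct.pack(">HHHH", 0x0021, 7, 8, 0)  # ACC_PUBLIC|ACC_SUPER, this, super, no interfaces
    body += struct.pack(">HHHHH", 1, 0x0002, 3, 4, 0)  # one private field, no attributes
    body += struct.pack(">HHHHH", 1, 0x0101, 5, 6, 0)  # one public native method, no attributes
    body += struct.pack(">H", 0)  # no class attributes
    return header + pool + body


def names_in(class_bytes: bytes) -> list:
    """The identifiers a decompiler reads straight out of the file."""
    info = parse_class_file(class_bytes)
    return [info["class"]] + [n for n, _ in info["fields"]] + [n for n, _ in info["methods"]]


ORIGINAL = build_class_file("com/example/LicenseCheck", "secretKey", "validateLicense")
OBFUSCATED = build_class_file("a/b", "a", "a")  # what a renaming obfuscator leaves behind

if __name__ == "__main__":
    print("original  :", names_in(ORIGINAL))
    print("obfuscated:", names_in(OBFUSCATED))
```

Running the script prints the three meaningful names from the first file and only `a/b`, `a`, `a` from the second; the method descriptor `(Ljava/lang/String;)Z` is identical in both, which is why obfuscation hides intent but not structure, and why a secret embedded in the client still ends up in the hands of whoever holds the file.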

This archive was generated by hypermail 2b30 : Sun Apr 07 2002 - 11:24:19 PDT