Secure Coding mailing list archives
Managing the insider threat through code obfuscation
From: Ken at krvw.com (Kenneth R. van Wyk)
Date: Thu, 15 Dec 2005 08:59:29 -0500
This morning, an article caught my attention -- "Managing the insider threat through code obfuscation", http://www.itmanagersjournal.com/article.pl?sid=05/12/13/1736253

The article's premise is that, because attackers can find out a great deal about the internals of databases and such by decompiling bytecode (in Java and .NET), bytecode should be obfuscated to hide its internal details. The article points to several commercial bytecode obfuscation products: http://www.devdirect.com/ALL/OBFUSCATIORS_PCAT_2014.aspx

I hadn't heard of this approach before, although I'm quite familiar with how easy it is to decompile Java bytecode. My questions for the group are:

o Anyone here have any good/bad experiences with bytecode obfuscation?
o What is the impact on performance of the bytecode?
o How about compatibility with various JVMs?
o How much protection do these obfuscators really provide?
o Is this all just a bunch of product marketing hooey?

Well, at least the article uses the term "threat" correctly...

Cheers,

Ken van Wyk
---
KRvW Associates, LLC
http://www.KRvW.com