Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: JAVA more insecure than true compiled code?

From: dirk.dussart () pwc be
Date: Mon, 8 Apr 2002 10:06:24 +0200

Hi,

This really has nothing to do with the Java language as such, but it has
more to do with the JAVA VM and the compilation process.
In case you need more obfuscation you can always resort to using a native
compiler.

If you are really interested in decompilation, take a look at the research
of Cifuentes "Reverse Compilation Techniques".
In the context of a PhD thesis the author has shown how to decompile C
programs. Alan Mycroft has shown how to apply Type based
techniques to achieve the same results. The paper is called "Type Based
Decompilation".

Regards,

--  Dirk


                                                                                                                   
                    Hack Hawk                                                                                      
                    <hugh@hackhaw        To:     <steven.sporen () za pwcglobal com>, vuln-dev () securityfocus com     
 
                    k.net>               cc:     "James Washer" <washer () us ibm com>                                
                                         Subject:     Re: JAVA more insecure than true compiled code?              
                    06/04/2002                                                                                     
                    20:49                                                                                          
                                                                                                                   
                                                                                                                   




At 05:17 AM 04/05/2002, steven.sporen () za pwcglobal com wrote:

Hi,

I was wondering what people's thoughts are regarding the security of code
written in JAVA, I recently reverse engineered a product with a freely
available JAVA decoder and found that it produced code with variable names
imports etc, making it very easy to find out how it hung together. Could
this be construed as a security flaw with JAVA?


I wouldn't call it a flaw, but its definitively a deterrent to using JAVA
in certain situations.

Your comments are the *exact* reason why I use c/c++ instead of JAVA for
certain applications.  Of course I understand that binary executables
compiled from c/c++ can be disassembled and reverse engineered too.  But it

is orders of magnitude more difficult to do, and there's far less people
capable of doing such a thing.

James Washer said...

security-through-obscurity


The choice to use c/c++ instead of JAVA is in deed an choice to ADD
obscurity on top of real security.  Obscurity can be a good thing so long
as it's not the ONLY thing your security relies on.

- hawk







**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

**********************************************************************
Previous By Date Next
Previous By Thread Next

Current thread: