WebApp Sec mailing list archives

Re: Code Cracking in Java


From: "Frank O'Dwyer" <fod () littlecatZ com>
Date: Thu, 13 May 2004 09:29:06 +0100

Suresh Ponnusami wrote:

All said, .class files are very vulnerable to attack due to their platform independent nature and open architecture. (Oops! I might spark a debate due to this statement!). But sadly, it is true.

Also, read the Java JVM vulnerabilities by LSD Group.

It's been said already, but I think it's worth reinforcing the point that this is not a problem peculiar to Java. There are people out there who can convert compiled code back to C/C++ as fast as they can write. There are also plenty of tools for debugging/patching code written in just about any language. If you doubt this, try releasing some useful commercial package with a registration check, and see how long it takes before a version of that package with the registration check patched out appears somewhere on the net.

As others have mentioned, unless your clients are running in a trustworthy environment (which for all practical purposes is never the case), then the only worthwhile approach for dealing with this is to do server side checks. This especially applies to authentication and authorisation, which must be validated and maintained on the server, rather than presuming the client has done some check. And yes, there is plenty of code out there which does rely on the client to do it, e.g. clients that retrieve the user's current Windows login identity and then assert it to the server, which then blindly trusts it.

Cheers,
Frank

--
Frank O'Dwyer     <fod () littlecatZ com>
Little cat Z Ltd  http://www.littlecatZ.com/

Upcoming events: One day Information Risk Management Seminar - Lord's Cricket Ground London - May 26th 2004 - 
http://www.littlecatz.com/seminar.html
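The anti-pattern Frank describes (a client asserting its own login identity, a server believing it) next to the server-side alternative, as an added example that is not code from the thread. The session store, header name, user and resource names are constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

// Constructed example: client-asserted identity versus server-established identity.
public class IdentityCheck {
    // Constructed client request: headers plus an opaque session id cookie.
    record Request(Map<String, String> headers, String sessionId) {}

    // Server-side session store: session id -> principal the server itself authenticated
    // (constructed data; a real deployment would back this with the container's session).
    static final Map<String, String> SESSIONS = Map.of("s-7f3a", "alice");
    // Server-side authorization data: who may read the payroll report.
    static final Set<String> PAYROLL_READERS = Set.of("alice");

    // Vulnerable: the client tells the server who it is (e.g. its Windows login name)
    // and the server believes it. Any client, patched or hand-built, can claim any name.
    static boolean vulnerableCanReadPayroll(Request req) {
        String user = req.headers().get("X-Remote-User");
        return user != null && PAYROLL_READERS.contains(user);
    }

    // Hardened: identity comes only from state the server created after its own
    // authentication step; the client-supplied header is never consulted.
    static boolean hardenedCanReadPayroll(Request req) {
        String user = SESSIONS.get(req.sessionId()); // null when no valid session exists
        return user != null && PAYROLL_READERS.contains(user);
    }

    public static void main(String[] args) {
        // A client that merely claims to be alice and holds no valid session.
        Request forged = new Request(Map.of("X-Remote-User", "alice"), "none");
        System.out.println("vulnerable, forged identity: " + vulnerableCanReadPayroll(forged));
        System.out.println("hardened,   forged identity: " + hardenedCanReadPayroll(forged));

        // A client that actually authenticated to the server and holds its session id.
        Request genuine = new Request(Map.of(), "s-7f3a");
        System.out.println("hardened,   genuine session: " + hardenedCanReadPayroll(genuine));
    }
}
```

The forged request passes the vulnerable check and fails the hardened one; the genuine session passes the hardened check without any client-asserted name.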

