Vulnerability Development: Re: JAVA more insecure than true compiled code?

Re: JAVA more insecure than true compiled code?

From: <dirk.dussart_at_pwc.be>
Date: Mon, 8 Apr 2002 10:06:24 +0200

Hi,

This really has nothing to do with the Java language as such, but it has
more to do with the JAVA VM and the compilation process.
In case you need more obfuscation you can always resort to using a native
compiler.

If you are really interested in decompilation, take a look at the research
of Cifuentes "Reverse Compilation Techniques".
In the context of a PhD thesis the author has shown how to decompile C
programs. Alan Mycroft has shown how to apply Type based
techniques to achieve the same results. The paper is called "Type Based
Decompilation".

Regards,

-- Dirk

                                                                                                                   
Hack Hawk <hugh_at_hackhawk.net>
06/04/2002 20:49

To: <steven.sporen_at_za.pwcglobal.com>, vuln-dev_at_securityfocus.com
cc: "James Washer" <washer_at_us.ibm.com>
Subject: Re: JAVA more insecure than true compiled code?
                                                                                                                   
                                                                                                                   

At 05:17 AM 04/05/2002, steven.sporen_at_za.pwcglobal.com wrote:
>Hi,
>
>I was wondering what people's thoughts are regarding the security of code
>written in JAVA, I recently reverse engineered a product with a freely
>available JAVA decoder and found that it produced code with variable names
>imports etc, making it very easy to find out how it hung together. Could
>this be construed as a security flaw with JAVA?

I wouldn't call it a flaw, but it's definitively a deterrent to using JAVA
in certain situations.

Your comments are the *exact* reason why I use c/c++ instead of JAVA for
certain applications. Of course I understand that binary executables
compiled from c/c++ can be disassembled and reverse engineered too. But it
is orders of magnitude more difficult to do, and there's far less people
capable of doing such a thing.

James Washer said...
>> security-through-obscurity

The choice to use c/c++ instead of JAVA is indeed a choice to ADD
obscurity on top of real security. Obscurity can be a good thing so long
as it's not the ONLY thing your security relies on.

- hawk

Received on Apr 08 2002
