lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: ruff.lists at edelweb.fr (Nicolas RUFF (lists))
Subject: Re: Java class obfuscation

northern snowfall wrote:
>> I was wondering if anyone has any documents compairing the different 
>> java class / method obfusction tools that are available.
>> I am in particular currious to know about the ones that are very easy 
>> to bypass vs. those that are extremely difficult.
> 
> You can't obfuscate java interpreted byte code just like
> you can't obfuscate CPU machine code. The JVM would have
> to be altered to ingest your obfuscated machine code.
> Every type of obfuscation can be defeated as soon as it
> loads the byte-code into memory for analysis by the JVM.
> Thus, you may not have readible byte-code on the disk,
> but, you *will* have it in core.

Sure, basic bytecode obfuscation is known to be reversible and to cause 
trouble depending on your JVM (Sun, Microsoft, Netscape, Symantec, ...).

Even if you cannot make the code unreadable, you certainly can make it 
unusable by a human reader. I recently had a look at Citrix Java ICA 
Client, and they use at least the following techniques :

- Replace all variables by letters (a, b, c, ...)
- Use the same variable names in all scopes (global, class local, 
function local, ...) => you cannot substitute variable names with a 
find/replace tool that is not aware of Java language grammar
- Replace variables by language keywords when possible (after byte-code 
generation, variable names are not restricted by the JVM) => you cannot 
recompile the code
- And so on ...

Believe me, such obfuscated code is really hard to understand.

PS. AFAIK, native CPU machine code encryption is part of the TCPA/NGSCB 
project ...

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
-----------------------------------


Powered by blists - more mailing lists