A strategy for preventing code theft and attacks!

Tohasas Necular
Greenhorn

Joined: Nov 16, 2011
Posts: 2
First, thanks for reading this.

I've been assigned to a Java project which consists of multiple applications connected together. There are some applications that run on web servers, and some other applications have some network-intensive tasks. Our team is currently focusing on the security implementation over these applications. Strangely, our project manager came up with a security strategy which he claims to be less time-consuming to implement, and a more reliable way of implementing security constraints. Here is how that strategy goes.

1. He needs me to make some misleading methods (with misleading method names and functionality), so whenever the class files are decompiled by an attacker, he will have trouble identifying what these methods are and how they work together.

2. He needs me to deliberately develop something in a 'hackable' way, but it gives incorrect information for the bad guy. For instance, a false web.xml and a false .properties file should be obtainable through a directory traversal attack. But these files should contain incorrect information, such as incorrect usernames and passwords, so the attacker will be focusing on working on that, instead of investigating further to see what the other vulnerabilities are.

For me, both of these strategies sound odd. But what he tries to claim is this is a strategy which is heavily used in the software industry. Is that really true? Have you ever worked on an application with this kind of implementation? And do you find that these are reasonable security implementations? Thoughts?
Jeff Verdegan
Bartender

Joined: Jan 03, 2004
Posts: 6109

Tohasas Necular wrote: First, thanks for reading this.
1. He needs me to make some misleading methods


That is security through obscurity, and while it will slow down script kiddies and Sunday rubberneckers, it will provide about as much security against a real attack as an open safe full of Monopoly money would against a burglar going after your jewelry.

2. He needs me to deliberately develop something in a 'hackable' way, but it gives incorrect information for the bad guy.


Ditto.

But these files should contain incorrect information, such as incorrect usernames and passwords,


I just threw up in my mouth a little. I don't know where to begin describing what's wrong with that. It's so wrong it's not even wrong.

For me, both of these strategies sound odd. But what he tries to claim is this is a strategy which is heavily used in the software industry.


I wouldn't be surprised if this stuff is common. There are still a lot of web developer wannabes and sham consultants swirling around the dot-com bowl, offering cheap rates for highly exaggerated services. This stuff is no reasonable kind of security at all.

Before even considering what kind of approach to take, somebody needs to do an honest threat assessment. How likely is it, honestly, that somebody will try to steal your code? How hard will they be willing to work? What will be the actual cost to your company in lost revenue if they do? What will it cost to stop them? How much burden will these "security" measures put on your customers, and how much lost revenue will that cost you?

At some point the powers that be need to consider that 1) You want people using your software, so come up with a reasonable pricing model so that enough people will be willing to pay for it and get support, and 2) For significant threats, legal approaches, such as licensing agreements, are often more effective than technical approaches.

I cannot imagine a situation in which the kind of approach you describe would provide protection that was worth even a fraction of what it cost to develop and maintain it. Good luck.

Unfortunately, based on the picture you paint of your boss so far, this sounds like it's going to end up on thedailywtf.com. He doesn't sound like the type to be persuaded that he doesn't know everything.
Tohasas Necular
Greenhorn

Joined: Nov 16, 2011
Posts: 2
Jeff Verdegan wrote: this sounds like it's going to end up on thedailywtf.com.



For the first one, which is about protecting against class decompilation, I suggested the use of obfuscators, as it might work to some extent. Unfortunately, the above strategy is what I eventually heard back. Worse though, he also needs me to develop two versions of the program - one, which is the correct code, that will be compiled and go to the classes directory; and then the other one, which should be damn 'complex', but doesn't work to any extent, and that should go to the src directory, so the attacker will focus on the available source without going to decompile the actual source and see what's in it.

He appears to have a huge confidence in these two implementations, as he claims to know of its industrial usage!
Jeff Verdegan
Bartender

Joined: Jan 03, 2004
Posts: 6109

Tohasas Necular wrote:
Jeff Verdegan wrote: this sounds like it's going to end up on thedailywtf.com.



For the first one, which is about protecting against class decompilation, I suggested the use of obfuscators, as it might work to some extent.


Obfuscators will stop the casual hacker. But again, how much real damage is a casual hacker going to do? And obfuscators can screw up reflection and possibly make problems harder to diagnose in the field, though I'm not sure how far the state of the art has come; those may not be major problems any more.


Unfortunately, the above strategy is what I eventually heard back. Worse though, he also needs me to develop two versions of the program - one, which is the correct code, that will be compiled and go to the classes directory; and then the other one, which should be damn 'complex', but doesn't work to any extent, and that should go to the src directory, so the attacker will focus on the available source without going to decompile the actual source and see what's in it.


This makes no sense. Why would you deliver a src directory in the first place?

Your boss sounds insane and/or incompetent.

He appears to have a huge confidence in these two implementations, as he claims to know of its industrial usage!


Then his industry experience must include a lot of cheap offshore programmers and owners' nephews who are "into computers". There is no serious, competent company that would do this and consider it valid security. But that's just my word against his, so I'm just glad I'm not you. :-)
Winston Gutkowski
Bartender

Joined: Mar 17, 2011
Posts: 7798

Tohasas Necular wrote: He appears to have a huge confidence in these two implementations, as he claims to know of its industrial usage!

Then his confidence is misplaced. I was a security administrator for a few years and one of the first things you're taught is that nothing is safe.
Nothing.

If some sad nerd or determined cracker has time and money enough, they will get to anything they want; so most admins focus (a) on making that job as hard, frustrating and time-consuming as possible, and (b) logging all points of contact.
Added to that is the fact that Java was never designed with code security in mind. Obfuscators (at least a good one; and there are plenty that aren't) may delay a cracker, but don't be under any illusion that they will stop one.

I believe it's already been mentioned, but building a wall around your code is old thinking and, with the possible exception of Microsoft, most companies focus on selling the product and after-sales service rather than guarding their code to grim death.
Take databases: 20 years ago they were a major value item; today, they're given away for free.

Winston


Isn't it funny how there's always time and money enough to do it WRONG?
Campbell Ritchie
Sheriff

Joined: Oct 13, 2005
Posts: 38851
Not a “beginning” topic, so I shall move it.
 