
All times are UTC - 5 hours [ DST ]



Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 11 posts ] 
Post subject: Obfuscating Hibernate applications
PostPosted: Tue Feb 03, 2004 8:35 pm 
Regular

Joined: Thu Nov 20, 2003 10:04 pm
Posts: 64
Location: Melbourne, Australia
I was wondering whether there's a way to obfuscate a Hibernate application? I'm using Tapestry for my frontend and Hibernate for my persistence. Both are very dynamic and use a lot of byte code generation. This is going to cause me a problem when I get to the stage of obfuscating my application.

Has anyone run into this issue before? Any good solutions?


 
 Post subject:
PostPosted: Wed Feb 04, 2004 7:21 am 
Hibernate Team

Joined: Sun Sep 14, 2003 3:54 am
Posts: 7256
Location: Paris, France
It was asked a while ago, but with no solution.

_________________
Emmanuel


 
 Post subject:
PostPosted: Wed Feb 04, 2004 1:57 pm 
Pro

Joined: Tue Aug 26, 2003 1:24 pm
Posts: 213
Location: Richardson, TX
I need to solve this problem too. I haven't done it yet, but here's a thought: Don't obfuscate your POJOs, but encrypt them and load them up with a decrypting classloader. The encryption key can either be stored in the classloader (less secure, even if the classloader is obfuscated) or loaded up remotely via SSL. (Single point of failure if this goes wrong; not feasible in non-networked environments.)

I haven't addressed mapping files yet. :) If I was really paranoid I'd do all of the configuration in code and do the same process as above.

Like I said, I haven't tried this yet. Any thoughts?


 
 Post subject:
PostPosted: Wed Feb 04, 2004 1:59 pm 
Hibernate Team

Joined: Tue Sep 09, 2003 2:10 pm
Posts: 3246
Location: Passau, Germany
A nice article on why decrypting classloaders are completely useless crap can be found here: http://www.javaworld.com/javaworld/javaqa/2003-05/01-qa-0509-jcrypt.html


 
 Post subject:
PostPosted: Wed Feb 04, 2004 2:12 pm 
Pro

Joined: Tue Aug 26, 2003 1:24 pm
Posts: 213
Location: Richardson, TX
I know. Just read it. :)

But, despite what that article says, you can't design security around the "well, SOMEBODY can break it, so why secure it" principle. The trick is to design a security policy that 1) blocks out most casual hacks, and 2) makes a hack difficult enough that it can be detected or not worth the hacker's time.

Just because you can't secure like Fort Knox doesn't mean you leave the front door open...


 
 Post subject:
PostPosted: Wed Feb 04, 2004 2:17 pm 
Hibernate Team

Joined: Tue Sep 09, 2003 2:10 pm
Posts: 3246
Location: Passau, Germany
Well, the fun thing about decrypting classloaders is that they are super easy to detect, and everybody intelligent enough to do a Google search and read a two-page article can circumvent them in under one minute.


 
 Post subject:
PostPosted: Wed Feb 04, 2004 2:33 pm 
Pro

Joined: Tue Aug 26, 2003 1:24 pm
Posts: 213
Location: Richardson, TX
Hey, ya can't convince a skeptic. But if you want to leave the keys to your house out on the street, more power to ya...


 
 Post subject:
PostPosted: Wed Feb 04, 2004 2:34 pm 
Hibernate Team

Joined: Tue Sep 09, 2003 2:10 pm
Posts: 3246
Location: Passau, Germany
Everybody who has the energy and knowledge to use a decompiler to read your class files will not be stopped for more than two minutes by some "decrypting classloader" stuff, that's a fact. Well, that's not really Hibernate related, so let's leave it for now.


 
 Post subject:
PostPosted: Wed Feb 04, 2004 6:19 pm 
Regular

Joined: Thu Nov 20, 2003 10:04 pm
Posts: 64
Location: Melbourne, Australia
Would it be possible to convert the mapping files into code perhaps? Once it's in code form the obfuscator would then know how to deal with it.

This would all depend on whether sufficient APIs exist to do such a thing.


 
 Post subject:
PostPosted: Wed Feb 04, 2004 6:21 pm 
Hibernate Team

Joined: Tue Sep 09, 2003 2:10 pm
Posts: 3246
Location: Passau, Germany
You could do your configuration programmatically by building the DOM tree and passing it to configure(). Note however that your obfuscator still should not do something like method renaming, or Hibernate will not be able to access your get/set methods by reflection. You could work around it by using custom PropertyAccessors which contain the method calls hardwired. Lots of effort though.


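The programmatic configuration described in the reply above, written out as an added example for this page; it is not code from the thread or from the Hibernate project. It assumes the Hibernate 3 package names (org.hibernate; Hibernate 2.x, current when this thread was written, exposed the same configure(Document) and addDocument(Document) methods under net.sf.hibernate), an in-memory HSQLDB connection as a placeholder, and the placeholder names com.example.Account and com.example.HardwiredAccessor for the persistent class and the custom PropertyAccessor. Nothing in the example needs hibernate.cfg.xml or an .hbm.xml file on disk.

```java
// Added example, not code from this thread or from Hibernate.
// Assumes the Hibernate 3 API (org.hibernate.*); com.example.Account and
// com.example.HardwiredAccessor are placeholders for your own classes.
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public final class InCodeHibernateConfig {

    /** The hibernate.cfg.xml equivalent, built as a DOM tree instead of shipped as a file. */
    static Document buildConfigDocument() throws ParserConfigurationException {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element root = doc.createElement("hibernate-configuration");
        doc.appendChild(root);
        Element sessionFactory = doc.createElement("session-factory");
        root.appendChild(sessionFactory);
        // Placeholder connection settings (constructed for the example).
        addProperty(doc, sessionFactory, "connection.driver_class", "org.hsqldb.jdbcDriver");
        addProperty(doc, sessionFactory, "connection.url", "jdbc:hsqldb:mem:demo");
        addProperty(doc, sessionFactory, "connection.username", "sa");
        addProperty(doc, sessionFactory, "dialect", "org.hibernate.dialect.HSQLDialect");
        return doc;
    }

    private static void addProperty(Document doc, Element parent, String name, String value) {
        Element property = doc.createElement("property");
        property.setAttribute("name", name);            // Hibernate adds the "hibernate." prefix itself
        property.appendChild(doc.createTextNode(value));
        parent.appendChild(property);
    }

    /** One class mapping: the in-memory equivalent of Account.hbm.xml. */
    static Document buildMappingDocument() throws ParserConfigurationException {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element root = doc.createElement("hibernate-mapping");
        doc.appendChild(root);

        Element clazz = doc.createElement("class");
        clazz.setAttribute("name", "com.example.Account");   // placeholder persistent class
        clazz.setAttribute("table", "ACCOUNT");
        root.appendChild(clazz);

        Element id = doc.createElement("id");
        id.setAttribute("name", "id");
        id.setAttribute("column", "ID");
        Element generator = doc.createElement("generator");
        generator.setAttribute("class", "native");
        id.appendChild(generator);
        clazz.appendChild(id);

        Element balance = doc.createElement("property");
        balance.setAttribute("name", "balance");
        balance.setAttribute("column", "BALANCE");
        // access= may name a class implementing org.hibernate.property.PropertyAccessor.
        // A hand-written accessor that calls getBalance()/setBalance() directly, instead of
        // looking them up by name, is what lets the obfuscator rename those methods.
        balance.setAttribute("access", "com.example.HardwiredAccessor");   // placeholder
        clazz.appendChild(balance);
        return doc;
    }

    /** Wires both documents into a Configuration without touching the file system. */
    public static SessionFactory buildSessionFactory() throws ParserConfigurationException {
        Configuration cfg = new Configuration()
            .configure(buildConfigDocument())
            .addDocument(buildMappingDocument());
        return cfg.buildSessionFactory();
    }
}
```

Two caveats a practitioner should keep in mind. First, moving the mapping into code does not hide it: "com.example.Account", "balance" and the column names are plain string constants in the class file, and an obfuscator renames identifiers but leaves string literals readable unless it also does string encryption, so a decompiler shows the mapping just as clearly as the XML file did. Second, every name that Hibernate still resolves by reflection has to survive obfuscation: the persistent class named in the mapping must keep its name (or the mapping string must be updated to the obfuscated one), and, for each property without a hardwired accessor, its getter and setter must be excluded from renaming in the obfuscator's keep rules.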
 
 Post subject:
PostPosted: Wed Feb 04, 2004 7:33 pm 
Hibernate Team

Joined: Sun Sep 14, 2003 3:54 am
Posts: 7256
Location: Paris, France
So far compared to open source...

_________________
Emmanuel


 



© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.