2

Currently i have a back-end system written in Java that process, massage and forward the data to a external HSM module for encryption. It was consider secure enough back then. However, recent audit findings requires all back-end Java classes to be secured as well.

I have read about GCJ, it compiles the Java Byte codes to Native code. This will definitely make it harder to reverse engineer.

After more than 30 hours googling & trying, i couldn't even get the compile going. I failed to To compile with GCJ on my 5 servlets and more than hundreds other java classes. That also means, I have not test it with tomcat yet, i have no idea where this is going.

So here are the questions i wish to know:

1) anyone out there has any success compiling java sevlets with GCJ and running it under Tomcat? If yes, is there any guide or sample directly related to compiling a java servlet?

2) am i on the right path in securing java classes? If not, then what is the better approach?

Reusable
  • 1,888
  • 7
  • 27
  • 46

2 Answers2

2

I have read about GCJ, it compiles the Java Byte codes to Native code. This will definitely make it harder to reverse engineer.

This is a false assumption. If you want to obfuscate your Java bytecode use ProGuard.

anyone out there has any success compiling java sevlets with GCJ and running it under Tomcat? If yes, is there any guide or sample directly related to compiling a java servlet?

Think about what you are trying to do here. Tomcat loads servlets dynamically by importing the class files inside a Jar file or directory. GCJ compiles Java classes to executables or native library files. Tomcat won't be able to load these native binary files at run time.

You might be able to make your own web server by embedding Jetty and compiling it with GCJ but I doubt that's what you really want to do. There are a ton of bytecode obfuscation tools out there that are made to solve this very problem. ProGuard is what Google recommends for Android development and is free.

Update

If you are using reflection in your app you can configure ProGuard to not rename/remove certain classes with the following lines in your proguard.cnf file.

-keep public class * extends com.package.ClassName
-keepclassmembers class * extends com.package.ClassName
wm_eddie
  • 3,938
  • 22
  • 22
  • I have tried yGuard, and it kill all my reflection call. Are you saying ProGuard able to avoid obfuscating the reflection methods? – Reusable Apr 17 '12 at 06:22
  • ProGuard by default will try to remove classes that look unused as well as rename classes and class members. However you can configure it to keep certain classes and also prevent renaming certain methods. – wm_eddie Apr 17 '12 at 07:17
  • @wm_eddie "This is a false assumption." Would you please back this statement with facts? – Dmitry Leskov May 03 '12 at 08:43
  • @Reusable Fact is, AOT compilation is interoperable with name obfuscation, so you can use both. – Dmitry Leskov May 03 '12 at 08:44
0

You can compile Tomcat Web apps natively with Excelsior JET (NOTE: I work for Excelsior)

Dmitry Leskov
  • 3,233
  • 1
  • 20
  • 17