int i = 7;
..
int j = i + 4;
while (j < 8003) {
    .. arr[(j-3)/(i+1)] ..;
    j += (i+1);
}
Control obfuscation, including reordering techniques, adding irrelevant statements as “camouflage,” and more

Adding code that tries to “break” decompilers. For example, for many years the most commonly used decompiler for Java was a freeware program called Mocha. An obfuscator appropriately called HoseMocha appends extra instructions after the return instruction, which does not affect the execution of the program but causes Mocha to crash.
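As an added illustration (not code from the book), the following Python reproduces the index arithmetic of the obfuscated loop shown above and checks it against the straightforward loop it disguises. The function names and the sample array are constructed for this example, and Python's `//` stands in for the integer division of the Java-style snippet.

```python
# Added example, not from the book: the obfuscated loop
#   i = 7; j = i + 4; while (j < 8003) { arr[(j-3)/(i+1)] ...; j += (i+1); }
# touches exactly the same array slots, in the same order, as a plain
# loop over the indices 1..999. Every name below is constructed here.


def obfuscated_indices():
    """Replay the book snippet's index computation with integer division."""
    i = 7
    j = i + 4
    visited = []
    while j < 8003:
        visited.append((j - 3) // (i + 1))  # j = 11 + 8k  ->  index k + 1
        j += i + 1
    return visited


def plain_indices():
    """The readable loop a developer would normally write: indices 1..999."""
    return list(range(1, 1000))


def loops_equivalent():
    """True when both loops produce the identical index sequence."""
    return obfuscated_indices() == plain_indices()


def sum_via_both_loops(arr):
    """Walk a constructed array with each loop and return both sums.

    The obfuscated walk reads arr[(j-3)//(i+1)]; the plain walk reads arr[k].
    Equal sums confirm the transformation hides, not changes, the traversal.
    """
    obf_total = sum(arr[idx] for idx in obfuscated_indices())
    plain_total = sum(arr[k] for k in plain_indices())
    return obf_total, plain_total


if __name__ == "__main__":
    sample = [n * n for n in range(1000)]  # constructed data, arr[0..999]
    print("equivalent:", loops_equivalent())
    print("sums:", sum_via_both_loops(sample))
```

Reading the two functions side by side is the point: the obfuscated form encodes a 1..999 traversal behind arithmetic on `i` and `j`, so a decompiler shows the reader the disguised version while the program's behaviour is unchanged.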
Let's look at a simple example. Sun Microsystems obfuscates the core Java security libraries with DashO by PreEmptive Solutions. If I try to decompile or run javap on the class com.sun.security.x509.X509Key, I get the following errors:
Decompile:
Couldn't fully decompile method buildX509Key
Couldn't resolve all exception handlers in method buildX509Key
Javap:
Error: Binary file 'X509Key' contains
sun.security.x509.X509Key
The important thing for you to remember is that code-obfuscating utilities exist—as freeware, shareware, and commercial products. If you are serious about removing application vulnerabilities, make sure the developers use these utilities.
5.3 Secure the database from SQL injection attacks
SQL injection is a technique for exploiting applications that use relational databases as their back end. The technique uses the fact that applications have an available connection to the database and that the application layer composes SQL statements and sends them off to the database to extract data or perform certain functions. SQL injection often uses the fact that