Protecting Java Software Applications Arxan Best Practices White Paper

1Arxan Technologies White Paper – Arxan protects your IP from software piracy, tampering, reverse engineering and any manner of theft.

2Arxan Technologies White Paper – Arxan protects your IP from software piracy, tampering, reverse engineering and any manner of theft.

TABLE OF CONTENTS Executive Summary 3 Java Is Powerful, But Also Vulnerable 4

Attacking and Defending Java Applications 7

Deploying GuardIT for Java 8

Notices 8

3Arxan Technologies White Paper – Arxan protects your IP from software piracy, tampering, reverse engineering and any manner of theft.

Executive SummaryJava is widely used in web application programming. Web and enterprise applications are predominantly programmed in Java today. Java is widely used to build IP-intensive thick client applications such as banking clients, social networking clients and MMORPG game clients; and in software powered devices such as routers, embedded controllers, firewall devices and digital media devices. Ease of development, cross-platform support and increasing performance are all factors driving Java adoption.

Java code is easily hacked, making IP and sensitive data vulnerable. Java code, being a managed language distributed as intermediate-level byte code, is highly susceptible to reverse engineering and tampering attacks. This allows IP theft, data theft and piracy. Ease of code analysis also enables rapid vulnerability discovery, which in turn accelerates the development of damaging malware. As malware moves up the stack to the application layer, insider attacks continue to rise, and IP is targeted by hackers, securing Java code against compromise is vital to safeguarding of an organization’s software and data assets.

Java protection that really works. Enterprises and software vendors are generally aware of the need to protect Java software – whether thick clients, thin clients or enterprise applications. To date, however, the main technology available for protection comprises superficial techniques such as string encryption and variable renaming. Such methods are easily reversed and have a short effective shelf life, leading to the myth that Java cannot be protected. In reality, string encryption and variable renaming form a useful first layer, but are quite inadequate when used in isolation. Arxan combines these popular measures with strong binary-level obfuscation and secure class loading for meaningful protection. Additionally, we provide tamper-evidence to achieve longevity of protection, providing real time security alerts of potential system compromise and allowing software and its managers to react intelligently – for example by self-healing exploits or proactively initiating a security layer renewal.

GuardIT secures your software ecosystem. Arxan’s GuardIT for Java provides a multi-pronged solution to durably fortify your Java code against disassembly, static analysis, dynamic analysis and tampering. The diagram below shows how GuardIT for Java secures code, keys and data throughout the client and server layers of the enterprise. GuardIT for Java also provides defense in depth for perimeter security measures, and enables secure communication (e.g. for tamper evidence notification or forensics information) across components.

4Arxan Technologies White Paper – Arxan protects your IP from software piracy, tampering, reverse engineering and any manner of theft.

GuardIT for Java is part of the GuardIT family of products, which protects desktop, server and embedded software against malware, IP theft, piracy and tampering on a variety of platforms. GuardIT is the only solution on the market today which seamlessly enables protection spanning managed and native portions of your C/C++, Java, mixed-mode and Java applications.

Java Is Powerful, But Also VulnerableWeb applications and enterprise applications for data management, financial transactions, e-commerce and internal productivity are predominantly coded in Java today. Java is also increasingly used in developing thick client applications that have traditionally been coded as native desktop applications. The major problem with Java, however, is that it is very easily reverse engineered.

Java byte code is intermediate code, rich in metadata and semantic information. It is trivially easy to reverse the Java assembly process. There are a number of free or low cost decompilers such as JAD and DJ which can analyze Java binaries and reconstruct the original source to near perfection. Trends such as outsourcing of development and testing to third party vendors, and the increasing incidence of insider attacks on information security systems, magnify the risk to enterprise applications. This gives rise to the following consequences:

• It is trivial for hackers to steal IP, construct tampering exploits to disable security functions, or discover vulnerabilities and build malware exploits.

• Interfaces between the application and security measures such as license management or user authentication are particularly vulnerable.

• Hard coded credentials, secrets in Java key stores, and similar sensitive assets are easily discovered and abused.

• Feature-rich web 2.0 client applications require special attention to protect them against hackers and malware.

Once hackers find vulnerabilities in the application, they construct exploits to leverage these in the wild. Examples of exploits include:

• In the case of enterprise and web applications, the majority of exploits is built to enable theft of sensitive data – whether from backend databases or from client front ends.

• In the case of licensed software, exploits are built to enable piracy – by circumventing license management, or by building counterfeits. These tampering attacks are particularly easy on unprotected Java applications. The hacker simply decompiles the binary into source, makes the necessary edits, and recompiles.

• In cases of both enterprise and desktop applications, exploits to inject malware - whether by exploiting input-based vulnerabilities or by compromising the authentication methods designed to securely update deployed software.

The Client TierClient tier applications, thick client applets and thin clients run in hostile, untrusted environments yet. They perform real work in terms of validation, data processing and calculations. In the case of desktop applications, they also incorporate significant proprietary IP and generally have a license management component. Code in the client tier generally exposes business logic, hard coded credentials, SQL query structure, and similar sensitive information. These assets are easy targets of attack since hackers have complete control over the client and its execution environment.

Clients are vulnerable to reverse engineering to discover these assets, and exploitable vulnerabilities in both the client and the backend enterprise system. They are also vulnerable to tampering attacks for data and IP theft, as well as malicious invasions of the backend server. Attackers simply decompile the client code, which they have full access to. They then edit the code as necessary, and recompile.

5Arxan Technologies White Paper – Arxan protects your IP from software piracy, tampering, reverse engineering and any manner of theft.

The Web Tier

Web tier applications include those running in a data management zone (DMZ) as well as those running inter-nally in the enterprise. Such applications are somewhat protected by perimeter security measures such as intru-sion detection systems and web application firewalls (WAFs). However, they are still vulnerable to exploitation by malware and to insider attacks. Studies show, for example, that over 60% of departing employees steal corporate data. Employees and system administrators often have access to hard coded credentials and keys that can also be abused. Additionally, employees can unwittingly infect their computers with malware, subsequently exposing internal data and applications to compromise. As companies expand to selling in emerging markets and outsourcing service units to other countries, web tier applications are increasingly vulnerable to reverse engineering and tampering attacks.

Web tier applications are vulnerable to reverse engineering to discover corporate IP, secure authentication credentials and keys embedded in the code. They require protection against malware injection and tampering. Real time security alerts regarding running applications, with information on tamper evidence and attempted intrusions, is particularly important for this class of applications.

The Web Tier

The diagram above and table below discuss the various types of assets at risk in the Java ecosystem, the types of threats used to exploit these assets.

6Arxan Technologies White Paper – Arxan protects your IP from software piracy, tampering, reverse engineering and any manner of theft.

Java Application Type Threats Resulting Compromise

Thick client or applet Reverse engineering • Discovery of proprietary IP such as business logic • Discovery of hard coded credentials• Discovery of coding vulnerabilities exploitable by insiders or malware

Tampering • Malware invasion• Disabling authentication-based data access control and similar data security functionality• Altering functionality of gaming (MMORPG) clients for cheating

Java Web Start Applications Tampering • Injection of malicious code• Altering of security routines

Desktop applications Reverse engineering • Identification of proprietary IP• Find vulnerabilities in license management component, and in interface between application and license management• Find vulnerabilities in methods used to authenticate software updates

Code lifting • Counterfeiting

Tampering • Widespread piracy of software• Injection of malware into software platform

Thick or thin clients Reverse engineering • Discovery of secret keys used to prove identity and secure internet communications

Perimeter security appliances-such as a WAF or anti-malware device

Tampering • Invasion by malware

Web tier applications such as servlets

Reverse engineering • Discovery of vulnerabilities exploitable by malware• Discovery of proprietary IP such as business logic• Discovery of hard coded credentials and secret keys, and consequent data theft

Tampering • Malware invasion

Business tier applications such as EJB model

Reverse engineering • Discovery of vulnerabilities exploitable by malware• Discovery of proprietary IP such as business logic• Discovery of hard coded credentials and secret keys, and consequent data theft

Backend enterprise applications and services

Reverse engineering • Discovery of vulnerabilities exploitable by malware• Discovery of proprietary IP such as business logic• Discovery of hard coded credentials and secret keys, and consequent data theft

Tampering • Malware invasion• Unauthorized access to data• Unauthorized access to application or service• Unauthorized use of application or service

Code lifting • Theft of proprietary business logic and applications

Backend database Reverse engineering • Theft of proprietary business logic and applications

7Arxan Technologies White Paper – Arxan protects your IP from software piracy, tampering, reverse engineering and any manner of theft.

Across all software segments and uses, hardening of Java applications is imperative to protect your intellectual property and sensitive data against piracy, theft and malware. It is no surprise that application security is a new top initiative among Fortune 1000 organizations.

Attacking and Defending Java ApplicationsAcross all software segments and uses, hardening of Java applications is imperative to protect your intellectual property and sensitive data against piracy, theft and malware. It is no surprise that application security is a new top initiative among Fortune 1000 organizations.

STEP 1: Decompile the binary. This results in recovery of source code. Recovering high quality source code is critical to the subsequent hacking process.

STEP 2: Comprehend the code. Based on the results of decompilation (step 1), the attacker analyzes and attempts to comprehend the source code to identify valuable intellectual property, discover exploitable vulnerabilities, and find secret keys. Popular targets include routines for license management, data access management, transaction session management, and application extension/update channels.

STEP 3: Build the exploit. Knowledge acquired from comprehension (step 2) is used to build a tampering or malware injection exploit.

Successful construction of an exploit is dependent on accurate comprehension of code, which in turn can be achieved only after a high-quality decompilation. Traditional techniques to protect Java applications focus on preventing comprehension of the reconstructed source code through string encryption and variable renaming. GuardIT for Java provides effective and durable protection by hardening against all three phases of the attack process. Salient protection features include:

• Control flow obfuscation. By breaking the correlation between byte code and semantically meaningful source code constructs, the quality of decompilation is degraded. By removing structure from the code, it eliminates tell tale patterns and breaks the predictable relationship between byte code and decompiled source. This degrades the results of decompilation and makes comprehension and reverse engineering very difficult. Rather than rely on tactics that break leading disassemblers, Arxan’s obfuscation uses underlying language characteristics to achieve resistance to accurate decompilation. The result is reliable, long-lived protection that is not hostage to an arms race between a protection solution and decompiler enhancements. Strong control flow obfuscation is a crucial component of any effective protection solution for Java.

• String encryption and variable renaming. By removing semantically meaningful variable names, strings and thus context from the code, these commonly used techniques make the comprehension and reverse engineering process more difficult and time consuming. While inadequate in isolation, they are a valuable complement to strong obfuscation and encryption measures.

• Class File Encryption. By encrypting JAR files, and using custom class loaders at load time for decryption, this blocks static reverse engineering and tampering of class files. This measure also prevents injection of malicious code or methods into the class at run time, and provides robustness to Java’s security hooks such as sealed classes and signature verification. Secure class file loading does not alter the portability of Java byte code.

• Key Protection. Complementary to GuardIT for Java’s code and data protection capability is Arxan’s TransformIT white box cryptography technology. TransformIT provides strong protection for keys used within Java applications – e.g. to encrypt sensitive data in databases, to encrypt communication during a secure internet session or to verify credentials - against discovery and tampering.

• Real time security alerts. Arxan’s active protection technology provides real time security alerts with full context from a running application. This tamper-evidence mechanism reports forensics information back to an appropriate central entity (enterprise security management console) when malware invasion or other forms of tampering are detected. This allows potential breaches to be dealt with quickly and accurately, providing visibility and limiting damage. Since these application alerts have full knowledge of the context of the application and its current state, security alerts are accurate and informative. The application centric nature and secure communication capabilities of real time security alerts can be used by itself or to work with and augment other security technologies such as SIEM, whitelisting and WAFs by providing stronger application context.

1Arxan Technologies White Paper – Arxan protects your IP from software piracy, tampering, reverse engineering and any manner of theft.

Deploying GuardIT for JavaFast. GuardIT for Java is applied directly to your compiled binary.

Easy. GuardIT for Java provides a host of easy-use features including wild-card inclusion and exclusion for variable names and function names. This allows you to quickly and easily define which areas of your program need protection. Protected binaries remain managed mode applications – there is no native compilation, and you retain all the portability advantages of the Java platform.

Strong. GuardIT for Java is built to work closely with GuardIT, Arxan’s flagship application hardening solution for native applications. This makes GuardIT the only solution on the market today which seamlessly enables protection spanning a variety of native and managed application development technologies across a variety of operating systems and execution platforms.

For more information about GuardIT, GuardIT for Java, and maximizing your profits by minimizing your application risk, please contact us at info@arxan.com or visit our website at www.arxan.com.

NoticesArxan Technologies, Inc. makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Arxan Technologies shall not be liable for errors contained herein or for incidental, consequential, or other indirect damages in connection with the furnishing, performance, or use of this material. Arxan, the Arxan logo, Securing Critical Assets, Guard and GuardScript are either registered trademarks or trademarks of Arxan Technologies, Inc. in the United States and/or other countries. Microsoft, Windows, Windows NT and Visual C++ are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Portions of the information disclosed herein are protected by U.S. Patent No. 6,941,463; U.S. Patent No. 6,957,341; U.S. Patent No. 7,287,166 and Patents Pending. Copyright © 2007 Arxan Technologies, Inc. All rights reserved. No part of this document may be photocopied or reproduced without the prior written consent of Arxan Technologies, Inc.

8