How does it work?
ClassGuard is a tool to prevent Java decompiling. The Java class files are encrypted using
128-bit AES. The AES key is generated randomly every time you start the encryption tool.
The decryption is done transparently by a custom class loader. The main part of this class loader
is written in C to prevent decompiling and other tampering.
How does Tomcat support work?
As of Version 1.5, ClassGuard supports Tomcat containers. To use ClassGuard in combination with
Tomcat, you have to configure your web application to use the ClassGuard Tomcat class loader.
This can be set in the context of the web application.
How do I encrypt my project?
The encryption tool copies an existing jar file into an encrypted one. The ClassGuard class
loader and all needed libraries are automatically included in the resulting jar file.
How do I start the encrypted Project?
There are two ways of starting the encrypted project:
- Explicitly set the bootstrap classloader to ClassGuard using the Java property
java.system.class.loader
- Use a wrapper start class using reflection
How secure is it really?
There is no way of cracking the 128-bit AES encryption used. As the main part of ClassGuard is
written in C, the key can't be extracted using a Java decompiler. However, it may be
possible to crack the encryption using a debugger at the assembler level. At the moment, no
such attempt is known.
Some experts state that it would be possible to crack bytecode encryption by hacking some class
files of the Java language itself, e.g. defineClass() in java.lang.ClassLoader. Bytecode encrypted
by ClassGuard is passed through to the virtual machine on the native level. The bytecode never
appears in any Java class.
What platforms are supported?
The evaluation version and the basic version support Sun Java 5 and 6 for Windows and Linux on
i386. Java 7 and OpenJDK are currently not supported. The Unix version additionally supports
Solaris on Sparc and HP-UX. More platforms are planned for Version 2.0, including Java 7, MacOS X
and Linux on AMD64. Virtual machines besides Sun Java may work, but are not supported.
When I debug my encrypted project, I get a java.lang.NoClassDefFoundError
Currently, there are three ways to implement a Java debugger or profiler:
- java.lang.instrument (-javaagent)
- jvmti (-agentlib/-agentpath)
- jvmpi (-Xrun)
It is possible to get Java bytecode in all of these ways. Therefore,
ClassGuard detects Java debuggers and refuses to decrypt any classes if
any debugger is running.
Are J2EE containers besides Tomcat supported?
Currently only Tomcat is supported. Support for JBoss is planned for the next version. Support
for other J2EE containers may be implemented on request; please ask.
Can I combine ClassGuard and Code Obfuscation?
As ClassGuard works on the binary level of class files, it does not interfere with Java code
obfuscation tools.
How can I check if my class encryption tool works reliably?
You may use our debugging agent to test your code encryption tool. Download JSecurityAgent.jar
and run your application with the additional parameter
-javaagent:JSecurityAgent.jar. The bytecode agent displays all classes of which it can get
the bytecode. If you see a line like
BytecodeAgent: Got bytecode of my/encrypted/class
your tool is vulnerable.
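As an added illustration (not the vendor's JSecurityAgent and not code from this page), a minimal java.lang.instrument agent that performs this kind of check could look like the following. The class name AuditAgent and the log prefix are assumptions made for the example.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;

// Added example: reports which application classes reach the
// instrumentation layer as plaintext bytecode. It only logs class
// names and never modifies or stores the class data.
public final class AuditAgent implements ClassFileTransformer {

    // Every valid class file starts with this 4-byte magic number.
    private static final int CLASS_MAGIC = 0xCAFEBABE;

    // Entry point the JVM calls before main() when started with -javaagent.
    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new AuditAgent());
    }

    // True if the buffer begins with the class-file magic, i.e. the
    // agent was handed decrypted (or never encrypted) bytecode.
    static boolean looksLikePlainBytecode(byte[] buf) {
        if (buf == null || buf.length < 4) {
            return false;
        }
        int magic = ((buf[0] & 0xFF) << 24) | ((buf[1] & 0xFF) << 16)
                  | ((buf[2] & 0xFF) << 8) | (buf[3] & 0xFF);
        return magic == CLASS_MAGIC;
    }

    @Override
    public byte[] transform(ClassLoader loader, String className,
                            Class<?> classBeingRedefined,
                            ProtectionDomain protectionDomain,
                            byte[] classfileBuffer) {
        // className may be null for some VM-generated classes; JDK
        // classes are skipped because they are never encrypted.
        boolean appClass = className != null
                && !className.startsWith("java/")
                && !className.startsWith("javax/")
                && !className.startsWith("sun/");
        if (appClass && looksLikePlainBytecode(classfileBuffer)) {
            System.err.println("AuditAgent: plaintext bytecode visible for " + className);
        }
        return null; // null tells the JVM to leave the class unchanged
    }
}
```

Package the class in a jar whose manifest contains the line Premain-Class: AuditAgent and start the protected application with -javaagent: pointing at that jar. A protected class showing up in the output means its bytecode reached the instrumentation layer in the clear.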