On Thu, 15 Dec 2005, Kenneth R. van Wyk wrote:

> The article's premise is that, because attackers can find out a great
> deal about the internals of databases and such by decompiling bytecode
> (in Java and .NET), bytecode should be obfuscated to hide its internal
> details. The article points to several commercial bytecode obfuscation
> products: http://www.devdirect.com/ALL/OBFUSCATIORS_PCAT_2014.aspx

if the person can develop exploits against the holes in the code, what makes you think they can't fire up a runtime debugger and trace the code execution and discover the same things?

the biggest threat internally isn't the one or two people per thousand who can and will do this, it's the much larger number of people who won't use exploit development techniques to access things they shouldn't. bytecode obfuscation does nothing to stop that.

________
jose nazario, ph.d. [EMAIL PROTECTED]
http://monkey.org/~jose/
http://infosecdaily.net/
http://www.wormblog.com/

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php