How to protect Java programs from being deserialized

Java is across-platform, interpreted languageJava Source Code compilation Intermediate "bytecode" is stored in the class file. A class file is an intermediate code in the form of a bytecode that includes a lot of source code information, such as variable names, method names, and so on. Therefore, the anti-compilation of the Java intermediate code becomes very easy. There are many free, commercially available anti-compilation software on the market that can generate high-quality, post-compiled source code. So, for developers,How to protect Java programs becomes a very important challenge ..
let's consider a case study

basic ways to protect Java programs Then, the problem of code obfuscation is studied in depth , Finally, a practical application is combined to analyze how to protect Java programs in practice.
Anti-compilation becomes the biggest challenge to protect Java programs
Programs developed in programming languages, such as C and C + +, are compiled into object code, which is the object code of this machine. BinaryExecutable code. Usually all source files are compiled and linked into an executable file. In these executables, the compiler removes information such as variable names, method names, and so on in the program, which are often represented by memory addresses, such as if a variable is needed, often accessed through the address of the variable. Therefore, it is very difficult to decompile these local target code.
the advent of the Java language makes it very easy and effective to decompile.
The reasons are as follows:
1. Because of the cross-platform requirements, the Java instruction set is relatively simple and universal, it is easier to derive the semantic information of the program; 2. The Java compiler compiles each of the classes into a single file, which simplifies the work of decompile; 3. In Java's class file, all method names, variable names are preserved, and variables and methods are accessed through these names, often with many semantic information.due to the characteristics of the Java program itself, it is very good to decompile the non-processed Java program.
At present, there are many Java anti-compilation tools in the market, there are free, there are commercial use, there are open source code. The anti-compilation speed and effect of these tools are very good. Good anti-compilation software, able to decompile a very close to the source code of the program.therefore, through the anti-compiler, hackers can make changes to these programs, or reuse the program. Therefore, how to protect Java programs from being deserialized is a very important issue.
Common Protection technologies

Because Java bytecode has a high level of abstraction, they are easier to decompile. Here are a few common ways to protect Java bytecode from being deserialized. In general, these methods do not absolutely prevent the program from being recompiled, but rather to increase the difficulty of anti-compilation.because these methods have their own use of environment and weaknesses.
Isolating Java Programs
The simplest approach is to let users not access to the Java class program, this method is the most fundamental method, concrete implementation there are many ways. For example, developers can put the critical Java class on the server side, and the client accesses the server's interface to get the service, rather than accessing the class file directly. This way, hackers have no way to decompile class files.Currently, there are more and more standards and protocols for providing services through interfaces, such as HTTP, Web service, RPC, and so on. However, there are many applications that are not suitable for this type of protection, such as the inability to isolate Java programs for a single-machine running program. This protection is shown in the following way.encrypt the class file
To prevent class files from being directly deserialized, many developers encrypt key class files, such as those related to registration codes, serial number management, and so on. Before using these encrypted classes, the program first needs to decrypt the classes and then load them into the JVM. The decryption of these classes can be done either by hardware or by using software.
When implemented, developers often complete the loading of cryptographic classes by customizing the ClassLoader class (note that applets cannot support custom ClassLoader for security reasons). The custom ClassLoader first finds the encrypted class, decrypts it, and finally loads the decrypted class into the JVM. In this protection mode, the custom ClassLoader is a very critical class.since it is not inherently encrypted, it may be the first target for hackers to attack. If the associated decryption keys and algorithms are conquered, then the encrypted classes are also easily decrypted. This way of protection is seen.convert cost to code
converting programs to cost-to-place code is also an effective way to prevent anti-compilation。 Because local code is often difficult to decompile. Developers can choose to convert the entire application to cost code, or to key module conversions. If only the key parts of the module are converted, Java programs need to use JNI technology to invoke them when using these modules.
Of course, while using this technology to protect Java programs,alsosacrificing the cross-platform nature of Java。 For different platforms, we need to maintain different versions of local code, which will add to the work of software support and maintenance. However, for some key modules, sometimes this scenario is often necessary.
To ensure that these native code is not modified and replaced, it is often necessary toDigital Signatures。 Before using these native code, it is often necessary to certify these native code to ensure that the code is not changed by the hacker. If the signature check passes, the associated JNI method is called. This protection method is shown
Code Obfuscationconvert cost to code
Code obfuscation is the re-organization and processing of class files, which makes the processed code the same functionality (semantics) as the pre-processing code. However, the confusing code is difficult to decompile, that is, the anti-compilation code is very difficult to understand, obscure, so it is difficult for the anti-compiler to derive the true semantics of the program. In theory, if hackers have enough time, the confusing code can still be cracked, and even some people are developing anti-obfuscation tools. But from the actual situation, because of the diversification of the obfuscation technology, the confusion of the theory of maturity, the confusing Java code can be good to prevent the anti-compilation. The obfuscation technique is described in detail below, because obfuscation is an important technique for protecting Java programs. Code obfuscation
The above several technologies have different application environment, each have their own weaknesses, table 1 is related to the characteristics of the comparison.
Obfuscation Technology Introduction
Table 1 Comparison table of different protection technologies
Until now, the obfuscation technique is the most basic protection method for Java programs.There are also a number of Java obfuscation tools, including commercial, free, and open source. Sun has also provided its own obfuscation tools. Most of them are confusing class files, and there are a handful of tools that first process the source code and then process the class, which increases the amount of obfuscation. At present, the commercially successful obfuscation tools include the Jproof company's 1stBarrier series, Eastridge Company's Jshrink and 4thpass.com Sourceguard. The main obfuscation techniques can be categorized according to the confusion target, respectively, as follows:Symbol Confusion (Lexical obfuscation), data obfuscation, control obfuscation, and preventive Confusion ( Prevent transformation).

Case Analysis
in practice, protecting a large Java program often requires a combination of these methods, rather than a single use of one method. This is because each approach has its weaknesses and application environment. Using these methods in a comprehensive manner makes the protection of Java programs more efficient. In addition, we often need to use other related security, such as security certification, digital signature, PKI and so on.
Now we're going to analyze a Java application, which is a SCJP (Sun Certificate Java Programmer) simulation exam software. The application has a large number of simulation topics, all of which are encrypted and stored in the file.since it is the core of the software, the access and access to the question bank becomes a very core class. Once these related classes are deserialized, all the question bank will be cracked. Now, let's consider how to protect these question-bank and related classes.
In this example, we consider the use of comprehensive protection techniques, includingLocal code and obfuscation techniques。 Because the software is primarily published on Windows, it is only necessary to maintain a version of the local code after the cost code is converted. In addition, obfuscation is also very effective for Java programs, and is suitable for this standalone application system.
in the specific scenario, we divide the program into two parts, one is the module that is written by the local code, and the other is the other module developed by Java. This allows for a higher degree of protection of the problem management module from being deserialized. For Java-developed modules, we still need to use obfuscation techniques.
The programme is as follows:

How to protect Java programs from being deserialized