With the development of embedded systems and software technology, mobile devices play an increasingly important role in people's lives. Desktop applications, for example e-commerce and mobile Internet applications, are gradually moving to mobile platforms. At the same time, the security of mobile devices has become a matter of debate. As one of the most popular development platforms, Java has brought new life to the mobile application market with its platform independence and security assurance. Java implements both language-level and VM-level security, but it ignores the need to protect class files. Because class files contain a great deal of information about the source code and bytecode has a simple format, class files can be decompiled easily. Researchers have proposed many protective solutions for Java bytecode, such as bytecode obfuscation, watermarking and native code, but none has completely eliminated the security risk.

We study the inherent security architecture of Java, focusing on the format of Java bytecode and class files, and reveal the inadequacy of that architecture. Based on reference [1], we abstract the variable instruction set principle, modify it, and create a transformation algorithm that complies with the Java bytecode format. We then implement the corresponding transformer and customize the Java class loader so that the principle fits into the JVM.

With a variable instruction set, Java bytecode becomes incomprehensible. Because the instruction set has changed, decompilation becomes difficult. Transformed class files must be de-transformed by the corresponding class loader to run properly on the JVM. In addition, with the help of both the class loader and the class file verifier, tampered bytecode cannot be executed on the client JVM, which protects the copyright of the Java software owner and the security of client applications, and closes the security hole in the JVM.