Using GraalVM Native Image instead of obfuscation

Question

I have been developing a backend platforms for different purposes and some times customers want this product get installed in their data center as On-premises softwares. So in order to protect from reverse engineering I used obfuscation tools.

I wonder if compiling deployable applications with GraalVM Native Image technology is an alternative solution for protecting from reverse engineering.

I know that native image cannot be decompiled so reverse engineering is not possible.

Answer 1

In general any software can be reverse engineered, so it's a matter of tradeoffs and complexity to do so.

GraalVM native image indeed produces native executables or shared libraries, and the effort to reverse engineer the logic is higher than with normal jar files.

However one needs to always be careful about their goals and the potential threat vectors. For example native image build process can preserve the strings in the binary. For example, I have a native image built binary primes-serial . Running something like:

strings primes-serial | grep com.oracle.svm.core.VM
Ocom.oracle.svm.core.VM
com.oracle.svm.core.VM.Target.Libraries=stdc++|pthread|dl|z|rt
com.oracle.svm.core.VM=GraalVM 20.2.0 Java 11 EE
com.oracle.svm.core.VM.Target.StaticLibraries=liblibchelper.a|libnet.a|libffi.a|libextnet.a|libnio.a|libjava.a|libfdlibm.a|libsunec.a|libzip.a|libjvm.a
com.oracle.svm.core.VM.Target.LibC=com.oracle.svm.core.posix.linux.libc.GLibC
com.oracle.svm.core.VM.Target.Platform=org.graalvm.nativeimage.Platform$LINUX_AMD64
com.oracle.svm.core.VM.Target.CCompiler=gcc|redhat|x86_64|4.8.5

You can see that some information is preserved in the binary.

So it might be interesting to maybe initially run the obfuscator and then build the native image.

But in general the binary can be disassembled like any native executable.