Case Study: Tofino Central Management Platform

Protecting Customers and Intellectual Property with Excelsior JET

A success story by Eric Byres, Chief Technology Officer
and Michael Thomas, Lead Developer
Byres Security Inc.
Canada

Anyone who has worked on a Java project based on the Eclipse Rich Client Platform (RCP) knows how powerful and valuable RCP can be. Unfortunately, not all developers realize that there is little protection for their code and embedded resources in the deliverable content they distribute. With the abundance of knowledge and tools for Java disassembly in existence, anyone can obtain a detailed understanding of the inner workings of, and the intellectual property contained within, an RCP application with very little effort.

Of course, this is not an issue that plagues only RCP applications; it affects Java applications as a whole. For this reason, Java-based products (RCP or otherwise) can seem better suited to open-source projects. So when developing a commercial product using RCP, an extra level of protection is required to protect your Java bytecode from being reverse engineered, and this can be a difficult task.

Tofino Central Management Platform screenshot

Byres Security develops an application called the Tofino Central Management Platform, which is used for managing security appliances in critical SCADA applications such as nuclear power plants and oil pipelines. This package is RCP-based, since it allows flexibility in adding plug-ins and is largely OS independent, but the ease of reverse engineering Java code was a serious concern for us for several reasons.

First of all, the protection of our customers' industrial installations is crucial. The pluggable and extendable nature of RCP provides a great architecture for development, but leaves the final product open to being extended and experimented with by individuals (i.e. hackers) who may not have our customers' best interests at heart. We are confident in our abilities to provide smart solutions which cannot be exploited despite reverse engineering, but compilation provides our customers with that extra level of comfort in knowing we have a doubly secure product.

Second, like many high-tech companies, our intellectual property is key to our success and must be protected. Our security technologies are at the leading edge of our industry and competitors would love to reverse engineer our products and produce a comparable solution. Without protection from reverse engineering, we would be far too susceptible to the theft of our intellectual property.

When it comes to Eclipse RCP applications, our research indicated that Excelsior JET was really the only solution for code protection. Its ahead-of-time (AOT) compilation of Java bytecode makes the process extremely simple and effective - there was no easier way to protect our RCP application from reverse engineering. Once Excelsior JET was used on our ready-for-release bytecode, our Quality Assurance (QA) team was able to demonstrate that the resulting application met or exceeded all required functions, with only two issues that were resolved in less than a day. And on top of the protection came the added benefits of an embedded JVM for easy distribution and increased performance from the AOT compilation and optimization.

In summary, Excelsior JET really is the only solution for our RCP-based product. It is also the best solution we could hope for. We recommend the use of Excelsior JET for anyone developing a Java application containing sensitive code or vital intellectual property which must be protected.