Video: Nikita Lipsky Talks About Java AOT Compilation @JavaZone 2016

Our very own Nikita Lipsky, one of the “fathers” of the Excelsior JET project, was at the JavaZone conference in Oslo last week to give a talk about Java AOT compilation. Here are the video and slides of his talk:

Categories: Java, News

An Unorthodox “Solution” to an NPE Puzzle

I’ve been subscribed to Java Performance Tuning by Jack Shirazi and Kirk Pepperdine forever (compared to other e-newsletters), not least because of the introductory pieces. Jack opened the Feb 2014 issue with a small puzzle stemming from a real problem his colleague encountered. I forwarded it to our developers immediately:

This month I’ve got a little puzzle for you. How can you get a null pointer exception from the following piece of code?

    //map is an instance of HashMap
    x = map.get("hello");

To be clear, “map” is not null, it is an instance of the standard HashMap class from the JDK, the get() method and all the other HashMap methods are the normal ones you have in the JDK, and there has been no bytecode injection. Oh, and the process is not out of memory, hasn’t been out of memory, and the HashMap instance has not been used in more than one thread.

If you cannot figure out the answer, take a peek at issue #159 of the newsletter. One of my colleagues, however, has come up with a deliberately coded “solution” to the problem:

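    import java.util.HashMap;

    public class ShootMyselfInTheFoot {
        private static class Damn {
            // Load: same hash code as the String key "hello", so both keys
            // land in the same bucket and HashMap has to call equals()
            @Override
            public int hashCode() {
                return "hello".hashCode();
            }

            // Aim: any non-null argument is replaced with null, so the
            // obj.equals(obj) call below dereferences a null reference
            @Override
            public boolean equals(Object obj) {
                obj = obj != null ? null : "";
                return obj.equals(obj);
            }
        }

        public static void main(String[] args) {
            // Fire!
            HashMap map = new HashMap();
            map.put("hello", null);
            map.put(new Damn(), null);

            Object x = map.get("hello");
        }
    }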

It left me wondering whether it might make sense for an advanced obfuscator or copy protection tool to inject pieces of such meaningful-looking yet unexpectedly failing code into the application, of course making sure that it never receives control (except if a license check has failed a few million CPU cycles before).

Categories: Java

Breaking: It seems that Excelsior JET already supports JavaFX 2

Update 20-Sep-2015: We are about to release Excelsior JET 11 that will fully support Java SE 8 and JavaFX 8. A public beta is already available. This post is only kept for historical reasons.

Thanks to the persistence of an evaluation user, we have discovered that JavaFX 2 apps can be run without the custom classloader and hence can be fully precompiled with the current version of Excelsior JET! There are a few quirks in the build process, as you will see, and we have not extensively tested it, but the four standard demos seem to be working, at least on Windows.

Categories: Excelsior JET

The Fastest JVM on Greenland (Perhaps)

The Institute for Arctic Technology at the Technical University of Denmark (DTU) recently worked on a renewable energy project in Greenland. The goal of the project was to determine the impact of combining renewable wind energy with existing diesel generators in small villages. There was just one problem: DTU researchers back in Denmark needed a reliable, affordable way to analyze the data both historically and in real-time. For that solution they turned to Lagoni Engineering Ltd. — and Lagoni turned to Excelsior JET Embedded.

Arctic conditions ruled out upgrading hardware, causing Lagoni to find performance improvements within the existing platform.

“We were looking for a way to reduce the hardware requirements and cost associated with conventional Java, which powers Monatar, our in-house datalogger with a built-in Web server that provides the user interface for the researchers. We found what we needed in Excelsior JET Embedded.”

Thomas Olsen, director of Lagoni Engineering Ltd.

Monatar is a high-performance embedded energy-monitoring device for wind turbine analysis, and it is critical to the DTU researchers’ mission. Excelsior JET Embedded powered — and boosted the performance of — Monatar in the bitter cold of a Greenland winter.

In fact, our product has delivered a 45% improvement on Oracle’s JVM start-up, between 15% and 30% improvement on JVM response, and a full 60% improvement on JVM’s disk footprint size.

Footprint Chart

You can find the remaining charts and further details in the case study.

Categories: Customer Showcase, Excelsior JET, News

Excelsior JET Secures Intellectual Property for the Mobile Sales Force

This case study shows how Avisod LLC uses Excelsior JET to protect their Tomcat Web applications from potential security risks of reverse engineering.

Excelsior JET for Apache Tomcat case study

By: Karl Self, CIO
Avisod LLC

Avisod LLC, a software company that creates a private communications channel for its customers, has a geographically diverse sales force constantly on the move.

In our Quick Serve Restaurant (QSR) vertical, the sales force needed to demonstrate the power of their unique hardware and software solution that included a Java Web application running on Apache Tomcat.

The advancements of decompilers, the increasing reliance on external configuration within Java Web applications, and the increasing cost and complexity of obfuscator software can make for sleepless nights on product teams. Excelsior JET eliminates those concerns through an easy to use interface capable of providing protection for Java Web applications running on Tomcat 5 and above.

Using Excelsior JET 7.2, we were able to secure our Java Web application running on Apache Tomcat 5.5 in less than an hour.

Administration Dashboard of Avisod’s L3, an innovative messaging system that delivers targeted text and video messages to individuals on demand.

With JET’s AOT feature, the web container, application code, and JRE were compiled into native binary code. Now our sales force can move freely through airports, train stations, hotels, and customer sites knowing Avisod’s intellectual property is safe from potential security risks of traditional decompilers.

Given the alternative’s cost, both in product cost and training, Excelsior JET was an easy choice. Beyond securing Avisod’s intellectual property, Excelsior JET 7.2 Enterprise Edition also provides the additional benefits of improved performance and reduced cold startup time. Salesmen typically have only a few minutes of face to face time with potential customers. Every second counts, and Excelsior’s solution helped Avisod’s sales force make the most of every second.

Excelsior JET provided us with best in class security for our Java Web application giving us more time to focus on our clients and improving our product line.

Categories: Excelsior JET, Java, Tomcat

CERT Secure Coding Standard for Java: Theory and Practice

The CERT Secure Coding Standard for Java is a comprehensive set of rules and recommendations for writing secure Java applications. If you care about the security of Java code that you write, make sure to check it out (the C Secure Coding Standard has already made it into a book, and its C++ sibling is in progress, just in case.)

In practice, however, developers that read secure coding guidelines or best practices documents mostly apply the new knowledge to their future work. In the best case, they may have the time to review the code they have written recently. And even then, their now-more-secure code may be just a tiny portion of a large enterprise application combining lots of legacy stuff with code written in other departments, commercial components, etc., running on top of an open-source framework inside a proprietary container.

Even with the help of static code analysis tools, the costs of discovering and eliminating all the security vulnerabilities in such an application may be prohibitive. However, the costs of reducing their exposure may be acceptable. But why is the level of such exposure so high for Java apps in the first place?

For further discussion, continue to my article “Protect Your Java Code – Through Obfuscation And Beyond”.


Excelsior provides practical solutions for the protection of desktop applications based on Eclipse RCP, Tomcat Web applications, and plain Java SE applications.

Categories: Java

Nicolas Fränkel: Safely give away your demo applications

Nicolas Fränkel in his blog recommends using Excelsior JET to protect your demo Web applications.

Categories: Excelsior JET, Java, Tomcat

Export RCP Apps As Native Executables Right From Your Eclipse IDE

Excelsior JET Eclipse plug-in for RCP developers enables you to export your Eclipse RCP application in native code form and deploy it in the wild without the easy-to-hack jar files.

Just compare the structure of exported RCP applications to see the difference:

How Excelsior JET works

With the Eclipse plug-in for Excelsior JET, the exporting of RCP applications to native code can be done in three simple steps.

STEP 1: Invoke the Export wizard

Click the Excelsior JET button in the Eclipse toolbar.

Eclipse toolbar

The export wizard window will appear.

STEP 2: Select destination

You may export your RCP application into a directory as if you were using
the standard Eclipse Product export wizard, or wrap the application
into Excelsior Installer to enhance the end-user experience.




Specify the desired Product Configuration file and enter the path to the destination directory or to the installer executable you wish to create.

STEP 3: Export!

Click Finish. The exporting process will start.




Upon successful completion, a dialog will appear, displaying
the location of the exported application.

From this dialog, you may also get instructions for the headless build of your RCP application with Excelsior JET and test drive the application installer, if you opted for its creation on STEP 2.

Note: Eclipse RCP applications exported with Excelsior JET no longer need
the JRE to run.

Plug-in installation

You may find detailed instructions and Update Site URL to install this plug-in into your Eclipse IDE on this page.

Resources

Whitepaper: Two Ways of Securing Eclipse RCP Applications (obfuscation vs. native pre-compilation.)

Case studies: RCP developers share their experience with Excelsior JET.

Video tutorial: standalone tools providing the advanced features of Excelsior JET, such as startup time optimization, Java Runtime Slim-Down, installer branding, and others.

Excelsior JET for Eclipse RCP page: product information, sample applications, etc.

Categories: Eclipse RCP, Excelsior JET, Product Updates

Excelsior JET 7.0 Ships

As promised, Excelsior JET 7.0 enables you to protect your Java Web applications running on Apache Tomcat by compiling them together with the Tomcat server itself into an optimized native executable.

Multi-app executables enable you to compile several applications into one executable, thus maximizing code and data sharing at run time. Another benefit is the ability to specify JVM options and Java system properties on the command-line in the conventional manner:


    MyApp -Xmx512m -Dmonitor.port=7000 com.XYZ.server.Main
    MyApp -Dport=7000 com.XYZ.monitor.Main

On Windows, the same binary may now be run as a conventional executable and installed as a service.

Speaking about Windows and sevens, Excelsior JET 7.0 has passed the Java SE 6 compatibility test suite (JCK) on Windows 7 and is supported on that platform.

An important usability enhancement, performance and stability improvements, and reduced memory usage are also waiting for you to enjoy them!

Full list of new features and improvements in Excelsior JET 7.0

Download Excelsior JET 7.0 Evaluation Package

Categories: Excelsior JET, News, Product Updates, Tomcat

Excelsior JET 7.0 Beta Announcement In ‘tomcat-users’

Yesterday I announced the Excelsior JET 7.0 public beta program in the ‘tomcat-users’ mailing list at apache.org. The announcement has sparked a small discussion, but the follow-up would be a bit too long for email to my taste, so I am responding here and will then send a link to this post to the mailing list.

I will start with the concern that is easier to address. Leon Rosenberg wrote:

Wouldn’t that make the application slower? I assume this compiled code can’t be uncompiled and optimized by the hotspot, so it is not for performance.

Excelsior JET is an optimizing compiler originally developed as a tool for accelerating Java applications. True, Sun HotSpot Server 6 is very good, and so is Oracle JRockit, but there is no silver bullet – we have happy customers reporting substantial speedup of their apps as a result of AOT compilation, and we have prospects canceling evaluation because of the slowdown. I can point you to some third-party benchmarks, but your mileage will vary, one way or another.

Leon went on to write:

As for preventing decompilation, how many people/companies are actually delivering a war which they need to protect from decompiling? How many people would install such a product, one they can’t configure anymore, one that is even infectable by viruses?

We fully realize that Excelsior JET is unlikely to replace the conventional JRE in the majority of Tomcat installations (unless Oracle starts charging for the JRE. 🙂 ) So the question is whether there are any Web application authors who might need our solution. We are sure there are some, and here is why:

  • We already have a few paying customers (technically it has been possible to compile Tomcat for years, but the process was difficult and error prone, plus the current version imposes some restrictions on your Web apps if you need protection, yet that does not stop people who really want it)
  • Customers and prospects keep asking if they could use our tool to protect their Web applications
  • “Tomcat” is the #5 search query of all time on our Web site, trailing only “SWT”, “Eclipse”, “DLL”, and “Swing”.

As you may see, our decision to add this feature is 100% customer-driven!

I have also spoken to the author of a popular Tomcat book, and he sees deployment as a big issue. Not deployment of web applications onto a Tomcat instance, but rather deployment of the entire solution, that is, Java Runtime plus Tomcat plus one or more Web applications. Ah, and don’t forget the database engine!

Imagine you are in sales engineering and a prospective customer wants to test drive your app just to get a feeling of its capabilities and such. If you could give them a single installer that would install and run on any manager’s PC with little to no configuration, and at the same time would be much more difficult to tamper with, would not you call this a competitive advantage?

The inability to configure Tomcat after native compilation is a misconception. If you download and install one of the sample packages, you would notice that the wars and jars are gone, but the Tomcat directory structure is retained and you still have the startup scripts and XML descriptors at your disposal. (Some people asked for an option to hide these as well, though.)

Moreover, Excelsior JET Runtime includes a JIT compiler, otherwise it would not have been certified Java Compatible and our company would not appear in the list of Java Licensees. So you may drop a WAR into webapps/ and it will work as usual. (Of course, our JIT is much less sophisticated than HotSpot, so that particular app would start slower and its response time would be worse than if you AOT-compiled it.)

As for viruses, last time I checked java.exe was not immune to them either. 😉

Ramzi Khlil wrote:

I think it’s not a good idea, especially when applications are subject to modification frequently or if we plan to deploy a new application on the server. Tomcat has a very interesting feature which allows the user to load an application on the fly without closing the server. But if I compile tomcat and webapps into a single package, I will lose this feature.

I see that’s a very limited functionality.

Again, there are use cases where you want to prevent (unauthorized) modification of your application. As Serge Fonville noted in his follow-up, there are ISVs whose shrink-wrapped products are essentially Web applications. Sure, those use cases may constitute a minority, but what we hear from our customers and prospects makes us believe it is not such a limited functionality.

Finally, I cannot resist quoting André Warnier’s follow-up almost entirely:

…I have a number of corporate customers who have sub-contracted their IT infrastructure to an external service company. In my experience these external people then, usually, tend to adopt the “umbrella” attitude, whereby they want every other external software supplier to supply their software in a manner that will cause themselves the least work and the least trouble. In other words, their ideal is that the software be delivered in the form of a single executable, pre-parameterised so that they don’t even have to choose options in an installer, and that they would not bear any responsibility if anything should not work as expected.

They are certainly not interested in even having to think about tricky customising options.

I am not saying that these are my preferred kind of customers. (I prefer smart ones, up to a point).

But this is a “use case” for the proposed package, it seems to me.

Categories: Excelsior JET, Java
