Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

People have different understandings of words, so I'm not claiming there is one, universal meaning of "software reverse engineering." However, here is the definition some researchers came up with: "Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction. It can also be seen as "going backwards through the development cycle." (from https://en.wikipedia.org/wiki/Reverse_engineering#Reverse_en... , original publication: http://win.ua.ac.be/~lore/Research/Chikofsky1990-Taxonomy.pd... )

edit: I just wanted to explain to you which definition I was using earlier, so that you could understand what I meant better.



That quote is quite different from the definition you're using.

Your definition is not what anyone else uses, from what I've seen. You don't have to use the same definition, of course, but be aware that unless you clarify what you mean, you're going to be creating a ton of confusion.


I don't see how it is different. A "higher level of abstraction" means progressively higher-level versions of source code. Binary->machine/assembly code->C++ code for example. Each step involves reverse engineering. Simply disassembling/decompiling a binary is not really sufficient to be considered "reverse engineered". Someone needs to analyze the output of these tools to create reverse-engineered output which is ready to be modified/extended/investigated.


It does not really matter how we are interpreting the term "reverse engineering". What matters is how it was used in the OP article, in the EULAs and the national laws. In the article it was clearly applied to a binary analysis part of pen testing efforts by the Oracle customers, so this is what we should be discussing here.


I disagree. The author implies several times that the main issue, and the reason for the ban on reverse engineering in the agreement, is protection of intellectual property (source code). People may do other types of vulnerability testing, but the piece that Oracle is concerned about is trying to discover their source code (for example, by using static analysis tools...which analyze some version of source code).


Many static analysis tools are working on JVM bytecode level, and there are quite a few for even the raw x86.


I would consider that "some version of the source code".

However, this is one of the reasons I disagree with Oracle on the matter. There are tools which actually can and do find issues at this low level (even if there are false positives), and running those tools can be part of many reasonable verification efforts. I think static analysis at the bytecode or assembly code level still counts as analyzing the source code, but I think it makes sense to do that in many scenarios.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: