Introduction to Code Obfuscation

By Paladion

December 15, 2004

Obfuscation means "to make difficult to perceive or understand". In programming, code obfuscation means making code harder to read or understand, generally for privacy or security purposes. Security through obscurity has long been viewed with disregard in the security community. However, there are applications where obscurity can provide a higher level of protection to source code. Recent theories have shown the usefulness of this technique; a popular paper, Code Obfuscation techniques by Collberg, shows just that.

There are three general methods for protecting source code:

  1. Code authentication and verification - meant to protect against unauthorized tampering with, and unauthorized access to, the code. This method is most efficient when authentication data is sent via the network. The user has the complete code, which in theory can also be in mangled form.
  2. Server side invocation - provides protection by restricting the distribution of the code. This method avoids sending the final code to the user. A fundamental requirement for this method is high bandwidth.
  3. Code obfuscation - You may need to distribute the code to several entities and want to protect it against reverse engineering or copying. It involves transforming executable code to make it hard to reverse-engineer with tools like decompilers.

With obfuscated code, information accessed by a third party is garbled or hidden, and generally harder to understand. And if anyone wants to crack the obfuscated code, then, as with hash functions, it will require significantly more processing to de-obfuscate than was required to obfuscate it.

Code obfuscation can be achieved through one or more of the following methods:

  1. Source or binary structure obfuscation - A source code obfuscator accepts a program source file and generates another, functionally equivalent source file that is much harder to understand or reverse-engineer. This is useful for technical protection of intellectual property when source code must be delivered for public execution purposes.
  2. Data Obfuscation - This is aimed at obscuring data and data structures. Techniques used in this method include splitting variables, promoting scalars to objects, converting static data to procedures, changing the encoding, changing variable lifetimes, etc.
  3. Control Flow Obfuscation - This aims at changing the control hierarchy while preserving the logic. Here false conditional statements and other misleading constructs are introduced to confuse decompilers, but the logic of the code remains intact.
  4. Preventive Obfuscation - Here the focus is on protection against decompilers and reverse engineering methods. Renaming metadata to gibberish or less obvious identifiers is one such technique, like defining function InterestCalculation() as x().
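
Methods 2 to 4 applied by hand to one small function, as an added example that is not from the original article or from any obfuscation tool. The simple-interest formula, the parameter names, the split constant and the sample inputs are assumptions made for illustration; `interest_calculation` stands in for the article's InterestCalculation().

```python
# Added illustration; all names and figures below are constructed for this example.

def interest_calculation(principal, rate_percent, years):
    """Readable original: simple interest, in whole currency units."""
    return principal * rate_percent * years // 100


def x(a, b, c):
    """Functionally equivalent form after three hand-applied transforms."""
    # Preventive obfuscation: interest_calculation -> x, parameters -> a, b, c.
    # Data obfuscation (variable splitting): the principal is held as two
    # shares, d and e, with a == d + e; it never appears whole again.
    d = a ^ 0x5A5A
    e = a - d
    # Control-flow obfuscation (opaque predicate): the product of two
    # consecutive integers is always even, so this test is always true and
    # the else branch is dead code that only misleads a reader or decompiler.
    if (c * (c + 1)) % 2 == 0:
        f = d * b * c + e * b * c
    else:
        f = (d - e) * b + c
    return f // 100


def equivalent(cases):
    """True when both forms agree on every (principal, rate, years) case."""
    return all(interest_calculation(*t) == x(*t) for t in cases)


if __name__ == "__main__":
    # Constructed sample inputs.
    cases = [(p, r, y) for p in (0, 1, 999, 250_000)
             for r in (0, 3, 12) for y in range(0, 31, 5)]
    print("equivalent on", len(cases), "cases:", equivalent(cases))
    print(interest_calculation(250_000, 12, 5), x(250_000, 12, 5))
```

The equivalence check is the part worth keeping in practice: any obfuscating transform should be validated against the original on a test corpus before the transformed build is shipped.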

There are many commercial tools and some open source tools available for achieving code obfuscation. For example, Oracle provides a way of shipping PL/SQL code using the wrap utility that ships with the database. It will encrypt the source code into a format that cannot be reverse-engineered or edited. Code obfuscation introduces greater overhead. Unless the transform is optimized, obfuscated code generally runs slower than the normal source code, and a wrapped package can be larger in size too. These, however, may be the price to be paid for enhanced protection of the source code.

Links to Obfuscation Tools

  1. JODE (Java Optimize and Decompile Environment)
  2. Dotfuscator, for the .NET platform
  3. Java Obfuscator
  4. .NET Obfuscator
