Obfuscation (software)

From Wikipedia, the free encyclopedia
In software development, obfuscation is the act of creating source or machine code that is difficult for humans or computers to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements. Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity), its logic, or implicit values embedded in it, primarily to prevent tampering, deter reverse engineering, or even to create a puzzle or recreational challenge for someone reading the source code. This can be done manually or by using an automated tool, the latter being the preferred technique in industry.[1]

Overview

The architecture and characteristics of some languages may make them easier to obfuscate than others.[2][3] C,[4] C++,[5][6] and the Perl programming language[7] are some examples of languages easy to obfuscate. Haskell is also quite obfuscatable[8] despite being quite different in structure.

The properties that make a language obfuscatable are not immediately obvious.

Techniques

Types of obfuscations include simple keyword substitution, use or non-use of whitespace to create artistic effects, and self-generating or heavily compressed programs.

According to Nick Montfort, techniques may include:

  1. naming obfuscation, which includes naming variables in a meaningless or deceptive way;
  2. data/code/comment confusion, which includes making some actual code look like comments or confusing syntax with data;
  3. double coding, which can be displaying code in poetry form or interesting shapes.[9]
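
Naming obfuscation from item 1, as an added illustration (not code from the article or from any tool it cites): a Python `ast` transformer that renames a function, its parameters and its locals to meaningless names while leaving behaviour unchanged. `SOURCE`, `Renamer`, `obfuscate_names` and `load` are hypothetical names, and the sample function is constructed.

```python
import ast

# Constructed sample: a function whose names document its purpose.
SOURCE = '''
def monthly_payment(principal, annual_rate, months):
    monthly_rate = annual_rate / 12
    growth = (1 + monthly_rate) ** months
    return principal * monthly_rate * growth / (growth - 1)
'''

class Renamer(ast.NodeTransformer):
    """Replace function, parameter and local names with meaningless ones."""

    def __init__(self):
        self.mapping = {}          # original name -> opaque name

    def _alias(self, name):
        if name not in self.mapping:
            self.mapping[name] = f"_{len(self.mapping):x}"
        return self.mapping[name]

    def visit_FunctionDef(self, node):
        node.name = self._alias(node.name)
        return self.generic_visit(node)

    def visit_arg(self, node):
        node.arg = self._alias(node.arg)
        return node

    def visit_Name(self, node):
        # Rename assigned names and names already mapped; builtins and
        # names never defined in this source are left alone.
        if isinstance(node.ctx, ast.Store) or node.id in self.mapping:
            node.id = self._alias(node.id)
        return node

def obfuscate_names(source):
    """Return (renamed source, mapping) for a module's source text."""
    renamer = Renamer()
    tree = renamer.visit(ast.parse(source))
    return ast.unparse(ast.fix_missing_locations(tree)), renamer.mapping

def load(source, name):
    """Execute source in a fresh namespace and return one object from it."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    return namespace[name]
```

The renamed function returns the same value for the same arguments, but callers that pass `principal=` by keyword would break, so this kind of renaming only suits names outside a public interface.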

Automated tools

A variety of tools exist to perform or assist with code obfuscation. These include experimental research tools created by academics, hobbyist tools, commercial products written by professionals, and open-source software. Deobfuscation tools also exist that attempt to perform the reverse transformation.

Although the majority of commercial obfuscation solutions work by transforming either program source code, or platform-independent bytecode as used by Java and .NET, there are also some that work directly on compiled binaries.

Recreational

Writing and reading obfuscated source code can be a brain teaser. A number of programming contests reward the most creatively obfuscated code, such as the International Obfuscated C Code Contest and the Obfuscated Perl Contest.

Short obfuscated Perl programs may be used in signatures of Perl programmers. These are JAPHs ("Just another Perl hacker").[16]

Cryptographic

Cryptographers have explored the idea of obfuscating code so that reverse-engineering the code is cryptographically hard. This is formalized in the many proposals for indistinguishability obfuscation, a cryptographic primitive that, if possible to build securely, would allow one to construct many other kinds of cryptography, including completely novel types that no one knows how to make. (A stronger notion, black-box obfuscation, is known to be impossible in general.)[17][18]

Disadvantages of obfuscation

  • While obfuscation can make reading, writing, and reverse-engineering a program difficult and time-consuming, it will not necessarily make it impossible.[19]
  • It adds time and complexity to the build process for the developers.
  • It can make debugging issues after the software has been obfuscated extremely difficult.
  • Once code is no longer maintained, hobbyists may want to maintain the program, add mods, or understand it better. Obfuscation makes it hard for end users to do useful things with the code.
  • Certain kinds of obfuscation (i.e. code that isn't just a local binary and downloads mini binaries from a web server as needed) can degrade performance and/or require an Internet connection.

Notifying users of obfuscated code

Some antivirus software, such as AVG AntiVirus,[20] will also alert users when they land on a website with code that is manually obfuscated, as one of the purposes of obfuscation can be to hide malicious code. However, some developers may employ code obfuscation for the purpose of reducing file size or increasing security. The average user may not expect their antivirus software to provide alerts about an otherwise harmless piece of code, especially from trusted corporations, so such a feature may actually deter users from using legitimate software.

Mozilla and Google disallow browser extensions containing obfuscated code in their add-ons store.[21][22]
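
An added illustration of why alerts on obfuscated code can also fire on legitimate software, as described above (this is not AVG's, Mozilla's or Google's detection logic): a small Python triage scorer over JavaScript text. The indicators, the thresholds and the three samples are constructed assumptions.

```python
import re

STRING = re.compile(r'"(?:\\.|[^"\\])*"' + r"|'(?:\\.|[^'\\])*'")
IDENT = re.compile(r"(?<![\w$])[A-Za-z_$][\w$]*")
OPAQUE = re.compile(r"_0x[0-9a-f]+|[A-Za-z_$]")      # hex-style or one character
ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
DYNAMIC = re.compile(r"(?<![\w$.])(?:eval|Function|unescape)\s*\(")
KEYWORDS = {"var", "let", "const", "function", "return", "if", "else", "for", "while", "new"}

# Illustrative thresholds (assumptions), not values used by any product.
THRESHOLDS = {"opaque_names": 0.5, "escaped_strings": 0.5, "dynamic_eval": 1}

# Constructed samples: readable, minified for size, and deliberately obscured.
READABLE = 'function greet(name) { var message = "Hello, " + name; console.log(message); return message; }'
MINIFIED = 'function g(n){var m="Hello, "+n;console.log(m);return m}'
OBFUSCATED = (r'var _0x1f=["\x6c\x6f\x67","\x48\x69"];'
              r'var _0x2a=eval("\x63\x6f\x6e\x73\x6f\x6c\x65");'
              r'_0x2a[_0x1f[0]](_0x1f[1]);')

def indicators(js):
    """Score three obfuscation indicators for a piece of JavaScript text."""
    literals = STRING.findall(js)
    code = STRING.sub("", js)                 # names are counted outside strings
    names = [n for n in IDENT.findall(code) if n not in KEYWORDS]
    opaque = sum(1 for n in names if OPAQUE.fullmatch(n))
    string_chars = sum(len(s) for s in literals)
    escaped = sum(len(e) for s in literals for e in ESCAPE.findall(s))
    return {
        "opaque_names": opaque / len(names) if names else 0.0,
        "escaped_strings": escaped / string_chars if string_chars else 0.0,
        "dynamic_eval": len(DYNAMIC.findall(code)),
    }

def flags(js):
    """Return the indicators that meet or exceed their threshold."""
    scores = indicators(js)
    return [name for name, limit in THRESHOLDS.items() if scores[name] >= limit]
```

The minified sample trips the naming indicator even though it only shrinks file size, which is the false-positive case the paragraph above describes; requiring several indicators together reduces that noise.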

Obfuscation and copyleft licenses

There has been debate on whether it is illegal to skirt copyleft software licenses by releasing source code in obfuscated form, such as in cases in which the author is less willing to make the source code available. The issue is addressed in the GNU General Public License by requiring the "preferred form for making modifications" to be made available.[23] The GNU website states "Obfuscated 'source code' is not real source code and does not count as source code."[24]

Decompilers

A decompiler can reverse-engineer source code from an executable or library. Decompilation is sometimes called a man-in-the-end (mite) attack, based on the traditional cryptographic attack known as "man-in-the-middle". It puts source code in the hands of the user, although this source code is often difficult to read. The source code is likely to have random function and variable names and incorrect variable types, and to use different logic from the original source code (due to compiler optimizations).

Model obfuscation

Model obfuscation is a technique to hide the internal structure of a machine learning model.[25] Obfuscation turns a model into a black box. It is contrary to explainable AI. Obfuscation models can also be applied to training data before feeding it into the model to add random noise. This hides sensitive information about the properties of individual samples and groups of samples.[26]

References

  1. "What is obfuscation (obfu)? - Definition from WhatIs.com". SearchSoftwareQuality. Archived from the original on February 2, 2019. Retrieved February 1, 2019.
  2. Binstock, Andrew (March 6, 2003). "Obfuscation: Cloaking your Code from Prying Eyes". Archived from the original on April 20, 2008. Retrieved November 25, 2013.
  3. Atwood, Jeff (May 15, 2005). "Jeff Atwood, May 15, 2005". Codinghorror.com. Archived from the original on January 9, 2010. Retrieved November 25, 2013.
  4. "Obfuscation". Kenter.demon.nl. Archived from the original on March 4, 2016. Retrieved November 25, 2013.
  5. "C++ Tutorials – Obfuscated Code – A Simple Introduction". DreamInCode.net. Archived from the original on June 28, 2008. Retrieved November 25, 2013.
  6. "C Tutorials – Obfuscated Code in C". July 7, 2011. Archived from the original on December 27, 2013. Retrieved November 25, 2013.
  7. As of 2013-11-25 18:22 GMT. "Pe(a)rls in line noise". Perlmonks.org. Archived from the original on January 16, 2009. Retrieved November 25, 2013.
  8. "Obfuscation – Haskell Wiki". February 16, 2006. Archived from the original on August 30, 2017. Retrieved March 3, 2020.
  9. Montfort, Nick. "Obfuscated code" (PDF). Archived from the original (PDF) on April 24, 2019. Retrieved November 24, 2017.
  10. Ben Kurtovic. "Obfuscating "Hello world!"". benkurtovic.com. Archived from the original on September 14, 2017. Retrieved October 18, 2017.
  11. "Obfuscated Python". wiki.c2.com. Archived from the original on February 14, 2017. Retrieved October 18, 2017.
  12. "The First Annual Obfuscated Python Content". code.activestate.com. Archived from the original on May 25, 2023. Retrieved October 18, 2017.
  13. domas (November 3, 2022), xoreaxeaxeax/movfuscator, archived from the original on November 12, 2022, retrieved November 5, 2022.
  14. Break Me00 The MoVfuscator Turning mov into a soul crushing RE nightmare Christopher Domas, archived from the original on October 21, 2022, retrieved November 5, 2022.
  15. Williams, Al (March 21, 2021). "One Instruction To Rule Them All: C Compiler Emits Only MOV". Hackaday. Retrieved October 23, 2023.
  16. "JAPH – Just Another Perl Hacker". pm.org. Perl Mongers. Archived from the original on May 16, 2013. Retrieved February 27, 2015.
  17. "Cryptography Breakthrough Could Make Software Unhackable". Wired. ISSN 1059-1028. Archived from the original on April 14, 2022. Retrieved March 14, 2021.
  18. Jain, Aayush; Lin, Huijia; Sahai, Amit (2020). "Indistinguishability Obfuscation from Well-Founded Assumptions". Cryptology ePrint Archive. arXiv:2008.09317. Archived from the original on March 3, 2022. Retrieved March 14, 2021.
  19. ""Can We Obfuscate Programs?" by Boaz Barak". Math.ias.edu. Archived from the original on March 23, 2016. Retrieved November 25, 2013.
  20. "Blocking website and only way to fix is disabling HTTPS s... | AVG". support.avg.com. July 21, 2020. Archived from the original on February 4, 2022. Retrieved February 4, 2022.
  21. at 05:01, Thomas Claburn in San Francisco 2 Oct 2018. "Google taking action against disguised code in Chrome Web Store". www.theregister.co.uk. Archived from the original on November 12, 2019. Retrieved November 12, 2019.
  22. Cimpanu, Catalin. "Mozilla announces ban on Firefox extensions containing obfuscated code". ZDNet. Archived from the original on March 5, 2020. Retrieved November 12, 2019.
  23. "Reasoning behind the "preferred form of the work for making modifications to it" language in the GPL". Lwn.net. Archived from the original on December 2, 2013. Retrieved November 25, 2013.
  24. "What is free software?". gnu.org. Archived from the original on October 14, 2013. Retrieved December 18, 2014.
  25. Zhou, Mingyi; Gao, Xiang; Wu, Jing; Grundy, John C.; Chen, Xiao; Chen, Chunyang; Li, Li (2023). "Model Obfuscation for Securing Deployed Neural Networks".
  26. Zhang, Tianwei; He, Zecheng; Lee, Ruby B. (July 12, 2018). "Privacy-preserving Machine Learning through Data Obfuscation". arXiv:1807.01860 [cs.CR].
