Journal of cog (4665)

Monday April 11, 2005
07:01 AM

Obfuscation is not Security

[ #24125 ]
"You can protect your applications from attack by applying obfuscation techniques to convolute your source code."

No, you can't :-) The mere idea!! :-)

Obfuscating code to protect it is like putting a big stone in front of your house's door. It won't prevent people from getting in. It will just give them extra work.

The more you obfuscate, the more likely you are to challenge the great hackers who deobfuscate just for fun :-)

I am yet to see obfuscated code I can't deobfuscate (but sure, if you give me obfuscated code in a language I don't understand... it's going to take me some time).

"Hopefully, you now have a better feel for the compilation process and understand how obfuscation is a powerful tool you can use to protect your code from exploitation and hacking."

No, I don't. I'm sorry, but I have to disagree... :-)

  • I wonder if I could get a job obfuscating code :-)
  • I wrote the initial set of code that Larry turned into the CRYPTSWITCH enabled encryption filter in early perl3. Carrying forward that ability for encrypting scripts was the initial purpose of the Filter module in perl5, although the ability to apply arbitrary filtering to the incoming code stream was designed into it and the Filter::Crypt module was one of the initial examples of how to use that ability.

    But, the company I was at was never foolish enough to believe that encrypting scripts made the code saf

    • I recall scaring the hell out of a programmer that was relying on Filter::decrypt. He'd thought it was full on encryption rather than just elaborate obfuscation and apparently the company had bought into that, too. I told him I could bust the obfuscation. He didn't believe me so he sent me a simple sample. IIRC my algorithm was something like...

      require the code
      walk the symbol table looking for globals and subroutines
      Data::Dumper the globals
      B::Deparse the subroutines

      The tricky part was the file-scoped
      • I haven't tried it, but what I figured the easiest method (even before B::Deparse came along) would be to write another filter and name it Filter::Decrypt. It would use the "real" Filter::Decrypt but tee the results before passing them on as its "filtered" output. It's the basic man-in-the-middle attack.
  • Man what the heck is that doing on an O’Reilly site.

    I do have to qualify that obscurity is not the devil: there is no need to help an attacker along, regardless of how safe you think you are. It’s way foolish to rely on obscurity as your sole line of defense, though. That’s just asking for trouble.

  • the vast majority of software pirates won't spend 500 hours reverse engineering and patching a simple $10 shareware application

    Every anti-piracy method is based on this assumption. Every one fails because it is not true. It was not true back when it was a bunch of computer nerds copying 5 1/4" floppies using BitNibbler downloaded off a dial-up BBS and it's not even remotely true now with your grandma downloading music over BitTorrent.

    The vast majority do not need to break the obfuscation. Just one.
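
The steps listed in the Filter::decrypt comment above (require the code, walk the symbol table, Data::Dumper the globals, B::Deparse the subroutines) show why an encoded script is only obfuscated: once perl has compiled it, the interpreter holds everything in inspectable form. The sketch below is an added example, not code from the post or its commenters; the module `Demo::Licensed`, the helper `recover_package` and the use of Base64 in place of a real source filter are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);
use B::Deparse;
use Data::Dumper;

# Constructed sample: a module whose source ships only in encoded form.
# Base64 stands in for whatever transformation a "protector" applies.
my $plain = <<'SRC';
package Demo::Licensed;
our $LICENSE_KEY = 'constructed-placeholder';
sub check { my ($k) = @_; return $k eq $LICENSE_KEY }
1;
SRC
my $shipped = encode_base64($plain);

# What any loader must do before perl can run the code: decode and compile.
eval decode_base64($shipped) or die "load failed: $@";

# Hypothetical helper: return every package scalar and every sub body
# that the loaded code left behind in the package's symbol table.
sub recover_package {
    my ($pkg) = @_;
    my $deparse = B::Deparse->new('-p');
    my (%globals, %subs);
    no strict 'refs';
    for my $name (sort keys %{"${pkg}::"}) {
        my $full = "${pkg}::$name";
        $globals{$name} = ${$full} if defined ${$full};
        $subs{$name} = $deparse->coderef2text(\&{$full}) if defined &{$full};
    }
    return (\%globals, \%subs);
}

my ($globals, $subs) = recover_package('Demo::Licensed');
local $Data::Dumper::Sortkeys = 1;
print Data::Dumper->Dump([$globals], ['globals']);
print "sub $_ $subs->{$_}\n" for sort keys %$subs;
```

File-scoped `my` variables do not appear in the symbol table, so this sketch covers package globals and named subs only. The design lesson is that keys, credentials and licence logic shipped inside the script should be treated as readable by whoever runs it.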