In software development, obfuscation is the act of creating source or machine code that is difficult for humans or computers to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements. Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic or implicit values embedded in it, primarily, in order to prevent tampering, deter reverse engineering, or even to create a puzzle or recreational challenge for someone reading the source code. This can be done manually or by using an automated tool, the latter being the preferred technique in industry.
The architecture and characteristics of some languages may make them easier to obfuscate than others. C, C++, and the Perl programming language are some examples of languages easy to obfuscate. Haskell is also quite obfuscatable despite being quite different in structure.
The properties that make a language obfuscatable are not immediately obvious.
Writing and reading obfuscated source code can be a brain teaser. A number of programming contests reward the most creatively obfuscated code, such as the International Obfuscated C Code Contest and the Obfuscated Perl Contest.
Types of obfuscations include simple keyword substitution, use or non-use of whitespace to create artistic effects, and self-generating or heavily compressed programs.
According to Nick Montfort, techniques may include:
- naming obfuscation, which includes naming variables in a meaningless or deceptive way;
- data/code/comment confusion, which includes making some actual code look like comments or confusing syntax with data;
- double coding, which can be displaying code in poetry form or interesting shapes.
Disadvantages of obfuscationEdit
- While obfuscation can make reading, writing, and reverse-engineering a program difficult and time-consuming, it will not necessarily make it impossible.
- It adds time and complexity to the build process for the developers.
- It can make debugging issues after the software has been obfuscated extremely difficult.
- Once code becomes abandonware and is no longer maintained, hobbyists may want to maintain the program, add mods, or understand it better. Obfuscation makes it hard for end users to do useful things with the code.
- Certain kinds of obfuscation (i.e. code that isn't just a local binary and downloads mini binaries from a web server as needed) can degrade performance and/or require Internet.
A decompiler can reverse-engineer source code from an executable or library. Decompilation is sometimes called a man-at-the-end attack, based on the traditional cryptographic attack known as "man-in-the-middle". It puts source code in the hands of the user, although this source code is often difficult to read. The source code is likely to have random function and variable names, incorrect variable types, and use different logic than the original source code (due to compiler optimizations).
Cryptographers have explored the idea of obfuscating code so that reverse-engineering the code is cryptographically hard. This is formalized in the many proposals for indistinguishability obfuscation, a cryptographic primitive that, if possible to build securely, would allow one to construct many other kinds of cryptography, including completely novel types that no one knows how to make. (A stronger notion, black-box obfuscation, was shown impossible in 2001 when researchers constructed programs that cannot be obfuscated in this notion.)
Notifying users of obfuscated codeEdit
Some anti-virus softwares, such as AVG AntiVirus, will also alert their users when they land on a website with code that is manually obfuscated, as one of the purposes of obfuscation can be to hide malicious code. However, some developers may employ code obfuscation for the purpose of reducing file size or increasing security. The average user may not expect their antivirus software to provide alerts about an otherwise harmless piece of code, especially from trusted corporations, so such a feature may actually deter users from using legitimate software.
A variety of tools exist to perform or assist with code obfuscation. These include experimental research tools created by academics, hobbyist tools, commercial products written by professionals, and open-source software. Deobfuscation tools also exist that attempt to perform the reverse transformation.
Although the majority of commercial obfuscation solutions work by transforming either program source code, or platform-independent bytecode as used by Java and .NET, there are also some that work directly on compiled binaries.
Obfuscation and copyleft licensesEdit
There has been debate on whether it is illegal to skirt copyleft software licenses by releasing source code in obfuscated form, such as in cases in which the author is less willing to make the source code available. The issue is addressed in the GNU General Public License by requiring the "preferred form for making modifications" to be made available. The GNU website states "Obfuscated 'source code' is not real source code and does not count as source code."
- AARD code
- Spaghetti code
- Write-only language
- Esoteric programming language
- Overlapping instructions
- Polymorphic code
- Hardware obfuscation
- Underhanded C Contest
- Source-to-source compiler
- ProGuard (Java Obfuscator)
- Dotfuscator (.Net Obfuscator)
- Digital rights management
- Indistinguishability obfuscation
- Source code beautification
- "What is obfuscation (obfu)? - Definition from WhatIs.com". SearchSoftwareQuality. Retrieved February 1, 2019.
- Binstock, Andrew (March 6, 2003). "Obfuscation: Cloaking your Code from Prying Eyes". Archived from the original on April 20, 2008. Retrieved November 25, 2013.
- Atwood, Jeff (May 15, 2005). "Jeff Atwood, May 15, 2005". Codinghorror.com. Retrieved November 25, 2013.
- "Obfuscation". Kenter.demon.nl. Archived from the original on March 4, 2016. Retrieved November 25, 2013.
- "C++ Tutorials – Obfuscated Code – A Simple Introduction". DreamInCode.net. Retrieved November 25, 2013.
- "C Tutorials – Obfuscated Code in C". July 7, 2011. Retrieved November 25, 2013.
- As of 2013-11-25 18:22 GMT. "Pe(a)rls in line noise". Perlmonks.org. Retrieved November 25, 2013.
- "Obfuscation – Haskell Wiki". February 16, 2006. Archived from the original on August 30, 2017. Retrieved March 3, 2020.
- Montfort, Nick. "Obfuscated code" (PDF). Archived from the original (PDF) on April 24, 2019. Retrieved November 24, 2017.
- "JAPH – Just Another Perl Hacker". pm.org. Perl Mongers. Archived from the original on May 16, 2013. Retrieved February 27, 2015.
- Ben Kurtovic. "Obfuscating "Hello world!"". benkurtovic.com.
- "Obfuscated Python". wiki.c2.com.
- "The First Annual Obfuscated Python Content". code.activestate.com.
- domas (November 3, 2022), xoreaxeaxeax/movfuscator, retrieved November 5, 2022
- Break Me00 The MoVfuscator Turning mov into a soul crushing RE nightmare Christopher Domas, retrieved November 5, 2022
- ""Can We Obfuscate Programs?" by Boaz Barak". Math.ias.edu. Archived from the original on March 23, 2016. Retrieved November 25, 2013.
- "Cryptography Breakthrough Could Make Software Unhackable". Wired. ISSN 1059-1028. Retrieved March 14, 2021.
- Jain, Aayush; Lin, Huijia; Sahai, Amit (2020). "Indistinguishability Obfuscation from Well-Founded Assumptions". Cryptology ePrint Archive. arXiv:2008.09317.
- "Blocking website and only way to fix is disabling HTTPS s... | AVG". support.avg.com. July 21, 2020. Retrieved February 4, 2022.
- at 05:01, Thomas Claburn in San Francisco 2 Oct 2018. "Google taking action against disguised code in Chrome Web Store". www.theregister.co.uk. Retrieved November 12, 2019.
- Cimpanu, Catalin. "Mozilla announces ban on Firefox extensions containing obfuscated code". ZDNet. Retrieved November 12, 2019.
- "Reasoning behind the "preferred form of the work for making modifications to it" language in the GPL". Lwn.net. Retrieved November 25, 2013.
- "What is free software?". gnu.org. Retrieved December 18, 2014.
- Seyyedhamzeh, Javad, ABCME: A Novel Metamorphic Engine, 17th National Computer Conference, Sharif University of Technology, Tehran, Iran, 2012.
- B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan and K. Yang. "On the (Im)possibility of Obfuscating Programs". 21st Annual International Cryptology Conference, Santa Barbara, California, USA. Springer Verlag LNCS Volume 2139, 2001.
- Mateas, Michael; Nick Montfort. "A Box, Darkly: Obfuscation, Weird Languages, and Code Aesthetics" (PDF). Proceedings of the 6th Digital Arts and Culture Conference, IT University of Copenhagen, 1–3 December 2005. pp. 144–153.