Java Code ObfuscationReverse EngineeringProblem of Reverse EngineeringCode ObfuscationCode Obfuscation TechniquesDesign ObfuscationsClass Coalescing ObfuscationClass Coalescing Obfuscation ExampleSlide 9Class Coalescing Obfuscation ShortcomingsClass Splitting ObfuscationSlide 12Slide 13Class Splitting Obfuscation ShortcomingsType HidingSlide 16Slide 17Type Hiding ShortcomingsObfuscation ProductsConclusionJava Code ObfuscationNeerja BhatnagarReverse EngineeringFiguring out source code corresponding to a given byte codeSource code intellectual property, needs protectionMoney, intelligence, hard work, time put to work to develop codeProblem of Reverse EngineeringJava code especially prone to reverse engineering, becauseJava byte code well documented and well structured (freely available in JVM specs)Most of the information contained in source code also present in byte code.Software engineers have little control over distribution of Java applications and their source code because most Java applications distributed over the Internet (easy downloads)Code ObfuscationTechnique to discourage and deter reverse engineeringScrambles byte code to make it unintelligible, difficult to understandAlters structure and appearance of code Attempts to make in uneconomical for an attacker to reverse engineer codeDoes not affect function of original programDoes not alter source code, alters byte codeCode Obfuscation TechniquesLow-Level Layout ObfuscationsControl ObfuscationsData ObfuscationsHigh-Level or Design ObfuscationsClass Coalescing ObfuscationClass Splitting ObfuscationType HidingDesign ObfuscationsLow-level obfuscation techniques not sufficient because they do not hide design informationDesign information can facilitate an attacker from gaining general understanding of code and what it doesDesign obfuscations aim at hiding valuable high-level design informationClass Coalescing ObfuscationCombines two or more classes into a single classIf the classes to be coalesced have attributes with same name, these are renamed to distinguish among themhave non-constructor methods with same signature, except for one non-constructor methods, all others are renamed and alteredClass Coalescing Obfuscation Examplepublic class Animal { String name; int age; public Animal() { name = “Goofy”; age = 1; } public int calcAge() { return 2004 – 1985; } public void comments() { System.out.println(“Fluffy”); }}public class A { String name; String model; int age; int age2; public Animal() { name = “Goofy”; age = 1; } public Car() { name = “VW”; age = 2; } public int calcAge() { return 2004 – 1985; } public int calcAge(int make) { return 2004 – make; } public void comments() { System.out.println(“Fluffy”); } public void commentsFromCar() { System.out.println(“Smooth”); } }public class Car { String model; int age; public Car() { name = “VW”; age = 2; } public int calcAge(int make) { return 2004 – make; } public void comments() { System.out.println(“Smooth”); }}Class Coalescing Obfuscation ShortcomingsBecomes very complicated when classes extend other classes or implement interfaces because superclasses and interfaces need to be coalesced toovariable names and method signatures cannot be altered in any wayCannot be performed when classes extend classes from Java standard libraryJava standard library classes need to be coalesced tooMakes code non-portableClasses with native methods cannot be coalesced because analyzing native code very difficultClass Splitting ObfuscationSplits a class into multiple classes Several ways to split a classValid split function preserves dependencies among class’s methods and fieldsValid split functions include Split class A into classes A1 and A2, where A2 extends A1Split methods defined in class A between classes A1 and A2Class Splitting Obfuscation Examplepublic class Dog { String name; int age; String sound; public Dog() { name = “Bruno”; age = 5; sound = “woof”; } public void bark() { System.out.println(“Woof! Woof!”); } public void sleep() { System.out.println(“zzz…zzz”); }}public class Animal { String name; int age; public Animal() { name = “Bruno”; age = 5; } public void sleep() { System.out.println(“zzz…zzz”); }}public class Doggie extends Animal { String sound; public Doggie() { super(); sound = “woof”; } public void bark() { System.out.println(“Woof! Woof!”); }}Class Splitting Obfuscation ShortcomingsSplitting a class very difficult unless initial design faultyMay have reverse effect Splitting a class may improve overall code design, and get rid of spaghetti code!Might actually help the attacker, rather than deter himType HidingUses the concept of Java interfaceTransforms a concrete class into several interfacesEach interface contains a random subset of the concrete class’s methods and fieldsObscures by declaring a concrete class that implements those interfacesType Hiding Examplepublic class Dog { String name; int age; String sound; public Dog() { name = “Bruno”; age = 5; sound = “woof”; } public void bark() { System.out.println(“Woof! Woof!”); } public void sleep() { System.out.println(“zzz…zzz”); }}interface LivingCreature { public void bark();}interface Animal { public void sleep();}public class Doggie { String name; int age; String sound; public Dog() { name = “Bruno”; age = 5; sound = “woof”; } public void bark() { System.out.println(“Woof! Woof!”); } public void sleep() { System.out.println(“zzz…zzz”); } }Type Hiding ShortcomingsType hiding done the way described in previous slide especially vulnerable to reverse engineeringMore effective when combined with low-level obfuscation techniquesCan be made stronger when randomly selected classes go through type hiding, instead of all classesObfuscation ProductsRetroGuard by Retrologic SystemsKlassmaster by ZelixJObfuscator by Duckware Semantic DesignsConclusionNone of the obfuscation techniques sufficient by themselvesA combination of these techniques might provide strong resistance to reverse engineeringSome claim code obfuscation slows down
View Full Document
Unlocking...