Obfuscation (software)


In software development, obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements. Programmers may deliberately obfuscate code to conceal its purpose or its logic or implicit values embedded in it, primarily, in order to prevent tampering, deter reverse engineering, or even to create a puzzle or recreational challenge for someone reading the source code. This can be done manually or by using an automated tool, the latter being the preferred technique in industry.

Overview

The architecture and characteristics of some languages may make them easier to obfuscate than others. C, C++, and the Perl programming language are some examples of languages easy to obfuscate. Haskell is also quite obfuscatable despite being quite different in structure—the properties that make a language obfuscatable are not immediately obvious.

Recreational obfuscation

Writing and reading obfuscated source code can be a brain teaser. A number of programming contests reward the most creatively obfuscated code, such as the International Obfuscated C Code Contest and the Obfuscated Perl Contest.
Types of obfuscations include simple keyword substitution, use or non-use of whitespace to create artistic effects, and self-generating or heavily compressed programs.
According to Nick Montfort, techniques may include:
  1. naming obfuscation, which includes naming variables in a meaningless or deceptive way;
  2. data/code/comment confusion, which includes making some actual code look like comments or confusing syntax with data;
  3. double coding, which can be displaying code in poetry form or interesting shapes.
Short obfuscated Perl programs may be used in signatures of Perl programmers. These are JAPHs.

Examples

This is a winning entry from the International Obfuscated C Code Contest written by Ian Phillipps in 1988 and subsequently reverse engineered by Thomas Ball.

/*
LEAST LIKELY TO COMPILE SUCCESSFULLY:
Ian Phillipps, Cambridge Consultants Ltd., Cambridge, England
  • /
  1. include
main
char
a;
+,/*eKK

Advantages of obfuscation

The scripts used by web-pages have to be sent over the network to the user agent that shall run them; the smaller they are, the faster the download.
In antique run-time interpreted languages, like older versions of BASIC, programs executed faster and took less RAM if they used single letter variable names, avoided comments and contained only necessary blank characters.
In such use-cases, minification can produce real advantages.
Where the source code of a program must be sent to the user, for example the scripts in a web-page, any trade secret, licensing mechanism or other intellectual property contained within the program is, in principle, accessible to the user.
Obfuscating the program can, in such cases, make it harder for users to circumvent license mechanisms or obtain information the program's supplier wished to hide.
Likewise, malicious programs may use obfuscation to disguise what they are really doing.
Most users don't even read such programs; and those that do typically have access to software tools that can help them to undo the obfuscation, so this strategy is of limited efficacy.
On some platforms a decompiler can reverse-engineer source code from an executable or library.
Decompilation is sometimes called a man-at-the-end attack, based on the traditional cryptographic attack known as "man-in-the-middle".
It puts source code in the hands of the user, with results similar to those discussed in the previous paragraph.
Obfuscating the program may limit a decompiler's ability to produce equivalent source code, or the user's ability to make sense of the results of decompilation; but, as for the case where the user has the source, this at most slows down the small proportion of users who will even attempt decompillation.

Disadvantages of obfuscation

While obfuscation can make reading, writing, and reverse-engineering a program difficult and time-consuming, it will not necessarily make it impossible. Some anti-virus software, such as AVG AntiVirus, will also alert their users when they land on a site with code that is manually obfuscated, as one of the purposes of obfuscation can be to hide malicious code. However, some developers may employ code obfuscation for the purpose of reducing file size or increasing security. The average user may not expect their antivirus software to provide alerts about an otherwise harmless piece of code, especially from trusted corporations, so such a feature may actually deter users from using legitimate software.
Certain major browsers such as Firefox and Chrome also disallow browser extensions containing obfuscated code.

Obfuscating software

A variety of tools exist to perform or assist with code obfuscation. These include experimental research tools created by academics, hobbyist tools, commercial products written by professionals, and open-source software. There also exist deobfuscation tools that attempt to perform the reverse transformation.
Although the majority of commercial obfuscation solutions work by transforming either program source code, or platform-independent bytecode as used by Java and.NET, there are also some that work directly on compiled binaries.

Obfuscation and copyleft licenses

There has been debate on whether it is illegal to skirt copyleft software licenses by releasing source code in obfuscated form, such as in cases in which the author is less willing to make the source code available. The issue is addressed in the GNU General Public License by requiring the "preferred form for making modifications" to be made available. The GNU website states "Obfuscated 'source code' is not real source code and does not count as source code."