Morphing Code to Prevent Reverse Engineering? 507
ptolemu writes "Cringely's latest article discusses a new obfuscation technique currently being researched called PSCP (Program State Code Protection). An informative read that concludes with some interesting insight on the software giants that heavily depend on this kind of technology."
do what i do (Score:5, Funny)
delete all the white space, and comment in Hungarian
Re:do what i do (Score:5, Funny)
Re:do what i do (Score:3, Funny)
Re:do what i do (Score:3, Interesting)
The scope tag is probably more useful than the data type.
Re:do what i do (Score:5, Insightful)
It's like the comments. They tell you what the programmer *meant* to do, not what he or she did.
Similarly, Hungarian notation tells you the *intended* scope, type, etc, but the compiler may have a very different view of things.
Re:do what i do (Score:5, Funny)
Re:do what i do (Score:3, Insightful)
Hungarian notation was designed for large, multi-developer projects where you're frequently working
Re:do what i do (Score:5, Insightful)
Hungarian notation is only truly useful in classic Win32 programming, because by now it's really its own programming language based loosely on C, where lpszfoobar takes the place of strong typing. But, if you're starting a project from scratch, you don't need to support legacy LPARAM/WPARAM/WPARAM_which_is_really_LPARAM, and thus there's no need for hungarian notation. Especially if you use a strongly-typed OOP language such as Java, and, AFAIK, C#.
Re:do what i do (Score:5, Insightful)
Unless you're using something like BASIC where variables just suddenly appear out of the ether I really can't see how Hungarian notation is necessary. Especially in an age where we have advanced editors with split windows, and powerful search tools like glimpse, cscope, and ctags.
Besides, why should I trust some agglutinated letters on a variable name when I can do the same thing the compiler will do and look at the type declaration and be totally _sure_ of the type of the variable? What if some doofus changed the type of the variable in the declaration but was too lazy to update all the instances of Hungarian notation? Hungarian notation can only lead to a code maintainence nightmare!
Re:do what i do (Score:5, Funny)
Re:do what i do (Score:4, Insightful)
Those are questions that the editor/gui should be able to answer without the need to add typing work for the programmer. I'm sure there are a lot of variables with erroneous hungarian notation, either because of programmer error, or programmer misunderstanding, or a 'forgot to update that' type of thing...Usually no information is better than misinformation.
Re:do what i do (Score:5, Insightful)
tmp is less clear, but it certainly would have local scope, and only exists because of shortcomings in the implementation language (like not having a primitive operation for swapping the values of two variables without introducing a temporary variable), but no real significance in the problem domain.
These variable names are perfectly acceptable and clear - unless you abuse them, of course, but you can abuse all nameing schemes. Nothing stops you from calling a global integer m_pszHelloKitty.
Hungarian notation on the other hand is problematic because a) it is just a non-functional workaround for the weak typing in C and C++ (and their habit to make type errors crash your program in random unrelated places, or just corrupt your data) and b) there aren't actually enough rules, and if there were, nobody could remember them all. "iSomeInteger" and "sSomeString" are pretty common, but if you happen to use more interesting types, or even a whole C++ class hierarchy, it just doesn't work anymore. The only use of Hungarian Notation is to make clueless middle managers happy, similar to a long-winded format for mandatory comments preceding any trivial function or multi-page e-mail disclaimers. Source code is readable when you can actually read it out loud and people would understand whats going on, not if you encrypt redundant information in variable names.
Comment removed (Score:4, Insightful)
Re:do what i do (Score:5, Insightful)
The language I use most of the time is Common Lisp, which started as a compromise between several Lisp dialects that have evolved since the late 50ies, together with new functionality designed in the 90ies. This lead to standard function names ranging from cdr and rplacd to update-instance-for-redefined-class. While there are more or less consistent rules explaining either of these, I think they are all bad. The trick is to come up with names that are both unambigous and short. This is very hard (and the fact that ANSI CL defines nearly 1000 names, all on one package, doesn't help). In fact, I often have the feeling that coming up with good names for my functions, classes etc. is harder than their actual implementation. But it is also more important, because that is what others will have to use and understand, and communication between humans is a more serious issue in programming than communication with the computer.
Besides, any sensible IDE would allow you to search for an exact name or at least a regular expression, so that a search for "i" would not find all mentions of "update-instance-for-redefined-class".
Re:do what i do (Score:3, Funny)
Comment?
Re:do what i do (Score:5, Funny)
In fact, it obfuscated my Python code so badly even the interpreter couldn't figure out what the hell it meant.
Maybe I need to improve my Hungarian.
KFG
Re:do what i do (Score:5, Funny)
Ha, you laugh. At my first job, the documentation for our product (a medical management system) was written by the original software developer - who was Hungarian. Screen after screen, there were pages filled with explanations like this:
LOBExpCode. This is the LOBExpCode for the system. Enter your LOBExpCode here.
NGFTSMapC. This is the NGFTSMapC for the system. Enter your NGFTSMapC here.
And so on. And no, no data dictionary. Occasionally there would be half-pages of attempted explanation in extremely broken English. Even our own developers couldn't tell what half the stuff did. So that's one form of code obfuscation...
Re:do what i do (Score:4, Funny)
Re:do what i do (Score:4, Interesting)
Hungarian? Forget about it. Use Finnish. (Score:3, Funny)
As a Finn, I must propose our language as a viable alternative for obfuscation purposes. Please allow me to demonstrate:
Tama koodi ei toimi ja siina on ladonoven kokoinen aukko - mutta ei Linus sita tajua.
Re:Hungarian? Forget about it. Use Finnish. (Score:5, Insightful)
Writing code and/or comments in finnish or hungarian would be the ultimate obfuscation technique. People who know english have a bigger chance to guess what words could mean if they were written in persian.
Re:Hungarian? Forget about it. Use Finnish. (Score:5, Interesting)
Umm no. You're way off, sorry.
Finnish and Hungarian are related, but not very closely. They're both Finno-Ugric languages, but the relation is roughly as distant as that between, say, German and Greek for instance. And probably less apparent, since German has quite a few Greek loan-words, particularly in scientific fields, but Hungarian and Finnish don't borrow from each other noticeably.
Other Finno-Ugric languages include Mansi, Khanty, Udmurts, and Mordvin, the balto-finnic languages (or dialects, depending on who you ask) which includes Finnish, Estonian, Karelian, Izhora, Veps, Vod, and Liv; and the closely related Saami languages spoken in the far north of Sweden, Norway, Finland, and northwest Russia.
This group is in turn more distantly related to the Samoyedic languages spoken in parts of Siberia.
Basque isn't closely enough related to any of these for linguists to have established any relationship, although many have suspected there was one and put a lot of time and energy into trying to find evidence of one.
Re:Security by obscurity (Score:5, Informative)
Are folks really using obfuscation for Java? (Score:5, Insightful)
- the jar files were secure because they were on the server and
- bytecode optimization and jar size was the least of our problems
Obfuscation seems to be useful only for client-side Java applications that contains super-secret valuable algorithms. I mean, who cares if somebody decompiles your code to see how you did sortable JTables or whatever?
Re:Are folks really using obfuscation for Java? (Score:3, Interesting)
But then again, our software isn't on 90% of all computers or whatever, so I guess we're less worried about exploi
Re:Are folks really using obfuscation for Java? (Score:4, Insightful)
Re:Are folks really using obfuscation for Java? (Score:3, Interesting)
I think on top of that, Java does so much stuff, like garbage collection, that programmers don't need to worry about it. But the Java optimizations are always implemented conservatively. If I did my own garbage collection, I could free the memory as soon as I'm done with it, but under Java GC is done only periodically, and only sweeps
Re:Are folks really using obfuscation for Java? (Score:5, Insightful)
Or you can do like many C++/C projects do and simply forget to free the memory (i.e. memory leaks).
Greetings,
Re:Are folks really using obfuscation for Java? (Score:5, Insightful)
I disagree, the theory of an optimising JIT compiler (such as HotSpot) disagrees, and a whole bunch of studies disagree. But you are entitled to your opinion.
If I did my own garbage collection, I could free the memory as soon as I'm done with it, but under Java GC is done only periodically, and only sweeps items that fulfill certain qualities (so it might not get everything as soon as it should).
Firstly, there are a number of GC strategies available, you only describe the most common. Secondly, what is the performance hit of an object staying around for too long? As soon as memory becomes tight the JVM will become more aggressive with GCs in order to free up space. If memory is not tight however, then NOT doing a GC is actually more performant (a no-op is always faster than a dealloc). Thirdly, Java GC is not really "conservative". An object is eligable for collection when (and only when) the reference count is zero. Off the top of my head I can't think of any reasonable argument that says it is safe to dealloc an object to which there is a live reference. If you know that the object is dead - just null the reference and voila - it's eligable for GC. In the apps I am responsible for the number one overriding priority is reliability - memory leaks, buffer overflows and magically vanishing objects are way too much of a risk and hence C++ is not a suitable environment for us.
Re:Are folks really using obfuscation for Java? (Score:4, Interesting)
I enjoy Java and program in Java and will confess that the stuff they include is usually useful (our software would probably be fscked if we didn't have GC or any of these other features, they just degrade performance (and I believe they have to). I would love to hear your response.
When I describe the mark and sweep method, it is the most common, and will likely be the most frequently used. However check here [javaperfor...tuning.com] for an analysis of the other types. If garbage collection were a lightweight, trivial process, then why would Java need to implement 6 different schemes?
Incidentally, we tried testing the various different schemes here and it was a mess trying to get anything out of it.
Yeah, all you have to do is null the object and it'll be collected. Keep in mind, though, that in C++ you just do a delete (or a dealloc) and it's gone, you don't need to scan the whole environment doing reference counts and then doing the corresponding deallocs.
I agree that Java is fine, and it's sturdy, and it's a delight to use, it's just that (all the way up to the great-grandparent) I think that he got it right when Java programmers are (rightfully so) more concerned about all these optimizations (why do you think they're necessary?) than about any sort of run-time security.
Again, just my opinion.
Re:Are folks really using obfuscation for Java? (Score:5, Interesting)
If you need a tamper-resistant client-side binary, don't use Java. It's that simple. A good engineer understands many different tools and selects the best one for the job.
Re:Are folks really using obfuscation for Java? (Score:5, Insightful)
You're obviously not living in the "real world". Here, an engineer uses the tool that the PHB management selects for him, based on buzzwords, what competitors are doing, and what schmoozing vendors have sold to them.
Re:Are folks really using obfuscation for Java? (Score:5, Insightful)
If a CPU can understand your code, so can a human. The solution to this problem are licenses, not obfuscators.
Yes (Score:5, Insightful)
Obfuscation does also provide a speed bump to those attempting to disassemble your code. Without obfuscation, anybody with a casual interest could just glance at your code using javap, etc. Retroguard [retrologic.com] fits saemlessly enough into the build process that adding a simple level of protection to the code is usually simple and transparent.
Re:Yes (Score:5, Insightful)
Right, yup, obfuscation reduces class file size. Certainly, that can be important in some environments.
> anybody with a casual interest could just
> glance at your code using javap,
Sure. But what will they learn? How the code processes MouseEvent.MOUSE_CLICKED? How you use sockets? How you show that nifty splash screen? I mean... who cares?
Going off topic now, but, anyhow, nifty [pensamos.com]!
It's not about learning, it's about plagiarism (Score:5, Interesting)
Reverse engineering is not the problem (Score:5, Insightful)
This technique might be interesting for stopping people from stealing your closed source code, but as far as security goes it's pretty much worthless. 99% of the vulnerabilities in MS's code were found before their code was leaked, and if you believe them, even the major exploit found after it was leaked had more to do with bad code than someone finding the existing problem by reading the code.
Re:Reverse engineering is not the problem (Score:5, Interesting)
For instance, consider Quake. Quake is a great deal of fun, so long as everybody is playing fair. However, when somebody cracks the game and develops an aimbot (they're real), it's not fun anymore. Even if Quake were open source, some kind of run-time obfuscation would be great just to help prevent cheaters.
I recall reading about an exploit for Age of Empires (or was it Age of Kings...) where in a networked game, you could run a monitor program that would let you see what resources your opponent had. Then, by watching changes in their resource supply, you could guess what units they were building. That was automated for you, of course. "Ah, they keep spending 45 wood and 25 gold, they must be building archers! I should build cavalry."
Anyway, even when we're not talking about greedy corporations protecting their intellectual property rights, there are still good reasons for keeping what's going on in your program hidden from prying eyes.
Re:Reverse engineering is not the problem (Score:5, Insightful)
Re:Reverse engineering is not the problem (Score:5, Insightful)
Because of the n millions of lines of code in Redmond it's certainly daunting to actually go through and make good code out of the mess, rather than the obscurity.
The fact that there's an open vulnerable port is a flaw, and the FIX is to make the port secure, rather than to shift its address every five seconds or whatever, which is only a Band-Aid.
MS is just lucky that the bulk of its customers don't truly know what's going on, otherwise the business model they have wouldn't work.
I.e. since I'm not a doctor, my doctor can prescribe whatever for me, or insist that I do whatever, and I'll take it as scripture. If what he recommends is the stupidest thing in the world, or he's blatantly a horrible doctor, I would have no idea and suffer the consequences. If I were also a doctor, though, I'd be able to call shenanigans the very second he did something wrong. That's why educating the consumer is the most crucial point of this whole issue.
Enough (Score:4, Funny)
Re:Enough (Score:5, Funny)
Wonder Twins. (Score:5, Funny)
Form of, illegible code.
Shape of, encrypted executables.
Not sure where the monkey fits into all of this.
Won't work (Score:4, Insightful)
Re:Won't work (Score:5, Insightful)
That IS the point, I'm sure you realize.
Re:Won't work (Score:3, Insightful)
Automation just breeds counter-automation. It's an arms race, and I don't really think JITO (Just In Time Obfuscation) is the answer.
Re:Won't work (Score:5, Insightful)
Most of the time it's not even worth reverse engineering unencrypted code, because it's really hard. There are open source projects that go undone because people don't want to expend the effort.
The trick is not to make it impossible, but to make it hard enough that it isn't done. That level is different for different projects, but it's always finite.
Re:Won't work (Score:5, Interesting)
There was a section of code hidden by about forty layers of byte-by-byte XORing against bytes looked up in a table. At each level, it would intercept the Debug and Single Step interrupts, XOR the next layer, and jump into it. In those floppy-only days, it had to be reverse engineered a layer at a time, each step producing a disk with one less layer. Approximately the 40th disk had the actual copy-test code...which turned out to be pirated code!
This was also before BIOS shadowing in RAM, and the BIOS executed straight from ROM. The test for the laser burn required hooking into it, which of course they couldn't do in ROM. Instead of working out their own shadowing routine they copied some 700 bytes of the IBM Fixed Disk BIOS, inserted their hooks, and then made a weaselly attempt to cover their tracks by interchanging logical-shift with arithmetic-shift instructions wherever it was guaranteed that nothing would go through the carry bit.
And all that meshugass was there only to hide the publisher's own piracy...the copycrack consisted of a two-byte change elsewhere on the disk.
rj
Re:Won't work (Score:5, Interesting)
One forms logical boxes around things. For instance, a good cracker knows to identify the boundary between the JIT and the bytecode, know where the security check call is made, and what threads are monitoring the heap and garbage collector.
When cracking, you initially "freeze" the code, the machine, the stack, and the registers. You're working at such a low level, it begins with a step-by-step of understanding how everything fits together.
For example: Imagine the
Also, you look at the program file itself. THIS is what the article seems to be saying: the bytecode is obsfucated...without context clues you're not going to discern how it works. But you can snap up context many times with a cracking tool. In this article, they seem to imply that each snapshot will be different by scrambling the variable names, or program locations. By seeing how all the names have been crammed, a pattern develops.
Also, I take issue that
Lastly, what makes these tools immune from reverse-engineering themselves? If I know the patterns this DASH-stuff uses, I can begin to reverse them. Unless there's one-way hashing or hardward/networked keys flying around, everything to solve the puzzle is right there, for me and my friends to examine at our leisure. This is done today by virus writers to try to avoid detection by checkers; they know how they work.
If this tool becomes actually as valuable as he claims, then I expect it's own design (stolen or RE'd) to appear in the cracker circles like any other.
But perhaps I'm missing something?
Re:Won't work (Score:3, Insightful)
Personally though, I think advanced obfuscation would make it REALLY easy for closed source applications to conceal swiped GPL code. I'm sure its already happened, but up to this point, you could do some binary comparisons, or trace it in runtime. With this stuff the article was talking about, you couldn't do that anymore. What's to stop companies from violating the GPL license? their own sense of ethics. Yeah, we're in trouble.
By the way, if
Re:Won't work (Score:3, Insightful)
The only thing even close is "the source code for a work means the preferred form of the work for making modifications to it." I don't see that as explicitly ruling out obfuscation.
Try telling the judge that you name all your variables v0001, v0002, v001, and so on. Simply stated, obfuscation is something you do specifically to stop somebody from understanding the code.
zzzzzzz (Score:3, Insightful)
easy to do (Score:3, Funny)
Not enough eyes to make the bugs shallow... (Score:5, Insightful)
With Open Source, *everyone* gets to look at the code, so there any many eyes, and the bugs get shallower.
Re:Not enough eyes to make the bugs shallow... (Score:5, Insightful)
You're a asuming that there is a Microsoft way to look at code and that every MS developer is a robot brain washed to think that way. MS hire very capable and brilliant people, you couldn't tell the difference between a bunch of NT kernel hackers and a bunch of Linux kernel hackers, both groups are extremely knowledgeable and manufacture high quallity code.
MS has the biggest industrial infrastructure in the world of quallity assurance. Every developer should go trhough an internship in Redmond to see this.
Large software *is* complex, period. Given a finite amount of talent and time, bugs are depedent of the size of the project, it really don't make a difference whether you're code is open source or not.
How many people do you think actually look at open source code to look for bugs?
Moral: if MS releases buggy, exploitalbe and potentially unsafe code is *not* because they are sloppy or because propietary code is inherently worse than open source, is because large software is complex and takes a lot of time to do it right [joelonsoftware.com].
It's ironic (Score:5, Insightful)
With software, though, people still insist on trying hide and pretend as if there were no viruses out there and that we would be impervious to them.
Can we finally just open all of our code so we can vaccinate it against all these exploits?
Isn't this just self-modifying code? (Score:5, Insightful)
The thing I don't understand about the article (and how it describes the PSCP process) is this: how will this make reverse engineering more difficult?
When you're starting to crack something, you work backwards from system calls, library calls, and known behaviors. "Known behaviors" are, well, patterns of code that people (or compilers) use to do things. Anyone good at low-level stuff can probably identify the compiler used to build the code. Likewise, if you think about something enough, you can probably figure out three or four ways to do something, and look for that pattern in the code.
PSCP prevents this...how? By making this process happens as the program runs? How else do you reverse engineer something?
Anyway, it sounds like this thing sits right before the
What am I not getting here?
Re:Isn't this just self-modifying code? (Score:5, Informative)
Re:Isn't this just self-modifying code? (Score:5, Interesting)
Re:Isn't this just self-modifying code? (Score:5, Insightful)
Have these people learned nothing?
Re:Isn't this just self-modifying code? (Score:5, Insightful)
If so, this raises a couple of issues:
And there is even an Open Source aspect to this new form of protection: It can be used as a new form of attribution. Who wrote what part of that Open Source program? Copyright notices and comments can be removed, but the PSCP code renaming signature can't be.
Open source code which can only submitted while obfuscated (thus preserving its signature) is not open source any more, so I don't buy this as a benefit of the technology.
I think the main dangers to people protecting their source code in the medium term will remain what they are now: Incompetence and conspiracy from within (witness the win2k code leakage)
Re:Isn't this just self-modifying code? (Score:3, Insightful)
Yes, I was puzzled by his statements about watermarking open-source code. You would still have to distribute the original, unobfuscated source to allow people to make changes. The GPL even explicitly forbids distributing obfuscated code. It says something the like the code must be distributed in the "preferred format for making chang
Just need to tap the Analog Out... (Score:5, Insightful)
Just like all the hubbub over proprietary signal encryption to "protect" digital audio streams, all you need here would be the CPU-equivalent of the old Analog Out jack.
Break it down to the Universal Turing Machine and tape analogy. The program code is the tape, and the state of the machine is in the tape-executing device. If the tape were to somehow morph itself dynamically, and yet execute properly by morphing to a well-designed program at the moment it is read for execution, all you have to do is to watch the read/write head of the UTM itself.
If they find ways to monkey around with bytecodes so that they're shifted around between disk and executor, just run it with a special version of the executor. Shouldn't be hard... the standard for what the unencrypted bytecodes are capable of accomplishing are standardized. Execute the code once, and take "notes" of what is being accomplished. Run through a code coverage test suite, even a crude black-box analysis, and you should get an unscrambled bytecode equivalent.
It just doesn't make sense. If obfuscation, i.e. obscurity, is your only security, it is no security at all.
Wow (Score:5, Insightful)
Compilation to bytecode and an "interpreted language" are NOT THE SAME THING. Both the CLR and a compiled java class are effectively machine code for a machine that doesn't exist. These abstract machines have machine code that reveal *MORE* information to a disassembler/reverse engineer than, say, x86 or PPC assembly, but it is still far, far from being code. This is reaction one that I have. The rest of the article is so confused I don't even know how to respond to it.
Re:Wow (Score:5, Informative)
The Java Virtual Machine is a stack machine - there are no CPU registers. There's a seperate memory store for local variables. That tends to make it easy to tell exactly what data is being operated on at any given time.
I've seen Java decompilers that return very clear, readable code.
Reverse Engineering is Good (Score:5, Insightful)
Think about R.E. like about game. It's like cracking, but it's good. And it's about creating, not about destroying.
Re:Reverse Engineering is Good (Score:4, Interesting)
the dark side (Score:5, Interesting)
ex. I write YourDoom.A and i write it using this new code morphing obfuscator. how exactly are Anti-virus programs 1. suppose to remove this? 2. identify this?
Given the numberous amount of VB/Outlook bugs and considering that
Couldn't this be applied to P2P? (Score:4, Interesting)
And maybe this is already being done -- or maybe this is just pure stupidity on my part for asking the question -- but couldn't this sort of "morph-as-you-go" theory be used to obfuscate -- and essentially hide -- a network path used to get (or put) a piece of data? Kinda like BitTorrent -- but in a much more severe, much more shifty way? You getting the data -- eventually -- and you're both downloading and uploading as you go -- but the paths through which your current bit of data is being retrieved are both unknown until you visit it and obscured once you leave it?
virus writers dream (Score:3, Insightful)
Re:virus writers dream (Score:5, Informative)
Of course, virus writers have been using this since the early 1990s. One particular virus called Ontario III [nai.com] (there might be others before it) used this trick. An interesting part from the virus writeup: "The Ontario III virus uses a very complex form of encryption with no more than two bytes remaining constant in replicated samples."
performance (Score:5, Insightful)
Millions of paths implies some sort of jump instruction, whether or not that translates to millions of function calls, i don't know. assume it does. then instead of making millions of function calls, your making billions of function calls. Going from millions to billions is a large step, bigger than just swapping an "m" for a "b" in marketingspeak. So are they planning on passing this performance hit to the legitimate consumer? No thanks, I'll take my Free source code and like it.
Anti-virus software and heuristics (Score:5, Interesting)
Great. (Score:5, Insightful)
Top 12 Things A Klingon Programmer Would Say (Score:3, Funny)
11. This machine is a piece of GAGH! I need dual
processors if I am to do battle with this code!
10. You cannot really appreciate Dilbert unless you've read
it in the original Klingon.
9. Indentation?! -- I will show you how to indent
when I indent your skull!
8. What is this talk of 'release'? Klingons do not make
software 'releases'. Our software 'escapes' leaving a bloody
trail of designers and quality assurance people in its wake.
7. Klingon function calls do not have 'parameters' -- they
have 'arguments' -- and they ALWAYS WIN THEM.
6. Debugging? Klingons do not debug. Our software
does not coddle the weak.
5. I have challenged the entire quality assurance
team to a Bat-Leth contest. They will not concern us again.
4. A TRUE Klingon Warrior does not comment his code!
3. By filing this SPR you have challenged the honor
of my family. Prepare to die!
2. You question the worthiness of my code? I should
kill you where you stand!
1. Our users will know fear and cower before our software.
Ship it! Ship it, and let them flee like the dogs they are!
I can see a market for this. (Score:5, Insightful)
Yet, I have no doubt that if someone came up to them and warned them about the dangers of IP theft and showed them this solution, they would bite.
If they really wanted to do maximum damage to their competition they should have just released the source code and hoped their competitors tried to used that as guidance.
There are probably some rare instances when a specialized software technique is developed and you want to keep its implementation specifics secret. I have yet to run into a single instance of this after many years in the industry.
Hmm... (Score:5, Informative)
The software arms race. (Score:5, Insightful)
Every single one of these is broken. Almost all good programmers are capable of deciphering the standardised, retail-boxed algorithm used for the obfuscation, and can easily un-obfuscate it. Are all the Java variables named "a"? Diddums! You don't have a Java decompiler with the option to ignore that simple tweak.
All that matters is:
1) How important is the code behind the obfuscation?
2) How much time and effort is the reverse engineer willing to spend?
If you use a company's retail-box obfuscator, anyone with the "'Brand X obfuscator' deobfuscator v1.0" can get straight at your code. It's a technological arms race, nothing more.
Disagreements with the Premise (Score:5, Insightful)
I don't love microsoft, but I think this article makes several claims without backing them up or offering any explanation as to their merits. Such as:
And "You can write a program in C# or Visual Basic.NET." while factually accurate, ignores Delphi.NET, C++ managed code using the CRL, and other implementations of the CRL (COBOL, etc).
I think the basic premise of the article, where if someone is using your objects it is obviously a bad thing/security breach, is flawed. If you need to secure your objects, SECURE them! Seal them, see who is calling you, etc.
Lastly, As shown by previous posts, Obfuscation is not the end-all panacea to security. In my opinion, it's barely a detour. Otherwise, Open Source literally could not be secure.
Just one question (Score:5, Insightful)
Obscurity generation... (Score:3, Informative)
E.g. all states and variables are in an array called n[][] and the program is basically a big loop.
Quite impossible to know whats going on
Two completely different issues (Score:5, Insightful)
In theory, if you don't run the binary you have, you don't need to worry about it modifying itself. The same techniques that work on obfuscated byte code now should work on the the binary. Now if you were trying to reverse engineer a program by running it and tracing it, that's where PSCP seems like it would help.
Sounds like a way to make things more unstable (Score:5, Insightful)
I'm sure this would make QA testing a nightmare.
Let's try an experiment! (Score:4, Funny)
How does this protect your .NET assembly? (Score:5, Interesting)
We'll ignore the obvious problem presented by the fact that your
We'll ignore the fact that instructions which modify other code are generally very easy to spot -- because they must refer to regions of a program's address space where code resides -- and it should be easy to find these code morphing instructions and turn them into no-ops.
We'll set both of those tricky issues aside and focus on the crux of the matter. How does this PSCP protect the program *before* it starts running? When the cracker gets his hands on my juicy
So, the school of crackers that likes to use a debugger to deduce program behavior may find themselves having trouble. But in the worst case, all I need to do is run the morphing code in a debugger, record the location of the program counter at the point in the program's execution in which I'm interested, and then consult the corresponding section of the program code that resides in the original
Think about it: if PSCP wanted to change the location of a jump target, for example, it would need to track down every other instruction in the program that jumped to that instruction, and modify the jump to point to the new location of the jump target.
Such solutions for Java already exist (Score:3, Informative)
Retrologic awarded Java byte code obfucator (Open Source! and free!) [retrologic.com]
not free but you can try before you buy [condensity.com]
ZelixKlassMaster [zelix.com]Yet Another Java Byte Code Obfuscator (YAJBCO)
But I'm not sure they really work - just provide level of security similar to classical machine code. Btw. the MyDoom virus was BurnEye encrypted - so what?
Yawn (Score:4, Insightful)
Yeah, users demand that their executables should change randomly at runtime. I'm sure that there can never be any bugs introduced by this process. Applications won't randomly crash for no reason...
Oh, wait. I guess this is MSFT. They wouldn't care about random crashes, data corruption, security holes, or any of that boring stuff.
It must be said (Score:3, Funny)
Imagine the ramifications of that statement. Actually it's kind of true--my increasingly bad sleep patterns and worsening ability to attract women are probably direct results of coding! But hey, at least I can't get reverse-engineered (that sounds like sodomy, so I think it's a Very Good Thing(TM))
Cloakware (Score:4, Informative)
If it can be compiled, it can be cracked (Score:5, Interesting)
Examples of Stupid Obfuscator Tricks include:
- Scrambling exception ranges so they don't nest.
- Inserting non-structured GOTOs
- Inserting never-executed exits from synchronized blocks
There are others, these are just the ones that I recall. A compiler (static or JIT, it does not matter) must deal with all of these.There are two outs that I know of. One is to only use interpreted code and morph it on the fly (still seems vulnerable to an observant interpreter, but perhaps the amount of necessary observations can be made extravagantly large), the other is to require use of a "trusted" compiler (which, in turn, requires use of a "trusted" OS to prevent substitution of an untrusted compiler, which in turn requires "trusted" hardware to prevent substitution of an untrusted OS).
Certified Applications. (Score:3, Interesting)
The FDA come a knocking and start asking about the checks in place that ensure that the code that you write and document is the code that actually gets performed.
FDA Auditor: So, this code specified in this document. Can you please show me how you ensure that this code is actually performed when you run the program here that you say is the one that this document references.
IT Guy: Sorry, Cant
FDA Auditor: Why isnt it?
IT Guy: because the code that gets run is different every time it is run, and indeed during a single run it changes.
FDA Auditor: So, What your saying is that you cannot guarantee that the applications specified in all these documents is the application code that actually runs.
IT Guy: Yep, thats about it...
Oh, now at this point in the discussion it gets serious.
Who on this list actually thinks that dynamic code obfustication like they propose is actually worth a damn.
What happens when this mutating mess gets it wrong?
Who is to blame?
Come on now, this is stupid, this is the worst form of pandering to corporate paranoia.
This is true snakeoil.
These are all just turing machines.
This argument is so stupid. (Score:5, Interesting)
Like Ultra-Wide-Band networking and enterprise XML integration, this column fits a Cringely mold of writing an entire article about the business plan of one small company most people haven't heard of, and passing it off as an important insight about the IT industry as a whole. It works for the most part because there are a lot of neat-sounding business plans out there. Every start-up company in the world has a story about how their vision, fully realized, would shake up the entire industry. It makes for great column-fodder, but provides poor analyses.
If you read the whole column here twice, you immediately become aware of the fact that Cringely's entire "argument" turns on the idea that security rests on keeping source code secret. Because "interpeted" code "always" discloses code secrets, "interpreted" platforms like .NET will require the intellectual property wrapped up in schemes like PSCP. Therefore, the "inventors" or PSCP hold an important position on the chess-board of the entire IT industry. Microsoft and Sun will launch bidding wars to ensure they control the PSCP IP.
Of course this is just crazy-talk. Just for a moment, leave aside the argument that something like PSCP can really prevent reverse engineering. In the post-PSCP world, all security rests in a distributed repository of millions of lines of source code "locked up" in an organization that spans 45 buildings and untold tens of thousands of people in Redmond. You can't keep source code secret. Closed source is a speed-bump to dedicated attackers, who will break into networks, find corrupt insiders, or even get janitor temp positions in order to get the code.
Nobody working in security seriously believes that the source code for Windows 2000 wasn't floating around the computer underground years before the most recent disclosure. 'Twas ever thus: most of the SunOS and Solaris exploits that powered attackers in the mid-90's were derived from stolen Sun source code. Stolen source trees have always been the most stable currency in the computer underground for exactly that reason. What you do with the compiled product of that code makes no difference if the blueprints are already in enemy hands.
I'm not sure it's even worth confronting Cringely's argument (that PSCP is a strategic technology that is crucial to .NET security) head-on, but I think I can make a decent response simply by evoking video game copy protection. Companies went through all sorts of contortion to devise copy-protection schemes. Kids with the Microsoft Macro Assembler bible thwarted them, because, just like in the DRM/Media battle, when you control the entire player architecture, it is impossible to completely secure the content. Regardless of whether PSCP makes it harder to grep out the cookie cutter exploit from the .NET IR, the payoff in the "battle" between code-obfuscation and exploit generation is much higher than the payoff to defeat copy protection, and nobody has ever won the copy protection battle.
Cringley is right every once in awhile (business plans occasionally do pan out!), like with Eolas and Burst. I normally wouldn't care enough to comment, but this time he's inadvertantly promoting a damaging and popular misconception in his article.
I Should be paid to read articles like that... (Score:4, Interesting)
First of all, anyone that intends to write an article about a "new" software engineering theory or theoretical application needs to make sure they not only understand what they are talking about, but they also choose to collect quotes from people who know what they are talking about.
Here's a hint, if the person says "leverages" in a serious tone of voice they are either a sales-person or only received information from the sales team.
Now, beyond the other comments I could add, such as bad definitions of the framework, and the authors inability to name more than 2 examples of languages available to interact with that framework, there seems to be a large problem with the research content. There isn't any.
I could likely spend 20 to 30 minutes researching background informaiton on the internet and still have a more solid article, simply because I would have real information.
The information provided in this article appears to be the results of carefully skimming sales brochures. There is no real information on the processes involved, reverse engineering, or numbers invilved in terms of performance.
We find out that there are "...billions of paths..." but this is just marketing talk, obvious for it's lack of detail. Reverse engineering is detailed as something used by hackers (in the newer, negative sense) to find holes in code. There is no mention of the other side, ie reverse engineering old software when the original developers are not available and no one felt documentation or up-to-date source code was necessary, among many other valid and legal reasons for reverse engineering. There is a brief comment about the extra resource usage, but it is considered negligable (in comparison to...?) and in fact this process is also mentioned as having no negative impact. tanstaffl.
All in all this sounds like something that will be overhyped, overused, and in the end more of a pain than anything else. Clueless managers everywhere will demand all of the code use this new and impervious format when there are many easier ways to prevent security loss without the so far unknown problems with this new method (not to mention security holes in the obfuscation methods itself).
Now when people try to reverse engineer code to look for security holes they won't find them because the holes were swept under the carpet. I may stand up for MS more often than deride them, but the kindest way I can say this is that this new method of obscurity is a little less than bright. Just as I wouldn't use anything beta from MS, you can bet that I won't be using this technology either. I prefer solid code, testing, and a solid license. By the time they have finished reverse engineering version 1, the next version will be underway, leaving them just as far behind as before.
Snake Oil (Score:3, Interesting)
sorry, I am bitter
On the other hand byte code obfuscators will not stop anyone who wants to disassemble. I remember about 9 or 8 years ago I was disassembling a simple DOS com file (anyone remembers inclogo.com, with a INCLOGO word being printed in a 320x200 graphics mode with some simple 256 byte coloring and shading that changed in a loop? It looked cool, so I wanted to find out how it worked.) Couldn't figure out the machine code for some reason, so loaded it into the Turbo Debugger
Ta da!
done.
How is this going to be any different? Code cannot be obscured to the hardware and a cracker works at the hardware level.
Doesn't this sound to you like the commercials for the 'new and improved 1024 bit encryption' that sometime ago was put out by one Israeli company (there was an article on
This is snake oil.
Solution in search for a problem (Score:3, Interesting)
Oooo... Self Modifying Code, version 2. (Score:4, Insightful)
Self modifying code did little more than provide an extra 30 minutes of amusement.
It didn't stop any of us back then, it sure as hell won't stop anyone now. Apparently, these idiots have never heard of things like Soft-ICE.
Reverse engineering isn't hard, it's just tedious without the source. OTOH, we've been doing it for decades without source... it's only recently that we've had the luxury of (sometimes) having it. Regardless, these boneheads seem to confuse "reverse engineering" with "decompiling" - the two have nothing to do with each other.
"Changes variable names"... rofl, that's really gonna screw up DEBUG, isn't it...
Never the same code twice? Yikes... (Score:5, Insightful)
Just suppose that every once in a while the obfuscated version of the code just isn't exactly 100% functionally equivalent to all the others.
How are you ever going to debug that?
It's far worse than a bug in a compiler optimizer.
Worse yet, this could even be used to attack competitors. Let's say the obfuscator has the ability to distinguish code from different vendors in some way... (well, for example, let's supposed the code is signed). It could subtly sabotage the products of certain vendors so that they seemed to be buggy or unreliable... and the victim would never know what had happened or have any way of knowing what had happened (assuming the victim could not reverse the obfuscation).
Code like this will be slower and more fragile (Score:5, Insightful)
I don't believe it. This stuff can't cost "almost nothing" if it works with threads. If you have multiple paths of execution running through the same code, and the code is being dynamically morphed as the threads run, then either:
The morpher is fully thread-aware, to keep morph operations for thread A from pulling the rug out from under thread B (or C, D, ...). This implies extra sempahores, locking, unlocking, and the overhead of handling them.
The morhper is not fully thread-aware, and every so often the morpher for one thread will clobber another thread.
Am I missing something here?
Huh? (Score:4, Insightful)
The result is that nearly every emerging Microsoft product is vulnerable, including the OS itself
Now, it seems to be that the only conclusion being drawn is that my OS is vulnerable because someone can reverse engineer its code as if understanding it makes it less secure. Is Linux any less secure than Windows because everyone has access to its source code? Isn't this really an issue for people who "need" to keep their source code from prying eyes so their IP is not stolen?
This one is quite confounding:
Microsoft is absolutely committed to
What is a "security lapse" and why does lack of good obfuscation tools allow it? Am I vulnerable without tried and trusted security through obscurity?
Looking further back at the article on
Watch out everybody, the black helicopters are circling overhead.
Re:Resource Waste (Score:3, Insightful)
Remember, computers are now large enough and fast enough that there are plenty of cycles going to waste anyway. This theory is that if those idle cycles are spent rearranging the code, the reverse en