Managing the insider threat through code obfuscation

[jose at monkey.org (Jose Nazario)]

On Thu, 15 Dec 2005, Kenneth R. van Wyk wrote:

> The article's premise is that, because attackers can find out a great
> deal about the internals of databases and such by decompiling bytecode
> (in Java and .NET), bytecode should be obfuscated to hide its internal
> details.  The article points to several commercial bytecode obfuscation
> products:  http://www.devdirect.com/ALL/OBFUSCATIORS_PCAT_2014.aspx

if the person can develop exploits against the holes in the code, what
makes you think they can't fire up a runtime debugger and trace the code
execution and discover the same things?

the biggest threat internally isn't the one or two people per thousand who
can and will do this, it's the much larger number of people who wont use
exploit development techniques to access things they shouldn't. bytecode
obfuscation does nothing to stop that.

________
jose nazario, ph.d.                     jose at monkey.org
http://monkey.org/~jose/                http://infosecdaily.net/
                                        http://www.wormblog.com/