Managing the insider threat through code obfuscation

[jeremy.epstein at webmethods.com (Jeremy Epstein)]

Ken,

I looked into this a couple of years ago to protect against intellectual
property theft (e.g., reverse engineering) and to make it harder to bypass
software licensing techniques.  My conclusion at that point was that the
obfuscation didn't actually do much good (it was still fairly easy to figure
out what was going on).  It introduced an extra risky step - our developers
want to do their debugging/QA on unobfuscated versions so they can figure
out what goes wrong, but you then have to replicate all of your QA on the
obfuscated version to make sure that the obfuscator didn't break anything.
[I hope that no one would test one version and release another!]  And if
there was a discrepancy, it was likely to be difficult to find what went
wrong.

Most importantly for us, it made support a royal pain - stack traces no
longer meant anything.  And we had to be *very* careful not to obfuscate any
published or undocumented-but-known interfaces.

My conclusion is that it's better than just marketing hooey - there is some
technical advantage - but that if you have an extensible product and/or you
have to provide support, the pain is worse than the advantage.

--Jeremy

> -----Original Message-----
> From: sc-l-bounces at securecoding.org 
> [mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth R. van Wyk
> Sent: Thursday, December 15, 2005 8:59 AM
> To: Secure Coding Mailing List
> Subject: [SC-L] Managing the insider threat through code obfuscation
>
> This morning, an article caught my attention -- "Managing the 
> insider threat through code obfuscation",
> http://www.itmanagersjournal.com/article.pl?sid=05/12/13/1736253
>
> The article's premise is that, because attackers can find out 
> a great deal about the internals of databases and such by 
> decompiling bytecode (in Java and .NET), bytecode should be 
> obfuscated to hide its internal details.  The article points 
> to several commercial bytecode obfuscation products: 
> http://www.devdirect.com/ALL/OBFUSCATIORS_PCAT_2014.aspx
>
> I hadn't heard of this approach before, although I'm quite 
> familiar with how easy it is to decompile Java bytecode.  My 
> questions for the group are:
>
> o Anyone here have any good/bad experiences with bytecode obfuscation?
> o What is the impact on performance of the bytecode?
> o How about compatibility with various JVMs?
> o How much protection do these obfuscators really provide?
> o Is this all just a bunch of product marketing hooey?
>
> Well, at least the article uses the term "threat" correctly...
>
> Cheers,
>
> Ken van Wyk
> ---
> KRvW Associates, LLC
> http://www.KRvW.com
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc - 
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - 
> http://www.securecoding.org/list/charter.php