Secure Coding mailing list archives
Managing the insider threat through code obfuscation
From: bishop at cs.ucdavis.edu (Matt Bishop)
Date: Thu, 15 Dec 2005 08:42:40 -0800
Hi, Ken,
This morning, an article caught my attention -- "Managing the insider threat through code obfuscation", http://www.itmanagersjournal.com/article.pl?sid=05/12/13/1736253 The article's premise is that, because attackers can find out a great deal about the internals of databases and such by decompiling bytecode (in Java and .NET), bytecode should be obfuscated to hide its internal details. The article points to several commercial bytecode obfuscation products: http://www.devdirect.com/ALL/OBFUSCATIORS_PCAT_2014.aspx
I heard about code obfuscation in the late 1970's. A friend (and fellow student) in my graduate program said a company he worked at did exactly that. But the goal was *not* security; it was copyright protection. If anyone copied their binary, and claimed to have written it independently (and so did not need to pay a licensing fee), the company could easily prove to a court that the other user had not written it on their own by showing the convoluted logic in the program. I don't remember if he said they ever actually had to do this in court, but it seemed a pretty effective way to trace code lineage. The application was not one in which speed was critical, so the loss of speed due to the obfuscation was apparently tolerable (if not unnoticeable). I don't remember the language involved, but suspect pretty strongly it was *not* Java, because our discussion was some 15-20 years before Java was released ... :-)

Cheers to all!

Matt