Does obfuscation give any measurable security benefit?
I've always firmly held the belief that obfuscation is essentially useless. Obfuscated code is not impossible to read, only harder to read. I had the belief that a sufficiently skilled attacker would be able to bring the obfuscated code back into a more readable state.
However, OWASP recommends the usage of obfuscation for mobile clients, which makes me wonder if there is more credibility to obfuscation than I had given to it.
Hence my question: Does obfuscation give any measurable security benefit? Specifically, a benefit that outweighs the added cost, complexity and reduced performance.
Note: When I say "obfuscation", I am talking about deliberate steps taken to prevent reverse engineering. Compiler optimizations, even though they make the assembly less easy to read, are done for the purpose of improving performance, not to prevent reverse engineering.
asked 10 hours ago by MechMK1
1
In my experience, there's not a whole lot of measurement and empirical evidence gathering in the security world. It's mostly a lot of "well it SHOULD work like this", anecdotal experiences, and extrapolation. Personally I think code obfuscation is more about an attempt to protect business interests and code secrets than it is security.
– Steve Sether
10 hours ago
@SteveSether I thought the same way, but given that I consider OWASP a credible source, I wanted to see if perhaps my assertion was wrong.
– MechMK1
10 hours ago
One small benefit of obfuscation is information destruction. Things like spoken language, coding habits, etc. The process (ultimately code) can be re-understood, but identifiers are lost. Although, I can't think of a legitimate reason for this. Additionally, some obfuscation (e.g. Java back in the day) can introduce features in the output that cannot be easily rebuilt with the current technology/decompilers. This made Java excruciatingly cumbersome to decompile. Thus, deterring even experienced users from inferring the code. That's an obfuscation-is-better-than-its-competitors situation.
– Nathan Goings
4 hours ago
2 Answers
There are two benefits to code obfuscation:
- It weeds out the shallow end of the attacker pool. Script kiddies who struggle to make sense of your code will go somewhere else.
- It increases effort required of skilled attackers. No matter how skilled they are, obfuscation is cheaper than de-obfuscation, and the result is generally less comprehensible than the original (variable names will remain generic, for example, where the originals were descriptive).
@SteveSether is doubly right in his comment - actual measurements will be almost impossible to find, and many code bases are obfuscated for proprietary reasons* rather than security reasons.
But for both security and proprietary reasons, code obfuscation's value is tied to its asymmetric quality - it's cheaper to obfuscate than it is to de-obfuscate.
*By "proprietary reasons" I mean "the desire to keep one's code and algorithms more private, or harder to reproduce, in the interest of maintaining competitive advantage in the market." Companies and individuals are both prone to this tendency.
answered 9 hours ago by gowenfawr (edited 9 hours ago)
Can you please describe what you mean by "proprietary reasons"? I couldn't find a succinct translation
– MechMK1
9 hours ago
@MechMK1 tried to address your comment in the answer... does that help?
– gowenfawr
9 hours ago
1
Yes, thank you very much for that clarification. I'm not a native speaker, and I had some vague idea what it could mean, but always better to ask.
– MechMK1
9 hours ago
You might want to include some costs as well. Obfuscation isn't free, and it might indeed provide more security costs than benefits. e.g. debugging is harder, and it (could) introduce its own set of bugs since you are of course changing the code to obfuscate.
– Steve Sether
8 hours ago
As long as I have seen obfuscated code (mostly viruses and rootkits) on potentially everything able to receive from the Internet (mail, FTP, web, DNS, etc., in requests, logs, file transfers), the human time involved in deobfuscating code enough to find essential information, like the server address, admin ID and hashed password for a botnet, or sensible strings or library calls for viruses, is mostly counted in minutes...
So in terms of protection against strange code, this is not a big job (if not trivial).
By contrast, building editable sources from this kind of code could take a lot of time (to be counted in days, weeks or even more if the code is big. Anyway, the more the deobfuscation process progresses, the more efficient and quick it becomes... as when light is coming...)
About OWASP's recommendation, I agree: obfuscation implies human resources, so it represents some cost, making piracy less attractive.
About the measurability of the security benefit... I'm afraid, but... I can't! Depending on who could be interested in hacking your code, and why...
answered 9 hours ago by F. Hauri (edited 9 hours ago)
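The asymmetry the two answers describe, as an added example that is not code from either answer: a toy identifier-renaming obfuscator in Python showing that descriptive names are lost for good while behaviour and embedded constants survive intact. The sample function, its names and the `example.invalid` endpoint are constructed for illustration.

```python
import ast

# Constructed sample input: descriptive names plus an embedded endpoint.
# The host name is a placeholder, not taken from the page.
ORIGINAL = '''
def build_license_request(customer_id, license_key):
    endpoint = "https://licensing.example.invalid/v1/activate"
    payload = customer_id + ":" + license_key
    return endpoint + "?q=" + payload
'''


def bound_names(tree):
    """Names the code itself defines; builtins and imports are left alone."""
    bound = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            bound.add(node.name)
        elif isinstance(node, ast.arg):
            bound.add(node.arg)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            bound.add(node.id)
    return bound


class Renamer(ast.NodeTransformer):
    """Toy obfuscator: replaces every locally defined name with v0, v1, ..."""

    def __init__(self, renameable):
        self.renameable = renameable
        self.mapping = {}

    def _generic(self, name):
        if name not in self.renameable:
            return name
        return self.mapping.setdefault(name, f"v{len(self.mapping)}")

    def visit_FunctionDef(self, node):
        node.name = self._generic(node.name)
        self.generic_visit(node)
        return node

    def visit_arg(self, node):
        node.arg = self._generic(node.arg)
        return node

    def visit_Name(self, node):
        node.id = self._generic(node.id)
        return node


def obfuscate(source):
    """Return (obfuscated_source, mapping). The mapping is normally discarded,
    which is what makes the original names unrecoverable from the output."""
    tree = ast.parse(source)
    renamer = Renamer(bound_names(tree))
    tree = ast.fix_missing_locations(renamer.visit(tree))
    return ast.unparse(tree), renamer.mapping


def identifiers(source):
    """Every function, argument and variable name that appears in the source."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            names.add(node.name)
        elif isinstance(node, ast.arg):
            names.add(node.arg)
        elif isinstance(node, ast.Name):
            names.add(node.id)
    return names


def string_constants(source):
    """What a reviewer can still read directly after renaming."""
    return sorted(
        node.value
        for node in ast.walk(ast.parse(source))
        if isinstance(node, ast.Constant) and isinstance(node.value, str)
    )


def run(source, func_name, *args):
    """Execute the source in a fresh namespace and call one function."""
    namespace = {}
    exec(source, namespace)
    return namespace[func_name](*args)


if __name__ == "__main__":
    obfuscated, mapping = obfuscate(ORIGINAL)
    print(obfuscated)
    print("names lost:", sorted(mapping))
    print("strings still readable:", string_constants(obfuscated))
```

Renaming raises the cost of rebuilding maintainable source, but anything that must stay confidential should not be a constant in the shipped client.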