Does obfuscation give any measurable security benefit?


I've always firmly held the belief that obfuscation is essentially useless. Obfuscated code is not impossible to read, only harder to read. I had the belief that a sufficiently skilled attacker would be able to bring the obfuscated code back into a more readable state.



However, OWASP recommends the usage of obfuscation for mobile clients, which makes me wonder if there is more credibility to obfuscation than I had given to it.



Hence my question: Does obfuscation give any measurable security benefit? Specifically, a benefit that outweighs the added cost, complexity and reduced performance.




Note: When I say "obfuscation", I am talking about deliberate steps taken to prevent reverse engineering. Compiler optimizations, even though they make the assembly less easy to read, are done for the purpose of improving performance, not to prevent reverse engineering.







asked 10 hours ago

MechMK1










  • In my experience, there's not a whole lot of measurement and empirical evidence gathering in the security world. It's mostly a lot of "well it SHOULD work like this", anecdotal experiences, and extrapolation. Personally I think code obfuscation is more about an attempt to protect business interests and code secrets than it is security.

    – Steve Sether
    10 hours ago












  • @SteveSether I thought the same way, but given that I consider OWASP a credible source, I wanted to see if perhaps my assertion was wrong.

    – MechMK1
    10 hours ago











  • One small benefit of obfuscation is information destruction. Things like spoken language, coding habits, etc. The process (ultimately code) can be re-understood, but identifiers are lost. Although, I can't think of a legitimate reason for this. Additionally, some obfuscation (e.g. Java back in the day) can introduce features in the output that cannot be easily rebuilt with the current technology/decompilers. This made Java excruciatingly cumbersome to decompile. Thus, deterring even experienced users from inferring the code. That's an obfuscation-is-better-than-its-competitors situation.

    – Nathan Goings
    4 hours ago












2 Answers
There are two benefits to code obfuscation:



  1. It weeds out the shallow end of the attacker pool. Script kiddies who struggle to make sense of your code will go somewhere else.

  2. It increases effort required of skilled attackers. No matter how skilled they are, obfuscation is cheaper than de-obfuscation, and the result is generally less comprehensible than the original (variable names will remain generic, for example, where the originals were descriptive).

@SteveSether is doubly right in his comment - actual measurements will be almost impossible to find, and many code bases are obfuscated for proprietary reasons* rather than security reasons.



But for both security and proprietary reasons, code obfuscation's value is tied to its asymmetric quality - it's cheaper to obfuscate than it is to de-obfuscate.




*By "proprietary reasons" I mean "the desire to keep one's code and algorithms more private, or harder to reproduce, in the interest of maintaining competitive advantage in the market." Companies and individuals are both prone to this tendency.






edited 9 hours ago

answered 9 hours ago

gowenfawr
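The asymmetry and the loss of descriptive names described in the answer above, shown as an added example (not part of the original answer or of any tool it mentions): a minimal identifier renamer built on Python's standard `ast` module (Python 3.9+ for `ast.unparse`). The two sample functions and every name in them are constructed for illustration.

```python
import ast
import builtins

# Constructed sample: descriptive names and a comment explaining the check.
SRC_A = '''
def verify_license(license_key, customer_id):
    # weighted character sum must equal the customer id
    checksum = 0
    for position, char in enumerate(license_key):
        checksum = (checksum + (position + 1) * ord(char)) % 9973
    return checksum == customer_id
'''

# Constructed sample: the same algorithm written with unrelated names.
SRC_B = '''
def check_coupon(code, expected):
    total = 0
    for i, c in enumerate(code):
        total = (total + (i + 1) * ord(c)) % 9973
    return total == expected
'''


class Renamer(ast.NodeTransformer):
    """Rename functions, parameters and variables to v0, v1, ... (first-seen order).

    Limitation of this sketch: attribute names and keyword arguments at
    call sites are left alone, so it only suits simple self-contained code.
    """

    def __init__(self, keep):
        self.keep = set(keep)      # names that must survive, e.g. builtins
        self.mapping = {}          # original name -> generated name

    def _rename(self, name):
        if name in self.keep:
            return name
        return self.mapping.setdefault(name, f"v{len(self.mapping)}")

    def visit_FunctionDef(self, node):
        node.name = self._rename(node.name)
        self.generic_visit(node)
        return node

    def visit_arg(self, node):
        node.arg = self._rename(node.arg)
        return node

    def visit_Name(self, node):
        node.id = self._rename(node.id)
        return node


def obfuscate(source):
    """Return (obfuscated_source, mapping). Comments vanish because ast drops them."""
    renamer = Renamer(keep=dir(builtins))
    tree = renamer.visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree), renamer.mapping


def call(source, func_name, *args):
    """Execute source in a fresh namespace and call one of its functions."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    return namespace[func_name](*args)


def same_behaviour(source, func_name, cases):
    """True if the obfuscated function matches the original on every case."""
    obf_source, mapping = obfuscate(source)
    return all(
        call(source, func_name, *args) == call(obf_source, mapping[func_name], *args)
        for args in cases
    )


if __name__ == "__main__":
    out_a, map_a = obfuscate(SRC_A)
    out_b, _ = obfuscate(SRC_B)
    print(out_a)
    print("names removed:", sorted(map_a))
    # Two different originals collapse to one output, so no deobfuscator
    # can tell which names the author used: that information is gone.
    print("A and B indistinguishable after renaming:", out_a == out_b)
    print("behaviour preserved:",
          same_behaviour(SRC_A, "verify_license", [("AB", 197), ("AB", 198)]))
```

The renaming is a single automated pass for the defender, while the logic itself stays fully readable in the output; what a reader of the result cannot get back is the names and comments.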















    • Can you please describe what you mean by "proprietary reasons"? I couldn't find a succinct translation

      – MechMK1
      9 hours ago











    • @MechMK1 tried to address your comment in the answer... does that help?

      – gowenfawr
      9 hours ago






    • Yes, thank you very much for that clarification. I'm not a native speaker, and I had some vague idea what it could mean, but always better to ask.

      – MechMK1
      9 hours ago











    • You might want to include some costs as well. Obfuscation isn't free, and it might indeed provide more security costs than benefits. e.g. debugging is harder, and it (could) introduce its own set of bugs since you are of course changing the code to obfuscate.

      – Steve Sether
      8 hours ago


















        • As long I seen obfuscated code (mostly viruses and rootkits) on potentially everything able to recieve from Internet (mail, ftp, web, dns etc, in requests, logs, file transferts), humain time involved to deobfuscate code enough for finding essential informations like server address, admin id and hashed password for botnet or sensible strings or library calls for viruses is mostly count in minutes...



          So in term of protection against strange code, this is not a big job (if not trivial)



        • As opposite, building editable sources from this kind of code could take a lot of time (to be count in days, week or even more if code is big. Anyway more deobfuscation process progress, more they are efficient and quick... as when light is comming...)


        • About OWASP's recommendation, I agree: Obfuscation implie human ressources, so they represent some cost, making piracy less attractive.


        • About measurablility of security benefit... I'm afraid, but... I can't! Depending on who could be interested by hacking your code, and why...







        share|improve this answer















        share|improve this answer




        share|improve this answer








        edited 9 hours ago

























        answered 9 hours ago









        F. Hauri

        3,431 reputation, 1 gold badge, 15 silver badges, 28 bronze badges
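An added example, not part of F. Hauri's answer: a defender's triage sketch for the first bullet's point that essential strings can be recovered from obfuscated code without rebuilding readable source. The sample, its single-byte XOR plus base64 layering, and every name in it are constructed assumptions.

```python
import base64
import re

# Constructed sample: a made-up config, XORed with one byte and base64-encoded,
# dropped into a script-like line. Nothing here comes from a real sample.
_PLAIN = b"server=http://panel.example.net/gate.php;admin=operator"
_BLOB = base64.b64encode(bytes(b ^ 0x5A for b in _PLAIN)).decode()
SAMPLE = f'var _0x1f=["{_BLOB}"];eval(_0x2a(_0x1f[0]));'

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
INDICATOR = re.compile(rb"https?://[\w.-]+(?:/[\w./-]*)?")


def candidate_blobs(text):
    """Yield decoded bytes for every base64-looking run in the text."""
    for m in B64_RUN.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # looked like base64 but did not decode


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII."""
    return sum(32 <= b < 127 for b in data) / max(len(data), 1)


def triage(text):
    """Return (xor_key, url) pairs recovered without reading the code itself."""
    hits = []
    for blob in candidate_blobs(text):
        for key in range(256):  # key 0 covers blobs with no XOR layer
            plain = bytes(b ^ key for b in blob)
            if printable_ratio(plain) < 0.95:
                continue  # wrong key: output is mostly binary noise
            hits += [(key, u.decode()) for u in INDICATOR.findall(plain)]
    return hits


if __name__ == "__main__":
    for key, url in triage(SAMPLE):
        print(f"key=0x{key:02x} indicator={url}")
```

The script never interprets the surrounding `eval` wrapper; it only decodes data, which is why this step is quick while producing editable source is not.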



