Code Obfuscation: Why is This Still a Thing?

Abstract

Early developments in code obfuscation were chiefly motivated by the needs of Digital Rights Management (DRM) [7]. Other suggested applications included intellectual property protection of software [4] and code diversification to combat the monoculture problem of operating systems [2]. Code obfuscation is typically employed in security scenarios where an adversary is in complete control over a device and the software it contains and can tamper with it at will. We call such situations the Man-At-The-End (MATE) [3] scenario. MATE scenarios are the best of all worlds for attackers and, consequently, the worst of all worlds for defenders: Not only do attackers have physical access to a device and can reverse engineer and tamper with it at their leisure, they often have unbounded resources (time, computational power, etc.) to do so. Defenders, on the other hand, are often severely constrained in the types of protective techniques available to them and the amount of overhead they can tolerate. In other words, there is an asymmetry between the constraints of attackers and defenders. Moreover, DRM is becoming less prevalent (songs for sale on the Apple iTunes Store are no longer protected by DRM, for example); there are new cryptographically-based obfuscation techniques [1] that promise provably secure obfuscation; secure enclaves [5] are making it into commodity hardware, providing a safe haven for security sensitive code; and recent advances in program analysis [12] and generic de-obfuscation [13] provide algorithms that render current code obfuscation techniques impotent. Thus, one may reasonably ask the question: "Is Code Obfuscation Still a Thing?" Somewhat surprisingly, it appears that the answer is yes. In a recent report, Gartner [14] lists 19 companies active in this space (8 of which were founded since 2010) and there are still (in 2017) many papers published on code obfuscation, code de-obfuscation, anti-tamper protection, reverse engineering, and related technologies. One of the reasons for this resurgence of code obfuscation as a protective technology is that, more and more, we are faced with applications where security-sensitive code needs to run on unsecured endpoints. In this talk we will show MATE attacks that appear in many novel and unlikely scenarios, including smart cars [6], smart meters [9], mobile applications such as Snapchat and smartphone games, Internet of Things applications [8], and ad blockers in web browsers [11]. We will furthermore show novel code obfuscation techniques that increase the workload of attackers [10] and which, at least for a time, purport to restore the symmetry between attackers and defenders.