Affiliation: Univ Arizona, Dept Comp Sci
digital rights management
Publisher: ASSOC COMPUTING MACHINERY
Citation: Collberg, C. (2018, March). Code obfuscation: Why is this still a thing?. In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy (pp. 173-174). ACM.
Journal: PROCEEDINGS OF THE EIGHTH ACM CONFERENCE ON DATA AND APPLICATION SECURITY AND PRIVACY (CODASPY'18)
Rights: © 2018 Copyright held by the owner/author(s).
Collection Information: This item from the UA Faculty Publications collection is made available by the University of Arizona with support from the University of Arizona Libraries. If you have questions, please contact us at email@example.com.
Abstract: Early developments in code obfuscation were chiefly motivated by the needs of Digital Rights Management (DRM). Other suggested applications included intellectual property protection of software and code diversification to combat the monoculture problem of operating systems. Code obfuscation is typically employed in security scenarios where an adversary is in complete control over a device and the software it contains and can tamper with it at will. We call such situations the Man-At-The-End (MATE) scenario. MATE scenarios are the best of all worlds for attackers and, consequently, the worst of all worlds for defenders: Not only do attackers have physical access to a device and can reverse engineer and tamper with it at their leisure, they often have unbounded resources (time, computational power, etc.) to do so. Defenders, on the other hand, are often severely constrained in the types of protective techniques available to them and the amount of overhead they can tolerate. In other words, there is an asymmetry between the constraints of attackers and defenders. Moreover, DRM is becoming less prevalent (songs for sale on the Apple iTunes Store are no longer protected by DRM, for example); there are new cryptographically-based obfuscation techniques that promise provably secure obfuscation; secure enclaves are making it into commodity hardware, providing a safe haven for security sensitive code; and recent advances in program analysis and generic de-obfuscation provide algorithms that render current code obfuscation techniques impotent. Thus, one may reasonably ask the question: "Is Code Obfuscation Still a Thing?" Somewhat surprisingly, it appears that the answer is yes. In a recent report, Gartner lists 19 companies active in this space (8 of which were founded since 2010) and there are still (in 2017) many papers published on code obfuscation, code de-obfuscation, anti-tamper protection, reverse engineering, and related technologies.
One of the reasons for this resurgence of code obfuscation as a protective technology is that, more and more, we are faced with applications where security-sensitive code needs to run on unsecured endpoints. In this talk we will show MATE attacks that appear in many novel and unlikely scenarios, including smart cars, smart meters, mobile applications such as Snapchat and smartphone games, Internet of Things applications, and ad blockers in web browsers. We will furthermore show novel code obfuscation techniques that increase the workload of attackers and which, at least for a time, purport to restore the symmetry between attackers and defenders.
Version: Final accepted manuscript
Sponsors: NSF, National Science Foundation (NSF) [CNF-1145913]