Abstract
Bytecode, Java’s binary form, is relatively high-level and therefore susceptible to decompilation attacks. An obfuscator transforms code such that it becomes more complex and therefore harder to reverse engineer. We develop bytecode obfuscations that are complex to reverse engineer but also do not significantly degrade performance. We present three kinds of techniques that: (1) obscure intent at the operational level; (2) complicate control flow and object-oriented design (i.e. program structure); and (3) exploit the semantic gap between what is legal in source code and what is legal in bytecode. Obfuscations are applied to a benchmark suite to examine their effect on runtime performance, control flow graph complexity and decompilation. These results show that most of the obfuscations have only minor negative performance impacts and many increase complexity. In almost all cases, tested decompilers fail to produce legal source code or crash completely. Those obfuscations that are decompilable greatly reduce the readability of output source.
This work was supported, in part, by NSERC and FQRNT.
Copyright information
© 2007 Springer Berlin Heidelberg
About this paper
Cite this paper
Batchelder, M., Hendren, L. (2007). Obfuscating Java: The Most Pain for the Least Gain. In: Krishnamurthi, S., Odersky, M. (eds) Compiler Construction. CC 2007. Lecture Notes in Computer Science, vol 4420. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-71229-9_7
DOI: https://doi.org/10.1007/978-3-540-71229-9_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-71228-2
Online ISBN: 978-3-540-71229-9
eBook Packages: Computer Science (R0)