
Evaluating Obfuscation Security: A Quantitative Approach

  • Conference paper
Foundations and Practice of Security (FPS 2015)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9482)

Abstract

State-of-the-art obfuscation techniques rely on an unproven concept of security, so it is very hard to evaluate their protection quality. In previous work we introduced algorithmic information theory as a theoretical foundation for code obfuscation security. We propose Kolmogorov complexity, estimated by compression, as a software complexity metric to measure regularities in obfuscated programs. In this paper we provide a theoretical validation of its soundness as a software metric, so that it can have as much credibility as other complexity metrics. We then conduct an empirical evaluation of 43 obfuscation techniques, applied to 10 Java bytecode programs from the SPECjvm2008 benchmark suite, using three different decompilers as a threat model, aiming to provide experimental evidence that supports the formal treatments.
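As an added illustration (not code from the paper), the sketch below uses zlib's compressed length as a stand-in for Kolmogorov complexity and compares two ways of inserting always-true opaque predicates into a constructed pseudo-instruction listing. The function names, the sample program, the guard template and the choice of zlib are assumptions made here, not the authors' metric or data.

```python
import random
import zlib

def k_estimate(code: bytes) -> int:
    """Compressed length: a computable upper-bound proxy for Kolmogorov complexity."""
    return len(zlib.compress(code, 9))

def obfuscate(lines, constants):
    """Guard each line with an always-true opaque predicate.

    x*(x+1) is a product of consecutive integers, hence even; adding 2*k keeps it even.
    """
    out = []
    for line, k in zip(lines, constants):
        out.append(b"if ((x*(x+1) + 2*0x%016x) %% 2 == 0)\n" % k)
        out.append(b"    " + line)
    return b"".join(out)

def report(original: bytes, obfuscated: bytes) -> dict:
    k0, k1 = k_estimate(original), k_estimate(obfuscated)
    return {
        "bytes_added": len(obfuscated) - len(original),  # raw size growth
        "k_added": k1 - k0,                              # estimated information added
        "ratio": round(k1 / len(obfuscated), 3),         # lower means more regular
    }

# Constructed sample program: pseudo-instructions, not real Java bytecode.
LINES = [b"iload %d; bipush %d; iadd; istore %d\n" % (i, i * 7 % 13, i)
         for i in range(40)]
ORIGINAL = b"".join(LINES)

rng = random.Random(2015)  # fixed seed so the run is reproducible
# Same guard constant reused everywhere: large size growth, highly regular.
SAME = obfuscate(LINES, [0x5EED] * len(LINES))
# Fresh 64-bit constant per guard: identical size growth, far less regular.
VARIED = obfuscate(LINES, [rng.getrandbits(64) for _ in LINES])

def compare():
    """Return the reports for the reused-constant and varied-constant variants."""
    return report(ORIGINAL, SAME), report(ORIGINAL, VARIED)

if __name__ == "__main__":
    for name, result in zip(("same", "varied"), compare()):
        print(name, result)
```

Both variants grow the listing by the same number of bytes, but the compressor absorbs the repeated guard almost entirely, which is the kind of regularity a size-based metric misses and a compression-based estimate exposes.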


Notes

  1. http://sandmark.cs.arizona.edu.

  2. http://www.preemptive.com/products/dasho.

  3. An opaque predicate is an algebraic expression which always evaluates to the same value (true or false) regardless of the input.

  4. Any computable function, that is.

  5. http://www.spec.org/jvm2008/.

  6. http://java.decompiler.free.fr.

  7. http://varaneckas.com/jad/.

  8. http://jode.sourceforge.net/.

Corresponding author

Correspondence to Rabih Mohsen.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Mohsen, R., Pinto, A.M. (2016). Evaluating Obfuscation Security: A Quantitative Approach. In: Garcia-Alfaro, J., Kranakis, E., Bonfante, G. (eds) Foundations and Practice of Security. FPS 2015. Lecture Notes in Computer Science, vol 9482. Springer, Cham. https://doi.org/10.1007/978-3-319-30303-1_11

  • DOI: https://doi.org/10.1007/978-3-319-30303-1_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30302-4

  • Online ISBN: 978-3-319-30303-1

  • eBook Packages: Computer Science, Computer Science (R0)
