Java Control Flow Obfuscation

The language Java was designed to be compiled into a platform independent bytecode format. Much of the information contained in the source code remains in the bytecode, which means that decompilation is easier than with traditional native codes. As a result, software developers are taking seriously the threat of competitors using reverse-engineering to extract proprietary algorithms from compiled Java programs. We examine several technical protection techniques that could be used to hinder the reverse-engineering of software. We claim that code obfuscation is the most suitable technical protection technique that can be applied to a portable language like Java. The technique of code obfuscation involves applying obfuscating transformations to a program. These transformations make the program more di cult for a reverse-engineer to understand but do not a ect the functionality of the program. We focus on a particular category of obfuscating transformations | control ow obfuscation. Control ow obfuscations disguise the algorithms used by a program by introducing new fake control ows, creating features at the object code level which have no source code equivalent or altering the way in which statements are grouped. There are many practical aspects to be considered when applying obfuscating transformations to Java programs. The fact that Java programs are portable and are veri ed before execution makes obfuscating transformations more di cult to apply. The veri cation stage ensures that programs do not perform illegal operations, such as corrupting a user's system. Obfuscating transformations can be applied automatically to a program by a tool called an obfuscator. In this thesis, we present one possible method of implementing such an obfuscator. We rst discuss the design decisions made to address implementation problems. Then, we use the obfuscator on examples of Java code and examine how e ective the obfuscating transformations are in impeding reverse-engineering.

[1]  Christian S. Collberg,et al.  A Taxonomy of Obfuscating Transformations , 1997 .

[2]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[3]  Bjarne Steensgaard,et al.  Points-to analysis in almost linear time , 1996, POPL '96.

[4]  A. Fleischmann Distributed Systems , 1994, Springer Berlin Heidelberg.

[5]  Xiangmin Zhang,et al.  Java Security , 2000 .

[6]  David F. Bacon,et al.  Compiler transformations for high-performance computing , 1994, CSUR.

[7]  Troy Downing,et al.  Java Virtual Machine , 1997 .

[8]  Bernhard Steffen,et al.  Parallelism for Free : E cient and Optimal Bitvector Analyses for Parallel Programs , 1996 .

[9]  G. Ramalingam,et al.  The undecidability of aliasing , 1994, TOPL.

[10]  Christian S. Collberg,et al.  Breaking abstractions and unstructuring data structures , 1998, Proceedings of the 1998 International Conference on Computer Languages (Cat. No.98CB36225).

[11]  John J. Marciniak,et al.  Encyclopedia of Software Engineering , 1994, Encyclopedia of Software Engineering.

[12]  Taghi M. Khoshgoftaar,et al.  Measurement of data structure complexity , 1993, J. Syst. Softw..

[13]  Liwu Li,et al.  The Java Language , 1998 .

[14]  Maurice H. Halstead,et al.  Elements of software science , 1977 .

[15]  Uwe Schöning,et al.  Complexity Cores and Hard Problem Instances , 1990, SIGAL International Symposium on Algorithms.

[16]  Warren A. Harrison,et al.  A complexity measure based on nesting level , 1981, SIGP.

[17]  Cristina Cifuentes,et al.  Decompilation of binary programs , 1995, Softw. Pract. Exp..

[18]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[19]  Pamela Samuelson Reverse-engineering someone else's software: is it legal? , 1990, IEEE Software.

[20]  Clark Thomborson,et al.  Manufacturing cheap, resilient, and stealthy opaque constructs , 1998, POPL '98.

[21]  James R. Gosler,et al.  Software Protection: Myth or Reality? , 1985, CRYPTO.

[22]  Michael Wolfe,et al.  High performance compilers for parallel computing , 1995 .

[23]  Sallie M. Henry,et al.  Software Structure Metrics Based on Information Flow , 1981, IEEE Transactions on Software Engineering.

[24]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[25]  Todd A. Proebsting,et al.  Krakatoa: Decompilation in Java (Does Bytecode Reveal Source?) , 1997, COOTS.

[26]  Susan Horwitz,et al.  Precise flow-insensitive may-alias analysis is NP-hard , 1997, TOPL.

[27]  Craig Chambers,et al.  Whole-program optimization of object-oriented languages , 1996 .

[28]  John H. Hartman,et al.  Toba: Java for Applications - A Way Ahead of Time (WAT) Compiler , 1997, COOTS.

[29]  U. Wilhelm Cryptographically Protected Objects , 1997 .

[30]  David Aucsmith,et al.  Tamper Resistant Software: An Implementation , 1996, Information Hiding.

[31]  Nader Bagherzadeh,et al.  Software Authorization Systems , 1986, IEEE Software.

[32]  John C. Gyllenhaal,et al.  Java bytecode to native code translation: the Caffeine prototype and preliminary results , 1996, Proceedings of the 29th Annual IEEE/ACM International Symposium on Microarchitecture. MICRO 29.

[33]  Chris F. Kemerer,et al.  A Metrics Suite for Object Oriented Design , 2015, IEEE Trans. Software Eng..

[34]  Amir Herzberg,et al.  Public protection of software , 1985, TOCS.

[35]  Anas N. Al-Rabadi,et al.  A comparison of modified reconstructability analysis and Ashenhurst‐Curtis decomposition of Boolean functions , 2004 .

[36]  Douglas Low,et al.  Protecting Java code via code obfuscation , 1998, CROS.

[37]  John C. Gyllenhaal,et al.  Optimizing NET Compilers for Improved Java Performance , 1997, Computer.