Metrics for Measuring the Effectiveness of Decompilers and Obfuscators

Java developers often use decompilers to aid reverse engineering and obfuscators to prevent it. Decompilers translate low-level class files to Java source and can produce "good" output. Obfuscators transform class files into semantically equivalent versions that are either (1) difficult to decompile, or (2) decompilable, but result in "hard-to-understand" Java source. We present a set of metrics developed to quantify the effectiveness of decompilers and obfuscators. The metrics include some selective size and counting metrics and an expression complexity metric. We have applied these metrics to evaluate a collection of decompilers and obfuscators. By quantitatively comparing original Java source against decompiled and obfuscated code respectively, we show which decompilers produce "good" code and whether obfuscations result in "hard-to-understand" code.
