Programming Experience Might Not Help in Comprehending Obfuscated Source Code Efficiently

Software obfuscation is a technique to protect programs from malicious reverse engineering by explicitly making them harder to understand. We investigate the effect of two specific source code obfuscation methods on the program comprehension efforts of 66 university students playing the role of attackers in a reverse engineering experiment, partially replicating the experiments of Ceccato et al. We confirm that the two obfuscation methods have a measurable negative effect on program comprehension in general, but also show that this effect inversely correlates with the programming experience of attackers. So while the comprehension effectiveness of experienced programmers is generally higher than that of inexperienced programmers, the comprehension gap between these groups narrows considerably if source code obfuscation is used. Extending previous work, an investigation of the code analysis behavior of attackers reveals that there exist obfuscation techniques that significantly impede comprehension even if tool support exists to revert them, providing first empirical evidence in support of the classical distinction between potent and resilient obfuscation techniques defined by Collberg et al. more than 20 years ago.

[1] Michelle L. Mazurek, et al. Security Developer Studies with GitHub Users: Exploring a Convenience Sample, 2017, SOUPS.

[2] Michael Backes, et al. You Get Where You're Looking for: The Impact of Information Sources on Code Security, 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[3] Marco Torchiano, et al. The effectiveness of source code obfuscation: An experimental assessment, 2009, 2009 IEEE 17th International Conference on Program Comprehension.

[4] Maurice Herlihy, et al. Virtual Leashing: Creating a computational foundation for software protection, 2006, J. Parallel Distributed Comput.

[5] Gondy Leroy, et al. Designing User Studies in Informatics, 2011.

[6] Margaret-Anne D. Storey, et al. Theories, tools and research methods in program comprehension: past, present and future, 2006, Software Quality Journal.

[7] Sean W. Smith, et al. Building the IBM 4758 Secure Coprocessor, 2001, Computer.

[8] Marco Torchiano, et al. Assessment of Source Code Obfuscation Techniques, 2016, 2016 IEEE 16th International Working Conference on Source Code Analysis and Manipulation (SCAM).

[9] A. Capiluppi, et al. Code Defactoring: Evaluating the Effectiveness of Java Obfuscations, 2012, 2012 19th Working Conference on Reverse Engineering.

[10] Jacob Cohen. Statistical Power Analysis for the Behavioral Sciences, 1969, The SAGE Encyclopedia of Research Design.

[11] Simson L. Garfinkel, et al. Usable Security: History, Themes, and Challenges, 2014, Usable Security: History, Themes, and Challenges.

[12] Christian S. Collberg, et al. A Taxonomy of Obfuscating Transformations, 1997.

[13] Anas N. Al-Rabadi, et al. A comparison of modified reconstructability analysis and Ashenhurst‐Curtis decomposition of Boolean functions, 2004.

[14] Bogdan Dit, et al. Feature location in source code: a taxonomy and survey, 2013, J. Softw. Evol. Process.

[15] Amit Sahai, et al. On the (im)possibility of obfuscating programs, 2001, JACM.

[16] A. Field. Discovering statistics using IBM SPSS statistics, 5th edition, 2017.

[17] Simson L. Garfinkel, et al. Comparing the Usability of Cryptographic APIs, 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[18] Marco Torchiano, et al. A family of experiments to assess the effectiveness and efficiency of source code obfuscation techniques, 2013, Empirical Software Engineering.

[19] Ugo Piazzalunga, et al. Security Strength Measurement for Dongle-Protected Software, 2007, IEEE Security & Privacy.

[20] T. Alves, et al. TrustZone: Integrated Hardware and Software Security, 2004.

[21] Graham J Hole, et al. How to Design and Report Experiments, 2002.

[22] Marco Torchiano, et al. Towards experimental evaluation of code obfuscation techniques, 2008, QoP '08.

[23] Yanyan Zhuang, et al. It's the psychology stupid: how heuristics explain software vulnerabilities and how priming can illuminate developer's blind spots, 2014, ACSAC.

[24] Brad A. Myers, et al. Capturing and analyzing low-level events from the code editor, 2011, PLATEAU '11.

[25] Christian S. Collberg, et al. Sandmark--A Tool for Software Protection Research, 2003, IEEE Secur. Priv.

[26] Eileen Kraemer, et al. Designing your Next Empirical Study on Program Comprehension, 2007, 15th IEEE International Conference on Program Comprehension (ICPC '07).

[27] Christian S. Collberg, et al. Surreptitious Software - Obfuscation, Watermarking, and Tamperproofing for Software Protection, 2009, Addison-Wesley Software Security Series.

[28] Arie van Deursen, et al. A Systematic Survey of Program Comprehension through Dynamic Analysis, 2008, IEEE Transactions on Software Engineering.

[29] Saumya Debray, et al. A Generic Approach to Automatic Deobfuscation of Executable Code, 2015, 2015 IEEE Symposium on Security and Privacy.