Does code obfuscation give any measurable security benefit?

There are two benefits to code obfuscation:

  1. It weeds out the shallow end of the attacker pool. Script kiddies who struggle to make sense of your code will go somewhere else.
  2. It increases effort required of skilled attackers. No matter how skilled they are, obfuscation is cheaper than de-obfuscation, and the result is generally less comprehensible than the original (variable names will remain generic, for example, where the originals were descriptive).

@SteveSether is doubly right in his comment - actual measurements will be almost impossible to find, and many code bases are obfuscated for proprietary reasons* rather than security reasons.

But for both security and proprietary reasons, code obfuscation's value is tied to its asymmetric quality - it's cheaper to obfuscate than it is to de-obfuscate.


*By "proprietary reasons" I mean "the desire to keep one's code and algorithms more private, or harder to reproduce, in the interest of maintaining competitive advantage in the market." Companies and individuals are both prone to this tendency.


  • For as long as I have seen obfuscated code (mostly in viruses and rootkits) on potentially everything able to receive from the Internet (mail, ftp, web, dns etc., in requests, logs, file transfers), the human time involved in deobfuscating the code well enough to find essential information such as server address, admin id and the hashed password for a botnet, or sensitive strings or library calls for viruses, is mostly counted in minutes.

    So in terms of protection against strange code, this is not a big job (if not trivial).

  • On the other hand, building editable sources from this kind of code could take a lot of time (to be counted in days, weeks or even more if the code is big. Anyway, the more deobfuscation processes progress, the more efficient and quick they are, as when light is coming).

  • About OWASP's recommendation, I agree: obfuscation implies human resources, so they represent some cost, making piracy less attractive.

  • About measurability of security benefit... sorry, but I can't! It depends on who could be interested in hacking your code, which part of your code and why.

Overall, my own recommendation is: using obfuscation is not essentially a bad idea, but it's not to be considered as a big security improvement!

To be more clear: don't ever consider obfuscating code to hide secret keys/functions so that it would be more secure than if they were not obfuscated!


Another point in obfuscation is that it makes it harder for attackers to deny their reverse-engineering activity.

If you have a server which lets in any client that sends it a "Hello foobar" string, and someone exploits it, it may be hard to prove in court that the offender really had the intention to attack, and not just misunderstood your license agreement and assumed this was allowed. If your client authenticates with the server using an obfuscated secret key (contained within the client itself), you gain little in terms of security, but someone exploiting your server will have a hard time proving that they got that key by chance, and not via an intentional reverse engineering effort.
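
The answers above warn against relying on obfuscation to protect a key embedded in a client. As an added example (not part of any original answer), this Python sketch shows why: strings hidden with single-byte XOR fall to a 256-key brute force. The blob, the XOR key, the secrets and the marker list are all constructed for illustration.

```python
import re

# Constructed sample: stand-in for a client binary that embeds a secret key
# and a server address, hidden with single-byte XOR (cheap, common obfuscation).
XOR_KEY = 0x5A  # assumed obfuscation key, chosen for this example
SECRETS = [b"api_key=EXAMPLE-NOT-A-REAL-KEY", b"server=api.example.invalid:8443"]
MARKERS = (b"key=", b"server=", b"password")  # strings an analyst would search for
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR is its own inverse: the same call obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


def build_sample_blob() -> bytes:
    """Non-printable filler stands in for machine code around the hidden strings."""
    filler = bytes(range(0x80, 0xA0))
    return (filler + xor_bytes(SECRETS[0], XOR_KEY)
            + filler + xor_bytes(SECRETS[1], XOR_KEY) + filler)


def recover_strings(blob: bytes):
    """Try all 256 keys; keep printable runs that contain a marker."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        found = [m.group() for m in PRINTABLE_RUN.finditer(decoded)
                 if any(marker in m.group() for marker in MARKERS)]
        if found:
            hits.append((key, found))
    return hits


if __name__ == "__main__":
    blob = build_sample_blob()
    assert not any(s in blob for s in SECRETS)  # plaintext is absent from the blob
    for key, strings in recover_strings(blob):
        print(f"key 0x{key:02x}: {[s.decode() for s in strings]}")
```

The practical consequence for a design review is that any credential shipped inside the client should be treated as known to every user, whatever encoding wraps it.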
