ObfSec: Measuring the Security of Obfuscations from a Testing Perspective

Abstract

Code obfuscation protects the intellectual property of software. However, systematically altering the control- and data-flow of a program can deteriorate the security of the resulting program. There is a wide-range of obfuscation methods available that alter the layout of the program in different ways. These modifications can introduce bugs in the program or modify the nature and the severity of existing ones.

We propose a novel strategy, called ObfSec (Obfuscation Security), to understand the implications behind obfuscating software. ObfSec starts by detecting errors in software and exposes how the obfuscation can change the nature of those errors, looking in particular at transformations that turn software bugs into exploitable vulnerable programs. Our results, on a corpus of around 70,000 programs and obfuscations, show that obfuscation can deteriorate the security of a program.