Software obfuscation is an attempt to hide the real intent of a piece of software. The first obfuscated malware appeared in 1986, and sophistication has steadily increased since then. Commercial vendors obfuscate their software to block reverse engineering and thereby protect intellectual property. Good guys and bad guys sit on both sides of this aisle, implementing and analyzing obfuscation techniques. Despite decades of practice, though, the effectiveness of obfuscation is still a controversial subject. It’s the intent of this paper to quantify the state of obfuscation and analysis, to measure the arms race and replace opinions with numbers.
The paper is formatted as a survey. It opens with a concise history of code obfuscation followed by a review of prominent research papers. The authors then make their own contribution to the field by categorizing techniques of obfuscation and analysis and building a matrix of obfuscation technique versus analysis technique in order to rank the relative resistance/effectiveness of each method. Where possible, the ranking is based on results reported in the literature; where no results are available, the authors argue their case for a particular ranking.
Their results show that obfuscation can slow down or even block analysis in some cases. As the authors themselves state, this is just a beginning, not the last word. The ranking currently uses only a scale of 1 to 3; rankings drawn from the literature are spotty; and the authors’ own rankings are fairly subjective. Most obfuscation analysis has been performed in isolation and with limited resources. Perhaps now that the authors have framed the competition and have built the “March Madness” rankings, additional investigators can examine each match-up in detail and contribute more precise evaluations and weightings for each category.
Even though this paper is not the final word (in fact, the authors fell somewhat short of a definitive answer on the effectiveness of software obfuscation), the material and organization are both valuable for anyone practicing or considering obfuscation. The field has been improved by the authors’ contribution.