Good Obfuscation, Bad Code
Chris Wysopal, 2009-04-17

Antivirus analysts and security testers have to deal with a fundamental question every day: Is obfuscated code good or bad?

Good Obfuscation, Bad Code 2009-04-18
Chris (2 replies)
This is a very well written article. Good work, and it got me thinking from new angles! I politely disagree on a couple of premises, however. First, it is not best to presume that obfuscation techniques indicate bad behavior. In the most common use case, the software vendor is legitimate, the co...

Re: Good Obfuscation, Bad Code 2009-04-20
Kyle Quest
Encrypting data and software vendors turning their applications into black boxes are totally different things. Data is passive. It doesn't do anything on its own. On the other hand, applications are active. When you install an application on your computer it's going to do a lot of things there, which...

Re: Good Obfuscation, Bad Code 2009-05-29
Anthony Lai, Hong Kong
I go with your idea, Chris.

In fact, we always talk about how to against the attacker to reverse the code and cause possible break-in and give birth to piracy. I could share experiences as I am in Hong Kong. I could easily buy some China-based hacker magazines and talk about keygen to simulate the...

Good Obfuscation, Bad Code 2009-04-22
Anonymous
One problem with the assertion that "users should be able to decide whether or not they want obfuscated code on their system" is that it isn't always obvious what's obfuscation and what isn't. Something that looks like obfuscation to someone may in fact have nothing at all to do with DRM or anti-rev...

Good Obfuscation, Bad Code 2009-04-23
TimD (1 replies)
The real question here is, how do you determine whether code is "obfuscated" at the machine level? By that I mean, how do you make a scanning software that can tell the difference between a complicated piece of code and an obfuscated one? Isn't obfuscation a pretty subjective thing? If I have a b...

Re: Good Obfuscation, Bad Code 2009-04-26
Chris Wysopal
The obfuscation I am talking about is self-modifying code so you can't inspect what APIs or determine what high-level behavior a program has. I'm not talking about code such as in the obfuscated code contest where it is difficult to determine what an algorithm is doing by viewing the code. It is a ...

Good Obfuscation, Bad Code 2009-04-27
Jack
"Legitimate reasons exist for doing this ... or to hide behavior the user might not appreciate."

I contest that software doing anything that I do not want is not legitimate....

Good Obfuscation, Bad Code 2009-09-04
Drew
It would be helpful if legit code would not obfuscate code for sure. Eventually, a decent white list repository could then be created (can be anyway, but still have to allow for gaps for all of the software out there).

Obfuscation then can be trivially detected by entropy analysis with a high deg...

Copyright 2009, SecurityFocus