, 2009-04-17
Antivirus analysts and security testers have to deal with a fundamental question every day: Is obfuscated code good or bad?
Expand all |
Post comment
|
Good Obfuscation, Bad Code
, 2009-04-17 Antivirus analysts and security testers have to deal with a fundamental question every day: Is obfuscated code good or bad?
Expand all |
Post comment
|
|
|
Privacy Statement |
In fact, we always talk about how to against the attacker to reverse the code and cause possible break-in and give birth to piracy. I could share experiences as I am in Hong Kong.I could easily buy some China-based hacker magazines and talk about keygen to simulate the challenge-based authentication on licensing. If you use dongle, I could simply duplicate a dongle; If the software use serial number, never expect the software could be protected by NOP the checking routines over serial number and/or JMP over it.
It seems that we need a super crypto processor? Let's say IEEE and Intel establish a SUPER Crypto Processor and provide APIs to software vendor, only products could be run with that. (Hahaha..I believe attackers would like to cheat the software it is run with a crypto processor, and hid some communication token/string/signals when it is running, it is readily an endless game). Even you use encyrption applied to the code, the key is somehow figured out and reversed as the key is stored in the code. Unless each processor possess a public key, the user needs to upload its processor's key to software vendor, the vendor needs to make signing and encryption afterwards. I don't know whether it is the only ultimate method to engage such kind of PKI over software security. '-)
The issue is people love to use the software but they can't and don't want to pay. Why does the software vendor simply provide a limited version without embedding any advanced modules to it yet. If they need to want a full version, or the user could pay it by module. (Anyone could guarantee you have utilized all the functions in MS Word and Excel?
Technical issue is not the only mean to solve it. Obfuscation is done because of giving best efforts to protect the code and intellectual properties right. We, as software developers, understood days-and-nights pressure to complete the software but others can't get it.
We still respect those developer doing their best to protect the code.
However, we lack a global and established standard on code encryption/signing/obfuscation and we need a processor and additional token to make a three-way protection to delay the break-in and class break.
[ reply ]
Link to this comment: http://www.securityfocus.com/comments/columns/498/35470#35470