A family of experiments to assess the effectiveness and efficiency of source code obfuscation techniques
Article
Ceccato, Mariano, Di Penta, Massimiliano, Falcarin, P., Ricca, Filippo, Torchiano, Marco and Tonella, Paolo 2013. A family of experiments to assess the effectiveness and efficiency of source code obfuscation techniques. Empirical Software Engineering. 19 (4), pp. 1040-1074. https://doi.org/10.1007/s10664-013-9248-x
Authors | Ceccato, Mariano, Di Penta, Massimiliano, Falcarin, P., Ricca, Filippo, Torchiano, Marco and Tonella, Paolo |
---|---|
Abstract | Context: code obfuscation is intended to obstruct code understanding and, eventually, to delay malicious code changes and ultimately render it uneconomical. Although code understanding cannot be completely impeded, code obfuscation makes it more laborious and troublesome, so as to discourage or retard code tampering. Despite the extensive adoption of obfuscation, its assessment has been addressed indirectly either by using internal metrics or taking the point of view of code analysis, e.g., considering the associated computational complexity. To the best of our knowledge, there is no publicly available user study that measures the cost of understanding obfuscated code from the point of view of a human attacker. Aim: this paper experimentally assesses the impact of code obfuscation on the capability of human subjects to understand and change source code. In particular, it considers code protected with two well-known code obfuscation techniques, i.e., identifier renaming and opaque predicates. Method: We have conducted a family of five controlled experiments, involving undergraduate and graduate students from four Universities. During the experiments, subjects had to perform comprehension or attack tasks on decompiled clients of two Java network-based applications, either obfuscated using one of the two techniques, or not. To assess and compare the obfuscation techniques, we measured the correctness and the efficiency of the performed task. Results: —at least for the tasks we considered—simpler techniques (i.e., identifier renaming) prove to be more effective than more complex ones (i.e., opaque predicates) in impeding subjects to complete attack tasks. |
Keywords | Empirical studies; Software obfuscation; Program comprehension |
Journal | Empirical Software Engineering |
Journal citation | 19 (4), pp. 1040-1074 |
ISSN | 1382-3256 |
1573-7616 | |
Year | 2013 |
Publisher | Springer Verlag |
Accepted author manuscript | License CC BY |
Digital Object Identifier (DOI) | https://doi.org/10.1007/s10664-013-9248-x |
Web address (URL) | https://doi.org/10.1007/s10664-013-9248-x |
Publication dates | |
23 Feb 2013 | |
Publication process dates | |
Deposited | 15 Jun 2017 |
Copyright information | The final publication is available at Springer via http://dx.doi.org/10.1007/s10664-013-9248-x |
https://repository.uel.ac.uk/item/85xv3
Download files
Accepted author manuscript
279
total views531
total downloads0
views this month0
downloads this month