Empirical Assessment of the Code Comprehension Effort Needed to Attack Programs Protected with Obfuscation

TL;DR

This study empirically evaluates how effective obfuscation techniques are in hindering code comprehension efforts, using controlled experiments with students and analyzing complexity metrics.

Contribution

It is the first to assess layered obfuscation effects and correlates complexity metrics with attack success likelihood, providing new insights into obfuscation effectiveness.

Findings

Obfuscation delays code comprehension tasks.

Layered obfuscation increases difficulty for attackers.

Complexity metrics can predict attack success.

Abstract

Evaluating the effectiveness of software protection is crucial for selecting the most effective methods to safeguard assets within software applications. Obfuscation involves techniques that deliberately modify software to make it more challenging to understand and reverse-engineer, while maintaining its original functionality. Although obfuscation is widely adopted, its effectiveness remains largely unexplored and unthoroughly evaluated. This paper presents a controlled experiment involving Master's students performing code comprehension tasks on applications hardened with obfuscation. The experiment's goals are to assess the effectiveness of obfuscation in delaying code comprehension by attackers and to determine whether complexity metrics can accurately predict the impact of these protections on success rates and durations of code comprehension tasks. The study is the first to evaluate the effect of layering multiple obfuscation techniques on a single piece of protected code. It also provides experimental evidence of the correlation between objective metrics of the attacked code and the likelihood of a successful attack, bridging the gap between objective and subjective approaches to estimating potency. Finally, the paper highlights significant aspects that warrant additional analysis and opens new avenues for further experiments.