The Effect of Code Obfuscation on Human Program Comprehension

TL;DR

This study examines how different levels and types of code obfuscation affect human programmers' ability to understand code, revealing increased difficulty and altered reasoning strategies across Python and JavaScript.

Contribution

It provides a detailed analysis of how various obfuscation techniques impact human comprehension, highlighting language-specific effects and the role of deliberate reasoning.

Findings

Obfuscation generally increases reasoning time and reduces accuracy.

JavaScript shows a clear difficulty increase with stronger obfuscation.

Python's performance varies, sometimes improving with certain transformations.

Abstract

We investigate how code obfuscation influences human understanding of programs through an output-prediction task. To study this effect, we construct multiple levels of obfuscation, ranging from unobfuscated code to transformations involving identifier renaming, adversarially misleading identifiers, control-flow modifications, and combinations of these techniques. These transformations are applied to function-level programs written in Python and JavaScript. Participants were asked to predict program outputs while we recorded correctness, response time, and self-reported programming experience. Our results show that obfuscation generally increases the time required to reason about code and tends to reduce prediction accuracy. However, the relationship between obfuscation strength and performance is not strictly monotonic and varies across programming languages. JavaScript exhibits the expected pattern of increasing difficulty with stronger obfuscation, whereas Python displays a more complex trend in which certain renaming transformations can perform comparably to, or occasionally better than, the unobfuscated baseline. Response-time analyses further suggest that obfuscation shifts participants away from rapid, heuristic reasoning toward slower and more deliberate reasoning processes. Performance appears highest within a moderate range of response times, indicating that careful deliberation can improve accuracy, while extremely long response times often correspond to confusion. Finally, programming experience predicts performance primarily within a given language, with limited transfer across languages, suggesting that obfuscation challenges language-specific familiarity more than general programming ability.