Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ... (AuditMark)
The goal of code obfuscation is to delay the understanding of what a program does. It can be used, for example, in scenarios where the code contains Intellectual Property (algorithms) or when the owner wants to prevent a competitor from stealing and reusing the code. To achieve this, an obfuscation transformation translates easy-to-understand code into a much harder-to-understand form. But in order to be resilient, obfuscation transformations also need to resist automatic reversal performed using static or dynamic code analysis techniques. This presentation focuses on the specific case of JavaScript source obfuscation and its main use cases, presents some obfuscation examples, and discusses their value in providing real protection against reverse-engineering.
1. Protecting JavaScript source code using obfuscation: Facts and Fiction
Pedro Fortuna, Co-Founder and CTO, AuditMark
OWASP Europe Tour 2013
Lisbon - June 21st, 2013
3. PART 1 – OBFUSCATION CONCEPTS
WHAT IS CODE OBFUSCATION?
4. Code Obfuscation
Obfuscation “transforms a program into a form that is more difficult for an adversary to understand or change than the original code” [1]
Where “more difficult” means “requires more human time, more money, or more computing power to analyze than the original program.”
[1] Collberg, C., and Nagra, J., “Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection”, Addison-Wesley Professional, 2010.
5. Code Obfuscation
Lowers the code quality in terms of readability and maintainability
• Delay program understanding
  – Time required to reverse it > program useful lifetime
  – Resources needed to reverse it > value obtained from reversing it
• Delay program modification
  – Cost of reversing it > cost of developing it from scratch
6. Obfuscation != Encryption
[Diagram: Web Application: Executable JavaScript Source Code → Encryption Algorithm (Encryption Key) → Non-Executable Encrypted Code → Decryption Algorithm (Decryption Key) → Executable JavaScript Source Code → JS Engine]
• This is a common misconception
• Encrypted code is not executable by the browser or JS Engine
• A decryption process is always needed
7. Obfuscation != Encryption
[Diagram: Web Application: Executable JavaScript Source Code → Obfuscation Engine → Executable JavaScript Source Code → JS Engine]
• JavaScript obfuscated code is still valid, ready-to-execute code
• It does not require a symmetric deobfuscation function
8. JavaScript Obfuscation Example #1
[HTML5 Canvas example from mozilla.org]
• Being JavaScript, this code is delivered to the browser as clear text, and as such, it can be captured by anyone
9. JavaScript Obfuscation Example #1
• This is the obfuscated version of the code.
• It can still be captured by anyone, but it is much harder to grasp and to change.
10. What is it good for?
Good
• Prevent code theft and reuse
  – E.g. stop a competitor from using your code as a quickstart to build its own
• Protect Intellectual Property
  – Hide algorithms
  – Hide data
  – DRM (e.g. watermarks)
• Enforce license agreements
  – E.g. domain-lock the code
• As an extra security layer
  – Harder to find vulnerabilities in the client-side code
• Test the strength of security controls (IDS/IPS/WAFs/web filters)
Evil
• Test the strength of security controls (IDS/IPS/WAFs/web filters)
• Hide malicious code
• Make it look like harmless code
11. Why not rely on the Server?
• Question often raised: why not move security-sensitive code to the server and have the JS request it whenever needed?
• Sometimes you can... and you should!
• But there are plenty of situations where you can’t:
  – You may not have a server
    • Widgets
    • Mobile Apps
    • Standalone, offline-playable games
    • Windows 8 Apps made with WinJS
  – You may not want to have a server
    • It may not be cost effective to do the computations on a server (you have to guarantee 100% uptime, support teams)
    • Latency
12. PART 2 – OBFUSCATION METRICS
CODE OBFUSCATION METRICS
13. Measuring Obfuscation
• Potency
• Resilience
• Stealthiness
• Execution Cost
• Maintainability
Next:
• We’ll present each metric using simple examples
• This is intentional, to ease the process of understanding the metrics
• However, they do not represent to the full extent what you can obtain if you combine a large set of different obfuscation transformations.
14. Measuring Obfuscation: Obfuscation Potency
Generates confusion
• Measure of the confusion that a certain obfuscation adds
• Or “how much harder it gets to read and understand the new form when compared with the original”
• To the left you can see a simple example of a factorial function
15. Measuring Obfuscation: Obfuscation Potency
Generates confusion
Rename all + Comment removal
• Now to the right you see the result of renaming every symbol to a mix of lower- and upper-case O’s. We all know that function names and variable names are quite useful for the purpose of understanding the code. Not only have we lost that, but the new names can be easily confused.
• Also, comments were removed. They are also important to understand a program.
• So we can definitely say that the obfuscation introduced a certain degree of confusion. It has added some potency.
Slide 16
Measuring Obfuscation: Obfuscation Potency (generates confusion)
Rename all + Comment removal
Whitespace removal
• Now, below, you can see the result of removing whitespace from the code. It becomes slightly more confusing, so we can say it is slightly more potent than the previous example.
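The three transformations discussed on slides 15 and 16 (rename all, comment removal, whitespace removal) applied to a factorial function, as an added worked example written for this transcript; it is not code from the talk or from AuditMark's products. The tokenizer, the keyword list, the O/o naming scheme and the restriction to a small JavaScript subset (no regex literals, no property access) are this example's own assumptions:

```javascript
// Added example, not the presentation's code: a toy "rename all + comment
// removal + whitespace removal" pass over a small JavaScript subset.
// Assumptions: no regex literals, no property access (a.b), and only the
// keywords listed below are treated as reserved words.

const KEYWORDS = new Set(["function", "if", "else", "return", "var", "let",
  "const", "for", "while", "true", "false", "null", "undefined", "new",
  "this", "typeof"]);

// Comments, whitespace, identifiers, numbers, strings, a few two-character
// operators, and any other single non-space character.
const TOKEN_RE = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|\s+|[A-Za-z_$][\w$]*|\d+(?:\.\d+)?|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\+\+|--|[<>=!]=|[^\s]/g;

const tokenize = src => src.match(TOKEN_RE) || [];

function kind(tok) {
  if (tok.startsWith("//") || tok.startsWith("/*")) return "comment";
  if (/^\s/.test(tok)) return "space";
  if (/^[A-Za-z_$]/.test(tok)) return KEYWORDS.has(tok) ? "keyword" : "ident";
  if (/^\d/.test(tok)) return "number";
  if (/^["']/.test(tok)) return "string";
  return "punct";
}

// Replacement names made only of upper- and lower-case O, as on the slides.
const obfuscatedName = i =>
  i.toString(2).padStart(5, "0").replace(/0/g, "O").replace(/1/g, "o");

// Rename every non-keyword identifier consistently; the mapping is returned
// so the caller can still locate the entry point afterwards.
function renameAll(tokens) {
  const names = new Map();
  const renamed = tokens.map(tok => {
    if (kind(tok) !== "ident") return tok;
    if (!names.has(tok)) names.set(tok, obfuscatedName(names.size));
    return names.get(tok);
  });
  return { tokens: renamed, names };
}

const removeComments = tokens => tokens.filter(tok => kind(tok) !== "comment");

// A space is only needed where dropping it would fuse two tokens
// (`return 1`, `a - -b`); everywhere else it can go.
function needsSpace(prev, next) {
  const wordy = t => /^[\w$]/.test(t);
  return (wordy(prev) && wordy(next)) || (/^[-+]/.test(prev) && /^[-+]/.test(next));
}

function removeWhitespace(tokens) {
  const out = [];
  for (const tok of tokens) {
    if (kind(tok) === "space") continue;
    if (out.length && needsSpace(out[out.length - 1], tok)) out.push(" ");
    out.push(tok);
  }
  return out.join("");
}

function obfuscate(src) {
  const { tokens, names } = renameAll(tokenize(src));
  return { code: removeWhitespace(removeComments(tokens)), names };
}

// Compile `code` and return the function bound to `name`, so the obfuscated
// form can be checked to compute the same result as the original.
const load = (code, name) => new Function(code + "\nreturn " + name + ";")();

// Constructed input: the factorial function used on the slides.
const ORIGINAL = `
// Computes n! recursively.
function factorial(n) {
  /* base case */
  if (n <= 1) {
    return 1;
  }
  return n * factorial(n - 1);
}
`;

const RESULT = obfuscate(ORIGINAL);
// RESULT.code is: function OOOOO(OOOOo){if(OOOOo<=1){return 1;}return OOOOo*OOOOO(OOOOo-1);}
```

The output still computes factorials, but every hint the names and comments carried is gone; the mapping returned by `obfuscate` is the only record of what `OOOOO` used to be, which is the point slide 18 makes about resilience.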
Slide 17
Measuring Obfuscation: Obfuscation Resilience (resistance to deobfuscation techniques, be it manual or automatic)
• Represents the measure of the resistance that a certain obfuscation offers to deobfuscation techniques
• Or "how hard it is to undo the obfuscation back to the original form"
• To the left you can see the same example function as before
Slide 18
Measuring Obfuscation: Obfuscation Resilience (resistance to deobfuscation techniques, be it manual or automatic)
Rename all + Comment removal
• On the right you can see the result of applying the rename_all obfuscation.
• This is an example of an obfuscation which is 100% resilient because, assuming that you don't have access to the original source code, it's impossible to tell what the original names were.
• The comment removal obfuscation is also 100% resilient, as you can't possibly know if the original form had any comments and recover them.
Slide 19
Measuring Obfuscation: Obfuscation Resilience (resistance to deobfuscation techniques, be it manual or automatic)
Rename all + Comment removal
String splitting
• On the bottom, you see the result after applying string splitting.
• You can definitely see that it is more potent than the previous one, but if you look carefully, you can see that it's not hard to revert back to the previous form.
• So we can say that this version does not really add much resilience when compared with the previous form.
Slide 20
Static Code Analysis for defeating obfuscation
One way of attacking obfuscation is using a Static Code Analyser:
1. Parses the code
2. Transforms it to fulfil a purpose
  – Usually to make it simpler => better performance
  – Simpler also fulfils the reverse-engineering purpose
• Example simplifications
  – Constant propagation, constant folding
  – Remove (some) dead code
• And most importantly, it is automatic!

Constant propagation:
x = 10;
y = 7 - x / 2;
becomes
x = 10;
y = 7 - 10 / 2;

Constant folding:
N = 12 + 4 - 2;
becomes
N = 14;
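A minimal version of the two simplifications named on this slide, constant propagation and constant folding, added here as a worked example; it is neither Closure Compiler's code nor the talk's. It runs over a toy language of `name = expr;` statements (numbers, double-quoted strings, identifiers, `+ - * /` and parentheses, all this example's own assumptions). Because it folds string concatenation with JavaScript's own `+` semantics, it also shows why the string splitting of slide 19 has little resilience against such a pass:

```javascript
// Added example, not from the talk: constant propagation + constant folding
// over a toy language of `name = expr;` statements. Assumed grammar:
// numbers, double-quoted strings, identifiers, + - * /, parentheses.

const tokenize = src =>
  src.match(/\d+(?:\.\d+)?|"(?:[^"\\]|\\.)*"|[A-Za-z_$][\w$]*|[-+*\/=();]/g) || [];

// Recursive-descent parser producing a small AST:
// {type:"lit", value} | {type:"id", name} | {type:"bin", op, left, right}
class Parser {
  constructor(tokens) { this.t = tokens; this.i = 0; }
  peek() { return this.t[this.i]; }
  next() { return this.t[this.i++]; }
  expect(tok) {
    const got = this.next();
    if (got !== tok) throw new SyntaxError(`expected ${tok}, got ${got}`);
  }
  program() {
    const stmts = [];
    while (this.i < this.t.length) stmts.push(this.assignment());
    return stmts;
  }
  assignment() {
    const name = this.next();
    this.expect("=");
    const expr = this.sum();
    this.expect(";");
    return { name, expr };
  }
  sum() {            // + and -: lowest precedence, left associative
    let left = this.product();
    while (this.peek() === "+" || this.peek() === "-") {
      const op = this.next();
      left = { type: "bin", op, left, right: this.product() };
    }
    return left;
  }
  product() {        // * and /
    let left = this.atom();
    while (this.peek() === "*" || this.peek() === "/") {
      const op = this.next();
      left = { type: "bin", op, left, right: this.atom() };
    }
    return left;
  }
  atom() {
    const tok = this.next();
    if (tok === "(") { const e = this.sum(); this.expect(")"); return e; }
    if (/^\d/.test(tok)) return { type: "lit", value: Number(tok) };
    if (tok.startsWith('"')) return { type: "lit", value: JSON.parse(tok) };
    if (/^[A-Za-z_$]/.test(tok)) return { type: "id", name: tok };
    throw new SyntaxError("unexpected " + tok);
  }
}

// Propagate known constants into an expression and fold whatever becomes
// constant, using JavaScript's own semantics (so "a" + "b" folds to "ab").
function fold(expr, env) {
  if (expr.type === "id") {
    return env.has(expr.name) ? { type: "lit", value: env.get(expr.name) } : expr;
  }
  if (expr.type !== "bin") return expr;
  const left = fold(expr.left, env), right = fold(expr.right, env);
  if (left.type === "lit" && right.type === "lit") {
    const a = left.value, b = right.value;
    const value = expr.op === "+" ? a + b : expr.op === "-" ? a - b
                : expr.op === "*" ? a * b : a / b;
    return { type: "lit", value };
  }
  return { type: "bin", op: expr.op, left, right };
}

const render = e =>
  e.type === "lit" ? JSON.stringify(e.value)
  : e.type === "id" ? e.name
  : `(${render(e.left)} ${e.op} ${render(e.right)})`;

// Walk the statements in order, remembering which variables currently hold a
// statically known constant and forgetting a variable once it stops being one.
function simplify(src) {
  const env = new Map();
  const out = [];
  for (const { name, expr } of new Parser(tokenize(src)).program()) {
    const folded = fold(expr, env);
    if (folded.type === "lit") env.set(name, folded.value); else env.delete(name);
    out.push(`${name} = ${render(folded)};`);
  }
  return out.join("\n");
}

// The slide's two snippets, plus a split string in the style of slide 19.
// simplify("x = 10; y = 7 - x / 2;")        -> "x = 10;\ny = 2;"
// simplify("N = 12 + 4 - 2;")               -> "N = 14;"
// simplify('s = "hel" + "lo " + "world";')  -> 's = "hello world";'
```

Anything that depends on a value unknown at analysis time (a variable assigned from user input, say) stays in the output as an expression, which is the first reason real obfuscators lean on runtime-only values rather than on rearranging literals.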
Slide 21
• We used Google Closure Compiler, a Static Code Analyser, to simplify the code.
• The result is on the right; as you can see, it returned much easier to read code.
Slide 22
• If we compare the code on the right with the original code (on the left), we can see that they are not far apart.
• So the potency of the obfuscation is only apparent. The real potency, or the potency we should consider, is the one that you get after using automated ways of reversing the code.
• This does not mean that the string-splitting obfuscation is useless. It has to be combined with other obfuscations that provide more resilience.
Slide 23
Dynamic Code Analysis for defeating obfuscation
• Another way of attacking obfuscation
• Analysis performed by executing the code
  – Retrieves the control flow graph (CFG) of the code executed
  – Retrieves values of some expressions
• How it can be used to defeat obfuscation
  – Understand (one instance of) the program execution
    • You can focus on parts that you are sure are executed
  – Retrieve values of some expressions
    • Aids code simplification
    • Find the needle in the haystack => e.g. retrieve an encryption key
  – Bypasses dead code
  – Not very good for automatic reversal of obfuscation
    • May not "see" all useful code
    • If you need to make sure the code will remain 100% functional, you cannot use this technique
  – Gather knowledge for manual reverse engineering
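The "retrieve values of some expressions" point above, and slide 30's observation that encoding-based obfuscation always has a decoding step whose output reaches `eval()`, as an added worked example written for this transcript (not the talk's code). A script is run with `eval` and `Function` shadowed by recording hooks, so the decoded text becomes visible and the dead branch is simply never observed. Node.js is assumed, and the sample script is constructed for the example:

```javascript
// Added example, not from the talk: a small dynamic-analysis harness. The
// script under analysis runs with `eval` and `Function` shadowed by
// recording hooks, so whatever decoded text an encoding-based obfuscation
// hands to them is captured. Node.js is assumed; the sample is constructed.

function runWithHooks(src) {
  const seen = [];                                   // what reached eval/Function
  const hookedEval = code => {
    seen.push({ via: "eval", code: String(code) });
    return (0, eval)(code);                          // indirect eval, global scope
  };
  const hookedFunction = (...args) => {
    seen.push({ via: "Function", code: String(args[args.length - 1]) });
    return Function(...args);                        // the real constructor
  };
  // Inside the compiled script, `eval` and `Function` resolve to these
  // parameters, so its direct calls reach the hooks instead of the builtins.
  const result = new Function("eval", "Function", src)(hookedEval, hookedFunction);
  return { result, seen };
}

// Constructed sample in the spirit of slide 34: the name "Number" is built
// from coercion quirks and only exists at runtime, and one branch is dead.
const SAMPLE = `
  var n = (+"a" + "")[0] + "umber";                    // "NaN"[0] + "umber"
  var make = Function("return " + n + '("40")');       // compiled at runtime
  if (n.length * n.length === 37) { eval("never()"); } // never executed
  return eval(n + '("2")') + make();
`;

const TRACE = runWithHooks(SAMPLE);
// TRACE.result -> 42
// TRACE.seen   -> [{ via: "Function", code: 'return Number("40")' },
//                  { via: "eval",     code: 'Number("2")' }]
```

The harness only sees code that actually executes, and only through the two names it shadows: a script that reaches the Function constructor through `[]["sort"]["constructor"]` (slide 36) slips past it. Both limits are the "may not see all useful code" caveat on the slide, and the reason this technique informs manual reversing rather than replacing static simplification.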
Slide 24
Measuring Obfuscation: Obfuscation Stealthiness
• How hard is it to spot?
  – Or "how hard is it to spot the changes performed by the obfuscation"
  – Or "how successful the obfuscation was in making the obfuscated targets look like other parts of the code"
• An obfuscation is more stealthy if it avoids common telltale indicators:
  – eval()
  – unescape()
  – Large blocks of meaningless text
Slide 25
Measuring Obfuscation: Obfuscation Execution Cost
• Impact on performance
  – Runs per second
  – FPS (e.g. games)
  – Usually obfuscation does not have a positive impact on performance, but it does not necessarily have a negative impact. It depends on the mix of transformations chosen and on the nature of the original source code.
    • E.g. renaming symbols => same execution cost
• Impact on loading times
  – Time before execution starts
  – Usually a function of file size
  – Usually obfuscation tends to grow the file size. But there are also some obfuscation transformations which make it smaller.
    • E.g. renaming symbols again
Slide 26
Measuring Obfuscation: Obfuscation & Maintainability
Effect on maintainability = 1/potency (after static code analysis)
Lower maintainability => mitigates code theft and reuse
This is one of the most important concepts around obfuscation.
Slide 27
PART 3 – JAVASCRIPT OBFUSCATION PRACTICAL EXAMPLES
Slide 28
Compression/Minification vs Obfuscation
• This first example aims to clarify one of the most common misconceptions around obfuscation: a lot of people do not understand very well the difference between compressing or minifying the code and obfuscating it.
• This code is a portion of an md5 function in JavaScript.
Slide 30
Compression/Minification vs Obfuscation
• But look, it has got an eval() in it. Not very stealthy.
• It is needed because the JavaScript has been encoded and the result of decoding it must be evaluated at runtime.
• When encoding is used, there is always a decoding function somewhere.
• The real question is: is it resilient?
Slide 32
(Panels: Original source; Reverse-engineered result)
• And that results in the code you see on the right. If you compare it with the original source code, you can see that it's pretty much the same code.
• To many this isn't surprising, but a lot of people use JavaScript compressors or minifiers with the intention of protecting the code.
• This is a perfect example of a code transformation that is very potent but with almost null resilience.
• Compressor/Minifier tools do not aim at protecting the code. Their sole purpose is to make it smaller and faster.
Slide 33
Non-alphanumeric Obfuscation
• First JavaScript version proposed by Yosuke Hasegawa (on sla.ckers.org, Jun 2009)
• Encoding method which uses strictly non-alphanumeric symbols
• Example: alert(1) (obfuscated version below)
Slide 34
How is that possible?
• Using type coercion and browser quirks
• We can obtain alphanumeric characters indirectly

+[]                        -> 0
+!+[]                      -> 1
+!+[]+!+[]                 -> 2        (easy to get any number)
+"1"                       -> 1        (type coercion to number)
""+1                       -> "1"      (type coercion to string)

How to get letters?
+"a"                       -> NaN
+"a"+""                    -> "NaN"
(+"a"+"")[0]               -> "N"

OK, but now without alphanumerics:
(+"a"+"")[+[]]             -> "N"

How to get an "a"?
![]                        -> false
![]+""                     -> "false"
(![]+"")[1]                -> "a"
(![]+"")[+!+[]]            -> "a"
(+(![]+"")[+!+[]]+"")[+[]] -> "N"

eval( (![]+"")[+!+[]]+"lert(1)");
Slide 36
Wait... What about the eval?
• "eval" uses alphanumeric characters!
• eval() is not the only way to eval()!
• You have 4 or 5 more methods
• Examples
  – Function("alert(1)")()
  – Array.constructor("alert(1)")()
  – []["sort"]["constructor"]("alert(1)")()
• Subscript notation
• Strings (we already know how to convert them)
Slide 38
Non-alphanumeric Obfuscation
• 100% potent
• 0% stealthy (when you see it, you know someone is trying to hide something)
• High execution cost
  – eval is a bit slower
  – But the worst is: the file is much larger => slower loading times
• May not work in all browsers
• What about resilience?
  – Unfortunately, not much (you can get a parser to simplify it back to the original source)
• Good for bypassing filters (e.g. WAFs)
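The stealthiness indicators of slide 24 (eval(), unescape(), large blocks of meaningless text) and this slide's "0% stealthy" verdict on non-alphanumeric encoding, turned into a triage heuristic a reviewer or a content filter could run over a script. This is an added example written for the transcript, not the talk's code or any product's; the thresholds are this example's own choices and the three sample scripts are constructed:

```javascript
// Added example, not from the talk: a triage heuristic for the stealthiness
// indicators named on slides 24 and 38. Thresholds are this example's own
// choices; the three sample scripts below are constructed.

function telltales(src) {
  const count = re => (src.match(re) || []).length;
  const alnum = count(/[A-Za-z0-9]/g);
  const visible = count(/\S/g);
  const runs = src.match(/[\[\]()+!]{2,}/g) || [];   // unbroken []()+! sequences
  return {
    evalCalls: count(/\beval\s*\(/g),
    unescapeCalls: count(/\bunescape\s*\(/g),
    functionCtor: count(/\bFunction\s*\(|\[\s*["']constructor["']\s*\]/g),
    nonAlnumRatio: visible ? 1 - alnum / visible : 0, // 1.0 = no letters or digits at all
    longestSymbolRun: Math.max(0, ...runs.map(r => r.length)),
  };
}

// Human-readable reasons; empty when nothing stands out.
function telltaleReasons(src) {
  const t = telltales(src);
  const reasons = [];
  if (t.evalCalls) reasons.push("eval()");
  if (t.unescapeCalls) reasons.push("unescape()");
  if (t.functionCtor) reasons.push("Function constructor");
  if (t.nonAlnumRatio > 0.8) reasons.push("mostly non-alphanumeric");
  if (t.longestSymbolRun >= 12) reasons.push("long run of []()+! symbols");
  return reasons;
}

// Constructed samples: a plain minified function, a packed script that
// decodes through unescape() and eval(), and a non-alphanumeric expression
// built the way slide 34 shows ("N" followed by the number 2).
const MINIFIED = 'function f(a,b){return a*b+1}';
const PACKED = 'eval(unescape("%4e%75%6d%62%65%72"))';
const NON_ALNUM = '(+(![]+"")[+!+[]]+"")[+[]]+(+!+[]+!+[])';

// telltaleReasons(MINIFIED)  -> []
// telltaleReasons(PACKED)    -> ["eval()", "unescape()"]
// telltaleReasons(NON_ALNUM) -> ["mostly non-alphanumeric", "long run of []()+! symbols"]
```

Minified code scores clean because minification keeps ordinary identifiers and operators; the packed and non-alphanumeric forms trip the indicators immediately, which is exactly what "not stealthy" means in the talk's terms. The heuristic says nothing about resilience: a script can be flagged here and still be hard to reverse, or unflagged and trivial.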
Slide 41
Deadcode injection
• Deadcode insertion is a natural way of adding confusion to source code, and thus increasing the potency of the obfuscation.
• Being dead code, the code isn't really executed, so this has no impact on Execution Cost.
• Would a Static Code Analyser remove this particular dead code?
• No, because it relies on opaque predicates:
  – Not removable using Static Code Analysis
  – Predicates similar to ones found in the original source (++stealthiness)
• Randomly injected (++potent)
• Increase complexity of control flow (++potent)
• Dummy statements created out of own code (++potent & ++stealthiness)
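An opaque predicate guarding an injected dead branch, as an added worked example written for this transcript (not the talk's code or AuditMark's product). The predicate compares runtime values, so a constant-folding pass such as the one on slide 20 has nothing to fold and must keep the branch, yet it is always true, so the branch never runs and the function's results are unchanged. The sample input is constructed:

```javascript
// Added example, not from the talk: dead-code injection guarded by an opaque
// predicate. Statically it is an ordinary comparison on a runtime value, so a
// constant-folding pass cannot discard the branch; dynamically it is always
// true, so the "dead" branch never executes. Sample input is constructed.

// Opaque predicate: n*(n+1) is the product of two consecutive integers and
// therefore always even. Assumes |n| stays well below 2^26 so the product is
// exact in a JavaScript number.
const opaquelyTrue = n => (n * (n + 1)) % 2 === 0;

// Original: sums the items.
function checksum(items) {
  let total = 0;
  for (const v of items) total += v;
  return total;
}

// Same function with an injected dead branch. The dummy statement is built
// from the function's own vocabulary (the slide's stealthiness gain), and
// the guard looks like any other arithmetic check on local state.
function checksumWithDeadCode(items) {
  let total = 0;
  for (const v of items) {
    if (opaquelyTrue(total)) {
      total += v;
    } else {
      total = total * v - items.length;   // never executed
    }
  }
  return total;
}

// Exhaustive check over a range that the predicate really is always true,
// including negative values and the n = -1 / n = 0 cases.
function predicateHolds(from, to) {
  for (let n = from; n <= to; n++) if (!opaquelyTrue(n)) return false;
  return true;
}
```

Removing the branch requires knowing that `total` only ever holds integers and that the arithmetic identity holds, which is a proof, not a simplification; that gap between "never true at runtime" and "provably never true" is what the slide means by resilience against static analysis.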
Slide 42
All Together Now
HTML5 Canvas example from mozilla.org
• Up to now we have mostly seen no more than two or three obfuscation transformations working together.
• Let's go back to the first example and see what happens when we mix a larger number of code obfuscation transformations together.
Slide 43
All Together Now
Transformations applied:
• remove comments
• dot notation
• rename local
• member enumeration
• literal hooking :low
• deadcode injection
• string splitting :high
• function reordering
• function outlining
• literal duplicates
• expiration date "2199-12-31 00:00:00"
Slide 44
All Together Now
• As you can see, you get a heavily obfuscated result.
• We intentionally didn't use any encoding-based obfuscation in this example, to let you see the effect of these transformations together. Also, you are not seeing the whole code here.
• For the record, not all encoding transformations are easily reversed. We could, for instance, use a domain-lock encoding which needs to get the correct information from the browser to decode properly.
Slide 45
After Closure Compiler
• And this is the result after running the code through Google Closure Compiler.
• It didn't improve the readability much, because the obfuscation transformations offered a good degree of resilience.
Slide 46
Conclusion
• People often judge obfuscation based on its (apparent) potency
• It's the resilience and the "real" potency that matter
  – The potency that you get after applying automated tools to reverse it
• Evaluating resilience is not trivial
  – Looking at simpler examples, it may be relatively easy "with the naked eye" to tell which of two obfuscations is more resilient
  – But when comparing complicated obfuscated versions that use many code transformations, it's not easy to say which version is more resilient.
  – This is a job for JavaScript obfuscators
    • They should offer not only potency, but also resilience
    • Make an effort to explain to their users what is best to protect their code
    • Avoid making available options that may reduce resilience
Slide 47
Conclusion
• Don't forget execution cost
  – And where the code is executed. A smartphone usually has fewer resources than a desktop computer. Obfuscation should be tuned to the platform where the code is being executed.
• Obfuscation can be very effective as a way to prevent code theft and reuse, by
  – Making it a real pain to understand the code
  – Making it a real pain to change the code successfully
  – Significantly lowering the value that an attacker can obtain from reversing the code
Slide 48
Contact Information
Pedro Fortuna
Owner & Co-Founder & CTO
pedro.fortuna@auditmark.com
Phone: +351 917331552
Porto - Headquarters
Edifício Central da UPTEC
Rua Alfredo Allen, 455
4200-135 Porto, Portugal
Lisbon office
Startup Lisboa
Rua da prata, 121 5A
1100-415 Lisboa, Portugal