A Framework to Quantify the Quality of Source Code Obfuscation
<p>Example 2 of a control flow graph.</p> "> Figure 2
<p>Overview of a framework for quantifying obfuscation quality.</p> "> Figure 3
<p>Obfuscation quality quantification experiment for commercial and open-source obfuscation tools.</p> "> Figure 4
<p>Potency measurement results.</p> "> Figure 5
<p>Resilience measurement results.</p> "> Figure 6
<p>Cost measurement results.</p> ">
:1. Introduction
- We are the first to implement a framework that can quantitatively evaluate the quality of obfuscation techniques.
- We define the challenges associated with analyzing and executing obfuscated programs to quantify Potency, Resilience, and Cost and establish 12 measurement indicators based on these definitions.
- Our proposed framework for quantifying obfuscation quality integrates the techniques into the LLVM compiler so that all quantification values can be measured during compilation.
- We conducted extensive quantitative measurement experiments using well-known obfuscation tools and successfully demonstrated our framework’s effectiveness in this paper.
2. Background
2.1. Source Code Obfuscation
2.1.1. Layout Obfuscation
2.1.2. Data Obfuscation
2.1.3. Control Flow Obfuscation
2.2. Source Code Obfuscator
2.3. Dataset for Evaluating Source Code Obfuscation
3. Threat Model
4. Approach
4.1. Potency
4.2. Resilience
4.3. Cost
5. Framework
6. Experiment
6.1. Experimental Process
6.1.1. Experimental Design
- Selection of Dataset: we used 130 C/C++ source codes from the NIST Juliet Test Suite and the Obfuscation-Benchmarks dataset. These datasets were selected to ensure a diverse range of code characteristics.
- Configuration of Obfuscation Tools: four obfuscation tools were used:
- Stunnix C/C++ Obfuscator
- Semantic Designs C-GCC4 Obfuscator
- Tigress Obfuscator (with three levels of obfuscation: Level 1, Level 2, Level 3)
- Obfuscator LLVM
Each tool was configured with specific options to apply distinct obfuscation techniques. - Application of Obfuscation Techniques: the selected datasets were obfuscated using the configured tools. Each obfuscated code was then used to generate the required binaries for analysis.
- Measurement of Metrics: the following metrics were measured:
- Potency: McCabe cyclomatic complexity, control flow graph size, control flow depth, program length, and instruction count.
- Resilience: symbolic execution time, code coverage, static analysis time, and code optimization.
- Cost: time overhead, space overhead, and file size.
- Analysis and Comparison: the measured metrics from the obfuscated codes were compared against the baseline (non-obfuscated) codes to evaluate the impact of each obfuscation technique.
6.1.2. Detailed Protocol
- Experimental Environment:
- Hardware: Intel i9-13900K @ 5.80 GHz CPU, 64 GB RAM, 32 cores
- Software: LLVM version 13.0.0 compiler, Ubuntu 22.04 LTS, Kernel version 5.15.0
- Obfuscation Tool Configuration:
- Stunnix C/C++ Obfuscator: applied formatting changes and comment removal.
- Semantic Designs C-GCC4 Obfuscator: applied identifier scrambling, formatting changes, comment removal, and data encoding.
- Tigress Obfuscator:
- -
- Level 1: Mixed Boolean Arithmetic
- -
- Level 2: Mixed Boolean Arithmetic + Opaque Predicates
- -
- Level 3: Mixed Boolean Arithmetic + Opaque Predicates + Control Flow Flattening
- Obfuscator LLVM: applied control flow flattening, instruction substitution, and bogus control flows.
- Data Collection:
- Potency Metrics: calculated using CFG Analyzer integrated with LLVM.
- Resilience Metrics: measured using the KLEE symbolic execution tool, Clang static analyzer, and LLVM opt optimizer.
- Cost Metrics: assessed using Binary Analyzer developed to measure runtime overhead, memory usage, and binary file size.
- Analysis:
- The results were analyzed to identify the impact of each obfuscation technique on the selected metrics. Comparative analysis was performed to evaluate the effectiveness of different techniques.
6.2. Potency Measurement Results
6.3. Resilience Measurement Results
6.4. Cost Measurement Results
7. Discussion
8. Related Works
9. Conclusions
Author Contributions
Data Availability Statement
Conflicts of Interest
- Banescu, S.; Ochoa, M.; Pretschner, A. A framework for measuring software obfuscation resilience against automated attacks. In Proceedings of the 2015 IEEE/ACM 1st International Workshop on Software Protection, Florence, Italy, 16–24 May 2015; IEEE: New York, NY, USA, 2015; pp. 45–51. [Google Scholar]
- Akhunzada, A.; Sookhak, M.; Anuar, N.B.; Gani, A.; Ahmed, E.; Shiraz, M.; Furnell, S.; Hayat, A.; Khan, M.K. Man-At-The-End attacks: Analysis, taxonomy, human aspects, motivation and future directions. J. Netw. Comput. Appl. 2015, 48, 44–57. [Google Scholar] [CrossRef]
- Collberg, C.S.; Thomborson, C. Watermarking, tamper-proofing, and obfuscation-tools for software protection. IEEE Trans. Softw. Eng. 2002, 28, 735–746. [Google Scholar] [CrossRef]
- Bhansali, S.; Aris, A.; Acar, A.; Oz, H.; Uluagac, A.S. A first look at code obfuscation for webassembly. In Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks, San Antonio, TX, USA, 16–19 May 2022; pp. 140–145. [Google Scholar]
- Collberg, C.; Thomborson, C.; Low, D. A Taxonomy of Obfuscating Transformations; Technical Report; Department of Computer Science, The University of Auckland: Auckland, New Zealand, 1997. [Google Scholar]
- Obfuscator, S. Protect your C/C++ Code. Available online: http://stunnix.com/prod/cxxo/ (accessed on 12 October 2023).
- Designs, S. Source Code Obfuscator. Available online: http://www.semdesigns.com/Obfuscators/ (accessed on 12 October 2023).
- Obfuscator, T. The Tigress C Diversifier/Obfuscator. Available online: http://http://tigress.cs.arizona.edu/ (accessed on 12 October 2023).
- Junod, P.; Rinaldini, J.; Wehrli, J.; Michielin, J. Obfuscator-LLVM–software protection for the masses. In Proceedings of the 2015 IEEE/ACM 1st International Workshop on Software Protection, Florence, Italy, 16–24 May 2015; IEEE: New York, NY, USA, 2015; pp. 3–9. [Google Scholar]
- Balachandran, V.; Emmanuel, S. Potent and stealthy control flow obfuscation by stack based self-modifying code. IEEE Trans. Inf. Forensics Secur. 2013, 8, 669–681. [Google Scholar] [CrossRef]
- Sultan, A.B.M.; Ghani, A.A.A.; Ali, N.M.; Admodisastro, N.I. Hybrid obfuscation technique to protect source code from prohibited software reverse engineering. IEEE Access 2020, 8, 187326–187342. [Google Scholar]
- Ahire, P.; Abraham, J. Mechanisms for source code obfuscation in C: Novel techniques and implementation. In Proceedings of the 2020 International Conference on Emerging Smart Computing and Informatics (ESCI), Pune, India, 12–14 March 2020; IEEE: New York, NY, USA, 2020; pp. 52–59. [Google Scholar]
- Bertholon, B.; Varrette, S.; Martinez, S. Shadobf: A c-source obfuscator based on multi-objective optimisation algorithms. In Proceedings of the 2013 IEEE International Symposium on Parallel & Distributed Processing, Workshops and Phd Forum, Cambridge, MA, USA, 20–24 May 2013; IEEE: New York, NY, USA, 2013; pp. 435–444. [Google Scholar]
- Styugin, M.; Zolotarev, V.; Prokhorov, A.; Gorbil, R. New approach to software code diversification in interpreted languages based on the moving target technology. In Proceedings of the 2016 IEEE 10th International Conference on Application of Information and Communication Technologies (AICT), Baku, Azerbaijan, 12–14 October 2016; IEEE: New York, NY, USA, 2016; pp. 1–5. [Google Scholar]
- Ebad, S.A.; Darem, A.A.; Abawajy, J.H. Measuring software obfuscation quality—A systematic literature review. IEEE Access 2021, 9, 99024–99038. [Google Scholar] [CrossRef]
- Hosseinzadeh, S.; Rauti, S.; Laurén, S.; Mäkelä, J.M.; Holvitie, J.; Hyrynsalmi, S.; Leppänen, V. Diversification and obfuscation techniques for software security: A systematic literature review. Inf. Softw. Technol. 2018, 104, 72–93. [Google Scholar] [CrossRef]
- Ceccato, M.; Capiluppi, A.; Falcarin, P.; Boldyreff, C. A large study on the effect of code obfuscation on the quality of java code. Empir. Softw. Eng. 2015, 20, 1486–1524. [Google Scholar] [CrossRef]
- Capiluppi, A.; Falcarin, P.; Boldyreff, C. Code defactoring: Evaluating the effectiveness of java obfuscations. In Proceedings of the 2012 19th Working Conference on Reverse Engineering, Kingston, ON, Canada, 15–18 October 2012; IEEE: New York, NY, USA, 2012; pp. 71–80. [Google Scholar]
- Dunaev, D.; Lengyel, L. Cognitive evaluation of intermediate level obfuscator. In Proceedings of the 2014 5th IEEE Conference on Cognitive Infocommunications (CogInfoCom), Vietri sul Mare, Italy, 5–7 November 2014; IEEE: New York, NY, USA, 2014; pp. 521–525. [Google Scholar]
- Sebastian, B.; Christian, C.; Alexander, P. Predicting the Resilience of Obfuscated Code Against Symbolic Execution Attacks via Machine Learning. In Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC, Canada, 16–18 August 2017; pp. 661–678. [Google Scholar]
- Duchêne, J.; Alata, E.; Nicomette, V.; Kaâniche, M.; Le Guernic, C. Specification-based protocol obfuscation. In Proceedings of the 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Luxembourg, 25–28 June 2018; IEEE: New York, NY, USA, 2018; pp. 478–489. [Google Scholar]
- Omar, R.; El-Mahdy, A.; Rohou, E. Arbitrary control-flow embedding into multiple threads for obfuscation: A preliminary complexity and performance analysis. In Proceedings of the 2nd International Workshop on Security in Cloud Computing, Kyoto, Japan, 3 June 2014; pp. 51–58. [Google Scholar]
- Han, S.; Ryu, M.; Cha, J.; Choi, B.U. HOTDOL: HTML obfuscation with text distribution to overlapping layers. In Proceedings of the 2014 IEEE International Conference on Computer and Information Technology, Xi’an, China, 11–13 September 2014; IEEE: New York, NY, USA, 2014; pp. 399–404. [Google Scholar]
- Ibrahim, A.; Banescu, S. StIns4CS: A State Inspection Tool for C#. In Proceedings of the 2016 ACM Workshop on Software PROtection, Vienna, Austria, 28 October 2016; pp. 61–71. [Google Scholar]
- Lackner, M.; Berlach, R.; Weiss, R.; Steger, C. Countering type confusion and buffer overflow attacks on Java smart cards by data type sensitive obfuscation. In Proceedings of the First Workshop on Cryptography and Security in Computing Systems, Vienna, Austria, 20 January 2014; pp. 19–24. [Google Scholar]
- Liu, W.; Li, W. Unifying the method descriptor in Java obfuscation. In Proceedings of the 2016 2nd IEEE International Conference on Computer and Communications (ICCC), Chengdu, China, 14–17 October 2016; IEEE: New York, NY, USA, 2016; pp. 1397–1401. [Google Scholar]
- Ko, S.; Choi, J.; Kim, H. COAT: Code obfuscation tool to evaluate the performance of code plagiarism detection tools. In Proceedings of the 2017 International Conference on Software Security and Assurance (ICSSA), Altoona, PA, USA, 24–25 July 2017; IEEE: New York, NY, USA, 2017; pp. 32–37. [Google Scholar]
- Li, Y.; Sha, Z.; Xiong, X.; Zhao, Y. Code Obfuscation Based on Inline Split of Control Flow Graph. In Proceedings of the 2021 IEEE International Conference on Artificial Intelligence and Computer Applications (ICAICA), Dalian, China, 28–30 June 2021; IEEE: New York, NY, USA, 2021; pp. 632–638. [Google Scholar]
- Cadar, C.; Dunbar, D.; Engler, D.R. Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the OSDI, San Diego, CA, USA, 8–10 December 2008; Volume 8, pp. 209–224. [Google Scholar]
- Kremenek, T. Finding Software Bugs with the Clang Static Analyzer; Apple Inc.: Cupertino, CA, USA, 2008; p. 2008. [Google Scholar]
- Lattner, C.; Adve, V. LLVM: A compilation framework for lifelong program analysis & transformation. In Proceedings of the International Symposium on Code Generation and Optimization, CGO 2004, San Jose, CA, USA, 20–24 March 2004; IEEE: New York, NY, USA, 2004; pp. 75–86. [Google Scholar]
- Black, P.E.; Black, P.E. Juliet 1.3 Test Suite: Changes from 1.2; US Department of Commerce, National Institute of Standards and Technology: Gaithersburg, MD, USA, 2018. [Google Scholar]
- Banescu, S.; Collberg, C.; Ganesh, V.; Newsham, Z.; Pretschner, A. Code obfuscation against symbolic execution attacks. In Proceedings of the 32nd Annual Conference on Computer Security Applications, Los Angeles, CA, USA, 5–8 December 2016; pp. 189–200. [Google Scholar]
- Hachez, G. A Comparative Study of Software Protection Tools Suited for E-Commerce with Contributions to Software Watermarking and Smart Cards. Ph.D. Thesis, Universite Catholique de Louvain, Ottignies-Louvain-la-Neuve, Belgium, 2003. [Google Scholar]
- Chan, J.T.; Yang, W. Advanced obfuscation techniques for Java bytecode. J. Syst. Softw. 2004, 71, 1–10. [Google Scholar] [CrossRef]
- Zhu, W.F. Concepts and Techniques in Software Watermarking and Obfuscation. Ph.D. Thesis, The Department of Computer Sciences The University of Auckland, Auckland, New Zealand, 2007. [Google Scholar]
- Liu, B.; Feng, W.; Zheng, Q.; Li, J.; Xu, D. Software obfuscation with non-linear mixed boolean-arithmetic expressions. In Proceedings of the Information and Communications Security: 23rd International Conference, ICICS 2021, Chongqing, China, 19–21 November 2021; Proceedings, Part I 23. Springer: Berlin/Heidelberg, Germany, 2021; pp. 276–292. [Google Scholar]
- Kang, S.; Lee, S.; Kim, Y.; Mok, S.K.; Cho, E.S. Obfus: An obfuscation tool for software copyright and vulnerability protection. In Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, Virtual, 26–28 April 2021; pp. 309–311. [Google Scholar]
- Ahire, P.; Abraham, J. Secure cloud model for intellectual privacy protection of arithmetic expressions in source codes using data obfuscation techniques. Theor. Comput. Sci. 2022, 922, 131–149. [Google Scholar] [CrossRef]
- Schloegel, M.; Blazytko, T.; Contag, M.; Aschermann, C.; Basler, J.; Holz, T.; Abbasi, A. Loki: Hardening code obfuscation against automated attacks. In Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), Boston, MA, USA, 10–12 August 2022; pp. 3055–3073. [Google Scholar]
- Rajba, P.; Mazurczyk, W. Data hiding using code obfuscation. In Proceedings of the 16th International Conference on Availability, Reliability and Security, Vienna, Austria, 17–20 August 2021; pp. 1–10. [Google Scholar]
- Xu, D.; Ming, J.; Wu, D. Generalized dynamic opaque predicates: A new control flow obfuscation method. In Proceedings of the Information Security: 19th International Conference, ISC 2016, Honolulu, HI, USA, 3–6 September 2016; Proceedings 19. Springer: Berlin/Heidelberg, Germany, 2016; pp. 323–342. [Google Scholar]
- Ge, J.; Chaudhuri, S.; Tyagi, A. Control flow based obfuscation. In Proceedings of the 5th ACM Workshop on Digital Rights Management, Alexandria, VA, USA, 7 November 2005; pp. 83–92. [Google Scholar]
- Balachandran, V.; Keong, N.W.; Emmanuel, S. Function level control flow obfuscation for software security. In Proceedings of the 2014 Eighth International Conference on Complex, Intelligent and Software Intensive Systems, Birmingham, UK, 2–4 July 2014; IEEE: New York, NY, USA, 2014; pp. 133–140. [Google Scholar]
- Tang, Z.; Chen, X.; Fang, D.; Chen, F. Research on java software protection with the obfuscation in identifier renaming. In Proceedings of the 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC), Kaohsiung, Taiwan, 7–9 December 2009; IEEE: New York, NY, USA, 2009; pp. 1067–1071. [Google Scholar]
- Balachandran, V.; Emmanuel, S. Software code obfuscation by hiding control flow information in stack. In Proceedings of the 2011 IEEE International Workshop on Information Forensics and Security, Iguacu Falls, Brazil, 29 November–2 December 2011; IEEE: New York, NY, USA, 2011; pp. 1–6. [Google Scholar]
- Ertaul, L.; Venkatesh, S. Novel obfuscation algorithms for software security. In Proceedings of the 2005 International Conference on Software Engineering Research and Practice, SERP, Citeseer, Las Vegas, NV, USA, 27–29 June 2005; Volume 5. [Google Scholar]
- Fukushima, K.; Kiyomoto, S.; Tanaka, T.; Sakurai, K. Analysis of program obfuscation schemes with variable encoding technique. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 2008, 91, 316–329. [Google Scholar] [CrossRef]
- Kovacheva, A. Efficient code obfuscation for Android. In Proceedings of the Advances in Information Technology: 6th International Conference, IAIT 2013, Bangkok, Thailand, 12–13 December 2013; Proceedings 6. Springer: Berlin/Heidelberg, Germany, 2013; pp. 104–119. [Google Scholar]
- Hessler, A.; Kakumaru, T.; Perrey, H.; Westhoff, D. Data obfuscation with network coding. Comput. Commun. 2012, 35, 48–61. [Google Scholar] [CrossRef]
- LeDoux, C.; Sharkey, M.; Primeaux, B.; Miles, C. Instruction embedding for improved obfuscation. In Proceedings of the 50th Annual Southeast Regional Conference, Tuscaloosa, AL, USA, 29–31 March 2012; pp. 130–135. [Google Scholar]
- Darwish, S.M.; Guirguis, S.K.; Zalat, M.S. Stealthy code obfuscation technique for software security. In Proceedings of the The 2010 International Conference on Computer Engineering & Systems, Cairo, Egypt, 30 November–2 December 2010; IEEE: New York, NY, USA, 2010; pp. 93–99. [Google Scholar]
- Eyrolles, N. Obfuscation with Mixed Boolean-Arithmetic Expressions: Reconstruction, Analysis and Simplification Tools. Ph.D. Thesis, Université Paris Saclay (COmUE), Paris, France, 2017. [Google Scholar]
- Zhou, Y.; Main, A.; Gu, Y.X.; Johnson, H. Information hiding in software with mixed boolean-arithmetic transforms. In Proceedings of the International Workshop on Information Security Applications, Jeju Island, Republic of Korea, 27–29 August 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp. 61–75. [Google Scholar]
- László, T.; Kiss, Á. Obfuscating C++ programs via control flow flattening. Ann. Univ. Sci. Budapestinensis De Rolando Eötvös Nomin. Sect. Comput. 2009, 30, 3–19. [Google Scholar]
- Schloegel, M.; Blazytko, T.; Contag, M.; Aschermann, C.; Basler, J.; Holz, T.; Abbasi, A. Technical Report: Hardening Code Obfuscation Against Automated Attacks. arXiv 2021, arXiv:2106.08913. [Google Scholar]
- Tatzer, C. Opcode Coverage-Guided Virtualization Deobfuscation Based on Symbolic Execution. Ph.D. Thesis, Technische Universität Wien, Vienna, Austria, 2020. [Google Scholar]
- Watson, A.H.; Wallace, D.R.; McCabe, T.J. Structured Testing: A Testing Methodology Using the Cyclomatic Complexity Metric; US Department of Commerce, Technology Administration, The National Institute of Standards and Technology (NIST): Gaithersburg, MD, USA, 1996; Volume 500. [Google Scholar]
- Ceccato, M.; Di Penta, M.; Nagra, J.; Falcarin, P.; Ricca, F.; Torchiano, M.; Tonella, P. Towards experimental evaluation of code obfuscation techniques. In Proceedings of the 4th ACM Workshop on Quality of Protection, Alexandria, VA, USA, 27 October 2008; pp. 39–46. [Google Scholar]
- Viticchié, A.; Regano, L.; Torchiano, M.; Basile, C.; Ceccato, M.; Tonella, P.; Tiella, R. Assessment of source code obfuscation techniques. In Proceedings of the 2016 IEEE 16th international working conference on source code analysis and manipulation (SCAM), Raleigh, NC, USA, 2–3 October 2016; IEEE: New York, NY, USA, 2016; pp. 11–20. [Google Scholar]
- Kumar, K.; Kehar, V.; Kaur, P. A comparative analysis of static java bytecode software watermarking algorithms. Afr. J. Comput. ICT 2015, 8, 201–208. [Google Scholar]
- Yadegari, B.; Debray, S. Symbolic execution of obfuscated code. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; pp. 732–744. [Google Scholar]
Categories | Obfuscation Techniques | Description |
Scramble Identifiers | Mangles symbols such as function names and variable names | |
Layout Obfuscation | Change Formatting | Changes the format of source code by deleting or adding white space, newline characters, etc. |
Remove Comments | Deletes comments written by programmers | |
Data Encoding | Transforms strings, values, and similar elements to obscure recognition | |
Data Obfuscation | Instruction Substitution | Complicates the structure of instruction calculation expressions such as add, sub, etc. |
Mixed Boolean Arithmetic | Uses formulas that combine Boolean algebra and arithmetic operations | |
Bogus Control Flows | Complicates the code by inserting dummy code, thus affecting the control flow graph | |
Control Obfuscation | Opaque Predicates | Creates a conditional statement that executes in one direction and inserts garbage code in the part that does not execute |
Control Flow Flattening | Puts all control flows, such as loop and conditional branches, into one huge switch statement to move all other blocks from just one block |
Obfuscators | Options | Obfuscation Techniques | Obfuscator Type |
Stunnix C/C++ Obfuscator | protect everything but leave symbol names as is | Change Formatting | Commercial |
Remove Comments | |||
Instruction Substitution | |||
Semantic Designs C-GCC4 Obfuscator | +PrintAsis +Obfuscate +ObfuscateLiterals | Scramble Identifiers | Commercial |
Change Formatting | |||
Remove Comments | |||
Data Encoding | |||
Tigress Obfuscator | Level 1: Enc.Arithmetic | Mixed Boolean Arithmetic | Open-source |
Level 2: Enc.Arithmetic and Add Opaque | Mixed Boolean Arithmetic | ||
Opaque Predicates | |||
Level 3: Enc.Arithmetic and Add Opaque and Flatten | Mixed Boolean Arithmetic | ||
Opaque Predicates | |||
Control Flow Flattening | |||
Obfuscator LLVM | Control Flow Flattening and Instruction Substitution and Bogus Control Flows | Instruction Substitution | Open-source |
Bogus Control Flows | |||
Control Flow Flattening |
Categories | Measurement Indicators | Description |
Potency | McCabe Cyclomatic Complexity | {Number of Edges} − {Number of Nodes} + 2 |
Control Flow Graph Size | Number of Nodes | |
Control Flow Depth | The maximum number of Edges it takes to get from one Node to another Node | |
Program Length | Lines of Code (LoC) in source code | |
Instruction Count | Number of Instructions | |
Resilience | Symbolic Execution Time | Time taken by the Symbolic Execution tool to complete the analysis |
Code Coverage | Percentage of instructions for which the Symbolic Execution tool performed analysis among all instructions | |
Static Analysis Time | Analysis time of Static Analysis tools | |
Code Optimization | Percentage of instructions optimized by Code Optimization tools | |
Cost | Time Overhead | Run time of compiled binary |
Space Overhead | Process memory usage, including .data sections, .text sections, etc. | |
File Size | Size of binary file |
Tools | Potency (Num) | |||||
McCabe | CFG Size | CF Depth | Program Length | Instruction Count | ||
Baseline | Average | 6.60 | 14.00 | 5.20 | 94.08 | 79.17 |
Stunnix C/C++ Obfuscator | Average | 6.60 | 14.00 | 5.20 | 33.32 | 79.17 |
Growth Rate | 0% | 0% | 0% | −64.54% | 0% | |
Semantic Designs C Obfuscator | Average | 6.60 | 14.00 | 5.20 | 116.89 | 79.17 |
Growth Rate | 0% | 0% | 0% | 24.77% | 0% | |
Obfuscator LLVM | Average | 43.71 | 111.86 | 5.78 | 723.14 | 1311.50 |
Growth Rate | 530.50% | 735.44% | 78.25% | 674.41% | 1529.57% | |
Tigress C Obfuscator (Level 1) | Average | 7.28 | 13.95 | 4.37 | 119.48 | 126.70 |
Growth Rate | 12.77% | 7.51% | −6.26% | 27.55% | 59.02% | |
Tigress C Obfuscator (Level 2) | Average | 12.87 | 24.78 | 5.61 | 343.41 | 363.35 |
Growth Rate | 103.42% | 116.41% | 44.82% | 264.23% | 359.91% | |
Tigress C Obfuscator (Level 3) | Average | 49.59 | 69.50 | 5.00 | 654.50 | 502.63 |
Growth Rate | 679.42% | 533.65% | 57.86% | 595.34% | 536.32% |
Tools | Resilience (ms,%) | ||||
Symbolic Execution Time | Code Coverage | Static Analysis Time | Code Optimization | ||
Baseline | Average | 55.81 | 73.17 | 104.95 | 55.02 |
Stunnix C/C++ Obfuscator | Average | 38.66 | 73.13 | 109.04 | 55.02 |
Growth Rate | −25.77% | 0.05% | 7.21% | 0% | |
Semantic Designs C Obfuscator | Average | 54.92 | 73.05 | 108.69 | 55.02 |
Growth Rate | 6.01% | 0.15% | 8.29% | 0% | |
Obfuscator LLVM | Average | 84.38 | 64.80 | 278.08 | 15.63 |
Growth Rate | 74.89% | −10.58% | 402.55% | −72.55% | |
Tigress C Obfuscator (Level 1) | Average | 47.24 | 70.41 | 109.26 | 52.34 |
Growth Rate | −13.96% | 4.08% | 12.33% | −4.03% | |
Tigress C Obfuscator (Level 2) | Average | 481.89 | 80.90 | 118.47 | 58.01 |
Growth Rate | 486.02% | −11.30% | 29.83% | 8.95% | |
Tigress C Obfuscator (Level 3) | Average | 666.15 | 79.27 | 118.71 | 60.68 |
Growth Rate | 693.74% | −9.44% | 37.45% | 15.31% |
Tools | Cost (ms, Kilo-Byte) | |||
Time Overhead | Space Overhead | File Size | ||
Baseline | Average | 0.768 | 2.29 | 15.78 |
Stunnix C/C++ Obfuscator | Average | 0.770 | 2.29 | 15.78 |
Growth Rate | 0.30% | 0% | 0% | |
Semantic Designs C Obfuscator | Average | 0.778 | 2.29 | 15.77 |
Growth Rate | 1.23% | 0% | −0.07% | |
Obfuscator LLVM | Average | 0.767 | 10.73 | 23.30 |
Growth Rate | −0.13% | 376.01% | 47.94% | |
Tigress C Obfuscator (Level 1) | Average | 0.782 | 2.50 | 15.88 |
Growth Rate | 1.83% | 9.31% | 0.69% | |
Tigress C Obfuscator (Level 2) | Average | 0.761 | 3.88 | 16.99 |
Growth Rate | −0.92% | 69.91% | 7.69% | |
Tigress C Obfuscator (Level 3) | Average | 0.776 | 5.33 | 18.09 |
Growth Rate | 1.07% | 133.43% | 14.63% |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Jin, H.; Lee, J.; Yang, S.; Kim, K.; Lee, D.H. A Framework to Quantify the Quality of Source Code Obfuscation. Appl. Sci. 2024, 14, 5056. https://doi.org/10.3390/app14125056
Jin H, Lee J, Yang S, Kim K, Lee DH. A Framework to Quantify the Quality of Source Code Obfuscation. Applied Sciences. 2024; 14(12):5056. https://doi.org/10.3390/app14125056
Chicago/Turabian StyleJin, Hongjoo, Jiwon Lee, Sumin Yang, Kijoong Kim, and Dong Hoon Lee. 2024. "A Framework to Quantify the Quality of Source Code Obfuscation" Applied Sciences 14, no. 12: 5056. https://doi.org/10.3390/app14125056
APA StyleJin, H., Lee, J., Yang, S., Kim, K., & Lee, D. H. (2024). A Framework to Quantify the Quality of Source Code Obfuscation. Applied Sciences, 14(12), 5056. https://doi.org/10.3390/app14125056