[SC-L] Managing the insider threat through code obfuscation
Matt Bishop
bishop at cs.ucdavis.edu
Thu Dec 15 11:42:40 EST 2005

Hi, Ken,

> This morning, an article caught my attention -- "Managing the insider threat
> through code obfuscation",
> http://www.itmanagersjournal.com/article.pl?sid=05/12/13/1736253
>
> The article's premise is that, because attackers can find out a great deal
> about the internals of databases and such by decompiling bytecode (in Java
> and .NET), bytecode should be obfuscated to hide its internal details. The
> article points to several commercial bytecode obfuscation products:
> http://www.devdirect.com/ALL/OBFUSCATIORS_PCAT_2014.aspx

I heard about code obfuscation in the late 1970's. A friend (and fellow
student) in my graduate program said a company he worked at did exactly
that. But the goal was *not* security; it was copyright protection. If
anyone copied their binary, and claimed to have written it independently
(and so did not need to pay a licensing fee), the company could easily
prove to a court that the other user had not written it on their own by
showing the convoluted logic in the program.

I don't remember if he said they ever actually had to do this in court,
but it seemed a pretty effective way to trace code lineage. The
application was not one in which speed was critical, so the loss of
speed due to the obfuscation was apparently tolerable (if not unnoticeable).

I don't remember the language involved, but suspect pretty strongly it
was *not* Java, because our discussion was some 15-20 years before Java
was released ... :-)

Cheers to all!

Matt