JavaScript Obfuscation: Facts and Fiction
Pedro Fortuna, Co-Founder and CTO, AuditMark
Agenda
• Obfuscation concepts
• Practical examples
PART 1 – SOURCE CODE OBFUSCATION
Source Code Obfuscation
• Lowers the code quality in terms of readability and maintainability
• Goal: delay program understanding, ideally to the point where the time an expert professional needs to reverse the program clearly exceeds the program's useful lifetime
• Different from code encryption
• Source code obfuscation != code obfuscation
Example Source
Obfuscated #1
Obfuscated #2
What is it good for?
Good:
• Protect intellectual property (algorithms, data)
• Prevent code theft and reuse
• Enforce license agreements
• Test the strength of security controls (IDS/IPS/WAFs/web filters)
Evil:
• Test the strength of security controls (IDS/IPS/WAFs/web filters)
• Hide malicious code
• Make it look like harmless code
Measuring Obfuscation
• Potency
• Resilience
• Stealthiness
• Execution cost
• Maintainability
Measuring Obfuscation: Obfuscation Potency
• Generate confusion
Measuring Obfuscation: Obfuscation Resilience
• Resistance to deobfuscation techniques, be it manual or automatic
Rename all + whitespace removal
String splitting
Static Code Analysis for defeating obfuscation
• 1. Parses the code
• 2. Transforms it to fulfil a purpose
  – Usually to make it simpler => better performance
  – Simpler also fulfils the reverse-engineering purpose
• A compiler is a static code analyser
• Things it can do
  – Constant folding, constant propagation
  – Remove (some) dead code
• Automatic!
• Next: an example
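To make the "a compiler is a static code analyser" point concrete, here is an added example (not code from the talk or from AuditMark) of the three transformations named on the slide, constant folding, constant propagation and dead-store removal, applied to a small hand-built AST in which the string "alert" has been split across variables. The node shapes, the SPLIT_STRING_PROGRAM sample and the single-assignment assumption (no variable is reassigned after its declaration) are this example's own; a real tool would take its AST from a parser.

```javascript
// Added example: miniature constant folder / propagator over a hand-built AST.
// Node shapes (invented here, assumption: single assignment):
//   { type: "lit", value }                { type: "var", name }
//   { type: "bin", op, left, right }      { type: "member", object, property }
//   { type: "call", callee, args }        { type: "decl", name, init }
//   { type: "expr", expr }                { type: "prog", body }

function foldExpr(node, env) {
  switch (node.type) {
    case "lit":
      return node;
    case "var":
      // constant propagation: a reference to a known constant becomes that constant
      return env.has(node.name) ? { type: "lit", value: env.get(node.name) } : node;
    case "bin": {
      const left = foldExpr(node.left, env);
      const right = foldExpr(node.right, env);
      if (left.type === "lit" && right.type === "lit") {
        // constant folding: both operands are known, so evaluate the operator now
        const l = left.value, r = right.value;
        switch (node.op) {
          case "+": return { type: "lit", value: l + r };
          case "-": return { type: "lit", value: l - r };
          case "*": return { type: "lit", value: l * r };
          case "/": return { type: "lit", value: l / r };
        }
      }
      return { ...node, left, right };
    }
    case "member":
      return { ...node, object: foldExpr(node.object, env), property: foldExpr(node.property, env) };
    case "call":
      return { ...node, callee: foldExpr(node.callee, env), args: node.args.map((a) => foldExpr(a, env)) };
    default:
      throw new Error("unsupported node type: " + node.type);
  }
}

// Collect every identifier still referenced inside an expression tree.
function referencedNames(node, out = new Set()) {
  if (node.type === "var") out.add(node.name);
  for (const key of ["left", "right", "object", "property", "callee"]) {
    if (node[key]) referencedNames(node[key], out);
  }
  if (node.args) node.args.forEach((a) => referencedNames(a, out));
  return out;
}

function simplifyProgram(prog) {
  const env = new Map(); // name -> literal value known so far
  const body = prog.body.map((stmt) => {
    if (stmt.type === "decl") {
      const init = foldExpr(stmt.init, env);
      if (init.type === "lit") env.set(stmt.name, init.value); // remember for later references
      return { ...stmt, init };
    }
    return { ...stmt, expr: foldExpr(stmt.expr, env) };
  });
  // Dead-store removal: a declaration whose initializer is now a side-effect-free
  // literal and whose name nothing references any more can be dropped.
  const used = new Set();
  body.forEach((s) => referencedNames(s.type === "decl" ? s.init : s.expr, used));
  return {
    type: "prog",
    body: body.filter((s) => !(s.type === "decl" && s.init.type === "lit" && !used.has(s.name))),
  };
}

// Pretty-printer so the before/after can be compared as source text.
function toSource(node) {
  switch (node.type) {
    case "lit": return JSON.stringify(node.value);
    case "var": return node.name;
    case "bin": return `(${toSource(node.left)} ${node.op} ${toSource(node.right)})`;
    case "member": return `${toSource(node.object)}[${toSource(node.property)}]`;
    case "call": return `${toSource(node.callee)}(${node.args.map((a) => toSource(a)).join(", ")})`;
    case "decl": return `var ${node.name} = ${toSource(node.init)};`;
    case "expr": return `${toSource(node.expr)};`;
    case "prog": return node.body.map((s) => toSource(s)).join("\n");
    default: throw new Error("unsupported node type: " + node.type);
  }
}

// Constructed sample: "alert" split across variables, the argument hidden
// behind arithmetic, and a computed call through window.
const SPLIT_STRING_PROGRAM = {
  type: "prog",
  body: [
    { type: "decl", name: "a", init: { type: "lit", value: "al" } },
    { type: "decl", name: "b", init: { type: "lit", value: "e" } },
    { type: "decl", name: "c", init: { type: "bin", op: "+", left: { type: "var", name: "a" },
      right: { type: "bin", op: "+", left: { type: "var", name: "b" }, right: { type: "lit", value: "rt" } } } },
    { type: "decl", name: "n", init: { type: "bin", op: "-", left: { type: "lit", value: 3 }, right: { type: "lit", value: 2 } } },
    { type: "expr", expr: { type: "call",
      callee: { type: "member", object: { type: "var", name: "window" }, property: { type: "var", name: "c" } },
      args: [{ type: "var", name: "n" }] } },
  ],
};

// Returns the program before and after simplification as source text.
function demo() {
  return { before: toSource(SPLIT_STRING_PROGRAM), after: toSource(simplifyProgram(SPLIT_STRING_PROGRAM)) };
}
```

Running demo() turns five obfuscated lines into the single statement window["alert"](1); which is exactly why string splitting and arithmetic disguises score low on resilience: the transformations a compiler already performs undo them with no human effort.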
Dynamic Code Analysis for defeating obfuscation
• Analysis performed by executing the code
  – Retrieve information about the code while it runs
  – The resulting AST can be analysed using any method
• Can be done in step-by-step debugging
• How it can be used to defeat obfuscation
  – For the goal of understanding (one instance of) program execution
  – Not for the goal of retrieving the original source code (for code theft and reuse)
  – However, it can be used to gain knowledge about the code that can be used to remove code checks or to simplify it for higher maintainability
  – May help break license agreements (piracy)
Measuring Obfuscation: Obfuscation Stealthiness
• How hard is it to spot?
• Avoid telltale indicators
  – eval()
  – unescape()
  – Large blocks of meaningless text
• Example: Kolisar's whitespace obfuscation
• How to measure?
Measuring Obfuscation: Obfuscation Execution Cost
• Impact on performance
• Impact on loading times
• Impact on FPS
Measuring Obfuscation: Obfuscation & Maintainability
• 1/potency
• How easy is it to read after static code analysis?
• How segmented is the code?
• Higher maintainability => code theft and reuse
PART 2 – PRACTICAL EXAMPLES
Compression/Minification vs Obfuscation
A simple trick will do it
eval((function(....)));
document.write('<textarea>(function(...))</textarea>');
Reverse-engineered result
Non-alphanumeric Obfuscation
• Encoding method using strictly non-alphanumeric symbols
• Like other types of encoding (e.g. compression) it uses eval
• Example: alert(1)
How is that possible?
• Using type coercion and browser quirks
• We can obtain alphanumeric characters indirectly

+[]                  -> 0
+!+[]                -> 1
+!+[]+!+[]           -> 2        Easy to get any number
+"1"                 -> 1        Type coercion to number
""+1                 -> "1"      Type coercion to string

How to get letters?
+"a"                 -> NaN
+"a"+""              -> "NaN"
(+"a"+"")[0]         -> "N"

Ok, but now without alphanumerics:
(+"a"+"")[+[]]       -> "N"

How to get an "a"?
![]                  -> false
![]+""               -> "false"
(![]+"")[1]          -> "a"
(![]+"")[+!+[]]      -> "a"
(+(![]+"")[+!+[]]+"")[+[]] -> "N"

eval((![]+"")[1]+"lert(1)");
Wait... where's the eval?
• eval() is not the only way to eval()!
• You have 4 or 5 more methods
• Example: Array.constructor(alert(1))()
• []["sort"]["constructor"]("alert(1)")()
  – Dot notation
  – Strings!
Let me see that again!
Non-alphanumeric Obfuscation
• 100% potent
• 0% stealthy
• High execution cost
  – eval is slower
  – File is much larger => slower loading times
• Problem: does not work in all browsers
• What about resilience?
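The "0% stealthy" verdict follows directly from the telltale indicators listed on the stealthiness slide, plus the alternative eval routes shown two slides earlier. As an added example (not tooling from the talk or from AuditMark), the following scorer turns those indicators into a crude triage check for a script: it looks for eval()/unescape()/document.write() and for the Function constructor reached through .constructor or ["constructor"], measures how symbol-heavy the text is, and flags large whitespace-free blobs. The regular expressions, the thresholds and the three SAMPLES are this example's own assumptions; two of the samples are the snippets shown on the slides.

```javascript
// Added example: crude stealthiness scorer for a JavaScript source string.
// Patterns and thresholds are assumptions made for this example.

// Each indicator is a regular expression over the raw source text.
const INDICATORS = [
  { name: "eval()", re: /\beval\s*\(/ },
  { name: "unescape()", re: /\bunescape\s*\(/ },
  { name: "document.write()", re: /\bdocument\.write\s*\(/ },
  // Function constructor reached directly, via obj.constructor(...), or via
  // the []["sort"]["constructor"](...) route from the talk.
  { name: "Function constructor", re: /\bFunction\s*\(|\.constructor\s*\(|\[\s*["']constructor["']\s*\]\s*\(/ },
];

// Fraction of non-whitespace characters that are neither letters, digits, _ nor $.
// Ordinary code sits well below 0.5; fully non-alphanumeric code approaches 1.
function symbolRatio(src) {
  const chars = src.replace(/\s+/g, "");
  if (chars.length === 0) return 0;
  return chars.replace(/[A-Za-z0-9_$]/g, "").length / chars.length;
}

// Longest run without whitespace: a proxy for "large block of meaningless
// text", since packed or encoded payloads rarely contain spaces.
function longestToken(src) {
  return src.split(/\s+/).reduce((max, t) => Math.max(max, t.length), 0);
}

// Thresholds are assumptions for this example, not values from the talk.
const SYMBOL_RATIO_LIMIT = 0.5;
const TOKEN_LENGTH_LIMIT = 100;

function assess(src) {
  const indicators = INDICATORS.filter((i) => i.re.test(src)).map((i) => i.name);
  const ratio = symbolRatio(src);
  const longest = longestToken(src);
  let verdict = "plain";
  if (indicators.length > 0) {
    // A dynamic-eval sink together with a symbol-heavy or blob-like body is the
    // classic non-alphanumeric / packed shape; a sink on its own just needs a look.
    verdict = ratio > SYMBOL_RATIO_LIMIT || longest > TOKEN_LENGTH_LIMIT ? "obfuscation suspected" : "review";
  }
  return { indicators, symbolRatio: ratio, longestToken: longest, verdict };
}

// Constructed samples: ordinary code, the non-alphanumeric line from the
// talk, and the Function-constructor route from the talk.
const SAMPLES = {
  plain: "function add(a, b) { return a + b; }\nconsole.log(add(1, 2));",
  nonAlnum: 'eval( (![]+"")[1]+"lert(1)");',
  constructorRoute: '[]["sort"]["constructor"]("alert(1)")()',
};

// Assess every sample and return the reports keyed by sample name.
function assessAll() {
  const report = {};
  for (const [name, src] of Object.entries(SAMPLES)) report[name] = assess(src);
  return report;
}
```

Note that the constructor route only earns a "review" verdict: its symbol ratio is below the limit and it is short, which is the talk's point that the indicator list has to include the alternative eval routes, not just the eval keyword. For real traffic the thresholds would be tuned against a corpus of minified (not obfuscated) libraries, which are symbol-heavy but legitimate.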
Function outlining
• Creates new functions out of statements in the code
• Statements are randomly selected
• New functions are added to different scopes
• Functions are added to object literals to reduce the scope pollution
• Increases complexity by using multiple namespaces
• Function reordering is possible
Dead code insertion (with opaque predicates)
• Insert code to increase confusion
• It isn't executed
• Randomly injected (++potency)
• Increases complexity of control flow (++potency)
• Some places are avoided (e.g. loops)
• Dummy statements created out of own code (++stealth, ++potency)
• Opaque predicates
  – Not removable using static code analysis
  – Predicates injected are similar to ones found in the original source
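The slide says opaque predicates survive static analysis; the dynamic-analysis slide earlier explains why they still leak at run time. As an added example (not tooling from the talk or from AuditMark), the following branch profiler rewrites every if (cond) in a script into if (__probe(id, cond)), runs the script on a set of inputs, and reports any site whose then- or else-branch was never taken, which is how injected dead code shows up under execution. The string-rewriting instrumenter, the __probe name, the assumption that the sample exposes an entry function named target, and the SAMPLE_SOURCE with its opaque predicate are all this example's own.

```javascript
// Added example: lightweight dynamic analysis that counts, per `if` site, how
// often the condition was true and false across test runs. The instrumenter is
// a string rewriter, not a parser (assumption: conditions contain no strings or
// comments with unbalanced parentheses).

// Rewrite each `if (cond)` into `if (__probe(id, cond))`.
function instrumentIfs(src) {
  const re = /\bif\s*\(/g;
  let out = "";
  let pos = 0;
  let id = 0;
  let m;
  while ((m = re.exec(src)) !== null) {
    const open = m.index + m[0].length - 1; // index of the '(' opening the condition
    let depth = 0;
    let close = open;
    for (; close < src.length; close++) {
      if (src[close] === "(") depth++;
      else if (src[close] === ")" && --depth === 0) break;
    }
    out += src.slice(pos, open + 1) + `__probe(${id}, ` + src.slice(open + 1, close) + ")";
    pos = close; // the original ')' is copied by the next slice
    re.lastIndex = close;
    id++;
  }
  return { code: out + src.slice(pos), sites: id };
}

// Run `target` from the instrumented source on every input and report each
// site's true/false counts plus a dead-branch suspicion.
function profileBranches(src, inputs) {
  const { code, sites } = instrumentIfs(src);
  const hits = Array.from({ length: sites }, () => ({ taken: 0, skipped: 0 }));
  const probe = (id, cond) => {
    if (cond) hits[id].taken++; else hits[id].skipped++;
    return cond; // preserve the original truth value
  };
  // new Function executes the sample in-process: fine for code you control;
  // real samples belong in an isolated VM or a debugger session.
  const target = new Function("__probe", code + "\nreturn target;")(probe);
  for (const input of inputs) target(input);
  return hits.map((h, site) => ({
    site,
    ...h,
    suspect: h.skipped === 0 ? "else-branch never taken" : h.taken === 0 ? "then-branch never taken" : null,
  }));
}

// Constructed sample: site 0 is guarded by an opaque predicate (n*n + n is
// always even, so the else branch is dead code built from the program's own
// statements); site 1 is an ordinary data-dependent branch.
const SAMPLE_SOURCE = `
function target(n) {
  var out = 0;
  if ((n * n + n) % 2 === 0) {
    out = n * 2;
  } else {
    out = n * 3;
  }
  if (n > 10) {
    out = out + 1;
  }
  return out;
}`;

const SAMPLE_INPUTS = [1, 2, 3, 7, 12, -4];

// Profile the constructed sample over the constructed inputs.
function demo() {
  return profileBranches(SAMPLE_SOURCE, SAMPLE_INPUTS);
}
```

Across the six inputs site 0 records six "taken" and zero "skipped", so its else-branch is flagged, while site 1 splits 1/5 and is left alone. The report is evidence, not proof: a branch that is never taken for the inputs tried may still be live for others, which is why the dynamic-analysis slide scopes the result to "one instance of program execution".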
JavaScript Obfuscation
• It can really help prevent code theft and reuse
• Buys you time
• You can always try to make a request to the server side and process it there, but sometimes that is not feasible
  – Widgets
  – Mobile apps
  – Standalone, offline-playable games
  – Windows 8 apps made with WinJS
• Prefer transformations with negligible execution cost
• Prefer transformations with high resilience
• Sometimes it is a trial-and-error experience
• Code execution control is a great ally
Contact Information
Pedro Fortuna, Owner & Co-Founder & [email protected], Phone: +351 917331552
Porto - Headquarters: Edifício Central da UPTEC, Rua Alfredo Allen, 455, 4200-135 Porto, Portugal
Lisbon office: Startup Lisboa, Rua da Prata, 121 5A, 1100-415 Lisbon, Portugal