Protecting Java Code Via Code Obfuscation

Abstract

The language Java was designed to be compiled into a platform independent bytecode format. Much of the information contained in the source code remains in the bytecode, thus decompilation is easy. We will examine how code obfuscation can help protect Java bytecodes.

Introduction

Traditionally it has been difficult to reverse engineer [13] applications because they are large, monolithic and distributed as "stripped" object code. Stripping object code of its symbol table removes information like variable names and obscures references to library routines. For example, a call to the C language library routine printf in the source code might appear in the stripped object code as a procedure call to the memory address 35720.

Since the advent of Java [7], the threat of reverse engineering has been taken seriously. The language was designed to be compiled into a platform independent bytecode format. Being portable, there is little control over the distribution of the bytecodes. Also, much of the information contained in the source code remains in the bytecode, facilitating decompilation [17, 19]. The threat of reverse engineering is thus intensified.

Protection Techniques

One possible way to prevent reverse engineering of source code is to not allow physical access to the program. Instead, users communicate with the program via an interface with a limited number of services. This is the client-server model [14]. Unfortunately, this imposes performance penalties due to limitations on network bandwidth and latency. A partial solution is to keep the parts of the program that need to be hidden on the server and have the user's machine run the rest locally.

Encryption of code is another possibility. However, unless the entire encryption/decryption process takes place in hardware, it is possible for the user to intercept and decrypt the code [8, 18]. Unfortunately, specialised hardware tends to limit the portability of programs.

Transmitting programs in a form less vulnerable to decompilation might seem like a good idea. Native object codes can be supplied instead of Java bytecodes. The task of decompilation is made more difficult, although not impossible [4]. However native object codes are not subject to bytecode verification, which gives Java a measure of protection against malicious programs such as viruses [3]. Digital signatures [15], verifying that the native code is actually from a trusted source and has not been tampered with, can help to alleviate this problem. The downside is that different versions of the program are required for different architectures. This means that the software maintenance effort is increased. With Java, only one version is required, since it is executed by a virtual machine.

If we cannot make reverse engineering impossible, we can at least make the task costly in terms of time and effort. Code obfuscations transform a program so that it is more difficult to understand, yet is functionally identical to the original [5, 6]. The program must still produce the same results, although it may execute slower or have additional side effects, due to added code. There is a trade-off between the security provided by code obfuscation and the execution time-space penalty imposed on the transformed program.

Code Obfuscations

The current work on Java obfuscation has been in the form of freeware, shareware and commercial programs, rather than academic publications. Some of the code obfuscations discussed below are based on traditional compiler optimisations. Examples include array and loop reordering, and procedure inlining [2].

We classify code obfuscations according to what kind of information they target and how they affect their target.

Layout Obfuscations

Information that is unnecessary to the execution of the program, such as identifier names and comments, is altered. There are many utilities (such as [10, 16]) which will change the identifers in a program to less meaningful ones. Identifier scrambling is a common obfuscation that has been applied to other languages. The C Shroud system [9], a source code obfuscator available for the C language, is an example of such a tool.

Data Obfuscations

These affect the data structures used by a program.

Data storage obfuscations affect how data is stored in memory. For example converting a local variable can be converted into a global one. Data encoding obfuscations affect how the stored data is interpreted. For example, replacing an integer variable i by 8 * i + 3. We can see the effect below:

Before		After
int i = 1; while (i < 1000) { ... A[i] ...; i ++; }		int i=11; while (i < 8003) { ... A[(i-3)/8] ...; i += 8; }

Data aggregation obfuscations alter how data is grouped together. For example, a two-dimensional array can be converted into a one-dimensional array and vice-versa. Data ordering obfuscations change how data is ordered. For example, an array used to store a list of integers usually has the ith element in the list at position i in the array. Instead, we could use a function f(i) to determine the position of the ith element in the list.

Control Obfuscations

The idea here is to disguise the real control flow in a program.

Control aggregation obfuscations change the way in which program statements are grouped together. For example, it is possible to inline procedures. That is, replacing a procedure call with the statements from the called procedure itself.

Control ordering obfuscations alter the order in which statements are executed. For example, loops can be made to iterate backwards instead of forwards.

Control computation obfuscations affect the control flow in a program. These can be divided up further:

• "Smoke and mirrors" obfuscations hide the real control flow behind irrelevant statements. For example, code that will never be executed can be inserted (dead code).
• High-level language breaking obfuscations introduce features at the object code level that have no direct source code equivalent. Java has no goto statement, thus cannot represent non-reducible control flow graphs [1]. However there is a Java bytecode goto instruction, so Java bytecodes can represent non-reducible control flow graphs. For example, inserting a jump into the middle of a while-loop creates a non-reducible control flow graph that cannot be transformed back into a standard while-loop without difficulty.
• Control flow abstraction is essentially the inverse of the task that a compiler performs. An example of altering control flow abstraction would be to find a sequence of low-level instructions that are equivalent to a while-loop and then add redundant termination conditions to the loop. The loops both terminate when i equals 1000. i is not divisible by 1000 for all values that i takes on in the loop, namely for 1 <= i < 1000.

  Before		After
  int i = 1; while (i < 1000) { ... i ++; }		int i = 1; while ((i < 1000) || (i % 1000 == 0)) { ... i ++; }

Preventative Transformations

These attempt to stop decompilers from operating, by exploiting their weaknesses. HoseMocha [11] is a utility which appends extra instructions after a return instruction. The execution of the program is unaffected but the obfuscation causes the Java decompiler Mocha [17] to crash.

Conclusion

The task of making reverse engineering difficult is not easy. Client-server models of protection, while providing the best security, suffer from limitations on the network. Encryption requires the use of specialised hardware, which limits the portability of programs. Using native object codes makes reverse engineering harder but increases the software support effort. Also, digital signatures are required to prevent tampering. Code obfuscation, while not providing absolute security, is portable, does not require specialised hardware and is transparent to the Java bytecode verifier. However, it does impose an execution time-space penalty on the program being protected.

Code obfuscation is a fruitful area for further research. There are many issues and implications remaining that need to be resolved, both theoretical and practical [5].

Acknowledgements

My Masters Thesis research into Java obfuscation has been performed jointly with my supervisors Dr. Christian Collberg and Professor Clark Thomborson.

Glossary

Reverse engineering
The process by which information about a program is obtained. This includes obtaining source code from compiled programs.

Native object codes
Binary files designed to execute directly on a specific computer platform.

References

1

Alfred V. Aho, Ravi Sethi and Jeffrey D. Ullman. Compilers, Principles, Techniques, and Tools, chapter Code Optimization, pp 606-608. Addison-Wesley, 1986. ISBN 0-201-10088-6.

2

David F. Bacon, Susan L. Graham and Oliver J. Sharp. Compiler transformations for high-performance computing. ACM Computing Surveys, vol. 26, no. 4, pp 345 - 420, December 1994. http://www.acm.org/pubs/toc/Abstracts/0360-0300/197406.html.

3

Joseph A. Bank. Java Security. http://swissnet.ai.mit.edu/~jbank/javapaper/javapaper.html, December 1995.

4

Cristina Cifuentes and K. John Gough. Decompilation of binary programs. Software - Practice and Experience, vol. 25, no. 7, pp 811-829, July 1995.

5

Christian Collberg, Clark Thomborson and Douglas Low. A taxonomy of obfuscating transformations. Technical Report 148, Department of Computer Science, University of Auckland, New Zealand, July 1997. http://www.cs.auckland.ac.nz/~collberg/Research/Publications/CollbergThomborsonLow97a/index.html.

6

Christian Collberg, Clark Thomborson and Douglas Low. Manufacturing cheap, resilient, and stealthy opaque constructs. Department of Computer Science, University of Auckland, New Zealand, July 1997. http://www.cs.auckland.ac.nz/~collberg/Research/Publications/CollbergThomborsonLow98a/index.html. To appear in ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'98).

7

James Gosling, Bill Joy and Guy Steele. The Java Language Specification. Addison-Wesley, 1996. ISBN 0-201-63451-1.

8

Amir Herzberg and Shlomit S. Pinter. Public protection of software. ACM Transactions on Computer Systems, vol. 5, no. 4, pp 371-393, November 1987.

9

Rex Jaeschke. Encrypting C source for distribution. Journal of C Language Translation, vol. 2, no. 1, 1990. http://jclt.iecc.com

10

Eron Jokipii. Jobe - The Java obfuscator. http://www.primenet.com/~ej/index.html, 1996.

11

Mark D. LaDue. HoseMocha. http://www.oasis.leo.org/java/development/bytecode/obfuscators/HoseMocha.dsc.html, January 1997.

12

Tim Lindholm and Frank Yellin. The Java Virtual Machine Specification. http://java.sun.com:80/docs/books/vmspec/html/VMSpecTOC.doc.html, September 1996.

13

John J. Marciniak, editor. Encyclopedia of Software Engineering, chapter Reverse Engineering, pp 1077-1084. John Wiley & Sons, Inc, 1994. ISBN 0-471-54004-8.

14

Sape Mullender, editor. Distributed Systems. Addison-Wesley, 2nd edition, 1993. ISBN 0-201-6246-3.

15

R. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM. February 1978. pp 120-126.

16

Hans Peter van Vliet. Crema - The Java obfuscator. http://www.ph-erfurt.de/information/java/dev/misc/Crema/index.html, January 1996.

17

Hans Peter van Vliet. Mocha - The Java decompiler. http://wkweb4.cableinet.co.uk/jinja/mocha.html, January 1996.

18

Uwe G. Wilhelm. Cryptographically protected objects. http://lsewww.epfl.ch/~wilhelm/CryPO.html, May 1997. A french version appeared in the Proceedings of RenPar'9, Lausanne.

19

WingSoft Company. JavaDis - The Java Decompiler. http://www.wingsoft.com/wingdis.shtml, March 1997.

Douglas Low is currently a graduate student at the University of Auckland, New Zealand, working on the application of code obfuscation to Java. His research interests include compiler implementation, computational combinatorics and constraint satisfaction (AI). Electronic versions of papers that he has co-authored can be found at http://www.cs.auckland.ac.nz/~collberg/Research/Students/DouglasLow/index.html.