Paolo Falcarin scite author profile

Context: code obfuscation is intended to obstruct code understanding and, eventually, to delay malicious code changes and ultimately render it uneconomical. Although code understanding cannot be completely impeded, code obfuscation makes it more laborious and troublesome, so as to discourage or retard code tampering. Despite the extensive adoption of obfuscation, its assessment has been addressed indirectly either by using internal metrics or taking the point of view of code analysis, e.g., considering the associated computational complexity. To the best of our knowledge, there is no publicly available user study that measures the cost of understanding obfuscated code from the point of view of a human attacker. Aim: this paper experimentally assesses the impact of code obfuscation on the capability of human subjects to understand and change source code. In particular, it considers code protected with two well-known code obfuscation techniques, i.e., identifier renaming and opaque predicates. Method: We have conducted a family of five controlled experiments, involving undergraduate and graduate students from four Universities. During the experiments, subjects had to perform comprehension or attack tasks on decompiled clients of two Java network-based ap- plications, either obfuscated using one of the two technique, or not. To assess and compare the obfuscation techniques, we measured the correctness and the efficiency of the performed task. Results: -at least for the tasks we considered-simpler techniques (i.e., identifier renaming) prove to be more effective than more complex ones (i.e., opaque predicates) in impeding subjects to complete attack tasks.

show abstract

The effectiveness of source code obfuscation: An experimental assessment

Ceccato

Penta

Nagra

et al. 2009

View full text Add to dashboard Cite

show abstract

How Professional Hackers Understand Protected Code while Performing Attack Tasks

Ceccato

Tonella

Basile

et al. 2017

View full text Add to dashboard Cite

Code protections aim at blocking (or at least delaying) reverse engineering and tampering attacks to critical assets within programs. Knowing the way hackers understand protected code and perform attacks is important to achieve a stronger protection of the software assets, based on realistic assumptions about the hackers' behaviour. However, building such knowledge is difficult because hackers can hardly be involved in controlled experiments and empirical studies.The FP7 European project Aspire has given the authors of this paper the unique opportunity to have access to the professional penetration testers employed by the three industrial partners. In particular, we have been able to perform a qualitative analysis of three reports of professional penetration test performed on protected industrial code.Our qualitative analysis of the reports consists of open coding, carried out by 7 annotators and resulting in 459 annotations, followed by concept extraction and model inference. We identified the main activities: understanding, building attack, choosing and customizing tools, and working around or defeating protections. We built a model of how such activities take place. We used such models to identify a set of research directions for the creation of stronger code protections.2 https://aspire-fp7.eu

show abstract

Synthesizing Service Composition Models on the Basis of Temporal Business Rules

Han

et al. 2008

J. Comput. Sci. Technol.

View full text Add to dashboard Cite

Transformational approaches to generating design and implementation models from requirements can bring effectiveness and quality to software development. In this paper we present a framework and associated techniques to generate the process model of a service composition from a set of temporal business rules. Dedicated techniques including pathfinding, branching structure identification and parallel structure identification are used for semi-automatically synthesizing the process model from the semantics-equivalent Finite State Automata of the rules. These process models naturally satisfy the prescribed behavioral constraints of the rules. With the domain knowledge encoded in the temporal business rules, an executable service composition program, e.g., a BPEL program, can be further generated from the process models. A running example in the e-business domain is used for illustrating our approach throughout this paper.

show abstract

Understanding the behaviour of hackers while performing attack tasks in a professional setting and in a public challenge

et al. 2018

View full text Add to dashboard Cite

When critical assets or functionalities are included in a piece of software accessible to the end users, code protections are used to hinder or delay the extraction or manipulation of such critical assets. The process and strategy followed by hackers to understand and tamper with protected software might differ from program understanding for benign purposes. Knowledge of the actual hacker behaviours while performing real attack tasks can inform better ways to protect the software and can provide more realistic assumptions to the developers, evaluators, and users of software protections.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Paolo Falcarin

A family of experiments to assess the effectiveness and efficiency of source code obfuscation techniques

The effectiveness of source code obfuscation: An experimental assessment

How Professional Hackers Understand Protected Code while Performing Attack Tasks

Synthesizing Service Composition Models on the Basis of Temporal Business Rules

Understanding the behaviour of hackers while performing attack tasks in a professional setting and in a public challenge

Contact Info

Product

Resources

About