JavaScript Obfuscation Facts and Fiction Pedro Fortuna, Co-Founder and CTO AuditMark.

Presentation transcript:

JavaScript Obfuscation Facts and Fiction Pedro Fortuna, Co-Founder and CTO AuditMark

2 Agenda
Obfuscation concepts
Practical Examples

3 Part 1 – Source Code Obfuscation

4 Source Code Obfuscation
Lowers the code quality in terms of readability and maintainability
Goal: delay program understanding, hopefully to the point where the time needed for an expert professional to reverse it clearly exceeds the useful lifetime of the program.
Different from Code Encryption
Source Code Obfuscation != Code Obfuscation

5 Example Source

6 Obfuscated #1

7 Obfuscated #2

8 What is it good for?
Good
– Protect Intellectual Property (algorithms, data)
– Prevent code theft and reuse
– Enforce license agreements
– Test the strength of security controls (IDS/IPS/WAFs/web filters)
Evil
– Test the strength of security controls (IDS/IPS/WAFs/web filters)
– Hide malicious code
– Make it look like harmless code

9 Measuring Obfuscation
Potency
Resilience
Stealthiness
Execution Cost
Maintainability

10 Measuring Obfuscation: Obfuscation Potency
Generate confusion

11 Measuring Obfuscation: Obfuscation Resilience
Resistance to deobfuscation techniques, be it manual or automatic
Rename all + whitespace removal
String splitting

12 Static Code Analysis for defeating obfuscation
1. Parses the code
2. Transforms it to fulfill a purpose
– Usually to make it simpler => better performance
– Simpler also fulfills the reverse-engineering purpose
A compiler is a static code analyser
Things it can do
– Constant folding, constant propagation
– Remove (some) dead code
Automatic!
Next: an example
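Constant folding applied to the "string splitting" transformation named on slide 11, as an added example that is not part of the talk. The helper names (`foldStringConcats`, `body`, `SAFE_BEFORE`, `SAFE_AFTER`) and both sample inputs are assumptions; the scanner expects input without comments, regex literals or template literals.

```javascript
// Added example (not from the talk): constant folding of split string literals.
// Works on source text only; the samples are never executed.
const LIT = String.raw`(?:"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*')`;
const RUN = new RegExp(`${LIT}(?:\\s*\\+\\s*${LIT})*`, "g");
const ONE = new RegExp(LIT, "g");

// Folding is only sound when no tighter-binding operator touches the run.
// A leading "+" is excluded because it may be unary: +"a"+"" is "NaN", not "a".
const SAFE_BEFORE = "([,=:;{}?";
const SAFE_AFTER = ")],;:}+";

// Return a literal's body, re-escaped for a double-quoted result.
function body(lit) {
  const inner = lit.slice(1, -1);
  if (lit[0] === '"') return inner;
  return inner.replace(/\\.|"/g, (m) => (m === "\\'" ? "'" : m === '"' ? '\\"' : m));
}

function foldStringConcats(src) {
  return src.replace(RUN, (run, offset) => {
    const parts = run.match(ONE);
    if (parts.length < 2) return run; // a lone literal, nothing to fold
    // "" (start or end of input) passes includes() and counts as a safe boundary.
    const before = src.slice(0, offset).trimEnd().slice(-1);
    const after = src.slice(offset + run.length).trimStart().slice(0, 1);
    if (!SAFE_BEFORE.includes(before) || !SAFE_AFTER.includes(after)) return run;
    return '"' + parts.map(body).join("") + '"';
  });
}

// Constructed samples: a split-string call, and a coercion expression that
// must stay untouched because folding it would change its value.
const SPLIT = `[]["so" + "rt"]["const" + "ructor"]("al" + 'ert' + "(1)")()`;
const COERCED = `var n = +"a" + "";`;

console.log(foldStringConcats(SPLIT));
console.log(foldStringConcats(COERCED));
```

String splitting alone has low resilience: a few dozen lines of static analysis restore the literals, while the boundary checks keep the coercion expression from being rewritten incorrectly.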

13

14 Dynamic Code Analysis for defeating obfuscation
Analysis performed by executing the code
– Retrieve information of the code while running
– Resulting AST can be analysed using any method
Can be done in step by step debugging
How it can be used to defeat obfuscation
– For the goal of understanding (one instance of) program execution
– Not for the goal of retrieving the original source code (for code theft and reuse)
– However it can be used to gain knowledge about the code that can be used to remove code checks or to simplify it for higher maintainability
– May help breaking license agreements (piracy)

15 Measuring Obfuscation: Obfuscation Stealthiness
How hard is it to spot?
Avoid telltale indicators
– eval()
– unescape()
– Large blocks of meaningless text
Example: Kolisar's whitespace obfuscation
How to measure?

16 Measuring Obfuscation: Obfuscation Execution Cost
Impact on performance
Impact on loading times
Impact on FPS

17 Measuring Obfuscation: Obfuscation & Maintainability
1/potency
How easy to read after static code analysis?
How segmented is the code?
Higher maintainability => code theft and reuse

18 Part 2 – Practical Examples

19 Compression/Minification vs Obfuscation

20 Compression/Minification vs Obfuscation

21 A simple trick will do it
eval( (function(....)) );
document.write(' (function(...)) ');

22 Reverse-engineered result

23 Non alphanumeric Obfuscation
Encoding method using strictly non-alphanumeric symbols
Like other types of encoding (e.g. Compression) it uses eval
Example: alert(1)

24 Using type coercion and browser quirks, we can obtain alphanumeric characters indirectly
How is that possible?
+[] -> 0
+!+[] -> 1
+!+[]+!+[] -> 2
Easy to get any number
+"1" -> 1 (type coercion to number)
""+1 = "1" (type coercion to string)
How to get letters?
+"a" -> NaN
+"a"+"" -> "NaN"
(+"a"+"")[0] -> "N"
Ok, but now without alphanumerics:
(+"a"+"")[+[]] -> "N"
How to get an "a"?
![] -> false
![]+"" -> "false"
(![]+"")[1] -> "a"
(![]+"")[+!+[]]
(+(![]+"")[+!+[]]+"")[+[]] -> "N"
eval( (![]+"")[1]+"lert(1)");

25

26 Wait... where's the eval?
eval() is not the only way to eval()!
You have 4 or 5 more methods
Example:
Array.constructor(alert(1))()
[]["sort"]["constructor"]("alert(1)")()
– Dot notation
– Strings!

27 Let me see that again!

28 Non alphanumeric Obfuscation
100% potent
0% stealthy
High execution cost
– eval is slower
– File is much larger => slower loading times
Does not work in all browsers
Problem: What about resilience?
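A scanner for the telltale indicators from slide 15 plus the constructor trick and symbol-only encoding from slides 23 to 28, as an added example that is not part of the talk. Rule ids, thresholds and all sample inputs are assumptions chosen for illustration.

```javascript
// Added example (not from the talk): flag the telltale indicators the slides list.
// Rule ids and thresholds are assumptions; tune them against real traffic.
const RULES = [
  { id: "eval-call", re: /\beval\s*\(/ },
  { id: "unescape-call", re: /\bunescape\s*\(/ },
  // Function reached through .constructor, in dot or bracket-string notation.
  { id: "constructor-call", re: /(?:\.\s*constructor|\[\s*["']constructor["']\s*\])\s*\(/ },
  // "Large blocks of meaningless text": one string literal of 200+ characters.
  { id: "long-literal", re: /(["'])(?:(?!\1)[^\\\n]|\\.){200,}\1/ },
];
const MIN_LEN = 20;       // ignore snippets too short to judge
const SYMBOL_RATIO = 0.9; // share of []()!+ among non-whitespace characters

// Fraction of the script made up of the six symbols used by symbol-only encoders.
function symbolRatio(src) {
  const dense = src.replace(/\s+/g, "");
  if (dense.length < MIN_LEN) return 0;
  return (dense.match(/[\[\]()!+]/g) || []).length / dense.length;
}

// Return the ids of every indicator present in the script text.
function stealthIndicators(src) {
  const hits = RULES.filter((r) => r.re.test(src)).map((r) => r.id);
  if (symbolRatio(src) >= SYMBOL_RATIO) hits.push("non-alphanumeric");
  return hits;
}

// Constructed samples; none of them is executed.
const SAMPLES = {
  plain: "function add(a, b) { return a + b; }",
  packed: 'eval(unescape("%61%6c%65%72%74%28%31%29"))',
  ctor: '[]["sort"]["constructor"]("alert(1)")()',
  symbols: "(![]+[])[+!+[]]+(![]+[])[+!+[]+!+[]]",
  blob: 'var p = "' + "A1".repeat(150) + '";',
};
for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, stealthIndicators(src));
}
```

The rules match literal text only, so a name assembled from split strings passes unnoticed unless the source is normalized first, and `.constructor(` also appears in legitimate code.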

29 Function outlining
Creates new functions out of statements in the code
Statements are randomly selected
New functions are added to different scopes
Functions are added to object literals to reduce the scope pollution
Increases complexity by using multiple namespaces
Function reordering is possible

30 Function outlining
Creates new functions out of statements in the code
Statements are randomly selected

31 Function outlining
New functions are added to different scopes
Functions are added to object literals to reduce the scope pollution
Increases complexity by using multiple namespaces
Function reordering is possible

32 Dead code insertion (with opaque predicates)
Insert code to increase confusion
It isn't executed

33 Dead code insertion

34 Dead code insertion (with opaque predicates)
Randomly injected (++potency)
Increase complexity of control flow (++potency)
Some places are avoided (e.g. loops)
Dummy statements created out of own code (++stealth, ++potency)
Opaque predicates
– Not removable using Static Code Analysis
– Predicates injected are similar to ones found in the original source

35 JavaScript Obfuscation
It can really help prevent code theft and reuse
Buys you time
You can always try to make a request to the server side and process it there, but sometimes that is not feasible
– Widgets
– Mobile Apps
– Standalone, offline-playable games
– Windows 8 Apps made with WinJS
Prefer transformations with negligible execution cost
Prefer transformations with high resilience
Sometimes it is a trial and error experience
Code execution control is a great ally

Contact Information Pedro Fortuna Owner & Co-Founder & CTO Phone: Porto - Headquarters Edifício Central da UPTEC Rua Alfredo Allen, Porto, Portugal Lisbon office Startup Lisboa Rua da prata, 121 5A Lisbon, Portugal