Presentation is loading. Please wait.

Presentation is loading. Please wait.

JavaScript Obfuscation Facts and Fiction Pedro Fortuna, Co-Founder and CTO AuditMark.

Published byReagan Emmerson Modified over 9 years ago

Similar presentations

Presentation on theme: "JavaScript Obfuscation Facts and Fiction Pedro Fortuna, Co-Founder and CTO AuditMark."— Presentation transcript:

1 JavaScript Obfuscation Facts and Fiction Pedro Fortuna, Co-Founder and CTO AuditMark

2 2 Agenda Obfuscation concepts Practical Examples

3 3 P ART 1 – O VERVIEW P ART 2 – T IZEN 2. X S UPPORT P ART 3 – T IZEN 2. X C OMPLIANCE AND B ENCHMARK P ART 4 - A DDITIONAL I NFORMATION S OURCE CODE O BFUSCATION P ART 1 P ART 1 – S OURCE C ODE OBFUSCATION

4 4 Lowers the code quality in terms of readability and maintainability Goall: delay program understanding, hopefully to the point where the time needed for an expert professional to reverse it, clearly exceeds the useful lifetime of the program. Different from Code Encryption Source Code Obfuscation != Code Obfuscation Source Code Obfuscation

5 5 Example Source

6 6 Obfuscated #1

7 7 Obfuscated #2

8 What is it good for? Good Protect Intellectual Property (algorithms, data) Prevent code theft and reuse Enforce license agreements Test the strength of security controls (IDS/IPS/WAFs/web filters) Evil Test the strength of security controls (IDS/IPS/WAFs/web filters) Hide malicious code Make it look like harmless code

9 9 Potency Resilience Stealthiness Execution Cost Maintainability Measuring Obfuscation

10 10 Generate confusion Obfuscation Potency Measuring Obfuscation

11 11 Resistance to deobfuscation techniques, be it manual or automatic Obfuscation Resilience Measuring Obfuscation Rename all + whitespace removal String splitting

12 12 1. Parses the code 2. Transforms it to fullfill a purpose – Usually to make it simpler => better performance – Simpler also fullfills reverse-engineering purpose A compiler is a static code analyser Things it can do – Constant folding, constant propagation – Remove (some) dead code Automatic! Next: an example Static Code Analysis for defeating obfuscation

13 13

14 14 Analysis performed by executing the code – Retrieve information of the code while running – Resulting AST can be analysed using any method Can be done in step by step debugging How it can be used to defeat obfuscation – For the goal of understanding (one instance of) program execution – Not for the goal of retrieving the original source code (for code theft and reuse) – However it can be used to gain knowledge about the code that can be used to remove code checks or to simplify it for higher maintainability – May help breaking license agreements (piracy) Dynamic Code Analysis for defeating obfuscation

15 15 How hard is to spot? Avoid telltale indicators – eval() – unescape() – Large blocks of meaningless text Example: Kolisar’s whitespace obfuscation How to measure? Obfuscation Stealthiness Measuring Obfuscation

16 16 Impact on performance Impact on loading times Impact on FPS Obfuscation Execution Cost Measuring Obfuscation

17 17 1/potency How easy to read after static code analysis ? How segmented is the code ? Higher maintainability => code theft and reuse Obfuscation & Maintainability Measuring Obfuscation

18 18 P ART 1 – O VERVIEW P ART 2 – T IZEN 2. X S UPPORT P ART 3 – T IZEN 2. X C OMPLIANCE AND B ENCHMARK P ART 4 - A DDITIONAL I NFORMATION PRACTICAL EXAMPLES P ART 2 P ART 2 – P RACTICAL E XAMPLES

19 19 Compression/Minification vs Obfuscation

20 20 Compression/Minification vs Obfuscation

21 21 eval( (function(....)) ); document.write(‘ (function(...)) ’); A simple trick will do it

22 22 Reverse-engineered result

23 23 Encoding method using strictly non-alphanumeric symbols Like other types of encoding (e.g. Compression) it uses eval Example: alert(1) Non alphanumeric Obfuscation

24 24 Using type cohersion and browser quirks We can obtain alphanumeric characters indirectly How is that possible ? +[] -> 0 +!+[] -> 1 +!+[]+!+[] -> 2 Easy to get any number +”1” -> 1 Type cohersion to number “”+1 = “1” Type cohersion to string How to get letters? +”a” -> NaN +”a”+”” -> “NaN” (+”a”+””)[0] -> “N” Ok, but now without alphanumerics: (+”a”+””)[+[]] -> “N” How to get an “a” ? ![] -> false ![]+“” -> “false” (![]+””)[1] -> “a” (![]+””)[+!+[]] (+(![]+"")[+!+[]]+””)[+[]] -> “N” eval( (![]+"")[1]+"lert(1)");

25 25

26 26 eval() is not the only way to eval() ! You have 4 or 5 methods more Example: Array.constructor(alert(1))() []["sort"]["constructor"]("alert(1)")() – Dot notation – Strings ! Wait... where’s the eval ?

27 27 Let me see that again!

28 28 100% potent 0% stealthy High execution cost – eval is slower – File is much larger => slower loading times Does not work in all browsersProblema: What about resilience ? Non alphanumeric Obfuscation

29 29 Creates new functions out of statements in the code Statements are randomly selected New functions are added to different scopes Functions are added to object literals to reduce the scope pollution Increases complexity by using multiple namespaces Function reordering is possible Function outlining

30 30 Creates new functions out of statements in the code Statements are randomly selected Function outlining

31 31 Function outlining New functions are added to different scopes Functions are added to object literals to reduce the scope pollution Increases complexity by using multiple namespaces Function reordering is possible

32 32 Insert code to increase confusion It isn’t executed Deadcode insertion (with predicate Opaques)

33 33 Deadcode insertion

34 34 Randomly injected (++potency) Increase complexity of control flow (++potency) Some places are avoided (e.g. loops) Dummy statements created out of own code (++stealth, ++potency) Opaque predicates – Not removable using Static Code Analysis – Predicates injected are similar to ones found in the original source Deadcode insertion (with predicate Opaques)

35 35 It can really help prevent code theft and reuse Buys you time You can always try to make a request to the server side and process it there, but sometimes that is not feasiable – Widgets – Mobile Apps – Standalone, offline-playable games – Windows 8 Apps made with WinJS Prefer transformations with negligible execution cost Prefer transformations with high resilience Sometimes it is a trial and error experience Code execution control is a great allied JavaScript Obfuscation

36 Contact Information Pedro Fortuna Owner & Co-Founder & CTO pedro.fortuna@auditmark.com Phone: +351 917331552 Porto - Headquarters Edifício Central da UPTEC Rua Alfredo Allen, 455 4200-135 Porto, Portugal Lisbon office Startup Lisboa Rua da prata, 121 5A 1100-415 Lisbon, Portugal

Download ppt "JavaScript Obfuscation Facts and Fiction Pedro Fortuna, Co-Founder and CTO AuditMark."

Similar presentations

Introducing JavaScript

Introducing JavaScript
Saumya Debray The University of Arizona Tucson, AZ 85721.

Saumya Debray The University of Arizona Tucson, AZ
School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.

School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.
Protecting the code of Web Applications

Protecting the code of Web Applications
Preventing Reverse Engineering by Obfuscating Bharath Kumar.

Preventing Reverse Engineering by Obfuscating Bharath Kumar.
Códigos y Criptografía Francisco Rodríguez Henríquez Software Security Through Code Obfuscation.

Códigos y Criptografía Francisco Rodríguez Henríquez Software Security Through Code Obfuscation.
.NET IL Obfuscation Presented by: Sarath Chandra Dorbala.

.NET IL Obfuscation Presented by: Sarath Chandra Dorbala.
Software-based Code Attestation for Wireless Sensors.

Software-based Code Attestation for Wireless Sensors.
Binary Obfuscation Using Signals Igor V. Popov ( University of Arizona)‏ Saumya K. Debray (University of Arizona)‏ Gregory R. Andrews (University of Arizona)

Binary Obfuscation Using Signals Igor V. Popov ( University of Arizona)‏ Saumya K. Debray (University of Arizona)‏ Gregory R. Andrews (University of Arizona)
Name: Hao Yuan Supervisor: Len Hamey ITEC810 ProjectTransformations for Obfuscating Object-Oriented Programs1.

Name: Hao Yuan Supervisor: Len Hamey ITEC810 ProjectTransformations for Obfuscating Object-Oriented Programs1.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Working with JavaScript. 2 Objectives Introducing JavaScript Inserting JavaScript into a Web Page File Writing Output to the Web Page Working with Variables.

Working with JavaScript. 2 Objectives Introducing JavaScript Inserting JavaScript into a Web Page File Writing Output to the Web Page Working with Variables.
Data Flow Analysis 1 15-411 Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.

Data Flow Analysis Compiler Design October 5, 2004 These slides live on the Web. I obtained them from Jeff Foster and he said that he obtained.
Obfuscation techniques in Java Therese Berge Jonas Ringedal.

Obfuscation techniques in Java Therese Berge Jonas Ringedal.
CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.

CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.
2  Problem Definition  Project Purpose – Building Obfuscator  Obfuscation Quality  Obfuscation Using Opaque Predicates  Future Planning.

2  Problem Definition  Project Purpose – Building Obfuscator  Obfuscation Quality  Obfuscation Using Opaque Predicates  Future Planning.
Course Textbook: Build Your Own ASP.Net Website: Chapter 2

Course Textbook: Build Your Own ASP.Net Website: Chapter 2
Breaking Abstractions and Unstructuring Data Structures Christian Collberg Clark Thomborson Douglas Low “Mobile programs are distributed in forms that.

Breaking Abstractions and Unstructuring Data Structures Christian Collberg Clark Thomborson Douglas Low “Mobile programs are distributed in forms that.
Cryptography Week-6.

Cryptography Week-6.
+ Java vs. Javascript Jessi Style. + Java Compiled Can stand on its own Written once, run anywhere Two-stage debugging Java is an Object Oriented Programming.

+ Java vs. Javascript Jessi Style. + Java Compiled Can stand on its own Written once, run anywhere Two-stage debugging Java is an Object Oriented Programming.

Similar presentations

Ads by Google