The problem with software obfuscation is that it is simply not that effective: It is applied as a form of “tick-box” security, simply to say that something was done to protect the software from attack. Professional reverse engineers (those who make their living by attempting to analyze and defeat software and hardware security) generally disdain software obfuscation since it is in reality not much of a barrier to the attacks they typically apply, and in most cases, once understood, a given obfuscation technique can be recognized and removed in an automated manner.
At Irdeto we have developed a much more powerful software protection technique called Program Transformation which is significantly more effective than simple software obfuscation while at the same time providing many of the same benefits of being easy to apply in an automated fashion. Understanding the difference between software obfuscation and Program Transformation can be a challenge without getting into a lot of technical detail, but an analogy with anti-piracy technology for movie content illustrates the point nicely.
In the early days of movie distribution via VHS tapes it was desired to prevent pirates from making and selling illicit copies, so techniques were developed which meant that second-generation copies of the original tape would have highly distorted, wavering images. This was a successful anti-piracy technique because the quality of pirated copies was so poor that no one would pay for them ( Figure 1).
However, that didn’t mean that the original content of the pirated movie could not be viewed and understood: It might not have been a pleasant experience, but if you were really stuck and needed to watch a pirated copy (say to write a movie review about it, referencing scenes and dialogue from the movie) it could be done. That’s because the protection technique was really just a simple form of obfuscation, and did not wholly remove the semantic content (meaning) of the original.
In fact, simple obfuscation techniques were used for video distribution in multiple media, including the early days of Cable TV and Pay TV. So, extending our analogy further, just like the simple software obfuscation described above, once a hacker discovered the video scrambling technique that was applied, it could be easily dealt with, whether it was video clamping, sync-tip suppression or video inversion, etc. This was because the fundamental video semantic information (like timing, reference clocks, etc.) remained in place even with the obfuscation. So the simpler forms of video scrambling became ineffective to a determined thief that wanted to steal the content or service.
Program Transformation techniques can do a much better job of removing the semantic content of software than simple obfuscation techniques while still permitting the protections to be applied automatically without impacting software functionality. This is achieved by analyzing the complete application code at a global level and applying algorithmic transformations that affect the code and even embedded data in an entangled, non-local fashion. The global span of Program Transformations and the effective entanglement of code and data makes the attacker’s job much more difficult. To use the movie piracy analogy, after application of the software transformations, it would no longer be possible to write that movie review with a pirated copy since all you would see would be a random-seeming snow-storm of pixels, with all semantic information removed. To learn more about Program Transformations and other effective software protection techniques, like entanglement, see the blog entry on software protection.
In a software defined world, intellectual property increasingly defines the value of large corporations and it needs to be protected from upstart competitors who are looking to steal market share by emulating the hard-earned work without a comparable investment. The question of “how much security is enough” depends very much on who you want to protect against and how much IP you have developed. Obfuscation may be enough to protect against the recreational hacker; Program Transformation is required to protect you from determined attackers.