This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Bytecode obfuscation"

From OWASP
Jump to: navigation, search
(Links)
(Added Google's R8 tool)
 
(6 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
==Status==
 
==Status==
 +
Completely Updated: 7 March 2018<br>
 
Released: 14/1/2008
 
Released: 14/1/2008
 
==Author==
 
==Author==
Line 6: Line 7:
 
== Principles ==
 
== Principles ==
  
 
+
Java source code is typically compiled into Java bytecode -- the instruction set of the Java virtual machine. The compiled Java bytecode can be easily reversed engineered back into source code by a freely available decompilers.
Java is a language where the source code is quite intuitive to read. And in many cases, the compiled bytecode can also be reversed (or decompiled) into source code. This presents problems for projects that require confidentiality of the source code. This article provides an introduction to protecting bytecode through obfuscation.
+
Bytecode Obfuscation is the process of modifying Java bytecode (executable or library) so that it is much harder to read and understand for a hacker but remains fully functional. Almost all code can be reverse-engineered with enough skill, time and effort. However, for some platforms such as Java, Android, or.NET, free decompilers can easily reverse-engineer source code from an executable or library with no real time or effort.  
 +
Automated bytecode obfuscation makes reverse-engineering a program difficult and economically unfeasible. Other advantages could include helping to protect licensing mechanisms and unauthorized access, hiding vulnerabilities and shrinking the size of the executable.
  
 
=== How to recover Source Code from Bytecode? ===
 
=== How to recover Source Code from Bytecode? ===
 +
There are a number of freely available Java decompilers that can recreate source code from Java bytecode (executables or libraries). Popular decompilers include:
 +
* [https://bytecodeviewer.com Bytecode Viewer] - A Java 8 Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
 +
* [http://www.benf.org/other/cfr/ CFR] - Another Java decompiler
 +
* [http://jd.benow.ca/ JDGui] - Yet another fast Java decompiler
 +
* [https://github.com/fesh0r/fernflower Fernflower] - An analytical decompiler for Java
  
There are a number of freely available Java decompilers that all provide similar functionality, including:
+
=== How to help prevent Java source code from being Reverse-Engineered? ===
 
+
Java bytecode obfuscation consists of multiple complementary techniques that can help create a layered defense against reverse engineering and tampering. Some typical examples of obfuscation techniques include:
* Recover source code from Java bytecode,
+
* <b>Renaming</b> to alter the name of methods and variables to make the decompiled source much harder for a human to understand.
* Retrieve names of local Variables and parameters,
+
* <b>Control Flow Obfuscation</b>creates conditional, branching, and iterative constructs that produce valid executable logic, but yield non-deterministic semantic results when decompiled.
* Retrieve comments and JavaDoc
+
* <b>String Encryption</b> hides strings in the executable and only restores their original value when needed
 
+
* <b>Instruction Pattern Transformation</b> converts common instructions to other, less obvious constructs potential confusing decompliers.
Popular decompilers include:
+
* <b>Dummy Code Insertion</b> inserts code that does not affect the program’s logic, but breaks decompilers or makes reverse-engineered code harder to analyze.
* [http://www.kpdus.com/jad.html JAD (JAva Decompiler)] - a little dated now and does not support Java 5.0
+
* <b>Unused Code and Metadata Removal</b> prunes out debug, non-essential metadata and used code from applications to reduce the information available to an attacker.
* [http://jode.sourceforge.net Jode] - Written entirely in Java and provides a Swing GUI
+
* <b>Class file encryption</b> requires the JVM to decrypt the java executable before running confusing decompilers. Unlike some of the other transforms, this one is easy to circumvent by modifing the local JVM to simply write the executable to disk in its unencrypted form. See: [http://www.javaworld.com/javaworld/javaqa/2003-05/01-qa-0509-jcrypt.html?page=2 Javaworld article]).<br>
* [http://jreversepro.blogspot.com/ jReversePro] - 100% Java, also slightly dated
 
 
 
=== How to prevent Java code from being Reverse-engineered ? ===
 
  
Several actions can be taken for preventing reverse-engineering :
+
=== What obfuscation tools are available? ===
 +
You can find popular tools for Java bytecode obfuscation below, or simply type 'java obfuscator' in your favorite search engine.
 +
* [https://sourceforge.net/projects/proguard/ ProGuard Java Optimizer] is a very popular open source Java class file shrinker, optimizer, obfuscator, and preverifier.
 +
* [https://www.preemptive.com/products/dasho/overview DashO Android & Java Obfuscator] a Java, Kotlin and Android application hardening and obfuscation tool that provides passive and active protection.
 +
* [http://www.zelix.com/klassmaster/ KlassMaster Heavy Duty Protection], shrinks and obfuscates both code and string constants. It can also translate stack traces back to readable form if you save the obfuscation log.
 +
* [http://sourceforge.net/projects/javaguard/ Javaguard], a simple obfuscator without a lot of documentation.
 +
* [https://discotek.ca/modifly.xhtml Modifly], a feature-rich byte code obfuscator capable of run-time transformations (never run the same byte code twice, yet each run is functionally equivalent).
  
* Code Obfuscation. This is done mainly through variable renaming; see next paragraph for more precisions,
+
For Android also see:
* Suppression of End Of Line Characters. This makes the code difficult to parse,
+
* [https://r8-docs.preemptive.com/ Google's R8 code shrinker] Google intends R8 to be a drop-in replacement for ProGuard.
* Use of anonymous classes for handling events. This seems not to be handled by many Decompiler; however, JAD copes pretty well with this.
 
* Class file encryption. This implies some overhead for uncyphering at runtime. Several tools are available:: [http://www.cinnabarsystems.com/canner.html Canner], by Cinnabar Systems, or  [http://www.jbitsoftware.com/JBit/do/displayPage?targetPageId=products.jlockinfo JLock by JSoft]. They are available for evaluation, and the first is proposed currently for Windows Platforms only.
 
* Replacing the method names with certain characters e.g '/' or '.' in the class header causes the popular decompilation tools such as JAD to dump the source code which is incomprehensible (you cannot determine the control flow from the source).
 
<b>Note:</b> Beware of 100% Java solutions using encryption to protect class files as these are more than likely snake oil.  Since the JVM has to read unencrypted class files at some point, even if the class files are encrypted on the disk, they will have to be decrypted before being passed to the JVM.  An attacker could modify the local JVM to simply write the class files to disk in their unencrypted form at this point.  (See: [http://www.javaworld.com/javaworld/javaqa/2003-05/01-qa-0509-jcrypt.html?page=2 Javaworld article]).<br>
 
<b>Conjecture:</b> It's is very easy to circumvent these methods to reveal bytecode using a Java profiler.
 
 
 
=== What obfuscation tools are available ? ===
 
 
 
A lot of tools exist for Java code Obfuscation. You can find extensive lists under following URLs, or simply type 'obfuscator' in your favorite search engine :
 
 
 
* http://directory.google.com/Top/Computers/Programming/Languages/Java/Development_Tools/Obfuscators/
 
* http://proguard.sourceforge.net/alternatives.html
 
 
 
Among those projects, some are open source project, and therefore more suitable for research - but also for enterprises who wish to control the programs they use (without any warranty):
 
 
 
* [http://www.zelix.com/klassmaster/ KlassMaster], shrinks and obfuscates both code and string constants. It can also translate stack traces back to readable form if you save the obfuscation log.
 
* [http://proguard.sourceforge.net/ Proguard] is a shrinker (make code more compact), and optimizer and obfuscator.
 
* [http://jode.sourceforge.net/ Jode] is a decompiler, an optimizer and an obfuscator. It contains facilities for cleaning logging statements,,
 
* [http://jarg.sourceforge.net/ Jarg],
 
* [http://sourceforge.net/projects/javaguard/ Javaguard], which is a simple obfuscator, without many documentation,
 
* [http://www.geocities.com/CapeCanaveral/Hall/2334/Programs/cafebabe.html CafeBabe], which allows precise view of Bytecode files and single file obfuscation; a good tool for teaching ByteCode Structure, more than a production tool.  
 
  
 
== Using Proguard ==
 
== Using Proguard ==
 
 
The following section provides a short tutorial for using [http://proguard.sourceforge.net/ Proguard].
 
The following section provides a short tutorial for using [http://proguard.sourceforge.net/ Proguard].
 
+
First, download the code under [http://sourceforge.net/project/showfiles.php?group_id=54750 following url] and unzip it.
First, download the code under [http://sourceforge.net/project/showfiles.php?group_id=54750 following url ] and unzip it.
 
  
 
For this tutorial, we use the [http://www.rzo.free.fr/applis/fr.inria.ares.sfelixutils-0.1.jar fr.inria.ares.sfelixutils-0.1.jar package].
 
For this tutorial, we use the [http://www.rzo.free.fr/applis/fr.inria.ares.sfelixutils-0.1.jar fr.inria.ares.sfelixutils-0.1.jar package].
  
Go to the main directory of Proguard. For lauching it, you can use following script with given parameters :
+
Go to the main directory of Proguard. To launch it, use following script and parameters:
  
 
       java -jar lib/proguard.jar @config-genericFrame.pro
 
       java -jar lib/proguard.jar @config-genericFrame.pro
Line 77: Line 64:
 
Remark that the 'keep' option is mandatory, we use this default class for not keep anything out.
 
Remark that the 'keep' option is mandatory, we use this default class for not keep anything out.
  
The example dictionnary (here compact.txt) is given with the code.
+
The example dictionary (here compact.txt) is given with the code.
  
 
The output is stored in the package 'genericFrameOut.jar'.
 
The output is stored in the package 'genericFrameOut.jar'.
  
You can observe the modifications implied by obfuscation with following commands :
+
You can observe the modifications implied by obfuscation with following commands:
  
 
  jar xvf genericFrameOut.jar
 
  jar xvf genericFrameOut.jar
Line 88: Line 75:
 
  more c.jad more c.jad
 
  more c.jad more c.jad
  
Remark than Strings are kept unmodified. If you want you code to be hard to read, do not forget to remove any debugging and logging comments. Jode has some facilities for making this easier.
 
 
== Using CafeBabe ==
 
 
CafeBabe is a convenient tool for teaching structure of ByteCode files. You can [http://www.geocities.com/CapeCanaveral/Hall/2334/programs.html download it at this URL].
 
 
Unzip it and execute following command :
 
java -classpath CafeBabe.jar org.javalobby.apps.cafebabe.CafeBabe
 
 
Have a look at some class from the original genericFrame.jar package.
 
 
Then obfuscate it, and compare both - original and modified class :
 
 
* with the CafeBabe viewer,
 
* after decompiling it with JAD.
 
 
What conclusion can you draw of it ?
 
 
== Using Jode ==
 
 
Jode is to be found [http://jode.sourceforge.net/ here] with instructions on how to use the decompiler and obfuscator functions [http://jode.sourceforge.net/usage.html here].
 
  
 
== Links ==
 
== Links ==
 
+
* [https://www.guardsquare.com/en/proguard Proguard]
* [http://directory.google.com/Top/Computers/Programming/Languages/Java/Development_Tools/Obfuscators/  Obfuscator list, by Google]
 
* [http://proguard.sourceforge.net/alternatives.html alternatives proposed by proguard]
 
* [http://www.geocities.com/CapeCanaveral/Hall/2334/Programs/cafebabe.html CafeBabe]
 
* [http://www.cinnabarsystems.com/canner.html Canner]
 
* [http://www.varaneckas.com/jad/ JAD (JAva Decompiler)]
 
* [http://jarg.sourceforge.net/ Jarg]
 
 
* [http://sourceforge.net/projects/javaguard/ Javaguard]
 
* [http://sourceforge.net/projects/javaguard/ Javaguard]
* [http://www.jbitsoftware.com/JBit/do/displayPage?targetPageId=products.jlockinfo JLock by JSoft]
+
* [https://www.preemptive.com/obfuscation Elements of Java Obfuscation]
* [http://jode.sourceforge.net/ Jode]
+
* [https://en.wikipedia.org/wiki/Obfuscation_(software) Software Obfuscation]
* [http://proguard.sourceforge.net/ Proguard]
+
[[Category:Java]]
 
 
[[Category:OWASP Java Project]]
 
 
[[Category:How To]]
 
[[Category:How To]]
[[Category: Control]]
+
[[Category:Control]]

Latest revision as of 20:03, 3 December 2019

Status

Completely Updated: 7 March 2018
Released: 14/1/2008

Author

Pierre Parrend

Principles

Java source code is typically compiled into Java bytecode -- the instruction set of the Java virtual machine. The compiled Java bytecode can be easily reversed engineered back into source code by a freely available decompilers. Bytecode Obfuscation is the process of modifying Java bytecode (executable or library) so that it is much harder to read and understand for a hacker but remains fully functional. Almost all code can be reverse-engineered with enough skill, time and effort. However, for some platforms such as Java, Android, or.NET, free decompilers can easily reverse-engineer source code from an executable or library with no real time or effort. Automated bytecode obfuscation makes reverse-engineering a program difficult and economically unfeasible. Other advantages could include helping to protect licensing mechanisms and unauthorized access, hiding vulnerabilities and shrinking the size of the executable.

How to recover Source Code from Bytecode?

There are a number of freely available Java decompilers that can recreate source code from Java bytecode (executables or libraries). Popular decompilers include:

  • Bytecode Viewer - A Java 8 Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
  • CFR - Another Java decompiler
  • JDGui - Yet another fast Java decompiler
  • Fernflower - An analytical decompiler for Java

How to help prevent Java source code from being Reverse-Engineered?

Java bytecode obfuscation consists of multiple complementary techniques that can help create a layered defense against reverse engineering and tampering. Some typical examples of obfuscation techniques include:

  • Renaming to alter the name of methods and variables to make the decompiled source much harder for a human to understand.
  • Control Flow Obfuscationcreates conditional, branching, and iterative constructs that produce valid executable logic, but yield non-deterministic semantic results when decompiled.
  • String Encryption hides strings in the executable and only restores their original value when needed
  • Instruction Pattern Transformation converts common instructions to other, less obvious constructs potential confusing decompliers.
  • Dummy Code Insertion inserts code that does not affect the program’s logic, but breaks decompilers or makes reverse-engineered code harder to analyze.
  • Unused Code and Metadata Removal prunes out debug, non-essential metadata and used code from applications to reduce the information available to an attacker.
  • Class file encryption requires the JVM to decrypt the java executable before running confusing decompilers. Unlike some of the other transforms, this one is easy to circumvent by modifing the local JVM to simply write the executable to disk in its unencrypted form. See: Javaworld article).

What obfuscation tools are available?

You can find popular tools for Java bytecode obfuscation below, or simply type 'java obfuscator' in your favorite search engine.

  • ProGuard Java Optimizer is a very popular open source Java class file shrinker, optimizer, obfuscator, and preverifier.
  • DashO Android & Java Obfuscator a Java, Kotlin and Android application hardening and obfuscation tool that provides passive and active protection.
  • KlassMaster Heavy Duty Protection, shrinks and obfuscates both code and string constants. It can also translate stack traces back to readable form if you save the obfuscation log.
  • Javaguard, a simple obfuscator without a lot of documentation.
  • Modifly, a feature-rich byte code obfuscator capable of run-time transformations (never run the same byte code twice, yet each run is functionally equivalent).

For Android also see:

Using Proguard

The following section provides a short tutorial for using Proguard. First, download the code under following url and unzip it.

For this tutorial, we use the fr.inria.ares.sfelixutils-0.1.jar package.

Go to the main directory of Proguard. To launch it, use following script and parameters:

      java -jar lib/proguard.jar @config-genericFrame.pro

config-genericFrame.pro is the option file (do not forget to adapt the libraryjars parameter to your own system) :

-obfuscationdictionary ./examples/dictionaries/compact.txt
-libraryjars /usr/java/j2sdk1.4.2_10/jre/lib/rt.jar
-injars fr.inria.ares.sfelixutils-0.1.jar
-outjar fr.inria.ares.sfelixutils-0.1-obs.jar
-dontshrink
-dontoptimize
-keep public class proguard.ProGuard {
public static void main(java.lang.String[]);
}

Remark that the 'keep' option is mandatory, we use this default class for not keep anything out.

The example dictionary (here compact.txt) is given with the code.

The output is stored in the package 'genericFrameOut.jar'.

You can observe the modifications implied by obfuscation with following commands:

jar xvf genericFrameOut.jar
cd genericFrame/pub/gui/
jad c.class
more c.jad more c.jad


Links