Presentation is loading. Please wait.

Presentation is loading. Please wait.

JavaScript Obfuscation Facts and Fiction Pedro Fortuna, Co-Founder and CTO AuditMark.

Similar presentations


Presentation on theme: "JavaScript Obfuscation Facts and Fiction Pedro Fortuna, Co-Founder and CTO AuditMark."— Presentation transcript:

1 JavaScript Obfuscation Facts and Fiction Pedro Fortuna, Co-Founder and CTO AuditMark

2 2 Agenda Obfuscation concepts Practical Examples

3 3 P ART 1 – O VERVIEW P ART 2 – T IZEN 2. X S UPPORT P ART 3 – T IZEN 2. X C OMPLIANCE AND B ENCHMARK P ART 4 - A DDITIONAL I NFORMATION S OURCE CODE O BFUSCATION P ART 1 P ART 1 – S OURCE C ODE OBFUSCATION

4 4 Lowers the code quality in terms of readability and maintainability Goall: delay program understanding, hopefully to the point where the time needed for an expert professional to reverse it, clearly exceeds the useful lifetime of the program. Different from Code Encryption Source Code Obfuscation != Code Obfuscation Source Code Obfuscation

5 5 Example Source

6 6 Obfuscated #1

7 7 Obfuscated #2

8 What is it good for? Good Protect Intellectual Property (algorithms, data) Prevent code theft and reuse Enforce license agreements Test the strength of security controls (IDS/IPS/WAFs/web filters) Evil Test the strength of security controls (IDS/IPS/WAFs/web filters) Hide malicious code Make it look like harmless code

9 9 Potency Resilience Stealthiness Execution Cost Maintainability Measuring Obfuscation

10 10 Generate confusion Obfuscation Potency Measuring Obfuscation

11 11 Resistance to deobfuscation techniques, be it manual or automatic Obfuscation Resilience Measuring Obfuscation Rename all + whitespace removal String splitting

12 12 1. Parses the code 2. Transforms it to fullfill a purpose – Usually to make it simpler => better performance – Simpler also fullfills reverse-engineering purpose A compiler is a static code analyser Things it can do – Constant folding, constant propagation – Remove (some) dead code Automatic! Next: an example Static Code Analysis for defeating obfuscation

13 13

14 14 Analysis performed by executing the code – Retrieve information of the code while running – Resulting AST can be analysed using any method Can be done in step by step debugging How it can be used to defeat obfuscation – For the goal of understanding (one instance of) program execution – Not for the goal of retrieving the original source code (for code theft and reuse) – However it can be used to gain knowledge about the code that can be used to remove code checks or to simplify it for higher maintainability – May help breaking license agreements (piracy) Dynamic Code Analysis for defeating obfuscation

15 15 How hard is to spot? Avoid telltale indicators – eval() – unescape() – Large blocks of meaningless text Example: Kolisar’s whitespace obfuscation How to measure? Obfuscation Stealthiness Measuring Obfuscation

16 16 Impact on performance Impact on loading times Impact on FPS Obfuscation Execution Cost Measuring Obfuscation

17 17 1/potency How easy to read after static code analysis ? How segmented is the code ? Higher maintainability => code theft and reuse Obfuscation & Maintainability Measuring Obfuscation

18 18 P ART 1 – O VERVIEW P ART 2 – T IZEN 2. X S UPPORT P ART 3 – T IZEN 2. X C OMPLIANCE AND B ENCHMARK P ART 4 - A DDITIONAL I NFORMATION PRACTICAL EXAMPLES P ART 2 P ART 2 – P RACTICAL E XAMPLES

19 19 Compression/Minification vs Obfuscation

20 20 Compression/Minification vs Obfuscation

21 21 eval( (function(....)) ); document.write(‘ (function(...)) ’); A simple trick will do it

22 22 Reverse-engineered result

23 23 Encoding method using strictly non-alphanumeric symbols Like other types of encoding (e.g. Compression) it uses eval Example: alert(1) Non alphanumeric Obfuscation

24 24 Using type cohersion and browser quirks We can obtain alphanumeric characters indirectly How is that possible ? +[] -> 0 +!+[] -> 1 +!+[]+!+[] -> 2 Easy to get any number +”1” -> 1 Type cohersion to number “”+1 = “1” Type cohersion to string How to get letters? +”a” -> NaN +”a”+”” -> “NaN” (+”a”+””)[0] -> “N” Ok, but now without alphanumerics: (+”a”+””)[+[]] -> “N” How to get an “a” ? ![] -> false ![]+“” -> “false” (![]+””)[1] -> “a” (![]+””)[+!+[]] (+(![]+"")[+!+[]]+””)[+[]] -> “N” eval( (![]+"")[1]+"lert(1)");

25 25

26 26 eval() is not the only way to eval() ! You have 4 or 5 methods more Example: Array.constructor(alert(1))() []["sort"]["constructor"]("alert(1)")() – Dot notation – Strings ! Wait... where’s the eval ?

27 27 Let me see that again!

28 28 100% potent 0% stealthy High execution cost – eval is slower – File is much larger => slower loading times Does not work in all browsersProblema: What about resilience ? Non alphanumeric Obfuscation

29 29 Creates new functions out of statements in the code Statements are randomly selected New functions are added to different scopes Functions are added to object literals to reduce the scope pollution Increases complexity by using multiple namespaces Function reordering is possible Function outlining

30 30 Creates new functions out of statements in the code Statements are randomly selected Function outlining

31 31 Function outlining New functions are added to different scopes Functions are added to object literals to reduce the scope pollution Increases complexity by using multiple namespaces Function reordering is possible

32 32 Insert code to increase confusion It isn’t executed Deadcode insertion (with predicate Opaques)

33 33 Deadcode insertion

34 34 Randomly injected (++potency) Increase complexity of control flow (++potency) Some places are avoided (e.g. loops) Dummy statements created out of own code (++stealth, ++potency) Opaque predicates – Not removable using Static Code Analysis – Predicates injected are similar to ones found in the original source Deadcode insertion (with predicate Opaques)

35 35 It can really help prevent code theft and reuse Buys you time You can always try to make a request to the server side and process it there, but sometimes that is not feasiable – Widgets – Mobile Apps – Standalone, offline-playable games – Windows 8 Apps made with WinJS Prefer transformations with negligible execution cost Prefer transformations with high resilience Sometimes it is a trial and error experience Code execution control is a great allied JavaScript Obfuscation

36 Contact Information Pedro Fortuna Owner & Co-Founder & CTO Phone: Porto - Headquarters Edifício Central da UPTEC Rua Alfredo Allen, Porto, Portugal Lisbon office Startup Lisboa Rua da prata, 121 5A Lisbon, Portugal


Download ppt "JavaScript Obfuscation Facts and Fiction Pedro Fortuna, Co-Founder and CTO AuditMark."

Similar presentations


Ads by Google