Evaluating Obfuscation Security: A Quantitative Approach

  • Rabih Mohsen
  • Alexandre Miranda Pinto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9482)


State-of-the-art obfuscation techniques rely on an unproven concept of security, so it is very hard to evaluate their protection quality. In previous work we introduced algorithmic information theory as a theoretical foundation for code obfuscation security. We propose Kolmogorov complexity, estimated by compression, as a software complexity metric to measure regularities in obfuscated programs. In this paper we provide a theoretical validation of its soundness as a software metric, so that it can have as much credibility as other complexity metrics. We then conduct an empirical evaluation of 43 obfuscation techniques, applied to 10 Java bytecode programs of the SPECjvm2008 benchmark suite, using three different decompilers as a threat model, aiming to provide experimental evidence that supports the formal treatments.


Kolmogorov Complexity, Control Flow Graph, Benchmark Program, Universal Turing Machine, Cyclomatic Complexity
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Department of Computing, Imperial College London, London, UK
  2. Information Security Group, Royal Holloway University of London, London, UK
  3. Instituto Universitário da Maia, Maia, Portugal
