JShadObf: A JavaScript Obfuscator Based on Multi-Objective Optimization Algorithms

  • Benoît Bertholon
  • Sébastien Varrette
  • Pascal Bouvry
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)


With the advent of the Cloud Computing (CC) paradigm and the explosion of new Web Services proposed over the Internet (such as Google Office Apps, Dropbox or Doodle just to cite a few of them), the protection of the programs at the heart of these services becomes more and more crucial, especially for the companies making business on top of these services. In parallel, the overwhelming majority of modern websites use the JavaScript programming language as all modern web browsers - either on desktops, game consoles, tablets or smart phones - include JavaScript interpreters making it the most ubiquitous programming language in history. Thus, JavaScript is the core technology of most web services. In this context, this article focuses on novel obfuscation techniques to protect JavaScript program contents.

Informally, the goal of obfuscation is to make a program ”unintelligible” without altering its functionality, thus preventing reverse-engineering on the program. However, this approach hardly caught attention from the research community after stand-alone obfuscation for arbitrary programs has been proven impossible in 2001. Here we would like to renew this interest with the proposal of JShadObf, an obfuscation framework based on evolutionary heuristics designed to optimize for a given input JavaScript program, the sequence of transformations that should be applied to the source code to improve its obfuscation capacity. Measuring this capacity is based on the combination of several metrics optimized simultaneously withMulti-Objective Evolutionary Algorithms (MOEAs). Whereas our approach cannot pretend to offer an absolute protection, the objective remains to protect the target program for a sufficiently long period of time. The experiment results initially conducted on a pedagogical example then on JQuery - the most popular and widely used JavaScript library - outperform existing solutions. It demonstrates the validity of the approach and its concrete usage in reference codes used worldwide.


Obfuscation JavaScript Compilation MOEA 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
  5. 5.
  6. 6.
  7. 7.
  8. 8.
  9. 9.
    Jquery (2012),
  10. 10.
    Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. 11.
    Byung-Ik Kim, H.-C.J., Im, C.-T.: Suspicious malicious web site detection with strength analysis of a javascript obfuscation. International Journal of Advanced Science and TechnologyGoogle Scholar
  12. 12.
    Chidamber, S.R., Kemerer, C.F.: A metrics suite for object oriented design (1994)Google Scholar
  13. 13.
    Collberg, C., Nagra, J.: Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Addison-Wesley Professional (2009)Google Scholar
  14. 14.
    Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Rapport technique l’Université d’Auckland, -1 (1997)Google Scholar
  15. 15.
    Darwin, C.: The Origin of Species. John Murray (1859)Google Scholar
  16. 16.
    Deb, K., Agrawal, S., Pratap, A., Meyarivan, T.: A fast elitist non-dominated sorting genetic algorithm for multi-objective optimization: NSGA-II. In: Deb, K., Rudolph, G., Lutton, E., Merelo, J.J., Schoenauer, M., Schwefel, H.-P., Yao, X. (eds.) PPSN 2000. LNCS, vol. 1917, pp. 849–858. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  17. 17.
    Feinstein, B., Peck, D.: Caffeine monkey: Automated collection, detection and analysis of malicious javascript. In: DEFCON 15 (2007)Google Scholar
  18. 18.
    Flanagan, D.: JavaScript: The Definitive Guide Activate Your Web Pages, 6th edn. O’Reilly Media, Inc. (2011)Google Scholar
  19. 19.
    Halstead, M.H.: Elements of software science (1977)Google Scholar
  20. 20.
    Harrison, W.A., Magel, K.I.: A complexity measure based on nesting level. SIGPLAN Notices 16(3), 63–74 (1981)CrossRefGoogle Scholar
  21. 21.
    Henry, S., Kafura, D.: Software structure metrics based on information flow. IEEE Transactions on Software Engineering SE-7(5) (1981)Google Scholar
  22. 22.
    E. C. M. A. International. ECMA-262: ECMAScript Language Specification. ECMA (European Association for Standardizing Information and Communication Systems), 3rd edn., Geneva, Switzerland (December 1999)Google Scholar
  23. 23.
    McCabe, T.J.: A complexity measure. IEEE Transactions on Software Engineering SE-2(4) (1976)Google Scholar
  24. 24.
    Oviedo, E.I.: Control flow, data flow, and program complexity. In: Proceedings of IEEE COMPSAC, pp. 146–152 (1980)Google Scholar
  25. 25.
    Parr, T.J., Parr, T.J., Quong, R.W.: Antlr: A predicated-ll(k) parser generator (1995)Google Scholar
  26. 26.
    Reeves, C.R., Rowe, J.E.: Genetic algorithms: principles and perspectives. A guide to GA theory. Kluwer Academic Publishers (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Benoît Bertholon
    • 1
  • Sébastien Varrette
    • 2
  • Pascal Bouvry
    • 2
  1. 1.Interdisciplinary Centre for Security Reliability and TrustUniversity of LuxembourgLuxembourgLuxembourg
  2. 2.Computer Science and Communication (CSC) Research UnitUniversity of LuxembourgLuxembourgLuxembourg

Personalised recommendations