JavaScript Obfuscation

JavaScript Obfuscation Facts and Fiction Pedro Fortuna, Co-Founder and CTO AuditMark


Transcript of JavaScript Obfuscation

Page 1: JavaScript Obfuscation

JavaScript Obfuscation: Facts and Fiction

Pedro Fortuna, Co-Founder and CTO, AuditMark

Page 2: JavaScript Obfuscation


Agenda

Obfuscation concepts

Practical Examples

Page 3: JavaScript Obfuscation


PART 1 – SOURCE CODE OBFUSCATION

Page 4: JavaScript Obfuscation

Source Code Obfuscation

• Lowers the code quality in terms of readability and maintainability

• Goal: delay program understanding, hopefully to the point where the time needed for an expert professional to reverse it clearly exceeds the useful lifetime of the program.

• Different from Code Encryption

• Source Code Obfuscation != Code Obfuscation

Page 5: JavaScript Obfuscation


Example Source

Page 6: JavaScript Obfuscation


Obfuscated #1

Page 7: JavaScript Obfuscation


Obfuscated #2

Page 8: JavaScript Obfuscation

What is it good for?

Good
• Protect Intellectual Property (algorithms, data)
• Prevent code theft and reuse
• Enforce license agreements
• Test the strength of security controls (IDS/IPS/WAFs/web filters)

Evil
• Test the strength of security controls (IDS/IPS/WAFs/web filters)
• Hide malicious code
• Make it look like harmless code

Page 9: JavaScript Obfuscation

Measuring Obfuscation

• Potency
• Resilience
• Stealthiness
• Execution Cost
• Maintainability

Page 10: JavaScript Obfuscation

Obfuscation Potency
Measuring Obfuscation

• Generate confusion

Page 11: JavaScript Obfuscation

Obfuscation Resilience
Measuring Obfuscation

• Resistance to deobfuscation techniques, be it manual or automatic

Rename all + whitespace removal

String splitting

Page 12: JavaScript Obfuscation

Static Code Analysis for defeating obfuscation

• 1. Parses the code
• 2. Transforms it to fulfill a purpose
  – Usually to make it simpler => better performance
  – Simpler also fulfills reverse-engineering purpose
• A compiler is a static code analyser
• Things it can do
  – Constant folding, constant propagation
  – Remove (some) dead code
• Automatic!
• Next: an example

Page 13: JavaScript Obfuscation
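
An added example (not from the original slides) of the automatic simplification the previous slide describes: a small constant folder that undoes string splitting by merging adjacent string literals. It works on a token stream rather than a full AST, and the function names and the sample line are constructed for illustration.

```javascript
// Added example: undo string splitting by folding adjacent string literals.
// Limits: no template literals, comments, regex literals or \u{...} escapes;
// a production tool would fold on a real AST instead of a token stream.
const STR = String.raw`"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'`;
const TOKEN = new RegExp(`${STR}|[^"']+|["']`, "g");
const SIMPLE = { n: "\n", t: "\t", r: "\r", b: "\b", f: "\f", v: "\v", 0: "\0" };

const isStr = (t) => t !== undefined && t.length > 1 && /^["']/.test(t);

// Turn a quoted literal into the string value it denotes, without eval().
function decodeLiteral(lit) {
  return lit.slice(1, -1).replace(
    /\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g,
    (_, x, u, c) =>
      (x || u) ? String.fromCharCode(parseInt(x || u, 16)) : (SIMPLE[c] ?? c));
}

// Folding is only sound when nothing binds tighter than the "+" on either
// side, e.g. "a" + "b".length and 2 * "3" + "4" must stay as they are.
const safeBefore = (prev) =>
  prev === undefined || /(?:^|[(\[,=:?;{]|\breturn)\s*$/.test(prev);
const safeAfter = (next) =>
  next === undefined || /^\s*(?:[+)\],;}:?]|$)/.test(next);

function foldStringConcats(src) {
  const tokens = src.match(TOKEN) || [];
  const out = [];
  tokens.forEach((t, i) => {
    const n = out.length;
    if (isStr(t) && isStr(out[n - 2]) && /^\s*\+\s*$/.test(out[n - 1]) &&
        safeBefore(out[n - 3]) && safeAfter(tokens[i + 1])) {
      const merged = decodeLiteral(out[n - 2]) + decodeLiteral(t);
      out.splice(n - 2, 2, JSON.stringify(merged));
    } else {
      out.push(t);
    }
  });
  return out.join("");
}

// Constructed sample input (not from the slides).
const SAMPLE = String.raw`var f = window["ev" + 'al']; f("al" + "\x65rt" + '(1)'); var n = "a" + "b".length;`;
console.log(foldStringConcats(SAMPLE));
```

The folded output exposes the hidden eval call and its argument in one pass, which is why string splitting on its own scores low on resilience.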


Page 14: JavaScript Obfuscation

Dynamic Code Analysis for defeating obfuscation

• Analysis performed by executing the code
  – Retrieve information of the code while running
  – Resulting AST can be analysed using any method
• Can be done in step by step debugging
• How it can be used to defeat obfuscation
  – For the goal of understanding (one instance of) program execution
  – Not for the goal of retrieving the original source code (for code theft and reuse)
  – However it can be used to gain knowledge about the code that can be used to remove code checks or to simplify it for higher maintainability
  – May help breaking license agreements (piracy)

Page 15: JavaScript Obfuscation

Obfuscation Stealthiness
Measuring Obfuscation

• How hard is it to spot?
• Avoid telltale indicators
  – eval()
  – unescape()
  – Large blocks of meaningless text
• Example: Kolisar’s whitespace obfuscation
• How to measure?

Page 16: JavaScript Obfuscation

Obfuscation Execution Cost
Measuring Obfuscation

• Impact on performance
• Impact on loading times
• Impact on FPS

Page 17: JavaScript Obfuscation

Obfuscation & Maintainability
Measuring Obfuscation

• 1/potency
• How easy to read after static code analysis?
• How segmented is the code?
• Higher maintainability => code theft and reuse

Page 18: JavaScript Obfuscation


PART 2 – PRACTICAL EXAMPLES

Page 19: JavaScript Obfuscation


Compression/Minification vs Obfuscation

Page 20: JavaScript Obfuscation


Compression/Minification vs Obfuscation

Page 21: JavaScript Obfuscation

A simple trick will do it

eval((function(....)));

document.write('<textarea>(function(...))</textarea>');

Page 22: JavaScript Obfuscation


Reverse-engineered result

Page 23: JavaScript Obfuscation

Non alphanumeric Obfuscation

• Encoding method using strictly non-alphanumeric symbols
• Like other types of encoding (e.g. Compression) it uses eval
• Example: alert(1)

Page 24: JavaScript Obfuscation

How is that possible ?

• Using type coercion and browser quirks
• We can obtain alphanumeric characters indirectly

+[] -> 0
+!+[] -> 1
+!+[]+!+[] -> 2        Easy to get any number
+"1" -> 1              Type coercion to number
""+1 = "1"             Type coercion to string

How to get letters?
+"a" -> NaN
+"a"+"" -> "NaN"
(+"a"+"")[0] -> "N"

Ok, but now without alphanumerics:
(+"a"+"")[+[]] -> "N"

How to get an "a" ?
![] -> false
![]+"" -> "false"
(![]+"")[1] -> "a"
(![]+"")[+!+[]]
(+(![]+"")[+!+[]]+"")[+[]] -> "N"

eval( (![]+"")[1]+"lert(1)");

Page 25: JavaScript Obfuscation


Page 26: JavaScript Obfuscation

Wait... where’s the eval ?

• eval() is not the only way to eval() !
• You have 4 or 5 methods more
• Example: Array.constructor(alert(1))()
• []["sort"]["constructor"]("alert(1)")()
  – Dot notation
  – Strings !

Page 27: JavaScript Obfuscation


Let me see that again!

Page 28: JavaScript Obfuscation

Non alphanumeric Obfuscation

• 100% potent
• 0% stealthy
• High execution cost
  – eval is slower
  – File is much larger => slower loading times
• Does not work in all browsers

Problem:
• What about resilience ?
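
One way to turn the telltale indicators from the stealthiness slide, together with the eval-free evaluation and the non-alphanumeric encoding shown above, into a check a code reviewer or filter could run. This is an added example, not code from the presentation; the thresholds, field names and sample E are assumptions, while samples B, C and D reuse expressions from the slides.

```javascript
// Added example: score a script against the telltale indicators on the slides.
// Thresholds (0.6, 1000) and all names here are illustrative assumptions.
function stealthIndicators(src) {
  const count = (re) => (src.match(re) || []).length;
  const nonSpace = src.replace(/\s/g, "").length;
  return {
    evalCalls: count(/\beval\s*\(/g),
    unescapeCalls: count(/\bunescape\s*\(/g),
    // "eval without eval": Function reached through a constructor lookup.
    constructorAccess:
      count(/\[\s*["']constructor["']\s*\]|\.constructor\s*\(/g),
    // Share of characters from the non-alphanumeric alphabet []()!+
    symbolRatio: nonSpace ? count(/[\[\]()!+]/g) / nonSpace : 0,
    // Longest whitespace-free run: packed payloads form very long ones.
    longestRun: src.split(/\s+/).reduce((m, s) => Math.max(m, s.length), 0),
    nonSpace,
  };
}

function flagReasons(src) {
  const i = stealthIndicators(src);
  const reasons = [];
  if (i.evalCalls) reasons.push("eval");
  if (i.unescapeCalls) reasons.push("unescape");
  if (i.constructorAccess) reasons.push("constructor-eval");
  // Very short snippets are skipped so "()" alone does not trip the ratio.
  if (i.nonSpace >= 10 && i.symbolRatio > 0.6) reasons.push("symbol-heavy");
  if (i.longestRun > 1000) reasons.push("opaque-block");
  return reasons;
}

// Constructed samples; B, C and D reuse expressions shown on the slides.
const SAMPLES = {
  A: "function add(a, b) { return a + b; }",
  B: '[]["sort"]["constructor"]("alert(1)")()',
  C: '(![]+"")[+!+[]]',
  D: 'eval((![]+"")[1]+"lert(1)");',
  E: 'var p = "' + "A".repeat(2000) + '";',
};
for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, flagReasons(src).join(",") || "clean");
}
```

These are pattern matches on source text, so legitimate uses of `.constructor(` or long inline data will also be flagged; treat the result as a triage signal.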

Page 29: JavaScript Obfuscation

Function outlining

• Creates new functions out of statements in the code
• Statements are randomly selected
• New functions are added to different scopes
• Functions are added to object literals to reduce the scope pollution
• Increases complexity by using multiple namespaces
• Function reordering is possible

Page 30: JavaScript Obfuscation

Function outlining

• Creates new functions out of statements in the code
• Statements are randomly selected

Page 31: JavaScript Obfuscation

Function outlining

• New functions are added to different scopes
• Functions are added to object literals to reduce the scope pollution
• Increases complexity by using multiple namespaces
• Function reordering is possible

Page 32: JavaScript Obfuscation

Deadcode insertion (with opaque predicates)

• Insert code to increase confusion
• It isn’t executed

Page 33: JavaScript Obfuscation


Deadcode insertion

Page 34: JavaScript Obfuscation

Deadcode insertion (with opaque predicates)

• Randomly injected (++potency)
• Increase complexity of control flow (++potency)
• Some places are avoided (e.g. loops)
• Dummy statements created out of own code (++stealth, ++potency)
• Opaque predicates
  – Not removable using Static Code Analysis
  – Predicates injected are similar to ones found in the original source
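
What such a transformation looks like in practice, and how an analyst can confirm the inserted branch is dead by running the code. This is an added example, not taken from the slides or from any obfuscator's output; the function names, constants and input list are hypothetical.

```javascript
// Added example; function names and values are hypothetical.
function shippingCost(weightKg) {            // original
  return weightKg > 20 ? 15 : 5;
}

let deadBranchHits = 0;                      // instrumentation for this demo only

function shippingCostObfuscated(weightKg) {  // after dead code insertion
  const w = Math.trunc(weightKg);
  // Opaque predicate: w * (w + 1) is a product of consecutive integers, hence
  // always even, so this test is always false. It depends on a runtime
  // argument, so constant folding and propagation cannot resolve it.
  if ((w * (w + 1)) % 2 === 1) {
    deadBranchHits++;
    // Dummy statements modelled on the real ones (same shape, other constants).
    return weightKg > 2 ? 51 : 50;
  }
  return weightKg > 20 ? 15 : 5;
}

// Dynamic check: same results on every input tried, dead branch never reached.
function equivalentOn(inputs) {
  deadBranchHits = 0;
  const same = inputs.every(
    (x) => shippingCost(x) === shippingCostObfuscated(x));
  return same && deadBranchHits === 0;
}

// Constructed inputs, including non-integers and non-finite values.
const INPUTS = [-7, -1, 0, 0.5, 1, 19.9, 20, 21, 1e6, 2 ** 40, NaN, Infinity];
console.log(equivalentOn(INPUTS));
```

Branch coverage collected during execution marks the guarded block as never taken, which is the dynamic-analysis route to simplifying code that static folding leaves intact.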

Page 35: JavaScript Obfuscation

JavaScript Obfuscation

• It can really help prevent code theft and reuse
• Buys you time
• You can always try to make a request to the server side and process it there, but sometimes that is not feasible
  – Widgets
  – Mobile Apps
  – Standalone, offline-playable games
  – Windows 8 Apps made with WinJS
• Prefer transformations with negligible execution cost
• Prefer transformations with high resilience
• Sometimes it is a trial and error experience
• Code execution control is a great ally

Page 36: JavaScript Obfuscation

Contact Information

Pedro Fortuna, Owner & Co-Founder & CTO
Phone: +351 917331552

Porto - Headquarters: Edifício Central da UPTEC, Rua Alfredo Allen, 455, 4200-135 Porto, Portugal

Lisbon office: Startup Lisboa, Rua da Prata, 121 5A, 1100-415 Lisbon, Portugal