Modifly Run-time Obfuscation Details

Why Are Run-time Transformations Important?

Traditionally, software obfuscation is applied toward the end of the software build process. Obfuscations may include removing semantic value from all identifiers and restructuring. These obfuscation techniques have unquestionable value. A semantic obfuscation removes meaning from identifiers. However, as long as these identifiers are static, an attacker can use them as a foothold: they serve as reference points for building up intelligence about the software's behavior. For example, if an attacker uses a debugger to pause program execution, the stack can be examined. The values on the stack may contain clues to a module's functionality. If a value on the stack has the text "Invalid License Key!", an attacker could assume that the enclosing module is related to disabling the software for unlicensed users. If the obfuscated class name is "a", the attacker can begin crafting an attack by injecting code into class "a". Modifly's run-time transformation feature can randomly choose a class's name every time the program is run. If an attacker cannot depend on the name of a class being consistent between independent runs of a program, this approach to gaining a foothold is eliminated.

The run-time transformation of a program's identifiers is not enough to subvert a determined attacker. Program structure can also be used as a unique signature for identifying classes within a program. Specifically, the following program attributes can provide much information for developing a unique signature for a given class: the number of fields and methods, the order of the fields and methods, the field and method types (parameter and return), and the number of method parameters. Classes can be analyzed at run time using reflection or byte code engineering libraries to develop unique signatures.

  • Number of fields
  • Field type
  • Field order
  • Field modifiers (access, static, volatile, etc)
  • Number of methods
  • Method return type
  • Method parameter types
  • Number of method parameter types
  • Method throws clause
  • Method modifiers (access, static, synchronized, etc)
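To check whether a renamed class is still recognizable by its structure, a build can be tested with a name-independent fingerprint computed from the attributes listed above. The following is an added example, not Modifly code; the class names `StructuralSignature`, `A`, `Q` and `Other` and the sample members are constructed for illustration.

```java
import java.lang.reflect.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class StructuralSignature {
    // Constructed samples: A and Q have identical structure but different
    // identifiers, standing in for one class as named in two separate runs.
    static class A { private int a; static volatile String b;
        synchronized int c(String x, long y) throws java.io.IOException { return 0; } }
    static class Q { private int z; static volatile String k;
        synchronized int m(String p, long q) throws java.io.IOException { return 0; } }
    static class Other { private long a; int c(String x) { return 0; } }

    // Name-independent fingerprint built from the attributes listed above.
    static String signature(Class<?> c) throws Exception {
        List<String> parts = new ArrayList<>();
        for (Field f : c.getDeclaredFields()) {
            if (f.isSynthetic()) continue; // skip compiler-generated members
            parts.add("F|" + Modifier.toString(f.getModifiers()) + "|" + f.getType().getName());
        }
        for (Method m : c.getDeclaredMethods()) {
            if (m.isSynthetic()) continue;
            parts.add("M|" + Modifier.toString(m.getModifiers()) + "|" + m.getReturnType().getName()
                    + "|" + m.getParameterCount() + Arrays.toString(m.getParameterTypes())
                    + "|" + Arrays.toString(m.getExceptionTypes()));
        }
        // The reflection API does not guarantee member order, so sort the parts;
        // an order-sensitive signature would have to read the class file itself.
        Collections.sort(parts);
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(String.join("\n", parts).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : d) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("A     " + signature(A.class));
        System.out.println("Q     " + signature(Q.class));
        System.out.println("Other " + signature(Other.class));
        System.out.println("A and Q match: " + signature(A.class).equals(signature(Q.class)));
    }
}
```

If two runs of a protected build yield the same fingerprint for a class, renaming alone has not hidden it. Member types that refer to application classes would need to be normalized before hashing, since their names change with renaming as well.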

This program metadata can undermine the run-time transformation of identifiers. However, Modifly can not only re-order a class's fields and methods, but can also change class names at run time. Consequently, an attacker can no longer rely on field and method ordering or field and method types to create a foothold.