Hi, Ken,
This morning, an article caught my attention -- "Managing the insider threat
through code obfuscation",
http://www.itmanagersjournal.com/article.pl?sid=05/12/13/1736253
The article's premise is that, because attackers can find out a great deal
about the internals of databases and such by decompiling bytecode (in Java
and .NET), bytecode should be obfuscated to hide its internal details. The
article points to several commercial bytecode obfuscation products:
http://www.devdirect.com/ALL/OBFUSCATIORS_PCAT_2014.aspx
I heard about code obfuscation in the late 1970s. A friend (and fellow
student) in my graduate program said a company he worked at did exactly
that. But the goal was *not* security; it was copyright protection. If
anyone copied their binary, and claimed to have written it independently
(and so did not need to pay a licensing fee), the company could easily
prove to a court that the other user had not written it on their own by
showing the convoluted logic in the program.
I don't remember if he said they ever actually had to do this in court,
but it seemed a pretty effective way to trace code lineage. The
application was not one in which speed was critical, so the loss of
speed due to the obfuscation was apparently tolerable (if not unnoticeable).
I don't remember the language involved, but suspect pretty strongly it
was *not* Java, because our discussion was some 15-20 years before Java
was released ... :-)
Cheers to all!
Matt
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php