Best possible obfuscation makes the relaxed requirement that the obfuscated program leaks as little information as any other program with the same functionality (and of similar size). This work is a study of a new notion of obfuscation, which we call best-possible obfuscation. Subsequent research has showed further negative results as well as positive results for obfuscating very specific families of circuits, all with respect to black box obfuscation. A family of functionalities that cannot be obfuscated was demonstrated. 1–18, 2001) initiated a theoretical study of obfuscation, which focused on black-box obfuscation, where the obfuscated circuit should leak no information except for its (black-box) input-output functionality.
SECURITY VIA OBSCURITY SOFTWARE
Obfuscation has applications for cryptography and for software protection. Content Indicators: D.2.5 (Testing and Debugging), D.4.9 (Programs and Utilities), General terms: random testing, reliability, UNIX.Īn obfuscator is a compiler that transforms any program (which we will view in this work as a boolean circuit) into an obfuscated program (also a circuit) that has the same input-output functionality as the original program, but is “unintelligible”. We could crash almost half of the programs that we tested in this way. We also tested how utility programs checked their return codes from the memory allocation library routines by simulating the unavailability of virtual memory. The reliability of the basic utilities from GNU and Linux were noticeably better than those of the commercial systems. This study parallels our 1990 study (that tested only the basic UNIX utilities) all systems that we compared between 19 noticeably improved in reliability, but still had significant rates of failure. We were not able to crash any of the network services that we tested nor any of X-Window servers. The result of our testing is that we can crash (with core dump) or hang (infinite loop) over 40% (in the worst case) of the basic programs and over 25% of the X-Window applications. We report which programs failed on which systems, and identify and categorize the causes of these failures. We tested programs on nine versions of the UNIX operating system, including seven commercial systems and the freely-available GNU utilities and Linux. Our testing methods and tools are largely automatic and simple to use. We used a simple testing method of subjecting these programs to a random input stream. We have tested the reliability of a large collection of basic UNIX utility programs, X-Window applications and servers, and network services.
In showing that obscurity measures are an achievable and desirable supplement to other security measures, it is apparent that the in-depth defense of an organization's assets can be enhanced by intentional and effective use of security by obscurity. Exploring effective methods for employing security by obscurity, it can be seen that examples are already embedded unrecognized in other viable security disciplines, such as information hiding, obfuscation, diversity, and moving target defense.
The ramifications of this has resulted in these techniques going underused and underappreciated by defenders, while they continue to provide value to attackers, which creates an unfortunate information asymmetry. Through the perceived absence of true security, the field of security by obscurity has not coalesced into a viable or recognizable approach for security practitioners. This usage initially stemmed from applications and experience in the areas of cryptographic theory, and the open vs. "Security by obscurity" is a bromide which is frequently applied to undermine the perceived value of a certain class of techniques in security.