
The Art of Obfuscation


In 2008, the Freedom of Information Act combined with pressure from too many places to list resulted in a revision to security clearances and a reclassification and declassification of information throughout the US government.

Nowhere was it more critical and important than with the NSA and CIA, which had held in secret information that went as far back as World War 2, which because of a respect for the protection of living people, still couldn’t blanketly be released to the public.

Among the responsibilities of the intelligence operation known as Central Services was to collaborate the timed release of information held by the CIA and NSA for what was going to be released, how, and when to the general public.

The importance was obvious. If something was released by the NSA before the CIA, and the information appeared in the very slightest contradictory or incriminatory, Central Services and those like me who served within this group provided additional oversight to correlate the release and guarantee consistency with the information released.

There were two primary releases scheduled.

The first was declassified documentation – literally millions of pages of classified secret and top secret information which had analysts busy for years drawing lines through still classified information that wasn’t deemed ready for the public yet.

The release would be timed to occur both online and available to real world inquiries simultaneously.

The second, and a far more fragile subject – was the release of computer source code.

The United States had been criticized internally by business owners for both unfair competition as well as favoritism (aka Crony Capitalism) which favored established businesses at the expense of start up businesses. And while reams of documentation would be nice to understand the country’s history more, particularly here in a digital age everyone – myself included – knew that as hard as it was to swallow, that a great deal of the source code that had been produced while working for the government deserved to be in the public domain.

When the release of the historical documentation resulted in hammered financial markets around the world and numerous unexpected breaches based on ingenious software that had been developed around the world by competitive nations such as China and Russia which exploited intelligence holes in software based on analysis of our country’s logic alone, we knew we had our work cut out for us in the release of software information used to develop and protect our nation.

Some – many in fact – especially in the US Senate – had questioned the intelligence behind releasing more critical information contained in programmed code, and insisted that because of the exploits which had occurred, that it not happen at all.

MANY individuals – I won’t name names – blocked the attempts to deliver this computer information to the public.

Which I found to be downright weird.

But the wheels were in motion.

Prior to this point, I had dealt with something called code obfuscation.

I’d mostly done it – for fun – with friend/programmers or to annoy people who were maintaining my code, or – as I became more mature in my career – I’d realized there was another use for it – to protect the integrity of the code itself.

To explain.

The dictionary definition of obfuscation is “the action of making something obscure, unclear, or unintelligible.”

So when dealing with computer-based code, a ‘line’ of code is processed by something called an interpreter, which takes the statements a programmer types in and translates those statements into a machine language. These are then linked together to create an application which the machine then uses to perform a task or set of tasks.

And to the programmer, obfuscation means altering these original statements through substitution, redefinition, and other methods, so that the code looks substantially different yet still gets processed to produce the same machine results.

One drawback about code obfuscation is – there’s a tendency to lose performance and maintainability.

But if you’re interested in security – especially securing your intellectual property – or you’re interested in preventing alterations by those who may not fully understand what you’re doing and why you’re doing it in your code, lest they threaten the integrity of the entire system, it’s a wonderful way to ensure the developer/programmer educates themselves about why you’ve done what you’ve done before they make changes to it.

And finally.

Another reason to obfuscate is quite simply to prevent anyone reading it from understanding what it’s doing.

So first, when the classified documents were released and we realized the very strange truth to who our audience was and how THEY thought, we realized that code obfuscation was an absolute imperative.

Put specifically. We realized our code wasn’t going to be looked at and analyzed in the way that we as humans might analyze it, and that it was the machine level information that was being looked at. And to increase the sheer volume and complexity of machine level instructions to be analyzed, obfuscation became an absolute necessity, if at the very least to encourage understanding the origin of the machine level instructions, which hopefully would lead to the actual comprehension of human readable language and programming languages which provided a way for humans to talk to machines in a human readable format.

Obtuse explanation?

Perhaps.

I won’t explain further, and hope that explanation gets the point across on what happened.

So for the next three years. I worked with too many people to count to intentionally set up distribution points for the source code.

Github.com and Sourceforge.net being two of the primary release sites for source code.

And instead of seeing a line like this in code:

if(( 1 + 2 ) = 3) then

From there I might algebraically substitute as a first form of obfuscation by refactoring the code as follows:

dim nA as integer
dim nB as integer
dim nC as integer

nA = 1
nB = 2
nC = 3

If((nA + nB) = nC) then

The same operation occurs. Only I added some more steps to get it to happen.

And let’s say I’m feeling creative. And maybe a little annoying. I can then change the code to be this:

dim nA as integer
dim nB as integer
dim nC as integer

nA = ( ( 27 - 13 ) / 7 ) / 2   ' evaluates to 1
nB = ( nA * 100 ) mod 49       ' 100 mod 49 = 2
nC = 2 ^ 2 - 2 ^ 1 + 1         ' 4 - 2 + 1 = 3

If((nA + nB) = nC) then

So now I’ve obscured the values I’m checking for. There’s no real limit to how far I can obfuscate code, and the methods are completely at the discretion of the programmer, and oftentimes depend on their experience with and awareness of the language they’re working within.
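
From the reviewer's side, this kind of arithmetic substitution is undone by constant folding and propagation. The sketch below is an added example, not code from the original post: it evaluates a constructed snippet written in the post's style and recovers the literal values and the outcome of the check. The names `SAMPLE`, `to_python`, `fold` and `deobfuscate` are illustrative, and it assumes `Mod` operands are parenthesised and divisions come out exact.

```python
import ast
import operator
import re

# Constructed sample in the style of the post's snippet (not copied from it).
SAMPLE = """\
nA = ( ( 27 - 13 ) / 7 ) / 2
nB = ( nA * 100 ) mod 49
nC = 2 ^ 2 - 2 ^ 1 + 1
If((nA + nB) = nC) then
"""

OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
       ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}

def to_python(expr):
    # Assumption: Mod operands are parenthesised, so VB and Python precedence agree.
    expr = re.sub(r"\bmod\b", "%", expr, flags=re.I)
    return expr.replace("^", "**").strip()

def fold(node, env):
    """Evaluate an arithmetic AST using only literals and already-known variables."""
    if isinstance(node, ast.Expression):
        return fold(node.body, env)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        return env[node.id]  # KeyError: value is not statically known
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](fold(node.left, env), fold(node.right, env))
    raise ValueError("unsupported construct: " + ast.dump(node))

def evaluate(expr, env):
    return fold(ast.parse(to_python(expr), mode="eval"), env)

def deobfuscate(source):
    """Return (variable values, outcome of the final If check or None)."""
    env, verdict = {}, None
    for line in source.splitlines():
        line = line.strip()
        cond = re.match(r"if\s*\((.*)\)\s*then$", line, flags=re.I)
        if cond:
            left, right = cond.group(1).split("=", 1)
            verdict = evaluate(left, env) == evaluate(right, env)
        elif "=" in line:
            name, expr = line.split("=", 1)
            env[name.strip()] = evaluate(expr, env)
    return env, verdict
```

Calling `deobfuscate(SAMPLE)` gives back 1, 2 and 3 for the three variables and a true condition, which is the original `if(( 1 + 2 ) = 3)` check.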

Occasionally, I’d do things like this in my Visual Basic 6.0 code:

dim nA as integer
nA = 11
if( not nA = "11") then

Now a statement like this, at least in Visual Basic 6.0, regardless of the values contained in double quotes, will ALWAYS be valid, even if the value in nA is 11 as demonstrated above. This is a lesson in creative expression – so when someone is reading the code, if you don’t know data types, you may not know the rules of Visual Basic and you’ll assume that everything will get processed.

Which is an important part of obfuscation.

Obfuscation isn’t just about substitution, it’s about leading those reviewing the code astray by creating logical conditions which require you to understand the semantics and nuances of the language to understand how it logically operates.

An analogy I have is when I went to Sofia, Bulgaria and was really drunk one night with two of my friends, taking a taxi back to the hostel and I was in charge of giving directions.

The taxi driver pointed his finger to the left and I shook my head up and down, not knowing ‘da’ and ‘nu’, nor knowing that shaking my head was the equivalent of a no. So the taxi driver made a right.

And while all of us were braced for a left turn. We all suddenly found ourselves on the left side of the car as the driver made a right.

Being drunk it’s funny as hell.

But sober, seeing code that asks one thing and ignores the statement or does something opposite of expectation can be frustrating as hell.

But being honest.

This whole blog entry.

I can’t say I’m really going anywhere with it.

I suppose that’s the art of doing or saying absolutely nothing in a lot more words and statements than “I ain’t got shit goin on here”.

Sometimes. YA just make shit up. Pull it out yo ass.

And should someone stumble on your words.

Knowing you called yourself the Master of Smoke and Mirrors.

While I was and am a good coder.

I am SO much better at misdirection.

An artist, you could say.

Maybe even.

A Magician.

God I loved that movie Office Space.

 

