Famed obfuscator proving thus far to be unhackable

Feb 05, 2014 by Bob Yirka
Professor Amit Sahai is a co-author of this research. Credit: UCLA

(Phys.org) —This past summer a team of researchers from MIT and UCLA, with affiliations with IBM and Microsoft, published two papers on the Cryptology ePrint Archive. The first described a protocol the team had developed for scrambling software to prevent someone else from seeing its code. The second paper added more information. The protocol describes a method of creating an obfuscator—as it's known in computer science—a means for hiding everything about the workings of a computer program except inputs and outputs. For most of the history of computer science the possibility of creating a real obfuscator was more dream than reality. Now, after extensive testing (attempting to hack the code), it appears, according to an in-depth article published in Quanta Magazine, that not only is it possible to create such a virtual device, but it has been done—successfully.

Protecting code from prying eyes is just the tip of the iceberg—if code can be hidden and not cracked, then so too can other information, such as passwords or keys for using other systems. It would be the ultimate encryption scheme—a means for sending anything to anyone else without fear of it being snooped on (even by the government).

The obfuscator does its magic by adding code that is not really code and by mixing pieces of the real code around—like a jigsaw puzzle. To a hacker the code would be nonsensical. And thus far, it seems the scheme is working as envisioned—all attempts at hacking the code have failed.

Amid the good news there is still a note of caution—while the obfuscator does indeed obfuscate the code, it requires a hefty amount of overhead to do so—too much at this point for it to be used in real-world applications. But that, the team suggests, will likely become less and less of an issue as other teams set to work using the ideas the team developed to create leaner code that hopefully will one day soon result in a wide range of products; applications that prevent hackers from stealing identities or other personal information come to mind. Of course, it should be noted that the same technology could also be used for other types of applications, such as rendering DVDs (or digital videos) impervious to copying, a development some might find a little less exciting.


More information: Paper 1. Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits: eprint.iacr.org/2013/451.pdf
Paper 2. How to Use Indistinguishability Obfuscation: Deniable Encryption, and More: eprint.iacr.org/2013/454.pdf


User comments : 11


antialias_physorg
5 / 5 (3) Feb 05, 2014
And thus far, it seems the scheme is working as envisioned—all attempts at hacking the code have failed

How about just running the code (making a complete test set of all functionalities)? That would give you a protocol of all the parts that are actually used and eliminate the gratuitous lines of code.
After that it's pretty straightforward disassembly (as with any other obfuscated code).

I realize that getting complete (test) coverage is a lot of effort. But certainly doable with a finite amount of resources.

One could thwart this by including some gratuitous long-running method, though.

But basically it's like with video/audio files: If you can run it you can copy/disassemble it.
ViperSRT3g
5 / 5 (1) Feb 05, 2014
I also fail to see how it's completely irreversible. For many of the reasons mentioned above.
Argiod
not rated yet Feb 05, 2014
Unhackable...
...is meaningless if it's...
Unaffordable...
baudrunner
5 / 5 (1) Feb 05, 2014
Some code obfuscators are free for use under the GNU public license. And they work like a charm, I know, because I used one once when I created an executable using an open source application for a Java app that I wrote using Netbeans. So nothing has to cost anything, actually. As for the overhead, no biggy, I mean, look at Windows with its ridiculous amount of overhead. Today's computers seem to have no problem managing bulky software. It's a great solution to a pressing need for addressing the paranoia common to software developers who want to make a buck for their efforts.
Jotaf
not rated yet Feb 05, 2014
For more details, there's this blog post by the folks at Microsoft Research:
http://windowsont...art-iii/

Antialias: What you're proposing is possible, but would take time that is exponential in the inputs. If a polynomial-time algorithm can do it, then you're in trouble, and what they're trying to prove is that no algorithms scale well with the size of the problem (what they call an "attack"). (Disclaimer: I am no expert in cryptography.)
DonGateley
3.7 / 5 (3) Feb 06, 2014
This implies the ability to create viruses that cannot be detected in any way other than via their effects. If so, and since you can't sandbox everything, this is the end of the internet as we know it and possibly of any kind of inter computer communication. If I understand it this marks the end of an epoch and an upheaval like no other in history. Back to paper and pen and strictly proximal communication of data.
alfie_null
5 / 5 (1) Feb 06, 2014
Regarding deobfuscation: In IT security, "can't be done" often means something like "can't be done for maybe the next five to ten years or so". Consider how many times we have had to extend the length of crypto keys.
antialias_physorg
5 / 5 (1) Feb 06, 2014
What you're proposing is possible, but would take time that is exponential in the inputs. If a polynomial-time algorithm can do it, then you're in trouble

I agree. I just refuse to accept that it's 'unhackable'. Such statements lead to wrong/unrealistic expectations by managers ("Yeah, we'll use this and we'll be safe")
That they have created an obfuscator that is better than anything on the market is probably true (not knocking their achievement).

But if you go to any type of cryptography seminar they'll tell you: If you rely on "security by obscurity" then you're taking the weakest approach possible.

Even software that can have many inputs (large test-space if you will) can be fuzzed in acceptable time with a Monte Carlo approach to an arbitrarily good degree.
Ens
not rated yet Feb 06, 2014
Skynet approves.
dav_daddy
not rated yet Feb 09, 2014
This implies the ability to create viruses that cannot be detected in any way other than via their effects. If so, and since you can't sandbox everything, this is the end of the internet as we know it and possibly of any kind of inter computer communication. If I understand it this marks the end of an epoch and an upheaval like no other in history. Back to paper and pen and strictly proximal communication of data.


I gathered from the article that this would be useless to attempt to hide malware with. The amount of resources required would mean that it would slow the system to a crawl first, secondly having a big chunk of resources used for gibberish suddenly would be kind of a dead giveaway. That's not even getting into the bandwidth required assuming you are trying to get data off of the infected machine.
DonGateley
not rated yet Feb 09, 2014
@dav_daddy:

Ah, so this obfuscation would slow and bloat executables such that it would be impractical for use in a personal computer? I sure hope that's the case.