Can obfuscation affect performance?
Almost every commercial application nowadays uses code protection. Traditionally, .NET applications are protected by obfuscation. An obfuscator renames metadata, changes the code, making it difficult to decode, hides resources, encrypts string literals, and so on.
This approach looks very attractive, but developers often wonder whether obfuscation affects performance. The question sounds simple, but the answer is not obvious at all. As usual, “the devil is in the detail” what kind of obfuscation has been used.
In this article, using some exact examples, we will have a look at how different obfuscation methods affect performance and draw conclusions about which of them should be used and when.
Although we consider a certain platform, .NET, the findings of this study can be applied to other environments such as Java; that’s to be expected because the principles of code protection are platform-independent.
As an example in this article, we will take the implementation of the cryptographic hash function sha256, in C#. The project has four classes that calculate the hash. All the classes contain the same code, differing only in which obfuscation method is applied to the methods.
The project is available on GitHub: https://github.com/Softanics/ObfuscationSpeedTest
The program will calculate the hash 1000 times using each of the classes. Then it will display the execution time of each obfuscation method and the speed difference between the original code and the obfuscated code execution time.
In our test we’ve got the following numbers:
Without obfuscation: 0.02298607 msNames obfuscation: 0.02341139 ms (+1%)Control flow obfuscation: 0.06654356 ms (+189%)Virtualization: 1.5812997 ms (+6779%)
Names obfuscation
The very first obfuscators did nothing but change the names of public classes, properties, fields, etc. This method is really simple, but quite effective because the information about the names of classes and methods allows you to understand well what the code is doing. Names such as ShowNagScreen and IsSerialKeyValid speak for themselves!
What can we say about the impact of metadata renaming on the speed of obfuscated code execution? The speed practically does not change, and it is easy to understand why: after all, the method code itself remains the same:
Names obfuscation: 0.02341139 ms (+1%)
Control Flow Obfuscation
This approach extracts all branches from the original code into separate methods (each is assigned an index). After obfuscation, the method is presented as a loop that calls these methods one in a time.
If this approach it is difficult to restore the original code because it’s necessary to find all methods for each branch, as well as to understand the logic of calculating the index for the next method.
ArmDot uses the calli instruction, which slows down the execution (+ 189% in our example), since calling by pointer method is slower than a normal call. In addition, JIT does not have such broad capabilities for optimizing intermediate code, since in this case, the JIT is forced to optimize each method separately:
Code Virtualization
Code virtualization is the most advanced virtualization approach, but also the most expensive in terms of performance. Each instruction of the original code is encoded for execution on a virtual processor. Thus, it turns out that the original code is interpreted, which is always slow. In our example, the speed is reduced by about 60 times. This is the price to pay for the fact that it is almost impossible to deobfuscate the virtualized code:
Conclusions
- The more advanced obfuscation is used, the slower the obfuscated code is executed.
- Name obfuscation does not affect the performance and should always be used.
- You can virtualize methods that are not computationally intensive. Otherwise, control flow obfuscation should be used.
FAQs
The more advanced obfuscation is used, the slower the obfuscated code is executed. Name obfuscation does not affect the performance and should always be used.
Does code obfuscation affect performance? ›
Disadvantages of Code Obfuscation
Some estimate that obfuscation can impact program performance between 10% and 80%. This criticism is reasonable because it's true: adding obfuscation tactics results in extra layers of complexity and affects performance.
What are the disadvantages of obfuscation? ›
In some cases, malicious actors include vendor-specific techniques. Another disadvantage of obfuscation is it can make code more difficult to read. For example, code that uses the string encryption obfuscation method requires decryption of the strings at runtime, which slows performance.
What are the risks of obfuscation? ›
Obfuscation reduces risk of fines, and protects data even if breached. Data sharing: With data sharing growing in importance, data masking is the way forward. You can share with third parties, or even make datasets public, when you mask sensitive information.
Does obfuscation really work? ›
Enhance Security: By making your software's code difficult to read and comprehend, obfuscation can help to protect against hacking attempts and enhance the application's file security. Avoid Code Tampering: Obfuscation can help detract unauthorized code alteration by making it harder to understand.
What is the fallacy of obfuscation? ›
It involves the strategic manipulation of information, language, or visual cues, leading to an altered perception or understanding of a situation. Obfuscation can take many forms, such as cryptic messaging, misleading visuals, complex jargon, or intentionally convoluted explanations.
Is JS obfuscation worth it? ›
JavaScript Obfuscation can make it extremely difficult for hackers to reverse-engineer, analyze and exploit the application. Advanced obfuscation techniques include control flow alteration, literal transformation, property access transformation and local declaration mangling.
What is the obfuscation rule? ›
Obfuscation rules define what logs to apply obfuscation actions to. Obfuscation rule actions define what attributes to look at, what text to obfuscate, and how to obfuscate (either by masking or hashing). Obfuscation expressions are named regular expressions identifying what text to obfuscate.
Can you reverse obfuscation? ›
The difference between the original code and the obfuscated code are then analyzed. The results show that it is possible to reverse engineer obfuscated code but some parts.
What are the benefits of obfuscation? ›
Code obfuscation makes it tough for hackers to figure out how the app works, so they can't easily find ways to break in and steal data. Cryptographic safety: When you use encryption to keep things safe, obfuscation can make sure the encryption stays strong.
Encryption provides confidentiality for sensitive information by converting code into ciphertext, making it unreadable to anyone who does not have the decryption key. Obfuscation, on the other hand, does not provide confidentiality, as the code remains in a readable form, just more difficult to understand.
What is better security through obfuscation? ›
In security engineering, security through obscurity is the practice of concealing the details or mechanisms of a system to enhance its security. This approach relies on the principle of hiding something in plain sight, akin to a magician's sleight of hand or the use of camouflage.
What is obfuscation for dummies? ›
Code Obfuscation is the process of modifying an executable so that it is no longer useful to a hacker but remains fully functional. While the process may modify actual method instructions or metadata, it does not alter the output of the program.
What are the pros and cons of obfuscation? ›
Pros and Cons of data obfuscation
Obfuscation makes it easy for an organization to share data with third parties by masking out sensitive data. It also helps in the minimization of security risks. The cons of data obfuscation are it is a complex process and needs much more resources and effort.
What are the most common obfuscation techniques? ›
Compression, encryption, and encoding are some of the most common obfuscation methods used by threat actors. Multiple methods are often used in tandem to evade a wider variety of cybersecurity tools at the initial point of intrusion.
Is obfuscation reversible? ›
Obfuscating data, similar to encoding it, can be reversed if the person accessing it has the algorithm used to make the transformation. Obfuscation does not require a key and indeed it can be manually undone, albeit sometimes with considerable effort.
What is the impact of obfuscation in data hiding? ›
Improved Data Security: Obfuscating data makes it harder for malicious actors to access and misuse sensitive information. By obscuring data, organizations can protect their critical information from potential breaches.
Is obfuscation better than encryption? ›
Encryption provides a higher level of security than obfuscation, but requires more processing power and resources. “Obfuscation is not meant to provide a high level of security, but rather to deter casual attackers and make it more difficult for them to reverse-engineer your code.”
