Java Control Flow Obfuscation

The language Java was designed to be compiled into a platform independent bytecode format. Much of the information contained in the source code remains in the bytecode, which means that decompilation is easier than with traditional native codes. As a result, software developers are taking seriously the threat of competitors using reverse-engineering to extract proprietary algorithms from compiled Java programs. We examine several technical protection techniques that could be used to hinder the reverse-engineering of software. We claim that code obfuscation is the most suitable technical protection technique that can be applied to a portable language like Java. The technique of code obfuscation involves applying obfuscating transformations to a program. These transformations make the program more di cult for a reverse-engineer to understand but do not a ect the functionality of the program. We focus on a particular category of obfuscating transformations | control ow obfuscation. Control ow obfuscations disguise the algorithms used by a program by introducing new fake control ows, creating features at the object code level which have no source code equivalent or altering the way in which statements are grouped. There are many practical aspects to be considered when applying obfuscating transformations to Java programs. The fact that Java programs are portable and are veri ed before execution makes obfuscating transformations more di cult to apply. The veri cation stage ensures that programs do not perform illegal operations, such as corrupting a user's system. Obfuscating transformations can be applied automatically to a program by a tool called an obfuscator. In this thesis, we present one possible method of implementing such an obfuscator. We rst discuss the design decisions made to address implementation problems. Then, we use the obfuscator on examples of Java code and examine how e ective the obfuscating transformations are in impeding reverse-engineering.