Epona and the Obfuscation Paradox: Transparent for Users and Developers, a Pain for Reversers

2019 
Code obfuscation aims at protecting the intellectual property of applications delivered in an unmanaged environment. The process usually involves selecting and successively applying various transformation techniques, for instance at compile time, with the goal of providing a good trade-off between protection and performance. However, solving this problem is known to be very difficult, as the selection of the assets to protect is application and context dependent, the number of transformation combinations can be overwhelming, and modeling the impact of transformation combinations on performance can be tricky. Obfuscators thus usually rely on some guidance from the users, but this shifts the responsibility for the protection quality onto their shoulders. Some feedback about the effects of the transformations is then necessary for the users to be able to assess the requested protection. Therefore, developing a code obfuscator amounts to solving several paradoxes: hiding code and data from the attacker vs. providing traceability for the user; helping to balance obfuscation quality vs. performance penalty; ensuring obfuscation diversity vs. ease of development and usage. While developing the Epona obfuscator, we found that several of these aspects concern the management of the flow of information in the obfuscator: external reporting to the user or verifying tools, and internal reporting between code transformations. This paper presents the framework we set up to unify this management and meet the double challenge of facilitating the everyday experience of both Epona users and maintainers. Epona maintainers can now quickly develop new user-exposed high-level obfuscations that combine several existing basic obfuscation bricks, thus promoting protection diversity and limiting the performance penalty by allowing the newly produced code to be protected distinctively. In addition, this greatly enhances the feedback to the users and eases our development of a verifying tool that checks some protection properties of the generated code at the user's request.