Obfuscation of Abstract Data-Types - Rowan
CHAPTER 3. TECHNIQUES FOR OBFUSCATION
could define length as follows:

    public static int length(list l)
    {
        // Walk the list, counting one node per step.
        int s = 0;
        while (l != null)
        {
            s = s + 1;
            l = l.next;
        }
        return s;
    }

We can consider this to be an operation on the data-type of lists which leaves a list unchanged but gives a natural number as an output. This conversion from “function” to “operation” is valid for all our definitions and so, in our cases, these two notions are equivalent. Thus we will write operation or function to denote the actions that we allow on our data-types.

3.2 Obfuscation as data refinement

Suppose that we have a data-type D and we want to obfuscate it to obtain the data-type O. Obfuscating D involves giving definitions for the obfuscation of each of the operations defined in D and ensuring that they are correct. What does it mean to be correct and how can we prove correctness?

To provide a framework for obfuscating data-types (and establishing the correctness of the obfuscated operations) we view obfuscation as data refinement [16]. A refinement can be achieved by a relation R between an abstract and a concrete state:

    R :: A ↔ C

that satisfies a simulation condition [16, Section 2.1]. A refinement is called functional if and only if there exists a data-type invariant dti and a function af called an abstraction function with type:

    af :: C → A

such that R has the form

    a R c ≡ af(c) = a ∧ dti(c)

If we have a functional refinement then each instance of the concrete state satisfying the data-type invariant is related to at most one instance of the abstract state. That corresponds to the concrete state having more “structure” than the abstract state. In general, when obfuscating we aim to obscure the data-type by adding more structure and so we propose that the obfuscated data-type O will be no more abstract than the original data-type D. Thus the most general form of refinement for us is functional refinement. This formulation allows us to have many obfuscations which can be “undone” by the same abstraction function (see Section 7.2.2 for an example using trees). We may have a situation where we obfuscate a data-type by first performing a (possibly non-functional) refinement and then obfuscating this refinement. As data refinement is a well-known technique, we will concentrate on just the obfuscation part of the refinement.
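
The functional refinement described above can be made concrete with a small added example (not code from the thesis). It assumes an illustrative obfuscation that stores an integer list as two halves holding the even-position and odd-position elements; the names Split, lengthO, consO and refines are hypothetical, and the code needs Java 16 or later for records.

```java
import java.util.ArrayList;
import java.util.List;

public class SplitListRefinement {
    // Concrete (obfuscated) state C: even- and odd-position elements kept apart.
    record Split(List<Integer> even, List<Integer> odd) {}

    // Data-type invariant dti: the halves differ in length by at most one,
    // with any extra element in the even half.
    static boolean dti(Split c) {
        int d = c.even().size() - c.odd().size();
        return d == 0 || d == 1;
    }

    // Abstraction function af :: C -> A, interleaving the halves into one list.
    static List<Integer> af(Split c) {
        List<Integer> a = new ArrayList<>();
        for (int i = 0; i < c.even().size(); i++) {
            a.add(c.even().get(i));
            if (i < c.odd().size()) a.add(c.odd().get(i));
        }
        return a;
    }

    // Obfuscated length: never rebuilds the abstract list.
    static int lengthO(Split c) { return c.even().size() + c.odd().size(); }

    // Obfuscated cons: x takes position 0, so the old halves swap roles.
    static Split consO(int x, Split c) {
        List<Integer> even = new ArrayList<>(c.odd());
        even.add(0, x);
        return new Split(even, new ArrayList<>(c.even()));
    }

    // Correctness at one state: each obfuscated operation agrees with the
    // abstract operation applied to af(c), and dti is preserved.
    static boolean refines(int x, Split c) {
        List<Integer> expected = new ArrayList<>(af(c));
        expected.add(0, x); // abstract cons on af(c)
        Split c2 = consO(x, c);
        return dti(c) && dti(c2)
            && lengthO(c) == af(c).size()
            && af(c2).equals(expected);
    }

    public static void main(String[] args) {
        Split c = new Split(List.of(1, 3, 5), List.of(2, 4)); // constructed sample state
        System.out.println(af(c) + " refines: " + refines(0, c));
    }
}
```

Checking one state is a test, not a proof: establishing correctness means showing the same equations hold for every concrete state that satisfies dti.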