Summarizer

Binary Obfuscation Effectiveness

Discussion of Microsoft allegedly shuffling code blocks to thwart BinDiff. Debate whether obfuscation provides meaningful protection against serious adversaries given modern decompilation tools.

← Back to AI is breaking two vulnerability cultures

17 comments tagged with this topic

View on HN · Topics
> It has been over a decade since any ordinary off-the-shelf closed-source software was meaningfully obscured from serious adversaries. Probably goes without saying, but the last line of defense is not deploying your software publicly and instead relying on server-client architectures to do anything. Maybe this will be more common as vulnerabilities are more easily detected and exploited. Of course it's not always feasible. It has been annoying seeing my (ProGuard-obfuscated) game client binaries decompiled and published on GitHub many times over the last 11 years. Only the undeployed server code has remained private. Interestingly, I didn't have a problem with adversaries reverse engineering my network protocols until I was updating them less frequently than weekly. LLM-assisted adversaries could probably keep up with that now too.
> BinDiff: you can't patch software without disclosing vulnerabilities
That's why Microsoft has been obfuscating its binary builds for at least the last two decades, so that even two builds from the same source would produce very different blobs.
Sounds dubious; do you have a citation? The disassembly looks very straightforward for a lot of Windows code.
They're not encoded, but the code blocks are shuffled. That's why disassembly does look straightforward, but it used to thwart BinDiff at the time.
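The shuffling claim above is easiest to reason about with a small constructed model. The Python below is an added illustration, not code from any commenter or from BinDiff; the toy control-flow graph, its labels and the hypothetical bounds-check patch are all assumptions. It shows that changing block emission order breaks a byte-level layout comparison but leaves an order-insensitive, CFG-aware comparison (the structural matching BinDiff-style tools rely on) unchanged, while a genuine patch still stands out.

```python
import hashlib

# Constructed toy CFG (not real Windows code): label -> (instructions,
# successor labels). Jump targets are labels, so emission order can change
# without touching the instruction text, which is what a block shuffle does.
BASE = {
    "entry": (["cmp edi, 0", "jl fail"], ["body", "fail"]),
    "body": (["mov eax, [rsi+rdi*4]", "ret"], []),
    "fail": (["xor eax, eax", "ret"], []),
}
# Hypothetical fix: the same function with an added upper-bound check.
PATCHED = dict(BASE)
PATCHED["entry"] = (["cmp edi, 0", "jl fail", "cmp edi, 16", "jge fail"],
                    ["body", "fail"])
ORDER_A = ["entry", "body", "fail"]  # emission order of build A
ORDER_B = ["fail", "entry", "body"]  # same code, blocks shuffled

def layout_bytes(cfg, order):
    """Naive view: blocks concatenated in emission order."""
    return b"\n".join("; ".join(cfg[lbl][0]).encode() for lbl in order)

def naive_diff(cfg_a, order_a, cfg_b, order_b):
    """Byte-for-byte comparison of the emitted layout (what shuffling breaks)."""
    return layout_bytes(cfg_a, order_a) != layout_bytes(cfg_b, order_b)

def block_sig(cfg, label):
    """Hash a block by its instructions with jump labels abstracted away,
    so relocating or renaming a block does not change its signature."""
    norm = []
    for insn in cfg[label][0]:
        toks = ["<tgt>" if t in cfg else t for t in insn.replace(",", " ").split()]
        norm.append(" ".join(toks))
    return hashlib.sha256("|".join(norm).encode()).hexdigest()[:12]

def cfg_sig(cfg):
    """Order-insensitive signature: sorted block hashes plus CFG edges
    expressed between block hashes instead of addresses."""
    nodes = sorted(block_sig(cfg, lbl) for lbl in cfg)
    edges = sorted((block_sig(cfg, a), block_sig(cfg, b))
                   for a in cfg for b in cfg[a][1])
    return tuple(nodes), tuple(edges)

def changed_blocks(cfg_old, cfg_new):
    """Blocks whose signature appears only in the new build: the real patch,
    regardless of how either build was laid out."""
    return sorted(set(cfg_sig(cfg_new)[0]) - set(cfg_sig(cfg_old)[0]))

if __name__ == "__main__":
    print("naive diff, same code shuffled:", naive_diff(BASE, ORDER_A, BASE, ORDER_B))
    print("structural diff, same code:", changed_blocks(BASE, BASE))
    print("structural diff, patched:", changed_blocks(BASE, PATCHED))
```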
If I understand correctly, that is just randomness that comes from parallel compiling and linking. If you're saying there is a whole step just scrambling blobs, I will be very surprised.
That sounds a lot like US9116712, but I don't think it's ever been publicly said that Windows does this.
What made you believe this is the case? Any examples/links/etc.?
It was a part of our Windows build process when I was at Microsoft. I only assumed that they would keep doing it, but they might as well have dropped the practice.
I don't see how that can be useful when Microsoft publishes debug symbols for almost everything.
How are they obfuscated?
See my sibling comment.
Everything I can find says they are not obfuscating.
I like how after so many years, people finally start recognizing that obscurity is a part of security. Not the whole security, obviously, but a part of it.
Just like there's LLM-automated vulnerability fuzzing, there's LLM-automated decompilation. Compilation is no longer a meaningful way to obscure code.
You would be surprised how adept SOTA models are at reverse engineering with IDA/Ghidra or even plain old objdump. Opus basically knows IDAPython like the back of its hand.
Decompilation is quite good these days as well.
A 3rd culture - the "security through obscurity" culture, where some random little library might be a potential weak link, but will anyone really bother to hack it? Not as worrisome in a philosophical way (since it's not a serious culture), but it's a real issue. And just wait for a nation state to start astroturfing helpful little libraries at scale ...