Effective CISSP Questions

An in-house development team in your organization is tasked to develop a new information system. As a software developer, which of the following is the best tool to protect the intellectual property of codes?
A. Compiler
B. Obfuscator
C. Debugger
D. Linker

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Obfuscator.

An obfuscator is the software tool that obfuscates the source code (JavaScript), object code (.NET IL/Java Byte code), or machine code so that the obfuscated codes are difficult for humans to understand. 


Obfuscation is a technique of software protection against code comprehension, code tampering, and unauthorized reverse-engineering. It’s a technique of security through obscurity and does not require any inverse transformation as encryption does. Reverse-engineering typically uses disassemblers or de-compiler to transform executable machine code into human-readable code.

In software development, obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements. Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic or implicit values embedded in it, primarily, in order to prevent tampering, deter reverse engineering, or even to create a puzzle or recreational challenge for someone reading the source code. This can be done manually or by using an automated tool, the latter being the preferred technique in industry.

Source: Wikipedia

Obfuscation Techniques

However, obfuscation deters attacks only. After spending enough time to inspect the obfuscated code, a determined attacker might crack the program. As a result, obfuscation typically is complemented by other protection approaches, such as code replacement/update, code tampering detection, protections updating (by that the attackers get a limited amount of time to complete their objective), etc. 

Obfuscation methods include:

  1. code re-ordering
  2. transformation to replace meaningful identifier names in the original code with meaningless random names (identifier renaming)
  3. junk code insertions
  4. unconditional jumps
  5. conditional jumps
  6. transparent branch insertion
  7. variable reassigning
  8. random dead code
  9. merge local integers
  10. string encoding
  11. generation of bogus middle level code
  12. suppression of constants
  13. meshing of control flows

Source: Behera and Bhaskari




My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

您組織中的內部開發團隊的任務是開發新的信息系統。 作為軟件開發人員,下列哪項是保護代碼知識產權的最佳工具?
A. 編譯器 (Compiler)
B. 混淆器 (Obfuscator)
C. 除錯器 (Debugger)
D. 鏈接器 (Linker)

Leave a Reply