Polyscripting vs Obfuscation

By Archis Gore

Polyscripting is often confused with obfuscation, but if we dig deeper, we realize these two techniques solve fundamentally different problems.

Obfuscation is a common term thrown about as one of the cybersecurity technologies of the future, but what is it exactly and why is it supposedly game changing? At the simplest level, obfuscation prevents a malicious actor from understanding the intent of code by expressing it in a convoluted or confusing manner while not changing anything about the original programming language. This makes software code difficult (not impossible) to reverse engineer to protect the developer’s intellectual property (IP). This technique is often used to thwart hackers as a defense-in-depth method. However, it doesn’t prevent a hacker from injecting malicious code if a vulnerability is discovered.

On the other hand, Polyscripting prevents unwanted code execution, by changing the basic language of the program itself unbeknownst to the attacker. This prevents all unsanctioned code, no matter how it is injected, from executing since the programming language is now scrambled.

To better understand the difference, we can illustrate this through a simple example:

Obfuscation of a secret recipe

Suppose Bob wants to communicate a secret recipe such as the famous KFC or Coca Cola formulas to thousands of franchises. They have to employ a third-party, Ted, to carry the formula from the main headquarters to every franchise location. However, this leaves Bob with the problem of Ted, who could possibly steal and replicate the formula.

Let us consider the formula for your secret recipe is the following:

  1. Take 10 cloves of garlic
  2. Smash them together with powdered cinnamon.
  3. Add paprika
  4. Dust with nutmeg.

Pretty easy for any average courier to understand.

Bob has a clever solution though. If Bob can insert a lot of non-sensical, confusing, and irrelevant information in that formula, Ted may be deterred from attempting to replicate it, thinking it is too complicated and not worthwhile:

  1. Start with one goat. Graze it on a green pasture.
  2. Go to the local supermarket and buy garlic.
  3. Bring the goat to the franchise.
  4. Plant a mango tree in the franchise backyard.
  5. Buy nutmeg
  6. Boil 2 dozen eggs
  7. Add paprika to a bowl
  8. Ensure you have toasted bay leaves
  9. Add powdered cinnamon to the bowl above
  10. Tie the goat to the mango tree. Watch the goat to ensure it won’t eat the sapling.
  11. Smash some garlic in the bowl.
  12. Peel the 2 dozen eggs
  13. Dust nutmeg onto the bowl
  14. Deep fry the peeled eggs
  15. Use mixture in the bowl for secret recipe.

You’ll notice that in the new obfuscated formula, the last step gets you the recipe. If you follow what step 15 depends on backwards (i.e. what’s in “the bowl”), you’ll notice steps 13, 11, 9, 7, 5 and 2 are the only ones that matter.

This is exactly what obfuscation achieves. It is arguably much less desirable to steal than the original formula. Without a doubt, obfuscation improves the security and IP protection from the original version but for a determined attacker everything is hackable and eventually obfuscation will break too.

However, even with obfuscation there is still one fundamental attack that Ted can do:

  1. Start with one goat. Graze it on a green pasture.
  2. Go to the local supermarket and buy garlic.
  3. Bring the goat to the franchise.
  4. Plant a mango tree in the franchise backyard.
  5. Buy nutmeg
  6. Boil 2 dozen eggs
  7. Add paprika to a bowl
  8. Ensure you have toasted bay leaves
  9. Add powdered cinnamon to the bowl above
  10. Tie the goat to the mango tree. Watch the goat to ensure it won’t eat the sapling.
  11. Smash some garlic in the bowl.
  12. Peel the 2 dozen eggs
  13. Dust nutmeg onto the bowl
  14. Deep fry the peeled eggs
  15. Use mixture in the bowl for secret recipe.
  16. Add Cyanide to the Secret Soup

Obfuscated or not, Step 16 is a legitimate and valid part of this recipe, and no matter how convoluted or complicated the formula is made, it cannot be detected or avoided. If Ted chooses to bypass the entire recipe and instruct the addition of cyanide, the recipe is now deadly. While this is a great analogy, what does it look like for computer code?

Obfuscation for Computer Code

Imagine you have a simple program to add two numbers:

var sum = 10 + 12;

Now you may obfuscate this in a very complex fashion:

var sum = 5 * 2 + 3^2 + 3;

which an attacker will find quite cumbersome to reverse-engineer.

Instead an attacker can simply add “cyanide” at the end:

var sum = 5 * 2 + 3^2 + 3;
deleteRecursively(“/”);

No matter how much you obfuscate, the fundamental injection of code cannot be stopped, and injected code can simply delete your database.

Polyscripting

So, what can you do? This is where Polyscripting comes in. Polyscripting fundamentally solves the problem by changing the language a computer speaks, instead of just convoluting it. Let’s go back to our example of the recipe and see how Bob fares now.

Polyscripting the secret recipe

Even though Bob tried to obfuscate the recipe to disincentivize Ted from stealing it only partially worked since Ted simply made it deadly by injecting cyanide.

Now Bob has a better idea. What if all restaurants instead spoke in Sanskrit? Ted doesn’t know that the recipe is now in Sanskrit, and by the time Ted could learn the language, Bob will have switched to Klingon. Even if Ted learns every language in the world, Bob can hire fantasy authors to construct new fictional languages to communicate in. In a nutshell this is Polyscripting.

Here is the original recipe:

  1. Take 10 cloves of garlic
  2. Smash them together with powdered cinnamon.
  3. Add paprika
  4. Dust with nutmeg.

Now, let’s Polyscript it in Marathi:

  1. ???? 10 ??????? ????
  2. ??????? ????? ????????? ????? ?????.
  3. ??????? ????
  4. ???????? ???.

Let’s see if Ted can manipulate, steal or share that! But what if Ted resorts to his old tricks of merely adding a malicious deadly step at the end?

Ted’s foolish attempt at poisoning the recipe:

  1. ???? 10 ??????? ????
  2. ??????? ????? ????????? ????? ?????.
  3. ??????? ????
  4. ???????? ???.
  5. Add Cyanide to the secret recipe

That stands out like a sore thumb! Not only do we know this step wasn’t added by Bob (preventing a deadly tragedy), but we also caught Ted being up to no good. If Bob changes his language every day, Ted will never be able to keep up.

Polyscripting for Computer Code

The example provided above is a perfect analogy for Polyscripting. Let’s look again at our simple code:

var sum = 10 + 12;

Let’s polyscript this into a brand-new language!

lhsdsa sum ^ 37 ) 35!

This is a NEW language – the fundamental vocabulary is different. Ted has no idea the language has changed, and resorts to his old tricks:

lhsdsa sum ^ 37 ) 35!

deleteRecursively(“/”);

“deleteRecursively” remains since it is a user-defined symbol. But everything else about the language is different. The semicolon at the end is now an exclamation mark. The right parentheses is the addition operator.

Of course, that malicious code will not execute, and Ted will be caught in the act.

Polyscripting purely stops any and all attempts at executing injected code, because it breaks the most basic fundamental parts of the language it was written in.

This is the power of Polyscripting. Polyscripting is fundamentally different than obfuscation. While obfuscation makes it more difficult for a hacker to reverse engineer the code, it doesn’t prevent code injection. Whereas Polyscripting changes the syntax of the programming language, preventing injected code from running. This approach eliminates code injection attacks. To learn more about Polyscripting read our whitepaper.

Interested in learning more?

Be the first to hear about the latest product releases and cybersecurity news.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.