Bugfuscation
摘要
We introduce bugfuscation, a code obfuscation technique relying on bugs or vulnerabilities to hide part of the control flow of a target program. The technique has been evaluated on Java programs on the Java virtual machine and also affects Android’s Dalvik virtual machine and the more modern Android Run time ART. The approach bypasses automated static program verification and validation techniques such as state-of-the-art taint trackers. At least 95.6% of all OpenJDK versions from 1.6 to 21.0.4 and 71.6% of Android versions from version 2.3 to 15 contain the necessary vulnerability to bugfuscate Java or Android code.