We measure the quality of our obfuscation transformations by following the metrics described in Collberg's "A Taxonomy of Obfuscation Transformations". The metrics are Potency, Resilience and Cost, and are described in the following sections.
Although Collberg provides different scales for each of the metrics, we've simplified and adapted the measurements, so each of the metrics is categorized as none, low, medium and high.
You will find values for Potency, Resilience and Cost for each transformation. Here are the metrics of the Variable Grouping transformation:
Potency measures how difficult it is for a human to understand the obfuscated code when compared to the original code. To calculate Potency, we resorted to Software Complexity Metrics, such as Halstead's Metrics and Cyclomatic Complexity, which were designed to aid in the development of readable and maintainable programs. These metrics allow us to determine the impact of the transformations in the code.
Resilience measures the difficulty to revert the transformed code into its original form. Resilience goes hand-in-hand with Potency since some transformations may fool a Human reading the code but can be easily reversed by a deobfuscator. An example would be adding an if statement which introduces a dummy variable. A Human might not be able to identify the code as dummy code where a deobfuscator would easily be able to remove the statement.
Resilience is calculated by combining the following metrics:
Cost represents the impact of a given transformation in the execution time of a transformed application as well as the impact on the application's file size.