Obfuscation has long been one of my strongest security measures. Cold War espionage writing taught me it's critical against nation-state opponents, since they'll eventually outsmart any specific, known technique. What obfuscation does, used effectively, is require the attacker to have already succeeded at some attack before they can even launch one. That paradox forces them to attack you in many different ways, increasing their work and their exposure risk. The more obfuscation you build in, the more both go up. To keep obfuscations effective: make them invisible from the users' and network's perspective; make sure the obfuscation itself doesn't negate key properties of your security controls; make darned sure there are security controls rather than only obfuscation; let only a few individuals know the obfuscations; and control them from air-gapped (or guarded) machines.
Here are some obfuscations I've used in practice with success, including against strong attackers, per monitoring results, third-party tests, and occasional feedback from sysadmins who applied them or independently invented them:
1. Use a non-x86, non-ARM processor combined with a hardened Linux or BSD configuration that advertises itself as an x86 box. Leave no visible evidence you're buying non-x86 boxes. This can work for servers; some did it with PPC Macs after they were discontinued. This one trick has stopped so many code-execution attempts for so long it's crazy. I really thought a clever shortcut would have appeared by now outside browser JavaScript, memory leaks, or the like. An expansion of it using FPGAs is randomized instruction sets with logging and a fail-safe for significant, repeated failures.
2. Non-standard ports, names, whatever for just about everything. Works best if you're not relying on commercial boxes that might assume specific ports and such, so be careful there. This one, though, just keeps out the riff-raff. Combine it with strong HIDS and NIDS in case smarter attackers slip up, but don't rely on it against them.
3. Covert port-knocking schemes. An example of a design I think I modified and deployed was SILENTKNOCK [1]. It gives no evidence a port-knocking scheme is in use unless the attacker has a clear picture of network activity. Even then, they can't tell from the packets how your traffic was authorized. Modifications to that scheme that don't negate its security properties, and/or use of safety-enhanced languages/compilers, can improve its effectiveness. My deployment strategy for this and for guards was a box in front of the server that did it transparently. Lets you protect Windows services prone to 0-days. Think it stopped an SSH attack or something on Linux once; can't recall. Very flexible. Can be improved if combined with an IP-level, machine-to-machine tunneling protocol on the intranet, which can itself be obfuscated.
4. Use of unpopular but well-coded software for key servers or apps. I especially did this for mail, DNS, and web servers. Black-hat economics means they usually focus on what brings the most hacks for the least time investment. This obfuscation counters that incentive by making them invest in attacking a niche market with almost no uptake. Works on desktops, too, where I recommended alternative office suites, PDF readers, browsers, and so on that had at least the same quality but likely not the same 0-days as what was getting hit.
5. Security via diversity. This builds on 4: you combine economics and technology to force black hats to turn a general, one-size-fits-all hack into a targeted attack built specifically for you. You might choose among safe libraries, languages, protocols, whatever, without advertising their use in the critical app or service. Additionally, there's CompSci work on compilers that automatically transform your code into equivalent but slightly different code, with different probabilities of exploits due to different internal structure. That's not mature yet, imho. You could say all the randomization schemes in things like OpenBSD and grsecurity fit here too; those are more mature and field-tested. If Googling, the keywords for the CompSci research are "moving target," "security," "diversity," and "obfuscation" in various combinations.
6. My old polymorphic crypto uses obfuscation. The strongest version combined three AES candidates in counter mode in layers. The candidates, their order, the counters, and of course the keys/nonces were randomized, with the exception that the same cipher couldn't be used twice. That restriction came from the only criticism I got that was backed by evidence: the meet-in-the-middle attack on double DES. FPGAs got good at accelerating specific algorithms, so I modified the scheme to allow weaker ciphers like IDEA or Blowfish in the middle layer, but no fewer than one AES candidate in an evaluated configuration and implementation, preferably on the outer layer. Preferably two AES candidates plus one non-AES for computational complexity. All kinds of crypto people griped about this but never posted a single attack against such a scheme, whereas I provably stop one-size-fits-all attacks on crypto by layering several ciphers randomly with at least one strong one. Later, I saw TripleSec do a tiny subset of it to some praise. I also convinced Markus Ottela of Tinfoil Chat to create a non-OTP variant using a polycipher. He incorporated that plus our covert-channel mitigations to prevent traffic analysis; fixed-size, fixed-interval transmission is an obfuscation that does that, which I learned from high-security, military stuff.
7. The last one, inspired by recent research, is to use any SW or HW improvements from academia that have been robustly coded and evaluated. These usually make your system immune to common attacks [2], mitigate unauthorized information flows [3], create minimal TCBs [4] [5], use crypto to protect key operations [6], or obfuscate the crap out of everything [7]. I mainly recommend 1-6, though. ;) Then don't advertise which ones you use. Also, I encourage FOSS developers to build on any that have been open-sourced to get them into better shape and quality than academics leave them; academics tend to jump from project to project. Their work deserves the effort of being made production-quality when they designed a practical approach and kindly FOSS'd the demo for us.
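The covert-authorization idea behind item 3 can be sketched with a time-windowed MAC. This is an illustrative sketch, not SILENTKNOCK's actual protocol (which hides its authenticator inside TCP header fields); the function names and the 30-second window are assumptions. The client derives a short tag binding its IP address to the current time slot, and the server silently verifies before exposing the service:

```python
import hmac, hashlib, time

WINDOW = 30  # seconds of clock skew tolerated; illustrative parameter

def knock_tag(secret, client_ip, now=None):
    """Client side: derive a short tag binding the knock to the source IP
    and the current time window, so a captured knock can't be replayed
    later or from another host."""
    slot = int((now if now is not None else time.time()) // WINDOW)
    msg = client_ip.encode() + slot.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]

def verify_knock(secret, client_ip, tag, now=None):
    """Server side: accept tags from the current or previous window to
    absorb clock skew; stay silent on failure so probes learn nothing."""
    t = now if now is not None else time.time()
    for slot_time in (t, t - WINDOW):
        if hmac.compare_digest(tag, knock_tag(secret, client_ip, slot_time)):
            return True
    return False
```

A passive observer sees only an opaque 8-byte tag, and without the shared secret can't tell what authorized the connection, which is the property described above.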
The recommendation to use rarely employed software is a nice example of a trap of obscurity. Enough eyes do indeed make bugs shallow.
How do you decide that a piece of software is "well-written"? Even very strict review processes have missed critical issues... and rare software doesn't even have such review teams.
Instead, the proper advice is to reduce attack surface, not rely on some allegedly obscure piece of software.
Using results from academia is often supremely impractical. The actual software and designs are often unavailable, sometimes impossible to reproduce, and very definitely unverified.
Your homegrown CTR crypto might expose you to a related-key attack. How would you know, since nobody targets it until it's broken?
Guessing the target architecture given an exploitable bug is trivial; you need only the simplest of data leaks. There aren't many options available, either. You can use x86, MIPS, or ARM, the latter two in big- or little-endian. Other, much more unlikely targets can be POWER or IA-64.
Custom micros can be PIC or MCS-51, maybe Atmel.
That leaves only a handful of options to try out.
You already have to tangle with much stronger security measures such as ASLR or NX. Or various operating systems.
ASLR is itself an obfuscation. It tries to obscure where something will be rather than directly prevent or detect the attack the way strong controls do. Useful, as other obfuscations are, for adding speed bumps for the attacker while preserving a level of compatibility with existing code, or performance, that strong security might sacrifice. That an obfuscation was recommended in a counterpoint against obfuscations was most interesting. :)
That's a common refrain, and things like OpenSSL counter it nicely: massive use, open code, and basically no code quality. Instead, all of them seem to have bugs and exploits surfacing regularly throughout the year. You'd think using an obscure program would make things worse, but software's baseline is so low that it's often not the case. The high-quality stuff, in both closed and open source, seems to be made by skilled developers who care about quality. That's the only common denominator. Note, though, that my recommendation is to use obfuscation with good security controls in place plus well-coded apps. On to that.
"How do you decide that a piece of software is "well-written"? Even very strict review processes have missed critical issues... and rare software doesn't even have such review teams."
For binaries, you can look at the software itself and how it runs to get a decent handle on how well it's written. A classic example is BitTorrent vs uTorrent: uTorrent packed an amazing amount of functionality into a tiny executable that loaded and ran fast without any issues for me. Clearly a great programmer wrote it. Adobe Reader vs Foxit has similar properties, suggesting the people at Foxit at least care about the quality of their code and make a good attempt. You can also apply tech that isolates or hardens the executables themselves so you have to care less about it. Nonetheless, had I chosen Reader, the many-eyeballs effect would've meant a new attack on my hands about every month (or more often), whereas Foxit users weren't being hit as much. The tide might have shifted by now, if it got popular enough and secretly had terrible enough code, to where CVEs are popping up all over the place; I haven't followed Foxit since I've been off Windows. I'd ditch it at that point if it got that bad. It will still have done its job for a long time in reducing my headaches vs Adobe, though.
Now, for FOSS or even shared-source proprietary, you have even more options. The first is simply looking at the code to see if it's well-organized, has proper checks, has tests, and so on. For PDF readers, I remember Marc Espie telling me MuPDF had really good code; great coders like him know good code when they see it. More objective metrics might come from running static-analysis tools on a bunch of candidates to see how many warnings or issues show up: the lower, the better. Also, remember my methods don't work in isolation: pick an obscure PDF reader, ensure it has noticeably better quality than the most-targeted one, and, with source available, maybe apply a transformation that adds more checks.
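The warning-count idea can be illustrated with a toy checker. This is a crude proxy, not a real analyzer; the smells it flags and the function name are my choices, picked because real tools report similar ones. The point is only that counting mechanical warnings across candidate programs gives a rough, comparable quality signal:

```python
import ast

def warning_count(source):
    """Walk a Python module's AST and flag a few smells that real static
    analyzers also report. Illustrative only: fewer flags suggests more
    careful code, as with the warning counts discussed above."""
    warnings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ExceptHandler) and node.type is None:
            warnings.append(f"line {node.lineno}: bare 'except:' hides failures")
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("eval", "exec")):
            warnings.append(f"line {node.lineno}: {node.func.id}() on dynamic input")
        elif (isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))
                and len(node.args.args) > 6):
            warnings.append(f"line {node.lineno}: '{node.name}' takes too many parameters")
    return warnings
```

Run it over each candidate codebase and compare totals; a real comparison would of course use mature tools (pyflakes, Coverity, clang analyzers) rather than this sketch.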
"the proper advice is to reduce attack surface, not rely on some allegedly obscure piece of software."
The proper advice is to do both. Each technique I listed reduced issues, either arguably or demonstrably in the field. Testing it was easy: honeypots with known-vulnerable stuff. The attacks didn't work. Obfuscation by itself had great benefit. So combining strong security, such as separation kernels, safer languages, and static analysis, with such obfuscation just makes strong security even stronger.
"Your homegrown CTR crypto might expose you to a related-key attack. How would you know, since nobody targets it until it's broken?"
Do you have references on this? Let's focus on the strong version to prove or disprove the principle: using one to three AES candidates, each with a separate key, each used the way it's supposed to be used. My only modifications to any AES candidate in isolation are applying one after the other, randomizing the initial value of the counter, and changing the order of cipher application per session. So it's AES-256/CTR + Twofish-256/CTR + Serpent-256/CTR in that order or some other combination of them. Keys and counters come from a CSPRNG or TRNG. No repetition is allowed, such as Twofish followed by Twofish, in case there are internal interactions. Where's the vulnerability in this construction that can be exploited by someone possessing only ciphertext?
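The layering logic of that construction can be sketched in Python. The standard library has none of AES, Twofish, or Serpent, so a keyed BLAKE2b keystream stands in for each cipher's CTR mode; the function names and the BLAKE2b stand-in are mine. Only the structure mirrors the described scheme: per-session random cipher order with no repeats, independent keys, and random counters:

```python
import hashlib, secrets

# Stand-in labels; a real implementation would invoke each cipher's
# CTR mode from a vetted crypto library.
CANDIDATES = ("aes", "twofish", "serpent")

def keystream(label, key, counter, n):
    """Stand-in CTR keystream: keyed BLAKE2b over (label, counter + block).
    NOT a secure cipher cascade; it only demonstrates the layering."""
    out = b""
    for i in range((n + 63) // 64):
        block = ((counter + i) % (1 << 128)).to_bytes(16, "big")  # CTR wraps
        out += hashlib.blake2b(label.encode() + block, key=key).digest()
    return out[:n]

def new_session():
    """Per-session randomization: cipher order, keys, counters. A shuffled
    permutation of the three candidates guarantees no cipher repeats."""
    order = list(CANDIDATES)
    secrets.SystemRandom().shuffle(order)
    return [(c, secrets.token_bytes(32), secrets.randbits(128)) for c in order]

def apply_layers(session, data):
    """Each CTR layer is an XOR keystream, so the identical call both
    encrypts and decrypts regardless of layer order."""
    for label, key, ctr in session:
        ks = keystream(label, ctr and label and key, ctr, len(data)) if False else keystream(label, key, ctr, len(data))
        data = bytes(a ^ b for a, b in zip(data, ks))
    return data
```

An attacker facing only ciphertext sees the XOR of three independently keyed streams, which is the "no one-size-fits-all attack" property claimed above.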
"Guessing the target architecture given an exploitable bug is trivial; you need only the simplest of data leaks."
It is, but they rarely do. Field results show they basically never do. It takes a highly determined, smart attacker who also knows odd ISAs. That's why I have other things waiting for them. Randomized instruction sets generated per application, with enforcement done in modified CPUs, is the state of the art here IIRC. I recommend stronger methods, like the Hardbound or CHERI architectures, that arguably immunize you against specific issues. Yet CPU obfuscation often blocks the riff-raff, and sometimes smart attackers constrained by time or boredom.
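The randomized-instruction-set idea can be shown with a toy interpreter. Everything here (the three opcodes, the XOR masking, the DecodeFault fail-safe) is a made-up sketch, not any real ISR design: opcodes are masked with a per-program key at install time and unmasked at fetch, so injected code lacking the key decodes to garbage and trips the fail-safe that would do the logging described above:

```python
class DecodeFault(Exception):
    """A fetched byte decoded to no valid opcode: the logging/fail-safe
    hook that injected code without the key will almost always trigger."""

def encode(program, key):
    """'Install-time' step: XOR-mask every program byte with a per-program
    secret key, giving this application its own private instruction set."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(program))

def run(encoded, key):
    """Interpreter that unmasks each byte at fetch.
    Opcodes: 0 = halt, 1 = push immediate, 2 = add."""
    stack, pc = [], 0
    while pc < len(encoded):
        op = encoded[pc] ^ key[pc % len(key)]
        if op == 0:                      # halt: return machine state
            return stack
        elif op == 1:                    # push: next byte is the operand
            pc += 1
            stack.append(encoded[pc] ^ key[pc % len(key)])
        elif op == 2:                    # add top two stack values
            stack.append(stack.pop() + stack.pop())
        else:
            raise DecodeFault(f"bad opcode {op} at offset {pc}")
        pc += 1
    return stack
```

In a deployment the key would come from a strong RNG (e.g. `secrets.token_bytes(16)`) per application, and a DecodeFault would log and shut the process down rather than let garbage execute.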
"There aren't many options available either."
That's true. Yet how many SuperH coders do you know in the malware market? Or even Alpha? Economics and laziness are why it still helps despite the limited options.
"You already have to tangle with much stronger security measures such as ASLR or NX. Or various operating systems."
ASLR and the various operating systems doing such things are in my list; we totally agree they're nice speed bumps for attackers. I also recommended some things that provide full safety, or a microkernel with a small TCB plus resource isolation. Even stronger. Personally, I'd probably add obfuscations like ASLR to them, too.
[1] http://www-users.cs.umn.edu/~hopper/silentknock_esorics.pdf
[2] https://www.cis.upenn.edu/acg/softbound/
[3] https://www.cs.cornell.edu/projects/fabric/
Note: See related project in bottom-right for other good tech this builds on or was inspired by.
[4] http://genode.org/
[5] https://robigalia.org/
[6] https://theses.lib.vt.edu/theses/available/etd-10112006-2048...
[7] http://www.ics.forth.gr/_publications/papadog-asist-ccs.pdf