justan0th3rstud3nt
/
garble
mirror of https://github.com/burrowers/garble
1
0
Fork 0
Code Issues 1 Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
release-v0.12
ci-test
literalRecheck
v0.12.1
v0.12.0
v0.11.0
v0.10.1
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.0
v0.7.2
v0.7.1
v0.7.0
v0.6.0
v0.5.1
v0.5.0
v0.4.0
v0.3.0
v0.2.0
v0.1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c0c5a75454'
${ noResults }
garble/main.go

1463 lines
42 KiB
Go
Raw Normal View History Unescape Escape

set up an AUTHORS file to attribute copyright Many files were missing copyright, so also add a short script to add the missing lines with the current year, and run it. The AUTHORS file is also self-explanatory. Contributors can add themselves there, or we can simply update it from time to time via git-shortlog. Since we have two scripts now, set up a directory for them.
4 years ago
// Copyright (c) 2019, The Garble Authors.
// See LICENSE for licensing information.
initial commit
5 years ago
package main
import (
Store obfuscated sources in object files (#158) Now the flag "-debugdir" does not trigger a full recompilation. Obfuscated source files are saved to object files and are extracted during linking.
4 years ago
"archive/tar"
make selection of packages configurable via GOPRIVATE Carefully select a default that will do the right thing when inside a module, as well as when building ad-hoc packages. This means we no longer need to look at the compiler's -std flag, which is nice. Also replace foo.com/ with test/, as per golang/go#37641. Fixes #7.
4 years ago
"bytes"
Store obfuscated sources in object files (#158) Now the flag "-debugdir" does not trigger a full recompilation. Obfuscated source files are saved to object files and are extracted during linking.
4 years ago
"compress/gzip"
start hashing identifiers
5 years ago
"encoding/base64"
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
"encoding/binary"
prevent exiting early with early errors (#205) The point of main1 returning an int is that testscript can run code afterwards, such as to collect coverage information when running with -coverprofile. We were using plain os.Exit in a couple of places: when help was requested, and when the Go version could not be fetched. In those cases, return an error to main1, and let it do the right thing. For #35.
4 years ago
"errors"
initial commit
5 years ago
"flag"
"fmt"
start hashing identifiers
5 years ago
"go/ast"
garbling imported packages starts being supported
5 years ago
"go/importer"
start hashing identifiers
5 years ago
"go/parser"
"go/printer"
"go/token"
garbling imported packages starts being supported
5 years ago
"go/types"
start hashing identifiers
5 years ago
"io"
"io/ioutil"
add a bit more docs
5 years ago
"log"
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
mathrand "math/rand"
initial commit
5 years ago
"os"
"os/exec"
"path/filepath"
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
"reflect"
make the tool work on Windows, enable tests The tests required a few last tweaks to work on Windows.
5 years ago
"runtime"
add a "version" command (#220) Mimicking "go version", this tells the user garble's own version. The code is exactly the same that is used for another tool written in Go, shfmt. It uses runtime/debug to fetch the module version embedded in binaries built by Go. For example: $ go get mvdan.cc/sh/v3/cmd/shfmt@latest $ shfmt -version v3.2.2 $ go get mvdan.cc/sh/v3/cmd/shfmt@master $ shfmt -version v3.3.0-0.dev.0.20210203135509-56c9918c980d Note that this will not work for a plain "go build" or "go install" after a "git clone", since in that case the Go tool can't know garble's own version via go.mod - since it's the current main module: $ go build $ ./garble version (devel) For the use case of the power user building from source directly, they are probably clever enough to tell us what git commit they are on, so this is not a big problem right now. It will also get better once golang/go#37475 is fixed in the future. Until then, if we need to do "release" builds locally, we can embed an explicit version into the binary via ldflags: $ go build -ldflags=-X=main.version=v1.2.3 $ ./garble version v1.2.3 Fixes #217.
3 years ago
"runtime/debug"
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
"strconv"
start enforcing the link flags -w -s
5 years ago
"strings"
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
"time"
update dependency versions, drop Go 1.14 Most notably, x/mod now includes the GOPRIVATE pattern-matching API we were copying before, so we can use it directly. Also bump the Go version requirement to 1.15, in preparation for the import path obfuscation PR, and don't let the gotip job fail the entire workflow.
4 years ago
follow-up patches to the 'go version' checking (#139) Give the func a name that tells what the return value means. Add missing newlines to printfs, use consistent quoting, and replace "%s" with %q. Document the Go 1.15 date. Finally, fix the imports via goimports.
4 years ago
"golang.org/x/mod/module"
"golang.org/x/mod/semver"
"golang.org/x/tools/go/ast/astutil"
Use XOR instead of AES for literal obfuscation. Implement a literal obfuscator interface, to allow the easy addition of new encodings. Add literal obfuscation for byte literals. Choose a random obfuscator on literal obfuscation, useful when multiple obfuscators are implemented. Fixes #62
4 years ago
"mvdan.cc/garble/internal/literals"
initial commit
5 years ago
)
add a "version" command (#220) Mimicking "go version", this tells the user garble's own version. The code is exactly the same that is used for another tool written in Go, shfmt. It uses runtime/debug to fetch the module version embedded in binaries built by Go. For example: $ go get mvdan.cc/sh/v3/cmd/shfmt@latest $ shfmt -version v3.2.2 $ go get mvdan.cc/sh/v3/cmd/shfmt@master $ shfmt -version v3.3.0-0.dev.0.20210203135509-56c9918c980d Note that this will not work for a plain "go build" or "go install" after a "git clone", since in that case the Go tool can't know garble's own version via go.mod - since it's the current main module: $ go build $ ./garble version (devel) For the use case of the power user building from source directly, they are probably clever enough to tell us what git commit they are on, so this is not a big problem right now. It will also get better once golang/go#37475 is fixed in the future. Until then, if we need to do "release" builds locally, we can embed an explicit version into the binary via ldflags: $ go build -ldflags=-X=main.version=v1.2.3 $ ./garble version v1.2.3 Fixes #217.
3 years ago
var (
flagSet = flag.NewFlagSet("garble", flag.ContinueOnError)
version = "(devel)" // to match the default from runtime/debug
)
initial commit
5 years ago
allow easy inpection of garbled code Fixes #17.
4 years ago
var (
flagGarbleLiterals bool
Update filename and add line number obfuscation (#94) Fixes #2. Line numbers are now obfuscated, via `//line` comments. Filenames are now obfuscated via `//line` comments, instead of changing the actual filename. New flag `-tiny` to reduce the binary size, at the cost of reversibility.
4 years ago
flagGarbleTiny bool
allow easy inpection of garbled code Fixes #17.
4 years ago
flagDebugDir string
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
flagSeed string
allow easy inpection of garbled code Fixes #17.
4 years ago
)
add basic literal obfuscation, starting with strings Fixes #16.
4 years ago
func init() {
flagSet.Usage = usage
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
flagSet.BoolVar(&flagGarbleLiterals, "literals", false, "Obfuscate literals such as strings")
Update filename and add line number obfuscation (#94) Fixes #2. Line numbers are now obfuscated, via `//line` comments. Filenames are now obfuscated via `//line` comments, instead of changing the actual filename. New flag `-tiny` to reduce the binary size, at the cost of reversibility.
4 years ago
flagSet.BoolVar(&flagGarbleTiny, "tiny", false, "Optimize for binary size, losing the ability to reverse the process")
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
flagSet.StringVar(&flagDebugDir, "debugdir", "", "Write the garbled source to a directory, e.g. -debugdir=out")
Validate the user provided seed. (#126) Also allow base64 seeds without padding. Fixes #123.
4 years ago
flagSet.StringVar(&flagSeed, "seed", "", "Provide a base64-encoded seed, e.g. -seed=o9WDTZ4CN4w\nFor a random seed, provide -seed=random")
add basic literal obfuscation, starting with strings Fixes #16.
4 years ago
}
initial commit
5 years ago
func usage() {
fmt.Fprintf(os.Stderr, `
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
Garble obfuscates Go code by wrapping the Go toolchain.
initial commit
5 years ago
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
Usage:
introduce 'garble build' shortcut This way, the user doesn't need to remember to use flags like -a and -trimpath. Also because we might need more 'go build' flags in the future.
5 years ago
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
garble [flags] build [build flags] [packages]
introduce 'garble build' shortcut This way, the user doesn't need to remember to use flags like -a and -trimpath. Also because we might need more 'go build' flags in the future.
5 years ago
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
Aside from "build", the "test" command mirroring "go test" is also supported.
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
garble accepts the following flags:
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
initial commit
5 years ago
`[1:])
flagSet.PrintDefaults()
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
fmt.Fprintf(os.Stderr, `
all: fix links after moving repository (#131) A couple of places still linked to the personal repo.
4 years ago
For more information, see https://github.com/burrowers/garble.
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
`[1:])
initial commit
5 years ago
}
func main() { os.Exit(main1()) }
start hashing identifiers
5 years ago
var (
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
fset = token.NewFileSet()
sharedTempDir = os.Getenv("GARBLE_SHARED")
start hashing identifiers
5 years ago
simplify the main code flow somewhat We don't really care about tools other than "compile" and "link". Stop trying to keep a complete list. Use "if err := f(); err != nil {" where it makes sense. Simplify some declarations, and use a better variable name than "fW".
4 years ago
printConfig = printer.Config{Mode: printer.RawFormat}
add basic literal obfuscation, starting with strings Fixes #16.
4 years ago
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
// origImporter is a go/types importer which uses the original versions
// of packages, without any obfuscation. This is helpful to make
// decisions on how to obfuscate our input code.
origImporter = importer.ForCompiler(fset, "gc", func(path string) (io.ReadCloser, error) {
pkg, err := listPackage(path)
if err != nil {
return nil, err
}
return os.Open(pkg.Export)
})
start supporting asm functions better Spotted while trying to link a program using unix.Syscall, since its implementation is assembly. Telling if a function couldn't be garbled isn't trivial. If that function belongs to an imported package, we only load its export data instead of type-checking from source, so we don't have all the information needed. Instead, use the gc export data importer to import two versions of each dependency: its original version, for the initial type-checking, and its garbled version, to check if any of its exported names weren't garbled. Updates #9.
4 years ago
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
// Basic information about the package being currently compiled or linked.
curPkg *listedPackage
clean up global buildInfo a bit, fix up godocs The struct type for buildInfo doesn't need to be named. Plus, the "packageInfo" name was actually pretty misleading, because buildInfo contains data from many packages. Add an importCfg field, so that we don't need to fetch the flag value many times. Simplify reading the importCfg file; we used to also write to it, but that's no longer the case, so we can just use ioutil.ReadFile. Finally, give the function that fills buildInfo a better name, a godoc, and fix the origTypesConfig godoc. We also add a TODO to reuse goobj.ParseImportCfg in the future.
4 years ago
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
buildInfo = struct {
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
// TODO: do we still need imports?
clean up global buildInfo a bit, fix up godocs The struct type for buildInfo doesn't need to be named. Plus, the "packageInfo" name was actually pretty misleading, because buildInfo contains data from many packages. Add an importCfg field, so that we don't need to fetch the flag value many times. Simplify reading the importCfg file; we used to also write to it, but that's no longer the case, so we can just use ioutil.ReadFile. Finally, give the function that fills buildInfo a better name, a godoc, and fix the origTypesConfig godoc. We also add a TODO to reuse goobj.ParseImportCfg in the future.
4 years ago
imports map[string]importedPkg // parsed importCfg plus cached info
}{imports: make(map[string]importedPkg)}
start supporting asm functions better Spotted while trying to link a program using unix.Syscall, since its implementation is assembly. Telling if a function couldn't be garbled isn't trivial. If that function belongs to an imported package, we only load its export data instead of type-checking from source, so we don't have all the information needed. Instead, use the gc export data importer to import two versions of each dependency: its original version, for the initial type-checking, and its garbled version, to check if any of its exported names weren't garbled. Updates #9.
4 years ago
garbledImporter = importer.ForCompiler(fset, "gc", func(path string) (io.ReadCloser, error) {
return os.Open(buildInfo.imports[path].packagefile)
}).(types.ImporterFrom)
make selection of packages configurable via GOPRIVATE Carefully select a default that will do the right thing when inside a module, as well as when building ad-hoc packages. This means we no longer need to look at the compiler's -std flag, which is nice. Also replace foo.com/ with test/, as per golang/go#37641. Fixes #7.
4 years ago
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
opts *flagOptions
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
envGoPrivate = os.Getenv("GOPRIVATE") // complemented by 'go env' later
start hashing identifiers
5 years ago
)
error if the user forgot -trimpath
5 years ago
start supporting asm functions better Spotted while trying to link a program using unix.Syscall, since its implementation is assembly. Telling if a function couldn't be garbled isn't trivial. If that function belongs to an imported package, we only load its export data instead of type-checking from source, so we don't have all the information needed. Instead, use the gc export data importer to import two versions of each dependency: its original version, for the initial type-checking, and its garbled version, to check if any of its exported names weren't garbled. Updates #9.
4 years ago
func garbledImport(path string) (*types.Package, error) {
ipkg, ok := buildInfo.imports[path]
if !ok {
return nil, fmt.Errorf("could not find imported package %q", path)
}
if ipkg.pkg != nil {
return ipkg.pkg, nil // cached
}
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
if opts.GarbleDir == "" {
start supporting asm functions better Spotted while trying to link a program using unix.Syscall, since its implementation is assembly. Telling if a function couldn't be garbled isn't trivial. If that function belongs to an imported package, we only load its export data instead of type-checking from source, so we don't have all the information needed. Instead, use the gc export data importer to import two versions of each dependency: its original version, for the initial type-checking, and its garbled version, to check if any of its exported names weren't garbled. Updates #9.
4 years ago
return nil, fmt.Errorf("$GARBLE_DIR unset; did you run via 'garble build'?")
}
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
pkg, err := garbledImporter.ImportFrom(path, opts.GarbleDir, 0)
start supporting asm functions better Spotted while trying to link a program using unix.Syscall, since its implementation is assembly. Telling if a function couldn't be garbled isn't trivial. If that function belongs to an imported package, we only load its export data instead of type-checking from source, so we don't have all the information needed. Instead, use the gc export data importer to import two versions of each dependency: its original version, for the initial type-checking, and its garbled version, to check if any of its exported names weren't garbled. Updates #9.
4 years ago
if err != nil {
return nil, err
}
ipkg.pkg = pkg // cache for later use
return pkg, nil
}
garbling imported packages starts being supported
5 years ago
type importedPkg struct {
packagefile string
start supporting asm functions better Spotted while trying to link a program using unix.Syscall, since its implementation is assembly. Telling if a function couldn't be garbled isn't trivial. If that function belongs to an imported package, we only load its export data instead of type-checking from source, so we don't have all the information needed. Instead, use the gc export data importer to import two versions of each dependency: its original version, for the initial type-checking, and its garbled version, to check if any of its exported names weren't garbled. Updates #9.
4 years ago
pkg *types.Package
garbling imported packages starts being supported
5 years ago
}
initial commit
5 years ago
func main1() int {
if err := flagSet.Parse(os.Args[1:]); err != nil {
return 2
}
add a bit more docs
5 years ago
log.SetPrefix("[garble] ")
initial commit
5 years ago
args := flagSet.Args()
if len(args) < 1 {
prevent exiting early with early errors (#205) The point of main1 returning an int is that testscript can run code afterwards, such as to collect coverage information when running with -coverprofile. We were using plain os.Exit in a couple of places: when help was requested, and when the Go version could not be fetched. In those cases, return an error to main1, and let it do the right thing. For #35.
4 years ago
usage()
return 2
initial commit
5 years ago
}
split main1 with a func returning an error
5 years ago
if err := mainErr(args); err != nil {
prevent exiting early with early errors (#205) The point of main1 returning an int is that testscript can run code afterwards, such as to collect coverage information when running with -coverprofile. We were using plain os.Exit in a couple of places: when help was requested, and when the Go version could not be fetched. In those cases, return an error to main1, and let it do the right thing. For #35.
4 years ago
switch err {
case flag.ErrHelp:
usage()
return 2
case errJustExit:
default:
fmt.Fprintln(os.Stderr, err)
if the seed is random and the build fails, print the seed (#213) Fixes #212
3 years ago
if flagSeed == "random" {
fmt.Fprintf(os.Stderr, "random seed: %s\n", base64.RawStdEncoding.EncodeToString(opts.Seed))
}
prevent exiting early with early errors (#205) The point of main1 returning an int is that testscript can run code afterwards, such as to collect coverage information when running with -coverprofile. We were using plain os.Exit in a couple of places: when help was requested, and when the Go version could not be fetched. In those cases, return an error to main1, and let it do the right thing. For #35.
4 years ago
}
split main1 with a func returning an error
5 years ago
return 1
}
return 0
}
introduce 'garble build' shortcut This way, the user doesn't need to remember to use flags like -a and -trimpath. Also because we might need more 'go build' flags in the future.
5 years ago
prevent exiting early with early errors (#205) The point of main1 returning an int is that testscript can run code afterwards, such as to collect coverage information when running with -coverprofile. We were using plain os.Exit in a couple of places: when help was requested, and when the Go version could not be fetched. In those cases, return an error to main1, and let it do the right thing. For #35.
4 years ago
var errJustExit = errors.New("")
follow-up patches to the 'go version' checking (#139) Give the func a name that tells what the return value means. Add missing newlines to printfs, use consistent quoting, and replace "%s" with %q. Document the Go 1.15 date. Finally, fix the imports via goimports.
4 years ago
func goVersionOK() bool {
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
const (
formally add support for Go 1.16 This was pretty much just fixing the README and closing the issue. The only other noteworthy user-facing change is that, if the Go version is detected to be too old, we now suggest 1.16.x instead of 1.15.x. While at it, refactor goversion.txt a bit. I wanted it to print a clearer "mocking the go build" error if another command was used like "go build", but I didn't want to learn BAT. So, instead use a simple Go program and build it, which will work on all platforms. The added "go build" step barely takes 100ms on my machine, given how simple the program is. The [short] line also doesn't seem necessary to me. The entire script runs in under 200ms for me, so it's well within the realm of "short", at least compared to many of the other test scripts. Fixes #124.
3 years ago
minGoVersion = "v1.15.0"
suggestedGoVersion = "1.16.x"
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
gitTimeFormat = "Mon Jan 2 15:04:05 2006 -0700"
)
follow-up patches to the 'go version' checking (#139) Give the func a name that tells what the return value means. Add missing newlines to printfs, use consistent quoting, and replace "%s" with %q. Document the Go 1.15 date. Finally, fix the imports via goimports.
4 years ago
// Go 1.15 was released on August 11th, 2020.
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
minGoVersionDate := time.Date(2020, 8, 11, 0, 0, 0, 0, time.UTC)
out, err := exec.Command("go", "version").CombinedOutput()
formally add support for Go 1.16 This was pretty much just fixing the README and closing the issue. The only other noteworthy user-facing change is that, if the Go version is detected to be too old, we now suggest 1.16.x instead of 1.15.x. While at it, refactor goversion.txt a bit. I wanted it to print a clearer "mocking the go build" error if another command was used like "go build", but I didn't want to learn BAT. So, instead use a simple Go program and build it, which will work on all platforms. The added "go build" step barely takes 100ms on my machine, given how simple the program is. The [short] line also doesn't seem necessary to me. The entire script runs in under 200ms for me, so it's well within the realm of "short", at least compared to many of the other test scripts. Fixes #124.
3 years ago
rawVersion := strings.TrimSpace(string(out))
if err != nil || !strings.HasPrefix(rawVersion, "go version ") {
add test for Go version checking (#140) Add tests for Go version checking Fix panic if go version has invalid format Fixes: #121 Co-authored-by: Daniel Martí <mvdan@mvdan.cc>
4 years ago
fmt.Fprintf(os.Stderr, `Can't get Go version: %v
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
This is likely due to go not being installed/setup correctly.
add test for Go version checking (#140) Add tests for Go version checking Fix panic if go version has invalid format Fixes: #121 Co-authored-by: Daniel Martí <mvdan@mvdan.cc>
4 years ago
How to install Go: https://golang.org/doc/install
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
`, err)
return false
}
formally add support for Go 1.16 This was pretty much just fixing the README and closing the issue. The only other noteworthy user-facing change is that, if the Go version is detected to be too old, we now suggest 1.16.x instead of 1.15.x. While at it, refactor goversion.txt a bit. I wanted it to print a clearer "mocking the go build" error if another command was used like "go build", but I didn't want to learn BAT. So, instead use a simple Go program and build it, which will work on all platforms. The added "go build" step barely takes 100ms on my machine, given how simple the program is. The [short] line also doesn't seem necessary to me. The entire script runs in under 200ms for me, so it's well within the realm of "short", at least compared to many of the other test scripts. Fixes #124.
3 years ago
rawVersion = strings.TrimPrefix(rawVersion, "go version ")
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
tagIdx := strings.IndexByte(rawVersion, ' ')
tag := rawVersion[:tagIdx]
if tag == "devel" {
commitAndDate := rawVersion[tagIdx+1:]
// Remove commit hash and architecture from version
add test for Go version checking (#140) Add tests for Go version checking Fix panic if go version has invalid format Fixes: #121 Co-authored-by: Daniel Martí <mvdan@mvdan.cc>
4 years ago
startDateIdx := strings.IndexByte(commitAndDate, ' ') + 1
endDateIdx := strings.LastIndexByte(commitAndDate, ' ')
if endDateIdx <= 0 {
fmt.Fprintf(os.Stderr, "Can't recognize devel build timestamp")
return false
}
date := commitAndDate[startDateIdx:endDateIdx]
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
versionDate, err := time.Parse(gitTimeFormat, date)
if err != nil {
add test for Go version checking (#140) Add tests for Go version checking Fix panic if go version has invalid format Fixes: #121 Co-authored-by: Daniel Martí <mvdan@mvdan.cc>
4 years ago
fmt.Fprintf(os.Stderr, "Can't recognize devel build timestamp: %v\n", err)
return false
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
}
if versionDate.After(minGoVersionDate) {
return true
}
formally add support for Go 1.16 This was pretty much just fixing the README and closing the issue. The only other noteworthy user-facing change is that, if the Go version is detected to be too old, we now suggest 1.16.x instead of 1.15.x. While at it, refactor goversion.txt a bit. I wanted it to print a clearer "mocking the go build" error if another command was used like "go build", but I didn't want to learn BAT. So, instead use a simple Go program and build it, which will work on all platforms. The added "go build" step barely takes 100ms on my machine, given how simple the program is. The [short] line also doesn't seem necessary to me. The entire script runs in under 200ms for me, so it's well within the realm of "short", at least compared to many of the other test scripts. Fixes #124.
3 years ago
fmt.Fprintf(os.Stderr, "Go version %q is too old; please upgrade to Go %s or a newer devel version\n", rawVersion, suggestedGoVersion)
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
return false
}
version := "v" + strings.TrimPrefix(tag, "go")
if semver.Compare(version, minGoVersion) < 0 {
formally add support for Go 1.16 This was pretty much just fixing the README and closing the issue. The only other noteworthy user-facing change is that, if the Go version is detected to be too old, we now suggest 1.16.x instead of 1.15.x. While at it, refactor goversion.txt a bit. I wanted it to print a clearer "mocking the go build" error if another command was used like "go build", but I didn't want to learn BAT. So, instead use a simple Go program and build it, which will work on all platforms. The added "go build" step barely takes 100ms on my machine, given how simple the program is. The [short] line also doesn't seem necessary to me. The entire script runs in under 200ms for me, so it's well within the realm of "short", at least compared to many of the other test scripts. Fixes #124.
3 years ago
fmt.Fprintf(os.Stderr, "Go version %q is too old; please upgrade to Go %s\n", rawVersion, suggestedGoVersion)
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
return false
}
return true
}
split main1 with a func returning an error
5 years ago
func mainErr(args []string) error {
if the seed is random and the build fails, print the seed (#213) Fixes #212
3 years ago
// If we recognize an argument, we're not running within -toolexec.
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
switch command, args := args[0], args[1:]; command {
clarify usage text, add help flags Also remove the -toolexec equivalent, as it's becoming longer now that we have GARBLE_DIR, and it might become out of date in the future again. We don't want users to assume it will work forever.
4 years ago
case "help":
prevent exiting early with early errors (#205) The point of main1 returning an int is that testscript can run code afterwards, such as to collect coverage information when running with -coverprofile. We were using plain os.Exit in a couple of places: when help was requested, and when the Go version could not be fetched. In those cases, return an error to main1, and let it do the right thing. For #35.
4 years ago
return flag.ErrHelp
add a "version" command (#220) Mimicking "go version", this tells the user garble's own version. The code is exactly the same that is used for another tool written in Go, shfmt. It uses runtime/debug to fetch the module version embedded in binaries built by Go. For example: $ go get mvdan.cc/sh/v3/cmd/shfmt@latest $ shfmt -version v3.2.2 $ go get mvdan.cc/sh/v3/cmd/shfmt@master $ shfmt -version v3.3.0-0.dev.0.20210203135509-56c9918c980d Note that this will not work for a plain "go build" or "go install" after a "git clone", since in that case the Go tool can't know garble's own version via go.mod - since it's the current main module: $ go build $ ./garble version (devel) For the use case of the power user building from source directly, they are probably clever enough to tell us what git commit they are on, so this is not a big problem right now. It will also get better once golang/go#37475 is fixed in the future. Until then, if we need to do "release" builds locally, we can embed an explicit version into the binary via ldflags: $ go build -ldflags=-X=main.version=v1.2.3 $ ./garble version v1.2.3 Fixes #217.
3 years ago
case "version":
include a "garble version" test (#221) Not sure why the last commit came with none. While at it, I noticed that the version command would ignore arguments. Error instead.
3 years ago
if len(args) > 0 {
return fmt.Errorf("the version command does not take arguments")
}
add a "version" command (#220) Mimicking "go version", this tells the user garble's own version. The code is exactly the same that is used for another tool written in Go, shfmt. It uses runtime/debug to fetch the module version embedded in binaries built by Go. For example: $ go get mvdan.cc/sh/v3/cmd/shfmt@latest $ shfmt -version v3.2.2 $ go get mvdan.cc/sh/v3/cmd/shfmt@master $ shfmt -version v3.3.0-0.dev.0.20210203135509-56c9918c980d Note that this will not work for a plain "go build" or "go install" after a "git clone", since in that case the Go tool can't know garble's own version via go.mod - since it's the current main module: $ go build $ ./garble version (devel) For the use case of the power user building from source directly, they are probably clever enough to tell us what git commit they are on, so this is not a big problem right now. It will also get better once golang/go#37475 is fixed in the future. Until then, if we need to do "release" builds locally, we can embed an explicit version into the binary via ldflags: $ go build -ldflags=-X=main.version=v1.2.3 $ ./garble version v1.2.3 Fixes #217.
3 years ago
// don't overwrite the version if it was set by -ldflags=-X
if info, ok := debug.ReadBuildInfo(); ok && version == "(devel)" {
mod := &info.Main
if mod.Replace != nil {
mod = mod.Replace
}
version = mod.Version
}
fmt.Println(version)
return nil
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
case "reverse":
return commandReverse(args)
case "build", "test", "list":
cmd, err := toolexecCmd(command, args)
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
if err != nil {
return err
complain when GOPRIVATE matches no packages This is important, because it would mean that we would obfuscate nothing. At best, it would be confusing; at worst, it could mislead the user into thinking the binary is obfuscated. Fixes #20. Updates #108.
4 years ago
}
introduce 'garble build' shortcut This way, the user doesn't need to remember to use flags like -a and -trimpath. Also because we might need more 'go build' flags in the future.
5 years ago
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
split main1 with a func returning an error
5 years ago
return cmd.Run()
introduce 'garble build' shortcut This way, the user doesn't need to remember to use flags like -a and -trimpath. Also because we might need more 'go build' flags in the future.
5 years ago
}
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
start rejecting unknown non-tool commands
5 years ago
if !filepath.IsAbs(args[0]) {
// -toolexec gives us an absolute path to the tool binary to
// run, so this is most likely misuse of garble by a user.
return fmt.Errorf("unknown command: %q", args[0])
}
introduce 'garble build' shortcut This way, the user doesn't need to remember to use flags like -a and -trimpath. Also because we might need more 'go build' flags in the future.
5 years ago
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
// We're in a toolexec sub-process, not directly called by the user.
// Load the shared data and wrap the tool, like the compiler or linker.
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
if err := loadSharedCache(); err != nil {
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
return err
}
opts = &cache.Options
initial commit
5 years ago
_, tool := filepath.Split(args[0])
make the tool work on Windows, enable tests The tests required a few last tweaks to work on Windows.
5 years ago
if runtime.GOOS == "windows" {
tool = strings.TrimSuffix(tool, ".exe")
}
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
if len(args) == 2 && args[1] == "-V=full" {
return alterToolVersion(tool, args)
}
simplify the main code flow somewhat We don't really care about tools other than "compile" and "link". Stop trying to keep a complete list. Use "if err := f(); err != nil {" where it makes sense. Simplify some declarations, and use a better variable name than "fW".
4 years ago
transform := transformFuncs[tool]
initial commit
5 years ago
transformed := args[1:]
error if the user forgot -trimpath
5 years ago
// log.Println(tool, transformed)
make the tool work on Windows, enable tests The tests required a few last tweaks to work on Windows.
5 years ago
if transform != nil {
garbling imported packages starts being supported
5 years ago
var err error
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
if transformed, err = transform(transformed); err != nil {
split main1 with a func returning an error
5 years ago
return err
initial commit
5 years ago
}
}
cmd := exec.Command(args[0], transformed...)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
if err := cmd.Run(); err != nil {
split main1 with a func returning an error
5 years ago
return err
initial commit
5 years ago
}
split main1 with a func returning an error
5 years ago
return nil
initial commit
5 years ago
}
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
// toolexecCmd builds an *exec.Cmd which is set up for running "go <command>"
// with -toolexec=garble and the supplied arguments.
//
// Note that it uses and modifies global state; in general, it should only be
// called once from mainErr in the top-level garble process.
func toolexecCmd(command string, args []string) (*exec.Cmd, error) {
if !goVersionOK() {
return nil, errJustExit
}
// Split the flags from the package arguments, since we'll need
// to run 'go list' on the same set of packages.
flags, args := splitFlagsFromArgs(args)
for _, f := range flags {
switch f {
case "-h", "-help", "--help":
return nil, flag.ErrHelp
}
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
if err := setFlagOptions(); err != nil {
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
return nil, err
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
// Here is the only place we initialize the cache.
// The sub-processes will parse it from a shared gob file.
cache = &sharedCache{Options: *opts}
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
// Note that we also need to pass build flags to 'go list', such
// as -tags.
cache.BuildFlags = filterBuildFlags(flags)
if command == "test" {
cache.BuildFlags = append(cache.BuildFlags, "-test")
}
if err := setGoPrivate(); err != nil {
return nil, err
}
var err error
cache.ExecPath, err = os.Executable()
if err != nil {
return nil, err
}
if err := setListedPackages(args); err != nil {
return nil, err
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
sharedTempDir, err = saveSharedCache()
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
if err != nil {
return nil, err
}
os.Setenv("GARBLE_SHARED", sharedTempDir)
defer os.Remove(sharedTempDir)
goArgs := []string{
command,
"-trimpath",
"-toolexec=" + cache.ExecPath,
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
if flagDebugDir != "" {
// In case the user deletes the debug directory,
// and a previous build is cached,
// rebuild all packages to re-fill the debug dir.
goArgs = append(goArgs, "-a")
}
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
if command == "test" {
// vet is generally not useful on garbled code; keep it
// disabled by default.
goArgs = append(goArgs, "-vet=off")
}
goArgs = append(goArgs, flags...)
goArgs = append(goArgs, args...)
return exec.Command("go", goArgs...), nil
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
var transformFuncs = map[string]func([]string) (args []string, _ error){
replace the -p path when assembling (#247) The asm tool runs twice for a package with assembly. The second time it does, the path given to the -p flag matters, just like in the compiler, as we generate an object file. We don't have a -buildid flag in the asm tool, so obtaining the action ID to obfuscate the package path with is a bit tricky. We store it from transformCompile, and read it from transformAsm. See the detailed docs for more. This was the last "skip" line in the tests due to Go 1.16. After all PRs are merged, one last PR documenting that 1.16 is supported will be sent, closing the issue for good. It's unclear why this wasn't an issue in Go 1.15. My best guess is that the ABI changes only happened in Go 1.16, and this causes exported asm funcs to start showing up in object files with their package paths. Updates #124.
3 years ago
"asm": transformAsm,
start enforcing the link flags -w -s
5 years ago
"compile": transformCompile,
error if the user forgot -trimpath
5 years ago
"link": transformLink,
start enforcing the link flags -w -s
5 years ago
}
replace the -p path when assembling (#247) The asm tool runs twice for a package with assembly. The second time it does, the path given to the -p flag matters, just like in the compiler, as we generate an object file. We don't have a -buildid flag in the asm tool, so obtaining the action ID to obfuscate the package path with is a bit tricky. We store it from transformCompile, and read it from transformAsm. See the detailed docs for more. This was the last "skip" line in the tests due to Go 1.16. After all PRs are merged, one last PR documenting that 1.16 is supported will be sent, closing the issue for good. It's unclear why this wasn't an issue in Go 1.15. My best guess is that the ABI changes only happened in Go 1.16, and this causes exported asm funcs to start showing up in object files with their package paths. Updates #124.
3 years ago
func transformAsm(args []string) ([]string, error) {
flags, paths := splitFlagsFromFiles(args, ".s")
symAbis := false
// Note that flagValue only supports "-foo=true" bool flags, but the std
// flag is generally just "-std".
// TODO: Better support boolean flags for the tools.
for _, flag := range flags {
if flag == "-gensymabis" {
symAbis = true
}
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
curPkgPath := flagValue(flags, "-p")
replace the -p path when assembling (#247) The asm tool runs twice for a package with assembly. The second time it does, the path given to the -p flag matters, just like in the compiler, as we generate an object file. We don't have a -buildid flag in the asm tool, so obtaining the action ID to obfuscate the package path with is a bit tricky. We store it from transformCompile, and read it from transformAsm. See the detailed docs for more. This was the last "skip" line in the tests due to Go 1.16. After all PRs are merged, one last PR documenting that 1.16 is supported will be sent, closing the issue for good. It's unclear why this wasn't an issue in Go 1.15. My best guess is that the ABI changes only happened in Go 1.16, and this causes exported asm funcs to start showing up in object files with their package paths. Updates #124.
3 years ago
// If we are generating symbol ABIs, the output does not actually
// contain curPkgPath. Exported APIs show up as "".FooBar.
// Otherwise, we are assembling, and curPkgPath does make its way into
// the output object file.
// To obfuscate the path in the -p flag, we need the current action ID,
// which we recover from the file that transformCompile wrote for us.
if !symAbis && curPkgPath != "main" && isPrivate(curPkgPath) {
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
curPkgPathFull := curPkgPath
if curPkgPathFull == "main" {
// TODO(mvdan): this can go with TOOLEXEC_IMPORTPATH
curPkgPathFull = cache.MainImportPath
replace the -p path when assembling (#247) The asm tool runs twice for a package with assembly. The second time it does, the path given to the -p flag matters, just like in the compiler, as we generate an object file. We don't have a -buildid flag in the asm tool, so obtaining the action ID to obfuscate the package path with is a bit tricky. We store it from transformCompile, and read it from transformAsm. See the detailed docs for more. This was the last "skip" line in the tests due to Go 1.16. After all PRs are merged, one last PR documenting that 1.16 is supported will be sent, closing the issue for good. It's unclear why this wasn't an issue in Go 1.15. My best guess is that the ABI changes only happened in Go 1.16, and this causes exported asm funcs to start showing up in object files with their package paths. Updates #124.
3 years ago
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
newPkgPath := hashWith(cache.ListedPackages[curPkgPathFull].GarbleActionID, curPkgPath)
replace the -p path when assembling (#247) The asm tool runs twice for a package with assembly. The second time it does, the path given to the -p flag matters, just like in the compiler, as we generate an object file. We don't have a -buildid flag in the asm tool, so obtaining the action ID to obfuscate the package path with is a bit tricky. We store it from transformCompile, and read it from transformAsm. See the detailed docs for more. This was the last "skip" line in the tests due to Go 1.16. After all PRs are merged, one last PR documenting that 1.16 is supported will be sent, closing the issue for good. It's unclear why this wasn't an issue in Go 1.15. My best guess is that the ABI changes only happened in Go 1.16, and this causes exported asm funcs to start showing up in object files with their package paths. Updates #124.
3 years ago
flags = flagSetValue(flags, "-p", newPkgPath)
}
return append(flags, paths...), nil
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
func transformCompile(args []string) ([]string, error) {
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
var err error
garbling imported packages starts being supported
5 years ago
flags, paths := splitFlagsFromFiles(args, ".go")
always use the compiler's -dwarf=false flag (#96) First, our original append line was completely ineffective; we never used that "flags" slice again. Second, we only attempted to use the flag when we obfuscated a package. In fact, we never care about debugging information here, so for any package we compile, we can add "-dwarf=false". At the moment, we compile all packages, even if they aren't to be obfuscated, due to the lack of access to the build cache. As such, we save a significant amount of work. The numbers below were obtained on a quiet machine with "go test -bench=. -benchtime=10x", six times before and after the change. name old time/op new time/op delta Build-8 2.06s ± 4% 1.87s ± 2% -9.21% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 1.51s ± 2% 1.46s ± 1% -3.12% (p=0.004 n=6+5) name old user-time/op new user-time/op delta Build-8 11.9s ± 2% 10.8s ± 1% -8.71% (p=0.002 n=6+6) While at it, only do CI builds on pushes and PRs to the master branch, so that my PRs created from the same repo don't trigger duplicate builds.
4 years ago
// We will force the linker to drop DWARF via -w, so don't spend time
// generating it.
flags = append(flags, "-dwarf=false")
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
curPkgPath := flagValue(flags, "-p")
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
if (curPkgPath == "runtime" && opts.Tiny) || curPkgPath == "runtime/internal/sys" {
add runtime API to suppress printing fatal errors Fixes #50.
4 years ago
// Even though these packages aren't private, we will still process
remove unnecessary data from runtime if -tiny is passed Fixes #127. Saves an additional ~1-2% binary size in my testing.
4 years ago
// them later to remove build information and strip code from the
// runtime. However, we only want flags to work on private packages.
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
opts.GarbleLiterals = false
opts.DebugDir = ""
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
} else if !isPrivate(curPkgPath) {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return append(flags, paths...), nil
make selection of packages configurable via GOPRIVATE Carefully select a default that will do the right thing when inside a module, as well as when building ad-hoc packages. This means we no longer need to look at the compiler's -std flag, which is nice. Also replace foo.com/ with test/, as per golang/go#37641. Fixes #7.
4 years ago
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
allow garble to test itself With this patch, 'go install && garble test' works.
4 years ago
for i, path := range paths {
if filepath.Base(path) == "_gomod_.go" {
// never include module info
paths = append(paths[:i], paths[i+1:]...)
break
}
}
add initial support for running tests For now, it mainly consists of not garbling Test* funcs, and not garbling the _testmain.go file that will run them. Updates #6.
5 years ago
if len(paths) == 1 && filepath.Base(paths[0]) == "_testmain.go" {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return append(flags, paths...), nil
add initial support for running tests For now, it mainly consists of not garbling Test* funcs, and not garbling the _testmain.go file that will run them. Updates #6.
5 years ago
}
start enforcing the link flags -w -s
5 years ago
garbling imported packages starts being supported
5 years ago
// If the value of -trimpath doesn't contain the separator ';', the 'go
// build' command is most likely not using '-trimpath'.
error if the user forgot -trimpath
5 years ago
trimpath := flagValue(flags, "-trimpath")
garbling imported packages starts being supported
5 years ago
if !strings.Contains(trimpath, ";") {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, fmt.Errorf("-toolexec=garble should be used alongside -trimpath")
error if the user forgot -trimpath
5 years ago
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
curPkgPathFull := curPkgPath
if curPkgPathFull == "main" {
// TODO(mvdan): this can go with TOOLEXEC_IMPORTPATH
curPkgPathFull = cache.MainImportPath
}
curPkg = cache.ListedPackages[curPkgPathFull]
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
newImportCfg, err := fillBuildInfo(flags)
if err != nil {
return nil, err
garbling imported packages starts being supported
5 years ago
}
add runtime API to suppress printing fatal errors Fixes #50.
4 years ago
garbling imported packages starts being supported
5 years ago
var files []*ast.File
for _, path := range paths {
don't remove "//go:" compile directives For example, this broke cgo, since it uses go:linkname. Updates #12.
4 years ago
file, err := parser.ParseFile(fset, path, nil, parser.ParseComments)
garbling imported packages starts being supported
5 years ago
if err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
garbling imported packages starts being supported
5 years ago
}
files = append(files, file)
}
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
randSeed := opts.Seed
if len(randSeed) == 0 {
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
randSeed = curPkg.GarbleActionID
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
}
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
// log.Printf("seeding math/rand with %x\n", randSeed)
mathrand.Seed(int64(binary.BigEndian.Uint64(randSeed)))
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
tf := &transformer{
info: &types.Info{
Types: make(map[ast.Expr]types.TypeAndValue),
Defs: make(map[*ast.Ident]types.Object),
Uses: make(map[*ast.Ident]types.Object),
},
garbling imported packages starts being supported
5 years ago
}
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
support typechecking all of std (#236) There was one bug keeping the command below from working: GOPRIVATE='*' garble build std The bug is rather obscure; I'm still working on a minimal reproducer that I can submit upstream, and I'm not yet convinced about where the bug lives and how it can be fixed. In short, the command would fail with: typecheck error: /go/src/crypto/ecdsa/ecdsa.go:122:12: cannot use asn1.SEQUENCE (constant 48 of type asn1.Tag) as asn1.Tag value in argument to b.AddASN1 Note that the error is ambiguous; there are two asn1 packages, but they are actually mismatching. We can see that by manually adding debug prints to go/types: constant: asn1.SEQUENCE (constant 48 of type golang.org/x/crypto/cryptobyte/asn1.Tag) argument type: vendor/golang.org/x/crypto/cryptobyte/asn1.Tag It's clear that, for some reason, go/types ends up confused and loading a vendored and non-vendored version of asn1. There also seems to be no way to work around this with our lookup function, as it just receives an import path as a parameter, and returns an object file reader. For now, work around the issue by *not* using a custom lookup function in this rare edge case involving vendored dependencies in std packages. The added code has a lengthy comment explaining the reasoning. I still intend to investigate this further, but there's no reason to keep garble failing if we can work around the bug. Fixes #223.
3 years ago
standardLibrary := false
// Note that flagValue only supports "-foo=true" bool flags, but the std
// flag is generally just "-std".
// TODO: Better support boolean flags for the tools.
for _, flag := range flags {
if flag == "-std" {
standardLibrary = true
}
}
// The standard library vendors external packages, which results in them
// listing "golang.org/x/foo" in go list -json's Deps, plus an ImportMap
// entry to remap them to "vendor/golang.org/x/foo".
// We support that edge case in listPackage, presumably, though it seems
// like importer.ForCompiler with a lookup function isn't capable of it.
// It does work without an explicit lookup func though, which results in
// extra calls to 'go list'.
// Since this is a rare edge case and only occurs for a few std
// packages, do the extra 'go list' calls for now.
// TODO(mvdan): report this upstream and investigate further.
if standardLibrary && len(cache.ListedPackages[curPkgPath].ImportMap) > 0 {
origImporter = importer.Default()
}
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
origTypesConfig := types.Config{Importer: origImporter}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
tf.pkg, err = origTypesConfig.Check(curPkgPathFull, fset, files, tf.info)
make detection of reflect more robust It now works with variables and composite type expressions too.
4 years ago
if err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, fmt.Errorf("typecheck error: %v", err)
garbling imported packages starts being supported
5 years ago
}
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
tf.recordReflectArgs(files)
skip literals used in constant expressions Fixes #39.
4 years ago
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
if opts.GarbleLiterals {
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
// TODO: use transformer here?
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
files = literals.Obfuscate(files, tf.info, fset, tf.ignoreObjects)
don't obfuscate some literals which might break typechecking
4 years ago
}
make output binaries deterministic We were leaking temporary file paths, which is no longer the case.
5 years ago
// Add our temporary dir to the beginning of -trimpath, so that we don't
// leak temporary dirs. Needs to be at the beginning, since there may be
// shorter prefixes later in the list, such as $PWD if TMPDIR=$PWD/tmp.
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
flags = flagSetValue(flags, "-trimpath", sharedTempDir+"=>;"+trimpath)
make output binaries deterministic We were leaking temporary file paths, which is no longer the case.
5 years ago
// log.Println(flags)
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
More correct comments transformation (#152) More correct comments transformation was implemented. Added processing of //go:linkname localname [importpath.name] directive, now localname is not renamed. This is safe and does not cause a name disclosure because the functions marked //linkname do not have a name in the resulting binary. Added cgo directives support Fixed filename leak protection for cgo Part of #149
4 years ago
detachedComments := make([][]string, len(files))
for i, file := range files {
rewrite go:linkname directives with garbled names (#200) If code includes a linkname directive pointing at a name in an imported package, like: //go:linkname localName importedpackage.RemoteName func localName() We should rewrite the comment to replace "RemoteName" with its obfuscated counterpart, if the package in question was obfuscated and that name was as well. We already had some code to handle linkname directives, but only to ensure that "localName" was never obfuscated. This behavior is kept, to ensure that the directive applies to the right name. In the future, we could instead rewrite "localName" in the directive, like we do with "RemoteName". Add plenty of tests, too. The linkname directive used to be tested in imports.txt and syntax.txt, but that was hard to maintain as each file tested different edge cases. Now that we have build caching, adding one extra testscript file isn't a big problem anymoree. Add linkname.txt, which is self-explanatory. The other two scripts also get a bit less complex. Fixes #197.
4 years ago
name := filepath.Base(filepath.Clean(paths[i]))
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
comments, file := tf.transformLineInfo(file, name)
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
tf.handleDirectives(comments)
rewrite go:linkname directives with garbled names (#200) If code includes a linkname directive pointing at a name in an imported package, like: //go:linkname localName importedpackage.RemoteName func localName() We should rewrite the comment to replace "RemoteName" with its obfuscated counterpart, if the package in question was obfuscated and that name was as well. We already had some code to handle linkname directives, but only to ensure that "localName" was never obfuscated. This behavior is kept, to ensure that the directive applies to the right name. In the future, we could instead rewrite "localName" in the directive, like we do with "RemoteName". Add plenty of tests, too. The linkname directive used to be tested in imports.txt and syntax.txt, but that was hard to maintain as each file tested different edge cases. Now that we have build caching, adding one extra testscript file isn't a big problem anymoree. Add linkname.txt, which is self-explanatory. The other two scripts also get a bit less complex. Fixes #197.
4 years ago
detachedComments[i], files[i] = comments, file
More correct comments transformation (#152) More correct comments transformation was implemented. Added processing of //go:linkname localname [importpath.name] directive, now localname is not renamed. This is safe and does not cause a name disclosure because the functions marked //linkname do not have a name in the resulting binary. Added cgo directives support Fixed filename leak protection for cgo Part of #149
4 years ago
}
Rewrite renaming logic for private names and reduce length of public names (#135) 1. Now private names are obfuscated based on the counter in scope of the package. 2. The length of public names is reduced to 4 bytes.
4 years ago
Store obfuscated sources in object files (#158) Now the flag "-debugdir" does not trigger a full recompilation. Obfuscated source files are saved to object files and are extracted during linking.
4 years ago
obfSrcArchive := &bytes.Buffer{}
obfSrcGzipWriter := gzip.NewWriter(obfSrcArchive)
defer obfSrcGzipWriter.Close()
obfSrcTarWriter := tar.NewWriter(obfSrcGzipWriter)
defer obfSrcTarWriter.Close()
properly fix obfuscated imports with their package names (#245) The TODO I left there didn't take long to surface as a bug. If the package path ends with a word containing a hyphen, that's not a valid identifier, so we end up with invalid Go syntax. Add that test case, as well as one where an import was already named. To fix the issue, we just need to use the package name we got from 'go list -json'. Fixes #243.
3 years ago
// If this is a package to obfuscate, swap the -p flag with the new
// package path.
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
newPkgPath := curPkgPath
if curPkgPath != "main" && isPrivate(curPkgPath) {
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
newPkgPath = hashWith(curPkg.GarbleActionID, curPkgPath)
// println("compile -p:", curPkgPath, newPkgPath)
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
flags = flagSetValue(flags, "-p", newPkgPath)
}
make output binaries deterministic We were leaking temporary file paths, which is no longer the case.
5 years ago
// TODO: randomize the order and names of the files
always use the compiler's -dwarf=false flag (#96) First, our original append line was completely ineffective; we never used that "flags" slice again. Second, we only attempted to use the flag when we obfuscated a package. In fact, we never care about debugging information here, so for any package we compile, we can add "-dwarf=false". At the moment, we compile all packages, even if they aren't to be obfuscated, due to the lack of access to the build cache. As such, we save a significant amount of work. The numbers below were obtained on a quiet machine with "go test -bench=. -benchtime=10x", six times before and after the change. name old time/op new time/op delta Build-8 2.06s ± 4% 1.87s ± 2% -9.21% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 1.51s ± 2% 1.46s ± 1% -3.12% (p=0.004 n=6+5) name old user-time/op new user-time/op delta Build-8 11.9s ± 2% 10.8s ± 1% -8.71% (p=0.002 n=6+6) While at it, only do CI builds on pushes and PRs to the master branch, so that my PRs created from the same repo don't trigger duplicate builds.
4 years ago
newPaths := make([]string, 0, len(files))
make output binaries deterministic We were leaking temporary file paths, which is no longer the case.
5 years ago
for i, file := range files {
initial support for cgo I'm sure that the added test case doesn't cover many edge cases, but it's a start. Fixes #12.
4 years ago
origName := filepath.Base(filepath.Clean(paths[i]))
don't leak build version information via a const either This requires a bit of extra magic to replace one constant in runtime/internal/sys, but that was simple enough given that we can reuse a lot of the code to parse the files and write them to a temporary dir. We can also drop the -X flags, as runtime.buildVersion is based on the constant that we replace here. Fixes #44, again.
4 years ago
name := origName
initial support for cgo I'm sure that the added test case doesn't cover many edge cases, but it's a start. Fixes #12.
4 years ago
switch {
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
case curPkgPath == "runtime":
remove unnecessary data from runtime if -tiny is passed Fixes #127. Saves an additional ~1-2% binary size in my testing.
4 years ago
// strip unneeded runtime code
stripRuntime(origName, file)
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
case curPkgPath == "runtime/internal/sys":
don't leak build version information via a const either This requires a bit of extra magic to replace one constant in runtime/internal/sys, but that was simple enough given that we can reuse a lot of the code to parse the files and write them to a temporary dir. We can also drop the -X flags, as runtime.buildVersion is based on the constant that we replace here. Fixes #44, again.
4 years ago
// The first declaration in zversion.go contains the Go
// version as follows. Replace it here, since the
// linker's -X does not work with constants.
//
// const TheVersion = `devel ...`
//
// Don't touch the source in any other way.
if origName != "zversion.go" {
break
}
spec := file.Decls[0].(*ast.GenDecl).Specs[0].(*ast.ValueSpec)
lit := spec.Values[0].(*ast.BasicLit)
lit.Value = "`unknown`"
initial support for cgo I'm sure that the added test case doesn't cover many edge cases, but it's a start. Fixes #12.
4 years ago
case strings.HasPrefix(origName, "_cgo_"):
// Cgo generated code requires a prefix. Also, don't
// garble it, since it's just generated code and it gets
// messy.
name = "_cgo_" + name
default:
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
file = tf.transformGo(file)
add a bit of code to aid debugging tests
4 years ago
// Uncomment for some quick debugging. Do not delete.
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
// fmt.Fprintf(os.Stderr, "\n-- %s/%s --\n", curPkgPath, origName)
simplify the main code flow somewhat We don't really care about tools other than "compile" and "link". Stop trying to keep a complete list. Use "if err := f(); err != nil {" where it makes sense. Simplify some declarations, and use a better variable name than "fW".
4 years ago
// if err := printConfig.Fprint(os.Stderr, fset, file); err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
// return nil, err
add a bit of code to aid debugging tests
4 years ago
// }
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
ast.Inspect(file, func(node ast.Node) bool {
imp, ok := node.(*ast.ImportSpec)
if !ok {
return true
}
path, err := strconv.Unquote(imp.Path.Value)
if err != nil {
panic(err) // should never happen
}
properly fix obfuscated imports with their package names (#245) The TODO I left there didn't take long to surface as a bug. If the package path ends with a word containing a hyphen, that's not a valid identifier, so we end up with invalid Go syntax. Add that test case, as well as one where an import was already named. To fix the issue, we just need to use the package name we got from 'go list -json'. Fixes #243.
3 years ago
if !isPrivate(path) {
return true
}
// We're importing an obfuscated package.
// Replace the import path with its obfuscated version.
// If the import was unnamed, give it the name of the
// original package name, to keep references working.
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
lpkg, err := listPackage(path)
if err != nil {
panic(err) // should never happen
}
newPath := hashWith(lpkg.GarbleActionID, path)
properly fix obfuscated imports with their package names (#245) The TODO I left there didn't take long to surface as a bug. If the package path ends with a word containing a hyphen, that's not a valid identifier, so we end up with invalid Go syntax. Add that test case, as well as one where an import was already named. To fix the issue, we just need to use the package name we got from 'go list -json'. Fixes #243.
3 years ago
imp.Path.Value = strconv.Quote(newPath)
if imp.Name == nil {
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
imp.Name = &ast.Ident{Name: lpkg.Name}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
}
return true
})
initial support for cgo I'm sure that the added test case doesn't cover many edge cases, but it's a start. Fixes #12.
4 years ago
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
if curPkgPath != "main" && isPrivate(curPkgPath) {
file.Name.Name = newPkgPath
}
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
tempFile, err := ioutil.TempFile(sharedTempDir, name+".*.go")
garbling imported packages starts being supported
5 years ago
if err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
garbling imported packages starts being supported
5 years ago
}
allow easy inpection of garbled code Fixes #17.
4 years ago
defer tempFile.Close()
Store obfuscated sources in object files (#158) Now the flag "-debugdir" does not trigger a full recompilation. Obfuscated source files are saved to object files and are extracted during linking.
4 years ago
obfSrc := &bytes.Buffer{}
printWriter := io.MultiWriter(tempFile, obfSrc)
allow easy inpection of garbled code Fixes #17.
4 years ago
rewrite go:linkname directives with garbled names (#200) If code includes a linkname directive pointing at a name in an imported package, like: //go:linkname localName importedpackage.RemoteName func localName() We should rewrite the comment to replace "RemoteName" with its obfuscated counterpart, if the package in question was obfuscated and that name was as well. We already had some code to handle linkname directives, but only to ensure that "localName" was never obfuscated. This behavior is kept, to ensure that the directive applies to the right name. In the future, we could instead rewrite "localName" in the directive, like we do with "RemoteName". Add plenty of tests, too. The linkname directive used to be tested in imports.txt and syntax.txt, but that was hard to maintain as each file tested different edge cases. Now that we have build caching, adding one extra testscript file isn't a big problem anymoree. Add linkname.txt, which is self-explanatory. The other two scripts also get a bit less complex. Fixes #197.
4 years ago
for _, comment := range detachedComments[i] {
reduce the amount of code to handle compiler directives (#199) First, we don't need the nameSpecialDirectives list as a separate thing. cgo types aren't obfuscated anymore, so the only item in that list that made a difference in the tests was go:linkname, which we'll overhaul soon. For now, keep its code around. Second, processDetachedDirectives can be replaced by just seven lines. Third, we don't need to separate build tag directives from the rest of the detached directives. Their relative order (with other comments) does not matater. Fourth and last, ranging over a nil slice is a no-op, so a nil check around a slice range is unnecessary. This is some prep work to make the patch to support go:linkname smaller and easier to review.
4 years ago
if _, err := printWriter.Write([]byte(comment + "\n")); err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
Update filename and add line number obfuscation (#94) Fixes #2. Line numbers are now obfuscated, via `//line` comments. Filenames are now obfuscated via `//line` comments, instead of changing the actual filename. New flag `-tiny` to reduce the binary size, at the cost of reversibility.
4 years ago
}
}
simplify the main code flow somewhat We don't really care about tools other than "compile" and "link". Stop trying to keep a complete list. Use "if err := f(); err != nil {" where it makes sense. Simplify some declarations, and use a better variable name than "fW".
4 years ago
if err := printConfig.Fprint(printWriter, fset, file); err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
garbling imported packages starts being supported
5 years ago
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
if opts.DebugDir != "" {
osPkgPath := filepath.FromSlash(curPkgPath)
pkgDebugDir := filepath.Join(opts.DebugDir, osPkgPath)
if err := os.MkdirAll(pkgDebugDir, 0o755); err != nil {
return nil, err
}
debugFilePath := filepath.Join(pkgDebugDir, origName)
debugFile, err := os.Create(debugFilePath)
if err != nil {
return nil, err
}
if err := printConfig.Fprint(debugFile, fset, file); err != nil {
return nil, err
}
if err := debugFile.Close(); err != nil {
return nil, err
}
}
allow easy inpection of garbled code Fixes #17.
4 years ago
if err := tempFile.Close(); err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
garbling imported packages starts being supported
5 years ago
}
Store obfuscated sources in object files (#158) Now the flag "-debugdir" does not trigger a full recompilation. Obfuscated source files are saved to object files and are extracted during linking.
4 years ago
if err := obfSrcTarWriter.WriteHeader(&tar.Header{
Name: name,
Mode: 0o755,
ModTime: time.Now(), // Need for restoring obfuscation time
Size: int64(obfSrc.Len()),
}); err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
Store obfuscated sources in object files (#158) Now the flag "-debugdir" does not trigger a full recompilation. Obfuscated source files are saved to object files and are extracted during linking.
4 years ago
}
if _, err := obfSrcTarWriter.Write(obfSrc.Bytes()); err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
Store obfuscated sources in object files (#158) Now the flag "-debugdir" does not trigger a full recompilation. Obfuscated source files are saved to object files and are extracted during linking.
4 years ago
}
allow easy inpection of garbled code Fixes #17.
4 years ago
always use the compiler's -dwarf=false flag (#96) First, our original append line was completely ineffective; we never used that "flags" slice again. Second, we only attempted to use the flag when we obfuscated a package. In fact, we never care about debugging information here, so for any package we compile, we can add "-dwarf=false". At the moment, we compile all packages, even if they aren't to be obfuscated, due to the lack of access to the build cache. As such, we save a significant amount of work. The numbers below were obtained on a quiet machine with "go test -bench=. -benchtime=10x", six times before and after the change. name old time/op new time/op delta Build-8 2.06s ± 4% 1.87s ± 2% -9.21% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 1.51s ± 2% 1.46s ± 1% -3.12% (p=0.004 n=6+5) name old user-time/op new user-time/op delta Build-8 11.9s ± 2% 10.8s ± 1% -8.71% (p=0.002 n=6+6) While at it, only do CI builds on pushes and PRs to the master branch, so that my PRs created from the same repo don't trigger duplicate builds.
4 years ago
newPaths = append(newPaths, tempFile.Name())
garbling imported packages starts being supported
5 years ago
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
flags = flagSetValue(flags, "-importcfg", newImportCfg)
speed up builds with the compiler's -dwarf=false flag Generating DWARF in the compiler object files could take as much as 10% extra CPU time, while we ignore it entirely at the link stage. Speeds up 'go test -short' from ~19.5s to ~18.5s on my laptop.
4 years ago
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return append(flags, newPaths...), nil
garbling imported packages starts being supported
5 years ago
}
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
// handleDirectives looks at all the comments in a file containing build
// directives, and does the necessary for the obfuscation process to work.
//
// Right now, this means recording what local names are used with go:linkname,
// and rewriting those directives to use obfuscated name from other packages.
func (tf *transformer) handleDirectives(comments []string) {
for i, comment := range comments {
if !strings.HasPrefix(comment, "//go:linkname ") {
continue
}
fields := strings.Fields(comment)
if len(fields) != 3 {
continue
}
// This directive has two arguments: "go:linkname localName newName"
localName := fields[1]
// The local name must not be obfuscated.
obj := tf.pkg.Scope().Lookup(localName)
if obj != nil {
tf.ignoreObjects[obj] = true
}
// If the new name is of the form "pkgpath.Name", and
// we've obfuscated "Name" in that package, rewrite the
// directive to use the obfuscated name.
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
target := strings.Split(fields[2], ".")
if len(target) != 2 {
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
continue
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
pkgPath, name := target[0], target[1]
if pkgPath == "runtime" && strings.HasPrefix(name, "cgo") {
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
continue // ignore cgo-generated linknames
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
if !isPrivate(pkgPath) {
fixed some bugs related to additional linkname corner cases (#210)
3 years ago
continue // ignore non-private symbols
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
lpkg, err := listPackage(pkgPath)
if err != nil {
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
continue // probably a made up symbol name
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
garbledPkg, _ := garbledImport(pkgPath)
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
if garbledPkg != nil && garbledPkg.Scope().Lookup(name) != nil {
continue // the name exists and was not garbled
}
// The name exists and was obfuscated; replace the
// comment with the obfuscated name.
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
newName := hashWith(lpkg.GarbleActionID, name)
newPkgPath := pkgPath
if pkgPath != "main" {
newPkgPath = hashWith(lpkg.GarbleActionID, pkgPath)
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
fields[2] = newPkgPath + "." + newName
obfuscate unexported names like exported ones (#227) In 90fa325da7, the obfuscation logic was changed to use hashes for exported names, but incremental names starting at just one letter for unexported names. Presumably, this was done for the sake of binary size. I argue that this is not a good idea for the default mode for a number of reasons: 1) It makes reversing of stack traces nearly impossible for unexported names, since replacing an obfuscated name "c" with "originalName" would trigger too many false positives by matching single characters. 2) Exported and unexported names aren't different. We need to know how names were obfuscated at a later time in both cases, thanks to use cases like -ldflags=-X. Using short names for one but not the other doesn't make a lot of sense, and makes the logic inconsistent. 3) Shaving off three bytes for unexported names doesn't seem like a huge deal for the default mode, when we already have -tiny to optimize for size. This saves us a bit of work, but most importantly, simplifies the obfuscation state as we no longer need to carry privateNameMap between the compile and link stages. name old time/op new time/op delta Build-8 153ms ± 2% 150ms ± 2% ~ (p=0.065 n=6+6) name old bin-B new bin-B delta Build-8 7.09M ± 0% 7.08M ± 0% -0.24% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 296ms ± 5% 277ms ± 6% -6.50% (p=0.026 n=6+6) name old user-time/op new user-time/op delta Build-8 562ms ± 1% 558ms ± 3% ~ (p=0.329 n=5+6) Note that I do not oppose using short names for both exported and unexported names in the future for -tiny, since reversing of stack traces will by design not work there. The code can be resurrected from the git history if we want to improve -tiny that way in the future, as we'd need to store state in header files again. Another major cleanup we can do here is to no longer use the garbledImports map. From a look at obfuscateImports, we hash a package's import path with its action ID, much like exported names, so we can simply re-do that hashing for the linker's -X flag. garbledImports does have some logic to handle duplicate package names, but it's worth noting that should not affect package paths, as they are always unique. That area of code could probably do with some simplification in the future, too. While at it, make hashWith panic if either parameter is empty. obfuscateImports was hashing the main package path without a salt due to a bug, so we want to catch those in the future. Finally, make some tiny spacing and typo tweaks to the README.
3 years ago
comments[i] = strings.Join(fields, " ")
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
}
}
obfuscate fewer std packages (#196) Previously, we were never obfuscating runtime and its direct dependencies. Unfortunately, due to linkname, the runtime package is actually closely related to dozens of other std packages as well. Until we can obfuscate the runtime and properly support go:linkname directives, obfuscating fewer std packages is a better outcome than breaking and not producing any obfuscated code at all. The added test case is building runtime/pprof, which used to cause failures: # runtime/pprof /go/src/runtime/pprof/label.go:27:21: undefined: context.Context /go/src/runtime/pprof/label.go:59:21: undefined: context.Context /go/src/runtime/pprof/label.go:93:16: undefined: context.Context /go/src/runtime/pprof/label.go:101:20: undefined: context.Context The net package was also very close to obfuscating properly thanks to this change, so its test is now run as well. The only other remaining fix was to not obfuscate fields on cgo types, since those aren't obfuscated at the moment. The map is pretty long, but it's only a temporary solution and the command to obtain the list again is included. Never obfuscating the entire std library is also an option, but it's a bit unnecessary. Fixes #134.
4 years ago
// runtimeRelated is a snapshot of all the packages runtime depends on, or
// packages which the runtime points to via go:linkname.
//
// Once we support go:linkname well and once we can obfuscate the runtime
// package, this entire map can likely go away.
//
update the list of runtime-related packages for 1.16 (#246) With a few extra lines, we can keep Go 1.15 support in the table too. Re-enables the goprivate.txt test for Go 1.16. While at it, make the script's use of grep a bit simpler with -E, which also uses the same syntax as Go's regexp. Its skip logic was also buggy, resulting in the macos results always being empty. Updates #124.
3 years ago
// The list was obtained via scripts/runtime-related.sh on Go 1.16.
obfuscate fewer std packages (#196) Previously, we were never obfuscating runtime and its direct dependencies. Unfortunately, due to linkname, the runtime package is actually closely related to dozens of other std packages as well. Until we can obfuscate the runtime and properly support go:linkname directives, obfuscating fewer std packages is a better outcome than breaking and not producing any obfuscated code at all. The added test case is building runtime/pprof, which used to cause failures: # runtime/pprof /go/src/runtime/pprof/label.go:27:21: undefined: context.Context /go/src/runtime/pprof/label.go:59:21: undefined: context.Context /go/src/runtime/pprof/label.go:93:16: undefined: context.Context /go/src/runtime/pprof/label.go:101:20: undefined: context.Context The net package was also very close to obfuscating properly thanks to this change, so its test is now run as well. The only other remaining fix was to not obfuscate fields on cgo types, since those aren't obfuscated at the moment. The map is pretty long, but it's only a temporary solution and the command to obtain the list again is included. Never obfuscating the entire std library is also an option, but it's a bit unnecessary. Fixes #134.
4 years ago
var runtimeRelated = map[string]bool{
update the list of runtime-related packages for 1.16 (#246) With a few extra lines, we can keep Go 1.15 support in the table too. Re-enables the goprivate.txt test for Go 1.16. While at it, make the script's use of grep a bit simpler with -E, which also uses the same syntax as Go's regexp. Its skip logic was also buggy, resulting in the macos results always being empty. Updates #124.
3 years ago
"bufio": true,
"bytes": true,
"compress/flate": true,
"compress/gzip": true,
"context": true,
"crypto/x509/internal/macos": true,
"encoding/binary": true,
"errors": true,
"fmt": true,
"hash": true,
"hash/crc32": true,
"internal/bytealg": true,
"internal/cpu": true,
"internal/fmtsort": true,
"internal/nettrace": true,
"internal/oserror": true,
"internal/poll": true,
"internal/race": true,
"internal/reflectlite": true,
"internal/singleflight": true,
"internal/syscall/execenv": true,
"internal/syscall/unix": true,
"internal/syscall/windows": true,
"internal/syscall/windows/registry": true,
"internal/syscall/windows/sysdll": true,
"internal/testlog": true,
"internal/unsafeheader": true,
"io": true,
"io/fs": true,
"math": true,
"math/bits": true,
"net": true,
"os": true,
"os/signal": true,
"path": true,
"plugin": true,
"reflect": true,
"runtime": true,
"runtime/cgo": true,
"runtime/debug": true,
"runtime/internal/atomic": true,
"runtime/internal/math": true,
"runtime/internal/sys": true,
"runtime/metrics": true,
"runtime/pprof": true,
"runtime/trace": true,
"sort": true,
"strconv": true,
"strings": true,
"sync": true,
"sync/atomic": true,
"syscall": true,
"text/tabwriter": true,
"time": true,
"unicode": true,
"unicode/utf16": true,
"unicode/utf8": true,
"unsafe": true,
"vendor/golang.org/x/net/dns/dnsmessage": true,
"vendor/golang.org/x/net/route": true,
// These packages were moved in Go 1.16, but 1.15's runtime still
// linknames to them.
"io/ioutil": true,
"path/filepath": true,
// Go 1.15's "net" package depends on "math/rand", but 1.16's does not.
// Keep it here to support 1.15.
"math/rand": true,
obfuscate fewer std packages (#196) Previously, we were never obfuscating runtime and its direct dependencies. Unfortunately, due to linkname, the runtime package is actually closely related to dozens of other std packages as well. Until we can obfuscate the runtime and properly support go:linkname directives, obfuscating fewer std packages is a better outcome than breaking and not producing any obfuscated code at all. The added test case is building runtime/pprof, which used to cause failures: # runtime/pprof /go/src/runtime/pprof/label.go:27:21: undefined: context.Context /go/src/runtime/pprof/label.go:59:21: undefined: context.Context /go/src/runtime/pprof/label.go:93:16: undefined: context.Context /go/src/runtime/pprof/label.go:101:20: undefined: context.Context The net package was also very close to obfuscating properly thanks to this change, so its test is now run as well. The only other remaining fix was to not obfuscate fields on cgo types, since those aren't obfuscated at the moment. The map is pretty long, but it's only a temporary solution and the command to obtain the list again is included. Never obfuscating the entire std library is also an option, but it's a bit unnecessary. Fixes #134.
4 years ago
}
add blacklist for runtime std packages
4 years ago
complain when GOPRIVATE matches no packages This is important, because it would mean that we would obfuscate nothing. At best, it would be confusing; at worst, it could mislead the user into thinking the binary is obfuscated. Fixes #20. Updates #108.
4 years ago
// isPrivate checks if GOPRIVATE matches path.
make selection of packages configurable via GOPRIVATE Carefully select a default that will do the right thing when inside a module, as well as when building ad-hoc packages. This means we no longer need to look at the compiler's -std flag, which is nice. Also replace foo.com/ with test/, as per golang/go#37641. Fixes #7.
4 years ago
//
// To allow using garble without GOPRIVATE for standalone main packages, it will
// default to not matching standard library packages.
complain when GOPRIVATE matches no packages This is important, because it would mean that we would obfuscate nothing. At best, it would be confusing; at worst, it could mislead the user into thinking the binary is obfuscated. Fixes #20. Updates #108.
4 years ago
func isPrivate(path string) bool {
make the handling of import paths more robust First, make isPrivate panic on malformed import paths, since that should never happen. This catches the errors that some users had run into with packages like gopkg.in/yaml.v2 and github.com/satori/go.uuid: panic: malformed import path "gopkg.in/garbletest%2ev2": invalid char '%' This seems to trigger when a module path contains a dot after the first element, *and* that module is fetched via the proxy. This results in the toolchain URL-encoding the second dot, and garble ends up seeing that encoded path. We reproduce this behavior with a fake gopkg.in module added to the test module proxy. Using yaml.v2 directly would have been easier, but it's pretty large. Note that we tried a replace directive, but that does not trigger the URL-encoding bug. Also note that we do not obfuscate the gopkg.in package; that's fine, as the isPrivate path validity check catches the bug either way. For now, make initImport use url.PathUnescape to work around this issue. The underlying bug is likely in either the goobj2 fork, or in the upstream Go toolchain itself. hashImport also gives a better error if it cannot find a package now, rather than just an "empty seed" panic. Finally, the sanity check in isPrivate unearthed the fact that we do not support garbling test packages at all, since they were invalid paths which never matched GOPRIVATE. Add an explicit check and TODO about that. Fixes #224. Fixes #228.
3 years ago
// isPrivate is used in lots of places, so use it as a way to sanity
// check that none of our package paths are invalid.
// This can happen if we end up with an escaped or corrupted path.
// TODO: Do we want to support obfuscating test packages?
// It is a bit tricky as their import paths are confusing, such as
// "test/bar.test" and "test/bar [test/bar.test]".
if strings.HasSuffix(path, ".test") || strings.HasSuffix(path, ".test]") {
return false
}
if err := module.CheckImportPath(path); err != nil {
panic(err)
}
obfuscate fewer std packages (#196) Previously, we were never obfuscating runtime and its direct dependencies. Unfortunately, due to linkname, the runtime package is actually closely related to dozens of other std packages as well. Until we can obfuscate the runtime and properly support go:linkname directives, obfuscating fewer std packages is a better outcome than breaking and not producing any obfuscated code at all. The added test case is building runtime/pprof, which used to cause failures: # runtime/pprof /go/src/runtime/pprof/label.go:27:21: undefined: context.Context /go/src/runtime/pprof/label.go:59:21: undefined: context.Context /go/src/runtime/pprof/label.go:93:16: undefined: context.Context /go/src/runtime/pprof/label.go:101:20: undefined: context.Context The net package was also very close to obfuscating properly thanks to this change, so its test is now run as well. The only other remaining fix was to not obfuscate fields on cgo types, since those aren't obfuscated at the moment. The map is pretty long, but it's only a temporary solution and the command to obtain the list again is included. Never obfuscating the entire std library is also an option, but it's a bit unnecessary. Fixes #134.
4 years ago
if runtimeRelated[path] {
add blacklist for runtime std packages
4 years ago
return false
}
complain when GOPRIVATE matches no packages This is important, because it would mean that we would obfuscate nothing. At best, it would be confusing; at worst, it could mislead the user into thinking the binary is obfuscated. Fixes #20. Updates #108.
4 years ago
if path == "main" || path == "command-line-arguments" || strings.HasPrefix(path, "plugin/unnamed") {
support building ad-hoc plugin packages That is, plugin packages by source file names, not by package path. Fixes #19.
4 years ago
// TODO: why don't we see the full package path for main
// packages? The linker has it at the top of -importcfg, but not
// the compiler.
make selection of packages configurable via GOPRIVATE Carefully select a default that will do the right thing when inside a module, as well as when building ad-hoc packages. This means we no longer need to look at the compiler's -std flag, which is nice. Also replace foo.com/ with test/, as per golang/go#37641. Fixes #7.
4 years ago
return true
}
update dependency versions, drop Go 1.14 Most notably, x/mod now includes the GOPRIVATE pattern-matching API we were copying before, so we can use it directly. Also bump the Go version requirement to 1.15, in preparation for the import path obfuscation PR, and don't let the gotip job fail the entire workflow.
4 years ago
return module.MatchPrefixPatterns(envGoPrivate, path)
make selection of packages configurable via GOPRIVATE Carefully select a default that will do the right thing when inside a module, as well as when building ad-hoc packages. This means we no longer need to look at the compiler's -std flag, which is nice. Also replace foo.com/ with test/, as per golang/go#37641. Fixes #7.
4 years ago
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
// fillBuildInfo initializes the global buildInfo struct via the supplied flags,
// and constructs a new importcfg with the obfuscated import paths changed as
// necessary.
func fillBuildInfo(flags []string) (newImportCfg string, _ error) {
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
importCfg := flagValue(flags, "-importcfg")
if importCfg == "" {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return "", fmt.Errorf("could not find -importcfg argument")
garbling imported packages starts being supported
5 years ago
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
data, err := ioutil.ReadFile(importCfg)
garbling imported packages starts being supported
5 years ago
if err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return "", err
garbling imported packages starts being supported
5 years ago
}
Use latest Binject/debug version to support importmap directives, fixes #146 (#189) * Use latest Binject/debug version to support importmap directives in the importcfg file * Uncomment line in goprivate testscript to test ImportMap * Fixed issue where a package in specified in importmap would be hashed differently in a package that imported it, due to the mapping of import paths. Also commented out the 'net' import in the goprivate testscript (again) due to cgo compile errors
4 years ago
importMap := make(map[string]string)
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
for _, line := range strings.SplitAfter(string(data), "\n") {
garbling imported packages starts being supported
5 years ago
line = strings.TrimSpace(line)
if line == "" || strings.HasPrefix(line, "#") {
start hashing identifiers
5 years ago
continue
}
garbling imported packages starts being supported
5 years ago
i := strings.Index(line, " ")
if i < 0 {
continue
}
Use latest Binject/debug version to support importmap directives, fixes #146 (#189) * Use latest Binject/debug version to support importmap directives in the importcfg file * Uncomment line in goprivate testscript to test ImportMap * Fixed issue where a package in specified in importmap would be hashed differently in a package that imported it, due to the mapping of import paths. Also commented out the 'net' import in the goprivate testscript (again) due to cgo compile errors
4 years ago
verb := line[:i]
switch verb {
case "importmap":
args := strings.TrimSpace(line[i+1:])
j := strings.Index(args, "=")
if j < 0 {
continue
}
beforePath, afterPath := args[:j], args[j+1:]
importMap[afterPath] = beforePath
case "packagefile":
args := strings.TrimSpace(line[i+1:])
j := strings.Index(args, "=")
if j < 0 {
continue
}
importPath, objectPath := args[:j], args[j+1:]
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
impPkg := importedPkg{packagefile: objectPath}
Use latest Binject/debug version to support importmap directives, fixes #146 (#189) * Use latest Binject/debug version to support importmap directives in the importcfg file * Uncomment line in goprivate testscript to test ImportMap * Fixed issue where a package in specified in importmap would be hashed differently in a package that imported it, due to the mapping of import paths. Also commented out the 'net' import in the goprivate testscript (again) due to cgo compile errors
4 years ago
buildInfo.imports[importPath] = impPkg
if otherPath, ok := importMap[importPath]; ok {
buildInfo.imports[otherPath] = impPkg
}
start hashing identifiers
5 years ago
}
}
garbling imported packages starts being supported
5 years ago
// log.Printf("%#v", buildInfo)
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
// Produce the modified importcfg file.
properly fix obfuscated imports with their package names (#245) The TODO I left there didn't take long to surface as a bug. If the package path ends with a word containing a hyphen, that's not a valid identifier, so we end up with invalid Go syntax. Add that test case, as well as one where an import was already named. To fix the issue, we just need to use the package name we got from 'go list -json'. Fixes #243.
3 years ago
// This is mainly replacing the obfuscated paths.
// Note that we range over maps, so this is non-deterministic, but that
// should not matter as the file is treated like a lookup table.
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
newCfg, err := ioutil.TempFile(sharedTempDir, "importcfg")
if err != nil {
return "", err
}
for beforePath, afterPath := range importMap {
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
if isPrivate(beforePath) {
println(beforePath, afterPath)
pkg, err := listPackage(beforePath)
if err != nil {
panic(err) // shouldn't happen
}
afterPath = hashWith(pkg.GarbleActionID, afterPath)
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
}
fmt.Fprintf(newCfg, "importmap %s=%s\n", beforePath, afterPath)
}
for impPath, pkg := range buildInfo.imports {
if isPrivate(impPath) {
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
pkg, err := listPackage(impPath)
if err != nil {
panic(err) // shouldn't happen
}
impPath = hashWith(pkg.GarbleActionID, impPath)
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
}
fmt.Fprintf(newCfg, "packagefile %s=%s\n", impPath, pkg.packagefile)
}
if err := newCfg.Close(); err != nil {
return "", err
}
return newCfg.Name(), nil
garbling imported packages starts being supported
5 years ago
}
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
// recordReflectArgs collects all the objects in a package which are known to be
// used as arguments to reflect.TypeOf or reflect.ValueOf. Since we obfuscate
// one package at a time, we only detect those if the type definition and the
// reflect usage are both in the same package.
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
//
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
// The resulting map mainly contains named types and their field declarations.
func (tf *transformer) recordReflectArgs(files []*ast.File) {
tf.ignoreObjects = make(map[types.Object]bool)
simplify detection of reflection
4 years ago
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
visitReflectArg := func(node ast.Node) bool {
Allow struct fields to be garbled, fixes #48 (#159) * Allow struct fields to be garbled, fixes #48 * fix syntax test script * simplified code according to review
4 years ago
expr, _ := node.(ast.Expr) // info.TypeOf(nil) will just return nil
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
named := namedType(tf.info.TypeOf(expr))
simplify detection of reflection
4 years ago
if named == nil {
return true
}
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
obj := named.Obj()
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
if obj == nil || obj.Pkg() != tf.pkg {
simplify detection of reflection
4 years ago
return true
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
}
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
recordStruct(named, tf.ignoreObjects)
simplify detection of reflection
4 years ago
return true
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
}
simplify detection of reflection
4 years ago
make detection of reflect more robust It now works with variables and composite type expressions too.
4 years ago
visit := func(node ast.Node) bool {
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
if opts.GarbleLiterals {
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
// TODO: use transformer here?
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
literals.RecordUsedAsConstants(node, tf.info, tf.ignoreObjects)
skip literals used in constant expressions Fixes #39.
4 years ago
}
make detection of reflect more robust It now works with variables and composite type expressions too.
4 years ago
call, ok := node.(*ast.CallExpr)
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
if !ok {
return true
}
make detection of reflect more robust It now works with variables and composite type expressions too.
4 years ago
sel, ok := call.Fun.(*ast.SelectorExpr)
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
if !ok {
return true
}
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
fnType := tf.info.ObjectOf(sel.Sel)
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
add basic literal obfuscation, starting with strings Fixes #16.
4 years ago
if fnType.Pkg() == nil {
return true
}
make detection of reflect more robust It now works with variables and composite type expressions too.
4 years ago
if fnType.Pkg().Path() == "reflect" && (fnType.Name() == "TypeOf" || fnType.Name() == "ValueOf") {
simplify detection of reflection
4 years ago
for _, arg := range call.Args {
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
ast.Inspect(arg, visitReflectArg)
simplify detection of reflection
4 years ago
}
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
}
return true
}
for _, file := range files {
make detection of reflect more robust It now works with variables and composite type expressions too.
4 years ago
ast.Inspect(file, visit)
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
}
}
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
// transformer holds all the information and state necessary to obfuscate a
// single Go package.
type transformer struct {
// The type-checking results; the package itself, and the Info struct.
pkg *types.Package
info *types.Info
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
// ignoreObjects records all the objects we cannot obfuscate. An object
// is any named entity, such as a declared variable or type.
//
// So far, this map records:
//
// * Types which are used for reflection; see recordReflectArgs.
// * Identifiers used in constant expressions; see RecordUsedAsConstants.
// * Identifiers used in go:linkname directives; see handleDirectives.
// * Types or variables from external packages which were not
// obfuscated, for caching reasons; see transformGo.
ignoreObjects map[types.Object]bool
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
}
support type switches with symbolic vars
5 years ago
// transformGo garbles the provided Go syntax node.
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
func (tf *transformer) transformGo(file *ast.File) *ast.File {
support type switches with symbolic vars
5 years ago
pre := func(cursor *astutil.Cursor) bool {
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
node, ok := cursor.Node().(*ast.Ident)
if !ok {
return true
}
if node.Name == "_" {
return true // unnamed remains unnamed
}
if strings.HasPrefix(node.Name, "_C") || strings.Contains(node.Name, "_cgo") {
return true // don't mess with cgo-generated code
}
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
obj := tf.info.ObjectOf(node)
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
if obj == nil {
return true
}
pkg := obj.Pkg()
first version of plugins working Add a caveat about -trimpath too. Fixes #18.
4 years ago
if vr, ok := obj.(*types.Var); ok && vr.Embedded() {
// ObjectOf returns the field for embedded struct
// fields, not the type it uses. Use the type.
handle embedded struct fields with universe scope Whilst it may not be particularly common, it is legal to embed fields where the type has universe scope (e.g. int, error, etc). This can cause a panic in 2 difference places: - When embedding `error`, a named type is resolved but the package is nil. The call to `pkg.Name()` results in a panic - When embedding a basic type such as `int`, no named type is resolved at all. The call to `namedType(obj.Type()).Obj()` results in a panic I'm assuming it is OK to return early when a named type cannot be resolved.. we could let it continue but I think `pkg` should be set to nil to be correct, so it'd end up returning straight away anyway.
4 years ago
named := namedType(obj.Type())
if named == nil {
return true // unnamed type (probably a basic type, e.g. int)
}
obj = named.Obj()
first version of plugins working Add a caveat about -trimpath too. Fixes #18.
4 years ago
pkg = obj.Pkg()
}
handle embedded struct fields with universe scope Whilst it may not be particularly common, it is legal to embed fields where the type has universe scope (e.g. int, error, etc). This can cause a panic in 2 difference places: - When embedding `error`, a named type is resolved but the package is nil. The call to `pkg.Name()` results in a panic - When embedding a basic type such as `int`, no named type is resolved at all. The call to `namedType(obj.Type()).Obj()` results in a panic I'm assuming it is OK to return early when a named type cannot be resolved.. we could let it continue but I think `pkg` should be set to nil to be correct, so it'd end up returning straight away anyway.
4 years ago
if pkg == nil {
return true // universe scope
}
first version of plugins working Add a caveat about -trimpath too. Fixes #18.
4 years ago
if pkg.Name() == "main" && obj.Exported() && obj.Parent() == pkg.Scope() {
// TODO: only do this when -buildmode is plugin? what
// about other -buildmode options?
return true // could be a Go plugin API
}
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
// We don't want to obfuscate this object.
if tf.ignoreObjects[obj] {
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
return true
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
}
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
path := pkg.Path()
if !isPrivate(path) {
return true // only private packages are transformed
}
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
// log.Printf("%#v %T", node, obj)
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
parentScope := obj.Parent()
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
switch x := obj.(type) {
case *types.Var:
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
if parentScope != nil && parentScope != pkg.Scope() {
Only obfuscate required identifiers (#79) The following identifiers are now skipped, because they never show up in the binary: - constant identifiers - identifiers of local variables (includes function params and named returns) - identifiers of local types
4 years ago
// identifiers of non-global variables never show up in the binary
return true
}
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
// if the struct of this field was not garbled, do not garble
// any of that struct's fields
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
if parentScope != tf.pkg.Scope() && x.IsField() && !x.Embedded() {
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
parent, ok := cursor.Parent().(*ast.SelectorExpr)
if !ok {
break
}
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
parentType := tf.info.TypeOf(parent.X)
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
if parentType == nil {
break
}
named := namedType(parentType)
if named == nil {
break
}
obfuscate fewer std packages (#196) Previously, we were never obfuscating runtime and its direct dependencies. Unfortunately, due to linkname, the runtime package is actually closely related to dozens of other std packages as well. Until we can obfuscate the runtime and properly support go:linkname directives, obfuscating fewer std packages is a better outcome than breaking and not producing any obfuscated code at all. The added test case is building runtime/pprof, which used to cause failures: # runtime/pprof /go/src/runtime/pprof/label.go:27:21: undefined: context.Context /go/src/runtime/pprof/label.go:59:21: undefined: context.Context /go/src/runtime/pprof/label.go:93:16: undefined: context.Context /go/src/runtime/pprof/label.go:101:20: undefined: context.Context The net package was also very close to obfuscating properly thanks to this change, so its test is now run as well. The only other remaining fix was to not obfuscate fields on cgo types, since those aren't obfuscated at the moment. The map is pretty long, but it's only a temporary solution and the command to obtain the list again is included. Never obfuscating the entire std library is also an option, but it's a bit unnecessary. Fixes #134.
4 years ago
if name := named.Obj().Name(); strings.HasPrefix(name, "_Ctype") {
// A field accessor on a cgo type, such as a C struct.
// We're not obfuscating cgo names.
return true
}
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
if garbledPkg, _ := garbledImport(path); garbledPkg != nil {
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
if garbledPkg.Scope().Lookup(named.Obj().Name()) != nil {
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
recordStruct(named, tf.ignoreObjects)
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
return true
}
}
}
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
case *types.TypeName:
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
if parentScope != pkg.Scope() {
Only obfuscate required identifiers (#79) The following identifiers are now skipped, because they never show up in the binary: - constant identifiers - identifiers of local variables (includes function params and named returns) - identifiers of local types
4 years ago
// identifiers of non-global types never show up in the binary
return true
}
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
// if the type was not garbled in the package were it was defined,
// do not garble it here
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
if parentScope != tf.pkg.Scope() {
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
named := namedType(x.Type())
if named == nil {
break
}
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
if garbledPkg, _ := garbledImport(path); garbledPkg != nil {
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
if garbledPkg.Scope().Lookup(x.Name()) != nil {
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
recordStruct(named, tf.ignoreObjects)
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
return true
}
}
}
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
case *types.Func:
sign := obj.Type().(*types.Signature)
if obj.Exported() && sign.Recv() != nil {
return true // might implement an interface
initial support for cgo I'm sure that the added test case doesn't cover many edge cases, but it's a start. Fixes #12.
4 years ago
}
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
if implementedOutsideGo(x) {
return true // give up in this case
}
switch node.Name {
case "main", "init", "TestMain":
return true // don't break them
}
if strings.HasPrefix(node.Name, "Test") && isTestSignature(sign) {
return true // don't break tests
}
default:
return true // we only want to rename the above
}
fix garbling names belonging to indirect imports (#203) main.go includes a lengthy comment that documents this edge case, why it happened, and how we are fixing it. To summarize, we should no longer error with a build error in those cases. Read the comment for details. A few other minor changes were done to allow writing this patch. First, the actionID and contentID funcs were renamed, since they started to collide with variable names. Second, the logging has been improved a bit, which allowed me to debug the issue. Third, the "cache" global shared by all garble sub-processes now includes the necessary parameters to run "go list -toolexec", including the path to garble and the build flags being used. Thanks to lu4p for writing a test case, which also applied gofmt to that testdata Go file. Fixes #180. Closes #181, since it includes its test case.
4 years ago
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
lpkg, err := listPackage(path)
if err != nil {
panic(err) // shouldn't happen
fix garbling names belonging to indirect imports (#203) main.go includes a lengthy comment that documents this edge case, why it happened, and how we are fixing it. To summarize, we should no longer error with a build error in those cases. Read the comment for details. A few other minor changes were done to allow writing this patch. First, the actionID and contentID funcs were renamed, since they started to collide with variable names. Second, the logging has been improved a bit, which allowed me to debug the issue. Third, the "cache" global shared by all garble sub-processes now includes the necessary parameters to run "go list -toolexec", including the path to garble and the build flags being used. Thanks to lu4p for writing a test case, which also applied gofmt to that testdata Go file. Fixes #180. Closes #181, since it includes its test case.
4 years ago
}
// TODO: Make this check less prone to bugs, like the one we had
// with indirect dependencies. If "path" is not our current
// package, then it must exist in buildInfo.imports. Otherwise
// we should panic.
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
if buildInfo.imports[path].packagefile != "" {
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
garbledPkg, err := garbledImport(path)
if err != nil {
panic(err) // shouldn't happen
garbling imported packages starts being supported
5 years ago
}
clean up global buildInfo a bit, fix up godocs The struct type for buildInfo doesn't need to be named. Plus, the "packageInfo" name was actually pretty misleading, because buildInfo contains data from many packages. Add an importCfg field, so that we don't need to fetch the flag value many times. Simplify reading the importCfg file; we used to also write to it, but that's no longer the case, so we can just use ioutil.ReadFile. Finally, give the function that fills buildInfo a better name, a godoc, and fix the origTypesConfig godoc. We also add a TODO to reuse goobj.ParseImportCfg in the future.
4 years ago
// Check if the imported name wasn't garbled, e.g. if it's assembly.
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
// If the object returned from the garbled package's scope has a different type as the object
// we're searching for, they are most likely two separate objects with the same name, so ok to garble
if o := garbledPkg.Scope().Lookup(obj.Name()); o != nil && reflect.TypeOf(o) == reflect.TypeOf(obj) {
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
return true
start hashing identifiers
5 years ago
}
}
Rewrite renaming logic for private names and reduce length of public names (#135) 1. Now private names are obfuscated based on the counter in scope of the package. 2. The length of public names is reduced to 4 bytes.
4 years ago
fix garbling names belonging to indirect imports (#203) main.go includes a lengthy comment that documents this edge case, why it happened, and how we are fixing it. To summarize, we should no longer error with a build error in those cases. Read the comment for details. A few other minor changes were done to allow writing this patch. First, the actionID and contentID funcs were renamed, since they started to collide with variable names. Second, the logging has been improved a bit, which allowed me to debug the issue. Third, the "cache" global shared by all garble sub-processes now includes the necessary parameters to run "go list -toolexec", including the path to garble and the build flags being used. Thanks to lu4p for writing a test case, which also applied gofmt to that testdata Go file. Fixes #180. Closes #181, since it includes its test case.
4 years ago
origName := node.Name
_ = origName // used for debug prints below
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
node.Name = hashWith(lpkg.GarbleActionID, node.Name)
// log.Printf("%q hashed with %x to %q", origName, lpkg.GarbleActionID, node.Name)
start hashing identifiers
5 years ago
return true
support type switches with symbolic vars
5 years ago
}
initial support for cgo I'm sure that the added test case doesn't cover many edge cases, but it's a start. Fixes #12.
4 years ago
return astutil.Apply(file, pre, nil).(*ast.File)
start hashing identifiers
5 years ago
}
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
// recordStruct adds the given named type to the map, plus all of its fields if
// it is a struct. This function is mainly used for types used via reflection,
// so we want to record their members too.
func recordStruct(named *types.Named, m map[types.Object]bool) {
m[named.Obj()] = true
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
strct, ok := named.Underlying().(*types.Struct)
if !ok {
return
}
for i := 0; i < strct.NumFields(); i++ {
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
m[strct.Field(i)] = true
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
}
}
start supporting asm functions better Spotted while trying to link a program using unix.Syscall, since its implementation is assembly. Telling if a function couldn't be garbled isn't trivial. If that function belongs to an imported package, we only load its export data instead of type-checking from source, so we don't have all the information needed. Instead, use the gc export data importer to import two versions of each dependency: its original version, for the initial type-checking, and its garbled version, to check if any of its exported names weren't garbled. Updates #9.
4 years ago
// implementedOutsideGo returns whether a *types.Func does not have a body, for
don't remove "//go:" compile directives For example, this broke cgo, since it uses go:linkname. Updates #12.
4 years ago
// example when it's implemented in assembly, or when one uses go:linkname.
start supporting asm functions better Spotted while trying to link a program using unix.Syscall, since its implementation is assembly. Telling if a function couldn't be garbled isn't trivial. If that function belongs to an imported package, we only load its export data instead of type-checking from source, so we don't have all the information needed. Instead, use the gc export data importer to import two versions of each dependency: its original version, for the initial type-checking, and its garbled version, to check if any of its exported names weren't garbled. Updates #9.
4 years ago
//
// Note that this function can only return true if the obj parameter was
// type-checked from source - that is, if it's the top-level package we're
// building. Dependency packages, whose type information comes from export data,
// do not differentiate these "external funcs" in any way.
func implementedOutsideGo(obj *types.Func) bool {
return obj.Type().(*types.Signature).Recv() == nil &&
fix implementedOutsideGo, fixes #56 (#59) Injected functions were mistaken for functions implemented outside go. Asm functions: obj.Scope().Pos() == 0 obj.Scope().End() == 0 Injected functions: obj.Scope().Pos() == 0 obj.Scope().End() == 1 We now check for the End instead of the Pos.
4 years ago
(obj.Scope() != nil && obj.Scope().End() == token.NoPos)
start supporting asm functions better Spotted while trying to link a program using unix.Syscall, since its implementation is assembly. Telling if a function couldn't be garbled isn't trivial. If that function belongs to an imported package, we only load its export data instead of type-checking from source, so we don't have all the information needed. Instead, use the gc export data importer to import two versions of each dependency: its original version, for the initial type-checking, and its garbled version, to check if any of its exported names weren't garbled. Updates #9.
4 years ago
}
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
// named tries to obtain the *types.Named behind a type, if there is one.
// This is useful to obtain "testing.T" from "*testing.T", or to obtain the type
// declaration object from an embedded field.
func namedType(t types.Type) *types.Named {
don't panic with struct pointer anonymous fields While at it, make the "object of type" code shared and more robust.
5 years ago
switch t := t.(type) {
case *types.Named:
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
return t
don't panic with struct pointer anonymous fields While at it, make the "object of type" code shared and more robust.
5 years ago
case interface{ Elem() types.Type }:
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
return namedType(t.Elem())
don't panic with struct pointer anonymous fields While at it, make the "object of type" code shared and more robust.
5 years ago
default:
return nil
}
}
add initial support for running tests For now, it mainly consists of not garbling Test* funcs, and not garbling the _testmain.go file that will run them. Updates #6.
5 years ago
// isTestSignature returns true if the signature matches "func _(*testing.T)".
func isTestSignature(sign *types.Signature) bool {
if sign.Recv() != nil {
avoid panic on funcs that almost look like tests (#235) The added test case used to crash garble: panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x8fe71b] goroutine 1 [running]: golang.org/x/tools/go/ast/astutil.Apply.func1(0xc0001e8880, 0xc000221570) /go/pkg/mod/golang.org/x/tools@v0.0.0-20210115202250-e0d201561e39/go/ast/astutil/rewrite.go:47 +0x97 panic(0x975bc0, 0xd6c610) /sdk/go1.15.8/src/runtime/panic.go:969 +0x1b9 go/types.(*Named).Obj(...) /sdk/go1.15.8/src/go/types/type.go:473 mvdan.cc/garble.isTestSignature(0xc0001e7080, 0xa02e84) /src/garble/main.go:1170 +0x7b mvdan.cc/garble.(*transformer).transformGo.func2(0xc000122df0, 0xaac301) /src/garble/main.go:1028 +0xff1 We were assuming that the first parameter was a named type, but that might not be the case. This crash was found out in the wild, from which a minimal repro was written. We add two variants of it to the test data, just in case.
3 years ago
return false // test funcs don't have receivers
add initial support for running tests For now, it mainly consists of not garbling Test* funcs, and not garbling the _testmain.go file that will run them. Updates #6.
5 years ago
}
params := sign.Params()
if params.Len() != 1 {
avoid panic on funcs that almost look like tests (#235) The added test case used to crash garble: panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x8fe71b] goroutine 1 [running]: golang.org/x/tools/go/ast/astutil.Apply.func1(0xc0001e8880, 0xc000221570) /go/pkg/mod/golang.org/x/tools@v0.0.0-20210115202250-e0d201561e39/go/ast/astutil/rewrite.go:47 +0x97 panic(0x975bc0, 0xd6c610) /sdk/go1.15.8/src/runtime/panic.go:969 +0x1b9 go/types.(*Named).Obj(...) /sdk/go1.15.8/src/go/types/type.go:473 mvdan.cc/garble.isTestSignature(0xc0001e7080, 0xa02e84) /src/garble/main.go:1170 +0x7b mvdan.cc/garble.(*transformer).transformGo.func2(0xc000122df0, 0xaac301) /src/garble/main.go:1028 +0xff1 We were assuming that the first parameter was a named type, but that might not be the case. This crash was found out in the wild, from which a minimal repro was written. We add two variants of it to the test data, just in case.
3 years ago
return false // too many parameters for a test func
}
named := namedType(params.At(0).Type())
if named == nil {
return false // the only parameter isn't named, like "string"
add initial support for running tests For now, it mainly consists of not garbling Test* funcs, and not garbling the _testmain.go file that will run them. Updates #6.
5 years ago
}
avoid panic on funcs that almost look like tests (#235) The added test case used to crash garble: panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x8fe71b] goroutine 1 [running]: golang.org/x/tools/go/ast/astutil.Apply.func1(0xc0001e8880, 0xc000221570) /go/pkg/mod/golang.org/x/tools@v0.0.0-20210115202250-e0d201561e39/go/ast/astutil/rewrite.go:47 +0x97 panic(0x975bc0, 0xd6c610) /sdk/go1.15.8/src/runtime/panic.go:969 +0x1b9 go/types.(*Named).Obj(...) /sdk/go1.15.8/src/go/types/type.go:473 mvdan.cc/garble.isTestSignature(0xc0001e7080, 0xa02e84) /src/garble/main.go:1170 +0x7b mvdan.cc/garble.(*transformer).transformGo.func2(0xc000122df0, 0xaac301) /src/garble/main.go:1028 +0xff1 We were assuming that the first parameter was a named type, but that might not be the case. This crash was found out in the wild, from which a minimal repro was written. We add two variants of it to the test data, just in case.
3 years ago
obj := named.Obj()
don't panic with struct pointer anonymous fields While at it, make the "object of type" code shared and more robust.
5 years ago
return obj != nil && obj.Pkg().Path() == "testing" && obj.Name() == "T"
add initial support for running tests For now, it mainly consists of not garbling Test* funcs, and not garbling the _testmain.go file that will run them. Updates #6.
5 years ago
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
func transformLink(args []string) ([]string, error) {
initial support for build caching (#142) As per the discussion in https://github.com/golang/go/issues/41145, it turns out that we don't need special support for build caching in -toolexec. We can simply modify the behavior of "[...]/compile -V=full" and "[...]/link -V=full" so that they include garble's own version and options in the printed build ID. The part of the build ID that matters is the last, since it's the "content ID" which is used to work out whether there is a need to redo the action (build) or not. Since cmd/go parses the last word in the output as "buildID=...", we simply add "+garble buildID=_/_/_/${hash}". The slashes let us imitate a full binary build ID, but we assume that the other components such as the action ID are not necessary, since the only reader here is cmd/go and it only consumes the content ID. The reported content ID includes the tool's original content ID, garble's own content ID from the built binary, and the garble options which modify how we obfuscate code. If any of the three changes, we should use a different build cache key. GOPRIVATE also affects caching, since a different GOPRIVATE value means that we might have to garble a different set of packages. Include tests, which mainly check that 'garble build -v' prints package lines when we expect to always need to rebuild packages, and that it prints nothing when we should be reusing the build cache even when the built binary is missing. After this change, 'go test' on Go 1.15.2 stabilizes at about 8s on my machine, whereas it used to be at around 25s before.
4 years ago
// We can't split by the ".a" extension, because cached object files
// lack any extension.
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
flags, args := splitFlagsFromArgs(args)
Garble imports and package paths in GOPRIVATE (#116) Finally, finally this is done. This allows import paths to be obfuscated by modifying object/archive files and garbling import paths contained within. The bulk of the code that makes parsing and writing Go object/archive files possible lives at https://github.com/Binject/debug/tree/master/goobj2, which I wrote as well. I have tested by garbling and checking for import paths via strings and grep (in order of difficulty) https://github.com/lu4p/binclude, garble itself, and https://github.com/dominikh/go-tools/tree/master/cmd/staticcheck. This only supports object/archive files produced from the Go 1.15 compiler. The object file format changed at 1.15, and 1.14 and earlier is not supported. Fixes #13.
4 years ago
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
curPkg = cache.ListedPackages[cache.MainImportPath]
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
newImportCfg, err := fillBuildInfo(flags)
Garble imports and package paths in GOPRIVATE (#116) Finally, finally this is done. This allows import paths to be obfuscated by modifying object/archive files and garbling import paths contained within. The bulk of the code that makes parsing and writing Go object/archive files possible lives at https://github.com/Binject/debug/tree/master/goobj2, which I wrote as well. I have tested by garbling and checking for import paths via strings and grep (in order of difficulty) https://github.com/lu4p/binclude, garble itself, and https://github.com/dominikh/go-tools/tree/master/cmd/staticcheck. This only supports object/archive files produced from the Go 1.15 compiler. The object file format changed at 1.15, and 1.14 and earlier is not supported. Fixes #13.
4 years ago
if err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
Garble imports and package paths in GOPRIVATE (#116) Finally, finally this is done. This allows import paths to be obfuscated by modifying object/archive files and garbling import paths contained within. The bulk of the code that makes parsing and writing Go object/archive files possible lives at https://github.com/Binject/debug/tree/master/goobj2, which I wrote as well. I have tested by garbling and checking for import paths via strings and grep (in order of difficulty) https://github.com/lu4p/binclude, garble itself, and https://github.com/dominikh/go-tools/tree/master/cmd/staticcheck. This only supports object/archive files produced from the Go 1.15 compiler. The object file format changed at 1.15, and 1.14 and earlier is not supported. Fixes #13.
4 years ago
}
// Make sure -X works with garbled identifiers. To cover both garbled
// and non-garbled names, duplicate each flag with a garbled version.
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
flagValueIter(flags, "-X", func(val string) {
// val is in the form of "pkg.name=str"
i := strings.IndexByte(val, '=')
if i <= 0 {
return
}
name := val[:i]
str := val[i+1:]
Handle ldflags set variable with . in package name Fixes #84
4 years ago
j := strings.LastIndexByte(name, '.')
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
if j <= 0 {
return
}
pkg := name[:j]
name = name[j+1:]
pkgPath := pkg
if pkgPath == "main" {
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
pkgPath = cache.MainImportPath
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
id := cache.ListedPackages[pkgPath].GarbleActionID
obfuscate unexported names like exported ones (#227) In 90fa325da7, the obfuscation logic was changed to use hashes for exported names, but incremental names starting at just one letter for unexported names. Presumably, this was done for the sake of binary size. I argue that this is not a good idea for the default mode for a number of reasons: 1) It makes reversing of stack traces nearly impossible for unexported names, since replacing an obfuscated name "c" with "originalName" would trigger too many false positives by matching single characters. 2) Exported and unexported names aren't different. We need to know how names were obfuscated at a later time in both cases, thanks to use cases like -ldflags=-X. Using short names for one but not the other doesn't make a lot of sense, and makes the logic inconsistent. 3) Shaving off three bytes for unexported names doesn't seem like a huge deal for the default mode, when we already have -tiny to optimize for size. This saves us a bit of work, but most importantly, simplifies the obfuscation state as we no longer need to carry privateNameMap between the compile and link stages. name old time/op new time/op delta Build-8 153ms ± 2% 150ms ± 2% ~ (p=0.065 n=6+6) name old bin-B new bin-B delta Build-8 7.09M ± 0% 7.08M ± 0% -0.24% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 296ms ± 5% 277ms ± 6% -6.50% (p=0.026 n=6+6) name old user-time/op new user-time/op delta Build-8 562ms ± 1% 558ms ± 3% ~ (p=0.329 n=5+6) Note that I do not oppose using short names for both exported and unexported names in the future for -tiny, since reversing of stack traces will by design not work there. The code can be resurrected from the git history if we want to improve -tiny that way in the future, as we'd need to store state in header files again. Another major cleanup we can do here is to no longer use the garbledImports map. From a look at obfuscateImports, we hash a package's import path with its action ID, much like exported names, so we can simply re-do that hashing for the linker's -X flag. garbledImports does have some logic to handle duplicate package names, but it's worth noting that should not affect package paths, as they are always unique. That area of code could probably do with some simplification in the future, too. While at it, make hashWith panic if either parameter is empty. obfuscateImports was hashing the main package path without a salt due to a bug, so we want to catch those in the future. Finally, make some tiny spacing and typo tweaks to the README.
3 years ago
newName := hashWith(id, name)
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
newPkg := pkg
if pkg != "main" && isPrivate(pkg) {
newPkg = hashWith(id, pkg)
}
flags = append(flags, fmt.Sprintf("-X=%s.%s=%s", newPkg, newName, str))
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
})
strip buildid information from linked binaries Otherwise, one can use 'go tool buildid' to obtain the main package's build ID, which can make de-obfuscating the main package much simpler. Fixes #43.
4 years ago
// Ensure we strip the -buildid flag, to not leak any build IDs for the
// link operation or the main package's compilation.
flags = flagSetValue(flags, "-buildid", "")
speed up builds with the compiler's -dwarf=false flag Generating DWARF in the compiler object files could take as much as 10% extra CPU time, while we ignore it entirely at the link stage. Speeds up 'go test -short' from ~19.5s to ~18.5s on my laptop.
4 years ago
// Strip debug information and symbol tables.
start enforcing the link flags -w -s
5 years ago
flags = append(flags, "-w", "-s")
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
flags = flagSetValue(flags, "-importcfg", newImportCfg)
return append(flags, args...), nil
start enforcing the link flags -w -s
5 years ago
}
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
func splitFlagsFromArgs(all []string) (flags, args []string) {
for i := 0; i < len(all); i++ {
arg := all[i]
if !strings.HasPrefix(arg, "-") {
always use the compiler's -dwarf=false flag (#96) First, our original append line was completely ineffective; we never used that "flags" slice again. Second, we only attempted to use the flag when we obfuscated a package. In fact, we never care about debugging information here, so for any package we compile, we can add "-dwarf=false". At the moment, we compile all packages, even if they aren't to be obfuscated, due to the lack of access to the build cache. As such, we save a significant amount of work. The numbers below were obtained on a quiet machine with "go test -bench=. -benchtime=10x", six times before and after the change. name old time/op new time/op delta Build-8 2.06s ± 4% 1.87s ± 2% -9.21% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 1.51s ± 2% 1.46s ± 1% -3.12% (p=0.004 n=6+5) name old user-time/op new user-time/op delta Build-8 11.9s ± 2% 10.8s ± 1% -8.71% (p=0.002 n=6+6) While at it, only do CI builds on pushes and PRs to the master branch, so that my PRs created from the same repo don't trigger duplicate builds.
4 years ago
return all[:i:i], all[i:]
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
}
if booleanFlags[arg] || strings.Contains(arg, "=") {
// Either "-bool" or "-name=value".
continue
}
// "-name value", so the next arg is part of this flag.
i++
}
return all, nil
}
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
// buildFlags is obtained from 'go help build' as of Go 1.15.
var buildFlags = map[string]bool{
"-a": true,
"-n": true,
"-p": true,
"-race": true,
"-msan": true,
"-v": true,
"-work": true,
"-x": true,
"-asmflags": true,
"-buildmode": true,
"-compiler": true,
"-gccgoflags": true,
"-gcflags": true,
"-installsuffix": true,
"-ldflags": true,
"-linkshared": true,
"-mod": true,
"-modcacherw": true,
"-modfile": true,
"-pkgdir": true,
"-tags": true,
"-trimpath": true,
"-toolexec": true,
}
// booleanFlags is obtained from 'go help build' and 'go help testflag' as of Go
// 1.15.
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
var booleanFlags = map[string]bool{
// Shared build flags.
"-a": true,
"-i": true,
"-n": true,
"-v": true,
"-x": true,
"-race": true,
"-msan": true,
"-linkshared": true,
"-modcacherw": true,
"-trimpath": true,
// Test flags (TODO: support its special -args flag)
"-c": true,
"-json": true,
"-cover": true,
"-failfast": true,
"-short": true,
"-benchmem": true,
}
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
func filterBuildFlags(flags []string) (filtered []string) {
for i := 0; i < len(flags); i++ {
arg := flags[i]
name := arg
if i := strings.IndexByte(arg, '='); i > 0 {
name = arg[:i]
}
buildFlag := buildFlags[name]
if buildFlag {
filtered = append(filtered, arg)
}
if booleanFlags[arg] || strings.Contains(arg, "=") {
// Either "-bool" or "-name=value".
continue
}
// "-name value", so the next arg is part of this flag.
properly skip non-build flags for 'go list' If the flags list included ["-o" "binary"], we would properly skip "-o", but we wouldn't skip "binary". Thus, 'go list' would receive "binary" as the first argument, and assume that's the first parameter and the end of the flags. And add a unit test case. Fixes #82, again.
4 years ago
if i++; buildFlag && i < len(flags) {
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
filtered = append(filtered, flags[i])
}
}
return filtered
}
add a bit more docs
5 years ago
// splitFlagsFromFiles splits args into a list of flag and file arguments. Since
// we can't rely on "--" being present, and we don't parse all flags upfront, we
// rely on finding the first argument that doesn't begin with "-" and that has
garbling imported packages starts being supported
5 years ago
// the extension we expect for the list of paths.
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
//
// This function only makes sense for lower-level tool commands, such as
// "compile" or "link", since their arguments are predictable.
func splitFlagsFromFiles(all []string, ext string) (flags, paths []string) {
for i, arg := range all {
start enforcing the link flags -w -s
5 years ago
if !strings.HasPrefix(arg, "-") && strings.HasSuffix(arg, ext) {
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
return all[:i:i], all[i:]
start enforcing the link flags -w -s
5 years ago
}
}
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
return all, nil
initial commit
5 years ago
}
error if the user forgot -trimpath
5 years ago
add a bit more docs
5 years ago
// flagValue retrieves the value of a flag such as "-foo", from strings in the
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
// list of arguments like "-foo=bar" or "-foo" "bar". If the flag is repeated,
// the last value is returned.
error if the user forgot -trimpath
5 years ago
func flagValue(flags []string, name string) string {
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
lastVal := ""
flagValueIter(flags, name, func(val string) {
lastVal = val
})
return lastVal
}
// flagValueIter retrieves all the values for a flag such as "-foo", like
// flagValue. The difference is that it allows handling complex flags, such as
// those whose values compose a list.
func flagValueIter(flags []string, name string, fn func(string)) {
error if the user forgot -trimpath
5 years ago
for i, arg := range flags {
if val := strings.TrimPrefix(arg, name+"="); val != arg {
// -name=value
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
fn(val)
error if the user forgot -trimpath
5 years ago
}
parse boolean flags differently from string flags This is important, because "-std -foo" and "-buildid -foo" are entirely different cases. The first is equivalent to "-std=true -foo" since the flag is boolean, but the second is equivalent to "-buildid=-foo" since the flag isn't boolean. We can keep track of which of the flags we're interested in are boolean, which isn't much extra work. Also add unit tests; the build ID is a hash, so it's very hard to write an end-to-end test that reliably has an ID starting with a dash.
4 years ago
if arg == name { // -name ...
start hashing identifiers
5 years ago
if i+1 < len(flags) {
parse boolean flags differently from string flags This is important, because "-std -foo" and "-buildid -foo" are entirely different cases. The first is equivalent to "-std=true -foo" since the flag is boolean, but the second is equivalent to "-buildid=-foo" since the flag isn't boolean. We can keep track of which of the flags we're interested in are boolean, which isn't much extra work. Also add unit tests; the build ID is a hash, so it's very hard to write an end-to-end test that reliably has an ID starting with a dash.
4 years ago
// -name value
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
fn(flags[i+1])
start hashing identifiers
5 years ago
}
error if the user forgot -trimpath
5 years ago
}
}
}
make output binaries deterministic We were leaking temporary file paths, which is no longer the case.
5 years ago
func flagSetValue(flags []string, name, value string) []string {
for i, arg := range flags {
if strings.HasPrefix(arg, name+"=") {
// -name=value
parse boolean flags differently from string flags This is important, because "-std -foo" and "-buildid -foo" are entirely different cases. The first is equivalent to "-std=true -foo" since the flag is boolean, but the second is equivalent to "-buildid=-foo" since the flag isn't boolean. We can keep track of which of the flags we're interested in are boolean, which isn't much extra work. Also add unit tests; the build ID is a hash, so it's very hard to write an end-to-end test that reliably has an ID starting with a dash.
4 years ago
flags[i] = name + "=" + value
make output binaries deterministic We were leaking temporary file paths, which is no longer the case.
5 years ago
return flags
}
parse boolean flags differently from string flags This is important, because "-std -foo" and "-buildid -foo" are entirely different cases. The first is equivalent to "-std=true -foo" since the flag is boolean, but the second is equivalent to "-buildid=-foo" since the flag isn't boolean. We can keep track of which of the flags we're interested in are boolean, which isn't much extra work. Also add unit tests; the build ID is a hash, so it's very hard to write an end-to-end test that reliably has an ID starting with a dash.
4 years ago
if arg == name { // -name ...
if i+1 < len(flags) {
// -name value
flags[i+1] = value
return flags
make output binaries deterministic We were leaking temporary file paths, which is no longer the case.
5 years ago
}
return flags
}
}
return append(flags, name+"="+value)
}
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
func setGoPrivate() error {
if envGoPrivate == "" {
// Try 'go env' too, to query ${CONFIG}/go/env as well.
out, err := exec.Command("go", "env", "GOPRIVATE").CombinedOutput()
if err != nil {
return fmt.Errorf("%v: %s", err, out)
}
envGoPrivate = string(bytes.TrimSpace(out))
}
// If GOPRIVATE isn't set and we're in a module, use its module
// path as a GOPRIVATE default. Include a _test variant too.
if envGoPrivate == "" {
modpath, err := exec.Command("go", "list", "-m").Output()
if err == nil {
path := string(bytes.TrimSpace(modpath))
envGoPrivate = path + "," + path + "_test"
}
}
// Explicitly set GOPRIVATE, since future garble processes won't
// query 'go env' again.
os.Setenv("GOPRIVATE", envGoPrivate)
return nil
}