justan0th3rstud3nt
/
garble
mirror of https://github.com/burrowers/garble
1
0
Fork 0
Code Issues 1 Projects Releases Wiki Activity

remove unnecessary data from runtime if -tiny is passed

Browse Source
pull/133/head
Andrew LeFevre 5 years ago
parent d679944408
commit 901d8752a2
6 changed files with 189 additions and 209 deletions
Show Stats Download Patch File Download Diff File

38
README.md
Unescape Escape View File

@ -31,8 +31,7 @@ order to:
* Strip filenames and shuffle position information
* Strip debugging information and symbol tables
* Obfuscate literals, if the `-literals` flag is given
* Expose [additional functions](#runtime-api) in the runtime package that can
optionally hide information during execution
* Removes unnecessary data if the `-tiny` flag is given
### Options
@ -56,32 +55,13 @@ to document the current shortcomings of this tool.
* Go plugins are not currently supported; see [#87](https://github.com/burrowers/garble/issues/87).
### Runtime API
### Tiny Mode
The tool adds additional functions to the runtime that can optionally be used to
hide information during execution. The functions added are:
When the `-tiny` flag is passed, unneeded information from is stripped from the
resulting Go binary. This includes line numbers, filenames, and code in the runtime
the prints panics, fatal errors, and trace/debug info. All in all this can make binaries
6-10% smaller in our testing.
```go
// hideFatalErrors suppresses printing fatal error messages and
// fatal panics when hide is true. This behavior can be changed at
// any time by calling hideFatalErrors again. All other behaviors of
// panics remains the same.
func hideFatalErrors(hide bool)
```
These functions must be used with the `linkname` compiler directive, like so:
```go
package main
import _ "unsafe"
//go:linkname hideFatalErrors runtime.hideFatalErrors
func hideFatalErrors(hide bool)
func init() { hideFatalErrors(true) }
func main() {
panic("ya like jazz?")
}
```
Note: if `-tiny` is passed, no panics, fatal errors will ever be printed, but they can
still be handled internally with `recover` as normal. In addition, the `GODEBUG`
environmental variable will be ignored.

11
main.go
Unescape Escape View File

@ -423,11 +423,10 @@ func transformCompile(args []string) ([]string, error) {
flags = append(flags, "-dwarf=false")
pkgPath := flagValue(flags, "-p")
if pkgPath == "runtime" || pkgPath == "runtime/internal/sys" {
if (pkgPath == "runtime" && envGarbleTiny) || pkgPath == "runtime/internal/sys" {
// Even though these packages aren't private, we will still process
// them later to remove build information and add additional
// functions to the runtime. However, we only want flags to work on
// private packages.
// them later to remove build information and strip code from the
// runtime. However, we only want flags to work on private packages.
envGarbleLiterals = false
envGarbleDebugDir = ""
} else if !isPrivate(pkgPath) {
@ -526,8 +525,8 @@ func transformCompile(args []string) ([]string, error) {
name := origName
switch {
case pkgPath == "runtime":
// Add additional runtime API
addRuntimeAPI(origName, file)
// strip unneeded runtime code
stripRuntime(origName, file)
case pkgPath == "runtime/internal/sys":
// The first declaration in zversion.go contains the Go
// version as follows. Replace it here, since the

146
runtime_api.go
Unescape Escape View File

@ -1,146 +0,0 @@
// Copyright (c) 2020, The Garble Authors.
// See LICENSE for licensing information.
package main
import (
"go/ast"
"go/token"
ah "mvdan.cc/garble/internal/asthelper"
)
// addRuntimeAPI exposes additional functions in the runtime
// package that may be helpful when hiding information
// during execution is required.
func addRuntimeAPI(filename string, file *ast.File) {
switchPanicPrints := func(node ast.Node) bool {
call, ok := node.(*ast.CallExpr)
if !ok {
return true
}
id, ok := call.Fun.(*ast.Ident)
if !ok {
return true
}
switch id.Name {
case "print":
id.Name = "panicprint"
return false
case "println":
id.Name = "panicprint"
call.Args = append(call.Args, &ast.BasicLit{Kind: token.STRING, Value: `"\n"`})
return false
default:
return true
}
}
switch filename {
case "debug.go":
// Add hideFatalErrors function and internal fatalErrorsHidden variable
file.Decls = append(file.Decls, hideFatalErrorsDecls...)
case "error.go":
// Add a function panicprint, that does nothing if panics are
// hidden, otherwise forwards arguments to printany to print them
// as normal. Although we add an if statement to printany to do
// nothing if panics are hidden, printany only takes one argument,
// and both print and printany are used to print panic messages.
// panicprint's entire purpose is to act as a replacement to print
// that respects hideFatalErrors, and print is variadic, so print
// must be replaced by a variadic function, hence panicprint.
//
// We will also add two statements to printany:
// 1. An if statement that returns early if panics are hidden
// 2. An additional case statement that handles printing runtime.hex
// values. Without this case statement, the default case will print
// the runtime.hex values in a way not consistent with normal panic
// outputs
for _, decl := range file.Decls {
decl, ok := decl.(*ast.FuncDecl)
if !ok || decl.Name.Name != "printany" {
continue
}
for _, stmt := range decl.Body.List {
if stmt, ok := stmt.(*ast.TypeSwitchStmt); ok {
stmt.Body.List = append(stmt.Body.List, printanyHexCase)
break
}
}
decl.Body.List = append([]ast.Stmt{fatalErrorsHiddenCheckStmt}, decl.Body.List...)
break
}
file.Decls = append(file.Decls, panicprintDecl)
default:
// Change all calls to print, which we don't control, to
// panicprint, which we do control and does the same thing.
ast.Inspect(file, switchPanicPrints)
}
}
var fatalErrorsHiddenCheckStmt = &ast.IfStmt{
Cond: ah.Ident("fatalErrorsHidden"),
Body: ah.BlockStmt(ah.ReturnStmt()),
}
var hideFatalErrorsDecls = []ast.Decl{
&ast.GenDecl{
Tok: token.VAR,
Specs: []ast.Spec{&ast.ValueSpec{
Names: []*ast.Ident{ah.Ident("fatalErrorsHidden")},
Type: ah.Ident("bool"),
}},
},
&ast.FuncDecl{
Name: ah.Ident("hideFatalErrors"),
Type: &ast.FuncType{Params: &ast.FieldList{
List: []*ast.Field{{
Names: []*ast.Ident{ah.Ident("hide")},
Type: ah.Ident("bool"),
}},
}},
Body: ah.BlockStmt(
&ast.AssignStmt{
Lhs: []ast.Expr{ah.Ident("fatalErrorsHidden")},
Tok: token.ASSIGN,
Rhs: []ast.Expr{ah.Ident("hide")},
},
),
},
}
var printanyHexCase = &ast.CaseClause{
List: []ast.Expr{ah.Ident("hex")},
Body: []ast.Stmt{
ah.ExprStmt(ah.CallExpr(ah.Ident("print"), ah.Ident("v"))),
},
}
var panicprintDecl = &ast.FuncDecl{
Name: ah.Ident("panicprint"),
Type: &ast.FuncType{Params: &ast.FieldList{
List: []*ast.Field{{
Names: []*ast.Ident{{Name: "args"}},
Type: &ast.Ellipsis{Elt: &ast.InterfaceType{
Methods: &ast.FieldList{},
}},
}},
}},
Body: ah.BlockStmt(
&ast.IfStmt{
Cond: ah.Ident("fatalErrorsHidden"),
Body: ah.BlockStmt(ah.ReturnStmt()),
},
&ast.RangeStmt{
Key: ah.Ident("_"),
Value: ah.Ident("arg"),
Tok: token.DEFINE,
X: ah.Ident("args"),
Body: ah.BlockStmt(
ah.ExprStmt(ah.CallExpr(ah.Ident("printany"), ah.Ident("arg"))),
),
},
),
}

152
runtime_strip.go
Unescape Escape View File

@ -0,0 +1,152 @@
// Copyright (c) 2020, The Garble Authors.
// See LICENSE for licensing information.
package main
import (
"go/ast"
"go/token"
"strings"
ah "mvdan.cc/garble/internal/asthelper"
)
// stripRuntime removes unnecessary code from the runtime,
// such as panic and fatal error printing, and code that
// prints trace/debug info of the runtime.
func stripRuntime(filename string, file *ast.File) {
stripPrints := func(node ast.Node) bool {
call, ok := node.(*ast.CallExpr)
if !ok {
return true
}
id, ok := call.Fun.(*ast.Ident)
if !ok {
return true
}
switch id.Name {
case "print", "println":
id.Name = "hidePrint"
return false
default:
return true
}
}
switch filename {
case "error.go":
for _, decl := range file.Decls {
fun, ok := decl.(*ast.FuncDecl)
if !ok {
continue
}
// only used in panics
switch fun.Name.Name {
case "printany", "printanycustomtype":
fun.Body.List = nil
}
}
case "mprof.go":
for _, decl := range file.Decls {
fun, ok := decl.(*ast.FuncDecl)
if !ok {
continue
}
// remove all functions that print debug/tracing info
// of the runtime
switch {
case strings.HasPrefix(fun.Name.Name, "trace"):
fun.Body.List = nil
}
}
case "print.go":
for _, decl := range file.Decls {
fun, ok := decl.(*ast.FuncDecl)
if !ok {
gen, ok := decl.(*ast.GenDecl)
if !ok || gen.Tok != token.IMPORT {
continue
}
for i, spec := range gen.Specs {
imp := spec.(*ast.ImportSpec)
if imp.Path.Value == `"runtime/internal/sys"` {
// remove 'runtime/internal/sys' import, as it was used
// in hexdumpWords
gen.Specs = append(gen.Specs[:i], gen.Specs[i+1:]...)
break
}
}
continue
}
// only used in tracebacks
if fun.Name.Name == "hexdumpWords" {
fun.Body.List = nil
break
}
}
// add hidePrint declaration
file.Decls = append(file.Decls, hidePrintDecl)
case "runtime1.go":
for _, decl := range file.Decls {
fun, ok := decl.(*ast.FuncDecl)
if !ok {
continue
}
switch fun.Name.Name {
case "parsedebugvars":
// set defaults for GODEBUG cgocheck and
// invalidptr, remove code that reads in
// GODEBUG
fun.Body = parsedebugvarsStmts
case "setTraceback":
// tracebacks are completely hidden, no
// sense keeping this function
fun.Body.List = nil
}
}
default:
// replace all 'print' and 'println' statements in
// the runtime with an empty func, which will be
// optimized out by the compiler
ast.Inspect(file, stripPrints)
}
}
var hidePrintDecl = &ast.FuncDecl{
Name: ah.Ident("hidePrint"),
Type: &ast.FuncType{Params: &ast.FieldList{
List: []*ast.Field{{
Names: []*ast.Ident{{Name: "args"}},
Type: &ast.Ellipsis{Elt: &ast.InterfaceType{
Methods: &ast.FieldList{},
}},
}},
}},
Body: &ast.BlockStmt{},
}
var parsedebugvarsStmts = ah.BlockStmt(
&ast.AssignStmt{
Lhs: []ast.Expr{&ast.SelectorExpr{
X: ah.Ident("debug"),
Sel: ah.Ident("cgocheck"),
}},
Tok: token.ASSIGN,
Rhs: []ast.Expr{ah.IntLit(1)},
},
&ast.AssignStmt{
Lhs: []ast.Expr{&ast.SelectorExpr{
X: ah.Ident("debug"),
Sel: ah.Ident("invalidptr"),
}},
Tok: token.ASSIGN,
Rhs: []ast.Expr{ah.IntLit(1)},
},
)

23
testdata/scripts/panic.txt vendored
Unescape Escape View File

@ -1,23 +0,0 @@
env GOPRIVATE=test/main
garble build
! exec ./main
cmp stderr main.stderr
-- go.mod --
module test/main
-- main.go --
package main
import _ "unsafe"
//go:linkname hideFatalErrors runtime.hideFatalErrors
func hideFatalErrors(hide bool)
func init() { hideFatalErrors(true) }
func main() {
panic("ya like jazz?")
}
-- main.stderr --

28
testdata/scripts/tiny.txt vendored
Unescape Escape View File

@ -2,12 +2,15 @@ env GOPRIVATE=test/main
# Tiny mode
garble -tiny build
exec ./main$exe
env GODEBUG='allocfreetrace=1,gcpacertrace=1,gctrace=1,scavtrace=1,scheddetail=1,schedtrace=10'
! exec ./main$exe
cmp stdout main.stdout
stderr '\? 0'
[short] stop # no need to verify this with -short
# Default mode
env GODEBUG=
garble -debugdir=.obf-src build
# Check for file name leak protection
@ -15,8 +18,8 @@ grep '^\/\/line :1$' .obf-src/main/main.go
# Check for default line obfuscation
grep '^\/\/line \w\.go:[1-9][0-9]*$' .obf-src/main/main.go
exec ./main$exe
! exec ./main$exe
cmp stdout main.stdout
stderr '\w\.go [1-9]'
-- go.mod --
@ -24,9 +27,24 @@ module test/main
-- main.go --
package main
import "runtime"
import (
"fmt"
"runtime"
)
func main() {
defer func() {
if r := recover(); r != nil {
fmt.Println(r)
panic("oh noes")
}
}()
_, file, line, _ := runtime.Caller(0)
println(file, line)
}
panic("ya like jazz?")
}
-- main.stdout --
ya like jazz?
Write Preview
Loading…
Cancel
Save