6898d61637
When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6) |
3 years ago | |
|---|---|---|
| .github | 3 years ago | |
| internal | 3 years ago | |
| scripts | 3 years ago | |
| testdata | 3 years ago | |
| .gitattributes | 5 years ago | |
| .gitignore | 4 years ago | |
| AUTHORS | 4 years ago | |
| CONTRIBUTING.md | 4 years ago | |
| LICENSE | 4 years ago | |
| README.md | 3 years ago | |
| bench_test.go | 3 years ago | |
| go.mod | 3 years ago | |
| go.sum | 3 years ago | |
| hash.go | 3 years ago | |
| line_obfuscator.go | 3 years ago | |
| main.go | 3 years ago | |
| main_test.go | 3 years ago | |
| reverse.go | 3 years ago | |
| runtime_strip.go | 3 years ago | |
| shared.go | 3 years ago | |
README.md
garble
GO111MODULE=on go get mvdan.cc/garble
Obfuscate Go code by wrapping the Go toolchain. Requires Go 1.15 or later.
garble build [build flags] [packages]
See garble -h for up to date usage information.
Purpose
Produce a binary that works as well as a regular build, but that has as little information about the original source code as possible.
The tool is designed to be:
- Coupled with
cmd/go, to support modules and build caching - Deterministic and reproducible, given the same initial source code
- Reversible given the original source, to deobfuscate panic stack traces
Mechanism
The tool wraps calls to the Go compiler and linker to transform the Go build, in order to:
- Replace as many useful identifiers as possible with short base64 hashes
- Replace package paths with short base64 hashes
- Remove all build and module information
- Strip filenames and shuffle position information
- Strip debugging information and symbol tables
- Obfuscate literals, if the
-literalsflag is given - Remove extra information if the
-tinyflag is given
Options
By default, the tool obfuscates the packages under the current module. If not
running in module mode, then only the main package is obfuscated. To specify
what packages to obfuscate, set GOPRIVATE, documented at go help module-private.
Note that commands like garble build will use the go version found in your
$PATH. To use different versions of Go, you can
install them
and set up $PATH with them. For example, for Go 1.15.8:
$ go get golang.org/dl/go1.15.8
$ go1.15.8 download
$ PATH=$(go1.15.8 env GOROOT)/bin:${PATH} garble build
You can also declare a function to make multiple uses simpler:
$ withgo() {
local gocmd=go${1}
shift
PATH=$(${gocmd} env GOROOT)/bin:${PATH} "$@"
}
$ withgo 1.15.8 garble build
Caveats
Most of these can improve with time and effort. The purpose of this section is to document the current shortcomings of this tool.
-
Exported methods are never obfuscated at the moment, since they could be required by interfaces and reflection. This area is a work in progress.
-
Functions implemented outside Go, such as assembly, aren't obfuscated since we currently only transform the input Go source.
-
Go plugins are not currently supported; see #87.
-
There are cases where garble is a little too agressive with obfuscation, this may lead to identifiers getting obfuscated which are needed for reflection, e.g. to parse JSON into a struct; see #162. To work around this you can pass a hint to garble, that an type is used for reflection via passing it to
reflect.TypeOforreflect.ValueOfin the same file:// this is used for parsing json type Message struct { Command string Args string } // never obfuscate the Message type var _ = reflect.TypeOf(Message{})
Tiny Mode
When the -tiny flag is passed, extra information is stripped from the resulting
Go binary. This includes line numbers, filenames, and code in the runtime the
prints panics, fatal errors, and trace/debug info. All in all this can make binaries
6-10% smaller in our testing.
Note: if -tiny is passed, no panics, fatal errors will ever be printed, but they can
still be handled internally with recover as normal. In addition, the GODEBUG
environmental variable will be ignored.
Contributing
We actively seek new contributors, if you would like to contribute to garble use the CONTRIBUTING.md as a starting point.