Guaranteed compile-time string literal obfuscation header-only library for C++14.
- Copy
obfuscate.hinto your project - Wrap security sensitive strings with
AY_OBFUSCATE("My String")
Now your project will not expose those strings in plain text in the binary image.
When plain text string literals are used in C++ programs, they will be compiled as-is into the resultant binary. This causes them to be incredibly easy to find. One can simply open up the binary file in a text editor to see all of the embedded string literals in plain view. A special utility called strings actually exists which can be used to search binary files for plain text strings.
This header-only library seeks to make it much much more difficult (but not impossible) for embedded string literals in binary files to be found by encrypting them with an XOR cipher at compile-time using a constexpr, forcing the compiler to work with the encrypted string instead of the plain text literal. Usage of AY_OBFUSCATE additionally removes the need for a const pointer to the string, which more often than not (for small strings) convinces the compiler to inline the encrypted string, building it up at runtime in a series of mov operations, protecting the binary image against simple XOR decryption attacks. Encrypted strings will then be decrypted at runtime to be utilised within the program.
- Guaranteed compile-time obfuscation - the string is compiled via a constexpr expression.
- Global lifetime - the obfuscated string is stored in a function level static variable in a unique lambda.
- Implicitly convertible to a char* - easy to integrate into existing codebases.
By simply wrapping your string literal "My String" with AY_OBFUSCATE("My String") it will be encrypted at compile time and stored in an ay::obfuscated_data object which you can manipulate at runtime. For convenience it is also implicitly convertable to a char*.
For example, the following program will not store the string "Hello World" in plain text anywhere in the compiled executable.
#include "obfuscate.h"
int main()
{
std::cout << AY_OBFUSCATE("Hello World") << std::endl;
return 0;
}Strings are encrypted with a '.' by default. To increase security it is recommended to generate a random single char key at compile time and pass it into AY_OBFUSCATE_KEY("Hello World", KEY).
Because the obfuscated data that is generated by AY_OBFUSCATE has global lifetime it is completely fine to also use it in both a local and a temporary context.
char* var = AY_OBFUSCATE("string");
const char* var = AY_OBFUSCATE("string");
static const char* var = AY_OBFUSCATE("string");
std::string var(AY_OBFUSCATE("string"));
function_that_takes_char_pointer(AY_OBFUSCATE("string"));This does come at a small cost. In a very naive login program, which obfuscates two strings (username and password) the following binary file bloat exists.
| Config | Plain string literals | Obfuscated strings | Bloat |
|---|---|---|---|
| Release | 18944 | 21504 | 2560 (13.5%) |
| Debug | 95232 | 101888 | 6656 (7.0%) |
This output is generated by running calculate_bloat.py