agree. besides, even without symbols, one can still use function signatures to determine whether the function is in std. lib and what does it do.
obscurity won't lead to security.
i'd rather not see -s is being applied to application like this, because it's a false sense of security.
On Sep 17, 2013 6:38 PM, "Dave Cheney" <da...@cheney.net> wrote:
>
> ldflags -s doesn't do what you want, unless that is to produce a broken binary.
>
> I agree with Minux that -s should be removed.
yeah, at least for Go 1.2, we'd better first make it an noop because there isn't enough time to fix it, and i see the trend for runtine to depend more on symbol tables.
for those who wants smaller sizes, please check out -ldflags -w, which removes dwarf debugging information in a binary.
On Sep 19, 2013 1:32 PM, <d...@nanard.net> wrote:
>
> Sure it is not secure... my application - a server - can't be secure as I should enter a password at startup (or make it communicate with another service physically secured) to make it really secure, and I don't want this. This is just a way to slow the break. With plain functions names, it is so easy to focus on a few functions set, not to mention the overall reverse engeneering process becoming far easier.
if it is a server, i think it will be a more serious problem that an adversary get hold of your binaries.
using function signature to determine what a (open souce) function does is well-known to the reverse engineering society, and besides, they also have more intrusive ways to break your protection.
stripping symbols just won't stop them.
Stripping symbols won't stop them but will slow reverse ingeneering. With expressive function names, understanding what a function does is trivial. With obfuscation, more work is required, and reaching a complexity level, it is very costly to do it.
Ok I see. Can I considere this true for C built programs too, as they make extensive use of the OS libraries ? In other words, do you think that nowadays, the
cost of reverse engineering - whatever compiler used - is so low than we can't rely on this to discourage work theft ?
Ok I see. Can I considere this true for C built programs too, as they make extensive use of the OS libraries ? In other words, do you think that nowadays, the cost of reverse engineering - whatever compiler used - is so low than we can't rely on this to discourage work theft ?
--
And true cryptographic protection of a binary, short of help from the kernel and hardware, is pointless to protect a binary.