Search code examples
securityhaskelldumpdecompilingtemplate-haskell

Obfuscating values of compile-time parameters in Haskell


In my Haskell application I implemented the following mechanism for passing sensitive information to the binary (without resorting to CLI parameters):

  • I use a TemplateHaskell mechanism for reading environment variables at compile time:
{-# LANGUAGE TemplateHaskell #-}
...
import Language.Haskell.TH.Env
...
myPrecious :: String
myPrecious = fromMaybe "" $$(envQ "MY_PRECIOUS")
...
  • When compiling, I pass the relevant environment variable like so: MY_PRECIOUS=<secret> stack build and it then gets bound to myPrecious on the Haskell side
  • The resulting binary has the value of MY_PRECIOUS compiled in, so it won't be visible from the operating system level (e.g. via ps aux)

Trouble is, I can now open that binary in a text editor or create a memory dump (e.g. with GDB) and with a little determination dig up the secret, especially if I know the context in which it is being used - I'm assuming that some malicious actor might have obtained access to the source code. So I've been wondering, is there any way to force GHC to produce a more obfuscated/garbled binary, in which such values would not be readily visible. I'm aware that no such protection scheme can be bulletproof, but I'm looking for a way to make the intruder's task harder.


Solution

  • Obfuscation is a total waste of time. You'll end up spending days trying to come up with something clever only for a rookie reverse engineer to defeat it in minutes. Instead, you should set up actual security rather than security through obscurity, with something like this:

    1. Create a new UNIX group with no users in it
    2. Put your secrets in a file only readable by root and that group
    3. Code your program to read secrets from that file at startup
    4. Make your binary setgid the group that can read the file

    Now opening the binary in a text editor will yield nothing, since the secrets aren't in it at all, and taking a memory dump is impossible since the kernel doesn't let you do that to a setgid process.