Go: cmd/compile: Go compiled binaries with ldflags "-s -w" reveal too much information

Created on 21 Feb 2017 · 10 comments · Source: golang/go

What version of Go are you using (go version)?

go version go1.8 darwin/amd64

What operating system and processor architecture are you using (go env)?

Darwin amd64

What did you do?

go build -ldflags "-s -w" <-- trying to strip/remove information from distributed binary

strings binaryname

What did you expect to see?

I expected to not see all vendored library paths and path names used to compile the binary file.

What did you see instead?

If you run strings on any Go binary you can see all vendored packages used as well as the path of all packages used to compile the binary. This is not ideal in a commercial setting and probably useful to find/use exploits in a compiled binary.

All 10 comments

Stripping package paths would break runtime.Caller and reflect.Type.PkgPath. I don't think there is any reasonable way that we can do it.

I found that too, and it makes me unhappy
@ianlancetaylor

Stripping package paths would break runtime.Caller and reflect.Type.PkgPath. I don't think there is any reasonable way that we can do it.

Is it possible to set an argument or something as a choice to switch those on or off for a distributed version?

Stripping the package paths to prevent exploits is security by obscurity.
People can do pattern matching on the instructions to match a given package
just as easily.

Stripping the package paths to prevent exploits is security by obscurity.
People can do pattern matching on the instructions to match a given package
just as easily.

Sure, but the current behavior shows personal information like the full URI including Github/Bitbucket username and names of internal packages.

The username part seems like a red herring. It's just the package's import path, no?

I think the point is that the import path can contain confidential information. Not every Go project is open source, some use it to displace C++ in their organization and are surprised when strip has different semantics. Security-sensitive projects strip binaries to protect intellectual property as part of a defense in depth approach.

People concerned about import paths may find the compiler's -trimpath option to be useful.

I don't think there is anything we can actually do here, so I'm going to close this issue. If anybody has a concrete proposal for a change here, please comment or open a new issue. (I don't think that "drop all package path information" can work, as it would break too many libraries.)

@ianlancetaylor
May I ask how to pass the -trimpath to Go toolchain?

go build -gcflags=-trimpath=x/y
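A release-pipeline check in the spirit of this thread, added here as an example and not code from the Go project: it extracts printable runs the way `strings` does and flags any that contain a build path or an internal import-path prefix, so a binary built with plain `-ldflags "-s -w"` can be compared against one built with `-gcflags=-trimpath=...` (file system paths disappear; package import paths remain, as noted above). The sample bytes, the `/Users/alice` path and the `github.com/alice` prefix are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// ExtractStrings mimics the `strings` utility used in the report: it returns
// every run of at least minLen printable ASCII bytes found in data.
func ExtractStrings(data []byte, minLen int) []string {
	var out []string
	start := -1
	for i, b := range data {
		printable := b >= 0x20 && b <= 0x7e
		if printable && start < 0 {
			start = i
		}
		if !printable && start >= 0 {
			if i-start >= minLen {
				out = append(out, string(data[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(data)-start >= minLen {
		out = append(out, string(data[start:]))
	}
	return out
}

// FindLeaks returns the extracted strings that contain any of the given
// markers (a GOPATH or home directory, an internal module prefix, ...).
func FindLeaks(data []byte, markers []string) []string {
	var leaks []string
	for _, s := range ExtractStrings(data, 4) {
		for _, m := range markers {
			if strings.Contains(s, m) {
				leaks = append(leaks, s)
				break
			}
		}
	}
	return leaks
}

func main() {
	// Constructed sample standing in for a binary built without -trimpath;
	// these are not bytes from a real build.
	before := []byte("\x00\x01/Users/alice/go/src/github.com/alice/app/main.go\x00\xffgithub.com/alice/app/internal/billing\x00\x03")
	for _, l := range FindLeaks(before, []string{"/Users/alice", "github.com/alice"}) {
		fmt.Println("leak:", l)
	}
}
```

Run it against the real binary by reading the file into `data`; a path marker that still appears after `-trimpath` means the flag value did not match the actual build directory.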

@ianlancetaylor
Thanks. I thought the -trimpath was an asm flag.