Symbol encryption

UDB has the ability to load encrypted symbol files. These files are standard ELF symbol files which have been encrypted to prevent inspection by unauthorized parties. Encrypted symbol files provide a way to give on-site engineers access to essential debugging information while also protecting proprietary data.

Note

Early-access versions of UDB and LiveRecorder for ARM platforms do not support encrypted symbol files. Contact Undo Support for information on early-access releases.

Generating encrypted symbol files

Encrypted symbol files are generated from unencrypted symbol files using the undo encrypt-symbols program included in the UDB release.

undo encrypt-symbols input output [passphrase]

The undo encrypt-symbols program encrypts the input file with passphrase and writes the encrypted result to output. If passphrase is omitted, undo encrypt-symbols prompts the interactive user to input one. For example, to encrypt the symbol file examples/hello-world.symbols and put the encrypted output in examples/hello-world.enc, with a passphrase entered interactively:

$ undo encrypt-symbols examples/hello-world.symbols examples/hello-world.enc
Enter passphrase:
Confirm passphrase:

passphrase

The passphrase to use for encryption.

Warning

Passphrases specified using this option may be recorded in the shell command history.

--help, -h

Display help message and exit.

--version, -v

Print version information and exit.

undo encrypt-symbols uses the AES-128-CTR cipher, and requires a version of openssl supporting this cipher to be installed.

Note

openssl may be installed using your distribution’s package manager.

On Fedora and Red Hat:

$ sudo yum install openssl

On Ubuntu:

$ sudo apt install openssl

Loading encrypted symbol files

Encrypted symbol files may be loaded in UDB using the symbol-file and add-symbol-file commands.

symbol-file [-passphrase passphrase] [options] filename

Load the encrypted symbol file filename, decrypting it using passphrase as the key. The currently loaded symbols are replaced with those from filename. If the -passphrase option is omitted, the command prompts the user to enter a passphrase interactively. For example, to load the symbols from the encrypted file examples/hello-world.enc, with a passphrase entered interactively:

$ udb examples/hello-world
not running> symbol-file examples/hello-world.enc
Passphrase:

-passphrase PASSPHRASE

Specify the passphrase for decrypting the symbol file.

Warning

Passphrases specified using this option may be recorded in the GDB command history.

$ udb examples/hello-world
not running> symbol-file -passphrase secret examples/hello-world.enc
not running>

Other options are the same as in GDB and may viewed by running help symbol-file.

add-symbol-file [-passphrase passphrase] [options] filename

Similar to symbol-file, but adds to the existing symbols, instead of replacing them.

-passphrase PASSPHRASE

Specify the passphrase for decrypting the symbol file.

Warning

Passphrases specified using this option may be recorded in the GDB command history.

Other options are the same as in GDB and may be viewed by running help add-symbol-file.