
If I were to have a program where I used:

#define SECRETNUMBER "1234567890"

Would this be a potential security issue/vulnerability?

I have this bit of code with this define statement and naturally it seemed to me that since this information is just defined right at the top without encryption or anything, this might be a security risk. I just wanted to know what the exact reason is and how this might be exploited?

Lien
  • What do you mean by “private” and “secure”? What is your program going to do with this “secret number”? And what are the threats you want to guard against? – 5gon12eder Feb 11 '16 at 22:26
  • This isn't even a variable... it's a macro – R_Kapp Feb 11 '16 at 22:28
  • Your question is not even wrong. – fuz Feb 11 '16 at 22:34
  • No it's not. You're asking about "secure", not "safe" and this is far from it. "Secure" is much harder than what you'd think, explain your case better – Sten Petrov Feb 11 '16 at 22:35
  • As others have pointed out, that line of code does not do anything in itself because it is just a macro. But I guess you are really asking whether string literals can be extracted from the final binary. The answer is yes it can. And very easily too. This may be relevant: [How to hide a string in binary code?](https://stackoverflow.com/questions/1356896/how-to-hide-a-string-in-binary-code) – kaylum Feb 11 '16 at 22:38
  • No, it's not secure, in fact if you open the binary with an editor you can see something like `^?ELF^B^A^A^@^@^B^@1234567890` – David Ranieri Feb 11 '16 at 22:38
  • Why was this closed? It's perfectly clear what he's asking and all you guys whining about defining terms and so forth need to re-read the question. He simply asked _is it a potential security issue/vulnerability?_ The answer is yes. An explanation of why it's a potential vulnerability would make a good answer. – Carey Gregory Feb 12 '16 at 00:30

2 Answers

No, it's not secure: anywhere the macro was used it would be substituted in plain (readable) form. For data to be secure it needs to be encrypted somehow, so that it cannot be read without knowledge of the decryption key.

  • That begs the question: How will the encryption key be made secure? – zaph Feb 11 '16 at 23:06
  • By not storing them on any device you don't physically control. If your crypto key is built into your app and can be used without some piece of data coming from a user or server, it's insecure. – Gabe Sechan Feb 11 '16 at 23:34
  • @zaph It would beg the question if we were spec'ing a solution. But we're not. We're answering a very narrow question with a very well defined answer. – Carey Gregory Feb 12 '16 at 00:34
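The comments by kaylum and David Ranieri above, and this answer, make the same point: the literal behind the macro ends up verbatim in the compiled binary. As an added example (not code from the question or from any answer), a minimal `strings`-style scanner in C that locates `SECRETNUMBER` in a byte image and counts printable runs; its `main()` reads the program's own image through `/proc/self/exe`, which is a Linux-specific assumption of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECRETNUMBER "1234567890"   /* the macro from the question */
/* Binary-safe search: byte offset of needle in buf, or -1 if absent. */
long find_bytes(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > len)
        return -1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return (long)i;
    return -1;
}
/* Minimal `strings -n min_run`: optionally print each run of at least
 * min_run printable bytes and return how many such runs there are. */
size_t printable_runs(const unsigned char *buf, size_t len, size_t min_run, int print)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint(buf[i]))
            continue;                          /* still inside a run */
        if (i - start >= min_run) {
            count++;
            if (print)
                printf("%.*s\n", (int)(i - start), (const char *)buf + start);
        }
        start = i + 1;
    }
    return count;
}
/* Stand-alone demo: scan this executable's own image. /proc/self/exe is
 * Linux-specific (an assumption of this example). */
int main(void)
{
    FILE *f = fopen("/proc/self/exe", "rb");
    if (!f) { perror("/proc/self/exe"); return 1; }
    fseek(f, 0, SEEK_END); long size = ftell(f); rewind(f);
    unsigned char *img = malloc((size_t)size);
    if (!img || fread(img, 1, (size_t)size, f) != (size_t)size) { fclose(f); free(img); return 1; }
    fclose(f);
    printf("SECRETNUMBER found at offset %ld; %zu printable runs of 8+ bytes\n",
           find_bytes(img, (size_t)size, SECRETNUMBER), printable_runs(img, (size_t)size, 8, 0));
    free(img);
    return 0;
}
```

Passing `1` as the last argument of `printable_runs` in `main()` lists the runs the way `strings` would, with the define's value among them.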

Obviously it's not secure since it's visible in your code. Let me add that once you add computations in your C preprocessor you also create side effects that may affect security. I suggest you this the secret number so that even if it is compromised,

1. Create a salt by generating a random piece of data.
2. Apply the salt to the secret number.
3. Generate the hash for the salted password.
4. Store the secret number, the hash and the salt in the data store.

Jonh Doe