How to "virtualize" a string for code obfuscation

Question

This is a real newbie question. Please don't yell at me. I did do searches on it with no luck. What does it mean in C# DotNet to "virtualize a string"? Let's say I have the code below. What does it mean to virtualize the string?

using System;

namespace MyNameSpace
{
    public class MyClass
    {
        private const string _SECRET_STRING = "keep this secret";
        private string GetSecretString()
        {
            return(_SECRET_STRING);
        }
    }
}

Well, never heard about the term "virtualize a string", curious about the incoming answers — Rand Random, Feb 11 '19 at 17:56
I think you might be using the wrong word. Maybe you mean "intern" (as in string interning) or "secure" (as in SecureString API). — Kit, Feb 11 '19 at 17:57
Where did you read/here "virtualize a string"? In which context? — R1PFake, Feb 11 '19 at 17:57
If anyone yells at you on SO, report them for being unfriendly. — , Feb 11 '19 at 17:58
Are you talking about having a private string that you set with a public property? — Syntax Error, Feb 11 '19 at 18:00
The only thing I can think of is `public virtual string Foo { get; set; }` (see [`virtual` keyword docs](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/virtual)). But I've never heard of "virtualize a string". — user247702, Feb 11 '19 at 18:02
The only context in which i heard about virtualizing a string is in "virtualizing a string instrument". It isn't related to text strings, though ;-) — , Feb 11 '19 at 18:02
Ok, so now I don't feel (quite so) stupid. I am evaluating a couple of DotNet obfuscators. And the instructions on one of them say that the best way to protect strings from decompilation is to "virtualize" them, whatever that is supposed to mean. Will have to ask them for clarification. — Neil Weicher, Feb 11 '19 at 18:07
In your code, think carefully and please explain to us what you mean by "secret". Are you wanting to move that string somewhere more secure? And if so, where? To a file (a .settings or .config file for example)? Perhaps with encryption (DAPI via Asp.net UserSecrets. for example)? To an external service (Azure KeyVault, for example). There are lots of options - it's difficult to answer your question without knowing exactly what you are trying to achieve. — Matt Johnson-Pint, Feb 11 '19 at 18:09
@NeilWeicher I think this? https://www.gapotchenko.com/eazfuscator.net/features/virtualization — , Feb 11 '19 at 18:11
What you're wanting is going to have to come from another product as code virtualization is not an in-built .NET thing. — Kit, Feb 11 '19 at 18:15
If your question is strictly about protecting secrets via obfuscation, then [this question](https://stackoverflow.com/questions/6018215/how-to-obfuscate-string-constants) is probably a duplicate. Please read it. — Matt Johnson-Pint, Feb 11 '19 at 18:15
@Amy Based on his implementation I would almost assume it is a `SecureString` form of implementation with C++ pointer reference. I've seen that layout in some tutorials, not saying that is his intent but it looks vaguely familiar in other documents. — Greg, Feb 11 '19 at 18:15
@Greg OP said this is about evaluating an obfuscator in the comments. Code virtualization is an obfuscation technique. — , Feb 11 '19 at 18:17
@MattJohnson - I have an EXE and a class library that contains 'GetSecretString'. Let's say that `_SECRET_STRING` is a SQL ODBC connection string. — Neil Weicher, Feb 11 '19 at 18:18
@Amy - EazFuscator is one of the products I am looking at, but according to the documentation, data virtualization cannot be applied to strings. — Neil Weicher, Feb 11 '19 at 18:55
@NeilWeicher Then that either answers your question, or that statement only applies to that product. Either way, "what does it mean" is answered, is it not? — , Feb 11 '19 at 19:29
@NeilWeicher - Code obfuscation isn't going to help you with database connection strings. Typically one doesn't put these directly into code, but reads them from a configuration file using an encryption API, or preferably from a third-party secrets store. Solutions to this vary considerably depending on the nature of the application (asp.net web site, etc.) and where it is hosted (Azure, etc.). Thus, your question is what we call [an XY problem](https://meta.stackexchange.com/a/66378/201534), in that you are asking about string virtualization instead of how to protect a connection string. — Matt Johnson-Pint, Feb 11 '19 at 22:13
Also, you'll find that there are many questions already asked and answered about how to protect a connection string. Again, these vary wildly depending on what kind of application you are writing, so I can't point you directly at a single answer without additional details. — Matt Johnson-Pint, Feb 11 '19 at 22:14
@Amy, _"what does it mean is answered, is it not?"_. Yes, I agree, but there is no actual answer to cite. They are all comments. Not sure what to do. — Neil Weicher, Feb 13 '19 at 04:50

How to "virtualize" a string for code obfuscation

0 Answers0