Menu
I have an application that logs exception strack traces and I wanted those stack traces to include file names and line numbers when deployed in production. I figured out how to deploy the debug symbols w/ the assembly, but in the process of researching the issue I ran accross this question, which implies that it's not a good idea to include pdb files in a production environment. A comment to the accepted answer says "...debugging information can give away sensitive data and be an attack vector. Depending on what your app is."
So what sort of sensitive data might be exposed? How can debug symbols be used to compromise an application? I'm curious about the technical details, but what I'm really looking for is a practical way to evaluate the risk of including debug symbols for any given application and production environment. Or to put it another way: what's the worst that could happen?
EDIT: follow-up question/clarification
So based on everyone's answers so far, it seems like this question can be simplified a bit for .NET applications. This bit from the John Robbins blog linked in Michael Maddox's answer kind of leaped out at me:
A .NET PDB only contains two pieces of information, the source file names and their lines and the local variable names. All the other information is already in the .NET metadata so there is no need to duplicate the same information in a PDB file.
To me, this reiterates what others have been saying about Reflector, with the implication being that the real issue is access to the assemblies. Once that's been determined, the only decision to make with respect to PDBs is whether or not you care about exposing file names, line numbers, and local variable names (assuming that you're not showing stack traces to end users to begin with). Or have I oversimplified this too much?
285
The inclusion of . PDB files in a web application's deployment is safe and doesn't include the risks associated with publishing a Debug build.
The executive summary answer: no, generating PDB files will have no impact on performance whatsoever.
No, you don't have to deploy the . pdb file. To quote from MSDN, "A PDB file is created when you build with /debug (Visual Basic/C#).", so it shouldn't be creating the debug database when compiling for release.
Program database (PDB) is a file format (developed by Microsoft) for storing debugging information about a program (or, commonly, program modules such as a DLL or EXE). PDB files commonly have a . pdb extension. A PDB file is typically created from source files during compilation.
Here is another question to look at:
Are there any security issues leaving the PDB debug files on the live servers?
And more info on PDB files:
PDB Files: What Every Developer Must Know
In general, I always include pdb files in my deployments, the gains are too huge to ignore.
If you never expose a stack trace to your users (and generally you shouldn't), there isn't really any additional security risk of deploying PDB files.
When a user visible stack trace happens, the user can see the full stack trace including your file name and file line numbers. This could give them some idea of how your app is architected which would potentially help them if hacking.
A bigger security threat is something like Reflector which when used on your DLLs will allow them to view your source code, with or without pdb files.
159
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
