Module obfuscation

Error code obfuscation (always on).

Makes systematic error code fingerprinting harder by adding per-session offsets to error codes. The same semantic error will have different codes across sessions, making it harder for attackers to build a code map.

§Security Model

  • Namespace preserved: Still “CFG”, “IO”, etc. (needed for Display)
  • Category preserved: Still Configuration, I/O, etc.
  • Numeric code obfuscated: E-CFG-100 becomes E-CFG-103, E-CFG-107, etc.
  • Session-specific: Different salt per connection/session
  • Deterministic within session: Same error = same obfuscated code

§Threat Mitigation

Without obfuscation:

Attacker triggers 100 errors, sees:
E-CFG-100 (repeated 50x)
E-CFG-101 (repeated 30x)
E-CFG-104 (repeated 20x)

Maps to source code, identifies:
- 100 = parser.rs:42
- 101 = validator.rs:89
- 104 = permissions.rs:156

With obfuscation:

Session 1: E-CFG-103, E-CFG-104, E-CFG-107
Session 2: E-CFG-101, E-CFG-102, E-CFG-105
Session 3: E-CFG-106, E-CFG-107, E-CFG-110

Attacker cannot correlate codes across sessions.
Fingerprinting requires compromising a session to learn its salt.
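An added example (not the crate's own code) that models the documented behaviour and reproduces the three sample sessions above. It assumes each session reduces its salt to a single additive offset; `Session`, `parse` and `resolve` are hypothetical names, and `resolve` shows how an operator who knows a session's offset maps a client-reported code back to the internal one.

```rust
// Added illustration; models the behaviour documented above, not the crate's code.
// Assumption: a session reduces its salt to one additive offset (hypothetical
// `Session.offset`); how the crate derives it from the salt is not shown here.

/// Split "E-<NAMESPACE>-<NUMBER>" into its namespace and numeric code.
fn parse(code: &str) -> Option<(&str, u32)> {
    let mut parts = code.splitn(3, '-');
    if parts.next()? != "E" {
        return None;
    }
    let namespace = parts.next().filter(|ns| !ns.is_empty())?;
    let number = parts.next()?.parse::<u32>().ok()?;
    Some((namespace, number))
}

struct Session {
    offset: u32,
}

impl Session {
    /// Code shown to the client: namespace kept, number shifted.
    fn obfuscate(&self, code: &str) -> Option<String> {
        let (ns, n) = parse(code)?;
        Some(format!("E-{}-{}", ns, n.checked_add(self.offset)?))
    }

    /// Operator side: map a client-reported code back to the internal one.
    fn resolve(&self, shown: &str) -> Option<String> {
        let (ns, n) = parse(shown)?;
        Some(format!("E-{}-{}", ns, n.checked_sub(self.offset)?))
    }
}

fn main() {
    // Constructed offsets chosen to reproduce the three sample sessions above.
    for (i, offset) in [3u32, 1, 6].iter().enumerate() {
        let s = Session { offset: *offset };
        let shown: Vec<String> = ["E-CFG-100", "E-CFG-101", "E-CFG-104"]
            .iter()
            .filter_map(|c| s.obfuscate(c))
            .collect();
        println!("Session {}: {}", i + 1, shown.join(", "));
    }
}
```

For triage, server-side logs need either the internal code or the session's salt recorded alongside the session identifier, since the code a user reports is only meaningful within that session.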

§Performance

Overhead:

  • Initialize session salt: 352 ps (2.8T ops/sec)
  • Obfuscate error code: 14 ns (71.4M ops/sec)
  • Generate random salt: 72 ns (13.9M ops/sec)
  • Error with obfuscation: 243 ns (4.1M errors/sec)

§Functions

  • clear_session_salt: Clear session salt (revert to no obfuscation).
  • generate_random_salt: Generate a random session salt using system entropy.
  • get_session_salt: Get current session salt value.
  • init_session_salt: Initialize session-specific error code salt.
  • obfuscate_code: Apply obfuscation to an error code using current session salt.