Any application that accepts input from a user, from a file, or from the network has to store that input, at least temporarily. Except in special cases, most application memory is stored in one of two places, the stack or the heap. Generally, the stack is a part of an application's address space devoted to storing data specific to a particular instance of a construct, such as, for example, function local variables that are valid for a single function call. The heap, however, is more general-purpose storage for an application. Memory dynamically allocated by a software program generally will be allocated within the program's heap. Data stored in heap allocated memory persists for the duration of the program, or until the program de-allocates the memory. Controlling the visibility of heap memory allocations creates a special kind of access control problem. Without some additional security, sensitive data stored in runtime heap allocations could become vulnerable to unwanted access by reverse engineers.
Reverse engineering is one process by which secure or protected aspects of data, software or hardware products can be uncovered through the analysis of the operation of the products. A reverse engineer can attack a product from several paths, one of which is the analysis of the product's data flow. By analyzing a product's data flow, protected information, such as an encryption key, can be uncovered from software that is intended to be secure. Protecting the logical structure of data in the memory of a running program can be particularly challenging because the program has to be able to make use of the data during the execution of the program. Any method or mechanism used to protect the data can also interfere with the speed or efficiency of the program flow.
One manner of protecting a program against data flow analysis is to use data obfuscation to make the reverse engineering of program data structures more difficult. Data obfuscation is a technique in which data stored in memory is scrambled, encrypted or rearranged in a manner that makes it difficult for an external user or program to make use of protected data should it be accessed by unauthorized parties. However, any manner of data obfuscation may impose overhead in a program that causes it to consumer extra resources or may slow program execution.