From: Siddhesh Poyarekar
Date: Thu, 13 Apr 2023 09:56:36 -0400
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
To: Richard Earnshaw, Nick Clifton, Binutils
Cc: gdb@sourceware.org
Message-ID: <01b8e177-abfd-549e-768f-1995cab5c81d@gotplt.org>
In-Reply-To: <2d4c7f13-8a35-3ce5-1f90-ce849a690e66@foss.arm.com>

On 2023-04-13 09:40, Richard Earnshaw wrote:
>> it just feels different because you elided the transport mechanism.
>> Fundamentally, it is unsafe to do anything with untrusted content
>> without sandboxing, so objdump is no different.  Sure, objdump is an
>> analysis tool, so it should be able to analyze foo.o without crashing,
>> but that's a robustness issue, not a security one.  The security
>> aspect should be handled by a sandbox.
>
> Sorry, I disagree.  Sending files to third parties is completely outside
> of the intended scope of objdump, so if it ends up being able to do so,
> that's a security issue.

You're mixing up scope. Given the flexibility of ELF, it is possible to get any ELF interpreter to do pretty much anything[1], including sending files to arbitrary places, deleting parts of the filesystem the executing user has access to, etc.
It is the responsibility of the layer outside of objdump (i.e. the execution environment) to constrain this.

To secure objdump and other tools from such compromise, what you'd actually need is, e.g. a --isolate flag that does an unshare()/chroot() holding the open file descriptor and does a very constrained analysis of untrusted binaries. That's one way we could control the execution environment to make sure none of it leaks.

Sid

[1] https://www.usenix.org/system/files/conference/woot13/woot13-shapiro.pdf
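A sketch of the "--isolate" idea from the message above, added here as an example and not code from binutils or from the thread's authors: the untrusted file is opened first, the process then drops into fresh user and network namespaces and chroots into an empty directory, and only afterwards reads the ELF identification bytes through the descriptor it still holds. The function names, the jail directory under /tmp and the return-code convention are assumptions of this example.

```c
#define _GNU_SOURCE  /* unshare() and CLONE_* live behind this in <sched.h> */
#include <sched.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER  /* fallbacks in case a system header was seen first */
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWNET  0x40000000
extern int unshare(int flags);
#endif

/* Hypothetical "--isolate" step, run only after the untrusted file is open:
   a new user namespace grants the capability needed for chroot(), and a new
   network namespace has no interfaces, so nothing can be sent anywhere.
   Returns 0 when isolated, 1 if namespaces are forbidden here, -1 on error. */
int enter_sandbox(void)
{
    char jail[] = "/tmp/isolate-XXXXXX";   /* empty directory as the new root */
    if (mkdtemp(jail) == NULL)
        return -1;
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) {
        rmdir(jail);
        return 1;   /* e.g. EPERM under a restrictive seccomp or sysctl policy */
    }
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    return 0;
}

/* Constrained analysis on the already-open descriptor: only e_ident is read.
   Returns 0 for a non-ELF file, 1 for ELFCLASS32, 2 for ELFCLASS64. */
int elf_class_from_fd(int fd)
{
    unsigned char ident[16];
    if (pread(fd, ident, sizeof ident, 0) != (ssize_t)sizeof ident)
        return 0;
    if (memcmp(ident, "\x7f" "ELF", 4) != 0)
        return 0;
    return (ident[4] == 1 || ident[4] == 2) ? ident[4] : 0;
}

/* Demo helper: an unlinked temp file holding constructed sample bytes. */
int make_sample_fd(const unsigned char *buf, size_t n)
{
    char path[] = "/tmp/sample-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    return (write(fd, buf, n) == (ssize_t)n) ? fd : (close(fd), -1);
}
```

Once enter_sandbox() has returned 0 the process can no longer open anything from the original filesystem or reach the network, yet the descriptor opened beforehand keeps working, which is the property the --isolate suggestion relies on.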