From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from crocodile.elm.relay.mailchannels.net (crocodile.elm.relay.mailchannels.net [23.83.212.45]) by sourceware.org (Postfix) with ESMTPS id A46533858D28; Wed, 12 Apr 2023 17:10:05 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org A46533858D28 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=gotplt.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gotplt.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id E3118141AF1; Wed, 12 Apr 2023 17:10:03 +0000 (UTC) Received: from pdx1-sub0-mail-a305.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 6074E141AFC; Wed, 12 Apr 2023 17:10:03 +0000 (UTC) ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1681319403; a=rsa-sha256; cv=none; b=sIBR8soD1DQwU2IIh4f6CyzQPrdFcD+6+1/eCDD//LwJ3f4WequzYGU87DU6a7KQ/dmoMF 5P5WeNnM/iyxxJCeJRsjf03XXIhRoamxuPxxYqojSEqdnODGkqiQFuawbtYO7xGLe6Hyyz dFAiaZPMqsYz0rJXvtUByPGgkZvF4wA9CmokQeOZI0dQCEEfs8Ql6ibUMocLfoSnpruHNS y0EqcJFWOXEa0p+IhYuySUWHbtz3Dn0LgW4NPkTxgA0uGlPRAAQ/eAtqrNFN7X6naXddXJ 7kHCgwK9ZG2pSJvrSds6B/KhANEODS391BXPep6ejCzhx8vCOo3wo0huY0CFfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1681319403; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=DzYBFhAHqh6BwOF7/+u0chXVU8AOaGipufNfbQGQybQ=; b=L0gymLUf0//EqOqgLr6xl9RhklDE1HHe1refptX5E9y6GKzFkbnb3pGLjUGU0f7AKo7WLl adJrxAdOpQkgd+0c1nrlZbmaQ0mNQZVfPVF5yKYeCqb3heXRIgtF/O0E66l820tSi4Qr7f XzD3xo/780KJtGlVW2nyJRjhRAaHQqm1c1SzAI1SYZivoH/7HdWq8DW4JKQ5zRcByrHLZ2 jLTOfpdnwbxUs21HQ6YlNr/U1byYzO01SeZjZoRH7XEdoEcju9T56YxaYEvzJMwku9Y3jO CyxQMUFOsD6F4oMDo2GWU/YXDin12ifhHEY3qZ9LJBZaYL2+pJcMV4h01G2pfQ== ARC-Authentication-Results: i=1; rspamd-786cb55f77-td5r7; auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@gotplt.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org X-MC-Relay: Neutral X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Duck-Occur: 32212589441fc253_1681319403686_3066586616 X-MC-Loop-Signature: 1681319403686:850861830 X-MC-Ingress-Time: 1681319403686 Received: from pdx1-sub0-mail-a305.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.116.217.200 (trex/6.7.2); Wed, 12 Apr 2023 17:10:03 +0000 Received: from [192.168.2.12] (bras-vprn-toroon4834w-lp130-09-174-91-45-153.dsl.bell.ca [174.91.45.153]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a305.dreamhost.com (Postfix) with ESMTPSA id 4PxTjQ4rp6z8n; Wed, 12 Apr 2023 10:10:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gotplt.org; s=dreamhost; t=1681319403; bh=DzYBFhAHqh6BwOF7/+u0chXVU8AOaGipufNfbQGQybQ=; h=Date:Subject:To:Cc:From:Content-Type:Content-Transfer-Encoding; b=DHS4CeL6ot5ih+cUDqZY/wj2hN/kmLT4UxvFt3S+3xn34Bu4m7RZrv0Z4MrSCaeDH 2SbNExe/i0THewt5GN5XOoc8Ae5P/rwBrbxv7MtQ9BHIFSjyn2kx3IlTddQDLQT+tC HULaNJqfjPpzuiZwNaQbcVBjNp3Vl27COkgApcfN7ptEF89Wu9YRdqoW+jHTmCQy9x sQUWnVg6sg+Q8k/s/pI1undlVDcP+o5IC0VOvVJ7O2RRxMMJZ9BjpdGndr1OqxiK4L iir0nAZFMBWbdJYIwNTIVOxQZe9OJEjHTsyQKTnGwfLeeQXi2FFXqR5z9bqUMTrDZk yEp0fDrqnSugQ== Message-ID: <73bc480a-a927-2773-8756-50350f76dfbf@gotplt.org> Date: Wed, 12 Apr 2023 13:10:01 -0400 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.1 Subject: Re: RFC: Adding a SECURITY.md document to the Binutils Content-Language: en-US To: Richard Earnshaw , Nick Clifton , Binutils Cc: "gdb@sourceware.org" References: <1c38b926-e003-0e21-e7f1-3d5dbec2aabf@redhat.com> <5b147005-bd28-4cf9-b9e7-479ef02cb1ad@foss.arm.com> <5d044987-39eb-a060-1b2b-9d07b1515e7d@gotplt.org> From: Siddhesh Poyarekar In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3027.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,KAM_ASCII_DIVIDERS,MEDICAL_SUBJECT,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 2023-04-12 12:52, Richard Earnshaw wrote: > > > On 12/04/2023 17:26, Siddhesh Poyarekar wrote: >> On 2023-04-12 12:02, Richard Earnshaw wrote: >>> >>> >>> On 07/04/2023 09:42, Nick Clifton via Binutils wrote: >>>> Hi Guys, >>>> >>>>    Many open source projects have a SECURITY.md file which explains >>>>    their stance on security related bugs.  So I thought that it would >>>>    be a good idea if we had one too.  The top level file would actually >>>>    just be a placeholder, like this: >>>> >>>> ------------- ./SECURITY.md ------------------------------------------ >>>> For details on the Binutils security process please see >>>> the SECURITY.md file in the binutils sub-directory. >>>> >>>> For details on the GDB security process please see >>>> the SECURITY.md file in the gdb sub-directory. >>>> -------------------------------------------------------------------- >>>> >>>>    So this email is mostly about the wording for the Binutils specific >>>>    version.  Here is my current proposal: >>>> >>>> ---------------- binutils/SECURITY.md ------------------------------ >>>> Binutils Security Process >>>> ========================= >>>> >>>> What is a binutils security bug? >>>> ================================ >>>> >>>>     A security bug is one that threatens the security of a system or >>>>     network.  In the context of the GNU Binutils this means a bug that >>>>     relates to the creation of corrupt output files from valid, trusted >>>>     inputs.  Even then the bug would only have a security impact if the >>>>     the code invokes undefined behaviour or results in a privilege >>>>     boundary being crossed. >>>> >>>>     Other than that, all other bugs will be treated as non-security >>>>     issues.  This does not mean that they will be ignored, just that >>>>     they will not be given the priority that is given to security bugs. >>>> >>>>     This stance applies to the creation tools in the GNU Binutils (eg >>>>     as, ld, gold, objcopy) and the libraries that they use.  Bugs in Perhaps also name libbfd, libopcode, etc. in the libraries to make it clearer. >>>>     inspection tools (eg readelf, nm objdump) will not be considered >>>>     to be security bugs, since they do not create executable output >>>>     files.  When used on untrusted inputs, these inspection tools >>>>     should be appropriately sandboxed to mitigate potential damage >>>>     due to any malicious input files. >>> >>> I'd expect that any program used on untrusted input to be run only at >>> user-level privileges.  So we should exclude issues where an account >>> with elevated privileges (eg root) is used with either inspection or >>> generation tools. >> >> Agreed, I think this should be addressed by the "or results in a >> privilege boundary being crossed".  By running these programs as root, >> the user is elevating privileges themselves, so it's not a binutils >> problem. > > My reading of the text is that "privilege boundary being crossed" (in > the first paragraph) is specifically related to the generated output, > not to the program itself being run with elevated privileges. OK, then how about this for the first paragraph: ~~~ A security bug is one that threatens the security of a system or network. In the context of GNU Binutils, there are two ways in which a bug could have security consequences. The primary method is when the tools introduce a vulnerability in the output file that was not present in the input files being processed. The other, albeit unlikely way is when a bug in the tools results in a privilege boundary is crossed in either the tools themselves or in the code they generate. ~~~ >>> The other area of concern is where the tools (particularly the >>> linker) 'generate' code; so bugs in the opcodes the assembler >>> generates (eg by not setting some don't care bits to something safe) >>> or with code generated by the linker to glue functions together >>> (relocation handling, PLTs, veneers, etc) would also count. >> >> Ack, I reckon this should be addressed by "corrupt output files from >> valid trusted inputs".  If that's not clear enough, could you suggest >> alternative phrasing that makes it clearer? > > I'm not sure corrupt is general enough.  Each instruction in the binary > might be completely legal, but their sequencing could leave some > vulnerabilities (think spectre, for example, but that's pretty extreme). > > Perhaps something like "... this means that the tools introduce a > vulnerability in the output file that was not present in the input files > being processed".  I think with that wording you probably don't even > need the last sentence in the first paragraph. Agreed, that sounds more precise. I've incorporated that into the paragraph above. How does that sound overall? Thanks, Sid