From: Richard Earnshaw <Richard.Earnshaw@foss.arm.com>
To: Siddhesh Poyarekar <siddhesh@gotplt.org>,
Nick Clifton <nickc@redhat.com>,
Binutils <binutils@sourceware.org>
Cc: "gdb@sourceware.org" <gdb@sourceware.org>
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
Date: Fri, 14 Apr 2023 10:52:18 +0100 [thread overview]
Message-ID: <b08b6a71-e681-c205-cc7a-05e771b4a99a@foss.arm.com> (raw)
In-Reply-To: <613a6e55-846c-9f1f-cfd0-046b52487ae3@gotplt.org>
On 13/04/2023 17:42, Siddhesh Poyarekar wrote:
> On 2023-04-13 11:05, Richard Earnshaw wrote:
>> On 13/04/2023 16:02, Siddhesh Poyarekar wrote:
>>> On 2023-04-13 10:50, Richard Earnshaw wrote:
>>>> No, whilst elf can be executed, objdump should never be doing that:
>>>> it's a tool for examining a file, not running it. You have to have
>>>> a tool that can safely examine the contents of an elf file or you
>>>> can never verify it for issues - opening it up in emacs to examine
>>>> the contents is not the way to do that :)
>>>
>>> You can verify it for issues, in a sandbox.
>>
>> Maybe. But not always, it might not crash the program, but still lead
>> to issues once taken outside of the sandbox.
>
> You don't analyze untrusted data outside of a sandbox. Really, it's
> security 101.
I think your definition of trusted and untrusted must vary from mine.
And I think your expectations on users is somewhat unreasonable.
In my book any binary object obtained from the internet is /potentially/
untrusted. That includes any object file that is downloaded from, say,
a Red Hat server in an RPM package (even if it's been signed). Are you
seriously suggesting that every user should deal with every file as
though it was completely untrustworthy?
>
>>>> But all that is beside the point. The original case I gave was a
>>>> /corrupt/ elf file that caused a buffer overrun in the objdump binary.
>>>
>>> ... and that's a robustness issue. Any buffer overrun in any program
>>> could in theory be exploited to send out files.
>>>
>>
>> So what's your point? These /are/ vulnerabilities in the program and
>> need to be considered security issues.
>
> I already made my point; I agree that they are security issues but the
> security mitigation mechanism is in the environment, not the program. I
> do not think it is in the interest of the binutils project to guarantee
> safety in analysis of untrusted programs without requisite protections
> of the environment.
>
> Sid
Any buffer overflow where the data used to do the overflow comes from an
object file is a potential breach, unless the program can detect this
and make a controlled abort before any possible break-out can occur.
The key here is defence in depth. It's not enough to say that
everything must be done in a sandbox, even if that is advisable.
R.
next prev parent reply other threads:[~2023-04-14 9:52 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-07 8:42 Nick Clifton
2023-04-07 10:36 ` Eli Zaretskii
2023-04-11 13:29 ` Nick Clifton
2023-04-11 14:23 ` Simon Marchi
2023-04-11 15:00 ` Eli Zaretskii
2023-04-11 16:22 ` Nick Clifton
2023-04-11 16:32 ` Matt Rice
2023-04-11 18:18 ` J.W. Jagersma
2023-04-12 8:43 ` Nick Clifton
2023-04-08 6:30 ` Jan Beulich
2023-04-10 18:30 ` John Baldwin
2023-04-20 15:56 ` Nick Clifton
2023-04-11 19:45 ` Ian Lance Taylor
2023-04-12 16:02 ` Richard Earnshaw
2023-04-12 16:26 ` Siddhesh Poyarekar
2023-04-12 16:52 ` Richard Earnshaw
2023-04-12 16:58 ` Paul Koning
2023-04-12 17:10 ` Siddhesh Poyarekar
2023-04-13 3:51 ` Alan Modra
2023-04-13 4:25 ` Siddhesh Poyarekar
2023-04-13 5:16 ` Alan Modra
2023-04-13 12:00 ` Siddhesh Poyarekar
2023-04-13 10:25 ` Richard Earnshaw
2023-04-13 11:53 ` Siddhesh Poyarekar
2023-04-13 12:37 ` Richard Earnshaw
2023-04-13 12:54 ` Siddhesh Poyarekar
2023-04-13 13:11 ` Richard Earnshaw
2023-04-13 13:35 ` Siddhesh Poyarekar
2023-04-13 13:40 ` Richard Earnshaw
2023-04-13 13:56 ` Siddhesh Poyarekar
2023-04-13 14:50 ` Richard Earnshaw
2023-04-13 15:02 ` Siddhesh Poyarekar
2023-04-13 15:05 ` Richard Earnshaw
2023-04-13 16:42 ` Siddhesh Poyarekar
2023-04-14 9:52 ` Richard Earnshaw [this message]
2023-04-14 12:43 ` Siddhesh Poyarekar
2023-04-14 12:49 ` Richard Earnshaw
2023-04-14 13:13 ` Siddhesh Poyarekar
2023-04-13 15:08 ` Paul Koning
2023-04-13 16:02 ` Siddhesh Poyarekar
2023-04-13 16:49 ` Paul Koning
2023-04-13 17:00 ` Siddhesh Poyarekar
2023-04-13 17:05 ` Paul Koning
2023-04-13 17:29 ` Siddhesh Poyarekar
2023-04-13 17:37 ` Paul Koning
2023-04-13 18:16 ` Siddhesh Poyarekar
2023-04-14 17:37 ` Ian Lance Taylor
2023-04-14 18:27 ` Siddhesh Poyarekar
2023-04-14 20:46 ` Ian Lance Taylor
2023-04-14 21:24 ` Siddhesh Poyarekar
2023-04-17 15:31 ` Michael Matz
2023-04-17 19:55 ` Ian Lance Taylor
2023-04-14 19:45 ` DJ Delorie
2023-04-14 20:49 ` Ian Lance Taylor
2023-04-15 6:41 ` Xi Ruoyao
2023-04-13 16:06 ` Richard Earnshaw
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b08b6a71-e681-c205-cc7a-05e771b4a99a@foss.arm.com \
--to=richard.earnshaw@foss.arm.com \
--cc=binutils@sourceware.org \
--cc=gdb@sourceware.org \
--cc=nickc@redhat.com \
--cc=siddhesh@gotplt.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).