From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: David Edelsohn <dje.gcc@gmail.com>,
Richard Biener <richard.guenther@gmail.com>,
Ian Lance Taylor <iant@google.com>,
Jakub Jelinek <jakub@redhat.com>,
GCC Patches <gcc-patches@gcc.gnu.org>,
Carlos O'Donell <carlos@redhat.com>,
richard.sandiford@arm.com
Subject: Re: [RFC] GCC Security policy
Date: Thu, 10 Aug 2023 14:50:54 -0400 [thread overview]
Message-ID: <2dbb0178-ad06-ca40-1d77-675e0eb58a61@gotplt.org> (raw)
In-Reply-To: <mptttt6sqf5.fsf@arm.com>
On 2023-08-10 14:28, Richard Sandiford wrote:
> Siddhesh Poyarekar <siddhesh@gotplt.org> writes:
>> On 2023-08-08 10:30, Siddhesh Poyarekar wrote:
>>>> Do you have a suggestion for the language to address libgcc,
>>>> libstdc++, etc. and libiberty, libbacktrace, etc.?
>>>
>>> I'll work on this a bit and share a draft.
>>
>> Hi David,
>>
>> Here's what I came up with for different parts of GCC, including the
>> runtime libraries. Over time we may find that specific parts of runtime
>> libraries simply cannot be used safely in some contexts and flag that.
>>
>> Sid
>>
>> """
>> What is a GCC security bug?
>> ===========================
>>
>> A security bug is one that threatens the security of a system or
>> network, or might compromise the security of data stored on it.
>> In the context of GCC there are multiple ways in which this might
>> happen and they're detailed below.
>>
>> Compiler drivers, programs, libgccjit and support libraries
>> -----------------------------------------------------------
>>
>> The compiler driver processes source code, invokes other programs
>> such as the assembler and linker and generates the output result,
>> which may be assembly code or machine code. It is necessary that
>> all source code inputs to the compiler are trusted, since it is
>> impossible for the driver to validate input source code beyond
>> conformance to a programming language standard.
>>
>> The GCC JIT implementation, libgccjit, is intended to be plugged
>> into applications to translate input source code in the application
>> context. Limitations that apply to the compiler
>> driver, apply here too in terms of sanitizing inputs, so it is
>> recommended that inputs are either sanitized by an external program
>> to allow only trusted, safe execution in the context of the
>> application or the JIT execution context is appropriately sandboxed
>> to contain the effects of any bugs in the JIT or its generated code
>> to the sandboxed environment.
>>
>> Support libraries such as libiberty, libcc1 libvtv and libcpp have
>> been developed separately to share code with other tools such as
>> binutils and gdb. These libraries again have similar challenges to
>> compiler drivers. While they are expected to be robust against
>> arbitrary input, they should only be used with trusted inputs.
>>
>> Libraries such as zlib and libffi that bundled into GCC to build it
>> will be treated the same as the compiler drivers and programs as far
>> as security coverage is concerned.
>>
>> As a result, the only case for a potential security issue in all
>> these cases is when it ends up generating vulnerable output for
>> valid input source code.
>
> I think this leaves open the interpretation "every wrong code bug
> is potentially a security bug". I suppose that's true in a trite sense,
> but not in a useful sense. As others said earlier in the thread,
> whether a wrong code bug in GCC leads to a security bug in the object
> code is too application-dependent to be a useful classification for GCC.
>
> I think we should explicitly say that we don't generally consider wrong
> code bugs to be security bugs. Leaving it implicit is bound to lead
> to misunderstanding.
I see what you mean, but the context-dependence of a bug is something
GCC will have to deal with, similar to how libraries have to deal with
bugs. But I agree this probably needs some more expansion. Let me try
and come up with something more detailed for that last paragraph.
> There's another case that I think should be highlighted explicitly:
> GCC provides various security-hardening features. I think any failure
> of those feature to act as documented is poentially a security bug.
> Failure to follow reasonable expectations (even if not documented)
> might sometimes be a security bug too.
Missed hardening in general does not put systems at immediate risk, so
they're not considered CVE-worthy. In fact when bugs are evaluated for
security risk at a source level (e.g. when NIST does it), hardening does
not come into the picture at all. It's only at product levels that
hardening features are accounted for, e.g. where -fstack-protector would
reduce the seriousness of a stack buffer overflow and even there one
must do an analysis to see if the generated code actually mitigated the
overflow using the stack protector canary.
Thanks,
Sid
next prev parent reply other threads:[~2023-08-10 18:51 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-07 17:29 David Edelsohn
2023-08-08 8:16 ` Richard Biener
2023-08-08 12:33 ` Siddhesh Poyarekar
2023-08-08 12:52 ` Richard Biener
2023-08-08 13:01 ` Jakub Jelinek
2023-08-08 13:21 ` Richard Biener
2023-08-08 13:24 ` Michael Matz
2023-08-08 13:33 ` Paul Koning
2023-08-08 15:48 ` David Malcolm
2023-08-08 15:55 ` Siddhesh Poyarekar
2023-08-08 16:35 ` Paul Koning
2023-08-08 20:02 ` Joseph Myers
2023-08-08 13:34 ` Ian Lance Taylor
2023-08-08 14:04 ` Richard Biener
2023-08-08 14:06 ` Siddhesh Poyarekar
2023-08-08 14:14 ` David Edelsohn
2023-08-08 14:30 ` Siddhesh Poyarekar
2023-08-08 14:37 ` Jakub Jelinek
2023-08-08 14:40 ` Siddhesh Poyarekar
2023-08-08 16:22 ` Richard Earnshaw (lists)
2023-08-08 17:35 ` Ian Lance Taylor
2023-08-08 17:46 ` David Edelsohn
2023-08-08 19:39 ` Carlos O'Donell
2023-08-09 13:25 ` Richard Earnshaw (lists)
2023-08-09 17:32 ` Siddhesh Poyarekar
2023-08-09 18:17 ` David Edelsohn
2023-08-09 20:12 ` Siddhesh Poyarekar
2023-08-10 18:28 ` Richard Sandiford
2023-08-10 18:50 ` Siddhesh Poyarekar [this message]
2023-08-11 14:36 ` Siddhesh Poyarekar
2023-08-11 15:09 ` Paul Koning
2023-08-11 15:20 ` Siddhesh Poyarekar
2023-08-10 19:27 ` Richard Biener
2023-08-11 15:12 ` David Edelsohn
2023-08-11 15:22 ` Siddhesh Poyarekar
2024-02-09 15:38 ` Martin Jambor
2024-02-09 15:55 ` Siddhesh Poyarekar
2024-02-09 17:14 ` Joseph Myers
2024-02-09 17:39 ` Siddhesh Poyarekar
2024-02-09 20:06 ` Joseph Myers
2024-02-12 13:32 ` Siddhesh Poyarekar
2024-02-12 13:16 ` Martin Jambor
2024-02-12 13:35 ` Siddhesh Poyarekar
2024-02-12 15:00 ` Richard Biener
2024-02-13 12:34 ` Siddhesh Poyarekar
2023-08-14 13:26 ` Siddhesh Poyarekar
2023-08-14 18:51 ` Richard Sandiford
2023-08-14 19:31 ` Siddhesh Poyarekar
2023-08-14 21:16 ` Alexander Monakov
2023-08-14 21:50 ` Siddhesh Poyarekar
2023-08-15 5:59 ` Alexander Monakov
2023-08-15 10:33 ` Siddhesh Poyarekar
2023-08-15 14:07 ` Alexander Monakov
2023-08-15 14:54 ` Paul Koning
2023-08-15 19:13 ` Siddhesh Poyarekar
2023-08-15 23:07 ` Alexander Monakov
2023-08-15 23:45 ` David Edelsohn
2023-08-16 0:37 ` Alexander Monakov
2023-08-16 0:50 ` Paul Koning
2023-08-16 7:53 ` Alexander Monakov
2023-08-16 13:06 ` Paul Koning
2023-08-16 9:05 ` Toon Moene
2023-08-16 12:19 ` Siddhesh Poyarekar
2023-08-16 15:06 ` Alexander Monakov
2023-08-16 15:18 ` Siddhesh Poyarekar
2023-08-16 16:02 ` Alexander Monakov
2023-08-15 23:45 ` David Malcolm
2023-08-16 8:25 ` Alexander Monakov
2023-08-16 11:39 ` Siddhesh Poyarekar
2023-08-16 11:50 ` Alexander Monakov
2023-09-06 11:23 ` Siddhesh Poyarekar
2023-09-20 7:36 ` Arnaud Charlet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2dbb0178-ad06-ca40-1d77-675e0eb58a61@gotplt.org \
--to=siddhesh@gotplt.org \
--cc=carlos@redhat.com \
--cc=dje.gcc@gmail.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=iant@google.com \
--cc=jakub@redhat.com \
--cc=richard.guenther@gmail.com \
--cc=richard.sandiford@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).