Message-ID: <3490e0a6-f450-cb96-600d-ca970e7b5a16@gotplt.org>
Date: Fri, 11 Aug 2023 11:20:38 -0400
Subject: Re: [RFC] GCC Security policy
To: Paul Koning
Cc:
 David Edelsohn, Richard Biener, Ian Lance Taylor, Jakub Jelinek, GCC Patches, Carlos O'Donell, richard.sandiford@arm.com
References: <5dab0019-a28e-f6b1-c822-9217d4d2f59f@gotplt.org> <7d5145fa-85b8-5228-75ed-2ce1010c2aaf@gotplt.org> <2dbb0178-ad06-ca40-1d77-675e0eb58a61@gotplt.org> <794664B2-7241-4A67-B88F-2B3E5BF0BB48@comcast.net>
From: Siddhesh Poyarekar
In-Reply-To: <794664B2-7241-4A67-B88F-2B3E5BF0BB48@comcast.net>

On 2023-08-11 11:09, Paul Koning wrote:
>
>
>> On Aug 11, 2023, at 10:36 AM, Siddhesh Poyarekar wrote:
>>
>> On 2023-08-10 14:50, Siddhesh Poyarekar wrote:
>>>>> As a result, the only case for a potential security issue in all
>>>>> these cases is when it ends up generating vulnerable output for
>>>>> valid input source code.
>>>>
>>>> I think this leaves open the interpretation "every wrong code bug
>>>> is potentially a security bug". I suppose that's true in a trite sense,
>>>> but not in a useful sense. As others said earlier in the thread,
>>>> whether a wrong code bug in GCC leads to a security bug in the object
>>>> code is too application-dependent to be a useful classification for GCC.
>>>>
>>>> I think we should explicitly say that we don't generally consider wrong
>>>> code bugs to be security bugs. Leaving it implicit is bound to lead
>>>> to misunderstanding.
>>>
>>> I see what you mean, but the context-dependence of a bug is something GCC will have to deal with, similar to how libraries have to deal with bugs. But I agree this probably needs some more expansion.
>>> Let me try and come up with something more detailed for that last paragraph.
>>
>> How's this:
>>
>> As a result, the only case for a potential security issue in the compiler is when it generates vulnerable application code for valid, trusted input source code. The output application code could be considered vulnerable if it produces an actual vulnerability in the target application, specifically in the following cases:
>
> You might make it explicit that we're talking about wrong code errors here -- in other words, the source code is correct (conforms to the standard) and the algorithm expressed in the source code does not have a vulnerability, but the generated code has semantics that differ from those of the source code such that it does have a vulnerability.

Ack, thanks for the suggestion.

>
>> - The application dereferences an invalid memory location despite the application sources being valid.
>>
>> - The application reads from or writes to a valid but incorrect memory location, resulting in an information integrity issue or an information leak.
>>
>> - The application ends up running in an infinite loop or with severe degradation in performance despite the input sources having no such issue, resulting in a Denial of Service. Note that correct but non-performant code is not a security issue candidate, this only applies to incorrect code that may result in performance degradation.
>
> The last sentence somewhat contradicts the preceding one. Perhaps "...may result in performance degradation severe enough to amount to a denial of service".

Ack, will fix that up, thanks.

Sid