Re: [RFC] GCC Security policy - Siddhesh Poyarekar

public inbox for gcc-patches@gcc.gnu.org
 help / color / mirror / Atom feed

From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: Alexander Monakov <amonakov@ispras.ru>
Cc: David Edelsohn <dje.gcc@gmail.com>,
	GCC Patches <gcc-patches@gcc.gnu.org>,
	Carlos O'Donell <carlos@redhat.com>,
	richard.sandiford@arm.com
Subject: Re: [RFC] GCC Security policy
Date: Tue, 15 Aug 2023 06:33:53 -0400	[thread overview]
Message-ID: <4c041fac-c363-9415-72d5-90df74b44abc@gotplt.org> (raw)
In-Reply-To: <7462498c-3d65-a7bd-012e-2d9b200b0b1f@ispras.ru>

On 2023-08-15 01:59, Alexander Monakov wrote:
> 
> On Mon, 14 Aug 2023, Siddhesh Poyarekar wrote:
> 
>> There's no practical (programmatic) way to do such validation; it has to be a
>> manual audit, which is why source code passed to the compiler has to be
>> *trusted*.
> 
> No, I do not think that is a logical conclusion. What is the problem with
> passing untrusted code to a sandboxed compiler?
> 
>> Right, that's what we're essentially trying to convey in the security policy
>> text.  It doesn't go into mechanisms for securing execution (because that's
>> really beyond the scope of the *project's* policy IMO) but it states
>> unambiguously that input to the compiler must be trusted:
>>
>> """
>>                                            ... It is necessary that
>>      all source code inputs to the compiler are trusted, since it is
>>      impossible for the driver to validate input source code beyond
>>      conformance to a programming language standard...
>> """
> 
> I see two issues with this. First, it reads as if people wishing to build
> not-entirely-trusted sources need to seek some other compiler, as somehow
> we seem to imply that sandboxing GCC is out of the question.
> 
> Second, I take issue with the last part of the quoted text (language
> conformance): verifying standards conformance is also impossible
> (consider UB that manifests only during linking or dynamic loading)
> so GCC is only doing that on a best-effort basis with no guarantees.

Does this as the first paragraph address your concerns:

The compiler driver processes source code, invokes other programs such 
as the assembler and linker and generates the output result, which may 
be assembly code or machine code.  It is necessary that all source code 
inputs to the compiler are trusted, since it is impossible for the 
driver to validate input source code for safety.  For untrusted code 
should compilation should be done inside a sandboxed environment to 
ensure that it does not compromise the development environment.  Note 
that this still does not guarantee safety of the produced output 
programs and that such programs should still either be analyzed 
thoroughly for safety or run only inside a sandbox or an isolated system 
to avoid compromising the execution environment.

Thanks,
Sid

next prev parent reply	other threads:[~2023-08-15 10:33 UTC|newest]

Thread overview: 72+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-07 17:29 David Edelsohn
2023-08-08  8:16 ` Richard Biener
2023-08-08 12:33   ` Siddhesh Poyarekar
2023-08-08 12:52     ` Richard Biener
2023-08-08 13:01       ` Jakub Jelinek
2023-08-08 13:21         ` Richard Biener
2023-08-08 13:24         ` Michael Matz
2023-08-08 13:33         ` Paul Koning
2023-08-08 15:48           ` David Malcolm
2023-08-08 15:55             ` Siddhesh Poyarekar
2023-08-08 16:35               ` Paul Koning
2023-08-08 20:02             ` Joseph Myers
2023-08-08 13:34         ` Ian Lance Taylor
2023-08-08 14:04           ` Richard Biener
2023-08-08 14:06             ` Siddhesh Poyarekar
2023-08-08 14:14               ` David Edelsohn
2023-08-08 14:30                 ` Siddhesh Poyarekar
2023-08-08 14:37                   ` Jakub Jelinek
2023-08-08 14:40                     ` Siddhesh Poyarekar
2023-08-08 16:22                       ` Richard Earnshaw (lists)
2023-08-08 17:35                     ` Ian Lance Taylor
2023-08-08 17:46                       ` David Edelsohn
2023-08-08 19:39                         ` Carlos O'Donell
2023-08-09 13:25                           ` Richard Earnshaw (lists)
2023-08-09 17:32                   ` Siddhesh Poyarekar
2023-08-09 18:17                     ` David Edelsohn
2023-08-09 20:12                       ` Siddhesh Poyarekar
2023-08-10 18:28                     ` Richard Sandiford
2023-08-10 18:50                       ` Siddhesh Poyarekar
2023-08-11 14:36                         ` Siddhesh Poyarekar
2023-08-11 15:09                           ` Paul Koning
2023-08-11 15:20                             ` Siddhesh Poyarekar
2023-08-10 19:27                       ` Richard Biener
2023-08-11 15:12                     ` David Edelsohn
2023-08-11 15:22                       ` Siddhesh Poyarekar
2024-02-09 15:38       ` Martin Jambor
2024-02-09 15:55         ` Siddhesh Poyarekar
2024-02-09 17:14           ` Joseph Myers
2024-02-09 17:39             ` Siddhesh Poyarekar
2024-02-09 20:06               ` Joseph Myers
2024-02-12 13:32                 ` Siddhesh Poyarekar
2024-02-12 13:16           ` Martin Jambor
2024-02-12 13:35             ` Siddhesh Poyarekar
2024-02-12 15:00               ` Richard Biener
2024-02-13 12:34                 ` Siddhesh Poyarekar
2023-08-14 13:26 ` Siddhesh Poyarekar
2023-08-14 18:51   ` Richard Sandiford
2023-08-14 19:31     ` Siddhesh Poyarekar
2023-08-14 21:16       ` Alexander Monakov
2023-08-14 21:50         ` Siddhesh Poyarekar
2023-08-15  5:59           ` Alexander Monakov
2023-08-15 10:33             ` Siddhesh Poyarekar [this message]
2023-08-15 14:07               ` Alexander Monakov
2023-08-15 14:54                 ` Paul Koning
2023-08-15 19:13                 ` Siddhesh Poyarekar
2023-08-15 23:07                   ` Alexander Monakov
2023-08-15 23:45                     ` David Edelsohn
2023-08-16  0:37                       ` Alexander Monakov
2023-08-16  0:50                         ` Paul Koning
2023-08-16  7:53                           ` Alexander Monakov
2023-08-16 13:06                             ` Paul Koning
2023-08-16  9:05                     ` Toon Moene
2023-08-16 12:19                     ` Siddhesh Poyarekar
2023-08-16 15:06                       ` Alexander Monakov
2023-08-16 15:18                         ` Siddhesh Poyarekar
2023-08-16 16:02                           ` Alexander Monakov
2023-08-15 23:45   ` David Malcolm
2023-08-16  8:25     ` Alexander Monakov
2023-08-16 11:39       ` Siddhesh Poyarekar
2023-08-16 11:50         ` Alexander Monakov
2023-09-06 11:23 ` Siddhesh Poyarekar
2023-09-20  7:36 ` Arnaud Charlet

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4c041fac-c363-9415-72d5-90df74b44abc@gotplt.org \
    --to=siddhesh@gotplt.org \
    --cc=amonakov@ispras.ru \
    --cc=carlos@redhat.com \
    --cc=dje.gcc@gmail.com \
    --cc=gcc-patches@gcc.gnu.org \
    --cc=richard.sandiford@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).