From: Siddhesh Poyarekar <siddhesh@gotplt.org>
To: David Edelsohn <dje.gcc@gmail.com>
Cc: Richard Biener <richard.guenther@gmail.com>,
Ian Lance Taylor <iant@google.com>,
Jakub Jelinek <jakub@redhat.com>,
GCC Patches <gcc-patches@gcc.gnu.org>,
Carlos O'Donell <carlos@redhat.com>
Subject: Re: [RFC] GCC Security policy
Date: Tue, 8 Aug 2023 10:30:10 -0400 [thread overview]
Message-ID: <df2f2e29-4507-67d8-1c28-aa9416862313@gotplt.org> (raw)
In-Reply-To: <CAGWvny=7AfLUug1SSm6yeOVbbh-GwY6KFkcB_m8CMA_jgS67Rw@mail.gmail.com>
On 2023-08-08 10:14, David Edelsohn wrote:
> On Tue, Aug 8, 2023 at 10:07 AM Siddhesh Poyarekar <siddhesh@gotplt.org
> <mailto:siddhesh@gotplt.org>> wrote:
>
> On 2023-08-08 10:04, Richard Biener wrote:
> > On Tue, Aug 8, 2023 at 3:35 PM Ian Lance Taylor <iant@google.com
> <mailto:iant@google.com>> wrote:
> >>
> >> On Tue, Aug 8, 2023 at 6:02 AM Jakub Jelinek via Gcc-patches
> >> <gcc-patches@gcc.gnu.org <mailto:gcc-patches@gcc.gnu.org>> wrote:
> >>>
> >>> On Tue, Aug 08, 2023 at 02:52:57PM +0200, Richard Biener via
> Gcc-patches wrote:
> >>>> There's probably external tools to do this, not sure if we
> should replicate
> >>>> things in the driver for this.
> >>>>
> >>>> But sure, I think the driver is the proper point to address
> any of such
> >>>> issues - iff we want to address them at all. Maybe a nice little
> >>>> google summer-of-code project ;)
> >>>
> >>> What I'd really like to avoid is having all compiler bugs
> (primarily ICEs)
> >>> considered to be security bugs (e.g. DoS category), it would be
> terrible to
> >>> release every week a new compiler because of the "security" issues.
> >>> Running compiler on untrusted sources can trigger ICEs (which
> we want to fix
> >>> but there will always be some), or run into some compile time
> and/or compile
> >>> memory issue (we have various quadratic or worse spots),
> compiler stack
> >>> limits (deeply nested stuff e.g. during parsing but other areas
> as well).
> >>> So, people running fuzzers and reporting issues is great, but
> if they'd get
> >>> a CVE assigned for each ice-on-invalid-code, ice-on-valid-code,
> >>> each compile-time-hog and each memory-hog, that wouldn't be useful.
> >>> Runtime libraries or security issues in the code we generate
> for valid
> >>> sources are of course a different thing.
> >>
> >>
> >> I wonder if a security policy should say something about the
> -fplugin
> >> option. I agree that an ICE is not a security issue, but I
> wonder how
> >> many people are aware that a poorly chosen command line option can
> >> direct the compiler to run arbitrary code. For that matter the same
> >> is true of setting the GCC_EXEC_PREFIX environment variable, and no
> >> doubt several other environment variables. My point is not that we
> >> should change these, but that a security policy should draw
> attention
> >> to the fact that there are cases in which the compiler will
> >> unexpectedly run other programs.
> >
> > Well, if you run an arbitrary commandline from the internet you get
> > what you deserve, running "echo "Hello World" | gcc -xc - -o
> /dev/sda"
> > as root doesn't need plugins to shoot yourself in the foot. You
> need to
> > know what you're doing, otherwise you are basically executing an
> > arbitrary shell script with whatever privileges you have.
>
> I think it would be useful to mention caveats with plugins though, just
> like it would be useful to mention exceptions for libiberty and similar
> libraries that gcc builds. It only helps makes things clearer in terms
> of what security coverage the project provides.
>
>
> I have added a line to the Note section in the proposed text:
>
> GCC and its tools provide features and options that can run
> arbitrary user code (e.g., -fplugin).
How about the following to make it clearer that arbitrary code in
plugins is not considered secure:
GCC and its tools provide features and options that can run arbitrary
user code, e.g. using the -fplugin options. Such custom code should be
vetted by the user for safety as bugs exposed through such code will not
be considered security issues.
> I believe that the security implication already is addressed because the
> program is not tricked into a direct compromise of security.
>
> Do you have a suggestion for the language to address libgcc, libstdc++,
> etc. and libiberty, libbacktrace, etc.?
I'll work on this a bit and share a draft.
Thanks,
Sid
next prev parent reply other threads:[~2023-08-08 14:30 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-07 17:29 David Edelsohn
2023-08-08 8:16 ` Richard Biener
2023-08-08 12:33 ` Siddhesh Poyarekar
2023-08-08 12:52 ` Richard Biener
2023-08-08 13:01 ` Jakub Jelinek
2023-08-08 13:21 ` Richard Biener
2023-08-08 13:24 ` Michael Matz
2023-08-08 13:33 ` Paul Koning
2023-08-08 15:48 ` David Malcolm
2023-08-08 15:55 ` Siddhesh Poyarekar
2023-08-08 16:35 ` Paul Koning
2023-08-08 20:02 ` Joseph Myers
2023-08-08 13:34 ` Ian Lance Taylor
2023-08-08 14:04 ` Richard Biener
2023-08-08 14:06 ` Siddhesh Poyarekar
2023-08-08 14:14 ` David Edelsohn
2023-08-08 14:30 ` Siddhesh Poyarekar [this message]
2023-08-08 14:37 ` Jakub Jelinek
2023-08-08 14:40 ` Siddhesh Poyarekar
2023-08-08 16:22 ` Richard Earnshaw (lists)
2023-08-08 17:35 ` Ian Lance Taylor
2023-08-08 17:46 ` David Edelsohn
2023-08-08 19:39 ` Carlos O'Donell
2023-08-09 13:25 ` Richard Earnshaw (lists)
2023-08-09 17:32 ` Siddhesh Poyarekar
2023-08-09 18:17 ` David Edelsohn
2023-08-09 20:12 ` Siddhesh Poyarekar
2023-08-10 18:28 ` Richard Sandiford
2023-08-10 18:50 ` Siddhesh Poyarekar
2023-08-11 14:36 ` Siddhesh Poyarekar
2023-08-11 15:09 ` Paul Koning
2023-08-11 15:20 ` Siddhesh Poyarekar
2023-08-10 19:27 ` Richard Biener
2023-08-11 15:12 ` David Edelsohn
2023-08-11 15:22 ` Siddhesh Poyarekar
2024-02-09 15:38 ` Martin Jambor
2024-02-09 15:55 ` Siddhesh Poyarekar
2024-02-09 17:14 ` Joseph Myers
2024-02-09 17:39 ` Siddhesh Poyarekar
2024-02-09 20:06 ` Joseph Myers
2024-02-12 13:32 ` Siddhesh Poyarekar
2024-02-12 13:16 ` Martin Jambor
2024-02-12 13:35 ` Siddhesh Poyarekar
2024-02-12 15:00 ` Richard Biener
2024-02-13 12:34 ` Siddhesh Poyarekar
2023-08-14 13:26 ` Siddhesh Poyarekar
2023-08-14 18:51 ` Richard Sandiford
2023-08-14 19:31 ` Siddhesh Poyarekar
2023-08-14 21:16 ` Alexander Monakov
2023-08-14 21:50 ` Siddhesh Poyarekar
2023-08-15 5:59 ` Alexander Monakov
2023-08-15 10:33 ` Siddhesh Poyarekar
2023-08-15 14:07 ` Alexander Monakov
2023-08-15 14:54 ` Paul Koning
2023-08-15 19:13 ` Siddhesh Poyarekar
2023-08-15 23:07 ` Alexander Monakov
2023-08-15 23:45 ` David Edelsohn
2023-08-16 0:37 ` Alexander Monakov
2023-08-16 0:50 ` Paul Koning
2023-08-16 7:53 ` Alexander Monakov
2023-08-16 13:06 ` Paul Koning
2023-08-16 9:05 ` Toon Moene
2023-08-16 12:19 ` Siddhesh Poyarekar
2023-08-16 15:06 ` Alexander Monakov
2023-08-16 15:18 ` Siddhesh Poyarekar
2023-08-16 16:02 ` Alexander Monakov
2023-08-15 23:45 ` David Malcolm
2023-08-16 8:25 ` Alexander Monakov
2023-08-16 11:39 ` Siddhesh Poyarekar
2023-08-16 11:50 ` Alexander Monakov
2023-09-06 11:23 ` Siddhesh Poyarekar
2023-09-20 7:36 ` Arnaud Charlet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=df2f2e29-4507-67d8-1c28-aa9416862313@gotplt.org \
--to=siddhesh@gotplt.org \
--cc=carlos@redhat.com \
--cc=dje.gcc@gmail.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=iant@google.com \
--cc=jakub@redhat.com \
--cc=richard.guenther@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).