Date: Wed, 16 Aug 2023 11:18:57 -0400
Subject: Re: [RFC] GCC Security policy
From: Siddhesh Poyarekar
To: Alexander Monakov
Cc: David Edelsohn, GCC Patches, Carlos O'Donell, richard.sandiford@arm.com

On 2023-08-16 11:06, Alexander Monakov wrote:
>> No I understood the distinction you're trying to make, I just wanted to point
>> out that the effect isn't all that different. The intent of the wording is
>> not to prescribe a solution, but to describe what the compiler cannot do and
>> hence, users must find a way to do this. I think we have a consensus on this
>> part of the wording though because we're not really responsible for the
>> prescription here and I'm happy with just asking users to sandbox.
>
> Nice!
>
>> I suppose it's kinda like saying "don't try this at home". You know many will
>> and some will break their leg while others will come out of it feeling
>> invincible. Our job is to let them know that they will likely break their leg
>> :)
>
> Continuing this analogy, I was protesting against doing our job by telling
> users "when trying this at home, make sure to wear vibranium shielding"
> while knowing for sure that nobody can, in fact, obtain said shielding,
> making our statement not helpful and rather tautological. :)
>
>> How about this in the last section titled "Security features implemented in
>> GCC", since that's where we also deal with security hardening.
>>
>> Similarly, GCC may transform code in a way that the correctness of
>> the expressed algorithm is preserved but supplementary properties
>> that are observable only outside the program or through a
>> vulnerability in the program, may not be preserved. This is not a
>> security issue in GCC and in such cases, the vulnerability that
>> caused exposure of the supplementary properties must be fixed.
>
> Yeah, indicating scenarios that fall outside of intended guarantees should
> be helpful. I feel the exact text quoted above will be hard to decipher
> without knowing the discussion that led to it. Some sort of supplementary
> section with examples might help there.

Ah, so I had started out by listing examples but dropped them before emailing. How about:

Similarly, GCC may transform code in a way that the correctness of the expressed algorithm is preserved but supplementary properties that are observable only outside the program or through a vulnerability in the program, may not be preserved. Examples of such supplementary properties could be the state of memory after it is no longer in use, performance and timing characteristics of a program, state of the CPU cache, etc. Such issues are not security vulnerabilities in GCC and in such cases, the vulnerability that caused exposure of the supplementary properties must be fixed.

> In any case, I hope further discussion, clarification and wordsmithing
> goes productively for you both here on the list and during the Cauldron.

Thanks!
Sid
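The draft wording above names the state of memory after use and the timing behaviour of a program as properties the compiler does not undertake to preserve. The following is an added C illustration, not code from this thread or from GCC, of how user code has to request those properties explicitly rather than rely on a plain memset or memcmp; the volatile-function-pointer scrub and the byte-folding comparison are common idioms, not guarantees the language gives.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not from the thread.  A plain memset(buf, 0, n) on a
   buffer that is never read again is a dead store and the optimizer may
   legitimately drop it: the expressed algorithm is unchanged, only the
   post-use memory state differs.  Calling memset through a volatile
   function pointer keeps the call, because the pointer's value must be
   loaded at run time and its target is therefore unknown to the compiler.
   This is a widely used convention, not something the C standard promises. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_memzero(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* memcmp() may return as soon as a byte differs, so its running time reveals
   where the mismatch is.  This comparison touches every byte and folds all
   differences into one accumulator, so its running time depends on n only.
   Returns 1 when the two buffers are equal, 0 otherwise. */
int consttime_memeq(const void *a, const void *b, size_t n)
{
    const volatile uint8_t *x = a;
    const volatile uint8_t *y = b;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= x[i] ^ y[i];
    return diff == 0;
}

/* Constructed self-check: fill a buffer with a dummy secret, scrub it, and
   report whether every byte is zero afterwards. */
int scrub_leaves_zero(void)
{
    uint8_t key[16];
    memset(key, 0xA5, sizeof key);
    secure_memzero(key, sizeof key);
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof key; i++)
        acc |= key[i];
    return acc == 0;
}
```

Whether a given optimization level actually removes the plain memset is a property of the compiler build and flags, which is exactly why the policy text declines to promise it; the idioms above are what user code does to stop depending on it.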