From: Siddhesh Poyarekar
To: David Edelsohn, Richard Biener, Ian Lance Taylor, Jakub Jelinek, GCC Patches, Carlos O'Donell, richard.sandiford@arm.com
Date: Fri, 11 Aug 2023 10:36:09 -0400
Subject: Re: [RFC] GCC Security policy
In-Reply-To: <2dbb0178-ad06-ca40-1d77-675e0eb58a61@gotplt.org>
References: <5dab0019-a28e-f6b1-c822-9217d4d2f59f@gotplt.org> <7d5145fa-85b8-5228-75ed-2ce1010c2aaf@gotplt.org> <2dbb0178-ad06-ca40-1d77-675e0eb58a61@gotplt.org>

On 2023-08-10 14:50, Siddhesh Poyarekar wrote:
>>>       As a result, the only case for a potential security issue in all
>>>       these cases is when it ends up generating vulnerable output for
>>>       valid input source code.
>>
>> I think this leaves open the interpretation "every wrong code bug
>> is potentially a security bug".  I suppose that's true in a trite sense,
>> but not in a useful sense.  As others said earlier in the thread,
>> whether a wrong code bug in GCC leads to a security bug in the object
>> code is too application-dependent to be a useful classification for GCC.
>>
>> I think we should explicitly say that we don't generally consider wrong
>> code bugs to be security bugs.  Leaving it implicit is bound to lead
>> to misunderstanding.
>
> I see what you mean, but the context-dependence of a bug is something
> GCC will have to deal with, similar to how libraries have to deal with
> bugs.  But I agree this probably needs some more expansion.  Let me try
> and come up with something more detailed for that last paragraph.
How's this:

As a result, the only case for a potential security issue in the compiler is when it generates vulnerable application code for valid, trusted input source code.  The output application code could be considered vulnerable if it produces an actual vulnerability in the target application, specifically in the following cases:

- The application dereferences an invalid memory location despite the application sources being valid.

- The application reads from or writes to a valid but incorrect memory location, resulting in an information integrity issue or an information leak.

- The application ends up running in an infinite loop or with severe degradation in performance despite the input sources having no such issue, resulting in a Denial of Service.  Note that correct but non-performant code is not a security issue candidate; this only applies to incorrect code that may result in performance degradation.

- The application crashes due to the generated incorrect code, resulting in a Denial of Service.