From: Siddhesh Poyarekar
Date: Thu, 13 Apr 2023 14:16:31 -0400
To: Paul Koning
Cc: Richard Earnshaw, Nick Clifton, Binutils, gdb@sourceware.org
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
In-Reply-To: <2FDDD795-B713-41B8-A650-1CA06F027416@comcast.net>

On 2023-04-13 13:37, Paul Koning wrote:
>> I haven't seen anyone suggest (and have seen many balk at) the idea of
>> crashes/buffer overruns in compilers being considered security issues.
>
> Not all buffer overruns cause security issues. Those that crash the
> program with the buffer overrun are not security issues (unless you're
> considering the category of Denial of Service attacks). But a buffer
> overrun that enables the execution of arbitrary code IS a security issue.
>
> Who do you know to "balk at" that principle?

I've discussed the idea of compiler bugs in general being considered
security issues, not specifically about arbitrary code execution through
a buffer overflow because of untrusted/crafted inputs.
I do in fact intend to write up a SECURITY.md for gcc, so perhaps it
will become an opportunity to formalize this. For binutils we need more
people to pitch in to decide a direction since we don't have agreement
yet.

> This is no different from how one analyzes buffer overruns in
> networking applications. If the consequence of the error is nothing
> worse than an abort of that application, it's DoS and would typically
> not be considered serious. If it allows code to be inserted and
> executed in the context of the application, then that is serious and
> is a security defect. The same goes for any other application whose
> specification says that it processes -- but does not execute -- its
> inputs.

The seriousness of the DoS depends on the triviality of an attack.
There can, for example, be Important DoS if it's trivial to invoke and
is widely possible in default configurations.

Also, arbitrary code execution does not require code to be inserted;
it's common to use ROPs/JOPs in existing code to achieve that. This is
also why memory safety bugs that don't always immediately result in a
crash can be assumed in the worst case to result in arbitrary code
execution.

Now whether that arbitrary code execution is security relevant depends
on the context in which the bug can be exploited:

1. It could be through local access, in which case it is not security
   relevant because the user could run arbitrary code anyway

2. Untrusted local input (such as files downloaded off the internet),
   in which case it is security relevant if the application is hardened
   and designed to work on untrusted input

3. Remote input, in which case inputs are assumed to be untrusted and
   hence always security relevant

Binutils falls in 1. (for as, ld, etc.) and 2. (for readelf, objdump,
etc.) and for case 2, it's upon us to decide whether we consider the
tools hardened to work on untrusted inputs. I don't think they are,
which is why they need to be sandboxed to eliminate the security aspect
of any bugs in them.

Sid
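The message above ends by saying readelf and objdump should be sandboxed when run on untrusted input. What follows is an added example of such a wrapper, written for this page and not part of the thread or of binutils: a POSIX sh function that assumes coreutils `timeout` is available, uses bubblewrap (bwrap) when it is installed, and otherwise falls back to rlimits and a wall-clock cap alone.

```shell
#!/bin/sh
# Added example (not from the thread or from binutils): run readelf/objdump on
# an untrusted file inside a throwaway directory with the process confined.
# Assumptions: coreutils `timeout` is present; bubblewrap (bwrap) is optional
# and used only when installed.  Send output to a pipe or terminal, not to a
# regular file, because RLIMIT_FSIZE=0 below forbids growing any file.

# usage: inspect_untrusted UNTRUSTED_FILE TOOL [TOOL-OPTIONS...]
inspect_untrusted() {
    input=$1; tool=$2; shift 2
    [ -r "$input" ] || { echo "unreadable input: $input" >&2; return 2; }
    work=$(mktemp -d) || return 2
    # the tool only ever sees a private copy named "input"
    cp -- "$input" "$work/input" || { rm -rf "$work"; return 2; }
    if (
        cd "$work" || exit 2
        ulimit -f 0        # the tool may not create or grow any file
        ulimit -t 10       # at most 10 s of CPU time
        ulimit -v 1048576  # at most 1 GiB of address space
        if command -v bwrap >/dev/null 2>&1; then
            # empty root: only the toolchain, /dev and the scratch dir exist,
            # in fresh namespaces with no network
            exec timeout 15 bwrap --unshare-all --die-with-parent --new-session \
                --ro-bind /usr /usr --ro-bind-try /bin /bin \
                --ro-bind-try /lib /lib --ro-bind-try /lib64 /lib64 \
                --dev /dev --bind "$work" /work --chdir /work \
                -- "$tool" "$@" input
        fi
        # no bwrap: the rlimits plus the wall-clock cap still apply
        exec timeout 15 "$tool" "$@" input
    ); then status=0; else status=$?; fi
    rm -rf "$work"
    return "$status"
}

# constructed invocation; any ELF file stands in for the untrusted input:
#   inspect_untrusted ./downloaded.so objdump -d
```

The rlimit fallback only bounds resource use and file writes; it does not hide the rest of the filesystem or the network the way the bwrap path does.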