From: Richard Earnshaw
Date: Thu, 13 Apr 2023 15:50:13 +0100
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
To: Siddhesh Poyarekar, Nick Clifton, Binutils
Cc: gdb@sourceware.org
In-Reply-To: <01b8e177-abfd-549e-768f-1995cab5c81d@gotplt.org>
On 13/04/2023 14:56, Siddhesh Poyarekar wrote:
> On 2023-04-13 09:40, Richard Earnshaw wrote:
>>> it just feels different because you elided the transport mechanism.
>>> Fundamentally, it is unsafe to do anything with untrusted content
>>> without sandboxing, so objdump is no different.  Sure, objdump is an
>>> analysis tool, so it should be able to analyze foo.o without
>>> crashing, but that's a robustness issue, not a security one.  The
>>> security aspect should be handled by a sandbox.
>>
>> Sorry, I disagree.  Sending files to third parties is completely
>> outside of the intended scope of objdump, so if it ends up being able
>> to do so, that's a security issue.
>
> You're mixing up scope.  Given the flexibility of ELF, it is possible to
> get any ELF interpreter to do pretty much anything[1], including sending
> files to arbitrary places, deleting parts of the filesystem the
> executing user has access to, etc.  It is the responsibility of the
> layer outside of objdump (i.e. the execution environment) to constrain
> this.
>
> To secure objdump and other tools from such compromise, what you'd
> actually need is, e.g. a --isolate flag that does an unshare()/chroot()
> holding the open file descriptor and does a very constrained analysis of
> untrusted binaries.  That's one way we could control the execution
> environment to make sure none of it leaks.
>
> Sid
>
> [1]
> https://www.usenix.org/system/files/conference/woot13/woot13-shapiro.pdf

No, whilst elf can be executed, objdump should never be doing that: it's
a tool for examining a file, not running it.  You have to have a tool
that can safely examine the contents of an elf file or you can never
verify it for issues - opening it up in emacs to examine the contents is
not the way to do that :)

But all that is beside the point.  The original case I gave was a
/corrupt/ elf file that caused a buffer overrun in the objdump binary.

R.
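As an added example (not binutils code and not from anyone in this thread), the kind of bounds check that turns the /corrupt/ ELF case above into a clean rejection instead of a buffer overrun: the section-header table's offset and size are validated against the file length, with the multiplication kept overflow-safe, before any entry is indexed. The struct mirrors the ELF64 file-header layout; the sample header is constructed in memory and assumes a little-endian host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Field-for-field copy of the 64-byte ELF64 file header (Elf64_Ehdr);
 * defined locally so the example does not depend on <elf.h>. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr64;

/* Returns e_shnum if the whole section-header table lies inside the
 * len-byte buffer, 0 if there is none, or -1 if the header is corrupt.
 * Every field is checked against len before it is trusted as an index. */
int count_sections_checked(const unsigned char *buf, size_t len)
{
    ehdr64 eh;
    if (len < sizeof eh) return -1;                      /* truncated */
    memcpy(&eh, buf, sizeof eh);                         /* no unaligned reads */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return -1;
    if (eh.e_ident[4] != 2) return -1;                   /* ELFCLASS64 only */
    if (eh.e_shnum == 0) return 0;
    if (eh.e_shentsize < 64) return -1;                  /* sizeof(Elf64_Shdr) */
    /* shoff + shnum*shentsize must fit; written so it cannot overflow. */
    uint64_t table = (uint64_t)eh.e_shnum * eh.e_shentsize;
    if (eh.e_shoff > len || table > len - eh.e_shoff) return -1;
    return eh.e_shnum;
}

/* Writes a constructed ELF64 header (not taken from any real binary) into
 * buf, claiming a section-header table at shoff with shnum 64-byte entries. */
void build_header(unsigned char *buf, uint64_t shoff, uint16_t shnum)
{
    ehdr64 eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2;   /* ELFCLASS64 */
    eh.e_ident[5] = 1;   /* ELFDATA2LSB; assumes a little-endian host */
    eh.e_ehsize = 64; eh.e_shentsize = 64;
    eh.e_shoff = shoff;  eh.e_shnum = shnum;
    memcpy(buf, &eh, sizeof eh);
}
```

On a zeroed 192-byte buffer, build_header(buf, 64, 2) yields 2 from count_sections_checked, while build_header(buf, 64, 3) (a table that runs 64 bytes past the end) yields -1.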