From: Siddhesh Poyarekar <siddhesh@redhat.com>
To: Paul Koning <paulkoning@comcast.net>
Cc: Andrew Burgess <aburgess@redhat.com>,
Simon Marchi <simark@simark.ca>,
gdb-patches@sourceware.org, felix.willgerodt@intel.com
Subject: Re: [RFC] Adding a SECURITY policy for GDB
Date: Thu, 16 Nov 2023 16:35:23 -0500 [thread overview]
Message-ID: <CAAmeS-YC5uaWU8PmMTGajbbbtKdLyXM6nbv_nEOsF_paWSCB5g@mail.gmail.com> (raw)
In-Reply-To: <8662D372-9C8D-4391-B2F4-F6871618136B@comcast.net>
On Thu, Nov 16, 2023 at 12:29 PM Paul Koning <paulkoning@comcast.net> wrote:
> > And if we accept that such a bug could exist, then it seems like we have
> > a choice: we can declare that a user should sandbox GDB before touching
> > an untrusted binary, or we can say that any bugs in GDB related to
> > simply inspecting a binary that might cause undefined behaviour in GDB,
> > could, potentially, cause GDB to execute the inferior unasked, and could
> > be considered security issues.
>
> I would lean towards "security issue". Yes, the paranoid can use sandboxes, but that's a pain in the neck that people would not expect to do for software that by design and intent should not need such precautions. With GDB, the expectation is that it executes supplied binaries, with all that implies, if and only if you ask it to do so. There are cases where that happens even if you didn't say "run" (invoking target functions from the command line, for example). But loading and examining a binary are not expected to cause execution, so a hypothetical bug that does execute bits other than GDB itself in such a case are very much unexpected and deserve to be called a security bug.
>
That does not reflect reality though. Given how bfd, etc. are today,
the idea of gdb being able to securely load untrusted binaries (even
without running them) is a pretty ambitious target IMO. Basically all
bfd memory safety bugs become *gdb* memory safety bugs and all of the
current fuzzing results then become incredibly relevant as security
issues because then it's just a matter of tricking users into
loading/inspecting arbitrary binaries to compromise their systems.
They're no longer just minor annoyances that distract us from regular
development.
Bubbling up and out a bit, when we state some threat scenario as being
accepted as a security issue in the security policy, we not only
promise users that we'll treat those issues as security issues, we
also make the implicit statement that gdb protects them from that
threat scenario, thus endorsing such use. This implicit statement has
more serious consequences and based on the current state of bugs, does
not correspond to reality.
The promise of treating such bugs as security issues however is
subjective, i.e. it depends on whether the gdb community considers
that it has the resources to respond to all such bugs as if they were
security issues, i.e. promptly fix them in master, all supported
release branches and then in downstream packages. Even if this were
fixed with that en vogue holy grail of rewriting things in rust, I
would hesitate to make such a guarantee without sandboxing (e.g. with
a --insecure flag that does the loading and inspection in an isolated
namespace with a limited set of fds), but that's just my personal
opinion.
Thanks,
Sid
next prev parent reply other threads:[~2023-11-16 21:36 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-06 13:26 Andrew Burgess
2023-11-06 18:55 ` Kevin Buettner
2023-11-06 19:34 ` Simon Marchi
2023-11-06 20:09 ` Siddhesh Poyarekar
2023-11-06 20:15 ` Simon Marchi
2023-11-07 12:17 ` Siddhesh Poyarekar
2023-11-07 14:22 ` Simon Marchi
2023-11-09 14:35 ` Willgerodt, Felix
2023-11-16 17:19 ` Andrew Burgess
2023-11-16 17:27 ` Paul Koning
2023-11-16 21:35 ` Siddhesh Poyarekar [this message]
2023-12-08 15:05 ` Andrew Burgess
2023-12-09 10:55 ` Eli Zaretskii
2024-02-04 15:32 ` Andrew Burgess
2024-02-04 17:18 ` Eli Zaretskii
2024-02-04 17:43 ` Andreas Schwab
2024-02-04 18:56 ` Eli Zaretskii
2024-02-05 11:06 ` Andrew Burgess
2023-12-12 7:27 ` Willgerodt, Felix
2024-02-04 15:36 ` [V3] " Andrew Burgess
2024-02-18 13:55 ` Andrew Burgess
2024-03-27 11:00 ` [V4] " Andrew Burgess
2024-04-08 11:01 ` [V5] " Andrew Burgess
2024-04-09 20:30 ` Tom Tromey
2024-04-10 10:22 ` Willgerodt, Felix
2024-04-26 15:44 ` Andrew Burgess
2024-02-05 21:01 ` Tom Tromey
2024-02-09 15:59 ` Andrew Burgess
2024-02-12 16:43 ` Guinevere Larsen
2024-02-12 17:06 ` Siddhesh Poyarekar
2024-02-14 15:03 ` Andrew Burgess
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAAmeS-YC5uaWU8PmMTGajbbbtKdLyXM6nbv_nEOsF_paWSCB5g@mail.gmail.com \
--to=siddhesh@redhat.com \
--cc=aburgess@redhat.com \
--cc=felix.willgerodt@intel.com \
--cc=gdb-patches@sourceware.org \
--cc=paulkoning@comcast.net \
--cc=simark@simark.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox