From: "Willgerodt, Felix" <felix.willgerodt@intel.com>
To: Andrew Burgess <aburgess@redhat.com>,
"gdb-patches@sourceware.org" <gdb-patches@sourceware.org>
Cc: Siddhesh Poyarekar <siddhesh@redhat.com>,
Kevin Buettner <kevinb@redhat.com>,
Simon Marchi <simark@simark.ca>,
Paul Koning <paulkoning@comcast.net>
Subject: RE: [RFC] Adding a SECURITY policy for GDB
Date: Tue, 12 Dec 2023 07:27:44 +0000 [thread overview]
Message-ID: <MN2PR11MB45666EFD58779CB4A3F5028A8E8EA@MN2PR11MB4566.namprd11.prod.outlook.com> (raw)
In-Reply-To: <87wmtog2f4.fsf@redhat.com>
> -----Original Message-----
> From: Andrew Burgess <aburgess@redhat.com>
> Sent: Freitag, 8. Dezember 2023 16:06
> To: gdb-patches@sourceware.org
> Cc: Siddhesh Poyarekar <siddhesh@redhat.com>; Kevin Buettner
> <kevinb@redhat.com>; Simon Marchi <simark@simark.ca>; Willgerodt, Felix
> <felix.willgerodt@intel.com>; Paul Koning <paulkoning@comcast.net>
> Subject: Re: [RFC] Adding a SECURITY policy for GDB
>
>
> Hello!
>
> Apologies for taking so long to get a second version of this document
> prepared. I've been through several iterations of this text since I
> last posted trying to get something semi-reasonable... It would be great
> to get your feedback on this new text.
>
> This is basically a complete rewrite since V1, I'll try cover how this
> new text addresses the feedback on V1:
>
> 1. A part of the original hope was that I could write some text that
> would allow bugs triggered by just loading a binary into GDB (but not
> running it) as non-security bugs. Why? Well, most of the bugs we
> see in this area are from folk throwing fuzzed binaries at GDB,
> raising a bug, and then raising a CVE on the back of that. The
> first part of this process is useful for sure. The CVE part is just
> a resource drain for downstream distributions.
>
> I did make several attempts to write some text that would classify
> bugs in this way ... but, to be honest, after about my fourth
> attempt, all I'd managed to do was convince myself that this was not
> a good idea.
>
> So, instead, I've just given up on that. I think Simon, Paul, and
> Felix should find (at least this part of) the new text satisfactory;
> loading a binary, but not executing it, should be safe to do, and if
> that's not the case, then this is a security issue.
>
> 2. As an aside, but not really relevant to the new text, given my
> evolving position, I would say that I now disagree with the binutils
> SECURITY position w.r.t. tools like objdump and readelf that Felix
> mentioned. I think it's not unreasonable that a user might run an
> analysis tool on an untrusted binary, and if such a tool can be
> tricked (via a bug) into executing code, even with the permissions
> of the original user, then I would see this as a security risk.
>
> 3. Kevin asked for discussion about running crash diagnostic tools that
> wrap around GDB. I believe this is covered by the new text which
> discusses in more detail how to safely run against trusted vs
> untrusted binaries. Kevin: If you feel there are still things
> missing that you'd like to see, then maybe you could suggest at
> least some bullet points for what should be said, and I'll have a go
> at fleshing it out.
>
> One last thing, while writing this, I did wonder if this text would be
> better moved into the GDB manual, and the gdb/SECURITY.txt document
> should just say "See the GDB manual", but I figure that's a problem for
> future me, for now I just need to find some words we can all agree on.
>
> Thanks,
> Andrew
Hi Andrew,
Thanks again for taking the time to write this! I think the new text is great
and I am in favor of it.
Regards,
Felix
Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de <http://www.intel.de>
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928
next prev parent reply other threads:[~2023-12-12 7:28 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-06 13:26 Andrew Burgess
2023-11-06 18:55 ` Kevin Buettner
2023-11-06 19:34 ` Simon Marchi
2023-11-06 20:09 ` Siddhesh Poyarekar
2023-11-06 20:15 ` Simon Marchi
2023-11-07 12:17 ` Siddhesh Poyarekar
2023-11-07 14:22 ` Simon Marchi
2023-11-09 14:35 ` Willgerodt, Felix
2023-11-16 17:19 ` Andrew Burgess
2023-11-16 17:27 ` Paul Koning
2023-11-16 21:35 ` Siddhesh Poyarekar
2023-12-08 15:05 ` Andrew Burgess
2023-12-09 10:55 ` Eli Zaretskii
2024-02-04 15:32 ` Andrew Burgess
2024-02-04 17:18 ` Eli Zaretskii
2024-02-04 17:43 ` Andreas Schwab
2024-02-04 18:56 ` Eli Zaretskii
2024-02-05 11:06 ` Andrew Burgess
2023-12-12 7:27 ` Willgerodt, Felix [this message]
2024-02-04 15:36 ` [V3] " Andrew Burgess
2024-02-18 13:55 ` Andrew Burgess
2024-03-27 11:00 ` [V4] " Andrew Burgess
2024-04-08 11:01 ` [V5] " Andrew Burgess
2024-04-09 20:30 ` Tom Tromey
2024-04-10 10:22 ` Willgerodt, Felix
2024-04-26 15:44 ` Andrew Burgess
2024-02-05 21:01 ` Tom Tromey
2024-02-09 15:59 ` Andrew Burgess
2024-02-12 16:43 ` Guinevere Larsen
2024-02-12 17:06 ` Siddhesh Poyarekar
2024-02-14 15:03 ` Andrew Burgess
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MN2PR11MB45666EFD58779CB4A3F5028A8E8EA@MN2PR11MB4566.namprd11.prod.outlook.com \
--to=felix.willgerodt@intel.com \
--cc=aburgess@redhat.com \
--cc=gdb-patches@sourceware.org \
--cc=kevinb@redhat.com \
--cc=paulkoning@comcast.net \
--cc=siddhesh@redhat.com \
--cc=simark@simark.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox