RFC: Adding a SECURITY.md document to the Binutils
Siddhesh Poyarekar
siddhesh@gotplt.org
Thu Apr 13 13:56:36 GMT 2023
On 2023-04-13 09:40, Richard Earnshaw wrote:
>> it just feels different because you elided the transport mechanism.
>> Fundamentally, it is unsafe to do anything with untrusted content
>> without sandboxing, so objdump is no different. Sure, objdump is an
>> analysis tool, so it should be able to analyze foo.o without crashing,
>> but that's a robustness issue, not a security one. The security
>> aspect should be handled by a sandbox.
>
> Sorry, I disagree. Sending files to third parties is completely outside
> of the intended scope of objdump, so if it ends up being able to do so,
> that's a security issue.
You're mixing up scope. Given the flexibility of ELF, it is possible to
get any ELF interpreter to do pretty much anything[1], including sending
files to arbitrary places, deleting parts of the filesystem the
executing user has access to, etc. It is the responsibility of the
layer outside of objdump (i.e. the execution environment) to constrain this.
To secure objdump and other tools from such compromise, what you'd
actually need is, e.g. a --isolate flag that does an unshare()/chroot()
holding the open file descriptor and does a very constrained analysis of
untrusted binaries. That's one way we could control the execution
environment to make sure none of it leaks.
Sid
[1] https://www.usenix.org/system/files/conference/woot13/woot13-shapiro.pdf
More information about the Gdb
mailing list