RFC: Adding a SECURITY.md document to the Binutils

Richard Earnshaw Richard.Earnshaw@foss.arm.com
Thu Apr 13 16:06:23 GMT 2023



On 13/04/2023 16:08, Paul Koning wrote:
> 
> 
>> On Apr 13, 2023, at 11:02 AM, Siddhesh Poyarekar <siddhesh@gotplt.org> wrote:
>>
>> On 2023-04-13 10:50, Richard Earnshaw wrote:
>>> No, whilst elf can be executed, objdump should never be doing that: it's a tool for examining a file, not running it.  You have to have a tool that can safely examine the contents of an elf file or you can never verify it for issues - opening it up in emacs to examine the contents is not the way to do that :)
>>
>> You can verify it for issues, in a sandbox.
>>
>>> But all that is beside the point.  The original case I gave was a /corrupt/ elf file that caused a buffer overrun in the objdump binary.
>>
>> ... and that's a robustness issue.  Any buffer overrun in any program could in theory be exploited to send out files.
> 
> No.  Buffer overruns are generally recognized as security issues, precisely because they (often) can be used to produce arbitrary code execution exploits.
> 
> A buffer overrun would be merely a robustness issue if it is guaranteed to cause nothing worse than a program abort.
> 
> 	paul
> 

Thank you Paul, you put that better than I did.

So let's try to come up with a more robust taxonomy...

A script file is a file that contains plain text that might be fully 
viewed in a traditional text editor.

For binutils there are three scenarios:

1) Tools that examine the contents of some non-script files and dump a 
textual representation of their contents (primarily to stdout).

2) Tools that process the contents of files and create new files based 
on them

3) Tools that might try to 'execute' the contents of a non-script file.

Binutils really only has tools in classes 1 and 2.

For scenario one, only files specified on the command line as output 
files should be written to (or otherwise modified).  Script files are 
not processed.  Tools that fit into this category include nm, objdump 
and readelf.

For scenario two, only files specified on the command line or in script 
files as output files should be written to (or otherwise modified). 
Tools here include 'as', 'ar', objcopy, ld.  Temporary files may be 
generated (in a secure manner) as part of the process of doing this.

For scenario three a non-script file might be executed, but I think that 
there are no tools in binutils that need to do this.

Given the above, a security issue would exist in a tool if it could be 
made to violate the constraints on the scenario specified for the tool.

R.
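The taxonomy in the message above turns "security issue" into a testable property: a scenario-one tool may only write to the output files it was told about, and anything else it touches is a constraint violation. The harness below is an added example, not code from binutils or from anyone in this thread. It runs a caller-chosen tool (the default `readelf --all input.elf` is an assumption; the file name `input.elf` and the function names are hypothetical) on a hand-constructed corrupt ELF64 header in a scratch directory, then diffs the directory tree and records whether the tool was killed by a signal rather than exiting. `HOME` and `TMPDIR` are pointed at the scratch directory so stray temporary files land where the harness can see them; writes anywhere else are not observed.

```python
"""Side-effect harness for a scenario-1 (examine-and-dump) tool.

Added example, not code from binutils or from anyone in this thread.
A scenario-1 tool may write only to files named as outputs on its
command line.  This harness runs a tool (argv chosen by the caller) on a
constructed corrupt ELF file in a scratch directory and reports (a) every
file created or modified that was not declared as an output and (b)
whether the tool died from a signal instead of exiting.
"""
import os
import resource
import signal
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Sequence, Tuple


def corrupt_elf64_header() -> bytes:
    """Constructed sample input (not a real-world artefact): a bare 64-byte
    ELF64 header whose section-header table offset and count point far
    beyond the end of the file, i.e. the kind of input a reader must
    bounds-check before following."""
    hdr = bytearray(64)
    hdr[0:4] = b"\x7fELF"
    hdr[4] = 2                                       # EI_CLASS   = ELFCLASS64
    hdr[5] = 1                                       # EI_DATA    = little-endian
    hdr[6] = 1                                       # EI_VERSION = EV_CURRENT
    hdr[16:18] = (1).to_bytes(2, "little")           # e_type     = ET_REL
    hdr[18:20] = (62).to_bytes(2, "little")          # e_machine  = EM_X86_64
    hdr[20:24] = (1).to_bytes(4, "little")           # e_version  = EV_CURRENT
    hdr[40:48] = (0xFFFFFFF0).to_bytes(8, "little")  # e_shoff    far past EOF
    hdr[52:54] = (64).to_bytes(2, "little")          # e_ehsize
    hdr[58:60] = (64).to_bytes(2, "little")          # e_shentsize
    hdr[60:62] = (0xFFFF).to_bytes(2, "little")      # e_shnum    absurdly large
    return bytes(hdr)


@dataclass
class RunReport:
    exit_code: Optional[int]            # None when the tool was killed by a signal
    signal_name: Optional[str]          # e.g. "SIGSEGV" or "SIGABRT"
    unexpected_writes: List[str] = field(default_factory=list)

    @property
    def violates_scenario_one(self) -> bool:
        """True if the tool touched a file it was not told to write."""
        return bool(self.unexpected_writes)


def _snapshot(root: Path) -> Dict[str, Tuple[int, int]]:
    """Map each regular file under root to (size, mtime_ns)."""
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            snap[str(p.relative_to(root))] = (st.st_size, st.st_mtime_ns)
    return snap


def _no_core_dump() -> None:
    # Runs in the child before exec: a core file would otherwise show up
    # in the diff as an "unexpected write" and muddy the signal case.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def run_and_check(argv: Sequence[str], workdir: Path,
                  declared_outputs: Sequence[str] = (), timeout: int = 60) -> RunReport:
    """Run argv inside workdir (as cwd, HOME and TMPDIR) and diff the tree."""
    workdir = Path(workdir)
    before = _snapshot(workdir)
    env = dict(os.environ, HOME=str(workdir), TMPDIR=str(workdir))
    proc = subprocess.run(list(argv), cwd=workdir, env=env, capture_output=True,
                          timeout=timeout, preexec_fn=_no_core_dump)
    after = _snapshot(workdir)
    declared = {str(Path(d)) for d in declared_outputs}
    changed = [name for name, meta in after.items() if before.get(name) != meta]
    unexpected = sorted(name for name in changed if name not in declared)
    if proc.returncode < 0:                          # killed by a signal
        return RunReport(None, signal.Signals(-proc.returncode).name, unexpected)
    return RunReport(proc.returncode, None, unexpected)


def exercise(tool_argv: Sequence[str], declared_outputs: Sequence[str] = ()) -> RunReport:
    """Write the corrupt header as input.elf in a fresh scratch directory and
    run the tool on it; tool_argv may refer to input.elf by relative path."""
    with tempfile.TemporaryDirectory() as scratch:
        Path(scratch, "input.elf").write_bytes(corrupt_elf64_header())
        return run_and_check(tool_argv, Path(scratch), declared_outputs)


if __name__ == "__main__":
    # Usage: python harness.py readelf --all input.elf
    tool = sys.argv[1:] or ["readelf", "--all", "input.elf"]
    report = exercise(tool)
    print(report)
    sys.exit(1 if report.violates_scenario_one or report.signal_name else 0)
```

A clean run of a scenario-one tool on this input should end with exit code 0 or a diagnostic exit, no signal, and an empty `unexpected_writes` list; a signal termination on a corrupt input is the robustness-versus-security question Paul raises, and any undeclared write is a violation of the scenario-one constraint regardless of exit status. For scenario-two tools the same harness applies with `declared_outputs` listing the files the command line (or linker script) names as outputs.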

