Re: [PATCH RFC 4/5] tools/nolibc: add support for stack protector

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Willy Tarreau <w@1wt.eu>
To: "Thomas Weißschuh" <linux@weissschuh.net>
Cc: Shuah Khan <shuah@kernel.org>,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH RFC 4/5] tools/nolibc: add support for stack protector
Date: Mon, 13 Mar 2023 04:24:24 +0100	[thread overview]
Message-ID: <ZA6XaPxSg7mKbDLU@1wt.eu> (raw)
In-Reply-To: <68b4b33d-711b-4b5d-b932-6beceffbcf28@t-8ch.de>

On Sun, Mar 12, 2023 at 11:06:58PM +0000, Thomas Weißschuh wrote:
> On Sun, Mar 12, 2023 at 01:56:43PM +0100, Willy Tarreau wrote:
> > Hi Thomas,
> > 
> > thanks for this patchset. I must confess it's not very clear to me which
> > class of programs using nolibc could benefit from stack protection, but
> > if you think it can improve the overall value (even if just by allowing
> > to test more combinations), I'm fine with this given that it doesn't
> > remove anything.
> 
> I forgot the rationale, will add it properly to the next revision:
> 
> This is useful when using nolibc for security-critical tools.
> Using nolibc has the advantage that the code is easily auditable and
> sandboxable with seccomp as no unexpected syscalls are used.
> Using compiler-assistent stack protection provides another security
> mechanism.

I hadn't thought about such a use case at all. Till now the code has
been developped in a more or less lenient way because it was aimed at
tiny tools (a small preinit code, and regtests) with no particular
focus on security. I'm fine with such use cases but I think we need
to place the cursor at the right place in terms of responsibilities
between the lib and the application. For example IMHO we should make
sure it's never the lib's responsibility to erase some buffers that
might have contained a password, to provide constant-time memcmp(),
nor to pad/memset the structures in functions stacks, otherwise it
will significantly complicate contributions and reviews in the future.
This means the lib should continue to focus on providing convenient
access to syscalls and very basic functions and if certain security-
sensitive functions are ever needed, we should probably refrain from
implementing them so that users know it's their job to provide them
for their application. I don't have any such function in mind but I
prefer that we can draw this line early.

But I definitely understand how such a model based on inlined code
can provide some benefits in terms of code auditing! You can even
copy the code in the application's repository and have everything
available without even depending on any version so that once the
code has been audited, you know it will not change by a iota. Makes
sense!

Thanks for the background,
Willy

next prev parent reply	other threads:[~2023-03-13  3:24 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-07 22:22 [PATCH RFC 0/5] tools/nolibc: add support for stack protector Thomas Weißschuh
2023-03-07 22:22 ` [PATCH RFC 1/5] tools/nolibc: add definitions for standard fds Thomas Weißschuh
2023-03-07 22:22 ` [PATCH RFC 2/5] tools/nolibc: add helpers for wait() signal exits Thomas Weißschuh
2023-03-07 22:22 ` [PATCH RFC 3/5] tools/nolibc: tests: constify test_names Thomas Weißschuh
2023-03-07 22:22 ` [PATCH RFC 4/5] tools/nolibc: add support for stack protector Thomas Weißschuh
2023-03-12 12:56   ` Willy Tarreau
2023-03-12 23:06     ` Thomas Weißschuh
2023-03-13  3:24       ` Willy Tarreau [this message]
2023-03-07 22:22 ` [PATCH RFC 5/5] tools/nolibc: tests: add test for -fstack-protector Thomas Weißschuh
2023-03-12 13:07   ` Willy Tarreau
2023-03-12 23:12     ` Thomas Weißschuh
2023-03-13  3:08       ` Willy Tarreau
2023-03-18 16:49         ` Thomas Weißschuh
2023-03-19 13:58           ` Willy Tarreau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZA6XaPxSg7mKbDLU@1wt.eu \
    --to=w@1wt.eu \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=linux@weissschuh.net \
    --cc=shuah@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox