From 6e2b5abc123261439489ee38a55111d9b6e7e6f0 Mon Sep 17 00:00:00 2001 From: bigb4ng Date: Sun, 28 Jul 2024 18:26:38 +0300 Subject: [PATCH] [sanitizer] Document sanitizers security considerations Follow-up to PR #92593 --- clang/docs/AddressSanitizer.rst | 8 ++++++++ ...HardwareAssistedAddressSanitizerDesign.rst | 8 ++++++++ clang/docs/LeakSanitizer.rst | 8 ++++++++ clang/docs/MemorySanitizer.rst | 8 ++++++++ clang/docs/ThreadSanitizer.rst | 8 ++++++++ clang/docs/UndefinedBehaviorSanitizer.rst | 11 ++++++++++ llvm/docs/GwpAsan.rst | 20 +++++++++++-------- 7 files changed, 63 insertions(+), 8 deletions(-) diff --git a/clang/docs/AddressSanitizer.rst b/clang/docs/AddressSanitizer.rst index e1997153f20370..76fdf559950599 100644 --- a/clang/docs/AddressSanitizer.rst +++ b/clang/docs/AddressSanitizer.rst @@ -313,6 +313,14 @@ Limitations usually expected. * Static linking of executables is not supported. +Security Considerations +======================= + +AddressSanitizer is a bug detection tool and its runtime is not meant to be +linked against production executables. While it may be useful for testing, +AddressSanitizer's runtime was not developed with security-sensitive +constraints in mind and may compromise the security of the resulting executable. + Supported Platforms =================== diff --git a/clang/docs/HardwareAssistedAddressSanitizerDesign.rst b/clang/docs/HardwareAssistedAddressSanitizerDesign.rst index f89ca117427ad7..20db41c032c561 100644 --- a/clang/docs/HardwareAssistedAddressSanitizerDesign.rst +++ b/clang/docs/HardwareAssistedAddressSanitizerDesign.rst @@ -262,6 +262,14 @@ than that of AddressSanitizer: `1/TG` extra memory for the shadow and some overhead due to `TG`-aligning all objects. +Security Considerations +======================= + +HWASAN is a bug detection tool and its runtime is not meant to be +linked against production executables. While it may be useful for testing, +HWASAN's runtime was not developed with security-sensitive +constraints in mind and may compromise the security of the resulting executable. + Supported architectures ======================= HWASAN relies on `Address Tagging`_ which is only available on AArch64. diff --git a/clang/docs/LeakSanitizer.rst b/clang/docs/LeakSanitizer.rst index 6858f32957ebed..adcb6421c6a1f9 100644 --- a/clang/docs/LeakSanitizer.rst +++ b/clang/docs/LeakSanitizer.rst @@ -43,6 +43,14 @@ To use LeakSanitizer in stand-alone mode, link your program with link step, so that it would link in proper LeakSanitizer run-time library into the final executable. +Security Considerations +======================= + +LeakSanitizer is a bug detection tool and its runtime is not meant to be +linked against production executables. While it may be useful for testing, +LeakSanitizer's runtime was not developed with security-sensitive +constraints in mind and may compromise the security of the resulting executable. + Supported Platforms =================== diff --git a/clang/docs/MemorySanitizer.rst b/clang/docs/MemorySanitizer.rst index bcc6cc808e8bae..886a12ff62adc5 100644 --- a/clang/docs/MemorySanitizer.rst +++ b/clang/docs/MemorySanitizer.rst @@ -191,6 +191,14 @@ uninstrumented libc. For example, the authors were able to bootstrap MemorySanitizer-instrumented Clang compiler by linking it with self-built instrumented libc++ (as a replacement for libstdc++). +Security Considerations +======================= + +MemorySanitizer is a bug detection tool and its runtime is not meant to be +linked against production executables. While it may be useful for testing, +MemorySanitizer's runtime was not developed with security-sensitive +constraints in mind and may compromise the security of the resulting executable. + Supported Platforms =================== diff --git a/clang/docs/ThreadSanitizer.rst b/clang/docs/ThreadSanitizer.rst index 98d5307d824f9e..5dc78fa5a7a564 100644 --- a/clang/docs/ThreadSanitizer.rst +++ b/clang/docs/ThreadSanitizer.rst @@ -135,6 +135,14 @@ Limitations flag had been supplied if compiling without ``-fPIC``, and as though the ``-pie`` flag had been supplied if linking an executable. +Security Considerations +----------------------- + +ThreadSanitizer is a bug detection tool and its runtime is not meant to be +linked against production executables. While it may be useful for testing, +ThreadSanitizer's runtime was not developed with security-sensitive +constraints in mind and may compromise the security of the resulting executable. + Current Status -------------- diff --git a/clang/docs/UndefinedBehaviorSanitizer.rst b/clang/docs/UndefinedBehaviorSanitizer.rst index 531d56e313826c..0ca241e96d4e75 100644 --- a/clang/docs/UndefinedBehaviorSanitizer.rst +++ b/clang/docs/UndefinedBehaviorSanitizer.rst @@ -256,6 +256,8 @@ Volatile The ``null``, ``alignment``, ``object-size``, ``local-bounds``, and ``vptr`` checks do not apply to pointers to types with the ``volatile`` qualifier. +.. _minimal-runtime: + Minimal Runtime =============== @@ -351,6 +353,15 @@ There are several limitations: * Check groups (like ``undefined``) can't be used in suppressions file, only fine-grained checks are supported. +Security Considerations +======================= + +UndefinedBehaviorSanitizer's runtime is meant for testing purposes and its usage +in production environment should be carefully considered from security +perspective as it may compromise the security of the resulting executable. +For security-sensitive applications consider using :ref:`Minimal Runtime +` or trap mode for all checks. + Supported Platforms =================== diff --git a/llvm/docs/GwpAsan.rst b/llvm/docs/GwpAsan.rst index 136506483101ed..675a61de00983f 100644 --- a/llvm/docs/GwpAsan.rst +++ b/llvm/docs/GwpAsan.rst @@ -30,14 +30,18 @@ GWP-ASan vs. ASan Unlike `AddressSanitizer `_, GWP-ASan does not induce a significant performance overhead. ASan often requires the use of dedicated canaries to be viable in production environments, and as -such is often impractical. - -GWP-ASan is only capable of finding a subset of the memory issues detected by -ASan. Furthermore, GWP-ASan's bug detection capabilities are only probabilistic. -As such, we recommend using ASan over GWP-ASan in testing, as well as anywhere -else that guaranteed error detection is more valuable than the 2x execution -slowdown/binary size bloat. For the majority of production environments, this -impact is too high, and GWP-ASan proves extremely useful. +such is often impractical. Moreover, ASan's runtime is not developed with +security consideration in mind, making compiled binaries more vulnerable to +exploits. + +However, GWP-ASan is only capable of finding a subset of the memory issues +detected by ASan. Furthermore, GWP-ASan's bug detection capabilities are +only probabilistic. As such, we recommend using ASan over GWP-ASan in testing, +as well as anywhere else that guaranteed error detection is more valuable than +the 2x execution slowdown/binary size bloat. For the majority of production +environments, this impact is too high and security is indispensable, so GWP-ASan +proves extremely useful. + Design ======