[sanitizer] Document sanitizers security considerations
Follow-up to PR #92593
bigb4ng committed Sep 10, 2024
1 parent 1b58940 commit 7f45c42
Showing 7 changed files with 62 additions and 8 deletions.
8 changes: 8 additions & 0 deletions clang/docs/AddressSanitizer.rst
@@ -313,6 +313,14 @@ Limitations
usually expected.
* Static linking of executables is not supported.

Security Considerations
=======================

AddressSanitizer is a bug detection tool and its runtime is not meant to be
linked against production executables. While it may be useful for testing,
AddressSanitizer's runtime was not developed with security-sensitive
constraints in mind and may compromise the security of the resulting executable.

Supported Platforms
===================

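Review bot: the new paragraph tells the reader the runtime "may compromise the security of the resulting executable" but not what to use instead, and this same commit edits GwpAsan.rst to present GWP-ASan as the option for production environments; a closing sentence pointing there (for example, `For production builds, consider GWP-ASan instead.`) would make the advice actionable. Also, "security-sensitive constraints" is an odd phrase; "security requirements" says what is meant.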
8 changes: 8 additions & 0 deletions clang/docs/HardwareAssistedAddressSanitizerDesign.rst
@@ -262,6 +262,14 @@ than that of AddressSanitizer:
`1/TG` extra memory for the shadow
and some overhead due to `TG`-aligning all objects.

Security Considerations
=======================

HWASAN is a bug detection tool and its runtime is not meant to be
linked against production executables. While it may be useful for testing,
HWASAN's runtime was not developed with security-sensitive
constraints in mind and may compromise the security of the resulting executable.

Supported architectures
=======================
HWASAN relies on `Address Tagging`_ which is only available on AArch64.
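Review bot: this two-sentence warning appears verbatim, apart from the tool name, in five of the files in this commit (ASan, HWASan, LSan, MSan, TSan); copies like this drift as each doc is edited independently, so consider keeping the text once (a shared page or a Sphinx substitution) and linking to it from each sanitizer doc. The `=` underline matches `Supported architectures` directly below, so the heading level is fine.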
8 changes: 8 additions & 0 deletions clang/docs/LeakSanitizer.rst
@@ -43,6 +43,14 @@ To use LeakSanitizer in stand-alone mode, link your program with
link step, so that it would link in proper LeakSanitizer run-time library
into the final executable.

Security Considerations
=======================

LeakSanitizer is a bug detection tool and its runtime is not meant to be
linked against production executables. While it may be useful for testing,
LeakSanitizer's runtime was not developed with security-sensitive
constraints in mind and may compromise the security of the resulting executable.

Supported Platforms
===================

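Review bot: the paragraph this section follows describes only "stand-alone mode" and the link step that pulls in the stand-alone runtime, so a reader may take the new warning as specific to that mode; add a clause making clear it applies equally when LeakSanitizer is used in the non-stand-alone mode that "stand-alone mode" implies, since the runtime is the same either way.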
8 changes: 8 additions & 0 deletions clang/docs/MemorySanitizer.rst
@@ -191,6 +191,14 @@ uninstrumented libc. For example, the authors were able to bootstrap
MemorySanitizer-instrumented Clang compiler by linking it with
self-built instrumented libc++ (as a replacement for libstdc++).

Security Considerations
=======================

MemorySanitizer is a bug detection tool and its runtime is not meant to be
linked against production executables. While it may be useful for testing,
MemorySanitizer's runtime was not developed with security-sensitive
constraints in mind and may compromise the security of the resulting executable.

Supported Platforms
===================

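Review bot: "was not developed with security-sensitive constraints in mind" is awkward and vague about what is actually missing; "is not hardened against adversarial input" or "was not written to meet security requirements" states the point, and the same fix should be applied to the identical sentence in the other sanitizer docs touched here so they keep matching.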
8 changes: 8 additions & 0 deletions clang/docs/ThreadSanitizer.rst
@@ -135,6 +135,14 @@ Limitations
flag had been supplied if compiling without ``-fPIC``, and as though the
``-pie`` flag had been supplied if linking an executable.

Security Considerations
-----------------------

ThreadSanitizer is a bug detection tool and its runtime is not meant to be
linked against production executables. While it may be useful for testing,
ThreadSanitizer's runtime was not developed with security-sensitive
constraints in mind and may compromise the security of the resulting executable.

Current Status
--------------

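Review bot: the heading here uses a `-` underline while the other sanitizer docs in this commit use `=`; that matches `Current Status` just below, but please confirm that `Limitations` (the enclosing context in the hunk header) is also a `-` section so that `Security Considerations` lands as its sibling rather than as a subsection of the limitations list.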
10 changes: 10 additions & 0 deletions clang/docs/UndefinedBehaviorSanitizer.rst
@@ -256,6 +256,8 @@ Volatile
The ``null``, ``alignment``, ``object-size``, ``local-bounds``, and ``vptr`` checks do not apply
to pointers to types with the ``volatile`` qualifier.

.. _minimal-runtime:

Minimal Runtime
===============

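Review bot: Sphinx reference labels are global to the whole documentation project, so a generic name like `minimal-runtime` can collide with a label of the same name added to another doc later; `ubsan-minimal-runtime` is safer and self-describing, and the `:ref:` in the later hunk would change to match. The blank line between the label and the heading is correct.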
@@ -351,6 +353,14 @@ There are several limitations:
* Check groups (like ``undefined``) can't be used in suppressions file, only
fine-grained checks are supported.

Security Considerations
=======================

UndefinedBehaviorSanitizer's runtime is meant for testing purposes and its usage
in production environment should be carefully considered from security
perspective as it may compromise the security of the resulting executable.
For security-sensitive applications consider using :ref:`Minimal Runtime <minimal-runtime>`.

Supported Platforms
===================

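Review bot: grammar in the new paragraph: "in production environment" should be "in a production environment", "from security perspective" should be "from a security perspective", and "For security-sensitive applications consider" wants a comma after "applications". The framing is also softer than the other five files ("should be carefully considered" versus "not meant to be linked against production executables"); if the intent is that the full runtime is just as unsuitable and the minimal runtime is the production option, say that directly rather than leaving the reader to infer it.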
20 changes: 12 additions & 8 deletions llvm/docs/GwpAsan.rst
@@ -30,14 +30,18 @@ GWP-ASan vs. ASan
Unlike `AddressSanitizer <https://clang.llvm.org/docs/AddressSanitizer.html>`_,
GWP-ASan does not induce a significant performance overhead. ASan often requires
the use of dedicated canaries to be viable in production environments, and as
such is often impractical.

GWP-ASan is only capable of finding a subset of the memory issues detected by
ASan. Furthermore, GWP-ASan's bug detection capabilities are only probabilistic.
As such, we recommend using ASan over GWP-ASan in testing, as well as anywhere
else that guaranteed error detection is more valuable than the 2x execution
slowdown/binary size bloat. For the majority of production environments, this
impact is too high, and GWP-ASan proves extremely useful.
such is often impractical. Moreover, ASan's runtime is not developed with
security consideration in mind, making compiled binaries more vulnerable to
exploits.

However, GWP-ASan is only capable of finding a subset of the memory issues
detected by ASan. Furthermore, GWP-ASan's bug detection capabilities are
only probabilistic. As such, we recommend using ASan over GWP-ASan in testing,
as well as anywhere else that guaranteed error detection is more valuable than
the 2x execution slowdown/binary size bloat. For the majority of production
environments, this impact is too high and security is indispensable, so GWP-ASan
proves extremely useful.


Design
======
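Review bot: "security consideration in mind" should be "security considerations in mind", and "making compiled binaries more vulnerable to exploits" asserts as fact what the sanitizer docs in this same commit only say "may compromise"; align the two pages so they make the same claim. The closing "this impact is too high and security is indispensable, so GWP-ASan proves extremely useful" also reads awkwardly; something like "this overhead is too high and the security risk unacceptable, which is where GWP-ASan proves useful" keeps the meaning and reads more naturally.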