[PATCH] D66426: [lld] Enable a watermark of loadable sections to be generated and placed in a note section

Chris Jackson via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Dec 11 06:27:04 PST 2019


chrisjackson added a comment.

In D66426#1778936 <https://reviews.llvm.org/D66426#1778936>, @ruiu wrote:

> >> As I understand it, the scenario is:
> >> 
> >> 1) Do link
> >> 2) Run the watermark tool to append .note.llvm.watermark
> >> 3) Release SDK
> >> 4) Downstream vendors modify .data and ship to end users
> >> 5) End users verify that .note.llvm.watermark does not match computed watermark of loadable contents.
> >> 
> >> The build process before 3) is all controlled. The process should ensure there is no modification to .data between 1) and 2). How do you guarantee a linker side feature can prevent modification? How can you prevent the following:
> >> 
> >> 1) Do link and generate .note.llvm.watermark in one step
> >> 1.5) Modify .data
> >> 2) Run the watermark tool to update .note.llvm.watermark
> > 
> > This is a motivation to not have an external tool on the watermarking. That being said, as @chrisjackson has said on more than one occasion, this isn't intended to be a security feature so we are not attempting to detect a malicious attacker. It could be possible for downstream LLD producers to add a local salt to the watermark to make it more secure, should they so choose, I suppose.
>
> This is actually going to be an interesting problem. Do your users make post-link modifications to executables by intention or by accident? If it's intentional, you are raising a bar of an arms race, and they'll catch up by adding --update-watermark option or something to their tool, so that they'll update a watermark when a binary is modified, which nullifies the point of this change.


The watermark is intended as a safety measure for several scenarios post-link.

1. A user deliberately modifies a loadable segment but is unaware that they shouldn't.
2. A user accidentally modifies a loadable segment.
3. A tool somewhere in the build system has unexpected behaviour that modifies a loadable segment.

If a user intentionally modifies a loadable segment and updates the watermark, then this is nefarious behaviour that the watermark is not intended to prevent.


CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D66426/new/

https://reviews.llvm.org/D66426
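
The check discussed in this thread, as an added example that is not part of the original message and is not LLD's code: it hashes the file contents of every PT_LOAD segment and compares the result with a stored value. The thread does not state the hash algorithm or the note layout, so SHA-256, the out-of-band stored value, and all function names here are assumptions; the ELF image is constructed inline.

```python
import hashlib
import struct

PT_LOAD = 1  # program header type for loadable segments

def build_sample_elf(data: bytes) -> bytes:
    """Constructed little-endian ELF64: header, one PT_LOAD phdr, payload."""
    off = 64 + 56  # payload starts right after the ELF header and one phdr
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000 + off,
                               64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 6, off, 0x400000 + off,
                       0x400000 + off, len(data), len(data), 0x1000)
    return ehdr + phdr + data

def loadable_watermark(image: bytes) -> str:
    """Hash the file contents of every PT_LOAD segment (SHA-256 is assumed)."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", image, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
    digest = hashlib.sha256()
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", image, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD:
            continue
        if p_offset + p_filesz > len(image):
            raise ValueError("PT_LOAD segment extends past end of file")
        digest.update(image[p_offset:p_offset + p_filesz])
    return digest.hexdigest()

def verify(image: bytes, stored: str) -> bool:
    return loadable_watermark(image) == stored

def patch_byte(image: bytes, offset: int, value: int) -> bytes:
    return image[:offset] + bytes([value]) + image[offset + 1:]

def demo() -> dict:
    shipped = build_sample_elf(b"SDK default configuration\0")
    stored = loadable_watermark(shipped)          # recorded at link time
    edited = patch_byte(shipped, len(shipped) - 2, ord("N"))  # inside PT_LOAD
    header_edit = patch_byte(shipped, 9, 1)       # e_ident padding, not loaded
    return {
        "unmodified_ok": verify(shipped, stored),
        "data_edit_flagged": not verify(edited, stored),
        "non_loadable_edit_ignored": verify(header_edit, stored),
        "updated_watermark_passes": verify(edited, loadable_watermark(edited)),
    }
```

The last entry is the limitation raised in the thread: an unkeyed watermark that is recomputed after the edit verifies cleanly, so the check catches accidental or unaware modification only.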




