<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 11/15/19 10:58 AM, JF Bastien via
llvm-dev wrote:<br>
</div>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<h1 style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class=""><span style="font-weight: normal; font-size: 12px;"
class=""><font class="" face="HelveticaNeue">Hello compiler
enthusiasts,</font></span></h1>
<font class="" face="HelveticaNeue"><span style="caret-color:
rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">
<div class=""><font class="" face="HelveticaNeue"><span
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class=""><br class="">
</span></font></div>
The Apple LLVM team would like to propose that a new
security process and an associated private LLVM Security Group
be created under the umbrella of the LLVM project.</span><br
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">A draft proposal for how we could organize such a
group and what its process could be is </span></font><a
href="https://reviews.llvm.org/D70326" class=""
moz-do-not-send="true">available on Phabricator</a><font
class="" face="HelveticaNeue"><span style="caret-color: rgb(0,
0, 0); color: rgb(0, 0, 0);" class="">. The proposal starts
with a list of goals for the process and Security Group,
repeated here:</span><br style="caret-color: rgb(0, 0, 0);
color: rgb(0, 0, 0);" class="">
<br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">The LLVM Security Group has the following goals:</span><br
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
</font>
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<li class=""><font class="" face="HelveticaNeue">Allow LLVM
contributors and security researchers to disclose
security-related issues affecting the LLVM project to
members of the LLVM community.</font></li>
<li class=""><font class="" face="HelveticaNeue">Organize fixes,
code reviews, and release management for said issues.</font></li>
<li class=""><font class="" face="HelveticaNeue">Allow
distributors time to investigate and deploy fixes before
wide dissemination of vulnerabilities or mitigation
shortcomings.</font></li>
<li class=""><font class="" face="HelveticaNeue">Ensure timely
notification and release to vendors who package and
distribute LLVM-based toolchains and projects.</font></li>
<li class=""><font class="" face="HelveticaNeue">Ensure timely
notification to users of LLVM-based toolchains whose
compiled code is security-sensitive, through <a
href="https://cve.mitre.org/" class=""
moz-do-not-send="true">the CVE process</a>.</font></li>
</ol>
<font class="" face="HelveticaNeue"><br style="caret-color: rgb(0,
0, 0); color: rgb(0, 0, 0);" class="">
<span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">We’re looking for answers to the following questions:</span><br
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
</font>
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<li class=""><font class="" face="HelveticaNeue"><u class="">On
this list</u>: Should we create a security group and
process?</font></li>
</ol>
</blockquote>
<p><font face="HelveticaNeue">Probably, though we haven't seen a
strong need to date.</font></p>
<p><font face="HelveticaNeue">If a group does form, we (Azul) are
definitely interested in participating as a vendor. <br>
</font></p>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<li class=""><font class="" face="HelveticaNeue"><u class="">On
this list</u>: Do you agree with the goals listed in the
proposal?</font></li>
</ol>
</blockquote>
<font face="HelveticaNeue">Yes</font><br>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<li class=""><font class="" face="HelveticaNeue"><u class="">On
this list</u>: at a high-level, what do you think should
be done differently, and what do you think is exactly right
in the draft proposal?</font></li>
</ol>
</blockquote>
<p><font face="HelveticaNeue">I'm a bit uncomfortable with the
board-selected initial group. I see the need for a final decision
maker, but maybe require public on-list nominations before
ratification by the board? If there's broad consensus, no need
to appeal to the final decision maker.</font></p>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<li class=""><font class="" face="HelveticaNeue"><u class="">On
the Phabricator code review</u>: going into specific
details, what do you think should be done differently, and
what do you think is exactly right in the draft proposal?</font></li>
<li class=""><font class="" face="HelveticaNeue"><u class="">On
this list</u>: to help understand where you’re coming from
with your feedback, it would be helpful to state how you
personally approach this issue:</font></li>
<ol class="">
<li class=""><font class="" face="HelveticaNeue">Are you an
LLVM contributor (individual or representing a company)?</font></li>
</ol>
</ol>
</blockquote>
<font face="HelveticaNeue">Yes. In this email I am responding both in
my capacity as an individual contributor and on behalf of my
employer, Azul Systems.</font><br>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<ol class="">
<li class=""><font class="" face="HelveticaNeue">Are you
involved with security aspects of LLVM (if so, which)?</font></li>
</ol>
</ol>
</blockquote>
<font face="HelveticaNeue">We have responded to a couple of security
relevant bugs, though we've generally not acknowledged that fact
upstream until substantially later. </font><br>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<ol class="">
<li class=""><font class="" face="HelveticaNeue">Do you
maintain significant downstream LLVM changes?</font></li>
</ol>
</ol>
</blockquote>
<font face="HelveticaNeue">Yes.</font><br>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<ol class="">
<li class=""><font class="" face="HelveticaNeue">Do you
package and deploy LLVM for others to use (if so, to how
many people)?</font></li>
</ol>
</ol>
</blockquote>
<font face="HelveticaNeue">Yes. Can't share user count. </font><br>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<ol class="">
<li class=""><font class="" face="HelveticaNeue">Is your LLVM
distribution based on the open-source releases?</font></li>
</ol>
</ol>
</blockquote>
<font face="HelveticaNeue">No. We build off of periodic ToT
snapshots.</font><br>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<ol class="">
<li class=""><font class="" face="HelveticaNeue">How often do
you usually deploy LLVM?</font></li>
</ol>
</ol>
</blockquote>
<font face="HelveticaNeue">We have a new release roughly monthly.
We backport selectively as needed.</font><br>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<ol class="">
<li class=""><font class="" face="HelveticaNeue">How fast can
you deploy an update?</font></li>
</ol>
</ol>
</blockquote>
<font face="HelveticaNeue">Usual process would be a week or two. In
a true emergency, much less. </font><br>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<ol class="">
<li class=""><font class="" face="HelveticaNeue">Does your
LLVM distribution handle untrusted inputs, and what kind?</font></li>
</ol>
</ol>
</blockquote>
<font face="HelveticaNeue">Yes, for any well-formed Java input we
may generate IR and invoke the optimizer. We fuzz extensively for
this reason. </font><br>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com">
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<ol class="">
<li class=""><font class="" face="HelveticaNeue">What’s the
threat model for your LLVM distribution?</font></li>
</ol>
</ol>
</blockquote>
<p><font face="HelveticaNeue">In the worst case, attacker-controlled
bytecode. Given that, the attacker can influence, but not
entirely control, the IR fed to the compiler.<br>
</font></p>
<blockquote type="cite"
cite="mid:66957BA4-1C47-41EF-8DE4-687CF017BF13@apple.com"><font
class="" face="HelveticaNeue"><br style="caret-color: rgb(0, 0,
0); color: rgb(0, 0, 0);" class="">
<span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">Other open-source projects have security-related
groups and processes. They structure their group very
differently from one another. This proposal borrows from some
of these projects’ processes. A few examples:</span><br
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
</font>
<ul style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<li class=""><a href="https://webkit.org/security-policy/"
class="" moz-do-not-send="true"><font class=""
face="HelveticaNeue">https://webkit.org/security-policy/</font></a></li>
<li class=""><a
href="https://chromium.googlesource.com/chromium/src/+/lkgr/docs/security/faq.md"
class="" moz-do-not-send="true"><font class=""
face="HelveticaNeue">https://chromium.googlesource.com/chromium/src/+/lkgr/docs/security/faq.md</font></a></li>
<li class=""><a href="https://wiki.mozilla.org/Security"
class="" moz-do-not-send="true"><font class=""
face="HelveticaNeue">https://wiki.mozilla.org/Security</font></a></li>
<li class=""><a href="https://www.openbsd.org/security.html"
class="" moz-do-not-send="true"><font class=""
face="HelveticaNeue">https://www.openbsd.org/security.html</font></a></li>
<li class=""><a
href="https://security-team.debian.org/security_tracker.html"
class="" moz-do-not-send="true"><font class=""
face="HelveticaNeue">https://security-team.debian.org/security_tracker.html</font></a></li>
<li class=""><a href="https://www.python.org/news/security/"
class="" moz-do-not-send="true"><font class=""
face="HelveticaNeue">https://www.python.org/news/security/</font></a></li>
</ul>
<font class="" face="HelveticaNeue"><span style="caret-color:
rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">When providing
feedback, it would be great to hear if you’ve dealt with these
or other projects’ processes, what works well, and what can be
done better.</span><br style="caret-color: rgb(0, 0, 0);
color: rgb(0, 0, 0);" class="">
<br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">I’ll go first in answering my own questions above:</span><br
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
</font>
<ol style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<li class=""><font class="" face="HelveticaNeue">Yes! We should
create a security group and process.</font></li>
<li class=""><font class="" face="HelveticaNeue">We agree with
the goals listed.</font></li>
<li class=""><font class="" face="HelveticaNeue">We think the
proposal is exactly right, but would like to hear the
community’s opinions.</font></li>
<li class=""><font class="" face="HelveticaNeue">Here’s how we
approach the security of LLVM:</font></li>
<ol class="">
<li class=""><font class="" face="HelveticaNeue">I contribute
to LLVM as an Apple employee.</font></li>
<li class=""><font class="" face="HelveticaNeue">I’ve been
involved in a variety of LLVM security issues, from
automatic variable initialization to security-related
diagnostics, as well as deploying these mitigations to
internal codebases.</font></li>
<li class=""><font class="" face="HelveticaNeue">We maintain
significant downstream changes.</font></li>
<li class=""><font class="" face="HelveticaNeue">We package
and deploy LLVM, both internally and externally, for a
variety of purposes, including the clang, Swift, and
mobile GPU shader compilers.</font></li>
<li class=""><font class="" face="HelveticaNeue">Our LLVM
distribution is not directly derived from the open-source
release. In all cases, all non-upstream public patches for
our releases are available in repository branches at <a
href="https://github.com/apple" class=""
moz-do-not-send="true">https://github.com/apple</a>.</font></li>
<li class=""><font class="" face="HelveticaNeue">We have many
deployments of LLVM whose release schedules vary
significantly. The LLVM build deployed as part of Xcode
historically has one major release per year, followed by
roughly one minor release every 2 months. Other releases
of LLVM are also security-sensitive and don’t follow the
same schedule.</font></li>
<li class=""><font class="" face="HelveticaNeue">This depends
on which release of LLVM is affected.</font></li>
<li class=""><font class="" face="HelveticaNeue">Yes, our
distribution sometimes handles untrusted input.</font></li>
<li class=""><font class="" face="HelveticaNeue">The threat
model is highly variable depending on the particular
language front-ends being considered.</font></li>
</ol>
</ol>
<font class="" face="HelveticaNeue"><span style="caret-color:
rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">Apple is involved
with a variety of open-source projects and their disclosures.
For example, we frequently work with the WebKit community to
handle security issues through their process.</span><br
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">Thanks,</span><br style="caret-color: rgb(0, 0, 0);
color: rgb(0, 0, 0);" class="">
<br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">
<span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class="">JF</span></font><br style="caret-color: rgb(0, 0, 0);
color: rgb(0, 0, 0);" class="">
<div class=""><font class="" face="HelveticaNeue"><span
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"
class=""><br class="">
</span></font></div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
LLVM Developers mailing list
<a class="moz-txt-link-abbreviated" href="mailto:llvm-dev@lists.llvm.org">llvm-dev@lists.llvm.org</a>
<a class="moz-txt-link-freetext" href="https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev">https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev</a>
</pre>
</blockquote>
</body>
</html>