[clang] [llvm] [sanitizer] Document AddressSanitizer security considerations (PR #100937)
via cfe-commits
cfe-commits at lists.llvm.org
Sat Oct 5 10:32:52 PDT 2024
https://github.com/bigb4ng updated https://github.com/llvm/llvm-project/pull/100937
From 6e2b5abc123261439489ee38a55111d9b6e7e6f0 Mon Sep 17 00:00:00 2001
From: bigb4ng <whatever-llvm at proton.me>
Date: Sun, 28 Jul 2024 18:26:38 +0300
Subject: [PATCH] [sanitizer] Document sanitizers security considerations
Follow-up to PR #92593
---
clang/docs/AddressSanitizer.rst | 8 ++++++++
...HardwareAssistedAddressSanitizerDesign.rst | 8 ++++++++
clang/docs/LeakSanitizer.rst | 8 ++++++++
clang/docs/MemorySanitizer.rst | 8 ++++++++
clang/docs/ThreadSanitizer.rst | 8 ++++++++
clang/docs/UndefinedBehaviorSanitizer.rst | 11 ++++++++++
llvm/docs/GwpAsan.rst | 20 +++++++++++--------
7 files changed, 63 insertions(+), 8 deletions(-)
diff --git a/clang/docs/AddressSanitizer.rst b/clang/docs/AddressSanitizer.rst
index e1997153f20370..76fdf559950599 100644
--- a/clang/docs/AddressSanitizer.rst
+++ b/clang/docs/AddressSanitizer.rst
@@ -313,6 +313,14 @@ Limitations
usually expected.
* Static linking of executables is not supported.
+Security Considerations
+=======================
+
+AddressSanitizer is a bug detection tool and its runtime is not meant to be
+linked against production executables. While it may be useful for testing,
+AddressSanitizer's runtime was not developed with security-sensitive
+constraints in mind and may compromise the security of the resulting executable.
+
Supported Platforms
===================
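Review bot: the added paragraph under `Security Considerations` says the runtime "may compromise the security of the resulting executable" without saying how, so a reader cannot judge the risk for their own deployment; one sentence naming what weakens the binary (for example that the runtime's allocator and error-reporting paths are not hardened) would make the section actionable. Wording: "linked into production executables" is more precise than "linked against", since the runtime ends up inside the executable. Separately, the PR title at the top of this mail names only AddressSanitizer while the patch touches every sanitizer page plus GwpAsan.rst; the commit subject's "sanitizers" is the accurate one.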
diff --git a/clang/docs/HardwareAssistedAddressSanitizerDesign.rst b/clang/docs/HardwareAssistedAddressSanitizerDesign.rst
index f89ca117427ad7..20db41c032c561 100644
--- a/clang/docs/HardwareAssistedAddressSanitizerDesign.rst
+++ b/clang/docs/HardwareAssistedAddressSanitizerDesign.rst
@@ -262,6 +262,14 @@ than that of AddressSanitizer:
`1/TG` extra memory for the shadow
and some overhead due to `TG`-aligning all objects.
+Security Considerations
+=======================
+
+HWASAN is a bug detection tool and its runtime is not meant to be
+linked against production executables. While it may be useful for testing,
+HWASAN's runtime was not developed with security-sensitive
+constraints in mind and may compromise the security of the resulting executable.
+
Supported architectures
=======================
HWASAN relies on `Address Tagging`_ which is only available on AArch64.
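Review bot: this paragraph is the AddressSanitizer text with the tool name swapped, and the same four lines recur in LeakSanitizer.rst, MemorySanitizer.rst and ThreadSanitizer.rst; five verbatim copies will drift the first time one of them is edited, so consider one canonical section (a shared fragment pulled in with reST `.. include::`, or a single section that the other pages `:ref:`) with at most a short tool-specific note in each page. Also, this file is the design document (HardwareAssistedAddressSanitizerDesign.rst); if a user-facing HWASAN page exists, deployment guidance of this kind belongs there as well.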
diff --git a/clang/docs/LeakSanitizer.rst b/clang/docs/LeakSanitizer.rst
index 6858f32957ebed..adcb6421c6a1f9 100644
--- a/clang/docs/LeakSanitizer.rst
+++ b/clang/docs/LeakSanitizer.rst
@@ -43,6 +43,14 @@ To use LeakSanitizer in stand-alone mode, link your program with
link step, so that it would link in proper LeakSanitizer run-time library
into the final executable.
+Security Considerations
+=======================
+
+LeakSanitizer is a bug detection tool and its runtime is not meant to be
+linked against production executables. While it may be useful for testing,
+LeakSanitizer's runtime was not developed with security-sensitive
+constraints in mind and may compromise the security of the resulting executable.
+
Supported Platforms
===================
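Review bot: the hunk's own context line ("To use LeakSanitizer in stand-alone mode") shows that the page distinguishes stand-alone use from leak detection run as part of AddressSanitizer, but the new section only speaks of "LeakSanitizer's runtime"; say whether the caveat also applies when leak detection runs inside AddressSanitizer, because as written a reader who only passes `-fsanitize=address` may assume the section does not concern them.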
diff --git a/clang/docs/MemorySanitizer.rst b/clang/docs/MemorySanitizer.rst
index bcc6cc808e8bae..886a12ff62adc5 100644
--- a/clang/docs/MemorySanitizer.rst
+++ b/clang/docs/MemorySanitizer.rst
@@ -191,6 +191,14 @@ uninstrumented libc. For example, the authors were able to bootstrap
MemorySanitizer-instrumented Clang compiler by linking it with
self-built instrumented libc++ (as a replacement for libstdc++).
+Security Considerations
+=======================
+
+MemorySanitizer is a bug detection tool and its runtime is not meant to be
+linked against production executables. While it may be useful for testing,
+MemorySanitizer's runtime was not developed with security-sensitive
+constraints in mind and may compromise the security of the resulting executable.
+
Supported Platforms
===================
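Review bot: "was not developed with security-sensitive constraints in mind" is awkward; "was not developed with security in mind" says the same thing in plain words and is closer to the phrasing the GwpAsan.rst hunk uses ("not developed with security consideration in mind"). Pick one wording and use it in every added section, since the MemorySanitizer, AddressSanitizer, HWASAN, LeakSanitizer and ThreadSanitizer paragraphs currently repeat the awkward form while GwpAsan.rst uses a different one.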
diff --git a/clang/docs/ThreadSanitizer.rst b/clang/docs/ThreadSanitizer.rst
index 98d5307d824f9e..5dc78fa5a7a564 100644
--- a/clang/docs/ThreadSanitizer.rst
+++ b/clang/docs/ThreadSanitizer.rst
@@ -135,6 +135,14 @@ Limitations
flag had been supplied if compiling without ``-fPIC``, and as though the
``-pie`` flag had been supplied if linking an executable.
+Security Considerations
+-----------------------
+
+ThreadSanitizer is a bug detection tool and its runtime is not meant to be
+linked against production executables. While it may be useful for testing,
+ThreadSanitizer's runtime was not developed with security-sensitive
+constraints in mind and may compromise the security of the resulting executable.
+
Current Status
--------------
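Review bot: the `-----------------------` underline correctly follows this file's own heading level (compare "Current Status" below) rather than the `===` used in the other hunks, so any shared fragment that may later replace these duplicated paragraphs has to leave the heading itself outside the included text. None of the new sections carries a reST label, whereas the UndefinedBehaviorSanitizer.rst hunk adds `.. _minimal-runtime:` precisely so that the section can be cross-referenced; a label such as `.. _tsan-security-considerations:` here (and equivalents in the other pages) would let release notes and other pages `:ref:` these sections.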
diff --git a/clang/docs/UndefinedBehaviorSanitizer.rst b/clang/docs/UndefinedBehaviorSanitizer.rst
index 531d56e313826c..0ca241e96d4e75 100644
--- a/clang/docs/UndefinedBehaviorSanitizer.rst
+++ b/clang/docs/UndefinedBehaviorSanitizer.rst
@@ -256,6 +256,8 @@ Volatile
The ``null``, ``alignment``, ``object-size``, ``local-bounds``, and ``vptr`` checks do not apply
to pointers to types with the ``volatile`` qualifier.
+.. _minimal-runtime:
+
Minimal Runtime
===============
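Review bot: Sphinx reference labels are global across the whole clang docs tree, so a generic name like `minimal-runtime` can collide with a label added later on another page; a tool-prefixed name such as `ubsan-minimal-runtime` is safer and still short, and the `:ref:` in the later hunk of this file would need the same rename. The blank line between the label and the `Minimal Runtime` heading is required for the label to attach to the section, and the hunk has it.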
@@ -351,6 +353,15 @@ There are several limitations:
* Check groups (like ``undefined``) can't be used in suppressions file, only
fine-grained checks are supported.
+Security Considerations
+=======================
+
+UndefinedBehaviorSanitizer's runtime is meant for testing purposes and its usage
+in production environment should be carefully considered from security
+perspective as it may compromise the security of the resulting executable.
+For security-sensitive applications consider using :ref:`Minimal Runtime
+<minimal-runtime>` or trap mode for all checks.
+
Supported Platforms
===================
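Review bot: grammar in the new paragraph: "in production environment" should read "in a production environment" and "from security perspective" should read "from a security perspective". The recommendation to use "trap mode for all checks" would be more actionable if it named the option, for example "or compile with ``-fsanitize-trap=all``, which reports through a trap instruction instead of calling into the runtime", so the reader knows what to pass and why it removes the runtime from the binary.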
diff --git a/llvm/docs/GwpAsan.rst b/llvm/docs/GwpAsan.rst
index 136506483101ed..675a61de00983f 100644
--- a/llvm/docs/GwpAsan.rst
+++ b/llvm/docs/GwpAsan.rst
@@ -30,14 +30,18 @@ GWP-ASan vs. ASan
Unlike `AddressSanitizer <https://clang.llvm.org/docs/AddressSanitizer.html>`_,
GWP-ASan does not induce a significant performance overhead. ASan often requires
the use of dedicated canaries to be viable in production environments, and as
-such is often impractical.
-
-GWP-ASan is only capable of finding a subset of the memory issues detected by
-ASan. Furthermore, GWP-ASan's bug detection capabilities are only probabilistic.
-As such, we recommend using ASan over GWP-ASan in testing, as well as anywhere
-else that guaranteed error detection is more valuable than the 2x execution
-slowdown/binary size bloat. For the majority of production environments, this
-impact is too high, and GWP-ASan proves extremely useful.
+such is often impractical. Moreover, ASan's runtime is not developed with
+security consideration in mind, making compiled binaries more vulnerable to
+exploits.
+
+However, GWP-ASan is only capable of finding a subset of the memory issues
+detected by ASan. Furthermore, GWP-ASan's bug detection capabilities are
+only probabilistic. As such, we recommend using ASan over GWP-ASan in testing,
+as well as anywhere else that guaranteed error detection is more valuable than
+the 2x execution slowdown/binary size bloat. For the majority of production
+environments, this impact is too high and security is indispensable, so GWP-ASan
+proves extremely useful.
+
Design
======
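Review bot: three wording points in the rewritten paragraphs: "not developed with security consideration in mind" should read "not developed with security in mind"; "making compiled binaries more vulnerable to exploits" is a strong, unqualified claim on the page that positions GWP-ASan as the production option, so either soften it ("may weaken the security posture of the binary") or turn it into a link to the new AddressSanitizer "Security Considerations" section, which this page already links in its first line; and "this impact is too high and security is indispensable" reads awkwardly, "this impact is too high and the runtime must not weaken security" is clearer. Because the second paragraph was also reflowed, the diff shows the whole block as removed and re-added; keeping the reflow in a separate commit would make the substantive change easy to see.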