[clang] [llvm] [sanitizer] Document AddressSanitizer security considerations (PR #100937)

via cfe-commits cfe-commits at lists.llvm.org
Sat Oct 5 10:32:52 PDT 2024


https://github.com/bigb4ng updated https://github.com/llvm/llvm-project/pull/100937

From 6e2b5abc123261439489ee38a55111d9b6e7e6f0 Mon Sep 17 00:00:00 2001
From: bigb4ng <whatever-llvm at proton.me>
Date: Sun, 28 Jul 2024 18:26:38 +0300
Subject: [PATCH] [sanitizer] Document sanitizers security considerations

Follow-up to PR #92593
---
 clang/docs/AddressSanitizer.rst               |  8 ++++++++
 ...HardwareAssistedAddressSanitizerDesign.rst |  8 ++++++++
 clang/docs/LeakSanitizer.rst                  |  8 ++++++++
 clang/docs/MemorySanitizer.rst                |  8 ++++++++
 clang/docs/ThreadSanitizer.rst                |  8 ++++++++
 clang/docs/UndefinedBehaviorSanitizer.rst     | 11 ++++++++++
 llvm/docs/GwpAsan.rst                         | 20 +++++++++++--------
 7 files changed, 63 insertions(+), 8 deletions(-)

diff --git a/clang/docs/AddressSanitizer.rst b/clang/docs/AddressSanitizer.rst
index e1997153f20370..76fdf559950599 100644
--- a/clang/docs/AddressSanitizer.rst
+++ b/clang/docs/AddressSanitizer.rst
@@ -313,6 +313,14 @@ Limitations
   usually expected.
 * Static linking of executables is not supported.
 
+Security Considerations
+=======================
+
+AddressSanitizer is a bug detection tool and its runtime is not meant to be
+linked against production executables. While it may be useful for testing,
+AddressSanitizer's runtime was not developed with security-sensitive
+constraints in mind and may compromise the security of the resulting executable.
+
 Supported Platforms
 ===================
 
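Review bot: the new section tells the reader that ASan is not meant for production executables but gives no pointer to what is; since the GwpAsan.rst hunk in this same patch links to AddressSanitizer.html and positions GWP-ASan as the production alternative, consider adding the reverse link here (e.g. "For production deployments, see GWP-ASan."). Also, "was not developed with security-sensitive constraints in mind" reads oddly; "was not developed with security hardening in mind" says the same thing more plainly.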
diff --git a/clang/docs/HardwareAssistedAddressSanitizerDesign.rst b/clang/docs/HardwareAssistedAddressSanitizerDesign.rst
index f89ca117427ad7..20db41c032c561 100644
--- a/clang/docs/HardwareAssistedAddressSanitizerDesign.rst
+++ b/clang/docs/HardwareAssistedAddressSanitizerDesign.rst
@@ -262,6 +262,14 @@ than that of AddressSanitizer:
 `1/TG` extra memory for the shadow
 and some overhead due to `TG`-aligning all objects.
 
+Security Considerations
+=======================
+
+HWASAN is a bug detection tool and its runtime is not meant to be
+linked against production executables. While it may be useful for testing,
+HWASAN's runtime was not developed with security-sensitive
+constraints in mind and may compromise the security of the resulting executable.
+
 Supported architectures
 =======================
 HWASAN relies on `Address Tagging`_ which is only available on AArch64.
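Review bot: this is the second of five verbatim copies of the same paragraph (AddressSanitizer, HWASAN, LeakSanitizer, MemorySanitizer, ThreadSanitizer); once the wording is touched up in one place the others will drift. Consider keeping the text once in a shared snippet pulled in with the reStructuredText ``.. include::`` directive, or at minimum cross-referencing the AddressSanitizer section from the others. Using "HWASAN" here rather than the full name is consistent with the rest of this document, so that part is fine.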
diff --git a/clang/docs/LeakSanitizer.rst b/clang/docs/LeakSanitizer.rst
index 6858f32957ebed..adcb6421c6a1f9 100644
--- a/clang/docs/LeakSanitizer.rst
+++ b/clang/docs/LeakSanitizer.rst
@@ -43,6 +43,14 @@ To use LeakSanitizer in stand-alone mode, link your program with
 link step, so that it would link in proper LeakSanitizer run-time library
 into the final executable.
 
+Security Considerations
+=======================
+
+LeakSanitizer is a bug detection tool and its runtime is not meant to be
+linked against production executables. While it may be useful for testing,
+LeakSanitizer's runtime was not developed with security-sensitive
+constraints in mind and may compromise the security of the resulting executable.
+
 Supported Platforms
 ===================
 
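Review bot: the section lands directly after the stand-alone-mode instructions ("To use LeakSanitizer in stand-alone mode, link your program with ..."), so a reader may take the caveat to apply only to stand-alone LSan. LeakSanitizer also runs as part of the AddressSanitizer runtime, so consider stating that the caveat holds in both modes, or moving the section so it does not read as a continuation of the stand-alone paragraph.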
diff --git a/clang/docs/MemorySanitizer.rst b/clang/docs/MemorySanitizer.rst
index bcc6cc808e8bae..886a12ff62adc5 100644
--- a/clang/docs/MemorySanitizer.rst
+++ b/clang/docs/MemorySanitizer.rst
@@ -191,6 +191,14 @@ uninstrumented libc. For example, the authors were able to bootstrap
 MemorySanitizer-instrumented Clang compiler by linking it with
 self-built instrumented libc++ (as a replacement for libstdc++).
 
+Security Considerations
+=======================
+
+MemorySanitizer is a bug detection tool and its runtime is not meant to be
+linked against production executables. While it may be useful for testing,
+MemorySanitizer's runtime was not developed with security-sensitive
+constraints in mind and may compromise the security of the resulting executable.
+
 Supported Platforms
 ===================
 
diff --git a/clang/docs/ThreadSanitizer.rst b/clang/docs/ThreadSanitizer.rst
index 98d5307d824f9e..5dc78fa5a7a564 100644
--- a/clang/docs/ThreadSanitizer.rst
+++ b/clang/docs/ThreadSanitizer.rst
@@ -135,6 +135,14 @@ Limitations
   flag had been supplied if compiling without ``-fPIC``, and as though the
   ``-pie`` flag had been supplied if linking an executable.
 
+Security Considerations
+-----------------------
+
+ThreadSanitizer is a bug detection tool and its runtime is not meant to be
+linked against production executables. While it may be useful for testing,
+ThreadSanitizer's runtime was not developed with security-sensitive
+constraints in mind and may compromise the security of the resulting executable.
+
 Current Status
 --------------
 
diff --git a/clang/docs/UndefinedBehaviorSanitizer.rst b/clang/docs/UndefinedBehaviorSanitizer.rst
index 531d56e313826c..0ca241e96d4e75 100644
--- a/clang/docs/UndefinedBehaviorSanitizer.rst
+++ b/clang/docs/UndefinedBehaviorSanitizer.rst
@@ -256,6 +256,8 @@ Volatile
 The ``null``, ``alignment``, ``object-size``, ``local-bounds``, and ``vptr`` checks do not apply
 to pointers to types with the ``volatile`` qualifier.
 
+.. _minimal-runtime:
+
 Minimal Runtime
 ===============
 
@@ -351,6 +353,15 @@ There are several limitations:
 * Check groups (like ``undefined``) can't be used in suppressions file, only
   fine-grained checks are supported.
 
+Security Considerations
+=======================
+
+UndefinedBehaviorSanitizer's runtime is meant for testing purposes and its usage
+in production environment should be carefully considered from security
+perspective as it may compromise the security of the resulting executable.
+For security-sensitive applications consider using :ref:`Minimal Runtime
+<minimal-runtime>` or trap mode for all checks.
+
 Supported Platforms
 ===================
 
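Review bot: grammar in the first sentence: "its usage in production environment should be carefully considered from security perspective" needs articles, e.g. "its use in a production environment should be carefully considered from a security perspective". The recommendation "trap mode for all checks" would be more actionable if it named the flag the way Minimal Runtime is already cross-referenced (``-fsanitize-trap``, which this document describes elsewhere). Note also that this paragraph is phrased differently from the other five added in this patch ("meant for testing purposes" versus "a bug detection tool and its runtime is not meant to be linked against production executables"); aligning the opening sentence would make the set read as one policy.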
diff --git a/llvm/docs/GwpAsan.rst b/llvm/docs/GwpAsan.rst
index 136506483101ed..675a61de00983f 100644
--- a/llvm/docs/GwpAsan.rst
+++ b/llvm/docs/GwpAsan.rst
@@ -30,14 +30,18 @@ GWP-ASan vs. ASan
 Unlike `AddressSanitizer <https://clang.llvm.org/docs/AddressSanitizer.html>`_,
 GWP-ASan does not induce a significant performance overhead. ASan often requires
 the use of dedicated canaries to be viable in production environments, and as
-such is often impractical.
-
-GWP-ASan is only capable of finding a subset of the memory issues detected by
-ASan. Furthermore, GWP-ASan's bug detection capabilities are only probabilistic.
-As such, we recommend using ASan over GWP-ASan in testing, as well as anywhere
-else that guaranteed error detection is more valuable than the 2x execution
-slowdown/binary size bloat. For the majority of production environments, this
-impact is too high, and GWP-ASan proves extremely useful.
+such is often impractical. Moreover, ASan's runtime is not developed with
+security consideration in mind, making compiled binaries more vulnerable to
+exploits.
+
+However, GWP-ASan is only capable of finding a subset of the memory issues
+detected by ASan. Furthermore, GWP-ASan's bug detection capabilities are
+only probabilistic. As such, we recommend using ASan over GWP-ASan in testing,
+as well as anywhere else that guaranteed error detection is more valuable than
+the 2x execution slowdown/binary size bloat. For the majority of production
+environments, this impact is too high and security is indispensable, so GWP-ASan
+proves extremely useful.
+
 
 Design
 ======
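Review bot: "not developed with security consideration in mind" should be "security considerations in mind", and "making compiled binaries more vulnerable to exploits" is a stronger claim than the hedged "may compromise the security of the resulting executable" used in the sanitizer docs of this same patch; pick one phrasing and use it in both places. The closing sentence "this impact is too high and security is indispensable, so GWP-ASan proves extremely useful" runs three ideas together; suggest splitting it, e.g. "For the majority of production environments this impact is too high and security cannot be sacrificed; there, GWP-ASan is the practical choice." Finally, the hunk leaves two blank lines before "Design" (the added trailing blank plus the existing one); drop one.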
