[llvm-dev] LLDB security and the use of an IPC library (original) (raw)

David Chisnall via llvm-dev llvm-dev at lists.llvm.org
Thu Apr 27 05:00:14 PDT 2017

• Previous message: [llvm-dev] LLDB security and the use of an IPC library
• Next message: [llvm-dev] LLDB security and the use of an IPC library
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 26 Apr 2017, at 20:26, Demi Marie Obenour via llvm-dev <llvm-dev at lists.llvm.org> wrote:

LLDB currently uses a client-server architecture. That appears fine, but runs into an annoying security problem: other users on the same machine can connect to the TCP socket and take over LLDB and thus the user’s system. This means that LLDB is useless in multiuser enviromnents on Linux, such as academic computer labs. The immediate problem can be solved by using either HMAC authentication of all messages or by using Unix domain sockets. However, it might be simpler to use a 3rd party library for the purpose: https://github.com/DemiMarie/SlipRock (Disclaimer: I wrote SlipRock). Questions: - Would you be interested in using SlipRock?

A cursory glance at SlipRock raises a few concerns:

• It depends on libsodium (I like libsodium, but it adds another external dependency).

• It doesn’t appear to have been tested on non-Linux *NIX systems (LLDB is the default debugger on macOS / iOS, is about to be on FreeBSD, and is used on NetBSD, OpenBSD and Solaris). I include build testing in this, as the build system only looks for sodium.h in the default location on Linux.

• The Windows support is not yet done (at least, there’s no tick in the ‘compiles on Windows’ status item).

• Attempting to compile it on FreeBSD gives 9 warnings and 8 errors, with several warnings referring to playing fast and loose with pointer aliasing rules. This makes me very nervous in code that’s intended for security.

• It uses assert() instead of real error handling, which is inappropriate in a library, and requires that the file be compiled without -DNDEBUG, which makes it annoying to integrate into other build systems.

• The APIs appear to be entirely undocumented.

• The error handling does not match the lexical scoping and so is very difficult to follow (and therefore potentially error prone). I was unable to run the static analyser on the code because it doesn’t compile on FreeBSD or macOS.

David

• Previous message: [llvm-dev] LLDB security and the use of an IPC library
• Next message: [llvm-dev] LLDB security and the use of an IPC library
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the llvm-dev mailing list