You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
doc(security,aot): added security guidance around AoT binaries (#4867)
* doc(security,aot): added security guidance around AoT binaries
Adds explicit guidance distinguishing trusted AoT binaries from untrusted
Wasm binaries, clarifies that malformed/manipulated AoT files are bugs not
security issues, and cleans up wording in the security checklist section.
Signed-off-by: Stephen Berard <stephen.berard@outlook.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copy file name to clipboardExpand all lines: doc/security_need_to_know.md
+13-4Lines changed: 13 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,6 @@ This document aims to explain the process of identifying a security issue and th
5
5
## identifying a security issue
6
6
7
7
It is commonly stated that a security issue is an issue that:
8
-
9
8
- Exposes sensitive information to unauthorized parties.
10
9
- Allows unauthorized modification of data or system state.
11
10
- Affects the availability of the system or its services.
@@ -15,13 +14,23 @@ It is commonly stated that a security issue is an issue that:
15
14
16
15
Given that WASI is a set of Capability-based APIs, all unauthorized actions are not supposed to happen. Most of the above security concerns can be alleviated. What remains for us is to ensure that the execution of Wasm modules is secure. In other words, do not compromise the sandbox. Unless it is explicitly disabled beforehand.
17
16
17
+
WebAssembly binaries are considered untrusted. A Wasm binary that causes a breach of the Wasm sandbox or a crash of the runtime is considered to be a potential security issue. On the other hand, Ahead-of-Time (AoT) binaries are assumed to be generated by a trusted source and using the supported toolchain. Therefore, AoT binaries are considered trusted. As such, malformed or manipulated AoT binaries that breach the sandbox or cause crashes of the runtime may be considered as bugs but are not classified as security issues.
18
+
19
+
If the AoT compiler and/or related tools emit an AoT binary that breaches the Wasm sandbox or causes the runtime to crash, this indicates a potential security issue in the AoT toolchain. It is assumed that the correct configuration and options are used when generating AoT binaries. Misconfiguration or misuse of the tooling options, therefore, is not considered to be a security issue.
20
+
18
21
### Is this bug considered a security vulnerability?
19
22
20
23
#### For someone who finds a problem
24
+
If a bug **causes a crash or hang**, treat it as a possible security issue and report it to a security advisor. A maintainer will review it and change its category if needed. When in doubt, report it as a security issue.
21
25
22
-
if a bug **results in crash or hang**, please treat it as a security problem and report it to a security advisor. The maintainer will look into it and change its category if needed. It is better safe than sorry.
26
+
If the person reporting the issue can answer "Yes" to any question in the checklist below, report it as a security issue. Otherwise, the issue can be treated as a regular bug.
23
27
24
-
If the author of an issue(results in crash or hang) can go through the following checklist and answer all questions with "No", it is fine to mark it as a regular bug. If not, please report it as a security issue.
28
+
Does the issue allow an WebAssembly binary to:
29
+
- break out of the Wasm sandbox?
30
+
- read or modify host memory, runtime memory, or another module's data when it should not?
31
+
- use files, sockets, device access, or other host resources without being the granted capabilities?
32
+
- call host functions or native APIs in a way that bypasses intended checks?
33
+
- make the runtime unavailable or put it into an unrecoverable state?
25
34
26
35
---
27
36
@@ -35,7 +44,7 @@ Actions that differ from Wasm rules (like calculating wrong values) are not seen
35
44
36
45
By default, native APIs and CLIs are following the principle of **caller guarantee**. If the caller provides incorrect parameters or users input malformed options, it is not a security issue. For example, if a user passes an invalid file descriptor to `fd_read`, it is not a security issue.
37
46
38
-
.wasm are not trusted. Malformed .wasm files should be handled gracefully. If a .wasm file causes a runtime crash or hang, it is a security issue. On the other hand, it's expected that aot runtime alone doesn't provide the same guarantee. So user-crafted .aot can cause anything, including crashes or hangs. They are not considered security issues.
47
+
WebAssembly binaries are not trusted. Malformed .wasm files should be handled gracefully. If a .wasm file causes a runtime crash or hang, it is a security issue. On the other hand, it's expected that aot runtime alone doesn't provide the same guarantee. So user-crafted .aot can cause anything, including crashes or hangs. They are not considered security issues.
39
48
40
49
A denial-of-service (DoS) attack is a cyberattack that aims to make a computer or network resource unavailable to its users. If the service (runtime in this case) can recover and start another module or run another function within the same instance, it is not considered unavailable, and thus not a Denial of Service (DoS).
0 commit comments