[Sorry for the way-late response... was on vacation]

On Fri, Aug 19, 2005 at 02:16:53PM -0700, Ian Lance Taylor wrote:
> > The idea of letting gcc load a .so to do the checking also seems fine.
> > At least then the checking language is a standard one, not one we made
> > up.

I think this is a wonderfully good idea.

> Yes. My main concerns would be
>
> * It's obviously vastly more powerful than anything we actually need,
> and using dlopen exposes the compiler to bugs in the implementation
> of the format checker--slowness, random memory clobbering, etc.

I just don't see this as a problem.

> * The compiler is, in its own way, a system security component. If
> somebody were to put format checking into a system header file which
> used a shared library, then substituting that shared library--
> perhaps by just getting the compiler to pick up a different version
> of it--becomes an avenue for a complex but subtle attack on the
> system as a whole.

I see this as a problem. OK, let's solve it. The solution has two parts:

- Allow arbitrary shared libraries to be specified on the command line.
  BFD can then build one before it compiles, and pass it as an argument
  to GCC.

- Define a trusted directory to allow shared libraries to be loaded by
  the installed system compiler, via #pragma.

I think this has a lot more mileage in it than spending months debating
how to represent the format specifiers in source code. Of course, we'll
need to create a C interface for doing this, which will take some time
to do right. But we know how to do that!

-- 
Daniel Jacobowitz
CodeSourcery, LLC
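As an added illustration of the two-part proposal above (this is example code, not code from the thread or from GCC): a loader policy in which a #pragma may only name a bare file that is joined onto a fixed trusted directory, while an arbitrary path is honoured only when it was given on the command line. The directory, the function name and the enum are hypothetical.

```c
/* Added example (hypothetical names, not GCC code): decide which file a
 * format-checker request may be loaded from, before any dlopen() happens. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed fixed location, chosen at build time for the installed compiler. */
#define TRUSTED_CHECKER_DIR "/usr/lib/gcc/format-checkers"

enum request_origin { ORIGIN_COMMAND_LINE, ORIGIN_PRAGMA };

/* Returns 1 and fills `out` with the path to load, or 0 if the request is
 * refused.  A command-line request is the user's own choice and is taken as
 * given.  A #pragma request comes from source (possibly a system header the
 * user never read), so it may only name a file inside the trusted directory:
 * a bare name with no directory component and no ".." escape. */
int resolve_checker(enum request_origin origin, const char *name,
                    char *out, size_t outlen)
{
    if (name == NULL || name[0] == '\0')
        return 0;

    if (origin == ORIGIN_COMMAND_LINE) {
        if (strlen(name) >= outlen)
            return 0;
        strcpy(out, name);
        return 1;
    }

    /* Any path separator would let the pragma escape the trusted directory. */
    if (strchr(name, '/') != NULL)
        return 0;
    /* "." and ".." are not library names. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;

    int n = snprintf(out, outlen, "%s/%s", TRUSTED_CHECKER_DIR, name);
    return n > 0 && (size_t)n < outlen;
}
```

The resulting path is what the compiler would hand to dlopen(); a pragma can never redirect it outside TRUSTED_CHECKER_DIR, so substituting a checker requires write access to that directory.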