- Description: An attacker (likely an insider or someone with access to the testing environment) crafts specific inputs or test cases designed to exploit the increased resource consumption of instrumented code. They leverage the overhead introduced by the sanitizers to cause excessive memory allocation, deep recursion, or other resource-intensive operations. This overwhelms the testing/development environment, making it unusable. The attack specifically targets the performance impact of the sanitizers.
- Impact: The development and testing process is halted or significantly slowed down. Build servers or developer workstations may become unresponsive, requiring restarts or resource reallocation. This delays development and can impact deadlines.
- Affected Sanitizer Component: Primarily AddressSanitizer (ASan) and MemorySanitizer (MSan), due to their significant memory overhead. ThreadSanitizer (TSan) can also contribute, though typically less dramatically.
- Risk Severity: High
- Mitigation Strategies:
  - Implement strict resource limits (CPU time, memory) on test executions within the CI/CD pipeline or testing environment.
  - Use smaller, focused unit tests and integration tests during early development stages.
  - Employ "smart" fuzzing techniques that guide input generation to avoid creating excessively large or complex inputs that trigger extreme sanitizer overhead.
  - Monitor resource usage during testing and automatically terminate tests that exceed predefined thresholds.
  - Profile the application under sanitizer instrumentation to identify performance bottlenecks and optimize code accordingly.
- Description: An attacker gains unauthorized access to sanitizer reports. These reports are a direct product of the sanitizers and contain detailed information about memory errors, data races, and undefined behavior, including stack traces, memory addresses, and potentially sensitive data values involved in the errors. The attacker uses this information, generated by the sanitizers, to understand the application's internal workings and identify potential vulnerabilities for exploitation in the production environment.
- Impact: The attacker gains valuable intelligence that can be used to craft more effective exploits against the production system. This can lead to data breaches, system compromise, or other security incidents. The leaked information significantly reduces the attacker's effort.
- Affected Sanitizer Component: All sanitizers (ASan, MSan, TSan, UBSan, LSan) generate reports that could contain sensitive information. The specific content varies depending on the error type.
- Risk Severity: High
- Mitigation Strategies:
  - Store sanitizer reports in a secure, access-controlled repository.
  - Implement strict access controls, limiting access based on the principle of least privilege.
  - Consider a dedicated, isolated network segment for storing and processing reports.
  - Automatically redact or obfuscate potentially sensitive data from reports.
  - Implement audit logging to track access to reports.
  - Use secure communication channels (e.g., HTTPS, SSH) when transferring reports.
  - Establish a data retention policy and automatically delete old reports.
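The redaction mitigation above can be applied before a report leaves the test host. The following is an added example, not code from the original threat model or from the sanitizer projects. It works on a constructed AddressSanitizer report (the sample below is hand-written, not a captured run) and makes three assumed choices: memory addresses are replaced by stable per-report tokens so that the relationship between the faulting address and the allocation is preserved while the raw values are gone, home-directory user names in stack-frame paths are masked, and the shadow-byte dump with its legend is dropped entirely because it is raw memory layout that developers rarely need once the stack traces are kept.

```python
import re

# Constructed ASan report (not from a real run) with the kinds of values worth scrubbing.
SAMPLE_REPORT = """==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x55d1c0b6a1f2 bp 0x7ffd3b6c1a40 sp 0x7ffd3b6c1a30
WRITE of size 4 at 0x602000000014 thread T0
    #0 0x55d1c0b6a1f1 in process_record /home/alice/src/app/record.c:42:5
    #1 0x55d1c0b6a3c0 in main /home/alice/src/app/main.c:17:3
0x602000000014 is located 0 bytes after 4-byte region [0x602000000010,0x602000000014)
allocated by thread T0 here:
    #0 0x55d1c0ae9d10 in malloc
    #1 0x55d1c0b6a150 in process_record /home/alice/src/app/record.c:40:18
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Heap left redzone:       fa
==12345==ABORTING
"""

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{4,}")          # pointers, pc/bp/sp, region bounds
HOME_RE = re.compile(r"/(home|Users)/[^/\s]+")      # /home/<name>/... and macOS /Users/<name>/...
SHADOW_START = "Shadow bytes around the buggy address:"


def redact_report(text):
    """Return (redacted_text, address_map).

    address_map records raw address -> token, so it can be kept on the secure
    side if someone with the right access later needs the original values.
    """
    addr_map = {}

    def replace_addr(match):
        raw = match.group(0).lower()
        if raw not in addr_map:
            addr_map[raw] = f"<addr{len(addr_map) + 1}>"
        return addr_map[raw]

    out = []
    skipping = False
    for line in text.splitlines():
        if line.startswith(SHADOW_START):
            skipping = True
            out.append(SHADOW_START + " [dump removed]")
            continue
        if skipping:
            # Shadow dump and legend run until the next "==<pid>==" status line.
            if not line.startswith("=="):
                continue
            skipping = False
        line = HOME_RE.sub(r"/\1/<user>", line)
        line = ADDR_RE.sub(replace_addr, line)
        out.append(line)
    return "\n".join(out) + "\n", addr_map


if __name__ == "__main__":
    redacted, mapping = redact_report(SAMPLE_REPORT)
    print(redacted)
    print(f"{len(mapping)} distinct addresses tokenised")
```

Source file names and line numbers are deliberately left in place; they are what the developer needs to fix the bug, and on their own they reveal far less than the addresses and the user-specific paths that surround them.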
- Description: An attacker gains control of the build system. They modify the build configuration to disable the sanitizers, alter their settings to reduce their effectiveness, or inject malicious code that interferes with their operation. This directly prevents the sanitizers from functioning as intended, allowing vulnerabilities to be introduced without detection.
- Impact: The application is built without the protection of the sanitizers, increasing the likelihood of vulnerabilities in the production environment. The attacker bypasses a critical security control.
- Affected Sanitizer Component: All sanitizers (ASan, MSan, TSan, UBSan, LSan) are affected, as the compromise prevents their use during the build.
- Risk Severity: Critical
- Mitigation Strategies:
  - Implement strong access controls and authentication for the build system.
  - Use multi-factor authentication for all build system administrators.
  - Regularly patch and update the build server software and operating system.
  - Implement build integrity checks (e.g., cryptographic signatures).
  - Use a trusted and verified compiler toolchain.
  - Monitor the build system for suspicious activity.
  - Consider a dedicated, isolated network segment for the build system.
  - Implement a robust change management process for build system configurations.
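One concrete build integrity check for the threat described above (sanitizers silently disabled or weakened in the build configuration) is to audit the compiler invocations the build actually produced rather than trusting the configuration files. The following is an added example, not code from the original threat model or from the sanitizer projects. It reads a `compile_commands.json` as emitted by CMake or Bear, computes the sanitizers still in effect for each translation unit from the ordered `-fsanitize=` / `-fno-sanitize=` flags (later flags override earlier ones, and `-fno-sanitize=all` clears everything), and flags clang's `-fsanitize-ignorelist=` / `-fsanitize-blacklist=` because an ignorelist can exclude functions or files from instrumentation. The sample compilation database is constructed for the example; the required-sanitizer set and the "missing sanitizers" finding format are this example's own choices.

```python
import json
import shlex

# Sanitizers every translation unit in the hardened CI build is expected to carry (assumed policy).
REQUIRED = ("address", "undefined")

# Constructed compile_commands.json: one clean entry and three weakened ones.
SAMPLE_COMPILE_COMMANDS = json.dumps([
    {"directory": "/build", "file": "src/main.c",
     "command": "clang -O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer -c src/main.c -o main.o"},
    {"directory": "/build", "file": "src/parser.c",
     "arguments": ["clang", "-O1", "-g", "-fsanitize=address,undefined", "-fno-sanitize=all",
                   "-c", "src/parser.c", "-o", "parser.o"]},
    {"directory": "/build", "file": "src/net.c",
     "command": "clang -O2 -c src/net.c -o net.o"},
    {"directory": "/build", "file": "src/crypto.c",
     "command": "clang -O1 -g -fsanitize=address,undefined -fsanitize-ignorelist=ignore.txt -c src/crypto.c -o crypto.o"},
])


def effective_sanitizers(args):
    """Replay the sanitizer flags in order and return (enabled_set, review_notes).

    Group/sub-check relationships (e.g. "undefined" containing "alignment") are
    not modelled; the check is on the named groups the policy requires.
    """
    enabled = set()
    notes = []
    for arg in args:
        if arg.startswith("-fsanitize="):
            enabled.update(arg.split("=", 1)[1].split(","))
        elif arg.startswith("-fno-sanitize="):
            off = arg.split("=", 1)[1].split(",")
            if "all" in off:
                enabled.clear()
            else:
                enabled.difference_update(off)
        elif arg.startswith(("-fsanitize-ignorelist=", "-fsanitize-blacklist=")):
            notes.append(f"instrumentation exclusions via {arg}; review the list")
    return enabled, notes


def audit_compile_commands(compile_commands_json, required=REQUIRED):
    """Return one finding per translation unit that lacks a required sanitizer or carries an ignorelist."""
    findings = []
    for entry in json.loads(compile_commands_json):
        # Entries carry either an "arguments" array or a single "command" string.
        args = entry.get("arguments") or shlex.split(entry["command"])
        enabled, notes = effective_sanitizers(args)
        missing = sorted(set(required) - enabled)
        if missing:
            findings.append({"file": entry["file"], "problem": "missing sanitizers: " + ",".join(missing)})
        for note in notes:
            findings.append({"file": entry["file"], "problem": note})
    return findings


if __name__ == "__main__":
    for finding in audit_compile_commands(SAMPLE_COMPILE_COMMANDS):
        print(f"{finding['file']}: {finding['problem']}")
```

The compilation database does not record the link step, and ASan in particular also needs `-fsanitize=address` at link time to pull in its runtime; a complete check additionally verifies the produced binaries (for example, that the sanitizer runtime symbols are present) and that the compilation database itself came from the signed, trusted build rather than from an attacker-controlled file.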