David Malcolm via Gcc <gcc@gcc.gnu.org> writes:

> I think I want a way for the user to be able to mark security
> boundaries in their code: for example:
> * in the Linux kernel the boundary between untrusted user-space data
> and kernel data, or,
> * for a user-space daemon, the boundary between data coming from the
> network and the data of daemon itself
>
> The analyzer could then make use of this, for example:
>
> (a) marking untrusted incoming data as "tainted" and prioritizing
> analysis of paths that make use of it (e.g. a "might overflow a buffer
> when N is really large" goes from being a noisy false positive when we
> simply have no knowledge of N (or the buffer's size) to being a serious
> issue if N is under the control of an attacker)

It would be great if gcc supported address spaces, like sparse
(__attribute__((address_space(id)))).
The Linux kernel already supports this syntax for multiple purposes
(user pointers, io memory) and it's nicely extensible to more usages.
One possibility would be detection of Spectre gadgets.

It would also need sparse like force casts.

Of course sparse already does these checks, but it would be great
if it was integrated into a standard gcc build.

Perhaps it could be used for your analyzer purposes too.

-Andi
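As an added example (not code from this thread, and not the kernel's own sources), the following shows how the Linux kernel spells the sparse annotations Andi refers to: `__user` as a `noderef` pointer in a separate address space, and `__force` as the cast that legitimately crosses the boundary. They are wrapped in the kernel's `#ifdef __CHECKER__` idiom, so sparse sees real attributes while a plain gcc build sees nothing and compiles cleanly. The toy "syscall" `sys_store`, the shim `copy_from_user_sim`, the buffer `kbuf` and the input data are all constructed here for illustration; `__CHECKER__` and the attribute spellings are the ones sparse and the kernel actually use.

```c
/* Added example: kernel-style sparse address-space annotations around
 * a toy user->kernel copy. Compiles with any C compiler; run it under
 * sparse (which defines __CHECKER__) to get the address-space checks. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#ifdef __CHECKER__
/* Spellings taken from the kernel's compiler_types.h. Older kernels
 * used address_space(1); newer ones use the named space __user. */
# define __user   __attribute__((noderef, address_space(__user)))
# define __force  __attribute__((force))
#else
# define __user
# define __force
#endif

/* Kernel-side buffer we are protecting (hypothetical). */
enum { KBUF_SIZE = 16 };
static char kbuf[KBUF_SIZE];

/* Stand-in for copy_from_user(). A real kernel validates the range and
 * handles faults; here it only memcpy()s. The __force cast is the one
 * place a user pointer legally becomes a kernel pointer; sparse reports
 * any other dereference or implicit conversion of a __user pointer. */
static int copy_from_user_sim(void *to, const void __user *from, size_t n)
{
    memcpy(to, (__force const void *)from, n);
    return 0;
}

/* Toy syscall: user space hands us a pointer and a length. `len` is
 * attacker controlled, which is exactly the "overflow when N is large"
 * case the analyzer discussion is about. Returns bytes copied, or -1
 * when the request would overrun kbuf. */
int sys_store(const char __user *ubuf, size_t len)
{
    if (len > KBUF_SIZE)           /* bound the tainted length first */
        return -1;
    if (copy_from_user_sim(kbuf, ubuf, len))
        return -1;
    return (int)len;
}

/* The bug the checker exists to catch: a direct dereference of a __user
 * pointer. Sparse rejects it; gcc accepts it silently. Enabled only on
 * request so the example builds everywhere. */
#ifdef SHOW_SPARSE_ERROR
static char peek(const char __user *ubuf) { return ubuf[0]; }
#endif

/* Expose kbuf for inspection by callers/tests. */
const char *kbuf_contents(void) { return kbuf; }

int main(void)
{
    /* Constructed "user-space" input; the cast marks the trust boundary
     * the way a syscall entry point would. */
    static char user_data[] = "hello";
    const char __user *up = (__force const char __user *)user_data;

    printf("small request: %d\n", sys_store(up, sizeof user_data));
    printf("huge request:  %d\n", sys_store(up, (size_t)1 << 20));
    return 0;
}
```

Under a normal gcc build every annotation expands to nothing, so the interesting output is from `sparse -DSHOW_SPARSE_ERROR file.c`, which flags `peek()` for dereferencing a noderef pointer while accepting the `__force` cast inside `copy_from_user_sim()`. That separation, a type-level boundary plus an explicit escape hatch, is what Andi is asking for in a stock gcc.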
