> On Aug 15, 2023, at 8:37 PM, Alexander Monakov <amona...@ispras.ru> wrote:
>
>> ...
>> At some point the system tools need to respect the programmer or operator.
>> There is a difference between writing "Hello, World" and writing
>> performance critical or safety critical code. That is the responsibility
>> of the programmer and the development team to choose the right software
>> engineers and right tools. And to have the development environment and
>> checks in place to ensure that the results are meeting the requirements.
>>
>> It is not the role of GCC or its security policy to tell people how to do
>> their job or hobby. This isn't a safety tag required to be attached to a
>> new mattress.
>
> Yes (though I'm afraid the analogy with the mattress is a bit lost on me).
> Those examples were meant to illustrate the point I tried to make earlier,
> not as additions proposed for the Security Policy. Specific examples
> where we can tell people in advance that compiler output needs to be
> verified, because the compiler is not engineered to preserve those
> security-relevant properties from the source code (and we would not
> accept such accidents as security bugs).
Now I'm confused. I thought the whole point of what GCC is trying to do, and
wants to document, is that it DOES preserve security properties. If the source
code is standards-compliant and contains algorithms free of security holes,
then the compiler is supposed to deliver output code that is likewise free of
holes -- in other words, the transformation performed by GCC does not introduce
holes in a hole-free input.
> Granted, it is a bit of a stretch since the notion of timing-safety is
> not really well-defined for C source code, but I didn't come up with
> better examples.
Is "timing-safety" a security property? Not the way I understand that term.
It sounds like another way to say that the code meets real time constraints or
requirements. No, compilers don't help with that (at least C doesn't -- Ada
might be better here but I don't know enough). For sufficiently strict
requirements you'd have to examine both the generated machine code and
understand, in gruesome detail, what the timing behaviors of the executing
hardware are. Good luck if it's a modern billion-transistor machine.
Again, I don't see that as a security property. If it's considered desirable
to say something about this, fine, but the words Siddesh crafted don't fit for
that kind of property.
paul
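As an added illustration of the property under discussion (my own example, not code from the thread or from GCC): a buffer comparison written with no data-dependent branch at the C level, beside the naive early-exit form. Both return the same results; the source-level difference is only in timing, and the thread's point is that nothing in the C standard or in GCC's security policy guarantees the generated machine code keeps that property, so it has to be verified separately. Names and sample data are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a stored tag and two candidates, one identical
   and one that differs only in its last byte. */
static const uint8_t STORED_TAG[4] = { 0xde, 0xad, 0xbe, 0xef };
static const uint8_t GOOD_TAG[4]   = { 0xde, 0xad, 0xbe, 0xef };
static const uint8_t BAD_TAG[4]    = { 0xde, 0xad, 0xbe, 0xee };

/* No data-dependent branch at the C level: every byte is visited and the
   differences are OR-ed together instead of tested early. Returns 0 if
   equal, nonzero otherwise. The volatile accumulator is a convention meant
   to discourage the optimizer from reintroducing an early exit; neither the
   C standard nor GCC promises that it works, which is exactly why the
   emitted assembly must be inspected for this property. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t len)
{
    volatile uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc;
}

/* The naive form: returns at the first mismatch, so its running time
   reveals how many leading bytes matched. Same results, different timing. */
int early_exit_compare(const uint8_t *a, const uint8_t *b, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (a[i] != b[i])
            return 1;
    return 0;
}

int main(void)
{
    printf("ct_compare   good=%d bad=%d\n",
           ct_compare(STORED_TAG, GOOD_TAG, 4),
           ct_compare(STORED_TAG, BAD_TAG, 4));
    printf("early_exit   good=%d bad=%d\n",
           early_exit_compare(STORED_TAG, GOOD_TAG, 4),
           early_exit_compare(STORED_TAG, BAD_TAG, 4));
    return 0;
}
```

Compiling with `gcc -O2 -S` and reading the loop in the resulting assembly is the minimum check for whether the branch-free shape survived optimization.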