Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider context section on why software security is different for compilers #48

Open
lyndon160 opened this issue Oct 11, 2021 · 4 comments
Open

Consider context section on why software security is different for compilers #48

lyndon160 opened this issue Oct 11, 2021 · 4 comments
Labels
content New content for the book

Comments

@lyndon160
Copy link

Consider whether there would be value in adding a section around why software security is different for compilers than other software categories.

Tentative section header: "Importance of software security for compilers"

Topics/subsections to cover:

  1. General overview of compiler specific attacks
  2. How the attacks differ from other software categories
  3. History of compiler vulnerabilities
  4. The potential impact of poor software security in compilers

This would be a relatively high level section near the start which would help set the context (and justification) for the rest of the book.
@kbeyls
Copy link
Member

kbeyls commented Oct 11, 2021

Thank you for sharing this suggestion @lyndon160 !

Your suggestion is making me realize that maybe we should model the security topics in the book as split between:

  1. A compiler is a piece of software, just like any other. It may have specific typical vulnerability classes that general software does not have. It seems that maybe the ideas raised in Consider section on supply chain attacks? #45 and Consider section on run-time vulnerabilities in compilers? #46 map into this?
  2. A compiler, as a tool that translates software from one representation to another (binary) one, is well-placed to apply mitigations and hardening techniques for general software.

At the moment, at least I was thinking almost exclusively about the second class of topics for the scope of this book. Making it very clear that compilers have the above two roles could be very helpful in avoid confusion and bringing more structure to the content of the book, making it easier to process.

@kbeyls
Copy link
Member

kbeyls commented Oct 11, 2021

@allcontributors please add @lyndon160 for bug, ideas

@allcontributors allcontributors bot mentioned this issue Oct 11, 2021
Merged
@allcontributors
Copy link
Contributor

@kbeyls

I've put up a pull request to add @lyndon160! 🎉

@JLouisKaplan-Arm
Copy link
Collaborator

JLouisKaplan-Arm commented Feb 8, 2022
edited
Loading

Reading through PR #80 had me wondering about a related question. Are interpreters considered 'in-scope' in the book? That might inform this context section if distinctions need to be made on security issues concerning AOT, JIT compilation vs. interpreted languages.

@kbeyls kbeyls added the content New content for the book label Jan 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
content New content for the book
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lyndon160 @kbeyls @JLouisKaplan-Arm