Insecure C identifiers mass-scan

Hi,
I just finished my C23++ proposal to apply the proper Unicode Identifier Security mechanisms from TR39 to C++ and therefore also C.
Therefore I've developed a linter to check for insecure identifiers in source code (for most programming languages), as well as via readelf for libraries (with insecure symbols).

I don't expect any security problems, as thankfully nobody uses Unicode identifiers. It was an extremely bad idea. But they were just allowed in GCC with 10, but now we have the mess that GCC actually follows the insecure C11 standard (they called it a bugfix) and you can be fooled with confusable identifiers. Identifiers are not identifiable anymore, but they didn't rename their identifiers to symbols.

It would be nice if some admin could try a mass-scan on the library symbols, and on src code, and report some security warnings.
For source there's https://github.com/rurban/libu8ident `u8idlint -r`
and for libs there's https://github.com/rurban/binutils-gdb/commit/94cf9a1ac92d1d241793ce891e04bb35978c2e2f
via `readelf -L -Ue`
The lib comes with several security examples, in texts/*-sec*.c. (i.e. Arabic bidis, and Cyrillic homoglyphs), the most common attack vectors.
An overview of the state of insecure identifiers is in doc/c11.md (i.e. only Java, cperl and Rust do TR39 checks, zig and J are safe by using ASCII only).

The paper is here https://rurban.github.io/libu8ident/doc/P2528R0.html
This is similar to the trojansource.codes effort and the new nfc and bidi warnings in GCC, but limited to identifiers (and its exported symbols) only.
Results would be interesting to WG21 and WG14, e.g. if violations should just warn or error. And for security reasons if we already have some open-source trojan libs or files.
--
Reini Urban
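
The kind of check the message describes (bidi controls, non-NFC names and Latin/Cyrillic homoglyph mixes in identifiers) can be sketched as follows. This is an added example, not code from the post or from libu8ident; the function names, the crude tokenizer, the character-name script approximation and the sample source are all assumptions made for illustration.

```python
import re
import unicodedata

# Bidi formatting controls: ALM, LRM/RLM, embeddings/overrides, isolates.
BIDI = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Crude C-like tokenizer (assumption): ASCII identifier characters plus any
# non-ASCII code point. It does not skip comments or string literals.
IDENT = re.compile(r"[A-Za-z_\u0080-\U0010ffff][A-Za-z0-9_\u0080-\U0010ffff]*")


def scripts(name):
    """Scripts of the letters in name, approximated by the first word of each
    character name (assumption: stands in for the UCD Script property)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0]
            for c in name if unicodedata.category(c).startswith("L")}


def check_identifier(name):
    """Return the sorted list of findings for one identifier."""
    findings = set()
    if BIDI & set(name):
        findings.add("bidi-control")
    if not unicodedata.is_normalized("NFC", name):
        findings.add("not-nfc")
    if len(scripts(name)) > 1:
        findings.add("mixed-script")
    return sorted(findings)


def scan(source):
    """Yield (line_number, identifier, findings) for each flagged identifier."""
    for lineno, line in enumerate(source.splitlines(), 1):
        for name in IDENT.findall(line):
            if not name.isascii():
                found = check_identifier(name)
                if found:
                    yield lineno, name, found


# Constructed sample: line 2 spells "scope" with Cyrillic U+0441 and U+043E,
# line 3 has a decomposed e + U+0301, line 4 hides U+202E inside a name.
SAMPLE = (
    "int scope = 0;\n"
    "int s\u0441\u043epe = 1;\n"
    "int cafe\u0301 = 2;\n"
    "int is\u202eadmin = 3;\n"
)

if __name__ == "__main__":
    for lineno, name, found in scan(SAMPLE):
        print(lineno, ascii(name), ",".join(found))
```

An identifier written entirely in one non-Latin script passes this sketch; catching whole-script confusables needs the TR39 confusables data, which it does not carry.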