diff --git a/doc/security_need_to_know.md b/doc/security_need_to_know.md index f760e1e110..c870453bc9 100644 --- a/doc/security_need_to_know.md +++ b/doc/security_need_to_know.md @@ -5,7 +5,6 @@ This document aims to explain the process of identifying a security issue and th ## identifying a security issue It is commonly stated that a security issue is an issue that: - - Exposes sensitive information to unauthorized parties. - Allows unauthorized modification of data or system state. - Affects the availability of the system or its services. @@ -15,13 +14,25 @@ It is commonly stated that a security issue is an issue that: Given that WASI is a set of Capability-based APIs, all unauthorized actions are not supposed to happen. Most of the above security concerns can be alleviated. What remains for us is to ensure that the execution of Wasm modules is secure. In other words, do not compromise the sandbox. Unless it is explicitly disabled beforehand. +WebAssembly binaries are considered untrusted. A Wasm binary that causes a breach of the Wasm sandbox or a crash of the runtime is considered to be a potential security issue. On the other hand, Ahead-of-Time (AoT) binaries are assumed to be generated by a trusted source and using the supported toolchain. Therefore, AoT binaries are considered trusted. As such, malformed or manipulated AoT binaries that breach the sandbox or cash crashes may be considered as bugs but are not classified as security issues. + +If the AoT compiler and/or related tools emit an AoT binary that causes a breach of the Wasm sandbox or a crash is considered a potential security issue. It is assumed that the correct configuration and options are used when generating AoT binaries. Misconfiguration or misuse of the tooling options, therefore, are not considered to be security issues. + ### Is this bug considered a security vulnerability? #### For someone who finds a problem if a bug **results in crash or hang**, please treat it as a security problem and report it to a security advisor. The maintainer will look into it and change its category if needed. It is better safe than sorry. -If the author of an issue(results in crash or hang) can go through the following checklist and answer all questions with "No", it is fine to mark it as a regular bug. If not, please report it as a security issue. +If the author of an issue(results in crash or hang) can go through the checklist below and answer all questions with "No", it is fine to mark it as a regular bug. If not, please report it as a security issue. + +Does the +- Exposes sensitive information to unauthorized parties. +- Allows unauthorized modification of data or system state. +- Affects the availability of the system or its services. +- Permits unauthorized access to the system. +- Enables users to perform actions they should not be able to. +- Allows users to deny actions they have performed. --- @@ -35,7 +46,7 @@ Actions that differ from Wasm rules (like calculating wrong values) are not seen By default, native APIs and CLIs are following the principle of **caller guarantee**. If the caller provides incorrect parameters or users input malformed options, it is not a security issue. For example, if a user passes an invalid file descriptor to `fd_read`, it is not a security issue. -.wasm are not trusted. Malformed .wasm files should be handled gracefully. If a .wasm file causes a runtime crash or hang, it is a security issue. On the other hand, it's expected that aot runtime alone doesn't provide the same guarantee. So user-crafted .aot can cause anything, including crashes or hangs. They are not considered security issues. +WebAssembly binaries are not trusted. Malformed .wasm files should be handled gracefully. If a .wasm file causes a runtime crash or hang, it is a security issue. On the other hand, it's expected that aot runtime alone doesn't provide the same guarantee. So user-crafted .aot can cause anything, including crashes or hangs. They are not considered security issues. A denial-of-service (DoS) attack is a cyberattack that aims to make a computer or network resource unavailable to its users. If the service (runtime in this case) can recover and start another module or run another function within the same instance, it is not considered unavailable, and thus not a Denial of Service (DoS).