Bug #2645

Security

Added by Roland Schulz 11 months ago. Updated 11 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Affected version - extra info:
Affected version:
Difficulty: uncategorized

Description

We have no security checks in GROMACS (4). Thus it is very likely that any malicious input files could easily execute code (1). I suspect we don't have the resources to make all input file reading secure (2). Unless we make input file reading secure, we should document the situation for users, so that users are aware that when they download input files (3), they need to trust input files to the same level as they require for executable files (such as shell scripts or binaries). The install-guide might be a good place to put a warning.

1) Any malicious code would run with the same permissions as GROMACS. There are likely multiple possible attack methods. But simple buffer overflows with executable payload are the most likely.
2) It might be possible to make a subset of input file reading secure (e.g. just TPR reading).
3) If they generate input files themselves there is no issue. But if files are downloaded (e.g. for benchmarking, tutorial or parts for system setup) those need to be trusted.
4) We have no runtime tools (e.g. fuzzing) and we disable checks in e.g. msvc and clang-tidy.

Associated revisions

Revision 40f1c8ea (diff)
Added by Mark Abraham 11 months ago

Fix gcc-8 warnings about strings

A bunch of slightly risky string handling is now safer or simpler.

Refs #2645

Change-Id: I0e02a34ecf7be16135e406ba2aaefab8a6e6ba39

Revision 21becc05 (diff)
Added by Paul Bauer 11 months ago

Add short security notice

Cherry picked from master.

Refs #2645

Change-Id: I5fba37bca803c13ee9251aae0aae54c155537890

History

#1 Updated by Mark Abraham 11 months ago

I agree that we should have a note in the docs somewhere. User guide feels like a better place than install guide, to me.

#2 Updated by Gerrit Code Review Bot 11 months ago

Gerrit received a related patchset '1' for Issue #2645.
Uploader: Paul Bauer
Change-Id: gromacs~master~I5fba37bca803c13ee9251aae0aae54c155537890
Gerrit URL: https://gerrit.gromacs.org/8375

#3 Updated by Gerrit Code Review Bot 11 months ago

Gerrit received a related patchset '1' for Issue #2645.
Uploader: Paul Bauer
Change-Id: gromacs~release-2018~I5fba37bca803c13ee9251aae0aae54c155537890
Gerrit URL: https://gerrit.gromacs.org/8378

#4 Updated by Szilárd Páll 11 months ago

Perhaps a better place to note than in CR where I mentioned it before: practical security-related information that could be useful to admins as well as Linux distro security audits is a description of what the different GROMACS tools are expected to do, what kind of behavior they exhibit that can be relevant to security (or possibly also matching job to hardware needs).
For instance a brief description of how the various tools consume/use system resources (ports, pipes, files created/operated on, cores/hw threads used, pinning, etc.) may be beneficial.

#5 Updated by Paul Bauer 11 months ago

This would indeed be good to have for people setting up GROMACS on large scale systems.
Can you point me to some documentation where I can read up on this to make a list about what needs to be mentioned?

#6 Updated by Szilárd Páll 11 months ago

To be honest, I do not know of examples of what needs/is useful to be mentioned.
Perhaps it'd be best to draft something general and ask for feedback from i) some HPC admins ii) some Linux maintainers (we've been in contact with at least the Debian maintainer)?

#7 Updated by Gerrit Code Review Bot 11 months ago

Gerrit received a related patchset '1' for Issue #2645.
Uploader: Mark Abraham
Change-Id: gromacs~master~I0e02a34ecf7be16135e406ba2aaefab8a6e6ba39
Gerrit URL: https://gerrit.gromacs.org/8447
