Insecurity of insecure__use_cmdline_argv


Arne Vogel

May 11, 2022, 7:23:42 AM
to us...@gramineproject.io
Hello,

in the gramine documentation for `loader.insecure__use_cmdline_argv` it
says that it is "insecure in almost all cases" [1]. What is the source
of this insecurity? Is this a problem with gramine or does this allude
to the fact that the programs run in this manner are not designed with
security in mind and could contain vulnerabilities that could be
exploited?

In other words: If I do proper sanitization on the arguments with all
the risk in mind is it still insecure?

Thanks
Arne

[1] https://gramine.readthedocs.io/en/latest/manifest-syntax.html?highlight=loader.insecure__use_cmdline_argv#command-line-arguments

Michał Kowalczyk

May 11, 2022, 7:58:33 AM
to Arne Vogel, us...@gramineproject.io
Hi,

On 5/11/22 10:33, Arne Vogel wrote:

> Is this a problem with gramine or does this allude
> to the fact that the programs run in this manner are not designed with
> security in mind and could contain vulnerabilities that could be
> exploited?
This one, although these don't have to be vulnerabilities in the
programs. See for example `-c` in Python - it's a perfectly valid
feature, but in the enclave security model you have to block it (amongst
many other cmdline switches).

> In other words: If I do proper sanitization on the arguments with all
> the risk in mind is it still insecure?
Yes, although this is rather hard, especially if you run programs with
rich runtimes. It should be doable in C and C++, but pretty hard in
other cases, where the runtimes often have some magic arguments to
control the execution. That's why we don't recommend doing this to the
users, I don't believe that they will do it right ;)

Best,
Michał
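As an added illustration of the sanitization Michał describes (this is not code from Gramine or from either poster), here is an allowlist-style argv policy for a hypothetical Gramine-hosted program that accepts one config switch and one input path; every other switch, including Python's `-c`, is rejected without being enumerated. The switch names, value patterns and limits are assumptions.

```python
import re
from typing import Dict, List, Pattern, Sequence

# Constructed policy for a hypothetical enclave-hosted app. Allowlisting means
# interpreter switches such as '-c' are rejected by default: only the switches
# named here are accepted, and everything else that begins with '-' fails.
ALLOWED_SWITCHES = {"-u", "--verbose"}              # switches taking no value
ALLOWED_VALUE_SWITCHES: Dict[str, Pattern[str]] = {
    "--config": re.compile(r"[A-Za-z0-9_./-]+\.toml"),
}
POSITIONAL_RE = re.compile(r"[A-Za-z0-9_./-]+")     # plain relative paths only
MAX_POSITIONAL = 1


def _plain_path(s: str) -> bool:
    """Relative path made of safe characters, with no '..' components."""
    return bool(POSITIONAL_RE.fullmatch(s)) and not s.startswith("/") \
        and ".." not in s.split("/")


def validate_argv(argv: Sequence[str]) -> List[str]:
    """Return the list of policy violations; an empty list means argv passes."""
    problems: List[str] = []
    positionals = 0
    i = 1  # argv[0] is fixed by the manifest, not taken from the caller
    while i < len(argv):
        arg = argv[i]
        if arg in ALLOWED_SWITCHES:
            i += 1
        elif arg in ALLOWED_VALUE_SWITCHES:
            value = argv[i + 1] if i + 1 < len(argv) else ""
            if not (ALLOWED_VALUE_SWITCHES[arg].fullmatch(value)
                    and _plain_path(value)):
                problems.append(f"bad or missing value for {arg}: {value!r}")
            i += 2
        elif arg.startswith("-"):
            # Catches '-c', its attached form '-cCODE', '--' and every other
            # switch the policy did not explicitly allow.
            problems.append(f"unexpected switch {arg!r}")
            i += 1
        else:
            positionals += 1
            if positionals > MAX_POSITIONAL or not _plain_path(arg):
                problems.append(f"unexpected positional {arg!r}")
            i += 1
    return problems
```

Note that the policy is per program: a different binary or runtime needs its own allowlist, which is the maintenance burden the thread warns about.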
