Two among the bugs uncovered by CHERI (the mcel bug [1] and the xgettext bug
[2]) could be found
  - by CHERI, or
  - by "gcc -fsanitize=address", or
  - by "clang -fsanitize=address",
but not by valgrind.

This raises the question: Should we rather use CHERI for general pre-release
testing, or the address sanitizers?

The answer is in [3], page 4, table III: CHERI does not detect use-after-free
and stack-use-after-return bugs ("temporal memory safety").

Because of this, I'll be using address sanitizers, not CHERI, for the
foreseeable future.

Find a writeup at [4].

That said, running a desktop where everything, from the kernel to the web
browser, has CHERI-enabled pointer validation would be cool from the security
point of view. But that's a different goal than searching for bugs in a
particular package...

Bruno

[1] https://lists.gnu.org/archive/html/bug-gnulib/2023-11/msg00034.html
[2] https://lists.gnu.org/archive/html/bug-gnulib/2023-11/msg00109.html
[3] https://www.techrxiv.org/articles/preprint/Towards_a_Hybrid_Approach_to_Protect_Against_Memory_Safety_Vulnerabilities/14680185
[4] https://gitlab.com/ghwiki/gnow-how/-/wikis/Finding_memory_bugs
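The following script is an added example, not part of Bruno's message and not gnulib code. It checks that a local toolchain's address sanitizer actually reports the two temporal bug classes the post singles out (heap use-after-free and stack-use-after-return), which is the property that decided the choice of tool above. It assumes a C compiler is reachable as `cc` in PATH and relies on the real ASan runtime flag `ASAN_OPTIONS=detect_stack_use_after_return=1`, which older GCC/libasan builds need for the fake-stack check; the two C programs are constructed here only to trigger the sanitizer, and the helper names (`asan_error_class`, `asan_available`) are this script's own.

```shell
#!/bin/sh
# Added example: probe whether "cc -fsanitize=address" reports temporal
# memory-safety bugs. Not from the original post; all sources constructed.
set -eu

# Constructed program 1: read from a heap block after free().
UAF_SRC=$(cat <<'EOF'
#include <stdlib.h>
int main(void) { char *p = malloc(16); p[0] = 'x'; free(p); return p[0]; }
EOF
)

# Constructed program 2: a callee publishes the address of its own local
# variable through a global; the caller reads it after the frame is gone.
SUAR_SRC=$(cat <<'EOF'
static int *volatile g;
static void store(void) { int local = 42; g = &local; }
int main(void) { store(); return *g; }
EOF
)

# Returns 0 if a trivial ASan-instrumented program builds and runs here,
# 1 otherwise (no compiler, no libasan, or a sandbox the runtime rejects).
asan_available() {
    dir=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$dir/ok.c"
    if cc -fsanitize=address -o "$dir/ok" "$dir/ok.c" 2>/dev/null \
        && "$dir/ok" >/dev/null 2>&1; then
        rm -rf "$dir"; return 0
    fi
    rm -rf "$dir"; return 1
}

# Prints the ASan error class (e.g. "heap-use-after-free") reported for the
# C source passed as $1, "none" if the program runs without a report, or
# "unsupported" if ASan cannot be used on this machine.
asan_error_class() {
    asan_available || { echo unsupported; return 0; }
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$dir/prog.c"
    if ! cc -g -fsanitize=address -o "$dir/prog" "$dir/prog.c" 2>/dev/null; then
        rm -rf "$dir"; echo unsupported; return 0
    fi
    # The instrumented program aborts on the first report; "|| true" keeps
    # that non-zero exit from tripping "set -e".
    out=$(ASAN_OPTIONS=detect_stack_use_after_return=1 "$dir/prog" 2>&1 || true)
    rm -rf "$dir"
    # Report lines look like: "==PID==ERROR: AddressSanitizer: <class> on address ..."
    class=$(printf '%s\n' "$out" \
        | sed -n 's/.*ERROR: AddressSanitizer: \([a-z-]*\).*/\1/p' | head -n 1)
    [ -n "$class" ] && echo "$class" || echo none
}

# Stand-alone run: show what this toolchain catches for each bug class.
echo "use-after-free:          $(asan_error_class "$UAF_SRC")"
echo "stack-use-after-return:  $(asan_error_class "$SUAR_SRC")"
```

On a toolchain with a working libasan the two lines print `heap-use-after-free` and `stack-use-after-return`; a `none` for the second line means the fake-stack instrumentation is not active in that compiler build, which is exactly the gap to know about before relying on ASan for pre-release testing. The probe step exists so that a missing compiler or sanitizer runtime is reported as `unsupported` rather than mistaken for a missed bug.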