CCF icon indicating copy to clipboard operation
CCF copied to clipboard
verified publisher icon microsoft

Publish a CCF package with a sanitizer-enabled cchost

Open plietar opened this issue 3 years ago • 3 comments

Is your feature request related to a problem? Please describe. As part of the development of a CCF app, I'd like to be able to build and run the application with ASan/UBSan enabled (as a virtual enclave of course).

This does not currently work for a few reasons:

  • The add_ccf_app cmake function adds the --no-undefined flag, which breaks the linking phase of the enclave shared library (see #1562)
  • I can sidestep this issue by defining SAN=ON, which stops the --no-undefined flag from being added. However, it now adds the -fsanitize-blacklist=${CCF_DIR}/src/ubsan.suppressions flag to the enclave library build, which does not work as this file isn't being distributed.
  • Even if I hack around those two issues by removing the flags manually, cchost cannot load the enclave library since the sanitizer runtime symbols are not available: Could not load virtual enclave: ./libapp.virtual.so: undefined symbol: __ubsan_vptr_type_cache.

Describe the solution you'd like When making a release, publish a debian package which was built with SAN=ON. Additionally, the ubsan.suppressions file needs to be distributed too. Ideally the SAN=ON setting would be persisted in ccf-config.cmake, such that the user of the package doesn't have to repeat it.

Describe alternatives you've considered One of the issues with having two conflicting packages is that it might make it difficult for local development, where one may need to switch between with and without sanitizer versions.

Possible options:

  • Only distribute a sanitizer-enabled cchost in the -dev Docker image, as I think a sanitizer-enabled cchost can load any enclave, whether or not that enclave was built with sanitizers. The -run image has the more performant, no-sanitizer cchost binary.

  • Use a separate installation path and debian package name for the sanitizer-enabled version of CCF. This would allow the two versions to be installed side by side. The -dev image could include both versions installed, and it is up to the user to point to one or the other.

  • Instead of shipping a separate package and Docker image, two copies of cchost could be included in the default package, one with and one without ASAN enabled. sandbox.sh would need a flag to pick which binary to use.

plietar avatar Oct 11 '22 18:10 plietar

Note this was raised before, but the issue was closed without a long term solution: https://github.com/microsoft/CCF/issues/3711

plietar avatar Oct 11 '22 19:10 plietar

I've opened #4353 that makes ASAN CCF suitable to be used in downstream applications. Following some offline discussions, it is unlikely that CCF will publish pre-built ASAN artifacts, but with that PR we can at least rebuilt it ourselves in our CI.

plietar avatar Oct 14 '22 17:10 plietar

@plietar thank you for making that change.

achamayou avatar Oct 14 '22 18:10 achamayou