Allow loading dependencies by name #1594

Merged
merged 45 commits into from
Mar 21, 2025

Contributor

@aleksei-fedotov aleksei-fedotov commented Jan 7, 2025

Description

This PR allows loading dependencies by module name only, as proposed in this RFC. To strengthen security and avoid loading malicious code, signature verification for modules being loaded is also introduced.
However, to avoid breaking compatibility with existing scenarios, signature verification is disabled by default. To notify users of this, the following CMake warning appears on the console when the cmake command is invoked for the first time:

CMake Warning at CMakeLists.txt:142 (message):
  Dependency signature verification during dynamic linking in run-time is
  disabled by default.  This may lead to security vulnerabilities.  See
  installation section in oneTBB documentation for more details.

This draws the user's attention to the change and allows them to choose explicitly whether modules that are unsigned or have an incorrect signature should be loaded.
To avoid loading such modules, the user needs to specify the -DTBB_VERIFY_DEPENDENCY_SIGNATURE=ON flag in the CMake invocation command. In this case the warning turns into a regular status message of the form:

-- Dependency signature verification during dynamic linking in run-time is ENABLED

If, however, the user ignores the warning, subsequent invocations of the cmake command show that the signature verification setting remains disabled:

-- Dependency signature verification during dynamic linking in run-time is DISABLED

The patch also adds optional reporting of dynamic link issues. Examples of the output:

oneTBB dynamic link warning: The module "<path-to-dll>" is unsigned or has invalid signature.
oneTBB dynamic link warning: The module "<path-to-dll>" was not found. System error: 126

Issue reporting is disabled by default and can be enabled by setting the TBB_DYNAMIC_LINK_WARNING macro during the build.

@aleksei-fedotov aleksei-fedotov marked this pull request as ready for review January 8, 2025 16:11
@aleksei-fedotov aleksei-fedotov requested review from pavelkumbrasev and removed request for pavelkumbrasev January 8, 2025 16:11
Contributor

@egfefey egfefey left a comment

From the security standpoint, this is good for now.
A few notes:

  • This is still up for discussion but anything beside ERROR_SUCCESS from WinVerifyTrust should result in an error instead of a warning sometimes. The user always has the option to turn off signature verification if they want, so once it's on, it's either success or failure.
  • Might also need review from the TBB team.
  • If there are some testing results that we can share, that will be great.

Contributor

@egfefey egfefey left a comment

Update to use SearchPathA is good from the security point of view.
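
The flow the two review comments above describe (resolve the module name to a full path, verify that file, load it only on ERROR_SUCCESS), as an added example that is not code from this PR or from oneTBB. `may_load`, `verify_file` and `load_by_name` are hypothetical names; the wide-character SearchPathW stands in for SearchPathA because WinVerifyTrust takes a wide path, and the NULL (default) search path is an assumption. The Windows-only part is guarded by `_WIN32`.

```c
/* Added example (not oneTBB code): resolve, verify, then load a dependency. */

/* Strict policy from the review comment: with verification enabled, only
 * status 0 (ERROR_SUCCESS) permits the load; any other value is a failure. */
int may_load(int verify_enabled, long trust_status) {
    if (!verify_enabled) return 1;  /* verification off: load unchecked */
    return trust_status == 0;
}

#ifdef _WIN32  /* link with wintrust.lib */
#include <windows.h>
#include <wintrust.h>
#include <softpub.h>

/* Returns the WinVerifyTrust status for the file at full_path. */
static LONG verify_file(const wchar_t *full_path) {
    GUID action = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    WINTRUST_FILE_INFO file = { sizeof(file) };
    WINTRUST_DATA data = { sizeof(data) };
    LONG status;
    file.pcwszFilePath = full_path;
    data.dwUIChoice = WTD_UI_NONE;               /* never show a prompt */
    data.fdwRevocationChecks = WTD_REVOKE_NONE;
    data.dwUnionChoice = WTD_CHOICE_FILE;
    data.pFile = &file;
    data.dwStateAction = WTD_STATEACTION_VERIFY;
    status = WinVerifyTrust(NULL, &action, &data);
    data.dwStateAction = WTD_STATEACTION_CLOSE;  /* release provider state */
    WinVerifyTrust(NULL, &action, &data);
    return status;
}

/* Hypothetical helper: the path that was verified is the path that is loaded,
 * so the loader does not repeat the name search on its own. */
HMODULE load_by_name(const wchar_t *name, int verify_enabled) {
    wchar_t path[MAX_PATH];
    DWORD n = SearchPathW(NULL, name, NULL, MAX_PATH, path, NULL);
    LONG status;
    if (n == 0 || n >= MAX_PATH) return NULL;    /* not found or truncated */
    status = verify_enabled ? verify_file(path) : ERROR_SUCCESS;
    if (!may_load(verify_enabled, status)) return NULL;
    return LoadLibraryExW(path, NULL, 0);
}
#endif

int main(void) { return may_load(1, 0) ? 0 : 1; }
```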

@aleksei-fedotov aleksei-fedotov force-pushed the load-dependencies-by-name branch from dd5a544 to 5e6c672 Compare January 29, 2025 11:05
@aleksei-fedotov
Contributor Author

> Update to use SearchPathA is good from the security point of view.

Thanks, @egfefey! Then I'll proceed with productization of this patch.

@aleksei-fedotov aleksei-fedotov force-pushed the load-dependencies-by-name branch from 6f001d1 to 65b3f89 Compare February 14, 2025 19:56
@aleksei-fedotov aleksei-fedotov force-pushed the load-dependencies-by-name branch from 81f5e1b to 6b276c7 Compare February 25, 2025 15:11
@aleksei-fedotov aleksei-fedotov force-pushed the load-dependencies-by-name branch from 6b276c7 to d11e413 Compare March 6, 2025 15:35
@isaevil isaevil requested review from kboyarinov and isaevil March 11, 2025 11:47
@aleksei-fedotov aleksei-fedotov changed the title Load dependencies by name Allow loading dependencies by name Mar 20, 2025
kboyarinov previously approved these changes Mar 20, 2025
Contributor

@kboyarinov kboyarinov left a comment

LGTM overall, but I didn't review warnings and error codes in detail.

@omalyshe
Contributor

@aleksei-fedotov Please adjust the description because the signature check is now OFF by default.

isaevil previously approved these changes Mar 21, 2025
@aleksei-fedotov aleksei-fedotov dismissed stale reviews from isaevil and kboyarinov via 81072c0 March 21, 2025 09:19
@aleksei-fedotov aleksei-fedotov merged commit 621af05 into master Mar 21, 2025
29 checks passed
@aleksei-fedotov aleksei-fedotov deleted the load-dependencies-by-name branch March 21, 2025 09:31
5 participants