diff options
Diffstat (limited to 'docs/user_guide/advanced.dox')
| -rw-r--r-- | docs/user_guide/advanced.dox | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/docs/user_guide/advanced.dox b/docs/user_guide/advanced.dox index 86ee2ce756..2b9e0d02f7 100644 --- a/docs/user_guide/advanced.dox +++ b/docs/user_guide/advanced.dox @@ -110,5 +110,30 @@ After the first run, the CLTuner's results can be exported to a file using the m This file can be also imported using the method "load_from_file("results.csv")". - tuner.load_from_file("results.csv"); +@section Security Concerns +Here are some security concerns that may affect Compute Library. + +@subsection A process running under the same uid could read another process memory + +Processes running under same user ID (UID) may be able to read each other memory and running state. Hence, This can +lead to information disclosure and sensitive data can be leaked, such as the weights of the model currently executing. +This mainly affects Linux systems and it's the responsibility of the system owner to make processes secure against +this vulnerability. Moreover, the YAMA security kernel module can be used to detect and stop such a trial of hacking, +it can be selected at the kernel compile time by CONFIG_SECURITY_YAMA and configured during runtime changing the +ptrace_scope in /proc/sys/kernel/yama. + +Please refer to: https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/Yama.html for more information on this regard. + +@subsection Malicious users could alter Compute Library related files + +Extra care must be taken in order to reduce the posibility of a user altering sensitive files. CLTuner files +should be protected by arbitrary writes since this can lead Compute Library to crash or waste all system's resources. + +@subsection Various concerns + +Sensitive applications that use Compute Library should consider posible attack vectors such as shared library hooking, +information leakage from the underlying OpenCL driver or previous excecution and running arbitrary networks that consume +all the available resources on the system, leading to denial of service. + */ } // namespace
\ No newline at end of file |