Bug ID 28019
Summary Possibly insecure use of TCP sockets by LLDB
Component All Bugs
As I understand it LLDB uses a client-server architecture. The client and server communicate over TCP sockets. This is insecure. When the client and server are on the same machine and the socket bound to localhost, this allows local execution of arbitrary code by an unpriviliged and untrusted user distinct from the user LLDB is running as. When the client and server are on different machines, this allows for remote execution of arbitrary code. LLDB needs to ensure strong authentication (and, in the remote case, encryption) of all messages. This can be done by using SSH. In the local case, the best answer is to use Unix domain sockets in a secure directory (on *nix) or named pipes with a restrictive (non-default) ACL plus authentication of the server to the client (perhaps by demanding that the server HMAC a random client-generated string using a key found in a temporary file only the client's user has access to). As I understand it LLDB uses an auth hash currently. This works on localhost only, but it would be better to HMAC every message.