Secure Envoy profile

[htuch]

This issue continues from #5348 and tracks the security specific concerns in a "secure Envoy" build. Ideas that we have heard about so far include:

• Conservative defaults for all buffer sizes and timeouts in the configuration.
• A SECURITY_ASSERT macro that might promote some extant ASSERT to RELEASE_ASSERT.
• Additional data structure and data plane payload integrity checks.
• Restricting allowed extensions to those tagged as valid for untrusted downstream/upstreams (see https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model#core-and-extensions)
• Build with Scudo allocator (Build with Scudo Allocator #9365)
• -fstack-protector-all
• -fstack-clash-protection
• https://clang.llvm.org/docs/ControlFlowIntegrity.html
• Anything else in https://wiki.debian.org/Hardening
• Enabling ABSL_HARDENING_ASSERT

Please propose others.

[jpeach]

Does this also include building with additional compiler flags?

[htuch]

@jpeach I think we should have these as the defaults in all builds. I know we already do PIE, not sure about -z now.

[htuch]

@jpeach -z now is addressed in #9812.

[antoniovicente]

Some of the parts of the secure profile clearly need to be done at compile time, but it may make sense to have some of them be controlled by startup config. One example includes the allowed security_policy level for extensions and internal components instantiated by the rest of the config, with escape hatches that allow whitelisting specific extensions that are needed by the proxy anyway despite having an otherwise incompatible security_policy. We will need some way to take the security_policy and maturity level parameters and internalize them into the binary, which could be done with the help of some codegen genrules.

Defaults are a tricky one. I wonder if would be possible to have config params that serve as defaults for other parameters that allow you to reduce all timeout or buffering related defaults to more manageable levels. Or even an option to disable defaults or warn on use of defaults for fields that are known to be very security sensitive to encourage that they be explicitly configured.

Defaults also play a role on the safety of certain extensions that require some buffering of request/response bodies; they can only be robust to untrusted input if buffer limits are set to appropriate values which are specific to the proxy use case.

[htuch]

Adding another @antoniovicente suggestion for posterity: we can annotate proto fields that are potentially dangerous and need to be configured for safe operation at edge or in untrusted environments. This will allow easier machine checking of configuration for safety, and in the secure profile mode we can verify these are set appropriately.