GH-48868: [Doc] Document security model for the Arrow formats

[pitrou]

Rationale for this change

Accessing Arrow data or any of the formats can have non-trivial security implications, this is an attempt at documenting those.

What changes are included in this PR?

Add a Security Considerations page in the Format section.

Doc preview: https://s3.amazonaws.com/arrow-data/pr_docs/48870/format/Security.html

Are these changes tested?

N/A

Are there any user-facing changes?

No.

• GitHub Issue: [Doc] Document security model for the Arrow formats #48868

[pitrou]

@github-actions crossbow submit preview-docs

[github-actions]

Revision: 593babb

Submitted crossbow builds: ursacomputing/crossbow @ actions-4f7018459b

Task	Status
preview-docs

[raboof]

Looks reasonable (without any particular Arrow expertise)

(noticed two typo's)

[raboof]

Suggested change

	For example, if a element of a primitive Arrow array is marked null through its
	For example, if an element of a primitive Arrow array is marked null through its

[raboof]

Suggested change

	However, this then introduces a serious security if the Arrow data is serialized
	However, this then introduces a serious security risk if the Arrow data is serialized

[felipecrv]

Worth pointing out something about query engines and dataframe libraries deciding to not do so for internal/intermediate values in computations but applying a canonicalization pass when data leaves the system.

[alamb]

Perhaps we can emphasize that all bytes in an Arrow array, regardless if they are "reachable", are readable by other libraries and users. Thus they should contain no potentially sensitive data (like uninitialized values).

And therefore, if query engines choose to use uninitialized memory internally as an optimization, they should ensure all such uninitialized values are cleared before passing the Arrays to another system

[felipecrv]

Suggested change

	In addition to invalid pointers, some array types have offsets, sizes, and buffer indices that might be out-of-bounds. The library producing arrays through the
	C data interface might be performing only very light validation of these values.

[alamb]

Thank you @pitrou -- this is much needed and very helpful

I had some suggestions on structure. Hopefully they are helpful

[alamb]

Avoiding a double negative might make this read better

Suggested change

	process' address space. As such, in-memory Arrow data should not be accessed
	without care.
	process' address space. As such, in-memory Arrow data should be accessed with care.

[alamb]

I think the core point of this paragraph may get a little lost in the specific details. I would suggest we start by explicitly stating the root cause of potential safety concerns. Something like

Suggested change

	Reading and interpreting Arrow data involves reading into several buffers,
	sometimes in non-trivial ways. This may for instance involve data-dependent
	indirect addressing: to read a value from a Binary array, you need to
	1) read its offsets in buffer #2, and 2) read the range of bytes delimited by
	these offsets in buffer #3. If the offsets are invalid (deliberately or not),
	then step 2) can access invalid memory (potentially crashing the process) or
	memory unrelated to Arrow (potentially allowing an attacker to exfiltrate
	confidential data).
	Arrow is a low level memory format, and the contents of Arrow
	buffers are often combined and treated as pointers into the process
	memory space. Invalid Arrow data may cause invalid memory accesses
	(potentially crashing the process) or permit access to non-Arrow data
	(potentially allowing an attacker to exfiltrate confidential information).
	For example, reading and interpreting Arrow data involves reading into several buffers,
	sometimes in non-trivial ways. This may for instance involve data-dependent
	indirect addressing: to read a value from a Binary array, you need to
	1) read its offsets in buffer #2, and 2) read the range of bytes delimited by
	these offsets in buffer #3. If the offsets are invalid (deliberately or not),
	then step 2) can access invalid memory.

[alamb]

I suggest we also make the point about performance here to give context about why
validation is not always performed

Perhaps something like this:

"Arrow implementations often assume Arrays follow the specification
to provide high speed processing. It is extremely important that
your application either trusts or validates the Arrays it receives from
other sources.

Many Arrow implementations provide APIs to do such validation.

In terms of APIs, the Rust implementation always validates data from external sources, unless the validation is explicitly turned off with APIs marked as unsafe (a special Rust keyword).

[alamb]

Perhaps we can emphasize that all bytes in an Arrow array, regardless if they are "reachable", are readable by other libraries and users. Thus they should contain no potentially sensitive data (like uninitialized values).

And therefore, if query engines choose to use uninitialized memory internally as an optimization, they should ensure all such uninitialized values are cleared before passing the Arrays to another system

[alamb]

I don't think this is any different than the other APIs -- basically "if you don't trust the producer source, you should always explicitly validate the arrays before processing them"

This doesn't seem any different for the C Data Interface than for the other APIs (like IPC files. etc)

[alamb]

As above, I think we could combine this into the section about validating data from untrusted sources, and give C Data Interface and IPC Format as examples of potentially untrusted sources.

[raulcd]

Suggested change

	Hereafter we try list potential security concerns when dealing with the various
	Hereafter we try to list potential security concerns when dealing with the various