Skip to Content.
Sympa Menu

coq-club - Re: [Coq-Club] Safe to download and compile .v from evil source ?

coq-club AT inria.fr

Subject: The Coq mailing list

List archive

Re: [Coq-Club] Safe to download and compile .v from evil source ?


Chronological Thread 
  • From: Timothy Carstens <intoverflow AT gmail.com>
  • To: coq-club AT inria.fr
  • Subject: Re: [Coq-Club] Safe to download and compile .v from evil source ?
  • Date: Sat, 1 Feb 2020 15:14:58 -0800
  • Authentication-results: mail3-smtp-sop.national.inria.fr; spf=None smtp.pra=intoverflow AT gmail.com; spf=Pass smtp.mailfrom=intoverflow AT gmail.com; spf=None smtp.helo=postmaster AT mail-lj1-f173.google.com
  • Ironport-phdr: 9a23:T8XhdxKYh/BjpxoZndmcpTZWNBhigK39O0sv0rFitYgeK//xwZ3uMQTl6Ol3ixeRBMOHsq4C17Gd6/6oGTRZp8rY6zZaKN0EfiRGoP1epxYnDs+BBB+zB9/RRAt+Iv5/UkR49WqwK0lfFZW2TVTTpnqv8WxaQU2nZkJ6KevvB4Hdkdm82fys9J3PeQVIgye2ba9vIBmsogjdq8YbjZFtJ6s/xRfFvnpFcPlSyW90OF6fhRnx6tq+8ZJ57yhcp/ct/NNcXKvneKg1UaZWByk8PWAv483ruxjDTQ+R6XYZT24bjBlGDRXb4R/jRpv+vTf0ueR72CmBIM35Vqs0Vii476dqUxDnliEKPCMk/W7Ni8xwiKVboA+9pxF63oXZbp2ZOOZ4c6jAe94RWGhPUdtLVyFZDYy8YYkAAeoPM+hbsofzuUcBoACkCgWwHu7i0CNEimP00KA8zu8vERvG3AslH98WrnrUrdD1NKAOUeC1zKjD0CvOYOlM2Tfm9IjHbBYhoeqRVr93cMrRz1UvFwTbjlqOs4zlMTeV1uMDsmWA4OpgUPigi28jqw1rvjevwcIsh5DPi4kIxF7E8iB5z5w0Jd2+UEN7esKkH4FMuCGZKYR3Td8tQ2FytyY8xb0Jp4S3czQNyJQiwRPUdv+Jc5CQ7x79SOqcJS10iXFldb6lmRq+7UutxvfhWsS23ltHqDdOnMPWuXAXzRPT79CKSvtj8Uel3jaCzwXT5ftFIUAwjKbbL5whzqMpmpodrEjOHCH7lF/5jK+RcUUk9eyo5Pr9brr6oZ+cMpd4igD4MqswhsyyGfo0PhQKUmSB+umx1Kfv8VPlTLhJlPE6j6vUvZ7CKcQevKG5AgtV0og56xa4CjeryNUYnX8bLFJCZhKIkZLpO1/KIPD/A/aymFuskDJxyPDHOr3tGInCLn/GkLv5Z7Zy91ZcyBYvzdBY/59bFrYBIOvqVkDtsNzYEwQ2Phevw+fnDdV9zpkRVXiOAq+fKqPSsEWH6vghI+mWN8cpv2P2LOFg7Przh1c4n0UcdO+nx8g5cne9S8hnJkKFYWukqd4bCnsHuBF2GO3slFqcXCRdY3Gtd6057zA/TomhCNGQFciWnLWd0XLjTdVtbWdcBwXUSCa6R8C/Q/4JLRmqDIpkmz0AW6KmTtZ4hx6rvQ7+jbFgK7iNo3BKhdfYzNFwotbru1Qy+DhzVZrP1miMSyRwnDpNSWZph+ZwpktyzlrF2q990aQBSY5joshRWwJ/DqbyivRgAomrCA3Ed9aNDl2hR4f+DA==



On Sat, Feb 1, 2020 at 2:54 PM Tej Chajed <tchajed AT mit.edu> wrote:
I think you should assume that it's unsafe unless you run it in a carefully-designed sandbox. At the very least one can easily write files which take huge amounts of time, memory, or disk space while compiling.

That assumption is why I asked the Q :) As for resource usage, I can set ulimits. That's the easy part. But it's harder for me to anticipate the consequences of arbitrary OCaml. I could selinux everything but that's also a ton of hassle in practice. No, I think the right way to go is for the type checking to be a pure operation :), modulo disk reads for .v and disk writes for compiled output.
 
For some idea of some of the issues, see this thread on a similar question for compiling C: https://security.stackexchange.com/questions/138881/is-it-dangerous-to-compile-arbitrary-c. In particular see Matt G's answer, since he runs a site that compiles arbitrary C. Essentially he runs the whole thing in a VM that doesn't have secrets, and then has extra mitigations to give nicer error messages when people try to exploit the compiler.

I respect Matt G's approach but I lack his confidence. A VM with no secrets is a beautiful ideal but in practice this is a giant hassle to actually implement and maintain. For instance, a VM with no secrets has no IAM role. It has no GitHub keys. It also has no route to the Internet, lest it be used as a staging box for other hacks.

Don't get me wrong - there are ways to approach this ideal. But they require as much engineering as the collaborative system I'd like to toss together:

Sorry if I sound obstinate on this point; my professional work is in computer security and when my clients go the sandbox route we put a *lot* of work into making sure it's done right - more than I can do by myself for this project.

-t



Archive powered by MHonArc 2.6.18.

Top of Page