coq-club AT inria.fr

Subject: The Coq mailing list

List archive

Re: [Coq-Club] Safe to download and compile .v from evil source ?

From: Timothy Carstens <intoverflow AT gmail.com>
To: coq-club AT inria.fr
Subject: Re: [Coq-Club] Safe to download and compile .v from evil source ?
Date: Sat, 1 Feb 2020 15:35:53 -0800
Authentication-results: mail3-smtp-sop.national.inria.fr; spf=None smtp.pra=intoverflow AT gmail.com; spf=Pass smtp.mailfrom=intoverflow AT gmail.com; spf=None smtp.helo=postmaster AT mail-lj1-f178.google.com
Ironport-phdr: 9a23:O8LB6R82snjRj/9uRHKM819IXTAuvvDOBiVQ1KB30OscTK2v8tzYMVDF4r011RmVBNmdt6kP0rKe8/i5HzBZutDZ6DFKWacPfidNsd8RkQ0kDZzNImzAB9muURYHGt9fXkRu5XCxPBsdMs//Y1rPvi/6tmZKSV3wOgVvO+v6BJPZgdip2OCu4Z3TZBhDiCagbb9oIxi6sArcutMZjIZsJao91wfFqWZMd+hK2G9kP12ekwvy68uq4JJv7yFcsO89+sBdVqn3Y742RqFCAjQ8NGA16szrtR3dQgaK+3ARTGYYnAdWDgbc9B31UYv/vSX8tupmxSmVJtb2QqwuWTSj9KhkVhnlgzoaOjEj8WHXjstwjL9HoB+kuhdyzZLYbJ2TOfFjeK7WYNEUSndbXstJWCNBDIGzYYsBAeQCIOhWsZXyqkAUoheiHwShHv/jxiNKi3LwwKY00/4hEQbD3AE4AdwOsXHUrNLpNKcSUeG+0bfFwi/Zb/NNxTfy9o7Icgs8qvyLXLJwd9bRyU4xFwzblFWQp4jlPzSb1+kWvGib6vBvVeOri2I9tw5xpT2vy94qh4LUiIwVzVXE+j94wIYzPdC4U1J7bsS4H5tTqS6bOJd5QsM4TGFutyY11KcKtoK8fCgP0Jgmxxnfa+Gbc4iV+B7sT/ieLDFlj3xmYLKynwi+/VSkx+HmVcS50ExGojRZntTPrHwByh7e58uBR/Bg5EmuwyyP2BrW6uxcIUA7i67bK5k5z741jJUTsEDDEjbymEX0kaOab0sk9vWq5unkeLnmqZicN4h7igH6LKsigNCwAeM9MgQWXmib//qz1KH78EHnXLlHiuc6n6rZvZzAO8gXuq20DxVI3osh6BuzFzKm384ZnXkDIlJFYhWHj43xNlHPJvD4EfC/g0qynzdxyfDGOrrhA5vWI3jMlbfuZ7d960pGxAUvytBf4opYCqsdL/LrRk/xqNvYAwclPAyz2ubrEcly1ocDWW2UGaKZK6PTsVqQ5u01OeWMZYkVuCz8K/c//fLug2U5yhchevyi2oJSY3SlFNxnJV+YaDzimIQvC2AP6zY/Sev2iEzKejdJfGq/Wbl0sjA9FIW4AJ3NQoeyqLOE1Sa/WJZRYzYVWRi3DX70etDcCL83YyWIL5o5y2FWZf2aU4YkkCqWmkr6xr5gdLSG/yQZsdfn1oEw6bSMxVc98jt7C8nb2GaIHTktzzE4AgQu1aU6mnRTj1KK0Kx2mftdTIUB6PZAUwN8PpnZnbUjV4LCHznZd9LMc26IB828CGhoHN00yt4KJU16Hof6gw==

Thank you for the link, it's an excellent talk! And extra-thank you for time-stamping it to the part about security :)

It sounds like my Q has been answered; thank you for all the replies. I'll need to mull over next steps.

Everything that follows is just IMHO:

I don't think gcc should be the model to emulate, and it would be nice if Coq could be used to certify code from untrusted sources.

If none of the maintained projects are using these exotic capabilities, they should to be removed given the impact it has on Coq's use cases. The sandboxing response is inviting trouble: perhaps Matt G is smart enough to get it right, perhaps a few other people are, but I assure you most engineers are not. Sandboxing should be used as a last-ditch "defense in depth," not as a front-line defense. It's hard to maintain for tons of reasons. For example, you need to re-evaluate your config every time you do a system update, since there's no computerized mechanism in place that guarantees that the update won't effect /etc or initd or any of a number of sandbox-relevant things.

For this reason, containers & VMs are awesome for sharing working environments, but are expensive and error-prone as a security boundary. Best practice yes, but only as a last line of defense.

But I also know that everyone's super busy and what I'm asking for is probably a hassle at this time - no worries and keep up the good work :)

On Sat, Feb 1, 2020 at 3:18 PM Clément Pit-Claudel <cpitclaudel AT gmail.com> wrote:

On 2020-02-01 17:53, Tej Chajed wrote:
> For some idea of some of the issues, see this thread on a similar
> question for compiling C:
> https://security.stackexchange.com/questions/138881/is-it-dangerous-to-compile-arbitrary-c.
> In particular see Matt G's answer, since he runs a site that compiles
> arbitrary C. Essentially he runs the whole thing in a VM that doesn't
> have secrets, and then has extra mitigations to give nicer error
> messages when people try to exploit the compiler.

Matt has a talk in which he mentions the security of Compiler Explorer where he goes into a bit more details; see here: https://youtu.be/bSkpMdDe4g4?t=3193

Clément.

[Coq-Club] Safe to download and compile .v from evil source ?, Timothy Carstens, 02/01/2020
- Re: [Coq-Club] Safe to download and compile .v from evil source ?, Jay Kruer, 02/01/2020
  - Re: [Coq-Club] Safe to download and compile .v from evil source ?, Andres Erbsen, 02/01/2020
    - Re: [Coq-Club] Safe to download and compile .v from evil source ?, Timothy Carstens, 02/01/2020
    - Re: [Coq-Club] Safe to download and compile .v from evil source ?, Tej Chajed, 02/01/2020
      - Re: [Coq-Club] Safe to download and compile .v from evil source ?, jonikelee AT gmail.com, 02/02/2020
      - Re: [Coq-Club] Safe to download and compile .v from evil source ?, Timothy Carstens, 02/02/2020
      - Re: [Coq-Club] Safe to download and compile .v from evil source ?, Clément Pit-Claudel, 02/02/2020
        
        Re: [Coq-Club] Safe to download and compile .v from evil source ?, Timothy Carstens, 02/02/2020
        
        Re: [Coq-Club] Safe to download and compile .v from evil source ?, jonikelee AT gmail.com, 02/02/2020
        
        Re: [Coq-Club] Safe to download and compile .v from evil source ?, Timothy Carstens, 02/02/2020
        Re: [Coq-Club] Safe to download and compile .v from evil source ?, Marco Servetto, 02/02/2020
        Re: [Coq-Club] Safe to download and compile .v from evil source ?, Jason Gross, 02/02/2020
        Re: [Coq-Club] Safe to download and compile .v from evil source ?, Timothy Carstens, 02/02/2020
        
        Re: [Coq-Club] Safe to download and compile .v from evil source ?, jonikelee AT gmail.com, 02/02/2020
        Re: [Coq-Club] Safe to download and compile .v from evil source ?, Timothy Carstens, 02/02/2020
        Re: [Coq-Club] Safe to download and compile .v from evil source ?, Jason Gross, 02/02/2020
        
        Re: [Coq-Club] Safe to download and compile .v from evil source ?, jonikelee AT gmail.com, 02/02/2020
        
        Re: [Coq-Club] Safe to download and compile .v from evil source ?, Adam Chlipala, 02/02/2020