coq-club AT inria.fr

Subject: The Coq mailing list

List archive

Re: [Coq-Club] Safe to download and compile .v from evil source ?

From: "jonikelee AT gmail.com" <jonikelee AT gmail.com>
To: Adam Chlipala <adamc AT csail.mit.edu>
Cc: coq-club AT inria.fr
Subject: Re: [Coq-Club] Safe to download and compile .v from evil source ?
Date: Sun, 2 Feb 2020 14:34:46 -0500
Authentication-results: mail2-smtp-roc.national.inria.fr; spf=None smtp.pra=jonikelee AT gmail.com; spf=Pass smtp.mailfrom=jonikelee AT gmail.com; spf=None smtp.helo=postmaster AT mail-qt1-f196.google.com
Ironport-phdr: 9a23:XcFvXBGTGboNticaZLNNqp1GYnF86YWxBRYc798ds5kLTJ7yp8SwAkXT6L1XgUPTWs2DsrQY0raQ7/2rADZcqdbZ6TZeKccKD0dEwewt3CUYSPafDkP6KPO4JwcbJ+9lEGFfwnegLEJOE9z/bVCB6le77DoVBwmtfVEtfre9FYHdldm42P6v8JPPfQpImCC9YbRvJxmqsAndrMYbjZZtJ6orxRbEonREd/lIyW5nOFmfmwrw6tqq8JNs7ihdtegt+9JcXan/Yq81UaFWADM6Pm4v+cblrwPDTQyB5nsdVmUZjB9FCBXb4R/5Q5n8rDL0uvJy1yeGM8L2S6s0WSm54KdwVBDokiYHOCUn/2zRl8d9kbhUoBOlpxx43o7UfISYP+dwc6/BYd8XQ3dKU91PXCJdHIyzc4oPD/IAPelGqYn9u0AOpga6CQW1Ge/j1iNEinrw0KYn0eouDBvG0RQuEdwOrnrasdb7O6UcUe6yw6bH0TrNYuhK2Tfk5oXEbgosre2OUL92bMHfyVMvFwTAjliIp4DlPTSV1uIMs2iY8eVgUfyghHA8pgF+pzig3MYsio3Tio0JzVDE8Ct1y5syKN26T057Z9+kEJhOuCGeKYR5XNgvQ25tuCkgy70GvYS3czQNyJQi3hPSbeGMfYuQ4h/7SuqdPTN1iGhmdb+/nRq+7EmtxvHmWsWp1FtHrzJJnsfNu3wRyhDe79WLR/9h8Uqk1juC1hzf5v1BLE06lKfUN5ssz7E/m5YNrEvOGzH5l1jqgKOLc0gr5/ak5uf7brjjqZKTKpJ4hR34P68zgMKwG/44PRILX2WD+eSzyrnj/UrhTbVPlPI2k63ZvInDJcQHu6K1GgFV3psn5hu+FTum39MYnX4ILFJBZh2LlZTmO1bLIPzgDPe/hUqjkCtzyvzYIrHsBo/BI3vDnbv7YLpw6lJQxBAuwd1b5p9YErQBL+jyWk/1utzYFBg5MwmszublD9V90IIeWWGRDa+dLqzdr0SF5u0qI+aWZY8VvCzxJOQi5/7rlXM5g0MSfbG13ZsLb3C1BuhpI0KAYXb1ntgBFXoKsRElQezxiFyCVCZTaGyoU6I94DE7EoOmAp3ZSoCjmrzSlBu8S7Rab2UOIVCIEG/hc4zMD/4AYSeZCsR6mz0AE72gV8ks2Qz45yHgzL8yZOjT/CwbuJbu2fB64uTSkVc58jk+R5Cf1GeMTGxwk24gSDo/3aQ5qkt4nATQmZNkiuBVQIQAr8hCVR03YNuFl7QjWoLCHznZd9LMc26IB9CvADU/VNU0moZcbEN0GtHkhRfGjXPzXu0l0oeTDZlxyZrymnj8I8EnlSTD3aglykA6G45BbDz4wKF48AfXCsjClEDLz//2J5RZ5zbE8SK49UTLpFtRCVciXqDMXHRZbUzT/4z0

On Sun, 2 Feb 2020 09:51:46 -0500
Adam Chlipala
<adamc AT csail.mit.edu>
wrote:

> On 2/1/20 11:30 PM, Timothy Carstens wrote:
> > Consider the following workflow:[...]
> > 5. User runs coqc foo.v
> >
> > [...]
> >
> > If so, then (5) is inherently an unsafe thing to do, and in that
> > case I don't see how Coq could be used to certify untrusted code.
> > You'd need to first do a code review of the ltac and everything
> > else to convince yourself that it was safe to compile.
>
> I think this might be a case of many people on this mailing list
> taking workflow details for granted and not realizing they should be
> spelled out. No, the clear community recommendation would be to
> check .vo files, not .v files. However, that mode requires
> additional code-review tools that pretty-print crucial parts of .vo
> files in sufficiently readable ways (definitely not involving Ltac,
> plugins, etc., and in fact with no need to display proof terms, just
> "final" theorem statements and their dependencies).
>
> jonikelee AT gmail.com
> wrote:
>
> > I once used an
> > antequated proof system (pvs) that had a tactic language but also
> > had the ability to "macro-expand" the tactics into atomic proof
> > steps and record the resulting fully expanded proofs in a file.
> > Having that eliminates the need to run the tactic language later to
> > verify the proof, and thus the possibility that someone can exploit
> > the tactic language.
> That sure sounds like .vo files and, in general, the trust philosophy
> at the heart of the Coq project since the beginning.
>

If the tools you requested above existed, I might be able to see that
this is the case! So, that request gets a +1 from me.

Re: [Coq-Club] Safe to download and compile .v from evil source ?, (continued)
- Re: [Coq-Club] Safe to download and compile .v from evil source ?, Emilio Jesús Gallego Arias, 02/02/2020