The in-file heuristic ignores the --oraclename command-line option #478
Comments
This is the expected behavior. Using the In my opinion such a behavior would not be very intuitive and I don't see the need for it. In your case, you can specify the oracle file directly in the model like To avoid misconceptions in the future, I'm in favor of integrating the Specifying
There is a security consideration that we should at least discuss: an untrusted spthy file could unexpectedly call a script that damages the system. This also came up in the discussion for #220. My proposal would be to guarantee that file
Unintentional or even malicious code execution through oracles is definitively a thing we should avoid. However, allowing
Instead, I propose asking the user if they trust all the oracles that are specified in the theory like
To suppress these questions and trust all oracles, we can add a flag
Hi!
On 2. Sep 2022, at 10:52, Kevin Morio ***@***.***> wrote:

> Unintentional or even malicious code execution through oracles is definitively a thing we should avoid.
> However, allowing bla.spthy to only call bla.spthy would severely limit the usefulness of the feature and be diametrical to the original intentions I had with it: Using different oracles for different lemmas.

I think that's supported, at least I saw it in some oracles, e.g., `examples/csf19-wrapping/gcm.spthy.oracle`. ARGV[1] gives the current lemma name, which the default oracle can use.
(Note: this does not seem to be documented in https://tamarin-prover.github.io/manual/book/011_advanced-features.html)

> Instead, I propose asking the user if they trust all the oracles that are specified in the theory like
> Do you trust "./bla-default"? [y/N]
> Do you trust "./bla-A"? [y/N]
> Do you trust "./bla-B"? [y/N]
> To suppress these questions and trust all oracles, we can add a flag --trust-oracles or even --trust-oracles "./bla-default" "./bla-A" "./bla-B".

That seems like a lot of work for the user and some engineering, too (how to do interactive prompts in GUI mode? Can we always do this if we are not in the IO monad?).

Cheers, Robert
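Added example (not code from the Tamarin project or from anyone in this thread): a single oracle script that dispatches on the lemma name, the technique Robert refers to above. It relies on the oracle interface described in the thread and the Tamarin manual: Tamarin runs the oracle with the lemma name as argv[1], passes the open goals on stdin as `index:goal` lines, and reads back the indices to solve first, one per line. The lemma names, goal patterns and sample goals used here are constructed for illustration and are not taken from any real theory.

```python
#!/usr/bin/env python3
"""Added example, not a script from the Tamarin repository.

One oracle serving several lemmas. Tamarin invokes the oracle as
    oracle <lemma-name>
with the open goals on stdin, one per line, formatted "<index>:<goal>".
The oracle prints the indices it wants solved first, one per line,
highest priority first. Lemma names and goal patterns below are
constructed for illustration.
"""
import re
import sys

# Per-lemma priority tables (constructed): regexes matched against the
# goal text; earlier entries are solved first.
RULES = {
    "secrecy": [r"!KU\( ~k", r"!KU\( senc", r"St_"],
    "authentication": [r"St_", r"!KU\( sign", r"!KU\("],
}
# Used for any lemma without its own table.
DEFAULT_RULES = [r"St_", r"!KU\("]

GOAL_RE = re.compile(r"^\s*(\d+)\s*:\s*(.*)$")


def parse_goals(lines):
    """Parse "index:goal" lines into (index, goal_text) pairs.

    Lines that do not look like goals are ignored so that stray
    output on stdin cannot derail the ranking.
    """
    goals = []
    for line in lines:
        m = GOAL_RE.match(line)
        if m:
            goals.append((int(m.group(1)), m.group(2)))
    return goals


def rank(lemma, lines):
    """Return goal indices in the order they should be solved.

    Each rule is applied in turn; a goal is listed once, at the position
    of the first rule it matches. Goals matching no rule are not listed
    and are left to Tamarin's own ranking.
    """
    rules = RULES.get(lemma, DEFAULT_RULES)
    goals = parse_goals(lines)
    picked = []
    for pattern in rules:
        for idx, text in goals:
            if idx not in picked and re.search(pattern, text):
                picked.append(idx)
    return picked


def main():
    # argv[1] is the lemma name; dispatch on it (the point of the thread).
    lemma = sys.argv[1] if len(sys.argv) > 1 else ""
    for idx in rank(lemma, sys.stdin):
        print(idx)


if __name__ == "__main__":
    main()
```

Run it as `heuristic: o` with `--oraclename=<this script>`; the script never needs to know which lemma is being proved at install time, because the name arrives in argv[1] on every call.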
The global file heuristic introduced in PR #303 (and included in PR #304) ignores the `--oraclename` command-line option. If a theory specifies the global file heuristic as `o` or `O`, Tamarin ignores the oracle specified in `--oraclename`. Instead, it tries to use the default oraclename ("./oracle").

Steps to invoke this behavior:
1. `heuristic: o` or `heuristic: O`.
2. `--prove --oraclename=oracle_for_the_theory.oracle` (some oracle with a filename different than `oracle`). Do not specify another heuristic in the command line, as this would overwrite the in-file heuristic.

"./oracle" is the default oraclename used by Tamarin when no oraclename was specified. Yet, Tamarin tried to use it, although `--oraclename` was specified in the command line.

Note: Heuristics in lemma attributes exhibit the same behavior (issue #372). As per PR #406, this is considered correct behaviour for them.

Edit: rewrote/added the note