-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Monad attacks #154
Monad attacks #154
Conversation
… to cope with UntypedAttack
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I looked at the first 6 files today. So far the interface looks approachable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed one more file.
-- combinations where /at most/ three (one for each focus) extra constraints | ||
-- are added. One of these combinations is of course the one where nothing | ||
-- is added, and that one is omitted, which brings the grand total down to | ||
-- 71 options. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't figure out from this paragraph what combination of constraints are applied in each modified transaction.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In a similar vein, making sure I'm following... you get 72 because you try 0, 1, or 2 additional SpendsScript
constraints for the first PaysScript
constraint, then 0, 1, 2, or 3 for the second, etc.? Hence (2+1)(3+1)(5+1)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll enumerate them explicitly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I finished reviewing all the files. I payed full attention to the documentation, and some to the implementation.
On the documentation side, I think the PR is a net improvement, despite of the requests for clarification that I left in comments.
The PR is larger than ideal, but I don't think it is worth splitting it. If we were to question fundamental assumptions, a lot of it might need to be redone. As possible, it would be better to submit pieces of the work as they are created, even if some parts need amends later on.
That said, I like the direction of the changes which gives more opportunity to reuse the code that defines the attacks (so called composability). We would need to collect some custom attacks to show the reuse in action, which I guess would be the substance of motivating the change. Maybe it is already possible to build the case with the implemented attacks, I'm not sure.
I edited my review to add nothing less than the positive feedback. Please, excuse me for the hiccup. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To me, the PR is too large to be merged directly. The ideal timeline would be :
- a PR that presents the new Attack type as well as the direct abstract attacks deduced from it
- a PR with single steps modifications working on concrete elements such as paysScripts
- a PR with higher scale modification covering for example all misc constraints
- a PR with the new implementation for each of our "real" attacks such as DoubleSat
- a PR with new examples / updated examples
This way, it would be a lot easier to review, a lot easier to implement changes based on the previous reviews and, overall, this would lead to a result that will more likely suit each of us. Not saying, of course, that the current result is not suitable, just that a better process in such big PRs can go a long way into improving our work, getting better feedback and ultimately coming up with a refined and improved final result.
On another note, this is a great work, we get most of the features we wanted as well as a nice flow to build attacks based on smaller steps modifications. I'm eager to see these changes merged once the process leading to the full merge has been improved.
I suggest to stash the modifications, checkout the current main version and integrate the stashed changes following the outline presented at the beginning of this review comment.
module Cooked.Attack.TamperDatum, | ||
) | ||
where | ||
module Cooked.Attack (module X) where |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am still unsure that the single steps modifications should be called attacks. Why not
- call the single steps modifications "Modifications" although there might be conflict there with the meaning of modifications in LTL
- call actual aggregations of modifications toward a specific goal "Attacks"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have mostly nitpicking and bikeshedding comments. Feel free to ignore!
Also, I've seen from left to right
in the docs in a couple of places where indexing is mentioned. I'm not sure there's a natural order to constraints/etc (that's not defined in a circular way on indexing).
|
||
instance MonadPlus Attack | ||
|
||
-- * Simple attacks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is largely bikeshedding, but how do you reckon renaming the attacks to drop the Attack
word everywhere (and renaming what clashes with optics here)? I'd rather import this module qualified instead of having Attack
everywhere, especially when writing more complex ones. As for these simple attacks, we could adopt either MonadState
or optics lingo, and for the former we could rename mcstAttack
→ get
, viewAttack
→ gets
, and so on.
After all, the Attack
monad itself seems out to be not just about attacks, but rather more generic and about state (that just happens to be MockChainSt
in our case) and non-determinism over it.
But, again, this is very much a personal preference, so please feel free to leave it as is it now.
Co-authored-by: 0xd34df00d <georg.rudoy@tweag.io>
So, let me summarise the state of this PR:
|
I think that my last question is interesting enough to warrant its own issue, which I opened: #165. For the purposes of this PR, I think we should leave |
In my perception, after talking to many of you, all unanswered questions are now recorded as issues, and only these two remain:
|
I think is much better. Thanks.
Tweak is good. Should it be plural? An attack can produce more than one modification, right? |
* Start experimenting with attacks in an arbitraty monad * Try Attack = MockChainSt -> TxSkel -> Maybe (TxSkel, a) * Rewrite the dupTokenAttack as a combination of smaller attacks * Add tests for the modified dupTokenAttack * Rewrite the datumHijackingAttack in the new language * Better rewriting of the datumHijackingAttack * Make attacks return lists, revert the LTL module to main * Move 'somewhere' and 'everywhere' to MockChain.Monad.Staged, in order to cope with UntypedAttack * Tests for datumHijackingAttack; weird behaviour in mkSelectAttack * Found the culprit in mkSelectAttack, added regression test * Redefine mkAttack and the datumTamperingAttack * Rewrite permutOutAttack and its tests * Reintroduce non-attack tests, remove tests for '<>' on 'Attack's * Status save on doubleSatAttack * Make an extra module for attacks that add/remove constraints * Rewrote the doubleSatAttack * Some better comments at the double satisfaction attack * Rewrite tests for doubleSatAttack * Test the addConstraintsAttack * Adapt the examples to the new attacks * Some attacks to add and remove OutConstraints * Make cooked export everything * Address Facundo's and Lucas' comments, first half * Rework the test for the doubleSatAttack * Address more comments from Facundo an Mathieu * Make some tests more structured, as suggested by Facundo * Incorporate suggestions from Georg * Update cooked-validators/src/Cooked/Attack/AddConstraints.hs Co-authored-by: 0xd34df00d <georg.rudoy@tweag.io> * Cleanup from the last commit * Repair 'sameConstraints', yet again * Rename Attack -> Tweak Co-authored-by: 0xd34df00d <georg.rudoy@tweag.io>
This PR defines
and uses the fact that this type is a monad with branching and failure capabilities to rework our attack language. A good first example to see this in action is probably the simplest of the "big" attacks: The token duplication attack.
This is not yet completely finished, in particular:
Cooked.Attack.AddConstraints
are heavily biased towards input constraints, because that's what I needed so far. This should be made more symmetric.Cooked.Tx.Constraints.Optics
However, it's ready for feedback and review!
If merged, this PR will close #143 .