Taxonomy of Approaches to Trusted Extension of Interactive Theorem Provers
Trust basis for ITPs
- LCF-style trust (thm data type with approved inference rules)
Note: Randy Pollack's paper "On extensibility of proof checkers" (volume 996 of LNCS, 1995), according to an email from Randy, explains several variations on LCF and what they each mean for the power of tactics. BTW, Isabelle uses another variation on LCF style that is not covered in my paper.
- Trust based on proof objects
- Trust based on well-specified logic and careful coding
- Others?
Archeology of existing approaches to TEITP
Bold items are those that have the strongest trust stories.
Italic bold items have a somewhat strong trust story.
- Theory extensions
- Definitions (constants/functions; data types); recursion
- Generic and partial definitions
- Non-conservative extensions
- Language extensions
- Pattern-matching
- Macros
- Other
- Scoping
- Practicalities of theory development: theory files, certified books (ACL2), package management (OpenTheory), module systems (which may be parametric), conservativity issues, ....
- Automating inferences
- LCF-style: Small set of primitive rules applied via tactics
- Non-LCF-style: Large trusted kernel to automate rule application (e.g., rewrite rules)
- Metatheoretic approaches, reflection
- Tags
- Code extension
- External tools
- Formally verified use
- tool proved correct (reflection)
- each use verified (proof traces)
- hybrid?
- Informally verified use
- use of tags
- correct translation
- social process
- Hacked-up connection without logical story
- System code extension
- Metatheoretic approaches
- Careful hacking
- Others?
- Practical issues: interfaces, standards, version control
- Execution on concrete data
- ... in support of proofs
- ... for testing, including counterexample generation
- Support for efficiency (compilation, parallelism, alternate definitions, ...)
- Higher-level approaches
- Extension to verification systems (VCGs etc.)
- Decompilation, reducing imperative to functional programs
- Other?
- Interfaces
- GUIs
- Multi-user support
- Trust issues