Joint team with LIX (Laboratoire d'Informatique de l'Ecole Polytechnique) and CNRS.

The research of the COMETE team focuses on the theoretical foundations of distributed and mobile systems. The project follows two main directions: the study, implementation and applications of the probabilistic -calculus, a variant of the -calculus, and the use of higher-order functional programming languages for distributed applications, in particular in the context of peer-to-peer systems.

Our main field of application are large-scale Distributed Mobile Systems (DMS) of computing devices of varying character providing diverse services. In this context, it is a daunting technical and scientific challenge to develop reasoning techniques which allow us to build systems guaranteeing that processes and data move in a secure, highly distributed network of devices which may individually exhibit failures but together work as a reliable, dependable system.

Formal *Specification and Verification*
is of great help for system building and reasoning. The
issue is to formally verifying whether a given system complies with
a given specification typically expressed as temporal/spatial logic
formulas, process expressions, or automata.

*Model checking* prevails in today's
verification techniques. However, model checking usually needs a
*finite-state* representation of systems, while
most DMS are inherently open: there is no bound on the
number of resources/devices that can be part of a system.
In other words, many DMS's phenomena are best represented in models
providing for unbounded or infinite systems. We consider
the challenging problem of extending model checking techniques,
possibly by combining them with deductive techniques, for
the verification of DMS in *unbounded or (infinite)* scenarios.

*Fault tolerance* is a fundamental issue of DMS as they must
often provide reliable services despite the occurrence of various types
of failure. The use of specifications enriched with
*stochastic* information and *probabilistic* reasoning provides
a powerful mathematical tool for analyzing DMS that may exhibit failures.
For example, stochastic information with probabilistic techniques
can be used for specifying the rate at which faulty communication
channels drop messages and for verifying message-delivery properties of
the corresponding system. The probabilistic
specification and verification of DMS
is one of goals of COMETE.

The highly distributed and mobile nature of the systems
under consideration makes them more accessible and hence more vulnerable.
*Security* is therefore crucial for these systems.
The specification and verification of security properties
has until now mainly addressed finite-state, deterministic processes (or protocols). We
believe that more attention needs to be paid to
infinite-state and probabilistic frameworks for the faithful
modeling of features such as *nonce generation*, *cryptographic
attacks*, and an *open number of participants*. Such features
are prominently present in the DMS we are interested.

Our general goal is to provide rigorous theories and tools for the
specification and verification of DMS. In particular, we shall deal
with the following fundamental specific issues in the specification
and verification of DMS: *Infinite (or Unbounded) Systems*, *Probabilistic
Specifications* and *Specification and Verification of Security*.
Our approach will involve the use of tools from Process Calculi,
Constraint Technology and Probabilistic Methods. We shall introduce
these tools before describing our project approach.

Calculi for expressing and formalizing the basic features of concurrent systems

Process calculi treat processes much like the -calculus
treats computable functions. They provide a language in
which the structure of *terms* represents the structure
of processes together with an
*operational semantics* to represent computational
steps. For example, the term , which is built from
P and Q with the *constructor*,
represents the process that results from the parallel execution of
those represented by P and Q. An operational semantics
may dictate that if P can evolve into in a computational step
then can also evolve into in a
computational step.

An appealing feature of process calculi is their *algebraic*
treatment of processes. The constructors are viewed as the
*operators* of an algebraic theory whose equations and
inequalities among terms relate process behavior. For instance, the
construct can be viewed as a commutative operator, hence
the equation states that the behavior
of the two parallel compositions are the same. Because of this algebraic
emphasis, these calculi are often referred to as *process
algebras*.

Typically the operational semantics of process calculi
interpret process term by using transitions
(labeled or not) specifying its computational steps ().
A labeled transition specifies that P
performs and then behaves as Q. The relations
are defined according to the process calculus
under consideration. In the next section we shall see those for the
-calculus ( ) which is perhaps
the most prominent representative of calculi for mobile systems.

In the early 90's Milner, Parrow, and Walker proposed the -calculus ( ), a small paradigm for concurrency similar to CCS (the calculus for Communicating Systems, ) but enriched with constructs to support the the novel and powerful notion of link mobility. This proposal has had a tremendous impact on the community of Formal Methods for Concurrency, and stimulated or influenced research in other areas too, like for instance Security (cfr. the spi-calculus, ).

The -calculus, like CCS, models communication by
handshaking, namely as a *synchronous* interaction of both partners
(rules Com and Close).
A few years after the introduction of the -calculus,
Honda and Tokoro ( ) and, independently,
Boudol ( ), proposed a variant which
models asynchronous communication instead.
This variant has become known under the name of
asynchronous -calculus (_{a}-calculus for short).

The _{a}-calculus became quickly very popular, for several reasons:

it is an elegant model of asynchronous communication, more abstract and more symmetric than previously proposed calculi for asynchronous communication,

it has been ``faithfully'' implemented ( ),

it is simpler than the -calculus, because it has fewer constructs, and yet

it was believed to have the same expressive power as the
-calculus. This equivalence was not formally proved, but there were several
hints in this direction: Milner's encoding of the
lambda calculus in the -calculus was re-done for
_{a} ( ), it was shown that
output prefix can be simulated
( ), and input-guarded choice
as well
( ).
Note that this justifies the more recent presentations
of the _{a}-calculus, which include
input-guarded choice as an explicit operator ( ).

It was not only until some years later that the claim of equivalence
was refuted: in it was shown that the
-calculus is strictly more expressive than
the _{a}-calculus, in the sense that it is not possible
to encode the first into the latter in a *uniform* way while
preserving a *reasonable* semantics. Uniform essentially means
homomorphic with respect to the parallel and the renaming operators, and reasonable means
sensitive to the capability of achieving success in all
possible computations. This result is based on the
fact that in the -calculus it is possible to define an algorithm for
leader election in a symmetric network,
while this cannot be done with the _{a}-calculus. In it was shown that the additional expressive
power is due exactly to the mixed choice construct: choices with homogeneous
guards (i.e. with input guards only, or output guards only) can be eliminated.

A consequence of the above results, however, is that the
-calculus cannot be implemented deterministically

Logics for expressing and formalizing properties of concurrent systems

In COMETE we are interested in verifying whether a given process satisfies certain properties. These properties are often expressed in some logical formalism.

A way of expressing process specifications is by using a process logic. One such a logic is the Hennesy-Milner's modal logic. The discriminating power of this logic with respect to a finite processes (i.e., recursion-free processes) coincides with strong bisimilarity (see ). That is, two finite processes are strongly bisimilar if and only if they satisfy the same formulas in the Hennessy-Milner's logic.

Hennesy-Milner's logic can express
local properties such as ``an action must happen next'' but it
cannot express long-term properties such as
``an action eventually happens''. This kind of property, which
falls into the category of *liveness properties* (expressing that
``something good eventually happens''), and also *safety
properties*
(expressing that ``something bad never happens'') have been found to
be useful for reasoning about concurrent systems.
The modal logics attempting to capture
properties of the kind above are often referred to as *temporal-logics*.

Temporal logics were introduced into computer science by
Pnueli ( )
and thereafter proven to be a good basis for specification as
well as for (automatic and machine-assisted) reasoning about
concurrent systems. Temporal logics can be classified into linear
and branching time logics.
In the *linear* case at each
moment there is only one possible future whilst in the *branching* case at
each moment time may split into alternative futures.

This research is carried over in cooperation with Biorn Victor (Uppsala University), Vijay Saraswat (IBM, USA), and Stefan Dantchev (University of Durham, UK)

Constraints and process calculi approaches for proving properties of infinite-state systems

Verifying infinite systems is a particularly challenging and a relatively new area. Practical applications of this are still at a preliminary stage.

Constraint-based verification ( ) has shown to be promising approach for infinite systems since a constraint formula is a natural symbolic representation of an infinite state set.

*Open Constraint Satisfaction Problems* have been recently introduced
for specifying and solving constraints problems in highly distributed
networks. In such a context typically there is no bound on the number
of devices/resources that can be part of a given network. Algorithms
for this kind of problems and their applications have been considered
in . Nevertheless
little attention has been paid to the computational limits of these
problems. I.e., studies establishing, for interesting classes of these
problems are actually computationally solvable. This is certainly
an issue when you allow unbounded number of resources as it is the
case in DMS.

The study of expressive power of different forms of specifying infinite-behavior in Process Calculi is a recent line of research bringing understanding for infinite behavior of concurrent systems in terms of decidability.

Our work in (see also ), to our knowledge the first of this kind, deepened the understanding of process calculi for concurrent constraint programming by establishing an expressive power hierarchy of several temporal ccp languages which were proposed in the literature by other authors. These calculi, differ in their way of defining infinite behavior (i.e., replication or recursion) and the scope of variables (i.e., static or dynamic scope). In particular, it is shown that (1) recursive procedures with parameters can be encoded into parameterless recursive procedures with dynamic scoping, and vice-versa; (2) replication can be encoded into parameterless recursive procedures with static scoping, and vice-versa; (3) the calculi from (1) are strictly more expressive than the calculi from (2). Moreover, it is shown that the behavioral equivalence for these calculi is undecidable for those from (1), but decidable for those from (2). Interestingly, the undecidability result holds even if the variables in the corresponding languages take values from a fixed finite domain whilst the decidability holds for arbitrary domains. The works present similar results in the context of the calculus for communicating systems (CCS).

Both the expressive power hierarchy and decidability/undecidability results give theoretical distinctions among different ways of expressing infinite behavior. The above work, however, pay little attention to the existence efficient algorithms for the corresponding decidability questions or the existence of semi-decision procedures for the undecidable cases. These issues are fundamental if we wish to verify infinite-state process specifications, and hence we shall address it in this project.

Formalisms to express security properties and protocols and to verify them

Security protocols, also known as cryptographic protocols, are small concurrent programs designed to provide various security services across a distributed system. These goals include: authentication of agents and nodes, establishing session keys between nodes, ensuring secrecy, integrity, anonymity, non-repudiation, fairness, and so on. The challenge comes from the fact that we want to guarantee security of exchanges between participants using non-secure mediums, whose weaknesses can be exploited by malicious adversaries. In certain cases, like in the non-repudiation and fairness problems, we cannot even be sure that the participants are honest.

With the increasing degree of distribution and mobility of modern systems, and the increasing number of applications such as electronic commerce, electronic vote, etc, these protocols are becoming more and more used, and their correctness more and more crucial. Establishing the correctness of these protocols, however, is not an easy task; the difficulties arise from a number of considerations:

The properties that they are supposed to ensure are extremely subtle; the precise meaning of a property is often a matter of debate and needs to be formally specified.

The capabilities of adversaries (intruders, attackers, ...) are difficult to capture.

By their nature security protocols involve a high degree of concurrency, which makes the analysis much more complicated.

Several formalisms have been proposed for the specification of the protocols and intruders, for the description of the security properties, and for proving correctness. For example, the Strand spaces ( ), the spi-calculus ( ) and other process calculi ( ), formalisms based on linear logic ( ), on set-rewriting ( ), on rewriting logic ( ), on tree automata ( ), and on set constraints ( ).

The foundational research of COMETE (process calculi, communication and mobility, probablistic studies, semantics and logics for concurrency, etc.) and the software tools we develop address the needs of many application domains. They are virtually applicable to any system or protocol made of distributed agents communicating by asynchronous messages, and where, possibly, the communication structure can change dynamically. Here we list the main domains of applications we envisage:

Distributed and mobile systems: election algorithms, dynamic reconfiguration algorithms, fault tolerance algorithms;

Databases: transaction protocols, distributed knowledge bases;

Security protocols: authentication, electronic transactions;

Telecommunications: mobile telephony, active network management, hot reconfigurations, feature interaction detection;

*MLdonkey* is a multi-networks peer-to-peer file-sharing
client. It is widely used in the Unix community (more than 10,000 users),
and allows connections to the most important networks
(eDonkey, Overnet, Kazaa,
Gnutella, etc...). It is available at
http://www.mldonkey.net.
See also the forum for mldonkey users:
http://www.mldonkeyworld.com/.

The *Ocaml Memory Profiler* is a tool to
instrument Objective-Caml programs, to gather information about how
memory is used during an execution, and how the memory footprint of a program
can be decreased.
It is available at
http://pauillac.inria.fr/~lefessan/src/memprof-ocaml-3.07.tar.gz.

Our proposal, _{pa} (probabilistic asynchronous -calculus)
is based on the model of probabilistic automata of Segala and Lynch
( ), which has the above discussed
characteristic of distinguishing between probabilistic and
nondeterministic behavior.

In we have defined a uniform, compositional
encoding from to _{pa}. Our encoding involves solving a
resource allocation problem that can be regarded as a generalization
of the dining philosophers problem, in the sense that there may be
more philosophers than forks . The correctness
of the encoding is proved with respect to a notion of testing
semantics adapted to the probabilistic asynchronous pi-calculus. More
precisely, we have shown that our encoding is correct with probability
1 with respect to any adversary.

An implementation of _{pa} into a Java-like
language was outlined in
.
The idea is to compile processes into threads, and channels
as (shared) objects with synchronized methods for the send and
receive operations.

Although Java is shared-memory, we regard the proposed implementation as a basis for a distributed implementation. In fact, in the compiled code, the threads corresponding to processes communicate only via the objects representing the channels. Furthermore the translation is distributed in the strong sense of being homomorphic with respect to the parallel operator. Namely, the translation does not introduce any ``central process'' to coordinate the activities of the treads corresponding to the original processes.

In the future we plan to develop
a fully distributed, efficient, and failure-robust implementation for
pi_{pa}.
Copying with failures may influence the design of the language as well.

One of the medium-term goals of COMETE is to provide an axiomatization for the probabilistic asynchronous -calculus described in Section .

Some preliminary steps in this direction have been achieved in . In that paper we have studied a process calculus which combines both nondeterministic and probabilistic behavior in the style of Segala and Lynch's probabilistic automata. We have considered various strong and weak behavioral equivalences, and we have provided complete axiomatizations for finite-state processes, restricted to guarded definitions in case of the weak equivalences. We conjecture that in the general case of unguarded recursion the ``natural'' weak equivalences are undecidable.

This is the first work, to our knowledge, that provides a complete axiomatization for weak equivalences in the presence of recursion and both nondeterministic and probabilistic choice.

In systems that model quantitative processes, steps are associated with a given quantity, such as the probability that the step will happen or the resources (e.g. time or cost) needed to perform that step. The standard notion of bisimulation can be adapted to these systems by treating the quantities as labels, but this does not provide a robust relation, since quantities are matched only when they are identical. Processes that differ for a very small probability, for instance, would be considered just as different as processes that perform completely different actions. This is particularly relevant to security systems where specifications can be given as perfect, but impractical processes and other, practical processes are considered safe if they only differ from the specification with a negligible probability.

To find a more flexible way to differentiate processes, we have
considered the notion of metric, which is a function that associates a
real number (distance) with a pair of elements. In ,
we have studied metric semantic for a general framework that we call
*Action-labeled Quantitative Transition Systems* (AQTS). This
framework subsumes some other well-known quantitative systems such as
probabilistic automata ( ), reactive and
generative models ( ), and (a simplified
version of) weighted automata
( ).

The metric semantics that we have investigated in is based on rather sophisticated techniques. In particular, we needed to resort to the notion of Hutchinson distance.

Our ultimate goal is to investigate metric semantics for the probabilistic asynchronous -calculus described in Section .

The concept of anonymity comes into play in a wide range of situations, varying from voting and anonymous donations to postings on bulletin boards and sending mails. A formal definition of this concept has been given in literature in terms of nondeterminism.

The ntcc process calculus is a timed concurrent constraint programming (ccp) model equipped with a first-order linear-temporal logic (LTL) for expressing process specifications. A typical behavioral observation in ccp is the strongest postcondition. In ntcc strongest postcondition denotes the set of all infinite output sequences that a given process can exhibit. The verification problem is then whether the sequences in the strongest postcondition of a given process satisfy a given ntcc LTL formula.

In literature there are several process calculi differing in the constructs for the specification of infinite behavior and in the scoping rules for channel names. In we have studied various representatives of these calculi based upon both their relative expressiveness and the decidability of divergence. We regard any two calculi as being equally expressive if and only if for every process in each calculus, there exists a weakly bisimilar process in the other. By providing weak bisimilarity preserving mappings among the various variants, we showed that in the context of relabeling-free and finite summation calculi: (1) CCS with parameterless (or constant) definitions is equally expressive to the variant with parametric definitions. (2) The CCS variant with replication is equally expressive to that with recursive expressions and static scoping. We also stated that the divergence problem is undecidable for the calculi in (1) but decidable for those in (2). We obtain this from (un)decidability results by Busi, Gabbrielli and Zavattaro, and by showing the relevant mappings to be computable and to preserve divergence and its negation. From (1) and the well-known fact that parametric definitions can replace injective relabellings, we showed that injective relabellings are redundant (i.e., derived) in CCS (which has constant definitions only).

In particular, we have studied open constraint satisfaction problems
allowing *infinitely*, or *unboundedly*, many *indexed*
variables as in, e.g., x_{i}>x_{i + 2} for each i = 1, 2, .... We
first showed that (1) if the indices are one-dimensional and specified
in the theory of the natural numbers with linear order (the theory of
) then the satisfiability problem is
*decidable*. We then proved that, in contrast to (1), (2) if we
move to the two-dimensional case then the satisfiability problem is
*undecidable* for indices specified in
and even in
. Finally, we showed that, in contrast to (1)
and (2), already in the one-dimensional case (3) if we also allow
addition, we get undecidability. I.e., if the one-dimensional indices
are specified in *Presburger arithmetic* (i.e., the theory of
) then satisfiability is
*undecidable*.

Arc-Consistency (AC) techniques have been used extensively in the study of Constraint Satisfaction Problems (CSP). These techniques are used to simplify the CSP before or during the search for its solutions. Some of the most efficient algorithms for AC computation are AC6++ and AC-7. The novelty of these algorithms is that they satisfy the so-called four desirable properties for AC computation. The main purpose of these interesting properties is to reduce as far as possible the number of constraint checks during AC computation while keeping a reasonable space complexity.

We studied the solvability of agreement algorithms in synchronous systems
with failures, from their complexity point of view. In particular, we
designed algorithms to solve a family of agreement problems, called the
k-Tag problems, in the optimal number of rounds depending only on the
number of failures appearing in the system. k-Tag problems share the *Uniformity* and *Termination* conditions of the Consensus problem, while
the *Validity* condition is parameterized on k. This family includes
problems where the decided value must be proposed by a majority of members,
together with the well-known Uniform Consensus and Non-Blocking Atomic
Commitment problems. This work has been published in SOFSEM'2004 .

This work has been done in collaboration with Anne-Marie Kermarrec (IRISA), Laurent Massoulie (Microsoft Research Cambridge), Simon Patarin (University of Bologna) and Sidath Handurukande (EPFL). We designed a protocol to improve searches in file-sharing networks, using semantic links between peers based on semantic clustering (the proximity of users' tastes). The originality of this work, published in SIGOPS'2004 , resides in the use of real traces we collected from the Edonkey network to measure the efficiency of the algorithm. These traces were collected during a few months using a modified version of MLdonkey, a peer-to-peer client written in a functional language, Objective-Caml by Fabrice Le Fessant. An analysis of these traces also appeared in the IPTPS'2004 workshop and a more detailed one has been submitted recently to the conference NSDI'2005 . We also worked on the collection of another trace of the encrypted part of the Kazaa protocol, to obtain real information on the publications and requests issued by the clients, together with the topology on the network, which are currently not available in the research community and necessary to evaluate discovery protocols and to model real peer-to-peer networks. The interest of this topic is shown by the increasing number of collaborators joining our working group, such as Matthieu Latapy (LIAFA), Etienne Rivière (IRISA) and Laurent Viennot (INRIA).

Distributed applications differ from standard applications by their lifetime, ranging from several days to several months, and thus, relying heavily on the efficiency of the automatic memory-management to reclaim unnecessary memory. In particular, a special kind of memory leak appears almost only in these applications: unnecessary data which is however reachable from a global root, and thus cannot be reclaimed by automatic memory-management. We worked on a memory profiler for Objective-Caml, that could be used to analyze the memory footprint of running applications (using snapshots dumped in files), to detect where the memory is used, and which global roots might be responsible for memory leaks. A first version of this profiler was released in the current of the year.

The project ROSSIGNOL has started in 2003 and includes the following participants:

LIF. Responsable: D. Lugiez

INRIA Futurs. Responsable: C. Palamidessi

LSV. Responsable: F. Jacquemard

VERIMAG.Responsable: Y. Lakhnech

ROSSIGNOL focuses on the foundations of Security Protocols. The goal of this project is the development of abstract models, simple enough to be used for the definition of a comprehensible semantics for the language of security properties. In particular, the project focuses on probabilistic models.

The EGIDE/PAI program PICASSO aims at promoting the scientific and technological exchanges between France and Spain. The equip COMETE is participating, within this program, to a project whose participants are:

INRIA Futurs. Responsables: C.Palamidessi and D. Miller

Universidad Politécnica de Madrid. Responsables: James Lipton and Manuel Hermenegildo

The main aims of our project are the integration of the approaches developed by the INRIA and the UPM teams to the analysis and implementation of Higher-Order Languages (both sequential and concurrent), coinductive techniques (with special emphasis on lazy features), and in the areas of code validation, proof carrying code and security.

This project has been accepted in 2004 and will start its activities in January 2005.

Note: In this section we include only the activities of the permanent internal members of COMETE.

Frank D. Valencia and Kostas Chatzikokolakis are the organizers of the Comète-Parsifal Seminar. This seminar takes place weekly at LIX, and it is meant as a forum where the members of Comète and Parsifal present their current works and exchange ideas. See http://www.lix.polytechnique.fr/comete/seminarFrame.html.

Catuscia Palamidessi has been the co-organizer (together with Pierre-Louis Curien and Vincent Danos) of the ``Groupe de travail en Concurrence'' (Working group on Concurrency) at PPS, University of Paris VII, during the academic year 2003/04.

Catuscia Palamidessi is member of the Editorial Board of the journal on Theory and Practice of Logic Programming, published by the Cambridge University Press.

Catuscia Palamidessi is member of the Editorial Board of the Electronic Notes of Theoretical Computer Science, Elsevier Science.

Frank D. Valencia is area editor (for the area of Concurrency) of the ALP Newsletter.

Catuscia Palamidessi is the Program Committee Chair of ICALP 2005 Track B. 32nd International Colloquium on Automata, Languages and Programming. Lisboa, Portugal, 11-15 July 2005.

Catuscia Palamidessi has been a member of the program committees of the following conferences:

ICLP 2005. International Conference on Logic Programming. Barcelona, Spain, October 2005.

CONCUR 2005. International Conference on Concurrency Theory. San Francisco, California, USA, August 2005.

ESOP 2005. European Symposium on Programming. (Part of ETAPS 2005.) Edinburgh, Scotland, April 2005.

SOFSEM 2005 Track on Foundations of Computer Science. 31st Annual Conference on Current Trends in Theory and Practice of Informatics, Liptovsky Jan, Slovak Republic, January 2005.

CONCUR 2004. International Conference on Concurrency Theory. London, UK, August 2004.

TCS 2004. Track 2. 3rd IFIP International Conference on Theoretical Computer Science. Toulouse, France, August 2004.

ICALP 2004 Track B. 31st International Colloquium on Automata, Languages and Programming. Turku, Finland, July 2004.

Catuscia Palamidessi has been a member of the program committees of the following workshops:

FInCo 2005. Workshop on the Foundations of Interactive Computation. Edinburgh, Scotland, April 200

EXPRESS'04. 10th International Workshop on Expressiveness in Concurrency. London, UK, August 2004.

DCFS 2004. Workshop on Descriptional Complexity of Formal Systems. London, Canada, July 2004.

JFPLC 2004 Treizièmes Journées Francophones de Programmation en Logique et de programmation par Contraintes. Angers, France, June 2004.

SBLP 2004 Brazilian Symposium on Programming Languages. Niterói, Brazil, May 2004.

Frank D. Valencia has been a member of the program committee of:

ICLP 2005. 21st International Conference on Logic Programming. Barcelona, Spain, October 2005.

Fabrice Le Fessant has been a member of the program committee of:

ALGOTEL 2005, Septièmes Rencontres Francophones sur les aspects Algorithmiques des Télécommunications

ACM Transactions on Programming Languages, Theoretical Computer Science, Journal of Algebraic and Logic Programming, Information and Computation.

ESOP 2005, ICDCS 2005, SOFSEM 2005, CONCUR 2004, ICALP 2004, SOFSEM 2004, TCS 2004, ESOP 2003, POPL 2003.

Fabrice Le Fessant was Technical Director of the South-Western European Regional Contest of the ACM International Collegial Programming Contest, November 2004.

Note: In this section we include only the activities of the permanent internal members of COMETE.

Catuscia will teach a course on ``The process-calculus approach to security'' at the CIMPA-UNESCO School on Security of Computer Systems and Networks. Bangalore, INDIA, Jan-Feb 2005.

Fabrice Le Fessant has been teaching (with Cédric Fournet) a course on ``Programming in JoCaml'' at the Advanced Functional Programming Summer School, Oxford, August 2002.

Catuscia Palamidessi is co-teaching (together with Jean-Jacques Lévy, Pierre-Louis Curien, Erik Gobault and James Leifer) the course ``Concurrence'' at the ``Master Parisien de Recherche en Informatique'' MPRI in Paris. Winter semester 2004-05.

Catuscia Palamidessi has been teaching a Course on ``Probabilistic Methods in Concurrency'' at the PhD program in Pisa. July 2004.

Catuscia Palamidessi has been co-teaching (together with Jean-Jacques Lévy) the course ``Concurrence'' at the D.E.A. Sémantique, Preuve et Programmation in Paris. Winter semester 2003-04.

``Optimisation de programmes'' (programs optimization), Fabrice Le Fessant (with Behshad Behzadi), École Polytechnique, training for the ACM Programming Contest, May 1994.

Majeure ``Programmation Système sous Unix'', Fabrice Le Fessant (with Didier Rémy), January 2004.

The team COMETE has supervised the following internship students during 2004:

AdrianBalan (Ecole Polytechnique. Intern in COMETE since 1/11/2004 )

MohitBhargava (IIT Delhi, India. Intern in COMETE during 1/5–31/7/2004 )

Jean-BaptisteBianquis(DEA Programmation. Intern in COMETE during 1/4–30/9/2004)

Kostas Chatzikokolakis(DEA Programmation. Intern in COMETE during 1/4–30/9/2004)

Axelle Ziegler(DEA Programmation. Intern in COMETE during 1/4–30/9/2004)