We have continued our work on using superposition calculi in connection with combination methods. After our study of the disjoint case  , we are now focusing on some non-disjoint cases where the shared theories correspond to fragments of arithmetic. In  , we present some decidability results for the universal fragment of theories modeling data structures and endowed with arithmetic constraints. More precisely, all the theories taken into account extend a theory that constrains the function symbol for the successor. A general decision procedure is obtained, by devising an appropriate calculus based on superposition. Moreover, we derive a decidability result for the combination of the considered theories for data structures and some fragments of arithmetic by applying a general combination schema for theories sharing a common subtheory. The effectiveness of the resulting algorithm is ensured by using the proposed calculus and a careful adaptation of standard methods for reasoning about arithmetic, such as Gauss elimination, Fourier-Motzkin elimination and Groebner bases computation.

The Krakatoa Modeling Language (KML) is a specification language for Java. It is designed to allow algebraic-style specifications, which are more easily discharged by automated theorem provers than program-oriented specifications. A new feature introduced in Java 5 is genericity. We propose  extensions to KML for the algebraic specification of generic Java programs. The key features are the introduction of parametricity both for types and for theories and an instantiation relation between theories. Two significant examples illustrate this extension: the specification of the generic method for sorting arrays and the specification of a generic hash map and its use for memoization. We discuss soundness conditions and their verification.

With Florent Jacquemard (project-team Dahu) we have proposed in   a model for XML update primitives of the W3C XQuery Update Facility as parameterized rewriting rules of the form: "insert an unranked tree from a regular tree language Las the first child of a node labeled by a". For these rules, we give type inference algorithms, considering types defined by several classes of unranked tree automata. We show that typechecking for arbitrary sequences of XML update primitives can be done in polynomial time when the unranked tree automaton defining the output type is deterministic and complete, and that it is EXPTIME-complete otherwise.

We then apply the results to checking the local consistency of a policy, that is, the non-existence of a sequence of authorized update operations starting from a given document that simulates a forbidden update operation.

Some attacks exploit in a clever way the interaction between protocol rules and algebraic properties of cryptographic operators. In  , we provide a list of such properties and attacks as well as existing formal approaches for analyzing cryptographic protocols under algebraic properties.

Focusing on ground deducibility and static equivalence (checking whether two sequences of messages are indistinguishable to an attacker), we propose a general setting for solving deducibility and indistinguishability for an important class (called monoidal) of these theories. We have also shown that decidability results can be easily combined for any disjoint equational theories: if the deducibility and indistinguishability relations are decidable for two disjoint theories, they are also decidable for their union. These two results are presented in  .

Encryption “distributing over pairs” is employed in several cryptographic protocols. We have shown that unification is decidable for an equational theory HE specifying such an encryption  We have given an algorithm for solving intruder constraints in HE and general intruder constraints in the equational theory ACI  . This last result is useful for handling set datastructures and also multiple intruders.

We have defined in  a translation from a protocol narration to the sequences of operations to be performed by each protocol role. Unlike previous works, we reduce this compilation process to known decision problems from formal protocol verification. This allows one to define a precise notion of prudent implementation and to reuse results from the literature in order to cover more crypto-primitives. In particular this is a first work showing how to compile protocols parameterised by the algebraic properties of their symbols.

Most previous results focus on secrecy and authentication for simple protocols like the ones from Clark & Jacob library. We explore several directions to cover more complex security properties.

Non-repudiation protocols have an important role in many areas where secured transactions with proofs of participation are necessary. Formal methods are clever and without error, therefore using them for verifying such protocols is crucial. In this purpose, in collaboration with F. Klay (France Telecom R&D), we have shown how to partially represent non-repudiation as a combination of authentications, and also defined a new method, based on the handling of the knowledge of protocol participants. This last method has been implemented in the AVISPA Tool, and used for analyzing several protocols. In particular, it has been used with L. Jing (Sun Yat-Sen University, China) for defining and analyzing a non-repudiation protocol for which there is no assumption of existence of resilient channels between the TTP and each protocol participant  .

Revisiting and extending the NP-complete decision procedure for a bounded number of sessions developped by Hubert Comon-Lundh, we show how to decide several new properties such as the non-existence of key-cycles (required by recent works relating computational and symbolic models), authentication-like properties and the decidability of a significant fragment of protocols with timestamps  .

Observational equivalence is a crucial notion for specifying security properties such as anonymity or secrecy of a ballot in vote protocols. For instance, observational equivalence can justify that there is no action of an attacker that makes distinguishable two protocol executions with different identities or vote values. For simple processes without branch nor replication observational equivalence can be reduced to checking whether two symbolic constraints (representing honest agents) are equivalent   . We have obtained a new proof that symbolic constraints equivalence is decidable for subterm convergent theories  . We believe it is simpler than the first one given by M. Baudet  .

New classes of protocols are still emerging and not all can be analysed using existing techniques. We study how to cover the emergent families of security protocols.

Group Protocols.Although many works have been dedicated to standard protocols, very few address the more challenging class of group protocols. We have investigated group protocol analysis in a synchronous model, that allows the specification of unbounded sets of agents with related behavior. In collaboration with the project-team Madynes, and in the framework of SAFECAST project on secured group communication system design, we have experienced the use of UML and two complementary verification tools  : AVISPA enabled us detecting and fixing security flaws; the TURTLE toolkit enabled us saving development time by eliminating design solutions with inappropriate temporal parameters.

Securing routing Protocols.The goal of routing protocols is to construct valid routes between distant nodes in the network. If no security is used, it is possible for an attacker to disorganize the network by maliciously interacting with the routing protocols, yielding invalid routes to be build. That is why secure versions of routing protocols are now developed. We have proposed  a new model and an associated decision procedure to check whether a routing protocol can ensure that honest nodes only accept valid routes, even if one of the nodes of the network is compromised. This result has been obtained for a bounded number of sessions, adapting constraint solving techniques.

Security APIs.In some systems, it is not possible to trust the host machine on which sensitive codes are executed. In that case, security-critical fragments of a program should be executed on some tamper resistant device (TRD), such as a smartcard, USB security token or hardware security module (HSM). The exchanges between the trusted and the untrusted infrastructures are ensured by special kind of API (Application Programming Interface), that are called security APIs. We have proposed new techniques for formally analyze APIs.

Protocols are often built in a modular way. For example, authentication protocols may assume pre-distributed keys or may assume secure channel. However, when an authentication protocol has been proved secure assuming pre-distributed keys, there is absolutely no guarantee that it remains secure when executing a real protocol for distributing the keys. How the security of these protocols can be combined is an important issue that is studied in  . More precisely, we show how protocols sharing data can be safely interleaved, provided that they use disjoint primitives or that each common primitive contains some tag identifying each protocol, like e.g. the name of the protocol. As a sub-result, we provide sufficient and simple conditions for composing key distribution protocols with any protocol using secure channels or pre-distributed keys.

All the previous results rely on symbolic models of protocol executions in which cryptographic primitives are abstracted by symbolic expressions. This approach enables significantly simple and often automated proofs. However, the guarantees that it offers have been quite unclear compared to cryptographic models that consider issues of complexity and probability. Cryptographic models capture a strong notion of security, guaranteed against all probabilistic polynomial-time attacks.

A recent line of research consists in identifying cases where it is possible to obtain the best of both cryptographic and formal worlds in the case of public encryption: fully automated proofs and strong, clear security guarantees. We have proposed a survey  of the results obtained so far.

The large size and complexity of modern networks result in large and complex firewall policies. Two policy editing languages, Type I and Type II, are generally used to update the firewall policies. Due to intervening nature of firewall rules, correct configuration and deploymentof large policies is a difficult and error-prone task. We have shown that some recently proposed deployment algorithms in the network security contain serious flaws  . Then we have defined a notion of safe deployment strategies. We have provided linear algorithms for Type I safe deployment and an approximatively linear and safe algorithm for Type II.

Term rewriting systems are now commonly used as a modelling language for programs or systems. On those rewriting based models, reachability analysis, i.e. proving or disproving that a given term is reachable from a set of input terms, provides an efficient verification technique. Many recent works have shown the relevance of regular approximation techniques to tackle in practice undecidable reachability problems.

We propose in  , to exploit rewriting approximations developped in  for analysing properties of CCS specifications (without renaming). The approach has been implemented and used to verify properties of the Alternating Bit Protocol and of hardware components specifications expressed as CCS processes.

Developing new algorithms and heuristics raises crucial evaluation issues, as improved worst-case complexity upper-bounds do not always transcribe into clear practical gains. A suite for software performance evaluation can usually gather three types of entries: benchmarks, hard instance and random inputs, that deliver average complexity estimations, for which the catch resides in obtaining a meaningful random distribution (for instance a uniform random distribution).

We presented in  a general rejection algorithm that uniformly generates sequential letter-to-letter transducers up to the isomorphism. We tailor this general scheme to randomly generate deterministic tree walking automata and deterministic top-down tree automata. In  we extend this approach by providing a new generation feature to fix both the number of states and the number of transitions. The generation is still uniform, up to isomorphism, and can be performed in polynomial time. In  we investigate how to generate non-deterministic tree automata with constraints in order to evaluate the performance of algorithms for the emptiness problem. Moreover, we have continued the development of an easy-to-use prototype dedicated to the random generation of recursive data structure for testing  .

Tree automata with constraints are widely used to tackle data base algorithmic problems, particularly to analyse queries over XML documents. The model of Tree Automata with Global Constraints (TAGED) is a model introduced in 2009 for these purposes. The membership problem for TAGED is known to be NP-complete. In  an efficient SAT-based approach for this problem is proposed, with very encouraging experimentations.

We are currently working on developing efficient algorithms for the emptiness problem for positive TAGED. In order to evaluate their performances, we have developed in  a random generator of hard instances for this problem.

We work with Hanifa Boucheneb (Professor at Ecole Polytechnique de Montréal, Canada) on automatic verification of optimistic replication algorithms supporting collaborative edition. In this work, we propose a symbolic model-checking technique to verify that an Operational Transformation (OT) algorithm ensures replicas convergence  . The shared objects are abstracted and their update operations are handled symbolically using difference bound matrices (DBMs) and neither the shared object size nor the update operations parameter sizes are fixed. Our approach provides symbolic counterexamples in case the convergence property is not satisfied. However, we cannot prove automatically that an OT algorithm ensures convergence for an arbitrary number of sites and operations.

We have participated to the ANR `Smart Surface' project whose aim is the realization of an active surface to automatically position and convey micro-items. This new application has motivated us to study regular model-checking (RMC) for pictures.

Let us recall that the RMC paradigm consists in representing infinite sets of configurations of a system by recognizable languages, and developing meta-transitions which can compute infinite sets of successors in one step. Unfortunately, a necessary property for RMC is missing in the class of recognizable 2D languages, namely decidability of the inclusion problem. This led us to seek sufficient conditions to decide inclusion. We have studied  the notion of simulation over the class of two-dimensional On-line Tessellation Automata (2OTA). This class of automata accepts the class of recognizable 2D languages, considered as the natural extension of classical regular word languages to the 2D case. We have proved that simulation over 2OTA implies language inclusion. Even if the existence of a simulation relation between two 2OTA is shown to be an NP-complete problem, this is a useful result since the inclusion problem is undecidable in general in this class of languages. Then we have proved the existence of a unique maximal autosimulation relation in a given 2OTA and the existence of a unique minimal 2OTA which is simulation equivalent to this given 2OTA, both computable in polynomial time.

We have introduced an original model-based testing approach that takes an UML behavioural view of the system under testing and automatically generates test cases and executable test scripts according to model coverage criteria. We have extended this result to SysML specifications for validating embedded systems  .

We are working on improving test generation in two directions:

The first direction is based on the preliminary computation of an abstraction of the model. We have experimented two techniques for automatically computing a symbolic transition system representing an abstraction of a behavioral model. First, we use a machine learning algorithm (à la Angluin) that is combined with model animation  . Second, we have experimented the use of behavioral decomposition of the model operation to compute the abstraction state, whereas transitions feasibility is computed using constraint solvers  . In both cases, the abstraction is used to produce test cases built according to state/transition coverage criteria.

The second direction exploits the evolution of requirements to classify test sequences, and precisely target the parts of the system impacted by this evolution. We have proposed to define the life cycle of a test via three test classes: ( i)Regression, used to validate that unimpacted parts of the system did not change, ( i i)Evolution, used to validate that impacted parts of the system correctly evolved, and ( i i i)Stagnation, used to validate that impacted parts of the system did actually evolve. The associated algorithms are under implementation in a dedicated prototype to be used in the SecureChange european project.

Test scenarios represent an abstract test case specification that aims at guiding the model animation in order to produce relevant test cases. Contrary to the previous section, this technique is not fully automated since it requires the user to design the scenario, in addition to the model.

In the context of ANR TASCCC project, we are investigating the automation of test generation from Security Functional Requirements (SFR), as defined in the Common Criteria terminology. SFRs represent security functions that have to be assessed during the validation phase of security products (in the project, the Global Platform, an operating system for last-generation smart cards). To achieve that, we are working on the definition of security property description patterns, to which a given set of SFRs can be related. These properties are used to automatically generate test scenarios that produce model based test cases. The traceability, ensured all along the testing process, makes it possible to provide evidences of the coverage of the SFR by the tests, required by the Common Criteria to reach the highest Evaluation Assurance Levels.

Also, we have experimented the use of scenarios to compute an abstraction of a model  , . This abstraction can be used in two ways: to evaluate the coverage of test sequences, and to compute test sequences themselves.

In the context of the SecureChange project, we also investigate the evolution of test scenarios. As the system evolves, the model evolves, and the associated test scenarios may also evolve. We are currently extending the tests generation and management of system evolutions to ensure the preservation of the security.

Verification of security protocols models is an important issue. Nevertheless, the verification reasons on a model of the protocol, and does not consider its concrete implementation. While representing a safe model, the protocol may be incorrectly implemented, leading to security flaws when it is deployed. We have proposed a model-based approach for testing security protocols implementations. This technique relies on the use of mutations of an original protocol, proved to be correct, for injecting realistic errors that may occur during the protocol implementation (e.g. re-use of existing keys, partial checking of received messages, incorrect formatting of sent messages, use of exponential/xor encryption, etc.). Mutations that lead to security flaws are used to build test cases, which are defined as a sequence of messages representing the behavior of the intruder and leads to the leaking of a secret. We have applied our technique on protocols designed in HLPSL, and implemented a protocol mutation tool that performs the mutations. The mutants are then analyzed by the CL-Atse  front-end of the AVISPA toolset  . Experiments show the relevance of the proposed mutation operators and the efficiency of the CL-Atse tool to conclude on the vulnerability of a protocol and produce an attack trace that can be used as a test case for implementations.

In model-based testing the model design is a complex activity that falls to the test engineer. The model validation is mainly done by animation to validate the model behavior and check that it corresponds to the informal requirements. We have proposed to define and assess the quality of B models in order to provide an automated feedback on a model by performing systematic checks on its content. We define and classify classes of automatic verification steps that help the modeller in checking whether his model is well-written or not. From a behavioral model, verification conditions are automatically computed and discharged using a dedicated tool. This technique has been adapted to B abstract machines, and is implemented within a tool interfaced with a constraint solver that is able to find counter-examples to invalid verification conditions  . In addition, we have designed an abstraction technique that makes it possible to extract, for a behavioral model, a graphical representation as a labeled transition system  .

We participate to the design of original combinations of static analysis and structural program testing for C program debugging. We have presented a prototype  called SANTE (Static ANalysis and TEsting). It calls a static analysis tool (Frama-C) which generates alarms when it cannot ensure the absence of run-time errors. Then these alarms guide a structural test generation tool (PathCrawler) trying to confirm alarms by activating bugs on some test cases. Experiments on real-life software show that this combination can outperform the use of each technique independently.

Automatic composition of web services is a challenging task. Many works have considered simplified automata models that abstract away from the structure of messages exchanged by the services. For the domain of secured services (using e.g. digital signing or timestamping) we propose a novel approach to automated orchestration of services under security constraints. Given a community of services and a goal service, we reduce the problem of composing the goal from services in the community to a security problem where an intruder should intercept and redirect messages from the service community and a client service till reaching a satisfying state    . This work has been pursued in the context of AVANTSSAR and NESSOS FP7 projects.

In collaboration with Olivier Perrin (Score team) and Eric Monfroy (UTFSM Valparaíso, Chile), we are working on applying constraint programming techniques to the composition problem. Our approach consists in instantiating a given abstract representation of a composite Web service by selecting the most appropriate concrete Web services. This instantiation is performed in a distributed manner by analysing the current request, i.e., the solver of each service is solving some constraints at one level, and it forwards the rest of the request (modified by the local solution) to the next services. When a service cannot build part of the composition, a distributed backtrack mechanism enables to change previous solutions. Our event-based distributed framework is described in .

In  , we focus on the composition of Web services with constraints. The originality of our approach consists in modeling the services by Boolean automata, i.e. finite automata extended with parametric Boolean conditions. We give a theoretical analysis of three service composition problems – the Valuation Decision problem, the Boolean Formula Decision problem, and the Boolean Formula Synthesis problem. New complexity results are established for these problems when considering both simulation-based and trace-based relations between automata. To go further, we have been studying the mediator decision problem.

In addition, the substitutivity problem for component-/service-based systems has been studied when considering extra-functional properties, like QoS. For services modeled by weighted automata, in  , four notions of simulation-based substitutivity managing QoS aspects are proposed, and related complexity issues on weighted automata are investigated. The substitutivity problem has been shown undecidable in general for bisimulation equivalence, but some decidable classes–important in practice–have been defined.

We propose an access control model where a group of users can define access rights on a set of shared objects  . This model has been implemented as a middleware for collaborative editing systems based on logging mechanism where both the shared document and the access control policy are replicated at each collaborating site. It is difficult to manage the interleaving between document updates and policy administration which may lead to security holes. To deal with latency and dynamic access rights, we apply an optimistic access control technique in such a way that enforcement of authorizations is retroactive. A performance analysis shows the algorithm scales. We plan to extend our model to support delegation.

Since our access control model is based on logs to ensure convergence between all copies of shared objects and policies, we propose a garbage collection mechanism in order to reuse this model on mobile devices (e.g. iPhone)  with low storage capacities and high communication delays. Our solution consists in capturing a global view of the state of each log through the exchange of garbage messages: when all users have received all operations and thus have the same global view, their logs are cleaned.