SECSI is a project common to INRIA and the Laboratoire Spécification et Vérification (LSV), itself a common lab between CNRS (UMR 8643) and the École Normale Supérieure (ENS) de Cachan. The team was created in 2001, and became an INRIA project in December, 2002.

SECSI is a common project between INRIA Futurs and the LSV (Laboratoire Spécification et Vérification), itself a common research unit of CNRS (UMR 8643) and the ENS (École Normale Supérieure) de Cachan.

The SECSI project is a research project on the security of information systems. Originally, SECSI was organized around three main themes, and their mutual relationships:

Automated verification of cryptographic protocols;

Intrusion detection;

Static analysis of programs, in order to detect security holes and vulnerabilities at the protocol level.

This has changed. Starting from 2006, SECSI concentrates on the first theme, while keeping an eye on the other two.

In a nutshell, the aim of the SECSI project is to
*develop logic-based verification techniques for security
properties of computer systems and networks*.

The thrust is towards more *automation* (new automata-based, or theorem-proving based verification techniques), more *properties* (not just secrecy or authentication, but e.g., coercion-resistance in electronic voting schemes), more *realism* (e.g., cryptographic soundness theorems for formal models).

The new objectives of the SECSI project are:

Tree-automata based methods, automated deduction, and approximate/exact cryptographic protocol verification in the Dolev-Yao model.

Enriching the Dolev-Yao model with algebraic theories, and associated decision problems.

Computational soundness of formal models (Dolev-Yao, applied pi-calculus).

Indistinguishability proofs allowing us to handle more properties, e.g. anonymity.

Application to new security protocols, e.g. electronic voting protocols.

Security in the presence of probabilistic and demonic non-deterministic choices.

Using his tool *Tookan*, a tool for analysing PKCS#11 security tokens, Graham Steel succeeded in discovering a number of attacks on commercially available authentication tokens, including the RSA SecurID 800. See also the project webpage http://

This section is unchanged from the SECSI 2006 report.

see model-checking.

a set of automated techniques aiming at ensuring that a formal model of some given computer system satisfies a given specification, typically written as a formula in some adequate logic.

a sequence of messages defining an interaction between two or more machines, programs, or people.

a protocol using cryptographic means, in particular encryption, that attempts to satisfy properties of secrecy, authentication, or other security properties.

Computer security has become more and more pressing as a concern since the mid 1990s. There are several reasons for this: cryptography is no longer a *chasse réservée* of the military, and has become ubiquitous; and computer networks (e.g., the Internet) have grown considerably and have generated numerous opportunities for attacks and misbehaviors, notably.

The aim of the SECSI project is to
*develop logic-based verification techniques for security
properties of computer systems and networks*. Let us
explain what this means, and what this does not mean.

First, the scope of the research at SECSI is a rather broad subset of computer security, although the core of SECSI's activities is on verifying cryptographic protocols. The SECSI group has tried to be as comprehensive as possible. Several security properties have been the focus of SECSI's research: weak and strong secrecy, authentication, anonymity, fairness in contract-signing notably. Several models, too: the Dolev-Yao model initially, but also process algebra models (spi-calculus, applied pi-calculus), and, more recently, the more realistic computational models favored by cryptographers. Several input formats, finally: either symbolic descriptions of protocols à la Needham-Schroeder, or programs that actually implement cryptographic protocols.

Apart from cryptographic protocols, the vision of the SECSI project is that computer security, being a global concern, should be taken as a whole, as far as possible. This is why one of the initial objectives of SECSI was also concerned with problems in intrusion detection, notably.

However, the aims of any project, including SECSI, have to be circumscribed somewhat. One of the key points in the aim of the SECSI project, stated above, is “logic-based”. SECSI aims at developing rigorous approaches to the verification of security. But the expertise of the members of SECSI is not in, say, numerical analysis or the quantitative evaluation of degrees of security, but in formal methods in logic. It is a founding theme of SECSI that logic matters in security, and opportunities are to be grabbed. This was definitely the case for the verification of cryptographic protocols. This was also the case for intrusion detection, where an original model-checking based approach to misuse detection was developed.

Then, another important point is “verification techniques”. The expertise of SECSI is not so much in designing protocols. Verifying protocols, formally, is a rather more arduous task. It is also particularly needed in cryptographic protocol security, where many protocols were flawed, despite published proofs.

Automated cryptographic protocol verification is certainly *the* main theme of SECSI. While it was already the theme that kept most SECSI members busy at the time SECSI was created (2002), one might say that, as of 2006, all SECSI members work on it. Accordingly, this theme was naturally subdivided into new objectives.

Tree-automata based methods, automated deduction, and approximate/exact cryptographic protocol verification in the Dolev-Yao model.

Enriching the Dolev-Yao model with algebraic theories, and associated decision problems.

Computational soundness of formal models (Dolev-Yao, applied pi-calculus).

Indistinguishability proofs allowing us to handle more properties, e.g. anonymity.

Application to new security protocols, e.g. electronic voting protocols.

Security in the presence of probabilistic and demonic non-deterministic choices.

The various efforts of the SECSI team are united by the reliance on *logic* and rigorous methods. As already said in Section , SECSI does not do any cryptology per se.

As far as cryptographic protocol verification is concerned, one popular kind of model is that of Dolev and Yao (after , see for a survey), where: the intruder can read and write on every communication channel, and in effect has full control over the network; the intruder may encrypt, decrypt, build and destruct pairs, as many times as it wishes; and, finally, cryptographic means are assumed to be *perfect*. The latter in particular means that the only way to compute the plaintext $M$ from the ciphertext $\{M\}_K$ is to decrypt the latter using the inverse key $K^{-1}$. It also means that no ciphertext can be confused with any message that is not a ciphertext, and that $\{M\}_K = \{M'\}_{K'}$ implies $M = M'$ and $K = K'$. Thus, messages can be simply encoded as first-order terms, a fact which has been used by many authors. This “perfect cryptography” model has been extended to algebraic properties of primitives (see for a survey) which was one of the main themes of the RNTL project PROUVÉ.
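The intruder capabilities listed above yield a decision procedure in the perfect-cryptography case. The following is an added example, not code from SECSI or any of its tools: it closes the intruder's knowledge under unpairing and decryption, then checks whether a target term can be built by pairing and encryption. The tuple encoding of terms, the `inv` constructor standing for $K^{-1}$, and every name in the sample data are assumptions of this example.

```python
# Terms are nested tuples (encoding chosen for this example):
#   "na"                 atomic name, nonce or key
#   ("pair", t1, t2)     the pair <t1, t2>
#   ("enc", m, k)        the ciphertext {m}_k
#   ("inv", k)           the inverse key k^-1 of an asymmetric key k


def inverse(key, symmetric):
    """Key needed to open {m}_key: the key itself if symmetric, else its inverse."""
    if key in symmetric:
        return key
    if isinstance(key, tuple) and key[0] == "inv":
        return key[1]
    return ("inv", key)


def synth(term, known):
    """True if `term` can be built from `known` by pairing and encryption only."""
    if term in known:
        return True
    if isinstance(term, tuple) and term[0] in ("pair", "enc"):
        return all(synth(sub, known) for sub in term[1:])
    return False  # atoms and inverse keys cannot be made up by the intruder


def analyze(initial, symmetric=frozenset()):
    """Close the intruder's knowledge under unpairing and decryption."""
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            if term[0] == "pair":
                parts = set(term[1:])
            elif term[0] == "enc" and synth(inverse(term[2], symmetric), known):
                parts = {term[1]}  # perfect cryptography: only the right key opens it
            else:
                parts = set()
            if not parts <= known:
                known |= parts
                changed = True
    return known


def deducible(target, initial, symmetric=frozenset()):
    """Decide whether the intruder can compute `target` from `initial`."""
    return synth(target, analyze(initial, symmetric))


# Constructed sample: messages seen on the network plus the intruder's own key.
SYMMETRIC = frozenset({"kas", "kab"})
OBSERVED = {
    "A", "B", "pkB", ("inv", "pkI"),
    ("enc", ("pair", "na", "A"), "pkB"),   # {<na, A>}_pkB
    ("enc", ("pair", "kab", "B"), "kas"),  # {<kab, B>}_kas
    ("enc", "secret", "kab"),              # {secret}_kab
    ("enc", "hello", "pkI"),               # {hello}_pkI
}

if __name__ == "__main__":
    for goal in ("hello", "na", "secret", ("enc", "A", "pkB")):
        print(goal, deducible(goal, OBSERVED, SYMMETRIC))
    print("secret once kas is known:",
          deducible("secret", OBSERVED | {"kas"}, SYMMETRIC))
```

The last call shows why long-term keys matter in this model: once `kas` is in the intruder's knowledge, the session key and then the secret follow by two decryption steps.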

As soon as cryptography has been abstracted using a term algebra, first-order logic is relevant to security proofs: security proofs can be tackled from the automata-theoretic point of view or using automated deduction. In SECSI we contributed (and continue to contribute) to this line of research designing strategies and decision methods, e.g. , .

The thrust here is on
*more automation*.

It was slightly less clear in 2002 that the Dolev-Yao model required some definite extensions, in particular allowing for terms to be interpreted modulo some equational theory, the so-called *algebraic* case. (But also to properly handle specific code chaining techniques .) Typical examples of theories of interest are modular exponentiation over a fixed generator $g$ (application: Diffie-Hellman-like protocols) or that of bitwise exclusive-or . The PhD theses of Roger , Verma , and Cortier display early (and influential!) research in this area. More recent theses in SECSI are those of Delaune , Lafourcade and Bernat . Cortier's thesis, which contains much more material than we can describe, was awarded the SPECIF best PhD thesis award in 2003, and the Le Monde academic research prize in 2004. Delaune's thesis, funded by a CIFRE grant with France Télécom, was awarded the “mention thèse remarquable” by France Télécom.

Following all these bright PhD theses, the main activities and results of SECSI during the period 2003–2006 were devoted to such more accurate formal models of cryptography. This resulted in several decision procedures or impossibility results (see for instance , , , ).

Nowadays, we continue to work in this area, for instance following an electronic purse case study from France Télécom . The main focus is however on extending the results to other security properties (see Section ) and combining theories, such as in , . Moreover, it is important to consider protocols in their context. For instance, a key distribution protocol can be used to establish a key which is then reused in another protocol. Different protocols reusing the same long-term keys or passwords may be separately secure, but insecure when executed in parallel. Some composition results guaranteeing that parallel composition preserves security properties have already been obtained in , , .

The thrust here is on
*more realism*, and
*more automation*.

One desirable goal that seemed totally out of reach in 2002 is to relate the Dolev-Yao notion of security, possibly in the algebraic case, to more realistic notions of security as used in the cryptographic community (e.g., IND-CPA and IND-CCA security). The latter define security as resistance to probabilistic polynomial-time attackers, while the Dolev-Yao models overlook any computational constraints. In other words, cryptographic security is about actual computers running attacks, and being unable to gain any significant advantage while interacting with your protocol.

Abadi and Rogaway initiated work in this domain , dealing with a constrained case of security against passive attackers. The domain has flourished in recent years, and SECSI is taking an active part in it, as part of the ARA SSIA Formacrypt project, whose members include Martín Abadi and Bruno Blanchet. A more recent French-Japanese also continues this research theme. One early paper on this topic is . Laurent Mazaré, a PhD student of Yassine Lakhnech on these themes, spent 6 months as postdoc at SECSI and worked actively on the connection between formal and computational models in the presence of bilinear maps, an emerging fundamental tool in extensions of Diffie-Hellman-like protocols among others (best paper at WITS'07 ). Other results include the case of soundness of formal methods in the case of adaptive attacks , soundness and decidability results in a framework meant to deal with off-line guessing attacks, but reaching far beyond . Recently, Comon-Lundh and Cortier have shown that the observational equivalence of the applied pi calculus implies computational indistinguishability which has been an open question for several years. Their result implies soundness of properties such as anonymity and strong secrecy modelled in terms of observational equivalence.

Objective 1.3 is quite probably the hottest topic for the years to come as far as verification of cryptographic protocols is concerned.

The thrust here is on *more realism*. However, the purpose of FormaCrypt, and of SECSI in particular, is to relate cryptographic approaches to mechanizable formal approaches, hence *more automation* is also sought after in this field.

Most of the research in activities 1.1, 1.2, 1.3 is mainly concerned with rather traditional security properties, namely secrecy or authentication—in general, (un)reachability properties. However, in cryptography many properties are formulated as indistinguishability properties.

*Strong* notions of secrecy are not reachability properties, and in fact are not trace properties. Rather, they are characterized using contextual equivalences. A notion of bisimulation complete for contextual equivalence in the spi-calculus was found by Cortier . The cryptographic results of relate cryptographic security to *static equivalence*, a form of contextual equivalence well-suited to passive adversaries introduced in Abadi and Fournet's applied pi-calculus . Notions of strong security and contextual equivalence have also been studied in the framework of higher-order computation (a lambda-calculus with name creation and cryptographic primitives) by Zhang, using Kripke logical relations , , . Zhang's thesis was awarded the 2006 prize of the AFCRST (French-Chinese Association for Scientific and Technical Research). Other examples of indistinguishability properties that we have studied are privacy-related properties such as those appearing in electronic voting protocols and offline guessing attacks .

In SECSI, we have been working on decision procedures, combination and composition results for such equivalence properties. In particular, decision procedures for many equational theories , , , , combination and composition results have been achieved for static equivalence. In the active case we are also working on symbolic methods for deciding observational equivalences , .

The thrust is on *more properties* and *more automation*.

In addition to classical, academic protocols, such as those presented in the “Clark Jacob library” , we have applied our methods to other protocols, and classes of protocols which often require modeling new properties.

In this vein other properties and other protocols were studied:

Anonymity properties and electronic voting

Electronic voting schemes require the voter to be unable to prove his vote to a bully, a property named *receipt-freeness* in the passive case and *coercion-resistance* in the more demanding active case . Anonymity, privacy, unlinkability and in general all opacity properties are also the topic of objective 1.4.

Security APIs

*Security APIs* allow untrusted code to access sensitive resources in a secure way. A security API provides an interface between a trusted component, such as a smart card or cryptographic security module, and the untrusted outside world such that no matter what sequence of commands in the interface are called, and no matter what the parameters, certain 'good' properties will continue to hold, e.g. the secret long term keys on the smartcard are never revealed. Analysis of security APIs is a new theme which has recently started in SECSI with the arrival of Graham Steel. First results on the widely deployed standard PKCS#11 were presented in .

Password-based protocols

*Guessing attacks* are attacks where a weak secret can be guessed, e.g. by brute force enumeration (passwords). Some protocols use passwords but are still immune to guessing attacks , , and a general decision procedure was proposed by Baudet in the (realistic) offline case, using a definition of security based on static equivalence.

Group protocols

Secrecy and authentication properties were examined in the challenging case of group protocols. See Roger's PhD thesis , and the paper . Antoine Mercier has started a PhD thesis on security properties of group protocols with Ralf Treinen and Steve Kremer, Fall 2006. First results on secrecy for an unbounded number of participants were presented in .

Electronic purse

We have worked on a challenging case study of an electronic purse protocol which was provided by France Télécom in the RNTL project PROUVÉ. The protocol relies on algebraic properties of a fragment of arithmetic, typically containing modular exponentiation. This case study motivated work on Associative-Commutative deducibility constraints and gave rise to new decidability results , .

Fair exchange and contract signing protocols

Boisseau studied contract-signing protocols (see his PhD thesis ); Kremer studied optimistic multi-party contract signing protocols , and fair exchange protocols , where one of the crucial properties is *fairness* (none of the signers can prove the contract signed to a third-party while the other has not yet signed), not secrecy.

Overall, objective 1.5 differs from the other objectives in providing a source of sundry exciting perspectives (other properties, other protocols, other models).

The thrust is on *more properties* and *more realism*, while *more automation* is still a running concern.

While objective 1.3 (computational soundness) is important to reach the SECSI goal of *more realism*, i.e., to show that security proofs in formal models have realistic implications, one will also have to consider some protocols for which no formal model exists that is solely based on logic. This is the case for protocols whose security depends on probabilities, for example. The paradigmatic example is Chaum's dining cryptographers, whereby $N$ agents try to determine whether one of them paid while not revealing the identity of the payer with any non-negligible probability. Chaum's protocol involves flipping coins, and any bias in coin-flipping is known to result in possible attacks.
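The dependence on coin fairness can be computed exactly. The following added example (not taken from the report or from any SECSI tool) models the ring version of the dining cryptographers and derives, with exact fractions, the chance that an outside observer who sees only the announcements names the payer; the ring layout, the uniform prior over payers and the bias value used in the usage lines are assumptions of this example.

```python
from fractions import Fraction
from itertools import product


def announcements(coins, payer):
    """Bit announced by each agent on a ring: agent i shares coins[i-1] and coins[i].

    An agent announces the XOR of its two coins, flipped if it is the payer.
    `payer` is an agent index, or None when nobody at the table paid.
    """
    n = len(coins)
    return tuple(coins[i - 1] ^ coins[i] ^ (1 if i == payer else 0)
                 for i in range(n))


def someone_paid(announced):
    """Protocol output: XOR of all announcements (every coin cancels out)."""
    result = 0
    for bit in announced:
        result ^= bit
    return result


def distribution(n, payer, p_one):
    """Exact distribution of the announcement vector when each coin is 1
    with probability p_one, for a fixed payer."""
    dist = {}
    for coins in product((0, 1), repeat=n):
        prob = Fraction(1)
        for c in coins:
            prob *= p_one if c else 1 - p_one
        out = announcements(coins, payer)
        dist[out] = dist.get(out, Fraction(0)) + prob
    return dist


def guess_success(n, p_one):
    """Best probability with which an observer of the announcements names
    the payer, assuming each agent is the payer with probability 1/n."""
    dists = [distribution(n, payer, p_one) for payer in range(n)]
    outputs = set().union(*dists)
    return sum(max(d.get(o, Fraction(0)) for d in dists) for o in outputs) / n


def leakage(n, p_one):
    """Largest total-variation distance between the announcement
    distributions of two different payers (0 means perfect anonymity)."""
    dists = [distribution(n, payer, p_one) for payer in range(n)]
    worst = Fraction(0)
    for a in range(n):
        for b in range(a + 1, n):
            keys = set(dists[a]) | set(dists[b])
            tv = sum(abs(dists[a].get(k, Fraction(0)) - dists[b].get(k, Fraction(0)))
                     for k in keys) / 2
            worst = max(worst, tv)
    return worst


if __name__ == "__main__":
    fair, biased = Fraction(1, 2), Fraction(3, 4)  # bias value is constructed
    print("fair coins:  ", guess_success(3, fair), leakage(3, fair))
    print("biased coins:", guess_success(3, biased), leakage(3, biased))
```

With fair coins the observer does no better than a blind guess among three agents; with the constructed bias of 3/4 the same observer succeeds half of the time, although the protocol still computes the correct answer.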

Probabilities are also needed to model realistic notions of anonymity, where the distribution of possible outputs of the protocol should not give any information on the distribution of the inputs. Here, models purely based on logic will miss an important point.

Work in this direction was conducted in 2006–2007 through the INRIA ARC ProNoBis, on finding appropriate models for mixing probabilistic choice and non-deterministic choice. Intuitively, protocols can be seen as the interaction between honest agents, who proceed deterministically or by tossing coins, and attackers, who can be thought of as always choosing the action that will defeat some security objective in the worst way. I.e., attackers run as demonic non-deterministic agents. Finding simple and usable models mixing probabilistic choice and demonic non-determinism is challenging in itself. SECSI is also exploring the possibility of including angelic non-determinism (e.g., specified but not yet implemented behavior from honest agents), and chaotic non-determinism. Finally, these models are explored both from the point of view of transition systems, and model-checking, even in the non-discrete case, and from the point of view of the semantics of programming languages, in particular of Moggi's monadic lambda-calculus.

The main originality in this line of work used to be the theory of *convex games* and *belief functions* , which originated in economic circles in the 1950s and in statistics in the 1960s. This evolved into the use of *continuous previsions* , similar to a notion invented in finance by Walley. Most of the required fundamental theoretic results are now established, and practical applications should come by in 2008, e.g., adapting the semantics and results on observational equivalence for the probabilistic applied pi-calculus of .

The thrust here is on
*more properties*, and
*more realism*.

The application domains of SECSI cover a large part of computer security.

Cryptographic protocols are used in more and more domains today, including smart card protocols, enterprise servers, railroad network architectures, secured distributed graphic user interfaces, mobile telephony, on-line banking, on-line merchant sites, pay-per-view video, etc. The SECSI project is not tied to any specific domain as far as cryptographic protocols are concerned. Our industrial partners in this domain are Trusted Logic S.A., France Télécom R&D, and CRIL Technology.

Analyzing cryptographic protocols per se is fine, but a more realistic approach consists in analyzing actual code implementing specific roles of cryptographic protocols, such as `ssh` or `slogin`, which implement the SSL/TLS protocols and are used on every personal computer running Unix today. SECSI pioneered the domain . We collaborate with EADS Innovation Works on analyzing multi-threaded programs.

The SECSI project started in 2002 with a relatively large software basis: tools to parse, translate, and verify cryptographic protocols which are part of the RNTL project EVA (including *CPV*, *CPV2*, *Securify*), a static analysis tool (*CSur*), an intrusion detection tool (*logWeaver*). These programs were started before SECSI was created.

The SPORE Web page was new in 2002. It is a public and open repository of cryptographic protocols. Its purpose is to collect information on cryptographic protocols, their design, proofs, attacks, at the international level.

2003 and 2004 brought new developments. In intrusion detection, a completely new project has started, which benefited from the lessons learned in the DICO project: faster, more versatile, the ORCHIDS intrusion detection system promises to become the most powerful intrusion detection system around.

In 2005, the development of ORCHIDS reached maturity. ORCHIDS works reliably in practice, and has been used so at the level of the local network of LSV, ENS Cachan. Several additional sensors have been added, including one based on comparing statistical entropy of network packets to detect corruption attacks on cryptographic protocols. A tool paper on ORCHIDS was presented at the CAV'2005 international conference, Edinburgh, Scotland .

In 2006-07, a new prototype, NetQi, was initiated to test ideas on predicting network faults and attacks. This consists of two parts. One collects data from a network, and infers dependencies between services, between services and local files, and between local files, for example of the form “if $A$ fails then $B$ may fail”. This uses $N$-gram based statistical techniques. The other exploits the dependency graphs thus obtained to detect scenarios that would violate some properties in an expressive game logic involving temporal constraints .

The CSur project consisted in developing a static analysis tool able to detect leakage of confidential data from programs written in C. Its design and development covered the period 2002-2004. The main challenge was to properly integrate Dolev-Yao style cryptographic protocol analysis with pointer alias analysis. Once development was over, a paper was published, which explains the techniques used. (A journal version was submitted in June 2005. No news since then.)

The `h1` tool suite was created in 2004 to support the discovery of security proofs, to output corresponding formal proofs in the Coq proof assistant, and also to provide a suite of tools allowing one to manipulate tree automata automatically .

Finally, the PROUVÉ parser library is the analogue of the above-mentioned tools of the RNTL project EVA for the PROUVÉ specification language.

The initial purpose of the `h1` tool is to decide Nielson, Nielson and Seidl's decidable class , as well as an automated abstraction engine that converts any clause set to one in .

The main application of `h1` is to verify sets of clauses representing cryptographic protocols. It was shown by the author at the CSF'08 conference how `h1mc`, the model-checker of the suite, could be used to produce *Coq proofs of security*, in an automated way.

Since then, the journal version lists additional case studies, and makes a thorough analysis of the algorithmic details behind `h1mc`.

The Auditd sensor was implemented as a part of the ORCHIDS intrusion detection system. Auditd captures system events in Linux 2.6 kernels, which gives ORCHIDS the ability to detect attacks on such versions of the Linux kernel. For instance, ORCHIDS is now able to detect a whole family of violent DoS (Denial of Service) attacks on Linux 2.6 kernels. ORCHIDS was also integrated into a hypervisor-based platform (Xen 3), which makes it able to run in a protected VM (Virtual Machine), while its sensors (auditd) are running in other VMs and reporting events to ORCHIDS. This architecture gives ORCHIDS the ability to supervise the whole architecture and to detect attacks on other virtual machines. This work was done in collaboration with Bertin technologies in the setting of the PFC, System@tic project.

The RuleGen tool implements the algorithm described in . The idea is that the system administrator can write security policies using simple LTL (Linear Temporal Logic) formulas. RuleGen automatically generates attack signatures from these formulas. The generated signatures can then be added to the ORCHIDS intrusion detection system rule base.

*Tookan* is a tool for the automated analysis of key management devices that follow the RSA PKCS#11 standard. It re-implements and combines two pre-existing tools: `mkP11`, implemented in the SECSI team, a tool that generates a formal model in a set rewriting logic of an RSA PKCS#11 compatible key management API; and `APITool`, developed at the University of Venice, which extracts configuration information from such a device by a pre-defined reverse-engineering process. The model constructed is suitable for the SAT based security protocol model checker, SATMC. If SATMC finds an attack, *Tookan* executes the attack directly on the token.

*Tookan* is described in a paper published this year at the ACM Computer and Communications Security Conference (CCS) . The paper discusses results from testing on 18 commercially available cryptographic devices: 10 were found to be vulnerable to attack. The commercialisation of *Tookan* is underway with the support of the INRIA Saclay SRIV, and a request for resources has also been made to CSATT, the central INRIA committee for technology transfer projects. A major bank and a major manufacturer of aircraft have expressed interest in transfer projects around *Tookan*.

The intruder deduction problem is to decide if an intruder can compute a certain message $T$ from a certain set of messages $M$. The static equivalence problem is to decide if an intruder can distinguish between two sequences of messages $M_1$ and $M_2$. Messages are modeled as terms and the cryptographic primitives are modeled as function symbols. The properties of the cryptographic primitives are modeled by an equational theory.
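A bounded search for a test that distinguishes two sequences of messages, under the subterm convergent theory of symmetric encryption and pairing, written here as an added example and not as the algorithm of KISS or any other SECSI tool. The handle names `w1`, `w2`, the tuple encoding of terms and the sample sequences are constructed; a `None` result only means that no distinguishing test exists up to the chosen recipe depth, not that the two sequences are proved equivalent.

```python
from itertools import product

# Function symbols and arities (constructed signature for this example).
SIGNATURE = {"enc": 2, "dec": 2, "pair": 2, "fst": 1, "snd": 1}


def normalize(term):
    """Innermost rewriting with the rules
    dec(enc(x,y),y) -> x,  fst(pair(x,y)) -> x,  snd(pair(x,y)) -> y."""
    if not isinstance(term, tuple):
        return term
    head, args = term[0], [normalize(a) for a in term[1:]]
    first = args[0]
    if (head == "dec" and isinstance(first, tuple)
            and first[0] == "enc" and first[2] == args[1]):
        return first[1]
    if head in ("fst", "snd") and isinstance(first, tuple) and first[0] == "pair":
        return first[1] if head == "fst" else first[2]
    return (head, *args)


def apply(recipe, frame):
    """Replace the handles w1, w2, ... of a recipe by the observed messages."""
    if isinstance(recipe, tuple):
        return (recipe[0], *(apply(a, frame) for a in recipe[1:]))
    return frame.get(recipe, recipe)


def recipes(handles, public, depth):
    """All recipes of nesting depth <= depth over handles and public names."""
    level = list(handles) + list(public)
    for _ in range(depth):
        seen = set(level)
        new = [(f, *args) for f, arity in SIGNATURE.items()
               for args in product(level, repeat=arity)
               if (f, *args) not in seen]
        level += new
    return level


def distinguisher(frame1, frame2, public, depth=2):
    """Return recipes (M, N) that are equal modulo the theory in exactly one
    of the two frames, or None if there is none up to `depth`."""
    first1, first2 = {}, {}
    for r in recipes(sorted(frame1), public, depth):
        n1 = normalize(apply(r, frame1))
        n2 = normalize(apply(r, frame2))
        rep, rep_n2 = first1.setdefault(n1, (r, n2))
        if rep_n2 != n2:
            return (r, rep)  # M = N holds in frame1 but not in frame2
        rep, rep_n1 = first2.setdefault(n2, (r, n1))
        if rep_n1 != n1:
            return (r, rep)  # M = N holds in frame2 but not in frame1
    return None


# Constructed samples: a and b are public names, k is a private key.
PUBLIC = ["a", "b"]
SECRET_1 = {"w1": ("enc", "a", "k")}             # key stays private
SECRET_2 = {"w1": ("enc", "b", "k")}
LEAKED_1 = {"w1": ("enc", "a", "k"), "w2": "k"}  # key later disclosed
LEAKED_2 = {"w1": ("enc", "b", "k"), "w2": "k"}

if __name__ == "__main__":
    print("key private:  ", distinguisher(SECRET_1, SECRET_2, PUBLIC))
    print("key disclosed:", distinguisher(LEAKED_1, LEAKED_2, PUBLIC))
```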

KISS (Knowledge in Security Protocols) is a tool that solves the intruder deduction problem and the static equivalence problem for a certain class of convergent equational theories. In particular, KISS is known to terminate in polynomial time for subterm convergent equational theories and for other equational theories useful in e-voting protocols such as blind signatures and trapdoor commitment.

The algorithm implemented in KISS is described in .

SubVariant is a tool for computing complete sets of finite variants for subterm convergent rewrite systems modulo the empty equational theory. As an immediate application, SubVariant can also compute complete sets of unifiers for subterm convergent equational theories. The finite set of variants of a term is useful in symbolic approaches to security. The eventual goal of SubVariant is to include it as a subtool for deciding equivalence properties for security protocols.

ADECS is a tool for deciding indistinguishability properties in security protocols. Infinite sets of possible traces of protocols are symbolically represented using deducibility constraints. The tool is able to decide the equivalence of such constraint systems, *i.e.* deciding whether two constraint systems have the same set of solutions.

The algorithm implemented in ADECS is described in .

Most existing results focus on trace properties like secrecy or authentication. There are however several security properties, which cannot be defined (or cannot be naturally defined) as trace properties and require the notion of indistinguishability. Typical examples are anonymity, privacy related properties or statements closer to security properties used in cryptography.

As explained above, static equivalence is a cornerstone to provide decision procedures for observational equivalence.

In , Ştefan Ciobâcă, Stéphanie Delaune and Steve Kremer propose a representation of deducible terms to overcome the limitation of a procedure proposed by M. Baudet *et al.* in . The procedure terminates on a wide range of equational theories. In particular, they obtain a new decidability result for the theory of trapdoor bit commitment encountered when studying electronic voting protocols. The algorithm has been implemented in the KiSs tool. This work is a journal version of the work presented in .

In , Stéphanie Delaune, in collaboration with Véronique Cortier (LORIA, France), shows that existing decidability results can be easily combined for any disjoint equational theories: if the deducibility and indistinguishability relations are decidable for two disjoint theories, they are also decidable for their union. They also propose a general setting for solving deducibility and indistinguishability for an important class (called *monoidal*) of equational theories involving operators. This paper is a journal version of the works presented in , .

Steve Kremer and Antoine Mercier, in collaboration with Ralf Treinen (PPS, France), have obtained a combination result for non-disjoint theories . Their method allows one to simplify the task of deciding static equivalence in a multi-sorted setting, by removing a symbol from the term signature and reducing the problem to several simpler equational theories. In particular, this technique allows one to decide static equivalence for bilinear pairings. This work is a journal version of a work that has been published in .

Under some conditions, observational equivalence can be reduced to the problem of deciding symbolic equivalence, an equivalence relation introduced by M. Baudet . However, the procedure proposed by Mathieu Baudet in for deciding symbolic equivalence is quite complex and cannot be implemented in its current state. In order to provide tool support to decide observational equivalence, Vincent Cheval, Hubert Comon-Lundh and Stéphanie Delaune have designed another procedure that has been implemented in the ADECS tool .

Current state-of-the-art tools and techniques have become efficient enough to analyze many protocols. However, these analyses are carried out in isolation, without necessarily taking into account other protocols which are executed in parallel. It is often assumed that participants share a key, abstracting away how this key has been distributed. It is therefore important to obtain composition results which allow protocols to be composed. For instance, such composition results aim at showing that if two protocols are secure individually then their parallel composition preserves the security guarantees of the protocols, even if some keying material is shared, or if the same password is reused. Another example of composition is to show that if a key exchange protocol is secure and if a protocol, relying on a shared key, guarantees a given property then these protocols can be composed sequentially. This allows the shared key assumption to be implemented by any secure key exchange protocol.

In the past decade an impressive number of results have been obtained related to the use of symbolic techniques for computational proofs of security protocols. In we survey these results. Even though a large number of results exist, they are still not satisfactory and using symbolic techniques for achieving computational proofs is still an active area of research. In SECSI we work in particular on

a framework for computational soundness which is general, abstract and modular. It is general in the sense that it is defined for equational theories rather than particular cryptographic primitives (in the style of ). It is abstract, because it defines soundness in terms of cryptographic games, independent of a particular protocol language. Soundness for trace or indistinguishability properties are easily shown from these games for many reasonable protocol languages. Finally, we aim at modularity by the means of combination results for soundness results of different equational theories. We expect that the more pure cryptographic games will simplify the combination.

more general results for soundness of observational equivalence. In particular, we relax hypotheses which were unnecessary for the result (but greatly simplified the first proof of soundness of observational equivalence) and hence widen the class of protocols these soundness results can be applied to.

a new symbolic model that accounts for keys which are generated by the attacker. The security assumptions, such as IND-CCA, integrity, *etc.* are formally defined using a randomly chosen key. Actually, all known encryption schemes do not provide any guarantee for some specific key, but only an average guarantee for all keys. This means that, for specific keys, basically anything can happen. This may occur in realistic situations in which a man-in-the-middle attacker generates specific keys that are then used by principals. All soundness results assume so far that all keys are generated using the key generation algorithm. Guillaume Scerri's master internship consisted in extending the symbolic model and proving a soundness result for this extended model, even when some keys are not chosen at random.

a more direct approach where computational security is shown without the use of a soundness result. The idea is to reason about protocols in a first-order logic, based on a set of axioms which are shown to be valid in a computational model.

Mobile ad hoc networks consist of mobile wireless devices which autonomously organize their communication infrastructure: each node provides the function of a router and relays packets on paths to other nodes. Finding these paths in an a priori unknown and constantly changing network topology is a crucial functionality of any ad hoc network. Specific protocols, called *routing protocols*, are designed to ensure this functionality, known as *route discovery*. Secure routing protocols use cryptographic mechanisms in order to prevent a malicious node from compromising the discovered route.

Mathilde Arnaud, Véronique Cortier and Stéphanie Delaune present in a calculus for modeling and reasoning about security protocols, including in particular secure routing protocols. Their calculus extends standard symbolic models to take into account the characteristics of routing protocols and to model wireless communication in a more accurate way. They propose a decision procedure for analyzing routing protocols for a bounded number of sessions.

In the context of vehicular ad-hoc networks, to improve road safety, a vehicle-to-vehicle communication platform is currently being developed by consortia of car manufacturers and legislators. Actually, there is a consensus that all vehicles must periodically broadcast a beacon message consisting of the vehicle's location, velocity, and identifier. However, broadcasting this data several times per second raises privacy issues. Mix-zones, where vehicles encrypt their transmissions and then change their identifiers, have been proposed as a solution to this problem.

In previous papers we pioneered formal, symbolic verification of electronic voting protocols. In particular we gave definitions of privacy-preserving properties, such as vote privacy, receipt-freeness and coercion-resistance. A survey of our work was invited to appear as a chapter in a special LNCS volume on the state of the art of research in electronic elections.

The notion of *end-to-end verifiability* has been introduced in electronic voting systems to achieve transparency: the voter should not have to trust the election authorities, the hardware or the software in order to trust the outcome. In we present a formal, symbolic definition of election verifiability for electronic voting protocols in the context of the applied pi calculus. Our definition is given in terms of boolean tests which can be performed on the data produced by an election. The definition distinguishes three aspects of verifiability: individual, universal and eligibility verifiability. It also allows us to determine precisely which aspects of the system’s hardware and software must be trusted for the purpose of election verifiability. In contrast with earlier work our definition is compatible with a large class of electronic voting schemes, including those based on blind signatures, homomorphic encryption and mixnets. We demonstrate the applicability of our formalism by analysing three protocols: FOO, Helios 2.0, and Civitas (the latter two have been deployed). In , we presented a stronger definition of verifiability: it had the advantage of automated tool support for proving the property, but it was too strong for a variety of protocols in the literature.

Security APIs allow untrusted code to access sensitive resources in a secure way. The idea is to design an interface between a trusted component, such as a smart card or cryptographic security module, and the untrusted outside world such that no matter what sequence of commands in the interface is called, and no matter what the parameters are, certain good properties will continue to hold, e.g. the secret long-term keys on the smartcard are never revealed. Designing such interfaces is very tricky, and several vulnerabilities in APIs in common use have come to light in recent years.

In the SECSI team we have been studying the application of formal security analysis techniques to APIs for the last few years. Notable progress was made this year on the study of the API of the Trusted Platform Module (TPM), a cryptographic chip installed in most new computers. The API is described in a vast specification that lacks a definite security policy. In a paper at FAST (also presented at the SecCo workshop), we discussed a basis for a security policy based around formally specified correspondence properties. We showed how these properties can be checked using the protocol analysis tool ProVerif, and showed examples of commands in the API that fail to assure such security. We showed how the standard could be patched for the next release.

Significant results were also obtained in the study of the widely used standard for key management APIs, RSA PKCS#11. Previously, the group had published work showing how a variety of attacks on the API specified in the standard could be found using model checking. However, until this year, they remained attacks on the standard and it was unknown to what extent they affected real devices. This year, with the development of the *Tookan* tool (see ), we were able to use these formal analysis techniques to discover 10 previously unknown attacks on commercially available devices, including several developed by the major manufacturers.

Virtualized systems such as Xen, VirtualBox, VMWare or QEmu have been proposed to increase the level of security achievable on personal computers. On the other hand, such virtualized systems are now targets for attacks. Hedi Benzina and Jean Goubault-Larrecq propose an intrusion detection architecture for virtualized systems, and discuss some of the security issues that arise. The main point is that running Orchids in a separate virtual machine allows one to monitor all the other virtual machines in a safe way, and even to restart a virtual machine from an earlier non-compromised state in case of compromise.

However, a weak spot of such virtualized systems in terms of security is domain zero administration, which is left entirely under the administrator's responsibility, and is in particular vulnerable to trojans. To avert some of the risks, the paper proposes to install a role-based access control model with possible role delegation, and to describe all undesired activity flows through simple temporal formulas, in a fragment of first-order LTL with past. The latter are easily compiled into Orchids rules, through a generalization of the so-called history variable mechanism.
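The history-variable idea mentioned above can be shown on a small monitor, added here as an illustration; it is not Orchids rule syntax and not the compilation scheme of the paper. The event names, the per-user projection of the log, and the policy ("an administration command in domain zero is undesired unless the user's role was delegated and not revoked since") are assumptions made for the example.

```python
"""Past-time LTL monitoring with history variables (illustrative sketch)."""
from collections import defaultdict

# Formulas are nested tuples:
#   ("atom", name) ("not", f) ("and", f, g) ("or", f, g)
#   ("prev", f)  ("once", f)  ("hist", f)  ("since", f, g)   # f S g


def subformulas(f, acc=None):
    """List the subformulas of f bottom-up (children before parents)."""
    acc = [] if acc is None else acc
    for child in f[1:]:
        if isinstance(child, tuple):
            subformulas(child, acc)
    if f not in acc:
        acc.append(f)
    return acc


class Monitor:
    """Evaluates one closed formula over a stream of event names."""

    def __init__(self, formula):
        self.formula = formula
        self.order = subformulas(formula)
        # One history variable per subformula: its value at the previous
        # event. "Historically" starts true, every other operator false.
        self.prev = {f: f[0] == "hist" for f in self.order}
        self.first = True

    def step(self, event_name):
        now = {}
        for f in self.order:
            op = f[0]
            if op == "atom":
                v = f[1] == event_name
            elif op == "not":
                v = not now[f[1]]
            elif op == "and":
                v = now[f[1]] and now[f[2]]
            elif op == "or":
                v = now[f[1]] or now[f[2]]
            elif op == "prev":   # true iff f held at the previous event
                v = (not self.first) and self.prev[f[1]]
            elif op == "once":   # O f  =  f  or  previously(O f)
                v = now[f[1]] or self.prev[f]
            elif op == "hist":   # H f  =  f  and previously(H f)
                v = now[f[1]] and self.prev[f]
            elif op == "since":  # f S g = g or (f and previously(f S g))
                v = now[f[2]] or (now[f[1]] and self.prev[f])
            else:
                raise ValueError("unknown operator: %r" % (op,))
            now[f] = v
        self.prev, self.first = now, False
        return now[self.formula]


class PerUserMonitor:
    """First-order layer: one set of history variables per user value.
    Assumption: each monitor only sees the events of its own user."""

    def __init__(self, formula):
        self.monitors = defaultdict(lambda: Monitor(formula))

    def feed(self, event):
        return self.monitors[event["user"]].step(event["event"])


# Hypothetical policy, expressed as the undesired flow itself.
HOLDS_ROLE = ("since", ("not", ("atom", "role_revoked")),
              ("atom", "role_delegated"))
VIOLATION = ("and", ("atom", "dom0_admin_cmd"), ("not", HOLDS_ROLE))

SAMPLE_LOG = [  # constructed events, not taken from any real system
    {"t": 1, "user": "alice", "event": "role_delegated"},
    {"t": 2, "user": "alice", "event": "dom0_admin_cmd"},
    {"t": 3, "user": "bob", "event": "dom0_admin_cmd"},
    {"t": 4, "user": "alice", "event": "role_revoked"},
    {"t": 5, "user": "alice", "event": "dom0_admin_cmd"},
    {"t": 6, "user": "alice", "event": "role_delegated"},
    {"t": 7, "user": "alice", "event": "dom0_admin_cmd"},
]


def detect(log):
    """Return (time, user) for every event at which VIOLATION holds."""
    mon = PerUserMonitor(VIOLATION)
    return [(e["t"], e["user"]) for e in log if mon.feed(e)]


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The monitor keeps a constant amount of state per user and formula, whatever the length of the log, which is what makes this style of evaluation suitable for online detection.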

One of the results obtained by Jean Goubault-Larrecq was that so-called continuous credibilities (sometimes called continuous belief functions) were an adequate semantic model for mixing probabilistic choice and demonic non-deterministic choice. Klaus Keimel (U. Darmstadt) informed Goubault-Larrecq that this was a definite improvement over a series of results in mathematics due to Choquet in the 1950s, then to Kendall and Matheron in the 1970s. The paper is probably the ultimate result in this direction, showing that, up to a bijection, continuous credibilities are the same thing as continuous valuations (essentially, measures) over the Smyth hyperspace (the powerdomain of demonic non-determinism), under mild conditions. Additionally, this paper deals with continuous plausibilities vs. angelic non-determinism, and with a new notion called sesqui-continuous estimates, vs. erratic non-determinism. Finally, not only are these results more general than any former version, but the proofs are also considerably simpler, using a very simple case of Groemer's integral theorem.

As part of the ANR programme blanc CPP project, Bouissou, Goubault, Goubault-Larrecq and Putot showed how to extend a precise abstract interpretation framework based on so-called zonotopes (i.e., polytopes that are symmetric around a given point called its center) to programs that take some inputs known to obey certain (imprecise) probabilities. The basic zonotope framework allows one to analyze numerical programs and have good upper approximations of the values taken by each program variable, as a function of so-called noise symbols, assumed to vary in [-1, 1]. This is extended to computing *distributions* over zonotopes, described as finite P-boxes, or finite interval-based belief functions. The stress in this paper is on computing approximants of distributions of real values taken by program variables, using such objects. Further papers will explain the precise connection with continuous credibilities, part of which is implicit in .
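The basic zonotope layer described above can be illustrated with affine forms over noise symbols, compared with plain intervals. This is an added sketch, not the analyzer developed in the CPP project: it leaves out the P-box and belief-function extension and ignores floating-point round-off, and the class name `Affine` and the sample program are assumptions.

```python
"""Affine forms over noise symbols in [-1, 1] (illustrative sketch)."""
import itertools


class Affine:
    """x = c + sum_i a_i * eps_i, every noise symbol eps_i in [-1, 1].
    Variables that share noise symbols are correlated; the joint values
    of several such variables form a zonotope."""

    _fresh = itertools.count()  # generator of fresh noise-symbol indices

    def __init__(self, center, terms=None):
        self.c = float(center)
        self.terms = {k: v for k, v in (terms or {}).items() if v != 0.0}

    @classmethod
    def from_interval(cls, lo, hi):
        """An input known only to lie in [lo, hi]: one fresh noise symbol."""
        return cls((lo + hi) / 2, {next(cls._fresh): (hi - lo) / 2})

    def radius(self):
        return sum(abs(a) for a in self.terms.values())

    def bounds(self):
        r = self.radius()
        return (self.c - r, self.c + r)

    def __add__(self, other):
        other = _lift(other)
        keys = self.terms.keys() | other.terms.keys()
        return Affine(self.c + other.c,
                      {k: self.terms.get(k, 0.0) + other.terms.get(k, 0.0)
                       for k in keys})

    def __neg__(self):
        return Affine(-self.c, {k: -a for k, a in self.terms.items()})

    def __sub__(self, other):
        return self + (-_lift(other))

    def __mul__(self, other):
        other = _lift(other)
        keys = self.terms.keys() | other.terms.keys()
        terms = {k: self.c * other.terms.get(k, 0.0)
                 + other.c * self.terms.get(k, 0.0) for k in keys}
        # The product of the two noise parts is not affine: bound it by
        # radius * radius and attach it to a fresh noise symbol.
        err = self.radius() * other.radius()
        if err:
            terms[next(Affine._fresh)] = err
        return Affine(self.c * other.c, terms)

    __radd__ = __add__
    __rmul__ = __mul__


def _lift(v):
    return v if isinstance(v, Affine) else Affine(v)


# Plain interval arithmetic, for comparison (no correlation tracking).
def isub(a, b):
    return (a[0] - b[1], a[1] - b[0])


def imul(a, b):
    ps = [x * y for x in a for y in b]
    return (min(ps), max(ps))


def analyze():
    """Sample program: y = x*x - 2*x with input x in [1, 3].
    The exact range of y is [-1, 3]."""
    x = Affine.from_interval(1, 3)
    y = x * x - 2 * x
    xi = (1, 3)
    yi = isub(imul(xi, xi), imul((2, 2), xi))
    return {"affine": y.bounds(), "interval": yi,
            "x_minus_x": (x - x).bounds()}


if __name__ == "__main__":
    print(analyze())
```

Both results over-approximate the exact range; the affine form is tighter because the two occurrences of `x` share one noise symbol, so their linear parts cancel instead of adding up.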

Jung and Tix asked the following question in 1998: Is there any cartesian-closed category of continuous domains that would be closed under Jones and Plotkin's probabilistic powerdomain construction? This is a major open problem in the area of denotational semantics of probabilistic higher-order languages. While this problem remains open, there is simply no known denotational semantics for higher-order, typed, functional languages with polymorphic choice, except for the trivial one where types are interpreted as mere dcpos—not necessarily continuous, hence with possibly strange properties.

Jean Goubault-Larrecq's invited paper at ICALP'10 was an opportunity to recapitulate on research done since his LICS'07 paper on Noetherian spaces, and applied with Alain Finkel to the verification of well-structured transition systems.

Additionally, Jean Goubault-Larrecq claimed there that Noetherian spaces were probably an interesting (proper) generalization of well-quasi orders. He demonstrated a few examples of transition systems that are beyond well-structured transition systems, but on which Noetherian machinery allows for easy decidability results, including some multiple-pushdown-stack systems, and a class of communicating programs that compute on real numbers.

The AVOTÉ project (
http://

Electronic voting promises the possibility of a convenient, efficient and secure facility for recording and tallying votes. However, the convenience of electronic elections comes with a risk of large-scale fraud and their security has seriously been questioned. In this project we propose to use formal methods to analyze electronic voting protocols. More precisely, we structure the project around four work-packages.

Formalizing protocols and security properties. Electronic voting protocols have to satisfy a variety of security properties that are specific to electronic elections, such as eligibility, verifiability and different kinds of anonymity properties. In the literature these properties are generally stated intuitively and in natural language. Such informal definitions are at the origin of many security flaws. As a first step the participants therefore propose to give a formalization of the different security properties in a well-established language for protocol analysis.

Automated techniques for formal analysis. The participants propose to design algorithms to perform abstract analysis of a voting system against formally stated security properties. From preliminary work it has already become clear that privacy-preserving properties can be expressed as equivalences. Therefore, we will pay particular attention to automated techniques for deciding equivalences, such as static and observational equivalence in cryptographic pi-calculi. Static equivalence relies on an underlying equational theory axiomatizing the properties of the cryptographic functions (encryption, exclusive or, ...). Results exist for several interesting equational theories such as exclusive or, blind signature and other associative and commutative functions. However, many interesting equational theories useful for electronic voting are still lacking. The participants will also investigate a more modular approach based on combination results. More importantly, the participants will develop algorithms for deciding observational equivalence: in particular, symbolic decision procedures for deciding observational equivalence in the case of a bounded number of sessions, putting the stress on equational theories with applications to electronic voting. These algorithms will be implemented in prototypes which are to be included in the AVISPA platform.

Computational aspects. There are two competing approaches to the verification of cryptographic protocols: the formal (also called Dolev-Yao) model and the complexity-theoretic model, also called the computational model, where the adversary can be any polynomial time probabilistic algorithm. While the complexity-theoretic framework is more realistic and gives stronger security guarantees, the symbolic framework allows for a higher level of automation. Because of this, effort has been spent during the last years in relating both frameworks with the goal of getting the best of both worlds: see the ARA Formacrypt section. The participants plan to continue this effort and investigate soundness results for cryptographic primitives related to electronic voting. Moreover, most of the existing results only hold for trace properties, which do not cover most properties in electronic elections. The participants of AVOTÉ plan to establish soundness results for these properties.

Case studies. The members of AVOTÉ will validate all of the results on several case studies from the literature, notably a real-life case study on an electronic voting protocol designed at the Université Catholique de Louvain. This protocol was trialled during the election of the university president in 2009. However, even though the fundamental needs of security are satisfied, no formal analysis of this protocol has been performed.

The Phalaenopsis project is an ADT (action de développement technologique) of INRIA Saclay. It started December 01, 2010, and will end on November 30, 2011. Its purpose is to prepare a technology transfer of the intrusion detection tool Orchids, developed at SECSI, towards the industrial world. The intended industrial partner is EADS (Innovation Works, Cassidian). Technically, this will involve adding some features that Orchids is still lacking, notably as far as aggregation of input events, presentation of detection results, and generation of signatures are concerned.

The REDPILL project is a DIGITEO project, started in September 2009. The partners are SECSI and Bertin Technologies. The goal of the project is the detection of malware on virtualized platforms.

The PFC project (for: “PlateForme de Confiance”) is one
of the projects of the System@tic Paris Region French
cluster in complex systems design and management, see
http://

The goal of the project is the design and validation of secure and safe embedded applications, particularly aimed at upper administration, police and customs forces. Within this project, SECSI is particularly collaborating with Bertin Technologies on effective intrusion prevention in hypervisor-based computer systems using ORCHIDS. Hedi Benzina has joined the project in November 2008 as a temporary engineer.

Hedi Benzina has started a PhD thesis in October 2009, under the direction of Jean Goubault-Larrecq, and is funded by the Digiteo DIM project “RedPill: Malware Detection on Virtualized Architectures”, 2009-2012.

Jean Goubault-Larrecq made a critical evaluation of the Spidware security solution, based on Jeremy Briffaut's PIGA interposition tool, on account of Advitech Partners. Spidware is a startup company founded by researchers at ENSI Bourges and LIFO. Jean Goubault-Larrecq wrote a detailed, confidential report on the technical strengths and weaknesses of this product.

Jean Goubault-Larrecq is scientific coordinator of the
ANR programme blanc project CPP (confiance, preuves,
probabilités, 2009-2012). See the Wiki
http://

From the standpoint of SECSI, this project leverages the results obtained during the ARC ProNoBiS (2006-2007) and before on semantic models of mixed non-deterministic and probabilistic choice, and applies them to the design of static analyzers for floating-point programs, specifically airplane engine controllers. (The need comes from Dassault Aviation, and Hispano-Suiza plane engines—now Safran. They are both associated partners to the project.)

The whole project revolves around the automated evaluation of uncertainty, whether probabilistic or non-deterministic. This uncertainty arises because static analyzers must inherently work on approximate values, but also because the environmental values (pressure, temperature, speed) are known only up to some precision, or fluctuate around some central value; and finally because of round-off errors in floating-point computations.

This project is a focused collaborative project, supported by CNRS and the Japan Science and Technology agency. The main goals are similar to the Formacrypt project described above: the aim is to produce security proofs at a symbolic level, while deriving precise computational assumptions, under which the proofs can be transferred at the computational level.

The idea is to bring, on this focused research area, both cryptographers and specialists of formal methods, and both Japanese and French researchers. The activities include an annual meeting (the first one being organized in Japan, in April 2009) and visits on both sides. Hubert Comon-Lundh has been visiting the Research Center for Information Security during two years (partly supported by INRIA). Other visits from the French side include S. Kremer and S. Bursuc for instance.

On the result side, there is a joint paper (by H. Comon-Lundh, Y. Kawamoto and H. Sakurada), that appeared in the JSIAM letters (May 2009). This paper is about anonymity proofs for ring signatures, in an unbounded network. In this work, H. Comon-Lundh brought an expertise in formal methods and concurrency and the Japanese side an expertise in cryptographic primitives related to digital signatures.

This is typically the goal of the project: produce such collaborative results coming from two countries and two different research communities.

Hubert Comon-Lundh is director of the MPRI (Parisian Master of Research in Computer Science). He is an elected member of the scientific council of the CNRS INSII. He is a member of the scientific council of INRIA-MSR, IRISA (AERES) and LIF. He is the representative of CPU for Allistene, GT2. He has been a member of the “comité de sélection” at Paris 7, Marseille and Paris 13. He was guest editor of a special issue of JAR on security and rewriting.

Hubert Comon-Lundh and Stéphanie Delaune co-organized the 37th Spring School on theoretical computer science the French-Japanese collaboration workshop, CoSyProofs’10 (60 attendees), Barbizon, France.

Stéphanie Delaune also gave an interview on electronic voting in the magazine *La Recherche*.

Jean Goubault-Larrecq was a member of the “comité de sélection” for a “Maître de Conférences” position at the Université Paris Diderot, the committee “défi ANR SEC&SI” and the Gilles Kahn thesis award committee.

He was also guest editor (with Ralf Treinen) of a special issue of LMCS (selected papers from RTA'09).

Steve Kremer was a member of the hiring committee (jury CR) of INRIA Saclay.

Graham Steel was General Chair of CSF'10. He also co-organised the 4th International Workshop on Analysis of Security APIs (ASA-4), a satellite of CSF'10.

Mathilde Arnaud held part of the TDs (exercise sessions) of the course Advanced Algorithmics (ENS Cachan, first year = level 3), and part of the TPs (programming project) of the course Programmation II (ENS Cachan, first year = level 3) during the academic year 2009/2010.

Hedi Benzina held a part of the TPs of the course “Projet programmation réseau” for MPRI (Master Parisien de Recherche en Informatique) master level 1. Total amount (21h).

Rohit Chadha gave the course “Probabilistic aspects of computer science” for MPRI (Master Parisien de Recherche en Informatique) master level 1.

Vincent Cheval held exercise sessions for EEA Licence level 3 courses of Programming (20h) and also for “Préparation à l'agrégation” at ENS Cachan (12h).

Céline Chevalier held the TDs for Calculability and Logics at the Bachelor level (L3) in ENS Cachan and Probabilistic Aspects of Computer Science at the master level (M1) at the MPRI.

Hubert Comon-Lundh is teaching the logic course at the Bachelor level (L3) in ENS Cachan and the logic course at the master level (M1) for the “agrégation de mathématiques”.

Stéphanie Delaune gave a part (12h) of the MPRI (Master Parisien de Recherche en Informatique) course 2.30, *Cryptographic protocols: formal and computational proofs*. She also gave a lecture (4h) on verification of cryptographic protocols at ENS Cachan (level L3).

Jean Goubault-Larrecq gave the following courses: logic and computer science (i.e., lambda-calculus; ENS Cachan and ENS Paris, first year = level L3, 39h eq. TD), automated deduction (MPRI, level M2, 18h eq. TD), programming (ENS Cachan, first year = level L3, 36h eq. TD), and advanced complexity (MPRI, level M1, 39h eq. TD). He also participated in rehearsals of lessons of “agrégation”, ENS Cachan, 3rd year, 27h eq. TD. He also gave a lecture (4h) on cryptographic protocols at ENS Cachan (level L3).

Steve Kremer was teaching formal verification of security protocols in the master (M2) courses “Cryptographic protocols: formal and computational proofs” at the MPRI (amount: 18h TD eq.) and “Méthodes de vérification de sécurité” (verification methods for security) at the “Master Sécurité des Systèmes Informatiques”, University Paris XII (amount: 9h TD eq.).

Hubert Comon-Lundh and Stéphanie Delaune co-supervised Vincent Cheval, who started his PhD in Fall 2009 on the verification of equivalence-based security properties.

Hubert Comon-Lundh co-supervised (with Véronique Cortier, LORIA) Guillaume Scerri's master internship.

Stéphanie Delaune and Jean Goubault-Larrecq co-supervised Mathilde Arnaud (co-advisor Véronique Cortier, LORIA) who started her PhD in Fall 2008 on verification of ad-hoc routing security protocols.

Stéphanie Delaune and Graham Steel co-supervised Morten Dahl (8 month intern from University of Aalborg), project `Analysing Privacy Properties of VANET Protocols'.

Jean Goubault-Larrecq supervised Hedi Benzina who started his PhD in Fall 2009 on malware detection on virtualized architectures, funded by the Digiteo “RedPill” DIM project. He also supervised Philippe Chaput from Fall 2009 to Summer 2010, on efficient finite-state approximants of probabilistic processes, funded by a CORDI grant from INRIA. Finally, he supervised Jean-Loup Carré on static analysis of multi-threaded programs, funded by a CIFRE grant with EADS Innovation Works; Jean-Loup Carré defended in July 2010.

Steve Kremer and Jean Goubault-Larrecq supervised Ştefan Ciobâcă (co-advisor Véronique Cortier, LORIA) who started his PhD in Fall 2008 on the automatic verification of equivalence properties and electronic voting protocols.

Steve Kremer and Graham Steel supervised Robert Künnemann who started his PhD in Fall 2010 on the verification of security APIs.

Graham Steel co-supervised Gavin Keighren (PhD student, Edinburgh), provisional thesis title: Information Flow techniques for API Analysis.

Hubert Comon-Lundh participated in the following PhD/habilitation thesis committees

PhD of Pierre-Malo Deniélou, Paris 7 (examinateur)

Thomas Genet, Rennes 1 (examinateur)

Pierre Valarcher, Paris 12 (examinateur)

Jean Goubault-Larrecq participated in the following PhD/habilitation thesis committees

Habilitation of Olivier Laurent, PPS (président de jury),

PhD of Nazim Benaissa, LORIA (rapporteur),

PhD of Mathieu Tracol, LRI (examinateur),

PhD of Nizar Kheir, ENST Bretagne (rapporteur),

Habilitation of Xavier Urbain, LRI, Orsay (rapporteur),

PhD of Benoit Boyer, IRISA, Rennes (rapporteur).

Steve Kremer participated in the following PhD thesis committees

PhD of Christelle Braun, LIX, École Polytechnique (examinateur)

Hubert Comon-Lundh participated in the following program committees:

FOSSACS

ASIA CCS

RTA

LPAR

and the workshops FCC, SECRET

Stéphanie Delaune participated in the following program committees:

workshop on Foundations of Security and Privacy FCS-PrivMod, 2010.

Jean Goubault-Larrecq participated in the following program committees:

RV'10,

LPAR'10,

ESOP'11.

Steve Kremer participated in the following program committees:

MoVeP'10,

SecReT (co-chair).

Graham Steel participated in the following program committees:

ARSPA-WITS'10

ASA-4 (chair)

MICAI 2010

Mathilde Arnaud has presented at CSF'10. She also attended the associated workshops FCS-PrivMod, FCC and ASA.

Gergei Bana has been invited to hold seminar talks at

SQIG group of the Mathematics Department of Instituto Superior Tecnico, Lisbon, Portugal

Verimag of Joseph Fourier University, Grenoble,

Information Security group of the Department of Computer Science of ETH Zurich

He also attended CSF'10 (Edinburgh, UK), and presented a talk at FCC'10 (Edinburgh, UK). He has also been invited for a couple of weeks for continuing joint work at University of Tsukuba, Japan, and at Instituto Superior Tecnico, Lisbon, Portugal.

Hedi Benzina has presented at the third International Workshop on Autonomous and Spontaneous Security (SETOP 2010, part of ESORICS 2010). He also attended the MoVeP 2010 Summer School and the ESORICS 2010 conference.

Vincent Cheval has presented at the IJCAR'10 conference. He also attended the Secret 2010 workshop and CosyProofs Spring School.

Ştefan Ciobâcă has presented at CSF'10. He also attended the workshops affiliated with CSF'10, the CoSyProofs Summer School and the SecRet'10 (Valencia, Spain) workshop.

Hubert Comon-Lundh gave an invited talk at FCS-PrivMod 2010. He attended FLoC'10 and SecReT'10.

Stéphanie Delaune has presented at the Secco workshop (Paris, France) and at the FAST conference (Pisa, Italy). She gave an invited talk at the SecVote summer school (Bertinoro, Italy). She has also attended the FLoC conference (Edinburgh, UK).

Jean Goubault-Larrecq gave invited talks at ICALP'10 (Bordeaux, France, July 05-10), at the Dagstuhl seminar on the theory of information (Dagstuhl, Germany, June 6-10), and at two international workshops: Galop'10 (Cyprus, March 21), and SecCo'10 (Paris, France, August 30). He attended the LICS'10 (Edinburgh, Scotland, July 11-14), and CONCUR'10 (Paris, France, August 31-September 03) conferences.

He gave seminars at PPS, U. Paris Diderot (January 28), at LIAFA, U. Paris Diderot (February 08), at the “complexité, logique et informatique” seminar, U. Paris Diderot (February 21), and at the ANR Panda meeting (May 04). He gave tool demonstrations at ANSSI (national agency for the security of information systems, June 02), and at the first I-Match day (INRIA Saclay, November 23).

Yusuke Kawamoto has presented his work at the CoSyProofs spring school (Barbizon, France). He also attended CSF'10 and FCC'10 (Edinburgh, UK).

Steve Kremer was a lecturer at the CoSyProofs spring school (Barbizon, France) and the SecVote summer school (Bertinoro, Italy). He gave an invited talk at the workshop in honour of Raymond Devillers' 65th birthday (Brussels, Belgium). He also attended CSF'10 (Edinburgh, UK), SecReT'10 (Valencia, Spain) and SecCo'10 (Paris, France).

Graham Steel was a lecturer at the SICSA summer school (Edinburgh, UK), and an invited speaker at the WSOFT workshop (Pisa, Italy), the JFLI Workshop (Paris Jussieu), the MeFoSyLoMa seminar (Cachan), and the AVOTE workshop (Cachan). He gave invited seminars at IRISA Rennes, VERIMAG Grenoble, Barclays Bank (London, UK) and the University of Edinburgh (UK). He presented work at the Grande Region Security Day (Saarbruecken, Germany), the CoSyProofs Workshop (Barbizon, France), SecReT'10 (Valencia, Spain), the Analysis of Security APIs workshop (Edinburgh, UK), ACM CCS (Chicago, USA), and the CryptoForma Workshop (Guildford, UK). He also attended CSF'10 and VSTTE'10.

Joe-Kai Tsay attended the CoSy Proofs Spring School, the CSF 2010 Conference, and the FCS-PrivMod 2010, the FCC 2010 and the ASA-4 workshops.