Most existing results in verification of security protocols focus on trace properties such as secrecy or authentication. There are however several security properties that cannot be defined (or cannot be naturally defined) as trace properties and require the notion of indistinguishably. Typical examples are anonymity, privacy related properties or statements closer to security properties used in cryptography.

In the framework of the applied pi-calculus  , as in similar languages based on equational logics, indistinguishability corresponds to a relation called trace equivalence. Roughly, two processes are trace equivalent when an observer cannot see any difference between the two processes.

Under some conditions, trace equivalence can be reduced to the problem of deciding symbolic equivalence, an equivalence relation introduced by M. Baudet  . However, the procedure proposed by Mathieu Baudet for deciding symbolic equivalence is complex and cannot be implemented in its current state. Moreover, this method can only deal with simple processes with trivial else branches and is restricted to the class of subterm-convergent equational theories. Unfortunately, this makes it unsuitable for some case studies of interest to the SECSI team, among which the FOO electronic voting protocol, and the electronic passport protocols.

In order to provide tool support to decide trace equivalence, Rohit Chadha, Stefan Ciobâcă, and Steve Kremer propose a procedure that can handle a large set of cryptographic primitives. The procedure has been implemented in a prototype tool and has been effectively tested on examples ( e.g., the FOO e-voting protocol). This paper is currently under submission.

Vincent Cheval, Hubert Comon-Lundh and Stéphanie Delaune have designed another procedure that allows one to check trace equivalence for a general class of processes  . In their class, they can model conditionals (with non-trivial else branches), private channels, and non-deterministic choice. The private authentication protocol and the various versions of the electronic passport protocol fall into their class.

Anonymous credentials plays an important role in non-interactive anonymous authentication: they allow a user to obtain certificates from organization and subsequently prove their possession in such a way that transactions of a same user remain unlinkable. In collaboration with Benoit Libert and Damien Vergnaud, Malika Izabachène present an anonymous credential scheme  in which a user can prove possession of appropriate attributes in an non-interactive fashion, by showing that these attributes satisfy a certain predicate (different type of predicates are handled).

Following this line of research on anonymous protocols, Stéphanie Delaune, Malika Izabachène and Graham Steel formalize unlinkability in the pi-calculus framework. They are exploring several scenarios in order to capture many adversarial strategies, especially in the context of low-cost devices, in which sensitive data are stored and identifier means are exchanged through public channels.

Security APIs allow untrusted code to access sensitive resources in a secure way. The idea is to design an interface between a trusted component, such as a smart card or cryptographic security module, and the untrusted outside world such that no matter what sequence of commands in the interface are called, and no matter what the parameters, certain  good  properties will continue to hold, e.g. the secret long term keys on the smartcard are never revealed. Designing such interfaces is very tricky, and several vulnerabilities in APIs in common use have come to light in recent years.

The members of the SECSI team have been studying the application of formal security analysis techniques to APIs, for the last few years. These APIs include industrial standards such as PKCS#11 and the Trusted Platform Module (TPM).

In  , Delaune, Kremer and Steel present a Horn-clause-based framework for analyzing security protocols that use platform configuration registers (PCRs), which are registers for maintaining state inside the Trusted Platform Module (TPM). In their model, the PCR state space is unbounded, and experience shows that a naïve analysis using verification tools such as ProVerif or SPASS does not terminate. To address this, the authors extract a set of instances of the Horn clauses of the model, for which ProVerif does terminate on the chosen examples. The authors prove the soundness of this extraction process: no attacks are lost, that is, any query derivable in the more general set of clauses is also derivable from the extracted instances. The effectiveness of this framework is demonstrated in two case studies: a simplified version of Microsoft Bitlocker, and a digital envelope protocol that allows a user to choose whether to perform a decryption, or to verifiably renounce the ability to perform the decryption.

One of the reasons for the existence of security flaws that the members of the SECSI team identified when studying security APIs is the absence of definitions stating the expected security properties.

In  , Kremer, Steel and Warinschi propose a much-needed formal definition of security for cryptographic key management APIs. The advantages of this definition are that it is general, intuitive, and applicable to security proofs in both symbolic and computational models of cryptography. This definition relies on an idealized API which allows only the most essential functions for generating, exporting and importing keys, and takes into account dynamic corruption of keys. Based on this the authors can define the security of more expressive APIs which support richer functionality. They illustrate their approach by showing the security of APIs both in symbolic and computational models.

More recently, Kremer, Künnemann and Steel go even a step further in that direction and present the first key-management functionality in Canetti's Universal Composability (UC) framework. It allows one to enforce a wide range of security policy and is highly extensible. The authors illustrate its use by proving an implementation of a Security API secure with respect to arbitrary key-usage operations and explore a proof technique that allows to store cryptographic keys externally, a novelty in the UC framework. This work is currently submitted.

In other recent work, in collaboration with Riccardo Focardi at the University of Venice, Kawamoto, Steel and Tsay have investigated the error behaviour of functions in the PKCS#11 API of various cryptographic devices including security tokens, electronic ID cards and Hardware Security Modules (HSMs). In certain circumstances attackers can take advantage of errors reported to make cryptanalytic attacks on functions in the API. Taking the example of the command used to import and encrypted key onto the device, they have discovered a number of so-called `error oracle attacks' based on variations of well-known padding attacks due to Bleichenbacher and Vaudenay. This work has also recently been submitted. A number of vulnerability reports have been sent to manufacturers and national agencies.

Mobile ad hoc networks consist of mobile wireless devices which autonomously organize their communication infrastructure: each node provides the function of a router and relays packets on paths to other nodes. Finding these paths in an a priori unknown and constantly changing network topology is a crucial functionality of any ad hoc network. Specific protocols, called routing protocols, are designed to ensure this functionality known as route discovery. Secure routing protocols use cryptographic mechanisms in order to prevent a malicious node from compromising the discovered route and they often perform some recursive tests on received messages.

Mathilde Arnaud, Véronique Cortier and Stéphanie Delaune provide NPTIME decision procedures for protocols with recursive tests and for a bounded number of sessions  . They also revisit constraint system solving, providing a complete symbolic representation of the attacker knowledge.

In the context of vehicular ad-hoc networks, to improve road safety, a vehicle-to-vehicle communication platform is currently being developed by consortia of car manufacturers and legislators.

In  , Morten Dahl, Stéphanie Delaune and Graham Steel propose a framework for formal analysis of privacy in location based services such as anonymous electronic toll collection. They give a formal definition of privacy, and apply it to the VPriv scheme for vehicular services. They analyse the resulting model using the ProVerif tool, concluding that the privacy property holds only if certain conditions are met by the implementation. Their analysis includes some novel features such as the formal modelling of privacy for a protocol that relies on interactive zero-knowledge proofs of knowledge and list permutations.

Céline Chevalier, Stéphanie Delaune, and Steve Kremer investigate the composition of protocols that share a common weak secret  . This situation arises when users employ the same password on different services. More precisely they study whether resistance against guessing attacks composes when a same password is used. More precisely, they present a transformation which maps a password protocol that is secure for a single protocol session (a decidable problem) to a protocol that is secure for an unbounded number of sessions. Their result provides an effective strategy to design secure password protocols: (i) design a protocol intended to be secure for one protocol session; (ii) apply the transformation and obtain a protocol which is secure for an unbounded number of sessions. This technique also applies to compose different password protocols allowing one to obtain both inter-protocol and inter-session composition.

Hedi Benzina showed that hypervisors can be protected from some denial of service attacks by allowing administrators to write security policies in a simple language . He implemented the RuleGen tool, which translates these policies into Orchids signatures.

Soundness results aim at bridging the gap between computational and symbolic security; they show that some symbolic model, in which messages are terms and the attacker is a formal process, faithfully abstracts the computational model, in which messages are bitstrings and the attacker is any probabilistic polynomial time Turing machine. Such results allow one to derive strong security guarantees, while reasoning at an abstract level. They have been developed for several cryptographic primitives (e.g. symmetric and asymmetric encryption, signatures, hash) and security properties.

These results however suffer from some severe limitations, as Hubert Comon-Lundh and Véronique Cortier demonstrate , focusing on symmetric encryption.

Rohit Chadha along with A. Prasad Sistla and Mahesh Viswanathan continued their study on reactive probabilistic systems modeled as Probabilistic Büchi Automata (PBA) in . Reactive probabilistic systems are probabilistic non-deterministic systems in which the nondeterminism is resolved by a external environment which is oblivious of the “current" state of the system. This paper investigates the power of PBA when the threshold probability of acceptance is non-extremal, i.e., is a value strictly between 0 and 1. Many practical randomized algorithms are designed to work under non-extremal threshold probabilities and thus it is important to study power of PBAs for such cases. The paper presents a number of surprising expressiveness and decidability results for PBAs when the threshold probability is non-extremal. Some of these results sharply contrast with the results for extremal threshold probabilities. The paper also presents results for Hierarchical PBAs and for an interesting subclass of them called simple PBAs.

Rohit Chadha along with V. Korthikranthi, M. Viswanathan, G. Agha and Y. Kwon also study reactive probabilistic systems in . In   , reactive probabilistic systems are viewed as transformers of probability distributions, giving rise to a labeled transition system over the probability distributions over the states of the system. Thus, a reactive probabilistic system can be seen as defining a set of executions where each execution is a sequence of probability distributions. Reasoning about sequences of distributions allows one to express properties not expressible in standard probabilistic logics like PCTL; examples include expressing bounds on transient rewards and expected values of random variables, as well as comparing the probability of being in one set of states at a given time with another set of states. With respect to such a semantics, the model-checking problem is undecidable. In this paper, the authors identify a special class of systems called semi-regular Markov Decision Processes that have a unique non-empty, compact, invariant set of distributions, for which they show that checking any $\omega$-regular property is decidable. Their decidability result also implies that for semi-regular probabilistic finite automata with isolated cut-points, the emptiness problem is decidable.

Continuing work on probabilistic and non-deterministic choice in a domain-theoretic setting, Jean Goubault-Larrecq and Daniele Varacca (PPS, University Paris 7) proposed a new monad for probabilistic choice, that of continuous random variables . The usual Jones-Plotkin monad of continuous valuations, although simple enough, suffers from the defect that no category of continuous domains is known that would be both Cartesian-closed (i.e., would allow one to interpret functions) and stable under the Jones-Plotkin monad.

Jean Goubault-Larrecq and Daniele Varacca managed to show that a related monad, that of continuous random variables, inspired from the notion of a random variable in probability theory, did not suffer from this defect: the category of bc-domains is indeed both Cartesian-closed and stable under this monad. Moreover, the authors showed that using one or the other monad gave semantics to higher-order probabilistic programs that were indistinguishable at ground types. Finally, they used this to solve an open problem by Escardò, namely that observational equivalence of probabilistic higher-order programs is recursively enumerable.

One of the results obtained by Jean-Goubault-Larrecq in his theory of semantics for mixed non-deterministic and probabilistic choice is that there is a one-to-one correspondence between continuous credibilities over some (state) space $X$and certain compact subsets of the space of all continuous valuations over $X$, under mild assumptions on $X$. Similar theorems were produced by Choquet in the 1950s, refined by Kendall, then by Matheron in the 1970s, with applications in random set theory, among others.

Klaus Keimel and Jean Goubault-Larrecq produced an extremely simple proof of this fact , based on a simple special case of Groemer's integral theorem. This proof also produces a much more general result than what was known earlier, as it does not assume that $X$is second-countable or Hausdorff, and only local compactness.

A domain-theoretic view is that this is a representation theorem for mixed demonic choice and probabilistic choice; the angelic and erratic cases are also covered by Goubault-Larrecq and Keimel.

These results had been presented at Dagstuhl Seminar 10232, June 2010.

Consider a programming language, with both an operational semantics, stating how one can implement a machine for this language, and a denotational semantics, which states what programs compute (not how). A classical question in programming language semantics is whether equality of denotations (from denotational semantics) coincides with contextual equivalence (from operational semantics). This is called full abstraction.

This question was first formulated for PCF by G. Plotkin in 1977, who showed that PCF was not fully abstract, although PCF plus a form of parallel or was. PCF is a simply-typed higher-order language, which one could see as a simple variant of the ML language without mutable state.

Jean Goubault-Larrecq examined the question for variants of PCF with various forms of non-deterministic and probabilistic choice. The latter are modeled denotationally by using his theory of previsions . The most startling result is that the call-by-value variant of PCF with only angelic non-determinism is fully abstract, without the need for parallel or. Jean Goubault-Larrecq also showed that call-by-value PCF with angelic non-determinism and probabilistic choice is not fully abstract, but that this language plus so-called statistical test primitives is fully abstract. These results were presented at the Domains X Workshop, Swansea, Wales, UK, September 2011.