- A1.3. Distributed Systems
- A2. Software
- A2.1. Programming Languages
- A2.1.1. Semantics of programming languages
- A2.1.3. Object-oriented programming
- A2.1.4. Functional programming
- A2.1.7. Distributed programming
- A2.1.9. Synchronous languages
- A2.1.12. Dynamic languages
- A2.2.1. Static analysis
- A2.2.5. Run-time systems
- A2.2.9. Security by compilation
- A4.3.3. Cryptographic protocols
- A4.6. Authentication
- A4.7. Access control
- B6.3.1. Web
- B6.4. Internet of things
- B9.5.1. Computer science
- B9.10. Privacy
1 Team members, visitors, external collaborators
- Manuel Serrano [Team leader, Inria, Senior Researcher, HDR]
- Ilaria Castellani [Inria, Researcher]
- Tamara Rezk [Inria, Researcher, HDR]
- Gérard Berry [Collège de France, Emeritus, HDR]
- Lesly Ann Daniel [CEA]
- Mohamad El Laz [Inria, from Dec 2020]
- Jayanth Krishnamurthy [Inria]
- Heloise Maurel [Inria]
- Bertrand Petit [Pôle Emploi, until Aug 2020]
- Yoon Seok Ko [Inria, Engineer]
- Nathalie Bellesso [Inria]
- Marc Feeley [Université de Montréal - Canada]
2 Overall objectives
The goal of the Indes team is to study models for diffuse computing and develop languages for secure diffuse applications. Diffuse applications, of which Web 2.0 applications are a notable example, are the new applications emerging from the convergence of broad network accessibility, rich personal digital environment, and vast sources of information. Strong security guarantees are required for these applications, which intrinsically rely on sharing private information over networks of mutually distrustful nodes connected by unreliable media.
Diffuse computing requires an original combination of nearly all previous computing paradigms, ranging from classical sequential computing to parallel and concurrent computing in both their synchronous / reactive and asynchronous variants. It also benefits from the recent advances in mobile computing, since devices involved in diffuse applications are often mobile or portable.
The Indes team contributes to the whole chain of research on models and languages for diffuse computing, going from the study of foundational models and formal semantics to the design and implementation of new languages to be put to work on concrete applications. Emphasis is placed on correct-by-construction mechanisms to guarantee correct, efficient and secure implementation of high-level programs. The research is partly inspired by and built around Hop, the web programming model proposed by the former Mimosa team, which takes the web as its execution platform and targets interactive and multimedia applications.
3 Research program
3.1 Parallelism, concurrency, and distribution
Concurrency management is at the heart of diffuse programming. Since the execution platforms are highly heterogeneous, many different concurrency principles and models may be involved. Asynchronous concurrency is the basis of shared-memory process handling within multiprocessor or multicore computers, of direct or fifo-based message passing in distributed networks, and of fifo- or interrupt-based event handling in web-based human-machine interaction or sensor handling. Synchronous or quasi-synchronous concurrency is the basis of signal processing, of real-time control, and of safety-critical information acquisition and display. Interfacing existing devices based on these different concurrency principles within Hop or other diffuse programming languages will require better understanding of the underlying concurrency models and of the way they can nicely cooperate, a currently ill-resolved problem.
3.2 Web, functional, and reactive programming
We are studying new paradigms for programming Web applications that rely on multi-tier functional programming. We have created a Web programming environment named Hop. It relies on a single formalism for programming the server-side and the client-side of the applications as well as for configuring the execution engine.
Hop is a functional language based on the Scheme programming language. That is, it is a strict functional language, fully polymorphic, supporting side effects, and dynamically type-checked. Hop is implemented as an extension of the Bigloo compiler that we develop. In the past, we have extensively studied static analyses (type systems and inference, abstract interpretations, as well as classical compiler optimizations) to improve the efficiency of compilation in both space and time.
As a Hop DSL, we have created HipHop, a synchronous orchestration language for web and IoT applications. HipHop facilitates the design and programming of complex web/IoT applications by smoothly integrating three computation models and programming styles that have been historically developed in different communities and for different purposes: i) Transformational programs that simply compute output values from input values, with comparatively simple interaction with their environment; ii) asynchronous concurrent programs that perform interactions between their components or with their environment with uncontrollable timing, using typically network-based communication; and iii) synchronous reactive programs that react to external events in a conceptually instantaneous and deterministic way.
3.3 Security of diffuse programs
The main goal of our security research is to provide scalable and rigorous language-based techniques that can be integrated into multi-tier compilers to enforce the security of diffuse programs. Research on language-based security has been carried on before in former Inria teams. In particular previous research has focused on controlling information flow to ensure confidentiality.
Typical language-based solutions to these problems are founded on static analysis, logics, provable cryptography, and compilers that generate correct code by construction. Relying on the multi-tier programming language Hop that tames the complexity of writing and analysing secure diffuse applications, we are studying language-based solutions to prominent web security problems such as code injection and cross-site scripting, to name a few.
4 Application domains
The Web is the natural application domain of the team. We are designing and implementing multitier languages for helping the development of Web applications. We are creating static and dynamic analyses for Web security. We are conducting empirical studies about privacy preservation on the Web.
4.2 Internet of Things
More recently, we have started focusing on Internet of Things (IoT) applications. They share many similarities with Web applications so most of the methodologies and expertises we have developed for the Web apply to IoT but the restricted hardware resources made available by many IoT devices demand new developments and new research explorations.
5 Highlights of the year
Lesly Ann Daniel received the award “Jeunes Talents France” L’Oréal - UNESCO pour les femmes et la science" for her work on automated program analysis for security.
6 New software and platforms
- Name: Automatic Symbolic Analysis of Constant Time at Binary Level
- Keyword: Cybersecurity
- Functional Description: Binsec/Rel is an extension of the binary analysis plateform Binsec that implements relational symbolic execution (RelSE) for constant-time (CT) verification.
github. com/ binsec/ Rel
- Contact: Tamara Rezk
6.2 New software
- Keyword: Compilers
- Functional Description: Bigloo is a Scheme implementation devoted to one goal: enabling Scheme based programming style where C(++) is usually required. Bigloo attempts to make Scheme practical by offering features usually presented by traditional programming languages but not offered by Scheme and functional programming. Bigloo compiles Scheme modules. It delivers small and fast stand alone binary executables. Bigloo enables full connections between Scheme and C programs, between Scheme and Java programs.
- Release Contributions: modification of the object system (language design and implementation), new APIs (alsa, flac, mpg123, avahi, csv parsing), new library functions (UDP support), new regular expressions support, new garbage collector (Boehm's collection 7.3alpha1).
www-sop. inria. fr/ teams/ indes/ fp/ Bigloo/
- Contact: Manuel Serrano
- Participant: Manuel Serrano
- Keywords: Programming language, Multimedia, Iot, Web 2.0, Functional programming
The Hop programming environment consists in a web broker that intuitively combines in a single architecture a web server and a web proxy. The broker embeds a Hop interpreter for executing server-side code and a Hop client-side compiler for generating the code that will get executed by the client.
An important effort is devoted to providing Hop with a realistic and efficient implementation. The Hop implementation is validated against web applications that are used on a daily-basis. In particular, we have developed Hop applications for authoring and projecting slides, editing calendars, reading RSS streams, or managing blogs.
- Functional Description: Multitier web programming language and runtime environment.
hop. inria. fr
- Contact: Manuel Serrano
- Participant: Manuel Serrano
- Keyword: Cybersecurity
www-sop. inria. fr/ indes/ ifJS/
- Contact: Tamara Rezk
- Name: Hiphop.js
- Keywords: Web 2.0, Synchronous Language, Programming language
- Functional Description: HipHop.js is an Hop.js DLS for orchestrating web applications. HipHop.js helps programming and maintaining Web applications where the orchestration of asynchronous tasks is complex.
hop-dev. inria. fr/ hiphop
- Contacts: Manuel Serrano, Gérard Berry
6.2.5 Server-Side Protection against Third Party Web Tracking
- Keywords: Privacy, Web Application, Web, Architecture, Security by design, Program rewriting techniques
We present a new web application architecture that allows web developers to gain control over certain types of third party content. In the traditional web application architecture, a web application developer has no control over third party content. This allows the exchange of tracking information between the browser and the third party content provider.
To prevent this, our solution is based on the automatic rewriting of the web application in such a way that the third party requests are redirected to a trusted third party server, called the Middle Party Server. It may be either controlled by a trusted party, or by a main site owner and automatically eliminates third-party tracking cookies and other technologies that may be exchanged by the browser and third party server
www-sop. inria. fr/ members/ Doliere. Some/ essos/
- Contact: Francis Doliére Some
- Name: Webstats
- Keywords: Web Usage Mining, Statistic analysis, Security
webstats. inria. fr
- Contacts: Francis Doliére Some, Tamara Rezk, Nataliia Bielova
- Name: Platform for creation and execution for audience participative music
- Keywords: Music, Interaction, Web Application, Synchronous Language
- Functional Description: Skini is a platform form designing et performing collaborative music. It is based on two musical concept: pattern and orchestration. The orchestration is design using HipHop.js.
- Release Contributions: Can be use for performance and création.
- Contact: Bertrand Petit
7 New results
This study has been conducted in collaboration with Robby Findler in the context of the HipHopSec Inria associated team. It has been published in a scientific conference 16.
We have also worked on new optimizations to apply to the Hop ahead-of-time compiler. Its new version is due to be released during the first trimester.
7.2 Web Reactive Programming
HipHop and HipHop applications have been published in a conference paper this year 14.
This year, we have completed the implementation of the HipHop.js web reactive synchronous language and we have mainly focused our effort on the programming and debugging environment.
Once the run-time rejects a program due to causality error, the HipHop program which is compiled into set of nets called net-list, will have the nets that are not participating in a reaction. We take these nets as a digraph and proceed with Depth First search algorithm to identify strongly connected components among them using Tarjan's algorithm. The nets in strongly connected components are the ones participating in Causal cycles. Further, since a strongly connected component can have smaller sub components which are strongly connected, we used the technique proposed by F. Bourdoncle to further refine the strongly connected components to smaller sub components pointing to smallest causality cycle that can be easily managed by the programmer. We take these smallers subcomponents and process the information available in the nets to identify and point out the source locations that are contributing to causality errors. The programmers can resolve these smaller cycles and then incrementally identify next bigger cycle if any. Once the cycle locations are identified, we presented their locations with visual markers on Emacs editor. Further, this approach was extended to popular IDEs like Vscode and Atom editors. We are preparing a research paper that will describe this work.
Recently visual programming tool kits like Blockly have become very popular with non - cs background programmers. We are extending HipHop programming to Blockly so that musicians can use HipHop for interactive music generation. We intend to bring in the causality debugging support to Blockly programmers as a future work.
7.2.2 Interactive Music Composition
Skini is a programming methodology and an execution environment for interactive structured music. With this system, the composer programs his scores in the HipHop synchronous reactive language. They are then executed, or played, in live concerts, in interaction with the audience. The system aims at helping composers to find a good balance between the determinism of the compositions and the nondeterminism of the interactions with the public. Each execution of a Skini score yields to a different but aesthetically consistent interpretation.
This work raises many questions in the musical fields. How to combine composition and interaction?How to control the musical style when the audience influences what is to play next?What are the possible connections with generative music? These are important questions for the Skini system but they are out of the scope of this work that focuses exclusively on the computer science aspects of the system. From that perspective, the main questions are how to program the scores and in which language? General purpose languages are inappropriate because their elementary constructs (i.e., variables, functions, loops, etc.) do not match the constructions needed to express music and musical constraints. We show that synchronous programming languages are a much better fit because they rely on temporal constructs that can be directly used to represent musical scores and because their malleability enables composers to experiment easily with artistic variations of their initial scores.
We have published a journal paper 12 that focuses on scores programming. It exposes the process a composer should follow from his very first musical intuitions up to the generation of a musical artifact. The paper presents some excerpts of the programming of a classical music composition that it then precisely relates to an actual recording. Examples of techno music and jazz are also presented, with audio artifact, to demonstrate the versatility of the system. Finally, brief presentations of past live concerts are presented as an evidence of viability of the system. A second paper 17 focuses on the production of generative music with Skini.
7.3 Session Types
Session types describe communication protocols involving two or more participants by specifying the sequence of exchanged messages and their functionality (sender, receiver and type of carried data). They may be viewed as the analogue, for concurrency and distribution, of data types for sequential computation. Originally conceived as a static analysis technique for an enhanced version of the -calculus, session types have been subsequently embedded into a range of functional, concurrent, and object-oriented programming languages.
The aim of session types is to ensure safety properties for sessions, such as the absence of communication errors (no type mismatch in exchanged data) and deadlock-freedom (no standstill until all participants are terminated). Multiparty session types often target also the liveness property of progress or lock-freedom (no participant waits forever), which is stronger than deadlock-freedom.
While binary sessions can be described by a single session type, multiparty sessions require two kinds of types: a global type that describes the whole session protocol, and local types that describe the individual contributions of the participants to the protocol. The key requirement to achieve safety properties such as the absence of communication errors and deadlock-freedom, is that the local types of the processes implementing the participants be obtained as projections from the same global type. To ensure progress, global types must satisfy additional well-formedness requirements.
We have pursued our work on multiparty session types along the two directions described below, in collaboration with colleagues from the Universities of Turin and Eastern Piedmont.
7.3.1 Multiparty Sessions with Internal Delegation
We have investigated a new form of delegation for multiparty session calculi. Usually, delegation allows a session participant to appoint a participant in another session to act on her behalf. In this view, delegation is an inter-session mechanism which requires session interleaving. Hence it falls outside the descriptive power of global types, which specify single multiparty sessions. As a consequence, properties such as deadlock-freedom or lock-freedom are difficult to ensure in the presence of delegation. In our work, we adopt a different view of delegation, by allowing participants to delegate tasks to each other within the same multiparty session. This way, delegation occurs within a single session (whence the name “internal delegation”) and may be captured by its global type. We present a session type system based on global types with internal delegation, and show that it ensures the usual safety properties of multiparty sessions, together with a progress property.
This work has been published in a special issue of the journal Theoretical Computer Science dedicated to Maurice Nivat 11.
7.3.2 Global Types and Event Structure Semantics for Asynchronous Multiparty Sessions
In previous work we explored the relationship between synchronous multiparty sessions and Event Structures (ESs), a well-known concurrency model introduced in the early 80's. We considered a core multiparty session calculus where sessions are described as networks of sequential processes (each process implementing a participant), equipped with standard global types. We proposed an interpretation of networks as Flow Event Structures (FESs), a subclass of Winskel's Stable Event Structures, as well as an interpretation of global types as Prime Event Structures (PESs), the simplest class of ESs. Since the syntax of global types does not allow all the concurrency among communications to be explicitly represented, the events of the associated PES need to be defined as equivalence classes of communication sequences up to permutation equivalence. We showed that when a network is typable by a global type, the FES semantics of the former is equivalent, in a precise technical sense, to the PES semantics of the latter.
In the work 21, we undertake a similar endeavour in the asynchronous setting. This involves devising a new notion of global type for asynchronous sessions. The type system for asynchronous sessions is expected to be more permissive than the one for synchronous sessions. For instance, consider a session with two participants each of which wishes to first send a message to the other one and then receive a message from the other one. This session is stuck if communication is synchronous but not if communication is asynchronous.
We start by considering a core session calculus as in the synchronous case, where networks are endowed with a queue and they act on this queue by performing outputs or inputs: an output stores a message in the queue, while an input fetches a message from the queue. The intuition for our new asynchronous global types is quite simple: to split communications in the type into outputs and inputs, and to equip the type with a queue, thus mimicking very closely the behaviour of asynchronous networks. The well-formedness conditions for global types must now take into account also the content of the queue. Essentially, this amounts to requiring that each input appearing in the type be justified by a preceding output in the type or by a message in the queue, and vice versa, that each output in the type or message in the queue be matched by a corresponding input in the type.
The contribution of 21 is twofold: 1) We propose an original type system for asynchronous multiparty sessions, which accounts for asynchronous communication in a more natural way than existing approaches, while remaining decidable. Our type system ensures the classical safety properties of sessions as well as progress; 2) We present an Event Structure semantics for asynchronous sessions and for asynchronous global types, and we show that these two semantics agree.
This paper has been submitted for journal publication.
7.4 Security Analysis of ElGamal Implementations
The ElGamal encryption scheme is not only the most extensively used alternative to RSA, but is also almost exclusively used in voting systems as an effective homomorphic encryption scheme. Being easily adaptable to a wide range of cryptographic groups, the ElGamal encryption scheme enjoys homomorphic properties while remaining semantically secure. This is subject to the upholding of the Decisional Diffie-Hellman (DDH) assumption on the chosen group. We analyze 26 libraries that implement the ElGamal encryption scheme and discover that 20 of them are semantically insecure as they do not respect the Decisional Diffie-Hellman (DDH) assumption. From the five libraries that do satisfy the DDH assumption, we identify and compare four different message encoding and decoding techniques.
7.5 Timing Leaks
Timing leaks have been a major concern for the security community. A common approach is to prevent secrets from affecting the execution time, thus achieving security with respect to a strong, local attacker who can measure the timing of program runs. However, this approach becomes restrictive as soon as programs branch on a secret, it becomes ineffective both when compiler passes re-introduces branches on secrets, or when an attacker exploits speculations. We have studied timing leaks in all of these different scenarios.
7.5.1 ClockworK: Timing Leaks in popular IoT application platforms
7.5.2 Spectre attacks
The constant-time programming discipline (CT) is a software-based countermeasure used for protecting high assurance cryptographic implementations against timing side-channel attacks. Constant time is effective (it protects against many known attacks), rigorous (it can be formalized using program semantics), and amenable to automated verification. Yet, the advent of microarchitectural attacks makes constant-time as it exists today far less useful. This work lays foundations for constant-time programming in the presence of speculative and out-of-order execution. We present an operational semantics and a formal definition of constant-time programs in this extended setting. Our semantics eschews formalization of microarchitectural features (that are instead assumed under adversary control), and yields a notion of constant-time that retains the elegance and tractability of the usual notion. We demonstrate the relevance of our semantics in two ways: First, by contrasting existing Spectre-like attacks with our definition of constant-time. Second, by implementing a static analysis tool, Pitchfork, which detects violations of our extended constant-time property in real world cryptographic libraries
Writing CT code is challenging as it demands to reason about pairs of execution traces (2- hypersafety property) and it is generally not preserved by the compiler, requiring binary-level analysis. Unfortunately, current verification tools for CT either reason at higher level (C or LLVM), or sacrifice bug-finding or bounded-verification, or do not scale. We tackle the problem of designing an efficient binary-level verification tool for CT providing both bug-finding and bounded-verification. The technique builds on relational symbolic execution enhanced with new optimizations dedicated to information flow and binary-level analysis, yielding a dramatic improvement over prior work based on symbolic execution. We implement a prototype, BINSEC/REL, and perform extensive experiments on a set of 338 cryptographic implementations, demonstrating the benefits of our approach in both bug-finding and bounded-verification. Using BINSEC/REL, we also automate a previous manual study of CT preservation by compilers. Interestingly, we discovered that gcc -O0 and backend passes of clang introduce violations of CT in implementations that were previously deemed secure by a state-of-the-art CT verification tool operating at LLVM level, showing the importance of reasoning at binary-level.
8 Bilateral contracts and grants with industry
8.1 Bilateral grants with industry
The ANSWER project (Advanced aNd Secured Web Experience and seaRch) is
lead by the QWANT search engine and the Inria Sophia Antipolis
Méditerranée research center. This proposal is the winner of the
"Grand Challenges du Numérique" (BPI) and aims to develop the new
version of the search engine http://
- with Arnaud Legout from the DIANA project-team a funding for a 3 years Ph.D. student to work on Web tracking technologies and privacy protection. Imane Fouad, a former Indes member, was hired to work on this project.
- a funding for 18 months Postdoc to work on Web application security. Yoon Seok Ko has worked on this project as a postdoc.
9 Partnerships and cooperations
9.1 International initiatives
9.1.1 Inria associate team not involved in an IIL
- Title: Secure Reactive IoT Programming
- Duration: 2020 - 2021
- Coordinator: Manuel Serrano
- Partners: Northwestern University (Chicago, United States).
- Inria contact: Manuel Serrano
- Summary: Nowadays most applications are distributed, that is, they run on
several computers: a mobile device for the graphical user interface a gateway for storing data in a local area; a remote server of a large cloud platform for resource demanding computing; an object connected to Internet in the IoT (Internet of Things); etc. For many different reasons, this makes programming much more difficult than it was when only a single computer was involved:
- Applications are composed of extensive lists of diverse components, each coming with their own specification and imposing its own constraints on application development.
- Due to the distributed nature of the applications, developers have to implement appropriate communication protocols, which is difficult to do correctly and securely.
The Indes, Northwestern, and College de France teams are studying programming languages and have each created complementary solutions that address the aforementioned problems. Combined together, they could lead to a robust and secure execution environment for the web and IoT programming. Indes will bring its expertise in secure web programming, College de France its expertise in synchronous reactive programming, Northwestern its expertise secure execution environments and run-time validation of security properties of program executions. Finally Northwestern will contribute with its expertise in medical descriptions, which will be the main application domain of the secure execution environment the participants aim to develop.
The main objective of the collaboration is the development of a robust and secure integrated programming environment for reactive applications suitable for web and IoT applications. The programming of medical prescriptions will be our favored application domain. We will base our work on three pillars: Hop.js, the contract system designed for the Racket language, and HipHop.js, a domain specific language for reactive programming within Hop.js.
- HipHop.js has currently minimal integration with Hop.js and a rudimentary programming environment. We will continue the development of HipHop.js with the goal of turning it into a a usable and reliable platform.
- The formal semantics of HipHop.js is based on rewriting logics, automata theory and Boolean equations. Thus, HipHop.js programs can be verified using existing techniques based on the satisfiability of logic formulas. Such techniques have been widely used for synchronous reactive programs, but never before in the more dynamic world of web or medical applications.
- Supporting medical prescriptions as programs requires not only a language with special syntactic abstractions to match the notations of the medical domain, but also a fundamentally new way to think about prescription vs. computer programs. For example, medical personnel often modifies prescriptions in the middle of a treatment. In linguistic terms this requires that the programming language in use supports the ability to pause a program while it is running, modify its code, and restart it from the point of the pause but with the modified version of the code, this in a guaranteed consistent way. We hope to build such a programming language, with a semantics inspired by synchronous-reactive programming in the style of HipHop.js but tailored to the medical domain.
9.1.2 Inria international partners
Declared Inria international partners
Marc Feeley from University of Montréal is a recurrent visitor of the team. Unfortunately, his visit of the year has been canceled for obvious reasons but it did not end our collaboration. We are participating in weekly meetings with him and his student.
9.2 European initiatives
9.2.1 FP7 & H2020 Projects
- Title: Special projects for advanced research and technology in Europe
- Duration: February 2019 - January 2022
- Coordinator: CEA
- CENTRE D'EXCELLENCE EN TECHNOLOGIES DE L'INFORMATION ET DE LA COMMUNICATION (Belgium)
- CESNET ZAJMOVE SDRUZENI PRAVNICKYCH OSOB (Czech Republic)
- COMMISSARIAT A L ENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES (France)
- CONSIGLIO NAZIONALE DELLE RICERCHE (Italy)
- CONSORZIO INTERUNIVERSITARIO NAZIONALE PER L'INFORMATICA (Italy)
- CONSORZIO NAZIONALE INTERUNIVERSITARIO PER LE TELECOMUNICAZIONI (Italy)
- CZ.NIC, ZSPO (Czech Republic)
- DIREZIONE GENERALE PER LE TECNOLOGIE DELLE COMUNICAZIONI E LA SICUREZZA INFORMATICA - ISTITUTO SUPERIORE DELLE COMUNICAZIONI E DELLE TECNOLOGIE DELL'INFORMAZIONE (Italy)
- FRAUNHOFER GESELLSCHAFT ZUR FOERDERUNG DER ANGEWANDTEN FORSCHUNG E.V. (Germany)
- FUNDACIO EURECAT (Spain)
- FUNDACION CENTRO DE TECNOLOGIAS DE INTERACCION VISUAL Y COMUNICACIONES VICOMTECH (Spain)
- FUNDACION TECNALIA RESEARCH & INNOVATION (Spain)
- GENEROLO JONO ZEMAICIO LIETUVOS KARO AKADEMIJA (Lithuania)
- INDRA SISTEMAS SA (Spain)
- INOV INESC INOVACAO - INSTITUTO DE NOVAS TECNOLOGIAS (Portugal)
- INSTITUT NATIONAL DES SCIENCES APPLIQUEES DE LYON (France)
- INSTITUTO SUPERIOR TECNICO (Portugal)
- ITTI SP ZOO (Poland)
- JOANNEUM RESEARCH FORSCHUNGSGESELLSCHAFT MBH (Austria)
- KAUNO TECHNOLOGIJOS UNIVERSITETAS (Lithuania)
- KENTRO MELETON ASFALEIAS (Greece)
- LEONARDO - SOCIETA PER AZIONI (Italy)
- LIETUVOS KIBERNETINIU NUSIKALTIMU KOMPETENCIJU IR TYRIMU CENTRAS (Lithuania)
- LUXEMBOURG INSTITUTE OF SCIENCE AND TECHNOLOGY (Luxembourg)
- MYKOLO ROMERIO UNIVERSITETAS (Lithuania)
- NATIONAL CENTER FOR SCIENTIFIC RESEARCH "DEMOKRITOS" (Greece)
- NAUKOWA I AKADEMICKA SIEC KOMPUTEROWA - PANSTWOWY INSTYTUT BADAWCZY (Poland)
- SECRETARIAT GENERAL DE LA DEFENSE ET DE LA SECURITE NATIONALE (France)
- STOWARZYSZENIE POLSKA PLATFORMA BEZPIECZENSTWA WEWNETRZNEGO (Poland)
- TARTU ULIKOOL (Estonia)
- TECHNIKON FORSCHUNGS- UND PLANUNGSGESELLSCHAFT MBH (Austria)
- TECHNISCHE UNIVERSITAET MUENCHEN (Germany)
- THALES SIX GTS FRANCE SAS (France)
- UNIVERSITAT KONSTANZ (Germany)
- UNIVERSITE DE NAMUR ASBL (Belgium)
- UNIVERSITE DU LUXEMBOURG (Luxembourg)
- VYSOKE UCENI TECHNICKE V BRNE (Czech Republic)
- Inria contact: Thomas Jensen
- Summary: In the domain of Cybersecurity Research and innovation, European scientists hold pioneering positions in fields such as cryptography, formal methods, or secure components. Yet this excellence on focused domains does not translate into larger-scale, system-level advantages. Too often, scattered and small teams fall short of critical mass capabilities, despite demonstrating world-class talent and results. Europe’s strength is in its diversity, but that strength is only materialised if we cooperate, combine, and develop common lines of research. Given today’s societal challenges, this has become more than an advantage – an urgent necessity. Various approaches are being developed to enhance collaboration at many levels. Europe’s framework programs have sprung projects in cybersecurity over the past thirty years, encouraging international cooperation and funding support actions. More recently, the Cybersecurity PPP has brought together public institutions and industrial actors around common roadmaps and projects. While encouraging, these efforts have highlighted the need to break the mould, to step up investments and intensify coordination. The SPARTA proposal brings together a unique set of actors at the intersection of scientific excellence, technological innovation, and societal sciences in cybersecurity. Strongly guided by concrete and risky challenges, it will setup unique collaboration means, leading the way in building transformative capabilities and forming world-leading expertise centres. Through innovative governance, ambitious demonstration cases, and active community engagement, SPARTA aims at re-thinking the way cybersecurity research is performed in Europe across domains and expertise, from foundations to applications, in academia and industry.</abstract>
9.3 National initiatives
9.3.1 ANR CISC
The CISC project (Certified IoT Secure Compilation) is funded by the ANR for 42 months, starting in April 2018. The goal of the CISC project is to provide strong security and privacy guarantees for IoT applications by means of a language to orchestrate IoT applicatoins from the microcontroller to the cloud. Tamara Rezk coordinates this project, and Manuel Serrano, Ilaria Castellani and Nataliia Bielova participate in the project. The partners of this project are Inria teams Celtique, Indes and Privatics, and Collège de France.
9.3.2 ANR PrivaWeb
The PrivaWeb project (Privacy Protection and ePrivacy Compliance for Web Users) is funded by the ANR JCJC program for 48 months, started in December 2018. PrivaWeb aims at developing new methods for detection of new Web tracking technologies and new tools to integrate in existing Web applications that seamlessly protect privacy of users.
Nataliia Bielova (PRIVATICS project-team) coordinates this project.
9.3.3 PIA ANSWER
The ANSWER project (Advanced aNd Secured Web Experience and seaRch) is
funded by PIA program for 36 months, starting January 1, 2018. The
aim of the ANSWER project is to develop the new version of the
10.1 Promoting Scientific Activities
10.1.1 Scientific Events: Organisation
- Tamara Rezk organized the 2020 Shonan meeting 159 on Web Security, together with Limin Jia (Carnegie Melon University) and Sukyoung Ryu (KAIST), inviting experts in web security from academy and industry. The meeting was canceled a week before its date due to COVID and moved to March 2022;
General Chair, Scientific Chair
- Ilaria Castellani was the co-chair (together with Mohammad Reza
Mousavi) of the workshop TRENDS 2020, the annual event of the IFIP
WG1.8 on Concurrency Theory, which took place virtually on September 5,
2020, in association with the CONCUR 2020 conference (these events
were due to take place in Vienna but were turned into virtual events
because of Covid).
concurrency-theory. org/ events/ workshops/ trends
Member of the Conference Program Committees
- Manuel Serrano was participating in the Program Committee of the ECOOP'20 conference.
- Ilaria Castellani served in the Program Committee of the
workshop PLACES 2020. http://
places20. by. di. fc. ul. pt/
- Tamara Rezk served in the Program Committee of ASIACCS 2020, MADWeb 2020, SecDev 2020, ACISP 2020, and SecWeb 2020.
10.1.2 Invited Talks
- Manuel Serrano gave a keynote conference at the FDL conference
about Web Reactive Programming and HipHop.js
www. fdl-conference. org/).
10.1.3 Leadership within the Scientific Community
10.1.4 Research Administration
- Manuel Serrano is vice-head of the Inria Evaluation Committee. As such he co-organizes all the grants, promotions juries and the juries of the national recruiting campaigns. He also co-organizes all the team evaluation seminars.
- Ilaria Castellani was the chair of the “jury d'admissibilité” for the recruitment of junior researchers in the INRIA Centre of Grenoble Rhône Alpes.
- Ilaria Castellani is a member of INRIA’s “Comité Parité et Égalité des Chances”. In the Centre of INRIA Sophia Antipolis, she is a member of the “Comité Scientifique du Colloquium”. Within UCA (Université Côte d'Azur), she is a member of the organising committee of the “Forum Numerica” seminar series.
10.2 Teaching - Supervision - Juries
- Tamara Rezk taught two courses (master level) at University of Nice-Sophia Antipolis: Web Security (28 ETD) and Cryptographic proofs (28 ETD).
- PhD in progress: Jayanth Krishnamurthy, Secure Reactive Web Programming, 12/09/2018, Manuel Serrano.
- PhD in progress: Bertrand Petit, Musique Massivement Interactive, 12/09/2017, Manuel Serrano. PhD defended in July 2020.
- PhD in progress : Héloïse Maurel, Statically Identifying Security Vulnerabilities using Deep Learning 1/10/2018, Tamara Rezk
- PhD in progress : Mohamad Ellaz, Implementation and analysis of cryptographic libraries, 1/12/2017, Benjamin Grégoire and Tamara Rezk
- PhD in progress : Lesly-Ann Daniel, Security analysis of binary code, 1/10/2018, Sébastien Bardin and Tamara Rezk
- PhD in progress : Adam Khayam, Semantics of Multitier Languages, 1/07/2019, Alan Schmitt and Tamara Rezk
- PhD in progress: Ignacio Tiraboschi, Analysis for IoT Security, Xavier Rival and Tamara Rezk
- Tamara Rezk was a jury member of the national Inria competition CRCN/ISFP 2020.
- Tamara Rezk was a Phd jury member (Rapporteur) of Sebastian Poeplau (supervisor: Aurélien Francillon), EURECOM, 2020.
10.3.1 Internal or external Inria responsibilities
- Tamara Rezk was part of the Editorial Board of the blog Binaire of Le Monde.
11 Scientific production
11.1 Major publications
- 1 inproceedingsA Taxonomy of Information Flow MonitorsInternational Conference on Principles of Security and Trust (POST 2016)9635LNCS - Lecture Notes in Computer ScienceEindhoven, NetherlandsSpringerApril 2016, 46--67
- 2 articleNoninterference for Concurrent Programs and Thread SystemsTheoretical Computer Science28112002, 109-130
- 3 article Reasoning about Web Applications: An Operational Semantics for HOP \sc ACM Transactions on Programming Languages and Systems (TOPLAS) 34 2 2012
- 4 articleInformation Flow Safety in Multiparty SessionsMathematical Structures in Computer Science2682015, 43
- 5 inproceedingsConcurrent Reversible SessionsCONCUR 2017 - 28th International Conference on Concurrency Theory 85CONCUR 2017 Roland Meyer and Uwe NestmannBerlin, GermanySeptember 2017, 1-17
- 6 inproceedingsCryptographically sound implementations for typed information-flow securityProceedings of the 35th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2008, San Francisco, California, USA, January 7-12, 20082008, 323-335
- 7 inproceedingsImpossibility of Precise and Sound Termination-Sensitive Security EnforcementsSP 2018 - IEEE Symposium on Security and PrivacySan Francisco, United StatesIEEEMay 2018, 496-513
- 8 articleMultitier Programming in Hop - A first step toward programming 21st-century applicationsCommunications of the ACM558August 2012, 53--59URL: http://cacm.acm.org/magazines/2012/8/153796-multitier-programming-in-hop/abstract
- 9 inproceedingsA Glimpse of Hopjs21th \sc ACM Sigplan Int'l Conference on Functional Programming (ICFP)Nara, JapanSeptember 2016, 188--200URL: http://dx.doi.org/10.1145/2951913.2951916
- 10 article On the Content Security Policy Violations due to the Same-Origin Policy 26th International World Wide Web Conference, 2017 (WWW 2017) April 2017
11.2 Publications of the year
International peer-reviewed conferences
Conferences without proceedings
Doctoral dissertations and habilitation theses
Reports & preprints