2023Activity reportProject-TeamSPLITS

6.1.1 Easycrypt

• Keywords:
  Proof assistant, Cryptography
• Functional Description:
  EasyCrypt is a toolset for reasoning about relational properties of probabilistic computations with adversarial code. Its main application is the construction and verification of game-based cryptographic proofs. EasyCrypt can also be used for reasoning about differential privacy.
• Release Contributions:
  This version introduces a new logic (ehoare) allowing to bound the expectation of a function in a probabilistic program.
• News of the Year:
  The major release (2023.09) has been published. This release includes a new logic for bounding the expectation of a function in a probabilistic program.
• URL:
  https://­github.­com/­EasyCrypt/­easycrypt
• Publications:
  hal-03352062, hal-03469015
• Contact:
  Gilles Barthe
• Participants:
  Benjamin Grégoire, Gilles Barthe, Pierre-Yves Strub, Adrien Koutsos

6.1.2 Jasmin

• Name:
  Jasmin compiler and analyser
• Keywords:
  Cryptography, Static analysis, Compilers
• Functional Description:

  The Jasmin programming language smoothly combines high-level and low-level constructs, so as to support “assembly in the head” programming. Programmers can control many low-level details that are performance-critical: instruction selection and scheduling, what registers to spill and when, etc. The language also features high-level abstractions (variables, functions, arrays, loops, etc.) to structure the source code and make it more amenable to formal verification. The Jasmin compiler produces predictable assembly and ensures that the use of high-level abstractions incurs no run-time penalty.

  The semantics is formally defined to allow rigorous reasoning about program behaviors. The compiler is formally verified for correctness (the proof is machine-checked by the Coq proof assistant). This ensures that many properties can be proved on a source program and still apply to the corresponding assembly program: safety, termination, functional correctness…

  Jasmin programs can be automatically checked for safety and termination (using a trusted static analyzer). The Jasmin workbench leverages the EasyCrypt toolset for formal verification. Jasmin programs can be extracted to corresponding EasyCrypt programs to prove functional correctness, cryptographic security, or security against side-channel attacks (constant-time).

• Release Contributions:

  2023.06.0 is a major release of Jasmin. It contains a few noteworthy changes: - local functions now use call and ret instructions, - experimental support for the ARMv7 (i.e., Cortex-M4) architecture, - a few aspects of the safety checker can be finely controlled through annotations or command-line flags, - shift and rotation operators have a simpler semantics.

  As usual, it also brings in various fixes and improvements, such as bit rotation operators and automatic slicing of the input program.

• News of the Year:
  On June 2023, a major release (2023.06.0) has been published.
• URL:
  https://­github.­com/­jasmin-lang/­jasmin
• Publications:
  hal-04106448, hal-04218417, hal-03844366, hal-03430789, hal-03352062, hal-02404581, hal-02974993, hal-01649140
• Contact:
  Jean-Christophe Léchenet
• Participants:
  Gilles Barthe, Benjamin Grégoire, Adrien Koutsos, Vincent Laporte, Jean-Christophe Léchenet, Swarn Priya, Santiago Arranz Olmos
• Partners:
  The IMDEA Software Institute, Ecole Polytechnique, Universidade do Minho, Universidade do Porto, Max Planck Institute for Security and Privacy

6.1.3 Bigloo

• Keyword:
  Compilers
• Functional Description:
  Bigloo is a Scheme implementation devoted to one goal: enabling Scheme based programming style where C(++) is usually required. Bigloo attempts to make Scheme practical by offering features usually presented by traditional programming languages but not offered by Scheme and functional programming. Bigloo compiles Scheme modules. It delivers small and fast stand alone binary executables. Bigloo enables full connections between Scheme and C programs and between Scheme and Java programs.
• Release Contributions:
  modification of the object system (language design and implementation), new APIs (alsa, flac, mpg123, avahi, csv parsing), new library functions (UDP support), new regular expressions support, new garbage collector (Boehm's collection 7.3alpha1).
• URL:
  http://­www-sop.­inria.­fr/­teams/­indes/­fp/­Bigloo/
• Contact:
  Manuel Serrano
• Participant:
  Manuel Serrano

6.1.4 Hiphop.js

• Name:
  Hiphop.js
• Keywords:
  Web 2.0, Synchronous Language, Programming language
• Functional Description:
  HipHop.js is an Hop.js DLS for orchestrating web applications. HipHop.js helps programming and maintaining Web applications where the orchestration of asynchronous tasks is complex.
• URL:
  http://­hop-dev.­inria.­fr/­hiphop
• Contact:
  Manuel Serrano

6.1.5 Hop

• Keyword:
  Programming language
• Scientific Description:

  The Hop programming environment consists in a web broker that intuitively combines in a single architecture a web server and a web proxy. The broker embeds a Hop interpreter for executing server-side code and a Hop client-side compiler for generating the code that will get executed by the client.

  An important effort is devoted to providing Hop with a realistic and efficient implementation. The Hop implementation is validated against web applications that are used on a daily-basis. In particular, we have developed Hop applications for authoring and projecting slides, editing calendars, reading RSS streams, or managing blogs.

• Functional Description:
  Multitier web programming language and runtime environment.
• URL:
  http://­hop.­inria.­fr
• Contact:
  Manuel Serrano
• Participant:
  Manuel Serrano

7.1.1 Debunking the Performance of Asynchronous JavaScript

In this study, we compared the performance of server-side JavaScript applications programmed using synchronous, asynchronous, and promise-based APIs. Our findings show that, in general, synchronous programs execute significantly faster and consume fewer resources compared to their asynchronous counterparts. The only situation where we observed better performance for the asynchronous model was in the case of a highly loaded web server. For that application, under that exceptional context, we noticed that the asynchronous approach enables servers to degrade more gracefully than the synchronous one. This suggests that an hybrid architecture that could combine the best of both worlds, synchronous operations under normal situations and asynchronous operations under super-heavy pressure, would be optimal. The Hop.js execution environment that supports both modes is an ideal playground for conducting this sort of experiment.

We further demonstrated that the overhead incurred by asynchronous executions is a combination of complex control flow, which makes it challenging for compilers to apply simple reduction optimizations, additional memory allocations, and high thread synchronization costs. The asynchronous model also requires intensive collaborations between JavaScript and the implementation language, with numerous exchanges between the two worlds. This places demands on the JavaScript automatic memory management system to track values passed to the implementation language.

This experiment also unveiled that a highly optimized and tuned JavaScript runtime can be defeated by a more general runtime system that enables smoother integration between the core language and foreign libraries. This suggests that such systems may be suitable when intensive collaborations between the core language and foreign libraries are expected. This is an incentive for pursuing the development of the generic runtime system hopc uses.

7.1.2 Optimizing JavaScript Variable-Arity Functions in the Large

JavaScript allows functions to be called with a different number of arguments than the specified number of parameters. The pseudo-variable arguments packs all the arguments into a heap-allocated structure and enables the receiver to introspect the received values. The design and semantics of arguments make it difficult to implement efficiently but it is used by millions or even maybe billions of applications. Therefore, improving it may have a significant global impact on computing resources.

We conducted a study on how modern JavaScript code utilizes the arguments property. By analyzing Npm, the largest JavaScript repository, we demonstrated that despite the introduction of alternative constructs to support variable-arity functions, the historical arguments property is still widely used, which is unfortunate so difficult it is to implement efficiently. To address this issue, we presented an optimization that significantly accelerates its performance. The optimization can either completely eliminate the construction of the arguments object or transform the usual heap allocation, which a generic implementation employs, into a faster stack allocation. We validated the effectiveness of this optimization through a set of micro-benchmarks. When applied to the Hop.js compiler, the optimization resulted in performance gains of one to two orders of magnitude compared to the generic code. The analysis and optimization can also be adopted by JIT compilers, as they rely on fast local analyses instead of lengthy analysis of the entire program.

While the optimization may not have a spectacular impact on individual programs, its global effect could be significant. Our study revealed that approximately half of the 3 million JavaScript packages available on Npm directly or indirectly depend on one or several packages that use arguments. As a result, our optimization has the potential to accelerate around 1.5 million packages, which likely play a role in millions or billions of real applications. Considering the collective impact of optimizing all these executions, the potential benefits could be tremendous. We reckon that this compelling motivation justified our undertaking of this study.

7.1.3 An Executable Semantics for Faster Development of Optimizing Python Compilers

Python is a popular programming language whose performance is known to be uncompetitive in comparison to static languages such as C. Although significant efforts have already accelerated implementations of the language, more efficient ones are still required. The development of such optimized implementations is nevertheless hampered by its complex semantics and the lack of an official formal semantics. We addressed this issue by developing an approach to define an executable semantics targeting the development of optimizing compilers. This executable semantics is written in a format that highlights type checks, primitive values boxing and unboxing, and function calls which are all known sources of overhead. We also developed semPy, a partial evaluator of our executable semantics that can be used to remove redundant operations when evaluating arithmetic operators.

To validate our approach, we integrated these behaviors to Zipi, an AoT optimizing Python compiler prototype. Zipi compiles behaviors and dispatches operations to their corresponding behaviors at run time. This increases execution speed, offering performance that rivals PyPy. Although this speedup is limited to arithmetic-heavy programs, behaviors could be extended to other operations or serve alongside other optimization techniques. On some tasks, Zipi displays performance competitive with that of state of art Python implementations.

We hope semPy and the behavior optimization can contribute to the ongoing optimization efforts of Python implementations. It appears to us that they would be well suited for CPython, as they specifically address the known overhead of this implementation.

This work has been presented at the 16th ACM SIGPLAN International Conference on Software Language Engineering (SLE'23) conference 8.

7.4.1 Binary Code Analyzer

Participants: Tamara Rezk.

We tackle the problem of designing efficient binary-level verification for a subset of information flow properties encompassing constant-time and secret-erasure. These properties are crucial for cryptographic implementations, but are generally not preserved by compilers. Our proposal builds on relational symbolic execution enhanced with new optimizations dedicated to information flow and binary-level analysis, yielding a dramatic improvement over prior work based on symbolic execution. We implement a prototype, Binsec/Rel, for bug-finding and bounded-verification of constant-time and secret-erasure, and perform extensive experiments on a set of 338 cryptographic implementations, demonstrating the benefits of our approach. Using Binsec/Rel, we also automate two prior manual studies on preservation of constant-time and secret-erasure by compilers for a total of 4148 and 1156 binaries respectively. Interestingly, our analysis highlights incorrect usages of volatile data pointer for secret erasure and shows that scrubbing mechanisms based on volatile function pointers can introduce additional register spilling which might break secret-erasure. We also discovered that gcc -O0 and backend passes of clang introduce violations of constant-time in implementations that were previously deemed secure by a state-of-the-art constant-time verification tool operating at LLVM level, showing the importance of reasoning at binary-level.

This work has been published as a journal in ACM Transactions on Privacy and Security 2.

7.4.2 More security guarantees for the Jasmin compiler

Participants: Benjamin Grégoire, Jean-Christophe Léchenet.

We revisit the problem of erasing sensitive data from memory and registers during return from a cryptographic routine. While the problem and related attacker model is fairly easy to phrase, it turns out to be surprisingly hard to guarantee security in this model when implementing cryptography in common languages such as C/C++ or Rust. We revisit the issues surrounding zeroization and then present a principled solution in the sense that it guarantees that sensitive data is erased and it clearly defines when this happens. We implement our solution as extension to the formally verified Jasmin compiler and extend the correctness proof of the compiler to cover zeroization. We show that the approach seamlessly integrates with state-of-the-art protections against microarchitectural attacks by integrating zeroization into Libjade, a cryptographic library written in Jasmin with systematic protections against timing and Spectre-v1 attacks. Benchmarks show that in many cases the overhead of zeroization is barely measurable and that it stays below 2% except for highly optimized symmetric crypto routines on short inputs. This paper is accepted at CHES 2024.

7.6.1 Branching pomsets for choreographies

Participants: Ilaria Castellani.

Choreographic languages describe possible sequences of interactions among a set of agents. Typical models are based on languages or automata over sending and receiving actions. Pomsets provide a more compact alternative by using a partial order to explicitly represent causality and concurrency between these actions. However, pomsets offer no representation of choices, thus a set of pomsets is required to represent branching behavior. For example, if an agent Alice can send one of two possible messages to Bob three times, one would need a set of $2\times 2\times 2$ distinct pomsets to represent all possible branches of Alice's behavior. This paper proposes an extension of pomsets, named branching pomsets, with a branching structure that can represent Alice's behavior using $2+2+2$ ordered actions. We compare the expressiveness of branching pomsets with that of several forms of event structures from the literature. We encode choreographies as branching pomsets and show that the pomset semantics of the encoded choreographies are bisimilar to their operational semantics. Furthermore, we define well-formedness conditions on branching pomsets, inspired by multiparty session types, and we prove that the well-formedness of a branching pomset is a sufficient condition for the realizability of the represented communication protocol. Finally, we present a prototype tool that implements our theory of branching pomsets, focusing on its applications to choreographies. These results are presented in 3.

7.6.2 Session type encodings

Participants: Ilaria Castellani.

To celebrate the 30th edition of EXPRESS (Expressiveness in Concurrency) and the 20th edition of SOS (Structural Operational Semantics), we presented a retrospective view on how session types can be expressed in a type theory for the standard $\pi$-calculus by means of a suitable encoding 4. This encoding allows one to reuse results about the $\pi$-calculus in the context of session-based communications, thus deepening the understanding of sessions and reducing redundancies in their theoretical foundations. We have also reviewed the practical implications of these results (e.g., refined forms of deadlock analysis, type inference).

8.1.1 Associate Teams in the framework of an Inria International Lab or in the framework of an Inria International Program

8.1.2 Visits of international scientists

8.1.3 Visits to international teams

8.2.1 Action Exploratoire: AoT.js – Optimizing Compilation from Higher-Order Programming to Computer Architecture

Participants: Erven Rohou, Manuel Serrano.

This action exploratoire is bi-localized in Rennes and Sophia-Antipolis.

JavaScript programs are typically executed by a JIT compiler, able to handle efficiently the dynamic aspects of the language. However, JIT compilers are not always viable or sensible (e.g., on constrained IoT systems, due to secured read-only memory (W$\oplus$X), or because of the energy spent recompiling again and again). We propose to rely on ahead-of-time compilation, and achieve performance thanks to optimistic compilation, and detailed analysis of the behavior of the processor, thus requiring a wide range of expertise from high-level dynamic languages to microarchitecture.

8.2.2 ANR CISC

Participants: Ilaria Castellani, Tamara Rezk, Manuel Serrano.

The CISC project (Certified IoT Secure Compilation) is funded by the ANR for 42 months, ending in September 2023. The goal of the CISC project is to provide strong security and privacy guarantees for IoT applications by means of a language to orchestrate IoT applications from the microcontroller to the cloud. Tamara Rezk coordinates this project, and Manuel Serrano and Ilaria Castellani participate in the project. The partners of this project are the INRIA teams Celtique and SPLiTS, and Collège de France.

8.2.3 PEPR

Participant: Benjamin Grégoire, Jean-Christophe Léchenet.

SVP PEPR Cybersecurity. We participate in a project concerned with the verification of security protocols. Partners in this project are CNRS IRISA Rennes (coordinator Stéphanie Delaune), INRIA, University of Paris-Saclay, University of Lorraine, University of Côte d’Azur, ENS Rennes. The funds allocated to our team in this collaboration are 333 KEuros. The corresponding researcher for this contract is Benjamin Grégoire.

9.1.1 Scientific events: organisation

We organized the Inaugural SPliTS workshop on September 29th, 2023, in Belles Rives, Antibes.

9.1.2 Invited talks

• Tamara Rezk was invited as:
  • Speaker at the NICT/Inria/IMT Workshop, on March 1st, 2023.
  • Keynote speaker at the Annual Meeting of the WG "Formal Methods for Security" (GT MFS), on March 28th, 2023.
  • Keynote speaker at WASP4ALL 2023: Building the future Cyber Security landscape, on June 1st, 2023.
  • Keynote speaker at the Navigating the Cybersecurity Landscape, Chalmers, on October 11th, 2023. In the same event, she was invited to participate in a pannel on Cybersecurity.
  • Keynote speaker at the Programming Languages and Analysis for Security Workshop at CCS, Copenhagen, on November 26th, 2023.

9.1.3 Scientific expertise

Tamara Rezk was an expert in the selection committee for the Estonian Research Council 2023.

9.1.4 Research administration

• Tamara Rezk is part of the bureau du CEP at INRIA Sophia Antipolis. In 2023, she also coordinated the working group for the creation of the EP OLAS.
• Manuel Serrano was vice-head of the Inria Evaluation Committee until end of August 2023. As such he co-organized all the grants, promotion juries and the juries of the national recruiting campaigns. He also co-organized all the team evaluation seminars.
• Benjamin Grégoire is member of the CSD.
• Ilaria Castellani is a member of the INRIA Equal Opportunity Committee, and of the organising committees of the Sophia Antipolis Colloquium and of the Forum Numerica seminar series.

9.2.1 Supervision

• PhD defended: Jayanth Krishnamurthy, Debugging Techniques for the HipHop.js Reactive Programming Language, supervisor: Manuel Serrano.
• Phd defended: Benjamin Grégoire supervised the thesis of Swarn Priya (Université Côte d’Azur) until November 21, codirector Yves Bertot.
• PhD in progress: Aurore Poirier, Optimizing Compilation from Higher-Order Programming to Computer Architecture, supervisors: Erven Rohou & Manuel Serrano.
• PhD in progress: Olivier Melançon, Basic Block Versioning for Python, supervisors: Marc Feeley & Manuel Serrano.
• PhD in progress: Davide Davoli, Kernel Security in the Spectre Era, co-supervision Martin Avanzini and Tamara Rezk.
• PhD in progress: Ignacio Tiraboschi, Program Analyses for Security, co-supervision Xavier Rival and Tamara Rezk.
• PhD in progress: Guillaume Combette, Binary Analyses for Security, co-supervision Sébastien Bardin and Tamara Rezk.

9.2.2 Juries

• Benjamin Grégoire was a member of the jury Abdul Rahman Taleb (Sorbonne Université) in November.
• Tamara Rezk was opponent for the PhD defense of Andreas Lindner, KTH Royal Institute of Technology.
• Tamara Rezk was rapporteuse and a jury member for the HDR thesis of Clémentine Maurice, University of Lille.
• Tamara Rezk was rapporteuse and a jury member for the PhD thesis of Feras Al Kassar, Eurecom.
• Tamara Rezk was a member of the CSD committee for Jonathan Brossard, CNAM.
• Ilaria Castellani was a jury member for the PhD thesis of Loïc Germerie Guizouarn, Université Côte d'Azur.

International journals

• 1 articleI.Ilaria Castellani, M.Mariangiola Dezani-Ciancaglini and P.Paola Giannini. Event structure semantics for multiparty sessions.Journal of Logical and Algebraic Methods in Programming131February 2023HALDOIback to text
• 2 articleL.-A.Lesly-Ann Daniel, S.Sébastien Bardin and T.Tamara Rezk. Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure.ACM Transactions on Privacy and Security2023HALback to text
• 3 articleL.Luc Edixhoven, S.-S.Sung-Shik Jongmans, J.José Proença and I.Ilaria Castellani. Branching pomsets: Design, expressiveness and applications to choreographies.Journal of Logical and Algebraic Methods in Programming136September 2023HALDOIback to text

Invited conferences

• 4 inproceedingsI.Ilaria Castellani, O.Ornela Dardha, L.Luca Padovani and D.Davide Sangiorgi. EXPRESSing Session Types.Electronic Proceedings in Theoretical Computer ScienceEXPRESS / SOS 2023 - Combined 30th International Workshop on Expressiveness in Concurrency and 20th Workshop on Structural Operational SemanticsEPTCS-387Proceedings Combined 30th International Workshop on Expressiveness in Concurrency and 20th Workshop on Structural Operational SemanticsAnvers (Antwerpen), BelgiumSeptember 2023, 8-25HALDOIback to text

International peer-reviewed conferences

• 5 inproceedingsJ.José Bacelar Almeida, M.Manuel Barbosa, G.Gilles Barthe, B.Benjamin Grégoire, V.Vincent Laporte, J.-C.Jean-Christophe Léchenet, T.Tiago Oliveira, H.Hugo Pacheco, M.Miguel Quaresma, P.Peter Schwabe, A.Antoine Séré and P.-Y.Pierre-Yves Strub. Formally verifying Kyber: Episode IV: Implementation correctness.ACR Transactions on Cryptographic Hardware and Embedded SystemsCHES 2023 - Conference on Cryptographic Hardware and Embedded Systems20233Praha, Czech RepublicJune 2023, 164-193HALDOI
• 6 inproceedingsM.Manuel Barbosa, G.Gilles Barthe, C.Christian Doczkal, J.Jelle Don, S.Serge Fehr, B.Benjamin Grégoire, Y.-H.Yu-Hsuan Huang, A.Andreas Hülsing, Y.Yi Lee and X.Xiaodi Wu. Fixing and Mechanizing the Security Proof of Fiat-Shamir with Aborts and Dilithium.Lecture Notes in Computer ScienceCRYPTO 2023 - 43rd International Cryptology ConferenceLNCS-14085Advances in Cryptology – CRYPTO 2023 : 43rd Annual International Cryptology Conference, CRYPTO 2023, Santa Barbara, CA, USA, August 20–24, 2023, Proceedings, Part VSanta Barbara, United StatesAugust 2023, 358–389HALDOI
• 7 inproceedingsL.-A.Lesly-Ann Daniel, M.Marton Bognar, J.Job Noorman, S.Sébastien Bardin, T.Tamara Rezk and F.Frank Piessens. ProSpeCT: Provably Secure Speculation for the Constant-Time Policy.USENIX Security SymposiumAnaheim, FranceAugust 2023HALback to text
• 8 inproceedingsO.Olivier Melançon, M.Marc Feeley and M.Manuel Serrano. An Executable Semantics for Faster Development of Optimizing Python Compilers.SLE '23: 16th ACM SIGPLAN International Conference on Software Language EngineeringCascais Portugal, PortugalACMOctober 2023, 15-28HALDOIback to text
• 9 inproceedingsI.Ignacio Tiraboschi, T.Tamara Rezk and X.Xavier Rival. Sound Symbolic Execution via Abstract Interpretation and its Application to Security.Lecture Notes in Computer ScienceVMCAI 2023 - 24th International Conference on Verification, Model Checking, and Abstract Interpretation13881Verification, Model Checking, and Abstract Interpretation 24th International Conference, VMCAI 2023, Boston, MA, USA, January 16–17, 2023, ProceedingBoston, MA, United StatesSpringer Nature SwitzerlandJanuary 2023, 267-295HALDOIback to text

Reports & preprints

• 10 miscB.Bruno Blanchet, P.Pierre Boutry, C.Christian Doczkal, B.Benjamin Grégoire and P.-Y.Pierre-Yves Strub. CV2EC: Getting the Best of Both Worlds.December 2023HAL
• 11 reportA.Anne Canteaut, M.Manuel Serrano, C.Céline Grandmont, G.Guillaume Pallez, V.Vincent Perrier, X.Xavier Rival and E.Emmanuel Thomé. Bilan de la mandature 2019-2023 de la Commission d'Évaluation Inria.InriaAugust 2023HAL