EN FR
EN FR
SPLITS - 2024
SPLITS - 2024

2024Activity reportProject-TeamSPLITS

RNSR: 202324427F
  • Research center Inria Centre at Université Côte d'Azur
  • Secure Programming Languages & Tools for Security
  • Domain:Algorithmics, Programming, Software and Architecture
  • Theme:Security and Confidentiality

Keywords

Computer Science and Digital Science

  • A1.1.8. Security of architectures
  • A1.3.1. Web
  • A2.1.1. Semantics of programming languages
  • A2.1.4. Functional programming
  • A2.1.6. Concurrent programming
  • A2.1.7. Distributed programming
  • A2.1.10. Domain-specific languages
  • A2.1.11. Proof languages
  • A2.2.1. Static analysis
  • A2.2.8. Code generation
  • A2.2.9. Security by compilation
  • A2.4.1. Analysis
  • A2.4.3. Proofs

Other Research Topics and Application Domains

  • B6. IT and telecom

1 Team members, visitors, external collaborators

Research Scientists

  • Tamara Rezk [Team leader, INRIA, Senior Researcher, HDR]
  • Ilaria Castellani [INRIA, Researcher]
  • Benjamin Grégoire [INRIA, Researcher, HDR]
  • Manuel Serrano [INRIA, Senior Researcher, HDR]

PhD Student

  • Davide Davoli [UNIV COTE D'AZUR, from Jul 2024]

Technical Staff

  • Jean-Christophe Léchenet [INRIA, Engineer]
  • Paolo Torrini [INRIA, Engineer, from Jul 2024]

Interns and Apprentices

  • Youcef Bouzid [ENSIMAG, Intern, from Jun 2024 until Jul 2024]
  • Hubert Gruniaux [INRIA, Intern, from Jun 2024 until Aug 2024]

Administrative Assistant

  • Christine Foggia [INRIA]

Visiting Scientists

  • Olivier Mélançon [UNIV MONTREAL, from May 2024 until Jun 2024]
  • Andreas Sabelfeld [Chalmers, from Apr 2024]

External Collaborators

  • Gilles Barthe [INSTITUT MAX-PLANCK, HDR]
  • Gérard Berry [COLLEGE DE FRANCE, HDR]
  • Marc Feeley [UNIV MONTREAL]

2 Overall objectives

SPLiTS, Secure Programming Languages & Tools for Security, is a research team at Inria (Inria équipe-projet), focusing on defensive system security and compilers. It was created on July 1st, 2023.

SPLiTS’ overall goal is to develop safeguard mechanisms for confidentiality and integrity of computer systems by providing mathematical proofs that align with currently valid threat models at various levels of abstraction. To accomplish this goal, our research plan is organized into six axes, addressing different levels of abstraction:

  1. Web application security 
  2. Program analyses for verification and vulnerability detection
  3. Optimizing compilers
  4. Compilers for high assurance cryptography
  5. Transient execution attacks and defenses 
  6. Session Types and provable security

3 Research program

One of the most important concepts in cybersecurity is, arguably, that of a threat model. A threat model determines what is the power of an attacker: essentially, it defines what the attacker can and cannot do. For example, a particular threat model may assume that factorization cannot be solved in polynomial time, or that a number given by a random generator can never be guessed, or that memory boundaries imposed by software can never be crossed by the attacker, or that certain hardware microarchitectural features such as the cache memory can be observed. Threat models are important, in particular, to reason about what one is defending against by focusing on certain attacker's capabilities and abstracting away from any attacks outside the considered threat model. Threat models represent the most vulnerable point in security research and engineering. This is because threat models may be contradicted by novel attacks, and assumptions of what an attacker cannot do might be violated in practice. A remarkable example of a wrong threat model came to light in January 2018, when Spectre vulnerabilities were revealed. Up to then, application security researchers and engineers had assumed that the abstraction provided by hardware, that is the hardware architecture, was mostly unbreakable by the attacker (with few exceptions such as, for example, leaks due to the cache memory). Our research plan consists in elucidating the synergies among different threat models in the new Spectre era, by facing major scientific challenges such as the design of secure and efficient software and hardware that take the new synergies into account.

4 Application domains

4.1 Sessions

A session refers to an interaction, devoted to a particular topic, among a number of participants. When a web server communicates with an object, session information may include tokens that authenticate the server, which could be used by an attacker to access an actuator and use the device to change the physical world, e.g. the token could be used to operate a smart vacuum cleaner and obtain a house map. An attacker modifying the normal flow of a web session, e.g. manipulating session cookies or tokens, violates session integrity.

Session types were introduced in the mid-nineties, as a tool for specifying and analyzing web services in a variant of the π-calculus. Since then, session types have been extended in various ways and integrated into several programming languages. In 2007, session types were further enriched, as the result of a dialogue between academia and the World Wide Web Consortium (W3C), with the goal of formalizing complex web sessions between a client and a server in web applications. More recently, session types have also been equipped with security information in order to achieve access control and secure information flow between parties, but never to help to deal with one of the most important problems regarding sessions: violations to session integrity. In the short term, we plan to investigate defenses against these violations using session types.

4.2 Optimizing Compilers and Web Security

Running a program in a popular programming language today, such as JavaScript or Python, brings us back to the performance of a running C program on a computer from about 20 years ago. Energy consumption is subject to a similar law.

Improving the performance of modern languages, either by developing new, better adapted, hardware architectures, or by developing new techniques for implementation and execution is therefore a subject of major research.

Hop.js, an ahead-of-time JavaScript compiler, calls upon a large part of the optimization techniques developed for functional languages (Scheme and ML languages) since the beginning of the 90s. However, these methods alone are not sufficient to obtain performance comparable to those of the best JIT compilers of the moment. To approach it, new optimizations based on so-called opportunistic optimizations have been invented. They are essentially based on the idea of transposing the techniques of long-used hardware speculations. These new software techniques are still in their infancy and constitute the central element of the program research that will be developed in SPLiTS. In order to do that for the JavaScript language we will investigate the approach of opportunistic JavaScript typing as well as TypeScript, a typed version of JavaScript.

As noted earlier, an antagonism has recently been highlighted between processor performance and execution security, mainly due to speculation phenomena (e.g. Spectre mentioned above) whose importance is now well understood and accepted. To be able to bring a satisfactory answer to this difficult problem, that is to say an answer that would combine performance and safety, dual skills are required: on the one hand knowledge and in-depth understanding of the concepts and techniques used in the design of architectures and on the other hand a mastery of formal mathematical tools which allow us to reason about the behavior of processors and to establish proofs of correctness and security.

4.3 Compilers for High Assurance Cryptography

The Jasmin compiler was designed to achieve predictability and efficiency of the output binary code (for now the code is targeted to the x86 architecture). The compiler is formally verified in the Coq proof assistant. The Jasmin compiler generates binary code with provable security guarantees to defend against a speculative attacker that can measure access to the cache memory: indeed, generated Jasmin code is not vulnerable -by construction- to Spectre-PHT nor Spectre-STL. Without using a threat model for speculative execution, Jasmin generates binary code with a performance closed to the fastest cryptographic code (e.g. the OpenSSL implementation in Jasmin enjoys a performance competitive with OpenSSL, even slightly beating it). We plan to extend Jasmin compilers to generalize the guarantees it provides for the speculative and quantum thread models.

4.4 Software and Hardware for the new Spectre Era

At the abstraction level provided by the hardware architecture, programs are assumed to execute sequentially in the order in which the program control flow is provided. However, at the level of the hardware implementation, program execution is more complex and involves for example execution of programs out-of-order and speculatively. This complexity at the microarchitectural level was supposed to be transparent for the developer, who should only reason about programs using the abstractions provided by the hardware architecture. Yet, Spectre attacks, quickly followed by many other attacks, demonstrated how an attacker could make use of speculative execution to exfiltrate secrets that were otherwise highly protected at the architectural level. The consequences of these speculative attacks can be devastating. For example, Branch Target Injection (a.k.a. BTI or Spectre v2) allows the attacker to ignore the architectural privilege boundaries, i.e. the attacker can control the execution of a more privileged program, for instance a program belonging to the operating system kernel. Since their disclosure, speculative attacks have strongly impacted both academia and industry1 and have opened a new era for security for which almost all previous threat models need to be revisited. Our broad goal is to provide software and hardware for the speculative threat model.

5 Highlights of the year

5.1 Awards

Tamara Rezk received the 2024 Computer Security Foundations Test-of-Time award, granted for enduring significance and outstanding impact, for the work Secure Information Flow by Self-Composition published in 2004 and received the 2024 Prix d'Excellence from Université Côte d'Azur for the same work.

5.2 HDR defence

Benjamin Grégoire successfully defended his Habilitation à Diriger des Recherches on December 9th in Sophia Antipolis. His dissertation was titled: Provable Security of Cryptographic Primitives: From Algorithms to Assembly17.

5.3 Lowlights

Note : Readers are advised that the Institute does not endorse this text in the “Highlights of the year” section, which is the sole responsibility of the team leader.

At the end of 2024, Inria's top management enacted a new “contrat d'objectifs, de moyens et de performance” (COMP), which defines Inria's objectives for the period 2024–2028. We are very concerned about the content of this document and the way it was imposed.

  • Neither the staff nor their representative bodies were given the opportunity to influence the drafting of this document.
  • The document defines Inria's main mission as “contributing to the digital sovereignty of the Nation through research and innovation” and proposes to amend Inria's founding decree accordingly. We strongly believe that our primary mission is -and should remain- the advancement of human knowledge through research. Research is not a means to achieve “digital sovereignty”, whatever that may mean.
  • The document's references to “strategic partner institutions” and “strategic themes” suggests that most of the institute's research funding will be redirected toward a limited number of partners and themes. We are concerned that this will significantly reduce researchers' fundamental freedom to choose their own topics and collaborations.
  • The document indicates that all of Inria's research should have a “dual nature”, that is, both civilian and military applications. While some of the institute's research may have military applications, the vast majority of it is independent of the military, and should remain so.
  • The document announces a desire to place all of Inria in a “restricted regime area” (ZRR), which means that the hiring of researchers and interns will be reviewed and possibly vetoed by the Fonctionnaire Sécurité Défense. This will create administrative delays, introduce opaque criteria for hiring, and in general discourage the hiring of foreigners, thus harming research and collaboration.
  • Staff opposition to these policies, which has been expressed in several votes and petitions (in particular, the petition https://comp.collectif-inria.fr that gathered over 900 signatures, including those of more than half of Inria's permanent researchers) has been largely ignored.

6 New software, platforms, open data

6.1 New software

6.1.1 Easycrypt

  • Keywords:
    Proof assistant, Cryptography
  • Functional Description:
    EasyCrypt is a toolset for reasoning about relational properties of probabilistic computations with adversarial code. Its main application is the construction and verification of game-based cryptographic proofs. EasyCrypt can also be used for reasoning about differential privacy.
  • URL:
    https://­github.­com/­EasyCrypt/­easycrypt
  • Publications:
    hal-03352062, hal-03469015
  • Contact:
    Gilles Barthe
  • Participants:
    Benjamin Grégoire, Gilles Barthe, Pierre-Yves Strub, Adrien Koutsos

6.1.2 Jasmin

  • Name:
    Jasmin compiler and analyser
  • Keywords:
    Cryptography, Static analysis, Compilers
  • Scientific Description:

    Jasmin is a workbench for high-assurance and high-speed cryptography. Jasmin implementations aim at being efficient, safe, correct, and secure.

    Jasmin is both a language and a compiler from this language to assembly. The compiler is written and formally verified for correctness in the Coq proof assistant. This justifies that many properties can be proved on a source program and still apply to the corresponding assembly program: safety, termination, functional correctness…

    Jasmin comes with a set of tools to reason on Jasmin programs (a safety checker, a type-checker for Constant Time, a type-checker for Speculative Constant Time and an extraction to EasyCrypt to prove properties about the extracted Jasmin program, e.g. functional correctness).

  • Functional Description:

    The Jasmin programming language smoothly combines high-level and low-level constructs, so as to support “assembly in the head” programming. Programmers can control many low-level details that are performance-critical: instruction selection and scheduling, what registers to spill and when, etc. The language also features high-level abstractions (variables, functions, arrays, loops, etc.) to structure the source code and make it more amenable to formal verification. The Jasmin compiler produces predictable assembly and ensures that the use of high-level abstractions incurs no run-time penalty.

    The semantics is formally defined to allow rigorous reasoning about program behaviors. The compiler is formally verified for correctness (the proof is machine-checked by the Coq proof assistant). This ensures that many properties can be proved on a source program and still apply to the corresponding assembly program: safety, termination, functional correctness…

    Jasmin programs can be automatically checked for safety and termination (using a trusted static analyzer). The Jasmin workbench leverages the EasyCrypt toolset for formal verification. Jasmin programs can be extracted to corresponding EasyCrypt programs to prove functional correctness, cryptographic security, or security against side-channel attacks (constant-time).

  • Release Contributions:

    This year, four minor versions and one major version have been released. Here are some of the most significant changes brought by these different versions.

    The semantics of the Jasmin language has been extended to cover more use cases. On one hand programmers no longer need to prove that memory accesses and (direct) array accesses are properly aligned. Jasmin programs have a well-defined semantics even if unaligned accesses occur. On the other hand more functions can have arrays as arguments and results.

    The programming language has been improved to simplify program writing tasks. Namespaces allow reusing names: two things may have the same name, as long as they belong to different namespaces. Spilling and unspilling of registers can now be done implicitly thanks to the spill and unspill operators. Type aliases can be defined through the new type key-word. Local variables may be initialized when declared.

    So as to give more security guaranties about the emitted code, the compiler can introduce code that zeroizes the stack at the end of export functions. The user can enable the feature with an annotation or a compiler flag.

    This is a minor release of Jasmin. Here is a brief description of a few of the changes it features.

    The checker for Constant-Time security, now available as a separate tool (jasmin-ct), has been made more precise and can also verify security in spite of speculative executions (Spectre).

    Support of x86 and ARMv7 architectures has been fostered. Many more instructions are available and some issues with large immediates have been fixed.

  • News of the Year:
    On July 2024, a major release (2024.07.0) has been published.
  • URL:
    https://­github.­com/­jasmin-lang/­jasmin
  • Publications:
    hal-04106448, hal-04218417, hal-04595591, hal-04691165, hal-03844366, hal-03430789, hal-03352062, hal-02404581, hal-02974993, hal-01649140
  • Contact:
    Jean-Christophe Léchenet
  • Participants:
    Alexandre Bourbeillon, Gaëtan Cassiers, Gilles Barthe, Benjamin Grégoire, Adrien Koutsos, Vincent Laporte, Jean-Christophe Léchenet, Swarn Priya, Santiago Arranz Olmos
  • Partners:
    The IMDEA Software Institute, Ecole Polytechnique, Universidade do Minho, Universidade do Porto, Max Planck Institute for Security and Privacy

6.1.3 Bigloo

  • Keyword:
    Compilers
  • Functional Description:
    Bigloo is a Scheme implementation devoted to one goal: enabling Scheme based programming style where C(++) is usually required. Bigloo attempts to make Scheme practical by offering features usually presented by traditional programming languages but not offered by Scheme and functional programming. Bigloo compiles Scheme modules. It delivers small and fast stand alone binary executables. Bigloo enables full connections between Scheme and C programs and between Scheme and Java programs.
  • Release Contributions:
    modification of the object system (language design and implementation), new APIs (alsa, flac, mpg123, avahi, csv parsing), new library functions (UDP support), new regular expressions support, new garbage collector (Boehm's collection 7.3alpha1).
  • URL:
    http://­www-sop.­inria.­fr/­teams/­indes/­fp/­Bigloo/
  • Contact:
    Manuel Serrano
  • Participant:
    Manuel Serrano

6.1.4 Hiphop.js

  • Name:
    Hiphop.js
  • Keywords:
    Web 2.0, Synchronous Language, Programming language
  • Functional Description:
    HipHop.js is an Hop.js DLS for orchestrating web applications. HipHop.js helps programming and maintaining Web applications where the orchestration of asynchronous tasks is complex.
  • URL:
    http://­hop-dev.­inria.­fr/­hiphop
  • Contact:
    Manuel Serrano

6.1.5 Hop

  • Keyword:
    Programming language
  • Scientific Description:

    The Hop programming environment consists in a web broker that intuitively combines in a single architecture a web server and a web proxy. The broker embeds a Hop interpreter for executing server-side code and a Hop client-side compiler for generating the code that will get executed by the client.

    An important effort is devoted to providing Hop with a realistic and efficient implementation. The Hop implementation is validated against web applications that are used on a daily-basis. In particular, we have developed Hop applications for authoring and projecting slides, editing calendars, reading RSS streams, or managing blogs.

  • Functional Description:
    Multitier web programming language and runtime environment.
  • URL:
    http://­hop.­inria.­fr
  • Contact:
    Manuel Serrano
  • Participant:
    Manuel Serrano

7 New results

7.1 Implementation of Dynamic Languages

Participants: Manuel Serrano.

We have pursued the development of compilers of dynamic languages. We have pursued our work on optimizing JavaScript static compilation with the context of Hop (also sometimes refered to as Hop.js in the rest of this text) and we also pursued our collaboration with the University of Montréal on the compilation of the Scheme programming language.

7.1.1 Static Basic Block Versioning

Basic Block Versioning (BBV) is a compilation technique for optimizing program execution. It consists in duplicating and specializing basic blocks of code according to the execution contexts of the blocks, up to a version limit. BBV has been used in Just-In-Time compilers for reducing the dynamic type checks of dynamic languages. Our work revisits the BBV technique to adapt it to Ahead-of-Time (AoT) compilation. This Static BBV (SBBV) raises new challenges, most importantly how to ensure the convergence of the algorithm when the specializations of the basic blocks are not based on profiled variable values and how to select the good specialization contexts. SBBV opens new opportunities for more precise optimizations as the compiler can explore multiple versions and only keep those within the version limit that yield better generated code.

During the year, we completed the design of the SBBV algorithm. We used the analysis to optimize the dynamic type checks, array bound checks, and mixed-type arithmetic operators often found in dynamic languages. We implemented SBBV in two AoT compilers for the Scheme programming language that used to evaluate the technique's effectiveness. On a suite of benchmarks, we have observed that even with a low limit of 2 versions, SBBV greatly reduces the number of dynamic type tests (by 54% and 62% on average) and accelerates the execution time (by about 10% on average). Previous work has needed a higher version limit to achieve a similar level of optimization. We also observe a small impact on compilation time and code size (a decrease in some cases).

This work has been presented during the ECOOP'24 conference. See 16 for more information.

7.1.2 Dynamic Binary Modifications

We developed a technique that enables dynamic optimization of static code produced by C compilers. We implemented and tested the optimization in the context of Hopc, a static JavaScript-to-C compiler, for which it improves the performance of inline caches (IC), a common technique used to optimize object accesses. By using dynamic binary modification of the assembly sequences C compilers generate, Hop.js eliminates up to two memory reads by IC, yielding executable codes that are as efficient as those generated by JiT compilers.

We measured the impact of the optimization and observed that while it eliminates memory reads, as intended, it does not accelerate executions. We conducted several experiments to explain this behavior. We isolated the intrinsic cost of modifying the binary code of programs and showed that, in itself, it cannot explain the lack of acceleration. We eventually discovered, that the optimized IC sequences are actually no faster than un-optimized ones. The experiments we present show that, in the context of IC sequences, the micro-architectures already executed the extra memory reads of the C sequences early, and there is no benefit in removing them.

None of the tools we tried, including performance analysis tools that use hardware performance counters and micro-architectural code analyzers, was able to predict or even unveil this hardware optimization. Only by running many experiments have we been able to isolate and observe the hardware optimization that removes the extra memory we were chasing with our software optimization.

7.2 Reactive Programming

Participants: Manuel Serrano.

We have produced a new version of the HipHop implementation. The embedding of Esterel within JavaScript has been revamped so that it is easier to establish collaborations in between the two languages. This new version has been presented during the ICFP'24 conference.

7.2.1 The Functional, the Imperative, and the Sudoku

Conventional wisdom suggests that the benefits of functional programming no longer apply in the presence of even a small amount of imperative code, as if the addition of imperative code effectively subtracts. And yet, as we show, combining functional programming with the special imperative language Esterel provides a multiplicative improvement to the benefits of functional programming. The key to the benefit of both Esterel and functional programming stems from a restriction that both share. As in functional programming, where only the inputs to a function determine its outputs, the state of an Esterel computation is fully determined by the program's input and the state that the computation had in the previous time step, where the notion of a time step is explicit in the language. Esterel's guarantee holds even though Esterel programs feature concurrent threads, mutable state, and the ability to create, suspend, and even terminate threads as the computation proceeds. This similarity is the root of the benefits that programmers accrue as they informally reason about their program's behavior. To illustrate these benefits, the bulk of this paper consists of an in-depth exploration of HipHop code (a mashup of JavaScript and Esterel) that implements a Sudoku solver, showing how it is possible to write code that is as easy to understand as if it were written in a pure functional programming style, even though it uses multiple threads, mutable state, thread preemption, and even thread abortion. Even better, concurrent composition and task canceling provide significant program structuring benefits that allow a clean decomposition and task separation in the solver.

See 6 for extra information.

7.3 Combining Symbolic Execution and Abstract Interpretation

Participants: Tamara Rezk.

Symbolic execution is a program analysis technique commonly utilized to determine whether programs violate properties and, in case violations are found, to generate inputs that can trigger them. Used in the context of security properties such as noninterference, symbolic execution is precise when looking for counterexample pairs of traces when insecure information flows are found, however it is sound only for a subset of executions. Thus, it does not allow to prove the correctness of programs with executions beyond the given bound. By contrast, abstract interpretation-based static analysis guarantees soundness but generally lacks the ability to provide counterexample pairs of traces. We propose to weave both to obtain the best of two worlds. We demonstrate this with a series of static analyses, including a static analysis called RedSoundRSE aimed at verifying noninterference. RedSoundRSE provides both semantically sound results and the ability to derive counterexample pairs of traces up to a bound. It relies on a combination of symbolic execution and abstract domains inspired by the well known notion of reduced product. We formalize RedSoundRSE and prove its soundness as well as its relative precision up to a bound. We also provide a prototype implementation of RedSoundRSE and evaluate it on a sample of challenging examples.

As a follow-up of this work, we explore the concept of a static symbolic taint-tracker. We develop a formal semantics for a symbolic taint-tracker, together with the adaptation of weak secrecy for modern use cases. Then, by assuming the existence of a sound-but-imprecise taint tracker, we contribute to a combined analysis that uses both the sound and the symbolic taint trackers. Finally, we instantiate the combined analysis with Pysa, a sound taint-tracker developed by Meta, and our tool Pysta. Our tool refines the output of the sound taint-tracker, lowering the load of developers to manually review alarms.

This work has been done in collaboration with Xavier Rival and Ignacio Tiraboschi. It has been reported in the PhD thesis of Ignacio Tiraboschi  24, whom we co-supervised, and a publication in an international conference is planned.

7.4 Systems for the New Spectre Era

7.4.1 Software

Participants: Davide Davoli, Tamara Rezk.

Operating systems are stratified software ecosystems that manage the interaction between the user application and the hardware resources. The most important component is the kernel that has complete control over the hardware and every application that is running, making it a popular target for attacks. In the current state-of-the-art of security, often referred to as the Spectre era, speculative execution and side-channels are well known to be effective vectors for compromising kernel security.

We developed a formal model of the operation of kernels in the presence of speculative execution, and we used it to study whether kernel security can be restored in the Spectre era. We showed that any kernel that is safe against non-speculative attacks can be compiled to another kernel that is functionally equivalent but safe against speculative attacks. Our main result is the identification of two sufficient conditions for proving that a program transformation enforces safety against speculative attacks on kernels that are safe against ordinary attacks. Finally, we defined a transformation that satisfies such requisites.

This work has been done with Martin Avanzini from the OLAS team, who co-supervised Davide Davoli together with Tamara Rezk, and was presented at ACM CCS 2024 14.

7.4.2 Hardware

Participants: Davide Davoli, Tamara Rezk, Youcef Bouzid, Tamara Rezk, Benjamin Gregoire.

In the past, we proposed ProSpeCT  22, a generic formal processor model providing provably secure speculation for the constant-time policy. For constant-time programs under a non-speculative semantics, ProSpeCT guarantees that speculative and out-of-order execution cause no microarchitectural leaks. In addition to the formal model, we provided a prototype hardware implementation of ProSpeCT on a RISC-V processor. In order to lower the impact on hardware cost and the cost regarding the required software changes, we are studying possible alternatives solutions to ProSpeCT, extending the RISC-V architecture with specialized instructions and evaluating the performance on different extended RISC-V processors. Youcef Bouzid from ENS Saclay was a L3 intern during part of this work (which is still in progress). This work is done in collaborations with researchers from KU Leuven.

7.5 More security guarantees for the Jasmin compiler

Participants: Benjamin Grégoire, Jean-Christophe Léchenet.

We revisit the problem of erasing sensitive data from memory and registers during return from a cryptographic routine. While the problem and related attacker model is fairly easy to phrase, it turns out to be surprisingly hard to guarantee security in this model when implementing cryptography in common languages such as C/C++ or Rust. We revisit the issues surrounding zeroization and then present a principled solution in the sense that it guarantees that sensitive data is erased and it clearly defines when this happens. We implement our solution as extension to the formally verified Jasmin compiler and extend the correctness proof of the compiler to cover zeroization. We show that the approach seamlessly integrates with state-of-the-art protections against microarchitectural attacks by integrating zeroization into Libjade, a cryptographic library written in Jasmin with systematic protections against timing and Spectre-v1 attacks. Benchmarks show that in many cases the overhead of zeroization is barely measurable and that it stays below 2% except for highly optimized symmetric crypto routines on short inputs. This work has been published in CHES 2024 2.

7.6 A complete logic to bound expectation in probabilistic programs

Participants: Benjamin Grégoire.

We propose, implement, and evaluate a hopping proof approach for proving expectation-based properties of probabilistic programs. Our approach combines eHL, a syntax-directed proof system for reducing proof goals of a program to proof goals of simpler programs, with a “hopping” proof rule for reducing proof goals of an original program to proof goal of a different program which is suitably related (by means of pRHL, a relational program logic for probabilistic program) to the original program. We prove that eHL is sound for a core language with procedure calls and adversarial computations, and complete for the adversary-free fragment of the language. We also provide an implementation of eHL into EasyCrypt, a proof assistant tailored for reasoning about relational properties of probabilistic programs. We provide a tight integration of eHL with other program logics supported by EasyCrypt, and in particular probabilistic Relational Hoare Logic (pRHL). Using this tight integration, we give mechanized proofs of expected complexity of in-place implementations of randomized quickselect and skip lists. We also sketch applications of our approach to cryptographic proofs and discuss the broader impact of eHL in the EasyCrypt proof assistant. This work has been published in OOPSLA 2024 10.

7.7 Formal method for cryptography

7.7.1 Formally verifying Kyber

Participants: Benjamin Grégoire, Jean-Christophe Léchenet.

We present a formally verified proof of the correctness and IND-CCA security of ML-KEM, the Kyber-based Key Encapsulation Mechanism (KEM) undergoing standardization by NIST. The proof is machine-checked in EasyCrypt and it includes: 1) A formalization of the correctness (decryption failure probability) and IND-CPA security of the Kyber base public-key encryption scheme, following Bos et al. at Euro S&P 2018; 2) A formalization of the relevant variant of the Fujisaki-Okamoto transform in the Random Oracle Model (ROM), which follows closely (but not exactly) Hofheinz, Hovelmanns and Kiltz at TCC 2017; 3) A proof that the IND-CCA security of the ML-KEM specification and its correctness as a KEM follows from the previous results; 4) Two formally verified implementations of ML-KEM written in Jasmin that are provably constant-time, functionally equivalent to the ML-KEM specification and, for this reason, inherit the provable security guarantees established in the previous points. The top-level theorems give self-contained concrete bounds for the correctness and security of MLKEM down to (a variant of) Module-LWE. We discuss how they are built modularly by leveraging various EasyCrypt features. This work has been published in Crypto 2024 7

7.7.2 A link between CryptoVerif and EasyCrypt

Participants: Benjamin Grégoire.

We define and implement CV2EC, a translation from CryptoVerif assumptions on primitives to EasyCrypt games. CryptoVerif and EasyCrypt are two proof tools for mechanizing game-based proofs. While CryptoVerif is primarily suited for verifying security protocols, EasyCrypt has the expressive power for verifying cryptographic primitives and schemes. CV2EC allows us to prove security protocols in CryptoVerif and then use EasyCrypt to prove the assumptions made in CryptoVerif, either directly or by reducing them to lower-level or more standard cryptographic assumptions. We apply this approach to several case studies: we prove the multikey computational and gap Diffie-Hellman assumptions used in CryptoVerif from the standard version of these assumptions; we also prove an n-user security property of authenticated key encapsulation mechanisms (KEMs), used in the CryptoVerif study of hybrid public-key encryption (HPKE), from the 2-user version. By doing that, we discovered errors in the paper proof of this property, which we reported to the authors who then fixed their proof. This work has been published in CSF 2024 11.

7.8 Protection against physical side channel attack

Participants: Benjamin Grégoire.

Recently, numerous physical attacks have been demonstrated against lattice-based schemes, often exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those attacks is an important problem. However, few countermeasures have been proposed so far. In particular, masking has been applied to the decryption procedure of some lattice-based encryption schemes, but the much more difficult case of signatures (which are highly non-linear and typically involve randomness) has not been considered until now. We describe a masked implementation of a lattice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived probability distributions would be prohibitively inefficient, we focus on the GLP scheme of Güneysu, Lyubashevsky and Pöppelmann (CHES 2012). We show how to provably mask it in the Ishai–Sahai–Wagner model (CRYPTO 2003) at any order in a relatively efficient manner, using extensions of the techniques of Coron et al. for converting between arithmetic and Boolean masking. Our proof relies on a mild generalization of probing security that supports the notion of public outputs. We also provide a proof-of-concept implementation to assess the efficiency of the proposed countermeasure. This work has been published in Journal of Cryptology 3.

7.9 Termination-sensitive formal semantics of Jasmin

Participants: Benjamin Grégoire, Paolo Torrini, Jean-Christophe Léchenet.

Coq proofs on Jasmin code have so far only considered terminating programs, as currently the language specification is formalized operationally as an inductively defined big-step semantics. No matter how much this limitation can be softened by using fuelling techniques, it nonetheless remains a stumbling block in the verification of liveness properties, and we would like to overcome it.

Given the considerable body of proofs that have already been made on Jasmin, switching to a small-step semantics would invole a change of approach that is too radical and thus too costly for us. Switching to any basic coinductive flavour of the existing big-step semantics would make proofs much more complicated by demanding pervasive use of Coq coinduction.

Our plan is to obtain a cost-effective, termination-sensitive semantics of Jasmin relying on Interaction Trees, a denotational semantic approach which has emerged comparatively recently 26. Interaction Trees are essentially an abstract definition of monadic computation as a coinductive datatype in Coq. Their existing formalization allows one to make proofs about coinductive structures mainly relying on equational reasoning, and it supports a considerable degree of modularity in both specification and verification.

We expected that the denotational character of Interaction Trees would make it feasible to reuse existing Jasmin semantic definitions without changing them too much, and that the simplified, highly structured way to deal with coinduction would make it possible to refactor the existing proofs at a comparatively low cost.

These expectations have been confirmed so far in our steps, which have consisted in defining an Interaction Trees semantics for Jasmin in a way to maximize reuse, further analyzing the problem of defining an appropriately error-sensitive bisimulation to relate source and target of a compilation.

7.10 Session types

Participants: Ilaria Castellani.

Most of our work on session types was carried out in collaboration with Mariangiola Dezani (University of Torino) and Paola Giannini (University of Western Piedmont).

Session types describe communication protocols involving two or more participants by specifying the sequence of exchanged messages and their functionality (sender, receiver and type of carried data). They may be viewed as the analog, for concurrency and distribution, of data types for sequential computation. Originally conceived as a static analysis technique for a variant of the π-calculus, session types have been progressively embedded into a range of functional, concurrent, and object-oriented programming languages.

The aim of session types is to ensure safety properties for sessions, such as communication safety, i.e. the absence of communication errors (no type mismatch in exchanged data). In the absence of session interleaving, session types additionally ensure the property of deadlock-freedom (no standstill until all participants are terminated). When describing multiparty protocols, session types often target also the liveness property of progress or lock-freedom (no participant waits forever).

While binary sessions can be described by a single session type, multiparty sessions require two kinds of types: a global type that describes the whole session protocol, and local types that describe the individual contributions of the participants to the protocol. The key requirement to achieve safety properties such as deadlock-freedom is that the local types of the processes implementing the participants be obtained as projections from the same global type. To ensure progress, global types must also satisfy some well-formedness requirements.

What makes session types particularly attractive is that they offer several advantages at once: 1) static safety guarantees, 2) automatic check of protocol implementation correctness, based on local types, and 3) a strong connection with linear logics and with concurrency models such as communicating automata, graphical choreographies and message-sequence charts.

A survey of some recent research on multiparty session types was presented at the conference PPDP 2024 and is summarized in the abstract 12.

7.10.1 Event Structure Semantics for Asynchronous Multiparty Sessions

Participants: Ilaria Castellani.

We brought to an end our work on denotational semantics for asynchronous multiparty session calculi by means of Event Structures (ESs)  25, 23. In a previous work, we had proposed a similar semantics for synchronous multiparty session calculi.

Specifically, we propose an interpretation of multiparty sessions with asynchronous communication as Flow Event Structures. We introduce a new notion of asynchronous type for such sessions, ensuring the expected properties for multiparty sessions, including progress. Our asynchronous types, which reflect asynchrony more directly and more precisely than standard global types and are more permissive, are themselves interpreted as Prime Event Structures. The main result is that the Event Structure interpretation of a session is equivalent, when the session is typable, to the Event Structure interpretation of its asynchronous type, namely their domains of configurations are isomorphic.

This work has been published in the journal Fundamenta Informaticae 4.

7.10.2 Semantic Characterization of Global Type Well-formedness

Participants: Ilaria Castellani.

We address the question of characterizing the well-formedness properties of multiparty session types semantically, i.e., as properties of the semantic model used to interpret types. In this work, we focus on sessions with synchronous communication. Choosing Prime Event Structures (PESs) as our semantic model, we present semantic counterparts for the two properties that underpin global type well-formedness, namely projectability and boundedness. As a first step towards a characterization of the class of PESs corresponding to well-formed global types, we identify some simple structural properties satisfied by such PESs.

This work was presented at the workshop PLACES 2024 13.

7.11 Constructive characterizations of the must-preorder for asynchrony

Participants: Ilaria Castellani.

This work was carried out in collaboration with Giovanni Bernardi (IRIF, Université Paris Cité), Paul Laforgue (IRIF and Nomadic Labs) and Léo Stefanesco (MPI-SWS - Max Planck Institute for Software Systems).

The must-preorder by De Nicola and Hennessy is a contextual refinement which states that a server q refines a server p if all clients satisfied by p are also satisfied by q. Due to the universal quantification over clients, this definition does not yield a practical proof method for the must-preorder, and alternative characterizations are necessary to reason over it. Finding these characterizations for asynchronous semantics, i.e. where outputs are non-blocking, has thus far proven to be a challenge, usually tackled via ad-hoc definitions. We show that the standard characterizations of the must-preorder, as given for synchronous semantics, carry over as they stand to asynchronous communication provided servers are enhanced to act as forwarders, i.e. they are given the ability to input any message as long as they store it back into the shared buffer. Our development is constructive, completely mechanized in Coq, and independent of any calculus since it is carried out on Selinger output-buffered agents with feedback. This is a class of Labelled Transition Systems representing programs that communicate via a shared unordered buffer, as in asynchronous Calculus of Communicating Systems (CCS) or the asynchronous π-calculus. We show that the standard coinductive characterization allows us to prove in Coq that concrete programs are related by the must-preorder. Finally, our proofs show that Brouwer's bar induction principle is a useful technique to reason on liveness preserving program transformations.

This work has been accepted for presentation at the conference ESOP 2025. The full version of the paper is available on HAL 19.

8 Partnerships and cooperations

8.1 International initiatives

8.1.1 Inria associate team not involved in an IIL or an international program

Participants: Manuel Serrano, Robert Findler.

  • Title:
    HipHopSec
  • Partner Institution(s):
    Northwestern University (USA)

HipHopSec is an Inria/Northwestern associated team studying new programming environment for IoT devices.

Nowadays most applications are distributed, that is, they run on several computers: a mobile device for the graphical user interface; a gateway for storing data in a local area; a remote server of a large cloud platform for resource demanding computing; an object connected to Internet in the IoT (Internet of Things); etc. For many different reasons, this makes programming much more difficult than it was when only a single computer was involved:

  • Applications are composed of extensive lists of diverse components, each coming with their own specification and imposing its own constraints on application development.
  • Due to the distributed nature of the applications, developers have to implement appropriate communication protocols, which is difficult to do correctly and securely.
  • Communicating applications need to resort to parallelism to handle requests from their clients with acceptable latency. No matter whether it is multi-threading (as in Java) or asynchronous programming (as in JavaScript/Node.js), this style of programming is notoriously difficult and error-prone.

The Inria Indes, Northwestern University, and College de France teams are working together to propose solutions that address the aforementioned problems. Combined together, they could lead to a robust and secure execution environment for the web and IoT programming.

Participants: Erven Rohou, Manuel Serrano, Marc Feeley.

  • Title:
    COLD
  • Partner Institution(s):
    Inria Rennes (leader), University of Montreal (CANADA)

Cold is an Inria/University of Montreal associated team studying compilation techniques for dynamic languages. It is co-funded by Inria and the University of Montreal. Erven Rohou is the leader of the team.

Dynamic programming languages offer flexibility and generally facilitate rapid software development. Programs written using dynamic languages are typically slower, consume more memory, and are less energy efficient. This is especially concerning, considering that dynamic languages such as Python and JavaScript are extensively used. JavaScript is the main language for implementing web applications, while Python is the most used language for software development today and in particular in the very active field of Machine Learning and Artificial Intelligence.

To solve this issue, our team researches optimizing compilation techniques for dynamic languages. Such techniques generate optimized code when translating a program from its source code to machine code. This provides better performance without having to sacrifice the flexibility of dynamic languages. Furthermore, since novel optimizing techniques can be integrated into existing compilers, they can improve current programs with no additional effort by the application programmers.

In the last decades, the discovery of tracing just-in-time compilation and advances in partial evaluation have significantly improved the performance of dynamic languages. However, work remains to be done to bridge the gap between dynamic and static languages, a performant yet less flexible family of languages. Bridging this gap will enable significant savings in execution time and energy efficiency globally.

8.1.2 Participation in other International Programs

Retrofit (ANR/NSF)

Participants: Manuel Serrano.

  • Title: Bringing Esterel out of its Shell
  • Partner Institution(s):
    • Northwestern University, USA
  • Date/Duration: May 1st 2025, 42 months

Synchronous reactive programming languages have proven successful for real-time, safety-critical applications, such as aviation and nuclear power. We consider it a mistake that these languages have not been extended to other domains that require responsiveness to interacting agents with strict attention to sequencing and time bounds. In our view, the Web, the IoT, and medical care are neglected domains where synchronous reactive languages have potential to bring order-of-magnitude improvements in reliability and responsiveness. In the Retrofit project, we aim to demonstrate the benefit of synchronous reactive programming for general programming. For that, Esterel will be our main source of inspiration as we create new synchronous reactive languages for these domains. To assess the benefits of synchronous reactive programming, we will build and assess realistic dynamic prototypes in these new languages.

8.2 International research visitors

8.2.1 Visits of international scientists

Participants: Marc Feeley, Andreas Sabelfeld, Gilles Barthe, Ignacio Tiraboschi, Guillaume Combette.

8.2.2 Visits to international teams

Research stays abroad
  • Visited institution:
    University of Montreal (Prof. M. Feeley)
  • Country:
    Canada
  • Dates:
    November
  • Context of the visit:
    COLD (Inria PACAP associate team)
  • Mobility program/type of mobility:
    research stay

8.3 National initiatives

8.3.1 Action Exploratoire: AoT.js – Optimizing Compilation from Higher-Order Programming to Computer Architecture

Participants: Erven Rohou, Manuel Serrano.

This action exploratoire is bi-localized in Rennes and Sophia-Antipolis.

JavaScript programs are typically executed by a JIT compiler, able to handle efficiently the dynamic aspects of the language. However, JIT compilers are not always viable or sensible (e.g., on constrained IoT systems, due to secured read-only memory (WX), or because of the energy spent recompiling again and again). We propose to rely on ahead-of-time compilation, and achieve performance thanks to optimistic compilation, and detailed analysis of the behavior of the processor, thus requiring a wide range of expertise from high-level dynamic languages to microarchitecture.

8.3.2 PEPR

Participant: Benjamin Grégoire, Jean-Christophe Léchenet.

SVP PEPR Cybersecurity. We participate in a project concerned with the verification of security protocols. Partners in this project are CNRS IRISA Rennes (coordinator Stéphanie Delaune), INRIA, University of Paris-Saclay, University of Lorraine, University of Côte d’Azur, ENS Rennes. The funds allocated to our team in this collaboration are 333 KEuros. The corresponding researcher for this contract is Benjamin Grégoire.

8.4 Regional initiatives

8.4.1 Graines de projet ADT

Participant: Benjamin Grégoire, Côme Le Breton, Jean-Christophe Léchenet, Romain Tetley.

We carried out a graine de projet ADT initiative with the goal of adding a RISC-V backend to the Jasmin compiler. This project was highly successful, allowing us to test the new backend with an implementation of the post-quantum signature scheme Dilithium in Jasmin. This paves the way for extending the Libjade library with RISC-V implementations.

9 Dissemination

9.1 Promoting scientific activities

9.1.1 Scientific events: organisation

Member of the organizing committees
  • Benjamin Grégoire organized the Formosa Crypto Retreat in Sophia Antipolis from December 10th to 13th.
  • Tamara Rezk organized:
    • A local workshop on Web Security at Inria, in January 2024.
    • An international seminar on Web Security in Shonan, March 2024: this seminar was initially proposed for March 2020 and then postponed due to Covid.
    • An international seminar on Microarchitectural Attacks and Defences in Shonan, July 2024 (https://shonan.nii.ac.jp/seminars/215/).
    • An international workshop called Pyramid (co-organized with Chalmers and Google) at Inria, in October 2024.
Chair of conference program committees
  • Ilaria Castellani was Programme co-Chair of COORDINATION 2024: 26th International Conference on Coordination Models and Languages.
  • Tamara Rezk was Programme co-Chair of CSF 2024: Conference on Computer Security Foundations.
Member of the conference program committees
  • Manuel Serrano participated in the program committees of ECOOP'24 (European Conference on Object-Oriented Programming).
  • Ilaria Castellani participated in the programme committee of CONCUR 2024: 35th International Conference on Concurrency Theory.
  • Ilaria Castellani is a member of the Steering Committees of the conference COORDINATION and of the workshop EXPRESS/SOS.
  • Benjamin Grégoire participated in the program committees of:
    • CSF'24: 37th IEEE Computer Security Foundations Symposium
    • CCS'24: The 31st ACM Conference on Computer and Communications Security
    • The annual meeting of the GT MFS organized by the Working Group (GT) "Formal Methods for Security" (MFS) of the GDR Sécurité Informatique.
  • Tamara Rezk participated in the program committee of USENIX 2024: USENIX Security Symposium.

9.1.2 Scientific events: selection

Member of the editorial boards

9.1.3 Invited talks

  • Ilaria Castellani was the invited speaker of PPDP 2024: 26th International Symposium on Principles and Practice of Declarative Programming.
  • Tamara Rezk was:
    • Invited speaker at the Symposium of Systems Security at MPI-Bochum, "On Kernel's Safety in the Spectre Era", Bochum, June 17th, 2024 (https://www.mpi-sp.org/63428/program).
    • Invited speaker at Waseda University, "On Kernel's Safety in the Spectre Era", Tokyo, July, 2024.
    • Invited speaker at the Chalmers research retreat, "On Kernel's Safety in the Spectre Era", GullHolmen, August 2024.

9.1.4 Leadership within the scientific community

9.1.5 Research administration

  • Ilaria Castellani is a member of the INRIA Gender Equality and Equal Opportunities Committee, and of the organizing committee of the Forum Numerica seminar series.
  • Tamara Rezk is a member of the Bureau de CP.

9.2 Teaching - Supervision - Juries

Tamara Rezk taught courses in Université Côte d'Azur, Chalmers, and École Polytechnique.

9.2.1 Supervision

  • PhD in progress: Aurore Poirier, Erven Rohou and Manuel Serrano.
  • PhD in progress: Olivier Melancon, Marc Feeley and Manuel Serrano.
  • PhD in progress: Davide Davoli , co-supervised by Martin Avanzini and Tamara Rezk .
  • PhD discontinued: Guillaume Combette, co-supervised by Sébastien Bardin and Tamara Rezk , discontinued his PhD in December 2024.
  • PhD defended 18 in October 2024: Ignacio Tiraboschii , co-supervised by Xavier Rival and Tamara Rezk .

9.2.2 Juries

  • Manuel Serrano was a reviewer for the PhD of Leo Andres (University of Paris Saclay) and Colin Gonzalez Duburc (University of Paris City).
  • Ilaria Castellani was a member of the PhD juries of Vincent Rébiscoul (Université de Rennes 1), Giovanni Fabbretti (Université Grenoble Alpes), and Luc Edixhoven (Open University, the Netherlands).
  • Tamara Rezk was a member of the PhD juries of Joel Kuepper (supervisors: Yuval Yarom and Chitchanok Chuengsatiansup), The University of Adelaide, February 2024; and Basavesh Ammanaghatta Shivakumar (supervisors: Peter Schwabe and Gilles Barthe), Radboud University, September 2024.

10 Scientific production

10.1 Publications of the year

International journals

International peer-reviewed conferences

Doctoral dissertations and habilitation theses

  • 17 thesisB.Benjamin Grégoire. Provable Security of Cryptographic Primitives: from Algorithms to Assembly.Université Côte D'AzurDecember 2024HALback to text
  • 18 thesisI.Ignacio Tiraboschi. Intertwining Symbolic Execution and Abstract Interpretation for the Analysis of Security Properties.ENS Paris - Ecole Normale Supérieure de ParisOctober 2024HALback to text

Reports & preprints

10.2 Cited publications

  • 22 inproceedingsL.-A.Lesly-Ann Daniel, M.Marton Bognar, J.Job Noorman, S.Sébastien Bardin, T.Tamara Rezk and F.Frank Piessens. ProSpeCT: Provably Secure Speculation for the Constant-Time Policy.USENIX Security SymposiumAnaheim, FranceAugust 2023HALback to text
  • 23 articleM.Mogens Nielsen, G.Gordon Plotkin and G.Glynn Winskel. Petri Nets, Event Structures and Domains, Part I.Theoretical Computer Science1311981, 85--108back to text
  • 24 phdthesisI.Ignacio Tiraboschi. Intertwining Symbolic Execution and Abstract Interpretation for the Analysis of Security Properties.Université PSLNovember 2024, URL: https://www-sop.inria.fr/members/Tamara.Rezk/publications/IgnacioTiraboschi2024.pdfback to text
  • 25 phdthesisG.G. Winskel. Events in Computation.University of Edinburgh1980back to text
  • 26 articleL.-y.Li-yao Xia, Y.Yannick Zakowski, P.Paul He, C.-K.Chung-Kil Hur, G.Gregory Malecha, B. C.Benjamin C. Pierce and S.Steve Zdancewic. Interaction trees: representing recursive and impure programs in Coq.Proc. ACM Program. Lang.4POPLDecember 2019, URL: https://doi.org/10.1145/3371119DOIback to text