Cassis is a joint project between the
*Laboratoire Lorrain de Recherche en Informatique et ses Applications (LORIA - UMR 7503)*and
*Laboratoire d'Informatique de l'Université de Franche-Comté (LIFC - FRE 2661)*.

The objective of the project is to design and develop tools to verify the safety of systems with an infinite number of states. The analysis of such systems is based on a symbolic representation of sets of states in terms of formal languages or logical formulas. Safety is obtained via automatic proof, symbolic exploration of models or test generation. These validation methods are complementary. They rely on the study of accessibility problems and their reduction to constraint solving.

An originality of the project is its focus on infinite systems, parameterized or large scale, for which each technique taken separately shows its limits. This is the case for example with protocols operating on topologies of arbitrary size (ring networks), systems handling data structures of any size (sets), or whose control is infinite (automata communicating through an unbounded buffer). Ongoing or envisioned applications concern embedded software (e.g., smart cards, automotive controllers), cryptographic protocols (IKE, SET, TLS, Kerberos) designed to ensure trust in electronic transactions, and distributed systems.

The problem of validating or verifying reactive systems is crucial because of the increasing number of security-sensitive systems. The failure of these critical systems can have dramatic consequences since they may be embedded in vehicles components, or they control power stations or telecommunication networks. Beside obvious security issues, the reliability of products whose destination is millions of end-users has a tremendous economical impact.

There are several approaches to system verification: automated deduction, reachability analysis or model-checking, and testing. These approaches have different advantages and drawbacks. Automated deduction can address practical verification, however it remains complex to handle and requires a lot of expertise and guidance from the user. Model-checking is exhaustive but must face combinatorial explosion and becomes problematic with large-size or infinite systems. Testing is fundamental for validating requirements since it allows the discovery of many errors. However, it is almost never exhaustive and therefore only leads to partial solutions. Hence we believe that these approaches should not be considered as competing but as complementary.

The goal of our project is to contribute to new combinations of these three verification techniques in a framework that would apply them in an industrial context. In particular we expect some breakthrough in the infinite-state verification domain by joint applications of deductive, model-checking and testing techniques.

For verifying the security of infinite state systems we rely on

Different ways to express the safety, reachability or liveness properties of systems, linear-time or branching-time logics, and the application of abstraction or abstract interpretation.

Test generation techniques.

The modeling of systems by encoding states as words, terms or trees and by representing infinite sets of states by languages. To each of these structures corresponds appropriate action families, such as transductions or rewritings.

Our goal is to apply these different approaches for ensuring the security of industrial systems by providing adequate methods and tools. In more details we aim at the following contributions (see the continuous lines in Figure ):

verification of abstract models derived from existing systems;

tests generation from the abstract model for validating the existing model;

cross-fertilization of the different validation techniques (deduction, model-checking, testing) by taking advantage of the complementary scopes and of their respective algorithmic contributions.

Let us mention that all these techniques comply with various development methodologies.

Verifying the safety of infinite state systems is a challenge: nowadays algorithmic techniques only apply to very specific infinite state systems. On the other hand the deductive approaches are good candidates to capture infinite system safety verification but are difficult to bring into operation and require a deep expertise. A solution consists of integrating several verification methods by combining, for example, theorem-proving and model-checking.

The behavior of infinite states systems is expressed in the various models by composing or iterating actions. One of the main problems with algorithmic techniques is to compute the effect of
these actions on the initial state. This computation is called
*reachability analysis*. The verification of safety properties as well as the automatic generation of test cases relies heavily on the accuracy of reachability analysis.

The transverse goal is to push away the limitations on the use of formal verification techniques, to ease their applications, and to let them scale-up.

For properties that can be checked by reachability analysis we have proposed models based on regular languages and rational transductions. We have completed them by designing algorithms for verifying a refinement relation between two models and . This refinement relation when satisfied preserves the safety properties and therefore allows them to be inherited. We shall investigate this approach with other representations.

In order to generate boundary-value functional test cases, we abstract models as constrained states. These constraints are solved by a customized solver, called CLPS. The test cases are derived in two steps :

partitioning of the formal model and extraction of boundary values,

reachability graph exploration from constrained states in order to reach boundary values and generate state sequences (traces) as test cases with the oracle.

After the generation phase, a concretization is used to produce the test drivers . Furthermore, the kernel of the engine allows one to perform specification animations in order to validate the model .

For the safety of infinite state systems we have designed automated deduction tools based on term rewriting (
*SPIKE*,
*daTac*,
*haRVey*) and an extensible and modular platform for detecting flaws and potential attacks on security protocols (
*AVISPA*). The tools have been built on the modeling of systems by terms and rewrite rules. Our work with other models based on regular languages of words or trees and of transducers
should complement these term rewriting models.

In order to address this challenge, we rely on complementary skills within the project. We believe that each of the three techniques will benefit from concepts and algorithms designed for the two others.

Three members of the EPI Cassis have defended their Habilitation: Véronique Cortier, Pierre-Cyrille Héam and Christophe Ringeissen.

Our main goal is to design techniques and to develop tools for the verification of (safety-critical) systems, such as programs or protocols. To this end, we develop a combination of techniques based on automated deduction for program verification, constraint resolution for test generation, and reachability analysis for the verification of infinite state systems.

The main goal is to prove the validity of assertions obtained from program analysis. To this end, we develop techniques and automated deduction systems based on rewriting and constraint solving. The verification of recursive data structures relies on inductive reasoning or the manipulation of equations and it also exploits some form of reasoning modulo properties of selected operators (such as associativity and/or commutativity).

Rewriting, which allows us to simplify expressions and formulae, is a key ingredient for the effectiveness of many state-of-the-art automated reasoning systems. Furthermore, a well-founded rewriting relation can be also exploited to implement reasoning by induction. This observation forms the basis of our approach to inductive reasoning, with high degree of automation and the possibility to refute false conjectures.

The constraints are the key ingredient to postpone the activity of solving complex symbolic problems until it is really necessary. They also allow us to increase the expressivity of the specification language and to refine theorem-proving strategies. As an example of this, the handling of constraints for unification problems or for the orientation of equalities in the presence of interpreted operators (e.g., commutativity and/or associativity function symbols) will possibly yield shorter automated proofs.

Finally, decision procedures are being considered as a key ingredient for the successful application of automated reasoning systems to verification problems. A decision procedure is an algorithm capable of efficiently deciding whether formulae from certain theories (such as Presburger arithmetic, lists, arrays, and their combination) are valid or not. We develop techniques to build and combine decision procedures for the domains which are relevant to verification problems. We also perform experimental evaluation of the proposed techniques by combining propositional reasoning (implemented by means of Boolean solvers – Binary Decision Diagrams or SAT solvers) and decision procedures, and their extensions to semi-decision procedures for handling larger (possibly undecidable) fragments of first-order logic.

We investigate techniques to incorporate the use of decision procedures in the model-checking of infinite state systems. The state of such systems is described by the models of theories specifying data types (such as integers or arrays) and their behavior is identified by (possibly infinite) sequences of these models which share the interpretation of the symbols interpreted in the theories (e.g., the addition over the integers). In this context, checking if a system satisfies a certain property may be reduced to checking the satisfiability of a formula in the theory obtained as the combination of the theories describing the sequence of states in the computation. To solve this problem, it is crucial to develop new combination methods for non-disjoint unions of theories.

Applying constraint logic programming technology in the validation and verification area is currently an active way of research. It usually requires the design of specific solvers to deal with the description language's vocabulary. We are interested in using a solver for set constraints based on the CLPS core , to evaluate set-oriented formal specifications. By evaluation, we mean the encoding of the formal model into a constraint system, and the ability for the solver to verify the invariant on the current constraint graph, to propagate preconditions or guards, and to apply the substitution calculus on this graph. The constraint solver is used for animating specifications and automatically generating abstract test cases.

Invariant checking and strenghtening is the dual of reachability analysis, and can thus be used for verifying safety properties of infinite-state systems. In fact, many infinite-state
systems are just parameterized systems which become finite state systems when parameters are instantiated. Then, the challenge is to automatically discharge the maximal number of proof
obligations coming from the decomposition of the invariance conditions. For parameterized systems, we develop a deductive approach where states are defined by first order formulae with
equality, and proof obligations are checked by the automatic theorem prover
*haRVey*. Thanks to this tool, we study the applicability of the superposition calculus (a modern version of resolution with a built-in treatment of the equality predicate and powerful
techniques for reducing the search space) for deciding conditions arising from program verification.

Security protocols such as SET, TLS and Kerberos, are designed for establishing the confidence of electronic transactions. They rely on cryptographic primitives, the purpose of which is to ensure integrity of data, authentication or anonymity of participants, confidentiality of transactions, etc.

Experience has shown that the design of those protocols is often erroneous, even when assuming that cryptographic primitives are perfect, i.e., that an encoded message cannot be decrypted without the appropriate key. An intruder can intercept, analyze and modify the exchanged messages with very few computations and therefore, for example, generate important economic damage.

Analyzing cryptographic protocols is complex because the set of configurations to consider is very large, and can even be
*infinite*: one has to consider any number of sessions, any size of messages, sessions interleaving, some algebraic properties of encryption or data structures.

Our objective is to automatize as much as possible the analysis of protocols starting from their specification. This consists in designing a tool easy to use, permitting to specify a large number of protocols thanks to a standard high-level language, and permitting either to look for flaws in a given protocol or to check whether it satisfies a given property. Such a tool is essential for verifying existing protocols, but also for helping in designing new ones. For our tool to be easy to use, it has to provide a graphical interface allowing a user to do only click-button.

Our tools for verifying security protocols are available as components of the AVISPA platform. As an extension of the AVISPA specification language, we are working on a new environment
called
*CASRUL*for handling more general protocols like e-business protocols for example.

In , we have presented a new approach for test generation from set-oriented formal specifications: the BZ-TT method. This method is based on Constraint Logic Programming (CLP) techniques. The goal is to test every operation of the system at every boundary state using all input boundary values of that operation. It has been validated in several industry case studies for smart card OS and application validation (GSM 11-11 standard and Java Card Virtual Machine Transaction mechanism ) and for embedded automotive software (an automobile wind-screen wiper controller).

This test generation method can be summed up as follows: from the formal model, the system computes boundary values to create boundary states; test cases are generated by traversal of the
state space with a preamble part (sequences of operations from the initial state to a boundary state), a body part (critical invocations), an identification part (observation and Oracle state
computation) and a post-amble part (return path to initial or boundary state). Then, an executable test script file is generated using a test pattern and a table of correspondence between
abstract operations (from the model) and concrete ones. This approach differs in several main points from the work of Dick, Faivre
*et al*: first, using boundary goals as test objectives avoids the complete construction of the reachability graph; second, this process is fully automated and the test engineer could just
drive it at the boundary value computation level or for the path computation.

The BZ-TT method is fully supported by the BZ-Testing-Tools tool-set. This environment is a set of tools dedicated to animation and test cases generation from B, Z or State-Chart formal specifications. It is based on the CLPS constraint solver, able to simulate the execution of the specification. By execution, we mean that the solver computes a so-called constrained state by applying the pre- and post-condition of operations. A constrained state is a constraint store where state variables and also input and output variables support constraints.

One orientation of the current work is to go beyond the finiteness assumption limitations by using symbolic constraint propagation during the test generation process and to extend the result to object oriented specifications.

Catching bugs in programs is difficult and time-consuming. The effort of debugging and proving correct even small units of code can surpass the effort of programming. Bugs inserted while “programming in the small” can have dramatic consequences for the consistency of a whole software system as shown, e.g., by viruses which can spread by exploiting buffer overflows, a bug which typically arises while coding a small portion of code. To detect this kind of errors, many verification techniques have been put forward such as static analysis and software model checking.

Recently, in the program verification community, there seems to be a growing demand for more declarative approaches in order to make the results of the analysis readily available to the end user. To meet this requirement, a growing number of program verification tools integrate some form of theorem proving.

The goals of our research are twofold. First, we perform theoretical investigations of various combinations of propositional and first-order satisfiability checking in order to automate the theorem proving activity required to solve a large class of program analysis problems which can be encoded as first-order formulae. Second, we experimentally investigate how our techniques behave on real problems so to make program analysis more precise and scalable. Building tools capable of providing a good balance between precision and scalability is one of the crucial challenges to transfer theorem proving technology to the industrial domains.

Driven by rapidly changing requirements and business needs, IT systems and applications are undergoing a paradigm shift: components are replaced by services, distributed over the network,
and composed and reconfigured dynamically in a demand-driven way into service-oriented architectures

Researchers in microrobotics have recently proposed the concept of a distributed and integrated micromanipulator called
*smart surface*, based on an array of smart micromodules in order to realize an automated positioning and conveying surface. Each micro-module will be composed of a micro-actuator, a
micro-sensor and a control unit. The cooperation of these micromodules will allow to recognize the parts and to control micro-actuators on order to move and position accurately the parts on
the smart surface.

Our objective is to elaborate new specification languages and verification methods to validate distributed smart surfaces at different levels of abstraction. We will bring our experience in formal verification, more especially in regular model-checking (RMC).

We collaborate with the AS2M (Automatique et Systèmes Micro-Mécatroniques) department at the FEMTO-ST (Franche-Comté Electronique Mecanique Thermique et Optique - Sciences et Technologies)
institute (UMR 6174) on verifying and validating an adaptative
*microfactory*model they have developed. We have defined a complete information model of multi-cells microfactories in UML. This model is used as the communication basis between the
robotic and computing researchers. It includes the structure of the physical components of the microfactory - cells and transports functions - and the logical components - information
gathering and exchange. The next step will be to provide properties and a dynamic model of microfactories.

Cassis has been one of the 4 partners involved in the European project AVISPA, which has resulted in the distribution of a tool for automated verification of security protocols, named
*AVISPA*Tool. It is freely available on the web
*AVISPA*Tool compares favourably to related systems in scope, effectiveness, and performance, by (i) providing a modular and expressive formal language for specifying security protocols
and properties, and (ii) integrating 4 back-ends that implement automatic analysis techniques ranging from
*protocol falsification*(by finding an attack on the input protocol) to
*abstraction-based verification*methods for both finite and infinite numbers of sessions.

In 2009, no new release of the AVISPA Tool has been delivered, but the users mailing-list has been active and an important contribution has been proposed by Thomas Genet (LANDE Project, IRISA), SPAN, a protocol animator.

The tool has also been used in the group for analyzing non-repudiation protocols.

We develop, as a first back-end of
*AVISPA*,
*CL-AtSe*, a Constraint Logic based Attack Searcher for cryptographic protocols. The
*CL-AtSe*approach to verification consists in a symbolic state exploration of the protocol execution, for a bounded number of sessions. This necessary restriction (for decidability,
see
) allows
*CL-AtSe*to be correct and complete, i.e., any attack found by
*CL-AtSe*is a valid attack, and if no attack is found, then the protocol is secure for the given number of sessions. Each protocol step is represented by a constraint on the protocol
state. These constraints are checked lazily for satisfiability, where satisfiability means reachability of the protocol state.
*CL-AtSe*includes a proper handling of sets (operations and tests), choice points, specification of any attack states through a language for expressing fairness, non-abuse freeness,
etc..., advanced protocol simplifications and optimizations to reduce the problem complexity, and protocol analysis modulo the algebraic properties of cryptographic operators such as XOR
(exclusive or) and Exp (modular exponentiation). The handling of XOR and Exp has required to implement an optimized version of the combination algorithm of Baader & Schulz
for solving unification problems in disjoint unions of arbitrary
theories.

*CL-AtSe*has been successfully used by Cassis members
to analyse France Telecom R&D, Siemens AG, IETF, or Gemalto
protocols in funded projects. It is also employed by external users, e.g., from the AVISPA's community. Moreover,
*CL-AtSe*achieves very good analysis times, comparable and sometimes better than state-of-the art tools in the domain (see
for tool details and precise benchmarks).

We have developed, as a second back-end of
*AVISPA*, TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols), an automata based tool dedicated to the validation of security protocols for an
unbounded number of sessions. This tool provides automatic computations of over and under approximations of the knowledge accessible by an intruder. This knowledge is encoded as a regular
tree language and protocol steps and intruder abilities are encoded as a term rewriting system. When given a reachability problem such as secrecy, TA4SP reports that (1) the protocol is safe
if it manages to compute an over-approximation of intruder's knowledge that does not contain a secret term or (2) the protocol is unsafe in the rewrite model if it manages to compute an
underapproximation of intruder's knowledge containing a secret term or (3) I don't know otherwise. TA4SP has verified 28 industrial protocols and case (3) occurred only once, for Kaochow
protocol version 2.

TA4SP handles protocols using operators with algebraic properties. Thanks to a recent quadratic completion algorithm new experimental results have been obtained, for example for the Encrypted Key Exchange protocol (EKE2) using the exponential operator.

The Testing Tools is a tool-set for animation and test generation from B, JML, Z and State-chart specifications. It consists of two components:

**BZ-Testing-Tools**– BZ-TT – is a tool-set for animation and test generation from B, Z and State-chart specifications. BZ-TT provides several testing strategies (partition analysis,
cause-effect testing, boundary-value testing and domain testing), and several test model coverage criteria (multiple condition coverage, boundary coverage and transition coverage).

A rebuild of the architecture of the BZ-Testing-Tools engine has started in December 2008, with the help of an "ingénieur jeune diplomé" from INRIA. It aimed at integrating the latest works on constraint solving and theorem proving, in a modular architecture dedicated to the analysis and exploitation of formal behavioral models for test generation purposes.

**JML-Testing-Tools**– JML-TT – is a framework for the symbolic animation of formal models written using JML annotations
embedded within Java programs. JML-TT provides a simple and
efficient way to semi-automatically validate a JML specification and to check model properties such as class invariant or history constraints during the animation. This tool is used in the
ACI GECCOO project

We develop a third tool
**Test-For-Testing-Tools**to validate the tests. The tool takes as input a code program and a test suite (realized by several approaches such as BZ-TT/random/properties driven tests). The
system performs a mutation of the code program and we observe how many mutants are killed with each test suite.

Most of the software tools described in previous sections are using tools that we have developed in the past: BZ-TT uses the set constraints solver CLPS and
*SPIKE*. Note that the development of the SMT prover haRVey has been stopped. The successor of haRVey in Nancy is called veriT and is developed by David Déharbe (UFRN Natal, Brasil) and
Pascal Fontaine (MOSEL).

We develop general techniques which allow us to re-use available tools in order to build a new generation of satisfiability solvers offering a good trade-off between expressiveness, flexibility, and scalability. We focus on the careful integration of combination techniques and rewriting techniques to design satisfiability procedures for a wide range of (combined) theories of interest in verification.

We show how to use a non-disjoint extension of the Nelson-Oppen combination method to obtain decision procedures for theories modelling data structures and arithmetic constraints.

We propose a first solution when the incorporated arithmetic operator allows to express only linear increments, i.e. when the considered constraints have to be interpreted modulo the theory of integer offsets . We present a superposition calculus dedicated to theories that model some data structures and that share the integer offsets; we show that the calculus is capable to actually decide the existential fragment of these theories and that can be plugged into the non-disjoint extension of the Nelson-Oppen combination method, deriving thus decision procedure for theories modeling more complex data structures.

To be effective in all our papers mentioned above, the non-disjoint extension of the Nelson-Oppen combination method makes use of procedures able to compute the logical consequences over the shared signature.

Increasing the automaticity of proofs in deductive verification of C programs is a challenging task. When applied to industrial C programs known heuristics to generate simpler verification conditions are not efficient enough. This is mainly due to their size and a high number of irrelevant hypotheses. We have presented a strategy to reduce program verification conditions by selecting their relevant hypotheses. The relevance of a hypothesis is determined by the combination of a syntactic analysis and two graph traversals. The first graph is labeled by constants and the second one by the predicates in the axioms. The approach is applied on a benchmark arising in industrial program verification.

In collaboration with F. Jacquemard (DAHU project) we pursue our investigation on rewriting systems for unranked ordered terms, i.e. trees where the number of successors of a node is not determined by its label, and is not a priori bounded. We model XML update operations with parametrized rewriting on unranked trees. Then we compute the forward and backward reachability sets of these systems for unranked trees languages given by several classes of hedge automata . This gives more insight on these notions that have not been investigated before. In the context of XML processing, static type checking amounts verifying that a document transformation always converts valid source documents into valid output documents. We solve this problem for arbitrary sequences of atomic XML update operations from different subsets of the W3C XQuery Update Facility 1.0. We then apply the results to the verification of access control policies for XML updates. We propose an algorithm for the policy local consistency problem, that is, for deciding whether a sequence of authorized operations starting from a given document can simulate a forbidden one.

The design of cryptographic protocols is error-prone. Without a careful analysis, subtle flaws may be discovered several years after the publication of a protocol, yielding potential harmful attacks. In this context, formal methods have proved their interest for obtaining good security guarantees. Many analysis techniques have been proposed in the litterature . We develop new techniques for richer primitives, wider classes of protocols and, higher security guarantees.

Some attacks exploit in a clever way the interaction between protocol rules and algebraic properties of cryptographic operators. In , we provide a list of such properties and attacks as well as existing formal approaches for analyzing cryptographic protocols under algebraic properties.

Focusing on ground deducibility and static equivalence (checking whether two sequences of messages are indistinguishable to an attacker), we have proposed
an efficient and generic decision procedure for a wide class of
equational theories, including subterm convergent theories (e.g. encryption, signatures, pairing and hash) and layered convergent theories (e.g. blind signatures). The procedure is generic in
the sense that it remains sound and complete (but may not terminate) for any convergent theory. It has been implemented in the YAPA tool

Encryption “distributing over pairs” is employed in several cryptographic protocols. As a first step towards solving intruder constraints under this hypothesis, we show that unification is decidable for an equational theory HE specifying such an encryption . The method consists in transforming any given problem in such a way, that the resulting problem can be solved by combining a graph-based reasoning on its equations involving the homomorphisms, with a syntactic reasoning on its pairings.

We have also continued the work on the symbolic derivation model for cryptographic protocols that was introduced in . We were in particular interested by the problem of whether two distinct symbolic derivations have the same sets of solutions. We have obtained a decidability result for the subterm convergent theories.

Most previous results focus on secrecy and authentication for simple protocols like the ones from Clark & Jacob library. We explore several directions to cover more complex security properties.

Non-repudiation protocols have an important role in many areas where secured transactions with proofs of participation are necessary. Formal methods are clever and without error, therefore using them for verifying such protocols is crucial. In this purpose, in collaboration with F. Klay (France Telecom R&D), we have shown how to partially represent non-repudiation as a combination of authentications, and also defined a new method , based on the handling of the knowledge of protocol participants. This last method has been implemented in the AVISPA Tool, and used for analyzing several protocols .

In particular, it has been used with L. Jing (Sun Yat-Sen University, China) for defining and analyzing a non-repudiation protocol for which there is no assumption of existence of resilient channels between the TTP and each protocol participant .

Our method has also been used with Ambuj Pushkar Ojha (INRIA Internship, from IIT Bombay, India) for modeling the a protocol defined by Cederquist, Dashti and Mauw, and analyzing it, finding fairness attacks.

.

Several security cannot be defined (or cannot be naturally defined) as trace properties and require the notion of
*observational equivalence*. Typical examples are anonymity, privacy related properties or statements closer to security properties used in cryptography. In the context of the applied pi
calculus and for
*determinate*processes, we have shown
that observational equivalence actually coincides with trace
equivalence, a notion simpler to reason with. Most existing protocols can actually be shown to be determinate. Then, for determinate processes without replication, we deduce decidability of
observational equivalence for a general class of equational theories, reducing the decidability of trace equivalence to deciding an equivalence relation introduced by M. Baudet.

New classes of protocols are still emerging and not all can be analysed using existing techniques. We study how to cover the emergent families of security protocols.

*Group Protocols.*Although many works have been dedicated to standard protocols, very few address the more challenging class of group protocols. We have investigated group protocol
analysis in a synchronous model, that allows the specification of unbounded sets of agents with related behavior. Also, when used in an asychronous way, this generalizes standard protocol
models with bounded number of agents by permitting unbounded lists inside messages (including unbounded number of variables, nonces, etc..). This approach also applies to analyzing Web
services manipulating sequences of items. In this model we propose a decision procedure for the sub-class of well-tagged protocols with autonomous keys.
,
.

In collaboration with the MADYNES EPI, and in the framework of SAFECAST project on secured group communication system design, we have experienced the use of UML and two complementary verification tools : AVISPA enabled us detecting and fixing security flaws; the TURTLE toolkit enabled us saving development time by eliminating design solutions with inappropriate temporal parameters.

*Securing routing Protocols.*The goal of routing protocols is to construct valid routes between distant nodes in the network. If no security is used, it is possible for an attacker to
disorganize the network by maliciously interacting with the routing protocols, yielding invalid routes to be build. That is why secure versions of routing protocols are now developed.
Mathilde Arnaud has recently started a PhD, in collaboration with the project-team
SECSI(LSV, Cachan) on designing verification techniques adapted for routing protocols. In particular, she has proposed
a new model and an associated decision procedure to check whether a
routing protocol can ensure that honest nodes only accept valid routes, even if one of the nodes of the network is compromised. This result has been obtained for a bounded number of sessions,
adapting constraint solving techniques.

*Security APIs.*In some systems, it is not possible to trust the host machine on which sensitive codes are executed. In that case, security-critical fragments of a program should be
executed on some tamper resistant device (TRD), such as a smartcard, USB security token or hardware security module (HSM). The exchanges between the trusted and the untrusted infrastructures
are ensured by special kind of API (Application Programming Interface), that are called
*security APIs*. We have proposed
,
a new and generic API that can be used to implement most
key-exchange protocols on untrusted host machines.

Even when a protocol has been proved secure, there is absolutely no guarantee if the protocol is executed in an environment where other protocols, possibly sharing some common identities and keys like public keys or long-term symmetric keys, are executed. In , we show that whenever a protocol is secure, it remains secure even in an environment where arbitrary protocols are executed, provided each encryption contains some tag identifying each protocol, like e.g. the name of the protocol.

Protocols may also be built in a modular way. For example, authentication protocols may assume pre-distributed keys or may assume secure channel. How security of these protocols can be combined is an important issue. Stefan Ciobaca has started a PhD on this subject this year, in collaboration with the project-team SECSI(LSV, Cachan).

All the previous results rely on symbolic models of protocol executions in which cryptographic primitives are abstracted by symbolic expressions. This approach enables significantly simple and often automated proofs. However, the guarantees that it offers have been quite unclear compared to cryptographic models that consider issues of complexity and probability. Cryptographic models capture a strong notion of security, guaranteed against all probabilistic polynomial-time attacks.

A recent line of research consists in identifying when it is possible to obtain the best of both cryptographic and formal worlds in the case of public encryption: fully automated proofs and strong, clear security guarantees. We have proposed a survey of the results obtained so far. Moreover, we have proposed a framework and proof techniques to identify when static equivalence can be used for proving indistinguishability of bitstrings .

The large size and complexity of modern networks result in large and complex firewall policies. Two policy editing languages, Type I and Type II, are generally used to update the firewall
policies. Due to intervening nature of firewall rules, correct configuration and
*deployment*of large policies is a difficult and error-prone task. We have shown that some recently proposed deployment algorithms in the network security contain seriousflaws
. Then we have defined a notion of safe deployment strategies. We
have provided linear algorithms for Type I safe deployment and an approximatively linear and safe algorithm for Type II.

We have investigated extensions of regular model-checking to new classes of rewrite relations on trees. We have studied specification and proof of modular imperative programs.

Term rewriting systems are now commonly used as a modelling language for programs or systems. On those rewriting based models, reachability analysis, i.e. proving or disproving that a given term is reachable from a set of input terms, provides an efficient verification technique. Many recent works have shown the relevance of regular approximation techniques to tackle in practice undecidable reachability problems.

In
, we address the following general problem of tree regular
model-checking: decide whether
R^{*}(
L)
L_{p}=
where
R^{*}is the reflexive and transitive closure of a successor relation induced by a term rewriting system
R, and
Land
L_{p}are both regular tree languages. We develop an automatic approximation-based technique to handle this – undecidable in general – problem in most practical cases, extending an
over-approximation approach initially developed in
to check the reachability of terms. Moreover, we also show in
how the approach can be used to compute under-approximations. We
also make approximation-based approach fully automatic for practical validation of security protocols. In particular, the technique was successfully used to detect attacks in security
protocols like NSPK-xor, DH-exp.

To check reachability of particular terms, we improved the over-approximation approach above. Given a term
t, we try to compute an over-approximation which does not contain
tby refining the approximation. If the approximation refinement fails then
tis a reachable term. The above technique has been extended to left-linear term rewriting systems. However it requires to perform some determinisation steps with an exponential time and
space complexity, and it is therefore practically unfeasible. In
, we address this problem for non-left linear rules by proposing an
algorithm replacing determinisation (exponential steps) by polynomial time constructions on involved automata. This algorithm is a generalisation of the algorithm presented in
which addresses the problem of left-quadratic rules. It should be
noticed that many industrial specifications give rise to non-left linear rules, like in security protocols analysis, or in backward analysis of Java bytecode.

The widespread use of automata as primitive bricks in verification motivates an ever renewed search for efficient algorithms taking automata as input. Developing new algorithms and
heuristics raises crucial evaluation issues, as improved worst-case complexity upper-bounds do not always transcribe into clear practical gains. A suite for software performance evaluation
can usually gather three types of entries:

benchmarks, i.e. large sets of typical samples, which can be prohibitively difficult to collect, and thus only exist for a few general problems,

hard instances, that provide good estimations of the worst case behaviour, but are not always relevant for average case evaluations,

random inputs, that deliver average complexity estimations, for which the catch resides in obtaining a meaningful random distribution (for instance a uniform random distribution). As the mathematical computation of the average complexity of an algorithm is an intricate task that cannot be undertaken in general, random inputs can prove themselves invaluable for its empirical estimation.

Weighted automata is a formalism widely used in computer science for applications in image compression, speech-to-text processing or discrete event systems. These large application areas make them intensively studied from the theoretical point of view. The expressive power of these automata is high enough so that many natural problems are not decidable. Among them the problem to know whether for a given integer weighted automaton , every word has a positive cost, called the positivity problem, was shown to be undecidable . This problem is of special interest because systems/components comparisons modelled by integer weighted automata can be based on or reduced to it.

A well conceived program is developed in a modular way, that is by the structured assembly of simpler components. A challenge is to get modularity to specify and prove modular imperative programs. It is one of the objectives of the INRIA CeProMi “Action de Recherche Collaborative”(ARC). In we have illustrated the subject by specifying an algorithm to sort a Java array. An INRIA research report on all the CASSIS contributions to the CeProMi project will be made public at the end of 2009. Some of the work done prepares a joint (intra Cassis, Nancy-Besançon) work on “Specification and formal certification of (combination of) decision procedures”.

Our advances in Model-Based Testing (MBT) are related to extending the MBT approach to the Web Services validation. They also involve test generation from scenarios using symbolic animation of model, and test generation using formal properties. Experience of team in MBT and practice is developed in book published this year.

We have introduced an original model-based testing approach that takes a UML behavioural view of the system under test and automatically generates test cases and executable test scripts according to model coverage criteria. We also proposed a solution on the basis of this work to treatbusiness process testing . In parallel, we are working on the improvement of the test generation technique, by combining constraint solving and theorem proving, in order to detect inconsistencies in the behaviors extracted from the model, and to find a relevant instantiation of the initial test data .

In the context of the RNTL POSE project

In addition, we have defined conformance relationships dedicated to establishing a verdict when testing the correct implementation of security policies (namely access control policies) in smart cards applications. These conformance relationships are variants of input-output conformance and are based on the inclusion of traces of the implementation w.r.t. traces computed on a security-dedicated model, involving possible mappings between the values of these two levels.

Also, we use scenario information to compute an abstraction of model. This abstraction can be use in two ways. The first is a referential coverage for test sequences. The second is to compute test sequences itself.

We are also beginning experiments on the combination of random- and model-based testing. A first attempt has been done to automatically produce LTL formula using uniform random test generation. More recently, an approach has considered the automated generation of automata in order to evaluate various FSM-based test generation algorithms. A major result is the highlighting of an error in a widely-spread implementation of the chinese postman algorithm. We also proposed a test generation technique, driven by a final number of test cases, and combining random testing and model-based testing. It consists in arbitrarily augmenting a FSM in order to reach a given number of test cases when selected FSM-based test generation algorithms are applied. A realistic experiment has illustrated the efficiency of this approach. These works are summarized in .

We have investigated several specific verification problems related to the composition of services including security issues and quality of service.

Automatic composition of web services is a challenging task. Many works have considered simplified automata models that abstract away from the structure of messages exchanged by the services. For the domain of secured services (using e.g. digital signing or timestamping) we propose a novel approach to automated orchestration of services under security constraints. Given a community of services and a goal service, we reduce the problem of composing the goal from services in the community to a security problem where an intruder should intercept and redirect messages from the service community and a client service till reaching a satisfying state. This work has been pursued in the context of AVANTSSAR FP7 project.

In collaboration with Olivier Perrin (LORIA) and Eric Monfroy (UTFSM Valparaíso, Chile), we are working on applying constraint programming techniques to the composition problem. Our approach consists in instantiating a given abstract representation of a composite Web service by selecting the most appropriate concrete Web services. This instantiation is based on constraint programming techniques which allows us to match the Web services according to a given request. Our proposal performs this instantiation in a distributed manner, i.e., the solvers for each service type are solving some constraints at one level, and they are forwarding the rest of the request (modified by the local solution) to the next services. When a service cannot provision part of the composition, a distributed backtrack mechanism enables to change previous solutions.

Distributed Collaborative Editors (DCE) belong to a particular class of distributed systems that enables several and dispersed users to form a group for editing documents (
*e.g.*Google Wave). To ensure data availability, the shared documents are replicated on the site of each participating user. Each user modifies locally his copy and then sends this
update to other users. Controlling access in such systems is still a challenging problem, as they need dynamic access changes and low latency access to shared documents. In this work, we
propose a
*flexible*access control model where the shared document and its authorization policy are replicated at the local memory of each user
,
. To deal with latency and dynamic access changes, we use an
optimistic access control technique in such a way that enforcement of authorizations is retroactive
. We show that naive coordination between updates of both copies
can create security holes on the shared document, by permitting illegal modifications or rejecting legal modifications. A prototype based on our concurrency control framework has been
implemented for supporting the secure and collaborative editing of HTML pages. This prototype is deployed on P2P JXTA platform.

In order to validate Web Services applications, we explore model-based testing methodologies combined with common criteria. The results of tests are used to compute a mark that qualifies the quality of web services operations. This solution is then integrated in a validation framework based on an UDDI server. In this framework, named iTac-QoS Web Services are tested when they are declared to the UDDI server, and the obtained marks are supplied to customers looking for services. We propose an original approach to take into account the composition of Web services from their models as described in .

The BZ-Testing-Tools technology has been transfered to LEIRIOS Technologies, at the end of 2004. The partnership between the Cassis project and the R&D LEIRIOS Department, located at the TEMIS Scientific and Industrial area at Besançon, will be continued through (national and international) projects or with a new transfer protocol. According to the law of innovation, F. Bouquet is scientific consultant of LEIRIOS Technologies.

AVANTSSAR —
*Automated validation of trust and security of service-oriented architectures*. STREP Project funded under 7th FP (Seventh Framework Programme) Research area: ICT-2007.1.4 Secure,
dependable and trusted infrastructures. The coordinator is the University of Verona (Italy) and the Cassis project is one of the 10 partners. AVANTSSAR aims to propose a rigorous technology
for the formal specification and "Automated VAlidatioN of Trust and Security of Service-oriented ARchitectures". This technology will be automated into an integrated toolset, the AVANTSSAR
Validation Platform, tuned on relevant industrial case studies.

SecureChange

The project is leaded by Fabio Massacci (University of Trento, Italy) and it is expected to start at the beginning of 2009 for a period of 36 months.

INTERREG TEST-INDUS — We are working with the university of Geneva, SMARTESTING Technologies and CLIO SA. The project concerns the test generation in industrial process. The consortium will propose methods, techniques and tools to integrate (model-based) testing into industrial process. The duration of the project is 18 months and started in May 2008.

Project INRIA-CNPq (Brazil), DA CAPO —
*Automated deduction for the verification of specifications and programs*. This is a project on the development of proof systems (like
*haRVey*) for the verification of specifications and software components. The coordinators are David Déharbe (UFRN Natal, Brazil) and Christophe Ringeissen. On the french side, DA CAPO
also involves
MOSELand
PAREO.

Project INRIA-CONICYT (Chile), CoreWeb —
*Constraint Reasoning for the Composition of Web Services*. The coordinators are Eric Monfroy (UTFSM Valparaíso, Chile) and Michaël Rusinowitch.

Associate Team INRIA (with UTFSM Valparaíso, Chile), VanaWeb —
*Hybrid and autonomous constraint solving and applications to composition problems for the Web*. The coordinators are Carlos Castro (UTFSM Valparaíso, Chile) and Christophe Ringeissen.
On the french side, VanaWeb also involves members of
ECOOand
PAREO.

French-Tunisian project on
*Security Policies and Configurations of Firewalls: Compilation and Automated Verification*. We collaborate with SupCom Tunis and the project-team
DAHUin the context of STIC-Tunisia.

PHC Alliance project between the Cassis team and the University of Bristol on refinement of security systems. The coordinators of the projet are Bogdan Warinschi and Véronique Cortier. Duration: 2 years, started in January 2008.

ARA SSIA FormaCrypt—
*Formal proofs and probabilistic semantics in cryptography*, duration: 3 years, started in January 2006. The verification of cryptographic protocols is a very active research area.
Most works on this topic use either the computational approach, in which messages are bitstrings, or the formal approach, in which messages are terms. The computational approach is more
realistic but more difficult to automate. The FormaCrypt project aims at bringing together these orthogonal approaches in order to get the best of the two worlds. Partners are: Liens
(coordinator), project-team
SECSI- LSV, Cachan.

ARA SSIA ARROWS—
*Safe Pointer-Based Data Structures: A Declarative Approach to their Specification and Analysis*, duration: 3 years, started in autumn 2005. The goal of this project is to develop new
specification languages for programs manipulating pointers which are sufficiently precise to express many interesting properties and, at the same time, support automatic analyses. Partners
are: CAPP-LEIBNIZ Grenoble (coordinator), LILaC-Irit Toulouse. The local coordinator is S. Ranise.

ARA SETI RAVAJ
*“Rewriting and Approximations for Java Applications Verification”*, duration: 39 months, started on January 2007. The goal of this project is to analyse MIdlets – Java programs
designed for mobile devices like cell phones or PDA. In addition to classical proof tools of rewriting, we propose to use approximations of reachable terms. There are three academics
partners: INRIA LANDE, INRIA PROTHEO and LIFC/Besançon; and an industrial: France Telecom R&D. The local coordinator is O. Kouchnarenko.

ANR SESUR AVOTÉ—
*Formal Analysis of Electronic-Voting protocols*, duration: 4 years, started in January 2008. Electronic voting promises the possibility of a convenient, efficient and secure facility
for recording and tallying votes. However, the convenience of electronic elections comes with a risk of large-scale fraud. The AVOTÉ project aims at proposing techniques for formally
analyzing e-voting protocols. The coordinator of the project is the Cassis team. Partners are: France Telecom Lannion, LSV Cachan, Verimag Grenoble.

ANR program “Systèmes interactifs et robotique”—
*Smart Surface*, coordinated by AS2M (Automatique et Systèmes Micro-Mécatroniques) department at the FEMTO-ST (Franche-Comté Electronique Mecanique Thermique et Optique - Sciences et
Technologies) institute (UMR 6174). This project started in July 2007 for three years. The
CASSISparticipant is A. Giorgetti.

ANR DECERT —
*Deduction and Certification*, coordinated by Th. Jensen (IRISA). This project focuses on the design of decision procedures, in particular for fragments of arithmetic, and their
integration into larger verification systems, including skeptical proof assistants. Partners are: IRISA Rennes, LRI Orsay, INRIA Sophia, Systerel and CEA. From INRIA Nancy,
MOSELand
CASSISproject-teams are involved. This project will start in January 2009 for three years.

ANR TASCCC
*Test Automatic basé sur des Scenarios et Critères Communs – Automated Testing based on Scenarios and Common Criteria*, duration: 3 years, starting in Dec. 2009. The project aims at
completing the model-based testing process initiated in the POSE project, using scenarios to specify the test cases that have to be generated by model animation. The goal is here to provide
an automated mean for generating the scenarios from a given set of properties. The overall objective is to ease the Common Criteria evaluation of secure softwares. Partners: :Gemalto
(leader), LIG, LIFC, Supelec, Smartesting, and Serma Technologies.

FCE Vetess

Collaborative Research Initiative INRIA, ARC CeProMi “Certification de Programmes manipulant la Mémoire”, coordinated by Claude Marché from the project-team PROVAL. This project started in 2008 for two years. The partners are the project-teams GALLIUM (François Pottier) and PROVAL (Claude Marché), and DCS Team (Marie-Laure Potet, Verimag, Grenoble). The local coordinator is Alain Giorgetti.

DGA RIE Secure Test project, duration: 18 months, started in February 2009. The project provides a specific environment to verify of cryptographic components (hardware or software) with an Model-Based Testing approach. The method help the test team to evaluation DGA to product a test refential. Partners are: DGA CELAR, Smartesting (coordinator), Telecom Bretagne. The local coordinator is F. Bouquet.

In the area of automated test generation from a formal model, we have an active collaboration with Dr Mark Utting from the Formal Method group from the University of
Waikato

In the area of business applications, we are working on the soundness problem of coloured work-flow Petri nets with the Information System group of Professor K. van Hee from the Technical University of Eindhoven. This cooperation is supported by the NWO scientific program (The Netherlands).

*F. Bouquet:*Vice-head of LIFC laboratory, PC Member of International Conference in Soft- ware Testing (ICST'09), PC member of Modevva'09 (Model-Driven Engineering, Verification, And
Validation) and PC member of MBTEST 2010.

*V. Cortier:*coordinator of the ANR SESUR AVOTÉ (started in January 2008); local coordinator of the ARA SSIA FormaCrypt (started in January 2006); French coordinator of the PHC
Alliance project on refinement of security systems; Chair of FCS 2009 (Workshop on Foundations of Computer Security, affiliated with LICS 2009); PC member of CSF 2009 (22nd Computer Security
Foundations Symposium), ESORICS'09 (14th European Symposium on Research in Computer Security), TACAS 2009 (15th International Conference on Tools and Algorithms for the Construction and
Analysis of Systems), ASIAN'09 (13th Annual Asian Computing Science Conference), SARSSI'09 (Conférence sur la sécurité des architectures réseaux et des systèmes d'information), ARSPA-WITS'09
(Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security); member of the CS (Comité de sélection) for the 2009 INRIA - Rennes University chair,
member of the CS (Comité de sélection) for the 2009 INRIA - ENS Cachan chair, member of the recruitment committee 2009 of junior researchers at INRIA Rocquencourt, member of the Evaluation
Committee of the INRIA since September 2008.

*F. Dadeau:*PC member of the 7th International Conference on integrated Formal Methods (iFM'09), Dusseldorf, Germany. PC member of the 2nd International Workshop on Constraints in
Software Testing, Verification and Analysis (CSTVA'2010), co-located with the International Conference on Software Testing (ICST'2010). Organizer of the MTVV'2009 days in Besançon (two-days
workshop) on Model-Based Testing, funded by the MTVV group of the GDR GPL).

*A. Giorgetti:*Editorial committee member of
*Techniques et Science Informatique (TSI)*.

*O. Kouchnarenko:*director of the research team
*VESONTIO*(former TFC) of the
*Laboratoire d'informatique de Franche Comté (LIFC)*; PC member of “
*International Workshop on Abstractions for Petri Nets and Other Models of Concurrency*”, APNOC'09. Member of the “Comité de Sélection” at the “Ecole des Mines de Nancy” and the University
of Nancy I. Member of the Committee INRIA CR1 and CR2 at the Center INRIA Nancy-Grand Est. Director of the “Licence Informatique 2008-2012” in the University of Franche-Comté.

*C. Ringeissen*: PC member of FroCoS'09 (Frontiers of Combining Systems) and IJCAR 2010 (the 5th International Joint Conference on Automated Reasoning); member of the CS (Comité de
sélection) for the recruitment of assistant professors at the University Paris-Sud 11 (Orsay).

*M. Rusinowitch:*member of the IFIP Working Group 1.6 (Rewriting); PC member of CADE 2009 (22nd International Conference on Automated Deduction), CRiSIS 2009 (International Conference
on Risks and Security of Internet and Systems), FTP 2009 (International Workshop on First-Order Theorem Proving), Luxembourg Day on Security and Reliability, SCSS 2009 (Tunisia - Japan Workshop
on Symbolic Computation in Software Science), Colloque d'Informatique: Brésil / INRIA, Coopérations, Avancées et Défis, SARSSI'09 (Conférence sur la sécurité des architectures réseaux et des
systèmes d'information). member of the CS (Comité de sélection) for the 2009 INRIA - Bordeaux University chair. Vice-président du comité des projets INRIA Grand Est depuis le 1/10/2009.

*L. Vigneron:*Member of the FTP steering committee; Member of the IFIP Working Group 1.6 on Rewriting; Webmaster of the site Rewriting Home Page and of the RTA conference site.

We are involved in several lectures of the “Master Informatique” of the universities of Nancy. L. Vigneron is in charge of the lectures on
*Algorithmic verification*and
*Security of communications*. V. Cortier is in charge of the lecture on
*Theory of the security*. C. Ringeissen is in charge of the lecture on
*Decision procedures and program verification*.

*Eric Monfroy*(UTFSM Valparaíso, Chile) has visited LORIA as a Nancy 2 invited professor, to work on a constraint approach for composition of web services (June-July).

*Ambuj Pushkar Ojha*(IIT Bombay), NRIA Internship, (May-July).

*Bogdan Warinschi*(University of Bristol) has visited LORIA to work on combination techniques for soundness results of symbolic model (June 22-26th and November 16-20th).

*Adel Bouhoula*(SupCom Tunis) has visited LORIA from July 23 to July 28 to work on computer security.

*Chris Lynch*(Univ. of Clarkson) has visited LORIA in June to work on protocol verification.

*Véronique Cortier*has visited Bogdan Warinschi (University of Bristol) to work on combination techniques for soundness results of symbolic models (September 27th - October 1st).

*Olga Kouchnarenko*has visited Natalia Sidorova (Eindhoven Univ. of Technologies) to work on refinement of may-/must workflow Petri nets (June 30th - July 14th), and on component
adaptability and configuration (October 26th - November 6th).

*Vincent Pretre*has defended his Ph. D thesis (Université de Franche-Comté) entitled “Génération automatique de tests à partir de modèle formel pour les applications de type web
services”, on March 18, 2009.

*Najah Chridi*has defended her Ph. D. thesis (Université Henri Poincaré – Nancy 1) entitled “Contributions à la vérification automatique de protocoles de groupes”, on September
11, 2009.

*Pierre-Cyrille Héam*has defended his habilitation (Université de Franche-Comté) entitled “Automates finis pour la fiabilité logicielle et l'analyse d'accessibilité”, on November 13,
2009.

*Véronique Cortier*has defended her habilitation (INPL) entitled “Analysis of cryptographic protocols: from symbolic to computational models”, on November 18, 2009.

*Christophe Ringeissen*has defended his habilitation (Université Henri Poincaré – Nancy 1) entitled “Equational Reasoning and Combination Methods: from programs to proofs”, on November 27,
2009.

*Fabrice Bouquet*is chair of Ph. D. thesis committee of Hala Sabbah (Université de Franche Comté).

*Véronique Cortier*is reviewer for the thesis of Mounira Kourjieh (Toulouse).

*O. Kouchnarenko*is a member of the ASTI 2009 committee to award the best Ph. D. dissertations
*Fédération des Associations Françaises des Sciences et Technologies de l'Informations*.

*M. Rusinowitch*is reviewer for the habilitations of Thomas Genet (Rennes) and Hélène Collavizza (Nice), and for the PhD thesis of Sergiu Bursuc (Cachan) and Antoine Mercier
(Cachan).

We were invited to give the following talks.

K. Cabrera Castillos,
*Scenario Based Testing for ensuring POSIX Compliance*(joint work with F. Dadeau, A. De Kermadec and R. Tissot). Invited Talk at the Workshop on Verified Software: Theory, Tools, and
Experiments (VSTTE'2009), part of the FM'Week (Eindhoven).

V. Cortier, Invited tutorial on Verification of Security Protocols at VMCAI'09 (Conference on Verification, Model Checking, and Abstract Interpretation), January 18th, 2009, Savannah, USA.

P. Héam, Invited Talk on Regular Approximations at Laboratoire Bordelais de Recherche en Informatique, Université de Bordeaux.

L. Vigneron, Seminar on Verification of Infinite State Systems: Application to the Security Protocols Analysis, at ENS Lyon, December 8th, 2009.