## Section: New Results

### Static analysis based on rewriting and tree automata

Participants : Thomas Genet, Benoît Boyer, Olivier Heen.

#### Tree automata completion with equational abstractions

We have proposed a new language for defining regular approximations of set of reachable terms. Approximations are defined using equations which define equivalence classes of terms “similar” w.r.t. the approximation. The idea is close to the one developped with Valérie Viet Triem Tong [54] and more recently by José Meseguer, Miguel Palomino and Narciso Martí-Oliet [63] . With regards to this last work, the interest of our approach is that it imposes fewer restriction on the equations used to define approximation. Our only syntactical constraint is that equations have to be linear though [63] imposes that the term rewriting system and the set of equations have to be coherent which is a more drastic restriction. Our proposition, published in [12] , consists in using the equations to detect equivalent terms recognized by the tree automata and merge the recognizing states so as to mimic the construction of equivalence classes. We have also proven a precision result showing that, under some retrictions on the initial language, our algorithm builds no more than terms reachable by rewriting modulo the set of equations.

#### Verification of Temporal Properties on Tree Automata

In the static analysis framework based on term rewriting systems and tree automata,
we only
consider the reachability and unreachability problem, i.e. is a term
(representing a program configuration) reachable or not? This is closely related
to so-called *safety properties* . In a recent
work [18] , we have achieved a step further and consider temporal
properties, like *liveness properties* . From the tree automata produced by
the new completion algorithm proposed in [12] , we managed to
extract a Büchi automaton representing the behaviour of the term
rewriting system. The extracted Büchi automaton models exactly the rewriting
steps at a given depth in a term. For the moment, our technique is only able
to deal with term rewriting systems having a finite set of reachable terms,
thus doing no more that usual finite model-checking. However, defining
approximations is easy on the tree automata completion framework. Hence, we are
currently improving this preliminary work so as to deal with
verification of temporal properties on infinite-state models, using
approximations.

#### Verification of cryptographic protocols

With respect to verification of cryptographic protocols, the last developments were done around the SPAN verification tool: http://www.irisa.fr/lande/genet/span/ . We carried out verification of protocols for ad hoc network. Even with a few participants and a few messages, there is a loss of intuition that may lead to vulnerabilities in those particular protocols. We have automatically verified some security properties of the protocol designed for vehicular ad hoc networks [24] , [23] . During all the verification process, SPAN was useful to check the adequation between the model and the real protocol. It also provided a critical advantage for convincing automotive industry people of the validity of our approach. It is worth notifying that, during the IEEE VNC 2009 conference, three talks (including our talk) underlined the need of formal security verification in vehicular ah hoc network. We believe that this field will provide interesting uses cases and verification needs, exactly as the aviation industry did these last 20 years.