Section: Other Grants and Activities
National Actions
ANR SeSur Project AVOTÉ
Participants : Mathilde Arnaud, Sergiu Bursuc, Vincent Cheval, Ştefan Ciobâcă, Hubert ComonLundh, Stéphanie Delaune, Steve Kremer, Antoine Mercier.
The AVOTÉ project (http://www.lsv.enscachan.fr/anravote/ ) was submitted and accepted in the framework of the 2007 SeSur program (“Sécurité et Sûreté Informatique”) of the GIP ANR (Agence Nationale de la Recherche). The project started early 2008. The partners are the INRIA projectteam CASSIS (leader), SECSI, Verimag and until September 2009 France Télécom R&D.
Electronic voting promises the possibility of a convenient, efficient and secure facility for recording and tallying votes. However, the convenience of electronic elections comes with a risk of largescale fraud and their security has seriously been questioned. In this project we propose to use formal methods to analyze electronic voting protocols. More precisely, we structure the project around four workpackages.

Formalizing protocols and security properties. Electronic voting protocols have to satisfy a variety of security properties that are specific to electronic elections, such as eligibility, verifiability and different kind of anonymity properties. In the literature these properties are generally stated intuitively and in natural language. Such informal definitions are at the origin of many security flaws. As a first step the participants therefore propose to give a formalization of the different security properties in a wellestablished language for protocol analysis.

Automated techniques for formal analysis. The participants propose to design algorithms to perform abstract analysis of a voting system against formallystated security properties. From preliminary work it has already become clear that privacy preserving properties can be expressed as equivalences. Therefore, we will give a particular attention to automated techniques for deciding equivalences, such as static and observational equivalence in cryptographic picalculi. Static equivalence relies on an underlying equational theory axiomatizing the properties of the cryptographic functions (encryption, exclusive or, ...). Results exist for several interesting equational theories such as exclusive or, blind signature and other associative and commutative functions. However, many interesting equational theories useful for electronic voting are still lacking. The participants will also investigate a more modular approach based on combination results. More importantly the participants will develop algorithms for deciding observational equivalence: in particular symbolic decision procedures for deciding observational equivalence in the case of a bounded number of sessions putting the stress on equational theories with applications to electronic voting. These algorithms will be implemented in prototypes which are to be included in the AVISPA platform.

Computational aspects. There are two competing approaches to the verification of cryptographic protocols: the formal (also called DolevYao) model and the complexitytheoretic model, also called the computational model, where the adversary can be any polynomial time probabilistic algorithm. While the complexitytheoretic framework is more realistic and gives stronger security guarantees, the symbolic framework allows for a higher level of automation. Because of this, effort has been spent during the last years in relating both frameworks with the goal of getting the best of both worlds: see the ARA Formacrypt section. The participants plan to continue this effort and investigate soundness results for cryptographic primitives related to electronic voting. Moreover, most of the existing results only hold for trace properties, which do not cover most properties in electronic elections. The participants of AVOTÉ plan to establish soundness results for these properties.

Case studies. The members of AVOTÉ will validate all of the results on several case studies from the literature, notably a reallife case study on an electronic voting protocol designed at the Université Catholique de Louvain. This protocol was trialled during the election of the university president in 2009. However, even though the fundamental needs of security are satisfied, no formal analysis of this protocol has been performed.
ARA SSIA Formacrypt
Participants : Hubert ComonLundh, Stéphanie Delaune, Jean GoubaultLarrecq, Steve Kremer.
The Formacrypt project (http://www.di.ens.fr/~blanchet/formacrypt/index.html ) submitted and accepted in the framework of the 2005 ARA SSIA ("Sécurité, Systèmes embarqués et Intelligence Ambiante") of the GIP ANR (Agence Nationale de la Recherche) started 2006. The partners are Ecole Normale Supérieure de Paris (leader), SECSI, and INRIA projectteam CASSIS (Nancy).
Most efforts in cryptographic protocol verification use either the computational approach, in which messages are bitstrings, or the formal approach, in which messages are terms. The computational approach is more realistic but more difficult to automate. The goal of the Formacrypt project is to bridge the gap between these two approaches.
Several works have already begun linking these approaches, but they all have limitations. They generally put too strong security requirements on these primitives, and they do not allow one to compute the probability of an attack explicitly. The Formacrypt project offers three approaches in order to overcome these limitations.

In the direct approach, the goal is to design and implement a computationally sound, automated protocol prover. This prover, called CryptoVerif, builds computational proofs presented as sequences of socalled games: the first game corresponds to the real protocol, the next games are obtained by transformations so that the difference of probability between consecutive games is negligible, and the probability of success of an attack in the last game is obvious. The probability of success of an attack in the initial game can then be bounded.

The purpose of the intermediate approach is to design a computationally sound logic, by adapting and extending an existing modal logic (the Protocol Composition Logic), originally sound in the formal model. The definition of a new semantics for this logic and the addition of new predicates, specific to the computational model, was necessary.

In the modular approach, which was specifically explored by SECSI, the idea is to extend theorems that prove the computational soundness of formal proofs of protocols. This allows one to reuse existing tools. These extensions concern both security properties (fairness, secrecy of keys, etc.) and cryptographic primitives (symmetric encryption, hash functions, etc.) Additionally, weaker security properties are considered, for publickey encryption (resistance to chosen plaintext attacks) and for signatures (for electronic voting, for instance). This also involved studying the computational soundness of formal models based on equational theories, which represent more precisely the properties of cryptographic primitives. Finally, the computational soundness of formal models for guessing attacks (for weak secrets, such as passwords) will be investigated, too.
REDPILL project
Participants : Jean GoubaultLarrecq, Hedi Benzina.
The REDPILL project is a DIGITEO project, started september 2009. The partners are SECSI and Bertin Technologies. The goal of the project is the detection of malware on virtualized platforms.
System@tic Project PFC
Participants : Jean GoubaultLarrecq, Hedi Benzina.
The PFC project (for: “PlateForme de Confiance”) is one of the projects of the System@tic Paris Region French cluster in complex systems design and management, see http://www.systematicparisregion.org . This cluster involves industrial groups, SMEs and academic partners around Paris. This project is funded by the French ministry of industry (FCE).
The goal of the project is the design and validation of secure and safe embedded applications, particularly aimed at upper administration, police and customs forces. Within this project, SECSI is particularly collaborating with Bertin Technologies on effective intrusion prevention in hypervisorbased computer systems using ORCHIDS. Hedi Benzina has joined the project in November 2008 as a temporary engineer.
Hedi Benzina has started a PhD thesis in October 2009, under the direction of Jean GoubaultLarrecq, and is funded by the Digiteo DIM project “RedPill: Malware Detection on Virtualized Architectures”, 20092012.
Spidware
Participant : Jean GoubaultLarrecq.
Jean GoubaultLarrecq made a critical evaluation of the Spidware security solution, based on Jeremy Briffaut's PIGA interposition tool, on account of Advitech Partners. Spidware is a startup company founded by researchers at ENSI Bourges and LIFO. Jean GoubaultLarrecq wrote a detailed, confidential report on the technical strengths and weaknesses of this product.
CPP
Participants : Jean GoubaultLarrecq, Philippe Chaput.
Jean GoubaultLarrecq is scientific coordinator of the ANR programme blanc project CPP (confiance, preuves, probabilités, 20092012). See the Wiki http://www.lix.polytechnique.fr/~bouissou/cpp/index.php?n=Main.HomePage . The academic partners are INRIA Saclay (Comète, Parsifal, Maxplus); LSV, ENS Cachan (including SECSI); LSS and SSE, Supélec; and CEA.
From the standpoint of SECSI, this project leverages the results obtained during the ARC ProNoBiS (20062007) and before on semantic models of mixed nondeterministic and probabilistic choice, and applies them to the design of static analyzers for floatingpoint programs, specifically airplane engine controllers. (The need comes from Dassault Aviation, and HispanoSuiza plane engines—now Safran. They are both associated partners to the project.)
The whole project revolves around the automated evaluation of uncertainty, whether probabilistic or nondeterministic. This uncertainty arises because static analyzers must inherently work on approximate values, but also because the environmental values (pressure, temperature, speed) are known only up to some precision, or fluctuate around some central value; and finally because of roundoff errors in floatingpoint computations.