Section: New Results
Active and passive testing
Diagnosis of Pushdown Systems
Participant: Christophe Morvan.
Diagnosis problems of discrete-event systems consist in detecting unobservable defects during system execution. For finite-state systems, the theory is well understood and a number of effective solutions have been developed. For infinite-state systems, however, there are only a few results, mostly identifying classes where the problem is undecidable. In [25], [36], we consider higher-order pushdown systems and investigate two basic variants of diagnosis problems: the diagnosability, which consists in deciding whether defects can be detected within a finite delay, and the bounded-latency problem, which consists in determining a bound for the delay of detecting defects. This work was done in collaboration with S. Pinchinat (S4 EPI).
Monitoring Confidentiality by Diagnosis Techniques
Participants: Jérémy Dubreil, Thierry Jéron, Hervé Marchand.
In [20] , we have been interested in constructing monitors for the detection of confidential information flow in the context of partially observable discrete event systems. We first characterize the set of observations allowing an attacker to infer the secret information. Further, based on the diagnosis of discrete event systems, we provide necessary and sufficient conditions under which detection and prediction of secret information flow can be ensured, and construct a monitor allowing an administrator to detect it.
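The following Python script is an added illustration of the monitoring idea described above; it is not code from [20] or from the team. It assumes a small, constructed client/server model whose privilege-elevation event is unobservable, and it uses the usual state-based disclosure criterion as its assumption: the attacker has inferred the secret once every system state compatible with the observed sequence is a secret state. The belief-set construction (the observer of the partially observed system) serves both purposes named in the paragraph: enumerating the observations that disclose the secret, and running an online monitor that tells the administrator when disclosure has happened.

```python
from collections import defaultdict, deque
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

State = str
Event = str
Belief = FrozenSet[State]


class LTS:
    """Labeled transition system whose events are split into observable
    and unobservable ones; attacker and monitor see only the former."""

    def __init__(self, initial: State,
                 transitions: Iterable[Tuple[State, Event, State]],
                 observable: Iterable[Event]) -> None:
        self.initial = initial
        self.observable = frozenset(observable)
        self.succ: Dict[State, List[Tuple[Event, State]]] = defaultdict(list)
        for src, ev, dst in transitions:
            self.succ[src].append((ev, dst))

    def closure(self, states: Iterable[State]) -> Belief:
        """All states reachable from `states` via unobservable events only."""
        seen: Set[State] = set(states)
        work = list(seen)
        while work:
            s = work.pop()
            for ev, dst in self.succ[s]:
                if ev not in self.observable and dst not in seen:
                    seen.add(dst)
                    work.append(dst)
        return frozenset(seen)

    def initial_belief(self) -> Belief:
        return self.closure([self.initial])

    def step(self, belief: Belief, event: Event) -> Belief:
        """Belief update after one observable event (empty = impossible trace)."""
        if event not in self.observable:
            raise ValueError(f"{event!r} is not observable")
        targets = {dst for s in belief for ev, dst in self.succ[s] if ev == event}
        return self.closure(targets)


def discloses(belief: Belief, secret: FrozenSet[State]) -> bool:
    """Assumed criterion: the secret is revealed when every state compatible
    with the observation is a secret state (and at least one state remains)."""
    return bool(belief) and belief <= secret


def disclosing_observations(lts: LTS, secret: FrozenSet[State],
                            max_len: int) -> List[Tuple[Event, ...]]:
    """Observation sequences of length <= max_len after which the attacker
    infers the secret for the first time (BFS over the belief automaton)."""
    found: List[Tuple[Event, ...]] = []
    queue = deque([(lts.initial_belief(), ())])
    while queue:
        belief, obs = queue.popleft()
        if discloses(belief, secret):
            found.append(obs)
            continue                       # first disclosure: stop extending
        if len(obs) == max_len:
            continue
        for ev in sorted(lts.observable):
            nxt = lts.step(belief, ev)
            if nxt:                        # skip observations the system cannot produce
                queue.append((nxt, obs + (ev,)))
    return found


class ConfidentialityMonitor:
    """Administrator-side monitor: replays the observable events, tracks the
    attacker's belief, and reports whether the secret is currently disclosed."""

    def __init__(self, lts: LTS, secret: Iterable[State]) -> None:
        self.lts = lts
        self.secret = frozenset(secret)
        self.belief = lts.initial_belief()

    def observe(self, event: Event) -> bool:
        self.belief = self.lts.step(self.belief, event)
        return discloses(self.belief, self.secret)

    def run(self, observations: Iterable[Event]) -> List[bool]:
        return [self.observe(e) for e in observations]


# Constructed example system (not from the paper): "elevate" is unobservable,
# and "dump" is an observable action only available in admin mode.
SERVER = LTS(
    initial="idle",
    transitions=[
        ("idle", "login", "user"), ("user", "req", "busy"), ("busy", "resp", "user"),
        ("user", "elevate", "admin"),            # unobservable privilege elevation
        ("admin", "req", "admin_busy"), ("admin_busy", "resp", "admin"),
        ("admin", "dump", "admin_dumped"), ("admin_dumped", "resp", "admin"),
        ("admin", "logout", "idle"), ("user", "logout", "idle"),
    ],
    observable={"login", "req", "resp", "dump", "logout"},
)
SECRET = frozenset({"admin", "admin_busy", "admin_dumped"})

if __name__ == "__main__":
    print("disclosing observations:", disclosing_observations(SERVER, SECRET, 3))
    print("monitor verdicts:", ConfidentialityMonitor(SERVER, SECRET).run(
        ["login", "req", "resp", "dump"]))
```

After `login` the attacker's belief is `{user, admin}`: the system may already be in admin mode, but the attacker cannot tell, so nothing is disclosed. Observing `dump` is only consistent with admin mode, which collapses the belief onto secret states and makes the monitor report disclosure; `disclosing_observations` finds that `login dump` is the only such sequence up to length 3 in this model.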
Testing security properties
Participants: Jérémy Dubreil, Thierry Jéron, Hervé Marchand.
In [23], [28], we investigate the combination of controller synthesis and test generation techniques for the testing of open, partially observable systems with respect to security policies. We consider two kinds of properties: integrity properties and confidentiality properties. We assume that the behavior of the system is modeled by a labeled transition system and assume the existence of a black-box implementation. We first outline a method to automatically compute an ideal access control ensuring these two kinds of properties. Then, we show how to derive testers that test the conformance of the implementation with respect to its specification, the correctness of the real access control that has been composed with the implementation in order to ensure a security property, and the security property itself.