The goal of the Celtique project is to improve the security and reliability of software through software certificates that attest to the well-behavedness of a given software. Contrary to certification techniques based on cryptographic signing, we are providing certificates issued from semantic software analysis. The semantic analyses extract approximate but sound descriptions of software behaviour from which a proof of security can be constructed. The analyses of relevance include numerical data flow analysis, control flow analysis for higher-order languages, alias and points-to analysis for heap structure manipulation and data race freedom of multi-threaded code.

Existing software certification procedures make extensive use of systematic test case generation. Semantic analysis can serve to improve these testing techniques by providing precise software models from which test suites for given test coverage criteria can be manufactured. Moreover, an emerging trend in mobile code security is to equip mobile code with proofs of well-behavedness that can then be checked by the code receiver before installation and execution. A prominent example of such proof-carrying code is the stack maps for Java byte code verification. We propose to push this technique much further by designing certifying analyses for Java byte code that can produce compact certificates of a variety of properties. Furthermore, we will develop efficient and verifiable checkers for these certificates, relying on proof assistants like Coq to develop provably correct checkers. We target two application domains: Java software for mobile devices (in particular mobile telephones) and embedded C programs.

Celtique is a joint project with the CNRS, the University of Rennes 1 and ENS Cachan.

Static program analysis is concerned with obtaining information about the run-time behaviour of a program without actually running it. This information may concern the values of variables, the relations among them, dependencies between program values, the memory structure being built and manipulated, the flow of control, and, for concurrent programs, synchronisation among processes executing in parallel. Fully automated analyses usually render approximate information about the actual program behaviour. The analysis is correct if the information includes all possible behaviour of a program. Precision of an analysis is improved by reducing the amount of information describing spurious behaviour that will never occur.

Static analysis has traditionally found most of its applications in the area of program optimisation where information about the run-time behaviour can be used to transform a program so that it performs a calculation faster and/or makes better use of the available memory resources. The last decade has witnessed an increasing use of static analysis in software verification for proving invariants about programs. The Celtique project is mainly concerned with this latter use. Examples of static analysis include:

Data-flow analysis as it is used in optimising compilers for
imperative languages. The properties can either be approximations of
the values of an expression (“the value of variable

Analyses of the memory structure includes shape analysis that aims at approximating the data structures created by a program. Alias analysis is another data flow analysis that finds out which variables in a program addresses the same memory location. Alias analysis is a fundamental analysis for all kinds of programs (imperative, object-oriented) that manipulate state, because alias information is necessary for the precise modelling of assignments.

Control flow analysis will find a safe approximation to the order in which the instructions of a program are executed. This is particularly relevant in languages where parameters or functions can be passed as arguments to other functions, making it impossible to determine the flow of control from the program syntax alone. The same phenomenon occurs in object-oriented languages where it is the class of an object (rather than the static type of the variable containing the object) that determines which method a given method invocation will call. Control flow analysis is an example of an analysis whose information in itself does not lead to dramatic optimisations (although it might enable in-lining of code) but is necessary for subsequent analyses to give precise results.

Static analysis possesses strong **semantic foundations**, notably abstract
interpretation , that allow to prove its correctness. The
implementation of static analyses is usually based on well-understood
constraint-solving techniques and iterative fixpoint algorithms. In
spite of the nice mathematical theory of program analysis and the
solid algorithmic techniques available one problematic issue persists,
*viz.*, the *gap* between the analysis that is proved
correct on paper and the analyser that actually runs on the
machine. While this gap might be small for toy languages, it becomes
important when it comes to real-life languages for which the
implementation and maintenance of program analysis tools become a
software engineering task. A *certified static analysis* is an
analysis that has been formally proved correct using a
proof assistant.

In previous work we studied the benefit of using abstract
interpretation for developing **certified static analyses**
, . The development of
certified static analysers is an ongoing activity that will be part of
the Celtique project. We use the Coq proof assistant which allows for
extracting the computational content of a constructive proof. A Caml
implementation can hence be extracted from a proof of existence, for
any program, of a correct approximation of the concrete program
semantics. We have isolated a theoretical framework based on abstract
interpretation allowing for the formal development of a broad range of
static analyses. Several case studies for the analysis of Java byte
code have been presented, notably a memory usage analysis
. This work has recently found
application in the context of Proof Carrying Code
and have also been successfully applied to
particular form of static analysis based on term rewriting and tree
automata .

Precise context-sensitive control-flow analysis is a fundamental
prerequisite for precisely analysing Java programs.
Bacon and Sweeney's Rapid Type Analysis (RTA) is a
scalable algorithm for constructing an initial call-graph of the
program. Tip and Palsberg have proposed a variety of
more precise but scalable call graph construction algorithms
*e.g.,* MTA, FTA, XTA which accuracy is between RTA and 0'CFA.
All those analyses are not context-sensitive. As early as 1991,
Palsberg and Schwartzbach , proposed a theoretical
parametric framework for typing object-oriented programs in a
context-sensitive way. In their setting, context-sensitivity is
obtained by explicit code duplication and typing amounts to analysing
the expanded code in a context-insensitive manner. The framework
accommodates for both call-contexts and allocation-contexts.

To assess the respective merits of different instantiations, scalable
implementations are needed. For Cecil and Java programs, Grove
*et al.,* , have explored the algorithmic design
space of contexts for benchmarks of significant size.
Latter on, Milanova *et. al.,* have
evaluated, for Java programs, a notion of context called
*object-sensitivity* which abstracts the call-context by the
abstraction of the `this` pointer. More recently, Lhotak and
Hendren have extended the empiric
evaluation of object-sensitivity using a BDD implementation allowing
to cope with benchmarks otherwise out-of-scope.
Besson and Jensen proposed to use datalog
in order to specify context-sensitive analyses. Whaley and
Lam have implemented a context-sensitive
analysis using a BDD-based datalog implementation.

Control-flow analyses are a prerequisite for other analyses. For instance, the security analyses of Livshits and Lam and the race analysis of Naik, Aiken and Whaley both heavily rely on the precision of a control-flow analysis.

Control-flow analysis allows to statically prove the absence of certain run-time errors such as "message not understood" or cast exceptions. Yet it does not tackle the problem of "null pointers". Fahnrich and Leino propose a type-system for checking that after object creation fields are non-null. Hubert, Jensen and Pichardie have formalised the type-system and derived a type-inference algorithm computing the most precise typing . The proposed technique has been implemented in a tool called NIT . Null pointer detection is also done by bug-detection tools such as FindBugs . The main difference is that the approach of findbugs is neither sound nor complete but effective in practice.

Static analyses yield qualitative results, in the sense that they compute a safe over-approximation of the concrete semantics of a program, w.r.t. an order provided by the abstract domain structure. Quantitative aspects of static analysis are two-sided: on one hand, one may want to express and verify (compute) quantitative properties of programs that are not captured by usual semantics, such as time, memory, or energy consumption; on the other hand, there is a deep interest in quantifying the precision of an analysis, in order to tune the balance between complexity of the analysis and accuracy of its result.

The term of quantitative analysis is often related to probabilistic models for abstract computation devices such as timed automata or process algebras. In the field of programming languages which is more specifically addressed by the Celtique project, several approaches have been proposed for quantifying resource usage: a non-exhaustive list includes memory usage analysis based on specific type systems , , linear logic approaches to implicit computational complexity , cost model for Java byte code based on size relation inference, and WCET computation by abstract interpretation based loop bound interval analysis techniques .

We have proposed an original approach for designing static analyses computing program costs: inspired from a probabilistic approach , a quantitative operational semantics for expressing the cost of execution of a program has been defined. Semantics is seen as a linear operator over a dioid structure similar to a vector space. The notion of long-run cost is particularly interesting in the context of embedded software, since it provides an approximation of the asymptotic behaviour of a program in terms of computation cost. As for classical static analysis, an abstraction mechanism allows to effectively compute an over-approximation of the semntics, both in terms of costs and of accessible states . An example of cache miss analysis has been developed within this framework .

The semantic analysis of programs can be combined with efficient
constraint solving techniques in order to extract specific
information about the program, *e.g.*, concerning the
accessibility of program points and feasibility of execution paths , . As
such, it has an important use in the automatic generation of test
data. Automatic test data generation received considerable attention these last years
with the development of efficient and dedicated constraint solving
procedures and compositional techniques .

We have made major contributions to the development of **constraint-based testing**, which is a two-stage process
consisting of first generating a constraint-based
model of the program's data flow and then, from the selection of a testing objective such as a statement to reach
or a property to invalidate, to extract
a constraint system to be solved.
Using efficient constraint solving
techniques allows to generate test data that satisfy the testing
objective, although this generation might not always terminate.
In a certain way, these constraint techniques can be seen as efficient decision procedures
and so, they are competitive with the best software model
checkers that are employed to generate test data.

The term "software certification" has a number of meanings ranging from the formal proof of program correctness via industrial certification criteria to the certification of software developers themselves! We are interested in two aspects of software certification:

industrial, mainly process-oriented certification procedures

software certificates that convey semantic information about a program

Semantic analysis plays a role in both varieties.

Criteria for software certification such as the Common criteria or the DOA aviation industry norms describe procedures to be followed when developing and validating a piece of software. The higher levels of the Common Criteria require a semi-formal model of the software that can be refined into executable code by traceable refinement steps. The validation of the final product is done through testing, respecting criteria of coverage that must be justified with respect to the model. The use of static analysis and proofs has so far been restricted to the top level 7 of the CC and has not been integrated into the aviation norms.

The testing requirements present in existing certification procedures
pose a challenge in terms of the automation of the test data
generation process for satisfying functional and structural testing
requirements. For example, the standard document which currently
governs the development and verification process of software in
airborne system (DO-178B) requires the coverage of all the statements,
all the decisions of the program at its higher levels of criticality
and it is well-known that DO-178B structural coverage is a primary
cost driver on avionics project. Although they are widely used,
existing marketed testing tools are currently restricted to test
coverage monitoring and measurements

Static analysis tools are so far not a part of the approved certification procedures. For this to change, the analysers themselves must be accepted by the certification bodies in a process called “Qualification of the tools” in which the tools are shown to be as robust as the software it will certify. We believe that proof assistants have a role to play in building such certified static analysis as we have already shown by extracting provably correct analysers for Java byte code.

The particular branch of information security called "language-based
security" is concerned with the study of programming language features
for ensuring the security of software.
Programming languages such as
Java offer a variety of language constructs for securing an
application. Verifying that these constructs have been used properly
to ensure a given security property is a challenge for program
analysis.
One such problem is confidentiality of the private data manipulated by
a program and a large group of researchers have addressed the
problem of tracking information flow in a program in order to ensure
that *e.g.*, a credit card number does not end up being accessible to all
applications running on a computer
, .
Another kind of problems concern the way that computational
resources are being accessed and used, in order to ensure that a given
access policy is being implemented correctly and that a given
application does not consume more resources that it has been
allocated. Members of the Celtique team have proposed a verification
technique that can check the proper use of resources of Java
applications running on mobile telephones .
**Semantic software certificates**
have been proposed as a means of dealing with the security problems caused
by mobile code that is downloaded from foreign sites of varying
trustworthiness and which can cause damage to the receiving host,
either deliberately or inadvertently. These certificates should contain
enough information about the behaviour of the downloaded code to allow
the code consumer to decide whether it
adheres to a given security policy.

In the basic PCC architecture, the only components that have to be trusted are the program logic, the proof checker of the logic, and the formalization of the security property in this logic. Neither the mobile code nor the proposed proof—and even less the tool that generated the proof—need be trusted.

In practice, the *proof checker* is a complex tool which relies
on a complex Verification Condition Generator (VCG). VCGs for real
programming languages and security policies are large and non-trivial
programs. For example, the VCG of the Touchstone verifier represents
several thousand lines of C code, and the authors observed that
"there were errors in that code that escaped the thorough testing of
the infrastructure" . Many solutions have been
proposed to reduce the size of the trusted computing base. In the
*foundational proof carrying code* of Appel and
Felty , , the code producer gives a direct proof
that, in some "foundational" higher-order logic, the code respects a
given security policy. Wildmoser and
Nipkow , .
prove the soundness of a
*weakest precondition* calculus for a reasonable subset of the
Java bytecode.
Necula and Schneck extend a small
trusted core VCG and describe the protocol that the untrusted verifier
must follow in interactions with the trusted infrastructure.

One of the most prominent examples of software certificates and
proof-carrying code is given by the Java byte code verifier based on
*stack maps*. Originally proposed under the term “lightweight
Byte Code Verification” by Rose , the
techniques consists in providing enough typing information (the stack
maps) to enable the byte code verifier to check a byte code in one
linear scan, as opposed to inferring the type information by an
iterative data flow analysis. The Java Specification Request 202
provides a formalization of how such a verification can be carried
out.

In spite of the nice mathematical theory of program analysis (notably
abstract interpretation) and the solid algorithmic
techniques available one problematic issue persists, *viz.*, the
*gap* between the analysis that is proved correct on paper and
the analyser that actually runs on the machine. While this gap might
be small for toy languages, it becomes important when it comes to
real-life languages for which the implementation and maintenance of
program analysis tools become a software engineering task.

A *certified static analysis* is an analysis whose implementation
has been formally proved correct using a proof assistant. Such
analysis can be developed in a proof assistant like Coq
by programming the analyser inside the assistant and formally proving
its correctness. The Coq extraction mechanism then allows for
extracting a Caml implementation of the analyser. The feasibility of
this approach has been demonstrated
in .

We also develop this technique through certified reachability analysis over term rewriting systems. Term rewriting systems are a very general, simple and convenient formal model for a large variety of computing systems. For instance, it is a very simple way to describe deduction systems, functions, parallel processes or state transition systems where rewriting models respectively deduction, evaluation, progression or transitions. Furthermore rewriting can model every combination of them (for instance two parallel processes running functional programs).

Depending on the computing system modelled using rewriting, reachability (and unreachability) permits to achieve some verifications on the system: respectively prove that a deduction is feasible, prove that a function call evaluates to a particular value, show that a process configuration may occur, or that a state is reachable from the initial state. As a consequence, reachability analysis has several applications in equational proofs used in the theorem provers or in the proof assistants as well as in verification where term rewriting systems can be used to model programs.

For proving unreachability, i.e. safety properties, we already have some
results based on the over-approximation of the set of reachable
terms , . We defined a simple and efficient
algorithm
for computing exactly the set of reachable terms, when it is regular,
and construct an over-approximation otherwise. This algorithm consists of
a *completion* of a *tree automaton*, taking advantage
of the ability of tree automata to finitely represent infinite sets of
reachable terms.

To certify the corresponding analysis, we have defined a checker guaranteeing that a tree automaton is a valid fixpoint of the completion algorithm. This consists in showing that for all term recognised by a tree automaton all his rewrites are also recognised by the same tree automaton. This checker has been formally defined in Coq and an efficient Ocaml implementation has been automatically extracted . This checker is now used to certify all analysis results produced by the regular completion tool as well as the optimised version of .

Javalib is an efficient library to parse Java .class files into OCaml data structures, thus enabling the OCaml programmer to extract information from class files, to manipulate and to generate valid .class files.

See also the web page http://

Version: 2.2

Programming language: Ocaml

Sawja is a library written in OCaml, relying on Javalib to provide a high level representation of Java bytecode programs. It name comes from Static Analysis Workshop for JAva. Whereas Javalib is dedicated to isolated classes, Sawja handles bytecode programs with their class hierarchy and with control flow algorithms.

Moreover, Sawja provides some stackless intermediate representations of code, called JBir and A3Bir. The transformation algorithm, common to these representations, has been formalized and proved to be semantics-preserving.

See also the web page http://

Version: 1.2

Programming language: Ocaml

Static program analysis, Javacard, Certification, AFSCM

`Jacal` is a JAvaCard AnaLyseur developed on top of the SAWJA platform.
This proprietary software verifies automatically that Javacard programs conform with the security
guidelines issued by the AFSCM (Association Française du Sans Contact
Mobile).
`Jacal` is based on the theory of abstract interpretation and combines several object-oriented and
numeric analyses to automatically infer sophisticated invariants about the program behaviour.
The result of the analysis is thereafter harvest to check that it is sufficient to ensure the desired security properties.

Timbuk is a library of Ocaml functions for manipulating tree automata. More precisely, Timbuk deals with finite bottom-up tree automata (deterministic or not). This library provides the classical operations over tree automata (intersection, union, complement, emptiness decision) as well as exact or approximated sets of terms reachable by a given term rewriting system. This last operation can be certified using a checker extracted from a Coq specification. The checker is now part of the Timbuk distribution. Timbuk distribution now also provide a CounterExample Guided Abstraction Refinement (CEGAR) tool for tree automata completion. The CEGAR part is based on the Buddy BDD library.

Version: 3.1

Programming language: Ocaml

Control-flow analysis (CFA) of functional programs is concerned with
determining how the program's functions call each other. In the case
of the lambda calculus, this amounts to computing the flow of lambda
expressions in order to determine what functions are effectively
called in an application

The systematic derivation of a CFA for a higher-order functional language from a well-known operational semantics provides the resulting analysis with strong mathematical foundations. Its correctness follows directly from the general theorems of abstract interpretation.

The approach is easily adapted to different variants of the source language. We demonstrate this by deriving a CFA for functional programs written in continuation-passing style.

The common framework of these analyses enables their comparison. We take advantage of this to settle a question about the equivalence between the analysis of programs in direct and continuation-passing style.

The resulting equations can be given an equivalent
constraint-based presentation, providing *ipso facto* a
rational reconstruction and a correctness proof of constraint-based
CFA.

This work was published in the journal Information and Computation

Exchanging mutable data objects with untrusted code is a delicate matter because of the risk of creating a data space that is accessible by an attacker. Consequently, secure programming guidelines for Java stress the importance of using defensive copying before accepting or handing out references to an internal mutable object.

However, implementation of a copy method (like clone()) is entirely left to the programmer. It may not provide a sufficiently deep copy of an object and is subject to overriding by a malicious sub-class. Currently no language-based mechanism supports secure object cloning.

We propose a type-based annotation system for defining modular copy policies for class-based object-oriented programs. A copy policy specifies the maximally allowed sharing between an object and its clone. We provide a static enforcement mechanism that will guarantee that all classes fulfill their copy policy, even in the presence of overriding of copy methods, and establish the semantic correctness of the overall approach in Coq.

The mechanism has been implemented and experimentally evaluated on clone methods from several Java libraries. The work as been presented at ESOP 2011. In 2012 a journal special issue has been published in Logical Methods in Computer Science .

CompCert is a formally verified compiler that generates compact and efficient PowerPC, ARM and x86 code for a large and realistic subset of the C language. However, CompCert foregoes using Static Single Assignment (SSA), an intermediate representation that allows for writing simpler and faster optimizers, and is used by many compilers. In fact, it has remained an open problem to verify formally a SSA-based compiler middle-end.

We report on a formally verified, SSA-based, middle-end for CompCert. Our middle-end performs conversion from CompCert intermediate form to SSA form, optimization of SSA programs, including Global Value Numbering, and transforming out of SSA to intermediate form.

In addition to provide the first formally verified SSA-based middle-end, we address two problems raised by Leroy: giving a simple and intuitive formal semantics to SSA, and leveraging the global properties of SSA to reason locally about program optimizations. The work as been presented at ESOP 2012 .

The problem of automatically inferring non-linear (polynomial) invariants of programs is still a challenge in program verification. A central observation in existing work on generating polynomial invariants is that n-ary relations between variables that can be described as the zeroes of a set of polynomials, correspond to a lattice of polynomials ideals. Such ideals are finitely generated , and all the approaches proposed so far in the literature rely on Gröbner base computations for computing ideal intersection or inclusion, or analysing the effects of polynomial assignments to variables. Computing Gröbner bases however slows down considerably the overall analysis.

We have proposed an abstract interpretation based method for
inferring polynomial invariants that entirely avoids computing
Gröbner bases. The method is precise and efficient, and is obtained
without restricting the expressiveness of the polynomial programming
language. Our analysis handles a general polynomial structured
programming language that includes if and while constructs where
branching conditions are both polynomial equalities and
disequalities. Our analysis uses a form
of weakest precondition calculus for showing that a polynomial
relation

Based on this anlysis, we have designed a constraint-based algorithm for inferring polynomial invariants. Such constraint-based techniques (rather than iteration) when dealing with loops means that it becomes feasible to analyse conditionals precisely, using parameterized polynomial division. A salient feature of this analysis, which distinguishes it from previous analyses, is that it does not require the use of Gröbner base computations. We have implemented this algorithm in Maple and our benchmarks show that our analyzer can successfully infer invariants on a sizeable set of examples, while performing two orders of magnitude faster than other existing implementations .

Result Certification, Static program analysis, Decision procedures

We develop a lightweight approach for verifying *a posteriori* that the result of a static
analysis is correct. The approach consists in encoding the program semantics directly inside an
Intermediate Verification Language e.g., Why3 as an executable program interpreter. Running the
standard VcGen of the IVL for the interpreter specialised for a program annotated with analysis results
therefore amounts to generating program specific verification conditions .
This approach has the advantage of reducing the size of the Trusted Computing Base (TCB) because
the VcGen is generic and language agnostic. Moreover, unlike traditional approaches,
our TCB does not embed a compiler from the source code to the language of the IVL.

Verification conditions are usually discharged by Satisfiability Modulo Theory (SMT) provers that are therefore part of the TCB. To reduce further the TCB, we advocate for proof-generating SMT provers which results can be independently verified by reflexive Coq proof-checkers. For the EUF logic, we have proposed a novel compact format and proved correct an efficient Coq checker .

We develop a specific theory and the related tools for analyzing programs whose semantics is defined using term rewriting systems. The analysis principle is based on regular approximations of infinite sets of terms reachable by rewriting. The tools we develop use, so-called, Tree Automata Completion to compute a tree automaton recognizing a superset of all reachable terms. This over-approximation is then used to prove properties on the program by showing that some “bad” terms, encoding dangerous or problematic configurations, are not in the superset and thus not reachable. With such technique, like with any approximated technique, is when the “bad” terms are in the superset. We proposed a new CounterExample Guided Abstraction Refinement (CEGAR) algorithm for tree automata completion. Our approach relies on a new equational-abstraction based completion algorithm to compute a regular overapproximation of the set of reachable states in finite time. This set is represented by, so-called, R/E-automata, a new extended tree automaton formalism whose structure can be exploited to detect and remove false positives in an efficient manner. Our approach has been implemented in Timbuk and used to analyze Java programs by exploiting a translation from the Java byte code to term rewriting systems. These results have been published in . Now, we aim at applying this technique to the static analysis of programming languages whose semantics is based on terms, like functional programming languages. The first step in this direction is to take into account the evaluation strategy of the language when approximating the set of reachable terms .

Pierre-Alain Fouque joined the team Celtique from September 2011 to August 2012. As a cryptographer, he still worked on symmetric cryptography with his PhD and postdoc students and proposed new security analysis of the block-ciphers AES and Camellia using meet-in-the-middle techniques in , at IWSEC'12 and Indocrypt'12 and new security proofs for signature schemes AbdallaFLT12 at Eurocrypt'12 and elliptic-curve hash function at LatinCrypt'12 with nice properties.

With Pierre-Alain, we also worked on more practical security aspects since his delegation in the Celtique team was to study side-channel attacks and formal methods. In side-channel attacks, we work with people from DGA and NTT in Japan to present new efficient attacks on one well-known implementation of RSA in many smartcards. Our attack targets any implementation of RSA using the Chinese Remainder Theorem in order to speed-up the computation, any exponentiation algorithm and the Montgomery multiplication. Usually, public-key cryptography requires large integer arithmetic and in order to accelerate the computation of the modulo, Montgomery proposed a new algorithm that avoids the need of arbitrary euclidean division which is the most consuming part of the exponentiation algorithm. This algorithm uses a small register (8, 16 or 32 bits depending on the architecture) during the computation and if a fault makes the value of this register much shorter, we show that we can recover the factorization of the RSA modulus in polynomial time. Furthermore, we describe on many proposed hardware architectures that our attack can indeed be used in practice if a laser is used to provoke the fault. This article has been published at CHES'12.

With people from DGA, we also studied how fault attack can be used to have buffer overflow effects. Indeed, by accelerating the clock, it is possible to avoid some instruction in the assembler code of a function. Consequently, if a fault avoids the function epilogue that restores the stack and registers to the state they were in before the function was called, then the stack pointer is changed and we can execute another function. Such attacks show that code executed in embedded processor have to be protected using buffer overflow techniques.

Finally, we also worked with people from DGA and Grenoble University to study security proofs in a computational logic. We show that the mode of operations of some hash functions is secure in and published at CSF'12. In particular, we show a small bug in the security proof of the sponge construction used in the new SHA-3 candidate and winner of the competition Keccak.

Static program analysis, Javacard, Certification, AFSCM

Partner : FIME

Period: Starting January 2012; ending February 2013

The FIME contract consists in an industrial transfer of the Sawja platform adapted to analyse Javacard programs according to AFSCM (Association Française du Sans Contact Mobile) security guidelines. The outcome of the project is the Jacal (JAvaCard AnaLyser) (.

Static program analysis, Certified static analysis

The ASCERT project (2009–2012) is founded by the *Fondation de
Recherche pour l'Aéronautique et l'Espace*. It aims at studying the
formal certification of static analysis using and comparing various
approaches like certified programming of static analysers, checking of
static analysis result and deductive verification of analysis results.
It is a joint project with the Inria teams
Abstraction, Gallium and POP-ART.

Process calculi, Verification, Proof Assistants

The goal of the (PiCoq project) is to develop an environment for the formal verification of properties of distributed, component-based programs. The project's approach approach lies at the interface between two research areas: concurrency theory and proof assistants. Achieving this goal relies on three scientific advances, which the project intends to address:

Finding mathematical frameworks that ease modular reasoning about concurrent and distributed systems: due to their large size and complex interactions, distributed systems cannot be analysed in a global way. They have to be decomposed into modular components, whose individual behaviour can be understood.

Improving existing proof techniques for distributed/modular systems: while behavioural theories of first-order concurrent languages are well understood, this is not the case for higher-order ones. We also need to generalise well-known modular techniques that have been developed for first-order languages to facilitate formalization in a proof assistant, where source code redundancies should be avoided.

Defining core calculi that both reflect concrete practice in distributed component programming and enjoy nice properties w.r.t. behavioural equivalences.

The project partners include Inria, LIP, and Université de Savoie. The project runs from November 2010 to October 2014.

Static program analysis, Certified static analysis

The VERASCO project (2012–2015) is founded by the call ISN 2011, a program of the Agence Nationale de la Recherche. It investigates the formal verification of static analyzers and of compilers, two families of tools that play a crucial role in the development and validation of critical embedded software. It is a joint project with the Inria teams Abstraction, Gallium, The VERIMAG laboratory and the Airbus company.

The DECERT project (2009–2012) is funded by the call Domaines Emergents 2008, a program of the Agence Nationale de la Recherche.

The objective of the DECERT project has been to design an architecture for cooperating decision procedures, with a particular emphasis on fragments of arithmetic, including bounded and unbounded arithmetic over the integers and the reals, and on their combination with other theories for data structures such as lists, arrays or sets. To ensure trust in the architecture, the decision procedures will either be proved correct inside a proof assistant or produce proof witnesses allowing external checkers to verify the validity of their answers.

This is a joint project with Systerel, CEA List and Inria teams Mosel, Cassis, Marelle, Proval and Celtique (coordinator).

The SecCloud project, started in 2012, will provide a comprehensive language-based approach to the definition, analysis and implementation of secure applications developed using Javascript and similar languages. Our high level objectives is to enhance the security of devices (PCs, smartphones, ect.) on which Javascript applications can be downloaded, hence on client-side security in the context of the Cloud. We will achieve this by focusing on three related issues: declarative security properties and policies for client-side applications, static and dynamic analysis of web scripting programming languages, and multi-level information flow monitoring.

This is a joint project with Supelec Rennes and Ecole des Mines de Nantes.

Imperial College (UK)

The JScert project (http://

Delphine Demange and David Pichardie have been working with Gilles Barthe from IMDEA Software, Madrid, Spain about the new verified SSA middle-end.

David Pichardie has spent one year at Purdue University, Indiana, US (from September 2011 to August 2012) working with Jan Vitek and Suresh Jagannathan. This was a one year Inria sabbatical leave. The collaboration deals with the formal verification of a Java compiler, taking into account concurrency. As a first result, a paper will appear at POPL 2013 where we provide a new intermediate memory model for the Java language.

David Pichardie served on the program committees of the international conferences IFM 2012 and ITP 2012 and the international workshop SVARM & VERIFY 2012. He co-chaired the international workshop PxTP 2012. A. Schmitt is a member of the steering committee of the Journées Françaises des Langages Applicatifs (JFLA). Thomas Jensen and Alan Schmitt organized the École Jeunes Chercheurs en Programmation (EJCP 2012). Sandrine Blazy served on the organizing committee of the annual meeting of the GDR GPL French community. Sandrine Blazy is a member of the steering committe of the ITP conference. Sandrine Blazy is scientific director of the “Languages and software engineering department” of IRISA.

Alan Schmitt, Caml, 43h, L3, Insa Rennes, France

Alan Schmitt, Méthodes Formelles pour le développement de logiciels sûrs, 12h, M1, Rennes 1, France

Sandrine Blazy, Méthodes Formelles pour le développement de logiciels sûrs, 53h, M1, Rennes 1, France

Sandrine Blazy, Software vulnerabilities, 24h, M2PRO, Rennes 1

Sandrine Blazy, Mechanised semantics, 30h, M2R, Rennes 1, France

Sandrine Blazy, The Coq proof assistant, 6h, 4th Asian-Pacific summer school on formal methods, Shanghai, China

Sandrine Blazy, Functional programming, 30h, L3, Rennes 1, France

Frédéric Besson, Compilation, 30h, M1, Insa Rennes, France

Thomas Jensen, Program analysis and Semantics, 30h, M2R, Rennes 1, France

Thomas Jensen, Sécurité de logiciel, 30h, M2R, Rennes 1, France

Pierre-Alain Fouque, Cryptography, 58h, M2PRO, Rennes 1, France

Thomas Jensen, Static program analysis, 5h, Ecole Jeunes Chercheurs en Programmation.

Thomas Genet, Cryptography, 18h, M1, Rennes 1, France

Thomas Genet, Object-oriented software engineering, 48h, M1, Rennes 1, France

Thomas Genet, Software Formal Analysis and Design, 65h, M1, Rennes 1, France

Thomas Genet, Functional programming, 44h, L3, Rennes 1, France

David Cachera, Programming language semantics, 24h, M1, Rennes 1, France

David Cachera, Computability and Logic, 24h, L3, ENS Cachan Bretagne, France

David Cachera, Formal Languages, 24h, L3, ENS Cachan Bretagne, France

David Cachera, Algorithmics, 10h, M2FES, ENS Cachan Bretagne, France

PhD & HdR :

HdR : David Pichardie, Toward a Verified Software Toolchain for Java, ENS Cachan, November 19th 2012

PhD : Delphine Demange, Semantic foundations of intermediate program representations, ENS Cachan, October 19th 2012, Thomas Jensen and David Pichardie

PhD : Arnaud Jobin, Dioïdes et idéaux de polynômes en analyse statique, ENS Cachan, January 16th 2012, Thomas Jensen and David Cachera

PhD in progress: Zhoulai Fu, Abstract interpretation and memory analysis, octobre 2009, Thomas Jensen and David Pichardie

PhD in progress: Vincent Laporte, Formal verification of static analyses for low level langages, septembre 2012, Sandrine Blazy and David Pichardie

PhD in progress: Martin Bodin, Certified Analyses for JavaScript, September 2012, Thomas Jensen and Alan Schmitt

PhD in progress: Andre Oliveira Maroneze, Compilation vérifiée et calcul de temps d'exécution au pire cas, septembre 2010, Sandrine Blazy and Isabelle Puaut

PhD in progress: Stéphanie Riaud, Transformations de programmes pertinentes pour la sécurité du logiciel, septembre 2011, Sandrine Blazy

PhD in progress: J-C Zapalowicz, Formal methods for identifying security vulnerabilities, September 2011, Thomas Jensen and Pierre-Alain Fouque.

Pierre-Emmanuel Cornilleau: Result certification of static analyses using SMTs, October 2009, Frédéric Besson and Thomas Jensen.

PhD in progress: Valérie Murat, Automatic verification of infinite state systems using tree automata completion, septembre 2010, Thomas Genet

PhD in progress: Yann Salmon, Static Analysis of functional programs using tree automata, septembre 2011, Thomas Genet

Alan Schmitt, jury member for the HdR defense of Ludovic Henrio, July 19th 2012

Alan Schmitt, jury member (reviewer) for the PhD defense of Federico Ulliana, December 12 2012

Sandrine Blazy, jury member for the HDR defense of Eric Totel, December 2012, Supélec, Rennes

Sandrine Blazy, jury member (reviewer) for the PhD defense of Vincent Filou, December 2012, LABRI, Bordeaux

Thomas Jensen, jury member (reviewer) for the PhD defense of Tahina Ramananandro, January 2012, ENS Paris

Thomas Jensen, jury member (examiner) for the PhD defense of Jérémy Planul, February 2012, Ecole polytechnique

Pierre-Alain Fouque, jury member (reviewer) for the PhD defense of Olivier Meynard, January 2012, ENST Paris

Pierre-Alain Fouque, jury member (reviewer) for the PhD defense of Sylvain Heraud, February 2012, Nice-Sophia Antipolis

Pierre-Alain Fouque, jury member (reviewer) for the PhD defense of Christina Boura, January 2012, Paris 6 University

David Pichardie organised the second edition of the french Castor Informatique contest. This contest promotes Computer Science in secondary schools and high schools. It is organised by Inria, ENS Cachan and the France IOI association and supported by CNRS, Pascaline, the SIF and API associations. In 2012, there was about 90.000 participants.

Sandrine Blazy was interviewed for a 10 minutes podcast (in French) about compiler verification. The podcast is available from the Interstices website.