Our times are characterized by the massive presence of
highly distributed and mobile systems consisting of
diverse and specialized devices, forming heterogeneous networks,
and providing different services and applications. The resulting
computational systems are usually referred to as *Ubiquitous Computing*
(see, e.g., the UK Grand Challenge initiative under the
name *Sciences for Global Ubiquitous Computing*). *Security* is one of the fundamental concerns that
arise in this setting. The problem of *privacy*, in particular, is
exacerbated by orders of magnitude: the frequent interaction between users and
electronic devices, and the continuous connection between these devices
and the internet, offer malicious agents the opportunity
to gather and store huge amounts of information, often without
the individual even being aware of it. Mobility is also an additional
source of vulnerability, since tracing may reveal significant information.
To avoid these hazards, honest agents should use special
protocols, called *security protocols*.

The systems above are usually very complex and based on impressive engineering technologies, but they do not always exhibit a satisfactory level of robustness and reliability. The same holds for security protocols: they usually look simple, but the properties that they are supposed to ensure are extremely subtle, and it is also difficult to capture the capabilities of the attacker. As a consequence, even protocols that seem at first “obviously correct” are later (often years later) found to be prone to attacks.

In order to overcome these drawbacks, we need to develop formalisms, reasoning techniques, and tools to specify systems and protocols and their intended properties, and to guarantee that these intended properties are indeed satisfied. The challenges that we envisage are (a) to find suitably expressive formalisms which capture essential new features such as mobility, probabilistic behavior, presence of uncertain information, and potentially hostile environment, (b) to build suitably representative models in which to interpret these formalisms, and (c) to design efficient tools to perform the verification in the presence of these new features.

Mário Alvim, a former PhD student of Comète who defended his thesis in October 2011, has been nominated for the “Prix de thèse ParisTech 2012”.

Much of the research of Comète focuses on security and privacy. In particular, we are interested in the problem of the leakage of secret information through public observables.

Ideally we would like systems to be completely secure, but in practice this goal is often impossible to achieve. Therefore, we need to reason about the amount of information leaked, and the utility that it can have for the adversary, i.e. the probability that the adversary is able to exploit such information.

The recent tendency is to use an information-theoretic
approach to model the problem and define the leakage in a quantitative way.
The idea is to consider the system as an information-theoretic *channel*.
The input represents the secret, the output represents the observable,
and the correlation between the input and output (*mutual information*)
represents the information leakage.

Information theory depends on the notion of entropy. Most of the proposals in the literature use *Shannon entropy*,
which is the most established measure of uncertainty.
From the security point of view, this measure corresponds to a particular model of attack and
a particular way of estimating the security threat (vulnerability of the secret).
We also consider other notions, in particular the Rényi min-entropy, which seems
to be more appropriate for security in common scenarios such as one-try attacks.
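The difference between the two measures can be computed directly on small channels. The following Python code is an added example, not code from the Comète tools; the two channels, the uniform prior over 8 secrets and all function names are constructed for illustration.

```python
import math


def joint(prior, channel):
    """Joint distribution p(x, y) = prior[x] * channel[x][y]."""
    return [[p * c for c in row] for p, row in zip(prior, channel)]


def shannon_leakage(prior, channel):
    """Mutual information I(X;Y) in bits between secret X and observable Y."""
    j = joint(prior, channel)
    p_y = [sum(col) for col in zip(*j)]
    bits = 0.0
    for x, row in enumerate(j):
        for y, p_xy in enumerate(row):
            if p_xy > 0.0:  # zero-probability pairs contribute nothing
                bits += p_xy * math.log2(p_xy / (prior[x] * p_y[y]))
    return bits


def one_try_success(prior, channel):
    """Probability that an adversary who observes Y guesses X in one try.

    For each output the adversary picks the most likely secret, so the
    success probability is the sum of the column maxima of the joint matrix.
    """
    return sum(max(col) for col in zip(*joint(prior, channel)))


def min_entropy_leakage(prior, channel):
    """log2 of the factor by which observing Y multiplies one-try success."""
    return math.log2(one_try_success(prior, channel) / max(prior))


# Constructed setting: 8 equally likely secrets (3 bits of uncertainty).
N = 8
PRIOR = [1.0 / N] * N


def reveal_two_channel():
    """Outputs the secret itself when it is 0 or 1, otherwise a constant."""
    rows = []
    for x in range(N):
        row = [0.0, 0.0, 0.0]  # outputs: "0", "1", "other"
        row[x if x < 2 else 2] = 1.0
        rows.append(row)
    return rows


def parity_channel():
    """Outputs only the lowest bit of the secret."""
    return [[1.0, 0.0] if x % 2 == 0 else [0.0, 1.0] for x in range(N)]


def compare():
    """Leakage figures for both constructed channels."""
    table = {}
    for name, channel in (("reveal_two", reveal_two_channel()),
                          ("parity", parity_channel())):
        table[name] = {
            "shannon_bits": shannon_leakage(PRIOR, channel),
            "min_entropy_bits": min_entropy_leakage(PRIOR, channel),
            "one_try_success": one_try_success(PRIOR, channel),
        }
    return table


if __name__ == "__main__":
    for name, figures in compare().items():
        print(name, figures)
```

The two channels have almost the same Shannon leakage, yet the first one gives a one-try adversary a success probability of 3/8 against 2/8 for the second.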

We will focus our efforts on a
probabilistic variant of the asynchronous

We intend to study models and languages for concurrent, probabilistic and mobile systems, with a particular attention to expressiveness issues. We aim at developing criteria to assess the expressive power of a model or formalism in a distributed setting, to compare existing models and formalisms, and to define new ones according to an intended level of expressiveness, taking also into account the issue of (efficient) implementability.

Our research in ccp develops along the following two lines:

The study of a bisimulation semantics for ccp. The advantage of bisimulation, over other kinds of semantics, is that it can be efficiently verified.

Enriching ccp with epistemic constructs, which will allow us to reason about the knowledge of agents.

We plan to develop model-checking techniques and tools for verifying properties of systems and protocols specified in the above formalisms.

Model checking addresses the problem of establishing whether the model (for instance, a finite-state machine) of a certain specification satisfies a certain logical formula.

We intend to concentrate our efforts on aspects that are fundamental for the verification of security protocols, and that are not properly considered in existing tools. Namely, we will focus on:

the combination of probability and mobility, which is not provided by any of the current model checkers,

the interplay between nondeterminism and probability, which in security presents subtleties that cannot be handled with the traditional notion of scheduler,

the development of a logic for expressing security (in particular privacy) properties.

Concerning the last point (the logic), we should capture both probabilistic and epistemological aspects, the latter being necessary for treating the knowledge of the adversary.

Logics of this kind have already been developed, but the investigation of the relation with the models coming from process calculi, and their utilization in model checking, is still in its infancy.

The aim of our research is the specification and verification
of protocols used in mobile distributed systems,
in particular security protocols. We are especially interested in
protocols for *information hiding*.

Information hiding is a generic term which we use here to refer to
the problem of preventing the disclosure of information which is supposed to be secret or confidential.
The most prominent research areas which are concerned with this problem are those of
*secure information flow* and of *privacy*.

Secure information flow refers to the problem of avoiding the so-called *propagation* of secret
data due to their processing. It was initially considered as related to software, and the research focussed on
type systems and other kinds of static analysis to prevent dangerous operations.
Nowadays the setting is more general, and a large part of the research effort is directed
towards the investigation of probabilistic scenarios and threats.

Privacy denotes the issue
of preventing certain information from becoming publicly known. It may refer to the protection of *private data*
(credit card number, personal info etc.), of the
agent's identity (*anonymity*), of the link between information and user
(*unlinkability*), of its activities (*unobservability*),
and of its *mobility* (*untraceability*).

The common denominator of this class of problems is that an adversary
can try to infer the private information (*secrets*) from the
information that he can access (*observables*).
The solution is then to obfuscate the link between
secrets and observables as much as possible,
and often the use of randomization, i.e. the introduction of *noise*,
can help to achieve this purpose. The system can then
be seen as a *noisy channel*, in the information-theoretic sense,
between the secrets and the observables.

We intend to explore the rich set of concepts and techniques in the fields of
information theory and hypothesis testing
to establish the foundations of quantitative information flow and of privacy, and to develop heuristics and methods
to improve mechanisms for the protection of secret information. Our approach will be based on the specification of protocols
in the probabilistic asynchronous

In collaborations with Dave Parker and Marta Kwiatkowska, we are developing
a model checker for the probabilistic asynchronous

Technically we use MMC as a compiler to encode the probabilistic

In the meanwhile we are also attempting a direct and more flexible
approach to the development of a model checker for the probabilistic

This software generates PRISM models for the Dining Cryptographers and Crowds protocols. It can also use PRISM to calculate the capacity of the corresponding channels. More information can be found in
and in the README file with instructions at the URL http://

The software can be downloaded at http://

The corner points can be used to compute the maximum probability of error and to improve the Hellman-Raviv and Santhi-Vardy bounds. More information can be found in
and in the README file with instructions at the URL http://

The software can be downloaded at http://

MMCsp is a compiler from a simple probabilistic

The tool was developed by Peng Wu during his postdoc period in Comète in 2005-2007, in the context of the collaboration between the teams Comète and PRISM under the Inria/ARC Project ProNoBis. It is based on the papers and .

The source code is free and can be downloaded from http://

Information hiding refers to the problem of protecting private information while performing certain tasks or interactions, and trying to avoid that an adversary can infer such information. This is one of the main areas of research in Comète; we are exploring several topics, described below.

A fundamental concern in computer security is to control information flow, whether to protect confidential information from being leaked, or to protect trusted information from being tainted. In view of the pragmatic difficulty of preventing undesirable flows completely, there is now much interest in theories that allow information flow to be quantified, so that “small” leaks can be tolerated. In we introduced g-leakage, a rich generalization of the min-entropy model of quantitative information flow. In g-leakage, the benefit that an adversary derives from a certain guess about a secret is specified using a gain function g. Gain functions allow a wide variety of operational scenarios to be modeled, including those where the adversary benefits from guessing a value close to the secret, guessing a part of the secret, guessing a property of the secret, or guessing the secret within some number of tries. We proved important properties of g-leakage, including bounds between min-capacity, g-capacity, and Shannon capacity. We also showed a deep connection between a strong leakage ordering on two channels, C1 and C2, and the possibility of factoring C1 into C2 C3, for some C3. Based on this connection, we proposed a generalization of the Lattice of Information from deterministic to probabilistic channels.
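The following Python code is an added example, not code from the cited work. It uses the standard definitions of prior and posterior g-vulnerability, evaluates two gain functions (exact guess and guess within two tries) on a constructed channel C2, and then post-processes C2 with a constructed noise channel C3 to show that the cascade C1 = C2 C3 leaks no more than C2 for these gain functions. The channels, the uniform prior and all names are assumptions made for illustration.

```python
import math
from itertools import combinations


def prior_g_vulnerability(prior, gain, guesses):
    """Best expected gain of an adversary who knows only the prior."""
    return max(sum(p * gain(w, x) for x, p in enumerate(prior))
               for w in guesses)


def posterior_g_vulnerability(prior, channel, gain, guesses):
    """Expected gain when the adversary picks the best guess per output."""
    total = 0.0
    for y in range(len(channel[0])):
        # Joint weights p(x, y) for this observable.
        weights = [p * channel[x][y] for x, p in enumerate(prior)]
        total += max(sum(wt * gain(w, x) for x, wt in enumerate(weights))
                     for w in guesses)
    return total


def g_leakage(prior, channel, gain, guesses):
    """g-leakage in bits: log2 of posterior over prior g-vulnerability."""
    return math.log2(
        posterior_g_vulnerability(prior, channel, gain, guesses)
        / prior_g_vulnerability(prior, gain, guesses))


def cascade(first, second):
    """Channel obtained by feeding the output of `first` into `second`."""
    return [[sum(first[x][m] * second[m][y] for m in range(len(second)))
             for y in range(len(second[0]))]
            for x in range(len(first))]


# Constructed setting: 4 equally likely secrets.
SECRETS = range(4)
PRIOR = [0.25] * 4


def identity_gain(guess, secret):
    """Gain 1 only for an exact guess: this recovers min-entropy leakage."""
    return 1.0 if guess == secret else 0.0


def two_tries_gain(guess_pair, secret):
    """Gain 1 if the secret is one of the two values the adversary tries."""
    return 1.0 if secret in guess_pair else 0.0


IDENTITY_GUESSES = list(SECRETS)
TWO_TRY_GUESSES = list(combinations(SECRETS, 2))

# C2 tells the observer whether the secret is 0 or not (constructed).
C2 = [[1.0, 0.0], [0.0, 1.0], [0.0, 1.0], [0.0, 1.0]]
# C3 flips that one-bit observation with probability 0.25 (constructed).
C3 = [[0.75, 0.25], [0.25, 0.75]]
C1 = cascade(C2, C3)


def leakage_table():
    """g-leakage of C2 and of the cascade C1 under both gain functions."""
    scenarios = {"identity": (identity_gain, IDENTITY_GUESSES),
                 "two_tries": (two_tries_gain, TWO_TRY_GUESSES)}
    return {name: {"C2": g_leakage(PRIOR, C2, gain, guesses),
                   "C1": g_leakage(PRIOR, C1, gain, guesses)}
            for name, (gain, guesses) in scenarios.items()}


if __name__ == "__main__":
    for scenario, row in leakage_table().items():
        print(scenario, row)
```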

Unlinkability is a privacy property of crucial importance for several systems (such as RFID or voting systems). Informally, unlinkability states that, given two events/items in a system, an attacker is not able to infer whether they are related to each other. However, in the literature we find several definitions for this notion, which are apparently unrelated and show a potentially problematic lack of agreement. In we shed new light on unlinkability by comparing different ways of defining it and showing that in many practical situations the various definitions coincide. We did so by (a) expressing in a unifying framework four definitions of unlinkability from the literature, (b) demonstrating how these definitions are different yet related to each other and to their dual notion of “inseparability”, and (c) identifying conditions under which all these definitions become equivalent. We argued that the conditions are reasonable to expect in identification systems, and we proved that they hold for a generic class of protocols.

Differential privacy is a modern approach in privacy-preserving data analysis to control the amount of information that can be inferred about an individual by querying a database. The most common techniques are based on the introduction of probabilistic noise, often defined as a Laplacian parameterized by the sensitivity of the query. In order to maximize the utility of the query, it is crucial to estimate the sensitivity as precisely as possible.

Differential privacy (already introduced in the previous section) is usually achieved by using mechanisms that add random noise to the query answer. Thus, privacy is obtained at the cost of reducing the accuracy, and therefore the utility, of the answer. Since the utility depends on the user's side information, commonly modeled as a prior distribution, a natural goal is to design mechanisms that are optimal for every prior. However, it has been shown in the literature that such mechanisms do not exist for any query other than counting queries.

Differential privacy, already described above, is a formal privacy guarantee that ensures that sensitive information relative to individuals cannot be easily inferred by disclosing answers to aggregate queries. If two databases are adjacent, i.e. differ only in one individual, then querying them should not allow one to tell them apart by more than a certain factor. The transitive application of this property induces a bound also on the distinguishability of two generic databases, which is determined by their distance on the Hamming graph of the adjacency relation.

The growing popularity of location-based systems, allowing unknown/untrusted servers to easily collect and process huge amounts of users' information regarding their location, has recently started raising serious concerns about the privacy of this kind of sensitive information. In we studied geo-indistinguishability, a formal notion of privacy for location-based systems that protects the exact location of a user, while still allowing approximate information - typically needed to obtain a certain desired service - to be released.

Our privacy definition formalizes the intuitive notion of protecting the user's location within a radius r with a level of privacy that depends on r. We presented three equivalent characterizations of this notion, one of which corresponds to a generalized version of the well-known concept of differential privacy. Furthermore, we presented a perturbation technique for achieving geo-indistinguishability by adding controlled random noise to the user's location, drawn from a planar Laplace distribution. We demonstrated the applicability of our technique through two case studies: First, we showed how to enhance applications for location-based services with privacy guarantees by implementing our technique on the client side of the application. Second, we showed how to apply our technique to sanitize location-based sensitive information collected by the US Census Bureau.
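The following Python code is an added example of client-side perturbation with planar Laplace noise, not the implementation from the cited work. It assumes planar coordinates in metres, a privacy parameter `epsilon` per metre (the value used is constructed), and the differential-privacy-style characterization as usually stated: for any reported point z, the densities from two true locations x and x' differ by a factor of at most exp(epsilon * d(x, x')). The radius is drawn from a Gamma(2, 1/epsilon) distribution, which is the radial marginal of the planar Laplace density; this sampling choice and all names belong to the example.

```python
import math
import random


def planar_laplace_noise(epsilon, rng):
    """Draw a 2-D offset with density (eps^2 / 2*pi) * exp(-eps * |offset|).

    In polar coordinates the angle is uniform and the radius has density
    eps^2 * r * exp(-eps * r), i.e. Gamma(shape=2, scale=1/eps).
    """
    theta = rng.uniform(0.0, 2.0 * math.pi)
    radius = rng.gammavariate(2.0, 1.0 / epsilon)
    return radius * math.cos(theta), radius * math.sin(theta)


def sanitize(location, epsilon, rng):
    """Reported location = true location plus planar Laplace noise."""
    dx, dy = planar_laplace_noise(epsilon, rng)
    return location[0] + dx, location[1] + dy


def log_density(reported, true, epsilon):
    """Natural log of the density of reporting `reported` from `true`."""
    dist = math.hypot(reported[0] - true[0], reported[1] - true[1])
    return 2.0 * math.log(epsilon) - math.log(2.0 * math.pi) - epsilon * dist


def worst_log_ratio(loc_a, loc_b, epsilon, span, step):
    """Largest |ln p(z|a) - ln p(z|b)| over a grid of reported points z.

    Geo-indistinguishability requires this to stay below
    epsilon * distance(loc_a, loc_b) for every z.
    """
    worst = 0.0
    n = int(span / step)
    for i in range(-n, n + 1):
        for j in range(-n, n + 1):
            z = (loc_a[0] + i * step, loc_a[1] + j * step)
            gap = abs(log_density(z, loc_a, epsilon)
                      - log_density(z, loc_b, epsilon))
            worst = max(worst, gap)
    return worst


def mean_error(epsilon, samples, rng):
    """Average distance between true and reported location (utility cost)."""
    origin = (0.0, 0.0)
    total = 0.0
    for _ in range(samples):
        x, y = sanitize(origin, epsilon, rng)
        total += math.hypot(x, y)
    return total / samples


# Constructed parameter: privacy level ln(4) within a radius of 200 m.
EPSILON = math.log(4) / 200.0

if __name__ == "__main__":
    rng = random.Random(7)
    home = (0.0, 0.0)       # constructed sample locations, in metres
    office = (150.0, 0.0)
    print("reported:", sanitize(home, EPSILON, rng))
    print("mean error (m):", mean_error(EPSILON, 20000, rng))
    print("worst log-ratio:", worst_log_ratio(home, office, EPSILON, 1000, 50),
          "bound:", EPSILON * 150.0)
```

The expected displacement is 2/epsilon, so a smaller epsilon (more privacy) directly costs accuracy of the reported location.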

Systems concerned with information hiding often use randomization to obfuscate the link between the observables and the information to be protected. The degree of protection provided by a system can be expressed in terms of the probability of error associated to the inference of the secret information. In we considered a probabilistic process calculus to specify such systems, and we studied how the operators affect the probability of error. In particular, we characterized constructs that have the property of not decreasing the degree of protection, and that can therefore be considered safe in the modular construction of these systems. As a case study, we applied these techniques to the Dining Cryptographers, and we derived a generalization of Chaum's strong anonymity result.
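Chaum's strong anonymity result, and its dependence on fair coins, can be checked by brute force on a small ring. The following Python code is an added example, not the process-calculus analysis of the cited work; it assumes an external observer who sees only the announcements, a payer who is always one of the cryptographers and is chosen uniformly, and a common coin bias `p_heads`. All function names are constructed.

```python
from itertools import product


def dc_channel(n, p_heads):
    """Channel from payer (row) to announcement vector (column).

    Cryptographer i shares coin i with the right neighbour and coin i-1
    with the left one, and announces coin[i] XOR coin[i-1], flipped if
    cryptographer i is the payer.
    """
    outputs = list(product((0, 1), repeat=n))
    column = {out: k for k, out in enumerate(outputs)}
    matrix = [[0.0] * len(outputs) for _ in range(n)]
    for payer in range(n):
        for coins in product((0, 1), repeat=n):
            prob = 1.0
            for c in coins:
                prob *= p_heads if c == 1 else 1.0 - p_heads
            announced = tuple(
                coins[i] ^ coins[i - 1] ^ (1 if i == payer else 0)
                for i in range(n))
            matrix[payer][column[announced]] += prob
    return outputs, matrix


def bayes_error(prior, matrix):
    """Probability that the best guess of the secret, given the output,
    is wrong: one minus the sum over outputs of the largest joint weight."""
    correct = sum(
        max(prior[x] * matrix[x][y] for x in range(len(prior)))
        for y in range(len(matrix[0])))
    return 1.0 - correct


def payer_guess_error(n, p_heads):
    """Observer's probability of error when the payer is chosen uniformly."""
    _, matrix = dc_channel(n, p_heads)
    return bayes_error([1.0 / n] * n, matrix)


def rows_identical(matrix, tol=1e-12):
    """True when every payer induces the same output distribution,
    i.e. the observable carries no information about the payer."""
    first = matrix[0]
    return all(abs(a - b) <= tol
               for row in matrix[1:] for a, b in zip(first, row))


if __name__ == "__main__":
    for bias in (0.5, 0.7, 0.9, 1.0):
        _, m = dc_channel(3, bias)
        print("p_heads=%.1f  error=%.4f  strong anonymity=%s"
              % (bias, payer_guess_error(3, bias), rows_identical(m)))
```

With fair coins the probability of error equals that of a blind guess (2/3 for three cryptographers); as the coins become biased it falls, reaching 0 when the coins are deterministic.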

*Incentives to Cooperation*. Anonymity systems have a broad range of users,
ranging from ordinary citizens who want to avoid being profiled for targeted
advertisements, to companies trying to hide information from their competitors,
to entities requiring untraceable communication over the Internet. With these
many potential users, it would seem that anonymity services based on
consumer/provider users will naturally be well-resourced and able to operate
efficiently. However, cooperation cannot be taken for granted. Currently deployed
systems show that some users will indeed act selfishly, and only use the system
to send their messages whilst ignoring the requests to forward others'
messages. Obviously, with not enough cooperative users, the systems will hardly
operate at all, and will certainly not be able to afford adequate anonymity
guarantees. It is therefore vital that these systems are able to deploy
incentives to encourage users' cooperation and so make the anonymity provision
effective. Some interesting approaches to achieve that have been proposed, such
as making running relays easier and providing better forwarding performance.

To evaluate whether these approaches are effective, we need a framework which empowers us to analyze them, as well as provide guidelines and some mechanism design principles for incentive schemes. This much we have provided in , exploiting notions and techniques from Game Theory. We proposed a game theoretic framework and used it to analyze users' behaviours and also predict what strategies users will choose under different circumstances and according to their exact balance of preferences among factors such as anonymity, performance (message delivery time) and cost. Significantly, we also used the model to assess the effectiveness of the gold-star incentive mechanism, which was introduced in the Tor network to encourage users to act as cooperative relays, and thus enhance the service performance for well-behaved forwarders.

*Trust in anonymity networks*. Trust metrics are used in anonymity networks to
support and enhance reliability in the absence of verifiable identities, and a
variety of security attacks currently focus on degrading a user's
trustworthiness in the eyes of the other users. In
we have presented an enhancement of the Crowds anonymity protocol via a notion
of trust which allows crowd members to route their traffic according to their
perceived degree of trustworthiness of each other member of the crowd. Such
trust relations express a measure of an individual's belief that another user
may become compromised by an attacker, either by a direct attempt to corrupt or
by a denial-of-service attack. Our protocol variation has the potential of
improving the overall trustworthiness of data exchanges in anonymity networks,
which cannot normally be taken for granted in a context where users are
actively trying to conceal their identities. Using such formalization, in the
paper we have then analyzed quantitatively the privacy properties of the
protocol under standard and adaptive attacks.

Distributed systems have changed substantially in the recent past with the
advent of phenomena like social networks and cloud computing. In the previous
incarnation of distributed computing the emphasis was on consistency, fault
tolerance, resource management and related topics; these were all characterized
by *interaction between processes*. Research proceeded along two lines: the
algorithmic side which dominated the Principles Of Distributed Computing
conferences and the more process algebraic approach epitomized by CONCUR where
the emphasis was on developing compositional reasoning principles. What marks
the new era of distributed systems is an emphasis on managing access to
information to a much greater degree than before.

The *Concurrent constraint programming (ccp)* paradigm focuses on information
access and therefore it is suited for this new era of concurrent systems. Ccp
singles out the fundamental aspects of asynchronous systems whose agents (or
processes) evolve by accessing information in a global medium. In the works
described below we developed algorithms and extended the foundations of ccp.

Epistemic concepts were crucial in distributed computing as was realized in the mid 1980s with Halpern and Moses' groundbreaking paper on common knowledge. This led to a flurry of activity in the next few years with many distributed protocols being understood from an epistemic point of view. The impact of epistemic ideas in the concurrency theory community was slower in coming. We believe that epistemic ideas need to be exploited more by concurrency theorists and we did so in the following works.

In we introduced spatial and epistemic process calculi for reasoning about spatial information and knowledge distributed among the agents of a system. We also introduced domain-theoretical structures to represent spatial and epistemic information. Finally we provided operational and denotational techniques for reasoning about the potentially infinite behaviour of spatial and epistemic processes. We also gave compact representations of infinite objects that can be used by processes to simulate announcements of common knowledge and global information. We also developed an interpreter of these calculi in .

Bisimilarity is a standard behavioural equivalence in concurrency theory, but a well-behaved notion of bisimilarity for ccp has been proposed only recently. When the state space of a system is finite, the ordinary notion of bisimilarity can be computed via the well-known partition refinement algorithm, but unfortunately, this algorithm does not work for ccp bisimilarity. In we proposed a variation of the partition refinement algorithm for verifying ccp bisimilarity. To the best of our knowledge this is the first work providing for the automatic verification of program equivalence for ccp.

In we only studied the strong version of bisimilarity. Weak bisimilarity is obtained from the strong case by taking into account only the actions that are observable in the system. Typically, the standard partition refinement can also be used for deciding weak bisimilarity simply by using Milner's reduction from weak to strong bisimilarity, a technique referred to as saturation. In we showed that, because of its involved labeled transitions, the above-mentioned saturation technique does not work for ccp. We also gave an alternative reduction from weak ccp bisimilarity to the strong one that allows us to use the ccp partition refinement algorithm for deciding this equivalence.

In the more traditional setting of the pi-calculus we have also proposed an approach to restrict access to information.

In we have improved the result of by introducing a new logic called probabilistic mu-calculus with independent product. We have proved that two semantics coincide in all models: a denotational semantics and a two-player game semantics based on a novel class of concurrent games. Furthermore, we have shown how the new logic is strictly more expressive than the other. This allows the encoding of other important temporal logics for probabilistic concurrent systems such as PCTL.

In we have introduced a proof system designed for supporting human-aided verification of properties (expressed as probabilistic mu-calculus formulas) of concurrent probabilistic processes described by SOS-style operational semantics.

Mobile ad-hoc networks consist of a collection of nodes that communicate with each other through wireless links without a pre-established networking infrastructure. A common feature of most of these networks is free node mobility. Each device will therefore change its links to other devices frequently. These frequent changes in the network topology can cause the nodes to continuously enter and exit each other's transmission area. Hence, highly dynamic routing algorithms are needed to ensure the connectivity. Moreover, mobile devices may have strict requirements on the energy consumption because their expected life-time often depends on the energy stored in a battery or other exhaustible power sources. For these reasons, finding a good trade-off between network connectivity, power saving and interference reduction is one of the most critical challenges in managing mobile ad hoc networks. In , we have proposed an effective framework for analysing protocol connectivity and measuring the level of interference and, based on that, for developing novel interference-aware communication strategies. Though other models exist in the literature, to the best of our knowledge, our framework is the most comprehensive and effective for the behavioral analysis and a quantitative assessment of interference for wireless networks in the presence of node mobility.

PANDA

Analysis of Parallelism and Distribution

October 2009 - March 2013

Catuscia Palamidessi, Inria Saclay

Dale Miller, EPIs Parsifal at Inria Saclay. Emmanuel Haucourt, CEA Saclay. Damiano Mazza, Pôle Parisien (ENS Cachan, Paris VII and Paris XIII). Emmanuel Godard, Pôle Méditerranéen (ENS Lyon and the University of Marseille). Jean Souyris, Airbus.

The aim of PANDA is to bring together different mathematical models of parallel and concurrent computation (geometric models, rewriting theory, higher category theory, stochastic processes), along with theoretical frameworks for static analysis (spatial logics, proof construction), in order to guide the development of software tools that meet industrial needs of program specification and verification (in particular, fault detection of parallel programs involved in avionics).

CPP

Confidence, Proof and Probabilities

October 2009 - March 2013

Jean Goubault-Larrecq, ENS Cachan

Catuscia Palamidessi, Inria. Olivier Bouissou, CEA LIST. Gilles Fleury, Supelec SSE. Michel Kieffer, Supelec L2S.

In the context of proofs of safety properties for critical software, the CPP project proposes to study the joint use of probabilistic and formal (deterministic) semantics and analysis methods, in a way to improve the applicability and precision of static analysis methods on numerical programs.

CAPPRIS

Collaborative Action on the Protection of Privacy Rights in the Information Society

October 2011 - September 2015

Daniel Le Métayer, Inria Grenoble

The project involves four Inria research centers (Saclay, Sophia-Antipolis, Rennes and Grenoble), CNRS-LAAS, Eurecom and the University of Namur. Besides computer scientists, the consortium also includes experts in sociology and in law, thus covering the complementary areas of expertise required to reach the objectives.

The goal of this project is to study the challenges related to privacy in the modern information society, trying to consider not only the technical, but also the social and legal ones, and to develop methods to enhance the privacy protection.

FP7-PEOPLE-2011-IRSES

MEALS

Mobility between Europe and Argentina applying Logic to Systems

October 2011 - September 2005

Holger Hermanns, Saarland University, Germany

Rheinisch-Westfälische Technische Hochschule Aachen, Germany. Technische Universität Dresden, Germany. Inria, France. Imperial College of Science, Technology and Medicine, UK, University of Leicester, UK. Technische Universiteit Eindhoven, NL. Universidad Nacional de Cordoba, AR. Universidad de Buenos Aires, AR. Instituto Tecnologico de Buenos Aires, AR. Universidad Nacional de Rio Cuarto, AR.

In this project we focus on three aspects of formal methods: specification, verification, and synthesis. We consider the study of both qualitative behavior and quantitative behavior (extended with probabilistic information). We aim to study formal methods in all their aspects: foundations (their mathematical and logical basis), algorithmic advances (the conceptual basis for software tool support) and practical considerations (tool construction and case studies).

School of Computing and Information Sciences, Florida International University, USA.

School of Electronics and Computer Science, University of Southampton, UK.

Department of Computer Science, Pontificia Universidad Javeriana, Colombia.

ANR Blanc International

LOCALI

Logical Approach to Novel Computational Paradigms

October 2011 - September 2015

Gilles Dowek, Inria Rocquencourt

Catuscia Palamidessi, Inria Saclay. Thomas Ehrhard, Paris VII. Ying Jiang, Chinese Academy of Sciences in Beijing (China).

This project aims at exploring the interplays between logic and sequential/distributed computation in formalisms like the lambda calculus and the

Associate professor at the Pontificia Universidad Javeriana, Colombia. He visited for one month in July 2012, funded by the Ecole Polytechnique.

Full professor at the Università di Siena, Italy. He visited for one month in June 2012, funded by the Ecole Polytechnique.

Associate professor at the Universidade Federal de Minas Gerais, Belo Horizonte, Brazil. She visited for one month in July 2012, funded by the Ecole Polytechnique/Digiteo.

Assistant professor at the Università di Sassari, Italy. She visited for one month in June 2012, funded by the Ecole Polytechnique/Digiteo.

Full professor at the University of Southampton, UK. He visited for two months in October and November 2012, funded by the Ecole Polytechnique/Digiteo.

Full professor at the Pontificia Universidad Javeriana, Colombia. He visited for two months in October and November 2012, funded by the Ecole Polytechnique.

Lili Xu

From October 2011 until October 2012

Compositionality of privacy on a probabilistic process calculus

Chinese Academy of Sciences of Beijing (China)

ANR project PANDA, Inria, and Chinese Academy of Sciences

Marco Stronati

From October 2011 until March 2013

Compositional analysis of queries' sensitivity

University of Pisa, Italy

Ecole Polytechnique and University of Pisa

Fernán Martinelli

From September 2012 until March 2013

Computation of bounds on the information flow

University of Rio Cuarto, Argentina

FP7 project MEALS

Michela Paolini

From September 2012 until December 2012

Compositionality of privacy on a probabilistic process calculus.

IMT Institute for Advanced Studies, Lucca, Italy

Grant from IMT

Note: In this section we include only the activities of the permanent internal members of Comète.

Catuscia Palamidessi is:

Member of the Editorial Board of Mathematical Structures in Computer Science, published by the Cambridge University Press.

Member of the Editorial Board of the Electronic Notes of Theoretical Computer Science, Elsevier Science.

Co-editor (with Frank Pfenning) of the special issue of Logical Methods in Computer Science dedicated to selected papers of FoSSaCS 2013.

Co-editor (with Geoffrey Smith) of the special issue of Mathematical Structures in Computer Science dedicated to Quantitative Information Flow.

Co-editor (with Samson Abramsky and Michael Mislove) of the special issue of Theoretical Computer Science dedicated to selected papers of MFPS XXV.

Co-editor (with Sebastian Mödersheim) of the proceedings of TOSCA 2011, Theory of Security and Applications.

Co-editor (with Mark Ryan) of the proceedings of TGC 2012, Trustworthy Global Computing.

Frank D. Valencia is:

Co-editor of the special issue of Mathematical Structures in Computer Science dedicated to the 18th International Workshop on Expressiveness in Concurrency.

Co-editor of the special issue of Mathematical Structures in Computer Science dedicated to the 17th International Workshop on Expressiveness in Concurrency.

Konstantinos Chatzikokolakis and Catuscia Palamidessi are:

Co-editors (with Sebastian Mödersheim) of the special issue of the Journal of Computer Security dedicated to selected papers of TOSCA 2011 and SecCo 2011.

Catuscia Palamidessi is member of:

The Council of EATCS, the European Association for Theoretical Computer Science. Since 2005.

The Steering Committee of ETAPS, the European Joint Conferences on Theory and Practice of Software. Since 2006.

The IFIP Technical Committee 1 – Foundations of Computer Science. Since 2007.

The IFIP Working Group 2.2 – Formal Description of Programming Concepts. Since 2001.

The IFIP Working Group 1.7 – Theoretical Foundations of Security Analysis and Design. Since 2010.

Frank D. Valencia is member of:

The steering committee of the International Workshop in Concurrency EXPRESS. Since 2010.

Catuscia Palamidessi has given invited talks at the following conferences and workshops:

Grande Region Security and Reliability Day. Nancy, France. March 2012.

COW 2012. The 19th CREST Open Workshop on *Interference and Dependence*, 30th April - 1st May 2012.

VECoS 2012. 6th International Workshop on Verification and Evaluation of Computer and Communication Systems. CNAM, Paris, France. August 27-28, 2012.

Catuscia Palamidessi has served as PC co-chair (together with Mark Ryan) of TGC 2012, the 7th International Symposium on Trustworthy Global Computing. Newcastle, UK, 7-8 September 2012.

Catuscia Palamidessi has co-organized (together with Boris Köpf and Pasquale Malacaria) the Dagstuhl seminar on Quantitative Security Analysis. Dagstuhl, Germany, 25-30 November 2012.

Catuscia Palamidessi has been/is a member of the program committees of the following conferences:

TGC 2013. The 8th International Symposium on Trustworthy Global Computing. Buenos Aires, Argentina, 30-31 August 2013.

ICALP 2013 Track B. The 40th International Colloquium on Automata, Languages and Programming. Riga, Latvia, 8-12 July 2013.

CSF 2013. The 26th IEEE Computer Security Foundations Symposium. Tulane University, New Orleans, Louisiana, USA, 26-28 June 2013.

LICS 2013. The Twenty-Eighth Annual ACM/IEEE Symposium on Logic in Computer Science. Tulane University, New Orleans, Louisiana, USA, 25-28 June 2013.

FOSSACS 2013. The 16th International Conference on Foundations of Software Science and Computation Structures. (Part of ETAPS 2013.) Rome, Italy, March 2013.

SOFSEM 2013. 39th International Conference on Current Trends in Theory and Practice of Computer Science. Špindlerův Mlýn, Czech Republic, January 26–31, 2013.

CARDIS 2012. The Eleventh Smart Card Research and Advanced Application Conference. Graz, Austria, 28-30 November 2012.

QEST 2012. International Conference on Quantitative Evaluation of SysTems. London, UK, September 2012.

PPDP 2012. International ACM SIGPLAN Conference on Principles and Practice of Declarative Programming. Leuven, Belgium, September 2012.

CONCUR 2012. 21st International Conference on Concurrency Theory. Newcastle, UK, September 2012.

CSF 2012. The 25th IEEE Computer Security Foundations Symposium. Cambridge MA, USA, June 2012.

POST 2012. First Conference on Principles of Security and Trust. Tallinn, Estonia, March 2012.

Frank D. Valencia has been/is a member of the program committees of the following conferences and workshops:

CONCUR 2013. The 24th International Conference on Concurrency Theory. Buenos Aires, Argentina, 27-30 August 2013.

EXPRESS 2012: Combined 19th International Workshop on Expressiveness in Concurrency and 9th Workshop on Structural Operational Semantics. Newcastle upon Tyne, UK, 3 September 2012.

ICE 2012. The 5th International Workshop on Interaction and Concurrency Experience. Stockholm, Sweden, 16 June 2012.

Konstantinos Chatzikokolakis has been/is a member of the program committees of the following conferences and workshops:

ISPEC 2013: 9th International Conference on Information Security Practice and Experience.

QAPL 2013: 11th Workshop on Quantitative Aspects of Programming Languages.

ESOP 2012: 21st European Symposium on Programming.

TGC 2012: 7th International Symposium on Trustworthy Global Computing.

ISPEC 2012: 8th International Conference on Information Security Practice and Experience.

QAPL 2012: 10th Workshop on Quantitative Aspects of Programming Languages.

Catuscia Palamidessi serves in the following committees:

President of the selection committee for the EATCS Best Paper Award at the ETAPS conferences. Since 2006.

Member of the EAPLS PhD Award committee. Since 2010.

Frank D. Valencia, Luis Fernando Pino Duque, and Andrés Aristizábal are the organizers of the Comète-Parsifal Seminar. This seminar takes place weekly at LIX, and it is meant as a forum where the members of Comète and Parsifal present their current work and exchange ideas.

Catuscia Palamidessi serves as:

Member of the Comité d'Orientation Scientifique et Technique, Groupe de travail Relation Internationales (COST-GTRI). Since November 2007.

Deputy director of LIX, the Laboratoire d'Informatique de l'Ecole Polytechnique. Since April 2010.

Member of the Comité de These for Mathematics and Computer Science at the École Polytechnique. Since October 2007.

Reviewer of project proposals for the PRIN program, sponsored by the Italian MIUR (“Ministero dell'Istruzione, dell'Università e della Ricerca”). Since 2004.

Frank Valencia has served as:

Member of the Evaluation Committee of the LIX/Qualcomm postdoc grants for the year 2012.

Master: Konstantinos Chatzikokolakis has been teaching the course “Concurrence” at the “Master Parisien de Recherche en Informatique” (MPRI) in Paris. Level M2. Total 12 hours.

Master: Miguel E. Andrés, Konstantinos Chatzikokolakis, and Catuscia Palamidessi have been teaching an advanced course on Quantitative Information Flow and on Differential Privacy at RIO 2012, the Summer School on Informatics, Río Cuarto, Argentina. Total 20 hours. 13-18 February 2012.

Master: Frank D. Valencia has been teaching an advanced course on Process Modeling in the Master Program in Computer Science of the Pontificia Universidad Javeriana de Cali, Colombia. Total 30 hours. A.Y. 2011-12.

PhD (2009-12) Andrés Aristizábal. Ecole Polytechnique. Grant CNRS/DGA. Title of the thesis: *Bisimulation Techniques and Algorithms for Concurrent Constraint Programming*.
Defended on 17 October 2012. Co-supervised by Catuscia Palamidessi and Frank D. Valencia.

PhD in progress (2012-) Marco Stronati. Ecole Polytechnique. Grant EDX Monge. Co-supervised by Catuscia Palamidessi and Konstantinos Chatzikokolakis.

PhD in progress (2011-). Ecole Polytechnique and Chinese Academy of Sciences, Beijing, China. Co-supervised by Catuscia Palamidessi and Huimin Li.

PhD in progress (2011-) Nicolás E. Bordenabe. Ecole Polytechnique. Grant Inria/DGA. Co-supervised by Catuscia Palamidessi and Konstantinos Chatzikokolakis.

PhD in progress (2011-) Luis Fernando Pino Duque. Ecole Polytechnique. Grant Inria/DGA. Co-supervised by Catuscia Palamidessi and Frank D. Valencia.

PhD in progress (2010-) Sophia Knight. Ecole Polytechnique. Grant Inria/CORDIS. Co-supervised by Catuscia Palamidessi and Frank D. Valencia.

PhD in progress (2009-) Ivan Gazeau. Ecole Polytechnique. Grant ANR. Co-supervised by Catuscia Palamidessi and Dale Miller.

Catuscia Palamidessi has been a reviewer for the theses of the following PhD students:

James Jerson Ortiz Vega (Universidad del Valle, Cali, Colombia). Title of the thesis: *Formal Methods for the Specification and Verification of Distributed and Timed Systems*. Advised by Juan Francisco Dias Frias. Defended in September 2013.

Thomas Given-Wilson (University of Technology, Sydney, Australia). Title of the thesis: *Concurrent Pattern Unification*. Advised by Barry Jay. Defended in August 2012.

Jacopo Mauro (University of Bologna, Italy). PhD thesis reviewer. Title of the thesis: *Constraints meet Concurrency*. Advised by Maurizio Gabbrielli. Defended in April 2012.

Catuscia Palamidessi has been a member of the committee at the HDR defense of Daniele Varacca, University of Paris VII, December 2012.