The goal of the Celtique project is to improve the security and reliability of software through software certificates that attest to the well-behavedness of a given piece of software. In contrast to certification techniques based on cryptographic signing, we provide certificates derived from semantic software analysis. The semantic analyses extract approximate but sound descriptions of software behaviour from which a proof of security can be constructed. The analyses of relevance include numerical data flow analysis, control flow analysis for higher-order languages, alias and points-to analysis for heap structure manipulation, and data race freedom of multi-threaded code.

Existing software certification procedures make extensive use of systematic test case generation. Semantic analysis can serve to improve these testing techniques by providing precise software models from which test suites for given test coverage criteria can be generated. Moreover, an emerging trend in mobile code security is to equip mobile code with proofs of well-behavedness that can then be checked by the code receiver before installation and execution. A prominent example of such proof-carrying code is given by the stack maps used in Java byte code verification. We propose to push this technique much further by designing certifying analyses for Java byte code that can produce compact certificates of a variety of properties. Furthermore, we will develop efficient and verifiable checkers for these certificates, relying on proof assistants like Coq to develop provably correct checkers. We target two application domains: Java software for mobile devices (in particular mobile telephones) and embedded C programs.

Celtique is a joint project with the CNRS, the University of Rennes 1 and ENS Cachan.

The European Association for Programming Languages and Systems (EAPLS) Best PhD Dissertation Award 2012 has been won by Delphine Demange (ENS Cachan - Brittany Extension and the Celtique team at IRISA / Inria Rennes, advisors Thomas Jensen and David Pichardie), for her dissertation on "Semantic Foundations of Intermediate Program Representations".

The 2013 Gilles Kahn thesis prize, awarded by the Société Informatique de France (SIF) and sponsored by the Academy of Sciences, went to Delphine Demange for her dissertation "Semantic Foundations of Intermediate Program Representations" (ENS Cachan - Brittany Extension and the Celtique team at IRISA / Inria Rennes, advisors Thomas Jensen and David Pichardie).

Static program analysis is concerned with obtaining information about the run-time behaviour of a program without actually running it. This information may concern the values of variables, the relations among them, dependencies between program values, the memory structure being built and manipulated, the flow of control, and, for concurrent programs, synchronisation among processes executing in parallel. Fully automated analyses usually render approximate information about the actual program behaviour. The analysis is correct if the information covers all possible behaviours of the program. The precision of an analysis is improved by reducing the amount of information describing spurious behaviours that will never occur.

Static analysis has traditionally found most of its applications in the area of program optimisation where information about the run-time behaviour can be used to transform a program so that it performs a calculation faster and/or makes better use of the available memory resources. The last decade has witnessed an increasing use of static analysis in software verification for proving invariants about programs. The Celtique project is mainly concerned with this latter use. Examples of static analysis include:

Data-flow analysis as it is used in optimising compilers for
imperative languages. The properties can be approximations of
the values of an expression (for instance, “the value of variable
x is always positive”).

Analyses of the memory structure include shape analysis, which aims at approximating the data structures created by a program. Alias analysis is another data flow analysis that finds out which variables in a program address the same memory location. Alias analysis is a fundamental analysis for all kinds of programs (imperative, object-oriented) that manipulate state, because alias information is necessary for the precise modelling of assignments.

Control flow analysis finds a safe approximation to the order in which the instructions of a program are executed. This is particularly relevant in languages where functions can be passed as arguments to other functions, making it impossible to determine the flow of control from the program syntax alone. The same phenomenon occurs in object-oriented languages, where it is the class of an object (rather than the static type of the variable containing the object) that determines which method a given method invocation will call. Control flow analysis is an example of an analysis whose information in itself does not lead to dramatic optimisations (although it might enable inlining of code) but is necessary for subsequent analyses to give precise results.
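The flavour of such value approximations can be conveyed by a small, self-contained sketch: a sign domain for a hypothetical expression language. The types and names below are illustrative and are not taken from any of the tools mentioned in this report.

```ocaml
(* A minimal sketch of value approximation with a sign abstract domain,
   for a hypothetical mini-language of arithmetic expressions. *)

type sign = Bot | Neg | Zero | Pos | Top    (* abstract values *)

(* abstract addition: a sound over-approximation of concrete + *)
let add_sign a b = match a, b with
  | Bot, _ | _, Bot -> Bot
  | Zero, x | x, Zero -> x
  | Pos, Pos -> Pos
  | Neg, Neg -> Neg
  | _ -> Top                                (* Pos + Neg: unknown sign *)

type expr = Const of int | Var of string | Add of expr * expr

(* evaluate an expression in an abstract environment *)
let rec eval env = function
  | Const n -> if n > 0 then Pos else if n < 0 then Neg else Zero
  | Var x -> (try List.assoc x env with Not_found -> Top)
  | Add (e1, e2) -> add_sign (eval env e1) (eval env e2)

let () =
  (* x > 0 and y > 0 entail x + y + 1 > 0, without running the program *)
  assert (eval [("x", Pos); ("y", Pos)]
            (Add (Add (Var "x", Var "y"), Const 1)) = Pos)
```

The point is that the judgement `Pos` holds for every concrete run, while imprecision shows up soundly: `Pos + Neg` is approximated by `Top`.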

Static analysis possesses strong **semantic foundations**, notably abstract
interpretation, that make it possible to prove its correctness. The
implementation of static analyses is usually based on well-understood
constraint-solving techniques and iterative fixpoint algorithms. In
spite of the nice mathematical theory of program analysis and the
solid algorithmic techniques available, one problematic issue persists,
*viz.*, the *gap* between the analysis that is proved
correct on paper and the analyser that actually runs on the
machine. While this gap might be small for toy languages, it becomes
significant for real-life languages, for which the
implementation and maintenance of program analysis tools become a
software engineering task. A *certified static analysis* is an
analysis that has been formally proved correct using a
proof assistant.

In previous work we studied the benefits of using abstract
interpretation for developing **certified static analyses**.
The development of
certified static analysers is an ongoing activity that will be part of
the Celtique project. We use the Coq proof assistant, which allows
the computational content of a constructive proof to be extracted. A Caml
implementation can hence be extracted from a proof of the existence, for
any program, of a correct approximation of the concrete program
semantics. We have isolated a theoretical framework based on abstract
interpretation that allows for the formal development of a broad range of
static analyses. Several case studies for the analysis of Java byte
code have been presented, notably a memory usage analysis.
This work has recently found
application in the context of Proof Carrying Code
and has also been successfully applied to a
particular form of static analysis based on term rewriting and tree
automata.

Precise context-sensitive control-flow analysis is a fundamental
prerequisite for precisely analysing Java programs.
Bacon and Sweeney's Rapid Type Analysis (RTA) is a
scalable algorithm for constructing an initial call graph of the
program. Tip and Palsberg have proposed a variety of
more precise but scalable call-graph construction algorithms,
*e.g.*, MTA, FTA and XTA, whose accuracy lies between that of RTA and 0-CFA.
None of these analyses is context-sensitive. As early as 1991,
Palsberg and Schwartzbach proposed a theoretical
parametric framework for typing object-oriented programs in a
context-sensitive way. In their setting, context-sensitivity is
obtained by explicit code duplication, and typing amounts to analysing
the expanded code in a context-insensitive manner. The framework
accommodates both call-contexts and allocation-contexts.

To assess the respective merits of different instantiations, scalable
implementations are needed. For Cecil and Java programs, Grove
*et al.* have explored the algorithmic design
space of contexts for benchmarks of significant size.
Later on, Milanova *et al.*
evaluated, for Java programs, a notion of context called
*object-sensitivity*, which abstracts the call-context by the
abstraction of the `this` pointer. More recently, Lhoták and
Hendren have extended the empirical
evaluation of object-sensitivity using a BDD implementation that makes it possible
to cope with benchmarks that would otherwise be out of reach.
Besson and Jensen proposed to use Datalog
in order to specify context-sensitive analyses. Whaley and
Lam have implemented a context-sensitive
analysis using a BDD-based Datalog implementation.

Control-flow analyses are a prerequisite for other analyses. For instance, the security analyses of Livshits and Lam and the race analysis of Naik, Aiken and Whaley both heavily rely on the precision of a control-flow analysis.

Control-flow analysis makes it possible to statically prove the absence of certain run-time errors such as "message not understood" or cast exceptions. Yet it does not tackle the problem of null pointers. Fähndrich and Leino propose a type system for checking that fields are non-null after object creation. Hubert, Jensen and Pichardie have formalised the type system and derived a type-inference algorithm computing the most precise typing. The proposed technique has been implemented in a tool called NIT. Null pointer detection is also performed by bug-detection tools such as FindBugs. The main difference is that the FindBugs approach is neither sound nor complete, but effective in practice.
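To give the flavour of such nullness checking, here is a deliberately naive, flow-sensitive sketch in OCaml. It is neither the Fähndrich-Leino type system nor the NIT inference algorithm: the mini-language and all names are hypothetical, and the only point illustrated is the flagging of dereferences of possibly-null variables.

```ocaml
(* A toy flavour of null-pointer analysis: a flow-sensitive check that
   flags dereferences of possibly-null variables. Illustration only. *)

type nullness = NotNull | MaybeNull        (* abstract values *)

type stmt =
  | New of string                          (* x := new C() *)
  | AssignNull of string                   (* x := null    *)
  | Copy of string * string                (* x := y       *)
  | Deref of string                        (* use x.f      *)

(* returns the indices of statements that may dereference null *)
let check prog =
  let lookup env x = try List.assoc x env with Not_found -> MaybeNull in
  let step (env, errs, i) s =
    match s with
    | New x -> ((x, NotNull) :: env, errs, i + 1)
    | AssignNull x -> ((x, MaybeNull) :: env, errs, i + 1)
    | Copy (x, y) -> ((x, lookup env y) :: env, errs, i + 1)
    | Deref x ->
        let errs = if lookup env x = MaybeNull then i :: errs else errs in
        (env, errs, i + 1)
  in
  let (_, errs, _) = List.fold_left step ([], [], 0) prog in
  List.rev errs

let () =
  (* the second deref (index 3) happens after x := null, so it is flagged *)
  assert (check [New "x"; Deref "x"; AssignNull "x"; Deref "x"] = [3])
```

A sound tool in the style of NIT would in addition handle fields, branches and method calls; FindBugs-style tools trade this soundness for practical bug-finding heuristics.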

Static analyses yield qualitative results, in the sense that they compute a safe over-approximation of the concrete semantics of a program, w.r.t. an order provided by the abstract domain structure. Quantitative aspects of static analysis are two-sided: on the one hand, one may want to express and verify (compute) quantitative properties of programs that are not captured by the usual semantics, such as time, memory, or energy consumption; on the other hand, there is a deep interest in quantifying the precision of an analysis, in order to tune the balance between the complexity of the analysis and the accuracy of its result.

The term “quantitative analysis” is often related to probabilistic models of abstract computation devices such as timed automata or process algebras. In the field of programming languages, which is more specifically addressed by the Celtique project, several approaches have been proposed for quantifying resource usage: a non-exhaustive list includes memory usage analysis based on specific type systems, linear logic approaches to implicit computational complexity, cost models for Java byte code based on size relation inference, and WCET computation by abstract interpretation based on loop-bound interval analysis techniques.

We have proposed an original approach for designing static analyses that compute program costs: inspired by a probabilistic approach, a quantitative operational semantics expressing the cost of executing a program has been defined. The semantics is seen as a linear operator over a dioid structure similar to a vector space. The notion of long-run cost is particularly interesting in the context of embedded software, since it provides an approximation of the asymptotic behaviour of a program in terms of computation cost. As in classical static analysis, an abstraction mechanism makes it possible to effectively compute an over-approximation of the semantics, both in terms of costs and of accessible states. An example of cache miss analysis has been developed within this framework.
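The linear-operator view can be conveyed by a finite-state sketch: over the (max, +) dioid, powers of a one-step cost matrix give the maximal cost of k-step executions, and the growth rate of these powers approximates the long-run cost. This toy example only illustrates the algebra; it is not the quantitative semantics of our work.

```ocaml
(* Sketch: cost semantics as a linear operator over a (max, +) dioid.
   States are indexed 0..n-1; m.(i).(j) is the cost of the transition
   i -> j (neg_infinity if absent). Matrix powers over the dioid give
   the maximal cost of k-step executions. Illustrative only. *)

let oplus = max                       (* dioid addition *)
let otimes a b =                      (* dioid product  *)
  if a = neg_infinity || b = neg_infinity then neg_infinity else a +. b

let mat_mul m1 m2 =
  let n = Array.length m1 in
  Array.init n (fun i ->
    Array.init n (fun j ->
      let acc = ref neg_infinity in
      for k = 0 to n - 1 do
        acc := oplus !acc (otimes m1.(i).(k) m2.(k).(j))
      done;
      !acc))

(* k-th dioid power of the transition-cost matrix, k >= 1 *)
let rec power m k = if k = 1 then m else mat_mul m (power m (k - 1))

let () =
  (* two states: a cheap self-loop (cost 1) and a costly one (cost 3) *)
  let m = [| [| 1.; 2. |]; [| neg_infinity; 3. |] |] in
  let m4 = power m 4 in
  (* best 4-step cost from state 0 to 1: one step to state 1, then loop *)
  assert (m4.(0).(1) = 11.)
```

The long-run cost of this toy system is the maximal mean weight of its cycles (here 3, from the costly self-loop), which is what the asymptotic growth of `power m k` captures.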

The term "software certification" has a number of meanings ranging from the formal proof of program correctness via industrial certification criteria to the certification of software developers themselves! We are interested in two aspects of software certification:

industrial, mainly process-oriented certification procedures

software certificates that convey semantic information about a program

Semantic analysis plays a role in both varieties.

Criteria for software certification such as the Common Criteria or the aviation industry norms (e.g., DO-178B) describe procedures to be followed when developing and validating a piece of software. The higher levels of the Common Criteria require a semi-formal model of the software that can be refined into executable code by traceable refinement steps. The validation of the final product is done through testing, respecting coverage criteria that must be justified with respect to the model. The use of static analysis and proofs has so far been restricted to the top level (EAL 7) of the Common Criteria and has not been integrated into the aviation norms.

Testing requirements present in existing certification procedures
pose a challenge in terms of automating the test data
generation process needed to satisfy functional and structural testing
requirements. For example, the standard document that currently
governs the development and verification process of software in
airborne systems (DO-178B) requires coverage of all the statements and
all the decisions of the program at its highest levels of criticality.
It is well known that DO-178B structural coverage is a primary
cost driver on avionics projects. Although they are widely used,
existing marketed testing tools are currently restricted to test
coverage monitoring and measurement.

So far, static analysis tools are not part of the approved certification procedures. This would require the acceptance of the static analysers by the certification authorities in a process called “qualification of the tools”, in which the tools are shown to be as robust as the software they will certify. We believe that proof assistants have a role to play in building such certified static analyses, as we have already shown by extracting provably correct analysers for Java byte code.

The particular branch of information security called "language-based
security" is concerned with the study of programming language features
for ensuring the security of software.
Programming languages such as
Java offer a variety of language constructs for securing an
application. Verifying that these constructs have been used properly
to ensure a given security property is a challenge for program
analysis.
One such problem is the confidentiality of the private data manipulated by
a program, and a large group of researchers have addressed the
problem of tracking information flow in a program in order to ensure
that, *e.g.*, a credit card number does not end up being accessible to all
applications running on a computer.
Another kind of problem concerns the way computational
resources are accessed and used, in order to ensure the
correct implementation of a given
access policy and that a given
application does not consume more resources than it has been
allocated. Members of the Celtique team have proposed a verification
technique that can check the proper use of resources of Java
applications running on mobile telephones.
**Semantic software certificates**
have been proposed as a means of dealing with the security problems caused
by mobile code that is downloaded from foreign sites of varying
trustworthiness and which can cause damage to the receiving host,
either deliberately or inadvertently. These certificates should contain
enough information about the behaviour of the downloaded code to allow
the code consumer to decide whether it
adheres to a given security policy.

In the basic PCC architecture, the only components that have to be trusted are the program logic, the proof checker of the logic, and the formalization of the security property in this logic. Neither the mobile code nor the proposed proof—and even less the tool that generated the proof—need be trusted.

In practice, the *proof checker* is a complex tool which relies
on a complex Verification Condition Generator (VCG). VCGs for real
programming languages and security policies are large and non-trivial
programs. For example, the VCG of the Touchstone verifier represents
several thousand lines of C code, and the authors observed that
"there were errors in that code that escaped the thorough testing of
the infrastructure". Many solutions have been
proposed to reduce the size of the trusted computing base. In the
*foundational proof carrying code* of Appel and
Felty, the code producer gives a direct proof
that, in some "foundational" higher-order logic, the code respects a
given security policy. Wildmoser and
Nipkow prove the soundness of a
*weakest precondition* calculus for a reasonable subset of
Java bytecode.
Necula and Schneck extend a small
trusted core VCG and describe the protocol that the untrusted verifier
must follow in interactions with the trusted infrastructure.

One of the most prominent examples of software certificates and
proof-carrying code is given by the Java byte code verifier based on
*stack maps*. Originally proposed under the term “lightweight
byte code verification” by Rose, the
technique consists in providing enough typing information (the stack
maps) to enable the byte code verifier to check byte code in one
linear scan, as opposed to inferring the type information by an
iterative data flow analysis. The Java Specification Request 202
provides a formalization of how such a verification can be carried
out.
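The contrast between one-pass checking and iterative inference can be sketched on a toy stack language. The instruction set, the two-type system and the checker below are hypothetical, not actual JVM bytecode or the JSR 202 algorithm: the checker trusts the declared stack maps at branch targets and merely verifies them during a single linear scan.

```ocaml
(* A toy illustration of stack-map style lightweight verification:
   instead of iterating a data-flow analysis, the checker makes one
   linear scan, checking the stack types declared at branch targets. *)

type ty = Int | Ref
type instr =
  | Push of ty
  | Pop
  | IfGoto of int    (* pops an Int; may branch to the given index *)

(* stack_maps: association list from target index to declared stack *)
let verify code stack_maps =
  let ok = ref true in
  let stack = ref [] in
  for pc = 0 to Array.length code - 1 do
    (* at a declared target, the current stack must match the map *)
    (match List.assoc_opt pc stack_maps with
     | Some m -> if !stack <> m then ok := false
     | None -> ());
    (match code.(pc) with
     | Push t -> stack := t :: !stack
     | Pop -> (match !stack with
               | _ :: s -> stack := s
               | [] -> ok := false)              (* stack underflow *)
     | IfGoto target ->
         (match !stack with
          | Int :: s ->
              stack := s;
              (* the map declared at the target must match right now *)
              (match List.assoc_opt target stack_maps with
               | Some m -> if !stack <> m then ok := false
               | None -> ok := false)
          | _ -> ok := false))
  done;
  !ok

let () =
  (* a well-typed backward branch, accepted in one pass *)
  assert (verify [| Push Int; Push Int; IfGoto 1 |] [ (1, [Int]) ]);
  (* a wrong stack map is rejected, again in one pass *)
  assert (not (verify [| Push Ref; Push Int; IfGoto 1 |] [ (1, [Int]) ]))
```

Without the maps, typing the backward branch would require iterating a data-flow analysis to a fixpoint; with them, the verifier only checks a claimed fixpoint, which is exactly the lightweight-verification idea.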


A *certified static analysis* is an analysis whose implementation
has been formally proved correct using a proof assistant. Such an
analysis can be developed in a proof assistant like Coq
by programming the analyser inside the assistant and formally proving
its correctness. The Coq extraction mechanism then allows a Caml
implementation of the analyser to be extracted. The feasibility of
this approach has been demonstrated in previous work.

We also develop this technique through certified reachability analysis over term rewriting systems. Term rewriting systems are a very general, simple and convenient formal model for a large variety of computing systems. For instance, they offer a very simple way to describe deduction systems, functions, parallel processes or state transition systems, where rewriting models respectively deduction, evaluation, progression or transitions. Furthermore, rewriting can model any combination of them (for instance two parallel processes running functional programs).

Depending on the computing system modelled using rewriting, reachability (and unreachability) analysis makes it possible to verify properties of the system: respectively, prove that a deduction is feasible, prove that a function call evaluates to a particular value, show that a process configuration may occur, or show that a state is reachable from the initial state. As a consequence, reachability analysis has several applications in the equational proofs used in theorem provers and proof assistants, as well as in verification, where term rewriting systems can model programs.

For proving unreachability, i.e. safety properties, we already have
results based on the over-approximation of the set of reachable
terms. We defined a simple and efficient
algorithm
for computing exactly the set of reachable terms when it is regular,
and for constructing an over-approximation otherwise. This algorithm consists of
a *completion* of a *tree automaton*, taking advantage
of the ability of tree automata to finitely represent infinite sets of
reachable terms.

To certify the corresponding analysis, we have defined a checker guaranteeing that a tree automaton is a valid fixpoint of the completion algorithm. This consists in showing that, for every term recognised by the tree automaton, all of its rewrites are also recognised by the same automaton. This checker has been formally defined in Coq, and an efficient OCaml implementation has been automatically extracted. This checker is now used to certify all analysis results produced by the regular completion tool as well as by its optimised version.
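The closure condition that the checker establishes can be illustrated, for the restricted case of ground rewrite rules, by a short OCaml sketch. The real, Coq-extracted checker handles rules with variables and an efficient automaton representation; everything below is a simplification.

```ocaml
(* Simplified flavour of the fixpoint checker: for ground rewrite
   rules only, verify that whenever a left-hand side is recognised in
   some state of a bottom-up tree automaton, the right-hand side is
   recognised in the same state. *)

type term = App of string * term list
type state = Q of int
(* transitions: f(q1,...,qn) -> q *)
type automaton = (string * state list * state) list

(* is the ground term recognised in state q? *)
let rec recognised auto (App (f, args)) q =
  List.exists
    (fun (g, qs, q') ->
       g = f && q' = q
       && List.length qs = List.length args
       && List.for_all2 (recognised auto) args qs)
    auto

(* closure check for ground rules (lhs, rhs) over the given states *)
let closed auto states rules =
  List.for_all
    (fun (l, r) ->
       List.for_all
         (fun q -> not (recognised auto l q) || recognised auto r q)
         states)
    rules

let () =
  (* automaton recognising the naturals s^n(zero) in state Q 0 *)
  let auto = [ ("zero", [], Q 0); ("s", [Q 0], Q 0) ] in
  let zero = App ("zero", []) and s t = App ("s", [t]) in
  (* closed under the ground rule s(zero) -> zero *)
  assert (closed auto [Q 0] [ (s zero, zero) ]);
  (* a rule whose right-hand side is not recognised is rejected *)
  assert (not (closed auto [Q 0] [ (s zero, App ("one", [])) ]))
```

Checking this closure property is much cheaper than re-running completion, which is why the extracted checker can certify results produced by an untrusted, optimised completion tool.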

Javalib is an efficient library for parsing Java .class files into OCaml data structures, thus enabling the OCaml programmer to extract information from class files, to manipulate them, and to generate valid .class files.

See also the web page http://

Version: 2.3

Programming language: OCaml

Sawja is a library written in OCaml, relying on Javalib to provide a high-level representation of Java bytecode programs. Its name comes from Static Analysis Workshop for JAva. Whereas Javalib is dedicated to isolated classes, Sawja handles bytecode programs with their class hierarchy, together with control-flow algorithms.

Moreover, Sawja provides some stackless intermediate representations of code, called JBir and A3Bir. The transformation algorithm, common to these representations, has been formalized and proved to be semantics-preserving.
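The idea behind such stackless representations can be sketched by symbolically executing the operand stack and emitting assignments over expression trees. The toy instruction set and transformation below are illustrative only; they are not Sawja's actual, semantics-preserving JBir/A3Bir algorithm.

```ocaml
(* Sketch of the idea behind stackless representations: symbolically
   execute the operand stack and emit assignments over expression
   trees instead of stack operations. Toy instruction set. *)

type expr = Const of int | Var of string | Add of expr * expr
type instr = IPush of int | ILoad of string | IAdd | IStore of string
type assign = string * expr             (* x := e *)

let rec show = function
  | Const n -> string_of_int n
  | Var x -> x
  | Add (a, b) -> "(" ^ show a ^ " + " ^ show b ^ ")"

(* symbolic execution: a stack of expressions; IStore flushes to a var *)
let transform code =
  let step (stack, out) = function
    | IPush n -> (Const n :: stack, out)
    | ILoad x -> (Var x :: stack, out)
    | IAdd -> (match stack with
               | b :: a :: s -> (Add (a, b) :: s, out)
               | _ -> failwith "stack underflow")
    | IStore x -> (match stack with
                   | e :: s -> (s, (x, e) :: out)
                   | _ -> failwith "stack underflow")
  in
  let (_, out) = List.fold_left step ([], []) code in
  List.rev out

let () =
  (* y := (x + 1) + 2, with no mention of an operand stack *)
  let code = [ ILoad "x"; IPush 1; IAdd; IPush 2; IAdd; IStore "y" ] in
  match transform code with
  | [ ("y", e) ] -> assert (show e = "((x + 1) + 2)")
  | _ -> assert false
```

Real bytecode adds branches, side effects and exceptions, which is precisely why the actual transformation was formalized and proved semantics-preserving rather than trusted.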

See also the web page http://

Version: 1.5

Programming language: OCaml

Static program analysis, Javacard, Certification, AFSCM

`Jacal` is a JAvaCard AnaLyseur developed on top of the SAWJA
(see Section ) platform.
This proprietary software automatically verifies that JavaCard programs conform to the security
guidelines issued by the AFSCM (Association Française du Sans Contact
Mobile).
`Jacal` is based on the theory of abstract interpretation and combines several object-oriented and
numeric analyses to automatically infer sophisticated invariants about the program behaviour.
The result of the analysis is then harvested to check that it is sufficient to ensure the desired security properties.

Timbuk is a library of OCaml functions for manipulating tree
automata. More precisely, Timbuk deals
with finite bottom-up tree automata (deterministic or not). The
library provides the classical operations over tree automata (intersection,
union, complement, emptiness decision) as well as the computation of exact or
approximated sets of
terms reachable by a given term rewriting system. This last operation can be
certified using a checker extracted from a Coq specification; the checker is
now part of the Timbuk distribution. The distribution also provides a
CounterExample Guided Abstraction Refinement (CEGAR) tool for tree
automata completion, whose CEGAR part is based on the Buddy BDD library.
Timbuk also provides an implementation of Lattice Tree Automata to
(efficiently) represent built-in values such as integers, strings, etc. in
recognized tree languages. See also the web page http://

Version: 3.1

Programming language: OCaml

The JSCert project aims to really understand JavaScript. JSCert itself is a mechanised specification of JavaScript, written in the Coq proof assistant, which closely follows the ECMAScript 5 English standard. JSRef is a reference interpreter for JavaScript in OCaml, which has been proved correct with respect to JSCert and tested with the Test 262 test suite.

We plan to build other verification and analysis projects on top of JSCert and JSRef, in particular the certification of derivations in program logics or static analyses.

This project is an ongoing collaboration between Inria and Imperial
College. More information is available at http://

We investigate different approaches for dynamically tracking information flows.

The first track of work is motivated by web-browser security. In a survey, we have classified JavaScript security policies and their enforcement mechanisms in a web browser. We have identified the problem of stateless web tracking (fingerprinting) and have proposed a novel approach to hybrid information flow monitoring that tracks the knowledge about secret variables using logical formulae. A logical formula quantifies the amount of knowledge stored in a variable, and this knowledge representation helps to compare and improve the precision of hybrid information flow monitors. We define a generic hybrid monitor parametrised by a static analysis and derive sufficient conditions on the static analysis for soundness and relative precision of hybrid monitors. We instantiate the generic monitor with a combined static constant and dependency analysis. Several other hybrid monitors, including those based on well-known hybrid techniques for information flow control, are formalised as instances of our generic hybrid monitor. These monitors are organised into a hierarchy that establishes their relative precision. The whole framework is accompanied by a formalisation of the theory in the Coq proof assistant.
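The purely dynamic core that such hybrid monitors refine can be sketched as follows: every value carries a label, and assignments join the label of the assigned expression with the label of the control context. This toy monitor (hypothetical mini-language, two-point lattice) ignores untaken branches; supplementing it with a static analysis of those branches is precisely what makes a monitor hybrid.

```ocaml
(* A much-simplified dynamic information-flow monitor for a toy
   language: values carry Low/High labels; assignments join the label
   of the expression with the label of the program counter (pc),
   which accounts for implicit flows along the taken branch. *)

type label = Low | High
let join a b = if a = High || b = High then High else Low

type expr = Const of int | Var of string | Plus of expr * expr
type stmt = Assign of string * expr | If of expr * stmt list * stmt list

let rec eval env = function
  | Const n -> (n, Low)
  | Var x -> List.assoc x env
  | Plus (a, b) ->
      let (va, la) = eval env a and (vb, lb) = eval env b in
      (va + vb, join la lb)

(* pc is the label of the current control context *)
let rec exec pc env = function
  | Assign (x, e) ->
      let (v, l) = eval env e in
      (x, (v, join l pc)) :: env          (* implicit flow via pc *)
  | If (e, s1, s2) ->
      let (v, l) = eval env e in
      let branch = if v <> 0 then s1 else s2 in
      List.fold_left (exec (join pc l)) env branch

let () =
  (* y depends implicitly on the high variable h: the monitor tracks it *)
  let env = [ ("h", (1, High)) ] in
  let env' =
    List.fold_left (exec Low) env
      [ If (Var "h", [ Assign ("y", Const 1) ], [ Assign ("y", Const 0) ]) ]
  in
  assert (List.assoc "y" env' = (1, High))
```

A purely dynamic monitor like this one cannot see assignments in the branch that was not executed; the knowledge-based monitors of our work use a static analysis of those branches, which is what the soundness and relative-precision conditions of the generic framework are about.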

Our second activity is related to SAFE, a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to control information flow in SAFE and an end-to-end proof of noninterference for this model in the Coq proof assistant .

We develop a specific theory and the related tools for analyzing programs whose semantics is defined using term rewriting systems. The analysis principle is based on regular approximations of infinite sets of terms reachable by rewriting. The tools we develop use so-called Tree Automata Completion to compute a tree automaton recognizing a superset of all reachable terms. This over-approximation is then used to prove safety properties of the program by showing that some “bad” terms, encoding dangerous or problematic configurations, are not in the superset and thus not reachable. This is a specific form of so-called Regular Tree Model Checking. However, when dealing with infinite-state systems, Regular Tree Model Checking approaches may have difficulties in representing infinite sets of data. We proposed Lattice Tree Automata, an extended version of tree automata, to represent complex data domains and their related operations in an efficient manner. Moreover, we introduced a new completion-based algorithm for computing the possibly infinite set of reachable states in a finite amount of time. This algorithm is independent of the lattice, making it possible to seamlessly plug abstract domains into a Regular Tree Model Checking algorithm. As a first instance, we implemented in Timbuk a completion with an interval abstract domain. We showed that this implementation makes it possible to scale up regular tree model checking of Java programs dealing with integer arithmetic. We now aim at applying this technique to the static analysis of programming languages whose semantics is based on terms, such as functional programming languages.

The automation of the deductive approach to program verification crucially depends on the ability to efficiently infer and discharge program invariants. In an ideal world, user-provided invariants would be strengthened by incorporating the result of static analysers as untrusted annotations and discharged by automated theorem provers. However, the results of object-oriented analyses are heavily quantified and cannot be discharged, within reasonable time limits, by state-of-the-art automated theorem provers. In the present work, we investigate an original approach for verifying automatically and efficiently the result of certain classes of object-oriented static analyses using off-the-shelf automated theorem provers. We propose to generate verification conditions that are generic enough to capture, not a single, but a family of analyses which encompasses Java bytecode verification and Fähndrich and Leino's type system for checking null pointers. For those analyses, we show how to generate tractable verification conditions that are still quantified but fall in a decidable logic fragment that is reducible to Effectively Propositional logic. Our experiments confirm that such verification conditions are efficiently discharged by off-the-shelf automated theorem provers.

Recent advances in verification have made it possible to envision
trusted implementations of real-world languages. Java with its
type-safety and fully specified semantics would appear to be an
ideal candidate; yet, the complexity of the translation steps used
in production virtual machines has made it a challenging target for
verifying compiler technology. One of Java's key innovations, its
memory model, poses significant obstacles to such an endeavor. The
Java Memory Model is an ambitious attempt at specifying the behavior
of multithreaded programs in a portable, hardware agnostic, way.
While experts have an intuitive grasp of the properties that the
model should enjoy, the specification is complex and not well-suited
for integration within a verifying compiler infrastructure.
Moreover, the specification is given in an axiomatic style that is
distant from the intuitive reordering-based reasonings traditionally
used to justify or rule out behaviors, and ill suited to the kind of
operational reasoning one would expect to employ in a compiler. We
take a step back and introduce a *Buffered Memory Model*
(BMM) for Java . We choose a pragmatic
point in the design space sacrificing generality in favor of a model
that is fully characterized in terms of the reorderings it allows,
amenable to formal reasoning, and which can be efficiently applied
to a specific hardware family, namely x86 multiprocessors. Although
the BMM restricts the reorderings compilers are allowed to perform,
it serves as the key enabling device to achieving a verification
pathway from bytecode to machine instructions. Despite its
restrictions, we show that it is backwards compatible with the Java
Memory Model and that it does not cripple performance on TSO
architectures.

Static analyzers based on abstract interpretation are complex pieces of software implementing delicate algorithms. Even if static analysis techniques are well understood, their implementation on real languages is still error-prone.

Using the Coq proof assistant, we formalized a value analysis (based on abstract interpretation) and a soundness proof of this analysis. The formalization relies on generic interfaces. The mechanized proof is facilitated by a translation validation of a Bourdoncle fixpoint iterator. The work has been integrated into the CompCert verified C compiler. Our verified analysis directly operates over an intermediate language of the compiler having the same expressiveness as C. The automatic extraction of our value analysis into OCaml yields a program with competitive results, obtained from experiments on a number of benchmarks and comparisons with the Frama-C tool. The value analysis was also applied in a loop-bound estimation tool for WCET analysis, relying additionally on program slicing and loop-bound calculation.
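The kind of interval reasoning involved can be conveyed by a minimal widening iteration in OCaml. This is only an illustration of the technique (a hypothetical one-variable loop), not the formally verified analyser.

```ocaml
(* A minimal flavour of value analysis with intervals: iterate the
   abstract effect of a loop body and apply widening to force
   convergence. Floats are used so that bounds can be infinite. *)

type itv = Bot | Itv of float * float

let join a b = match a, b with
  | Bot, x | x, Bot -> x
  | Itv (l1, u1), Itv (l2, u2) -> Itv (min l1 l2, max u1 u2)

(* widening: unstable bounds jump to infinity, ensuring termination *)
let widen a b = match a, b with
  | Bot, x | x, Bot -> x
  | Itv (l1, u1), Itv (l2, u2) ->
      Itv ((if l2 < l1 then neg_infinity else l1),
           (if u2 > u1 then infinity else u1))

(* abstract effect of the loop body  i := i + 1 *)
let body = function Bot -> Bot | Itv (l, u) -> Itv (l +. 1., u +. 1.)

(* post-fixpoint of  x = init `join` body x  by widening iteration *)
let rec lfp init x =
  let x' = widen x (join init (body x)) in
  if x' = x then x else lfp init x'

let () =
  (* starting from i = 0, the loop yields i in [0, +inf) *)
  assert (lfp (Itv (0., 0.)) Bot = Itv (0., infinity))
```

The widening step is exactly what a Bourdoncle-style iterator applies at loop heads; translation validation then only has to check that the final abstract state is indeed a post-fixpoint, which is much easier than proving the iteration strategy itself.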

Moreover, we formalized static analyses for logic programming, relying on results about the relative correctness of semantics in different styles: forward and backward, top-down and bottom-up. The results chosen are paradigmatic of the kind of correctness theorems that semantic analyses rely on and are therefore well-suited to explore the possibilities afforded by the application of interactive theorem provers to this task, as well as the difficulties likely to be encountered in the endeavour.

We also study the development of certified information flow analyses based on a formal semantics of JavaScript. We have in particular presented a technique for deriving semantic program analyses from a natural semantics specification of the programming language. The technique is based on the pretty-big-step semantics approach applied to a language with simple objects called O'While. We have specified a series of instrumentations of the semantics that make explicit the flows of values in a program. This leads to a semantics-based dependency analysis, at the core of, e.g., tainting or information flow analyses in software security.

JavaScript is the most widely used web language for client-side applications. Whilst the development of JavaScript was initially led by implementation, there is now increasing momentum behind the ECMA standardisation process. The time is ripe for a formal, mechanised specification of JavaScript, to clarify ambiguities in the ECMA standards, to serve as a trusted reference for high-level language compilation and JavaScript implementations, and to provide a platform for high-assurance proofs of language properties. We present JSCert, a formalisation of the current ECMA standard in the Coq proof assistant, and JSRef, a reference interpreter for JavaScript extracted from Coq to OCaml. We give a Coq proof that JSRef is correct with respect to JSCert, and assess JSRef using test262, the ECMA conformance test suite. Our methodology ensures that JSCert is a comparatively accurate formulation of the English standard, which will only improve as time goes on. We have demonstrated that modern techniques of mechanised specification can handle the complexity of JavaScript.

Concurrent reversibility has been studied in different areas, such as biological systems and dependable distributed systems. However, only "rigid" reversibility has been considered, allowing one to go back to a past state and restart the exact same computation, possibly leading to divergence. We present a concurrent calculus featuring *flexible reversibility*, allowing the specification of alternatives to a computation to be used upon rollback. Alternatives in processes of this calculus are attached to messages. We show the robustness of this mechanism by encoding more complex idioms for specifying flexible reversibility, and we illustrate the benefits of our approach by encoding a calculus of communicating transactions.

We have proposed an abstract interpretation based method for inferring polynomial invariants. Our analysis uses a form of weakest precondition calculus which was already observed to be well adapted to polynomial disequality guards, and which we extend to equality guards by using parameterized polynomial division. We have shown that the choice of a suitable division operation is crucial at each iteration step in order to compute the invariant. Based on this analysis, we have designed a constraint-based algorithm for inferring polynomial invariants. We have identified heuristics to solve equality constraints between ideals, and implemented the whole analysis algorithm in Maple. A salient feature of this analysis, which distinguishes it from the approaches proposed so far in the literature, is that it does not require Gröbner basis computations, which are known to be costly on parameterized polynomials. Our benchmarks show that our analyzer can successfully infer invariants on a sizeable set of examples, while performing two orders of magnitude faster than other existing implementations.
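As a concrete illustration of what such an invariant looks like, the following Python snippet (a numeric sanity check of ours, not the Maple analysis) verifies that the polynomial 4x - y^2 + 2y - 1 vanishes on every reachable state of the classic loop `x, y := x + y, y + 2` started from `(0, 1)`; the loop example and candidate polynomial are textbook material, not taken from our benchmarks.

```python
# Candidate polynomial invariant for the loop:
#   x, y := 0, 1
#   while ...: x, y := x + y, y + 2
# The invariant states that 4x - y^2 + 2y - 1 = 0 at the loop head
# (equivalently, 4x = (y - 1)^2).

def candidate(x, y):
    return 4 * x - y * y + 2 * y - 1

def run_loop(iterations):
    """Execute the loop and record the candidate's value at each state."""
    x, y = 0, 1
    values = [candidate(x, y)]
    for _ in range(iterations):
        x, y = x + y, y + 2
        values.append(candidate(x, y))
    return values
```

The candidate evaluates to zero on every state reached, which is exactly the property a polynomial invariant must have; the actual analysis establishes it for all states symbolically, via weakest preconditions and parameterized polynomial division rather than testing.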

Static program analysis, Javacard, Certification, AFSCM

Partner : FIME

Period: Starting January 2012; ending June 2013

The FIME contract consists of an industrial transfer of the Sawja platform, adapted to analyse Javacard programs according to the AFSCM (Association Française du Sans Contact Mobile) security guidelines. The rules specify syntactic constraints but also more semantic properties, such as the absence of certain runtime exceptions. FIME aims at automating the process of validating that Javacard applications conform to the rules. The outcome of the project is the Jacal (JAvaCard AnaLyser) tool, which takes a binary Javacard application, performs static analysis, and outputs statuses for the different rules. Pierre Vittet has recently been recruited by FIME, and the operational deployment of Jacal is in progress.

The Celtique team collaborates with DGA-MI, a research laboratory belonging to the French army, and located in Rennes. The collaboration has several facets.

We run a joint bi-monthly seminar on Security and Formal Methods. This seminar attracts attendance from academia and industry.

DGA-MI is funding a PhD thesis, supervised jointly, on code obfuscation.

Colas Le Guernic, a DGA-MI researcher, is an external collaborator of Celtique on our activities on the analysis of binary code.

Process calculi, Verification, Proof Assistants

The goal of the PiCoq project is to develop an environment for the formal verification of properties of distributed, component-based programs. The project's approach lies at the interface between two research areas: concurrency theory and proof assistants. Achieving this goal relies on three scientific advances, which the project intends to address:

Finding mathematical frameworks that ease modular reasoning about concurrent and distributed systems: due to their large size and complex interactions, distributed systems cannot be analysed in a global way. They have to be decomposed into modular components, whose individual behaviour can be understood.

Improving existing proof techniques for distributed/modular systems: while behavioural theories of first-order concurrent languages are well understood, this is not the case for higher-order ones. We also need to generalise well-known modular techniques that have been developed for first-order languages to facilitate formalization in a proof assistant, where source code redundancies should be avoided.

Defining core calculi that both reflect concrete practice in distributed component programming and enjoy nice properties w.r.t. behavioural equivalences.

The project partners include Inria, LIP, and Université de Savoie. The project runs from November 2010 to October 2014.

Static program analysis, Certified static analysis

The VERASCO project (2012–2015) is funded by the call ISN 2011, a program of the Agence Nationale de la Recherche. It investigates the formal verification of static analyzers and of compilers, two families of tools that play a crucial role in the development and validation of critical embedded software. It is a joint project with the Inria teams Abstraction and Gallium, the VERIMAG laboratory and the Airbus company.

Binary code, Static program analysis

The BINSEC project (2013–2017) is funded by the call ISN 2012, a program of the Agence Nationale de la Recherche. The goal of the project is to develop static analysis techniques and tools for performing automatic security analyses of binary code. We target two main application domains: vulnerability analysis and virus detection.

BINSEC is a joint project with the Inria Carte team, CEA LIST, Verimag, EADS IW and Vupen Security.

The SecCloud project, started in 2012, will provide a comprehensive language-based approach to the definition, analysis and implementation of secure applications developed using Javascript and similar languages. Our high-level objective is to enhance the security of devices (PCs, smartphones, etc.) onto which Javascript applications can be downloaded, and hence client-side security in the context of the Cloud. We will achieve this by focusing on three related issues: declarative security properties and policies for client-side applications, static and dynamic analysis of web scripting languages, and multi-level information flow monitoring.

This is a joint project with Supelec Rennes and Ecole des Mines de Nantes.

A strong collaboration is ongoing with researchers from Imperial College (UK) in the setting of the JSCert project.

In 2013, Martin Bodin, Thomas Jensen, and Alan Schmitt visited Imperial College twice. Daiva Naudziuniene, a PhD student of Philippa Gardner, also did a one-month internship in the Celtique team in the setting of this collaboration.

David Pichardie was on sabbatical in 2012, in Jan Vitek's group at Purdue University, Indiana, USA. The strong collaboration is still ongoing, and an Associate Team proposal for 2014-2016 was submitted in 2013 as part of an Inria International program. The JCert project aims at verifying the compilation of concurrent managed languages, following the previous outcomes of the informal collaboration: a new memory model for concurrent Java that is more suitable for formal verification, as well as a refinement-based proof methodology (under submission) that allows compositional reasoning about the atomicity of low-level concurrent code fragments. If the proposal is accepted, David Pichardie will be the Inria principal investigator of the JCert project, and Delphine Demange, Thomas Jensen, and Vincent Laporte will also be active participants.

Subject: Protection from Web Tracking: Analysis of web browser fingerprints

Date: from Mar 2013 until Apr 2013

Institution: University of Buenos Aires (Argentina)

David Pichardie took a sabbatical year and visited Greg Morrisett's group at Harvard University, Cambridge, USA in 2013. During this sabbatical, he worked on the DARPA SAFE project with Harvard University and the University of Pennsylvania.

Sandrine Blazy and David Pichardie co-chaired and organized in Rennes the international conference ITP 2013 and its two related workshops. Sandrine Blazy is a member of the steering committee of the ITP conference.
Sandrine Blazy served on the organizing committee of the international conferences
VMCAI 2013 and LPAR 2013. Sandrine Blazy was
scientific director of the “Languages and software engineering
department” of IRISA until September 2013.
Sandrine Blazy gave an invited talk at the VSTTE 2013 conference in
Menlo Park, USA.
David Pichardie served on the external reviewing committee of the international conference
PLDI 2013 and the organizing committee of the international
workshops BYTECODE 2013, PxTP 2013 and Coq Workshop 2013.
David Pichardie is chair of the department of Computer Science at ENS Rennes.
Alan Schmitt co-chaired and organized the International Symposium on Database Programming Languages, co-located with VLDB, in Trento, Italy.

Master : Frédéric Besson, Compilation, 68h, level M1, Insa Rennes, France

Licence : Sandrine Blazy, Programmation fonctionnelle, 30h, L3, Rennes 1, France

Master : Sandrine Blazy, Méthodes Formelles pour le développement de logiciels sûrs, 53h, M1, Rennes 1, France

Master : Sandrine Blazy, Software vulnerabilities, 26h, M2, Rennes 1

Master : Sandrine Blazy, Mechanised semantics, 15h, M2, Rennes 1, France

Licence : David Cachera, Formal Languages and Computability, 24h, L3, ENS Rennes

Licence : David Cachera, Logics, 24h, L3, ENS Rennes

Licence : David Cachera, Algorithmics, 12h, L3, ENS Rennes

Master : David Cachera, Programming Language Semantics, 24h, M1, Rennes 1

Licence : Delphine Demange, Algorithmique et Programmation Fonctionnelle, 80h, level L1, Université de Rennes 1 / Istic, France

Master : Delphine Demange, Sémantique, 8h, level M1, Université de Rennes 1 / Istic / ENS Cachan Antenne Bretagne, France

Licence : Thomas Genet, Programmation fonctionnelle, 32h, level L3, Université de Rennes 1 / Istic, France

Master : Thomas Genet, Conception et vérification formelle, 90h, level M1, Université de Rennes 1 / Istic, France

Master : Thomas Genet, Protocoles cryptographiques, 24h, level M2, Université de Rennes 1 / Istic, France

Master : Thomas Jensen, Program analysis, 14h, M2, Rennes

Master : Thomas Jensen, Software security, 20h, M2, Rennes

Licence : David Pichardie, Algorithms, 60h, L3, ENS Rennes

Master : David Pichardie, Mechanised semantics, 15h, M2, Rennes 1, France

Master : David Pichardie, Program analysis, 6h, M2, Rennes

Licence : Alan Schmitt, Programmation Fonctionnelle, 37h, level L3, Insa Rennes, France

PhD : Pierre-Emmanuel Cornilleau, Certification of static analysis in many-sorted first-order logic, ENS Cachan - Brittany Extension, 25 March 2013, Thomas Jensen and Frédéric Besson

PhD in progress : Pierre Wilke, Reverse engineering of self-modifying code by static analysis, 1st August 2013, Sandrine Blazy and Frédéric Besson

PhD in progress : Valérie Murat, Automatic verification of infinite state systems by tree automata completion, 1st August 2011, Thomas Genet

PhD in progress : Yann Salmon, Reachability for Term Rewriting Systems under Strategies, 1st August 2012, Thomas Genet

PhD in progress: Andre Oliveira Maroneze, Verified compilation and worst-case execution time computation, September 2010, Sandrine Blazy, David Pichardie and Isabelle Puaut

PhD in progress: Stéphanie Riaud, Program transformations relevant to software security, September 2011, Sandrine Blazy

PhD in progress: Vincent Laporte, Formal verification of static analyses for low-level languages, September 2012, Sandrine Blazy and David Pichardie

PhD in progress: David Bühler, Communication between analyses by deductive verification and abstract interpretation, November 2013, Sandrine Blazy and Boris Yakobowski (CEA)

PhD in progress : Martin Bodin, Certified Analyses of JavaScript, 1st September 2012, Thomas Jensen and Alan Schmitt

PhD in progress : Oana Andreescu, Proof reusability in the formal modeling of secure operating systems, 1st September 2013, Thomas Jensen and Stephane Lescuyer (Prove & Run)

PhD in progress : Pauline Bolignano, Formal methods for minimizing a trusted computing base in an operating system, 1st October 2013, Thomas Jensen and Vincent Siles (Prove & Run)

Frédéric Besson, jury member for the PhD defense of Mohamed Iguernelala, July 10th 2013

Sandrine Blazy, jury member (reviewer) for the PhD defense of Cédric Auger, February 2013, University Paris Sud

Sandrine Blazy, jury member (reviewer) for the PhD defense of Suman Saha, March 2013, University Paris 6

Sandrine Blazy, jury member (president) for the PhD defense of Benjamin Lesage, May 2013, University Rennes 1

Sandrine Blazy, jury member (reviewer) for the PhD defense of Xiaomu Shi, July 2013, Grenoble University

Sandrine Blazy, jury member for the PhD defense of Pierre Néron, October 2013, École Polytechnique

Sandrine Blazy, jury member (reviewer) for the PhD defense of Jean Fortin, October 2013, University Paris East

Thomas Jensen, jury member (examiner) for the PhD defense of Andreas Lundblad, March 2013, Royal Institute of Technology (KTH), Stockholm, Sweden.

Thomas Jensen, jury member (reviewer) for the PhD defense of Michal Terepeta, October 2013, Technical University of Denmark.

Thomas Jensen, jury member (president) for the PhD defense of Yassamine Seladji, November 2013, Ecole Polytechnique.

Thomas Jensen, jury member (reviewer, president) for the PhD defense of Quentin Sabah, December 2013, University of Grenoble.

David Pichardie, jury member (president) for the PhD defense of Sebastien Chédor, December 2013, University Rennes 1

Frédéric Besson and Nataliia Bielova presented their approach for quantifying web fingerprinting in the "Du côté de la recherche" section of the November issue of Ouest Inria.

David Pichardie organised the third edition of the French Castor Informatique contest. This contest promotes computer science in secondary schools and high schools. It is organised by Inria, ENS Cachan and the France IOI association, and supported by CNRS, Pascaline, the SIF and API associations. In 2013, there were about 170,000 participants.