The overall goal of the Celtique project is to improve the security and reliability of software with semantic certification that attests to its well-behavedness. The semantic analyses extract approximate but sound descriptions of software behaviour from which a proof of security can be constructed. The analyses of relevance include numerical data flow analysis, control flow analysis for higher-order languages, alias and points-to analysis for heap structure manipulation, and various kinds of information flow analysis.

To achieve this goal, the project conducts work on improving semantic analysis techniques, as well as work on using proof assistants such as Coq to develop and prove properties of these analyses. We are applying such techniques to a variety of source languages, including Java, C, and JavaScript. We also study how these techniques apply to low-level languages, and how they can be combined with certified compilation.

We target three application domains: Java software for small devices (in particular smart cards and mobile telephones), embedded C programs, and web applications.

Celtique is a joint project with the CNRS, the University of Rennes 1 and ENS Rennes.

Static program analysis is concerned with obtaining information about the run-time behaviour of a program without actually running it. This information may concern the values of variables, the relations among them, dependencies between program values, the memory structure being built and manipulated, the flow of control, and, for concurrent programs, synchronisation among processes executing in parallel. Fully automated analyses usually render approximate information about the actual program behaviour. The analysis is correct if the information includes all possible behaviour of a program. Precision of an analysis is improved by reducing the amount of information describing spurious behaviour that will never occur.

Static analysis has traditionally found most of its applications in the area of program optimisation where information about the run-time behaviour can be used to transform a program so that it performs a calculation faster and/or makes better use of the available memory resources. The last decade has witnessed an increasing use of static analysis in software verification for proving invariants about programs. The Celtique project is mainly concerned with this latter use. Examples of static analysis include:

Data-flow analysis as it is used in optimising compilers for
imperative languages. The properties can either be approximations of
the values of an expression (“the value of variable

Analyses of the memory structure includes shape analysis that aims at approximating the data structures created by a program. Alias analysis is another data flow analysis that finds out which variables in a program addresses the same memory location. Alias analysis is a fundamental analysis for all kinds of programs (imperative, object-oriented) that manipulate state, because alias information is necessary for the precise modelling of assignments.

Control flow analysis will find a safe approximation to the order in which the instructions of a program are executed. This is particularly relevant in languages where parameters or functions can be passed as arguments to other functions, making it impossible to determine the flow of control from the program syntax alone. The same phenomenon occurs in object-oriented languages where it is the class of an object (rather than the static type of the variable containing the object) that determines which method a given method invocation will call. Control flow analysis is an example of an analysis whose information in itself does not lead to dramatic optimisations (although it might enable in-lining of code) but is necessary for subsequent analyses to give precise results.

Static analysis possesses strong **semantic foundations**, notably abstract
interpretation , that allow to prove its correctness. The
implementation of static analyses is usually based on well-understood
constraint-solving techniques and iterative fixpoint algorithms. In
spite of the nice mathematical theory of program analysis and the
solid algorithmic techniques available one problematic issue persists,
*viz.*, the *gap* between the analysis that is proved
correct on paper and the analyser that actually runs on the
machine. While this gap might be small for toy languages, it becomes
important when it comes to real-life languages for which the
implementation and maintenance of program analysis tools become a
software engineering task. A *certified static analysis* is an
analysis that has been formally proved correct using a
proof assistant.

In previous work we studied the benefit of using abstract
interpretation for developing **certified static analyses**
, . The development of
certified static analysers is an ongoing activity that will be part of
the Celtique project. We use the Coq proof assistant which allows for
extracting the computational content of a constructive proof. A Caml
implementation can hence be extracted from a proof of existence, for
any program, of a correct approximation of the concrete program
semantics. We have isolated a theoretical framework based on abstract
interpretation allowing for the formal development of a broad range of
static analyses. Several case studies for the analysis of Java byte
code have been presented, notably a memory usage analysis
. This work has recently found
application in the context of Proof Carrying Code
and have also been successfully applied to
particular form of static analysis based on term rewriting and tree
automata .

Precise context-sensitive control-flow analysis is a fundamental
prerequisite for precisely analysing Java programs.
Bacon and Sweeney's Rapid Type Analysis (RTA) is a
scalable algorithm for constructing an initial call-graph of the
program. Tip and Palsberg have proposed a variety of
more precise but scalable call graph construction algorithms
*e.g.,* MTA, FTA, XTA which accuracy is between RTA and 0'CFA.
All those analyses are not context-sensitive. As early as 1991,
Palsberg and Schwartzbach , proposed a theoretical
parametric framework for typing object-oriented programs in a
context-sensitive way. In their setting, context-sensitivity is
obtained by explicit code duplication and typing amounts to analysing
the expanded code in a context-insensitive manner. The framework
accommodates for both call-contexts and allocation-contexts.

To assess the respective merits of different instantiations, scalable
implementations are needed. For Cecil and Java programs, Grove
*et al.,* , have explored the algorithmic design
space of contexts for benchmarks of significant size.
Later on, Milanova *et. al.,* have
evaluated, for Java programs, a notion of context called
*object-sensitivity* which abstracts the call-context by the
abstraction of the `this` pointer. More recently, Lhotak and
Hendren have extended the empiric
evaluation of object-sensitivity using a BDD implementation allowing
to cope with benchmarks otherwise out-of-scope.
Besson and Jensen proposed to use datalog
in order to specify context-sensitive analyses. Whaley and
Lam have implemented a context-sensitive
analysis using a BDD-based datalog implementation.

Control-flow analyses are a prerequisite for other analyses. For instance, the security analyses of Livshits and Lam and the race analysis of Naik, Aiken and Whaley both heavily rely on the precision of a control-flow analysis.

Control-flow analysis allows to statically prove the absence of certain run-time errors such as "message not understood" or cast exceptions. Yet it does not tackle the problem of "null pointers". Fahnrich and Leino propose a type-system for checking that after object creation fields are non-null. Hubert, Jensen and Pichardie have formalised the type-system and derived a type-inference algorithm computing the most precise typing . The proposed technique has been implemented in a tool called NIT . Null pointer detection is also done by bug-detection tools such as FindBugs . The main difference is that the approach of findbugs is neither sound nor complete but effective in practice.

Static analyses yield qualitative results, in the sense that they compute a safe over-approximation of the concrete semantics of a program, w.r.t. an order provided by the abstract domain structure. Quantitative aspects of static analysis are two-sided: on one hand, one may want to express and verify (compute) quantitative properties of programs that are not captured by usual semantics, such as time, memory, or energy consumption; on the other hand, there is a deep interest in quantifying the precision of an analysis, in order to tune the balance between complexity of the analysis and accuracy of its result.

The term of quantitative analysis is often related to probabilistic models for abstract computation devices such as timed automata or process algebras. In the field of programming languages which is more specifically addressed by the Celtique project, several approaches have been proposed for quantifying resource usage: a non-exhaustive list includes memory usage analysis based on specific type systems , , linear logic approaches to implicit computational complexity , cost model for Java byte code based on size relation inference, and WCET computation by abstract interpretation based loop bound interval analysis techniques .

We have proposed an original approach for designing static analyses computing program costs: inspired from a probabilistic approach , a quantitative operational semantics for expressing the cost of execution of a program has been defined. Semantics is seen as a linear operator over a dioid structure similar to a vector space. The notion of long-run cost is particularly interesting in the context of embedded software, since it provides an approximation of the asymptotic behaviour of a program in terms of computation cost. As for classical static analysis, an abstraction mechanism allows to effectively compute an over-approximation of the semntics, both in terms of costs and of accessible states . An example of cache miss analysis has been developed within this framework .

In spite of the nice mathematical theory of program analysis (notably
abstract interpretation) and the solid algorithmic
techniques available one problematic issue persists, *viz.*, the
*gap* between the analysis that is proved correct on paper and
the analyser that actually runs on the machine. While this gap might
be small for toy languages, it becomes important when it comes to
real-life languages for which the implementation and maintenance of
program analysis tools become a software engineering task.

A *certified static analysis* is an analysis whose implementation
has been formally proved correct using a proof assistant. Such
analysis can be developed in a proof assistant like Coq
by programming the analyser inside the assistant and formally proving
its correctness. The Coq extraction mechanism then allows for
extracting a Caml implementation of the analyser. The feasibility of
this approach has been demonstrated
in .

We also develop this technique through certified reachability analysis over term rewriting systems. Term rewriting systems are a very general, simple and convenient formal model for a large variety of computing systems. For instance, it is a very simple way to describe deduction systems, functions, parallel processes or state transition systems where rewriting models respectively deduction, evaluation, progression or transitions. Furthermore rewriting can model every combination of them (for instance two parallel processes running functional programs).

Depending on the computing system modelled using rewriting, reachability (and unreachability) permits to achieve some verifications on the system: respectively prove that a deduction is feasible, prove that a function call evaluates to a particular value, show that a process configuration may occur, or that a state is reachable from the initial state. As a consequence, reachability analysis has several applications in equational proofs used in the theorem provers or in the proof assistants as well as in verification where term rewriting systems can be used to model programs.

For proving unreachability, i.e. safety properties, we already have some
results based on the over-approximation of the set of reachable
terms , . We defined a simple and efficient
algorithm
for computing exactly the set of reachable terms, when it is regular,
and construct an over-approximation otherwise. This algorithm consists of
a *completion* of a *tree automaton*, taking advantage
of the ability of tree automata to finitely represent infinite sets of
reachable terms.

To certify the corresponding analysis, we have defined a checker guaranteeing that a tree automaton is a valid fixpoint of the completion algorithm. This consists in showing that for all term recognised by a tree automaton all his rewrites are also recognised by the same tree automaton. This checker has been formally defined in Coq and an efficient Ocaml implementation has been automatically extracted . This checker is now used to certify all analysis results produced by the regular completion tool as well as the optimised version of .

Alan Schmitt has received the 2015 Most Influential POPL Paper Award for the 2005 paper “Combinators for Bi-Directional Tree Transformations: A Linguistic Approach to the View Update Problem” .

Certified JavaScript

Functional Description

The JSCert project aims to really understand JavaScript. JSCert itself is a mechanised specification of JavaScript, written in the Coq proof assistant, which closely follows the ECMAScript 5 English standard. JSRef is a reference interpreter for JavaScript in OCaml , which has been proved correct with respect to JSCert and tested with the Test 262 test suite.

Participants: Martin Bodin and Alan Schmitt

Partner: Imperial College London

Contact: Alan Schmitt

URL: http://

JAvaCard AnaLyseur

Keywords: JavaCard - Certification - Static program analysis - AFSCM

Functional Description

Jacal is a JAvaCard AnaLyseur developed on top of the SAWJA platform. This software verifies automatically that Javacard programs conform with the security guidelines issued by the AFSCM (Association Française du Sans Contact Mobile). Jacal is based on the theory of abstract interpretation and combines several object-oriented and numeric analyses to automatically infer sophisticated invariants about the program behaviour. The result of the analysis is thereafter harvest to check that it is sufficient to ensure the desired security properties.

Participants: Delphine Demange, David Pichardie, Thomas Jensen and Frédéric Besson

Contact: Thomas Jensen

Functional Description

Javalib is an efficient library to parse Java .class files into OCaml data structures, thus enabling the OCaml programmer to extract information from class files, to manipulate and to generate valid .class files.

Participants: Frédéric Besson, David Pichardie and Laurent Guillo

Contact: David Pichardie

Static Analysis Workshop for Java

Keywords: Security - Software - Code review

Functional Description

Sawja is a library written in OCaml, relying on Javalib to provide a high level representation of Java bytecode programs. It name comes from Static Analysis Workshop for JAva. Whereas Javalib is dedicated to isolated classes, Sawja handles bytecode programs with their class hierarchy and with control flow algorithms.

Moreover, Sawja provides some stackless intermediate representations of code, called JBir and A3Bir. The transformation algorithm, common to these representations, has been formalized and proved to be semantics-preserving.

Participants: Frédéric Besson, David Pichardie and Laurent Guillo

Contact: Frédéric Besson

Keywords: Demonstration - Ocaml - Vérification de programmes - Tree Automata

Functional Description

Timbuk is a collection of tools for achieving proofs of reachability over Term Rewriting Systems and for manipulating Tree Automata (bottom-up non-deterministic finite tree automata)

Participant: Thomas Genet

Contact: Thomas Genet

Keywords: Verified compilation - Single Static Assignment form - Optimization - Coq - OCaml

Functional Description

CompCertSSA is built on top of the C CompCert verified compiler, by adding a SSA-based middle-end (conversion to SSA, SSA-based optimizations, destruction of SSA). It is verified in the Coq proof assistant.

Participant: Delphine Demange, David Pichardie, Yon Fernandez de Retana, Leo Stefanesco

Contact: Delphine Demange

We thrive at improving the technology of certified compilation. Our work builds on the infrastructure provided by the CompCert compiler. We are working both at improving the guarantees provided by certified compilation and at formalising state-of-the-art optimisation techniques.

The CompCert compiler is proved with respect to an abstract semantics. In previous work , we propose a more concrete memory model for the CompCert compiler . This model gives a semantics to more programs and lift the assumption about an infinite memory. This model makes CompCert safer because more programs are captured by the soundness theorem of CompCert and because it allows to reason about memory consumption.

We are investigating the consequences this model on different compiler passes of CompCert . As a sanity check, we prove formally that the existing memory model is an abstraction of our more concrete model thus validating formally the soundness of CompCert’s abstract semantics of pointers. We have also port the front-end of the compiler to our new semantics and are working on the compiler back-end.

The CompCert compiler foregoes using SSA, an intermediate representation employed by many compilers that enables writing simpler, faster optimizers. In previous work , we have proposed a formally verified SSA-based middle-end for CompCert, addressing two problems raised by Leroy in 2009: giving an intuitive formal semantics to SSA, and leveraging its global properties to reason locally about program optimizations. Since then, we have studied in more depth the SSA-based optimization techniques with the objective to make the middle-end more realistic, in terms of the efficiency of optimizations, and to rationalize the way the correctness proofs of optimizations are conducted and structured.

Finally, we have studied (paper under review at the international conference Compiler Construction 2016) the destruction of the SSA form (i.e. at the exit point of the middle-end), a problem that has remained a difficult problem, even in a non-verified environment. We formally defined and proved the properties of the generation of Conventional SSA (CSSA) which make its destruction simple to implement and prove. We implemented and proved correct a coalescing destruction of CSSA, à la Boissinot et al., where variables can be coalesced according to a refined notion of interference. Our CSSA-based, coalescing destruction allows us to coalesce more than 99% of introduced copies, on average, and leads to encouraging results concerning spilling and reloading during post-SSA allocation.

We have continued our work on the certification of analyses for JavaScript by developing a systematic way to build certified abstract interpreters from big-step semantics using the Coq proof assistant. We based our approach on Schmidt’s abstract interpretation principles for natural semantics, and used a pretty-big-step (PBS) semantics, a semantic format proposed by Charguéraud. We proposed a systematic representation of the PBS format and implemented it in Coq. We then showed how the semantic rules can be abstracted in a methodical fashion, independently of the chosen abstract domain, to produce a set of abstract inference rules that specify an abstract interpreter. We proved the correctness of the abstract interpreter in Coq once and for all, under the assumption that abstract operations faithfully respect the concrete ones. We finally showed how to define correct-by-construction analyses: their correction amounts to proving they belong to the abstract semantics. This work has been published at CPP 2015 .

In addition, we have worked on hybrid typing of information flow for JavaScript, in collaboration with José Fragoso Santos and Tamara Rezk at Inria Sophia-Antipolis. Our analysis combined static and dynamic typing in order to avoid rejecting programs due to imprecise typing information. This work has been published at TGC 2015 .

We designed and proved sound, using the Coq proof assistant, a static analyzer, Verasco , based on abstract interpretation for most of the ISO C 1999 language (excluding recursion and dynamic allocation). Verasco establishes the absence of run-time errors in the analyzed programs. It enjoys a modular architecture that supports the extensible combination of multiple abstract domains, both relational and non-relational. Verasco integrates with the CompCert formally-verified C compiler so that not only the soundness of the analysis results is guaranteed with mathematical certitude, but also the fact that these guarantees carry over to the compiled code.

Static analysis of binary code is challenging for several reasons. In particular, standard static analysis techniques operate over control flow graphs, which are not available when dealing with self-modifying programs which can modify their own code at runtime. We formalized in the Coq proof assistant some key abstract interpretation techniques that automatically extract memory safety properties and control flow graphs from binary code , and operate over a small subset of the x86 assembly. Our analyzer is formally proved correct and has been run on several self-modifying challenges, provided by Cai et al. in their PLDI 2007 paper. This an extended version of out ITP 2014 paper.

We develop a specific theory and the related tools for analyzing programs whose semantics is defined using term rewriting systems. The analysis principle is based on regular approximations of infinite sets of terms reachable by rewriting. The tools we develop use, so-called, Tree Automata Completion to compute a tree automaton recognizing a superset of all reachable terms. This over-approximation is then used to prove properties on the program by showing that some “bad” terms, encoding dangerous or problematic configurations, are not in the superset and thus not reachable. This is a specific form of, so-called, Regular Tree Model Checking. Now, we aim at applying this technique to the static analysis of programming languages whose semantics is based on terms, like functional programming languages. We already shown that static analysis of first order functional programs with a call-by-value evaluation strategy can be automated using tree automata completion . This is the subject of the PhD thesis Yann Salmon has defended . Now, one of the objective is to lift those results to the static analysis of higher-order functions.

We have developed a static dependency analysis for a strongly typed, high-level functional specifications written in a specification formalism developed by the SME Prove & Run. In the context of interactive formal verification of complex systems, much effort is spent on proving the preservation of the system invariants. However, most operations have a localized effect on the system, which only really impacts few invariants at the same time. Identifying those invariants that are unaffected by an operation can substantially ease the proof burden for the programmer. Our dependency analysis computes a conservative approximation of the input fragments on which the operations depend. It is a flow-sensitive interprocedural analysis that handles arrays, structures and variant data types. We have validated the scalability of the analysis to complex transition systems by applying it to a functional specification of the MINIX operating system. This work was reported in .

We develop a

Static program analysis, Certified static analysis

The VERASCO project (2012–2015) is funded by the call ISN 2011, a program of the Agence Nationale de la Recherche. It investigates the formal verification of static analyzers and of compilers, two families of tools that play a crucial role in the development and validation of critical embedded software. It is a joint project with the Inria teams Abstraction, Gallium, The VERIMAG laboratory and the Airbus company.

Static program analysis, Security, Secure compilation

The AnaStaSec project (2015–2018) aims at ensuring security properties of embedded critical systems using static analysis and security enhancing compiler techniques. The case studies are airborne embedded software with ground communication capabilities. The Celtique project focuses on software fault isolation which is a compiler technology to ensure by construction a strong segregation of tasks.

This is a joint project with the Inria teams Antique and Prosecco, CEA-LIST, TrustInSoft, AMOSSYS and Airbus Group.

Binary code, Static program analysis

The Binsec project (2013–2017) is founded by the call ISN 2012, a program of the Agence Nationale de la Recherche. The goal of the BINSEC project is to develop static analysis techniques and tools for performing automatic security analyses of binary code. We target two main applicative domains: vulnerability analysis and virus detection.

Binsec is a joint project with the Inria Carte team, CEA LIS, Verimag and EADS IW.

The MALTHY project, funded by ANR in the program INS 2013, aims at advancing the state-of-the-art in real-time and hybrid model checking by applying advanced methods and tools from linear algebra and algebraic geometry. MALTHY is coordinated by VERIMAG, involving CEA-LIST, Inria Rennes (Estasys and Celtique), Inria Saclay (MAXPLUS) and VISEO/Object Direct.

The goal of the AJACS project is to provide strong security and privacy guarantees on the client side for web application scripts. To this end, we propose to define a mechanized semantics of the full JavaScript language, the most widely used language for the Web. We then propose to develop and prove correct analyses for JavaScript programs, in particular information flow analyses that guarantee no secret information is leaked to malicious parties. The definition of sub-languages of JavaScript, with certified compilation techniques targeting them, will allow us to derive more precise analyses. Finally, we propose to design and certify security and privacy enforcement mechanisms for web applications, including the APIs used to program real-world applications.

The project partners include the following Inria teams: Celtique, Indes, Prosecco, and Toccata; it also involves researchers from Imperial College as external collaborators. The project runs from December 2014 to June 2018.

The DISCOVER project project aims at leveraging recent foundational work on formal verification and proof assistants to design, implement and verify compilation techniques used for high-level concurrent and managed programming languages. The ultimate goal of DISCOVER is to devise new formalisms and proof techniques able to scale to the mechanized correctness proof of a compiler involving a rich class of optimizations, leading to efficient and scalable applications, written in higher-level languages than those currently handled by cutting-edge verified compilers.

In the light of recent work in optimizations techniques used in production compilers of high-level languages, control-flow-graph based intermediate representations seems too rigid. Indeed, the analyses and optimizations in these compilers work on more abstract representations, where programs are represented with data and control dependencies. The most representative representation is the sea-of-nodes form, used in the Java Hotspot Server Compiler, and which is the rationale behind the highly relaxed definition of the Java memory model. DISCOVER proposes to tackle the problem of verified compilation for shared-memory concurrency with a resolute language-based approach, and to investigate the formalization of adequate program intermediate representations and associated correctness proof techniques.

The project runs from October 2014 to September 2018.

The SecCloud project, started in 2012, will provide a comprehensive language-based approach to the definition, analysis and implementation of secure applications developed using Javascript and similar languages. Our high level objectives is to enhance the security of devices (PCs, smartphones, ect.) on which Javascript applications can be downloaded, hence on client-side security in the context of the Cloud. We will achieve this by focusing on three related issues: declarative security properties and policies for client-side applications, static and dynamic analysis of web scripting programming languages, and multi-level information flow monitoring.

This is a joint project with Supelec Rennes and Ecole des Mines de Nantes.

Title: Verified Compilation of Concurrent Managed Languages

International Partner (Institution - Laboratory - Researcher):

Purdue University (United States) - Suresh Jagannathan

Start year: 2014

See also: http://

Safety-critical applications demand rigorous, unambiguous guarantees on program correctness. While a combination of testing and manual inspection is typically used for this purpose, bugs latent in other components of the software stack, especially the compiler and the runtime system, can invalidate these hard-won guarantees. To address such concerns, additional laborious techniques such as manual code reviews of generated assembly code are required by certification agencies. Significant restrictions are imposed on compiler optimizations that can be performed, and the scope of runtime and operating system services that can be utilized. To alleviate this burden, the JCert project is implementing a verified compiler and runtime for managed concurrent languages like Java or C#.

Professor Philippa Gardner, Imperial College, UK, since December 2015.

Alan Schmitt is part of a Polonium Hubert Curien Partnership (PHC) with the University of Wrocław. This partnership is lead by Sergueï Lenglet, from Loria, Nancy, France.

Jensen Thomas

Date: Sep 2014 - Aug 2015

Institution: University of Copenhagen (Denmark)

Martin Bodin visited the Department of Computing at Imperial College London for three months.

Static Analysis Symposium 2015, Saint-Malo, September 2015.

SAS 2015 (Static Analysis Symposium) was chaired by Sandrine Blazy and Thomas Jensen

FORTE 2015 (International Conference on Formal Techniques for Distributed Objects, Components and Systems): Alan Schmitt

CoqPL 2016 (International Workshop on Coq for PL): Alan Schmitt

POPL 2015 (Symposium on Principles of Programming Languages): David Pichardie (Program Committee) and Delphine Demange (External Review Committee)

ESOP 2015 (European Symposium on Programming) : Delphine Demange

JFLA 2015 (Journées Francophones des Langages Applicatifs) : Delphine Demange

OCaml workshop 2015: Sandrine Blazy

AFADL 2015 (Approches Formelles dans l'Assistance au Développement de Logiciels) : Sandrine Blazy

ITP 2015 (Interactive Theorem Proving): Sandrine Blazy

CPP 2016 (Certified Proofs and Programs): Sandrine Blazy

IFIP SEC 2015: Thomas Jensen

CONCUR 2015 (International Conference on Concurrency Theory): Alan Schmitt

FOSSACS 2016 (International Conference on Foundations of Software Science and Computation Structures): Alan Schmitt

ITP 2015 (International Conference on Interactive Theorem Proving) : Delphine Demange

ATVA 2015 (13th International Symposium on Automated Technology for Verification and Analysis) : Sandrine Blazy

ESOP 2015 (European Symposium on Programming): Thomas Jensen.

Applied Mathematics & Information Sciences: Alan Schmitt

Formal Aspects of Computing: Alan Schmitt, Thomas Jensen

International Journal of Computer Mathematics: Alan Schmitt

Journal of Automated Reasoning: Sandrine Blazy, David Pichardie

Journal of Computer Security : Sandrine Blazy

Sandrine Blazy: Formal verification of compilers and static analyzers, PLMW@POPL 2015 (Programming Languages Mentoring Workshop)

Thomas Jensen: Integrating formal verification within programming languages. Seminar Collège de France, October 2015.

Sandrine Blazy: expertise of 2 projects for FNR (Luxemburg)

Thomas Jensen, expertise of ANR AAP general, short proposals

Thomas Jensen is head of the NUMERIC department at University of Bretagne-Loire

Thomas Jensen is managing the “Security” track of ANR Comin Labs.

Licence: Thomas Genet, Software Engineering, 58h, L2, Université de Rennes 1 / Istic, France

Licence: Delphine Demange, Software Engineering, 40h, L2, Université de Rennes 1 / Istic, France

Licence: Delphine Demange, Functional Programming, 70h, L1, Université de Rennes 1 / Istic, France

Licence : Alan Schmitt, Programmation Fonctionnelle, 39h, L3, Insa Rennes, France

Licence : David Pichardie, Algorithms, 36h, L3, ENS Rennes, France

Licence : David Cachera, Logic, 36h, L3, ENS Rennes, France

Licence : Sandrine Blazy, Functional programming, 30h, L3, Université Rennes 1 France

Master : Thomas Genet, Formal Design and Verification, 108h, M1, Université de Rennes 1 / Istic, France

Master : Thomas Genet, Cryptographic Protocols, 24h, M2, Université de Rennes 1 / Istic, France

Master : David Cachera, Semantics of Programming Languages, 36h, M1, Université Rennes 1, France

Master : Frédéric Besson, Compilation, 50h, M1, Insa Rennes, France

Master : Sandrine Blazy, Méthodes Formelles pour le développement de logiciels sûrs, 53h, M1, Rennes 1, France

Master : Alan Schmitt, Méthodes Formelles pour le développement de logiciels sûrs, 25h, M1, Rennes 1, France

Master : David Pichardie, Mechanized Semantics, 15h, M2, Université Rennes 1, France

Master : Sandrine Blazy, Mechanized Semantics, 15h, M2, Université Rennes 1, France

Master : Sandrine Blazy, Software vulnerabilities, 38h, M2, Université Rennes 1, France

Master : Delphine Demange, Software Security, 9h, M2, Université Rennes 1, France

Master : Thomas Jensen, Program Analysis and Software Security, 39h, M2, Université Rennes 1, France

PhD in progress : Martin Bodin, Certified Analyses of JavaScript, 1st september 2012, Thomas Jensen and Alan Schmitt

PhD in progress : Gurvan Cabon, Analyse non locale certifiée en JavaScript grâce à une sémantique annotée, 1st september 2015, Alan Schmitt

PhD in progress : Yon Fernandez De Retana, Verified Optimising Compiler for high-level languages, 1st september 2015, Delphine Demange and David Pichardie

PhD in progress : Yannick Zakowski, Programs Logics for Concurrency, 1st september 2014, David Pichardie and David Cachera

PhD in progress : Florent Saudel, Vulnerability discovery, November 2015, Sandrine Blazy, Frédéric Besson and Frédéric Guihéry (Amossys)

PhD in progress: David Bühler, Communication between analyses by deductive verification and abstract interpretation, November 2013, Sandrine Blazy and Boris Yakobowski (CEA)

PhD in progress: Pierre Wilke, Low-level memory models for compilers and static analysers, 1st august 2013, Sandrine Blazy and Frédéric Besson

PhD in progress: Oana Andreescu, Static analysis and automated program proving, 1st September 2013, Thomas Jensen

PhD in progress: Pauline Bolignano, Modeling and abstraction of system software, 1st November 2013, Thomas Jensen

PhD: Yann Salmon, Reachability for Term Rewriting Systems under Strategies, defended Dec 2015, Thomas Genet

PhD: Vincent Laporte, Verified static analyses for low-level languages, defended Nov 2015, Sandrine Blazy and David Pichardie

PhD: Stéphanie Riaud, Data obfuscation for protecting programs against dynamic analysis, defended Dec 2015, Sandrine Blazy

Alan Schmitt, jury member (reviewer) for the PhD defense of Burak Ekici, December 2015, Université Grenoble Alpes

David Pichardie, jury member (chair) for the PhD defense of Mounir Assaf, May 2015, University Rennes 1, France.

David Pichardie, jury member (reviewer) for the PhD defense of Bogdan Mihaila, January 2015, Technische Universität München, Germany.

Sandrine Blazy, jury member for the PhD defense of Alexis Fouilhé, October 2015, Grenoble University, France

Sandrine Blazy, jury member for the PhD defense of Zakaria Chihani, November 2015, Ecole Polytechnique, France.

Sandrine Blazy, jury member for the PhD defense of Lourdes del Carmen Gonzalez Huesca, November2015, Paris Diderot University, France.

Thomas Jensen, jury member for the PhD defense of Magnus Madsen, May 2015, Aarhus University, Denmark.

Thomas Jensen, jury member for the PhD defense of Clémentine Maurice, EURECOM, France.

Alan Schmitt, jury member for the selection of Inria CR (researcher) candidates, March and April 2015, Inria, Rennes, France.

Delphine Demange, jury member for the selection of a Maître de Conférences at University Paris Diderot (Paris 7) / LIAFA+PPS, May 2015, Paris, France.

Sandrine Blazy, jury member for the selection of a Maître de Conférences at University of Nancy, May 2015, Nancy, France.

Sandrine Blazy, jury member for the selection of a Maître de Conférences at University of Rennes 1, May 2015, Rennes, France.

Sandrine Blazy, jury member for the selection of a professor at University of Brest, May 2015, Brest, France.

Delphine Demange, jury member of the Gilles Kahn PhD award committee, December 2015, Inria Paris - Rocquencourt

IRISA 40th anniversary Open House - Recreational workshop (interactive demonstration) on the problem of functional correctness of programs, its importance in the field of critical software, and formal proof of correctness : Thomas Genet, Delphine Demange, Pauline Bolignano, Yannick Zakowski. Inria Convention centre, Inria Rennes - Bretagne Atlantique. Rennes, France. December 2015.

Talk “Bug, Virus, Intrusion, Pirates... So many threats and no defense? Yes... maths.”, Thomas Genet, given two times in high schools close to Rennes.

Two short tutorials. One for Isabelle/HOL and one for SPAN+AVISPA .