INRIA, Evaluation of Theme Sym A

Project-team SECSI
Nov , 2006

Project-team title : SECurity of Information Systems (SECSI)
Scientific leader : Jean Goubault-Larrecq
Research center : Futurs
Common project-team with : Laboratoire Spécification et Vérification (LSV), UMR 8643 ENS Cachan & CNRS.

1 Personnel

Personnel (Dec (creation))
Misc. INRIA CNRS University Total
DR (1) / Professors
CR (2) / Assistant Professors
Permanent Engineers (3) 0
Temporary Engineers (4) 1 1
PhD Students 6 6
Post-Doc. 1 1
Total
External Collaborators 0
Visitors (> 1 month) 0

(1) Senior Research Scientist (Directeur de Recherche)
(2) Junior Research Scientist (Chargé de Recherche)
(3) Civil servant (CNRS, INRIA,...)
(4) Associated with a contract (Ingénieur Expert or Ingénieur Associé)

Personnel (Nov , 2006)
Misc. INRIA CNRS University Total
DR / Professors 2 2
CR / Assistant Professor
Permanent Engineer 0
Temporary Engineer 0
PhD Students
Post-Doc
Total
External Collaborators
Visitors (> 1 month) 1

Changes in staff
DR / Professors
Misc. INRIA CNRS University total
CR / Assistant Professors
Arrival 1 1
Leaving 2

Comments : Hubert Comon-Lundh moved from CNRS directeur de recherches to full professor, still at ENS Cachan, thus accounting for a somewhat artificial departure from CNRS and one equally artificial arrival at the university in the table above.

Current composition of the project-team (Nov , 2006):
Goubault-Larrecq, Jean (scientific leader). Full professor, ENS Cachan.
Jacquemard, Florent (permanent leader). INRIA CR.
Comon-Lundh, Hubert. Full professor, ENS Cachan.
Kremer, Steve. INRIA CR.
Demri, Stéphane. CNRS CR.
Treinen, Ralf. Associate professor, ENS Cachan.
Carré, Jean-Loup. PhD student, CIFRE grant, LSV/EADS.
Bursuc, Sergiu. PhD student, INRIA grant.
Bursztein, Elie. PhD student, DGA/CNRS grant.
Mercier, Antoine. PhD student, MENRT grant.
Troina, Angelo. Postdoc, ARC ProNoBis, shared with project-team Comète (Futurs, LIX).
Mazaré, Laurent. Postdoc.

Current position of former project-team members (including PhD students during the (Dec (creation) Nov , 2006):
Bidoit, Michel. CNRS DR. Left SECSI, Sep. Current position: LSV, UMR CNRS and ENS Cachan; ministère de l'éducation nationale, de la recherche et de la technologie.
Olivain, Julien. Former temporary engineer (3 years), left Nov. Current position: self-employed, Montréal, province of Québec, Canada.
Boisseau, Alexandre. Former PhD student, defended Sep. Current position: teacher in classes préparatoires aux grandes écoles, Reims.
Cortier, Véronique. Former PhD student, defended March 2003; SPECIF Award 2003, Le Monde Award. Current position: CNRS CR, LORIA, Nancy.
Verma, Kumar Neeraj. Former PhD student, defended Sep. Current position: post-doc, Technische Universität München, Germany.

Roger, Muriel. Former PhD student, defended Oct. Current position: research engineer, LIST, CEA, Saclay.
Ratti, Benjamin. Former PhD student, started Sep. 2004, quit March. Current position: developer, Harmonie Technologie, Paris.
Zhang Yu. Former PhD student, started Sep. 2002, defended Oct. Tang frères award of the AFCRST (French-Chinese Association for Scientific and Technical Research). Current position: postdoc, EVEREST project-team, INRIA Sophia-Antipolis.
Bernat, Vincent. Former PhD student, started Sep. 2002, defended June. Current position: consultant engineer, Wallix, Paris.
Baudet, Mathieu. PhD student, started June 2003, grant expired June 2006, defence foreseen, Dec. Current position: chargé de mission, DCSSI (direction centrale de la sécurité des systèmes d'information), Paris.
Delaune, Stéphanie. Former PhD student, started Sep. 2003, defended June. Current position: postdoc, Birmingham University, UK.
Lafourcade, Pascal. Former PhD student, started Sep. 2003, defended Sep. Current position: DGA postdoc, ETHZ, Zürich, Switzerland.
Parrennes, Fabrice. Former postdoc and 1/2-ATER (temporary teaching assistant), left May. Current position: engineer, RATP, Paris.
Chhabra, Shalendra. ITBHU intern (Varanasi, India), spring. Current position: program manager, Microsoft Corp., Riverside, CA, USA.
Gupta, Ankit. IIT Delhi-INRIA intern, spring. Current position: as far as we know, was applying at several US universities (graduate level), spring.

Last INRIA enlistments
Kremer, Steve. Hired, Sep. 2004, as CR2. At the time of writing, on the list of people subject to CR1 promotion.

Other comments : Hubert Comon-Lundh was SECSI's first permanent leader. Florent Jacquemard took over in . Our priority at SECSI is hiring talented researchers, and INRIA offers opportunities that are most welcome.
Julien Olivain was on the INRIA payroll for two years as ingénieur associé, Mathieu Baudet was paid as Corps des Télécoms PhD student by INRIA for three years, Ralf Treinen was on délégation INRIA status for two years. The first two have left, the third has returned to an associate professor position. As of 2006, the number of INRIA personnel on SECSI's list is at its lowest. We would have liked to recruit Bogdan Warinschi as CR, and he was happy to come to SECSI, too (ranked first at Futurs in 2006); for personal reasons, however, he had to move to Bristol instead. SECSI's manpower is therefore currently, temporarily low.

2 Work progress

2.1 Keywords

Computer security, cryptographic protocols, automated deduction, model-checking, intrusion detection.

2.2 Context and overall goal of the project

Computer security has become more and more pressing as a concern since the mid 1990s. There are several reasons for this, notably: cryptography is no longer a chasse réservée of the military, and has become ubiquitous; and computer networks (e.g., the Internet) have grown considerably and have generated numerous opportunities for attacks and misbehaviors.

The aim of the SECSI project is to develop logic-based verification techniques for security properties of computer systems and networks. Let us explain what this means, and what this does not mean.

First, the scope of the research at SECSI is a rather broad subset of computer security, although the core of SECSI's activities is on verifying cryptographic protocols. We try to be as comprehensive as possible. Several security properties have been the focus of SECSI's research: notably weak and strong secrecy, authentication, anonymity, fairness in contract-signing. Several models, too: the Dolev-Yao model initially, but also process algebra models (spi-calculus, applied pi-calculus), and, more recently, the more realistic computational model favored by cryptographers. Several input formats, finally: either symbolic descriptions of protocols à la Needham-Schroeder, or programs that actually implement cryptographic protocols. Apart from cryptographic protocols, the vision of the SECSI project is that computer security, being a global concern, should be taken as a whole, as far as possible. This is why one of the initial objectives of SECSI was also concerned with problems in intrusion detection, notably.

However, the aims of any project, including SECSI, have to be circumscribed somewhat. One of the key points in the aim of the SECSI project, stated above, is "logic-based".
SECSI aims at developing rigorous approaches to the verification of security. But the expertise of the members of SECSI is not in, say, numerical analysis or the quantitative evaluation of degrees of security, but in formal methods in logic. It is a founding theme of SECSI that logic matters in security, and opportunities are to be grabbed. This was definitely the case for the verification of cryptographic protocols. This was also the case for intrusion detection, where an original model-checking based approach to misuse detection was developed.

Then, another important point is "verification techniques". The expertise of SECSI is not so much in designing protocols. Verifying protocols, formally, is a rather more arduous task. It is also particularly needed in cryptographic protocol security, where many protocols were flawed, despite published proofs.

2.3 Objectives for the evaluation period

The abstract of the SECSI proposal, dated July 25, 2002, was:

Le projet comporte trois volets:
1. La vérification automatique de propriétés sécuritaires de protocoles cryptographiques. Il s'agit là d'un problème orthogonal aux questions algorithmiques de chiffrement, les problèmes étudiés étant de nature purement logique, les outils utilisés relevant de la démonstration automatique ou de la résolution de contraintes.
2. La détection d'intrusion. La spécificité de notre projet en la matière est de s'appuyer sur des méthodes formelles, en particulier les logiques temporelles et la vérification de modèles.
3. Les relations entre les deux sujets précédents: comment, à partir de faiblesses détectées dans les protocoles cryptographiques, et dans leurs réalisations, construire des scénarii d'attaques qui peuvent ensuite être utilisés pour la détection d'intrusion.

Translation: The project comprises three parts:
1. The automatic verification of security properties of cryptographic protocols. This is a problem that is orthogonal to questions on encryption algorithms, the nature of the problems being purely logical, and the tools used coming from automated deduction or constraint resolution.
2. Intrusion detection. The specific theme of our project in this domain is to rely on formal methods, in particular temporal logics and model-checking.
3. Relating the previous two subjects: given vulnerabilities detected in specific cryptographic protocols, and in their implementations, how can we build attack scenarios that can be used in intrusion detection.

Among these three themes, the first one is certainly the one that grew most, generating several new directions of research. As of Nov , 2006, most members of SECSI work in one or the other sub-topic of this first theme. Only one permanent member and one PhD student work at this date on the second theme, and none on the third. We discuss this more below.

2.4 Objective 1 : Executive summary

Automated cryptographic protocol verification is certainly the main theme of SECSI. While it was already the theme that kept most SECSI members busy at the time SECSI was created (2002), one might say that, as of 2006, all SECSI members work on it. Accordingly, this theme was naturally subdivided into new objectives.
It would then have been natural to divide the present section along the corresponding new objectives. This would have been fairer to the actual proportion of work done for each objective. However, I'll conform to the instructions. This will have the advantage that objective 1 will be described concisely. However, it is also meaningful to enumerate these new objectives:
1.1 Tree-automata based methods, automated deduction, and approximate/exact cryptographic protocol verification in the Dolev-Yao model.
1.2 Enriching the Dolev-Yao model with algebraic theories, and associated decision problems.
1.3 Computational soundness of formal models (Dolev-Yao, applied pi-calculus).
1.4 Security of group protocols, fair exchange, voting and other protocols. Other security properties, other security models.

We shall use this classification in the subsections below. Themes 1.1 and 1.2 are not entirely disjoint, as research around automated deduction for the Dolev-Yao model quickly turned into automated deduction for the Dolev-Yao model enriched by equational theories. The stress in 1.1 is more on automated deduction, while the stress in 1.2 is more on specific decidability issues of Dolev-Yao intruder theories in the presence of equational theories. The fact that these sub-objectives are not totally disconnected should be apparent from the Personnel table below.

Personnel

Objective:
Mathieu Baudet x x
Vincent Bernat x
Alexandre Boisseau x
Sergiu Bursuc x
Hubert Comon-Lundh x x
Véronique Cortier x x
Stéphanie Delaune x x
Jean Goubault-Larrecq x x x
Ankit Gupta x x
Florent Jacquemard x x
Steve Kremer x x
Pascal Lafourcade x
Benjamin Ratti x
Muriel Roger x x
Ralf Treinen x
Kumar Neeraj Verma x x
Yu Zhang x

Project-team positioning

There are now many groups working on cryptographic protocol verification around the world. It would be pointless to cite them all. Let us cite some of the most prominent. Some of the US groups are SRI (Jon Millen; Palo Alto, CA), U. Texas at Austin (Vitaly Shmatikov; formerly at SRI), Martín Abadi (Santa Cruz then Microsoft, Mountain View, CA), Stanford University (John Mitchell; Palo Alto, CA), Mitre Corp. (Joshua Guttman), NRL (Catherine Meadows), Clarkson U. (Christopher Lynch). In Japan, AIST (Hitoshi Ohsaki; Amagasaki). In Italy, U. Firenze (Michele Boreale), U. Verona (Luca Viganó), U. Bologna (Roberto Gorrieri). In Germany, U. Kiel (Ralf Küsters), TUM (Helmut Seidl, München). In Switzerland, ETHZ (David Basin; Zürich). In the UK, Microsoft Cambridge has a strong group (Cédric Fournet, Andrew Gordon); also Cambridge University (Larry Paulson), Oxford University (Gavin Lowe). In France, one must cite Verimag (Yassine Lakhnech; Grenoble), France Télécom R&D (Francis Klay; Rennes), U. of Provence (Denis Lugiez; Marseille), and the INRIA teams Lande (Thomas Genet; Rennes), Cassis (Michael Rusinowitch; Nancy). This (incomplete) list is mostly for 1.1 or 1.2.

For 1.3, one must cite Verimag (Yassine Lakhnech), ENS Paris (Bruno Blanchet, David Pointcheval), CELAR (David Lubicz, Rennes). In Germany, Saarland University (Michael Backes; Saarbrücken). In Belgium, U. Louvain-la-neuve (Olivier Pereira). In the US, John Mitchell, Martín Abadi.

For 1.4, in the UK, U. Birmingham (Mark Ryan; group protocols, opacity). In Belgium, free U. Brussels (Olivier Markowitch; voting). In France, France Télécom R&D (Francis Klay; voting).

We are regularly in touch with each of them, either through project meetings, for common papers, or simply during conferences.

Scientific achievements

Obj. 1.1 It was relatively clear in 2002 that what is now called the Dolev-Yao model of security was essentially a matter of encoding cryptographic protocols as formulae in subclasses of first-order logic, some of them decidable. Security could be attacked from the automata-theoretic point of view, or using set constraints, or automated theorem proving. The realization that all these points of view could be unified has now pervaded the project, if not the community at large. That tree automata and set constraints are special cases of the (decidable) monadic class is due to Bachmair and Ganzinger [BGW93]. That they could in fact be decided efficiently by automated deduction methods is now a running theme in SECSI, see [92, 58, 67, 42, 160] for example. This is the scientific basis of the h1 tool suite (see the Software section).

When the natural class of first-order formulas in which to encode cryptographic protocols and their properties is not decidable, or not clearly so, abstraction techniques are required. (The relationship between decidable classes of first-order logic and decidable cases of cryptographic protocol verification was the theme of the ACI cryptologie VERNAM.) It turns out that fairly simple, and automated, techniques apply [42, 39], inspired from Vardi et al. [FSVY91].

Obj. 1.2 It was slightly less clear in 2002 that the Dolev-Yao model required some definite extensions, in particular allowing for terms to be interpreted modulo some equational theory: the so-called algebraic case. (But also to properly handle specific code chaining techniques [96].) Typical examples of theories of interest are modular exponentiation over a fixed generator g (application: Diffie-Hellman-like protocols) [39] or that of bitwise exclusive-or [58].
The PhD theses of Roger [8], Verma [10], and Cortier [132] display early (and influential!) research in this area. Cortier's thesis, which contains much more material than we can describe, was awarded the SPECIF best PhD thesis award in 2003, and the Le Monde academic research prize in . Handling the algebraic case is now standard in the security protocol verification community, and is still actively being explored in the framework of the RNTL project Prouvé and the ACI SI Rossignol.

The related decision problems are much more difficult than in the non-algebraic case. Automated deduction techniques had to be complemented with specific algorithmic techniques [62], loosely inspired by McAllester's notion of local theories [McA93], to decide the so-called intruder deduction problem in the case of several equational theories. The intruder deduction problem is equivalent to deciding unreachability (e.g., secrecy, authentication) in protocols using a bounded number of sessions. These equational theories include those containing explicit destructors (e.g., ciphers) [66], AC-like theories, e.g. exclusive-or [61, 60], theories containing a homomorphic operator, say a hashing or encryption primitive that distributes over concatenation, or over exclusive-or [98]. See the PhD theses of Cortier again, of Delaune [6], and of Lafourcade [7]. The quest for finding generic algorithms for this problem, given an equational theory in argument, is the subject of Bernat's thesis [3].

[BGW93] L. Bachmair, H. Ganzinger, U. Waldmann, Set Constraints are the Monadic Class, in : Proceedings, Eighth Annual IEEE Symposium on Logic in Computer Science, IEEE Computer Society Press, p ,
[FSVY91] T. Frühwirth, E. Shapiro, M. Y. Vardi, E. Yardeni, Logic Programs as Types for Logic Programs, in : LICS 91,
[McA93] D. A. McAllester, Automatic Recognition of Tractability in Inference Relations, Journal of the ACM 40, 2, April 1993, p

Obj. 1.3 One desirable goal that seemed totally out of reach in 2002 is to relate the Dolev-Yao notion of security, possibly in the algebraic case, to more realistic notions of security as used in the cryptographic community (e.g., IND-CPA and IND-CCA security). The latter define security as resistance to probabilistic polynomial-time attackers, while the Dolev-Yao models overlook any computational constraints. Abadi and Rogaway initiated work in this domain [AR02], dealing with a constrained case of security against passive attackers. The domain has flourished in recent years, and SECSI has started taking an active part in it, as part of the ARA SSIA FormaCrypt project, whose members include Martín Abadi and Bruno Blanchet. One recent paper on this topic is [47]. Laurent Mazaré, a PhD student of Yassine Lakhnech on these themes, will spend one year as postdoc at SECSI. See also the forthcoming PhD thesis of Baudet (Dec. 2006).

Obj. 1.4 The above lines of research are mainly concerned with rather traditional security properties, namely secrecy or authentication (in general, (un)reachability properties), and with protocols with a fixed number of participants in each session. There is much more to security.

Strong notions of secrecy are not reachability properties, and in fact are not trace properties. Rather, they are characterized using contextual equivalences. A notion of bisimulation complete for contextual equivalence in the spi-calculus was found by Cortier [132]. The cryptographic results of [47] (cited above) relate cryptographic security to static equivalence, a form of contextual equivalence well-suited to passive adversaries introduced in Abadi and Fournet's applied pi-calculus [AF01].
Notions of strong security and contextual equivalence have also been studied in the framework of higher-order computation (a lambda-calculus with name creation and cryptographic primitives) by Zhang, using Kripke logical relations [111, 88, 101]. Zhang's thesis [11] was awarded the 2006 prize of the AFCRST (French-Chinese Association for Scientific and Technical Research).

Other properties and other protocols were studied: Boisseau studied deciding anonymity properties, contract-signing and voting protocols (see his PhD thesis [4]); Kremer studied optimistic multi-party contract signing protocols [56], and fair exchange protocols [105], where one of the crucial properties is fairness (none of the signers can prove the contract signed to a third-party while the other has not yet signed), not secrecy. Electronic voting schemes require the voter to be unable to prove his vote to a bully, a property named receipt-freeness [70].

Guessing attacks are attacks where a weak secret can be guessed, e.g. by brute force enumeration (passwords). Some protocols use passwords but are still immune to guessing attacks [74, 68], and a general decision procedure was proposed by Baudet [49] in the (realistic) offline case, using a definition of security based on static equivalence. (See Baudet's forthcoming PhD thesis.)

Finally, secrecy and authentication properties were examined in the challenging case of group protocols. See Roger's PhD thesis [8], and the paper [39]. Antoine Mercier is starting a PhD thesis on security properties of group protocols with Ralf Treinen and Steve Kremer, fall.

Overall, objective 1.4 differs from the other objectives in providing a source of sundry exciting perspectives (other properties, other protocols, other models).

[AR02] M. Abadi, P. Rogaway, Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption), Journal of Cryptology 15, 2, 2002, p
[AF01] M. Abadi, C. Fournet, Mobile Values, New Names, and Secure Communication, in : Proc. 28th ACM Symposium on Principles of Programming Languages (POPL 01), ACM Press, p ,
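
The intruder deduction problem described under Obj. 1.2 can be decided, in its simplest non-algebraic form (pairing and encryption with explicit decryption, no equational theory), by saturating the intruder's knowledge and then checking whether the target term can be composed. The Python code below is an added example, not SECSI code nor part of the h1 tool suite; the term classes, function names and the message trace are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Union


@dataclass(frozen=True)
class Atom:            # nonce, agent name or atomic symmetric key
    name: str


@dataclass(frozen=True)
class Pub:             # public key of an agent
    owner: str


@dataclass(frozen=True)
class Priv:            # private key of an agent
    owner: str


@dataclass(frozen=True)
class Pair:            # concatenation <left, right>
    left: "Term"
    right: "Term"


@dataclass(frozen=True)
class Enc:             # {msg}_key; symmetric unless key is a Pub/Priv key
    msg: "Term"
    key: "Term"


Term = Union[Atom, Pub, Priv, Pair, Enc]


def inverse(key: Term) -> Term:
    """Key needed to open Enc(_, key); a symmetric key is its own inverse."""
    if isinstance(key, Pub):
        return Priv(key.owner)
    if isinstance(key, Priv):
        return Pub(key.owner)
    return key


def can_build(term: Term, known: Iterable[Term]) -> bool:
    """Synthesis: compose `term` from known terms by pairing and encrypting."""
    if term in known:
        return True
    if isinstance(term, Pair):
        return can_build(term.left, known) and can_build(term.right, known)
    if isinstance(term, Enc):
        return can_build(term.msg, known) and can_build(term.key, known)
    return False       # atoms and keys cannot be invented


def analyze(observed: Iterable[Term]) -> FrozenSet[Term]:
    """Analysis: close the knowledge under projection and decryption.

    A ciphertext is opened as soon as its decryption key can be *built*,
    so composite keys such as <A, k1> are handled. Only subterms of the
    observed messages are ever added, hence the loop terminates.
    """
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, Pair):
                parts = [t.left, t.right]
            elif isinstance(t, Enc) and can_build(inverse(t.key), known):
                parts = [t.msg]
            else:
                parts = []
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return frozenset(known)


def deducible(target: Term, observed: Iterable[Term]) -> bool:
    """True iff the Dolev-Yao intruder can derive `target` from `observed`."""
    return can_build(target, analyze(observed))


# Constructed trace: the intruder "i" owns Priv("i") and has seen four messages.
k1, k2, k3, A = Atom("k1"), Atom("k2"), Atom("k3"), Atom("A")
OBSERVED = [
    Priv("i"), Pub("b"),
    Enc(Pair(k1, A), Pub("i")),          # readable by i: leaks k1 and A
    Enc(k2, Pair(A, k1)),                # composite key the intruder must build
    Enc(Atom("secret"), k2),             # falls once k2 is known
    Enc(Atom("other"), k3),              # k3 never leaks: stays opaque
]

if __name__ == "__main__":
    for name in ("secret", "other"):
        print(name, "deducible:", deducible(Atom(name), OBSERVED))
```

Secrecy of a term for this bounded trace holds exactly when `deducible` returns False for it; the algebraic theories discussed above (exclusive-or, homomorphic operators) need the dedicated procedures cited in the text and are not covered by this saturation.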

2.4.4 Collaborations

Martín Abadi, Santa Cruz university, then Microsoft, Mountain View. Visits by Véronique Cortier, Mathieu Baudet. One paper in common [ABW06]. Visits weave links, creating opportunities for future papers: witness the two papers [AC04, AC05] by Cortier, a few years after she left SECSI as a PhD student for a position in CASSIS. Common participation in ARA SSIA Formacrypt.
Mark D. Ryan, U. Birmingham. Several papers with Steve Kremer [96, 97], and Stéphanie Delaune [70]. Visits in both directions.
Francis Klay, France Télécom R&D, Lannion, France. (Through RNTL project Prouvé.) Funds CIFRE PhD grant of Stéphanie Delaune, providing natural opportunities for common research [120, 69, 121, 136].
Denis Lugiez, U. de Provence, Marseille, France. Natural collaborations on AC-tree automata and cryptographic protocol verification. Materialized in the ACI SI Rossignol, through common supervision of PhD student Pascal Lafourcade [98, 165].
Hitoshi Ohsaki, AIST, Osaka, Japan. Cooperation on the verification of protocols using tree automata and rewriting. Several visits in both directions. Memorandum of Understanding on cooperation signed in 2006 between AIST and LSV. Applied to JST/CNRS for a 3-year cooperation project, starting January 2007 (decision pending).

More informal collaborations with several other people; see Section . In France, we feel close to Yassine Lakhnech, Verimag, Grenoble, and to Michael Rusinowitch, CASSIS, LORIA, Nancy, notably.

External support

1.1: RNTL EVA, ACI cryptologie VERNAM, ACI jeunes chercheurs Sécurité informatique, protocoles cryptographiques et détection d'intrusion (Jean Goubault-Larrecq), INRIA-Tunisia project 06/I09 Conception et réalisation d'un système de démonstration automatique par récurrence. Application à la validation de protocoles et de systèmes distribués, (Initiated, 2005.)
1.2: RNTL Prouvé, ACI SI Rossignol,
1.3: ARA SSIA FormaCrypt, (Started informally, 2005.)
1.4: ACI cryptologie Psi-Robuste,
Short-term industrial contracts: Aud System, security evaluation, 2004 (Julien Olivain, Jean Goubault-Larrecq); Lex Persona, security evaluation, 2005 (Steve Kremer, http://).

[ABW06] M. Abadi, M. Baudet, B. Warinschi, Guessing Attacks and the Computational Soundness of Static Equivalence, in : Proceedings of the 9th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS 06), L. Aceto, A. Ingólfsdóttir (editors), Lecture Notes in Computer Science, 3921, Springer, p , Vienna, Austria, March 2006, Fossacs06.pdf.
[AC04] M. Abadi, V. Cortier, Deciding Knowledge in Security Protocols under Equational Theories, in : Proc. 31st Int. Coll. Automata, Languages, and Programming (ICALP 2004), Springer-Verlag LNCS 3142, p , Turku, Finland, July
[AC05] M. Abadi, V. Cortier, Deciding Knowledge in Security Protocols under (Many More) Equational Theories, in : Proc. 18th IEEE Computer Security Foundations Workshop (CSFW 05), IEEE Comp. Soc. Press, p , Aix-en-Provence, France, June

Self assessment

The cryptographic protocol part of SECSI is very lively, and has in fact engulfed most of SECSI. Objectives 1.1 and 1.2 are now strongholds of SECSI, while objectives 1.3 and 1.4 provide exciting new opportunities for the future.

SECSI is originally a group created by people from automated deduction and logics. There was a risk that SECSI could be seen as merely a group of logicians who took an opportunity to apply their techniques in the security field. A strong point of SECSI is that SECSI is now taken seriously in security circles. One could still do better and penetrate the crypto world, i.e., submit to conferences such as Crypto or Eurocrypt. Objective 1.3 notably is a very relevant research direction.

Another strong point is the large number of funded projects that SECSI has engaged in, in this objective. SECSI also has many links with various important groups worldwide.

SECSI does not really have any weak point related to this objective, as far as we know.

Objective 1.1 is solid, and now serves as a basis for most others. Objectives 1.2, 1.3 and 1.4 should be strongly supported. A new objective on handling the probabilistic aspects of some protocols in formal methods was born in 2006, and led to the creation of the INRIA ARC ProNoBis (goubault/pronobis/pronobis1index.html), together with Catuscia Palamidessi's Comète project-team, Futurs. This is yet another promising research direction, dealing with semantics, bisimulations, and evaluating evidence in environments where both demonically non-deterministic and probabilistic choices enter the scene.

2.5 Objective 2 : Executive summary

The activities of SECSI in intrusion detection were concentrated into developing the Orchids misuse detection tool. The starting ideas were exposed in [RGL01], and Julien Olivain (temporary engineer on RNTL DICO, 2003; INRIA ingénieur associé, ), who is the main developer, still works occasionally on Orchids in Montréal. Technically, Orchids is probably one of the most efficient and most expressive intrusion detection systems existing today.
Its purpose is to detect attacks based on attack signatures, which are essentially temporal logic formulae, allowing for temporal and field-based correlation between events.

Personnel

Jean Goubault-Larrecq, Julien Olivain (engineer), Stéphane Demri (researcher), Elie Bursztein (PhD student)

Project-team positioning

The system closest to Orchids is probably GnG, developed at Supélec Rennes (Eric Totel, Ludovic Mé). Due to the fact that Julien Olivain comes from an engineering school, Orchids has less the flavor of an academic prototype than of a full-featured product. As far as we know, there is no competing product today.

In general, there are many groups working in intrusion detection around the world. The main international groups in misuse intrusion detection are the STAT team (UC Santa Barbara, USA; P. Porras, G. Vigna, R. Kemmerer, K. Ilgun), the IDIOT team (Purdue U., Indiana, USA; S. Kumar, E. Spafford), the BRO team (Lawrence Berkeley National Lab.; V. Paxson), and the UC Davis group. The most well-known system of this kind is Snort (M. Roesch). This is mostly a single-event system. Orchids uses it as one of its numerous input sources.

The main groups in France are Supélec (Rennes; Ludovic Mé), France Télécom R&D (Caen; Hervé Debar), Eurécom (Sophia-Antipolis; Marc Dacier), ENST (Rennes; Frédéric Cuppens), U. Artois (Lens; Salem Benferhat). Two other INRIA teams are occasionally interested in intrusion detection: Lande (Rennes; Mireille Ducassé), and Cassis (Nancy; Michael Rusinowitch).

[RGL01] M. Roger, J. Goubault-Larrecq, Log Auditing through Model Checking, in : Proc. 14th IEEE Computer Security Foundations Workshop (CSFW 01), Cape Breton, Nova Scotia, Canada, June 2001, IEEE Comp. Soc. Press, p , 2001, fr/publis/papers/roggou-csfw01.ps.

Scientific achievements

The main effort in this objective was to develop and improve Orchids. During this effort, new ideas have naturally come up. None has been published yet. One is on detecting subverted cryptographic flows through on-line entropy estimation [OGL06], and has been implemented in the Net-entropy sensor to Orchids. Another one is on using interval-based temporal logics to deal with time, and in particular with clock drift and clock resolutions [DGLO06], based on a 2003 idea of Julien Olivain's. The Orchids system was presented at the CAV 2005 conference [106].

Software: Orchids, Net-entropy (http:// olivain/net-entropy/), Evtgen (fr/ olivain/evtgen/).

Collaborations

Collaboration in the RNTL DICO project (below) consisted in exchanging ideas, comparing algorithms, learning about problems to be solved. Outcome consisted in deliverables [147, 140].

External support

RNTL project DICO (Détection d'Intrusions COopérative), ACI jeunes chercheurs Sécurité informatique, protocoles cryptographiques et détection d'intrusion (Jean Goubault-Larrecq),

Self assessment

Strong points: high technical quality of the Orchids tool; very good ideas, mostly by Julien Olivain.
Weak points: few publications (slow writing rate; e.g., paper [DGLO06] is the third major revision of a paper started in 2002, not yet published); no technology transfer, despite intense efforts (all attempts failed; eventually Orchids acquired Cecill 2 [GPL] status); could not recruit high-quality researchers on the intrusion detection theme (except Julien Olivain [ ], and Elie Bursztein [PhD, 2005-]).

The intrusion detection activity at SECSI should be stopped. This was very time-consuming, and brought little return. Papers in the queue should nonetheless be completed, and Elie Bursztein's PhD thesis will proceed ( ). I still hope that the Orchids system could become more well-known; unfortunately, merely maintaining it requires some personnel. Julien Olivain is still occasionally working on it in Montréal. Informal collaborations between him and Ecole Polytechnique de Montréal (Samuel Pierre, José Fernandez, John Mullins), and U. du Québec à Montréal (Romdhane Ben Younès) have started.

[OGL06] J. Olivain, J. Goubault-Larrecq, Detecting Subverted Cryptographic Protocols by Entropy Checking, Research Report number LSV-06-13, Laboratoire Spécification et Vérification, ENS Cachan, France, June 2006, 19 pages, RAPPORTS LSV/PDF/rr-lsv pdf.
[DGLO06] S. Demri, J. Goubault-Larrecq, J. Olivain, Handling Time in Misuse Detection Systems, In preparation,

2.6 Objective 3 : Executive summary

Let us first recall that objective 3 was more prospective than the other two, and was meant mostly as a guideline for the investigation of emerging security problems requiring logical treatment. And indeed, trying to profit from failed proofs of security to feed an intrusion detection system [123] turned out not to be so interesting or feasible. On the other hand, monitoring actual programs implementing cryptographic protocols is interesting. One of our guidelines in objective 3 was to find useful techniques that could increase the confidence we may have in large code implementing cryptographic protocols, typically OpenSSL. This led to an effort on inventing static analysis techniques to detect secrecy leaks in actual programs, as opposed to idealized protocols.

Personnel

Jean Goubault-Larrecq, Shalendra Chhabra (ITBHU intern), Fabrice Parrennes (postdoc, then 1/2-ATER)

Project-team positioning

One might reasonably say that this objective eventually turned into one on static analysis techniques for security. While there are many groups working on static analysis around the world, in Europe and in France, almost none works on applications to security. Notable exceptions are the works by Volpano and Smith (resp. Naval Postgraduate School, Monterey, CA and Florida Intl. University, Miami, FL, USA), by Castellani and Boudol (INRIA Sophia), by Zdancewic and Myers (Cornell U., Ithaca, NY, USA), or by Giacobazzi et al. (Pisa, Italy) on typing systems for non-interference.
Traditional dataflow analysis or abstract interpretation groups have been more interested in safety than in security. In particular, recent successes have been obtained in static analyzers that detect very simple run-time errors (e.g., array bounds overflow) on large programs: see PolySpace Technologies, or Patrick Cousot's endeavor around the Astrée analyzer. On the other hand, security properties, even just weak secrecy, are complex properties. Interest has recently arisen on this topic at Microsoft Research, Cambridge, UK.

Scientific achievements
The initial goal of this objective was explored by Sh. Chhabra [123]. Work on detecting leakage of confidential data in programs written in C (with an eye on the OpenSSL implementation) was conducted by Jean Goubault-Larrecq and Fabrice Parrennes ( ). This led to a prototype tool, named Csur [180], and a paper the next year [90]. (An extended and corrected version was submitted to TCS in June 2005, but we have had no news of this submission since then.) This paper was abundantly referred to by Andrew Gordon (Microsoft Research, Cambridge, UK) in his invited talk at CAV 06. The main point is that our techniques show the promise of scaling up techniques used on protocols of a few lines to analyzing actual programs of several thousand lines, in real programming languages including pointers notably.

Software: CSur (

Collaborations
None formal. Informal visits at U. Laval, Québec (Nadia Tawbi, Josée Desharnais, François Laviolette) and conversely.

External support
ACI cryptologie Psi-Robuste, ACI jeunes chercheurs Sécurité informatique, protocoles cryptographiques et détection d'intrusion (Jean Goubault-Larrecq),

Self assessment
Strong point: opened a new field, that of abstract interpretation for security properties (à la Dolev-Yao) on real programs, not just idealized protocol specifications.

Weak point: nobody works on this theme any longer at SECSI. Of the people participating in this objective, only Jean Goubault-Larrecq remains, but no longer works on it. As a matter of fact, static analysis for security is now a dormant theme at SECSI.

This objective is therefore de facto stopped. However, static analysis techniques are an important toolbox for verification, in particular if we are to find techniques that scale up to large programs. I propose to consider static analysis no longer as an objective, but as a bag of tools we can use on specific occasions. Some preliminary work has started with U. Laval (Québec, Canada; Nadia Tawbi), and Jean-Loup Carré has started (2006) a PhD thesis on a CIFRE grant with EADS (Suresnes, France; Charles Hymans, co-advisor) and LSV/SECSI (Jean Goubault-Larrecq, co-advisor) on static analysis techniques for multi-threaded programs.

3 Knowledge dissemination

Publications
For simplicity, year 1=2002,..., year 4=2005, although SECSI was formally created as project team in Dec I also include editions of special issues of journals and conference proceedings under the Book (edited) category.
year1 year2 year3 year4
PhD Thesis 4 1
H.D.R (*) 1
Journal
Conference proceedings (**)
Book chapter
Book (written) 1
Book (edited) 2
Patent
Technical report
Deliverable
(*) HDR Habilitation à diriger des Recherches
(**) Conference with a program committee

Indicate the major journals in the field and, for each, indicate the number of papers coauthored by members of the project-team that have been accepted during the evaluation period.
1. Information and Computation:
2. Journal of Logic and Computation:
3. Theoretical Computer Science:
4. ACM Transactions on Computational Logic:
5. Mathematical Structures in Computer Science:
6. Journal of Logic and Algebraic Programming: 1.

Indicate the major conferences in the field and, for each, indicate the number of papers coauthored by members of the project-team that have been accepted during the evaluation period.
1. Computer Security Foundations Workshop (CSFW):
2. Int. Conf. Computer and Communications Security (CCS):
3. IEEE/ACM Symp. Logics in Computer Science (LICS):
4. Int. Coll. on Automata, Languages, and Programming (ICALP):
5. Int. Conf. Concurrency Theory (CONCUR):
6. Int. Conf. Computer Aided Verification (CAV):
7. Int. Conf. Theoretical Aspects of Computer Science (STACS):
8. Symp. Principles of Programming Languages (POPL): 1
9. Foundations of Software Science and Computation Structures (FOSSACS):
10. Int. Conf. Computer Science Logic (CSL):
11. Int. Conf. Rewriting Techniques and Applications (RTA):
12. European Symposium on Programming (ESOP):
13. Int. Conf. Foundations of Software Technology and Theoretical Computer Science (FST&TCS):
14. Int. Conf. Logic for Programming, Artificial Intelligence, and Reasoning (LPAR): 1.

3.1 Software

CSur (Objective 3.)
A static analyzer for C programs whose goal is to detect leaks of secret information in a suitable Dolev-Yao model [90], while dealing with pointer arithmetic. Outputs clauses that are fed to h1 (see below). Licence: specific ( Impact: good feedback from Microsoft Research, Cambridge (C. Fournet, A. Gordon); 46 references from Google csur goubault parrennes, of which 13 different. Competitors: none. Implemented in C. Authors: Fabrice Parrennes, Jean Goubault-Larrecq.

EVAtrans (Objective 1.1.)
The EVA translator. Translates cryptographic protocols written in standard notation to input formats of several cryptographic protocol verifiers (Hermès, Securify [see below], h1 [see below]). In passing, does type inference and message well-formedness checking. Developed in the framework of RNTL project EVA. Licence: specific (similar to that of CSur). Impact: 1 contact; 43 references from Google evatrans EVA translator, of which 16 different. Competitors: CASRUL (CASSIS, LORIA), CAPSL (SRI). Implemented in OCaml. Current version: 2. Author: Florent Jacquemard. First version by Jean Goubault-Larrecq.

EvtGen (Objective 2.)
A generic discrete event simulator based on Markov chains. Used to build artificial, realistic event sources to test intrusion detection systems, in particular Orchids [see below]. Developed as part of the RNTL project DICO. olivain/evtgen/. Licence: specific (similar to CSur). Impact: at the time of DICO, several users, mostly at Supélec Rennes; 26 references from Google evtgen olivain, of which 6 different. Competitors: none known. Implemented in C. Author: Julien Olivain.

h1 (Objective 1.1.)
The h1 tool suite. A library of tools around the decidable class H1 [42]. Can be seen as a library of finite tree automata handling tools, or as dealing with set constraints. goubault/h1.dist/dh1index.html Licence: GPL. Impact: negligible; 102 references from Google h1 tool suite Goubault, of which 21 different. Competitors: for the h1 prover (the main tool of the suite), any first-order automated prover, see SPASS or Vampire; concerning the other tools (the h1mc model-checker, which in particular allows for building a Coq proof of the non-existence of a proof, the h1trace trace extractor, or the pldet determinizer notably), none. Experimental evaluation at goubault/h1.dist/ dh1003.html. Implemented in HimML and C. Current version: 1.1. Author: Jean Goubault-Larrecq.

HimML
HimML is a map-oriented ML: an implementation of the Standard ML language (bytecode compiler, toplevel loop, HimML to C compiler, debugger, profiler) with native and efficient finite set and map operations. goubault/himml-dwnld.html Licence: GPL. Impact: negligible. Mostly used by Jean Goubault-Larrecq as a secret weapon as far as programming languages matter; 270 references from Google HimML Goubault, of which 40 different. Competitors: SML/NJ, Ocaml. Implemented in C. Current version: 1.0α18. Author: Jean Goubault-Larrecq.

ISpi (Objective 1.1, 1.2.)
ISpi is a cryptographic protocol verifier, taking as input protocols written in a variant of the spi-calculus, with a syntax as compatible as possible with B. Blanchet's ProVerif. Compiles to clauses fed to h1. Developed as part of the RNTL project Prouvé. goubault/ispi/ Licence: GPL. Impact: none (not yet finished); 109 references from Google ISpi Goubault, of which 9 different. Competitors: ProVerif. Implemented in HimML. Current version: 1.0. Author: Jean Goubault-Larrecq.

Net-Entropy (Objective 2.)
An entropy checker for ciphered network connections, described in [OGL06]. One of the original sensors to Orchids. olivain/net-entropy/ Licence: GPL. Impact: negligible; 14 references from Google Net-entropy Olivain, of which 7 different. Competitors: PAYL (Columbia University) does something seemingly close, but really different. Implemented in C. Author: Julien Olivain.

Orchids (Objective 2.)
An efficient, on-line, real-time, multi-event intrusion detection system originally based on model-checking ideas [106]. Licence: Cecill 2 (GPL). Impact: negligible (yet?); 59 references from Google Orchids intrusion detection Olivain, of which 22 different. Competitors: GnG (Supélec Rennes). Implemented in C. Authors: Julien Olivain, Jean Goubault-Larrecq (for initial ideas and algorithms, and a previous prototype).
PROUVÉ parser library (Objective 1.2)
A library providing functions for transforming specifications of cryptographic protocols written in the PROUVÉ language into abstract syntax, and for performing a static analysis on the specification. Licence: LGPL. Impact: Used as frontend of the protocol verification tools CASRUL and HERMES inside the PROUVÉ project. A cooperation with AIST (Japan) about integration into the ACTAS verification tool is ongoing; 110 references from Google prouvé cryptographic protocol treinen, of which 28 different. Competitors: none. Implemented in Objective Caml. Author: Ralf Treinen.

Securify (Objective 1.1.)
A cryptographic protocol verification tool. Developed as part of the RNTL project EVA. cortier/eva/eva-comp.php Licence: specific (similar to CSur). Impact: 94 references from Google Securify Cortier, of which 25 different. Competitors: ProVerif. Implemented in C, OCaml, HimML. Current version: 2. Authors: Stéphanie Delaune (v.2), Véronique Cortier (v.1).

SPORE (Objective 1.)
The Security Protocol Open Repository. The purpose of this page is to continue online the seminal work of Clark and Jacob [CJ97], updating their base of security protocols. Initially developed as part of the RNTL project EVA. Licence: none. Impact: 323 references from Google SPORE security protocols open repository, of which 47 different. Competitors: none. Authors: Florent Jacquemard, Ralf Treinen, Hubert Comon-Lundh.

Valorization and technology transfer
Orchids has until now resisted all technology transfer attempts. We have had contacts with several industrial partners, some of which claimed they were definitely interested (NetSecureOne, SAP, Mandriva). None led to anything concrete.
Our experience in the security of cryptographic protocols led to two consultancy contracts: Aud System, 2004 (Julien Olivain, Jean Goubault-Larrecq); Lex Persona, 2005 (Steve Kremer, French firms traditionally prefer contracts with academics that are funded through public grants: Trusted Logic, Versailles (through RNTL EVA), France Télécom R&D (Lannion, through RNTL Prouvé; Caen, through RNTL DICO), CRIL Technologie, Melun (through RNTL Prouvé), NetSecureOne (through RNTL DICO).

[CJ97] J. Clark, J. Jacob, A Survey of Authentication Protocol Literature: Version 1.0, Posted at the University of York on the Secure Network page under the link Security Protocols Review, November 1997, cheng/link/clarkjacob.pdf.

3.2 Teaching

Each full-time teaching staff member teaches roughly 192 TD-equivalent hours per year. Each exercise session (TD) hour counts for one hour. Each programming session (TP) hour counts for 2/3 hour. Each lecture hour counts for 1.5 hours. This is valid for Jean Goubault-Larrecq, Hubert Comon-Lundh, and Ralf Treinen (except for his two-year delegation period). Their main teaching duties are in the magistère STIC of the ENS Cachan (level L3 Licence), and the Master Parisien de Recherche en Informatique (MPRI; mostly level M2 DEA). Several PhD students are moniteurs, which includes a 64h. yearly duty.

Courses:
Algorithms, maximal flow problems, NP-completeness, and approximation. 15h. lecture in (Stéphane Demri). Magistère STIC, first year ( level L3), ENS Cachan.
Analyse statique (static analysis of code), 2 × 20h. lecture in 2002, 2003 (Jean Goubault-Larrecq). DESS Développement de Logiciels Sûrs, Paris.
Analyse statique (static analysis of code), 20h. lecture in 2004 (Jean Goubault-Larrecq), 12h. TD in 2004 (Vincent Bernat). Magistère STIC, second year ( level M1), ENS Cachan.
Calculabilité et complexité (computability and complexity), 2 × 40h. lecture in 2004, 2005 (Hubert Comon-Lundh, Jean Goubault-Larrecq). 56h. TD-equivalent in 2004 (Ralf Treinen). 10h. TD in 2005 (Steve Kremer). Magistère STIC, first year ( level L3), ENS Cachan.
Calculabilité 2 (computability 2) 80h. TD-equivalent (lecture+td) in 2003 (Hubert Comon-Lundh, Ralf Treinen). Magistère STIC, first year (level L3), ENS Cachan.
Complexité 2 (complexity 2) 22h. lecture in 2005 (Jean Goubault-Larrecq). Magistère STIC, first year (level L3), ENS Cachan.
Complexité du model-checking (model-checking complexity) 20h. lecture in 2002 (Stéphane Demri), 15h. lecture in 2004 (Stéphane Demri). DEA Algorithmique, Paris.
Computer Networks 4h. lecture + 4h. TD in 2004 (Julien Olivain). Magistère STIC, first year ( level L3), ENS Cachan.
Computer Security 2 × 1h. lecture in 2004, 2005 (Steve Kremer; as part of Mark D. Ryan's course). University of Birmingham, UK.
Concurrency and Operating Systems 20h. lecture in 2005 (Hubert Comon-Lundh). Magistère STIC, first year ( level L3), ENS Cachan.
Cryptography and cryptographic protocols. 2 × 3h. lecture in 2004, 2005 (Jean Goubault-Larrecq). Préparation à l'agrégation (no international equivalent), department of economics, third year, ENS Cachan.
Cryptography and cryptographic protocols. 3h. lecture in 2005 (Jean Goubault-Larrecq). Regards croisés programme (series of lectures common to Math and Physics students), level M1, ENS Cachan.
Démonstration automatique (automated deduction), 16h. lecture in 2002 (Jean Goubault-Larrecq). DEA Programmation, Paris. Then 2 × 15h. lecture in 2004, 2005 (Jean Goubault-Larrecq). Magistère MPRI, level M2, Paris.
Démonstration automatique (automated deduction), 15h. lecture in 2004 (Jean Goubault-Larrecq). Magistère STIC, second year ( level M1), ENS Cachan.

Formal verification of security protocols 6 h. lecture (Steve Kremer). Master Sécurité des Systèmes Informatiques (security of computer systems), level M2, Paris 12.
Langages formels (formal language theory), 15h. lecture in 2004 (Hubert Comon-Lundh). Magistère STIC, second year ( level M1), ENS Cachan.
Logique (logic) 2 × 80h. TD-equivalent (lecture+td) in and (Hubert Comon-Lundh, Ralf Treinen). Magistère STIC, first year (level L3), ENS Cachan.
Logique (logic) 2 × 20h. lecture in 2004, 2005 (Hubert Comon-Lundh). 23 h. TD-equivalent in 2004 (lecture+td; Ralf Treinen). 12h. TD in 2005 (TD; Mathieu Baudet). Magistère STIC, first year ( level L3), ENS Cachan.
Logique et automates (logic and automata) 20h. lecture in 2002 (Hubert Comon-Lundh). DEA Programmation, Paris.
Logique et automates (logic and automata) 60h. TD-equivalent in (Hubert Comon-Lundh, Ralf Treinen). 14h. TD-equivalent in 2004 (Ralf Treinen). Magistère STIC, second year ( level M1), ENS Cachan.
Logique et informatique (lambda-calculus), 3 × 24h. lecture in 2002, 2003, 2004, 2005 (Jean Goubault-Larrecq; TD by Maribel Fernández in 2002), 3 × 24h. TD (Florent Jacquemard in 2003, 2004, and 2005). Common to Magistère STIC (ENS Cachan) and Magistère MMFAI (ENS Paris).
Programmation 1 40h. TD-equivalent (lecture+td) in 2002 (Jean Goubault-Larrecq). 3 × 30h. TD-equivalent in 2003, 2004, 2005 (Jean Goubault-Larrecq). Magistère STIC (level L3), ENS Cachan.
Programmation 2 40h. TD-equivalent in 2003 (Ralf Treinen). 44h. TD-equivalent in 2004 (Ralf Treinen). Magistère STIC, first year (level L3), ENS Cachan.
Résolution de contraintes (constraint resolution) 12 h. lecture in (Ralf Treinen). DEA Programmation, Paris.
Tableau methods and temporal logics 3h. lecture (Stéphane Demri). Magistère MPRI, level M2, Paris.
Temporal logics 12 h. lecture (Stéphane Demri). Magistère MPRI, level M2, Paris.
Tree automata, techniques and applications. 24h. lecture in 2005 (Hubert Comon-Lundh, Florent Jacquemard). Magistère MPRI, level M2, Paris.
Vérification de systèmes concurrents (verification of concurrent systems) 15h. TD-equivalent (Ralf Treinen, 2003). DEA Programmation, Paris.
Verification of Cryptographic Protocols and automated deduction. 2 × 20h. lecture in 2002, 2003 (Jean Goubault-Larrecq, Hubert Comon-Lundh). DEA Programmation, Paris.

Other exercise and programming sessions:
Algorithmics Alexandre Boisseau, as moniteur. 32h., second term 2002; 32h., second term ISTY (engineering school), U. Versailles Saint-Quentin en Yvelines.

C++ programming sessions Véronique Cortier, as moniteur, first term 2002, h. Vincent Bernat, 2004, 34h. Magistère of electrical engineering, first year ( level L3), ENS Cachan.
Computability Véronique Cortier, as moniteur, second term 2002, h. Magistère MathInfo (mathematics and computer science), first year ( level L3), ENS Cachan.
Database Pascal Lafourcade, h. TD. IUT Fontainebleau, first year.
Finite automata Stéphanie Delaune, as moniteur, h. Licence 2, U. Paris 7.
Introduction to programming Pascal Lafourcade, TD+TP. 64 h. DEUG MIAS, first year, U. Paris 12, Créteil.
Java programming Stéphanie Delaune, as moniteur, h. DEUG MIAS, U. Paris 7.
Java programming Stéphanie Delaune, as moniteur, h. Licence 1, U. Paris 7.
Network programming Vincent Bernat, h. Magistère STIC, first year ( level L3), ENS Cachan.
Systems programming and networks Pascal Lafourcade, TP. 32h. IUT Fontainebleau, second year.
Programmation avancée (advanced programming) Fabrice Parrennes, as 1/2 ATER, , 96h. Magistère STIC, second year ( level M1).

Miscellaneous:
Computer security Introductory talk at the conférence de rentrée (freshman conference), Jean Goubault-Larrecq. 1h. ENS Cachan, first year ( level L2).

All PhD students at SECSI, and more generally at LSV, are registered at the Ecole Doctorale Sciences Pratiques (EDSP), ENS Cachan.

3.3 Visibility

Special issues
Jean Goubault-Larrecq edited a special issue of the Journal of Telecommunications and Information Technology on models and methods for cryptographic protocol verification [41],

Organizing committees
Ralf Treinen, UNIF 02 (International Workshop on Unification, satellite of FloC 2002); UNIF 04 (International Workshop on Unification, satellite of IJCAR 2004), Cork, Ireland, 2004; RDP 2007 (Federated Conference on Rewriting, Deduction and Programming 1).
Stéphane Demri, Perspectives in Verification meeting, ENS Cachan,
Steve Kremer, 1st Workshop on the Link between Formal and Computational Models, ENS Paris,
The organization effort started in

1 LSV/SECSI is organizing, together with the Cédric lab of CNAM and the PPS lab of University Paris 7 the International Conference of Rewriting, Deduction, and Programming (RDP 07), to be held June 25 29, 2007 in Paris. This federated conference comprises the two major conferences Rewriting Techniques and Applications (RTA) and Typed Lambda Calculi and Applications (TLCA), as well as 8 one-day workshops. URL:


More information

Automated Theorem Proving - summary of lecture 1

Automated Theorem Proving - summary of lecture 1 Automated Theorem Proving - summary of lecture 1 1 Introduction Automated Theorem Proving (ATP) deals with the development of computer programs that show that some statement is a logical consequence of

More information

Motivations 1. What is (or should be) the essential preoccupation of computer scientists?

Motivations 1. What is (or should be) the essential preoccupation of computer scientists? Improving Systems Quality Challenges and Trends An Abstract Interpretation Perspective Patrick COUSOT École Normale Supérieure 45 rue d Ulm, 75230 Paris cedex 05, France Patrick.Cousot@ens.fr www.di.ens.fr/

More information

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

More information

Effective Symbolic Protocol Analysis via Equational Irreducibility Conditions

Effective Symbolic Protocol Analysis via Equational Irreducibility Conditions Effective Symbolic Protocol Analysis via Equational Irreducibility Conditions Serdar Erbatur 1, Santiago Escobar 2, Deepak Kapur 3, Zhiqiang Liu 4, Christopher Lynch 4, Catherine Meadows 5, José Meseguer

More information

LEVERAGING DEDUCTIVE VERIFICATION IN INDUSTRIAL CONTEXTS

LEVERAGING DEDUCTIVE VERIFICATION IN INDUSTRIAL CONTEXTS LEVERAGING DEDUCTIVE VERIFICATION IN INDUSTRIAL CONTEXTS CEA S SOFTWARE SAFETY LABORATORY 1995: LEAP FROM DYNAMIC TO STATIC CODE ANALYSIS! CAVEAT: ARCHITECTURE C source code VC Generator Formal specifications

More information

Fabien Hermenier. 2bis rue Bon Secours 44000 Nantes. hermenierfabien@gmail.com http://www.emn.fr/x-info/fhermeni/

Fabien Hermenier. 2bis rue Bon Secours 44000 Nantes. hermenierfabien@gmail.com http://www.emn.fr/x-info/fhermeni/ Fabien Hermenier 2bis rue Bon Secours 44000 Nantes hermenierfabien@gmail.com http://www.emn.fr/x-info/fhermeni/ Activities Oct. 2009 - Sep. 2010 : Post-doctoral researcher École des Mines de Nantes, ASCOLA

More information

Static analysis: from theory to practice

Static analysis: from theory to practice Static analysis: from theory to practice David Monniaux CNRS / VERIMAG A joint laboratory of CNRS, Université Joseph Fourier (Grenoble) and Grenoble-INP. 19 juin 2009 David Monniaux (VERIMAG) Static analysis:

More information

PROGRAM LOGICS FOR CERTIFIED COMPILERS

PROGRAM LOGICS FOR CERTIFIED COMPILERS PROGRAM LOGICS FOR CERTIFIED COMPILERS Separation logic is the twenty-first-century variant of Hoare logic that permits verification of pointer-manipulating programs. This book covers practical and theoretical

More information

An Overview of Common Adversary Models

An Overview of Common Adversary Models An Overview of Common Adversary Karl Palmskog palmskog@kth.se 2012-03-29 Introduction Requirements of Software Systems 1 Functional Correctness: partial, termination, liveness, safety,... 2 Nonfunctional

More information

«Object-Oriented Multi-Methods in Cecil» Craig Chambers (Cours IFT6310, H08)

«Object-Oriented Multi-Methods in Cecil» Craig Chambers (Cours IFT6310, H08) «Object-Oriented Multi-Methods in Cecil» Craig Chambers (Cours IFT6310, H08) Mathieu Lemoine 2008/02/25 Craig Chambers : Professeur à l Université de Washington au département de Computer Science and Engineering,

More information

ZQL. a cryptographic compiler for processing private data. George Danezis. Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo

ZQL. a cryptographic compiler for processing private data. George Danezis. Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo ZQL Work in progress a cryptographic compiler for processing private data George Danezis Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo Microsoft Research and Joint INRIA-MSR Centre Data

More information

Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones

Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones Gwenaëlle Martinet 1, Guillaume Poupard 1, and Philippe Sola 2 1 DCSSI Crypto Lab, 51 boulevard de La Tour-Maubourg

More information

Introducing Formal Methods. Software Engineering and Formal Methods

Introducing Formal Methods. Software Engineering and Formal Methods Introducing Formal Methods Formal Methods for Software Specification and Analysis: An Overview 1 Software Engineering and Formal Methods Every Software engineering methodology is based on a recommended

More information

Séjours dans des centres de recherche

Séjours dans des centres de recherche Juin 2009 Olivier Gossner email: gossner@ens.fr www: http://ogossner.free.fr/ Paris School of Economics 48 Boulevard Jourdan 75014 Paris, France Formation Habilitation à diriger les recherches, 2004 Ph.D.

More information

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

More information

Curriculum Vitae. Claude Barral. 1984 1988 Baccalaureat (E-level) : Mathematics and Technologies Lycée polyvalent Antonin Artaud, Marseille, France

Curriculum Vitae. Claude Barral. 1984 1988 Baccalaureat (E-level) : Mathematics and Technologies Lycée polyvalent Antonin Artaud, Marseille, France Curriculum Vitae Address n o 6 La Bastide Samat 13119 Saint Savournin, France Phone: +33.4.42.32.36.92 Mobile Phone: +33.6.86.83.19.55 Email: claude.barral@gmail.com Homepage: http://www.linkedin.com/in/cbarral

More information

1999 2004 Diploma (5-year degree), School of Applied Mathematics and Physics, NTUA (Greece) Major: Computer Science and Applied Mathematics.

1999 2004 Diploma (5-year degree), School of Applied Mathematics and Physics, NTUA (Greece) Major: Computer Science and Applied Mathematics. Curriculum Vitae Vassilis Zikas Postdoctoral Researcher, UCLA University of California, Los Angeles Los Angeles, CA 90095-1596 +1 (424) 781-7942 vzikas@cs.ucla.edu www.cs.ucla.edu/~vzikas Education 2006

More information

Security Requirements Analysis of Web Applications using UML

Security Requirements Analysis of Web Applications using UML Security Requirements Analysis of Web Applications using UML Salim Chehida 1, Mustapha kamel Rahmouni 2 1 Department of Informatics, University of Mostaganem, Algeria salimchehida@yahoo.fr 2 Department

More information

Numerical Methods for Fusion. Lectures SMF session (19-23 July): Research projects: Organizers:

Numerical Methods for Fusion. Lectures SMF session (19-23 July): Research projects: Organizers: CEMRACS 2010 Centre d Eté Mathématique de Recherche Avancée en Calcul Scientifique http://smai.emath.fr/cemracs/cemracs10/ Centre International de Rencontres Mathématiques (CIRM) Marseille, 19 July - 27

More information

MONPOLY: Monitoring Usage-control Policies

MONPOLY: Monitoring Usage-control Policies MONPOLY: Monitoring Usage-control Policies David Basin, Matúš Harvan, Felix Klaedtke, and Eugen Zălinescu Computer Science Department, ETH Zurich, Switzerland 1 Introduction Determining whether the usage

More information

The ProB Animator and Model Checker for B

The ProB Animator and Model Checker for B The ProB Animator and Model Checker for B A Tool Description Michael Leuschel and Michael Butler Department of Electronics and Computer Science University of Southampton Highfield, Southampton, SO17 1BJ,

More information

Formal Analysis of Authentication in Bluetooth Device Pairing

Formal Analysis of Authentication in Bluetooth Device Pairing Formal Analysis of Authentication in Bluetooth Device Pairing Richard Chang and Vitaly Shmatikov The University of Texas at Austin Abstract. Bluetooth is a popular standard for short-range wireless communications.

More information

Smart Secure Devices & Embedded Operating Systems

Smart Secure Devices & Embedded Operating Systems Smart Secure Devices & Embedded Operating Systems Contact: pierre.dusart@unilim.fr Team: XLIM/DMI/SSD Limoges/FRANCE Technology involved ibutton USB token Contactless Prices of these objects: less than

More information

Object-Oriented Software Specification in Programming Language Design and Implementation

Object-Oriented Software Specification in Programming Language Design and Implementation Object-Oriented Software Specification in Programming Language Design and Implementation Barrett R. Bryant and Viswanathan Vaidyanathan Department of Computer and Information Sciences University of Alabama

More information

Software Modeling and Verification

Software Modeling and Verification Software Modeling and Verification Alessandro Aldini DiSBeF - Sezione STI University of Urbino Carlo Bo Italy 3-4 February 2015 Algorithmic verification Correctness problem Is the software/hardware system

More information

Attack graph analysis using parallel algorithm

Attack graph analysis using parallel algorithm Attack graph analysis using parallel algorithm Dr. Jamali Mohammad (m.jamali@yahoo.com) Ashraf Vahid, MA student of computer software, Shabestar Azad University (vahid.ashraf@yahoo.com) Ashraf Vida, MA

More information

Managing Risks at Runtime in VoIP Networks and Services

Managing Risks at Runtime in VoIP Networks and Services Managing Risks at Runtime in VoIP Networks and Services Oussema Dabbebi, Remi Badonnel, Olivier Festor To cite this version: Oussema Dabbebi, Remi Badonnel, Olivier Festor. Managing Risks at Runtime in

More information

Proposal for a Graduate Certificate in Information Assurance Education Track 2. Submitted. by the. School of Technology West Lafayette Campus

Proposal for a Graduate Certificate in Information Assurance Education Track 2. Submitted. by the. School of Technology West Lafayette Campus Graduate Council Document 03-24a Approved by the Graduate Council 11/20/03 Proposal for a Graduate Certificate in Information Assurance Education Track 2 Submitted by the School of Technology West Lafayette

More information

Design, Modelling and Analysis of a Workflow Reconfiguration

Design, Modelling and Analysis of a Workflow Reconfiguration Design, Modelling and Analysis of a Workflow Reconfiguration Manuel Mazzara 1, Faisal Abouzaid 2, Nicola Dragoni 3, and Anirban Bhattacharyya 1 1 Newcastle University, Newcastle upon Tyne, UK {Manuel.Mazzara,

More information

Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends

Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends FORMA METHODS FOR CRYPTOGRAPHIC PROTOCOL ANALYSIS 1 Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends Catherine Meadows Abstract The history of the application of formal methods

More information

Performance Modeling of TCP/IP in a Wide-Area Network

Performance Modeling of TCP/IP in a Wide-Area Network INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE Performance Modeling of TCP/IP in a Wide-Area Network Eitan Altman, Jean Bolot, Philippe Nain, Driss Elouadghiri, Mohammed Erramdani, Patrick

More information

Curriculum Vitae. Positions

Curriculum Vitae. Positions Curriculum Vitae Luca Castelli Aleardi Professional address : ULB, O8.114, CP 212, Bvd. du Triomphe, 1050 Bruxelles, Belgium Personal address : 52, rue du Couédic, 75014 Paris Tél. : +33 (0)6 63 66 01

More information

Information Security and Cryptography

Information Security and Cryptography Information Security and Cryptography Fundamentals and Applications June 1-3, 2015 Zurich, Switzerland Lecturers: David Basin, ETH Zurich Ueli Maurer, ETH Zurich ATG www.infsec.ch Program Starting 09:00

More information

OUTILS DE DÉMONSTRATION

OUTILS DE DÉMONSTRATION OUTILS DE DÉMONSTRATION AUTOMATIQUE ET PREUVE DE CIRCUITS ÉLECTRONIQUES Laurence Pierre Laboratoire TIMA, Grenoble PREAMBLE Design/validation of embedded applications: Design/validation for the system

More information

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013 FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

More information

EasyCrypt - Lecture 6 Overview and perspectives. Tuesday November 25th

EasyCrypt - Lecture 6 Overview and perspectives. Tuesday November 25th EasyCrypt - Lecture 6 Overview and perspectives Tuesday November 25th EasyCrypt - Lecture 6 Case studies Verified implementations Automated proofs and synthesis Perspectives 2 Inventaire à la Prevert Examples

More information

Curriculum Vitae. Jens Chr. Godskesen. IT University of Copenhagen Rued Langgaards Vej 7, DK-2300 Copenhagen S, Denmark www.itu.

Curriculum Vitae. Jens Chr. Godskesen. IT University of Copenhagen Rued Langgaards Vej 7, DK-2300 Copenhagen S, Denmark www.itu. Curriculum Vitae Jens Chr. Godskesen Date of Birth May 25, 1963 Position Address www Positions Head of Department IT University of Copenhagen Rued Langgaards Vej 7, DK-2300 Copenhagen S, Denmark www.itu.dk/~jcg

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Refinement of Security Protocol Data Types to Java

Refinement of Security Protocol Data Types to Java Refinement of Security Protocol Data Types to Java Holger Grandy, Kurt Stenzel, Wolfgang Reif E-Mail: {grandy, stenzel, reif}@informatik.uni-augsburg.de Abstract. In this paper we illustrate the mapping

More information

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems

More information

Towards Security Analyses of an Identity Federation Protocol for Web Services in Convergent Networks

Towards Security Analyses of an Identity Federation Protocol for Web Services in Convergent Networks Towards Security Analyses of an Identity Federation Protocol for Web Services in Convergent Networks Maurice ter Beek ISTI CNR, Via G Moruzzi 1, 56124 Pisa, Italy Email: mauriceterbeek@isticnrit Corrado

More information

MEASURING THE SIZE OF SMALL FUNCTIONAL ENHANCEMENTS TO SOFTWARE

MEASURING THE SIZE OF SMALL FUNCTIONAL ENHANCEMENTS TO SOFTWARE MEASURING THE SIZE OF SMALL FUNCTIONAL ENHANCEMENTS TO SOFTWARE Marcela Maya, Alain Abran, Pierre Bourque Université du Québec à Montréal P.O. Box 8888 (Centre-Ville) Montréal (Québec), Canada H3C 3P8

More information

Using semantic properties for real time scheduling

Using semantic properties for real time scheduling Using semantic properties for real time scheduling Christian Fotsing, Annie Geniet LISI, ENSMA 1 Av. Clement Ader BP 40109-86961 Futuroscope Chasseneuil-France fotsingc@ensma.fr, annie.geniet@univ-poitiers.fr

More information

DELEGATING LOG MANAGEMENT TO THE CLOUD USING SECURE LOGGING

DELEGATING LOG MANAGEMENT TO THE CLOUD USING SECURE LOGGING Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology ISSN 2320 088X IJCSMC, Vol. 3, Issue.

More information

Master of Science in Computer Science

Master of Science in Computer Science Master of Science in Computer Science Background/Rationale The MSCS program aims to provide both breadth and depth of knowledge in the concepts and techniques related to the theory, design, implementation,

More information

Is it possible to decide whether a cryptographic protocol is secure or not?

Is it possible to decide whether a cryptographic protocol is secure or not? Is it possible to decide whether a cryptographic protocol is secure or not? Hubert Comon and Vitaly Shmatikov Abstract We consider the so called cryptographic protocols whose aim is to ensure some security

More information

Welcome to: M2R Informatique & MoSIG Master of ScienceSep. in Informatics 18, 2009 Joseph 1 / 1Fou

Welcome to: M2R Informatique & MoSIG Master of ScienceSep. in Informatics 18, 2009 Joseph 1 / 1Fou Welcome to: M2R Informatique & MoSIG Master of Science in Informatics Joseph Fourier University of Grenoble & Grenoble INP UFR IMAG http://www-ufrima.imag.fr & ENSIMAG http://ensimag.grenoble-inp.fr Sep.

More information

Programming Risk Assessment Models for Online Security Evaluation Systems

Programming Risk Assessment Models for Online Security Evaluation Systems Programming Risk Assessment Models for Online Security Evaluation Systems Ajith Abraham 1, Crina Grosan 12, Vaclav Snasel 13 1 Machine Intelligence Research Labs, MIR Labs, http://www.mirlabs.org 2 Babes-Bolyai

More information

Master of Science in Ubiquitous Networking and Computing

Master of Science in Ubiquitous Networking and Computing Master of Science in Ubiquitous Networking and Computing Sophia Antipolis, France Guillaume Urvoy-Keller urvoy@i3s.unice.fr http://ubinet.unice.fr Environment University of Nice-Sophia Antipolis. Courses

More information

2 Protocol Analysis, Composability and Computation

2 Protocol Analysis, Composability and Computation 2 Protocol Analysis, Composability and Computation Ross Anderson, Michael Bond Security protocols early days The study of security protocols has been associated with Roger Needham since 1978, when he published

More information

asked the Software Engineering Institute Publishes Software Technology Review A Cliffs Notes Approach for PEOs, PMs, IPTs, and Support Staff

asked the Software Engineering Institute Publishes Software Technology Review A Cliffs Notes Approach for PEOs, PMs, IPTs, and Support Staff ACQUISITION REFERENCE SOURCE Software Engineering Institute Publishes Software Technology Review A Cliffs Notes Approach for PEOs, PMs, IPTs, and Support Staff ROBERT ROSENSTEIN KIMBERLY BRUNE JOHN FOREMAN

More information

Universally Composable Symbolic Analysis of Diffie-Hellman based Key Exchange

Universally Composable Symbolic Analysis of Diffie-Hellman based Key Exchange Universally Composable Symbolic Analysis of Diffie-Hellman based Key Exchange Ran Canetti and Sebastian Gajek School of Computer Science Tel Aviv University, Israel May 20, 2010 Abstract Canetti and Herzog

More information

DiPro - A Tool for Probabilistic Counterexample Generation

DiPro - A Tool for Probabilistic Counterexample Generation DiPro - A Tool for Probabilistic Counterexample Generation Husain Aljazzar, Florian Leitner-Fischer, Stefan Leue, and Dimitar Simeonov University of Konstanz, Germany Abstract. The computation of counterexamples

More information

Lecture 1: Introduction. CS 6903: Modern Cryptography Spring 2009. Nitesh Saxena Polytechnic University

Lecture 1: Introduction. CS 6903: Modern Cryptography Spring 2009. Nitesh Saxena Polytechnic University Lecture 1: Introduction CS 6903: Modern Cryptography Spring 2009 Nitesh Saxena Polytechnic University Outline Administrative Stuff Introductory Technical Stuff Some Pointers Course Web Page http://isis.poly.edu/courses/cs6903-s10

More information

An Automatic Reversible Transformation from Composite to Visitor in Java

An Automatic Reversible Transformation from Composite to Visitor in Java An Automatic Reversible Transformation from Composite to Visitor in Java Akram To cite this version: Akram. An Automatic Reversible Transformation from Composite to Visitor in Java. CIEL 2012, P. Collet,

More information

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

More information

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm Introduction to Formal Methods Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm Outline Introduction Formal Specification Formal Verification Model Checking Theorem Proving Introduction Good papers to

More information

Research Topics in Security and Privacy using Data Science

Research Topics in Security and Privacy using Data Science Research Topics in Security and Privacy using Data Science School of Informatics University of Edinburgh David Aspinall David.Aspinall@ed.ac.uk http://secpriv.inf.ed.ac.uk/ http://cybersec.ed.ac.uk/ Outline

More information

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

More information

Analysis of a Biometric Authentication Protocol for Signature Creation Application

Analysis of a Biometric Authentication Protocol for Signature Creation Application Analysis of a Biometric Authentication Protocol for Signature Creation Application A. Salaiwarakul and M.D.Ryan School of Computer Science, University of Birmingham, UK {A.Salaiwarakul, M.D.Ryan}@cs.bham.ac.uk

More information