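% Chapter I.6 of a French-language encyclopedia; the abstract covers safety
% properties, verification techniques and cryptographic-protocol proof methods.
@incollection{jgl-encyc06,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {Preuve et v{\'e}rification pour la s{\'e}curit{\'e} et la s{\^u}ret{\'e}},
  booktitle = {Encyclop{\'e}die de l'informatique et des syst{\`e}mes d'information},
  editor    = {Akoka, Jacky and Comyn-Wattiau, Isabelle},
  chapter   = {I.6},
  publisher = {Vuibert},
  month     = dec,
  year      = 2006,
  pages     = {683--703},
  url       = {http://www.vuibert.com/livre12401.html},
  abstract  = {La s\^uret\'e, comme la s\'ecurit\'e, \'enonce qu'un mal n'arrive jamais. Le but de cet article est de d\'efinir la notion de propri\'et\'e de s\^uret\'e, et d'en d\'ecrire quelques techniques de v\'erification et de preuve~: model-checking, interpr\'etation abstraite notamment. Apr\`es avoir remarqu\'e qu'il n'y avait pas de s\'ecurit\'e sans s\^uret\'e, il est expliqu\'e que l'analyse de s\'ecurit\'e d'un syst\`eme repose sur un mod\`ele, des hypoth\`eses, des propri\'et\'es \`a v\'erifier, et une architecture de s\'ecurit\'e. Finalement, il est donn\'e un aper\c{c}u de quelques mod\`eles et m\'ethodes de preuve de protocoles cryptographiques.}
}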

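% Workshop paper in the preliminary proceedings of SecReT'06 (implicit-induction
% theorem proving applied to a key distribution protocol).
@inproceedings{BJ-secret06,
  author    = {Bouhoula, Adel and Jacquemard, Florent},
  title     = {Security Protocols Verification with Implicit Induction and Explicit Destructors},
  booktitle = {{P}reliminary {P}roceedings of the 1st {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques ({SecReT}'06)},
  acronym   = {{SecReT}'06},
  editor    = {Fern{\'a}ndez, Maribel and Kirchner, Claude},
  address   = {Venice, Italy},
  month     = jul,
  year      = 2006,
  pages     = {37--44},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-secret06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-secret06.pdf},
  abstract  = {We present a new method for automatic implicit induction theorem proving, and its application for the verification of a key distribution cryptographic protocol. The~method can handle axioms between constructor terms, a~feature generally not supported by other induction procedure. We~use such axioms in order to specify explicit destructors representing cryptographic operators.}
}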

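% ASIAN'06 paper on intruder deduction systems and proof normalisation.
% NOTE(review): month/year (jan 2008) presumably date the LNCS volume of
% revised selected papers, not the 2006 conference -- confirm.
@inproceedings{BC-asian06,
  author    = {Bernat, Vincent and Comon{-}Lundh, Hubert},
  title     = {Normal proofs in intruder theories},
  booktitle = {{R}evised {S}elected {P}apers of the 11th {A}sian {C}omputing {S}cience {C}onference ({ASIAN}'06)},
  acronym   = {{ASIAN}'06},
  editor    = {Okada, Mitsu and Satoh, Ichiro},
  series    = {Lecture Notes in Computer Science},
  volume    = 4435,
  publisher = {Springer},
  address   = {Tokyo, Japan},
  month     = jan,
  year      = 2008,
  pages     = {151--166},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BC-asian06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BC-asian06.pdf},
  doi       = {10.1007/978-3-540-77505-8_12},
  abstract  = {Given an arbitrary intruder deduction capability, modeled as an inference system~\(\mathcal{S}\) and a protocol, we show how to compute an inference system~\(\widehat{\mathcal{S}}\) such that the security problem for an unbounded number of sessions is equivalent to the deducibility of some message in~\(\widehat{\mathcal{S}}\). Then, assuming that \(\mathcal{S}\)~has some subformula property, we lift such a property to~\(\widehat{\mathcal{S}}\), thanks to a proof normalisation theorem. In~general, for an unbounded number of sessions, this provides with a complete deduction strategy. In case of a bounded number of sessions, our theorem implies that the security problem is co-NP-complete. As an instance of our result we get a decision algorithm for the theory of blind-signatures, which, to our knowledge, was not known before.}
}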

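% ASIAN'06 short paper on completeness of logical relations for monadic types.
% NOTE(review): the third author is entered with family name Zhang, matching
% the LNZ key and the file name in the url -- confirm against the DOI record.
@inproceedings{LNZ-asian06,
  author    = {Lasota, S{\l}awomir and Nowak, David and Zhang, Yu},
  title     = {On completeness of logical relations for monadic types},
  booktitle = {{R}evised {S}elected {P}apers of the 11th {A}sian {C}omputing {S}cience {C}onference ({ASIAN}'06)},
  acronym   = {{ASIAN}'06},
  editor    = {Okada, Mitsu and Satoh, Ichiro},
  series    = {Lecture Notes in Computer Science},
  volume    = 4435,
  publisher = {Springer},
  address   = {Tokyo, Japan},
  month     = jan,
  year      = 2008,
  pages     = {223--230},
  nmnote    = {autc parce que c'est un short paper, pas ant pour Zhang Yu},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LNZ-monad-complete.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LNZ-monad-complete.pdf},
  doi       = {10.1007/978-3-540-77505-8_17},
  abstract  = {Software security can be ensured by specifying and verifying security properties of software using formal methods with strong theoretical bases. In~particular, programs can be modeled in the framework of lambda-calculi, and interesting properties can be expressed formally by contextual equivalence (a.k.a.~observational equivalence). Furthermore, imperative features, which exist in most real-life software, can be nicely expressed in the so-called computational lambda-calculus. Contextual equivalence is difficult to prove directly, but we can often use logical relations as a tool to establish it in lambda-calculi. We~have already defined logical relations for the computational lambda-calculus in previous work. We~devote this paper to the study of their completeness w.r.t.~contextual equivalence in the computational lambda-calculus.}
}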

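% FoSSaCS'06 paper: equational theory for static equivalence, with a formal
% account of guessing attacks.
@inproceedings{abw-fossacs2006,
  author    = {Abadi, Mart{\'\i}n and Baudet, Mathieu and Warinschi, Bogdan},
  title     = {Guessing Attacks and the Computational Soundness of Static Equivalence},
  booktitle = {{P}roceedings of the 9th {I}nternational {C}onference on {F}oundations of {S}oftware {S}cience and {C}omputation {S}tructures ({FoSSaCS}'06)},
  acronym   = {{FoSSaCS}'06},
  editor    = {Aceto, Luca and Ing{\'o}lfsd{\'o}ttir, Anna},
  series    = {Lecture Notes in Computer Science},
  volume    = 3921,
  publisher = {Springer},
  address   = {Vienna, Austria},
  month     = mar,
  year      = 2006,
  pages     = {398--412},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABW_Fossacs06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABW_Fossacs06.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/ABW_Fossacs06.ps},
  doi       = {10.1007/11690634_27},
  abstract  = {The indistinguishability of two pieces of data (or two lists of pieces of data) can be represented formally in terms of a relation called static equivalence. Static equivalence depends on an underlying equational theory. The choice of an inappropriate equational theory can lead to overly pessimistic or overly optimistic notions of indistinguishability, and in turn to security criteria that require protection against impossible attacks or ---worse yet--- that ignore feasible ones. In this paper, we define and justify an equational theory for standard, fundamental cryptographic operations. This equational theory yields a notion of static equivalence that implies computational indistinguishability. Static equivalence remains liberal enough for use in applications. In particular, we develop and analyze a principled formal account of guessing attacks in terms of static equivalence.}
}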

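% IWFS'06 workshop paper reporting on the EDOS project (quality assurance of
% free software distributions).
@inproceedings{edos2006wsl,
  author    = {Boender, Jaap and Di Cosmo, Roberto and Durak, Berke and Leroy, Xavier and Mancinelli, Fabio and Morgado, Mario and Pinheiro, David and Treinen, Ralf and Trezentos, Paulo and Vouillon, J{\'e}r{\^o}me},
  title     = {News from the {EDOS} project: improving the maintenance of free software distributions},
  booktitle = {{P}roceedings of the {I}nternational {W}orkshop on {F}ree {S}oftware ({IWFS}'06)},
  acronym   = {{IWFS}'06},
  editor    = {Berger, Olivier},
  address   = {Porto Alegre, Brazil},
  month     = apr,
  year      = 2006,
  pages     = {199--207},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/wsl06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/wsl06.pdf},
  abstract  = {The EDOS research project aims at contributing to the quality assurance of free software distributions. This is a major technical and engineering challenge, due to the size and complexity of these distributions (tens of thousands of software packages). We present here some of the challenges that we have tackled so far, and some of the advanced tools that are already available to the community as an outcome of the first year of work.}
}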

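% ASE'06 paper on tooling for distribution editors who maintain large
% package-based FOSS distributions.
@inproceedings{edos2006ase,
  author    = {Mancinelli, Fabio and Boender, Jaap and Di Cosmo, Roberto and Vouillon, J{\'e}r{\^o}me and Durak, Berke and Leroy, Xavier and Treinen, Ralf},
  title     = {Managing the Complexity of Large Free and Open Source Package-Based Software Distributions},
  booktitle = {{P}roceedings of the 21st {IEEE}/{ACM} {I}nternational {C}onference on {A}utomated {S}oftware {E}ngineering ({ASE}'06)},
  acronym   = {{ASE}'06},
  publisher = {{IEEE} Computer Society Press},
  address   = {Tokyo, Japan},
  month     = sep,
  year      = 2006,
  pages     = {199--208},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/edos-ase06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/edos-ase06.pdf},
  doi       = {10.1109/ASE.2006.49},
  abstract  = {The widespread adoption of Free and Open Source Software~(FOSS) in many strategic contexts of the information technology society has drawn the attention on the issues regarding how to handle the complexity of assembling and managing a huge number of (packaged) components in a consistent and effective~way. FOSS~distributions (and~in particular GNU\slash Linux-based~ones) have always provided tools for managing the tasks of installing, removing and upgrading the (packaged) components they were made~of. While these tools provide a (not always effective) way to handle these tasks on the client side, there is still a lack of tools that could help the distribution editors to maintain, on the server side, large and high-quality distributions. In~this paper we present our research whose main goal is to fill this gap: we~show our approach, the tools we have developed and their application with experimental results. Our~contribution provides an effective and automatic way to support distribution editors in handling those issues that were, until now, mostly addressed using ad-hoc tools and manual techniques.}
}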

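% FSTTCS'06 paper: a symbolic secrecy criterion that is computationally sound
% for public-key encryption and hash functions modeled as random oracles.
@inproceedings{CKKW-fsttcs2006,
  author    = {Cortier, V{\'e}ronique and Kremer, Steve and K{\"u}sters, Ralf and Warinschi, Bogdan},
  title     = {Computationally Sound Symbolic Secrecy in the Presence of Hash Functions},
  booktitle = {{P}roceedings of the 26th {C}onference on {F}oundations of {S}oftware {T}echnology and {T}heoretical {C}omputer {S}cience ({FSTTCS}'06)},
  acronym   = {{FSTTCS}'06},
  editor    = {Garg, Naveen and Arun-Kumar, S.},
  series    = {Lecture Notes in Computer Science},
  volume    = 4337,
  publisher = {Springer},
  address   = {Kolkata, India},
  month     = dec,
  year      = 2006,
  pages     = {176--187},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CKKW-fsttcs06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CKKW-fsttcs06.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CKKW-fsttcs06.ps},
  doi       = {10.1007/11944836_18},
  abstract  = {The standard symbolic, deducibility-based notions of secrecy are in general insufficient from a cryptographic point of view, especially in presence of hash functions. In~this paper we devise and motivate a more appropriate secrecy criterion which exactly captures a standard cryptographic notion of secrecy for protocols involving public-key encryption and hash functions: protocols that satisfy it are computationally secure while any violation of our criterion directly leads to an attack. Furthermore, we prove that our criterion is decidable via an NP decision procedure. Our~results hold for standard security notions for encryption and hash functions modeled as random oracles.}
}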

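% Journal survey of algebraic properties of cryptographic operators and the
% protocols or attacks that rely on them.
@article{CDL05-survey,
  author    = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie and Lafourcade, Pascal},
  title     = {A Survey of Algebraic Properties Used in Cryptographic Protocols},
  journal   = {Journal of Computer Security},
  volume    = 14,
  number    = 1,
  publisher = {{IOS} Press},
  year      = {2006},
  pages     = {1--43},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/surveyCDL.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/surveyCDL.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/surveyCDL.ps},
  abstract  = {Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general since some attacks exploit in a clever way the interaction between protocol rules and properties of cryptographic operators. Moreover, the executability of some protocols relies explicitly on some algebraic properties of cryptographic primitives such as commutative encryption. We give a list of some relevant algebraic properties of cryptographic operators, and for each of them, we provide examples of protocols or attacks using these properties. We also give an overview of the existing methods in formal approaches for analyzing cryptographic protocols.}
}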

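% Journal article: undecidability of symbolic deducibility constraints for
% Abelian groups combined with the homomorphism axiom.
@article{delaune-tcs06,
  author    = {Delaune, St{\'e}phanie},
  title     = {An Undecidability Result for~{\textsf{\MakeUppercase{AG}h}}},
  journal   = {Theoretical Computer Science},
  volume    = 368,
  number    = {1--2},
  publisher = {Elsevier Science Publishers},
  month     = dec,
  year      = 2006,
  pages     = {161--167},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/delaune-tcs06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/delaune-tcs06.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/delaune-tcs06.ps},
  doi       = {10.1016/j.tcs.2006.08.018},
  abstract  = {We present an undecidability result for the verification of security protocols. Since the \emph{perfect cryptography assumption} is unrealistic for cryptographic primitives with visible algebraic properties, several recent works relax this assumption, allowing the intruder to exploit these properties. We are interested in the \emph{Abelian groups} theory in combination with the homomorphism axiom. We show that satisfiability of symbolic deducibility constraints is undecidable, obtaining in this way the first undecidability result concerning a theory for which unification is known to be decidable~[F.~Baader, Unification in commutative theories, Hilbert's basis theorem, and Gr{\"{o}}bner bases, J.~ACM~40(3) (1993)~477-503].}
}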

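% WOTE'06 workshop paper: electronic voting properties modelled in the applied
% pi calculus and partially checked with ProVerif.
@inproceedings{DKR-wote06,
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title     = {Verifying Properties of Electronic Voting Protocols},
  booktitle = {{P}roceedings of the {IAVoSS} {W}orkshop {O}n {T}rustworthy {E}lections ({WOTE}'06)},
  acronym   = {{WOTE}'06},
  address   = {Cambridge, UK},
  month     = jun,
  year      = 2006,
  pages     = {45--52},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-wote06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-wote06.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DKR-wote06.ps},
  abstract  = {In this paper we report on some recent work to formally specify and verify electronic voting protocols. In particular, we use the formalism of the applied pi calculus: the applied pi calculus is a formal language similar to the pi calculus but with useful extensions for modelling cryptographic protocols. We model several important properties, namely fairness, eligibility, privacy, receipt-freeness and coercion-resistance. Verification of these properties is illustrated on two cases studies and has been partially automated using the Blanchet's ProVerif tool.}
}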

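% CSFW'06 paper formalising coercion-resistance and receipt-freeness and
% relating both to vote privacy.
@inproceedings{DKR-csfw06,
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title     = {Coercion-Resistance and Receipt-Freeness in Electronic Voting},
  booktitle = {{P}roceedings of the 19th {IEEE} {C}omputer {S}ecurity {F}oundations {W}orkshop ({CSFW}'06)},
  acronym   = {{CSFW}'06},
  publisher = {{IEEE} Computer Society Press},
  address   = {Venice, Italy},
  month     = jul,
  year      = 2006,
  pages     = {28--39},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csfw06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csfw06.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DKR-csfw06.ps},
  doi       = {10.1109/CSFW.2006.8},
  abstract  = {In this paper we formally study important properties of electronic voting protocols. In particular we are interested in coercion-resistance and receipt-freeness. Intuitively, an election protocol is coercion-resistant if a voter \(A\) cannot prove to a potential coercer~\(C\) that she voted in a particular way. We assume that \(A\) cooperates with~\(C\) in an interactive way. Receipt-freeness is a weaker property, for which we assume that \(A\) and~\(C\) cannot interact during the protocol, but \(A\) later provides evidence (the receipt) of how she voted. While receipt-freeness can be expressed using observational equivalence from the applied pi calculus, we need to introduce a new relation to capture coercion-resistance. Our formalization of coercion-resistance and receipt-freeness are quite different. Nevertheless, we show in accordance with intuition that coercion-resistance implies receipt-freeness, which implies privacy, the basic anonymity property of voting protocols, as defined in previous work. Finally we illustrate the definitions on a simplified version of the Lee~\emph{et~al.}\ voting protocol.}
}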

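% ICALP'06 paper: decidability of symbolic trace reachability under exclusive
% or combined with the homomorphism axiom.
@inproceedings{DLLT-ICALP2006,
  author    = {Delaune, St{\'e}phanie and Lafourcade, Pascal and Lugiez, Denis and Treinen, Ralf},
  title     = {Symbolic Protocol Analysis in Presence of a Homomorphism Operator and {\emph{Exclusive~Or}}},
  booktitle = {{P}roceedings of the 33rd {I}nternational {C}olloquium on {A}utomata, {L}anguages and {P}rogramming ({ICALP}'06)~--- {P}art~{II}},
  acronym   = {{ICALP}'06},
  editor    = {Bugliesi, Michele and Preneel, Bart and Sassone, Vladimiro and Wegener, Ingo},
  series    = {Lecture Notes in Computer Science},
  volume    = 4052,
  publisher = {Springer},
  address   = {Venice, Italy},
  month     = jul,
  year      = 2006,
  pages     = {132--143},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-icalp06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-icalp06.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DLLT-icalp06.ps},
  doi       = {10.1007/11787006_12},
  abstract  = {Security of a cryptographic protocol for a bounded number of sessions is usually expressed as a symbolic trace reachability problem. We show that symbolic trace reachability for well-defined protocols is decidable in presence of the exclusive or theory in combination with the homomorphism axiom. These theories allow us to model basic properties of important cryptographic operators. This trace reachability problem can be expressed as a system of symbolic deducibility constraints for a certain inference system describing the capabilities of the attacker. One main step of our proof consists in reducing deducibility constraints to constraints for deducibility in one step of the inference system. This constraint system, in turn, can be expressed as a system of quadratic equations of a particular form over \(\mathbb{Z}/2\mathbb{Z}[h]\), the ring of polynomials in one indeterminate over the finite field \(\mathbb{Z}/2\mathbb{Z}\). We show that satisfiability of such systems is decidable.}
}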

% Proceedings volume of the FCC'06 workshop; title and booktitle carry the
% same text.
@proceedings{CK-fcc2006,
  title     = {{P}roceedings of the 2nd {W}orkshop on {F}ormal and {C}omputational {C}ryptography ({FCC}'06)},
  booktitle = {{P}roceedings of the 2nd {W}orkshop on {F}ormal and {C}omputational {C}ryptography ({FCC}'06)},
  editor    = {Cortier, V{\'e}ronique and Kremer, Steve},
  address   = {Venice, Italy},
  month     = jul,
  year      = 2006,
  url       = {http://hal.inria.fr/FCC2006/}
}

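% Journal article: finite-state analysis of the GM and BW multi-party
% contract-signing protocols (fairness, abuse-freeness).
@article{CKS-jar2005,
  author    = {Chadha, Rohit and Kremer, Steve and Scedrov, Andre},
  title     = {Formal Analysis of Multi-Party Contract Signing},
  journal   = {Journal of Automated Reasoning},
  volume    = 36,
  number    = {1--2},
  publisher = {Springer},
  month     = jan,
  year      = 2006,
  pages     = {39--83},
  nmnote    = {Special Issue on Automated Reasoning for Security Protocol Analysis},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/mpcs-CKS.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/mpcs-CKS.pdf},
  doi       = {10.1007/s10817-005-9019-5},
  abstract  = {We analyze the multi-party contract-signing protocols of Garay and MacKenzie (GM) and of Baum and Waidner (BW). We use a finite-state tool, {\scshape Mocha}, which allows specification of protocol properties in a branching-time temporal logic with game semantics. While our analysis does not reveal any errors in the BW protocol, in the GM protocol we discover serious problems with fairness for four signers and an oversight regarding abuse-freeness for three signers. We propose a complete revision of the GM subprotocols in order to restore fairness.}
}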

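% Journal article: decision procedures for protocol security when weak secrets
% can be guessed by offline dictionary attacks.
@article{dj-jar05,
  author    = {Delaune, St{\'e}phanie and Jacquemard, Florent},
  title     = {Decision Procedures for the Security of Protocols with Probabilistic Encryption against Offline Dictionary Attacks},
  journal   = {Journal of Automated Reasoning},
  volume    = 36,
  number    = {1--2},
  publisher = {Springer},
  month     = jan,
  year      = 2006,
  pages     = {85--124},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DJ-jar05.ps},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DJ-jar05.ps},
  doi       = {10.1007/s10817-005-9017-7},
  abstract  = {We consider the problem of formal automatic verification of cryptographic protocols when some data, like poorly chosen passwords, can be guessed by dictionary attacks. First, we define a theory of these attacks and propose an inference system modeling the deduction capabilities of an intruder. This system extends a set of well studied deduction rules for symmetric and public key encryption often called Dolev-Yao rules with the introduction of a probabilistic encryption operator and guessing abilities for the intruder. Then, we show that the intruder deduction problem in this extended model is decidable in~PTIME. The proof is based on a locality lemma for our inference system. This first result yields to an NP decision procedure for the protocol insecurity problem in presence of a passive intruder. In the active case, the same problem is proved to be NP-complete: we give a procedure for simultaneously solving symbolic constraints with variables which represent intruder deductions. We illustrate the procedure with examples of published protocols and compare our model to other recent formal definitions of dictionary attacks.}
}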

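% Journal article: PTIME intruder deduction for Exclusive or and Abelian
% groups combined with the homomorphism axiom.
@article{SD-ipl05,
  author    = {Delaune, St{\'e}phanie},
  title     = {Easy Intruder Deduction Problems with Homomorphisms},
  journal   = {Information Processing Letters},
  volume    = 97,
  number    = 6,
  publisher = {Elsevier Science Publishers},
  month     = mar,
  year      = 2006,
  pages     = {213--218},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SD-ipl05.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SD-ipl05.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/SD-ipl05.ps},
  doi       = {10.1016/j.ipl.2005.11.008},
  abstract  = {We present complexity results for the verification of security protocols. Since the perfect cryptography assumption is unrealistic for cryptographic primitives with visible algebraic properties, we extend the classical \emph{Dolev-Yao} model by permitting the intruder to exploit these properties. More precisely, we are interested in theories such as \emph{Exclusive or} and \emph{Abelian groups} in combination with the homomorphism axiom. We show that the intruder deduction problem is in PTIME in both cases, improving the EXPTIME complexity results presented in~(Lafourcade, Lugiez, Treinen,~2005).}
}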

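% IJCAR'06 paper on tree automata with equality tests modulo equational
% theories; the url points at a laboratory research report PDF.
@inproceedings{JRV-ijcar06,
  author    = {Jacquemard, Florent and Rusinowitch, Micha{\"e}l and Vigneron, Laurent},
  title     = {Tree automata with equality constraints modulo equational theories},
  booktitle = {{P}roceedings of the 3rd {I}nternational {J}oint {C}onference on {A}utomated {R}easoning ({IJCAR}'06)},
  acronym   = {{IJCAR}'06},
  editor    = {Furbach, Ulrich and Shankar, Natarajan},
  series    = {Lecture Notes in Artificial Intelligence},
  volume    = 4130,
  publisher = {Springer-Verlag},
  address   = {Seattle, Washington, USA},
  month     = aug,
  year      = 2006,
  pages     = {557--571},
  url       = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2006-07.pdf},
  doi       = {10.1007/11814771_45},
  abstract  = {This paper presents new classes of tree automata combining automata with equality test and automata modulo equational theories. We believe that this class has a good potential for application in \emph{e.g.}~software verification. These tree automata are obtained by extending the standard Horn clause representations with equational conditions and rewrite systems. We show in particular that a generalized membership problem (extending the emptiness problem) is decidable by proving that the saturation of tree automata presentations with suitable paramodulation strategies terminates. Alternatively our results can be viewed as new decidable classes of first-order formula.}
}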

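% SecReT'06 paper on intruder deduction for exclusive-or with commutative,
% distributive encryption.
% NOTE(review): year, volume and number presumably describe the ENTCS issue
% rather than the July 2006 workshop -- confirm against the DOI record.
% The nomorelong* fields are not standard fields, so styles ignore them; the
% stray space inside their URLs has been removed.
@inproceedings{Laf-secret06,
  author         = {Lafourcade, Pascal},
  title          = {Intruder Deduction for the Equational Theory of {\emph{Exclusive-or}} with Commutative and Distributive Encryption},
  booktitle      = {{P}roceedings of the 1st {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques ({SecReT}'06)},
  acronym        = {{SecReT}'06},
  editor         = {Fern{\'a}ndez, Maribel and Kirchner, Claude},
  series         = {Electronic Notes in Theoretical Computer Science},
  volume         = 171,
  number         = 4,
  publisher      = {Elsevier Science Publishers},
  address        = {Venice, Italy},
  month          = jul,
  year           = 2007,
  pages          = {37--57},
  url            = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Laf-secret06-long.pdf},
  pdf            = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Laf-secret06-long.pdf},
  ps             = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/Laf-secret06-long.ps},
  nomorelongpdf  = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2005-21.pdf},
  nomorelongps   = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/rr-lsv-2005-21.ps},
  nomorelongpsgz = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PSGZ/rr-lsv-2005-21.ps.gz},
  doi            = {10.1016/j.entcs.2007.02.054},
  abstract       = {The first step in the verification of cryptographic protocols is to decide the intruder deduction problem, that is the vulnerability to a so-called passive attacker. We~extend the Dolev-Yao model in order to model this problem in presence of the equational theory of a commutative encryption operator which distributes over the \emph{exclusive-or} operator. The~interaction between the commutative distributive law of the encryption and \emph{exclusive-or} offers more possibilities to decrypt an encrypted message than in the non-commutative case, which imply a more careful analysis of the proof system. We~prove decidability of the intruder deduction problem for a commutative encryption which distributes over \emph{exclusive-or} with a DOUBLE-EXPTIME procedure. And~we obtain that this problem is EXPSPACE-hard in the binary case.}
}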

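% UNIF'06 workshop paper: unification and disunification in ACUNh (exclusive
% or with one homomorphism) via automata techniques.
@inproceedings{LLT-unif2006,
  author    = {Lafourcade, Pascal and Lugiez, Denis and Treinen, Ralf},
  title     = {{ACUNh}: Unification and Disunification Using Automata Theory},
  booktitle = {{P}roceedings of the 20th {I}nternational {W}orkshop on {U}nification ({UNIF}'06)},
  acronym   = {{UNIF}'06},
  editor    = {Levy, Jordi},
  address   = {Seattle, Washington, USA},
  month     = aug,
  year      = 2006,
  pages     = {6--20},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-unif06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-unif06.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/LLT-unif06.ps},
  abstract  = {We show several results about unification problems in the equational theory~ACUNh consisting of the theory of exclusive or with one homomorphism. These results are shown using only techniques of automata and combinations of unification problems. We~show how to construct a most-general unifier for ACUNh-unification problems with constants using automata. We also prove that the first-order theory of ground terms modulo~ACUNh is decidable if the signature does not contain free non-constant function symbols, and that the existential fragment is decidable in the general case. Furthermore, we show a technical result about the set of most-general unifiers obtained for general unification problems.}
}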

% UNIF'06 workshop paper on checking sufficient completeness of conditional
% and constrained term rewriting systems. No page range is recorded: the
% entry carries an empty, non-standard nopages field instead of pages.
@inproceedings{BJ-unif2006,
  author    = {Bouhoula, Adel and Jacquemard, Florent},
  title     = {Automating Sufficient Completeness Check for Conditional and Constrained~{TRS}},
  booktitle = {{P}roceedings of the 20th {I}nternational {W}orkshop on {U}nification ({UNIF}'06)},
  acronym   = {{UNIF}'06},
  editor    = {Levy, Jordi},
  address   = {Seattle, Washington, USA},
  month     = aug,
  year      = 2006,
  nopages   = {},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-unif06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-unif06.pdf},
  abstract  = {We present a procedure for checking sufficient completeness for conditional and constrained term rewriting systems containing axioms for constructors which may be constrained (by~e.g.~equalities, disequalities, ordering, membership...). Such axioms allow to specify complex data structures like e.g.~sets, sorted lists or powerlists. Our approach is integrated in a framework for inductive theorem proving based on tree grammars with constraints, a formalism which permits an exact representation of languages of ground constructor terms in normal form. The key technique used in the procedure is a generalized form of narrowing where, given a term, instead of unifying it with left members of rewrite rules, we instantiate it, at selected variables, following the productions of a constrained tree grammar, and test whether it can be rewritten. Our~procedure is sound and complete and has been successfully applied to several examples, yielding very natural proofs and, in case of negative answer, a counter example suggesting how to complete the specification. Moreover, it is a decision procedure when the TRS is unconditional but constrained, for a large class of constrained constructor axioms.}
}

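% AISC'06 paper: undecidability of reachability, joinability and confluence
% for flat term rewriting systems.
@inproceedings{MOJ-aisc2006,
  author    = {Mitsuhashi, Ichiro and Oyamaguchi, Michio and Jacquemard, Florent},
  title     = {The Confluence Problem for Flat~{TRSs}},
  booktitle = {{P}roceedings of the 8th {I}nternational {C}onference on {A}rtificial {I}ntelligence and {S}ymbolic {C}omputation ({AISC}'06)},
  acronym   = {{AISC}'06},
  editor    = {Calmet, Jacques and Ida, Tetsuo and Wang, Dongming},
  series    = {Lecture Notes in Artificial Intelligence},
  volume    = 4120,
  publisher = {Springer},
  address   = {Beijing, China},
  month     = sep,
  year      = 2006,
  pages     = {68--81},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/MOJ-aisc06.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/MOJ-aisc06.pdf},
  doi       = {10.1007/11856290_8},
  abstract  = {We prove that the properties of reachability, joinability and confluence are undecidable for flat~TRSs. Here, a~TRS is flat if the heights of the left and right-hand sides of each rewrite rule are at most one.}
}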

% Doctoral thesis (French title) on intruder theories for the verification of
% cryptographic protocols; no abstract is recorded.
@phdthesis{THESE-bernat06,
  author = {Bernat, Vincent},
  title  = {Th{\'e}ories de l'intrus pour la v{\'e}rification des protocoles cryptographiques},
  type   = {Th{\`e}se de doctorat},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  month  = jun,
  year   = 2006,
  url    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-bernat.pdf},
  pdf    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-bernat.pdf},
  ps     = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/these-bernat.ps}
}

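@phdthesis{THESE-delaune06,
  author      = {Delaune, St{\'e}phanie},
  title       = {V{\'e}rification des protocoles cryptographiques et propri{\'e}t{\'e}s alg{\'e}briques},
  type        = {Th{\`e}se de doctorat},
  school      = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year        = 2006,
  month       = jun,
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-delaune.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-delaune.pdf},
  ps          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/these-delaune.ps},
  abstract    = {Cryptographic protocols are small concurrent programs designed to guarantee the security of exchanges between participants using non-secure medium. Establishing the correctness of these protocols is crucial given the increasing number of applications, such as electronic commerce, that exchange information on the Internet. Unfortunately, the existence of cryptographic primitives such as encryption is not sufficient to ensure security. The security of exchanges is ensured by cryptographic protocols which are notoriously error-prone.\par The formal verification of cryptographic protocols is a difficult problem that can be seen as a particular model-checking problem in a hostile environment. To verify such protocols, a line of research consists in considering encryption as a black box and assuming that an adversary can't learn anything from an encrypted message except if he has the key. This is called the \emph{perfect cryptography} assumption. Many results have been obtained under this assumption, but such an assumption is too strong in general. Some attacks exploit in a clever way the interaction between protocol rules and properties of cryptographic operators. \par In this thesis, we relax the perfect cryptography assumption by taking into account some algebraic properties of cryptographic primitives. We give decision procedures for the security problem in presence of several algebraic operators.}
}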

@phdthesis{THESE-lafourcade06,
  author      = {Lafourcade, Pascal},
  title       = {V{\'e}rification des protocoles cryptographiques en pr{\'e}sence de th{\'e}ories {\'e}quationnelles},
  type        = {Th{\`e}se de doctorat},
  school      = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year        = 2006,
  month       = sep,
  note        = {209~pages},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-lafourcade.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-lafourcade.pdf},
  ps          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/these-lafourcade.ps},
  abstract    = {The rise of the internet of new technologies has reinforced the key role of computer science in communication technology. The recent progress in these technologies has brought a dramatic change in the ways how we communicate and consume. All these communication activities are subject to complex communication protocols that a user does not control completely. Users of communication protocols require that their communications are {"}secure{"}. The developers of these communication protocols aim to secure communications in a hostile environment by cryptographic means. Such an environment consists of a dishonest communication participant, called an {"}intruder{"} or {"}attacker{"}... We suppose that the intruder controls the network on which the messages are exchanged.\par The verification of a cryptographic protocol either ensures that no attack is possible against the execution of the protocol in presence of a certain intruder, or otherwise exhibits an attack. One important assumption in the verification of cryptographic protocols is the so-called {"}perfect cryptography assumption{"}, which states that the only way to obtain knowledge about an encrypted message is to know its decryption key. This hypothesis is not sufficient to guarantee security in reality. It is possible that certain properties used in the protocol allow the intruder to obtain some information.\par One way to weaken this perfect cryptography assumption is to take into account in the model certain algebraic properties. We develop a formal approach for verifying the so-called secrecy property of cryptographic protocols in the presence of equational theories and of homomorphism.}
}

@mastersthesis{bursuc-master,
  author      = {Bursuc, Sergiu},
  title       = {Contraintes de d{\'e}ductibilit{\'e} modulo Associativit{\'e}-Commutativit{\'e}},
  type        = {Rapport de {M}aster},
  school      = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France},
  year        = 2006,
  month       = sep,
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bursuc-M2.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bursuc-M2.pdf}
}

@techreport{LSV:06:13,
  author      = {Olivain, Julien and Goubault{-}Larrecq, Jean},
  title       = {Detecting Subverted Cryptographic Protocols by Entropy Checking},
  type        = {Research Report},
  number      = {LSV-06-13},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year        = 2006,
  month       = jun,
  note        = {19~pages},
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2006-13.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2006-13.pdf},
  abstract    = {What happens when your implementation of SSL or some other cryptographic protocol is subverted through a buffer overflow attack? You have been hacked, right. Unfortunately, you may be unaware of~it: since normal traffic is encrypted, most IDSs cannot monitor~it. We propose a simple, yet efficient technique to detect such attacks, by computing the entropy of the flow and comparing it against known thresholds. This was implemented in the Net-Entropy sensor.}
}

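@inproceedings{Gou-fossacs08b,
  author      = {Goubault{-}Larrecq, Jean},
  title       = {Simulation Hemi-Metrics Between Infinite-State Stochastic Games},
  booktitle   = {{P}roceedings of the 11th {I}nternational {C}onference on {F}oundations of {S}oftware {S}cience and {C}omputation {S}tructures ({FoSSaCS}'08)},
  editor      = {Amadio, Roberto},
  acronym     = {{FoSSaCS}'08},
  series      = {Lecture Notes in Computer Science},
  volume      = 4962,
  publisher   = {Springer},
  address     = {Budapest, Hungary},
  pages       = {50--65},
  year        = 2008,
  month       = mar # {--} # apr,
  doi         = {10.1007/978-3-540-78499-9_5},
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-34.pdf},
  abstract    = {We investigate simulation hemi-metrics between certain forms of turn-based \(2\frac{1}{2}\)-player games played on infinite topological spaces. They have the desirable property of bounding the difference in payoffs obtained by starting from one state or another. All constructions are described as the special case of a unique one, which we call the Hutchinson hemi-metric on various spaces of continuous previsions. We show a directed form of the Kantorovich-Rubinstein theorem, stating that the Hutchinson hemi-metric on spaces of continuous probability valuations coincides with a notion of trans-shipment hemi-metric. We also identify the class of so-called sym-compact spaces as the right class of topological spaces, where the theory works out as nicely as possible.}
}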

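@inproceedings{Gou-fossacs08a,
  author      = {Goubault{-}Larrecq, Jean},
  title       = {Prevision Domains and Convex Powercones},
  booktitle   = {{P}roceedings of the 11th {I}nternational {C}onference on {F}oundations of {S}oftware {S}cience and {C}omputation {S}tructures ({FoSSaCS}'08)},
  editor      = {Amadio, Roberto},
  acronym     = {{FoSSaCS}'08},
  series      = {Lecture Notes in Computer Science},
  volume      = 4962,
  publisher   = {Springer},
  address     = {Budapest, Hungary},
  pages       = {318--333},
  year        = 2008,
  month       = mar # {--} # apr,
  doi         = {10.1007/978-3-540-78499-9_23},
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-33.pdf},
  abstract    = {Two recent semantic families of models for mixed probabilistic and non-deterministic choice over a space~\(X\) are the convex powercone models, due independently to Mislove, and to Tix, Keimel, and Plotkin, and the continuous prevision model of the author. We show that, up to some minor details, these models are isomorphic whenever \(X\) is a continuous, coherent cpo, and whether the particular brand of non-determinism we focus on is demonic, angelic, or chaotic. The construction also exhibits domains of continuous previsions as retracts of well-known continuous cpos, providing simple bases for the various continuous cpos of continuous previsions. This has practical relevance to computing approximations of operations on previsions.}
}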

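% NOTE(review): the doi below has no chapter suffix, unlike the other Springer entries in this file, so it may identify the whole volume rather than this paper -- verify against the publisher record.
@inproceedings{Kremer-tgc07,
  author      = {Kremer, Steve},
  title       = {Computational soundness of equational theories (Tutorial)},
  booktitle   = {{R}evised {S}elected {P}apers from the 3rd {S}ymposium on {T}rustworthy {G}lobal {C}omputing ({TGC}'07)},
  editor      = {Barthe, Gilles and Fournet, C{\'e}dric},
  acronym     = {{TGC}'07},
  series      = {Lecture Notes in Computer Science},
  volume      = 4912,
  publisher   = {Springer},
  address     = {Sophia-Antipolis, France},
  pages       = {363--382},
  year        = 2008,
  doi         = {10.1007/978-3-540-78663-4},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Kremer-tgc07.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Kremer-tgc07.pdf},
  abstract    = {We study the link between formal and cryptographic models for security protocols in the presence of passive and adaptive adversaries. We first describe the seminal result by Abadi and Rogaway and shortly discuss some of its extensions. Then we describe a general model for reasoning about the soundness of implementations of equational theories. We illustrate this model on several examples of computationally sound implementations of equational theories.}
}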

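@article{JRV-jlap07,
  author      = {Jacquemard, Florent and Rusinowitch, Micha{\"e}l and Vigneron, Laurent},
  title       = {Tree automata with equality constraints modulo equational theories},
  journal     = {Journal of Logic and Algebraic Programming},
  volume      = 75,
  number      = 2,
  pages       = {182--208},
  publisher   = {Elsevier Science Publishers},
  year        = 2008,
  month       = apr,
  doi         = {10.1016/j.jlap.2007.10.006},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JRV-jlap08.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JRV-jlap08.pdf},
  abstract    = {This paper presents new classes of tree automata combining automata with equality test and automata modulo equational theories. We believe that these classes have a good potential for application in \emph{e.g.} software verification. These tree automata are obtained by extending the standard Horn clause representations with equational conditions and rewrite systems. We~show in particular that a generalized membership problem (extending the emptiness problem) is decidable by proving that the saturation of tree automata presentations with suitable paramodulation strategies terminates. Alternatively our results can be viewed as new decidable classes of first-order formula.}
}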

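@inproceedings{BJ-arspa07,
  author      = {Bouhoula, Adel and Jacquemard, Florent},
  title       = {Verifying Regular Trace Properties of Security Protocols with Explicit Destructors and Implicit Induction},
  booktitle   = {{P}roceedings of the {J}oint {W}orkshop on {F}oundations of {C}omputer {S}ecurity and {A}utomated {R}easoning for {S}ecurity {P}rotocol {A}nalysis ({FCS-ARSPA}'07)},
  editor      = {Degano, Pierpaolo and K{\"u}sters, Ralf and Vigan{\`o}, Luca and Zdancewic, Steve},
  acronym     = {{FCS-ARSPA}'07},
  address     = {Wroc{\l}aw, Poland},
  pages       = {27--44},
  year        = 2007,
  month       = jul,
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-arspa07.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-arspa07.pdf},
  abstract    = {We present a procedure for the verification of cryptographic protocols based on a new method for automatic implicit induction theorem proving for specifications made of conditional and constrained rewrite rules. The~method handles axioms between constructor terms which are used to introduce explicit destructor symbols for the specification of cryptographic operators. Moreover, it can deal with non-confluent rewrite systems. This is required in the context of the verification of security protocols because of the non-deterministic behavior of attackers. Our~induction method makes an intensive use of constrained tree grammars, which are used in proofs both as induction schemes and as oracles for checking validity and redundancy criteria by reduction to an emptiness problem. The grammars make possible the development of a generic framework for the specification and verification of protocols, where the specifications can be parametrized with (possibly infinite) regular sets of user names or attacker's initial knowledge and complex security properties can be expressed, referring to some fixed regular sets of bad traces representing potential vulnerabilities. We present some case studies giving very promising results, for the detection of attacks (our~procedure is complete for refutation), and also for the validation of protocols.}
}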

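@inproceedings{Bur-nordsec07,
  author      = {Bursztein, Elie},
  title       = {Time has something to tell us about network address translation},
  booktitle   = {{P}roceedings of the 12th {N}ordic {W}orkshop on {S}ecure {IT} {S}ystems ({NordSec}'07)},
  editor      = {Erlingsson, {\'U}lfar and Sabelfeld, Andrei},
  acronym     = {{NordSec}'07},
  address     = {Reykjavik, Iceland},
  year        = 2007,
  month       = oct,
  nopages     = {},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-nordsec07.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-nordsec07.pdf},
  abstract    = {In this paper we introduce a new technique to count the number of hosts behind a~NAT. This technique, based on the TCP timestamp option, works with Linux and BSD systems and therefore is complementary to the previous one based on IPID, which does not work for those systems. Our~implementation demonstrates the practicability of this method.}
}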

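@techreport{Prouve:rap10,
  author      = {Delaune, St{\'e}phanie and Klay, Francis},
  title       = {Synth{\`e}se des exp{\'e}rimentations},
  type        = {Technical Report},
  number      = 10,
  institution = {projet RNTL PROUV{\'E}},
  year        = 2007,
  month       = may,
  note        = {10~pages},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap10.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap10.pdf},
  abstract    = {Dans ce document nous pr{\'e}sentons une synth{\`e}se des deux cas d'{\'e}tude trait{\'e}s durant le projet. Rappelons qu'il s'agit d'une part d'un protocole de commerce {\'e}lectronique et d'autre part d'un protocole de vote. Pour chacun de ces protocoles, nous analysons les r{\'e}sultats obtenus afin de d{\'e}gager l'apport des travaux issus du projet et les aspects qui n'ont pas pu {\^e}tre compl{\`e}tement trait{\'e}s. Compte tenu des enseignements tir{\'e}s, dans la derni{\`e}re partie nous mettons en perspectives les axes de recherches envisageables pour traiter compl{\`e}tement des protocoles aussi complexes que celui du vote {\'e}lectronique.}
}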

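@techreport{Prouve:rap9,
  author      = {Klay, Francis and Bozga, Liana and Lakhnech, Yassine and Mazar{\'e}, Laurent and Delaune, St{\'e}phanie and Kremer, Steve},
  title       = {Retour d'exp{\'e}rience sur la validation du vote {\'e}lectronique},
  type        = {Technical Report},
  number      = 9,
  institution = {projet RNTL PROUV{\'E}},
  year        = 2006,
  month       = nov,
  note        = {47~pages},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap9.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap9.pdf},
  abstract    = {Dans ce rapport, nous pr{\'e}sentons le travail de v{\'e}rification qui a {\'e}t{\'e} r{\'e}alis{\'e} sur le protocole de vote {\'e}lectronique que nous avons introduit et formalis{\'e} dans le rapport RNTL Prouv{\'e} num{\'e}ro~\(6\). Ce protocole a {\'e}t{\'e} mis au point par J.~Traor{\'e}, ing{\'e}nieur de recherche chez France T{\'e}l{\'e}com. Il est bas{\'e} sur le m{\'e}canisme de signature en aveugle et peut {\^e}tre consid{\'e}r{\'e} comme un d{\'e}riv{\'e} du protocole de Fujioka, Okamoto et~Ohta.\par La formalisation de ce protocole a mis en {\'e}vidence une grande complexit{\'e} due en particulier aux structures de donn{\'e}es et aux primitives cryptographiques manipul{\'e}es. D'un autre c{\^o}t{\'e} ce travail a {\'e}galement r{\'e}v{\'e}l{\'e} que les propri{\'e}t{\'e}s de s{\^u}ret{\'e} {\`a} garantir sont particuli{\`e}rement subtiles. Ce~document pr{\'e}sente les r{\'e}sultats qui ont {\'e}t{\'e} obtenus lors de la v{\'e}rification de ce protocole. En particulier nous montrons que certaines propri{\'e}t{\'e}s de s{\^u}ret{\'e} ont pu {\^e}tre prouv{\'e}es automatiquement alors que pour d'autres une preuve manuelle s'est av{\'e}r{\'e}e n{\'e}cessaire.}
}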

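@techreport{LSV:07:31,
  author      = {Jacquemard, Florent and Rusinowitch, Micha{\"e}l},
  title       = {Rewrite Closure of {H}edge-Automata Languages},
  type        = {Research Report},
  number      = {LSV-07-31},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year        = 2007,
  month       = oct,
  note        = {22~pages},
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-31.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-31.pdf},
  abstract    = {We investigate some preservation properties for classes of regular languages of unranked ordered terms under an appropriate generalization of term rewriting subsuming both standard term rewriting and word rewriting.\par The considered classes include languages of hedge automata (HA) and some extension (called CF-HA) with context-free languages in transitions, instead of regular languages. In~particular, we~show, with a HA completion procedure, that the set of unranked terms reachable from a given HA language, using a so called inverse context-free rewrite system, is an HA language. Moreover, we~prove, using different techniques, the closure of CF-HA languages with respect to context-free rewrite systems, the symmetric case of the above rewrite systems. As~a consequence, the~problems of ground reachability and regular hedge model checking are decidable in both cases. We~give several counter examples showing that we cannot relax the restrictions.}
}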

@mastersthesis{vacher-master,
  author      = {Vacher, Camille},
  title       = {Accessibilit{\'e} inverse dans les automates d'arbres {\`a} m{\'e}moire d'ordre sup{\'e}rieur},
  type        = {Rapport de {M}aster},
  school      = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France},
  year        = 2007,
  month       = sep,
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-35.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-35.pdf},
  oldurl      = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vacher-m2.pdf},
  oldpdf      = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vacher-m2.pdf}
}

@inproceedings{CL-avocs07,
  author      = {Cremers, Cas and Lafourcade, Pascal},
  title       = {Comparing State Spaces in Automatic Security Protocol Verification},
  booktitle   = {{P}re-proceedings of the 7th {I}nternational {W}orkshop on {A}utomated {V}erification of {C}ritical {S}ystems ({AVoCS}'07)},
  editor      = {Goldsmith, Michael and Roscoe, Bill},
  acronym     = {{AVoCS}'07},
  address     = {Oxford, UK},
  year        = 2007,
  month       = sep,
  nmnote      = {Pas paru dans les proceedings ENTCS},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-avocs07.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-avocs07.pdf},
  abstract    = {Many tools exist for automatic security protocol verification, and most of them have their own particular language for specifying protocols and properties. Several protocol specification models and security properties have been already formally related to each other. However, there is a further difference between verification tools, which has not been investigated in depth before: the~explored state space. Some tools explore all possible behaviors, whereas others explore strict subsets, often by using so-called scenarios. Ignoring such differences can lead to wrong interpretations of the output of a tool. We~relate the explored state spaces to each other and find previously unreported differences between the various approaches. We~apply our study of state space relations in a performance comparison of several well-known automatic tools for security protocol verification. We~model a set of protocols and their properties as homogeneous as possible for each tool. We~analyze the performance of the tools over comparable state spaces. This work allows us for the first time to compare these automatic tools fairly, i.e.,~using the same protocol description and exploring the same state space. We~also propose some explanations for our experimental results, leading to a better understanding of the tools.}
}

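@inproceedings{BG-asian07,
  author      = {Bursztein, Elie and Goubault{-}Larrecq, Jean},
  title       = {A Logical Framework for Evaluating Network Resilience Against Faults and Attacks},
  booktitle   = {{P}roceedings of the 12th {A}sian {C}omputing {S}cience {C}onference ({ASIAN}'07)},
  editor      = {Cervesato, Iliano},
  acronym     = {{ASIAN}'07},
  series      = {Lecture Notes in Computer Science},
  volume      = 4846,
  publisher   = {Springer},
  address     = {Doha, Qatar},
  pages       = {212--227},
  year        = 2007,
  month       = dec,
  doi         = {10.1007/978-3-540-76929-3_20},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BGL-asian07.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BGL-asian07.pdf},
  abstract    = {We present a logic-based framework to evaluate the resilience of computer networks in the face of incidents, i.e., attacks from malicious intruders as well as random faults. Our model uses a two-layered presentation of dependencies between files and services, and of timed games to represent not just incidents, but also the dynamic responses from administrators and their respective delays. We demonstrate that a variant TATL\(\Diamond\) of timed alternating-time temporal logic is a convenient language to express several desirable properties of networks, including several forms of survivability. We illustrate this on a simple redundant Web service architecture, and show that checking such timed games against the so-called TATL\(\Diamond\) variant of the timed alternating time temporal logic TATL is EXPTIME-complete.}
}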

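% NOTE(review): the page range 175--290 would make this a 116-page proceedings paper; the end page looks like a typo -- verify against the publisher record before citing.
@inproceedings{GPT-aplas07,
  author      = {Goubault{-}Larrecq, Jean and Palamidessi, Catuscia and Troina, Angelo},
  title       = {A Probabilistic Applied Pi-Calculus},
  booktitle   = {{P}roceedings of the 5th {A}sian {S}ymposium on {P}rogramming {L}anguages and {S}ystems ({APLAS}'07)},
  editor      = {Shao, Zhong},
  acronym     = {{APLAS}'07},
  series      = {Lecture Notes in Computer Science},
  volume      = 4807,
  publisher   = {Springer},
  address     = {Singapore},
  pages       = {175--290},
  year        = 2007,
  month       = nov # {--} # dec,
  doi         = {10.1007/978-3-540-76637-7_12},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GPT-aplas07.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GPT-aplas07.pdf},
  abstract    = {We propose an extension of the Applied Pi-calculus by introducing nondeterministic and probabilistic choice operators. The semantics of the resulting model, in which probability and nondeterminism are combined, is given by Segala's Probabilistic Automata driven by schedulers which resolve the nondeterministic choice among the probability distributions over target states. Notions of static and observational equivalence are given for the enriched calculus. In order to model the possible interaction of a process with its surrounding environment a labeled semantics is given together with a notion of weak bisimulation which is shown to coincide with the observational equivalence. Finally, we prove that results in the probabilistic framework are preserved in a purely nondeterministic setting.}
}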

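@inproceedings{CDD-fsttcs07,
  author      = {Cortier, V{\'e}ronique and Delaitre, J{\'e}r{\'e}mie and Delaune, St{\'e}phanie},
  title       = {Safely Composing Security Protocols},
  booktitle   = {{P}roceedings of the 27th {C}onference on {F}oundations of {S}oftware {T}echnology and {T}heoretical {C}omputer {S}cience ({FSTTCS}'07)},
  editor      = {Arvind, V. and Prasad, Sanjiva},
  acronym     = {{FSTTCS}'07},
  series      = {Lecture Notes in Computer Science},
  volume      = 4855,
  publisher   = {Springer},
  address     = {New~Delhi, India},
  pages       = {352--363},
  year        = 2007,
  month       = dec,
  doi         = {10.1007/978-3-540-77050-3_29},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDD-fsttcs07.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDD-fsttcs07.pdf},
  addendumpdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDD-fsttcs07-addendum.pdf},
  abstract    = {Security protocols are small programs that are executed in hostile environments. Many results and tools have been developed to formally analyze the security of a protocol in the presence of active attackers that may block, intercept and send new messages. However even when a protocol has been proved secure, there is absolutely no guarantee if the protocol is executed in an environment where other protocols, possibly sharing some common identities and keys like public keys or long-term symmetric keys, are executed.\par In this paper, we show that security of protocols can be easily composed. More precisely, we show that whenever a protocol is secure, it remains secure even in an environment where arbitrary protocols are executed, provided each encryption contains some tag identifying each protocol, like e.g.~the name of the protocol.}
}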

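@inproceedings{DKR-fsttcs07,
  author      = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title       = {Symbolic Bisimulation for the Applied Pi-Calculus},
  booktitle   = {{P}roceedings of the 27th {C}onference on {F}oundations of {S}oftware {T}echnology and {T}heoretical {C}omputer {S}cience ({FSTTCS}'07)},
  editor      = {Arvind, V. and Prasad, Sanjiva},
  acronym     = {{FSTTCS}'07},
  series      = {Lecture Notes in Computer Science},
  volume      = 4855,
  publisher   = {Springer},
  address     = {New~Delhi, India},
  pages       = {133--145},
  year        = 2007,
  month       = dec,
  doi         = {10.1007/978-3-540-77050-3_11},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-fsttcs07.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-fsttcs07.pdf},
  abstract    = {We propose a symbolic semantics for the finite applied pi calculus, which is a variant of the pi calculus with extensions for modelling cryptographic protocols. By~treating inputs symbolically, our semantics avoids potentially infinite branching of execution trees due to inputs from the environment. Correctness is maintained by associating with each process a set of constraints on symbolic terms. Based on the semantics, we~define a sound symbolic labelled bisimulation relation. This~is an important step towards automation of observational equivalence for the finite applied pi calculus, \emph{e.g.}, for verification of anonymity or strong secrecy properties of protocols with a bounded number of sessions.}
}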

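@inproceedings{DLL-lpar07,
  author      = {Delaune, St{\'e}phanie and Lin, Hai and Lynch, {\relax Ch}ristopher},
  title       = {Protocol verification via rigid{\slash}flexible resolution},
  booktitle   = {{P}roceedings of the 14th {I}nternational {C}onference on {L}ogic for {P}rogramming, {A}rtificial {I}ntelligence, and {R}easoning ({LPAR}'07)},
  editor      = {Dershowitz, Nachum and Voronkov, Andrei},
  acronym     = {{LPAR}'07},
  series      = {Lecture Notes in Artificial Intelligence},
  volume      = 4790,
  publisher   = {Springer},
  address     = {Yerevan, Armenia},
  pages       = {242--256},
  year        = 2007,
  month       = oct,
  doi         = {10.1007/978-3-540-75560-9_19},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLL-lpar07.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLL-lpar07.pdf},
  abstract    = {In this paper we propose a decision procedure, i.e., an~inference system for clauses containing rigid and flexible variables. Rigid variables are only allowed to have one instantiation, whereas flexible variables are allowed as many instantiations as desired. We~assume a set of clauses containing only rigid variables together with a set of clauses containing only flexible variables. When the flexible clauses fall into a particular class, we propose an inference system based on ordered resolution that is sound and complete and for which the inference procedure will halt.\par An interest in this form of problem is for cryptographic protocol verification for a bounded number of protocol instances. Our class allows us to obtain a generic decidability result for a large class of cryptographic protocols that may use for instance~CBC (Cipher Block Chaining) encryption and blind signature.}
}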

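@inproceedings{CD-lpar07,
  author      = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title       = {Deciding Knowledge in Security Protocols for Monoidal Equational Theories},
  booktitle   = {{P}roceedings of the 14th {I}nternational {C}onference on {L}ogic for {P}rogramming, {A}rtificial {I}ntelligence, and {R}easoning ({LPAR}'07)},
  editor      = {Dershowitz, Nachum and Voronkov, Andrei},
  acronym     = {{LPAR}'07},
  series      = {Lecture Notes in Artificial Intelligence},
  volume      = 4790,
  publisher   = {Springer},
  address     = {Yerevan, Armenia},
  pages       = {196--210},
  year        = 2007,
  month       = oct,
  doi         = {10.1007/978-3-540-75560-9_16},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-lpar07.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-lpar07.pdf},
  ps          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CD-lpar07.ps},
  abstract    = {In formal approaches, messages sent over a network are usually modeled by terms together with an equational theory, axiomatizing the properties of the cryptographic functions (encryption, exclusive or,~...). The~analysis of cryptographic protocols requires a precise understanding of the attacker knowledge. Two standard notions are usually used: deducibility and indistinguishability. Only few results have been obtained (in~an ad-hoc~way) for equational theories with associative and commutative properties, especially in the case of static equivalence. The~main contribution of this paper is to propose a general setting for solving deducibility and indistinguishability for an important class (called monoidal) of these theories. Our~setting relies on the correspondence between a monoidal theory~{\(E\)} and a semiring~{\(S_E\)} which allows us to give an algebraic characterization of the deducibility and indistinguishability problems. As~a consequence we recover easily existing decidability results and obtain several new ones.}
}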

@article{DLLT-IC07, publisher = {Elsevier Science Publishers}, journal = {Information and Computation}, author = {Delaune, St{\'e}phanie and Lafourcade, Pascal and Lugiez, Denis and Treinen, Ralf}, title = {Symbolic protocol analysis for monoidal equational theories}, pages = {312-351}, volume = 206, number = {2-4}, year = 2008, month = feb # {-} # apr, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-ic07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-ic07.pdf}, doi = {10.1016/j.ic.2007.07.005}, abstract = {We are interested in the design of automated procedures for analyzing the (in)security of cryptographic protocols in the Dolev-Yao model for a bounded number of sessions when we take into account some algebraic properties satisfied by the operators involved in the protocol. This~leads to a more realistic model than what we get under the perfect cryptography assumption, but it implies that protocol analysis deals with terms modulo some equational theory instead of terms in a free algebra. The main goal of this paper is to set up a general approach that works for a whole class of monoidal theories which contains many of the specific cases that have been considered so far in an ad-hoc way (e.g.~exclusive~or, Abelian groups, exclusive or in combination with the homomorphism axiom). We~follow a classical schema for cryptographic protocol analysis which proves first a locality result and then reduces the insecurity problem to a symbolic constraint solving problem. This approach strongly relies on the correspondence between a monoidal theory~{\(E\)} and a semiring~{\(S_E\)} which we use to deal with the symbolic constraints. We~show that the well-defined symbolic constraints that are generated by reasonable protocols can be solved provided that unification in the monoidal theory satisfies some additional properties. 
The~resolution process boils down to solving particular quadratic Diophantine equations that are reduced to linear Diophantine equations, thanks to linear algebra results and the well-definedness of the problem. Examples of theories that do not satisfy our additional properties appear to be undecidable, which suggests that our characterization is reasonably tight.} }

@proceedings{secret2007-pre, title = {{P}reliminary {P}roceedings of the 2nd {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques ({SecReT}'07)}, booktitle = {{P}reliminary {P}roceedings of the 2nd {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques ({SecReT}'07)}, editor = {Nesi, Monica and Treinen, Ralf}, year = 2007, month = jul, address = {Paris, France} }

@inproceedings{BCD-jouannaud, address = {Cachan, France}, month = jun, year = 2007, volume = 4600, series = {Lecture Notes in Computer Science}, publisher = {Springer}, acronym = {{R}ewriting, {C}omputation and {P}roof}, booktitle = {{R}ewriting, {C}omputation and {P}roof~--- {E}ssays {D}edicated to {J}ean-{P}ierre {J}ouannaud on the {O}ccasion of his 60th {B}irthday}, editor = {Comon{-}Lundh, Hubert and Kirchner, Claude and Kirchner, H{\'e}l{\`e}ne}, author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie}, title = {Deducibility Constraints, Equational Theory and Electronic Money}, pages = {196-212}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-jpj07.ps}, ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-jpj07.ps}, doi = {10.1007/978-3-540-73147-4_10}, abstract = {The starting point of this work is a case study (from France T\'el\'ecom) of an electronic purse protocol. The~goal was to prove that the protocol is secure or that there is an attack. Modeling the protocol requires algebraic properties of a fragment of arithmetic, typically containing modular exponentiation. The~usual equational theories described in papers on security protocols are too weak: the~protocol cannot even be executed in these models. We~consider here an equational theory which is powerful enough for the protocol to be executed, and for which unification is still decidable.\par Our main result is the decidability of the so-called intruder deduction problem, i.e.,~security in presence of a passive attacker, taking the algebraic properties into account. Our~equational theory is a combination of several equational theories over non-disjoint signatures.} }

@proceedings{CLKK-jouannaud07, editor = {Comon{-}Lundh, Hubert and Kirchner, Claude and Kirchner, H{\'e}l{\`e}ne}, booktitle = {Rewriting, Computation and Proof~--- Essays Dedicated to Jean-Pierre Jouannaud on the Occasion of his 60th Birthday}, title = {Rewriting, Computation and Proof~--- Essays Dedicated to Jean-Pierre Jouannaud on the Occasion of his 60th Birthday}, publisher = {Springer}, series = {Lecture Notes in Computer Science}, volume = 4600, year = 2007, month = jun, address = {Cachan, France}, url = {http://www.springerlink.com/content/p0p40764x486/}, doi = {10.1007/978-3-540-73147-4}, isbn = {978-3-540-73146-7} }

@techreport{LSV:07:20, author = {Bresciani, Riccardo}, title = {The {ZRTP} Protocol~--- Security Considerations}, institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France}, year = 2007, month = may, type = {Research Report}, number = {LSV-07-20}, url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-20.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-20.pdf}, ps = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/rr-lsv-2007-20.ps}, note = {23~pages}, abstract = {ZRTP is a draft of a key agreement protocol by Phil~Zimmermann, which relies on a Diffie-Hellman exchange to generate SRTP session parameters, providing confidentiality and protecting against \emph{Man-in-the-Middle} attacks even without a public key infrastructure or endpoint certificates. This is an analysis of the protocol performed with AVISPA and ProVerif, which tests security properties of ZRTP; in~order to perform the analysis, the protocol has been modeled in HLPSL (for~AVISPA) and in the applied \(\pi\)-calculus (for~ProVerif). An improvement to gather some extra resistance against \emph{Man-in-the-Middle} attacks is also proposed.} }

@inproceedings{ACD-frocos07, address = {Liverpool, UK}, month = sep, year = 2007, volume = 4720, series = {Lecture Notes in Artificial Intelligence}, publisher = {Springer}, editor = {Wolter, Franck}, acronym = {{FroCoS}'07}, booktitle = {{P}roceedings of the 6th {I}nternational {S}ymposium on {F}rontiers of {C}ombining {S}ystems ({FroCoS}'07)}, author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie}, title = {Combining algorithms for deciding knowledge in security protocols}, pages = {103-117}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-frocos07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-frocos07.pdf}, ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/ACD-frocos07.ps}, doi = {10.1007/978-3-540-74621-8_7}, abstract = {In formal approaches, messages sent over a network are usually modeled by terms together with an equational theory, axiomatizing the properties of the cryptographic functions (encryption, exclusive or,~...). The analysis of cryptographic protocols requires a precise understanding of the attacker knowledge. Two standard notions are usually used: deducibility and indistinguishability. Those notions are well-studied and a lot of decidability results already exist to deal with a variety of equational theories.\par We~show that decidability results can be easily combined for any disjoint equational theories: if the deducibility and indistinguishability relations are decidable for two disjoint theories, they are also decidable for their union. As~an application, new decidability results can be obtained using this combination theorem.} }

@inproceedings{KM-esorics07, address = {Dresden, Germany}, month = sep, year = 2007, volume = 4734, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Biskup, Joachim and Lopez, Javier}, acronym = {{ESORICS}'07}, booktitle = {{P}roceedings of the 12th {E}uropean {S}ymposium on {R}esearch in {C}omputer {S}ecurity ({ESORICS}'07)}, author = {Kremer, Steve and Mazar{\'e}, Laurent}, title = {Adaptive Soundness of Static Equivalence}, pages = {610-625}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-esorics07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-esorics07.pdf}, doi = {10.1007/978-3-540-74835-9_40}, abstract = {We define a framework to reason about implementations of equational theories in the presence of an adaptive adversary. We particularly focus on soundness of static equivalence. We illustrate our framework on several equational theories: symmetric encryption, XOR, modular exponentiation and also joint theories of encryption and modular exponentiation. This last example relies on a combination result for reusing proofs for the separate theories. Finally, we~define a model for symbolic analysis of dynamic group key exchange protocols, and show its computational soundness.} }

@inproceedings{Gou-csl07, address = {Lausanne, Switzerland}, month = sep, year = 2007, volume = 4646, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Duparc, Jacques and Henzinger, {\relax Th}omas A.}, acronym = {{CSL}'07}, booktitle = {{P}roceedings of the 16th {A}nnual {EACSL} {C}onference on {C}omputer {S}cience {L}ogic ({CSL}'07)}, author = {Goubault{-}Larrecq, Jean}, title = {Continuous Previsions}, pages = {542-557}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-csl07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-csl07.pdf}, doi = {10.1007/978-3-540-74915-8_40}, abstract = {We define strong monads of continuous (lower, upper) previsions, and of forks, modeling both probabilistic and non-deterministic choice. This is an elegant alternative to recent proposals by Mislove, Tix, Keimel, and Plotkin. We show that our monads are sound and complete, in the sense that they model exactly the interaction between probabilistic and (demonic, angelic, chaotic) choice.} }

@techreport{DGA:rap3, author = {Lafourcade, Pascal}, title = {Rapport final d'activit{\'e} {\`a}~{\(11\)}~mois, contrat~{CNRS/DGA} r{\'e}f{\'e}rence~: 06~60~019~00~470~75~01 <<~{U}tilisation et exploitation des th{\'e}ories {\'e}quationnelles dans l'analyse des protocoles cryptographiques~>>}, type = {Contract Report}, institution = {DGA}, year = {2007}, month = oct, note = {6~pages}, url = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap3.ps}, ps = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap3.ps} }

@techreport{DGA:rap2, author = {Lafourcade, Pascal}, title = {Rapport d'activit{\'e}s {\`a}~{\(6\)}~mois, contrat~{CNRS/DGA} r{\'e}f{\'e}rence~: 06~60~019~00~470~75~01 <<~{U}tilisation et exploitation des th{\'e}ories {\'e}quationnelles dans l'analyse des protocoles cryptographiques~>>}, type = {Contract Report}, institution = {DGA}, year = {2007}, month = apr, note = {5~pages}, url = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap2.ps}, ps = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap2.ps} }

@techreport{DGA:rap1, author = {Lafourcade, Pascal}, title = {Rapport d'activit{\'e}s {\`a}~{\(3\)}~mois, contrat~{CNRS/DGA} r{\'e}f{\'e}rence~: 06~60~019~00~470~75~01 <<~{U}tilisation et exploitation des th{\'e}ories {\'e}quationnelles dans l'analyse des protocoles cryptographiques~>>}, type = {Contract Report}, institution = {DGA}, year = {2007}, month = jan, note = {3~pages}, url = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap1.ps}, ps = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap1.ps} }

@inproceedings{JGL-icalp07, address = {Wroc{\l}aw, Poland}, month = jul, year = 2007, volume = 4596, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Arge, Lars and Cachin, {\relax Ch}ristian and Jurdzi{\'n}ski, Tomasz and Tarlecki, Andrzej}, acronym = {{ICALP}'07}, booktitle = {{P}roceedings of the 34th {I}nternational {C}olloquium on {A}utomata, {L}anguages and {P}rogramming ({ICALP}'07)}, author = {Goubault{-}Larrecq, Jean}, title = {Continuous Capacities on Continuous State Spaces}, pages = {764-776}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-icalp07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-icalp07.pdf}, doi = {10.1007/978-3-540-73420-8_66}, abstract = {We propose axiomatizing some stochastic games, in a continuous state space setting, using continuous belief functions, resp. plausibilities, instead of measures. Then, stochastic games are just variations on continuous Markov chains. We argue that drawing at random along a belief function is the same as letting the probabilistic player~\(P\) play first, then letting the non-deterministic player~\(C\) play demonically. The same holds for an angelic~\(C\), using plausibilities instead. We then define a simple modal logic, and characterize simulation in terms of formulae of this logic. Finally, we show that (discounted) payoffs are defined and unique, where in the demonic case, \(P\)~maximizes payoff, while \(C\)~minimizes it.} }

@inproceedings{CDS-csf07, address = {Venice, Italy}, month = jul, year = 2007, publisher = {{IEEE} Computer Society Press}, acronym = {{CSF}'07}, booktitle = {{P}roceedings of the 20th {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'07)}, author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie and Steel, Graham}, title = {A Formal Theory of Key Conjuring}, pages = {79-93}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDS-csf07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDS-csf07.pdf}, ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CDS-csf07.ps}, doi = {10.1109/CSF.2007.5}, abstract = {We describe a formalism for \emph{key conjuring}, the process by which an attacker obtains an unknown, encrypted key by repeatedly calling a cryptographic API function with random values in place of keys. This technique has been used to attack the security APIs of several Hardware Security Modules~(HSMs), which are widely deployed in the ATM (cash machine) network. We~propose a formalism for detecting computationally feasible key conjuring operations, incorporated into a Dolev-Yao style model of the security~API. We~show that security in the presence of key conjuring operations is decidable for a particular class of~APIs, which includes the key management~API of IBM's Common Cryptographic Architecture~(CCA).} }

@inproceedings{Gou-lics07, address = {Wroc{\l}aw, Poland}, month = jul, year = 2007, publisher = {{IEEE} Computer Society Press}, acronym = {{LICS}'07}, booktitle = {{P}roceedings of the 22nd {A}nnual {IEEE} {S}ymposium on {L}ogic in {C}omputer {S}cience ({LICS}'07)}, author = {Goubault{-}Larrecq, Jean}, title = {On {N}oetherian Spaces}, pages = {453-462}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-lics07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-lics07.pdf}, doi = {10.1109/LICS.2007.34}, abstract = {A topological space is Noetherian iff every open is compact. Our~starting point is that this notion generalizes that of well-quasi order, in the sense that an Alexandroff-discrete space is Noetherian iff its specialization quasi-ordering is well. For~more general spaces, this opens the way to verifying infinite transition systems based on non-well quasi ordered sets, but where the preimage operator satisfies an additional continuity assumption. The technical development rests heavily on techniques arising from topology and domain theory, including sobriety and the de Groot dual of a stably compact space. We~show that the category Nthr of Noetherian spaces is finitely complete and finitely cocomplete. Finally, we note that if \(X\)~is a Noetherian space, then the set of all (even infinite) subsets of~\(X\) is again Noetherian, a~result that fails for well-quasi orders.} }

@techreport{LSV:07:10, author = {Bouhoula, Adel and Jacquemard, Florent}, title = {Tree Automata, Implicit Induction and Explicit Destructors for Security Protocol Verification}, institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France}, year = 2007, month = feb, type = {Research Report}, number = {LSV-07-10}, url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-10.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-10.pdf}, note = {21~pages}, abstract = {We present a new method for automatic implicit induction theorem proving, and its application for the verification of cryptographic protocols. The~method is based on constrained tree grammars and handles non-confluent rewrite systems which are required in the context of the verification of security protocols because of the non-deterministic behavior of attackers. It~also handles axioms between constructor terms which allows us to specify explicit destructors representing cryptographic operators. Constrained tree grammars are used in our procedure both as induction schemes and as oracles for checking validity and redundancy by reduction to an emptiness problem. They also permit to characterize security failure of cryptographic protocols as sets of execution traces corresponding to an attack. This~way, we obtain a generic framework for the verification of protocols, in~which we can verify reachability properties like confidentiality, but also more complex properties like authentication. We present three case studies which gave very promising results.} }

@techreport{KL-eth07, author = {Ksi{\k e}{\. z}opolski, Bogdan and Lafourcade, Pascal}, title = {Attack and Revision of an Electronic Auction Protocol using~{OFMC}}, institution = {Department of Computer Science, ETH Zurich, Switzerland}, year = 2007, month = feb, type = {Technical Report}, number = {549}, note = {13~pages}, nmnote = {on peut pas dire que ce soit un papier du labo... Si en fait, car Pascal etait la-bas sur un contrat gere par le LSV}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KL-eth549.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KL-eth549.pdf}, abstract = {In the article we show an attack on the cryptographic protocol of electronic auction with extended requirements [Ksiezopolski and Kotulski, \textit{Cryptographic protocol for electronic auctions with extended requirements},~2004]. The found attack consists of authentication breach and secret retrieval. It~is a kind of {"}man-in-the-middle attack{"}. The intruder impersonates an agent and learns some secret information. We have discovered this flaw using OFMC, an automatic tool for cryptographic protocol verification. After a description of this attack, we propose a new version of the e-auction protocol. We also check with OFMC the secrecy for the new protocol and give an informal proof of the other properties that this new e-auction protocol has to guarantee.} }

@inproceedings{Maz-wits07, address = {Braga, Portugal}, month = mar, year = 2007, editor = {Focardi, Riccardo}, acronym = {{WITS}'07}, booktitle = {{P}reliminary {P}roceedings of the 7th {I}nternational {W}orkshop on {I}ssues in the {T}heory of {S}ecurity ({WITS}'07)}, author = {Mazar{\'e}, Laurent}, title = {Computationally Sound Analysis of Protocols using Bilinear Pairings}, pages = {6-21}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Maz-wits07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Maz-wits07.pdf}, abstract = {In this paper, we introduce a symbolic model to analyse protocols that use a bilinear pairing between two cyclic groups. This model consists in an extension of the Abadi-Rogaway logic and we prove that the logic is still computationally sound: symbolic indistinguishability implies computational indistinguishability provided that the Bilinear Decisional Diffie-Hellman assumption is verified and that the encryption scheme is IND-CPA secure. We~illustrate our results on classical protocols using bilinear pairing like Joux tripartite Diffie-Hellman protocol or the TAK-2 and TAK-3 protocols.} }

@techreport{LSV:07:03, author = {Goubault{-}Larrecq, Jean}, title = {Believe It Or Not, {GOI}~is a Model of Classical Linear Logic}, institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France}, year = 2007, month = jan, type = {Research Report}, number = {LSV-07-03}, url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-03.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-03.pdf}, note = {18~pages}, othernote = {a draft of the longer version of this report is available at http://www.lsv.ens-cachan.fr/~goubault/isg.pdf}, abstract = {We introduce the Danos-R\'egnier category \(\mathcal{DR}(M)\) of a linear inverse monoid~\(M\), a categorical description of geometries of interaction~(GOI). The usual setting for GOI is that of a weakly Cantorian linear inverse monoid. It is well-known that GOI is perfectly suited to describe the multiplicative fragment of linear logic, and indeed \(\mathcal{DR}(M)\) will be a \(*\)-autonomous category in this case. It is also well-known that the categorical interpretation of the other linear connectives conflicts with GOI interpretations. We make this precise, and show that \(\mathcal{DR}(M)\) has no terminal object, no cartesian product, and no exponential---whatever \(M\) is, unless \(M\) is trivial. However, a form of coherence completion of~\(\mathcal{DR}(M)\) \`a la Hu-Joyal provides a model of full classical linear logic, as soon as \(M\) is weakly Cantorian.} }

@phdthesis{THESE-baudet07, author = {Baudet, Mathieu}, title = {S{\'e}curit{\'e} des protocoles cryptographiques~: aspects logiques et calculatoires}, year = 2007, month = jan, type = {Th{\`e}se de doctorat}, school = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-baudet.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-baudet.pdf}, ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/these-baudet.ps}, abstract = {This thesis is dedicated to the automatic verification of cryptographic protocols in the logical and computational settings. \par The~first part concerns the security of protocols in the logical ({"}formal{"}) framework. To~begin with, we show how to specify various security properties of protocols in a concurrent language, and how to analyze them automatically for a bounded number of sessions. The~properties under consideration include notably simple secrecy, authentication and resistance to dictionary attacks. \par The~second part deals with the computational soundness of logical models. The~main question here is to what extent the fact that no logical attack exists on a protocol implies that it is provably secure in the usual cryptographic model (called the computational model). We~concentrate on static equivalence, applied notably to several kinds of encryption and data vulnerable to dictionary attacks (such as passwords). We~show that under simple conditions, any (logical) proof of static equivalence between two messages implies their (computational) indistinguishability. This entails computational soundness in the passive case for the notion of dictionary attacks developed in the first part.} }

@article{VG-icomp2007, publisher = {Elsevier Science Publishers}, journal = {Information and Computation}, author = {Verma, Kumar N. and Goubault{-}Larrecq, Jean}, title = {Alternating Two-Way {AC}-Tree Automata}, pages = {817-869}, year = {2007}, month = jun, volume = 205, number = 6, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/VG-icomp07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/VG-icomp07.pdf}, ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/VG-icomp07.ps}, doi = {10.1016/j.ic.2006.12.006}, abstract = {We explore the notion of alternating two-way tree automata modulo the theory of finitely many associative-commutative (AC) symbols. This was prompted by questions arising in cryptographic protocol verification, in~particular in modeling group key agreement schemes based on Diffie-Hellman-like functions, where the emptiness question for intersections of such automata is fundamental. This also has independent interest. We~show that the use of general push clauses, or of alternation, leads to undecidability, already in the case of one AC symbol, with only functions of arity zero. On~the other hand, emptiness is decidable in the general case of several function symbols, including several AC symbols, provided push clauses are unconditional and intersection clauses are final. This class of automata is also shown to be closed under intersection.} }

@inproceedings{CJP-fossacs07, address = {Braga, Portugal}, month = mar, year = 2007, volume = 4423, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Seidl, Helmut}, acronym = {{FoSSaCS}'07}, booktitle = {{P}roceedings of the 10th {I}nternational {C}onference on {F}oundations of {S}oftware {S}cience and {C}omputation {S}tructures ({FoSSaCS}'07)}, author = {Comon{-}Lundh, Hubert and Jacquemard, Florent and Perrin, Nicolas}, title = {Tree Automata with Memory, Visibility and Structural Constraints}, pages = {168-182}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-fossacs07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-fossacs07.pdf}, doi = {10.1007/978-3-540-71389-0_13}, abstract = {Tree automata with one memory have been introduced in~2001. They generalize both pushdown (word) automata and the tree automata with constraints of equality between brothers of Bogaert and Tison. Though it has a decidable emptiness problem, the main weakness of this model is its lack of good closure properties. We~propose a generalization of the visibly pushdown automata of Alur and Madhusudan to a family of tree recognizers which carry along their (bottom-up) computation an auxiliary unbounded memory with a tree structure (instead of a symbol stack). In~other words, these recognizers, called visibly Tree Automata with Memory~(VTAM) define a subclass of tree automata with one memory enjoying Boolean closure properties. We show in particular that they can be determinized and the problems like emptiness, inclusion and universality are decidable for~VTAM. Moreover, we propose an extension of VTAM whose transitions may be constrained by structural equality and disequality tests between memories, and show that this extension preserves the good closure and decidability properties. } }

@inproceedings{BCD-stacs2007, address = {Aachen, Germany}, month = feb, year = 2007, volume = 4393, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Thomas, Wolfgang and Weil, Pascal}, acronym = {{STACS}'07}, booktitle = {{P}roceedings of the 24th {A}nnual {S}ymposium on {T}heoretical {A}spects of {C}omputer {S}cience ({STACS}'07)}, author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie}, title = {Associative-Commutative Deducibility Constraints}, pages = {634-645}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-stacs07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-stacs07.pdf}, ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-stacs07.ps}, doi = {10.1007/978-3-540-70918-3_54}, abstract = {We consider deducibility constraints, which are equivalent to particular Diophantine systems, arising in the automatic verification of security protocols, in presence of associative and commutative symbols. We show that deciding such Diophantine systems is, in general, undecidable. Then, we consider a simple subclass, which we show decidable. Though the solutions of these problems are not necessarily semi-linear sets, we show that there are (computable) semi-linear sets whose minimal solutions are not too far from the minimal solutions of the system. Finally, we consider a small variant of the problem, for which there is a much simpler decision algorithm. } }

@article{Baudet05jalc, journal = {Journal of Automata, Languages and Combinatorics}, author = {Baudet, Mathieu}, title = {Random Polynomial-Time Attacks and {D}olev-{Y}ao Models}, year = 2006, volume = 11, number = 1, pages = {7-21}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bau05-jalc.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bau05-jalc.pdf}, ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/Bau05-jalc.ps}, abstract = {In this paper we present an extension of Dolev-Yao models for security protocols with a notion of random polynomial-time (Las Vegas) computability. First we notice that Dolev-Yao models can be seen as transition systems, possibly infinite. We then extend these transition systems with computation times and probabilities. The extended models can account for normal Dolev-Yao transitions as well as nonstandard operations such as inverting a one-way function. Our main contribution consists of showing that under reasonable assumptions the extended models are equivalent to standard Dolev-Yao models as far as (safety) security properties are concerned.} }

@article{LLT-icomp07, publisher = {Elsevier Science Publishers}, journal = {Information and Computation}, author = {Lafourcade, Pascal and Lugiez, Denis and Treinen, Ralf}, title = {Intruder Deduction for the Equational Theory of {A}belian Groups with Distributive Encryption}, year = 2007, volume = 205, number = 4, pages = {581-623}, month = apr, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-icomp07.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-icomp07.pdf}, ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/LLT-icomp07.ps}, doi = {10.1016/j.ic.2006.10.008}, abstract = {Cryptographic protocols are small programs which involve a high level of concurrency and which are difficult to analyze by hand. The~most successful methods to verify such protocols are based on rewriting techniques and automated deduction in order to implement or mimic the process calculus describing the execution of a protocol. We~are interested in the intruder deduction problem, that is vulnerability to passive attacks in presence of equational theories which model the protocol specification and properties of the cryptographic operators.\par In the present paper we consider the case where the encryption distributes over the operator of an Abelian group or over an exclusive-or operator. We~prove decidability of the intruder deduction problem in both cases. We~obtain a PTIME decision procedure in a restricted case, the so-called binary case.\par These decision procedures are based on a careful analysis of the proof system modeling the deductive power of the intruder, taking into account the algebraic properties of the equational theories under consideration. The~analysis of the deduction rules interacting with the equational theory relies on the manipulation of \(\mathbb{Z}\)-modules in the general case, and on results from prefix rewriting in the binary case.} }

@book{TATA07, author = {Comon{-}Lundh, Hubert and Dauchet, Max and Gilleron, R{\'e}mi and L{\"o}ding, Christof and Jacquemard, Florent and Lugiez, Denis and Tison, Sophie and Tommasi, Marc}, title = {Tree Automata Techniques and Applications}, year = 2007, month = nov, url = {http://www.grappa.univ-lille3.fr/tata/}, nmhowpublished = {Available on: \url{http://www.grappa.univ-lille3.fr/tata}}, nmnote = {release October, 12th 2007} }

% Symbolic and computational models of security protocols presented as instances of one generic model.
% nopages is not a standard field name, so standard styles ignore it; the entry carries no page range.
@inproceedings{HCL-fsttcs08,
  author    = {Comon{-}Lundh, Hubert},
  title     = {About models of security protocols},
  booktitle = {{P}roceedings of the 28th {C}onference on {F}oundations of {S}oftware {T}echnology and {T}heoretical {C}omputer {S}cience ({FSTTCS}'08)},
  acronym   = {{FSTTCS}'08},
  editor    = {Hariharan, Ramesh and Mukund, Madhavan and Vinay, V.},
  series    = {Leibniz International Proceedings in Informatics},
  volume    = 2,
  nopages   = {},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  address   = {Bangalore, India},
  year      = 2008,
  month     = dec,
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-fsttcs08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-fsttcs08.pdf},
  abstract  = {In this paper, mostly consisting of definitions, we~revisit the models of security protocols: we~show that the symbolic and the computational models (as~well as others) are instances of a same generic model. Our definitions are also parametrized by the security primitives, the notion of attacker and, to some extent, the process calculus.}
}

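% NOTE(review): url/pdf name GLLN-arxiv05.pdf and the note says 81 pages, while the journal
% page range covers 49 pages; the linked file is presumably a preprint (confirm). The doi
% identifies the published article.
@article{GLLN-mscs08,
  author    = {Goubault{-}Larrecq, Jean and Lasota, S{\l}awomir and Nowak, David},
  title     = {Logical Relations for Monadic Types},
  journal   = {Mathematical Structures in Computer Science},
  volume    = 18,
  number    = 6,
  pages     = {1169--1217},
  publisher = {Cambridge University Press},
  year      = 2008,
  month     = dec,
  note      = {81~pages},
  doi       = {10.1017/S0960129508007172},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GLLN-arxiv05.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GLLN-arxiv05.pdf},
  abstract  = {Logical relations and their generalisations are a fundamental tool in proving properties of lambda calculi, for example, for yielding sound principles for observational equivalence. We propose a natural notion of logical relations that is able to deal with the monadic types of Moggi's computational lambda calculus. The treatment is categorical, and is based on notions of subsconing, mono factorisation systems and monad morphisms. Our approach has a number of interesting applications, including cases for lambda calculi with non-determinism (where being in a logical relation means being bisimilar), dynamic name creation and probabilistic systems.}
}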

% NOTE(review): futureslides is not a standard field name, so standard styles ignore it. Its value
% contains a space and names these-AS07-slides.pdf while url/pdf name these-EB08.pdf; confirm
% the slides link before turning it into a live field.
@phdthesis{bursztein-these2008,
  author       = {Bursztein, Elie},
  title        = {Anticipation games. Th{\'e}orie des jeux appliqu{\'e}s {\`a} la s{\'e}curit{\'e} r{\'e}seau},
  type         = {Th{\`e}se de doctorat},
  school       = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year         = 2008,
  month        = nov,
  url          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-EB08.pdf},
  pdf          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-EB08.pdf},
  futureslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/ these-AS07-slides.pdf}
}

% NOTE(review): futureslides is not a standard field name, so standard styles ignore it. Its value
% contains a space and names these-FC07-slides.pdf while url/pdf name these-MA07.pdf; confirm
% the slides link before turning it into a live field.
@phdthesis{arapinis-these2008,
  author       = {Arapinis, Myrto},
  title        = {S{\'e}curit{\'e} des protocoles cryptographiques~: d{\'e}cidabilit{\'e} et r{\'e}sultats de r{\'e}duction},
  type         = {Th{\`e}se de doctorat},
  school       = {Universit{\'e} Paris~12, Cr{\'e}teil, France},
  year         = 2008,
  month        = nov,
  url          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-MA07.pdf},
  pdf          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-MA07.pdf},
  futureslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/ these-FC07-slides.pdf}
}

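% Composition: a protocol proved secure stays secure next to other protocols that may share keys,
% provided those satisfy a syntactic condition (secrecy and authentication properties).
@article{CD-fmsd08,
  author    = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title     = {Safely Composing Security Protocols},
  journal   = {Formal Methods in System Design},
  volume    = 34,
  number    = 1,
  pages     = {1--36},
  publisher = {Springer},
  year      = 2009,
  month     = feb,
  doi       = {10.1007/s10703-008-0059-4},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-fmsd08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-fmsd08.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CD-fmsd08.ps},
  abstract  = {Security protocols are small programs that are executed in hostile environments. Many results and tools have been developed to formally analyze the security of a protocol in the presence of an active attacker that may block, intercept and send new messages. However even when a protocol has been proved secure, there is absolutely no guarantee if the protocol is executed in an environment where other protocols are executed, possibly sharing some common keys like public keys or long-term symmetric keys.\par In this paper, we show that security of protocols can be easily composed. More precisely, we show that whenever a protocol is secure, it remains secure even in an environment where arbitrary protocols satisfying a reasonable (syntactic) condition are executed. This result holds for a large class of security properties that encompasses secrecy and various formulations of authentication.}
}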

% The {\relax Ph} group makes BibTeX treat "Ph" as one letter, so abbreviating styles print "Ph." rather than "P.".
% noslides is not a standard field name, so standard styles ignore it.
@misc{PhS-AV2008,
  author       = {Schnoebelen, {\relax Ph}ilippe},
  title        = {The complexity of lossy channel systems},
  howpublished = {Invited talk, Workshop {A}utomata and {V}erification ({AV}'08), Mons, Belgium},
  year         = 2008,
  month        = aug,
  noslides     = {}
}

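% Anticipation games (attack-graph model based on game theory) extended with location, penalty and timeline.
@inproceedings{EB-fast08,
  author    = {Bursztein, Elie},
  title     = {Extending Anticipation Games with Location, Penalty and Timeline},
  booktitle = {{R}evised {S}elected {P}apers of the 5th {I}nternational {W}orkshop on {F}ormal {A}spects in {S}ecurity and {T}rust ({FAST}'08)},
  acronym   = {{FAST}'08},
  editor    = {Degano, Pierpaolo and Guttman, Joshua and Martinelli, Fabio},
  series    = {Lecture Notes in Computer Science},
  volume    = 5491,
  pages     = {272--286},
  publisher = {Springer},
  address   = {Malaga, Spain},
  year      = 2009,
  month     = apr,
  doi       = {10.1007/978-3-642-01465-9_18},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/eb-fast08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/eb-fast08.pdf},
  abstract  = {Over the last few years, attack graphs have became a well recognized tool to analyze and model complex network attack. The most advanced evolution of attack graphs, called anticipation games, is based on game theory. However even if anticipation games allow to model time, collateral effects and player interactions with the network, there is still key aspects of the network security that cannot be modeled in this framework. Theses aspects are network cooperation to fight unknown attack, the cost of attack based on its duration and the introduction of new attack over the time. In this paper we address these needs, by introducing a three-fold extension to anticipation games. We prove that this extension does not change the complexity of the framework. We illustrate the usefulness of this extension by presenting how it can be used to find a defense strategy against 0 days that use an honey net. Finally, we have implemented this extension into a prototype, to show that it can be used to analyze large networks security.}
}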

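% Soundness theorem: observational equivalence of symbolic processes implies computational
% indistinguishability against an active attacker (proved for symmetric encryption).
@inproceedings{CLC-ccs08,
  author    = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique},
  title     = {Computational Soundness of Observational Equivalence},
  booktitle = {{P}roceedings of the 15th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity ({CCS}'08)},
  acronym   = {{CCS}'08},
  pages     = {109--118},
  publisher = {ACM Press},
  address   = {Alexandria, Virginia, USA},
  year      = 2008,
  month     = oct,
  doi       = {10.1145/1455770.1455786},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CLC-ccs08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CLC-ccs08.pdf},
  abstract  = {Many security properties are naturally expressed as indistinguishability between two versions of a protocol. In this paper, we show that computational proofs of indistinguishability can be considerably simplified, for a class of processes that covers most existing protocols. More precisely, we show a soundness theorem, following the line of research launched by Abadi and Rogaway in~2000: computational indistinguishability in presence of an active attacker is implied by the observational equivalence of the corresponding symbolic processes. We prove our result for symmetric encryption, but the same techniques can be applied to other security primitives such as signatures and public-key encryption. The proof requires the introduction of new concepts, which are general and can be reused in other settings.}
}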

@mastersthesis{ciobaca-master,
  author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan},
  title  = {Verification of anonymity properties in e-voting protocols},
  type   = {Rapport de {M}aster},
  school = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France},
  year   = {2008},
  month  = sep,
  url    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-ciobaca.pdf},
  pdf    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-ciobaca.pdf}
}

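% Protocol transformation (dynamic tags): security for one session is lifted to an unbounded number of sessions.
@inproceedings{ADK-lpar08,
  author    = {Arapinis, Myrto and Delaune, St{\'e}phanie and Kremer, Steve},
  title     = {From One Session to Many: Dynamic Tags for Security Protocols},
  booktitle = {{P}roceedings of the 15th {I}nternational {C}onference on {L}ogic for {P}rogramming, {A}rtificial {I}ntelligence, and {R}easoning ({LPAR}'08)},
  acronym   = {{LPAR}'08},
  editor    = {Cervesato, Iliano and Veith, Helmut and Voronkov, Andrei},
  series    = {Lecture Notes in Artificial Intelligence},
  volume    = {5330},
  pages     = {128--142},
  publisher = {Springer},
  address   = {Doha, Qatar},
  year      = 2008,
  month     = nov,
  doi       = {10.1007/978-3-540-89439-1_9},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ADK-lpar08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ADK-lpar08.pdf},
  abstract  = {The design and verification of cryptographic protocols is a notoriously difficult task, even in abstract Dolev-Yao models. This is mainly due to several sources of unboundedness (size of messages, number of sessions,~...). In~this paper, we~present a transformation which maps a protocol that is secure for a single session to a protocol that is secure for an unbounded number of sessions. The~transformation is surprisingly simple, computationally light and works for arbitrary protocols that rely on usual cryptographic primitives, such as symmetric and asymmetric encryption as well as digital signatures. Our~result provides an effective strategy to design secure protocols: (i)~design a protocol intended to be secure for one session (this can be verified with existing automated tools); (ii)~apply our transformation and obtain a protocol which is secure for an unbounded number of sessions. A~side-effect of this result is that we characterize a class of protocols for which secrecy for an unbounded number of sessions is decidable.}
}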

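@inproceedings{HCL-ijcar08,
  author    = {Comon{-}Lundh, Hubert},
  title     = {Challenges in the Automated Verification of Security Protocols},
  booktitle = {{P}roceedings of the 4th {I}nternational {J}oint {C}onference on {A}utomated {R}easoning ({IJCAR}'08)},
  acronym   = {{IJCAR}'08},
  editor    = {Armando, Alessandro and Baumgartner, Peter and Dowek, Gilles},
  series    = {Lecture Notes in Artificial Intelligence},
  volume    = {5195},
  pages     = {396--409},
  publisher = {Springer-Verlag},
  address   = {Sydney, Australia},
  year      = 2008,
  month     = aug,
  doi       = {10.1007/978-3-540-71070-7_34},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-ijcar08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-ijcar08.pdf},
  abstract  = {The application area of security protocols raises several problems that are relevant to automated deduction. We describe in this note some of these challenges.}
}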

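% Vote-privacy, receipt-freeness and coercion-resistance formalised as observational equivalences in the applied pi calculus.
@article{DKR-jcs08,
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title     = {Verifying Privacy-type Properties of Electronic Voting Protocols},
  journal   = {Journal of Computer Security},
  volume    = 17,
  number    = 4,
  pages     = {435--487},
  publisher = {{IOS} Press},
  year      = 2009,
  month     = jul,
  doi       = {10.3233/JCS-2009-0340},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs08.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DKR-jcs08.ps},
  abstract  = {Electronic voting promises the possibility of a convenient, efficient and secure facility for recording and tallying votes in an election. Recently highlighted inadequacies of implemented systems have demonstrated the importance of formally verifying the underlying voting protocols. We study three privacy-type properties of electronic voting protocols: in increasing order of strength, they are vote-privacy, receipt-freeness, and coercion-resistance.\par We use the applied pi calculus, a formalism well adapted to modelling such protocols, which has the advantages of being based on well-understood concepts. The privacy-type properties are expressed using observational equivalence and we show in accordance with intuition that coercion-resistance implies receipt-freeness, which implies vote-privacy.\par We illustrate our definitions on three electronic voting protocols from the literature. Ideally, these three properties should hold even if the election officials are corrupt. However, protocols that were designed to satisfy receipt-freeness or coercion-resistance may not do so in the presence of corrupt officials. Our model and definitions allow us to specify and easily change which authorities are supposed to be trustworthy.}
}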

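% NetQi: model checker implementing the anticipation game framework for analysing network incidents.
@inproceedings{Bur-atva08,
  author    = {Bursztein, Elie},
  title     = {Net{Q}i: A~Model Checker for Anticipation Game},
  booktitle = {{P}roceedings of the 6th {I}nternational {S}ymposium on {A}utomated {T}echnology for {V}erification and {A}nalysis ({ATVA}'08)},
  acronym   = {{ATVA}'08},
  editor    = {Cha, Sungdeok and Choi, Jin-Young and Kim, Moonzoo and Lee, Insup and Viswanathan, Mahesh},
  series    = {Lecture Notes in Computer Science},
  volume    = 5311,
  pages     = {246--251},
  publisher = {Springer},
  address   = {Seoul, Korea},
  year      = {2008},
  month     = oct,
  doi       = {10.1007/978-3-540-88387-6_22},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-atva08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-atva08.pdf},
  abstract  = {NetQi is a freely available model-checker designed to analyze network incidents such as intrusion. This tool is an implementation of the anticipation game framework, a variant of timed game tailored for network analysis. The main purpose of NetQi is to find, given a network initial state and a set of rules, the best strategy that fulfills player objectives by model-checking the anticipation game and comparing the outcome of each play that fulfills strategy constraints. For instance, it can be used to find the best patching strategy. NetQi has been successfully used to analyze service failure due to hardware, network intrusion, worms and multiple-site intrusion defense cooperation.}
}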

@techreport{LSV:08:18,
  author      = {Goubault{-}Larrecq, Jean},
  title       = {A Cone-Theoretic {K}rein-{M}ilman Theorem},
  type        = {Research Report},
  number      = {LSV-08-18},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year        = 2008,
  month       = jun,
  note        = {8~pages},
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-18.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-18.pdf},
  abstract    = {We prove the following analogue of the Krein-Milman Theorem: in any locally convex \(T_{0}\) topological cone, every convex compact saturated subset is the compact saturated convex hull of its extreme points.}
}

% The number field writes the colon as \string: (presumably so it stays inactive under a
% language package that redefines ':'; confirm). nopages is not a standard field name and is ignored.
@article{CJP-lmcs08,
  author   = {Comon{-}Lundh, Hubert and Jacquemard, Florent and Perrin, Nicolas},
  title    = {Visibly Tree Automata with Memory and Constraints},
  journal  = {Logical Methods in Computer Science},
  volume   = 4,
  number   = {2\string:8},
  nopages  = {},
  year     = 2008,
  month    = jun,
  doi      = {10.2168/LMCS-4(2:8)2008},
  url      = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-lmcs08.pdf},
  pdf      = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-lmcs08.pdf},
  abstract = {Tree automata with one memory have been introduced in~2001. They generalize both pushdown (word) automata and the tree automata with constraints of equality between brothers of Bogaert and Tison. Though it has a decidable emptiness problem, the main weakness of this model is its lack of good closure properties.\par We propose a generalization of the visibly pushdown automata of Alur and~Madhusudan to a family of tree recognizers which carry along their (bottom-up) computation an auxiliary unbounded memory with a tree structure (instead of a symbol stack). In~other words, these recognizers, called Visibly Tree Automata with Memory~(VTAM) define a subclass of tree automata with one memory enjoying Boolean closure properties. We~show in particular that they can be determinized and the problems like emptiness, membership, inclusion and universality are decidable for VTAM. Moreover, we propose several extensions of VTAM whose transitions may be constrained by different kinds of tests between memories and also constraints \emph{{\`a}~la} Bogaert and~Tison. We~show that some of these classes of constrained VTAM keep the good closure and decidability properties, and we demonstrate their expressiveness with relevant examples of tree languages.}
}

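% Group protocols (unbounded number of participants) verified against a passive attacker using
% visibly tree automata with memory and structural constraints.
@inproceedings{KMT-ijcar08,
  author    = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
  title     = {Proving Group Protocols Secure Against Eavesdroppers},
  booktitle = {{P}roceedings of the 4th {I}nternational {J}oint {C}onference on {A}utomated {R}easoning ({IJCAR}'08)},
  acronym   = {{IJCAR}'08},
  editor    = {Armando, Alessandro and Baumgartner, Peter and Dowek, Gilles},
  series    = {Lecture Notes in Artificial Intelligence},
  volume    = {5195},
  pages     = {116--131},
  publisher = {Springer-Verlag},
  address   = {Sydney, Australia},
  year      = 2008,
  month     = aug,
  doi       = {10.1007/978-3-540-71070-7_9},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-ijcar08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-ijcar08.pdf},
  abstract  = {Security protocols are small programs designed to ensure properties such as secrecy of messages or authentication of parties in a hostile environment. In this paper we investigate automated verification of a particular type of security protocols, called \emph{group protocols}, in the presence of an eavesdropper, i.e., a passive attacker. The specificity of group protocols is that the number of participants is not bounded.\par Our approach consists in representing an infinite set of messages exchanged during an unbounded number of sessions, one session for each possible number of participants, as well as the infinite set of associated secrets. We use so-called visibly tree automata with memory and structural constraints (introduced recently by Comon-Lundh \textit{et~al.}) to represent over-approximations of these two sets. We~identify restrictions on the specification of protocols which allow us to reduce the attacker capabilities guaranteeing that the above mentioned class of automata is closed under the application of the remaining attacker rules. The class of protocols respecting these restrictions is large enough to cover several existing protocols, such as the GDH family, GKE, and others.}
}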

% title and booktitle carry the same text, so the volume title is available under either field name.
@proceedings{CKR-dagstuhl07,
  editor    = {Chen, Liqun and Kremer, Steve and Ryan, Mark D.},
  title     = {Formal Protocol Verification Applied},
  booktitle = {Formal Protocol Verification Applied},
  series    = {Dagstuhl Seminar Proceedings},
  volume    = {07421},
  address   = {Dagstuhl, Germany},
  year      = 2008,
  url       = {http://drops.dagstuhl.de/portals/index.php?semnr=07421}
}

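% Orchids intrusion detection tool: on-line model-checking with dynamically spawned monitors,
% pruned using abstract interpretation.
@inproceedings{JGL:badweeds,
  author    = {Goubault{-}Larrecq, Jean and Olivain, Julien},
  title     = {A Smell of Orchids},
  booktitle = {{P}roceedings of the 8th {W}orkshop on {R}untime {V}erification ({RV}'08)},
  acronym   = {{RV}'08},
  editor    = {Leucker, Martin},
  series    = {Lecture Notes in Computer Science},
  volume    = 5289,
  pages     = {1--20},
  publisher = {Springer},
  address   = {Budapest, Hungary},
  year      = 2008,
  month     = mar,
  doi       = {10.1007/978-3-540-89247-2_1},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/go-rv08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/go-rv08.pdf},
  abstract  = {Orchids is an intrusion detection tool based on techniques for fast, on-line model-checking. Orchids detects complex, correlated strands of events with very low overhead in practice, although its detection algorithm has worst-case exponential time complexity.\par The purpose of this paper is twofold. First, we explain the salient features of the basic model-checking algorithm in an intuitive way, as a form of dynamically-spawned monitors. One distinctive feature of the Orchids algorithm is that fresh monitors need to be spawned at a possibly alarming rate.\par The second goal of this paper is therefore to explain how we tame the complexity of the procedure, using abstract interpretation techniques to safely kill useless monitors. This includes monitors which will provably detect nothing, but also monitors that are subsumed by others, in the sense that they will definitely fail the so-called shortest run criterion. We take the opportunity to show how the Orchids algorithm maintains its monitors sorted in such a way that the subsumption operation is effected with no overhead, and we correct a small, but definitely annoying bug in its core algorithm, as it was published in~2001.}
}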

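% NOTE(review): url/pdf point to a file under RAPPORTS_LSV (rr-lsv-2008-15.pdf), presumably the
% research-report version rather than the proceedings text (confirm). The doi identifies the
% published paper.
@inproceedings{JGL-csf08,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {Towards Producing Formally Checkable Security Proofs, Automatically},
  booktitle = {{P}roceedings of the 21st {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'08)},
  acronym   = {{CSF}'08},
  pages     = {224--238},
  publisher = {{IEEE} Computer Society Press},
  address   = {Pittsburgh, Pennsylvania, USA},
  year      = 2008,
  month     = jun,
  doi       = {10.1109/CSF.2008.21},
  url       = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-15.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-15.pdf},
  abstract  = {First-order logic models of security for cryptographic protocols, based on variants of the Dolev-Yao model, are now well-established tools. Given that we have checked a given security protocol~\(\pi\) using a given first-order prover, how hard is it to extract a formally checkable proof of~it, as~required in, e.g., common criteria at evaluation level~\(7\)? We~demonstrate that this is surprisingly hard: the problem is non-recursive in general. On~the practical side, we show how we can extract finite models~\(\mathcal{M}\) from a set~\(\mathcal{S}\) of clauses representing~\(\pi\), automatically, in two ways. We~then define a model-checker testing \(\mathcal{M} \models \mathcal{S}\), and show how we can instrument it to output a formally checkable proof, e.g., in~Coq. This was implemented in the \texttt{h1} tool suite. Experience on a number of protocols shows that this is practical.}
}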

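% Password reuse across protocols: resistance to guessing attacks composes against a passive
% attacker, and against an active attacker only under a syntactic criterion.
@inproceedings{DKR-csf08,
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title     = {Composition of Password-based Protocols},
  booktitle = {{P}roceedings of the 21st {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'08)},
  acronym   = {{CSF}'08},
  pages     = {239--251},
  publisher = {{IEEE} Computer Society Press},
  address   = {Pittsburgh, Pennsylvania, USA},
  year      = 2008,
  month     = jun,
  doi       = {10.1109/CSF.2008.6},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csf08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csf08.pdf},
  abstract  = {We investigate the composition of protocols that share a common secret. This situation arises when users employ the same password on different services. More precisely we study whether resistance against guessing attacks composes when the same password is used. We model guessing attacks using a common definition based on static equivalence in a cryptographic process calculus close to the applied pi calculus. We show that resistance against guessing attacks composes in the presence of a passive attacker. However, composition does not preserve resistance against guessing attacks for an active attacker. We therefore propose a simple syntactic criterion under which we show this composition to hold. Finally, we present a protocol transformation that ensures this syntactic criterion and preserves resistance against guessing attacks.}
}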

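% Formal model of the PKCS#11 API with non-monotonic mutable global state; decidability results
% and a model-checker-based decision procedure.
@inproceedings{DKS-csf08,
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Steel, Graham},
  title     = {Formal Analysis of {PKCS}\#11},
  booktitle = {{P}roceedings of the 21st {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'08)},
  acronym   = {{CSF}'08},
  pages     = {331--344},
  publisher = {{IEEE} Computer Society Press},
  address   = {Pittsburgh, Pennsylvania, USA},
  year      = 2008,
  month     = jun,
  doi       = {10.1109/CSF.2008.16},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-csf08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-csf08.pdf},
  abstract  = {PKCS\#11 defines an API for cryptographic devices that has been widely adopted in industry. However, it~has been shown to be vulnerable to a variety of attacks that could, for example, compromise the sensitive keys stored on the device. In~this paper, we~set out a formal model of the operation of the API, which differs from previous security API models notably in that it accounts for non-monotonic mutable global state. We~give decidability results for our formalism, and describe an implementation of the resulting decision procedure using a model checker. We~report some new attacks and prove the safety of some configurations of the API in our model.}
}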

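% Same title as DKS-csf08 but a different venue (TFIT'08) and no doi; cite the entry that matches
% the version actually consulted.
@inproceedings{DKS-TFIT2008,
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Steel, Graham},
  title     = {Formal Analysis of {PKCS}\#11},
  booktitle = {{P}roceedings of the 4th {T}aiwanese-{F}rench {C}onference on {I}nformation {T}echnology ({TFIT}'08)},
  acronym   = {{TFIT}'08},
  editor    = {Kuo, Tei-Wei and Cruz-Lara, Samuel},
  pages     = {267--278},
  address   = {Taipei, Taiwan},
  year      = 2008,
  month     = mar,
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-tfit08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-tfit08.pdf},
  abstract  = {PKCS\#11 defines an API for cryptographic devices that has been widely adopted in industry. However, it~has been shown to be vulnerable to a variety of attacks that could, for~example, compromise the sensitive keys stored on the device. In~this paper, we~set out a formal model of the operation of the API, which differs from previous security API models notably in that it accounts for non-monotonic mutable global state. We give decidability results for our formalism, and describe an implementation of the resulting decision procedure using a model checker. We report some new attacks and prove the safety of some configurations of the API in our model.}
}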

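% Extends ProVerif's reasoning about observational equivalences, including protocols that need global synchronisation.
@inproceedings{DRS-ifiptm08,
  author    = {Delaune, St{\'e}phanie and Ryan, Mark D. and Smyth, Ben},
  title     = {Automatic verification of privacy properties in the applied pi-calculus},
  booktitle = {{P}roceedings of the 2nd {J}oint i{T}rust and {PST} {C}onferences on {P}rivacy, {T}rust {M}anagement and {S}ecurity (IFIPTM'08)},
  acronym   = {IFIPTM'08},
  editor    = {Karabulut, Yuecel and Mitchell, John and Herrmann, Peter and Jensen, Christian Damsgaard},
  series    = {IFIP Conference Proceedings},
  volume    = 263,
  pages     = {263--278},
  publisher = {Springer},
  address   = {Trondheim, Norway},
  year      = 2008,
  month     = jun,
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DRS-ifiptm08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DRS-ifiptm08.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DRS-ifiptm08.ps},
  abstract  = {We develop a formal method verification technique for cryptographic protocols. We~focus on proving observational equivalences of the kind \(P \sim Q\), where the processes \(P\) and~\(Q\) have the same structure and differ only in the choice of terms. The calculus of ProVerif, a variant of the applied pi-calculus, makes some progress in this direction. We~expand the scope of ProVerif, to provide reasoning about further equivalences. We~also provide an extension which allows modelling of protocols which require global synchronisation. Finally we develop an algorithm to enable automated reasoning.\par We demonstrate the practicality of our work with two case studies.}
}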

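% Probabilistic protocol identification combining payload analysis with a classifier over
% discriminators such as packet entropy and size.
@inproceedings{Bur-wistp08,
  author    = {Bursztein, Elie},
  title     = {Probabilistic Protocol Identification for Hard to Classify Protocol},
  booktitle = {{P}roceedings of the 2nd {I}nternational {W}orkshop on {I}nformation {S}ecurity {T}heory and {P}ractices ({WISTP}'08)},
  acronym   = {{WISTP}'08},
  editor    = {Onieva, Jose A. and Sauveron, Damien and Chaumette, Serge and Gollmann, Dieter and Markantonakis, Konstantinos},
  series    = {Lecture Notes in Computer Science},
  volume    = 5019,
  pages     = {49--63},
  publisher = {Springer},
  address   = {Sevilla, Spain},
  year      = 2008,
  month     = may,
  note      = {Best paper award},
  doi       = {10.1007/978-3-540-79966-5_4},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-wistp08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-wistp08.pdf},
  abstract  = {With the growing use of protocols obfuscation techniques, protocol identification for Q.O.S enforcement, traffic prohibition, and intrusion detection has became a complex task. This paper address this issue with a probabilistic identification analysis that combines multiples advanced identification techniques and returns an ordered list of probable protocols. It~combines a payload analysis with a classifier based on several discriminators, including packet entropy and size. We~show with its implementation, that it overcomes the limitations of traditional port-based protocol identification when dealing with hard to classify protocol such as peer to peer protocols. We also details how it deals with tunneled session and covert channel.}
}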

% Anticipation game framework extended with cost and reward to find administrator and intruder strategies.
@techreport{LSV:08:02,
  author      = {Bursztein, Elie},
  title       = {Network Administrator and Intruder Strategies},
  type        = {Research Report},
  number      = {LSV-08-02},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year        = 2008,
  month       = feb,
  note        = {23~pages},
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-02.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-02.pdf},
  abstract    = {The anticipation game framework is an extension of attack graphs based on game theory. It is used to anticipate and analyze intruder and administrator interactions with the network. In this paper we extend this framework with cost and reward in order to analyze and find player strategies. Additionally this extension allows to take into account the financial aspect of network security in the analysis. Intuitively a strategy is the best succession of actions that the administrator or the intruder can perform to achieve his objectives. Player objectives range from patching the network efficiently to compromising the most valuable network assets. We prove that finding the optimal strategy is decidable and only requires a linear memory space. Finally we show that finding strategy can be done in practice by evaluating the performance of our analyzer called NetQi.}
}

% NOTE(review): year is 2007 while the note names SCIS2008; confirm which date to cite.
% oldhowpublished is not a standard field name, so standard styles ignore it.
@misc{hcl:lecture07,
  author          = {Comon{-}Lundh, Hubert},
  title           = {Soundness of abstract cryptography},
  year            = {2007},
  note            = {Course notes (part~1), Symposium on Cryptography and Information Security (SCIS2008), Tokai, Japan},
  url             = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-sac08.pdf},
  pdf             = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-sac08.pdf},
  oldhowpublished = {Lecture notes, part 1. Available at \url{http://staff.aist.go.jp/h.comon-lundh/}}
}

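@article{PPSLBCH-commag08,
  author    = {Papadimitratos, Panos and Poturalski, Marcin and Schaller, Patrick and Lafourcade, Pascal and Basin, David and {\v{C}}apkun, Srdjan and Hubaux, Jean-Pierre},
  title     = {Secure Neighborhood Discovery: A~Fundamental Element for Mobile Ad Hoc Networking},
  journal   = {IEEE Communications Magazine},
  publisher = {{IEEE} Communications Society},
  volume    = 46,
  number    = 2,
  pages     = {132--139},
  year      = 2008,
  month     = feb,
  doi       = {10.1109/MCOM.2008.4473095},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/PPSLBCH-commag08.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/PPSLBCH-commag08.pdf},
  abstract  = {Pervasive computing systems will likely be deployed in the near future, with the proliferation of wireless devices and the emergence of ad hoc networking as key enablers. Coping with mobility and the volatility of wireless communications in such systems is critical. Neighborhood Discovery~(ND), namely, the discovery of devices directly reachable for communication or in physical proximity, becomes a fundamental requirement and a building block for various applications. However, the very nature of wireless mobile networks makes it easy to abuse ND and thereby compromise the overlying protocols and applications. Thus, providing methods to mitigate this vulnerability and to secure ND is crucial. In~this article, we~focus on this problem and provide definitions of neighborhood types and ND protocol properties, as well as a broad classification of attacks. Our ND literature survey reveals that securing ND is indeed a difficult and largely open problem. Moreover, given the severity of the problem, we advocate the need to formally model neighborhood and to analyze ND schemes.}
}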

@unpublished{JLC-rc,
  author = {Carr{\'e}, Jean-Loup},
  title  = {R{\'e}{\'e}criture, confluence},
  note   = {Course notes, {P}r{\'e}paration {\`a} l'agr{\'e}gation, ENS Cachan, France},
  year   = {2007},
  month  = dec
}

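@misc{pronobis-final,
  author = {{ARC ProNoBis}},
  title  = {ProNoBis: Probability and Nondeterminism, Bisimulations and Security~-- {R}apport Final},
  type   = {Contract Report},
  year   = 2007,
  month  = oct,
  url    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/pronobis-final.pdf},
  pdf    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/pronobis-final.pdf},
  nonote = {78~slides}
}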

@misc{netanalyser-v0.7.5,
  author         = {Bursztein, Elie},
  title          = {NetAnalyzer~v0.7.5},
  year           = {2008},
  month          = jan,
  note           = {Written in~C and Perl (about 25000 lines)},
  note-fr        = {\'Ecrit en~C et en Perl (environ 25000 lignes)},
  nohowpublished = {Available at .... }
}

@misc{netqi-v1,
  author       = {Bursztein, Elie},
  title        = {NetQi~v1rc1},
  howpublished = {Available at \url{http://www.netqi.org/}},
  year         = {2007},
  month        = dec,
  url          = {http://www.netqi.org},
  note         = {Written in~C and Java (about 10000 lines)},
  note-fr      = {\'Ecrit en~C et en Java (environ 10000 lignes)}
}

@phdthesis{mercier-phd2009,
  author = {Mercier, Antoine},
  title  = {Contributions {\`a} l'analyse automatique des protocoles cryptographiques en pr{\'e}sence de propri{\'e}t{\'e}s alg{\'e}briques : protocoles de groupe, {\'e}quivalence statique},
  type   = {Th{\`e}se de doctorat},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year   = 2009,
  month  = dec,
  url    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/AM-these09.pdf},
  pdf    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/AM-these09.pdf}
}

@phdthesis{bursuc-phd2009,
  author = {Bursuc, Sergiu},
  title  = {Contraintes de d{\'e}ductibilit{\'e} dans une alg{\`e}bre quotient: r{\'e}duction de mod{\`e}les et applications {\`a} la s{\'e}curit{\'e}},
  type   = {Th{\`e}se de doctorat},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year   = 2009,
  month  = dec,
  url    = {http://www.lsv.fr/Publis/PAPERS/PDF/SB-these09.pdf},
  pdf    = {http://www.lsv.fr/Publis/PAPERS/PDF/SB-these09.pdf}
}

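@article{JGL-mscs09,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {{D}e~{G}root Duality and Models of Choice: Angels, Demons, and Nature},
  journal   = {Mathematical Structures in Computer Science},
  publisher = {Cambridge University Press},
  volume    = {20},
  number    = 2,
  pages     = {169--237},
  year      = 2010,
  month     = apr,
  doi       = {10.1017/S0960129509990363},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-mscs09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-mscs09.pdf},
  abstract  = {We introduce convex-concave duality for various models of non-deterministic choice, probabilistic choice, and the two of them together. This complements the well-known duality of stably compact spaces in a pleasing way: convex-concave duality swaps angelic and demonic choice, and leaves probabilistic choice invariant.}
}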

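@inproceedings{JGL-asian09,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {{\textquotedbl}{L}ogic Wins!{\textquotedbl}},
  editor    = {Datta, Anupam},
  booktitle = {{P}roceedings of the 13th {A}sian {C}omputing {S}cience {C}onference ({ASIAN}'09)},
  acronym   = {{ASIAN}'09},
  series    = {Lecture Notes in Computer Science},
  volume    = 5913,
  publisher = {Springer},
  address   = {Seoul, Korea},
  pages     = {1--16},
  year      = 2009,
  month     = dec,
  doi       = {10.1007/978-3-642-10622-4_1},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-asian09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-asian09.pdf},
  abstract  = {Clever algorithm design is sometimes superseded by simple encodings into logic. We apply this motto to a few case studies in the formal verification of security properties. In particular, we examine confidentiality objectives in hardware circuit descriptions written in VHDL.}
}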

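@inproceedings{SRKK-wissec09,
  author    = {Smyth, Ben and Ryan, Mark D. and Kremer, Steve and Kourjieh, Mounira},
  title     = {Election verifiability in electronic voting protocols (Preliminary version)},
  editor    = {Pereira, Olivier and Quisquater, Jean-Jacques and Standaert, Fran{\c{c}}ois-Xavier},
  booktitle = {{P}roceedings of the 4th {B}enelux {W}orkshop on {I}nformation and {S}ystem {S}ecurity ({WISSEC}'09)},
  acronym   = {{WISSEC}'09},
  address   = {Louvain-la-Neuve, Belgium},
  nopages   = {},
  year      = 2009,
  month     = nov,
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SRKK-wissec09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SRKK-wissec09.pdf},
  abstract  = {We~present a symbolic definition of election verifiability for electronic voting protocols. Our definition is given in terms of reachability assertions in the applied pi calculus and is amenable to automated reasoning using the tool ProVerif. The~definition distinguishes three aspects of verifiability, which we call individual, universal, and eligibility verifiability. It also allows us to determine precisely what aspects of the system are required to be trusted. We demonstrate our formalism by analysing the protocols due to Fujioka, Okamoto \&~Ohta and Juels, Catalano \&~Jakobsson; the~latter of which has been implemented by Clarkson, Chong \&~Myers. }
}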

@inproceedings{CCD-secco09,
  author    = {Cheval, Vincent and Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie},
  title     = {A~decision procedure for proving observational equivalence},
  editor    = {Boreale, Michele and Kremer, Steve},
  booktitle = {{P}reliminary {P}roceedings of the 7th {I}nternational {W}orkshop on {S}ecurity {I}ssues in {C}oordination {M}odels, {L}anguages and {S}ystems ({SecCo}'09)},
  acronym   = {{SecCo}'09},
  address   = {Bologna, Italy},
  year      = 2009,
  month     = oct,
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCD-secco09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCD-secco09.pdf},
  nmnote    = {did not appear in postproceedings EPTCS7}
}

@proceedings{BK-secco2009,
  editor    = {Boreale, Michele and Kremer, Steve},
  title     = {{P}roceedings of the 7th {I}nternational {W}orkshop on {S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'09)},
  booktitle = {{P}roceedings of the 7th {I}nternational {W}orkshop on {S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'09)},
  acronym   = {{S}ec{C}o'09},
  series    = {Electronic Proceedings in Theoretical Computer Science},
  volume    = 7,
  address   = {Bologna, Italy},
  year      = 2009,
  month     = aug,
  doi       = {10.4204/EPTCS.7},
  url       = {http://eptcs.web.cse.unsw.edu.au/content.cgi?SECCO2009}
}

@mastersthesis{cheval-master,
  author = {Cheval, Vincent},
  title  = {Algorithme de d{\'e}cision de l'{\'e}quivalence symbolique de syst{\`e}mes de contraintes},
  type   = {Rapport de {M}aster},
  school = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France},
  year   = {2009},
  month  = sep,
  url    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-cheval.pdf},
  pdf    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-cheval.pdf}
}

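@inproceedings{DKP-fsttcs09,
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Pereira, Olivier},
  title     = {Simulation based security in the applied pi calculus},
  editor    = {Kannan, Ravi and Narayan Kumar, K.},
  booktitle = {{P}roceedings of the 29th {C}onference on {F}oundations of {S}oftware {T}echnology and {T}heoretical {C}omputer {S}cience ({FSTTCS}'09)},
  acronym   = {{FSTTCS}'09},
  series    = {Leibniz International Proceedings in Informatics},
  volume    = 4,
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  address   = {Kanpur, India},
  pages     = {169--180},
  year      = 2009,
  month     = dec,
  doi       = {10.4230/LIPIcs.FSTTCS.2009.2316},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-fsttcs09.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-fsttcs09.pdf},
  abstract  = {We present a symbolic framework for refinement and composition of security protocols. The framework uses the notion of ideal functionalities. These are abstract systems which are secure by construction and which can be combined into larger systems. They can be separately refined in order to obtain concrete protocols implementing them. Our work builds on ideas from computational models such as the universally composable security and reactive simulatability frameworks. The underlying language we use is the applied pi calculus which is a general language for specifying security protocols. In our framework we can express the different standard flavours of simulation-based security which happen to all coincide. We illustrate our framework on an authentication functionality which can be realized using the Needham-Schroeder-Lowe protocol. For this we need to define an ideal functionality for asymmetric encryption and its realization. We also show a joint state result for this functionality which allows composition (even though the same key material is reused) using a tagging mechanism.}
}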

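@inproceedings{FLS-nordsec09,
  author    = {Focardi, Riccardo and Luccio, Flaminia L. and Steel, Graham},
  title     = {Blunting Differential Attacks on {PIN} Processing {API}s},
  editor    = {J{\o}sang, Audun and Maseng, Torleiv and Knapskog, Svein Johan},
  booktitle = {{P}roceedings of the 14th {N}ordic {W}orkshop on {S}ecure {IT} {S}ystems ({NordSec}'09)},
  acronym   = {{NordSec}'09},
  series    = {Lecture Notes in Computer Science},
  volume    = 5838,
  publisher = {Springer},
  address   = {Oslo, Norway},
  pages     = {88--103},
  year      = 2009,
  month     = oct,
  doi       = {10.1007/978-3-642-04766-4_7},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FLS-nordsec09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FLS-nordsec09.pdf},
  abstract  = {We~propose a countermeasure for a class of known attacks on the PIN processing API used in the ATM (cash machine) network. This API controls access to the tamper-resistant Hardware Security Modules where PIN encryption, decryption and verification takes place. The~attacks are differential attacks, whereby an attacker gains information about the plaintext values of encrypted customer PINs by making changes to the non-confidential inputs to a command. Our~proposed fix adds an integrity check to the parameters passed to the command. It~is novel in that it involves very little change to the existing ATM network infrastructure.}
}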

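@inproceedings{KMT-asian09,
  author    = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
  title     = {Reducing Equational Theories for the Decision of Static Equivalence},
  editor    = {Datta, Anupam},
  booktitle = {{P}roceedings of the 13th {A}sian {C}omputing {S}cience {C}onference ({ASIAN}'09)},
  acronym   = {{ASIAN}'09},
  series    = {Lecture Notes in Computer Science},
  volume    = 5913,
  publisher = {Springer},
  address   = {Seoul, Korea},
  pages     = {94--108},
  year      = 2009,
  month     = dec,
  doi       = {10.1007/978-3-642-10622-4_8},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-asian09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-asian09.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/KMT-asian09.ps},
  abstract  = {Static equivalence is a well established notion of indistinguishability of sequences of terms which is useful in the symbolic analysis of cryptographic protocols. Static equivalence modulo equational theories allows a more accurate representation of cryptographic primitives by modelling properties of operators by equational axioms. We develop a method that allows in some cases to simplify the task of deciding static equivalence in a multi-sorted setting, by removing a symbol from the term signature and reducing the problem to several simpler equational theories. We illustrate our technique at hand of bilinear pairings.}
}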

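@article{DKS-jcs09,
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Steel, Graham},
  title     = {Formal Analysis of {PKCS\#11} and Proprietary Extensions},
  journal   = {Journal of Computer Security},
  publisher = {{IOS} Press},
  volume    = 18,
  number    = 6,
  pages     = {1211--1245},
  year      = 2010,
  month     = nov,
  doi       = {10.3233/JCS-2009-0394},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-jcs09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-jcs09.pdf},
  abstract  = {PKCS\#11 defines an API for cryptographic devices that has been widely adopted in industry. However, it has been shown to be vulnerable to a variety of attacks that could, for example, compromise the sensitive keys stored on the device. In this paper, we set out a formal model of the operation of the API, which differs from previous security API models notably in that it accounts for non-monotonic mutable global state. We give decidability results for our formalism, and describe an implementation of the resulting decision procedure using the model checker NuSMV. We report some new attacks and prove the safety of some configurations of the API in our model. We also analyse proprietary extensions proposed by nCipher (Thales) and Eracom (Safenet), designed to address the shortcomings of PKCS\#11.}
}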

@techreport{LSV:09:15,
  author      = {H{\'e}am, Pierre-Cyrille and Nicaud, Cyril},
  title       = {Seed: an Easy-to-Use Random Generator of Recursive Data Structures for Testing},
  type        = {Research Report},
  number      = {LSV-09-15},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year        = {2009},
  month       = jul,
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-15.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-15.pdf},
  note        = {16~pages},
  abstract    = {Random testing represents a simple and tractable way for software assessment. This paper presents the Seed tool dedicated to the uniform random generation of recursive data structures as labelled trees or logical formulas. We show how Seed can be used in several testing contexts, from model based testing to performance testing. Generated data structures are defined by grammar-like rules, given in an XML format, multiplying Seed possible applications. Seed is based on combinatorial techniques, and can generate uniformly at random \(k\)~structures of size~\(n\) with a time complexity in \(O(n^{2}+ kn\cdot \log(n))\). Finally, Seed is available as a free java application and a great effort has been made to make it easy-to-use.}
}

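@inproceedings{BCLD-asian09,
  author    = {Bursuc, Sergiu and Delaune, St{\'e}phanie and Comon{-}Lundh, Hubert},
  title     = {Deducibility constraints},
  editor    = {Datta, Anupam},
  booktitle = {{P}roceedings of the 13th {A}sian {C}omputing {S}cience {C}onference ({ASIAN}'09)},
  acronym   = {{ASIAN}'09},
  series    = {Lecture Notes in Computer Science},
  volume    = 5913,
  publisher = {Springer},
  address   = {Seoul, Korea},
  pages     = {24--38},
  year      = 2009,
  month     = dec,
  doi       = {10.1007/978-3-642-10622-4_3},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-asian09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-asian09.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-asian09.ps},
  abstract  = {In their work on tractable deduction systems, D.~McAllester and later D.~Basin and H.~Ganzinger have identified a property of inference systems (the~locality property) that ensures the tractability of the \textit{Entscheidungsproblem}.\par On~the other hand, deducibility constraints are sequences of deduction problems in which some parts (formulas) are unknown. The~problem is to decide their satisfiability and to represent the set of all possible solutions. Such constraints have also been used for deciding some security properties of cryptographic protocols.\par In this paper we show that local inference systems (actually a slight modification of such systems) yield not only a tractable deduction problem, but also decidable deducibility constraints. Our algorithm not only allows to decide the existence of a solution, but also gives a representation of all solutions.}
}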

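@incollection{ACL-fps09,
  author    = {Affeldt, Reynald and Comon{-}Lundh, Hubert},
  title     = {Verification of Security Protocols with a Bounded Number of Sessions Based on Resolution for Rigid Variables},
  editor    = {Cortier, V{\'e}ronique and Kirchner, Claude and Okada, Mitsuhiro and Sakurada, Hideki},
  booktitle = {{F}ormal to {P}ractical {S}ecurity},
  noacronym = {},
  series    = {Lecture Notes in Computer Science},
  volume    = 5458,
  publisher = {Springer},
  noaddress = {},
  pages     = {1--20},
  year      = 2009,
  month     = may,
  doi       = {10.1007/978-3-642-02002-5_1},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACL-fps09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACL-fps09.pdf},
  abstract  = {First-order logic resolution is a standard way to automate the verification of security protocols. However, it sometimes fails to produce security proofs for secure protocols because of the detection of false attacks. For the verification of a bounded number of sessions, false attacks can be avoided by introducing rigid variables. Unfortunately, this yields complicated resolution procedures. We show here that there is a simple translation of the security problem for a bounded number of sessions into first-order logic, that does not introduce false attacks. This is shown by translating clauses involving rigid variables into classical first-order clauses, while preserving satisfiability. We illustrate this approach by giving a complete and terminating strategy for a first-order logic fragment resulting from the above translation, that yields a decision procedure for a bounded number of sessions.}
}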

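@inproceedings{ABC-cav09,
  author    = {Abadi, Mart{\'\i}n and Blanchet, Bruno and Comon{-}Lundh, Hubert},
  title     = {Models and Proofs of Protocol Security: A~Progress Report},
  editor    = {Bouajjani, Ahmad and Maler, Oded},
  booktitle = {{P}roceedings of the 21st {I}nternational {C}onference on {C}omputer {A}ided {V}erification ({CAV}'09)},
  acronym   = {{CAV}'09},
  series    = {Lecture Notes in Computer Science},
  volume    = 5643,
  publisher = {Springer},
  address   = {Grenoble, France},
  pages     = {35--49},
  year      = 2009,
  month     = jun # "--" # jul,
  doi       = {10.1007/978-3-642-02658-4_5},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABC-cav09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABC-cav09.pdf},
  abstract  = {This paper discusses progress in the verification of security protocols. Focusing on a small, classic example, it stresses the use of program-like representations of protocols, and their automatic analysis in symbolic and computational models.}
}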

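@inproceedings{CFLS-esorics09,
  author    = {Centenaro, Matteo and Focardi, Riccardo and Luccio, Flaminia L. and Steel, Graham},
  title     = {Type-based Analysis of {PIN} Processing {API}s},
  editor    = {Backes, Michael and Ning, Peng},
  booktitle = {{P}roceedings of the 14th {E}uropean {S}ymposium on {R}esearch in {C}omputer {S}ecurity ({ESORICS}'09)},
  acronym   = {{ESORICS}'09},
  series    = {Lecture Notes in Computer Science},
  volume    = 5789,
  publisher = {Springer},
  address   = {Saint~Malo, France},
  pages     = {53--68},
  year      = 2009,
  month     = sep,
  doi       = {10.1007/978-3-642-04444-1_4},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CFLS-esorics09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CFLS-esorics09.pdf},
  abstract  = {We examine some known attacks on the PIN verification framework, based on weaknesses of the security API for the tamper-resistant Hardware Security Modules used in the network. We specify this API in an imperative language with cryptographic primitives, and show how its flaws are captured by a notion of robustness that extends the one of Myers, Sabelfeld and Zdancewic to our cryptographic setting. We~propose an improved API, give an extended type system for assuring integrity and for preserving confidentiality via randomized and non-randomized encryptions, and show our new API to be type-checkable.}
}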

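@inproceedings{CS-esorics09,
  author    = {Cortier, V{\'e}ronique and Steel, Graham},
  title     = {A~generic security {API} for symmetric key management on cryptographic devices},
  editor    = {Backes, Michael and Ning, Peng},
  booktitle = {{P}roceedings of the 14th {E}uropean {S}ymposium on {R}esearch in {C}omputer {S}ecurity ({ESORICS}'09)},
  acronym   = {{ESORICS}'09},
  series    = {Lecture Notes in Computer Science},
  volume    = 5789,
  publisher = {Springer},
  address   = {Saint~Malo, France},
  pages     = {605--620},
  year      = 2009,
  month     = sep,
  doi       = {10.1007/978-3-642-04444-1_37},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CS-esorics09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CS-esorics09.pdf},
  abstract  = {Security APIs are used to define the boundary between trusted and untrusted code. The security properties of existing APIs are not always clear. In~this paper, we~give a new generic API for managing symmetric keys on a trusted cryptographic device. We state and prove security properties for our API. In~particular, our API offers a high level of security even when the host machine is controlled by an attacker. Our API is generic in the sense that it can implement a wide variety of (symmetric~key) protocols. As a proof of concept, we give an algorithm for automatically instantiating the API commands for a given key management protocol. We demonstrate the algorithm on a set of key establishment protocols from the Clark-Jacob suite.}
}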

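@inproceedings{KAS-arspawits09,
  author    = {Keighren, Gavin and Aspinall, David and Steel, Graham},
  title     = {Towards a Type System for Security {API}s},
  editor    = {Degano, Pierpaolo and Vigan{\`o}, Luca},
  booktitle = {{R}evised {S}elected {P}apers of the {J}oint {W}orkshop on {A}utomated {R}easoning for {S}ecurity {P}rotocol {A}nalysis and {I}ssues in the {T}heory of {S}ecurity ({ARSPA-WITS}'09)},
  acronym   = {{ARSPA-WITS}'09},
  series    = {Lecture Notes in Computer Science},
  volume    = 5511,
  publisher = {Springer},
  address   = {York, UK},
  pages     = {173--192},
  year      = 2009,
  month     = aug,
  doi       = {10.1007/978-3-642-03459-6_12},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KAS-arspawits09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KAS-arspawits09.pdf},
  abstract  = {Security API analysis typically only considers a subset of an API's functions, with results bounded by the number of function calls. Furthermore, attacks involving partial leakage of sensitive information are usually not covered. Type-based static analysis has the potential to alleviate these shortcomings. To that end, we present a type system for secure information flow based upon the one of Volpano, Smith and Irvine, extended with types for cryptographic keys and ciphertext similar to those in Sumii and Pierce. In~contrast to some other type systems, the encryption and decryption of keys does not require special treatment. We show that a well-typed sequence of commands is non-interferent, based upon a definition of indistinguishability where, in certain circumstances, the adversary can distinguish between ciphertexts that correspond to encrypted public data.}
}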

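@inproceedings{FS-arspawits09,
  author    = {Fr{\"o}schle, Sibylle and Steel, Graham},
  title     = {Analysing {PKCS}\#11 Key Management {API}s with Unbounded Fresh Data},
  editor    = {Degano, Pierpaolo and Vigan{\`o}, Luca},
  booktitle = {{R}evised {S}elected {P}apers of the {J}oint {W}orkshop on {A}utomated {R}easoning for {S}ecurity {P}rotocol {A}nalysis and {I}ssues in the {T}heory of {S}ecurity ({ARSPA-WITS}'09)},
  acronym   = {{ARSPA-WITS}'09},
  series    = {Lecture Notes in Computer Science},
  volume    = 5511,
  publisher = {Springer},
  address   = {York, UK},
  pages     = {92--106},
  year      = 2009,
  month     = aug,
  doi       = {10.1007/978-3-642-03459-6_7},
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FS-arspawits09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FS-arspawits09.pdf},
  abstract  = {We extend Delaune, Kremer and Steel's framework for analysis of PKCS\#11-based APIs from bounded to unbounded fresh data. We achieve this by: formally defining the notion of an \emph{attribute policy}; showing that a well-designed API should have a certain class of policy we call \emph{complete}; showing that APIs with complete policies may be safely abstracted to APIs where the attributes are fixed; and proving that these \emph{static} APIs can be analysed in a small bounded model such that security properties will hold for the unbounded case. We automate analysis in our framework using the SAT-based security protocol model checker SATMC. We show that a symmetric key management subset of the Eracom PKCS\#11 API, used in their ProtectServer product, preserves the secrecy of sensitive keys for unbounded numbers of fresh keys and \emph{handles}, i.e.~pointers to keys. We also show that this API is not robust: if~an encryption key is lost to the intruder, SATMC finds an attack whereby all the keys may be compromised.}
}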

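% Workshop paper; CDK-cade09 in this file carries the same title and authors.
@inproceedings{CDK-secret09,
  author    = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune, St{\'e}phanie and Kremer, Steve},
  title     = {Computing knowledge in security protocols under convergent equational theories},
  editor    = {Comon{-}Lundh, Hubert and Meadows, Catherine},
  booktitle = {{P}reliminary {P}roceedings of the 4th {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques ({SecReT}'09)},
  acronym   = {{SecReT}'09},
  address   = {Port Jefferson, New~York, USA},
  pages     = {47--58},
  year      = 2009,
  month     = jul,
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDK-secret09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDK-secret09.pdf},
  abstract  = {We propose a procedure for the intruder deduction problem and for the static equivalence problem, in the case where cryptographic primitives are modeled by a convergent equational theory. Our~procedure terminates on a wide range of equational theories. In~particular, we~obtain a new decidability result for a theory of trapdoor commitment that we encountered in the study of e-voting protocols. We~also provide a prototype implementation.}
}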

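@inproceedings{ACD-secret09,
  author    = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title     = {Modeling and Verifying Ad Hoc Routing Protocol},
  editor    = {Comon{-}Lundh, Hubert and Meadows, Catherine},
  booktitle = {{P}reliminary {P}roceedings of the 4th {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques ({SecReT}'09)},
  acronym   = {{SecReT}'09},
  address   = {Port Jefferson, New~York, USA},
  pages     = {33--46},
  year      = 2009,
  month     = jul,
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-secret09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-secret09.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/ACD-secret09.ps},
  abstract  = {Mobile ad hoc networks consist of mobile wireless devices which autonomously organize their infrastructure. In~such a network, a~central issue, ensured by routing protocols, is to find a route from one device to another. Those protocols use cryptographic mechanisms in order to prevent a malicious node from compromising the discovered route.\par We present a calculus for modeling and reasoning about security protocols, including in particular secured routing protocols. Our calculus extends standard symbolic models to take into account the characteristics of routing protocols and to model wireless communication in a more accurate way. Then, by using constraint solving techniques, we propose a decision procedure for analyzing routing protocols for a bounded number of sessions and for a fixed network topology. We~demonstrate the usage and usefulness of our approach by analyzing the protocol SRP applied to~DSR.}
}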

% Preliminary workshop version; KMT-asian09 in this file has the same title and abstract.
@inproceedings{KMT-secret09,
  author    = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
  title     = {Reducing Equational Theories for the Decision of Static Equivalence (Preliminary Version)},
  editor    = {Comon{-}Lundh, Hubert and Meadows, Catherine},
  booktitle = {{P}reliminary {P}roceedings of the 4th {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques ({SecReT}'09)},
  acronym   = {{SecReT}'09},
  address   = {Port Jefferson, New~York, USA},
  year      = 2009,
  month     = jul,
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-secret09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-secret09.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/KMT-secret09.ps},
  abstract  = {Static equivalence is a well established notion of indistinguishability of sequences of terms which is useful in the symbolic analysis of cryptographic protocols. Static equivalence modulo equational theories allows a more accurate representation of cryptographic primitives by modelling properties of operators by equational axioms. We develop a method that allows in some cases to simplify the task of deciding static equivalence in a multi-sorted setting, by removing a symbol from the term signature and reducing the problem to several simpler equational theories. We illustrate our technique at hand of bilinear pairings.}
}

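@techreport{LSV:09:09,
  author      = {Goubault{-}Larrecq, Jean},
  title       = {On a Generalization of a Result by {V}alk and {J}antzen},
  type        = {Research Report},
  number      = {LSV-09-09},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year        = {2009},
  month       = may,
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-09.pdf},
  note        = {18~pages},
  abstract    = {We~show that, under mild assumptions on the effective, well quasi-ordered set~\(X\), one~can compute a finite basis of an upward-closed subset~\(U\) of~\(X\) if and only if one can decide whether \(U \cap \downarrow z\) is empty for every \(z \in \widehat{X}\). Here \(\widehat{X}\) is the completion of \(X\) as defined in Finkel and Goubault-Larrecq, {\em Forward Analysis for WSTS, Part~{I:} Completions}, STACS'09, pages 433-444, 2009. This generalizes a useful result proved by Valk and Jantzen in~1985, which is the case \(X = \mathbb{N}^k\).}
}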

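@inproceedings{CDK-cade09,
  author      = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune, St{\'e}phanie and Kremer, Steve},
  title       = {Computing knowledge in security protocols under convergent equational theories},
  booktitle   = {{P}roceedings of the 22nd {I}nternational {C}onference on {A}utomated {D}eduction ({CADE}'09)},
  acronym     = {{CADE}'09},
  editor      = {Schmidt, Renate},
  series      = {Lecture Notes in Computer Science},
  volume      = {5663},
  pages       = {355--370},
  publisher   = {Springer},
  address     = {Montreal, Canada},
  year        = 2009,
  month       = aug,
  doi         = {10.1007/978-3-642-02959-2_27},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDK-cade09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDK-cade09.pdf},
  abstract    = {In the symbolic analysis of security protocols, two classical notions of knowledge, deducibility and indistinguishability, yield corresponding decision problems. We~propose a procedure for both problems under arbitrary convergent equational theories. Our~procedure terminates on a wide range of equational theories. In~particular, we~obtain a new decidability result for a theory we encountered when studying electronic voting protocols. We~also provide a prototype implementation.},
}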

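@article{goubault-jcs09,
  author      = {Goubault{-}Larrecq, Jean},
  title       = {Finite Models for Formal Security Proofs},
  journal     = {Journal of Computer Security},
  volume      = 18,
  number      = 6,
  pages       = {1247--1299},
  publisher   = {{IOS} Press},
  year        = 2010,
  month       = nov,
  doi         = {10.3233/JCS-2009-0395},
  url         = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-jcs09.pdf},
  pdf         = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-jcs09.pdf},
  abstract    = {First-order logic models of security for cryptographic protocols, based on variants of the Dolev-Yao model, are now well-established tools. Given that we have checked a given security protocol using a given first-order prover, how hard is it to extract a formally checkable proof of it, as required in, \textit{e.g.}, common criteria at the highest evaluation level~(EAL7)? We~demonstrate that this is surprisingly hard in the general case: the problem is non-recursive. Nonetheless, we show that we can instead extract finite models~\(\mathcal{M}\) from a set~\(S\) of clauses representing~\(\pi\), automatically, and give two ways of doing~so. We~then define a model-checker testing \(\mathcal{M} \models S\), and show how we can instrument it to output a formally checkable proof, \textit{e.g.}, in~Coq. Experience on a number of protocols shows that this is practical, and that even complex (secure) protocols modulo equational theories have small finite models, making our approach suitable.},
}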

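@inproceedings{FGL-icalp09,
  author      = {Finkel, Alain and Goubault{-}Larrecq, Jean},
  title       = {Forward Analysis for {WSTS}, Part~{II}: Complete {WSTS}},
  booktitle   = {{P}roceedings of the 36th {I}nternational {C}olloquium on {A}utomata, {L}anguages and {P}rogramming ({ICALP}'09)},
  acronym     = {{ICALP}'09},
  editor      = {Albers, Susanne and Marchetti-Spaccamela, Alberto and Matias, Yossi and Thomas, Wolfgang},
  series      = {Lecture Notes in Computer Science},
  volume      = 5556,
  pages       = {188--199},
  publisher   = {Springer},
  address     = {Rhodes, Greece},
  year        = 2009,
  month       = jul,
  doi         = {10.1007/978-3-642-02930-1_16},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-icalp09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-icalp09.pdf},
  abstract    = {We~describe a simple, conceptual forward analysis procedure for \(\infty\)-complete WSTS~\(\mathcal{S}\). This computes the \emph{clover} of a state~\(s_0\), \textit{i.e.}, a~finite description of the closure of the cover of~\(s_0\). When \(S\) is the completion of a WSTS~\(\mathcal{X}\), the clover in~\(\mathcal{S}\) is a finite description of the cover in~\(\mathcal{X}\). We~show that this applies exactly when \(\mathcal{X}\) is an \(\omega^2\)-WSTS, a~new robust class of WSTS. We~show that our procedure terminates in more cases than the generalized Karp-Miller procedure on extensions of Petri nets. We characterize the WSTS where our procedure terminates as those that are \emph{clover-flattable}. Finally, we~apply this to well-structured counter systems.},
}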

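@inproceedings{CD-csf09,
  author      = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title       = {A~method for proving observational equivalence},
  booktitle   = {{P}roceedings of the 22nd {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'09)},
  acronym     = {{CSF}'09},
  pages       = {266--276},
  publisher   = {{IEEE} Computer Society Press},
  address     = {Port Jefferson, New York, USA},
  year        = 2009,
  month       = jul,
  doi         = {10.1109/CSF.2009.9},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-csf09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-csf09.pdf},
  abstract    = {Formal methods have proved their usefulness for analyzing the security of protocols. Most existing results focus on trace properties like secrecy or authentication. There are however several security properties, which cannot be defined (or cannot be naturally defined) as trace properties and require the notion of \emph{observational equivalence}. Typical examples are anonymity, privacy related properties or statements closer to security properties used in cryptography.\par In this paper, we consider the applied pi calculus and we show that for \emph{determinate} processes, observational equivalence actually coincides with trace equivalence, a notion simpler to reason with. We~exhibit a large class of determinate processes, called \emph{simple processes}, that capture most existing protocols and cryptographic primitives. Then, for simple processes without replication, we~reduce the decidability of trace equivalence to deciding an equivalence relation introduced by M.~Baudet. Altogether, this yields the first decidability result of observational equivalence for a general class of equational theories.},
}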

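@inproceedings{CDK-forte09,
  author      = {Chadha, Rohit and Delaune, St{\'e}phanie and Kremer, Steve},
  title       = {Epistemic Logic for the Applied Pi Calculus},
  booktitle   = {{P}roceedings of {IFIP} {I}nternational {C}onference on {F}ormal {T}echniques for {D}istributed {S}ystems ({FMOODS/FORTE}'09)},
  acronym     = {{FMOODS/FORTE}'09},
  editor      = {Lee, David and Lopes, Ant{\'o}nia and Poetzsch-Heffter, Arnd},
  series      = {Lecture Notes in Computer Science},
  volume      = {5522},
  pages       = {182--197},
  publisher   = {Springer},
  address     = {Lisbon, Portugal},
  year        = 2009,
  month       = jun,
  doi         = {10.1007/978-3-642-02138-1_12},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/cdk-forte09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/cdk-forte09.pdf},
  ps          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/cdk-forte09.ps},
  abstract    = {We propose an epistemic logic for the applied pi calculus, which is a variant of the pi calculus with extensions for modeling cryptographic protocols. In such a calculus, the security guarantees are usually stated as equivalences. While process calculi provide a natural means to describe the protocols themselves, epistemic logics are often better suited for expressing certain security properties such as secrecy and anonymity.\par We intend to bridge the gap between these two approaches: using the set of traces generated by a process as models, we define a logic which has constructs for reasoning about both intruder's epistemic knowledge and the set of messages in possession of the intruder. As an example we consider two formalizations of privacy in electronic voting and study the relationship between them.},
}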

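@inproceedings{BCL-rta09,
  author      = {Bursuc, Sergiu and Comon{-}Lundh, Hubert},
  title       = {Protocol security and algebraic properties: decision results for a bounded number of sessions},
  booktitle   = {{P}roceedings of the 20th {I}nternational {C}onference on {R}ewriting {T}echniques and {A}pplications ({RTA}'09)},
  acronym     = {{RTA}'09},
  editor      = {Treinen, Ralf},
  series      = {Lecture Notes in Computer Science},
  volume      = 5595,
  pages       = {133--147},
  publisher   = {Springer},
  address     = {Bras{\'\i}lia, Brazil},
  year        = 2009,
  month       = jun # {-} # jul,
  doi         = {10.1007/978-3-642-02348-4_10},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCL-rta09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCL-rta09.pdf},
  abstract    = {We consider the problem of deciding the security of cryptographic protocols for a bounded number of sessions, taking into account some algebraic properties of the security primitives, for instance Abelian group properties. We propose a general method for deriving decision algorithms, splitting the task into 4 properties of the rewriting system describing the intruder capabilities: locality, conservativity, finite variant property and decidability of one-step deducibility constraints. We illustrate this method on a non trivial example, combining several Abelian Group properties, exponentiation and a homomorphism, showing a decidability result for this combination.},
}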

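@inproceedings{BCD-rta09,
  author      = {Baudet, Mathieu and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title       = {{YAPA}: A~generic tool for computing intruder knowledge},
  booktitle   = {{P}roceedings of the 20th {I}nternational {C}onference on {R}ewriting {T}echniques and {A}pplications ({RTA}'09)},
  acronym     = {{RTA}'09},
  editor      = {Treinen, Ralf},
  series      = {Lecture Notes in Computer Science},
  volume      = 5595,
  pages       = {148--163},
  publisher   = {Springer},
  address     = {Bras{\'\i}lia, Brazil},
  year        = 2009,
  month       = jun # {-} # jul,
  doi         = {10.1007/978-3-642-02348-4_11},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-rta09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-rta09.pdf},
  abstract    = {Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so~far.\par We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers all the existing decision procedures for convergent theories. We also provide an efficient implementation, and compare it briefly with the more general tool ProVerif.},
}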

@techreport{LSV:09:02,
  author      = {Bursuc, Sergiu and Comon{-}Lundh, Hubert},
  title       = {Protocols, insecurity decision and combination of equational theories},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  type        = {Research Report},
  number      = {LSV-09-02},
  year        = {2009},
  month       = feb,
  note        = {43~pages},
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-02.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-02.pdf},
  abstract    = {We consider the problem of finding attacks for a bounded number of sessions of security protocols. We~contribute to this field, showing how to decompose the problem into pieces for a class of equational theories, which includes the hierarchical combinations, as well as non-hierarchical ones. We apply this result to an electronic purse case study: we~show the decidability in co-NP of the insecurity problem for a complex equational theory mixing three Abelian groups, exponentiation and homomorphism properties.\par The main technical contributions rely on equational logic, term rewriting and combination of theories.},
}

@article{CCZ-tocl08,
  author      = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique and Z{\u{a}}linescu, Eugen},
  title       = {Deciding security properties for cryptographic protocols. Application to key cycles},
  journal     = {ACM Transactions on Computational Logic},
  volume      = 11,
  number      = 2,
  nopages     = {},
  publisher   = {ACM Press},
  year        = 2010,
  month       = jan,
  doi         = {10.1145/1656242.1656244},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCZ-tocl09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCZ-tocl09.pdf},
  abstract    = {There is a large amount of work dedicated to the formal verification of security protocols. In~this paper, we~revisit and extend the NP-complete decision procedure for a bounded number of sessions. We use a, now standard, deducibility constraint formalism for modeling security protocols. Our~first contribution is to give a simple set of constraint simplification rules, that allows to reduce any deducibility constraint to a set of solved forms, representing all solutions (within the bound on sessions).\par As a consequence, we prove that deciding the existence of key cycles is NP-complete for a bounded number of sessions. The problem of key-cycles has been put forward by recent works relating computational and symbolic models. The so-called soundness of the symbolic model requires indeed that no key cycle (\textit{e.g.},~enc\((k, k)\)) ever occurs in the execution of the protocol. Otherwise, stronger security assumptions (such as KDM-security) are required.\par We show that our decision procedure can also be applied to prove again the decidability of authentication-like properties and the decidability of a significant fragment of protocols with timestamps.},
}

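@inproceedings{JKV-lata09,
  author      = {Jacquemard, Florent and Klay, Francis and Vacher, Camille},
  title       = {Rigid Tree Automata},
  booktitle   = {{P}roceedings of the 3rd {I}nternational {C}onference on {L}anguage and {A}utomata {T}heory and {A}pplications ({LATA}'09)},
  acronym     = {{LATA}'09},
  editor      = {Dediu, Adrian Horia and Mihai Ionescu, Armand and Mart{\'\i}n-Vide, Carlos},
  series      = {Lecture Notes in Computer Science},
  volume      = 5457,
  pages       = {446--457},
  publisher   = {Springer},
  address     = {Tarragona, Spain},
  year        = 2009,
  month       = apr,
  doi         = {10.1007/978-3-642-00982-2_38},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-lata09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-lata09.pdf},
  abstract    = {We introduce the class of Rigid Tree Automata (RTA), an extension of standard bottom-up automata on ranked trees with distinguished states called rigid. Rigid states define a restriction on the computation of RTA on trees: RTA can test for equality in subtrees reaching the same rigid state. RTA are able to perform local and global tests of equality between subtrees, non-linear tree pattern matching, and restricted disequality tests as well. Properties like determinism, pumping lemma, boolean closure, and several decision problems are studied in detail. In particular, the emptiness problem is shown decidable in linear time for RTA whereas membership of a given tree to the language of a given RTA is NP-complete. Our main result is the decidability of whether a given tree belongs to the rewrite closure of a RTA language under a restricted family of term rewriting systems, whereas this closure is not a RTA language. This result, one of the first on rewrite closure of languages of tree automata with constraints, is enabling the extension of model checking procedures based on finite tree automata techniques. Finally, a comparison of RTA with several classes of tree automata with local and global equality tests, and with dag automata is also provided.},
}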

@proceedings{KP-secco2008,
  editor      = {Kremer, Steve and Panangaden, Prakash},
  title       = {{P}roceedings of the 6th {I}nternational {W}orkshop on {S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'08)},
  booktitle   = {{P}roceedings of the 6th {I}nternational {W}orkshop on {S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'08)},
  series      = {Electronic Notes in Theoretical Computer Science},
  volume      = 242,
  number      = 3,
  publisher   = {Elsevier Science Publishers},
  address     = {Toronto, Canada},
  year        = 2009,
  month       = aug,
  doi         = {10.1016/j.entcs.2009.07.077},
  url         = {http://www.sciencedirect.com/science/journal/15710661/242/3},
}

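@article{BCK-IC09,
  author      = {Baudet, Mathieu and Cortier, V{\'e}ronique and Kremer, Steve},
  title       = {Computationally Sound Implementations of Equational Theories against Passive Adversaries},
  journal     = {Information and Computation},
  volume      = 207,
  number      = 4,
  pages       = {496--520},
  publisher   = {Elsevier Science Publishers},
  year        = {2009},
  month       = apr,
  doi         = {10.1016/j.ic.2008.12.005},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCK-ic09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCK-ic09.pdf},
  abstract    = {In~this paper we study the link between formal and cryptographic models for security protocols in the presence of passive adversaries. In~contrast to other works, we~do not consider a fixed set of primitives but aim at results for arbitrary equational theories. We~define a framework for comparing a cryptographic implementation and its idealization with respect to various security notions. In~particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We~present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, to~illustrate our framework, we~establish the soundness of static equivalence for the exclusive OR and a theory of ciphers and lists.},
}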

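@article{KM-jcs09,
  author      = {Kremer, Steve and Mazar{\'e}, Laurent},
  title       = {Computationally Sound Analysis of Protocols using Bilinear Pairings},
  journal     = {Journal of Computer Security},
  volume      = 18,
  number      = 6,
  pages       = {999--1033},
  publisher   = {{IOS} Press},
  year        = 2010,
  month       = nov,
  doi         = {10.3233/JCS-2009-0388},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-jcs09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-jcs09.pdf},
  abstract    = {In this paper, we introduce a symbolic model to analyse protocols that use a bilinear pairing between two cyclic groups. This model consists in an extension of the Abadi-Rogaway logic and we prove that the logic is still computationally sound: symbolic indistinguishability implies computational indistinguishability provided that the Bilinear Decisional Diffie-Hellman assumption holds and that the encryption scheme is \textsf{IND-CPA} secure. We~illustrate our results on classical protocols using bilinear pairing like Joux tripartite Diffie-Hellman protocol or the TAK-2 and TAK-3 protocols. We also investigate the security of a newly designed variant of the Burmester-Desmedt protocol using bilinear pairings. More precisely, we show for each of these protocols that the generated key is indistinguishable from a random element.},
}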

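@article{DKR-jcs09,
  author      = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title       = {Symbolic bisimulation for the applied pi~calculus},
  journal     = {Journal of Computer Security},
  volume      = 18,
  number      = 2,
  pages       = {317--377},
  publisher   = {{IOS} Press},
  year        = 2010,
  month       = mar,
  doi         = {10.3233/JCS-2010-0363},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs09.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs09.pdf},
  abstract    = {We propose a symbolic semantics for the finite applied pi~calculus. The~applied pi calculus is a variant of the pi~calculus with extensions for modelling cryptographic protocols. By~treating inputs symbolically, our semantics avoids potentially infinite branching of execution trees due to inputs from the environment. Correctness is maintained by associating with each process a set of constraints on terms. We~define a symbolic labelled bisimulation relation, which is shown to be sound but not complete with respect to standard bisimulation. We explore the lack of completeness and demonstrate that the symbolic bisimulation relation is sufficient for many practical examples. This~work is an important step towards automation of observational equivalence for the finite applied pi calculus, \textit{e.g.}~for verification of anonymity or strong secrecy properties.},
}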

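@inproceedings{FGL-stacs2009,
  author      = {Finkel, Alain and Goubault{-}Larrecq, Jean},
  title       = {Forward Analysis for~{WSTS}, Part~{I}: Completions},
  booktitle   = {{P}roceedings of the 26th {A}nnual {S}ymposium on {T}heoretical {A}spects of {C}omputer {S}cience ({STACS}'09)},
  acronym     = {{STACS}'09},
  editor      = {Albers, Susanne and Marion, Jean-Yves},
  series      = {Leibniz International Proceedings in Informatics},
  volume      = 3,
  pages       = {433--444},
  publisher   = {Leibniz-Zentrum f{\"u}r Informatik},
  address     = {Freiburg, Germany},
  year        = 2009,
  month       = feb,
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-stacs2009.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-stacs2009.pdf},
  abstract    = {Well-structured transition systems provide the right foundation to compute a finite basis of the set of predecessors of the upward closure of a state. The~dual problem, to compute a finite representation of the set of successors of the downward closure of a state, is~harder: Until now, the theoretical framework for manipulating downward-closed sets was missing. We~answer this problem, using insights from domain theory (dcpos and ideal completions), from topology (sobrifications), and shed new light on the notion of adequate domains of limits.},
}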

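@article{JKV-icomp10,
  author      = {Jacquemard, Florent and Klay, Francis and Vacher, Camille},
  title       = {Rigid Tree Automata},
  journal     = {Information and Computation},
  volume      = {209},
  number      = 3,
  pages       = {486--512},
  publisher   = {Elsevier Science Publishers},
  year        = 2011,
  month       = mar,
  doi         = {10.1016/j.ic.2010.11.015},
  url         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-icomp11.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-icomp11.pdf},
  abstract    = {We introduce the class of Rigid Tree Automata (RTA), an extension of standard bottom-up automata on ranked trees with distinguished states called rigid. Rigid states define a restriction on the computation of RTA on trees: RTA can test for equality in subtrees reaching the same rigid state. RTA are able to perform local and global tests of equality between subtrees, non-linear tree pattern matching, and restricted disequality tests as well. Properties like determinism, pumping lemma, boolean closure, and several decision problems are studied in detail. In particular, the emptiness problem is shown decidable in linear time for RTA whereas membership of a given tree to the language of a given RTA is NP-complete. Our main result is the decidability of whether a given tree belongs to the rewrite closure of a RTA language under a restricted family of term rewriting systems, whereas this closure is not a RTA language. This result, one of the first on rewrite closure of languages of tree automata with constraints, is enabling the extension of model checking procedures based on finite tree automata techniques. Finally, a comparison of RTA with several classes of tree automata with local and global equality tests, and with dag automata is also provided.},
}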

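@inproceedings{CSV-vmcai11,
  author      = {Chadha, Rohit and Sistla, A. Prasad and Viswanathan, Mahesh},
  title       = {Probabilistic {B}{\"u}chi automata with non-extremal acceptance thresholds},
  booktitle   = {{P}roceedings of the 12th {I}nternational {C}onference on {V}erification, {M}odel {C}hecking and {A}bstract {I}nterpretation ({VMCAI}'11)},
  acronym     = {{VMCAI}'11},
  editor      = {Jhala, Ranjit and Schmidt, David},
  series      = {Lecture Notes in Computer Science},
  volume      = 6538,
  pages       = {103--117},
  publisher   = {Springer},
  address     = {Austin, Texas, USA},
  year        = 2011,
  month       = jan,
  doi         = {10.1007/978-3-642-18275-4_9},
  url         = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-vmcai11.pdf},
  pdf         = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-vmcai11.pdf},
  abstract    = {This paper investigates the power of Probabilistic B{\"u}chi Automata~(PBA) when the threshold probability of acceptance is non-extremal, i.e., is a value strictly between 0 and 1. Many practical randomized algorithms are designed to work under non-extremal threshold probabilities and thus it is important to study power of PBAs for such cases.\par The paper presents a number of surprising expressiveness and decidability results for PBAs when the threshold probability is non-extremal. Some of these results sharply contrast with the results for extremal threshold probabilities. The paper also presents results for Hierarchical PBAs and for an interesting subclass of them called simple PBAs.},
}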

@inproceedings{steel-escar09,
  author      = {Steel, Graham},
  title       = {Towards a Formal Analysis of the {S}e{V}e{C}o{M}~{API}},
  booktitle   = {{P}roceedings of the 7th {C}onference on {E}mbedded {S}ecurity in {C}ars ({ESCAR}'09)},
  acronym     = {{ESCAR}'09},
  editor      = {Paar, Christof and Wollinger, Thomas},
  nopages     = {},
  address     = {D{\"u}sseldorf, Germany},
  year        = 2009,
  month       = nov,
  url         = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-escar09.pdf},
  pdf         = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-escar09.pdf},
}

@inproceedings{steel-fcc09,
  author      = {Steel, Graham},
  title       = {Computational Soundness for {API}s},
  booktitle   = {{P}roceedings of the 5th {W}orkshop on {F}ormal and {C}omputational {C}ryptography ({FCC}'09)},
  acronym     = {{FCC}'09},
  editor      = {K{\"u}sters, Ralf},
  nopages     = {},
  address     = {Port Jefferson, New York, USA},
  year        = 2009,
  month       = jul,
  url         = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-fcc09.pdf},
  pdf         = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-fcc09.pdf},
}

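@inproceedings{SC-fcc07,
  author      = {Steel, Graham and Courant, Judica{\"e}l},
  title       = {A formal model for detecting parallel key search attacks},
  booktitle   = {{P}roceedings of the 3rd {W}orkshop on {F}ormal and {C}omputational {C}ryptography ({FCC}'07)},
  acronym     = {{FCC}'07},
  editor      = {Backes, Michael and Lakhnech, Yassine},
  nopages     = {},
  address     = {Venice, Italy},
  year        = 2007,
  month       = jul,
  url         = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-fcc07.pdf},
  pdf         = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-fcc07.pdf},
}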

@mastersthesis{scerri-master,
  author      = {Scerri, Guillaume},
  title       = {Mod{\'e}lisation des cl{\'e}s de l'intrus},
  school      = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France},
  type        = {Rapport de {M}aster},
  year        = {2010},
  month       = sep,
  nmnote      = {Hubert prefere ne pas diffuser le rapport, et prepare une version 'conf'},
}

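@comment{NOTE(review), LMT-tcs10: the trailing "?" in the title looks like an extraction artifact of a footnote mark rather than part of the title; confirm against the publisher record for the DOI before removing it.}
@article{LMT-tcs10,
  author      = {Lanotte, Ruggero and Maggiolo{-}Schettini, Andrea and Troina, Angelo},
  title       = {Weak bisimulation for Probabilistic Timed Automata?},
  journal     = {Theoretical Computer Science},
  volume      = 411,
  number      = 50,
  pages       = {4291--4322},
  publisher   = {Elsevier Science Publishers},
  year        = 2010,
  month       = nov,
  doi         = {10.1016/j.tcs.2010.09.003},
  url         = {http://www.lsv.fr/Publis/PAPERS/PDF/LMT-tcs10.pdf},
  pdf         = {http://www.lsv.fr/Publis/PAPERS/PDF/LMT-tcs10.pdf},
  abstract    = {We are interested in describing timed systems that exhibit probabilistic behaviour. To this purpose, we consider a model of Probabilistic Timed Automata and introduce a concept of weak bisimulation for these automata, together with an algorithm to decide it. The weak bisimulation relation is shown to be preserved when either time, or probability is abstracted away. As an application, we use weak bisimulation for Probabilistic Timed Automata to model and analyze a timing attack on the dining cryptographers protocol.},
}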

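@article{CD-jar10,
  author      = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title       = {Decidability and combination results for two notions of knowledge in security protocols},
  journal     = {Journal of Automated Reasoning},
  volume      = 48,
  number      = {4},
  pages       = {441--487},
  publisher   = {Springer},
  year        = 2012,
  month       = apr,
  doi         = {10.1007/s10817-010-9208-8},
  url         = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-jar10.pdf},
  pdf         = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-jar10.pdf},
  abstract    = {In formal approaches, messages sent over a network are usually modeled by terms together with an equational theory, axiomatizing the properties of the cryptographic functions (encryption, exclusive~or,~...). The analysis of cryptographic protocols requires a precise understanding of the attacker knowledge. Two standard notions are usually considered: deducibility and indistinguishability. Those notions are well-studied and several decidability results already exist to deal with a variety of equational theories. Most of the existing results are dedicated to specific equational theories and only few results, especially in the case of indistinguishability, have been obtained for equational theories with associative and commutative properties~(AC).\par In this paper, we show that existing decidability results can be easily combined for any disjoint equational theories: if the deducibility and indistinguishability relations are decidable for two disjoint theories, they are also decidable for their union. We also propose a general setting for solving deducibility and indistinguishability for an important class (called \emph{monoidal}) of equational theories involving AC operators.\par As a consequence of these two results, new decidability and complexity results can be obtained for many relevant equational theories.},
}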

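@inproceedings{BGGLP-scan10,
  author      = {Bouissou, Olivier and Goubault, {\'E}ric and Goubault{-}Larrecq, Jean and Putot, Sylvie},
  title       = {A Generalization of {P}-boxes to Affine Arithmetic, and Applications to Static Analysis of Programs},
  booktitle   = {{P}roceedings of the 14th {GAMM}-{IMACS} {I}nternational {S}ymposium on {S}cientific {C}omputing, {C}omputer {A}rithmetic and {V}alidated {N}umerics ({SCAN}'10)},
  acronym     = {{SCAN}'10},
  noeditor    = {},
  nopages     = {},
  address     = {Lyon, France},
  year        = 2010,
  month       = sep,
}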

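@article{GLK-mscs10,
  author      = {Goubault{-}Larrecq, Jean and Keimel, Klaus},
  title       = {{C}hoquet-{K}endall-{M}atheron Theorems for Non-{H}ausdorff Spaces},
  journal     = {Mathematical Structures in Computer Science},
  volume      = 21,
  number      = 3,
  pages       = {511--561},
  publisher   = {Cambridge University Press},
  year        = 2011,
  month       = jun,
  doi         = {10.1017/S0960129510000617},
  url         = {http://www.lsv.fr/Publis/PAPERS/PDF/GLK-mscs10.pdf},
  pdf         = {http://www.lsv.fr/Publis/PAPERS/PDF/GLK-mscs10.pdf},
  abstract    = {We establish Choquet-Kendall-Matheron theorems on non-Hausdorff topological spaces. This typical result of random set theory is profitably recast in purely topological terms, using intuitions and tools from domain theory. We obtain three variants of the theorem, each one characterizing distributions, in the form of continuous valuations, over relevant powerdomains of demonic, resp. angelic, resp. erratic non-determinism.},
}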

@inproceedings{CSV-fsttcs10,
  author    = {Chadha, Rohit and Sistla, A. Prasad and Viswanathan, Mahesh},
  title     = {Model Checking Concurrent Programs with Nondeterminism and Randomization},
  booktitle = {{P}roceedings of the 30th {C}onference on {F}oundations of {S}oftware {T}echnology and {T}heoretical {C}omputer {S}cience ({FSTTCS}'10)},
  acronym   = {{FSTTCS}'10},
  editor    = {Lodaya, Kamal and Mahajan, Meena},
  series    = {Leibniz International Proceedings in Informatics},
  volume    = 8,
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  address   = {Chennai, India},
  month     = dec,
  year      = 2010,
  pages     = {364-375},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-fsttcs10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-fsttcs10.pdf},
  doi       = {10.4230/LIPIcs.FSTTCS.2010.364},
  abstract  = {For concurrent probabilistic programs having process-level nondeterminism, it is often necessary to restrict the class of schedulers that resolve nondeterminism to obtain sound and precise model checking algorithms. In this paper, we introduce two classes of schedulers called \emph{view consistent} and \emph{locally Markovian} schedulers and consider the model checking problem of concurrent, probabilistic programs under these alternate semantics. Specifically, given a B{\"u}chi automaton~\(\textsf{Spec}\), a~threshold~\(x\in[0,1]\), and a concurrent program~\(\mathbb{P}\), the model checking problem asks if the measure of computations of~\(\mathbb{P}\) that satisfy~\(\textsf{Spec}\) is at least~\(x\), under all view consistent (or locally Markovian) schedulers. We give precise complexity results for the model checking problem (for different classes of B{\"u}chi automata specifications) and contrast it with the complexity under the standard semantics that considers all schedulers. },
}

@inproceedings{DKRS-fast10,
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D. and Steel, Graham},
  title     = {A~Formal Analysis of Authentication in the {TPM}},
  booktitle = {{R}evised {S}elected {P}apers of the 7th {I}nternational {W}orkshop on {F}ormal {A}spects in {S}ecurity and {T}rust ({FAST}'10)},
  acronym   = {{FAST}'10},
  editor    = {Degano, Pierpaolo and Etalle, Sandro and Guttman, Joshua},
  series    = {Lecture Notes in Computer Science},
  volume    = 6561,
  publisher = {Springer},
  address   = {Pisa, Italy},
  month     = sep,
  year      = 2010,
  pages     = {111-125},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-fast10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-fast10.pdf},
  ps        = {DKRS-fast10.ps},
  doi       = {10.1007/978-3-642-19751-2_8},
  abstract  = {The Trusted Platform Module~(TPM) is a hardware chip designed to enable computers to achieve a greater level of security than is possible in software alone. To this end, the TPM provides a way to store cryptographic keys and other sensitive data in its shielded memory. Through its API, one can use those keys to achieve some security goals. The TPM is a complex security component, whose specification consists of more than \(700\)~pages.\par We model a collection of four TPM commands, and we identify and formalise their security properties. Using the tool ProVerif, we rediscover some known attacks and some new variations on them. We propose modifications to the API and verify our properties for the modified API.},
}

@inproceedings{DKRS-secco10,
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D. and Steel, Graham},
  title     = {A~Formal Analysis of Authentication in the~{TPM} (short paper)},
  booktitle = {{P}reliminary {P}roceedings of the 8th {I}nternational {W}orkshop on {S}ecurity {I}ssues in {C}oordination {M}odels, {L}anguages and {S}ystems ({SecCo}'10)},
  acronym   = {{SecCo}'10},
  editor    = {Cortier, V{\'e}ronique and Chatzikokolakis, Kostas},
  address   = {Paris, France},
  month     = aug,
  year      = 2010,
  nopages   = {},
  nmnote    = {did not appear in postproc. EPTCS 51},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-secco10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-secco10.pdf},
  ps        = {DKRS-secco10.ps},
}

@article{bwa-jcs10,
  author    = {Baudet, Mathieu and Warinschi, Bogdan and Abadi, Mart{\'\i}n},
  title     = {Guessing Attacks and the Computational Soundness of Static Equivalence},
  journal   = {Journal of Computer Security},
  publisher = {{IOS} Press},
  volume    = 18,
  number    = 5,
  pages     = {909-968},
  month     = sep,
  year      = 2010,
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/bwa-jcs10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/bwa-jcs10.pdf},
  doi       = {10.3233/JCS-2009-0386},
  abstract  = {The indistinguishability of two pieces of data (or two lists of pieces of data) can be represented formally in terms of a relation called static equivalence. Static equivalence depends on an underlying equational theory. The choice of an inappropriate equational theory can lead to overly pessimistic or overly optimistic notions of indistinguishability, and in turn to security criteria that require protection against impossible attacks or---worse yet---that ignore feasible ones. In this paper, we define and justify an equational theory for standard, fundamental cryptographic operations. This equational theory yields a notion of static equivalence that implies computational indistinguishability. Static equivalence remains liberal enough for use in applications. In particular, we develop and analyze a principled formal account of guessing attacks in terms of static equivalence.},
}

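@comment{Review note on bgl-setop10: the abstract read "activity ows", which looks like a dropped "fl" ligature from PDF extraction; restored to "activity flows".}
@inproceedings{bgl-setop10,
  author    = {Benzina, Hedi and Goubault{-}Larrecq, Jean},
  title     = {Some Ideas on Virtualized Systems Security, and Monitors},
  booktitle = {{R}evised {S}elected {P}apers of the 5th {I}nternational {W}orkshop on {D}ata {P}rivacy {M}anagement and {A}utonomous {S}pontaneous {S}ecurity ({DPM}'10) and 3rd {I}nternational {W}orkshop on {A}utonomous and {S}pontaneous {S}ecurity ({SETOP}'10)},
  acronym   = {{DPM}{{\slash}}{SETOP}'10},
  editor    = {Cavalli, Ana and Leneutre, Jean},
  series    = {Lecture Notes in Computer Science},
  volume    = 6514,
  publisher = {Springer},
  address   = {Athens, Greece},
  month     = sep,
  year      = 2010,
  pages     = {244-258},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/bgl-setop10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/bgl-setop10.pdf},
  doi       = {10.1007/978-3-642-19348-4_18},
  abstract  = {Virtualized systems such as Xen, VirtualBox, VMWare or QEmu have been proposed to increase the level of security achievable on personal computers. On the other hand, such virtualized systems are now targets for attacks. We propose an intrusion detection architecture for virtualized systems, and discuss some of the security issues that arise. We argue that a weak spot of such systems is domain zero administration, which is left entirely under the administrator's responsibility, and is in particular vulnerable to trojans. To~avert some of the risks, we~propose to install a role-based access control model with possible role delegation, and to describe all undesired activity flows through simple temporal formulas. We show how the latter are compiled into Orchids rules, via a fragment of linear temporal logic, through a generalization of the so-called history variable mechanism.},
}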

@phdthesis{carre-phd2010,
  author    = {Carr{\'e}, Jean-Loup},
  title     = {Analyse statique de programmes multi-thread pour l'embarqu{\'e}},
  type      = {Th{\`e}se de doctorat},
  school    = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  month     = jul,
  year      = 2010,
  url       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/carre-these10.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/carre-these10.pdf},
}

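@comment{Review note on KMT-jar10: volume and number were swapped (number = 48, volume = 2). The other Journal of Automated Reasoning entries dated 2012 in this file (CD-jar10, CDK-jar10) use volume 48, and CDK-jar10 (volume 48, number 2, pages 219-262) directly follows this paper's page range.}
@article{KMT-jar10,
  author    = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
  title     = {Reducing Equational Theories for the Decision of Static Equivalence},
  journal   = {Journal of Automated Reasoning},
  publisher = {Springer},
  volume    = 48,
  number    = 2,
  pages     = {197-217},
  month     = feb,
  year      = 2012,
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/KMT-jar10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/KMT-jar10.pdf},
  doi       = {10.1007/s10817-010-9203-0},
  abstract  = {Static equivalence is a well established notion of indistinguishability of sequences of terms which is useful in the symbolic analysis of cryptographic protocols. Static equivalence modulo equational theories allows for a more accurate representation of cryptographic primitives by modelling properties of operators by equational axioms. We develop a method that allows us in some cases to simplify the task of deciding static equivalence in a multi-sorted setting, by removing a symbol from the term signature and reducing the problem to several simpler equational theories. We illustrate our technique at hand of bilinear pairings.},
}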

@article{CDK-jar10,
  author    = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune, St{\'e}phanie and Kremer, Steve},
  title     = {Computing knowledge in security protocols under convergent equational theories},
  journal   = {Journal of Automated Reasoning},
  publisher = {Springer},
  volume    = 48,
  number    = 2,
  pages     = {219-262},
  month     = feb,
  year      = 2012,
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-jar10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-jar10.pdf},
  doi       = {10.1007/s10817-010-9197-7},
  abstract  = {The analysis of security protocols requires reasoning about the knowledge an attacker acquires by eavesdropping on network traffic. In formal approaches, the messages exchanged over the network are modeled by a term algebra equipped with an equational theory axiomatizing the properties of the cryptographic primitives (e.g. encryption, signature). In this context, two classical notions of knowledge, deducibility and indistinguishability, yield corresponding decision problems.\par We propose a procedure for both problems under arbitrary convergent equational theories. Since the underlying problems are undecidable we cannot guarantee termination. Nevertheless, our procedure terminates on a wide range of equational theories. In particular, we obtain a new decidability result for a theory we encountered when studying electronic voting protocols. We also provide a prototype implementation.},
}

@inproceedings{BCFS-ccs10,
  author    = {Bortolozzo, Matteo and Centenaro, Matteo and Focardi, Riccardo and Steel, Graham},
  title     = {Attacking and Fixing {PKCS}\#11 Security Tokens},
  booktitle = {{P}roceedings of the 17th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity ({CCS}'10)},
  acronym   = {{CCS}'10},
  publisher = {ACM Press},
  address   = {Chicago, Illinois, USA},
  month     = oct,
  year      = 2010,
  pages     = {260-269},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/BCFS-ccs10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/BCFS-ccs10.pdf},
  doi       = {10.1145/1866307.1866337},
  abstract  = {We show how to extract sensitive cryptographic keys from a variety of commercially available tamper resistant cryptographic security tokens, exploiting vulnerabilities in their RSA PKCS\#11 based APIs. The attacks are performed by Tookan, an automated tool we have developed, which reverse-engineers the particular token in use to deduce its functionality, constructs a model of its API for a model checker, and then executes any attack trace found by the model checker directly on the token. We describe the operation of Tookan and give results of testing the tool on 17 commercially available tokens: 9~were vulnerable to attack, while the other 8 had severely restricted functionality. One of the attacks found by the model checker has not previously appeared in the literature. We show how Tookan may be used to verify patches to insecure devices, and give a secure configuration that we have implemented in a patch to a software token simulator. This is the first such configuration to appear in the literature that does not require any new cryptographic mechanisms to be added to the standard. We comment on lessons for future key management APIs.},
}

@comment{Review note on CKW-jar2010: year = 2010 sits oddly with volume 46, since the other Journal of Automated Reasoning entries in this file place volume 48 in 2012. The year may be the online-first date rather than the issue date; TODO confirm against the DOI record before citing.}
@article{CKW-jar2010,
  author    = {Cortier, V{\'e}ronique and Kremer, Steve and Warinschi, Bogdan},
  title     = {A~Survey of Symbolic Methods in Computational Analysis of Cryptographic Systems},
  journal   = {Journal of Automated Reasoning},
  publisher = {Springer},
  volume    = {46},
  number    = {3-4},
  pages     = {225-259},
  month     = apr,
  year      = 2010,
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CKW-jar10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CKW-jar10.pdf},
  doi       = {10.1007/s10817-010-9187-9},
  abstract  = {Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers with respect to the more detailed computational models have been quite unclear.\par For more than twenty years the two approaches have coexisted but evolved mostly independently. Recently, significant research efforts attempt to develop paradigms for cryptographic systems analysis that combines the best of both worlds. There are two broad directions that have been followed. Computational soundness aims to establish sufficient conditions under which results obtained using symbolic models imply security under computational models. The direct approach aims to apply the principles and the techniques developed in the context of symbolic models directly to computational ones.\par In this paper we survey existing results along both of these directions. Our goal is to provide a rather complete summary that could act as a quick reference for researchers who want to contribute to the field, want to make use of existing results, or just want to get a better picture of what results already exist.},
}

@inproceedings{KRS-esorics10,
  author    = {Kremer, Steve and Ryan, Mark D. and Smyth, Ben},
  title     = {Election verifiability in electronic voting protocols},
  booktitle = {{P}roceedings of the 15th {E}uropean {S}ymposium on {R}esearch in {C}omputer {S}ecurity ({ESORICS}'10)},
  acronym   = {{ESORICS}'10},
  editor    = {Gritzalis, Dimitris and Preneel, Bart},
  series    = {Lecture Notes in Computer Science},
  volume    = {6345},
  publisher = {Springer},
  address   = {Athens, Greece},
  month     = sep,
  year      = 2010,
  pages     = {389-404},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/KRS-esorics10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/KRS-esorics10.pdf},
  doi       = {10.1007/978-3-642-15497-3_24},
  abstract  = {We present a formal, symbolic definition of election verifiability for electronic voting protocols in the context of the applied pi calculus. Our definition is given in terms of boolean tests which can be performed on the data produced by an election. The definition distinguishes three aspects of verifiability: individual, universal and eligibility verifiability. It also allows us to determine precisely which aspects of the system's hardware and software must be trusted for the purpose of election verifiability. In contrast with earlier work our definition is compatible with a large class of electronic voting schemes, including those based on blind signatures, homomorphic encryption and mixnets. We demonstrate the applicability of our formalism by analysing three protocols: FOO, Helios~2.0, and Civitas (the latter two have been deployed).},
}

@inproceedings{DDS-esorics10,
  author    = {Dahl, Morten and Delaune, St{\'e}phanie and Steel, Graham},
  title     = {Formal Analysis of Privacy for Vehicular Mix-Zones},
  booktitle = {{P}roceedings of the 15th {E}uropean {S}ymposium on {R}esearch in {C}omputer {S}ecurity ({ESORICS}'10)},
  acronym   = {{ESORICS}'10},
  editor    = {Gritzalis, Dimitris and Preneel, Bart},
  series    = {Lecture Notes in Computer Science},
  volume    = {6345},
  publisher = {Springer},
  address   = {Athens, Greece},
  month     = sep,
  year      = 2010,
  pages     = {55-70},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-esorics10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-esorics10.pdf},
  ps        = {DDS-esorics10.ps},
  doi       = {10.1007/978-3-642-15497-3_4},
  abstract  = {Safety critical applications for recently proposed vehicle to vehicle ad-hoc networks~(VANETs) rely on a beacon signal, which poses a threat to privacy since it could allow a vehicle to be tracked. Mix-zones, where vehicles encrypt their transmissions and then change their identifiers, have been proposed as a solution to this problem. \par In this work, we~describe a formal analysis of mix-zones. We~model a mix-zone and propose a formal definition of privacy for such a zone. We~give a set of necessary conditions for any mix-zone protocol to preserve privacy. We~analyse, using the tool ProVerif, a~particular proposal for key distribution in mix-zones, the CMIX protocol. We~report attacks on privacy and we propose a fix.},
}

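@comment{Review note on DDS-fcsprivmod10: (1) the ps URL contained a stray space ("PS/ rr-lsv-2010-10.ps"), which breaks the link; the space has been removed. (2) pages and doi are identical to those of DDS-esorics10, and the DOI carries the same 978-3-642-15497-3 book prefix as the ESORICS'10 entries in this file, so both fields look copied from the ESORICS version rather than belonging to this workshop paper; TODO confirm and drop or correct them.}
@inproceedings{DDS-fcsprivmod10,
  author    = {Dahl, Morten and Delaune, St{\'e}phanie and Steel, Graham},
  title     = {Formal Analysis of Privacy for Vehicular Mix-Zones},
  booktitle = {{P}roceedings of the {W}orkshop on {F}oundations of {S}ecurity and {P}rivacy ({FCS-PrivMod}'10)},
  acronym   = {{FCS-PrivMod}'10},
  editor    = {Cortier, V{\'e}ronique and Ryan, Mark D. and Shmatikov, Vitaly},
  address   = {Edinburgh, Scotland, UK},
  month     = jul,
  year      = 2010,
  pages     = {55-70},
  url       = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-10.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-10.pdf},
  ps        = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/rr-lsv-2010-10.ps},
  doi       = {10.1007/978-3-642-15497-3_4},
  abstract  = {Safety critical applications for recently proposed vehicle to vehicle ad-hoc networks (VANETs) rely on a beacon signal, which poses a threat to privacy since it could allow a vehicle to be tracked. Mix-zones, where vehicles encrypt their transmissions and then change their identifiers, have been proposed as a solution to this problem.\par In this work, we describe a formal analysis of mix-zones. We model a mix-zone and propose a formal definition of privacy for such a zone. We give a set of necessary conditions for any mix-zone protocol to preserve privacy. We analyse, using the tool ProVerif, a particular proposal for key distribution in mix-zones, the CMIX protocol. We report attacks on privacy and we propose a fix.},
}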

@incollection{DKR-lncs6000,
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title     = {Verifying Privacy-Type Properties of Electronic Voting Protocols: A~Taster},
  booktitle = {{T}owards {T}rustworthy {E}lections -- {N}ew {D}irections in {E}lectronic {V}oting},
  noacronym = {},
  editor    = {Chaum, David and Jakobsson, Markus and Rivest, Ronald L. and Ryan, Peter Y. A. and Benaloh, Josh and Kuty{\l}owski, Miros{\l}aw and Adida, Ben},
  series    = {Lecture Notes in Computer Science},
  volume    = 6000,
  publisher = {Springer},
  noaddress = {},
  month     = may,
  year      = 2010,
  pages     = {289-309},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/DKR-lncs6000.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DKR-lncs6000.pdf},
  doi       = {10.1007/978-3-642-12980-3_18},
  abstract  = {While electronic elections promise the possibility of convenient, efficient and secure facilities for recording and tallying votes, recent studies have highlighted inadequacies in implemented systems. These inadequacies provide additional motivation for applying formal methods to the validation of electronic voting protocols.\par In this paper we report on some of our recent efforts in using the applied pi calculus to model and analyse properties of electronic elections. We particularly focus on anonymity properties, namely vote-privacy and receipt-freeness. These properties are expressed using observational equivalence and we show in accordance with intuition that receipt-freeness implies vote-privacy.\par We illustrate our definitions on two electronic voting protocols from the literature. Ideally, these properties should hold even if the election officials are corrupt. However, protocols that were designed to satisfy privacy or receipt-freeness may not do so in the presence of corrupt officials. Our model and definitions allow us to specify and easily change which authorities are supposed to be trustworthy.},
}

@inproceedings{CCD-ijcar10,
  author    = {Cheval, Vincent and Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie},
  title     = {Automating security analysis: symbolic equivalence of constraint systems},
  booktitle = {{P}roceedings of the 5th {I}nternational {J}oint {C}onference on {A}utomated {R}easoning ({IJCAR}'10)},
  acronym   = {{IJCAR}'10},
  editor    = {Giesl, J{\"u}rgen and Haehnle, Reiner},
  series    = {Lecture Notes in Artificial Intelligence},
  volume    = {6173},
  publisher = {Springer-Verlag},
  address   = {Edinburgh, Scotland, UK},
  month     = jul,
  year      = 2010,
  pages     = {412-426},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ijcar10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ijcar10.pdf},
  doi       = {10.1007/978-3-642-14203-1_35},
  abstract  = {We consider security properties of cryptographic protocols, that are either trace properties (such as confidentiality or authenticity) or equivalence properties (such as anonymity or strong secrecy).\par Infinite sets of possible traces are symbolically represented using \emph{deducibility constraints}. We give a new algorithm that decides the trace equivalence for the traces that are represented using such constraints, in the case of signatures, symmetric and asymmetric encryptions. Our algorithm is implemented and performs well on typical benchmarks. This is the first implemented algorithm, deciding symbolic trace equivalence.},
}

@inproceedings{JGL-icalp10,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {Noetherian Spaces in Verification},
  booktitle = {{P}roceedings of the 37th {I}nternational {C}olloquium on {A}utomata, {L}anguages and {P}rogramming ({ICALP}'10)~-- {P}art~{II}},
  acronym   = {{ICALP}'10},
  editor    = {Abramsky, Samson and Meyer{ }auf{ }der{ }Heide, Friedhelm and Spirakis, Paul},
  series    = {Lecture Notes in Computer Science},
  volume    = 6199,
  publisher = {Springer},
  address   = {Bordeaux, France},
  month     = jul,
  year      = 2010,
  pages     = {2-21},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-icalp10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-icalp10.pdf},
  doi       = {10.1007/978-3-642-14162-1_2},
  abstract  = {Noetherian spaces are a topological concept that generalizes well quasiorderings. We explore applications to infinite-state verification problems, and show how this stimulated the search for infinite procedures \`a la Karp-Miller.},
}

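@comment{Review note on CC-csf10: the abstract was missing the full stop between "share cryptographic primitives" and "We explain", and carried a hard line break in the middle of the field; both are repaired, the wording is otherwise unchanged.}
@inproceedings{CC-csf10,
  author    = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Cortier, V{\'e}ronique},
  title     = {Protocol composition for arbitrary primitives},
  booktitle = {{P}roceedings of the 23rd {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'10)},
  acronym   = {{CSF}'10},
  publisher = {{IEEE} Computer Society Press},
  address   = {Edinburgh, Scotland, UK},
  month     = jul,
  year      = 2010,
  pages     = {322-336},
  url       = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-09.pdf},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-09.pdf},
  doi       = {10.1109/CSF.2010.29},
  abstract  = {We study the composition of security protocols when protocols share secrets such as keys. We show (in a Dolev-Yao model) that if two protocols use disjoint cryptographic primitives, their composition is secure if the individual protocols are secure, even if they share data. Our result holds for any cryptographic primitives that can be modeled using equational theories, such as encryption, signature, MAC, exclusive-or, and Diffie-Hellman. Our main result transforms any attack trace of the combined protocol into an attack trace of one of the individual protocols. This allows various ways of combining protocols such as sequentially or in parallel, possibly with inner replications. As an application, we show that a protocol using preestablished keys may use any (secure) key-exchange protocol without jeopardizing its security, provided that they do not use the same primitives. This allows us, for example, to securely compose a Diffie-Hellman key exchange protocol with any other protocol using the exchanged key, provided that the second protocol does not use the Diffie-Hellman primitives. We also explore tagging, which is a way of forcing the disjointness of two protocols that share cryptographic primitives. We explain why composing protocols which use tagged cryptographic primitives like encryption and hash functions is secure by reducing this problem to the previous one.},
}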

@inproceedings{ACD-csf10,
  author    = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title     = {Modeling and Verifying Ad Hoc Routing Protocols},
  booktitle = {{P}roceedings of the 23rd {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'10)},
  acronym   = {{CSF}'10},
  publisher = {{IEEE} Computer Society Press},
  address   = {Edinburgh, Scotland, UK},
  month     = jul,
  year      = 2010,
  pages     = {59-74},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf10.pdf},
  doi       = {10.1109/CSF.2010.12},
  abstract  = {Mobile ad hoc networks consist of mobile wireless devices which autonomously organize their infrastructure. In such networks, a central issue, ensured by routing protocols, is to find a route from one device to another. Those protocols use cryptographic mechanisms in order to prevent malicious nodes from compromising the discovered route.\par Our contribution is twofold. We first propose a calculus for modeling and reasoning about security protocols, including in particular secured routing protocols. Our calculus extends standard symbolic models to take into account the characteristics of routing protocols and to model wireless communication in a more accurate way. Our second main contribution is a decision procedure for analyzing routing protocols for any network topology. By using constraint solving techniques, we show that it is possible to automatically discover (in NPTIME) whether there exists a network topology that would allow malicious nodes to mount an attack against the protocol, for a bounded number of sessions. We also provide a decision procedure for detecting attacks in case the network topology is given a priori. We demonstrate the usage and usefulness of our approach by analyzing the protocol \textsf{SRP} applied to~\textsf{DSR}.},
}

@inproceedings{JGL-lics10,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {{{\(\omega\)}}{\textbf{\MakeUppercase{QRB}}}-Domains and the Probabilistic Powerdomain},
  booktitle = {{P}roceedings of the 25th {A}nnual {IEEE} {S}ymposium on {L}ogic in {C}omputer {S}cience ({LICS}'10)},
  acronym   = {{LICS}'10},
  publisher = {{IEEE} Computer Society Press},
  address   = {Edinburgh, Scotland, UK},
  month     = jul,
  year      = 2010,
  pages     = {352-361},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lics10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lics10.pdf},
  doi       = {10.1109/LICS.2010.50},
  abstract  = {Is there any cartesian-closed category of continuous domains that would be closed under Jones and Plotkin's probabilistic powerdomain construction? This is a major open problem in the area of denotational semantics of probabilistic higher-order languages. We relax the question, and look for quasi-continuous dcpos instead. We introduce a natural class of such quasi-continuous dcpos, the \(\omega\textbf{QRB}\)-domains. We show that they form a category \(\omega\textbf{QRB}\) with pleasing properties: \(\omega\textbf{QRB}\) is closed under the probabilistic powerdomain functor, has all finite products, all bilimits, and is stable under retracts, and even under so-called quasiretracts. But... \(\omega\textbf{QRB}\) is not cartesian closed.},
}

@inproceedings{SRKK-arspawits10,
  author    = {Smyth, Ben and Ryan, Mark D. and Kremer, Steve and Kourjieh, Mounira},
  title     = {Towards automatic analysis of election verifiability properties},
  booktitle = {{P}roceedings of the {J}oint {W}orkshop on {A}utomated {R}easoning for {S}ecurity {P}rotocol {A}nalysis and {I}ssues in the {T}heory of {S}ecurity ({ARSPA-WITS}'10)},
  acronym   = {{ARSPA-WITS}'10},
  editor    = {Armando, Alessandro and Lowe, Gavin},
  series    = {Lecture Notes in Computer Science},
  volume    = 6186,
  publisher = {Springer},
  address   = {Paphos, Cyprus},
  month     = oct,
  year      = 2010,
  pages     = {146-163},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/SRKK-arspawits10.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/SRKK-arspawits10.pdf},
  doi       = {10.1007/978-3-642-16074-5_11},
  abstract  = {We present a symbolic definition that captures some cases of election verifiability for electronic voting protocols. Our definition is given in terms of reachability assertions in the applied pi calculus and is amenable to automated reasoning using the software tool ProVerif. The definition distinguishes three aspects of verifiability, which we call individual, universal, and eligibility verifiability. We demonstrate the applicability of our formalism by analysing the protocols due to Fujioka, Okamoto~\& Ohta and a variant of the one by Juels, Catalano~\& Jakobsson (implemented as Civitas by Clarkson, Chong~\& Myers).},
}

@misc{avote-D21,
  author        = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Cortier, V{\'e}ronique},
  nocontributor = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune, St{\'e}phanie and Kremer, Steve},
  title         = {Algorithmes pour l'{\'e}quivalence statique},
  type          = {Contract Report},
  howpublished  = {Deliverable AVOTE~2.1 (ANR-07-SESU-002)},
  month         = sep,
  year          = 2009,
  note          = {17~pages},
  url           = {http://www.lsv.fr/Publis/PAPERS/PDF/avote-d21.pdf},
  pdf           = {http://www.lsv.fr/Publis/PAPERS/PDF/avote-d21.pdf},
}

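@comment{Review note on JGL-tacl11: the author was written "First Last"; rewritten in the "Last, First" form used by every other entry in this file so that author-based filtering and sorting treat it like the rest.}
@misc{JGL-tacl11,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {A Few Pearls in the Theory of Quasi-Metric Spaces},
  howpublished = {Invited talk, Fifth International Conference on Topology, Algebra, and Categories in Logic (TACL'11), Marseilles, France, July~2011},
  month        = jul,
  year         = {2011},
}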

@article{FG-lmcs12,
  author    = {Finkel, Alain and Goubault{-}Larrecq, Jean},
  title     = {Forward Analysis for {WSTS}, Part~{II}: Complete {WSTS}},
  journal   = {Logical Methods in Computer Science},
  volume    = 8,
  number    = {3:28},
  nopages   = {},
  month     = sep,
  year      = 2012,
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/FG-lmcs12.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/FG-lmcs12.pdf},
  doi       = {10.2168/LMCS-8(3:28)2012},
  abstract  = {We describe a simple, conceptual forward analysis procedure for \(\infty\)-complete WSTS~\(\mathfrak{S}\). This computes the so-called \emph{clover} of a state. When \(\mathfrak{S}\) is the completion of a WSTS~\(\mathfrak{X}\), the clover in~\(\mathfrak{S}\) is a finite description of the downward closure of the reachability set. We show that such completions are infinity-complete exactly when \(\mathfrak{X}\) is an \(\omega^2\)-WSTS, a~new robust class of WSTS. We show that our procedure terminates in more cases than the generalized Karp-Miller procedure on extensions of Petri nets and on lossy channel systems. We characterize the WSTS where our procedure terminates as those that are \emph{clover-flattable}. Finally, we apply this to well-structured counter systems.},
}

@article{JGL-lmcs12, journal = {Logical Methods in Computer Science}, author = {Goubault{-}Larrecq, Jean}, title = {{QRB}-Domains and the Probabilistic Powerdomain}, year = 2012, volume = 8, number = {1:14}, nopages = {}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lmcs12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lmcs12.pdf}, doi = {10.2168/LMCS-8(1:14)2012}, abstract = {Is there any Cartesian-closed category of continuous domains that would be closed under Jones and Plotkin's probabilistic powerdomain construction? This is a major open problem in the area of denotational semantics of probabilistic higher-order languages. We relax the question, and look for quasi-continuous dcpos instead.\par We introduce a natural class of such quasi-continuous dcpos, the omega-QRB-domains. We show that they form a category omega-QRB with pleasing properties: omega-QRB is closed under the probabilistic powerdomain functor, under finite products, under taking bilimits of expanding sequences, under retracts, and even under so-called quasi-retracts. But... omega-QRB is not Cartesian closed. We conclude by showing that the QRB domains are just one half of an FS-domain, merely lacking control.} }

@article{BGGLP-comp11, publisher = {Springer}, journal = {Computing}, author = {Bouissou, Olivier and Goubault, {\'E}ric and Goubault{-}Larrecq, Jean and Putot, Sylvie}, title = {A Generalization of {P}-boxes to Affine Arithmetic, and Applications to Static Analysis of Programs}, year = 2012, month = mar, volume = 94, number = {2-4}, pages = {189-201}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/BGGLP-comp11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BGGLP-comp11.pdf}, doi = {10.1007/s00607-011-0182-8}, abstract = {We often need to deal with information that contains both interval and probabilistic uncertainties. P-boxes and Dempster-Shafer structures are models that unify both kinds of information, but they suffer from the main defect of intervals, the wrapping effect. We present here a new arithmetic that mixes, in a guaranteed manner, interval uncertainty with probabilities, while using some information about variable dependencies, hence limiting the loss from not accounting for correlations. This increases the precision of the result and decreases the computation time compared to standard p-box arithmetic.} }

@inproceedings{BC-post12, address = {Tallinn, Estonia}, month = mar, year = 2012, volume = {7215}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Degano, Pierpaolo and Guttman, Joshua D.}, acronym = {{POST}'12}, booktitle = {{P}roceedings of the 1st {I}nternational {C}onference on {P}rinciples of {S}ecurity and {T}rust ({POST}'12)}, author = {Bana, Gergei and Comon{-}Lundh, Hubert}, title = {Towards Unconditional Soundness: Computationally Complete Symbolic Attacker}, pages = {189-208}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-post12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-post12.pdf}, doi = {10.1007/978-3-642-28641-4_11}, abstract = {We consider the question of the adequacy of symbolic models versus computational models for the verification of security protocols. We neither try to include properties in the symbolic model that reflect the properties of the computational primitives nor add computational requirements that enforce the soundness of the symbolic model. We propose in this paper a different approach: everything is possible in the symbolic model, unless it contradicts a computational assumption. In this way, we obtain unconditional soundness almost by construction. And we do not need to assume the absence of dynamic corruption or the absence of key-cycles, which are examples of hypotheses that are always used in related works. We set the basic framework, for arbitrary cryptographic primitives and arbitrary protocols, however for trace security properties only.} }

@inproceedings{CCS-post12, address = {Tallinn, Estonia}, month = mar, year = 2012, volume = {7215}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Degano, Pierpaolo and Guttman, Joshua D.}, acronym = {{POST}'12}, booktitle = {{P}roceedings of the 1st {I}nternational {C}onference on {P}rinciples of {S}ecurity and {T}rust ({POST}'12)}, author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique and Scerri, Guillaume}, title = {Security proof with dishonest keys}, pages = {149-168}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCS-post12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCS-post12.pdf}, doi = {10.1007/978-3-642-28641-4_9}, abstract = {Symbolic and computational models are the two families of models for rigorously analysing security protocols. Symbolic models are abstract but offer a high level of automation while computational models are more precise but security proof can be tedious. Since the seminal work of Abadi and Rogaway, a new direction of research aims at reconciling the two views and many soundness results establish that symbolic models are actually sound w.r.t. computational models.\par This is however not true for the prominent case of encryption. Indeed, all existing soundness results assume that the adversary only uses honestly generated keys. While this assumption is acceptable in the case of asymmetric encryption, it is clearly unrealistic for symmetric encryption. In this paper, we provide with several examples of attacks that do not show-up in the classical Dolev-Yao model, and that do not break the IND-CPA nor INT-CTXT properties of the encryption scheme.\par Our main contribution is to show the first soundness result for symmetric encryption and arbitrary adversaries. We consider arbitrary indistinguishability properties and an unbounded number of sessions. 
This result relies on an extension of the symbolic model, while keeping standard security assumptions: IND-CPA and INT-CTXT for the encryption scheme.} }

@inproceedings{CDD-post12, address = {Tallinn, Estonia}, month = mar, year = 2012, volume = {7215}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Degano, Pierpaolo and Guttman, Joshua D.}, acronym = {{POST}'12}, booktitle = {{P}roceedings of the 1st {I}nternational {C}onference on {P}rinciples of {S}ecurity and {T}rust ({POST}'12)}, author = {Cortier, V{\'e}ronique and Degrieck, Jan and Delaune, St{\'e}phanie}, title = {Analysing routing protocols: four nodes topologies are sufficient}, pages = {30-50}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post12.pdf}, doi = {10.1007/978-3-642-28641-4_3}, abstract = {Routing protocols aim at establishing a route between nodes on a network. Secured versions of routing protocols have been proposed in order to provide more guarantees on the resulting routes. Formal methods have proved their usefulness when analysing standard security protocols such as confidentiality or authentication protocols. However, existing results and tools do not apply to routing protocols. This is due in particular to the fact that all possible topologies (infinitely many) have to be considered.\par In this paper, we propose a simple reduction result: when looking for attacks on properties such as the validity of the route, it is sufficient to consider topologies with only four nodes, resulting in a number of just five distinct topologies to consider. As an application, we analyse the SRP applied to DSR and the SDMSR protocols using the ProVerif tool.} }

@techreport{LSV-11-24, author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie}, title = {Modeling and Verifying Ad~Hoc Routing Protocols}, institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France}, year = {2011}, month = dec, type = {Research Report}, number = {LSV-11-24}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2011-24.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2011-24.pdf}, versions = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2011-24-v1.pdf, 20111220}, note = {66~pages}, abstract = {Mobile ad hoc networks consist of mobile wireless devices which autonomously organize their infrastructure. In such networks, a central issue, ensured by routing protocols, is to find a route from one device to another. Those protocols use cryptographic mechanisms in order to prevent malicious nodes from compromising the discovered route.\par Our contribution is twofold. We first propose a calculus for modeling and reasoning about security protocols, including in particular secured routing protocols. Our calculus extends standard symbolic models to take into account the characteristics of routing protocols and to model wireless communication in a more accurate way. Our second main contribution is a decision procedure for analyzing routing protocols for any network topology. By using constraint solving techniques, we show that it is possible to automatically discover (in~NPTIME) whether there exists a network topology that would allow malicious nodes to mount an attack against the protocol, for a bounded number of sessions. We also provide a decision procedure for detecting attacks in case the network topology is given a priori. We demonstrate the usage and usefulness of our approach by analyzing protocols of the literature, such as SRP applied to DSR and SDMSR.} }

@inproceedings{CMV-tacas12, address = {Tallinn, Estonia}, month = mar, year = 2012, volume = {7214}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Flanagan, Cormac and K{\"o}nig, Barbara}, acronym = {{TACAS}'12}, booktitle = {{P}roceedings of the 18th {I}nternational {C}onference on {T}ools and {A}lgorithms for {C}onstruction and {A}nalysis of {S}ystems ({TACAS}'12)}, author = {Chadha, Rohit and Madhusudan, P. and Viswanathan, Mahesh}, title = {Reachability under Contextual Locking}, pages = {437-450}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/CMV-tacas12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CMV-tacas12.pdf}, doi = {10.1007/978-3-642-28756-5_30}, abstract = {The pairwise reachability problem for a multi-threaded program asks, given control locations in two threads, whether they can be simultaneously reached in an execution of the program. The problem is important for static analysis and is used to detect statements that are concurrently enabled. This problem is in general undecidable even when data is abstracted and when the threads (with recursion) synchronize only using a finite set of locks. Popular programming paradigms that limit the lock usage patterns have been identified under which the pairwise reachability problem becomes decidable. In this paper, we consider a new natural programming paradigm, called contextual locking, which ties the lock usage to calling patterns in each thread: we assume that locks are released in the same context that they were acquired and that every lock acquired by a thread in a procedure call is released before the procedure returns. Our main result is that the pairwise reachability problem is polynomial-time decidable for this new programming paradigm as well.} }

@phdthesis{arnaud-phd2011, author = {Arnaud, Mathilde}, title = {Formal verification of secured routing protocols}, school = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France}, type = {Th{\`e}se de doctorat}, year = 2011, month = dec, url = {http://www.lsv.fr/Publis/PAPERS/PDF/arnaud-these11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/arnaud-these11.pdf} }

@phdthesis{ciobaca-phd2011, author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan}, title = {Automated Verification of Security Protocols with Applications to Electronic Voting}, school = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France}, type = {Th{\`e}se de doctorat}, year = 2011, month = dec, url = {http://www.lsv.fr/Publis/PAPERS/PDF/ciobaca-these11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ciobaca-these11.pdf} }

@article{BCJST-ijis11, publisher = {Springer}, journal = {International Journal on Information Security}, author = {Backes, Michael and Cervesato, Iliano and Jaggard, Aaron and Scedrov, Andre and Tsay, Joe-Kai}, title = {Cryptographically sound security proofs for basic and public-key {K}erberos}, pages = {107-134}, volume = {10}, number = {2}, year = {2011}, month = jun, url = {http://www.lsv.fr/Publis/PAPERS/PDF/BCJST-ijis11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BCJST-ijis11.pdf}, doi = {10.1007/s10207-011-0125-6} }

@inproceedings{ILV-imacc11, address = {Oxford, UK}, month = dec, year = 2011, volume = {7089}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Chen, Liqun}, acronym = {{IMACC}'11}, booktitle = {{P}roceedings of the 13th {IMA} {I}nternational {C}onference on {C}ryptography and {C}oding ({IMACC}'11)}, author = {Izabach{\`e}ne, Malika and Libert, Beno{\^\i}t and Vergnaud, Damien}, title = {Block-wise {P}-Signatures and Non-Interactive Anonymous Credentials with Efficient Attributes}, pages = {431-450}, doi = {10.1007/978-3-642-25516-8_26}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/ILV-imacc11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ILV-imacc11.pdf}, abstract = {Anonymous credentials are protocols in which users obtain certificates from organizations and subsequently demonstrate their possession in such a way that transactions carried out by the same user cannot be linked. We present an anonymous credential scheme with non-interactive proofs of credential possession where credentials are associated with a number of attributes. Following recent results of Camenisch and Gro\ss{} (CCS~2008), the proof simultaneously convinces the verifier that certified attributes satisfy a certain predicate. Our construction relies on a new kind of P-signature, termed \emph{block-wise P-signature}, that allows a user to obtain a signature on a committed vector of messages and makes it possible to generate a short witness that serves as a proof that the signed vector satisfies the predicate. A~non-interactive anonymous credential is obtained by combining our \emph{block-wise} P-signature scheme with the Groth-Sahai proof system. It allows efficiently proving possession of a credential while simultaneously demonstrating that underlying attributes satisfy a predicate corresponding to the evaluation of inner products (and therefore disjunctions or polynomial evaluations). 
The security of our scheme is proved in the standard model under non-interactive assumptions.} }

@book{LPS-book11, author = {Luccio, Fabrizio and Pagli, Linda and Steel, Graham}, title = {Mathematical and Algorithmic Foundations of the Internet}, publisher = {CRC Press}, year = 2011, month = jul, url = {https://www.crcpress.com/9781439831380} }

@incollection{steel-crypt2011, author = {Steel, Graham}, title = {Formal Analysis of Security~{API}s}, booktitle = {Encyclopedia of Cryptography and Security}, edition = {2nd}, editor = {van Tilborg, Henk C. A. and Jajodia, Sushil}, year = {2011}, pages = {492-494}, publisher = {Springer}, doi = {10.1007/978-1-4419-5906-5_873} }

@article{CSV-lmcs11, journal = {Logical Methods in Computer Science}, author = {Chadha, Rohit and Sistla, A. Prasad and Viswanathan, Mahesh}, title = {Power of Randomization in Automata on Infinite Strings}, year = {2011}, month = sep, volume = {7}, number = {3:22}, nopages = {}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-lmcs11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-lmcs11.pdf}, doi = {10.2168/LMCS-7(3:22)2011}, abstract = {Probabilistic B{\"u}chi Automata~(PBA) are randomized, finite state automata that process input strings of infinite length. Based on the threshold chosen for the acceptance probability, different classes of languages can be defined. In this paper, we present a number of results that clarify the power of such machines and properties of the languages they define. The broad themes we focus on are as follows. We present results on the decidability and precise complexity of the emptiness, universality and language containment problems for such machines, thus answering questions central to the use of these models in formal verification. Next, we characterize the languages recognized by PBAs topologically, demonstrating that though general PBAs can recognize languages that are not regular, topologically the languages are as simple as \(\omega\)-regular languages. Finally, we introduce Hierarchical PBAs, which are syntactically restricted forms of PBAs that are tractable and capture exactly the class of \(\omega\)-regular languages.} }

@mastersthesis{pasaila-master, author = {Pasail{\u{a}}, Daniel}, title = {Verifying equivalence properties of security protocols}, school = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France}, type = {Rapport de {M}aster}, year = {2011}, month = sep, url = {http://www.lsv.fr/Publis/PAPERS/PDF/dp11-m2.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/dp11-m2.pdf} }

@mastersthesis{degriek-master, author = {Degrieck, Jan}, title = {R{\'e}duction de graphes pour l'analyse de protocoles de routage s{\'e}curis{\'e}s}, school = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France}, type = {Rapport de {M}aster}, year = {2011}, month = sep, url = {http://www.lsv.fr/Publis/PAPERS/PDF/jd11-m2.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/jd11-m2.pdf} }

@inproceedings{CDK-fsttcs11, address = {Mumbai, India}, month = dec, year = 2011, volume = 13, series = {Leibniz International Proceedings in Informatics}, publisher = {Leibniz-Zentrum f{\"u}r Informatik}, editor = {Chakraborty, Supratik and Kumar, Amit}, acronym = {{FSTTCS}'11}, booktitle = {{P}roceedings of the 31st {C}onference on {F}oundations of {S}oftware {T}echnology and {T}heoretical {C}omputer {S}cience ({FSTTCS}'11)}, author = {Chevalier, C{\'e}line and Delaune, St{\'e}phanie and Kremer, Steve}, title = {Transforming Password Protocols to Compose}, pages = {204-216}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-fsttcs11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-fsttcs11.pdf}, doi = {10.4230/LIPIcs.FSTTCS.2011.204}, abstract = {Formal, symbolic techniques are extremely useful for modelling and analysing security protocols. They improved our understanding of security protocols, allowed to discover flaws, and also provide support for protocol design. However, such analyses usually consider that the protocol is executed in isolation or assume a bounded number of protocol sessions. Hence, no security guarantee is provided when the protocol is executed in a more complex environment.\par In this paper, we study whether password protocols can be safely composed, even when a same password is reused. More precisely, we present a transformation which maps a password protocol that is secure for a single protocol session (a~decidable problem) to a protocol that is secure for an unbounded number of sessions. Our result provides an effective strategy to design secure password protocols: (i)~design a protocol intended to be secure for one protocol session; (ii)~apply our transformation and obtain a protocol which is secure for an unbounded number of sessions. Our technique also applies to compose different password protocols allowing us to obtain both inter-protocol and inter-session composition.} }

@incollection{FLS-fosad11, noaddress = {}, month = sep, year = 2011, volume = 6858, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Aldini, Alessandro and Gorrieri, Roberto}, acronym = {{FOSAD}'{VI}}, booktitle = {{F}oundations of {S}ecurity {A}nalysis and {D}esign~-- {FOSAD} {T}utorial {L}ectures ({FOSAD}'{VI})}, author = {Focardi, Riccardo and Luccio, Flaminia L. and Steel, Graham}, title = {An Introduction to Security {API} Analysis}, pages = {35-65}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/FLS-fosad11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/FLS-fosad11.pdf}, doi = {10.1007/978-3-642-23082-0_2}, abstract = {A~security API is an Application Program Interface that allows untrusted code to access sensitive resources in a secure way. Examples of security APIs include the interface between the tamper-resistant chip on a smartcard (trusted) and the card reader (untrusted), the~interface between a~cryptographic Hardware Security Module, or~HSM (trusted) and the client machine (untrusted), and the Google maps API (an~interface between a server, trusted by Google, and the rest of the Internet).} }

@inproceedings{CCD-ccs11, address = {Chicago, Illinois, USA}, month = oct, year = 2011, publisher = {ACM Press}, editor = {Chen, Yan and Danezis, George and Shmatikov, Vitaly}, acronym = {{CCS}'11}, booktitle = {{P}roceedings of the 18th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity ({CCS}'11)}, author = {Cheval, Vincent and Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie}, title = {Trace Equivalence Decision: Negative Tests and Non-determinism}, pages = {321-330}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ccs11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ccs11.pdf}, doi = {10.1145/2046707.2046744}, abstract = {We consider security properties of cryptographic protocols that can be modeled using the notion of trace equivalence. The notion of equivalence is crucial when specifying privacy-type properties, like anonymity, vote-privacy, and unlinkability.\par In this paper, we give a calculus that is close to the applied pi calculus and that allows one to capture most existing protocols that rely on classical cryptographic primitives. First, we propose a symbolic semantics for our calculus relying on constraint systems to represent infinite sets of possible traces, and we reduce the decidability of trace equivalence to deciding a notion of symbolic equivalence between sets of constraint systems. Second, we develop an algorithm allowing us to decide whether two sets of constraint systems are in symbolic equivalence or not. Altogether, this yields the first decidability result of trace equivalence for a general class of processes that may involve else branches and\slash or private channels (for a bounded number of sessions).} }

@inproceedings{SC-unif11, address = {Wroc{\l}aw, Poland}, month = jul, year = 2011, editor = {Baader, Franz}, acronym = {{UNIF}'11}, booktitle = {{P}roceedings of the 25th {I}nternational {W}orkshop on {U}nification ({UNIF}'11)}, author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan}, title = {Computing finite variants for subterm convergent rewrite systems}, nopages = {}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-unif11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-unif11.pdf}, abstract = {Driven by an application in the verification of security protocols, we introduce the strong finite variant property, an extension of the finite variant property, and we show that subterm convergent rewrite systems enjoy the strong finite variant property modulo the empty equational theory.\par We argue that the strong finite variant property is more natural and more useful in practice than the finite variant property. We also compare the two properties and we provide a prototype implementation of an algorithm that computes a finite strongly complete set of variants for any term t with respect to a subterm convergent rewrite system.} }

@inproceedings{CKVAK-qest11, address = {Aachen, Germany}, month = sep, year = 2011, publisher = {{IEEE} Computer Society Press}, acronym = {{QEST}'11}, booktitle = {{P}roceedings of the 8th {I}nternational {C}onference on {Q}uantitative {E}valuation of {S}ystems ({QEST}'11)}, author = {Chadha, Rohit and Korthikranthi, Vijay and Viswanathan, Mahesh and Agha, Gul and Kwon, Youngmin}, title = {Model Checking {MDP}s with a Unique Compact Invariant Set of Distributions}, pages = {121-130}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/CKVAK-qest11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CKVAK-qest11.pdf}, doi = {10.1109/QEST.2011.22}, abstract = {The semantics of Markov Decision Processes (MDPs), when viewed as transformers of probability distributions, can be described as a labeled transition system over the probability distributions over the states of the MDP. The MDP can be seen as defining a set of executions, where each execution is a sequence of probability distributions. Reasoning about sequences of distributions allows one to express properties not expressible in logics like PCTL; examples include expressing bounds on transient rewards and expected values of random variables, as well as comparing the probability of being in one set of states at a given time with another set of states. With respect to such a semantics, the problem of checking that the MDP never reaches a bad distribution is undecidable. In this paper, we identify a special class of MDPs called \emph{semi-regular} MDPs that have a unique non-empty, compact, invariant set of distributions, for which we show that checking any \(\omega\)-regular property is decidable. Our decidability result also implies that for semi-regular probabilistic finite automata with isolated cut-points, the emptiness problem is decidable.} }

@inproceedings{benzina-iccans11, address = {Republic of Maldives}, month = may, year = 2011, noeditor = {}, acronym = {{ICCANS}'11}, booktitle = {{P}roceedings of the {I}nternational {C}onference on {C}omputer {A}pplications and {N}etwork {S}ecurity ({ICCANS}'11)}, author = {Benzina, Hedi}, title = {Logic in Virtualized Systems}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iccans11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iccans11.pdf}, abstract = {As virtualized systems grow in complexity, they are increasingly vulnerable to denial-of-service (DoS) attacks involving resource exhaustion. A malicious driver downloaded and installed by the system administrator can trigger high-complexity behavior exhausting CPU time or stack space and making the whole system unavailable. Virtualized systems such as Xen or VirtualBox have been proposed to increase the level of security on computers. On the other hand, such virtualized systems are now targets for attacks. The weak spot of such systems is domain zero administration, which is left entirely under the administrator's responsibility, and is in particular vulnerable to attacks. \par We propose to let the administrator write and deploy security policies and rely on RuleGen, a policy compiler, and Orchids' fast, real-time monitoring engine to raise alerts in case any policy violation, expressed in a fragment of linear temporal logic, is detected. This approach has shown its efficiency against real DoS exploits. } }

@incollection{CDM-fmtasp11, author = {Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie and Millen, Jonathan K.}, title = {Constraint solving techniques and enriching the model with equational theories}, booktitle = {Formal Models and Techniques for Analyzing Security Protocols}, editor = {Cortier, V{\'e}ronique and Kremer, Steve}, series = {Cryptology and Information Security Series}, volume = 5, publisher = {{IOS} Press}, nochapter = {}, pages = {35-61}, year = 2011, url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDM-fmtasp11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDM-fmtasp11.pdf}, abstract = {Derivability constraints represent in a symbolic way the infinite set of possible executions of a finite protocol, in presence of an arbitrary active attacker. Solving a derivability constraint consists in computing a simplified representation of such executions, which is amenable to the verification of any (trace) security property. Our goal is to explain this method on a non-trivial combination of primitives.\par In this chapter we explain how to model the protocol executions using derivability constraints, and how such constraints are interpreted, depending on the cryptographic primitives and the assumed attacker capabilities. Such capabilities are represented as a deduction system that has some specific properties. We choose as an example the combination of exclusive-or, symmetric encryption{\slash}decryption and pairing{\slash}unpairing. We explain the properties of the deduction system in this case and give a complete and terminating set of rules that solves derivability constraints. A similar set of rules has been already published for the classical Dolev-Yao attacker, but it is a new result for the combination of primitives that we consider. This allows to decide trace security properties for this combination of primitives and arbitrary finite protocols.} }

@inproceedings{ACD-cade11, address = {Wroc{\l}aw, Poland}, month = jul, year = 2011, volume = {6803}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Bj{\o}rner, Nikolaj and Sofronie-Stokkermans, Viorica}, acronym = {{CADE}'11}, booktitle = {{P}roceedings of the 23rd {I}nternational {C}onference on {A}utomated {D}eduction ({CADE}'11)}, author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie}, title = {Deciding security for protocols with recursive tests}, pages = {49-63}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-cade11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-cade11.pdf}, doi = {10.1007/978-3-642-22438-6_6}, abstract = {Security protocols aim at securing communications over public networks. Their design is notoriously difficult and error-prone. Formal methods have shown their usefulness for providing a careful security analysis in the case of standard authentication and confidentiality protocols. However, most current techniques do not apply to protocols that perform recursive computation e.g. on a list of messages received from the network.\par While considering general recursive input{\slash}output actions very quickly yields undecidability, we focus on protocols that perform recursive tests on received messages but output messages that depend on the inputs in a standard way. This is in particular the case of secured routing protocols, distributed right delegation or PKI certification paths. We provide NPTIME decision procedures for protocols with recursive tests and for a bounded number of sessions. We also revisit constraint system solving, providing a complete symbolic representation of the attacker knowledge.} }

@inproceedings{KSW-csf11, address = {Cernay-la-Ville, France}, month = jun, year = 2011, publisher = {{IEEE} Computer Society Press}, acronym = {{CSF}'11}, booktitle = {{P}roceedings of the 24th {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'11)}, author = {Kremer, Steve and Steel, Graham and Warinschi, Bogdan}, title = {Security for Key Management Interfaces}, pages = {266-280}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/KSW-csf11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KSW-csf11.pdf}, nolongps = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/ rr-lsv-2011-07.ps}, nolongpsgz = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PSGZ/ rr-lsv-2011-07.ps.gz}, doi = {10.1109/CSF.2011.25}, abstract = {We propose a much-needed formal definition of security for cryptographic key management APIs. The advantages of our definition are that it is general, intuitive, and applicable to security proofs in both symbolic and computational models of cryptography. Our definition relies on an idealized API which allows only the most essential functions for generating, exporting and importing keys, and takes into account dynamic corruption of keys. Based on this we can define the security of more expressive APIs which support richer functionality. We illustrate our approach by showing the security of APIs both in symbolic and computational models.} }

@inproceedings{DKRS-csf11, address = {Cernay-la-Ville, France}, month = jun, year = 2011, publisher = {{IEEE} Computer Society Press}, acronym = {{CSF}'11}, booktitle = {{P}roceedings of the 24th {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'11)}, author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D. and Steel, Graham}, title = {Formal analysis of protocols based on {TPM} state registers}, pages = {66-82}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-csf11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-csf11.pdf}, doi = {10.1109/CSF.2011.12}, abstract = {We~present a Horn-clause-based framework for analysing security protocols that use platform configuration registers~(PCRs), which are registers for maintaining state inside the Trusted Platform Module~(TPM). In~our model, the~PCR state space is unbounded, and our experience shows that a na{\"i}ve analysis using ProVerif or SPASS does not terminate. To address this, we extract a set of instances of the Horn clauses of our model, for which ProVerif does terminate on our examples. We~prove the soundness of this extraction process: no~attacks are lost, that~is, any query derivable in the more general set of clauses is also derivable from the extracted instances. The~effectiveness of our framework is demonstrated in two case studies: a~simplified version of Microsoft Bitlocker, and a digital envelope protocol that allows a user to choose whether to perform a decryption, or to verifiably renounce the ability to perform the decryption.} }

@inproceedings{CLC-stacs11, address = {Dortmund, Germany}, month = mar, year = 2011, volume = 9, series = {Leibniz International Proceedings in Informatics}, publisher = {Leibniz-Zentrum f{\"u}r Informatik}, editor = {D{\"u}rr, Christoph and Schwentick, {\relax Th}omas}, acronym = {{STACS}'11}, booktitle = {{P}roceedings of the 28th {A}nnual {S}ymposium on {T}heoretical {A}spects of {C}omputer {S}cience ({STACS}'11)}, author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique}, title = {How to prove security of communication protocols? A~discussion on the soundness of formal models w.r.t. computational ones}, pages = {29-44}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/CLC-stacs11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CLC-stacs11.pdf}, doi = {10.4230/LIPIcs.STACS.2011.29}, abstract = {Security protocols are short programs that aim at securing communication over a public network. Their design is known to be error-prone with flaws found years later. That is why they deserve a careful security analysis, with rigorous proofs. Two main lines of research have been (independently) developed to analyse the security of protocols. On the one hand, formal methods provide symbolic models and often automatic proofs. On the other hand, cryptographic models propose a tighter modeling but proofs are more difficult to write and to check. An approach developed during the last decade consists in bridging the two approaches, showing that symbolic models are sound w.r.t. computational ones, yielding strong security guarantees using automatic tools. These results have been developed for several cryptographic primitives (e.g. symmetric and asymmetric encryption, signatures, hash) and security properties. While proving soundness of symbolic models is a very promising approach, several technical details are often not satisfactory. Focusing on symmetric encryption, we describe the difficulties and limitations of the available results.} }

@phdthesis{kremer-HDR11, author = {Kremer, Steve}, title = {Modelling and analyzing security protocols in cryptographic process calculi}, year = 2011, month = mar, type = {M{\'e}moire d'habilitation}, school = {{\'E}cole Normale Sup{\'e}rieure de Cachan, France}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SK.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SK.pdf}, noslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/} }

@phdthesis{steel-HDR11, author = {Steel, Graham}, title = {Formal Analysis of Security {API}s}, year = 2011, month = mar, type = {M{\'e}moire d'habilitation}, school = {{\'E}cole Normale Sup{\'e}rieure de Cachan, France}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-GS.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-GS.pdf}, noslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/} }

@phdthesis{delaune-HDR11, author = {Delaune, St{\'e}phanie}, title = {Verification of security protocols: from confidentiality to privacy}, year = 2011, month = mar, type = {M{\'e}moire d'habilitation}, school = {{\'E}cole Normale Sup{\'e}rieure de Cachan, France}, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SD.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SD.pdf}, abstract = {Security is a very old concern, which until quite recently was mostly of interest for military purposes. The deployment of electronic commerce changes this drastically. The security of exchanges is ensured by cryptographic protocols which are notoriously error prone. The formal verification of cryptographic protocols is a difficult problem that can be seen as a particular model-checking problem in a hostile environment. Many results and tools have been developed to automatically verify cryptographic protocols.\par Recently, new types of applications have emerged, in order to face new technological and societal challenges, e.g. electronic voting protocols, secure routing protocols for mobile ad hoc networks,~... These applications involve some features that are not taken into account by the existing verification tools, e.g. complex cryptographic primitives, privacy-type security properties,~... This prevents us from modelling these protocols in an accurate way. Moreover, protocols are often analysed in isolation and this is well-known to be not sufficient. In this thesis, we use formal methods to study these aspects concerning the verification of cryptographic protocols.} }

@inproceedings{ACGP-rsa11, address = {San Francisco, California, USA}, month = feb, year = 2011, volume = 6558, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Kiayias, Aggelos}, acronym = {{CT-RSA}'11}, booktitle = {{P}roceedings of the {C}ryptographers' {T}rack at the {RSA} {C}onference 2011 ({CT-RSA}'11)}, author = {Abdalla, Michel and Chevalier, C{\'e}line and Granboulan, Louis and Pointcheval, David}, title = {Contributory Password-Authenticated Group Key Exchange with Join Capability}, pages = {142-160}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACGP-rsa11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACGP-rsa11.pdf}, doi = {10.1007/978-3-642-19074-2_11}, abstract = {Password-based authenticated group key exchange allows any group of users in possession of a low-entropy secret key to establish a common session key even in the presence of adversaries. In this paper, we propose a new generic construction of password-authenticated group key exchange protocol from any two-party password-authenticated key exchange with explicit authentication. Our new construction has several advantages when compared to existing solutions. First, our construction only assumes a common reference string and does not rely on any idealized models. Second, our scheme enjoys a simple and intuitive security proof in the universally composable framework and is optimal in the sense that it allows at most one password test per user instance. Third, our scheme also achieves a strong notion of security against insiders in that the adversary cannot bias the distribution of the session key as long as one of the players involved in the protocol is honest. Finally, we show how to easily extend our protocol to the dynamic case in a way that the costs of establishing a common key between two existing groups is significantly smaller than computing a common key from scratch.} }

@inproceedings{GLV-lics2011, address = {Toronto, Canada}, month = jun, year = 2011, publisher = {{IEEE} Computer Society Press}, acronym = {{LICS}'11}, booktitle = {{P}roceedings of the 26th {A}nnual {IEEE} {S}ymposium on {L}ogic in {C}omputer {S}cience ({LICS}'11)}, author = {Goubault{-}Larrecq, Jean and Varacca, Daniele}, title = {Continuous Random Variables}, pages = {97-106}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLV-lics2011.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLV-lics2011.pdf}, corrigendumpdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLV-lics2011-errata.pdf}, doi = {10.1109/LICS.2011.23}, abstract = {We introduce the domain of continuous random variables (CRV) over a domain, as an alternative to Jones and Plotkin's probabilistic powerdomain. While no known Cartesian-closed category is stable under the latter, we show that the so-called thin (uniform) CRVs define a strong monad on the Cartesian-closed category of bc-domains. We also characterize their inequational theory, as (fair-)coin algebras. We apply this to solve a recent problem posed by M. Escard{\'o}: testing is semi-decidable for EPCF terms. CRVs arose from the study of the second author's (layered) Hoare indexed valuations, and we also make the connection apparent.} }

@book{CK-ios2011, editor = {Cortier, V{\'e}ronique and Kremer, Steve}, title = {Formal Models and Techniques for Analyzing Security Protocols}, publisher = {{IOS} Press}, year = {2011}, series = {Cryptology and Information Security Series}, volume = 5, url = {http://www.iospress.nl/loadtop/load.php?isbn=9781607507130} }

@inproceedings{DDS-tosca11, address = {Saarbr{\"u}cken, Germany}, month = jan, year = 2012, volume = 6993, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {M{\"o}dersheim, Sebastian A. and Palamidessi, Catuscia}, acronym = {{TOSCA}'11}, booktitle = {{R}evised {S}elected {P}apers of the {W}orkshop on {T}heory of {S}ecurity and {A}pplications ({TOSCA}'11)}, author = {Dahl, Morten and Delaune, St{\'e}phanie and Steel, Graham}, title = {Formal Analysis of Privacy for Anonymous Location Based Services}, pages = {98-112}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-tosca11.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-tosca11.pdf}, doi = {10.1007/978-3-642-27375-9_6}, abstract = {We propose a framework for formal analysis of privacy in location based services such as anonymous electronic toll collection. We give a formal definition of privacy, and apply it to the VPriv scheme for vehicular services. We analyse the resulting model using the ProVerif tool, concluding that our privacy property holds only if certain conditions are met by the implementation. Our analysis includes some novel features such as the formal modelling of privacy for a protocol that relies on interactive zero-knowledge proofs of knowledge and list permutations. } }

@article{JGL-jyg10, publisher = {Elsevier Science Publishers}, journal = {Theoretical Computer Science}, author = {Goubault{-}Larrecq, Jean}, title = {Musings Around the Geometry of Interaction, and Coherence}, volume = 412, number = 20, pages = {1998-2014}, year = 2011, month = apr, url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/jgl-jyg10.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/jgl-jyg10.pdf}, doi = {10.1016/j.tcs.2010.12.023}, abstract = {We introduce the Danos-R{\'e}gnier category \(\mathcal{DR}(M)\) of a linear inverse monoid~\(M\), as~a categorical description of geometries of interaction~(GOI) inspired from the weight algebra. The natural setting for GOI is that of a so-called weakly Cantorian linear inverse monoid, in which case \(\mathcal{DR}(M)\) is a kind of symmetrized version of the classical Abramsky-Haghverdi-Scott construction of a weak linear category from a GOI situation. It is well-known that GOI is perfectly suited to describe the multiplicative fragment of linear logic, and indeed \(\mathcal{DR}(M)\) will be a \(\star\)-autonomous category in this case. It is also well-known that the categorical interpretation of the other linear connectives conflicts with GOI interpretations. We make this precise, and show that \(\mathcal{DR}(M)\) has no terminal object, no cartesian product of any two objects, and no exponential---whatever \(M\)~is, unless \(M\)~is trivial. However, a form of coherence completion of \(\mathcal{DR}(M)\) \textit{{\`a} la} Hu-Joyal (which for additives resembles a layered approach \textit{{\`a} la} Hughes-van Glabbeek), provides a model of full classical linear logic, as soon as \(M\) is weakly Cantorian. One finally notes that Girard's notion of \emph{coherence} is pervasive, and instrumental in every aspect of this work.} }

@inproceedings{CU-fsttcs12, address = {Hyderabad, India}, month = dec, year = 2012, volume = 18, series = {Leibniz International Proceedings in Informatics}, publisher = {Leibniz-Zentrum f{\"u}r Informatik}, editor = {D'Souza, Deepak and Radhakrishnan, Jaikumar and Telikepalli, Kavitha}, acronym = {{FSTTCS}'12}, booktitle = {{P}roceedings of the 32nd {C}onference on {F}oundations of {S}oftware {T}echnology and {T}heoretical {C}omputer {S}cience ({FSTTCS}'12)}, author = {Chadha, Rohit and Ummels, Michael}, title = {The complexity of quantitative information flow in recursive programs}, pages = {534-545}, url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-15.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-15.pdf}, doi = {10.4230/LIPIcs.FSTTCS.2012.534}, abstract = {Information-theoretic measures based upon mutual information can be employed to quantify the information that an \emph{execution} of a program reveals about its \emph{secret inputs}. The \emph{information leakage bounding problem} asks whether the information leaked by a program does not exceed a certain amount. We consider this problem for two scenarios: a)~the \emph{outputs} of the program are revealed, and b)~the \emph{timing} (measured in the number of execution steps) of the program is revealed. For both scenarios, we establish complexity results in the context of deterministic boolean programs, both for programs with and without recursion. In particular, we prove that for recursive programs the information leakage bounding problem is no harder than checking reachability.} }

@inproceedings{CB-post13, address = {Rome, Italy}, month = mar, year = 2013, volume = {7796}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Basin, David and Mitchell, John}, acronym = {{POST}'13}, booktitle = {{P}roceedings of the 2nd {I}nternational {C}onference on {P}rinciples of {S}ecurity and {T}rust ({POST}'13)}, author = {Cheval, Vincent and Blanchet, Bruno}, title = {Proving More Observational Equivalences with ProVerif}, pages = {226-246}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/CB-post13.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CB-post13.pdf}, doi = {10.1007/978-3-642-36830-1_12}, abstract = {This paper presents an extension of the automatic protocol verifier ProVerif in order to prove more observational equivalences. ProVerif can prove observational equivalence between processes that have the same structure but differ by the messages they contain. In order to extend the class of equivalences that ProVerif handles, we extend the language of terms by defining more functions (destructors) by rewrite rules. In particular, we allow rewrite rules with inequalities as side-conditions, so that we can express tests {"}if then else{"} inside terms. Finally, we provide an automatic procedure that translates a process into an equivalent process that performs as many actions as possible inside terms, to allow ProVerif to prove the desired equivalence. These extensions have been implemented in ProVerif and allow us to automatically prove anonymity in the private authentication protocol by Abadi and Fournet.} }

@inproceedings{CD-post13, address = {Rome, Italy}, month = mar, year = 2013, volume = {7796}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Basin, David and Mitchell, John}, acronym = {{POST}'13}, booktitle = {{P}roceedings of the 2nd {I}nternational {C}onference on {P}rinciples of {S}ecurity and {T}rust ({POST}'13)}, author = {Chr{\'e}tien, R{\'e}my and Delaune, St{\'e}phanie}, title = {Formal analysis of privacy for routing protocols in mobile ad~hoc networks}, pages = {1-20}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-post13.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-post13.pdf}, doi = {10.1007/978-3-642-36830-1_1}, abstract = {Routing protocols aim at establishing a route between distant nodes in ad hoc networks. Secured versions of routing protocols have been proposed to provide more guarantees on the resulting routes, and some of them have been designed to protect the privacy of the users. In this paper, we propose a framework for analysing privacy-type properties for routing protocols. We use a variant of the applied-pi calculus as our basic modelling formalism. More precisely, using the notion of equivalence between traces, we formalise three security properties related to privacy, namely indistinguishability, unlinkability, and anonymity. We study the relationship between these definitions and we illustrate them using two versions of the ANODR routing protocol.} }

@phdthesis{benzina-phd2012, author = {Benzina, Hedi}, title = {Enforcing Virtualized Systems Security}, school = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France}, type = {Th{\`e}se de doctorat}, year = 2012, month = dec, url = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-these12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-these12.pdf} }

@mastersthesis{m2-chretien, author = {Chr{\'e}tien, R{\'e}my}, title = {Trace equivalence of protocols for an unbounded number of sessions}, school = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France}, type = {Rapport de {M}aster}, year = {2012}, month = sep, url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-22.pdf}, pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-22.pdf}, note = {30~pages}, abstract = {The problem of deciding reachability for cryptographic protocols has been thoroughly studied for an unbounded number of sessions and proven to be undecidable in general. Nevertheless some fragments were shown to be decidable, either by tagging or by restricting the number of blind-copies. On the other hand, trace equivalence has only been proven to be decidable for a bounded number of sessions. The objective of this talk is to provide the first results of decidability of trace equivalence for an unbounded number of sessions by lifting the approach followed by Comon-Lundh and Cortier to trace equivalence.\par Trace equivalence for a first class of protocols was shown undecidable under scarce restrictions: one variable and symmetric encryption are indeed enough. Consequently, we restrained our class of protocols a step further by making the protocols deterministic in some sense and preventing it from disclosing secret keys. This tighter class of protocols was then shown to be decidable after reduction to an equivalence between deterministic pushdown automata.} }

@phdthesis{cheval-phd2012, author = {Cheval, Vincent}, title = {Automatic verification of cryptographic protocols: privacy-type properties}, school = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France}, type = {Th{\`e}se de doctorat}, year = 2012, month = dec, url = {http://www.lsv.fr/Publis/PAPERS/PDF/cheval-these12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/cheval-these12.pdf} }

@techreport{AGL-arxiv12, author = {Adj{\'e}, Assal{\'e} and Goubault{-}Larrecq, Jean}, title = {Concrete Semantics of Programs with Non-Deterministic and Random Inputs}, year = {2012}, month = oct, type = {Research Report}, institution = {Computing Research Repository}, number = {cs.LO/1210.2605}, url = {http://arxiv.org/abs/1210.2605}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/AGL-arxiv12.pdf}, originalpdf = {http://arxiv.org/pdf/1210.2605}, note = {19~pages}, abstract = {This document gives semantics to programs written in a C-like programming language, featuring interactions with an external environment with noisy and imprecise data.} }

@inproceedings{KS-stm12, address = {Pisa, Italy}, month = sep, year = 2012, volume = 7783, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {J{\o}sang, Audun and Samarati, Pierangela and Petrocchi, Marinella}, acronym = {{STM}'12}, booktitle = {{R}evised {S}elected {P}apers of the 8th {W}orkshop on {S}ecurity and {T}rust {M}anagement ({STM}'12)}, author = {K{\"u}nnemann, Robert and Steel, Graham}, title = {{Y}ubi{S}ecure? Formal Security Analysis Results for the {Y}ubikey and {Y}ubi{HSM}}, pages = {257-272 }, url = {http://www.lsv.fr/Publis/PAPERS/PDF/KS-stm12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KS-stm12.pdf}, doi = {10.1007/978-3-642-38004-4_17}, abstract = {The Yubikey is a small hardware device designed to authenticate a user against network-based services. Despite its widespread adoption (over a million devices have been shipped by Yubico to more than 20~000 customers including Google and Microsoft), the Yubikey protocols have received relatively little security analysis in the academic literature. In the first part of this paper, we give a formal model for the operation of the Yubikey one-time password (OTP) protocol. We prove security properties of the protocol for an unbounded number of fresh OTPs using a protocol analysis tool, tamarin.\par In the second part of the paper, we analyze the security of the protocol with respect to an adversary that has temporary access to the authentication server. To address this scenario, Yubico offers a small Hardware Security Module (HSM) called the YubiHSM, intended to protect keys even in the event of server compromise. We show if the same YubiHSM configuration is used both to set up Yubikeys and run the authentication protocol, then there is inevitably an attack that leaks all of the keys to the attacker. Our discovery of this attack led to a Yubico security advisory in February 2012. 
For the case where separate servers are used for the two tasks, we give a configuration for which we can show using the same verification tool that if an adversary can compromise the server running the Yubikey-protocol, but not the server used to set up new Yubikeys, then he cannot obtain the keys used to produce one-time passwords.} }

@inproceedings{BFKSST-crypto12, address = {Santa Barbara, California, USA}, month = aug, year = 2012, volume = 7417, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Safavi-Naini, Reihaneh and Canetti, Ran}, acronym = {{CRYPTO}'12}, booktitle = {{P}roceedings of the 32nd {A}nnual {I}nternational {C}ryptology {C}onference ({CRYPTO}'12)}, author = {Bardou, Romain and Focardi, Riccardo and Kawamoto, Yusuke and Simionato, Lorenzo and Steel, Graham and Tsay, Joe-Kai}, title = {Efficient Padding Oracle Attacks on Cryptographic Hardware}, pages = {608-625}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/BFKSST-crypto12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BFKSST-crypto12.pdf}, doi = {10.1007/978-3-642-32009-5_36}, abstract = {We show how to exploit the encrypted key import functions of a variety of different cryptographic devices to reveal the imported key. The attacks are padding oracle attacks, where error messages resulting from incorrectly padded plaintexts are used as a side channel. In the asymmetric encryption case, we modify and improve Bleichenbacher's attack on RSA PKCS\#1v1.5 padding, giving new cryptanalysis that allows us to carry out the 'million message attack' in a mean of 49 000 and median of 14 500 oracle calls in the case of cracking an unknown valid ciphertext under a 1024 bit key (the original algorithm takes a mean of 215 000 and a median of 163 000 in the same case). We show how implementation details of certain devices admit an attack that requires only 9 400 operations on average (3 800 median). For the symmetric case, we adapt Vaudenay's CBC attack, which is already highly efficient. We demonstrate the vulnerabilities on a number of commercially available cryptographic devices, including security tokens, smartcards and the Estonian electronic ID card. 
The attacks are efficient enough to be practical: we give timing details for all the devices found to be vulnerable, showing how our optimisations make a qualitative difference to the practicality of the attack. We give mathematical analysis of the effectiveness of the attacks, extensive empirical results, and a discussion of countermeasures.} }

@article{AGG-lmcs12, journal = {Logical Methods in Computer Science}, author = {Adj{\'e}, Assal{\'e} and Gaubert, St{\'e}phane and Goubault, {\'E}ric}, title = {Coupling policy iteration with semi-definite relaxation to compute accurate numerical invariants in static analysis}, year = 2012, month = jan, volume = {8}, number = {1:1}, nopages = {}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/AGG-lmcs12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/AGG-lmcs12.pdf}, doi = {10.2168/LMCS-8(1:01)2012}, abstract = {We introduce a new domain for finding precise numerical invariants of programs by abstract interpretation. This domain, which consists of level sets of non-linear functions, generalizes the domain of linear {"}templates{"} introduced by Manna, Sankaranarayanan, and Sipma. In the case of quadratic templates, we use Shor's semi-definite relaxation to derive computable yet precise abstractions of semantic functionals, and we show that the abstract fixpoint equation can be solved accurately by coupling policy iteration and semi-definite programming. We demonstrate the interest of our approach on a series of examples (filters, integration schemes) including a degenerate one (symplectic scheme).} }

@inproceedings{IL-pairing12, address = {Cologne, Germany}, month = may, year = 2012, volume = 7708, series = {Lecture Notes in Computer Science}, publisher = {Springer}, editor = {Abdalla, Michel and Lange, Tanja}, acronym = {{PAIRING}'12}, booktitle = {{P}roceedings of the 5th {I}nternational {C}onference on {P}airing-Based {C}ryptography ({PAIRING}'12)}, author = {Izabach{\`e}ne, Malika and Libert, Beno{\^\i}t}, title = {Divisible E-Cash in the Standard Model}, pages = {314-332}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/IL-pairing12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/IL-pairing12.pdf}, doi = {10.1007/978-3-642-36334-4_20}, abstract = {Off-line e-cash systems are the digital analogue of regular cash. One of the main desirable properties is anonymity: spending a coin should not reveal the identity of the spender and, at the same time, users should not be able to double-spend coins without being detected. Compact e-cash systems make it possible to store a wallet of \(O(2^{L})\) coins using \(O(L + \lambda)\) bits, where \(\lambda\) is the security parameter. They are called \emph{divisible} whenever the user has the flexibility of spending an amount of~\(2^{\ell}\), for some \(\ell\leq L\), more efficiently than by repeatedly spending individual coins. This paper presents the first construction of divisible e-cash in the standard model (i.e., without the random oracle heuristic). The scheme allows a user to obtain a wallet of~\(2^{L}\) coins by running a withdrawal protocol with the bank. Our construction is built on the traditional binary tree approach, where the wallet is organized in such a way that the monetary value of a coin depends on how deep the coin is in the tree.} }

@inproceedings{benzina-dictap12, address = {Bangkok, Thailand}, month = may, year = 2012, publisher = {{IEEE} Computer Society Press}, acronym = {{DICTAP}'12}, booktitle = {{P}roceedings of the 2nd {I}nternational {C}onference on {D}igital {I}nformation and {C}ommunication {T}echnology and its {A}pplication ({DICTAP}'12)}, author = {Benzina, Hedi}, title = {Towards Designing Secure Virtualized Systems}, pages = {250-255}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/HB-dictap12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/HB-dictap12.pdf}, doi = {10.1109/DICTAP.2012.6215385}, abstract = {Virtual machine technology is rapidly gaining acceptance as a fundamental building block in enterprise data centers. It is most known for improving efficiency and ease of management. However, it also provides a compelling approach to enhancing system security, offering new ways to rearchitect today's systems and opening the door for a wide range of future security technologies. While this technology is meant to enhance the security of computer systems, some recent attacks show that virtual machine technology has many weaknesses and becomes exposed to many security threats. In this paper we present some of these threats and show how we protect these systems through intrusion detection and security policies mechanisms.} }

@inproceedings{ACD-csf12, address = {Cambridge Massachusetts, USA}, month = jun, year = 2012, publisher = {{IEEE} Computer Society Press}, acronym = {{CSF}'12}, booktitle = {{P}roceedings of the 25th {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'12)}, author = {Arapinis, Myrto and Cheval, Vincent and Delaune, St{\'e}phanie}, title = {Verifying privacy-type properties in a modular way}, pages = {95-109}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf12.pdf}, doi = {10.1109/CSF.2012.16}, abstract = {Formal methods have proved their usefulness for analysing the security of protocols. In this setting, privacy-type security properties (e.g. vote-privacy, anonymity, unlinkability) that play an important role in many modern applications are formalised using a notion of equivalence.\par In this paper, we study the notion of trace equivalence and we show how to establish such an equivalence relation in a modular way. It is well-known that composition works well when the processes do not share secrets. However, there is no result allowing us to compose processes that rely on some shared secrets such as long term keys. We show that composition works even when the processes share secrets provided that they satisfy some reasonable conditions. Our composition result allows us to prove various equivalence-based properties in a modular way, and works in a quite general setting. In particular, we consider arbitrary cryptographic primitives and processes that use non-trivial else branches.\par As an example, we consider the ICAO e-passport standard, and we show how the privacy guarantees of the whole application can be derived from the privacy guarantees of its sub-protocols.} }

@inproceedings{benzina-iscc12, address = {Nev{\c{s}}ehir, Turkey}, month = jul, year = 2012, publisher = {{IEEE} Computer Society Press}, noeditor = {}, acronym = {{ISCC}'12}, booktitle = {{P}roceedings of the 17th {IEEE} {S}ymposium on {C}omputers and {C}ommunications ({ISCC}'12)}, author = {Benzina, Hedi}, title = {A~Network Policy Model for Virtualized Systems}, pages = {680-683}, url = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iscc12.pdf}, pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iscc12.pdf}, doi = {10.1109/ISCC.2012.6249376}, abstract = {Modern hypervisors offer the ability to build virtual networks between virtual machines. These networks are very useful in both personal and professional activities since they offer the same opportunities as physical networks, but at a much lower cost in terms of hardware and time. On the other hand, these networks are facing many security threats due to the absence of rigorous security policies that protect the sensitive resources of the network. In this paper, we propose a multilevel security policy model for these networks; this policy covers not only network operations, but also operations related to the management of the virtual architecture.} }

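@inproceedings{DKP-ijcar12,
  address   = {Manchester, UK},
  month     = jun,
  year      = 2012,
  volume    = {7364},
  series    = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer-Verlag},
  editor    = {Gramlich, Bernhard and Miller, Dale and Sattler, Uli},
  acronym   = {{IJCAR}'12},
  booktitle = {{P}roceedings of the 6th {I}nternational {J}oint {C}onference on {A}utomated {R}easoning ({IJCAR}'12)},
  author    = {Delaune, St{\'e}phanie and Kremer, Steve and Pasail{\u{a}}, Daniel},
  title     = {Security protocols, constraint systems, and group theories},
  pages     = {164--178},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-ijcar12.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-ijcar12.pdf},
  doi       = {10.1007/978-3-642-31365-3_15},
  abstract  = {When formally analyzing security protocols it is often important to express properties in terms of an adversary's inability to distinguish two protocols. It has been shown that this problem amounts to deciding the equivalence of two constraint systems, i.e., whether they have the same set of solutions. In this paper we study this equivalence problem when cryptographic primitives are modeled using a group equational theory, a special case of monoidal equational theories. The results strongly rely on the isomorphism between group theories and rings. This allows us to reduce the problem under study to the problem of solving systems of equations over rings.\par We provide several new decidability and complexity results, notably for equational theories which have applications in security protocols, such as exclusive or and Abelian groups which may additionally admit a unary, homomorphic symbol.},
}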

@article{BCD-tocl12,
  publisher = {ACM Press},
  journal   = {ACM Transactions on Computational Logic},
  author    = {Baudet, Mathieu and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title     = {{YAPA}: A~generic tool for computing intruder knowledge},
  year      = 2013,
  month     = feb,
  nopages   = {},
  number    = {1:4},
  volume    = 14,
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-tocl12.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-tocl12.pdf},
  doi       = {10.1145/2422085.2422089},
  abstract  = {Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so far. \par We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers most of the existing decision procedures for convergent theories. We also provide an efficient implementation, and compare it briefly with the tools ProVerif and KiSs.}
}

@book{JGL-topology,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {Non-{H}ausdorff Topology and Domain Theory---Selected Topics in Point-Set Topology},
  publisher = {Cambridge University Press},
  series    = {New Mathematical Monographs},
  volume    = {22},
  year      = {2013},
  month     = mar,
  url       = {http://www.cambridge.org/9781107034136},
  isbn      = {9781107034136}
}

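@inproceedings{CCK-esop12,
  address   = {Tallinn, Estonia},
  month     = mar,
  year      = 2012,
  volume    = {7211},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor    = {Seidl, Helmut},
  acronym   = {{ESOP}'12},
  booktitle = {{P}rogramming {L}anguages and {S}ystems~--- {P}roceedings of the 22nd {E}uropean {S}ymposium on {P}rogramming ({ESOP}'12)},
  author    = {Chadha, Rohit and Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Kremer, Steve},
  title     = {Automated verification of equivalence properties of cryptographic protocols},
  pages     = {108--127},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCK-esop12.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCK-esop12.pdf},
  doi       = {10.1007/978-3-642-28869-2_6},
  abstract  = {Indistinguishability properties are essential in formal verification of cryptographic protocols. They are needed to model anonymity properties, strong versions of confidentiality and resistance to offline guessing attacks, and can be conveniently modeled using process equivalences. We present a novel procedure to verify equivalence properties for bounded number of sessions. Our procedure is able to verify trace equivalence for determinate cryptographic protocols. On determinate protocols, trace equivalence coincides with observational equivalence which can therefore be automatically verified for such processes. When protocols are not determinate our procedure can be used for both under- and over-approximations of trace equivalence, which proved successful on examples. The procedure can handle a large set of cryptographic primitives, namely those which can be modeled by an optimally reducing convergent rewrite system. Although, we were unable to prove its termination, it has been implemented in a prototype tool and has been effectively tested on examples, some of which were outside the scope of existing tools.},
}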

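@article{CD-pourlascience13,
  publisher = {Belin},
  journal   = {Pour La Science},
  author    = {Chr{\'e}tien, R{\'e}my and Delaune, St{\'e}phanie},
  title     = {La protection des informations sensibles},
  volume    = {433},
  month     = nov,
  year      = 2013,
  pages     = {70--77},
  url       = {http://www.pourlascience.fr/ewb_pages/a/article-la-protection-des-informations-sensibles-32228.php},
}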

@techreport{rr-lsv-13-13,
  author      = {Hirschi, Lucca},
  title       = {R{\'e}duction d'entrelacements pour l'{\'e}quivalence de traces},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  year        = {2013},
  month       = sep,
  type        = {Research Report},
  number      = {LSV-13-13},
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2013-13.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2013-13.pdf},
  versions    = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2013-13-v1.pdf, 20130910},
  note        = {22~pages},
  abstract    = {La trace \'equivalence permet notamment de mod\'eliser l'anonymat de protocoles cryptographiques. Cette propri\'et\'e est d\'ecidable pour de nombreuses classes de protocoles et quelques outils permettent de la prouver automatiquement. Mais malheureusement, tous ces outils sont tr\`es lents et peu de protocoles r\'eellement int\'eressants peuvent \^etre analys\'es dans un temps raisonnable. Ces outils doivent r\'ealiser un parcours exhaustif des traces (symboliques) possibles. Mais le parall\`ele introduit de nombreux entrelacements dont un grand nombre sont peu pertinents. Cette explosion combinatoire est une des causes de cette inefficacit\'e.\par Une optimisation dont l'id\'ee est emprunt\'ee \`a la POR (Partial Order Reduction) permet de r\'eduire significativement l'espace de recherche en reconnaissant certaines redondances entre les traces. Elle a \'et\'e d\'evelopp\'ee dans le cas des propri\'et\'es d'accessibilit\'e. L'objectif est de l'adapter au cas de l'\'equivalence, de l'automatiser, d'augmenter son champ d'action et de l'introduire dans un outil existant.}
}

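@inproceedings{JGL-mfcs13,
  address   = {Klosterneuburg, Austria},
  month     = aug,
  year      = 2013,
  volume    = {8087},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor    = {Chatterjee, Krishnendu and Sgall, Ji{\v{r}}{\'\i}},
  acronym   = {{MFCS}'13},
  booktitle = {{P}roceedings of the 38th {I}nternational {S}ymposium on {M}athematical {F}oundations of {C}omputer {S}cience ({MFCS}'13)},
  author    = {Goubault{-}Larrecq, Jean},
  title     = {A Constructive Proof of the Topological {K}ruskal Theorem},
  pages     = {22--41},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mfcs13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mfcs13.pdf},
  doi       = {10.1007/978-3-642-40313-2_3},
  abstract  = {We give a constructive proof of Kruskal's Tree Theorem---precisely, of a topological extension of~it. The proof is in the style of a constructive proof of Higman's Lemma due to Murthy and Russell~(1990), and illuminates the role of regular expressions there. In the process, we discover an extension of Dershowitz' recursive path ordering to a form of cyclic terms which we call \(\mu\)-terms. This all came from recent research on Noetherian spaces, and serves as a teaser for their theory.},
}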

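@article{CCD-tcs13,
  publisher = {Elsevier Science Publishers},
  journal   = {Theoretical Computer Science},
  author    = {Cheval, Vincent and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title     = {Deciding equivalence-based properties using constraint solving},
  year      = {2013},
  month     = jun,
  volume    = {492},
  pages     = {1--39},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tcs13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tcs13.pdf},
  doi       = {10.1016/j.tcs.2013.04.016},
  abstract  = {Formal methods have proved their usefulness for analyzing the security of protocols. Most existing results focus on trace properties like secrecy or authentication. There are however several security properties, which cannot be defined (or cannot be naturally defined) as trace properties and require a notion of behavioural equivalence. Typical examples are anonymity, privacy related properties or statements closer to security properties used in cryptography.\par In this paper, we consider three notions of equivalence defined in the applied pi calculus: observational equivalence, may-testing equivalence, and trace equivalence. First, we study the relationship between these three notions. We show that for determinate processes, observational equivalence actually coincides with trace equivalence, a notion simpler to reason with. We exhibit a large class of determinate processes, called simple processes, that capture most existing protocols and cryptographic primitives. While trace equivalence and may-testing equivalence seem very similar, we show that may-testing equivalence is actually strictly stronger than trace equivalence. We prove that the two notions coincide for image-finite processes, such as processes without replication.\par Second, we reduce the decidability of trace equivalence (for finite processes) to deciding symbolic equivalence between sets of constraint systems.
For simple processes without replication and with trivial else branches, it turns out that it is actually sufficient to decide symbolic equivalence between pairs of positive constraint systems. Thanks to this reduction and relying on a result first proved by M. Baudet, this yields the first decidability result of observational equivalence for a general class of equational theories (for processes without else branch nor replication). Moreover, based on another decidability result for deciding equivalence between sets of constraint systems, we get decidability of trace equivalence for processes with else branch for standard primitives.},
}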

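@inproceedings{CCS-cade2013,
  address   = {Lake Placid, New~York, USA},
  month     = jun,
  year      = 2013,
  volume    = 7898,
  series    = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer},
  editor    = {Bonacina, Maria Paola},
  acronym   = {{CADE}'13},
  booktitle = {{P}roceedings of the 24th {I}nternational {C}onference on {A}utomated {D}eduction ({CADE}'13)},
  author    = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique and Scerri, Guillaume},
  title     = {Tractable inference systems: an extension with a deducibility predicate},
  pages     = {91--108},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCS-cade2013.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCS-cade2013.pdf},
  doi       = {10.1007/978-3-642-38574-2_6},
  abstract  = {The main contribution of the paper is a PTIME decision procedure for the satisfiability problem in a class of first-order Horn clauses. Our result is an extension of the tractable classes of Horn clauses of Basin \& Ganzinger in several respects. For instance, our clauses may contain atomic formulas \(S \vdash t\) where \(\vdash\) is a predicate symbol and \(S\) is a finite set of terms instead of a term. \(\vdash\)~is used to represent any possible computation of an attacker, given a set of messages~\(S\). The class of clauses that we consider encompasses the clauses designed by Bana~\& Comon-Lundh for security proofs of protocols in a computational model. \par Because of the (variadic) \(\vdash\) predicate symbol, we cannot use ordered resolution strategies only, as in Basin~\& Ganzinger: given \(S \vdash t\), we must avoid computing \(S' \vdash t\) for all subsets \(S'\) of~\(S\). Instead, we design PTIME entailment procedures for increasingly expressive fragments, such procedures being used as oracles for the next fragment.
\par Finally, we obtain a PTIME procedure for arbitrary ground clauses and saturated Horn clauses (as in Basin~\& Ganzinger), together with a particular class of (non saturated) Horn clauses with the \(\vdash\) predicate and constraints (which are necessary to cover the application).},
}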

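@inproceedings{KKS-esorics13,
  address   = {Egham, U.K.},
  month     = sep,
  year      = 2013,
  volume    = {8134},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor    = {Crampton, Jason and Jajodia, Sushil and Mayes, Keith},
  acronym   = {{ESORICS}'13},
  booktitle = {{P}roceedings of the 18th {E}uropean {S}ymposium on {R}esearch in {C}omputer {S}ecurity ({ESORICS}'13)},
  author    = {Kremer, Steve and K{\"u}nnemann, Robert and Steel, Graham},
  title     = {Universally Composable Key-Management},
  pages     = {327--344},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/KKS-esorics13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/KKS-esorics13.pdf},
  doi       = {10.1007/978-3-642-40203-6_19},
  abstract  = {We present the first universally composable key-management functionality, formalized in the GNUC framework by Hofheinz and Shoup. It allows the enforcement of a wide range of security policies and can be extended by diverse key usage operations with no need to repeat the security proof. We illustrate its use by proving an implementation of a security token secure with respect to arbitrary key-usage operations and explore a proof technique that allows the storage of cryptographic keys externally, a novel development in simulation-based security frameworks.},
}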

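@inproceedings{CCD-icalp13,
  address   = {Riga, Latvia},
  month     = jul,
  year      = 2013,
  volume    = {7966},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor    = {Fomin, Fedor V. and Freivalds, R{\=u}si{\c{n}}{\v{s}} and Kwiatkowska, Marta and Peleg, David},
  acronym   = {{ICALP}'13},
  booktitle = {{P}roceedings of the 40th {I}nternational {C}olloquium on {A}utomata, {L}anguages and {P}rogramming ({ICALP}'13)~-- {P}art~{II}},
  author    = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title     = {From security protocols to pushdown automata},
  pages     = {137--149},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-icalp13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-icalp13.pdf},
  doi       = {10.1007/978-3-642-39212-2_15},
  abstract  = {Formal methods have been very successful in analyzing security protocols for reachability properties such as secrecy or authentication. In contrast, there are very few results for equivalence-based properties, crucial for studying e.g. privacy-like properties such as anonymity or vote secrecy.\par We study the problem of checking equivalence of security protocols for an unbounded number of sessions. Since replication leads very quickly to undecidability (even in the simple case of secrecy), we focus on a limited fragment of protocols (standard primitives but pairs, one variable per protocol's rules) for which the secrecy preservation problem is known to be decidable. Surprisingly, this fragment turns out to be undecidable for equivalence. Then, restricting our attention to deterministic protocols, we propose the first decidability result for checking equivalence of protocols for an unbounded number of sessions. This result is obtained through a characterization of equivalence of protocols in terms of equality of languages of (generalized, real-time) deterministic pushdown automata.},
}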

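% NOTE(review): the doi below has no chapter suffix, unlike the other Springer
% LNCS entries in this file (which end in _N); it may be the volume-level DOI
% rather than the chapter's -- confirm against the publisher record.
@inproceedings{ABGGP-vstte13,
  address   = {Atherton, California, USA},
  year      = 2014,
  volume    = 8164,
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor    = {Cohen, Ernie and Rybalchenko, Andrey},
  acronym   = {{VSTTE}'13},
  booktitle = {{R}evised {S}elected {P}apers of the 5th {IFIP} {TC2}\slash{WG2.3} {C}onference {V}erified {S}oftware---{T}heories, {T}ools, and {E}xperiments ({VSTTE}'13)},
  author    = {Adj{\'e}, Assal{\'e} and Bouissou, Olivier and Goubault{-}Larrecq, Jean and Goubault, {\'E}ric and Putot, Sylvie},
  title     = {Static Analysis of Programs with Imprecise Probabilistic Inputs},
  pages     = {22--47},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/ABGGP-vstte13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/ABGGP-vstte13.pdf},
  doi       = {10.1007/978-3-642-54108-7},
  abstract  = {Having a precise yet sound abstraction of the inputs of numerical programs is important to analyze their behavior. For many programs, these inputs are probabilistic, but the actual distribution used is only partially known. We present a static analysis framework for reasoning about programs with inputs given as imprecise probabilities: we define a collecting semantics based on the notion of previsions and an abstract semantics based on an extension of Dempster-Shafer structures. We prove the correctness of our approach and show on some realistic examples the kind of invariants we are able to infer.},
}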

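@inproceedings{CCP-cav13,
  address   = {Saint Petersburg, Russia},
  month     = jul,
  year      = 2013,
  volume    = {8044},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor    = {Sharygina, Natasha and Veith, Helmut},
  acronym   = {{CAV}'13},
  booktitle = {{P}roceedings of the 25th {I}nternational {C}onference on {C}omputer {A}ided {V}erification ({CAV}'13)},
  author    = {Cheval, Vincent and Cortier, V{\'e}ronique and Plet, Antoine},
  title     = {Lengths may break privacy~---or~how to check for equivalences with length},
  pages     = {708--723},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCP-cav13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCP-cav13.pdf},
  doi       = {10.1007/978-3-642-39799-8_50},
  abstract  = {Security protocols have been successfully analyzed using symbolic models, where messages are represented by terms and protocols by processes. Privacy properties like anonymity or untraceability are typically expressed as equivalence between processes. While some decision procedures have been proposed for automatically deciding process equivalence, all existing approaches abstract away the information an attacker may get when observing the length of messages.\par In this paper, we study process equivalence with length tests. We first show that, in the static case, almost all existing decidability results (for static equivalence) can be extended to cope with length tests. In the active case, we prove decidability of trace equivalence with length tests, for a bounded number of sessions and for standard primitives. Our result relies on a previous decidability result from Cheval~\emph{et~al.} (without length tests). Our procedure has been implemented and we have discovered a new flaw against privacy in the biometric passport protocol.},
}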

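@article{CDKR-fmsd13,
  publisher = {Springer},
  journal   = {Formal Methods in System Design},
  author    = {Chevalier, C{\'e}line and Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title     = {Composition of Password-based Protocols},
  volume    = {43},
  number    = {3},
  pages     = {369--413},
  month     = dec,
  year      = 2013,
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CDKR-fmsd13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CDKR-fmsd13.pdf},
  doi       = {10.1007/s10703-013-0184-6},
  abstract  = {Formal and symbolic techniques are extremely useful for modelling and analysing security protocols. They have helped to improve our understanding of such protocols, allowed us to discover flaws, and they also provide support for protocol design. However, such analyses usually consider that the protocol is executed in isolation or assume a bounded number of protocol sessions. Hence, no security guarantee is provided when the protocol is executed in a more complex environment.\par In this paper, we study whether password protocols can be safely composed, even when a same password is reused. More precisely, we present a transformation which maps a password protocol that is secure for a single protocol session (a~decidable problem) to a protocol that is secure for an unbounded number of sessions. Our result provides an effective strategy to design secure password protocols: (i)~design a protocol intended to be secure for one protocol session; (ii)~apply our transformation and obtain a protocol which is secure for an unbounded number of sessions. Our technique also applies to compose different password protocols allowing us to obtain both inter-protocol and inter-session composition.},
}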

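@incollection{GLJ-hg13,
  noaddress = {},
  month     = jan,
  year      = 2013,
  volume    = 7797,
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  noacronym = {},
  booktitle = {Programming Logics~-- Essays in Memory of {H}arald {G}anzinger},
  editor    = {Voronkov, Andrei and Weidenbach, Christoph},
  author    = {Goubault{-}Larrecq, Jean and Jouannaud, Jean-Pierre},
  title     = {The Blossom of Finite Semantic Trees},
  pages     = {90--122},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-hg13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-hg13.pdf},
}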

@mastersthesis{m2-lefaucheux,
  author = {Lefaucheux, Engel},
  title  = {D{\'e}tection de fautes dans les syst{\`e}mes probabilistes},
  school = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France},
  type   = {Rapport de {M}aster},
  year   = {2014},
  month  = sep,
  url    = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-lefaucheux.pdf},
  pdf    = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-lefaucheux.pdf},
  note   = {35~pages}
}

@mastersthesis{m2-dubut,
  author = {Dubut, J{\'e}r{\'e}my},
  title  = {{H}omologie dirig{\'e}e},
  school = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France},
  type   = {Rapport de {M}aster},
  year   = {2014},
  month  = sep,
  url    = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dubut.pdf},
  pdf    = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dubut.pdf},
  note   = {35~pages}
}

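@inproceedings{BC-ccs14,
  address   = {Scottsdale, Arizona, USA},
  month     = nov,
  year      = 2014,
  publisher = {ACM Press},
  editor    = {Ahn, Gail-Joon and Yung, Moti and Li, Ninghui},
  acronym   = {{CCS}'14},
  booktitle = {{P}roceedings of the 21st {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity ({CCS}'14)},
  author    = {Bana, Gergei and Comon{-}Lundh, Hubert},
  title     = {A~Computationally Complete Symbolic Attacker for Equivalence Properties},
  pages     = {609--620},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-ccs14.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-ccs14.pdf},
  doi       = {10.1145/2660267.2660276},
  abstract  = {We consider the problem of computational indistinguishability of protocols. We design a symbolic model, amenable to automated deduction, such that a successful inconsistency proof implies computational indistinguishability. Conversely, symbolic models of distinguishability provide clues for likely computational attacks. We follow the idea we introduced earlier for reachability properties, axiomatizing what an attacker cannot violate. This results a computationally complete symbolic attacker, and ensures unconditional computational soundness for the symbolic analysis. We present a small library of computationally sound, modular axioms, and test our technique on an example protocol. Despite additional difficulties stemming from the equivalence properties, the models and the soundness proofs turn out to be simpler than they were for reachability properties.},
}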

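% NOTE(review): the citation key says mfps30 while url/pdf point at
% GLJ-mfps14.pdf and the acronym is MFPS'14; harmless for BibTeX, but confirm
% the file name is the intended one.
@inproceedings{GLJ-mfps30,
  address   = {Ithaca, New~York, USA},
  month     = jun,
  year      = 2014,
  volume    = 308,
  series    = {Electronic Notes in Theoretical Computer Science},
  publisher = {Elsevier Science Publishers},
  editor    = {Jacobs, Bart and Silva, Alexandra and Staton, Sam},
  acronym   = {{MFPS}'14},
  booktitle = {{P}roceedings of the 30th {C}onference on {M}athematical {F}oundations of {P}rogramming {S}emantics ({MFPS}'14)},
  author    = {Goubault{-}Larrecq, Jean and Jung, Achim},
  title     = {{QRB}, {QFS}, and the Probabilistic Powerdomain},
  pages     = {167--182},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-mfps14.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-mfps14.pdf},
  doi       = {10.1016/j.entcs.2014.10.010},
  abstract  = {We show that the first author's QRB-domains coincide with Li and Xu's QFS-domains, and also with Lawson-compact quasi-continuous dcpos, with stably-compact locally finitary compact spaces, with sober QFS-spaces, and with sober QRB-spaces. The first three coincidences were discovered independently by Lawson and~Xi. The equivalence with sober QFS-spaces is then applied to give a novel, direct proof that the probabilistic powerdomain of a QRB-domain is a QRB-domain. This improves upon a previous, similar result, which was limited to pointed, second-countable QRB-domains.},
}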

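@article{jgl-jlap14,
  publisher = {Elsevier Science Publishers},
  journal   = {Journal of Logic and Algebraic Methods in Programming},
  author    = {Goubault{-}Larrecq, Jean},
  title     = {Full Abstraction for Non-Deterministic and Probabilistic Extensions of {PCF}~{I}: the~Angelic Cases},
  volume    = 84,
  number    = 1,
  year      = 2015,
  month     = jan,
  pages     = {155--184},
  opteditor = {Berger, Ulrich},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/jgl-jlap14.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/jgl-jlap14.pdf},
  doi       = {10.1016/j.jlamp.2014.09.003},
  abstract  = {We examine several extensions and variants of Plotkin's language~PCF, including non-deterministic and probabilistic choice constructs. For~each, we give an operational and a denotational semantics, and compare them. In each case, we show soundness and computational adequacy: the two semantics compute the same values at ground types. Beyond this, we establish full abstraction (the~observational preorder coincides with the denotational preorder) in a number of cases. In~the probabilistic cases, this requires the addition of so-called statistical termination testers to the language.},
}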

@article{CD-interstices14,
  publisher = {INRIA},
  journal   = {Interstices},
  author    = {Chr{\'e}tien, R{\'e}my and Delaune, St{\'e}phanie},
  title     = {Le~bitcoin, une monnaie \(100\%\) num{\'e}rique},
  month     = sep,
  year      = {2014},
  url       = {https://interstices.info/jcms/ni_78681/le-bitcoin-une-monnaie-100-numerique},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-interstices14.pdf}
}

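@inproceedings{CDR-tgc14,
  address   = {Rome, Italy},
  month     = dec,
  year      = 2014,
  volume    = {8902},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor    = {Maffei, Matteo and Tuosto, Emilio},
  acronym   = {{TGC}'14},
  booktitle = {{R}evised {S}elected {P}apers of the 9th {S}ymposium on {T}rustworthy {G}lobal {C}omputing ({TGC}'14)},
  author    = {Cheval, Vincent and Delaune, St{\'e}phanie and Ryan, Mark D.},
  title     = {Tests for establishing security properties},
  pages     = {82--96},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CDR-tgc14.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CDR-tgc14.pdf},
  doi       = {10.1007/978-3-662-45917-1_6},
  abstract  = {Ensuring strong security properties in some cases requires participants to carry out tests during the execution of a protocol. A~classical example is electronic voting: participants are required to verify the presence of their ballots on a bulletin board, and to verify the computation of the election outcome. The notion of certificate transparency is another example, in which participants in the protocol are required to perform tests to verify the integrity of a certificate log.\par We present a framework for modelling systems with such `testable properties', using the applied pi calculus. We model the tests that are made by participants in order to obtain the security properties. Underlying our work is an attacker model called {"}malicious but cautious{"}, which lies in between the Dolev-Yao model and the {"}honest but curious{"} model. The malicious-but-cautious model is appropriate for cloud computing providers that are potentially malicious but are assumed to be cautious about launching attacks that might cause user tests to fail.},
}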

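% NOTE(review): the booktitle reads as a tribute volume rather than conference
% proceedings, and the entry carries no address or month; the incollection
% type may fit better -- confirm before changing, since styles format the two
% types differently.
@inproceedings{GLS-pp14,
  year      = 2014,
  volume    = 8464,
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor    = {van Breugel, Franck and Kashefi, Elham and Palamidessi, Catuscia and Rutten, Jan},
  booktitle = {Horizons of the Mind. A~Tribute to Prakash Panangaden},
  author    = {Goubault{-}Larrecq, Jean and Segala, Roberto},
  title     = {Random Measurable Selections},
  pages     = {343--362},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/GLS-pp14.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/GLS-pp14.pdf},
  doi       = {10.1007/978-3-319-06880-0_18},
  abstract  = {We make the first steps towards showing a general {"}randomness for free{"} theorem for stochastic automata. The goal of such theorems is to replace randomized schedulers by averages of pure schedulers. Here, we explore the case of measurable multifunctions and their measurable selections. This involves constructing probability measures on the measurable space of measurable selections of a given measurable multifunction, which seems to be a fairly novel problem. We then extend this to the case of IT automata, namely, non-deterministic (infinite) automata with a history-dependent transition relation. Throughout, we strive to make our assumptions minimal.},
}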

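@article{ADK-lmcs14,
  journal  = {Logical Methods in Computer Science},
  author   = {Arapinis, Myrto and Delaune, St{\'e}phanie and Kremer, Steve},
  title    = {Dynamic Tags for Security Protocols},
  volume   = 10,
  number   = {2:11},
  nopages  = {},
  month    = jun,
  year     = 2014,
  url      = {http://www.lsv.fr/Publis/PAPERS/PDF/ADK-lmcs14.pdf},
  pdf      = {http://www.lsv.fr/Publis/PAPERS/PDF/ADK-lmcs14.pdf},
  doi      = {10.2168/LMCS-10(2:11)2014},
  abstract = {The design and verification of cryptographic protocols is a notoriously difficult task, even in symbolic models which take an abstract view of cryptography. This is mainly due to the fact that protocols may interact with an arbitrary attacker which yields a verification problem that has several sources of unboundedness (size of messages, number of sessions, etc.). In this paper, we characterize a class of protocols for which deciding security for an unbounded number of sessions is decidable. More precisely, we present a simple transformation which maps a protocol that is secure for a bounded number of protocol sessions (a~decidable problem) to a protocol that is secure for an unbounded number of sessions. The precise number of sessions that need to be considered is a function of the security property and we show that for several classical security properties a single session is sufficient. Therefore, in many cases our results yields a design strategy for security protocols: (i)~design a protocol intended to be secure for a {single session}; and (ii)~apply our transformation to obtain a protocol which is secure for an unbounded number of sessions.},
}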

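@inproceedings{CCD-concur14,
  author    = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title     = {Typing messages for free in security protocols: the~case of equivalence properties},
  editor    = {Baldan, Paolo and Gorla, Daniele},
  booktitle = {{P}roceedings of the 25th {I}nternational {C}onference on {C}oncurrency {T}heory ({CONCUR}'14)},
  acronym   = {{CONCUR}'14},
  series    = {Lecture Notes in Computer Science},
  volume    = 8704,
  pages     = {372--386},
  publisher = {Springer},
  address   = {Rome, Italy},
  month     = sep,
  year      = 2014,
  doi       = {10.1007/978-3-662-44584-6_26},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-concur14.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-concur14.pdf},
  abstract  = {Privacy properties such as untraceability, vote secrecy, or anonymity are typically expressed as behavioural equivalence in a process algebra that models security protocols. In this paper, we study how to decide one particular relation, namely trace equivalence, for an unbounded number of sessions.\par Our first main contribution is to reduce the search space for attacks. Specifically, we show that if there is an attack then there is one that is well-typed. Our result holds for a large class of typing systems and a large class of determinate security protocols. Assuming finitely many nonces and keys, we can derive from this result that trace equivalence is decidable for an unbounded number of sessions for a class of tagged protocols, yielding one of the first decidability results for the unbounded case. As an intermediate result, we also provide a novel decision procedure in the case of a bounded number of sessions.},
}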

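@incollection{CD-nato12,
  author    = {Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie},
  title     = {Formal Security Proofs},
  editor    = {Nipkow, Tobias and Grumberg, Orna and Hauptmann, Benedikt},
  booktitle = {Software Safety and Security},
  series    = {NATO Science for Peace and Security Series~-- D:~Information and Communication Security},
  volume    = {33},
  pages     = {26--63},
  publisher = {{IOS} Press},
  month     = may,
  year      = 2012,
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-nato12.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-nato12.pdf},
}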

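@inproceedings{CLHKS-ispec12,
  author    = {Comon{-}Lundh, Hubert and Hagiya, Masami and Kawamoto, Yusuke and Sakurada, Hideki},
  title     = {Computational Soundness of Indistinguishability Properties without Computable Parsing},
  editor    = {Ryan, Mark D. and Smyth, Ben and Wang, Guilin},
  booktitle = {{P}roceedings of the 8th {I}nternational {C}onference on {I}nformation {S}ecurity {P}ractice and {E}xperience ({ISPEC}'12)},
  acronym   = {{ISPEC}'12},
  series    = {Lecture Notes in Computer Science},
  volume    = 7232,
  pages     = {63--79},
  publisher = {Springer},
  address   = {Hangzhou, China},
  month     = apr,
  year      = 2012,
  doi       = {10.1007/978-3-642-29101-2_5},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CHKS-ispec12.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CHKS-ispec12.pdf},
  abstract  = {We provide a symbolic model for protocols using public-key encryption and hash function, and prove that this model is computationally sound: if there is an attack in the computational world, then there is an attack in the symbolic (abstract) model. Our original contribution is that we deal with the security properties, such as anonymity, which cannot be described using a single execution trace, while considering an unbounded number of sessions of the protocols in the presence of active and adaptive adversaries. Our soundness proof is different from all existing studies in that it does not require a computable parsing function from bit strings to terms. This allows us to deal with more cryptographic primitives, such as a preimage-resistant and collision-resistant hash function whose input may have different lengths.},
}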

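@inproceedings{BDH-post14,
  author    = {Baelde, David and Delaune, St{\'e}phanie and Hirschi, Lucca},
  title     = {A~reduced semantics for deciding trace equivalence using constraint systems},
  editor    = {Abadi, Mart{\'\i}n and Kremer, Steve},
  booktitle = {{P}roceedings of the 3rd {I}nternational {C}onference on {P}rinciples of {S}ecurity and {T}rust ({POST}'14)},
  acronym   = {{POST}'14},
  series    = {Lecture Notes in Computer Science},
  volume    = {8414},
  pages     = {1--21},
  publisher = {Springer},
  address   = {Grenoble, France},
  month     = apr,
  year      = 2014,
  doi       = {10.1007/978-3-642-54792-8_1},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-post14.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-post14.pdf},
  abstract  = {Many privacy-type properties of security protocols can be modelled using trace equivalence properties in suitable process algebras. It has been shown that such properties can be decided for interesting classes of finite processes (i.e.,~without replication) by means of symbolic execution and constraint solving. However, this does not suffice to obtain practical tools. Current prototypes suffer from a classical combinatorial explosion problem caused by the exploration of many interleavings in the behaviour of processes. Modersheim et~al. have tackled this problem for reachability properties using partial order reduction techniques. We revisit their work, generalize it and adapt it for equivalence checking. We obtain an optimization in the form of a reduced symbolic semantics that eliminates redundant interleavings on the fly.},
}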

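@article{ACD-icomp13,
  author    = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title     = {Modeling and Verifying Ad~Hoc Routing Protocols},
  journal   = {Information and Computation},
  volume    = 238,
  pages     = {30--67},
  publisher = {Elsevier Science Publishers},
  month     = nov,
  year      = 2014,
  doi       = {10.1016/j.ic.2014.07.004},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-icomp13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-icomp13.pdf},
  abstract  = {Mobile ad hoc networks consist of mobile wireless devices which autonomously organize their infrastructure. In such networks, a central issue, ensured by routing protocols, is to find a route from one device to another. Those protocols use cryptographic mechanisms in order to prevent malicious nodes from compromising the discovered route.\par Our contribution is twofold. We first propose a calculus for modeling and reasoning about security protocols, including in particular secured routing protocols. Our calculus extends standard symbolic models to take into account the characteristics of routing protocols and to model wireless communication in a more accurate way. Our second main contribution is a decision procedure for analyzing routing protocols for any network topology. By using constraint solving techniques, we show that it is possible to automatically discover (in~NPTIME) whether there exists a network topology that would allow malicious nodes to mount an attack against the protocol, for a bounded number of sessions. We also provide a decision procedure for detecting attacks in case the network topology is given a priori. We demonstrate the usage and usefulness of our approach by analyzing protocols of the literature, such as SRP applied to DSR and SDMSR.},
}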

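@article{GL-acs13,
  author         = {Goubault{-}Larrecq, Jean},
  title          = {Exponentiable streams and prestreams},
  journal        = {Applied Categorical Structures},
  volume         = {22},
  number         = {3},
  pages          = {515--549},
  publisher      = {Springer},
  month          = jun,
  year           = 2014,
  doi            = {10.1007/s10485-013-9315-x},
  url            = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13.pdf},
  pdf            = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13.pdf},
  corrigendumpdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13-erratum.pdf},
  note           = {Errata 1: \url{http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13-erratum.pdf}; Errata 2: \url{http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13-erratum2.pdf}},
  abstract       = {Inspired by a construction of Escard{\'o}, Lawson, and Simpson, we give a general construction of \(\mathcal C\)-generated objects in a topological construct. When \(\mathcal C\) consists of exponentiable objects, the resulting category is Cartesian-closed. This generalizes the familiar construction of compactly-generated spaces, and we apply this to Krishnan's categories of streams and prestreams, as well as to Haucourt streams. For that, we need to identify the exponentiable objects in these categories: for prestreams, we show that these are the preordered core-compact topological spaces, and for streams, these are the core-compact streams.},
}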

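@article{GL-mscs13,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {A~short proof of the {S}chr{\"o}der-{S}impson theorem},
  journal   = {Mathematical Structures in Computer Science},
  volume    = 25,
  number    = 1,
  pages     = {1--5},
  publisher = {Cambridge University Press},
  month     = jan,
  year      = 2015,
  doi       = {10.1017/S0960129513000467},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-mscs13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-mscs13.pdf},
  abstract  = {We give a short and elementary proof of the Schr{\"o}der-Simpson Theorem, which states that the space of all continuous maps from a given space~\(X\) to the non-negative reals with their Scott topology is the cone-theoretic dual of the probabilistic powerdomain on~\(X\).},
}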

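@article{BCD-icomp13,
  author    = {Bursuc, Sergiu and Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie},
  title     = {Deducibility constraints and blind signatures},
  journal   = {Information and Computation},
  volume    = 238,
  pages     = {106--127},
  publisher = {Elsevier Science Publishers},
  month     = nov,
  year      = {2014},
  doi       = {10.1016/j.ic.2014.07.006},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-icomp13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-icomp13.pdf},
  nonote    = {32~pages},
  abstract  = {Deducibility constraints represent in a symbolic way the infinite set of possible executions of a finite protocol. Solving a deducibility constraint amounts to finding all possible ways of filling the gaps in a proof. For finite local inference systems, there is an algorithm that reduces any deducibility constraint to a finite set of solved forms. This allows one to decide any trace security property of cryptographic protocols.\par We investigate here the case of infinite local inference systems, through the case study of blind signatures. We show that, in this case again, any deducibility constraint can be reduced to finitely many solved forms (hence we can decide trace security properties). We sketch also another example to which the same method can be applied.},
}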

@mastersthesis{m2-dallon,
  author = {Dallon, Antoine},
  title  = {Verification of Cryptographic Protocols : a bound on the number of agents},
  school = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France},
  type   = {Rapport de {M}aster},
  month  = sep,
  year   = {2015},
  url    = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dallon.pdf},
  pdf    = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dallon.pdf},
  note   = {38~pages},
}

@article{CCD-tocl15,
  author    = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title     = {From security protocols to pushdown automata},
  journal   = {ACM Transactions on Computational Logic},
  volume    = {17},
  number    = {1:3},
  nopages   = {},
  publisher = {ACM Press},
  month     = sep,
  year      = 2015,
  doi       = {10.1145/2811262},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tocl15.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tocl15.pdf},
  abstract  = {Formal methods have been very successful in analyzing security protocols for reachability properties such as secrecy or authentication. In contrast, there are very few results for equivalence-based properties, crucial for studying e.g. privacy-like properties such as anonymity or vote secrecy.\par We study the problem of checking equivalence of security protocols for an unbounded number of sessions. Since replication leads very quickly to undecidability (even in the simple case of secrecy), we focus on a limited fragment of protocols (standard primitives but pairs, one variable per protocol's rules) for which the secrecy preservation problem is known to be decidable. Surprisingly, this fragment turns out to be undecidable for equivalence. Then, restricting our attention to deterministic protocols, we propose the first decidability result for checking equivalence of protocols for an unbounded number of sessions. This result is obtained through a characterization of equivalence of protocols in terms of equality of languages of (generalized, real-time) deterministic pushdown automata. We further show that checking for equivalence of protocols is actually equivalent to checking for equivalence of generalized, real-time deterministic pushdown automata.\par Very recently, the algorithm for checking for equivalence of deterministic pushdown automata has been implemented. We have implemented our translation from protocols to pushdown automata, yielding the first tool that decides equivalence of (some class of) protocols, for an unbounded number of sessions. As an application, we have analyzed some protocols of the literature including a simplified version of the basic access control (BAC) protocol used in biometric passports.},
}

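@inproceedings{CCD-esorics15,
  author    = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title     = {Checking trace equivalence: How to get rid of nonces?},
  editor    = {Ryan, Peter and Weippl, Edgar},
  booktitle = {{P}roceedings of the 20th {E}uropean {S}ymposium on {R}esearch in {C}omputer {S}ecurity ({ESORICS}'15)},
  acronym   = {{ESORICS}'15},
  series    = {Lecture Notes in Computer Science},
  pages     = {230--251},
  publisher = {Springer},
  address   = {Vienna, Austria},
  month     = sep,
  year      = 2015,
  doi       = {10.1007/978-3-319-24177-7_12},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-esorics15.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-esorics15.pdf},
  abstract  = {Security protocols can be successfully analysed using formal methods. When proving security in symbolic settings for an unbounded number of sessions, a typical technique consists in abstracting away fresh nonces and keys by a bounded set of constants. While this abstraction is clearly sound in the context of secrecy properties (for protocols without else branches), this is no longer the case for equivalence properties.\par In this paper, we study how to soundly get rid of nonces in the context of equivalence properties. We show that nonces can be replaced by constants provided that each nonce is associated to two constants (instead of typically one constant for secrecy properties). Our result holds for deterministic (simple) protocols and a large class of primitives that includes e.g. standard primitives, blind signatures, and zero-knowledge proofs.},
}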

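@article{BCGMNTW-jfr14,
  author    = {Baelde, David and Chaudhuri, Kaustuv and Gacek, Andrew and Miller, Dale and Nadathur, Gopalan and Tiu, Alwen and Wang, Yuting},
  title     = {Abella: A~System for Reasoning about Relational Specifications},
  journal   = {Journal of Formalized Reasoning},
  volume    = {7},
  number    = {2},
  pages     = {1--89},
  publisher = {University of Bologna},
  year      = {2014},
  doi       = {10.6092/issn.1972-5787/4650},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/BCGMNTW-jfr14.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/BCGMNTW-jfr14.pdf},
  abstract  = {The Abella interactive theorem prover is based on an intuitionistic logic that allows for inductive and co-inductive reasoning over relations. Abella supports the \(\lambda\)-tree approach to treating syntax containing binders: it~allows simply typed \(\lambda\)-terms to be used to represent such syntax and it provides higher-order (pattern) unification, the \(\nabla\) quantifier, and nominal constants for reasoning about these representations. As such, it is a suitable vehicle for formalizing the meta-theory of formal systems such as logics and programming languages. This tutorial exposes Abella incrementally, starting with its capabilities at a first-order logic level and gradually presenting more sophisticated features, ending with the support it offers to the \emph{two-level logic approach} to meta-theoretic reasoning. Along the way, we show how Abella can be used to prove theorems involving natural numbers, lists, and automata, as well as involving typed and untyped \(\lambda\)-calculi and the \(\pi\)-calculus.},
}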

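@inproceedings{BDS-csl15,
  author    = {Baelde, David and Doumane, Amina and Saurin, Alexis},
  title     = {Least and Greatest Fixed Points in Ludics},
  editor    = {Kreuzer, Stephan},
  booktitle = {{P}roceedings of the 24th {A}nnual {EACSL} {C}onference on {C}omputer {S}cience {L}ogic ({CSL}'15)},
  acronym   = {{CSL}'15},
  series    = {Leibniz International Proceedings in Informatics},
  volume    = {41},
  pages     = {549--566},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  address   = {Berlin, Germany},
  month     = sep,
  year      = 2015,
  doi       = {10.4230/LIPIcs.CSL.2015.549},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/BDS-csl15.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/BDS-csl15.pdf},
  abstract  = {Various logics have been introduced in order to reason over (co)inductive specifications and, through the Curry-Howard correspondence, to study computation over inductive and coinductive data. The logic mu-MALL is one of those logics, extending multiplicative and additive linear logic with least and greatest fixed point operators.\par In this paper, we investigate the semantics of mu-MALL proofs in (computational) ludics. This framework is built around the notion of design, which can be seen as an analogue of the strategies of game semantics. The infinitary nature of designs makes them particularly well suited for representing computations over infinite data.\par We provide mu-MALL with a denotational semantics, interpreting proofs by designs and formulas by particular sets of designs called behaviours. Then we prove a completeness result for the class of {"}essentially finite designs{"}, which are those designs performing a finite computation followed by a copycat. On the way to completeness, we investigate semantic inclusion, proving its decidability (given two formulas, we can decide whether the semantics of one is included in the other's) and completeness (if semantic inclusion holds, the corresponding implication is provable in mu-MALL).},
}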

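@inproceedings{BDH-concur15,
  author    = {Baelde, David and Delaune, St{\'e}phanie and Hirschi, Lucca},
  title     = {Partial Order Reduction for Security Protocols},
  editor    = {Aceto, Luca and de Frutos-Escrig, David},
  booktitle = {{P}roceedings of the 26th {I}nternational {C}onference on {C}oncurrency {T}heory ({CONCUR}'15)},
  acronym   = {{CONCUR}'15},
  series    = {Leibniz International Proceedings in Informatics},
  volume    = {42},
  pages     = {497--510},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  address   = {Madrid, Spain},
  month     = sep,
  year      = 2015,
  doi       = {10.4230/LIPIcs.CONCUR.2015.497},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-concur15.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-concur15.pdf},
  abstract  = {Security protocols are concurrent processes that communicate using cryptography with the aim of achieving various security properties. Recent work on their formal verification has brought procedures and tools for deciding trace equivalence properties (\textit{e.g.},~anonymity, unlinkability, vote secrecy) for a bounded number of sessions. However, these procedures are based on a naive symbolic exploration of all traces of the considered processes which, unsurprisingly, greatly limits the scalability and practical impact of the verification tools.\par In this paper, we mitigate this difficulty by developing partial order reduction techniques for the verification of security protocols. We provide reduced transition systems that optimally eliminate redundant traces, and which are adequate for model-checking trace equivalence properties of protocols by means of symbolic execution. We have implemented our reductions in the tool \textsf{Apte}, and demonstrated that it achieves the expected speedup on various protocols.},
}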

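@inproceedings{CCD-csf15,
  author    = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title     = {Decidability of trace equivalence for protocols with nonces},
  booktitle = {{P}roceedings of the 28th {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'15)},
  acronym   = {{CSF}'15},
  pages     = {170--184},
  publisher = {{IEEE} Computer Society Press},
  address   = {Verona, Italy},
  month     = jul,
  year      = 2015,
  doi       = {10.1109/CSF.2015.19},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-csf15.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-csf15.pdf},
  abstract  = {Privacy properties such as anonymity, unlinkability, or vote secrecy are typically expressed as equivalence properties.\par In this paper, we provide the first decidability result for trace equivalence of security protocols, for an unbounded number of sessions and unlimited fresh nonces. Our class encompasses most symmetric key protocols of the literature, in their tagged variant.},
}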

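@inproceedings{DGGL-icalp15,
  author    = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and Goubault{-}Larrecq, Jean},
  title     = {Natural Homology},
  editor    = {Halld{\'o}rsson, Magnus M. and Iwama, Kazuo and Kobayashi, Naoki and Speckmann, Bettina},
  booktitle = {{P}roceedings of the 42nd {I}nternational {C}olloquium on {A}utomata, {L}anguages and {P}rogramming ({ICALP}'15)~-- {P}art~{II}},
  acronym   = {{ICALP}'15},
  series    = {Lecture Notes in Computer Science},
  volume    = {9135},
  pages     = {171--183},
  publisher = {Springer},
  address   = {Kyoto, Japan},
  month     = jul,
  year      = 2015,
  doi       = {10.1007/978-3-662-47666-6_14},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-icalp15.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-icalp15.pdf},
  abstract  = {We propose a notion of homology for directed algebraic topology, based on so-called natural systems of abelian groups, and which we call natural homology. Contrarily to previous proposals, and as we show, natural homology has many desirable properties: it~is invariant under isomorphisms of directed spaces, it is invariant under refinement (subdivision), and it is computable on cubical complexes.},
}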

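@inproceedings{ACD-post15,
  author    = {Arapinis, Myrto and Cheval, Vincent and Delaune, St{\'e}phanie},
  title     = {Composing security protocols: from confidentiality to privacy},
  editor    = {Focardi, Riccardo and Myers, Andrew},
  booktitle = {{P}roceedings of the 4th {I}nternational {C}onference on {P}rinciples of {S}ecurity and {T}rust ({POST}'15)},
  acronym   = {{POST}'15},
  series    = {Lecture Notes in Computer Science},
  volume    = {9036},
  pages     = {324--343},
  publisher = {Springer},
  address   = {London, UK},
  month     = apr,
  year      = 2015,
  doi       = {10.1007/978-3-662-46666-7_17},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-post15.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-post15.pdf},
  abstract  = {Security protocols are used in many of our daily-life applications, and our privacy largely depends on their design. Formal verification techniques have proved their usefulness to analyse these protocols, but they become so complex that modular techniques have to be developed. We propose several results to safely compose security protocols. We consider arbitrary primitives modeled using an equational theory, and a rich process algebra close to the applied pi calculus.\par Relying on these composition results, we derive some security properties on a protocol from the security analysis performed on each of its sub-protocols individually. We consider parallel composition and the case of key-exchange protocols. Our results apply to deal with confidentiality but also privacy-type properties (e.g. anonymity) expressed using a notion of equivalence. We illustrate the usefulness of our composition results on protocols from the 3G phone application and electronic passport.},
}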

@phdthesis{scerri-phd15,
  author = {Scerri, Guillaume},
  title  = {Proofs of security protocols revisited},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  type   = {Th{\`e}se de doctorat},
  month  = jan,
  year   = 2015,
  url    = {http://www.lsv.fr/Publis/PAPERS/PDF/scerri-phd15.pdf},
  pdf    = {http://www.lsv.fr/Publis/PAPERS/PDF/scerri-phd15.pdf},
}

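@article{AFG-sif15,
  author    = {Abiteboul, Serge and Fribourg, Laurent and Goubault{-}Larrecq, Jean},
  title     = {{G}{\'e}rard {B}erry~: un~informaticien m{\'e}daille d'or du {CNRS}~2014},
  journal   = {1024~-- Bulletin de la soci{\'e}t{\'e} informatique de France},
  volume    = 4,
  pages     = {139--142},
  publisher = {SIF},
  month     = oct,
  year      = 2014,
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/AFG-sif15.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/AFG-sif15.pdf},
  abstract  = {C'est un chercheur en informatique qui vient de recevoir la m{\'e}daille d'or du CNRS, la plus haute distinction scientifique fran{\c c}aise toutes disciplines confondues. Les informaticiens sont rares {\`a} avoir {\'e}t{\'e} ainsi honor{\'e}s : ce n'est que la seconde fois apr{\`e}s Jacques Stern en~2006.},
}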

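@inproceedings{GLO-fps13,
  author    = {Goubault{-}Larrecq, Jean and Olivain, Julien},
  title     = {On~the Efficiency of Mathematics in Intrusion Detection: The {NetEntropy} Case},
  editor    = {Danger, Jean-Luc and Debbabi, Mourad and Marion, Jean-Yves and Garcia{-}Alfaro, Joaquin and Zincir{-}Heywood, Nur},
  booktitle = {{R}evised {S}elected {P}apers of the 6th {I}nternational {S}ymposium on {F}oundations and {P}ractice of {S}ecurity ({FPS}'13)},
  acronym   = {{FPS}'13},
  series    = {Lecture Notes in Computer Science},
  volume    = 8352,
  pages     = {3--16},
  publisher = {Springer},
  address   = {La Rochelle, France},
  month     = oct,
  year      = 2013,
  doi       = {10.1007/978-3-319-05302-8_1},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/GLO-fps13.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/GLO-fps13.pdf},
  abstract  = {NetEntropy is a plugin to the Orchids intrusion detection tool that is originally meant to detect some subtle attacks on implementations of cryptographic protocols such as {SSL\slash TLS}. NetEntropy compares the sample entropy of a data stream to a known profile, and flags any significant variation. Our point is to stress the \emph{mathematics} behind NetEntropy: the reason of the rather incredible precision of NetEntropy is to be found in theorems due to Paninski and Moddemeijer.},
}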

@mastersthesis{m2-jacomme,
  author = {Jacomme, Charlie},
  title  = {Automated applications of Cryptographic Assumptions},
  school = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France},
  type   = {Rapport de {M}aster},
  month  = sep,
  year   = {2016},
  pdf    = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-jacomme.pdf},
}

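@article{DH-jlamp16,
  author    = {Delaune, St{\'e}phanie and Hirschi, Lucca},
  title     = {A survey of symbolic methods for establishing equivalence-based properties in cryptographic protocols},
  journal   = {Journal of Logic and Algebraic Methods in Programming},
  volume    = {87},
  pages     = {127--144},
  publisher = {Elsevier Science Publishers},
  year      = {2016},
  doi       = {10.1016/j.jlamp.2016.10.005},
  url       = {http://www.sciencedirect.com/science/article/pii/S235222081630133X},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DH-jlamp16.pdf},
  note      = {To~appear},
  abstract  = {Cryptographic protocols aim at securing communications over insecure networks such as the Internet, where dishonest users may listen to communications and interfere with them. A secure communication has a different meaning depending on the underlying application. It ranges from the confidentiality of a data to e.g. verifiability in electronic voting systems. Another example of a security notion is privacy. Formal symbolic models have proved their usefulness for analysing the security of protocols. Until quite recently, most results focused on trace properties like confidentiality or authentication. There are however several security properties, which cannot be defined (or cannot be naturally defined) as trace properties and require a notion of behavioural equivalence. Typical examples are anonymity, and privacy related properties. During the last decade, several results and verification tools have been developed to analyse equivalence-based security properties. We propose here a synthesis of decidability and undecidability results for equivalence-based security properties. Moreover, we give an overview of existing verification tools that may be used to verify equivalence-based security properties.},
}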

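@article{GLSSW-dagrep16,
  author    = {Goubault{-}Larrecq, Jean and Seisenberger, Monika and Selivanov, Victor and Weiermann, Andreas},
  title     = {Well {Q}uasi-{O}rders in {C}omputer {S}cience ({D}agstuhl {S}eminar 16031)},
  journal   = {Dagstuhl Reports},
  volume    = {6},
  number    = {1},
  pages     = {69--98},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  month     = jan,
  year      = 2016,
  doi       = {10.4230/DagRep.6.1.69},
  url       = {http://dx.doi.org/10.4230/DagRep.6.1.69},
  pdf       = {http://dx.doi.org/10.4230/DagRep.6.1.69},
  abstract  = {This report documents the program and the outcomes of Dagstuhl Seminar 16031 {"}Well Quasi{-}Orders in Computer Science{"}, the first seminar devoted to the multiple and deep interactions between the theory of Well quasi{-}orders (known as the Wqo{-}Theory) and several fields of Computer Science (Verification and Termination of Infinite-State Systems, Automata and Formal Languages, Term Rewriting and Proof Theory, topological complexity of computational problems on continuous functions). Wqo{-}Theory is a highly developed part of Combinatorics with ever-growing number of applications in Mathematics and Computer Science, and Well quasi-orders are going to become an important unifying concept of Theoretical Computer Science. In this seminar, we brought together several communities from Computer Science and Mathematics in order to facilitate the knowledge transfer between Mathematicians and Computer Scientists as well as between established and younger researchers and thus to push forward the interaction between Wqo{-}Theory and Computer Science.},
}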

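@inproceedings{GLL-rv16,
  author     = {Goubault{-}Larrecq, Jean and Lachance, Jean{-}Philippe},
  title      = {On the {C}omplexity of {M}onitoring {O}rchids {S}ignatures},
  noeditor   = {Madrid, Spain},
  booktitle  = {{P}roceedings of the 16th {C}onference on {R}untime {V}erification ({RV}'16)},
  acronym    = {{RV}'16},
  series     = {Lecture Notes in Computer Science},
  volume     = 10012,
  pages      = {169--164},
  publisher  = {Springer},
  address    = {Madrid, Spain},
  month      = sep,
  year       = 2016,
  doi        = {10.1007/978-3-319-46982-9_11},
  opturl     = {http://link.springer.com/chapter/10.1007%2F978-3-319-46982-9_11},
  optpdf     = {http://link.springer.com/chapter/10.1007%2F978-3-319-46982-9_11},
  reviewnote = {The editor field held the conference address, so it is disabled as noeditor until the editor names are filled in; the pages range is descending, check it against the proceedings},
  abstract   = {Modern monitoring tools such as our intrusion detection tool Orchids work by firing new monitor instances dynamically. Given an Orchids signature (a.k.a. a rule, a specification), what is the complexity of checking that specification, that signature? In other words, let f(n) be the maximum number of monitor instances that can be fired on a sequence of n events: we design an algorithm that decides whether f(n) is asymptotically exponential or polynomial, and in the latter case returns an exponent d such that \(f(n)=\Theta(n^d)\). Ultimately, the problem reduces to the following mathematical question, which may have other uses in other domains: given a system of recurrence equations described using the operators + and max, and defining integer sequences \(u_n\), what is the asymptotic behavior of \(u_n\) as n tends to infinity? We show that, under simple assumptions, \(u_n\) is either exponential or polynomial, and that this can be decided, and the exponent computed, using a simple modification of Tarjan's strongly connected components algorithm, in linear time.},
}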

@misc{vip-D42,
  author       = {Delaune, St{\'e}phanie and Gazeau, Ivan},
  title        = {Combination issues},
  howpublished = {Deliverable VIP~4.2 (ANR-11-JS02-0006)},
  type         = {Contract Report},
  month        = jun,
  year         = {2016},
  url          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d42.pdf},
  pdf          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d42.pdf},
  note         = {5~pages},
}

% Contract report: deliverable 2.2 of the VIP project (ANR-11-JS02-0006).
@misc{vip-D22,
  author       = {Delaune, St{\'e}phanie and Gazeau, Ivan},
  title        = {Results on the case studies},
  howpublished = {Deliverable VIP~2.2 (ANR-11-JS02-0006)},
  type         = {Contract Report},
  month        = jun,
  year         = {2016},
  note         = {8~pages},
  url          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d22.pdf},
  pdf          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d22.pdf},
}

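% CSL'16 paper (LIPIcs vol. 62, article 9) stating a directed homotopy hypothesis.
% Review notes:
%  - page range now uses the double hyphen expected for ranges.
%  - url/pdf point to DBS-csl16.pdf, which matches the key of a different
%    CSL'16 entry in this file rather than this one -- presumably a copy-paste
%    slip; verify the intended file. The DOI is the reliable locator meanwhile.
@inproceedings{DGGL-csl16,
  author    = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and Goubault{-}Larrecq, Jean},
  title     = {The Directed Homotopy Hypothesis},
  booktitle = {{P}roceedings of the 25th {A}nnual {EACSL} {C}onference on {C}omputer {S}cience {L}ogic ({CSL}'16)},
  acronym   = {{CSL}'16},
  editor    = {Regnier, Laurent and Talbot, Jean-Marc},
  series    = {Leibniz International Proceedings in Informatics},
  volume    = {62},
  pages     = {9:1--9:16},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  address   = {Marseille, France},
  month     = sep,
  year      = 2016,
  doi       = {10.4230/LIPIcs.CSL.2016.9},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/DBS-csl16.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DBS-csl16.pdf},
  abstract  = {The homotopy hypothesis was originally stated by Grothendieck: topological spaces should be {"}equivalent{"} to (weak) infinite-groupoids, which give algebraic representatives of homotopy types. Much later, several authors developed geometrizations of computational models, e.g., for rewriting, distributed systems, (homotopy) type theory etc. But an essential feature in the work set up in concurrency theory, is that time should be considered irreversible, giving rise to the field of directed algebraic topology. Following the path proposed by Porter, we state here a directed homotopy hypothesis: Grandis' directed topological spaces should be {"}equivalent{"} to a weak form of topologically enriched categories, still very close to (infinite,1)-categories. We develop, as in ordinary algebraic topology, a directed homotopy equivalence and a weak equivalence, and show invariance of a form of directed homology.},
}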

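% CSL'16 paper (LIPIcs vol. 62, article 42) on infinitary proof theory for
% multiplicative additive linear logic with fixed points.
% Review notes: author names rewritten in the unambiguous "Last, First" form
% used by most entries in this file; page range uses the double hyphen.
@inproceedings{DBS-csl16,
  author    = {Doumane, Amina and Baelde, David and Saurin, Alexis},
  title     = {Infinitary proof theory: the multiplicative additive case},
  booktitle = {{P}roceedings of the 25th {A}nnual {EACSL} {C}onference on {C}omputer {S}cience {L}ogic ({CSL}'16)},
  acronym   = {{CSL}'16},
  editor    = {Regnier, Laurent and Talbot, Jean-Marc},
  series    = {Leibniz International Proceedings in Informatics},
  volume    = {62},
  pages     = {42:1--42:17},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  address   = {Marseille, France},
  month     = sep,
  year      = 2016,
  doi       = {10.4230/LIPIcs.CSL.2016.42},
  abstract  = {Infinitary and regular proofs are commonly used in fixed point logics. Being natural intermediate devices between semantics and traditional finitary proof systems, they are commonly found in completeness arguments, automated deduction, verification, etc. However, their proof theory is surprisingly underdeveloped. In particular, very little is known about the computational behavior of such proofs through cut elimination. Taking such aspects into account has unlocked rich developments at the intersection of proof theory and programming language theory. One would hope that extending this to infinitary calculi would lead, e.g., to a better understanding of recursion and corecursion in programming languages. Structural proof theory is notably based on two fundamental properties of a proof system: cut elimination and focalization. The first one is only known to hold for restricted (purely additive) infinitary calculi, thanks to the work of Santocanale and Fortier; the second one has never been studied in infinitary systems. In this paper, we consider the infinitary proof system muMALLi for multiplicative and additive linear logic extended with least and greatest fixed points, and prove these two key results. We thus establish muMALLi as a satisfying computational proof system in itself, rather than just an intermediate device in the study of finitary proof systems.},
}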

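% CSL'16 paper (LIPIcs vol. 62, article 32): sequent calculus for a modal
% fragment of XPath over finite data trees.
% Review note: page range now uses the double hyphen expected for ranges.
@inproceedings{BLS-hal15,
  author    = {Baelde, David and Lunel, Simon and Schmitz, Sylvain},
  title     = {A~Sequent Calculus for a Modal Logic on Finite Data Trees},
  booktitle = {{P}roceedings of the 25th {A}nnual {EACSL} {C}onference on {C}omputer {S}cience {L}ogic ({CSL}'16)},
  acronym   = {{CSL}'16},
  editor    = {Regnier, Laurent and Talbot, Jean-Marc},
  series    = {Leibniz International Proceedings in Informatics},
  volume    = {62},
  pages     = {32:1--32:16},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  address   = {Marseille, France},
  month     = sep,
  year      = 2016,
  doi       = {10.4230/LIPIcs.CSL.2016.32},
  url       = {https://hal.inria.fr/hal-01191172},
  abstract  = {We investigate the proof theory of a modal fragment of XPath equipped with data (in)equality tests over finite data trees, i.e. over finite unranked trees where nodes are labelled with both a symbol from a finite alphabet and a single data value from an infinite domain. We present a sound and complete sequent calculus for this logic, which yields the optimal PSPACE complexity bound for its validity problem.},
}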

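% CONCUR'16 paper (LIPIcs vol. 59, article 25) on bisimulations and unfoldings
% in a categorical framework.
% Review note: page range now uses the double hyphen expected for ranges.
@inproceedings{DGGL-concur16,
  author    = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and Goubault{-}Larrecq, Jean},
  title     = {Bisimulations and unfolding in {{\(\mathcal{P}\)}}-accessible categorical models},
  booktitle = {{P}roceedings of the 27th {I}nternational {C}onference on {C}oncurrency {T}heory ({CONCUR}'16)},
  acronym   = {{CONCUR}'16},
  editor    = {Desharnais, Jos{\'e}e and Jagadeesan, Radha},
  series    = {Leibniz International Proceedings in Informatics},
  volume    = {59},
  pages     = {25:1--25:14},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  address   = {Qu{\'e}bec City, Canada},
  month     = aug,
  year      = 2016,
  doi       = {10.4230/LIPIcs.CONCUR.2016.25},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-concur16.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-concur16.pdf},
  abstract  = {We propose a categorical framework for bisimulations and unfoldings that unifies the classical approach from Joyal \emph{et~al.} via open maps and unfoldings. This is based on a notion of categories accessible with respect to a subcategory of path shapes, i.e., for which one can define a nice notion of trees as glueings of paths. We show that transition systems and presheaf models are instances of our framework. We also prove that in our framework, several notions of bisimulation coincide, in particular an {"}operational~one{"} akin to the standard definition in transition systems. Also, our notion of accessibility is preserved by coreflections. This also leads us to a notion of unfolding that behaves well in the accessible case: it~is a right adjoint and is a universal covering, i.e., it is initial among the morphisms that have the unique lifting property with respect to path shapes. As an application, we prove that the universal covering of a groupoid, a standard construction in algebraic topology, is an unfolding, when the category of path shapes is well chosen.},
}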

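% Journal article (Applied Categorical Structures 25(5), 2017) on directed
% homology theories.
% Review notes: the doi field carried a "doi:" prefix, which breaks resolver
% links built by styles; it now holds the bare DOI. Page range uses the double
% hyphen.
@article{DGG-acs16,
  author    = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and Goubault{-}Larrecq, Jean},
  title     = {Directed homology theories and {E}ilenberg-{S}teenrod axioms},
  journal   = {Applied Categorical Structures},
  volume    = {25},
  number    = {5},
  pages     = {775--807},
  publisher = {Springer},
  month     = oct,
  year      = 2017,
  doi       = {10.1007/s10485-016-9438-y},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/DGG-acs16.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DGG-acs16.pdf},
  abstract  = {In this paper, we define and study a homology theory, that we call {"}natural homology{"}, which associates a natural system of abelian groups to every space in a large class of directed spaces and precubical sets. We show that this homology theory enjoys many important properties, as an invariant for directed homotopy. Among its properties, we show that subdivided precubical sets have the same homology type as the original ones ; similarly, the natural homology of a precubical set is of the same type as the natural homology of its geometric realization. By same type we mean equivalent up to some form of bisimulation, that we define using the notion of open map. Last but not least, natural homology, for the class of spaces we consider, exhibits very important properties such as Hurewicz theorems, and most of Eilenberg-Steenrod axioms, in particular the dimension, homotopy, additivity and exactness axioms. This last axiom is studied in a general framework of (generalized) exact sequences.},
}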

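% ICALP'16 paper (LIPIcs vol. 55, article 97) on piecewise testable
% separability for regular tree languages.
% Review note: page range now uses the double hyphen expected for ranges.
@inproceedings{GLS-icalp16,
  author    = {Goubault{-}Larrecq, Jean and Schmitz, Sylvain},
  title     = {Deciding Piecewise Testable Separability for Regular Tree Languages},
  booktitle = {{P}roceedings of the 43rd {I}nternational {C}olloquium on {A}utomata, {L}anguages and {P}rogramming ({ICALP}'16)},
  acronym   = {{ICALP}'16},
  editor    = {Chatzigiannakis, Ioannis and Mitzenmacher, Michael and Rabani, Yuval and Sangiorgi, Davide},
  series    = {Leibniz International Proceedings in Informatics},
  volume    = {55},
  pages     = {97:1--97:15},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  address   = {Rome, Italy},
  month     = jul,
  year      = 2016,
  doi       = {10.4230/LIPIcs.ICALP.2016.97},
  url       = {https://hal.inria.fr/hal-01276119/},
  optpdf    = {http://www.lsv.fr/Publis/PAPERS/PDF/GLS-icalp16.pdf},
  abstract  = {The piecewise testable separability problem asks, given two input languages, whether there exists a piecewise testable language that contains the first input language and is disjoint from the second. We prove a general characterisation of piecewise testable separability on languages in a well-quasi-order, in terms of ideals of the ordering. This subsumes the known characterisations in the case of finite words. In the case of finite ranked trees ordered by homeomorphic embedding, we show using effective representations for tree ideals that it entails the decidability of piecewise testable separability when the input languages are regular. A~final byproduct is a new proof of the decidability of whether an input regular language of ranked trees is piecewise testable, which was first shown in the unranked case by Boja{\'n}czyk, Segoufin, and Straubing (Log.~Meth. in Comput.~Sci.,~8(3:26), 2012).},
}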

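% LICS'16 paper on completeness via proof search in the linear-time mu-calculus.
% Review notes: author names rewritten in the unambiguous "Last, First" form
% used by most entries in this file; page range uses the double hyphen; the
% stray line break inside the abstract is removed.
@inproceedings{DBHS-lics16,
  author    = {Doumane, Amina and Baelde, David and Hirschi, Lucca and Saurin, Alexis},
  title     = {Towards Completeness via Proof Search in the Linear Time {{\(\mu\)}}-calculus},
  booktitle = {{P}roceedings of the 31st {A}nnual {ACM\slash IEEE} {S}ymposium on {L}ogic {I}n {C}omputer {S}cience ({LICS}'16)},
  acronym   = {{LICS}'16},
  editor    = {Grohe, Martin and Koskinen, Eric and Shankar, Natarajan},
  pages     = {377--386},
  publisher = {ACM Press},
  address   = {New York City, USA},
  month     = jul,
  year      = 2016,
  doi       = {10.1145/2933575.2933598},
  url       = {https://hal.archives-ouvertes.fr/hal-01275289/},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/DBHS-lics16.pdf},
  abstract  = {Modal \(\mu\)-calculus is one of the central languages of logic and verification, whose study involves notoriously complex objects: automata over infinite structures on the model-theoretical side; infinite proofs and proofs by (co)induction on the proof-theoretical side. Nevertheless, axiomatizations have been given for both linear and branching time \(\mu\)-calculi, with quite involved completeness arguments. We come back to this central problem, considering it from a proof search viewpoint, and provide some new completeness arguments in the linear time \(\mu\)-calculus. Our results only deal with restricted classes of formulas that closely correspond to (non-alternating) \(\omega\)-automata but, compared to earlier proofs, our completeness arguments are direct and constructive. We first consider a natural circular proof system based on sequent calculus, and show that it is complete for inclusions of parity automata directly expressed as formulas, making use of Safra's construction directly in proof search. We then consider the corresponding finitary proof system, featuring (co)induction rules, and provide a partial translation result from circular to finitary proofs. This yields completeness of the finitary proof system for inclusions of sufficiently deterministic parity automata, and finally for arbitrary B{\"u}chi automata.},
}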

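% IEEE S&P'16 paper: sufficient conditions for anonymity and unlinkability in
% the symbolic model, checkable with Proverif; per the abstract it covers the
% BAC, LAK and PACE protocols.
% Review notes:
%  - publisher previously read "IEEECSP", which looks like an unexpanded
%    abbreviation; it now uses the spelling the CSF'17 entries in this file
%    use -- confirm this is the intended publisher name.
%  - page range now uses the double hyphen expected for ranges.
@inproceedings{HBD-sp16,
  author    = {Hirschi, Lucca and Baelde, David and Delaune, St{\'e}phanie},
  title     = {A~method for verifying privacy-type properties: the~unbounded case},
  booktitle = {{P}roceedings of the 37th {IEEE} {S}ymposium on {S}ecurity and {P}rivacy ({S\&P}'16)},
  acronym   = {{S\&P}'16},
  editor    = {Locasto, Michael and Shmatikov, Vitaly and Erlingsson, {\'U}lfar},
  pages     = {564--581},
  publisher = {{IEEE} Computer Society Press},
  address   = {San Jose, California, USA},
  month     = may,
  year      = 2016,
  doi       = {10.1109/SP.2016.40},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/HBD-sp16.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/HBD-sp16.pdf},
  abstract  = {In~this paper, we~consider the problem of verifying anonymity and unlinkability in the symbolic model, where protocols are represented as processes in a variant of the applied pi calculus notably used in the Proverif tool. Existing tools and techniques do not allow one to verify directly these properties, expressed as behavioral equivalences. We propose a different approach: we design two conditions on protocols which are sufficient to ensure anonymity and unlinkability, and which can then be effectively checked automatically using Proverif. Our two conditions correspond to two broad classes of attacks on unlinkability, corresponding to data and control-flow leaks.\par This theoretical result is general enough to apply to a wide class of protocols. In particular, we apply our techniques to provide the first formal security proof of the BAC protocol (e-passport). Our work has also lead to the discovery of new attacks, including one on the LAK protocol (RFID authentication) which was previously claimed to be unlinkable (in~a weak sense) and one on the PACE protocol (e-passport).},
}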

@comment{{B-arxiv16, author = Bollig, Benedikt, affiliation = aff-LSVmexico, title = One-Counter Automata with Counter Visibility, institution = Computing Research Repository, number = 1602.05940, month = feb, nmonth = 2, year = 2016, type = RR, axeLSV = mexico, NOcontrat = "", url = http://arxiv.org/abs/1602.05940, PDF = "http://www.lsv.fr/Publis/PAPERS/PDF/B-arxiv16.pdf", lsvdate-new = 20160222, lsvdate-upd = 20160222, lsvdate-pub = 20160222, lsv-category = "rapl", wwwpublic = "public and ccsb", note = 18~pages, abstract = "In a one-counter automaton (OCA), one can read a letter from some finite alphabet, increment and decrement the counter by one, or test it for zero. It is well-known that universality and language inclusion for OCAs are undecidable. We consider here OCAs with counter visibility: Whenever the automaton produces a letter, it outputs the current counter value along with~it. Hence, its language is now a set of words over an infinite alphabet. We show that universality and inclusion for that model are in PSPACE, thus no harder than the corresponding problems for finite automata, which can actually be considered as a special case. In fact, we show that OCAs with counter visibility are effectively determinizable and closed under all boolean operations. As~a~strict generalization, we subsequently extend our model by registers. The general nonemptiness problem being undecidable, we impose a bound on the number of register comparisons and show that the corresponding nonemptiness problem is NP-complete.", }}

% Contract report: deliverable 3.2 of the VIP project (ANR-11-JS02-0006).
@misc{vip-D32,
  author       = {Baelde, David and Delaune, St{\'e}phanie and Kremer, Steve},
  title        = {Decision procedures for equivalence based properties (part~{II})},
  howpublished = {Deliverable VIP~3.2 (ANR-11-JS02-0006)},
  type         = {Contract Report},
  month        = sep,
  year         = {2015},
  note         = {9~pages},
  url          = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d32.pdf},
  pdf          = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d32.pdf},
}

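% Contract report of the VIP project (ANR-11-JS02-0006) on composition of
% equivalence-based security properties.
% Review note: howpublished previously said "Deliverable VIP~3.1" while the
% citation key and both file names say D41 / vip-d41; it is aligned to 4.1
% here -- confirm the deliverable number against the project records.
@misc{vip-D41,
  author       = {Delaune, St{\'e}phanie and Kremer, Steve},
  title        = {Composition results for equivalence-based security properties},
  howpublished = {Deliverable VIP~4.1 (ANR-11-JS02-0006)},
  type         = {Contract Report},
  month        = sep,
  year         = {2015},
  note         = {6~pages},
  url          = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d41.pdf},
  pdf          = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d41.pdf},
}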

% Doctoral thesis (in French) on automatic analysis of equivalence properties
% for cryptographic protocols.
@phdthesis{rc-phd2016,
  author = {Chr{\'e}tien, R{\'e}my},
  title  = {Analyse automatique de propri{\'e}t{\'e}s d'{\'e}quivalence pour les protocoles cryptographiques},
  type   = {Th{\`e}se de doctorat},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  month  = jan,
  year   = 2016,
  url    = {http://www.lsv.fr/Publis/PAPERS/PDF/rc-phd16.pdf},
  pdf    = {http://www.lsv.fr/Publis/PAPERS/PDF/rc-phd16.pdf},
}

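% POST'16 paper (LNCS 9635): bounding the number of agents when verifying
% equivalence properties of security protocols.
% Review notes: the volume value had a leading space inside the braces, which
% can defeat numeric handling in some tools; page range uses the double hyphen.
@inproceedings{CDD-post16,
  author    = {Cortier, V{\'e}ronique and Dallon, Antoine and Delaune, St{\'e}phanie},
  title     = {Bounding the number of agents, for equivalence~too},
  booktitle = {{P}roceedings of the 5th {I}nternational {C}onference on {P}rinciples of {S}ecurity and {T}rust ({POST}'16)},
  acronym   = {{POST}'16},
  editor    = {Piessens, Frank and Vigan{\'o}, Luca},
  series    = {Lecture Notes in Computer Science},
  volume    = {9635},
  pages     = {211--232},
  publisher = {Springer},
  address   = {Eindhoven, The~Netherlands},
  month     = apr,
  year      = 2016,
  doi       = {10.1007/978-3-662-49635-0_11},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post16.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post16.pdf},
  abstract  = {Bounding the number of agents is a current practice when modeling a protocol. In~2003, it has been shown that one honest agent and one dishonest agent are indeed sufficient to find all possible attacks, for secrecy properties. This is no longer the case for equivalence properties, crucial to express many properties such as vote privacy or untraceability.\par In this paper, we show that it is sufficient to consider two honest agents and two dishonest agents for equivalence properties, for deterministic processes with standard primitives and without else branches. More generally, we show how to bound the number of agents for arbitrary constructor theories and for protocols with simple else branches. We show that our hypotheses are tight, providing counter-examples for non actiondeterministic processes, non constructor theories, or protocols with complex else branches.},
}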

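% Journal article (Mathematical Structures in Computer Science 27(6), 2017)
% relating powercone models of mixed choice to models of previsions.
% Review note: page range now uses the double hyphen expected for ranges.
@article{JGL-mscs16,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {Isomorphism theorems between models of mixed choice},
  journal   = {Mathematical Structures in Computer Science},
  volume    = {27},
  number    = {6},
  pages     = {1032--1067},
  publisher = {Cambridge University Press},
  month     = sep,
  year      = 2017,
  doi       = {10.1017/S0960129515000547},
  url       = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mscs16.pdf},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mscs16.pdf},
  abstract  = {We relate the so-called powercone models of mixed non-deterministic and probabilistic choice proposed by Tix, Keimel, Plotkin, Mislove, Ouaknine, Worrell, Morgan, and McIver, to our own models of previsions. Under suitable topological assumptions, we show that they are isomorphic. We rely on Keimel's cone-theoretic variants of the classical Hahn-Banach separation theorems, using functional analytic methods, and on the Schr{\"o}der-Simpson Theorem.},
}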

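% LICS'17 paper giving a constructive completeness argument for the
% linear-time mu-calculus.
% Review note: page range now uses the double hyphen expected for ranges.
@inproceedings{D-lics17,
  author    = {Doumane, Amina},
  title     = {Constructive completeness for the linear-time {\(\mu\)}-calculus},
  booktitle = {{P}roceedings of the 32nd {A}nnual {ACM\slash IEEE} {S}ymposium on {L}ogic {I}n {C}omputer {S}cience ({LICS}'17)},
  acronym   = {{LICS}'17},
  editor    = {Ouaknine, Jo{\"e}l},
  pages     = {1--12},
  publisher = {{IEEE} Press},
  address   = {Reykjavik, Iceland},
  month     = jun,
  year      = {2017},
  doi       = {10.1109/LICS.2017.8005075},
  abstract  = {Modal \(\mu\)-calculus is one of the central logics for verification. In his seminal paper, Kozen proposed an axiomatization for this logic, which was proved to be complete, 13 years later, by Kaivola for the linear-time case and by Walukiewicz for the branching-time one. These proofs are based on complex, non-constructive arguments, yielding no reasonable algorithm to construct proofs for valid formulas. The problematic of constructiveness becomes central when we consider proofs as certificates, supporting the answers of verification tools. In our paper, we provide a new completeness argument for the linear-time \(\mu\)-calculus which is constructive, i.e. it builds a proof for every valid formula. To achieve this, we decompose this difficult problem into several easier ones, taking advantage of the correspondence between the \(\mu\)-calculus and automata theory. More precisely, we lift the well-known automata transformations (non-determinization for instance) to the logical level. To solve each of these smaller problems, we perform first a proof-search in a circular proof system, then we transform the obtained circular proofs into proofs of Kozen's axiomatization.},
}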

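% Journal article (Minimax Theory and its Applications 3(1), 2017).
% Review note: page range now uses the double hyphen expected for ranges.
@article{JGL-minimax17,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {A Non-{H}ausdorff Minimax Theorem},
  journal   = {Minimax Theory and its Applications},
  volume    = {3},
  number    = {1},
  pages     = {73--80},
  publisher = {Heldermann Verlag},
  year      = {2017},
}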

% HAL research report hal-01615265: typing result for trace inclusion
% (pairs and symmetric encryption only); the abstract states it underpins the
% soundness proof of the SatEquiv tool.
@techreport{CDD-hal17,
  author      = {Cortier, V{\'e}ronique and Dallon, Antoine and Delaune, St{\'e}phanie},
  title       = {A typing result for trace inclusion (for pair and symmetric encryption only)},
  type        = {Research Report},
  number      = {hal-01615265},
  institution = {HAL},
  month       = oct,
  year        = {2017},
  url         = {https://hal.archives-ouvertes.fr/hal-01615265},
  pdf         = {https://hal.archives-ouvertes.fr/hal-01615265/document},
  abstract    = {Privacy-type properties such as vote secrecy, anonymity, or untraceability are typically expressed using the notion of trace equivalence in a process algebra that models security protocols. In this paper, we propose some results to reduce the search space when we are looking for an attack regarding trace equivalence. Our work is strongly inspired from [10], which establishes that, if there is a witness of non trace equivalence, then there is one that is well-typed.\par Our main contribution is to establish a similar result for trace inclusion. Our motivation is twofolds: first, this small attack property is needed for proving soundness of the tool SatEquiv [13]. Second, we revisit the proof in order to simplify it. Specifically, we show two results. First, if there is a witness of non-inclusion then there is one that is well-typed. We establish this result by providing a decision procedure for trace inclusion similar to the one proposed in [10] for trace equivalence. We also show that we can reduce the search space when considering the notion of static inclusion. Acutally, if there is a witness of static non-inclusion there is one of a specific shape.\par Even if our setting slightly differs from the one considered in [10], our proofs essentially follow the same ideas than the existing proof for trace equivalence. Nevertheless, we hope that this proof will be easier to extend to other primitives such as asymmetric encryption or signatures.},
}

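% Journal version (Formal Methods in System Design 53(1), 2018) of the paper
% on the complexity of monitoring Orchids signatures.
% Review notes: the note said "to appear" although volume, number, year and
% pages are all filled in, so that stale qualifier is dropped; page range uses
% the double hyphen.
@article{GLL-fmsd17,
  author    = {Goubault{-}Larrecq, Jean and Lachance, Jean-Philippe},
  title     = {On the Complexity of Monitoring {O}rchids Signatures, and Recurrence Equations},
  journal   = {Formal Methods in System Design},
  volume    = {53},
  number    = {1},
  pages     = {6--32},
  publisher = {Springer},
  month     = aug,
  year      = {2018},
  doi       = {10.1007/s10703-017-0303-x},
  url       = {https://doi.org/10.1007/s10703-017-0303-x},
  note      = {Special issue of RV'16},
  abstract  = {Modern monitoring tools such as our intrusion detection tool Orchids work by firing new monitor instances dynamically. Given an Orchids signature (a.k.a. a rule, a specification), what is the complexity of checking that specification, that signature? In other words, let \(f(n)\) be the maximum number of monitor instances that can be fired on a sequence of \(n\) events: we design an algorithm that decides whether \(f(n)\) is asymptotically exponential or polynomial, and in the latter case returns an exponent \(d\) such that \(f(n)=\Theta(n^d)\). Ultimately, the problem reduces to the following mathematical question, which may have other uses in other domains: given a system of recurrence equations described using the operators \(+\) and \(\max\), and defining integer sequences \(u_n\), what is the asymptotic behavior of \(u_n\) as \(n\) tends to infinity? We show that, under simple assumptions, \(u_n\) is either exponential or polynomial, and that this can be decided, and the exponent computed, using a simple modification of Tarjan's strongly connected components algorithm, in linear time.},
}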

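% Journal article (Logical Methods in Computer Science 13(4), 2017) on formal balls.
% Review note: page range now uses the double hyphen expected for ranges.
@article{GLN-lmcs17,
  author  = {Goubault{-}Larrecq, Jean and Ng, Kok Min},
  title   = {A Few Notes on Formal Balls},
  journal = {Logical Methods in Computer Science},
  volume  = {13},
  number  = {4},
  pages   = {1--34},
  month   = nov,
  year    = {2017},
  doi     = {10.23638/LMCS-13(4:18)2017},
  url     = {https://lmcs.episciences.org/4100},
  pdf     = {https://lmcs.episciences.org/4100/pdf},
  note    = {Special Issue of the Domains XII Workshop},
}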

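% Preface to the FICS'13 special issue (Fundamenta Informaticae 150(3-4), 2017).
% Review notes: author names rewritten in the unambiguous "Last, First" form
% used by most entries in this file; the issue and page ranges use the double
% hyphen.
@article{BCMW-fi17,
  author    = {Baelde, David and Carayol, Arnaud and Matthes, Ralph and Walukiewicz, Igor},
  title     = {Preface: Special Issue of {Fixed Points in Computer Science} ({FICS}'13)},
  journal   = {Fundamenta Informaticae},
  volume    = {150},
  number    = {3--4},
  pages     = {i--ii},
  publisher = {{IOS} Press},
  year      = {2017},
  doi       = {10.3233/FI-2017-1468},
  url       = {https://doi.org/10.3233/FI-2017-1468},
}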

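% CSF'17 paper: equivalence verification for protocols using exclusive or,
% implemented in the AKISS tool (per the abstract).
% Review note: page range now uses the double hyphen expected for ranges.
@inproceedings{BDGK-csf17,
  author    = {Baelde, David and Delaune, St{\'e}phanie and Gazeau, Ivan and Kremer, Steve},
  title     = {Symbolic Verification of Privacy-Type Properties for Security Protocols with {XOR}},
  booktitle = {{P}roceedings of the 30th {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'17)},
  acronym   = {{CSF}'17},
  editor    = {K{\"o}pf, Boris and Chong, Steve},
  pages     = {234--248},
  publisher = {{IEEE} Computer Society Press},
  address   = {Santa Barbara, California, USA},
  month     = aug,
  year      = {2017},
  doi       = {10.1109/CSF.2017.22},
  url       = {https://hal.inria.fr/hal-01533694},
  pdf       = {https://hal.inria.fr/hal-01533694/document},
  abstract  = {In symbolic verification of security protocols, process equivalences have recently been used extensively to model strong secrecy, anonymity and unlinkability properties. However, tool support for automated analysis of equivalence properties is limited compared to trace properties, e.g., modeling authentication and weak notions of secrecy. In this paper, we present a novel procedure for verifying equivalences on finite processes, i.e., without replication, for protocols that rely on various cryptographic primitives including exclusive or (xor). We have implemented our procedure in the tool AKISS, and successfully used it on several case studies that are outside the scope of existing tools, e.g., unlinkability on various RFID protocols, and resistance against guessing attacks on protocols that use xor.},
}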

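% CSF'17 paper presenting SAT-Equiv, a tool for equivalence properties based on
% graph planning and SAT-solving (per the abstract).
% Review notes: page range uses the double hyphen; two sentence boundaries in
% the abstract had lost their space ("properties.Equivalence",
% "inefficient.In") and are restored.
@inproceedings{CDD-csf17,
  author    = {Cortier, V{\'e}ronique and Dallon, Antoine and Delaune, St{\'e}phanie},
  title     = {{SAT-Equiv}: An Efficient Tool for Equivalence Properties},
  booktitle = {{P}roceedings of the 30th {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'17)},
  acronym   = {{CSF}'17},
  editor    = {K{\"o}pf, Boris and Chong, Steve},
  pages     = {481--494},
  publisher = {{IEEE} Computer Society Press},
  address   = {Santa Barbara, California, USA},
  month     = aug,
  year      = {2017},
  doi       = {10.1109/CSF.2017.15},
  url       = {http://ieeexplore.ieee.org/document/8049740/},
  pdf       = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-csf17.pdf},
  abstract  = {Automatic tools based on symbolic models have been successful in analyzing security protocols. Such tools are particularly adapted for trace properties (e.g. secrecy or authentication), while they often fail to analyse equivalence properties. Equivalence properties can express a variety of security properties, including in particular privacy properties (vote privacy, anonymity, untraceability). Several decision procedures have already been proposed but the resulting tools are rather inefficient. In this paper, we propose a novel algorithm, based on graph planning and SAT-solving, which significantly improves the efficiency of the analysis of equivalence properties. The resulting implementation, SAT-Equiv, can analyze several sessions where most tools have to stop after one or two sessions.},
}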

% Master's report on reducing interleavings when checking trace equivalence
% of security protocols.
@mastersthesis{m2-hirschi,
  author = {Hirschi, Lucca},
  title  = {Reduction of interleavings for trace equivalence checking of security protocols},
  type   = {Rapport de {M}aster},
  school = {{M}aster {P}arisien de {R}echerche en {I}nformatique, Paris, France},
  month  = aug,
  year   = {2013},
}

% Doctoral thesis on the infinitary proof theory of logics with fixed points.
@phdthesis{doumane-phd2017,
  author = {Doumane, Amina},
  title  = {On the infinitary proof theory of logics with fixed points},
  type   = {Th{\`e}se de doctorat},
  school = {Universit{\'e} Paris-Diderot, Paris, France},
  month  = jun,
  year   = 2017,
  url    = {https://www.irif.fr/~doumane/these.pdf},
  pdf    = {https://www.irif.fr/~doumane/these.pdf},
}

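% FSTTCS'17 paper (LIPIcs vol. 93, article 16): third part of the forward
% analysis series for WSTS, on Karp-Miller trees.
% Review notes: author and editor names rewritten in the unambiguous
% "Last, First" form used by most entries in this file; page range uses the
% double hyphen; opening quotation marks in the abstract were typed as ''
% (closing quotes) and are now ``.
@inproceedings{BFG-fsttcs17,
  author    = {Blondin, Michael and Finkel, Alain and Goubault{-}Larrecq, Jean},
  title     = {Forward Analysis for {WSTS}, {Part III}: {Karp-Miller} Trees},
  booktitle = {{P}roceedings of the 37th {C}onference on {F}oundations of {S}oftware {T}echnology and {T}heoretical {C}omputer {S}cience ({FSTTCS}'17)},
  acronym   = {{FSTTCS}'17},
  editor    = {Lokam, Satya and Ramanujam, R.},
  series    = {Leibniz International Proceedings in Informatics},
  volume    = {93},
  pages     = {16:1--16:15},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  address   = {Kanpur, India},
  month     = dec,
  year      = 2017,
  doi       = {10.4230/LIPIcs.FSTTCS.2017.16},
  url       = {https://hal.archives-ouvertes.fr/hal-01736704/},
  pdf       = {http://drops.dagstuhl.de/opus/volltexte/2018/8403/pdf/LIPIcs-FSTTCS-2017-16.pdf},
  abstract  = {This paper is a sequel of ``Forward Analysis for WSTS, Part I: Completions'' [STACS 2009, LZI Intl. Proc. in Informatics 3, 433-444] and ``Forward Analysis for WSTS, Part II: Complete WSTS'' [Logical Methods in Computer Science 8(3), 2012]. In these two papers, we provided a framework to conduct forward reachability analyses of WSTS, using finite representations of downwards-closed sets. We further develop this framework to obtain a generic Karp-Miller algorithm for the new class of very-WSTS. This allows us to show that coverability sets of very-WSTS can be computed as their finite ideal decompositions. Under natural assumptions on positive sequences, we also show that LTL model checking for very-WSTS is decidable. The termination of our procedure rests on a new notion of acceleration levels, which we study. We characterize those domains that allow for only finitely many accelerations, based on ordinal ranks.},
}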

% Doctoral thesis on directed homotopy and homology for geometric models of
% true concurrency.
@phdthesis{dubut-phd2017,
  author = {Dubut, J{\'e}r{\'e}my},
  title  = {Directed homotopic and homologic theories for geometric models of true concurrency},
  type   = {Th{\`e}se de doctorat},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  month  = sep,
  year   = 2017,
  url    = {http://www.lsv.fr/Publis/PAPERS/PDF/dubut-phd17.pdf},
  pdf    = {http://www.lsv.fr/Publis/PAPERS/PDF/dubut-phd17.pdf},
}

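@article{BDH-lmcs17,
  author       = {Baelde, David and Delaune, St{\'e}phanie and Hirschi, Lucca},
  title        = {A Reduced Semantics for Deciding Trace Equivalence},
  journal      = {Logical Methods in Computer Science},
  volume       = {13},
  number       = {2:8},
  pages        = {1--48},
  year         = {2017},
  doi          = {10.23638/LMCS-13(2:8)2017},
  url          = {https://lmcs.episciences.org/3703},
  pdf          = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-lmcs17.pdf},
  abstract     = {Many privacy-type properties of security protocols can be modelled using trace equivalence properties in suitable process algebras. It has been shown that such properties can be decided for interesting classes of finite processes (i.e. without replication) by means of symbolic execution and constraint solving. However, this does not suffice to obtain practical tools. Current prototypes suffer from a classical combinatorial explosion problem caused by the exploration of many interleavings in the behaviour of processes. M{\"o}dersheim et al. [40] have tackled this problem for reachability properties using partial order reduction techniques. We revisit their work, generalize it and adapt it for equivalence checking. We obtain an optimisation in the form of a reduced symbolic semantics that eliminates redundant interleavings on the fly. The obtained partial order reduction technique has been integrated in a tool called Apte. We conducted complete benchmarks showing dramatic improvements.},
}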

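@phdthesis{hirschi-phd2017,
  author       = {Hirschi, Lucca},
  title        = {Automated Verification of Privacy in Security Protocols: Back and Forth Between Theory \& Practice},
  type         = {Th{\`e}se de doctorat},
  school       = {Laboratoire Sp{\'e}cification et V{\'e}rification, ENS Cachan, France},
  month        = apr,
  year         = 2017,
  url          = {http://www.lsv.fr/Publis/PAPERS/PDF/hirschi-phd17.pdf},
  pdf          = {http://www.lsv.fr/Publis/PAPERS/PDF/hirschi-phd17.pdf},
}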

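@inproceedings{CK-csf17,
  author       = {Comon, Hubert and Koutsos, Adrien},
  title        = {Formal Computational Unlinkability Proofs of {RFID} Protocols},
  booktitle    = {{P}roceedings of the 30th {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'17)},
  acronym      = {{CSF}'17},
  editor       = {K{\"o}pf, Boris and Chong, Steve},
  pages        = {100--114},
  publisher    = {{IEEE} Computer Society Press},
  address      = {Santa Barbara, California, USA},
  month        = aug,
  year         = {2017},
  doi          = {10.1109/CSF.2017.9},
  url          = {http://ieeexplore.ieee.org/document/8049714/},
  pdf          = {http://www.lsv.fr/Publis/PAPERS/PDF/CK-csf17.pdf},
  abstract     = {We set up a framework for the formal proofs of RFID protocols in the computational model. We rely on the so-called computationally complete symbolic attacker model. Our contributions are: 1) To design (and prove sound) axioms reflecting the properties of hash functions (Collision-Resistance, PRF). 2) To formalize computational unlinkability in the model. 3) To illustrate the method, providing the first formal proofs of unlinkability of RFID protocols, in the computational model.},
}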

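@inproceedings{CGKM-csf17,
  author       = {Calzavara, Stefano and Grishchenko, Ilya and Koutsos, Adrien and Maffei, Matteo},
  title        = {A Sound Flow-Sensitive Heap Abstraction for the Static Analysis of {Android} Applications},
  booktitle    = {{P}roceedings of the 30th {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'17)},
  acronym      = {{CSF}'17},
  editor       = {K{\"o}pf, Boris and Chong, Steve},
  pages        = {22--36},
  publisher    = {{IEEE} Computer Society Press},
  address      = {Santa Barbara, California, USA},
  month        = aug,
  year         = {2017},
  doi          = {10.1109/CSF.2017.19},
  url          = {http://ieeexplore.ieee.org/document/8049649/},
  pdf          = {http://www.lsv.fr/Publis/PAPERS/PDF/CGKM-csf17.pdf},
  abstract     = {The present paper proposes the first static analysis for Android applications which is both flow-sensitive on the heap abstraction and provably sound with respect to a rich formal model of the Android platform. We formulate the analysis as a set of Horn clauses defining a sound over-approximation of the semantics of the Android application to analyse, borrowing ideas from recency abstraction and extending them to our concurrent setting. Moreover, we implement the analysis in HornDroid, a state-of-the-art information flow analyser for Android applications. Our extension allows HornDroid to perform strong updates on heap-allocated data structures, thus significantly increasing its precision, without sacrificing its soundness guarantees. We test our implementation on DroidBench, a popular benchmark of Android applications developed by the research community, and we show that our changes to HornDroid lead to an improvement in the precision of the tool, while having only a moderate cost in terms of efficiency. Finally, we assess the scalability of our tool to the analysis of real applications.},
}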

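@article{KV-jcss17,
  author       = {Koutsos, Adrien and Vianu, Victor},
  title        = {Process-centric views of data-driven business artifacts},
  journal      = {Journal of Computer and System Sciences},
  volume       = {86},
  number       = {1},
  pages        = {82--107},
  publisher    = {Elsevier Science Publishers},
  month        = jun,
  year         = {2017},
  doi          = {10.1016/j.jcss.2016.11.012},
  url          = {http://dx.doi.org/10.1016/j.jcss.2016.11.012},
  pdf          = {http://www.lsv.fr/Publis/PAPERS/PDF/KV-jcss17.pdf},
  abstract     = {Declarative, data-aware workflow models are becoming increasingly pervasive. While these have numerous benefits, classical process-centric specifications retain certain advantages. Workflow designers are used to development tools such as BPMN or UML diagrams, that focus on control flow. Views describing valid sequences of tasks are also useful to provide stakeholders with high-level descriptions of the workflow, stripped of the accompanying data. In this paper we study the problem of recovering process-centric views from declarative, data-aware workflow specifications in a variant of IBM's business artifact model. We focus on the simplest process-centric views, specified by finite-state transition systems, describing regular languages. The results characterize when process-centric views of artifact systems are regular, using both linear and branching-time semantics. We also study the impact of data dependencies on regularity of the views. As a side effect, we obtain several new results on verification of business artifacts, including a decidability result for branching-time properties.},
}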

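@inproceedings{OBH-most17,
  author       = {{O'Hanlon}, Piers and Borgaonkar, Ravishankar and Hirschi, Lucca},
  title        = {Mobile subscriber {WiFi} privacy},
  booktitle    = {{P}roceedings of Mobile Security Technologies (MoST'17), held as part of the {IEEE} Computer Society Security and Privacy Workshops},
  editor       = {Chen, Hao and Koved, Larry},
  todopages    = {252-261},
  address      = {San Jose, CA, USA},
  month        = may,
  year         = {2017},
  tododoi      = {},
  pdf          = {http://www.lsv.fr/Publis/PAPERS/PDF/OBH-most17.pdf},
  abstract     = {This paper investigates and analyses the insufficient protections afforded to mobile identities when using today's operator backed WiFi services. Specifically we detail a range of attacks, on a set of widely deployed authentication protocols, that enable a malicious user to obtain and track a user's International Mobile Subscriber Identity (IMSI) over WiFi. These attacks are possible due to a lack of sufficient privacy protection measures, which are exacerbated by preconfigured device profiles. We provide a formal analysis of the protocols involved, examine their associated configuration profiles, and document our experiences with reporting the issues to the relevant stakeholders. We detail a range of potential countermeasures to tackle these issues to ensure that privacy is better protected in the future.},
}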

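@misc{JGL:pls16,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {Les m{\'e}thodes formelles: l'autre arme de la cybers{\'e}curit{\'e}},
  howpublished = {Encart dans l'article ``S'adapter {\`a} la cyberguerre'', de Karen Elazari, Pour La Science 459},
  pages        = {50--55},
  month        = jan,
  year         = {2016},
}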

@misc{JGL:stc16,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {A few things on Noetherian spaces},
  howpublished = {Invited talk (plenary speaker), Summer Topology Conference, Leicester, UK},
  month        = aug,
  year         = {2016},
}

@misc{JGL:gs16,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {An introduction to asymmetric topology and domain theory: why, what, and how},
  howpublished = {Invited talk, Galway Symposium, Leicester, UK},
  month        = aug,
  year         = {2016},
}

@misc{JGL:dom15,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {Formal balls},
  howpublished = {Invited talk, Domains XII workshop, Cork, Ireland},
  month        = aug,
  year         = {2015},
}

@misc{JGL:lls14,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {D{\'e}tection d'intrusions avec {OrchIDS}},
  howpublished = {Matinale de l'innovation Logiciels Libres et S{\'e}curit{\'e}, Paris, France},
  month        = dec,
  year         = {2014},
}

@misc{JGL:ccc14,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {Noetherian spaces},
  howpublished = {Invited talk, Continuity, Computability, Constructivity workshop (CCC), Ljubljana, Slovenia},
  month        = sep,
  year         = {2014},
}

@misc{JGL:cps14,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {{OrchIDS}: on the value of rigor in intrusion detection},
  howpublished = {CPS Summer School, Grenoble, France},
  month        = jul,
  year         = {2014},
}

@misc{JGL:stc13,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {A few pearls in the theory of quasi-metric spaces},
  howpublished = {Invited talk (semi-plenary speaker), Summer Topology Conference, North Bay, Ontario, CA},
  month        = jul,
  year         = {2013},
}

@misc{JGL:dga13,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {{OrchIDS}, ou : de l'importance de la s{\'e}mantique},
  howpublished = {S{\'e}minaire DGA Innosciences. DGA, Bagneux},
  month        = jun,
  year         = {2013},
}

@misc{JGL:at13,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {A short proof of the {Schr{\"o}der-Simpson} theorem},
  howpublished = {Invited talk, Workshop on Asymmetric Topology, Summer Topology Conference, North Bay, Ontario, CA},
  month        = jul,
  year         = {2013},
}

@misc{JGL:dm16,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {A semantics for {{\(\nabla\)}}},
  howpublished = {Invited talk, Dale Miller Festschrift, Paris Diderot University, Paris},
  month        = dec,
  year         = {2016},
}

@misc{GSHM:dga-inria16,
  author       = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Hulin-Hubard, Francis and Majorczyk, Fr{\'e}d{\'e}ric},
  title        = {Etat final des travaux engag{\'e}s sur {Orchids}},
  howpublished = {Rapport final et fourniture 4 du contrat DGA-INRIA Orchids},
  month        = may,
  year         = {2016},
}

@misc{GM:dga-inria16,
  author       = {Goubault-Larrecq, Jean and Majorczyk, Fr{\'e}d{\'e}ric},
  title        = {G{\'e}n{\'e}ration de signatures pour le suivi de flux d'informations},
  howpublished = {Fourniture 3 du contrat DGA-INRIA Orchids},
  month        = may,
  year         = {2016},
}

@misc{GSM:dga-inria15,
  author       = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Majorczyk, Fr{\'e}d{\'e}ric},
  title        = {Etat d'avancement interm{\'e}diaire des travaux engag{\'e}s sur {OrchIDS}},
  howpublished = {Rapport interm{\'e}diaire du contrat DGA-INRIA Orchids},
  month        = may,
  year         = {2015},
}

@misc{GSM:dga-inria-2-14,
  author       = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Majorczyk, Fr{\'e}d{\'e}ric},
  title        = {Techniques et m{\'e}thodes de g{\'e}n{\'e}ration de signatures pour la d{\'e}tection d'intrusions},
  howpublished = {Fourniture 2 du contrat DGA-INRIA Orchids},
  month        = may,
  year         = {2014},
}

@misc{GSM:dga-inria-1-14,
  author       = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Majorczyk, Fr{\'e}d{\'e}ric},
  title        = {Politiques de s{\'e}curit{\'e} syst{\`e}me},
  howpublished = {Fourniture 1 du contrat DGA-INRIA Orchids},
  month        = may,
  year         = {2014},
}

@misc{AG:anr-cpp12,
  author       = {Adj{\'e}, Assal{\'e} and Goubault-Larrecq, Jean},
  title        = {Concrete semantics of programs with non-deterministic and random inputs},
  howpublished = {Fourniture du projet ANR CPP (Confidence, Proofs, and Probabilities), WP 2, version 1},
  month        = oct,
  year         = {2012},
  url          = {http://arxiv.org/abs/1210.2605},
}

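% NOTE(review): the key suffix "-16" and the year field (2007) disagree; confirm the year against the report.
@misc{GL:ARC-ProNoBis-16,
  author       = {Goubault-Larrecq, Jean},
  title        = {Pronobis: Probability and nondeterminism, bisimulations and security},
  howpublished = {Rapport final ARC ProNoBis},
  month        = oct,
  year         = {2007},
}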

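@phdthesis{dallon-phd2018,
  author       = {Dallon, Antoine},
  title        = {Verification of indistinguishability properties in cryptographic protocols -- {Small} attacks and efficient decision with {SAT-Equiv}},
  type         = {Th{\`e}se de doctorat},
  school       = {{\'E}cole Normale Sup{\'e}rieure Paris-Saclay, France},
  month        = nov,
  year         = 2018,
  url          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/dallon-phd18.pdf},
  pdf          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/dallon-phd18.pdf},
}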

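@inproceedings{BDH-esorics18,
  author       = {Baelde, David and Delaune, St{\'e}phanie and Hirschi, Lucca},
  title        = {{POR} for Security Protocol Equivalences -- Beyond Action-Determinism},
  booktitle    = {{P}roceedings of the 23rd {E}uropean {S}ymposium on {R}esearch in {C}omputer {S}ecurity ({ESORICS}'18)},
  acronym      = {{ESORICS}'18},
  editor       = {L{\'o}pez, Javier and Zhou, Jianying and Soriano, Miguel},
  series       = {Lecture Notes in Computer Science},
  volume       = {11098},
  pages        = {385--405},
  publisher    = {Springer},
  address      = {Barcelona, Spain},
  month        = sep,
  year         = 2018,
  doi          = {10.1007/978-3-319-99073-6_19},
  url          = {https://arxiv.org/abs/1804.03650},
  abstract     = {Formal methods have proved effective to automatically analyse protocols. Recently, much research has focused on verifying trace equivalence on protocols, which is notably used to model interesting privacy properties such as anonymity or unlinkability. Several tools for checking trace equivalence rely on a naive and expensive exploration of all interleavings of concurrent actions, which calls for partial-order reduction (POR) techniques. In this paper, we present the first POR technique for protocol equivalences that does not rely on an action-determinism assumption: we recast trace equivalence as a reachability problem, to which persistent and sleep set techniques can be applied, and we show how to effectively apply these results in the context of symbolic execution. We report on a prototype implementation, improving the tool DeepSec.},
}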

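@inproceedings{CDD-esorics18,
  author       = {Cortier, V{\'e}ronique and Dallon, Antoine and Delaune, St{\'e}phanie},
  title        = {Efficiently Deciding Equivalence for Standard Primitives and Phases},
  booktitle    = {{P}roceedings of the 23rd {E}uropean {S}ymposium on {R}esearch in {C}omputer {S}ecurity ({ESORICS}'18)},
  acronym      = {{ESORICS}'18},
  editor       = {L{\'o}pez, Javier and Zhou, Jianying and Soriano, Miguel},
  series       = {Lecture Notes in Computer Science},
  volume       = {11098},
  pages        = {491--511},
  publisher    = {Springer},
  address      = {Barcelona, Spain},
  month        = sep,
  year         = 2018,
  doi          = {10.1007/978-3-319-99073-6_24},
  url          = {https://hal.archives-ouvertes.fr/hal-01819366},
  pdf          = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-esorics18.pdf},
  abstract     = {Privacy properties like anonymity or untraceability are now well identified, desirable goals of many security protocols. Such properties are typically stated as equivalence properties. However, automatically checking equivalence of protocols often yields efficiency issues.\par We propose an efficient algorithm, based on graph planning and SAT-solving. It can decide equivalence for a bounded number of sessions, for protocols with standard cryptographic primitives and phases (often necessary to specify privacy properties), provided protocols are well-typed, that is encrypted messages cannot be confused. The resulting implementation, SAT-Equiv, demonstrates a significant speed-up w.r.t. other existing tools that decide equivalence, covering typically more than 100 sessions. Combined with a previous result, SAT-Equiv can now be used to prove security, for some protocols, for an unbounded number of sessions.},
}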

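% The doi field repeats the identifier carried in the url's doid parameter.
@inproceedings{JK-ccs18,
  author       = {Barthe, Gilles and Fan, Xiong and Gancher, Joshua and Gr{\'e}goire, Benjamin and Jacomme, Charlie and Shi, Elaine},
  title        = {Symbolic Proofs for Lattice-Based Cryptography},
  booktitle    = {{P}roceedings of the 25th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity ({CCS}'18)},
  acronym      = {{CCS}'18},
  editor       = {Backes, Michael and Wang, XiaoFeng},
  pages        = {538--555},
  publisher    = {ACM Press},
  address      = {Toronto, Canada},
  month        = oct,
  year         = {2018},
  doi          = {10.1145/3243734.3243825},
  url          = {https://dl.acm.org/citation.cfm?doid=3243734.3243825},
  pdf          = {https://eprint.iacr.org/2018/765.pdf},
}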

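@inproceedings{BLS-pods19,
  author       = {Baelde, David and Lick, Anthony and Schmitz, Sylvain},
  title        = {Decidable {XP}ath Fragments in the Real World},
  booktitle    = {{P}roceedings of the 38th {A}nnual {ACM} {SIGACT}-{SIGMOD}-{SIGART} {S}ymposium on {P}rinciples of {D}atabase {S}ystems ({PODS}'19)},
  acronym      = {{PODS}'19},
  editor       = {Koch, Christoph},
  pages        = {285--302},
  publisher    = {ACM Press},
  address      = {Amsterdam, Netherlands},
  month        = jun # {--} # jul,
  year         = 2019,
  doi          = {10.1145/3294052.3319685},
  url          = {https://hal.inria.fr/hal-01852475},
  abstract     = {XPath is arguably the most popular query language for selecting elements in XML documents. Besides query evaluation, query satisfiability and containment are the main computational problems for XPath; they are useful, for instance, to detect dead code or validate query optimisations. These problems are undecidable in general, but several fragments have been identified over time for which satisfiability (or query containment) is decidable: CoreXPath 1.0 and 2.0 without so-called data joins, fragments with data joins but limited navigation, etc. However, these fragments are often given in a simplified syntax, and sometimes wrt. a simplified XPath semantics. Moreover, they have been studied mostly with theoretical motivations, with little consideration for the practically relevant features of XPath. To investigate the practical impact of these theoretical fragments, we design a benchmark compiling thousands of real-world XPath queries extracted from open-source projects. These queries are then matched against syntactic fragments from the literature. We investigate how to extend these fragments with seldom-considered features such as free variables, data tests, data joins, and the last() and id() functions, for which we provide both undecidability and decidability results. We analyse the coverage of the original and extended fragments, and further provide a glimpse at which other practically-motivated features might be worth investigating in the future.},
}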

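@inproceedings{BLS-aiml18,
  author       = {Baelde, David and Lick, Anthony and Schmitz, Sylvain},
  title        = {A Hypersequent Calculus with Clusters for Linear Frames},
  booktitle    = {{P}roceedings of the 10th {C}onference on {A}dvances in {M}odal {L}ogics ({AiML}'18)},
  acronym      = {{AiML}'18},
  editor       = {Bezhanishvili, Guram and D'Agostino, Giovanna and Metcalfe, George and Studer, Thomas},
  pages        = {36--55},
  publisher    = {College Publications},
  address      = {Bern, Switzerland},
  month        = aug,
  year         = 2018,
  url          = {https://hal.inria.fr/hal-01756126},
  abstract     = {The logic Kt4.3 is the basic modal logic of linear frames. Along with its extensions, it is found at the core of linear-time temporal logics and logics on words. In this paper, we consider the problem of designing proof systems for these logics, in such a way that proof search yields decision procedures for validity with an optimal complexity---coNP in this case. In earlier work, Indrzejczak has proposed an ordered hypersequent calculus that is sound and complete for Kt4.3 but does not yield any decision procedure. We refine his approach, using a hypersequent structure that corresponds to weak rather than strict total orders, and using annotations that reflect the model-theoretic insights given by small models for Kt4.3. We obtain a sound and complete calculus with an associated coNP proof search algorithm. These results extend naturally to the cases of unbounded and dense frames, and to the complexity of the two-variable fragment of first-order logic over total orders.},
}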

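@article{JGL-mscs18,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {A semantics for nabla},
  journal      = {Mathematical Structures in Computer Science},
  pages        = {1--25},
  publisher    = {Cambridge University Press},
  year         = {2018},
  note         = {To appear},
  doi          = {10.1017/S0960129518000063},
  url          = {https://www.cambridge.org/core/journals/mathematical-structures-in-computer-science/article/semantics-for-nabla/A3337AB54DC58CBDDEC78116F4390777},
}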

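% The year agrees with the '17 acronym and the EuroSP.2017 DOI of this entry.
@inproceedings{JKS-eurosp17,
  author       = {Jacomme, Charlie and Kremer, Steve and Scerri, Guillaume},
  title        = {Symbolic Models for Isolated Execution Environments},
  booktitle    = {{P}roceedings of the 2nd {IEEE} European Symposium on Security and Privacy ({EuroS\&P}'17)},
  acronym      = {{EuroS\&P}'17},
  editor       = {Sabelfeld, Andrei and Smith, Matthew},
  pages        = {530--545},
  publisher    = {{IEEE} Press},
  address      = {Paris, France},
  month        = apr,
  year         = {2017},
  doi          = {10.1109/EuroSP.2017.16},
  url          = {https://ieeexplore.ieee.org/document/7962001/},
  abstract     = {Isolated Execution Environments (IEEs), such as ARM TrustZone and Intel SGX, offer the possibility to execute sensitive code in isolation from other malicious programs, running on the same machine, or a potentially corrupted OS. A key feature of IEEs is the ability to produce reports binding cryptographically a message to the program that produced it, typically ensuring that this message is the result of the given program running on an IEE. We present a symbolic model for specifying and verifying applications that make use of such features. For this we introduce the S{\(\ell\)}APIC process calculus, that allows to reason about reports issued at given locations. We also provide tool support, extending the SAPIC/TAMARIN toolchain and demonstrate the applicability of our framework on several examples implementing secure outsourced computation (SOC), a secure licensing protocol and a one-time password protocol that all rely on such IEEs.},
}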

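@inproceedings{JK-csf18,
  author       = {Jacomme, Charlie and Kremer, Steve},
  title        = {An extensive formal analysis of multi-factor authentication protocols},
  booktitle    = {{P}roceedings of the 31st {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'18)},
  acronym      = {{CSF}'18},
  editor       = {Chong, Steve and Delaune, St{\'e}phanie},
  pages        = {1--15},
  publisher    = {{IEEE} Computer Society Press},
  address      = {Oxford, UK},
  month        = jul,
  year         = {2018},
  doi          = {10.1109/CSF.2018.00008},
  url          = {https://ieeexplore.ieee.org/document/8429292/},
  pdf          = {https://easychair.org/publications/preprint/m89p},
  abstract     = {Passwords are still the most widespread means for authenticating users, even though they have been shown to create huge security problems. This motivated the use of additional authentication mechanisms used in so-called multi-factor authentication protocols. In this paper we define a detailed threat model for this kind of protocols: while in classical protocol analysis attackers control the communication network, we take into account that many communications are performed over TLS channels, that computers may be infected by different kinds of malwares, that attackers could perform phishing, and that humans may omit some actions. We formalize this model in the applied pi calculus and perform an extensive analysis and comparison of several widely used protocols - variants of Google 2-step and FIDO's U2F. The analysis is completely automated, generating systematically all combinations of threat scenarios for each of the protocols and using the ProVerif tool for automated protocol analysis. Our analysis highlights weaknesses and strengths of the different protocols, and allows us to suggest several small modifications of the existing protocols which are easy to implement, yet improve their security in several threat scenarios.},
}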

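@article{CCD-ic17,
  author       = {Cheval, Vincent and Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie},
  title        = {A procedure for deciding symbolic equivalence between sets of constraint systems},
  journal      = {Information and Computation},
  volume       = {255},
  pages        = {94--125},
  publisher    = {Elsevier Science Publishers},
  year         = {2017},
  doi          = {10.1016/j.ic.2017.05.004},
  url          = {https://www.sciencedirect.com/science/article/pii/S0890540117300949},
  abstract     = {We consider security properties of cryptographic protocols that can be modelled using trace equivalence, a crucial notion when specifying privacy-type properties, like anonymity, vote-privacy, and unlinkability. Infinite sets of possible traces are symbolically represented using deducibility constraints. We describe an algorithm that decides trace equivalence for protocols that use standard primitives and that can be represented using such constraints. More precisely, we consider symbolic equivalence between sets of constraint systems, and we also consider disequations. Considering sets and disequations is actually crucial to decide trace equivalence for processes that may involve else branches and/or private channels (for a bounded number of sessions). Our algorithm for deciding symbolic equivalence between sets of constraint systems is implemented and performs well in practice. Unfortunately, it does not scale up well for deciding trace equivalence between processes. This is however the first implemented algorithm deciding trace equivalence on such a large class of processes.},
}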

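@article{HGJX-lmcs18,
  author       = {Ho, Weng Kin and Goubault-Larrecq, Jean and Jung, Achim and Xi, Xiaoyong},
  title        = {The {Ho-Zhao} Problem},
  journal      = {Logical Methods in Computer Science},
  volume       = {14},
  number       = {1},
  pages        = {1--19},
  month        = jan,
  year         = {2018},
  doi          = {10.23638/LMCS-14(1:7)2018},
  url          = {https://lmcs.episciences.org/4218},
  pdf          = {http://www.lsv.fr/Publis/PAPERS/PDF/HGJX-lmcs18.pdf},
}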

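@inproceedings{JGL-lncs11760,
  author       = {Goubault{-}Larrecq, Jean},
  title        = {Fooling the Parallel or Tester with Probability {$8/27$}},
  booktitle    = {The Art of Modelling Computational Systems: A Journey from Logic and Concurrency to Security and Privacy---Essays Dedicated to Catuscia Palamidessi on the Occasion of Her 60th Birthday},
  acronym      = {{The Art of Modelling Computational Systems: A Journey from Logic and Concurrency to Security and Privacy}},
  editor       = {Alvim, M{\'a}rio S. and Chatzikokolakis, Kostas and Olarte, Carlos and Valencia, Franck},
  series       = {Lecture Notes in Computer Science},
  volume       = 11760,
  pages        = {313--328},
  publisher    = {Springer},
  year         = 2019,
  note         = {Updated version on arXiv:1903.12653},
  url          = {https://arxiv.org/abs/1903.12653},
  abstract     = {It is well-known that the higher-order language PCF is not fully abstract: there is a program - the so-called parallel or tester, meant to test whether its input behaves as a parallel or - which never terminates on any input, operationally, but is denotationally non-trivial. We explore a probabilistic variant of PCF, and ask whether the parallel or tester exhibits a similar behavior there. The answer is no: operationally, one can feed the parallel or tester an input that will fool it into thinking it is a parallel or. We show that the largest probability of success of such would-be parallel ors is exactly 8/27. The bound is reached by a very simple probabilistic program. The difficult part is to show that that bound cannot be exceeded.},
}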

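@inproceedings{DGJL-isdt19,
  author       = {de Brecht, Matthew and Goubault{-}Larrecq, Jean and Jia, Xiaodong and Lyu, Zhenchao},
  title        = {Domain-complete and {LCS}-complete Spaces},
  booktitle    = {{P}roceedings of the {I}nternational {S}ymposium on {D}omain {T}heory ({ISDT}'19)},
  acronym      = {{ISDT}'19},
  editor       = {Jung, Achim and Li, Qingguo and Xu, Luoshan and Zhang, Guo-Qiang},
  series       = {Electronic Notes in Theoretical Computer Science},
  volume       = 345,
  pages        = {3--35},
  publisher    = {Elsevier Science Publishers},
  address      = {Yangzhou, China},
  month        = jun,
  year         = 2019,
  doi          = {10.1016/j.entcs.2019.07.014},
}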

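@inproceedings{GJ-isdt19,
  author       = {Goubault{-}Larrecq, Jean and Jia, Xiaodong},
  title        = {Algebras of the Extended Probabilistic Powerdomain Monad},
  booktitle    = {{P}roceedings of the {I}nternational {S}ymposium on {D}omain {T}heory ({ISDT}'19)},
  acronym      = {{ISDT}'19},
  editor       = {Jung, Achim and Li, Qingguo and Xu, Luoshan and Zhang, Guo-Qiang},
  series       = {Electronic Notes in Theoretical Computer Science},
  volume       = 345,
  pages        = {37--61},
  publisher    = {Elsevier Science Publishers},
  address      = {Yangzhou, China},
  month        = jun,
  year         = 2019,
  doi          = {10.1016/j.entcs.2019.07.015},
}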

@article{GM-hjm19,
  author       = {Goubault{-}Larrecq, Jean and Mynard, Fr{\'e}d{\'e}ric},
  title        = {Convergence without Points},
  journal      = {Houston Journal of Mathematics},
  publisher    = {University of Houston},
  year         = 2019,
  note         = {To appear},
}

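% CSF'19 is the 32nd edition: CSF'17 and CSF'18 are listed in this file as the 30th and 31st.
@inproceedings{K-csf19,
  author       = {Koutsos, Adrien},
  title        = {Decidability of a Sound Set of Inference Rules for Computational Indistinguishability},
  booktitle    = {{P}roceedings of the 32nd {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'19)},
  acronym      = {{CSF}'19},
  editor       = {Delaune, St{\'e}phanie and Jia, Limin},
  pages        = {48--61},
  publisher    = {{IEEE} Computer Society Press},
  address      = {Hoboken, NJ, USA},
  month        = jul,
  year         = 2019,
  doi          = {10.1109/CSF.2019.00011},
  pdf          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/K-csf19.pdf},
  abstract     = {Computational indistinguishability is a key property in cryptography and verification of security protocols. Current tools for proving it rely on cryptographic game transformations. We follow Bana and Comon's approach, axiomatizing what an adversary cannot distinguish. We prove the decidability of a set of first-order axioms which are computationally sound, though incomplete, for protocols with a bounded number of sessions whose security is based on an IND-CCA$_2$ encryption scheme. Alternatively, our result can be viewed as the decidability of a family of cryptographic game transformations. Our proof relies on term rewriting and automated deduction techniques.},
}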

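@inproceedings{K-eurosp19,
  author       = {Koutsos, Adrien},
  title        = {The {5G-AKA} Authentication Protocol Privacy},
  booktitle    = {{P}roceedings of the 4th {IEEE} European Symposium on Security and Privacy ({EuroS\&P}'19)},
  acronym      = {{EuroS\&P}'19},
  editor       = {Piessens, Frank and Stajano, Frank},
  pages        = {464--479},
  publisher    = {{IEEE} Press},
  address      = {Stockholm, Sweden},
  month        = jun,
  year         = 2019,
  doi          = {10.1109/EuroSP.2019.00041},
  pdf          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/K-eurosp19.pdf},
  abstract     = {We study the 5G-AKA authentication protocol described in the 5G mobile communication standards. This version of AKA tries to achieve a better privacy than the 3G and 4G versions through the use of asymmetric randomized encryption. Nonetheless, we show that except for the IMSI-catcher attack, all known attacks against 5G-AKA privacy still apply. Next, we modify the 5G-AKA protocol to prevent these attacks, while satisfying 5G-AKA efficiency constraints as much as possible. We then formally prove that our protocol is sigma-unlinkable. This is a new security notion, which allows for a fine-grained quantification of a protocol privacy. Our security proof is carried out in the Bana-Comon indistinguishability logic. We also prove mutual authentication as a secondary result.},
}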

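@article{JGL-topa19,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {Formal Ball Monads},
  journal   = {Topology and its Applications},
  publisher = {Elsevier Science Publishers},
  year      = 2019,
  note      = {To appear},
  doi       = {10.1016/j.topol.2019.06.044},
  url       = {http://www.sciencedirect.com/science/article/pii/S0166864119302160},
  abstract  = {The formal ball construction B is a central tool of quasi-metric space theory. We show that it induces monads on certain natural categories of quasi-metric spaces, with 1-Lipschitz maps as morphisms, or with 1-Lipschitz continuous maps as morphisms. Those are left Kock-Z{\"o}berlein monads, and that allows us to characterize their algebras exactly. As an application, we study so-called Lipschitz regular spaces, a natural class of spaces that contain all standard algebraic quasi-metric spaces with relatively compact balls, in particular all metric spaces whose closed balls are compact. There are other Lipschitz regular spaces, as we show, and notably all B-algebras. That includes all spaces of formal balls, with their d+-Scott topology. The value of Lipschitz regularity is that, for a Lipschitz regular standard quasi-metric space X,d, the space LX of lower semicontinuous maps from X to the extended non-negative reals, with the Scott topology, retracts onto each of the spaces L\_alpha(X,d) of alpha-Lipschitz continuous maps, and that the subspace topology on the latter coincides with the Scott topology.},
}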

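@article{HBD-jcs19,
  author    = {Hirschi, Lucca and Baelde, David and Delaune, St{\'e}phanie},
  title     = {A method for unbounded verification of privacy-type properties},
  journal   = {Journal of Computer Security},
  publisher = {{IOS} Press},
  volume    = {27},
  number    = {3},
  pages     = {277--342},
  year      = 2019,
  doi       = {10.3233/JCS-171070},
  url       = {https://content.iospress.com/articles/journal-of-computer-security/jcs171070},
  pdf       = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HBD-jcs19.pdf},
}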

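@inproceedings{BGJKS-csf19,
  author    = {Barthe, Gilles and Gr{\'e}goire, Benjamin and Jacomme, Charlie and Kremer, Steve and Strub, Pierre-Yves},
  title     = {Symbolic methods in computational cryptography proofs},
  booktitle = {{P}roceedings of the 31st {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF}'19)},
  acronym   = {{CSF}'19},
  editor    = {Delaune, St{\'e}phanie and Jia, Limin},
  publisher = {{IEEE} Computer Society Press},
  address   = {Hoboken, NJ, USA},
  pages     = {136--151},
  month     = jul,
  year      = 2019,
  doi       = {10.1109/CSF.2019.00017},
  url       = {https://hal.inria.fr/hal-02117794},
  pdf       = {https://hal.inria.fr/hal-02117794/document},
  abstract  = {Code-based game-playing is a popular methodology for proving security of cryptographic constructions and side-channel countermeasures. This methodology relies on treating cryptographic proofs as an instance of relational program verification (between probabilistic programs), and decomposing the latter into a series of elementary relational program verification steps. In this paper, we develop principled methods for proving such elementary steps for probabilistic programs that operate over finite fields and related algebraic structures. We focus on three essential properties: program equivalence, information flow, and uniformity. We give characterizations of these properties based on deducibility and other notions from symbolic cryptography. We use (sometimes improve) tools from symbolic cryptography to obtain decision procedures or sound proof methods for program equivalence, information flow, and uniformity. Finally, we evaluate our approach using examples drawn from provable security and from side-channel analysis---for the latter, we focus on the masking countermeasure against differential power analysis. A partial implementation of our approach is integrated in EASYCRYPT, a proof assistant for provable security, and in MASKVERIF, a fully automated prover for masked implementations.},
}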

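@inproceedings{JGL-lics19,
  author    = {Goubault{-}Larrecq, Jean},
  title     = {A Probabilistic and Non-Deterministic Call-by-Push-Value Language},
  booktitle = {{P}roceedings of the 34th {A}nnual {ACM\slash IEEE} {S}ymposium on {L}ogic {I}n {C}omputer {S}cience ({LICS}'19)},
  acronym   = {{LICS}'19},
  editor    = {Bouyer, Patricia},
  publisher = {{IEEE} Press},
  address   = {Vancouver, Canada},
  pages     = {1--13},
  month     = jun,
  year      = 2019,
  doi       = {10.1109/LICS.2019.8785809},
  abstract  = {There is no known way of giving a domain-theoretic semantics to higher-order probabilistic languages, in such a way that the involved domains are continuous or quasi-continuous. We argue that the problem naturally disappears for languages with two kinds of types, where one kind is interpreted in a Cartesian-closed category of continuous dcpos, and the other is interpreted in a category that is closed under the probabilistic powerdomain functor. Such a setting is provided by Paul B. Levy's call-by-push-value paradigm. Following this insight, we define a call-by-push-value language, with probabilistic choice sitting inside the value types, and where conversion from a value type to a computation type involves demonic non-determinism. We give both a domain-theoretic semantics and an operational semantics for the resulting language, and we show that they are sound and adequate. With the addition of statistical termination testers and parallel if, we show that the language is even fully abstract---and those two primitives are required for that.},
}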
