Julien Signoles - Academia.edu
Papers by Julien Signoles
This paper presents a methodology which combines static analysis and runtime assertion checking in order to automatically generate countermeasures, and to execute them whenever a flaw in the code that may compromise the security of an application is detected during execution. Static analysis pinpoints alarms that must be converted into runtime checks, so the verifier only has to monitor the security-critical points of the application. This method makes it possible to strengthen security-critical source code in a cost-effective manner. We implemented it in the Frama-C framework and experimented with it on a real use case based on the Apache web server. The paper ends with preliminary considerations on potential perspectives for security evaluation and certification.
HAL (Le Centre pour la Communication Scientifique Directe), 2017
HAL (Le Centre pour la Communication Scientifique Directe), May 19, 2010
Enforcing coding standards is one of the traditional concerns of industrial software development. In this paper, we present a framework based on the open source Frama-C platform for easily developing syntactic, typing (and even some semantic) analyses of C source code, among which conformance to coding standards. We report on our successful attempt to develop a Frama-C plug-in named Taster, in order to replace a commercial, off-the-shelf, legacy tool in the verification process of several Airbus avionics software products. We therefore present the types of coding rules to be verified, the Frama-C platform and the Taster plug-in. We also discuss ongoing industrial deployment and qualification activities.
Kalpa publications in computing, Jan 12, 2018
This short paper presents a compilation of feedback about online runtime verification competitions from an active contestant. In particular, it points out several issues and how they could possibly be fixed.
Lecture Notes in Computer Science, 2018
Analysis tools like abstract interpreters, symbolic execution tools and testing tools usually require a proper context to give useful results when analyzing a particular function. Such a context initializes the function parameters and global variables to comply with the function's requirements. However, writing it by hand may be error-prone: the handwritten context might contain bugs or not match the intended specification. A more robust approach is to specify the context in a dedicated specification language and to rely on the analysis tools to support it properly. This may require significant development effort to enhance the tools, which is often not feasible, if possible at all. This paper presents a way to systematically generate such a context from a formal specification of a C function. This is applied to a subset of the ACSL specification language in order to generate suitable contexts for the abstract interpretation-based value analysis plug-ins of Frama-C, a framework for analysis of code written in C. The idea presented here has been implemented in a new Frama-C plug-in which is currently in use in an operational industrial setting.
Sigplan Notices, 2017
We show how static analysis for secure information flow can be expressed and proved correct entirely within the framework of abstract interpretation. The key idea is to define a Galois connection that directly approximates the hyperproperty of interest. To enable use of such Galois connections, we introduce a fixpoint characterisation of hypercollecting semantics, i.e. a "set of sets" transformer. This makes it possible to systematically derive static analyses for hyperproperties entirely within the calculational framework of abstract interpretation. We evaluate this technique by deriving example static analyses. For qualitative information flow, we derive a dependence analysis similar to the logic of Amtoft and Banerjee (SAS'04) and the type system of Hunt and Sands (POPL'06). For quantitative information flow, we derive a novel cardinality analysis that bounds the leakage conveyed by a program instead of simply deciding whether it exists. This encompasses problems that are hypersafety but not k-safety. We put the framework to use and introduce variations that achieve precision rivalling the most recent and precise static analyses for information flow.
Refinement is a method for deriving correct programs from specifications. An expressive type language is another means of ensuring program correctness. We propose an extension of the ML language that makes it possible to verify the correctness of ML programs by combining these two approaches: programs can be built by successive refinements of specifications, with the correctness of each step being guaranteed by a type system. At the syntactic level, our extension adds base types to expressions, thereby introducing underdeterminism and dependent types. It also integrates a new construct, called demonic application, so as to increase the power of the specification language. We study the denotational and operational semantics of the proposed extension. We prove their equivalence as well as their conservativity with respect to the usual semantics of ML. We also propose a system for generating proof obligations: if these obligations are proved correct by the user, then the correctness of the program with respect to its specification is guaranteed. Furthermore, a prototype of the proposed extension has been implemented, providing promising initial experimental results. Finally, the addition of ML-specific features missing from our extension is also discussed.
Lecture Notes in Computer Science, 2023
HAL (Le Centre pour la Communication Scientifique Directe), Jun 27, 2016
Qualitative information flow aims at detecting information leaks, whereas the emerging quantitative techniques target the estimation of information leaks. Quantifying information flow in the presence of low inputs is challenging, since the traditional techniques of approximating and counting the reachable states of a program no longer suffice. This paper proposes an automated quantitative information flow analysis for imperative deterministic programs with low inputs. The approach relies on a novel abstract domain, the cardinal abstraction, in order to compute a precise upper bound on the maximum leakage of batch-job programs. We prove the soundness of the cardinal abstract domain by relying on the framework of abstract interpretation. We also prove its precision with respect to a flow-sensitive type system for the two-point security lattice.
Springer eBooks, 2013
Novel approaches for dynamic information flow monitoring are promising since they enable permissive (accepting a large subset of executions) yet sound (rejecting all insecure executions) enforcement of non-interference. In this paper, we present a dynamic information flow monitor for a language supporting pointers. Our flow-sensitive monitor relies on prior static analysis in order to soundly enforce non-interference. We also propose a program transformation that preserves the behavior of the initial programs and soundly inlines our security monitor. This program transformation enables both dynamic and static verification of non-interference.
Lecture Notes in Computer Science, 2018
Runtime assertion checking aspires to a level of sound and complete checking of software similar to that of static deductive verification. Furthermore, for the same source language and specification language, runtime and static checking should implement the same semantics as closely as possible. We describe here the architecture used by two different systems to achieve this goal. We accompany that with descriptions of novel designs and implementations that add new capabilities to runtime assertion checking, bringing it closer to the feature coverage of static verification.
Lecture Notes in Computer Science, 2020
Lecture Notes in Computer Science, 2016
Why3 is an environment for static verification, generic in the sense that it is used as an intermediate tool by different front-ends for the verification of Java, C or Ada programs. Yet the choices made when designing the specification languages provided by those front-ends differ significantly, in particular with respect to the executability of specifications. We review these differences and the issues that result from these choices. We emphasize the specific feature of ghost code, which turns out to be extremely useful for both static and dynamic verification. We also present techniques, combining static and dynamic features, that help users understand why static verification fails.
Springer eBooks, 2015
Abstract interpretation is a powerful tool in program verification. Several commercial or industrial-scale implementations of abstract interpretation have demonstrated that this approach can verify safety properties of real-world code. However, using abstract interpretation tools is not always simple. If no user-provided hints are available, the abstract interpretation engine may lose precision during widening and produce an overwhelming number of false alarms. Yet manually providing these hints is time-consuming and often frustrating when re-running the analysis takes a lot of time. We present an algorithm for program verification that combines abstract interpretation, symbolic execution and crowdsourcing. If verification fails, our procedure suggests likely invariants, or program patches, that provide helpful information to the verification engineer and make it easier to find the correct specification. By complementing machine learning with well-designed games, we enable program analysis to incorporate human insights that help improve its scalability and usability.
Lecture Notes in Computer Science, Aug 12, 2008
Bugs in programs implementing security features can be catastrophic: for example, they may be exploited by malicious users to gain access to sensitive data. These exploits break the confidentiality of information. All security analyses assume that software implementing security features correctly implements the security policy, i.e. is security-bug-free. This assumption is almost always wrong, and IT security administrators consider that any software that does not receive security patches on a regular basis should be replaced as soon as possible. As programs implementing security features are usually large, manual auditing is very error-prone and testing techniques are very expensive. This article proposes to reduce the code that has to be audited by applying a program reduction technique called slicing. Slicing transforms a source code into an equivalent one according to a set of criteria. We show that existing slicing criteria do not preserve the confidentiality of information. We introduce a new automatic and correct source-to-source method that properly preserves the confidentiality of information, i.e. confidentiality is guaranteed to be exactly the same in the original program and in the sliced program.
Lecture Notes in Computer Science, 2014
Among the various static and dynamic software verification techniques, runtime assertion checking traditionally holds a particular place. Commonly used by most software developers, it can provide fast feedback on the correctness of a property for one or several concrete executions of the program. Quite easy to realize for simple program properties, it becomes however much more complex for complete program contracts written in an expressive specification language. This paper presents a one-hour tutorial on runtime assertion checking in which we give an overview of this popular dynamic verification technique, present its various combinations with other verification techniques (such as static analysis, deductive verification, test generation, etc.) and emphasize the benefits and difficulties of these combinations. They are illustrated on concrete examples of C programs within the Frama-C software analysis framework using the executable specification language E-ACSL.
Lecture Notes in Computer Science, 2023
Formal Aspects of Computing, Jul 31, 2023