Abstract: Verifying certain security requirements is not even always decidable. Furthermore, properties like privacy preservation, which are not expressible as trace properties, can be verified only via few methodologies. In this talk, we will see some of these challenges and how they can be tackled, in part, by parameterised verification of temporal-epistemic logics in specialised multi-agent system semantics.

Humans typically do not realize how much intelligence is required to perform usual motions.
One of the reasons why we are so good at motion control seems to be that we can abstract continuous inputs and outputs and their relationships with great flexibility, and perhaps reason almost symbolically on these abstractions. This observation leads to the temptation to tackle humanoid robot motion problems with discrete abstractions and formal methods.

We consider opacity questions where an observation function provides
to an external attacker a view of the states along executions and
secret executions are those visiting some secret state from a fixed
subset. Disclosure occurs when the observer can deduce from a finite
observation that the execution is secret. In a probabilistic and non
deterministic setting, where an internal agent can choose between
actions, there are two points of view, depending on the status of
this agent: the successive choices can either help the attacker
trying to disclose the secret, if the system has been corrupted, or
they can prevent disclosure as much as possible if these choices are
part of the system design. In the former situation, corresponding to
a worst case, the disclosure value is the supremum over the
strategies of the probability to disclose the secret (maximisation),
whereas in the latter case, the disclosure is the infimum
(minimisation). We address quantitative problems (relation between
the optimal value and a threshold) and qualitative ones (when the
threshold is zero or one) related to both forms of disclosure for a
fixed or finite horizon. For all problems, we characterise their
decidability status and their complexity. Surprisingly, while in
maximisation problems optimal strategies may be chosen among
deterministic ones, it is not the case for minimisation problems,
but more minimisation problems than maximisation ones are decidable.

La vérification de la résistance aux attaques des implémentations embarquées des vérifieurs de code intermédiaire Java Card est une tâche complexe. Les méthodes actuelles n’étant pas suffisamment efficaces, seule la génération de tests manuelle est possible. Pour automatiser ce processus, nous proposons une méthode appelée VTG («Vulnerability Test Generation», génération de tests de vulnérabilité). En se basant sur une représentation formelle des comportements fonctionnels du système sous test, un ensemble de tests d’intrusions est généré. Cette méthode s’inspire des techniques de mutation et de test à base de modèle. Dans un premier temps, le modèle est muté selon des règles que nous avons définies afin de représenter les potentielles attaques. Les tests sont ensuite extraits à partir des modèles mutants. Deux modèles Event-B ont été proposés. Le premier représente les contraintes structurelles des fichiers d’application Java Card. Le VTG permet en quelques secondes de générer des centaines de tests abstraits. Le second modèle est composé de 66 événements permettant de représenter 61 instructions Java Card. La mutation est effectuée en quelques secondes. L’extraction des tests permet de générer 223 tests en 45 min. Chaque test permet de vérifier une précondition ou une combinaison de préconditions d’une instruction. Cette méthode nous a permis de tester différents mécanismes d’implémentations de vérifieur de code intermédiaire Java Card. Bien que développée pour notre cas d’étude, la méthode proposée est générique et a été appliquée à d’autres cas d’études.

La vérification de la résistance aux attaques des implémentations embarquées des vérifieurs de code intermédiaire Java Card est une tâche complexe. Les méthodes actuelles n’étant pas suffisamment efficaces, seule la génération de tests manuelle est possible. Pour automatiser ce processus, nous proposons une méthode appelée VTG («Vulnerability Test Generation», génération de tests de vulnérabilité). En se basant sur une représentation formelle des comportements fonctionnels du système sous test, un ensemble de tests d’intrusions est généré. Cette méthode s’inspire des techniques de mutation et de test à base de modèle. Dans un premier temps, le modèle est muté selon des règles que nous avons définies afin de représenter les potentielles attaques. Les tests sont ensuite extraits à partir des modèles mutants. Deux modèles Event-B ont été proposés. Le premier représente les contraintes structurelles des fichiers d’application Java Card. Le VTG permet en quelques secondes de générer des centaines de tests abstraits. Le second modèle est composé de 66 événements permettant de représenter 61 instructions Java Card. La mutation est effectuée en quelques secondes. L’extraction des tests permet de générer 223 tests en 45 min. Chaque test permet de vérifier une précondition ou une combinaison de préconditions d’une instruction. Cette méthode nous a permis de tester différents mécanismes d’implémentations de vérifieur de code intermédiaire Java Card. Bien que développée pour notre cas d’étude, la méthode proposée est générique et a été appliquée à d’autres cas d’études.

For a fixed base b, any integer can be encoded as a finite word of alphabet of digits.  In dimension d>0, a vector of d integers is encoded as a word of alphabet of vector of d digits. A set of vector of integers is thus encoded as a language whose alphabet is the set of vector of digits. Thus, an automaton whose alphabet is the set of vector of digits recognizes a set of integers. Similarly, a Büchi automaton recognizes a set of vector of real.

It is then natural to consider algorithms which decide whether the set of vectors of numbers accepted by a finite automaton admits some properties. For example, Honkala proved in 1986 that it is decidable whether an automaton recognize a FO[N,+,<]-definable set of integers. Muchnik proved a similar result for automata recognizing sets of vectors of reals. A polynomial-time algorithm was then given by Leroux in 2006, and a quasi-linear time algorithm for the case of dimension 1 was given in 2013 by Marsault and Sakarovitch.

We state that it is decidable in linear time:
-whether a set of reals recognized by a given finite minimal weak Büchi automaton is FO[R,+,<]-definable.
-whether a set of vectors recognized by a minimal finite deterministic automaton can be defined in some logics less expressive than FO[N,+], such as FO[N,<,mod].
Furthermore, formulas which defines those sets can be computed in linear time and cubic time respectively.

Furthermore,  is shown that it is decidable whether a set of vector of real or of integers  accepted by a (weak Büchi) automaton:
-is definable in a logic which admits quantifier-elimination. For example, if the set is definable in FO[R,+,<], FO[R,Z,+,<,mod,floor] where mod is the set of modular predicate, FO[N,<,mod] or FO[<].
-satisfies a first-order formula in some formalism. For example, whether a set is a submonoid/subsemigroup of (R^d,+)

In this talk, I intend to:
-introduce automata recognizing set of vector of numbers,
-characterize the set of numbers which are FO[N,<,mod]- and FO[R,+,<]-definable,
-introduce and generalizes the methods used by Honkala, Muchnik and Marsault-Sakarovitch
-explain how how those methods can be applied to the above-mentioned problems.

In this talk, we present infinite time Turing machines (ITTM), from
the original definition of the model to some new infinite time
algorithms.

We will present algorithmic techniques that allow to highlight some
properties of the ITTM-computable ordinals. In particular, we will
study gaps in ordinal computation times, that is to say, ordinal times
at which no infinite time program halts.

In this talk we will consider membrane (P) systems working with
multisets with integer multiplicities.  We will focus on a model in
which rule applicability is not influenced by the contents of the
membrane.  We show that this variant is closely related to blind
register machines and integer vector addition systems.  Furthermore, we
describe the computational power of these models in terms of linear and
semilinear sets of integer vectors.

We introduce a new setting where a population of agents, each modelled by a finite-state system, are controlled uniformly: the controller applies the same action to every agent. The framework is largely inspired by the control of a biological system, namely a population of yeasts, where the controller may only change the environment common to all cells. In this talk, we will describe a sure synchronization problem for such populations: no matter how individual agents react to the actions of the controller, the controller aims at driving all agents synchronously to a goal set of states. The agents are naturally represented by a non-deterministic finite state automaton, the same for every agent, and the whole system is encoded as a 2-player game. The first player chooses actions, and the second player resolves non-determinism for each agent. The game with m agents is called the m-population game. A natural parametrized control problem, given the automaton representing the agents, is whether player one wins the m-population game for any population size m. We show that if the answer is negative, there exists a cut-off, that is, a population size m0 such that for populations of size m < m0 there exists a winning controller, and there is none for populations of size m >m0. Surprisingly, we show that this cut-off can be doubly exponential in the number of states of the NFA. While this suggests a high complexity for the parameterized control problem, we actually show that it can be solved in EXPTIME and is PSPACE-hard.

To achieve scalability, modern Internet services often rely on
distributed databases with consistency models for transactions
weaker than serializability.
At present, application programmers often lack techniques to ensure
that the weakness of these consistency models does not violate
application correctness.
In this talk I will present criteria to check whether applications
that rely on a database providing only weak consistency are robust,
i.e., behave as if they used a database providing serializability,
and I will focus on a consistency model called Parallel Snapshot Isolation.
The results I will outline handle systematically and uniformly several
recently proposed weak consistency models, as well as a mechanism for
strengthening consistency in parts of an application.