Matthieu Lemerre

Atomic Energy and Alternative Energies Commission | CEA · Direction de la Recherche Technologique (DRT)

PhD

About

40 Publications
5,359 Reads
224 Citations
Introduction
Dr Matthieu Lemerre's areas of expertise include the design and formal verification of safe and secure OS kernels, the design and scheduling of real-time systems, the design and formal verification of shared-memory concurrent programs, programming language transformations, and sound static analysis of system software by abstract interpretation.

Publications (40)
Article
Rewriting and static analyses are mutually beneficial techniques: program transformations change the intensional aspects of the program, and can thus improve analysis precision, while some efficient transformations are enabled by specific knowledge of some program invariants. Despite the strong interaction between these techniques, they are usually...
Chapter
Template languages transform tree-structured data into text. We study the reverse problem, transforming the template into a parser that returns all the tree-structured data that can produce a given text. Programs written in template languages are generally not injective (they have multiple preimages), not affine (some input variables can appear at...
Article
Full-text available
Static single assignment (SSA) form is a popular intermediate representation that helps implement useful static analyses, including global value numbering (GVN), sparse dataflow analyses, or SMT-based abstract interpretation or model checking. However, the precision of the SSA translation itself depends on static analyses, and a priori static analy...
Chapter
Full-text available
To understand and detect possible errors in programs manipulating memory, static analyses of various levels of precision have been introduced, yet it remains hard to capture both information about the byte-level layout and precise global structural invariants. Classical pointer analyses struggle with the latter, whereas advanced shape analyses incu...
Article
Full-text available
Static analyses aim at inferring semantic properties of programs. We distinguish two important classes of static analyses: state analyses and relational analyses. While state analyses aim at computing an over-approximation of reachable states of programs, relational analyses aim at computing functional properties over the input–output states of pro...
Preprint
Full-text available
Inline assembly is still a common practice in low-level C programming, typically for efficiency reasons or for accessing specific hardware resources. Such embedded assembly codes in the GNU syntax (supported by major compilers such as GCC, Clang and ICC) have an interface specifying how the assembly codes interact with the C environment. For simpli...
Preprint
Full-text available
The kernel is the most safety- and security-critical component of many computer systems, as the most severe bugs lead to complete system crash or exploit. It is thus desirable to guarantee that a kernel is free from these bugs using formal methods, but the high cost and expertise required to do so are deterrent to wide applicability. We propose a m...
Chapter
Full-text available
Dataflow test coverage criteria, such as all-defs and all-uses, belong to the most advanced coverage criteria. These criteria are defined by complex artifacts combining variable definitions, uses and program paths. Detection of polluting (i.e. inapplicable, infeasible and equivalent) test objectives for such criteria is a particularly challenging t...
Preprint
Full-text available
Operating system kernels are the security keystone of most computer systems, as they provide the core protection mechanisms. Kernels are in particular responsible for their own security, i.e. they must prevent untrusted user tasks from reaching their level of privilege. We demonstrate that proving such absence of privilege escalation is a pre-requi...
Preprint
Full-text available
Directed fuzzing focuses on automatically testing specific parts of the code by taking advantage of additional information such as (partial) bug stack trace, patches or risky operations. Key applications include bug reproduction, patch testing and static analysis report verification. Although directed fuzzing has received a lot of attention recentl...
Article
Full-text available
International Conference on Integrated Formal Methods 2020-11-16/20, Lugano, Switzerland
Chapter
Full-text available
Shape analyses aim at inferring semantic invariants related to the data-structures that programs manipulate. To achieve that, they typically abstract the set of reachable states. By contrast, abstractions for transformation relations between input states and output states not only provide a finer description of program executions but also enable th...
Article
Full-text available
The traditional abstract domain framework for imperative programs suffers from several shortcomings; in particular it does not allow precise symbolic abstractions. To solve these problems, we propose a new abstract interpretation framework, based on symbolic expressions used both as an abstraction of the program, and as the input analyzed by abstra...
Conference Paper
Full-text available
Static analyses aim at inferring semantic properties of programs. While many analyses compute an over-approximation of reachable states, some analyses compute a description of the input-output relations of programs. In the case of numeric programs, several analyses have been proposed that utilize relational numerical abstract domains to describe re...
Conference Paper
Full-text available
Executions in the PharOS real-time system are deterministic in the sense that the sequence of local states for every process is independent of the order in which processes are scheduled. The essential ingredient for achieving this property is that a temporal window of execution is associated with every instruction. Messages become visible to receiv...
Conference Paper
Full-text available
Abstract interpretation is a powerful tool in program verification. Several commercial or industrial scale implementations of abstract interpretation have demonstrated that this approach can verify safety properties of real-world code. However, using abstract interpretation tools is not always simple. If no user-provided hints are available, the ab...
Conference Paper
Full-text available
Cloud hypervisors are critical software whose formal verification can increase our confidence in the reliability and security of the cloud. This work presents a case study on formal verification of the virtual memory system of the cloud hypervisor Anaxagoros, a microkernel designed for resource isolation and protection. The code under verification...
Conference Paper
Full-text available
Verifying software systems automatically from their source code rather than modelling them in a dedicated language gives more confidence in establishing their properties. Here we propose a formal specification and verification approach for concurrent C programs directly based on the semantics of C. We define a set of translation rules and implement...
Conference Paper
Full-text available
Complete formal verification of software remains extremely expensive and often reserved in practice for the most critical products. Test generation techniques are much less costly and can be used in combination with theorem proving tools to provide high confidence in the software correctness at an acceptable cost when an automatic prover does not s...
Article
Full-text available
An Approach for Verifying Concurrent C Programs
Conference Paper
Full-text available
This paper presents a model of computation based on real-time constraints and asynchronous message passing, and proves a sufficient and necessary condition for this model to be deterministic. The model is then extended with deterministic error handling, meaning that the same error yields the same consequences on the system. We consider two differen...
Conference Paper
Full-text available
As the usage of the cloud becomes pervasive in our lives, it is needed to ensure the reliability, safety and security of cloud environments. In this paper we study a usual software stack of a cloud environment from the perspective of formal verification. This software stack ranges from applications to the hypervisor. We argue that most of the layer...
Article
Full-text available
This paper describes a new hypervisor built to run Linux in a virtual machine. This hypervisor is built inside Anaxagoros, a real-time microkernel designed to execute safely hard real-time and non real-time tasks. This allows the execution of hard real-time tasks in parallel with Linux virtual machines without interfering with the execution of the...
Article
The migration of many vehicle security features from mechanical solutions (lock and key) to electronic based systems (transponder and RF transceiver) has led to the need for purely electrically operated locking mechanisms. One such an example is a steering column lock, which locks and unlocks the steering wheel movement via a reversible electric mo...
Conference Paper
Full-text available
This paper presents the design and some aspects of the implementation of a highly dependable, safety-oriented kernel for real-time applications. It is specifically designed as an execution facility for a deterministic semi-formal model -- the OASIS model -- which makes it possible to express and verify the temporal behaviors and communications of a safety-critical re...
Article
Full-text available
This paper provides an overview of some principles and mechanisms to securely operate mixed-criticality real-time systems on embedded platforms. Those principles are illustrated with PharOS a complete set of tools to design, implement and execute real-time systems on automotive embedded platforms. The keystone of this approach is a dynamic time-tri...
Conference Paper
Full-text available
We present time-constrained automata (TCA), a model for hard real-time computation in which agents behaviors are modeled by automata and constrained by time intervals. TCA actions can have multiple start time and deadlines, can be aperiodic, and are selected dynamically following a graph, the time-constrained automaton. This allows expressing much...
Article
Full-text available
This paper introduces CONFIGEN, a tool that helps modularizing software. CONFIGEN allows the developer to select a set of elementary components for his software through an interactive interface. Configuration files for use by C/assembly code and Makefiles are then automatically generated, and we successfully used it as a helper tool for complex sys...
Article
Full-text available
Anaxagoros is a microkernel designed to support dependable, concurrent execution of tasks with different safety levels, some of them having real-time constraints. Following the microkernel philosophy of secure resource sharing, it allows resources to be separated into pools accessed only through a dedicated system service. This ensures spatial and behav...
Conference Paper
Full-text available
This paper introduces CONFIGEN, a tool that helps modularizing software. CONFIGEN allows the developer to select a set of elementary components for his software through an interactive interface. Configuration files for use by C/assembly code and Makefiles are then automatically generated, and we successfully used it as a helper tool for complex sys...
Article
Full-text available
This thesis studies the implementation principles for executing, on a single computer, tasks of different criticality levels, some of which may have hard real-time constraints. The difficulties in achieving these objectives fall into three categories. First, it must be proven that the tasks will have enough resources to...
Article
Full-text available
This thesis studies design and implementation principles for executing tasks of different criticality levels on the same computer. Additionally, some of these tasks may have hard real-time constraints. This requires proving that tasks will get enough resources to execute properly, through the use of predictable yet simple allocation policies. M...
Article
Full-text available
Sharing resources between multiple untrusted clients requires a shared service that provides access to the resources upon client requests. But executing these requests needs other resources, like memory or CPU time, which must be carefully allocated. In this paper, we investigate a communication mechanism that allows access to shared services witho...
Article
Full-text available
Multiprocessor scheduling problems are hard because of the numerous constraints on valid schedules to take into account. This paper presents new schedule representations in order to overcome these difficulties, by allowing processors to be fractionally allocated. We prove that these representations are equivalent to the standard representations whe...
