Modular interpretation of heterogeneous modeling diagrams into synchronous equations using static single assignment

The ANR project SPACIFY develops a domain-specific programming environment, Synoptic, to engineer embedded software for space applications. Synoptic is an Eclipse-based modeling environment which supports all aspects of aerospace software design. As such, it is a domain-specific environment consisting of heterogeneous modeling and programming principles defined in collaboration with the industrial partners and end users of the project : imperative synchronous programs, data-flow diagrams, mode automata, blocks, components, scheduling, mapping and timing. This article focuses on the essence and distinctive features of its behavioral or programming aspects : actions, flows and automata, for which we use the code generation infrastructure of the synchronous modeling environment SME. It introduces an efficient method for transforming a hierarchy of blocks consisting of actions (sequential Esterel-like programs), data-flow diagrams (to connect and time modules) and mode automata (to schedule or mode blocks) into a set of synchronous equations. This transformation minimizes the needed state variables and block synchronizations. It consists of an inductive static-single assignment transformation algorithm across a hierarchy of blocks that produces synchronous equations. The impact of this new transformation technique is twofold. With regards to code generation objectives, it minimizes the needed resynchronization of each block in the system with respects to its parents, potentially gaining substantial performance from way less synchronizations. With regards to verification requirements, it minimizes the number of state variables across a hierarchy of automata and hence maximizes model checking performances

A privacy attack on the Swiss Post e-voting system

International audienceThe SwissPost e-voting system is currently proposed under the scrutiny of the community, before being deployed in 2022 for political elections in several Swiss Cantons. We explain how real world constraints led to shortcomings that allowed a privacy attack to be mounted. More precisely, dishonest authorities can learn the vote of several voters of their choice, without being detected, even when the requested threshold of honest authorities act as prescribed

Modeling On-Board Software Dynamic Architecture: A Related Experience using UML-MARTE

International audienceMARTE (Modeling and Analysis of Real-Time and Embedded Systems) is the UML extension profile dedicated to the modeling of Real-time and Embedded Systems (RTES). Standardized by the OMG, UML-MARTE is well accepted in the Model Based Driven Engineering community. However there still exists a big gap to bridge for its use in operational space projects. Some of the identified limiting factors are (1) the high density of the MARTE specification which provides thousands of defined concepts and though requires a deep investment to be correctly handled and understood, (2) the absence of methodology associated to the notation and (3) the lack of experiences relating to the use of MARTE on realistic and operational system in space domain. This paper presents an experience of using UML-MARTE to model the dynamic architecture of an operational space On-Board Software (OBSW) to make a step towards the adoption of UML-MARTE. The modeling methodology adopted in this study is illustrated by a use case based on an operational OBSW. This experience has been conducted in the scope of a R&D study founded by the CNES with the collaboration of Astrium Satellites and Atos

Election Eligibility with OpenID: Turning Authentication into Transferable Proof of Eligibility

Eligibility checks are often abstracted away or omitted in voting protocols, leading to situations where the voting server can easily stuff the ballot box. One reason for this is the difficulty of bootstraping the authentication material for voters without relying on trusting the voting server. In this paper, we propose a new protocol that solves this problem by building on OpenID, a widely deployed authentication protocol. Instead of using it as a standard authentication means, we turn it into a mechanism that delivers transferable proofs of eligibility. Using zk-SNARK proofs, we show that this can be done without revealing any compromising information, in particular, protecting everlasting privacy. Our approach remains efficient and can easily be integrated into existing protocols, as we have done for the Belenios voting protocol. We provide a full-fledged proof of concept along with benchmarks showing our protocol could be realistically used in large-scale elections

Polychronous Interpretation of Synoptic, a Domain Specific Modeling Language for Embedded Flight-Software

The SPaCIFY project, which aims at bringing advances in MDE to the satellite flight software industry, advocates a top-down approach built on a domain-specific modeling language named Synoptic. In line with previous approaches to real-time modeling such as Statecharts and Simulink, Synoptic features hierarchical decomposition of application and control modules in synchronous block diagrams and state machines. Its semantics is described in the polychronous model of computation, which is that of the synchronous language Signal.Comment: Workshop on Formal Methods for Aerospace (FMA 2009

Themis: an On-Site Voting System with Systematic Cast-as-intended Verification and Partial Accountability

International audienceWe propose an on-site voting system Themis, that aims at improving security when local authorities are not fully trusted. Voters vote thanks to voting sheets as well as smart cards that produce encrypted ballots. Electronic ballots are systematically audited, without compromising privacy. Moreover, the system includes a precise dispute resolution procedure identifying misbehaving parties. We conduct a full formal analysis of Themis using ProVerif, with a novel approach in order to cover the modular arithmetic needed in our protocol. In order to evaluate the usability of our system, we organized a voting experiment on a (small) group of voters

Election Verifiability with ProVerif

International audienceElectronic voting systems should guarantee (at least) vote privacy and verifiability. Formally proving these two properties is challenging. Indeed, vote privacy is typically expressed as an equivalence property, hard to analyze for automatic tools, while verifiability requires to count the number of votes, to guarantee that all honest votes are properly tallied. We provide a full characterization of E2E-verifiability in terms of two simple properties, that are shown to be both sufficient and necessary. In contrast, previous approaches proposed sufficient conditions only. These two properties can easily be expressed in a formal tool like ProVerif but remain hard to prove automatically. Therefore, we provide a generic election framework, together with a library of lemmas, for the (automatic) proof of E2E-verifiability. We successfully apply our framework to several protocols of the literature that include two complex, industrial-scale voting protocols, namely Swiss Post and CHVote, designed for the Swiss context

COMET SYSTEME - CNES Airbus Defence and Space Model-Based Systems Engineering - RETEX

International audienc

Belenios with cast as intended

International audienceWe propose the BeleniosCaI protocol, a variant of Belenios which brings the cast-as-intended property, in addition to other existing security properties. Our approach is based on a 2-part checksum that the voting device commits to, before being challenged to reveal one of them chosen at random by the voter. It requires only one device on the voter's side and does not rely on previously sent data like with return codes. Compared to the classical Benaloh auditor cast approach, we still have cast-as-intended with only some probability, but the voter's journey is more linear, and the audited ballot is really the one that is cast. We formally prove the security of BeleniosCaI w.r.t. end-to-end verifiability and privacy in a symbolic model, using the ProVerif tool