13 research outputs found

    Specifying a Cryptographical Protocol in Lustre and SCADE

    We present SCADE and Lustre models of the Message Authenticator Algorithm (MAA), which is one of the first cryptographic functions for computing a message authentication code. The MAA was adopted between 1987 and 2001, in international standards (ISO 8730 and ISO 8731-2), to ensure the authenticity and integrity of banking transactions. This paper discusses the choices and the challenges of our MAA implementations. Our SCADE and Lustre models validate 201 official test vectors for the MAA. Comment: In Proceedings MARS 2020, arXiv:2004.12403. arXiv admin note: text overlap with arXiv:1703.0657

    A Formal TLS Handshake Model in LNT

    Testing of network services represents one of the biggest challenges in cyber security. Because new vulnerabilities are detected on a regular basis, more research is needed. These faults have their roots in the software development cycle or because of intrinsic leaks in the system specification. Conformance testing checks whether a system behaves according to its specification. Here model-based testing provides several methods for automated detection of shortcomings. The formal specification of a system behavior represents the starting point of the testing process. In this paper, a widely used cryptographic protocol is specified and tested for conformance with a test execution framework. The first empirical results are presented and discussed. Comment: In Proceedings MARS/VPT 2018, arXiv:1803.0866

    Comparative Study of Eight Formal Specifications of the Message Authenticator Algorithm

    The Message Authenticator Algorithm (MAA) is one of the first cryptographic functions for computing a Message Authentication Code. Between 1987 and 2001, the MAA was adopted in international standards (ISO 8730 and ISO 8731-2) to ensure the authenticity and integrity of banking transactions. In 1990 and 1991, three formal, yet non-executable, specifications of the MAA (in VDM, Z, and LOTOS) were developed at NPL. Since then, five formal executable specifications of the MAA (in LOTOS, LNT, and term rewrite systems) have been designed at INRIA Grenoble. This article provides an overview of the MAA and compares its formal specifications with respect to common-sense criteria, such as conciseness, readability, and efficiency of code generation. Comment: In Proceedings MARS/VPT 2018, arXiv:1803.0866

    Early Verification of Legal Compliance via Bounded Satisfiability Checking

    Legal properties involve reasoning about data values and time. Metric first-order temporal logic (MFOTL) provides a rich formalism for specifying legal properties. While MFOTL has been successfully used for verifying legal properties over operational systems via runtime monitoring, no solution exists for MFOTL-based verification in early-stage system development captured by requirements. Given a legal property and system requirements, both formalized in MFOTL, the compliance of the property can be verified on the requirements via satisfiability checking. In this paper, we propose a practical, sound, and complete (within a given bound) satisfiability checking approach for MFOTL. The approach, based on satisfiability modulo theories (SMT), employs a counterexample-guided strategy to incrementally search for a satisfying solution. We implemented our approach using the Z3 SMT solver and evaluated it on five case studies spanning the healthcare, business administration, banking and aviation domains. Our results indicate that our approach can efficiently determine whether legal properties of interest are met, or generate counterexamples that lead to compliance violations

    Study of Model-Based Test Generation for GALS Systems

    This dissertation focuses on the model-based testing of GALS (Globally Asynchronous and Locally Synchronous) systems, which are inherently complex because of the combination of synchronous and asynchronous aspects. To cope with this complexity, we explore three directions: (1) techniques for synchronous components; (2) techniques for communication protocols between components; and (3) techniques for complete GALS systems, combining the results of the two previous directions. In the first direction, we explore formal techniques for the functional testing of synchronous components. As a case-study, we reconsider the Message Authenticator Algorithm (MAA), a pioneering cryptographic function designed in the mid-80s, and formalize it as a synchronous dataflow. The modeling and validation of the MAA enabled us to discover various mistakes in prior (informal and formal) specifications of the MAA, the test vectors and code of the ISO 1987 and ISO 1990 standards, and in compilers and verification tools used by us. In the second direction, we explore the formalization and the functional testing of a communication protocol. As a case-study, we reconsider the formalization of the Transport Layer Security (TLS) handshake, a protocol responsible for the authentication and exchange of keys necessary to establish or resume a secure communication. Our model of the TLS version 1.3 has been validated by an approach using our new on-the-fly conformance test case generation tool, named TESTOR, developed on top of the CADP toolbox. TESTOR explores the model and generates automatically a set of controllable test cases or a complete test graph (CTG) to be executed on a physical implementation of the system. In the third direction, we propose a testing methodology for GALS systems combining the two previous directions. We leverage the conformance test generation for asynchronous systems to automatically derive realistic scenarios (inputs constraints and oracles), which are necessary ingredients for the unit testing of individual synchronous components, and are difficult and error-prone to design manually. Thus our methodology integrates (1) synchronous and asynchronous concurrent models; (2) functional unit testing and behavioral conformance testing; and (3) various formal methods and their tool equipments. We illustrate our methodology on a simple, but relevant example inspired by autonomous cars.
    This thesis deals with model-based test generation for GALS (Globally Asynchronous and Locally Synchronous) systems. The combination of synchronous and asynchronous aspects makes these systems complex and calls for new analysis methods. To cope with this complexity, we explore three directions: (1) techniques for synchronous components; (2) techniques for communication protocols between components; and (3) techniques for complete GALS systems, combining the results of the two previous directions. In the first direction, we explore formal techniques for the functional testing of synchronous components. As a case study, we revisit the Message Authenticator Algorithm (MAA), a cryptographic function designed in the mid-80s. We formalize this algorithm as a synchronous dataflow. Modeling and validating the MAA allowed us to discover various errors in prior (informal and formal) specifications of the MAA, in the test vectors and code of the ISO 1987 and ISO 1990 standards, and in the compilers and verification tools we used. In the second direction, we explore the formalization and functional testing of a communication protocol. In our case study, we evaluate the Transport Layer Security (TLS) handshake protocol, responsible for the authentication and exchange of keys needed to establish or resume a secure communication. Our model of TLS version 1.3 was validated by an approach using our new on-the-fly conformance test case generation tool, named TESTOR, developed on top of the CADP toolbox. This tool explores the model and automatically generates a set of test cases or a complete test graph (CTG) to be executed on a physical implementation of a system. In the third direction, we propose a testing methodology for analyzing GALS systems as a whole. We take advantage of conformance test generation for asynchronous systems to automatically derive realistic scenarios (input constraints and oracles), which are hard to design manually and error-prone. Thus, our methodology integrates (1) synchronous and asynchronous concurrent models; (2) functional unit tests and behavioral conformance tests; and (3) various formal methods and their tools. We illustrate our methodology on a simple but representative example inspired by autonomous cars.

    On Model-based Testing of GALS Systems

    This thesis deals with model-based test generation for GALS (Globally Asynchronous and Locally Synchronous) systems. The combination of synchronous and asynchronous aspects makes these systems complex and calls for new analysis methods. To cope with this complexity, we explore three directions: (1) techniques for synchronous components; (2) techniques for communication protocols between components; and (3) techniques for complete GALS systems, combining the results of the two previous directions. In the first direction, we explore formal techniques for the functional testing of synchronous components. As a case study, we revisit the Message Authenticator Algorithm (MAA), a cryptographic function designed in the mid-80s. We formalize this algorithm as a synchronous dataflow. Modeling and validating the MAA allowed us to discover various errors in prior (informal and formal) specifications of the MAA, in the test vectors and code of the ISO 1987 and ISO 1990 standards, and in the compilers and verification tools we used. In the second direction, we explore the formalization and functional testing of a communication protocol. In our case study, we evaluate the Transport Layer Security (TLS) handshake protocol, responsible for the authentication and exchange of keys needed to establish or resume a secure communication. Our model of TLS version 1.3 was validated by an approach using our new on-the-fly conformance test case generation tool, named TESTOR, developed on top of the CADP toolbox. This tool explores the model and automatically generates a set of test cases or a complete test graph (CTG) to be executed on a physical implementation of a system. In the third direction, we propose a testing methodology for analyzing GALS systems as a whole. We take advantage of conformance test generation for asynchronous systems to automatically derive realistic scenarios (input constraints and oracles), which are hard to design manually and error-prone. Thus, our methodology integrates (1) synchronous and asynchronous concurrent models; (2) functional unit tests and behavioral conformance tests; and (3) various formal methods and their tools. We illustrate our methodology on a simple but representative example inspired by autonomous cars.
    This dissertation focuses on the model-based testing of GALS (Globally Asynchronous and Locally Synchronous) systems, which are inherently complex because of the combination of synchronous and asynchronous aspects. To cope with this complexity, we explore three directions: (1) techniques for synchronous components; (2) techniques for communication protocols between components; and (3) techniques for complete GALS systems, combining the results of the two previous directions. In the first direction, we explore formal techniques for the functional testing of synchronous components. As a case-study, we reconsider the Message Authenticator Algorithm (MAA), a pioneering cryptographic function designed in the mid-80s, and formalize it as a synchronous dataflow. The modeling and validation of the MAA enabled us to discover various mistakes in prior (informal and formal) specifications of the MAA, the test vectors and code of the ISO 1987 and ISO 1990 standards, and in compilers and verification tools used by us. In the second direction, we explore the formalization and the functional testing of a communication protocol. As a case-study, we reconsider the formalization of the Transport Layer Security (TLS) handshake, a protocol responsible for the authentication and exchange of keys necessary to establish or resume a secure communication. Our model of the TLS version 1.3 has been validated by an approach using our new on-the-fly conformance test case generation tool, named TESTOR, developed on top of the CADP toolbox. TESTOR explores the model and generates automatically a set of controllable test cases or a complete test graph (CTG) to be executed on a physical implementation of the system. In the third direction, we propose a testing methodology for GALS systems combining the two previous directions. We leverage the conformance test generation for asynchronous systems to automatically derive realistic scenarios (inputs constraints and oracles), which are necessary ingredients for the unit testing of individual synchronous components, and are difficult and error-prone to design manually. Thus our methodology integrates (1) synchronous and asynchronous concurrent models; (2) functional unit testing and behavioral conformance testing; and (3) various formal methods and their tool equipments. We illustrate our methodology on a simple, but relevant example inspired by autonomous cars.

    A Large Term Rewrite System Modelling a Pioneering Cryptographic Algorithm

    We present a term rewrite system that formally models the Message Authenticator Algorithm (MAA), which was one of the first cryptographic functions for computing a Message Authentication Code and was adopted, between 1987 and 2001, in international standards (ISO 8730 and ISO 8731-2) to ensure the authenticity and integrity of banking transactions. Our term rewrite system is large (13 sorts, 18 constructors, 644 non-constructors, and 684 rewrite rules), confluent, and terminating. Implementations in thirteen different languages have been automatically derived from this model and used to validate 200 official test vectors for the MAA.

    Formally Modeling Autonomous Vehicles in LNT for Simulation and Testing

    We present two behavioral models of an autonomous vehicle and its interaction with the environment. Both models use the formal modeling language LNT provided by the CADP toolbox. This paper discusses the modeling choices and the challenges of our autonomous vehicle models, and also illustrates how formal validation tools can be applied to a single component or the overall vehicle.

    Using Formal Conformance Testing to Generate Scenarios for Autonomous Vehicles

    Simulation, a common practice to evaluate autonomous vehicles, requires to specify realistic scenarios, in particular critical ones, which correspond to corner-case situations occurring rarely and potentially dangerous to reproduce in real environments. Such simulation scenarios may be either generated randomly, or specified manually. Randomly generated scenarios can be easily generated, but their relevance might be difficult to assess, for instance when many slightly different scenarios target one feature. Manually specified scenarios can focus on a given feature, but their design might be difficult and time-consuming, especially to achieve satisfactory coverage. In this work, we propose an automatic approach to generate a large number of relevant critical scenarios for autonomous driving simulators. The approach is based on the generation of behavioural conformance tests from a formal model (specifying the ground truth configuration with the range of vehicle behaviours) and a test purpose (specifying the critical feature to focus on). The obtained abstract test cases cover, by construction, all possible executions exercising a given feature, and can be automatically translated into the inputs of autonomous driving simulators. We illustrate our approach by generating hundreds of behaviour trees for the CARLA simulator for several realistic configurations.

    Verifying Collision Risk Estimation using Autonomous Driving Scenarios Derived from a Formal Model

    International audienceVerifying Collision Risk Estimation using Formally Derived Scenarios use formal conformance test generation tools to derive, from a verified formal model, sets of scenarios to be run in a simulator. Second, we model check the traces of the simulation runs to validate the probabilistic estimation of collision risks. Using formal methods brings the combined advantages of an increased confidence in the correct representation of the chosen configuration (temporal logic verification), a guarantee of the coverage and relevance of automatically generated scenarios (conformance testing), and an automatic quantitative analysis of the test execution (verification and statistical analysis on traces)