
Sandrine Blazy

University of Rennes, Irisa, Faculty Member
CompCert is the first commercially available optimizing compiler that is formally verified, using machine-assisted mathematical proofs, to be exempt from mis-compilation. The executable code it produces is proved to behave exactly as specified by the semantics of the source C program. This article gives an overview of the use of CompCert to gain certification credits for a highly safety-critical industry application, certified according to IEC 60880. We will briefly introduce the target application, illustrate the process of changing the existing compiler infrastructure to CompCert, and discuss performance characteristics. The main part focuses on the tool qualification strategy, in particular on how to take advantage of the formal correctness proof in the certification process.
Modern Just-in-Time compilers (or JITs) typically interleave several mechanisms to execute a program. For faster startup times and to observe the initial behavior of an execution, interpretation can be used initially. But after a while, JITs dynamically produce native code for the parts of the program they execute often. Although some time is spent compiling dynamically, this mechanism makes the remainder of the program execution much faster. Such compilers are complex pieces of software with various components, and rely heavily on a precise interplay between the different languages being executed, including on-stack replacement. Traditional static compilers like CompCert have been mechanized in proof assistants, but JITs have scarcely been formalized so far, partly due to their impure nature and their numerous components. This work presents a model JIT with dynamic generation of native code, implemented and formally verified in Coq. Although some parts of a JIT cannot be ...
The C++ language has established itself as a reference in domains where modularity of development must not encroach on the performance of the final software. The main browsers, interpreters and even some parts of Microsoft's operating system use the C++ language. A study of vulnerability databases shows that this software is subject to a particular category of vulnerabilities, type confusions, which are just as exploitable as better-known vulnerabilities. This article presents the mechanisms behind type confusions and surveys the state of the art of methods for detecting them in source code or in binary-only code. It also highlights the main difficulties faced by binary analyses, and proposes the outline of a new approach for detecting type confusions in binaries.
CompCert is the first commercially available optimizing compiler that is formally verified, using machine-assisted mathematical proofs, to be free from miscompilation. The executable code it produces is proved to behave exactly as specified by the semantics of the source C program. CompCert's intended use is the compilation of safety-critical and mission-critical software meeting high levels of assurance. This article gives an overview of the design of CompCert and its proof concept, summarizes the resulting confidence argument, and gives an overview of relevant tool qualification strategies. We briefly summarize practical experience and give an overview of recent CompCert developments.
A proof assistant is an interactive piece of software that lets its user build proofs semi-automatically while guaranteeing the correctness of those proofs. This kind of tool is particularly useful for the verification of critical software. This article presents Coq, a proof assistant whose development is coordinated by the research institute Inria. Its use is first presented through a very simple example: the verification of a sorting function. A second part then presents some application domains, notably software safety and research in computer science and mathematics. Coq is considered one of the most reliable tools for software validation, which is explained by the theoretical foundations of the tool and its evolution over more than 30 years of research and development.
CompCert is the first commercially available optimizing compiler that is formally verified, using machine-assisted mathematical proofs, to be exempt from mis-compilation. The executable code it produces is proved to behave exactly as specified by the semantics of the source C program. This article gives an overview of the design of CompCert and its proof concept and then focuses on aspects relevant for industrial application. We briefly summarize practical experience and give an overview of recent CompCert development aiming at industrial usage. CompCert's intended use is the compilation of life-critical and mission-critical software meeting high levels of assurance. In this context tool qualification is of paramount importance. We summarize the confidence argument of CompCert and give an overview of relevant qualification strategies.
Static analysis – the automatic determination of simple properties of a program – is the basis both for optimizing compilation and for verification of safety properties such as absence of run-time errors. To support the use of static analyses in verified compilers and in high-confidence verification environments, the analyses must be proved to be sound. In this invited talk, I will review some ongoing work in this direction in the CompCert and Verasco projects, in particular the construction and formal verification of a modular static analyzer based on abstract interpretation.
Habilitation à diriger des recherches thesis, specialty: computer science
The application of formal methods in the development of safety-critical embedded software is recommended in order to provide strong guarantees about the absence of software errors. In this context, WCET estimation tools constitute an important element to be formally verified. We present a formally verified WCET estimation tool, integrated into the formally verified CompCert C compiler. Our tool comes with a machine-checked proof which ensures that its WCET estimates are safe. Our tool operates over C programs and is composed of two main parts, a loop bound estimation and an Implicit Path Enumeration Technique (IPET)-based WCET calculation method. We evaluated the precision of the WCET estimates on a reference benchmark and obtained results which are competitive with state-of-the-art WCET estimation techniques. 1998 ACM Subject Classification D.2.4 Software/Program Verification
Basing program analyses on formal semantics has a long and successful tradition in the logic programming paradigm. These analyses rely on results about the relative correctness of mathematically sophisticated semantics, and authors of such analyses often invest considerable effort into establishing these results. The development of interactive theorem provers such as Coq and their recent successes both in the field of program verification as well as in mathematics poses the question whether these tools can be usefully deployed in logic programming. This paper presents formalisations in Coq of several general results about the correctness of semantics in different styles; forward and backward, top-down and bottom-up. The results chosen are paradigmatic of the kind of correctness theorems that semantic analyses rely on and are therefore well-suited to explore the possibilities afforded by the application of interactive theorem provers to this task, as well as the difficulties like...
We have been developing and formally verifying in Coq a moderately optimising compiler (called Compcert) for a large subset of the C language. This compiler comprises a back-end translating the Cminor intermediate language to PowerPC assembly code and a front-end translating the Clight subset of C to Cminor. Clight features all the types and operators of C as well as all the structured control statements of C, but excludes unstructured control. We have re-architected a previous front-end around the use of the CIL library. CIL provides an industrial-strength parser and type-checker for the C language, as well as a simplifier that eliminates or explicates many features of this language. CIL is written in Caml and is also used in other tools dedicated to the verification of C programs. As CIL performs too many simplifications, we have deactivated those that are not wanted in the context of a verified compiler. Our formalisation of C in Coq has been extended in two ways. Firstly, the ab...
This article presents the formal semantics of a large subset of the C language called Clight. Clight includes pointer arithmetic, "struct" and "union" types, C loops and structured "switch" statements. Clight is the source language of the CompCert verified compiler. The formal semantics of Clight is a big-step operational semantics that observes both terminating and diverging executions and produces traces of input/output events. The formal semantics of Clight is mechanized using the Coq proof assistant. In addition to the semantics of Clight, this article describes its integration in the CompCert verified compiler and several ways by which the semantics was validated.
We study a minimal coloring problem with preferences (CPM) in chordal graphs. This study is part of the CompCert project, whose goal is the certification, using formal methods, of an optimizing compiler for the C language. One of the optimizations of the certified compiler is the allocation of processor registers. Optimizing this register allocation amounts to solving the CPM problem we study. We show a complexity result concerning CPM and propose an improvement of a cutting-plane method for solving this problem. This work lies at the junction of operations research and formal methods, insofar as we also formally verify the resolution of the problem by proving the development correct, except for the search performed by the solver, whose verification consists in checking a posteriori whether the proposed solution is indeed correct.
Just-in-Time compilation consists in interleaving program interpretation and compilation at run-time, to achieve better performance than standard interpretation. While some of the execution time is spent compiling, a JIT compiler can leverage run-time information to make speculative optimizations. These optimizations create optimized versions of functions given some assumptions. While static compilers have been the topic of many formal verification works, few have tackled JIT compilation verification. We present our ongoing work about formal verification of a Just-in-Time compiler.
This paper reports on an approach for improving the understanding of old programs which have become very complex due to numerous extensions. We have adapted partial evaluation techniques for program understanding. These techniques mainly use propagation through statements and simplification of statements. We focus here on the automatic interprocedural analysis and we specify both tasks for call statements, in terms of inference rules with notations taken from the specification languages B and VDM. We describe how we have implemented that interprocedural analysis in a tool, and used it to improve program understanding. The difficulty of that analysis is due to the lack of well-defined interprocedural mechanisms and the complexity of visibility rules in Fortran.
This paper extends the idea of specializing modified interpreters for systematically generating obfuscated code. By using the Coq proof assistant we specify some elementary obfuscations and prove that the resulting distorted interpreter is correct, namely that it preserves the intended semantics of programs. The paper shows how the semantic preservation proofs generated and verified in Coq can provide a measure of the quality of the obfuscation. In particular we observe that there is a precise correspondence between the potency of the obfuscation and the complexity of the proof of semantics preservation. Our obfuscation can be easily integrated into the CompCert C compiler, providing the basis for a formally verified obfuscating compiler which can be applied to any C program.
The use of formal methods makes it possible to obtain strong guarantees on the source code of critical software. However, bugs in the compiler used to produce an executable from these sources can invalidate these guarantees. This risk is eliminated if the compiler is formally verified: one proves that the compiler produces machine code that behaves like the source code it is given. The work carried out is part of the Compcert project, whose aim is the development and formal verification, using the Coq proof assistant, of a realistic compiler potentially usable for critical embedded software. A compiler performs a succession of transformations to generate machine code from source code. Register allocation by graph coloring is one of these transformations; it is one of the hardest to implement. Its purpose is to propose a ...
This work presents an evaluation of the CompCert formally specified and verified optimizing compiler for the development of DO-178 level A flight control software. First, some fundamental characteristics of flight control software are presented and the case study program is described. Then, the use of CompCert is justified: its main point is to allow optimized code generation by relying on the formal proof of correctness and additional compilation information instead of the current un-optimized generation required to produce predictable assembly code patterns. The evaluation of its performance (measured using WCET and code size) is presented and the results are compared to those obtained with the currently used compiler.
Observational non-interference (ONI) is a generic information-flow policy for side-channel leakage. Informally, a program is ONI-secure if observing program leakage during execution does not reveal any information about secrets. Formally, ONI is parametrized by a leakage function $\ell$, and different instances of ONI can be recovered through different instantiations of $\ell$. One popular instance of ONI is the cryptographic constant-time (CCT) policy, which is widely used in cryptographic libraries to protect against timing and cache attacks. Informally, a program is CCT-secure if it does not branch on secrets and does not perform secret-dependent memory accesses. Another instance of ONI is the constant-resource (CR) policy, a relaxation of the CCT policy which is used in Amazon's s2n implementation of TLS and in several other security applications. Informally, a program is CR-secure if its cost (modelled by a tick operator over an arbitrary semi-group) does not depend on secr...
We present a transformation of imperative programs inspired by partial evaluation that has been used to ease the understanding of scientific applications. This work has been completely formalized in Coq. Starting from a specification of the language we handle, we specified our code analysis abstractly and proved its semantic correctness. To model memory states abstractly, we defined a low-level layer modelling the generic notion of association table together with operations on these tables, which also contains proofs of properties about those operations. We show that these generic tables are an example of the use of setoids, which simplifies the writing of proofs.
JFLA 2008 is the nineteenth French-speaking conference organized around applicative languages. This year, the meeting takes place in Etretat, in Normandy. We thus respect the sea/mountain alternation traditional at JFLA and the choice of a setting conducive to friendly exchanges on applicative languages. The program committee selected 11 articles out of the 18 submitted, on very varied topics, testifying to the vitality and diversity of our community. The submissions were of high quality and we thank the authors who submitted an article to JFLA 2008, thereby contributing to the high scientific level of the meeting. Two speakers were invited: Pierre Weis, from INRIA Paris-Rocquencourt, and Cedric Fournet, from Microsoft Research. For the third consecutive year, two half-day sessions were devoted to the discovery of research topics: formal semantics (by Yves Bertot of INRIA Sophia An...
The C language is widely used in industry, in particular for developing embedded software. One of the attractions of this language is that the programmer controls the resources needed to execute programs (for example, the layout of memory, or the allocation and freeing of memory cells), which moreover affect program performance. C programs can thus be particularly efficient, but the price to pay is a programming effort. For example, it may be necessary to use pointer arithmetic to compute the address of a memory cell. However, the fact that the C language leaves more freedom to the programmer also favors the presence of run-time errors in programs, errors that can be hard to detect. Array bound overruns, or uninitialized variables, are examples of such errors, which can...
Constant-time programming is an established discipline to secure programs against timing attackers. Several real-world secure C libraries such as NaCl, mbedTLS, or Open Quantum Safe, follow this discipline. We propose an advanced static analysis, based on state-of-the-art techniques from abstract interpretation, to report time leakage during programming. To that purpose, we analyze source C programs and use full context-sensitive and arithmetic-aware alias analyses to track the tainted flows.
Just-in-time compilers for dynamic languages routinely generate code under assumptions that may be invalidated at run-time; this allows for specialization of program code to the common case in order to avoid unnecessary overheads due to uncommon cases. This form of software speculation requires support for deoptimization when some of the assumptions fail to hold. This paper presents a model just-in-time compiler with an intermediate representation that makes explicit the synchronization points used for deoptimization and the assumptions made by the compiler's speculation. We also present several common compiler optimizations that can leverage speculation to generate improved code. The optimizations are proved correct with the help of a proof assistant. While our work stops short of proving native code generation, we demonstrate how one could use the verified optimizations to obtain significant speed-ups in an end-to-end setting.
Timing side-channels are arguably one of the main sources of vulnerabilities in cryptographic implementations. One effective mitigation against timing side-channels is to write programs that do not perform secret-dependent branches and memory accesses. This mitigation, known as "cryptographic constant-time", is adopted by several popular cryptographic libraries. This paper focuses on compilation of cryptographic constant-time programs, and more specifically on the following question: is the code generated by a realistic compiler for a constant-time source program itself provably constant-time? Surprisingly, we answer the question positively for a mildly modified version of the CompCert compiler, a formally verified and moderately optimizing compiler for C. Concretely, we modify the CompCert compiler to eliminate sources of potential leakage. Then, we instrument the operational semantics of CompCert intermediate languages so as to be able to capture cryptographic constant-t...


This article presents the formal verification, using the Coq proof assistant, of a memory model for low-level imperative languages such as C and compiler intermediate languages. Beyond giving semantics to pointer-based programs, this model supports reasoning over transformations of such programs. We show how the properties of the memory model are used to prove semantic preservation for three passes of the Compcert verified compiler.
This article presents the formal semantics of a large subset of the C language called Clight. Clight includes pointer arithmetic, struct and union types, C loops and structured switch statements. Clight is the source language of the CompCert verified compiler. The formal semantics of Clight is a big-step semantics equipped with traces of input/output events that observes both terminating and diverging executions. The formal semantics of Clight is mechanized using the Coq proof assistant. In addition to the semantics of Clight, this article describes its integration in the CompCert verified compiler and several ways by which the semantics was validated.