Merge branch 'publications-add-dois' into 'master'

Publications add dois See merge request !183

Merge branch 'publications-add-dois' into 'master'
084b0092 · Allan Blanchard · 1e406cfb · 26b3695b · 084b0092 · 084b0092
Commit 084b0092 authored 2 years ago by Allan Blanchard
--- a/_fc-publications/pathcrawler/2008-issre-k.md
+++ b/_fc-publications/pathcrawler/2008-issre-k.md
@@ -3,9 +3,10 @@ plugin: "pathcrawler"
 authors: "Nikolai Kosmatov"
 title: "All-paths test generation for programs with internal aliases"
 book: "International Symposium on Software Reliability Engineering (ISSRE)"
-link: http://nikolai.kosmatov.free.fr/publications/kosmatov_issre_2008.pdf
+link: "http://nikolai.kosmatov.free.fr/publications/kosmatov_issre_2008.pdf"
+doi: "10.1109/ISSRE.2008.25"
 year: 2008
 category: other
 ---

-In structural testing of programs, the all-paths coverage criterion requires to generate a set of test cases such that every possible execution path of the program under test is executed by one test case. This task becomes very complex in presence of aliases, i.e. different ways to address the same memory location. In practice, the presence of aliases may result in enumeration of possible inputs, generation of several test cases for the same path and/or a failure to generate a test case for some feasible path. This article presents the problem of aliases in the context of classical depth-first test generation method. We classify aliases into two groups: external aliases, existing already at the entry point of the function under test (due to pointer inputs), and internal ones, created during its symbolic execution. This paper focuses on internal aliases.We propose an original extension of the depth-first test generation method for C programs with internal aliases. It limits the enumeration of inputs and the generation of superfluous test cases. Initial experiments show that our method canconsiderably improve the performances of the existing tools on programs with aliases.
\ No newline at end of file
+In structural testing of programs, the all-paths coverage criterion requires to generate a set of test cases such that every possible execution path of the program under test is executed by one test case. This task becomes very complex in presence of aliases, i.e. different ways to address the same memory location. In practice, the presence of aliases may result in enumeration of possible inputs, generation of several test cases for the same path and/or a failure to generate a test case for some feasible path. This article presents the problem of aliases in the context of classical depth-first test generation method. We classify aliases into two groups: external aliases, existing already at the entry point of the function under test (due to pointer inputs), and internal ones, created during its symbolic execution. This paper focuses on internal aliases.We propose an original extension of the depth-first test generation method for C programs with internal aliases. It limits the enumeration of inputs and the generation of superfluous test cases. Initial experiments show that our method canconsiderably improve the performances of the existing tools on programs with aliases.
--- a/_fc-publications/pathcrawler/2009-ast-bdhthkmrw.md
+++ b/_fc-publications/pathcrawler/2009-ast-bdhthkmrw.md
@@ -3,9 +3,10 @@ plugin: "pathcrawler"
 authors: "Bernard Botella, Mickaël Delahaye, Stéphane Hong-Tuan-Ha, Nikolai Kosmatov, Patricia Mouy, Muriel Roger and Nicky Williams"
 title: "Automating Structural Testing of C Programs: Experience with PathCrawler"
 book: "International Workshop on Automation of Software Test (AST)"
-link: https://ieeexplore.ieee.org/document/5069043
+link: "https://ieeexplore.ieee.org/document/5069043"
+doi: "10.1109/IWAST.2009.5069043"
 year: 2009
 category: other
 ---

-Structural testing is widely used in industrial verification processes of critical software. This report presents PathCrawler, a structural test generation tool that may be used to automate this activity, and several evaluation criteria of automatic test generation tools for C programs. These criteria correspond to the issues identified during our ongoing experience in the development of PathCrawler and its application to industrial software. They include issues arising for some specific types of software. Some of them are still difficult open problems. Others are (partially) solved, and the solution adopted in PathCrawler is discussed. We believe that these criteria must be satisfied in order for the automation of structural testing to become an industrial reality.
\ No newline at end of file
+Structural testing is widely used in industrial verification processes of critical software. This report presents PathCrawler, a structural test generation tool that may be used to automate this activity, and several evaluation criteria of automatic test generation tools for C programs. These criteria correspond to the issues identified during our ongoing experience in the development of PathCrawler and its application to industrial software. They include issues arising for some specific types of software. Some of them are still difficult open problems. Others are (partially) solved, and the solution adopted in PathCrawler is discussed. We believe that these criteria must be satisfied in order for the automation of structural testing to become an industrial reality.
--- a/_fc-publications/pathcrawler/2009-ast-wr.md
+++ b/_fc-publications/pathcrawler/2009-ast-wr.md
@@ -3,9 +3,10 @@ plugin: "pathcrawler"
 authors: "Nicky Williams and Muriel Roger"
 title: "Test Generation Strategies to Measure Worst-Case Execution Time"
 book: "International Workshop on Automation of Software Test (AST)"
-link: https://ieeexplore.ieee.org/document/5069045
+link: "https://ieeexplore.ieee.org/document/5069045"
+doi: "10.1109/IWAST.2009.5069045"
 year: 2009
 category: other
 ---

-Under certain conditions, the worst-case execution time (WCET) of a function can be found by measuring the effective execution time for each feasible execution path. Automatic generation of test inputs can help make this approach more feasible. To reduce the number of tests, we define two partial orders on the execution paths of the program under test. Under further conditions, these partial orders represent the relation between the execution times of the paths. We explain how we modified the strategy of the PathCrawler structural test-case generation tool to generate as few tests as possible for paths which are not maximal in these partial orders, whilst ensuring that the WCET is exhibited by at least one case in the set. The techniques used could also serve in the implementation of other test generation strategies which have nothing to do with WCET.
\ No newline at end of file
+Under certain conditions, the worst-case execution time (WCET) of a function can be found by measuring the effective execution time for each feasible execution path. Automatic generation of test inputs can help make this approach more feasible. To reduce the number of tests, we define two partial orders on the execution paths of the program under test. Under further conditions, these partial orders represent the relation between the execution times of the paths. We explain how we modified the strategy of the PathCrawler structural test-case generation tool to generate as few tests as possible for paths which are not maximal in these partial orders, whilst ensuring that the WCET is exhibited by at least one case in the set. The techniques used could also serve in the implementation of other test generation strategies which have nothing to do with WCET.
--- a/_fc-publications/pathcrawler/2009-taic-part-k.md
+++ b/_fc-publications/pathcrawler/2009-taic-part-k.md
@@ -3,9 +3,10 @@ plugin: "pathcrawler"
 authors: "Nikolai Kosmatov"
 title: "On Complexity of All-Paths Test Generation. From Practice to Theory"
 book: "Testing: Academic and Industrial Conference - Practice and Research Techniques (TAIC PART)"
-link: https://ieeexplore.ieee.org/document/5381631
+link: "https://ieeexplore.ieee.org/document/5381631"
+doi: "10.1109/TAICPART.2009.26"
 year: 2009
 category: other
 ---

-Automatic structural testing of programs becomes more and more popular in software engineering. Among the most rigorous structural coverage criteria, all-paths coverage re-quires to generate a set of test cases such that every fea-sible execution path of the program under test is executed by one test case. This article addresses different aspects of computability and complexity of constraint-based all-paths test generation for C programs from the practitioner's point of view, and tries to bridge the gap between mathematical theory and practical computation problems arising in this domain. We focus on two particular classes of programs impor-tant for practice. We show first that for a class containing the simplest programs with strong restrictions, all-paths test generation in polynomial time is possible. For a wider class of programs in which inputs may be used as array indices (or pointer offsets), all-paths test generation is shown to be NP-hard. Some experimental results illustrating test gener-ation time for programs of these classes are provided.
\ No newline at end of file
+Automatic structural testing of programs becomes more and more popular in software engineering. Among the most rigorous structural coverage criteria, all-paths coverage re-quires to generate a set of test cases such that every fea-sible execution path of the program under test is executed by one test case. This article addresses different aspects of computability and complexity of constraint-based all-paths test generation for C programs from the practitioner's point of view, and tries to bridge the gap between mathematical theory and practical computation problems arising in this domain. We focus on two particular classes of programs impor-tant for practice. We show first that for a class containing the simplest programs with strong restrictions, all-paths test generation in polynomial time is possible. For a wider class of programs in which inputs may be used as array indices (or pointer offsets), all-paths test generation is shown to be NP-hard. Some experimental results illustrating test gener-ation time for programs of these classes are provided.
--- a/_fc-publications/pathcrawler/2010-ast-w.md
+++ b/_fc-publications/pathcrawler/2010-ast-w.md
@@ -3,9 +3,10 @@ plugin: "pathcrawler"
 authors: "Nicky Williams"
 title: "Abstract path testing with PathCrawler"
 book: "International Workshop on Automation of Software Test (AST)"
-link: https://hal.archives-ouvertes.fr/hal-01810297/en
+link: "https://hal.archives-ouvertes.fr/hal-01810297/en"
+doi: "10.1145/1808266.1808272"
 year: 2010
 category: other
 ---

-PathCrawler is a tool developed by CEA List for the automatic generation of test inputs to ensure the coverage of all feasible execution paths of a C function. Due to its concolic approach and depth-first exhaustive search strategy implemented in Prolog, PathCrawler is particularly efficient in the generation of tests to cover the fully expanded tree of feasible paths. However, for many tested functions this coverage criterion demands too many tests and a weaker criterion must be used. In order to efficiently generate tests for a new criterion whilst still using a concolic approach, we must modify the search strategy. To facilitate the definition and comparison of different coverage criteria, we propose a new type of tree, trees of abstract paths, and define the different types of abstract node in these trees. We demonstrate how several criteria can be conveniently defined in terms of coverage of these new trees. Moreover, efficient generation of tests to satisfy these criteria using the concolic approach can be designed as different strategies to explore these trees. 
\ No newline at end of file
+PathCrawler is a tool developed by CEA List for the automatic generation of test inputs to ensure the coverage of all feasible execution paths of a C function. Due to its concolic approach and depth-first exhaustive search strategy implemented in Prolog, PathCrawler is particularly efficient in the generation of tests to cover the fully expanded tree of feasible paths. However, for many tested functions this coverage criterion demands too many tests and a weaker criterion must be used. In order to efficiently generate tests for a new criterion whilst still using a concolic approach, we must modify the search strategy. To facilitate the definition and comparison of different coverage criteria, we propose a new type of tree, trees of abstract paths, and define the different types of abstract node in these trees. We demonstrate how several criteria can be conveniently defined in terms of coverage of these new trees. Moreover, efficient generation of tests to satisfy these criteria using the concolic approach can be designed as different strategies to explore these trees. 
--- a/_fc-publications/pathcrawler/2011-cstva-kbrw.md
+++ b/_fc-publications/pathcrawler/2011-cstva-kbrw.md
@@ -3,10 +3,11 @@ plugin: "pathcrawler"
 authors: "Nikolai Kosmatov, Bernard Botella, Muriel Roger and Nicky Williams"
 title: "Online Test Generation with PathCrawler. Tool demo."
 book: "International Workshop on Constraints in Software Testing, Verification, and Analysis (CSTVA)"
-link: https://nikolai-kosmatov.eu/publications/kosmatov_brw_cstva_2011.pdf
+link: "https://nikolai-kosmatov.eu/publications/kosmatov_brw_cstva_2011.pdf"
+doi: "10.1109/ICSTW.2011.85"
 year: 2011
 category: other
 short: "Best demo award"
 ---

-This demonstration presents a new version of Path Crawler developed in an entirely novel form: that of a test-case server which is freely accessible online.
\ No newline at end of file
+This demonstration presents a new version of Path Crawler developed in an entirely novel form: that of a test-case server which is freely accessible online.
--- a/_fc-publications/pathcrawler/2012-qsic-wk.md
+++ b/_fc-publications/pathcrawler/2012-qsic-wk.md
@@ -3,9 +3,10 @@ plugin: "pathcrawler"
 authors: "Nicky Williams and Nikolai Kosmatov"
 title: "Structural Testing with PathCrawler. Tutorial Synopsis"
 book: "International Conference on Quality Software (QSIC)"
-link: https://hal.archives-ouvertes.fr/hal-01810295/
+link: "https://hal.archives-ouvertes.fr/hal-01810295/"
+doi: "10.1109/QSIC.2012.24"
 year: 2012
 category: tutorials
 ---

-Automatic testing tools allow huge savings but they do not exonerate the user from thinking carefully about what they want testing to achieve. To successfully use the Path Crawler-online structural testing tool, the user must provide not only the full source code, but also must set the test parameters and program the oracle. This demands a different"mindset" from that used for informal functional-style manual testing, as we explain with the help of several examples.
\ No newline at end of file
+Automatic testing tools allow huge savings but they do not exonerate the user from thinking carefully about what they want testing to achieve. To successfully use the Path Crawler-online structural testing tool, the user must provide not only the full source code, but also must set the test parameters and program the oracle. This demands a different"mindset" from that used for informal functional-style manual testing, as we explain with the help of several examples.
--- a/_fc-publications/pathcrawler/2012-tap-kwbrc.md
+++ b/_fc-publications/pathcrawler/2012-tap-kwbrc.md
@@ -3,9 +3,10 @@ plugin: "pathcrawler"
 authors: "Nikolai Kosmatov, Nicky Williams, Bernard Botella, Muriel Roger, Omar Chebaro"
 title: "A Lesson on Structural Testing with PathCrawler-online.com"
 book: "International Conference on Tests and Proofs (TAP)"
-link:  https://hal.archives-ouvertes.fr/hal-01810295/en
+link: "https://hal.archives-ouvertes.fr/hal-01810295/en"
+doi: "10.1007/978-3-642-30473-6_15"
 year: 2012
 category: tutorials
 ---

-PathCrawler is a test generation tool developed at CEA LIST for structural testing of C programs. The new version of PathCrawler is developed in an entirely novel form: that of a test-case generation web service which is freely accessible at PathCrawler-online.com. This service allows many test-case generation sessions to be run in parallel in a completely robust and secure way. This tool demo and teaching experience paper presents PathCrawler-online.com in the form of a lesson on structural software testing, showing its benefits, limitations and illustrating the usage of the tool on simple examples.
\ No newline at end of file
+PathCrawler is a test generation tool developed at CEA LIST for structural testing of C programs. The new version of PathCrawler is developed in an entirely novel form: that of a test-case generation web service which is freely accessible at PathCrawler-online.com. This service allows many test-case generation sessions to be run in parallel in a completely robust and secure way. This tool demo and teaching experience paper presents PathCrawler-online.com in the form of a lesson on structural software testing, showing its benefits, limitations and illustrating the usage of the tool on simple examples.
--- a/_fc-publications/rpp/2017-tacas-bklgp.md
+++ b/_fc-publications/rpp/2017-tacas-bklgp.md
@@ -3,9 +3,10 @@ plugin: "rpp"
 authors: "Lionel Blatter, Nikolai Kosmatov, Pascale Le Gall and Virgile Prevosto"
 title: "RPP: Automatic Proof of Relational Properties by Self-composition"
 book: "Tools and Algorithms for the Construction and Analysis of Systems23rd International Conference, TACAS"
-link: https://hal-cea.archives-ouvertes.fr/cea-01808885/en
+link: "https://hal-cea.archives-ouvertes.fr/cea-01808885/en"
+doi: "10.1007/978-3-662-54577-5_22"
 year: 2017
 category: foundational
 ---

-Self-composition provides a powerful theoretical approach to prove relational properties, i.e. properties relating several program executions, that has been applied to compare two runs of one or similar programs (in secure dataflow properties, code transformations, etc.). This tool demo paper presents RPP, an original implementation of self-composition for specification and verification of relational properties in C programs in the FRAMA-C platform. We consider a very general notion of relational properties invoking any finite number of function calls of possibly dissimilar functions with possible nested calls. The new tool allows the user to specify a relational property, to prove it in a completely automatic way using classic deductive verification, and to use it as a hypothesis in the proof of other properties that may rely on it. 
\ No newline at end of file
+Self-composition provides a powerful theoretical approach to prove relational properties, i.e. properties relating several program executions, that has been applied to compare two runs of one or similar programs (in secure dataflow properties, code transformations, etc.). This tool demo paper presents RPP, an original implementation of self-composition for specification and verification of relational properties in C programs in the FRAMA-C platform. We consider a very general notion of relational properties invoking any finite number of function calls of possibly dissimilar functions with possible nested calls. The new tool allows the user to specify a relational property, to prove it in a completely automatic way using classic deductive verification, and to use it as a hypothesis in the proof of other properties that may rely on it. 
--- a/_fc-publications/rpp/2018-tap-bklgpp.md
+++ b/_fc-publications/rpp/2018-tap-bklgpp.md
@@ -3,9 +3,10 @@ plugin: "rpp"
 authors: "Lionel Blatter, Nikolai Kosmatov, Pascale Le Gall, Virgile Prevosto and Guillaume Petiot"
 title: "Static and Dynamic Verification of Relational Properties on Self-composed C Code"
 book: "In Tests and Proofs - 12th International Conference (TAP)"
-link:  https://hal-cea.archives-ouvertes.fr/cea-01835470/en
+link: "https://hal-cea.archives-ouvertes.fr/cea-01835470/en"
+doi: "10.1007/978-3-319-92994-1_3"
 year: 2018
 category: foundational
 ---

-Function contracts are a well-established way of formally specifying the intended behavior of a function. However, they usually only describe what should happen during a single call. Relational properties, on the other hand, link several function calls. They include such properties as non-interference, continuity and monotonicity. Other examples relate sequences of function calls, for instance, to show that decrypting an encrypted message with the appropriate key gives back the original message. Such properties cannot be expressed directly in the traditional setting of modular deductive verification, but are amenable to verification through self-composition. This paper presents a verification technique dedicated to relational properties in C programs and its implementation in the form of a FRAMA-C plugin called RPP and based on self-composition. It supports functions with side effects and recursive functions. The proposed approach makes it possible to prove a relational property, to check it at runtime, to generate a counterexample using testing and to use it as a hypothesis in the subsequent verification. Our initial experiments on existing benchmarks confirm that the proposed technique is helpful for static and dynamic analysis of relational properties. 
\ No newline at end of file
+Function contracts are a well-established way of formally specifying the intended behavior of a function. However, they usually only describe what should happen during a single call. Relational properties, on the other hand, link several function calls. They include such properties as non-interference, continuity and monotonicity. Other examples relate sequences of function calls, for instance, to show that decrypting an encrypted message with the appropriate key gives back the original message. Such properties cannot be expressed directly in the traditional setting of modular deductive verification, but are amenable to verification through self-composition. This paper presents a verification technique dedicated to relational properties in C programs and its implementation in the form of a FRAMA-C plugin called RPP and based on self-composition. It supports functions with side effects and recursive functions. The proposed approach makes it possible to prove a relational property, to check it at runtime, to generate a counterexample using testing and to use it as a hypothesis in the subsequent verification. Our initial experiments on existing benchmarks confirm that the proposed technique is helpful for static and dynamic analysis of relational properties. 
--- a/_fc-publications/sante/2010-tap-ckgj.md
+++ b/_fc-publications/sante/2010-tap-ckgj.md
@@ -3,7 +3,8 @@ plugin: "sante"
 authors: "Omar Chebaro, Nikolaï Kosmatov, Alain Giorgetti and Jacques Julliand"
 title: "Combining static analysis and test generation for C program debugging"
 book: "Proceedings of the 4th International Conference on Tests & Proofs (TAP)"
-link: https://hal.archives-ouvertes.fr/hal-00563308/en
+link: "https://hal.archives-ouvertes.fr/hal-00563308/en"
+doi: "10.1007/978-3-642-13977-2_9"
 year: 2010
 category: foundational
 ---
@@ -17,4 +18,4 @@ absence of run-time errors. Second, these alarms guide a structural
 test generation tool (PathCrawler) trying to confirm alarms by
 activating bugs on sometest cases.Our experiments on real-life
 software showthat this combination can outperform the use of each
-technique independently.
\ No newline at end of file
+technique independently.
--- a/_fc-publications/sante/2011-tap-ckgj.md
+++ b/_fc-publications/sante/2011-tap-ckgj.md
@@ -3,7 +3,8 @@ plugin: "sante"
 authors: "Omar Chebaro, Nikolaï Kosmatov, Alain Giorgetti and Jacques Julliand"
 title: "The SANTE Tool: Value Analysis, Program Slicing and Test Generation for C Program Debugging"
 book: "Proceedings of the 5th International Conference on Tests & Proofs (TAP)"
-link: https://hal.inria.fr/inria-00622904/en
+link: "https://hal.inria.fr/inria-00622904/en"
+doi: "10.1007/978-3-642-21768-5_7"
 year: 2011
 category: foundational
 ---
@@ -15,4 +16,4 @@ verification of C programs. First, value analysis is called to
 generate alarms when it can not guarantee the absence of errors.
 Then the program is reduced by program slicing. Alarm-guided test
 generation is then used to analyze the simplified program(s) in
-order to confirm or reject alarms.
\ No newline at end of file
+order to confirm or reject alarms.
--- a/_fc-publications/sante/2012-sac-ckgj.md
+++ b/_fc-publications/sante/2012-sac-ckgj.md
@@ -3,7 +3,8 @@ plugin: "sante"
 authors: "Omar Chebaro, Nikolaï Kosmatov, Alain Giorgetti and Jacques Julliand"
 title: "Program slicing enhances a verification technique combining static and dynamic analysis"
 book: "Proceedings of the 27th Symposium On Applied Computing (SAC)"
-link: https://hal.inria.fr/hal-00746814/en
+link: "https://hal.inria.fr/hal-00746814/en"
+doi: "10.1145/2245276.2231980"
 year: 2012
 category: foundational
 ---
@@ -22,4 +23,4 @@ on. The method is implemented in a tool prototype called sante
 (Static ANalysis and TEsting). Our experiments show that our method
 with program slicing outperforms previous combinations of static and
 dynamic analysis. Moreover, simplifying the program makes it easier
-to analyze detected errors and remaining alarms.
\ No newline at end of file
+to analyze detected errors and remaining alarms.
--- a/_fc-publications/secureflow/2013-sec-astt.md
+++ b/_fc-publications/secureflow/2013-sec-astt.md
@@ -3,9 +3,10 @@ plugin: "secureflow"
 authors: "Mounir Assaf, Julien Signoles, Éric Totel, and Frédéric Tronel"
 title: "Program transformation for non-interference verification on programs with pointers"
 book: "International Information Security and Privacy Conference (SEC)"
-link: http://julien.signoles.free.fr/publis/2013_sec.pdf
+link: "http://julien.signoles.free.fr/publis/2013_sec.pdf"
+doi: "10.1007/978-3-642-39218-4_18"
 year: 2013
 category: foundational
 ---

-Novel approaches for dynamic information flow monitoring are promising since they enable permissive (accepting a large subset of executions) yet sound (rejecting all unsecure executions) enforcement of non-interference. In this paper, we present a dynamic information flow monitor for a language supporting pointers. Our flow-sensitive monitor relies on prior static analysis in order to soundly enforce non-interference. We also propose a program transformation that preserves the behavior of initial programs and soundly inlines our security monitor. This program transformation enables both dynamic and static verification of non-interference.
\ No newline at end of file
+Novel approaches for dynamic information flow monitoring are promising since they enable permissive (accepting a large subset of executions) yet sound (rejecting all unsecure executions) enforcement of non-interference. In this paper, we present a dynamic information flow monitor for a language supporting pointers. Our flow-sensitive monitor relies on prior static analysis in order to soundly enforce non-interference. We also propose a program transformation that preserves the behavior of initial programs and soundly inlines our security monitor. This program transformation enables both dynamic and static verification of non-interference.
--- a/_fc-publications/secureflow/2017-tap-bs.md
+++ b/_fc-publications/secureflow/2017-tap-bs.md
@@ -3,7 +3,8 @@ plugin: "secureflow"
 authors: "Gergö Barany and Julien Signoles"
 title: "Hybrid Information Flow Analysis for Real-World C Code"
 book: "International Conference on Tests and Proofs (TAP)"
-link: http://julien.signoles.free.fr/publis/2017_tap.pdf
+link: "http://julien.signoles.free.fr/publis/2017_tap.pdf"
+doi: "10.1007/978-3-319-61467-0_2"
 year: 2017
 category: foundational
 ---
@@ -12,4 +13,4 @@ Information flow analysis models the propagation of data through a software syst

 We present a hybrid information flow analysis for a large subset of the C programming language. Extending previous work that handled a few difficult features of C, our analysis can now deal with arrays, pointers with pointer arithmetic, structures, dynamic memory allocation, complex control flow, and statically resolvable indirect function calls. The analysis is implemented as a plugin to the Frama-C framework.

-We demonstrate the applicability and precision of our analyzer by applying it to an open-source cryptographic library. By combining abstract interpretation and monitoring techniques, we verify an information flow policy that proves the absence of control-flow based timing attacks against the implementations of many common cryptographic algorithms. Conversely, we demonstrate that our analysis is able to detect a known instance of this kind of vulnerability in another cryptographic primitive.
\ No newline at end of file
+We demonstrate the applicability and precision of our analyzer by applying it to an open-source cryptographic library. By combining abstract interpretation and monitoring techniques, we verify an information flow policy that proves the absence of control-flow based timing attacks against the implementations of many common cryptographic algorithms. Conversely, we demonstrate that our analysis is able to detect a known instance of this kind of vulnerability in another cryptographic primitive.
--- a/_fc-publications/sidan/2009-crisis-dtt.md
+++ b/_fc-publications/sidan/2009-crisis-dtt.md
@@ -3,9 +3,10 @@ plugin: "sidan"
 authors: "Jonathan-Christopher Demay, Éric Totel and Frédéric Tronel"
 title: "SIDAN: a tool dedicated to Software Instrumentation for Detecting Attacks on Non-control-data"
 book: "4th International Conference on Risks and Security of Internet and Systems (CRISIS)"
-link: https://hal.archives-ouvertes.fr/hal-00424574/en
+link: "https://hal.archives-ouvertes.fr/hal-00424574/en"
+doi: "10.1109/CRISIS.2009.5411977"
 year: 2009
 category: foundational
 ---

-Anomaly based intrusion detection systems rely on the build of a normal behavior model. When a deviation from this normal behavior is detected, an alert is raised. This anomaly approach, unlike the misuse approach, is able to detect unknown attacks. A basic technique to build such a model for a program is to use the system call sequences of the process. To improve the accuracy and completeness of this detection model, we can add information related to the system call, such as its arguments or its execution context. But even then, attacks that target non-control-data may be missed and attacks on control-data may be adapted to bypass the detection mechanism using evasion techniques. We propose in this article an approach that focuses on the detection of non-control-data attacks. Our approach aims at exploiting the internal state of a program to detect a memory corruption on non-control-data that could lead to an illegal system call. To achieve this, we propose to build a data-oriented detection model by statically analyzing a program source code. This model is used to instrument the program by adding reasonableness checks that verify the consistent state of the data items the system calls depend on. We thus argue that it is possible to detect a program misuse issued by a non-control-data attack inside the program during its execution. While keeping a low overhead, this approach allows to detect non-control-data attacks.
\ No newline at end of file
+Anomaly based intrusion detection systems rely on the build of a normal behavior model. When a deviation from this normal behavior is detected, an alert is raised. This anomaly approach, unlike the misuse approach, is able to detect unknown attacks. A basic technique to build such a model for a program is to use the system call sequences of the process. To improve the accuracy and completeness of this detection model, we can add information related to the system call, such as its arguments or its execution context. But even then, attacks that target non-control-data may be missed and attacks on control-data may be adapted to bypass the detection mechanism using evasion techniques. We propose in this article an approach that focuses on the detection of non-control-data attacks. Our approach aims at exploiting the internal state of a program to detect a memory corruption on non-control-data that could lead to an illegal system call. To achieve this, we propose to build a data-oriented detection model by statically analyzing a program source code. This model is used to instrument the program by adding reasonableness checks that verify the consistent state of the data items the system calls depend on. We thus argue that it is possible to detect a program misuse issued by a non-control-data attack inside the program during its execution. While keeping a low overhead, this approach allows to detect non-control-data attacks.
--- a/_fc-publications/slicing/2008-trust-ms.md
+++ b/_fc-publications/slicing/2008-trust-ms.md
@@ -3,9 +3,10 @@ plugin: "slicing"
 authors: "Benjamin Monate and Julien Signoles"
 title: "Slicing for Security of Code"
 book: "Proceedings of the 1st international conference on Trusted Computing and Trust in Information Technologies (TRUST)"
-link: http://julien.signoles.free.fr/publis/2008_trust.pdf
+link: "http://julien.signoles.free.fr/publis/2008_trust.pdf"
+doi: "10.1007/978-3-540-68979-9_10"
 year: 2008
 category: foundational
 ---

-Bugs in programs implementing security features can be catastrophic: for example they may be exploited by malign users to gain access to sensitive data. These exploits break the confidentiality of information. All security analyses assume that softwares implementing security features correctly implement the security policy, i.e. are security bug-free. This assumption is almost always wrong and IT security administrators consider that any software that has no security patches on a regular basis should be replaced as soon as possible. As programs implementing security features are usually large, manual auditing is very error prone and testing techniques are very expensive. This article proposes to reduce the code that has to be audited by applying a program reduction technique called slicing . Slicing transforms a source code into an equivalent one according to a set of criteria. We show that existing slicing criteria do not preserve the confidentiality of information. We introduce a new automatic and correct source-to-source method properly preserving the confidentiality of information i.e. confidentiality is guaranteed to be exactly the same in the original program and in the sliced program.
\ No newline at end of file
+Bugs in programs implementing security features can be catastrophic: for example they may be exploited by malign users to gain access to sensitive data. These exploits break the confidentiality of information. All security analyses assume that softwares implementing security features correctly implement the security policy, i.e. are security bug-free. This assumption is almost always wrong and IT security administrators consider that any software that has no security patches on a regular basis should be replaced as soon as possible. As programs implementing security features are usually large, manual auditing is very error prone and testing techniques are very expensive. This article proposes to reduce the code that has to be audited by applying a program reduction technique called slicing . Slicing transforms a source code into an equivalent one according to a set of criteria. We show that existing slicing criteria do not preserve the confidentiality of information. We introduce a new automatic and correct source-to-source method properly preserving the confidentiality of information i.e. confidentiality is guaranteed to be exactly the same in the original program and in the sliced program.
--- a/_fc-publications/stac/2010-mdv-cmp.md
+++ b/_fc-publications/stac/2010-mdv-cmp.md
@@ -3,9 +3,10 @@ plugin: "stac"
 authors: "Dumitru Ceara, Laurent Mounier and Marie-Laure Potet"
 title: "Taint Dependency Sequences: a characterization of insecure execution paths based on input-sensitive cause sequences"
 book: "Modeling and Detecting Vulnerabilities workshop (MDV)"
-link: http://www-verimag.imag.fr/PEOPLE/mounier/Papers/mdv10.pdf
+link: "http://www-verimag.imag.fr/PEOPLE/mounier/Papers/mdv10.pdf"
+doi: "10.1109/ICSTW.2010.28"
 year: 2010
 category: foundational
 ---

-Numerous software vulnerabilities can be activated only with dedicated user inputs. Taint analysis is a security check which consists in looking for possible dependency chains between user inputs and vulnerable statements (like array accesses). Most of the existing static taint analysis tools produce some warnings on potentially vulnerable program locations. It is then up to the developer to analyze these results by scanning the possible execution paths that may lead to these locations with unsecured user inputs. We present a Taint Dependency Sequences Calculus, based on a fine-grain data and control taint analysis, that aims to help the developer in this task by providing some information on the set of paths that need to be analyzed. Following some ideas introduced in, we also propose some metrics to characterize these paths in term of "dangerousness". This approach is illustrated with the help of the Verisec Suite and by describing a prototype, called STAC.
\ No newline at end of file
+Numerous software vulnerabilities can be activated only with dedicated user inputs. Taint analysis is a security check which consists in looking for possible dependency chains between user inputs and vulnerable statements (like array accesses). Most of the existing static taint analysis tools produce some warnings on potentially vulnerable program locations. It is then up to the developer to analyze these results by scanning the possible execution paths that may lead to these locations with unsecured user inputs. We present a Taint Dependency Sequences Calculus, based on a fine-grain data and control taint analysis, that aims to help the developer in this task by providing some information on the set of paths that need to be analyzed. Following some ideas introduced in, we also propose some metrics to characterize these paths in term of "dangerousness". This approach is illustrated with the help of the Verisec Suite and by describing a prototype, called STAC.
--- a/_fc-publications/stady/2014-scam-pkbgj.md
+++ b/_fc-publications/stady/2014-scam-pkbgj.md
@@ -3,9 +3,10 @@ plugin: "stady"
 authors: "Guillaume Petiot, Nikolai Kosmatov, Bernard Botella, Alain Giorgetti and Jacques Julliand"
 title: "Instrumentation of Annotated C Programs for Test Generation"
 book: "14th International Working Conference on Source Code Analysis and Manipulation (SCAM)"
-link: https://hal.archives-ouvertes.fr/cea-01836306/en
+link: "https://hal.archives-ouvertes.fr/cea-01836306/en"
+doi: "10.1109/SCAM.2014.19"
 year: 2014
 category: foundational
 ---

-Software verification and validation often rely on formal specifications that encode desired program properties. Recent research proposed a combined verification approach in which a program can be incrementally verified using alternatively deductive verification and testing. Both techniques should use the same specification expressed in a unique specification language. This paper addresses this problem within the Frama-C framework for analysis of C programs, that offers ACSL as a common specification language. We provide a formal description of an automatic translation of ACSL annotations into C code that can be used by a test generation tool either to trigger and detect specification failures, or to gain confidence, or, under some assumptions, even to confirm that the code is in conformity with respect to the annotations. We implement the proposed specification translation in a combined verification tool Study. Our initial experiments suggest that the proposed support for a common specification language can be very helpful for combined static-dynamic analyses.
\ No newline at end of file
+Software verification and validation often rely on formal specifications that encode desired program properties. Recent research proposed a combined verification approach in which a program can be incrementally verified using alternatively deductive verification and testing. Both techniques should use the same specification expressed in a unique specification language. This paper addresses this problem within the Frama-C framework for analysis of C programs, that offers ACSL as a common specification language. We provide a formal description of an automatic translation of ACSL annotations into C code that can be used by a test generation tool either to trigger and detect specification failures, or to gain confidence, or, under some assumptions, even to confirm that the code is in conformity with respect to the annotations. We implement the proposed specification translation in a combined verification tool Study. Our initial experiments suggest that the proposed support for a common specification language can be very helpful for combined static-dynamic analyses.
--- a/_fc-publications/stady/2014-tap-pkgj.md
+++ b/_fc-publications/stady/2014-tap-pkgj.md
@@ -3,9 +3,10 @@ plugin: "stady"
 authors: "Guillaume Petiot, Nikolai Kosmatov, Alain Giorgetti and Jacques Julliand"
 title: "How Test Generation Helps Software Specification and Deductive Verification in Frama-C"
 book: "International Conference on Tests and Proofs (TAP)"
-link: https://hal.inria.fr/hal-01108553/en
+link: "https://hal.inria.fr/hal-01108553/en"
+doi: "10.1007/978-3-319-09099-3_16"
 year: 2014
 category: foundational
 ---

-This paper describes an incremental methodology of deductive verification assisted by test generation and illustrates its benefits by a set of frequent verification scenarios. We present StaDy, a new integration of the concolic test generator PathCrawler within the software analysis platform Frama-C . This new plugin treats a complete formal specification of a C program during test generation and provides the validation engineer with a helpful feedback at all stages of the specification and verification tasks.
\ No newline at end of file
+This paper describes an incremental methodology of deductive verification assisted by test generation and illustrates its benefits by a set of frequent verification scenarios. We present StaDy, a new integration of the concolic test generator PathCrawler within the software analysis platform Frama-C . This new plugin treats a complete formal specification of a C program during test generation and provides the validation engineer with a helpful feedback at all stages of the specification and verification tasks.