Apr 172017

The paper entitled Formal analysis and offline monitoring of electronic exams has been accepted for publication in Formal Methods in System Design, a Springer journal.

The abstract of the paper is below:

More and more universities are moving toward electronic exams (in short e-exams). This migration exposes exams to additional threats, which may come from the use of the information and communication technology. In this paper, we identify and define several security properties for e-exam systems. Then, we show how to use these properties in two complementary approaches: model-checking and monitoring. We illustrate the validity of our definitions by analyzing a real e-exam used at the pharmacy faculty of University Grenoble Alpes (UGA ) to assess students. On the one hand, we instantiate our properties as queries for ProVerif, an automatic verifier of cryptographic protocols, and we use it to check our modeling of UGA exam specifications. ProVerif found some attacks. On the other hand, we express our properties as Quantified Event Automata (QEAs), and we synthesize them into monitors using MarQ, a Java tool designed to implement QEAs. Then, we use these monitors to verify real exam executions conducted by UGA. Our monitors found fraudulent students and discrepancies between the specifications of UGA exam and its implementation.

This is joint work with Ali Kassem (Inria Grenoble) and Pascal Lafourcade (University of Clermont).

Apr 152017

The paper entitled Optimal Enforcement of (Timed) Properties with Uncontrollable Events has been accepted for publication in Mathematical Structures in Computer Science, a Cambridge University Press journal.

Below is the abstract of the paper:

This paper deals with runtime enforcement of untimed and timed properties with uncontrollable events. Runtime enforcement consists in defining and using mechanisms that modify the executions of a running system to ensure their correctness with respect to a desired property. We introduce a framework that takes as input any regular (timed) property described by a deterministic automaton over an alphabet of events, with some of these events being uncontrollable. An uncontrollable event cannot be delayed nor intercepted by an enforcement mechanism. Enforcement mechanisms should satisfy important properties, namely soundness, compliance, and optimality – meaning that enforcement mechanisms should output as soon as possible correct executions that are as close as possible to the input execution. We define the conditions for a property to be enforceable with uncontrollable events. Moreover, we synthesise sound, compliant, and optimal descriptions of runtime enforcement mechanisms at two levels of abstraction to facilitate their design and implementation.

This is joint work with Matthieu Renard and Antoine Rollet from University of Bordeaux, Thierry Jéron and Hervé Marchand from Inria Rennes.

Mar 162017

We will have a two-day meeting related to the COST Action Runtime Verification beyond Monitoring (ARVI). The purposes of the meeting include:

  • A meeting of the Management Committee (MC).
  • A workshop on contract monitoring.

The program of the meeting can be found here.

My roles during the meeting are twofold:

  • I am representing France in the MC.
  • I am co-chairing the working group related to core runtime verification.

Below is a description of the COST action:

Runtime verification (RV) is a computing analysis paradigm based on observing a system at runtime to check its expected behavior. RV has emerged in recent years as a practical application of formal verification, and a less ad-hoc approach to conventional testing by building monitors from formal specifications.
There is a great potential applicability of RV beyond software reliability, if one allows monitors to interact back with the observed system, and generalizes to new domains beyond computers programs (like hardware, devices, cloud computing and even human centric systems). Given the European leadership in computer based industries, novel applications of RV to these areas can have an enormous impact in terms of the new class of designs enabled and their reliability and cost effectiveness.

EU COST Action IC1402 — project overview at the EU web-site.


Mar 152017

The manuscript entitled First International Competition on Runtime Verification – Rules, Benchmarks, Tools, and Final Results of CRV 2014 has been accepted for publication in Software Tools for Technology Transfer, a Springer journal.

Below is an abstract of the paper

The First International Competition on Runtime Verification (CRV) was held in September 2014, in Toronto, Canada, as a satellite event of the 14th international conference on Runtime Verification (RV’14). The event was organized in three tracks: (1) offline monitoring, (2) online monitoring of C programs, and (3) online monitoring of Java programs. In this paper we report on the phases and rules, a description of the participating teams and their submitted benchmark, the (full) results, as well as the lessons learned from the competition.

Supplementary material, that is the benchmarks and participant’s evaluation scripts on the Inria GitLab repositories available at:

This is joint work with Ezio Bartocci and Borzoo Bonakdarpour, greatly improved by the contributions of the participants to the competition Christian Colombo, Normann Decker, Klaus Havelund, Yogi Joshi, Felix Klaedtke, Reed Milewicz, Giles Reger, Grigore Rosu, Julien Signoles, Daniel Thoma, Eugen Zalinescu, and Yi Zhang.


The competition organizers, E. Bartocci, Y. Falcone, and B. Bonakdarpour, are grateful to many people. The competition organizers would like to warmly thank all participants for their hard work, the members of the runtime verification community who encouraged them to initiate this work, the Laboratoire d’Informatique de Grenoble and Christian Seguy for its support, Inria and its GitLab framework, and finally the DataMill team for providing us with such a nice experimentation platform to run all benchmarks.

All the authors acknowledge the support of the ICT COST Action IC1402 Runtime Verification beyond Monitoring (ARVI). Ezio Bartocci  acknowledges also the partial support of the Austrian FFG project HARMONIA (nr. 845631) and the Austrian National Research Network (nr. S 11405-N23) SHiNE funded by the Austrian Science Fund (FWF).

The authors are grateful to the insightful reviewers who helped improving the quality of this paper.

Feb 202017

The manuscript entitled Concurrency-preserving and sound monitoring of multi-threaded component-based systems: theory, algorithms, implementation, and evaluation has been accepted for publication in Formal Aspects of Computing, a Springer journal.

The abstract of the paper is below:

This paper addresses the monitoring of logic-independent linear-time user-provided properties in multi-threaded component-based systems. We consider intrinsically independent components that can be executed concurrently with a centralized coordination for multiparty interactions. In this context, the problem that arises is that a global state of the system is not available to the monitor. A naive solution to this problem would be to plug in a monitor which would force the system to synchronize in order to obtain the sequence of global states at runtime. Such a solution would defeat the whole purpose of having concurrent components. Instead, we reconstruct on-the-fly the global states by accumulating the partial states traversed by the system at runtime. We define transformations of components that preserve their semantics and concurrency and, at the same time, allow to monitor global-state properties. Moreover, we present RVMT-BIP, a prototype tool implementing the transformations for monitoring multi-threaded systems described in the Behavior, Interaction, Priority (BIP) framework, an expressive framework for the formal construction of heterogeneous systems. Our experiments on several multi-threaded BIP systems show that RVMT-BIP induces a cheap runtime overhead.

The publisher version is available as Online First and the author version is available on my Publications page.

This is joint work with Hosein Nazarpour, Saddek Bensalem, and Marius Bozga from Verimag.


Feb 152017

The manuscript entitled Predictive runtime enforcement has been accepted for publication in Formal Methods in System Design, a Springer journal.


Runtime enforcement (RE) is a technique to ensure that the (untrustworthy) output of a black-box system satisfies some desired properties. In RE, the output of the running system, modeled as a sequence of events, is fed into an enforcer. The enforcer ensures that the sequence complies with a certain property, by delaying or modifying events if necessary. This paper deals with predictive runtime enforcement, where the system is not entirely black-box, but we know something about its behavior. This a priori knowledge about the system allows to output some events immediately, instead of delaying them until more events are observed, or even blocking them permanently. This in turn results in better enforcement policies. We also show that if we have no knowledge about the system, then the proposed enforcement mechanism reduces to standard (non-predictive) runtime enforcement. All our results related to predictive RE of untimed properties are also formalized and proved in the Isabelle theorem prover. We also discuss how our predictive runtime enforcement framework can be extended to enforce timed properties.


Runtime monitoring; Runtime enforcement; Automata; Timed automata

The publisher version is available as Online First and the author version is available on my Publications page.

This is joint work with Srinivas Pinisetty, Viorel Preoteasa, Stavros Tripakis, Thierry Jéron, and Hervé Marchand.

Dec 122016

SPIN 2017

24th International Symposium on Model Checking of Software

Santa Barbara, CA, USA, July 13-14, 2017


Collocated with ISSTA

The SPIN symposium aims at bringing together researchers and practitioners interested in automated tool-based techniques for the analysis of software as well as models of software, for the purpose of verification and validation. The symposium specifically focuses on concurrent software, but does not exclude analysis of sequential software. Submissions are solicited on theoretical results, novel algorithms, tool development, empirical evaluation, and education.

History: The SPIN symposium originated as a workshop focusing on explicit state model checking, specifically as related to the Spin model checker. However, over the years it has evolved to a broadly scoped symposium for software analysis using any automated techniques, including model checking, automated theorem proving, and symbolic execution.

SPIN 2017 will be organized as an ACM SIGSOFT event, collocated with the International Symposium on Software Testing and Analysis (ISSTA 2017): http://conf.researchr.org/home/issta-2017. In addition there will be a one-day Rigorous Examination of Reactive Systems verification challenge Workshop (RERS 2017): http://www.rers-challenge.org/2017. An overview of the previous SPIN symposia (and early workshops) can be found at: http://spinroot.com/spin/symposia.

Topics of interest include, but are not limited to:

  • Formal verification techniques for automated analysis of software
  • Formal analysis for modeling languages, such as UML/state charts
  • Formal specification languages, temporal logic, design-by-contract
  • Model checking
  • Automated theorem proving, including SAT and SMT
  • Verifying compilers
  • Abstraction and symbolic execution techniques
  • Static analysis and abstract interpretation
  • Combination of verification techniques
  • Modular and compositional verification techniques
  • Verification of timed and probabilistic systems
  • Automated testing using advanced analysis techniques
  • Combination of static and dynamic analyses
  • Derivation of specifications, test cases, or other useful material via formal analysis
  • Case studies of interesting systems or with interesting results
  • Engineering and implementation of software verification and analysis tools
  • Benchmark and comparative studies for formal verification and analysis tools
  • Formal methods education and training
  • Insightful surveys or historical accounts on topics of relevance to the symposium

Submission Guidelines

The contributions to SPIN 2017 will be published as ACM Proceedings, and should be submitted in the ACM Conference Format: https://www.acm.org/publications/proceedings-template.

With the exception of survey and history papers, submissions must be original and should not have been published previously or be under consideration for publication while being evaluated for this symposium.

We are soliciting two categories of papers:

  • Full Research Papers describing fully developed work and complete results (10 pages);
  • Short Papers presenting tools, technology, experiences with lessons learned, new ideas, work in progress with preliminary results, and novel contributions to formal methods education (4 pages).

Papers should be submitted via the EasyChair SPIN 2017 submission website: https://easychair.org/conferences/?conf=spin2017.

Best Paper awards will be given and announced at the conference.

A selection of papers will be invited to a special issue of the International Journal on Software Tools for Technology Transfer (STTT).

Important Dates

  • Paper Submission: February 10, 2017 (23:59:59 Anywhere on Earth)
  • Author Notification : April 15, 2017
  • Camera-Ready Paper: May 20, 2017
  • Symposium : July 13-14, 2017


  • Hakan Erdogmus, Program Co-Chair, Carnegie Mellon University, USA
  • Klaus Havelund, Program Co-Chair, NASA/Caltech Jet Propulsion Laboratory, USA
  • Corina Pasareanu, Awards Chair, NASA Ames Research Center, USA
  • Yliès Falcone, Publicity Chair, Univ. Grenoble Alpes, Inria, France

Program Committee

  • Erika Abraham, RWTH Aachen University, Germany
  • Christel Baier, Technical University of Dresden, Germany
  • Tom Ball, Microsoft Research, USA
  • Ezio Bartocci, Vienna University of Technology, Austria
  • Dirk Beyer, Ludwig-Maximilians-Universität München (LMU Munich), Germany
  • Armin Biere, Johannes Kepler University, Austria
  • Dragan Bosnacki, Eindhoven University of Technology, Netherlands
  • Zmago Brezocnik, University of Maribor, Slovenia
  • Sagar Chaki, Software Engineering Institute CMU, USA
  • Alessandro Cimatti, Fondazione Bruno Kessler, Italy
  • Lucas Cordeiro, University of Oxford, UK
  • Patrice Godefroid, Microsoft Research, USA
  • Susanne Graf, VERIMAG Laboratory, France
  • Radu Grosu, Vienna University of Technology, Austria
  • Arie Gurfinkel, University of Waterloo, USA
  • Gerard Holzmann, NASA/Caltech Jet Propulsion Laboratory, USA
  • Sarfraz Khurshid, The University of Texas at Austin, USA
  • Kim Larsen, Aalborg University, Denmark
  • Stefan Leue, University of Konstanz, Germany
  • Alice Miller, University of Glasgow, Scotland
  • Corina Pasareanu, NASA Ames Research Center, USA
  • Doron Peled, Bar Ilan University, Israel
  • Neha Rungta, NASA Ames Research Center, USA
  • Theo Ruys, RUwise, Netherlands
  • Scott Smolka, Stony Brook University, USA
  • Scott Stoller, Stony Brook University, United States
  • Jun Sun, Singapore University of Technology and Design, Singapore
  • Oksana Tkachuk, NASA Ames Research Center, USA
  • Stavros Tripakis, University of California, Berkeley, USA
  • Willem Visser, Stellenbosch University, South Africa
  • Farn Wang, National Taiwan University, Taiwan
  • Michael Whalen, University of Minnesota, USA
  • Anton Wijs, Eindhoven University of Technology, Netherlands

Steering Committee

  • Dragan Bosnacki, Eindhoven University of Technology, Netherlands
  • Susanne Graf, Verimag, France
  • Gerard Holzmann, NASA/Caltech Jet Propulsion Laboratory, United States
  • Stefan Leue, University of Konstanz, Germany
  • Willem Visser, Stellenbosch University, South Africa