VASCO stands for "VAlidation of Software Systems, Components and Objects". VASCO’s research is in the field of software engineering and applied formal methods. It is a member of the "Software and Information System Engineering" axis of the LIG, and shares with several teams of this axis the conviction that software engineering tools must be based on models.
The evolution of software systems towards more openness, interconnection and integration has significantly raised the stakes for security as well as safety. Safety analysis and testing must deal with systems that interact heavily with other systems and with external resources and components. The fast-changing and adaptive nature of threats and attacks on information systems, which have become more pervasive, raises new challenges, because existing techniques can become obsolete in such a context. These security challenges have motivated most research activities of the VASCO team during the past period. These research efforts focus on security testing and modelling.
Testing plays a central role in our research, which must face several testing challenges, especially in the context of open environments: the difficulty of controlling the environment’s behaviour, and incomplete models of the environment and of the application under test. Since less can be assumed about the environment, it becomes necessary to perform more tests to increase confidence. This leads to the classical challenges of testing: automating test generation, controlling the size of the test suite, and automating the test oracle. During the past period, the VASCO team was active on each of these challenges. We used fuzzing techniques and combinatorial testing for test generation. We proposed several reduction techniques to control the size of the test suite. We took advantage of monitoring techniques to automate the test oracle, and studied trace analysis to perform fault localisation.
Models also play a significant role in our research. Models can provide an oracle for tests, or can be the basis for test generation. They also provide an abstraction of the system under validation, which can be explored to find security breaches and potential attacks. Therefore, our models address both functional/behavioural and security aspects of the system under validation. In the past period, we have conducted research on model inference to construct a model from an existing system, which will then be explored by model-checking. We also studied the use of simulation and testing to validate a security policy described as a B specification.
During the past five years, the team has participated in 2 European projects (ITEA/Diamonds and FP7/SPaCIoS) and 2 national (ANR) projects (Selkis and TASCCC), all dedicated to various facets of security. Our skills in security testing and modelling are also applicable to safety, as demonstrated in the FUI IO32 project, where passive testing was associated with techniques for understanding traces. Our expertise in monitoring techniques gave rise to the Weave Droid project, which performs code injection in Android applications without source code.
These research efforts fit in the “Software and Information System Engineering” axis of the LIG, where we share with several teams of this axis the conviction that software engineering tools must be based on models. They are related to the “Security, safety, reliability” and “Embedded Systems” challenges of the LIG scientific programme and to the PILSI project. They contribute to the “Sustainable ambient computing” project of the LIG through their contributions to safety, security and software quality. Moreover, the team is part of the SCCyPhy action of Persyval-lab, dedicated to various aspects of security.
Amira Radhouani presents her PhD work