Matthieu Lemerre

Matthieu Lemerre
Atomic Energy and Alternative Energies Commission | CEA · Direction de la Recherche Technologique (DRT)

PhD

About

36
Publications
4,178
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
164
Citations
Citations since 2016
16 Research Items
101 Citations
2016201720182019202020212022051015202530
2016201720182019202020212022051015202530
2016201720182019202020212022051015202530
2016201720182019202020212022051015202530
Introduction
Dr Matthieu Lemerre areas of expertise include design and formal-verification of safe and secure OS kernels, design and scheduling of real-time systems, design and formal verification of shared-memory concurrent programs, programming language transformations, and sound static analysis of system software by abstract interpretation.

Publications

Publications (36)
Chapter
To understand and detect possible errors in programs manipulating memory, static analyses of various levels of precision have been introduced, yet it remains hard to capture both information about the byte-level layout and precise global structural invariants. Classical pointer analyses struggle with the latter, whereas advanced shape analyses incu...
Article
Full-text available
Static analyses aim at inferring semantic properties of programs. We distinguish two important classes of static analyses: state analyses and relational analyses. While state analyses aim at computing an over-approximation of reachable states of programs, relational analyses aim at computing functional properties over the input–output states of pro...
Preprint
Full-text available
Inline assembly is still a common practice in low-level C programming, typically for efficiency reasons or for accessing specific hardware resources. Such embedded assembly codes in the GNU syntax (supported by major compilers such as GCC, Clang and ICC) have an interface specifying how the assembly codes interact with the C environment. For simpli...
Preprint
Full-text available
The kernel is the most safety- and security-critical component of many computer systems, as the most severe bugs lead to complete system crash or exploit. It is thus desirable to guarantee that a kernel is free from these bugs using formal methods, but the high cost and expertise required to do so are deterrent to wide applicability. We propose a m...
Chapter
Full-text available
Dataflow test coverage criteria, such as all-defs and all-uses, belong to the most advanced coverage criteria. These criteria are defined by complex artifacts combining variable definitions, uses and program paths. Detection of polluting (i.e. inapplicable, infeasible and equivalent) test objectives for such criteria is a particularly challenging t...
Preprint
Full-text available
Operating system kernels are the security keystone of most computer systems, as they provide the core protection mechanisms. Kernels are in particular responsible for their own security, i.e. they must prevent untrusted user tasks from reaching their level of privilege. We demonstrate that proving such absence of privilege escalation is a pre-requi...
Preprint
Full-text available
Directed fuzzing focuses on automatically testing specific parts of the code by taking advantage of additional information such as (partial) bug stack trace, patches or risky operations. Key applications include bug reproduction, patch testing and static analysis report verification. Although directed fuzzing has received a lot of attention recentl...
Article
Full-text available
International Conference on Integrated Formal Methods 2020-11-16/20, Lugano, Suisse
Chapter
Shape analyses aim at inferring semantic invariants related to the data-structures that programs manipulate. To achieve that, they typically abstract the set of reachable states. By contrast, abstractions for transformation relations between input states and output states not only provide a finer description of program executions but also enable th...
Article
Full-text available
The traditional abstract domain framework for imperative programs suffers from several shortcomings; in particular it does not allow precise symbolic abstractions. To solve these problems, we propose a new abstract interpretation framework, based on symbolic expressions used both as an abstraction of the program, and as the input analyzed by abstra...
Conference Paper
Full-text available
Static analyses aim at inferring semantic properties of programs. While many analyses compute an over-approximation of reachable states, some analyses compute a description of the input-output relations of programs. In the case of numeric programs, several analyses have been proposed that utilize relational numerical abstract domains to describe re...
Conference Paper
Full-text available
Executions in the PharOS real-time system are deterministic in the sense that the sequence of local states for every process is independent of the order in which processes are scheduled. The essential ingredient for achieving this property is that a temporal window of execution is associated with every instruction. Messages become visible to receiv...
Conference Paper
Full-text available
Abstract interpretation is a powerful tool in program verification. Several commercial or industrial scale implementations of abstract interpretation have demonstrated that this approach can verify safety properties of real-world code. However, using abstract interpretation tools is not always simple. If no user-provided hints are available, the ab...
Conference Paper
Full-text available
Cloud hypervisors are critical software whose formal verification can increase our confidence in the reliability and security of the cloud. This work presents a case study on formal verification of the virtual memory system of the cloud hypervisor Anaxagoros, a microkernel designed for resource isolation and protection. The code under verification...
Conference Paper
Full-text available
Verifying software systems automatically from their source code rather than modelling them in a dedicated language gives more confidence in establishing their properties. Here we propose a formal specification and verification approach for concurrent C programs directly based on the semantics of C. We define a set of translation rules and implement...
Conference Paper
Full-text available
Complete formal verification of software remains extremely expensive and often reserved in practice for the most critical products. Test generation techniques are much less costly and can be used in combination with theorem proving tools to provide high confidence in the software correctness at an acceptable cost when an automatic prover does not s...
Article
Full-text available
An Approach for Verifying Concurrent C Programs
Conference Paper
Full-text available
This paper presents a model of computation based on real-time constraints and asynchronous message passing, and proves a sufficient and necessary condition for this model to be deterministic. The model is then extended with deterministic error handling, meaning that the same error yields the same consequences on the system. We consider two differen...
Conference Paper
Full-text available
As the usage of the cloud becomes pervasive in our lives, it is needed to ensure the reliability, safety and security of cloud environments. In this paper we study a usual software stack of a cloud environment from the perspective of formal verification. This software stack ranges from applications to the hypervisor. We argue that most of the layer...
Article
Full-text available
This paper describes a new hypervisor built to run Linux in a virtual machine. This hypervisor is built inside Anaxagoros, a real-time microkernel designed to execute safely hard real-time and non real-time tasks. This allows the execution of hard real-time tasks in parallel with Linux virtual machines without interfering with the execution of the...
Article
The migration of many vehicle security features from mechanical solutions (lock and key) to electronic based systems (transponder and RF transceiver) has led to the need for purely electrically operated locking mechanisms. One such an example is a steering column lock, which locks and unlocks the steering wheel movement via a reversible electric mo...
Conference Paper
Full-text available
This paper presents the design and some aspects of implementation of a highly dependable, safety-oriented kernel for real-time applications. It is specifically designed as an execution facility for a deterministic semi-formal model -- the OASIS model -- which allows to express and verify temporal behaviors and communications of a safety critical re...
Article
Full-text available
This paper provides an overview of some principles and mechanisms to securely operate mixed-criticality real-time systems on embedded platforms. Those principles are illustrated with PharOS a complete set of tools to design, implement and execute real-time systems on automotive embedded platforms. The keystone of this approach is a dynamic time-tri...
Conference Paper
Full-text available
We present time-constrained automata (TCA), a model for hard real-time computation in which agents behaviors are modeled by automata and constrained by time intervals. TCA actions can have multiple start time and deadlines, can be aperiodic, and are selected dynamically following a graph, the time-constrained automaton. This allows expressing much...
Article
Full-text available
This paper introduces CONFIGEN, a tool that helps modularizing software. CONFIGEN allows the developer to select a set of elementary components for his software through an interactive interface. Configuration files for use by C/assembly code and Makefiles are then automatically generated, and we successfully used it as a helper tool for complex sys...
Article
Full-text available
Anaxagoros is microkernel designed to support dependable, concurrent execution of tasks with different safety levels, some of them having real-time constraints. Following mi-crokernel philosophy of secure resource sharing, it allows resources to be separated into pools accessed only through a dedicated system service. This ensures spatial and behav...
Conference Paper
Full-text available
This paper introduces CONFIGEN, a tool that helps modularizing software. CONFIGEN allows the developer to select a set of elementary components for his software through an interactive interface. Configuration files for use by C/assembly code and Makefiles are then automatically generated, and we successfully used it as a helper tool for complex sys...
Article
Full-text available
Cette thèse étudie les principes de mise en oeuvre pour l'exécution sur un même ordinateur, de tâches de niveaux de criticité différents, et dont certaines peuvent avoir des contraintes temps réel dur. Les difficultés pour réaliser ces objectifs forment trois catégories. Il faut d'abord prouver que les tâches disposeront d'assez de ressources pour...
Article
Full-text available
This thesis studies design and implementation principles to execute tasks of different criticity levels onto the same computer. Additionally, some of these tasks may have hard real-time constraints. This requires to prove that tasks will get enough resources to execute properly, through the use of predictible and still simple allocation policies. M...
Article
Full-text available
Sharing resources between multiple untrusted clients requires a shared service that provides access to the resources upon client requests. But executing these requests needs other resources, like memory or CPU time, which must be carefully allocated. In this paper, we investigate a communication mechanism that allows access to shared services witho...
Article
Full-text available
Multiprocessor scheduling problems are hard because of the numerous constraints on valid schedules to take into account. This paper presents new schedule representations in order to overcome these difficulties, by allowing processors to be fractionally allocated. We prove that these representations are equivalent to the standard representations whe...

Network

Cited By