Nikolai Kosmatov

Atomic Energy and Alternative Energies Commission | CEA · Software Reliability and Security Lab

Ph.D.

About

131 Publications
14,566 Reads
2,232 Citations
Introduction
Nikolai Kosmatov currently works at the Software Reliability and Security Lab of CEA List. Nikolai does research in software verification, in particular, test generation, combinations of static and dynamic analyses, program slicing and runtime assertion checking.
Additional affiliations
December 2006 - September 2015
Atomic Energy and Alternative Energies Commission
Position
  • Researcher

Publications (131)
Chapter
Combinations of analysis techniques and tools can help verification engineers to achieve their goals. The Frama-C verification platform offers a large range of possibilities for combining its analyzers with each other or with external tools. This chapter provides an overview of several combinations with different objectives and levels of maturity....
Chapter
Structural testing allows validation engineers to ensure that all parts of the program source code are activated (or covered) by the executed tests. The parts of code to be covered are determined by the choice of a coverage criterion. Automated test generation tools can be used effectively to generate test inputs satisfying a selected coverage crit...
Chapter
The ACSL specification language allows the verification engineer to specify almost any property they might want to verify at any given point in a given C program. For some complex properties, it can sometimes be done at the price of an extremely complex encoding, which could quickly become error-prone if written manually. To facilitate this task, a...
Chapter
Security of modern software has become a major concern. One example of highly critical software is smart card software since smart cards often play a key role in user authentication and controlling access to sensitive services and data. To demonstrate the compliance of a smart card product to security requirements, its certification according to th...
Chapter
Full-text available
Deductive verification tools can prove a large range of program properties, but often face issues on recursive data structures. Abstract interpretation tools based on separation logic and shape analysis can efficiently reason about such structures but cannot deal with so large classes of properties. This short paper presents an ongoing work on comb...
Chapter
Full-text available
Modern deductive verification tools succeed in automatically proving the great majority of program annotations thanks in particular to constantly evolving SMT solvers they rely on. The remaining proof goals still require interactively created proof scripts. This tool demo paper presents a new solution for an automatic creation of proof scripts in /...
Chapter
RISC-V is a recently developed open instruction set architecture gaining a lot of attention. To improve the security of these systems and design efficient countermeasures, a better understanding of vulnerabilities to novel and future attacks is mandatory. This paper demonstrates that RISC-V is susceptible to Jump-Oriented Programming, a class of compl...
Chapter
The Trusted Platform Module (TPM) is a cryptoprocessor designed to protect integrity and security of modern computers. Communications with the TPM go through the TPM Software Stack (TSS), a popular implementation of which is the open-source library tpm2-tss. Vulnerabilities in its code could allow attackers to recover sensitive information and take...
Preprint
Full-text available
The Trusted Platform Module (TPM) is a cryptoprocessor designed to protect integrity and security of modern computers. Communications with the TPM go through the TPM Software Stack (TSS), a popular implementation of which is the open-source library tpm2-tss. Vulnerabilities in its code could allow attackers to recover sensitive information and take...
Article
Runtime Assertion Checking (RAC) for expressive specification languages is a non-trivial verification task that becomes even more complex for memory-related properties of imperative languages with dynamic memory allocation. It is important to ensure the soundness of RAC verdicts, in particular when RAC reports the absence of failures for execution...
Preprint
Full-text available
Dynamic symbolic execution (DSE) is a powerful test generation approach based on an exploration of the path space of the program under test. Well-adapted for path coverage, this approach is however less efficient for conditions, decisions, advanced coverage criteria (such as multiple conditions, weak mutations, boundary testing) or user-provided te...
Chapter
The use of function contracts to specify the behavior of functions often remains limited to the scope of a single function call. Relational properties link several function calls together within a single specification. They can express more advanced properties of a given function, such as non-interference, continuity, or monotonicity. They can also...
Preprint
Full-text available
The use of function contracts to specify the behavior of functions often remains limited to the scope of a single function call. Relational properties link several function calls together within a single specification. They can express more advanced properties of a given function, such as non-interference, continuity, or monotonicity. They can also...
Chapter
Formal verification of real-life industrial software remains a challenging task. It provides strong guarantees of correctness, which are particularly important for security-critical products, such as smart cards. Security of a smart card strongly relies on the requirement that the underlying JavaCard virtual machine ensures necessary isolation prop...
Article
Full-text available
A panoramic view of a popular platform for C program analysis and verification.
Article
Full-text available
Data flow formalisms are commonly used to model systems in order to solve problems of buffer sizing and task scheduling. A prerequisite for static analysis of a modeled system is the existence of a periodic schedule in which the sizes of communication channels can be bounded for an unbounded execution (consistency), and that communication dependenc...
Article
Full-text available
The publication of this article unfortunately contained a mistake.
Article
Automatic test input generation (ATG) is a major topic in software engineering, analysis and security. In this paper, we bridge the gap between state-of-the-art white-box ATG techniques, especially Dynamic Symbolic Execution, and the diversity of test objectives that they may be used to cover in practice, including many of those defined by common s...
Chapter
Verification of numerical accuracy properties in modern software remains an important and challenging task. One of its difficulties is related to unstable tests, where the execution can take different branches for real and floating-point numbers. This paper presents a new verification technique for numerical properties, named Runtime Abstract Inter...
Chapter
Full-text available
Dataflow test coverage criteria, such as all-defs and all-uses, belong to the most advanced coverage criteria. These criteria are defined by complex artifacts combining variable definitions, uses and program paths. Detection of polluting (i.e. inapplicable, infeasible and equivalent) test objectives for such criteria is a particularly challenging t...
Chapter
Runtime assertion checking is the discipline of detecting at runtime violations of program properties written as formal code annotations. These properties often include numerical properties, which may rely on either (bounded) machine representations or (unbounded) mathematical numbers. The verification of the former is easier to implement and more...
Chapter
Runtime Assertion Checking (RAC) for expressive specification languages is a non-trivial verification task that becomes even more complex for memory-related properties of imperative languages with dynamic memory allocation. It is important to ensure the soundness of RAC verdicts, in particular when RAC reports the absence of failures for execution...
Article
Full-text available
International Conference on Integrated Formal Methods, 16-20 November 2020, Lugano, Switzerland
Article
Full-text available
An important concern addressed by runtime verification tools for C code is related to detecting memory errors. It requires monitoring some properties of memory locations (e.g., their validity and initialization) along the whole program execution. Static analysis based optimizations have been shown to significantly improve the performances of such t...
Preprint
Full-text available
Verification of numerical accuracy properties in modern software remains an important and challenging task. This paper describes an original framework combining different solutions for numerical accuracy. First, we extend an existing runtime verification tool called E-ACSL with rational numbers to monitor accuracy properties at runtime. Second, we...
Chapter
In Cyber-Physical Systems, the software components are often distributed over several computing nodes, connected by a communication network. Depending on several factors, the behavior of these components may dynamically change during its execution. The existing data flow formalisms for the performance prediction of dynamic systems do not cover the...
Chapter
A common way to specify software properties is to associate a contract to each function, allowing the use of various techniques to assess (e.g. to prove or to test) that the implementation is valid with respect to these contracts. However, in practice, high-level properties are not always easily expressible through function contracts. Furthermore,...
Chapter
While deductive verification is increasingly used on real-life code, making it fully automatic remains difficult. The development of powerful SMT solvers has improved the situation, but some proofs still require interactive theorem provers in order to achieve full formal verification. Auto-active verification relies on additional guiding annotation...
Conference Paper
Modern verification projects continue to offer new challenges for formal verification. One of them is the linked list module of Contiki, a popular open-source operating system for the Internet of Things. It has a rich API and uses a particular list representation that make it different from the classical linked list implementations. Being widely us...
Chapter
Full-text available
Modular deductive verification is a powerful technique capable of showing that each function in a program satisfies its contract. However, function contracts do not provide a global view of which high-level (e.g. security-related) properties of a whole software module are actually established, making it very difficult to assess them. To address this i...
Chapter
Full-text available
Data flow formalisms are commonly used to model systems in order to solve problems of buffer sizing and task scheduling. A prerequisite for static analysis of a modeled system is the existence of a periodic schedule in which the sizes of communication channels can be bounded for an unbounded execution (consistency), and that communication dependenc...
Book
This book constitutes the refereed proceedings of the 31st IFIP WG 6.1 International Conference on Testing Software and Systems, ICTSS 2019, held in Paris, France, in October 2019. The 14 regular papers and 3 short papers presented were carefully reviewed and selected from 30 submissions. This year also included an additional industrial paper. ICTS...
Preprint
Full-text available
Modular deductive verification is a powerful technique capable of showing that each function in a program satisfies its specified contract. However, not all high-level (e.g. security-related) properties of a software module can be easily expressed through function contracts. To address this issue, this tool demo paper proposes a new specification mech...
Chapter
Full-text available
Automatic white-box testing based on formal methods is now a relatively mature technology and operational tools are available. Despite this, and the cost of manual testing, the technology is still rarely applied in an industrial setting. This paper describes how the specific needs of the user can be taken into account in order to build the necessar...
Article
Full-text available
Applying deductive verification to formally prove that a program respects its formal specification is a very complex and time-consuming task due in particular to the lack of feedback in case of proof failures. Along with a non-compliance between the code and its specification (due to an error in at least one of them), possible reasons of a proof fa...
Chapter
Internet of Things (IoT) applications are becoming increasingly critical and require formal verification. Our recent work presented formal verification of the linked list module of Contiki, an OS for IoT. It relies on a parallel view of a linked list via a companion ghost array and uses an inductive predicate to link both views. In this work, a few...
Chapter
Function contracts are a well-established way of formally specifying the intended behavior of a function. However, they usually only describe what should happen during a single call. Relational properties, on the other hand, link several function calls. They include such properties as non-interference, continuity and monotonicity. Other examples re...
Chapter
Despite significant progress made by runtime verification tools in recent years, memory errors remain one of the primary threats to software security. The present work is aimed at providing an objective up-to-date experience study on the capacity of modern online runtime verification tools to automatically detect security flaws in C programs. The r...
Conference Paper
Full-text available
Testing is the primary approach for detecting software defects. A major challenge faced by testers lies in crafting efficient test suites, able to detect a maximum number of bugs with manageable effort. To do so, they rely on coverage criteria, which define some precise test objectives to be covered. However, many common criteria specify a signific...
Chapter
Full-text available
In 2011, Danicic et al. introduced an elegant generalization of the notion of control dependence for any directed graph. They also proposed an algorithm computing the weak control-closure of a subset of graph vertices and performed a paper-and-pencil proof of its correctness. We have performed its proof in the Coq proof assistant. This paper also p...
Chapter
Internet of Things (IoT) applications are becoming increasingly critical and require rigorous formal verification. In this paper we target Contiki, a widely used open-source OS for IoT, and present a verification case study of one of its most critical modules: that of linked lists. Its API and list representation differ from the classical linked li...
Article
With the wide expansion of multiprocessor architectures, the analysis and reasoning for programs under weak memory models has become an important concern. This work presents MMFilter, an original constraint solver for generating program behaviors respecting a particular memory model. It is implemented in Prolog using CHR (Constraint Handling Rules)...
Article
Full-text available
Deductive verification provides a powerful tool to show functional properties of a given program. However, in practice, many properties of interest link several program calls. This is for instance the case for non-interference, continuity and monotonicity. Other examples relate sequences of function calls, for instance to show that decrypting an encryp...
Article
Program slicing can be used to reduce a given initial program to a smaller one (a slice) that preserves the behavior of the initial program with respect to a chosen criterion. Verification and validation (V&V) of software can become easier on slices, but require particular care in the presence of errors or non-termination in order to avoid unsound...
Conference Paper
State-of-the-art memory debuggers have become efficient in detecting spatial memory errors – dereference of pointers to unallocated memory. These tools, however, cannot always detect errors arising from the use of stale pointers to valid memory (temporal memory errors). This paper presents an approach to reliable detection of temporal memory errors...
Article
Full-text available
Testing is the primary approach for detecting software defects. A major challenge faced by testers lies in crafting efficient test suites, able to detect a maximum number of bugs with manageable effort. To do so, they rely on coverage criteria, which define some precise test objectives to be covered. However, many common criteria specify a signific...
Article
Full-text available
Frama-C is a software analysis framework that provides a common infrastructure and a common behavioral specification language to plugins that implement various static and dynamic analyses of C programs. Most plugins do not support concurrency. We have proposed Conc2Seq, a Frama-C plugin based on program transformation, capable of leveraging the exist...
Conference Paper
Full-text available
Context. Automating white-box testing is a major topic in software engineering. Over the years, many tools have thus been developed to support the different parts of the testing process. These tools rely implicitly or explicitly on a code coverage criterion to guide the automation. The...
Conference Paper
Memory shadowing associates addresses from an application's memory to values stored in a disjoint memory space called shadow memory. At runtime shadow values store metadata about application memory locations they are mapped to. Shadow state encodings -- the structure of shadow values and their interpretation -- vary across different tools. Encoding...
Article
Memory shadowing associates addresses from an application's memory to values stored in a disjoint memory space called shadow memory. At runtime shadow values store metadata about application memory locations they are mapped to. Shadow state encodings -- the structure of shadow values and their interpretation -- vary across different tools. Encoding...
Conference Paper
Full-text available
A large amount of research has been carried out to automate white-box testing. While a wide range of different and sometimes heterogeneous code-coverage criteria have been proposed, there exists no generic formalism to describe them all, and available test automation tools usually support only a small subset of them. We introduce a new specificatio...
Conference Paper
Automated white-box testing is a major issue in software engineering. In previous work, we introduced LTest, a generic and integrated toolkit for automated white-box testing of C programs. LTest supports a broad class of coverage criteria in a unified way (through the label specification mechanism) and covers most major parts of the testing process...
Conference Paper
Full-text available
Formal verification is still rarely applied to the IoT (Internet of Things) software, whereas IoT applications tend to become increasingly popular and critical. This short paper promotes the usage of formal verification to ensure safety and security of software in this domain. We present a successful case study on deductive verification of a memory...
Conference Paper
Self-composition provides a powerful theoretical approach to prove relational properties, i.e. properties relating several program executions, that has been applied to compare two runs of one or similar programs (in secure dataflow properties, code transformations, etc.). This tool demo paper presents RPP, an original implementation of self-composi...
Article
17th International Conference on Runtime Verification, RV 2017; Conference Date: 13 September 2017 through 16 September 2017; Conference Code: 197919
Article
23rd International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2017, held as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017; Conference Date: 22 April 2017 through 29 April 2017; Conference Code: 190569
Conference Paper
Why3 is an environment for static verification, generic in the sense that it is used as an intermediate tool by different front-ends for the verification of Java, C or Ada programs. Yet, the choices made when designing the specification languages provided by those front-ends differ significantly, in particular with respect to the executability of s...
Article
One classical approach to ensuring memory safety of C programs is based on storing block metadata in a tree-like data structure. However, it becomes relatively slow when the number of memory locations in the tree becomes high. Another solution, based on shadow memory, allows very fast constant-time access to metadata and led to development of several...
Conference Paper
Full-text available
Frama-C is a source code analysis platform that aims at conducting verification of industrial-size C programs. It provides its users with a collection of plug-ins that perform static and dynamic analysis for safety- and security-critical software. Collaborative verification across cooperating plug-ins is enabled by their integration on top of a sha...
Article
Full-text available
While a wide range of different, sometimes heterogeneous test coverage criteria have been proposed, there exists no generic formalism to describe them, and available test automation tools usually support only a small subset of them. We introduce a unified specification language, called HTOL, providing a powerful generic mechanism to define test obj...
Conference Paper
Full-text available
Applying deductive verification to formally prove that a program respects its formal specification is a very complex and time-consuming task due in particular to the lack of feedback in case of proof failures. Along with a non-compliance between the code and its specification (due to an error in at least one of them), possible reasons of a proof fa...
Article
Full-text available
Modular deductive verification provides a sound and powerful technique to establish that any call to a given function respects its given specification. However, relational properties, i.e. properties relating several function calls, are not supported. This short paper presents an original automated technique for specification and verification of su...
Conference Paper
Program slicing can be used to reduce a given initial program to a smaller one (a slice) which preserves the behavior of the initial program with respect to a chosen criterion. Verification and validation (V&V) of software can become easier on slices, but require particular care in the presence of errors or non-termination in order to avoid unsound res...
Article
19th International Conference on Fundamental Approaches to Software Engineering, FASE 2016, held as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2016; Conference Date: 2 April 2016 through 8 April 2016; Conference Code: 172399
Conference Paper
Security of modern information and communication systems has become a major concern. This tool paper presents Flinder-SCA, an original combined tool for vulnerability detection, implemented on top of Frama-C, a platform for collaborative verification of C programs, and Search Lab’s Flinder testing tool. Flinder-SCA includes three steps. First, abst...
Article
Full-text available
Applying deductive verification to formally prove that a program respects its formal specification is a very complex and time-consuming task due in particular to the lack of feedback in case of proof failures. Along with a non-compliance between the code and its specification (due to an error in at least one of them), possible reasons of a proof fa...
Conference Paper
Full-text available
Cloud hypervisors are critical software whose formal verification can increase our confidence in the reliability and security of the cloud. This work presents a case study on formal verification of the virtual memory system of the cloud hypervisor Anaxagoros, a microkernel designed for resource isolation and protection. The code under verification...
Article
Full-text available
In software testing, coverage criteria specify the requirements to be covered by the test cases. However, in practice such criteria are limited due to the well-known infeasibility problem, which concerns elements/requirements that cannot be covered by any test case. To deal with this issue we revisit and improve state-of-the-art static analysis tec...
Conference Paper
One classical approach to ensuring memory safety of C programs is based on storing block metadata in a tree-like data structure. However, it becomes relatively slow when the number of memory locations in the tree becomes high. Another solution, based on shadow memory, allows very fast constant-time access to metadata and led to development of several...
Conference Paper
Full-text available
E-ACSL is a plug-in of Frama-C, a C code analysis platform developed in OCaml. Its purpose is to transform a C program formally annotated in the eponymous E-ACSL specification language into another C program whose runtime behavior is equivalent if all the specifications are dynamically verified and which fails...
Chapter
Software testing in the cloud can reduce the need for hardware and software resources and offer a flexible and efficient alternative to the traditional software testing process. A major obstacle to the wider use of testing in the cloud is related to security issues. This chapter focuses on test generation techniques that combine concrete and symbol...
Book
This book constitutes the refereed proceedings of the 9th International Conference on Tests and Proofs, TAP 2015, held in L'Aquila, Italy, in July 2015, as part of the STAF 2015 Federated Conferences. The 11 revised full papers and 1 short paper presented together with 3 invited talks were carefully reviewed and selected from 21 submissions. The...
Conference Paper
Full-text available
Software verification and validation often rely on formal specifications that encode desired program properties. Recent research proposed a combined verification approach in which a program can be incrementally verified using alternatively deductive verification and testing. Both techniques should use the same specification expressed in a unique sp...
Conference Paper
Full-text available
Automated white-box testing is a major issue in software engineering. Over the years, several tools have been proposed for supporting distinct parts of the testing process. Yet, these tools are mostly separated and most of them support only a fixed and restricted subset of testing criteria. We describe in this paper FRAMA-C/LTEST, a generic and in...
Conference Paper
Full-text available
Complete formal verification of software remains extremely expensive and often reserved in practice for the most critical products. Test generation techniques are much less costly and can be used in combination with theorem proving tools to provide high confidence in the software correctness at an acceptable cost when an automatic prover does not s...
Conference Paper
Full-text available
Among various static and dynamic software verification techniques, runtime assertion checking traditionally holds a particular place. Commonly used by most software developers, it can provide a fast feedback on the correctness of a property for one or several concrete executions of the program. Quite easy to realize for simple program properties, i...
Conference Paper
Full-text available
This paper describes an incremental methodology of deductive verification assisted by test generation and illustrates its benefits by a set of frequent verification scenarios. We present StaDy, a new integration of the concolic test generator PathCrawler within the software analysis platform Frama-C. This new plugin treats a complete formal specif...
Article
Full-text available
We present StaDy, a new integration of the concolic test generator PathCrawler within the software analysis platform Frama-C. When executing a dynamic analysis of a C code, the integrated test generator also exploits its formal specification, written in an executable fragment of the ACSL specification language shared with other analyzers of Frama-...
Article
Full-text available
While the development of one software verification tool is often seen as a difficult task, the realization of a tool combining various verification techniques is even more complex. This paper presents an innovative tool for verification of C programs called Sante (Static ANalysis and TEsting). We show how several tools based on heterogeneous techni...
Conference Paper
Full-text available
Automatic test data generation (ATG) is a major topic in software engineering. In this paper, we bridge the gap between the coverage criteria supported by state-of-the-art white-box ATG technologies, especially Dynamic Symbolic Execution, and advanced coverage criteria found in the literature. We define a new testing criterion, label coverage, and...
Conference Paper
Full-text available
This paper presents a novel technique for handling a precondition in dynamic symbolic execution (DSE) testing tools. It delays precondition constraints until the end of the program path evaluation. This method allows PathCrawler, a DSE tool for C programs, to accept a precondition defined as a C function. It provides a convenient way to express a p...