Sophie Pinchinat

IRISA - Institut de Recherche en Informatique et Systèmes Aléatoires | IRISA · université de Rennes 1

Full Professor

About

105
Publications
5,855
Reads
914
Citations
Citations since 2016
30 Research Items
448 Citations
Citations per year, 2016-2022 (chart not reproduced)
Additional affiliations
July 2006 - July 2007
Australian National University
Position
  • Marie Curie Fellow
Description
  • I had a project to develop logics for multi-agent systems.

Publications (105)
Preprint
Full-text available
Security is a subject of increasing attention in our actual society in order to protect critical resources from information disclosure, theft or damage. The informal model of attack trees introduced by Schneier, and widespread in the industry, is advocated in the 2008 NATO report to govern the evaluation of the threat in risk analysis. Attack-defen...
Article
Full-text available
We introduce the formula-synthesis problem for Propositional Dynamic Logic with Shuffle (PDL || ). This problem, which generalises the model-checking problem against PDL || is the following: given a finite transition system and a regular term-grammar that generates (possibly infinitely many) PDL || formulas, find a formula generated by the grammar...
Preprint
Full-text available
Dynamic Epistemic Logic (DEL) is a logic that models information change in a multi-agent setting through the use of action models with pre- and post-conditions. In a recent work, DEL has been extended to first-order epistemic logic (DFOEL), with a proof that the resulting Epistemic Planning Problem is decidable, as long as action models pre- and po...
Article
We study alternating automata with qualitative semantics over infinite binary trees: Alternation means that two opposing players construct a decoration of the input tree called a run, and the qualitative semantics says that a run of the automaton is accepting if almost all branches of the run are accepting. In this article, we prove a positive and...
Chapter
We consider attack trees that can contain OR-, AND- and SAND-nodes. Relying on a formal notion of library inspired from context-free grammars, we introduce a generic attack tree synthesis problem that takes such a library and a trace as inputs. We show that this synthesis problem is NP-complete. The NP membership relies on an involved adaptation of...
Conference Paper
Full-text available
Action models of Dynamic Epistemic Logic (DEL) represent precisely how actions are perceived by agents. DEL has recently been used to define infinite multi-player games, and it was shown that they can be solved in some cases. However, the dynamics being defined by the classic DEL update product for individual actions, only turn-based games have bee...
Article
Epistemic planning can be used for decision making in multi-agent systems with distributed knowledge and capabilities. Dynamic Epistemic Logic (DEL) has been shown to provide a very natural and expressive framework for epistemic planning. In this paper, we present a systematic overview of known complexity and decidability results for epistemic plan...
Preprint
Full-text available
We study alternating automata with qualitative semantics over infinite binary trees: alternation means that two opposing players construct a decoration of the input tree called a run, and the qualitative semantics says that a run of the automaton is accepting if almost all branches of the run are accepting. In this paper we prove a positive and a n...
Preprint
Full-text available
Dynamic Epistemic Logic (DEL) is a logical framework in which one can describe in great detail how actions are perceived by the agents, and how they affect the world. DEL games were recently introduced as a way to define classes of games with imperfect information where the actions available to the players are described very precisely. This framewo...
Article
We study the symbolic model checking problem against public announcement protocol logic (PAPL), featuring protocols with public announcements, arbitrary public announcements and group announcements. Technically, symbolic models are Kripke models whose accessibility relations are presented as programs described in a dynamic logic style with proposit...
Chapter
Full-text available
Attack trees are widely used for security modeling and risk analysis. Classically, an attack tree combines possible actions of the attacker into attacks. In most existing approaches, an attack tree represents generic ways of attacking a system, but without taking any specific system or its configuration into account. This means that such a generic...
Article
Attack trees are a well established and commonly used framework for security modeling. They provide a readable and structured representation of possible attacks against a system to protect. Their hierarchical structure reveals common features of the attacks and enables quantitative evaluation of security, thus highlighting the most severe vulnerabi...
Conference Paper
Full-text available
We define reachability games based on Dynamic Epistemic Logic (DEL), where the players' actions are finely described as DEL action models. We first consider the setting where a controller with perfect information interacts with an environment and aims at reaching some desired state of knowledge regarding the observers of the system. We study the pr...
Preprint
Full-text available
We introduce a new decision problem, called Packed Interval Covering (PIC) and show that it is NP-complete.
Preprint
Full-text available
We define reachability games based on Dynamic Epistemic Logic (DEL), where the players' actions are finely described as DEL action models. We first consider the setting where an external controller with perfect information interacts with an environment and aims at reaching some epistemic goal state regarding the passive agents of the system. We stu...
Chapter
We define and study the decision problem of the non-emptiness of an attack tree. This decision problem reflects the natural question of knowing whether some attack scenario described by the tree can be realized in (a given model of) the system to defend. We establish accurate complexity bounds, ranging from [image]-completeness fo...
Article
We revisit Janin and Walukiewicz’s classic result on the expressive completeness of the modal mu-calculus with respect to Monadic Second Order Logic (MSO), which is where the mu-calculus corresponds precisely to the fragment of MSO that is invariant under bisimulation. We show that adding binary relations over finite paths in the picture may alter...
Conference Paper
Full-text available
Epistemic planning extends classical planning with knowledge and is based on dynamic epistemic logic (DEL). The epistemic planning problem is undecidable in general. We exhibit a small undecidable subclass of epistemic planning over 2-agent S5 models with a fixed repertoire of one action, 6 propositions and a fixed goal. We furthermore consider a v...
Chapter
In this paper, we investigate the model checking problem of symbolic models against epistemic logic with arbitrary public announcements and group announcements. We reduce this problem to the satisfiability of Monadic Monadic Second Order Logic (MMSO), the fragment of monadic-second order logic restricted to monadic predicates. In particular, for th...
Conference Paper
Full-text available
Attack trees are a popular way to represent and evaluate potential security threats on systems or infrastructures. The goal of this work is to provide a framework allowing to express and check whether an attack tree is consistent with the analyzed system. We model real systems using transition systems and introduce attack trees with formally specif...
Article
Full-text available
Attack trees are a popular way to represent and evaluate potential security threats on systems or infrastructures. The goal of this work is to provide a framework allowing to express and check whether an attack tree is consistent with the analyzed system. We model real systems using transition systems and introduce attack trees with formally specif...
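The trace semantics sketched in the chapter on OR/AND/SAND trees above, and the consistency question of this framework (does the analyzed system actually admit a run that realizes the tree?), are worth seeing on a concrete input. The following is an added example and not code from any of the papers listed here; it assumes leaves are attacker actions, that a tree is matched against a finite trace of action labels, that SAND children must be realized in order without overlap while AND children may interleave, and it uses a constructed tree and a constructed transition system. The names (`Node`, `spans`, `realizes`, `witness`, `ATTACK_TREE`, `SYSTEM`, `HARDENED`) are this example's own.

```python
"""Trace semantics for attack trees with OR, AND and SAND nodes, plus a
bounded consistency (non-emptiness) check against a transition system.

Added example, not code from the papers listed on this page. Assumptions:
leaves are attacker actions; a tree is evaluated against a finite trace of
action labels; SAND children must be realized in order without overlap, AND
children in any order (overlap allowed), OR needs one child. The tree and
transition systems below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Tuple


@dataclass(frozen=True)
class Node:
    op: str                      # "leaf", "OR", "AND" or "SAND"
    label: str = ""              # action name, leaves only
    children: Tuple["Node", ...] = ()


def leaf(action):
    return Node("leaf", action)


def OR(*children):
    return Node("OR", children=children)


def AND(*children):
    return Node("AND", children=children)


def SAND(*children):
    return Node("SAND", children=children)


def spans(node, trace):
    """Index pairs (start, end) such that trace[start:end] realizes `node`."""
    if node.op == "leaf":
        return {(i, i + 1) for i, a in enumerate(trace) if a == node.label}
    if not node.children:
        return set()
    child_spans = [spans(c, trace) for c in node.children]
    if node.op == "OR":
        return set().union(*child_spans)
    result = set()
    for combo in product(*child_spans):        # one span per child
        if node.op == "SAND":
            # each child must start no earlier than the previous one ended
            if all(combo[k][0] >= combo[k - 1][1] for k in range(1, len(combo))):
                result.add((combo[0][0], combo[-1][1]))
        else:                                   # AND: any interleaving
            result.add((min(s for s, _ in combo), max(e for _, e in combo)))
    return result


def realizes(tree, trace):
    """True iff some sub-trace of `trace` is an attack described by `tree`."""
    return bool(spans(tree, tuple(trace)))


def system_traces(transitions, init, max_len):
    """All traces of length <= max_len of {state: [(action, next_state)]}."""
    stack = [(init, ())]
    while stack:
        state, trace = stack.pop()
        yield trace
        if len(trace) < max_len:
            for action, target in transitions.get(state, []):
                stack.append((target, trace + (action,)))


def witness(tree, transitions, init, max_len):
    """Bounded consistency check: a system trace realizing `tree`, or None."""
    for trace in system_traces(transitions, init, max_len):
        if realizes(tree, trace):
            return trace
    return None


# Constructed tree: get a foothold, log in, then exfiltrate and hide it.
ATTACK_TREE = SAND(
    OR(leaf("phish"), leaf("bruteforce")),
    leaf("login"),
    AND(leaf("exfil"), leaf("cover_tracks")),
)

# Constructed transition system: the defended system as the attacker sees it.
SYSTEM = {
    "s0": [("phish", "s1"), ("bruteforce", "s1")],
    "s1": [("login", "s2")],
    "s2": [("exfil", "s3")],
    "s3": [("cover_tracks", "s4")],
}
# Same system after hardening: log tampering is no longer possible.
HARDENED = {k: [(a, t) for a, t in v if a != "cover_tracks"] for k, v in SYSTEM.items()}

if __name__ == "__main__":
    print(realizes(ATTACK_TREE, ("phish", "login", "exfil", "cover_tracks")))
    print(witness(ATTACK_TREE, SYSTEM, "s0", 4))
    print(witness(ATTACK_TREE, HARDENED, "s0", 6))
```

The bounded search is deliberately naive: it enumerates every trace up to a length, which is enough to see the difference between a tree that is realizable in the model and one that is not once a leaf action is removed. The NP-hardness results quoted above are the reason a real tool needs something smarter than this for large libraries and traces.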
Article
A property (of an object) is opaque to an observer when he or she cannot deduce the property from its set of observations. If each observer is attached to a given set of properties (the so-called secrets), then the system is said to be opaque if each secret is opaque to the corresponding observer. We study in this paper the complexity of opacity a...
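The definition of opacity above can be checked mechanically on a finite model. The code below is an added example and not code from the paper; it assumes a finite labelled transition system with observable and unobservable events, an observer that sees only the projection of a run onto observable events, and a secret given as a set of states (current-state opacity). The secret is opaque iff no reachable belief set of the observer consists of secret states only; the belief sets come from the usual subset construction. The two transition systems, the event sets and the function names are constructed for this example.

```python
"""Current-state opacity check for a finite labelled transition system.

Added example, not code from the paper above. Assumptions: the system is a
finite LTS with observable and unobservable events; the observer sees the
projection of a run onto observable events; the secret is a set of states.
The secret is opaque if no observation lets the observer conclude that the
system is certainly in a secret state, i.e. every reachable belief set of
the observer contains at least one non-secret state. Both LTSs below are
constructed for illustration.
"""
from collections import deque


def unobservable_closure(transitions, states, observable):
    """Add to `states` everything reachable through unobservable events."""
    closure = set(states)
    stack = list(states)
    while stack:
        state = stack.pop()
        for action, target in transitions.get(state, []):
            if action not in observable and target not in closure:
                closure.add(target)
                stack.append(target)
    return frozenset(closure)


def observer_beliefs(transitions, init, observable):
    """Subset construction: every belief set the observer can reach."""
    start = unobservable_closure(transitions, {init}, observable)
    seen = {start}
    queue = deque([start])
    while queue:
        belief = queue.popleft()
        for action in observable:
            successors = {t for s in belief
                          for a, t in transitions.get(s, []) if a == action}
            if not successors:
                continue
            successors = unobservable_closure(transitions, successors, observable)
            if successors not in seen:
                seen.add(successors)
                queue.append(successors)
    return seen


def opacity_violation(transitions, init, observable, secret):
    """A belief set made only of secret states (the secret leaks), else None."""
    for belief in observer_beliefs(transitions, init, observable):
        if belief <= secret:
            return belief
    return None


# Constructed: after login, the session silently becomes admin or plain user.
OBSERVABLE = {"login", "read", "list"}
SECRET = {"s2", "s4"}            # states where the admin credential is in use
SHARED_PATH = {
    "s0": [("login", "s1")],
    "s1": [("elevate", "s2"), ("stay_user", "s3")],   # both unobservable
    "s2": [("read", "s4")],
    "s3": [("read", "s5")],
}
# Same system, but only the admin session may "read"; users "list" instead.
DISTINCT_PATH = dict(SHARED_PATH, s3=[("list", "s5")])

if __name__ == "__main__":
    print(opacity_violation(SHARED_PATH, "s0", OBSERVABLE, SECRET))    # None
    print(opacity_violation(DISTINCT_PATH, "s0", OBSERVABLE, SECRET))  # frozenset({'s4'})
```

In the first system the observer, having seen `login read`, still hesitates between the admin and the user branch, so the secret is opaque; in the second, `read` is only possible on the admin branch, so the belief after `login read` is exactly a secret state and the observer learns the secret. The check is exponential in the number of states in the worst case, which matches the flavour of the complexity results the paper establishes.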
Conference Paper
Full-text available
We formally define three notions of soundness of an attack tree w.r.t. the system it refers to: admissibility, consistency, and completeness. The system is modeled as a labeled transition system and the attack is provided with semantics in terms of paths of the transition system. We show complexity results on the three notions of soundness, and the...
Conference Paper
Attack trees are widely considered in the fields of security for the analysis of risks (or threats) against electronics, computer control, or physical systems. A major barrier is that attack trees can become largely complex and thus hard to specify. This paper presents ATSyRA, a tooling environment to automatically synthesize attack trees of a syst...
Conference Paper
Full-text available
In this work we consider simple extensive-form games with two players, Player A and Player B, where Player B can make announcements about his strategy. Player A has then to revise her preferences about her strategies, so as to better respond to the strategy she believes Player B will play. We propose a generic framework that combines methods and te...
Article
This paper compares the recently proposed Robust Full Computational Tree Logic (RoCTL∗) to model robustness in concurrent systems with other computational tree logic (CTL∗)-based logics. RoCTL∗ extends CTL∗ with the addition of the operators Obligatory and Robustly, which quantify over failure-free paths and paths with one more failure respectively...
Conference Paper
Full-text available
We revisit Janin and Walukiewicz’s classic result on the expressive completeness of the modal mu-calculus w.r.t. MSO, when transition systems are equipped with a binary relation over paths. We obtain two natural extensions of MSO and the mu-calculus: MSO with path relation and the jumping mu-calculus. While “bounded-memory” binary relations bring a...
Article
Full-text available
A general concept of uniform strategies has recently been proposed as a relevant notion in game theory for computer science, which subsumes various notions from the literature. It relies on properties involving sets of plays in two-player turn-based arenas equipped with arbitrary binary relations between plays; these properties are expressed in a l...
Conference Paper
Full-text available
In the literature, two powerful temporal logic formalisms have been proposed for expressing information flow security requirements, that in general, go beyond regular properties. One is classic, based on the knowledge modalities of epistemic logic. The other one, the so called hyper logic, is more recent and subsumes many proposals from the literat...
Conference Paper
Full-text available
Attack trees are widely used in the fields of defense for the analysis of risks (or threats) against electronics systems, computer control systems or physical systems. Based on the analysis of attack trees, practitioners can define actions to engage in order to reduce or annihilate risks. A major barrier to support computer-aided risk analysis is t...
Article
Full-text available
While the $\mu$-calculus notoriously subsumes Alternating-time Temporal Logic (ATL), we show that the epistemic $\mu$-calculus does not subsume ATL with imperfect information (ATL$_i$) for the synchronous perfect-recall semantics. To prove this we first establish that jumping parity tree automata (JTA), a recently introduced extension of alternatin...
Article
Full-text available
The analysis of discrete event systems under partial observation is an important topic, with major applications such as the detection of information flow and the diagnosis of faulty behaviors. These questions have, mostly, not been addressed for classical models of recursive systems, such as pushdown systems and recursive state machines. In this pa...
Conference Paper
Full-text available
In this work we aim at applying automata techniques to problems studied in Dynamic Epistemic Logic, such as epistemic planning. To do so, we first remark that repeatedly executing ad infinitum a propositional event model from an initial epistemic model yields a relational structure that can be finitely represented with automata. This correspondence...
Article
Full-text available
In this work we aim at applying automata techniques to problems studied in Dynamic Epistemic Logic, such as epistemic planning. To do so, we first remark that repeatedly executing ad infinitum a propositional event model from an initial epistemic model yields a relational structure that can be finitely represented with automata. This correspondence...
Article
Full-text available
We consider two-player turn-based game arenas for which we investigate uniformity properties of strategies. These properties involve sets of plays in order to express useful constraints on strategies that are not μ-calculus definable. Typically, we can represent constraints on allowed strategies, such as being observation-based. We propose a formal...
Article
Full-text available
This paper proposes a new logic RoCTL* to model robustness in concurrent systems. RoCTL* extends CTL* with the addition of Obligatory and Robustly operators, which quantify over failure-free paths and paths with one more failure respectively. We present a number of examples of problems to which RoCTL* can be applied. The core result of this paper i...
Conference Paper
Full-text available
We investigate the complexity of satisfiability for one-agent refinement modal logic (RML), an extension of basic modal logic (ML) obtained by adding refinement quantifiers on structures. RML is known to have the same expressiveness as ML, but the translation of RML into ML is of nonelementary complexity, and RML is at least doubly exponentially mo...
Conference Paper
Full-text available
We investigate uniformity properties of strategies. These properties involve sets of plays in order to express useful constraints on strategies that are not \mu-calculus definable. Typically, we can state that a strategy is observation-based. We propose a formal language to specify uniformity properties, interpreted over two-player turn-based arena...
Article
Full-text available
We consider turn-based game arenas for which we investigate uniformity properties of strategies. These properties involve bundles of plays, that arise from some semantical motive. Typically, we can represent constraints on allowed strategies, such as being observation-based. We propose a formal language to specify uniformity properties and demonstr...
Article
Full-text available
The analysis of discrete event systems under partial observation is an important topic, with major applications such as the detection of information flow and the diagnosis of faulty behaviors. We consider recursive tile systems, which are infinite systems generated by a finite collection of finite tiles, a simplified variant of deterministic graph...
Conference Paper
Full-text available
We investigate the complexity of satisfiability for one-agent Refinement Modal Logic (RML), a known extension of basic modal logic (ML) obtained by adding refinement quantifiers on structures. It is known that RML has the same expressiveness as ML, but the translati...
Article
Full-text available
We consider the emptiness problem for alternating tree automata, with two acceptance semantics: classical (all branches are accepted) and qualitative (almost all branches are accepted). For the classical semantics, the usual technique to tackle this problem relies on a Simulation Theorem which constructs an equivalent non-deterministic automaton fr...
Article
In this paper we present refinement modal logic. A refinement is like a bisimulation, except that from the three relational requirements only 'atoms' and 'back' need to be satisfied. Our logic contains a new operator 'forall' in additional to the standard modalities 'Box' for each agent. The operator 'forall' acts as a quantifier over the set of al...
Conference Paper
We investigate verification problems for gap-order constraint systems (GCS), an (infinitely-branching) abstract model of counter machines, in which constraints (over Z) between the variables of the source state and the target state of a transition are gap-order constraints (GC) [32]. GCS extend monotonicity constraint systems [7], integral...
Conference Paper
Full-text available
We study in depth the class of games with opacity condition, which are two-player games with imperfect information in which one of the players only has imperfect information, and where the winning condition relies on the information he has along the play. Those games are relevant for security aspects of computing systems: a play is opaque whenever...
Article
On the one hand, modal specifications are classic, convenient, and expressive mathematical objects to represent interfaces of component-based systems. On the other hand, time is a crucial aspect of systems for practical applications, e.g. in the area of embedded systems. And yet, only few results exist on the design of timed component-based system...
Conference Paper
We investigate the complexity of preorder checking when the specification is a flat finite-state system whereas the implementation is either a non-flat finite-state system or a standard timed automaton. In both cases, we show that simulation checking is Exptime-hard, and for the case of a non-flat implementation, the result holds even if there is n...
Conference Paper
Full-text available
We present a sound and complete axiomatization of future event logic. Future event logic is a logic that generalizes a number of dynamic epistemic logics, using a new operator ▹ that acts as a quantifier over the set of all refinements of a given model. (A refinement is like a bisimulation except that from the three relational requirements only ‘at...
Conference Paper
Full-text available
We address the problem of alternating simulation refinement for concurrent timed games (TG). We show that checking timed alternating simulation between TG is EXPTIME-complete, and provide a logical characterization of this preorder in terms of a meaningful fragment of a new logic, TAMTL∗. TAMTL∗ is an action-based timed extension of standard altern...
Article
Full-text available
This article offers a novel perspective on the diagnosis of *-languages via a topological characterization of ω-languages. This allows for the different concepts that currently exist in diagnosis of discrete-event systems to be related to one another in a uniform setting and to study their complexity. For this purpose, we introduce the notion of pr...
Conference Paper
Full-text available
On the one hand, modal specifications are classic, convenient, and expressive mathematical objects to represent interfaces of component-based systems. On the other hand, time is a crucial aspect of systems for practical applications, e.g. in the area of embedded systems. And yet, only few results exist on the design of timed component-based systems...
Conference Paper
Full-text available
Partial observation of discrete-event systems features a setting where events split into observable and unobservable ones. In this context, the diagnosis of a discrete-event system consists in detecting defects from the (partial) observation of its executions. Diagnosability is the property that any defect is eventually detected. Not surprisingly,...
Conference Paper
Full-text available
We describe the class of games with opacity condition, as an adequate model for security aspects of computing systems. We study their theoretical properties, relate them to reachability perfect information games and exploit this relation to discuss a search approach with heuristics, based on the directing-word problem in automata theory.
Conference Paper
Full-text available
In the application domain of component-based system design, developing theories which support compositional reasoning is notoriously challenging. We define timed modal specifications, an automata-based formalism combining modal and timed aspects. As a stepping stone to compositional approaches of timed systems, we define the notions of refinem...
Conference Paper
Full-text available
RoCTL* was proposed to model robustness in concurrent systems. RoCTL* extended CTL* with the addition of Obligatory and Robustly operators, which quantify over failure-free paths and paths with one more failure respectively. Whether RoCTL* is more expressive than CTL* has remained an open problem since the RoCTL* logic was proposed. We use the...
Conference Paper
Full-text available
We analyse two basic approaches of extending classical logics with quantifiers interpreted via games: Propositional Game Logic of Parikh and Alternating-Time Temporal Logic of Alur, Henzinger, and Kupferman. Although the two approaches are historically remote and they incorporate operationally orthogonal paradigms, we trace the formalisms back to c...
Conference Paper
We propose a topological perspective on the diagnosis problem for discrete-event systems. In an infinitary framework, we argue that the construction of a centralized diagnoser is conditioned by two fundamental properties: saturation and openness. We show that these properties are decidable for omega-regular languages. Usually, openness is guarantee...
Article
Diagnosis problems of discrete-event systems consist in detecting unobservable defects during system execution. For finite-state systems, the theory is well understood and a number of effective solutions have been developed. For infinite-state systems, however, there are only few results, mostly identifying classes where the problem is undecidable....
Conference Paper
Full-text available
The emerging technology of interacting systems calls for new formalisms to ensure their reliability. Concurrent games are paradigmatic abstract models for which several logics have been studied. However, the existing formalisms show certain limitations in face of the range of strategy properties required to address intuitive situations. We pr...
Article
Full-text available
We propose a logical framework for the control theory of reactive systems modeled by discrete event systems. The logic is the conjunctive nu-calculus, an expressive fragment of the powerful mu-calculus. Conjunctive nu-calculus possesses an alternative presentation based on modal specifications, with simple graphical representations. We exploit moda...
Article
Full-text available
A list of technical reports, including some abstracts and copies of some full reports may be found at: http://cs.anu.edu.au/techreports/ Recent reports in this series: TR-CS-07-01 Samuel Chang and Peter Strazdins. A survey of how virtual
Chapter
When comparing concurrency semantics, one of the main difficulties is to find counter-examples to show that two equivalences do not coincide, which takes on considerable proportions if these equivalences coincide in the framework of finitely branching programs. The study of Ordinal Processes of Klop provides us with a wide family of simple counter-...
Article
Full-text available
We plunge decentralized control problems into modular ones to benefit from the know-how of modular control theory: any decentralized control problem is associated to a natural modular control problem, which over-approximates it. Then, we discuss how a solution of the latter problem delivers a solution of the former
Conference Paper
Full-text available
In this paper, we are interested in the diagnosis of discrete event systems modeled by finite transition systems. We propose a model of supervision patterns general enough to capture past occurrences of particular trajectories of the system. Modeling the diagnosis objective by a supervision pattern allows us to generalize the properties to be diagn...
Chapter
Full-text available
In this paper, we study preemption primitives in reactive languages such as Esterel and Signal (and its extension SignalGTi) in a common framework. This enables us to compare behavioural/structural expressive powers of different languages and gives an insight into the complementarity of different control and data-flow abstractions in the reactive...
Conference Paper
Full-text available
In this paper, we clarify the notion of architecture in decentralized control, in order to investigate the realizability problem: given a discrete-event system, a desired behavior and an architecture for a decentralized control, can the desired behavior be achieved by decentralized controllers in accordance with the given architecture? We consider...
Article
Combinatorial property testing, initiated formally by Goldreich, Goldwasser, and Ron (1998) and inspired by Rubinfeld and Sudan (1996), deals with the relaxation of decision problems. Given a property P the aim is to decide whether a given input satisfies ...
Conference Paper
The maximal permissivity property of controllers is an optimal criterion that is often taken for granted as the result of synthesis algorithms; the algorithms are designed for frameworks where the existence and the uniqueness of a maximal permissive controller is demonstrated apart, as it fulfills sufficient hypotheses; these algorithms precisely c...
Article
We answer a wide range of control problems for nondeterministic discrete-event systems, relying on recent works based on a second order logic approach for deterministic systems. We investigate a pair of transformations: the first transforms a nondeterministic system into a deterministic one with a new unobservable event; the second transforms logic...
Article
Full-text available
We present an extension of Badouel & Darondeau's results for unlabeled Petri net synthesis from regular languages. We study synthesis from families of languages defined through modal mu-calculus sentence formulas, which translate into modal specifications. A structural restriction makes this problem decidable. KEYWORDS: Petri nets, mu-ca...