# Sophie Pinchinat | IRISA - Institut de Recherche en Informatique et Systèmes Aléatoires | IRISA · Université de Rennes 1

Sophie Pinchinat

Full Professor

## About

Publications: 105 · Reads: 5,855 · Citations: 914 (since 2016)

## Publications


Security is a subject of increasing attention in today's society, in order to protect critical resources from information disclosure, theft or damage. The informal model of attack trees introduced by Schneier, and widespread in industry, is advocated in the 2008 NATO report to govern the evaluation of the threat in risk analysis. Attack-defen...

We introduce the formula-synthesis problem for Propositional Dynamic Logic with Shuffle (PDL||). This problem, which generalises the model-checking problem against PDL||, is the following: given a finite transition system and a regular term-grammar that generates (possibly infinitely many) PDL|| formulas, find a formula generated by the grammar...

Dynamic Epistemic Logic (DEL) is a logic that models information change in a multi-agent setting through the use of action models with pre- and post-conditions. In a recent work, DEL has been extended to first-order epistemic logic (DFOEL), with a proof that the resulting Epistemic Planning Problem is decidable, as long as action models pre- and po...

We study alternating automata with qualitative semantics over infinite binary trees: Alternation means that two opposing players construct a decoration of the input tree called a run, and the qualitative semantics says that a run of the automaton is accepting if almost all branches of the run are accepting. In this article, we prove a positive and...

We consider attack trees that can contain OR-, AND- and SAND-nodes. Relying on a formal notion of library inspired from context-free grammars, we introduce a generic attack tree synthesis problem that takes such a library and a trace as inputs. We show that this synthesis problem is NP-complete. The NP membership relies on an involved adaptation of...

Action models of Dynamic Epistemic Logic (DEL) represent precisely how actions are perceived by agents. DEL has recently been used to define infinite multi-player games, and it was shown that they can be solved in some cases. However, the dynamics being defined by the classic DEL update product for individual actions, only turn-based games have bee...

Epistemic planning can be used for decision making in multi-agent systems with distributed knowledge and capabilities. Dynamic Epistemic Logic (DEL) has been shown to provide a very natural and expressive framework for epistemic planning. In this paper, we present a systematic overview of known complexity and decidability results for epistemic plan...

We study alternating automata with qualitative semantics over infinite binary trees: alternation means that two opposing players construct a decoration of the input tree called a run, and the qualitative semantics says that a run of the automaton is accepting if almost all branches of the run are accepting. In this paper we prove a positive and a n...

Dynamic Epistemic Logic (DEL) is a logical framework in which one can describe in great detail how actions are perceived by the agents, and how they affect the world. DEL games were recently introduced as a way to define classes of games with imperfect information where the actions available to the players are described very precisely. This framewo...

We study the symbolic model checking problem against public announcement protocol logic (PAPL), featuring protocols with public announcements, arbitrary public announcements and group announcements. Technically, symbolic models are Kripke models whose accessibility relations are presented as programs described in a dynamic logic style with proposit...

Attack trees are widely used for security modeling and risk analysis. Classically, an attack tree combines possible actions of the attacker into attacks. In most existing approaches, an attack tree represents generic ways of attacking a system, but without taking any specific system or its configuration into account. This means that such a generic...

Attack trees are a well established and commonly used framework for security modeling. They provide a readable and structured representation of possible attacks against a system to protect. Their hierarchical structure reveals common features of the attacks and enables quantitative evaluation of security, thus highlighting the most severe vulnerabi...

We define reachability games based on Dynamic Epistemic Logic (DEL), where the players' actions are finely described as DEL action models. We first consider the setting where a controller with perfect information interacts with an environment and aims at reaching some desired state of knowledge regarding the observers of the system. We study the pr...

We introduce a new decision problem, called Packed Interval Covering (PIC) and show that it is NP-complete.

We define reachability games based on Dynamic Epistemic Logic (DEL), where the players' actions are finely described as DEL action models. We first consider the setting where an external controller with perfect information interacts with an environment and aims at reaching some epistemic goal state regarding the passive agents of the system. We stu...

We define and study the decision problem of the non-emptiness of an attack tree. This decision problem reflects the natural question of knowing whether some attack scenario described by the tree can be realized in (a given model of) the system to defend. We establish accurate complexity bounds, ranging from [complexity class not recovered]-completeness fo...

We revisit Janin and Walukiewicz’s classic result on the expressive completeness of the modal mu-calculus with respect to Monadic Second Order Logic (MSO), which is where the mu-calculus corresponds precisely to the fragment of MSO that is invariant under bisimulation. We show that adding binary relations over finite paths in the picture may alter...

Epistemic planning extends classical planning with knowledge and is based on dynamic epistemic logic (DEL). The epistemic planning problem is undecidable in general. We exhibit a small undecidable subclass of epistemic planning over 2-agent S5 models with a fixed repertoire of one action, 6 propositions and a fixed goal. We furthermore consider a v...

In this paper, we investigate the model checking problem of symbolic models against epistemic logic with arbitrary public announcements and group announcements. We reduce this problem to the satisfiability of Monadic Monadic Second Order Logic (MMSO), the fragment of monadic second-order logic restricted to monadic predicates. In particular, for th...

Attack trees are a popular way to represent and evaluate potential security threats on systems or infrastructures. The goal of this work is to provide a framework allowing to express and check whether an attack tree is consistent with the analyzed system. We model real systems using transition systems and introduce attack trees with formally specif...


A property (of an object) is opaque to an observer when he or she cannot deduce the property from its set of observations. If each observer is attached to a given set of properties (the so-called secrets), then the system is said to be opaque if each secret is opaque to the corresponding observer. We study in this paper, the complexity of opacity a...

We formally define three notions of soundness of an attack tree w.r.t. the system it refers to: admissibility, consistency, and completeness. The system is modeled as a labeled transition system and the attack is provided with semantics in terms of paths of the transition system. We show complexity results on the three notions of soundness, and the...

Attack trees are widely considered in the fields of security for the analysis of risks (or threats) against electronics, computer control, or physical systems. A major barrier is that attack trees can become largely complex and thus hard to specify. This paper presents ATSyRA, a tooling environment to automatically synthesize attack trees of a syst...

In this work we consider simple extensive-form games with two players, Player A and Player B, where Player B can make announcements about his strategy. Player A has then to revise her preferences about her strategies, so as to better respond to the strategy she believes Player B will play. We propose a generic framework that combines methods and te...

This paper compares the recently proposed Robust Full Computational Tree Logic (RoCTL∗) to model robustness in concurrent systems with other computational tree logic (CTL∗)-based logics. RoCTL∗ extends CTL∗ with the addition of the operators Obligatory and Robustly, which quantify over failure-free paths and paths with one more failure respectively...

We revisit Janin and Walukiewicz's classic result on the expressive completeness of the modal mu-calculus w.r.t. MSO, when transition systems are equipped with a binary relation over paths. We obtain two natural extensions of MSO and the mu-calculus: MSO with path relation and the jumping mu-calculus. While "bounded-memory" binary relations bring a...

A general concept of uniform strategies has recently been proposed as a relevant notion in game theory for computer science, which subsumes various notions from the literature. It relies on properties involving sets of plays in two-player turn-based arenas equipped with arbitrary binary relations between plays; these properties are expressed in a l...

In the literature, two powerful temporal logic formalisms have been proposed for expressing information flow security requirements that, in general, go beyond regular properties. One is classic, based on the knowledge modalities of epistemic logic. The other one, the so-called hyper logic, is more recent and subsumes many proposals from the literat...

Attack trees are widely used in the fields of defense for the analysis of risks (or threats) against electronics systems, computer control systems or physical systems. Based on the analysis of attack trees, practitioners can define actions to engage in order to reduce or annihilate risks. A major barrier to support computer-aided risk analysis is t...

While the $\mu$-calculus notoriously subsumes Alternating-time Temporal Logic (ATL), we show that the epistemic $\mu$-calculus does not subsume ATL with imperfect information (ATL$_i$) for the synchronous perfect-recall semantics. To prove this we first establish that jumping parity tree automata (JTA), a recently introduced extension of alternatin...

The analysis of discrete event systems under partial observation is an important topic, with major applications such as the detection of information flow and the diagnosis of faulty behaviors. These questions have, mostly, not been addressed for classical models of recursive systems, such as pushdown systems and recursive state machines. In this pa...

In this work we aim at applying automata techniques to problems studied in Dynamic Epistemic Logic, such as epistemic planning. To do so, we first remark that repeatedly executing ad infinitum a propositional event model from an initial epistemic model yields a relational structure that can be finitely represented with automata. This correspondence...


We consider two-player turn-based game arenas for which we investigate uniformity properties of strategies. These properties involve sets of plays in order to express useful constraints on strategies that are not μ-calculus definable. Typically, we can represent constraints on allowed strategies, such as being observation-based. We propose a formal...

This paper proposes a new logic RoCTL* to model robustness in concurrent systems. RoCTL* extends CTL* with the addition of Obligatory and Robustly operators, which quantify over failure-free paths and paths with one more failure respectively. We present a number of examples of problems to which RoCTL* can be applied. The core result of this paper i...

We investigate the complexity of satisfiability for one-agent refinement modal logic (RML), an extension of basic modal logic (ML) obtained by adding refinement quantifiers on structures. RML is known to have the same expressiveness as ML, but the translation of RML into ML is of nonelementary complexity, and RML is at least doubly exponentially mo...

http://drops.dagstuhl.de/opus/volltexte/2013/4174/

We investigate uniformity properties of strategies. These properties involve sets of plays in order to express useful constraints on strategies that are not \mu-calculus definable. Typically, we can state that a strategy is observation-based. We propose a formal language to specify uniformity properties, interpreted over two-player turn-based arena...

We consider turn-based game arenas for which we investigate uniformity properties of strategies. These properties involve bundles of plays, that arise from some semantical motive. Typically, we can represent constraints on allowed strategies, such as being observation-based. We propose a formal language to specify uniformity properties and demonstr...

The analysis of discrete event systems under partial observation is an important topic, with major applications such as the detection of information flow and the diagnosis of faulty behaviors. We consider recursive tile systems, which are infinite systems generated by a finite collection of finite tiles, a simplified variant of deterministic graph...

We investigate the complexity of satisfiability for one-agent Refinement Modal Logic (RML), a known extension of basic modal logic (ML) obtained by adding refinement quantifiers on structures. It is known that RML has the same expressiveness as ML, but the translati...

We consider the emptiness problem for alternating tree automata, with two acceptance semantics: classical (all branches are accepted) and qualitative (almost all branches are accepted). For the classical semantics, the usual technique to tackle this problem relies on a Simulation Theorem which constructs an equivalent non-deterministic automaton fr...

In this paper we present refinement modal logic. A refinement is like a bisimulation, except that from the three relational requirements only 'atoms' and 'back' need to be satisfied. Our logic contains a new operator 'forall' in addition to the standard modalities 'Box' for each agent. The operator 'forall' acts as a quantifier over the set of al...

We investigate verification problems for gap-order constraint systems (GCS), an (infinitely-branching) abstract model of counter machines, in which constraints (over ℤ) between the variables of the source state and the target state of a transition are gap-order constraints (GC) [32]. GCS extend monotonicity constraint systems [7], integral...

We study in depth the class of games with opacity condition, which are two-player games with imperfect information in which one of the players only has imperfect information, and where the winning condition relies on the information he has along the play. Those games are relevant for security aspects of computing systems: a play is opaque whenever...

On the one hand, modal specifications are classic, convenient, and expressive mathematical objects to represent interfaces of component-based systems. On the other hand, time is a crucial aspect of systems for practical applications, e.g. in the area of embedded systems. And yet, only few results exist on the design of timed component-based system...

We investigate the complexity of preorder checking when the specification is a flat finite-state system whereas the implementation is either a non-flat finite-state system or a standard timed automaton. In both cases, we show that simulation checking is Exptime-hard, and for the case of a non-flat implementation, the result holds even if there is n...

We present a sound and complete axiomatization of future event logic. Future event logic is a logic that generalizes a number of dynamic epistemic logics, using a new operator ▹ that acts as a quantifier over the set of all refinements of a given model. (A refinement is like a bisimulation except that from the three relational requirements only ‘at...

We address the problem of alternating simulation refinement for concurrent timed games (TG). We show that checking timed alternating simulation between TG is EXPTIME-complete, and provide a logical characterization of this preorder in terms of a meaningful fragment of a new logic, TAMTL∗. TAMTL∗ is an action-based timed extension of standard altern...

This article offers a novel perspective on the diagnosis of *-languages via a topological characterization of ω-languages. This allows for the different concepts that currently exist in diagnosis of discrete-event systems to be related to one another in a uniform setting and to study their complexity. For this purpose, we introduce the notion of pr...

On the one hand, modal specifications are classic, convenient, and expressive mathematical objects to represent interfaces of component-based systems. On the other hand, time is a crucial aspect of systems for practical applications, e.g. in the area of embedded systems. And yet, only few results exist on the design of timed component-based systems...

Partial observation of discrete-event systems features a setting where events split into observable and unobservable ones. In this context, the diagnosis of a discrete-event system consists in detecting defects from the (partial) observation of its executions. Diagnosability is the property that any defect is eventually detected. Not surprisingly,...

We describe the class of games with opacity condition, as an adequate model for security aspects of computing systems. We study their theoretical properties, relate them to reachability perfect information games and exploit this relation to discuss a search approach with heuristics, based on the directing-word problem in automata theory.

In the application domain of component-based system design, developing theories which support compositional reasoning is notoriously challenging. We define timed modal specifications, an automata-based formalism combining modal and timed aspects. As a stepping stone to compositional approaches of timed systems, we define the notions of refinem...

RoCTL* was proposed to model robustness in concurrent systems. RoCTL* extended CTL* with the addition of Obligatory and Robustly operators, which quantify over failure-free paths and paths with one more failure respectively. Whether RoCTL* is more expressive than CTL* has remained an open problem since the RoCTL* logic was proposed. We use the...

We analyse two basic approaches of extending classical logics with quantifiers interpreted via games: Propositional Game Logic of Parikh and Alternating-Time Temporal Logic of Alur, Henzinger, and Kupferman. Although the two approaches are historically remote and they incorporate operationally orthogonal paradigms, we trace the formalisms back to c...

We propose a topological perspective on the diagnosis problem for discrete-event systems. In an infinitary framework, we argue that the construction of a centralized diagnoser is conditioned by two fundamental properties: saturation and openness. We show that these properties are decidable for omega-regular languages. Usually, openness is guarantee...

Diagnosis problems of discrete-event systems consist in detecting unobservable defects during system execution. For finite-state systems, the theory is well understood and a number of effective solutions have been developed. For infinite-state systems, however, there are only few results, mostly identifying classes where the problem is undecidable....

The emerging technology of interacting systems calls for new formalisms to ensure their reliability. Concurrent games are paradigmatic abstract models for which several logics have been studied. However, the existing formalisms show certain limitations in face of the range of strategy properties required to address intuitive situations. We pr...

We propose a logical framework for the control theory of reactive systems modeled by discrete event systems. The logic is the conjunctive nu-calculus, an expressive fragment of the powerful mu-calculus. Conjunctive nu-calculus possesses an alternative presentation based on modal specifications, with simple graphical representations. We exploit moda...


When comparing concurrency semantics, one of the main difficulties is to find counter-examples to show that two equivalences do not coincide, which takes on considerable proportions if these equivalences coincide in the framework of finitely branching programs. The study of Ordinal Processes of Klop provides us with a wide family of simple counter-...

We plunge decentralized control problems into modular ones to benefit from the know-how of modular control theory: any decentralized control problem is associated to a natural modular control problem, which over-approximates it. Then, we discuss how a solution of the latter problem delivers a solution of the former.

In this paper, we are interested in the diagnosis of discrete event systems modeled by finite transition systems. We propose a model of supervision patterns general enough to capture past occurrences of particular trajectories of the system. Modeling the diagnosis objective by a supervision pattern allows us to generalize the properties to be diagn...

In this paper, we study preemption primitives in reactive languages such as Esterel and Signal (and its extension Signal GTi) in a common framework. This enables us to compare behavioural/structural expressive powers of different languages and gives an insight into the complementarity of different control and data-flow abstractions in the reactive...

In this paper, we clarify the notion of architecture in decentralized control, in order to investigate the realizability problem: given a discrete-event system, a desired behavior and an architecture for a decentralized control, can the desired behavior be achieved by decentralized controllers in accordance with the given architecture? We consider...

Combinatorial property testing, initiated formally by Goldreich, Goldwasser, and Ron (1998) and inspired by Rubinfeld and Sudan (1996), deals with the relaxation of decision problems. Given a property P the aim is to decide whether a given input satisfies ...

The maximal permissivity property of controllers is an optimal criterion that is often taken for granted as the result of synthesis algorithms; the algorithms are designed for frameworks where the existence and the uniqueness of a maximal permissive controller is demonstrated apart, as it fulfills sufficient hypotheses; these algorithms precisely c...

We answer a wide range of control problems for nondeterministic discrete-event systems, relying on recent works based on a second order logic approach for deterministic systems. We investigate a pair of transformations: the first transforms a nondeterministic system into a deterministic one with a new unobservable event; the second transforms logic...

We present an extension of Badouel & Darondeau's results for unlabeled Petri net synthesis from regular languages. We study synthesis from families of languages defined through modal mu-calculus sentence formulas, which translate into modal specifications. A structural restriction makes this problem decidable. KEYWORDS: Petri nets, mu-ca...