Postdoc Positions - Sébastien Bardin

Postdoc Positions

Software verification, security

Keywords: formal methods, software verification, software security, symbolic execution, static analysis, constraint solving

The CEA LIST, Software Security Lab (LSL) is looking for candidates for several postdoc positions in the area of software verification, to begin as soon as possible at Paris-Saclay, France.

Host Institution

Within CEA LIST, LSL is a twenty-person team dedicated to software verification, with a strong focus on real-world applicability and industrial transfer. We design methods and tools that leverage innovative approaches to ensure that real-world systems can comply with the highest safety and security standards. CEA LIST's new offices are located at the heart of Campus Paris Saclay, in the largest European cluster of public and private research.

Quick position descriptions

All positions include theoretical research as well as prototyping (preferably in OCaml).

Constraint solving and decision procedures (with François Bobot): The aim of the SOPRANO project http://soprano-project.fr/ is to prepare the next generation of verification-oriented solvers, by combining principles from both Satisfiability Modulo Theory and Constraint Programming. Within this ambitious agenda, the successful candidate will investigate one of the following topics:

• model synthesis for quantified 1st-order logic formulas, with applications to counter-example generation and test generation;
• efficient satisfiability solving for still-challenging theories, such as bitvector theory and floating-point arithmetic theory [1]

Source-level software verification and testing (with Nikolai Kosmatov): Frama-C http://www.frama-c.com/ is an open-source industrial-strength code analysis platform developed at LSL. The recent plugin LTest http://micdel.fr/ltest.html builds on an innovative combination of static and dynamic analysis in order to bring powerful automated testing abilities to the platform. The successful candidate will contribute to improving the LTest plugin by working in one of the following directions:

• automatic detection of infeasible test objectives, through combination of static analyses [2]
• design of a (formal) language for specifying test objectives, and test automation through symbolic execution [3]

Binary-level security analysis: The BINSEC project http://binsec.gforge.inria.fr/ aims at developing formal methods for binary-level security analysis, lifting previous work developed for safety analysis of critical systems [4,5]. In this context, we are looking for a candidate willing to investigate the following challenges, and integrate them into an open-source platform [6]:

• smart fuzzing and exploitability analysis
• sound decompilation via static analysis

Context

Positions are up to 3 years long, to begin as soon as possible. The successful candidates will work in the CEA LIST's new offices, located at the heart of Campus Paris Saclay, in the largest European cluster of public and private research http://www.campus-paris-saclay.fr/en.

Requirements

Candidates should have a Ph.D. in Computer Science, or be near completion. They should be familiar with some of the following topics: formal verification - preferably software verification (static analysis, model checking, deductive verification, symbolic execution, etc.), logic and the use of solvers in a verification setting, semantics of programming languages, compilation techniques, specification languages, security analysis and knowledge of assembly languages (3rd subject), functional programming (OCaml).

Application

Applicants should send an email to Sébastien Bardin [email protected] - including a CV, a motivation letter and 2-3 recommendation letters, and (depending on the subject) to Nikolai Kosmatov or to François Bobot [email protected].

References

1. S. Bardin, P. Herrmann and F. Perroud. An Alternative to SAT-based Approaches for Bit-Vectors. In Proceedings of the 16th International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS 2010).
2. S. Bardin, N. Kosmatov and F. Cheynier. Efficient Leveraging of Symbolic Execution to Advanced Coverage Criteria. In Proceedings of the 7th IEEE International Conference on Software Testing, Verification, and Validation (ICST 2014).
3. S. Bardin, M. Delahaye, R. David, N. Kosmatov, M. Papadakis, Y. Le Traon, J.Y. Marion. Sound and Quasi-Complete Detection of Infeasible Test Requirements. In Proceedings of the 8th IEEE International Conference on Software Testing, Verification and Validation (ICST 2015).
4. S. Bardin and P. Herrmann. OSMOSE: Automatic Structural Testing of Executables. International Journal of Software Testing, Verification and Reliability (STVR): 21(1), pages 29-54, 2011.
5. S. Bardin, P. Herrmann and F. Védrine. Refinement-based CFG Reconstruction from Unstructured Programs. In Proceedings of the 12th International Conference on Verification, Model Checking and Abstract Interpretation (VMCAI 2011).
6. A. Djoudi, S. Bardin. BINSEC: Binary Code Analysis with Low-Level Regions. In Proceedings of the 21st International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS 2015).