Abstract: The invention relates to an embedded system (1) comprising a processor (2) operated by means of a kernel (3) executable by said processor, a hardware peripheral (8, 9), a memory (5) and an application-related software program (6) recorded in said memory (5), said application-related software program (6) being executed by means of said kernel (3) executable by said processor (2), as well as a securing method. The invention is characterized in that the kernel (3) executable by said processor (2) controls said hardware peripheral (8, 9), obliges said application-related software program (6) to execute a policy, which is neither defined nor controlled by said program, for controlling access to said communication peripheral (8, 9), and is formally proven to satisfy at least one security property.

Abstract: A secure cloud computing architecture including: a first data management and/or computer program execution space (A) in which the data management or program execution is controlled by a user; and a second data management and/or computer program execution space (B) in which the data management or program execution is controlled by a third-party operator, first security policies (PSA) applied to the data or execution of programs in the first execution space (A); second security policies (PSB) applied to the data or execution of programs in the second execution space (B); a security property (P) expected by the user, compliance with the first and second security policies guaranteeing a data management and/or computer program execution in accordance with this property (P); and a trusted computing base (TCB) guaranteeing, in the absence of a violation, the application of the second security policies (PSB) in the management of the data and/or execution of the programs in the second execution space (B).

Abstract: Some embodiments are directed to a method for peering between first and second modules each installed in a different device, the device of the first module includes a human-machine interface, and the two devices can be linked by an unsecure communication channel. The method can include: receiving via the human-machine interface a command setting the device of the first module in operating mode so the first module takes control of a part of the communication means of the first device in order to set them in a secure operating mode and takes control of the human-machine interface; establishing a temporarily secure communication between first and second modules; displaying on the human-machine interface a status signaling the set-up of the secure communication; receiving via the human-machine interface a peering acceptance command; and exchanging of keys/secrets between the modules through the temporarily secure communication channel to perform the peering.

Abstract: A secure terminal, particularly for protecting smartphones or tablets, includes: a display system including a screen and a graphical component for carrying out commands to display visual data on the screen; a central processing unit for carrying out executable program instructions and sending display commands to the display system; and a communication device connecting the central processing unit to the display system; a security processor for securely interpreting and/or processing display commands of secure visual data on the screen; a communication device connecting the security processor to the display system; and a means for visual recognition, by a user of the terminal, of a secure mode for displaying the secure visual data, which is displayed on the screen when the secure visual data is displayed, and is controlled by the security processor.

Abstract: The invention relates to an embedded system (1) comprising a processor (2) operated by means of a kernel (3) executable by said processor, a hardware peripheral (8, 9), a memory (5) and an application-related software program (6) recorded in said memory (5), said application-related software program (6) being executed by means of said kernel (3) executable by said processor (2), as well as a securing method. The invention is characterized in that the kernel (3) executable by said processor (2) controls said hardware peripheral (8, 9), obliges said application-related software program (6) to execute a policy, which is neither defined nor controlled by said program, for controlling access to said communication peripheral (8, 9), and is formally proven to satisfy at least one security property.

Abstract: A method for securing a first program, the first program including a finite number of program points and evolution rules associated to program points and defining the passage of a program point to another, the method including defining a plurality of exit cases and, when a second program is used in the definition of the first program, for each exit case, definition of a branching toward a specific program point of the first program or a declaration of branching impossibility, defining a set of properties to be proven, each associated with one of the constitutive elements of the first program, said set of properties comprising the branching impossibility as a particular property and establishment of the formal proof of the set of properties.

Abstract: Some embodiments are directed to a method for peering between first and second modules each installed in a different device, the device of the first module includes a human-machine interface, and the two devices can be linked by an unsecure communication channel. The method can include: receiving via the human-machine interface a command setting the device of the first module in operating mode so the first module takes control of a part of the communication means of the first device in order to set them in a secure operating mode and takes control of the human-machine interface; establishing a temporarily secure communication between first and second modules; displaying on the human-machine interface a status signaling the set-up of the secure communication; receiving via the human-machine interface a peering acceptance command; and exchanging of keys/secrets between the modules through the temporarily secure communication channel to perform the peering.

Abstract: A secure terminal, particularly for protecting smartphones or tablets, includes: a display system (5) including a screen (2) and a graphical component (6) for carrying out commands to display visual data on the screen (2); a central processing unit (8) for carrying out executable program instructions and sending display commands to the display system (5); and a communication device (9-1) connecting the central processing unit (8) to the display system (5); a security processor (10) for securely interpreting and/or processing display commands of secure visual data on the screen (2); a communication device (9-2) connecting the security processor (10) to the display system (5); and a means (11) for visual recognition, by a user of the terminal (1), of a secure mode for displaying the secure visual data, which is displayed on the screen (2) when the secure visual data is displayed, and is controlled by the security processor (10).

Abstract: A method for securing a first program, the first program including a finite number of program points and evolution rules associated to program points and defining the passage of a program point to another, the method including defining a plurality of exit cases and, when a second program is used in the definition of the first program, for each exit case, definition of a branching toward a specific program point of the first program or a declaration of branching impossibility, defining a set of properties to be proven, each associated with one of the constitutive elements of the first program, said set of properties comprising the branching impossibility as a particular property and establishment of the formal proof of the set of properties.

Abstract: A method for securing a first program, the first program including a finite number of program points and evolution rules associated to program points and defining the passage of a program point to another, the method including defining a plurality of exit cases and, when a second program is used in the definition of the first program, for each exit case, definition of a branching toward a specific program point of the first program or a declaration of branching impossibility, defining a set of properties to be proven, each associated with one of the constitutive elements of the first program, said set of properties comprising the branching impossibility as a particular property and establishment of the formal proof of the set of properties.

Abstract: A method for securing a first program with a second program, a third program and a fourth program, each program comprising constitutive elements having a finite number of program points and evolution rules associated with the program points and defining the passage from one program point to another program point, and each program comprising a definition of a set of properties each property being associated with one or more of the constitutive elements of the program. The fourth program constructed by defining at least one relation between at least one constitutive element of the second program and at least one constitutive element of the third program, said relation being named a correspondence relation, and at least one property of the third program being proven, propagate the proof of said property to at least one property of the first program by exploitation of the correspondence relation.

Abstract: A method for securing a first program with a second program, a third program and a fourth program, each program comprising constitutive elements having a finite number of program points and evolution rules associated with the program points and defining the passage from one program point to another program point, and each program comprising a definition of a set of properties each property being associated with one or more of the constitutive elements of the program. The fourth program constructed by defining at least one relation between at least one constitutive element of the second program and at least one constitutive element of the third program, said relation being named a correspondence relation, and at least one property of the third program being proven, propagate the proof of said property to at least one property of the first program by exploitation of the correspondence relation.

Abstract: A method for securing a first program, the first program including a finite number of program points and evolution rules associated to program points and defining the passage of a program point to another, the method including defining a plurality of exit cases and, when a second program is used in the definition of the first program, for each exit case, definition of a branching toward a specific program point of the first program or a declaration of branching impossibility, defining a set of properties to be proven, each associated with one of the constitutive elements of the first program, said set of properties comprising the branching impossibility as a particular property and establishment of the formal proof of the set of properties.

Abstract: According to the inventive method, the chip card, a counting function (FC), a counter (Cpt) and a private key (Cf) stored in the write-only part of the memory region are stored in a persistent memory, the counter and the private key (Cf) being accessible only by the counting function (FC). When the chip card receives a counter request emitted by an requesting entity (ER), the counting function (FC) performs a modification of the counter (Cpt) and a calculation of a signature, and sends a response to the applicant entity (ER). When the on-board system receives the response to the counter request, the signature contained in the response is checked.

Abstract: The inventive method for controlling a program execution integrity by verifying execution trace prints consists in updating the representative print of an execution path and/or data applied for a program execution, comparing the actual print value (dynamically calculated to an expected value (statistically fixed, equal to a value of the print if the program execution is not disturbed) at a determined program spots and in carrying out a particular processing by the program when the actual print differs from the expected value.

Abstract: The inventive method for controlling a program execution integrity by verifying execution trace prints consists in updating the representative print of an execution path and/or data applied for a program execution, comparing the actual print value (dynamically calculated to an expected value (statistically fixed, equal to a value of the print if the program execution is not disturbed) at a determined program spots and in carrying out a particular processing by the program when the actual print differs from the expected value.

Abstract: According to the inventive method, the chip card, a counting function (FC), a counter (Cpt) and a private key (Cf) stored in the write-only part of the memory region are stored in a persistent memory, the counter and the private key (Cf) being accessible only by the counting function (FC). When the chip card receives a counter request emitted by an requesting entity (ER), the counting function (FC) performs a modification of the counter (Cpt) and a calculation of a signature, and sends a response to the applicant entity (ER). When the on-board system receives the response to the counter request, the signature contained in the response is checked.