2025Activity​​ reportProject-TeamPETRUS

5.1.1 PlugDB

• Keywords:​‌
  Databases, Personal information, Privacy,​​ Hardware and Software Platform​​​‌
• Functional Description:

  PlugDB is​ a full-fledged personal database​‌ server embedded in tamper-resistant​​ hardware. It acts as​​​‌ a digital safe within​ a personal device (box),​‌ to manage and protect​​ personal data. It has​​​‌ been designed to meet​ three major requirements:

  -​‌ Physical control of the​​ owner (e.g., a patient)​​​‌ on his personal data​ (e.g., healthcare data): the​‌ owner can decide on​​ his own that certain​​​‌ data are highly sensitive​ (e.g., incontinence, addiction, breakdown,​‌ end of life) and​​ must remain confined into​​​‌ the safe. Then, he​ physically controls who, when​‌ and for which purpose​​ these data are accessed​​​‌ and can ultimately unplug​ the box at will,​‌ providing him the same​​ control as with a​​​‌ paper folder.

  - Sovereignty​ over the data usages:​‌ the prescriber of the​​ solution (e.g., a public​​​‌ agent, an insurance company)​ acts as a data​‌ controller in the GDPR​​ sense. It is then​​​‌ guaranteed that only approved​ usages of the owner’s​‌ data will be permitted.​​ Thanks to PlugDB, only​​​‌ the algorithms embedded in​ the digital safe can​‌ access the raw data,​​ undergo the defined access​​​‌ control rules and export​ outside the box only​‌ the minimal relevant information.​​

  - Hardware security: decentralization​​​‌ is not synonym of​ higher security if class​‌ attacks (i.e., attacks than​​ can be reproduced in​​​‌ a large set of​ devices) can be conducted​‌ on all boxes. The​​ tamper-resistance of the box​​​‌ avoids class attacks by​ imposing the attacker to​‌ be in possession of​​ the box to physically​​​‌ break the hardware security.​ Hence, the ratio between​‌ the cost of an​​ attack (increased by the​​​‌ tamper-resistance) and its benefit​ (divided by the number​‌ of owners) is reversed​​ compared to a traditional​​​‌ cloud-based solution.

  To meet​ these requirements, PlugDB provides​‌ advanced capabilities to store​​ any forms of personal​​​‌ data (tuples, documents, images,​ sensor data, etc.), query​‌ them in a SQL-like​​ language, protect them against​​​‌ crashes and accidental losses,​ encrypt them to prevent​‌ spying, and share them​​ through a powerful access​​​‌ control policy mixing rules​ from both the prescriber​‌ and the owner. PlugDB​​ code is a bare​​​‌ metal project developed by​ Inria and UVSQ on​‌ an isolated hardware platform​​ consisting of a microcontroller,​​​‌ a TPM (Trusted Platform​ Module) providing the tamper-resistance​‌ and an eMMC storing​​ the encrypted data. This​​​‌ unique association of software​ and hardware makes PlugDB​‌ a Trusted Computing Base​​ for personal data.

  The​​​‌ code of PlugDB is​ organized in several components:​‌

  - Communication manager: this​​ component manages the communications​​​‌ with the outside and​ guarantees the security of​‌ the exchanges by means​​ of secure sessions similar​​ to a TLS protocol.​​​‌

  - Application services: this‌ component interprets the messages‌​‌ received by the communication​​ manager, calls the appropriate​​​‌ commands and sends back‌ an answer to the‌​‌ client. These commands are​​ grouped by services, notably​​​‌ the DB service linked‌ to the PlugDB database‌​‌ (object creation, insertion, deletion,​​ updates, queries and transaction),​​​‌ the NDBS service used‌ to manage objects stored‌​‌ outside the PlugDB database,​​ Scripts similar to stored​​​‌ procedures and a service‌ by which the embedded‌​‌ PlugDB firmware can be​​ upgraded.

  - ODBC: this​​​‌ component supplies an ODBC-like‌ interface for a subset‌​‌ of the PlugDB commands.​​

  - PlugDB engine: this​​​‌ component is the most‌ important (in size, complexity‌​‌ and functionality) of the​​ whole architecture. PlugDB engine​​​‌ is a full-fledged database‌ server allowing to store,‌​‌ index, query, and update​​ a variety of database​​​‌ objects (tuples, blobs, semi-structured‌ objects) while enforcing advanced‌​‌ access control rules and​​ guaranteeing the integrity of​​​‌ the database by means‌ of ACID transactions. The‌​‌ database footprint is protected​​ against malicious attacks thanks​​​‌ to data encryption.

  -‌ NDBS engine: this component‌​‌ enables the storing and​​ retrieval of simple objects​​​‌ outside the database scope,‌ that is directly in‌​‌ NAND Flash. Hence, they​​ do not benefit from​​​‌ the database functionalities but‌ their integrity and confidentiality‌​‌ remain protected by hashing​​ and encryption, both being​​​‌ optional.

  - Wrappers: this‌ component provides an abstraction‌​‌ layer on top of​​ the hardware platform, making​​​‌ the rest of the‌ architecture – as far‌​‌ as possible – independent​​ of the underlying microcontroller,​​​‌ NOR & NAND memories‌ and cryptographic libraries specificities.‌​‌

  - Trusted Root: This​​ component is built around​​​‌ a TPM (Trusted Platform‌ Module, that is a‌​‌ secure chip) providing strong​​ hardware security guarantees. The​​​‌ TPM is used to‌ store a set of‌​‌ secrets (e.g., the database​​ encryption key, the hash​​​‌ of the embedded code,‌ etc.) and to enforce‌​‌ a set of basic​​ mechanisms. The BOOT implements​​​‌ a secure boot with‌ the TPM help, so‌​‌ that the genuineness of​​ the embedded code is​​​‌ always guaranteed. Taken together,‌ these mechanisms make the‌​‌ whole PlugDB infrastructure a​​ Trusted Computing Base (TCB).​​​‌

  - Base: Base simply‌ groups a set of‌​‌ functions (e.g., error management,​​ logging mechanism, configuration constants)​​​‌ shared by all the‌ components of the architecture.‌​‌

  This infrastructure in turn​​ relies on a reduced​​​‌ set of services provided‌ by third parties, notably‌​‌ the ST drivers associated​​ to the underlying MCU​​​‌ and TPM. Note that‌ no operating system is‌​‌ used for security and​​ performance considerations, making PlugDB​​​‌ a bare metal programming‌ project.

  PlugDB comes with‌​‌ a set of tools​​ required to manage the​​​‌ database and perform non‌ regression tests and performance‌​‌ measurements.

  - QGen is​​ a compiler of database​​​‌ schemas and queries. It‌ takes as input two‌​‌ text files describing the​​ database meta-schema and the​​​‌ parameterized queries required to‌ run the application and‌​‌ translates them into internal​​ PlugDB data structures.

  -​​​‌ PyLoadStress is a data‌ generation platform designed to‌​‌ rigorously test and stress​​​‌ PlugDB. This Python-based tool​ allows to generate massive​‌ volumes of consistent data,​​ simulating real-world scenarios to​​​‌ evaluate the robustness and​ performance of the DBMS.​‌

  - PyPlugDB is a​​ Python client for interacting​​​‌ with the PlugDB server,​ acting as middleware to​‌ simplify server communications. Designed​​ for testing and continuous​​​‌ integration, it enables automated​ test execution and facilitates​‌ reproducible end-to-end tests. Though​​ essential for development, PyPlugDB​​​‌ is not built for​ production deployment.

• URL:
  https://­project.­inria.­fr/­plugdb/​‌
• Contact:
  Luc Bouganim
• Participants:​​
  Luc Bouganim, Philippe Pucheral,​​​‌ Laurent Schneider, Ludovic Javet,​ Ivan Krivokuca, Abdel-Malik Fofana​‌
• Partner:
  Université de Versailles​​ St-Quentin-en-Yvelines

OwnCare-2‌​‌ IILab (Jan 2022 -​​ Dec 2025)

- Partners:​​​‌ PETRUS, Domiserve

Participants: Luc‌ Bouganim, Ludovic Javet‌​‌, Philippe Pucheral [correspondent]​​, Laurent Schneider,​​​‌ Ivan Krivokuca.

The‌ OwnCare IILab – Inria‌​‌ Innovation Lab - (Jan​​ 2018-Dec 2021) aimed at​​​‌ conceiving a secured personal‌ medical folder facilitating the‌​‌ organization of medical and​​ social care provided at​​​‌ home to elderly people‌ and at deploying it‌​‌ in the field. This​​ IILab has been built​​​‌ in partnership with the‌ Hippocad company which won,‌​‌ in association with Inria​​ and UVSQ, a public​​​‌ call for tender launched‌ by the Yvelines district‌​‌ to deploy this medical​​ folder on the whole​​​‌ distinct (10.000 patients). This‌ solution, named DomYcile in‌​‌ the Yvelines district, is​​ based on a home​​​‌ box combining the PlugDB‌ hardware/software technology developed by‌​‌ the Petrus team (to​​ manage and secure the​​​‌ medical folder) and additional‌ technology developed by Hippocad.‌​‌ The primary result of​​ the OwnCare IILab has​​​‌ been to build a‌ concrete industrial solution based‌​‌ on PlugDB and deploy​​ it so far among​​​‌ 3000 patients in the‌ Yvelines district, despite the‌​‌ Covid pandemia. In 2022,​​ Hippocad has become a​​​‌ subsidiary of the La‌ Poste group opening new‌​‌ opportunities in terms of​​ deployment. Hence, Inria, UVSQ​​​‌ and Hippocad, now Domiserve‌ of La Poste Group,‌​‌ have launched a follow​​ up of the OwnCare​​​‌ IILab for the period‌ Jan 2022-Dec 2025. The‌​‌ goal of the OwnCare2​​ IILab is (1) to​​​‌ integrate our solution in‌ the MaSanté 2022 national‌​‌ roadmap by making it​​ interoperable with external services​​​‌ (without hurting the security‌ provided by the box),‌​‌ (2) to handle, in​​ a privacy-preserving way, new​​​‌ usages like actimetrics, teleassistance‌ and global statistics based‌​‌ on IoT techniques, machine​​ learning and decentralized computations​​​‌ and (3) try to‌ deploy it at the‌​‌ national/international level. In 2023,​​ a new district (Hauts​​​‌ de Seine) has decided‌ to deploy the DomYcile‌​‌ solution on its own​​ territory, leading to an​​​‌ extended partnership.

8.1.1 Scientific events: organisation​​

• Luc Bouganim: Co-organizer "École​​​‌ thématique BDA Masses de‌ Données Distribuées", Cargese (2026)‌​‌

8.1.2 Research administration

• Luc​​ Bouganim: PhD thesis referent​​​‌ for the Doctoral School‌ of Université Paris-Saclay
• Luc‌​‌ Bouganim: Comité de Suivi​​ Individuel (CSI), Anne Fenet,​​​‌ UVSQ.
• Luc Bouganim: Comité‌ de Suivi Individuel (CSI),‌​‌ Nassima Kaid, UVSQ.
• Philippe​​ Pucheral: Member of the​​​‌ Scientific Commission (CS) of‌ the ISN Graduate School‌​‌ of Université Paris-Saclay.

8.2.1 Supervision

• PhD in​‌ progress: Ali Ncibi, Secure​​ machine Learning on IOT​​​‌ traces for daily activity​ discovery, Inria, since March​‌ 2023, Luc Bouganim and​​ Philippe Pucheral.
• Luc Bouganim​​​‌ & Ludovic Javet: Supervision​ of Abdel-Malik Fofana (apprentice)​‌
• Luc Bouganim & Ludovic​​ Javet: Supervision of Ivan​​​‌ Krivokuca (apprentice)

8.2.2 Juries​

• Luc Bouganim: Reviewer of​‌ the HDR of Shaoyi​​ Yin (Université de Toulouse),​​​‌ march 2026.
• Philippe Pucheral:​ President of the PhD​‌ jury of Perla Hajjar​​ (UVSQ), december 2025.

International‌ journals

• 11 articleL.‌​‌Ludovic Javet, N.​​Nicolas Anciaux, L.​​​‌Luc Bouganim and P.‌Philippe Pucheral. Edgelet‌​‌ Computing: Enabling Privacy-Preserving Decentralized​​ Data Processing at the​​​‌ Network Edge.Personal‌ and Ubiquitous Computing29‌​‌February 2025, 45-75​​HALDOI

International peer-reviewed​​​‌ conferences

• 12 inproceedingsA.‌Ali Ncibi, L.‌​‌Luc Bouganim and P.​​Philippe Pucheral. (Demo)​​​‌ FlowAR: A Framework for‌ Data-Driven Development of Human‌​‌ Activity Recognition Systems using​​ Binary Sensors.2025​​​‌ 21st International Conference on‌ Distributed Computing in Smart‌​‌ Systems and the Internet​​ of Things (DCOSS-IoT)2025​​​‌ 21st International Conference on‌ Distributed Computing in Smart‌​‌ Systems and the Internet​​ of Things (DCOSS-IoT)Lucca,​​​‌ ItalyIEEEJune 2025‌, 286-288HALDOI‌​‌back to text
• 13​​ inproceedingsA.Ali Ncibi​​​‌. Towards Domain-Robust Activity‌ Recognition using Textual Representations‌​‌ of Binary Sensor Events​​.SCITEPRESSICAART 2026​​​‌ - 18th International Conference‌ on Agents and Artificial‌​‌ IntelligenceMarbella, SpainMarch​​ 2026HALback to​​​‌ text

National peer-reviewed Conferences‌

• 14 inproceedingsA.Ali‌​‌ Ncibi, L.Luc​​ Bouganim and P.Philippe​​​‌ Pucheral. FlowAR: une‌ plateforme uniformisée pour la‌​‌ reconnaissance des activités humaines​​ à partir de capteurs​​​‌ binaires.Editions RNTI‌EGC 2025 - Conférence‌​‌ Extraction et Gestion des​​ ConnaissancesRNTI-E41Strasbourg,​​​‌ FranceJanuary 2025,‌ pp.503-510HALback to‌​‌ text