**********************************************
Interview with Eric Filiol by Second Part To Hell
**********************************************

Eric Filiol, born in 1962 in France, is scientific director of the Operational Cryptology and Virology lab (ESIEA, France). He is scientific director of EICAR as well as program chair of the EICAR conference. Furthermore, he is editor-in-chief of the research journal Journal in Computer Virology (Springer). He holds a PhD in applied mathematics and computer science. Among other positions, he worked as a "military cryptanalyst" and as "head scientist officer and scientific director of the virology and cryptology lab" at a French military academy. His research covers several topics in information security, including computer virology. Among other things, he mathematically characterizes (known and unknown) viral techniques, which has led to remarkable results on k-ary viruses, undecidable metamorphic mutation grammars, tau-obfuscation and many others.

You can find Eric's homepage at https://sites.google.com/site/ericfiliol/ and contact him via ffiliol@gmail.com.

The interview was done in two sessions in September/October 2012 via e-mail. Have fun :)

##############################
## Hello Eric, thanks a lot for agreeing to answer a few questions! I'm sure
## this will be interesting! First let's start with some private questions -
## please talk a bit about yourself! What are your hobbies? What kind of music
## do you listen to? How do you spend your free time?

Well, not an easy task. In fact I have a scientific background in mathematics and information security engineering (engineering diploma, PhD and Habilitation thesis). I have spent 22 years in the French Army (French Marine Corps / Infantry), first as a platoon and company leader, then as a mathematical/IT security expert (I am also a NATO graduate in Information Operations).
I am now heading the R&D department of ESIEA, a French group of engineering schools, as well as the Operational Cryptology and Computer Virology Research Lab. From a private point of view, I am married with a 16-year-old son, and my main hobbies, aside from programming and mathematics, are running (marathon and half marathon), playing bass guitar, reading and motorcycling. Music indeed is very important in my life and I like any kind of music provided that it is good music. But jazz, blues, rock and electro are my favorite kinds of music. The three recent albums I love: Neil Cowley Trio (The Face of Mount Molehill), the last Dead Can Dance and Paul Kalkbrenner (Icke Wieder). Three favorite films: Fight Club, A River Runs Through It, The Deer Hunter.

##############################
## Please explain how you came to this unusual topic of research. When did you
## have your first contact with computers? When did you start coding? What did
## you do before you started working on cryptology and virology? How did you
## get your first employment in this field as a military cryptanalyst in 1991?

In fact I work in cyber attack with application to cyber defense. To me it is a deep conceptual stupidity to imagine defending systems if you are not able to attack them, or at least to understand how they could be attacked. It does not mean that we actually do attack, but all my research is conceptually (from theory to applications) driven by the attacker's perspective. My first contact with a computer was in 1981 with the mythical Apple IIe. I was programming in Pascal and of course in assembly language. Before starting with cryptology and virology, I was first a student in mathematics and then an infantryman (even if I never stopped coding and learning mathematics). My first employment as a military cryptanalyst came naturally.
In fact after several years as an infantryman (lieutenant and then captain) you have to choose which career you wish to follow: either going on with infantry regiment positions (but I was a little bit too old) or becoming a military expert in a technical field. I had more diplomas than the average (damned!) and so the military staff decided that it would be a waste to stay in a regiment while there were many other areas of expertise where my mathematical background would be useful. I do not regret this choice since I joined the intelligence domain and did very exciting things. Moreover I think that I did far more operational stuff than any of my colleagues ever did while staying in a regiment.

##############################
## Since the 1990s you have been working as a cryptanalyst and researcher in
## computer virology for the military and for the government, including
## applications to cyberwar. This sounds like a fascinating job! Could you
## please explain what you are working on exactly? What are the goals of your
## research and how is it related to cyberwar? Is most of your work
## confidential or do you publish all of your findings in scientific journals
## and conferences?

Computer virology and cryptanalysis are just techniques and tools. Cyber war is the art of using those tools (along with many others, like conventional weaponry, in a combined perspective) while conducting a general war maneuver. Most people forget that there is a huge difference between having a powerful malware and using it in the most clever and efficient way. This is why (see further) I consider that Stuxnet and its later avatars are amateur work. To be more illustrative: you can have the most powerful guns, but if you do not know how to use them, if you are unable to organize your troops in order to use those guns efficiently, you will fail.
Part of my research consists precisely in building operational scenarios (thinking like a potential attacker, or like a digital infantryman if you prefer), testing them on a simulator, analyzing real attacks, and modeling general attack frameworks (what the military call doctrine, tactical schemes). Most of the concepts are of course inherited from military doctrine (remember that I am a NATO graduate in information operations) but I also use mathematical concepts (combinatorics, probability theory, statistics...). I have published the general theory (while operational frameworks are also described) at BruCON 2009 and in a chapter of the book Cyberwar and Information Warfare published by Wiley. This chapter contains a few realistic scenarios (drawn from operational reality). I have published another scenario at ECIW 2009. Of course, most of this research has to remain unpublished.

##############################
## About two years ago, Stuxnet appeared and marked the first big publicly-
## known cyber-attack of a government. Later Duqu, Flame and Gauss were
## discovered. What do you think about these cyber weapons? Do you know of
## earlier cyber-weapons used by governments? Were you surprised about attacks
## of this type and this code's complexity? How are these cases related to
## your research in cyber-defense?

Well, I am strongly puzzled about Stuxnet and its later avatars. I think that most of this is a huge buzz organized by Kaspersky. First, Gauss is a classical malware that just spies on specific data (financial data). The technology inside is not significantly different from that of very nice oldies from the 80s and 90s. Stuxnet is a little bit different, but from a code point of view the Aurora codes were similar, except for the number of simultaneous 0-days used and of course for the stolen cryptographic certificates. In fact the success of Stuxnet comes from that: being able to look like a legitimate resource.
Duqu (and the very comic buzz around an allegedly unknown programming language, by Kaspersky, who seem to ignore what a formal language is) is a pity. Lastly, Flame is a media scandal. The Whale and Dark Paranoid malware were very similar and probably far better designed and implemented. For me those malware are not cyber weapons (or the "military" authors have to change to another job). I cannot believe that the US or Israeli armies would make such huge mistakes. A military-purpose malware has to be stealthy, efficient and very targeted. In fact you will never learn about it and you will never detect it. You do not leave evidence (or alleged evidence, like in the Stuxnet code) that can identify you as the malware author or user. Unless intelligence services intend to send a message. In this case it would be a technical, strategic and operational error, since now all rogue countries are aware and are prepared. In fact cyberweapons have already been used for a while by governments in a more clever way. This began directly in the 80s but no one except a limited number of experts in the domain has ever heard about them. Secrecy is a mandatory aspect (which includes not being detected) if you want to gain a tactical and strategic advantage. And of course if you want to replay attacks. I have analyzed two real, very sophisticated attacks which very likely came from foreign intelligence services (the last in 2004). The code was discovered because we supposed that the leak of secret data could be explained by the use of spying malware. We found it on three computers of a very sensitive company. They had been installed for months and never detected by any user or AV software. The analysis clearly proved that the crypto was of governmental nature, as well as the operational management of the malware. We never managed to identify the author and the users. Here we have true cyberweapons.
To conclude with the question, part of my research is precisely to design this kind of malware in a context of cyberwar. But to be honest I have been more inspired by clever and marvelous virus writers (29A especially) than by Stuxnet or other avatars. Militaries and governments need to have 0-days (recall the recent buzz coming from the Grugq and Vupen about 0-day trading), which is a limited view. In my own research I am interested in malware that do not rely on 0-days or any other vulnerability except those of the users. Using 0-days is easy, not to say technical laziness. But it is operationally limited and has only a limited lifetime. 0-days can and will be patched sooner or later, not users: there is no patch for users!

##############################
## In some of your presentations and papers you mention that malware detection
## is undecidable (which has been proven by Fred Cohen already in the 1980s).
## Yet people from the anti-virus community claim that every self-replicator
## can be detected. Now what is correct? Could somebody write a self-modifying
## virus that can circumvent every possible method like clever algorithms,
## emulation including behaviour analysis, statistical approaches, ...?

The claim of the AV community is not only wrong from a scientific point of view; it is also either the proof of their scientific incompetence and ignorance or a marketing lie. We have designed malware for which we can prove that they cannot be detected (for example if you use suitable underlying formal grammars for code mutation, or if you use sophisticated code armoring techniques). Moreover, time is THE key issue. Malware have time, not AV (just imagine if every time you or the system do anything, the AV blocks it and analyzes it for tens of minutes). AV just allocates a (very) limited number of cycles for analysis.
We have designed a lame but very efficient malware as follows (the malware moreover embeds code mutation techniques): the malware encrypts itself and throws the secret key away (the key changes regularly, since the malware generates keys at random). Then, to operate, the malware first has to decrypt itself, which can be tuned to take between 10 and 30 minutes. It is what we have called tau-obfuscation (tau standing for time). From a general point of view, if you want to design a truly undetectable malware you have to use mathematical tools from computability and complexity theory. So the answer is yes, and we have already done it. We test all AVs regularly and none of them has ever been able to detect our malware. Now I have to make a very important comment: there is a big difference between having a powerful malware and being able to use it efficiently. Everything lies here: the operational/tactical thought behind it. If you spread a malware which makes millions of copies, well (unless you use special malicious crypto techniques and suitable malware network management) you increase the probability of identification of at least one copy and then draw the attention of the AV community (I would like to stress the fact that still nowadays, some AVs are still not able to detect and clean up some specific instances of the Conficker worm :-)). That is why more and more targeted attacks (up to a few hundred targets) will always be truly undetectable. We have submitted to Infiltrate 2013 a talk where we intend to present what could be the next generation of truly devastating botnets. Finally, the problem is not only to detect but also to clean up and remove malware. A few years ago we designed malware that do not care about being detected since they reinstall themselves constantly (use k-ary malware for that).
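[Editor's note, not part of the interview and not Filiol's code.] The tau-obfuscation idea above, "encrypt yourself, throw the key away, make the decryption take as long as you choose", is easiest to see as a brute-force time lock. The following Python is an illustrative construction written for this page: it keeps all but the low `dropped_bits` bits of a random key, so recovery costs a search over 2**dropped_bits candidates, and it models an AV emulator as a searcher with a fixed iteration budget that gives up before the payload ever appears. The key size, tag construction, SHA-256 counter-mode "cipher" and the `bits_for_delay` sizing rule are all assumptions made for the example; the sample payload is a constructed byte string.

```python
"""Toy tau-obfuscation as a brute-force time lock (hypothetical construction).

The payload is encrypted under a fresh random key and the low `dropped_bits`
bits of that key are thrown away.  Only a brute-force search over
2**dropped_bits candidates recovers the key, so the delay before the payload
can run is tuned by a single integer.  A scanner that only spends a fixed
cycle budget per object gives up long before the search finishes.
"""
import hashlib
import math
import secrets
from typing import Dict, Optional, Tuple

KEY_LEN = 16   # bytes of key material (assumed size)
TAG_LEN = 8    # bytes of key-check tag stored beside the ciphertext


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_tag(key: bytes) -> bytes:
    """Short tag that lets the searcher recognise the right key candidate."""
    return hashlib.sha256(b"tau-tag|" + key).digest()[:TAG_LEN]


def lock(payload: bytes, dropped_bits: int, key: Optional[bytes] = None) -> Dict:
    """Encrypt `payload`, then discard the low `dropped_bits` bits of the key.

    `key` can be supplied for reproducible tests; in practice it is random
    and regenerated at every re-encryption, as described in the interview.
    """
    if key is None:
        key = secrets.token_bytes(KEY_LEN)
    if len(key) != KEY_LEN or not 0 < dropped_bits < 8 * KEY_LEN:
        raise ValueError("bad key length or dropped_bits")
    ciphertext = xor_bytes(payload, keystream(key, len(payload)))
    key_int = int.from_bytes(key, "big")
    hint = ((key_int >> dropped_bits) << dropped_bits).to_bytes(KEY_LEN, "big")
    return {"ct": ciphertext, "hint": hint, "tag": key_tag(key), "bits": dropped_bits}


def unlock(blob: Dict, budget: Optional[int] = None) -> Tuple[Optional[bytes], int]:
    """Brute-force the dropped bits and return (payload, trials).

    `budget` models an AV emulator that stops after a fixed number of
    iterations: when it runs out, the payload is never observed and
    (None, trials) is returned.
    """
    base = int.from_bytes(blob["hint"], "big")
    for i in range(1 << blob["bits"]):
        if budget is not None and i >= budget:
            return None, i
        candidate = (base | i).to_bytes(KEY_LEN, "big")
        if key_tag(candidate) == blob["tag"]:
            payload = xor_bytes(blob["ct"], keystream(candidate, len(blob["ct"])))
            return payload, i + 1
    return None, 1 << blob["bits"]


def bits_for_delay(seconds: float, tags_per_second: float) -> int:
    """Bits to drop so the *average* search (half the key space) takes about
    `seconds` at the given tag-computation rate."""
    return math.ceil(math.log2(2 * seconds * tags_per_second))


if __name__ == "__main__":
    sample = b"constructed sample payload"   # constructed input, not real malware
    blob = lock(sample, dropped_bits=16)
    print("scanner with a 1000-iteration budget sees:", unlock(blob, budget=1000)[0])
    recovered, trials = unlock(blob)
    print(f"unbounded search recovered payload after {trials} trials:", recovered == sample)
    print("bits to drop for ~10 min at 1e6 tags/s:", bits_for_delay(600, 1e6))
```

The point to take from running it is the asymmetry the interview describes: the "malware" side has unbounded time and always finishes the search, while any analyzer with a fixed per-object budget (`budget=1000` against a 65,536-candidate space) sees only ciphertext and a loop. Raising `dropped_bits` by one doubles the expected delay, which is how the 10-to-30-minute window is tuned against a known brute-force rate.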
##############################
## In your article called "Metamorphism, Formal Grammars and Undecidable Code
## Mutation" you connect metamorphism to an undecidable problem (the word
## problem), and explain a certain implementation of an undecidable mutation
## system called POC_PBMOT. Can you briefly explain the idea of POC_PBMOT? The
## implementation is based on Mental Driller's MetaPHOR. Why did you use
## MetaPHOR as a basis? MetaPHOR has about 17,000 lines of assembler code - how
## much does your implementation have? You explain that the implementation is
## based on a macro-level grammar, but you actually never show what the grammar
## looks like. Were you really scared that somebody might implement this
## grammar even if you knew that commercial malware do not even use good
## polymorphism? Have you sent your engine to other researchers or anti-virus
## companies? Have you got a lot of feedback on this idea?

The basic idea is to use a class 0 grammar and a Thue system containing a Tseitin rewriting system. It is then impossible for any AV detector to decide that the code is a malware. In fact, you have to work not only at the static level (the code itself) but also at the dynamic level, since there is a moment where the code is in an "unprotected form". So you have to combine the code mutation technique (e.g. metamorphism) with code armoring and functional polymorphism. The paper indeed contains the formal grammar we use, or at least the very critical core (the Tseitin system). We used it in a wider class 0 grammar which is far from being optimal. MetaPHOR was just taken by the way as an example. While it is a very nice code, the rewriting rules used in it (I mean the metamorphic rules) are those of regular grammars (class 3). The part of POC_PBMOT dedicated to metamorphism (there are many other parts) is approximately three times the size of MetaPHOR. Since then we have found better grammars, but we did not take the time to program a new malware from scratch.
My approach from theory to practice is new and represents a technical advantage, and remember that at that time I was still in the army :-) Once again my concern is not about known malware but about those that we cannot detect and that are used by real, state-level attackers. I do not want to be responsible for any bad use. When I analyze some recent malware, I think that their authors have read and applied some of my papers. As an example, Conficker's combinatorial management of the network is rather close to what I published in 2006 (Combinatorial Optimization of Worm Propagation on an Unknown Network). I may be mistaken, but well, who knows? You cannot be sure whether a few bad guys will use what you publish or not, but in any case the AV community is ready to find, not to say create, buzz and wrong evidence. I have exchanged with researchers (not the code) but some of the technical data. They have experimented on their own with the same conclusion.

##############################
## Besides the PBMOT engine, which uses an undecidable mutation grammar, you
## also created prototypes of other great techniques such as functional
## polymorphism or k-ary codes (splitting of the entire code into k distinct
## parts). Why have you never released the source codes publicly? What about
## freedom of knowledge in this case? What did you do with the source codes?
## Have you given them to other selected researchers?

I have never released the corresponding codes. My former student Anthony Desnos published a simple instance of those codes in Python at Hack.lu 2009. The issue you address is very critical: trying to find the best trade-off between freedom of knowledge and not infringing the law. Moreover I am convinced that the most interesting thing is not the source code of particular malware instances but the general and mathematical basics that enable one to produce any instance on one's own. It is better to teach people how to fish than to give them fish day after day.
On the other side, the real issue is that k-ary codes for sophisticated instances are really undetectable, and no one can imagine how real bad guys would use published code.

##############################
## You say that there is no way to detect specific well-designed computer
## viruses (which contain techniques like Chomsky type-0 grammars for mutation,
## the k-ary concept, tau-obfuscation). Currently it seems like those projects
## are only in academic use (who don't use it for attacks) or military use (who
## might use it for very small-scale attacks). But what would happen if
## criminals with commercial interest could find ways to implement such
## techniques, and start large-scale attacks? How could you protect yourself
## against such attacks?

In fact here you address a very old issue regarding scientific dissemination. The first part of the answer is that we have to stay very humble when doing science and keep in mind that if I have been able to find/invent/discover anything, very likely other people did as well, but probably have chosen not to disclose it for bad reasons (and bad uses). So the second part of the answer is another question: what is the worst thing: to publish nothing and let bad guys do their dirty actions, or to publish to make people aware and try to find another way/system/organization that may mitigate or prevent the threat? The fear of the danger does not remove the danger!

##############################
## What are the viruses that you find most interesting and why? What techniques
## did you find most surprising/clever?

The most interesting malware I have seen until now are not public yet. They have been discovered during real attacks. Readers may be surprised, not to say shocked, to learn that no copy has been sent to AV vendors. Readers must know and be aware that when you gain a technical advantage (discovering new sophisticated malware instances) you cannot share it. That is the new context of cyber warfare.
International cooperation stops where national interests begin. Now as far as known malware are concerned, I would say Conficker (for its combinatorial management of the rendezvous points), Blaster (for the way it is able to deal with two different branches of the Windows system family) and Stuxnet (because of the way it fools security by using stolen cryptographic certificates; by the way, this is another example of very clever tactical design and use of techniques to avoid detection: just create a legitimate environment and turn the security confidence back against the victim). Of course some oldies must not be forgotten and deserve to be mentioned: Brain, Stealth, Q-Casino and many more.

##############################
## What would you suggest to people who want to start research in the field of
## computer virology? Which books/papers are obligatory? Which fields of
## mathematics and computer science are required? What are open questions in
## computer virology?

Programming skills are of course the first mandatory skill (assembly and C, essentially). Then as good a level as possible in mathematics (algebra, combinatorics, probability theory, statistics) and computer science (complexity theory, computability issues, automata theory, formal languages...). As for the books, well, there are a lot to read. Aside from good handbooks in all those areas, I would recommend Rogers' book on the Theory of Recursive Functions, Hopcroft et al.'s book on Automata Theory, Languages and Computation, Jones' book on Computability and Complexity, and of course Cohen's books and Mark Ludwig's books. Regarding open questions, there are a lot. But one of the most critical is the identification of a minimal class 0 grammar (according to the Chomsky classification) with suitable properties for code mutation. The search for Thue or semi-Thue systems is also very critical. More generally, the malicious cryptology domain offers a lot of open problems.
##############################
## Besides scientists like yourself, other people have researched computer
## virus technology as well. Have you had or do you have contact with those
## hobby virus writers? Have you ever met some of them in real life? What do you
## think about people who discover and develop new techniques for computer
## viruses and release the source code publicly on the internet?

In fact, there are unfortunately very few academic researchers in malware and virus technology. They fear being blamed by the academic community, which is itself heavily financially supported by the AV industry. You cannot imagine how difficult it has been to create and launch the Journal in Computer Virology. The community tried to intimidate Springer Verlag (the world's largest scientific publishing house). They spread rumors against me... So any academic who intends to have a career will never work on those "rogue subjects". To me it is some sort of intellectual terror and intimidation. There is no forbidden knowledge, there are only forbidden uses. Happily, it is now forbidden to burn people in public places. But the AV industry, to protect its commercial interests, operates like the Holy Inquisition. The consequence is the loss of knowledge (for example 29A is no longer active), and no serious studies are performed in universities, only in military labs. So I think that it is very important to open knowledge and to spread it. I am terrified by the fact that in the USA you can distribute millions of weapons that actually kill people, and you cannot publish malware source code. Remember all the troubles that Mark Ludwig had to face when he published his books. So publishing malware source code is very important, since it is the only way to learn and prepare for protection. And it is an issue of knowledge freedom.
Now I think that the most clever way to do it is not to publish source code (the instance) but to teach the underlying concepts, which are mostly of mathematical and algorithmic nature: it is better to teach how to fish than to distribute fish to hungry people. I have noticed that the AV industry does not understand a single line of mathematics but is able to identify lines of code. I consider that my papers on formal grammars, k-ary malware, tau-obfuscation, processor-dependent malware... are far more potentially dangerous than simply releasing source code. But who would dare forbid mathematical results? The AV community is too narrow-minded to understand that. I have never met malware writers, unfortunately. I was in contact by email and tried to help them in the best way.

##############################
## At the end of 2005, you launched the research magazine "Journal in Computer
## Virology", where you are still the Editor-in-Chief. Can you please explain
## what were your intentions and goals in creating this journal? You mentioned
## problems caused by the AV industry - what did they do and are they still
## trying to interfere? Do you experience that this academic field of research
## has become more accepted in the last few years? Do you have some good advice
## for young academics who want to work in this field?

In fact before this journal (and before I won an academic award for my book on computer viruses), computer virology was considered a bad-guy activity and just code writing, of course by those who still consider that computer virology should be the monopoly of the AV community (the bona fide researchers, in other words). I wanted to show that computer virology is a true science with formal and mathematical background and to promote serious and independent research in this field. At that time, for a young academic (mostly PhD students) it was impossible to publish scientific work related to computer virology.
It was a shame, and you were considered like a witch worth being burnt. The AV community tried to prosecute Springer Verlag, to threaten and to intimidate, but Springer has been very courageous (that is why I like Springer, the best scientific publisher in the world). Then they tried to present me as a bad guy. But I became the scientific director of EICAR. I have been banned from the Virus Bulletin conference... But now the AV community has failed and the journal is still alive. For young researchers, I would advise starting from the theory in order to think in terms of classes of techniques and not in terms of code instances (the major failure of the AV community). And to keep in mind that studying malware techniques must have a unique goal: to understand what the attackers/bad guys can do or can imagine, to make the protection/defense even stronger. Do not fall into the dark side of knowledge. You will lose your soul.

##############################
## VX Heavens has been closed since March 2012, due to the prosecution of
## herm1t. You were among the first public supporters of herm1t, and motivated
## other researchers to follow your example. What were your thoughts when this
## virus-related library was closed? VX Heavens has existed for many years; why
## did they investigate herm1t now? What is your prediction for the next steps
## in this case? Has the shutdown influenced the research of scientists like
## yourself?

This story is not very clear. I do not want to make any comments that could be misinterpreted by the Ukrainian justice system and then put herm1t in jeopardy. But I cannot reject the idea that the AV community is behind it in one way or another. For a few months many initiatives like VX Heavens have been in trouble or have closed (the best example is the Offensive Computing website, which was very useful). The existence of sample databases which are independent, and not under some remote control of the AV community, is something difficult to find nowadays.
It is clear that the AV community does not want independent testing and research (one of the main issues debated during the last two EICAR conferences). I sternly hope that this prosecution is a mistake and that the Ukrainian court will acknowledge that it was a stupid prosecution. Let's wait and see. But if things went wrong, I think that it would be worrying for the freedom of knowledge. But I want to remain optimistic. A number of hackers and researchers are ready to provide mirrors of VX Heavens or to launch new projects (like malware.lu). The organizers of Hack.lu 2012 intend to invite herm1t for an invited talk. He will then explain things maybe better than I would. And it will be a great honor and pleasure to meet him at last and to buy him a beer!

##############################
## What do you think will the future of computer viruses look like? What do you
## expect in the near future, 3-5 years from now? And how might self-replicating
## code be in a distant future, 15-20 years from now?

Well, I am not really optimistic but I am not too pessimistic either. The problem is not malware in themselves. The problem is the lack of security in development, in IT security awareness and education. As long as software vendors and editors implement their products without any care for security (just wait for the next patch), we will have troubles. As long as it is possible to steal cryptographic certificates, launching more and more attacks will be possible. As long as governments impose on software editors and security software manufacturers to embed trapdoors, it will be possible to design high-level attacks. The problem is not malware writers. It is people and IT professionals who do not do their job seriously, either out of laziness and incompetence or for commercial/strategic interest, or both.
I think that new malware will use more and more mathematics and malicious cryptography techniques (refer to the chapter I wrote in Cryptography and Security in Computing, Dr Jaydip Sen ed., Intech Publishing, ISBN 978-953-51-0179-6 [free book] about Malicious Mathematics and Malicious Cryptology; it is only a very partial part of what I have in mind). We already work on what will be quantum malware for quantum computing. Malware will just adapt to the evolving ecosystems. New platforms, new OSes will bring corresponding malware. The only change will occur with the increased use of theoretical concepts and with new operational approaches. I think that in the future we have to worry about attackers able to design malware while using sophisticated mathematical concepts and thinking like infantrymen for the tactical use.

##############################
## Quantum malware - this sounds fantastic. Could you please explain a bit more
## what you mean by that? What has already been achieved and what are your
## goals? What is the effect of the No-Cloning Theorem on quantum malware?

Well, at present we try to use the simulation of quantum computers by classical computers to validate some interesting concepts around metamorphism. But beyond a few limited validations the ideas are more theoretical than practical. If someone is ready to offer a quantum computer...