[ News ] [ Research ] [ Teaching ] [ Misc ] [ Contact ]

Who am I ?

I have been working for 10 years in evaluation, research and consulting activities in the field of information systems security, both in the civilian sector and in the Defense sector. My career plan is oriented towards research engineering, a dimension that I want to develop and deepen in the areas of operating systems security, reverse engineering and cryptography.

Having an initial academic background in Mathematical Modelling, I had the opportunity during my career to train regularly in order to explore the technical aspects necessary to my study, consulting and research missions (system, network, telecom, computer security, cryptography).

I dedicated my doctoral dissertation to the dynamic analysis of protected programs, focusing mainly on the cryptographic mechanisms resistant against reverse engineering and on the use of a virtualization system to carry through protected code reverse analysis. My research eventually led me to the definition and implementation of a test strategy dedicated to evaluation of anti-virus software.
My expertise now applies mainly to software systems and to hybrid software/hardware architectures. I want to evolve technically towards being conversant with hardware security components.

Before joining ESIEA engineering school, I worked for:

3 years as UNIX system administrator and Oracle DBA in CEDICAM (Banks Economic Interest Grouping, CEDICAM is the Crédit Agricole group's payments platform. It supports the Group's banks, operating mainly in electronic payments, payments processing and payment instrument security)
7 years as security evaluator in a Common Criteria (ISO/IEC 15408) for Information Technology Security Evaluation laboratory (CC/ITSEC lab. or CESTI in French, standing for "Centre d'Evaluation de la sécurité des TI"), under the control of the French Network and Information Security Agency (FNISA or ANSSI in French, standing for "Agence Nationale de la Sécurité des Systèmes d’Information")

I joined ESIEA engineering school and the (C+V)^O Laboratory in January 2010.

The (C+V)^O Laboratory

The Operational Cryptology and Virology Laboratory’s core research activity deals with computer security - mostly in virology and cryptology - in the field of defensive computing applications but in connection with offensive computer security (computer warfare).
Emphasizing both the theoretical approach - to maintain a high academic skills - and applied research inspired by problems (from the government sphere, but also from the industrial one), the main objective is not only to understand the current attacks but also and especially to predict and invent the future attacks. This proactive approach aims at anticipating the threat (defensive area) but in a context of evolution of French doctrine, to investigate towards both a theoretical and practical arsenal in the offensive area (government sphere). The key word in both areas is the operational capability.
The laboratory retains strong links not only with the Department of Defense, but also with the Departments of Justice and Interior. This applies to both the thematic part of the research activity and the creation and maintenance of a secure environment for conducting this research activity in respect of the principal regulations.

Specialities

Security mechanisms and attack methods of operating systems (Windows®, Linux)
Partitioning and virtualization technologies (Virtual Machine Monitors security, Xen, VMware, Qemu, Trango VP)
Forensic analysis and software Reverse Engineering (Dynamic Methods based on a software CPU/JTAG, White Box Cryptography)
C & C++ programming, x86 assembler, Windows® kernel modules devel, several scripting languages (Nessus NASL, PERL, IDA Pro IDC, Ollyscript, Windbg script) and Scientific software (Scilab, Maple, SAS, LaTeX)

News

Intensive Programming E-Discovery

Electronic Discovery (E-Discovery) is defined as the identification, collection, processing, analysis and production of electronic stored information (ESI). The purpose of E-Discovery is to identify and collect relevant ESI and then reduce the total volume of ESI in an investigation so that investigators can focus on less but more relevant information.

For the EU, E-discovery is essential to support findings in order to prosecute organisations that are in violation with EU regulations.
EU countries are in various stages of implementing EU guidelines in national legislation and regulations. Organisations have to be compliant with these regulations and are faced with multi-disciplinary challenges from law, information and communication technology. Soon, if not already, they will have to be able to produce all kinds of ESI in both internal investigations as well as legal proceedings if required to do so.
Without proper preparation, E-Discovery can be a challenging ad-hoc process where tight deadlines have to be met at high cost or risk. Organisations that want to manage this cost and that want to reduce the risk of failing to produce requested ESI on time will have to become ready for E-Discovery.

This IP has two major objectives:

First of all the project aims to start a European E-Discovery network to harmonise and exchange knowledge in the field of E-Discovery. This network will support participating higher educational institutes to collaborate in a more professional way with organisations in their national markets. The international partners will exchange knowledge that is relevant for teaching and researching E-Discovery and use this knowledge to develop an international course on E-Discovery which is part of the project itself.
Second, through this course participating students will learn what E-discovery entails and how organisations can assess their E-Discovery readiness. They will learn how to search for electronic evidence through enormous amounts of unstructured data in a structured way. They will also learn how the results of E-Discovery can be presented as evidence in legal proceedings: our students will become digital investigators that need to ensure that any evidence produced (in court or elsewhere) is an exact reflection of what was found at the scene of the crime – e.g. a computer (in most cases).

Partners:

ESIEA (France),
Hogeschool van Amsterdam (The Netherlands),
Hochschule Bonn-Rhein-Sieg (Germany),
Mid-Sweden University (Sweden),
Universidad de Alcalá (Spain),
University of Salford (UK),
University of Zagreb (Croatia).

Wiki: Wiki IP E-Discovery

Specialized Master N&IS

The training proposed within the framework of the Specialized Master in Network and Information Security (N&IS) enables future specialists to give precise answers to the very diverse security issues with which all components of digital information are currently confronted. The training specially emphasises the concept of security as a continuous process that grows in an environment based on new and emergent technologies, from coding to networking.

Research

Conference Papers, Articles, PhD Thesis

[FFJ04] The COSvd Ciphers (co-authored with E. Filiol and C. Fontaine). In : proceedings of the ECRYPT Conference on the state-of-the-Art of Stream Ciphers, Bruges, October 13-15, volume 59, 2004.

[Jos05] Techniques d’obfuscation de code: chiffrer du clair avec du clair. Journal de la sécurité informatique MISC (20) :32–42, 2005.

[Jos06a] How to assess the security of your anti-virus ? In: proceedings of the 15th EICAR Conference, Hamburg, Germany, April 29 - May 3, 2006. & In Journal in Computer Virology, volume 2, pages 51–65. Springer, 2006.

[Jos06b] Secure and advanced unpacking using computer emulation. In: proceedings of the AVAR 2006 Conference, Auckland, New Zealand, December 3-5, pages 174–190, 2006. & In Journal in Computer Virology, volume 3, pages 221-236. Springer, 2007.

[FJ07] A Statistical Model for Undecidable Viral Detection (co-authored with E. Filiol). In: proceedings of the 16th EICAR Conference, Budapest, Hungary, May 5 – 8, 2007. and In Journal in Computer Virology, volume 3, pages 65–74. Springer, 2007.

[Jos07] Rootkit detection from outside the Matrix. In: proceedings of the 16th EICAR Conference, Budapest, Hungary, May 5 – 8, 2007. and In Journal in Computer Virology, volume 3, pages 113–123. Springer, 2007.

[FEGGJJQ07] Evaluation de l’antivirus OneCare : quand avant l’heure ce n’est pas l’heure ! (co-authored with Filiol, E., Evrard, P., Geffard, G., Guilleminot, G., Jacob, G., and Quenez, D.). In : Journal de la sécurité informatique MISC (32) :42–51, 2007.

[DJ07] Protection des logiciels contre la rétro-ingénierie (co-authored with G. Dabosville). In: proceedings of the CESAR 2007 Conference, Chateaugiron, France, November 6-8, 2007.

[FGJJQ08] Evaluation de l'antivirus Dr Web : l'antivirus qui venait du froid (co-authored with Filiol, E., Geffard, G., Jacob, G., and Quenez, D.). In: Journal de la sécurité informatique MISC (37), 2008.

[Jos08] White Box Attack Context Cryptovirology. In: proceedings of the 17th EICAR Conference, Laval, France, May 3-6, 2008 (best student paper award). and In Journal in Computer Virology, volume 5. Springer, 2008.

[Jos09] Dynamic analysis and detection of viral code in a cryptographic context. PhD Dissertation, Applied Mathematics and Computer Science, Ecole polytechnique, 2009.

Teaching 2010-2011

Cryptography & Cryptanalysis

COURSE 01 : Introduction (History, overview, Classical Cryptography)

PRACTICE : Classical Cryptosystems Cryptanalysis

PRACTICE : GNU MP [gmp.h, gmp.lib, gmp.dll]

COURSE 02 : Symmetric Cryptography (Stream Ciphers, Information Theory, Probability & Statistics, Boolean Functions)

PRACTICE : Parallel Messages Attack [Corpus, cpcry1,cpcry2,cpcry3,cpcry4,cpcry5,cpcry6], Correlation Attack

COURSE 03 : Symmetric Cryptography (Block Ciphers, Data Encryption Standard : design & cryptanalysis)

PRACTICE : DES Differential & Linear Cryptanalysis

COURSE 04 : Symmetric Cryptography (Hash Functions, Message Authentication Code)

COURSE 05 : Asymmetric Cryptography (Algebra - Groups, Rings, Finite Fields)

COURSE 06 : Asymmetric Cryptography (RSA & El Gammal Signature & Encryption algorithms, Key Management and Cryptographic protocols)

COURSE 07 : Asymmetric Cryptography (Algorithmic Analysis & Implementation)

PRACTICE : Miller-Rabin Algorithm Implementation

REFERENCES :

[Sti95] Stinson, D.R. Cryptography: Theory and practice. CRC Press, 1995.

[Sch96] Schneier, B. Applied cryptography: protocols, algorithms, and source code in C. John Wiley & Sons, Inc. New York, 1996.

[Fil10] Filiol, E. How to operationaly detect misuse or flawed implementation of weak stream ciphers (and even block ciphers sometimes) and break them - Application to the Office Encryption Cryptanalysis. In Proceedings of Black Hat EU 2010, 2010.

Secure programming

COURSE 01 : Introduction (Code Injection Attacks)

PRACTICE : Stack Based Buffer Overflow [Server Code], Format String attacks, Heap Based Buffer Overflow

COURSE 02 : Compiler's protection options

PRACTICE : Stack Based Buffer Overflow prevention using Compiler's protection options

COURSE 03 : Static Code Checking

PRACTICE : Stack Based Buffer Overflow prevention using PREFast

COURSE 04 : Dynamic Analysis Tools

PRACTICE : Heap Based Buffer overflow prevention using Application Verifier

REFERENCES :

[Kus07] Kuster, R. WinDbg. From A to Z!, 2007.

Compilation

COURSE 01 : Introduction (Language Processing, Structure of a Compiler)

COURSE 02 : Introduction (Main Concepts and Tools)

COURSE 03 : Scanning (Lexical Analysis, Scanner Generator, Flex)

COURSE 04 : Parsing (Syntax Analysis, Parser Generator, Bison)

COURSE 05 : Intermediate Code Generation and optimization

Operating System

COURSE 01 : Introduction (Course overview, Evolution of Operating Systems, Windows® and Linux Operating System Family, Concepts & Tools, Comparing the Linux and Windows® Kernels)

COURSE 02 : Concurrency (Critical Sections, Semaphores, Trap Dispatching, Interrupts, Synchronization, Inter-Process Communication)

COURSE 03 : Processes and Threads (Process and Thread Internals, Thread Scheduling)

COURSE 04 : Memory (Memory Management Fundamentals, Virtual Address Translation, Physical Memory Management)

COURSE 05 : Input/Output (Principles of IO Systems, IO System components, IO Processing)

Reverse and Malware analysis

COURSE 01 : Basis (CPU IA-32 architecture & intruction set, Windows® OS internals & PE Format)

PRACTICE : CPU IA-32 Assembler introduction

PRACTICE : Assembler Programming

PRACTICE : Windows® Internals Exploration using a Kernel Debugger

PRACTICE : Peering Inside PE Format

COURSE 02 : Software Protection (Anti-Static/Dynamic Analysis, Stealth Mechanisms, Diversification/Obfuscation, WBAC Cryptography)

PRACTICE : Tiny Relocatable Program Analysis [Ollydbg]

PRACTICE : Code Virtualization Mechanism Analysis

PRACTICE : WBAC Implementation of DES Algorithm Analysis

COURSE 03 : Reverse Engineering (Static/Dynamic Analysis Tools, Forensics & OS Instrumentation Tools, Binary Rewriting Tools, WBAC Cryptanalysis)

PRACTICE : Unpacking a Tiny Program using a user mode debugger

PRACTICE : API Hooking using Microsoft® Detours

PRACTICE : Binary Rewriting using Diablo

PRACTICE : WBAC Implementation of DES Algorithm Cryptanalysis

COURSE 04 : Malware Analysis (Virtual Machine Based Analysis Framework, Stealth Malware Analysis)

PRACTICE : A few Malwares Analysis

PRACTICE : Rootkit Manual Detection using Sysinternals® Tools Suite

REFERENCES :

[BH99] D. Brubacher and G. Hunt. Detours : Binary Interception of Win32 Functions. In Proceedings of the 3rd USENIX Windows NT Symposium, pages 135143, 1999.

[Eil05] E. Eilam. Reversing : Secrets of Reverse Engineering. Wiley Publishing, ISBN 0-7645-7481-7, 2005.

[Hog05] G. Hoglund. Rootkits : Subverting the Windows Kernel. Addison-Wesley, ISBN 0-321-29431-9, 2005.

[Intel1] Intel® 64 and IA-32 Architectures Software Developer’s Manual. Basic Architecture

[Intel2A] Intel® 64 and IA-32 Architectures Software Developer’s Manual. Instruction Set Reference (part 1/2)

[Intel2B] Intel® 64 and IA-32 Architectures Software Developer’s Manual. Instruction Set Reference (part 2/2)

[Intel3A] Intel® 64 and IA-32 Architectures Software Developer’s Manual. System Programming Guide (part 1/2)

[Intel3B] Intel® 64 and IA-32 Architectures Software Developer’s Manual. System Programming Guide (part 2/2)

[PE] Microsoft Portable Executable and Common Object File Format Specification, available at : http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx

[RS05] M.E. Russinovich and D.A. Solomon. Microsoft Windows internals : Microsoft Windows Server 2003, Windows XP, and Windows 2000. Microsoft Press, Redmond, Wash., 2005.

Misc

Performing kernel-mode debugging on a virtual machine

The courses Secure Programming and Reverse & Malware Analysis come with a Virtual Machine embedding several system diagnosis and software analysis tools. KD and WinDbg can perform kernel-mode debugging on this virtual machine. The virtual machine can be located on the same physical computer as the debugger or on a different computer that is connected to the same network. Before you begin debugging, create a named pipe on the virtual machine. The debugger connects through this pipe.

For example, if you are using VMWare® Player, and want to attach the WinDbg debugger to the VMWare session, do the following:

Open the Settings menu of VMWare® Player
Click the Add button to open the Add Hardware Wizard
Select Serial Port and click the Next Button
Select Use Named Pipe, and change the name to: \\.\pipe\com1
Select This end is the server
Select The over end is an application
Select the Yield on CPU poll option
Click Finish and then Ok to save your options.

Once the Guest OS has started booting you can then use the following command to attach the debugger to the VMWare session (using the named pipe) and enter the kernel-debug mode:

	windbg –k com:pipe,port=\\.\pipe\com1,resets=0

Contact

Sébastien Josse

ESIEA - Operational Cryptology and Virology Laboratory (C+V)^O

Parc universitaire Laval-Changé
53000 Laval
Office A27

sebastien.josse@esiea-ouest.fr

Login: yes
Password: i dont have one
password is incorrect

Login: yes
Password: incorrect