Thursday 20th 2023

Mask ROMs and Masks of Abstraction

Travis Goodspeed is a reverse engineer from East Tennessee, where he boils microchips in acids to photograph their memory. He drives a Studebaker, and he knows every good dog at his corner bar by name.

Lately I've been obsessed with ROM memory, which is physically visible in a chip after the right chemical procedures. Bits are in an awkward order, of course, because a machine needn't read from left to right.

This lecture will describe both the crazy things that you can see on a microchip under a microscope and also why reverse engineering is the very best way to understand new technologies at the very lowest levels of abstraction.

Travis GoodSpeed

Automating the extraction of secrets stored inside CI/CD systems

CI/CD systems have become more and more common today. This can be explained by the fact that it can be really difficult to maintain and deploy multiple projects at the same time. Those systems help teams and developers by enforcing automation in building, testing and deploying applications. However, in order to integrate, deliver and deploy, they need credentials to seamlessly interact with other environments like cloud ones. While those credentials are securely stored when managed using dedicated features of the CI/CD systems, it is still possible to extract them in some cases.

This talk will detail how this can be achieved through several examples targeting the CI/CD platforms of Azure (Azure DevOps) and GitHub (GitHub Actions). It will also present a tool that we developed to automate and ease the secrets extraction work on a wide range of Azure DevOps projects and GitHub repositories.

Théo Louis-Tisserand and Hugo Vincent Synacktiv (Toulouse & Paris, France)

Hash cracking : automation driven by laziness, 10 years after

Hash cracking came through some trends during time (dictionary attacks, leaked databases, hashcat masks, ...). Over the last 10 years I spent some time automating those steps as far as I can. As I also automated the "presentation to the client" step to replace the vanilla "pipal" output, I figured that I could make it directly usable for companies. And I felt it was useful as I say to them "test the robustness of your employee's password every year", but I didn't find a tool on the shelf to do it. Follow me in this retrospective of 10 years.

David Soria Astar (Toulouse, France)

Weaponizing ESP32 RF Stacks

In this talk, we present a general overview of our analysis of the cheap and popular ESP32 System-on-Chips (SoCs), from a wireless security perspective. We focused on reverse engineering the hardware and software components dedicated to Bluetooth Low Energy (BLE) communications, from the hardware controller to the protocol stack. We also explored how these components can be diverted from their initial use to implement multiple attacks, targeting various wireless protocols, including ones not natively supported by the chip. We show that a compromised ESP32 SoC can perform low-level attacks targeting the Link Layer and Physical Layer of BLE communications, such as fingerprinting a BLE device or jamming multiple critical channels simultaneously. We also present multiple advanced cross-protocol attacks, taking advantage of the BLE controller low level internals to inject keystrokes into insecure wireless keyboards communications based on 2.4GHz proprietary protocols, or hijack an ANT+ Heart Rate Monitor.

Romain Cayre and Damien Cauquil Institut Eurecom (Sophia-Antipolis, France), Quarkslab (Paris, France)

HammerScope: Observing DRAM Power Consumption Using RowHammer

Arie Haenel is a Principal Engineer at Intel, where he leads ASSERT, an Offensive Security Research team. He has 25 years of professional experience, in security research and security product development on a vast number of embedded platforms, at Intel, Cisco and NDS. In his spare time, Arie teaches security engineering as an Adjunct Lecturer at the Jerusalem College of Technology. Yaakov Cohen is an Offensive Security Researcher at Intel, focuses on Intel client products, from High level Software to Core u-Code and u-Architecture. The HammerScope research is part of his master thesis work under the supervision of Dr. Yossi Oren from the department of Software and Information System Engineering, Ben-Gurion University. Hammerscope is a joint research with Arie Haenel, Kevin Sam Tharayil, Prof. Daniel Genkin, Prof. Angelos D. Keromytis, Dr. Yossi Oren and Prof. Yuval Yarom.

Yaakov Cohen and Arie Haenel Intel

Reflections on Trusting Docker: Invisible Malware in Continuous Integration Systems

Revisiting the famous compiler backdoor from Ken Thompson, we show that a container-based Continuous Integration system can be compromised without leaving any trace in the source code. Detecting such malware is challenging or even impossible with common practices such as peer review or static code analysis. We detail multiple ways to do the initial infection process such as malicious commit or dependencies confusion. Finally, we show that the malicious code is able to backdoor production images and to reinject itself on CI system updates to allow long-term compromise.

Florent Moriconi, Axel Neergaard, Lucas Georget, Samuel Aubertin and Aurélien Francillon Institut Eurecom (Sophia-Antipolis, France)

Dynamic Binary Firmware Analysis With Avatar²

Embedded systems are ubiquitous in our society and like any other software, firmware is susceptible to bugs and vulnerabilities. Dynamic analysis techniques such as fuzzing and symbolic execution have proved effective in detecting bugs. However, applying these techniques to embedded systems is not straightforward due to limited resources and visibility, which highlights the need for improved tooling.

Avatar² is an open source framework for dynamic instrumentation and analysis of binary firmware. It aims to facilitates the integration and interoperability between various binary analysis tools such as debuggers, emulators, disassemblers, symbolic execution engines and fuzzers. The framework is particularly aimed at analyzing embedded systems and their firmware, as it allows for the combination of physical devices with emulators in a hardware-in-the-loop fashion. Additionally, Avatar² provides fine-grained control over the program execution. It allows doing live migration of a program between analysis tools and forwarding special accesses, such as memory and I/O, to others analysis tools for hybrid execution.

Paul Olivier Institut Eurecom (Sophia-Antipolis, France) / LAAS-CNRS (Toulouse, France)

Friday 21th 2023

Hacking for Ideas

Axelle Apvrille is Principal Security Researcher at Fortinet. She started hunting down viruses before Android or IoT existed. She is also the lead organizer of Ph0wn CTF, on the French Riviera. Ph0wn is dedicated to challenges on smart devices.

Axelle Apvrille Fortinet

An explainable-by-design ensemble learning system to detect unknown network attacks

Machine learning is a promising technology for network intrusion detection systems. There are many different machine learning algorithms whose results seem complementary, but determining which one is accurate in a specific case is difficult because models lack explainability. This talk introduces an explainable-by-design system that reconstructs attack patterns from a set of unsupervised learning models’ outputs, and presents those patterns to security analysts to help them interpret any detection.

Céline Minh, Kevin Vermeulen, Cédric Lefebvre, Philippe Owezarski and William Ritchie Custocy (Toulouse, France), LAAS-CNRS, Universite de Toulouse, CNRS, INSA (Toulouse, France)

An exploration of future challenges for crowd sourced vulnerability detection

Human dimension of cybersecurity falls under different practices or strategies. Crowd sourcing the detection of vulnerabilities is one of them. A lot of intelligence is published on online social networks (OSN) and it may be hard to process everything for human analysts. There is a need for automated solutions which will process the OSN stream to extract knowledge. We will specifically talk about the methods used to mine information related to vulnerabilities in this paper and compare them to identify future challenges.

Olivier de Casanove and Florence Sèdes IRIT, Universite Toulouse III - Paul Sabatier (Toulouse, France)

The Android Security Model

The many applications used by Android device owners in their daily lives are also entry points for an attacker. It could be a malicious app installed from the store or even a legitimate one that contains vulnerabilities. Taking into account that a compromise is possible, Android must protect user data and accesses to hardware devices against malicious actors. This presentation details the Android security model and provides an overview of mechanisms that limits the impacts of a compromise.

Jean-Baptiste Cayrou Synacktiv (Toulouse, France)

Software defined vehicule security - challenges, risks and rewards

Software Defined Vehicule emergence in the automotive industry is a great opportunity in terms of user experience but also in terms of product value allowing the deployment of new features while reducing and communalizing SW development costs. SDV platforms are built around HPC with HW/SW sharing and a generalized SOA backbone. How is it increasing the risks in terms of cybersecurity? How a leading OEM is building a technological roadmap to mitigate those challenges?

Redouane Soum Renault

A study on Windows Authentication & Prox-Ez

During a penetration test, have you ever come across a website using NTLM as the authentication mechanism but could not authenticate with your browser or Burp even though you had valid credentials? NTLM EPA or Kerberos might be the culprit... Indeed, Firefox, among others, does not support the new Microsoft authentication mechanism and fails to connect.

The main goal of this presentation is to describe the various authentication mechanisms that can be used within Windows WebServer -- among which NTLM, NTLM EPA (service binding and channel binding) and Kerberos -- as well as our findings on them security-wise. We will also present our tool Prox-EZ (https://github.com/synacktiv/Prox-Ez) that can help you interface your security tools and deal with all kinds of authentication.

Geoffrey Bertoli and Pierre Milioni Synacktiv (Paris, France)

Why there is more to today's attacks against online games than meets the eye

The online gaming industry is serving both end-user multi-player gaming experiences, for example in first-person- shooter (FPS) games, as well as competitions in those games. While the latter happen under much more constrained/controlled environments, the day-to-day multi-player setting is very diverse in terms of player capabilities as well as network connectivity. Dishonest behavior in these settings include denial-of-service attacks on opponents to disable them and self-inflicted delays known as a lag switch attack to gain a competitive advantage using deception of the adversary. We focus on both these attacks and offer some reflections for tackling this ongoing problem at the game level.

Ilies Benhabbour, Marc Dacier, David Bromberg, Sven Dietrich, Rodrigo Rodrigues and Paulo Estes-Verissimo King Abdullah University of Science and Technology (KAUST), (Thuwal, Kingdom of Saudi Arabia), Univ Rennes, CNRS, IRISA, INRIA Rennes (France), City University of New York (New York, NY, USA), Instituto Superior Tecnico and INESC-ID (Lisboa, Portugal)

Fighting against DLL Search Order Hijacking, one SLAHP at a time

DLL Search Order Hijacking (a.k.a DLL Hijacking or DLL sideloading in specific conditions) is a problem that is generally overlooked by software developers even though its existence has been known for more than 10 years. While some mitigations have been made by Microsoft to reduce DLL Search Order Hijacking's feasability and impact, the recent and wide-spread adoption of user-writable directories as potential (and sometimes default) software installation paths (in order to improve installation success rates) makes it worthy of being brought back up. We conducted a study on 47 different software programs and found that more than 80% of them are vulnerable to some form of DLL Search Order Hijacking. We present SLAHP, a novel way of preventing DLL Search Order Hijacking exploitation in the form of a proof-of-concept implementation that is both easy to integrate with new and existing products by software developpers. It is mostly invisible to end users while still allowing the usage of previously unsecure installation locations with a very subtle performance impact.

Antonin Verdier, Romain Laborde and Abdelmalek Benzekri IRIT, Universite Toulouse III - Paul Sabatier (Toulouse, France)