CI/CD systems have become more and more common today. This can be explained by the fact that it can be really difficult to maintain and deploy multiple projects at the same time. Those systems help teams and developers by enforcing automation in building, testing and deploying applications. However, in order to integrate, deliver and deploy, they need credentials to seamlessly interact with other environments like cloud ones. While those credentials are securely stored when managed using dedicated features of the CI/CD systems, it is still possible to extract them in some cases.

This talk will detail how this can be achieved through several examples targeting the CI/CD platforms of Azure (Azure DevOps) and GitHub (GitHub Actions). It will also present a tool that we developed to automate and ease the secrets extraction work on a wide range of Azure DevOps projects and GitHub repositories.

Théo Louis-Tisserand and Hugo Vincent Synacktiv (Toulouse & Paris, France)

Hash cracking came through some trends during time (dictionary attacks, leaked databases, hashcat masks, ...). Over the last 10 years I spent some time automating those steps as far as I can. As I also automated the "presentation to the client" step to replace the vanilla "pipal" output, I figured that I could make it directly usable for companies. And I felt it was useful as I say to them "test the robustness of your employee's password every year", but I didn't find a tool on the shelf to do it. Follow me in this retrospective of 10 years.

David Soria Astar (Toulouse, France)

In this talk, we present a general overview of our analysis of the cheap and popular ESP32 System-on-Chips (SoCs), from a wireless security perspective. We focused on reverse engineering the hardware and software components dedicated to Bluetooth Low Energy (BLE) communications, from the hardware controller to the protocol stack. We also explored how these components can be diverted from their initial use to implement multiple attacks, targeting various wireless protocols, including ones not natively supported by the chip. We show that a compromised ESP32 SoC can perform low-level attacks targeting the Link Layer and Physical Layer of BLE communications, such as fingerprinting a BLE device or jamming multiple critical channels simultaneously. We also present multiple advanced cross-protocol attacks, taking advantage of the BLE controller low level internals to inject keystrokes into insecure wireless keyboards communications based on 2.4GHz proprietary protocols, or hijack an ANT+ Heart Rate Monitor.

Romain Cayre and Damien Cauquil Institut Eurecom (Sophia-Antipolis, France), Quarkslab (Paris, France)

Revisiting the famous compiler backdoor from Ken Thompson, we show that a container-based Continuous Integration system can be compromised without leaving any trace in the source code. Detecting such malware is challenging or even impossible with common practices such as peer review or static code analysis. We detail multiple ways to do the initial infection process such as malicious commit or dependencies confusion. Finally, we show that the malicious code is able to backdoor production images and to reinject itself on CI system updates to allow long-term compromise.

Florent Moriconi, Axel Neergaard, Lucas Georget, Samuel Aubertin and Aurélien Francillon Institut Eurecom (Sophia-Antipolis, France)

Embedded systems are ubiquitous in our society and like any other software, firmware is susceptible to bugs and vulnerabilities. Dynamic analysis techniques such as fuzzing and symbolic execution have proved effective in detecting bugs. However, applying these techniques to embedded systems is not straightforward due to limited resources and visibility, which highlights the need for improved tooling.

Avatar² is an open source framework for dynamic instrumentation and analysis of binary firmware. It aims to facilitates the integration and interoperability between various binary analysis tools such as debuggers, emulators, disassemblers, symbolic execution engines and fuzzers. The framework is particularly aimed at analyzing embedded systems and their firmware, as it allows for the combination of physical devices with emulators in a hardware-in-the-loop fashion. Additionally, Avatar² provides fine-grained control over the program execution. It allows doing live migration of a program between analysis tools and forwarding special accesses, such as memory and I/O, to others analysis tools for hybrid execution.

Paul Olivier Institut Eurecom (Sophia-Antipolis, France) / LAAS-CNRS (Toulouse, France)

Machine learning is a promising technology for network intrusion detection systems. There are many different machine learning algorithms whose results seem complementary, but determining which one is accurate in a specific case is difficult because models lack explainability. This talk introduces an explainable-by-design system that reconstructs attack patterns from a set of unsupervised learning models’ outputs, and presents those patterns to security analysts to help them interpret any detection.

Céline Minh, Kevin Vermeulen, Cédric Lefebvre, Philippe Owezarski and William Ritchie Custocy (Toulouse, France), LAAS-CNRS, Universite de Toulouse, CNRS, INSA (Toulouse, France)

Human dimension of cybersecurity falls under different practices or strategies. Crowd sourcing the detection of vulnerabilities is one of them. A lot of intelligence is published on online social networks (OSN) and it may be hard to process everything for human analysts. There is a need for automated solutions which will process the OSN stream to extract knowledge. We will specifically talk about the methods used to mine information related to vulnerabilities in this paper and compare them to identify future challenges.

Olivier de Casanove and Florence Sèdes IRIT, Universite Toulouse III - Paul Sabatier (Toulouse, France)

The many applications used by Android device owners in their daily lives are also entry points for an attacker. It could be a malicious app installed from the store or even a legitimate one that contains vulnerabilities. Taking into account that a compromise is possible, Android must protect user data and accesses to hardware devices against malicious actors. This presentation details the Android security model and provides an overview of mechanisms that limits the impacts of a compromise.

Jean-Baptiste Cayrou Synacktiv (Toulouse, France)

Software Defined Vehicule emergence in the automotive industry is a great opportunity in terms of user experience but also in terms of product value allowing the deployment of new features while reducing and communalizing SW development costs. SDV platforms are built around HPC with HW/SW sharing and a generalized SOA backbone. How is it increasing the risks in terms of cybersecurity? How a leading OEM is building a technological roadmap to mitigate those challenges?

Redouane Soum Renault

During a penetration test, have you ever come across a website using NTLM as the authentication mechanism but could not authenticate with your browser or Burp even though you had valid credentials? NTLM EPA or Kerberos might be the culprit... Indeed, Firefox, among others, does not support the new Microsoft authentication mechanism and fails to connect.

The main goal of this presentation is to describe the various authentication mechanisms that can be used within Windows WebServer -- among which NTLM, NTLM EPA (service binding and channel binding) and Kerberos -- as well as our findings on them security-wise. We will also present our tool Prox-EZ (https://github.com/synacktiv/Prox-Ez) that can help you interface your security tools and deal with all kinds of authentication.

Geoffrey Bertoli and Pierre Milioni Synacktiv (Paris, France)

The online gaming industry is serving both end-user multi-player gaming experiences, for example in first-person- shooter (FPS) games, as well as competitions in those games. While the latter happen under much more constrained/controlled environments, the day-to-day multi-player setting is very diverse in terms of player capabilities as well as network connectivity. Dishonest behavior in these settings include denial-of-service attacks on opponents to disable them and self-inflicted delays known as a lag switch attack to gain a competitive advantage using deception of the adversary. We focus on both these attacks and offer some reflections for tackling this ongoing problem at the game level.

Ilies Benhabbour, Marc Dacier, David Bromberg, Sven Dietrich, Rodrigo Rodrigues and Paulo Estes-Verissimo King Abdullah University of Science and Technology (KAUST), (Thuwal, Kingdom of Saudi Arabia), Univ Rennes, CNRS, IRISA, INRIA Rennes (France), City University of New York (New York, NY, USA), Instituto Superior Tecnico and INESC-ID (Lisboa, Portugal)

DLL Search Order Hijacking (a.k.a DLL Hijacking or DLL sideloading in specific conditions) is a problem that is generally overlooked by software developers even though its existence has been known for more than 10 years. While some mitigations have been made by Microsoft to reduce DLL Search Order Hijacking's feasability and impact, the recent and wide-spread adoption of user-writable directories as potential (and sometimes default) software installation paths (in order to improve installation success rates) makes it worthy of being brought back up. We conducted a study on 47 different software programs and found that more than 80% of them are vulnerable to some form of DLL Search Order Hijacking. We present SLAHP, a novel way of preventing DLL Search Order Hijacking exploitation in the form of a proof-of-concept implementation that is both easy to integrate with new and existing products by software developpers. It is mostly invisible to end users while still allowing the usage of previously unsecure installation locations with a very subtle performance impact.

Antonin Verdier, Romain Laborde and Abdelmalek Benzekri IRIT, Universite Toulouse III - Paul Sabatier (Toulouse, France)