Here is my wrap-up for the second day. From my point of view, the morning sessions were quite hard with a lot of papers based on hardware research.
Anaïs Gantet started with “CrashOS : recherche de vulnérabilités système dans les hyperviseursâ€. The motivations behind this research are multiple: virtualization of computers is everywhere today, not only on servers but also on workstations. The challenge for the hypervisor (the key component of a virtualization system) is to simulate the exact same hardware platform (same behaviour) for the software. It virtualizes access to the memory and devices. But do they do this in the right way? Hypervisors are software and software have bugs. The approach explained by Anaïs is to build a very specific light OS that could perform a bunch of tests, like fuzzing, against hypervisors. The name of this os is logically “CrashOS“. It proposes an API that is used to script test scenarios. Once booted, tests are executed and results are sent to the display but also to the serial port for debugging purposes. Anaïs demonstrated some tests. Up to today, the following hypervisors have been tested: Ramooflax (project developed by Airbus Security), VMware and Xen. Some tests that returned errors:
- On VMware, a buffer overflow and crash of the VM when writing a big buffer to COM1.
- On Xen, a “FAR JMP” instruction should generate a “general protection” failure but it’s not the case.
CrashOS is available here. A nice presentation to start the day!
The next presentation went deeper and focused again on the hardware, more precisely, the PCI Express that we find in many computers. The title was “ProTIP: You Should Know What To Expect From Your Peripherals” by Marion Daubignard, Yves-Alexis Perez. Why could it be interesting to keep an eye on our PCIe extensions? Because they all run some software and have usually a direct access to the host computer resources like memory (for performance reasons). What if the firmware of your NIC could contain some malicious code and search for data in the memory? They describe the PCIe standard which can be seen as a network with CPU, memory, a PCI hierarchy (a switch) and a root complex. How to analyse all the flows passing over a PCIe network? The challenge is to detect the possible paths and alternatives. The best language to achieve this is Prolog (a very old language that I did not use since my study) but still alive. The tool is called “ProTIP†for “Prolog Tester for Information Flow in PCIe networks” and is available here. The topic was interesting when you realise what a PCIe extension could do.
Then, we got a presentation from Chaouki Kasmi, José Lopes Esteves, Mathieu Renard, Ryad Benadjila: “From Academia to Real World: a Practical Guide to Hitag-2 RKE System Analysis“. The talk was dedicated to the Hitag-2 protocols used by “Remote Keyless Entry” with our modern cars. Researches in this domain are not brand new. There was already a paper on it presented at Usenix. The talk really focussing on Hitag-2 (crypto) and was difficult to follow for me.
After the lunch break, Clémentine Maurice talked about accessing the host memory from a browser with Javascript: “De bas en haut : attaques sur la microarchitecture depuis un navigateur web“. She started with a deeply detailed review of how the DRAM memory is working and how to read operations make use a “row buffer” (like a cache). The idea is to be able to detect key presses in the URL bar of Firefox. The amount of work is pretty awesome from an educational point of view but I’ve just one question: how to use this in the real world? If you’re interested, Clémentine published all her publications are available here.
The next talk was interesting for people working on the blue team side. Binacle is a tool developed to make a full-text search on binaries. Guillaume Jeanne explained why full-text search is important and how it fails with classic methods to index binary files. The goal is not only to index “strings” like IP addresses, FQDN but also suite of bytes. After testing several solutions, he found a good one which is not too resources consuming. The tool and his features were explained, with the Yara integration (also a feature to generate new signatures). To be tested for sure! Binacle is available here.
The next tool presented by YaCo: “Rétro-Ingénierie Collaborative” by Benoît Amiaux, Frédéric Grelot, Jérémy Bouétard, Martin Tourneboeuf, Valerian Comiti. YaCo means “Yet another collaborative tool”. The idea is to add a “multi-user” layer to the IDA debugger. By default, users have a local DB used by IDA. The idea is to sync those databases via a Gitlab server. The synchronisation is performed via a Python plugin. They made a cool demo. YaCo is available here.
Sibyl was the last tool presented today by Camille Mougey. Sibyl helps to identify libraries used in the malicious code. Based on Miasm2, it identifies functions and their side effect. More information is available on the Github repository.
The next talk was about the Android platform: “Breaking Samsung Galaxy Secure Boot through Download mode” presented by Frédéric Basse. He explained the attacks that can be launched against the bootloader of a Samsung Galaxy smartphone via a bug.
Finally, a non-technical talk presented by Martin Untersinger: “Oups, votre élection a été piratée… (Ou pas)”. Martin is a journalist working for the French newspaper “Le Monde”. He already spoke at SSTIC two years ago and came back today to give his view of the “buzz” around the hacking of the election processes around the world. Indeed, today when elections are organised, there are often rumours that this democratic process has been altered due to state-sponsored hackers. It started in the US and also reached France with the Macronleak. A first fact reported by Martin is that information security goes today way beyond the “techies”… Today all the citizens are aware that bad things may happen. It’s not only a technical issue but also a geopolitical issue. Therefore, it is very interesting for journalists. Authorities do not always disclose information about the attribution of the attack because it can be wrong and alter the democratic process of elections. Today documents are published but the attribution remains a political decision. It touchy and may lead to diplomatic issues. Journalists are also facing challenges:
- Publish leaked docs or not?
- Are they real or fake?
- Ignore the information or maybe participle to the disinformation campaign?
But it is clear that good a communication is a key element.
The day closed with the second rump sessions with a lot of submissions (21!). Amongst them, some funny ideas like using machine learning to generate automatic submissions of paper to the SSTIC call for paper, an awesome analysis of the LinkedIn leaked passwords, connected cars, etc… Everybody moved to the city centre to attend the social event with nice food, drinks and lot of interesting conversations.
Today, a lot of tools were presented. The balance between the two types of presentation is interesting. Indeed, if pure security research is interesting, sometimes it is very difficult to use it in the real context of an information system. However, presented tools were quick talks with facts and solutions that can be easily implemented.