Pass The Salt 2023 Wrap-Up

I’m back from Lille, France, where I attended the sixth edition of the conference called “Pass The Salt“. This event focuses on security but around free software. Vendors are not welcome to promote their solutions! Christophe from the crew introduced the event. Basically, it remains the same: a lot of talks, different topics (offensive, defensive security), a friendly atmosphere, and a lot of exchanges between participants. For this edition, they received 44 proposals to the CFP and 25 were accepted. They welcomed 27 speakers. Amongst them, 6 came from EU (not France) and 1 from Argentina.

Read more: Pass The Salt 2023 Wrap-Up

The first batch of presentations focussed on a common topic: hardware security and, most precisely, the TPM chipset that is not present in most computers. Francisco Falcon presented vulnerabilities he discovered in the TPM 2.0 implementation. TPM’s can be physical, virtualized or firmware based and are use to perform cryptographic actions (for example: to generate random numbers or store keys). They help to strengthen some operations like the boot process (integrity) or to perform full-disk encryption (ex: Bitlocker uses the TPM chipset). The current standard (TPM 2.0) is maintained and published by the Trusted Computer Group. Francesco analyzed the code provided (and used in most TPM implementations) and found 2 vulnerabilities: CVE-2023-1017 and CVE-2023-1018. He explained the issue, just keep in mind that they provide OOB read & write.

The second talk, presented by the ANSSI, was also related to TPM. Like Francesco said before, TPM is used in the boot process of an OS to prevent tempering. During this process, a remote resource could be used using the “remote attestation” procedure. They developed an Android application called “Ultrablue” that, combined with a small tool running on the host, helps to improve this remote attestation using Bluetooth low-energy. Interesting approach!

Finally, to wrap-up the TPM stuff, Gabrielle Viala presented “Using an Unimpressive Bug in EDK II To Do Some Fun Exploitation”. She presented a bug found in EDK II. This software is the public alternative to UEFI. Due to the popularity of this tool, a vulnerability could have a huge impact on many manufacturers! Gabrielle explained the bug and how to exploit it. If you’re interested, have a look at the recording, the presentation has many details.

After a coffee break, we switched to another topic. First, Pierre Milioni talked about Qubes OS. This OS is not new. I remember that he was presented at RMLL in 2016! For those that don’t know the key feature of the OS, keep in mind that basically everything is virtualized (using “qubes”). This means that security is pretty good. At the opposite, using this OS on a daily basis can be… challenging! Pierre is using Qubes OS as a “endpoint” but he had also the idea to use it for his job: pentesting. He reviewed the pro & con of the OS. Interesting approach!

Then, Peter Czanik, a regular speaker at PTS, came to present the new features of Syslog-NG 4.0. This Syslog daemon improved with years and has plenty of features that help to manage your Syslog messages (locally or as a concentrator). The key feature in 4.0 is the ability to create key/value pairs after an automatic parsing of messages. If well-known log formats are integrated, it’s possible to write your own! I noted also the extended capability to interact with Python!

The second day started with a bunch of sessions about OSINT & Online security. Raphael Vinot kicked-off the day with “Analyse your weird URLs the easy way”.  Raphael’s job is to create tools that will help people to take decisions. Read: “is it bad or not?” All of them are open source of course. Everybody receives URLs every day and we are all curious. How to know if it’s legitimate? Running it in a sandbox can be hard (it consumes a lot of resources, time, …). Taking a screenshot is not enough (what about hidden Javascript code?). The challenge is also to repeat the analysis again and again. You can visit the same URL from different geo-location, browsers, time zones, languages, … URLs are everywhere (emails, PDFs, social networks, chat apps, so we need to automate! The tools reviewed were:

  • Lookyloo – It was already presented at multiple events. It helps to build a tree of redirects, and resources. It can extract artefacts and has connector to 3rd-party apps like MISP. 
  • Lacus – A stand alone capture service (API only), combined with Playwright, it uses actual browsers to crawl URLs. Very high throughput, it returns HHTTP archive, screenshot, cookie jar, code. …
  • Pandora – Used to statically analyze files

Alexandre Dulaunoy presented “Typo-squatting finder”, another tool provided by CIRCL.lu. The idea is to be proactive: between the domain registration and the real use of the domain. There are other tools that address this issue (like dnstwist). But here, we have an open source library. It covers not only domain names but also packages in the PyPi repository (also regularly targeted by typo-squatting attacks). The library is based on “algorithms” (21 at the time of the presentation) and can be easily expanded. Another tool was also presented by Alex: Similarius. It helps to detect changes between HTML pages.

The next presentation was “Clustering large amount of email with Minhash: an open-source Locality sensitive hash” by Nicolas Berveglieri. The idea was to present a solution to categorize spam and phishing emails. Today, they are mainly two types of attackers: targeted or regular campaigns. In the second case, multiple emails can be sent to victims. They look similar but they are small changes like the font, the text size, the color, etc. Not easy to spot this for a computer. A simple “hash” won’t solve the problem. Nicolas presented “MinHash” which helps to detect similarities across a huge amount of emails.

After the coffee break, CIRCL.lu was back on stage with Aurélien Thirion and a nice demo of AIL. This tool has been recently released under version 5.0.

The next talk was preformed by Clémentine Maurice as keynote speaker with”Reproducible Research in Micro-architecture Security (and Beyond): from Paper to Artifact Evaluation”. Being a researcher, she explained why reproducibility (in the context of academic security) is difficult to implement.

After the lunch break, we switched to a suite of tracks about supply chain security. The first talk was about “Rust Supply Chain Security” and presented by Alexis Mousset.  In Rust, the package manager is called “Cargo”. It handles all user interaction. A Rust package is called a “Crate“. Alexis explained where and how vulnerabilities can be introduces in the supply chain (example: by developers in the source code , in dependencies – other developers, etc) and how to handle them.

Then, Maya Constantini make an introduction to SigStore. In the context of supply-chain, signatures are important. They guarantee the software integrity & authenticity. But, developers have issues with classic tools to sign (like PGP or GnuPG). They are too complex. For example, the distribution of public keys can be a nightmare and the storage and rotation of private keys too. SigStore is a free service for digital artefacts. Signatures are logged publicly for verifications. As of today, 25M of signatures have been generated. The project started in 2020 at Redhat. The good points are:

  • No need to understand crypto
  • Simple interface
  • No private key
  • Audit & revocation in case of compromise
  • Signatures are bound to public indentity!

SigStore is based on different components:

  • rekor
  • fulcio
  • cosign

This look to be a nice system and it deserves to be tested by developers!

Guess what? Alexandre from CIRCL.lu was back on stage with another tool! How to secure the supply chain and speed up DFIR with Hashlookup. If packages can be signed by developers (see above), there is a huge difference between validating a third-party package signature and checking the files that have been installed by the package! Existing solutions like the NIST nsrl are not easy to use, expensive, etc. That why HashLookup has bene developed. Besides the tool to scan for files, it indexes many sources and have also a REST API. To speed up DFIR investigations, have a look at hasklookup-forensic-analyser.

After the afternoon coffee break, Eloïse Brocas presented “Map your firmware”. Firmwares are everywhere today (IoT, routers, automotive, smartphones, … ) Many firmware are structured with a filesystem and thousands of files, which means that it’s not easy to analyze them. The challenge is to understand the interactions between the components of the firmware:

  • files
  • network
  • config
  • dynamic linking

Eloïse demonstrated the tool she developed (Pyrrha) which comes on top of SourceTrail to browse the components of a firmware.

The last talk was “Gepetto: AI-powered reverse-engineering” presented by Ivan Kwiatkowski. Ivan is a reverse engineer and had the idea to interconnect the IDA debugger with ChatGPT to help in reverse engineering functions. Honestly, this was impressive! The plugin he developed has two main features:

  • To explain the purpose of a function ( comments are added on top of the function to describe what it does)
  • To rename variables with “nice” names

Reverse engineers know how these tasks can be a pain! Note that the plugin uses the ChatGPT API so there is a cost (think about $3 per reversing session). There is also a limitation with the token (very long function will break the limit).

The day ended with a bunch of rump sessions (with great content) and the social event.

The last day started later with a talk about pentesting: “PHP Filter: Out to Use It?” by Rémi Matasse. PHP is a great language from a pentester point of view. He explained again what is a LFI (Local File Inclusion) attack and why it’s so interesting. When you are able to load a resource, you can get code execution, read configuration files, abuse path traversal, etc. This is not a new vulnerability but still common. Then, he explained the purpose of the filter chain (“php://filter”). The idea is to manupilate file content (compress, convert, encode, decode, …). After some example, Rémi explained the blind file leak attack that helps to get the content of a file character by character. A tool has been developed to automate this attack: php_filter_chains_oracle_exploit. A paper has been released about this topic if you’re interested.

The next presentation was “zekrom: an open-source library of arithmetization-oriented constructions for zkSNARK circuits” by Antonio de la Phedra & Laurent Thoeny. This was a 100% pure crypto talk.

After the morning coffee break, William Robinet presented “ASN.1 templating for fun & profit”. ASN.1 means “Abstract Syntax Notation One”. It’s a standard interface description language for defining data structures that can be serialized and deserialized in a cross-platform way, usually used in cryptography. William showed a lot of examples based on the openssl command line:

openssl asn1parse -in file.dev -inform D -i

Then, he demonstrate his tool called asn1tempate.

The next speaker was Christian Studer, working for CIRCL.lu, who presented “How to survive to STIX parsing?” STIX means “Structured Threat Intelligence Expression” and is an exchange format. They are two major versions: 1.x (based on XML files) and 2.x (based on JSON files). Linked to STIX, there is also TAXII or “Trusted Automatic eXchange of Intelligence Information”, a exchange protocol. STIX 1.x was very complex with multiple ways to represent the same kind of information. The version 2.x solved most issues and is easier to parse. After some parsing demos, Christian explained that, in the context of MISP, the challenge is to validate the data but also to keep know references (UUID). To achieve this, they forked the STIX2 Python library and patched it to fix the validation process.

After the lunch break, the last batch of presentations started with Clément Notin and “Decrypt Kerberos/NTLM encrypted data in Wireshark”. After a quick recap of an Active Directory ecosystem, Clément explained in details how to decrypt the traffic of a workstation booting and joining the domain. The key element is to get the Kerberos key associated to the user. How?

Capture the traffic > Get Kerberos keys > Put keys in key tab file > Provide key tab to Wireshark > Enjoy

Then, on the same topic, Eric Leblond presented “Using Suricata to detect lateral movement in Windows environment”. Many people still think that Suricata is just an IDS/IPS but, like Eric explained, it can perform much more! It’s a full NSM (Network Security Monitoring) solution. He make multiple demos to detect bad traffic. The next step was to detect lateral movements, to achieve this, there is a Stamus Lateral Ruleset that can detect:

  • Remote creation of a net share
  • Remote creation of scheduled tasks
  • Remote creation of a service
  • Remote installation of a printer driver
  • DC enumeration

Finally, the closing talk was assigned to Ivan who presented “Why cyberoffense will never be regulated”. It focused on a fact: We want a safer Internet but it’s not easy to achieve. As usual, it was an eye-opener talk! Another great edition of Pass-The-Salt, see you next year for sure!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.