SSTIC 2015 – Day Two

This post covers the second day of SSTIC 2015.

SSL/TLS, 3 years later — Olivier Levillain

The presentation focused on vulnerabilities discovered in the SSL/TLS protocol and its implementations over the past three years. It was observed that developers frequently make the same mistakes in the same places. Admittedly, the SSL/TLS specifications are quite flexible, and that flexibility likely does not make the developers' job any easier. In conclusion, a project like FlexTLS helps identify security issues caused by poor implementation, and the arrival of TLS 1.3 will also provide solutions to the problems encountered.

The risks of OpenFlow and SDN — Maxence Tury

ANSSI has conducted research on SDN and one of its implementations, OpenFlow. SDN (Software-Defined Networking) doesn't have a precise definition, but the principle is to separate the routing function from the packet-forwarding function. In a traditional network, the router performs both. Once these two functions are separated, a new protocol is needed so that the routing and forwarding functions can communicate; this is where OpenFlow comes in. After presenting how the OpenFlow protocol works, ANSSI pointed out some weaknesses identified in it, notably the lack of TLS for communications and the potential for controller overload. It should be noted that, to test the protocol, ANSSI developed specific Scapy modules, which have been published.

Four million key exchanges per second — Adrien Guinet, Carlos Aguilar, Serge Guelton, Tancrède Lepoint

This presentation focused on the possibility of improving performance during cryptographic calculations based on lattice-based cryptography (https://en.wikipedia.org/wiki/Lattice-based_cryptography). As this presentation was very dense, we recommend that you read the proceedings.

VLC, Blu-ray DRM, and HADOPI — Jean-Baptiste Kempf

Jean-Baptiste, the current president of the VideoLAN association, tells us how the association was founded at the Centrale Paris engineering school. In the early 1990s, students were eager for a new Ethernet network (not a Token Ring network). They negotiated with Bouygues Telecom to provide one, in exchange for resolving a problem with satellite video transmission. This is how VLC was born. As a reminder, VLC is a cross-platform tool that allows you to play videos without having to install additional codecs. It's a non-profit project entirely produced by volunteers (feel free to support the project). Jean-Baptiste then presented the various DRM systems implemented on DVDs and Blu-rays. Finally, the presentation concluded with the discussions between VLC and Hadopi regarding whether the project was operating illegally, as it is able to bypass the implemented DRM and thus play DVDs and Blu-rays. However, Hadopi was unable to answer this question. It was a good presentation; we recommend you watch the video of the presentation.

Security analysis of proprietary SCADA technologies — Alexandre Gazet, Florent Monjalet and Jean-Baptiste Bédrune

The speakers focused on a proprietary communication protocol between a PLC and a control system used in an industrial setting. The presentation highlighted the approach used to reverse engineer this protocol. Although some vulnerabilities were identified and reported to the manufacturer, the speakers noted a greater awareness of security issues among manufacturers.

HbbTV Protocol and Security: Some Experiments — Eric Alata, Jean-Christophe Courrege, Mohammed Kaaniche, Pierre Lukjanenko, Vincent Nicomette and Yann Bachy

The speakers tested the security of a Smart TV. They identified various attack vectors on this type of equipment: local attacks via the LAN, via the internet, via the update server, via the ADSL local loop, etc. They focused particularly on the possibility of disrupting the DTT (Digital Terrestrial Television) video broadcast stream. The initial idea is to replace the video content displayed on the television. Since the video protocol does not verify the broadcast source, but only considers the source with the strongest signal, this attack is feasible. Subsequently, the speakers discovered that the video stream contains an application URL for each channel. By sending a malicious stream containing a URL with JavaScript code, it is possible to send UPnP requests to the victim's ADSL modem and open accessible ports on that modem to access the television from the internet, and more generally, the internal network.

Smart card compromise via the ISO 7816-3 protocol layer — Guillaume Vinet

This talk presented an approach to fuzzing smart cards. To keep costs down, the speaker set up a test platform with an Arduino, a Python client, and the Sulley fuzzing framework to perform the fuzzing on smart cards. He was able to identify buffer overflows on certain cards. The author plans to extend his research to contactless cards.

Fuddly: A framework for fuzzing and data manipulation — Eric Lacombe

Eric presented the Fuddly framework, which allows for fuzzing as well as data manipulation. He noted that current fuzzers did not provide sufficient flexibility and that advanced frameworks were incompatible with Airbus's constraints (proprietary source code, compatibility with unusual architectures, etc.). Fuddly supports the following formats: ZIP, PDF, PNG, JPG, USB descriptors, and certain avionics protocols. The tool is available on GitHub. https://github.com/k0retux/fuddly

Avatar: A Framework to Support Dynamic Security Analysis of Embedded System's Firmwares — Jonas Zaddach

Jonas introduced us to the Avatar framework, which enables dynamic firmware analysis. The idea is that analyzing an embedded system is complex because you don't necessarily have all the necessary elements to perform the analysis (compilation toolchain, firmware source code, documentation, emulator, etc.). Avatar acts as a proxy between an emulator and the embedded system being analyzed. It thus allows you to analyze the requests sent and received. More information is available on the Eurecom website. http://s3.eurecom.fr/tools/avatar/

A Large-Scale Analysis of the Security of Embedded Firmwares — Andrei Costin

The speaker wanted to conduct a large-scale analysis of embedded system firmware. The idea was to perform a mass study of existing vulnerabilities. The problem is that there are no public databases listing all firmware versions. The first step of their study was therefore to collect as many firmware versions as possible, which is no easy task. Sometimes it was possible to retrieve them from the vendor's website, other times the speaker had to extract them via JTAG. Next, to perform the analysis, the BAT (Binary Analysis Toolkit) was used. Some modifications were made to adapt it to their needs. Finally, numerous vulnerabilities were identified in all the analyzed firmware versions. The author's complete results are available on the website: http://firmware.re/

Challenge results

As every year, the winner of the quality ranking presented their solution. It should be noted that more than 29 people solved the challenge. The prize for the most original solution, presented visually, was awarded to Axelle Apvrille (http://static.sstic.org/challenge2015/solutions/equipe_apvrille_lugou.zip).

We invite you to read the solutions of the various winners: http://communaute.sstic.org/ChallengeSSTIC2015

Rumps

As every year, we were spoiled! No fewer than 33 rumps! We're not going to give you a summary of all the rumps, but the rump moment is always a special one. The speaker has 3 minutes to make their presentation. If the audience isn't won over, they applaud to signal that the presentation is over!

Here are some interesting rumps:

  • Dungeons, Dragons, and Security: This is a role-playing game designed to raise security awareness among newcomers (https://github.com/tromand/NeoSens)
  • HQL – Hibernate Query Language: This is a layer on top of SQL used in Java. The speaker explains how it's still possible to inject SQL. In fact, you just need to insert a backslash and two apostrophes, so that HQL ignores the rest…
  • S(4)u for Windows: There is no equivalent to the `su` command in Windows. `runas` and `psexec` exist, but they either require the user's password or grant SYSTEM privileges. S4U appeared with Kerberos and allows you to retrieve a user's privileges. The tool is available on GitHub: https://github.com/aurel26/s-4-u-for-windows
  • BreizCTF: A Capture The Flag game is being organized in Rennes on June 29th on the Epitech Rennes campus.
  • FIR: Société Générale has developed a security incident tracking tool that also facilitates reporting. The tool is available on GitHub: https://github.com/certsocietegenerale/FIR
  • IVRE (Instrument for Monitoring External Networks): This framework allows for network scanning. The speakers tested their tool across the entire internet. Naturally, interesting results were identified, particularly SCADA interfaces. The tool is available on GitHub. https://github.com/cea-sec/ivre
  • Netzob: This tool, which has already been presented at SSTIC, facilitates reverse engineering of a network protocol. The speakers demonstrated in three minutes how to analyze a PCAP capture with Netzob in order to reconstruct the protocol messages.
  • GreHack 2015: The GreHack conference in Grenoble is back. The CFP is out. Please note: the website is now grehack.fr and the official Twitter account is @GrehackConf.
  • BotConf 2015: Botconf will take place in Paris at Google's offices from December 2nd to 4th, 2015.
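As an added illustration of the HQL rump above (this is not code from the talk, nor from Hibernate's own documentation), the following Java snippet places the string-concatenated HQL lookup next to its parameterized form. The `User` entity, its `username` property and the `findUser*` method names are assumptions made for the example; the `Session`, `Query`, `createQuery(String, Class)` and `setParameter` calls are the standard Hibernate 5.2+ API.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Added example: vulnerable vs. hardened HQL lookup.
// The User entity below is an assumption for the example; a real
// application would map its own entity and obtain the Session from
// a SessionFactory.
public class HqlLookup {

    @Entity
    public static class User {
        @Id
        public Long id;
        public String username;
    }

    // Vulnerable: the untrusted value is spliced into the HQL text, so any
    // quoting trick contained in it (the backslash-and-apostrophes case
    // mentioned in the rump) is seen by the HQL parser and can change the
    // structure of the query that reaches the database.
    public static List<User> findUserUnsafe(Session session, String username) {
        String hql = "from User u where u.username = '" + username + "'";
        return session.createQuery(hql, User.class).list();
    }

    // Hardened: the HQL text is a constant and the value is bound as a named
    // parameter. Hibernate hands it to the JDBC driver as a bind variable, so
    // quotes or backslashes in it are just characters of the compared value
    // and never part of the query language.
    public static List<User> findUserSafe(Session session, String username) {
        Query<User> q = session.createQuery(
            "from User u where u.username = :name", User.class);
        q.setParameter("name", username);
        return q.list();
    }
}
```

The same rule applies to the Criteria API and to native SQL issued through Hibernate: the query structure must be fixed at compile time and every user-controlled value must travel as a bound parameter. A code review or static-analysis rule that flags `createQuery(` with a non-constant string argument catches the vulnerable pattern directly.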