SSTIC 2016 – first day
Introduction
As every year, several Intrinsec consultants attended SSTIC (Symposium on Information and Communication Technology Security), which took place from June 1st to 3rd, 2016 in Rennes. We are sharing our reports from these three days.
We enjoyed this edition and thank the organizing and programming committees, as well as the speakers for their high-quality work.
The unique feature of SSTIC, due to its scientific conference format, is the availability of full papers to accompany the presentations. These are compiled in the proceedings, available in print and also on the conference website, along with the slides and videos. We encourage you to consult these papers in addition to the conference summaries.
Links to reports from other days:
Opening conference: grsecurity
Brad Spengler spoke at the opening conference. He is known for being the author of grsecurity, a patch that hardens the Linux kernel.
The first part of his presentation focused on a review of the new security features recently implemented, including the addition of randomness to the memory addresses of sensitive kernel structures, DenyUSB to prevent the addition of new USB devices after startup, as well as RAP which, according to him, will lead to the demise of ROP techniques (Return-Oriented Programming), JOP (Jump Oriented Programming), etc. based on a "verification of type hash on indirect control flow transfers".
The second part, more suited to the exercise of the keynote, was titled "state of infosec union" (in reference to the annual address of the President of the United States before Congress).
First, he painted a rather bleak picture of our community: obsessed with the ever-increasing number of bugs and vulnerabilities. He did, however, note a growing sophistication in memory corruption attacks (buffer overflows and others) which have become application-specific (e.g., Flash, Adobe Reader). According to him, there are too many conferences (which he believes are not the best way to transfer knowledge) for only high-quality content to be presented.
He spoke out against certain "charlatan thought leaders" who produce content he considers overhyped for several reasons. According to him, it's easier to produce shallow and appealing content than to question it. He also notes the shift from Bugtraq disclosures in previous decades to Twitter today, which encourages a focus on simplification to attract attention. He observes that this situation creates a disconnect between the state of the art in research and what constitutes classic individual threats: APTs are all the rage, unlike more common attacks (Office macros, hidden extensions, unsuspecting users, etc.).
In the future, in order for the level of security to improve, he hopes that security researchers will be more interested in developing generic, long-lasting protection techniques that do not increase the attack surface (he cites grsecurity as a model, of course), than in the serial disclosure of individual bugs.
Finally, he concluded by giving us the following recommendations for being, in his opinion, useful members of the community:
- Applying critical thinking
- Learning that it is acceptable to admit not knowing
- Leverage constructive criticism as opportunities for improvement
- Reject the race for fame and instead submit rich, high-quality content to publications like Phrack
- Don't take shortcuts: work as much as necessary and learn the fundamentals
- Complaining is easy for everyone, it's better to focus on correcting something.
Collaborative approach to analyzing malicious code
Adrien Chevalier, Stéfan Le Berre, and Tristan Pourcelot from Sogeti/ANSSI took advantage of this conference to present their collaborative methodology for analyzing malware. They also published the tools they developed for this purpose.
This need stems from the observation that there are more malware authors than people capable of reverse engineering their work. This analysis allows for the identification and categorization of malware, as well as the extraction of elements to enable its detection. In short, their need was to quickly obtain indicators of compromise (IOCs) and reports using numerous input samples along with their collection context (e.g., the relevant ministry).
They presented the different stages of an analysis, highlighting the difficulties inherent in each, before unveiling the Polichombr tool (named after a Pokémon), whose development began in 2014. It is now publicly available under the CeCILL open-source license (https://github.com/ANSSI-FR/polichombr). It addresses the following challenges: sample storage, centralization of information and knowledge (capitalization), teamwork, automation of analysis, classification and sharing of results.
Two sub-projects were also unveiled:
- Skelenox: IDAPython script to interact with Polichombr
- Machoc: an algorithm for calculating a code's fingerprint based on its control flow graph. The fingerprint has the advantage of being lightweight (transmissible via email), suitable for executables, resistant to recompilation (the graph remains similar), and compatible with processor architecture changes (32/64 bits).
Samples submitted to the platform are automatically analyzed and classified if they belong to a known family. If needed, the analyst can also perform a manual analysis in IDA by building upon a colleague's work (sharing .idb files via Skelenox) and share their results. The output can include technical data for analysts, indicators of compromise (IOCs) for defense and incident response teams, and summary reports, all filtered according to sensitivity level to ensure the right information is shared with the right people.
Gunpack: a generic malware unpacking tool
Julien Lenoir from Airbus Group Innovation presented his Gunpack tool to facilitate the writing of scripts for unpacking malware.
After a brief overview of packing and the state of the art in unpacking (tools exist, but few are open-source and scriptable), the speaker presented Gunpack, which works by instrumenting the operating system (which has the drawback of being detectable by an advanced packer). It comprises two components: a kernel driver and a Python process.
At the kernel level, Gunpack identifies the packer's behavior by modifying the memory page permissions (exclusive OR on write and execute) of the analyzed program without its knowledge, and by intercepting the generated faults. System calls (syscalls) are also intercepted.
These collected events allow us to understand how the packer works and to write an unpacking script.
The current limitations of Gunpack are as follows:
- 32-bit support only
- Only Windows 7 in PAE mode is supported.
- Does not work with a packer using a virtualizer (the original code is modified into bytecode executed by a virtual machine specific to the packer).
The speaker concluded by presenting some concrete examples of use.
Proprietary Encryption Black Box Cryptanalysis: A Case Study
Pierre Capillon, from the ANSSI Audit and Inspection Office, presented a practical case study of black-box analysis of proprietary encryption. The objective was to expose the flaws in these proprietary implementations to demonstrate that they are often insecure (creating a false sense of security) while also showcasing the skills and resources required to carry out these attacks.
The context was that of proprietary embedded equipment, protected by a heatsink and impossible to damage (it was on loan). With no vulnerabilities in the equipment, the only way to analyze the firmware was to retrieve the update file. This file was protected by an obfuscation/encryption mechanism, which the speaker then targeted.
He showed us the different stages of his analysis, including the comparisons made between two versions to distinguish the identical and modified parts, as well as the various unsuccessful attempts (search for opcodes and calling conventions, binwalk-style data fingerprinting, reverse engineering of the update software).
After 6 weeks (3 full-time equivalent, instead of the initial 2 days planned), the various pieces of the firmware update file were obtained in plain text and revealed a 42 MB ELF binary implementing a complete and proprietary real-time OS in obfuscated C++.
In conclusion, he demonstrated that homemade cryptography is often invertible, and he discovered vulnerabilities in the firmware that have since been patched. The manufacturer has also changed the algorithm.
Eurisko: development of a secure electronic card
The authors of this presentation are: Arnaud Ebalard, Arnaud Fontaine, David Diallo, Jean-Pierre Flori, Karim Khalfallah, Mathieu Renard and Ryad Benadjila from ANSSI.
They set about creating a secure electronic board (dedicated component certified EAL5+) with functional and security objectives.
The functional objectives were:
- Presence of two Gigabit Ethernet network interfaces (for example, to serve as the basis for a router or an HSM)
- Power consumption less than 5 W
- Reduced size
- Use of off-the-shelf (COTS) components
The security objectives were:
- Hardened Linux kernel with grsec
- Controlled code (as little external code as possible)
- Pre-boot authentication
- Boot process integrity
- Securing updates
The reasons for this project were:
- Skills development (on ARM architecture and in software and hardware development)
- The discovery of the state of the art in electronic components
- The difficulties associated with the industrial-style creation process
They then presented the board's components in detail, including the SoC which boots from an image securely served from another, equally secure, storage component. The compilation chain and self-imposed development rules (simple C language: C99, no dynamic allocation, strongest possible typing, linear and synchronous code) were also revealed.
Their feedback on the use of secure components (entry ticket and level of security obtained) and on R&D prototyping (experience acquired, subcontracting relationships and results obtained) was described in conclusion.
Evolution and de-evolution of embedded multimedia systems
This presentation by François Pollet (Thales Communication and Security) and Nicolas Massaviol (Toucan System) focused on the security of embedded systems in modern vehicles. It was based on feedback from an audit of two models from two different, unnamed manufacturers (two versions of one of the models were reviewed).
Both models separate the multimedia communication bus (CAN bus) (used for in-car entertainment: music, telephony, etc.) from the vehicle bus (used to control and monitor the engine, brakes, etc.). However, in the first case, the multimedia and telecom units are connected to both buses (making them preferred targets), while in the second model, they are only connected to the multimedia bus, and messages pass through a gateway to reach the vehicle bus.
Regarding the multimedia box, here are the most serious vulnerabilities discovered:
- The JTAG port was supposed to be disabled in production but was not in practice, and for the other manufacturer, a serial port with an authentication screen was accessible.
- Encrypted and signed update file, but bypassable
- Obtaining information (such as passwords) from accessible memory chips.
- At the operating system level: the first manufacturer uses old versions of Android that are vulnerable to known exploits, and the second manufacturer exposes root access without a password in addition to a vulnerability in the signing of updates (simply removing the file containing the signatures from the archive is enough for the modified update to be accepted).
Once this device is compromised, the attacker can broadcast very loud and unstoppable music to surprise and disturb the driver, or try to bounce off the vehicle bus to sabotage the physical operation of the vehicle.
Regarding the telecom box, they noted a large attack surface (JTAG on the hardware side, GSM/2G/3G on the radio side and SSL on the application side) and discovered vulnerabilities.
They concluded on the future of connected vehicles with cloud-based car sharing, remote start, convoy driving delegation, the arrival of autonomous vehicles and PYOD (smartphone and vehicle integration).
USBiquitous: USB intrusion toolkit
Benoît Camredon from Airbus Group presented his USBiquitous project, which stemmed from the observation that the omnipresence of the USB protocol and ports is accompanied by a growing number of discovered vulnerabilities. To better audit devices and implementations of this protocol, he created a multi-component framework: a hardware board (USBq Board) with several interfaces running Linux, plus a specific kernel module (USBq Core), and a user-space library (USBq API) used by applications (USBq Apps) to implement the desired functions. The board can emulate a USB client or host, or act as a proxy.
The speaker then presented the state of the art (and the gap that his project fills) and a brief overview of the USB protocol, followed by a detailed description of the various components of the project.
Thanks to these basic building blocks, it is easier to implement interesting use cases:
- In proxy mode: the user can observe and modify messages, store them as pcap files for later analysis, implement a USB firewall (e.g., depending on the device type) or a keylogger, and generate invalid messages by mutation to detect bugs…
- In device emulation mode: keyboard simulation (RubberDucky / Teensy style), fuzzing of the host's USB implementation (a vulnerability in Windows was notably discovered), replay of previously captured exchanges (used by the author to solve part of the SSTIC 2015 challenge), enumeration of the device classes supported by the host…
- In host emulation mode: it is possible to enumerate connected USB devices, implement remote controls for specific devices (e.g., USB missile launchers), fingerprint the device to detect the USB chip used, implement the BadUSB attack…
In conclusion, the speaker hopes that this project can be used to identify vulnerabilities in USB hosts and devices or for penetration testing.
Type confusion in C++: performance at the expense of type safety«
Florent Saudel, a doctoral student at Amossys, has been studying vulnerabilities related to the exploitation of type confusion in C++ code. His work is motivated by the fact that this class of vulnerability has been the source of six CVEs allowing arbitrary code execution since the first half of this year.
In short, this vulnerability stems from incorrect type casting in the code related to the use of the four type conversion operations: static_cast, reinterpret_cast, dynamic_cast, and const_cast (the last of which does not cause this vulnerability). Each implements varying degrees of checks on the source and target types, at compile time or runtime, thus having implications for security and performance.
A simple example to understand the concept was presented followed by the primitives necessary for arbitrary code execution: information leakage (accessing information on the stack), memory corruption (writing arbitrary data) and control flow hijacking (executing previously injected and interpreted data as code).
In conclusion, he notes that the most vulnerable program classes are browsers and interpreters. Furthermore, the exploitation of this vulnerability can be detected at runtime by the automatic addition of valid code to the compilation process, but this has the drawback of slowing down execution.
My friends botnet: How to use your friends to perform Cyber Int?
Amaury Leroy from CERT Airbus explained to us his ultimate wish to have a copy of the Internet (at least network information: WHOIS databases, domain names and IP addresses…) accessible offline to make queries quickly, discreetly and which allow monitoring of changes over time.
The problem he encountered was the large amount of storage required, which led him to enthusiastically turn to the cloud. However, he faced several difficulties (not enough outgoing IP addresses available on Amazon EC2, banning of traditional dedicated servers due to misuse, VPS available from unreliable and already blacklisted hosting providers, insufficient performance of Tor, etc.).
He therefore set about creating small boxes that he could distribute among his friends, in order to spread the effort of collecting raw data, and finally centralize it on his server.
He then demonstrated two practical examples of data exploitation:
- Comments submitted on the samples on VirusTotal
- Passive DNS history data to track the actions of an attacker group
Software components verified in F*: Poly1305
Benjamin Beurdouche and Jean Karim Zinzindohoue from the Prosecco team (INRIA Paris and Microsoft Research INRIA) questioned the security of critical Internet components, for example OpenSSL, and what the contribution of formal methods could be.
They presented the F* language: open-source, functionally oriented, with rich types and interaction with an SMT solver (pre- and post-conditions). For compilation, these properties are "removed" to make way for OCaml/F#, which is compilable.
Several properties can be proven statically, including memory safety and prevention of integer overflows.
He then presented a concrete application to the recent MAC (Message Authentication Code) algorithm Poly1305.
Broken Synapse
Ivan Kwiatkowski spoke to us about his work on the game Frozen Synapse. His goal was to lift the fog of war (which obscures certain units) to gain an advantage over his opponents.
His first network traffic analysis with Wireshark was inconclusive, so he attempted reverse engineering the application before discovering that he was analyzing a known script engine (Torque Game Engine) and that he should instead turn to the .cs.do files which contain the game logic as written by its developers in the form of compiled scripts.
His work led him to write an emulator/decompiler of this format: he thus manages to recover the initial scripts which he can then modify and recompile, to reinject them into the engine and finally play with his modified version without the fog of war.
The advantage of this method is that it eliminates the need for network protocol analysis.
A FizzBuzz for cyber
Eric Jaeger and Olivier Levillain of ANSSI were interested in recruitment questionnaires (for a job, or in their case, for entry into a training program) with the objective of further evaluating reflection and the ability to understand security in relation to pure knowledge.
They were inspired by the famous recruitment test for developers called FizzBuzz and showed us several examples of multiple-choice questions that can be answered without calculating or searching the web, and how they are more interested in the thought process, the approach to solving and the questions raised (on the recruiter and candidate sides) than in the exact answers.
Here are some examples of topics covered (examples of questions are available in the article): mathematics, computer culture, cryptology, shell, networks, C language, incident management.
