
SSTIC 2014 – Day Two


Here is the report of the second day by Nicolas and Erwan.

«Escalation of Privilege in a Java Card Smart Card» – Guillaume Bouffard & Jean-Louis Lanet

Guillaume Bouffard and Jean-Louis Lanet implemented attacks on smart cards to access the information stored on them, but also to elevate their privileges. After demonstrating that attacks published a few years ago could still be carried out on recent cards, they detailed their fuzzing approach, which led to the discovery of new vulnerabilities (native code execution).

«Vulnerability Research in USB Stacks: Approaches and Tools» – Fernand Lone Sang & Jordan Bouyat

During this conference, Fernand Lone Sang and Jordan Bouyat reminded us that USB is deployed on numerous devices, is managed by low-level layers, and therefore presents an opportunity to be fuzzed in search of "interesting" behaviors. To perform this fuzzing, proprietary tools that are difficult to script or Arduinos that require flashing each time proved inadequate for the task. A Facedancer designed by Travis Goodspeed – mentioned again at this SSTIC conference – was therefore used to receive USB packets, modify them, and then retransmit them after modification.

The original packets, captured from a Facedancer, a QEMU virtual machine, and a physical sniffer, are collected in pcap files and then processed with Radamsa, which mutates them before they are sent back to the target. A monitoring system is in place on the targets to detect any abnormal behavior.

Two unexploitable bugs were found, one in the HID parsing, the other in the Windows 8.1 USBSTOR driver.

An evolution of the tool is planned to improve performance and manage USB 3 or even device fuzzing.


«Bootkit revisited» – Samuel Chevet

Samuel Chevet reviewed the state of the art and the history of bootkits, noting that they often consist of hooks and addresses that are sometimes hard-coded. Therefore, they do not constitute a stable solution.

As a reminder, rootkits attempt to load a malicious driver into kernel space to take control of the system; they are no longer a viable attack vector since Windows enforces driver signing (unless a legitimate certificate is "borrowed"). Bootkits therefore replace rootkits and aim to compromise the system from the moment it starts up.

The Reboot project maintains control throughout the entire boot sequence (BIOS, MBR, VBR, BootMgr, Winload, etc.), even across mode changes (real, protected, etc.). The technical explanation was extremely precise, interesting, and complex. It concluded with a successful demonstration of a bootkit that lets a user authenticate under Windows 8.1 without knowing the password.

«Remote and Hardware-Assisted Integrity Testing of Virtual Machine Hypervisors» – Benoît Morgan, Eric Alata & Vincent Nicomette

The goal was to develop a tool to verify the integrity of a hypervisor. To achieve this, they used a dedicated PCI device and an FPGA card. The project is still under development and is not yet complete.

«Mainframe System Security» – Stéphane Diacquenod

Stéphane Diacquenod demonstrated the security features offered by mainframes (z/OS in particular) and what can be achieved with a default configuration. In addition to administration being performed via Telnet, passwords are limited to eight characters, without special characters, stored without salts, and encrypted with DES. Furthermore, the RACF table, which contains authentication and authorization information, can be accessed by multiple users.

Short presentation: "Large-scale network reconnaissance: port scanning is not dead" – Adrien Guinet & Fred Raynal

The goal was to retrieve information (banners, SSL/TLS certificates, etc.) on a large scale (by scanning all IPv4 addresses in a country, for example). Current tools are unsuitable because they are synchronous and therefore slow (nmap) or difficult to script (masscan, zmap). The presenters therefore developed a new, distributed, lightweight, and efficient tool to which probes can be dynamically added. This allowed them, among other things, to scan 30 ports across all 30 million IPv4 addresses in Spain with 100 probes in 25 hours.

«Cryptocoding» – Jean-Philippe Aumasson

Jean-Philippe Aumasson reviewed several cryptography libraries (primarily OpenSSL) to demonstrate the poor quality of their code, which sometimes leads to critical vulnerabilities such as Heartbleed and gotofail. He then showed how difficult it is to find skilled developers in this field due to the complexity of designing and implementing cryptographic mechanisms. He concluded by presenting the recently launched Cryptography Coding Standard project, a wiki compiling guidelines for writing secure cryptographic code.


«Buy it, use it, break it… fix it: Caml Crush, a filtering PKCS#11 proxy» – Ryad Benadjila & Thomas Calderon & Marion Daubignard

Ryad Benadjila, Thomas Calderon, and Marion Daubignard presented a filtering proxy that blocks selected PKCS#11 requests in order to strengthen the security of a token (such as a smart card) considered weak. The goal is to block attacks (such as setting conflicting attributes on key objects) or to add functionality missing from the standard (distinguishing between users, enforcing a robust PIN policy, etc.).
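As an added illustration, not Caml Crush's own code or configuration, here is a toy model in Python of the kind of policy such a filtering proxy can apply: it refuses object templates that combine attributes that are dangerous together (for instance CKA_WRAP with CKA_DECRYPT, which allows a sensitive key to be wrapped and then decrypted in the clear) and stops C_SetAttributeValue from weakening the "sticky" CKA_SENSITIVE and CKA_EXTRACTABLE attributes. The attribute and return-code names are the standard PKCS#11 ones; the conflict list, the class and method names and the sample requests are assumptions made for this example.

```python
"""Toy model of a filtering PKCS#11 proxy policy (constructed illustration,
not Caml Crush's code). Attribute values are the PKCS#11 standard ones; the
policy rules, class and method names are assumptions made for this example."""

CKA_SENSITIVE, CKA_ENCRYPT, CKA_DECRYPT = 0x103, 0x104, 0x105
CKA_WRAP, CKA_UNWRAP, CKA_EXTRACTABLE = 0x106, 0x107, 0x162

# Pairs that must never both be TRUE on one key: wrap+decrypt lets a caller
# wrap a sensitive key under this key and then decrypt the wrapped blob.
CONFLICTS = [(CKA_WRAP, CKA_DECRYPT), (CKA_UNWRAP, CKA_ENCRYPT)]

# "Sticky" attributes: the only permitted change, as attr -> (from, to).
# The "from" value doubles as the default when the attribute was never set.
STICKY = {CKA_SENSITIVE: (False, True), CKA_EXTRACTABLE: (True, False)}


class FilteringProxy:
    """Sits between application and token and keeps a shadow copy of each
    object's attributes, so a later C_SetAttributeValue is judged against
    the object's current state and not only against the new template."""

    def __init__(self):
        self.objects = {}      # handle -> {attribute: bool}
        self.next_handle = 1

    @staticmethod
    def _conflicts(attrs):
        return [p for p in CONFLICTS if attrs.get(p[0]) and attrs.get(p[1])]

    def create_object(self, template):
        """Model of C_CreateObject / C_GenerateKey: reject conflicting templates."""
        if self._conflicts(template):
            return None, "CKR_TEMPLATE_INCONSISTENT"
        handle, self.next_handle = self.next_handle, self.next_handle + 1
        self.objects[handle] = dict(template)
        return handle, "CKR_OK"

    def set_attribute_value(self, handle, template):
        """Model of C_SetAttributeValue: enforce sticky attributes, then check
        conflicts on the merged (current + requested) attribute set."""
        current = self.objects.get(handle)
        if current is None:
            return "CKR_OBJECT_HANDLE_INVALID"
        for attr, value in template.items():
            if attr in STICKY:
                old = current.get(attr, STICKY[attr][0])
                if old != value and (old, value) != STICKY[attr]:
                    return "CKR_ATTRIBUTE_READ_ONLY"
        if self._conflicts({**current, **template}):
            return "CKR_TEMPLATE_INCONSISTENT"
        current.update(template)   # only reached when the policy accepted it
        return "CKR_OK"
```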


«Martine is setting up a CERT» – Nicolas Bareil

Nicolas Bareil presented a case study on the creation of the Airbus Group CERT. He described it as an industrial CERT, a type that, according to him, did not previously exist and was created from scratch. This CERT only manages Advanced Persistent Threats (APTs) detected within the group and is responsible for implementing the appropriate incident response. The cases discussed highlighted certain interesting behaviors and elements:

  • The attacks appear to be carried out by hierarchical groups (level 1, 2, 3):
    ◦ A person with a "high" level of access sets up the initial access.
    ◦ A lower-level group returns a few days later to run through a sort of collection checklist (a pattern found in various APTs). This group is considered less sophisticated because the logs sometimes show attempts with different parameters on a command, which are interrupted and then resume directly with the correct command, as if a higher-level group had stepped in to assist with the operations.

  • The attacks carried out are not discreet (use of exfiltration parameters that are often logged: GET instead of POST for example)
  • A step of listing the contents of the directories is often carried out. The exfiltration of specific data is only performed later (sometimes several weeks later).
  • The attackers create archives of the information to be extracted: one small archive and several large ones. Only the small archive is exfiltrated at first, probably to serve as a sample of the goods; the others follow later (sometimes several weeks later).
  • The attacks are very rarely detected by IDS probes or by internal teams, even though C&C server URLs sometimes end up in the top 10 most visited URLs in proxy logs.

Finally, Nicolas Bareil recommends replacing forensics with an appropriate incident response.
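As an added example (constructed here, not material from the talk), the following Python script applies two of the observations above to web-proxy logs: it ranks hosts by request count, since the C&C servers described ended up among the top 10 most visited, and keeps those whose traffic is made of GET requests carrying long query strings, the logged exfiltration pattern mentioned. The log format, the sample lines and the function names are constructed for this example.

```python
"""Hunting for the proxy-log patterns described in the Airbus CERT talk
(constructed example; log format and sample lines are made up)."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed squid-like access log: "time client method url status bytes".
EXFIL_Q = "d=" + "QUJDRA" * 12      # 74-char base64-looking GET payload
SAMPLE_LOG = "\n".join([
    "1402000001 10.0.1.5 GET http://www.example.com/index.html 200 5120",
    "1402000002 10.0.1.5 GET http://www.example.com/news.html 200 4096",
    "1402000003 10.0.1.7 POST http://mail.example.com/send 200 2048",
    "1402000004 10.0.1.9 GET http://beacon.example.org/c?" + EXFIL_Q + " 200 12",
    "1402000005 10.0.1.9 GET http://beacon.example.org/c?" + EXFIL_Q + " 200 12",
    "1402000006 10.0.1.9 GET http://beacon.example.org/c?" + EXFIL_Q + " 200 12",
    "1402000007 10.0.1.5 GET http://www.example.com/about.html 200 3000",
    "malformed line that the parser must skip",
])

LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\d{3}) (\d+)$")


def parse(log):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, status, size = m.groups()
            yield {"ts": int(ts), "client": client, "method": method,
                   "url": url, "host": urlsplit(url).hostname,
                   "status": int(status), "size": int(size)}


def suspicious_hosts(log, top_n=10, min_query=64):
    """Return (host, total_requests, long_get_requests) for hosts that are
    both among the top_n most-requested and carry GET query strings of at
    least min_query characters, i.e. data leaving in a logged URL."""
    hits = Counter()
    long_get = defaultdict(int)
    for r in parse(log):
        hits[r["host"]] += 1
        if r["method"] == "GET" and len(urlsplit(r["url"]).query) >= min_query:
            long_get[r["host"]] += 1
    top = [host for host, _ in hits.most_common(top_n)]
    return [(h, hits[h], long_get[h]) for h in top if long_get[h]]
```

Run on a real proxy export, the same ranking shows whether a flagged host also sits in the daily top-N by request count, which is the signal the talk said went unnoticed.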

Rumps

The day ended with 27 rumps covering topics such as:

  • Miasm installation
  • Inexpensive ARM devices (Netgear NAS) for which open-source system images are available
  • Suricata 2.0 and log management with Kibana
  • developments of the Parsifal parser presented last year
  • personal framework sstic.py used to solve challenges
  • data and kitten exfiltration via ultrasound
  • game where the goal is to obtain the largest number of lines of bytecode
  • choice of language and surprising behaviors
  • ADSL security in Switzerland by news0ft
  • private event not so private in Outlook
  • NAND dump without desoldering
  • lessons learned from a DDoS attack
  • Polyglot JPG/MP4 file
  • bypassing IDS via TCP Fast Open
  • REbus project
  • hack to correctly file your taxes online
  • IRMA (antiviral analysis service similar to VirusTotal)
  • 0day Android < 4.4.3
  • SSTIC proceedings in ebook format
  • social engineering of the audience
  • large-scale scanning of vulnerable routers
  • No Such Con
  • Perseus in-house encryption