SSTIC 2012 – Day Two
- IronHide: Input/Output Attack Platform
Speakers: Fernand Lone Sang / Vincent Nicomette / Yves Deswarte
Starting from the premise that the two main malware vectors are either software using only the processor, or software involving other hardware components (malicious firmware, USB drives, etc.), and that the first type of malware is already extensively studied, the CNRS wanted to work on the second. The presentation focuses on IronHide, a generic input/output controller developed by CERN, to illustrate feasible attacks and to test the countermeasures identified by the team. After some interesting demonstrations, such as direct access to video memory and keylogging, the speaker discusses future research: the detection of hardware backdoors, the transformation of IronHide into a hardware IDS/IPS…
- The slides
- The article
Hosting provider quality in 2012
Speaker: Romain Beeckman (OVH Legal Director)
Originally, the Law on Confidence in the Digital Economy (LCEN) defined three statuses: hosting provider, access provider, and publisher. Romain Beeckman presents here the legal constraints faced by hosting providers regarding illegal content and traceability.
The basic constraints are as follows:
- Retention of access logs for 12 months (risk of a €75k fine and imprisonment in case of non-compliance);
- Provision of a system for notifying individuals of "manifestly illegal" content.
The speaker also addressed frequently encountered points of contention, notably the fact that if a hosting provider has the ability to modify a website's content, it can be considered a publisher and held liable for illegal content. He also discussed recent case law which, in addition to requiring notification of the removal of illegal content, mandates hosting providers to implement mechanisms preventing the reappearance of such content.
Finally, there is talk of so-called "2.0" hosting providers (e.g., Youtube, Dailymotion…) who profit from content viewing and who must also implement state-of-the-art mechanisms to detect and remove illegal content.
Slides: no slide
Challenge results
Speakers: Axel Tillequin, Fabien Perigaud, Florent Marceau
Presentation of the solutions for the SSTIC 2012 challenge. The solution presented, extremely complex, was judged the most "elegant" by the jury. You can find all the details of the challenge and the proposed solutions at this address: http://communaute.sstic.org/ChallengeSSTIC2012
Short presentations
Speaker: Anthony Desnos (virustotal)
Introducing two tools for analyzing Android applications:
- Elsim: http://code.google.com/p/elsim
- Androguard: http://code.google.com/p/androguard
These tools detect the libraries used in applications based on function signatures. They have shown that, on average, less than 50% of the code in free applications is true "business" code; the rest is mostly advertising libraries.
Slides to come
Speaker: Davide Canali (iseclab)
Presentation of a CMS "honeypot" used to analyze attacks on web applications and especially to study the behavior of attackers.
The procedure is as follows:
- Using 500 different websites, each with 7 CMSs and hidden webshells
- 100 domain names purchased
- Hosting spread across 8 hosts
- Implementation of centralized management via a script acting as a proxy to redirect traffic to 7 isolated virtual machines (1 per CMS) and to collect logs.
The approach made it possible to collect 9.5GB of data (GET and POST), 69,000 attacks detected, as well as many tools used by the attackers.
Slides to come
Pierre Karpman (ENS Cachan, Supélec)
Presentation of the SIDAN tool for hardening programs developed with the C language.
The tool uses several hardening mechanisms, such as:
- The detection and verification of program invariants;
- Control and validation of variable variation zones;
- Consistency check and validation of constants.
The use of such a tool (available at http://www.rennes.supelec.fr/ren/rd/cidre/tools/sidan/) seems quite interesting for development in C.
Slides to come
Proxy access control for Windows 7
Speakers: Christian Toinard, Damien Gros (CEA), Jérémy Briffaut
Judging that the "Mandatory Integrity Control" functionality integrated since Windows Vista is not sufficient, the speakers present a proxy access control tool for Windows 7 derived from the philosophy of SE Linux.
The goal of the solution is to reduce process privileges (even privileged processes) by defining a precise "who has access to what" policy on the machine so as not to be limited to the standard discretionary model (RWX).
The goal is therefore to define a complete policy of the rights of each user and process (the policy can be tedious to implement) keeping in mind that anything not defined is prohibited by default.
Forensic computer expert
Speaker: MEM Zythom
The conference was highly anticipated by many, particularly following the attack suffered by Zythom the day before the presentation, or simply to learn about the famous... blogger.
The conference began by outlining the steps to becoming a court-appointed expert, namely submitting an application specifying the area of expertise, the expert's CV, and the resources available to the client requesting the assessment (the equipment the expert possesses). It was noted that the process for validating the application remains unclear.
Zythom then reviewed the types of expert assessments he has had to carry out so far: searching for child pornography content (investigation), the failed computerization of a company (commerce), expert assessment for a dissatisfied individual (civil) or assistance to a party (private).
Finally, the tools used by the expert were certainly the part that most attracted the attention of the computer scientists present in the room:
- The Sleuth Kit: http://www.sleuthkit.org/
- DEFT Linux: http://www.deftlinux.net/
- Ophcrack: http://ophcrack.sourceforge.net/
- Live View: http://liveview.sourceforge.net/
- Photorec, TestDisk: http://www.cgsecurity.org/wiki/PhotoRec_FR
- Encase Forensic Edition: http://www.digitalintelligence.com/software/guidancesoftware/encase7/
- Forensic Toolkit: http://accessdata.com/products/computer-forensics/ftk
iOS Forensics
Speakers: Jean Sigwald, Jean-Baptiste Bédrune
A very interesting conference on the internal encryption mechanisms of Apple's mobile operating system: iOS.
The presentation begins by outlining the possible methods for obtaining a disk image of the terminal:
- Via a logical extraction using iTunes backups (phone PIN required and backup password if used);
- Via a physical extraction of the 2 HFS+ partitions (requires root access to the terminal).
The speakers then presented the different encryption techniques used by devices using iOS.
All devices are equipped with a unique AES 256 key embedded in the hardware, making it difficult to extract without sophisticated equipment. This key forms the basis of all the device's encryption mechanisms. An evolution in iOS 4 allowed a shift from standard partition encryption to file-based encryption, with keys derived from the AES key (one PBKDF2 iteration followed by 200 AES iterations, significantly slowing down a brute-force attempt) and some protected by the phone's PIN. Finally, it's important to remember that the PIN can only be brute-forced on the device itself (it cannot be done offline).
The conclusion is unequivocal: Apple's encryption is quite strong. However, having root access on the device significantly weakens these mechanisms, a good opportunity to reiterate that jailbreaking is strongly discouraged on professional devices.
Slides to come
Rump session
RUMP sessions are an opportunity to briefly present (3min30) projects or discoveries of varying degrees of seriousness.
We have selected the following projects:
- Uncompyle2: a Python bytecode decompiler https://github.com/wibiti/uncompyle2
- Wolfy: a tool for performing checks on a compromised system http://www.xmco.fr/wolfy-post-forensics.html
- Digital Forensic Framework: an open-source forensic analysis tool http://www.digital-forensic.org/
- Botnets.fr: a collaborative wiki listing and documenting botnets https://www.botnets.fr/index.php/Accueil
- Hynesim: an information system simulation tool http://www.hynesim.org/
