SSTIC 2013 – Day Two
We arrived a little late on this Thursday morning. Our minds had been victims of a social engineering attack regarding the start time of the first conference (thanks Guillaume!).
«DreamBoot and UEFI» – Sébastien Kaczmarek (Quarkslab)
The first two conferences revolve around a common topic: UEFI. The first conference presents "Dreamboot," or how to bypass several protections within Microsoft Windows in order to compromise the operating system.
A few explanations later, we arrive at a rather telling demonstration in which the speaker logs into a Windows session without entering a password and then opens an administrator command prompt, all without using a single exploit against the running OS.
«UEFI and PCI bootkits: the danger comes from below» – Pierre Chifflier (ANSSI)
The second conference goes a little deeper into UEFI mechanisms to reach the hardware layers of the workstation.
A fast-paced presentation, peppered with jokes and puns such as "the ROM road" and "these ROMs are crazy, aren't they?", unfolds smoothly and captivates the audience. Among other things, we learn that hardware manufacturers haven't truly grasped the purpose of ROM (Read Only Memory) and allow writing to these chips.
The presentation concludes with a very lively demonstration, proving the speaker's technical abilities to create a VGA driver that overwhelms us with BAZINGA on the screen, a demonstration that goes as far as patching the Linux kernel on the fly without using an exploit on the running OS.
«Programming a secure kernel in Ada» – Arnauld Michelizza (ANSSI)
This was followed by a presentation that would later prompt a few jokes from the other speakers about Ada. Arnauld Michelizza presented a proof of concept for a secure kernel implemented entirely in Ada.
After a brief reminder of the security problems related to development, which shows that nearly 80% of current bugs are related to poor development, the speaker tells us the story of his project.
Having already developed a kernel in C (Pépin), and based on the observation of the problems caused by insecure C practices, he decided to embark on this adventure by first searching for a "secure" language. Among the candidates, one finds unmaintained languages (Algol 60, PL/1, Modula-2, SecureC), unsuitable languages (Java, Haskell, OCaml) and finally… Ada.
After confronting the Ada paradigm and getting to grips with this new way of coding, he emerged with a functional kernel proof of concept (PoC) of about ten thousand lines of code. The major problem was that the runtime security checks imposed an overhead of 60% in clock cycles and a factor of 4 in the size of the generated code. Disabling the protection mechanisms rendered the PoC useless, while the SPARK approach proved to be a rather interesting compromise: by removing certain runtime checks and applying formal proof analysis upstream, the overhead was reduced to about fifteen percent, and the code size was reduced by a similar amount.
A technical issue forced us to wait until the start of the rumps to see the kernel in action. Although this presentation wasn't universally well received by the audience, we personally found it very interesting.
«The color of the internet» – Laurent Chemla
Laurent Chemla addresses the highly controversial topic of net neutrality. He begins by recalling the main reasons put forward for censoring certain information: copyright infringement, pedophilia, tax evasion… He then quickly returns to current examples, such as the ability for Free users to filter advertisements while browsing.
The presentation quickly arrives at the following question: should the Internet be regulated or not? He states his opinion: "The real objective (conscious or not) of those who do not want specific regulation is not the sustainability of the Internet, but to guarantee that it continues to change our society (in the right direction)."
The issue of neutrality quickly became inextricably linked to our society and to economic concerns. The advent of the internet has profoundly changed society. We are witnessing a genuine elimination of intermediaries (and therefore of the associated value chains) that affects all sectors: economics, journalism, trade in material goods, and so on. At the same time, borders are becoming less distinct, and digitization allows for "abundance for the many or the accumulation of wealth for the few".
His conclusion is clear: the internet has never been neutral and never will be. Neutrality is, in reality, merely a struggle against those who already hold power (and therefore exploit profitable opportunities) and against those who previously lacked a voice but saw in the internet a way to challenge the established order and share the spoils. It is therefore no longer a question of controlling or regulating the internet, but rather of managing the changes it brings about in society.
Short presentation: "Samsung Android Vulnerability" – Etienne Comet
The late morning ends and takes us into the Android operating system, its various attack vectors, and the specific features brought to Linux for supporting mobile functions.
There's not much new information to be learned. Over 250 patches have been added to the kernel to enable mobile functionality. Some manufacturers are adding their own patches, potentially increasing the attack surface.
We then move on to a description of two identified bugs whose exploitation could potentially give control of the device.
The conclusion of this presentation is that Android security isn't quite there yet. To which I would reply, "Thanks, Captain Obvious."
Short presentation: "Observatory of the Resilience of the French Internet" – Guillaume Valadon
The conference addresses a very interesting topic: How resilient is the French internet to attacks or outages?
Two topics are addressed: BGP and DNS. The BGP protocol is reviewed at excessive length. More than half the time is devoted to reviewing Autonomous Systems (AS), route announcements, and the general operation of the protocol. Consequently, little time remains to present the core content and the true added value of this study. Graphs are presented briefly, including an interconnection graph of French ASes.
The speaker concluded that, regarding these two protocols, the situation of the French internet is acceptable. He did, however, suggest some avenues for future action: deploying IPv6, decentralizing DNS servers, etc.
Short presentation: "Compromise of a Cisco VoIP environment / Exploitation of a call manager" – @Fransisco
Given the widespread deployment of Cisco VoIP in businesses, Francisco focused on a key component: the call manager. After a brief review of how such an architecture works, several vulnerabilities that could lead to complete compromise of the appliances were presented.
The results speak for themselves. Numerous critical vulnerabilities have been identified and do not require advanced technical skills (SQL injection, privilege escalation, command execution, etc.).
The audience, however, strongly criticized the "half-full disclosure" approach, as none of the identified vulnerabilities had been reported to Cisco. The question "Do you plan to do so?" received an unexpected response: "Uh, that's not planned...".
«Android application security by manufacturers and the creation of permissionless backdoors» – André Moulu
After lunch, we attended another conference related to Android. The agenda was more comprehensive than the previous one, beginning with the statement that Android security still needs improvement (a feeling of déjà vu?).
Moving on to a comparison between custom ROMs and native Android ROMs, it becomes clear that phone manufacturers don't hesitate to overload firmware with numerous applications that users cannot uninstall. One study counted over 250 applications on a Samsung S2 phone, compared to just over 100 on a Nexus 4.
The presentation moves quickly, with a privilege escalation represented on a graph that fills up with each slide. The number of slides is too large for the allotted time, so the presentation speeds up and some scenarios are omitted to achieve complete device compromise. And this is done using only applications with "standard" privileges.
An advertising break for a suite of tools he developed around Androguard leads us to the following conclusion: improving the security of Android devices is a constantly evolving issue, and current solutions are not yet sufficiently effective.
«Limits of Rainbow Tables and How to Overcome Them Using Optimized Probabilistic Methods» – Cedric Tissieres, Philippe Oechslin, Pierre Lestringant
The conference begins with reminders about Rainbow Tables and focuses on the limitations related to the size of these tables, a size that explodes as soon as the length of the passwords to be cracked is increased.
In order to crack increasingly long passwords, two optimized probabilistic methods were applied:
- Representation of passwords as patterns;
- Use of a Markov model.
The learning phases are based on sets of real passwords available on the Internet (e.g., RockYou). These phases maximize the chances of finding "likely" passwords.
Some reduction factors are given: the size of a table is divided by 10,000 while the chance of finding the password only drops from 99% to 95%. Interestingly, the generated tables contain passwords of up to 12 characters!
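As an added illustration, not part of the original report nor of the speakers' tools, here is a small Python sketch of the two pruning ideas described above: a character-class pattern table and a first-order Markov model, both learned from a constructed sample list that stands in for a real leak such as RockYou. The sample passwords, the probability threshold and the character-class sizes are assumptions; a real table generator would train on millions of entries and enumerate the reduced keyspace far more efficiently than this pruned depth-first search, but the effect is the same: only "likely" strings remain candidates for the table.

```python
from collections import Counter, defaultdict
import string

# Constructed training set standing in for a real leak (e.g. RockYou); not real data.
SAMPLE_PASSWORDS = [
    "password", "password1", "letmein", "monkey", "dragon",
    "qwerty", "abc123", "iloveyou", "sunshine", "princess",
    "football", "shadow", "master", "superman", "welcome",
]

# Assumed class sizes: lowercase, uppercase, digits, printable symbols.
CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": len(string.punctuation)}


def pattern_of(password):
    """Reduce a password to its character-class pattern (l/u/d/s)."""
    classes = []
    for ch in password:
        if ch.islower():
            classes.append("l")
        elif ch.isupper():
            classes.append("u")
        elif ch.isdigit():
            classes.append("d")
        else:
            classes.append("s")
    return "".join(classes)


def pattern_table(passwords):
    """Count how often each pattern occurs in the training set."""
    return Counter(pattern_of(p) for p in passwords)


def pattern_keyspace(pattern):
    """Number of distinct passwords that match one pattern exactly."""
    size = 1
    for cls in pattern:
        size *= CLASS_SIZES[cls]
    return size


class MarkovModel:
    """First-order Markov chain over characters, trained on observed passwords."""

    def __init__(self, passwords):
        self.start = Counter()              # first-character counts
        self.trans = defaultdict(Counter)   # trans[a][b] = times a was followed by b
        for pw in passwords:
            self.start[pw[0]] += 1
            for a, b in zip(pw, pw[1:]):
                self.trans[a][b] += 1
        self.n_start = sum(self.start.values())

    def prob(self, s):
        """Probability the chain assigns to a string (0 for unseen transitions)."""
        p = self.start[s[0]] / self.n_start if s else 0.0
        for a, b in zip(s, s[1:]):
            total = sum(self.trans[a].values())
            if p == 0.0 or total == 0:
                return 0.0
            p *= self.trans[a][b] / total
        return p

    def candidates(self, length, threshold):
        """Enumerate every string of `length` characters with prob >= threshold.

        The probability can only shrink as a prefix grows, so a prefix that
        falls below the threshold is pruned together with all its extensions.
        """
        found = []

        def walk(prefix, p):
            if p < threshold:
                return
            if len(prefix) == length:
                found.append(prefix)
                return
            nxt = self.trans[prefix[-1]]
            total = sum(nxt.values())
            for ch, count in nxt.items():
                walk(prefix + ch, p * count / total)

        for ch, count in self.start.items():
            walk(ch, count / self.n_start)
        return found


def markov_reduction(model, length, threshold, alphabet_size=26):
    """Return (candidates kept, brute-force keyspace) for one password length."""
    kept = model.candidates(length, threshold)
    return len(kept), alphabet_size ** length


if __name__ == "__main__":
    table = pattern_table(SAMPLE_PASSWORDS)
    for pat, n in table.most_common(3):
        print(f"pattern {pat}: seen {n} times, covers {pattern_keyspace(pat):,} passwords")
    model = MarkovModel(SAMPLE_PASSWORDS)
    kept, full = markov_reduction(model, 4, 1e-3)
    print(f"Markov model keeps {kept} of {full:,} four-character strings")
```

The two methods compose naturally: the pattern table says which class layouts are worth a table at all (eight lowercase letters dominate this toy set), and the Markov threshold prunes the strings inside a layout, which is where the reduction factors quoted in the talk come from.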
Rumps
To end the day on a high note, we conclude with the famous "Rumps" that are the strength of SSTIC. Among other things, we find another appearance by Nicolas Ruff on a not-so-secure appliance (but nevertheless certified by ANSSI), a rant from ANSSI against the actions of some speakers who appeared earlier in the day, a very interesting study on IP Black Holes on the Internet, etc.
We also witnessed the call for contributions from some tools more or less directly related to IT security such as an AD analysis tool, a tool for analyzing virtual bank keyboards (OCR Panda), the brand new graphical interface of Photorec, or the despair of a reversing photographer unable to satisfy his desire to correct the RAW photos coming out of his Panasonic camera.
In the end, an "anonymous" speaker captivated the entire audience, hanging on the words of our helium-masked speaker. He spoke of theoretically possible techniques for winning framework agreements by circumventing the rules imposed by the S(uper)CAT (Centralized Technical Purchasing Service).
Two questions will be asked following this presentation: "Will you have enough helium to answer all the questions?" and "Have these techniques been used before?" A question to which we will not get an answer…
As every year, the day ended with the famous Social Event, held at the Halle Martenot. This year, instead of champagne, there was beer for dessert! The relaxed and informal atmosphere allowed for networking and discussions with the various speakers and participants. That's part of the charm of SSTIC!
By Maxime le Metayer and Antoine David
