SSTIC 2013 – Day One

As every year, the famous Symposium on Information and Communication Technology Security (SSTIC) takes place in Rennes! Intrinsec attends these conferences and offers you a summary of each day.

«Innovation in symmetric cryptography» – Joan Daemen (STMicroelectronics, Belgium)

SSTIC starts strong this year with Joan Daemen, Belgian cryptologist and co-designer of Rijndael, an algorithm that won the AES competition in October 2000.

The conference begins with a review of symmetric cryptography since the 1990s, notably revisiting the DES encryption algorithm. It outlines the main expected properties of symmetric algorithms and the various constraints: non-linearity, maximum diffusion, and processing time.

The second part of the talk focuses on Keccak, a hash function he designed with three other researchers (Guido Bertoni, Michaël Peeters and Gilles Van Assche). Keccak was selected as SHA-3 in October 2012 at the end of the NIST hash function competition.

Joan concluded by insisting that it is often necessary to start from scratch and that one should never dismiss an idea without trying, even if many attempts prove unsatisfactory.

 

«Flattening control flow graphs and symbolic execution» – Eloi Vanderbeken (OPPIDA)

After the break, the day continued with a "con artist presentation," as the speaker himself put it. He took us on a journey through code obfuscation, or rather deobfuscation, to introduce the tool he is developing.

He begins with some basic concepts about code obfuscation, high/low level, then moves on to the different code obfuscation techniques with their advantages and disadvantages:

  • Dynamic approach, instrumenting and monitoring execution
  • Data-tracking approach, following data flows through the program
  • Static approach, the one he chose

The slides lack precision; with only 30 minutes he rattles off concepts at high speed: "traces", "basic blocks", "execution graphs", "managers", everything is covered.

The presentation continued with a live demonstration of the tool. The demonstration didn't seem to convince the audience, and he eventually admitted that his tool didn't really work.

The presentation ends with a series of rather lively questions and answers which brilliantly concludes the presentation.

 

«Binary Polyglots and Implications» – Ange Albertini

Polyglot files are files that are valid in several formats at once: a PDF, a ZIP archive, an HTML page, an executable, etc. Faced with increasingly complex malware, being able to identify a file's format correctly is a prerequisite for analyzing it. One can imagine a file that antivirus software classifies as a harmless HTML page but which is also a malicious executable.

Contrary to popular belief, identifying a file's format is far from trivial, mainly because format specifications are incomplete and parsers are lenient. The talk illustrates this with significant rendering differences between PDF readers for the same file, a far cry from the misconception that a PDF renders in a single way.

Several recent antivirus programs appear to address the issue: for example, a file that matches the signatures of several formats at once is treated as malicious.

The speaker concluded with several suggestions: stronger controls at the operating system level (e.g., a file downloaded with a .pdf extension should not be executable later), isolation of downloaded files, and a long, unambiguous magic signature per format so that one file cannot satisfy several of them.
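The antivirus heuristic mentioned above (a file matching several format signatures is suspicious) can be implemented with a few format-specific checks that each look where the real parsers look, rather than only at offset 0. The example below is added here and is not code from the talk; the PDF/ZIP sample it builds is constructed in memory, and the 1024-byte PDF header tolerance and the end-of-file ZIP lookup are the leniencies that make such polyglots possible in the first place.

```python
import io
import struct
import zipfile


def _is_pe(data: bytes) -> bool:
    """PE/EXE: 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _is_pdf(data: bytes) -> bool:
    """Acrobat accepts the '%PDF-' header anywhere in the first 1024 bytes, not only at offset 0."""
    return b"%PDF-" in data[:1024]


def _is_zip(data: bytes) -> bool:
    """ZIP is parsed from the end: the End-Of-Central-Directory record may sit up to
    22 + 65535 bytes before EOF, so the archive can start anywhere in the file."""
    return zipfile.is_zipfile(io.BytesIO(data))


def _is_html(data: bytes) -> bool:
    """Browsers sniff HTML from tags, so check the head of the file, case-insensitively."""
    head = data[:4096].lower()
    return b"<html" in head or b"<script" in head or b"<!doctype html" in head


DETECTORS = {"pe": _is_pe, "pdf": _is_pdf, "zip": _is_zip, "html": _is_html}


def detect_formats(data: bytes) -> set:
    """Every format whose signature the file satisfies, not just the first match."""
    return {name for name, check in DETECTORS.items() if check(data)}


def is_polyglot(data: bytes) -> bool:
    """A file satisfying two or more format signatures is treated as suspicious."""
    return len(detect_formats(data)) >= 2


def build_pdf_zip_polyglot() -> bytes:
    """Constructed sample (not a real-world file): a PDF-like head followed by a real
    ZIP archive. zipfile still opens it because it locates the archive from the EOCD
    record at the end and corrects the offsets for the leading bytes."""
    pdf_head = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.txt", "hidden in the zip half")
    return pdf_head + buf.getvalue()


if __name__ == "__main__":
    sample = build_pdf_zip_polyglot()
    print(sorted(detect_formats(sample)), "polyglot" if is_polyglot(sample) else "single-format")
    with zipfile.ZipFile(io.BytesIO(sample)) as zf:
        print(zf.namelist())
```

The detectors deliberately mirror the tolerant behaviour of real consumers (Acrobat, the ZIP EOCD search, browser sniffing); a detector that only compared the first bytes against a table of magic numbers would report the sample as a PDF and miss the archive appended to it.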

 

«Dynamic recompilation of hostile binary code» – Sébastien Josse (DGA)

After Ange's presentation, we move on to malware analysis, and here again the focus is on code obfuscation. The talk opens with a survey of current malware analysis tools: few exist, most lack automation, and few are cross-platform. The conclusion is clear: the current tooling is incomplete and inadequate.

He then presents us with the tool he is developing, which allows for the analysis and deobfuscation of malware in any environment.

Built on the QEMU emulator and the LLVM toolchain, it consists of a suite of modules for code extraction, reduction and normalization.

The presentation ends with a somewhat slow demonstration video, which nevertheless has the merit of showing the different modules working and demonstrating the analysis of a pseudo-malware created for the occasion.

 

Short presentations

Right after lunch, we attend two short 15-minute presentations.

The first, by Olivier Levillain (ANSSI), presents «Parsifal», a robust parser framework written in OCaml.

After writing proofs of concept in Python and C++, he found that OCaml offered features well suited to developing robust and stable programs. He intends to use these parsers to analyze several hundred gigabytes of SSL data collected from the Internet.

The conciseness of the code allows fairly strict parsers to be developed quickly. The introduction of the talk aptly sums up its conclusion: "To understand a protocol, the best way is to implement it."
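To make the "strict parser" idea concrete, here is a small record-layer and handshake-header parser for the kind of SSL/TLS data the talk mentions. It is an added example in Python, not Parsifal code, and it errs on the side of rejection: unknown content types, versions outside SSL 3.0 to TLS 1.2, oversized records, zero-length non-application records, truncated bodies and handshake messages that overrun their record all raise instead of being silently tolerated. The sample records are constructed by hand, not captured traffic.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}
MAX_RECORD_LENGTH = 2 ** 14 + 2048  # RFC 5246 section 6.2.3: TLSCiphertext.length limit


class ParseError(ValueError):
    """Raised on any deviation from the wire format; nothing is guessed or repaired."""


class Record(NamedTuple):
    content_type: str
    version: Tuple[int, int]
    body: bytes


def parse_record(buf: bytes) -> Tuple[Record, bytes]:
    """Parse one TLS record from the front of buf; return it and the unconsumed tail."""
    if len(buf) < 5:
        raise ParseError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise ParseError(f"unknown content type {ctype}")
    if major != 3 or minor > 3:  # SSL 3.0 (3.0) up to TLS 1.2 (3.3)
        raise ParseError(f"unsupported version {major}.{minor}")
    if length > MAX_RECORD_LENGTH:
        raise ParseError(f"record length {length} exceeds the protocol limit")
    if length == 0 and ctype != 23:  # zero-length fragments are only allowed for application data
        raise ParseError("zero-length record of a non-application type")
    if len(buf) < 5 + length:
        raise ParseError("record body truncated")
    return Record(CONTENT_TYPES[ctype], (major, minor), buf[5:5 + length]), buf[5 + length:]


def parse_handshake_messages(body: bytes) -> List[Tuple[str, bytes]]:
    """Split a handshake record body into (type, payload) messages.
    Every byte must belong to exactly one message: no slack, no overrun."""
    messages = []
    while body:
        if len(body) < 4:
            raise ParseError("trailing bytes too short for a handshake header")
        htype = body[0]
        hlen = int.from_bytes(body[1:4], "big")
        if htype not in HANDSHAKE_TYPES:
            raise ParseError(f"unknown handshake type {htype}")
        if len(body) < 4 + hlen:
            raise ParseError("handshake message overruns the record")
        messages.append((HANDSHAKE_TYPES[htype], body[4:4 + hlen]))
        body = body[4 + hlen:]
    return messages


def parse_stream(buf: bytes) -> List[Record]:
    """Parse a byte string as a sequence of back-to-back records."""
    records = []
    while buf:
        rec, buf = parse_record(buf)
        records.append(rec)
    return records


def validation_error(buf: bytes) -> Optional[str]:
    """None if buf is a well-formed record sequence, else the reason it was rejected."""
    try:
        for rec in parse_stream(buf):
            if rec.content_type == "handshake":
                parse_handshake_messages(rec.body)
    except ParseError as exc:
        return str(exc)
    return None


# Constructed samples (hand-written, not captured traffic).
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\x06" + b"\x01\x00\x00\x02" + b"\x03\x03"  # TLS 1.0 record, 2-byte ClientHello stub
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02" + b"\x02\x28"                              # TLS 1.2 fatal handshake_failure
SAMPLE_BAD_TYPE = b"\x99\x03\x03\x00\x02" + b"\x00\x00"                           # content type 0x99 does not exist
SAMPLE_OVERRUN = b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x10"                    # claims a 16-byte ClientHello, carries 0

if __name__ == "__main__":
    for name, sample in [("client_hello", SAMPLE_CLIENT_HELLO), ("alert", SAMPLE_ALERT),
                         ("bad_type", SAMPLE_BAD_TYPE), ("overrun", SAMPLE_OVERRUN)]:
        print(f"{name}: {validation_error(sample) or 'ok'}")
```

Run over a large capture, the rejection reasons themselves become data: counting which check fires most often tells you how real-world stacks deviate from the specification, which is the kind of question a few hundred gigabytes of SSL data can answer.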

Eric Leblond then presents « NFTables », starting with a review of the major shortcomings of IPTables: no way to add a rule without reloading the whole ruleset, and a combinatorial explosion of rules as soon as many IP addresses and ports have to be combined.

In 2008, Patrick McHardy developed and presented NFTables. Among the improvements are a new configuration grammar, a library API over Netlink, atomic ruleset updates that avoid reloading all rules, and a notification system.

The new implementation relies on a small BPF-like virtual machine in the kernel, and offers three operating modes:

  • Configuration file mode
  • Command line mode
  • Code library mode

It also brings better set handling, so that a whole list of addresses or ports can be matched in a single rule, a more readable ruleset, and room for future extensions.
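The two IPTables shortcomings named above, rule explosion and full reloads, are easiest to see side by side. The example below is added here (it is not from the talk) and generates, from the same constructed host and port lists, the IPTables rule list and an equivalent NFTables ruleset that uses two named sets and a single match rule; it uses current `nft` syntax (the `inet` family, `flush ruleset`), which postdates the 2013 talk. Nothing here runs `nft`: the script only produces the text that `nft -f` would load.

```python
from typing import List, Sequence


def iptables_rules(hosts: Sequence[str], ports: Sequence[int]) -> List[str]:
    """Classic approach: one rule per (host, port) pair, len(hosts) * len(ports) rules."""
    return [f"iptables -A INPUT -s {host} -p tcp --dport {port} -j ACCEPT"
            for host in hosts for port in ports]


def nftables_ruleset(hosts: Sequence[str], ports: Sequence[int]) -> str:
    """One match rule over two named sets. 'flush ruleset' as the first statement makes
    'nft -f' replace the whole ruleset in one transaction: either everything applies or,
    on a parse error, nothing does."""
    lines = [
        "flush ruleset",
        "table inet filter {",
        "    set allowed_hosts {",
        "        type ipv4_addr",
        f"        elements = {{ {', '.join(hosts)} }}",
        "    }",
        "    set allowed_ports {",
        "        type inet_service",
        f"        elements = {{ {', '.join(str(p) for p in ports)} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        ct state established,related accept",
        "        ip saddr @allowed_hosts tcp dport @allowed_ports accept",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def nft_add_host(host: str) -> str:
    """Incremental change: add one element to the live set, no ruleset reload needed."""
    return f"nft add element inet filter allowed_hosts {{ {host} }}"


def match_rule_count(ruleset: str) -> int:
    """Number of rules in the chain that actually match on the host set."""
    return sum(1 for line in ruleset.splitlines() if "@allowed_hosts" in line)


# Constructed sample policy: three management hosts, two services.
HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
PORTS = [22, 443]

if __name__ == "__main__":
    print(f"iptables: {len(iptables_rules(HOSTS, PORTS))} rules")
    print(f"nftables: {match_rule_count(nftables_ruleset(HOSTS, PORTS))} rule")
    print(nftables_ruleset(HOSTS, PORTS))
    print(nft_add_host("10.0.0.4"))
```

With 3 hosts and 2 ports the IPTables list already has 6 rules and grows as the product of the two lists, while the NFTables chain keeps a single rule whatever the set sizes; adding a host is one `nft add element` call against the running kernel rather than a regenerate-and-reload of every rule.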

 

«Smart card terminal compromise» – G. Vinet

Smart cards are increasingly used in information systems today. Among the strengths of this technology are the ability to securely store information, and to use encryption or data signing.

The data on the smart card is protected by a PIN code. Entering this PIN on an infected workstation exposes it to theft.

To protect against this type of scenario, there are external USB terminals that allow the data on the card to be protected even if the workstation is compromised.

Several of these devices were studied to assess their security level. To do so, a smart card emulator was built on an Arduino platform so that malicious behaviour could be presented to the terminal from the card side.

It was thus possible to retrieve data left over from previous sessions, potentially including a card's PIN…

In addition, these terminals are not protected against physical attacks such as electromagnetic emanation analysis or tampering with the card connector.

 

«Application attacks via modified USB devices» – Benoît Badrignans (Seclab FR)

At 3:45 PM, we're still focusing on hardware-based attacks. In this presentation, Benoît Badrignans shows us how, using modified USB devices, it's possible to take control of a workstation, bypassing many of the protection mechanisms that can be implemented within an information system.

In the first slides, he shows how a standard USB device works and what the known attack vectors are: the file system, autorun, and so on. He then compares standard and modified devices: the same vectors (USB stack, file system, device classes) each bring a new set of exploits once the firmware is under the attacker's control.

We then move on to different existing systems. From DIY projects based on Arduino to commercial solutions, we discover peripherals that allow us to compromise an operating system in surprising ways.

Subsequently, two fully functional scenarios are presented to us:

  • Exfiltrating a file from a workstation mounting USB drives in read-only mode

Using modified firmware, the USB device presents itself to the operating system as both a storage device and a keyboard/mouse, and the operating system raises no suspicion about it. With the help of a script running on the machine and a sequence of perfectly legitimate read requests, the firmware reconstructs the file to be exfiltrated from the pattern of reads and writes it to its own storage, even though the drive was mounted read-only. Quite impressive, both for the method and for the ingenuity of the exfiltration "protocol."

  • Malware execution on a workstation after the key has passed through a decontamination airlock

Among the measures taken against USB drive attacks, some companies deploy decontamination airlock stations (« sas ») that scan, or even format, USB drives before they enter the information system. The demonstration presents a device able to recognise the system it is plugged into and to expose a different file system depending on certain conditions (for example, the number of times the drive has been connected). Once the "malicious" file system is presented, the device behaves as a keyboard/mouse, simulating a user at the workstation, and attempts to launch the malware stored on the drive.

Some protective measures exist, including virtualization mechanisms like Qubes OS, which allow USB device actions to be isolated within specific virtual machines. These solutions are complex to implement and require specific user training.

PCI cards also exist that allow the USB layer to be isolated from the OS in order to filter and analyze the behavior of peripherals.

In conclusion, this type of device allows the attacker to virtually enter the victim's workstation and can potentially become very dangerous.

 

Reflections on Operation "Red October" – Nicolas Brulez (Kaspersky)

In October 2012, Kaspersky identified a large-scale cyber espionage network primarily targeting research, diplomatic and governmental organizations in various countries.

The earliest traces of the campaign date back to May 2007, and it remained active until at least July 2012.

The underlying architecture is conventional and uses a C&C server protected by multiple proxy layers (at least two layers identified); over 60 domain names were registered for the operation. Various types of equipment were targeted: workstations, smartphones, enterprise equipment (Cisco), and removable drives.

The infection was spread through phishing email campaigns carrying malicious attachments. Unlike Stuxnet or Duqu, no zero-day exploits were used; the attachments relied on well-known, older Word and Excel vulnerabilities.

Unfortunately, the conference did not bring any new facts or significant details.

 

«Embedded systems: between trust and distrust» – Aurélien Francillon (Eurecom)

Embedded systems are everywhere today; a large proportion of the objects we handle daily contain one. These systems are generally small and simple, but relatively opaque, and offer little or no security.

Aurélien Francillon presents, through several concrete examples, the work he conducts with his students at Eurecom. Among the most striking examples are rewriting a hard drive's firmware to integrate a backdoor, hijacking keyless entry systems to unlock and start vehicles, and attacks on aircraft positioning systems. The presentation, quite unlike others, is pleasantly enhanced with photos of hacks, anecdotes, and ideas to explore further.

 

This first day ends with a friendly cocktail reception, an ideal time to meet other enthusiasts, exchange ideas and review the day's conferences.

By Maxime le Metayer and Antoine David