SSTIC 2017 – Day Two
Links to reports from other days:
- SSTIC 2017 – Day 1
- SSTIC 2017 – Day 2
- SSTIC 2017 – Day 3
CrashOS: Searching for system vulnerabilities in hypervisors
Anaïs Gantet (Airbus) presented CrashOS, an operating system developed to search for vulnerabilities in hypervisors.
This minimalist operating system, written in C and assembly, took two months of work and was primarily tested against two virtualization solutions: Ramooflax (developed internally at Airbus) and VMware. Tests were written for the following aspects:
- access to physical memory;
- the address translation mechanism;
- verification of privileges in protected mode;
- handling of execution mode switches;
- communication with peripherals.
When a test reveals a vulnerability, the virtual machine crashes with an error message explaining the cause of the crash, which allows the vulnerability to be identified.
Article and video: https://www.sstic.org/2017/presentation/crashos/
ProTIP: Know what to expect from your PCI Express devices
This presentation by Marion Daubignard and Yves-Alexis Perez (ANSSI) focuses on threats from malicious PCI Express peripherals.
After some reminders about PCI Express, the presenters introduced their tool, ProTIP (Prolog Tester for Information Flow in PCIe networks), which computes the actual connectivity between components. The goal is to determine which components are allowed to communicate with which others, and which component can have its packets accepted by which others. ProTIP can generate traces describing these possible communications.
Article and video: https://www.sstic.org/2017/presentation/protip/
From Academia to real world: a practical guide to Hitag-2 RKE system analysis
In this talk, the four speakers (Chaouki Kasmi, José Lopes-Esteves, Mathieu Renard and Ryad Benadjila from ANSSI) set out to highlight vulnerabilities in the access control of certain car keys based on the Hitag-2 algorithm. The speakers adopted the approach of a black-box attacker, with no prior physical access to a vehicle or a key:
- radio frame capture and radio analysis;
- recovery of the secret key;
- forging of valid radio frames.
The speakers recalled the protections in place in RKE (Remote Keyless Entry) systems, which rely on one-way communication from the key to the vehicle, and presented the Hitag-2 stream cipher, created by Philips Semiconductors in 1995 and reverse-engineered in 2007.
After analyzing the Hitag-2 implementation in an actual car key, the speakers drew the following conclusions:
- there are different Hitag-2 RKE implementations depending on the manufacturer;
- the cryptography in place is proprietary, obsolete and vulnerable, with no obligation on anyone to maintain its security;
- an attacker with only two captured frames could forge valid frames that open the car.
Article and video: https://www.sstic.org/2017/presentation/from_academia_to_real_world_a_practical_guide_to_hitag-2_rke_system_analysis/
From bottom to top: attacks on microarchitecture from a web browser
Clémentine Maurice (Secure Systems group, Graz University of Technology, Austria) set out to highlight "side-channel" attacks, which exploit leaks of physical information.
After a brief review of DRAM, the speaker presented her DRAMA (DRAM Addressing) attacks, which target the DRAM row buffers and are related to the Rowhammer attack. The goal is to gain access to the memory of a victim that shares the same hardware resources as the attacker:
- via a covert channel: two processes communicating with each other even though they are not authorized to do so;
- via a side channel: a malicious process spying on benign processes, for example on keystrokes.
Clémentine then presented her "template" attack:
- share a DRAM row buffer with the victim;
- profile memory and record the row-hit ratio for each address.
This makes it possible to know precisely when the victim presses a key. The speaker was able to implement her attack in JavaScript (so it can be embedded in a web application), despite several complications to overcome:
- no knowledge of physical addresses;
- no instruction to flush the cache;
- no high-resolution (nanosecond) timer in recent web browsers, which forced the team to build one.
This presentation therefore highlighted potential information leaks caused by the hardware, which can be exploited from a web browser despite the protections in place (no native high-resolution timer). Countermeasures are difficult to implement without reducing the functionality or performance of the browser's JavaScript engine.
Video: https://www.sstic.org/2017/presentation/2017_invite_1/
Binacle: "full-bin" indexing of binary files for searching and writing Yara signatures
After a few reminders about full-text indexing, Guillaume Jeanne (ANSSI) presented the goal of his tool Binacle (a contraction of "binary" and "oracle"): to build a probabilistic database that directly indexes the binary content of binary files. The primary application is malware analysis: finding files that share code, finding similar files, and so on.
Binacle, a tool written in Rust, relies on a hash table of n-grams. Each n-gram is associated with a list of the identifiers of all documents that contain that n-gram.
Guillaume was able to put his tool to use to speed up Yara scans: an initial scan is performed by Binacle, which returns a set of candidate files, and the Yara scan is then run only on those. Binacle can also help generate Yara rules.
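The two-stage scan described above, as an added example (this is not Binacle's own code, which is written in Rust): a hash table maps every n-gram to the set of file identifiers containing it, a query intersects the posting lists of the pattern's n-grams to get a candidate set that may contain false positives but never misses a real match, and an exact byte search over the candidates plays the role of the final Yara scan. The n-gram length, the sample "binaries" and the Jaccard-based similarity are assumptions of this example, not details from the talk.

```python
from collections import defaultdict
from typing import Dict, List, Set

# n-gram length; an assumption for this example (the page does not say
# which n Binacle uses).
N = 4


class NgramIndex:
    """Full-bin index: every n-gram of every file maps to the set of
    identifiers of the files containing it (its posting list)."""

    def __init__(self, n: int = N) -> None:
        self.n = n
        self.postings: Dict[bytes, Set[int]] = defaultdict(set)
        # Kept only so the confirmation step can re-read the data; a real
        # index would store file paths and let Yara read the files itself.
        self.files: Dict[int, bytes] = {}

    def _grams(self, data: bytes) -> Set[bytes]:
        return {data[i:i + self.n] for i in range(len(data) - self.n + 1)}

    def add(self, file_id: int, data: bytes) -> None:
        self.files[file_id] = data
        for gram in self._grams(data):
            self.postings[gram].add(file_id)

    def candidates(self, pattern: bytes) -> Set[int]:
        """Probabilistic step: files that contain every n-gram of the pattern.
        May return false positives (all n-grams present, but not contiguously),
        never false negatives."""
        if len(pattern) < self.n:
            return set(self.files)  # too short to derive an n-gram: no pruning
        grams = [pattern[i:i + self.n] for i in range(len(pattern) - self.n + 1)]
        result = set(self.postings.get(grams[0], set()))
        for gram in grams[1:]:
            result &= self.postings.get(gram, set())
            if not result:
                break
        return result

    def search(self, pattern: bytes) -> List[int]:
        """Confirmation step (the role Yara plays): exact byte match, run only
        over the candidate set instead of the whole corpus."""
        return sorted(f for f in self.candidates(pattern) if pattern in self.files[f])

    def similarity(self, a: int, b: int) -> float:
        """Jaccard similarity of two files' n-gram sets: a cheap signal that
        two files share code."""
        ga, gb = self._grams(self.files[a]), self._grams(self.files[b])
        return len(ga & gb) / len(ga | gb) if (ga or gb) else 0.0


# Constructed sample "binaries" (not real files): a shared fragment appears
# in files 1 and 2; file 4 contains every n-gram of that fragment but never
# contiguously, which is exactly the false positive the confirmation removes.
SHARED = bytes.fromhex("5589e583ec10")
SAMPLE_FILES = {
    1: b"\x7fELF" + SHARED + b"\x00" * 8,
    2: b"MZ" + b"\x90" * 4 + SHARED + b"\xc3",
    3: b"\x7fELF" + b"\x31\xc0\xc3",
    4: bytes.fromhex("5589e583ff89e583ecffe583ec10"),
}


def build_sample_index() -> NgramIndex:
    idx = NgramIndex()
    for fid, data in SAMPLE_FILES.items():
        idx.add(fid, data)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    print("candidates:", sorted(idx.candidates(SHARED)))   # [1, 2, 4]
    print("confirmed: ", idx.search(SHARED))               # [1, 2]
    print("similarity(1, 2) = %.3f" % idx.similarity(1, 2))
```

File 4 shows why the index is called probabilistic: it passes the n-gram intersection yet does not contain the pattern, so the exact scan is still needed, but it now runs over three files instead of the whole corpus. A pattern shorter than n cannot be pruned at all, which is one reason Yara rules written for this workflow should carry strings at least n bytes long.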
Article and video: https://www.sstic.org/2017/presentation/binacle_indexation_full-bin_de_fichiers_binaires/
YaCo: Collaborative Reverse Engineering
YaCo (Yet Another Collaborative Tool) is a plugin for IDA that allows several users to collaborate on the same project within IDA. For example, YaCo handles function renames and comment edits. The authors (Benoît Amiaux, Frédéric Grelot, Jérémy Bouétard, Martin Tourneboeuf and Valerian Comiti from DGA-MI) explain that the plugin is built on the Git version control system: each user works on a local copy of the project, and every change is versioned and then propagated to the other users' local copies. Conflict handling is also provided.
Video: https://www.sstic.org/2017/presentation/YaCo/
Sibyl: function divination
Camille Mougey (CEA) presented Sibyl, a tool based on Miasm2 that identifies library functions used in malicious code. The approach differs from traditional static analysis in that it looks only at a function's inputs and outputs. Concretely, the tool tries to identify the function located at a given address.
Each candidate is executed in a sandbox with standard parameters. If the output is the expected one, the function has been identified; otherwise the execution crashes or the outputs diverge.
Video: https://www.sstic.org/2017/presentation/sibyl__function_divination/
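The input/output matching just described, as an added example that is not Sibyl's code (Sibyl drives a Miasm2 emulator; here plain Python callables stand in for the code found at an address). Each reference function is described only by a few standard inputs and the outputs a correct implementation must produce; a candidate is tried against every reference, and a crash in the sandbox or a diverging output rules that reference out. The reference set, the test vectors and the three "unknown" functions are constructed for this example.

```python
from typing import Callable, Dict, List, Tuple

# Reference behaviours: for each known library function, a few standard
# parameters and the expected result. Constructed for this example.
REFERENCE: Dict[str, List[Tuple[tuple, object]]] = {
    "strlen": [((b"hello\0",), 5), ((b"\0",), 0), ((b"ab\0cd\0",), 2)],
    "atoi": [((b"42\0",), 42), ((b"-7\0",), -7), ((b"abc\0",), 0), ((b"  12x\0",), 12)],
    "toupper": [((ord("a"),), ord("A")), ((ord("Z"),), ord("Z")), ((ord("1"),), ord("1"))],
}


def run_sandboxed(func: Callable, args: tuple) -> Tuple[bool, object]:
    """Stand-in for executing the code at an address inside an emulator:
    returns (alive, output); any exception is reported as a crash."""
    try:
        return True, func(*args)
    except Exception:
        return False, None


def identify(func: Callable) -> List[str]:
    """Names of every reference function whose behaviour the candidate
    reproduces on all test vectors. Empty list: unknown function."""
    matches = []
    for name, vectors in REFERENCE.items():
        for args, expected in vectors:
            alive, out = run_sandboxed(func, args)
            if not alive or out != expected:
                break  # crash or divergence: not this function
        else:
            matches.append(name)
    return matches


# Three "unknown" functions found in a binary (constructed stand-ins).
def unknown_a(buf: bytes) -> int:
    n = 0                      # walks the buffer up to the NUL byte
    while buf[n] != 0:
        n += 1
    return n


def unknown_b(buf: bytes) -> int:
    i = 0                      # leading whitespace, optional sign, digits
    while buf[i] in b" \t":
        i += 1
    sign = 1
    if buf[i] in b"+-":
        sign = -1 if buf[i] == ord("-") else 1
        i += 1
    val = 0
    while 48 <= buf[i] <= 57:
        val = val * 10 + buf[i] - 48
        i += 1
    return sign * val


def unknown_c(buf: bytes) -> int:
    n = 1                      # strlen look-alike that skips the first byte:
    while buf[n] != 0:         # agrees on two vectors, crashes on b"\0"
        n += 1
    return n


if __name__ == "__main__":
    for f in (unknown_a, unknown_b, unknown_c):
        print(f.__name__, "->", identify(f) or "no match")
```

Note how unknown_c is rejected: it returns the right value on two of the three strlen vectors, but the empty-string vector makes it read past the buffer, which the sandbox reports as a crash. That is why the standard parameters should include the edge cases of each reference function, not only the happy path.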
Breaking Samsung Galaxy Secure Boot through Download mode
Frédéric Basse explained the exploitation of a bug in Galaxy phones that allows the device's NAND memory to be retrieved using an empty SD card.
It should be noted that this attack is hard to detect, since the Knox warranty bit is not modified.
Article and video: https://www.sstic.org/2017/presentation/attacking_samsung_secure_boot/
Oops, your election has been hacked… (Or not)
Martin Untersinger, a journalist for Le Monde, discussed the cyberattacks observed around the time of the presidential elections worldwide, with a particular focus on the United States. The message conveyed clearly demonstrates that attributing such attacks goes far beyond purely technical considerations, revealing geopolitical factors at play.
He explained that the stance taken by US government agencies (FBI/CIA/NSA) on the attribution and disclosure of reports is a historic first. Indeed, acknowledging an attack on a government can undermine the democratic process and do more harm than good, according to Martin.
For the speaker, major questions arise that are slowing down the investigative work:
– Should we publish documents based on their impact?
– Are the documents authentic or altered?
– Should we ignore the information or potentially participate in disinformation?
The conclusion is that the political layer superimposed on a technical subject that is already hard for the uninitiated to follow makes this a Herculean task. For the speaker, it is essential to provide proper context and put safeguards in place when handling this kind of information.
Article and video: https://www.sstic.org/2017/presentation/oups_votre_election_a_ete_piratee/
