SSTIC 2017 – Day One
Introduction
Once again, several Intrinsec consultants were present at SSTIC (Symposium on Information and Communication Technology Security). This 15th edition took place from June 7th to 9th in Rennes, and we are sharing our reports from these three days of conferences.
This edition was, as every year, of high quality and we thank the organizing and programming committees, as well as the presenters and speakers for the quality conferences we were able to attend.
In addition to the summaries below, we encourage you to browse the proceedings, slides, and videos of the conferences, available on the official website.
Links to reports from other days:
- SSTIC 2017 – Day 1
- SSTIC 2017 – Day 2
- SSTIC 2017 – Day 3
Opening Conference: ANTI-DDOS VAC
This year, the opening conference was held by Octave Klaba, founder and CEO of OVH, an IT operator and service provider with data centers in Europe, South America and Asia.
The first part of the presentation highlighted OVH's impressive capabilities in terms of bandwidth and network connections. OVH owns over 10,000 kilometers of dark fiber (distributed between each data center and each point of presence) and has a total network capacity exceeding 10 Tb/s. Continuity is ensured at the Layer 1 network level: all router ports remain constantly operational, guaranteeing a recovery time of less than 50ms in the event of a fiber cut.
Octave then presented OVH's protection solution against distributed denial-of-service attacks (DDoS attacks). Indeed, following several DDoS attacks, OVH was beginning to lose customers who were switching to competitors better equipped to defend against such attacks. OVH therefore implemented the first version of its VAC in 2013. VAC v1 was capable of absorbing 160 Gbps of traffic. In June 2017, with the deployment of VAC version 3 (capable of absorbing 600 Gbps of traffic), the total capacity of OVH's anti-DDoS solution reached 2.5 Tbps.
In the event of a DDoS attack, once the attack reaches the target machine, it becomes unavailable, and this unavailability is detected by OVH's monitoring system. Once the attack is detected, the malicious traffic is captured by the nearest VAC (Vendor Access Control), cleaned, and then reintroduced into OVH's internal network. The traffic is analyzed unidirectionally: responses from the internal network to the internet are not analyzed by this VAC; a separate bidirectional analysis system has been developed. The VAC has several cleaning stages, each handling a specific type of traffic, to improve the VAC's overall efficiency and reduce costs.
The conference concluded with a discussion of current DDoS attacks (OVH records 1200 to 1500 per day!) and a brief recap of Mirai. This botnet, which operated from connected devices (such as connected surveillance cameras), attacked OVH several times, with a peak traffic of 990 Gbps on September 20, 2016. The only visible disruptions were observed in Madrid, prompting OVH to publicize the attack and subsequently take the necessary steps to increase its network capacity.
Video: https://www.sstic.org/2017/presentation/2017_ouverture/
Siloed administration
Aurélien Bordes, from ANSSI, wanted to highlight the new means of protecting Active Directory credentials that have existed since Windows 8 and Windows Server 2012.
After a review of the user population of an Information System and of intrusions in an Active Directory environment (where the domain controller is the most critical point), Aurélien presented a pyramid segmenting resources (equipment and users) according to their level of criticality:
- administrative resources (domain controllers, domain administrators, administrator workstations, etc.) are positioned at the "red" level;
- business or infrastructure resources (messaging, file servers, business server administrators, etc.) are positioned at the "yellow" level;
- the other resources (workstations and administrators of these workstations) are positioned at the "green" level.
Aurélien then reviewed the various methods of privilege escalation within an Active Directory domain, highlighting attacks on administrator authentication systems (at each security level). The primary security objective is therefore to protect administrator authentication secrets.
After a brief review of NTLM and Kerberos, Aurélien presented the new protection mechanisms implemented in Windows 8 and Windows Server 2012 with regard to Active Directory and Kerberos:
- claims: security attributes that extend the historical Windows authentication model based on SIDs;
- Kerberos armoring, which implements FAST (Flexible Authentication via Secure Tunneling);
- authentication policies, which restrict the workstations or servers from which authentication is authorized;
- authentication silos: a grouping of workstations to which an authentication policy is applied (the idea being that all machines in the red zone must be placed within a silo).
Finally, composite authentication implements all the principles mentioned above.
All these protections are simple to implement and allow for effective compartmentalization of usage levels, but they are very little used at the moment, mainly because of the Windows and Windows Server versions they require.
Article and video: https://www.sstic.org/2017/presentation/administration_en_silo/
WSUSpendu
Romain Coltel (Alsid) and Yves Le Provost (ANSSI) presented their tool for compromising an Active Directory domain, based on the implementation of a fake update in a WSUS server (Windows Server Update Service).
After a review of the Windows workstation update process within a company and a presentation of the components of a WSUS server, the speakers reiterated that the only concrete attack on a WSUS server so far was "WSUSpect", presented at the Black Hat conference in 2015. Their tool WSUSpendu distinguishes itself by directly attacking the WSUS server:
- modification of the database of available updates;
- addition of the binaries that will be used for the attack. These binaries must be signed by Microsoft, so the most useful binaries for the attack will certainly be... psexec and bginfo.
The malicious update will therefore push these binaries and force their execution, with the appropriate arguments to execute the command of their choice and compromise the machine that will receive the update.
The following protective measures need to be put in place:
- enable TLS;
- put the WSUS servers in the "red" trusted zone.
Article and video: https://www.sstic.org/2017/presentation/wsus_pendu/
System hardening using systemd
Timothée Ravier (ANSSI) presented three Linux kernel security mechanisms and detailed their implementation using the features offered by systemd:
- filtering of the system calls available to a process (with seccomp-bpf);
- Linux capabilities (restricting the rights granted to a root process and adding permissions to a non-root process);
- mount namespaces (a separate file system tree for each service).
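As an added example (not from the talk or its article), the three mechanisms above mapped onto systemd unit directives for a hypothetical service; the unit name, binary path and state directory are placeholders:

```ini
# /etc/systemd/system/example-api.service  (hypothetical unit, for illustration)
[Unit]
Description=Example network service sandboxed with systemd

[Service]
ExecStart=/usr/local/bin/example-api --listen 0.0.0.0:443
# Run as a throwaway unprivileged user allocated at start time,
# and forbid regaining privileges via setuid/fscaps binaries.
DynamicUser=yes
NoNewPrivileges=yes

# 1. System call filtering (seccomp-bpf): allow the "system service"
#    group, then explicitly deny privileged and resource-tuning groups.
#    A filtered call fails with EPERM instead of killing the process.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount @reboot @swap
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

# 2. Capabilities: the non-root process keeps only CAP_NET_BIND_SERVICE
#    (needed for port 443) and receives it as an ambient capability.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# 3. Mount namespace: a private, mostly read-only view of the tree.
#    /usr, /etc and /boot are read-only, /home is hidden, /tmp and /dev
#    are private, and only the state directory stays writable.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
StateDirectory=example-api
InaccessiblePaths=/srv
```

After `systemctl daemon-reload`, `systemd-analyze security example-api.service` (systemd 240 and later) scores the unit and lists which of these directives are still missing.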
Article and video: https://www.sstic.org/2017/presentation/durcissement_systeme_avec_systemd/
Landlock: Non-privileged programmable partitioning
Mickaël Salaün (ANSSI) presented his security module for Linux which aims to perform application partitioning.
After a review of the tools and mechanisms already existing in the field (SELinux, seccomp-bpf, namespaces), Mickaël detailed how his tool works: it offers privilege reduction for processes that do not have root privileges, without modifying the system's global security policies.
Video: https://www.sstic.org/2017/presentation/landlock/
Static Analysis and Runtime-Assertion Checking: Contribution to Security Counter-Measures
After a well-deserved first meal, the conference continued with a presentation on automatic vulnerability detection in source code, culminating in the automatic generation of defensive code. This approach uses formal methods that have now proven their worth in this type of analysis.
The speakers (Dillon Pariente from Dassault Aviation and Julien Signoles from the CEA) then presented the CURSOR method, which consists of combining the VALUE plugins of FRAMA-C and ACSL to identify the behaviors of the analyzed program and raise alerts in case of potential dangers.
The presentation concluded with a demonstration using code vulnerable to buffer overflow. CURSOR then raises alarms on the function and replaces the warning comments with event comments and control code.
Article and video: https://www.sstic.org/2017/presentation/static_analysis_and_runtime-assertion_checking_contribution_to_security_counter-measures/
BinCAT: purrfecting binary static analysis
The speakers (Philippe Biondi, Raphaël Rigo, Sarah Zennou and Xavier Mehrenberger from Airbus) presented a tool developed internally by Airbus, BinCAT, a static analyzer for x86 binary code. It primarily enables taint analysis and the tracking of indirect jumps in the code. A forward and backward review method is also implemented, and to please the most dedicated users, the tool can be integrated into IDA.
To function, the tool transforms the binary code into an intermediate language to facilitate analysis. This behavior was also chosen by the authors to facilitate future developments, particularly for supporting diverse architectures.
The presentation continued with a demonstration using a crackme that calculates custom CRC32 license keys from user input. Throughout the execution, BinCAT will color in green any data derived from user input, even if the data passes through functions such as sprintf().
Article and video: https://www.sstic.org/2017/presentation/bincat_purrfecting_binary_static_analysis/
Binary deobfuscation: Reconstruction of virtualized functions
Prepared by Jonathan Salwan (Quarkslab), Marie-Laure Potet (CEA) and Sébastien Bardin (VERIMAG), this conference tackled the problem of software protection, which makes it difficult to analyze a program without damaging its properties.
One of the techniques discussed, virtualization, involves rewriting the code using proprietary bytecode. One obstacle to analysis is the mixing of execution traces from the VM with those of the original program. To circumvent this problem, the presenter performed the following five actions:
- tainting of virtualized user inputs;
- translation of ASM into IL based on Triton;
- extraction of a logical path and path discovery using an SMT solver;
- extraction of the entire IR code and transformation into LLVM code via Arybo;
- transformation of LLVM code into ASM using optimization passes.
In order to test his tool, the speaker attempted to solve the Tigress challenges. The result is conclusive, because according to the speaker, nothing withstood the tool's analysis. However, a 1TB SSD is necessary, on which a very large swap partition must be defined (unless you have a machine with more than 800GB of RAM).
Article and video: https://www.sstic.org/2017/presentation/desobfuscation_binaire_reconstruction_de_fonctions_virtualisees/
Writing parsers like it is 2017
The speakers (Geoffroy Couprie from ANSSI and Pierre Chifflier from Clever Cloud) began by presenting the sad current state of software developed over the years:
- the code is very often riddled with vulnerabilities and is difficult to test;
- it is impossible to rewrite everything at a low cost.
Based on this observation, the speakers proposed replacing only the vulnerable sections, particularly the C/C++ parsing part. They then presented Rust, a relatively new language that manages memory and has robust validation mechanisms. For this approach, the nom library allows combining sets of parsers from Rust macros based on certain functional programming concepts.
Then, the speakers used the VLC media player as an example. In this case, they decided to rewrite the integration interface and the parsers that manage the codecs/plugins defined in DLLs. In their approach, the speakers reminded the audience that we are merely guests in the C programming environment and that it is therefore necessary to leave memory management to C.
In conclusion, this new method enables communication with legacy languages while guaranteeing that no data is copied or converted. Finally, the speakers outlined the basic principles of this approach:
- only use safe code;
- avoid mixing parsing and interpretation;
- be strict in what you generate, and lax in what you accept;
- the parsers are the easiest part.
Article and video: https://www.sstic.org/2017/presentation/writing_parsers_like_it_is_2017/
caradoc: a toolbox for calmly dissecting and analyzing PDF files
The speakers (Guillaume Endignoux from EPFL and Olivier Levillain from ANSSI) began their presentation by addressing criticisms of the PDF format: its buggy reference implementation, various interpretations, the reference table, and so on. They specifically demonstrated the inconsistencies between different readers of this format, which do not display the same thing for an identical document.
Based on this observation, the speakers proposed a tool, developed in OCaml, for parsing PDF files. The aim here is clearly not to analyze potentially malicious content, but rather to prevent reading errors.
Article and video: https://www.sstic.org/2017/presentation/caradoc/
