1.1
pts2021
PTS2021
2021-07-05
2021-07-07
3
00:05
https://cfp.pass-the-salt.org/pts2021/schedule/
Europe/Paris
2021-07-05T13:45:00+02:00
13:45
00:15
Zoom room
pts2021-33-welcome
https://cfp.pass-the-salt.org/pts2021/talk/LB9CZS/
false
Welcome
Special
en
Welcome talk by org team
2021-07-05T14:00:00+02:00
14:00
00:35
Zoom room
pts2021-25-jailbreak-detection-mechanisms-and-how-to-bypass-them
https://cfp.pass-the-salt.org/pts2021/talk/LQDHNS/
false
Jailbreak detection mechanisms and how to bypass them
Talk
en
Some iOS mobile applications try to detect whether they are running on a jailbroken device in order to protect intellectual property, defend against bots or make sure that they run on a relatively secure device.
However jailbroken devices are very useful to observe and reverse applications. Those protected with anti-jailbreak code are then more tedious to reverse thus complicating their security assessment or the development of alternatives.
In this talk we will first present how specific iOS restrictions complicate reverse engineering but also reduce the number of tools that can be used by software protection. Then, we will list the different methods available to detect a jailbreak. Finally, we will describe how to study and bypass a real-world anti-jailbreak solution with the well-known open-source dynamic instrumentation framework Frida.
Eloi Benoist-Vanderbeken
2021-07-05T14:40:00+02:00
14:40
00:35
Zoom room
pts2021-22-pithus-let-s-open-the-android-pandora-s-box
https://cfp.pass-the-salt.org/pts2021/talk/MGCYPT/
false
Pithus: let's open the Android pandora's box
Talk
en
Pithus is the answer to the exponential growth of mobile threats. Malicious apps, fake apps and data laundering are the main threats when it comes to mobile security. Their detection and analysis should be available to all and not the property of a private company. Unlike some commercial solutions with exorbitant prices, Pithus is an entirely open platform supported and maintained by the community.
Threats such as permanent tracking and data laundering are made possible by the total lack of transparency and the lack of understanding around what and how data is gathered. Pithus brings transparency through clear and structured reports. Activists, journalists, NGOs, and any other technical community can easily generate these reports and leverage them to better understand the threat landscape.
During this talk, we will discuss the need for free and open-source mobile threat intelligence platforms and how we could build them. Beyond analysis, we will dig into how data science could help us efficiently identify similar or new threats.
/media/pts2021/submissions/MGCYPT/2021-04-27_12-16_r6R4T6W.png
U039b
2021-07-05T15:20:00+02:00
15:20
00:35
Zoom room
pts2021-12-hook-as-you-want-it
https://cfp.pass-the-salt.org/pts2021/talk/CTWBB8/
false
Hook as you want it
Talk
en
In the context of my work, it is often required to audit the solution as an entire entity. Today, the main gateway used to connect a device to a web server, for example, is our dear smartphone. It has become an important vector of attack, for our phones themselves as well as for the devices with which it will interconnect.
Several open source projects exist, each with their own particularities, but so far I haven't found any tool that fully suits me. So I started to develop ASThook (https://madsquirrels.gitlab.io/mobile/asthook/index.html), a tool for static and dynamic analysis of Android applications, designed to link static analysis to dynamic analysis.
Its second goal is to let the community add features without requiring high programming skills or a deep understanding of the tool.
For instance, the community will be able to add plugins using the automatic APK generation features for POCs, tree traversal or Frida hook insertion directly in the application, without risking slowing down the analysis.
As my job is mainly focused on auditing physical equipment, I increasingly encounter embedded systems running on Android. I have therefore implemented the possibility to adapt the tool to run the analysis on more exotic platforms such as car head units or microsystems.
/media/pts2021/submissions/CTWBB8/logo_eCZagUg.png
Benoit Forgette
2021-07-05T16:10:00+02:00
16:10
00:35
Zoom room
pts2021-4-patrowlhears-and-survival-tips-for-prioritizing-threats
https://cfp.pass-the-salt.org/pts2021/talk/LA9V9Y/
false
PatrowlHears and Survival tips for prioritizing threats
Talk
en
With hundreds of vulnerabilities with critical or high severity to deal with, the daily security reports look like a shining Christmas tree. Prioritization of vulnerabilities is a top success factor for ensuring an efficient security incident response and vulnerability management program.
PatrOwl community provides scalable, free and open-source solutions for orchestrating Security Operations and providing Threat Intelligence feeds. A new tool has been publicly released for supporting these challenges: PatrowlHears is an advanced and real-time Vulnerability Intelligence platform, including CVE, exploits and threats news monitoring.
Solutions must be found to face the overall growing threat of attacks, talent shortage and cost optimization challenges in cybersecurity. The current trend is to rely on automation and orchestration of security operations.
The fact is that automating SecOps activities leads to managing more security alerts. The downside is a potential flood of new security alerts every day. With hundreds of vulnerabilities with critical or high severity to deal with, the daily security reports look like a shining Christmas tree. It could definitely lead to jaded teams or, even worse, bad decisions in vulnerability handling.
Obviously, it is not realistic to hope that all vulnerabilities will be fixed. A line has to be drawn by the business owners in agreement with the security teams. Prioritization is an essential success factor for improving efficiency and continuing to provide the highest quality and most relevant service in security incident response and vulnerability management. Because the CVSS score is not enough, which are the relevant metrics? How to collect them? Which decision should be made? How to review the efficiency of this process and adapt it?
This talk will share insights on a risk-based methodology in vulnerability management and a new open-source tool, PatrowlHears. This approach is enabled by a balanced usage of SecOps automation to keep us updated on vulnerabilities, exploits and other threat information, and prioritization using vulnerability metrics, threat topicality and asset criticality. We will also discuss examples of events that should lead us to consider reprioritizing the handling of a vulnerability.
Nicolas Mattiocco
2021-07-05T16:50:00+02:00
16:50
00:35
Zoom room
pts2021-14-forensics-low-level-having-fun-with-linux-onboard-tools
https://cfp.pass-the-salt.org/pts2021/talk/JDP7LB/
false
Forensics Low Level - Having fun with Linux onboard tools
Talk
en
In this presentation I will cover some curiosities I stumbled over while working in forensics. One goal is to show that you cannot always rely on tools and should be able to read the data at byte level to understand what's going wrong.
The presentation will consist of 3 live demos, all based on Linux standard tools like 'dd', 'hexedit' and the like.
1. In forensics a hardware write-blocker is necessary. Just mounting the device in RO mode is not sufficient. I will connect a USB stick to my laptop and mount it RO. After this I will modify some data on the USB stick.
2. I have a standard USB stick and simply modify some (3) bytes on it. The result: Linux will mount up to 250 partitions. Some tools either hang or simply display wrong information. You need to read the bytes of the partition table to understand what's going wrong.
3. If you connect another USB stick to a Windows machine, files A, B and C have content X, Y and Z. If you connect the same USB stick to Linux, files A, B and C have content U, V, W. Analyzing and understanding the Master Boot Record will reveal the secret.
Michael Hamm
2021-07-06T14:00:00+02:00
14:00
00:35
Zoom room
pts2021-9-fedora-coreos-a-container-focused-os-to-securely-deploy-and-run-applications
https://cfp.pass-the-salt.org/pts2021/talk/PGEJ7T/
false
Fedora CoreOS, a container focused OS to securely deploy and run applications
Talk
en
Fedora CoreOS is an automatically updating, minimal, monolithic, container-focused operating system, designed for clusters but also operable standalone, optimized for Kubernetes but also great without it. It aims to combine the best of both CoreOS Container Linux and Fedora Atomic Host, integrating technology like Ignition from Container Linux with rpm-ostree and SELinux hardening from Project Atomic. Its goal is to provide the best container host to run containerized workloads securely and at scale.
This talk will describe how Fedora CoreOS is built and maintained, and will explain what makes it particularly well suited to securely host modern applications in containers.
This talk will be illustrated by several examples: how to easily run a Matrix server on a single node, how to deploy Nomad on three nodes and how to use it as part of a Kubernetes distribution (OKD or Typhoon).
Timothée Ravier
2021-07-06T14:40:00+02:00
14:40
00:35
Zoom room
pts2021-6-hosting-identity-in-the-cloud-with-free-softwares
https://cfp.pass-the-salt.org/pts2021/talk/YPKX9Q/
false
Hosting Identity in the Cloud with free software
Talk
en
Identity and Access Management (IAM) is a critical service often hosted inside the company IT, for historical reasons and also security concerns. But we see a recent move in this area: IAM can now be run as any SaaS application, in most cases by choosing private firms (and mainly American ones). Is this the only option?
I will talk here about a new initiative, which relies on the FusionIAM project, that gathers well-known IAM free software like OpenLDAP, LemonLDAP::NG, LDAP Tool Box and Fusion Directory. We will see how to deploy and use these components in the Cloud to offer an alternative to proprietary solutions.
Clément Oudot
2021-07-06T15:20:00+02:00
15:20
00:35
Zoom room
pts2021-26-biscuit-pubkey-signed-token-with-offline-attenuation-and-datalog-authz-policies
https://cfp.pass-the-salt.org/pts2021/talk/DASVEW/
true
Biscuit: pubkey signed token with offline attenuation and Datalog authz policies
Talk
en
Biscuit is a new kind of authorization token that merges the public-key signatures of JWT with the offline attenuation and caveats of macaroons. It comes with a Datalog-based language to express policies, which can be provided by the token or by the server side.
This feature set unlocks powerful use cases like multitenant systems that need flexible authorization policies, or chains of microservice requests with locked-down bearer tokens.
Geoffroy Couprie
2021-07-06T16:10:00+02:00
16:10
00:35
Zoom room
pts2021-13-generating-weird-files
https://cfp.pass-the-salt.org/pts2021/talk/UCN3C9/
false
Generating Weird Files
Talk
en
This talk covers various ways of bypassing security by fooling filetype identification, either by signatures via mock files, or by dual formats via binary polyglots.
Near polyglots are also covered and how when combined with standard cryptographic operations, they can produce uncommon results such as surviving encryption or getting different valid contents from the same ciphertext via authenticated decryption.
This talk also introduces Mitra, an open-source file mixer, the combination strategies that it uses, and how little it knows about file formats to do its magic.
/media/pts2021/submissions/UCN3C9/gwf_G2DGfrD.png
Ange Albertini
2021-07-06T16:50:00+02:00
16:50
00:35
Zoom room
pts2021-20-home-made-distributed-blocklist
https://cfp.pass-the-salt.org/pts2021/talk/GGLJSS/
false
Home-Made Distributed Blocklist
Talk
en
When implementing security solutions, there are many ways to integrate a blocklist and improve the detection of suspicious/malicious activity. While many blocklists are available online, sometimes their content does not fit exactly with your expectations (false positives, too complex, etc). So, I implemented my own blocklist based on a REST API. This allows me to interconnect it with many tools/scripts/devices to fetch or update its content. In this presentation, I'll explain how and why I implemented it with only one goal: automation & improvement of the security perimeter.
Xavier Mertens
2021-07-06T17:30:00+02:00
17:30
00:20
Zoom room
pts2021-24-security-alerting-made-easy-using-python
https://cfp.pass-the-salt.org/pts2021/talk/TMB7XQ/
false
Security alerting made easy using Python
Short Talk
en
A common question about sudo and syslog-ng is how to send alerts to various online services. Both of these have supported sending email notifications for a long time, but more recently users have requested real-time alerting to Slack, Telegram, Discord and others. Peter’s talk will introduce you to alerting using the AppRise Python library. You will need to know a bit of Python and at least one of sudo or syslog-ng to understand the examples, but what you learn will help you to implement real-time alerting in a wide range of applications.
First of all, what do we mean by alerting? It is sending notifications about important events in your IT environment. Traditionally, this meant receiving a flood of emails when a problem occurred. These days, there are many more services that can be used to receive alerts. You can send alerts to most of them through HTTP-based protocols.
Syslog-ng has an http() destination that can be used to send alerts to various online services. However, even when a service’s API is published, figuring out how to actually use it can be difficult. The new python() destination makes it possible to connect to additional services through the use of client libraries, but still requires work for each new service.
This is where the AppRise Python library can help. It supports most of the well-known instant messaging services in addition to many other, less well-known services. Once you integrate it into your project you instantly have access to dozens of services that you can send alerts to.
Through the sudo and syslog-ng integrations you will learn how to work with AppRise. The included Python code focuses on functionality, but lacks proper error handling to make it easier to read.
A live demo will show sending alerts to Discord and how easy it is to change the alerting to use other services.
Peter Czanik
2021-07-07T14:00:00+02:00
14:00
00:35
Zoom room
pts2021-28-att-cking-kubernetes-a-technical-deep-dive-into-the-new-att-ck-for-containers
https://cfp.pass-the-salt.org/pts2021/talk/MZRXDW/
false
ATT&CKing Kubernetes: A technical deep dive into the new ATT&CK for Containers
Talk
en
This presentation aims to talk about different attack scenarios leveraging Kubernetes clusters. We'll dig deeper into a real-world attack scenario using real-world applications to demonstrate different ways attackers and malicious users can exploit your cluster and the applications running on it. But first, we'll give an overview of Kubernetes and its architecture, covering the main components of the Control Plane and the Worker Nodes. Then, we'll use the K8s Threat Matrix and the MITRE ATT&CK for Containers published this year to discuss the Tactics, Techniques and Procedures and demonstrate the Recon, Exploitation and Post-Exploitation phases. After that, we'll provide some best practices for securing your cluster based on the scenarios and the CIS Benchmarks for Kubernetes. We'll show how to use Role-based access control (RBAC) for access control, how to enable audit logs for security and troubleshooting, and we'll set up some network policies to avoid communication between pods and prevent any lateral movement from attackers.
Introduction to Kubernetes
Outline of K8s Architecture
- Control Plane
  - Kube API Server
  - Kube Controller Manager
  - etcd
  - Kube Scheduler
  - Cloud Controller Manager
- Worker Nodes
  - kubelet
  - kube-proxy
  - CRE (Container Runtime Engine)
MITRE ATT&CK
- K8s Threat Matrix
- MITRE ATT&CK for Containers (and K8s)
- K8s ATT&CK Scenario & Flow
Attacking K8s
- Recon / Initial Access
- Exploitation / Execution
- Post-Exploitation / Persistence
Defending K8s
- API Server
- CIS Benchmark
- Image Scanning
- Runtime Protection
- Network Policy
- Pod Security Policy (PSP) - Deprecated
- PSP Alternatives
- Audit Logs
Magno Logan
2021-07-07T14:40:00+02:00
14:40
00:35
Zoom room
pts2021-5-revisiting-the-art-of-encoder-fu-for-novel-shellcode-obfuscation-techniques
https://cfp.pass-the-salt.org/pts2021/talk/N3EUGV/
true
Revisiting the Art of Encoder-Fu for novel shellcode obfuscation techniques
Talk
en
This talk is based around the process of building encoders for shellcode in this day and age, where we are surrounded by NextGen firewalls, IDS/IPS and EDR solutions, and ever-newer AV detection models (signature- and behavior-based detection techniques) incorporating Machine Learning artifacts. Despite the implementation of security controls, some of the forgotten methods of obfuscation work wonders to bypass the latest security mechanisms.
The idea is to develop an understanding of obscure assembly instructions and to be able to associate them with the common trends found in automated tools. The talk focuses on building the ability to see current patterns and trends in evasion and detection methodologies, which also include advanced "one-way" shellcode and multi-stage payloads that can evade defenses.
The talk also includes a deep dive into the idea of obfuscating shellcode and executables as deliverables/payloads, focusing on techniques by category: basic encoding, morphing/partial morphing, cross-compilation, polymorphism vs. encrypted and mutated encoders.
At the end of the talk, we will also cover the analysis of publicly available encoders from MSF that are used in common offensive tradecraft, and show how the fundamentals mentioned above make them relevant in modern attack scenarios.
Harpreet Singh, Yashdeep Saini
2021-07-07T15:20:00+02:00
15:20
00:35
Zoom room
pts2021-11-in-search-of-lost-time-a-review-of-javascript-timers-in-browsers
https://cfp.pass-the-salt.org/pts2021/talk/DPKWYA/
false
In Search of Lost Time: A Review of JavaScript Timers in Browsers
Talk
en
JavaScript-based timing attacks have been greatly explored over the last few years. They rely on subtle timing differences to infer information that should not be available inside of the JavaScript sandbox. In reaction to these attacks, the W3C and browser vendors have implemented several countermeasures, with an important focus on JavaScript timers. However, as these attacks multiplied in the last years, so did the countermeasures, in a cat-and-mouse game fashion.
In this presentation, we present the evolution and current situation of timing attacks in browsers, as well as statistical tools to characterize available timers. Our goal is to present a clear view of the attack surface and understand what are the main prerequisites and classes of browser-based timing attacks and what are the main countermeasures. We focus on determining to what extent the changes on timing-based countermeasures impact browser security. In particular, we show that the shift in protecting against transient execution attacks has re-enabled other attacks such as microarchitectural side-channel attacks with a higher bandwidth than what was possible just two years ago.
This research was done in collaboration with Clémentine Maurice and Pierre Laperdrix, and was published at the EuroS&P 2021 conference.
Paper: https://people.irisa.fr/Thomas.Rokicki/publications/timer-paper.pdf
Repository: https://github.com/thomasrokicki/in-search-of-lost-time
Variations of computation time can reveal information about the state of a system. Research has uncovered a variety of side and covert channels, allowing potential attackers to extract secrets or track user behavior. Timing attacks can aim at different components of the microarchitecture, e.g., cache, DRAM, and are purely software-based. These attacks have two common prerequisites: they run code on the victim's hardware, and they rely on high-resolution timers that can distinguish small timing variations in the order of 100ns. Most of the timing attacks are implemented in native code, allowing the attacker to have great control over the memory and cycle-accurate timers.
In contrast, JavaScript is a high-level object-oriented interpreted scripting language, following the ECMAScript standard. Contrary to native code, it is much easier to run JavaScript code on a victim's system as it is a major component of the web, used by billions of people every day. Almost all websites use JavaScript to execute code on the client side, and by visiting a page a client can download and execute dozens of different scripts. For security purposes, JavaScript code runs inside a sandboxed environment, restricting access to local files, virtual or physical memory addresses and native instructions. These restrictions make it harder to implement microarchitectural attacks. However, fully JavaScript-based timing attacks, running entirely in the browser, have been implemented, bypassing the sandbox restrictions. These attacks include cache attacks, attacks on shared software resources, and even transient execution attacks like Spectre.
To try and mitigate JavaScript-based timing attacks, browser vendors have developed countermeasures, specifically targeting timers. Notably, they decreased the resolution of timers to make them less precise and introduced jitter to add noise to measurements. Other security features like site isolation were added to reinforce the security of browsers and act as a novel line of defense against timing attacks. After the deployment of such countermeasures, browser vendors re-allowed access to high-resolution timers. Amid all these changes, it can be hard to keep track of all the different evolutions that browsers underwent. In particular, it is unclear how the attacks described in the literature are impacted by current countermeasures.
In this presentation, we will introduce the various ways to create high resolution timers in JavaScript. Then, we will present the major classes of browser-based timing attacks, followed by the browser-based countermeasures. Finally, we will evaluate the efficiency of the evolution of countermeasures in the later releases of Firefox and Chrome.
Thomas Rokicki
2021-07-07T16:10:00+02:00
16:10
00:35
Zoom room
pts2021-18-oramfs-achieving-storage-agnostic-privacy
https://cfp.pass-the-salt.org/pts2021/talk/NQDAJF/
false
ORAMFS: Achieving Storage-Agnostic Privacy
Talk
en
You may believe traditional storage encryption is enough to protect the privacy of your data at rest, even in untrusted environments. Think twice: Access pattern leakage can, in many cases, reveal sensitive information to an attacker. For example, a malicious cloud provider can still see whether a user performs read or write operations and which part of the data is accessed, even if all of the data is encrypted.
Oblivious Random Access Machines (ORAMs) are cryptographic schemes that hide both data and access patterns. This obfuscation is achieved by making redundant read/write operations and encrypting, re-randomizing, and shuffling the blocks composing the storage layer on every access. The resulting loss of performance is a tradeoff that allows untrusted storage to be turned into trusted storage solely via software. However, existing solutions are cumbersome for the user, requiring the storage provider to support the ORAM scheme.
We implemented oramfs: an open source, cloud- and storage-agnostic, resizable ORAM client written in Rust that offers privacy features beyond encryption. In this talk, we look at how a practical ORAM scheme such as PathORAM works, give some background about oramfs, and show how it can be used to protect data resting on untrusted storage.
Nils Amiet, Tommaso Gagliardoni
2021-07-07T16:50:00+02:00
16:50
00:20
Zoom room
pts2021-19-meet-piotr-a-firmware-emulation-tool-for-trainers-and-researchers
https://cfp.pass-the-salt.org/pts2021/talk/8CAB8G/
false
Meet Piotr, a firmware emulation tool for trainers and researchers
Short Talk
en
Piotr is a tool designed to create, run and share virtual IoT devices that can be used to teach IoT security or research vulnerabilities in firmware.
Piotr runs emulated devices inside an emulated host that provides all the tools you may need and creates a fake environment for them. This approach allows remote debugging with gdbserver or frida-server, and provides a steady platform for vulnerability research, exploitation and training.
Moreover, Piotr is able to package any emulated device into a single file that may be shared and imported by other users, thus sharing its kernel, DTB file or even its host filesystem. This way, it is possible to create new emulated devices based upon existing ones, and to improve all of them by simply changing a single file (kernel, host filesystem, etc.).
Damien Cauquil