PTS2021
Welcome talk by org team
Some iOS mobile applications try to detect whether they are running on a jailbroken device in order to protect intellectual property, defend against bots or make sure that they run on a relatively secure device.
However, jailbroken devices are very useful for observing and reversing applications. Those protected with anti-jailbreak code are then more tedious to reverse, thus complicating their security assessment or the development of alternatives.
In this talk we will first present how specific iOS restrictions complicate reverse engineering but also reduce the number of tools that can be used by software protection. Then, we will list the different methods available to detect a jailbreak. Finally, we will describe how to study and bypass a real-world anti-jailbreak solution with the well-known open-source dynamic instrumentation framework Frida.
Pithus is the answer to the exponential growth of mobile threats. Malicious apps, fake apps and data laundering are the main threats when it comes to mobile security. Their detection and analysis should be available to all and not the property of a private company. Unlike some commercial solutions with exorbitant prices, Pithus is an entirely open platform supported and maintained by the community.
Threats such as permanent tracking and data laundering are made possible by the total lack of transparency and the lack of understanding around what and how data is gathered. Pithus brings transparency through clear and structured reports. Activists, journalists, NGOs, and any other technical community can easily generate these reports and leverage them to better understand the threat landscape.
During this talk, we will discuss the need for free and open-source mobile threat intelligence platforms and how we could build them. Beyond analysis, we will dig into how data science could help us efficiently identify similar or new threats.
In the context of my work, it is often required to audit the solution as an entire entity. Today, the main gateway used to connect a device to a web server, for example, is our dear smartphone. It has become an important attack vector, for our phones themselves as well as for the devices with which they will interconnect.
Several open-source projects exist, each with their own particularities, but today, I haven't found any tool that fully suits me. So I started to develop ASThook (https://madsquirrels.gitlab.io/mobile/asthook/index.html), a tool for static and dynamic analysis of Android applications, designed to link static analysis to dynamic analysis.
Its second goal is to allow the community to add features without requiring high programming skills or a deep understanding of the tool.
For instance, the community will be able to add plugins using the automatic APK generation features for POCs, tree traversal or Frida hook addition directly in the application, without risking slowing down the analysis.
As my job is mainly focused on auditing physical equipment, I more and more regularly encounter embedded systems running on Android. I have therefore implemented the possibility to adapt the tool to run the analysis on more exotic platforms such as car head units or microsystems.
With hundreds of vulnerabilities with critical or high severity to deal with, the daily security reports look like a shining Christmas tree. Prioritization of vulnerabilities is a top success factor for ensuring an efficient security incident response and vulnerability management program.
The PatrOwl community provides scalable, free and open-source solutions for orchestrating security operations and providing threat intelligence feeds. A new tool has been publicly released to support these challenges: PatrowlHears is an advanced, real-time vulnerability intelligence platform, including CVE, exploit and threat news monitoring.
In this presentation I will cover some curiosities I stumbled upon while working in forensics. One goal is to show that you cannot always rely on tools and should be able to read the data at the byte level to understand what's going wrong.
Fedora CoreOS is an automatically updating, minimal, monolithic, container-focused operating system, designed for clusters but also operable standalone, optimized for Kubernetes but also great without it. It aims to combine the best of both CoreOS Container Linux and Fedora Atomic Host, integrating technology like Ignition from Container Linux with rpm-ostree and SELinux hardening from Project Atomic. Its goal is to provide the best container host to run containerized workloads securely and at scale.
This talk will describe how Fedora CoreOS is built and maintained and will explain what makes it particularly well suited to securely hosting modern applications in containers.
This talk will be illustrated by several examples: how to easily run a Matrix server on a single node, how to deploy Nomad on three nodes and how to use it as part of a Kubernetes distribution (OKD or Typhoon).
Identity and Access Management (IAM) is a critical service often hosted inside the company IT, for historical reasons and also security concerns. But we see a recent move in this area: IAM can now be run like any SaaS application, in most cases by choosing private firms (mainly American ones). Is this the only option?
Biscuit is a new kind of authorization token that merges the public key signatures of JWT with the offline attenuation and caveats of macaroons. It comes with a Datalog-based language to express policies, which can be provided by the token or by the server side.
This feature set unlocks powerful use cases such as multitenant systems that need flexible authorization policies, or chains of microservice requests with locked-down bearer tokens.
This talk covers various ways of bypassing security by fooling filetype identification, either by signatures via mock files, or by dual formats via binary polyglots.
Near polyglots are also covered, and how, when combined with standard cryptographic operations, they can produce uncommon results such as surviving encryption or yielding different valid contents from the same ciphertext via authenticated decryption.
This talk also introduces Mitra, an open-source file mixer, the combination strategies that it uses, and how little it knows about file formats to do its magic.
When implementing security solutions, there are many ways to integrate a blocklist and improve the detection of suspicious/malicious activity. While many blocklists are available online, sometimes their content does not fit exactly with your expectations (false positives, too complex, etc.). So, I implemented my own blocklist based on a REST API. This allows me to interconnect it with many tools/scripts/devices to fetch or update its content. In this presentation, I'll explain how and why I implemented it with only one goal: automation and improvement of the security perimeter.
A common question about sudo and syslog-ng is how to send alerts to various online services. Both of these have supported sending email notifications for a long time, but more recently users have requested real-time alerting to Slack, Telegram, Discord and others. Peter’s talk will introduce you to alerting using the AppRise Python library. You will need to know a bit of Python and at least one of sudo or syslog-ng to understand the examples, but what you learn will help you to implement real-time alerting in a wide range of applications.
First of all, what do we mean by alerting? It is sending notifications about important events in your IT environment. Traditionally, this meant receiving a flood of emails when a problem occurred. These days, there are many more services that can be used to receive alerts. You can send alerts to most of them through HTTP-based protocols.
Syslog-ng has an http() destination that can be used to send alerts to various online services. However, even when a service’s API is published, figuring out how to actually use it can be difficult. The new python() destination makes it possible to connect to additional services through the use of client libraries, but still requires work for each new service.
This is where the AppRise Python library can help. It supports most of the well-known instant messaging services in addition to many other, less well-known services. Once you integrate it into your project, you instantly have access to dozens of services that you can send alerts to.
Through the sudo and syslog-ng integrations you will learn how to work with AppRise. The included Python code focuses on functionality, but lacks proper error handling to make it easier to read.
A live demo will show sending alerts to Discord and how easy it is to change the alerting to use other services.
This presentation aims to talk about different attack scenarios leveraging Kubernetes clusters. We'll dig deeper into a real-world attack scenario using real-world applications to demonstrate the different ways attackers and malicious users can exploit your cluster and the applications running on it. But first, we'll give an overview of Kubernetes and its architecture, covering the main components of the Control Plane and the Worker Nodes. Then, we'll use the K8s Threat Matrix and the MITRE ATT&CK for Containers published this year to discuss the Tactics, Techniques and Procedures of the Recon, Exploitation and Post-Exploitation phases. After that, we'll provide some best practices for securing your cluster based on the scenarios and the CIS Benchmarks for Kubernetes. We'll show how to use Role-Based Access Control (RBAC) for access control, how to enable audit logs for security and troubleshooting, and we'll set up some network policies to restrict communication between pods and prevent lateral movement by attackers.
This talk is based around the process of building encoders for shellcode in this day and age, where we are surrounded by NextGen Firewalls, IDS/IPS and EDR solutions, and continuously released AV detection models (signature- and behavior-based detection techniques) incorporating Machine Learning artifacts. Despite the implementation of these security controls, some of the forgotten methods of obfuscation work wonders to bypass the latest security mechanisms.
JavaScript-based timing attacks have been extensively explored over the last few years. They rely on subtle timing differences to infer information that should not be available inside the JavaScript sandbox. In reaction to these attacks, the W3C and browser vendors have implemented several countermeasures, with an important focus on JavaScript timers. However, as these attacks have multiplied in recent years, so have the countermeasures, in a cat-and-mouse fashion.
In this presentation, we present the evolution and current situation of timing attacks in browsers, as well as statistical tools to characterize the available timers. Our goal is to present a clear view of the attack surface and to understand what the main prerequisites and classes of browser-based timing attacks are, and what the main countermeasures are. We focus on determining to what extent the changes in timing-based countermeasures impact browser security. In particular, we show that the shift towards protecting against transient execution attacks has re-enabled other attacks, such as microarchitectural side-channel attacks, with a higher bandwidth than what was possible just two years ago.
You may believe traditional storage encryption is enough to protect the privacy of your data at rest, even in untrusted environments. Think twice: Access pattern leakage can, in many cases, reveal sensitive information to an attacker. For example, a malicious cloud provider can still see whether a user performs read or write operations and which part of the data is accessed, even if all of the data is encrypted.
Oblivious Random Access Machines (ORAMs) are cryptographic schemes that hide both data and access patterns. This obfuscation is achieved by performing redundant read/write operations and by encrypting, re-randomizing and shuffling the blocks composing the storage layer on every access. The resulting loss of performance is a tradeoff that allows untrusted storage to be turned into trusted storage solely via software. However, existing solutions are cumbersome for the user, requiring the storage provider to support the ORAM scheme.
We implemented oramfs: an open-source, cloud- and storage-agnostic, resizable ORAM client written in Rust that offers privacy features beyond encryption. In this talk, we look at how a practical ORAM scheme such as PathORAM works, give some background about oramfs, and show how it can be used to protect data at rest on untrusted storage.
Piotr is a tool designed to create, run and share virtual IoT devices that can be used to teach IoT security or to research vulnerabilities in firmware.
Piotr runs emulated devices inside an emulated host that provides all the tools you may need and creates a fake environment for them. This approach allows remote debugging with gdbserver or fridaserver, and provides a stable platform for vulnerability research, exploitation and training.
Moreover, Piotr is able to package any emulated device into a single file that may be shared and imported by other users, thus sharing its kernel, DTB file or even its host filesystem. This way, it is possible to create new emulated devices based upon existing ones, and to improve all of them by simply changing a single file (kernel, host filesystem, etc.).