PTS2022

To see our schedule with full functionality, like timezone conversion and personal scheduling, please enable JavaScript and go here.
13:10
13:10
45min
Entrance
Amphitheater
14:00
14:00
15min
Welcome speech
Amphitheater
14:15
14:15
35min
Mattermost End-to-End Encryption plugin
Adrien Guinet, Angèle Bossuat

This talk will describe the internals of a Mattermost End-to-End Encryption plugin that has been developed at Quarkslab in 2021.

Secured Communications
Amphitheater
14:20
14:20
180min
[Workshop] FЯIDA Reverse Engineering Introduction
jiska

FЯIDA is a dynamic instrumentation tool that supports reverse engineering closed-source applications. Learning how to use this tool enables open-source contributors to build interfaces to closed-source or even re-implement protocols for compatibility.

Reverse & Binary
Workshop Room
14:50
14:50
35min
CryptPad : a zero knowledge collaboration platform
Ludovic Dubost

Presentation of the CryptPad.fr project, a 100% encrypted collaboration platform.

Secured Communications
Amphitheater
15:25
15:25
20min
Dataflow tabular charts -- a presentation tool for security architects
Yves Rutschle

Security architects commonly have to represent drawings of complex systems to highlight the principles of their security architecture. Most drawings in common use are "seen from above", and do not allow a clear presentation of the protocol stacks and data processes along a dataflow.

Dataflow tabular charts are a new kind of drawings to show security boundaries crossed by functional dataflows. We will present the importance of those drawings for documenting security architectures, risk assessments, and penetration test results. We will then show a tool that can produce those charts automatically based on a textual description, similar to how msggen creates message charts.

Secured Communications
Amphitheater
15:45
15:45
30min
Break
Amphitheater
16:15
16:15
20min
Sandboxing your application with Landlock, illustration with the p7zip case
Mickaël Salaün

Landlock is the security sandboxing feature available since Linux 5.13. Its goal is to empower developers by letting them harden their applications. Indeed, it is assumed that with enough skill and time, most of software could be compromised. Sandboxing enables to add a new layer of security to mitigate such attack.

This talk quickly introduce the main Landlock properties, and we then explain how to sandbox your own application. We'll use p7zip, a C++ archive manager, as a practical example.

OS
Amphitheater
16:35
16:35
35min
Building operating systems optimized for containers, from IoT to desktops and servers
Timothée Ravier

Containers on Linux are a powerful abstraction that help isolate applications from one another. They are now available everywhere: to run applications from small IoT devices to large cloud servers, to easily setup development environments and to enable distribution independent packaging with Flatpak on desktops.

In this talk we will go over several variants of Fedora that are focused on containers: Fedora IoT, Fedora CoreOS and Fedora Silverblue/Kinoite. We will look at what makes them particularly well suited to host containers and how their design leads to increased security without compromising their usability.

OS
Amphitheater
09:30
09:30
180min
[Workshop] Malware analysis with Ghidra & x64dbg
Paul Rascagnères

This workshop is designed to the beginner who want to discover the malware analysis and the reverse engineering. We will start by explaining the x86 assembly language. Once we have discovered the basic instructions, we will directly reverser our first malware: a ransomware. We will work statically with Ghidra and dynamically with x32dbg two open-source software. The purpose will be to be acquainted with the tools and reply to a couple of questions: what is the encryption algorithm? Can I restore the encrypted file? Where is stored the ransom note?

For the attendees who would like to work dynamically, a virtual machine running Windows must be configured before the workshop. The free Windows virtual machines provided by Microsoft works perfectly for this workshop: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Reverse & Binary
Workshop Room
09:30
20min
sslh -- an applicative-level protocol multiplexer
Yves Rutschle

Once upon a time, corporate firewalls started to block port 22. But we could still ssh to port 443. sslh was originally written to listen to port 443, figure out the protocol between SSH and TLS, and forward it appropriately. 15 years in the making, sslh now supports many other protocols, including TLS SNI. We will cover the main functions and configuration of the tool, both for firewall evasion (its original, malicious use), service hiding and SNI frontend (its current, benign use).

Network
Amphitheater
09:50
09:50
35min
Write faster Suricata signatures easier with Suricata Language Server
Éric Leblond

Writing signatures for Suricata and other intrusion detection systems (IDS) is considered by many to be a form of art. One of the main reasons is that the rule writer needs to start by examining a network trace to identify patterns that are representative to a threat/behavior without being too broad (to avoid false positives) or too narrow (to avoid being escaped at the first change of a bit in the attack). But the language used to write signatures is the second reason. It is not really expressive and doesn’t have advanced constructs. As a result signatures require complex writing to do things that could appear simple. And there are implicit conventions and structures that must be followed to guarantee correct integration in the detection engine.

The open-source Suricata Language Server (SLS) has been developed to solve these problems. SLS is a Language Server Protocol implementation that allows the user to benefit from built-in Suricata diagnostic capabilities when editing rules. SLS provides advanced diagnostics as well as auto-completion. In this talk, you will see how SLS can be used and how to make sense of the error messages and learn about some of the optimizations inside the detection engine. You will also discover what Suricata features are used behind the scene to make this possible.

Network
Amphitheater
10:25
10:25
20min
Building on top of Scapy: what could possibly go wrong?
Claire Vacherot

A while ago, we decided to use Scapy's packet manipulation capabilities as a basis for our own industrial network protocols' attack framework in Python. At first, it seemed like the best idea ever: there is nothing better than Scapy for handling network protocols. But it was not as easy as we thought it would be, because of the gap between our own specifications and Scapy internals. We wanted users of our framework be able to manipulate valid and invalid packets, as a set of separate type-independent fields. But this is not how Scapy works, so we had to find workarounds. We ended up wrapping Scapy packets inside our own packet objects, using Python tricks and weird adaptations to translate from our framework's syntax to Scapy's mode of operation. And it works fine (as long as we don't touch anything). This is the story of our struggle to make both our tool and Scapy match and what we learned along the way.

Network
Amphitheater
10:45
10:45
30min
Break
Amphitheater
11:15
11:15
35min
Use of Machine and Deep Learning on RF Signals
Sébastien Dudek

An RF Signal is an element that a human cannot see nor hear, but could be measured with many means today. Particularly, the Software-Defined Radio allows even people with a low budget to observe radio frequencies in real-time, and so make they capture different types of communications: AM/FM, Mobile & LPWAN communications, etc. There are many ways to classify all the technologies depending on the used frequency, used bandwidth, duty cycle, and patterns, but it is sometimes hard and/or time-consuming to recognize these technologies.
To resolve these types of challenges, we thought about using Machine & Deep Learning tools to optimize our classification, and we wanted to share with you our successes, mistakes, and other feedback. In addition to proper classification, RF emanations are also permanent in the air, and we will see that the same techniques can be applied to match harmonics, but also for side-channel attacks as well.

Hardware
Amphitheater
11:50
11:50
35min
Ethics in cyberwar times
Ivan Kwiatkowski

Despite not getting a lot of attention, questions of ethics and morality are everywhere in the cybersecurity field. As our community concentrates more and more political power through the giant technology companies ruling the digital realm, a discussion on acceptable practices is needed more than ever.
In this talk, I want to bring forward new security dilemmas that have surfaced in the recent years and that practitioners face every day. My hope is to foster a much-needed reflection about our role in the cybersecurity world, especially as it it being transformed by its first military conflict ever.

Keynote
Amphitheater
12:25
12:25
95min
Lunch Break
Amphitheater
12:30
12:30
90min
Lunch Break
Workshop Room
14:00
14:00
35min
Abusing archive-based file formats
Ange Albertini

If a format structure isn't vulnerable, can that change once wrapped in an archive ?

Reverse & Binary
Amphitheater
14:00
180min
[Workshop] MI-LXC (Mini-Internet testbed) for network security training and security tools demonstration
François Lesueur

MI-LXC is a platform to simulate an internet-like environment (BGP routing, DNS hierarchy, several organizations, pre-configured services such as mail with graphical clients, ...), currently composed of 28 hosts distributed in 10 AS. It can be used for network security training and can also serve as a substrate to deploy and demonstrate network security tools. It is based on LXC using the infrastructure-as-code principle and runs as a VM on a standard laptop.

During this workshop, we will explore the MI-LXC platform. First, we will see how to use it to illustrate MitM attacks such as BGP or DNS attacks, to deploy a global ACME Certification Authority (Smallstep), to simulate a phishing and intrusion scenario (reverse-shell, nmap, ...) or to deploy IDS sensors (Suricata, OSSEC, Prelude SIEM). Second, we will study how to extend this skeleton architecture to deploy, demonstrate and train in other network security tools by adding new hosts or AS or modifying existing ones.

MI-LXC is available at https://github.com/flesueur/mi-lxc/ and this workshop will be more-or-less based on the tutorial : https://github.com/flesueur/mi-lxc/blob/master/doc/TUTORIAL.md

Network
Workshop Room
14:35
14:35
35min
Binbloom reloaded
Damien Cauquil

Reverse-engineering hardware devices usually requires extracting data from
memory, be it from an internal Flash of a SoC, an external NAND or SPI
flash chip. Extracting memory content is part of the job, but once done we still
need to analyze it and face the inevitable truth : we may be in front of an
unknown memory dump or just have no idea of how information is stored in it,
or even how it is loaded into the SoC or MCU memory.
In this talk we will introduce Binbloom version 2, a tool able to identify the base address of any firmware code and also some specific structures such as UDS databases (often encountered in ECUs), no matter what the architecture (32 or 64 bits).

Reverse & Binary
Amphitheater
15:10
15:10
30min
Break
Amphitheater
15:40
15:40
35min
GNU poke, the extensible editor for structured binary data
Jose E. Marchesi

GNU poke is an interactive editor for binary data. Not limited to editing basic entities such as bits and bytes, it provides a full-fledged procedural, interactive programming language designed to describe data structures and to operate on them. Once a user has defined a structure for binary data (usually matching some file format) she can search, inspect, create, shuffle and modify abstract entities such as ELF relocations, MP3 tags, DWARF expressions, partition table entries, and so on, with primitives resembling simple editing of bits and bytes. The program comes with a library of already written descriptions (or "pickles" in poke parlance) for many binary formats.

Reverse & Binary
Amphitheater
16:15
16:15
35min
The Poor Man's Obfuscator
Romain Thomas

The purpose of this lightning talk is to present executable files formats tricks (ELF and Mach-O)
to prevent static analysis tools (like IDA, BinaryNinja, ...) from working correctly.

While these tricks do not break the execution of the original binary, when they are opened in IDA, BinaryNinja and, Radare2
the code looks obfuscated while only the file format is modified (not the instructions)

These modifications are leveraged by LIEF and the scripts will be published at the end
of the conference with an associated blog post.

Reverse & Binary
Amphitheater
16:50
16:50
60min
Rumps
Amphitheater
09:30
09:30
180min
[Workshop] RFID/NFC: Rise of Proxmark3, hands on
Philippe Teuwen

You will enjoy hacking with RFID/NFC cards and devices by means of open source.
You will have plenty of time to get familiar with the Proxmark3 RDV4 and operate it by yourself in various conditions and challenges.

Hardware
Workshop Room
10:00
10:00
35min
Sudo logs for Blue Teamers
Peter Czanik

Using sudo, you can control and log administrative access to your hosts. Recent sudo versions allow you to send log messages in JSON format, while the latest sudo features also allow you to watch and control previously blind spots.

Blue Teams
Amphitheater
10:35
10:35
20min
DFIR-IRIS - collaborative incident response platform
Théo Letailleur, Paul Amicelli

DFIR-IRIS is a collaborative incident response platform recently published in open-source. It provides operational and efficient features to respond to IR challenges. Information sharing, real-time collaboration, timeline creation, forensic evidence ingestion, task logging, daily reports for customers... These are all necessary steps in an investigation that need to be simplified in order to reduce analysts' workload. From this statement was born DFIR-IRIS.

Blue Teams
Amphitheater
10:55
10:55
30min
Break
Amphitheater
11:25
11:25
20min
TAPIR : Trustable Artifact Parser for Incident Response
Solal Jacob

This talk will present two new open-source incident response tools and a new rust library dedicated to Incident Response.
bin2json a tool to extract metadata from multiple file formats to json and TapIR a collaborative server for incident response accessible through a REST API, a web ui, and python command line tools.

Blue Teams
Amphitheater
11:45
11:45
35min
Improve your Malware Recipes with Cyberchef
Xavier Mertens

Cyberchef is an awesome tool developed by GCIH (the UK Intelligence Services). Easy to deploy and maintain, it offers a complete toolbox to manipulate data. This talk will briefly introduce the core features of Cyberchef and, on a second part, we will discuss how to speed up the analysis of data in the context of malware analysis (decoding C2 traffic, decoding configuration files and many more examples)

Blue Teams
Amphitheater
12:20
12:20
100min
Lunch Break
Amphitheater
12:30
12:30
90min
Lunch Break
Workshop Room
14:00
14:00
20min
MobSF for penetration testers
Antoine Cervoise, Mickael Benassouli

MobSF is a free and OpenSource security scanner for mobile application.

First, this talk will introduce MobSF and its different features. Then, the talk will present how MobSF can be used during a penetration test or a red team.

After presenting how to setup the tool for penetration testing, different use cases will be presented, regarding two different points of view:
- a security review of a mobile application (or an SDK), in this case, the mobile application or the specific SDK is the target.
- an assessment where the mobile application is not directly the target, in this case, the mobile application is used for recon (and more).
- a quick use case of usage for every penetration tester who don't want to dig into complex android methods

These use cases will also point MobSF limits and how to handle them by using the API and homemade scripts. For some cases, a comparison with other tools (such as apkleaks) will be done.

At last, a quick review of how bug report and feature requests are handled by the MobSF team.

Pentest
Amphitheater
14:00
180min
[Workshop] Threat Hunting with SELKS and Suricata 6
Éric Leblond

Threat hunting with network data can be done with Suricata that combines a signature based IDS with network security monitoring capabilities. In this workshop we will show through SELKS usage. SELKS is a complete network threat hunting stack based on Suricata and Elasticsearch. We will use some of the recent capabilities of Suricata like dataset to show that it goes far beyond the traditional role of an IDS.

Blue Teams
Workshop Room
14:20
14:20
35min
Finding Java deserialization gadgets with CodeQL
Hugo Vincent

Arbitrary object deserialisation vulnerability in Java applications can be really dangerous, but also worthless if you are not able to find a gadget chain.

Some gadgets chains are known and can be used without much consideration, but most of them don't work anymore.

Indeed, most known gadgets are 3 or 5 year olds. This can be explained by the fact that finding such chains is hard and few tools exist to automate this process. In this talk I want to present a new technique to easily find new gadgets by leveraging the power of CodeQL. CodeQL is a very powerful static code analyzer that provides a way to analyze code by querying it like a data store. It's open source and can work on open source projects as it requires the source code of the analysed application. CodeQL can find paths between different methods and calls inside an application. This is really useful for gadget chain as we need to look for code paths from a deserialization method to a dangerous one which can lead to arbitrary code execution.

Pentest
Amphitheater
14:55
14:55
20min
Dissecting NTLM EPA & building a MitM proxy
Pierre Milioni

Have you ever come across a website that used NTLM-based authentication, and you just could not authenticate with your browser nor BurpSuite even though you knew your credentials were correct? NTLM Extended Protection for Authentication (EPA) might be the culprit... Indeed, Firefox, among others, does not support the NTLM EPA mechanism and fails to authenticate.

This new protection was implemented to prevent relay attacks on webservers. With the rise of the powerful attack chain that involves ADCS, Petit Potam and NTLM relay, this protection has proven to be very useful!

What can we do then?! How are we going to use all our favorite tools? By creating a proxy of course! This implied multiple problematics, such as TLS interception, HTTP parsing, NTLM authentication, EPA implementation, and so on.

Pentest
Amphitheater
15:15
15:15
35min
kdigger: A Context Discovery Tool for Kubernetes Penetration Testing
Mahé Tardy

kdigger, short for "Kubernetes digger", is a context discovery tool for Kubernetes penetration testing. This tool is a compilation of various plugins called buckets to facilitate pentesting Kubernetes from inside a pod.

Pentest
Amphitheater