<?xml version='1.0' encoding='utf-8' ?>
<iCalendar xmlns:pentabarf='http://pentabarf.org' xmlns:xCal='urn:ietf:params:xml:ns:xcal'>
    <vcalendar>
        <version>2.0</version>
        <prodid>-//Pentabarf//Schedule//EN</prodid>
        <x-wr-caldesc></x-wr-caldesc>
        <x-wr-calname></x-wr-calname>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9ZDVHG@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9ZDVHG</pentabarf:event-slug>
            <pentabarf:title>Vulnerabilities in the TPM 2.0 reference implementation code</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230703T141500</dtstart>
            <dtend>20230703T145000</dtend>
            <duration>0.03500</duration>
            <summary>Vulnerabilities in the TPM 2.0 reference implementation code</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/9ZDVHG/</url>
            <location>Amphitheater</location>
            
            <attendee>Francisco Falcon</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QQR3PB@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QQR3PB</pentabarf:event-slug>
            <pentabarf:title>Ultrablue: User-friendly Lightweight TPM Remote Attestation over Bluetooth</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230703T145000</dtstart>
            <dtend>20230703T152500</dtend>
            <duration>0.03500</duration>
            <summary>Ultrablue: User-friendly Lightweight TPM Remote Attestation over Bluetooth</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/QQR3PB/</url>
            <location>Amphitheater</location>
            
            <attendee>Nicolas Bouchinet</attendee>
            
            <attendee>Loic Buckwell</attendee>
            
            <attendee>Gabriel Kerneis</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>L38TN3@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-L38TN3</pentabarf:event-slug>
            <pentabarf:title>For Science! - Using an Unimpressive Bug in EDK II To Do Some Fun Exploitation</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230703T152500</dtstart>
            <dtend>20230703T160000</dtend>
            <duration>0.03500</duration>
            <summary>For Science! - Using an Unimpressive Bug in EDK II To Do Some Fun Exploitation</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/L38TN3/</url>
            <location>Amphitheater</location>
            
            <attendee>Gabrielle Viala</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MPY7WA@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MPY7WA</pentabarf:event-slug>
            <pentabarf:title>The Good, the Bad, and the Secure: a pentester&#x27;s journey daily driving Qubes OS</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230703T163000</dtstart>
            <dtend>20230703T170500</dtend>
            <duration>0.03500</duration>
            <summary>The Good, the Bad, and the Secure: a pentester&#x27;s journey daily driving Qubes OS</summary>
            <description>In this talk, I will provide a quick overview of Qubes OS, a security-focused operating system that uses virtualization to create secure compartments for different tasks and applications. This will ensure that everyone attending the talk understands the concepts and terminology used in the next parts.

I will then share my personal journey of using Qubes OS as my daily working environment, discussing the best and worst things I encountered while using it. This will provide insights and practical advice for those who may be interested in using Qubes OS for their own work.

Finally, I will discuss my perspective on Qubes OS, including why and how I decided to use it as my primary working environment. This part will also provide ideas on how Qubes OS can be used in various scenarios and use cases, including its benefits for security and privacy.

Overall, attendees of this talk will gain a deeper understanding of Qubes OS and its benefits for security and privacy, as well as insights from my personal experience of using it as my daily working environment.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/MPY7WA/</url>
            <location>Amphitheater</location>
            
            <attendee>Pierre Milioni</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>USSHMR@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-USSHMR</pentabarf:event-slug>
            <pentabarf:title>Syslog-ng 4.0 – where log management is heading</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230703T170500</dtstart>
            <dtend>20230703T174000</dtend>
            <duration>0.03500</duration>
            <summary>Syslog-ng 4.0 – where log management is heading</summary>
            <description>After 13 years, a new major release of syslog-ng is available. Syslog-ng 4.0 brings type support and many additional enhancements. This presentation gives you an overview of some of the larger syslog-ng 4 features, and proves why type support is a major enhancement, improving both operations and security.

Why is type information important? Many filters in syslog-ng use comparisons, and for example, if you try to compare numbers as strings, 1000 is smaller than 90, as one precedes nine. Using type information, you can get correct comparison results. Filters are used for real-time alerting within syslog-ng. Using proper type information here also means better alerting possibilities both for operations and security.

Previously, syslog-ng handled all data parsed from log messages as text. However, even if the format is text, in practice, it can be a number, a boolean value or a list. Some syslog-ng parsers can now detect and preserve the type of data parsed into name-value pairs. You can also add type information to name-value pairs manually.

Name-value pairs from message parsing, filters and templates were already a major feature of the syslog-ng 3 series. Type support in version 4.0 significantly enhances their usability.

Previously, by default, syslog-ng sent all values as text, even though type information was available when the log messages entered syslog-ng. In some cases, you could set type information manually, or you could map type information on the destination side, for example, in Elasticsearch. Now you can store name-value pairs with the correct type information.

If logs are sent as text, the receiving end often handles them as text. It means, for example, that you cannot create graphs from numbers sent as text. Sending name-value pairs with proper type information makes it possible for the receiving end to properly use the embedded values.

Syslog-ng already provides a lot of run-time information for monitoring purposes. Current developments both extend the information available and make it easier to understand. Support for Prometheus is underway.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/USSHMR/</url>
            <location>Amphitheater</location>
            
            <attendee>Peter Czanik, syslog-ng PO at One Identity</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VRBZJZ@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VRBZJZ</pentabarf:event-slug>
            <pentabarf:title>Sanzu Hands-on</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230703T141500</dtstart>
            <dtend>20230703T171500</dtend>
            <duration>3.00000</duration>
            <summary>Sanzu Hands-on</summary>
            <description>[Sanzu](https://github.com/cea-sec/sanzu) is a graphical remote desktop solution. It is composed of:

- a server running on Unix or Windows which can stream a X11 or a Windows GUI environment (for now the Unix version is more advanced)
- a client running on Unix or Windows which can read this stream and interact with the GUI environment

It uses modern video codecs like h264/h265 to offer a good image quality and limit its bandwidth consumption. Video compression is done through FFmpeg which allows the use of graphic cards or full featured CPU to achieve fast video compression at low latency. It also allows the use of yuv420 or yuv444 for better graphical details.

Workshop Schedule : 

- Introduction : Presentation of Sanzu 
- Practice : How to use Sanzu in a simple client/server setup (remote access to a VM)
- Presentation : What is the sanzu broker and how does it work
- Practice : How to setup a sanzu broker which spawns a new X server when a new sanzu client connects to the sanzu broker
- Presentation : Remote Browsing with Sanzu


Requirement : 

- A laptop (or a virtual machine) to install the sanzu client on it
- One virtual machine running Linux to use as a server for Sanzu</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/VRBZJZ/</url>
            <location>Workshop room</location>
            
            <attendee>Antonin Fringant</attendee>
            
            <attendee>Frédéric Vannière</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DTDEC8@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DTDEC8</pentabarf:event-slug>
            <pentabarf:title>Analyse your weird URLs the easy way</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230704T091500</dtstart>
            <dtend>20230704T095000</dtend>
            <duration>0.03500</duration>
            <summary>Analyse your weird URLs the easy way</summary>
            <description>You might have heard of [Lookyloo](https://github.com/Lookyloo/lookyloo) before, but this talk will not be limited to it. We will show you that you can integrate it in a complete tool suite:

* [Pandora](https://github.com/pandora-analysis/pandora): to analyze files and emails (which can be forwarded from your mailbox), extract attachments and observables such as URLs, and submit them to Lookyloo
* Process URLs pointing to a downloadable file in Lookyloo and submit them to Pandora
* Once a URL is analyzed, it can be submitted to a [monitoring interface](https://github.com/Lookyloo/monitoring) which will compare captures across time and inform you when something relevant changes - could be the URL being taken down, or your website serving malware

Or maybe you just want to capture URLs and don&#x27;t care about Lookyloo? Well, we also have you sorted and developed a standalone capturing interface called [Lacus](https://github.com/ail-project/lacus), which is already used in production by [AIL Framework](https://github.com/ail-project).

All of that has (obviously) an integration with [MISP](https://github.com/MISP/) for long term storage and sharing with your community.

In short, we&#x27;re going to present you a complete suite of OSS tools that you can use either independently, or all together to hopefully make your life easier.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/DTDEC8/</url>
            <location>Amphitheater</location>
            
            <attendee>Raphaël Vinot (Developer, Lookyloo)</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>C9XNRF@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-C9XNRF</pentabarf:event-slug>
            <pentabarf:title>Typosquatting-finder</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230704T095000</dtstart>
            <dtend>20230704T101000</dtend>
            <duration>0.02000</duration>
            <summary>Typosquatting-finder</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Short Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/C9XNRF/</url>
            <location>Amphitheater</location>
            
            <attendee>Alexandre Dulaunoy</attendee>
            
            <attendee>David Cruciani</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YNEF3M@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YNEF3M</pentabarf:event-slug>
            <pentabarf:title>Clustering large amount of email with Minhash: an open-source Locality sensitive hash</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230704T101000</dtstart>
            <dtend>20230704T103000</dtend>
            <duration>0.02000</duration>
            <summary>Clustering large amount of email with Minhash: an open-source Locality sensitive hash</summary>
            <description>In this presentation, we will present a full pipeline for clustering emails sent in a continuous flow, from the email to the clusters, using minhash (https://en.wikipedia.org/wiki/MinHash), an open source locality sensitive hashing algorithm. The presentation will be conducted as follows:
- Explain how to extract key data from the email and remove the content added to fool the clustering algorithm.
- Explain normalization through open source tools such as &quot;https://www.npmjs.com/package/sanitize-html&quot;. This helps reduce the noise to info ratio in the email.
- Present Locality sensitive hashing through the open source algorithm minhash, which creates fingerprints that will collide for similar emails.
- Present the &quot;Bucketization&quot; technique to cluster the fingerprints.
- Present results on real email data.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Short Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/YNEF3M/</url>
            <location>Amphitheater</location>
            
            <attendee>Nicolas Berveglieri</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8MS9ZL@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8MS9ZL</pentabarf:event-slug>
            <pentabarf:title>Data Mining, Darknet and Social Network Monitoring - Exploring the Latest Features of the AIL Framework</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230704T110000</dtstart>
            <dtend>20230704T113500</dtend>
            <duration>0.03500</duration>
            <summary>Data Mining, Darknet and Social Network Monitoring - Exploring the Latest Features of the AIL Framework</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/8MS9ZL/</url>
            <location>Amphitheater</location>
            
            <attendee>Aurelien Thirion</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>T9XQNG@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-T9XQNG</pentabarf:event-slug>
            <pentabarf:title>Reproducible Research in Micro-architecture Security (and Beyond): from Paper to Artifact Evaluation</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230704T113500</dtstart>
            <dtend>20230704T121000</dtend>
            <duration>0.03500</duration>
            <summary>Reproducible Research in Micro-architecture Security (and Beyond): from Paper to Artifact Evaluation</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/T9XQNG/</url>
            <location>Amphitheater</location>
            
            <attendee>Clémentine Maurice</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YAJN93@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YAJN93</pentabarf:event-slug>
            <pentabarf:title>Supply-chain security in open-source ecosystems: the Rust case</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230704T140000</dtstart>
            <dtend>20230704T143500</dtend>
            <duration>0.03500</duration>
            <summary>Supply-chain security in open-source ecosystems: the Rust case</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/YAJN93/</url>
            <location>Amphitheater</location>
            
            <attendee>Alexis Mousset</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9XNUZL@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9XNUZL</pentabarf:event-slug>
            <pentabarf:title>Introduction to Sigstore: cryptographic signatures made easier</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230704T143500</dtstart>
            <dtend>20230704T151000</dtend>
            <duration>0.03500</duration>
            <summary>Introduction to Sigstore: cryptographic signatures made easier</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/9XNUZL/</url>
            <location>Amphitheater</location>
            
            <attendee>Maya Costantini</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>NQY3WL@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-NQY3WL</pentabarf:event-slug>
            <pentabarf:title>How to Secure Your Software Supply Chain and Speed-Up DFIR with Hashlookup</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230704T151000</dtstart>
            <dtend>20230704T154500</dtend>
            <duration>0.03500</duration>
            <summary>How to Secure Your Software Supply Chain and Speed-Up DFIR with Hashlookup</summary>
            <description>Hashlookup&#x27;s aim is to index the hashes of all published and released software. It crawls and indexes the hashes from many different public sources, which include Linux distributions, operating systems such as Windows, or alternative distributions. The goal is to provide a fast and efficient way for analysts, digital forensic investigators and security researchers to obtain contextual information about published software. hashlookup&#x27;s goal is to support digital forensic investigation but also the review of software supply chain and distribution channels.

hashlookup.io is an open-source project and service, which means that it&#x27;s freely available for anyone to use or contribute to. Both open-source and proprietary software can be distributed in various ways, and in this article, we&#x27;ll discuss the challenges of gathering all the different sources. We&#x27;ll also explore the various risks associated with supply chain attacks and offer some strategies for addressing these issues.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/NQY3WL/</url>
            <location>Amphitheater</location>
            
            <attendee>Alexandre Dulaunoy</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9H8FH3@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9H8FH3</pentabarf:event-slug>
            <pentabarf:title>Map your firmware!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230704T161500</dtstart>
            <dtend>20230704T163500</dtend>
            <duration>0.02000</duration>
            <summary>Map your firmware!</summary>
            <description>Pyrrha is an extension of Sourcetrail [1], an open-source source code explorer (for C/C++, Python, and Java). This extension uses LIEF [2] to analyze the imports and exports of each library and binary of the firmware and create links between them. The result is exported as a Sourcetrail database. Thanks to the Sourcetrail UI, the user will be able to navigate and search in the resulting firmware mapping.

[1] https://github.com/CoatiSoftware/Sourcetrail 
[2] https://lief-project.github.io/</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Short Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/9H8FH3/</url>
            <location>Amphitheater</location>
            
            <attendee>Eloïse Brocas</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LZHYRS@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LZHYRS</pentabarf:event-slug>
            <pentabarf:title>Gepetto: AI-powered reverse-engineering</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230704T163500</dtstart>
            <dtend>20230704T165500</dtend>
            <duration>0.02000</duration>
            <summary>Gepetto: AI-powered reverse-engineering</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Short Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/LZHYRS/</url>
            <location>Amphitheater</location>
            
            <attendee>Ivan Kwiatkowski</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DEPJLQ@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DEPJLQ</pentabarf:event-slug>
            <pentabarf:title>Syslog-ng: from zero to hero, including syslog-ng 4 changes</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230704T091500</dtstart>
            <dtend>20230704T121500</dtend>
            <duration>3.00000</duration>
            <summary>Syslog-ng: from zero to hero, including syslog-ng 4 changes</summary>
            <description>You will learn: 

    • The basic concepts of configuring and running syslog-ng, 

    • an introduction to message parsing, 

    • how to store your log messages in Elasticsearch, and 

    • differences between syslog-ng 3 and 4

To try the configurations on your machine, you will need:

    • a recent version of syslog-ng (3.23 or newer: https://syslog-ng.com/3rd-party-binaries) 

    • Elasticsearch 7+ with Kibana installed or Opensearch (optional)

	Last time I was criticized that handing out a USB key at a security event is controversial :-) so install syslog-ng and optionally Elasticsearch on your laptop or in a VM.

Workshop schedule:

    • Theory: Introductory presentation - the concepts of syslog-ng. Explains the different building blocks (sources, parsers, filters, destinations, etc.), and how to connect them together using log statements.

    • Practice: Try these concepts in practice. Creating a simple configuration, checking syntax, running in the foreground with different debugging options, and running in the background as a service.

    • Theory: Message parsing is a main feature of syslog-ng from the security professional&#x27;s point of view. Most of the log messages on Linux / UNIX arrive in a free-form text format, which is easy for humans to read, but very difficult to act on. Using message parsing you can extract actionable information from log messages and create alerts or simply store data in an easy to search format.

    • Practice: Extend the configuration with a few filters and parsers to make it more complex. To see the results of parsing, we use templates on the output side to include name-value pairs.

    • See the differences between syslog-ng 3 and 4

    • Practice: Store the results to Elasticsearch and display them in Kibana.

    • Q&amp;A session (if there is some time left): touch a few additional topics, based on questions from the audience.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/DEPJLQ/</url>
            <location>Workshop room</location>
            
            <attendee>Peter Czanik, syslog-ng PO at One Identity</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9ZH9NP@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9ZH9NP</pentabarf:event-slug>
            <pentabarf:title>PHP filter chains: How to use it</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230705T100000</dtstart>
            <dtend>20230705T103500</dtend>
            <duration>0.03500</duration>
            <summary>PHP filter chains: How to use it</summary>
            <description>This talk aims to explain in which cases PHP filter chains can be used and why these tricks can be useful during an audit with examples.
Along it, we will show vulnerable code samples and ways to patch them.

Two tools were developed to exploit it and will also be presented :
- https://github.com/synacktiv/php_filter_chain_generator
- https://github.com/synacktiv/php_filter_chains_oracle_exploit</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/9ZH9NP/</url>
            <location>Amphitheater</location>
            
            <attendee>Rémi Matasse (Security research, Synacktiv)</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LQ7RVH@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LQ7RVH</pentabarf:event-slug>
            <pentabarf:title>zekrom: an open-source library of arithmetization-oriented constructions for zkSNARK circuits</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230705T103500</dtstart>
            <dtend>20230705T105500</dtend>
            <duration>0.02000</duration>
            <summary>zekrom: an open-source library of arithmetization-oriented constructions for zkSNARK circuits</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Short Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/LQ7RVH/</url>
            <location>Amphitheater</location>
            
            <attendee>Antonio de la Piedra</attendee>
            
            <attendee>Laurent Thoeny</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZQAXNB@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZQAXNB</pentabarf:event-slug>
            <pentabarf:title>ASN.1 templating for fun and profit</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230705T112500</dtstart>
            <dtend>20230705T114500</dtend>
            <duration>0.02000</duration>
            <summary>ASN.1 templating for fun and profit</summary>
            <description>Remember the OpenSSL vulnerability referenced as CVE-2022-0778 (15/03/2022)...

https://www.openssl.org/news/secadv/20220315.txt

Here is an excerpt from it:
```
&quot;The BN_mod_sqrt() function, which computes a modular square root, contains a
bug that can cause it to loop forever for non-prime moduli.

[...] used when parsing certificates that contain elliptic curve public keys in
compressed form [...]

It is possible to trigger the infinite loop by crafting a certificate that has
invalid explicit curve parameters. [...]

Since certificate parsing happens prior to verification of the certificate
signature, any process that parses an externally supplied certificate may thus
be subject to a denial of service attack. [...]

Thus vulnerable situations include:

 - TLS clients consuming server certificates
 - TLS servers consuming client certificates
 - Hosting providers taking certificates or private keys from customers
 - Certificate authorities parsing certification requests from subscribers
 - Anything else which parses ASN.1 elliptic curve parameters
[...]&quot;
```

Successful exploitation of CVE-2022-0778 can be done in 3 steps:
 1. Generate EC parameters that have some interesting properties as defined in the vulnerability description
 2. Create or modify an already existing encoded ASN.1 cryptographic structure using these parameters
 3. Submit the structure to a service that uses a vulnerable OpenSSL library

This presentation is about step ```2```.

The ASN.1 cryptographic structures we are considering here are often complex
nested structures.

The problem lies in the fact that such ASN.1 cryptographic structures are
encoded using a binary format (DER - Distinguished Encoding Rules) that follows
a Type-Length-Value (TLV) logic. Each member of the structure is encoded as its
type identifier, followed by its total length (its own length along with the
length of its sub-members), and finally, its value (including that of all its
sub-members).

As an example, here is an ASN.1 sequence containing 2 integers:
```
    SEQUENCE:
        INTEGER:0x12
        INTEGER:0x34
```

Its DER representation can be dissected as follows:
```
          /--&gt; type: SEQUENCE
          /  /--&gt; length: 6 bytes
          /  /  /***************/--&gt; value: the two DER encoded INTEGERs
00000000  30 06 02 01 12 02 01 34                           |0......4|
                /  /  /  /  /  /--&gt; value: 0x34
                /  /  /  /  /--&gt; length: 1 byte
                /  /  /  /--&gt; type: INTEGER
                /  /  /--&gt; value: 0x12
                /  /--&gt; length: 1 byte
                /--&gt; type: INTEGER
```

Editing such a binary structure is error-prone. One needs to keep
track of the modifications made to inner objects in order to reflect length
updates in the outer surrounding objects.
For instance, we could replace the second INTEGER in the previous example with a
longer INTEGER (2 bytes instead of 1) with the value 0x3456:

```
    SEQUENCE:
        INTEGER:0x12
        INTEGER:0x3456
```

This means that the second integer now has a length of 2 bytes and that the
encoded length of the surrounding sequence has to be incremented.
```
             /--&gt; Outer SEQUENCE is now 7 bytes long
             /              /--&gt; second INTEGER in outer SEQUENCE is now 2 bytes long
00000000  30 07 02 01 12 02 02 34  56                       |0......4V|
```

Simple structures such as the one in this example are easy to edit manually with
a hex editor. Larger structures composed of multiple levels of nested
sub-structures are a pain to edit. A single mistake would make the whole
structure unusable.

This presentation is about a tool that predates existing solutions such as
```der-ascii```, and that I dusted off when CVE-2022-0778 was announced last
year.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Short Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/ZQAXNB/</url>
            <location>Amphitheater</location>
            
            <attendee>William Robinet</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8TXSWF@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8TXSWF</pentabarf:event-slug>
            <pentabarf:title>How to survive to STIX parsing?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230705T114500</dtstart>
            <dtend>20230705T120500</dtend>
            <duration>0.02000</duration>
            <summary>How to survive to STIX parsing?</summary>
            <description>When it comes to discussions about exchanging threat intelligence, STIX is often mentioned as a standard for representing and sharing structured information.  
However, the differences between STIX 1.x in XML and STIX 2.x in JSON can pose challenges for analysts and their tools to parse and consume the content easily and automatically.

To address this issue, `misp-stix` provides a straightforward conversion between different versions of STIX formats specialized in threat intelligence exchange and the generic MISP standard, which is widely used worldwide to share information across different domains and fields.

Effective interoperability between CTI standards is crucial to ensure smooth information exchange among sharing communities. By reducing the gap between different conceptions of exchange standards, `misp-stix` aims to facilitate this process.

During the presentation, we will showcase real-life examples of the challenges we face and the solutions we have developed to improve the interoperability and re-usability of knowledge bases, such as MISP taxonomies, object templates, and galaxies. These tools are used in MISP and many other CTI tools, and are essential for exchanging structured threat intelligence effectively.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Short Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/8TXSWF/</url>
            <location>Amphitheater</location>
            
            <attendee>Christian Studer</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HMTA3X@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HMTA3X</pentabarf:event-slug>
            <pentabarf:title>Decrypt Kerberos/NTLM “encrypted stub data” in Wireshark</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230705T140000</dtstart>
            <dtend>20230705T143500</dtend>
            <duration>0.03500</duration>
            <summary>Decrypt Kerberos/NTLM “encrypted stub data” in Wireshark</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/HMTA3X/</url>
            <location>Amphitheater</location>
            
            <attendee>Clément Notin</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EQL3KQ@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EQL3KQ</pentabarf:event-slug>
            <pentabarf:title>Using Suricata to detect lateral movement in Windows environment</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230705T143500</dtstart>
            <dtend>20230705T151000</dtend>
            <duration>0.03500</duration>
            <summary>Using Suricata to detect lateral movement in Windows environment</summary>
            <description>This talk will describe how [Suricata](https://suricata.io) IDS and NSM features can be used to detect lateral movement in Windows-based environments. The focus will be on SMB-based attacks (including Red Team tooling), with specific attention to the DCERPC layer of SMB, but data extracted from protocols such as Kerberos will also be looked at.

The talk will include a presentation of the free [SMB lateral ruleset](https://www.stamus-networks.com/blog/new-open-ruleset-for-detecting-lateral-movement-with-suricata) published by Stamus Networks. It will show some practical hunting techniques that can be used when working with the SMB protocol.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/EQL3KQ/</url>
            <location>Amphitheater</location>
            
            <attendee>Éric Leblond</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UV9F9J@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UV9F9J</pentabarf:event-slug>
            <pentabarf:title>Why cyberoffense will never be regulated</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230705T151000</dtstart>
            <dtend>20230705T154500</dtend>
            <duration>0.03500</duration>
            <summary>Why cyberoffense will never be regulated</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/UV9F9J/</url>
            <location>Amphitheater</location>
            
            <attendee>Ivan Kwiatkowski</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>A3GZXD@@cfp.pass-the-salt.org</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-A3GZXD</pentabarf:event-slug>
            <pentabarf:title>Scapy Hands-on</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20230705T094000</dtstart>
            <dtend>20230705T124000</dtend>
            <duration>3.00000</duration>
            <summary>Scapy Hands-on</summary>
            <description>This workshop will describe Scapy's main features step by step, and will let you explore the following topics:
- packet manipulation
- sending &amp; receiving packets
- visualization
- IPv6 and TLS support
- implementing a new protocol
- answering machines
- automaton
- pipes

Requirements: a laptop running Linux (native or virtualized) and a fresh Scapy install from GitHub</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://cfp.pass-the-salt.org/pts2023/talk/A3GZXD/</url>
            <location>Workshop room</location>
            
            <attendee>Guillaume Valadon</attendee>
            
        </vevent>
        
    </vcalendar>
</iCalendar>
