<?xml version='1.0' encoding='utf-8' ?>
<!-- Made with love by pretalx v2025.2.2. -->
<schedule>
    <generator name="pretalx" version="2025.2.2" />
    <version>0.6</version>
    <conference>
        <title>PTS2023</title>
        <acronym>pts2023</acronym>
        <start>2023-07-03</start>
        <end>2023-07-05</end>
        <days>3</days>
        <timeslot_duration>00:05</timeslot_duration>
        <base_url>https://cfp.pass-the-salt.org</base_url>
        <logo>https://cfp.pass-the-salt.org/media/pts2023/img/logo-salt-2022-white_z4gATNK.png</logo>
        <time_zone_name>Europe/Paris</time_zone_name>
        
        
        <track name="Web Pentest" slug="9-web-pentest"  color="#f111b2" />
        
        <track name="Boot Security" slug="10-boot-security"  color="#3b8937" />
        
        <track name="OS Security" slug="11-os-security"  color="#f6090f" />
        
        <track name="Network Detection &amp; Forensics" slug="12-network-detection-forensics"  color="#f76b10" />
        
        <track name="Keynote" slug="13-keynote"  color="#059490" />
        
        <track name="Closing Talk" slug="14-closing-talk"  color="#791185" />
        
        <track name="Reverser Tooling" slug="15-reverser-tooling"  color="#290707" />
        
        <track name="OSINT &amp; Online Security" slug="16-osint-online-security"  color="#4c66f1" />
        
        <track name="Supply Chain Security" slug="17-supply-chain-security"  color="#00b9ff" />
        
        <track name="Cryptography" slug="18-cryptography"  color="#0442fe" />
        
        <track name="File Formats Horror Stories" slug="19-file-formats-horror-stories"  color="#6d4242" />
        
    </conference>
    <day index='1' date='2023-07-03' start='2023-07-03T04:00:00+02:00' end='2023-07-04T03:59:00+02:00'>
        <room name='Amphitheater' guid='4d5c8c0b-35ef-56bb-8ca9-28d62bdc76d0'>
            <event guid='1fcae9eb-22ec-5fa3-ac54-6bda769fc9aa' id='113'>
                <room>Amphitheater</room>
                <title>Vulnerabilities in the TPM 2.0 reference implementation code</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-03T14:15:00+02:00</date>
                <start>14:15</start>
                <duration>00:35</duration>
                <abstract>Trusted Platform Module (TPM) is a standard for a secure cryptoprocessor. TPMs come in different flavors: there are discrete chips, integrated TPMs, firmware-based TPMs, and virtual TPMs. They provide a number of cryptographic features, such as generation and secure storage of cryptographic keys, symmetric and asymmetric encryption/decryption, digital signature generation/verification, and random number generation. Typical use cases include attestation of the boot process integrity, storage of disk encryption keys, and digital rights management.

The Trusted Computing Group (TCG), a nonprofit organization, is in charge of publishing and maintaining the TPM standard. As such, they provide a reference implementation of the TPM 2.0 specification. While auditing this reference implementation code, we discovered two vulnerabilities in the handling of encrypted parameters: an out-of-bounds write and an out-of-bounds read, which were assigned CVE-2023-1017 and CVE-2023-1018, respectively. Given that the bugs originate from the reference implementation, these two vulnerabilities propagated across multiple code bases and ended up affecting a wide range of vendors, from chip manufacturers to virtualization solutions and cloud computing providers. Among the impacted source trees we can mention the open source implementations of the TPM 2.0 standard published by Microsoft and IBM, as well as libtpms, an open source library providing software emulation of a Trusted Platform Module, which in turn is used by other free software projects, such as QEMU and VirtualBox, to provide a virtual TPM device for VMs.

We&apos;ll start this presentation by discussing how TPMs work, implementation details of the different virtual TPMs, and the internals of the protocol used to send TPM 2.0 commands. Then we&apos;ll go over the specifics of the two vulnerabilities we discovered, addressing the affected products as well as the possibilities for exploitation. Finally, we&apos;ll conclude the talk with some highlights of the complex, industry-wide disclosure process we conducted, in which numerous parties were involved.</abstract>
                <slug>pts2023-113-vulnerabilities-in-the-tpm-2-0-reference-implementation-code</slug>
                <track>Boot Security</track>
                
                <persons>
                    <person id='134'>Francisco Falcon</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/9ZDVHG/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/9ZDVHG/feedback/</feedback_url>
            </event>
            <event guid='62840174-a7b2-58ab-84a4-67794b59a494' id='96'>
                <room>Amphitheater</room>
                <title>Ultrablue: User-friendly Lightweight TPM Remote Attestation over Bluetooth</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-03T14:50:00+02:00</date>
                <start>14:50</start>
                <duration>00:35</duration>
                <abstract>During the boot of a PC, it is now common to have each stage involved in the booting process to store measurements of the next component to be loaded into a Trusted Platform Module (**_TPM_**), in order to keep a tamper-proof log of the boot chain.
Those measurements are then leveraged to seal secrets, _e.g._ a disk encryption key, or to report the state of the device to a remote server in a cryptographically secure way, using a procedure known as **_remote attestation_**.

_Remote attestation_ has slowly gained traction over the last few years, most notably among cloud providers such as Azure, to guard access to online resources.
It is also a key element in validating _Dynamic Root-of-Trust Measurements_ (DRTM), which reduce the Trusted Computing Base (TCB) compared to traditional UEFI-based boot chains,
but require a trusted third party to validate the final state of the system.
Unfortunately, little progress has been made recently to enable individual users without access to server resources to reap the benefits of remote attestation.
This is particularly frustrating considering that almost everybody carries a small trusted server with them all the time: smartphones.

Building upon an idea by Matthew Garrett[^1], we introduce [Ultrablue](https://github.com/ANSSI-FR/ultrablue) (_**U**ser-friendly **L**ightweight **T**PM **R**emote **A**ttestation over **Blue**tooth_), a solution to securely inspect and validate a TPM event log from a phone.
[Ultrablue](https://github.com/ANSSI-FR/ultrablue) consists of a command-line attester, running on a computer, and an Android graphical application, running on a trusted phone, communicating over encrypted Bluetooth low-energy (BLE).
Pairing the phone and computer is made easier and more secure through the use of a QR Code.
After a trust-on-first-use provisioning phase to enroll the computer on the phone, the phone can check that the boot chain has not been compromised in later boots.
Sample scripts and a self-contained virtual machine are also provided as a reference of how to integrate [Ultrablue](https://github.com/ANSSI-FR/ultrablue) in the boot process to guard disk encryption by a secret delivered by the phone. A practical session will demonstrate this process during the conference.

Future work includes improving the user interface to inspect and validate unexpected event logs, adding support for more versatile verification policies,
and integrating Ultrablue into existing hardened systems such as [Safeboot](https://safeboot.dev/) ([safeboot.dev](https://safeboot.dev/)).

The [Ultrablue](https://github.com/ANSSI-FR/ultrablue) project has been developed at [ANSSI](https://www.ssi.gouv.fr) ([ssi.gouv.fr](https://www.ssi.gouv.fr)) by Lo&#239;c Buckwell, under the supervision of Nicolas Bouchinet and Gabriel Kerneis.

[^1]: Linux Conference Australia, 2020. [https://www.youtube.com/watch?v=FobfM9S9xSI](https://www.youtube.com/watch?v=FobfM9S9xSI)</abstract>
                <slug>pts2023-96-ultrablue-user-friendly-lightweight-tpm-remote-attestation-over-bluetooth</slug>
                <track>Boot Security</track>
                
                <persons>
                    <person id='119'>Nicolas Bouchinet</person><person id='147'>Loic Buckwell</person><person id='148'>Gabriel Kerneis</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/QQR3PB/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/QQR3PB/feedback/</feedback_url>
            </event>
            <event guid='23b68ff7-f565-58be-a996-fdf5dd0de5a5' id='97'>
                <room>Amphitheater</room>
                <title>For Science! - Using an Unimpressive Bug in EDK II To Do Some Fun Exploitation</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-03T15:25:00+02:00</date>
                <start>15:25</start>
                <duration>00:35</duration>
                <abstract>EDK II is the public implementation of UEFI on which a large part of the OEMs rely to craft their own firmware. If a vulnerability were to be found in this project, it could become a huge problem as it could impact many devices. Or... It could be unimpressive and go totally unnoticed because nobody cares. &#175;\\\_(&#12484;)_/&#175;  
In this talk, we&apos;ll present a bug in EDK II which is difficult to leverage in real life but still quite fun to attack.  
We&apos;ll see how we can build a complete exploit solely based on the mechanisms that are present in the public implementation and how we can gain arbitrary code execution in SMM thanks to that.</abstract>
                <slug>pts2023-97-for-science-using-an-unimpressive-bug-in-edk-ii-to-do-some-fun-exploitation</slug>
                <track>Boot Security</track>
                
                <persons>
                    <person id='121'>Gabrielle Viala</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/L38TN3/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/L38TN3/feedback/</feedback_url>
            </event>
            <event guid='b8ed833f-1423-5ec0-8550-e155bbf2f712' id='100'>
                <room>Amphitheater</room>
                <title>The Good, the Bad, and the Secure: a pentester&apos;s journey daily driving Qubes OS</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-03T16:30:00+02:00</date>
                <start>16:30</start>
                <duration>00:35</duration>
                <abstract>The ups and downs of a pentester who decided to daily drive Qubes OS as his working environment.</abstract>
                <slug>pts2023-100-the-good-the-bad-and-the-secure-a-pentester-s-journey-daily-driving-qubes-os</slug>
                <track>OS Security</track>
                
                <persons>
                    <person id='76'>Pierre Milioni</person>
                </persons>
                <language>en</language>
                <description>In this talk, I will provide a quick overview of Qubes OS, a security-focused operating system that uses virtualization to create secure compartments for different tasks and applications. This will ensure that everyone attending the talk understands the concepts and terminology used in the next parts.

I will then share my personal journey of using Qubes OS as my daily working environment, discussing the best and worst things I encountered while using it. This will provide insights and practical advice for those who may be interested in using Qubes OS for their own work.

Finally, I will discuss my perspective on Qubes OS, including why and how I decided to use it as my primary working environment. This part will also provide ideas on how Qubes OS can be used in various scenarios and use cases, including its benefits for security and privacy.

Overall, attendees of this talk will gain a deeper understanding of Qubes OS and its benefits for security and privacy, as well as insights from my personal experience of using it as my daily working environment.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/MPY7WA/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/MPY7WA/feedback/</feedback_url>
            </event>
            <event guid='0dc896fa-cf5e-5f1a-92a0-b4167c16693a' id='102'>
                <room>Amphitheater</room>
                <title>Syslog-ng 4.0 &#8211; where log management is heading</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-03T17:05:00+02:00</date>
                <start>17:05</start>
                <duration>00:35</duration>
                <abstract>After 13 years, a new major release of the syslog-ng logging application is available. Previously, syslog-ng handled all data as text. Syslog-ng 4.0 can associate the proper type information with data parsed from log messages. You can use type information for comparisons within syslog-ng and for storing data in various destinations, like Elasticsearch or MongoDB. Type support enables more precise filtering, and thus real-time security alerting in syslog-ng, and easier searching and reporting in databases. I give a quick overview of the major new syslog-ng 4 features and show with examples how these improve security at your organization.</abstract>
                <slug>pts2023-102-syslog-ng-4-0-where-log-management-is-heading</slug>
                <track>OS Security</track>
                
                <persons>
                    <person id='25'>Peter Czanik, syslog-ng PO at One Identity</person>
                </persons>
                <language>en</language>
                <description>After 13 years, a new major release of syslog-ng is available. Syslog-ng 4.0 brings type support and many additional enhancements. This presentation gives you an overview of some of the larger syslog-ng 4 features, and proves why type support is a major enhancement, improving both operations and security.

Why is type information important? Many filters in syslog-ng use comparisons, and if you compare numbers as strings, 1000 is smaller than 90, as one precedes nine. Using type information, you get correct comparison results. Filters are used for real-time alerting within syslog-ng, so proper type information here also means better alerting possibilities, both for operations and security.

Previously, syslog-ng handled all data parsed from log messages as text. However, even if the format is text, in practice, it can be a number, a boolean value or a list. Some syslog-ng parsers can now detect and preserve the type of data parsed into name-value pairs. You can also add type information to name-value pairs manually.

Name-value pairs from message parsing, filters and templates were already a major feature of the syslog-ng 3 series. Type support in version 4.0 significantly enhances their usability.

Previously, by default, syslog-ng sent all values as text, even though type information was available when the log messages entered syslog-ng. In some cases, you could set type information manually, or you could map type information on the destination side, for example, in Elasticsearch. Now you can store name-value pairs with the correct type information.

If logs are sent as text, the receiving end often handles them as text. It means, for example, that you cannot create graphs from numbers sent as text. Sending name-value pairs with proper type information makes it possible for the receiving end to properly use the embedded values.

Syslog-ng already provides a lot of run-time information for monitoring purposes. Current developments both extend the information available and make it easier to understand. Support for Prometheus is underway.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/USSHMR/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/USSHMR/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshop room' guid='4bd548ce-8d09-527b-a6b3-2a2ca56e5c80'>
            <event guid='59f3450c-9c6f-5ba6-81e3-1bf02f54fc41' id='130'>
                <room>Workshop room</room>
                <title>Sanzu Hands-on</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2023-07-03T14:15:00+02:00</date>
                <start>14:15</start>
                <duration>03:00</duration>
                <abstract>Sanzu is a graphical remote desktop solution. It is fast, robust, and of course Open Source!</abstract>
                <slug>pts2023-130-sanzu-hands-on</slug>
                <track>OS Security</track>
                
                <persons>
                    <person id='150'>Antonin Fringant</person><person id='151'>Fr&#233;d&#233;ric Vanni&#232;re</person>
                </persons>
                <language>en</language>
                <description>[Sanzu](https://github.com/cea-sec/sanzu) is a graphical remote desktop solution. It is composed of:

- a server running on Unix or Windows which can stream an X11 or a Windows GUI environment (for now the Unix version is more advanced)
- a client running on Unix or Windows which can read this stream and interact with the GUI environment

It uses modern video codecs like h264/h265 to offer good image quality and limit bandwidth consumption. Video compression is done through FFmpeg, which allows the use of graphics cards or a full-featured CPU to achieve fast video compression at low latency. It also allows the use of yuv420 or yuv444 for better graphical details.

Workshop Schedule:

- Introduction: Presentation of Sanzu
- Practice: How to use Sanzu in a simple client/server setup (remote access to a VM)
- Presentation: What is the sanzu broker and how does it work
- Practice: How to set up a sanzu broker which spawns a new X server when a new sanzu client connects to the sanzu broker
- Presentation: Remote Browsing with Sanzu


Requirements:

- A laptop (or a virtual machine) on which to install the sanzu client
- One virtual machine running Linux to use as a server for Sanzu</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/VRBZJZ/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/VRBZJZ/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='2' date='2023-07-04' start='2023-07-04T04:00:00+02:00' end='2023-07-05T03:59:00+02:00'>
        <room name='Amphitheater' guid='4d5c8c0b-35ef-56bb-8ca9-28d62bdc76d0'>
            <event guid='6f7499dc-7cc5-59f0-873a-ddae3b17fdc7' id='123'>
                <room>Amphitheater</room>
                <title>Analyse your weird URLs the easy way</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-04T09:15:00+02:00</date>
                <start>09:15</start>
                <duration>00:35</duration>
                <abstract>Websites are a hellish mess and even when you&apos;re lucky enough to have a still-working URL they will often have widely different outcomes depending on your browser settings, your location and the instant you try to load it. This talk will show you a few examples and a complete suite of tools to integrate such an analysis in your day-to-day workflow.</abstract>
                <slug>pts2023-123-analyse-your-weird-urls-the-easy-way</slug>
                <track>OSINT &amp; Online Security</track>
                
                <persons>
                    <person id='141'>Rapha&#235;l Vinot (Developer, Lookyloo)</person>
                </persons>
                <language>en</language>
                <description>You might have heard of [Lookyloo](https://github.com/Lookyloo/lookyloo) before, but this talk will not be limited to it. We will show you that you can integrate it in a complete tool suite:

* [Pandora](https://github.com/pandora-analysis/pandora): to analyze files and emails (which can be forwarded from your mailbox), extract attachments and observables such as URLs, and submit them to Lookyloo
* Process URLs pointing to a downloadable file in Lookyloo and submit them to Pandora
* Once a URL is analyzed, it can be submitted to a [monitoring interface](https://github.com/Lookyloo/monitoring) which will compare captures across time and inform you when something relevant changes - it could be the URL being taken down, or your website serving malware

Or maybe you just want to capture URLs and don&apos;t care about Lookyloo? Well, we also have you sorted and developed a standalone capturing interface called [Lacus](https://github.com/ail-project/lacus), which is already used in production by [AIL Framework](https://github.com/ail-project).

All of that has (obviously) an integration with [MISP](https://github.com/MISP/) for long term storage and sharing with your community.

In short, we&apos;re going to present you a complete suite of OSS tools that you can use either independently, or all together to hopefully make your life easier.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/DTDEC8/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/DTDEC8/feedback/</feedback_url>
            </event>
            <event guid='01f05603-348c-5d6d-97d9-9348cc04108e' id='116'>
                <room>Amphitheater</room>
                <title>Typosquatting-finder</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2023-07-04T09:50:00+02:00</date>
                <start>09:50</start>
                <duration>00:20</duration>
                <abstract>Existing tools like dnstwist or urlcrazy are useful for identifying typosquatting, but they don&apos;t let users generate variations with all possible algorithms. To address this, we created a library that compiles all possible variations of a domain name. But why stop there? We also developed a user-friendly website to make the tool accessible to everyone. And now, there&apos;s a possibility to look for package squatting on platforms like PyPI...

In this session, we will introduce the website and its functionalities, including all possible algorithms currently implemented in the library. Our library and website are both open source, and there is even an online version available to the public, as well as MISP integration. With these resources, there is no excuse for not protecting your organization from potential typosquatting domains.</abstract>
                <slug>pts2023-116-typosquatting-finder</slug>
                <track>OSINT &amp; Online Security</track>
                
                <persons>
                    <person id='135'>Alexandre Dulaunoy</person><person id='137'>David Cruciani</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/C9XNRF/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/C9XNRF/feedback/</feedback_url>
            </event>
            <event guid='28225fce-0952-5409-977e-3700d7c90978' id='101'>
                <room>Amphitheater</room>
                <title>Clustering large amount of email with Minhash: an open-source Locality sensitive hash</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2023-07-04T10:10:00+02:00</date>
                <start>10:10</start>
                <duration>00:20</duration>
                <abstract>In the last decades, global connectivity has increased exponentially, and email is one of the key indicators of this connectivity. In 2022, more than 340 billion emails were sent on average each day, an increase of about 5% compared to the previous year. Because the reach of email is so broad, it has been used more and more in recent years to perform a wide variety of cyber security attacks. On the one side, targeted attacks such as spear-phishing or Business Email Compromise (BEC) can be disastrous for companies and are responsible for millions of dollars in losses each year. These kinds of attacks are usually fine-tuned to deceive the victim, and thus very hard to detect with automation. Furthermore, they are really sparse in comparison to other types of email attacks (1 in 100 000 emails). On the other side, spam and phishing campaigns are broad attacks that usually target large groups of email addresses. Campaign attacks are typically composed of bulk emails sharing a similar template and sent en masse in the hope of hitting just a small fraction of their targets, prioritizing the quantity of attacks sent over their quality (about 80% of emails sent every day are spam). For cybersecurity providers such as Vade, a challenge is to detect and block these campaigns as fast as possible. While emails in a campaign used to be exactly the same and thus relatively easy to catch, attackers have been more and more keen to add noise and tricks to fool detection algorithms, while still maintaining the visual aspect of the email. As a consequence, this evolution has seen an increase in interest in the nearest neighbor problem. The nearest neighbor problem (NNP) is an optimization problem that arises for many kinds of data-driven tools. In particular, detecting duplicate or near-duplicate documents is a critical application of the NNP.
A similarity search problem usually involves a large collection of objects, each characterized by a set of features and representable as points in a high-dimensional attribute space. Given a document, the query is to find its most similar documents in the database. This problem has been shown to be NP-complete, and as such is still unfeasible to solve in reasonable time.</abstract>
                <slug>pts2023-101-clustering-large-amount-of-email-with-minhash-an-open-source-locality-sensitive-hash</slug>
                <track>OSINT &amp; Online Security</track>
                
                <persons>
                    <person id='126'>Nicolas Berveglieri</person>
                </persons>
                <language>en</language>
                <description>In this presentation, we will present a full pipeline for clustering emails sent in a continuous flow, from the email to the clusters, using minhash (https://en.wikipedia.org/wiki/MinHash), an open source locality sensitive hashing algorithm. The presentation will be conducted as follows:
- Explain how to extract key data from the email and remove the content added to fool the clustering algorithm.
- Explain normalization through open source tools such as &quot;https://www.npmjs.com/package/sanitize-html&quot;. This helps reduce the noise-to-info ratio in the email.
- Present locality sensitive hashing through the open source algorithm minhash, which creates fingerprints that collide for similar emails.
- Present the &quot;Bucketization&quot; technique to cluster the fingerprints.
- Present results on real email data.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/YNEF3M/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/YNEF3M/feedback/</feedback_url>
            </event>
            <event guid='35b92103-c3c8-5d98-b925-b773bc42251d' id='115'>
                <room>Amphitheater</room>
                <title>Data Mining, Darknet and Social Network Monitoring - Exploring the Latest Features of the AIL Framework</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-04T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>00:35</duration>
                <abstract>Data Mining, Darknet, and Social Network Monitoring are critical components of modern threat intelligence and security operations. The AIL Project is an open source framework designed to collect, crawl, dig, and analyze unstructured data from various sources. With its extensible Python-based framework, AIL can analyze unstructured data collected via an advanced Crawler manager or from different feeders such as Pastebin-like sites, Twitter, Discord, Telegram Stream providers, or custom feeders.

AIL supports active crawling of Tor hidden services, protected websites and forums with pre-recorded session cookies. Its modular design allows for easy contribution and extension, enabling the addition of new Analyzer modules, feeders, or streams without the need to know the inner workings. The framework also has integrations with other open source projects such as MISP or cve-search.


This presentation will focus on the latest version of the AIL framework (v5.0) and its new features. Attendees will learn about the following:
- An overview of the modular design of AIL and its extensibility through Analyzer modules, feeders, and exporters.
- Demonstrations of how the new features can be used in practice, including practical examples of investigating Tor hidden services and other sources of data.
- Best practices for data collection and analysis with AIL, including performance optimization techniques and integration with other open source projects such as MISP.

Join us for this exciting presentation and learn how AIL can help you with your data analysis and threat detection needs.

https://github.com/ail-project/

https://github.com/ail-project/ail-framework</abstract>
                <slug>pts2023-115-data-mining-darknet-and-social-network-monitoring-exploring-the-latest-features-of-the-ail-framework</slug>
                <track>OSINT &amp; Online Security</track>
                
                <persons>
                    <person id='136'>Aurelien Thirion</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/8MS9ZL/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/8MS9ZL/feedback/</feedback_url>
            </event>
            <event guid='770f3afb-8346-5031-9336-6b1ed7169353' id='98'>
                <room>Amphitheater</room>
                <title>Reproducible Research in Micro-architecture Security (and Beyond): from Paper to Artifact Evaluation</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-04T11:35:00+02:00</date>
                <start>11:35</start>
                <duration>00:35</duration>
                <abstract>Reproducible research is, generally speaking, a good idea we all agree on, but it can be a bit of a nightmare when dealing with hardware -- and actually, even software. In this presentation, I will talk about reproducibility in the context of academic security, and more precisely the reproducibility of attacks on micro-architecture.

In the first part, we will see the limits of &quot;just sharing code&quot; in terms of reproducible research. In the second part, we will explore the good, the bad, and the ugly of trying to reproduce micro-architectural attacks. Finally, we will discuss a great (and quite recent) initiative of academic security conferences: artifact evaluation.</abstract>
                <slug>pts2023-98-reproducible-research-in-micro-architecture-security-and-beyond-from-paper-to-artifact-evaluation</slug>
                <track>Keynote</track>
                
                <persons>
                    <person id='123'>Cl&#233;mentine Maurice</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/T9XQNG/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/T9XQNG/feedback/</feedback_url>
            </event>
            <event guid='6f91b87d-f495-580f-8ec2-d76277db99b5' id='122'>
                <room>Amphitheater</room>
                <title>Supply-chain security in open-source ecosystems: the Rust case</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-04T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>00:35</duration>
                <abstract>Rust is an increasingly popular systems programming language, especially thanks to its memory safety guarantees and more general focus on safety.
This talk will give an overview of where it stands regarding software supply-chain security challenges, including vulnerability management across the ecosystem, dedicated tooling and integration into larger efforts (OpenSSF projects, etc.).

It will cover the topic from both an internal (as a member of the Rust Secure Code WG) and an external (as a software editor using Rust) point of view.</abstract>
                <slug>pts2023-122-supply-chain-security-in-open-source-ecosystems-the-rust-case</slug>
                <track>Supply Chain Security</track>
                
                <persons>
                    <person id='106'>Alexis Mousset</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/YAJN93/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/YAJN93/feedback/</feedback_url>
            </event>
            <event guid='4f29274c-0578-55a7-86f7-4efd47a4f8e0' id='124'>
                <room>Amphitheater</room>
                <title>Introduction to Sigstore: cryptographic signatures made easier</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-04T14:35:00+02:00</date>
                <start>14:35</start>
                <duration>00:35</duration>
                <abstract>The last few years have seen a significant rise in supply chain attacks targeting third-party software used in larger projects. With the need for developers to attest to the integrity and provenance of their software dependencies, alternatives have emerged to make tracing software back to its source more accessible, without requiring specific knowledge of the cryptographic protocols used for generating and verifying artifact signatures.

Project Sigstore (https://www.sigstore.dev/) is a new standard for signing, verifying and protecting software. This talk will provide an introduction to Sigstore, explaining the different components the project is built upon and how developers can use it to sign and verify software artifacts (software packages, container images...) in a secure way. Notably, Sigstore solves the issue of private key storage and management by implementing &quot;keyless&quot; signing, where users can generate ephemeral key pairs and sign an artifact using an identity provider such as GitHub, Microsoft or Google.</abstract>
                <slug>pts2023-124-introduction-to-sigstore-cryptographic-signatures-made-easier</slug>
                <track>Supply Chain Security</track>
                
                <persons>
                    <person id='142'>Maya Costantini</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/9XNUZL/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/9XNUZL/feedback/</feedback_url>
            </event>
            <event guid='6fa23ba5-7810-56bd-90a0-f6716a43f04e' id='114'>
                <room>Amphitheater</room>
                <title>How to Secure Your Software Supply Chain and Speed-Up DFIR with Hashlookup</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-04T15:10:00+02:00</date>
                <start>15:10</start>
                <duration>00:35</duration>
                <abstract>Hashlookup&apos;s aim is to index the hashes of all published and released software. It crawls and indexes hashes from many different public sources, which include Linux distributions, operating systems such as Windows, and alternative distributions. The goal is to provide analysts, digital forensic investigators and security researchers with a fast and efficient way to obtain contextual information about published software. Hashlookup&apos;s goal is to support digital forensic investigation but also the review of software supply chains and distribution channels.</abstract>
                <slug>pts2023-114-how-to-secure-your-software-supply-chain-and-speed-up-dfir-with-hashlookup</slug>
                <track>Supply Chain Security</track>
                
                <persons>
                    <person id='135'>Alexandre Dulaunoy</person>
                </persons>
                <language>en</language>
                <description>Hashlookup&apos;s aim is to index the hashes of all published and released software. It crawls and indexes hashes from many different public sources, which include Linux distributions, operating systems such as Windows, and alternative distributions. The goal is to provide analysts, digital forensic investigators and security researchers with a fast and efficient way to obtain contextual information about published software. Hashlookup&apos;s goal is to support digital forensic investigation but also the review of software supply chains and distribution channels.

hashlookup.io is an open-source project and service, which means that it&apos;s freely available for anyone to use or contribute to. Both open-source and proprietary software can be distributed in various ways, and in this article, we&apos;ll discuss the challenges of gathering all the different sources. We&apos;ll also explore the various risks associated with supply chain attacks and offer some strategies for addressing these issues.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/NQY3WL/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/NQY3WL/feedback/</feedback_url>
            </event>
            <event guid='384ffd34-7226-5135-973a-830a90995b00' id='126'>
                <room>Amphitheater</room>
                <title>Map your firmware!</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2023-07-04T16:15:00+02:00</date>
                <start>16:15</start>
                <duration>00:20</duration>
                <abstract>Nowadays, structured firmware images can be a complete OS with thousands of files. It usually takes several hours to find the links between some components, and it is easy to get lost in this mass of information.
This talk will introduce how we have combined and extended existing open-source solutions to solve this issue and help reversers in their daily tasks. The resulting tool, Pyrrha, allows users to visualize the different binaries and libraries of a firmware image and their interactions in the form of several dependency graphs.</abstract>
                <slug>pts2023-126-map-your-firmware</slug>
                <track>Reverser Tooling</track>
                
                <persons>
                    <person id='81'>Elo&#239;se Brocas</person>
                </persons>
                <language>en</language>
                <description>Pyrrha is an extension of Sourcetrail [1], an open-source source code explorer (for C/C++, Python, and Java). This extension uses LIEF [2] to analyze the imports and exports of each library and binary in the firmware and create links between them. The result is exported as a Sourcetrail database. Thanks to the Sourcetrail UI, the user is able to navigate and search the resulting firmware mapping.

[1] https://github.com/CoatiSoftware/Sourcetrail
[2] https://lief-project.github.io/</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/9H8FH3/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/9H8FH3/feedback/</feedback_url>
            </event>
            <event guid='f3a7a270-979b-5358-a497-8cdb3172aa5e' id='77'>
                <room>Amphitheater</room>
                <title>Gepetto: AI-powered reverse-engineering</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2023-07-04T16:35:00+02:00</date>
                <start>16:35</start>
                <duration>00:20</duration>
                <abstract>AI tools broke out spectacularly in 2022, offering image generation, video upscaling, text completion, and much more.
The recent release of OpenAI&apos;s ChatGPT led researchers to discover that the new language model had unexpected security engineering capabilities. In particular, this talk explores the use of the davinci-003 model to automatically comment decompiled functions and suggest new names for their variables.

This led to the creation of Gepetto, an IDA Pro plugin that extracts information from the tool and submits it to OpenAI&apos;s API to speed up the analysis dramatically, for the rough equivalent of $1 per day.

The plugin&apos;s code is available here: https://github.com/JusticeRage/Gepetto</abstract>
                <slug>pts2023-77-gepetto-ai-powered-reverse-engineering</slug>
                <track>Reverser Tooling</track>
                
                <persons>
                    <person id='65'>Ivan Kwiatkowski</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/LZHYRS/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/LZHYRS/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshop room' guid='4bd548ce-8d09-527b-a6b3-2a2ca56e5c80'>
            <event guid='dbb4d398-4014-5b8b-b8f8-0ce44422cb04' id='103'>
                <room>Workshop room</room>
                <title>Syslog-ng: from zero to hero, including syslog-ng 4 changes</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2023-07-04T09:15:00+02:00</date>
                <start>09:15</start>
                <duration>03:00</duration>
                <abstract>The syslog-ng application is an enhanced logging daemon with a focus on portability and high-performance central log collection. It is used mainly by IT security professionals, but also in Ops and DevOps environments and by embedded developers. The syslog-ng workshop helps you take the first steps with syslog-ng, and shows how you can quickly get more information out of your logs and have greater insight into what happens on your network. Ideal for beginners, but covers advanced possibilities for seasoned syslog-ng users as well. It also introduces you to syslog-ng 4 changes, focusing on type support, and how it makes your work easier and broadens possibilities.</abstract>
                <slug>pts2023-103-syslog-ng-from-zero-to-hero-including-syslog-ng-4-changes</slug>
                <track>OS Security</track>
                
                <persons>
                    <person id='25'>Peter Czanik, syslog-ng PO at One Identity</person>
                </persons>
                <language>en</language>
                <description>You will learn: 

    &#8226; The basic concepts of configuring and running syslog-ng, 

    &#8226; an introduction to message parsing, 

    &#8226; how to store your log messages in Elasticsearch, and 

    &#8226; differences between syslog-ng 3 and 4

To try the configurations on your machine, you will need:

    &#8226; a recent version of syslog-ng (3.23 or newer: https://syslog-ng.com/3rd-party-binaries) 

    &#8226; Elasticsearch 7+ with Kibana installed or Opensearch (optional)

    Last time I was criticized that handing out a USB key at a security event is controversial :-) so install syslog-ng and optionally Elasticsearch on your laptop or in a VM.

Workshop schedule:

    &#8226; Theory: Introductory presentation - the concepts of syslog-ng. Explains the different building blocks (sources, parsers, filters, destinations, etc.), and how to connect them together using log statements.

    &#8226; Practice: Try these concepts in practice. Creating a simple configuration, checking syntax, running in the foreground with different debugging options, and running in the background as a service.

    &#8226; Theory: Message parsing is a main feature of syslog-ng from the security professional&apos;s point of view. Most log messages on Linux / UNIX arrive in a free-form text format, which is easy for humans to read but very difficult to act on. Using message parsing you can extract actionable information from log messages and create alerts, or simply store data in an easy-to-search format.

    &#8226; Practice: Extend the configuration with a few filters and parsers to make it more complex. To see the results of parsing, we use templates on the output side to include name-value pairs.

    &#8226; See the differences between syslog-ng 3 and 4

    &#8226; Practice: Store the results to Elasticsearch and display them in Kibana.

    &#8226; Q&amp;A session (if there is some time left): touch a few additional topics, based on questions from the audience.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/DEPJLQ/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/DEPJLQ/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='3' date='2023-07-05' start='2023-07-05T04:00:00+02:00' end='2023-07-06T03:59:00+02:00'>
        <room name='Amphitheater' guid='4d5c8c0b-35ef-56bb-8ca9-28d62bdc76d0'>
            <event guid='8f689530-b1e1-5062-ac6c-f551055a310d' id='94'>
                <room>Amphitheater</room>
                <title>PHP filter chains: How to use it</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-05T10:00:00+02:00</date>
                <start>10:00</start>
                <duration>00:35</duration>
                <abstract>Local file inclusion methods in PHP have evolved over time; there are 2 main objectives when exploiting them:
- Getting remote code execution by including files containing PHP via the include() or require() functions.
- Leaking local files such as PHP sources or configuration files via the file_get_contents() or file() functions, for example.

In the past, the following requirements had to be met to exploit a local file inclusion.
To obtain remote code execution, you could inject information into log files and include them, or control a variable in your PHP session to poison the session file. But in most cases, you needed to be able to upload a file to the system.
To leak local files, it was required to either fully control the path pointing to the file to leak, or to have a path traversal to go up the file tree. Most importantly, it was mandatory for the server to send you back its content in the response.

In both cases, the affected functions support several wrappers, the most iconic being file://, which is a prefix before a file path. Other wrappers such as php://filter can be passed to these methods; for example, it was well known to allow leaking PHP sources by base64-encoding them (ex: php://filter/convert.base64-encode/resource=index.php).
In a 2021 CTF write-up by loknop, this wrapper was actually proven to be much more useful. Indeed, it allows setting the encoding of contents passing through it, and most importantly chaining an infinite number of encodings, leading to the generation of arbitrary data at the start of a file. In this presentation, the full process will be explained with examples allowing, for instance, the generation of interesting prefixes to a file&apos;s content, such as &apos;&lt;?php system(&quot;id&quot;); ?&gt;&apos;, therefore removing the need for a file upload when exploiting the include() or require() functions to get remote code execution (if the full path is controlled).

In 2022, hash_kitten showed that it was also possible to use PHP filter chains as an error-based oracle when used in many built-in functions, such as file_get_contents(). This method chains encodings that make the content size of a file exponential, triggering a PHP memory_limit exhaustion. By using other filters, the first character of the file content can also be determined. By using other encodings, it is also possible to rotate the chain order to retrieve characters located further away in the content.
Using this error-based oracle, it is therefore possible to leak the entire file content without having PHP serve it in a server response.</abstract>
                <slug>pts2023-94-php-filter-chains-how-to-use-it</slug>
                <track>Web Pentest</track>
                
                <persons>
                    <person id='117'>R&#233;mi Matasse (Security research, Synacktiv)</person>
                </persons>
                <language>en</language>
                <description>This talk aims to explain in which cases PHP filter chains can be used and why these tricks can be useful during an audit, with examples.
Along with it, we will show vulnerable code samples and ways to patch them.

Two tools were developed to exploit it and will also be presented:
- https://github.com/synacktiv/php_filter_chain_generator
- https://github.com/synacktiv/php_filter_chains_oracle_exploit</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/9ZH9NP/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/9ZH9NP/feedback/</feedback_url>
            </event>
            <event guid='5513d1a9-ea39-5135-a333-dea9c632fff4' id='108'>
                <room>Amphitheater</room>
                <title>zekrom: an open-source library of arithmetization-oriented constructions for zkSNARK circuits</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2023-07-05T10:35:00+02:00</date>
                <start>10:35</start>
                <duration>00:20</duration>
                <abstract>Over the last few years, the popularity of proving systems based on zkSNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) has risen, typically due to real-world use cases such as private authentication, private set membership, proofs of correct execution by a non-trusted entity and more.

There are different proving systems that have been proposed in the last 5-7 years (Groth16, Marlin, PLONK, TurboPLONK, etc.), with their primary objectives being reducing the size of the proof, reducing the proving/verifying time and minimizing the need for a trusted setup. Further, there are different ways to implement zkSNARKs, but the common idea behind all of them is that the construction has to be represented in an arithmetic circuit on top of a finite field. This is possible using domain-specific languages (DSLs) such as Circom or Leo, or using a library such as gnark, Halo2 or arkworks-rs.

In the aforementioned applications, typically, encryption and hashing operations are needed. However, the performance of traditional designs such as AES or BLAKE2 is not optimal in circuits. This has led to the appearance of arithmetization-oriented constructions for hashing and encryption. Moreover, the Sponge API for Field Elements (SAFE API) has been recently proposed, which can be used to create different cryptographic primitives for zkSNARK circuits using the sponge construction. In many cases, the performance of this type of construction and the difficulty of implementing it using modern libraries for creating circuits have not been evaluated.

In this talk, we present zekrom, an open-source library of arithmetization-oriented constructions for zkSNARK circuits. The goal of zekrom is to analyze the performance of novel constructions for circuits using modern libraries such as arkworks-rs and Halo2 and frameworks such as the SAFE API. Other goals of zekrom are: 1) to provide recently proposed arithmetization-oriented constructions for creating privacy-friendly applications based on zero-knowledge proofs, 2) to help developers by providing tools to generate the type of parameters that this type of construction requires, and 3) to provide a reusable implementation of the SAFE API that can be easily adapted to newly proposed permutations for circuits. Finally, in our talk, we&apos;ll describe the obstacles we have found when implementing this type of construction.</abstract>
                <slug>pts2023-108-zekrom-an-open-source-library-of-arithmetization-oriented-constructions-for-zksnark-circuits</slug>
                <track>Cryptography</track>
                
                <persons>
                    <person id='130'>Antonio de la Piedra</person><person id='131'>Laurent Thoeny</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/LQ7RVH/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/LQ7RVH/feedback/</feedback_url>
            </event>
            <event guid='0c878801-f353-58ff-b723-1b8cd1dfa5fd' id='91'>
                <room>Amphitheater</room>
                <title>ASN.1 templating for fun and profit</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2023-07-05T11:25:00+02:00</date>
                <start>11:25</start>
                <duration>00:20</duration>
                <abstract>Editing DER-encoded ASN.1 structures is pretty tedious work when done manually.
Solutions to this problem exist. For instance, der-ascii [0] is a tool written in Go that helps with back-and-forth conversions between DER structures and a textual representation using a custom-defined language.
I present a somewhat short Perl script [1] that leverages the OpenSSL configuration language along with the ```ASN1_generate_nconf(3)``` function in order to achieve the same goal with almost no dependencies apart from Perl and OpenSSL.
This tool can be used to ease the exploitation of CVE-2022-0778 [2] &amp; [3].

[0] https://github.com/google/der-ascii
[1] https://github.com/wllm-rbnt/asn1template
[2] https://www.openssl.org/news/secadv/20220315.txt
[3] https://github.com/drago-96/CVE-2022-0778#using-asn1-templates</abstract>
                <slug>pts2023-91-asn-1-templating-for-fun-and-profit</slug>
                <track>File Formats Horror Stories</track>
                
                <persons>
                    <person id='114'>William Robinet</person>
                </persons>
                <language>en</language>
                <description>Remember the OpenSSL vulnerability referenced as CVE-2022-0778 (15/03/2022)...

https://www.openssl.org/news/secadv/20220315.txt

Here is an excerpt from it:
```
&quot;The BN_mod_sqrt() function, which computes a modular square root, contains a
bug that can cause it to loop forever for non-prime moduli.

[...] used when parsing certificates that contain elliptic curve public keys in
compressed form [...]

It is possible to trigger the infinite loop by crafting a certificate that has
invalid explicit curve parameters. [...]

Since certificate parsing happens prior to verification of the certificate
signature, any process that parses an externally supplied certificate may thus
be subject to a denial of service attack. [...]

Thus vulnerable situations include:

 - TLS clients consuming server certificates
 - TLS servers consuming client certificates
 - Hosting providers taking certificates or private keys from customers
 - Certificate authorities parsing certification requests from subscribers
 - Anything else which parses ASN.1 elliptic curve parameters
[...]&quot;
```

Successful exploitation of CVE-2022-0778 can be done in 3 steps:
 1. Generate EC parameters that have some interesting properties as defined in the vulnerability description
 2. Create or modify an already existing encoded ASN.1 cryptographic structure using these parameters
 3. Submit the structure to a service that uses a vulnerable OpenSSL library

This presentation is about step ```2.```.

The ASN.1 cryptographic structures we are considering here are often complex
nested structures. 

The problem lies in the fact that such ASN.1 cryptographic structures are
encoded using a binary format (DER - Distinguished Encoding Rules) that follows
a Type-Length-Value (TLV) logic. Each member of the structure is encoded as its
type identifier, followed by its total length (its own length along with the
length of its sub-members), and finally its value (including that of all its
sub-members).

As an example, here is an ASN.1 sequence containing 2 integers:
```
    SEQUENCE:
        INTEGER:0x12
        INTEGER:0x34
```

Its DER representation can be dissected as this:
```
          /--&gt; type: SEQUENCE
          /  /--&gt; length: 6 bytes
          /  /  /***************/--&gt; value: the two DER encoded INTEGERs
00000000  30 06 02 01 12 02 01 34                           |0......4|
                /  /  /  /  /  /--&gt; value: 0x34
                /  /  /  /  /--&gt; length: 1 byte
                /  /  /  /--&gt; type: INTEGER
                /  /  /--&gt; value: 0x12
                /  /--&gt; length: 1 byte
                /--&gt; type: INTEGER
```

Editing such a binary structure is error-prone. One needs to keep
track of the modifications made to inner objects in order to reflect length
updates in the outer surrounding objects.
For instance, we could replace the second INTEGER in the previous example with a
longer INTEGER (2 bytes instead of 1) with the value 0x3456:

```
    SEQUENCE:
        INTEGER:0x12
        INTEGER:0x3456
```

This means that the second integer now has a length of 2 bytes and that the
encoded length of the surrounding sequence has to be incremented.
```
             /--&gt; Outer SEQUENCE is now 7 bytes long
             /              /--&gt; second INTEGER in outer SEQUENCE is now 2 bytes long
00000000  30 07 02 01 12 02 02 34  56                       |0......4V|
```

Simple structures such as the one in this example are easy to edit manually with
a hex editor. Larger structures composed of multiple levels of nested
sub-structures are a pain to edit. A single mistake would make the whole
structure unusable.

This presentation is about a tool that predates existing solutions such as
```der-ascii```, and that I dusted off when CVE-2022-0778 was announced last
year.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/ZQAXNB/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/ZQAXNB/feedback/</feedback_url>
            </event>
            <event guid='a3f84bb2-ce71-5177-9f0f-20317a09249a' id='117'>
                <room>Amphitheater</room>
                <title>How to survive to STIX parsing?</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2023-07-05T11:45:00+02:00</date>
                <start>11:45</start>
                <duration>00:20</duration>
                <abstract>Ensuring the seamless flow of threat intelligence between sharing communities, CTI pipelines, and detection engineering teams heavily relies on the interoperability of CTI standards.  
To achieve this, the [`misp-stix`](https://github.com/misp/misp-stix) Python library (&gt;=3.8) was developed and specifically designed to handle all conversions between the MISP standard format and STIX formats.  
This library serves as a versatile and comprehensive solution that addresses the challenges faced in CTI standard conversion.  
In this talk, we will discuss the implementation of `misp-stix`, which provides a generic Python library that supports various formats and conversions.</abstract>
                <slug>pts2023-117-how-to-survive-to-stix-parsing</slug>
                <track>File Formats Horror Stories</track>
                
                <persons>
                    <person id='138'>Christian Studer</person>
                </persons>
                <language>en</language>
                <description>When it comes to discussions about exchanging threat intelligence, STIX is often mentioned as a standard for representing and sharing structured information.  
However, the differences between STIX 1.x in XML and STIX 2.x in JSON can pose challenges for analysts and their tools to parse and consume the content easily and automatically.

To address this issue, `misp-stix` provides a straightforward conversion between different versions of STIX formats specialized in threat intelligence exchange and the generic MISP standard, which is widely used worldwide to share information across different domains and fields.

Effective interoperability between CTI standards is crucial to ensure smooth information exchange among sharing communities. By reducing the gap between different conceptions of exchange standards, `misp-stix` aims to facilitate this process.

During the presentation, we will showcase real-life examples of the challenges we face and the solutions we have developed to improve the interoperability and re-usability of knowledge bases, such as misp taxonomies, object templates, and galaxies. These tools are used in MISP and many other CTI tools, and are essential for exchanging structured threat intelligence effectively.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/8TXSWF/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/8TXSWF/feedback/</feedback_url>
            </event>
            <event guid='fb0a386f-bff2-5975-8f2f-fe4fadc9d50d' id='105'>
                <room>Amphitheater</room>
                <title>Decrypt Kerberos/NTLM &#8220;encrypted stub data&#8221; in Wireshark</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-05T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>00:35</duration>
                <abstract>We often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC! But we are often interrupted in our enthusiasm by the payload dissected as &#8220;encrypted stub data&#8221;. Until we discover that Wireshark has a helpful feature to decrypt this traffic, which is protected by secrets derived from the prior Kerberos or NTLM authentication. We will briefly describe the theory and show in practice how to configure Wireshark, and fill the required keytab file, so this &#8220;encrypted stub data&#8221; gets decrypted. This feature will offer you more visibility into those protocols in your future network analysis sessions (security research, network forensics, etc.)</abstract>
                <slug>pts2023-105-decrypt-kerberos-ntlm-encrypted-stub-data-in-wireshark</slug>
                <track>Network Detection &amp; Forensics</track>
                
                <persons>
                    <person id='128'>Cl&#233;ment Notin</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/HMTA3X/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/HMTA3X/feedback/</feedback_url>
            </event>
            <event guid='92bcbee5-dbf6-5c2b-9712-0cb92fd13a63' id='125'>
                <room>Amphitheater</room>
                <title>Using Suricata to detect lateral movement in Windows environment</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-05T14:35:00+02:00</date>
                <start>14:35</start>
                <duration>00:35</duration>
                <abstract>Suricata can be used to provide visibility and build detection of lateral movement in Windows environment using dedicated signatures or analysis of network security monitoring data. The talk will provide practical methods to increase visibility and provide detection of attacks.</abstract>
                <slug>pts2023-125-using-suricata-to-detect-lateral-movement-in-windows-environment</slug>
                <track>Network Detection &amp; Forensics</track>
                
                <persons>
                    <person id='60'>&#201;ric Leblond</person>
                </persons>
                <language>en</language>
                <description>This talk will describe how [Suricata](https://suricata.io) IDS and NSM features can be used to detect lateral movement in Windows based environments. The focus will be on SMB based attacks (including Red Team tooling), with specific attention to the DCERPC layer of SMB, but data extracted from protocols such as Kerberos will also be looked at.

The talk will include a presentation of the free [SMB lateral ruleset](https://www.stamus-networks.com/blog/new-open-ruleset-for-detecting-lateral-movement-with-suricata) published by Stamus Networks. It will show some practical hunting techniques that can be used when working with the SMB protocol.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/EQL3KQ/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/EQL3KQ/feedback/</feedback_url>
            </event>
            <event guid='b94e9c09-151b-51c7-b22c-ec98932e11df' id='78'>
                <room>Amphitheater</room>
                <title>Why cyberoffense will never be regulated</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2023-07-05T15:10:00+02:00</date>
                <start>15:10</start>
                <duration>00:35</duration>
                <abstract>Despite strong public statements that they want &quot;a safer internet for everyone&quot;, many states appear to be double-dealing in the cyber-space and engage in the very activities they discourage. In order to convince decision-makers to genuinely discuss acceptable behavior in the cyberspace, we need to give up on moral arguments and focus on pragmatic reasons to favor defense. But the incentives towards offense may just be too strong.</abstract>
                <slug>pts2023-78-why-cyberoffense-will-never-be-regulated</slug>
                <track>Closing Talk</track>
                
                <persons>
                    <person id='65'>Ivan Kwiatkowski</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/UV9F9J/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/UV9F9J/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshop room' guid='4bd548ce-8d09-527b-a6b3-2a2ca56e5c80'>
            <event guid='62eac879-c816-5c73-894b-0cb77a02e3af' id='127'>
                <room>Workshop room</room>
                <title>Scapy Hands-on</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2023-07-05T09:40:00+02:00</date>
                <start>09:40</start>
                <duration>03:00</duration>
                <abstract>Scapy (https://www.scapy.net &amp; https://github.com/secdev/scapy) is a powerful Python-based interactive packet manipulation program and library. It can be used to forge or decode packets for a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.</abstract>
                <slug>pts2023-127-scapy-hands-on</slug>
                <track>Network Detection &amp; Forensics</track>
                
                <persons>
                    <person id='143'>Guillaume Valadon</person>
                </persons>
                <language>en</language>
                <description>This workshop will describe its main features step by step, and will let you explore the following topics:
- packet manipulation
- sending &amp; receiving packets
- visualization
- IPv6 and TLS support
- implementing a new protocol
- answering machines
- automaton
- pipes

Requirements: a laptop running Linux (native or virtualized) and a fresh Scapy install from github</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2023/talk/A3GZXD/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2023/talk/A3GZXD/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    
</schedule>
