<?xml version='1.0' encoding='utf-8' ?>
<!-- Made with love by pretalx v2025.2.2. -->
<schedule>
    <generator name="pretalx" version="2025.2.2" />
    <version>0.7</version>
    <conference>
        <title>PTS2025</title>
        <acronym>pts2025</acronym>
        <start>2025-07-01</start>
        <end>2025-07-03</end>
        <days>3</days>
        <timeslot_duration>00:05</timeslot_duration>
        <base_url>https://cfp.pass-the-salt.org</base_url>
        
        <time_zone_name>Europe/Paris</time_zone_name>
        
        
        <track name="Transparency at work" slug="43-transparency-at-work"  color="#3b8937" />
        
        <track name="Secured Messaging" slug="44-secured-messaging"  color="#f6090f" />
        
        <track name="Network Security" slug="45-network-security"  color="#a759f6" />
        
        <track name="DFIR &amp; ThreatIntel" slug="47-dfir-threatintel"  color="#18bb0a" />
        
        <track name="Threats to Privacy" slug="49-threats-to-privacy"  color="#07a2f9" />
        
        <track name="Offensive Security" slug="50-offensive-security"  color="#000000" />
        
        <track name="Hardware &amp; Embedded" slug="51-hardware-embedded"  color="#fc00ff" />
        
        <track name="System Audit &amp; Hardening" slug="52-system-audit-hardening"  color="#ff7a00" />
        
        <track name="Walking on the wild Side Channel" slug="53-walking-on-the-wild-side-channel"  color="#2008b3" />
        
    </conference>
    <day index='1' date='2025-07-01' start='2025-07-01T04:00:00+02:00' end='2025-07-02T03:59:00+02:00'>
        <room name='Amphitheater 122' guid='617818b5-2c43-5c28-bf7d-ed73d85dd438'>
            <event guid='0914fd84-65e6-5e97-9d57-2645180bb176' id='196'>
                <room>Amphitheater 122</room>
                <title>RF Swift: A Swifty Toolbox for All Wireless Assessments</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-01T14:10:00+02:00</date>
                <start>14:10</start>
                <duration>00:35</duration>
                <abstract>In an increasingly connected world, securing wireless communication is vital for protecting critical infrastructure and personal data. Traditional tools for Radio Frequency (RF) assessments, while effective, often lack flexibility, cross-platform compatibility, and adaptability for diverse environments and architectures. RF Swift addresses these limitations by providing a streamlined, modular toolbox tailored for RF Security assessments and HAM radio enthusiasts alike.

RF Swift is a multiplatform solution, seamlessly running on Windows, Linux, and a wide range of architectures. This versatility empowers users to conduct RF assessments in virtually any environment without hardware constraints. Designed with adaptability in mind, RF Swift enables security professionals and radio enthusiasts to deploy, manage, and analyze RF communications with unprecedented speed and efficiency.

Attendees will discover how RF Swift empowers both rapid assessments and deep analysis, simplifying complex tasks such as spectrum monitoring, signal detection, protocol analysis, and signal generation. Join us to explore how RF Swift redefines RF security assessment, offering a robust, scalable, and flexible approach to tackle modern wireless security challenges.</abstract>
                <slug>pts2025-196-rf-swift-a-swifty-toolbox-for-all-wireless-assessments</slug>
                <track>Hardware &amp; Embedded</track>
                
                <persons>
                    <person id='71'>S&#233;bastien Dudek</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/RWCWKL/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/RWCWKL/feedback/</feedback_url>
            </event>
            <event guid='56ed88dc-fc73-5c5e-995e-3857955ead4b' id='224'>
                <room>Amphitheater 122</room>
                <title>The Last Resort: Debugging Embedded Systems with Unconventional Methods</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-01T14:45:00+02:00</date>
                <start>14:45</start>
                <duration>00:35</duration>
                <abstract>A debugger is always a valuable tool when searching for vulnerabilities, particularly in embedded systems where multiple peripherals may be involved. Most targets support either well-standardized debug protocols such as JTAG or SWD, or rely on proprietary alternatives. These debug ports are often locked to prevent unauthorized access. When locked, depending on the chip, it may still be possible to reactivate them by exploiting a bug. In rare cases where this is not possible, direct modification of the firmware may be an option. In such scenarios, an on-chip debugger can be implemented within the firmware itself. While potentially unstable, this type of debugger can be highly useful for firmware analysis and exploit development.</abstract>
                <slug>pts2025-224-the-last-resort-debugging-embedded-systems-with-unconventional-methods</slug>
                <track>Hardware &amp; Embedded</track>
                
                <persons>
                    <person id='221'>Vincent Lopes (Security Engineer, Quarkslab)</person>
                </persons>
                <language>en</language>
                <description>This talk offers an overview of low-level concepts related to interrupts, followed by a detailed guide on building an on-chip debugger, addressing the various choices and challenges that may arise during the process.

To begin with, a communication channel is required, preferably one that remains operational even during a debug interrupt. An initial breakpoint must be set on the target to trigger the debugger. A debug handler, ideally written in assembly, needs to be implemented and configured to listen for commands responsible for reading and writing memory and register contents. An intermediate server between GDB and the target must also be created. Several open-source skeletons are available to assist in this task.

In addition, the talk places special emphasis on designing a lightweight debugger, as it is intended for embedded targets. It will therefore present techniques to keep the code as minimal and efficient as possible.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/8WLTNS/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/8WLTNS/feedback/</feedback_url>
            </event>
            <event guid='c31272d8-43ac-5ccb-b021-4d88fcd6964f' id='223'>
                <room>Amphitheater 122</room>
                <title>LabCyber - a FabLab dedicated to cybersecurity</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-01T15:20:00+02:00</date>
                <start>15:20</start>
                <duration>00:20</duration>
                <abstract>LabCyber is an exploratory lab focusing on the hardware dimension of cybersecurity deployed by the PTCC -transfer program at Campus Cyber operated by INRIA on behalf of the French academic community.</abstract>
                <slug>pts2025-223-labcyber-a-fablab-dedicated-to-cybersecurity</slug>
                <track>Hardware &amp; Embedded</track>
                
                <persons>
                    <person id='220'>Aline Becq</person><person id='246'>Fabien Caura</person>
                </persons>
                <language>en</language>
                <description>During this talk we will succinctly present pilot projects of varied nature:

- entrepreneurial prototyping
- multipartner academic projects
- production of commons with work groups 

as well as our range of equipment and the eligibility criteria for new projects.

As a Fablab we are willing to promote an open science approach by:

- Listing and advocating for open tools
- Sharing the results or the methodologies with communities as wide as possible 
- Initiating open hardware projects related to security</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/CWYMPY/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/CWYMPY/feedback/</feedback_url>
            </event>
            <event guid='eb0a254d-a78b-550f-883e-3082ea2d7664' id='248'>
                <room>Amphitheater 122</room>
                <title>OpenRelik: a containerized incident response processing pipeline</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-01T15:55:00+02:00</date>
                <start>15:55</start>
                <duration>00:35</duration>
                <abstract>OpenRelik is a new decentralized, distributed, containerized incident response forensic artifact processing pipeline. We&#8217;ll talk about the main goal behind the project and its architecture, but also lessons we&#8217;ve learned from past attempts at building this, and how we&#8217;ve solved them this time around. Demos included!</abstract>
                <slug>pts2025-248-openrelik-a-containerized-incident-response-processing-pipeline</slug>
                <track>DFIR &amp; ThreatIntel</track>
                
                <persons>
                    <person id='175'>Thomas Chopitea (Digital Forensics, Google)</person><person id='241'>Johan Berggren (Digital Forensics, Google)</person>
                </persons>
                <language>en</language>
                <description>This talk will cover:

* OpenRelik: what is it, who is it for, how do we use it?

* lessons learnt from the past: Turbinia, its architecture, and why that wasn&#8217;t cutting it anymore

* Architecture: decentralized workers via containers, redis pub sub channel, shared file system, mediator server

* life of a workflow: how we go from uploading evidence to retrieving results.

* How OpenRelik integrates with other tools such as Timesketch and Yeti. How to write a worker that integrates with your tools.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/HL8QKR/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/HL8QKR/feedback/</feedback_url>
            </event>
            <event guid='1225b150-250c-5b67-8fa4-6f2b0ad3ac28' id='233'>
                <room>Amphitheater 122</room>
                <title>End-to-end processing of malware samples using open source technologies</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-01T16:30:00+02:00</date>
                <start>16:30</start>
                <duration>00:35</duration>
                <abstract>The Datadog Threat Research team routinely collects and analyzes potential malware samples from multiple sources such as honeypots, intelligence shared by partners and intel contacts, internal security incidents or Guarddog sourced malicious packages.

From these malware analyses, we extract Indicators of Compromise (IoCs), such as malicious IP addresses, domains, file hashes and other atomic indicators. For example, a cloud crypto-jacking campaign could involve malicious container images associated with an attacker-controlled Dockerhub user. Malware in the Docker images could communicate with a Command and Control (C2) server at a specific IP. The names of the images, along with the Dockerhub username and the C2 IP would be considered atomic indicators in this case.

With the increase of daily analyses, our team had to handle the detonation of various types of samples and built an automated pipeline from data ingestion to detonation and collection of contextualised IoCs in our TIP. We built our pipeline by relying on several Open Source projects including eBPF tracers, Threat Intelligence Platform and malware analysis orchestrator.

With this talk we want to share how we implemented and deployed our pipeline and also give feedback and lessons learned while implementing it.</abstract>
                <slug>pts2025-233-end-to-end-processing-of-malware-samples-using-open-source-technologies</slug>
                <track>DFIR &amp; ThreatIntel</track>
                
                <persons>
                    <person id='228'>Frederic Baguelin</person><person id='242'>Matt Muir</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/SB7BEZ/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/SB7BEZ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Room LW109' guid='d6712aa4-16a5-5f2a-9261-cdb84a4774d3'>
            <event guid='13f813c6-9fc9-5207-8f17-42355a01bc50' id='225'>
                <room>Room LW109</room>
                <title>Practical intro to deeplearning: chihuahuas vs muffins</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2025-07-01T14:10:00+02:00</date>
                <start>14:10</start>
                <duration>03:00</duration>
                <abstract>Once upon a time, an algorithm&apos;s task was to make the distinction between a chihuahua and a muffin... true story. Human, curiosity is a great thing, and this workshop is built around it.

Here total beginners in AI learn the fundamentals of deep learning, set up their environment, and apply it to image classification. By the end of the workshop, they are able to build a simple web application using Gradio that classifies images.</abstract>
                <slug>pts2025-225-practical-intro-to-deeplearning-chihuahuas-vs-muffins</slug>
                <track></track>
                
                <persons>
                    <person id='168'>Pauline Bourmeau (Cookie)</person><person id='203'>William Robinet (Conostix S.A.)</person>
                </persons>
                <language>en</language>
                <description>Agenda:

&#8226; Short introduction to deep learning

&#8226; Setting up the environment

&#8226; Hands-on session: we&#8217;ll experiment with image classification

&#8226; Hands-on session: we build a web app with Gradio

We&#8217;ll also be discussing applications to cybersecurity you can prototype, deep learning and training methods, cool the hype and discuss realistic LLM capacities.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/WAKGHJ/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/WAKGHJ/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='2' date='2025-07-02' start='2025-07-02T04:00:00+02:00' end='2025-07-03T03:59:00+02:00'>
        <room name='Amphitheater 122' guid='617818b5-2c43-5c28-bf7d-ed73d85dd438'>
            <event guid='ee1b70c1-1f6e-55a0-ab6c-f2dd796483d5' id='242'>
                <room>Amphitheater 122</room>
                <title>Building Efficient Verifiable Logs: Introducing Trillian Tessera and TesseraCT</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-02T09:15:00+02:00</date>
                <start>09:15</start>
                <duration>00:35</duration>
                <abstract>Since the inception of Certificate Transparency, the use of Transparency logs is booming: go sumdb, Key Transparency, Sigstore, etc. These various ecosystems build on top of the promise of transparency logs: accurate, immutable, publicly verifiable data. Building with tamper-evident logs means that you can cryptographically prove that the data hasn&#8217;t been unexpectedly changed.

This growing number of ecosystems together with the increase of the logs&#8217; size called for efficient APIs to ensure logs could deliver their promise. This led to the standardization of transparency logs APIs and format: the concept of tiles and checkpoint emerged. Tiles split the underlying Merkle tree into chunks that can be stored, served and cached efficiently, while checkpoints represent the state of the tree.

Certificate Transparency (CT) has been the most successful role model for transparency ecosystems. Static Certificate Transparency API, an evolution of RFC 6962, is Certificate Transparency&#8217;s attempt at implementing these new standards, thus bringing all ecosystems closer to one another.

This talk introduces Trillian Tessera, an open-source Go library for building tile-based transparency logs using these standard formats on both major cloud and on-premises infrastructure, together with TesseraCT, a readily deployable solution for Certificate Transparency using Trillian Tessera.

Attendees will gain insights into a lightweight yet powerful library for building their own reliable and easily maintainable transparency solutions. We will showcase a concrete example of its application with Certificate Transparency. The demo covers the TesseraCT deployment and the performance of submitting entries and verifying the entry inclusion and log consistency.</abstract>
                <slug>pts2025-242-building-efficient-verifiable-logs-introducing-trillian-tessera-and-tesseract</slug>
                <track>Transparency at work</track>
                
                <persons>
                    <person id='184'>Philippe Boneff (Certificate Transparency Tech Lead, Google)</person><person id='238'>Roger Ng</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/WLKAH9/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/WLKAH9/feedback/</feedback_url>
            </event>
            <event guid='39dfe82a-98f8-5231-b9fa-72f17d4037ae' id='241'>
                <room>Amphitheater 122</room>
                <title>Working towards digital archive transparency</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-02T09:50:00+02:00</date>
                <start>09:50</start>
                <duration>00:20</duration>
                <abstract>The legitimacy of an online document today is bound to the way it has been retrieved: From a reputable source, through an authenticated communication. However, as primary sources become unavailable, digital archives and other third-party repositories emerge as sole witnesses that some documents ever existed, or that their content has not been altered. The proliferation of tools able to produce large amounts of convincing fakes, as well as current incentives for bad actors to leverage these technologies, may eventually threaten the trust placed in these archives and finally question the genuineness of historical records.

In this talk, we explore how existing technologies such as Certificate Transparency may be leveraged to establish a robust foundation for digital archive integrity and observability. We then present our on-going effort to develop libre and open-source tools to build and maintain such transparency logs, as well as other integrations with existing standards for trusted timestamping and web archiving.</abstract>
                <slug>pts2025-241-working-towards-digital-archive-transparency</slug>
                <track>Transparency at work</track>
                
                <persons>
                    <person id='233'>The Terrible Archivist</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/DCMUBQ/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/DCMUBQ/feedback/</feedback_url>
            </event>
            <event guid='41a9dffd-a659-50ce-9cbd-2c78ef20b992' id='211'>
                <room>Amphitheater 122</room>
                <title>My friends have phone numbers, not public keys</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-02T10:10:00+02:00</date>
                <start>10:10</start>
                <duration>00:35</duration>
                <abstract>Or how to make sure you are communicating with the right person when using an end-to-end messaging app when the security relies on public keys you fetch from a third party.</abstract>
                <slug>pts2025-211-my-friends-have-phone-numbers-not-public-keys</slug>
                <track>Transparency at work</track>
                
                <persons>
                    <person id='213'>Thibault Meunier (Research, Cloudflare)</person>
                </persons>
                <language>en</language>
                <description>In 2023, in an effort to secure the distribution of its users' public keys, WhatsApp announced [Key Transparency](https://engineering.fb.com/2023/04/13/security/whatsapp-key-transparency/). This aims to automatically verify a secure connection, without user interaction, such as scanning a QRCode. Similar efforts have been shared by [iMessage](https://security.apple.com/blog/imessage-contact-key-verification), and [Proton Mail](https://proton.me/support/key-transparency).

This talk goes over how key transparency works, how it is implemented today, and the challenges and improvements. It builds on deployed systems such as [WhatsApp](https://engineering.fb.com/2023/04/13/security/whatsapp-key-transparency/) or [Cloudflare](https://blog.cloudflare.com/key-transparency/), and on on-going standardisation efforts at [IETF](https://datatracker.ietf.org/wg/keytrans/about/) and [C2SP](https://github.com/C2SP/C2SP).</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/YKXAKR/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/YKXAKR/feedback/</feedback_url>
            </event>
            <event guid='54d74f2f-a87c-5a2f-8211-c5d44c767924' id='250'>
                <room>Amphitheater 122</room>
                <title>Always more secure? Analyzing user migrations to federated e2ee messaging apps</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-02T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>00:35</duration>
                <abstract>With the current massive user migration from X and Meta to decentralized social media such as Mastodon, the interest in federated communication infrastructures is gaining traction. We have been documenting similar tendencies since 2018 already, analyzing how users in various contexts shift their preferences in terms of secure messaging applications. In the context of a longitudinal study of secure messaging apps users and developers this presentation proposes to analyze several waves of user migrations and suggests an analytical framework to understand the changes in the perception of what&#8217;s a &#8220;good secure messaging app&#8221; with a particular attention to federated architectures and their potential. The &#8220;Signal gate&#8221; has shown that cryptographic properties of a messaging app per se do not offer a guarantee of security, and many other (sometimes even non-technical) qualities enter the game. We propose to understand digital security as an evolving sociotechnical process of adjusting tools and behaviors and to question the race for an &#8220;always more secure&#8221; messaging app. We argue that infrastructural choices (centralized vs decentralized vs distributed) and social practices (such as contact discovery) matter.</abstract>
                <slug>pts2025-250-always-more-secure-analyzing-user-migrations-to-federated-e2ee-messaging-apps</slug>
                <track>Secured Messaging</track>
                
                <persons>
                    <person id='236'>Ksenia Ermoshina</person>
                </persons>
                <language>en</language>
                <description>With the current massive user migration from X and Meta to decentralized social media such as Mastodon, the interest in federated communication infrastructures is gaining traction. We have been documenting similar tendencies since 2018 already, analyzing how users in various contexts shift their preferences in terms of secure messaging applications. In the context of a longitudinal study of secure messaging apps users and developers this presentation proposes to analyze several waves of user migrations and suggests an analytical framework to understand the changes in the perception of what&#8217;s a &#8220;good secure messaging app&#8221; with a particular attention to federated architectures and their potential. The &#8220;Signal gate&#8221; has shown that cryptographic properties of a messaging app per se do not offer a guarantee of security, and many other (sometimes even non-technical) qualities enter the game. We propose to understand digital security as an evolving sociotechnical process of adjusting tools and behaviors and to question the race for an &#8220;always more secure&#8221; messaging app. We argue that infrastructural choices (centralized vs decentralized vs distributed) and social practices (such as contact discovery) matter.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/LEMGYM/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/LEMGYM/feedback/</feedback_url>
            </event>
            <event guid='b9e54906-660c-597a-9b17-6bb5f8f91bae' id='243'>
                <room>Amphitheater 122</room>
                <title>Messaging Layer Security (MLS) &#8211; towards more end-to-end encryption</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-02T11:35:00+02:00</date>
                <start>11:35</start>
                <duration>00:35</duration>
                <abstract>Messaging Layer Security (MLS) is a protocol for end-to-end encryption. It has been standardized at the IETF and has been published as RFC9420. Inspired by other protocols and designed with rigorous academic supervision it aims to be the go-to solution for whenever end-to-end encryption is needed.

This talk will cover the following areas:

 - How does MLS work?
 - What problems does it solve?
 - What does the ecosystem look like?
 - What extensions and variations exist?

This will also give an outlook on the MIMI interoperability working group and how it relates to MLS.</abstract>
                <slug>pts2025-243-messaging-layer-security-mls-towards-more-end-to-end-encryption</slug>
                <track>Secured Messaging</track>
                
                <persons>
                    <person id='235'>Raphael Robert (MLS co-author, CEO of Phoenix R&amp;D)</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/SYFQXB/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/SYFQXB/feedback/</feedback_url>
            </event>
            <event guid='03e80ad4-d973-5ff7-99fd-8d897c8fe7d0' id='237'>
                <room>Amphitheater 122</room>
                <title>Usable end-to-end security with Delta Chat and Chatmail</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-02T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>00:35</duration>
                <abstract>Over the years, Delta Chat has matured to be an easy-to-use, secure,
and even fast decentralized FOSS messenger app for all platforms.
In this talk we discuss two key security architectures:   

- Autocrypt and SecureJoin key distribution protocols for achieving
  automatic end-to-end encrypted messaging safe against MITM attacks, and

- the open-signup Chatmail server network which successfully uses strict
  cryptographic interoperability constraints (DKIM, OpenPGP, TLS)
  instead of IP-reputation and spam classification methods.

We also highlight the six independent security audits and analyses conducted so far.</abstract>
                <slug>pts2025-237-usable-end-to-end-security-with-delta-chat-and-chatmail</slug>
                <track>Secured Messaging</track>
                
                <persons>
                    <person id='231'>Holger Krekel</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/P3DZRZ/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/P3DZRZ/feedback/</feedback_url>
            </event>
            <event guid='73d736ed-f068-5ae9-981d-0c91dd9902c7' id='231'>
                <room>Amphitheater 122</room>
                <title>Matrix French gov deployment: opening a private federation securely</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-02T14:35:00+02:00</date>
                <start>14:35</start>
                <duration>00:35</duration>
                <abstract>The French government has deployed a private Matrix federation for French civil servants called Tchap.

Currently this federation has about 300 000 monthly active users and its usage is growing constantly.

Today our federation is closed and we would like to be able to connect with other public French Matrix nodes (local authorities for instance), and also other European countries.

We should implement measures to ensure that the federation remains resilient against potential attacks, both technical (e.g., DDoS, data interception) and organizational (e.g., unauthorized access, insider threats):

*   How can we restrict the servers we wish to communicate with? How can we be sure that we are actually communicating with them? Since TLS can be vulnerable to man-in-the-middle attacks by state actors, we can&apos;t rely on it entirely.
*   How can we trust the identities of users from external deployments that we don&#8217;t control?
*   How can we limit the interactions that external users can have with users from our federation?

We spent a lot of time thinking about this and now have a plan that looks legit, and that we are currently implementing. I&apos;m sure you want to know more about it, right?

In this talk, we will share the approach we&#8217;ve taken to address these challenges and we will present the architecture we designed.</abstract>
                <slug>pts2025-231-matrix-french-gov-deployment-opening-a-private-federation-securely</slug>
                <track>Secured Messaging</track>
                
                <persons>
                    <person id='227'>Mathieu Velten</person><person id='244'>Yoan Pintas</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/AN9QJ8/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/AN9QJ8/feedback/</feedback_url>
            </event>
            <event guid='017bbbef-ce5e-5d99-bb34-b749297785f7' id='220'>
                <room>Amphitheater 122</room>
                <title>When Priority Isn&#8217;t Enough: Exploiting the VRRP Tie-Breaking IP Mechanism</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-02T15:40:00+02:00</date>
                <start>15:40</start>
                <duration>00:20</duration>
                <abstract>VRRP (Virtual Router Redundancy Protocol) is an open-standard protocol designed to ensure high availability of routers. Proven and widely adopted, it is used in many network infrastructures. However, the security aspects of VRRP are rarely discussed in depth in available online resources. For instance, VRRPv2, which remains widely used today, offers two authentication modes, one of which is easily bypassed. In contrast, VRRPv3 has completely removed authentication, as the protocol&apos;s authors considered that security should be handled at a different layer. In this presentation, I will focus on the IP tie-breaking dilemma that arises during VRRP priority conflicts, particularly when the legitimate master router is configured with the highest priority value of 255. To illustrate this issue, I will rely on Keepalived, a widely used open-source implementation of VRRP. I will also highlight a design flaw I co-discovered in the VRRP protocol (RFC 9568), in collaboration with the Keepalived project maintainers. This vulnerability, documented in erratum 8298 and validated by the IETF, allows an attacker on the same network to impersonate the master router during a priority conflict, revealing a weakness in the protocol&#8217;s design.</abstract>
                <slug>pts2025-220-when-priority-isn-t-enough-exploiting-the-vrrp-tie-breaking-ip-mechanism</slug>
                <track>Network Security</track>
                
                <persons>
                    <person id='214'>Geoffrey Sauvageot-Berland</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/UATTRT/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/UATTRT/feedback/</feedback_url>
            </event>
            <event guid='64cd216a-65f7-5fa1-b8d0-e4e1461949a8' id='226'>
                <room>Amphitheater 122</room>
                <title>Wirego, a Wireshark plugin development framework</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-02T16:00:00+02:00</date>
                <start>16:00</start>
                <duration>00:20</duration>
                <abstract>Wireshark is a widely used tool when it comes to viewing the contents of a network traffic capture.
When reversing a protocol, we tend to develop a simple program with a &quot;simple&quot; programming language (Python, Go...) to parse what is currently known.

The most logical way would be to develop this program as a Wireshark plugin, but the Wireshark plugin API is rarely used, since it&apos;s quite complex and is not suited to a quick and dirty task.

Wirego allows simple development of Wireshark plugins in Python and Go (and maybe more).</abstract>
                <slug>pts2025-226-wirego-a-wireshark-plugin-development-framework</slug>
                <track>Network Security</track>
                
                <persons>
                    <person id='222'>Benoit Girard</person>
                </persons>
                <language>en</language>
                <description>Developing plugins for Wireshark is quite complex. The API is written in C, dates from 1998 and is quite poorly documented. When working on a protocol, the reverser wants to stay focused on their main task and really doesn&apos;t want to go deep inside the Wireshark source code.

Wirego is based on a ready-to-use Wireshark plugin which re-emits the Wireshark calls to a ZMQ (Zero-MQ) endpoint.
A package/class/framework for a given language receives these calls and converts them back to simple API calls. The end-user only needs to inherit a class (or implement an interface in Go) with just a few methods in order to develop his plugin.

Typically, one will simply implement seven methods in order to define the plugin name, the plugin filter (used to filter packets matching with the protocol), the list of fields eventually returned by the dissector (the parser), three methods for the protocol detection and the dissector itself.

A simple Wireshark plugin can be developed using only 100 lines of Python or less.
Wirego has been designed to easily allow the integration of additional languages.

Wirego is available on github: https://github.com/quarkslab/wirego/</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/EN3WB8/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/EN3WB8/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Room LW109' guid='d6712aa4-16a5-5f2a-9261-cdb84a4774d3'>
            <event guid='5fc23429-fa3f-5145-a949-2ebb4c1fe586' id='219'>
                <room>Room LW109</room>
                <title>ROPemporium party</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2025-07-02T09:15:00+02:00</date>
                <start>09:15</start>
                <duration>03:00</duration>
                <abstract>ROP (Return-Oriented Programming) is an essential technique for exploiting modern binary executables. The ROPEmporium website (https://ropemporium.com/), developed by Max Kemper, features a series of step-by-step exercises designed to help you discover ROP progressively.

The workshop offers a shared experience of these exercises.</abstract>
                <slug>pts2025-219-ropemporium-party</slug>
                <track>Offensive Security</track>
                
                <persons>
                    <person id='218'>Jean-C&#244;me Estienney (CNAM)</person>
                </persons>
                <language>en</language>
                <description>During this workshop, we&apos;ll work together to solve some of the exercises on the site.

The aim is to give you enough theoretical and practical knowledge to be able to extend the experience by doing all the exercises proposed afterwards.
The site offers exercises on Intel x86-64, x86-32, ARM and MIPS executables.

After a presentation of the platform and the main concepts involved in ROP, you&apos;ll be able to learn from the exercises:

- Get to grips with the tools to discover an initial function calling technique.
- Call a function with a parameter already present in the executable.
- Master the convention of passing parameters for more complex calls.
- Learn how to place some data in memory and pass it as a parameter.
- Search for usable gadgets when the most obvious are not available.
- Finally, we&apos;ll create a slightly more complex ROP chain using a pivot technique.

As an epilogue, if time permits, we&apos;ll take a look at ARM binary exploitation with qemu, to encourage you to extend the experience.

The workshop is ideally aimed at people familiar with x86 assembler and the basics of binary exploitation with buffer overflow.

To carry out the exercises you will need a Linux machine with the following open-source tools:
- gdb
- a gdb extension such as GEF or pwndbg
- python3
- pwntools
- radare2
- ropper or ROPGadget
and optionally
- 32-bit libraries (libc6-i386)
- qemu

A docker image containing the required tools will be made available and its use encouraged.
&lt;b&gt;Docker is therefore the main requisite.&lt;/b&gt;

By the way, to avoid clogging up the network and to save time at the beginning of the workshop, please
try to download the materials in advance:

&lt;code&gt;
git clone https://github.com/cdpointpoint/ropemporium_party.git

cd ropemporium_party

./run_ptsrew.sh
&lt;/code&gt;.

The run script will pull the 2 GB Docker image the first time.

It is also possible to follow the workshop without carrying out (all) the manipulations during the session and keep focus on explanations or exchanges.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/RTTHMW/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/RTTHMW/feedback/</feedback_url>
            </event>
            <event guid='c788d146-fbf5-537b-935d-0df68ce43dcb' id='191'>
                <room>Room LW109</room>
                <title>MISP for analysts</title>
                <subtitle></subtitle>
                <type>Workshop 2h30</type>
                <date>2025-07-02T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>02:30</duration>
                <abstract>MISP is an open-source platform for threat intelligence and information sharing. This workshop is designed to introduce MISP concepts and get started with using the platform. Participants will learn about MISP features by conducting a hands-on analysis during the workshop.</abstract>
                <slug>pts2025-191-misp-for-analysts</slug>
                <track>DFIR &amp; ThreatIntel</track>
                
                <persons>
                    <person id='168'>Pauline Bourmeau (Cookie)</person><person id='203'>William Robinet (Conostix S.A.)</person>
                </persons>
                <language>en</language>
                <description>Outline

Introduction to MISP
  - Overview of MISP and its features
  - Presentation of the example case

Getting Started
  - Create and populate a MISP event
  - Generate a report
  - Publish the event

General Usage
  - Working with data: enrich, collaborate, export
  - Best practices

Recap and resources</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/K3MKZQ/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/K3MKZQ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Room LW112' guid='9aa13913-47d3-5c57-b296-329abb75b4e4'>
            <event guid='c454f9f2-a996-5fd4-93be-561a6a628bb2' id='240'>
                <room>Room LW112</room>
                <title>Bluetooth Low Energy hacking with WHAD</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2025-07-02T09:15:00+02:00</date>
                <start>09:15</start>
                <duration>03:00</duration>
                <abstract>This workshop will introduce you to our WHAD framework (WHAD stands for *Wireless HAcking Devices* or *Wireless HAcking for Dummies*, see https://whad.io) and its numerous tools designed to have fun with wireless devices in the wild, with a focus on Bluetooth Low Energy (BLE). Learn how to easily discover BLE devices, connect to them and analyze how they behave and expose information, how to clone a device and trick a smartphone into connecting to it, how to interact with a device in many unexpected ways, and more importantly learn how this framework can help you build pretty efficient exploits in Python to complete the final challenge of this workshop!

We would be more than happy to get you started with Bluetooth Low Energy hacking with WHAD, and hope you&apos;ll enjoy the ride and dig into what this framework is capable of regarding other wireless protocols as well!</abstract>
                <slug>pts2025-240-bluetooth-low-energy-hacking-with-whad</slug>
                <track>Hardware &amp; Embedded</track>
                
                <persons>
                    <person id='24'>Damien Cauquil (R&amp;D Engineer at Quarkslab)</person><person id='232'>Romain Cayre</person>
                </persons>
                <language>en</language>
                <description>### Workshop objectives

* Discover WHAD, a flexible wireless hacking Python framework and some of its key features
* Learn how to easily scan, connect and interact with a BLE device using WHAD tools
* Learn how to spoof any BLE device using WHAD
* Learn how to create Python scripts using WHAD to automate BLE analysis and vulnerability exploitation 
* Hack a BLE smartband for fun and profit!

### Prerequisites

* A laptop with VirtualBox or VMware virtualization software installed (host OS does not really matter)
  * We will provide a pre-configured VM a few days before the workshop
  * Administrative rights may be required for the VM to access the host&apos;s USB interfaces and HCI adapters
  * At least 2 free USB ports required on the host machine to plug some hardware devices, bring a USB hub if needed
* A good knowledge of the Python programming language (Python 3.x)
* A smartphone with Nordic Semiconductor&apos;s *nRF Connect* application installed (not mandatory but could be useful)
* You can also bring any Bluetooth Low Energy device you think may be fun to fiddle with ;)

### Workshop agenda

* I. What is WHAD?
  * I.1. Introducing WHAD (purpose and global design)
    * I.1.1. Supported protocols/modulations
    * I.1.2. Combining simple tools to create complex tools
    * I.1.3. Python API
    * I.1.4. Examples of tools/research based on WHAD (quick demos)
    * I.1.5. Pros and cons
  * I.2. Core concepts
    * I.2.1. Getting protocol processing out of firmware
    * I.2.2. WHAD host/interface protocol
    * I.2.3. Interfaces and connectors
    * I.2.4. Tool chaining
    * I.2.5. Scripting
  * I.3. Installing WHAD
    * I.3.1. Installing and running WHAD in a VM (we provide a VM image)
    * I.3.2. Installing and running WHAD on your host computer (for the brave)
    * I.3.3. First contact with WHAD

* II. Discovering BLE devices
  * II.1. Using wsniff to scan for BLE devices
  * II.2. Using wble-central to discover devices
  * II.3. Exporting a device profile to a file (for later use or reporting)
  
* III. Interacting with a BLE device (hands-on)
  * III.1. Interactive mode using wble-central
    * III.1.a. Services and characteristics discovery
    * III.1.b. Reading and writing to characteristics
    * III.1.c. Subscribing for notifications or indications
    * III.1.e. Real-time monitoring with Wireshark
  * III.2. Scripting with WHAD and wble-central
    * III.2.a. Creating a script to avoid getting disconnected
    * III.2.b. Running a script with wble-central
    * III.2.c. Exporting and importing a BLE device&apos;s GATT profile for better speed

* IV. Creating fake BLE devices (hands-on)
  * IV.1. Interactive mode using wble-periph
    * IV.1.a. Creating a device from scratch in interactive mode
    * IV.1.b. Scripting wble-periph to quickly setup a device
    * IV.1.c. Monitoring live with Wireshark
    * IV.1.d. Dumping traffic to PCAP file
    * IV.1.e. Populating services and characteristics from exported GATT profile
  * IV.2. Scripting with WHAD and wble-periph
    * IV.2.a. Creating a script to advertise a specific peripheral
    * IV.2.b. Combining saved GATT profile and scripting for efficiency

* V. Python scripting (hands-on)
  * V.1. WHAD Python API 101
    * V.1.a. Connecting to a BLE device
    * V.1.b. Reading and writing to characteristics
    * V.1.c. Subscribing to notifications or indications
    * V.1.d. Sending handcrafted PDUs
    * V.1.e. Exporting traffic to PCAP
  * V.2. Final challenge
    * V.2.a. Discovering a vulnerable smart band
    * V.2.b. Writing an exploit with Python and WHAD
    * V.2.c. Hack all the smart bands!</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/CSHGVJ/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/CSHGVJ/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='3' date='2025-07-03' start='2025-07-03T04:00:00+02:00' end='2025-07-04T03:59:00+02:00'>
        <room name='Amphitheater 122' guid='617818b5-2c43-5c28-bf7d-ed73d85dd438'>
            <event guid='7ec6e571-9127-583e-a74e-77c1e66da901' id='245'>
                <room>Amphitheater 122</room>
                <title>Make better shells with rcat</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-03T09:30:00+02:00</date>
                <start>09:30</start>
                <duration>00:20</duration>
                <abstract>__Rcat__ is a modern _netcat_ written in Rust &#129408;. It supports __TLS__, and __upgrading reverse shells__ to a fully interactive TTY.</abstract>
                <slug>pts2025-245-make-better-shells-with-rcat</slug>
                <track>Offensive Security</track>
                
                <persons>
                    <person id='234'>Olivier Lasne</person>
                </persons>
                <language>en</language>
                <description>Today, most reverse shells are done via an unencrypted TCP connection using `netcat` (looking at you https://revshells.com). We will see how to easily create __encrypted reverse shells__ (without installing tools on the targeted server).

We will also discuss what _pseudo-TTYs_ are, and how `rcat` makes it easier to transfer files over a TCP connection.

https://github.com/0xfalafel/rcat</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/DEKPBL/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/DEKPBL/feedback/</feedback_url>
            </event>
            <event guid='dcaefaf6-1c67-5919-a4b7-5b8a4df4159c' id='234'>
                <room>Amphitheater 122</room>
                <title>Hooking Windows Named Pipes with thats_no_pipe</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-03T09:50:00+02:00</date>
                <start>09:50</start>
                <duration>00:20</duration>
                <abstract>Named Pipes are interprocess communication primitives used by many Windows applications.
However, these operating system APIs are often blindly trusted, and one can intercept and tamper with transmitted data by abusing a Man-in-the-Middle setup.
Commonly accepted mitigations involve checking process IDs, executable signatures or permissions on the named pipe. With proper tooling, such mitigations can be bypassed.

This presentation will delve into Windows Named Pipes APIs while highlighting common attacks, usual mitigations, and how to bypass them using the soon-to-be-open-source tool thats_no_pipe.</abstract>
                <slug>pts2025-234-hooking-windows-named-pipes-with-thatsnopipe</slug>
                <track>Offensive Security</track>
                
                <persons>
                    <person id='229'>Thomas Borot (Pentester @Synacktiv)</person>
                </persons>
                <language>en</language>
                <description>- A quick introduction of the speaker.
- A quick introduction of Windows Named Pipes APIs.
- An overview of common attacks against Named Pipes.
- Common mitigations against MitM attacks, and how to bypass them.
- Live demonstration of the tool.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/XE9K9T/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/XE9K9T/feedback/</feedback_url>
            </event>
            <event guid='0603f284-2f3e-52cf-88c7-5c53ff855165' id='202'>
                <room>Amphitheater 122</room>
                <title>Vesta Admin Takeover - Exploiting reduced seed entropy in $RANDOM</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-03T10:10:00+02:00</date>
                <start>10:10</start>
                <duration>00:20</duration>
                <abstract>In this session, we will examine the Vesta control panel, known for its user-friendly approach to Linux server management. While Vesta facilitates tasks like hosting websites and managing domains, it also presents security challenges. Our focus will be on a significant vulnerability that allows for admin takeover due to the predictable output of the Bash $RANDOM variable used for password and token generation.

Attendees will gain insights into the exploit process, its implications for server security, and best practices for mitigating similar risks. Join us to learn how to enhance the security of your Linux server environments and protect against unauthorized access.</abstract>
                <slug>pts2025-202-vesta-admin-takeover-exploiting-reduced-seed-entropy-in-random</slug>
                <track>Offensive Security</track>
                
                <persons>
                    <person id='209'>Adrian Tiron</person>
                </persons>
                <language>en</language>
                <description>Vesta is a lightweight, web-based control panel that simplifies Linux server management, appealing to users seeking an intuitive alternative to traditional platforms like cPanel and Plesk. This presentation will examine a critical flaw in Vesta: an admin takeover exploit resulting from reduced seed entropy in the Bash $RANDOM variable. By transforming what was once a theoretical attack into a practical one, we successfully reduced the brute force domain of the seed by over 98%. This allows attackers to generate predictable random values, compromising the security of passwords and tokens. We will discuss the implications of this vulnerability and highlight best practices for enhancing server security in real-world applications.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/XZGSN8/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/XZGSN8/feedback/</feedback_url>
            </event>
            <event guid='180637e0-bb72-58e8-a1f6-04a579c659a3' id='232'>
                <room>Amphitheater 122</room>
                <title>Auditing Keycloak Configurations with Neo4j</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-03T10:45:00+02:00</date>
                <start>10:45</start>
                <duration>00:20</duration>
                <abstract>Keycloak is a popular open source Identity and Access Management solution that provides single sign-on, user federation, and fine-grained role-based access control. However, in complex setups with multiple realms, roles, and groups, misconfigurations may go unnoticed. In this short talk, I will demonstrate a straightforward way to export Keycloak data (realms, roles, users, groups, etc.) into a Neo4j graph database, then run Cypher queries to pinpoint potential security issues such as privilege escalation. By visualizing Keycloak objects as a graph, we gain a clearer view of relationships and can spot unusual privileges more easily. An open-source tool facilitating this process will be released once the final configuration details are settled, enabling others to replicate and adapt the method.</abstract>
                <slug>pts2025-232-auditing-keycloak-configurations-with-neo4j</slug>
                <track>System Audit &amp; Hardening</track>
                
                <persons>
                    <person id='189'>K&#233;vin Schouteeten (pentester @Synacktiv)</person>
                </persons>
                <language>en</language>
                <description>Key points covered:

* Simple export of Keycloak objects (realms, roles, users, groups, etc.) into Neo4j
* Using Cypher queries to detect or visualize security gaps
* Practical examples of identifying overlooked or excessive privileges
* Maintaining a clearer overview of complex IAM configurations
* Details on the upcoming open-source release for easy replication</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/9ZCTRE/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/9ZCTRE/feedback/</feedback_url>
            </event>
            <event guid='5a064057-bcf1-56ae-9bb1-fe3bb1be6e39' id='195'>
                <room>Amphitheater 122</room>
                <title>Putting pacman in jail: a sandboxing story</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-03T11:05:00+02:00</date>
                <start>11:05</start>
                <duration>00:35</duration>
                <abstract>The pacman package manager is used by the Arch Linux distribution and its derivatives. It is written in a memory-unsafe language, runs as root, and performs complicated tasks while downloading packages over the internet.
This is the story of how in 7.0 we isolated the download steps into a separate process, running as an unprivileged user, and further restricted it using seccomp and Landlock.</abstract>
                <slug>pts2025-195-putting-pacman-in-jail-a-sandboxing-story</slug>
                <track>System Audit &amp; Hardening</track>
                
                <persons>
                    <person id='205'>R&#233;mi Gacogne (Security Team, Arch Linux)</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/FUL7LS/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/FUL7LS/feedback/</feedback_url>
            </event>
            <event guid='212fdfdf-523e-5e44-9263-cf534a7ae4dc' id='212'>
                <room>Amphitheater 122</room>
                <title>RootAsRole: Simplifying Linux Privileges and Fortifying Ansible Deployments</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-03T11:40:00+02:00</date>
                <start>11:40</start>
                <duration>00:20</duration>
                <abstract>This presentation introduces RootAsRole, an alternative to the sudo/su commands that applies the principle of least privilege more finely, then dives into security issues with Ansible and how RootAsRole helps to deal with them.</abstract>
                <slug>pts2025-212-rootasrole-simplifying-linux-privileges-and-fortifying-ansible-deployments</slug>
                <track>System Audit &amp; Hardening</track>
                
                <persons>
                    <person id='63'>Yves R&#252;tschl&#233; (Security architect, Airbus Protect)</person><person id='215'>Eddie Billoir</person>
                </persons>
                <language>en</language>
                <description>RootAsRole is a Rust-based alternative to *sudo* for Linux systems. It allows the definition of a co-administered infrastructure with limited privilege sets through a structured role-based access control model, adhering to the principle of least privilege. In this presentation, we&#8217;ll explore how *sr* (the name of our tool, for **S**witch-**R**ole) is more secure and/or better than the *sudo/doas/su* alternatives, how it extends its utility to automation with Ansible, and the valuable security insights it offers.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/C9MMHN/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/C9MMHN/feedback/</feedback_url>
            </event>
            <event guid='7beab524-b738-5e80-9f81-5ee92762da9f' id='229'>
                <room>Amphitheater 122</room>
                <title>Secrets at Sea: Hunting Exposed Code &amp; Container Registries</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-03T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>00:20</duration>
                <abstract>Publicly accessible registries and repositories are often associated with well-known SaaS platforms such as GitHub or DockerHub. However, a significant number of individuals and companies rely on self-hosted solutions like GitLab or Harbor for managing their code and container images. Surprisingly, many of these self-hosted instances are inadvertently exposed, granting unauthenticated access to repositories and container images.

This talk will explore methods for discovering publicly accessible self-hosted registries using techniques such as Certificate Transparency (CT) logs and Shodan scanning. We will discuss how to retrieve repository contents and container images from these sources, subsequently performing secrets scanning to assess the extent of exposure and raise awareness of potential security risks.

From a tooling perspective, our investigation reveals a critical gap: most scanning tools fail to retrieve images from registries that are only available via plain HTTP. We will take this opportunity to discuss the registry API, and demonstrate approaches for interacting with it.

Through real-world examples and hands-on insights, this talk aims to shed light on the current state of public registry exposure, providing actionable recommendations for improving security posture.</abstract>
                <slug>pts2025-229-secrets-at-sea-hunting-exposed-code-container-registries</slug>
                <track>System Audit &amp; Hardening</track>
                
                <persons>
                    <person id='225'>Guillaume Valadon</person><person id='243'>Gaetan Ferry</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/PKWQUD/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/PKWQUD/feedback/</feedback_url>
            </event>
            <event guid='45679808-3d16-5961-9c18-b73bbf1f44fa' id='227'>
                <room>Amphitheater 122</room>
                <title>Fun with flags: How Compilers Break and Fix Constant-Time Code</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-03T14:20:00+02:00</date>
                <start>14:20</start>
                <duration>00:20</duration>
                <abstract>You meticulously craft constant-time code to protect against side-channel attacks&#8212;only to have your compiler silently sabotage it. Optimization passes, designed to make code faster, can introduce timing leaks, violating security guarantees in ways developers never intended. But which optimizations are responsible? And how can you stop them without rewriting the compiler itself?

In this talk, we investigate the mystery behind compiler-induced constant-time violations. We analyze real-world examples from GCC and LLVM, exposing how specific optimizations betray security assumptions. More importantly, we provide practical solutions: which compiler flags can mitigate these leaks, and what is the real cost of securing your compiled code?

Your compiler may not be your friend&#8212;but with the right knowledge, you can stop it from turning against you.</abstract>
                <slug>pts2025-227-fun-with-flags-how-compilers-break-and-fix-constant-time-code</slug>
                <track>Walking on the wild Side Channel</track>
                
                <persons>
                    <person id='223'>Antoine Geimer</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/RDEFF3/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/RDEFF3/feedback/</feedback_url>
            </event>
            <event guid='bf816b41-fb6f-5846-8e0d-6b59d76026cc' id='206'>
                <room>Amphitheater 122</room>
                <title>Analyzing Microarchitectural Side-Channel Attacks Using Open-source gem5 simulator</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-03T14:40:00+02:00</date>
                <start>14:40</start>
                <duration>00:20</duration>
                <abstract>Microarchitectural side-channel attacks exploit subtle hardware behaviors, such as cache activity and instruction retirement patterns, to extract sensitive information. Understanding these attacks is essential for developing effective mitigations. However, real hardware imposes limitations on observability and experimental flexibility. The gem5 simulator, an open-source and highly extensible architectural simulator, provides a powerful environment for analyzing these attacks with fine-grained control over execution, memory access, and timing behaviors.


In this presentation, I will demonstrate how gem5 can be used to evaluate side-channel vulnerabilities, focusing on attack scenarios such as Flush+Fault and Access-Retired attacks targeting the RISC-V architecture. By simulating both attack and non-attack conditions under controlled settings, gem5 enables precise identification of attack patterns. These datasets can then be used to train machine learning (ML) models for classifying microarchitectural events with high accuracy.


By leveraging gem5&#8217;s multi-ISA support, full-system simulation, and cycle-accurate modeling, researchers gain deeper insights into attack mechanisms, accelerate the prototyping of detection techniques, and design architectures resilient to both known and emerging side-channel threats. This approach not only enhances detection capabilities but also informs secure hardware-software co-design strategies.</abstract>
                <slug>pts2025-206-analyzing-microarchitectural-side-channel-attacks-using-open-source-gem5-simulator</slug>
                <track>Walking on the wild Side Channel</track>
                
                <persons>
                    <person id='212'>Mahreen Khan</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/GBEYZP/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/GBEYZP/feedback/</feedback_url>
            </event>
            <event guid='111f702b-75db-5aba-8bf3-cfb2c64e6a18' id='247'>
                <room>Amphitheater 122</room>
                <title>The Even Darker Web - Dirty tricks and questionable code choices on some of the world&apos;s largest websites.</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-03T15:00:00+02:00</date>
                <start>15:00</start>
                <duration>00:20</duration>
                <abstract>Most of you made your own website at least once or twice. You wrote HTML or used a framework that generated static content for you. And you were pretty proud to have something as lightweight as possible.

It turns out we are the weirdos.

Over years of developing [lookyloo](https://github.com/Lookyloo), we have encountered a lot of interesting (and sometimes terrible) techniques used to show you a webpage and harvest your data. These techniques cover what happens before you see anything (DNS, geolocation, time of day), when you start seeing the page (GDPR popup, Captcha, mouse movement), and after it is fully rendered. (If it ever is...)</abstract>
                <slug>pts2025-247-the-even-darker-web-dirty-tricks-and-questionable-code-choices-on-some-of-the-world-s-largest-websites</slug>
                <track>Threats to Privacy</track>
                
                <persons>
                    <person id='141'>Rapha&#235;l Vinot (Developer, Lookyloo)</person>
                </persons>
                <language>en</language>
                <description>The talk will cover the three categories of websites we encounter:

1. Phishing and scams: make a quick crime buck.
2. Tracking on legitimate websites: build a user profile over time without getting sued to oblivion.
3. WAT: probably AI generated and trying to sell you the memecoin of the day.

We will go through a few remarkable example captures on Lookyloo and explain what weird or crazy thing happened from the instant the URL starts to load all the way to when the page is rendered. We&apos;ll also look at the data gathered along the way, and search in the existing dataset for similar captures.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/MMAXWW/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/MMAXWW/feedback/</feedback_url>
            </event>
            <event guid='8c7dd4cd-30d8-5320-93d5-ea7ad5f9b4d1' id='218'>
                <room>Amphitheater 122</room>
                <title>Metadata Protection in Instant Messaging Applications: a Review</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2025-07-03T15:35:00+02:00</date>
                <start>15:35</start>
                <duration>00:35</duration>
                <abstract>Twelve years after the public specification of the Signal protocol, almost all
instant messaging protocols have embraced the ratchet construct, granting perfect
forward secrecy and post-compromise security.

WhatsApp, Signal, OMEMO-based applications, Olm and Megolm-based applications,
or SimpleX Chat all use the Double Ratchet protocol. Olvid also uses a ratchet
protocol, although the construct is a bit different. And there are the stragglers
who insist on not using any form of perfect forward secrecy, such as Session or
Delta Chat. Of those, we will talk no more.

But since then, we have learned the hard way from some NSA executive that
metadata gets you arrested or killed. And so the question arises: how well is
our metadata protected by the various instant messaging infrastructures?

Signal claims one cannot hand over data one doesn&apos;t have. But how honest are
they about the metadata they do have, and that could be requested from them or
their hosting provider by a subpoena and sealed orders?

In this talk, we will explore some metadata available to Signal servers, Olvid
servers, Matrix/Element home servers and SimpleX Chat SMP queue servers. We will
then discuss the strategies that some of these applications have deployed to
limit metadata exposure, including those leveraging external transport security,
such as the use of Tor.</abstract>
                <slug>pts2025-218-metadata-protection-in-instant-messaging-applications-a-review</slug>
                <track>Threats to Privacy</track>
                
                <persons>
                    <person id='216'>Florian Maury</person>
                </persons>
                <language>en</language>
                <description>This talk covers the obvious issue of long-term identities and the
construction of the social graph and how some protections supposed to thwart the
social graph recovery are flawed. Some of these attacks are publicly documented
and still unmitigated by those affected by them.

This talk also dives into less obvious metadata leaks, such as traffic
correlation and ciphertext correlation. 

Finally it also points out that some of the studied instant messaging solutions
do not protect all messages and leak metadata to third parties via attachment
upload, push notifications, backups and voice/video calls. 

Sorting out which instant messaging application is the best is a non-goal for
this talk.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/7K9MEV/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/7K9MEV/feedback/</feedback_url>
            </event>
            <event guid='7c830a80-6949-5aba-ad99-fcf014d729d7' id='228'>
                <room>Amphitheater 122</room>
                <title>EXADPrinter: Exhaustive Permissionless Device Fingerprinting Within the Android Ecosystem</title>
                <subtitle></subtitle>
                <type>Short Talk</type>
                <date>2025-07-03T16:10:00+02:00</date>
                <start>16:10</start>
                <duration>00:20</duration>
                <abstract>Android is the dominant mobile operating system, powering more than 70% of the global mobile market and presenting a significant opportunity for user tracking. As privacy regulations tighten around how personal data can be used and collected, trackers are looking for alternatives that are under less scrutiny to evade detection. Device fingerprinting has emerged as a key solution, allowing trackers to create identifiers without user consent in a stealthy manner. Despite the extensive research on fingerprinting done from a web browser in the past decade, device fingerprinting on Android remains relatively understudied, with limited literature exploring its specific techniques and implications for user privacy.

In this study, we introduce EXADPrinter, a novel exhaustive permissionless device fingerprinting framework targeting Android devices. Without requiring permissions, our framework extracts over 200,000 properties per device by leveraging methods such as Java reflection and execution of shell commands. Through a dedicated Android application and a 6-month data collection, we gathered over 1151 fingerprints coming from 833 different Android devices, covering 41 manufacturers and 7 Android versions ranging from 9 to 15.

Through our framework, we demonstrate that diverse data can be collected about the device hardware, the operating system running on it, and the user, without requiring special permissions. We show that combining a few attributes without any IDs or personal information is enough to uniquely identify each device of our dataset, painting a bleak picture of the current state of the Android ecosystem.
Moreover, our framework highlights the negative impact of custom operating systems and manufacturer-specific customizations as they enhance the device fingerprinting effectiveness. Furthermore, EXADPrinter uncovers some leakage of sensitive information caused essentially by manufacturer customizations, including the exposure of user emails, emergency contacts, and persistent identifiers such as SIM identifiers.</abstract>
                <slug>pts2025-228-exadprinter-exhaustive-permissionless-device-fingerprinting-within-the-android-ecosystem</slug>
                <track>Threats to Privacy</track>
                
                <persons>
                    <person id='224'>Sihem Bouhenniche (University of Lille - Inria)</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/BT3FTH/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/BT3FTH/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Room LW109' guid='d6712aa4-16a5-5f2a-9261-cdb84a4774d3'>
            <event guid='6ca35491-a884-5ded-814d-c58e00297b23' id='244'>
                <room>Room LW109</room>
                <title>Dive into Delta Chat, Chatmail, webxdc apps and P2P realtime</title>
                <subtitle></subtitle>
                <type>Workshop</type>
                <date>2025-07-03T09:30:00+02:00</date>
                <start>09:30</start>
                <duration>03:00</duration>
                <abstract>Over the years, the Delta Chat decentralized instant messaging project has evolved a rich ecosystem of distinct project areas: from instant onboarding with a versatile cross-platform messenger, through chat-shared web apps with integrated peer-to-peer realtime messaging, to participating with your own Chatmail servers in the worldwide e-mail server network.

First, we onboard all participants on different Chatmail servers and get into a joint chat group and play around with the many features, answer and discuss questions and maybe play some games.

Second, we offer participants hands-on sessions: 

- setting up a chatmail server

- writing a webxdc app

- writing a chat bot</abstract>
                <slug>pts2025-244-dive-into-delta-chat-chatmail-webxdc-apps-and-p2p-realtime</slug>
                <track>Secured Messaging</track>
                
                <persons>
                    <person id='231'>Holger Krekel</person><person id='236'>Ksenia Ermoshina</person><person id='237'>missytake</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/JFTTLJ/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/JFTTLJ/feedback/</feedback_url>
            </event>
            <event guid='e112db89-002c-5295-bb66-6c45843568b9' id='221'>
                <room>Room LW109</room>
                <title>Apkpatcher: Reverse Engineering and Modifying Android Applications Without Rooting</title>
                <subtitle></subtitle>
                <type>Workshop 2h30</type>
                <date>2025-07-03T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>02:30</duration>
                <abstract>This hands-on workshop will guide participants through the process of reverse engineering and modifying Android applications without the need for rooted devices.
I will present [apkpatcher](https://apkpatcher.ci-yow.com/) and use it to explore various techniques to analyze, modify, and remove trackers from Android apps, focusing on practical skills that can be applied in real-world scenarios.</abstract>
                <slug>pts2025-221-apkpatcher-reverse-engineering-and-modifying-android-applications-without-rooting</slug>
                <track>Offensive Security</track>
                
                <persons>
                    <person id='15'>Benoit Forgette</person>
                </persons>
                <language>en</language>
                <description># Objectives

- Understand the fundamentals of reverse engineering Android applications.
- Learn to use debugging tools to analyze Android app behavior.
- Bypass security mechanisms using Frida scripts.
- Sniff and replay Bluetooth Low Energy (BLE) communications.
- Modify Smali code to alter app functionality.
- Reverse engineer native libraries used in Android apps.
- Perform Man-in-the-Middle (MITM) attacks on HTTPS services.

# Workshop Outline

1. Introduction to Android Reverse Engineering
- Overview of Android app architecture.
- Setting up the environment for reverse engineering.
2. Using a Debugger on Android Applications
- Introduction to Android debugging tools.
- Practical exercise: Debugging an Android app.
3. Bypassing Security with Frida
- Introduction to Frida and its capabilities.
- Writing Frida scripts to bypass security checks.
- Hands-on: Implementing a Frida script.
4. Sniffing and Replaying BLE Communications
- Overview of BLE technology.
- Tools for sniffing BLE traffic.
- Practical exercise: Capturing and replaying BLE data.
5. Modifying Smali Code
- Introduction to Smali and its role in Android apps.
- Techniques for modifying Smali code.
- Hands-on: Altering app functionality through Smali.
6. Reverse Engineering Native Libraries
- Understanding native libraries in Android.
- Tools and techniques for reverse engineering.
- Practical exercise: Analyzing a native library.
7. MITM on HTTPS Services
- Introduction to MITM attacks.
- Setting up a MITM proxy for HTTPS.
- Hands-on: Intercepting and modifying HTTPS traffic.

# Prerequisites

- Familiarity with command-line tools.
- Laptop and Android phone.

# Expected Outcomes

By the end of the workshop, participants will have gained practical experience in reverse engineering and modifying Android applications. They will be equipped with the skills to analyze app security and implement modifications without requiring rooted devices.

Workshop Duration: 1.5 hours</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.pass-the-salt.org/pts2025/talk/7A7B8G/</url>
                <feedback_url>https://cfp.pass-the-salt.org/pts2025/talk/7A7B8G/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    
</schedule>
