PTS2025

Once upon a time, an algorithm's task was to make the distinction between a chiwawa and a muffin... true story. Human, curiosity is a great thing, and this workshop is built around it.

Here total beginners in AI learn the fundamentals of deep learning, set up their environment, and apply it to image classification. By the end of the workshop, they are able to build a simple web application using Gradio that classifies images.

In an increasingly connected world, securing wireless communication is vital for protecting critical infrastructure and personal data. Traditional tools for Radio Frequency (RF) assessments, while effective, often lack flexibility, cross-platform compatibility, and adaptability for diverse environments and architectures. RF Swift addresses these limitations by providing a streamlined, modular toolbox tailored for RF Security assessments and HAM radio enthusiasts alike.

RF Swift is a multiplatform solution, seamlessly running on Windows, Linux, and a wide range of architectures. This versatility empowers users to conduct RF assessments in virtually any environment without hardware constraints. Designed with adaptability in mind, RF Swift enables security professionals and radio enthusiasts to deploy, manage, and analyze RF communications with unprecedented speed and efficiency.

Attendees will discover how RF Swift empowers both rapid assessments and deep analysis, simplifying complex tasks such as spectrum monitoring, signal detection, protocol analysis, and signal generation. Join us to explore how RF Swift redefines RF security assessment, offering a robust, scalable, and flexible approach to tackle modern wireless security challenges.

A debugger is always a valuable tool when searching for vulnerabilities, particularly in embedded systems where multiple peripherals may be involved. Most targets support either well-standardized debug protocols such as JTAG or SWD, or rely on proprietary alternatives. These debug ports are often locked to prevent unauthorized access. When locked, depending on the chip, it may still be possible to reactivate them by exploiting a bug. In rare cases where this is not possible, direct modification of the firmware may be an option. In such scenarios, an on-chip debugger can be implemented within the firmware itself. While potentially unstable, this type of debugger can be highly useful for firmware analysis and exploit development.

LabCyber is an exploratory lab focusing on the hardware dimension of cybersecurity deployed by the PTCC -transfer program at Campus Cyber operated by INRIA on behalf of the French academic community.

OpenRelik is a new decentralized, distributed, containerized incident response forensic artifact processing pipeline. We’ll talk about the main goal behind the project and its architecture, but also lessons we’ve learned from past attempts at building this, and how we’ve solved them this time around. Demos included!

The Datadog Threat Research team routinely collects and analyzes potential malware samples from multiple sources such as honeypots, intelligence shared by partners and intel contacts, internal security incidents or Guarddog sourced malicious packages.

From these malware analysis, we extract Indicators of Compromise (IoCs), such as malicious IP addresses, domains, file hashes and other atomic indicators. For example, a cloud crypto-jacking campaign could involve malicious container images associated with an attacker-controlled Dockerhub user. Malware in the Docker images could communicate with a Command and Control (C2) server at a specific IP. The names of the images, along with the Dockerhub username and the C2 IP would be considered atomic indicators in this case.

With the increase of daily analyses, our team had to handle the detonation of various types of samples and built an automated pipeline from data ingestion to detonation and collection contextualised IoCs in our TIP. We built our pipeline by relying on several Open Source projects including eBPF tracers, Threat Intelligence Platform and malware analysis orchestrator.

With this talk we want to share how we implemented and deployed our pipeline and also give feedback and lessons learned while implementing it.

This workshop will introduce you to our WHAD framework (WHAD stands for Wireless HAcking Devices or Wireless HAcking for Dummies, see https://whad.io) and its numerous tools designed to have fun with wireless devices in the wild, with a focus on Bluetooth Low Energy (BLE). Learn how to easily discover BLE devices, connect to them and analyze how they behave and expose information, how to clone a device and trick a smartphone to connect to it, how to interact with a device in many unexpected ways, and more importantly learn how this framework can help you build pretty efficient exploits in Python to complete the final challenge of this workshop !

We would be more than happy to get you started with Bluetooth Low Energy hacking with WHAD, and hope you'll enjoy the ride and dig into what this framework is capable of regarding other wireless protocols as well !

Since the inception of Certificate Transparency, the use of Transparency logs is booming: go sumdb, Key Transparency, Sigstore, etc. These various ecosystems build on top of the promise of transparency logs: accurate, immutable, publicly verifiable data. Building with tamper-evident logs means that you can cryptographically prove that the data hasn’t been unexpectedly changed.

This growing number of ecosystems together with the increase of the logs’ size called for efficient APIs to ensure logs could deliver their promise. This led to the standardization of transparency logs APIs and format: the concept of tiles and checkpoint emerged. Tiles split the underlying Merkle tree into chunks that can be stored, served and cached efficiently, while checkpoints represent the state of the tree.

Certificate Transparency (CT) has been the most successful role model for transparency ecosystems. Static Certificate Transparency API, an evolution of RFC 6962, is Certificate Transparency’s attempt at implementing these new standards, thus bringing all ecosystems closer to one another.

This talk introduces Trillian Tessera, an open-source Go library for building tile-based transparency logs using these standard formats on both major cloud and on-premises infrastructure, together with TesseraCT, a readily deployable solution for Certificate Transparency using Trillian Tessera.

Attendees will gain insights into a lightweight yet powerful library for building their own reliable and easily maintainable transparency solutions. We will showcase a concrete example of its application with Certificate Transparency. The demo covers the TesseraCT deployment and the performance of submitting entries and verifying the entry inclusion and log consistency.

ROP (Return-Oriented Programming) is an essential technique for exploiting modern binary executables. The ROPEmporium website, (https://ropemporium.com/
) developed by Max Kemper, features a series of step-by-step exercises designed to help you discover the ROPEmporium progressively.

The workshop offers a shared experience of these exercises

The legitimacy of an online document today is bound to the way it has been retrieved: From a reputable source, through an authenticated communication. However, as primary sources become unavailable, digital archives and other third-party repositories emerge as sole witnesses that some documents ever existed, or that their content have not been altered. The proliferation of tools able to produce large amounts of convincing fakes, as well as current incentives for bad actors to leverage these technologies, may eventually threaten the trust placed in these archives and finally question the genuineness of historical records.

In this talk, we explore how existing technologies such as the Certificate Transparency, may be leveraged to establish a robust foundation for digital archive integrity and observability. We then present our on-going effort to develop libre and open-source tools to build and maintain such transparency logs, as well as other integrations with existing standards for trusted timestamping and web archiving.

Or how to make sure you are communicating with the right person when using an end-to-end messaging app when the security relies on public keys you fetch from a third party.

With the current massive user migration from X and Meta to decentralized social media such as Mastodon, the interest in federated communication infrastructures is gaining traction. We have been documenting similar tendencies since 2018 already, analyzing how users in various contexts shift their preferences in terms of secure messaging applications. In the context of a longitudinal study of secure messaging apps users and developers this presentation proposes to analyze several waves of user migrations and suggests an analytical framework to understand the changes in the perception of what’s a “good secure messaging app” with a particular attention to federated architectures and their potential. The “Signal gate” has shown that cryptographic properties of a messaging app per se do not offer a guarantee of security, and many other (sometimes even non-technical) qualities enter the game. We propose to understand digital security as an evolving sociotechnical process of adjusting tools and behaviors and to question the race for an “always more secure” messaging app. We argue that infrastructural choices (centralized vs decentralized vs distributed) and social practices (such as contact discovery) matter.

Messaging Layer Security (MLS) is a protocol for end-to-end encryption. It has been standardized at the IETF and has been published as RFC9420. Inspired by other protocols and designed with rigorous academic supervision it aims to be the go-to solution for whenever end-to-end encryption is needed.

This talk will cover the following areas:

• How does MLS work?
• What problems does it solve?
• What does the ecosystem look like?
• What extensions and variations exist?

This will also give an outlook on the MIMI interoperability working group and how it relates to MLS.

MISP is an open-source platform for threat intelligence and information sharing. This workshop is designed to introduce MISP concepts and get started with using the platform. Participants will learn about MISP features by conducting a hands-on analysis during the workshop.

Over the years, Delta Chat has matured to be an easy-to-use, secure,
and even fast decentralized FOSS messenger app for all platforms.
In this talk we discuss two key security architectures:

• Autocrypt and SecureJoin key distribution protocols for achieving
  automatic end-to-end encrypted messaging safe against MITM attacks, and

• the open-signup Chatmail server network which successfully uses strict
  cryptographic interoperability contraints (DKIM, OpenPGP, TLS)
  instead of IP-reputation and spam classification methods.

We also highlight the six independent security audits and analysis conducted so far.

The French government has deployed a private Matrix federation for French civil servants called Tchap.

Currently this federation has about 300 000 monthly active users and its usage is growing constantly.

Today our federation is closed and we would like to be able to connect with other public French Matrix nodes (local authorities for instance), and also other European countries.

We should implement measures to ensure that the federation remains resilient against potential attacks, both technical (e.g., DDoS, data interception) and organizational (e.g., unauthorized access, insider threats) :

• How can we restrict the servers we wish to communicate with? How can we be sure that we are actually communicating with them? Since TLS can be vulnerable to man-in-the-middle attacks by state actors, we can't rely on it entirely.
• How can we trust the identities of users from external deployments that we don’t control?
• How can we limit the interactions that external users can have with users from our federation?

We spent a lot of time thinking about this and now have a plan that looks legit, and that we are currently implementing. I'm sure you want to know more about it, right?

In this talk, we will share the approach we’ve taken to address these challenges and we will present the architecture we designed.

VRRP (Virtual Router Redundancy Protocol) is an open-standard protocol designed to ensure high availability of routers. Proven and widely adopted, it is used in many network infrastructures. However, the security aspects of VRRP are rarely discussed in depth in available online resources. For instance, VRRPv2, which remains widely used today, offers two authentication modes, one of which is easily bypassed. In contrast, VRRPv3 has completely removed authentication, as the protocol's authors considered that security should be handled at a different layer. In this presentation, I will focus on the IP tie-breaking dilemma that arises during VRRP priority conflicts, particularly when the legitimate master router is configured with the highest priority value of 255. To illustrate this issue, I will rely on Keepalived, a widely used open-source implementation of VRRP. I will also highlight a design flaw I co-discovered in the VRRP protocol (RFC 9568), in collaboration with the Keepalived project maintainers. This vulnerability, documented in erratum 8298 and validated by the IETF, allows an attacker on the same network to impersonate the master router during a priority conflict, revealing a weakness in the protocol’s design.

Wireshark is a widely used tool when it comes to view the contents of a network traffic capture.
When reversing a protocol, we tend to develop a simple program with a "simple" programming language (Python, Go...) to parse what is currently known.

The most logic way would be to develop this program as a Wireshark plugin, but the Wireshark plugin API is rarly used, since it's quite complex and does not fit for a quick and dirty task.

Wirego allows simple development of Wireshark plugins in Python and Go (and maybe more).

The Delta Chat decentralized instant messaging project has over the years evolved a rich ecosystem of distinct project areas, from instant onboarding with a versatile cross-platform messenger, over using chat-shared web apps with integrated Peer-to-Peer realtime messaging to participating with own Chatmail servers in the world-wide e-mail server network.

First, we onboard all participants on different Chatmail servers and get into a joint chat group and play around with the many features, answer and discuss questions and maybe play some games.

Second, we offer participants hands-on sessions:

• setting up a chatmail server

• writing a webxdc app

• writing a chat bot

Rcat is a modern netcat written in Rust 🦀. It supports TLS, and upgrading reverse shells to a fully interactive TTY.

Named Pipes are interprocess communication primitives used by many Windows applications.
However, these operating system APIs are often blindly trusted, and one can intercept and tamper with transmitted data by abusing a Man-in-the-Middle setup.
Commonly admitted mitigations implies checking process IDs, executable signatures or permissions on the named pipe. With proper tooling, such mitigations can be bypassed.

This presentation will delve into Windows Named Pipes APIs while highlighting common attacks, usual mitigations, and how to bypass them using the soon-to-be-opensource tool thats_no_pipe.

In this session, we will examine the Vesta control panel, known for its user-friendly approach to Linux server management. While Vesta facilitates tasks like hosting websites and managing domains, it also presents security challenges. Our focus will be on a significant vulnerability that allows for admin takeover due to the predictable output of the Bash $RANDOM variable used for password and token generation.

Attendees will gain insights into the exploit process, its implications for server security, and best practices for mitigating similar risks. Join us to learn how to enhance the security of your Linux server environments and protect against unauthorized access.

Keycloak is a popular open source Identity and Access Management solution that provides single sign-on, user federation, and fine-grained role-based access control. However, in complex setups with multiple realms, roles, and groups, misconfigurations may go unnoticed. In this short talk, I will demonstrate a straightforward way to export Keycloak data (realms, roles, users, groups, etc.) into a Neo4j graph database, then run Cypher queries to pinpoint potential security issues such as privilege escalation. By visualizing Keycloak objects as a graph, we gain a clearer view of relationships and can spot unusual privileges more easily. An open-source tool facilitating this process will be released once the final configuration details are settled, enabling others to replicate and adapt the method.

The pacman package manager is used by the Arch Linux distribution and its derivatives. It is written in a memory-unsafe language, runs as root, and performs complicated tasks while downloading packages over the internet.
This is the story of how in 7.0 we isolated the download steps into a separate process, running as an unprivileged user, and further restricted it using seccomp and Landlock.

This presentation introduces RootAsRole; an alternative to sudo/su commands that applies more finely the principle of least privilege, dives into security issues with Ansible and how RootAsRole helps to deal with.

This hands-on workshop will guide participants through the process of reverse engineering and modifying Android applications without the need for rooted devices.
I will present apkpatcher to explore various techniques to analyze, modify, and remove tracker on Android apps, focusing on practical skills that can be applied in real-world scenarios.

Publicly accessible registries and repositories are often associated with well-known SaaS platforms such as GitHub or DockerHub. However, a significant number of individuals and companies rely on self-hosted solutions like GitLab or Portainer for managing their code and container images. Surprisingly, many of these self-hosted instances are inadvertently exposed, granting unauthenticated access to repositories and container images.

This talk will explore methods for discovering publicly accessible self-hosted registries using techniques such as Certificate Transparency (CT) logs and Shodan scanning. We will discuss how to retrieve repository contents and container images from these sources, subsequently performing secrets scanning to assess the extent of exposure and raise awareness of potential security risks.

From a tooling perspective, our investigation reveals a critical gap: most scanning tools fail to retrieve images from registries that are only available via plain HTTP. We will take this opportunity to discuss the registry API, highlight its limitations, and demonstrate practical approaches for interacting with it.

Through real-world examples and hands-on insights, this talk aims to shed light on the current state of public registry exposure, providing actionable recommendations for improving security posture.

You meticulously craft constant-time code to protect against side-channel attacks—only to have your compiler silently sabotage it. Optimization passes, designed to make code faster, can introduce timing leaks, violating security guarantees in ways developers never intended. But which optimizations are responsible? And how can you stop them without rewriting the compiler itself?

In this talk, we investigate the mystery behind compiler-induced constant-time violations. We analyze real-world examples from GCC and LLVM, exposing how specific optimizations betray security assumptions. More importantly, we provide practical solutions: which compiler flags can mitigate these leaks, and what is the real cost of securing your compiled code?

Your compiler may not be your friend—but with the right knowledge, you can stop it from turning against you.

Microarchitectural side-channel attacks exploit subtle hardware behaviors, such as cache activity and instruction retirement patterns, to extract sensitive information. Understanding these attacks is essential for developing effective mitigations. However, real hardware imposes limitations on observability and experimental flexibility. The gem5 simulator, an open-source and highly extensible architectural simulator, provides a powerful environment for analyzing these attacks with fine-grained control over execution, memory access, and timing behaviors.

In this presentation, I will demonstrate how gem5 can be used to evaluate side-channel vulnerabilities, focusing on attack scenarios such as Flush+Fault and Access-Retired attacks targeting the RISC-V architecture. By simulating both attack and non-attack conditions under controlled settings, gem5 enables precise identification of attack patterns. These datasets can then be used to train machine learning (ML) models for classifying microarchitectural events with high accuracy.

By leveraging gem5’s multi-ISA support, full-system simulation, and cycle-accurate modeling, researchers gain deeper insights into attack mechanisms, accelerate the prototyping of detection techniques, and design architectures resilient to both known and emerging side-channel threats. This approach not only enhances detection capabilities but also informs secure hardware-software co-design strategies.

Most of you made your own website at least once or twice. You wrote HTML or used a framework that generated static content for you. And you were pretty proud to have something as lightweight as possible.

It turns out we are the weirdos.

Over years of developing lookyloo, we have encountered a lot of interesting (and sometimes terrible) techniques used to show you a webpage, and harvest your data. These techniques include what happens before you see anything (DNS, geolocalisation, time in the day), when you start seeing the page (GDPR popup, Captcha, mouse movement), and after it is fully rendered. (If it ever does...)

Twelve years after the public specification of the Signal protocol, almost all
instant messaging protocols have embraced the ratchet construct, granting perfect
forward secrecy and post-compromise security.

Whatsapp, Signal, OMEMO-based applications, Olm and Megolm-based applications,
or SimpleX Chat all use the Double Ratchet protocol. Olvid also uses a ratchet
protocol, although the construct is a bit different. And there are the stragglers
who insist on not using any form of perfect forward secrecy, such as Session or
Delta Chat. Of those, we will talk no more.

But since then, we have learned the hard way from some NSA executive that
metadata gets you arrested or killed. And so begs the question: how well are
protected our metadata by the various instant messaging infrastructures?

Signal claims one cannot hand over data one doesn't have. But how honest are
they about the metadata they do have, and that could be requested from them or
their hosting provider by a subpoena and sealed orders.

In this talk, we will explore some metadata available to Signal servers, Olvid
servers, Matrix/Element home servers and SimpleX Chat SMP queue servers. We will
then discuss the strategies that some of these applications have deployed to
limit metadata exposition, including those leveraging external transport security,
such as the use of Tor.

Android is the dominant mobile operating system, powering more than 70% of the global mobile market and presenting a significant opportunity for user tracking. As privacy regulations tighten around how personal data can be used and collected, trackers are looking for alternatives that are under less scrutiny to evade detection. Device fingerprinting has emerged as a key solution, allowing trackers to create identifiers without user consent in a stealthy manner. Despite the extensive research on fingerprinting done from a web browser in the past decade, device fingerprinting on Android remains relatively understudied, with limited literature exploring its specific techniques and implications for user privacy.

In this study, we introduce EXADPrinter, a novel exhaustive permissionless device fingerprinting framework targeting Android devices. Without requiring permissions, our framework extracts over 200,000 properties per device by leveraging methods such as Java reflection and execution of shell commands. Through a dedicated Android application and a 6-month data collection, we gathered over 1151 fingerprints coming from 833 different Android devices, covering 41 manufacturers and 7 Android versions ranging from 9 to 15.

Through our framework, we demonstrate that diverse data can be collected about the device hardware, the operating system running on it, and the user, without requiring special permissions. We show that combining a few attributes without any IDs or personal information is enough to uniquely identify each device of our dataset, painting a bleak picture of the current state of the Android ecosystem.
Moreover, our framework highlights the negative impact of custom operating systems and manufacturer-specific customizations as they enhance the device fingerprinting effectiveness. Furthermore, EXADPrinter uncovers some leakage of sensitive information caused essentially by manufacturer customizations, including the exposure of user emails, emergency contacts, and persistent identifiers such as SIM identifiers.