2.0 -//Pentabarf//Schedule//EN

PUBLISH XGWGAK@@cfp.pass-the-salt.org

-XGWGAK

Finding the Needle in the Haystack with Dicozorus - A New Companion for Advanced Web Fuzzing en

20260630T141000 20260630T144500 0.03500

Finding the Needle in the Haystack with Dicozorus - A New Companion for Advanced Web Fuzzing

The presentation is structured in several parts: - **Introduction / The fuzzing challenge** : Penetration testing relies heavily on URL fuzzing to find vulnerabilities. Common fuzzing tools and wordlists, pros and cons. - **Motivations: Why Existing Wordlists Fall Short** : Lessons learned from many penetration tests and thousands of scans. Identified Issues: Missing Entries /Unsorted Wordlists / Lack of Modularity / Improper Sizing / Irrelevant Entries (Junk). Examples based on well known wordlists will be presented - **Objectives: What Dicozorus Aims to Achieve** : The solution we provide: not just an enhanced wordlist but a tool to generate, merge, filter, sort, tag, categorize, and track entries. - **Dicozorus in Action: How It Works**: Core architecture / Key commands overview - **How the builtin database was created**: A Multi-Source Aggregation Strategy based on: - Existing public Wordlists - Public Bug Bounty Reports - Public vulnerability databases - Past Fuzzing Traces - External contributions from auditors - **Manual Review & Curation**: While automated parsing provides volume, manual review is critical for assigning accurate metadata (severity, category) and filtering out noise, ensuring high-quality data for the built-in wordlists - **Tangible Results**: Proving dicozorus's value by presenting feedback from internal usages, statistics on the entries of the builtin wordlist and comparison with publicly known wordlists. PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/XGWGAK/ Amphitheater 122 Vincent Herbulot (Security Researcher, Synacktiv) PUBLISH UA97SY@@cfp.pass-the-salt.org

-UA97SY

Fuzzwizard en

20260630T144500 20260630T150500 0.02000

Fuzzwizard

Fuzzwizard is an open-source tool to orchestrate fuzzing campaigns. It is composed of several elements: - A TUI (Terminal User Interface) to monitor the platform, inspect running fuzzers, manage tasks, and review recent crashes and coverage information. - A backend and database to store crashes, expose them through an API, and make the collected data available outside the TUI for other tools. - A notification service that alerts users when a crash occurs or when an administrative event happens, for example if the backend fails. The notification layer is extensible. Today, we support both a file-based provider and a Slack provider. - A scheduler that orchestrates fuzzers for a given project. Several schedulers can run at the same time. The scheduler detects targets, launches fuzzers, monitors them, collects crashes, and triggers coverage collection. Fuzzers can be run either natively or inside containers. It can also rebuild targets and restart campaigns when binaries change. These components are mostly independent, except for the TUI, which acts as a main entry point. The scheduler itself is implemented as a Rust library, and most of the behaviour is driven by configuration files, which makes the whole setup easy to adapt to different projects. PUBLIC CONFIRMED Short Talk https://cfp.pass-the-salt.org/pts2026/talk/UA97SY/ Amphitheater 122 Marion Lafon (Security Engineer, Ledger) PUBLISH KM8MUR@@cfp.pass-the-salt.org

-KM8MUR

Automated Vulnerability Detection in Go: Concolic Execution for Multi-Threaded Binaries en

20260630T150500 20260630T154000 0.03500

Automated Vulnerability Detection in Go: Concolic Execution for Multi-Threaded Binaries

This session presents Zorya end-to-end as a security analysis capability, with recent advances included as part of a broader system view. What attendees will get: - How Zorya works in practice: concrete+symbolic execution over binary code, via Ghidra P-Code and Z3. - What makes it usable on real Go binaries: compiler/runtime-aware strategies for TinyGo and gc targets, including multi-threaded/runtime constraints. - Coverage beyond obvious crashes: overlay path analysis to inspect untaken paths and detect silent bugs without custom oracles. - Operational usage model: interactive mode, function-focused exploration, and campaign/fuzzer-driven workflows. - Evidence on real cases: vulnerability findings across real-world Go projects, with reproducible artifacts and lessons learned. The talk is intended for offensive security practitioners, reverse engineers, and defenders who need practical methods to audit compiled Go software when source-level tooling is insufficient. Website: https://zorya.karolinagorna.net Project: https://github.com/Ledger-Donjon/zorya Evaluation: https://github.com/Ledger-Donjon/zorya-evaluation PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/KM8MUR/ Amphitheater 122 Karolina GORNA (Security Researcher, Ledger) PUBLISH NRFUKL@@cfp.pass-the-salt.org

-NRFUKL

__Salty Firmware - Adventures in Firmware Encryption Reversing en

20260630T161000 20260630T164500 0.03500

__Salty Firmware - Adventures in Firmware Encryption Reversing

We will demonstrate firmware decryption using [unblob](https://unblob.org), a firmware extraction tool we've open sourced and have been maintaining since 2022. PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/NRFUKL/ Amphitheater 122 Quentin Kaiser PUBLISH KVCNWM@@cfp.pass-the-salt.org

-KVCNWM

Introducing Sighthouse for Seamless Function Detection en

20260630T164500 20260630T170500 0.02000

Introducing Sighthouse for Seamless Function Detection

PUBLIC CONFIRMED Short Talk https://cfp.pass-the-salt.org/pts2026/talk/KVCNWM/ Amphitheater 122 Sami Babigeon (Quarkslab) Benoit Forgette PUBLISH AACNG9@@cfp.pass-the-salt.org

-AACNG9

Design Your First PCB: From Concept to Board en

20260630T141000 20260630T171000 3.00000

Design Your First PCB: From Concept to Board

PUBLIC CONFIRMED Workshop https://cfp.pass-the-salt.org/pts2026/talk/AACNG9/ Room LW109 tcccorp PUBLISH J7EGL7@@cfp.pass-the-salt.org

-J7EGL7

In bed with Qubes OS, hands-on workshop en

20260630T141000 20260630T171000 3.00000

In bed with Qubes OS, hands-on workshop

PUBLIC CONFIRMED Workshop https://cfp.pass-the-salt.org/pts2026/talk/J7EGL7/ Room LW112 William Robinet (Conostix S.A.) PUBLISH BLUZVX@@cfp.pass-the-salt.org

-BLUZVX

Quantum Apocalypse Update.ical en

20260701T093000 20260701T100500 0.03500

Quantum Apocalypse Update.ical

PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/BLUZVX/ Amphitheater 122 Yvan Vanhullebus PUBLISH MV83GM@@cfp.pass-the-salt.org

-MV83GM

CryptPad experimented on Post-Quantum Cryptography en

20260701T100500 20260701T104000 0.03500

CryptPad experimented on Post-Quantum Cryptography

CryptPad is an open-source end-to-end encrypted (E2EE) collaborative office suite. It enables secure collaboration between users without the service owner knowledgable about the content of their documents. It has been designed to be secure from login to document sharing… with even the internal support system being E2EE. This architecture is by design interlaced with cryptographic constructions. Meanwhile, the deployment of quantum resilient solutions are becoming more and more urgent, especially in the context of encryption (as they can be targeted by “harvest-now-decrypt-later” attacks, while authentication cannot be forged _a posteriori_). In this context, we explored the different implementations of post-quantum standards selected by the NIST post-quantum cryptography standardisation process. After careful consideration of the different candidates for both encryption and signature, we integrated crypto-agility solutions in CryptPad. This was done both for the advantages from a security and software engineering standpoint, and to be able to easily switch between traditional and post-quantum solutions for testing. In this talk, we will first present how CryptPad works, then expose the different challenges we faced during the experiments, and finally show the results of these aforementioned post-quantum experiments from a performance and usability point of view. PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/MV83GM/ Amphitheater 122 Fabrice Mouhartem (Senior R&D Engineer, XWiki SAS/CryptPad) PUBLISH DVVX3Z@@cfp.pass-the-salt.org

-DVVX3Z

Let's stay encrypted—rethinking WebPKI for post-quantum age with Merkle Tree Certificates en

20260701T111000 20260701T114500 0.03500

Let's stay encrypted—rethinking WebPKI for post-quantum age with Merkle Tree Certificates

PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/DVVX3Z/ Amphitheater 122 Bas Westerbaan PUBLISH 8JJSMR@@cfp.pass-the-salt.org

-8JJSMR

Suricata and IOCs, latest news on a love story en

20260701T114500 20260701T122000 0.03500

Suricata and IOCs, latest news on a love story

The presentation will detail several capabilities for dynamic threat intelligence operations, including the use of a Unix socket to dynamically add and remove elements from the live dataset list, and ongoing integration efforts with platforms like OpenCTI and MISP for seamless threat intelligence exchange. Additionally, a new feature allowing the output of PCRE captured groups directly into the alert context will be examined. This talk will demonstrate how these features enhance Suricata's ability to process, manage, and contextualize threat data in real-time. PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/8JJSMR/ Amphitheater 122 Eric Leblond PUBLISH XKQRMJ@@cfp.pass-the-salt.org

-XKQRMJ

CVE-2025-54068 : Deep dive into Livewire, from weak typing to pre-authenticated remote command execution en

20260701T141500 20260701T145000 0.03500

CVE-2025-54068 : Deep dive into Livewire, from weak typing to pre-authenticated remote command execution

Livewire traditionally secures its state using a checksum signed by the application’s APP_KEY. However, CVE-2025-54068 allowed attackers to bypass this protection entirely by smuggling synthesizers through the updates mechanism, disrupting the synchronization between server and browser. The root cause has been found in Livewire’s component property update hydration process, where recursive calls and improper context preservation created an opening for malicious payload injection. Exploitation required only the target application’s URL, making it accessible to unauthenticated attackers and significantly lowering the barrier to attack. To automate the exploitation of CVE-2025-54068, we released Livepyre last December, an open-source tool on our GitHub page. The tool simplifies the process by identifying vulnerable Livewire installations and attempting to achieve RCE either by leveraging object types in the application’s snapshot or through a targeted brute-force approach. Livepyre’s release not only demonstrated the practical risk of the vulnerability but also served as a proof-of-concept to raise awareness and encourage rapid patching within the Laravel and Livewire communities. Even tho the vulnerability was patched during July 2025, many servers were not protected against it on the internet. The vulnerability affected Livewire versions from 3.0.0-beta.1 up to 3.6.3, and was patched in version 3.6.4. Its severity was underscored by its inclusion in advisories from CISA (Cybersecurity and Infrastructure Security Agency) after a worldwide spread by threat actors during the start of 2026, highlighting the risk to a vast number of applications and the urgency for immediate patching. PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/XKQRMJ/ Amphitheater 122 Rémi Matasse (Security research, Synacktiv) Pierre Martin (Security Researcher, Depi) PUBLISH MPAYUX@@cfp.pass-the-salt.org

-MPAYUX

ChainLeak: From AI Framework to Cloud Secrets en

20260701T145000 20260701T152500 0.03500

ChainLeak: From AI Framework to Cloud Secrets

PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/MPAYUX/ Amphitheater 122 Gal Zaban Ido Shani PUBLISH RVFD8B@@cfp.pass-the-salt.org

-RVFD8B

Bypassing BitLocker in under 5 min using boot manager downgrade attacks en

20260701T155500 20260701T163000 0.03500

Bypassing BitLocker in under 5 min using boot manager downgrade attacks

PUBLIC CONFIRMED Short Talk https://cfp.pass-the-salt.org/pts2026/talk/RVFD8B/ Amphitheater 122 Cassius Garat (Intrinsec) PUBLISH J9JGWE@@cfp.pass-the-salt.org

-J9JGWE

Zero Dependencies sounds great... until you try to share your code for the security good. en

20260701T163000 20260701T165000 0.02000

Zero Dependencies sounds great... until you try to share your code for the security good.

PUBLIC CONFIRMED Short Talk https://cfp.pass-the-salt.org/pts2026/talk/J9JGWE/ Amphitheater 122 Eddie Billoir (Airbus Protect) PUBLISH 3EQEU7@@cfp.pass-the-salt.org

-3EQEU7

Web forensics with Lookyloo and Lacus en

20260701T093000 20260701T123000 3.00000

Web forensics with Lookyloo and Lacus

This workshop will cover the basics of Lookyloo, and Lacus, the infrastructure and use-cases: * Capturing a website or rendering an HTML document * Detailing the capture settings, different browsers * Browser instrumentation and / or headfull capture * Socks5 Proxies * Init scripts post rendering * Monitoring * Automatic reporting * Why using Lacus * Onion / I2P support You may have attended talks or workshops about lookyloo in the last few years, but we implemented many new features int he last year. * Indexing, pivot and search across the dataset * Forensic acquisition with Trusted Timestamps (RFC3161) * Use of Iframes in the tree, export rendered iFrames contents * Proton VPN support for proxies * Automatic and manual categorization on submission PUBLIC CONFIRMED Workshop https://cfp.pass-the-salt.org/pts2026/talk/3EQEU7/ Room LW109 Raphaël Vinot (Developer, Lookyloo) PUBLISH THXBWZ@@cfp.pass-the-salt.org

-THXBWZ

Threat Detection Engineering with Suricata en

20260701T141500 20260701T170000 2.04500

Threat Detection Engineering with Suricata

PUBLIC CONFIRMED Workshop https://cfp.pass-the-salt.org/pts2026/talk/THXBWZ/ Room LW109 Eric Leblond PUBLISH UUCD9C@@cfp.pass-the-salt.org

-UUCD9C

Workshop to explore SightHouse! Learn how to use it to accelerate your reverse engineering process using its function identification features. en

20260701T093000 20260701T123000 3.00000

Workshop to explore SightHouse! Learn how to use it to accelerate your reverse engineering process using its function identification features.

Material Prerequisites: - Participants should bring: - A Linux laptop - Docker installed and working - A supported Software Reverse Engineering (SRE) tool, such as: - Ghidra - Binary Ninja - IDA - A functioning brain Technical Prerequisites: - Participants are expected to have: - Basic reverse engineering knowledge - Basic Python development experience PUBLIC CONFIRMED Workshop https://cfp.pass-the-salt.org/pts2026/talk/UUCD9C/ Room LW112 Benoit Forgette Sami Babigeon (Quarkslab) PUBLISH TZJESW@@cfp.pass-the-salt.org

-TZJESW

Hands-on Firmware Extraction, Exploration, and Emulation en

20260701T141500 20260701T170000 2.04500

Hands-on Firmware Extraction, Exploration, and Emulation

Pre-requisites: - Familiarity with command-line tools. - Laptop No prior experience needed, this session is appropriate for all skillsets. By the end of the workshop, participants will have gained practical experience in extraction, reverse engineering, and emulation of embedded firmware. They will be equipped with the skills to understand and analyze firmware structure, write custom unblob handlers and extractors, and use full-system emulation for security research. Workshop Duration: 2 hours PUBLIC CONFIRMED Workshop https://cfp.pass-the-salt.org/pts2026/talk/TZJESW/ Room LW112 Quentin Kaiser PUBLISH PJHY3V@@cfp.pass-the-salt.org

-PJHY3V

Simplifying log management, not just for security logs en

20260702T093000 20260702T100500 0.03500

Simplifying log management, not just for security logs

Even at IT security conferences, people often tell me that they “do not have central log collection” or that they “only do it due to compliance requirements”. Central log collection, however, is a lot more than just mere compliance. Setting up such a framework is in your best interest, as it provides ease of use, availability and security for log messages. If your logs are collected centrally, you can correlate problems across your whole network. However, central log collection can easily get out of hand once your organization starts growing, especially if multiple analytics tools and collectors get involved. This is where a dedicated log management layer can help. Half a decade ago, Peter showed you how to implement such a layer purely based on the syslog protocol. Nowadays, there are lots of possibilities for log management. OpenTelemetry combines logs, traces and metrics into a single protocol, simplifying data collection at the protocol level. All important data about your applications, including security logs, are forwarded using a single protocol and application. Another possibility is using Kafka as a data pipeline in your organization. In this case, all data that are needed to run an organization are pushed to various Kafka topics, including security logs. While my configuration examples come from syslog-ng, the concepts I describe apply to most log management applications. PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/PJHY3V/ Amphitheater 122 Peter Czanik, syslog-ng PO at One Identity PUBLISH MVPRCH@@cfp.pass-the-salt.org

-MVPRCH

Private Key Leaks in the Wild: from PTS to RWC, and back to PTS en

20260702T100500 20260702T104000 0.03500

Private Key Leaks in the Wild: from PTS to RWC, and back to PTS

PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/MVPRCH/ Amphitheater 122 Guillaume Valadon Gaetan Ferry (Security research, GitGuardian) PUBLISH QNGYSR@@cfp.pass-the-salt.org

-QNGYSR

GCVE: Rebooting Vulnerability Tracking for an Open Security Ecosystem en

20260702T111000 20260702T114500 0.03500

GCVE: Rebooting Vulnerability Tracking for an Open Security Ecosystem

The vulnerability ecosystem has become critical infrastructure for defenders, vendors, researchers, and open source maintainers. Yet the way identifiers and vulnerability data are assigned, published, and distributed still reflects a centralized model that does not always match the speed, diversity, and realities of today’s security landscape. This talk introduces GCVE, a new approach to vulnerability identification and tracking designed to support a more open, decentralized, and resilient ecosystem. GCVE rethinks how vulnerability numbers can be allocated, how trusted actors can publish advisories, and how vulnerability information can be synchronized without creating unnecessary bottlenecks or dependency on a single central authority. Through the lens of open source security, the talk will explain why this matters: maintainers need lightweight processes, defenders need timely and structured data, and the community needs a model that encourages participation rather than gatekeeping. It will also show how GCVE and its associated tooling can help make vulnerability tracking more transparent, interoperable, and adaptable. Rather than presenting only a new identifier format, this session will explore a broader idea: how we can build vulnerability tracking as shared public infrastructure for the security community. PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/QNGYSR/ Amphitheater 122 Alexandre Dulaunoy PUBLISH 8SANMK@@cfp.pass-the-salt.org

-8SANMK

Your credentials were leaked, so what? en

20260702T114500 20260702T122000 0.03500

Your credentials were leaked, so what?

PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/8SANMK/ Amphitheater 122 Xavier Mertens Teqagogo PUBLISH B8AN9M@@cfp.pass-the-salt.org

-B8AN9M

Oblivious HTTP - when the server does not want to see your IP en

20260702T140000 20260702T143500 0.03500

Oblivious HTTP - when the server does not want to see your IP

HTTPS encrypts your request, but the server still sees your IP. That metadata alone may be enough to identify you. Oblivious HTTP ([RFC 9458](https://www.rfc-editor.org/rfc/rfc9458.html)) splits the request across two non-colluding parties: a relay sees your IP address but not your request, a gateway sees your request but not your IP address. Assuming they don't collude, no single party sees both. The interesting part: this is a privacy guarantee services opt into, not users. By contracting a neutral 3rd party, the service operator makes a commitment that they cannot link their own users' identity to the request these users are making. The protocol was standardised at the IETF, and has [open source implementations](https://ohttp.info/#resources) in Go, Rust, Kotlin, and TypeScript. I'll demo one of them - ohttp-ts - and walk through [ohttp.info](https://ohttp.info/), built to make the protocol approachable. Finally, we'll cover [chunked OHTTP](https://datatracker.ietf.org/doc/html/draft-ietf-ohai-chunked-ohttp-08), an advanced proposal, which enables streaming encrypted payloads incrementally directly relevant for AI inference over private prompts and large transfers. PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/B8AN9M/ Amphitheater 122 Thibault Meunier (Research, Cloudflare) PUBLISH 33DFWY@@cfp.pass-the-salt.org

-33DFWY

KeibiDrop: Post-Quantum Encrypted Peer-to-Peer File Transfer Without the Cloud en

20260702T143500 20260702T151000 0.03500

KeibiDrop: Post-Quantum Encrypted Peer-to-Peer File Transfer Without the Cloud

**KeibiDrop** addresses a concrete problem: transferring files between two devices without trusting a third party. Existing solutions make trade-offs: cloud storage (Google Drive, Dropbox) requires trusting the provider; tools like croc and Magic Wormhole relay traffic through servers that see both peers' IP addresses and lack post-quantum resistance; platform-native solutions (AirDrop, Nearby Share) are locked to specific ecosystems. KeibiDrop works across any combination of macOS, Linux, Windows, and mobile (iOS/Android via gomobile), with or without FUSE - the filesystem layer is optional, not required, but very fun to use. The desktop UI is built with Slint and bound in Rust; the total binary size is 20 MB. **Cryptographic design.** KeibiDrop implements a hybrid key exchange combining ML-KEM-1024 (NIST FIPS 203, Security Category 5) with X25519, deriving session keys via HKDF-SHA512. Key pairs are ephemeral: generated fresh each session and never persisted to disk. Peer authenticity is established through out-of-band fingerprint exchange: each peer's fingerprint is a SHA-512 hash over its ephemeral public keys (X25519 || ML-KEM), shared via a trusted channel (e.g. Signal, in person, QR code). During the handshake, the received public keys are verified against the registered fingerprint using constant-time comparison before any session key is derived. No certificate authority, no long-lived keys — if the fingerprint does not match, the handshake is rejected. The transport layer uses ChaCha20-Poly1305 AEAD with counter-based nonces and direction-separated prefixes to prevent nonce reuse. Automatic session re-keying triggers every 1 GB or approximately one million messages, providing forward secrecy by discarding old key material. **Relay privacy model.** The relay server facilitates peer discovery only. Registered keys are held in memory for 10 minutes and then discarded - nothing is persisted. Registration data (fingerprints, public keys, IP addresses) is encrypted client-side before upload. The relay stores only `lookup_key -> encrypted_blob`, where the lookup key is derived via HKDF from a room password shared out-of-band. The relay cannot reverse-engineer fingerprints, decrypt registration blobs, or correlate sessions across rooms. The relay operator sees IPv4 source addresses in access logs, but has no access to the encrypted content or the identities behind it. We present the threat model and the test suite that validates these privacy guarantees. **IPv6-only architecture.** KeibiDrop deliberately avoids STUN/TURN/UPnP to prevent IP metadata leakage to third-party NAT traversal infrastructure. This is a privacy-first design choice with real trade-offs: it requires globally routable IPv6 on both peers. We discuss why this trade-off is defensible for privacy-sensitive use cases and what it costs in practice, including the challenges we encountered deploying across consumer ISPs. **FUSE filesystem integration.** Remote files appear as a mounted local filesystem with lazy loading, enabling real-time access without downloading entire files upfront. We cover the practical challenges of building a secure FUSE filesystem: macFUSE versus fuse3 versus WinFSP behavioral differences, direct_io for write operations, deadlock prevention in the VFS layer, and cross-platform support across macOS, Linux, and Windows. **Live demonstration.** Two laptops, one room. Files transferred with post-quantum encryption. The talk targets security practitioners, privacy engineers, and contributors to free software who want to understand practical post-quantum cryptography deployment, privacy-preserving protocol design, and the engineering reality of building encrypted file transfer tools. PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/33DFWY/ Amphitheater 122 Marius-Florin Cristian PUBLISH 9VXT39@@cfp.pass-the-salt.org

-9VXT39

Fractum: an open-source CLI for Threshold-Based Cold Storage of Critical Secrets en

20260702T151000 20260702T154500 0.03500

Fractum: an open-source CLI for Threshold-Based Cold Storage of Critical Secrets

**The gap no one talks about (3 min):** There is a missing category between "encrypt it and hope you don't lose the key" and "$50K HSM setup." Most practitioners fall back on copying encrypted files to multiple locations, which means a single key compromise exposes everything. I will frame the cold storage problem: cryptocurrency wallets, root CA keys, disaster recovery credentials, digital inheritance ; all scenarios where you need security measured in years, not sessions. **How Shamir's Secret Sharing actually works (5 min):** No hand-waving. I will walk through polynomial construction over GF(2^8), Lagrange interpolation for reconstruction, and why the information-theoretic security guarantee is fundamentally different from computational security. If you have K-1 shares, every possible secret is equally likely ; this is not a bruteforce problem, it is a mathematical impossibility. Real-world precedents: ICANN DNSSEC ceremonies, Trezor SLIP-39, Ledger Recover, military grade algos. **Building it in Python: the honest version (4 min):** - Memory protection with SecureString: ctypes.memset(), mlock(), multi-pass overwrite - Honest limitations: Python string immutability, garbage collection timing, no side-channel resistance - Air-gapped design: '--network=none' Docker guarantee, no telemetry, self-contained share archives - Supply chain considerations: minimal dependencies, SHA-256 integrity checking **Demo: encrypt, split, reconstruct (4 min):** Pre-recorded terminal session inside a '--network=none' Docker container. Encrypt a file, split into 3-of-5 shares, attempt reconstruction with 2 shares (fails, by design), reconstruct with 3 shares (succeeds). Inspect the share metadata and integrity verification. **What is missing and what comes next (4 min):** Open discussion of limitations: no formal verification of the SSS implementation, no side-channel analysis, Python GC constraints. Roadmap items: DPSS (Dynamic-committee Proactive Secret Sharing), HSM integration. Open questions for the community: share verification without reconstruction, HSM integration, formal verification approaches for Python crypto. ### Resources: - **GitHub**: https://github.com/katvio/fractum - **Documentation**: https://fractum.katvio.com - **Security Architecture**: https://fractum.katvio.com/security-architecture/ PUBLIC CONFIRMED Talk https://cfp.pass-the-salt.org/pts2026/talk/9VXT39/ Amphitheater 122 Cédric - Katvio.com PUBLISH FJZPZL@@cfp.pass-the-salt.org

-FJZPZL

DesktopRanger Blocks Keystroke Spying: Hardening Windows Desktop Isolation en

20260702T154500 20260702T160500 0.02000

DesktopRanger Blocks Keystroke Spying: Hardening Windows Desktop Isolation

This talk examines a practical and widely misunderstood security question: can **Windows desktop isolation** really protect sensitive keyboard input against a privileged attacker? The problem is highly relevant because keylogging is not a legacy threat: modern spyware, stealers, and surveillance-oriented malware continue to use keystroke interception in active campaigns. This makes secure input a live defensive problem for password managers, privacy tools, and other applications handling credentials or confidential text on Windows. I will begin with a concise explanation of the Windows desktop model, including the relationship between **Window Sessions**, **Window Stations**, and **Windows Desktops**, and why many security tools rely on isolated desktops for password entry and other sensitive workflows. I will show that this mechanism is effective against basic user-mode keyloggers, which is why it is often treated as a sufficient defense in practice. The talk then presents the experimental results. I will show tests covering the four major Windows keystroke interception techniques—**SetWindowsHookEx**, **GetAsyncKeyState**, **Raw Input**, and **DirectInput**—as well as **ETW-based monitoring**. These experiments demonstrate that a privileged attacker can still deploy spying logic against protected desktop contexts, including Secure Desktop-style environments such as Winlogon, for example by launching a high-privilege process via PsExec/Sysinternals. The second half of the talk introduces **DesktopRanger**, an open-source defensive prototype designed to harden the existing Windows desktop model. Its core goal is to create a protected desktop that an attacker cannot easily discover, open, or attach to. **DesktopRanger** creates the target desktop with a restrictive `D:P` security descriptor and limits the attacker’s ability to obtain even the desktop name. When a legitimate application must be started, access is relaxed only briefly, while desktop enumeration is blocked at the **Window Station** level, and the original restrictive state is restored immediately after initialization. In addition, **DesktopRanger** can deploy multiple desktop honeypots to mislead hostile attachment attempts toward decoy desktops instead of the real protected one. I will explain the Windows internals behind this workflow and why it changes the attack surface compared to conventional isolated-desktop designs. Finally, I will show the security contrast observed in the experiments: a high-privilege attacker can still spy on Secure Desktop-style protected contexts, while the same attacker is unable to attach to and spy from a desktop created by **DesktopRanger**. I will also discuss how this design can be strengthened with the open-source **MemoryRanger** bare-metal hypervisor to protect relevant kernel-side security structures against tampering and **BYOVD-style abuse**. The talk is intended for developers of password managers, desktop security tools, and other Free Software projects that need reliable secure-input mechanisms on Windows. PUBLIC CONFIRMED Short Talk https://cfp.pass-the-salt.org/pts2026/talk/FJZPZL/ Amphitheater 122 Igor Korkin (independent security researcher) PUBLISH NHZTG7@@cfp.pass-the-salt.org

-NHZTG7

Rust, PAM and Typestate: Cooking up spotless authentication with nonstick en

20260702T160500 20260702T162500 0.02000

Rust, PAM and Typestate: Cooking up spotless authentication with nonstick

PUBLIC CONFIRMED Short Talk https://cfp.pass-the-salt.org/pts2026/talk/NHZTG7/ Amphitheater 122 Eddie Billoir (Airbus Protect) PUBLISH UJGHEX@@cfp.pass-the-salt.org

-UJGHEX

A phishing trip with Fancy Bear - Let's analyze APT malware together! en

20260702T093000 20260702T120000 2.03000

A phishing trip with Fancy Bear - Let's analyze APT malware together!

This workshop does not depend on domain-specific knowledge, we will try to break the steps down as far as possible. Attendees will follow along through small exercises, with the opportunity to compare their solution through a quiz/validation system. Questions will be answered by the instructor, collaboration between attendees is strongly encouraged! Important for message for attendees: If you would like to follow along, please bring laptop with a charged battery. You will be handling real-world malware (you act at your own risk; No backup, no pity). I recommend to use a virtual machine (e.g. FLARE-VM, Remnux). No special tooling is required, make sure to have the basics (Text and Hex Editor, Browser, ZIP utility) installed. No photos during the workshop please, you will receive a copy of the slides. PUBLIC CONFIRMED Workshop 2h30 https://cfp.pass-the-salt.org/pts2026/talk/UJGHEX/ Room LW112 Marius Genheimer (DFIR/Research, SECUINFRA)