Pass the SALT 2026

14:00
10min
ORG INTRO TALK
Amphitheater 122
14:10
180min
Design Your First PCB: From Concept to Board
tcccorp

This workshop introduces you to the entire printed circuit board (PCB) design process, from the initial idea to the creation of your own board. You'll discover why creating a custom PCB can be a high-performance alternative to using standard modules and review the essential electronic concepts for designing reliable circuits. Through hands-on exercises, you'll learn to read and interpret component datasheets, understand the practical differences between analog and digital electronics, and use open-source PCB design software to transform a schematic into a complete PCB. We'll cover the process of sending a PCB to manufacturing, component selection and purchasing, and explore open-source options. Whether you're a maker, a student, or a future engineer, whether you're a complete beginner or not, this workshop will give you the tools to design your own PCB.

Hardware & IoT
Room LW109
14:10
35min
Finding the Needle in the Haystack with Dicozorus - A New Companion for Advanced Web Fuzzing
Vincent Herbulot (Security Researcher, Synacktiv)

URL fuzzing is a critical step in penetration testing, yet its effectiveness often hinges on the quality of wordlists. Publicly available lists frequently suffer from missing critical entries, poor sorting, lack of modularity, and irrelevant content, leading to inefficient scans and missed vulnerabilities.

This talk introduces a methodology for building better wordlists, along with a tool, Dicozorus, designed to support this process by providing a robust system for generating, managing, and curating high-quality fuzzing wordlists.

Dicozorus relies on a database that stores entries with rich metadata (severity, type, category, tags, references), enabling the creation of tailored wordlists based on context such as scope, network performance, or stealth requirements. Used internally for over five years, it has significantly improved wordlist quality and revealed numerous critical vulnerabilities absent from popular lists.

Dicozorus provides both a curated compilation of entries for immediate use as well as the ability for professionals to maintain custom, effective datasets.

The tool will be made publicly available on Synacktiv’s GitHub repository ahead of the conference.

Vuln Research
Amphitheater 122
14:10
180min
In bed with Qubes OS, hands-on workshop
William Robinet (Conostix S.A.)

This workshop begins by introducing the fundamental principles behind Qubes OS. We’ll cover the entire process, from installation and configuration to common challenges and practical solutions.

We'll then explore various aspects of Qubes OS through demonstrations, hands-on labs, and exercises using pre-installed virtualized instances available to attendees.

Participants will leave with practical and operational knowledge that will enable them, maybe, to switch to Qubes OS as their main operating system.

Experienced users are also welcome to join and share their perspectives, along with tips and tricks of their own.

System & Hardening
Room LW112
14:45
20min
Fuzzwizard
Marion Lafon (Security Engineer, Ledger)

Fuzzwizard is a self-hosted fuzzer orchestrator for continuous fuzzing. It was built to help teams run fuzzers 24/7, monitor their status, centralize crashes, receive notifications, and inspect coverage.

As developers now add fuzzers alongside their unit tests, running them manually and keeping track of their results becomes difficult. Fuzzwizard addresses that problem with a customisable platform that can run locally and scale to multiple projects. It can also be used to run fuzzing campaigns and collect crashes and related information.

Vuln Research
Amphitheater 122
15:05
35min
Automated Vulnerability Detection in Go: Concolic Execution for Multi-Threaded Binaries
Karolina GORNA (Security Researcher, Ledger)

Go powers critical infrastructure, but analyzing compiled Go binaries for security issues remains difficult in practice.

In this talk, we present Zorya, an open-source concolic analysis framework designed to detect vulnerabilities directly at the binary level, including bugs that do not immediately crash the program.

We will show how Zorya combines runtime state recovery, symbolic reasoning, and constraint solving with the Z3 SMT solver to analyze real-world Go targets. Attendees will learn where traditional approaches fall short, how Zorya helps uncover exploit-relevant paths, and how this can improve real security audit workflows.

Vuln Research
Amphitheater 122
15:40
30min
Afternoon break
Amphitheater 122
16:10
35min
Salty Firmware - Adventures in Firmware Encryption Reversing
Quentin Kaiser

With the increased scrutiny on embedded device security, firmware encryption is rapidly becoming a standard hurdle in the analysis pipeline. As vendors increasingly attempt to lock down their systems, we're encountering a growing variety of encryption schemes applied at different layers—ranging from full firmware blobs to kernel images and root file systems.

This talk dives deep into the landscape of firmware encryption as seen in the wild, drawing from real-world targets such as telco routers, firewalls, IP cameras, printers, and IP phones. We'll explore encryption schemes implemented across Linux and BSD derivatives, with decryption logic buried in bootloaders, kernel code, or even opaque self-update binaries.

Rather than just showcasing results, this session is built as a reversing adventure: starting with an opaque encrypted blob, we’ll trace a path through static and dynamic reverse engineering to uncover the decryption primitive and ultimately access the firmware's inner workings. We'll analyze the recurring patterns, common developer pitfalls, and the surprising creativity some vendors bring to the table.

Whether you're building firmware extraction pipelines or you're just in it for the puzzles, this talk will arm you with practical techniques and insights for taking back control of encrypted firmware.

Hardware & IoT
Amphitheater 122
16:45
20min
Introducing Sighthouse for Seamless Function Detection
Sami Babigeon (Quarkslab), Benoit Forgette

The aim of this talk is to address a common challenge faced by reverse engineers: distinguishing relevant software from third-party libraries within firmware or programs. This task often wastes time as unnecessary code is reversed.
Our goal is to provide an automatic function detection mechanism that enables researchers to efficiently identify third-party code, allowing them to focus on analyzing the proprietary components.

To tackle this issue, we introduce SightHouse, a new open-source project designed to assist reverse engineers. SightHouse is built on top of existing effective software, such as Ghidra's BSIM Similarity engine. Unlike previous tools like FLIRT, which rely on the raw bytes of the function, BSIM leverages Ghidra's P-Code (IIR), enabling cross-architecture similarity detection.

The challenges in function detection primarily revolve around the creation and maintenance of signature databases, and BSIM is no exception. Researchers face the task of finding, compiling, and extracting signatures from programs with symbols to populate these databases, which can be a time-consuming process.

To address these challenges, we proposed an automated pipeline designed to maximize data collection for function extraction. This system works by automatically scraping open-source projects, compiling and analyzing them, thereby streamlining the process and reducing the manual effort required.

We will present our contributions, including the benchmarks and experiments conducted to evaluate and select between different similarity engines. Additionally, we will release SightHouse to share with the community and encourage further development and improvement.

Hardware & IoT
Amphitheater 122
09:30
35min
Quantum Apocalypse Update
Yvan Vanhullebus

In the future, quantum computers will be able to break today's asymmetric cryptography, especially RSA, CC and DH variants. This would lead to a catastrophic situation sometimes called the "Quantum Apocalypse". To avoid such a situation, the cryptographic community started, quite a long time ago, work on new replacement algorithms, based on other mathematical properties, which are called "post-quantum algorithms" (or quantum-safe algorithms).

Those new algorithms, while providing a solution for the quantum threat, also come with various new challenges to address: different usage constraints, size of keys/data, how to implement them in a secure way, ...

In this session, we'll have a quick reminder of the Quantum threat, the post-quantum algorithms, the challenges to address, then we'll see the updated state of the post-quantum transition, from strategy guidelines to latest algorithm and protocols updates and implementations.

Then, we'll see some examples of what steps of this post-quantum transition can already be done in 2026, especially with Open Source tools, and what are the potential caveats and risks.

Lost in PQC Translation (or not)
Amphitheater 122
09:30
180min
Web forensics with Lookyloo and Lacus
Raphaël Vinot (Developer, Lookyloo)

Websites are complex and change all the time; it is extremely tedious to reproduce the load of one URL, especially when the malicious actors don't want you to probe their infrastructure.

During this workshop, we will look at techniques used by malicious actors to trick unsuspecting users, find phishing campaigns, and see a lot of slop.

ThreatIntel
Room LW109
09:30
180min
Workshop to explore SightHouse! Learn how to use it to accelerate your reverse engineering process using its function identification features.
Benoit Forgette, Sami Babigeon (Quarkslab)

Reverse engineers frequently encounter firmware or large binaries containing a mixture of proprietary code and numerous third-party libraries. Identifying which components belong to external libraries is a recurring and time-consuming challenge that can significantly slow down analysis.

This workshop introduces SightHouse, an open-source project designed to help reverse engineers automatically detect third-party functions within binaries. SightHouse leverages similarity detection techniques built on top of Ghidra’s BSIM engine, which uses Ghidra’s P-Code intermediate representation to enable cross-architecture function similarity analysis. By identifying reused code, researchers can quickly isolate proprietary logic and focus their efforts where it matters most.

The workshop will begin with a short introduction to the challenges of third-party code identification and the similarity detection techniques used in modern reverse engineering workflows. Participants will then be introduced to SightHouse, its architecture, and how it integrates with existing reverse engineering tools.

Following this introduction, participants will apply SightHouse on a real-world reverse engineering target, learning how to detect and filter third-party libraries in practice.

In the final part of the workshop, participants will explore how SightHouse can be extended. They will learn how to create their own workers, enabling them to add new data sources, automate signature extraction, and contribute to expanding the system’s capabilities.

By the end of the session, participants will understand how to integrate automated function identification into their reverse engineering workflows and how to customize SightHouse to fit their own research needs.

Hardware & IoT
Room LW112
10:05
35min
CryptPad experimented on Post-Quantum Cryptography
Fabrice Mouhartem (Senior R&D Engineer, XWiki SAS/CryptPad)

CryptPad is an open-source end-to-end encrypted collaborative office suite focusing on being easy to use and protecting the privacy of its users, including from the service provider itself.

While security against a quantum adversary becomes more and more relevant, we experimented on the realisability of Post-Quantum CryptPad. This talk will expose how cryptography is used inside CryptPad, our methodology and the results of these experiments.

Lost in PQC Translation (or not)
Amphitheater 122
10:40
30min
Morning break
Amphitheater 122
11:10
35min
Let's stay encrypted—rethinking WebPKI for post-quantum age with Merkle Tree Certificates
Bas Westerbaan

The Web PKI is the foundation on which many security systems depend, and for many the gold standard of how to do PKI. On closer inspection, the Web PKI is an old system evolved with patches added from one crisis to the next. In this talk, we discuss recent efforts to modernize the Web PKI to maintain reliability and security in the face of the imminent threat from quantum computers.

The transition to post-quantum cryptographic algorithms is hampered by the massive increase in size of PQC signatures relative to traditional cryptographic signatures. A straightforward “copy/paste” approach in which PQC algorithms were naively added into the existing WebPKI would add massive increases in the size of the TLS handshake, leading to a significant (around 50% P50) handshake latency to every HTTPS connection made.

The impact of PQC on the web PKI wouldn’t stop at handshake sizes. The public web PKI also relies on transparency into certificate issuance (“Certificate Transparency”, CT) to help detect and mitigate unauthorized certificate issuance. For the past decade, CT has served its purpose of holding Certification Authorities (CAs) accountable, recently notably detecting Fina CA’s mis-issuance of certificates for 1.1.1.1, Cloudflare’s Encrypted DNS service late last year. Unfortunately, a naive adoption of the most mature PQC algorithms into the current public CT ecosystem would likely result in the ecosystem’s collapse due to the increased operational costs for logs, burdening an already-fragile group of volunteer log operators.

Cloudflare and Google Chrome have spearheaded an effort, Merkle Tree Certificates (MTCs), that offer a new approach to HTTPS certificates that combine issuance and transparency into a single cryptographic object. Under active development in the Internet Engineering Task Force (IETF)’s PKI, Logs, and Tree Signatures (PLANTS) working group, MTCs reduce the overhead of post-quantum TLS certificates by 4-22Kb, eliminating the impact on client latency. Simultaneously, the design mitigates the impact on the Certificate Transparency ecosystem, likely resulting in reduced costs compared to today’s status quo.

In this talk, we’ll walk through the MTC proposal, interesting open discussions happening in the working group and discuss the results of early experimentation between Chrome and Cloudflare.

Lost in PQC Translation (or not)
Amphitheater 122
11:45
35min
Suricata and IOCs, latest news on a love story
Eric Leblond

Suricata’s approach to handling Indicators of Compromise (IoCs) has fundamentally evolved from basic IP-only rules to the highly performant Dataset concept. The talk will outline the key advancements, particularly the evolution in Suricata 8.0 to support JSON-based context within Datasets. This upgrade is crucial as an IOC is nothing without context. With JSON datasets, alerts embed comprehensive threat context opening the way to performance improvement and integration ease.

ThreatIntel
Amphitheater 122
12:20
115min
Mid Day Break
Amphitheater 122
12:30
105min
Mid Day Break
Room LW109
12:30
105min
Mid Day Break
Room LW112
14:15
35min
CVE-2025-54068: Deep dive into Livewire, from weak typing to pre-authenticated remote command execution
Rémi Matasse (Security research, Synacktiv), Pierre Martin (Security Researcher, Depi)

CVE-2025-54068 exposed a critical vulnerability in Livewire, a popular full-stack framework for Laravel, enabling pre-authenticated remote command execution (RCE) by exploiting PHP’s weak typing and Livewire’s hydration mechanism. According to GitHub, Livewire was downloaded more than 74 million times, making it one of the most used Laravel dependencies ever.

Traditionally, Livewire protects its state with a checksum signed by the application’s APP_KEY. However, this vulnerability allowed attackers to bypass the APP_KEY requirement entirely by smuggling synthesizers through the updates mechanism, effectively breaking the state synchronization between server and browser.

The root cause lies in Livewire’s component property update hydration process, where recursive calls and improper context preservation enabled malicious payload injection. Exploitation required only the target application’s URL, making it accessible to unauthenticated attackers. The vulnerability affected Livewire versions from 3.0.0-beta.1 up to 3.6.3, and was patched in version 3.6.4.

This talk will detail the technical chain from weak typing to RCE, demonstrate the exploit process, discuss the hardening measures implemented by Livewire to prevent similar issues in the future and, more specifically, show the consequences of the publication of the associated proof of concept at the end of last year.

Exploitation
Amphitheater 122
14:15
165min
Hands-on Firmware Extraction, Exploration, and Emulation
Quentin Kaiser

Join us for this hands-on demo of Unblob, the flexible firmware extractor. In this session, we will extract firmware from an EV charger, dig into the firmware, and eventually emulate it so we can interact with the services in real time. Unblob works on both hardware and downloadable versions of firmware, so we have a target-rich environment.

Hardware & IoT
Room LW112
14:15
165min
Threat Detection Engineering with Suricata
Eric Leblond

This hands-on workshop provides an in-depth exploration of advanced techniques for maximizing network threat detection using Suricata. Building upon core Suricata capabilities, this session delves into critical areas such as effective utilization of metadata keywords, including MITRE and regular metadata, to enrich detection context. Participants will learn practical methods for achieving fast Indicator of Compromise (IOC) matching and strategies for managing multiple Suricata versions within diverse environments. The workshop will also cover leveraging the Suricata Language Server (SLS) for rule development and optimization, including interpreting performance hints and implementing Continuous Integration (CI) for rulesets using SLS in batch mode. This session is designed for cybersecurity professionals seeking to enhance their Suricata expertise and implement cutting-edge threat detection strategies. Attendees will leave equipped with actionable techniques and practical examples to improve their organization's security posture.

ThreatIntel
Room LW109
14:50
35min
ChainLeak: From AI Framework to Cloud Secrets
Gal Zaban, Ido Shani

As organizations rapidly adopt AI frameworks and third-party components, traditional software vulnerabilities are increasingly being introduced into AI infrastructure. While AI security discussions often focus on model-level issues such as prompt injection, the most dangerous risks frequently arise from traditional software vulnerabilities within the frameworks that power AI systems.

In this talk, we will present two vulnerabilities we discovered in Chainlit, a widely used open-source framework that helps build conversational AI apps (CVE-2026-22218 and CVE-2026-22219). The issues affect internet-facing AI systems and can be triggered remotely, enabling attackers to steal sensitive files, leak cloud API keys and secrets, and perform server-side request forgery (SSRF) on the AI framework server. We confirmed the vulnerabilities in real-world, internet-facing applications used by major enterprises, demonstrating how framework-layer vulnerabilities can escalate to cloud-level impact.

We will walk through the technical details of the vulnerabilities and the exploitation chain that leads to server compromise and credential exposure. We’ll also show how leaking artifacts such as cached conversation history, configuration files, or environment variables can reveal highly sensitive enterprise data.

Exploitation
Amphitheater 122
15:25
30min
Afternoon Break
Amphitheater 122
15:55
35min
Bypassing BitLocker in under 5 min using boot manager downgrade attacks
Cassius Garat (Intrinsec)

BitLocker without a pre-boot PIN is widely deployed across enterprise environments and often considered a sufficient protection against physical access attacks. In practice, several techniques can defeat it, including long known hardware attacks; the bitpixie PXE-based software attack published in early 2025; and a boot manager downgrade attack we developed that exploits the slow rollout of Microsoft's UEFI CA 2023 certificate transition to revive a patched vulnerability (CVE-2025-48804) on fully updated machines.

This talk is a practitioner's field report. Drawing from real penetration testing engagements, we compare hardware and software attacks across the dimensions that matter in the field — setup time, required hardware, risk to the target device, success rate, and post-exploitation impact. We walk through the open-source PoCs we developed to operationalize bitpixie and the BitUnlocker downgrade attack, and share honest observations on the effectiveness of recommended mitigations in real-world enterprise configurations.

See https://github.com/garatc/BitUnlocker

Exploitation
Amphitheater 122
16:30
20min
Zero Dependencies sounds great... until you try to share your code for the security good.
Eddie Billoir (Airbus Protect)

The Rust ecosystem is often praised for its "harmonized chaos" of crates, but a new trend is emerging in security-critical tools: the total avoidance of dependencies. While projects like sudo-rs aim to reduce the supply chain attack surface, this architectural choice comes with a cost. During my PhD work on RootAsRole, I discovered that dependency minimisation leads to monolithic designs where security logic is tightly coupled to use cases.

This talk explores the friction between security-hardened isolation and the community’s need for reusable, battle-tested components. When we refuse to depend on others, we stop contributing to shared building blocks. We end up reinventing the wheel, forking unmaintained libraries, and scattering security expertise across dozens of "independent" forks. I will share many insights about the Good, the Bad and the Ugly.

Security by Design
Amphitheater 122
17:00
55min
RUMPS SESSION (Lightning Talks)
Amphitheater 122
09:30
150min
A phishing trip with Fancy Bear - Let's analyze APT malware together!
Marius Genheimer (DFIR/Research, SECUINFRA)

In this beginner-friendly, hands-on workshop, participants will walk through the full attack chain of a real-world Fancy Bear (APT28/GRU) intrusion - from the initial phishing email to command & control - guided by a purpose-built interactive training platform.

What to expect:
The workshop is structured across five chapters, each building on the last: threat actor background, payload delivery, exploitation, persistence & installation, and command & control. Participants work hands-on with real artefacts (phishing email headers, a weaponised RTF document, malware samples, and a C2 implant) and answer quiz questions via an interactive platform to validate their findings along the way - making progress immediately visible and keeping the session engaging for all skill levels.

What you will learn:
- How to analyse phishing emails and extract indicators from mail headers
- How to identify and dissect malicious Office documents (including MIME type mismatches and OLE/COM object abuse triggering CVE-2026-21509)
- Persistence techniques: file staging, scheduled task abuse, and LSB steganography in PNG files
- How to reverse simple string obfuscation (XOR + Base64) using CyberChef
- How threat actors repurpose legitimate open-source tools (Covenant C2 framework) and abuse trusted cloud services to blend into normal traffic
- All tools demoed/used throughout the workshop (e.g. oletools, CyberChef, and Covenant) are free and open-source, making every technique immediately reproducible.

Who should attend:
No prior malware analysis experience is required. Basic familiarity with the command line and a curiosity for how attacks actually work is all you need. Security students, CTF players, sysadmins, and blue teamers looking to build intuition for real-world threat actor tradecraft will get the most out of this session.

What to bring:
A laptop with a browser and internet access. All you need is a web browser, a text editor and an archive tool to unpack ZIP (AES-256) archives - other than that, no prior setup is required.

Exploitation
Room LW112
09:30
35min
Simplifying log management, not just for security logs
Peter Czanik, syslog-ng PO at One Identity

We live in an age where all decisions are based on data, and in the case of IT security, the most important data are log messages. Logs are collected centrally and analyzed by various applications, so there are several trends to simplify log message collection. In his talk, Peter introduces central log collection, how creating a dedicated log management layer can save you resources on all fronts, and new technologies to simplify your infrastructure. OpenTelemetry combines logs, traces and metrics into a single protocol, while Kafka can provide a single data pipeline for your organization. A simple and efficient central log management solution not only allows you to save resources, but also provides real-time insight into what is happening in your organization, improving security. While configuration examples come from syslog-ng, the concepts that Peter presents apply to most log management applications.

System & Hardening
Amphitheater 122
10:05
35min
Private Key Leaks in the Wild: from PTS to RWC, and back to PTS
Guillaume Valadon, Gaetan Ferry (Security research, GitGuardian)

Private key leaks represent a critical security vulnerability, with over 400,000 leaked keys on GitHub in 2025, yet their real-world impact remains largely unknown due to the challenge of linking these mathematical objects to their operational usage.

We present the first systematic analysis mapping leaked private keys to active certificates, combining GitGuardian's dataset of 945,560 unique leaked private keys with Google's historical Certificate Transparency databases. In September 2025, our methodology successfully mapped 42,690 private keys to 139,767 certificates, revealing the impact of private keys leaked on GitHub and DockerHub. Using custom online and offline validation, we identified 2,622 valid certificates, enabling website impersonation and MITM attacks.

Our analysis reveals systematic failures in certificate revocation practices, with only 80 certificates revoked via CRL/OCSP and just 3 properly marked as key-compromised. We attributed certificates to 600 organizations across critical industries, though many could not be mapped to identifiable owners. With 20% of valid certificates having been exposed for over two years, our large-scale responsible disclosure campaign sent thousands of emails and revealed significant challenges in reaching certificate owners.

But this research didn't happen in a vacuum. A discussion at Pass the Salt in 2025 sparked a research collaboration between GitGuardian and Google that made it possible. This talk tells that story. We'll walk through the methodology: from what seemed impossible in 2025, to leveraging Google's CT data, to today's Static CT logs.

In one year, the TLS ecosystem evolved to make duplicating this research possible. Classic CT logs are being replaced by static CT, which simplifies both log operations and certificate retrieval. Moreover, Certificate Transparency Log Archive is now available on archive.org. Together, these changes let any researcher replicate our results in 2026.

ThreatIntel
Amphitheater 122
10:40
30min
Morning break
Amphitheater 122
11:10
35min
GCVE: Rebooting Vulnerability Tracking for an Open Security Ecosystem
Alexandre Dulaunoy

The vulnerability ecosystem has become critical infrastructure for defenders, vendors, researchers, and open source maintainers. Yet the way identifiers and vulnerability data are assigned, published, and distributed still reflects a centralized model that does not always match the speed, diversity, and realities of today’s security landscape.

This talk introduces GCVE, a new approach to vulnerability identification and tracking designed to support a more open, decentralized, and resilient ecosystem. GCVE rethinks how vulnerability numbers can be allocated, how trusted actors can publish advisories, and how vulnerability information can be synchronized without creating unnecessary bottlenecks or dependency on a single central authority.

Through the lens of open source security, the talk will explain why this matters: maintainers need lightweight processes, defenders need timely and structured data, and the community needs a model that encourages participation rather than gatekeeping. It will also show how GCVE and its associated tooling can help make vulnerability tracking more transparent, interoperable, and adaptable.

Rather than presenting only a new identifier format, this session will explore a broader idea: how we can build vulnerability tracking as shared public infrastructure for the security community.

ThreatIntel
Amphitheater 122
11:45
35min
Your credentials were leaked, so what?
Xavier Mertens, Teqagogo

Every day, all of us are flooded with phishing emails trying to impersonate many well-known brands (Netflix, DHL, Microsoft, Google, Facebook & co). Some phishing campaigns are poorly prepared and can be easily spotted. On the other side, some are really well crafted and, be honest, who has never clicked on a malicious link? If the flood is constant, it means that it works! And threat actors expect to get our credentials. But is it really the case? How fast do they react once we have disclosed them? That’s the purpose of our research.

We developed a tool, called PhishTrack, that behaves as a honeypot but with more interaction with phishing kits. The tool is fed with phishing URLs. They are visited, categorized and, if possible, we provide unique credentials. Then, we monitor the honeypot and expect (fingers crossed) that our credentials will be re-used. We simulate classic landing pages and protocols: a web portal, MS account, VPN login, VNC, SSH, RDP (and maybe more soon). As an example, our current record is 3 minutes between the phishing page visit and the attempt to (ab)use the credentials from Nigeria.

The talk will be split into two parts: we will introduce the tool, its core components, how it works and how we deployed it. The second part of the talk will be a review of our findings.

ThreatIntel
Amphitheater 122
12:20
100min
Mid Day Break
Amphitheater 122
12:20
100min
Mid Day Break
Room LW109
12:20
100min
Mid Day Break
Room LW112
14:00
35min
Oblivious HTTP - when the server does not want to see your IP
Thibault Meunier (Research, Cloudflare)

It's common for users to look to hide their IP addresses. With Oblivious HTTP, it's reversed: the service chooses to blind itself.
We'll go over how this IETF standard ended up in Apple, Google, Mozilla, and Meta products, and how it evolved.

Crypto for Users
Amphitheater 122
14:35
35min
KeibiDrop: Post-Quantum Encrypted Peer-to-Peer File Transfer Without the Cloud
Marius-Florin Cristian

We present KeibiDrop, an open-source (MPL 2.0) peer-to-peer file transfer tool that provides end-to-end encryption using a hybrid post-quantum key exchange (ML-KEM-1024 + X25519) with ChaCha20-Poly1305 at the transport layer. KeibiDrop operates over direct IPv6 connections with no cloud intermediary, no STUN/TURN servers, and no persistent metadata. The relay server is treated as an untrusted blind intermediary: it sees only opaque lookup keys and encrypted blobs, and cannot correlate users or decrypt content. We discuss the cryptographic design, the privacy model, the trade-offs of an IPv6-only architecture, and the practical challenges of mounting remote files as a local FUSE filesystem with forward secrecy via automatic re-keying. A live demonstration accompanies the talk.

Crypto for Users
Amphitheater 122
15:10
35min
Fractum: an open-source CLI for Threshold-Based Cold Storage of Critical Secrets
Cédric - Katvio.com

Shamir's Secret Sharing (SSS) has been trusted for decades by organizations like ICANN (DNSSEC root key ceremonies), Trezor (SLIP-39), and Coinbase; yet it remains largely inaccessible to individual practitioners and small teams who need cold storage for cryptocurrency wallets, SSH keys, infra recovery keys, or root CA credentials.

This talk introduces Fractum, an open-source (MIT) CLI tool that combines AES-256-GCM authenticated encryption with Shamir's Secret Sharing over GF(2^8) to split sensitive files into K-of-N threshold shares. Designed as an air-gapped, portable and offline-first tool with zero network dependencies, it brings information-theoretic security to anyone with a terminal.

I will walk through the cryptographic design decisions: why GCM over CBC, how polynomial interpolation in GF(256) actually works at the byte level, how we handle entropy collection from multiple sources, and the trade-offs of implementing memory protection (SecureString with mlock and multi-pass overwrite) in a garbage-collected language like Python. A pre-recorded demo will show a full encrypt-split-distribute-reconstruct cycle running inside a network-isolated Docker container.

Attendees will take away: a clear mental model of how threshold cryptography works in practice, an understanding of the security properties (and honest limitations) of implementing SSS in Python, and a free tool they can use immediately for their own cold storage needs.

GitHub: https://github.com/katvio/fractum
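To make the byte-level GF(2^8) arithmetic and the K-of-N split concrete, here is an added example in Rust. It is not Fractum's code (Fractum is written in Python) and does not reproduce its AES-256-GCM layer, entropy collection or mlock handling; it only shows the threshold scheme itself. A constructed 32-byte key stands in for the data-encryption key, and a constructed xorshift generator stands in for the CSPRNG so the example runs deterministically and offline.

```rust
// Added example (not Fractum's code): Shamir's Secret Sharing over GF(2^8),
// byte-wise, using the AES reducing polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
// Any K of the N shares rebuild the secret by Lagrange interpolation at x = 0.

/// Multiply two GF(2^8) elements with shift-and-reduce (no lookup tables).
pub fn gf_mul(mut a: u8, mut b: u8) -> u8 {
    let mut p: u8 = 0;
    for _ in 0..8 {
        if b & 1 != 0 { p ^= a; }
        let carry = a & 0x80 != 0;
        a <<= 1;
        if carry { a ^= 0x1b; }
        b >>= 1;
    }
    p
}

/// Multiplicative inverse as a^254 (a^255 = 1 for every non-zero a).
pub fn gf_inv(a: u8) -> u8 {
    assert!(a != 0, "zero has no inverse");
    let (mut r, mut base, mut e) = (1u8, a, 254u32);
    while e > 0 {
        if e & 1 == 1 { r = gf_mul(r, base); }
        base = gf_mul(base, base);
        e >>= 1;
    }
    r
}

/// Horner evaluation; coeffs[0] is the constant term (the secret byte).
fn eval_poly(coeffs: &[u8], x: u8) -> u8 {
    coeffs.iter().rev().fold(0u8, |acc, &c| gf_mul(acc, x) ^ c)
}

#[derive(Clone, Debug, PartialEq)]
pub struct Share { pub x: u8, pub y: Vec<u8> }

/// Split `secret` into n shares with threshold k; `rng` supplies coefficient bytes.
pub fn split(secret: &[u8], k: usize, n: usize, rng: &mut dyn FnMut() -> u8) -> Vec<Share> {
    assert!(k >= 2 && k <= n && n <= 255, "need 2 <= k <= n <= 255");
    let mut polys: Vec<Vec<u8>> = Vec::with_capacity(secret.len());
    for &s in secret {
        let mut coeffs = vec![s];                 // constant term = secret byte
        for _ in 1..k { coeffs.push(rng()); }     // k-1 random higher coefficients
        polys.push(coeffs);
    }
    let mut shares = Vec::with_capacity(n);
    for x in 1..=n as u8 {                        // x = 0 would hand out the secret itself
        let y = polys.iter().map(|p| eval_poly(p, x)).collect();
        shares.push(Share { x, y });
    }
    shares
}

/// Rebuild the secret from >= k distinct shares. With fewer than k the output is a
/// well-formed but wrong value: plain SSS cannot detect that, which is why the
/// payload is wrapped in authenticated encryption in a real tool.
pub fn reconstruct(shares: &[Share]) -> Vec<u8> {
    assert!(!shares.is_empty(), "no shares");
    for (i, a) in shares.iter().enumerate() {
        for b in &shares[i + 1..] {
            assert!(a.x != b.x && a.y.len() == b.y.len(), "duplicate index or length mismatch");
        }
    }
    // Lagrange basis values at x = 0 depend only on the share indices: compute once.
    let basis: Vec<u8> = shares.iter().map(|sj| {
        let (mut num, mut den) = (1u8, 1u8);
        for sm in shares {
            if sm.x != sj.x {
                num = gf_mul(num, sm.x);          // (0 - x_m) == x_m: negation is the identity
                den = gf_mul(den, sj.x ^ sm.x);   // (x_j - x_m) == x_j XOR x_m
            }
        }
        gf_mul(num, gf_inv(den))
    }).collect();
    let len = shares[0].y.len();
    (0..len).map(|i| {
        shares.iter().zip(&basis).fold(0u8, |acc, (s, &b)| acc ^ gf_mul(s.y[i], b))
    }).collect()
}

/// Constructed xorshift32 for the demo only: NOT a CSPRNG, never use it for real shares.
pub fn demo_rng(seed: u32) -> impl FnMut() -> u8 {
    let mut s = seed;
    move || { s ^= s << 13; s ^= s >> 17; s ^= s << 5; (s >> 24) as u8 }
}

/// Round trip: split a constructed 32-byte key 3-of-5, rebuild from shares {1,3,5}
/// and, for contrast, from only shares {2,4}. Returns (key, from_three, from_two).
pub fn demo() -> (Vec<u8>, Vec<u8>, Vec<u8>) {
    let key: Vec<u8> = (0u8..32).map(|i| i.wrapping_mul(37).wrapping_add(11)).collect();
    let mut rng = demo_rng(0x1234_5678);
    let shares = split(&key, 3, 5, &mut rng);
    let any_three = vec![shares[0].clone(), shares[2].clone(), shares[4].clone()];
    let only_two = vec![shares[1].clone(), shares[3].clone()];
    (key, reconstruct(&any_three), reconstruct(&only_two))
}

fn hex(b: &[u8]) -> String { b.iter().map(|x| format!("{:02x}", x)).collect() }

fn main() {
    let (key, ok, bad) = demo();
    println!("key              : {}", hex(&key));
    println!("from shares 1,3,5: {} match={}", hex(&ok), ok == key);   // match=true
    println!("from shares 2,4  : {} match={}", hex(&bad), bad == key); // match=false
}
```

Run it with `rustc sss.rs && ./sss` (assumed file name). The two-share reconstruction is the point to keep in mind: it returns 32 plausible bytes, not an error, so the integrity check has to come from the authenticated-encryption layer around the shared key, not from SSS itself.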

Crypto for Users
Amphitheater 122
15:45
20min
DesktopRanger Blocks Keystroke Spying: Hardening Windows Desktop Isolation
Igor Korkin (independent security researcher)

Modern businesses routinely handle sensitive data—entering passwords, managing internal documents and emails, or conducting confidential meetings in applications such as Zoom and Signal. Windows desktop isolation can block basic keyloggers from capturing keystrokes from applications running on newly created desktops. Several security tools rely on this mechanism by running sensitive applications or password-entry screens on isolated desktops, providing effective defense against unsophisticated keyloggers. In practice, however, this protection is often treated as “good enough” once a protected desktop has been created.

This talk shows why that assumption is wrong: Windows Desktop Isolation is not a true isolation boundary.

The focus of this research is not kernel-mode interception, but high-privilege user-mode keyloggers. In other words, the talk addresses attackers that remain in user space, yet possess enough privileges to actively interfere with desktop-based protections and attach spying logic to sensitive contexts. This makes the problem especially relevant in Man-at-the-End (MATE) scenarios common in business environments.

I will present a series of experiments covering the four most common Windows keystroke interception techniques—SetWindowsHookEx, GetAsyncKeyState, Raw Input, and DirectInput—as well as ETW-based monitoring. The results show that privileged attackers can still capture keystrokes from protected desktop contexts, including Secure Desktop environments such as Winlogon, for example by launching a high-privilege process via PsExec/Sysinternals.

To address this weakness, I will introduce DesktopRanger, an open-source defensive prototype for creating hardened Windows desktops for secret input. DesktopRanger creates a protected desktop with a restrictive security descriptor, expressed in SDDL as D:P, preventing unauthorized opening through the standard desktop access path and limiting the attacker’s ability to obtain even the desktop name. When a legitimate application must be launched, access is relaxed only for a very short period. At the same time, desktop enumeration is blocked at the Window Station level to prevent hostile processes from discovering or attaching to the target desktop. Once the application has been initialized, the original restrictive state is restored: the user can again enumerate active desktops, but the protected desktop does not appear in the returned list.

I will explain the Windows Desktop and Window Station internals behind this design. I will also discuss how this approach can be combined with the open-source MemoryRanger bare-metal hypervisor to protect relevant kernel-side security structures against tampering, including BYOVD-style attacks.

The experiments show a clear contrast: a high-privilege attacker can still spy on Secure Desktop-style protected contexts, including Winlogon, whereas the same attacker is unable to attach to and spy from a desktop created by DesktopRanger.

Security by Design
Amphitheater 122
16:05
20min
Rust, PAM and Typestate: Cooking up spotless authentication with nonstick
Eddie Billoir (Airbus Protect)

Bim bam PAM! In this talk, we’re diving into the kitchen of system security to look at the PAM (Pluggable Authentication Modules) architecture.

We’ll start by deconstructing the classic PAM lifecycle. But instead of just "wrapping" the C API in Rust and hoping for the best, we’ll introduce nonstick. The secret sauce? We will demonstrate how nonstick uses Rust's design to encode the PAM expected behavior directly into the compiler.
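As an added illustration of the typestate idea, here is a small Rust program, written for this page and not nonstick's API, that encodes the classic PAM lifecycle (pam_start, pam_authenticate, pam_acct_mgmt, pam_open_session, pam_close_session, pam_end) in the type system. Each phase is a zero-sized marker type and every transition consumes the handle, so calling a phase out of order is a compile error rather than a runtime surprise. No libpam is linked; the "module" consults a constructed in-memory user table, and the names `PamHandle`, `login` and the error variants are this example's own.

```rust
// Added example, NOT nonstick's API: typestate encoding of the PAM lifecycle.
use std::collections::HashMap;
use std::marker::PhantomData;

#[derive(Debug, PartialEq)]
pub enum PamError { AuthErr, AcctExpired }

// Phase markers: no data, no runtime cost, only a type.
pub struct Started;
pub struct Authenticated;
pub struct Authorized;
pub struct SessionOpen;

pub struct PamHandle<Phase> {
    user: String,
    password: Option<String>,     // dropped as soon as authentication has run
    _phase: PhantomData<Phase>,
}

/// Constructed demo backend: user -> (password, account_expired).
fn demo_users() -> HashMap<&'static str, (&'static str, bool)> {
    HashMap::from([("alice", ("correct horse", false)), ("mallory", ("hunter2", true))])
}

/// Comparison that does not stop at the first differing byte.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// pam_start: the only constructor, and it only ever yields a Started handle.
pub fn pam_start(user: &str, password: &str) -> PamHandle<Started> {
    PamHandle { user: user.to_owned(), password: Some(password.to_owned()), _phase: PhantomData }
}

impl PamHandle<Started> {
    /// pam_authenticate: consumes Started; on failure no handle survives at all.
    pub fn authenticate(self) -> Result<PamHandle<Authenticated>, PamError> {
        let ok = match (demo_users().get(self.user.as_str()), self.password.as_deref()) {
            (Some((pw, _)), Some(given)) => constant_time_eq(pw.as_bytes(), given.as_bytes()),
            _ => false,
        };
        if !ok { return Err(PamError::AuthErr); }
        Ok(PamHandle { user: self.user, password: None, _phase: PhantomData })
    }
}

impl PamHandle<Authenticated> {
    /// pam_acct_mgmt: authenticated is not yet authorized (expired, locked, ...).
    pub fn acct_mgmt(self) -> Result<PamHandle<Authorized>, PamError> {
        match demo_users().get(self.user.as_str()) {
            Some((_, true)) => Err(PamError::AcctExpired),
            _ => Ok(PamHandle { user: self.user, password: None, _phase: PhantomData }),
        }
    }
}

impl PamHandle<Authorized> {
    /// pam_open_session is only reachable from Authorized.
    pub fn open_session(self) -> PamHandle<SessionOpen> {
        PamHandle { user: self.user, password: None, _phase: PhantomData }
    }
    /// pam_end: consumes the handle; nothing can be called afterwards.
    pub fn end(self) {}
}

impl PamHandle<SessionOpen> {
    pub fn user(&self) -> &str { &self.user }
    pub fn close_session(self) -> PamHandle<Authorized> {
        PamHandle { user: self.user, password: None, _phase: PhantomData }
    }
}

/// The full lifecycle in the only order the types permit; returns the session user.
pub fn login(user: &str, password: &str) -> Result<String, PamError> {
    let session = pam_start(user, password).authenticate()?.acct_mgmt()?.open_session();
    let who = session.user().to_owned();
    session.close_session().end();
    Ok(who)
}

fn main() {
    println!("{:?}", login("alice", "correct horse")); // Ok("alice")
    println!("{:?}", login("alice", "wrong"));         // Err(AuthErr)
    println!("{:?}", login("mallory", "hunter2"));     // Err(AcctExpired)
    // Rejected at compile time, which is the whole point:
    //   pam_start("alice", "x").open_session();
    //   error[E0599]: no method named `open_session` found for struct `PamHandle<Started>`
}
```

The design choice worth noting: because `authenticate` takes `self` by value and returns the next phase only inside `Ok`, a failed authentication leaves the caller with nothing to continue from, and the password string is discarded at that point instead of living on in the handle.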

Security by Design
Amphitheater 122
16:25
30min
Ending Break
Amphitheater 122