Presentations' descriptions

Thursday 14th 2022

Security is now a continuum and we’re all part of it

Pascal Andrei, Airbus Chief Security Officer, will address the evolution of Security within Airbus: how it has evolved from a strong Product security culture towards a new way of thinking about Security activities, encompassing both the Physical and Cyber Security of all Airbus assets. From his own experience, via the challenges the Company is facing, he will share his insights on today's Security drivers.

Pascal ANDREI has a French state PhD degree in Competitive Intelligence & Security from Paris University after a Mathematics and Physics Masters. He started his career at AEROSPATIALE in 1992 as head of Competitive Intelligence before leading e-business activities in Munich for EADS headquarters. He created and led Aircraft Security within Airbus before becoming Chief Product Security Officer and Executive Expert for all Airbus divisions overseeing all Airbus products (aircraft, helicopters, satellites, launchers...). Pascal ANDREI is currently Airbus SVP Chief Security Officer, leading all Security activities globally for Airbus companywide. He plays a very active role in international cooperative efforts to guarantee the overall (Cyber and Physical) security of the commercial aviation industry infrastructure. For this contribution, he was nominated personality of the year in 2015 by the Air Transportation System Security community in Dubai. He is a reservist of the “GIGN”, the elite police tactical unit of the French National Gendarmerie, and was decorated Knight of the Légion d’Honneur in 2017.

Pascal Andrei

Android Encryption

Nowadays smartphones contain a lot of private and sensitive data: photos, conversations, health data or even bank accounts. These data must be strongly protected in case of loss of the device. This talk will explain the Android encryption security models and the related security features, giving a global overview that makes it possible to understand the software and hardware solutions which protect the user data.

Jean-Baptiste Cayrou

INSECA: Secure PC endpoints

INSECA is a tool to configure, create, deploy and manage endpoint systems with the goal of improving the security of "PC" endpoint systems. Beyond a general introduction on the subject, this presentation highlights the main security and technical aspects of the "PC" endpoints (security features, internal disk structure which differs from other live Linux systems, etc.).

Direction Générale de l'Aviation Civile (DGAC)

Cross-protocol attacks, weaponizing a smartphone by diverting its Bluetooth controller

In this paper, we focus on a new type of wireless attack, named cross-technology pivoting attacks. The main objective of these attacks is to divert the transceivers of compromised devices dedicated to a given protocol to allow them to communicate through another protocol, taking advantage of some similarities in their modulation schemes. The main contribution of this work consists in demonstrating the practical feasibility of pivoting attacks from off-the-shelf devices implementing the Bluetooth 5.0 specification. To our knowledge, this attack has not been explored so far in the state of the art.

Romain Cayre, Florent Galtier, Guillaume Auriol, Vincent Nicomette, Mohamed Kaaniche, Géraldine Marconato
LAAS CNRS, INSA Toulouse and APSYS.Lab

Using Harmonics for Low-Cost Jamming

When exploring different attack perspectives, out-of-the-box thinking is important in coming up with unique solutions to overcome limitations. In this case, we explore the use of the Raspberry Pi as a low-cost RF jammer by transmitting outside its available transmission range with the use of harmonics. We test this against a wireless microphone system in an attempt to stop the microphone from connecting to the base unit.

Vasilis Ieropoulos, Eirini Anthi
School of Computer Science, Cardiff University, Cardiff, UK

Enhancing security investigations with exploration recommendation

Facing enormous amounts of data and without efficient means to explore it, analysts are constantly one step behind attackers. We believe that using expert knowledge and relevant decision-making processes, we can steer them to the right exploration path. To that purpose we present KRAKEN, a recommender system designed to assist analysts during investigations.

Romain Brisse, Frédéric Majorczyk, Simon Boche, Jean-Francois Lalande
Malizen, CentraleSupélec, Inria, IRISA

Two bugs to rule them all: taking over the PHP supply chain

In this talk, we present the technical details of the vulnerabilities that allowed us to compromise the infrastructure behind the two PHP package managers, Composer and PEAR. Together, they serve more than a billion monthly package downloads, and the exploitation of these bugs by malicious actors could have led to a massive disruption of all companies using PHP. We will also discuss the way that we could reduce the impact of such attacks and the actions that package managers could take to protect themselves.

Thomas Chauchefoin

Everything I wanted to know about AD LDAP

Most modern enterprise networks rely heavily on Microsoft Windows Active Directory to create managed domains of machines. These AD domains take advantage of network protocols and services to work properly, such as Kerberos, SMB, DNS, LDAP, etc. In this talk, we will deep dive into Microsoft’s Active Directory LDAP to give you an overview of concepts, exploitation techniques and tools to interact with it.


Break what we Make @ Intel

This is a keynote, the subject is left as a surprise.

Burzin Daruwala
Intel Corp.

Watermarking at the service of the ownership rights of ML models

ML watermarking enables model traceability by embedding a secret change in the look or behaviour of a model that can be linked to the identity of its creator. Recently, different watermarking solutions were proposed as countermeasures against different attacks on the ownership rights in the context of ML, such as model extraction, watermark removal, watermark falsification, or ownership check evasion.

Katarzyna Kapusta, Olivier Bettan, Vincent Thouvenot

Friday 15th 2022

Status Report on the NIST Post-Quantum Standardization

This is a keynote, the subject is left as a surprise.

Carlos Aguilar-Melchor

Credential harvesting in 2022: making initial access through publicly exposed secrets in git repositories and docker images

The problem of publicly exposed secrets, such as API keys and other credentials, is a widespread weakness affecting organizations of all sizes. The scale of this problem was recently quantified in a year-long research study by GitGuardian which scanned all public activity on GitHub throughout 2021, uncovering over 6 million leaked secrets. This presentation will look at how offensive teams can capitalize on this to harvest secrets from public resources to gain initial access into an organization, and review examples of successful breaches to back up findings.

Mackenzie Jackson

Pwn2Own'ing the TP-Link Archer A7

Pwn2Own is a bi-annual event organized by TrendMicro aimed at acquiring unpatched vulnerabilities on modern targets like routers, NAS, phones. To participate in the edition of fall 2020, we discovered and exploited a memory corruption vulnerability in a LAN service of the TP-Link Archer A7 router. For this talk, we try to take a pedagogic approach and present what’s behind the scenes of Pwn2Own submissions by discussing our research methodology, the process to set up a realistic debugging environment, the remote exploitation of the vulnerability, and finally the event itself.

Kevin Denis, Thomas Chauchefoin
Synacktiv, SonarSource

VolWeb, a digital memory forensic platform dedicated to investigators and incident response teams

VolWeb is an open-source digital memory forensic platform whose goal is to improve the efficiency of memory forensics by providing a centralized, visual and enhanced platform for investigators. It enables analysts to share investigations with each other, use visualization tools to quickly identify anomalies, tag interesting elements, dump processes and files to perform reverse malware analysis and much more. The platform supports Windows memory forensics; it will in the near future support Mac and Linux analysis. Interfacing with volatility3, the platform will evolve with the framework's development.

Félix Guyard

Attacking formally verified hardware monitors

Formal verification has been adopted to design a secure hardware system. It allows, from a model of the system and verified properties, to demonstrate the security against a given class of attacks. In the case of a closed-source microprocessor, to model the system, we state a hypothesis: "it is impossible to reproduce the behaviour of the hardware without executing our highly optimized program". In this presentation, we show how we tested our hypothesis by attacking our optimized program and observing internal signals.

Jonathan CERTES, Benoît MORGAN

Implementations of a CAN Bus Log Analyzer

The Controller Area Network (CAN) bus is efficient but insecure. Its efficiency has made it the network of choice for the automotive industry, and its insecurity has triggered the development of a variety of Intrusion Detection Systems (IDS) to analyze the traffic and detect anomalies. In existing implementations, obfuscation is the main source of security: though most messages have a well-defined meaning, the association between messages and their meaning (the CAN matrix) is usually secret. This paper presents a tool that can be employed to derive knowledge from a log. The extracted knowledge is sufficient to synthesize an efficient Intrusion Detection System, and to gain insights on the data transiting on the CAN Bus.

Yannick Chevalier

Modeling Rowhammer memory corruption in the gem5 simulator

In modern computers, the main memory is the target of a security threat called Rowhammer, which causes bitflips in adjacent victim cells of aggressor rows. Numerous countermeasures have been proposed, some of the most efficient ones relying on memory controller modifications, which make them non-integrable in existing systems. These solutions have to be effective against attacks on current and future architectures and technology nodes. In order to prove the efficiency of such mitigation techniques, we have to use simulation platforms. Unfortunately, existing architecture simulators do not provide any implementation of unintended memory modifications like bitflips. Integrating memory corruption into architecture simulators would allow the construction of attacks and mitigations for current and future computers, using feedback from the simulator. In this paper, we propose an implementation of the Rowhammer effect in the gem5 architecture simulator, demonstrate its capabilities and state its limitations.

Loïc France, Florent Bruguier, David Novo, Pascal Benoit, Maria Mushtaq
LIRMM, Telecom Paris

A new key-gate insertion strategy for logic locking with high output corruption

The outsourcing business model currently dominates the semiconductor industry. Ever-shrinking technologies have indeed raised the cost of manufacturing Integrated Circuits (ICs). Currently, constructing a fabrication plant with advanced technologies (5 nm to 3 nm) costs more than $10 billion. Therefore, outsourcing the fabrication process to offshore, but possibly unreliable, foundries has become a major trend. This leads to possible security threats on hardware, such as IP piracy, Hardware Trojan insertion and IC overproduction.

Quang-Linh Nguyen, Sophie Dupuis, Marie-Lise Flottes