Version du 11 octobre 2013 à 13:27

> GREHACK'13 Entrance Ticket <

• Keynote: Herbert Bos (VU University, Netherlands)
• Invited Speakers: Halvar Flake (Zynamics-Google, Switz.) and Juan Caballero (IMDEA, Spain)
• Accepted Papers

Conference - overview

Slides + Talks in english.

Planning at a glance

GreHack 2013 - Planning at a glance

Invited Speakers

Keynote

Pic	Speaker name	Talk	Corp/Lab/Gov/Self
	Herbert Bos	Tain't not enough to fuzz all the memory errors (summary)	Vrije Universiteit Amsterdam, Netherlands

Invited Speakers

Pic	Speaker name	Talk	Corp/Lab/Gov/Self
	Halvar Flake	The many flavors of binary analysis	Zynamics, now a Google company, Zurich, Switzerland
	Juan Caballero	Specialization in the malware distribution ecosystem	IMDEA, Madrid, Spain

Accepted Papers & Talks

Pic	Author(s)	Corp/Lab/Gov/Self	Paper + Talk
	Markku-Juhani Olavi Saarinen	CMDCTRL.CC	Developing a Grey Hat C2 and RAT for APT Security Training and Assessment (summary)
	Mathieu Cunche	INSA-Lyon, Lab. CITI, INRIA Privatics	I know your MAC Address: Targeted tracking of individual using Wi-Fi (summary)
	Ludovic Apvrille	Telecom ParisTech	Pre-filtering Mobile Malware with Heuristic Techniques (summary)
	Axelle Apvrille	FORTINET
	Josselin Feist	VERIMAG	Statically Detecting Use After Free on Binary Code (summary)
	Laurent Mounier
	Marie-Laure Potet
	Alejandro Nolla		Amplification DDoS attacks with game servers (summary)
	Eireann Leverett	IOActive, US	Vulnerability Inheritance in Programmable Logic Controllers (summary)
	Reid Wightman
	Jagdish Achara	Inria Privatics	Detecting Privacy Leaks in the RATP App: how we proceeded and what we found (summary)
	James-Douglas Lefruit
	Vincent Roca
	Claude Castelluccia
	Ruo Ando	NICT, Japan	Unraveling large scale geographical distribution of vulnerable DNS servers using asynchronous I/O mechanism (summary)
	Yuuki Takano
	Satoshi Uda
	François Desplanques	Ensimag	Attacks using malicious devices: a way to protect yourself against physical access (summary)
	Guillaume Jeanne

Rump sessions

At the end of the afternoon, rump sessions will take place.

Conference - detailed content

Invited Talks - bio + summary

Herbert Bos - Tain't not enough to fuzz all the memory errors

Tain't not enough time to fuzz all the memory errors

In this talk, I will discuss the past, present, and future of memory errors, and some of the projects in my group that build on information flow tracking (sometimes referred to as taint analysis) to detect and stop memory corruption attacks, These projects include plain old tainting solutions like Argos and Minemu, as well as more elaborate defenses like BinArmor. Finally, I will discuss new work in my group on fuzzing for buffer overflows (sec13-paper_haller.pdf) which combines taint analysis with symbolic execution and some cool heuristics to track down those pesky overflows in real programs."

Herbert Bos

General Co-Chair for EuroSys 2014 Professor at VU University Amsterdam Three of his students have won the ACM SIGOPS Eurosys Roger Needham Award for best Ph.D. thesis in computer systems in Europe. Ph.D. from Cambridge University (UK)

Halvar Flake - TBA

TBA

Halvar Flake

twitter: @halvarflake Funny bio from Syscan'13: "Halvar needs no introduction... but I'm going to give him one just to be irritating. A mathematician at heart, Halvar really wants nothing more in life than for things to work just as they should, and for there to be cake afterwards. However, having not revolutionized mathematics by the age of 20, he wisely decided to turn his hand to revolutionizing reverse engineering instead. Since then, he has spent years eviscerating software, building tools that sucked less than all the existing ones and relentlessly pointing out all of the areas where our approaches just aren't working. I pine for a softer, kinder world where formal methods solved everything, other people's software didn't suck so damn much, and gentle giants like Halvar would be free to read poetry and eat their cake in peace.:(" founder of Zynamics ... you know BinDiff :) encouraging female reverse engineers researcher at Google, quoting Halvar's linkedin "now we can do real computations"

Juan Caballero - Specialization in the malware distribution ecosystem

Specialization in the malware distribution ecosystem

In the cybercrime ecosystem attackers have understood that tackling the entire monetization chain is a daunting task requiring highly developed skills and resources. Thus, specialized services have emerged to outsource key parts to third parties such as malware toolkits, exploit marketplaces, and pay-per-install services. Such outsourcing encourages innovation and specialization, enabling attackers to focus on their end goals. This talk describes our research into the specialized services dominating malware distribution.

Juan Caballero

Juan Caballero is an Assistant Research Professor at the IMDEA Software Institute in Madrid, Spain. His research focuses on security issues in systems, software, and networks. He received his Ph.D. in Electrical and Computer Engineering from Carnegie Mellon University, USA on 2010 and was a visiting researcher at University of California, Berkeley for two years. His research has appeared (and has won best paper awards) at top security venues. He has been in the technical committee of venues such as IEEE S&P, NDSS, WWW, RAID, and DIMVA. He is program co-chair for the Digital Forensics Research Symposium (DFRWS) for 2013 and 2014.

Accepted Papers & Talks - bio + summary

Markku-Juhani Olavi Saarinen - Developing a Grey Hat C2 and RAT for APT Security Training and Assessment

Markku-Juhani Olavi Saarinen

Dr. Markku-Juhani O. Saarinen is a Research Scientist with Temasek Laboratories, NTU, Singapore. He has worked as a Security Engineer, Consultant and an Academic in the Information Security space for about 15 years. He has authored some 30 peer-reviewed research papers (mainly on breaking symmetric ciphers) but also maintains a well-rounded skill set related to real-life hacking and security engineering. Markku started out as a software engineer and cryptographer with SSH Communications Security in 1997, where he helped to build the now-ubiquitous SSH2 protocol. After couple of years with Nokia Research and some academic projects, he left to do security consulting in the Middle East in 2004. He operated as a Penetration Testing professional, Security Auditor (PCI DSS QSA) and built custom network filtering and monitoring solutions. He enrolled as a part-time student in the Royal Holloway (University of London) Information Security Ph.D. program in 2005 while continuing to do consulting. Dr. Saarinen graduated in 2009 with a thesis on Hash Function Cryptanalysis. Prior to joining Temasek Labs @ NTU, he was a Principal Investigator of a DARPA-Funded lightweight cryptography research project with (now defunct) Revere Security Corp. of Texas, USA and a Freelance security analyst with Help AG, Dubai.

Developing a Grey Hat C2 and RAT for APT Security Training and Assessment

We report on the development of a Remote Access Tool (RAT) and related Command and Control (C2) system for the purposes of simulating Advanced Persistent Threat (APT) attacks during security audits. The system, a set of tools collectively called HAGRAT, is a clean-slate in-house development and remarkable for its compact size. As such, it is backdoor-free and not readily identifiable by Anti-Malware and Intrusion Detection tools (as it has not been indiscriminately distributed). We discuss the design requirements, implementation and the actual the effort required todevelop such software.

Mathieu Cunche - I know your MAC Address: Targeted tracking of individual using Wi-Fi

Mathieu Cunche

Mathieu is an associate professor at INSA-Lyon and is part of the Inria Privatics team. He is interested in all things related to Privacy, Security, Wireless Networks and Applied Cryptography. Finding Internet connectivity anywhere in the world and reading raw pcap files are his two most famous skills. As a side activity, he is a semi-professional WAR-surfer and WAR-snowboarder. And above all, he loves it when a plan comes together. @Cunchem mathieu.cunche.free.fr

I know your MAC Address: Targeted tracking of individual using Wi-Fi

This work is about wireless communications technologies embedded in portable devices, namely Wi-Fi, Bluetooth and GSM. Focusing on Wi-Fi, we study the privacy issues and potential missuses that can affect the owners of wireless-enable portable devices. WiFi enable-devices periodically broadcast in plain-text their unique identifier along with other sensitive information. As a consequence, their owners are vulnerable to a range of privacy breach such as the tracking of their movement and inference of various private information [9, 7]. As serious as those information leakage can be, linking a device with an individual and its real world identity is not a straightforward task. Focusing on this problem, we present a set of attacks that allow an attacker to link a Wi-Fi device to its owner identity. We present two methods that, given an individual of interest, allows to identify the MAC address of its Wi-Fi enabled portable device. Those methods do not require a physical access to the device and can be performed remotely, reducing the risks of being noticed. Finally we present scenarios in which the knowledge of an individual MAC address could be used for mischief.

Ludovic Apvrille and Axelle Apvrille - Pre-filtering Mobile Malware with Heuristic Techniques

Ludovic Apvrille

Ludovic Apvrille obtained his M.Sc. in Computer Science, Network and Distributed Systems specialization in 1998 from ENSEIRB and ISAE. He then completed a Ph.D. in 2002, in the Department of Applied Mathematics and Computer Science at ISAE, in collaboration with LAAS-CNRS and Alcatel Space Industries (now, Thalès Alenia Space). After a postdoctoral term at Concordia University (Canada), he joined LabSoc in 2003 as an assistant professor at Telecom ParisTech, in the Communication and Electronics department. He obtained his HDR (Habilitation à Diriger les Recherches) in 2012. His research interests focus on tools and methods for the modeling and verification of embedded systems and Systems-on-Chip. Verification techniques target both safety and security properties. He's the leader of the open-source UML/SysML toolkit named TTool. Associate professor at: Telecom ParisTech

Axelle Apvrille

I am a senior Anti-Virus analyst and researcher for Fortinet. I specialize in mobile malware: reverse engineering, detection, and related research & publications. Before that, my field of expertise was implementation of cryptology algorithms, security protocols and OS. Specialties: virus, mobile phones, cryptography, security, Unix @cryptax

Pre-filtering Mobile Malware with Heuristic Techniques

With huge amounts of new Android applications released every day, in dozens of different marketplaces, Android malware unfortunately have no difficulty to sneak in and silently spread, and put a high pressure on antivirus teams. To try and spot them more easily, we built an infrastructure, named SherlockDroid, whose goal is to filter out the mass of applications and only keep those which are the most likely to be malicious for future inspection by Anti-virus teams. SherlockDroid is made of marketplace crawlers, code-level property extractors and a data mining software which decides whether the sample looks malicious or not. This data mining part is named \textit{Alligator}, and is the main focus of the paper. Alligator classifies samples using clustering techniques. It first relies on a learning phase that determines the intermediate scores to apply to clustering algorithms of Alligator. Second, an operational phase classifies new samples using previously selected algorithms and scores. Alligator has been trained over an extensive set of both genuine Android applications and known malware. Then, it was tested for proactiveness, over new and more recent applications. The results are very encouraging and demonstrate the efficiency of this first heuristics engine for efficiently pre-filtering Android malware.

Laurent Mounier, Marie-Laure Potet and Josselin Feist - Statically Detecting Use After Free on Binary Code

Josselin Feist

bio

Laurent Mounier

Laurent Mounier home page - Verimag

Marie-Laure Potet

Marie-Laure Potet home page - Verimag

Statically Detecting Use After Free on Binary Code

We present GUEB a static tool detecting Use after Free vulnerabilities on disassembled code. This tool has been tested on a real vulnerability in ProFTPD (CVE-2011-4130).

Alejandro Nolla - Amplification DDoS attacks with game servers

Alejandro Nolla

Security consultant and ethical hacking. Madrid, España. @z0mbiehunt3r

Amplification DDoS attacks with game servers

This paper describes how a DDoS amplification attack using game servers works as well as various methods to find vulnerable games and techniques to detect this kind of attack and how to try to mitigate these attacks at different levels of OSI topology as well as different levels at a network schema.

Eireann Leverett and Reid Wightman - Vulnerability Inheritance in Programmable Logic Controllers

Eireann Leverett

Eireann Leverett studied Artificial Intelligence and Software Engineering at Edinburgh University and went on to get his Masters in Advanced Computer Science at Cambridge. He studied under Frank Stajano and Jon Crowcroft in Cambridge's computer security group. In between he worked for GE Energy for 5 years and has just finished a six month engagement with ABB in their corporate research Dept. He now proudly joins IOActive to focus on Smart Grid and SCADA systems. His MPhil thesis at Cambridge was on the increasing connectivity of industrial systems to the public internet. He focussed on finding the cheapest way to find and visualise these exposures and associated vulnerabilities. He shared the data with ICS-CERT and other CERT teams globally, and presents regularly to academics and government agencies on the security of industrial systems. More importantly, he is a circus and magic enthusiast, and likes to drink beer. @blackswanburst

Reid Wightman

@ReverseICS

Vulnerability Inheritance in Programmable Logic Controllers

200 Programmable Logic Controller (PLC) models from a variety of vendors rely on the same third party library.This CodeSys Runtime library gives these controllers access to 'ladder logic'. The authors discovered authentication bypass vulnerabilities in this library. An unauthenticated attackercould potentially upload ladder logic to the PLCs or halt the programs presently running. The authors subsequently performed a scan of the complete IPv4 internet (0.0.0.0/0) to identify controllers, potentially providing access to critical infrastructure, and shared that data with trusted incident responders.

Jagdish Achara, James-Douglas Lefruit, Vincent Roca and Claude Castelluccia - Detecting Privacy Leaks in the RATP App: how we proceeded and what we found

Jagdish Achara

Jagdish Achara got his research master in computer science (Specialty: Services, Security and Networks) from Nancy University in 2011 and since then, working as an Engineer at Inria Privatics team. He is interested in the field of "Security and Privacy (S&P) aspects of Internet" in general. As of today, he is focusing on investigating smart devices (for example, smartphones, smartglasses, smartwatches, smartmeteres etc.) from S&P point of view. Previously, as part of his master studies, he designed and implemented a decentralized shared calendar (abbreviated as DeSCal). On holidays (not all of them however!), you could find him in playgrounds, mountains, parks and of course, somewhere on the roads but rarely in front of the computer. webpage: ~achara twitter: @JagdishAchara

James-Douglas Lefruit

LinkedIn

Vincent Roca

I'm permanent researcher, working at Inria, a French public research institute. Since 2013 I am part of the Privatics Inria research team that focuses on privacy. Before that, in 2000-2012, I was member of the Planete Inria research team whose goal was to carry out research in the context of protocol and applications for the Internet. I also spent three years, in 1997-2000, working as an Associate Professor in the Pierre et Marie Curie University (Paris 6), in the Network and Performances group. webpage: ~roca

Claude Castelluccia

Claude Castelluccia is a research director at INRIA. He is interested in the security of networks, and more particularly to the security of wireless networks and the Internet. He participates in Europeen project UbiSec & Sens, which deals with the security of networks of sensors, and RFIDAP ANR project on the security of RFID systems. He regularly serves on committees of international program evaluation committees and juries in thesis or habilitation research. He directs doctoral dissertations, and teaches regularly at universities and engineering schools. webpage: ~ccastel LinkedIn

Detecting Privacy Leaks in the RATP App: how we proceeded and what we found

We analyzed the RATP App, both Android and iOS versions, using instrumented versions of these mobile OSes that we designed. Our analysis reveals that both versions of this App leak private data to third-party servers, which is in total contradiction to the In-App privacy policy. The iOS version of this App doesn't even respect Apple guidelines on device tracking for advertising purposes and profiles user activities across the device through various mechanisms that are not supposed to be used by Apps. Even if this work is illustrated with a single App, we describe an approach that is generic and can be used to detect privacy leaks from any App. In addition, our findings are representative of a trend of Advertising and Analytics (A\&A) librairies that try to collect as much information as possible regarding the smartphone and user. These libraries also generate their own persistent identifiers for user profiling across the device to better track the user, and this happens even if the user has opted-out of device tracking. Above all, all this happens without the user knowledge, and sometimes even without the App developer's knowledge who naively includes these libraries during the App development. Therefore this article raises many questions concerning both the bad practices of some actors and the limitations of the privacy control features proposed by iOS/Android Mobile OSs.

Ruo Ando, Yuuki Takano and Satoshi Uda - Unraveling large scale geographical distribution of vulnerable DNS servers using asynchronous I/O mechanism

Ruo Ando

Ruo Ando has received Ph.D. from Keio University in Japan.He is now senior security researcher of NationalInstitute of Information and Communication Technology in Japan. Also, he has been working as TechnicalOfficial of Ministry of Internal Affairs and Communications since 2006. His research interests are Cloudcomputing technologies and its security.He has been working in Driverware "Immune" project supported by USAir Force Office of Scientific Research withGrant Number AOARD 03-4049 in 2005-2006. He receivedOutstanding Leadership Award in the8th IEEE International Conference on Dependable, Autonomic and SecureComputing (DASC-09) at China in 2009. He is the member of Trusted Computing Group JRF (Japan Regional Forum). He has presented in many security conferences such as SysCan Singapore 2009 and PacSec Tokyo2011. His research products such as inforamtion gathering system, DHT crawler and vulnerability analysissystem are now deployed on the large scale Test bed of National Institute of Information and CommunicationTechnology. He recently presented secure Cloud computing technologies in Singapore(2009) and Taiwan(2010).He served as reviewer of Willey Journal of Security and Communications Networks and IEEE transactions ofInformation Forensics and Security. Ruo Ando - Google Sites @And_Or_R

Yuuki Takano

dblp

Satoshi Uda

Satoshi Uda Satoshi_Uda on Researchgate

Unraveling large scale geographical distribution of vulnerable DNS servers using asynchronous I/O mechanism

The Domain Name System (DNS) has become one of the most important infrastructures of Internet. Despite of its importance, we have not obtained the comprehensive view of DNS servers deployed in real-world to evaluate the security level with the fine-grained information. This paper we present some results of analyzing DNS servers in some security concerns such as software version and geographical distribution. In experiment, we have succeeded to obtain information of 10,334,293 DNS servers in 24 hours. For rapid crawling, we adopt Libevent which provides asynchronous I/O mechanisms and MongoDB which is fast and document based NoSQL cluster. By analyzing the result of 24 hours monitoring, we have found some important facts for security assessment of DNS deployment in Internet. For example, more than 1000 servers still uses the oldest version of BIND 4.x. Besides, we show in-depth study of geographical distribution of vulnerable DNS servers with time series analysis. It is shown that even advanced IT countries achieving high security level has "weakest link" which means these countries actually has vulnerable DNS servers. Also, it is turned out that the large scale information gathering of vulnerable DNS servers could be easily achieved in only several hours.

Guillaume Jeanne and François Desplanques - Attacks using malicious devices : a way to protect yourself against physical access

François Desplanques

François Desplanques on LinkedIn

Guillaume Jeanne

Guillaume Jeanne on LinkedIn

Attacks using malicious devices : a way to protect yourself against physical access

In recent years, attacks by external devices have experienced a growing interest. These devices are everywhere, we live with them and take them everywhere, even at work. By creating corrupted devices, we can break into private networks which are not connected to the Internet. Just plug the device. This study mainly focuses on attacks by programmable USB devices. To begin with, we make an inventory of the potential of these attacks. Then we analyse weaknesses of these attacks and we give several ways to improve them. Finally, we discuss about various existing measures to limit the impact of such attacks and give countermeasures to our own improvements.