- 1 Conference - overview
- 2 Conference - detailed content
- 2.1 Invited Talks - bio + summary
- 2.1.1 Eric Freyssinet - Botnets: from observation to investigation
- 2.1.2 Kostya Kortchinsky - 10 years later, which vulnerabilities still matter?
- 2.1.3 Philippe Elbaz-Vincent - Attacks on the randomness of Random Number Generators (RNG)
- 2.1.4 Regis Leveugle - Attacks on secure hardware: basics and examples
- 2.1.5 Dave Penkler & Boris Balacheff - Cloud, security and the mobile enterprise: An end-to-end manageability challenge
- 2.2 Accepted Papers & Talks - bio + summary
- 2.2.1 Rikke Kuipers & Ari Takanen - Fuzzing Embedded Devices
- 2.2.2 Mathieu Renard - Practical iOS Apps hacking
- 2.2.3 David Worth & Justin Collins - Leveraging Convention over Configuration for Static Analysis in Dynamic Languages
- 2.2.4 Olli-Pekka Niemi & Antti Levomaki - Bypassing Intrusion Prevention Systems
- 2.2.5 Phil - Cryptage audiovisuel ou #FAIL systématique?
- 2.2.6 Yann Stephan "bswapeax" - Managed Code with Licensing does not mean all the time: Software Protection
- 2.2.7 Paul Amar - Home Internet Routers for Fun & Profit
- 2.2.8 Rahul Sasi "fb1h2s" - DTMF Fuzzing
Conference - overview
For a detailed agenda, see GreHack 2012 - planning at a glance
Note: where possible, we advise speakers to prepare their slides in English and to speak in French if they are sufficiently fluent in it; otherwise, both slides and talk in English. The first formula has the advantage of letting both audiences follow.
|Kostya Kortchinsky||Microsoft, previously Immunity|
|Dave Penkler||HP Enterprise Services CTO Office|
|Boris Balacheff||HP Labs Cloud & Security Lab|
Accepted Papers & Talks
At the end of the afternoon, rump sessions will take place.
Conference - detailed content
Invited Talks - bio + summary
Eric Freyssinet - Botnets: from observation to investigation
Botnets: from observation to investigation
Botnets constitute one of the main online criminal infrastructures. The economy behind them is booming, but investigations and takedowns are not very successful. Understanding them better is a step towards fighting them better.
Kostya Kortchinsky - 10 years later, which vulnerabilities still matter?
This talk will probably be presented remotely.
10 years later, which vulnerabilities still matter?
Not all vulnerabilities are created equal. While some will manage to achieve their life's purpose, either by themselves or with some help, others will die useless and forgotten. What makes a vulnerability a useful vulnerability? The answer has evolved dramatically over the last 10 years, as OS and software vendors have struggled to improve their craft. Compiler enhancements and OS mitigations have rendered whole families of vulnerabilities impractical, and decimated the population.
We will attempt to provide an answer to that question by walking through vulnerability classes, actual vulnerabilities, and mitigations that have punctuated the last decade, how they interact and how the fittest have survived. Some special attention will be given to Windows 8 and Visual Studio 2012 as they now are the main challenge in the natural selection process.
Kostya currently works at Microsoft, Redmond, after having spent six years finding vulnerabilities and writing exploits at Immunity, Miami. Prior to that he worked at EADS and managed the French academic CERT at RENATER. Kostya has been reverse-engineering software since the mid-90s, has published numerous vulnerabilities, and has spoken at major security conferences. In the past, he demonstrated a VMware escape (CLOUDBURST) at Black Hat USA 2009, and was the first to publicly exploit some vulnerabilities believed to be unexploitable: MS08-001 (IGMPv3), MS09-050 (SMBv2).
Kostya Kortchinsky holds an MSc from Ensimag, the Applied Mathematics and Computer Science Engineering School in Grenoble.
Philippe Elbaz-Vincent - Attacks on the randomness of Random Number Generators (RNG)
Attacks on the randomness of Random Number Generators (RNG)
RNGs are a critical component of cryptographic devices, whether hardware or software. Perturbations, implementation errors or design errors in RNGs can lead to failures in the security components that depend on them, and can be exploited by attackers. Measuring the randomness of a given output and its behaviour under perturbation are important problems raised by cryptography. We will illustrate techniques to evaluate the randomness of such RNGs, especially under fault injection.
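The kind of evaluation the abstract describes, as an added example that is not part of the talk: a healthy source (Ruby's PRNG stands in for the device), two constructed faults (one output bit stuck at 0, and a clock glitch that makes every output word appear twice), and three cheap statistics run over the output. The frequency tests follow the NIST SP 800-22 monobit test; the fault models, the sample sizes and the repeat-ratio threshold are assumptions made for the illustration.

```ruby
# Added example: evaluating an RNG's output under simulated faults.
# The "device" is Ruby's PRNG; the faults are constructed for illustration.
# p-values below alpha (0.01, the usual significance level) mean "not random".

def sample_rng(n, seed: 1)
  Random.new(seed).bytes(n).bytes          # healthy reference output, n bytes
end

# Fault 1: a glitch on the output bus forces bit `bit` of every byte to 0.
def stuck_bit_fault(bytes, bit)
  bytes.map { |b| b & ~(1 << bit) & 0xFF }
end

# Fault 2: the sampling clock doubles, so every output word is read twice.
def duplicate_fault(bytes)
  bytes.flat_map { |b| [b, b] }
end

# Monobit frequency test: with n bits and `ones` ones, s_obs = |2*ones - n| / sqrt(n)
# and the p-value is erfc(s_obs / sqrt(2)).
def frequency_p(ones, n)
  s_obs = (2 * ones - n).abs / Math.sqrt(n)
  Math.erfc(s_obs / Math.sqrt(2))
end

def monobit_p(bytes)
  frequency_p(bytes.sum { |b| b.to_s(2).count("1") }, bytes.size * 8)
end

# Same statistic applied to each of the 8 bit positions separately:
# a single stuck bit is far more visible here than in the global count.
def per_bit_p(bytes)
  (0..7).map { |i| frequency_p(bytes.count { |b| b[i] == 1 }, bytes.size) }
end

# Fraction of adjacent equal bytes, about 1/256 for a good source.
# Duplicating every byte leaves the proportion of ones untouched, so the
# two frequency tests do not see the clock fault; this check does.
def adjacent_repeat_ratio(bytes)
  pairs = bytes.each_cons(2).to_a
  pairs.count { |a, b| a == b }.fdiv(pairs.size)
end

def looks_random?(bytes, alpha: 0.01)
  monobit_p(bytes) >= alpha &&
    per_bit_p(bytes).all? { |p| p >= alpha } &&
    adjacent_repeat_ratio(bytes) < 0.05      # coarse threshold chosen for the example
end

if __FILE__ == $PROGRAM_NAME
  healthy = sample_rng(4096)
  puts "healthy:   #{looks_random?(healthy)}"
  puts "stuck bit: #{looks_random?(stuck_bit_fault(healthy, 3))}"
  puts "duplicate: #{looks_random?(duplicate_fault(healthy))}"
end
```

The point of running several tests is visible in the results: the stuck bit is caught by both frequency tests, the duplicated output by neither, and a source that passes the monobit test alone can still be half as unpredictable as it claims.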
Philippe Elbaz-Vincent is a Professor at Université Joseph Fourier, Grenoble. He is in charge of the MSc SCCI (Security, Cryptology, and Coding of Information systems), a joint programme with Ensimag.
He is also in charge of the MSc SAFE (Sécurité, Audit et Forensic pour l'Entreprise), which focuses on defensive and offensive security.
His specialties include:
He is one of the co-organizers of the cryptology and security seminar of Grenoble.
Regis Leveugle - Attacks on secure hardware: basics and examples
Attacks on secure hardware: basics and examples
This talk presents the main types of attacks (passive or active) exploiting hardware characteristics or sensitivity to break the security of smart cards or embedded systems. After a brief presentation of the general context, the means used to perform circuit-level attacks are reviewed, with a special emphasis on cryptoprocessors. Examples of attacks are shown on typical cryptographic algorithms (DES, AES, RSA, ECC ...). The impact of the implementation technology (ASIC or FPGA) is also discussed.
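One of the active attacks on RSA the abstract alludes to, as an added example that is not part of the talk: the fault attack on RSA with CRT by Boneh, DeMillo and Lipton (the "Bellcore attack"). The key is a toy one built from two constructed ~20-bit primes, the fault is a simulated bit flip in the half of the exponentiation done modulo q, and the countermeasure shown (verify before releasing the signature) is the standard one; none of it is real key material or a real device.

```ruby
# Added example: Bellcore fault attack on RSA-CRT, toy parameters.

def prime?(n)
  return false if n < 2
  (2..Integer.sqrt(n)).none? { |k| (n % k).zero? }
end

def next_prime(n)
  n += 1 until prime?(n)
  n
end

# Modular inverse by the extended Euclidean algorithm.
def modinv(a, m)
  old_r, r = a % m, m
  old_s, s = 1, 0
  until r.zero?
    q = old_r / r
    old_r, r = r, old_r - q * r
    old_s, s = s, old_s - q * s
  end
  raise ArgumentError, "no inverse" unless old_r == 1
  old_s % m
end

def toy_key(p, q, e = 65_537)
  d = modinv(e, (p - 1) * (q - 1))
  { n: p * q, e: e, p: p, q: q,
    dp: d % (p - 1), dq: d % (q - 1), qinv: modinv(q, p) }   # CRT parameters
end

# CRT signature with Garner recombination. With `fault`, the q-half of the
# computation is corrupted (XOR with the mask), which is what a glitch
# hitting that part of the chip looks like from the outside.
def sign_crt(m, key, fault: nil)
  sp = m.pow(key[:dp], key[:p])
  sq = m.pow(key[:dq], key[:q])
  sq = (sq ^ fault) % key[:q] if fault
  h = (key[:qinv] * (sp - sq)) % key[:p]
  sq + key[:q] * h
end

# Countermeasure: never release a signature without verifying it first.
def sign_crt_checked(m, key, fault: nil)
  s = sign_crt(m, key, fault: fault)
  raise "fault detected, signature withheld" unless s.pow(key[:e], key[:n]) == m
  s
end

# Attack with a correct and a faulty signature of the same message:
# S and S' agree mod p but not mod q, so gcd(S - S', N) = p.
def factor_from_pair(s_good, s_bad, n)
  (s_good - s_bad).abs.gcd(n)
end

# Attack with a single faulty signature of a known message:
# S'^e == m holds mod p only, so gcd(S'^e - m, N) = p.
def factor_from_one(s_bad, m, e, n)
  (s_bad.pow(e, n) - m).abs.gcd(n)
end

if __FILE__ == $PROGRAM_NAME
  key = toy_key(next_prime(1_000_000), next_prime(1_100_000))
  m = 0x48656c6c6f                                   # "Hello" as an integer
  s_good = sign_crt(m, key)
  s_bad  = sign_crt(m, key, fault: 1)
  puts "p from (S, S'):  #{factor_from_pair(s_good, s_bad, key[:n]) == key[:p]}"
  puts "p from S' alone: #{factor_from_one(s_bad, m, key[:e], key[:n]) == key[:p]}"
  puts "checked signer:  #{(sign_crt_checked(m, key, fault: 1) rescue 'withheld')}"
end
```

A single faulty signature is enough, which is why the attack matters on smart cards: the attacker needs no second run and no side channel, only one glitch during the signature and the resulting output.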
Régis Leveugle is Professor at Grenoble Institute of Technology and associate director of the TIMA laboratory. He leads a team specialized in the design of robust integrated systems subject to natural disturbances (particles, electromagnetic fields, ...) or malicious attacks. His main interests are computer architecture, VLSI design methods and CAD tools, fault-tolerant architectures, concurrent checking and dependability analysis.
Dave Penkler & Boris Balacheff - Cloud, security and the mobile enterprise: An end-to-end manageability challenge
Cloud, security and the mobile enterprise: An end-to-end manageability challenge
The current revolution in how we relate to computing as individuals, businesses, or societies is creating tensions that clearly had not been anticipated in the design of the computing and information systems in use today. End users have developed a preference for choosing their own devices and are attached to their freedom to use them as they wish. As personal use increases, users are less and less accepting of traditional IT controls and administrative barriers. Businesses are under pressure to let employees "bring your own device", and they are increasingly eager to adopt computing as a service in order to lower their operational IT costs and support user mobility. However, CIOs and IT administrators must still be able to dictate and manage the enterprise IT footprint on personal devices in order to comply with corporate policy. This talk will discuss the tensions that arise at the intersection of personal and business computing, and how security and risk management issues take on a new dimension as we look for solutions to the end-to-end manageability challenge that must be overcome in order to satisfy all parties with next generation computing systems.
Boris Balacheff is a senior researcher at HP Labs in the field of computer security, specializing in the areas of trusted computing and infrastructure security technologies, and their application to cloud and mobility in the next generation enterprise. He sits on the Board of Directors of the Trusted Computing Group (TCG) and co-chairs its Certification Program Committee. Boris also works with many product divisions to help drive security technology strategy.
Boris's research has ranged from cryptographic algorithms and protocols to networking and computer security. He developed an expertise in smartcard technology and was the Technical Committee representative for HP on the PC/SC specification working group. He is one of the early contributors to the invention of Trusted Computing technology, and he co-authored the HP Labs book on this topic. He also served on the Technical Committee of the Trusted Computing Platform Alliance (TCPA) during the development of its early specifications. Boris Balacheff joined HP Labs in 1997 with a French "Diplôme d'Ingénieur" degree in applied mathematics and computer science.
Dave Penkler joined HP in 1979 as a systems engineer in South Africa working on real-time data acquisition and control systems in many areas including mining engineering, physics, mechanical systems and communications. In 1986, he moved to Grenoble, France as a network consultant designing packet switched networks and implementing OSI communication protocols. From 1990 to 1996, he was responsible for advanced research in telecommunications networks and developed technologies for computer based intelligent network and voice processing platforms. From 1997 to 1999, he managed research projects in distributed computing, signal processing and mobile communication services. Subsequently he spent four years at Sun Microsystems developing highly available distributed systems software technology for telecommunications. Dave is currently chief technologist of HP OpenCall and is responsible for shaping the technology strategy and architecture. He is an HP fellow and holds a B.Sc. in Mathematics and Computer Science from the University of the Witwatersrand, South Africa. He is a member of ETSI, the IEEE and the Service Availability Forum.
Accepted Papers & Talks - bio + summary
Rikke Kuipers & Ari Takanen - Fuzzing Embedded Devices
Rikke is a security specialist with a network engineering background gained at several ISPs and at the public broadcasting platform in the Netherlands. After his move to Northern Finland he started working at Codenomicon, performing audits and security research. Besides his main focus on fuzzing (network) protocols, he has a huge interest in web application hacking and information security in general. Ongoing projects are the development of an automated web auditing framework and tools, research on DVB fuzzing and writing whitepapers on various topics.
Ari Takanen is the founder and CTO of Codenomicon and has been active in software security research since 1998, focusing on information security issues in next-generation networks and security-critical environments. In his work he aims to ensure that new technologies gain public trust by providing means of measuring and solidifying the quality of networked software. Ari Takanen is one of the people behind the PROTOS research project, which studied information security and reliability errors in e.g. WAP, SNMP, LDAP and VoIP implementations. Ari is the author of several papers on security, and is a frequent speaker at security and testing conferences, leading universities and international corporations. He is also the author of two books on VoIP security and security testing.
Fuzzing Embedded Devices
This talk focuses on the increased connectivity of electronic devices commonly found in offices and homes. These devices are converging to a point where they deliver similar base functionalities and services, which often means more specialized hardware and the integration of network protocols to enable universal communication. Internet connectivity exposes devices that were traditionally situated in a closed environment to the whole world, meaning exposure to threats from both internal and external networks. This requires a new look at the security of these devices.

A device is now expected to perform more functions than just its original purpose. For years phones were primarily used for voice communication over GSM; a common smartphone these days is a hand-held computer integrated with a mobile telephone, capable of displaying movies and pictures, browsing the Internet and staying up to date on social networks using a wide variety of protocols. Growth in demand for advanced mobile devices boasting powerful processors, abundant memory, larger screens and open operating systems has overtaken the rest of the mobile phone market. The same shift has now moved to the TV world: vendors are developing their own platforms for Internet-enabled TVs, designed to connect directly to the Web. These devices display dynamic content from the web, browse the Internet and access social media through the numerous widgets available. Standard functions usually also include playback of movies, pictures and music from sources such as USB sticks or SD cards. All these inputs combined define the attack surface of the TV.

Fuzzing lets us stress all this freshly exposed attack surface to test its security and robustness. It simulates real-world hacking attempts against devices by creating and sending malformed and unexpected messages (anomalies) with the intention of disrupting services. Fuzzing finds vulnerabilities which can potentially be exploited: malformed, anomalous input such as field overflows and underflows can expose software flaws which can then be patched before deployment. The talk will demonstrate how to use fuzzers to find flaws in your software, using the most recent TVs (2012 models), in the hope of wider adoption of fuzzing in general, and thus better product quality and security.
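What "field overflows and underflows" do to a handler that trusts its length field, as an added example that is not part of the talk or of any product: the frame format, the handler and its bugs are constructed for this page, and the fuzzer generates the anomaly classes a protocol fuzzer would (length far too large, length zero, length off by one, truncation, random bit flips). In Ruby the bugs surface as exceptions; in the C firmware this stands in for, the same inputs would be out-of-bounds reads.

```ruby
# Added example: mutation fuzzing of a constructed device frame handler.

MAGIC = "DV".b
class ParseError < StandardError; end   # deliberate, graceful rejection

# Frame: magic(2) | type(1) | len(2, big-endian) | body(len), where
# body = sequence number(4) | text. The length field is trusted blindly.
def handle_frame(data)
  raise ParseError, "bad magic" unless data.byteslice(0, 2) == MAGIC
  type = data.getbyte(2)
  len  = data.byteslice(3, 2).unpack1("n")
  sum  = 0
  len.times { |i| sum = (sum + data.getbyte(5 + i)) & 0xFF }   # over-read when len > actual body
  body = data.byteslice(5, len)
  seq  = body.unpack1("N")
  text = body.byteslice(4, len - 4)                            # len - 4 underflows when len < 4
  { type: type, seq: seq + 1, text: text.force_encoding("UTF-8"), sum: sum }
end

# Hardened version: check the declared length against what is actually there.
def handle_frame_safe(data)
  raise ParseError, "short header" if data.bytesize < 5
  raise ParseError, "bad magic" unless data.byteslice(0, 2) == MAGIC
  len = data.byteslice(3, 2).unpack1("n")
  raise ParseError, "bad length" if len < 4 || data.bytesize - 5 < len
  handle_frame(data)
end

def with_len(frame, len)
  frame.byteslice(0, 3) + [len & 0xFFFF].pack("n") + frame.byteslice(5, frame.bytesize - 5)
end

def flip_random_bit(frame, rng)
  out = frame.dup
  i = rng.rand(out.bytesize)
  out.setbyte(i, out.getbyte(i) ^ (1 << rng.rand(8)))
  out
end

# Anomalies derived from one valid seed frame.
def anomalies(seed, rng)
  body_len = seed.bytesize - 5
  cases = {
    "len=0"        => with_len(seed, 0),
    "len=0xFFFF"   => with_len(seed, 0xFFFF),
    "len=actual+1" => with_len(seed, body_len + 1),
    "len=actual-1" => with_len(seed, body_len - 1),
    "truncated"    => seed.byteslice(0, 4),
  }
  8.times { |i| cases["bitflip#{i}"] = flip_random_bit(seed, rng) }
  cases
end

# Runs every anomaly through `handler`. A ParseError is the handler saying
# "no"; anything else is a crash worth a bug report. Returns name => exception class.
def fuzz(seed, handler, rng: Random.new(7))
  findings = {}
  anomalies(seed, rng).each do |name, input|
    begin
      handler.call(input)
    rescue ParseError
      nil
    rescue StandardError => e
      findings[name] = e.class
    end
  end
  findings
end

# Constructed valid frame: type 1, 9-byte body = seq 42 + "hello".
SEED_FRAME = (MAGIC + [1].pack("C") + [9].pack("n") + [42].pack("N") + "hello").b

if __FILE__ == $PROGRAM_NAME
  fuzz(SEED_FRAME, method(:handle_frame)).each { |name, err| puts "#{name}: #{err}" }
  puts "hardened handler findings: #{fuzz(SEED_FRAME, method(:handle_frame_safe)).size}"
end
```

Two things worth noticing in the output: an off-by-one in the length field is enough to over-read, while a length one byte short is accepted silently (not every anomaly crashes, so the fuzzer must watch for crashes rather than assume them), and the hardened handler turns every crash into a clean rejection without changing the happy path.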
Mathieu Renard - Practical iOS Apps hacking
Mathieu Renard "GoToHack" (@GoToHack) is a Senior Penetration Tester working for a French company (SOGETI-ESEC), where he leads the penetration test team. His research areas are web application security, embedded systems, hardware hacking and, recently, mobile device security. Since last year, he has focused his work (security assessments) and his research on professional iOS applications and their supporting architecture, where data security is paramount.
Practical iOS Apps hacking
This talk demonstrates how professional applications such as Mobile Device Management (MDM) clients, confidential content managers (sandboxes), professional media players and other applications handling sensitive data are attacked and sometimes easily breached. It is designed to demonstrate many of the techniques attackers use to manipulate iOS applications in order to extract confidential data from the device. The audience will see examples of the worst practices we deal with every day when pentesting iOS applications, and learn how to mitigate the risks and avoid the common mistakes that leave applications exposed. Attendees will gain a basic understanding of how these attacks are executed, along with many examples and demonstrations of how to code more securely in ways that do not leave applications exposed to such attacks. The talk will focus especially on the following features:
- Secure Data Storage
- Secure Password Storage
- Secure communication
- Jailbreak detection
- Defensive tricks
David Worth & Justin Collins - Leveraging Convention over Configuration for Static Analysis in Dynamic Languages
While racing road bikes with the pros does take up plenty of his weekends, David still finds time to keep up with his hobbies including computer security, homebrewed beer, mathematics, and occasional culinary extravaganzas.
David has a MSc in Pure Mathematics from The University of New Mexico where he studied Geometric Measure Theory while researching applications of fractal geometry to image processing and automated pathology problems.
Justin is an MSc graduate of Seattle University and a PhD student at the University of California, where he still is... possibly forever! He has worked at Klir Technologies and AT&T Interactive, and is now at Twitter. He also did other stuff in between.
He enjoys writing programs, shooting arrows, and hanging out with his wife.
His first computer was a TRS-80 Model 100 his uncle gave him at ~11. Model 100 BASIC was an introduction to programming. When it was time to go to college, he just looked up what major included "programming" and went for it. When it was time to graduate with a BS in CS, he decided he was not done yet so he went off to get a graduate degree in CS.
Leveraging Convention over Configuration for Static Analysis in Dynamic Languages
Static analysis of dynamic languages is a well-known difficult problem in computer science, with a great deal of emphasis being put on type inference. The problem is so difficult that Holkner and Harland's paper on static analysis in Python opens immediately with: "The Python programming language is typical among dynamic languages in that programs written in it are not susceptible to static analysis." Dynamic languages such as Ruby provide impressive programming power thanks to expressive language constructs and flexible typing. Ruby, in particular, is strongly leveraged in the web development ecosystem thanks to well-known and well-supported frameworks such as Ruby on Rails and Sinatra.

Web application security is a particularly difficult area for a number of reasons, including the low barrier to entry for new developers combined with the high demand for their services, the increasing complexity of the web-based ecosystem, and the failure of traditional web-development languages and frameworks to adopt a strong defensive stance by default. Ruby on Rails adopts the "convention over configuration" policy, aimed at helping developers of all levels build robust web applications with a minimum of configuration. The goal is for the framework to simply "do the right thing" by default, with more sophisticated features and technologies explicitly applied by developers with more advanced requirements and understanding.

Much of the power of the Ruby on Rails framework stems from careful use of "magic" functions: dynamically generated functions built with Ruby's powerful metaprogramming structures. As a side effect, many of the methods called by developers are not available to a static analysis tool that simply examines the code on disk. We are able to leverage the consistency of the language and framework to perform static analysis on Ruby on Rails applications and reason about their attack surface.
This is done by analyzing the abstract syntax tree, and sometimes the configuration (generally just library versions) of the program itself, and by comparing it to a pre-compiled library of known security issues exposed by the Ruby on Rails framework.
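How a framework convention substitutes for type inference, as an added example written for this page (it is not the speakers' tool, and the sample controller is constructed): Rails' query-builder methods take either a hash (parameterised) or a String that is spliced into the SQL verbatim, so a call to one of those methods whose argument contains `#{...}` interpolation is a SQL injection candidate regardless of what type flows into it. The check walks the S-expression that Ruby's own Ripper produces; the sink list is an assumption and would be extended in a real tool.

```ruby
require "ripper"

# Added example: convention-driven static check for Rails code.
# Query methods that splice a String argument straight into SQL (assumed list).
SQL_SINKS = %w[where find_by_sql execute order group having select joins].freeze

# Depth-first walk over Ripper's nested-array S-expression.
def walk(node, &blk)
  return unless node.is_a?(Array)
  yield node
  node.each { |child| walk(child, &blk) }
end

def contains_node?(node, type)
  return false unless node.is_a?(Array)
  node[0] == type || node.any? { |child| contains_node?(child, type) }
end

# Resolves [:call, recv, ".", ident], [:fcall, ident] or [:@ident, name, [line, col]]
# to [name, line]; [nil, nil] for anything else (operators, recv.() calls, ...).
def ident_of(node)
  node = node[3] if node.is_a?(Array) && node[0] == :call
  node = node[1] if node.is_a?(Array) && node[0] == :fcall
  return [nil, nil] unless node.is_a?(Array) && node[0] == :@ident
  [node[1], node[2][0]]
end

# The three shapes Ripper uses for a method call with arguments.
def call_parts(node)
  case node[0]
  when :method_add_arg then [*ident_of(node[1]), node[2]]   # foo(args), recv.foo(args)
  when :command        then [*ident_of(node[1]), node[2]]   # foo args
  when :command_call   then [*ident_of(node[3]), node[4]]   # recv.foo args
  end
end

# Returns [[line, method], ...] for every SQL sink called with an interpolated string.
def sql_interpolation_findings(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "source does not parse" if tree.nil?
  findings = []
  walk(tree) do |node|
    name, line, args = call_parts(node)
    next unless name && SQL_SINKS.include?(name)
    findings << [line, name] if contains_node?(args, :string_embexpr)
  end
  findings
end

# Constructed controller, not taken from any real application.
SAMPLE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def search
      @users  = User.where("name = '#{params[:name]}'")   # interpolated into SQL
      @safe   = User.where(name: params[:name])           # hash condition: parameterised
      @sorted = User.order("created_at #{params[:dir]}")  # order() is a sink too
      @active = User.where("active = 1")                  # static string, fine
      render "users/#{params[:view]}"                     # interpolation, but not a SQL sink
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  sql_interpolation_findings(SAMPLE_CONTROLLER).each do |line, m|
    puts "line #{line}: #{m}() called with interpolated SQL"
  end
end
```

No type of `params[:name]` is ever computed; the convention that `where` with a String means "raw SQL fragment" is what makes the finding reliable, and the same convention is why the hash form on the next line needs no further analysis.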
Olli-Pekka Niemi & Antti Levomaki - Bypassing Intrusion Prevention Systems
Olli-Pekka Niemi has been working in Internet security since 1996, doing offensive security as a penetration tester and defensive security as a system administrator. Since December 2000 he has been working at Stonesoft R&D developing intrusion prevention systems, and he currently heads Stonesoft's Vulnerability Analysis Group (VAG). His main R&D interests are the analysis of network-based threats and evasion research. In his free time the family comes first, but he also enjoys fishing, horseback riding and keyboard playing whenever possible.
Antti Levomäki has been working at Stonesoft R&D since 2004. His main tasks include the analysis of network-based attacks and attack methods as well as writing attack and application detection signatures for the StoneGate Network Security Products. Antti's research interests include evasion techniques, and he has special expertise in writing low-level packet handling code. Mr. Levomäki holds a Master of Computer Science degree from the University of Helsinki.
Bypassing Intrusion Prevention Systems
This paper highlights a serious security problem that people believe has been fixed, but which is still very much present and evolving: evasions. We describe how protocols can still be misused to fool network security devices such as intrusion prevention systems.
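What "misusing a protocol to fool the device" means at the TCP layer, as an added example constructed for this page (not the speakers' material): a signature that is split across segment boundaries defeats an inspector that matches per segment, and overlapping segments carrying conflicting bytes defeat even a reassembling inspector whenever its overlap policy differs from the end host's, the insertion/evasion problem described by Ptacek and Newsham in 1998. The payloads are toy HTTP fragments, sequence numbers are offsets within the stream, and the two policies are a simplification of how real stacks differ.

```ruby
# Added example: two TCP-level evasions against a signature-matching inspector.
Segment = Struct.new(:seq, :data)

SIGNATURE = "/etc/passwd"

# Inspector A: matches each segment on its own (no reassembly).
def per_segment_match?(segments, sig)
  segments.any? { |s| s.data.include?(sig) }
end

# Reassembles the stream. `policy` decides who wins when two segments carry
# different bytes for the same offset: :first keeps the byte already seen,
# :last lets the later segment overwrite it.
def reassemble(segments, policy)
  bytes = {}
  segments.each do |s|
    s.data.each_byte.with_index do |b, i|
      off = s.seq + i
      next if policy == :first && bytes.key?(off)
      bytes[off] = b
    end
  end
  bytes.keys.sort.map { |off| bytes[off] }.pack("C*")
end

# Inspector B: matches on the stream reassembled with its own policy.
def reassembled_match?(segments, sig, policy)
  reassemble(segments, policy).include?(sig)
end

# Evasion = the end host sees the attack string but the inspector does not.
def evaded?(segments, sig, ips_policy:, host_policy:)
  reassembled_match?(segments, sig, host_policy) && !reassembled_match?(segments, sig, ips_policy)
end

# Evasion 1: the signature straddles a segment boundary.
SPLIT = [Segment.new(0, "GET /etc/pa"), Segment.new(11, "sswd HTTP/1.0\r\n")]

# Evasion 2: overlapping segments with conflicting data. Offsets 10..14 are
# sent twice, first as junk, then as the real bytes.
OVERLAP = [Segment.new(0, "GET /etc/pXXXXX HTTP/1.0\r\n"), Segment.new(10, "asswd")]

if __FILE__ == $PROGRAM_NAME
  puts "split,   per-segment inspector:  #{per_segment_match?(SPLIT, SIGNATURE)}"
  puts "split,   reassembling inspector: #{reassembled_match?(SPLIT, SIGNATURE, :first)}"
  puts "overlap, IPS=first host=last:    evaded=#{evaded?(OVERLAP, SIGNATURE, ips_policy: :first, host_policy: :last)}"
  puts "overlap, IPS=last  host=last:    evaded=#{evaded?(OVERLAP, SIGNATURE, ips_policy: :last, host_policy: :last)}"
end
```

Reassembly fixes the first case but not the second: the only robust answer to the overlap case is for the inspector to know, or normalise, the policy of the host it protects, which is why the problem keeps resurfacing as new protocols and stacks appear.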
Phil - Cryptage audiovisuel ou #FAIL systématique?
Phil is a computer freak who escaped from the 90's GOT (Good Old Times) and has fun playing with software protection and hardware security. He belonged to several Atari ST groups in the role of 0dayz game cracker. As an anonymous co-author of a paper published in Phrack magazine #48 that gave the scene a working implementation of a fake phone card (fake phone card - part I; fake phone card - part II), Phil was caught by the Swedish police in Sweden but released without charge. This event marked a stop in his public activities... but we all know how to keep the fun going: he then joined an underground team working on breaking audiovisual broadcast systems, without public release of sensitive information. Nowadays, Phil works as a system administrator, and has been the project manager of an open-source network security tool for the French administration for the last 5 years.
Cryptage audiovisuel ou #FAIL systématique?
This paper presents several audiovisual scrambling ("cryptage") systems deployed in France over the years. It details how they work, the approaches used by attackers to "break the encryption", and the countermeasures developed by the broadcasters.
Yann Stephan "bswapeax" - Managed Code with Licensing does not mean all the time: Software Protection
Managed Code with Licensing does not mean all the time: Software Protection
This talk focuses on reverse engineering, especially of managed code (C#), and explains how a protection can be removed without difficulty because of bad design, even when it uses proven security concepts such as encryption. Through examples, we demonstrate a reverse-engineering process, a live patch and the reuse of a patched version in order to remove software protections. We highlight that managed code can be treated like regular assembly language code: we go through the MSIL internals, explain how a managed-code binary is organized, and show how to strengthen its protection.
Paul Amar - Home Internet Routers for Fun & Profit
Paul is a BSc graduate in Computer Science. He is currently an MSc student at Ensimag, a French computer science engineering school in Grenoble. He is passionate about information security, pentesting and especially web vulnerabilities. He works as an R&D engineer at BonitaSoft.
Home Internet Routers for Fun & Profit
The author found several vulnerabilities in home Internet routers. Several realistic attack scenarios that can impact the networks of individuals and small companies will be described, and proof-of-concept exploitation of those vulnerabilities will be shown. All vulnerabilities shown have already been reported to the French CERT.
Rahul Sasi "fb1h2s" - DTMF Fuzzing
NOTE: this speaker did not deliver important updates required by the program committee; this paper will therefore not be presented.
Our paper deals with systems that process DTMF as input. Such systems are often embedded in PBXs, IVRs, telephone routers... PBX and IVR servers are often deployed to run phone banking application servers, call center applications and other systems that use the phone to interact with them. If an attacker could trigger an exception in the DTMF processing algorithms, they could crash the entire application server with a single phone call, making the entire phone banking service inaccessible, or preventing any call to customer service from going through. The impact of such a denial of service can be significant. We will be demonstrating several amusing remote DTMF attacks on phone banking, tele-voting and customer support applications using DTMF. This talk is recommended for pentesters, PCI DSS consultants, telephone companies, banks, or anyone who operates a device that is interacted with over the telephone.