Publications

Draw me a Local Kernel Debugger. Hack.lu 2015. Samuel Chevet, Clément Rouault 15-hacklu-draw-me-a-local-kernel-debugger

Local Kernel Debugging is the ability to perform kernel-mode debugging on a single computer. In other words, the debugger runs on the same computer that is being debugged. Windows offers this functionality through the windbg and kd binaries, which allow reading/writing kernel memory, performing in/out and accessing MSRs. This presentation explains how dbgengine (the core of windbg) works: which APIs are exposed and what it requires to work properly. We show how to abuse it to perform Local Kernel Debugging in Python. Finally, we demonstrate its usefulness through use cases.

Key-Recovery Attacks Against the MAC Algorithm Chaskey. SAC 2015. Chrysanthi Mavromati 15-Mavromati_SAC2015

Chaskey is a Message Authentication Code (MAC) for 32-bit microcontrollers proposed by Mouha et al. at SAC 2014. Its underlying block cipher uses an Even-Mansour construction with a permutation based on the ARX methodology. In this paper, we present key-recovery attacks against Chaskey in the single and multi-user setting. These attacks are based on recent work by Fouque, Joux and Mavromati presented at Asiacrypt 2014 on Even-Mansour based constructions. We first show a simple attack in the classical single-user setting which confirms the security properties of Chaskey. Then, we describe an attack in the multi-user setting where we recover all keys of 2^{43} users by doing 2^{43} queries per user. Finally, we show a variant of this attack where we are able to recover the keys of two users in a smaller group of 2^{32} users.

HomePlugAV PLC: practical attacks and backdooring. NoSuchCon 2014. Sébastien Dudek 14-Sebastien-Dudek-HomePlugAV-PLC

Domestic Power-line Communication (PLC) devices are used to extend a LAN network just as WiFi does, but using the power line as the medium. Even if PLC has a bad reputation because of a few aspects in the past (bad security, bad speed, instability because of perturbations, ...), this technology has grown up and offers a better, more stable connection with an encrypted conversation between two PLC devices. Someone who wants to extend his private network easily without additional wires, or without spending a 'fortune' on wireless repeaters, will use PLCs. Moreover, Internet Service Providers in France usually provide a HomePlugAV adapter embedded in the power supply of their routers and set-top boxes. As HomePlugAV is implemented on a lot of devices, we were interested in studying their security and their weaknesses. In this paper, we show practical attacks to penetrate and backdoor a private LAN.

Attacks in the multi-user setting: Discrete logarithm, Even-Mansour and PRINCE, YACC 2014, Chrysanthi Mavromati 14-yacc-multi-user-collisions

The multi-user setting is a very interesting practical scenario which is overlooked in cryptography. Indeed, cryptographers usually prove the security of their schemes in a single-user model. However, in the real world, there are many users, each with a different key, sending each other encrypted data. In this paper, we propose two new algorithmic ideas to improve collision-based attacks in the multi-user setting. The first idea has an application to the generic discrete logarithm problem. Both ideas are used to propose new attacks on the Even-Mansour scheme and on the PRINCE block cipher.

REboot: Bootkits Revisited, HITB Amsterdam 2014 and SSTIC 2014 (French), Samuel Chevet 14-hitbamsterdam-reboot 14-sstic-reboot-article 14-sstic-reboot-slides

Since the beginning, bootkit implementations have not really evolved. The same techniques are used to compromise the system boot process – often involving on-the-fly code modification. In this presentation we show a new way of implementing bootkits for Windows x64 platforms and an innovatively designed bootkit for x64 machines we named “REboot”. The techniques used are not based on code modifications and rely only on CPU features like hardware breakpoints and privilege isolation with the infamous Protected Ring 1 Mode – first used by VMware in the 2000s to provide virtualization before hardware-assisted virtualization. With “REboot” all boot stages are controlled in a generic way without any hardcoded code signature matching or any interrupt vector modification. Even if a new full disk encryption system is deployed, we will support it automatically without patching our code. This allows “REboot” to be functional on all 64-bit versions of Windows 7, 8, 8.1 and Server 2012 with nearly the same implementation. The UEFI boot mode is not a concern for “REboot”.

Debugging and reversing the HTC Android bootloader, Hack.lu 2013, Cédric Halbronn, Nicolas Hureau 13-hacklu-hbootdbg

Whether you consider desktops, smartphones or the embedded world, most complex systems rely on a piece of software called the bootloader to launch their system. There has been extensive research and attacks on iPhone bootloaders, but the Android world is quite large, with multiple hardware manufacturers, and therefore has not been fully explored yet. In this paper we present tools developed to assist us in assessing the security of unknown low-level software, as well as the beginning of our reversing efforts targeting the HTC Android bootloader, HBOOT.

Whistling Over the Wire, HITB Amsterdam 2012, Arnauld Mascret 12-hitbamsterdam-twitter

Two years ago, we showed how to use social web sites to identify a target in a company using LinkedIn, then learn about his computer and compromise it using a malicious application on Facebook (HITB Dubai 2010). Since then, we chose to take a closer look at Twitter. Its purpose is to allow quick and easy publication of small content to a large number of people that you don’t necessarily know. By design, Twitter doesn’t raise the same privacy issues as other platforms, but even if the amount of available information may seem smaller or not as well defined as on other social platforms, there is still a lot to learn about a target, like his contacts, his sources of information and sometimes the application or OS used. We will present a new method to gather this data and analyse it. During our work on Twitter, we also took a closer look at URL shortening services. Using redirection to access a website gives a lot of possibilities to the owner of the redirection service. We know these services are used a lot in phishing campaigns, but we ran experiments to understand if they could also be used for a targeted attack. We will present our results and how URL shortening services may be used by an attacker to consolidate data previously gathered or even to finalize an attack.

reversing dwarf fortress for !!fun!! and ruby, REcon 2012, Yoann Guillot 12-recon-df

Last year I gave a talk on Memory Eye, a memory analysis tool, which was used to look at the memory of the Dwarf Fortress game (http://bay12games.com/dwarves/). This year I'd like to cover what has been done since then, including one guy that wrote a graphic tool in lisp to analyse the heap of the game and spit out an XML description of the data structures; a perl script that reads the XML and outputs c or c++ headers; a binary hook to allow loading 'dfhack' inside the memory space of the game; and finally my own contribution, loading a ruby interpreter in the game address space using dfhack, with access to all the game's internal structures thanks to bindings generated from the XML.

Forensics iOS, SSTIC 2012, Jean Sigwald, Jean-Baptiste Bédrune 12-forensics-ios

This presentation addresses the forensic analysis of iOS devices, in particular the acquisition and decryption of user data. We detail the "data protection" features introduced with iOS 4, as well as the changes brought by iOS 5. We then look at the FTL (flash translation layer) used by iOS to manage NAND flash memory. Finally, we present a new method for recovering deleted files through low-level reading of the flash memory and the use of FTL metadata.

Rétroconception et débogage d'un baseband Qualcomm, SSTIC 2012, Guillaume Delugré 12-retroconception-debogage-baseband-qualcomm

A few rare works have brought to light vulnerabilities in the implementation of telephony protocol stacks on various baseband models. However, no presentation has really looked into the analysis of a baseband operating system. This presentation aims to fill that gap in the literature. Starting from a simple 3G dongle equipped with a Qualcomm baseband, we analyse how to extract an image of the system's memory, the architecture of Qualcomm's proprietary real-time microkernel, and how to develop a debugger to analyse the tasks running on the system.

Reverse engineering a Qualcomm baseband, 28C3, Guillaume Delugré 11-ccc-baseband-qualcomm

Despite their wide presence in our lives, baseband chips are still nowadays poorly known and understood from a system point of view. Some presentations have highlighted vulnerabilities in GSM stacks across various models of basebands (cf. 27c3: All your baseband are belong to us by R-P. Weinmann). However none of them actually focused on the details of how a baseband operating system really works. This is the focus of our presentation. From the study of a simple 3G USB stick equipped with a Qualcomm baseband, we will discuss how to dump the volatile memory, reverse-engineer the proprietary RTOS, and ultimately execute and debug code while trying to preserve the real-time system constraints.

How to develop a rootkit for Broadcom NetExtreme network cards, REcon 2011, Guillaume Delugré 11-recon-nicreverse

Having spent a lot of time reverse engineering the Broadcom NetExtreme cards' firmware, I began writing my own rootkit firmware from scratch in C. Fortunately, the firmware code in Broadcom cards is not signed and it is possible to burn custom MIPS code into the device's EEPROM so that it gets loaded during the device bootstrap sequence. I will quickly recall how I reverse engineered the Broadcom firmware: developing my own firmware debuggers (InVitroDbg/InVivoDbg), getting code execution on the NIC, etc. This work has already been presented in the past, so this presentation will now mainly focus on the practical rootkit development part.

iPhone data protection in depth, HITB Amsterdam 2011, Jean-Baptiste Bédrune, Jean Sigwald 11-hitbamsterdam-iphonedataprotection

iOS 4 introduced the data protection feature that helps secure data on the device with the user's passcode. In this talk we describe the internals of iPhone data protection on and off the device, and present tools we developed to assist forensic analysis of iOS devices.

Closer to metal: reverse-engineering the Broadcom NetExtreme’s firmware, Hack.lu 2010, Guillaume Delugré 10-hacklu-nicreverse 10-hacklu-nicreverse-video

During CanSecWest 2010, French researchers Loic Duflot and Yves-Alexis Perez discovered a major security flaw in the firmware of Broadcom network cards. The vulnerability is a buffer overflow leading to remote code execution on the device, which can then lead to OS corruption through DMA accesses.

This raises the following question: how much can you trust your hardware when you don’t even know how it operates behind your back, nor what the firmware code is actually doing? Given the lack of will from manufacturers to give details about their device internals, the best thing we can do is to retrieve this information ourselves using reverse engineering techniques. Fortunately, Broadcom released part of their Ethernet card specifications. Nevertheless some details are still obscure, and the firmware source code is not available... This presentation focuses on the reverse engineering case study of the Broadcom Ethernet NetExtreme family firmware.

Digital Content Protection - How to crack DRM and make them more resistant, HITB KL 2010, Jean-Baptiste Bédrune 10-hitbkl-drm

This talk deals with audio and video content protection, focusing on VoD and protected files on PCs. The first part presents the modules needed for a DRM solution, the general architecture of such systems, and the main constraints they have to face. It then shows some common mistakes made by vendors, and how to fix them. Finally, techniques used to defeat common DRM systems in a short time are presented, including a short introduction to white-box cryptography and the source code obfuscation methods commonly found in these systems.

iPhone security model & vulnerabilities, HITB KL 2010, Cédric Halbronn, Jean Sigwald 10-hitbkl-iphone

The iPhone is one of the most popular smartphones out there, with a large library of applications. The iPhone operating system (iOS) implements security mechanisms to only run Apple-signed code on the device and mitigate exploitation of software vulnerabilities. However, many vulnerabilities were found and exploited successfully to "jailbreak" the operating system and run third-party applications. This talk describes iOS security features and shows how to reuse jailbreak exploits to steal data from the phone, either with physical access or remotely.

Metasm Feelings, REcon 2010, Yoann Guillot and Alexandre Gazet 10-recon-bintrace

Metasm is an open source ruby framework developed by Yoann Guillot. It can work with binary files, assemble, disassemble, debug running processes, manipulate C source code, play with the ruby interpreter, and plenty of other things. Our talk follows a simple guideline based on a real-life case: the development of a code tracer. Starting from a trivial tracing algorithm, we will show that the use of Metasm allows us to efficiently build a multi-platform tool, then we will extend its capabilities by taking advantage of the native Windows API. At the end we will use the tool to debug the firmware of a network card, running on the NIC and not on the main CPU.

Subverting Windows 7 x64 Kernel with DMA Attacks, HITB Amsterdam 2010, Christophe Devine and Damien Aumaitre 10-hitbamsterdam-dmaattacks

Traditionally, operating systems implicitly trust the hardware.

This presentation will focus on concrete examples of compromising the Windows 7 x64 operating system, in effect bypassing two major security mechanisms: code signing and integrity verification (PatchGuard).

First, we’ll explain the internal structures of the operating system, and how they differ from previous versions. Then we describe how to alter these structures in order to gain control over the execution flow. The implementation of this attack is then presented, using an embedded soft-core MIPS CPU implemented on an FPGA PCMCIA/CardBus card.

Finally, we will conclude on the importance of new protection features included in recent CPUs, in particular the IOMMU and TXT.

Deception 2.0: Gathering and Exploiting Information, HITB Dubai 2010, Fred Raynal, Arnauld Mascret and Christophe Devaux 10-hitbdubai-gatheringinformation

Using information is something well known to military people for centuries. However, they are not the only ones to do it: a company wishing to gain a competitive advantage over a competitor, a state to protect its citizens, or a husband/wife to know whether his/her wife/husband is cheating. Then came the Internet. More information is available, some of which one can control, some of which one cannot. And for an attacker, this is an opportunity.

This talk will deal with information. We will show what has recently changed with the rise of the Internet and social networks.

First, we will quickly recall that using information is based on the same methods whatever the source is. Then, we will focus on open source information on the Internet, focusing on 2 types of targets: a company or a John Doe. We will start collecting in the usual ways, and propose ways to get more information with social networks, bypassing their limits. Having information is fine, but useless unless you attempt to exploit it. So, the last part will show what one can do with a bit of social skills, intelligence gathering and cleverness.

PoC(k)ET, les détails d'un rootkit pour Windows Mobile 6, SSTIC 2010, Cédric Halbronn 10-sstic-wm6-slides 10-sstic-wm6-article

The smartphone is the result of the convergence of several mobile devices: GPS, mobile phones, PDAs, etc. There are many embedded operating systems on the mobile market. Windows Mobile, developed by Microsoft, is fairly widespread. Consequently, it seems essential to analyse how Microsoft's mobile operating system works, to understand the risks and threats, and to anticipate the methods that could be used to attack the device and leave an entry point for an attacker without the smartphone's legitimate user noticing.

virtdbg: un débogueur noyau utilisant la virtualisation matérielle, SSTIC 2010, Christophe Devine and Damien Aumaitre 10-sstic-virtdbg-slides 10-sstic-virtdbg-article

The virtdbg project aims to create a debugger based on a minimalist hypervisor. It is injected directly into the target system's memory using a DMA transfer and offers a set of simple primitives for controlling the target (setting breakpoints, reading and writing memory, handling exceptions, etc.). These primitives rely on the hardware virtualization features of recent Intel and AMD processors. The system is altered very little and control is total.

Fuzzgrind: An automatic fuzzing tool, Hack.lu 2009, Gabriel Campana 09-hacklu-fuzzgrind

Fuzzgrind is a fully automatic fuzzing tool, generating test files with the purpose of discovering new execution paths likely to trigger bugs, and potentially vulnerabilities. Fuzzgrind is based on the concept of symbolic execution. Thus, the tool starts from a file considered valid by the software under test, and analyses the execution path to extract any constraints tied to branch instructions followed by this software. By resolving constraints one by one, Fuzzgrind will alter the valid file to explore possible new branches of the software under test, in order to discover new vulnerabilities.

When E.T. comes into Windows Mobile 6, Hack.lu 2009, Cédric Halbronn 09-hacklu-wm6

This presentation deals with developing a rootkit for Windows Mobile 6. We analyze the different services offered: Phone, SMS, GPS, SD-card, etc. We also list all the possible attack vectors: phone, WLAN, ActiveSync, etc. The system's internal mechanisms will be explained. This will allow us to understand how the system may be compromised: SMS interception, rootkits, etc. As antivirus companies propose solutions to protect devices, it is logical to want to know what they really protect against. We will give details on the stealth mechanisms, remote control capabilities, ways to make the rootkit persistent, and services that a malicious hacker could use.

Malicious PDF origamis strike back, HITB KL 2009, F. Raynal, G. Delugré and D. Aumaitre 09-hitbkl-origami

Last year, we presented at PacSec some risks related to the PDF format. Many samples were provided. In the end, we showed 2 real-life attacks focused on PDF language and Acrobat Reader.

Since the language has now been well studied, we will now focus on its environment:

  • What are the links with the OS, the browser, … and the PDF files?
  • Why the new ciphering mode is a better target for an attacker when the password is shorter than 32 characters.
  • What about the JavaScript engine?

Based on this analysis, we will show 2 attacks leading to credential leaks:

  • When a PDF contains an invisible form, automatically submitted, it is then passed to the browser, which sends the form … and the cookies related to it if the user was previously authenticated on the target site. Thus cross-site request forgeries are possible with PDF files.
  • On a LAN, it is possible to cause Windows to force an NTLM challenge and thus leak the NTLM credentials with no warning at all for the user. Thus PDF files are a really good way to succeed in a “pass the hash” attack.

Defeating software protection with Metasm, HITB KL 2009, Alexandre Gazet and Yoann Guillot 09-hitbkl-metasm

Metasm is an open source binary manipulation framework (disassembly, compilation, executable format handling, etc.). It currently supports x86 (Ia32 and amd64), MIPS and PowerPC architectures. One of its distinctive characteristics is the encoding of instruction semantics. Based on this semantic encoding, the disassembler takes advantage of what we call a “backtracking” engine (symbolic emulation) that allows a very fine disassembly. Using the encoded semantics of instructions, we have been developing a generic approach to x86 code virtualization based protection. We also used some optimization techniques to defeat obfuscation, and compilation to defeat virtualization. Moreover, there is a very new feature of Metasm: a C decompiler. We have already started to port the optimizations into the decompiler with good results. Our talk illustrates these different functionalities of Metasm, based on concrete results we have obtained against different state of the art software protections involving heavy obfuscation and code virtualization.

Désobfuscation automatique de binaire - The Barbarian Sublimation, SSTIC 2009, Alexandre Gazet and Yoann Guillot 09-sstic-metasm-slides 09-sstic-metasm-article

Following on from our presentation last year, we are working on the automatic bypassing of software protection techniques. We focus in particular on the problem of obfuscation.

Until now, it was necessary to search by hand for the patterns used by the protection in order to cancel them out. Our current approach seeks to automate this tedious work, through an analysis of the semantics of the binary code that extracts a minimal representation of it, which amounts to removing the obfuscation layer.

We will show the results obtained on a few examples, where we will see that the methods developed sometimes make it possible to bypass other forms of protection such as software virtual machines.

Fuzzgrind : un outil de fuzzing automatique, SSTIC 2009, Gabriel Campana 09-sstic-fuzzgrind-article 09-sstic-fuzzgrind-slides

Over the last few years, fuzzing has become one of the main methods for finding vulnerabilities. Current fuzzers rely mainly on the generation of invalid data from models, which need to be rewritten for each new target. We will detail how Fuzzgrind works, a new fully automatic fuzzing tool that generates new test data from the symbolic execution of the target program on a given input, with the aim of finding new vulnerabilities.

Les origamis malicieux en PDF contre-attaquent, SSTIC 2009, Guillaume Delugré and Fred Raynal 09-sstic-origami-slides 09-sstic-origami-article

People have now fully taken on board the risks related to MS Office documents, whether they come from macros or from associated vulnerabilities. By contrast, PDF documents seem much safer and more reliable. This (false) sense of security comes essentially from the fact that PDF documents appear static. It is also no doubt due to the massive use of Acrobat Reader, to the detriment of software that allows PDF files to be manipulated. As a result, PDF files are perceived as images rather than active documents. And as everyone knows, an image is not dangerous, so a PDF is not either. But is that really the case...?

Discovering a botnet from russia (with love), EICAR 2009, Damien Aumaitre, Christophe Devaux and Julien Lenoir 09-eicar-botnet

A botnet refers to a network of infected computers that are remotely controlled. Botnet owners take advantage of the huge number of hosts (and thus the mass computing power) to generate illegal profit by performing spam or adware campaigns, denial of service attacks or data theft. This article is an analysis of a multi-task botnet found in the wild. Everything began when an infected laptop was sent to our lab for a forensic analysis. The system was infected by many malwares. After a quick analysis, we decided to focus on one of them out of curiosity. We soon realized that our infected machine was enrolled in a botnet and we decided to study the whole botnet. In a first part, we show how we analysed and reverse engineered the malware itself and all the binaries it dropped. This analysis covers the infection, the machine exploitation and the network topology of zombie computers. From there we were able to draw the network map of the botnet and its control servers. We could also see the evolution of the malware features and the improvement of its protection layers. In the second part, we analysed the business model of this botnet. We gathered information about the "botnet manager", how he manages the botnet like a company. We have discovered its costs and profit sources, the developers’ recruiting process and how this malware is potentially linked with other malware and other criminal organizations.

Applied evaluation methodology for anti-virus software, EICAR 2009, Jean-Baptiste Bédrune and Alexandre Gazet 09-eicar-antivirus

One distinctive characteristic of anti-virus software is that it tries to address a problem which, from a formal point of view, is proven to be undecidable. An evaluation must then be performed to assess how imperfect the anti-virus software, the target of evaluation (TOE), is with respect to a given security target (ST). The answer cannot be as simple as a binary fail/work answer. This paper presents a methodology dedicated to anti-virus software evaluation. The proposed methodology draws its inspiration from a French security assessment proposed by the French Network and Information Security Agency (FNISA): the CSPN (Certification de Sécurité de Premier Niveau - First Level Security Certification). Our methodology is intended to be both a formal and an operational evaluation and to provide a discerning overview of the effectiveness of an antivirus product within limited time and means.

Les hébergeurs bullet-proof, séminaire ESEC 2009, Alexandre Gazet and Gabriel Campana 09-esec-bulletproof

Bulletproof hosting providers offer conventional hosting services while guaranteeing their clients total anonymity and maximum quality of service. Because of their very high permissiveness regarding hosted content, these services are particularly intended for criminal activities: storage of malicious code, upload servers for stolen data, botnet command and control (C&C) servers, spam campaigns, etc. This presentation will illustrate the underground economy linked to this type of service, but also the technical realities that allow these hosting providers themselves to stay online.

Analyse d'un botnet venu du froid, séminaire ESEC 2009, Damien Aumaitre, Christophe Devaux and Julien Lenoir 09-esec-spambot

Virus development is no longer the business of teenagers seeking recognition, but that of organized cybercrime generating large illegal profits. Some viruses are developed with industrial techniques and are organized into networks of infected machines: botnets. These botnets can be remotely controlled by cybercriminals to carry out spam, denial of service or other activities that generate illegal income. We analysed one of these botnets. We will present the results of this analysis concerning the infection, the exploitation of the machine and the topology of the network of zombie machines.

Contourner les produits de sécurité, séminaire ESEC 2009, Jean-Baptiste Bédrune and Yoann Guillot 09-esec-contournement

The security product market is very broad and well stocked. All of them boast of offering optimal or enhanced protection, or of being able to detect and counter new threats. Yet it is not uncommon to see implementation or design errors drastically reduce, or even nullify, a product's security level. During this presentation our experts will detail the analysis of security products (firewalls, IDS, anti-virus) that they have carried out. They will present the various ways of bypassing them.

Les PDFs malicieux, séminaire ESEC 2009, Guillaume Delugré and Frédéric Raynal 09-esec-maliciouspdf

Over the years, the PDF format has established itself as an essential document format, to the point that the PDF standard is now an international standard (ISO-32000-1). In the eyes of many users, a PDF file is nothing more than a simple sheet ready to print. However, a PDF file can contain active content executed directly by the PDF reader, and this in a completely standard way. This talk will present the range of possibilities offered by the PDF standard and how a PDF file can turn out to be a dream infection vector for an attacker.

Les rootkits navigateurs, séminaire ESEC 2009, Christophe Devaux and Julien Lenoir 09-esec-rknav

Web browsers embed a growing number of features. They are present on the vast majority of machines connected to the network, handle sensitive content (logins/passwords, confidential emails, personal or professional information) and are almost always allowed to connect to the Internet. They are therefore a prime target for anyone wishing to steal high-value information without the user or the IT department noticing. As an experiment, we developed browser rootkits to illustrate the kind of attacks that can be carried out on Web browsers, such as stealing passwords or files from the user's workstation, or taking remote control of the machine.

Malicious origami in PDF, PacSec 2008, Frédéric Raynal and Guillaume Delugré 08-pacsec-maliciouspdf

Many people are now aware that MS Office documents are dangerous, either because of the activated macros, or because of the exploits they carry. As a consequence, PDF documents seem to be much more reliable and secure. This (false) impression of security arises mainly because PDF documents appear to be static, due to the fact that most people only use PDF readers and not producers. We first present the PDF language and its security model. Then, we will demonstrate how an attacker can mount a targeted attack using malicious PDF files.

Browser rootkits, Hack.lu 2008, Christophe Devaux and Julien Lenoir 08-hacklu-browsers

An increasing number of features is currently being made available in Web browsers. They are present on most computers connected to the network, handle sensitive content (logins / passwords, confidential e-mails, personal or professional information) and are almost always allowed to connect to the Internet. Therefore, they are a prime target for anyone wanting to steal information without the user being aware of it. As an experiment, we developed browser rootkits to illustrate the type of attacks that can be performed on Web browsers, such as stealing passwords, downloading files from the user's machine, or taking remote control of the computer.

Analysis of an undocumented network protocol, Hack.lu 2008, Jean-Baptiste Bédrune 08-hacklu-groupware

OneBridge is a mobile solution that enables enterprises to extend software applications to frontline employees on a variety of mobile devices. Communications between the server and the mobile devices use an undocumented, encrypted protocol. We first present the techniques we used to fully understand the protocol, the encryption algorithms, and the different formats used to exchange data. Then, we point out a few vulnerabilities found during our analysis. Finally, we present a way to fully compromise a OneBridge server using a combination of design errors in the protocol.

A little journey inside Windows memory, Hack.lu 2008, Damien Aumaitre 08-hacklu-memory

In 2005 and 2006, two security researchers, Maximilian Dornseif and Adam Boileau, showed an offensive use of the FireWire bus. They demonstrated how to take control of a computer equipped with a FireWire port. This work has been continued. After a brief summary of how memory works on modern OSes, we will explain how the FireWire bus works, and how it can be used to access physical memory. Since modern operating systems and processors use virtual addresses (and not physical ones), we rebuild the virtual space of each process in order to retrieve and understand kernel structures. Thus, we now have an instant view of the operating system without being subject to the security protections provided by the processor or the kernel. We will demonstrate several uses for this. First we will show what can be done only with an interpretation of kernel structures (read access). For example, we can obtain the list of all processes, and access the registry with no control even for protected keys like the SAM ones. This is used to dump credentials. Then, we see what can be done when one modifies the memory (write access). As an example, we show a 2-byte patch to unlock a workstation without knowing the password. Last but not least, code execution is not supposed to happen through FireWire since it is only a bus providing read/write access to the memory. However, slightly modifying the running kernel lets us do whatever we want. We will explain how to get a shell with SYSTEM privileges before any authentication.

Déprotection semi-automatique de binaire, SSTIC 2008, Alexandre Gazet and Yoann Guillot 08-sstic-deprotection-slides 08-sstic-deprotection-article

This paper presents some families of protections that can be found on binaries, malicious or not, whose purpose is to hinder reverse engineering.

We will also look at their limitations, and at how it is possible to remove them in a largely automatic way.

Finally, we illustrate these concepts by solving the "T2" challenge, which implements an obfuscated virtual machine, by instrumenting the Metasm disassembler. The one that melts in your mouth, not in your hand.

Cryptographie : attaques tous azimuts, SSTIC 2008, Jean-Baptiste Bédrune, Eric Filiol and Fred Raynal 08-sstic-cryptoattacks-slides 08-sstic-cryptoattacks-article

This article deals with operational attacks against cryptography. The problem is approached from several angles, the objective being to avoid resorting to classical cryptanalysis. To do so, we rely on errors in the implementation or in the usage, or on information leaks.

Voyage au coeur de la mémoire, SSTIC 2008, Damien Aumaitre 08-sstic-memory-slides 08-sstic-memory-article

In this article, we discuss the possible uses of access to physical memory. We invite you on a journey through the structures that make up the Windows kernel. We then look at what information can be extracted from a dump of physical memory. We finish with a few demonstrations of offensive and defensive uses of this information.

Malicious Cryptography, CanSecWest 2008, Eric Filiol and Fred Raynal 08-csw-maliciouscrypto

Malware detection is possible only when two conditions are met: the malware techniques used must be analysed in one way or another, and the detection software must be updated with the knowledge gained through this analysis. From a simple detection pattern in a viral database to complex detection heuristics able to recognise complex, known malware behaviour, detection software can only detect what it already knows. Here, we expose some techniques based on a malicious use of cryptography that bad guys could nonetheless use in order to thwart the detection of classical malware that most detection software would otherwise succeed in detecting.

Comparative analysis of various ransomware virii, EICAR 2008, Alexandre Gazet 08-eicar-ransomware

The word ransomware and the associated phenomenon appeared around the year 2005. It brought to light a specific class of malware which demands a payment in exchange for a stolen functionality. Most widespread ransomware makes intensive use of file encryption as a means of extortion. Basically, it encrypts various files on the victim’s hard drive before asking for a ransom to get the files decrypted. Security-related media and some antivirus vendors quickly brandished this “new” type of virii as a major threat to the computer world. This article tries to investigate the foundation of these threats beyond the phenomenon. In order to get a better understanding of ransomware, the study relies on a comparative analysis of various ransomware virii. Based on reverse engineering, while not focused on analysis methodology, a technical review is done at different levels: quality of code, malware functionality, and analysis of cryptographic primitives where employed. We also take advantage of our technical review to stand back and analyse both the business model associated with this ransomware and the communication that has been made around it.

Small treatise about e-manipulation for honest people, EICAR 2008, François Gaspard and Fred Raynal 08-eicar-emanipulation

Information warfare is nowadays a well-known concept. However, articles are mainly split into two categories. The first one deals with how information must be managed in a system (e.g. a company or a state) in order to achieve information dominance, that is, providing more and better information than the others so that they have to follow what is produced. The second one is more about how information can be used as a weapon. Dominance is one goal, but not the only one: deception, intoxication and misinformation are others. In this article, we chose the second approach. The goal when using information as a weapon is to influence a target so that it does what the attacker wants, or to cause effects. We also chose to focus on a specific battlefield: the Internet. One particularly important aspect of the Internet is that it is both a container and content. For instance, web sites provide articles, but they are also servers, referenced by search engines. As such, we combined this duality to increase the effects of the operations given as examples. We illustrate the operation through examples where information is created and its container is improved as well. We show how Search Engine Optimization can be used for information warfare. Combining action-oriented techniques and information-based techniques makes each of them much more efficient. This article shows how information warfare can be conducted on the Internet. The goal is to illustrate how very few people can organize an information-based attack, targeting either a company or a state, for instance.

Metasm, Hack.lu 2007, Yoann Guillot 07-hacklu-metasm

Metasm is a cross-architecture assembler, disassembler, compiler, linker and debugger. It has advanced features such as live process manipulation, a GCC/Microsoft Visual Studio-compatible preprocessor, automatic backtracking in the disassembler (similar to "slicing"), C header shrinking, a Linux/Windows/remote debugging API interface, a C compiler/decompiler, and a gdb-server compatible debugger. It is written in pure Ruby, with no dependencies.

De l'invisibilité des rootkits : application sous Linux, SSTIC 2007, Eric Lacombe, Fred Raynal, Vincent Nicomette 07-sstic-rootkits-slides 07-sstic-rootkits-article

This article deals with the design of rootkits. We show how these malicious codes are innovative compared to usual malware such as viruses and Trojan horses, which lets us lay out a functional architecture of rootkits. We also propose criteria for qualifying and evaluating the different rootkits. We deliberately approached the problem as a whole, that is, not restricting ourselves to the rootkit software alone, but also considering the communication between the attacker and his tool and the interactions with the system. Naturally, we observe that the issues encountered when designing rootkits are close to those of steganography, but we also point out the limits of this comparison. Finally, we present our own rootkit, running in kernel mode under Linux, along with several new techniques designed to increase its stealth.