Report for the SSTIC 2009 conference
Date: July 03, 2009
The 2009 edition of the SSTIC conference took place from 3 to 9 June 2009 in
As usual, the conference was excellent.
This report provides an overview of the various presentations that took place during these three days. Interested readers may consult the conference proceedings (in French) to further explore topics, or browse the many other reports published on the Internet about this conference.
Aviation Security at AIRBUS - Pascal ANDREI (AIRBUS)
The "Aviation Security" activities aim at protecting aircraft against deliberate attacks. They complement a related area, named "Aviation Safety", which deals with aircraft reliability and aims at protecting against accidental events. Beyond the physical threats (e.g. the risk of a bomb), Aviation Security now also increasingly looks at the threats induced by the use of IT technologies in aircraft systems. It is a relatively new field of activity that truly emerged at Airbus with the design of the A380. The requirements in this area have grown significantly since then (especially because of new requirements defined by the
Aircraft Security must take into account the aircraft onboard equipment, as well as any component of the ground systems that interacts with the plane (including airline, airport and maintenance systems). And beyond the initial design of the aircraft, it is important to maintain the level of security throughout the operational life of the aircraft (an aircraft has a lifespan of 30 years).
Note: This speech was one of the conference "keynotes" and it is not covered in the conference proceedings.
Evaluation of malicious code injection in a Java Card - Jean Louis LANET (
This presentation analyzes whether or not it is possible for an application running on a Java Card to inject code into another application running on the same smart card.
The initial idea was to misuse (divert) the "readstatic and writestatic" functions that exist in the Java Card specification. In theory these methods do not allow an application to act on the memory of another application. But a few words found in a thesis (the thesis of Mr. K. Hypponen published in 2003) suggest that this would be possible. After testing, the team from the
Data tainting for malware analysis - Florent MARCEAU (LEXSI)
Florent Marceau presents the software environment that has been set up at Lexsi to analyze malicious code (typically banker Trojans). The aim is to decode all the strings stored encrypted in the Trojan. The principle adopted is to launch the executable (it then decrypts the encrypted data itself when the data are needed for its execution) and to intercept all data transfers between the CPU and memory (via a hook on the MMU) in order to capture the data once they have been decrypted.
Automatic deobfuscation of binary code - A. GAZET and Y. GUILLOT (SOGETI – ESEC)
The work presented is the continuation of the work presented last year by the same speakers. The objective is to develop tools for analyzing malicious code that is protected by "packer" techniques or by code obfuscation. Conventional "packers" produce self-decrypting code. A more recent technique is to embed a virtual machine engine in the malicious code to parse and execute a specific pseudo-code that is stored in the body of the malware.
The WOMBAT project - Marc DACIER (Symantec)
WOMBAT (www.wombat-project.eu) is a project funded by the European Community that is an extension of the honeynet project named Leurré.com. This time the WOMBAT honeypot agents are "intelligent" (the "Leurré.com" honeypot agents were passive): they interact with the attacker using a finite state machine up to the point where a malware is injected by the attacker on the computer running the agent.
The malware is then submitted to a set of analysis tools such as Anubis and VirusTotal. The objective of the WOMBAT project is to collect data on the techniques used by attackers to perform attacks and on the malicious code installed by attackers once an attack has succeeded.
ACPI and SMI management routines: The limits of the trusted computing approach? - Loïc DUFLOT (DCSSI)
The presentation first describes the SMI vulnerability we covered in the April 2009 issue of the Cert-IST security bulletin. The speaker then explains that the ACPI tables ("Advanced Configuration and Power Interface" tables which store information related to power management), can also be abused to subvert the system.
He then shows a demonstration of this ACPI attack: on a compromised machine, he installed a hidden routine that is triggered when the power cable is reconnected several times. This routine gives "root" privileges to the next user who logs on. The demonstration is spectacular because it is amazing to see an attacker take control of a machine simply by acting on the electrical connection!
The speaker finally explains how these SMI and ACPI attacks breach the security approach that relies on defining a trusted computing base built on a subset of the hardware components.
Physical attacks via the PCI bus - C. DEVINE and G. VISSIAN (THALES)
The presentation aims at demonstrating that the PCI bus can be used to attack a computer in the same way it was already done by others using the Firewire bus. For this, the speakers use a PC-Card (PCMCIA) on which they install a specific malicious program. When this PC-Card is then inserted into an attacked laptop it silently patches the Windows system running on the laptop to remove the password verification routine.
A major difficulty here is that the PC-Card must be programmed to deliver the appropriate voltage signals on the PCI bus lines in accordance with the PCI protocol specification. It means you have to deal with electrical signals, respecting the timing defined by the clock signal, etc. If you succeed in mastering the PCI bus this way, you get raw access to the laptop's physical memory (DMA) and are thus able to patch the operating system.
Five questions about the true value of ISO 27001 - A. FERNANDEZ-TORO (HSC)
This presentation on ISO 27001 explains (among other things) how to differentiate the (bad) companies which are certified ISO 27001 just for the label from those (the good ones) which are certified because their practices are really in accordance with the ISO 27001 security requirements.
Fuzzing: past, present and future - Ari TAKANEN (Codenomicon)
This presentation on fuzzing was done by a former member of the PROTOS team from the
This presentation describes the evolution of fuzzing techniques: the motivations for fuzzing, the different categories of fuzzers, etc.
In particular the speaker mentions a study published in 2008 at CanSecWest which states that 70% of software bugs can be spotted by performing fuzzing analysis (using a model-based fuzzing approach). He also said that now all the major manufacturers have included fuzzing analysis in their testing process.
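The model-based approach the speaker refers to (the PROTOS style of fuzzing, where the fuzzer knows the structure of the input and corrupts one field at a time with boundary values) can be illustrated in a few lines. The Python block below is an added example, not code from the talk or from the PROTOS/Codenomicon tools: it defines a constructed record format (type byte, 16-bit big-endian length, payload, checksum byte), a deliberately unchecked parser beside its hardened form, and a fuzzer that keeps the rest of the record well-formed while one field is anomalous, so that clean rejections (ValueError) are told apart from robustness bugs (any other exception). All field names and anomaly values are this example's own choices.

```python
"""Model-based fuzzing of a toy record parser (constructed example)."""
import struct

# Constructed record format: 1-byte type, 2-byte big-endian length, payload, 1-byte checksum.
def checksum(payload: bytes) -> int:
    return sum(payload) & 0xFF

def parse_record_buggy(data: bytes) -> dict:
    """Deliberately flawed parser: it trusts the length field without a bounds check."""
    if len(data) < 4:
        raise ValueError("short record")          # clean rejection
    rtype = data[0]
    length = struct.unpack(">H", data[1:3])[0]
    payload = data[3:3 + length]
    # Missing check: if the length exceeds the buffer, this index is out of range.
    if data[3 + length] != checksum(payload):
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}

def parse_record_fixed(data: bytes) -> dict:
    """Hardened parser: the length field is validated against the buffer size."""
    if len(data) < 4:
        raise ValueError("short record")
    rtype = data[0]
    length = struct.unpack(">H", data[1:3])[0]
    if 3 + length >= len(data):
        raise ValueError("length field exceeds buffer")
    payload = data[3:3 + length]
    if data[3 + length] != checksum(payload):
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}

# Input model: the fuzzer knows each field and its kind, so it can keep the
# record consistent except for the single field it deliberately corrupts.
MODEL = [("type", "u8"), ("length", "u16"), ("payload", "bytes"), ("checksum", "u8")]

# Boundary values per field kind (this example's own choices).
ANOMALIES = {
    "u8":    [0, 1, 0x7F, 0x80, 0xFE, 0xFF],
    "u16":   [0, 1, 0x7FFF, 0x8000, 0xFFFE, 0xFFFF],
    "bytes": [b"", b"A", b"A" * 255, b"A" * 256, b"\x00" * 1024],
}

def build(fields: dict) -> bytes:
    """Serialize a field dictionary into a record."""
    return (bytes([fields["type"] & 0xFF])
            + struct.pack(">H", fields["length"] & 0xFFFF)
            + fields["payload"]
            + bytes([fields["checksum"] & 0xFF]))

def valid_fields(payload: bytes = b"hello") -> dict:
    """A well-formed record, the baseline from which every test case is derived."""
    return {"type": 1, "length": len(payload), "payload": payload,
            "checksum": checksum(payload)}

def fuzz(parser) -> list:
    """Drive parser with one anomalous field at a time; return (field, value, exception) crashes."""
    crashes = []
    for name, kind in MODEL:
        for anomaly in ANOMALIES[kind]:
            fields = valid_fields()
            fields[name] = anomaly
            if name == "payload":
                # Only the payload size is unusual: keep length and checksum consistent.
                fields["length"] = len(anomaly)
                fields["checksum"] = checksum(anomaly)
            data = build(fields)
            try:
                parser(data)
            except ValueError:
                pass                                  # the parser rejected the input cleanly
            except Exception as exc:                  # anything else is a robustness bug
                crashes.append((name, anomaly, type(exc).__name__))
    return crashes

if __name__ == "__main__":
    for found in fuzz(parse_record_buggy):
        print("crash:", found)
    print("fixed parser crashes:", fuzz(parse_record_fixed))
```

Against the unchecked parser the four large length values all produce an IndexError while every other anomaly is rejected cleanly; the hardened parser produces no crash at all. The point of the model is visible in the payload cases: because the fuzzer recomputes length and checksum, oversized payloads exercise the parser's size handling instead of being rejected up front for a wrong checksum.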
Fuzzgrind: an automatic fuzzing tool - Gabriel CAMPANA (Sogeti ESEC)
This presentation is about an innovative technique for fuzzing software. The technique is to first analyze the software code to determine its logical structure (the control-flow graph) and then to calculate the parameters to use in order to cover all the possible execution paths. Running all these paths is likely to cause execution errors and should result in discovering flaws in the code. The software developed to implement this fuzzing technique uses Valgrind (for the instrumentation of the code) and STP (a constraint "solver", i.e. software that calculates the possible solutions to a given set of constraints). According to the author this new fuzzing approach is especially appropriate for "fuzzing" small programs or libraries, because on other software the combinatorial aspect can quickly make the number of cases to analyze explode.
Security of the Fixed Mobile Convergence architectures - Laurent BUTTI (
Yet another presentation about fuzzing!
The speaker first presents the different architectures for fixed-mobile convergence. For example he explains the UMA (Unlicensed Mobile Access) technology, which proposes to interconnect the GSM (mobile) world and the IP (fixed) world (by providing a solution to encapsulate GSM traffic in IP traffic according to the scheme: GSM => Wifi or Bluetooth => IP).
He then explains that to assess the robustness of the convergence solutions,
Smartphones security - Romain RABOIN (Atlab)
This presentation focuses on malware for SmartPhones. The speaker first analyses "FlexiSpy", a commercial software product that allows you to spy on the mobile phones on which it is installed. He then presents the different attack vectors that can be used to infect a SmartPhone (social engineering, malicious SD card, Bluetooth attack ...). He finally shows a prototype code that silently infects a Windows Mobile SmartPhone via the ActiveSync feature (ActiveSync is the feature that enables data synchronization between a PC and a mobile phone). It is worth noting that the speaker also said that the antivirus or firewall solutions available for mobile phones are not very effective yet.
Tracing traitors in the multimedia world - Teddy Furon (Thomson)
A very nice (and entertaining) presentation that addresses a topic not directly related to computer security: the protection of copyrighted video (and in particular of VOD: Video On Demand) against illegal copies. The speaker presents a protection mechanism that he calls a "DRM 2.0" solution, because it protects the copyrighted material without generating significant constraints for the end user.
The principle of this mechanism is to include a hidden identification code within the video (by using a digital watermarking technique) that makes it possible to identify "traitors" (i.e. the people who produce illegal copies of a video). The technology uses the anti-collusion codes designed by Mr Tardos (a statistician who revolutionized the domain in 2003 by proposing a new approach) and makes it possible to find at least one of the traitors, even if the pirate copy was produced by combining data from N genuine copies of the original video (each copy is marked by a personal identification code).
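The Tardos construction can be worked through in a few dozen lines. The Python block below is an added example, not code from the talk or from Thomson's system: it generates a binary Tardos code for n users (per-position biases drawn from the arcsine density with the 1/(300c) cutoff of Tardos' 2003 paper), builds a pirate copy by majority vote among c colluders, and then computes the symmetric accusation score (the Škorić et al. variant, which also scores positions where the pirate bit is 0) for every user. The code length, the number of users and the accusation threshold (five standard deviations of an innocent user's score rather than the constant from Tardos' proof) are this example's own simplifications; the majority-vote collusion is one constructed attack strategy among those the marking assumption allows.

```python
"""Tardos anti-collusion fingerprinting: code generation, collusion, accusation (added example)."""
import math
import random

def generate_code(n_users: int, m: int, c: int, rng: random.Random):
    """Return (p, X): per-position biases p_i and the n x m binary code X.

    p_i follows the arcsine density f(p) ~ 1/sqrt(p(1-p)) on [t, 1-t], with the
    cutoff t = 1/(300 c) from Tardos' paper; sampling p = sin^2(theta) with theta
    uniform gives exactly that density. User j's bit at position i is 1 with probability p_i."""
    t = 1.0 / (300 * c)
    theta_min = math.asin(math.sqrt(t))
    theta_max = math.pi / 2 - theta_min
    p = [math.sin(rng.uniform(theta_min, theta_max)) ** 2 for _ in range(m)]
    X = [[1 if rng.random() < p[i] else 0 for i in range(m)] for _ in range(n_users)]
    return p, X

def majority_collusion(X, colluders, rng):
    """Pirate copy built by majority vote among the colluders' codewords.

    Where all colluders carry the same bit, the marking assumption forces that bit
    into the copy; this strategy is one constructed choice for the other positions."""
    m = len(X[0])
    y = []
    for i in range(m):
        ones = sum(X[j][i] for j in colluders)
        zeros = len(colluders) - ones
        if ones != zeros:
            y.append(1 if ones > zeros else 0)
        else:
            y.append(rng.randrange(2))    # tie (only possible for an even number of colluders)
    return y

def accusation_scores(X, y, p):
    """Symmetric Tardos score per user: a match with the pirate bit counts as positive
    evidence, weighted so that an innocent user's score has mean 0 and variance m."""
    scores = []
    for row in X:
        s = 0.0
        for x, yi, pi in zip(row, y, p):
            if yi == 1:
                s += math.sqrt((1 - pi) / pi) if x == 1 else -math.sqrt(pi / (1 - pi))
            else:
                s += math.sqrt(pi / (1 - pi)) if x == 0 else -math.sqrt((1 - pi) / pi)
        scores.append(s)
    return scores

def accuse(scores, m: int, k: float = 5.0):
    """Accuse every user whose score exceeds k innocent standard deviations (k*sqrt(m)).
    This threshold is a simplification, not the constant from Tardos' proof."""
    threshold = k * math.sqrt(m)
    return {j for j, s in enumerate(scores) if s > threshold}

def demo(n_users: int = 20, m: int = 3000, c: int = 3, seed: int = 2009):
    """Users 0..c-1 collude; return the set of accused users (constructed scenario)."""
    rng = random.Random(seed)
    p, X = generate_code(n_users, m, c, rng)
    colluders = list(range(c))
    y = majority_collusion(X, colluders, rng)
    return accuse(accusation_scores(X, y, p), m)

if __name__ == "__main__":
    print("accused users:", sorted(demo()))
```

With these parameters a colluder's expected score is about 2m/(πc) (roughly 636 for m = 3000 and c = 3) while an innocent user's score is centred on 0 with standard deviation sqrt(m) ≈ 55, so the three colluders land far above the threshold and the seventeen innocent users far below it; shortening the code or raising c narrows that gap, which is exactly the trade-off Tardos' length bound of order c² log(1/ε) captures.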
Information theft does not exist ... - Marie BAREL (
A presentation made by a lawyer who explains that the concept of "theft of information" does not exist according to the French law, because "theft" means the robber takes away what he steals from the owner. But of course there are other legal remedies in the French law such as safeguards against disclosure, unfair competition, breach of confidence, etc...
Why security fails (and how to remedy to that failure) - Nicolas RUFF (EADS)
A somewhat disappointing presentation, demonstrating with many examples how most of the security efforts made in recent years have failed....
A hardware assisted virtualization to protect kernel space against malicious actions - Eric LACOMBE (INSA)
The speaker presents the work he has done during his thesis at LAAS. The subject is to protect the kernel against attacks by malicious software. The idea is to use the virtualization functions available in hardware to insert a lightweight hypervisor between the hardware and operating system kernel. The hypervisor then monitors the kernel and ensures that its integrity has not been corrupted by malicious software.
XSS: the breeze and the hurricane - Pierre GARDENAT (Académie de Rennes)
This presentation explores the possibilities offered by the XSS (Cross-Site Scripting) vulnerabilities. The speaker explains that these vulnerabilities are often overlooked but are in fact really dangerous. They are equivalent for the World Wide Web to the well known buffer overflow vulnerabilities that affect conventional programs: myriad and frightening.
Malicious origami with PDF - Fred RAYNAL (Sogeti – ESEC)
This presentation focuses on demonstrating the insecurity of the PDF format as well as the insecurity of the "Adobe Reader" software. To sum it up: a PDF document can be dangerous ... and not just because you can include JavaScript code in it! Several demonstrations were shown. In the last one, the Adobe Reader web plug-in (Adobe Reader plug-in is more permissive than the standalone Adobe Reader software) opens a malicious PDF which forces the reader to access a Samba share over the network. This results in a "PassTheHash" attack where the Samba server is able to steal the credentials of the Windows user who opens the PDF from his web browser.
Macaron, a backdoor for JavaEE applications - Philippe PRADOS (Atos Origin)
Macaron is the name of a "backdoor" designed for JavaEE environments. This backdoor (which is installed by an internal attacker by adding a malicious JAR to the application package) takes advantage of several Java class overloads and of various hooking techniques in the HTTP request processing chain to allow an external attacker to communicate with a "shell" embedded in the backdoor. In fact, the JavaEE application architecture is very complex and has many features of interest to an attacker who wants to design a backdoor.
The "Macaron" demonstrator is very impressive ...
IpMorph: A unified solution to fool finger-printing tools - Guillaume PRIGENT (DIATEAM)
IpMorph is an open-source software whose objective is to prevent finger-printing tools (such as Nmap, SinFP or Ring2) from remotely identifying the operating system of a targeted machine. IpMorph is a platform located on the path between the "attacking" machine (the computer that runs the finger-printing tools) and the protected machine. It modifies the network packets issued by the latter to fool the attacker's finger-printing tools.
Dynamic analysis performed in kernel space with Kolumbo - Julien DESFOSSEZ (Révolution Linux)
Kolumbo is a Linux kernel module designed to facilitate the analysis of a malicious binary on Linux. It prevents the malware from detecting that it is executed in a controlled environment (by defeating the known techniques for detecting "ptrace" and debugger breakpoints). It also provides features to trace malware execution and to dump memory sections.
Computing on Graphical Cards for cryptography and security purposes - Antoine JOUX (DGA)
Antoine Joux, a famous French cryptographer, talks about how computing on graphics cards could help in the field of cryptography (that is the main part of the talk), and also in the field of security.
For symmetric cryptography the benefit of using graphics cards is really significant. Theoretically, AES computation could be performed up to 16 times faster and DES up to 60 times faster. But the data transfer on the bus induces a bottleneck which drastically reduces these figures: AES is in fact only 4 times faster when taking that bottleneck into account. Anyway, there are real benefits for symmetric computation.
On the other hand, asymmetric cryptography is only about 20% faster, which makes this approach unattractive for this kind of cryptographic operation.
Computing on graphics cards is also very attractive for brute force attacks or for factorization (matrix computation). For example, exhaustive search could be performed 16 times faster when using graphics cards.
Electromagnetic compromising emanations of wired and wireless keyboards - Martin VUAGNOUX (EPFL)
This presentation mainly covered eavesdropping on wired keyboards (the "PS2" keyboards of regular PCs), because apparently the wireless topic was reserved for another upcoming conference … Anyway, the presentation was truly excellent! With a very limited budget (the whole 2000€ budget for the experiment was used just to cover the purchase of the electromagnetic antenna) and many tricks, the researchers revisited the topic of electromagnetic radiation: a subject that was extensively studied in the 1960s by several national security agencies around the world (see the TEMPEST standard defined at that time by the US NSA).