Report on the security conference INSA-2015
Date : January 07, 2015
The French Engineering school INSA, and the LAAS-CNRS research institute have organized the second edition of a one-day conference on security in Toulouse on January 22nd, 2015. Seven presentations were done that day (the agenda is available here) on various subjects, including Electronic voting, security of IoT (Internet of Things) or product security at Airbus. We present below a report for this day.
E2E Verifiable Voting Systems, Theory to Practice
By: Peter Y A Ryan (University of Luxembourg).
The speaker presents a new electronic voting system named "Prêt à Voter" (it is a French expression meaning “Ready to Vote”) and analyzes its experimentation during the Victorian state election in Australia.
The principles of this new system are a mix between traditional voting system (paper ballots, voting booths, ... ) and an electronic system (scanner, computer systems, cryptography, ...). It is based on the following principles:
- a paper ballot made of two parts is generated by the computer system: the first part contains the list of candidates (in a randomly generated order for each paper ballot), the second contains an empty table in which the voter put one (or more) cross in front of (the) candidate (s) of his choice, the ballot paper being identified by an unique code (QR-code),
- the voter destroys the first part of the paper ballot (containing the list of candidates in clear text), and scans the second part (containing his choice),
- the system provides a receipt to the voter, allowing him to verify later that his vote has been actually counted,
- the vote is encrypted and stored in the system.
The challenges (secret, checking, counting, lack of fraud, etc ...) of this system are the same as the regular voting system, but the main improvement it brings is that it allows end-to-end verifiability (was my vote actually taken into account?) using the QR-code on the receipt. It also provides the power of a computer system to count and publish results.
This system was tested during a vote in Australia. However, this experiment appears mitigated because one of the main interests of the system, end-to-end verifiability of the vote, was not retained by the officials in this election.
The speaker ends on the main challenges that the “Prêt à voter” system faces, especially to convince stakeholders (candidates, officials, voters, … ) about the improvements provided, and the reliability of the solution.
About "Prêt à voter":
http://www.pretavoter.com/index.php
http://www.pretavoter.com/publications/PretaVoter2010.pdf
Internet of (Insecure) Things
By: Aurélien Francillon (Lecturer at the Eurécom institute, Sophia Antipolis).
The speaker presented an audit project regarding the security of firmware which are integrated into various devices or objects: computer, hard drive, camera, USB key, PLC, TV set, GPS, car, etc. These firmware are stored in the persistent memory of the electronic systems and are composed of program, code and data.
The purpose of this project has been to search for common security flaws in the devices. For this, over 30 000 firmware have been downloaded on various supports and formats. Once the firmware has been extracted of their physical media (CD-ROM, floppy disk, USB key ...) or logical (exe, zip, js ...), they were analyzed following two approaches:
a) The static analysis :
- Search of similar code, using a comparison method named "fuzzy hashing" which returns a percentage of similarity in pieces of code. If similar code exists in 2 separated devices, a vulnerability found in one, should probably also impact the other one.
- Search of known certificates in the firmware. Internet sites give some lists of certificates and their keys.
- Search of specific words (such as password, backdor ...) that makes it easy to find security flaws.
- Search of the development environments used to create the firmware. Some firmware are actually compiled with obsolete JDK, libraries or compilers.
b) The dynamic analysis :
- There are open source projects (gxemul or skyeye) that allow to interact with equipment or firmware. These simulators are able to bypass the firmware boot, and this makes easier to find attack vectors.
Most of analyzed firmware have security flaws, except smartcards which have very few vulnerable. With the development of internet of things, these firmware are more and more connected to private networks and consequantly, more and more exposed to security problems.
IRMA - open-source solution for malware analysis
By Alexandre Quint (engineer at QuarksLab)
The speaker introduced the IRMA application (Incident Response & Malware Analysis) which is a complete open-source analysis system for one or more files. The analysis is performed by using different Windows antivirus engines (GDATA, Kapersky, McAfee, Sophos, Symantec) and Linux (Clamav, Fprot, Eset, Mcafee, Comodo).
The characteristic of IRMA is to be a solution that can work offline by letting the user house the complete system on its network. Thereby allowing control of its functioning and able to adapt to its needs.
The IRMA application is built on three layers:
- The Web-based interface that allows the user to download files to be scanned. This layer is also responsible for sending the files to the “dispatcher” layer, and for displaying the results it gets back.
- The dispatcher receives files from the Web interface, then sends them to different probes, and collects the results which are been forwarded to the Web interface layer.
- The probes which are built from anti-virus engines (one probe by anti-virus)
The speaker explained the solution chosen for the installation of probes (update of the anti-virus during installation only), and finished by an open discussion about extensions capabilities of the system (development of specific analysis modules).
Product Security in Airbus Group
By Pascal Andréi (Executive Expert and Corporate Product Security Officer for Airbus Group)
The speaker presented his job in the Airbus group. The Airbus Group has decided to create a dedicated organization for the security of its products. This organization ensures that security is taken into account, from the initial phases of the design of the aircraft, up to (and including) the maintenance of the flying fleet. The role of the Corporate Product Security Officer, is to organize the security of all the products within the Group (Airbus, Airbus defence & Space and Airbus Helicopters). Its role is also to implement a continuous improvement process and to ensure that all the Airbus Group divisions work together harmoniously on security topics. For this a PDCA (Plan Do Check Act) approach has been implemented.
Air transport security has been significantly modified following two major events: first the September 11th event, and second the rise of the cyber threats. Consequently, security has become a major factor, and it covers both physical security (diversions, bombs on board, etc.) as well as cyber threats. The latter continues to grow, especially because of the increase of connectivity in the aircraft (to support the growing demand for passenger connectivity), as well as the increase in the exchange of fly data between the ground and the aircraft for a better prediction and reactivity.
7 years of retrospective of search vulnerabilities in smartcards
By Jean-Louis Lanet (Professor, INRIA Bretagne Atlantique).
The professor presented the researches that has been done over the years, by his team, to find vulnerabilities in smartcards. Several vulnerabilities were found in smart cards based on JavaCard OS, and his students published several proof of concepts for them. Java Card appeared in 1996 and is used in various domains such as SIM cards, bank cards or access cards.
The attacks presented are known under the name of “EMAN attacks”, and Cert-IST already mentioned them in the reports we published for the SSTIC-2009 and SSTIC-2014 conferences.
There are two types of attacks for these smart cards. First type are the physical attacks. The attacks are conducted on the chip which is view as an electronic component. These attacks are very expensive and difficult to implement because they are made with specific equipments (laser, measuring instrument, etc.). The second type are software attacks. They are easier to implement but start by the extraction of the binary code of the virtual machine (VM), and the analysis of it. The vulnerabilities found allowed students:
- To illegally gain knowledge of confidential information,
- To alter data (integrity),
- To run arbitrary code.
These faults were systematically submitted to industrial and banking organizations before being published on the public domain. In the highly confidential community of Java Card, manufacturers do not publish advisories, specifications, details of the code or embedded data, but new versions of Java Card always corrected published vulnerabilities. It has been observed that developers of Java Card are consequently always a step ahead of the vulnerabilities discoverers.
Security features in the OpenBSD operating system
By Matthieu Herrb (LAAS-CNRS).
The speaker is a member of the development team for this system which was born (in 1994) of a split in the NetBSD project. He presented the main features that make this system "secure by default".
This project, part of the free Unix operating systems family derived from 4.4BSD, is a security-oriented operating system. This willingness to be secure led to the development of a number of new security mechanisms, but also the withdrawal of “insecure” features.
- improving random numbers generation, and using it more largely (for PID, thread, memory allocation, ...),
- improving memory data protection mechanisms ("W ^ X": a memory page cannot be both writeable and executable simultaneously; "PIE": programs are compiled with multiple randomization of the memory layout; "stack protector Canary": a randomized number - the canary - is located in memory behind the stack in order to protect against memory overflows),
- replacing OpenSSL (recently highlighted for several vulnerabilities) by LibreSSL,
- better management of privileges (reduction, separation),
- development of the new API LibTLS,
- retirement of Kerberos (vulnerable and difficult to maintain).
The speaker ends his presentation by highlighting the facts that:
- Lot of improvements and bugs were fixed in the new version published in November 2014: OpenBSD v5.6,
- A lot of issues are still waiting for appropriate answers (including the replacement of Kerberos or resumption of it?).
Conclusion
The aim of that conference day was to create a joint event bringing together students, researchers and professionals. About 150 people did attend it this year, and this was a real success. We hope that the event will occur again to become one of the yearly events in the security community.