SSTIC 2022 conference report

Date : June 07, 2022

The 19th edition of security conference SSTIC (Symposium sur la sécurité des technologies de l'information et des communications) took place in Rennes from June 1st to 3rd, 2022 . It is a French-speaking conference well known for its high technical quality that gathers enthusiasts of computer science and security. The conference program is available here.

The presentation materials are available by following this link. For most of the conferences, you can find the following materials:

a comprehensive article provided by the speaker to present his work. It should be noted that it is possible, upon request at the time of registration, to obtain the paper book gathering all the articles submitted for the conference.
the slides of the presentation,
the video of the talk.

The SSTIC is a general conference and not a thematic one, which could limit its appeal to only a given audience. However, the schedule was done in such a way that talks are grouped by themes (cryptography, forensics, Microsoft environments, networking, reversing, tools, mobile, ...), which eventually allows you not to attend every day, whereas we would not recommend such an approach. The speakers come from different backgrounds such as: academic, industry, state, engineers, students, researchers and private individual.

SSTIC has some unique characteristics that make it a must in France:

The vast majority of the contents (papers, presentations) are in French.
Speakers are required to produce a full paper documenting their research (a quasi-academic approach).
The organization of the event is now very mature. The venue (the “Couvent des Jacobins” in Rennes) is adapted, modern, and magnificent, and the logistics (respect of schedules, meals) are well established.
The registration fee, around 400€ (entrance ticket + lunch every day + social event), seems more than fair to us.
The organization is done in such a way as to encourage meetings and exchanges with colleagues. The famous "social event" on the second evening, the breaks and the meals are all ways to share information with people who sometimes work in very different contexts.
The challenge organized beforehand, and whose solution is presented on the evening of the second day, is of a high level and quite incredible inventiveness. We didn't participate, but the presentation of the solution is pleasant to watch.
The "rumps", a kind of open mic where everyone can come and present a topic (an exploit, a technical project) in less than 3 minutes, have become a classic of SSTIC and other conferences of this kind. Sometimes funny, sometimes impressive, but sometimes incomprehensible too, it is a show time that the audience generally appreciates.

This year, SSTIC was celebrating its 20th anniversary and this was the occasion for a special guest presentation, looking back at the event since its inception in 2002-2003. Funny statistics, comical anecdotes, memories of doubtful presentations, return on stage of some old members of the organizing committee; this presentation was a moment of laughter and nostalgia for the older regulars.

But let's get down to the nitty gritty and summarize 4 presentations that we particularly enjoyed this year.

Smartphone and forensics: how to catch Pegasus for fun and non-profit

Etienne Maynier (Amnesty International)

For this presentation, the speaker made some reminders on Pegasus but especially showed the means implemented by the forensic experts of Amnesty International to detect infections. Indeed, several problems arise when searching for indicators on smartphones:

The first problem is due to data access. In a “perfect company” the smartphones would be mastered with a specific tool allowing to capture a disk image at any time. But in real life it is complicated, especially for phones that belong to journalists/NGOs and that it is just not possible to jailbreak/root. This problem has been solved on iPhone thanks to the “encrypted backups” (a native feature) that contain a lot of information, but it is still pending on Android.
The second problem is the lack of recent sample of Pegasus, and the lack of public analysis of Pegasus-like malware on iPhone.

Amnesty International therefore had to set up a whole methodology and develop a tool to inspect smartphones. This open source tool, named Mobile Verification Toolkit (MVT), allows to extract and search indicators in iOS and Android smartphones, while handling different backup sources.

This presentation was of particular interest to us because it directly concerns the Pegasus forensics activities we perform for some of our customers.

Signage at mobile operators

Benoit Michau, Marin Moulinier (P1 Security)

This presentation deals with mobile operators' signage and the potential attacks inherent to the exposure of infrastructures between mobile operators (such exposure is required for roaming). In a nutshell, a mobile network’s architecture is composed of:

subscribers (identifiable internally thanks to their IMSI unique number, and their phone number),
the operator's network (antennas, frontend, backend),
as well as IPX/GRX, which act as intermediaries to allow to interconnect the operators' networks to allow roaming.

Once the information is in the operator's network, everything is transmitted in clear text. It is therefore possible for an attacker who rents the services of an IPX/GRX provider to easily carry out attacks on the network. The most common types of attacks are: obtaining the IMSI from a phone number, obtaining the geolocation of a subscriber from their IMSI (regionally accurate), and hijacking SMS using the geolocation and IMSI of a subscriber.

To avoid this, several protections can be implemented. At the IPX/GRX level, it is possible to have anti-spoofing and simple filtering of signaling messages. At the operator level, it is possible to have firewalls for signaling messages, to do simple or stateful filtering, and to use SMS-HomeRouter, which allows to centralize the reception of SMS in order not to have to transmit the IMSI of the recipient to other networks.

But important difficulties remain: For example, it is difficult to differentiate between legitimate and illegitimate geolocation information. The operator performs a filtering according to the distance traveled by the signal and the duration, but this is not always accurate, for example with the antenna of a cruise ship docked at the port: the subscribers will oscillate between the antenna of the ship (impossible to locate, or located far from its real place) and the one on land. This is a legitimate situation that can easily be detected as suspicious.

AnoMark - Detecting Anomalies in Command Lines Using Markov Chains

Alexandre Junius (ANSSI)

We are now well familiar with the use of indicators of compromise (IOC) and/or known behavior signatures, for the detection of host-based attacks. But this activity is also a great field of application for statistical learning algorithms in anomaly detection, allowing to identify previously unknown behaviors.

AnoMark falls into the latter category. It is a machine learning algorithm that uses natural language processing techniques (aka NLP) to analyze the command lines that appear for each process creation in the system event logs. AnoMark breaks down a command line into n-grams (blocks of n letters) and trains a statistical model based on a Markov chain. The latter then calculates a likelihood score for each new command line, and highlights the most abnormal ones with respect to past activity.

The ANSSI explains that it has been using AnoMark in production for a year to detect e.g; encoded command lines, pings to unusual domains, the execution of unknown processes, the use of unknown flags in legitimate commands, the variation of some letters, the execution of known processes from unknown paths, etc.

We have really enjoyed the very concrete approach of the ANSSI on this detection matter. Moreover, the agency has published in open source, all the code of AnoMark as well as a Splunk app, in order to encourage security operation centers (SOCs) to further validate and improve this detection method.

Quarantining the Web browser

Fabrice Desclaux, Frédéric Vannière (CEA)

The speakers (special mention to the very peppy and offhand manner of Fabrice Desclaux) presented a custom solution implemented at CEA to reduce one of the biggest attack surfaces in corporate networks. The web browser is indeed a entry point, giving access to the Windows domain with the currently logged-in user’s privileges. The numerous vulnerabilities discovered in browsers, the fact that most of the traffic is SSL-encrypted (opaque to the company's input/output analysis), make the browser virtually impossible to protect.

The CEA's answer is a new open source project called sanzu and written in Rust. It consists in reducing the attack surface (in case of browser compromise) in the following way:

The browser is placed in a hardened Linux virtual machine, itself placed outside the security zone, outside the Active Directory domain. The VM is assigned a dedicated virtual hard drive containing the user's browser data.
The user can accesses the downloaded files via a WebDAV share.
Remote screen access is implemented with video compression libraries that support hardware acceleration, similar to what video game streaming platforms do (such as Stadia or GeForce Now). These mastered protocols avoid RDP or Citrix, which are complex protocols, often pointed out for their vulnerabilities, and also not very optimized for video quality. This implementation choice eventually only exposes to the attacker a memory area shared between the guest system and the hypervisor (a simple mapping of streamed pixels).
Some code modules add functions such as copy/paste, with a possibility to make it unidirectional.
Sanzu also allows to authenticate the access to the VM with Kerberos, and this in a completely transparent way: the user can launch his secure browser by simply clicking on an icon, like a classic application.

Beyond proposing a real technical solution to a well-known problem, this presentation was the liveliest, funniest and most applauded one we saw at SSTIC this year.