The program of this 2016 edition of the RMLL Security Track is now published. We really want to thank all the speakers who sent a proposal, accepted or not, for the trust they put into this event. We are going to do our best to deserve it.
Media are available:
While more and more code is written and connected to the internet, security has never been so important for software. However, security is often relegated to an afterthought, and the industry has had to find solutions to scale it these days. A proven strategy is to use automatic static code analysis, a technique applied by tools such as Coverity or Clang, and mostly used for C code.
But not all software is written in C, so this talk will present bandit, a tool to detect dangerous Python code, and will explain the different types of flaws developers have to keep in mind when writing code, and why static code analysis is not a silver bullet, but just one of the numerous ways we can improve security.
Michael Scherer works on the Open Source and Standards team at Red Hat, focusing on infrastructure issues. He lives in Paris, and he often speaks at events and gives tutorials to help open source communities.
A growing number of modern computers, whether they are traditional x86 desktops and laptops or embedded devices, ship with some form of verified boot mechanism. In practice, it often means that only bootup software allowed by the manufacturer can run on those computers, causing great harm to freedom, but also to security. Using asymmetric cryptographic algorithms for signing these binaries with a private key kept secret by the manufacturer and a public key often stored in read-only memory, it becomes impossible for end users to build, install and run free bootup software on their devices.
However, there are a few examples of devices on which verified boot is implemented in a way that allows end users to stay in control of their devices. Namely, Chrome/Chromium OS (CrOS) devices such as Chromebooks implement reliable verified boot in a way that doesn’t conflict with software freedom, on purpose. Taking things up a notch, verified boot is implemented with free software, both at the bootup software and embedded controller firmware levels.
Paul Kocialkowski started using free software in 2008 and soon gained interest in software freedom, with a particular emphasis on running fully free software. After breaking his Openmoko FreeRunner, he took a shot at Replicant, the fully free version of Android. He soon became involved in active development and has been the lead developer of the project since 2012.
Driven by a growing interest in embedded devices, he took charge of the single board computers and plug computers freedom comparisons on the Free Software Foundation’s website. Recently, he’s been working on freeing mobile and embedded devices at the lower levels, contributing to the U-Boot, Flashrom, Coreboot, Libreboot and Linux projects.
The availability of modern System on a Chip (SoC) parts, with low power consumption and high integration of most computer components in a single chip, empowers the open source community to create all kinds of embedded systems. The USB armory from Inverse Path is an open source hardware design implementing a flash-drive-sized computer for security applications.
The presentation explores the lessons learned in making a small form factor, high specifications, embedded device with solely open source tools, its architecture and security features such as secure boot and ARM TrustZone implementation.
Leveraging the current maturity of the project, the defensive and offensive uses of the USB armory are also fully explored, covering topics such as the INTERLOCK application, its Genode OS support and its role and usage in identifying new vulnerabilities affecting widely deployed USB stacks.
Andrea Barisani is an internationally recognized security researcher and founder of Inverse Path information security consultancy firm. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick…and break. His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and code auditing with particular focus on safety critical environments, with more than 14 years of professional experience in security consulting. Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is the founder of the oCERT effort, the Open Source Computer Security Incident Response Team. He is a well known international speaker, having presented at BlackHat, CanSecWest, Chaos Communication Congress, DEFCON, Hack In The Box, among many other conferences, speaking about innovative research on automotive hacking, side-channel attacks, payment systems, embedded systems security and many other topics.
Mozilla operates thousands of servers that support Firefox and Firefox OS, and provide functionality to more than 300 million users. Systems are often heterogeneous, are catered to the needs of particular services, and are hosted in various locations around the world. A few years ago, the number of systems Mozilla operates outgrew the capabilities of existing forensics and endpoint security tools. Being able to inspect an entire infrastructure in real time is the dream of any security investigator, and we simply could not achieve that with our tooling. The MIG project was started to provide better visibility across the organization, and to remodel the traditional approach to forensics (manually retrieving and analyzing data from systems) that had become impractical in Mozilla’s heterogeneous environments.
MIG is a distributed platform composed of agents deployed across Mozilla’s servers. The agents provide investigators with remote access to the file system, network and memory of endpoints. MIG is massively parallelized. It can run targeted searches on thousands of endpoints in as little as ten seconds, while allowing for larger scans that take hours to complete. The architecture of MIG is cross-platform and modular. Entirely written in Go, agents can run on Windows, macOS and Linux. Capabilities can be added via modules that are compiled and shipped with the agents. During the talk, we will discuss how the use of Go simplifies the architecture of MIG and helps build security tools with a minimal CPU and memory footprint.
MIG belongs to the growing field of distributed digital forensics, akin to Google’s Rapid Response, Akamai’s Query and Facebook’s osquery. MIG takes an approach to investigation that does not rely on retrieving and storing large amounts of data from endpoints, but instead focuses on interrogating endpoints locally via distributed agents. By limiting the amount of data retrieved from endpoints, we reduce MIG’s operating cost, have a stronger respect for data confidentiality, and ensure that a platform breach would not expose terabytes of confidential forensics data to the world. Security is a first-class citizen in MIG. We guarantee access control by requiring investigators to sign all actions with their PGP keys. Agents verify signatures prior to running actions locally. MIG is built to withstand a takeover of its platform without compromising the security of Mozilla’s servers.
This talk will introduce MIG, the problems it solves, its design goals, capabilities, and security model. We will present its use on thousands of servers at Mozilla. The audience will learn how indicators of compromise can be searched across thousands of systems within seconds. During the talk, attendees will be given elements to install and operate MIG in their own environments. If permitted, the talk will include a live demo on Mozilla’s infrastructure.
Julien manages the CloudSec team and is responsible for the security of Firefox’s backend services (Firefox accounts, Sync, addons.mozilla.org, Push, Hello, …). Mozilla CloudSec consults with developers and operations teams on risks and security, and builds security tools for the infrastructure. Julien is the author of the Mozilla Server Side TLS guidelines, Cipherscan, Mozilla InvestiGator (MIG), SOPS and many smaller tools to help DevOps integrate security in the organization.
The Information Security world has yet to embrace the DevOps culture. The concepts of fast paced, always moving, continuously delivered software and services still clash with the cautious methods of information security. The disconnect is accentuated by difficulties security teams encounter adapting legacy policies to devops and the cloud.
Security policies typically focus on hardening, monitoring and updating systems and services, which must be done at each level of the stack. The continuous delivery techniques advocated by DevOps often rely on third-party infrastructure that does not grant infrastructure-level access to customers, which forces security teams to rethink controls.
- The lack of physical, and sometimes virtual, access requires forensics and incident response to be approached differently.
- Scanning for vulnerabilities inside containers is not possible on production systems.
- Logs correlation may become difficult when systems have no names and live for only a few hours.
- And, above all, the approach to network security monitoring (IDS/IPS, sniffers, etc.), which security teams spent years perfecting, is useless in cloud environments that don’t grant access to network equipment.
Mozilla has been operating full devops for several years now. As a security lead in the Cloud Services organization, integrating security into devops is a major part of my job, and I want to describe our approach in this presentation. The talk is focused on three main parts:
- Implementing and testing security controls: in which we talk about Test Driven Security in the CI/CD pipeline.
- Monitoring and responding to attacks: an overview of techniques that help increase the security coverage of cloud-based, immutable and continuously delivered infrastructures.
- Maturing DevOps Security: a discussion on bringing security into the culture of the organization.
We will discuss the challenges, both cultural and technical, in adopting a DevOps culture in security. The audience will be given pointers to build and test controls into the continuous integration and continuous delivery pipelines.
Abstract: %PDF-1.5 ustar PK\3\4 \xFF\xD8
Reverse engineer - author of Corkami
Single Sign-On is part of Web history: to secure access to content, authentication has been implemented, from standard HTTP Basic to very complex protocols like SAML and OpenID Connect. Through this presentation, we will try to see why all authentication standards seem to work the same way, and what their differences are.
Clément Oudot works for Savoir-faire Linux, a worldwide FOSS company. He is the leader of LemonLDAP::NG, a free WebSSO and Access Management software. He also works for other LDAP-related projects (OpenLDAP, LDAP Tool Box, LDAP Synchronization Connector).
The Internet of Things (IoT) is the new trend in IT talks, meetings and magazines. Security communities follow the hype: most infosec conferences have already discussed how to break into a doorbell, a car, a toilet… As IoT has spread in recent years, so have DIY projects, thanks to the Arduino and Raspberry Pi projects and low-cost 3D printers. You can easily find books about DIY in a bookstore, magazines are dedicated to this subject, and the web is full of blogs about it. We know we must be careful of IoT and all its vulnerabilities… But we should also consider security while making a DIY project.
From the Raspberry Pi used as a media center in the living room to the DIY Arduino weather station in the garden, all these projects may come with their own vulnerabilities. This talk will deal with bad and good examples from magazines and blogs, showing how easy it can be (sometimes easier than with an IoT device) to get into someone else’s network.
The aim of this presentation is not to find vulnerabilities in Raspbian packages and deduce that DIY is a major source of threats, but to share some thoughts on building safer DIY projects.
Antoine is an IT security engineer, skilled in infosec incident handling, pentest and audit. He enjoys I.T., electronics and D.I.Y. beers by night… and he’s fond of cigars!
Suricata is an open source network intrusion detection and prevention system. It analyzes traffic content against a set of signatures to discover known attacks and also logs protocol information.
With the support of Netfilter features, it was already possible to build an IPS or IDS system, but now a new dynamic IDPS mode is available. The purpose of this talk is to introduce the “mixed mode”, which makes it possible to combine IPS and IDS. For example, this new approach allows a single Suricata instance to operate as an IDS for traffic that is too critical to send through the IPS, and to act as an IPS for the rest of it.
The following points will be covered:
- Motivation for mixing IPS and IDS
- A brief introduction to Netfilter
- How Suricata works as IPS/IDS with Netfilter
- Advanced setup of Suricata and Netfilter in mixed mode
Giuseppe is a software developer at Stamus Networks focused on the development of open source software for network security, such as firewalls and intrusion detection systems. He started contributing to the open source world with the Netfilter organization, of which he is still a member, then joined the OISF community. He previously worked as an independent contractor for Emerging Threats, involved in Suricata development.
This talk will explain the basics of DNSSEC and how you can use them to secure your infrastructure. DNSSEC is quite an old technology but it is not adopted everywhere yet. Nowadays, however, it is quite easy to put it in place.
It will also describe DANE and how you can use it to secure your TLS/SSH communications by storing your servers’ SSH keys inside your DNS zones, even in a frequently changing environment.
Tools used in this talk will be Bind, the Foreman and Puppet.
Julien Pivotto is a young Open-Source consultant at Inuits where he is helping organisations with the deployment of long-term solutions based on Open-Source infrastructure.
He is a strong believer in the devops movement and has a technical focus on infrastructure automation, continuous integration, monitoring and high availability.
Today, web surfing and email remain the most common vectors of infection. Every day, spam campaigns flood our mailboxes with tons of malicious attachments trying to lure our beloved users. Solutions exist to automatically analyze email content, like the well-known Fir3Ey3 EX appliance. However, these toys are very expensive.
In my talk, I’ll briefly review different methods used by attackers to deliver and execute payloads on the victim’s computer. In a second phase, I’ll explain how to build a light platform to process malicious attachments on the fly and analyse them using VirusTotal and OLE analysis tools (the process being based on open source solutions and a self-developed tool).
Besides blocking malicious content, the goal of this platform is also to collect IOCs to share, in order to improve detection with third-party tools.
Xavier Mertens is a freelance security consultant based in Belgium. His job focuses on protecting his customers’ assets by applying “offensive” (pentesting) as well as “defensive” security (incident handling, log management, SIEM, security visualisation). Xavier is also a security blogger, an ISC SANS handler and co-organizer of the BruCON security conference.
In 16 months, Let’s Encrypt went from an idea to the 3rd largest Certificate Authority on the public web.
J.C. Jones, one of the engineers who worked on Let’s Encrypt, will guide you through many of the challenges, decisions, and trade-offs that occurred along the way.
J.C. is a security engineer at Mozilla, and spent about a year and a half as a principal on Let’s Encrypt. Prior to Mozilla he co-founded a PKI-based startup in America’s Desert Southwest, where he lives. You can reach him on Twitter as @JamesPugJones.
In this talk, we plan to present and discuss the security design behind Ring, a fully distributed communication platform that protects user security and privacy.
Passionate about distributed networks, Adrien Béraud (OpenDHT and Ring developer at Savoir-faire Linux) maintains the distributed hash table OpenDHT used by Ring. For Adrien, Ring is more than a communication tool. It is based on the community: Ring belongs to it and grows stronger through it.
Use of a VCS is one of the most important best practices in development. Still, it’s also one of the biggest weaknesses. Based on more than 30 git training sessions and consulting engagements in companies, we will try to sum up all the good (and worst) practices.
While technical infrastructure is important, social engineering and training are also essential to get people ready to use git properly and thereby secure code. Building a git server is also an organizational project, especially when code is shared widely and developed by companies, partners, developers and clients.
After 8 years working for Mandriva as support engineer and release manager, she founded, with some other former Mandriva people, her own company dedicated to free software integration in companies and administrations. She works on software packaging, industrialization of customized Linux distros, git training and consulting.
For the past 4 years, Anne has organized Kernel Recipes, 3 days of talks about the Linux kernel, in Paris. She is also part of the Mageia distribution board.
The security landscape evolves very fast, and every day brings a new report about a brand new attacker, scarier than the day before. We have short memories, so we tend to forget what happened a few months ago.
As of now, MISP is mostly a repository for incident responders where you can easily add new events and correlate them efficiently but not much work has been put into grouping the events together following different indicators (type of target, technical indicators in the binaries, …) after the fact.
We already presented our initial findings at Troopers a few months ago. We will investigate this topic further and present the tools we developed in order to make the analyst’s life easier.
Marion Marschalek is a Principal Malware Researcher at G DATA Advanced Analytics, focusing on the analysis of emerging threats and exploring novel methods of threat detection. Marion started her career within the anti-virus industry and also worked on advanced threat protection systems, where she built a thorough understanding of how threats and protection systems work and how both occasionally fail. Next to that, Marion teaches malware analysis at the University of Applied Sciences St. Pölten and frequently contributes to articles and papers. She has spoken at international conferences around the globe, among others Blackhat, RSA, SyScan, hack.lu and Troopers. Marion won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake. She practices martial arts and has a vivid passion for taking things apart.
Raphaël is a CERT operator at CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg. His main activity is developing or participating in the development of tools (GitHub personal account, work account, MISP account, writing a MISP module) to improve and ease the day-to-day incident response capabilities of the CSIRT he works for, but also for other teams doing similar activities. Another big part of his activities is administering the biggest MISP instance in Europe (information on how to get access to the platform) with >250 companies, 600 users and more than 300,000 attributes. This is the source used in this research project.
During this talk, I would like to present a free open-source (GPLv3) tool, written in C++, that I’ve been working on for two years in my spare time. It was designed as a helper program which speeds up the job of a malware analyst by automating repetitive tasks. It can also be used for malware triage, in order to determine which files are worth analyzing manually. It has the following architecture:
- A robust PE parser which was designed with malicious and/or malformed PEs in mind. It is currently being fuzzed by AFL (input files used), with no crashes so far.
- A customized version of Yara which can re-use the project’s PE parser, accompanied with a set of handmade rules to detect suspicious files.
- Plugins which use and correlate the information collected by the PE parser to infer the program’s behaviour and characteristics.
- An output system which can print out the generated data as text or JSON.
The following plugins are already included in the tool:
- ClamAV and PEiD signatures - a Python script has been written to convert ClamAV databases into Yara rules.
- Compiler detection
- Suspicious strings (i.e. “cmd.exe”, “CurrentVersion\Run”, …)
- Cryptographic algorithms identification
- Packer detection (but no automatic unpacking!)
- Alerts for dangerous import combinations
- Resource analysis and extraction
- Authenticode verification (on Windows only so far) with a twist (if the program pretends to come from a well-known company like Microsoft or Oracle in the manifest but isn’t signed, flag it as very suspicious)
- Submitting file hashes to VirusTotal
The plugin system was intended to be easy to use, and it’s (supposed to be) easy for anyone to write their own plugins without having to dive deeply into the project’s code. Conversely, the PE parser is intended as a building block for other security projects and can be taken out of Manalyze and put into other projects with no hassle. A lot of effort was put into writing the developer documentation in order to minimize the learning curve for people willing to contribute.
A web portal was also written so people can upload samples and see results without having to compile/run the tool.
Ivan Kwiatkowski (@JusticeRage) is a 27 year old security researcher from Paris. Noteworthy hobbies include writing fiction and replying to Nigerian scams.
A quick introduction to Qubes OS and why it matters, followed by a few specific Qubes OS use cases.
Marek is the Qubes OS lead developer, an experienced Linux administrator and a trainer in Linux administration.
Binmap is an Open Source tool designed to quickly scan a file system, gather various information on the binaries it finds and store it for further processing by third-party tools.
It provides handlers for the ELF and PE binary formats and can collect the usual executable information:
- imported / exported symbols
- dynamic library dependencies
- hardening features
- version information (using a fuzzy algorithm)
This information is stored as a graph that can be walked through using a Python API.
You want to check all the executables that use a given, obsolete library? Walk through its successors!
You want to see the consequences of a system upgrade? Take the diff of the graph!
You want to check if your system is vulnerable to a given CVE? Rely on the collected version information and cross-check information!
You want to audit a system image? Use the chroot mode and quickly find out the interesting binaries!
The tool is extensible: one can contribute their own binary analyzer to support more formats or to improve existing information extraction.
Serge is a pure product of the French Far West: He received his Engineering degree and PhD on Compilation near Brest and since then he has been travelling in the marvelous world of computer science, from HPC to submarine acoustic and now the funny interaction between security and compilation as an R&D engineer for Quarkslab.
We’re setting up a web service to analyze suspicious files found on web servers to determine whether they’re a potential threat to your server or infrastructure. It’s called MOWR (More Obvious Web-malware Repository) and aims at becoming as useful as VirusTotal is for common viruses. Code will be published under a free software licence at the time of the RMLL talk.
Julien Reveret is a senior security consultant at NBS-System, he already talked about Linux web servers forensic in 2015 at the RMLL security track. His skills are mainly rooting customers’ servers and baking cookies.
Antide Petit works as an IT security intern for NBS-System. He is one of the MOWR developers.
Several major classes of security analysis have to be performed on raw executable files, such as vulnerability analysis of mobile code or commercial off-the-shelf software, deobfuscation or malware inspection. These analyses are very challenging, due to the very low-level and intricate nature of binary code, and they are still relatively poorly tooled – essentially syntactic static analysis (disassembly), which is easy to fool, or dynamic analysis (fuzzing, monitoring), which may miss subtle behaviors. On the other hand, source-level program analysis and formal methods have made tremendous progress in the past decade, and they are now an industrial reality for safety-critical applications.
The open-source BINSEC platform humbly tries to fill part of this gap by providing state-of-the-art binary-level semantic analyses. The platform is built around a concise and generic Intermediate Representation, making it easy to support new architectures and add new analyses. The main analyses so far include a dynamic symbolic execution engine that can discover new subtle behaviours in an executable file, and a semantic static analysis engine able to reason about all paths of a portion of the code under analysis.
In this talk, we will present the platform and highlight the key technologies behind it, through a few examples taken from deobfuscation and vulnerability analysis.
The BINSEC project is a joint effort involving CEA, INRIA, LORIA, Université de Grenoble-Alpes and Airbus Group. The project is still in its infancy (first release Spring 2016) and under heavy development. While it is primarily a research tool, we want to make it robust enough that adventurous hackers can take advantage of it.
Sébastien Bardin joined CEA LIST, France, in 2006 as a full-time researcher. Since then, his main research interests have been the automatic analysis of executable files – from a safety point of view at first and now from a security point of view, automatic white-box testing through symbolic execution, and low-level constraint solving. He is one of the main designers and developers of the binary-level symbolic execution tool OSMOSE (2008), and the Principal Investigator of the ANR projects BINCOA (2009-2012) and BINSEC (2013-2017) on binary-level program analysis, for safety and security. He is now one of the main designers of the (open-source) BINSEC platform for binary-level code analysis, to be released in Spring 2016. Sébastien Bardin obtained his PhD in 2005 at ENS Cachan, France, under the guidance of Pr. Alain Finkel. His doctoral work was centered on the verification of infinite-state systems by means of model checking, symbolic representations and loop acceleration. He also co-developed the infinite-state model checker FAST.
This presentation explains how a malware analyst and a forensic investigator can work together. The purpose is to select several advanced threats (for example, Uroburos, ComRAT, Babar, Casper…) and to show how a reverser and a forensic investigator can be complementary.
The presentation is mainly based on the open source tool FastIR Collector, developed by SEKOIA and available on GitHub. The presentation will show what kinds of artifacts the tool is able to collect and how to identify the infection.
Paul Rascagnères is a malware analyst and researcher for SEKOIA’s CERT. He is specialized in Advanced Persistent Threats (APT) and incident response. He has worked on several complex cases such as government-linked malware or rootkit analysis. He is a worldwide speaker at several security events.
Sébastien Larinier is currently Senior Researcher and CTO at the CERT SEKOIA located in Paris, a member of the Honeynet Project chapter France and co-organizer of Botconf. Sébastien has focused his work for the last 5 years on botnet hunting, early compromise detection, forensics and incident response. A Python addict, he supports different open source projects like FastResponder, OSINT Framework and Malcom.
An Arduino is used as a keyboard for pwning Windows, Linux or Mac OS by dropping a reverse shell. What if a Unicorn wants to do something similar on Android?
Let’s talk about a new feature coming in Firefox Nightly called the Containers feature, which enables users to log in to multiple accounts on the same site simultaneously and gives users the ability to segregate site data for improved privacy and security.
Amsterdam is a Suricata docker container based system that is really easy to extend. The talk will show how you can add firewall logs to it.
The SANS ISC (“Internet Storm Center”) is operating a worldwide network of honeypots. Recently a dedicated version of Cowrie was released to be used with a Raspberry Pi. We also collect 404 logs and firewall logs (or any “IP based” logs) to feed the DShield database. We need you to collect more and more useful data!
I will try to explain in 3 minutes how to be a jerk in security.
I developed a tiny tool that gets an email, processes it and returns a sanitized version, with log files: https://github.com/CIRCL/PyCIRCLeanMail
It is far from being usable by a non-dork, but this is the plan, and I’ll explain how.
REbus facilitates the coupling of existing tools that perform specific tasks, where one’s output will be used as the input of others.
In a few minutes, I will show some functionalities of BINSEC, and especially how to break the first FlareOn challenge.