2018 Pass the SALT Schedule

The Pass the SALT (Security And Libre Talks) schedule is now published. We are very proud about the trust that all the people who replied to our Call for Papers put in this first edition of PTS. We want to thank all of them and we will try to do our best to deserve this trust.

And now, enjoy the following schedule of workshops and talks and come to share knowledge and collaborate.

Workshops Schedule

Talks Schedule

Monday 2nd of July, 2018

  • 14:00 - 14:15: launching talk

Linux Distribution Security

Reverse and Low-Level Session

~~~ afternoon pause ~~~

Tuesday 3rd of July, 2018

Network Security Session

~~~ morning pause ~~~

Web Security Session

~~~ afternoon pause ~~~

IAM Session

Wednesday 4th of July, 2018

Blue Team Session

~~~ morning pause ~~~

Secure Programming and Architecture Session


IoT Security Session

~~~ afternoon pause ~~~

Red Team Session

Workshops description

Introduction to Bro Network Security Monitor

Duration: 2h30
Maximum number of attendees: 25

Bro is an open-source Network Security Monitor (NSM) and analytics platform. Even though it has been around since the mid 90’s, its main user base was primarily universities, research labs and supercomputing centers. In the past few years however, more and more security professionals in the industry turned their attention to this powerful tool, as it runs on commodity hardware, thus providing a low-cost alternative to commercial solutions.

At its core, Bro inspects traffic and creates an extensive set of well-structured, tab-separated log files that record a network’s activity. Nonetheless, Bro is a lot more than just a traditional signature-based IDS. While it supports such standard functionality as well, Bro’s scripting language allows security analysts to perform arbitrary analysis tasks such as extracting files from sessions, detecting malware by interfacing with an external source, detecting brute-forcing, etc. It comes with a large set of pre-built standard libraries, just like Python.

During this two-hour workshop, we will learn about Bro’s capabilities and cover the following topics:

  • Introduction to Bro
  • Bro architecture
  • Bro events and logs
  • Bro signatures
  • Bro scripting
  • Bro and ELK

Requirements for the workshop:

  • A laptop with at least 8 GB of RAM and more than 30 GB of free disk space
  • VMWare Workstation or VMWare Player installed

Eva Szilagyi
Eva is managing partner and CEO of Alzette Information Security, a consulting company based in Luxembourg. She has more than 8 years of professional experience in penetration testing, security source code review, digital forensics, IT auditing, telecommunication networks and security research. Previously, she was working for companies like Vodafone Hungary, Ernst & Young Hungary and Deloitte Luxembourg. Eva has master’s degrees in electrical engineering and in networks and telecommunication. She holds several IT security certifications such as GSEC, GICSP, GSSP-JAVA, GWAPT, GMOB, eWPT and eJPT. Eva is member of the organizer team of BSidesLuxembourg.

David Szili
David is managing partner and CTO of Alzette Information Security, a consulting company based in Luxembourg. He has more than 8 years of professional experience in penetration testing, red teaming, vulnerability assessment, vulnerability management, security monitoring, security architecture design, incident response, digital forensics and software development. Previously, he was working for companies like POST Telecom PSF Luxembourg, Dimension Data Luxembourg, Deloitte Hungary, and Balabit. David has master’s degrees in computer engineering and in networks and telecommunication and a bachelor’s degree in electrical engineering. He holds several IT security certifications such as GSEC, GCED, GCIA, GCIH, GMON, GNFA, GMOB, OSCP, OSWP and CEH. David speaks on a regular basis at international conferences like Hack.lu, BruCON, Hacktivity, Nuit du Hack, BSidesBUD, BSidesLjubljana and he is member of the organizer team of BSidesLuxembourg. He occasionally blogs about information security at jumpespjump.blogspot.com.

AIL-Framework: A modular framework to analyse potential information leaks

Duration: 3h
Maximum number of attendees: 25

AIL is an open source modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams. The primary aim of the framework is to gather credentials, emails, creditcard numbers and so on in order to help security experts to detect leaks and then, react accordingly. Moreover, AIL framework is flexible and can be extended fairly easily to support other functionalities to mine sensitive information.

The AIL workshop will show how the framework functions, how to use it, how you can feed the software with your own data and finally how you can contributes to help us improve AIL with new features.

Requirements: a laptop with 8GB of RAM, 2 cores and VirtualBox installed.

Sami Mokaddem
Sami finished his study in 2017 as a civil engineer with specialization in computer science. He is now working at CIRCL where he enjoys developing open source security software like AIL-Framework and MISP.

URL Analysis with Faup

Duration: 2h
Maximum number of attendees: 25

Whenever one want to run an investigation over the URLs crawled from her/his organization website, it can get tricky: millions of URLs to follow, hard to keep control on what is going on. This presentation will focus on the open source tool called FAUP for Finally An URL Parser and show how it has been used with large organizations to quickly understand new threats. Faup helps with the snapshot mechanism to classify URLs to be used for Machine Learning, it gives an automatic way of creating a white list at scale to then only spend the time focusing on the URLs you are not aware of. Faup can be used similarly to Dshield and gather intelligence over URLs and will show how collaboration over something as simple as an URL in conjunction with MISP can enhance the discovery of unknown threats.

Sébastien Tricaud
Sébastien likes open source and security, from being a former maintainer of Linux PAM to various contributions to tools such as Prelude IDS etc. Sébastien works at Splunk.

FreeIPA: Open Source Identity Management

Duration: 2h
Maximum number of attendees: 25

In this workshop, participants will learn about FreeIPA and get hands-on experience installing and managing FreeIPA servers, clients, users and policies.

FreeIPA is an integrated identity management solution providing centralised user, host and service management, authentication and authorisation in Linux/UNIX networked environments, with a focus on ease of deployment and management. It is built on top of well-known Open Source technologies and standards including 389 Directory Server, MIT Kerberos and Dogtag Certificate System.

Organisations use FreeIPA to provide centralised management of identities and security policies. By avoiding identity silos, security goals can be achieved with reduced effort and improved auditability.

This session will begin with a short presentation providing an overview of FreeIPA’s capabilities and architecture. The rest of the session is devoted to the practical workshop curriculum. Participants will:

  • Install a FreeIPA server and replica and enrol a client machine
  • Create and administer users
  • Manage host-based access control (HBAC) policies
  • Issue TLS certificates for network services
  • Configure a web server to use FreeIPA for user authentication and access control

There are some elective units participants can choose from, based on their progress and interests:

  • OTP two-factor authentication
  • Advanced certificate management: profiles, sub-CAs and user certificates
  • OpenSSH key management
  • Sudo rule administration
  • SELinux user maps
  • …and more!

To get the most out of the workshop, participants should complete the preparation steps beforehand: https://github.com/freeipa/freeipa-workshop#preparation

Project URL: http://www.freeipa.org/

Florence Blanc-Renaud
Fraser Tweedale
Fraser and Florence work at Red Hat on the FreeIPA identity management system, with a particular focus on X.509-related features.

Suricata and SELKS

Duration: 3h
Maximum number of attendees: 20

This workshop is a discovery of Suricata though SELKS a distribution dedicated to this open source threat detection engine. Through hands-on exercises done in a virtual environment, the attendees will discover the network security monitoring and intrusion detection capabilities of Suricata. They will also write their first signatures to see how it is possible to use Suricata to detect specific threats.

Requirements: a laptop with 8GB of RAM.

Éric Leblond
Éric is an active member of the open source community. He works on the development of Suricata, the open source IDS/IPS since 2009 and he is currently one of the Suricata core developers. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

Talks description

Debian security team: behind the curtains

This talk will presents the Debian security team: the people, the roles, the workflows. It will also detail the handling of vulnerabilities, both public and private/embargoed ones.

Yves-Alexis Perez
Yves-Alexis is a Debian developer, member of the security team. He works at ANSSI as head of the Hardware and Software architecture lab. As such, he’s interested in platform security and the ways hardware and software interactions are relevant to security. More specifically, he’s interested in how devices can influence the security of the platform as a whole.

r2frida - Better together

In this talk we will present Frida and Radare as separate and combined tools. Have you ever wanted to enhance your static analysis with live telemetry from a running instance of the software that you’re analyzing? Did you ever want a more visual interface for Frida to type commands instead of snippets of JavaScript? If any of the above, or none of it, then this talk is for you.

Ole André V. Ravnås
‎Sergi Alvarez aka pancake
Author of radare, radare2 and several other open-source tools, currently working at NowSecure as a Mobile Security Analyst. In the past has worked as a forensic analyst, embedded firmware developer and optimizing codecs in assembly for mips, sparc and arm for GStreamer at Fluendo. Interests on reverse engineering and software development.

Static instrumentation based on executable file formats

Many instrumentation techniques are based on modifying code or system environment of the target. It can be suitable for scenarios but it could not work under certain circumstance (integrity checking, non-rooted environment…) In this talk we propose similar techniques by only modifying the executable format. This enables to be architecture independent, injection and hooking does not require privileged environment.

Romain Thomas
Romain is a security engineering at Quarkslab working on the development of new tools to assist security researchers. He is also interested in Android internal, (de)obfuscation and software protections. He previously contributed to the Triton project, a dynamic binary analysis framework.

Machine-Code Analysis With Open-Source Decompiler RetDec

When we need to deeply analyze a binary application (e.g. for malware dissection, vulnerability research, code optimization), static code analysis is what we use most of the time. However, static analysis of machine-code is usually not an easy task. It is actually a tough one in case of malware analysis. Luckily, existing machine-code decompilers help with this task significantly. On the other hand, the most well-known decompilers are either proprietary, cannot be easily modified for a given task, or both.

In this talk, we would like to depict our machine-code decompiler called RetDec (Retargetable Decompiler) that we are developing in Avast since 2011 and which we have open-sourced a few months ago under the MIT license. Its primary goal is, of course, decompilation of binary (malicious) applications, but its components can also be used for other tasks, such as disassembly, extraction of basic blocks, or initial assessment of malware samples.

Jakub Kroustek
Jakub is leading the threat intelligence team at Avast Software and previously at AVG, 7 years in total. Jakub is a malware analyst and reverse engineer with expertise in ransomware, botnets, and cryptography. He has his Ph.D. for a machine-code analysis.

Peter Matula
Peter is a senior software developer at Avast Software. He focuses on reverse-engineering research and is currently the main developer of the RetDec decompiler. He received his MSc. degree from the Faculty of Information Technology, Brno University of Technology, Czech Republic.

Are there Spectre-based malware on your Android smartphone?

The Spectre attack has had massive coverage, and I assume (nearly) everybody at Pass The Salt will have heard of it. This talk is not yet another explanation of Spectre, nor generic advice of what to do. Rather, this talk is oriented on implementation issues and answering 2 simple questions (which haven’t been addressed yet to my knowledge): 1. Is your Android smartphone vulnerable to Spectre or not? ARM has published a security advisory with a list of vulnerable processors. We’ll see that the answer isn’t as simple as checking the list. . . 2. How can we detect malware using Spectre, and are there any? The media have been quiet about that. Working for an AV company, that’s perhaps something I can contribute to.

Axelle Apvrille
Axelle is a happy senior researcher at Fortinet, where she hunts down any strange virus on so-called ‘smart’ devices.

A graphical user interface for radare2: Cutter

Radare2 is a free and open-source reverse engineering framework, which is becoming more and more popular. One of its main criticisms is that it is only usable within a terminal (CLI), and that the commands are not intuitive, making the learning curve steep. The Cutter project was created to provide an easy-to-use, but still powerful, interface to radare2 for new users. This is done with a native graphical user interface made in Qt and C++.

The goal of the talk is to present radare2 history, along with the common complaints from users, and how we try to overcome those with Cutter. I’ll be presenting the features that are already implemented, the way we allow our users to script the interface, and obviously the missing features that we will implement in a near future.

While Cutter is still under heavy development, it’s becoming more and more user-friendly and easy to use. It is becoming a great alternative to other reverse engineering tools.

Antide Petit
Antide is an infosec student. In 2017, he has done a GSoC on Cutter and is currently its maintainer.

Traffic filtering at scale on Linux

BPF programs are widely known for packet filtering in libpcap (the underlying capture library used by tcpdump and wireshark). One can also use them for performance analysis (perf uses BPF programs), but also for security purposes (seccomp uses BPF as well).

In this talk, we focus on networking and dive into BPF bytecode. First, we will have a look on the available toolchains and API. Then we will jump into actual BPF programs and figure how eBPF can be leveraged to perform traffic filtering using several mechanism amongst socket filtering API, iptables and tc. Finally, we will scratch the surface of XDP capabilities.

François Serman
François filters large numbers of packets and automate things at OVH.

Performance with an S like Security: the eBPF XDP case

extended Berkeley Packet Filter (eBPF) and eXtreme Data Path (XDP) technologies are gaining in popularity in the tracing and performance community in Linux for eBPF and among the networking people for XDP. After an introduction to these technologies, this talk proposes to get a look to the usage of the eBPF and XDP technology in the domain of security. A special focus on Suricata that uses this technology to enhance its performance and by consequences the accuracy of its network analysis and detection.

Éric Leblond
Éric is an active member of the open source community. He works on the development of Suricata, the open source IDS/IPS since 2009 and he is currently one of the Suricata core developers. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

Keynote : a 10 years journey in Linux firewalling

Just come :)

Pablo Neira Ayuso
Among other things, Pablo has been the Netfilter lead for the last ten years.

Full Packet Capture for the Masses

When you are facing a security incident, your investigations will depend on the data that you can analyze. If logs are often the first source of evidence, sometimes, it could be interesting to have access to a full packet capture to “dive deeper” in the traffic generated from/to the compromised network or host. Full packet capture (FPC) is like your insurance, you implement it and you never know if you’ll have to use it… Until something weird happened! In my presentation, I’ll present a simple way to implement FPC for small organizations and based on open source solutions (Moloch, Docker) and how to interconnect them. This talk is an extension of my SANS ISC diary (The easy way to analyze huge amounts of PCAP data) with more practical details.

Xavier Mertens
Xavier is a freelance security consultant based in Belgium. His daily job focuses on protecting his customer’s assets by applying “offensive” (pentesting) as well as “defensive” security (incident handling, forensics, log management, SIEM, security visualisation, OSINT). Besides his daily job, Xavier is also a security blogger , an ISC SANS handler and co-organizer of the BruCON security conference.

Rumps Session

This is a session of lightning talks (between 3-5min).
You will be able to register to give a lightning talk a few days before the event until Monday 2nd July evening.
Only one requirement: your talk has to be about Free Software and Security.


Security and Self-Driving Computers

We have to admit to ourselves: we do not really like to turn on automatic updates. We do not like relinquishing control. Even if we do not really know what the announced update contains, we like to have one look at it before we hit the “update” button.


Often, still, we do not even have an automated update option available - like on our phones. And we are nagged every other month or so that an update is available, that we should install it and if we please can hit the “ok” button now to start it.

My mother usually calls me when her phone asks her to update. “Should I?” she asks. And I always say “Yes!” And she keeps on calling me.

Well, that’s what mothers do anyway. But you get the point.

This is technical nonsense. It’s all part of the Legal Blame Game: “Make sure, when things go wrong, we have an excuse.” But from a technical and security point of view, updates need to happen without user intervention, for everyone.

For our security infrastructure, we try to avoid this and jump from “no updates” to full automation. Because expired certificates are just too embarrassing for everyone.

Oh, and we can make it free at the same time - because automation.

[Insert the story of Let’s Encrypt (LE) that everyone knows…]

LE is interested to get broad support, so one of the most commonly used web server on the planet was a natural target. greenbytes proposed to MOSS (Mozilla’s Open Source Support) for a grant and got it going in 2017.

This talk gives a summary of what is nowadays available in Apache, what is still on the road ahead, and where one may contribute (Hint: ACME fuzzing anyone?)!

Stefan Eissing
Stefan is one of the founders of greenbytes, a small software consultancy company in Germany with customers such as Adobe, SAP, Google and Deutsche Telekom. And very active in the IETF http working group and related areas. Personally, he has obsessed about computers forever - it seems - and sees no reason for stopping. In 2015 he became part of the Apache httpd project after he did the HTTP/2 implementation for the server.

Snuffleupagus - Killing bug classes and virtual patching the rest

Suhosin is a great php module, but unfortunately, it’s getting old, new ways have been found to compromise php applications, and some aren’t working anymore; and it doesn’t play well with the shiny new php7.

As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) php security model, that provides several features that we needed, like passively killing several php-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.


Julien ‘jvoisin’ Voisin
Julien used to pwn and reverse things while contributing to radare2, he nowadays focus on protecting web applications while keeping his own bugs alive on websec.fr and writing stuff on dustri.org.

Thibault ‘bui’ Koechlin
Thibault used to write exploits for fun, he’s now CISO at NBS System, writing the naxsi WAF to prevent web pwning.

Simon ‘piké’ Magnin-Feysot
Simon is a pretty cool guy.

Preview of Vulture's upcoming web filtering engine

We are the creators of the VultureProject, an Open Source HTTP reverse-proxy that ensures the security of web applications. Built on top of open-source technologies such as Apache, FreeBSD, HA-Proxy and MongoDB, Vulture’s basic features are: network firewall, TCP and HTTP proxy balancing, user authentication, web application firewall, TLS endpoint, content rewriting and many other cool things. Currently based on ModSecurity, ModDefender and custom algorithms (including machine learning), the VultureProject Team wants to push innovation even further by creating an all new, fully modular, standalone and open-source intelligent web application firewall engine. No longer based on rules, this engine will be able to understand, dissect and analyze with a lot of finesse every request and response sent; you will no longer need to spend hours of configuration, simply activate the filters you need and let our algorithms learn by themselves and protect your web applications. During the talk, we will focus on this new WAF (Web Application Firewall) engine, explaining why we need to rethink web applications security today, how we are conceiving this new solution, how we are building it and how we think it will solve some issues faced daily by our teams and by our community.

Jérémie Jourdin
Jérémie is CTO at aDvens and the co-founder of Vulture, an Open-Source Web application firewall. He has more than 17 years of professional experience in penetration testing and architecture security design. Jérémie is the architect of aDvens’ Security Operation Center based on Open Source technologies and artificial intelligence concepts. Jérémie’s favorite playground is made of FreeBSD, Apache, HAProxy, MongoDB, Elastic, Python, Arduino, Raspberry and much more….

Hugo Soszynski
Hi ! I’m Hugo, code and Unix lover from a very young age, I quickly became an open-source enthusiast. Always hungry to learn more and to make things better, safer, faster and stronger, I contribute to projects like Rsyslog. Guys, I hope you’ll never forget to write in C and see you soon on the Internet.

SecureDrop, for whistle-blowers

This session will introduce SecureDrop, a Free Software whistleblowing platform which received the 2016 Free Software Award from the Free Software Foundation for Social Benefits.

We will describe how it addresses the critical need for a way for journalists and sources to communicate securely and anonymously. Many large news organizations including the Associated Press (AP), the Guardian, the Washington Post and the New York Times are all now running SecureDrop in their newsrooms to preserve an anonymous tip line in the presence of increasing surveillance powers by governments and corporations.

We will describe how SecureDrop works, how sources/journalists should use it, and how you can contribute to the project.

François Poulain
François is administrator and treasurer engaged for more than 10 years in the April NGO to promote and defend free software. He is at the origin of the amie.coop project aiming at satisfying the IT needs of small structures of solidarity economy. He is involved in the SecureDrop community for server maintenance.

Loïc Dachary
Loïc is a SecureDrop developer.

Second factor authentication (2FA) in LemonLDAP::NG

In LemonLDAP::NG 2.0, the second factor authentication is now a built-in feature and allows to rely on FIDO Alliance, TOTP, Yubikey, or any third party device through script call. I will first present how authentication works in LL::NG and how the 2FA was integrated as core functionality.

Clément Oudot
Clément works at Worteks on Identity Management with free softwares like LemonLDAP::NG 2.0, OpenLDAP, LDAP Tool Box, LSC and Fusion Directory.

Xavier Guimard
Xavier is creator and main developer of the Web SSO software LemonLDAP::NG 2.0.

No way JOSE! Lessons for authors and implementers of open standards

Protocol and data format specifications can be ambiguous, insecure or have other problems. Programmers and users bear the brunt of these issues. Using JOSE as a case study, I’ll discuss mistakes for standards authors to avoid, and demonstrate programming techniques for mitigating some kinds of problems.

JOSE (JSON Object Signing and Encryption) is a set of IETF standards for JSON-based cryptographic objects. You might know it as JWT or JWS. It is used in OpenID Connect, ACME, and other protocols. JOSE emerged a few years ago and has been causing headaches for the presenter ever since.

Using JOSE as a case study, this presentation looks at mistakes to avoid when specifying a data format or cryptographic protocol. We’ll also explore programming techniques for mitigating some kinds of problems in specifications. In particular, we will cover:

  • the flawed rationale for the JOSE working group
  • why JSON is a poor wire format for cryptographic objects
  • cryptography issues in the JOSE specifications
  • ambiguities and interoperability problems in the specifications
  • common vulnerabilities in JOSE libraries
  • how library authors can encourage or enforce safe use
  • advice for standards authors or working groups

Each topic will culminate in one simple, actionable takeaway.

Programming principles and techniques will be demonstrated using Haskell and its jose library, which is maintained by the presenter.

Fraser Tweedale
Fraser works at Red Hat on the FreeIPA identity management system and Dogtag Certificate System. He’s interested in security, cryptography and functional programming. Jalapeño aficionado from the land Down Under.

Too bad… your password has just been stolen! Did you consider using 2FA?

Authentication is a major component of security, but is often implemented as a password-based solution even though stronger and more secure alternatives exist. This talk will explain the risks associated with password-based authentication, describe the advantages of two-factor authentication, and show how open source software such as FreeIPA can help deploy an infrastructure for Smart Card authentication with X509 certificates or One-Time Password authentication.

Florence Blanc-Renaud
Florence is a Senior Software Engineer working at Red Hat on the FreeIPA Identity Management project.

Fail frequently to avoid disaster, or how to organically build an open threat intelligence sharing standard to keep the intelligence community free and sane!

Designing a successful standard for threat intel sharing is a daunting task, with a host of possible pitfalls. This talk aims to describe the journey, challenges and mistakes the MISP Project made while designing the MISP standard as we know it today. There are several paths that can lead to a well-defined standard: early and prolonged requirements gathering versus starting small with rapid iterations, democratic and centralised driving forces, inclusive and exclusive ideologies. Our weapon of choice was an implementation driven, rapid iterative and real-world usage centric approach using the PMF methodology, which allowed us to experiment and fail often but also be aware of our failures before they became irrevocable disasters.

The speakers will attempt to compare and contrast the various methodologies and what lessons we’ve learned.

Alexandre Dulaunoy
Alexandre encountered his first computer in the eighties, and he disassembled it to know how the thing worked. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix specialized in information security management, and the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at the national Luxembourg Computer Security Incident Response Team (CSIRT) in the research and operational fields. He is also lecturer in information security at Paul-Verlaine University in Metz. He is a core team member of the MISP Project and a continuous free software contributor in the security field.

Andras Iklody
Andras is a software developer working for CIRCL and has been the main developer of the Malware Information Sharing Platform since the beginning of 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.

The story of Greendale

Ever wanted to do forensics and feel good about it? This talk will introduce you to a suite of open-source tools for all things digital forensics and incident response. You will see how Greendale (a fictitious but very famous university) used this set of tools to articulate an effective response to a pretty severe incident last summer—all on a state-financed university budget! We will cover collection of forensic evidence with GRR, processing with Plaso, and analysis with Timesketch; how these tools can be articulated using dftimewolf, how to remotely image disks and have the processing done in the Cloud.

Thomas Chopitea
Thomas is a forensics investigator and engineer at Google. Previously, he worked at CERT Société Générale, where he bootstrapped the threat intelligence process using a combination of existing and homebrew open-source tools. He likes to write code and hunt down bad guys. His long-term professional goal is to automate himself out of a job.

Internals of Landlock: a new kind of Linux Security Module leveraging eBPF

In this talk we explain the constraints and choices that led to the design of Landlock, a new Linux Security Module (LSM) proposal designed to let unprivileged users enforce their own security policy. Landlock has multiple new properties that can complete those of the current major LSMs (e.g. SELinux). Leveraging the eBPF engine, Landlock can apply multiple access controls and make them evolve over time, enabling developers to manage security policy per application instead of dealing with access-control rules defined for the whole system. We answer some questions such as: What are the constraints and good practices to properly extend the Linux kernel? How Landlock uses eBPF with the LSM framework? What are the required restrictions to express a security policy, with a bytecode like eBPF, in a safe way? We also show a new demo highlighting the dynamic aspect of Landlock.

This talk is intended to be a deep dive into some internals of Landlock. For a more general introduction to Landlock, you can get a look at https://landlock.io (FOSDEM 2018).

Mickaël Salaün
Mickaël is a security researcher, software developer and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes (e.g. StemJail) before hacking into the kernel on a new LSM called Landlock. He is currently employed by the French Network and Information Security Agency (ANSSI).

Secure programming is slow - really ?

Performance is important in many programs: web servers, network applications, intrusion detection systems, etc. In these programs, C is a usual choice as the programming language: it is close to the hardware, and very fast. However, it is very hard to make the program secure, and this results in many vulnerabilities.

This talk is about why and how use rust to achieve both performance and security by creating a “safe zone” in a C program. We first look at the good code patterns to produce efficient code, and the limits of this approach. We then go through the optimization of the code to gain more performance, and check that doing so we do not remove any important check.

We can use Kerberos as an example, since it is based on ASN.1/DER, which is both difficult to manipulate, and very error-prone: all objects are Type-Length-Value (TLV), so a C parser has to manipulate recursive objects with pointers and lengths everywhere. DER parsers are regular clients for CVEs.

Keywords: performance, security, rust, assembly

Note: we take the parsers in Suricata as an example of such code. However, this talk is not related to Suricata, but more about the source code, the compiler and the produced code.

Pierre Chifflier
Pierre is the head of the intrusion detection research lab (LED) at ANSSI. He is interested in various security topics such as Operating Systems, compilers, programming languages, and new intrusion detection methods. He is also a Debian developer and has been involved in free software since a long time.

Immutable infrastructure and zero trust networking: designing your system for resilience

At Clever Cloud, we designed our hosting platform around the principles of immutable infrastructure, to allow easier application version management and rollout. But these principles also bring great benefits for the system’s security, by shortening persistence time, reducing the capacity to pivot, and allowing fast platform wide updates. We’ll study how the system is designed to handle immutable infrastructure’s needs, and see how it reacts to common threats.

Geoffroy Couprie
Geoffroy handles security at Clever Cloud, develops in Rust and researches on parser security at VideoLAN. He thinks a lot about cryptography, protocol design and data management.

IoT Honeypot, new types of attacks

This presentation will share to the audience the status of IOT attacks from a worldwide distributed honeypot point of view. What are the different protocols, their exposure to the internet and how they are being actively exploited (Modbus, IPMI, S7, Bacnet, Telnet, SNMP etc.)? We have created a Gas Station simulation, no later than 3 hours after having the server on the internet, we started to monitor communications towards a fake S7 service (our Siemens PLC: Siemens SIMATIC S7-200). We are using free software only and this talk wants to boost the audience with the understanding of those technologies and share experience on how to write such a type of honeypot, and hopefully have more ideas to improve the security of a domain that is at least 15 years late!

Sébastien Tricaud
Sébastien likes open source and security, from being a former maintainer of Linux PAM to various contributions to tools such as Prelude IDS etc. Sébastien works at Splunk.

Expl-iot: IoT Security Testing Framework

After working on IoT security testing for a few years, we realized that there is a lot of time spent on learning and setting up different tools including hardware, radio and software. As the IoT technology is new there is no standard software to test most of the components and the tools available are either not mature yet or do only specific job. With this problem at hand we envisioned a software that would allow developers and researchers to automate most of the IoT security testing steps. We began our journey with writing a flexible and extendable framework that would help the community and us in writing quick IoT test cases and exploits. The objectives of the framework are:

  1. Easy of use
  2. Extendable
  3. Support for hardware, radio and IoT protocol analysis

We released the beta version (in ruby) of Expl-iot in 2017. Once we started implementing hardware and radio functionality, we realized that ruby does not have much support for hardware and radio analysis which led us to deprecate it and re-write it in python to support more functionality. We are currently working on the python3 version and will release it in a month or two. The new beta release is envisioned to have support for UART(serial), ZigBee, BLE, MQTT, CoAP (next version will have support for JTAG, I2C and SPI) and few miscellaneous test cases. This talk would give attendees a first-hand view of the functionality, how to use it and how to write plugins to extend the framework.

Aseem Jakhar
Aseem is the Director R&D at Payatu Software Labs LLP, a boutique security testing organization with specialization in IoT, embedded, mobile and cloud security. He is a speaker and trainer at international security conferences like Blackhat, Hack in Paris, Brucon, Hack in the box, Defcon, Zer0con, PHDays to name a few. He is also an open source developer and has written various open source security projects including - Indroid/Jugaad - Runtime Thread injection toolkit for Arm/x86, Dexfuzzer - A dumb fuzzer for dex files, DIVA Android - Damn Insecure and Vulnerable App for Android and Expliot framework. Sources: - Expliot (Ruby) - DIVA Android - Indroid - Jugaad - Dexfuzzer

Io(M)T Security: A year in review

A year ago, I embarked on the funky journey to gain insights into IoT security. I am particularly interested in medical devices, that is an item that’s connected to the Internet AND can gather some sort of health data.

I started off with connected sex toys—it’s fun to tear them down, then tell others about it. Beyond the fun, though, is the actual understanding of what is at stake. And, in all honesty, your fridge, your insulin pump and your pacemaker all share the same challenges: they need improved security so that we are not at risk.

Since the first dildo I investigated, my analysis capabilities have evolved. This talk will address the diverse range of challenges I have had: obtaining the objects (the least complex one… but not the cheapest option, still!), producing reproducible data, collecting meaningful logs, having the companies building the IoT fix their flaws, etc. Thankfully, I will also discuss the solutions I identified, all of which involve FLOSS and (in part) open hardware.

Rayna Stamboliyska
Rayna is a risk management and crisis mitigation expert with a focus on IT security governance and compliance. An award-winning author for her most recent book “La face cachée d’Internet” (“The hidden face of the Internet”, published with Larousse-Hachette), Rayna has extensively explored the impact of data and technology in conflict and post-conflict zones in the MENA region and Eastern Europe. She has consulted for international organisations, private companies, governments and non-profits. Energetic and passionate, Rayna has grown to become a recognized information security speaker committed to educating those outside of the industry on security threats and best practice, and writes up the cybersecurity expert column “50 nuances d’Internet” (“50 shades of Internet”) at ZDNet.fr.

Freedom Fighting Mode - Open Source Hacking Harness

The concept of “hacking harnesses” was introduced by thegrugq at HITB Kuala Lumpur 2007 (pdf). Ever since, the subject has received virtually no attention and no such tool has been released publicly. Worse, the code that had been made available at the time is no longer online and was lost by its author. The goal of harnesses is to provide a hacking environment where security professionals can focus on red teaming activities without having to fight against their terminal to perform simple actions (such as uploading or downloading files, and executing remote commands in memory). FFM is a Python framework which was developed to fill this void.

Ivan Kwiatkowski (@JusticeRage)
Ivan is an OSCP and OSCE-certified penetration tester and malware analyst living in France. His day-to-day job occasionally involves incident response and delivering trainings. He maintains Manalyze, an open-source dissection tool for Windows executables and his research was presented during several cybersecurity conferences in Europe. As a digital privacy activist, he also operates an exit node of the Tor network. Ivan unwittingly rose to internet fame as a vigilante hacker by talking tech support scammers into infecting themselves with ransomware.

Open Hardware for (software) offensive security

This talk is about using the possibilities given by open hardware during penetration testing. Indeed, open hardware offers new tools for hardware and software penetration testing. The presentation will focus on software hacking.

After a brief introduction of my favorite toys and a small review of hardware penetration testing from open hardware, the talk will describe different use cases (Wi-Fi, laptop/desktop/smartphone, internal penetration testing…) where open hardware offers: new possibilities, automation or discretion.

As this is about (open) hardware, there are always limitations, issues, etc. This talk will also offer the opportunity to share and discuss them (as well as a few solutions and calls for contribution/help).

Antoine Cervoise
Antoine is an IT security engineer at NTT Security, skilled in infosec incident handling, pentest and audit. He enjoys computer science, electronics and D.I.Y., beers (drinking and making) by night… and he’s fond of cigars!

Shadow on the Wall - Risks and Flaws with Shadowsocks

What is one of the cornerstones of the Internet? Right! Being able to access all kinds of information, without censorship. In some countries this is no longer possible, and this is why technologies such as Tor and Shadowsocks are needed.

While the main feature of Tor is the onion routing and the aim of being cryptographically secure, it can easily be blocked by a firewall.

Shadowsocks simply tries to provide an undetectable tunnel to a non-censored part of the Internet.

Shadowsocks provides a Socks5proxy locally, into which all traffic is routed. It encrypts traffic with a configurable symmetric algorithm and the messages have (pseudo) random lengths. The absence of any visible protocol information makes them appear totally random. The goal is stealth through restricted infrastructures.

Naturally, users of such tools may be exposed to increased risks. Therefore the tools aim to be undetectable by deep packet inspection firewalls. For security and privacy they have to encrypt the traffic, use random padding, ensure integrity, and should imitate other protocols so as to look like normal encrypted traffic, e.g. such as that from an encrypted website. The server should be authenticated to ensure that the user does not communicate with a malicious endpoint.

We had a look at Shadowsocks to see how it handles this task, and noticed some interesting things.

This talk shows the results of our efforts to analyse ShadowSocks and identifying real vulnerabilities. There were attempts about detecting shadowsocks. We show how to brute force it, manipulate its log files. In addition, we will show several local as well as remote command execution vulnerabilities affecting shadowsocks and its tools.

Niklas Abel
Niklas works as an IT security consultant at X41 D-Sec GmbH in the area of penetration testing and code reviews. He is experienced in penetration of complex software applications and infrastructures, code reviews and vulnerability analysis. His last talk was as speaker at MRMCD 2016 about bank security and developing of an 2FA device.

Glassfish from (IN)Secure admin

A talk presenting a way to bypass the “secure admin” feature of Glassfish to access the administration panel and deploy your own webshell.

Jérémy Mousset
Jérémy is a pentester and a Ron addict. He’s working at Vente-privee.com but this subject comes from his previous life of penetration tester in BT. He wrote an article on MISC regarding the JMX security in Tomcat and he’s currently interested by Glassfish.