Report for the SSTIC 2012 conference (Part 2)

Date : September 28, 2012

This second article continues our report on the presentations given at the SSTIC 2012 conference in June 2012. The first part, published in the August Security Bulletin, is available here.

 

Legal obligations for Web hosting services (by OVH)

This talk was given by the director of legal affairs at OVH (one of the major web hosting companies in France). Its purpose was to define the legal status and obligations of a web hosting company in France. The French LCEN law defines 3 distinct categories: Internet access provider, web hosting provider and web content publisher. But some companies (such as Web 2.0 sites like YouTube.com or auction sites such as eBay.com) do not fit neatly into these categories: are they hosters or publishers? Those companies generally consider themselves as « hosters », because this status reduces their liability when illegal content is hosted. In the near future, new categories could be added to French law, such as « broker » for eBay. The legal obligations of hosters, on the other hand, are quite clear:

  • Keep logs during 12 months
  • Set up a mechanism to signal illegal contents
  • Treat the complaints about illegal contents quickly (typically 24 h).

The speaker indicates that complaints must be sent by registered postal mail and must include:

  • The notification date,
  • The applicant (identity and status),
  • The recipient,
  • Reason for the notification (counterfeiting, slander, etc.),
  • The illegal content and its accurate location (URL).

Before contacting the hoster, the complainant must have first contacted the publisher.

 

Short talks

Elsim and Androguard, by Antony Desnos (VirusTotal.com)

The speaker presents a tool that searches for similarities between two Android binaries. This can be used, for example, to determine which libraries (especially advertising libraries) are used by free Android apps.
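As an added illustration of the similarity idea behind this kind of tool (this is example code written for this report, not Elsim's or Androguard's own code), the block below measures how close two method bodies are with the Normalized Compression Distance (NCD), which needs no knowledge of the bytecode format: the distance is derived only from how well a compressor handles the two inputs together versus separately. The method bodies and class names are constructed smali-style text standing in for the methods of two hypothetical apps; the "adlib" method is present in both (with one small difference), the other methods are app-specific, and the 0.3 threshold is an assumption chosen for this sample.

```python
import zlib
from itertools import product

# Constructed sample input (not real apps): smali-like method bodies.
AD_METHOD_A = b"""\
.method public loadAd()V
    .locals 3
    const-string v0, "http://ads.example.invalid/serve"
    invoke-static {v0}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    move-result-object v0
    new-instance v1, Lcom/adlib/AdRequest;
    invoke-direct {v1, v0}, Lcom/adlib/AdRequest;-><init>(Landroid/net/Uri;)V
    iget-object v2, p0, Lcom/adlib/AdView;->mHandler:Landroid/os/Handler;
    invoke-virtual {v2, v1}, Landroid/os/Handler;->post(Ljava/lang/Runnable;)Z
    invoke-virtual {p0}, Lcom/adlib/AdView;->reportImpression()V
    return-void
.end method
"""
# The same library shipped in a second app, one build later (URL changed).
AD_METHOD_B = AD_METHOD_A.replace(b"/serve", b"/v2/serve")

HASH_METHOD_A = b"""\
.method private hashPassword(Ljava/lang/String;)[B
    .locals 2
    const-string v0, "SHA-256"
    invoke-static {v0}, Ljava/security/MessageDigest;->getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;
    move-result-object v0
    invoke-virtual {p1}, Ljava/lang/String;->getBytes()[B
    move-result-object v1
    invoke-virtual {v0, v1}, Ljava/security/MessageDigest;->digest([B)[B
    move-result-object v1
    return-object v1
.end method
"""

DB_METHOD_B = b"""\
.method private openNotes(Landroid/content/Context;)Landroid/database/sqlite/SQLiteDatabase;
    .locals 3
    const-string v0, "notes.db"
    const/4 v1, 0x0
    const/4 v2, 0x0
    invoke-virtual {p1, v0, v1, v2}, Landroid/content/Context;->openOrCreateDatabase(Ljava/lang/String;ILandroid/database/sqlite/SQLiteDatabase$CursorFactory;)Landroid/database/sqlite/SQLiteDatabase;
    move-result-object v0
    return-object v0
.end method
"""

# Hypothetical apps: method name -> method body.
APP_A = {"Lcom/adlib/AdView;->loadAd": AD_METHOD_A,
         "Lcom/app/Login;->hashPassword": HASH_METHOD_A}
APP_B = {"Lcom/adlib/AdView;->loadAd": AD_METHOD_B,
         "Lcom/other/Notes;->openNotes": DB_METHOD_B}


def ncd(a: bytes, b: bytes) -> float:
    """Normalized Compression Distance: 0.0 for identical inputs, close to
    1.0 for unrelated ones. C(x) is approximated by the zlib output size."""
    ca, cb, cab = (len(zlib.compress(x, 9)) for x in (a, b, a + b))
    return (cab - min(ca, cb)) / max(ca, cb)


def shared_methods(app_a: dict, app_b: dict, threshold: float = 0.3) -> list:
    """Pairs of methods (one from each app) whose NCD is below the threshold:
    candidates for shared library code such as an advertising SDK."""
    matches = []
    for (name_a, body_a), (name_b, body_b) in product(app_a.items(), app_b.items()):
        d = ncd(body_a, body_b)
        if d < threshold:
            matches.append((name_a, name_b, round(d, 3)))
    return matches


if __name__ == "__main__":
    for name_a, name_b, d in shared_methods(APP_A, APP_B):
        print(f"{name_a}  ~  {name_b}  (NCD={d})")
```

Because NCD compares compressibility rather than token identity, a small change in a method (a new URL, a renamed register) moves the distance only slightly, while a genuinely different method stays far away; this is what makes the approach usable across obfuscated or re-built copies of the same library.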
 

Dissecting web attacks using Honeypots, by Davide Canali (Eurecom)

The speaker presents the honeypot infrastructure that Eurecom has put in place to observe what attackers do on a website once they have compromised it. The infrastructure includes 500 websites, each with 7 vulnerable CMS systems installed. All of them redirect to a pool of virtualized servers hosted on Eurecom premises. The analysis of the data collected this way is still ongoing.
 

Hardening of C programs with Sidan by Pierre Karpman (ENS Cachan)

The idea is to add assertions to C code in order to detect attack attempts at run time. The tool is based on SIDAN (a plugin for Frama-C, a C source code analysis platform) and was the subject of a Master's thesis.
 

Netusse a kernel fuzzer by Clement Lecigne (Google)

The speaker introduces Netusse, a kernel fuzzer he designed in 2006, and shows how it was able to find a buffer overflow in the FreeBSD kernel.
 

System code verification by static typing, by Etienne Million (EADS-IW)

The speaker explains how to apply strong typing to Linux kernel calls and how this could help detect dangerous system calls (typically attack attempts).
 

Detection of malicious domain-names by Ronan Mouchoux (La Poste)

The speaker presents different techniques to identify suspicious domain names (for example, domain names randomly generated by malware): rule sets, Bayesian analysis, Shannon entropy computation, etc.

 

Mandatory access control on Windows 7 (by CEA)

The speaker explains how, taking SELinux as a model, he implemented a MAC model on Windows 7. As a quick reminder, MAC (Mandatory Access Control) is a stricter access control model than the usual DAC (Discretionary Access Control): access decisions are enforced by a system-wide policy instead of being left to the owner of each resource.

 

IT Judicial expert (by Zythom)

Zythom is the pseudonym of the author of a French blog dedicated to IT judicial expertise. The purpose of the presentation is to explain what a judicial expert is in France. First, he says this is not a profession but an activity, which he performs in addition to his regular job as an IT manager. He explains the steps to follow to become a judicial expert in France and gives examples of cases he has dealt with and of the tools he uses. He also explains that being a judicial expert does not make him a technical expert in every computer technology he has to deal with. When that is the case, he relies on his experience and on listening to the involved parties in order to analyse the situation and advise the judge.

 

IOS Forensics (by SOGETI ESEC)

This presentation focuses on data encryption on iOS devices. It should be noted first that Apple released, in late May 2012, its first paper on this subject.

  • Encryption appeared with iOS 3 (June 2009). It was then a full encryption of the 2 partitions of the disk (the system partition and the data partition), using a key derived from the hardware (the UID key). Once the device is booted, data is decrypted on the fly and is therefore accessible in clear text to any process running on the device.
  • Starting with iOS 4 (June 2010), it is also possible to encrypt each file individually (each file has its own key).
  • iOS 5 (October 2011) brings enhancements to the iOS 4 features.

The speakers indicate that, overall, the encryption implemented in iOS is robust. But so far very few applications (among them the Mail application) use the per-file capabilities introduced in iOS 4. For all other applications, data is not protected against malicious code running on the device.

 

Source Address Validation Improvements –SAVI (by Orange)

To address attacks that use spoofed IP addresses, the IETF created in 2008 a working group to develop a mechanism known as SAVI. In SAVI, some existing network devices, known as « SAVI entities » and located as close as possible to the source of the traffic, are in charge of verifying that the traffic they relay does not use spoofed source addresses. This can be implemented in several ways, which leads to several SAVI variants. « DHCP SAVI » is one of them: here, the SAVI entity snoops the DHCP traffic passing on the wire and learns from it which IP addresses have been assigned to which hosts on its access links. It then blocks any traffic whose source IP was never allocated by the DHCP server.

Other SAVI variants are « FCFS SAVI » (First Come First Served), « SEND SAVI » (Secure Neighbor Discovery) and « MIX SAVI ».

SAVI entities are usually deployed at the edge of the operator network, in the subscriber-facing equipment (the AN -Access Node- and the CPE -Customer Premises Equipment-). SAVI has been deployed on the CERNET network, in China.
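To make the DHCP variant concrete, the block below is a small model of a DHCP-snooping SAVI entity written for this report (it is not code from the presentation or from any SAVI implementation, and it is not a complete implementation of the SAVI-DHCP specification). The entity notes which access port a client sent its DHCP request on, creates a binding (port, MAC, IP, lease expiry) when the DHCP ACK comes back on the trusted uplink port, and then only forwards packets whose source address is bound to the port and MAC they arrive from. DHCP messages themselves are modelled as dicts with the fields the entity needs; the port names, addresses and timestamps are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    ip: str
    mac: str
    port: str        # access port the host is attached to
    expires: float   # absolute time (seconds) at which the DHCP lease ends


class SaviEntity:
    """Model of a DHCP-snooping SAVI entity (illustration, not RFC 7513 code).
    Bindings are learned from DHCP ACKs seen on trusted (server-facing) ports and
    enforced on untrusted access ports."""

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)
        self.pending = {}    # chaddr -> access port that sent DISCOVER/REQUEST
        self.bindings = {}   # (port, mac, ip) -> Binding

    def observe_dhcp(self, port: str, msg: dict, now: float) -> str:
        """Snoop one decoded DHCP message seen on `port`; returns what was done."""
        kind = msg["type"]
        if kind in ("DISCOVER", "REQUEST") and port not in self.trusted_ports:
            self.pending[msg["chaddr"]] = port
            return f"noted client {msg['chaddr']} on {port}"
        if kind == "ACK":
            if port not in self.trusted_ports:
                return "ignored ACK from untrusted port (rogue DHCP server?)"
            client_port = self.pending.get(msg["chaddr"])
            if client_port is None:
                return "ignored ACK without a prior request"
            b = Binding(msg["yiaddr"], msg["chaddr"], client_port, now + msg["lease"])
            self.bindings[(client_port, b.mac, b.ip)] = b
            return f"bound {b.ip} to {b.mac} on {client_port}"
        if kind == "RELEASE" and port not in self.trusted_ports:
            removed = self.bindings.pop((port, msg["chaddr"], msg["ciaddr"]), None)
            return "released" if removed else "no such binding"
        return "ignored"

    def validate(self, port: str, src_mac: str, src_ip: str, now: float) -> bool:
        """Forwarding decision for an IP packet arriving on `port`."""
        if port in self.trusted_ports:
            return True                      # validation is applied on access ports only
        if src_ip == "0.0.0.0":
            return True                      # DHCP DISCOVER/REQUEST from a not-yet-bound host
        b = self.bindings.get((port, src_mac, src_ip))
        if b is None:
            return False                     # address never allocated to this host/port
        if b.expires <= now:
            del self.bindings[(port, src_mac, src_ip)]
            return False                     # lease ended: binding dropped
        return True


def demo() -> dict:
    """Constructed sequence of events on a small access switch; returns the verdicts."""
    savi = SaviEntity(trusted_ports={"uplink"})
    t = 0.0
    savi.observe_dhcp("port1", {"type": "REQUEST", "chaddr": "aa:aa:aa:aa:aa:aa"}, t)
    savi.observe_dhcp("uplink", {"type": "ACK", "chaddr": "aa:aa:aa:aa:aa:aa",
                                 "yiaddr": "192.0.2.10", "lease": 3600}, t)
    rogue = savi.observe_dhcp("port2", {"type": "ACK", "chaddr": "bb:bb:bb:bb:bb:bb",
                                        "yiaddr": "203.0.113.5", "lease": 3600}, t)
    return {
        "bound host":            savi.validate("port1", "aa:aa:aa:aa:aa:aa", "192.0.2.10", 10.0),
        "spoofed neighbour IP":  savi.validate("port2", "bb:bb:bb:bb:bb:bb", "192.0.2.10", 10.0),
        "unallocated IP":        savi.validate("port1", "aa:aa:aa:aa:aa:aa", "198.51.100.7", 10.0),
        "dhcp bootstrap":        savi.validate("port2", "bb:bb:bb:bb:bb:bb", "0.0.0.0", 10.0),
        "rogue ack honoured":    rogue.startswith("bound"),
        "after lease expiry":    savi.validate("port1", "aa:aa:aa:aa:aa:aa", "192.0.2.10", 4000.0),
    }


if __name__ == "__main__":
    for event, forwarded in demo().items():
        print(f"{event:22s} -> {'forward' if forwarded else 'drop'}")
```

The binding is keyed on the port as well as the MAC and IP, which is what stops a host on another access port from borrowing its neighbour's address; the rogue-server case shows why ACKs are only learned from trusted ports.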

 

Malicious usage of connection tracking (by Eric Leblond)

The speaker explains that the Netfilter « connection tracking » feature (accessible via the "conntrack" command) causes problems when some "helper" modules are enabled. "Helpers" are plugin modules that allow Netfilter to support protocols which dynamically create network flows (such as FTP, H.323, SIP or IRC). For example, there is a helper for FTP: it watches the FTP control traffic, detects when a data connection is about to be opened, and asks Netfilter to allow this connection because it is related to a legitimate FTP session. If an attacker manages to deceive a helper, it may be possible to open arbitrary connections through the firewall.

Some exotic helpers are clearly dangerous (e.g. the FTP helper in "loose" mode, or the IRC helper). But attacks may also be possible with regular helpers, if the attacker generates spoofed traffic that appears to come from the server. As an example, the speaker presented a program called "opensvp", which generates spoofed FTP packets in order to open TCP port 22 on the firewall. Such an attack could apparently succeed against a Check Point firewall if its configuration is not strict enough…
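The block below is a toy model of an FTP helper, written for this report to show the mechanism behind the attack described above; it is not Netfilter's code, opensvp, or any firewall's implementation. The helper parses the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and registers an expectation allowing the client to reach that address and port. Two checks decide whether a forged reply succeeds: the address check (the "loose" switch: does the helper accept a data address other than the FTP server's own?) and the TCP state check (does the firewall's tracker even hand the packet to the helper, which in this model means its sequence number falls in the expected window?). Addresses, ports and sequence numbers are constructed for the example, and the single-window state check is a simplification of real TCP tracking.

```python
import re
from dataclasses import dataclass

# 227 reply as sent by an FTP server in passive mode.
PASV_REPLY = re.compile(rb"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass
class ControlConn:
    client: tuple           # (ip, port) of the FTP client
    server: tuple           # (ip, 21) of the FTP server
    server_next_seq: int    # next byte the tracker expects from the server
    window: int = 65535     # server-to-client receive window (simplified)


class FtpHelperModel:
    """Model of a firewall FTP helper (illustration only, not Netfilter's code)."""

    def __init__(self, loose: bool = False):
        self.loose = loose               # accept data addresses other than the server's?
        self.expectations = set()        # (client_ip, data_ip, data_port)

    def observe(self, conn: ControlConn, src, dst, seq: int, payload: bytes) -> str:
        """Feed one server-to-client control packet; returns the helper's verdict."""
        if (src, dst) != (conn.server, conn.client):
            return "not-on-control-connection"
        if not (conn.server_next_seq <= seq < conn.server_next_seq + conn.window):
            return "invalid-tcp-state"   # tracker drops it; the helper never runs
        conn.server_next_seq = seq + len(payload)
        m = PASV_REPLY.match(payload)
        if not m:
            return "no-pasv-reply"
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        data_ip, data_port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        if data_ip != conn.server[0] and not self.loose:
            return "rejected-foreign-address"   # strict mode: data channel must be on the server
        self.expectations.add((conn.client[0], data_ip, data_port))
        return f"expect {conn.client[0]} -> {data_ip}:{data_port}"

    def allows(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (src_ip, dst_ip, dst_port) in self.expectations


def scenario(loose: bool = False) -> dict:
    """Constructed sequence: a real PASV reply, then forged ones; each entry
    records the helper's verdict and whether port 22 on the server is now reachable."""
    helper = FtpHelperModel(loose)
    conn = ControlConn(client=("192.0.2.10", 40000), server=("203.0.113.5", 21), server_next_seq=1000)
    client_ip, server_ip = conn.client[0], conn.server[0]
    out = {}

    # 1. Genuine reply from the server: data port 195*256+80 = 50000 is opened.
    v = helper.observe(conn, conn.server, conn.client, 1000,
                       b"227 Entering Passive Mode (203,0,113,5,195,80)\r\n")
    out["legit"] = (v, helper.allows(client_ip, server_ip, 50000))

    # 2. Forged "server" packet with a wrong sequence number: rejected by state tracking.
    v = helper.observe(conn, conn.server, conn.client, 5,
                       b"227 Entering Passive Mode (203,0,113,5,0,22)\r\n")
    out["spoof_bad_seq"] = (v, helper.allows(client_ip, server_ip, 22))

    # 3. Forged packet with an in-window sequence number: the hole to port 22 opens.
    v = helper.observe(conn, conn.server, conn.client, conn.server_next_seq,
                       b"227 Entering Passive Mode (203,0,113,5,0,22)\r\n")
    out["spoof_good_seq"] = (v, helper.allows(client_ip, server_ip, 22))

    # 4. Forged reply pointing at a third host: only honoured in loose mode.
    v = helper.observe(conn, conn.server, conn.client, conn.server_next_seq,
                       b"227 Entering Passive Mode (10,0,0,9,0,22)\r\n")
    out["third_party"] = (v, helper.allows(client_ip, "10.0.0.9", 22))
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("loose" if mode else "strict")
        for step, (verdict, port22) in scenario(mode).items():
            print(f"  {step:15s} {verdict:32s} port 22 open: {port22}")
```

Step 3 is the uncomfortable part: the address check is satisfied because the forged reply names the server itself, so the only thing standing between the attacker and an open port 22 is how strictly the firewall checks that the packet really belongs to the tracked control connection. That is the sense in which a configuration that is "not strict enough" makes the attack possible.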

 

Influence of good practices on BGP incidents (by ANSSI and Orange)

This presentation focuses on BGP incidents, and in particular on the problems caused by the announcement of wrong BGP routes: by announcing wrong routes, the operator of a network can cause arbitrarily chosen remote traffic to be routed to its network. This type of incident occurs quite frequently, and most often by accident rather than as an attack. Tools that monitor BGP announcements (such as BGPmon) are very effective at detecting such incidents, which allows remediation actions to be triggered quickly in order to clean up the BGP routing tables. Other examples of incidents and the associated remediation methods are also presented.

 

Success and limitations of static binary analysis (by Halvar Flake)

The purpose of the presentation is to analyse the effectiveness of the tools built to detect security vulnerabilities, specifically those which use a source code analysis approach (or binary reverse engineering) rather than a « black box » fuzzing approach. Much progress has been made in this area, with the appearance of techniques such as « symbolic execution », « concolic execution » or « SMT solvers ». But the speaker shows that such tools can have trouble detecting a vulnerability in some very simple source code. For example, it is very difficult for such a tool to detect the vulnerability found in 2003 in the "crackaddr()" function of sendmail (see this article for details).

To face this difficulty, he proposes a surprising but pragmatic approach: ask developers to systematically run the vulnerability discovery tool on the code they write, and to simplify that code whenever the tool reports that it is too complex to be analysed.

 

Miasm: a reverse engineering framework (by CEA)

Miasm is a tool developed to facilitate reverse engineering. It allows the user to manipulate an executable by translating it into Miasm's own intermediate language. Miasm is then able to perform symbolic execution (it simulates the execution of the binary). In terms of functionality, Miasm is very similar to the Metasm tool. It was started in 2007 and has been publicly available since July 2011. Miasm can be complemented with elfesteem (to generate a real executable from the program being analysed in Miasm) or grandalf (to generate a graphical view of the executable). The latter is expected to evolve into a tool comparable to IDA Pro, to be called "Frida" (which sounds like "Free IDA"...).

 

Reverse engineering and debugging a Qualcomm baseband (by Sogeti ESEC)

The presentation focuses on the « baseband » component of a Qualcomm 3G USB key. The baseband is the specialized processor which, in a smartphone, handles all the telephony aspects (alongside the application processor which runs the phone's OS). The speaker explained how he managed to dump the firmware of the 3G key and then analyse it.

 

The French strategy to protect and defend the military cyberspace

This closing presentation of the conference was given by Commodore Coustillière, the General Officer for Cyber Affairs in the French Ministry of Defence. He presented the Ministry's cyber-defence strategy. His presentation clearly shows that cyber-defence is a major objective and that the Ministry is making large efforts in this area.

 
