Report on the security conference INSA-2014

The French Engineering school INSA, and the LAAS-CNRS research institute have organized a one-day conference on security in Toulouse on January 23^rd, 2014. A set of famous French and Belgium speakers were invited to speak during this day. They have presented subjects mostly oriented on research (among topics such as big data, intrusion detection or cryptographic robustness) or on highly technical topics (such as hardware backdoors, mass scanning, or pen-test against avionic devices).

 

We present below a quick report for this day. The presentation material will be available shortly on the conference website.

 

 

By: Marc Dacier (Symantec Research Lab)

 

The speaker presented 2 research projects of Symantec Research Lab: WINE and TRIAGE. Both are the continuation of works initialized within the European project WOMBAT, which we described in 2009 in 2 articles: The state-of-the-art for Honeypot systems and Report for the SSTIC 2009 conference.

 

WINE (Worldwide Intelligence Network Environment) is a platform available for researchers upon request. It provides real data sets collected by Symantec from various security sensors, and ensures that these datasets are properly archived and could be replayed. The objective of this project is to provide a "scientific" environment to conduct experiments under controlled conditions. A description of the WINE platform is available here: www.symantec.com/WINE 

 

TRIAGE is a data-mining technique that can be used to identify similarities that exist in a dataset. For example, when applied to a dataset made of malicious emails, TRIAGE is able to identify all emails belonging to the same attack campaign and to describe how the campaign did evolve (by showing the successive changes that occurred, such as the change in the subjects of email at sites relay attacks, etc. ..). The TRIAGE method used similarity search techniques (such as the Choquet ‘s integrals technique) to identify MCD (Multi Dimensional Cluster) in the dataset. MCD visualization is then done by using www.vis-sense.eu (a European project on data visualization). A more complete description of TRIAGE by Symantec (and example of MCD visualization) is available here.

 

More on WOMBAT: http://www.syssec-project.eu/m/page-media/23/bic2011-05-ioannidis.pdf

More on WINE and TRIAGE: http://seminaire-dga.gforge.inria.fr/2012/20130607-FredHollowood.pdf

 

               

 

By: Loic Duflot (Manager of the « Sous-direction Expertise » at the French ANSSI gov-agency)

 

After a short presentation on the ANSSI, the speaker used a series of examples to demonstrate that there are many topics to explore in the field of hardware security and hardware level backdoors:

Experience shows that until recently, hardware components have mostly been designed without taking into account possible attacks, and few defenses have been put in place. This opens a wide field of insecurity for all these equipments. The speaker concluded his presentation by recommending:

 

 

By: Frédéric Raynal (Founder of QuarksLab company)

 

The speaker presented an internal project by QuarksLab, which aims at performing large-scale scans to build a database containing information about all the computers found in a country or a large company.

The approach to achieve this is to:

The speaker explained the various aspects that lead him to adopted this approach, and in particular:

In terms of performance, the speaker said that the scan of a whole country such as Luxembourg (1 million IPs), with 3 machines, and limited to the top 20 ports, requires about 12 hours. By comparison, the same type of scan, using the Amazon Cloud service with 80 virtual machines, could have been done in 45 minutes. It is possible to use faster scanners, such as masscan (see the "data-plane networking" section of our Brucon-2013 report) or zmap, but the flow of generated data and the consumed bandwidth then introduce nontrivial problems.

 

The speaker mentioned several other similar works: Rapid7, Internet Census 2012, Shodan, or even the LHKF project (Low Hanging Kiwi Fruits, see this presentation from Hack.Lu-2011). Finally, he mentioned a U.S. company (Endgame System) which, according to secret documents stolen from HBGary, sells the same kind of service to U.S. government agencies (see this article from the website Risky.biz for more details).

 

 

By: Ludovic Mé (Research supervisor at Supelec/INRIA/CNRS)

 

The speaker first made a brief recap on the general principles driving intrusion detection. He explained in particular:

He then noted the difficulty in obtaining good results with the current IDS. This "failure" is due in particular to a statistical phenomenon known as "base-ref fallacy". This leads to a situation where an IDS with a theoretical detection rate of 90%, will actually trigger 92% of false alarms.

To improve the IDS two possible approaches were considered:

For this latter approach, the speaker presented a list of ideas and exposed in more details two of them:

In conclusion, the speaker gave a series of recommendations to develop new approaches for IDS:

 

 

By: Jean-Jacques Quisquater (Cryptographer, Professor Emeritus of the Catholic University of Louvain)

 

Jean-Jacques Quisquater is a world renowned expert in cryptography. The purpose of the presentation was to know whether the RSA algorithm had been broken. And after listening to his brilliant presentation, we must recognize that real doubts exist.

 

First, he recalled that the robustness of the RSA algorithm (invented in 1977) relies on the difficulty of factoring large numbers. But there are several examples in the history where mathematicians were able to factor very large numbers (in 1643 Fermat was able to factor the Mersenne number, and at the end of the 19th century several scientists were able to factor the Jevons’ number), and nobody knows the method they used to get there. It is therefore possible that a forgotten (or still undiscovered) mathematical method exists to break RSA. If such a discovery ever happens, this will have catastrophic consequences because the RSA algorithm is used everywhere in all security solutions.

 

The assumption that a method for breaking RSA might exist is obviously taken very seriously. For instance, the U.S. government organized a closed seminar in January 2013, entitled "The end of RSA" (which was attended by the speaker) intending to provide recommendations to DoD to prepare for this eventuality. The slides for this event are available on the CATACRYPT 2013 website.

 

 

By: Stéphane Duverger and Benoît Camredon (Airbus Group - Innovation Works)

 

The speakers gave a feedback to the audience about intrusive audits they have performed on avionics products. One of the main difficulties they encountered is the fact that the audited hardware was very exotic:

A huge effort was then needed to understand how the equipment works (a Google search is very unlikely to provide an answer here!) and to find in it similarities with known IT systems and ideas for possible attacks.

 

Another difficulty was the limited availability of audited equipments. They are often only available on a test bench, with strict planning for the intervention of all the specialists. Also, the test bench sometimes provides no tool adapted to pen-tester needs (such as execution traces), and it is often difficult to verify whether the attack that has been tested produced a significant result.

 

 

 

This conference day for both students and industrials was a first for the Toulouse INSA School. This was a real success, with a set of very high quality presentations all along the day. These presentations addressed both research topics and highly technical subjects; this mix was an ideal ground for sharing ideas among attendees whose were academics, students and professionals.