Report for the SSTIC 2014 conference (Part 2 of 2)

Date : July 07, 2014

In June, Cert-IST attended the SSTIC security conference in Rennes (France).

Last month, we published the first part of our report on this event. We now publish the second part, continuing our review of each presentation.


[Reverse] Bootkit revisited (by Sogeti)

On x64 versions of Windows, kernel drivers must be signed, which makes kernel rootkits difficult to implement on Windows x64. To bypass this protection, some malware (e.g. the TDL family) has been using, since 2010, an attack named “Bootkit”: the malware takes control of the computer at boot time (thanks to an infected MBR) and monitors the Windows boot sequence. When Windows is launched, the malware surreptitiously inserts a rootkit into the list of Windows native drivers (no signed driver is required here). Up to now, such malware has monitored the boot sequence by hooking disk read accesses. The speaker describes a new method that does not depend on monitoring disk access patterns: it only monitors the processor state changes (from real mode to protected mode, and then to long mode) to detect boot progression and Windows startup.


[Cloud] Remote integrity tests of Virtual machines Hypervisors assisted by hardware (by CNRS/LAAS Toulouse)

The presentation focuses on the security of virtualized environments, and especially those used in Cloud offerings. The speaker suggests adding to servers a PCI card whose aim is to monitor the integrity of the server memory space (via DMA accesses) and to detect attacks against the hypervisor. To achieve this, the PCI card locates the EPT (Extended Page Tables) in RAM and monitors them.

This solution is built on the model of the IronHide PCI card (presented at SSTIC 2012, see our report), and uses it to protect virtualized environments. It is interesting to note that this subject seemed very academic two years ago, but now seems to answer real concerns. This is probably due to the Snowden revelations: adding hardware to provide more security (a PCI card that monitors server integrity) now seems very appropriate.


[Intro] Security of the mainframe systems (by Volvo IT)

This is an overview of IBM z/OS systems and of the security mechanisms available on them. The presentation is mainly intended for people who do not know these environments. Reading the article that accompanies the presentation material is therefore highly recommended!


[Network] Network Recon on large scale: port scan is not dead (by QuarksLab)

This presentation is similar to the one given by the same speaker at INSA in January 2014 (see our report). This time, the presentation goes into more detail about the tool architecture (a scheduler distributes tasks to agents) and its Python components (“libleeloo” to distribute IP addresses and “Nodescan” to scan targets).


[Intro] Cryptocoding (by Jean-Philippe Aumasson)

The speaker is a cryptography expert. He explains that developing cryptographic code is very complex because multiple competencies are required: software engineering, security and cryptography. He is a member of the cryptocoding.net project, which aims at documenting best practices for crypto-coding. The speaker also comments on Heartbleed and OpenSSL: he shows that OpenSSL is very complex (because it supports too many cipher suites and too many operating systems) and that its code is difficult to understand (which makes peer review very difficult). He reviews the existing alternatives (including Mozilla's NSS, GnuTLS and LibreSSL), but none of them is satisfactory.


[SmartCard] Buy it, use it, break it ... fix it: Caml Crush, a PKCS#11 screening proxy (by ANSSI)

PKCS#11 is an API defining the exchanges with cryptographic devices such as HSMs (Hardware Security Modules) and crypto smartcards. There are very few public tools for PKCS#11. In 2011, Graham Steel presented at SSTIC a tool named Tookan to detect anomalies in PKCS#11-compatible devices (see our report). This year, the ANSSI presented a tool (written in CAML) to block attack attempts (for example the “Wrap/Decrypt” confusion attack). It is a PKCS#11 proxy that receives all the PKCS#11 requests and analyses them before passing them on to the PKCS#11 device.
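To make the screening idea concrete, here is an added example (not the ANSSI Caml Crush code, and written in Python rather than CAML) of a toy proxy that keeps a shadow copy of key attributes and refuses the request sequences behind the Wrap/Decrypt confusion: a key allowed to both wrap other keys and decrypt data lets a caller wrap a sensitive key and then decrypt the result, obtaining the sensitive key in clear. The key model, the request functions and the policy are assumptions; only the attribute and return-code names mirror PKCS#11.

```python
"""Toy PKCS#11 screening proxy: a simplified model of a filter that inspects
every request before forwarding it to the token. Added example, not the ANSSI
Caml Crush code; the key model, request functions and policy are assumptions.
Attribute and return-code names mirror PKCS#11 (CKA_*, CKR_*)."""
from dataclasses import dataclass, field

# Attribute pairs that must never both be TRUE on one key. A key able to both
# wrap keys and decrypt data lets a caller wrap a sensitive key, then decrypt
# the wrapped blob and read the sensitive key in clear.
CONFLICTS = [
    (frozenset({"CKA_WRAP", "CKA_DECRYPT"}), "wrap/decrypt confusion"),
    (frozenset({"CKA_UNWRAP", "CKA_ENCRYPT"}), "unwrap/encrypt confusion"),
]


@dataclass
class KeyObject:
    handle: int
    attrs: set = field(default_factory=set)     # CKA_* attributes set to TRUE
    used_for: set = field(default_factory=set)  # operations already performed


def conflicting(attrs):
    """Name of the first forbidden attribute combination in attrs, or None."""
    for pair, name in CONFLICTS:
        if pair <= attrs:
            return name
    return None


class ScreeningProxy:
    """Keeps a shadow copy of every key's attributes so that requests can be
    policed without trusting the token to refuse dangerous templates."""

    def __init__(self):
        self.keys = {}
        self.next_handle = 1

    def c_create_object(self, template):
        attrs = set(template)
        why = conflicting(attrs)
        if why:
            return "CKR_TEMPLATE_INCONSISTENT", why
        handle, self.next_handle = self.next_handle, self.next_handle + 1
        self.keys[handle] = KeyObject(handle, attrs)
        return "CKR_OK", handle

    def c_set_attribute_value(self, handle, attr, value):
        key = self.keys[handle]
        if not value:
            key.attrs.discard(attr)
            return "CKR_OK", handle
        why = conflicting(key.attrs | {attr})
        # Sticky rule: clearing CKA_WRAP after wrapping does not make a key
        # safe for decryption, the blobs it wrapped still exist.
        if why is None and attr == "CKA_DECRYPT" and "wrap" in key.used_for:
            why = "key has already been used for wrapping"
        if why:
            return "CKR_ATTRIBUTE_READ_ONLY", why
        key.attrs.add(attr)
        return "CKR_OK", handle

    def c_wrap_key(self, wrapping_handle, target_handle):
        wk = self.keys[wrapping_handle]
        # Checked again here in case the token was populated before the proxy
        # started shadowing it.
        if "CKA_WRAP" not in wk.attrs or "CKA_DECRYPT" in wk.attrs:
            return "CKR_KEY_FUNCTION_NOT_PERMITTED", "not a clean wrapping key"
        wk.used_for.add("wrap")
        return "CKR_OK", f"wrapped key {target_handle}"

    def c_decrypt(self, handle):
        key = self.keys[handle]
        if "CKA_DECRYPT" not in key.attrs or "wrap" in key.used_for:
            return "CKR_KEY_FUNCTION_NOT_PERMITTED", "key is a wrapping key"
        return "CKR_OK", "plaintext"


if __name__ == "__main__":
    proxy = ScreeningProxy()
    print(proxy.c_create_object({"CKA_WRAP", "CKA_DECRYPT"}))   # refused
    rc, wrap_key = proxy.c_create_object({"CKA_WRAP"})
    rc, secret = proxy.c_create_object({"CKA_SENSITIVE", "CKA_ENCRYPT"})
    print(proxy.c_wrap_key(wrap_key, secret))                    # allowed
    print(proxy.c_set_attribute_value(wrap_key, "CKA_WRAP", False))
    print(proxy.c_set_attribute_value(wrap_key, "CKA_DECRYPT", True))  # refused
```

The shadow copy is the important design choice: the proxy decides from what it has seen, not from what the token reports, so a token that accepts inconsistent templates is still protected. A real deployment would also have to learn the attributes of keys that already exist on the token, which this toy model does not cover.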


[Intro] Martine sets up a CERT (by Airbus)

The speaker gives feedback on the activities of the Airbus CERT. He focuses specifically on APT attack cases, and shows that:

  • these attacks are not always advanced;
  • most of the time they are discovered by external organisations (they are reported by other CERTs);
  • classical forensics (raw copy of the disk) is quickly becoming impossible when the attack affects a large number of computers.


[Reverse] Build an Intermediary Representation for concolic execution and data tainting on Windows (by DGSIC)

The speaker explains how he ported the Fuzzgrind fuzzing tool (presented at SSTIC in 2009, see our report) to Windows. Most of the components required to implement this tool already exist on Windows (such as Z3 for constraint solving, or PIN for code instrumentation). But one is missing: an intermediate representation has to be created to implement concolic execution (“concolic” is a word built from “concrete” and “symbolic”, and designates a technique for dynamic symbolic execution of code). The main part of the presentation covers this topic.


[Reverse] Python code obfuscation: improving the existing techniques (by QuarksLab)

This is a very complex presentation, but well-titled: it explains how to obfuscate Python code so as to make it very (very) difficult to reverse-engineer.


[Reverse] DRM deobfuscation, thanks to auxiliary attacks (by QuarksLab)

Another very complex presentation, which tackles the problem opposite to the one covered by the previous presentation: how to reverse-engineer highly obfuscated code. Instead of the usual reverse-engineering approach (launching IDA to analyse the code), the approach here is to run the code and to record (in a huge MongoDB database) the instructions executed. The collected data can later be crawled to find significant patterns. For example, cryptographic algorithms can easily be spotted that way by looking for specific constants (for example the initialization values of SHA-1). A tool, named Ptra (Python Trace Analyzer), was developed to implement this approach.
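The constant-hunting step described above, as an added example (not the Ptra tool): it walks a textual execution trace, collects every immediate operand with the address where it first appears, and reports the algorithms whose public constants were all observed. The trace format (one executed instruction per line: address, then mnemonic and operands) and the sample trace are constructed; the constant tables are the published MD5, SHA-1 and SHA-256 values.

```python
"""Spot cryptographic code in an execution trace by looking for its public
constants. Added example, not the Ptra tool; the trace format (one line per
executed instruction: address, then mnemonic and operands) and the sample
trace below are constructed."""
import re

# Well-known constants. MD5 and SHA-1 share their first four initialization
# words, so only the fifth word or the round constants tell them apart.
KNOWN_CONSTANTS = {
    "MD5 IV": {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476},
    "SHA-1 IV": {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0},
    "SHA-1 round constants": {0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6},
    "SHA-256 IV": {0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                   0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19},
}

# Constructed trace excerpt: a SHA-1 state initialization followed by the
# four round-constant additions, scattered among other instructions.
TRACE = """\
0x00401000 push ebp
0x00401001 mov ebp, esp
0x00401003 mov dword ptr [ebp-0x14], 0x67452301
0x0040100a mov dword ptr [ebp-0x10], 0xefcdab89
0x00401011 mov dword ptr [ebp-0xc], 0x98badcfe
0x00401018 mov dword ptr [ebp-0x8], 0x10325476
0x0040101f mov dword ptr [ebp-0x4], 0xc3d2e1f0
0x00401026 xor eax, eax
0x00401100 add edx, 0x5a827999
0x00401200 add edx, 0x6ed9eba1
0x00401300 add edx, 0x8f1bbcdc
0x00401400 add edx, 0xca62c1d6
"""


def scan_immediates(trace):
    """Map each immediate value in the trace to the address of the
    instruction where it first appears (the address itself is skipped)."""
    first_seen = {}
    for line in trace.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) < 2:
            continue
        address, instruction = parts
        for hexval in re.findall(r"0x([0-9a-fA-F]+)", instruction):
            first_seen.setdefault(int(hexval, 16), address)
    return first_seen


def identify(trace):
    """Return (algorithm, first address) pairs for every constant set that was
    fully observed, dropping a set that is a strict subset of another hit
    (MD5 IV when the full SHA-1 IV was seen)."""
    seen = scan_immediates(trace)
    values = set(seen)
    hits = {}
    for name, consts in KNOWN_CONSTANTS.items():
        if consts <= values:
            hits[name] = min((seen[c] for c in consts), key=lambda a: int(a, 16))
    for name in list(hits):
        for other in hits:
            if other != name and KNOWN_CONSTANTS[name] < KNOWN_CONSTANTS[other]:
                hits.pop(name)
                break
    return sorted(hits.items(), key=lambda item: int(item[1], 16))


if __name__ == "__main__":
    for algorithm, address in identify(TRACE):
        print(f"{algorithm} first seen at {address}")
```

On a real trace the immediates would come from the recorded instruction stream rather than a text file, and the same table lookup works for S-boxes or round keys as long as the constants are loaded as immediates or stored in a known table layout.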


[Intro] Example of security hardening on Critical Infrastructure (by EDF)

The speaker describes EDF's internal organization for computer security matters in its nuclear program divisions. He also explains some of the advantages brought by the company's strong culture of critical industrial systems. These include strong habits of preparation and formalization (writing procedures and following them diligently) as well as rigorous analysis of incidents and lessons learnt (performing root cause analysis, and enhancing procedures to prevent recurrence).


[Cloud] Security of dynamic resource allocation on Cloud systems (By Orange)

This presentation focuses on an attack specific to Cloud environments: disrupting the operation of a Cloud service by causing unnecessary VM migrations. The overall principle of this attack is the following: if an attacker has a VM in a Cloud service, he can try to disrupt the other VMs located in the same Cloud infrastructure by increasing the activity of his own VM. If such an increase exceeds a given threshold, the Cloud supervision system will decide to solve the issue by migrating some VMs to other hosts, and this decreases the service performance. The speaker presents the outcomes of the experiments made on this topic with VMware:

  • The DRS (Distributed Resource Scheduler) component of VMware, which is responsible for allocating resources to the running hosts, is complex and it is difficult to predict its behavior without performing experiments.
  • A tool (named AMAD: Abusive Migration Attack Detection) was developed to detect attack attempts and monitor migration events.
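The detection side of this attack, as an added example (not the AMAD tool): a burst of DRS-triggered migrations is a symptom visible to the Cloud operator, and the VMs whose load spiked on the source hosts just before the burst are the natural suspects. The log format, the thresholds and the sample events are constructed assumptions; the indicators (migration bursts, VMs bouncing between hosts, load spikes on the source hosts) follow the attack principle described above.

```python
"""Migration-burst detector: flags clusters of DRS migrations and names the VMs
whose load spiked on the source hosts just before. Added example, not the
AMAD tool; the log format, thresholds and sample events are constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed supervision log: a tenant VM spikes three times, DRS reacts with
# four migrations in a few minutes (db-02 bounces back), then a routine
# maintenance move that must not count.
LOG = """\
2014-06-04T10:00:05 host=esx01 vm=tenant-x event=cpu_high load=98
2014-06-04T10:00:40 event=migration vm=db-02 src=esx01 dst=esx02 reason=DRS
2014-06-04T10:01:10 host=esx01 vm=tenant-x event=cpu_high load=99
2014-06-04T10:01:45 event=migration vm=web-03 src=esx01 dst=esx03 reason=DRS
2014-06-04T10:02:20 event=migration vm=app-07 src=esx01 dst=esx02 reason=DRS
2014-06-04T10:02:55 host=esx01 vm=tenant-x event=cpu_high load=97
2014-06-04T10:03:30 event=migration vm=db-02 src=esx02 dst=esx01 reason=DRS
2014-06-04T11:30:00 event=migration vm=mail-01 src=esx04 dst=esx05 reason=maintenance
"""

WINDOW = timedelta(minutes=5)   # migrations closer than this form one burst
MAX_DRS_MIGRATIONS = 2          # more than this per burst is considered abusive


def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def group_bursts(migrations, window):
    """Group chronologically sorted migrations that start within one window."""
    bursts, current = [], []
    for m in migrations:
        if current and m["ts"] - current[0]["ts"] > window:
            bursts.append(current)
            current = []
        current.append(m)
    if current:
        bursts.append(current)
    return bursts


def detect(log, window=WINDOW, threshold=MAX_DRS_MIGRATIONS):
    """Return one alert per abusive burst: its span, the source hosts, the VMs
    that bounced more than once, and load-spike suspects on those hosts."""
    events = parse(log)
    drs = [e for e in events
           if e.get("event") == "migration" and e.get("reason") == "DRS"]
    alerts = []
    for burst in group_bursts(drs, window):
        if len(burst) <= threshold:
            continue
        start, end = burst[0]["ts"], burst[-1]["ts"]
        hosts = sorted({m["src"] for m in burst})
        moves = Counter(m["vm"] for m in burst)
        suspects = Counter(
            e["vm"] for e in events
            if e.get("event") == "cpu_high" and e.get("host") in hosts
            and start - window <= e["ts"] <= end)
        alerts.append({
            "start": start.isoformat(), "end": end.isoformat(),
            "migrations": len(burst), "hosts": hosts,
            "ping_pong": sorted(vm for vm, n in moves.items() if n > 1),
            "suspects": dict(suspects),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The threshold is deliberately a parameter: as the presentation notes, DRS behaviour is hard to predict, so the right value has to come from a baseline of the cluster's normal migration rate rather than from a fixed number.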


[Reverse] RpcView: a tool to explore and decompile MS RPC service endpoints (By DGA)

RpcView is a tool that lists all the RPC services running on a Windows computer. It is, for RPC, the counterpart of the SysInternals “ProcessExplorer” tool for processes. RpcView does not rely on the “Endpoint mapper” (a Microsoft component that lists all the RPC services publicly available on the computer) and consequently also lists the private RPC services set up by programs (from Microsoft or from other vendors such as Symantec, Sophos, Citrix, …). Once an RPC service has been found, RpcView decompiles the code of this service (or more precisely the service stub, which is responsible for data serialization) to recover the RPC service interface specification.


[Network] Haka: a language focused on network and security (By Arkoon)

Haka is a network packet inspection engine that can process a “pcap” file (to analyze captured network traffic), but can also be inserted inline in the Linux Netfilter firewall framework. Haka is driven by a security policy written in the Lua language (also used by Wireshark and Suricata to write dissectors). This policy describes the network traffic that must be detected and the actions to trigger when it is seen. In the future, the Haka engine might be integrated into Arkoon products.


Conclusion

The SSTIC conference is probably the best French conference for people who are fans of computer security. The topics presented are often of high technical quality, with a strong desire to share knowledge with the audience. Some articles published in the conference proceedings (e.g. those written by ANSSI) are of outstanding quality and really worth reading. If some of the topics presented in this report have interested you, we strongly recommend that you visit the SSTIC website for further reading on these subjects.
