As part of our seminar "La Cybersécurité sur un plateau" (Cybersecurity on a Plate), we will have two presentations on Tuesday 11 March. The CoaP seminar will take place at 10:30 in the IMT/TP/TSP building, room 3.A213.
If you are attending for the first time, do not hesitate to contact the organisers so that you are not held up at the entrance.
Nicolas Peiffer (Thales) - A Journey Through SBOMs and Software Provenance Attestations in the Industry: Cryptography BOM, Patents BOM, ML-AI BOM, Meta-BOM…
Abstract: In Europe, the Cyber Resilience Act (EU CRA) is being implemented to encourage, through regulations and laws, companies and open-source software communities to develop more secure software. The EU CRA is often referred to as the "GDPR for software": although the directive is now in effect, many entities are not yet prepared and face technical and organizational questions that they will need to address in order to comply with the legislation. This presentation will share Thales' experience regarding Software Bills of Materials (SBOMs) and software provenance attestations, such as in-toto and SLSA. It will particularly focus on "exotic BOMs," including Cryptography BOM, Patents BOM, ML-AI BOM, and Meta-aggregated-BOM, for which there are few or no suitable tools available. The presentation will also discuss the challenges associated with the Meta-aggregated-BOM in the context of "system of systems." Finally, it will highlight Thales' open-source contributions to the CycloneDX BOM format.
Guilhem Lacombe (CEA) - Attacker Control and Bug Prioritization
Abstract: As bug-finding methods improve, bug-fixing capabilities are exceeded, resulting in an accumulation of potential vulnerabilities. There is thus a need for efficient and precise bug prioritization based on exploitability. In this work, we explore the notion of control of an attacker over a vulnerability's parameters, which is an often overlooked factor of exploitability. We show that taint as well as straightforward qualitative and quantitative notions of control are not enough to effectively differentiate vulnerabilities. Instead, we propose to focus analysis on feasible value sets, which we call domains of control, in order to better take into account threat models and expert insight. Our new Shrink and Split algorithm efficiently extracts domains of control from path constraints obtained with symbolic execution and renders them in an easily processed, human-readable form. This in turn allows us to automatically compute more complex control metrics, such as weighted Quantitative Control, which factors in the varying threat levels of different values. Experiments show that our method is both efficient and precise. In particular, it is the only one able to distinguish between vulnerabilities such as CVE-2019-14192 and CVE-2022-30552, while revealing a mistake in the human evaluation of CVE-2022-30790. The high degree of automation of our tool also brings us closer to a fully-automated evaluation pipeline.
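To make the distinction the abstract draws concrete, here is a small added illustration (it is not the speaker's tool, and it does not model the CVEs named above). Path constraints are written as Python predicates over one 16-bit attacker-controlled parameter, and the domain of control is obtained by brute-force enumeration rather than by the talk's Shrink and Split algorithm, which works on symbolic path constraints. The two constructed constraints, `path_small_copy` and `path_large_copy`, are tainted, "partially controlled" and of equal size, so taint and plain quantitative control cannot tell them apart; only a threat-weighted metric does. The weighting formula and the threat function are assumptions chosen for the example.

```python
"""Toy illustration of domains of control for bug prioritisation.

Added example, not the speaker's tool. Path constraints are modelled as
predicates over a single 16-bit parameter and the feasible value set is
enumerated; the talk's Shrink and Split instead extracts it from symbolic
path constraints. Threat weights and the weighted metric are assumptions.
"""
from typing import Callable, List, Tuple

BITS = 16
UNIVERSE = range(1 << BITS)
BUF_SIZE = 256  # constructed: size of the destination buffer at the sink


def domain_of_control(path_constraint: Callable[[int], bool]) -> List[int]:
    """Feasible value set of the parameter under the path constraint."""
    return [v for v in UNIVERSE if path_constraint(v)]


def to_intervals(values: List[int]) -> List[Tuple[int, int]]:
    """Render a value set as closed intervals, the human-readable form."""
    intervals: List[Tuple[int, int]] = []
    for v in sorted(values):
        if intervals and intervals[-1][1] == v - 1:
            intervals[-1] = (intervals[-1][0], v)
        else:
            intervals.append((v, v))
    return intervals


def tainted(domain: List[int]) -> bool:
    """Taint only says the attacker influences the value at all."""
    return len(domain) > 1


def qualitative_control(domain: List[int]) -> str:
    """Coarse three-way classification: none / partial / full."""
    if len(domain) == len(UNIVERSE):
        return "full"
    return "partial" if len(domain) > 1 else "none"


def quantitative_control(domain: List[int]) -> float:
    """Fraction of the universe the attacker can reach (unweighted)."""
    return len(domain) / len(UNIVERSE)


def weighted_quantitative_control(domain: List[int],
                                  threat: Callable[[int], float]) -> float:
    """Threat mass of the feasible values over the threat mass of the
    universe. Assumed definition for illustration, not the paper's."""
    total = sum(threat(v) for v in UNIVERSE)
    return sum(threat(v) for v in domain) / total


# Constructed path constraints (assumptions, not derived from real code).
def path_small_copy(n: int) -> bool:      # copy length bounded below BUF_SIZE
    return n < BUF_SIZE


def path_large_copy(n: int) -> bool:      # copy length forced near 2**16
    return n >= (1 << BITS) - BUF_SIZE


def path_two_ranges(n: int) -> bool:      # disjoint feasible ranges
    return (n >> 8) == 0x10 or n >= 0xFFF0


def overflow_threat(n: int) -> float:
    """Constructed threat model: lengths beyond the buffer are dangerous."""
    return 1.0 if n > BUF_SIZE else 0.1


def prioritise(constraint: Callable[[int], bool],
               threat: Callable[[int], float]) -> dict:
    """All four notions of control for one vulnerability parameter."""
    dom = domain_of_control(constraint)
    return {
        "domain": to_intervals(dom),
        "tainted": tainted(dom),
        "qualitative": qualitative_control(dom),
        "quantitative": quantitative_control(dom),
        "weighted": weighted_quantitative_control(dom, threat),
    }


if __name__ == "__main__":
    for name, c in [("small_copy", path_small_copy),
                    ("large_copy", path_large_copy),
                    ("two_ranges", path_two_ranges)]:
        print(name, prioritise(c, overflow_threat))
```

Running the script shows the two equal-sized domains ranking identically under taint, qualitative and quantitative control, and differing only once a threat model weights the values; the third constraint shows why a split into several intervals is the natural readable rendering of a domain.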