As part of our seminar « La Cybersécurité sur un plateau » (Cybersecurity on a Plate), we will have two presentations on Tuesday 13 May. The CoaP seminar will take place at 10:30 in the IMT/TP/TSP building, room 3.A213.
If you are attending for the first time, do not hesitate to contact the organisers so that you are not held up at the entrance.
Dimitrios Kokkonis (CEA) - ROSA: Finding Backdoors with Fuzzing
Abstract: A code-level backdoor is a hidden access, programmed and concealed within the code of a program. For instance, hard-coded credentials planted in the code of a file server application would enable maliciously logging into all deployed instances of this application. Confirmed software supply-chain attacks have led to the injection of backdoors into popular open-source projects, and backdoors have been discovered in various router firmware. Manual code auditing for backdoors is challenging, and existing semi-automated approaches can only handle a limited scope of programs and backdoors, while requiring manual reverse-engineering of the audited (binary) program. Graybox fuzzing (automated semi-randomized testing) has grown in popularity due to its success in discovering vulnerabilities and hence stands as a strong candidate for improved backdoor detection. However, current fuzzing knowledge does not offer any means to detect the triggering of a backdoor at runtime. In this work we introduce ROSA, a novel approach (and tool) which combines a state-of-the-art fuzzer (AFL++) with a new metamorphic test oracle, capable of detecting runtime backdoor triggers. To facilitate the evaluation of ROSA, we have created ROSARUM, the first openly available benchmark for assessing the detection of various backdoors in diverse programs. Experimental evaluation shows that ROSA has a level of robustness, speed and automation similar to classical fuzzing. It finds all 17 authentic or synthetic backdoors from ROSARUM in 1h30 on average. Compared to existing detection tools, it can handle a diversity of backdoors and programs and it does not rely on manual reverse-engineering of the fuzzed binary code.
Bio: I am a PhD student in the BINSEC team at CEA List, working under the supervision of Stefano Zacchiroli and Michaël Marcozzi. My research is focused on the automation of the detection of advanced vulnerabilities in binary programs. I graduated from Polytech Sorbonne in 2020 with a Master's degree in Embedded Systems.
Quentin Michaud (Télécom SudParis / Thales) - Robust Stack Smashing Protection for WebAssembly
Abstract: WebAssembly is an instruction set architecture and binary format standard, designed for secure execution by an interpreter. Previous work has shown that WebAssembly is vulnerable to buffer overflows due to the lack of effective protection mechanisms. In this work, we evaluate the implementation of Stack Smashing Protection (SSP) in WebAssembly standalone runtimes, and uncover two weaknesses in their current implementation. The first one is the possibility of overwriting the SSP reference value because of the contiguous memory zones inside a WebAssembly process. The second comes from the reliance of WebAssembly on the runtime to provide randomness in order to initialize the SSP reference value, which impacts the robustness of the solution. We address these two flaws by hardening the SSP implementation in terms of storage and random generator failure, in a way that is generalizable to all of WebAssembly. We evaluate our new, more robust solution to show that the implemented improvements do not reduce the efficiency of SSP.
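The two weaknesses in the abstract can be seen in a small model. The C program below is an added illustration written for this announcement, not code from the talk or from any WebAssembly runtime: a single byte array stands in for a linear memory, the frame layout and offsets are assumptions chosen for the demonstration, and the attacker payload, the "failed randomness" value of 0 and the `reference_is_usable` check are likewise illustrative, not the speaker's design. It shows that when the SSP reference value sits in linear memory next to the frame, one contiguous overflow can overwrite both the canary slot and the reference with the same value and pass the epilogue check; that moving the reference out of guest-addressable memory catches that same payload; and that a runtime which hands out a constant instead of a random reference defeats the check even with the better placement.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model, not the talk's code. One flat byte array stands in for a
 * WebAssembly linear memory. The layout is an assumption for illustration:
 *   [0, 48)   buffer of the vulnerable frame
 *   [48, 56)  canary slot of that frame
 *   [56, 64)  other frame data
 *   [64, 72)  SSP reference value, when it is kept in linear memory
 */
#define MEM_SIZE    128
#define BUF_OFF     0
#define BUF_LEN     48
#define CANARY_OFF  (BUF_OFF + BUF_LEN)
#define REF_MEM_OFF 64

typedef struct {
    uint8_t  mem[MEM_SIZE];  /* "linear memory": every byte is guest-writable */
    uint64_t ref_outside;    /* hardened placement: not addressable from mem */
    bool     ref_in_mem;     /* true: the reference is read from mem[REF_MEM_OFF] */
} wasm_sim;

static uint64_t load_u64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void store_u64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Where the epilogue reads the reference from depends on the placement. */
static uint64_t current_ref(const wasm_sim *s) {
    return s->ref_in_mem ? load_u64(&s->mem[REF_MEM_OFF]) : s->ref_outside;
}

/* runtime_random is the value the runtime hands out as the SSP reference. */
static void sim_init(wasm_sim *s, uint64_t runtime_random, bool ref_in_mem) {
    memset(s, 0, sizeof *s);
    s->ref_in_mem = ref_in_mem;
    s->ref_outside = runtime_random;
    store_u64(&s->mem[REF_MEM_OFF], runtime_random);
}

/* Prologue copies the reference into the canary slot, an unchecked copy fills
 * the buffer, and the epilogue compares slot and reference.
 * Returns true when the overflow is caught, false when it slips through. */
static bool call_vulnerable(wasm_sim *s, const uint8_t *data, size_t len) {
    store_u64(&s->mem[CANARY_OFF], current_ref(s));
    if (len > MEM_SIZE - BUF_OFF) len = MEM_SIZE - BUF_OFF; /* keep the model in bounds */
    memcpy(&s->mem[BUF_OFF], data, len);                    /* no check against BUF_LEN */
    return load_u64(&s->mem[CANARY_OFF]) != current_ref(s);
}

/* Attacker payload (constructed): fill the buffer, write v over the canary
 * slot, step over the other frame data, write the same v where the reference
 * lives. 72 bytes in total. */
static size_t build_payload(uint8_t *out, uint64_t v) {
    memset(out, 'A', BUF_LEN);
    store_u64(out + CANARY_OFF, v);
    memset(out + CANARY_OFF + 8, 'B', REF_MEM_OFF - CANARY_OFF - 8);
    store_u64(out + REF_MEM_OFF, v);
    return REF_MEM_OFF + 8;
}

#define GOOD_REF 0x6a09e667f3bcc908ULL  /* a properly random reference */
#define ATTACKER_V 0x4141414141414141ULL

/* Weakness 1: reference stored in linear memory next to the frame. */
bool overflow_caught_with_ref_in_memory(void) {
    wasm_sim s; uint8_t payload[MEM_SIZE];
    sim_init(&s, GOOD_REF, true);
    size_t n = build_payload(payload, ATTACKER_V);
    return call_vulnerable(&s, payload, n);   /* false: both copies now hold V */
}

/* Same payload against a reference the guest cannot address. */
bool overflow_caught_with_ref_outside(void) {
    wasm_sim s; uint8_t payload[MEM_SIZE];
    sim_init(&s, GOOD_REF, false);
    size_t n = build_payload(payload, ATTACKER_V);
    return call_vulnerable(&s, payload, n);   /* true: canary V != reference */
}

/* Weakness 2: the runtime failed to provide randomness and handed out 0.
 * Even with the hardened placement, a predictable reference lets the attacker
 * write the expected canary back. */
bool overflow_caught_with_failed_rng(void) {
    wasm_sim s; uint8_t payload[MEM_SIZE];
    sim_init(&s, 0, false);
    size_t n = build_payload(payload, 0);
    return call_vulnerable(&s, payload, n);   /* false: 0 == 0 */
}

/* One illustrative guard (an assumption, not the talk's design): refuse a
 * reference the runtime evidently could not randomise instead of silently
 * using a constant. */
bool reference_is_usable(uint64_t runtime_random) {
    return runtime_random != 0 && runtime_random != UINT64_MAX;
}

int main(void) {
    printf("ref in linear memory, overflow caught: %d\n", overflow_caught_with_ref_in_memory());
    printf("ref outside linear memory, overflow caught: %d\n", overflow_caught_with_ref_outside());
    printf("failed rng, overflow caught: %d\n", overflow_caught_with_failed_rng());
    printf("reference 0 usable: %d\n", reference_is_usable(0));
    return 0;
}
```

The model deliberately leaves out everything else a real runtime does (return addresses are not in linear memory in WebAssembly, so the payload targets only the canary and the reference); the point is that a canary check is only as strong as the attacker's inability to read or write the reference and the attacker's inability to predict it, and placement and randomness source each matter independently.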
Bio: I am a Télécom SudParis PhD student in the Cybersecurity team of CortAIx Labs, a Thales research laboratory, under the supervision of Joaquin Garcia-Alfaro, Olivier Levillain and Dhouha Ayed. I am working on securing distributed systems on constrained and diverse devices by leveraging technologies such as WebAssembly and Confidential Computing.