Séminaire SCNhttps://seminaire-scn.ebfe.fr/2024-03-21T00:00:00+01:00Séminaire CoaP du 21 mars2024-03-21T00:00:00+01:002024-03-21T00:00:00+01:00Grégoire Menguytag:seminaire-scn.ebfe.fr,2024-03-21:/billets/2024/03/seminaire-coap-du-21-mars/<p>Dans le cadre de notre séminaire « La Cybersécurité sur un plateau »
(<em>Cybersecurity on a Plate</em>), nous aurons deux interventions <em>le jeudi
21 mars</em> prochain. Le séminaire CoaP aura lieu à <em>14h</em> dans <em>le
bâtiment IMT/TP/TSP, en salle 3.A213</em>.</p>
<p>Si vous venez participer pour la première fois, n'hésitez pas à contacter les organisateurs pour ne pas être bloqué à l'entrée.</p>
<h2>Lorena González-Manzano - Vulnerability detection under poisoning attacks</h2>
<p>The complexity of current systems encourages the emergence of vulnerabilities. Detectors are developed in this regard, most of them using Artificial Intelligence (AI) techniques. However, AI is not without its problems, especially those attacks affecting the training set. In this talk a novel vulnerability detector, called VulCoT, is presented, together with their analysis under three different poisoning attacks. </p>
<h2>Yanis Sellami - Fault Injection Vulnerability Characterization by Inference of Robust Reachability Constraints</h2>
<p>While automated code analysis techniques have succeeded in finding and reporting potential vulnerabilities in binary programs, they tend to report many false positives, which cannot be reliably exploited. This is typical in evaluations of fault injection attacks vulnerabilities as faults can create unexpected program behaviors dependent on complex initial states. As the precise setup of the initial states is hard to achieve, such faults lead code analysis techniques to report vulnerabilities that exist in theory but are infeasible in practice. Vulnerability characterization techniques are thus needed to distinguish such reports from those that come from serious vulnerabilities. Recently, Girol et al. have introduced the concept of robust reachability, a property of program inputs applied to code analysis frameworks to report only vulnerabilities that can be reproduced reliably. This is done by distinguishing inputs that are under the control of the attacker from those that are not, and by reporting only vulnerabilities that do not depend on the value of the uncontrolled inputs. Yet, this remains insufficient for distinguishing severe vulnerabilities from benign ones as robust reachability will be unable to report cases that, e.g., are easy to trigger but may not succeed in a few corner cases. To address this issue, we propose a method that leverages an abduction procedure to generate a robust reachability constraint, that is, a logical constraint on the uncontrolled inputs under which we have the guarantee that the vulnerability will be triggered. We demonstrate the vulnerability characterization capabilities of an implementation of this procedure on a fault injection attack case-study taken from FISSC. We show that our method refines robust reachability and leads to a much better characterization of the reported vulnerabilities.
The methods additionally leads to the generation of high-level feedback that is easier to understand and reuse for further analysis.</p>Séminaire CoaP du 30 janvier2024-01-30T00:00:00+01:002024-01-30T00:00:00+01:00Grégoire Menguytag:seminaire-scn.ebfe.fr,2024-01-30:/billets/2024/01/seminaire-coap-du-30-janvier/<p>Dans le cadre de notre séminaire « La Cybersécurité sur un plateau »
(<em>Cybersecurity on a Plate</em>), nous aurons deux interventions <em>le mardi
30 janvier</em> prochain. Le séminaire CoaP aura lieu à <em>10h</em> dans <em>le
bâtiment IMT/TP/TSP, en salle 3.A213</em>.</p>
<p>Si vous venez participer pour la première fois, n'hésitez pas à contacter les organisateurs pour ne pas être bloqué à l'entrée.</p>
<h2>Sara Tucci - Blockchain Consensus Protocols, from Bitcoin to Ethereum 2.0</h2>
<p>Bitcoin introduced a fully decentralized, peer-to-peer consensus protocol that enables secure transaction validation in an open network, marking a departure from previous Byzantine Fault Tolerant (BFT) protocols primarily designed for closed networks. An innovative combination of cryptographic and incentive mechanisms ensures the protocol’s robustness over the years. However, it’s important to acknowledge the considerable energy consumption of Bitcoin’s Proof-of-Work mechanism, which remains a significant concern. To address these energy concerns, there have been efforts to transition to more environmentally friendly solutions, such as Proof-of-Stake BFT protocols, like Ethereum 2.0. While these newer proposals hold promise in terms of energy efficiency, they come with complexities and ongoing issues in security and incentive design. In this talk I will present the main features and differences of Proof-Stake-BFT proposals with respect to Bitcoin, to appreciate their maturity and outline open issues and ongoing research challenges.</p>
<h2>Adam Oumar ABDEL-RAHMAN - A Privacy-Preserving Infrastructure to Monitor Encrypted DNS Logs</h2>
<p>In the realm of cybersecurity, logging system and application activity is a
crucial technique to detect and understand cyberattacks by identifying
Indicators of Compromise (IoCs). Since these logs can take vast amounts of disk
space, it can be tempting to delegate their storage to an external service
provider. This requires to encrypt the data, so the service provider does not
have access to possibly sensitive information. However, this usually makes it
impossible to search for relevant information in the encrypted log. To address
this predicament, this paper delves into the realm of modern cryptographic tools
to reconcile the dual objectives of protecting log data from prying eyes while
enabling controlled processing. We propose a comprehensive framework that
contextualizes log data and presents several mechanisms to solve the outsourcing
problem, allowing searchable encryption, and we apply our approach to DNS logs.
Our contributions include the introduction of two novel schemes, namely symmetric
and asymmetric, which facilitate efficient and secure retrieval of intrusion
detection-related information from encrypted outsourced storage. Furthermore,
we conduct extensive experiments on a test bed to evaluate and compare the
effectiveness of the different solutions, providing valuable insights into
the practical implementation of our proposed infrastructure for monitoring.</p>
<p><a href="/static/2024/2024-01-30--AOAbdelRhaman-Dns.pdf">Planches présentées</a></p>Séminaire du 21 novembre2023-11-10T00:00:00+01:002023-11-10T00:00:00+01:00Olivier Levillaintag:seminaire-scn.ebfe.fr,2023-11-10:/billets/2023/11/seminaire-du-21-novembre/<p>Mardi 21 novembre, nous recevrons à <strong>Évry</strong> Victor Dyseryn qui nous
présentera ses travaux sur la cryptographie post-quantique. Le
séminaire aura lieu en salle E304.</p>
<h2>Victor Dyseryn - Balancing security and efficiency in post-quantum cryptography</h2>
<p>The post-quantum transition has already begun; how is it possible to
switch seamlessly to quantum resistant cryptography? Intuitively,
post-quantum algorithms must resist to a much powerful attacker and
this should lead to a drastic increase in communication costs and
computing time. We will present how the efficiency of post-quantum
cryptography has gradually improved over time at the cost of somewhat
weaker security guarantees. We will then explore ways to strenghen
those guarantees while keeping the overhead at a minimum.</p>
<p><em>Bio :</em> Victor Dyseryn is a PhD student in post-quantum cryptography
in the XLIM laboratory at the University of Limoges, France. His
research focuses on encryption and signature primitives based on
error-correcting codes. He obtained his master's degree in 2020 from
Ecole Polytechnique and Mines ParisTech.</p>Séminaire CoaP du 09 novembre2023-11-09T00:00:00+01:002023-11-09T00:00:00+01:00Grégoire Menguytag:seminaire-scn.ebfe.fr,2023-11-09:/billets/2023/11/seminaire-coap-du-09-novembre/<p>Dans le cadre de notre séminaire « La Cybersécurité sur un plateau »
(<em>Cybersecurity on a Plate</em>), nous aurons deux interventions <em>le jeudi
09 novembre</em> prochain.</p>
<h2>Vincent Thouvenot - Privacy attacks against a ResNet50 used for plane classification</h2>
<p>In our presentation, we will explain two challenges proposed as part of the CIAD conference: a membership inference attack task and a more original forgetting attack task. We'll explain the first approaches that we used and more importantly, why they failed and the main lessons that we learned from the challenge.</p>
<p><a href="/static/2023/2023-11-09--VThouvenot-CSAW_Privacy_Attack.pdf">Planches présentées</a></p>
<h2>Matthieu Lemerre - Pas de Crash, Pas d'Exploit: Verification Automatique de Noyaux Embarqués</h2>
<p>Le noyau est le composant le plus critique en termes de sûreté et de
sécurité de nombreux systèmes informatiques, car un bogue dans celuici
peut entraîner un crash ou un exploit système entier. Il est donc
souhaitable de garantir qu'un noyau est exempt de ces bogues en
utilisant des méthodes formelles, mais le coût élevé et l'expertise
requise pour ce faire empêchent une utilisation à large échelle. Nous
avons proposé une méthode qui peut vérifier automatiquement à la fois
l'absence d'erreurs à l'exécution (c'est-à-dire des crashs) et l'absence
d'élévation de privilèges (c'est-à-dire des exploits) dans les noyaux
embarqués à partir de leurs exécutables binaires.</p>
<p>Cette méthode a permis de découvrir un système de type permettant de
vérifier l'absence de corruption mémoire dans du code C, que nous
évoquerons brièvement.</p>
<p><a href="/static/2023/2023-11-09--MLemerre-rtas_slides_redone.pdf">Planches présentées</a></p>Séminaire des étudiants et anciens le 19 octobre 232023-10-19T00:00:00+02:002023-10-19T00:00:00+02:00Olivier Levillaintag:seminaire-scn.ebfe.fr,2023-10-19:/billets/2023/10/seminaire-des-etudiants-et-anciens-le-19-octobre-23/<p>Ce séminaire, destiné aux étudiants de Télécom SudParis en
cybersécurité et aux anciens élèves, aura lieu à Palaiseau, dans le
bâtiment IMT/TP/TSP, à partir de 15h. Il sera suivi, à partir de
18h30, d'un cocktail dînatoire à l'Entrepôtes 19, près du bâtiment
TP/TSP.</p>
<p>Si vous souhaitez présenter une <em>rump</em> (une intervention courte de
moins de 5 minutes, pendant la session dédiée en fin d'après-midi),
vous pouvez nous envoyer un mail avec le titre de votre <em>rump</em>
jusqu'au 19 octobre 15h.</p>
<h2>Programme</h2>
<ul>
<li>14h : Café</li>
<li>15h : Grégory Blanc, Christophe Kiennert et Olivier Levillain - Accueil</li>
<li>15h15 : Clément Parssegny (ANSSI) - Utilisation de l'apprentissage automatique pour la détection de canaux de Command and Control</li>
<li>15h45 : Mathieu Touloucanon (CEA) - Analyse et perçage de <em>packers</em> d'exécutables</li>
<li>16h30 : Pause</li>
<li>17h : François Boutigny (Nokia) - Microservice behavior analysis for telco networks: overview and perspectives</li>
<li>17h45 : Baptiste Polvé (SnowPack) - Au delà des techniques d'anonymisation, enjeux du déploiement des proxies</li>
<li>18h30 : Rump Session<ul>
<li>Christel Berthier - Quelques mots sur les Alumni TSP</li>
<li>Rémi Di Valentin - <a href="/static/2023/2023-10-19--Rump_session_Stages_THALES.pdf">Présentation d'offres de stages chez Thales</a></li>
<li>Clément Parssegny - Reproduction automatisée d'environnements contrôlés vulérables à une faille logicielle</li>
<li>Yann Cantais - <a href="/static/2023/2023-10-19--Presentation_PACKETFENCE_PDF.pdf">Sécurisation par contrôle d'accès réseau (NAC)</a></li>
<li>Quentin Michaud - Sécurité de l'exécution de <em>workloads</em> distribués et portables sur des appareils distants et contraints situés au <em>far edge</em></li>
<li>Olivier Levillain - <a href="static/2023/2023-10-19--organisation.pdf">De l'anticipation dans la préparation d'un événement</a></li>
</ul>
</li>
<li>19h environ : Cocktail dînatoire à l'Entrepôtes 19 près du bâtiment TP/TSP</li>
</ul>
<h2>Clément Parssegny (ANSSI) - Utilisation de l'apprentissage automatique pour la détection de canaux de Command and Control</h2>
<p>Ces dernières décennies, le chiffrement progressif des communications
transitant sur les réseaux a contribué à l'amélioration de la
confidentialité et de l'intégrité des données des
utilisateurs. Cependant, cette évolution a eu un impact important sur
les capacités de détection d'attaques. L'utilisation de techniques
d'apprentissage automatique sur les métadonnées du trafic réseau sont
alors une piste pour analyser le trafic réseau à la recherche de
canaux de Command and Control, potentiellement camouflés en trafic
bénin.</p>
<p>Clément PARSSEGNY est diplômé de Télécom SudParis et de l'Institut
Polytechnique de Paris. Il est actuellement étudiant en thèse en
collaboration avec l'équipe SCN du laboratoire SAMOVAR sur l'apport
des méthodes de prise d'empreinte à la détection d'intrusion.</p>
<h2>Mathieu Touloucanon (CEA) - Analyse et perçage de <em>packers</em> d'exécutables</h2>
<p>Les obscurcissements de type <em>packer</em>, notamment les machines
virtuelles rendent complexe l’analyse de binaire. En effet, celles-ci
permettent de compiler le programme initial dans une architecture
virtuelle, puis d’exécuter le programme dans cette architecture à
l’aide d’un émulateur contenu dans le programme.</p>
<p>Particulièrement, lorsque des <em>packers</em> sont combinés à d’autres
techniques d’obscurcissement, ils peuvent faire perdre un temps
précieux dans le cas d’une réponse à incident. Le stage présenté
propose d’analyser un <em>packer</em> et de mettre en place les outils
nécessaires à la suppression de cette protection dans le <em>framework</em>
Miasm.</p>
<p>Matthieu TOULOUCANON est diplômé en 2023 de Télécom SudParis. Ayant
suivi la VAP SSR, il a conclu ses études par un stage au CEA.</p>
<h2>François Boutigny (Nokia) - Microservice behavior analysis for telco networks: overview and perspectives</h2>
<p>The microservice behavior analysis (MBA) team in Nokia Bell Labs is researching means to detect microservice behavior anomalies that could be sign of malicious activities, and investigates this topic with respect to the telco environment. This presentation will provide the audience an overview of our solution and our perspectives.</p>
<p>The telco industry is shifting to a cloud-native architecture where network functions become stateless, containerized microservices communicating through a service-based interface. Effort has be made in 5G for the core network and is likely to be expanded in 6G to the radio access network. However the domain of software security remains elusive and the multiplicity of software components and their complex dependencies opens the telco industry to new threats. A new security model is needed that assumes breaches to be inevitable, so we need to constantly monitor software components and look for anomalous or malicious activity.</p>
<p>Our approach consists of building a baseline of the good behavior of a software component, and then monitor the software component's behavior in operation to look for and detect deviations to its baseline. We model the behavior based on the internal state of the software component and its interactions with the operating system. Our solution can be integrated seamlessly into the CI/CD pipeline of a telco vendor as well as into a cloud-based monitoring system of a communication service provider. </p>
<p>François BOUTIGNY est diplômé en 2015 de Télécom SudParis. Il a
ensuite réalisé une thèse CIFRE au sein des Nokia Bell Labs,
conjointement avec Télécom SudParis, qu'il a défendu en décembre
2019. Il est depuis ingénieur de recherche au sein du même
laboratoire, et s'intéresse à la sécurité des microservices. </p>
<h2>Baptiste Polvé (SnowPack) - Au delà des techniques d'anonymisation, enjeux du déploiement des proxies</h2>
<p>Les techniques communes d'anonymisation: VPN, TOR, I2P, Nym ou même
Snowpack sont toutes basées sur l'utilisation des proxies. Si au
premier abord, il paraît très simple de répliquer les modèles et de
déployer son propre réseau de proxy, il existe de nombreuses
contraintes pour les opérer et les maintenir face à de nombreuses
menaces (censure, captchas, blacklist, etc.). Cette présentation
propose donc de revenir rapidement sur les technologies
d'anonymisation puis de prendre un angle <em>menace</em> vs <em>solution</em> avec
le point de vue du réseau de proxies , supporté par un retour
d'expérience lié au déploiement du réseau Snowpack.</p>
<p>Baptiste POLVÉ, co-fondateur et directeur technique de la société
Snowpack, est ingénieur Telecom SudParis 2018 et expert en sécurité
des systèmes d’information (ESSI) certifié par l’ANSSI. Baptiste a
précédemment travaillé au CEA List en tant que chercheur sur la
sécurité des réseaux et des protocoles ainsi que sur les systèmes de
détection et de réponse aux cyberattaques. Il était responsable du
développement du système de détection d’intrusions du LSC (Sigmo-IDS),
de plusieurs projets européens et industriels, et est co-auteur de
brevets et publications scientifiques.</p>
<h2>Rump Sessions</h2>
<ul>
<li>TODO - TODO</li>
<li>TODO - TODO</li>
<li>TODO - TODO</li>
<li>TODO - TODO</li>
<li>TODO - TODO</li>
</ul>Séminaire CoaP du 19 septembre2023-07-03T00:00:00+02:002023-07-03T00:00:00+02:00Olivier Levillaintag:seminaire-scn.ebfe.fr,2023-07-03:/billets/2023/07/seminaire-coap-du-19-septembre/<p>Dans le cadre de notre séminaire « La Cybersécurité sur un plateau »
(<em>Cybersecurity on a Plate</em>), nous aurons deux interventions <em>le mardi
19 septembre</em> prochain. Le séminaire CoaP aura lieu à <em>10h</em> dans <em>le
bâtiment IMT/TP/TSP, en salle 3.A213</em>.</p>
<h2>Quentin Michaud - WebAssembly & Security</h2>
<p>WebAssembly (Wasm for short) is a new format of low-level
bytecode coming from the Web. It allows to run code sandboxed by
default, on a stack-based light virtual machine. It is claiming
to bring a lot of dreams to reality : from being the successor of
today's containers (by being faster, lighter and more secure), to
proposing a single binary format which can be compiled from any
programming language and run on any target, without depending on
the OS or processor architecture. The promises of Wasm go even
beyond technology and address cybersecurity with strong claims
regarding the security and protection of Wasm
applications. However, articles and publications showing old a
new cybersecurity weaknesses inside Wasm may put these claims in
doubt. This presentation will give an overview of the Wasm
ecosystem, explain the inner workings of Wasm and evaluate the
likeliness of its promises as of today and in the future. The
promise of Wasm being the successor of containers will be
reviewed in more details, both at the container level and at the
container orchestrator (Kubernetes) level. The presentation will
then propose an assessment of the Wasm claims concerning
cybersecurity and take a deeper look at if Wasm can really
present itself as an improvement of today binaries' and
containers' security.</p>
<p><em>Bio :</em> Quentin is a last year cybersecurity student at Télécom
SudParis and an intern at Thales European research lab ThereSIS, where
he is studying bleeding-edge innovations in the cloud ecosystem and
their potential uses for cybersecurity. He likes to improve his
cybersecurity skills by creating and doing CTFs regularly, and he is
consuming and contributing to several open-source projects.</p>
<p><a href="/static/2023/2023-09-19--QMichaud-Wasm.pdf">Planches présentées</a></p>
<h2>Frédéric Recoules - What's up in BINSEC? 2022-23 Edition</h2>
<p>Software security analyses must often be performed at the executable
code level, either because the source code is not available (e.g.:
analysis of third-party components, malware or legacy code), or
because very low-level attacker models are being considered (hardware
or micro-architectural attacks), or because the code must be analyzed
after compilation in order to prevent potential compilation bugs or to
verify that protections have been properly implemented.
Unfortunately, these low-level security analyses are difficult to
establish and there are few specialists, hence the need to provide
them with the best possible tools via dedicated automated tools.</p>
<p>BINSEC is a formal binary code analysis platform developed at CEA,
with a particular focus on security analysis (vulnerabilities,
reverse) and the degree of guarantees provided. BINSEC offers
original symbolic reasoning engines and multi-architecture
support. Recent results have been obtained, for example, in automatic
analysis of cryptographic primitives (resistance to covert channel
attacks and micro-architectural attacks) or deobfuscation of advanced
malware. However, this kind of analysis still suffers from scaling and
usability problems.</p>
<p>In this talk, we aim to give an overview of the latest improvements of
BINSEC. These advances will be motivated and illustrated through the
resolution of various security cases, including recent examples of
challenges from the Cyber France Challenge 2022. In particular, we
will address problems such as the optimization of a symbolic reasoning
engine at the binary level or the symbolic management of
self-modifying code. We will also review recent efforts to make the
platform more usable (new architectures, simplified initialization,
etc.).</p>
<p><em>Bio :</em> Frédéric Recoules graduated from INSA and Université
Toulouse Paul-Sabatier in 2016, then received a PhD in Computer
Science from Université Grenoble-Alpes in 2021. His area of expertises
spans formal methods, low-level programming, decompilation and reverse
engineering. He notably obtained an ICSE distinguished paper award
and a 2nd best GDR GPL PhD award (thematic: software engineering,
formal methods and programming languages) for his work on formal
verification of inline assembly code. He is currently Research
Engineer at CEA where he is the main developer and maintainer of the
binary-level program analysis platform BINSEC. His research addresses
scalability issues in symbolic analysis at binary level, vulnerability
analysis and reverse engineering for security.</p>Séminaire CoaP du 30 mai2023-04-25T00:00:00+02:002023-04-25T00:00:00+02:00Olivier Levillaintag:seminaire-scn.ebfe.fr,2023-04-25:/billets/2023/04/seminaire-coap-du-30-mai/<p>Dans le cadre de notre séminaire « La Cybersécurité sur un plateau »
(<em>Cybersecurity on a Plate</em>), nous aurons deux interventions <em>le 30
mai</em>. Le séminaire CoaP aura lieu à <em>10h</em> dans <em>le bâtiment IMT/TP/TSP, en
salle 3.A213</em>.</p>
<h2>Michaël Marcozzi (CEA) - Fine-Grained Coverage-Based Fuzzing</h2>
<p>Fuzzing is a popular software testing method that discovers
vulnerabilities by massively feeding target applications with
automatically generated inputs. Many state-of-art fuzzers use branch
coverage as a feedback metric to guide the fuzzing process. The fuzzer
retains inputs for further mutation only if branch coverage is
increased. However, branch coverage only provides a shallow sampling
of program behaviours and hence may discard interesting inputs to
mutate. This work aims at taking advantage of the large body of
research over defining finer-grained code coverage metrics (such as
control-flow, data-flow or mutation coverage) and at evaluating how
fuzzing performance is impacted when using these metrics to select
interesting inputs for mutation. We propose to make branch
coverage-based fuzzers support most fine-grained coverage metrics out
of the box (i.e., without changing fuzzer internals). We achieve this
by making the test objectives defined by these metrics (such as
conditions to activate or mutants to kill) explicit as new branches in
the target program. Fuzzing such a modified target is then equivalent
to fuzzing the original target, but the fuzzer will also retain inputs
covering the additional metrics objectives for mutation. In addition,
all the fuzzer mechanisms to penetrate hard-to-cover branches will
help covering the additional metrics objectives. We use this approach
to evaluate the impact of supporting two fine-grained coverage metrics
(multiple condition coverage and weak mutation) over the performance
of two state-of-the-art fuzzers (AFL++ and QSYM) with the standard
LAVA-M and MAGMA benchmarks. This evaluation suggests that our
mechanism for runtime fuzzer guidance, where the fuzzed code is
instrumented with additional branches, is effective and could be
leveraged to encode guidance from human users or static analysers. Our
results also show that the impact of fine-grained metrics over fuzzing
performance is hard to predict before fuzzing, and most of the time
either neutral or negative. As a consequence, we do not recommend
using them to guide fuzzers, except maybe in some possibly favourable
circumstances yet to investigate, like for limited parts of the code
or to complement classical fuzzing campaigns.</p>
<h2>Houda Jmila (TSP) - Analyzing the Vulnerability of Machine Learning-Based IDS to Adversarial Attacks in Cybersecurity</h2>
<p>The detection of intrusions is an important aspect of cybersecurity,
as it seeks to safeguard computer systems and networks from malicious
attacks. While machine learning (ML) techniques have been effective in
this field, they face challenges such as the emergence of adversarial
attacks that can deceive classifiers. Preventing cybercriminals from
exploiting these vulnerabilities is crucial in preventing damage to
data and systems. This presentation analyses the vulnerability of both
deep learning and shallow classifiers, which are still widely used due
to their maturity and ease of implementation, to adversarial attacks
in ML-based IDS. Additionally, we explore whether adversarial attacks
borrowed from computer vision pose a significant threat to IDS and to
what extent realistic adversarial attacks can be generated using these
methods.</p>Séminaire CoaP du 18 Avril2023-03-31T00:00:00+02:002023-03-31T00:00:00+02:00Gregory Blanctag:seminaire-scn.ebfe.fr,2023-03-31:/billets/2023/03/seminaire-coap-du-18-avril/<p>Dans le cadre de notre séminaire « La Cybersécurité sur un plateau »
(<em>Cybersecurity on a Plate</em>), nous aurons deux interventions <em>le 18
avril</em>. Le séminaire CoaP aura lieu à <em>10h</em> dans <em>le bâtiment IMT/TP/TSP, en
salle 3.A213</em>.</p>
<h2>Pierre-Elisée Flory - Comparing Private Set Intersection Various Implementations for Fraud Detection</h2>
<p>Banks have to commit answering their customers' privacy concerns while complying to regulation. Sharing information on customer among a Banking consortium is an efficient way to identify fraud at an early stage but requires efficient biometrics matching algorithms to compare two id cards / biometrics template in pictures. Consortium stakeholders may also be competitors and thus need to protect their customer database. Within the Privacy Enhancing Technologies, we have assessed and compared different Secure Multi-Party Computation and in particular Private Set Intersection schemes to mitigate those risks and design a new protocol to allow privacy preserving biometrics templates matching.</p>
<h2>Nathanaël Denis - Integrating Usage Control into Distributed Ledger Technology for Internet of Things Privacy</h2>
<p>The Internet of Things brings new ways to collect
privacy-sensitive data from billions of devices. Well-tailored
distributed ledger technologies (DLTs) can provide high transaction
processing capacities to IoT devices in a decentralized fashion.
However, privacy aspects are often neglected or unsatisfying, with
a focus mainly on performance and security. In this paper, we
introduce decentralized usage control mechanisms to empower
IoT devices to control the data they generate. Usage control
defines obligations i.e., actions to be fulfilled to be granted access,
and conditions on the system in addition to data dissemination
control. The originality of this paper is to consider the usage
control system as a component of distributed ledger networks,
instead of an external tool. With this integration, both
technologies work in synergy, benefiting their privacy, security and
performance. We evaluated the performance improvements of
integration using the IOTA technology, particularly suitable due
to the participation of small devices in the consensus. The results
of the tests on a private network show an approximate 90%
decrease of the time needed for the UCS to push a transaction
and make its access decision in the integrated setting, regardless
of the number of nodes in the network.</p>
<p>This contribution is currently under review for publication in a journal.</p>Séminaire CoaP du 15 février: NVIDIA DOCA hackathon and Adversarial Reachability for Program-level Security Analysis2023-01-30T00:00:00+01:002023-01-30T00:00:00+01:00Arthur Tran Vantag:seminaire-scn.ebfe.fr,2023-01-30:/billets/2023/01/seminaire-coap-du-15-fevrier/<p>Dans le cadre de notre séminaire « La Cybersécurité sur un plateau »
(<em>Cybersecurity on a Plate</em>), nous aurons deux interventions <em>le 15
février</em>. Le séminaire CoaP aura lieu à <em>10h</em> dans <em>le bâtiment IMT/TP/TSP, en
salle 3.A213</em>.</p>
<h2>Romain Ferrari, Louis Cailliot, Julie Sauzedde, Pierre-Elisée Flory - NVIDIA DOCA hackathon</h2>
<p>The NVIDIA DOCA hackathon took place on March 21, during <a href="https://developer.nvidia.com/blog/developers-drive-dpu-evolution-in-the-nvidia-doca-hackathon/">NVIDIA 2022 GTC</a>.</p>
<p>The Thales team chose to build a solution upon the DPI acceleration to enable Yara rules, which are used for inspection of files downloaded from the network to identify malware and potential threats. To implement this, Team Thales used a Yara Parser to transform public Yara rules into DPI rules in a Suricata community-based format supported by the DOCA DPI lib. This solution leveraged DOCA DPI functionality to scan the files on the fly as the packets flow through the device.</p>
<h2>Soline Ducousso - Adversarial Reachability for Program-level Security Analysis</h2>
<p>Many program analysis tools and techniques have been developed to assess
program vulnerability. Yet, they are based on the standard
concept of reachability and represent an attacker able to craft smart
legitimate input, while in practice attackers can be much more powerful,
using for instance micro-architectural exploits or fault injection methods.
We introduce adversarial reachability , a framework allowing to reason
about such advanced attackers and check whether a system is vulnerable
or immune to a particular attacker. As equipping the attacker with
new capacities significantly increases the state space of the program under
analysis, we present a new symbolic exploration algorithm, namely
adversarial symbolic execution, injecting faults in a forkless manner to
prevent path explosion, together with optimizations dedicated to reduce
the number of injections to consider while keeping the same attacker
power. Experiments on representative benchmarks from fault injection
show that our method significantly reduces the number of adversarial
paths to explore, allowing to scale up to 10 faults where prior work
timeout for 3 faults. In addition, we analyze the well-tested WooKey's
bootloader, and demonstrate the ability of our analysis to find attacks
and evaluate countermeasures in real-life security scenarios.</p>
<p>This is joint work with Sébastien Bardin and Marie-Laure Potet.</p>[Séminaire reporté] Séminaire CoaP du 19 janvier: NVIDIA DOCA hackathon and Adversarial Reachability for Program-level Security Analysis2023-01-05T00:00:00+01:002023-01-05T00:00:00+01:00Arthur Tran Vantag:seminaire-scn.ebfe.fr,2023-01-05:/billets/2023/01/seminaire-coap-du-19-janvier/<p><strong>En raison de l'appel à la grève le 19 janvier, le séminaire est
reporté à une date qui doit encore être définie.</strong></p>
<p>Dans le cadre de notre séminaire « La Cybersécurité sur un plateau »
(<em>Cybersecurity on a Plate</em>), nous aurons deux interventions le 19
janvier. Le séminaire CoaP aura lieu à 14h dans le bâtiment IMT/TP/TSP, en
salle 3.A213.</p>
<h2>Romain Ferrari, Louis Cailliot, Julie Sauzedde, Pierre-Elisée Flory - NVIDIA DOCA hackathon</h2>
<p>The NVIDIA DOCA hackathon took place on March 21, during <a href="https://developer.nvidia.com/blog/developers-drive-dpu-evolution-in-the-nvidia-doca-hackathon/">NVIDIA 2022 GTC</a>.</p>
<p>The Thales team chose to build a solution upon the DPI acceleration to enable Yara rules, which are used for inspection of files downloaded from the network to identify malware and potential threats. To implement this, Team Thales used a Yara Parser to transform public Yara rules into DPI rules in a Suricata community-based format supported by the DOCA DPI lib. This solution leveraged DOCA DPI functionality to scan the files on the fly as the packets flow through the device.</p>
<h2>Soline Ducousso - Adversarial Reachability for Program-level Security Analysis</h2>
<p>Many program analysis tools and techniques have been developed to assess
program vulnerability. Yet, they are based on the standard
concept of reachability and represent an attacker able to craft smart
legitimate input, while in practice attackers can be much more powerful,
using for instance micro-architectural exploits or fault injection methods.
We introduce adversarial reachability , a framework allowing to reason
about such advanced attackers and check whether a system is vulnerable
or immune to a particular attacker. As equipping the attacker with
new capacities significantly increases the state space of the program under
analysis, we present a new symbolic exploration algorithm, namely
adversarial symbolic execution, injecting faults in a forkless manner to
prevent path explosion, together with optimizations dedicated to reduce
the number of injections to consider while keeping the same attacker
power. Experiments on representative benchmarks from fault injection
show that our method significantly reduces the number of adversarial
paths to explore, allowing to scale up to 10 faults where prior work
timeout for 3 faults. In addition, we analyze the well-tested WooKey's
bootloader, and demonstrate the ability of our analysis to find attacks
and evaluate countermeasures in real-life security scenarios.</p>
<p>This is joint work with Sébastien Bardin and Marie-Laure Potet.</p>Séminaire CoaP du 21 novembre2022-11-08T00:00:00+01:002022-11-08T00:00:00+01:00Olivier Levillaintag:seminaire-scn.ebfe.fr,2022-11-08:/billets/2022/11/seminaire-coap-du-21-novembre/<p>Dans le cadre de notre séminaire « La Cybersécurité sur un plateau »
(<em>Cybersecurity on a Plate</em>), nous recevrons le 21 novembre deux
intervenants :</p>
<ul>
<li>Aina Toky Rasoamanana, doctorant à Télécom SudParis, qui
présentera ses travaux sur l'inférence de machines à états
d'implémentations du protocole TLS.</li>
<li>Mohamad Mansouri, doctorant CIFRE à EURECOM / Thales, qui présentera ses travaux sur l'agrégation sécurisée et tolérante aux pannes pour l'apprentissage fédéré.</li>
</ul>
<p>Le séminaire CoaP aura lieu à 14h dans le bâtiment IMT/TP/TSP, en
salle 3.A405.</p>
<h2>Aina Toky Rasoamanana - Towards a Systematic and Automatic Use of State Machine Inference to Uncover Security Flaws and Fingerprint TLS Stacks</h2>
<p>TLS is a well-known and thoroughly studied security protocol. In this
paper, we focus on a specific class of vulnerabilities affecting TLS
implementations, state machine errors. These vulnerabilities are
caused by differences in interpreting the standard and correspond to
deviations from the specifications, e.g. accepting invalid messages,
or accepting valid messages out of sequence. We develop a systematic
methodology to infer the state machines of major TLS stacks from
stimuli and observations, and to study their evolution across
revisions. We use the L* algorithm to compute state machines
corresponding to different execution scenarios. We reproduce several
known vulnerabilities (denial of service, authentication bypasses),
and uncover new ones. We also show that state machine inference is
efficient and practical for integration within a continuous
integration pipeline, to help find new vulnerabilities or deviations
introduced during development.</p>
<p>With our systematic black-box approach, we study over 400 different
versions of server and client implementations in various scenarios
(protocol version, options). Using the resulting state machines, we
propose a robust algorithm to fingerprint TLS stacks. To the best of
our knowledge, this is the first application of this approach on such
a broad perimeter, in terms of number of TLS stacks, revisions, or
execution scenarios studied.</p>
<p>This work has been published at ESORICS 2022.</p>
<h2>Mohamad Mansouri - Learning from Failures: Secure and Fault-Tolerant Secure Aggregation for Federated Learning</h2>
<p>Federated learning allows multiple parties to collaboratively train a
global machine learning (ML) model without sharing their private
datasets. To make sure that these local datasets are not leaked,
existing works propose to rely on a secure aggregation scheme that
allows parties to encrypt their model updates before sending them to
the central server that aggregates the encrypted inputs.</p>
<p>In this work, we design and evaluate a new secure and fault-tolerant
aggregation scheme for federated learning that is robust against
client failures. We first develop a threshold-variant of the secure
aggregation scheme proposed by Joye and Libert. Using this new
building block together with a dedicated decentralized key management
scheme and an input encoding solution, we design a privacy-preserving
federated learning protocol that, when executed among n clients, can
recover from up to n/3 failures. Our solution is secure against a
malicious aggregator who can manipulate messages to learn clients'
individual inputs. We show that our solution outperforms the
state-of-the-art fault-tolerant secure aggregation schemes in terms of
computation cost on the client. For example, with an ML model of 100K
parameters, trained with 600 clients, our protocol is 5.5x faster
(1.6x faster in case of 180 clients drop).</p>
<p>This work will appear in ACSAC’22.</p>Séminaire des étudiants et anciens le 11 octobre 222022-10-11T00:00:00+02:002022-10-11T00:00:00+02:00Olivier Levillaintag:seminaire-scn.ebfe.fr,2022-10-11:/billets/2022/10/seminaire-des-etudiants-et-anciens-le-11-octobre-22/<p>Ce séminaire, destiné aux étudiants de Télécom SudParis en
cybersécurité et aux anciens élèves, aura lieu à Palaiseau, dans le
bâtiment IMT/TP/TSP, <strong>à partir de 13h30</strong>. Le séminaire aura lieu en
<strong>Amphi 5</strong>. Il sera suivi, à partir de 18h30, d'un cocktail
dînatoire à l'Entrepôtes 19, près du bâtiment TP/TSP.</p>
<h2>Programme</h2>
<ul>
<li>13h30 : Café</li>
<li>14h : Grégory Blanc, Christophe Kiennert et Olivier Levillain - Accueil</li>
<li>14h15 : Constance Chou (Thales) - <a href="/static/2022/2022-10-11--Chou-WAF.pdf">Web Application Firewall : enjeux, fonctionnement et étude</a></li>
<li>14h45 : Martin Spiering, Matthieu Touloucanon et Quentin Michaud (HackademINT) - <a href="/static/2022/2022-10-11--HackademINT--404CTF.pdf">404 CTF</a></li>
<li>15h15 : Ministère de l'Intérieur - Analyse de flux chiffré en entreprise pour la détection d'incident de sécurité</li>
<li>15h45 : Pause</li>
<li>16h30 : Amré Abouali (Cybershen) - Ancien RSSI & Entrepreneur</li>
<li>17h : Olivier Levillain (TSP) - <a href="static/2022/2022-10-11--Levillain--specifications.pdf">Influence de la qualité des spécifications sur la sécurité logicielle</a></li>
<li>17h30 : Rump Session</li>
<li>18h30 : Cocktail dînatoire à l'Entrepôtes 19 près du bâtiment TP/TSP</li>
</ul>
<h2>Constance Chou - Web Application Firewall : enjeux, fonctionnement et étude</h2>
<p>Après une présentation de la technologie des Web Application Firewalls
(ou pare-feu applicatifs), et de leurs enjeux, Mme Chou discutera des
différents types de solutions WAF et des critères classiques
d'évaluation de leurs performances. Cette présentation présentera les
intérêts et limitations d'une telle solution, ainsi que l'écosystème
dans lequel cette technologie s'inscrit.</p>
<p>Constance Chou est diplômée de Télécom SudParis (promotion 2021). Elle
a suivi la VAP SSR et a reçu le titre ESSI de l'ANSSI. Elle a
également obtenu le Prix Jeunes National André Blanc‐Lapierre,
attribué par la Société de l'électricité, de l'électronique et des
technologies de l'information et de la communication pour son stage de
fin d’études effectué chez Thales SIX GTS France et intitulé : « Étude
et intégration de pare-feu applicatifs ».</p>
<p><a href="/static/2022/2022-10-11--Chou-WAF.pdf">Lien vers les planches</a></p>
<h2>Martin Spiering, Matthieu Touloucanon et Quentin Michaud (HackademINT) - 404 CTF</h2>
<p>Plusieurs membres du club HackademINT présenteront leur retour sur
l'organisation du 404 CTF, une compétition de sécurité qui s'est
déroulée au printemps 2022, et qui était organisée par Télécom
SudParis, en partenariat avec la DGSE et OVHcloud.</p>
<p>Martin Spiering présentera la mise en place de l'infra (kubernetes,
rancher, docker...) en abordant les sécurités réseaux et les attaques
(notamment <em>bruteforce</em>) subies pendant la compétition, ainsi que les
mesures appliquées.</p>
<p>Matthieu Touloucanon insistera ensuite sur la sécurité système des
Docker utilisés, notamment pour les challenges de la catégorie <em>pwn</em>
(mais pas seulement), avec les bonnes pratiques Docker à suivre et
l'utilisation de <code>nsjail</code>.</p>
<p>Enfin, Quentin Michaud présentera l'interface utilisée pour gérer la
validation des challenges (CTFd), avec les modifications effectuées
pour l'adapter à l'infrastructure du 404 CTF et supprimer un bug
concernant s3. Ce sera l'occasion de discuter des avantages et
inconvénients de l'open source qui découle de cette expérience.</p>
<p>MM. Spiering, Touloucanon et Michaud sont étudiants en 3e année à
Télécom SudParis (promo 2023), actuellement en VAP SSR.</p>
<p><a href="/static/2022/2022-10-11--HackademINT--404CTF.pdf">Lien vers les planches</a></p>
<h2>Ministère de l'Intérieur - Analyse de flux chiffré en entreprise pour la détection d'incident de sécurité</h2>
<p>Les communications en clair sur Internet et dans les environnements à hautes
exigences de sécurité sont vouées à disparaître. L'adoption massive ces
dernières années de l'utilisation par défaut des protocoles de chiffrement est
en passe de devenir une quasi-exclusivité.</p>
<p>D'un autre point de vue, le chiffrement des flux constitue cependant un
obstacle à la détection de comportements malveillants sur les systèmes
d'information.</p>
<p>Après un rappel du fonctionnement de TLS, trois approches permettant l'analyse
de flux chiffré seront présentées. Les enjeux et limitations seront discutés
pour chacune des approches.</p>
<h2>Amré Abouali (Cybershen) - Ancien RSSI & Entrepreneur</h2>
<p>Amré Abouali est diplômé de Télécom SudParis (promotion 2017). Il a
suivi la VAP SSR et a reçu le titre ESSI de l'ANSSI. Après avoir
occupé deux postes de RSSI dans des environnements sensibles liés à la
santé, il est aujourd'hui indépendant et entrepreneur dans le monde de
la cybersécurité.</p>
<h2>Olivier Levillain (TSP) - Influence de la qualité des spécifications sur la sécurité logicielle</h2>
<p>Les systèmes d'information que nous utilisons quotidiennement sont
d'une grande complexité. Ils reposent en particulier sur
l'implémentation de protocoles réseau et sur l'interprétation de
documents aux formats variés. Cette présentation traitera des
spécifications décrivant ces protocoles et ces formats.</p>
<p>En particulier, il sera question de la manière dont ils sont spécifiés
et des conséquences de cette manière sur la sécurité de leurs
implémentations. Les exemples utilisés seront Mini-PNG, un format
d'images utilisé dans un module d'enseignement en programmation, mais
également le format PDF et le protocole TLS.</p>
<p>Olivier Levillain est maître de conférences en cybersécurité à Télécom
SudParis.</p>
<p><a href="static/2022/2022-10-11--Levillain--specifications.pdf">Lien vers les planches</a></p>
<h2>Rump Sessions</h2>
<ul>
<li>Constance Chou - <a href="static/2022/2022-10-11--rumps/Rump_IVVQ_CHOU_Constance.pdf">Développement en cycle en V et IVVQ</a></li>
<li>Rémi Di Valentin et Yadi Huang - <a href="static/2022/2022-10-11--rumps/Rump_session_Thales.pdf">Offres IVVQ Cyber Thales</a></li>
<li>Ministère de l'Intérieur - Présentation d'une offre de stage de développement d'outil de sécurité pour le traitement de fichiers</li>
<li>Grégory Blanc et Olivier Levillain - <a href="static/2022/2022-10-11--rumps/BlancLevillain-CoaP.pdf">Séminaire CoaP (Cybersecurity on a Plate / la cybersécurité sur un plateau)</a></li>
<li>Florian Martin - <a href="static/2022/2022-10-11--rumps/BlueTeam_vs_SMB.pdf">BlueTeam vs SMB</a></li>
<li>Romain Cherré - <a href="static/2022/2022-10-11--rumps/DNS_RPZ_eBPF.pdf">Filtrage et DNS : RPZ et XDP</a></li>
<li>Mathieu Degré - <a href="static/2022/2022-10-11--rumps/Introduction_aux_reseaux_euclidiens.pdf">Introduction aux réseaux euclidiens (lattices)</a></li>
</ul>Grégoire Menguy - Search-Based Local Blackbox Deobfuscation: Understand, Improve and Mitigate (October 4th 2022)2022-10-04T00:00:00+02:002022-10-04T00:00:00+02:00Olivier Levillaintag:seminaire-scn.ebfe.fr,2022-10-04:/billets/2022/10/gregoire-menguy-search-based-local-blackbox-deobfuscation-understand-improve-and-mitigate-october-4th-2022/<p>Pour cette première édition, nous recevons Grégoire Menguy, un ancien
étudiant de Télécom SudParis, actuellement en thèse au CEA. Son
intervention aura lieu à 14h dans le bâtiment IMT/TP/TSP, en salle 3.A405.</p>
<p>Les planches présentées sont disponible <a href="/static/2022/22-10-04--Menguy.pdf">via ce lien</a></p>
<h2>Search-Based Local Blackbox Deobfuscation: Understand, Improve and Mitigate</h2>
<p>Code obfuscation aims at protecting Intellectual Property and other
secrets embedded into software from being retrieved. Recent works
leverage advances in artificial intelligence (AI) with the hope of
getting blackbox deobfuscators completely immune to standard
(whitebox) protection mechanisms. While promising, this new field of
AI-based, and more specifically search-based blackbox deobfuscation,
is still in its infancy. In this work, we deepen the state of
search-based blackbox deobfuscation in three key directions:
understand the current state-of-the-art, improve over it and design
dedicated protection mechanisms. In particular, we define a novel
generic framework for search-based blackbox deobfuscation encompassing
prior work and highlighting key components; we are the first to point
out that the search space underlying code deobfuscation is too
unstable for simulation-based methods (e.g., Monte Carlo Tree Search
used in prior work) and advocate the use of robust methods such as
S-metaheuristics; we propose the new optimized search-based blackbox
deobfuscator Xyntia which significantly outperforms prior work in
terms of success rate (especially with small time budget) while being
completely immune to the most recent anti-analysis code obfuscation
methods; and finally we propose two novel protections against
search-based blackbox deobfuscation, allowing to counter Xyntia
powerful attacks.</p>
<p>This work has been published at CCS 2021.</p>