RMLL Security Track 2016 Wrap-Up

I’m in the train from Paris where I attended the RMLL Security Track version 2016. The RMLL or “Rencontres Mondiales du Logiciel Libre” is an annual event around free software. Amongst multiple tracks, there is always one dedicated to information security (around free software of course). The global event was not scheduled this year but the team behind the security track are really motivated people and they decided to organize the security track despite the cancellation of the main event. I already attended the previous editions (2013, 2014, 2015) and came back again for this edition.

The organisation of the security track was the same: free for everybody, a good size to facilitate networking, interesting talks, live streaming and a nice opportunity to meet again good friends… It was held at the Mozilla offices in the center of the French capital, a nice place! After the welcome speech and some house-keeping rules, the first half-day started with a keynote by Ange Albertini: “Connecting Communities“. Ange started with a fact: it’s not always easy to share knowledge and there is no exception with hackers. This can be resumed by the following quote: “Rage against the infosec circus“. For Ange, it is clear: stop having ideas, try! If conferences are a nice way to share findings and results of security researches. Two good examples of such initiatives:

Ange is an active contributor to PoC||GTFO and he gave more information about the magazine. Behind printed first, there are hard deadlines to get things done. The electronic version comes always later. There is one issue per quarter so there’s no rush to miss one and they definitively prefer quality to quantity (the articles). Also, they don’t have any commitment regarding the number of pages. An article is often the result of exchanges between people.

The funny part of the electronic version: each issue has a proof-of-concept. It is delivery as a PDF but it contains always a hidden part. Some examples from the previous editions:

  • a MBR
  • a TrueCrypt container
  • a JPG image
  • a Ruby web server serving the file itself (my preferred one)

About those PoC, Ange’s response is just “because why not?“. The conclusion to this keynote: “We are looking for more people to share more knowledge“.

The first talk was presented by Andrea Barisani about his baby: the USB Armory. This is not the first time that I see Andrea talking about this awesome project (the last time it was at hack.lu), I won’t describe again the project. Just saying: when I saw it for the first time, I ordered one with the crowd funding action and I don’t regret. This is a very cool device. I’m sure that anybody could find an interesting way to use it. Some examples are:
  • a Tor proxy
  • an SSH proxy
  • a password manager
  • a safe file container
  • a portable toolbox
Andrea made a nice demo of Interlock. The integration of the Signal application with the safe file container makes the USB Armory a cool device for your privacy.
The next presentation was performed by Paul Kocialkowski: “Verified boot and free software: reconciling freedom and security“. Paul reviewed the status of open implementation of boot software. He started with a review of the BIOS history:
  • In the 80’s, the BIOS was stored in read-only memory
  • In the 90’s, the hardware became more complex and the BIOS moved to read-write memory (ex: for upgrade reasons)
  • In the 2000’s, we saw run-time services

Paul reviewed how a computer boots and what are the security issues. There are different open source projects like Coreboot, U-Boot, Barebox or Libreboot. About the security issues, we have two different approaches: “to boot or not to boot” (verified boot) or “measured boot” (with a state indication). He reviewed all controls are implemented and how complex it is to implement a full open source boot environment. It was a very technical talk with many abbreviations now always easy to understand if you don’t play with such tools every day.

After a short coffee break, the project Qubes OS was presented by the lead developer: Marek Marczykowski-Górecki. The project Qubes OS started with a fact: the current design of operating systems is not safe enough. Current systems are monolithic systems: all the drivers, services are part of a single environment and applications(PDF viewers, web browsers, …) have access to all data. For years, people are fighting for more network segmentation: If today, it is normal to have DMZ’s for public servers, why not implement the same at OS level? That’s what is doing Qubes OS. The OS is based on a “bare-metal” hypervisor (based on Xen) which execute multiple virtual machines to address very specific functions of the operating system (example: to handle USB devices). Secure inter-VM communications is implemented via qrexec. The project seems interesting but being based on an hypervisor, the hardware used must be compatible. There is an HCL (“Hardware Compatibility List”) available but not all computers are able to run Qubes OS. Nice story during the Q&A session after the presentation: It looks like the project Let’s Encrypt is using Qubes OS.
To finish the first half-day, Serge Guelton came to present his tool: binmap. This project started from a simple idea: automate boring stuff that we do regularly. What does binmap?
  • It walks through a file system and collects binary files
  • It analyses them and saves results in a database
  • It builds dependencies graphs

Besides an inventory of (interesting) binaries, binmap is very helpful to detect if applications installed on a system are vulnerable. If a component is vulnerable to CVE-xxx and this component is used by multiple applications (a good example is OpenSSL – just saying), you “see” immediately where are the vulnerable applications. Based on multiple scans, it is also possible to track changes and build a (kind of) versioning system. This is a nice tool that you should add to your personal toolbox!

After a nice evening in Paris and the speaker dinner, the second day with a schedule full of talks. The first one was Julien Pivotto who talked about “DNS & Security“, a great cocktail! Indeed, without DNS, no Internet and DNS servers and protocol are great targets. After a quick recap about how DNS works, Julien gave some best practices:
  • Do not mix authoritative and recursive servers
  • Mix different brands of DNS servers
  • Hide your DNS master
  • Do not invent new TLD (this is especially important since the market of “funny” TLD’s expanded)

A lot of information can be stored in DNS: there are many different record types. Amongst them, the TXT records may contain a lot of useful information like SPF, DKIM records, keybase.io validation records or Let’s Encrypt DNS challenges. Then Julien switched to more details about DNSSec. This isn’t something brand new (the RFC are from the year 2000) but they took a long time before being implemented. The root DNS are DNSsec aware since 2010 only. The goal is to proof the origin and integrity of zones and record signing. Julien reviewed how it works. If it sounds very interesting, honestly DNSSec is not very convenient to implement and mistakes are common. There are also constraints like the regular key renewal.

Then, Guiseppe Longo came to speak about  mixing IDPS and nftables. nftables is the next-generation of iptables. The implementation of IP filters is now completely different and a new language was made available. To interact with the kernel, a new user-space tool is available: nft. Guiseppe reviewed the different concepts behind nftables: tables, chains, types (filter, route, NAT), hooks (prerouting, forward, input, …), expressions, rules, sets and dictionaries. It seems very powerful but completely different from the syntax we use for years. Then, Guiseppe explained how nftables can be interconnected with the Suricata ID(P)S. There are two modes available:
  • The “IDS” mode: working with pcap, AF_PACKET or NFLOG technologies
  • The “IPS” mode: working with NFQUEUE, IPFW, AF_PACKET.

The different modes and the available options to automatically block malicious traffic were reviewed. It is possible to implement very nice filters like to drop SSH connections from suspicious SSH clients. Powerful! The only remark I had was: how many organisations really implement such filters? Many of them can’t take the risk to block regular traffic for business reasons…

After a first coffee break, Sébastien Bardin presented a tool called BINSEC: “Binary level semantic analysis to the rescue“. It was very hard for me to follow the technical presentation. What you must keep in mind: The life of a program has the following stages: model > source code > assembler > executable code. To analyse the behaviour of a program, we do not always have access to its source code. Also, can we trust source code coming from external sources? Can we trust the compiler which optimize the code itself? To illustrate this case, Sébastien reviewed the CVE-2016-0777. The compiler decided, for optimisation reasons, to remove a memset() instruction which was clearing a memory zone with sensitive information. The presentation was a deep introduction to BINSEC.

Ivan Kwiatkowski presented his tool called Manalyze. The goal of his tool is to analyse PE files (Microsoft Windows executable). The PE format can be very complex and being used by many malwares, it is always interesting to have a deeper view of the file and “prevent annoyance of antivirus’ opaque decisions” as said Ivan. The tools is available as a command line or a web site exists to submit your own samples. Note that an intensive testing phase (fuzzing) has been performed and a bug bounty organised to ensure of the quality of the tool.

After the lunch break, J.C Jones from Mozilla presented the “Let’s Encrypt” project. This was not a technical talk, the project was already analysed multiple time. J. C. came back to the problematic of becoming a certificate authority. Netscape introduced HTTPS in 1995 with the release 1.0N of its browser. Not a long time ago, only 40,01% of the web traffic was based on HTTPS and, since the official launch of Let’s Encrypt, it increased by 8% (in only seven months). The main difficulty was to become trusted. It’s binary: you are or you aren’t! It is also based on a threat model: if someone issues a bad certificate, Let’s Encrypt will not be trusted anymore. J.C. reviewed the contraints they faced during the design and deployment of the platform. As example, do you know that the data and states must be kept at least 7.5 years?). Is was a very interesting talk.

Then, Julien Vehent also from Mozilla presented a talk about DevOps & Security. It started with a fact: today speed matters. You must be able to deploy new code in production in 15 minutes. The traditional cycle does not work anymore. In an ideal world, all deployments are automated and instantaneous. Which can be an issue for the security peeps. That’s why Julien explained that security must be integrated INTO DevOps. Security tests must be implemented into the delivery pipeline. By example: a 30 minutes meeting can be organised to perform the RRA (“Rapid Risk Assessment”). Some tests can be automated to prevent developers to make common mistakes (ex: based on the OWASP top-ten for web applications). As usual, plenty of ideas but, IMHO, not so easy to implement in a real world.

The next talk was epic: Clément Oudot started with… a song! “Imagine SSOng” based on the John Lennon’s “Imagine” song. Awesome!

The Clement’s presentation was a review of the common authentication mechanism for web applications. After the classic BasicAuth, DigestAuth and cookies, Clément reviewed some protocols developed by many US universities like:

  • CoSign
  • PubCookie
  • WebAuth
  • CAH
  • CAS
  • WebID
  • BrowserID
  • SAML
  • BrowserID
  • OpenID

As you can see, there is a lack of standardisation. Each protocol was reviewed with more focus on SAML and OpenID.

The last talk was about Ring by Adrien Béraud. Today, people want to communicate privately. They are already plenty of applications available but some of them are restricted to a limited supported devices, others are obscure, not easy to choose the right one. Based on this fact, Ring was developed as an easy to use, free, distributed communication platform. It is secure, robust and build on top of open standards and distributed with a GPLv3 license. A Ring account is a key-pair. No account is created on a central server. To communicate with a peer, create a new key, scan the QRcode and… talk! Text, video and audio communications are available on multiple platforms. The quick demo was nice. It worked like a charm. Peers can find each others via the OpenDHT protocol. Connections are established using peer-to-peer TLS connections and calls are placed via SIP. The project is still ongoing and some major features are missing like: using multiple devices per user (with a sub-key for each device) or a user name registration. It looks promising, keep an eye on it! Finally a tool available on most platform? To close the second day, a rump session was organized (read: “lightning talks”) with interesting topics.

And finally, the third day! The planning slightly changed: the first talk about Git was cancelled (Anne Nicolas was not present due to illness). In place, we had a live demo of Qubes OS. Marek demonstrated how VM’s can be quickly deployed to perform different tasks and how to safely exchange information between them. The first example was the creation of a quick service to retrieve data from Internet (the price of a BitCoin) and to make them available into a VM which has no network connectivity. The different steps were reviewed: Creation of the service, creation of the policy as explained during the talk on Monday. Another demo was based on PDF files: “qvm-convert-pdf <file.pdf>” will spawn a temporary VM, convert the PDF into images and make it safe to be viewed. This was a very interesting demo which definitively helped to better understand the logic of the Qubes OS.
The next talk was about the security of Python applications and how to audit them with the tool Bandit by Michael Scherer from RedHat. Here is a fact: “It’s all about code”. Many organisations rely on business critical applications and often updates have a cost. If something can go wrong (and it will – remember Murphy’s law). The update of a piece of code can have a huge impact if not performed properly or if issues occur. Testing the code is always interesting but, according to Michael, there was a lack of tools focusing on Python. That’s why Bandit was developed. The goal is to reveal dangerous pieces of code. Bandit is based on the AST module for python parsing (Abstract Syntax Grammar).
Then,  Antoine Cervoise presented his research about IoT (“Internet of Threats” as he said). His talk was called “Hands-on security for DIY projects“. All started as usual with a connected gadget (in this case smart-plug) and it quickly became a nightmare. To control the device, an Android application is available but it was malicious! Antoine performed several security checks against the device with classic scanners (Nmap, Nessus, …). While using Nessus, the standard profiles did not return interesting information but a specifically created profile (with longer timeouts) revealed interesting stuff like an increase of the device temperature (too many CPU cycles?). Scaring! Antoine reviewed some classic vulnerabilities or bad practices around the IoT but also some best practice. Thanks to him for the mention to my previous year presentation).
The next time slot was assigned to me. I presented the same talk as last week in Athens: “Building A Poor man’s Fir3Ey3 Mail Scanner“.
After the lunch break, Raphaël Vinot presented the MISP project (“Malware Information Sharing Platform”). He reviewed the most interesting features and also who is (should) using it? In fact, MISP addresses requirements from many profiles: malware reverses, incident handlers, law enforcement agencies, risk analysis team but also fraud analyst (MISP can handle IOC’s like BitCoin, mobile numbers or bank accounts). But no tool is perfect and MISP suffers of some issues with its default setup. By example: it is not possible to merge events (related to the same campaign) or to compare campaigns. There could be search performance issues in some cases. That’s why they are some interesting project in parallel to the main one like:
  • MISP Galaxy
  • MISP Hashstore
  • MISP Workbench
Then, Sébastien Larinier & Paul Rascagneres presented: “Complex malware & forensic investigation”. The talk was based on Fast-IR (“Fast Incident Response collector”). The goal of this tool is to be able to collect quickly artefacts from a (potentially) compromised host. It is a standalone tool (easy to be executed from a USB key). It collects plenty of artefacts like: Filesystems (IE History, Named Pipes, Prefetch, Recycle-bin, health, ARP Table, Drives list, Network drives, Networks Cards, Processes, Routes Tables, Tasks, Scheduled jobs, Services, Sessions, Network Shares, Sockets), the Windows regsitry (Installer Folders, OpenSaveMRU, Recents Docs, Services, Shellbags, Autoruns, USB History, Userassists, Networks List), memory (Clipboard, dlls loaded, Opened Files), dumps (MFT, MBR, RAM, DISK, Registry, SAM) and FileCatcher (based on interesting MIME types). The goal of the talk is not to describe the tool but show it in real cases: rootkit, bootkit, user land RAT. Paul reviewed several cases of real malwares:
  • Uroburos
  • ComRAT
  • Babar
  • Casper
  • Powerless (running entirely from the registry)
But the main issue with the Fast-IR collector is the lack of support from people who can’t execute it or the host to be investigated is simply located somewhere else. The idea was to build a system based on agents and a servers. The agent is deployed and running in the background. Every x minutes, it asks to the server if there is task to be executed. If needed a Fast-IR collector can be remotely launched. Agents act like a real botnet in fact but this one is not malicious! The code is brand new and is available here: the agent and the server.
For the next slot, the “serial speaker“,Julien Vehent (as named by the organizers), came back on stage to present a Mozilla project: MIG (“Mozilla InvestiGator“). I already had the chance to attend this presentation last year at HITB Amsterdam. If you’re interested, read my wrap-up. In a few words, the idea of the tool was based on a lack of time and resources to start investigation across thousands of hosts (same issues as described by Sébastien and Paul in the previous talk). Here are some practical cases:
  • Finding systems connected to a specific C&C
  • Fixed small mistakes (ex: search for files containing a key or password)
  • Measuring security compliance (ex: search for “^passwordauthentication no$” in /etc/ssh/sshd_config
It’s a very interesting tool but like the FastIR agent, the main issue for most customers is “how to deploy it across thousands of hosts”. In the case of Mozilla, it’s easy because all the hosts are internal.
Finally, the last talk was about “MOWR” (“More Obvious Web-malware Repository”) by Julien Revered and Antide Petit. Honestly, I did not know the tool before the presentation and, based on the abstract, I was expecting to learn about a tool to analyse URLs. In fact, MOWR can be easily deployed on a Linux host and analyse submitted web files (mainly PHP or ASP). Once the analysis completed, a report is presented with the findings. See it as a “VT-like website dedicated to malwares”.
This talk closed the 2016 edition of the stand-alone-security-track. Next year, the track will be back to the main organisation of the RMLL and will be held in Saint-Etienne, France. All the slides are already available here and the video should follow soon…

Leave a Reply