ASIACCS is a major international forum for information security researchers, practitioners, developers, and users to explore and exchange the newest cyber security ideas, breakthroughs, findings, techniques, tools, and experiences. We invite submissions from academia, government, and industry presenting novel research on all theoretical and practical aspects of computer and network security.
Sekoia was attending the 10th edition of this event from April 14th to 17th at Singapore. Sekoia was represented by Baptiste Gourdin who both had a talk on April A6th and attended the rest of the conference.
Among the very rich program some keynotes and talks caught our attention.
That’s the case for Ravi Sandhu’s keynote “Attribute-based Access Control Models and Beyond” about the ABAC access security model. After presenting the other access models (DAC, MAC, RBAC), Ravi listed some of the motivations for the need of another access model. Although ABAC is not suitable to the rigidity of large scale enterprises, its flexibility is more adapted to heterogeneous environments like the Cloud and the IoTs (Internet Of Things). The ABAC model principle is to take the access decision based, not on the user ID or the groups it belongs, but on its attributes. This model gives a flexibility proportional to the multitude of available attributes and language rules. [SLIDES]
Ahmad-Reza Sadeghi’s keynote “Securing Legacy Software against Real World Code Reuse Exploits: Utopia, Alchemy, or Possible Future?” describes the state of the art of the techniques used to exploit memory corruption vulnerability and the techniques used to protect against them. It showed that for each counter-measure, new attacks came up. For example, DEP and ASLR protection can still be bypassed under specific conditions. To increase the complexity of a vulnerability exploit, new tools that use Control Flow Integrity (CFI) have been proposed like Microsoft tools: EMET and Control-Flow Guard. Again, the speaker showed that, even with all these tools deployed, attacks are still possible. Therefore, it finished his talk with the ongoing effort against these categories of exploit. [SLIDES]
The following talks were particularly interesting:
- Automated Identification of Crypto-graphic Primitives in Binary Code with Data Flow Graph Isomorphism (Pierre Lestringant; Frédéric Guihéry; Pierre Alain Fouque): When proceeding a black box analysis of security product, the right implementation of cryptography mechanisms is one of the main point that needs to be assessed. However, analyzing a binary file can be time consuming. Therefore, the authors propose in this paper a new tool to find right implementation of cryptographic primitives in a binary file. Analysts can gain a precious time during the security assessment if the proposed tool matches the right cryptographic primitives.
- A Practical Attack Against the Use of RC4 in the HIVE Hidden Volume Encryption System (Kenneth Paterson; Mario Strefler): Today, the stream encryption primitive RC4 is known to suffer from several biases. This paper show a new way to use these vulnerabilities in order to attack a disk encryption software. Breaking the disk encryption is not their attack goal but the property of keeping the disk usage confidential, as advertised by the tool. Using these biases, the authors succeeded at finding which blocks are free or used in a encrypted disk.
- Armadillo: a compilation chain for privacy preserving applications (Sergiu Carpov; Paul Dubrulle; Renaud Sirdey): Homomorphic encryption a form of encryption that allows computations to be carried out on ciphertext, thus generating an encrypted result which, when decrypted, matches the result of operations performed on the plaintext. Even if the supported operations supported on these encryption forms are still limited (addition and/or multiplication), various are the usage cases where it can be used. Armadillo is a compiler that uses specific C++ classes in order to generate programs that can be run to process ciphertext data.
- Charging Me and I Know Your Secrets! Towards Juice Filming Attacks on Smartphones (Weizhi Meng, Wang Hao Lee, Srirangam Ramanujam Murali and S.P.T. Krishnan): Attacks on smartphone using the USB are various and exploit different weaknesses of this link. In this paper, the authors attack a new feature of Android USB link: the screen sharing feature. By using a USB cable with a VGA adaptor, Android smartphones can share their screen. By using the right driver, one can steal all the screen data and therefore steal precious information as pin-code, passwords and credit card information.
On April, 16th, Baptiste presented the result of a joint work with Olivier Levillain (ANSSI) ans Hervé Debar (Télécom SudParis). Entitled “TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS“, it summarize in a first part the different attacks against the “Application Data” part of the SSL/TLS protocol: BEAST, TIME, CRIME, POODLE, RC4 biases … For each of these attacks, proof of concept have been proposed attacking HTTPS connection to steal session cookies. And for each of these attacks, a specific counter-measure needs to be deployed. However, some of them can be incompatible. Therefore, our paper propose a new way to reduce the probability of success for these attacks on an HTTPS channel by applying a random mask to targeted part of the message (operation called masking).
Two solutions have been proposed:
- The first one solution impacts the SSL/TLS implementation by adding a fake compression algorithm. However this solution is hard to deploy and suffer some limitations.
- So, a second solution has been proposed which mask cookies at the HTTP layer. Using a web server plugin, it doesn’t alter the behavior of hosted web applications protecting at the same time the transferred cookies. Because this first implementation implies some performance overhead, a second implementation with an internet browser patch has also been proposed.
Implemented as proofs of concept, the source code of these solutions can be requested by email.
Research engineer for 5 years on various IT security themes with a main focus on web security, my work results have been presented to world known security conferences. I now work as a pentester, an incident responder and a web security teacher.