Grehack'15 is over. Thanks everyone, that was awesome! See you next year.
Grehack

November 20th, 2015 Grenoble, FRANCE

Program

Schedule

Hours are given in local time (UTC+1).
breakfast
9:00 am Opening speech
9:15 am Keynote Philippe Biondi
10:15 am Industrial Control Systems Dynamic Code Injection Nidhal Ben Aloui
break
11:15 am Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications M. Kabir-Querrec, S. Mocanu, P. Bellemain, J.-M. Thiriet and E. Savary
11:45 am Similarities and anomalies analysis of network mapping results Xavier Martin and Camille Mougey
12:15 pm New Results for the PTB-PTS Attack on Tunnelling Gateways Vincent Roca, Ludovic Jacquin, Saikou Fall and Jean-Louis Roch
lunch
2:00 pm (Invited talk) LOGJAM: TLS and the difficulty of discrete logarithm Emmanuel Thomé
2:45 pm (Short paper) Linnea: Detecting blacklist-evading malware with SQL rules Tobias Ruck and Miranda Mowbray
3:15 pm Hacking a Sega Whitestar Pinball: Focussing on the audio board Pierre Surply
break
4:15 pm Invited talk #2 (to be announced)
5:00 pm RUMP session
5:30 pm Closing speech
Cocktail

Keynote

To be completed ...

Invited talks

LOGJAM: TLS and the difficulty of discrete logarithm - Emmanuel Thomé

To be completed ...

Invited talk #2

To be announced ...

Accepted papers

Industrial Control Systems Dynamic Code Injection

Since the day of the Stuxnet virus, the world has discovered the importance of securing Industrial Control Systems, more commonly known as SCADA, and their potential impacts on Critical Infrastructure Protection (CIP). The Stuxnet malware uses a specific exploit (CVE-2012-3015) which consists of Step 7 insecure library loading. In this paper, we propose to demonstrate how easy it is to perform a dynamic code injection in an S7-300 PLC without shutting down or restarting the equipment. We developed a program in C, using the Snap7 library, to push a new Organisation Block (OB) inside the CPU. We developed a small HMI to illustrate the dynamic modification of the execution flow.

Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications

The GOOSE protocol is used for critical protection operations in the power grid, as standardized by IEC 61850. It thus has strong real-time constraints that make it very hard to implement any security means for integrity and confidentiality, such as encryption or signatures. Our answer to this lack of dedicated cybersecurity measures is to check the legitimacy of every GOOSE message flowing over the managed network. When the detectors issue an alert, the SCADA informs field devices to discard GOOSE communication and run an alternative protection strategy. This article focuses on the GOOSE attack detectors we developed: one dedicated to Ethernet storms and the other to fraudulent GOOSE frames. The paper first introduces the main GOOSE protocol mechanisms and gives a brief state of the art regarding GOOSE attack management before presenting our architecture and the detectors.
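The two checks the abstract names, storm detection and fraudulent-frame detection, can be illustrated with a small stateful detector. This is an added example, not the authors' detector: it assumes frames have already been parsed into (timestamp, source MAC, APPID, stNum, sqNum) tuples, uses a made-up storm threshold of 50 frames per second per publisher, and the sample frames are constructed. The sequence check relies only on the IEC 61850-8-1 counter semantics: stNum increments on a data change and sqNum then restarts at 0, while retransmissions of an unchanged state increment sqNum by one.

```python
"""Simplified GOOSE plausibility checks (added illustration, not the paper's
code).  Assumptions: frames arrive as (ts, src_mac, appid, stnum, sqnum)
tuples in wire order; a "storm" is more than STORM_MAX frames from one
publisher inside any WINDOW-second sliding window (both values made up)."""
from collections import defaultdict, deque

STORM_MAX = 50   # assumed threshold: frames per publisher per window
WINDOW = 1.0     # seconds


class GooseDetector:
    def __init__(self, storm_max=STORM_MAX, window=WINDOW):
        self.storm_max = storm_max
        self.window = window
        self.state = {}                  # (src_mac, appid) -> (stNum, sqNum)
        self.times = defaultdict(deque)  # (src_mac, appid) -> recent timestamps

    def observe(self, ts, src_mac, appid, stnum, sqnum):
        """Return the list of alert strings raised by this frame (empty if plausible)."""
        key = (src_mac, appid)
        alerts = []

        # Storm check: count frames from this publisher in the sliding window.
        q = self.times[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.storm_max:
            alerts.append(f"storm: {len(q)} frames in {self.window}s from {src_mac} appid={appid:#x}")

        # Sequence check: stNum must never go backwards; within one state sqNum
        # must advance by exactly one; a new state must start at sqNum 0.
        prev = self.state.get(key)
        if prev is not None:
            pst, psq = prev
            if stnum < pst:
                alerts.append(f"replay/rollback: stNum {stnum} < {pst} from {src_mac}")
            elif stnum == pst and sqnum != psq + 1:
                alerts.append(f"sequence gap: sqNum {sqnum} after {psq} (stNum {stnum})")
            elif stnum > pst and sqnum != 0:
                alerts.append(f"bad state change: stNum {stnum} with sqNum {sqnum} != 0")
        self.state[key] = (stnum, sqnum)
        return alerts


def run(frames, **detector_kwargs):
    """Feed frames through one detector; return [(ts, alert), ...]."""
    det = GooseDetector(**detector_kwargs)
    out = []
    for frame in frames:
        for alert in det.observe(*frame):
            out.append((frame[0], alert))
    return out


# Constructed sample: retransmissions of state 7, a genuine change to state 8,
# then an injected frame that replays the old state 7.
SAMPLE = [
    (0.00, "01:0c:cd:01:00:01", 0x1000, 7, 0),
    (0.01, "01:0c:cd:01:00:01", 0x1000, 7, 1),
    (0.05, "01:0c:cd:01:00:01", 0x1000, 7, 2),
    (0.50, "01:0c:cd:01:00:01", 0x1000, 8, 0),   # genuine state change
    (0.51, "01:0c:cd:01:00:01", 0x1000, 7, 0),   # replayed old frame
]

if __name__ == "__main__":
    for ts, alert in run(SAMPLE):
        print(f"{ts:6.2f}s  {alert}")
```

A detector deployed on a substation network tap would additionally have to tolerate 32-bit counter wrap-around and frames the tap itself misses, and would raise the storm alert to the SCADA so that field devices can switch to the alternative protection strategy the abstract describes.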

Similarities and anomalies analysis of network mapping results

Due to new capabilities in network scanning, for states, companies and individuals, there are more and more results to dig into. Analysing them manually is a very time-consuming and error-prone task. In this article we introduce an approach which relies on machine learning and "Big Data" algorithms and, to the best of our knowledge, is a new one. Our method leads to scan result clustering (grouping web servers, printers, ...) and highlights low-hanging fruits (potential targets).

New Results for the PTB-PTS Attack on Tunnelling Gateways

This work analyzes the impacts of the "Packet Too Big" - "Packet Too Small" (PTB-PTS) Internet Control Message Protocol (ICMP) based attack against tunnelling gateways. It is a follow-up of prior work [2] that detailed how to launch the PTB-PTS attack against IPsec gateways (for secure tunnels) and its consequences, ranging from major performance impacts (additional delays at session establishment and/or packet fragmentation) to Denial of Service (DoS). In the present work we examine a much wider range of configurations: we now consider the two IP protocol versions (previous work was limited to IPv4, we add IPv6), two operating systems (previous work was limited to Linux Debian, we add a recent Ubuntu distribution as well as Windows 7), and two tunnelling protocols (previous work was limited to IPsec, we add IPIP). This work highlights the complexity of the situation, as different behaviors will be observed depending on the exact configuration. It also highlights Microsoft's strategy when approaching the "minimum maximum packet size" (i.e., minimum MTU) any link technology should support: although Windows 7 mitigates the attack in IPv4 (there is no DoS), the performance impact is present and the technique is inapplicable to IPv6. Finally, it highlights a fundamental problem: the impossibility to identify illegitimate ICMP error packets coming from the untrusted network.
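The IPv4 form of the Packet Too Big signal discussed above is the ICMP "Fragmentation Needed" message (type 3, code 4), whose header carries the next-hop MTU followed by the IP header and first 8 bytes of the datagram that was dropped. The added example below (ours, not the paper's code) builds such a message, parses it, and applies the two sanity checks a tunnelling gateway can make before lowering its path MTU: does the quoted inner header belong to a flow the gateway actually has, and is the advertised MTU above a floor. The floor of 576 is our assumption, taken from the datagram size RFC 791 requires every IPv4 host to accept; for IPv6 the corresponding message is ICMPv6 type 2 and the floor would be the 1280-byte minimum link MTU. The flow table and the addresses are constructed. The example also shows the limit the abstract points out: a spoofed message that quotes a guessable flow and a plausible MTU passes both checks.

```python
"""ICMPv4 'Fragmentation Needed' (type 3, code 4) builder, parser and a
receive-side policy.  Added illustration, not the paper's code.  The MTU floor
and the flow table are our assumptions; all addresses are constructed."""
import struct

IPV4_MTU_FLOOR = 576  # assumed floor: RFC 791 size every IPv4 host must accept


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip2b(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def b2ip(raw: bytes) -> str:
    return ".".join(str(x) for x in raw)


def build_ipv4_header(src, dst, proto=6, total_len=1500) -> bytes:
    """Minimal 20-byte IPv4 header (the 'original datagram' quoted by the ICMP error)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      64, proto, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_ptb(next_hop_mtu, orig_src, orig_dst, orig_proto=6,
              first8=b"\x00\x50\x1f\x90\x00\x00\x00\x00") -> bytes:
    """ICMP type 3 / code 4 with next-hop MTU (RFC 1191) and the quoted inner header."""
    body = (struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
            + build_ipv4_header(orig_src, orig_dst, orig_proto) + first8)
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def parse_ptb(msg: bytes):
    """Return {'mtu', 'src', 'dst', 'proto'} or None if the message is malformed."""
    if len(msg) < 8 + 20 + 8:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != 3 or code != 4 or checksum(msg) != 0:
        return None
    inner = msg[8:28]
    if inner[0] >> 4 != 4 or (inner[0] & 0x0F) * 4 < 20:
        return None
    return {"mtu": mtu, "src": b2ip(inner[12:16]), "dst": b2ip(inner[16:20]),
            "proto": inner[9]}


def decide(msg: bytes, active_flows, floor=IPV4_MTU_FLOOR):
    """Gateway policy for an incoming PTB.

    active_flows is a set of (src, dst, proto) tuples the gateway is carrying.
    Returns ('accept', mtu), ('clamp', floor) or ('reject', reason)."""
    p = parse_ptb(msg)
    if p is None:
        return ("reject", "malformed")
    if (p["src"], p["dst"], p["proto"]) not in active_flows:
        return ("reject", "unknown flow")
    if p["mtu"] < floor:
        # The "Packet Too Small" leg: a tiny MTU would force every datagram
        # into many fragments, so refuse to go below the floor.
        return ("clamp", floor)
    return ("accept", p["mtu"])


if __name__ == "__main__":
    flows = {("10.0.0.2", "192.0.2.10", 6)}           # constructed flow table
    for mtu in (1400, 68):
        print(mtu, decide(build_ptb(mtu, "10.0.0.2", "192.0.2.10"), flows))
    # A forged PTB that quotes the right flow with a plausible MTU is accepted:
    print("forged", decide(build_ptb(1280, "10.0.0.2", "192.0.2.10"), flows))
```

The last line of the demo is the point the abstract makes: nothing in an ICMP error from the untrusted side authenticates it, so flow matching and an MTU floor only remove the crude cases (the DoS leg), not the performance degradation that a well-formed forged message still causes.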

Linnea: Detecting blacklist-evading malware with SQL rules

We present a system for detecting malware that uses domain generation algorithms (DGAs) to evade blacklisting. We use SQL rules that identify patterns specific to the malware family in the non-resolving domains queried by infected clients. We have designed a language to describe these rules more easily, which can be compiled to SQL. Using this approach we detected ten DGA families in a day's data from a large enterprise.
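The rule-to-SQL idea can be illustrated with sqlite3 over a constructed table of non-resolving queries. This is an added example, not the Linnea code or its rule language: the rule format used here (a family name, a regular expression over the queried name, and a per-client threshold of distinct matching domains) and the two family names are made up, as are the client addresses and domains in the sample data.

```python
"""Tiny rule format compiled to SQL and run over NXDOMAIN records with sqlite3.
Added illustration, not the Linnea code.  Assumptions: one row per
non-resolving query (client, qname); a rule is a made-up family name, a regex
over the full qname, and a per-client threshold of distinct matching domains."""
import re
import sqlite3

# Constructed sample: (client, qname) pairs from one day's NXDOMAIN answers.
NX_QUERIES = [
    ("10.1.1.5", "qzkvmxhtrbwn.info"), ("10.1.1.5", "plwcdksjuerh.biz"),
    ("10.1.1.5", "mnbvcxzalksj.info"), ("10.1.1.5", "tyuiopghjklz.biz"),
    ("10.1.1.5", "asdfghjklqwe.info"), ("10.1.1.5", "asdfghjklqwe.info"),  # repeat
    ("10.1.1.7", "gooogle.com"), ("10.1.1.7", "intranet-old.corp.example"),
    ("10.1.1.9", "zxcvbnmasdfg.biz"), ("10.1.1.9", "lkjhgfdsapoi.info"),
    ("10.1.1.9", "wpad.branch.example"),
]

# Hypothetical rules: family names and patterns are invented for the example.
RULES = [
    {"family": "fam-a", "qname": r"^[a-z]{12}\.(info|biz)$", "min_distinct": 4},
    {"family": "fam-b", "qname": r"^[a-z0-9]{20,30}\.ru$", "min_distinct": 3},
]


def compile_rule(rule):
    """Translate one rule into a parameterised SQL statement plus its parameters."""
    sql = (
        "SELECT client, COUNT(DISTINCT qname) AS n FROM nx_queries "
        "WHERE qname REGEXP ? "
        "GROUP BY client "
        "HAVING COUNT(DISTINCT qname) >= ? "
        "ORDER BY client"
    )
    return sql, (rule["qname"], rule["min_distinct"])


def load(conn, rows):
    """Create the table, insert the rows and register REGEXP for sqlite3."""
    conn.execute("CREATE TABLE nx_queries (client TEXT NOT NULL, qname TEXT NOT NULL)")
    conn.executemany("INSERT INTO nx_queries VALUES (?, ?)", rows)
    # sqlite3 has no built-in REGEXP; 'X REGEXP Y' calls regexp(Y, X).
    conn.create_function("REGEXP", 2, lambda pat, s: re.search(pat, s) is not None)


def detect(rows=NX_QUERIES, rules=RULES):
    """Return {(family, client): distinct_matching_domains} for every rule hit."""
    conn = sqlite3.connect(":memory:")
    load(conn, rows)
    hits = {}
    for rule in rules:
        sql, params = compile_rule(rule)
        for client, n in conn.execute(sql, params):
            hits[(rule["family"], client)] = n
    conn.close()
    return hits


if __name__ == "__main__":
    for (family, client), n in sorted(detect().items()):
        print(f"{client} matched {family} with {n} distinct non-resolving domains")
```

The per-client threshold on distinct domains is what separates a DGA family from a handful of typos: the client querying "gooogle.com" never matches, and the client with only two random-looking names stays below the threshold. Grouping by client keeps the query cheap on a day of enterprise DNS logs, since the regex runs once per row and the aggregation is a single pass.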

Hacking a Sega Whitestar Pinball: Focussing on the audio board

A reverse engineering of a BSMT2000 DSP used on the audio circuit of an old-school pinball. An overview of the electronic design of this uncommon and discontinued machine will be presented before focussing on the peculiar conception of its sound board.