Program
Schedule
Hours are given in local time (UTC+1).

| Time | Talk | Speaker(s) |
|---|---|---|
| | Breakfast | |
| 9:00 am | Opening speech | |
| 9:15 am | Keynote | Philippe Biondi |
| 10:15 am | Industrial Control Systems Dynamic Code Injection | Nidhal Ben Aloui |
| | Break | |
| 11:15 am | Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications | M. Kabir-Querrec, S. Mocanu, P. Bellemain, J.-M. Thiriet and E. Savary |
| 11:45 am | Similarities and anomalies analysis of network mapping results | Xavier Martin and Camille Mougey |
| 12:15 pm | New Results for the PTB-PTS Attack on Tunnelling Gateways | Vincent Roca, Ludovic Jacquin, Saikou Fall and Jean-Louis Roch |
| | Lunch | |
| 2:00 pm | (Invited talk) LOGJAM: TLS and the difficulty of discrete logarithms | Emmanuel Thomé |
| 2:45 pm | (Short paper) Linnea: Detecting blacklist-evading malware with SQL rules | Tobias Ruck and Miranda Mowbray |
| 3:15 pm | Hacking a Sega Whitestar Pinball: Focussing on the audio board | Pierre Surply |
| | Break | |
| 4:15 pm | Invited talk #2 (to be announced) | |
| 5:00 pm | RUMP session | |
| 5:30 pm | Closing speech | |
| | Cocktail | |
Keynote
To be completed ...

Invited talks
LOGJAM: TLS and the difficulty of discrete logarithms - Emmanuel Thomé
To be completed ...

Invited talk #2
To be announced ...

Accepted papers
Industrial Control Systems Dynamic Code Injection
Since the days of the Stuxnet virus, the world has discovered the importance of securing Industrial Control Systems, more commonly known as SCADA, and their potential impacts on Critical Infrastructure Protection (CIP). The Stuxnet malware uses a specific exploit (CVE-2012-3015) which consists of Step 7 Insecure Library Loading. In this paper, we propose to demonstrate how easy it is to perform a dynamic code injection in an S7-300 PLC without shutting down or restarting the equipment. We developed a program in the C language, using the Snap7 library, to push a new Organization Block (OB) inside the CPU. We developed a small HMI to illustrate the dynamic modification of the execution flow.
Corrupted GOOSE Detectors: Anomaly Detection in Power Utility Real-Time Ethernet Communications
The GOOSE protocol is used for critical protection operations in the power grid, as standardized by IEC 61850. It thus has strong real-time constraints that make it very hard to implement any security means for integrity and confidentiality such as encryption or signatures. Our answer to this lack of dedicated cybersecurity measures is to check the legitimacy of every GOOSE message flowing over the managed network. When detectors issue an alert, the SCADA informs field devices to discard GOOSE communication and run an alternative protection strategy. This article focuses on the GOOSE attack detectors we developed: one dedicated to Ethernet storms and the other one to fraudulent GOOSE frames. The paper first introduces the main GOOSE protocol mechanisms and gives a brief state of the art regarding GOOSE attack management before presenting our architecture and the detectors.
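As an added illustration of the two detector types the abstract names (not the authors' detectors), the following Python models a storm detector and a sequence-consistency detector for fraudulent frames. It works on simplified frame records (publisher MAC, APPID, stNum, sqNum, capture time) rather than raw IEC 61850 BER-encoded PDUs; the thresholds, the sqNum-restart convention and the sample capture are assumptions made for this example.

```python
"""Two small GOOSE anomaly detectors: an Ethernet-storm detector and a
sequence-consistency detector for fraudulent frames.

Added illustration for this page, not the detectors from the paper.  Frames are
simplified records (publisher MAC, APPID, stNum, sqNum, capture time) rather
than raw IEC 61850 BER-encoded PDUs; thresholds and the sample capture are
constructed for the example."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class GooseFrame:
    src_mac: str   # publisher MAC address
    appid: int     # GOOSE APPID from the Ethernet payload header
    st_num: int    # state number, incremented on each data-set change
    sq_num: int    # sequence number, incremented on each retransmission
    t: float       # capture time in seconds


class StormDetector:
    """Alert when more than max_frames GOOSE frames arrive within window_s seconds."""

    def __init__(self, max_frames=50, window_s=1.0):
        self.max_frames, self.window_s = max_frames, window_s
        self.times = deque()

    def observe(self, frame):
        self.times.append(frame.t)
        while frame.t - self.times[0] > self.window_s:   # drop frames outside the window
            self.times.popleft()
        return "GOOSE storm" if len(self.times) > self.max_frames else None


class SequenceDetector:
    """Flag a frame whose (stNum, sqNum) cannot follow the last clean frame seen
    from the same publisher/APPID: stNum going backwards, sqNum replayed or
    skipped, or a state change that does not restart sqNum."""

    def __init__(self):
        self.last = {}   # (src_mac, appid) -> (st_num, sq_num)

    def observe(self, frame):
        key = (frame.src_mac, frame.appid)
        prev = self.last.get(key)
        alert = None
        if prev is not None:
            st, sq = prev
            if frame.st_num < st:
                alert = "stNum decreased"
            elif frame.st_num == st and frame.sq_num != sq + 1:
                alert = "sqNum replayed or skipped"
            elif frame.st_num > st and frame.sq_num not in (0, 1):
                # assumption: sqNum restarts on a state change (0 in IEC 61850-8-1 Ed.1, 1 in Ed.2)
                alert = "state change without sqNum restart"
        if alert is None:
            # Only clean frames advance the tracked state, so a single forged
            # frame cannot desynchronise the detector from the real publisher.
            self.last[key] = (frame.st_num, frame.sq_num)
        return alert


def run_detectors(frames):
    """Return (frame index, detector, message) for every alert raised."""
    storm, seq = StormDetector(), SequenceDetector()
    alerts = []
    for i, frame in enumerate(frames):
        for name, det in (("storm", storm), ("sequence", seq)):
            msg = det.observe(frame)
            if msg:
                alerts.append((i, name, msg))
    return alerts


def build_sample_capture():
    """Constructed capture: a steady publisher, a genuine state change, one
    forged frame with a stale stNum, then a storm spoofing the publisher."""
    pub, appid = "00:30:a7:00:00:01", 0x1000
    frames = [GooseFrame(pub, appid, 7, sq, float(sq)) for sq in range(5)]   # 1 s heartbeat
    frames += [GooseFrame(pub, appid, 8, 0, 4.200),    # state change: sqNum restarts
               GooseFrame(pub, appid, 8, 1, 4.204),    # fast retransmissions follow
               GooseFrame(pub, appid, 8, 2, 4.212),
               GooseFrame(pub, appid, 5, 3, 4.300)]    # forged: stNum goes backwards
    frames += [GooseFrame(pub, appid, 8, 3 + i, 6.0 + i * 0.005) for i in range(80)]   # storm
    return frames


if __name__ == "__main__":
    for index, detector, message in run_detectors(build_sample_capture()):
        print(f"frame {index}: {detector}: {message}")
```

The storm frames in the sample keep stNum/sqNum perfectly consistent, so the sequence detector says nothing about them and only the rate-based detector fires; conversely the single forged frame is caught by sequence checking alone. Neither check authenticates anything: an attacker who can observe the live stream and inject a frame with the next expected sqNum ahead of the real publisher will instead make the genuine frame look fraudulent, which is why the abstract falls back on discarding GOOSE altogether once an alert is raised.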
Similarities and anomalies analysis of network mapping results
Due to new capabilities in network scanning, for states, companies and individuals, there are more and more results to dig into. Analysing them manually is a very time-consuming and error-prone task. In this article we introduce an approach which relies on machine learning and "Big Data" algorithms and, to the best of our knowledge, is a new one. Our method leads to scan result clustering (grouping web servers, printers, ...) and highlights low-hanging fruit (potential targets).
New Results for the PTB-PTS Attack on Tunnelling Gateways
This work analyzes the impacts of the "Packet Too Big" - "Packet Too Small" (PTB-PTS) Internet Control Message Protocol (ICMP) based attack against tunneling gateways. It is a follow-up of a prior work [2] that detailed how to launch the PTB-PTS attack against IPsec gateways (for secure tunnels) and its consequences, ranging from major performance impacts (additional delays at session establishment and/or packet fragmentation) to Denial of Service (DoS). In the present work we examine a much wider range of configurations: we now consider the two IP protocol versions (previous work was limited to IPv4, we add IPv6), two operating systems (previous work was limited to Linux Debian, we add a recent Ubuntu distribution as well as Windows 7), and two tunnelling protocols (previous work was limited to IPsec, we add IPIP). This work highlights the complexity of the situation as different behaviors will be observed depending on the exact configuration. It also highlights Microsoft's strategy when approaching the "minimum maximum packet size" (i.e., minimum MTU) any link technology should support: while Windows 7 mitigates the attack in IPv4 (there is no DoS), the performance impact is still present and the technique is inapplicable to IPv6. Finally, it highlights a fundamental problem: the impossibility of identifying illegitimate ICMP error packets coming from the untrusted network.
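The "fundamental problem" in the last sentence is easy to see in code. The following Python is an added illustration, not code from the paper: a toy IPIP gateway that remembers the outer headers it sent and accepts an ICMPv4 "fragmentation needed" message only when the quoted header matches one of them, which is the usual defence against blind spoofing. Addresses, IP identifiers, MTU values and the 576-byte floor policy are constructed for the example.

```python
"""Why a tunnelling gateway cannot tell a forged ICMPv4 'Packet Too Big' (PTB)
from a genuine one, and what a 'Packet Too Small' (PTS) value does to it.

Illustrative model added for this page, not code from the paper: a toy IPIP
gateway keeps the outer headers it sent and accepts a PTB only when the quoted
header matches one of them.  Addresses, IP identifiers, MTU values and the
576-byte floor policy are constructed."""
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4   # ICMPv4 type 3 / code 4
IPPROTO_IPIP = 4
PMTU_FLOOR = 576   # assumption: the gateway refuses to lower its path MTU below this


def ipv4_header(src, dst, proto, ident, total_len):
    """20-byte IPv4 header with DF set, as a tunnel's outer header (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))


def icmp_ptb(offending_packet, next_hop_mtu):
    """ICMP 'fragmentation needed and DF set': next-hop MTU plus the first
    28 bytes (IP header + 8) of the packet that was too big (checksum left 0)."""
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    return head + offending_packet[:28]


class TunnelGateway:
    def __init__(self, local, remote):
        self.local, self.remote = local, remote
        self.path_mtu = 1500
        self.sent = {}   # IP identifier -> outer packet, what a router would quote back

    def send(self, ident, inner):
        outer = ipv4_header(self.local, self.remote, IPPROTO_IPIP, ident, 20 + len(inner)) + inner
        self.sent[ident] = outer
        return outer

    def handle_icmp(self, msg):
        typ, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
        if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
            return "ignored: not a PTB"
        quoted = msg[8:]
        ident = struct.unpack("!H", quoted[4:6])[0]
        if self.sent.get(ident, b"")[:28] != quoted:
            return "rejected: quote matches no packet we sent"
        if mtu < PMTU_FLOOR:
            # PTS: obeying would fragment every tunnel packet into tiny pieces,
            # so clamp to the floor.  Every packet is still fragmented to the
            # floor from now on, so this only turns a DoS into a performance cost.
            self.path_mtu = PMTU_FLOOR
            return f"clamped: PTS mtu={mtu} -> {PMTU_FLOOR}"
        self.path_mtu = mtu
        return f"accepted: path MTU now {mtu}"


def demo():
    """Constructed exchange: one genuine PTB, one forged by an on-path observer,
    one blind forgery, and one PTS message."""
    gw = TunnelGateway("192.0.2.1", "198.51.100.1")
    outer = gw.send(ident=0x1234, inner=b"\x45" + b"\x00" * 59)   # 60-byte inner packet

    from_router = icmp_ptb(outer, 1400)     # genuine: a router on the path quotes our packet
    from_attacker = icmp_ptb(outer, 1400)   # anyone who saw 'outer' on the untrusted network builds the same bytes
    blind_forge = icmp_ptb(ipv4_header("192.0.2.1", "198.51.100.1", IPPROTO_IPIP, 0x9999, 80) + bytes(8), 1400)
    too_small = icmp_ptb(outer, 100)        # PTS: far below what any link must carry

    return [gw.handle_icmp(m) for m in (from_router, from_attacker, blind_forge, too_small)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The genuine and the forged message are byte for byte identical, so the quote-matching check only stops attackers who cannot see the tunnel's outer packets; there is nothing in an ICMP error that proves it came from a router on the path. The clamp on the PTS value is a policy choice, not a fix: the gateway still fragments to the floor afterwards, which is the performance impact rather than the DoS.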
Linnea: Detecting blacklist-evading malware with SQL rules
We present a system for detecting malware that uses domain generation algorithms (DGAs) to evade blacklisting. We use SQL rules that identify patterns specific to the malware family in the non-resolving domains queried by infected clients. We have designed a language to describe these rules more easily, which can be compiled to SQL. Using this approach we detected ten DGA families in a day's data from a large enterprise.
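As an added toy version of the idea in this abstract (not Linnea's code or its rule language), the following Python expresses a per-family rule as a small dataclass, compiles it to one SQL statement and runs it over a constructed day of non-resolving DNS queries with SQLite. The family shapes, thresholds, client addresses and log rows are all assumptions made for the example.

```python
"""Toy version of DGA-family detection with SQL rules over non-resolving DNS
queries, in the spirit of the Linnea abstract.

Added illustration for this page: the rule 'language' is a small Python dataclass
compiled to SQL, not Linnea's language, and the family shapes, thresholds and
DNS log rows are constructed for the example."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class DgaRule:
    family: str     # name of the (hypothetical) malware family the rule targets
    label_len: int  # length of the generated second-level label
    charset: str    # sqlite GLOB character class, e.g. "[a-z]" or "[a-z0-9]"
    tlds: tuple     # TLDs the family appends to its generated labels
    min_nx: int     # distinct matching NXDOMAIN names per client needed to alert

    def to_sql(self):
        """Compile the rule to one statement: clients whose distinct non-resolving
        queries of the family's shape reach the threshold."""
        shape = " OR ".join("qname GLOB ?" for _ in self.tlds)
        return ("SELECT client, COUNT(DISTINCT qname) AS nx FROM dns_queries "
                "WHERE rcode = 'NXDOMAIN' AND (" + shape + ") "
                "GROUP BY client HAVING COUNT(DISTINCT qname) >= ?")

    def params(self):
        # One GLOB pattern per TLD: the class repeated label_len times, e.g. [a-z][a-z]....info
        return [self.charset * self.label_len + "." + tld for tld in self.tlds] + [self.min_nx]


RULES = (
    DgaRule("fam-alpha", 12, "[a-z]", ("info", "biz"), 5),
    DgaRule("fam-beta", 16, "[a-z0-9]", ("ru",), 5),
)


def load_sample_log(conn):
    """Constructed one-day DNS log: two infected clients and one benign client."""
    conn.execute("CREATE TABLE dns_queries (client TEXT, qname TEXT, rcode TEXT)")
    letters = "abcdefghijklmnopqrstuvwxyz"
    alnum = letters + "0123456789"

    def label(i, n, alphabet):   # deterministic stand-in for a DGA output
        return "".join(alphabet[(i * 7 + j) % len(alphabet)] for j in range(n))

    rows = [("10.0.0.5", label(i, 12, letters) + ".info", "NXDOMAIN") for i in range(6)]
    rows.append(("10.0.0.5", label(0, 12, letters) + ".info", "NOERROR"))   # resolved: must not count
    rows.append(("10.0.0.7", "gogle.com", "NXDOMAIN"))                        # typo, not a DGA
    rows.append(("10.0.0.7", label(1, 12, letters) + ".info", "NXDOMAIN"))    # one hit, under threshold
    rows += [("10.0.0.9", label(i, 16, alnum) + ".ru", "NXDOMAIN") for i in range(8)]
    conn.executemany("INSERT INTO dns_queries VALUES (?, ?, ?)", rows)


def detect(conn, rules=RULES):
    """Run every compiled rule and return sorted (family, client, nx) hits."""
    hits = []
    for rule in rules:
        hits += [(rule.family, client, nx)
                 for client, nx in conn.execute(rule.to_sql(), rule.params())]
    return sorted(hits)


def run_example():
    conn = sqlite3.connect(":memory:")
    load_sample_log(conn)
    return detect(conn)


if __name__ == "__main__":
    for family, client, nx in run_example():
        print(f"{client}: {nx} non-resolving names match {family}")
```

Two details carry the detection: the rule is evaluated only over NXDOMAIN answers, so a client that happens to resolve one name of the right shape is not counted, and the threshold is on distinct names per client, so a single typo or a lone lookup of the right length stays below it. A real rule set needs the rest of the family's shape (seed-dependent TLD rotation, fixed prefixes, length ranges), which is where a dedicated rule language earns its keep over hand-written SQL.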
Hacking a Sega Whitestar Pinball: Focussing on the audio board
A reverse engineering of a BSMT2000 DSP used on the audio circuit of an old-school pinball. An overview of the electronic design of this uncommon and discontinued machine will be presented before focussing on the peculiar conception of its sound board.