08:15am - breakfast
09:00am Opening speech Jean-Louis Roch
09:15am Detection of cryptographic algorithms with grap Léonard Benedetti, Aurélien Thierry and Julien Francq
10:00am Get the (Spider)monkey off your back Bruno Keith and Edgar Boda-Majer
10:30am - break
11:00am (Invited talk) Code Protection: Promises and Limits of Symbolic Deobfuscation Sebastien Bardin
11:45am The Making of a Secure Open Source Hardware Password Keeper Mathieu Stephan
12:15pm Attack ARM TrustZone using Rowhammer Pierre Carru
12:45pm - lunch
02:15pm The Black Art of Wireless Post-Exploitation Gabriel Ryan
03:00pm Automation Attacks at Scale Will Glazier and Mayank Dhiman
03:45pm - break
04:15pm Efficient Defenses against Adversarial Examples for Deep Neural Networks Valentina Zantedeschi, Maria-Irina Nicolae and Ambrish Rawat
04:45pm Down The Rabbit Hole: How Hackers Exploit Weak SSH Credentials To Build DDoS Botnets Christophe Tafani-Dereeper
05:15pm TSIGKILL: Bypassing dynamic DNS updates authentication through signature forgery Clément Berthaux
05:45pm Random Memories Requiem *an anonymous pwner*
06:00pm RUMP session
Closing speech
06:30pm - Cocktail
07:30pm Workshops
09:30pm CTF
11:30pm Live session Doktor Vax
06:00am Last flag submission - CTF
6:30am - The End

Our sponsors and friends Tetrane, Devoteam and ACONIT have booths all day long, go see them!

Detection of cryptographic algorithms with grap

See the talk on YouTube
Download the paper
Download the slides

The disassembled code of an executable program can be represented as a graph representing the possible sequence of instructions (Control Flow Graph). Such a graph can be used to detect and classify (cryptographic) algorithms by analyzing its structure and its semantics. This approach differs from conventional methods used, which generally rely on constant detection. /grap/ is an open-source tool able to detect graph patterns, defined by the analyst, within an executable program. It can be used for detection of cryptographic algorithms with serviceable patterns. Our presentation details this technique and its use on AES and other algorithms. We will also present a new feature of grap allowing interactive creation of patterns directly within IDA.

Léonard Benedetti is an engineering student passionate about algorithmics, machine learning, cryptography, low-level systems and other things.

Aurélien Thierry is a reverse engineer and forensics analyst at Airbus Defence & Space - CyberSecurity, primarily working on malware analysis. He previously worked on malware detection through graph matching in an academic (PhD) setting.

Julien Francq is born in 1982 at Lille. After physics and chemistry studies, he got an engineer degree from Polytech’Montpellier (Microelectronics and Control Systems) in 2006 and a Ph-D from Université Montpellier 2 in 2009 (Computer Science). He is currently the Deputy Head of ”Software Solutions Development” Team in Airbus - CyberSecurity in charge of managing a team of around 20 software developers. He is also an Airbus Group Security Expert in Cryptography and Key Management, and a Data Scientist. His main research interest is the security and the efficiency of (hardware/software) implementations of cryptosystems against (mathematical/physical) attacks and Data Science for anomaly detection.

Get the (Spider)monkey off your back

See the talk on YouTube
Download the slides

Spidermonkey is Mozilla's Javascript engine and most famously known for being used in Firefox. In this talk we aim to provide an introduction to browser exploitation by specifically targeting Firefox's Javascript engine on Linux platforms. After an introduction to some fundamentals such as the internal representation of objects, memory allocation and garbage collection, we will outline an attack methodology to achieve arbitrary code execution and do a demo of such an attack.

Bruno Keith and Edgar Boda-Majer are alumni from École nationale supérieure d'informatique et de mathématiques appliquées de Grenoble (ENSIMAG) engineering school and are conducting vulnerability research as part of phoenhex. They are also members of CTF teams Eat Sleep Pwn Repeat and KITCTF.

Code Protection: Promises and Limits of Symbolic Deobfuscation

See the talk on YouTube
Download the slides

MATE attacks aim at taking advantage of a program once access to its executable code is granted. Typical goals include stealing critical assets (e.g., cryptographic keys or proprietary code) or software tampering (e.g., bypassing security checks). Obfuscation aims at defending against such attacks by turning the initial program into a very-hard-to-understand equivalent code. Obfuscation has thus become highly important in IP protection, but also - and alas - in malware protection, leading to a arm race between obfuscation and de-obfuscation techniques. In this talk, we present how semantic analysis coming from source-level safety analysis can be adapted to the context of binary-level de-obfuscation, as well as their strengths and limitations.

Sébastien Bardin obtained a PhD in Computer Science in 2005 at ENS Cachan, France, in the field of formal methods. He joined CEA LIST, France, in 2006 as a full-time researcher, with research activities centered on program analysis and automatic software verification. For a few years now, Sébastien has been interested in automating software-level security analysis by lifting formal methods developed for the safety-critical industry. In particular, he focuses on binary-level formal methods, vulnerability detection & assessment, and malware deobfuscation. He leads the binary-level security group at CEA LIST where he is the main designer of the open-source BINSEC platform for binary-level code analysis.

The Making of a Secure Open Source Hardware Password Keeper

See the talk on YouTube
Download the slides

The Mooltipass Offline Password Keeper project was started three years ago by a small community to provide a safe and offline way of storing credentials. Since then, about 50 individuals from around the globe have contributed to the project, helping to bring two models of the Mooltipass device (and software) into the hands of open source enthusiasts and national agencies. This presentation will describe the Mooltipass hardware, firmware, and software architectures with a focus on what it took to move from an idea to a commercial security product, while having all of the development and production files publicly available on GitHub. It will also briefly review attack vectors and open source constraints, and continue on to discuss all technical choices and the details of mass production.

Mathieu Stephan is an electronics engineer who is actively involved in the open source movement, including designing products from scratch, setting up their mass production chain and distribution network. Mathieu alternates between internal and external consulting roles in very different sectors – from quantum physics, high power batteries, satellite antennas to Formula E cars. Mathieu has been a writer for Hackaday, and has a personal website full of projects and advice for getting started in electronics. He also manages the contributor-backed "Mooltipass Offline Password Keeper" project, for which 2 devices have already been crowdfunded, built and distributed around the globe.

Attack ARM TrustZone using Rowhammer

See the talk on YouTube
Download the slides

This presentation shows how the Rowhammer effect can be used to attack a TrustZone-based secure environment.
  • We make a short introduction to TrustZone, a technology specified by ARM which allows our smartphones to run Android and a Secure OS concurrently. The Secure OS runs with higher privileges, and has reduced functionalities which makes it feasible to secure. The Secure OS provides specific services such as secure key storage, Secure Boot, etc to the "Normal" OS.
  • We then present the principles of Rowhammer, a technique which allows to corrupt bits in DRAM by hammering nearby memory locations. We present the state of the art on this subject, and our finding on different plateforms.
  • Rowhammer on TrustZone: we then show that the Rowhammer effect can be used from the non-secure context to corrupt memory used by the Secure OS. As an example we demonstrate a practical attack against an RSA signature implemented in TrustZone. The faults to secure memory can be leveraged to recover private keys stored in secure memory. Thus bypassing TrustZone protections which normally prevent non-secure software from writing or reading to secure memory.

Pierre Carru is an Software / Hardware Engineer currently working as a Security Analyst at eshard. His interests include all aspects of technology from hardware details to high-level programming. He currently mostly focuses on mobile platforms security, reverse engineering tools and distributed computing.

Efficient Defenses against Adversarial Examples for Deep Neural Networks

See the talk on YouTube
Download the slides

Following the recent adoption of deep neural networks (DNN) in a wide range of application fields, adversarial attacks against these models have proven to be an indisputable threat. Adversarial samples are crafted with a deliberate intention of producing a specific response from the system. Multiple attacks and defenses have been proposed in the literature, but the lack of better understanding of sensitivity of DNNs justifies adversarial samples still being an open question. This talk proposes a new defense method based on practical observations which is easy to integrate into models and performs better than state-of-the-art defenses. The proposed solution is meant to reinforce the structure of a DNN, making its prediction more stable and less likely to be fooled by adversarial samples. The extensive experimental study proves the efficiency of our method against multiple attacks, comparing it to multiple defenses, both in white-box and black-box setups. Additionally, the implementation brings almost no overhead to the training procedure, while maintaining the prediction performance of the original model on clean samples. A live demo of creating adversarial images will take place during the talk.

Valentina Zantedeschi is currently a PhD student in Machine Learning at Lab. Hubert Curien of Saint-Etienne, under the supervision of Marc Sebban and Remi Emonet. She previously earned her Master degree in Computer Sciences from the INSA de Lyon, in 2015. Her research focuses on learning data representations using statistical methods and probabilistic models with theoretical guarantees. In particular, she works on the generalization properties of ML models in different settings, such as learning with weakly labeled data and learning of personalized models in centralized and distributed contexts.

Irina Nicolae, PhD, is currently a research scientist in the AI & Machine Learning team of IBM Research, Dublin. Her main interests include learning representations for complex data and security for deployed models. She has received her PhD from University of Saint-Etienne, France, for a research project on similarity learning with theoretical guarantees for numerical and temporal data. Previously, she has graduated from Politehnica University of Bucharest in Computer Science in 2011, and from ENSIMAG in Information Systems in 2013.

Down The Rabbit Hole: How Hackers Exploit Weak SSH Credentials To Build DDoS Botnets

See the talk on YouTube
Download the slides

DDoS attacks are one of the most prominent threats on the Internet nowadays. In this talk, we explore how hackers exploit servers with weak SSH credentials to build an army of botnets, later used to run high-volume DDoS attacks. After showcasing an experimentation where a honeypot was used to understand the attack pattern and collect relevant malware samples, we reverse engineer the Xor DDoS malware and break down its obfuscation mechanisms, the communication with its command and control server, and how it spreads in a vulnerable system.

Christophe Tafani-Dereeper is an information security enthusiast and master student at the Swiss Federal Institute of Technology (EPFL) in Lausanne. He holds a blog ( where he writes about information security, malware analysis, and linux administration.

TSIGKILL: Bypassing dynamic DNS updates authentication through signature forgery

See the talk on YouTube
Download the slides

The talk presents a feedback on performing a security audit on a well-known DNS server without knowing much about DNS. It will walk through the exploration of multiple DNS related protocols (DNSSEC, NSEC, TSIG, etc.) and their quirks, which eventually led to the discovery of a few vulnerabilities in Bind9 and KnotDNS.

Clément Berthaux is a security expert at Synacktiv where he's been performing various software audits. He has a keen interest in reverse-engineering, low-level stuffs as well as general application security.