Pass The SALT 2022

Finally! After two years, we had the chance to go to the conference on Monday to enjoy the northern sun and the talks offered by Pass The SALT. The conference divides each day into themes, so everyone can find something in their favorite field but also discover topics outside their own perimeter. A good approach and good discoveries this year!

Monday: Cryptography / OS

Mattermost End-to-End Encryption plugin

The first technical talk of this edition was about the development of an end-to-end encryption plugin for Mattermost by Adrien Guinet & Angèle Bossuat. The speakers went back over the problems they encountered, the approaches they considered and finally the solution they kept. This plugin is a real plus for communications over Mattermost and finally guarantees the encryption and authenticity of messages! The plugin can be downloaded from GitHub, along with its source code in Go, under the Apache v2 license.

CryptPad : a zero knowledge collaboration platform

This was followed by a presentation of CryptPad by Ludovic Dubost. CryptPad is a suite of online tools under the AGPLv3 license that can easily replace Google Docs, based on an online instance of OnlyOffice. On top of that there is a collaborative pad, a kanban, etc. One of the main advantages, apart from the particularly nice interface, is the use of end-to-end encryption and the possibility of using already deployed instances.
You can try it using the instances listed on https://cryptpad.org/.

Dataflow tabular charts – a presentation tool for security architects

The last presentation of this theme was given by Yves Rutschle, who explained the origin and the workings of the dtc.pl tool. This solution, besides teaching us that people are still using Perl in 2022, maps the coverage of assets as part of risk identification.
The graph approach makes it possible to quickly visualize the coverage, and the language developed for it seems useful for adapting and updating the information.

Sandboxing your application with Landlock, illustration with the p7zip case

The first talk of the OS session was about Landlock, a C++ library to limit the impact of an attacker on the system in the case of binary exploitation. Acting like SELinux, i.e. adding a rights overlay to limit access to resources, Landlock sits not at the system level but in the application itself. Mickaël Salaün then demonstrated an example by applying this library to p7zip to illustrate the ACL mechanism in action.
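Landlock is exposed by the Linux kernel as three system calls that a process uses to restrict itself before handling untrusted input, which is the mechanism illustrated with p7zip. The example below is an added illustration, not code from the talk or from p7zip: it assumes a Linux kernel with Landlock (5.13 or later) and the linux/landlock.h UAPI header, sandboxes a forked child so that it may only read beneath one directory, and reports whether opening a probe file was allowed, denied or unsupported.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __NR_landlock_create_ruleset /* libc headers older than Linux 5.13; numbers are the same on every arch */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif

/* Verdict reported by the sandboxed child through its exit status. */
enum { PROBE_ALLOWED = 0, PROBE_DENIED = 1, PROBE_UNSUPPORTED = 2, PROBE_ERROR = 3 };

/* Child side: confine this process to read-only access beneath allowed_dir, then try to
 * open probe for reading. Never returns; the exit status carries the PROBE_* verdict. */
static void sandboxed_child(const char *allowed_dir, const char *probe)
{
    struct landlock_ruleset_attr attr = { .handled_access_fs = /* rights this ruleset governs */
        LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
        LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_EXECUTE };
    int ruleset = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset < 0) /* kernel without Landlock, LSM disabled at boot, or syscall filtered */
        _exit((errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? PROBE_UNSUPPORTED : PROBE_ERROR);
    struct landlock_path_beneath_attr rule = { /* the only rule: read-only beneath allowed_dir */
        .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
        .parent_fd = open(allowed_dir, O_PATH | O_CLOEXEC) };
    if (rule.parent_fd < 0 || syscall(__NR_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &rule, 0))
        _exit(PROBE_ERROR);
    /* NO_NEW_PRIVS is mandatory: a restricted process must not regain rights through setuid binaries. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, ruleset, 0))
        _exit(PROBE_ERROR);
    if (open(probe, O_RDONLY | O_CLOEXEC) >= 0)
        _exit(PROBE_ALLOWED);
    _exit(errno == EACCES ? PROBE_DENIED : PROBE_ERROR); /* EACCES is Landlock's refusal */
}

/* Parent side: fork, sandbox only the child, return its verdict; the caller stays unrestricted. */
int sandbox_probe(const char *allowed_dir, const char *probe)
{
    pid_t pid = fork();
    if (pid == 0)
        sandboxed_child(allowed_dir, probe);
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_ERROR;
    return WEXITSTATUS(status);
}
```

Run from a real application, the same three calls would be made once at startup, before any archive bytes are parsed, so that a later memory-corruption bug in the parser cannot be turned into reads or writes outside the allowed tree.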

Building operating systems optimized for containers, from IoT to desktops and servers

To end this first day, Timothée Ravier presented the approach proposed by Fedora to limit the compromise of systems by offering pre-configured images with limited repositories to avoid certain attacks. These principles were illustrated by the Fedora IoT, Fedora CoreOS and Fedora Silverblue/Kinoite projects.


Tuesday: Network / Hardware / Reverse engineering

sslh – an application-level protocol multiplexer

This morning dedicated to the network started with the presentation of the sslh project, a multiplexer written by Yves Rutschle, who initially wanted to keep reading his mail through his SSH client despite the restrictions in place on outgoing connections. Fifteen years later, sslh supports many protocols and allows setting up a whole set of rules to bypass firewalls that are a bit too restrictive!

Write faster Suricata signatures easier with Suricata Language Server

Eric Leblond then talked about Suricata Language Server, a module that assists in writing rules by adding autocompletion to IDEs. The project is available for classic editors, Neovim, VS Code, etc. under the GNU GPL v3 license.

Building on top of Scapy: what could possibly go wrong?

To conclude the network talks, Claire Vacherot presented a tool built on top of Scapy in order to free itself from its constraints while still benefiting from its evolution. To achieve this, BOF dynamically overloads the field types and thus makes it possible to generate invalid messages to fuzz industrial protocols. BOF+Scapy is presented as a first step for the development of future tools on this topic.

Use of Machine and Deep Learning on RF Signals

After a short break to enjoy Chamonix and coffee, Sébastien Dudek presented an approach to categorizing radio signals based on machine learning and deep learning. After a reminder of the different principles that make up software-defined radio, he explained the approach through the creation of training sets and of classification rules, and presented the first results obtained.

Ethics in cyberwar times

This morning concluded with Ivan Kwiatkowski's keynote entitled Ethics in cyberwar times (or rather cyber-ethics in war times, as he himself says). This presentation opens up lines of thought on the positioning of the various stakeholders in cybersecurity and their ethics. The goal of this presentation was not to blame or praise the different actors, but to offer some reflections, notably on the following question: is it possible to remain neutral during a cyber-war?

Abusing archive-based file formats

The afternoon, dedicated to reverse engineering topics, started with archive format manipulations by Ange Albertini, who demonstrated once again, and on a new type of document, that classical 64kb block hashing methods such as MD5, SHA-1 and SHA-2 are subject to collisions. An explanation of the structure of these formats and of the behavior of their dedicated parsers revealed why these attacks are complex and how it was possible to implement them.

Binbloom reloaded

Damien Cauquil, for his part, presented the Binbloom tool, which identifies the potential entry point of an unknown firmware. Building on existing tools that brute-force address ranges or attempt offset calculations to deduce the base address, Binbloom reloaded takes up Guillaume Heilles' work by adding support for 64-bit architectures and greatly optimizing the candidate search.

GNU poke, the extensible editor for structured binary data

The break was welcome before the passionate presentation of Jose E. Marchesi, who explained how he went from a need to process binary files to the development of a complete scripting language for manipulating such entities. An impressive demonstration of GNU poke's capabilities revealed the wide range of possibilities the tool has to offer.

The Poor Man’s Obfuscator

The last presentation session before the rumps, given by Romain Thomas, presented a whole set of techniques to obfuscate applications and make life hard for reversers. From random renaming of functions to reversing sections, these techniques range from a simple increase in analysis complexity to the outright crash of dedicated tools such as IDA, Radare2, Ghidra, etc.

Wednesday: Blue team / Pentest

Sudo logs for Blue Teamers

Peter Czanik presented the evolutions and possibilities offered by syslog-ng to automatically analyze and interact with user sessions. The possibility of extension via Python scripts and the analysis of sub-commands through the interception of I/O make it possible to intervene directly in user sessions when patterns are detected in input as well as in output.

DFIR-IRIS – collaborative incident response platform

The DFIR-IRIS project, presented by Théo Letailleur and Paul Amicelli, meets a need for information sharing and collaboration between users handling incidents. Although other options already exist, such as TheHive, Catalyst, FIR or DFIRTrack, they have developed their own platform as a Python web application that simplifies repetitive tasks and provides collaborative tools.

TAPIR: Trustable Artifact Parser for Incident Response

Solal Jacob presented bin2json and TAPIR, two tools dedicated to searching for artifacts from various sources (file system, EVTX, registry, etc.). The first generates metadata and a timeline from a "classic" data source, while the second processes these files and exposes a REST API to consult and search the relevant elements.

Improve your Malware Recipes with Cyberchef

The last presentation dedicated to the blue team was a set of demonstrations of CyberChef by Xavier Mertens. CyberChef is a tool developed by GCHQ that allows chaining transformation steps on input data, something well suited to the de-obfuscation of malicious payloads. Xavier showed how CyberChef "recipes" can easily be prepared to meet this need and quickly identify interesting elements in various payloads.

MobSF for penetration testers

This was followed by the last topic of this year's Pass The SALT, the pentest part. It started with Antoine Cervoise's presentation on MobSF, a well-known tool for static and dynamic analysis of mobile applications, with this time some improvements from the speakers, who developed their own module for searching for sensitive elements in strings.

Finding Java deserialization gadgets with CodeQL

In this presentation, Hugo Vincent explained how he uses CodeQL, a static code analysis tool, to find paths between resources. This feature perfectly fits the need to identify gadget chains in order to prepare payloads used in deserialization attacks.

Dissecting NTLM EPA & building a MitM proxy

Second presentation from Synacktiv, this time presenting an interception tool for NTLM EPA, used to authenticate users via NTLM on web applications. To this end, Pierre Milioni developed prox-ez to support this mechanism and carry out penetration tests.

kdigger: A Context Discovery Tool for Kubernetes Penetration Testing

And to conclude this edition of Pass The SALT, Mahé Tardy, from Quarkslab, presented a Kubernetes environment analysis tool used in pentests to gather as much information as possible about the instance in use. His tool kdigger is available under the Apache v2 license on GitHub.


Workshops

We were lucky enough to be able to attend two of the workshops offered this year, Mi-LXC (https://github.com/flesueur/mi-lxc/) and an introduction to Proxmark. Registrations filled up very quickly, which is easily understood given the quality of the speakers and the topics covered.