GreHack-2012-Speakers Talks

De Ensiwiki
Aller à : navigation, rechercher


Conference - overview


For a detailled agenda/planning, see GreHack 2012 - planning at a glance

Invited Speakers

Note: if possible, we advise speakers to have their slides in english and to speak in french if they are sufficiently fluent in it, otherwise english + english. First formula has the advantage of permitting both audiences to follow.


Pic Speaker name Corp/Lab/Gov/Self Talk
Grehack-2012-speakers-eric freyssinet.gif Eric Freyssinet

Invited Talks

Pic Speaker Corp/Lab/Gov/Self Talk title
Grehack-2012-speakers-kostya kortchinsky.png Kostya Kortchinsky Microsoft, previously Immunity

Grehack-2012-speakers-Philipe Elbaz-­Vincent.jpg Philippe Elbaz-­Vincent

Grehack-2012-speakers-regis leveugle.jpg Regis Leveugle

Grehack-2012-speakers-dave penkler.jpg Dave Penkler HP Enterprise Services CTO Office
Grehack-2012-speakers-missing picture.png Boris Balacheff HPLabs Cloud & Security Lab

Accepted Papers & Talks

Pic Author(s) Corp/Lab/Gov/Self Paper + Talk
Grehack-2012-speakers-rikke kuiper.jpg Rikke Kuiper "p0c" Codenomicon
Grehack-2012-speakers-ari takanen.jpg Ari Takanen

Grehack-2012-speakers-mathieu renard gotohack.png Mathieu Renard "GoToHack" Sogeti-ESEC

Grehack-2012-speakers-david worth.png David Worth HighGroove Studios
Grehack-2012-speakers-justin collins.jpg Justin Collins

Grehack-2012-speakers-Olli-Pekka Niemi.jpg Olli-Pekka Niemi "0pi" Stonesoft
Grehack-2012-speakers-missing picture.png Antti Levomaki

Grehack-2012-speakers-phil.jpg Phil self

Grehack-2012-speakers-missing picture.png Yann Stephan "bswapeax" self

Grehack-2012-speakers-paul amar.jpg Paul Amar student at Grenoble INP Ensimag

Grehack-2012-speakers-Rahul Sasi.png Rahul Sasi "fb1h2s"

NOTE: this speaker did not fulfill important updates the program committee required. thus this paper will finally not be presented.

Rump sessions

At the end of the afternoon, rump sessions will take place.

Conference - detailed content

Invited Talks - bio + summary

Eric Freyssinet - Botnets: from observation to investigation

Botnets: from observation to investigation

Botnets constitute one of the main online criminal infrastructure. The economy behind it is booming, but investigations and takedowns are not very successful. Knowing them better is part of the walk towards fighting them better.

Eric Freyssinet

Grehack-2012-speakers-eric freyssinet.gif

Kostya Kortchinsky - 10 years later, which vulnerabilities still matter?

talk will probably be remotely presented

10 years later, which vulnerabilities still matter?

All vulnerabilities are not created equal. While some will manage to achieve their life's purpose either by themselves or with some help, some others will die useless and forgotten. What makes a vulnerability a useful vulnerability? This paradigm has dramatically evolved during the last 10 years, as the OS and software vendors have struggled to better their craft. Compiler enhancements, OS mitigations have rendered nonpractical whole families of vulnerabilities, and decimated the population.

We will attempt to provide an answer to that question by walking through vulnerability classes, actual vulnerabilities, and mitigations that have punctuated the last decade, how they interact and how the fittest have survived. Some special attention will be given to Windows 8 and Visual Studio 2012 as they now are the main challenge in the natural selection process.

Kostya Kortchinsky

Grehack-2012-speakers-kostya kortchinsky.png

Kostya currently works at Microsoft, Redmond, after having spent six years finding vulnerabilities and writing exploit at Immunity, Miami. Prior to that he worked at EADS and managed the French academic CERT at RENATER. Kostya has been reverse-engineering software since the mid-90s, has published numerous vulnerabilities, and spoken at major security conferences. In the past, he demonstrated a VMware escape (CLOUDBURST) at Black-Hat USA 2009, and was the first to publicly exploit some vulnerabilities believed to be unexploitable - MS08-001 (IGMPv3), MS09-050 (SMBv2).

Kostya Kortchinksy holds a MSc from the Ensimag - Applied Mathematics and Computer Science Engineering School in Grenoble.

Philippe Elbaz-­Vincent - Attacks on the randomness of Random Number Generators (RNG)

Attacks on the randomness of Random Number Generators (RNG)

RNGs are a critical component of cryptographic devices, either hardware or software. Perturbations, implementation or design errors in RNGs can lead to failure in the security components and can be exploited by attackers. Measuring the randomness of given parameters and the behavior under perturbations are important problems raised by cryptography. We will illustrate technics to evaluate the randomness of such RNG, especially when injecting fault.

Philippe Elbaz-­Vincent

Grehack-2012-speakers-Philipe Elbaz-­Vincent.jpg Philippe Elbaz-Vincent is a Professor at Université Joseph Fourier, Grenoble. He is in charge of the MSc SCCI (Security, Cryptology, and Coding of Information systems), a joint formation with Ensimag.

He is also in charge of the MSc SAFE (Securité, Audit et Forensic pour l'Entreprise) which focus on defensive and offensive security.

His specialties includes:

  • cryptology
  • performance of cryptographic primitives
  • analysis of random number generators for cryptographic use.

He is one of the co-organizer of the cryptology and security seminar of Grenoble.

Regis Leveugle - Attacks on secure hardware: basics and examples

Attacks on secure hardware: basics and examples

This talk presents the main types of attacks (passive or active) exploiting hardware characteristics or sensitivity to break the security of smart cards or embedded systems. After a brief presentation of the general context, the means used to perform circuit-level attacks are reviewed, with a special emphasis on cryptoprocessors. Examples of attacks are shown on typical cryptographic algorithms (DES, AES, RSA, ECC ...). The impact of the implementation technology (ASIC or FPGA) is also discussed.

Regis Leveugle

Grehack-2012-speakers-regis leveugle.jpg

Régis LEVEUGLE is Professor at Grenoble Institute of Technology and associate director of TIMA laboratory. He leads a team specialized in the design of robust integrated systems subject to natural disturbances (particles, electromagnetic fileds, ...) or malicious attacks. His main interests are computer architecture, VLSI design methods and CAD tools, fault-tolerant architectures, concurrent checking and dependability analysis.

Dave Penkler & Boris Balacheff - Cloud, security and the mobile enterprise: An end-to-end manageability challenge

Cloud, security and the mobile enterprise: An end-to-end manageability challenge

The current revolution in how we relate to computing as individuals, businesses, or societies, is creating tensions that clearly had not been anticipated in the design of the computing and information systems that are in use today. End-users have developed a preference to choose their devices and are attached to their freedom of using them as they wish. As the personal use increases users are less and less accepting of traditional IT controls and administrative barriers. Businesses are under pressure to let employees ‘bring your own device’, and they are increasingly eager to adopt computing as-a-service in order to lower their operational IT costs and support user mobility. However CIO's and IT administrators must still be able to dictate and manage the enterprise IT footprint on the personal devices in order to comply with corporate policy. This talk will discuss the tensions that arise at the intersection of personal and business computing, and how security and risk management issues take a new dimension as we look for solutions to the end-to-end manageability challenge that must be overcome in order to satisfy all parties with next generation computing systems.

Boris Balacheff

Grehack-2012-speakers-missing picture.png

Boris Balacheff is a senior researcher at HP Labs in the field of computer security, specializing in the areas of trusted computing and infrastructure security technologies, and their application to cloud and mobility in the next generation enterprise. He sits on the Board of Directors of the Trusted Computing Group (TCG) and co-chairs its Certification Program Committee. Boris also works with many product divisions to help drive security technology strategy.

Boris’s research has ranged from cryptographic algorithms and protocols to networking and computer security. He developed an expertise in smartcard technology and was the Technical Committee representative for HP on the PC/SC specification working group. He is one of the early contributors to the invention of Trusted Computing technology, and he co-authored the HPLabs’ book on this topic. He also served on the Technical Committee of the Trusted Computing Platform Alliance (TCPA) during the development of its early specifications. Boris Balacheff joined HP Labs in 1997 with a French “Diplôme d’Ingénieur” degree in applied mathematics and computer science.

Dave Penkler

Grehack-2012-speakers-dave penkler.jpg

Dave Penkler joined HP in 1979 as a systems engineer in South Africa working on real-time data acquisition and control systems in many areas including mining engineering, physics, mechanical systems and communications. In 1986, he moved to Grenoble, France as a network consultant designing packet switched networks and implementing OSI communication protocols. From 1990 to 1996, he was responsible for advanced research in telecommunications networks and developed technologies for computer based intelligent network and voice processing platforms. From 1997 to 1999, he managed research projects in distributed computing, signal processing and mobile communication services. Subsequently he spent four years at Sun Microsystems developing highly available distributed systems software technology for the telecommunications. Dave is currently chief technologist of HP OpenCall and is responsible for shaping the technology strategy and architecture. He is an HP fellow and holds a B.Sc. in Mathematics and Computer Science from the University of the Witwatersrand, South Africa. He is a member of ETSI, the IEEE and the Service Availability Forum.

Accepted Papers & Talks - bio + summary

Rikke Kuipers & Ari Takanen - Fuzzing Embedded Devices

Rikke Kuipers

Grehack-2012-speakers-rikke kuiper.jpg

Rikke is a security specialist, has a network engineering background at several ISPs and the public broadcasting platform in the Netherlands. After his move to Northen Finland he started working at Codenomicon, performing audits and security research. Besides his main focus on fuzzing (network)protocols he has a huge interest in web application hacking and information security in general. Ongoing projects are the development of an automated web auditing framework and tools, research on DVB fuzzing and writing whitepapers on various topics.

Ari Takanen

Grehack-2012-speakers-ari takanen.jpg

Ari Takanen is the founder and CTO of Codenomicon, has been active in the field of software security research since 1998 focusing on information security issues in next-generation networks and security critical environments. In his work he aims to ensure that new technologies gain public trust by providing means of measuring and solidifying the quality of networked software. Ari Takanen is one of the people behind the PROTOS research project, which studied information security and reliability errors in e.g. WAP, SNMP, LDAP, VoIP implementations. Ari is the author of several papers on security, and is a frequent speaker at security and testing conferences, leading universities and international corporations. He is also the author of two books on VoIP security and security testing.

Fuzzing Embedded Devices

This talk focuses on the increased connectivity of electronic devices commonly found in offices and homes. These devices are converging to a point where they deliver similar base functionalities and services. This often means more specialized hardware and integration of network protocols to enable universal communication. Internet connectivity exposes these devices traditionally situated in a closed environment now to the whole world, meaning exposure to threats from internal and external networks. This requires a new look on the security of these devices. A device is now expected to perform more functions than just its original purpose. For example, for years phones were primarily used for voice communication using the GSM standard. A common smartphone these days can be thought of as hand-held computer integrated with a mobile telephone, capable of displaying movies, pictures, browsing the Internet and staying up-to date on social networks using a wide variety of protocols. Growth in demand for advanced mobile devices boasting powerful processors, abundant memory, larger screens, and open operating systems has overtaken the rest of the mobile phone market. The same shift has now moved to the TV world. Vendors are developing their own platforms for Internet-enabled TVs, designed to connect directly to the Web. These devices are capable of displaying dynamic content from the web, browsing the Internet and accessing social media through the numerous widgets available. Standard functions usually also include playback of movies, pictures and music from various sources such as USB sticks or SD-cards. All these inputs combined define the attack surface for the TV. Fuzzing enables us to stress all this freshly exposed attack surface to test its security and robustness. It is designed to simulate real-world hacking attempts against devices by creating and sending malformed and unexpected messages (anomalies) with the intention to disrupt services. Fuzzing finds vulnerabilities which can potentially be exploited. Malformed, anomalous input such as field overflows / underflows could expose vulnerabilities in software which can then be patched before deployment. The talk will demonstrate how to use fuzzers to find flaws in your software, using most recent TVs (2012 models). This in the hope of a wider adoption of fuzzing in general, and thus improving product quality and security.

Mathieu Renard - Practical iOS Apps hacking

Mathieu Renard GoToHack

Grehack-2012-speakers-mathieu renard gotohack.png

@GoToHack Mathieu Renard "GoToHack" is a Senior Penetration tester, working for a French company (SOGETI-ESEC) where is leading the penetration test team. His research areas focus in Web Application Security, Embedded Systems, Hardware hacking and recently Mobile device Security. Since last year, he has focused is work (security assessments) and his research on professional iOS applications and their supporting architecture where data security is paramount.

Practical iOS Apps hacking

This talk demonstrates how professional applications like, Mobile Device Management (MDM) Client, Confidential contents manager (Sandbox), professional media players and other applications handling sensitive data are attacked and sometimes easily breached. This talk is designed to demonstrate many of the techniques attackers use to manipulate iOS applications in order to extract confidential data from the device. In this talk, the audience will see examples of the worst practices we are dealing with every day when pentesting iOS applications and learn how to mitigate the risks and avoid common mistakes that leave applications exposed. Attendees will gain a basic understanding of how these attacks are executed, and many examples and demonstrations of how to code more securely in ways that won't leave applications exposed to such attacks. This talk will focus especially on the following features:

  • Secure Data Storage
  • Secure Password Storage
  • Secure communication
  • Jailbreak detection
  • Defensive tricks

David Worth & Justin Collins - Leveraging Convention over Configuration for Static Analysis in Dynamic Languages

David Worth

Grehack-2012-speakers-david worth.png

While racing road bikes with the pros does take up plenty of his weekends, David still finds time to keep up with his hobbies including computer security, homebrewed beer, mathematics, and occasional culinary extravaganzas.

In his prior lives he has worked in research mathematics, high performance computing, network engineering, healthcare management as a programmer, and even as a bicycle mechanic.

David has a MSc in Pure Mathematics from The University of New Mexico where he studied Geometric Measure Theory while researching applications of fractal geometry to image processing and automated pathology problems.

Justin Collins

Grehack-2012-speakers-justin collins.jpg

Justin has is an MSc graduate from the Seattle University and a PhD student at the University of California where he still is .. possibly forever! He has been working at Klir Technologies, AT&T Interactive, and is now at Twitter. He also did other stuff in between.

He enjoys writing programs, shooting arrows, and hanging out with his wife.

His first computer was a TRS-80 Model 100 his uncle gave him at ~11. Model 100 BASIC was an introduction to programming. When it was time to go to college, he just looked up what major included "programming" and went for it. When it was time to graduate with a BS in CS, he decided he was not done yet so he went off to get a graduate degree in CS.

Leveraging Convention over Configuration for Static Analysis in Dynamic Languages

Static analysis in dynamic languages is a well known difficult problem in computer science, with a great deal of emphasis being put on type inference. The problem is so difficult that Holkner and Harland’s paper on static analysis in Python opens immediately with, “The Python programming language is typical among dynamic languages in that programs written in it are not susceptible to static analysis.” Dynamic languages such as Ruby provide impressive programming power thanks to expressive language constructs and flexible typing. Ruby, in particular, is strongly leveraged in the web development ecosystems thanks to well known and supported frameworks such as Ruby on Rails and Sinatra. Web application security is a particularly difficult area for a number of reasons including, the low-barrier to entry for new developers combined with the high-demand for their services, the increasing complexity of the web-based ecosystem, and the traditional languages and frameworks for web-development not adopting a strong defensive stance as their default. Ruby on Rails adopts the “convention over configuration” policy aimed at aiding developers of all levels in building robust web applications with a minimum of configuration. The goal is for the framework to simply “do the right thing” by default, and more sophisticated features and technologies are to be explicitly applied by develop- ers with those more advanced requirements and understanding. Much of the power in the Ruby on Rails framework stems from careful use of “magic” functions: dynamically generated functions using Ruby’s powerful metaprogramming structures. As a side effect, many of the methods called by developers are not available to a static analysis tool by simply examining the code on disk. We are able to leverage the consistency of the language and framework to perform static analysis on Ruby on Rails applications, and reason about their attack surface. This is done by analyzing the abstract syntax tree, and sometimes the configuration (generally simply library versions) of the program itself and by comparing it to a pre-compiled library of known security issues exposed by the Ruby on Rails framework.

Olli-Pekka Niemi & Antti Levomaki - Bypassing Intrusion Prevention Systems

Olli-Pekka Niemi

Grehack-2012-speakers-Olli-Pekka Niemi.jpg

Olli-Pekka Niemi has been working in the area of Internet security since 1996. He has been doing offensive security as a penetration tester and defensive security as system administrator. Since December 2000, he's been working for Stonesoft R&D developing intrusion prevention systems. He's currently heading Stonesoft's Vulnerability Analysis Group (VAG). His main R&D interests are among analyzing network based threats as well as evasion research. In his free time the family comes first, but he also enjoys fishing, horseback riding and keyboard playing whenever possible.

Antti Levomaki

Grehack-2012-speakers-missing picture.png

Antti Levomäki has been working at Stonesoft R&D since 2004. His main tasks include the analysis of network based attacks and attack methods as well as the writing of attack and application detection signatures for the StoneGate Network Security Products. Antti's research interests include evasion techniques and he's got special expertise in writing of low level packet handling code. Mr. Levomäki holds a Master Of Computer Science degree from the University of Helsinki.

Bypassing Intrusion Prevention Systems

This paper highlights a serious security problem that people believe has been fixed, but which is still very much existing and evolving, namely evasions. We describe how protocols can still be misused to fool network security devices, such as intrusion prevention systems.

Phil - Cryptage audiovisuel ou #FAIL systématique?



Phil is a computer freak escape from the 90's GOT (God Old Time) and gets fun playing with software protection or hardware security. He belonged to several Atari ST's bands with the role of 0dayz games cracker. Anonymously co-writer of a paper published in Phrack magazine #48 giving to the scene a working implementation of a fake phone-card (fake phone card - part I ; fake phone card - part II) , Phil was caught by Swedish's police in Sweden but released free of charge. This event marked a stop in his public activities ... but we all known how to keep the fun going: he then joined an underground team working on breaking audiovisual broadcast systems, without public release of sensitives information. Nowadays, Phil is working as system administrator, and has been the project manager of an open-source network security tool for the french administration for the last 5 years.

Cryptage audiovisuel ou #FAIL systématique?

Ce document présente plusieurs systèmes de cryptages audiovisuels mis en place en France au fil des années. Sont détaillés leurs fonctionnements, les démarches utilisées par les attaquants pour "casser les cryptages" ainsi que les contre-mesures élaborées par les diffuseurs.

Yann Stephan "bswapeax" - Managed Code with Licensing does not mean all the time: Software Protection

Yann Stephan "bswapeax"

Grehack-2012-speakers-missing picture.png

bswapeax is an old lover of assembly language, it's nearly his native tongue and loves to do reverse engineering when a problem occurs on its systems. He worked on BIOS (firmware) and its security for more than 10 years and then moved to the telecom business. Always ready to reverse some funny stuff, he knows a lot on reverse engineering and debugging technics... and a lot stuff done that cannot be disclosed :)

Managed Code with Licensing does not mean all the time: Software Protection

This talk focuses on the reverse engineering and especially on managed code (C#) and explains how a protection can be removed without problem due to bad design even if you use security proofed concept such as encryption. Thanks to examples, we will demonstrate a reverse engineering process, a live patch and reuse of a patched version in order to remove software protections. We highlight that a manage code can be consider as a regular assembly language code... we go through the MSLI internals and explain how a manage code binary is organized and how to enforce its protection.

Paul Amar - Home Internet Routers for Fun & Profit

Paul Amar

Grehack-2012-speakers-paul amar.jpg

Paul is a BSc graduate in Computer Science. He is currently an MSc student at Ensimag, a french Computer Science engineering school at Grenoble. He is passionate about information security, pentesting and especially web vulnerabilities. He works as a R&D Engineer at BonitaSoft.

Home Internet Routers for Fun & Profit

The author found several vulnerabilities on home Internet routers. Several realistic attack scenarios that can impact individuals and small companies networks will be described and Proof-of-Concepts exploitation of those vulnerabilities will be showed. All shown vulnerabilities have been already reported to french CERT.

Rahul Sasi "fb1h2s" - DTMF Fuzzing

NOTE: this speaker did not fulfill important updates the program committee required. thus this paper will finally not be presented.

Rahul Sasi "fb1h2s"

Grehack-2012-speakers-Rahul Sasi.png

Rahul (fb1h2s) is as a researcher at iSIGHT partners. He has responsibly disclosed vulnerabilities/Bugs to several IT giants, authored articles and Security Tools. His talks were accepted at several conferences: Cocon, Nullcon, Ekoparty (AR), HITB (EU), BlackHat Arsenal (US), Ruxcon (AU) and BlackHat (EU). His work can be found at

DTMF Fuzzing

Our paper deals with systems that process DTMF as inputs. Such systems are often embedded in PBX, IVR, Telephone routers... PBX and IVR servers are often deployed for running Phone Banking App Servers, Call Center Application and other systems that uses phone to interact with them. If an attacker could trigger exception in DTMF processing algorithms, then they could crash the entire application server making a single phone call, causing the entire Phone banking in accessible, or no calls to the costumer service would go through. The impact of such a Denial of Service can be important. We will be demonstrating several amusing remote DTMF attacks on Phone Banking, Tele-Voting, and Customer Support applications using DTMF. This talk is recommended for Pentesters, PCI|DSS consultants, Telephone Companies, Banks or anyone who uses a device interacted via Telephone.