Thursday April 10th 2025
Advanced Android Archaeology: Battling Bloated Complexity
Android has become a ubiquitous platform for running mobile apps, granting different actors access to vast amounts of private data. The growing complexity of the Android ecosystem introduces significant security challenges. In this talk, we will explore multiple layers of Android security: examining the foundational virtualization layers, stress-testing trusted applications, and assessing the impact of recent user-space mitigations. Through the lens of system security, we uncover vulnerabilities even in the most trusted layers. Trusted applications are susceptible to type confusion, while regular apps may face risks such as heap corruption attacks. Join us on this journey to enhance mobile ecosystem security through fuzzing, improved standards, and safer defaults.
Mathias Payer is an associate professor at EPFL, leading the HexHive group. His research centers on strengthening software and system security in the presence of vulnerabilities. His broader interests include fuzzing and sanitization to uncover and address flaws, developing effective mitigations to protect against the exploitation of unknown or unpatched bugs, and employing fault isolation to enforce privilege separation.
Mathias joined EPFL in 2018 where he founded the Polygl0ts CTF team. Previously, he was an assistant professor at Purdue University, a PostDoc at UC Berkeley, and a PhD student at ETH Zurich.
Mathias Payer 🎙️ (EPFL, Switzerland)
PhaseSCA: Exploiting Phase-Modulated Emanations in Side Channels
In recent years, the limits of electromagnetic side-channel attacks have been significantly expanded. However, while there is a growing literature on increasing attack distance or performance, the discovery of new phenomena concerning compromising electromagnetic emanations remains limited.
In this talk, we identify a novel form of modulation produced by unintentional electromagnetic emanations: phase-modulated emanations. This observation allows us to extract a side-channel leakage that can be exploited to reveal secret cryptographic material. We introduce a technique allowing us to exploit this side-channel in order to perform a full AES key recovery, using cheap and common hardware equipment like a software-defined radio.
Moreover, we demonstrate that the exploitation of this new phase leakage can be combined with traditional amplitude leakage to significantly increase attack performance. Creating a bridge between prior works from various research fields, we unveil the relationship between digital jitter and signal phase shift in the context of side-channel attacks.
Pierre Ayoub (Eurecom) 🎙️ , Aurélien Hernandez (Eurecom) 🎙️ , Romain Cayre (Eurecom/LAAS-CNRS), Aurélien Francillon (Eurecom) and Clémentine Maurice (University of Lille, INRIA)
DID U misbehave? A new Dataset for In-depth Understanding of Inconspicuous Software
Living-Off-The-Land attacks involve exploiting pre-installed genuine and trusted software for malicious purposes. The various methods available for detecting these attacks often rely on an in-depth understanding of the software components that attackers could abuse. This hypothesis is unrealistic today given the number of software components installed on a system and the number of options available for each software component. We present in this article an open access dataset built from the deep analysis performed by security experts of 912 options from 23 different Linux command-line software programs. The associated manual documentation section of these command options has been labelled according to one of 12 possible behaviour classes from our consolidated taxonomy. Our contributions represent an important step toward understanding system-wide software execution as combinations and chains of individual behaviours regardless of the underlying software.
Antonin Verdier (UT, IRIT) 🎙️ , Romain Laborde (UT, IRIT), Abir Laraba (UT, IRIT) and Abdelmalek Benzekri (UT, IRIT)
Manipulation techniques used in social engineering
This presentation looks at how social engineering attacks trick people, focusing on the sneaky tactics used. We've studied these tricks, sorting them into categories based on how our minds work, drawing from social psychology. We found around 40 different ways attackers manipulate people, showing how they're used in real phishing scams and how they affect our choices. We also explore how these tricks play on our natural biases, making us more vulnerable. Ultimately, we emphasize that understanding these psychological tricks is key to protecting ourselves and building stronger defenses against these sneaky attacks. By understanding how our minds can be manipulated, we can better protect ourselves.
Antony Dalmiere (LAAS-CNRS) 🎙️ , Pascal Marchand (UT, LERASS), Guillaume Auriol (INSA/LAAS-CNRS) and Vincent Nicomette (INSA/LAAS-CNRS)
One for all and all for WHAD: wireless shenanigans made easy !
A lot of security research has recently focused on various wireless communication protocols, targeting smartphones, wireless mice and keyboards, and even cars. In order to demonstrate these attacks, researchers developed dedicated tools, most of which include specialized firmware of their own but also rely on various unique, custom host/device communication protocols. These tools work great but are strongly tied to specific hardware that at some point will no longer be available, or that requires hackers to buy more hardware to keep having fun. Why not make these tools compatible with more hardware? And why do researchers always have to create their own host/device protocol when it comes to using dedicated hardware? Why not have one flexible protocol and related tools to rule them all? In this talk we will present WHAD, a framework that provides an extensible host/device communication protocol, dedicated protocol stacks and much more for hackers who love having fun with wireless protocols. WHAD makes interoperability between tools possible by allowing different hardware devices to be used as long as they provide the required capabilities, giving the opportunity to create advanced tools without having to care about the hardware and its firmware in most cases!
Damien Cauquil is a security engineer at Quarkslab, France. He loves electronics, embedded devices, wireless protocols and hacking all of these, not necessarily in that order. He authored several Bluetooth Low Energy tools like Btlejuice and Btlejack, discovered a way to hack into an existing Bluetooth Low Energy connection (later improved by his co-speaker Romain Cayre), and wrote other tools on many different topics that tickle his mind but are not always related to security or wireless protocols.
Romain Cayre is an assistant professor in the Software and System Security (S3) group at EURECOM, France. He works on topics related to wireless security, IoT security and embedded systems security. He loves hacking embedded wireless stacks and playing with wireless protocols. In the past, he worked on several research projects related to wireless hacking, like WazaBee (a cross-protocol pivoting attack allowing arbitrary 802.15.4 packets to be received and transmitted from a diverted BLE transceiver), InjectaBLE (an attack allowing arbitrary packets to be injected into an ongoing Bluetooth Low Energy connection by leveraging a race condition in the Link Layer clock drift compensation mechanism), and OASIS (a defensive framework allowing an embedded detection software to be generated and injected into Bluetooth Low Energy controllers). He is also the main developer of Mirage, an offensive framework for wireless communication protocols (and a draft of the new WHAD framework!).
Damien Cauquil (Quarkslab), Romain Cayre (INSA, LAAS-CNRS) 🎙️
DoS Attacks exploiting Bluetooth Mesh routing protocol
Bluetooth Mesh is a recent wireless communication protocol that enables many-to-many communication, allowing devices to form a network through a mesh topology. At the heart of the protocol lies message relaying, with the Directed Forwarding routing mechanism recently introduced to Bluetooth Mesh to efficiently relay messages across the network.
In this talk, we present a security assessment of the Directed Forwarding mechanism and show that an attacker within the network can leverage that feature to perform Denial of Service attacks and network reconnaissance. We will first present a technical overview of Bluetooth Mesh and Directed Forwarding. We will then present the vulnerabilities found and how to leverage them. This talk will also feature demonstrations of the attacks presented using the WHAD framework targeting a Bluetooth Mesh network.
Elies Tali (LAAS-CNRS) 🎙️ , Vincent Nicomette (INSA, LAAS-CNRS), Romain Cayre (INSA, LAAS-CNRS) and Guillaume Auriol (INSA, LAAS-CNRS)
Tapping into the SCCM policies goldmine: exploiting SCCM policies distribution for credentials harvesting
SCCM policies are a prime target for attackers in Active Directory environments as they may expose - intentionally or otherwise - sensitive technical information such as account credentials. Said credentials could be retrieved by authenticated attackers impersonating a registered device, or in some cases from an unauthenticated position by exploiting misconfigurations on policies distribution.
After a quick reminder regarding SCCM (now MECM) environments, this presentation will go over the various attack vectors targeting policies distribution, and will feature concrete demonstrations using a tool devised from this research, SCCMSecrets.py. It will also explain how to execute these attacks via NTLM relaying thanks to a pull request that was submitted and merged into impacket's ntlmrelayx tool.
Quentin Roland (Synacktiv) 🎙️
Friday April 11th 2025
Supply chain security in Kubernetes
In recent years, there has been an explosion of attacks directed at microservice-based platforms, a trend that closely follows the massive shift of the digital industries towards these environments. The management and operation of container-based microservices heavily rely on automation, leveraging container orchestration engines such as Kubernetes. This talk will explore how supply-chain attacks can propagate from a single compromised container or endpoint to an entire Kubernetes cluster. We will begin by showcasing how vulnerabilities can be concealed within container images through malicious compliance of Software Bills of Materials (SBOM). Next, we will illustrate how attackers can exploit this foothold to infiltrate and compromise the broader Kubernetes cluster. We will then present advanced techniques for analyzing and strengthening the security posture of Kubernetes deployments. Key areas include securing the full supply chain, from container configurations to Kubernetes setups, detecting vulnerabilities and misconfigurations, monitoring the system for real-time threats and attacks, and implementing mitigation strategies to safeguard microservice ecosystems.
Agathe Blaise is currently a research engineer at Thales (Gennevilliers, France). She received her engineering degree in computer science from ISEN (Lille, France) in 2017, and the Ph.D. degree in Computer Science from LIP6, Sorbonne University (Paris, France) in 2020. Her research interests focus on data analysis applied to network security (intrusion detection system, anomaly detection and botnet detection), cloud computing security, data dissemination management, and quantum networks.
Jacopo Bufalino is a researcher at CNAM (Paris, France) and a doctoral candidate at Aalto University (Espoo, Finland). Previously, he worked for several years in DevOps and DevSecOps. His research interests include cloud network security, container security, and software supply chain security.
Agathe Blaise (Thales), Jacopo Bufalino (CNAM) 🎙️
An explainable-by-design ensemble learning system to detect unknown network attacks
Machine learning is a promising technology for enhancing network intrusion detection systems. However, we observe that results can vary significantly across different models. Determining which result is true is difficult because models are often used as “black boxes”.
Thus, we propose an explainable-by-design system that reconstructs attack patterns from the outputs of multiple unsupervised learning models, making them comprehensible to security analysts. Each component of our system is rigorously evaluated on the CSE-CIC-IDS2018 dataset, to verify the relevance of our approach and validate the system.
Céline Minh (LAAS-CNRS, Custocy) 🎙️ , Kevin Vermeulen (LAAS-CNRS), Cédric Lefebvre (Custocy), Philippe Owezarski (LAAS-CNRS) and William Ritchie (Custocy)
CVE representation to build attack positions graphs
In cybersecurity, CVEs (Common Vulnerabilities and Exposures) are publicly disclosed hardware or software vulnerabilities. These vulnerabilities are documented and listed in the NVD database maintained by the NIST. Knowledge of the CVEs impacting an information system provides a measure of its level of security.
This article points out that these vulnerabilities should be described in greater detail to understand how they could be chained together in a complete attack scenario. Our work presents the first proposal for the CAPG format, which is a method for representing a CVE vulnerability, a corresponding exploit, and associated attack positions.
Manuel Poisson (Amosys, CentraleSupelec) 🎙️ , Valérie Viet Triem Tong (CentraleSupelec), Gilles Guette (IMT-Atlantique), Frédéric Guihéry (Amosys) and Damien Crémilleux (Amosys)
FlowChronicle: Synthetic Network Flow Generation through Pattern Set Mining
Network traffic datasets are regularly criticized. Generating synthetic network traffic using generative machine learning techniques is a recent area of research that could complement experimental test beds and help assess the efficiency of network security tools such as network intrusion detection systems. Most methods generating synthetic network flows disregard the temporal dependencies between them, leading to unrealistic traffic.
To address this issue, we introduce FlowChronicle, a novel synthetic network flow generation tool that relies on pattern mining and statistical models to preserve temporal dependencies. We demonstrate the capability of FlowChronicle to achieve high-quality generation while significantly outperforming the other methods in preserving temporal dependencies between flows. Besides, in contrast to deep learning methods, the patterns identified by FlowChronicle are explainable, and experts can verify their soundness.
Pierre-François Gimenez (INRIA) 🎙️ , Joscha Cüppers (CISPA), Adrien Schoen (Inria) and Grégory Blanc (Télécom SudParis)
NetGlyph: Representation Learning to generate Network Traffic with Transformers
NetGlyphizer is a novel generative AI approach for generating realistic network traffic. By optimizing tokenization and the latent space architecture, and by introducing a transformer model to generate meaningful traffic flows, we improve the fidelity of synthetic traffic output. This innovative approach bridges raw network data with advanced generative modeling for realistic traffic simulation.
Gabin Noblet (LAAS-CNRS, Custocy) 🎙️ , Cédric Lefebvre (Custocy), Philippe Owezarski (LAAS-CNRS) and William Ritchie (Custocy)
Public SMS Services: receive the message, expose the data
This research investigates the security and privacy implications of Public SMS Services (PSSs), which provide shared virtual phone numbers for receiving SMS messages without access control.
The study highlights how the use of PSSs to register on web/mobile applications can lead to serious security and privacy concerns, including data exposure and account compromise. The findings emphasize how PSSs can be leveraged for OSINT, CTI and offensive security, and how related security risks can be mitigated.
Clément Bonnet (Meysys) 🎙️
Deep dive in Laravel encryption security
Laravel is an open-source web framework based on PHP, designed to develop web applications in a structured manner. It provides features such as database management, authentication and migrations, facilitating development. Laravel is one of the most used PHP frameworks in the world. During an audit, we identified a feature used to validate data integrity by using the function decrypt from Illuminate\Encryption. After leaking the APP_KEY of the application, we were able to decrypt some data and found out that the manipulated data was serialized.
An attacker in possession of an APP_KEY will, in some cases, be able to get a pre-authenticated RCE. Furthermore, another aggravating factor is bad practices from developers: Laravel won't regenerate an APP_KEY when a project is started, so if developers copied and pasted a .env file, the APP_KEY will be the same. This presentation will aim to show how to exploit such vulnerabilities, as well as how badly sensitive secrets such as the APP_KEY can be managed.
Rémi Matasse (Synacktiv) 🎙️ and Mickael Benassoulii (Synacktiv) 🎙️
Software Bill of Materials: Vulnerability tracking of offline systems using SBOM
This talk aims to demonstrate how SBOMs can be useful in the context of monitoring project vulnerabilities. Starting from an internal proof-of-concept solution which did not include all component sources and required tedious manual actions with online interactions, we show how the use of SBOMs accompanied by a vulnerability monitoring tool allows us to automate this task offline and obtain a map of the different vulnerabilities of a project at a given moment.
Benoît Guillon (Viveris) 🎙️ and Frédéric Canaud (Viveris) 🎙️
Product security in a low-maturity environment
The presentation is built around a field experience on the deployment of a product security approach. Our aim is to share the lessons learned with the community of security practitioners, to help people design and implement product security governance processes and to highlight the stakes of these activities.
Christian Belin 🎙️