Tuesday May 5th 2026
Backdoors in your smartphones? Why? How? Not?
As smartphones become increasingly secure and end-to-end encryption is now widely used, governments and law enforcement face growing challenges in accessing digital evidence. In response, new technical and legal mechanisms have been proposed, such as client-side scanning and lawful access frameworks. On the legal side, European initiatives such as ChatControl are pushing for massive scanning of exchanged content using perceptual hashing. On the French side, the narcotraffic law attempted to mandate backdoors in chat applications, while an article in the (still under discussion) resilience law tries to make backdoors illegal. But can secure systems remain secure while still guaranteeing exceptional access? This talk examines what "backdoors" really mean from a systems and protocols perspective, and discusses concrete technical proposals. It highlights scientific results and real-world examples that expose fundamental limitations and unintended consequences of some of these approaches.
Aurélien Francillon is a professor in the Systems and Software Security group at EURECOM (France); he earned his PhD in 2009. He specializes in embedded system security, addressing topics such as security testing, reverse engineering, and wireless security. He has authored approximately 70 international publications, supervised over 15 doctoral students, and received awards such as a USENIX Distinguished Paper Award, the NDSS 2024 Test of Time Award and the Google Faculty Research Award. He has also served as (co-)chair for ACM WiSec and USENIX WOOT, and is actively involved in national initiatives like the GDR and PEPR.
Aurelien Francillon (Eurecom) 🎙️
Key Recovery from Side-Channel Power Analysis Attacks on Non-SIMD HQC Decryption
HQC is a code-based cryptosystem that has recently been selected for standardization by NIST. In this work, we present two power side-channel attacks on the implementation of HQC intended for production, with SIMD support disabled. The first attack allows a theoretical full key recovery on each tested ISA; the second, more direct one succeeds in retrieving the key in an experimental setup with a 99% success rate from 83 executions of the same legitimate decryption.
Nathan Maillet (EDF R&D, LAAS-CNRS) 🎙️, Cyrius Nugier (ENAC), Vincent Migliore (INSA Toulouse/LAAS-CNRS) and Jean-Christophe Deneuville (ENAC)
Experimental study of the security of WirelessHART
Industrial sensor networks like WirelessHART must meet strict reliability and security requirements, yet practical security assessments remain insufficient due to the lack of dedicated tools. This paper presents our experience evaluating WirelessHART security on a realistic Dust network. By extending the WHAD framework with a custom sniffer capable of packet injection, we practically demonstrate state-of-the-art attacks and identify a desynchronization vulnerability. We detail the threat model and the design of the primitives required to execute these attacks in real-world industrial settings, and then propose countermeasures to the identified vulnerabilities.
Kais Sellami (INSA Toulouse/LAAS-CNRS) 🎙️, Romain Cayre (INSA Toulouse/LAAS-CNRS), Elies Tali (LAAS-CNRS), Pierre Ayoub (LAAS-CNRS), Vincent Nicomette (INSA Toulouse/LAAS-CNRS) and Guillaume Auriol (INSA Toulouse/LAAS-CNRS)
CasinoLimit: An Offensive Dataset Labeled with MITRE ATT&CK Techniques
CasinoLimit is a dataset built from a large-scale penetration testing exercise on 114 identical instances. It provides system and network logs labeled with MITRE ATT&CK techniques using a semi-automatic process that combines shell analysis, network log propagation, and expert review. In this talk, we present the motivation behind CasinoLimit, describe the labeling methodology, and highlight what the dataset reveals about attacker behaviors. We also discuss how the dataset can support research in attack detection, behavioral analysis, and the evaluation of offensive models.
Sébastien Kilian (CentraleSupelec) 🎙️, Valérie Viet Triem Tong (CentraleSupelec) and Jean-François Lalande (CentraleSupelec)
Using hardware signals to detect malware in critical embedded systems
Software and hardware compromises in critical infrastructure are becoming increasingly serious threats, particularly within the supply chain. These compromises can impact every layer of a system, including the lowest levels, such as firmware embedded in industrial components. As a last line of defense, runtime monitoring mechanisms for detection, diagnosis, and recovery can be integrated directly into these devices. This presentation proposes leveraging microarchitectural signals to identify software deviations during execution.
Lucas Georget (EDF R&D/LAAS-CNRS) 🎙️, Vincent Migliore (INSA Toulouse/LAAS-CNRS), Vincent Nicomette (INSA Toulouse/LAAS-CNRS), Frédéric Silvi (EDF R&D) and Arthur Villard (EDF R&D)
Vibe Coding at Scale: Systematic Discovery of Authorization Failures and Data Exposure in AI-Generated Web Apps
In this presentation, we showcase how we uncovered over 35,000 vulnerabilities in AI-generated applications exposed on the public internet. We cover the background and motivations behind this study, the methodology we applied, and a high-level overview of our findings including Broken Authentication, exposed secrets, and Personally Identifiable Information (PII) leaks.
We then take a deep dive into several critical vulnerabilities, such as zero-click account takeovers and exposed admin payment API secrets. Finally, we conclude with practical mitigation strategies and security guidelines for teams building AI-generated applications.
Nohé Hinniger-Forayi (Escape) 🎙️, Gabin Fouquet (Escape) 🎙️, Gabriel Marquet (Escape), Gwendal Mognie (Escape) and Alexandra Charikova (Escape)
AI for Software Vulnerability Management: Use Cases and Challenges
The rapid advancement of AI, and particularly Large Language Models (LLMs), has opened new opportunities for software security. From vulnerability detection to automated repair, AI-driven techniques are increasingly explored to support the software vulnerability management lifecycle. This talk will provide an overview of the state of the art in this area and present our recent research on automated vulnerability repair, highlighting the difficulties in designing an evaluation benchmark and sharing insights into how AI-generated vulnerability fixes compare with those written by human developers.
Merve Sahin (SAP) 🎙️, Kendrick Gruenberg (SAP, TU Braunschweig) and Malte Wessels (TU Braunschweig)
From inside with love: using uninitialized kernel memory to achieve cross container infoleak
I describe how I was able to achieve information disclosure of another container from inside a different Docker container, running Linux kernel 6.12, using an uninitialized memory infoleak.
Vatafu vladut (execc0de Team) 🎙️
Attack Scenarios and Embedded Intrusion Detection for Space Systems
Space systems have become strategic targets for cybersecurity attacks. This paper proposes the design and a proof-of-concept implementation of an Intrusion Detection System (IDS) embedded on a satellite, deploying several probes and detection strategies. It is designed to take into account the constraints of space systems, such as limited resources, particular architectures, the specific data processed, and the communication protocols used. The paper also describes a set of attacks that we designed and tested to assess the relevance of our IDS. The performance impact of the IDS is also assessed.
Louis Lolive (IRT Saint Exupery/LAAS-CNRS) 🎙️, Guillaume Auriol (INSA Toulouse/LAAS-CNRS), Vincent Nicomette (INSA Toulouse/LAAS-CNRS), Florent Galtier (LAAS-CNRS), Simone Urbano (Starion Group France) and Jacques Girard (Thales Alenia Space)
Integration of EBIOS-RM in a secure product development process
Details coming soon!
Rémi BONREPAUX (Viveris Technologies) 🎙️
Coming soon!
Wednesday May 6th 2026
Coming soon!
Towards programming languages free of injection-based vulnerabilities by design
Injection attacks (SQL or other) are still all too common, and for good reason: the vulnerability stems from the structure of the languages themselves. In this presentation, I will discuss the applications of theoretical work on the definition of injection vulnerabilities, and I will show that it is possible to create languages that are not vulnerable to these attacks. I will use an example to illustrate this: slight modifications to the LDAP language make it possible to obtain a more secure version.
Pierre-François Gimenez (INRIA) 🎙️, Eric Alata (Intel)
Ransomware vs. Info Stealers: A Comparative Analysis
In cybersecurity, CVEs (Common Vulnerabilities and Exposures) are publicly disclosed hardware or software vulnerabilities. These vulnerabilities are documented and listed in the NVD database maintained by NIST. Knowledge of the CVEs impacting an information system provides a measure of its level of security.
This article points out that these vulnerabilities should be described in greater detail to understand how they could be chained together in a complete attack scenario. Our work presents the first proposal for the CAPG format, which is a method for representing a CVE vulnerability, a corresponding exploit, and associated attack positions.
Steph Shample (S2 Advising LLC, University of Maryland) 🎙️
Multi-domain Anomaly Detection in 5G Networks through Continuous Dynamic Graphs
5G networks increasingly resemble distributed systems in their design. It then becomes crucial to move beyond traditional network-based detection methods and to explore alternative approaches. In this work, we propose a formalization of 5G network exchanges as a dynamic graph, on which we apply techniques from the field of graph-based learning to detect anomalies effectively. This representation allows for fine-grained analysis of packet-level semantic content, while simultaneously capturing sequential and topological contexts, both of which are essential for identifying sophisticated and multi-stage attacks.
Thomas Hoger (LAAS-CNRS) 🎙️, Philippe Owezarski (LAAS-CNRS) and Mariamdouni (Université de Carthage/LAAS-CNRS)
Chain of Thought F's Everybody
Artificial intelligence has made a lot of progress and has become very popular, with many chatbots like ChatGPT, Claude, Grok or Gemini interacting in natural language and available to anyone. These tools are now part of the hacker's toolbox and are heavily used in Capture The Flag (CTF) competitions, impacting the way challenges are solved and questioning the purpose of such competitions. In this talk, we demonstrate how powerful AI has become, why it is a game changer for CTF participants and how it threatens CTF competitions as we know them. We also present the results of many experiments we, as CTF challenge designers, made to fight or embrace AI, as well as the lessons learned, including some nice tricks. Last but not least, we discuss the future of CTF competitions in this new AI era and draft new formats that are more AI-friendly, while keeping CTF competitions fun and challenging, aiming at using AI in a smarter way instead of treating it like a simple mechanical Turk.
Axelle Apvrille (Fortinet) 🎙️, Damien Cauquil (Quarkslab) 🎙️
The Airbus Method: Transforming Vulnerability Noise into Actionable Intelligence
Facing the challenge of prioritizing 25,000+ annual CVEs, this talk introduces the "Airbus Method" for managing risk in sensitive defense environments. It leverages a custom Python pipeline to enrich Cyberwatch scans with threat intelligence and implements a two-level prioritization system to eliminate alert fatigue. This approach transforms raw vulnerability data into actionable intelligence, ensuring teams focus on genuine threats rather than theoretical scores.
Jérémy RICHARD (NEVERHACK) 🎙️, Paul VARGAS (FERCHAU) 🎙️, Bertrand LECONTE (Airbus) 🎙️, Eric CAUSSIN (Airbus)
Master Boot Record Bootkit Analysis and Reverse Engineering
This presentation explores the inner workings of Master Boot Record (MBR) bootkits through in-depth static and dynamic analysis. We will dissect the infection chain, examine disk manipulation techniques, and reverse engineer the bootloader modifications used to gain persistence before the operating system loads. Attendees will learn how MBR bootkits communicate with hardware, evade detection, and implement self-protection mechanisms. The session concludes with memory forensics insights and a practical analysis of an MBR ransomware locker in action.
Diyar Saadi (Independent Security Researcher) 🎙️
Exposing Visual Aimbots: In-Game Honeypots for Proactive Cheat Detection
Cheating in Multiplayer Online Games has remained a persistent problem for several decades. Cheating hinders honest players and impacts the reputation of the game, as it directly affects player retention, competitive integrity, the legitimacy and trustworthiness of a game, and overall revenue streams. In this presentation, we will show how a new and upcoming cheating technique known as a visual aimbot works and how to protect against it, all within a fully controlled and isolated custom game environment. Such aimbots completely bypass the commercial anti-cheat solutions, rendering them useless. We begin by explaining how the specific attack operates, and then introduce a defensive strategy that deploys in-game honeytokens to identify and expose attackers who rely on visual aimbots.
Salman Shaikh (KAUST) 🎙️, Marc Dacier (KAUST) and Tao Ni (KAUST)
Identifying potential attack scenarios in complex systems by means of provenance graphs
Modern platforms are difficult to analyze for vulnerabilities because their behavior emerges from many interacting components. Provenance graphs have become a convenient abstraction for capturing host activity by relating processes and resources through information-flow edges. We introduce State-Expanded Provenance Graphs, a representation intended to support security evaluation when system behavior is only partially characterized. The graph is derived from lightweight system-call traces and is designed to remain independent of the specific monitoring technique. A key challenge is over-linking in long-running services, where imprecise modeling can connect outputs to numerous historical inputs, obscuring genuine attack paths. We present two complementary techniques that reduce over-estimated dependencies while remaining scalable on heterogeneous complex systems, as well as an interactive tool that allows analysts to explore traces and iteratively refine the resulting State-Expanded Provenance Graph.
Loic Robert (Airbus/LAAS-CNRS) 🎙️, Vincent Nicomette (INSA Toulouse/LAAS-CNRS), Eric Lacombe (Airbus), Marie-José Huguet (INSA Toulouse/LAAS-CNRS) and Emmanuel Hebrard (LAAS-CNRS)
Implementing cross-domain & cross-forest RBCD attacks
The Resource-based Constrained Delegation (RBCD) attack is well known to pentesters and attackers: by editing the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a machine account, an attacker can impersonate users on said machine. Even though this attack mechanism has been thoroughly documented within a single domain, and can be performed with Impacket or Rubeus, only a few resources mention its implementation in cross-domain and cross-forest environments. In this article, we present the cross-domain and cross-forest RBCD workflow, along with an Impacket script implementation to carry out these attacks.
Simon Msika (Synacktiv) 🎙️
Ah, the good old days
In the early 2010s, with the emergence of the connected home and the now ubiquitous internet ‘box’, we took an interest in the security of this equipment. Indeed, such equipment often has multiple communication links and incorporates an operating system that may contain vulnerabilities exploitable by attackers. At the time, a series of studies highlighted several attacks on this equipment that enabled us to compromise the IT network of a ‘typical’ home. This presentation looks back more than ten years to take stock of the assumptions put forward at the time and to reassess the relevance of the attack paths tested, through a new set of experiments.
Yann Bachy (Lyra) 🎙️