Every second Tuesday of the month, the LSE organises lightning talks. A lightning talk takes between 15 and 20 minutes and is a short perspective about a subject members have found interesting.
May 14, 2019
trish2, un algo de détection du plagiat (Victor Collod)
How an environment variable annoyed me for three months (Guillaume Pagnoux) slides
A small, incomplete, could be wrong, story on how an environment variable caused a three months bug hunt, in an almost non-debugable environment.
Arbitrary tree differencing for code copy detection (Nicolas Manichon) slides
Code copy has always been a security problem, with open source projects checking in code from one another, applying modifications and not being able to backport security fixes in a timely manner. I present a project that can perform code copy detection on a large number of files.
CTF: Two Noobs and a Plaid (Brendan Harley & Mathis Raguin) slides
Let’s follow two young and innocent students on their way to solve the 2019 PlaidCTF’s challenges. On the menu: python, reverse engineering and docker archeology.
April 9th, 2019
KeraSH: A neural network toolkit written in shell (Jean-Adrien Ducastaing & Audran Doublet) slides
A shell-based ML toolkit allowing you to train, evaluate neural networks and evolve your topology and hyper-parameters via AutoML-ish techniques.
From execution traces to binary reconstruction (Gabriel Duque) slides
Obfuscated files often consist of complicated code that actually does something simple. Through execution trace capturing and binary reconstruction, we will see how it is possible to generate an executable file that has the same behaviour as the original file, but much simpler code.
March 12th, 2019
Accelerate Boolean Constraint Propagation for Boolean Satisfiability Solvers with FPGA (Maxence Caron-Lasne) slides
Boolean Satisfiability (or SAT) problem is the problem of finding if a set of Boolean values that satisfies a given Boolean formula exists. SAT, even if it is the first problem proven NP-complete, is used in fields like circuit design and automatic theorem proving. The algorithm used to solve SAT problems is arborescent but the most time consuming operation used in it, the Boolean Constraint Propagation (BCP), is a good target for hardware acceleration. Based on the work of John D. Davis and Jason Thong, let’s explore two possible BCP co-processor designs on FPGA.
Sqlports, an adventure in sqlite (Marc Espie) slides
This starts with an interesting use-case for sqlite, based on the need to collate metadata about 10000+ distinct ports on OpenBSD, an obvious use of relational database technology. However, designing a database schema for human consumption is tricky, between the desire of having human-readable views or table, and the need to have a sensible database schema with internal consistency. This is the tale of a pseudo ORM designed for human readability, as an exercise in futility, because “why not ?”
Userland NIC driver design on Linux (Guillaume Pagnoux) slides
In my quest for a better understanding of computer networking, I tried making a switch using a userland NIC driver for ixgbe and virtIO network cards. Let’s take a look at how this driver is implemented, and the differences with an in-kernel one.
February 12th, 2019
Network stack in K (Tom Decrette) slides
Once you finished K, you are a little bit confined by the possibilities. Let’s see how to add a network stack in your own kernel.
Bypassing SMM-EP (Bruno Pujos) slides
Intel introduced a hardening mitigation for SMM called SMM_CODE_CHK_EN. This mitigation prevents a processor in SMM mode from executing code outside the protected memory defined for SMM, the same way than SMEP prevents the kernel to execute userland code. In this talk we will see how to bypass it in a non-firmware-dependent way.
Trying to design a simple yet efficient L1 cache (Jean-François Nguyen) slides
Minerva is a recently released 32-bit RISC-V soft processor implemented with nMigen. This talk will provide a tour of its L1 cache infrastructure with a focus on its approach to reduce miss penalties efficiently while trying to keep its ressource usage adequate for embedded use cases.
December 11th, 2018
Writing a hypervisor - Part 2 (Thomas Bitzberger)
Séance de question-réponses sur le sujet de recrutement (Gabriel Laskar)
November 13th, 2018
Writing a hypervisor - Part 1 (Thomas Bitzberger)
Let’s go through the first steps of coding a x86_64 hypervisor. During this first part, we’ll see how to use Intel virtualization extensions and how to launch a very simple guest.
TCP, fonctionnement et implémentation (Victor Collod)
TCP est peut-être le protocole le plus important d’internet, en tant que moyen le plus commun d’obtenir un canal de communication fiable. Parlons un peu de son fonctionnement et de son implémentation.
October 9th, 2018
Il ne faut pas toujours croire les spécialistes (Sebastien Larinier)
En lisant un article de FireEye, les chercheurs détaillent qu’une nouvelle backdoor est uniquement dans l’overlay du première exécutable de la chaîne d’infection. Après quelques tests, il s’avère que c’est un peu plus compliqué. On a donc sorti le debugger et un desassembleur pour réellement comprendre ce qui passe.
zeroconf, où comment on peut survivre sans serveur dhcp (Chewie) slides
How to waste time during summer (Clementine Hayat and Alexandre Majed)
June 12th, 2018
Text classification models based on Deep Learning (Antoine Sainson) slides
Text classification is one of the main tasks in natural language processing. Let’s see how we can use CNNs and RNNs to classify french tweets.
iSCSI and Libvirt (Clementine Hayat)
iSCSI protocol is famously used for block storage over TCP. Let’s see how the current libvirt implementation allows us to use iSCSI blocks for VM storage, and how we can improve it.
Edit and continue in GDB (Alexandre Bernard)
Debugging is an everyday game to many developers. Stop, recompile and restart the debugging session are three annoying steps. Let’s see if we can get rid of it in gdb and apply code changes while our program is in break mode.
April 10th, 2018
Les canaux subliminaux dans DSA (Marin Hannache) slides
Comment détourner l’algorithme de signature DSA pour y faire apparaître des canaux subliminaux. C’est à dire un moyen de communiquer via des signatures en apparence anodines. Quelles contre-mesures sont envisageables et quelles sont leurs limites ?
How to catch cheaters ? (Paul Semel)
Sometimes we want to avoid people from calling some shared libraries functions. Let’s play with dynamic binary instrumentation to see whether we can achieve this correctly !
The iPXE object model (Victor Collod)
In order to achieve high reliability and flexibility, iPXE implements an object layer inspired by flow-based programming, in C.
March 13th, 2018
Great expectations for HTTPS (Marc Espie) slides
Package updates on OpenBSD are done over HTTP usually. The authenticity of packages is already ensured at the application level.
Is moving to HTTPS desireable ?
Putting all the pieces together leads to surprising challenges and discoveries.
Dumping C/C++ structures, the return ! (Paul Semel) slides
C/C++ programmers often need to dump the content of their structures. As one can’t have structures information at runtime, it’s not possible to write a generic structure pretty printer.
The first attempt we made consisted of reading debugging information located in the ELF file; this was not a good idea. Hopefuly, those information are known at compile time, so let’s implement a CLang structure pretty printing built-in.
VirGL on Windows: Part 2 (Nathan Gauër) slides
Last year began my journey in the grateful universe of graphic drivers on Windows. This year, the goals have been updated. Let’s see how we can tackle a correct ICD implementation using Angle
February 13th, 2018
Malware comparison with frequency analysis (Gabriel Duque)
A simple approach for information extraction in object code. Also an overview of the issues encountered while automating and scaling this process for a 2Tb malware database.
Windows Hello World (Thomas Bitzberger) slides
To learn more about Windows and the PE format, let’s see how we can do the exercice of calling the ‘printf’ function by manually resolving it’s address at runtime.
Playing with Clang’s Static analyzer (Paul Semel)
During this talk, I will present the Clang’s static analyzer tool, by implementing an undefined behavior checker.
December 12th, 2017
Speaker Recognition: Basic Concepts (Réda Dehak)
Speaker recognition is the process of recognizing automatically who is speaking in a speech audio file. This allows to use people voices as an authentication mechanism. We deal with different statistical machine learning methods to solve this problem. We will present the principal statistical machine learning methods used in our recognition system which was submitted to NIST-SRE 2016 evaluation campaign.
512 bytes to boot (Pierre Marsais) slides
Let’s implement a minimal Multiboot x86 BIOS bootloader.
November 14th, 2017
A gentle introduction to TCP/IP (Gabriel Laskar)
An introduction course on how Internet and TCP/IP works.
Better signal handling with Clang (Alpha Abdoulaye) slides
Let’s try to improve the detection of common programming errors specific to signal handlers and fix them by patching Clang.
CPU exception and interrupt mechanisms (Jean-François Nguyen
Exceptions and interrupts are unexpected events that disrupt the normal flow of instruction execution. This talk will cover their implementation on our own CPU design.
October 10th, 2017
My RC car just got itself a CAN Bus (Stanislas Lejay) slides
Car hacking is one of these difficult-to-reach kind of field, often because nobody wants to break their own car trying to make the headlights flash. So, how can one offer a cheap approach to car and CAN hacking ? Here is a new episode from the “give the impression you are working when you are in fact having fun” series.
Designing a homebrew RISC CPU (Jean-François Nguyen)
CPU design does not have to be the realm of voodoo rituals and Fortune 500 companies. We’re living great times where any nerd can just go out and build their own microarchitecture. Let’s see how!
April 11th, 2017
Linux and GPU : The frame and the pain (Nathan Gauër) slides
Let’s go under the hood of an OpenGL application! See how we can spit some pixels out of Mesa and put them on our screen.
Backdooring Linux (Thomas Bitzberger) slides
Backdooring an operating system is quite an art. Let’s see how to implement a very simple one under Linux. We’ll take a look at the sys_call_table, search through the kernel memory and modify it.
Extending qemu/gdb for machine debugging (Gabriel Laskar)
Let’s extend qemu for proper low level debugging on x86!
March 13th, 2017
Runtime handling for thread local storage (Alpha Abdoulaye) slides
A quick overview of the runtime handling of thread-specific data in ELF objects.
Playing with Mach-O and DYLD (Stanislas Lejay) slides
Let’s take a look at macOS’s binary format and see how one can call any function by journeying from structures to internal memory.
Trap your friends with TCP! (Philemon Gardet) (slides not available)
Look at some fun and expensive hardware to play with the TCP transport layer and make some pranks.
December 13th, 2016
C++ internals (Francis Visoiu Mistrih) slides
Quick look inside the implementation of high-level constructions in C++, such as name mangling, inheritance, virtual, etc. based on the Itanium C++ ABI.
Malware deobfuscation by program synthesis (Kevin Tavukciyan)
During this talk, we’ll see how, using program synthesis, we can deobfuscate binaries in an “automated” way, without dynamic analysis. We’ll also see how to synthesize formal specifications of the x86_64 mnemonics, which are needed to get proper deobfuscation.
Introduction to abstract interpretation (Marc Chevalier) slides
An introduction to abstract interpretation or how to statically prove semantic properties on programs.
November, 8th 2016
Write yourself a toolchain using LLVM (Francis Visoiu Mistrih) slides
During this talk, we’ll see how to set up a fully functional toolchain for a new architecture using the LLVM Compiler Infrastructure. From Clang, going through the core of LLVM, up to LLD, we’ll try to add support for a new target: J Core 2, which is the open source version of Hitachi’s SuperH 2.
Lockdep, an inside out perspective (Nahim El Atmani) slides
Quick dive into the linux kernel lock validator a.k.a lockdep.
A peek into asynchronous processor design (Philémon Gardet) slides
In the domain of the logic circuit programming, synchronous systems and their dependency to a ‘clock’ signal are a common pattern. What could happen if such signal did not exist ? This assumed constraint is the opportunity to expose some concepts like a simple asynchronous circuit design, some handshaking data transmission protocols and their implementation or even asynchronous pipelines.
October, 11th 2016
Debug code the hard way (Gabriel Laskar) slides
A brief introduction to Linux debugging APIs
Write yourself a JIT brainfuck compiler (Jean-François Nguyen) slides
Some ING1 students had to write a toy brainfuck compiler during their first week at EPITA. Let’s have fun and rewrite it using JIT (Just-In-Time) compilation!
There and back again, how we fixed packages signatures before they were truely broken (Marc Espie) slides
Signing the inside of a package is not so secure, as you depend on your unpacking tools being bug-free. Moving the signature outside involved some redesign to allow just-in-time checking, and quite a few changes inside the tools involved. This code went from proof-of-concept to full scale deployment in about a month.
May, 10th 2016
Hotplug on linux (Gabriel Laskar)
A survey of the linux hotplug system.
PXE boot on PIE (Nicolas Géniteau)
How to boot hundreds of diskless computers for EPITA.
GCC as a dead simple cryptosystem obfuscator (Nahim El Atmani)
While compiling, GCC plays a lot with intermediate representations to get optimal code after multiple optimization and reduction passes. These mechanisms can serve for weird code modifications too, and this talk is just an example of one of them. We’ll focus on a simple, yet effective way of hiding a cryptosystem.
April, 12th 2016
How-to fail porting a motherboard to coreboot (Vincent Gatine)
This talk will be the post-mortem of an attempt to port a (not-so) new x86 motherboard to the foss firmware project coreboot.
SecuROM v4 (Adrien Garin)
SecuROM v4 is an old DRM and copy protection used by video games. How effective is it ?
March, 8th 2016
LSE discount on Canadian’s transportation travel fares (Nahim El Atmani)
After a quick reminder on contactless cards technologies we’ll see how one can subvert daily passes in order to get a special 70% LSE discount. Happy black friday folks!
Cheating online in Age of Mythology (Adrien Garin)
Age of Mythology released in 2002 is still playable online on the Voobly platform. We will see how to patch the game memory to disable entirely the fog of war and how to bypass the anticheat detection module of Voobly.
CVE-2016-0728 vs Real World (Matthieu Tardy)
CVE-2016-0728 has made some headlines in the security world for being a relatively easy to exploit Linux local privilege escalation vulnerability. We will see a teardown of this vulnerability and an estimation of its real impact.
9th February 2016
PFE Report: first steps in porting Stos on Intel Galileo (Zackary Ayoun) slides
Implementation of an EFI bootloader Overview of the new device interface of Stos
16-bit DOS executable execution on the LSE-PC (Antoine Froger) slides
An overview of the changes made to the LSE-PC software architecture in order to be able to execute 16-bit DOS executables.
Introduction to Reversing DXE drivers (Bruno Pujos) slides
Most of the x86 computer firmware today follow the UEFI specification. The DXE drivers are one of the most important part of the boot and reversing them is a key step for understanding your BIOS.
8th December 2015
Introduction to SAT and SMT solvers (Zoé Delduc) slides
From SAT to SMT solvers, a theorical overview of their algotrithm and some praticals examples using Z3.
GreHack 2015: writeups (LSE team)
Grehack is a security conference hosted in Grenoble. Their 3rd session was on November 15th, 2015. We will present writeups for some ctf challenges.
10th November 2015
Pledge: a new mitigation technology in OpenBSD (Marc Espie) slides
there’s a bleeding edge new system call in OpenBSD: pledge. It’s used to limit what a given process can do. There are some major usage differences to some prior technologies that should make it more effective. The most prominent comes from OpenBSD’s basic motto, namely that security measures should be on by default and driven by experience. I will give a small state-of-the-art presentation about how far we’ve come understanding what pledge can do for us, in terms of simplicity and efficacy.
How to run unsigned kernel driver on Windows x64 (Nassim Eddequiouaq & Adrien Garin)
By default, 64-bit versions of Windows (starting from Vista) will only load signed kernel-mode drivers. Thanks to a vulnerable version of a signed VirtualBox kernel driver, we will see how to gain ring0 code execution and how to disable DSE to finally run our unsigned drivers without enabling debug mode or changing Windows boot options.
Designing a flexible on-chip debugger for the LSE-PC (Pierre Surply)
Tracing execution on the LSE-PC used to be achieved by manually analysing 80386SX CPU signals. This talk will present an implemented solution to provide a efficient on-chip debug by automating and scripting bus controller operations.
13th October 2015
Hacking a Sega Whitestar Pinball: Focusing on the audio board (Pierre Surply)
A reverse engineering of a BSMT2000 DSP used on the audio circuit of an old-school pinball.
Software programming on the LSE-PC (Antoine Froger) slides
After the multiple presentations on the LSE-PC architecture and hardware, this talk will focus on the tools used to program on the LSE-PC and the complexity to code and debug on a board based on an Intel 80386SX processor conceived in 1985.
Tasks, multithreading and early scheduling setup in stos (Louis Feuvrier & Fabien Goncalves) slides
Our recent work to introduce userland threads in stos. From scheduling issues to jumping from a single execution thread to a full-blown scheduled environment, we will cover early task handling in stos.
14th April 2015
PS/2 Archeology (Gabriel Laskar)
Let’s look at mouses, keyboards, and their protocols.
Understanding the PCI Passthrough (Nassim Eddequiouaq)
An overview of the way PCI passthrough works, with an emphasis on network devices and the features provided by the Intel VT-d.
10th March 2015
Discovery of Ltrace On Steroid (Nahim El Atmani) slides
LOSt is a dynamic binary analysis tool currently in early development phase in the Lab. It aims at tracing internal function calls of an unknown binary. Working closely with IDA and PIN, LOSt brings evolutive reports throughout the reversing phase. This talk will present the goal and the motivation of making such a tool.
Linux live patching (Adrien Schildknecht) slides
Linux 4.0 introduces a first draft of a live patching API. Patching a running kernel is subject to many race conditions and constraints. We will study the different approaches and their limitations.
Testing the 8259A Soviet clone (Pierre Surply) slides
Manufactured in USSR during the 80s, the KP580 family of n-MOS integrated circuits aimed to imitate the behaviour of the Intel chips used in the IBM-PC. We will focus on the Programmable Interrupt Controller to see if those components actually follow the Intel former design.
Two practical examples of obsolescence in electronic and software design, and easy fix (Jacques Laskar) slides
HP 54601A is a 4 channels 100 Mhz oscilloscope from 1990 with digital storage capabilities. Although it should have been able to survive many decades, it has been plagued with various electronic and software design features that make it totally useless at present. By chance there are some easy fix.
10th Febuary 2015
Decoding evdev ioctls for strace (Etienne Gemsa) slides
Strace, a debug tool, displays system calls of a program, some are not clearly displayed, in particular ioctls of evdev drivers. This talk will describe works on decoding of evdev ioctls in strace.
BIOS patching for fun and profit (Vincent Gatine) slides
Many PC vendors lock processors features within BIOS to create market segments. Let’s see if we can hack our way through the BIOS to get our hands on some cool features.
Containers and systemd: systemd-nspawn (Rémi Audebert) slides
systemd-nspawn is simple and versatile container manager built on top of Linux namespaces. Booting full Linux distributions is trivial, and tight integration with systemd makes it a very powerful tool.
13th January 2015
Elf : Tips & Tricks (Gabriel Laskar) slides
A brief tour of some tricks that are commonly used in kernel development.
DNSSEC and zone walking (Paul Hervot) slides
A presentation of the DNSSEC extension of DNS, the issue it introduced regarding zone enumeration and existing solutions.
Bitcoin on FPGA (Bruno Pujos) slides
Making of a bitcoin calculator in hardware: bitcoin principle, SHA-256 and its implementation on FPGA.
9th December 2014
Having fun with Parallax Propeller (Pierre Surply) slides
An introduction to the peculiar design of a 32-bit multi-core microcontroller.
Investigating sensors support in a tablet (Fabien Goncalves) slides
Presenting my journey trying to add support for a sensor in a tablet running archlinux.
On some physical attacks of RSA (Robert Erra) slides
RSA is (probably) a secure algorithm but when it is used naively on some embedded system like smartcards, RSA can be attacked physicallly. We will show how this is possible and will present some known attacks.
UEFI: How does that actually boot ? (Gabriel Laskar) slides
An exploration and comparison of BIOS versus UEFI boot process.
Simulating a serial device with Linux and Python (Rémi Audebert) slides
How-to create a fake serial device and use Python idioms to emulate it.
Linux sandboxing (Gabriel Laskar) slides
An overview of the available kernel APIs that can be used in order to control and limit the effect of untrusted code.
CVE-2014-4114 (Bruno Pujos) slides
A study of the Sandworm vulnerability in powerpoint.
Trusted Platform Module (Jérémy Lefaure) slides
Discovery of this hardware cryptographic component, used among other things to set-up a trusted environment.
Learn D the hard way (by writing a kernel) (Nassim Eddequiouaq) slides
A small dive into D language’s system features and runtime mechanisms through kernel programming.
Go Reverse (Bruno Pujos) slides
First steps in reverse engineering a golang binary.
Hacking a Sega pinball (Pierre Surply) slides
How to reverse an old school pinball machine in order to modify it and execute our own code: A guided tour through the electronic design of an uncommon and discontinued machine.
Understanding Python by breaking it (Clément Rouault) slides
The goal of this talk is to abuse the logic of the Python interpreter using the ctypes module. With that we will be able to expose some of the CPython internals from Python itself.
Branch Tracing on x86 (Gabriel Laskar) slides
An overview of the x86 CPU’s features that allow the user to trace and debug code without binary modification.
Nanomites, a funny anti-debugging technique (Nassim Eddequiouaq) slides
An overview of the way Nanomites are implemented and work.
TI84+ Bare-metal Programming (Pierre Surply) slides
A guided tour through Z80 based Texas Instruments’s graphing calculators and how to program it without any operating system.
Heartbleed, technical overview (Bruno Pujos) slides
An explanation of the Heartbeat extension and how the Heartbleed bug is working, what kind of information can leak from it, and why it has not been found earlier.
Anti-Virtual Machine Techniques (Pierre Rovis)
An overview of some of the techniques being used by malwares to recognize virtual machine environments, how they work and what they are detecting.
Portable Executable: Overview of the executables files on Windows (Jérémy Lefaure) slides
A first peek at asymmetric cryptography: The RSA cryptosystem (Fabien Goncalves)
Introduction to Register Transfer Level: a simple way to design synchronous digital circuits (Pierre Surply) slides
Analysing unknown data with python (Rémi Audebert)
The Hell of CPU debugging (Franck Michea) slides
Malloc Internals (Bruno Pujos) slides
vsyscall/vDSO (Adrien Schildknecht) slides
Qemu integrated testing: liqtest / libqos (Nassim Eddequiouaq) slides