Seminars

    • CoaP (08/04/2025)

      As part of our series La Cybersécurité sur un plateau (Cybersecurity on a Plate), on Tuesday April 8th, we will have two seminars in Room 3.A213 at 10.30 am.

      If you are coming to participate for the first time, do not hesitate to contact the organizers so as not to be blocked at the entrance.

      • Ayoub Wehby (Telecom Paris) - Towards Secure Connected Cars: AI-Based Defense Against CAM-Based DDoS Attacks

        Abstract: The increasing connectivity of modern cars enhances driver safety and comfort but also expands the attack surface for cyber threats. In this presentation, we first explore the vulnerabilities of connected cars, focusing on Distributed Denial-of-Service (DDoS) attacks leveraging Cooperative Awareness Messages (CAMs) and their impact on safety-critical applications. We then introduce a machine-learning detection approach, developed using a CAM-based DDoS dataset generated from a realistic traffic scenario in Luxembourg City. Next, we demonstrate the generalizability of our models against morphing DDoS attacks. Finally, we unveil a new attack model incorporating Sybil-based techniques that challenge our detection system and discuss the strategies employed to restore detection accuracy. This work highlights the urgent need for robust intrusion detection systems in connected car environments.

      • Renaud Sirdey (CEA) - Beyond CPA security for FHE

        Abstract: Since its inception more than ten years ago, Fully Homomorphic Encryption has been the subject of a lot of research towards more efficiency and better practicality. From a security perspective, however, FHE still raises a number of questions and challenges, in particular due to the fact that all the FHE used in practice achieve only CPA-security (and all of these schemes are trivially CCA1 insecure). Over the last few years, very active research has been done to explore the security of FHE beyond that regime with new security notions, attacks and constructions emerging. In this talk, we will cover recent “slightly beyond CPA” security notions, such as CPAD, as well as new attacks on FHE in that model. We’ll then move on to CCA security for FHE and present recent results towards answering the two questions: can we build FHE schemes offering some degree of CCA security? And, what is the strongest degree of CCA-security achievable by FHE?

    • CoaP (11/03/2025)

      As part of our series La Cybersécurité sur un plateau (Cybersecurity on a Plate), on Tuesday March 11th, we will have two seminars in Room 3.A213 at 10.30 am.

      If you are coming to participate for the first time, do not hesitate to contact the organizers so as not to be blocked at the entrance.

      • Nicolas Peiffer (Thales) - A Journey Through SBOMs and Software Provenance Attestations in the Industry: Cryptography BOM, Patents BOM, ML-AI BOM, Meta-BOM...

        Abstract: In Europe, the Cyber Resilience Act (EU CRA) is being implemented to encourage, through regulations and laws, companies and open-source software communities to develop more secure software. The EU CRA is often referred to as the "GDPR for software": although the directive is now in effect, many entities are not yet prepared and face technical and organizational questions that they will need to address in order to comply with the legislation. This presentation will share Thales' experience regarding Software Bills of Materials (SBOMs) and software provenance attestations, such as in-toto and SLSA. It will particularly focus on "exotic BOMs," including Cryptography BOM, Patents BOM, ML-AI BOM, and Meta-aggregated-BOM, for which there are few or no suitable tools available. The presentation will also discuss the challenges associated with the Meta-aggregated-BOM in the context of "system of systems." Finally, it will highlight Thales' open-source contributions to the CycloneDX BOM format.

      • Guilhem Lacombe (CEA) - Attacker Control and Bug Prioritization

        Abstract: As bug-finding methods improve, bug-fixing capabilities are exceeded, resulting in an accumulation of potential vulnerabilities. There is thus a need for efficient and precise bug prioritization based on exploitability. In this work, we explore the notion of control of an attacker over a vulnerability’s parameters, which is an often overlooked factor of exploitability. We show that taint as well as straightforward qualitative and quantitative notions of control are not enough to effectively differentiate vulnerabilities. Instead, we propose to focus analysis on feasible value sets, which we call domains of control, in order to better take into account threat models and expert insight. Our new Shrink and Split algorithm efficiently extracts domains of control from path constraints obtained with symbolic execution and renders them in an easily processed, human-readable form. This in turn allows to automatically compute more complex control metrics, such as weighted Quantitative Control, which factors in the varying threat levels of different values. Experiments show that our method is both efficient and precise. In particular, it is the only one able to distinguish between vulnerabilities such as cve-2019-14192 and cve-2022-30552, while revealing a mistake in the human evaluation of cve-2022-30790. The high degree of automation of our tool also brings us closer to a fully-automated evaluation pipeline.

    • CoaP (11/02/2025)

      As part of our series La Cybersécurité sur un plateau (Cybersecurity on a Plate), on Tuesday February 11th, we will have two seminars in Room 3.A213 at 10.30 am.

      If you are coming to participate for the first time, do not hesitate to contact the organizers so as not to be blocked at the entrance.

      • Adam Oumar Abdel-rahman (Télécom SudParis) - Privacy-Preserving Web Content Filtering using Attribute-Based Encryption

        Abstract: The rapid growth of encrypted data, particularly TLS-encrypted traffic, has enhanced privacy by reducing cyberattack exposure. However, this shift challenges traditional monitoring tools, rendering them ineffective in handling encrypted traffic. Balancing confidentiality and security in systems such as intrusion detection requires innovative solutions. In this paper, we explore privacy-preserving web content filtering using attribute-based encryption (ABE). This approach enables enforcing access policies—such as blocking inappropriate or harmful content—while preserving users' privacy and requests. We present a comprehensive study, from specification to evaluation, showcasing how cryptographic techniques can address the dual needs of privacy and control in modern information systems.

      • Julien Malka (Télécom Paris) - Increasing trust in the open source software supply chain with reproducible builds and functional package management

        Abstract: Functional package managers and reproducible builds are technologies and methodologies that are conceptually very different from the traditional software deployment model, and that have promising properties for software supply chain security. In this presentation, I’ll introduce the main lines of work included in my thesis surrending these topics and the findings from a research project on the reproducibility of the Nix software repository.

    • CoaP (14/01/2025)

      As part of our series La Cybersécurité sur un plateau (Cybersecurity on a Plate), on Tuesday January 14th, we will have one seminar in Room 3.A213 at 10.30 am.

      If you are coming to participate for the first time, do not hesitate to contact the organizers so as not to be blocked at the entrance.

      • Sara Chennoufi (Télécom SudParis) - Towards Interpretable and Resilient Cyber Intrusion Detection in Heterogeneous Environments

        Abstract: In distributed networks, devices face diverse cyberattacks, highlighting the need for collaborative mechanisms like Federated Learning (FL) to achieve a global knowledge of various attack types. FL is a privacy-preserving machine learning paradigm that enables collaborative model training without sharing sensitive data. However, the effectiveness of FL is often hindered by the heterogeneity of attack data across different networks known as non-identically distributed (non-IID) data. To address these challenges, we propose Argos, a Federated Prototype Learning (FPL) framework designed to improve collaborative and interpretable detection of network attacks in heterogeneous environments. FPL enables the sharing of class-specific prototypes, facilitating the exchange of interpretable knowledge and improving the detection performance for individual classes. Additionally, we analyze the privacy risks associated with prototype sharing and investigate their effectiveness in identifying mislabeled data.

        Biography: Sara Chennoufi is a PhD candidate at Télécom SudParis, working on the development of intrusion detection systems for 5G networks. Her research focuses on enhancing privacy-preserving distributed systems using Federated Learning, addressing key challenges in 5G such as system heterogeneity and the rapid spread of new cyber attacks. She graduated from the Higher School of Computer Science (ESI Algiers). For her graduation project, she completed an internship at INSA Lyon, where she also explored Federated Learning and poisoning attacks.

    • CoaP 2025 Reboot: Seminars on the Second Tuesday of each month!

      In 2025, the CoaP seminar (Cybersecurity on a Plate, La Cybersécurité sur un plateau) is rebooted, with a new, regular, format.

      Seminars will be held on the second Tuesday of each month, between 10:30 and 12:00. We will try and invite two people for each seminar, preferably researchers working on the "plateau". Unless stated otherwise, the seminars will take place in the Télécom Paris/Télécom SudParis building, in room 3.A213.

      You can already note the dates for the first semester in 2025:

      • Tuesday, January 14th
      • Tuesday, February 11th
      • Tuesday, March 11th
      • Tuesday, April 8th
      • Tuesday, May 13th
      • Tuesday, June 10th

      If you do not want to miss any announcement, you regularly look at the seminar blog, subscribe to the RSS feed or subscribe to the mailing list following instructions on the seminar's website.


    • CoaP (15/11/2024)

      As part of our series La Cybersécurité sur un plateau (Cybersecurity on a Plate), on Friday November the 15th, we will have the following seminar (Palaiseau, Room 4.A101, 10 am):

      • Nicolas Bellec (CEA LIST) - A scalable framework for backward bounded static symbolic execution

        Abstract: Many programs (e.g. malware) hide their behavior by using obfuscations such as opaque predicates. Automatic methods have been developed to detect such obfuscations. In this presentation, we will focus on static symbolic backward bounded execution, a method that enumerates backward bounded paths from a potential opaque predicate and uses symbolic execution to check whether all enumerated paths have the same predicate value. We will show how this method can be generalized using a lattice-based framework and how to scale up such methods to efficiently analyze whole programs.


    • Students C4 seminar (24/10/2024)

      The seminar will take place at 2.30 p.m. at the IMT/TP/TSP building (room Amphi 2). It will be followed by a cocktail at the Entrepôtes 19 (7 pm).

      • Agenda


        • Marie Tcholakian (Banque de France) - IRMA : Automatic Detection of Malicious E-mails

          For the security of the Banque de France, users of its mail service have the possibility to report received mails that they find suspicious. Downstream, these reports are processed manually by SOC employees, who classify them according to different categories (phishing, scam, spam, legitimate, etc.). This processing is often considered time-consuming and redundant. We wanted to experiment with the use of learning models to predict the qualification of an email. This is the birth of IRMA. Based on the large language model (LLM) camemBERT and learning data from real SOC processing, it is able to predict the categorization of new emails with a good confidence rate.

        • Grégory Blanc (Télécom SudParis) - Learning-based Network Intrusion Detection: Are We There Yet?

          For more than 40 years, intrusion detection systems (IDS) have been developed to produce monitoring reports of potential threats. Because the threat landscape is highly dynamic, signature-based network-based IDS (NIDS) are struggling to cope with the amount of threat data. Machine learning (ML) methods have not only the potential to address this data explosion but also to shift the paradigm to more behavior- and anomaly-based detection. Surprisingly, the maturity of such solutions is not production-ready while ML thrives in other domains such as computer vision or natural language processing. In this talk, we are reviewing the products of ML-based NIDS academic research and provide analysis to why it has not yet fulfilled its promises.

        • Ayoub Elaassal (Qonto) - Destroying preconceived ideas about Cybersecurity

          To quote a fellow security expert: “Security is a failure.” Companies can spend millions of dollars on tools, staffing, and a shiny new SOC, and still get hacked faster than a ride on Space Mountain. What’s going on? I believe this dissonance is the result of poor focus and assumptions. The security team is not working on the right topics at the right speed. They don’t have the right approach, and they are blindly following the many misconceptions that plague this industry. This presentation will deconstruct some of the most common misconceptions. Bio: Ayoub El Aassal, a 2013 graduate of Télécom SudParis (TSP), began his career as a pentester and cybersecurity incident investigator, exploring a variety of technical environments, from AWS to mainframes. He has presented several vulnerabilities and tools at conferences such as DEF CON and Black Hat. He currently holds the position of Cybersecurity Director at Qonto, a fintech ranked in the Next 40.

        • Clément Safon (Thales) - Security of Operating Systems based on GNU/Linux: State of the art of AppArmor and SELinux technologies

          Based on the experience and technical skills acquired during the final internship, this presentation explores operating system hardening by studying AppArmor and SELinux. After an introduction to the fundamental principles of OS hardening under GNU/Linux, we will focus on these two security solutions. We will detail the operation of these two Linux Security Modules (LSM), addressing their key concepts, applications and various use cases. Finally, we will be able to delve deeper into some advanced mechanisms in order to illustrate more complex usage scenarios and assess the strengths and limitations of these technologies in an operational environment. Biography: Clément Safon graduated from Télécom SudParis (VAP SSR - class of 2024) and has just started his career at Thales where he is working on the hardening of GNU/Linux operating systems as a continuation of his internship. This field particularly interests him because of its rigorous approach, as well as the detailed understanding of attack mechanisms and in-depth defense strategies that this requires.

        • Elouan Gros (Astran) - Implementing Multi-Party Computation for Practical Use

          Secure Multi-Party Computing, or MPC for short, is a field of cryptography concerned with devising means for groups of individuals to jointly evaluate functions over private inputs they wish to keep secret from each other. It is a powerful and versatile tool that may be used to implement arbitrary primitives from AES encryption to privacy-preserving machine learning. Despite its qualities, MPC mostly remains a theoretical tool, seeing very little use in practice. In this talk I present the results of my internship, in which I attempted to prove that MPC is viable for industrial use.

    • LINCS seminar (09/10/2024)

      As part of our collaboration with LINCS, on Wednesday October the 9th, we will have the following seminar (Palaiseau, Amphi 6, 2 pm):

      • José Luis Muñoz-Tapia - Zero knowledge proofs in blockchain

        Abstract: In this talk, we will explore the fundamental concept of Zero Knowledge Proofs (ZKPs), a cryptographic technique that allows one party to prove knowledge of a specific piece of information to another party without revealing the information itself. We will delve into two core computation models used in ZKPs: the circuit computation model and the machine computation model. These models form the basis of how ZKPs are designed and implemented. Furthermore, we will examine various real-world applications of ZKPs, with particular emphasis on their critical role in enhancing privacy and security in blockchain systems. Attendees will gain a foundational understanding of ZKPs and insight into how they are applied to diverse scenarios in modern cryptographic systems.

        Short Bio: José L. Muñoz-Tapia received the M.S. degree in telecommunications engineering and the Ph.D. degree in security engineering, in 1999 and 2003, respectively. He is currently a Researcher with the Information Security Group (ISG) and an Associate Professor with the Department of Network Engineering, Universitat Politècnica de Catalunya (UPC). He is also the Director of the Master Program in Blockchain Technologies, UPC School. He has worked in applied cryptography, network security, and game theory models applied to networks and simulators. His research interest includes distributed ledgers technologies.


        [Recording]

    • CoaP (17/06/2024)

      As part of our series La Cybersécurité sur un plateau (Cybersecurity on a Plate), on Monday June 17th, we will have the following two seminars (Palaiseau, Room 3.A213, 10 am):

      • Arthur Tran Van (Télécom SudParis) - Mealy Verifier: An Automated, Exhaustive, and Explainable Methodology for Analyzing State Machines in Protocol Implementations

        Abstract: Many network protocol specifications are long and lack clarity, which paves the way to implementation errors. Such errors have led to vulnerabilities for secure protocols such as SSH and TLS. Active automata learning, a black-box method, is an efficient method to discover discrepancies between a specification and its implementation. It consists in extracting state machines by interacting with a network stack. It can be (and has been) combined with model checking to analyze the obtained state machines. Model checking is designed for exhibiting a single model violation instead of all model violations and thus leads to a limited understanding of implementation errors. As far as we are aware, there is only one specialized exhaustive method, leveraging DFA (Deterministic Finite Automaton) intersection, available for analyzing the outcomes of active automata learning applied to network protocols. We propose an alternative method, to improve the discovery of new bug and vulnerability patterns and enhance the exhaustiveness of model verification processes. In this presentation, we apply our method to two use cases: OPC UA, for which we present a full workflow from state machine inference to state machine analysis, and SSH, where we focus on the analysis of existing state machines.
        The work will be presented in July at the ARES conference

      • Shurok Khozam (Télécom SudParis) - DDoS Mitigation while Preserving QoS: A Deep Reinforcement Learning-Based Approach

        Abstract: The deployment of 5G networks has significantly improved connectivity, providing remarkable speed and capacity. These networks rely on Software-Defined Networking (SDN) to enhance control and flexibility. However, this advancement poses critical challenges including expanded attack surface due to network virtualization and the risk of unauthorized access to critical infrastructure. Since traditional cybersecurity methods are inadequate in addressing the dynamic nature of modern cyber attacks, employing artificial intelligence (AI), and deep reinforcement learning (DRL) in particular, was investigated to enhance 5G networks security. This interest arises from the ability of these techniques to dynamically respond and adapt their defense strategies according to encountered situations and real-time threats. Our proposed mitigation system uses a DRL framework, enabling an intelligent agent to dynamically adjust its defense strategies against a range of DDoS attacks, exploiting ICMP, TCP SYN, and UDP, within an SDN environment designed to mirror real-life user behaviors. This approach aims to maintain the network’s performance while concurrently mitigating the impact of the real-time attacks, by providing adaptive and automated countermeasures according to the network’s situation.

    • ICS-CoE (10/04/2024)

      As part of our collaboration with ICS-CoE (Mission to France 2024), on Wednesday April the 10th, we will have the following two seminars (Palaiseau, Amphi 7, 1.30 pm):

      • Jose Maria DE FUENTES - Advanced persistent threats: The cyber side of geopolitics

        Abstract: Advanced Persistent Threats (APTs) are on the rise. They are a typical tool for nation-state sponsored cyberattacks. This talk provides a background to understand this phenomenon. In particular, a historical overview is provided first. Afterwards, the core of the talk focuses on describing the (publicly known) capabilities of the main current APT groups.

        Short Bio: Jose Maria de Fuentes is Associate Professor with the Computer Security Lab, Universidad Carlos III de Madrid (UC3M) of Spain. His research interests are related to cybersecurity and data protection. He has published +50 articles in journals and conferences, having been involved in several national and European projects. He is serving as Vice-convenor of the Spanish National Standardisation Committee UNE CTN320 on cybersecurity and data protection. He is member of the Editorial Board of the Journal of Network and Computer Applications and Wireless Networks.

      • Lorena GONZALEZ-MANZANO - Poisoning attacks: vulnerabilities use case

        Abstract: The use of artificial intelligence (AI) is a worldwide spread practice and it is used in multiple services and applications. However, poisoning attacks are not really considered when using IA, and being aware of them is the first step towards protection. In this regard, this talk introduces a use case of poisoning attacks in the vulnerability detection field. A novel vulnerability detector, called VulCoT, is presented, together with their analysis under three different poisoning attacks.

        Short Bio: Lorena González Manzano is Associate Professor at the Carlos III University of Madrid (UC3M), in the Department of Computer Science within the Computer Security Lab Group (COSEC). Her career focuses on cybersecurity, having published more than 40 papers in international journals and conferences. She is member of the Editorial Board of the journals Future Generations and Computer Systems and Journal of Communications and Networks. Moreover, she has been involved in multiple R+D+i national and European projects, leading a pair of them.

    • CoaP (21/03/2024)

      As part of our series La Cybersécurité sur un plateau (Cybersecurity on a Plate), on Thursday March the 21st, we will have the following two seminars (Palaiseau, Room 3.A213, 10 am):

      • Yanis Sellami - Fault Injection Vulnerability Characterization by Inference of Robust Reachability Constraints

        Abstract: While automated code analysis techniques have succeeded in finding and reporting potential vulnerabilities in binary programs, they tend to report many false positives, which cannot be reliably exploited. This is typical in evaluations of fault injection attacks vulnerabilities as faults can create unexpected program behaviors dependent on complex initial states. As the precise setup of the initial states is hard to achieve, such faults lead code analysis techniques to report vulnerabilities that exist in theory but are infeasible in practice. Vulnerability characterization techniques are thus needed to distinguish such reports from those that come from serious vulnerabilities. Recently, Girol et al. have introduced the concept of robust reachability, a property of program inputs applied to code analysis frameworks to report only vulnerabilities that can be reproduced reliably. This is done by distinguishing inputs that are under the control of the attacker from those that are not, and by reporting only vulnerabilities that do not depend on the value of the uncontrolled inputs. Yet, this remains insufficient for distinguishing severe vulnerabilities from benign ones as robust reachability will be unable to report cases that, e.g., are easy to trigger but may not succeed in a few corner cases. To address this issue, we propose a method that leverages an abduction procedure to generate a robust reachability constraint, that is, a logical constraint on the uncontrolled inputs under which we have the guarantee that the vulnerability will be triggered. We demonstrate the vulnerability characterization capabilities of an implementation of this procedure on a fault injection attack case-study taken from FISSC. We show that our method refines robust reachability and leads to a much better characterization of the reported vulnerabilities. The methods additionally leads to the generation of high-level feedback that is easier to understand and reuse for further analysis.
        [Slides]

      • Lorena González-Manzano - Vulnerability detection under poisoning attacks

        Abstract: The complexity of current systems encourages the emergence of vulnerabilities. Detectors are developed in this regard, most of them using Artificial Intelligence (AI) techniques. However, AI is not without its problems, especially those attacks affecting the training set. In this talk a novel vulnerability detector, called VulCoT, is presented, together with their analysis under three different poisoning attacks.

    • CoaP (30/01/2024)

      As part of our series La Cybersécurité sur un plateau (Cybersecurity on a Plate), on Tuesday January the 30th, we will have the following two seminars (Palaiseau, Room 3.A213, 10 am):

      • Sara Tucci - Blockchain Consensus Protocols, from Bitcoin to Ethereum 2.0

        Abstract: Bitcoin introduced a fully decentralized, peer-to-peer consensus protocol that enables secure transaction validation in an open network, marking a departure from previous Byzantine Fault Tolerant (BFT) protocols primarily designed for closed networks. An innovative combination of cryptographic and incentive mechanisms ensures the protocol’s robustness over the years. However, it’s important to acknowledge the considerable energy consumption of Bitcoin’s Proof-of-Work mechanism, which remains a significant concern. To address these energy concerns, there have been efforts to transition to more environmentally friendly solutions, such as Proof-of-Stake BFT protocols, like Ethereum 2.0. While these newer proposals hold promise in terms of energy efficiency, they come with complexities and ongoing issues in security and incentive design. In this talk I will present the main features and differences of Proof-Stake-BFT proposals with respect to Bitcoin, to appreciate their maturity and outline open issues and ongoing research challenges.

      • Adam Oumar ABDEL-RAHMAN - A Privacy-Preserving Infrastructure to Monitor Encrypted DNS Logs

        Abstract: In the realm of cybersecurity, logging system and application activity is a crucial technique to detect and understand cyberattacks by identifying Indicators of Compromise (IoCs). Since these logs can take vast amounts of disk space, it can be tempting to delegate their storage to an external service provider. This requires to encrypt the data, so the service provider does not have access to possibly sensitive information. However, this usually makes it impossible to search for relevant information in the encrypted log. To address this predicament, this paper delves into the realm of modern cryptographic tools to reconcile the dual objectives of protecting log data from prying eyes while enabling controlled processing. We propose a comprehensive framework that contextualizes log data and presents several mechanisms to solve the outsourcing problem, allowing searchable encryption, and we apply our approach to DNS logs. Our contributions include the introduction of two novel schemes, namely symmetric and asymmetric, which facilitate efficient and secure retrieval of intrusion detection-related information from encrypted outsourced storage. Furthermore, we conduct extensive experiments on a test bed to evaluate and compare the effectiveness of the different solutions, providing valuable insights into the practical implementation of our proposed infrastructure for monitoring.
        [Slides]

    • Victor Dyseryn (21/11/2023)

      On Tuesday November 21, we welcome Victor Dyseryn, who will present his work on post-quantum cryptography. The seminar will take place in room E304, at the campus of Evry.

      Title: Balancing security and efficiency in post-quantum cryptography

      Abstract: The post-quantum transition has already begun; how is it possible to switch seamlessly to quantum resistant cryptography? Intuitively, post-quantum algorithms must resist to a much powerful attacker and this should lead to a drastic increase in communication costs and computing time. We will present how the efficiency of post-quantum cryptography has gradually improved over time at the cost of somewhat weaker security guarantees. We will then explore ways to strenghen those guarantees while keeping the overhead at a minimum.

      Short Bio: Victor Dyseryn is a PhD student in post-quantum cryptography in the XLIM laboratory at the University of Limoges, France. His research focuses on encryption and signature primitives based on error-correcting codes. He obtained his master's degree in 2020 from Ecole Polytechnique and Mines ParisTech.

    • CoaP Seminar (09/11/2023)

      As part of our series La Cybersécurité sur un plateau (Cybersecurity on a Plate), on Thursday 9 November we will have the following two seminars:

      • Vincent Thouvenot - Privacy attacks against a ResNet50 used for plane classification

        Abstract: We will explain two challenges proposed as part of the CIAD conference: a membership inference attack task and a more original forgetting attack task. We'll explain the first approaches that we used and more importantly, why they failed and the main lessons that we learned from the challenge. [Slides]

      • Matthieu Lemerre - Pas de Crash, Pas d'Exploit: Verification Automatique de Noyaux Embarqués

        Abstract: The kernel is the most critical component in terms of safety and security of many computer systems. A kernel bug can lead to a crash or to the exploitation of the entire system. It is therefore desirable to ensure that a kernel is free of bugs by using formal methods, but the high cost and expertise required to do so prevents widespread use. We propose a method to automate the verification of both runtime errors (i.e. crashes) and elevation of privileges (i.e. exploits) in embedded kernels, by directly looking at binary executables.

        The presented method makes it possible to discover a type system making it possible to check the absence of memory corruption in C code, which we will briefly discuss in this talk. [Slides]

    • Students Seminar (19/10/2023)

      The seminar will take place at 2 p.m. at the IMT/TP/TSP building. It will be followed by a cocktail at the Entrepôtes 19 (by 7 pm).

      • Agenda

        • 2 p.m.: Welcome Coffee
        • 3 p.m.: Grégory Blanc, Christophe Kiennert, Olivier Levillain - Opening
        • 3.15 p.m.: Clément Parssegny (ANSSI) - Utilisation de l'apprentissage automatique pour la détection de canaux de Command and Control
        • 3.45 p.m.: Mathieu Touloucanon (CEA) - Analyse et perçage de packers d'exécutables
        • 4.30 p.m.: Break
        • 5 p.m.: François Boutigny (Nokia) - Microservice behavior analysis for telco networks: overview and perspectives
        • 5.45 p.m.: Baptiste Polvé (SnowPack) - Au delà des techniques d'anonymisation, enjeux du déploiement des proxies
        • 6.30 p.m.: Rump Session
        • 7 p.m. (approx.): Cocktail at the Entrepôtes 19.

      • Rump Session

        • Christel Berthier - Quelques mots sur les Alumni TSP
        • Rémi Di Valentin - Présentation d'offres de stages chez Thales
        • Clément Parssegny - Reproduction automatisée d'environnements contrôlés vulérables à une faille logicielle
        • Yann Cantais - Sécurisation par contrôle d'accès réseau (NAC)
        • Quentin Michaud - Sécurité de l'exécution de workloads distribués et portables sur des appareils distants et contraints situés au far edge
        • Olivier Levillain - De l'anticipation dans la préparation d'un événement

    • LINCS seminar (18/10/2023)

      As part of our collaboration with LINCS, on Wednesday October the 18th, we will have the following seminar (Palaiseau, room 4A113, 2 pm):

      • Daniel Diaz-Lopez - Application of Chaos Engineering Techniques to Protect Cloud-based IoT Ecosystems

        Abstract: System security represents a big challenge for many organizations, and it must be specifically handled when a system is intended to be deployed in a cloud environment. Cloud environments provide multiple security services that run over a Shared Responsibility Model that requires the participation of the cloud provider and the customer. Thus, this talk presents an architecture based on Artificial Intelligence to support the finding of system threats and errors in an early stage and on Security Chaos Engineering methodology to reliably test the existence of such errors. This proposed architecture may help orientate better system designs and contribute to building holistic security. A particular use case is described to show how the proposal can be applied to protect Cloud-based IoT Ecosystems.

        Short Bio: Daniel Díaz-López holds a Ph.D. in Computer Science from the University of Murcia (Spain), is visiting professor at New York University (NYU) and assistant professor at the University of Rosario. He has been professor for more than 7 years, teaching different cybersecurity courses: Ethical Hacking, Security in the Software Development Life Cycle, Forensic Analysis and Incident Management, Threat Intelligence, Security in Enterprise Architecture, Artificial Intelligence for Cybersecurity, among others. Daniel is a cybersecurity researcher with different publications in journals and conferences around techniques for cyber threat intelligence, privacy-preserving mechanisms, secure software development lifecycle, techniques in ethical hacking, and security for the Internet of Things (IoT).


        [Recording]

    • LINCS seminar (04/10/2023)

      As part of our collaboration with LINCS, on Wednesday October the 4th, we will have the following seminar (Palaiseau, room 4A101, 2 pm):

      • Iain Burge - Toward Quantum Explainable AI: A Quantum Algorithm for Shapley Value Estimation

        Abstract: In the classical context, the cooperative game theory concept of the Shapley value has been adapted for post hoc explanations of Machine Learning models. This approach does not easily translate to eXplainable Quantum Machine Learning. Finding Shapley values can be highly computationally complex. In this joint work with Prof. Michel Barbeau (Carleton University) and Prof. Joaquin Garcia- Alfaro (Télécom SudParis), we propose a quantum algorithm which can extract Shapley values within some confidence interval. Our results perform in polynomial time. We demonstrate the validity of our approach under specific examples of cooperative voting games.

        Short Bio: Iain Burge is a research assistant at Carleton University working in the emerging field of quantum explainable AI. He has an undergraduate degree in cognitive science with a concentration in computation and minor in mathematics.


        [Recording]

    • CoaP Seminar (19/09/2023)

      As part of our series La Cybersécurité sur un plateau  (Cybersecurity on a Plate), we will have the following two seminars:

      • Quentin Michaud - WebAssembly & Security.
      • Frédéric Recoules - What's up in BINSEC? 2022-23 Edition

      The talks will take place at 10 a.m. at the IMT/TP/TSP building (room 3.A213).

      • Quentin Michaud - WebAssembly & Security

        WebAssembly (Wasm for short) is a new format of low-level bytecode coming from the Web. It allows to run code sandboxed by default, on a stack-based light virtual machine. It is claiming to bring a lot of dreams to reality : from being the successor of today's containers (by being faster, lighter and more secure), to proposing a single binary format which can be compiled from any programming language and run on any target, without depending on the OS or processor architecture. The promises of Wasm go even beyond technology and address cybersecurity with strong claims regarding the security and protection of Wasm applications. However, articles and publications showing old a new cybersecurity weaknesses inside Wasm may put these claims in doubt. This presentation will give an overview of the Wasm ecosystem, explain the inner workings of Wasm and evaluate the likeliness of its promises as of today and in the future. The promise of Wasm being the successor of containers will be reviewed in more details, both at the container level and at the container orchestrator (Kubernetes) level. The presentation will then propose an assessment of the Wasm claims concerning cybersecurity and take a deeper look at if Wasm can really present itself as an improvement of today binaries' and containers' security.

        Bio: Quentin is a last year cybersecurity student at Télécom SudParis and an intern at Thales European research lab ThereSIS, where he is studying bleeding-edge innovations in the cloud ecosystem and their potential uses for cybersecurity. He likes to improve his cybersecurity skills by creating and doing CTFs regularly, and he is consuming and contributing to several open-source projects.

      • Frédéric Recoules - What's up in BINSEC? 2022-23 Edition

        Software security analyses must often be performed at the executable code level, either because the source code is not available (e.g.: analysis of third-party components, malware or legacy code), or because very low-level attacker models are being considered (hardware or micro-architectural attacks), or because the code must be analyzed after compilation in order to prevent potential compilation bugs or to verify that protections have been properly implemented. Unfortunately, these low-level security analyses are difficult to establish and there are few specialists, hence the need to provide them with the best possible tools via dedicated automated tools.

        BINSEC is a formal binary code analysis platform developed at CEA, with a particular focus on security analysis (vulnerabilities, reverse) and the degree of guarantees provided. BINSEC offers original symbolic reasoning engines and multi-architecture support. Recent results have been obtained, for example, in automatic analysis of cryptographic primitives (resistance to covert channel attacks and micro-architectural attacks) or deobfuscation of advanced malware. However, this kind of analysis still suffers from scaling and usability problems.

        In this talk, we aim to give an overview of the latest improvements of BINSEC. These advances will be motivated and illustrated through the resolution of various security cases, including recent examples of challenges from the Cyber France Challenge 2022. In particular, we will address problems such as the optimization of a symbolic reasoning engine at the binary level or the symbolic management of self-modifying code. We will also review recent efforts to make the platform more usable (new architectures, simplified initialization, etc.).

        Bio: Frédéric Recoules graduated from INSA and Université Toulouse Paul-Sabatier in 2016, then received a PhD in Computer Science from Université Grenoble-Alpes in 2021. His area of expertises spans formal methods, low-level programming, decompilation and reverse engineering. He notably obtained an ICSE distinguished paper award and a 2nd best GDR GPL PhD award (thematic: software engineering, formal methods and programming languages) for his work on formal verification of inline assembly code. He is currently Research Engineer at CEA where he is the main developer and maintainer of the binary-level program analysis platform BINSEC. His research addresses scalability issues in symbolic analysis at binary level, vulnerability analysis and reverse engineering for security.

    • CoaP Seminar (30/05/2023)

      As part of our series La Cybersécurité sur un plateau  (Cybersecurity on a Plate), we will have the following two seminars:

      • Michaël Marcozzi (CEA) - Fine-Grained Coverage-Based Fuzzing.
      • Houda Jmila (TSP) - Analyzing the Vulnerability of Machine Learning-Based IDS to Adversarial Attacks in Cybersecurity

      The talks will take place at 10 a.m. at the IMT/TP/TSP building (room 3.A213).

      • Michaël Marcozzi (CEA) - Fine-Grained Coverage-Based Fuzzing

        Fuzzing is a popular software testing method that discovers vulnerabilities by massively feeding target applications with automatically generated inputs. Many state-of-art fuzzers use branch coverage as a feedback metric to guide the fuzzing process. The fuzzer retains inputs for further mutation only if branch coverage is increased. However, branch coverage only provides a shallow sampling of program behaviours and hence may discard interesting inputs to mutate. This work aims at taking advantage of the large body of research over defining finer-grained code coverage metrics (such as control-flow, data-flow or mutation coverage) and at evaluating how fuzzing performance is impacted when using these metrics to select interesting inputs for mutation. We propose to make branch coverage-based fuzzers support most fine-grained coverage metrics out of the box (i.e., without changing fuzzer internals). We achieve this by making the test objectives defined by these metrics (such as conditions to activate or mutants to kill) explicit as new branches in the target program. Fuzzing such a modified target is then equivalent to fuzzing the original target, but the fuzzer will also retain inputs covering the additional metrics objectives for mutation. In addition, all the fuzzer mechanisms to penetrate hard-to-cover branches will help covering the additional metrics objectives. We use this approach to evaluate the impact of supporting two fine-grained coverage metrics (multiple condition coverage and weak mutation) over the performance of two state-of-the-art fuzzers (AFL++ and QSYM) with the standard LAVA-M and MAGMA benchmarks. This evaluation suggests that our mechanism for runtime fuzzer guidance, where the fuzzed code is instrumented with additional branches, is effective and could be leveraged to encode guidance from human users or static analysers. Our results also show that the impact of fine-grained metrics over fuzzing performance is hard to predict before fuzzing, and most of the time either neutral or negative. As a consequence, we do not recommend using them to guide fuzzers, except maybe in some possibly favourable circumstances yet to investigate, like for limited parts of the code or to complement classical fuzzing campaigns.

      • Houda Jmila (TSP) - Analyzing the Vulnerability of Machine Learning-Based IDS to Adversarial Attacks in Cybersecurity

        The detection of intrusions is an important aspect of cybersecurity, as it seeks to safeguard computer systems and networks from malicious attacks. While machine learning (ML) techniques have been effective in this field, they face challenges such as the emergence of adversarial attacks that can deceive classifiers. Preventing cybercriminals from exploiting these vulnerabilities is crucial in preventing damage to data and systems. This presentation analyses the vulnerability of both deep learning and shallow classifiers, which are still widely used due to their maturity and ease of implementation, to adversarial attacks in ML-based IDS. Additionally, we explore whether adversarial attacks borrowed from computer vision pose a significant threat to IDS and to what extent realistic adversarial attacks can be generated using these methods.

    • CoaP Seminar (18/04/2023)

      As part of our series La Cybersécurité sur un plateau  (Cybersecurity on a Plate), we will have the following seminars:

      • Pierre-Elisée Flory - Comparing Private Set Intersection Various Implementations for Fraud Detection.
      • Nathanaël Denis - Integrating Usage Control into Distributed Ledger Technology for Internet of Things Privacy

      The talks will take place at 10 a.m. at the IMT/TP/TSP building (room 3.A213).

      • Pierre-Elisée Flory - Comparing Private Set Intersection Various Implementations for Fraud Detection

        Banks have to commit answering their customers' privacy concerns while complying to regulation. Sharing information on customer among a Banking consortium is an efficient way to identify fraud at an early stage but requires efficient biometrics matching algorithms to compare two id cards / biometrics template in pictures. Consortium stakeholders may also be competitors and thus need to protect their customer database. Within the Privacy Enhancing Technologies, we have assessed and compared different Secure Multi-Party Computation and in particular Private Set Intersection schemes to mitigate those risks and design a new protocol to allow privacy preserving biometrics templates matching.

      • Nathanaël Denis - Integrating Usage Control into Distributed Ledger Technology for Internet of Things Privacy

        The Internet of Things brings new ways to collect privacy-sensitive data from billions of devices. Well-tailored distributed ledger technologies (DLTs) can provide high transaction processing capacities to IoT devices in a decentralized fashion. However, privacy aspects are often neglected or unsatisfying, with a focus mainly on performance and security. In this paper, we introduce decentralized usage control mechanisms to empower IoT devices to control the data they generate. Usage control defines obligations i.e., actions to be fulfilled to be granted access, and conditions on the system in addition to data dissemination control. The originality of this paper is to consider the usage control system as a component of distributed ledger networks, instead of an external tool. With this integration, both technologies work in synergy, benefiting their privacy, security and performance. We evaluated the performance improvements of integration using the IOTA technology, particularly suitable due to the participation of small devices in the consensus. The results of the tests on a private network show an approximate 90% decrease of the time needed for the UCS to push a transaction and make its access decision in the integrated setting, regardless of the number of nodes in the network.

        This contribution is currently under review for publication in a journal.

    • Pantaleone Nespoli (04/04/2023)

      The seminar will take place at 4 p.m. at the IMT/TP/TSP building (room 3.A213).

      Pushing cybersecurity trainings to the limit: The SCORPION Cyber Range

      Abstract: During this talk, we will introduce SCORPION, a fully functional and virtualized Cyber Range to train cybersecurity competencies, which can manage the authoring and automated deployment of scenarios in a simple way thanks to a modular and extensible architecture. SCORPION includes several elements to improve student motivation, such as a gamification system with medals, points, or rankings, among other elements, which is used to improve the commitment and motivation of students with cybersecurity challenges. Such a gamification system includes an adaptive learning module that is able to adapt the cyber-exercise based on the performance of the users. Moreover, SCORPION leverages a learning analytics that collects and processes telemetric and biometric user data, including heart rate through a smartwatch, which are available through a dashboard for instructors, so that they can use them to monitor the learning of their students. Then, a case study has been developed where SCORPION obtained 82.10\% in usability and 4.57 out of 5 in usefulness from the viewpoint of a student and an instructor.


      Bio: Pantaleone Nespoli is a postdoctoral researcher working together with the Department of Information and Communication Engineering at the University of Murcia, Spain, and the SCN team of the SAMOVAR laboratory, at Institut Polytechnique de Paris, thanks to a Margarita Salas award. He received the PhD cum laudefrom the University of Murcia, Spain, and the M.Sc. degree cum laude in Computer Engineering from the University of Naples "Federico II", Italy. His PhD thesis received the Best PhD thesis award granted by the University of Murcia. Additionally, he led the Bot Buster team to the European and Mediterranean Regional Award (1,444 submissions) and received the Finalist Honorable Mention in the Ericsson Innovation Award 2018. His Master thesis was awarded the #2 prize for cybersecurity Master thesis from the Clusit(Associazione Italiana per la Sicurezza Informatica) in Italy. During his academic training, he completed two research internships, the first (one full year) at NEC Labs, Heidelberg, Germany, and the second (three months) at the Department of Information & Communication System Engineering, University of the Aegean, Greece. His research is mainly focused on cybersecurity and cyber defense, with a particular interest in the detection and response to intrusions and disinformation in social networks. Moreover, his actual research line is focusing on training professionals using Cyber Range platforms. Generally, he applies knowledge in infrastructure, technologies, data analytics, and machine learning to solve problems in cybersecurity and dual scenarios and train personnel against cybercrime.

    • Katarzyna Wasielewska (6/02/2023)

      The seminar will take place at 10 a.m. in Evry, Amphi C06.

      Network Dataset Quality Assessment with Permutation Testing

      Abstract:ML models can only be as good as the datasets they are trained on. The problem of the lack of high-quality network datasets has been mentioned many times in papers. The quality of datasets is difficult to assess, but also to define. What does it mean that a dataset is of high quality? Generally, a dataset is said to be of high quality if it meets the requirements for its intended use. In the convention of this ambiguity, I would like to introduce the PerQoDA methodology, which evaluates the dataset in terms of the relationship between observations and labels in a classification problem. This is just one aspect of the problem of assessing the quality of datasets, but it highlights its problematic nature and complexity.


      Bio: Katarzyna Wasielewska received the M.Sc. degree in computer science at the Faculty of Mathematics and Computer Science, Nicolaus Copernicus University (NCU), Torun, Poland, and the Ph.D. degree in telecommunications at the Faculty of Telecommunications, Information Technology and Electrical Engineering, UTP University of Science and Technology, Bydgoszcz, Poland. She has been awarded the Marie Sklodowska-Curie Actions Individual Fellowships (MSCA) program. She is currently a Postdoctoral Researcher at the Department of Signal Theory, Networking and Communications and researcher in the Information and Communication Technologies Research Centre (CITIC) at the University of Granada, Spain. Her research interests include cybersecurity, network security, machine learning, multivariate data analysis, and dataset quality problem. She has ten years of experience as an ISP Network Administrator.

    • CoaP Seminar (19/01/2023)

      As part of our series La Cybersécurité sur un plateau  (Cybersecurity on a Plate), we will have two seminars next January 19th, 2023. They will take place at 2 p.m. at the IMT/TP/TSP building (room 3.A213).

      Romain Ferrari, Louis Cailliot, Julie Sauzedde, Pierre-Elisée Flory - NVIDIA DOCA hackathon

      The NVIDIA DOCA hackathon took place on March 21, during NVIDIA 2022 GTC.

      The Thales team chose to build a solution upon the DPI acceleration to enable Yara rules, which are used for inspection of files downloaded from the network to identify malware and potential threats. To implement this, Team Thales used a Yara Parser to transform public Yara rules into DPI rules in a Suricata community-based format supported by the DOCA DPI lib. This solution leveraged DOCA DPI functionality to scan the files on the fly as the packets flow through the device.

      Soline Ducousso - Adversarial Reachability for Program-level Security Analysis

      Many program analysis tools and techniques have been developed to assess program vulnerability. Yet, they are based on the standard concept of reachability and represent an attacker able to craft smart legitimate input, while in practice attackers can be much more powerful, using for instance micro-architectural exploits or fault injection methods. We introduce adversarial reachability , a framework allowing to reason about such advanced attackers and check whether a system is vulnerable or immune to a particular attacker. As equipping the attacker with new capacities significantly increases the state space of the program under analysis, we present a new symbolic exploration algorithm, namely adversarial symbolic execution, injecting faults in a forkless manner to prevent path explosion, together with optimizations dedicated to reduce the number of injections to consider while keeping the same attacker power. Experiments on representative benchmarks from fault injection show that our method significantly reduces the number of adversarial paths to explore, allowing to scale up to 10 faults where prior work timeout for 3 faults. In addition, we analyze the well-tested WooKey's bootloader, and demonstrate the ability of our analysis to find attacks and evaluate countermeasures in real-life security scenarios.

      This is joint work with Sébastien Bardin and Marie-Laure Potet.

      [SCN Seminars in 2022]