Pass-The-Salt 2018 Wrap-Up Day #2

When you have a look at the schedule of infosec conferences, the number of events is already very high. There is one at least every week around the world. So, when a new one is born and is nice, it must be mentioned. “Pass-The-Salt” (SALT means “Security And Libre Talks“) is a fork of the security track of the RMLL. For different reasons, the team behind the security track decided to jump out of the RMLL organization and to create their independent event. What a challenge: to find a free time slot, to find a location, to organize a call-for-papers, to find sponsors (because the event is free for attendees). They released 200 tickets that were sold in 5 days. Not bad for a first edition, congratulations to them! The event is split across three days. It started yesterday with some workshops and talks in the afternoon. Due to a very busy agenda, I was only able to join Lille (in the north of France) yesterday evening. So, it’s not a typo but no wrap-up of the first day!

I joined the location of the conference to attend some talks in a sunny morning. After a quick registration and some coffee refills, let’s listen to speakers! A good idea was to group talks by topics (network, web security, reverse, etc). This way, if you’ve fewer interests for a specific topic, you can easily attend a workshop. The day started with talks related to network security. The first speaker was Francois Serman who’s working for the OVH anti-DDoS team. He explained with a lot of details on how to filter packets in an efficient way on Linux systems. Indeed, the traffic to be inspected is always growing and can quickly become a bottleneck. Just for the story, OVH was targeted by a 1.3Tb/s DDoS a few months ago. Francois started by reviewing the current BPF filter that is used by tools like tcpdump or Wireshark. He explained with a lot of examples how packets are inspected and decisions are made to drop/allow them. Then, he switched to eBPF (extended BPF). This issue remains almost the same because, even if iptables is powerful, it is implemented too late in the stack. Why now filter packets sooner? To achieve this, Francois presented “XDP” or eXpress Data Path.

The next talk was on the same topic with Eric Leblond from the Suricata project. He explained why packets loss is a real pain for IDS systems. Just one packet lost might lead to undetected suspicious traffic. A common problem is the “elephant flow problem” which is a very big flow like a video stream. When we face a ring buffer overrun, we lose data. He explained how to implement bypass capabilities.

After the morning break, the keynote speaker was Pablo Neira Ayuso. He presented a talk named “A 10 years journey in Linux firewall“. Pablo is a core developer of the NetFilter which is, as he explained very well, not only the well-known iptables module. He reviewed the classic iptables tool then switched to the new nftable that is much more powerful! Very interesting keynote!

The next slot was assigned to me. I presented my solution to perform full packet capture based on Moloch & Docker containers. Just after, there was a session of lightning talks (~10 presentations of 4 minutes each).

After the lunch break, the topic switched to “web security”. The first speaker was Stefan Eissing that presented “Security and Self-Driving Computers“. The title was strange but related to mod_md that implements the Let’s Encrypt certificate support directly into Apache. Then, Julien Voisin, Thibault Koechlin, Simon Magnin-Feysot presented their project called Snuffleupagus (I already saw this talk at in 2017). Due to a last-minute change, Sébastien Larinier presented his work about how to clusterize malware datasets with open source tools and machine learning.

The last part of the day was dedicated to “IAM”: Clément Oudot & Xavier Guimard presented how to integrate second-factor authentication in LemonLDAP::NG. Then Fraser Tweedale from RedHat presented “No way JOSE! Lessons for authors and implementers of open standards” and finally, Florence Blanc-Renaud closed the day with some tips to better protect your passwords and how to implement 2FA with RedHat tools.

The day ended with the social even in the center of Lille followed by a dinner with friends. See you tomorrow for the third day.