Differential Fault Analysis on White-box AES Implementations

With the Differential Computation Analysis (DCA) presented at CHES 2016, we have shown that side-channel techniques developed to break hardware cryptographic implementations can be adapted successfully to break white-box implementations. In this post, we will explore another class of hardware attacks: fault injections and how to apply them on white-box implementations.

more ...


Internship offers at Quarkslab for the 2016-2017 season

EDIT: All positions are filled

Every year, we are looking for young and adventurous students, with promising skills, eager to dig deeper into the field of security through its more technical side. The topics we propose are complex, challenging and will require a lot of efforts and sweat. But in the end, you will get the satisfaction to have learned a lot about security. All this without emphasizing enough the opportunity to work with the sometimes weird but always amazing Qb crew, especially when it comes to humour or training a Padawan.

All trainings are to be done in our main office in Paris, France. We encourage remote working, but that does not apply to trainings where the Padawans need to be among the team. That means the applier will need to have the proper visa to work with us if required.

Last but not least, we usually train Padawans so that they remain with us once the training period is done, even if that does not mean the training is over :)

more ...


Security Assessment of VeraCrypt: fixes and evolutions from TrueCrypt

Quarkslab made a security assessment of VeraCrypt 1.18. The audit was funded by OSTIF and was performed by two Quarkslab engineers between Aug. 16 and Sep. 14, 2016 for a total of 32 man-days of study. A critical vulnerability, related to cryptography, has been identified. It has been introduced in version 1.18, and will be fixed in version 1.19.

more ...

Back from CppCon 2016

Quarkslab was present at CppCon 2016, presenting general thoughts on the C++ optimization process and how much the so-called zero-cost abstraction relied on the compiler implementation, and not on the standard. Now comes a humble report from this great event!

more ...


Arybo: cleaning obfuscation by playing with mixed boolean and arithmetic operations

Obfuscation is made of many different tricks. One we meet very often is mixed instructions who make computations mixing usual arithmetic (ADD, SUB, MUL, DIV) and boolean one (XOR, AND, NOT, OR). All tools get lost when it comes to cleaning this kind of very messy blocks of instructions, and that is why we designed Arybo. With Arybo, analyzing such expressions become way more easy.

more ...


Xen exploitation part 2: XSA-148, from guest to host

This blog post describes the exploitation of Xen Security Advisory 148 (XSA-148) [1] (CVE-2015-7835). It has been discovered by Shangcong Luan of Alibaba and publicly disclosed in October 2015. At the time, we were working on writing an exploit and no public proof of concept nor exploit were available. Today, the security researcher responsible of the vulnerability disclosure has given a public talk [6] and will give conferences explaining his approach [7]. We decided to publish this blogpost anyway because our exploitation strategy is a little bit different.

more ...