Career Profile

Currently working as a Security Researcher at Quarkslab, my research topics focus on embedded systems and low-level software components (bootloader, TrustZone, kernel). I am interested in hardware hacking, and I do reverse engineering and vulnerability research, mostly on Android and Linux-based systems. I am always willing to learn new things and take up new technical challenges in my spare time, with @ge0n0sis.

Experiences

Security Researcher

Nov. 2013 - Present
Quarkslab, Paris (France)
  • Reverse engineering low-level software components (bootloader, TrustZone, kernel) and applications shipped in proprietary embedded systems.
  • Vulnerability research on Android and Linux-based systems (smartphones, set-top boxes, home routers).
  • Occasional Android security trainer (reverse engineering, application instrumentation and penetration testing).
  • Software assessment, code audit, elementary fuzzing (afl, libFuzzer, etc.).

Software Developer

Nov. 2013 - 2015
Quarkslab, Paris (France)
  • Contributed to the development of the back-end used in IRMA (Incident Response & Malware Analysis), an open-source project partly funded by Quarkslab, and organized a lab at HITB Malaysia 2014 and HITB Amsterdam 2015.
  • Developed command line wrappers for many antivirus products.
  • Automated the installation of Windows, Linux, several antivirus products and file analysis tools.
  • Implemented debug, emulation and root detection code for software protection purposes on Android and Linux-based systems.

Postdoctoral Researcher and Lecturer

Sept. 2012 - Nov. 2013
INSA & LAAS-CNRS, Toulouse (France)
  • Lectures and labs for computer science undergraduate and graduate students: system programming, computer design and architecture, operating systems, networks and computer security.
  • Research activities on fuzzing PCI Express components on Intel chipsets, hiding backdoors and Trojans in hardware, and designing embedded systems on FPGAs.

Ph.D. Student in Computer Security

Sept. 2009 - Nov. 2012
INSA & LAAS-CNRS, Toulouse (France)
  • Research activities on low-level attacks abusing I/O mechanisms.
  • Vulnerability research on hardware components embedded in Intel chipsets introduced by manufacturers to prevent I/O attacks.
  • Developed an embedded system on FPGA for PCI Express fuzzing.

Computer Security Intern

Feb. 2009 - July 2009
LAAS-CNRS, Toulouse (France)
  • Vulnerability research on Intel Virtualization Technology for Directed I/O (VT-d).
  • Developed a toy rootkit implemented as a Linux kernel module.

Projects

I regularly contribute (fix bugs, add new features, etc.) to open-source projects. When I have time, I work on my old side projects, if not already on a new one.

IronHide - PCI Express embedded system implemented on an FPGA, used to sniff PCI Express requests, fuzz PCIe components and demonstrate the danger of backdoored hardware. It runs on Xilinx Virtex 5 and Virtex 6 FPGAs. It is closed source, but access can be granted on request.
sedump - Python utility, built on setools, to deserialize SELinux binary policies. The project is currently stalled and is being rewritten from scratch in C to address SEAndroid peculiarities.
milkymist-various - Port of milkymist (open-source system-on-chip) to the Digilent Nexys 2 and Nexys 3 FPGA development boards.

Skills & Proficiency

Software Assessment

  • Reverse Engineering
  • Fuzzing
  • Code Audit

Android Security

  • Forensic Analysis
  • Android Malware Analysis
  • Application Penetration Testing
  • Application Instrumentation [Xposed, Cydia Substrate]
  • Reverse Engineering [bootloader, TrustZone, kernel, applications]

Security Tools

  • IDA Pro
  • GDB
  • binwalk
  • Scapy

Programming

  • Python
  • C
  • C++ (notions)
  • Assembly (ARMv7, ARMv8, MIPS, x86)
  • Java / Android Applications
  • CMake

Operating Systems

  • Android
  • ArchLinux, Debian and derivatives
  • MacOS and iOS
  • Windows

Education

BADGE Reverse Engineering (syllabus)

Jan. 2015 - July 2015
ESIEA, Paris (France)

Bilan d’Aptitude Délivré par les Grandes Écoles (Assessment of competency issued by Grandes Écoles) focusing on practical reverse engineering, malware analysis and assembly programming, based on six months of evening classes.

Ph.D. in Computer Science.

Sept. 2009 - Nov. 2012
INSA & LAAS-CNRS, Toulouse (France)

Ph.D. thesis presented for defense on November 27, 2012.

  • Subject: Protecting information systems against I/O attacks.
  • Dissertation available online.

Engineering Degree

Sept. 2004 - June 2009
INSA, Toulouse (France)

Degree in computer networks and telecommunications obtained on June 26, 2009.

High School Diploma

2009
Lycée Français de Tamatave, Toamasina (Madagascar)

High school diploma in science obtained with honors.

Publications & Talks

Reverse Engineering Samsung S6 SBOOT - Part II, Fernand Lone Sang, June 2017, Quarkslab’s blog. [article]

Reverse Engineering Samsung S6 SBOOT - Part I, Fernand Lone Sang, March 2017, Quarkslab’s blog. [article] [chinese translation by seebug.org]

Exploring Android’s SELinux Kernel Policy, Fernand Lone Sang, December 2015, ge0n0sis’s blog. [article]

Recherche de vulnérabilités dans les piles USB - approches et outils, Jordan Bouyat and Fernand Lone Sang, In Proceedings of the Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC 2014), pages 305–331, Rennes (France), June 2014. [slides] [article]

A Tool to Analyze Potential I/O Attacks Against PCs, Fernand Lone Sang, Vincent Nicomette, and Yves Deswarte, Security & Privacy, 12(2):60–66, March–April 2014. [article]

Protection des systèmes informatiques contre les attaques par entrées-sorties, Fernand Lone Sang, PhD thesis, Institut National des Sciences Appliquées (INSA) de Toulouse, March 2013. Defended on November 27, 2012 at LAAS-CNRS, Toulouse (France). [manuscript]

Protection des systèmes informatiques contre les attaques par entrées-sorties, Fernand Lone Sang, February 2013, CRYPTIS, Limoges (France).

La sécurité dans les couches basses du logiciel: attaques et contre-mesures, Vincent Nicomette, Fernand Lone Sang, Éric Alata, Yves Deswarte, April 2013, SSI Seminar, Rennes (France). [slides]

IronHide - Plate-forme d’attaques par entrées-sorties, Fernand Lone Sang, Vincent Nicomette, and Yves Deswarte, In Proceedings of the Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC 2012), pages 237–265, Rennes (France), June 2012. [slides] [article]

Attaques DMA peer-to-peer et contremesures, Fernand Lone Sang, Vincent Nicomette, Yves Deswarte, and Loïc Duflot, talk at the Observatoire de la Sécurité des Systèmes d’Information et des Réseaux (OSSIR) – RéSIST, January 2012. [slides]

Attaques DMA peer-to-peer et contremesures, Fernand Lone Sang, Vincent Nicomette, Yves Deswarte, and Loïc Duflot, In Proceedings of the Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC 2011), pages 147–174, Rennes (France), June 2011. [slides]

Les entrées/sorties - principes, attaques et contre-mesures, Fernand Lone Sang and Yves-Alexis Perez, Multi-System & Internet Security Cookbook (MISC), (58):25–32, November–December 2011. [article]

I/O attacks in Intel PC-based architectures and countermeasures, Fernand Lone Sang, Vincent Nicomette, and Yves Deswarte, In Proceedings of the 1st SysSec Workshop, pages 18–25, Amsterdam (The Netherlands), July 2011. [article]

Attaques par entrée-sortie et contremesures, Fernand Lone Sang, Vincent Nicomette, and Yves Deswarte, In Proceedings of the Journée Sécurité des Systèmes & Sureté des Logiciels (3SL), pages 11–13, Saint-Malo (France), May 2011. [article]

Analyse de l’efficacité du service fourni par une IOMMU, Fernand Lone Sang, Éric Lacombe, Vincent Nicomette, and Yves Deswarte, In Proceedings of the Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC 2010), pages 189–214, Rennes (France), June 2010. [slides] [article]

Exploiting an I/OMMU vulnerability, Fernand Lone Sang, Éric Lacombe, Vincent Nicomette, and Yves Deswarte, In Proceedings of the International Conference on Malicious and Unwanted Software (MALWARE 2010), pages 9–16, Nancy (France), October 2010. [article]

Trainings & Lectures

Android Security - Reverse Engineering & App Pentesting

2015 - Present
HITB Amsterdam and private trainings for security professionals.

Mobile application reverse engineering, instrumentation and penetration testing techniques on Android. A 2- or 5-day intensive training, in French or in English, with real malware and real vulnerabilities in public applications, by @andremoulu and me.

Introduction to Reverse Engineering

2012
INSA, Toulouse (France)

Course and lab for computer science graduate students: investigating a compromised Windows desktop, including analysis of a network dump, analysis of a malicious PDF, and reverse engineering of a Windows shellcode and a malware sample.

Introduction to binary exploitation

2011 - 2013
INSA, Toulouse (France)

Course and lab for computer science graduate students: common software vulnerabilities, modern mitigations and exploitation techniques.

Interests

Hacking wargames

I sometimes do hacking wargames and help friends with CTFs. I mostly read public write-ups to keep up now as I have less and less time to solve them.

Electronics

I like to tear down electronic devices, try to understand how they work and how to hack them. Although my skills in electronics are limited, I manage to get the expected result by putting in effort and time.

Travel

I have been traveling around several countries in (East) Asia for the past few years, and I still have a lot of things and places to discover.