Career Profile
Currently working as a Security Researcher at Quarkslab, my research topics focus on embedded systems and low-level software components (bootloader, TrustZone, kernel). I am interested in hardware hacking, and I do reverse engineering and vulnerability research, mostly on Android and Linux-based systems. I am always willing to learn new things and take up new technical challenges in my spare time, with @ge0n0sis.
Experiences
- Reverse engineering low-level software components (bootloader, TrustZone, kernel) and applications shipped in proprietary embedded systems.
- Vulnerability research on Android and Linux-based systems (smartphones, set-top boxes, home routers).
- Casual Android security trainer (reverse engineering, application instrumentation and penetration testing).
- Software assessment, code audit, elementary fuzzing (afl, libFuzzer, etc.).
- Contributed to developing the back end used in IRMA (Incident Response & Malware Analysis), an open-source project partly funded by Quarkslab, and organized a lab at HITB Malaysia 2014 and HITB Amsterdam 2015.
- Developed command line wrappers for many antivirus software.
- Automated installation of Windows, Linux, several antivirus software and file analysis tools.
- Implemented debug, emulation and root detection code for software protection purposes on Android and Linux-based systems.
- Lectures and labs for computer science undergraduate and graduate students: system programming, computer design and architecture, operating systems, networks and computer security.
- Research activities on fuzzing PCI Express components on Intel chipsets, hiding backdoors and Trojans in the hardware, designing embedded system on FPGA.
- Research activities on low-level attacks abusing I/O mechanisms.
- Vulnerability research on hardware components embedded in Intel chipsets introduced by manufacturers to prevent I/O attacks.
- Developed an embedded system on FPGA for PCI Express fuzzing.
- Vulnerability research on Intel Virtualization Technology for Directed I/O (VT-d).
- Developed a toy rootkit implemented as a Linux kernel module.
Projects
I regularly contribute (fix bugs, add new features, etc.) to open-source projects. When I have time, I work on my old side projects, if not already on a new one.
Skills & Proficiency
Software Assessment
Android Security
Security Tools
Programming
Operating Systems
Education
Bilan d’Aptitude Délivré par les Grandes Écoles (Assessment of competency issued by Grandes Écoles) focusing on practical reverse engineering, malware analysis and assembly programming, based on 6-month evening classes.
Ph.D. thesis presented for defense on November 27, 2012.
- Subject: Protecting information systems against I/O attacks.
- Dissertation available online.
Degree in computer networks and telecommunications obtained on June 26, 2009.
High school diploma in science obtained with honors.
Publications & Talks
Reverse Engineering Samsung S6 SBOOT - Part II, Fernand Lone Sang, June 2017, Quarkslab’s blog. [article]
Reverse Engineering Samsung S6 SBOOT - Part I, Fernand Lone Sang, March 2017, Quarkslab’s blog. [article] [Chinese translation by seebug.org]
Exploring Android’s SELinux Kernel Policy, Fernand Lone Sang, December 2015, ge0n0sis’s blog. [article]
Recherche de vulnérabilités dans les piles USB - approches et outils, Jordan Bouyat and Fernand Lone Sang, In Proceedings of the Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC 2014), pages 305–331, Rennes (France), June 2014. [slides] [article]
A Tool to Analyze Potential I/O Attacks Against PCs, Fernand Lone Sang, Vincent Nicomette, and Yves Deswarte, Security & Privacy, 12(2):60–66, March–April 2014. [article]
Protection des systèmes informatiques contre les attaques par entrées-sorties, Fernand Lone Sang, PhD thesis, Institut National des Sciences Appliquées (INSA) de Toulouse, March 2013. Defended on November 27 2012 at LAAS-CNRS, Toulouse (France). [manuscript]
Protection des systèmes informatiques contre les attaques par entrées-sorties, Fernand Lone Sang, February 2013, CRYPTIS, Limoges (France).
La sécurité dans les couches basses du logiciel: attaques et contre-mesures, Vincent Nicomette, Fernand Lone Sang, Éric Alata, Yves Deswarte, April 2013, SSI Seminar, Rennes (France). [slides]
IronHide - Plate-forme d’attaques par entrées-sorties, Fernand Lone Sang, Vincent Nicomette, and Yves Deswarte, In Proceedings of the Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC 2012), pages 237–265, Rennes (France), June 2012. [slides] [article]
Attaques DMA peer-to-peer et contremesures, Fernand Lone Sang, Vincent Nicomette, Yves Deswarte, and Loïc Duflot, talk at the Observatoire de la Sécurité des Systèmes d’Information et des Réseaux (OSSIR) – RéSIST, January 2012. [slides]
Attaques DMA peer-to-peer et contremesures, Fernand Lone Sang, Vincent Nicomette, Yves Deswarte, and Loïc Duflot, In Proceedings of the Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC 2011), pages 147–174, Rennes (France), June 2011. [slides]
Les entrées/sorties - principes, attaques et contre-mesures, Fernand Lone Sang and Yves-Alexis Perez, Multi-System & Internet Security Cookbook (MISC), (58):25–32, November–December 2011. [article]
I/O attacks in Intel PC-based architectures and countermeasures, Fernand Lone Sang, Vincent Nicomette, and Yves Deswarte, In Proceedings of the 1st SysSec Workshop, pages 18–25, Amsterdam (The Netherlands), July 2011. [article]
Attaques par entrée-sortie et contremesures, Fernand Lone Sang, Vincent Nicomette, and Yves Deswarte, In Proceedings of the Journée Sécurité des Systèmes & Sureté des Logiciels (3SL), pages 11–13, Saint-Malo (France), May 2011. [article]
Analyse de l’efficacité du service fourni par une IOMMU, Fernand Lone Sang, Éric Lacombe, Vincent Nicomette, and Yves Deswarte, In Proceedings of the Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC 2010), pages 189–214, Rennes (France), June 2010. [slides] [article]
Exploiting an I/OMMU vulnerability, Fernand Lone Sang, Éric Lacombe, Vincent Nicomette, and Yves Deswarte, In Proceedings of the International Conference on Malicious and Unwanted Software (MALWARE 2010), pages 9–16, Nancy (France), October 2010. [article]
Trainings & Lectures
Mobile application reverse engineering, instrumentation and penetration testing techniques on Android. 2- or 5-day intensive training, in French or in English, with real malware and real vulnerabilities in public applications, by @andremoulu and me.
Course and lab for computer science graduate students on investigating a compromised Windows desktop: analysis of a network dump, analysis of a malicious PDF, and reverse engineering of a Windows shellcode and a malware sample.
Course and lab for computer science graduate students: common software vulnerabilities, modern mitigations and exploitation techniques.