Talks and CFP

Call For Proposals

Talk selection process

A call for proposal (CFP) was organized. The submission process is now closed (it was open until 31 July 2022).

Program committee

The program committee was composed of international renowned experts in the field responsible for building a program of quality. They collected the proposals and selected the most outstanding ones.

  • Julien Bachmann, Google (chair)
  • Diane Dubois, Google
  • Matthieu Estrade, Aviatrix
  • Sylvain Pelissier, Kudelski Security
  • Pasquale Stirparo, Ph.D, Dragos, Inc
  • Tobias Ospelt, Pentagrid
  • Patrick Ventuzelo, FuzzingLabs

Proposal topics

We expected an event offering a wide range of topics ranging from software security to cyber security, data protection, technical and organizational aspects of software, hardware, networks, infrastructures, systems, and others. Topics could be:

  • Application security
  • Vulnerability research
  • Penetration testing and red teaming
  • Cloud security
  • Security automation
  • Network security
  • Intrusion detection and monitoring
  • Cryptography
Specific topics such as: e-voting, e-health, e-banking, e-commerce, and wider domains such as defense, finance, industry, services, and human resources;

Talks and speakers

Opening words

Opening words by Sylvain Pasini, president of the Black Alps association, and general chair of #BlackAlps22.

Photo of

Sylvain Pasini

HEIG-VD, president of Black Alps


Improving Security Maturity with Bug Bounties

The development in IT causes systems to constantly increase in size and complexity. This leads to great problems for security teams as new attack vectors keep surfacing constantly. Building up the necessary know-how to prevent potential attacks is challenging with the limited size of internal resources.

To counteract this, Swiss Post pursues the goal of using participative security to utilize the know-how of internal and external security communities to continually improve our products.

One of these measures are bug bounty programs. With the help of bug bounties, we were able to see an overall improvement of the maturity of Swiss Posts online services over the last years.

In this talk I will show how we at Swiss Post manage our bug bounties, what we learned from our beginnings and where we are standing today.

Photo of

Martina Schwab

Head of Bug Bounty
Swiss Post

I took over the role of Head of Bug Bounty at Swiss Post a year ago after finishing my BSc of computer science at FFHS during which I supported the bug bounty team of Swiss Post and collected my first experiences in information security and ethical hacking.

The long and winding road towards secure Confidential Cloud Computing

Confidential Computing (CC) is an on the rise concept in the world of Cloud Computing that enables a powerful security model where cloud tenants are not required to trust the SW stack provided by Cloud Service Providers (CSPs), significantly reducing the risk that a vulnerability in such SW stack will affect the security of tenant’s workloads. Most CSPs are eager to adopt these new security technologies offered by CPU vendors (AMD SEV/SNP, Intel SGX, Intel TDX). However, to deploy such solutions in a truly secure way, CSPs must consider and address many aspects that the Confidential Computing technology brings.

This talk will cover the goals and the overall threat model for Confidential Computing, explain the main differences between Intel SGX and Intel TDX technologies, as well as give an overview of the main challenges that CSPs are facing now in order to deploy any of the CC technologies, how these challenges can be addressed and what we do at Intel to help CSPs on this journey.

Photo of

Elena Reshetova


Elena Reshetova is a security architect and researcher at Intel that has been working on numerous Linux security projects for the past 13 years. She holds a PhD from the Aalto university in the area of Mobile and Embedded Platform security and has been a speaker at various security conferences, such as Black Hat, Linux Security Summit and others. Her current research interests evolve around Linux kernel hardening for the confidential cloud computing. She is a security architect for Intel Linux TDX SW stack.


The Printer goes brrrr

Network printers have been featured for the first time at Pwn2Own competition in Austin 2021. Three popular LaserJet printers were included in the completion: HP, Lexmark and Canon. During the event, we (Synacktiv) managed to compromise all of them allowing us to win the whole competition. In this talk, we will focus on how we achieved code execution on the Canon printer.

Photo of

Thomas Jeunet

Thomas Jeunet is a long time pentester and now computer security researcher at Synacktiv. This research is his first publication. His main interests are vulnerability research, exploit development, and reverse engineering, particularly on exotic architecture.
Photo of

Mehdi Talbi

Mehdi Talbi, PhD, is a computer security researcher at Synacktiv. His main interests are vulnerability research, exploit development, reverse engineering, and source code auditing. Mehdi has published his work in several peer-reviewed journals (Journal in computer Virology) and magazines (Phrack). He has also presented his work at several international conferences including Infiltrate, Blackhat Europe, Virus Bulletin, SSTIC, Warcon, etc. Mehdi is one of the contributor to the Haka open source project showcased at DEF CON and Black Hat Arsenal.
Photo of

Rémi Jullian

Rémi Jullian is a computer security researcher at Synacktiv. He started working in infosec as an intrusion detection engineer for the French National Security Agency (ANSSI). He then moved to reverse engineering, working first as a malware analyst, then as a vulnerability researcher. Passionate about computer security, both on defensive and offensive aspects, he also participates during his free time in CTF. Remi has also presented his work at BotConf 2018, THCon 2021 and CanSecWest 2022.

Firmwares are Weird. A year long journey to efficient extraction.

One of the major challenges of embedded security analysis is the accurate extraction of arbitrary firmwares.

While binwalk has been the de-facto standard for firmware extraction since its early days, it proved to be limited in an environment where we needed to analyze heterogeneous firmwares from potentially malicious uploaders at scale.

In this talk we will introduce the audience to our specific use case, the limits of existing extraction tools, and how we overcame them by developing our very own firmware extraction framework, named unblob.

unblob is an accurate, fast, and easy-to-use extraction suite. unblob parses unknown binary blobs for more than 30 different archive, compression, and file-system formats, extracts their content recursively, and carves out unknown chunks that have not been accounted for. This turns unblob into the perfect companion for extracting, analyzing, and reverse engineering firmware images.

Similar to what HD Moore did 19 years ago when he started gathering exploit scripts in a single unifying framework with Metasploit, we’d like to provide reverse engineers with an easy to use and extensible framework to extract custom formats. Our hope is to provide a home to firmware reversers and help them not rewriting the same code every time they need to support a new vendor format.

Photo of

Quentin Kaiser

Quentin Kaiser is an ex-penetration tester who turned binary analysis nerd. He's currently working as a security researcher at the ONEKEY Research Lab, where he focuses on binary exploitation of embedded devices and bug finding automation within large firmware.

He recently published a body of research on eCOS offensive security and maintains the website with resources on eCOS exploitation.

Benchmarking memory allocators

Everyone and their dog is writing their own memory allocator, but nobody wrote any comprehensive benchmark to assess memory consumption, speed, security, … so this talk presents how we implemented one, as well as the associated challenges, details, anecdotes, notable allocators, and finally, the obtained results.

Photo of

Julien Voisin

I am, among other things, the dev of mat2 and snuffleupagus, ex-dev of radare2 and airsonic, sysadmin/contributor for OpenMW, overlord of, sysadmin for nos-oignons, stalkerware hunter, ...

Hardware attacks against SM4 in practice

SM4 is a block cipher developed and standardized in China. It gets more and more traction as this algorithm becomes mandatory for certain applications. Even ARMv8.4 has SM4-specific instructions.
During this talk, we will present the SM4 algorithm, how it works and ways to attack it from the hardware implementation point of view. We will show how Correlation Power Analysis (CPA) and Differential Fault Analysis (DFA) can be applied on basic implementation and allow to recover the key. Of course, all these tools will be released after the talk.

Photo of

Sylvain Pelissier

Cryptography Expert
Kudelski Security

Sylvain Pelissier is a Cryptography expert in the research team at Kudelski Security. His favorite topics are Cryptography, Hardware attacks and vulnerability research in general. He worked on security of Cryptography algorithms implementations on different platforms as well as on critical code security audits. He like playing and organizing CTFs.
Photo of

Nicolas Oberli

Security researcher
Kudelski IoT

Nicolas Oberli works as a security engineer for Kudelski IoT in Switzerland. His research focuses on embedded devices and communication protocols. In his spare time, he now spends more time designing CTF challenges than solving them. He is also one of the main developers of the Hydrabus hardware hacking tool and part of the BlackAlps security conference committee.

Generic remote exploit techniques for the PHP allocator, and 0days

Although PHP has always been deemed insecure, finding and remotely exploiting binary bugs in its core is not a well documented subject.
Through this talk, I will aim to (partially, at least) solve this problem, by describing the internals of the PHP allocator and unraveling reusable, generic exploitation techniques for PHP's heap. I'll illustrate these techniques through the exploitation of two remote code execution 0-days targeting PHP.

Photo of

Charles Fol

Charles Fol, also known as cfreal, is a security researcher at LEXFO / AMBIONICS. He has discovered remote code execution vulnerabilities targeting renowned CMS and frameworks such as Drupal, Magento, Symfony or Laravel, but also enjoys binary exploitation, to escalate privileges (Apache, PHP-FPM) or compromise security solutions (DataDog's Sqreen). He is the creator for PHPGGC, the go-to tool to exploit PHP deserialization.

The smart home I didn't ask for

What happens when your home is “smart” before you even move in? More and more buildings are pre-installing smart devices that tenants didn’t ask for and may not want. These devices focus on comfort and convenience, an excellent focus as long as security is also considered. Given the deep integration these devices have, a vulnerable system could lead to devastating consequences like the loss of privacy and even unauthorized access. As a security researcher, these were my thoughts when I saw the tablet mounted on the wall of my new apartment.

In a short period, I discovered multiple vulnerabilities in the system. A concern for sure, considering the system allows for remote access and has integration with services in my apartment and the building. This talk will cover my path, my process, and coverage of the vulnerabilities I discovered.

Photo of

Nils Amiet

Nils is a Security Researcher on Kudelski Security’s research team performing research on various topics including privacy, authentication, big data analytics, and internet scanning. He also writes blog posts on various topics for Kudelski’s research blog. Nils likes open source software and has presented his research at DEF CON and Black Hat Arsenal. He was part of creating a massively distributed system for breaking RSA public keys.

Ghidra fault emulation

Practical fault injection is a widely used technique which bypasses security measures (such as signature checks) and breaks cryptographic algorithms. Practical fault injection can be made by means of short power glitches, electromagnetic pulses, laser fault injection and other techniques. Those methods require physical access to a device, and so can be only applied after device manufacturing.
While companies perform security testing after production, there is a clear need to develop secure code during device manufacturing. This is especially true for ROM code (i.e. the hardcoded binary that can not be modified). In case any fault attack is found in the ROM code after the chip production, this vulnerability can be patched only in the following hardware revisions of the device.
To find fault attack vulnerabilities during the manufacturing phase, companies develop fault injection emulation. At first, public tools emulating faults were released to break white-box cryptography (i.e. software cryptographic algorithms masking all key operations). Those tools include Unicorn-based emulation, Qemu emulation, binary instrumentation with Intel Pin and Valgrind, and radare2 emulation. Later the tools were adapted to emulate faults in devices’ firmware, including ROM code.
The recent Ghidra reverse engineering tool offers code emulation. Ghidra code emulation can be used to simulate faults in the analysed binary. Those faults can be instruction skipping, operand modification, data modification, or more complex scenarios. In comparison with previous fault emulation tools, Ghidra is more user-friendly, and includes reverse engineering and emulation in the same environment. In addition, Ghidra supports many CPU architectures and any new CPU architecture can be added with SLEIGH language.
This talk will demonstrate how Ghidra emulation is used to simulate fault injection in some simple functions used during firmware execution and White-Box Cryptography. To illustrate the Ghidra efficiency, ARCv2 support was added (and will be publicly released during this talk).

Photo of

Roman Korkikian

Hardware and software security expert with 10+ years of industrial experience specialising in side-channel and fault attacks. Professional, creative, and flexible with academic background proven by PhD degree from École Normale Supérieure. Adept at researching and crafting breakthrough security evaluations for various clients and products. Worked for STMicroelectronics, Altis Semiconductor, NagraVision, and currently working as an independent contractor at Sony.

Some cracks in the Linux firewall

Netfilter is the well-known firewall available for Linux systems.
It is mainly known through its userland interface *iptables*, but most of its codebase resides in kernel land in order to perform hooks in the network stack.
Initially, to perform such operations, the user must have specific privileges.
Since unprivileged users are able to create new namespaces, they are able to perform new privileged operations, such as setting up a firewall.
Consequently, the attack surface on the Linux kernel is widely increased.
And, Netfilter is one of the targets for vulnerability research focusing on local privilege escalation.

The variant analysis is a recent technique that can be used to do vulnerability research on open source software.
Thanks to variant analysis, I was able to find bugs and vulnerabilities within the Netfilter subsystem of the Linux kernel.
The vulnerabilities allowed an attacker to get a privilege escalation on Ubuntu.

In this talk, I will explain how I used the variant analysis to discover two vulnerabilities, CVE-2022-1972 and CVE-2022-34918.
The techniques used to perform an information leak using CVE-2022-1972 and a privilege escalation on Ubuntu 22.04 exploiting the CVE-2022-34918.

Photo of

Arthur Mongodin

Arthur Mongodin is a security researcher at RandoriSec. He is mainly interested in performing vulnerability research on low-level software. He is playing CTF with Securimag and he is member of the GreHack organization committee.

Exploiting secrets - How leaked credentials can be exploited to gain access

The problem of publicly exposed secrets, such as API keys and other credentials, is a widespread weakness affecting organizations of all sizes. The scale of this problem was quantified in a year-long research study by GitGuardian which found 6 million secrets were leaked in public repositories on The report also showed that nearly 5% of docker images contain at least one plain text secret.
This talk will examine why secrets are so frequent in public spaces despite being a highly valuable asset and how attackers discover these credentials. Building from this we break down three recent successful attacks which all used leaked credentials, CodeCov2021, Indian Government 2020 and the Lapsus breaches of 2022. Examining each different methodology used in these we will show the different techniques attackers used to harvest and exploit credentials. Finally, we break down the different methods and tools can be used to extract secrets from source code, reviewing the pros and cons of each.

Photo of

Mackenzie Jackson

Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learned first-hand how critical it is to build secure applications with robust developer operations. Today as the Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.

NTLM relay, the attack that keeps on giving

As an attacker in a Windows environment, getting high privileges and access sensitive data often requires abusing Active Directory capabilities and its myriad of supported protocols. NTLM (New Technology Lan Manager) – the dinosaur of authentication protocols – still has many happy days ahead although there are significantly better alternatives available.

After years of abusing NTLM relay and with the rise of dedicated tools, several protocol issues have been addressed by Microsoft (PrivExchange, Drop the MIC 1 and 2, relaying to RPC, PetitPotam) and measures exist for services to enforce integrity checks and avoid relay attacks. However, due to backward compatibility and misconfigurations, this technique can be used to this day.

In this talk, we discuss vulnerabilities identified during the last two years (CVE-2020-1113 by myself and CVE-2021-26414 by another individual first) and review the remaining attack surface.

Photo of

Sylvain Heiniger

Sylvain Heiniger works as a Security Analyst for CompasS Security. He is interested in testing networks, web applications and new technologies. Sylvain Heiniger holds a MSc degree in Computer Science from the Swiss Federal Institute of Technology (ETH/EPF) in Lausanne with a Minor in Information Security.


Special discount for this talk, you will learn about two related stories for the price of one!
The first one is about how the Jenkins Security team is including Content Security Policy (CSP) in the Jenkins project without breaking everything. We will explain why CSP is appealing in terms of security and how we are envisioning its introduction in an existing (very large) project.
The second part of the talk will be on a Cross-site scripting (XSS) vulnerability we have found on a very popular dating application. This vulnerability was particularly interesting as it had the possibility to spread like a virus within the social network and the impact could have been catastrophic. We will explain how we were able to bypass their incomplete CSP configuration.

Photo of

Kevin Guerroudj

Software and Security Engineer

Recently graduated from a master in Cybersecurity, I have developed a real passion in the security of web applications. A passion that continues to grow thanks to my job but also in my free time especially through bugbounty programs but also by keeping a close eye on new CVEs.
Photo of

Wadeck Follonier

Engineering manager

Wadeck Follonier is the Security Officer of the Jenkins project (2022), and an engineering manager at CloudBees. After his Master from EPFL, he has spent his last 10 years with companies of various sizes, with a growing interest in security. When time permits, he plays with genetic algorithms and video game development.

A journey to pwn and own the Sonos One Speaker

Twice a year, ZDI organizes a computer hacking contest called Pwn2Own. It challenges security experts to exploit widely used hardware and software.

In November 2021, the contest was held in Austin and online. Synacktiv team succeeded its attacks on many devices, and won the competition.

This presentation describes the steps to gain code execution on one of the targeted device: the Sonos One Gen 2 smart speaker.

Photo of

Berard David

David Berard is a security expert in Synacktiv's reverse engineering team. He is specialized in mobile and embedded systems reverse engineering, vulnerability research and exploit development.

Vous n'écrirez plus de script Frida

De nombreuses applications malicieuses sous Android sont "packées".
La façon la plus classique de les analyser consiste à les exécuter en instrumentant quelques hooks Frida aux endroits clés, comme le chargement dynamique de code ou la construction de requêtes HTTP.
Cependant, l'écriture de hooks Frida est tantôt mal aisée, tantôt lassante.

Par conséquent, dans cette présentation, nous allons explorer deux pistes différentes :

1. L'écriture d'unpacker statiques. Nous verrons qu'ils ont leurs avantages.
2. L'utilisation d'outils qui écrivent les hooks Frida pour nous :)

Mots clés: Android, packer, Frida, Medusa

PS. Frida, c'est top !
PPS. En fait, vous écrirez surement toujours encore des scripts Frida de temps en temps, le titre était une accroche ;P

Photo of

Axelle Apvrille

Axelle Apvrille est chercheur Anti-Virus chez Fortinet, à Sophia Antipolis en France. Elle analyse tout particulièrement les virus qui ciblent les téléphones portables et les objets connectés. Elle est aussi organisatrice de Ph0wn CTF, un challenge de hacking dédié aux objets connectés. Dans une vie antérieure à Fortinet, Axelle faisait de la cryptographie, d'où elle a gardé le surnom de Crypto Girl ou @cryptax sur Twitter.

Rump session

Participants can propose short talks. Please send your talk to in pdf format

Photo of

Several speakers