DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

What Does a Cybersecurity Researcher Do, Really?

There's been a discussion on Twitter over what actually constitutes a cybersecurity researcher. Let's see if we can come to a more sound description.

Christopher Lamb user avatar by
Christopher Lamb
CORE ·
Oct. 18, 16 · Opinion
Like (1)
Save
Tweet
Share
5.30K Views

Join the DZone community and get the full member experience.

Join For Free

In the past few days, there's been a discussion on Twitter over what actually constitutes a cybersecurity researcher. It started with folks discussing the state of jailbreaking iOS 10 and from there started to meander around what exactly a cybersecurity researcher does. Let's take a look at this and see if we can come to a more sound description.

So, I see two types of cyber security researchers out there today: folks who do research into cybersecurity academically, and folks who research specific operating systems or applications for exploitable flaws. The former category usually has more letters associated with their names (i.e., Ph.D. or Professor, things like that), but the kinds of things they do is more a matter of focus rather than substance.

So what do cybersecurity researchers do? They spend lots of time studying. Lots.

Finding exploitable flaws in software is hard, and really time-consuming. I wrote a relatively high-level summary of an exploit Luca Todesco (aka qwertyoruiop) published on ghostbin a few months ago. Let's use that as an example.

This particular exploit involved a race condition that needed to be exploited to trigger a double-free condition. Go ahead and look up these terms, I'll wait.

Okay, you're back! Great. Oh, and by the way, a double-free is one of many different ways you can mess with dynamically allocated memory to attack a program. Most engineers can't write an exploitable program with a double-free condition. Imagine trying to find one, in the kernel, that you need to trigger by running a multitude of threads in very specific ways. How do you think he found this one?

Remember what I said about studying? you find this kind of bug by studying the XNU kernel source, disassembling KEXTs, and so on. Every disassembled a real program before? No? Try this:

$ otool -tvV /bin/ls > file
$ cat file

Well, now you have. Easy to follow, no? Imagine doing this over an operating system kernel.

Now, granted, you're not going to do it over the entire kernel, right? You can download the XNU source after all, but it's still not the easiest thing to follow, and some the kernel's functionality is in proprietary kernel extensions Apple provides. And those extensions, once you get your hands on them, need to be reverse engineered.

So back to Luca's exploit. It's pretty complex, and I'm pretty sure he found it by auditing the code. And this exploit is just the exploit itself - nothing's actually done with it. For it to be useful, it needs to be delivered to an iOS device, triggered, and then you need to inject a payload to take control of the device. All the export does is unlock the door; the heavy lifting's still to come.

And this payload, what does it look like? Well, I'm writing another series right now over what you can do after you capture control of a program, and in this series, I'm using shellcode. Shellcode is so named as it was originally written to give the exporting user a shell on the attacked system. It's essentially a chunk of binary instructions formatted to that they'll be executed by the program once you've gained control of the instruction pointer. You develop it by tweaking assembly code until it's doing exactly what you need in very specific ways (i.e., you can't include any null bytes). It's not super easy, as you can imagine.

And guess what, it doesn't work anymore. Hasn't for years.

Today, we use Return-Oriented Programming (ROP) to build payloads (initial ones, at least). On some platforms, you can use these ROP payloads to turn off shellcode defenses, and then you can execute injected code. On others, you can't, and the entire payload must be ROP code. What is ROP code? basically, you find binary sequences in a program you've compromised that are valid machine instructions on the platform you're attacking, and then you point the instruction pointer to those sections of code. That chunk of code (called a gadget) must include a RET instruction so you can maintain control of execution too. You chain these gadgets together into a sequence of instructions that do whatever you want done. These are easier to build today than they used to be, but they're certainly not trivial.

Okay, so far, we've studied the kernel source, both disassembled and original, we've found an exploit, written a few hundred lines to trigger it, then injected an ROP chain into the compromised program. All of this is pretty time consuming. And it requires a huge amount of know-how that you don't get for free. The knowledge is out there, and you pay for it with your time.

So, you want to be a cyber security researcher? Hit the books, hit the internet, and learn. Then apply what you've learned. That's what cyber security researchers do, and so can you. However, there are no shortcuts, so strap in for the long haul.

operating system

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Web Application Architecture: The Latest Guide
  • A Complete Guide to AngularJS Testing
  • Why Every Fintech Company Needs DevOps
  • What Should You Know About Graph Database’s Scalability?

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: