Self-cultivation of security researchers

Posted by barello at 2020-02-27

In my last article, "Recommended talks from this year's C3 hacker conference", I mentioned that the highlight of "Attacking Chrome IPC", in my view, is the first half. The speaker, nedwill, became known after breaking the Chrome browser at the Hack2Win competition. He talked about how to train vulnerability research skills and about his own research experience in recent years. It was very inspiring, and his suggestions are concrete enough to act on. I have read it over and over, and here is my summary, with some additions of my own.

1. Deliberate practice: 10,000 hours

This motivational principle is so well known that I won't explain it; if you are unfamiliar with it, search Baidu or read the classic book Outliers.

The author suggests setting research goals on a monthly basis. He spent six months in a row studying the Chrome sandbox, and in the end found nothing.

So persistence does not guarantee that you reach your goal, but giving up guarantees that you won't.

2. Train the two core skills of bug hunting

(1) Knowing where to look: git logs, bug reports, code quality reports for historical vulnerabilities, and so on.

(2) Recognising bugs: reading code by eye and spotting the vulnerability, i.e. code audit. This is where the difficulty lies; the training method follows below.

3. Code audit training

(1) Based on your own target, find historical vulnerability cases in that target to learn from. For example, if you want to work on Chrome, collect historical Chrome vulnerabilities.

(2) Learn the module or subsystem where the vulnerability lives, but do not read the full, detailed description of the bug; instead try to find the bug yourself in the vulnerable version.

(3) If you do not find it in (2), read the detailed description and compare it with your own audit process to see which step you missed.

(4) Repeat the exercise until you believe that finding bugs is a matter of stamina, not ability.

The fourth point is very encouraging, because after searching for a long time it is easy to doubt your own ability, and the harder the target, the harder the blow.

The first vulnerability the author trained on was the IDA vulnerability found by j00ru (a member of Project Zero), from a 2014 article.

4. A 3-5 year training plan

Years 1-2: do CTFs or wargames. There are many CTF write-ups online to learn from.

Years 2-3: easy targets, i.e. products in which bugs are relatively easy to find.

Years 3-5: hard targets.

The difficulty of a target can be read directly from the bug bounty program of the corresponding product or from its price on the private market. Pick a list of targets, sort them by difficulty, and work through them one by one.

5. Fuzzing training

After two years of code audit, the author started writing fuzzers.

(1) Take a historical vulnerability that has already been disclosed and ask yourself: how would I write a fuzzer that finds this bug?

(2) If I did not know about the bug, what would my fuzzer find?

(3) Keep repeating the exercise and improving the fuzzer; more bugs will turn up along the way.
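The exercise in steps (1) to (3), as an added example that is not from the original post or from the talk it summarises: a constructed toy TLV (type, length, value) parser with a planted length-check defect of the kind a historical write-up would describe, a structure-aware mutator written knowing the bug lives in a length field, a blind random generator standing in for the "what would I find without knowing the bug" case, and a one-byte-deletion minimiser for triaging the crash. The target, the seed, the keyword `EXPECTED_ERRORS` and all function names are assumptions made for this example.

```python
"""Constructed fuzzing exercise: take a known bug class, write a fuzzer that
finds it, then triage the crash.  The target, mutators and seed are made up."""
import random
from typing import Callable, Optional, Tuple

# --- Constructed target -----------------------------------------------------
# Toy TLV record parser with a deliberately planted length-check defect: the
# declared length is trusted when copying the value, so a length larger than
# the remaining data reads past the end of the buffer.  In C this would be an
# out-of-bounds read; in Python it surfaces as an IndexError.
def parse_record(data: bytes) -> dict:
    if len(data) < 2:
        raise ValueError("record too short")
    rtype, length = data[0], data[1]
    if rtype not in (1, 2):
        raise ValueError("unknown record type")
    # BUG (constructed): missing `if length > len(data) - 2: raise ValueError`
    value = bytes(data[2 + i] for i in range(length))
    return {"type": rtype, "value": value}

# Errors the parser is documented to raise on malformed input; anything else
# counts as a crash, the same way AFL treats an unexpected signal as a crash.
EXPECTED_ERRORS = (ValueError,)

def crashes(target: Callable[[bytes], object], data: bytes) -> bool:
    """True if `target` raises something other than its documented errors."""
    try:
        target(data)
    except EXPECTED_ERRORS:
        return False
    except Exception:
        return True
    return False

# --- Mutators ---------------------------------------------------------------
def mutate_byte(rng: random.Random, seed: bytes) -> bytes:
    """Structure-aware mutator: start from a valid record, overwrite one byte.
    This is what you write once you know the bug is in the length field."""
    buf = bytearray(seed)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def random_blob(rng: random.Random, seed: bytes) -> bytes:
    """Blind generator: random bytes of random length, ignoring the seed.
    This is the 'I know nothing about the format' fuzzer of step (2)."""
    return bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))

# --- Fuzz loop and triage ---------------------------------------------------
def fuzz(target, mutator, seed: bytes, iterations: int,
         rng_seed: int = 0) -> Optional[Tuple[int, bytes]]:
    """Run `mutator` for up to `iterations` rounds; return (round, input) of
    the first crash, or None.  A seeded RNG keeps the run reproducible."""
    rng = random.Random(rng_seed)
    for i in range(1, iterations + 1):
        data = mutator(rng, seed)
        if crashes(target, data):
            return i, data
    return None

def minimize(target, data: bytes) -> bytes:
    """Greedy one-byte-deletion minimiser: drop bytes while the crash holds."""
    i = 0
    while i < len(data):
        cand = data[:i] + data[i + 1:]
        if crashes(target, cand):
            data = cand
        else:
            i += 1
    return data

SEED = b"\x01\x03abc"  # constructed valid record: type 1, length 3, value "abc"

if __name__ == "__main__":
    print("seed parses to:", parse_record(SEED))
    hit = fuzz(parse_record, mutate_byte, SEED, iterations=500)
    print("structure-aware mutator:", hit)
    if hit:
        print("minimised crash input:", minimize(parse_record, hit[1]))
    print("blind generator:", fuzz(parse_record, random_blob, SEED, iterations=5000))
```

The structure-aware mutator finds the length-field bug almost immediately because it only has to corrupt one byte of an otherwise valid record; the blind generator has to guess a valid type byte first, which is the gap step (3) asks you to close by improving the fuzzer. The minimiser matters for the audit comparison in section 3: a two-byte crashing input makes it obvious which check is missing.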

6. Hard work usually matters more than luck or talent

Finding bugs does take a certain amount of luck and talent, but most of the people you think of as talented have simply spent 100 times more time, or more, on this research.

7. Join a team or community of researchers and learn from each other

The atmosphere for exchange overseas is better than it is domestically, and people are more willing to share.

Most of the time our own circle consists of familiar peers or colleagues, and there are few people to really exchange ideas with.

I often see people online asking how to get to know some big-name expert or hacker, but in practice it usually works the other way round:

Work on improving your own professional ability, and the circle will eventually absorb you, and you will get to know more insiders.

8. Build your own vulnerability information source

RSS subscriptions are undoubtedly the best way to do this; you have to keep collecting feeds yourself.

Many vulnerability-related blog posts expose new attack surfaces in software, so being early matters. For example the Android Stagefright MP4 vulnerabilities, the Word Equation Editor, the Adobe image converter and so on: if you notice these in time and dig in, you can often harvest many vulnerabilities.
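One way to start building such a source, as an added example that is not from the original post: a minimal keyword-filtered RSS watcher that remembers which items it has already reported, so repeated polls only surface new posts. The feed content, keywords and function names are constructed for this example; a real deployment would fetch feed URLs (for instance with urllib) and parse the returned XML the same way.

```python
"""Added example: keyword-filtered RSS watcher with a seen-set so repeated
polls only report new items.  The feed below is constructed for illustration."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set

# Constructed sample feed (RSS 2.0); titles, links and guids are made up.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example research blog</title>
<item><title>Fuzzing a media parser: lessons learned</title>
      <link>https://example.invalid/posts/1</link><guid>post-1</guid></item>
<item><title>Conference travel notes</title>
      <link>https://example.invalid/posts/2</link><guid>post-2</guid></item>
<item><title>Chrome sandbox escape write-up</title>
      <link>https://example.invalid/posts/3</link><guid>post-3</guid></item>
</channel></rss>"""

# Assumed watch list; extend it with the products you are targeting.
KEYWORDS = ["fuzz", "sandbox", "exploit", "cve-"]

def parse_rss(xml_text: str) -> List[Dict[str, str]]:
    """Return {guid, title, link} dicts for every <item> in an RSS 2.0 document.
    Falls back to the link as identifier when a feed omits <guid>."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        guid = (item.findtext("guid") or link).strip()
        items.append({"guid": guid, "title": title, "link": link})
    return items

def matches(title: str, keywords: Iterable[str]) -> bool:
    """Case-insensitive substring match of any keyword against the title."""
    text = title.lower()
    return any(k.lower() in text for k in keywords)

def new_hits(items: List[Dict[str, str]], keywords: Iterable[str],
             seen: Set[str]) -> List[Dict[str, str]]:
    """Keyword-matching items whose guid has not been seen before.
    Every item is added to `seen`, so non-matching posts are not re-checked."""
    hits = []
    for it in items:
        if it["guid"] in seen:
            continue
        seen.add(it["guid"])
        if matches(it["title"], keywords):
            hits.append(it)
    return hits

if __name__ == "__main__":
    seen: Set[str] = set()           # persist this to disk between polls
    for hit in new_hits(parse_rss(SAMPLE_FEED), KEYWORDS, seen):
        print(f"[new] {hit['title']} -> {hit['link']}")
    print("second poll, new hits:", new_hits(parse_rss(SAMPLE_FEED), KEYWORDS, seen))
```

Persisting the `seen` set between runs is what turns this from a one-off filter into a feed you can poll from cron; matching on the title alone keeps false positives low, at the cost of missing posts whose relevance is only in the body.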

9. Collect and study open-source vulnerability-hunting tools

Many excellent vulnerability-hunting tools, such as AFL, honggfuzz and libFuzzer, are worth reading the code of and learning the fuzzing ideas from, so they can be applied better in future vulnerability research.

10. Many people who shy away from research are just weighing the pros and cons

There is a chapter called "Secrets" in the book Zero to One. Vulnerability research is a way of digging for secrets. Why don't people explore secrets? The four reasons given in the book also apply to vulnerability research:

(1) Incrementalism: setting a lower goal is an easier way to get visible results;

(2) Risk aversion: people are afraid of secrets because they are afraid of being wrong. On top of that they may worry about not meeting their KPIs, or about how to split a bug bounty with the company once they get one;

(3) Complacency: many people can already enjoy their current success, so why dig for secrets at all? The domestic research scene is fond of marketing hype, there is more and more of it, and sometimes people even start believing it themselves;

(4) Flatness: anyone with ambition asks themselves, before entering a research field, "if bugs could be found here, wouldn't smarter and more skilled people in the global talent pool have found them already?" That voice of doubt has kept many people from exploring secrets and doing research, because the world seems too big for any individual to make a unique contribution.

This year, for personal reasons, I have shifted from security research to business security, knowing full well that research is not easy.

I believe that the existence of secrets in the security field will give rise to a "Mafia", but more certainly it will give rise to some excellent researchers.

Finally, I would like to pay tribute to everyone still on the road of security research with Bai Hua's poem "Boat", and share its encouragement with you:

I have had many such adventures,

From heaven to hell in only a moment:

Every lovely and gentle wave

Became a mountain that suddenly rose and then fell.

Every drop of seawater turned pale,

Though it was just as beautiful and blue;

Whirlpool entangled with whirlpool,

I was thrown high and dragged deep.

At that time I even thought of ending my life,

Before me was a sea of anguish;

Giving up hope is like giving up the tiller,

Under such violence one can only fall silent and lament.

Today I am entitled to laugh at myself,

Ashamed of yesterday's leaf-like fear;

How many years have you wasted,

The ship has struck the rocks many times,

Ten million times in the ocean,

Only to capture a little experience of life,

Then I realized,

Ah! The truth is so simple;

Are you going to set sail?

There will be thousands of demons and monsters to stop you;

Tyrannical bullying is their game,

Their only ability is to create destruction.

I was destined to meet them often,

Because my name is Boat;

Facing opponents ten million times stronger than myself,

The only way to save myself is to be sober and brave.

Fear blinds us,

And the blind can only exaggerate the devil's ferocious face;

Perhaps I look more terrible than they do,

When I fight with my life, I will never yield!

As long as my keel is intact,

I will never enter the harbor of shelter;

I stake my life on the journey,

And let courage decide the width and length of the road.

I am completely free,

The bow of the boat becomes a shovel to bury them;

I leap rhythmically in the waves,

As if on a huge swing.

Even if they finally tear me apart

Into a few broken pieces of wood,

I will not sink, never!

I can still fly on the wave.

Those who come later will recognize me from the fragments,

And the poets of the future will sing and sigh:

"Here is a happy soul,

It was once a moving ship..."