5 Rules For Becoming a Successful Security Researcher
Entering the field of security research can feel overwhelming at first. Having worked with many aspiring hackers, I often hear people doubting their own potential. It usually goes like this: "I can't do any of this stuff, I'm still such a noob! I'll have to practice another 10 years, but even then, what if I'm just not smart enough?".
The truth is however that being successful at research doesn’t require any secret ninja skills or decades of experience. Follow these five general rules and you’ll be on your way.
1. Set Realistic Goals
Set realistic goals that are achievable in the available time. Make sure that your work produces tangible results, such as a tool, paper or security advisory, and aim to improve your skill set along the way.
Many security research projects involve finding exploitable bugs in software. In this case, be aware that you might end up empty-handed - the more popular the software, the more effort and time investment is required to get a realistic shot at finding anything useful.
Ten years ago it used to be easy to find browser bugs. We’d run a fuzzer on Internet Explorer for a day, the app would crash hundreds of times, and most of the work would involve searching through crash reports for exploitable conditions. With some scripting and debugging skills and a healthy dose of luck you could get a working zero day exploit within a week.
Nowadays, the low-hanging fruit have been plucked, so you’ll need to deep-dive into specific features of IE (the SVG parser, say), reverse engineer those components, or build a well thought-out fuzzer to get a shot at finding something interesting. You could easily invest a couple months into this project. Writing another generic web browser fuzzer to try and crash IE would most likely be a waste of time.
Also note that finding zero day vulnerabilities is never guaranteed in this kind of project. Make it your goal to gain a deep understanding of a certain system or architecture or to develop an effective testing framework (in the Internet Explorer / SVG example, you’d learn lots about how SVG parsers work, what kinds of bugs they might have, and how to find them). In many cases you’ll naturally find zero day vulnerabilities along the way.
Be ambitious, but realistic. If you are a beginner, pick easy targets and take the time to build up your skills, or you will soon feel overwhelmed and frustrated.
2. Learn the Basic Skills You Need (But Don’t Waste Time Learning Too Much)
In order to hack a system you first need to understand how it works. In most cases, you’ll need some basic knowledge from a variety of fields for any given research subject. For example, you won’t be able to do any serious application security research without being able to read code.
However, there is no need to go overboard with the basic know-how. No one is an expert in all processor architectures - once you know the basics of how one type of CPU works, you’ll understand other architectures quickly. Neither do you need to know all instructions supported by any specific processor architecture. Once you have the basics down, bookmark the reference manual and look up further information when required.
Researching specific programming languages, architectures and protocols will be part of every research project you do, so there’s no need to learn everything right away.
The most important rule: Start by learning the basics (how things work) instead of learning attack techniques first. The only way for you to come up with original ideas is if you understand how things work.
To get going, you should be know at least:
- Be able to read and understand all forms of code;
- Understand how code gets translated and executed on a CPU;
- Be able to write basic tools and scripts;
- Know how operating systems work;
- Fully understand TCP/IP networks.
The learning process never stops, so make sure to pick up new knowledge along the way.
3. Do Something New
Innovate instead of copying other’s work. Instead of running someone else’s fuzzer or code scanner, try to think of new ways of doing things.
Influential security expert Michael Zalewski has built his career on out-of-the-box thinking. Have a look at his website, which lists the dozens of tools, articles and books he has published over the years. From IP sequence numbers to cracking safes to the use of genetic algorithms in fuzzing, lcamtuf has tackled a huge variety of topics during the years and in most cases, he added something unique and interesting to each field.
His example shows that you don’t need to study a field for years to come up with great results. Taking a different viewpoint and exploring interesting new angles on things can also get you ahead in the game.
If you have an intuition that something might work, learn just enough about the topic so you can follow up on that suspicion. Could there be yet undiscovered, Internet-breaking attacks on packet filter (perhaps some mismatch between packet parsers)? Can neural networks be used to for blackbox analysis of binaries? Even though it might sometimes seem that everything has been done already, there’s still an infinite pool of ideas to explore.
4. Don’t Give Up Easily
There are no easy wins in security research. Researchers like i0n1c, who keep churning out groundbreaking research in a variety of fields, can do so only because they put in many hours of good, old-fashioned hard work.
The way to a working exploit is inevitably plastered with many roadblocks. Sometimes, you'll follow a thread of research for hours or even days, only to find yourself at a dead end. No useful function pointer to overwrite? Can’t inject a certain character you desperately need? Tough going, it happens all the time.
The good news is, there’s almost always some way around the problem. Don’t make the mistake of abandoning your project too early if things don’t seem to work out. Take a break to "reset" your mind, then try to look at things from a higher-level perspective. You might yet find a completely new angle to make things work.
5 Don’t Take Things Personal
The field of security research is very competitive. Many researchers link their self-worth to their perceived superiority and putting down others’ work in comments and mailing list posts is not uncommon. Don’t let yourself be drawn into these kind of discussions.
Be aware that security research can be an unthankful job: If you’re unlucky, someone might beat you to posting a vulnerability you just put a month into finding, or your conference talk might be declined in favor of another researcher speaking on the same topic. It happens to all of us! Be mindful that things like these are not the end of the world and keep on researching. If you keep doing good work, it will be recognized eventually!