Threat Research

Interview with Halvar Flake & Carrie Jung on the Reverse Engineering Challenge for Women

As cybersecurity becomes more well-known outside our industry, the hope is to draw top talent to some of the most interesting careers within the field, such as reverse engineering. Unfortunately, there is still a large imbalance between men and women in cybersecurity; especially when it comes to highly technical positions.

I am happy to say there are leaders in the community taking an interest in finding talented women who are interested in becoming reverse engineers and developing their talent. Recently, I had the pleasure of sitting down with two of those leaders, Halvar Flake and Carrie Jung, to discuss a women-only reverse engineering competition.

HB: Can you tell our readers about the competition and where people can find out more about it?

HF: The core of the competition is quite simple: we have published a piece of real-world malicious software that is obfuscated in a pretty interesting way. We encourage all up-and-coming female reverse engineers to download the file, reverse engineer it, and then submit a report explaining the obfuscation mechanism and the function of the malware itself. The author of the best report wins a free flight to Syscan 2013 in Singapore, along with the conference entry fee!

Click here to learn more about the competition:

HB: What made you want to hold this contest?

HF: I studied mathematics at university, and had a significant interest in computer science, and was always puzzled by the skewed gender ratios in these subjects. What I found even more odd was that while the majority of math students were male, the ratio in computer science was significantly more skewed. This is somewhat strange, because one would expect the ratio to be similar given the similarity between the subjects.

There was also a strange cultural skew I could not explain - in different countries, the percentage of women in math and CS fluctuates widely. When it comes to senior lecturers, by as much as a factor of 10 between neighboring countries.

I am convinced that cultural factors seem to keep women from studying these subjects in greater numbers, and I am also convinced that this is to the detriment of these fields - we really can't afford to discourage anyone that can help in solving the many interesting and deep problems we're facing, especially in reverse engineering.

So I had always thought that I should try to contribute somehow. When I heard about the Syscan's speakers honorarium, I decided that I should use it in some productive way. Reverse engineering happens to be the area I am "at home" in, and therefore I decided that a reverse engineering competition with some useful prize might be a good idea.

I was somewhat worried at first - it sometimes appears to me that any foray into gender discussions will quickly draw fire from all possible sides - and then decided that I should not let the complexity of the problem, or the complexity of the discussion, cow me into inaction. So I contacted Carrie, Shyama, and Skylar, who I have known for a while and respect tremendously. I asked them if they'd be on the jury, and if they thought the competition was a good idea. I was very happy and relieved when they agreed to be part of this.

CJ: I was honored when Halvar asked me to participate in this competition as a judge. I'm lucky to have discovered this career path since computer science and more specifically reverse engineering is not widely perceived as an option for women. If I would have told my 16 year old self what I'm doing now, I know she wouldn't believe me.

Throughout my career I have rarely encountered other women reversers. I actually met Shyama last year when we ran the New York City Half Marathon, and was excited when I learned that she was also involved with Computer Security. That doesn't happen very often.

HB: What made each of you decide to enter into this field and how can women become more interested in reverse engineering?

CJ: Reverse engineering kind of found me in a way. Growing up, the only computer classes at my school were "keyboarding" and "computer applications" (Word and Excel). My family didn't get our first computer until I was about 14 years old. I was more of a math/science kind of girl that was obsessed with numbers and patterns.

I was really obsessed with the history of cryptography, specifically during the World War II era. In some random book at the downtown library I read that the NSA would hire actuaries to break code. Since I was good at math, I now had my career path that would mix my obsession for spy novels with my love for number manipulation. But when I sat down for my intro to actuarial science class at Purdue, the message that came across was that I was going to hear about insurance for the next four years of my life, so I immediately dropped my major. Using my insanely crappy Packard Bell computer at the time, I searched for other majors that would allow me to break cryptography for the NSA, and I came across this thing called Computer Science. At that time, I had no idea how computers worked or what a computer program even was. My guidance counselor said I could become a CS major if I would take the more advanced programming class and pass. Looking back, I half wonder if she was expecting me to drop out of that class. But I passed doing better than most of my classmates. I had finally found my home!

I started down the generic computer security R&D path due to my interest in cryptography. In 2004 I was assigned to a reverse engineering project, something I had never heard of before. Then, after grad school I was asked to help out our internal security group with reversing their malware halftime and I knew at that moment that I had found my true calling.

I see reversing binaries as being similar to trying to solve a very complicated puzzle, and my mind just naturally works well in that arena. Some people might find it daunting, but you just need to look at it like trying to solve a puzzle. You start with a bunch of little pieces, soon you have several small chunks put together and eventually all of the small pieces come together and you have a complete picture of what the binary is actually trying to do. Malware is even more fun since they are purposefully trying to mess with you and make your life more difficult.

HF: I came to reverse engineering because I needed to remove a limitation in a program. I was an artsy kid - long hair, guitar, lots of cartoon drawing - and a piece of software I used did not want to save my data. I had a terrible time figuring out how to remove the limit, but I was sufficiently hooked to drop the cartooning.

I think RE is great for people that can synthesize different pieces of information well. Especially in malware analysis, the process often consists of collecting the puzzle pieces that Carrie mentioned, and then making sense of how they fit together. It is quite fascinating - when you analyze "professional" pieces of malware, you learn from them, but sometimes you laugh when you notice mistakes or bad designFurthermore, RE has awesome research areas to grow into - it's so wide-ranging. It touches almost everything that is cool in computer science: from the low-level bit-twiddling via systems design, compiler construction, to things like static analysis, theorem provers, and pretty fundamental theoretical computer science questions -- but while all of this will eventually be useful, one can get started relatively quickly.

HB: What are some great resources for women looking to become Reverse Engineers?

CJ: There are a lot of great books and online resources out there: "Practical Malware Analysis", "The IDA Pro Book", "The Rootkits Arsenal", etc. Also the RECON conference in Montreal is a great place to meet other reverse engineers and learn what's going on in the field.

However, the best way to learn how to reverse engineer is to just start doing it. Nothing can beat time and experience. Oh, and I have one final piece of advice to anyone starting out in RE. Be sure to have clearly defined goals when you first start reverse engineering your first few binaries. The sheer complexity of raw assembly can be intimidating and it can be a big help when you are starting out to have clearly defined objectives to focus on, otherwise you might drown in a sea of assembly

HF: I'd agree with Carrie on both her choice of books and the recommendation of "nothing beats time and experience". Reverse engineering is not a spectator sport - actually getting your hands dirty is, after the first shock, great fun and very rewarding.

Having a progression of problems to work on is a great idea - small & easy things to get started, and then more and more challenging problems. I have found archives from CTF competition to be a surprisingly good source of pre-graded problems, but your mileage might vary.

HB: Can you name some women you admire in RE?

HF: Oh my, there's no way to not do a disservice to some people here. In industry, clearly, Carrie Jung and Skylar Rampersaud are great reverse engineers. Sherri Sparks published really interesting work about SMM rootkits. There's also a number of female reverse engineers that work in sensitive environments away from the spotlight and that do great work there. In academia, Dawn Song has contributed heavily to the field. Recently, I found JungHee Lim's PhD thesis interesting. Oh, and we really should not forget Cristina Cifuentes, whose thesis on decompiler construction is great reading almost 20 years later, and who followed up with interesting work on binary translation and static analysis.

CJ: Hmm.....Halvar seems to have covered the major players. Unfortunately, I don't know many other women reverse engineers. When I first started getting into reverse engineering there was one person whose work I greatly admired and was influenced by. I believe his name was Halvar Flake. His research inspired me to dive deeper into the nitty-gritty bowels of binary analysis. Maybe we can put a wig on him and call him Shirley! But seriously, hopefully this contest will help bring to light more awesome women reverse engineers.

To find out more about the competition, and the corresponding malware file, please click here: