The creator of Radare2, vulnerability researcher, chef and a family man – meet Sergi Alvarez also known as Pancake!
Q: How many years have you been working in the security field?
A: I started programming BASIC in Spectrum and PC/M. Then I switched to MSDOS and assembly (TASM) as a main language. From there I started to look into viruses (with DEBUG and NO$ HACKDBG) and develop my own tools.
This was around 1998 when I was 15. Then I had to make a choice – switch to Windows and continue writing viruses and reverse engineer closed source apps or embrace Linux, switch to C and start doing free software.
I went for the 2nd.
My first job in the security field was in forensics around 2005 or so; I started developing radare there.
Q: What was your motivation for getting into the security field in the first place?
A: I always tried to follow my motto “don’t use something you can’t build by yourself or understand how it works”. This turned into a DIY attitude that pushed me into reading and writing a lot of code and, in the end, going deep into assembly. Years later I realized this had a name: “reverse engineering”.
My motivation towards security is more related to curiosity, the will to learn and discover how things work.
Q: What was the first vulnerability you found?
A: I’m not a bug-hunter – I find most of the vulnerabilities by accident when programming, finding strange behaviours or crashes and then going deeper with a debugger to understand the crash.
I don’t recall which was the first vulnerability I found because I was more in the mood of fixing them to improve the software.
Probably the first vulnerabilities I found were in websites in PHP, CGIs or insecure NFS setups.
Q: How did you feel when you found the vulnerability? (In 2015 you published 2 vulnerabilities in Apple products – CVE-2015-7004 and CVE-2015-5902)
A: At first I thought the vulnerability was only affecting the Intel platform, because I spotted it when adding support for hardware watchpoints in r2 for Mac.
Just passing the wrong buffer to the debug regset was producing a system reboot, without having to do anything as root or so. So I installed Mac in a VM and used the kernel debugger to inspect the issue and found out the DR7 register was not properly filtered, so it was possible to force an exception at ring0; this is a DoS.
Without being able to get code execution it was a bit frustrating at first, so I decided to report it to Apple (via NowSecure) before they released the new OS. It was really annoying to get random reboots while debugging the debugger plugin of r2. So, in the meantime, I decided to write a patch in memory.
Apple was prompt in its response and pushed a new beta update for macOS for me to try. The issue was fixed, and I used r2 to bindiff the two kernels and see how they solved the problem. To my surprise, I ended up receiving two CVEs, one for iOS and another for Mac.
Finding bugs is usually a rollercoaster of emotions, starting with hope and happiness and followed by a bunch of ups and downs while understanding the way it can be exploited or abused and finishing with the way it is published and fixed.
Q: Did someone help you?
A: No. But I appreciate that NowSecure, the company I work for, allowed me to spend some time on this issue to analyze it properly, write a blogpost and bridge my communication with Apple to report the issue properly.
Q: How many vulnerabilities have you found so far?
A: I have found vulnerabilities in png, zip, magic, Ruby, GRUB, GnuPG and many other projects. I reported all of them, but never got any CVE, didn’t even ask for them; some were fixed in git but they have been in stable LTS distros for years, others got ignored completely, so I went for full disclosure.
In addition, I have found vulnerabilities in highway network adaptors, Bluetooth devices, and routers. But I don’t really have a list or count them.
Q: What is your field of expertise in vulnerability research?
A: When I was participating in the Defcon CTF, my role was as a reverser and patcher. That is, taking a binary, analyzing it statically, and doing some tests with netcat with the debugger attached. Most of the time, just patching the sizes of all the calls to mallocs and stackframes was enough to stop attackers from getting your tokens.
I take security seriously in radare2. I have defined a bunch of rules for coding which aim to define some good standards; identifying bad patterns or misuse of API calls is useful when finding vulnerabilities.
I have also been doing fuzzing, which is part of the development cycle of r2; sometimes finding bugs in r2 helps you find bugs in other tools, parsers or even the kernel.
Q: Is there some security research field that you always wanted to learn but never had a chance?
A: Exploiting is one field I would like to explore in more detail, I know all the basics and such, but never really went serious into that.
Q: Where do you work today?
A: I work at NowSecure, a mobile security company headquartered in Chicago with offices in DC and Seattle. My position as a remote mobile security researcher helps me maintain a flexible and productive schedule without office or train trips. I help with writing internal tools to enhance the products and perform manual analysis on mobile apps to detect more vulnerabilities as well as extract better metrics to find data leaks at scale on mobile. Where possible and when it aligns with company objectives I spend my time improving r2.
Q: What would be your dream job? pure research? exploit development? relaxing at the beach?
A: Relaxing desperates me, but it’s necessary at some point. Knowing myself I tend to get bored if I just do one thing, so I like to be able to jump from research to development. Having time for radare2 and also learning new stuff and doing presentations.
Q: You are a very experienced researcher and you had the opportunity to participate in many security conferences. What is your favorite security conference?
A: I tend to enjoy small conferences with close people and with focus on technical stuff, big ones are fun, but you end up meeting random people and staying with the same people all the time and not having time for talks.
Right now my favourites are Malcon, Warcon and r2con. But I have recently discovered some of the community in Japan and I think there are plenty of interesting conferences in Asia, which is a new world for me because I’ve been in many conferences in Europe and US, and my experience says that non-English speaking countries tend to have a large set of hackers doing great stuff without exporting that because of shyness or the language barrier.
Q: What kind of lectures do you like to attend or listen to?
A: At the beginning I was attending all of them, but I ended up only having interest in low level technical talks on reverse engineering, exploiting, vulnerability research, etc, but only the ones that really go deep in details.
Q: How do you choose your lecture topics?
A: I did talks about several topics in the past, mainly about the stuff I was playing with at the moment. To list some… Viruses, Bitcoin, Bluetooth, fuzzing, programming, reversing.
My last talks have been focused on radare2. Aiming to spread the word using practical examples instead of boring theory. But always showing new content and trying to make self-contained slides, to make them useful for the reader without having to watch the recordings.
Q: What do you love most in conferences? (conference events – CTF / hacking village / Hack the badge, drinking parties etc)
A: I’m off the CTF and camping scene for a long time already, but I mostly love to meet people, code or reverse stuff together and discuss ideas or projects. Sharing knowledge with laptops and beers in a comfy place is always welcome.
Q: What is the most exotic place you attended a security conference at?
A: Probably not too far to be considered exotic but I have pretty good memories of a private con I was organizing by renting a whole hotel in the first line of the beach in a town of Catalonia. It was about 40 people sharing a single space with peers and children for 3 days, using the kitchen and drinking near the beach at night and doing random improvised talks until late.
Q: In which country have you been surprised by the size / quality of the security community?
A: Germany is probably one of the countries with higher ratio of hackers per population. The community around CCC is huge and the way it’s organized is impressive. But outside the CCC there are also many good communities and hackers I met there.
Poland and Japan are also countries with high hacker ratio populations. Just think that the visits to radare.org from the city of Tokyo alone are higher than all the visits from the whole of Russia.
Q: In your opinion, how did the international security community change in the past 5 years?
A: In the past 5 years there has been an increase in conferences: public and private ones. Vulnerabilities only show up with logos, funky names and even music.
5 years ago, the word cyber was not used at all. Also the blackhat scene has been reduced and the crime has increased.
I have also noticed an increase of girls coming to security conferences or even organizing their own cons.
All those changes shaped the community by making it more visible and open. And the renewal of blood with new people coming to the scene.
Q: Could you please tell us about the Spanish security community?
A: There are a lot of security conferences in Spain, from small and private to big and public, some international and others local.
What I could say is that there are very good hackers, but they are not known because of the language barrier or laziness, some prefer not to do talks, etc.
By hackers I mean malware researchers, reverse engineers, forensic analysts, penetration testers, … I think the Spanish scene led in the NFC, ATM hacking, phreaking, virii, and cracking scenes in the good old times.
Q: How has the Spanish security community changed in the past 5 years?
A: There are new conferences every now and then, organized by companies, by the community or even by the government. The change I’ve observed is a renewal of blood in the community; most of the hackers of my generation are having kids and jobs. This takes time and results in attending fewer events, doing less personal research and therefore doing fewer talks or less interesting/deep ones.
In 2006 you decided to create a tool to recover deleted files from a MacBook G3 – and that’s how radare was created.
Today Radare2 has a lot of components:
- Hexadecimal Editor
- Assembler / Disassembler
- Support for a lot of file formats
- Static / Dynamic Analysis
- Hash / Entropy / BinDiffing
- Debugger / Emulator
- ROP Finder / Payload Generator
Q: Which part was the most complex to develop?
A: The most complex parts of r2 are probably io and anal. When I developed radare I focused on features, so I didn’t care about design. That’s why I decided to develop radare2 with a focus on modularity.
The IO layer is the lowest layer, everything needs to access data in physical or virtual mode, with overlapping maps, from different files which can be local or remote, some have restrictions about alignments, the cache abstraction, and all the algorithms associated to make this work as fast as possible and reduce memory copies.
The analysis was also difficult to develop, there are many ways to analyze code and there’s always a trade-off about quality of results, memory usage and performance. And doing multiple passes, recursively, tracking the emulation events, auto detecting local variables and types of arguments. And in addition, handle all architectures with a single analysis loop.
Q: How many users use radare2 today?
A: In the Telegram channel there are about 700 users, which is linked to an IRC channel that has about 400 users. This can help as an estimation because r2 is not tracking the users by sending anything to my servers and I don’t track visitors on the website. GitHub and Twitter can also be used as an estimation, but the feeling is that the interest is growing and there are new users almost every day.
According to Twitter, it’s over 9000!
Q: Who is the target audience for radare2?
A: R2 is a framework, a set of libraries and tools that can be used interactively or in batch mode. It’s easy to modify and tweak for your needs, so it makes it perfect for people reverse engineering weird samples for bizarre architectures.
Some get into r2 to classify malware samples, others to solve crackmes.
The problems of radare are the following: it’s not for beginners because the terminal scares new kiddies (too dark I guess, Cutter the Qt GUI is probably going to fill this gap), nor for professionals (who are already used to other tools and have their own custom and private stuff on top of it).
So most people that are joining r2 usually use it in competitions (CTF) where they need a handy and flexible tool that can be modified and already handles fucked up binaries without failing.
But also people who are willing to learn new ways to do things, improve their workflows or just not depend on privative solutions to solve their reversing needs.
Q: What is the difference between IDA PRO and radare2 (without the fact that radare2 is free)?
A: There are more differences than just the license and pricing.
Radare2 is not just a disassembler, it started as a simple replacement for EnCase. radare2 is a powerful hexadecimal editor and provides easier ways to modify, extend and script it.
Another major difference is the CLI – the CLI in Radare2 is the main component, whereas in IDA it is the GUI. Developing for CLI is usually faster, more portable and easier to test. This enables people to use r2 in servers, sandboxes, embedded devices, etc.
The good part of being free is that we can’t change our ABIs and APIs and no one will complain. The amount of refactorings and api breakages we have done in r2 can’t be applied to a commercial tool which needs to ensure its customers can keep using the scripts safely. We can fix functions and deprecate apis faster.
Analysis is handled pretty differently: IDA has one analysis loop for each architecture, so it can be more precise and faster in some situations compared to radare2. There’s a lot of work to be done in r2 to improve analysis and most people just run ‘aa’ and expect to have all the analysis done to get all xrefs. In r2 you need to understand each analysis command and know when and where to use it to get proper results.
Scripting is way easier and more languages are supported for radare2 thanks to r2pipe; as long as IDA doesn’t have a command line interface, this concept can’t be applied there. This makes r2 easily embeddable inside IDA, but not the other way around.
The workflow is also pretty different: people who use r2 usually come from UNIX environments, and IDA users tend to come from Windows. Those are different interfaces, different targets and different workflows to use the tools. This is probably the most confusing part for users coming from IDA.
And last but not least, r2 has a pseudo decompiler which is pretty poor but is useful sometimes to get a quick overview. It also supports snowman, retdec, boomerang and other decompilers, but none of them is as good and powerful as the one from HexRays.
Q: Do you know of any cool projects that people did using radare2?
A: I’ve heard of people using r2 to classify malware, emulating portions of the code to decrypt strings.
Q: If I’m new to security / forensics and want to learn how to use radare2 – where should I start?
A: I think that the best way to learn about r2 is to watch one introductory talk, take the book and read the sections of your interest. There are many talks available on YouTube.
My experience by teaching is that people need from 2h to 2 days to get the basics and 2 weeks of daily use to be fluent with it. The learning curve is steep but imho pays off after the first barrier.
You are a Sexy Pandas team member and participate in the DEF CON CTF.
Q: What is your expertise as a CTF player?
A: I was focusing on reversing and binary patching the services to fix the vulnerability or change its behaviour, so other teams would not be able to take your tokens that easily.
Q: What kind of challenges do you like?
A: I like reversing binaries, to find vulnerabilities or just to understand what it does and how it works. That’s probably the kind of challenges I am more comfy with.
Q: What is so special about the DEF CON CTF?
A: The DEFCON CTF has been famous because of the amount of international teams and the level of the prequalification competitions – which is one of the largest.
Also, it was famous because it was the most realistic CTF, with few rules to limit the players, but lately the competition switched to being less realistic and more talent-oriented, by having to implement new tools to analyze code for an imaginary architecture with totally unrealistic vulnerabilities.
I found an interview you gave back in 2015. The interviewer asked you about CatHack!. I didn’t know you were a member of a hacktivist group.
And then I found this – https://hackstory.net/CatHack
Q: Could you please tell us about CatHack! ?
A: Sure, we were a bunch of guys with common interests on politics/activists and technical stuff.
Q: What was the goal of the group?
A: Our goal was to learn and share information about hpcva in Catalan. Some of our articles were translated to French or English and the topics went from a course of assembly programming or exposing different techniques of infections to discussions on politics or web hacking, exploiting, etc.
At the time there were a lot of e-zines (online magazines) that were originally distributed in plain text with tons of ascii art via BBS like the 29A, SET, RareGazz, ... but we started to publish a bit later, right after InfoVia(R).
Q: Team members?
A: They are all listed in the index of the e-zines; the core was about 4 people and we ended up being like 10 with random contributions for the e-zine.
Q: How did you meet?
A: We all met in the IRC, but we did some real life meetings to have some beers and discuss about some recent vulnerabilities or techniques.
Q: What activities have been carried out?
A: As a group we just did an e-zine (10 numbers) and helped with the organization of the first Hackmeeting in Spain (that happened in Barcelona)
Q: Are you still in touch with the group members?
A: Yes, we started as a group of friends with common interests and we built some friendship around it.
Q: I saw that one of the things CatHack! did was publish a newsletter with technical details. How was information gathering in the 90’s?
A: It was actually more interesting than nowadays; a lot of information was available via BBS or FTPs, most of that info was readable in 78 column terminals and the chats via talk in random servers were a cool way to meet people and learn about stuff.
People were posting much more detailed analysis and technical reports than the ones that are available nowadays, which are basically technical specifications, overviews and proof of concepts.
Books have barely been an option; there were some good books to read, like to learn C, Java or Perl. But there were no paper publications on reversing, exploiting, forensics or viruses. Some magazines reached the kiosks, but didn’t last too long.
Q: Was it hard to find technical research?
A: All the information was organized by categories with directories available in websites, ftps, and random CDROMs. It was more centralized.
Q: What were the main topics back then?
A: There were a lot of MS DOS virus writing and analysis tutorials, as well as reversing and cracking for Windows with SOFTICE and such. Phreaking was a trend and everybody was playing with phone boxes in the street to get free calls or do wardialings to discover modems and get an anonymous connection by bruteforcing the PAP authentication. Also, there were articles about exploiting unix services and showing vulnerabilities on CGIs commonly found in Solaris or HP-UX systems.
r2con is a relatively new conference – who is the target audience?
A: This year (2017) was the 2nd edition. I try to keep the congress public, but familiar and close. The audience is mainly technical people. There are no political or legal talks, and only low level stuff is permitted, as long as it’s related to radare2.
Q: What is the focus in the conference? vulnerability research? Reverse engineering?
A: I think that nowadays there are tons of conferences, but most of them cover a large list of topics, and the most technical ones are usually private, where you have more time to explain the details without caring about partners getting angry.
The focus of r2con is on radare2. Anything that can be done with radare2 fits inside the congress: vulnerability research, exploiting, reversing, kernel debugging, binary diffing, remote debugging, etc. The only requirement is that it must be done with r2 🙂
Q: How complex is it to organize a hackers conference? – do you have any funny stories?
A: It seems easier when you haven’t organized any. I’m quite a perfectionist and get lost in details. And as long as there’s no core team organizing the event, only volunteers join randomly and help in what they can.
This works as long as I carry all the coordination and do most of the tasks, and then supervise everything, but after the first day, the stress usually goes down because of the ambient and the volunteers who help in everything and make the event more fluent than I think a few days before.
Q: Do you pay for well-known security researchers to come and give a lecture in the conference?
A: Nope, r2con aims to be a community conference, everyone pays part of the cake, for now I have managed to pay for 2 dinners to all speakers, free beers and breakfasts, video recordings, pizzas for everyone, a bunch of prizes, free merchandising for the entrance during 4 days for 50 euros.
I still have room to pay stuff to the speakers, but not enough to pay flights and hotels, but people seem to be happy with this model, and I prefer to keep partners, investors and companies away from the congress, in order to keep the close feeling.
Q: How do you choose the lectures / workshops to be in r2con?
A: Luckily I had only to cancel talks that were unrelated to the congress (pentest or politics), didn’t have to cancel any talk yet; having a 4 day congress gives enough room to let everyone show their toys.
You are mobile security analyst at NowSecure
Q: What does it mean to be a security analyst?
A: Being a security analyst means that I have to be aware of the risks and security problems that appear day after day and prioritize the research of new features appearing in new apps, versions of OS or devices. While at the same time automating analysis, writing blog posts and processing the information to make it accessible to the customers and users out there.
Q: What does your day-to-day work look like?
A: I work in the R+D team, this means that I analyze security risks or vulnerabilities for mobile applications and then develop tools to detect them or extract information and bypass protections or verification checks.
As long as I work from home and for a company located -6h, this means that I can spend my morning planning the day without being sleepy or having to take the train. I usually do this while reviewing the mail, pending chats, Twitter and fixing some issues or implementing new stuff in r2.
Having an atypical work schedule doesn’t work for everyone, but it does for me. I usually stay late at night doing stuff for work, but I prefer that because I have fewer distractions. We usually work by chat but we have video-conferences every week. And at least for me, that works better than having to wake up early in the morning and having physical meetings or IRL co-worker interruptions.
Q: Are you still looking for vulnerabilities in your free time?
A: Nope, I did that when I was unemployed and had more time to play with this. Right now I only do that in r2.
Q: What’s the single most important piece of advice you would want to give for someone seeking out a career in the security field?
A: Read technical information even if you don’t understand all the concepts. Most of the ideas come by combining concepts you know with ones you didn’t understand at the time, but gave you an idea for a different application. Also, you will learn faster when you start to join the dots.
Don’t be afraid to get dirty by modifying and playing with code or binaries.
Q: What are your hobbies?
A: The line that divides my job and my hobby is quite blurry, but when I stay away from the keyboard I like to play with my daughter, draw, practice more about cooking vegetarian recipes or learning about fishes and fish tanks.
It was a pleasure, Sergi, to talk to you