Conversation with Alexey Usanov from Positive Technologies about reverse engineering and the creation of a book on this specialization

This is the first material on the IT Picnic, which took place on September 2, 2023. There will be a separate review of the event, but for now I would like to present an interview with the head of the research direction for the security of hardware solutions at Positive Technologies, Alexey Usanov. While examining the stands at the IT Picnic, I looked at the Positive Technologies stand. There was a lecture there, I became interested in the topic and decided to listen. The lecture was devoted to reverse engineering in information security. I had previously encountered this topic only in the context of creating games: when enthusiasts make a clone of a game but have no source code or advice from the developers, only the appearance of the game and approximate ideas about what engine it was created on. It turns out that this is quite a significant area in information security. After thinking a little after the lecture, I caught up with Alexey Usanov and talked with him about reverse engineering in information security; by the way, it turned out that he wrote a whole book about it.

To begin with, I would like to explain a little what reverse engineering is. Reverse engineering is the study of a specific finished device, software and documentation accompanying the object being studied in order to understand the principle of its operation. It is clear that many who opened this interview are familiar with the term “reverse engineering”, but it is better to clarify. I hope the interview will be interesting. Enjoy reading!

Please tell us about reverse engineering. What is it?

If you translate the term reverse engineering literally, you get “engineering in reverse”. This translation very well reflects the essence of the direction itself. In normal development, we assemble something whole from some individual bricks and blocks; it doesn’t matter if it’s a program, a device, or some kind of product. When reverse engineering, our task is to understand what everything listed was made of. We take something whole and try to break it down into bricks. Example: it is important for us to understand the technical process by which the device was produced. We are interested in understanding what hardware it consists of. In addition, any device consists of firmware and the software that runs on it. We decompile the software, disassemble it, examine the program; it is important for us to understand what algorithms are inside this program.

Am I correct in understanding that reverse engineering is not divided into hardware and software?

Reverse engineering is generally one of the research methods. In fact, we are engaged in research, and reverse engineering, or reverse development, is designed to show what the object of research consists of. Therefore, it will not be possible to divide it into software and hardware. Yes, both hardware and software have their own methods and tools, but the main approach to conducting research, in my opinion, looks the same.

What is your specialization in information security directly responsible for from a reverse engineering point of view?

I am directly involved in research into the security of hardware devices. However, we must understand that modern devices are complex and represent entire information systems in themselves. As I already gave an example earlier, the device has a control microprocessor, there is firmware and software that runs on the device itself, so the specialization is still blurred.

How difficult is it to interact with vendors and manufacturers now when some vulnerabilities are found?

Interaction with vendors remains the same. Some vendors have a negative perception of finding vulnerabilities through reverse engineering, but now we live in an era when vendors are already beginning to understand that white hat hackers and reverse engineers are the people who allow them to improve their product. That’s why we see vendors starting to participate in bug bounty programs. If errors are found, they are responsibly disclosed to the vendor, and it has time to fix them. And when the issue is raised, all the researchers who have found vulnerabilities are always ready to help and offer the vendor some of their solutions to fix them. In general, my experience says that the vendor reacts normally to errors found and is ready for a constructive dialogue.

Does it ever happen that manufacturers themselves approach you with a request to check how resistant their devices are to reverse engineering hacking methods?

Yes, many vendors come on their own; they are aware that auditing the security of their solutions is an important point, and doing it on their own is often very difficult and not always correct. Here the question is not even about qualifications, but rather about the fact that checking what you have done yourself is not always correct… Well, it’s completely banal: the eye gets “blurred”.

How popular is reverse engineering among hackers and cybercriminals?

Here we need to understand whether we are talking about the information system as a whole or about reverse engineering of something specific. Oddly enough, all software is basically hacked through some kind of reverse engineering. Because if we are talking about web vulnerabilities, reverse engineering is also used there to find vulnerabilities. Essentially, reverse engineering is a basic method for finding vulnerabilities, and it is used very widely.

Tell me, do hackers often buy a device on the secondary market and then reverse engineer entire lines of this equipment?

Yes, this happens, and often. For example, sometimes manufacturers leave secrets unchanged for several generations, and the protection does not improve. Or, for example, hacking some modern device may be problematic due to the fact that more modern frameworks, updated distributions, new secure hardware microcontrollers or other components are used. However, the encryption keys may be the same as they were five years ago in a similar old device, and it turns out that the new device can be hacked like the old one, if information security specialists have not previously examined the old device.

Does this often happen when hackers use reverse engineering to restore and create entire information security systems and then try to hack existing ones?

Well, there may probably be such cases, because information security systems are actually information systems that consist of a large number of executable files, but I have not heard of such situations. And these executable files can also be examined using reverse engineering methods, and therefore, from the point of view of the process itself, you can look for vulnerabilities in some information security systems.

Have you written a book about reverse engineering? How long did it take you to write it?

Yes. Eight months.

What prompted you to write a book on reverse engineering?

I have been doing reverse engineering for fifteen years. And when I started, access to information was much more difficult than it is now. For example, information on the specifics of embedded systems research is still difficult to find, and it is very fragmented. Yes, most of the information can be found, but a normal selection of sources is very difficult. I spent a lot of time training people and I understand that I have something to tell. However, there was no list of sources about which I could say, here, take it, read it and understand whether you want to do this further, whether you are interested in reverse engineering. And it was precisely the absence of such a list that ultimately transformed into the desire to convey some of my experience, to present it in the simplest possible form for those people who do not yet know what embedded systems research is. Therefore, after reading this book, they will be able to understand whether this is interesting to them and where to get information.

Is this book more of a textbook or popular science literature? What competencies do you need to have to read it?

The book is specially written in such a way that even a reader who does not have deep knowledge of reverse engineering or digital circuitry can glean as much useful information as possible from it. Naturally, there are sections that require a greater understanding of the subject area; they are aimed at transferring knowledge that is difficult to find elsewhere. But the main part of the book is written in easy language and will be understandable to a wide range of readers.

It turns out that you put all your fifteen years of work experience into the book?

Rather, I put into it the answers to those questions to which I myself was looking for answers at one time. Naturally, the book does not contain all the information necessary to conduct hardware research. However, this is what will primarily be of interest to people who want to understand a new topic.

Are you planning a continuation of the book or a departure into deeper knowledge?

I haven’t thought about this yet, but you are not the first person to ask me this question. Therefore, I must understand what else I can usefully tell people so that it is not just a book, but one that will benefit them. As for the published book, I’m already thinking about how I can supplement and improve it, release a second edition, but this is definitely not in the next year.

Perhaps I did not fully introduce the topic of reverse engineering. However, you need to understand that I came up with the questions during the lecture. And besides, the conversation did not concern all of reverse engineering, but only its use in information security and hacking. Therefore, it is likely that I will continue the conversation with other specialists in reverse engineering, since it is used not only in information security. I will also think about what other questions I can ask Alexey Usanov after reading his book. And it is likely that there will be a second part of the interview on reverse engineering. I recommend watching the recording of Alexey’s speech from the “IT Picnic” – “How the world around us works: reverse engineering of embedded devices”. It is short, but quite informative.

By the way, at another event – OFFZone 2023 – another Positive Technologies specialist gave a lecture “No firmware – there are achievements. 15 vulnerabilities and other findings in the Mitsubishi FX5U PLC.” This lecture was also devoted to reverse engineering in information security. It’s also worth watching.

By the way, I managed to get the book; it was not difficult, and Alexey even signed it for me. I really like these things, because it’s nice to get the autograph not just of the author, but of a “combat” specialist with extensive experience.
