TEDxColumbus

Chris Domas: The 1s and 0s behind cyber warfare

October 10, 2013

Chris Domas is a cybersecurity researcher, operating on what’s become a new front of war, "cyber." In this engaging talk, he shows how researchers use pattern recognition and reverse engineering (and pull a few all-nighters) to understand a chunk of binary code whose purpose and contents they don't know.

Chris Domas - Cybersecurity researcher
Chris Domas is an embedded systems engineer and cybersecurity researcher.

This is a lot of ones and zeros.
00:12
It's what we call binary information.
00:14
This is how computers talk.
00:17
It's how they store information.
00:19
It's how computers think.
00:21
It's how computers do
00:22
everything it is that computers do.
00:24
I'm a cybersecurity researcher,
00:26
which means my job is to sit
down with this information
00:28
and try to make sense of it,
00:31
to try to understand what all
the ones and zeroes mean.
00:32
Unfortunately for me, we're not just talking
00:35
about the ones and zeros
I have on the screen here.
00:37
We're not just talking about a
few pages of ones and zeros.
00:39
We're talking about billions and billions
00:42
of ones and zeros,
00:44
more than anyone could possibly comprehend.
00:46
Now, as exciting as that sounds,
00:48
when I first started doing cyber —
00:50
(Laughter) —
00:53
when I first started doing cyber, I wasn't sure
00:54
that sifting through ones and zeros
00:56
was what I wanted to do with the rest of my life,
00:58
because in my mind, cyber
01:00
was keeping viruses off of my grandma's computer,
01:02
it was keeping people's Myspace
pages from being hacked,
01:06
and maybe, maybe on my most glorious day,
01:09
it was keeping someone's credit
card information from being stolen.
01:11
Those are important things,
01:15
but that's not how I wanted to spend my life.
01:17
But after 30 minutes of work
01:19
as a defense contractor,
01:21
I soon found out that my idea of cyber
01:23
was a little bit off.
01:25
In fact, in terms of national security,
01:27
keeping viruses off of my grandma's computer
01:29
was surprisingly low on their priority list.
01:31
And the reason for that is cyber
01:34
is so much bigger than any one of those things.
01:36
Cyber is an integral part of all of our lives,
01:40
because computers are an
integral part of all of our lives,
01:42
even if you don't own a computer.
01:45
Computers control everything in your car,
01:47
from your GPS to your airbags.
01:50
They control your phone.
01:52
They're the reason you can call 911
01:53
and get someone on the other line.
01:54
They control our nation's entire infrastructure.
01:56
They're the reason you have electricity,
01:59
heat, clean water, food.
02:01
Computers control our military equipment,
02:03
everything from missile silos to satellites
02:05
to nuclear defense networks.
02:07
All of these things are made possible
02:11
because of computers,
02:12
and therefore because of cyber,
02:14
and when something goes wrong,
02:16
cyber can make all of these things impossible.
02:17
But that's where I step in.
02:21
A big part of my job is defending all of these things,
02:22
keeping them working,
02:25
but once in a while, part of my
job is to break one of these things,
02:27
because cyber isn't just about defense,
02:29
it's also about offense.
02:31
We're entering an age where we talk about
02:34
cyberweapons.
02:35
In fact, so great is the potential for cyber offense
02:37
that cyber is considered a new domain of warfare.
02:40
Warfare.
02:43
It's not necessarily a bad thing.
02:45
On the one hand, it means we have a whole new front
02:47
on which we need to defend ourselves,
02:50
but on the other hand,
02:52
it means we have a whole new way to attack,
02:53
a whole new way to stop evil people
02:55
from doing evil things.
02:57
So let's consider an example of this
02:59
that's completely theoretical.
03:01
Suppose a terrorist wants to blow up a building,
03:03
and he wants to do this again and again
03:05
in the future.
03:07
So he doesn't want to be in
that building when it explodes.
03:08
He's going to use a cell phone
03:11
as a remote detonator.
03:13
Now, it used to be the only way we had
03:15
to stop this terrorist
03:17
was with a hail of bullets and a car chase,
03:19
but that's not necessarily true anymore.
03:21
We're entering an age where we can stop him
03:24
with the press of a button
03:25
from 1,000 miles away,
03:26
because whether he knew it or not,
03:28
as soon as he decided to use his cell phone,
03:30
he stepped into the realm of cyber.
03:32
A well-crafted cyber attack
could break into his phone,
03:35
disable the overvoltage protections on his battery,
03:38
drastically overload the circuit,
03:40
cause the battery to overheat, and explode.
03:42
No more phone, no more detonator,
03:44
maybe no more terrorist,
03:47
all with the press of a button
03:48
from a thousand miles away.
03:50
So how does this work?
03:52
It all comes back to those ones and zeros.
03:54
Binary information makes your phone work,
03:56
and used correctly, it can make your phone explode.
03:59
So when you start to look at
cyber from this perspective,
04:03
spending your life sifting through binary information
04:05
starts to seem kind of exciting.
04:08
But here's the catch: This is hard,
04:11
really, really hard,
04:13
and here's why.
04:15
Think about everything you have on your cell phone.
04:17
You've got the pictures you've taken.
04:20
You've got the music you listen to.
04:22
You've got your contacts list,
04:24
your email, and probably 500 apps
04:25
you've never used in your entire life,
04:27
and behind all of this is the software, the code,
04:30
that controls your phone,
04:34
and somewhere, buried inside of that code,
04:35
is a tiny piece that controls your battery,
04:38
and that's what I'm really after,
04:40
but all of this, just a bunch of ones and zeros,
04:42
and it's all just mixed together.
04:46
In cyber, we call this finding a
needle in a stack of needles,
04:47
because everything pretty much looks alike.
04:51
I'm looking for one key piece,
04:53
but it just blends in with everything else.
04:55
So let's step back from this theoretical situation
04:58
of making a terrorist's phone explode,
05:01
and look at something that actually happened to me.
05:03
Pretty much no matter what I do,
05:06
my job always starts with sitting down
05:07
with a whole bunch of binary information,
05:09
and I'm always looking for one key piece
05:11
to do something specific.
05:13
In this case, I was looking for a very advanced,
05:15
very high-tech piece of code
05:17
that I knew I could hack,
05:18
but it was somewhere buried
05:19
inside of a billion ones and zeroes.
05:21
Unfortunately for me, I didn't know
05:23
quite what I was looking for.
05:25
I didn't know quite what it would look like,
05:26
which makes finding it really, really hard.
05:28
When I have to do that, what I have to do
05:31
is basically look at various pieces
05:33
of this binary information,
05:35
try to decipher each piece, and see if it might be
05:37
what I'm after.
05:39
So after a while, I thought I had found the piece
05:40
I was looking for.
05:42
I thought maybe this was it.
05:43
It seemed to be about right, but I couldn't quite tell.
05:45
I couldn't tell what those
ones and zeros represented.
05:47
So I spent some time trying to put this together,
05:50
but wasn't having a whole lot of luck,
05:53
and finally I decided,
05:55
I'm going to get through this,
05:56
I'm going to come in on a weekend,
05:58
and I'm not going to leave
05:59
until I figure out what this represents.
06:01
So that's what I did. I came
in on a Saturday morning,
06:02
and about 10 hours in, I sort of
had all the pieces to the puzzle.
06:05
I just didn't know how they fit together.
06:08
I didn't know what these ones and zeros meant.
06:10
At the 15-hour mark,
06:12
I started to get a better picture of what was there,
06:15
but I had a creeping suspicion
06:17
that what I was looking at
06:19
was not at all related to what I was looking for.
06:21
By 20 hours, the pieces started to come together
06:23
very slowly — (Laughter) —
06:26
and I was pretty sure I was going down
06:30
the wrong path at this point,
06:31
but I wasn't going to give up.
06:33
After 30 hours in the lab,
06:35
I figured out exactly what I was looking at,
06:38
and I was right, it wasn't what I was looking for.
06:40
I spent 30 hours piecing together
06:43
the ones and zeros that
formed a picture of a kitten.
06:45
(Laughter)
06:47
I wasted 30 hours of my life searching for this kitten
06:49
that had nothing at all to do
06:53
with what I was trying to accomplish.
06:55
So I was frustrated, I was exhausted.
06:57
After 30 hours in the lab, I probably smelled horrible.
07:01
But instead of just going home
07:04
and calling it quits, I took a step back
07:06
and asked myself, what went wrong here?
07:09
How could I make such a stupid mistake?
07:11
I'm really pretty good at this.
07:13
I do this for a living.
07:15
So what happened?
07:16
Well I thought, when you're
looking at information at this level,
07:18
it's so easy to lose track of what you're doing.
07:21
It's easy to not see the forest through the trees.
07:24
It's easy to go down the wrong rabbit hole
07:26
and waste a tremendous amount of time
07:28
doing the wrong thing.
07:30
But I had this epiphany.
07:31
We were looking at the data completely incorrectly
07:33
since day one.
07:36
This is how computers think, ones and zeros.
07:38
It's not how people think,
07:40
but we've been trying to adapt our minds
07:41
to think more like computers
07:43
so that we can understand this information.
07:45
Instead of trying to make our minds fit the problem,
07:47
we should have been making the problem
07:49
fit our minds,
07:51
because our brains have a tremendous potential
07:52
for analyzing huge amounts of information,
07:54
just not like this.
07:57
So what if we could unlock that potential
07:58
just by translating this
08:00
to the right kind of information?
08:01
So with these ideas in mind,
08:04
I sprinted out of my basement lab at work
08:05
to my basement lab at home,
08:07
which looked pretty much the same.
08:08
The main difference is, at work,
08:10
I'm surrounded by cyber materials,
08:12
and cyber seemed to be the
problem in this situation.
08:14
At home, I'm surrounded by
everything else I've ever learned.
08:16
So I pored through every book I could find,
08:20
every idea I'd ever encountered,
08:22
to see how could we translate a problem
08:23
from one domain to something completely different?
08:25
The biggest question was,
08:28
what do we want to translate it to?
08:30
What do our brains do perfectly naturally
08:32
that we could exploit?
08:34
My answer was vision.
08:36
We have a tremendous capability
to analyze visual information.
08:38
We can combine color gradients, depth cues,
08:41
all sorts of these different signals
08:44
into one coherent picture of the world around us.
08:45
That's incredible.
08:48
So if we could find a way to translate
08:49
these binary patterns to visual signals,
08:50
we could really unlock the power of our brains
08:53
to process this stuff.
08:55
So I started looking at the binary information,
08:57
and I asked myself, what do I do
08:59
when I first encounter something like this?
09:00
And the very first thing I want to do,
09:02
the very first question I want to answer,
09:04
is what is this?
09:05
I don't care what it does, how it works.
09:06
All I want to know is, what is this?
09:09
And the way I can figure that out
09:11
is by looking at chunks,
09:13
sequential chunks of binary information,
09:15
and I look at the relationships
between those chunks.
09:17
When I gather up enough of these sequences,
09:20
I begin to get an idea of exactly
09:22
what this information must be.
09:24
So let's go back to that
09:26
blow up the terrorist's phone situation.
09:28
This is what English text looks like
09:30
at a binary level.
09:32
This is what your contacts list would look like
09:33
if I were examining it.
09:36
It's really hard to analyze this at this level,
09:37
but if we take those same binary chunks
09:39
that I would be trying to find,
09:41
and instead translate that
09:43
to a visual representation,
09:44
translate those relationships,
09:46
this is what we get.
09:48
This is what English text looks like
09:50
from a visual abstraction perspective.
09:52
All of a sudden,
09:54
it shows us all the same information
09:55
that was in the ones and zeros,
09:57
but shows it to us in an entirely different way,
09:58
a way that we can immediately comprehend.
10:00
We can instantly see all of the patterns here.
10:02
It takes me seconds to pick out patterns here,
10:05
but hours, days, to pick them out
10:08
in ones and zeros.
10:10
It takes minutes for anybody to learn
10:11
what these patterns represent here,
10:13
but years of experience in cyber
10:15
to learn what those same patterns represent
10:17
in ones and zeros.
10:18
So this piece is caused by
10:20
lower case letters followed by lower case letters
10:22
inside of that contact list.
10:24
This is upper case by upper case,
10:25
upper case by lower case, lower case by upper case.
10:27
This is caused by spaces. This
is caused by carriage returns.
10:30
We can go through every little detail
10:32
of the binary information in seconds,
10:34
as opposed to weeks, months, at this level.
10:37
This is what an image looks like
10:40
from your cell phone.
10:42
But this is what it looks like
10:44
in a visual abstraction.
10:45
This is what your music looks like,
10:47
but here's its visual abstraction.
10:48
Most importantly for me,
10:51
this is what the code on your cell phone looks like.
10:52
This is what I'm after in the end,
10:56
but this is its visual abstraction.
10:58
If I can find this, I can't make the phone explode.
11:00
I could spend weeks trying to find this
11:03
in ones and zeros,
11:05
but it takes me seconds to pick out
11:06
a visual abstraction like this.
11:08
One of the most remarkable parts about all of this
11:11
is it gives us an entirely new way to understand
11:14
new information, stuff that we haven't seen before.
11:17
So I know what English looks like at a binary level,
11:20
and I know what its visual abstraction looks like,
11:22
but I've never seen Russian binary in my entire life.
11:25
It would take me weeks just to figure out
11:28
what I was looking at from raw ones and zeros,
11:30
but because our brains can instantly pick up
11:33
and recognize these subtle patterns inside
11:34
of these visual abstractions,
11:37
we can unconsciously apply those
11:39
in new situations.
11:41
So this is what Russian looks like
11:42
in a visual abstraction.
11:44
Because I know what one language looks like,
11:45
I can recognize other languages
11:47
even when I'm not familiar with them.
11:49
This is what a photograph looks like,
11:50
but this is what clip art looks like.
11:52
This is what the code on your phone looks like,
11:54
but this is what the code on
your computer looks like.
11:57
Our brains can pick up on these patterns
11:59
in ways that we never could have
12:01
from looking at raw ones and zeros.
12:03
But we've really only scratched the surface
12:06
of what we can do with this approach.
12:08
We've only begun to unlock the capabilities
12:10
of our minds to process visual information.
12:11
If we take those same concepts and translate them
12:15
into three dimensions instead,
12:17
we find entirely new ways of
making sense of information.
12:18
In seconds, we can pick out every pattern here.
12:22
We can see the cross associated with code.
12:24
We can see cubes associated with text.
12:26
We can even pick up the tiniest visual artifacts.
12:28
Things that would take us weeks,
12:30
months to find in ones and zeroes,
12:32
are immediately apparent
12:35
in some sort of visual abstraction,
12:36
and as we continue to go through this
12:39
and throw more and more information at it,
12:40
what we find is that we're capable of processing
12:42
billions of ones and zeros
12:44
in a matter of seconds
12:47
just by using our brain's built-in ability
12:48
to analyze patterns.
12:51
So this is really nice and helpful,
12:53
but all this tells me is what I'm looking at.
12:55
So at this point, based on visual patterns,
12:58
I can find the code on the phone.
12:59
But that's not enough to blow up a battery.
13:01
The next thing I need to find is the code
13:04
that controls the battery, but we're back
13:06
to the needle in a stack of needles problem.
13:07
That code looks pretty much like all the other code
13:09
on that system.
13:12
So I might not be able to find the
code that controls the battery,
13:14
but there's a lot of things
that are very similar to that.
13:16
You have code that controls your screen,
13:18
that controls your buttons,
that controls your microphones,
13:20
so even if I can't find the code for the battery,
13:22
I bet I can find one of those things.
13:24
So the next step in my binary analysis process
13:26
is to look at pieces of information
13:29
that are similar to each other.
13:30
It's really, really hard to do at a binary level,
13:32
but if we translate those similarities
to a visual abstraction instead,
13:36
I don't even have to sift through the raw data.
13:40
All I have to do is wait for the image to light up
13:42
to see when I'm at similar pieces.
13:45
I follow these strands of similarity
like a trail of bread crumbs
13:47
to find exactly what I'm looking for.
13:50
So at this point in the process,
13:53
I've located the code
13:55
responsible for controlling your battery,
13:56
but that's still not enough to blow up a phone.
13:58
The last piece of the puzzle
14:00
is understanding how that code
14:02
controls your battery.
14:05
For this, I need to identify
14:06
very subtle, very detailed relationships
14:08
within that binary information,
14:10
another very hard thing to do
14:12
when looking at ones and zeros.
14:14
But if we translate that information
14:16
into a physical representation,
14:17
we can sit back and let our
visual cortex do all the hard work.
14:20
It can find all the detailed patterns,
14:23
all the important pieces, for us.
14:24
It can find out exactly how the pieces of that code
14:26
work together to control that battery.
14:29
All of this can be done in a matter of hours,
14:32
whereas the same process
14:35
would have taken months in the past.
14:36
This is all well and good
14:39
in a theoretical blow up a terrorist's phone situation.
14:40
I wanted to find out if this would really work
14:43
in the work I do every day.
14:46
So I was playing around with these same concepts
14:49
with some of the data I've looked at in the past,
14:52
and yet again, I was trying to find
14:55
a very detailed, specific piece of code
14:57
inside of a massive piece of binary information.
15:00
So I looked at it at this level,
15:03
thinking I was looking at the right thing,
15:05
only to see this doesn't have
15:07
the connectivity I would have expected
15:09
for the code I was looking for.
15:11
In fact, I'm not really sure what this is,
15:13
but when I stepped back a level
15:15
and looked at the similarities within the code
15:16
I saw, this doesn't have similarities
15:18
like any code that exists out there.
15:20
I can't even be looking at code.
15:22
In fact, from this perspective,
15:24
I could tell, this isn't code.
15:27
This is an image of some sort.
15:29
And from here, I can see,
15:31
it's not just an image, this is a photograph.
15:32
Now that I know it's a photograph,
15:35
I've got dozens of other
binary translation techniques
15:37
to visualize and understand that information,
15:40
so in a matter of seconds,
we can take this information,
15:42
shove it through a dozen other
visual translation techniques
15:45
in order to find out exactly what we were looking at.
15:47
I saw — (Laughter) —
15:51
it was that darn kitten again.
15:52
All this is enabled
15:56
because we were able to find a way
15:57
to translate a very hard problem
15:58
to something our brains do very naturally.
16:00
So what does this mean?
16:03
Well, for kittens, it means
16:05
no more hiding in ones and zeros.
16:07
For me, it means no more wasted weekends.
16:09
For cyber, it means we have a radical new way
16:12
to tackle the most impossible problems.
16:15
It means we have a new weapon
16:18
in the evolving theater of cyber warfare,
16:20
but for all of us,
16:22
it means that cyber engineers
16:24
now have the ability to become first responders
16:25
in emergency situations.
16:27
When seconds count,
16:30
we've unlocked the means to stop the bad guys.
16:31
Thank you.
16:34
(Applause)
16:36

Chris Domas - Cybersecurity researcher

Why you should listen

Chris Domas is a cyber-security researcher at the Battelle Memorial Institute. He specializes in embedded systems reverse-engineering (RE) and vulnerability analysis, figuring out how to manipulate electronic devices. Applying this towards national security, his group develops cyber technology that protects people on the newest front of global war.

Domas graduated from Ohio State University, where he set out to take every class offered by the school. He bounced between majors in electrical engineering, physics, mathematics, mechanical engineering, biology, chemistry, statistics, biomedical engineering, computer graphics, psychology, and linguistics, but finally ran out of money and was forced to graduate. Settling on a degree in computer science, with an irrelevant handful of minors, he joined Battelle as a cyber security researcher. Today, he strives to incorporate ideas from these disparate fields to tackle the world’s most challenging cyber problems in innovative and unexpected ways. As a result of his work, he received Battelle’s coveted 2013 Emerging Scientist and 2013 Technical Achievement awards. He continues to present research around the country, most recently at the cyber security conferences Black Hat, REcon and DerbyCon.


The original video is available on TED.com
Data provided by TED.
