About Research Notes

This is a brief meta-note on the concept and purposes of Research Notes, and how they work for me.

I am starting a new thing named Research Notes, which is the open source fraction of my research notebook on systems internals, vulnerability discovery and exploit development: https://t.co/0SdirudpiP

And the first Research Note: “iBoot address space” https://t.co/uyyr7mtiOF

— Alisa Esage Шевченко (@alisaesage) November 9, 2019

The concept

A Research Note is a deliberately short, dry and concise conspect on a specific technical subject. In general, it has three purposes in life: mental context restoration, systematization, and reference. It is not intended as a beginner's tutorial, or a comprehensive review of the subject, or a technical walk-through of a research project, or a leisure reading. Context restoration is a real physical process used by the human brain in order to bring up semantic details (represented by complex, fine-grained, and precise memories) of a particular object/project/system from the slow and large long-term memory into the fast and flexible, but extremely short operating memory. Majority of people never have to deal with this process. If you only ever work on a single project, context restoration is never necessary, because all semantic details are immediately available in the short-term memory. If you work with several projects in rotation and no time constraints, context restoration occurs seamlessly, and may take up somewhere from several hours to a few days to switch between two unrelated projects. Context restoration becomes an issue only if you work on many semantically rich projects simultaneously, and don't have time to waste. In such operating mode the brain learns to swap out the currently unneeded information out of the short-term memory quite instantly, but is not as good at putting it back when it's needed. A Research Note is designed specifically to optimize the process of context restoration, and enable the researcher to recall all the fine details of an arbitrarily complex system in a matter of minutes instead of hours or days, by triggering key fundamental bits of information about the target system. The brain then brings up the rest of it from the long-term memory. Another purpose of a Research Note is: reference. As you go deeper in research, you obtain more and more information which doesn't officially exist. You start knowing things that can't be googled and bookmarked for further reference. And once the cross-domain scale of such information exceeds some threshold, you cannot remember it either. Research Notes introduce an somewhat optimized format of an external storage for such referencial information. Systematization, in this context, is all about optimizing information for neural storage capacity. When some bulk of information is properly systematized, it may be represented as a system: a simpler object will less entropy. It may then be reduced in size and further simplified without any loss of information. A properly systematized information becomes knowledge, and takes up less neuro-bits in storage.

Vulnerability discovery

Within the more specific context of zero-day vulnerability discovery and exploit development, Research Notes serve two goals: long-term strategic advantage and tactical determinism. Vulnerability discovery is a fast-paced and highly competitive adversarial game. The central commodity in this game - zero-day security bugs - drive the "arms race" on both sides by a set of quite powerful and ruthless properties, such as: high impact of obscurity vs. disclosure of even an atomic bit of information on the game state and rules; the extent of such impact depends on the adversary's present state of knowledge; and most famously, perishability. It is certainly possible to find a bug or a few by throwing a publicly available fuzzer at a commonly known attack vector of the target system. However, the amount of uncertainty in the result is hardly compatible with any mission-critical industrial or business process. The number of other parties in posession of the found bug is undefined, with a bias towards large numbers; time to patch is undefined, with a bias towards 0; time to exploit is undefined, and time to obtain the required knowledge of internals to evaluate time-to-exploit is undefined. Research Notes introduce determinism into all the above variables by means of maintaining the key technical pillars of vulnerability research intelligence: systems internals knowledge, semantics of commonly deployed protocols and formats, and the tiny but crucial bits of information that make all the difference in research success. Regardless of the instrument of vulnerability discovery: static analysis, fuzzing, or hybrid approaches - such knowledge is crucial for targeting deep attack vectors and discovering the bugs that will stay actual and valuable for years, as well as identifying proactively injected bugs, novel automation techniques, and completely unexplored attack venues. Strategic advantage is introduced by the fact that deep and fundamental knowledge remains largely unchainged in decades - such as deep system internals and format semantics - that Research Notes focus on.

And beyond

Clearly, the concept of Research Notes is not limited to computer systems internals and vulnerability discovery. The subject area of this project will remain open and evolving accordingly with my research interests.
❤️ Researched and shared by Alisa Esage Шевченко (contact@alisa.sh), independent security researcher, 0days.engineer, founder & research director at ZOR Security. Publication date: 01 December 2019 Last edited: 16 May 2020