Interview with Davide Balzarotti, EURECOM

Tell us a bit about yourself
I am a professor and head of the digital security department at Eurecom, a university located in Sophia Antipolis on the French Riviera. I have been doing research in the system security field for more than 15 years, with a focus on binary and malware analysis, reverse engineering, computer forensics, and web security. I’ve published more than 100 scientific publications in leading conferences and journals and I served as program chair for ACSAC 2017, RAID 2012, and Eurosec 2014. I am also a recipient of an ERC Consolidator Grant which focuses on the analysis of compromised systems.
Outside academia, I have been closely involved in the CTF scene, both as a player (as part of the Shellphish team) and as an organizer (as part of the Order of the Overflow group).
As one of the founding members of the Shellphish group, can you share what the inspiration or reason behind creating it was?
As often happens in life, I was just lucky to be in the right place at the right time. In 2004 I was visiting UCSB to learn about computer security, and the professor (Giovanni Vigna) used to organize a competition for his students (which later became the iCTF). A bit for fun and a bit to test our security skills, we decided to create a team and participate in the only other competition that existed at the time: the Defcon CTF. The amazing thing is that the team still exists today, and Giovanni is still playing with them!
Why do you think it is important to teach/learn about IT security, more particularly about the areas of your research?
Security is an intrinsic property of any computer system, so you can’t do computer science without considering security as well. Well, you can, but the consequences can be tragic – it is a bit like saying that you are interested in designing bridges but you don’t care about safety.
I don’t think there is any one security field which is more important than others; it all depends on what you do and in which area you work. Personally, I consider myself a generalist – I’ve worked on many different topics over the years, so I can’t say I have a particular favorite (even though I might have a soft spot for binary analysis and reverse engineering).
If you had to pick the top security topics developer teams should be aware of, what would you choose?
Tough question, considering the main problem in security is that there are too many problems 🙂
I think for a developer, the most important thing is to learn the security mindset – to think like a hacker – and everything else will follow. Then maybe focus on how to write secure code and design secure systems, which requires some hands-on knowledge about attacks in the particular domain where the developer works. But to learn about attacks, you need to learn about the underlying techniques, about possible countermeasures… I’m telling you, it’s a rabbit hole.
What do you think are the best ways or places to teach IT security? Can university be enough, or is more needed?
University should open your mind and teach you how to learn. In security, like in many other fields, it can help students deeply understand the problems and why things are designed the way they are.
Companies often want students to know how to use specific tools – but this is not the goal of academia. Our goal is to teach the techniques, to explore what is possible and under which circumstances. But security is a huge field and in the classroom we can only scratch the surface. So to really become experts, students need to invest many, many extra hours on their own. And that’s why at the end everything boils down to passion, and to the ability of teachers to transmit passion to their students.
In your work as a security researcher, how do you see security research contributing to security awareness?
Reaching the general public is difficult, but also extremely important in a field like security where humans are often the weakest link in the chain. I think researchers should make an effort to contribute to awareness, but the role of other players is also very important. For instance, journalists and tech magazines are paramount to reaching a wider audience, but sadly they often do a very poor job in reporting scientific news, and companies should do more to raise awareness about security issues among their employees. Overall, while researchers spend their life studying very sophisticated techniques, most people are still unaware of the most basic concepts when it comes to security.
You are a member of the Order of the Overflow, and one of the group’s tasks includes organizing DefCon CTFs. Why do you think CTFs are important?
Let me give you two reasons.
First, CTFs are fun – really fun. And because of that, they are one of the most common ways people get interested in security. Plus, newbies can join existing teams, thus making new friends and learning from more experienced players.
Second, CTF challenges can be difficult – really difficult. And therefore, if well designed, they inspire players to learn new technologies, new obscure exploitation techniques, to develop new tools or master those that exist.
We all love to play a good game, and there is no better way to learn than to do so while having fun.
