How do you use technology/policy to improve citizens’ lives? Tell us about your role or organisation.
I am the technical lead for CSG’s Product Security Assessment team, which tests various products for security flaws before they are deployed in the Whole of Government (WoG) environment. I also lead the Vulnerability Research initiative which started this financial year.
As part of my work, I test mostly commercial defensive software that is going to be deployed in many WoG devices. The findings my team and I make serve to improve the product’s security, thus making a positive impact on the security of WoG.
The vulnerability research initiative that I lead conducts research on public software and hardware. For the public good, we make responsible disclosures to the vendors so that they can improve their product, thus making a positive impact on the security of Singapore’s cyber ecosystem and also globally.
What was the most impactful project you worked on this year?
That would be the Pwn2Own 2021 competition that my team and I recently took part in. For this competition, contestants are given 2 months to look for bugs in various hardware products. To win, we have to prove that we can take control of those devices.
While we didn’t win anything, we’re a relatively new team (only a few months old!) and we still managed to find some bugs in the routers and NAS devices that we researched. We developed a number of new tools, techniques and training programmes during the competition, which will be of immense value to our future research and co-workers. The tough experience also really helped the team forge stronger bonds.
What is one unexpected learning from 2021?
This is the first year where I had to lead a team. What I learnt was that things seldom go according to plan, especially when it comes to people. The important lesson for me was that, as a leader, you need to have the chops to guide them technically as required, but you should guide them with a light touch, and step in only as required.
What’s your favourite memory from the past year?
Building out the Vulnerability Research training programme for my team, which covers the different bug classes that can be encountered. To make the training more relevant, I had to find and understand n-day vulnerabilities, which are bugs that have been found and publicised by other researchers, to incorporate into my slides.
What’s a tool or technique you’re excited to explore in 2022?
Further developing the tools and training that my team and I developed during Pwn2Own.
We figured out a way to emulate hardware devices on my desktop. This will enable my team to significantly scale up our hardware research, as we can now test such hardware devices virtually on our servers. This will have a fair amount of time and cost savings, as we no longer need to maintain many physical devices for testing, and we can re-use the same servers to test different devices.
We also read up on the winning Pwn2Own entries and came up with a few new ideas on how to automatically detect those types of software bugs.
What are your priorities for 2022?
I want to improve my reverse-engineering skills. I come from a software development background, so I mostly write high-level programming code which is then compiled down to machine language. It is really a different skill to be able to read the machine language and to be able to reconstruct the original code.
Who are the mentors and heroes that inspire you?
Everyone around me, really. I observe their actions and behaviours and try to incorporate the positive ones into my life. More specifically, my team inspires me to do better. They are always showing me interesting new ways of doing things and it makes me feel like doing better myself.
What gets you up in the morning?
The alarm clock. But I hate mornings.