Summary of "SpaceRaccoon - From Day Zero to Zero Day (Ep.120)"

Episode summary

Short technical focus, tips, and resources from an episode featuring Eugene “SpaceRaccoon” Lim and his upcoming book From Day Zero to Zero Day — a practical primer on vulnerability research aimed at bug-bounty researchers moving into binary / vulnerability research.

Sponsor & purchase

Sponsor/product: ThreatLocker User Store — a zero‑trust / last‑mile UX improvement that pre‑approves and preloads trusted apps (e.g., open a sketchy PDF in Adobe Acrobat instead of a sketchy reader) to reduce friction for defenders/operators.
Book: published by No Starch Press. Use discount code zerodaydeal for 30% off.
A free chapter (Binary Taxonomy) is available online.

Core technical concepts and practical takeaways

Focus of the book
- Emphasis on discovery — how to find your “first bug” — rather than deep exploit development.
- Practical approaches and tooling to reach vulnerable functions (source ⇄ sink thinking), not low‑level exploitation tricks.
Mapping code to attack surface
- Play the “find the endpoint” game: identify client endpoints, map them to server code, then inspect adjacent routes/features.
- Expand the attack-surface view beyond HTTP (WebRTC, postMessage, other browser APIs, custom protocols).
Source vs. sink strategies
- Use judgment: source-first (trace inputs forward) when you have source; sink-first (identify suspicious functions and trace backward) when the codebase is huge or you’re reverse engineering.
- Know both common sources and sinks available in the target environment.
Taint analysis (manual & automated)
- Translate academic taint-analysis concepts into practical discovery: trace input propagation, model sanitizers, and use graph/CodeQL-style queries to scale discovery.
Automated variant analysis
- CVEs often appear in patterns. After finding a vulnerability, search for variants across libraries/codebases to batch-find more targets.
Binary taxonomy
- Binaries are heterogeneous: Electron/Node (easy to unpack), Java/Android (decompilable), Go/native (harder).
- Choose the right approach: unpack, decompile, emulate, or dynamic debug.
Hybrid binary analysis
- Combine static (decompilers, IDA/Ghidra) and dynamic (Frida, debuggers) techniques.
- Use symbolic/concolic tools (e.g., angr) to bridge static and dynamic analysis for better reach and focus.
Frida and runtime hooking
- Frida works beyond mobile — useful on Windows/macOS to hook common OS APIs and observe/modify behavior without fully reversing everything.
Patching binaries as a pragmatic option
- When debugging/emulating is hard, simple binary patches (flip a bit) can unlock flows or gadgets needed for research.
Fuzzing
- Quick & dirty (dumb) fuzzing still finds many bugs — great for rapid starts and live events.
- Coverage‑guided (smart) fuzzing requires harnesses and setup but reaches deeper application logic; applies to binaries, mobile, and web endpoints with proper instrumentation.
- “Fuzz everything”: JSON, HTTP, file parsers, image formats, etc., are all valid targets.
- Consider LLMs to help identify fields/IDs and craft more intelligent fuzz payloads for web contexts.
LLMs & tooling for source review
- Large-context models (Cursor, GitHub Copilot, Gemini) can help traverse codebases, connect endpoints, and suggest source⇄sink paths.
- There’s product opportunity for security-first code navigation (source/sink analysis, pathway exports).
Responsible disclosure / ethics
- The book covers disclosure practices, community responsibilities, and the potential impact of public vs. private findings (including CVE program considerations).

IoT / hardware case study (smart weighing machine)

Multidisciplinary flow demonstrated in the episode:

Discover networking of the device (Wi‑Fi / Bluetooth / cloud).
Get serial/UART access; determine baud rate (hardware quirks possible).
Extract firmware/secrets (certificates, serials) from device memory or local databases.
Abuse device→cloud protocol to control the device or cloud data — often the highest-impact remote vector.

Practical pitfall mentioned: - Cheap/faulty USB‑TTL adapters (e.g., CP21xx/CP2102) can return gibberish. Swapping to a reliable FT232 adapter resolved the issue.

Note: Non‑English resources (Chinese/Japanese) can be high value for niche products/protocols.

Practical actionable items / quick guides

Read the free Binary Taxonomy chapter to pick the right approach for a binary: unpack/decompile vs. dynamic analysis.
When you have source: play “find the endpoint” — map endpoints to functions, then examine adjacent routes/features.
For very large codebases: prioritize sink-first discovery for suspicious code paths, then trace inputs back. Use bookmarks or tooling to mark pathways.
Start fuzzing immediately with dumb fuzzers; escalate to coverage‑guided fuzzers with harnesses for deeper work.
Use Frida and OS API hooks to inspect desktop apps without fully reversing stripped binaries.
For IoT, prioritize device→cloud communication for scalable remote impact; use UART/serial to extract secrets when possible.
Use LLM-assisted tools (Cursor, Copilot, Gemini) to speed source-code navigation and source⇄sink analysis.

Tools & technologies mentioned

Static & reverse tools: IDA, Ghidra, decompilers, CodeQL
Symbolic/concolic analysis: angr
Dynamic instrumentation: Frida
Debugging/hooking: debuggers (IDA-like debuggers, platform debuggers)
Fuzzing: dumb fuzzers and coverage-guided fuzzers (harnesses, instrumentation)
Hardware: UART/serial, logic analyzer, USB‑TTL adapters (CP2102/CP21xx caveats), FT232
LLM/code tools: Cursor, GitHub Copilot, Gemini (large context windows/token counts)

Book structure (chapter → 1-line takeaway)

Chapter 0: Day Zero — orientation to the research mindset and first steps.
Chapter 1: Taint analysis — practical taint/input-propagation techniques to find vulnerable flows.
Chapter 2: Mapping code to attack surface — endpoint-to-code mapping and expanding attack surface beyond HTTP.
Chapter 3: Automated variant analysis — leverage discovered CVEs/patterns to find variants at scale.
Chapter 4: Binary taxonomy — types of binaries (Electron/Node, Java, Go, native) and appropriate approaches.
Chapter 5: Source & sink discovery — when to go source-first vs. sink-first and how to trace flows.
Chapter 6: Hybrid binary analysis — combine static and dynamic/symbolic techniques for better coverage.
Chapter 7: Quick & dirty fuzzing — get started fast with dumb fuzzers to surface low-hanging bugs.
Chapter 8: Coverage-guided fuzzing — harness-based, instrumentation-driven fuzzing for deeper reach.
Chapter 9: Fuzzing everything — extend fuzzing principles across web, mobile, binaries, and parsers.
Chapter 10: Beyond Day Zero — responsible disclosure, ethics, and contributing to systemic security.

Main speakers / sources

Justin — podcast host (Critical Thinking)
Eugene Lim (SpaceRaccoon) — guest, author, vulnerability researcher
Producer/side mentions: Richard (show producer/graphics)
Sponsor referenced: ThreatLocker (User Store feature)
Tools & research sources referenced: angr, Frida, CodeQL, IDA/Ghidra, FT232, Cursor/Copilot/Gemini, No Starch Press (publisher)