TK Master: Several stories related to Tencent Xuanwu Lab
June 2016. Xuanwu Laboratory was established exactly two years ago.
This department, which seems to be low-key even within Tencent, has a brilliant leader: Tombkeeper, also known as "TK Master" in the hacker circle.
How to describe him?
That's right, TK, who studied medicine, is respected as a "gynecological expert" in the hacker circle. It would have been rude to refuse the title, so he accepted it. But his identity is certainly more than that.
If you want to get into the "high-class circle", TK is a signpost. You can see this "skilled man" on Zhihu, Weibo and the other major "romantic places" firing off witty remarks whenever a dispute breaks out. Through him, many people outside the circle have had the chance to fall in love with the unsexy profession of "network security".
He has the ability to convert passers-by into fans with just a few words, a rare feature in the hacker circle and even in the technology circle, which has helped him attract thousands of fans. In fact, it is not difficult to imagine that among the 18 researchers in Xuanwu Lab, a considerable number of them are "T fans" who joined because of TK's name.
Simply put, this is a story about a religious leader and his eighteen followers.
TK (Tombkeeper Yu Yang), head of Tencent Xuanwu Lab
| How to become a TK
As a leader, he was already guiding others toward success in junior high school, for example by teaching classmates how to make explosives. Of course, TK had not yet mastered timing back then - the gunpowder test succeeded, in the hands of classmates, in the classroom.
Half the school was frightened out onto the playground, and it was said that the explosion could be heard in the principal's office.
This description comes from TK's memories. "I have loved doing various experiments since I was a child. I suffered all the losses in elementary school. At that time, I had learned the necessary protection. But my classmates just wanted to learn and did not understand the risks, so they were injured in the explosion. Fortunately, the injury was not serious and only two stitches were needed."
This story tells us not to make friends with hackers easily.
TK, who is full of curiosity, naturally came into contact with computers and programming during his university years. However, as a medical student, he didn't know how good his "hacking skills" were until a friend came to him for help.
At that time, many firewalls in China were based on the Linux kernel, and the versions used were very old. The Linux kernel had an old vulnerability, and a remote packet could paralyze the system. A foreign hacker wrote a program to exploit the vulnerability, but perhaps to prevent people from abusing it, he deliberately made the code need to be modified before it could be compiled and work normally. A netizen downloaded this program and wanted to test a certain firewall. He asked for help from several well-known people in the domestic security circle at that time, but none of them could solve the problem. So when he finally came to me, he actually didn't have much hope.
I was not familiar with Linux, and had never come across this type of attack program, or even used gcc (compiler), so it took me about a day. Oh no, I had classes during the day, so I spent an evening studying the relevant knowledge, and then I finished this attack program.
I suddenly realized that I could also do the job of network security.
Many similar experiences since then have made him feel that the craft of "hacking" is no longer just one of his many hobbies.
TK was faced with two choices. One was to follow his university major and become a clinical doctor, and the other was to join NSFOCUS and become a professional security researcher. Both professions were related to the technology he loved, and his final reason was this:
As a clinician, I have little room to explore new technologies because I can't seem to try my own experiments on patients.
I have no problem with computers.
Do you understand how to become a TK now? That’s right, you don’t understand. But you can say in a proud tone: Becoming a TK is a natural thing.
Master TK answered on Zhihu: How lonely is the real life of a hacker?
| White Cap and Black Oil
TK may sometimes wonder if he has chosen the wrong career. As a white hat hacker, his first duty is to report vulnerabilities to manufacturers. Ideally, the manufacturer should confirm and fix the vulnerability immediately, thank the white hat hacker, and then give him 300,000 or 500,000 yuan.
TK, who had just started his white hat career, faced a slightly different situation. After he submitted a vulnerability, the time it took the manufacturer to confirm it varied from half a year to two years. Once the vulnerability was confirmed, TK would be told that the manufacturer could not disclose the progress of the fix to the outside world, and of course he could not know when the vulnerability would be fixed. Anyway, goodbye.
TK has also faced the following situations:
No-news type: security issues discovered with great effort are reported to the manufacturer and then fall into oblivion.
Bite-back type: You are looking for vulnerabilities in our products? What is your intention?
Capricious type: the manufacturer decided the problem he found was not a vulnerability at all and refused to accept it; two years later, the head of that department was replaced, and the manufacturer solemnly thanked another white hat for submitting the same vulnerability.
He was just a microcosm of millions of white hats in that era.
Dealing with a vulnerability requires the cooperation of at least two departments within the company: the department that receives the vulnerability report and the product development department. The actual situation is much more complicated. When multiple departments are involved, they may pass the buck to each other to avoid trouble or instability, and the vulnerability can even become a factor in corporate politics.
I could guess at the time, but it didn't take away the pain. For example, if a drunk hits you for no reason, you know why, but you're still angry.
TK said.
On Zhihu, TK used jokes to support white hat hackers
As for people being willing to pay rewards for vulnerabilities, that was after 2013.
Ultimately, this is an economic issue. Before people realized the value of oil, it could only be used to light lamps and cook, and it would not fetch more money than firewood. For loopholes, it was normal not to pay for them back then, and it is normal to pay for them now, because the value of security has increased.
I think the biggest credit for this goes to Google. When Chrome was launched, Google used security as a card for the first time to compete with IE. Security accounts for 20%-30% of the selling point of this product, even if it is not 50%. Of course, Google's emphasis on security is not the root cause, but only a result. The root cause is that security has really become important, and IE's poor security at the time led to many users being hacked. In this context, a product that focuses on security will be very competitive.
Then TK went to get a $100,000 bug bounty from Microsoft.
Then he became the TK we know.
He then joined Tencent and founded the Xuanwu Lab.
Xuanwu Lab's Weibo background image reflects all of TK's identities: doctor + hacker + alien
| Contributing to Tencent is to save all living beings
Xuanwu Lab has two main tasks: on the one hand, it publishes security research results to the outside world, and on the other hand, it supports the security of Tencent's entire product line internally.
The proportion of these two types of tasks is half and half. TK does not think there is anything wrong with pouring his talents into Tencent alone:
Many people think that it is meaningful to publish results because they can affect many people. For example, the BadTunnel vulnerability on the Windows platform that I recently discovered can affect all Windows versions, which is very wide.
But if you think about it rationally, Tencent has hundreds of millions of users. With such a large user base, as long as we can make some improvements in security - it doesn't have to be very advanced, as long as we can really use some technology - we can make hundreds of millions of people safer. Such work is also of great significance.
However, for confidentiality reasons, many of the specific projects TK has done for Tencent cannot be disclosed. He calls it: "The country's most important tools cannot be shown to others."
TK demonstrates barcode cracking at GeekPwn
Of the few projects he could reveal, there was one that stood out to him:
Tencent Mobile Manager wanted to develop a function to detect fake base stations through technical means, thereby helping users avoid telecommunications fraud. However, the mobile manager team, which was originally a software developer, was not very sure, so they turned to Xuanwu Lab for help.
Although I haven't done much in this field, I have read a lot of related research and know that it can be done. So I selected a few relevant papers from technical journals in the telecommunications industry, recommended them to the technicians on the Mobile Manager team, and told them my understanding.
Finally, after several months of hard work and a combination of methods, the Mobile Manager team solved the problem. Mobile Manager can now identify fake base stations more accurately and protect users.
On another internal project, the leader assigned a task to several fresh graduates who had just joined Xuanwu Lab: use the skills they had learned on the project to study whether the world's mainstream antivirus software had vulnerabilities. After a few months, their conclusions became more and more shocking:
Most antivirus software damages the system's own security mechanism. In this case, hackers can "step on" the antivirus software to break into the system.
This also became the topic of Xuanwu Lab's talk at the CanSecWest security conference in Vancouver this spring.
Such "masterstrokes" seem to be a normal part of life for TK.
Tombkeeper ranked second in Microsoft's list of 100 people to thank
| When it gets dark: BadTunnel
Last April, I went on a business trip to Shenzhen. It’s inconvenient to read on the plane, so I usually like to sit and think. That time I had three and a half hours. I like to simulate a user’s operation in my mind and then deduce the details. I suddenly realized that there might be a problem:
Windows implements many protocols and functions, but these protocols and functions are designed and implemented by different people. Of course, everyone is only responsible for their own work. These protocols seem to have no problems individually. But the operating system needs to integrate these protocols so that they work together. This is when vulnerabilities appear. Before, no one took a comprehensive look at whether there were security issues in the collaboration between them.
This is similar to the situation in medicine. When each drug leaves the factory, it is ensured that the harm is acceptable. However, when they are combined, they may cause great harm to people and cannot be used together.
This expert deduced a shocking vulnerability in his head.
Xuanwu Lab named this vulnerability "BadTunnel". TK told Leifeng.com that this vulnerability is very important in the history of Windows vulnerabilities.
There were vulnerabilities with a relatively large impact back then, such as the vulnerability used by the Blaster worm, but even that vulnerability did not affect all Windows versions. Most importantly, that was more than ten years ago. Today, Windows security is completely different, so it is very unexpected that a vulnerability of this level has appeared again.
Because of his busy work, TK spent a total of only one week over two months researching this vulnerability, but when he was immersed in research he was "crazy devoted".
I still look the same as usual, but my inner state is different. When I focus on research, I feel that everything around me is dim, as if I only have one desk lamp on.
As one of the many heavy-hitting vulnerabilities released by Xuanwu Lab, BadTunnel once again won TK a $50,000 bonus from Microsoft. TK told Leifeng.com that he has not spent any of the bonuses he has received, but instead keeps them in the bank for his children to study in the United States.
This amount of money is not enough to attend medical school in the United States, but it is enough for general majors.
He looked very satisfied.
There is a question on Zhihu: What is it like when your abilities are at the top or forefront of your industry?
There is an answer that received 168 likes and ranked first. This answer comes from TK:
“Art has no limit, I am truly humbled.”