
From Phrack to Program Analysis to BynarIO

Lorenzo Cavallaro

Why security research must move from modeling patterns to proving behavior
I didn’t come to systems security through a syllabus. I arrived in this world sideways, when my curiosity and my obsession with figuring stuff out merged with underground culture.
It was the mid-1990s when issue 49 of Phrack, a highly technical hacker e-zine, shaped how I think about understanding systems. The paper “Smashing the Stack for Fun and Profit” by Aleph One was more than a buffer overflow tutorial to me. It was a new way of thinking. Understand the memory layout and control flow, reproduce the exploit and then embrace the complexity, instead of just glossing over it.
While there was very little educational material at the time, underground culture had high standards for clarity and reproducibility. You had to think concretely. Abstract thoughts were shaped by hands-on activities.
Years later, academia exposed me to a different kind of rigor. I moved from an intuitive grasp of how to take systems apart towards formal methods that attempt to model, detect and scale. These were all rooted in knowledge of systems, computer architecture and networks, programming languages, and early learning-based methods.
A good example of this is Wagner and Dean’s “Intrusion Detection via Static Analysis” (S&P 2001), which derives a model of the system calls a program can legitimately make from its source code and flags runtime behavior that deviates from that model. The idea was simple but powerful: move from observing attacks to modeling behavior.
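To make that idea concrete, here is an added toy implementation in the spirit of that paper. It is my illustration, not Wagner and Dean’s code and not anything from BynarIO: a constructed three-function program is written down as a control-flow graph, compiled into an automaton over system-call names, and then used to check runtime traces. The program, the traces and every function name in the block are constructed for the example.

```python
"""Toy static-analysis intrusion detection model in the style of Wagner and Dean.
Constructed example: the program, its CFG, the traces and the names are
illustrative, not real code or real system-call logs."""
from collections import defaultdict

EPS = None  # label of epsilon (silent) edges in the automaton

# Constructed toy program. Each function is a CFG: node -> (label, successors).
# ("sys", name) issues a system call, ("call", fn) invokes a function,
# ("nop",) is plain control flow. Node 0 is the entry; no successors = return.
PROGRAM = {
    "main": {
        0: (("nop",), [1]),
        1: (("sys", "open"), [2]),
        2: (("call", "log"), [3]),        # startup message
        3: (("call", "serve"), [4, 3]),   # serve one or more requests
        4: (("sys", "close"), [5]),
        5: (("sys", "exit"), []),
    },
    "serve": {
        0: (("sys", "read"), [1, 2]),     # branch on request type
        1: (("sys", "write"), [3]),
        2: (("call", "log"), [3]),
        3: (("nop",), []),
    },
    "log": {
        0: (("sys", "write"), []),
    },
}


def build_model(program):
    """Compile the interprocedural CFG into an NFA over system-call names.
    States are (function, node); (function, "exit") is a virtual return state.
    A return is an epsilon edge from the callee's exit to the successor of
    *every* call site: the call-graph model, which gives up call-stack
    precision to stay a finite automaton (the source of the slack shown below).
    """
    edges = defaultdict(set)  # (state, symbol) -> set of next states
    for fn, cfg in program.items():
        for node, (label, succs) in cfg.items():
            here = (fn, node)
            targets = [(fn, s) for s in succs] or [(fn, "exit")]
            if label[0] == "sys":
                for t in targets:
                    edges[(here, label[1])].add(t)
            elif label[0] == "call":
                edges[(here, EPS)].add((label[1], 0))
                for t in targets:
                    edges[((label[1], "exit"), EPS)].add(t)
            elif label[0] == "nop":
                for t in targets:
                    edges[(here, EPS)].add(t)
            else:
                raise ValueError(f"unknown node label {label!r}")
    return edges


def epsilon_closure(edges, states):
    """All states reachable from `states` through epsilon edges only."""
    seen, work = set(states), list(states)
    while work:
        for t in edges.get((work.pop(), EPS), ()):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen


def step(edges, states, syscall):
    """Advance the NFA on one observed system call."""
    nxt = set()
    for s in states:
        nxt |= edges.get((s, syscall), set())
    return epsilon_closure(edges, nxt)


def check_trace(edges, trace, entry=("main", 0)):
    """None if the trace is consistent with the model, otherwise the index of
    the first system call the program could not have issued."""
    states = epsilon_closure(edges, {entry})
    for i, call in enumerate(trace):
        states = step(edges, states, call)
        if not states:
            return i
    return None


def allowed_next(edges, trace, entry=("main", 0)):
    """System calls the model permits immediately after `trace`."""
    states = epsilon_closure(edges, {entry})
    for call in trace:
        states = step(edges, states, call)
    return {sym for (s, sym) in edges if s in states and sym is not EPS}


MODEL = build_model(PROGRAM)

if __name__ == "__main__":
    # Constructed traces: a legitimate run, a hijacked run (execve after read),
    # and a run the real program cannot produce but the call-graph model accepts.
    for trace in (["open", "write", "read", "write", "read", "write", "close", "exit"],
                  ["open", "write", "read", "execve"],
                  ["open", "write", "close", "exit"]):
        print(trace, "->", check_trace(MODEL, trace),
              "allowed next:", sorted(allowed_next(MODEL, trace)))
```

The second trace is flagged at index 3: nothing in the program can issue `execve` after a `read`. The third trace is the caveat. `log` is called from two places, so the model returns from it to either call site, and it accepts a run that skips `serve` entirely even though the real program cannot do that. That kind of slack in the model is exactly what the later mimicry attacks against such detectors exploited.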
The shift from understanding exploits to modeling them has, in large part, defined my research.
In the ensuing decade, the security industry did what it always does. It built defenses (several of which came from the underground hacker culture itself): static analysis improved, and mitigations like ASLR, stack canaries, non-executable memory and code-pointer integrity raised the bar.
The pattern is predictable: every defense is a bet on what we can model, and every attack is a search for what we can’t. Decades of defenses didn’t eliminate memory bugs; they just forced attackers to be more creative.
Despite being studied, mitigated and patched for decades, memory corruption remains a complex yet devastating path to exploitation.
Most tools struggle here because you’re working with incomplete information, attackers’ behavior depends on context, and there’s no ground truth for what’s actually correct.
Machine learning has improved what we can achieve in program analysis but what we can trust remains unsolved. Models are great at spotting patterns but they struggle to understand what the code actually does. They learn correlations that look predictive and these shortcuts seem to work - until they don’t.
And when they fail, they do it silently. This is a structural weakness. If your model isn’t based on real behavior, it will guess and those guesses will eventually break.
In deployed security, you don’t get clean inputs or complete information. There’s no nice, readable source code; you have binaries, where the information is a mess.
Binaries are hard to analyze because the useful labels of the source code (symbol names, types, structure) are gone, the compiler has rewritten the code, the program’s behavior isn’t in one place, and a bug might only reveal itself far from where it started. This is where attackers operate and where defenses have to hold.
Source code analysis solves the problem from the developer’s perspective, but for the user it still ends up being a game of trust. Analyzing the binary, the thing that actually ships and runs, solves the problem for everyone.
And this is why I co-founded BynarIO. The hardest environments in security are the ones where adversaries have the advantage, and they are still under-served.
My work sits at the intersection of program analysis, machine learning, and systems security. The goal has always been to make reasoning about code more reliable under real-world conditions. I’ve tried to do this by:
grounding models in semantics, not just patterns
accounting for uncertainty instead of ignoring it
building systems that are resilient to adversaries
BynarIO is pushing those ideas into an environment where they matter the most.
We are doing this now because we have a better understanding of program analysis at scale and of learning systems, and a clearer understanding of where both fail. Together they open up a different way ahead: grounded in semantics, aware of uncertainty and built for adversarial environments.
This is where I’ve been heading for years. It has taken this long for all the pieces to align, but we are ready for what the future holds.