RE-mind: a first look inside the mind of a reverse engineer

When a human activity requires a lot of expertise and very specialized cognitive skills that are poorly understood by the general population, it is often considered ‘an art.’ Different activities in the security domain have fallen in this category, such as exploitation, hacking, and the main focus of this paper: binary reverse engineering (RE). However, while experts in many areas (ranging from chess players to computer programmers) have been studied by scientists to understand their mental models and capture what is special about their behavior, the ‘art’ of understanding binary code and solving reverse engineering puzzles remains to date a black box. In this paper, we present a measurement of the different strategies adopted by expert and beginner reverse engineers while approaching the analysis of x86 (dis)assembly code, a typical static RE task. We do that by performing an exploratory analysis of data collected over 16,325 minutes of RE activity of two unknown binaries from 72 participants with different experience levels: 39 novices and 33 experts.