Behind the Binary by Google Cloud Security
Welcome to Behind the Binary, the podcast that introduces you to the fascinating people, technology, and tools driving the world of reverse engineering. Join your host, Josh Stroschein, a reverse engineer with the FLARE team at Google, and someone passionate about sharing knowledge and shedding light on the art of reverse engineering, as he sits down with intriguing guests to explore the human side of this profession.
Behind the Binary goes beyond the code, sharing the stories, motivations, and unique perspectives of the individuals who dedicate their lives to unraveling the complexities of technology. We'll hear about their journeys into the field, the challenges they face, and the impact their work has on securing our digital world.
Whether you're a seasoned malware analyst, a software developer, a security researcher, or just someone curious about the world of reverse engineering, Behind the Binary offers insightful and engaging conversations for everyone interested in this fascinating field.
EP25 The Future of Debugging: A Paradigm Shift with Xusheng Li
"TTD is a paradigm shift in the way you interact with the target... Potentially, five years from now, when we talk about debugging, we will just by default go to TTD."
In this episode, we are joined by Xusheng Li, a debugger architect and reverse engineering expert, to explore the evolution of Time Travel Debugging (TTD). While traditional debugging has remained largely stagnant for decades, TTD introduces a novel way to debug by recording and replaying execution traces with total precision. Xusheng takes us behind the scenes of how this technology solves the "granularity problem" in malware analysis, moving from a high-level API overview down to instruction-level "ground truth" without ever needing to re-run the program.
We break down the engineering required to record billions of instructions into a manageable trace, the power of querying execution data like a searchable database, and how a "sealed" execution history is changing the workflow for software developers, malware analysts, and vulnerability researchers alike.
THE SESSION:
- The Deterministic Leap: How TTD avoids the overhead of recording every single instruction by focusing only on non-deterministic events, such as file reads, CPUID calls, and system inputs, allowing billions of cycles to be reconstructed from a fraction of the data.
- The Death of "Step-Over": Why the future of debugging lies in querying an execution database rather than manually stepping through code, enabling researchers to instantly find every moment an API was called or a specific memory address was modified.
- Solving the Granularity Problem: How a single trace file provides a "safety net" for analysis, allowing researchers to start with a broad triage of behavior and then use a "microscope" to dig into specific crypto functions or obfuscated payloads later.
- Data Flow vs. Code Flow: A look at the shift toward "concrete data flow analysis," where researchers focus on the movement of sensitive buffers and keys rather than getting lost in the mental overhead of complex instruction sets and registers.
- The Mystery of the i9 Crash: A real-world troubleshooting case where TTD was used to identify a hardware-level microcode bug in a modern CPU that would have been nearly impossible to pinpoint with traditional tools.
- The AI Connection: Why the "fixed world" of a TTD trace is the ideal training ground for LLM-assisted analysis, providing a secure, deterministic environment for AI to solve intermediate-level reverse engineering challenges.
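As an added illustration of the first two points (record only non-deterministic events, then query the replayed history), here is a constructed toy record/replay engine. It is not code from the episode or from any real TTD implementation; the two-register machine, its instruction set and the sample program are all invented for the demonstration.

```python
ND_OPS = ("read", "cpuid")  # the only instructions whose result is not a pure function of prior state
PROGRAM = [("read", "a"), ("cpuid", "b"), ("add", "a", "b"), ("store", 0x10, "a"),
           ("call", "CryptEncrypt"), ("read", "b"), ("add", "a", "b"),
           ("store", 0x10, "a"), ("call", "WriteFile")]  # constructed sample program

def step(state, instr, nd_value=None):
    """Apply one instruction to (regs, mem); returns the API name for a call."""
    regs, mem = state
    op, *args = instr
    if op in ND_OPS:
        regs[args[0]] = nd_value          # value comes from outside the machine
    elif op == "add":
        regs[args[0]] = (regs[args[0]] + regs[args[1]]) & 0xFFFFFFFF
    elif op == "store":
        mem[args[0]] = regs[args[1]]
    return args[0] if op == "call" else None

def record(program, source):
    """Live run: only the values `source` supplies for ND_OPS are logged."""
    state, log = ({"a": 0, "b": 0}, {}), []
    for instr in program:
        nd = source(instr[0]) if instr[0] in ND_OPS else None
        log += [nd] if nd is not None else []
        step(state, instr, nd)
    return log

def replay(program, log):
    """Rebuild full state after every instruction from the log alone (the trace)."""
    state, pending, timeline = ({"a": 0, "b": 0}, {}), iter(log), []
    for idx, instr in enumerate(program):
        nd = next(pending) if instr[0] in ND_OPS else None
        api = step(state, instr, nd)
        timeline.append((idx, dict(state[0]), dict(state[1]), api))
    return timeline

def calls_to(timeline, api):
    """Every step at which `api` was called: a query, not a step-over session."""
    return [idx for idx, _, _, name in timeline if name == api]

def writes_to(timeline, addr):
    """Every step at which memory `addr` took a new value (who wrote this buffer?)."""
    hits, prev = [], None
    for idx, _, mem, _ in timeline:
        if mem.get(addr) != prev:
            prev = mem.get(addr)
            hits.append((idx, prev))
    return hits
```

Nine instructions execute, but only three values are recorded; the replay still yields the complete register and memory state at every step, and the queries run over that timeline without re-executing the target.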
Join the Community
- Research Hub: Threat research, training events and news: https://cloud.google.com/security/flare
- The FLARE Insider: Get community updates and announcements. To subscribe, email flare-external@google.com
FOLLOW THE SHOW:
- Subscribe: Apple Podcasts | Spotify | YouTube