Slip, Cross, Uppercut, Weave, Jab…
Weave, Weave, Rib, Hook, Cross…
Jab, Cross, Jab…
Boxing is all about patterns and sequences, tying together moves to evade and moves to strike. The goal is to land the greatest number of meaningful hits without receiving any yourself. ‘The Sweet Science’, one of boxing’s alternative names, suggests the finesse required to achieve an optimal balance between striking and defending.
Executing these sequences over and over again builds a muscle memory integral to winning a bout. There is a well-known adage that says ‘boxing is won outside of the ring’. It is about creating the physique to last the longest and hit the hardest, but more importantly, it is about creating the mental fortitude to remember winning sequences and think on your toes.
Facing somebody in the ring is daunting, and the difference between losing and winning comes down to how well you have tailored your training to your opponent’s style. Boxing is filled with taunts and illusion at the various stages (pre-fight, fight, post-fight) to gain an edge over your opposition. It is vital to understand the illusions of your opponent, to know their patterns and how to gain the upper hand.
subl $4, %esp
movl %esp, %addr
At first look the above may seem strange, but on closer inspection it reveals a series of instructions. Subtract, move, jump, push: another sequence, specifically a sequence of instructions for a CPU to follow. These instructions ask the CPU to perform a meaningful calculation that we may use.
Computers follow long sequences of simple instructions to produce music, games, movies, apps and more. They process and store personal information: medical records, contacts and photos. As users care about the integrity and privacy of their information, it is vital that their systems are secure enough to guard their most cherished memories and personal information.
A systems security expert faces these systems to understand the sequences of instructions in an attempt to find a weakness, looking for some way to gain access to information that they are not supposed to have access to, or to have the system perform some action they are not authorised to perform. The hacker seeks to undermine the system’s security for their own personal gain or in an attempt to produce a more secure system.
Boxing and systems security share a similar abstraction. Both involve a dance of sequences and patterns performed by a protagonist and their opponent. In both arts the protagonist aims to understand the opponent’s sequences, in search of a weakness which they can exploit to gain the upper hand.
The boxer looks for a ‘tell’: does their opponent’s left eye twitch just before they throw a right hook? If it does, our protagonist can time a weave and punch to the ribs before the opponent knows what is happening. Meanwhile, our hacker looks for a ‘bug’ in a bounds check on an array insertion. If that check is lacking, our hacker can insert malicious code after a stack overflow.
The pugilist and the systems security expert must both study their adversary; they seek to cover their own weaknesses while exploiting those of others. They must play to their own strengths and guard against the strengths of their foes. They dance in a careful choreography of movement and code.
Push %jab, %cross
Boxing and systems development have been defining pursuits in my life; they intertwined and blended together over the years, building on top of each other in my attempts to perfect my practice at both. Yet I didn’t see the similarities straight away. It took a particular event for me to realise how one could complement the other.
I have always had a deep-seated fascination with computers. My earliest curiosities lay in hardware: I read many books on the topic and had a good understanding of how all the pieces (CPU, mainboard, GPU, RAM, HDD, etc.) worked and fit together by my early teens. At 16 I switched focus to the ‘soul’ of the system: the software. I started programming in Python, built little games and followed tutorials from a book called ‘Learn Python the Hard Way’. I fell in love. Wizards have magic, humans have software.
Boxing came into my life at a similar time. I was at the age when a lot of boys fall off the wagon; testosterone is a hell of a drug. I was looking for ways to burn my newfound energy and my cousin convinced me to join him for a few boxing lessons. I was instantly taken by the sport. Not only was boxing great physical training with a rich and varied history, but I enjoyed the mental aspect of learning patterns and winning combinations.
Boxing would drain my physical energy until I could sit still and study, leaving me intellectually satisfied until the next training session. But in this early period I never made the connection between the sport and my programming pursuits. I would only develop this shared abstraction in my twenties.
Glitch in the System
Towards the end of my bachelor’s degree I took a class on systems security. We were learning about how to find ‘bugs’ in code that could be exploited to gain control of information from that system. Outside of university, I was preparing for a few sparring matches for boxing. Soon these two worlds would collide in a more fundamental way than I expected.
One Thursday night I had a big sparring match scheduled. In preparation, the day before was a rest day, where I laid out my clean wraps, appropriately worn-in mouth guard, head gear, plain black shorts and favourite gloves all ready for the fight. This complete, I turned my attention to some light systems security study. Our task involved reading over assembly code to find a weakness, and while I understood the basic functionality, I had yet to find the exploitable bug.
Ding ding: the first round is the round where opponents get a ‘feel’ for one another, trying to understand how the other moves, their timings, their ‘tells’. After a couple of rounds I began to sense my opponent had a tell, an error to exploit, but I couldn’t yet define it. Jab, cross, uppercut, hook, …glitch… what was he doing? (Glitch, now why did I think of that word? It was a systems term. Odd.)
He threw another combination: jab, hook … pop %ba, ahh, my brain was doing it again, translating boxing terminology into assembly and computer science terms. The pattern was becoming clearer; I was starting to see the set of sequences and patterns in boxing and finding morphisms into the set of instructions in assembly.
Jab, cross, hook, hook… BOOM, there it was, a weakness in the sequence. Whenever my opponent ended with a right hook he fell forward; he overflowed his balance. Next time he ended with a hook it was over: I uppercut his now exposed chin. His tell, his bug, was an overflow. That day’s studying had helped me to the win, and from that day onwards the two disciplines were forever linked in my mind.
As time went on boxing fell by the wayside, requiring vast amounts of energy to stay at the level I wanted to be. But my passion for the sport, the ‘debugging’ of your opponent, lives on in my pursuit as a professional software engineer. Whenever I open up my debugging tools I am constantly reminded of the use of jabs and feints to find weaknesses in my opponent in boxing. I smile to myself whenever I find a timing exploit in a system; they are directly relatable to the timing exploits found when sparring.
For security experts looking to get into sport, I can recommend boxing. Vice versa, those who enjoy boxing and are looking for an intellectual pursuit may find systems security to be an excellent fit. Both seek a deep and nuanced understanding of the system, the bugs and tells of your opponent.