Quarkslab's new internships season is open! Like every year, we are looking for adventurous, motivated and courageous students, impatient to test their skills against real-life research and engineering problems. The topics we propose cover various aspects of the security field, and they all have in common being highly technical, complex and challenging. Be prepared to work hard for your own enjoyment: the satisfaction when overcoming such difficulties is priceless. As an intern, you will work among the amazing Qb crew, whose humour is also priceless.
All internships will take place in our main office in Paris, France. If you are coming from abroad, you will need a proper visa to be with us. At Quarkslab, we encourage remote working, but that does not apply to internships.
Last but not least, we usually train Padawans so that they remain with us once the training period is done, even if that does not mean the training is over :)
Edit 2018-02-19: all available internship positions are filled.
How to apply for an internship position at Quarkslab?
To apply for an internship position, you have to send:
a CV,
a cover letter: avoid the generic letter saying that you are so motivated and that we are so interesting. We welcome a more personal letter which explains why the topic is of particular interest to you, why you, why us :)
your solution proposal to the exercise attached to the offer of interest to you,
all this can be sent in French or in English.
Send this little package to internship-AT-quarkslab-DOT-com, with the title field containing the internship reference mentioned in the respective offer.
Do not forget that the secret of a good application is to show what you already realized (related to the topic or not).
Each internship offer comes with a little exercise which should not require too much time to be completed. The result will show us not only the type of skills and knowledge you already possess, but also how ingenious you are and how good you can present your reasoning. It will serve as the basis for the interview you will have in the selection process.
For all its internships, Quarkslab is looking for highly motivated, curious and autonomous people being creative and structured team players. You will evolve in a dynamic and easygoing environment where ideas spring from everywhere...
We consider internships as opportunities to spot profiles that suit our functioning. They are intended to guide students to enter the professional world as potential future colleagues if they feel like so and find convincing arguments [4]
Do not be shy and apply, otherwise you will never know if you could have been selected...
Contact : internship-AT-quarkslab-DOT-com
| [4] | also called croissants... |
Parametric Code Virtualization
This position is filled
Description
Code virtualization is a common obfuscation technique, comparable to the embedding of a custom interpreter in the program. This is a multiple-layer internship subject! It starts like a school exercise, but as it grows you'll endup playing with compilation concepts like register allocation, instruction selection and their relatives.
The first level is very similar to implementing a minimal (and thus easily embeddable) interpreter for a subset of the LLVM-IR, much like the existing lli -force-interpreter mode. Starting with a single basic block, then with a more complex control flow graph and finally with function calls. The next level involves parametrization of this custom interpreter in order to provide new challenges to the reversers each time they encounter a new instance of the interpreter, for instance by using random instruction selection, or changing the register model. As an introduction, one can have a look at how it has been done for the Python interpreter [0], [1], [2].
Exercise
Before diving into this great subject, a small challenge is proposed. It should not take more than one hour, and you are free to choose any relevant language to implement your solution.
Game of Stack: Write an interpreter for the following micro-language, which uses a stack machine [3]:
PUSH <integer> pushes <integer> on the stack;
DUP pushes a copy of the stack head on the stack;
ADD pops two elements from the stack and pushes their sum on the stack
MUL pops two elements from the stack and pushes their product on the stack
READ reads an integer from stdin and pushes this value on the stack
WRITE pops an integer value from the stack and prints it on stdout
For instance, this is a valid program:
0 READ
1 DUP
2 ADD
3 WRITE
Required skills
Being motivated, open-minded and enthusiast is the Graal of any successful internship.
Being technically skilled always helps, but you're also here to learn.
A decent command of C++ and Python is still a requirement.
Experience with any compiler infrastructure is a plus.
Basic compilation knowledge is a must-have.
A passion for chopping wood is unlikely but appreciated.
Reference
Duration
| [0] | https://www.usenix.org/system/files/conference/woot13/woot13-kholia.pdf |
| [1] | https://blog.quarkslab.com/building-an-obfuscated-python-interpreter-we-need-more-opcodes.html |
| [2] | http://serge-sans-paille.github.io/talks/hack.lu-2014-10-21.html |
| [3] | https://en.wikipedia.org/wiki/Stack_machine |
Machine Learning for Malware Detection Systems
This position is filled
Description
Most anti-malware software uses signature-based methods of detection. Those methods consist in detecting in the raw binary some specific strings of bytes, characteristic to a known malware. However, those methods can be easily evaded using techniques such as encryption, polymorphism or obfuscation. Moreover, the signatures used to detect variants of a known malware are often manually defined by security experts after a close look at the binaries, making this approach very difficult to scale to the large amount of new malware programs encountered every day.
To overcome this issue, new intelligent malware detection systems have been investigated recently, using stae-of-the-art machine learning and data mining techniques. One promising approach consists in analyzing the binary through his call-graph, a graph in which each node stands for a function of the program and each directed edge represents a call from a function to another. For each new software to analyze, one idea would be to extract its call-graph and check for a potential match (or partial match) among a huge database of suspicious binary graphs. Two graphs that match well would very likely behave similarly and, in case of a malware, bear a similar attack. Since the whole category of general graph matching problems is known to be NP-complete, finding the best possible match among a huge graph database is an even more challenging problem that requires efficient probabilistic models as much as wise storage implementations.
During this internship, you will be working on new probabilistic methods in the context of malware detection. Those graph-based techniques could go from smarter call-graph generation or representation to efficient graphical model ((e.g., Bayesian networks) or even deep learning frameworks for graph classification.
As this topic requires both mathematical and computer science skills, we cannot expect the candidates to master both fields and we will provide training in the missing expertise.
Exercise
Read the two following papers and explain in your own words and understanding how they can be related and which are the major challenges they underlie. Remark: you are not required to understand entirely and completely the papers to answer this exercise, you have to extract useful elements out of them.
Kinable, Joris, and Orestis Kostakis. "Malware classification based on call graph clustering." Journal in computer virology 7.4 (2011): 233-245.
Mateus, Diana, et al. "Articulated shape matching using Laplacian eigenfunctions and unsupervised point registration." Computer Vision and Pattern Recognition, 2008. CVPR 2008. IEEE Conference on. IEEE, 2008.
Required skills
Good knowledge in machine learning or data mining techniques
Good knowledge in linear algebra
Programming skills (Python, Matlab or R)
Static binary analysis is a plus
Reference
Duration
Diffing and never patched 1-days: vulnerabilities in source, vulnerabilities in binaries?
Description
Analyzing mobile apps is becoming as boring as analyzing tons of uninteresting malware, but it is nonetheless very useful to find vulnerabilities, crypto issues, poorly handled credentials, malicious code in fake apps, and so on. There are many good reasons to dig into apps... at scale.
Another challenge when working on apps is that they are updated quite often, and one does not wish to re-do all the work of reverse engineering.
These are the exact same reasons why diffing was so important years ago on x86 and Windows. At Quarkslab, we have been working on a framework for mobile apps, but we would like to extend it now.
You will work on a part of the framework allowing to go from ASM (mostly ARM or x86) to LLVM IR. Once there, it is very likely you will need some normalization before being able to compare codes. All these steps are part of your internship: a converter ASM2IR, normalization, and diffing strategies.
As a practical test case, you can rely on one of the many known issues in zlib or OpenSSL, and look for it in tons of mobile apps: known vulnerabilities in open source code, also used in mobile apps or firmware, are not necessarily updated and fixed.
Suggested reading:
Google Project Zero: Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs
Quarkslab: Analysis of MS16-104: .URL files Security Feature Bypass (CVE-2016-3353)
Trail of Bits: McSema
Exercise
Many diffing tools exist: BinDiff, DarunGrim, Diaphora, patchdiff2, and probably a few others.
Pick 2 of them and explain how they work, what you believe to be their weaknesses and strengths, and compare them (diff the diffing tools).
Required skills
This internship will require very good knowledge and skills in algorithms and development.
Algorithm analysis: performances are critical
Basic knowledge of one ASM (ARM or x86 preferably)
Some understanding of compilation
Good Python development skills
Reference
17-internship-diff
Duration
Preferably 6 months.
Improving advanced fuzzing tools targeting closed source software
This position is filled
Description
Fuzz testing (Fuzzing) is a software testing technique that consists in injecting randomized or mutated inputs into a program. This process is usually completely automated and provides a way to find defects in software. In order to be effective, it requires a good strategy, but also state-of-the-art tools to find what others missed.
The goal of this internship is to improve our fuzzing techniques and toolkits. The intern will need to assimilate our in-house dynamic instrumentation tools (including QBDI, our custom DBI framework) and to improve and optimize our AFL (American Fuzzy Lop) based fuzzer to make them able to target a greater variety of closed source software (in a way similar to what can be done with WinAFL).
The intern will be part of a team dedicated to instrumentation tools and that brings together reverse engineers and software developers. He/She will learn how to assess and instrument software, while being able to explore unknown territories by implementing one's own ideas in custom tools.
Exercise
Required skills
Programming (C is required, C++ is a plus plus)
Some knowledge in reverse engineering and fuzzing
Reference
Duration
Hyper-V Vulnerability Study
Description
Virtualization is a ubiquitous technology today, and with Windows 10 the technology becomes part of the system. The consequences of bugs in hypervisors are obviously critical for desktop environments but even more so for servers. Vulnerabilities are found, from time to time, in many hypervisor projects including Microsoft Hyper-V.
The objectives of this internship are:
To understand the concepts behind virtualization
To understand how Hyper-V is built and how it works
To study one or more vulnerabilities in Hyper-V
To develop a proof of concept for one of those vulnerabilities
The inherent difficulties of this internship are multiple. For instance, although Hyper-V is somewhat officially documented at a high level, it is a closed source software and its inner workings are little known. Besides debugging an hypervisor is not a particularly easy task.
This internship will bring you, undoubtedly, a better knowledge of hypervisors, their design, security and possible problems. You will work in collaboration with other engineers with whom you will exchange information, present your results and finally devise possible technical approaches to attack hypervisors.
Exercise
Choose a recent security advisory (less than 2 years old) targeting the Hyper-V hypervisor and present a personal and detailed analysis of the bug:
Root cause
Possible ways to exploit the bug
Possible detection methods of exploitation attempts.
Required skills
C language
x86 / x64 Assembly language
Windows Kernel
Vulnerability Research
Virtualization (ideal, but not essential)
Reference
17-internship-hyper-v
Duration
Preferably 6 months.
Security of Protected JTAG
Description
Many vendors use JTAG to debug their products, but in order to protect them after production, they can hide the pins of the JTAG connector throughout their board, protect JTAG with a password or with a fuse.
One of the activities at Quarkslab is evaluating the security of different devices (boxes, automotive ECUs, IoT devices, etc.), from a combined software and hardware perspective. We constantly need to improve the hardware toolkits we use during hardware security evaluations, trying to reach new vulnerabilities from reasonably accessible hardware.
The purpose of this internship is to study, design and build tools using the JTAG connector as an entry point. Such tools would:
find the JTAG pins,
configure the JTAG for a specific microcontroller,
configure and extract ETM traces if available,
bypass the security of protected JTAGs.
You will work closely with engineers of our hardware-oriented team. We will provide a JTAGulator as well as several targets. JTAGenum can also be used to discover the JTAG pins and more.
Exercise
Choose an inexpensive ARM board (or any other board you already have --- send an email with the references of your board if you want a confirmation for your choice) which does not offer debugging capabilities out-of-the-box, and add a debug functionnality (JTAG/SWD) to it.
You can get inspiration from the following examples on teensy3.1 or teensy3.5.
Then, test your debug setup with a small program. Once done, document your work in a small write-up with photos.
Required skills
Good knowledge of the ARM architecture
Knowledge of JTAG
Programming, designing tools
Reference
17-internship-jtag
Duration
Preferably 6 months.
Security of Wi-Fi stack components
This position is filled
Description
A dominant feature of nowadays Internet-connected devices is their ability to communicate wirelessly. The Wi-Fi stack is, therefore, a crucial component of such systems.
The purpose of this internship is to study selected Wi-Fi stacks and search for vulnerabilities. The actual work will be divided into two parts. In the first part, the intern will reproduce existing attacks on Wi-Fi stacks and acquire a deep understanding of the mechanisms involved. In the second part, the intern will port these vulnerabilities to routers with similar Wi-Fi chipsets. This can reveal hidden difficulties and subtle system differences that need to be taken care of. The end goal is to expand Quarkslab's knowledge of embedded systems.
Some interesting examples of recent vulnerabilities found in Wi-Fi stacks can be found here and there. This kind of research is what would typically fit into this internship. This is a challenging topic on which you will work with two Quarkslab's vulnerability researchers who have previously worked on similar topics.
Exercise
Required skills
Good knowledge of the ARM architecture
Understanding of the Linux kernel
Programming (C required)
Knowledge in reverse engineering and vulnerability research
Reference
Duration
Vulnerability Monitoring Platform
Description
The growing field of vulnerability discovery and the heterogeneity of systems makes it highly difficult to know whether a given system is vulnerable to a given vulnerability or not. As an example, the huge variety of mobile phone devices and the interleaving of common components between them blurs the lines of affected devices for a given weak component. Many manufacturers perform really poorly at deploying patches and updates and constantly reduce their support duration leaving devices vulnerable to new CVE.
The internship goal is to improve a vulnerability monitoring platform that uses many different frameworks (crawling, database, web, etc) and targets many systems from mobile to desktop OSes. This internship is mostly development oriented but many experiments and PoC are also expected at binary or firmware level together with analyses of the results produce by the platform.
Exercise
Write a crawler for the Huawei's security bulletins, then extract and return relevant pieces of information in a re-usable format. The nicer the better. The crawler might easily fit in one python file, and should be readable as a p(y)oem.
Hint: (scrapy <3)
Required skills
Great python knowledge
Openness to many framework and subjects
Standard knowledge in web technologies
Appreciated skills
Good knowledge of the mobile ecosystem
Knowledge in python and some python frameworks (flask, scrapy, sqlalchemy)
Knowledge in reverse-engineering
Reference
17-internship-monitoring
Duration
Preferably 6 months.