Internship offers at Quarkslab for the 2017-2018 season

Quarkslab's new internship season is open! Like every year, we are looking for adventurous, motivated and courageous students, impatient to test their skills against real-life research and engineering problems. The topics we propose cover various aspects of the security field, and they all have in common that they are highly technical, complex and challenging. Be prepared to work hard for your own enjoyment: the satisfaction of overcoming such difficulties is priceless. As an intern, you will work among the amazing Qb crew, whose humour is also priceless.

All internships will take place in our main office in Paris, France. If you are coming from abroad, you will need a proper visa to be with us. At Quarkslab, we encourage remote working, but that does not apply to internships.

Last but not least, we usually train Padawans so that they remain with us once the training period is done, even if that does not mean the training is over :)

How to apply for an internship position at Quarkslab?

To apply for an internship position, you have to send:

  • a CV,
  • a cover letter: avoid the generic letter saying that you are so motivated and that we are so interesting. We welcome a more personal letter which explains why the topic is of particular interest to you, why you, why us :)
  • your solution proposal to the exercise attached to the offer of interest to you,
  • all this can be sent in French or in English.

Send this little package to internship-AT-quarkslab-DOT-com, with the title field containing the internship reference mentioned in the respective offer.

Do not forget that the secret of a good application is to show what you have already achieved (related to the topic or not).

Each internship offer comes with a little exercise which should not require too much time to complete. The result will show us not only the type of skills and knowledge you already possess, but also how ingenious you are and how well you can present your reasoning. It will serve as the basis for the interview you will have during the selection process.

For all its internships, Quarkslab is looking for highly motivated, curious and autonomous people who are creative, structured team players. You will evolve in a dynamic and easygoing environment where ideas spring from everywhere...

We consider internships as opportunities to spot profiles that suit the way we work. They are intended to guide students into the professional world as potential future colleagues, if they feel like it and find convincing arguments [1]

Do not be shy and apply, otherwise you will never know if you could have been selected...

Contact : internship-AT-quarkslab-DOT-com

[1]also called croissants...

Diffing and never patched 1-days: vulnerabilities in source, vulnerabilities in binaries?

Description

Analyzing mobile apps is becoming as boring as analyzing tons of uninteresting malware, but it is nonetheless very useful for finding vulnerabilities, crypto issues, poorly handled credentials, malicious code in fake apps, and so on. There are many good reasons to dig into apps... at scale.

Another challenge when working on apps is that they are updated quite often, and one does not wish to re-do all the work of reverse engineering.

These are the exact same reasons why diffing was so important years ago on x86 and Windows. At Quarkslab, we have been working on a framework for mobile apps, but we would like to extend it now.

You will work on the part of the framework that lifts ASM (mostly ARM or x86) to LLVM IR. Once there, you will very likely need some normalization before being able to compare code: two builds of the same function differ in register allocation, stack layout and addresses long before they differ in logic. All these steps are part of your internship: an ASM2IR converter, normalization, and diffing strategies.

As a practical test case, you can take one of the many known issues in zlib or OpenSSL and look for it in tons of mobile apps: open source code with known vulnerabilities, reused in mobile apps or firmware, is not necessarily updated and fixed there.
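To make the normalization and diffing steps concrete, here is an added example; it is not Quarkslab's framework (which lifts to LLVM IR) and works on textual x86 listings instead, so that it runs on its own. It abstracts registers, immediates and jump targets, then aligns the normalized instruction sequences. The three listings are constructed for the example: a byte-copy loop, the same loop as another build would emit it, and that loop with a length check inserted, the shape a 1-day fix typically takes. The names FUNC_A, FUNC_B, FUNC_C, normalize, similarity and diff are this example's own.

```python
import re
from difflib import SequenceMatcher

# Constructed x86 listings (Intel syntax) for this example; not taken from any real app.
# A and B: the same byte-copy loop from two builds (other registers, other stack slots).
# C: B with a length check inserted before the loop.
FUNC_A = """
    mov esi, [esp+4]      ; src
    mov edi, [esp+8]      ; dst
    mov ecx, [esp+12]     ; n
copy:
    mov al, [esi]
    mov [edi], al
    inc esi
    inc edi
    dec ecx
    jnz copy
    ret
"""

FUNC_B = """
    mov edx, [ebp+8]
    mov ebx, [ebp+12]
    mov eax, [ebp+16]
copy:
    mov cl, [edx]
    mov [ebx], cl
    inc edx
    inc ebx
    dec eax
    jnz copy
    ret
"""

FUNC_C = """
    mov edx, [ebp+8]
    mov ebx, [ebp+12]
    mov eax, [ebp+16]
    cmp eax, 0x100        ; added: refuse oversized lengths
    ja fail
copy:
    mov cl, [edx]
    mov [ebx], cl
    inc edx
    inc ebx
    dec eax
    jnz copy
    ret
fail:
    xor eax, eax
    ret
"""

REG = re.compile(r"\b(e?[abcd][xlh]|e?[sd]i|e?[sb]p|r\d+[dwb]?)\b")  # 32-bit GPRs and their parts
IMM = re.compile(r"\b(0x[0-9a-fA-F]+|\d+)\b")                        # decimal or hex constants
LOC = re.compile(r"\b(?!REG\b|IMM\b)[A-Za-z_]\w*\b")                  # what is left: jump targets


def clean(listing):
    """Drop comments, blank lines and label definitions; canonicalize spacing."""
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and not re.fullmatch(r"\w+:", line):
            yield re.sub(r"\s*,\s*", ", ", re.sub(r"\s+", " ", line))


def abstract(insn):
    """Keep the mnemonic, replace operands by their class (REG / IMM / LOC)."""
    mnem, _, ops = insn.partition(" ")
    ops = LOC.sub("LOC", IMM.sub("IMM", REG.sub("REG", ops)))
    return f"{mnem} {ops}".strip()


def normalize(listing):
    return [abstract(i) for i in clean(listing)]


def similarity(a, b, normalized=True):
    """Alignment-based similarity (2*matched/total) of two listings."""
    xa, xb = (normalize(a), normalize(b)) if normalized else (list(clean(a)), list(clean(b)))
    return SequenceMatcher(None, xa, xb).ratio()


def diff(old, new):
    """Align the normalized sequences; return the changed hunks as (tag, old_insns, new_insns)."""
    xa, xb = normalize(old), normalize(new)
    return [(tag, xa[i1:i2], xb[j1:j2])
            for tag, i1, i2, j1, j2 in SequenceMatcher(None, xa, xb).get_opcodes()
            if tag != "equal"]


if __name__ == "__main__":
    print("raw A~B       :", round(similarity(FUNC_A, FUNC_B, normalized=False), 2))
    print("normalized A~B:", round(similarity(FUNC_A, FUNC_B), 2))
    print("normalized B~C:", round(similarity(FUNC_B, FUNC_C), 2))
    for tag, old, new in diff(FUNC_B, FUNC_C):
        print(tag, old, "->", new)
```

Raw, A and B share only their last two instructions; normalized, they are identical, and the B to C diff isolates exactly the inserted check and its failure path. Real tools do the same thing on richer objects (basic blocks, call graphs, or an IR), and the same normalization question shows up there: every abstraction that hides compiler noise also hides some real changes, so the choice of what to abstract is the diffing strategy.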


Exercise

Many diffing tools exist: BinDiff, DarunGrim, Diaphora, patchdiff2, and probably a few others.

Pick 2 of them and explain how they work, what you believe to be their weaknesses and strengths, and compare them (diff the diffing tools).

Required skills

This internship will require very good knowledge and skills in algorithms and development.

  • Algorithm analysis: performance is critical
  • Basic knowledge of one ASM (ARM or x86 preferably)
  • Some understanding of compilation
  • Good Python development skills

Reference

17-internship-diff

Duration

Preferably 6 months.

Improving advanced fuzzing tools targeting closed source software

Description

Fuzz testing (fuzzing) is a software testing technique that consists of feeding randomized or mutated inputs to a program. The process is usually completely automated and provides a way to find defects in software. To be effective, it requires a good strategy, but also state-of-the-art tools to find what others missed.

The goal of this internship is to improve our fuzzing techniques and toolkits. The intern will need to assimilate our in-house dynamic instrumentation tools (including QBDI, our custom DBI framework) and to improve and optimize our AFL (American Fuzzy Lop) based fuzzer so that it can target a greater variety of closed source software (in a way similar to what can be done with WinAFL).
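The reason instrumentation matters for fuzzing closed source software is that the feedback it provides (AFL's edge map) is what turns random mutation into a search. The following is an added example, not Quarkslab's tooling and not AFL itself: a minimal mutational fuzzer that uses sys.settrace as a stand-in for the instrumentation, run against a constructed toy parser with a missing length check. The names parse_record, run_traced, mutate and fuzz are this example's own.

```python
import random
import sys

# Constructed toy target (not any real parser): 4-byte magic, one length byte, payload.
# The magic is checked byte by byte, as compilers often emit it; the length is never
# checked against the buffer, so an oversized length indexes past the end (IndexError).
MAGIC = b"QBDI"


def parse_record(buf: bytes) -> int:
    if len(buf) < 5 or buf[0] != MAGIC[0]:
        raise ValueError("bad magic[0]")
    if buf[1] != MAGIC[1]:
        raise ValueError("bad magic[1]")
    if buf[2] != MAGIC[2]:
        raise ValueError("bad magic[2]")
    if buf[3] != MAGIC[3]:
        raise ValueError("bad magic[3]")
    length = buf[4]
    checksum = 0
    for i in range(length):
        checksum ^= buf[5 + i]  # bug: no check that 5 + i < len(buf)
    return checksum


def run_traced(target, data):
    """Run target(data); return (status, set of target line numbers executed).
    ValueError is the parser's graceful rejection; anything else is a crash."""
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is not target.__code__:
            return None          # do not trace anything but the target
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        status = "ok"
    except ValueError:
        status = "rejected"
    except Exception:
        status = "crash"
    finally:
        sys.settrace(None)
    return status, lines


def mutate(rng, data):
    """One havoc-style step: overwrite a byte, flip a bit, insert or delete a byte."""
    buf = bytearray(data)
    op = rng.randrange(8)
    if op < 4 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op < 6 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 6:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed, max_iters=300_000, guided=True, rng_seed=1):
    """Mutational fuzzer. guided=True keeps every child that executes new lines as a
    future parent (coverage feedback); guided=False always mutates the original seed.
    Returns (crashing input or None, iterations used, final queue size)."""
    rng = random.Random(rng_seed)
    queue = [seed]
    _, covered = run_traced(target, seed)
    for it in range(1, max_iters + 1):
        child = rng.choice(queue)
        for _ in range(rng.randint(1, 3)):   # stack one to three mutations
            child = mutate(rng, child)
        status, lines = run_traced(target, child)
        if status == "crash":
            return child, it, len(queue)
        if guided and not lines <= covered:
            covered |= lines
            queue.append(child)
    return None, max_iters, len(queue)


if __name__ == "__main__":
    seed = bytes(8)
    crash, iters, qlen = fuzz(parse_record, seed)
    print(f"guided: crash on {crash!r} after {iters} iterations, queue size {qlen}")
    blind, iters, _ = fuzz(parse_record, seed, max_iters=20_000, guided=False)
    print(f"blind : {'crash on ' + repr(blind) if blind else 'nothing'} after {iters} iterations")
```

Starting from an all-zero seed with at most three mutations per child, the blind run can never set the four magic bytes at once, so it finds nothing in any budget; the guided run keeps each input that gets past one more check and walks through the magic one byte at a time, then trips the length bug within a few tens of thousands of iterations. Had the magic been compared as a single 4-byte word, the feedback would collapse to one edge and the guided run would be as lost as the blind one, which is why AFL-based setups split multi-byte comparisons (laf-intel, CompareCoverage) and why the instrumentation layer is where most of the engineering goes.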

The intern will be part of a team dedicated to instrumentation tools, which brings together reverse engineers and software developers. He/She will learn how to assess and instrument software, while being able to explore unknown territories by implementing their own ideas in custom tools.

Exercise

Choose a vulnerability (1-day or not ;) ) on any platform, and explain in a short write-up how you were able to find and analyze it using a fuzzer and methods of your choosing. We do not require any further steps, like a fully working exploit (but if you really want to, it will not cause any issue).

Required skills

  • Programming (C is required, C++ is a plus plus)
  • Some knowledge in reverse engineering and fuzzing

Reference

17-internship-fuzz

Duration

Preferably 6 months.

Hyper-V Vulnerability Study

Description

Virtualization is a ubiquitous technology today, and with Windows 10 the technology becomes part of the system. The consequences of bugs in hypervisors are obviously critical for desktop environments but even more so for servers. Vulnerabilities are found, from time to time, in many hypervisor projects including Microsoft Hyper-V.

The objectives of this internship are:

  • To understand the concepts behind virtualization
  • To understand how Hyper-V is built and how it works
  • To study one or more vulnerabilities in Hyper-V
  • To develop a proof of concept for one of those vulnerabilities

The inherent difficulties of this internship are multiple. For instance, although Hyper-V is somewhat officially documented at a high level, it is closed source software and its inner workings are little known. Besides, debugging a hypervisor is not a particularly easy task.

This internship will bring you, undoubtedly, a better knowledge of hypervisors, their design, security and possible problems. You will work in collaboration with other engineers with whom you will exchange information, present your results and finally devise possible technical approaches to attack hypervisors.

Exercise

Choose a recent security advisory (less than 2 years old) targeting the Hyper-V hypervisor and present a personal and detailed analysis of the bug:

  • Root cause
  • Possible ways to exploit the bug
  • Possible detection methods of exploitation attempts.

Required skills

  • C language
  • x86 / x64 Assembly language
  • Windows Kernel
  • Vulnerability Research
  • Virtualization (ideal, but not essential)

Reference

17-internship-hyper-v

Duration

Preferably 6 months.

Security of Protected JTAG

Description

Many vendors use JTAG to debug their products, but in order to protect them after production, they may scatter the JTAG pins across the board, or protect JTAG with a password or a fuse.

One of the activities at Quarkslab is evaluating the security of different devices (boxes, automotive ECUs, IoT devices, etc.), from a combined software and hardware perspective. We constantly need to improve the hardware toolkits we use during hardware security evaluations, trying to reach new vulnerabilities from reasonably accessible hardware.

The purpose of this internship is to study, design and build tools using the JTAG connector as an entry point. Such tools would:

  • find the JTAG pins,
  • configure the JTAG for a specific microcontroller,
  • configure and extract ETM traces if available,
  • bypass the security of protected JTAGs.

You will work closely with engineers of our hardware-oriented team. We will provide a JTAGulator as well as several targets. JTAGenum can also be used to discover the JTAG pins and more.

Exercise

Choose an inexpensive ARM board (or any other board you already have --- send an email with the references of your board if you want a confirmation of your choice) which does not offer debugging capabilities out of the box, and add debug functionality (JTAG/SWD) to it.

You can get inspiration from the following examples on teensy3.1 or teensy3.5.

Then, test your debug setup with a small program. Once done, document your work in a small write-up with photos.

Required skills

  • Good knowledge of the ARM architecture
  • Knowledge of JTAG
  • Programming, designing tools

Reference

17-internship-jtag

Duration

Preferably 6 months.

Security of Wi-Fi stack components

Description

A dominant feature of today's Internet-connected devices is their ability to communicate wirelessly. The Wi-Fi stack is, therefore, a crucial component of such systems.

The purpose of this internship is to study selected Wi-Fi stacks and search for vulnerabilities. The actual work will be divided into two parts. In the first part, the intern will reproduce existing attacks on Wi-Fi stacks and acquire a deep understanding of the mechanisms involved. In the second part, the intern will port these vulnerabilities to routers with similar Wi-Fi chipsets. This can reveal hidden difficulties and subtle system differences that need to be taken care of. The end goal is to expand Quarkslab's knowledge of embedded systems.

Some interesting examples of recent vulnerabilities found in Wi-Fi stacks can be found here and there. This kind of research is what would typically fit into this internship. This is a challenging topic on which you will work with two Quarkslab vulnerability researchers who have previously worked on similar topics.

Exercise

Choose a recent security advisory (less than two years old) in either the Android kernel, the iOS kernel, an embedded operating system or a Wi-Fi stack. Present a technical and detailed analysis: root cause of the bug, exploitability and commentary on the proof of concept code that triggers it.

Required skills

  • Good knowledge of the ARM architecture
  • Understanding of the Linux kernel
  • Programming (C required)
  • Knowledge in reverse engineering and vulnerability research

Reference

17-internship-wifi

Duration

Preferably 6 months.

Vulnerability Monitoring Platform

Description

The growing field of vulnerability discovery and the heterogeneity of systems make it highly difficult to know whether a given system is vulnerable to a given vulnerability or not. As an example, the huge variety of mobile phone devices and the sharing of common components between them blurs the lines of affected devices for a given weak component. Many manufacturers perform really poorly at deploying patches and updates and constantly reduce their support duration, leaving devices vulnerable to new CVEs.

The internship goal is to improve a vulnerability monitoring platform that uses many different frameworks (crawling, database, web, etc.) and targets many systems from mobile to desktop OSes. This internship is mostly development oriented, but many experiments and PoCs are also expected at binary or firmware level, together with analyses of the results produced by the platform.

Exercise

Write a crawler for the Huawei security bulletins, then extract and return the relevant pieces of information in a re-usable format. The nicer the better. The crawler might easily fit in one python file, and should be readable as a p(y)oem.

Hint: (scrapy <3)

Required skills

  • Great python knowledge
  • Openness to many frameworks and subjects
  • Standard knowledge in web technologies

Appreciated skills

  • Good knowledge of the mobile ecosystem
  • Knowledge of python and some python frameworks (flask, scrapy, sqlalchemy)
  • Knowledge in reverse-engineering

Reference

17-internship-monitoring

Duration

Preferably 6 months.
