Internship offers at Quarkslab for the 2018-2019 season

Quarkslab's new internships season is open! Like every year, we are looking for adventurous, motivated and courageous students, impatient to test their skills against real-life research and engineering problems. The topics we propose cover various aspects of the security field, and they all have in common being highly technical, complex and challenging. Be prepared to work hard for your own enjoyment: the satisfaction when overcoming such difficulties is priceless. As an intern, you will work among the amazing Qb crew, whose humour is also priceless.

All internships will take place in our main office in Paris, France. If you are coming from abroad, you will need a proper visa to be with us. At Quarkslab, we encourage remote work, but that does not apply to internships.

Last but not least, we usually train Padawans so that they stay with us once their training period is done, even if that does not mean the training is over :)

How to apply for an internship position at Quarkslab?

To apply for an internship position, you have to send:

  • a CV,
  • a cover letter: avoid the generic letter saying that you are so motivated and that we are so interesting. We welcome a more personal letter which explains why the topic is of particular interest to you, why you, why us :)
  • your proposed solution to the assignment attached to the offer you are interested in,
  • all this can be sent in French or in English.

Send this little package to internship-AT-quarkslab-DOT-com, with the subject field containing the internship reference mentioned in the respective offer.

Do not forget that the secret of a good application is to show what you have already achieved (related to the topic or not).

Each internship offer comes with a little assignment that should not require too much time to be completed. The result will show us not only the type of skills and knowledge you already possess, but also how ingenious you are and how well you can present your reasoning. It will serve as the basis for the interview you will have in the selection process.

For all its internships, Quarkslab is looking for highly motivated, curious and autonomous people who are also structured, creative and team players. You will evolve in a dynamic and easygoing environment where ideas spring from everywhere...

We consider internships as opportunities to spot profiles that match how we work. They are intended to guide students into the professional world as potential future colleagues, if they feel like it and find convincing arguments [1].

Do not be shy, send an application, otherwise you will never know if you would have been selected...

Contact: internship-AT-quarkslab-DOT-com

Please note that all internships are paid and that only students are eligible.

[1] also called croissants...

macOS introspection

Description

Introspection is the ability to monitor the runtime state of a system-level virtual machine. This can be helpful for debugging, forensic analysis and OS understanding. Winbagility is a tool that aims to connect Windbg to a running version of Windows without the /DEBUG flag activated. This makes it possible to analyze kernel-level rootkits and some Windows features that are turned off when /DEBUG is on. The purpose of the internship is to apply the same method with LLDB to allow analysis of a live running version of macOS (LLDBagility?). Once this first step is done, the next objective will be to develop introspection techniques to follow process behavior and better understand some macOS mechanisms. All this work can/will be open-sourced and could be the subject of a public presentation.

Assignment

Do a live macOS physical memory dump with Fast Debugging Protocol and create a tool that can give a valid CR3.
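The assignment asks for a tool that recovers a valid CR3 from a raw physical memory dump. As an added example (not Quarkslab's code, and not the method Winbagility or any LLDBagility uses), here is the logic such a tool needs in Python: a 4-level x86-64 page-table walker (`translate`, `read_virtual`) and a constructed heuristic (`looks_like_table`, `table_depth`, `find_cr3_candidates`) that scans every page of the dump for one from which a full PML4 -> PDPT -> PD -> PT chain of plausible tables exists, then validates the winner by translating a known kernel address. The dump, the kernel address `KERNEL_VA`, the marker string and the decoy pages are all constructed here; with a real dump, pass its path as the first argument and replace `KERNEL_VA`/`MARKER` with an address and content you know.

```python
import struct
import sys

PAGE = 0x1000
PRESENT, LARGE = 1 << 0, 1 << 7                 # bit 0: present; bit 7: 1 GiB / 2 MiB page (PDPTE / PDE)
ADDR_MASK = 0x000FFFFFFFFFF000                  # bits 12..51: physical address of the next table / page
RESERVED_MASK = 0x7FF << 52                     # bits 52..62 must be zero (bit 63 is NX)

# Constructed kernel-space address and page content used to build and validate the toy dump.
KERNEL_VA = 0xFFFFFF8000201000
MARKER = b"Hello from the constructed kernel data page\x00"

def entries(dump, phys):
    return struct.unpack_from("<512Q", dump, phys)

def looks_like_table(dump, phys):
    """Constructed heuristic: every present entry has clear reserved bits and points inside
    the dump, every non-present entry is zero, and at least one entry is present."""
    if phys % PAGE or phys + PAGE > len(dump):
        return False
    present = 0
    for e in entries(dump, phys):
        if e & PRESENT:
            if e & RESERVED_MASK or (e & ADDR_MASK) + PAGE > len(dump):
                return False
            present += 1
        elif e:
            return False
    return present > 0

def table_depth(dump, phys, limit=4):
    """Longest chain of nested table-like pages starting at `phys` (capped at the 4 paging levels)."""
    if limit == 0 or not looks_like_table(dump, phys):
        return 0
    best = 0
    for e in entries(dump, phys):
        if e & PRESENT and not e & LARGE:
            best = max(best, table_depth(dump, e & ADDR_MASK, limit - 1))
            if best == limit - 1:
                break
    return 1 + best

def find_cr3_candidates(dump):
    """Pages that root a full 4-level chain of table-like pages: the PML4 candidates."""
    return [p for p in range(0, len(dump), PAGE) if table_depth(dump, p) == 4]

def translate(dump, cr3, va):
    """4-level x86-64 walk; returns the physical address of `va`, or None if unmapped."""
    table = cr3 & ADDR_MASK
    for level, shift in enumerate((39, 30, 21, 12)):
        if table + PAGE > len(dump):
            return None
        e = struct.unpack_from("<Q", dump, table + ((va >> shift) & 0x1FF) * 8)[0]
        if not e & PRESENT:
            return None
        if level in (1, 2) and e & LARGE:           # 1 GiB page (PDPTE) or 2 MiB page (PDE)
            span = 1 << shift
            return (e & ADDR_MASK & ~(span - 1)) | (va & (span - 1))
        table = e & ADDR_MASK
    return table | (va & (PAGE - 1))

def read_virtual(dump, cr3, va, n):
    """Read `n` bytes at virtual address `va`, crossing pages as needed; None if any page is unmapped."""
    out = bytearray()
    while n:
        pa = translate(dump, cr3, va)
        if pa is None:
            return None
        chunk = min(n, PAGE - (pa & (PAGE - 1)))
        out += dump[pa:pa + chunk]
        va, n = va + chunk, n - chunk
    return bytes(out)

def build_dump():
    """Constructed 32 KiB 'physical memory': one mapping of KERNEL_VA plus decoy pages."""
    dump = bytearray(8 * PAGE)
    pml4, pdpt, pd, pt, data = 0x1000, 0x2000, 0x3000, 0x4000, 0x5000
    def link(table, shift, target):
        idx = (KERNEL_VA >> shift) & 0x1FF
        struct.pack_into("<Q", dump, table + idx * 8, target | PRESENT | 0x2)   # present, writable
    link(pml4, 39, pdpt); link(pdpt, 30, pd); link(pd, 21, pt); link(pt, 12, data)
    dump[data:data + len(MARKER)] = MARKER
    dump[0x6000:0x7000] = bytes([0xAA, 0x55]) * (PAGE // 2)       # garbage page: never a table
    struct.pack_into("<Q", dump, 0x7000, 0xABCDEF000 | PRESENT)   # decoy table pointing outside the dump
    return dump

if __name__ == "__main__":
    dump = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_dump()
    for cr3 in find_cr3_candidates(dump):
        print(f"candidate CR3 {cr3:#x}: {KERNEL_VA:#x} -> {translate(dump, cr3, KERNEL_VA):#x}",
              read_virtual(dump, cr3, KERNEL_VA, len(MARKER)))
```

The heuristic deliberately rejects the PDPT, PD and PT pages (they root chains of depth 3, 2 and 1) and the decoy whose entry points outside the dump; on a real machine you would also expect the kernel PML4 to have entries in the upper half (indices 256 and above), which is an easy extra filter.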

Required skills

  • Virtual memory translation
  • Good understanding of OS
  • C and Python programming

Duration

Preferably 6 months

Reference

18-internship-osxintrospection

Improved diffing strategies on Android applications

This position is filled

Description

As mobile applications become larger and are updated more frequently, being able to identify changes between versions makes it possible to shorten reverse engineering and to focus analysis on the changes. It is common in Android to have applications with more than 100 000 methods. Therefore, diffing algorithms need to be efficient in terms of speed and memory consumption.

One goal of the internship is to improve diffing strategies on large applications as well as obfuscated ones. An example of such optimizations would be the simhash algorithm that makes it possible to cluster the objects being compared. Another objective of this internship is to compare applications based on dynamic information such as call traces or Android events. This involves finding a proper way to normalize the information and then a method to compare the objects: Which features are relevant? How to compare them?

During this internship, you will be working on a set of tools developed at Quarkslab to compare Android applications. You will learn to combine your development and reverse engineering skills within a team dedicated to instrumentation and tool development.
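The simhash idea mentioned above, as an added example in Python (not code from Quarkslab's diffing tools): each method is turned into a weighted set of features (here its opcode 3-grams, a constructed choice), each feature casts a +w/-w vote on every bit of a 64-bit fingerprint, and the sign of each total gives the bit. Similar methods land at small Hamming distance, and `SimhashIndex` buckets the fingerprints by 16-bit bands so that only bucket-mates are compared instead of all 100 000 x 100 000 pairs. The opcode sequences `A`, `B` and `C` are constructed: B is A with one branch condition changed, C is unrelated.

```python
import hashlib
from collections import Counter

BITS = 64

def feature_hash(feature):
    """Stable 64-bit hash of one feature (blake2b with an 8-byte digest; a constructed choice)."""
    return int.from_bytes(hashlib.blake2b(feature.encode(), digest_size=8).digest(), "big")

def opcode_ngrams(opcodes, n=3):
    """Weighted feature set of a method: its opcode n-grams with their counts."""
    return Counter(" ".join(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1))

def simhash(features):
    """Charikar simhash: every feature votes +w/-w on each bit; the sign of the total is the bit."""
    votes = [0] * BITS
    for feat, weight in features.items():
        h = feature_hash(feat)
        for b in range(BITS):
            votes[b] += weight if (h >> b) & 1 else -weight
    return sum(1 << b for b in range(BITS) if votes[b] > 0)

def hamming(a, b):
    return bin(a ^ b).count("1")

class SimhashIndex:
    """Split each fingerprint into `bands` slices and bucket by slice: two fingerprints within
    Hamming distance bands-1 must agree on at least one slice, so only bucket-mates get compared."""
    def __init__(self, bands=4):
        self.bands, self.width, self.buckets = bands, BITS // bands, {}

    def _keys(self, fp):
        mask = (1 << self.width) - 1
        return [(i, (fp >> (i * self.width)) & mask) for i in range(self.bands)]

    def add(self, name, fp):
        for key in self._keys(fp):
            self.buckets.setdefault(key, set()).add(name)

    def candidates(self, fp):
        found = set()
        for key in self._keys(fp):
            found |= self.buckets.get(key, set())
        return found

def nearest(index, fingerprints, name):
    """Closest other method among the bucket-mates of `name`, as (distance, other name)."""
    fp = fingerprints[name]
    others = [(hamming(fp, fingerprints[o]), o) for o in index.candidates(fp) if o != name]
    return min(others) if others else None

# Constructed Dalvik opcode sequences (not taken from any real application).
A = ("iget-object invoke-virtual move-result-object const-string invoke-virtual move-result if-eqz "
     "const/4 iget-object invoke-interface move-result-object check-cast iput-object const/4 if-nez "
     "invoke-direct goto iget new-instance invoke-direct invoke-static move-result-object iput-object "
     "return-void").split()
B = list(A)
B[6] = "if-nez"          # one branch condition flipped, as after a small patch
C = ("sget-object const/16 new-array aput-object const/4 aget-object invoke-static move-result-wide "
     "cmp-long if-gez long-to-int add-int/lit8 shl-int mul-int xor-int/2addr rem-int array-length "
     "if-lt return").split()

def fingerprint_all(methods):
    return {name: simhash(opcode_ngrams(ops)) for name, ops in methods.items()}

if __name__ == "__main__":
    fps = fingerprint_all({"A": A, "B": B, "C": C})
    idx = SimhashIndex()
    for name, fp in fps.items():
        idx.add(name, fp)
    print("d(A,B) =", hamming(fps["A"], fps["B"]), " d(A,C) =", hamming(fps["A"], fps["C"]))
    print("nearest to A among its bucket-mates:", nearest(idx, fps, "A"))
```

The band trick is exact only up to distance `bands - 1`; pairs further apart may or may not share a bucket, which is the usual recall/speed compromise when clustering a large application. Against obfuscation, the feature choice matters more than the hash: opcode n-grams survive renaming, but not control-flow flattening, so structural features (basic-block counts, call targets) would be added to the feature set.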

Required skills

  • Good understanding of Android applications (Layout, Dalvik Bytecode)
  • Knowledge in reverse engineering
  • Fluent in Python (C++ is a plus)

Duration

Preferably 6 months

Memory access tracing & visualization

Description

Manual reverse engineering can be a tedious task on real-world applications: you often need to follow the same steps over and over again, locating the buffers associated with your targets, looking at how they are handled by functions, how they are passed to other functions and how the data is handled. Furthermore, when a piece of code has been misunderstood, the target has to be rerun if it is analyzed dynamically, or the manual analysis restarted from some earlier point in the case of static analysis.

When considering a huge native code base with thousands of C/C++ functions and undocumented algorithms, it becomes worthwhile to automate some of those steps for reversers' daily use, and that is the role of this internship.

With an internal tool as base, you will have to:

  • Develop a way to track memory accesses over time in a cross-architecture context with the help of Quarkslab Dynamic binary Instrumentation (https://qbdi.quarkslab.com/);
  • Use and improve Quarkslab's internal trace format to manipulate data acquired from instrumentation;
  • Find some well chosen methods to visualize memory and be able to partially rebuild it at any point of an instrumented code.

The main difficulties of the internship are linked to three points:

  • Finding compromises to define the memory ranges to trace;
  • Making things work smoothly at scale (huge code to trace);
  • Making the visualization pleasant to use.

At first, the focus will be on the x86 architecture, without forgetting the ARM architecture for the next steps.
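The second and third bullets above (a trace format for memory accesses, and rebuilding memory at any point of the instrumented run) as an added Python example. It is not Quarkslab's trace format nor QBDI code: the `Access` record is a constructed stand-in for what an instrumentation callback would emit, and `MemTrace` keeps only the accesses overlapping a chosen range (the first bullet's compromise), replays the writes to rebuild the bytes of any part of that range after any access, and answers "which instructions touched this buffer" and "who wrote this byte last". The trace itself (`constructed_trace`) is invented: an input copied into a buffer, then a loop that reads and rewrites each byte.

```python
from collections import namedtuple

# One memory access as the instrumentation would report it (constructed format):
# value holds the bytes written for a "W", None for a "R".
Access = namedtuple("Access", "seq pc kind addr size value")

class MemTrace:
    """Time-ordered memory accesses restricted to one traced range; the content of any
    part of that range at any point in time is rebuilt by replaying the writes."""

    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi
        self.accesses = []

    def record(self, pc, kind, addr, size, value=None):
        """Keep the access only if it overlaps the traced range; returns whether it was kept."""
        if addr + size <= self.lo or addr >= self.hi:
            return False
        if kind == "W" and (value is None or len(value) != size):
            raise ValueError("a write needs exactly `size` bytes of value")
        self.accesses.append(Access(len(self.accesses), pc, kind, addr, size, value))
        return True

    def rebuild(self, addr, size, upto):
        """Bytes of [addr, addr+size) as known right after access #upto; None where nothing was written yet."""
        mem = [None] * size
        for a in self.accesses:
            if a.seq > upto:
                break
            if a.kind != "W":
                continue
            for i in range(a.size):
                off = a.addr + i - addr
                if 0 <= off < size:
                    mem[off] = a.value[i]
        return mem

    def touching(self, addr, size, kind=None):
        """Every access overlapping [addr, addr+size), optionally only reads ("R") or writes ("W")."""
        return [a for a in self.accesses
                if a.addr < addr + size and addr < a.addr + a.size and kind in (None, a.kind)]

    def last_writer(self, addr, upto):
        writers = [a for a in self.touching(addr, 1, "W") if a.seq <= upto]
        return writers[-1] if writers else None

BUF = 0x7000   # constructed address of the buffer holding the user input

def constructed_trace():
    """Invented run: the input "qb!!!" is copied into BUF, then a loop reads each byte and
    writes it back XORed with 0x21. Program counters and addresses are made up."""
    t = MemTrace(BUF, BUF + 16)
    t.record(0x401000, "W", BUF, 8, b"qb!!!\x00\x00\x00")     # copy of the input (memcpy-like)
    t.record(0x401010, "W", 0x8000, 4, b"\x00" * 4)           # unrelated write outside the range: dropped
    for i in range(5):
        t.record(0x401020 + 4 * i, "R", BUF + i, 1)
        t.record(0x401024 + 4 * i, "W", BUF + i, 1, bytes([b"qb!!!"[i] ^ 0x21]))
    return t

def timeline(trace, addr, size):
    """Snapshot of [addr, addr+size) after every access: the raw material of a memory-over-time view."""
    return [(a.seq, a.pc, trace.rebuild(addr, size, a.seq)) for a in trace.accesses]

if __name__ == "__main__":
    t = constructed_trace()
    for seq, pc, mem in timeline(t, BUF, 8):
        print(f"#{seq:02d} pc={pc:#x} " + " ".join("??" if b is None else f"{b:02x}" for b in mem))
    print("last writer of BUF[0]:", t.last_writer(BUF, len(t.accesses) - 1))
```

Storing full values per write keeps `rebuild` trivial but costs memory at scale; a production format would keep the values in a separate append-only blob and index writes by page, so that rebuilding one buffer does not replay the whole trace.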

Assignment

Solve the provided Android ARM32 crackme (password: qb!!!) in 2 ways:

  • Using standard reverse engineering techniques;
  • By writing a tool that is able to capture memory accesses (read/write) on the buffer associated with the user input and analyzing your output trace.

Don't forget to write a short tutorial explaining how you proceeded.

Required skills

  • Python, C & C++ programming
  • ARM & x86 (both 32 & 64 bits) main instructions
  • Basics of reverse engineering (static / dynamic)

Duration

Preferably 6 months

Reference

18-internship-mem-tracing-vis

Study of Android secure bootchains

This position is filled

Description

Secure boot is the process by which a system turned off is brought up to a known good state when it is turned on. The process generally involves the chained execution of native code packaged in multiple binary files that are loaded, verified to be authentic and not tampered with, and executed in a sequence that ends with the system ready to run as intended by the manufacturer or user.

This mechanism is crucial to ensure the integrity and authenticity of the code being executed on the platform. If an attacker were to find a vulnerability in the chain, they would be able to corrupt the entirety of the target.

The purpose of this internship is to study the secure boot implementations available on several Android platforms and search for vulnerabilities, with the main goal of expanding Quarkslab's knowledge of embedded systems.
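The chained verification described above, as an added Python example (a simplified model written for this page, not the code of any Android bootloader): each stage image carries the hash of the stage after it, the hash of the first stage plays the role of the value burned into fuses, and `boot` accepts a stage only if its hash matches what the previous, already trusted stage announced. Real chains use signatures over the next stage (or over a descriptor such as vbmeta) rather than a bare hash, so that stages can be updated without changing the fused value; the hash-chain model is enough to show why a single broken link compromises everything after it and why "fixing up" a header does not help an attacker. The image format and stage names are constructed.

```python
import hashlib

HASH_LEN = 32

def sha256(data):
    return hashlib.sha256(data).digest()

def make_stage(name, code, next_hash):
    """Constructed image format: 16-byte name, 32-byte hash of the next stage, then the code."""
    return name.encode().ljust(16, b"\0") + next_hash + code

def parse_stage(image):
    return image[:16].rstrip(b"\0").decode(), image[16:16 + HASH_LEN], image[16 + HASH_LEN:]

def build_chain(stages):
    """Build images back to front so each header can carry the hash of the stage after it.
    Returns (images, root_hash); root_hash is what a device would burn into fuses."""
    images, next_hash = [], b"\0" * HASH_LEN      # the last stage expects nothing after it
    for name, code in reversed(stages):
        image = make_stage(name, code, next_hash)
        images.insert(0, image)
        next_hash = sha256(image)
    return images, next_hash

def boot(root_hash, images):
    """Accept (in a real device: execute) each stage only if its hash matches what the previous,
    already trusted stage says it should be. Returns (names of stages booted, status)."""
    expected, booted = root_hash, []
    for i, image in enumerate(images):
        if sha256(image) != expected:
            return booted, f"refusing stage {i}: hash mismatch"
        name, expected, _code = parse_stage(image)
        booted.append(name)
    return booted, "ok"

# Constructed chain with Android-style stage names; the code is dummy bytes.
STAGES = [("sbl1", b"primary bootloader"),
          ("aboot", b"application bootloader"),
          ("boot.img", b"kernel+ramdisk")]

def tamper_last_stage(images):
    """Flip one bit in the final stage: the stage before it refuses to hand over."""
    bad = list(images)
    bad[-1] = bad[-1][:-1] + bytes([bad[-1][-1] ^ 1])
    return bad

def tamper_and_fix_header(images):
    """Also rewrite the previous stage's header to expect the tampered hash: that changes the
    previous stage's own hash, so the refusal moves one link up instead of disappearing."""
    bad = tamper_last_stage(images)
    name, _old_hash, code = parse_stage(bad[-2])
    bad[-2] = make_stage(name, code, sha256(bad[-1]))
    return bad

if __name__ == "__main__":
    images, root = build_chain(STAGES)
    print("fused root hash:", root.hex())
    print("clean chain:      ", boot(root, images))
    print("tampered kernel:  ", boot(root, tamper_last_stage(images)))
    print("patched header:   ", boot(root, tamper_and_fix_header(images)))
```

The model also makes the usual implementation pitfalls visible: the stage must hash exactly the bytes it will execute (loading into RAM first and hashing there, not hashing flash and then re-reading it), and the comparison, the parser and the loader of each stage are the attack surface the internship is about.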

Some interesting examples of recent vulnerabilities found in boot chains can be found:

This kind of research is what would typically fit into this internship. This is a challenging topic on which you will work with three Quarkslab vulnerability researchers who have previously worked on similar topics.

Required skills

  • Good knowledge of the ARM architecture
  • Programming (C required)
  • Knowledge in low-level reverse engineering and vulnerability research

Duration

Preferably 6 months

Reference

18-internship-secure-boot

Automotive Security: CAN bus exploration

Description

CAN buses are still the #1 target for car hackers because most critical systems of a car (also called ECUs) are connected to such buses. During a security evaluation on cars, we often have to perform the same preliminary tasks in order to better understand the organisation of the different ECUs:

  • finding the IDs of all ECUs
  • finding the commands they respond to
  • finding their specific ways of communication
  • finding the different sessions implemented in a specific ECU
  • finding the security algorithms involved in a specific ECU

All these tasks can be done with Python scripts, but we found out that, most of the time, each ECU has its own implementation of communication standards like UDS:

  • some will answer immediately
  • some will answer with a delay
  • some will implement an anti-fuzzing/flooding mechanism
  • some will just ignore the invalid messages and send no answer

The purpose of this internship is to do some research on automotive ECUs and develop generic tools that will be able to adapt to each situation and give a report of the ECUs' capabilities.
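The four ECU behaviours listed above are exactly what the response-handling logic of such a tool has to absorb. As an added Python example (not Quarkslab's tooling), here is that logic for UDS over ISO-TP single frames: `collect` keeps the frames that arrive before the client timeout and, as ISO 14229 requires, extends the deadline from P2 to P2* each time the ECU answers `0x7F <sid> 0x78` (response pending); `classify` then reads the positive response (SID + 0x40) or the negative response code, and splits NRCs into "service absent", "service present but request rejected", and "back off" (busyRepeatRequest, what an anti-flooding ECU sends). The `SIMULATED` replies are constructed; the NRC numbers and names are the standard's.

```python
UDS_NEGATIVE, NRC_RESPONSE_PENDING = 0x7F, 0x78
P2_MS, P2_STAR_MS = 50, 5000   # ISO 14229 client timeouts: P2 for the first reply, P2* after a 0x78

# Negative response codes (ISO 14229), grouped by what they tell a capability scanner.
NRC_SERVICE_ABSENT = {0x11: "serviceNotSupported", 0x7F: "serviceNotSupportedInActiveSession"}
NRC_SERVICE_PRESENT = {0x12: "subFunctionNotSupported", 0x13: "incorrectMessageLengthOrInvalidFormat",
                       0x22: "conditionsNotCorrect", 0x31: "requestOutOfRange",
                       0x33: "securityAccessDenied", 0x7E: "subFunctionNotSupportedInActiveSession"}
NRC_BACKOFF = {0x21: "busyRepeatRequest"}   # anti-flooding ECU: slow down before retrying

def isotp_single_frame(payload):
    """ISO-TP single frame: PCI nibble 0, length nibble, payload, zero padding to 8 bytes."""
    assert len(payload) <= 7
    return bytes([len(payload)]) + payload + b"\x00" * (7 - len(payload))

def unwrap_single_frame(data):
    """Payload of a single frame; None for first/consecutive/flow-control frames (not modelled here)."""
    if len(data) != 8 or data[0] >> 4 != 0:
        return None
    return data[1:1 + (data[0] & 0x0F)]

def collect(responses, p2_ms=P2_MS, p2_star_ms=P2_STAR_MS):
    """responses: (t_ms since the request, 8-byte CAN data). Keep the frames that beat the
    deadline; each 0x78 'response pending' pushes the deadline out to P2*."""
    deadline, kept = p2_ms, []
    for t_ms, data in sorted(responses):
        if t_ms > deadline:
            break
        kept.append((t_ms, data))
        p = unwrap_single_frame(data)
        if p and len(p) >= 3 and p[0] == UDS_NEGATIVE and p[2] == NRC_RESPONSE_PENDING:
            deadline = t_ms + p2_star_ms
    return kept

def classify(sid, kept):
    """What the kept frames say about service `sid`: positive / present / absent / backoff / silent."""
    pending = 0
    for t_ms, data in kept:
        p = unwrap_single_frame(data)
        if not p:
            continue
        if p[0] == sid + 0x40:                       # positive response SID = request SID + 0x40
            return {"status": "positive", "nrc": None, "pending": pending, "latency_ms": t_ms}
        if p[0] == UDS_NEGATIVE and len(p) >= 3 and p[1] == sid:
            nrc = p[2]
            if nrc == NRC_RESPONSE_PENDING:
                pending += 1
                continue
            status = ("absent" if nrc in NRC_SERVICE_ABSENT else "present" if nrc in NRC_SERVICE_PRESENT
                      else "backoff" if nrc in NRC_BACKOFF else "negative")
            return {"status": status, "nrc": nrc, "pending": pending, "latency_ms": t_ms}
    return {"status": "silent", "nrc": None, "pending": pending, "latency_ms": None}

# Constructed replies, one per behaviour (t_ms is the time since the request was sent).
SF = isotp_single_frame
SIMULATED = {
    "immediate": (0x10, [(2, SF(bytes([0x50, 0x01, 0x00, 0x32, 0x01, 0xF4])))]),
    "pending":   (0x22, [(10, SF(bytes([0x7F, 0x22, 0x78]))), (400, SF(bytes([0x7F, 0x22, 0x78]))),
                         (1200, SF(bytes([0x62, 0xF1, 0x90, 0x41])))]),
    "late":      (0x11, [(300, SF(bytes([0x51, 0x03])))]),   # answers, but only after P2, with no 0x78
    "absent":    (0x3E, [(3, SF(bytes([0x7F, 0x3E, 0x11])))]),
    "flooded":   (0x27, [(3, SF(bytes([0x7F, 0x27, 0x21])))]),
    "silent":    (0x27, []),
}

def probe_all(p2_ms=P2_MS):
    return {name: classify(sid, collect(frames, p2_ms))["status"] for name, (sid, frames) in SIMULATED.items()}

if __name__ == "__main__":
    print("default P2:  ", probe_all())
    print("P2 = 500 ms: ", probe_all(500))
```

The "late" ECU is the interesting one: with the default P2 it is indistinguishable from a silent ECU, and only a tool that adapts its timeout per ECU (or measures the latency of a known-good service first) reports it correctly. Likewise, a "backoff" verdict should be fed back into the send rate rather than counted as "not supported".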

Assignment

We just got a new firmware to analyze. We know that it comes from an ECU supporting KWP commands. The architecture is MPC5565, and the core CPU is an e200z6, a big-endian PPC using VLE instruction encoding.

The purpose of this assignment is to find the list of supported KWP commands and the address of the corresponding handlers. The resolution of this assignment should be clearly explained, with details on methods and tools used.

As a bonus, we are particularly interested in the "Security Access" command. Can you explain how it works and what kind of security algorithm is used in this function?

The firmware can be downloaded here

Required skills

  • Python and embedded C programming
  • reverse engineering
  • some knowledge on CAN bus is a (big) plus

Duration

Preferably 6 months

Reference

18-internship-canbus

IRMA Detection Coverage & Performance

Description

IRMA is our file analysis solution. The goal of this internship is to automatically assess IRMA performance and coverage over a given set of malicious or clean files.

  • Automate the malware collection life-cycle (grab some new, clean some old), be able to reproduce tests
  • Automate the deployment of IRMA on a given hardware with a given configuration
  • Automate the analysis and reporting

Assignment

You may know the traceroute command on Unix. Given a host, it shows the intermediate hosts with their latency, e.g.:

%  traceroute fr.wikipedia.org
traceroute to rr.knams.wikimedia.org (145.97.39.155), 30 hops max, 38 byte packets
1  80.67.162.30 (80.67.162.30)  0.341 ms  0.300 ms  0.299 ms
2  telehouse2-gw.netaktiv.com (80.67.170.1)  5.686 ms  1.656 ms  0.428 ms
3  giga.gitoyen.net (80.67.168.16)  1.169 ms  0.704 ms  0.563 ms
4  62.4.73.27 (62.4.73.27)  2.382 ms  1.623 ms  1.297 ms
5  ge5-2.mpr2.cdg2.fr.above.net (64.125.23.86)  1.196 ms ge9-4.mpr2.cdg2.fr.above.net (64.125.23.102)  1.290 ms ge5-1.mpr2.cdg2.fr.above.net (64.125.23.82)  30.297 ms
6  so-5-0-0.cr1.lhr3.uk.above.net (64.125.23.13)  41.900 ms  9.658 ms  9.118 ms
7  so-7-0-0.mpr1.ams5.nl.above.net (64.125.27.178)  23.403 ms  23.209 ms  23.703 ms
8  64.125.27.221.available.above.net (64.125.27.221)  19.149 ms so-0-0-0.mpr3.ams1.nl.above.net (64.125.27.181)  19.378 ms 64.125.27.221.available.above.net (64.125.27.221)  20.017 ms
9  PNI.Surfnet.ams1.above.net (82.98.247.2)  16.834 ms  16.384 ms  16.129 ms
10  af-500.xsr01.amsterdam1a.surf.net (145.145.80.9)  21.525 ms 20.645 ms  24.101 ms
11  kncsw001-router.customer.surf.net (145.145.18.158)  20.233 ms 16.868 ms  19.568 ms
12  gi0-24.csw2-knams.wikimedia.org (145.97.32.29)  23.614 ms  23.270 ms  23.574 ms
13  rr.knams.wikimedia.org (145.97.39.155)  23.992 ms  23.050 ms 23.657 ms

We want you to play a bit with python and the traceroute command. First, write a small program in python3 able to call traceroute, to parse its information and to put it in a database (feel free to use the storage you find the most suited, just a file might be enough).

Then, write a second program that reads this database and displays useful information about it (e.g. a graph, some statistics, a path from one host to another, etc.).

With this assignment, we want you to show your ability to parse unformatted data, to use it efficiently, and to display it nicely. Make a clever use of traceroute options, store your data in a structure that is easy to understand and process, show relevant information.
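The parsing half of the assignment, as an added Python 3 example (my code, not a Quarkslab solution): `parse_traceroute` turns the output format shown above into structured records, including the two awkward cases visible in it (a hop where consecutive probes were answered by different routers, printed as several "host (ip)" groups on one line) and the one not shown (`*` for a probe that got no reply). `save`/`load` keep one JSON record per line, and `hop_stats` is a minimal second program over that storage. `SAMPLE_OUTPUT` is an excerpt of the run above plus one constructed hop-6 line with two timeouts; `run_traceroute` uses the real `traceroute -m` option to cap the hop count.

```python
import json
import re
import subprocess
from statistics import mean

# Excerpt of the traceroute output shown above, plus one constructed line (hop 6) where
# the first two probes timed out, to exercise the "*" case.
SAMPLE_OUTPUT = """\
traceroute to rr.knams.wikimedia.org (145.97.39.155), 30 hops max, 38 byte packets
 1  80.67.162.30 (80.67.162.30)  0.341 ms  0.300 ms  0.299 ms
 2  telehouse2-gw.netaktiv.com (80.67.170.1)  5.686 ms  1.656 ms  0.428 ms
 5  ge5-2.mpr2.cdg2.fr.above.net (64.125.23.86)  1.196 ms ge9-4.mpr2.cdg2.fr.above.net (64.125.23.102)  1.290 ms ge5-1.mpr2.cdg2.fr.above.net (64.125.23.82)  30.297 ms
 6  * * so-5-0-0.cr1.lhr3.uk.above.net (64.125.23.13)  41.900 ms
"""

HEADER_RE = re.compile(r"^traceroute to (\S+) \(([\d.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# Inside a hop line: "host (ip)" names the responder for the RTTs that follow it,
# "*" is one unanswered probe, "x ms" is one answered probe.
TOKEN_RE = re.compile(r"(\S+) \(([\d.]+)\)|(\*)|([\d.]+) ms")

def parse_traceroute(text):
    """Return {'target', 'target_ip', 'hops': [{'hop', 'probes': [{'host', 'ip', 'rtt_ms'}]}]}."""
    record = {"target": None, "target_ip": None, "hops": []}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            record["target"], record["target_ip"] = m.group(1), m.group(2)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, host, ip = {"hop": int(m.group(1)), "probes": []}, None, None
        for tok in TOKEN_RE.finditer(m.group(2)):
            if tok.group(1):                              # new responder for the following RTTs
                host, ip = tok.group(1), tok.group(2)
            elif tok.group(3):                            # "*": no reply for this probe
                hop["probes"].append({"host": None, "ip": None, "rtt_ms": None})
            else:                                         # one answered probe
                hop["probes"].append({"host": host, "ip": ip, "rtt_ms": float(tok.group(4))})
        record["hops"].append(hop)
    return record

def run_traceroute(host, max_hops=30):
    """Call the system traceroute (capped at max_hops TTLs with -m) and parse its output."""
    out = subprocess.run(["traceroute", "-m", str(max_hops), host],
                         capture_output=True, text=True, check=True).stdout
    return parse_traceroute(out)

def save(record, path):
    """Append one JSON document per run: trivial to grep, diff and load back."""
    with open(path, "a") as f:
        f.write(json.dumps(record) + "\n")

def load(path):
    with open(path) as f:
        return [json.loads(line) for line in f if line.strip()]

def hop_stats(record):
    """Per hop: distinct responders, mean RTT of the answered probes, and the loss ratio."""
    stats = []
    for hop in record["hops"]:
        rtts = [p["rtt_ms"] for p in hop["probes"] if p["rtt_ms"] is not None]
        stats.append({
            "hop": hop["hop"],
            "responders": sorted({p["ip"] for p in hop["probes"] if p["ip"]}),
            "mean_rtt_ms": round(mean(rtts), 3) if rtts else None,
            "loss": round(1 - len(rtts) / len(hop["probes"]), 2) if hop["probes"] else None,
        })
    return stats

if __name__ == "__main__":
    import sys
    record = run_traceroute(sys.argv[1]) if len(sys.argv) > 1 else parse_traceroute(SAMPLE_OUTPUT)
    save(record, "traces.jsonl")
    for s in hop_stats(load("traces.jsonl")[-1]):
        print(s)
```

Hop 5 shows why the parser tracks the current responder rather than assuming one host per line: a hop answered by several routers is a sign of load balancing, and a graph built from these records should draw one edge per responder, not per hop.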

Required skills

  • Comfortable with a Unix environment.
  • Good knowledge of Python 3.
  • Devops tools knowledge is a bonus (vagrant/ansible).
  • Gitlab / Jenkins knowledge is a bonus.

Duration

Preferably 6 months

Reference

18-internship-irma
