The internship season is back at Quarkslab! Our internship topics cover a wide range of our expertise and aim at tackling new challenges, namely:
- 🟢 Bluetooth Low Energy GATT Fuzzing
- 🟢 Gecko Bootloader Vulnerability Research
- 🟠 Starlink Vulnerability Research
- 🟢 XSS Tooling + DOM XSS Research
- 🟢 App Protections for dummies - Obfuscation and Runtime App Self Protections (RASP)
- 🟢 Smooth running the SaaS with cloud-oriented metrics
- 🟢 Test suite for cryptographic primitives
We are also welcoming people with wide but realistic creativity, so if you have an idea and want to join the team, don't hesitate to reach out to discuss it with our experts!
Our goal is to publish most of the results of our internships. Here are some examples of publications from previous internships:
- a Kubernetes penetration testing tool, named kdigger;
- a Black Hat EU talk on the Google Titan M chip;
- a blogpost on defeating eBPF uprobe monitoring;
- a series of blogposts on Linux containers, Docker and runc.
Quarkslab's team is always pleased to welcome new talents who want to work on complex security research subjects. If you want to face new challenges and work in a dynamic environment where curiosity and teamwork are at the heart of our way to do R&D, please apply!
How to Apply?
To apply for an internship position, you must be a student, able to communicate effectively technical matters in written and spoken English, and willing to present the results of your internship to a large group of curious Quarkslab colleagues.
To apply prepare the following elements:
- a resume;
- a cover letter: avoid the generic letter saying that you are so motivated and that we are so interesting. We welcome a more personal letter which explains why the topic is of particular interest to you, why you, and why us;
- your proposed solution to the assignment attached to the offer you are interested in;
- your preference between
pain au chocolator
Package these elements and send them via email to
internship-AT-quarkslab-DOT-com, with the subject field containing the internship name mentioned in the respective offer.
Do not forget that the key aspect of a good application is to show what you have already achieved, related to the topic or not. So do not be shy and apply! We know that you can do it.
Each internship offer comes with a little assignment that should not require too much time to be completed. The result will show us not only the type of skills and knowledge you already possess, but also how ingenious you are and how well you can present your reasoning. It will serve as the basis for the interview you will have in the selection process. The assignment works both ways and is also intended to make sure that you like the topic as well as the technical aspects of the internship. If unsure about a specific aspect of a challenge, do not hesitate to drop us an email. We want to discuss not frustrate you!
The first applications usually reach us by November, and we start reviewing them right away. Every year, the filling is alike: half of the internships are filled by Christmas, while the others remain open until March.
Did you notice the colored circles next to the title of the offers at the top of this blogpost? They reflect the state of internships:
- 🟢 Waiting for applications.
- 🟠 Reviewing applications, we are still accepting internship assignments but hurry up.
- 🔴 Internship is filled.
Being an Intern at Quarkslab
We consider internships as opportunities to spot profiles that match how we work. They are intended to guide students to enter the professional world as potential future colleagues if they feel like it. We love interns because they bring fresh air to the company and because we see them grow, not only during the internship but also after, when they are hired and can get to work on so many other topics. There are two goals in every internship we offer:
- Exploring a topic we don't necessarily know very well, hence training the new expert on the topic.
- Hiring you after the internship to keep and share your new expertise with colleagues.
Training and growing people in the security industry is part of the company's DNA. That is why we provide in-depth blogposts, tools, trainings, weekly internal conferences (called fridaycon, guess when they are), we teach in universities and schools, write articles in tech magazines and send our less experienced hires to a 6-month intensive training program (BADGE-RE or BADGE-SO). Sharing is caring, but sharing is also learning. We provide the environment for that the rest relies on you.
Intern package in France:
- Salary: 1800€ gross per month (approximately 1550€ net).
- "Tickets restaurant" (restaurant coupons).
- In-depth and challenging topics.
Bluetooth Low Energy GATT Fuzzing
Bluetooth Low Energy has been subject to a lot of research so far (such as the famous InternalBlue or SweynTooth attacks) but a few of them targeted some corner-cases of the specification that require high-level manipulation of the GATT layer.
The goal of the proposed internship is to implement a flexible and permissive Bluetooth Low Energy stack compatible with our internal BLE tools and to perform some high-level fuzzing of multiple BLE stack implementations. Development/modification of an embedded firmware may also be required to fit the needs regarding this fuzzing approach.
Knowledge of the Bluetooth Low Energy specification may be a plus.
- knowledgeable in embedded C/C++ and Python 3;
- familiar with embedded firmware reverse-engineering;
- familiar with embedded debugging tools.
Prepare a write-up of CVE-2019-19194, detailing the root cause of this vulnerability and how it can be exploited. Create a proof-of-concept for this vulnerability, using Scapy (it can be a theoretical proof-of-concept).
Paris or Rennes
3 to 6 months
Gecko Bootloader Vulnerability Research
Silicon Labs is a chip builder with several network-targeted features like BLE and Zigbee. These chips are the base of many connected objects, compromising this chip means compromising all these connected objects insofar as they use the vulnerable functionality.
The objective of the proposed internship is to investigate the SDK offered by Silicon Labs, the Gecko SDK (GSDK). In particular, its OTA functionality, which seems to be state of the art on these protections, but what about the code that composes it?
- experience in reversing C or C++;
- knowledge of the ARM architecture;
- some experience with an emulation framework such as Unicorn;
- file format reverse engineering will be a plus.
What you will do
- Reverse some firmware format.
- Analyze the stack Zigbee/Bluetooth use for the updates.
- Search for some vulnerabilities.
These are an ARM binary used to flash a new firmware provided as an argument, as well as a dummy firmware and a name for the file to be flashed. Your goal is to find the appropriate format to flash this firmware.
You are not allowed to modify the flashing binary.
Paris or Rennes
Starlink Vulnerability Research
Starlink is the famous satellite-based internet solution by Space X. This solution already counts more than 400 000 subscribers all around the world, using the very same infrastructure. Starlink relies on 3 components:
- a user terminal, which communicates with the satellites, and on which most of the current research is focusing;
- a satellite fleet acting as a mesh network;
- a gateway that connects the satellites to the internet.
Numerous studies have already been conducted on the subject, mainly on the user terminal. During this internship, you will continue the analysis of Starlink and focus on how the user terminal communicates with the rest world. This will require you to reverse engineer its firmware and the various protocols in use. Doing so will help you study the attack surface of the terminal and bring you to the final phase of this internship: vulnerability research.
- reverse engineering skills;
- knowledge of the ARM architecture and Linux;
- knowledge in vulnerability research;
- preferably some knowledge of hardware attacks and basic PCB design (optional).
What you will do
- Reverse engineer the firmware and network protocols.
- Study the attack surface and perform vulnerability research.
Describe the root cause and an exploitation path (a PoC, even nonfunctional, will be appreciated).
Paris or Rennes
XSS Tooling + DOM XSS Research
Cross-site scripting (XSS) vulnerabilities are still present on many websites. Whether they are volatile, persistent or in the DOM, they could cause significant damage when exploited by attackers. Although many tools detect this type of vulnerability, many of them do not manage to identify all types of injections. One of the reasons is that they are based on obsolete methods and incomplete payloads.
Experience with Node.js would be considered a plus.
- Puppeteer, or an equivalent tool.
What you will do
- Study the existing documentation/tools related to the topic tool development.
- Perform vulnerability research.
With the help of Node.js and Puppeteer you'll have to develop a simple script detecting a browser popup (e.g. a valid XSS).
3 or 6 months
App Protections for dummies - Obfuscation and Runtime App Self Protections (RASP)
At Quarkslab, we have been developing application protection tools since 2014, featuring obfuscation and runtime application self protections (RASP). This tool relies on a compiler framework, LLVM, and thus comes as a replacement of the regular compiler used by our customers.
A challenge we face is to explain the impact of these protections to our customers during sales meetings, events, and technical training processes: many of our partners have limited or even no knowledge about reverse engineering and the internals of a compiler.
The goal of this internship is to design a series of demonstrations (code and documentation) and presentations for the protections provided by our tools. You will work under the supervision of our Product Manager, with the support of the engineering, marketing and CX teams. You will first have to understand how the tool and its various protections work, and then find ways to make them accessible to non-experts.
To qualify as a candidate, you should:
- have an interest in security, compilers and reverse engineering;
- be able to demonstrate experience developing in C/C++;
- be able to demonstrate experience with scripting and the Linux environment;
- be able to think out of the box and show your creativity;
- have knowledge and interest in graphic design;
- be able to communicate effectively technical matters in English, written and spoken.
What you will do
- Design and realize consistent demos to showcase our modules' main capabilities as obfuscation, RASP, and data protection countermeasures.
- Document and prepare sales kits so that non-technical teams could reproduce them.
- Put in place an internal repository to list available and working demos.
During the internship, you will learn:
- several ways to protect code against reverse engineering;
- document and realize pro-grade demonstrators;
- work in a multi-cultural environment.
A now well-known obfuscation technique relies on so-called Mixed Boolean-Arithmetic (MBA) expressions:
- Provide a list of research papers/blog posts about MBAs (e.g., attacks against code protected with MBA).
- Provide 1-2 slides to explain to non-technical people how this protection works, what it can protect and the cases where it will be of no use.
Some info about MBA can be found in this article
Smooth running the SaaS with cloud-oriented metrics
QFlow is a platform for file (and more) analysis for malware detection. Based mainly on Docker and Kubernetes (k8s), its deployment can be done on premise (connected or disconnected mode) but also in the cloud (SaaS). This internship focuses on the DevOps part of the product and team QFlow. We are looking for someone with a good interest in the SaaS world and k8s, in a particular deployment, monitoring & alerting, and reliability. A lot of work has already been done regarding deployment and now we need to improve our monitoring with supervision and alerting. Some metrics are already available at different levels, including infra and application. The goal will be to evaluate these metrics and even suggest new ones according to the needs defined, and put in place a monitoring stack at both levels, in collaboration with other engineers in the team.
During this internship your key objectives will be to:
- Define useful metrics for monitoring of QFlow instances.
- Define/Create dashboards with visualizations to display these metrics and put in place alerts.
- Choose a monitoring stack that will meet the needs previously defined and implement a PoC.
To qualify as a candidate, you should:
- be actively enrolled in a program for Computer Science, Computer Engineering, or a related field;
- have attention to detail, the ability to establish and maintain working relationships with key internal personnel to work effectively;
- have an understanding of the fundamentals of cloud-native architecture principles and services;
- have the desire to learn new technologies, share best practices, and contribute to the broader shared knowledge of a global infrastructure and DevOps team.
What you will do
During your internship you will:
- Work closely with other engineers to implement Infrastructure-as-code automation.
- Document instructions on various aspects of DevOps pipeline development, implementation, and deployment best practices.
- Stay informed of the changing landscape around Public Clouds, DevOps, and Deployment best practices.
- Work on enhanced monitoring and alerting capabilities for our SaaS Platforms.
- Work on data visualization and Log analysis capabilities for our SaaS Platforms.
- Present your work to an entire company of curious peers.
Prepare a write-up about the key metrics used in SaaS application monitoring and how they can be useful in improving the reliability of the platforms.
Paris or Rennes
Test suite for cryptographic primitives
The aim is to implement a test suite for cryptographic primitives:
- using "official" test vectors to ensure the correctness,
- verifying the randomness,
- performing some "fuzzing"-like resilience test.
This test suite would be very useful to automate some steps of our audits, in case of home-made cryptography for example, or to test some libraries. The first step would be to implement the tests for the most common primitives, then move on to post-quantum solutions, and "exotic" primitives.
On top of the test suite implementation, the candidate will write-up an internal guide on post-quantum standardization (and lightweight crypto, if there is time). In parallel, the candidate will work on an R&D project that is suited to their profile.
- knowledge of basic cryptography (e.g. asymmetric and symmetric crypto, and examples of such primitives)
- somewhat proficient in at least one programming language (C, C++, Rust, Python...)
- preferably capable of understanding academic articles and/or technical blogposts
- good communication skills
The assignment contains a C reference implementation of the AES with some mistakes. The goal is to perform a small review of the implementation and list different misbehaviour compared to the original design. The focus of the candidate should be on the report more than on the technical solutions, as we are more interested in reviewing the thought process than the current technical skills.
- Cryptographic Algorithm Validation Program - NIST
- Automated Testing of Crypto Software Using Differential Fuzzing - Aumasson, Romailler
- ANSSI views on the Post-Quantum Cryptography transition