It's time to open Quarkslab internships season! This year, we offer 5 new internships, most of which are linked to binary analysis related research topics but have a look, there is more! Quarkslab team is always pleased to welcome new talents who want to work on complex security research subjects. If you love binaries, want to face new challenges and work in a dynamic environment where curiosity and teamwork are at the heart of our way to do R&D, please apply!

All internships will take place in our main office in Paris, France (and one in Rennes also). If you are coming from abroad, you will need a proper visa to be with us. At Quarkslab, we encourage remote work, but that does not apply to internships.

Last but not least, we usually train Padawans so that they stay with us once their training period is done, even if that does not mean the training is over :)

How to apply for an internship position at Quarkslab?

To apply for an internship position, you have to send:

  • a CV;

  • a cover letter: avoid the generic letter saying that you are so motivated and that we are so interesting. We welcome a more personal letter which explains why the topic is of particular interest to you, why you, why us :)

  • your proposed solution to the assignment attached to the offer you are interested in,

  • all this can be sent in French or in English.

Send this little package to internship-AT-quarkslab-DOT-com, with the subject field containing the internship reference mentioned in the respective offer.

Do not forget that the secret of a good application is to show what you have already achieved (related to the topic or not).

Each internship offer comes with a little assignment that should not require too much time to be completed. The result will show us not only the type of skills and knowledge you already possess, but also how ingenious you are and how well you can present your reasoning. It will serve as the basis for the interview you will have in the selection process.

For all its internships, Quarkslab is looking for highly motivated, curious and autonomous people who are also structured, creative and team players. You will evolve in a dynamic and easygoing environment where ideas spring from everywhere...

We consider internships as opportunities to spot profiles that match how we work. They are intended to guide students to enter the professional world as potential future colleagues if they feel like it and find convincing arguments [1]

Do not be shy, send an application, otherwise you will never know if you would have been selected...

Contact : internship-AT-quarkslab-DOT-com

Please note that:

  • all internships are paid (according candidates study level)

  • only students are eligible

  • remote work is not possible for internships

  • All internships take place in our Paris office and one in Rennes

  • Candidates must carefully select if they prefer pains au chocolat or chocolatines.

[1]also called croissants...

Analysis of android applications protections

Description

Mobile applications are now everywhere and handle sensitive informations. Reversing them is a tedious task when considering real world ones as they often mix Java and native code while interacting with the Android ecosystem. Even though tooling is available and useful, most of the analysis still needs to be done manually. Moreover, to protect themselves from various threats (reversers, cheaters, thieves...), application developers have a broad range of tools (packers, obfuscators, cryptography) they could use to increase the costs of such attacks and protect their IP. However, the adoption's rate of these means of protection is mostly unknown as no (or too few) large scale studies have been made on those aspects.

Building-up above tools used internally (https://blog.quarkslab.com/qbdi-070.html, https://blog.quarkslab.com/exploring-execution-trace-analysis.html), the goal of this internship is to gear up the reverse-engineer toolbox to facilitate Android reverse engineering. This will be focused on understanding how real-world Android applications are protected, at what level and to what extent.

The main difficulties of the internship are linked to 3 main points:

  • Understanding the inner-working of applications (statically/dynamically)

  • Tackling static/dynamic protections employed by the applications

  • Improving existing tools to address such issues

Assignment

Download the LZPlay application (com.lzplay.helper) and reverse it to provide an overview of its inner working and its security mechanisms. Write a short tutorial about your findings, how you proceeded, what was difficult and how you would tackle the issue with more time and better tools.

Required skills

  • Fluent in Python (C/C++ is a plus)

  • ARM & x86 (both 32 & 64 bits) main instructions

  • Basics of reverse engineering (static / dynamic)

Location

Paris

Duration

6 months

Reference

19-internship-android-app-protection

Emulator design

This position is filled

Description

An emulator is a software that is able to simulate the behavior of hardware (at least CPU and memory). Emulation can be useful in lots of cases like testing new applications with ease, debugging programs that run only on specific hardware...

Contrarily to virtualization, emulation is aware of all the modifications done on the (simulated) hardware and this intrinsic knowledge can be used to make powerful debugging.

QEMU is a really good piece of software that can simulate many hardware, but we think that the "Translation Blocks" generation is too complex and can be improved.

The aim of the internship is to design an emulator that can run aarch64 software on x86_64 processors. The emulator should be able to log any modification during the time of execution and may offer a debugging stub and a python stub. Finally, if the core is light and efficient enough then it could be integrated in QEMU in place of the "Tiny Code Generator" to use it with all the available virtual devices.

Assignment

int fib(int n){
  if (n < 2){
    return n;
  }
  return fib(n-1) + fib(n-2);
}
  • Compile this .c in aarch64 and extract the aarch64 assembler

  • Create a tool that converts the aarch64 instructions used by fib in x86_64 assembler.

This file aarch64.isa can help the development of the tool.

Required skills

  • CPU basics

  • Aarch64 & x86_64 assembly

  • C programming

Location

Rennes

Duration

Preferably 6 months

Reference

19-internship-emulator-design

A game of cat and mouse: defeating state-of-the-art dynamic analysis

Description

Code obfuscation provides a challenge against the manual reverse engineering of an application. However, instead of understanding and defusing each protection, an attacker may execute the application and monitor its state at precise moments: after crucial data have been decrypted by the application, by comparing the program state before and after the execution of a function, ...

For this, reverse engineers use Dynamic Binary Analyses frameworks, which provide dynamic information about the state of the application. Luckily for us, these tools have their weaknesses. They have various effects on the execution environment of the application, which can be detected to deviate the behavior of the application and prevent the attacker from obtaining useful data. However, these tools also keep improving and such countermeasures need to be re-evaluated continuously.

The goal of this internship is to study how state-of-the-art tools affect the execution environment of applications under different platforms and implement different means of protection against them. A solution is to block these tools from performing their task by introducing certain constructions that "confuse" them. An alternative is to detect their presence and act upon it.

The work would be supervised by the Instrumentation team, which specializes in using and building dynamic binary analysis frameworks, and the Epona team, which maintains the Epona Application Protection solution offered by Quarkslab.

Assignment

Explain how this APK manages to detect Frida.

Required skills

  • Master 2 or last year of engineering school.

  • Technical requirements: C++, reverse engineering.

Location

Paris

Duration

6 months

Reference

19-internship-epona-2

Unpacking firmwares

Description

Nowadays, firmware are everywhere: mobiles, routers, ECU, IoT devices, Set-Top boxes, … Sometimes, they are as simple as a filesystem, which can just be accessed like every other filesystem. But most of the time, they are compressed and encrypted, sometimes using custom algorithms.

However, when one wants to analyze what is inside the firmware, the first step is always to reach its inside, hence opening it.

The goal of the internship is to work on a generic engine able to deal with multiple kinds of firmware to access to the files it contains.

  • Improve our framework to handle file systems

  • We will select multiple firmware, and you will have to support them in the framework
    • Study encryption and compression if any

    • Develop the appropriate unpacking capabilities

    • Test on various firmware of the same family (yes, sometimes, there are surprises ;)

  • Automate unpacking based on our Irma framework

Required skills

  • Fluent in Python

  • Good knowledge in cryptography and algorithms

  • Preferably some experience in reverse engineering in ARM and/or unpacking malware

Assignment

The Android OTA Package Tools [2] support building full and incremental updates, that can later be applied to a device. Take a look at the building tool from the AOSP source tree [3] and implement your own unpacker for this format, preferably using Python.

You can use the building script to make your own packages, but your tool should be able to extract at least the following packages: [4] (full update) and [5] (incremental update that should be applied on top of the other one).

Once you are satisfied with your unpacking script and are ready to show it to us, please also write a small report explaining how you designed it.

[2]https://source.android.com/devices/tech/ota/tools
[3]https://android.googlesource.com/platform/build/+/master/tools/releasetools/ota_from_target_files.py
[4]https://dl.neat.sh/oculus/3337000026800000_3337000026800000.zip
[5]https://dl.neat.sh/oculus/3337000026800000_3337000033700000.zip

Location

Paris

Duration

6 months

Reference

19-internship-unpacking-firmware

Application Grand Challenge: Your protection is under attack!

This position is filled

Description

A question that often arises while using application protection tools is: "How well protected is my application?"

The question in itself is vague. To avoid an awkward silence as an answer, it is often required to sit down, detail a precise knowledge of what "protected" means [6] and perform a manual evaluation of the application protection.

The main goal of this internship will be to investigate the automation of some parts of such an evaluation process. The main focus of the internship will be on the Epona Obfuscating Compiler and thus will require to implement attacks against it.

For example obfuscations do more work than making the code ugly, they also provide certain guarantees: the sensitive constant 0xcc9e2d51 won't appear in the final binary; the string "my_very_user_secret" will be encrypted; the program evil-debugger won't be able to debug the application, etc. For each of these protections, one may try to attack and get around them: profile the code and identify instructions that always yield to the same constant; wait until just before the string is used in context to see its unencrypted content; identify calls that match those made by anti-debuggers and remove them, etc. And conversely, one may try to counteract these attacks with more defense mechanisms.

A first step of the internship will be to identify a series of meaningful reference codes, to implement simple automated attacks to retrieve target assets inside these codes, and then to apply some protections or obfuscations to the reference codes and see which attacks still succeed and which don't. In a second time, more complex attacks may be implemented and tested against our protections.

These reference code and attacks could then be used to provide a sense of the set or level of skills that an attacker should master to defeat the protections: If more skills are needed, one could assume the code is better protected.

This also represents a first brick towards implementing a fully automatic obfuscation tool (given the assets to protect and the attacks against which they must be protected, infer a protection scheme that will defeat the specified attacks).

[6]the assets being protected, algorithms or data, the context in which the application is deployed, the attackers we're facing, the available tooling...

Assignment

The machine

This is an informal design for a stack interpreter that manipulates 32 bit signed integers and understands a few instructions instructions.

In the following TOP denotes the element on top of the stack, and SECOND the second element on top of the stack.

Each instruction has an index in the code, starting from 0, and an optional integer argument, as in 3 POP 2 which is the forth instruction of the listing, named POP with a single argument 2.

Instructions

READ: reads an integer on stdin and push the value on the stack, or exit if input is invalid

WRITE: pops the top value of the stack, and prints it on stdout

DUP: duplicate the value on top of the stack

MUL: pops the two top value of the stack, multiply them and push the result on top of the stack

ADD: pops the two top value of the stack, add them and push the result on top of the stack

SUB: pops the two top value of the stack, sub the TOP with the SECOND and push the result on the stack

GT: LT: EQ: pops the two top values from the stack, compare them for TOP > SECOND, TOP < SECOND or TOP == SECOND and push the result as 0 or 1 on the stack

JMPZ: pops the two top value of the stack. Jump to the <n>th instruction, where <n> was the first value on the stack, if the top value is null. Otherwise just drop these two values

PUSH <n>: push the integer value <n> on the stack

POP <n>: pop n value from the stack

ROT <n>: perform a circular rotation on the first n value of the stack toward the top for instance the stack : BOTTOM [1,2,4,8] TOP becomes BOTTOM [1, 8, 2, 4] TOP after ROT 3

Example

The following program reads a number and prints its value squared if the value is positive or null, and 0 otherwise.
0 READ
1 DUP
2 PUSH 0
3 GT
4 PUSH 8
5 JMPZ
6 POP 1
7 PUSH 0
8 DUP
9 MUL
10 WRITE

What to do ?

  • Using this language, write an implementation of the factorial function that reads a number from stdin and outputs its result on stdout.

  • Provide an interpreter that can interpret your code, written in C++.

It's not mandatory to write the parser for the assembly, a global array will also be fine.

Required skills

Master 2 or last year of engineering school.

Technical requirements: C++, program analysis

Location

Paris

Duration

6 months

Reference

19-internship-epona-1

If you would like to learn more about our security audits and explore how we can help you, get in touch with us!