The internship season is back at Quarkslab! Our internship topics cover a wide range of our expertise and aim at tackling new challenges, namely:

• 🟢 Bluetooth Low Energy GATT Fuzzing
• 🟢 Gecko Bootloader Vulnerability Research
• 🟢 Starlink Vulnerability Research
• 🟢 XSS Tooling + DOM XSS Research
• 🟢 App Protections for dummies - Obfuscation and Runtime App Self Protections (RASP)
• 🟢 Smooth running the SaaS with cloud-oriented metrics

We are also welcoming people with wide but realistic creativity, so if you have an idea and want to join the team, don't hesitate to reach out to discuss it with our experts!

Our goal is to publish most of the results of our internships. Here are some examples of publications from previous internships:

• a Kubernetes penetration testing tool, named kdigger;
• a Black Hat EU talk on the Google Titan M chip;
• a blogpost on defeating eBPF uprobe monitoring;
• a series of blogposts on Linux containers, Docker and runc.

Quarkslab's team is always pleased to welcome new talents who want to work on complex security research subjects. If you want to face new challenges and work in a dynamic environment where curiosity and teamwork are at the heart of our way to do R&D, please apply!

To apply for an internship position, you must be a student, able to communicate effectively technical matters in written and spoken English, and willing to present the results of your internship to a large group of curious Quarkslab colleagues.

To apply prepare the following elements:

• a resume;
• a cover letter: avoid the generic letter saying that you are so motivated and that we are so interesting. We welcome a more personal letter which explains why the topic is of particular interest to you, why you, and why us;
• your proposed solution to the assignment attached to the offer you are interested in;
• your preference between pain au chocolat or chocolatine.

Package these elements and send them via email to internship-AT-quarkslab-DOT-com, with the subject field containing the internship name mentioned in the respective offer.

Do not forget that the key aspect of a good application is to show what you have already achieved, related to the topic or not. So do not be shy and apply! We know that you can do it.

Each internship offer comes with a little assignment that should not require too much time to be completed. The result will show us not only the type of skills and knowledge you already possess, but also how ingenious you are and how well you can present your reasoning. It will serve as the basis for the interview you will have in the selection process. The assignment works both ways and is also intended to make sure that you like the topic as well as the technical aspects of the internship. If unsure about a specific aspect of a challenge, do not hesitate to drop us an email. We want to discuss not frustrate you!

The first applications usually reach us by November, and we start reviewing them right away. Every year, the filling is alike: half of the internships are filled by Christmas, while the others remain open until March.

Did you notice the colored circles next to the title of the offers at the top of this blogpost? They reflect the state of internships:

• 🟢 Waiting for applications.
• 🟠 Reviewing applications, we are still accepting internship assignments but hurry up.
• 🔴 Internship is filled.

We consider internships as opportunities to spot profiles that match how we work. They are intended to guide students to enter the professional world as potential future colleagues if they feel like it. We love interns because they bring fresh air to the company and because we see them grow, not only during the internship but also after, when they are hired and can get to work on so many other topics. There are two goals in every internship we offer:

1. Exploring a topic we don't necessarily know very well, hence training the new expert on the topic.
2. Hiring you after the internship to keep and share your new expertise with colleagues.

Training and growing people in the security industry is part of the company's DNA. That is why we provide in-depth blogposts, tools, trainings, weekly internal conferences (called fridaycon, guess when they are), we teach in universities and schools, write articles in tech magazines and send our less experienced hires to a 6-month intensive training program (BADGE-RE or BADGE-SO). Sharing is caring, but sharing is also learning. We provide the environment for that the rest relies on you.

Intern package in France:

• Salary: 1800€ gross per month (approximately 1550€ net).
• "Tickets restaurant" (restaurant coupons).
• In-depth and challenging topics.

Bluetooth Low Energy GATT Fuzzing

Description

Bluetooth Low Energy has been subject to a lot of research so far (such as the famous InternalBlue or SweynTooth attacks) but a few of them targeted some corner-cases of the specification that require high-level manipulation of the GATT layer.

The goal of the proposed internship is to implement a flexible and permissive Bluetooth Low Energy stack compatible with our internal BLE tools and to perform some high-level fuzzing of multiple BLE stack implementations. Development/modification of an embedded firmware may also be required to fit the needs regarding this fuzzing approach.

Knowledge of the Bluetooth Low Energy specification may be a plus.

Required Skills

• knowledgeable in embedded C/C++ and Python 3;
• familiar with embedded firmware reverse-engineering;
• familiar with embedded debugging tools.

Assignment

Prepare a write-up of CVE-2019-19194, detailing the root cause of this vulnerability and how it can be exploited. Create a proof-of-concept for this vulnerability, using Scapy (it can be a theoretical proof-of-concept).

Location

Paris or Rennes

Duration

3 to 6 months

Gecko Bootloader Vulnerability Research

Description

Silicon Labs is a chip builder with several network-targeted features like BLE and Zigbee. These chips are the base of many connected objects, compromising this chip means compromising all these connected objects insofar as they use the vulnerable functionality.

The objective of the proposed internship is to investigate the SDK offered by Silicon Labs, the Gecko SDK (GSDK). In particular, its OTA functionality, which seems to be state of the art on these protections, but what about the code that composes it?

Required Skills

• experience in reversing C or C++;
• knowledge of the ARM architecture;
• some experience with an emulation framework such as Unicorn;
• file format reverse engineering will be a plus.

What you will do

• Reverse some firmware format.
• Analyze the stack Zigbee/Bluetooth use for the updates.
• Search for some vulnerabilities.

Assignment

Click here to download the assignment resources.

These are an ARM binary used to flash a new firmware provided as an argument, as well as a dummy firmware and a name for the file to be flashed. Your goal is to find the appropriate format to flash this firmware.

You are not allowed to modify the flashing binary.

Location

Paris or Rennes

Duration

6 months

Starlink Vulnerability Research

Description

Starlink is the famous satellite-based internet solution by Space X. This solution already counts more than 400 000 subscribers all around the world, using the very same infrastructure. Starlink relies on 3 components:

• a user terminal, which communicates with the satellites, and on which most of the current research is focusing;
• a satellite fleet acting as a mesh network;
• a gateway that connects the satellites to the internet.

Numerous studies have already been conducted on the subject, mainly on the user terminal. During this internship, you will continue the analysis of Starlink and focus on how the user terminal communicates with the rest world. This will require you to reverse engineer its firmware and the various protocols in use. Doing so will help you study the attack surface of the terminal and bring you to the final phase of this internship: vulnerability research.

Required Skills

• reverse engineering skills;
• knowledge of the ARM architecture and Linux;
• knowledge in vulnerability research;
• preferably some knowledge of hardware attacks and basic PCB design (optional).

What you will do

• Reverse engineer the firmware and network protocols.
• Study the attack surface and perform vulnerability research.

Assignment

Pick up a 2022 CVE of your choice impacting a Linux/Android system such as CVE-2022-2347 or CVE-2022-23218.

Describe the root cause and an exploitation path (a PoC, even nonfunctional, will be appreciated).

Location

Paris or Rennes

Duration

6 months

XSS Tooling + DOM XSS Research

Description

Cross-site scripting (XSS) vulnerabilities are still present on many websites. Whether they are volatile, persistent or in the DOM, they could cause significant damage when exploited by attackers. Although many tools detect this type of vulnerability, many of them do not manage to identify all types of injections. One of the reasons is that they are based on obsolete methods and incomplete payloads.

The goals of this internship are to study XSS vulnerabilities in detail in order to automate their efficient discovery. In particular, the JavaScript injections affecting the DOM are of utmost interest. The automation methods for bypassing Web Application Firewalls (WAF) will also be considered as part of the internship project. The topic requires that you understand how JavaScript injections work and that you are already familiar with XSS exploitation techniques which are frequently encountered in CTFs or Bug Bounties.

Experience with Node.js would be considered a plus.

Required Skills

• JavaScript;
• NodeJS;
• Puppeteer, or an equivalent tool.

What you will do

• Study the existing documentation/tools related to the topic tool development.
• Perform vulnerability research.

Assignment

With the help of Node.js and Puppeteer you'll have to develop a simple script detecting a browser popup (e.g. a valid XSS).

Location

Paris

Duration

3 or 6 months

App Protections for dummies - Obfuscation and Runtime App Self Protections (RASP)

Description

At Quarkslab, we have been developing application protection tools since 2014, featuring obfuscation and runtime application self protections (RASP). This tool relies on a compiler framework, LLVM, and thus comes as a replacement of the regular compiler used by our customers.

A challenge we face is to explain the impact of these protections to our customers during sales meetings, events, and technical training processes: many of our partners have limited or even no knowledge about reverse engineering and the internals of a compiler.

The goal of this internship is to design a series of demonstrations (code and documentation) and presentations for the protections provided by our tools. You will work under the supervision of our Product Manager, with the support of the engineering, marketing and CX teams. You will first have to understand how the tool and its various protections work, and then find ways to make them accessible to non-experts.

Required Skills

To qualify as a candidate, you should:

• have an interest in security, compilers and reverse engineering;
• be able to demonstrate experience developing in C/C++;
• be able to demonstrate experience with scripting and the Linux environment;
• be able to think out of the box and show your creativity;
• have knowledge and interest in graphic design;
• be able to communicate effectively technical matters in English, written and spoken.

What you will do

• Design and realize consistent demos to showcase our modules' main capabilities as obfuscation, RASP, and data protection countermeasures.
• Document and prepare sales kits so that non-technical teams could reproduce them.
• Put in place an internal repository to list available and working demos.

During the internship, you will learn:

• several ways to protect code against reverse engineering;
• document and realize pro-grade demonstrators;
• work in a multi-cultural environment.

Assignment

A now well-known obfuscation technique relies on so-called Mixed Boolean-Arithmetic (MBA) expressions:

• Provide a list of research papers/blog posts about MBAs (e.g., attacks against code protected with MBA).
• Provide 1-2 slides to explain to non-technical people how this protection works, what it can protect and the cases where it will be of no use.

Some info about MBA can be found in this article

Location

Paris

Duration

6 months

Smooth running the SaaS with cloud-oriented metrics

Description

QFlow is a platform for file (and more) analysis for malware detection. Based mainly on Docker and Kubernetes (k8s), its deployment can be done on premise (connected or disconnected mode) but also in the cloud (SaaS). This internship focuses on the DevOps part of the product and team QFlow. We are looking for someone with a good interest in the SaaS world and k8s, in a particular deployment, monitoring & alerting, and reliability. A lot of work has already been done regarding deployment and now we need to improve our monitoring with supervision and alerting. Some metrics are already available at different levels, including infra and application. The goal will be to evaluate these metrics and even suggest new ones according to the needs defined, and put in place a monitoring stack at both levels, in collaboration with other engineers in the team.

During this internship your key objectives will be to:

• Define useful metrics for monitoring of QFlow instances.
• Define/Create dashboards with visualizations to display these metrics and put in place alerts.
• Choose a monitoring stack that will meet the needs previously defined and implement a PoC.

Required Skills

To qualify as a candidate, you should:

• be actively enrolled in a program for Computer Science, Computer Engineering, or a related field;
• have attention to detail, the ability to establish and maintain working relationships with key internal personnel to work effectively;
• have an understanding of the fundamentals of cloud-native architecture principles and services;
• have the desire to learn new technologies, share best practices, and contribute to the broader shared knowledge of a global infrastructure and DevOps team.

What you will do

During your internship you will:

• Work closely with other engineers to implement Infrastructure-as-code automation.
• Document instructions on various aspects of DevOps pipeline development, implementation, and deployment best practices.
• Stay informed of the changing landscape around Public Clouds, DevOps, and Deployment best practices.
• Work on enhanced monitoring and alerting capabilities for our SaaS Platforms.
• Work on data visualization and Log analysis capabilities for our SaaS Platforms.
• Present your work to an entire company of curious peers.

Assignment

Prepare a write-up about the key metrics used in SaaS application monitoring and how they can be useful in improving the reliability of the platforms.

Location

Paris or Rennes

Duration

6 months