
In the previous article, our colleagues from the audit department described their experience and said a little about the general process of the 2017 internship at Digital Security. Today the Research Department shares its impressions and presents interviews with the interns of our department.
We are the research department of Digital Security. We deal primarily with reverse engineering, searching for vulnerabilities in binary applications and various devices, and writing exploits. We introduced ourselves in more detail in last year’s article.
Introduction
As already mentioned in our colleagues' article, this year the number of applications was many times higher than in the past. Of course, most of the applicants wanted to work on web security, but the share of people who wanted to immerse themselves in the “binary world” did not diminish.
Following the established tradition, we held a personal interview with each intern who decided to do the internship in our St. Petersburg office, and only then made a final decision. These meetings determine not only the candidate's level of knowledge but also which topic will suit them. In some cases we offered not one topic but several to choose from. The criteria for preparing internship topics remained the same:
- At the end of the internship, the interns can publish the results of their research (GitHub, GitLab and other repositories for open source projects) and/or present them to the public at a conference.
- The topic is tied to real-world practical tasks.
Due to the specifics of the work of our department, in contrast to our fellow auditors, we practice the “one topic - one person” approach (although there are exceptions).
This allows the mentor to pay more attention to a specific intern, but limits the number of applicants we can accept for an internship. Therefore, we advised those who did not pass due to lack of experience to work through a set of training materials and try again next year. In particular, this was the reason we published our compilation of materials on Habr, so that anyone could start studying it in their free time.
We were pleasantly surprised that some of the interns came from other cities to do the internship on site. We interviewed them over video messengers (an interesting statistic: most of the applicants had just completed their 3rd year of university). So we tried to make sure they took home good memories (and nice gifts) of their internship in the Northern capital. Our department also added new lectures to last year’s list:
- "SMT, Z3, SSE, DSE, ... In The Wild" (Georgy Nosenko)
- "PowerShell for dummies: use in everyday life and on the battlefield" (Andrey Akimov)
Colleagues from the security analysis department also updated their list of lectures and launched an interesting internal lab - a kind of wargame to enhance the skills of those involved.

By tradition, the interns themselves held several similar sessions for us, where they presented the results of their work. These talks can even be called a kind of final exam :) Unfortunately, not everyone got that far: some did not cope with their tasks, for various reasons.
Feedback from participants
Due to the nature of the tasks this year, we decided to abandon the remote internship, so we present some comments only from those who completed the internship in our office.
Questions for the mini-interview were as follows:
- Why did you decide to intern at DSec? What attracted you to the company?
- Did you like the internship? What do you remember most? How closely did reality match your expectations?
- Tell us about your task / tasks.
- Did the tasks you worked on during the internship seem interesting? Was there something you wanted to do, but failed?
- Are you ready to return to the company for an internship or a job?
Alexander Trukhin (St. Petersburg State University)
Topic: "Improving the algorithms of the rootkit detection tool for GNU/Linux"
- I decided to try my luck after seeing the internship announcement on linux.org.ru. Honestly, at the time I didn’t know about the company; the availability of free time and the interesting topics played a decisive role.
- I liked the internship. What I remember most is the canteen near the office with its extremely unattractive prices. In fact, I was surprised by how young the staff of the St. Petersburg branch are. From the way they stay late at work, you can tell that they like their work (or table football). It was very interesting to listen to the lectures that the company kindly prepared for us.
- I worked on the anti-rootkit project for GNU/Linux, which my curator had already implemented in some initial form. Basically, I tried to get the functionality of the corresponding kernel module into working shape. It was necessary to put in order the process of transferring events from the kernel, describing various important system resources (processes, sockets, etc.), into user mode for subsequent reconciliation and detection of inconsistencies. I had to tinker with various kernel structures and its synchronization primitives; it was fun!

- Although I did not get particularly far (for example, I still wanted to implement some self-defense mechanisms), the tasks were not boring to work on, and much was new. I hope the work on the project will continue.
- I am always happy to work on something interesting.
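
An added illustration of the reconciliation step described in the answers above; it is not the project's code, and the event format, field names and sample data are constructed for this example. It replays a kernel event stream into a set of live resources and compares that set with user-mode listings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KernelEvent:
    seq: int   # sequence number assigned on the kernel side (hypothetical field)
    kind: str  # "proc_start" | "proc_exit" | "sock_open" | "sock_close"
    key: str   # resource identity, e.g. "pid:412" or "tcp:0.0.0.0:22"

def replay(events):
    """Rebuild the live-resource set from the kernel event stream.
    Also returns missing sequence numbers, so that a lossy channel is
    not mistaken for a hidden or vanished resource."""
    live, gaps, expected = set(), [], None
    for ev in sorted(events, key=lambda e: e.seq):
        if expected is not None and ev.seq > expected:
            gaps.extend(range(expected, ev.seq))
        expected = ev.seq + 1
        if ev.kind in ("proc_start", "sock_open"):
            live.add(ev.key)
        elif ev.kind in ("proc_exit", "sock_close"):
            live.discard(ev.key)
    return live, gaps

def reconcile(kernel_live, user_snapshots):
    """Flag inconsistencies between the kernel view and user-mode listings.
    Needs at least one snapshot; several are used so that a resource which
    merely started or exited between two reads is not reported."""
    seen_any = set().union(*user_snapshots)
    seen_all = set.intersection(*user_snapshots)
    return {
        "hidden_from_user_mode": sorted(kernel_live - seen_any),
        "unknown_to_kernel_stream": sorted(seen_all - kernel_live),
    }

# Constructed sample data (not captured from a real system).
SAMPLE_EVENTS = [
    KernelEvent(1, "proc_start", "pid:1"),
    KernelEvent(2, "proc_start", "pid:412"),
    KernelEvent(3, "sock_open", "tcp:0.0.0.0:22"),
    KernelEvent(4, "proc_start", "pid:977"),
    KernelEvent(5, "sock_open", "tcp:0.0.0.0:4444"),
    KernelEvent(6, "proc_start", "pid:1003"),
    KernelEvent(7, "proc_exit", "pid:1003"),
    KernelEvent(9, "proc_start", "pid:1010"),  # seq 8 was lost in transfer
]
SAMPLE_SNAPSHOTS = [
    {"pid:1", "pid:412", "tcp:0.0.0.0:22", "pid:55"},
    {"pid:1", "pid:412", "tcp:0.0.0.0:22", "pid:55", "pid:1010"},
]

if __name__ == "__main__":
    live, gaps = replay(SAMPLE_EVENTS)
    print(reconcile(live, SAMPLE_SNAPSHOTS), "lost events:", gaps)
```

Resources the kernel stream reports as live but no user-mode listing shows are the candidates for hiding; entries unknown to the stream usually predate tracing or fall into a sequence gap.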
Valeria Gubareva (Penza State University)
Topic: "Study of the Black Magic Probe and Bitsy board options"

- A person working here advised me to fill out the application form. And the company itself is interesting to me because it deals with information security, which I have spent the last five years of my life studying.
- Yes, very much. My expectations were more than met. I especially remember the moment when I was given a bunch of different incomprehensible boards, which I then, of course, successfully figured out.
- My task was to get to grips with the recently released Black Magic Probe V2.1 board and see what possibilities it opens up. I also had to try to break the firmware on other boards using the Black Magic Probe. For clarity, the STM32F429I-disc1 board was chosen, which has a touch screen, and I found firmware with the Reversi game for it. As a result, I was able to access the dynamic memory of the firmware, and then, using the IDA Pro disassembler, I found the address at which the cells of the game board start. The values of these cells can be: 000 - empty cell, 001 - red chip, 002 - blue chip. I had the idea to set the values of all cells to one and thereby win the game from the first move. To do this, I wrote a small script in Python. The result of my work was an article that describes the characteristics of the board and everything I did while working with it.

- Yes, the tasks were very interesting. Almost everything was new for me and there was very little information, but this did not become an obstacle.
- To work - of course, yes.
Nikita Trushin (TUSUR)
Topic: "Honeypot for logging interactive commands on the guest machine by means of the hypervisor"
- I like to study the internal structure of various kernels and software systems, and I am also interested in programming. Therefore, the activities of DSec, as well as its blog on Habr, of course interested me.
- The internship left a positive impression. Especially the team, which turned out to be quite friendly, and, in general, a cozy atmosphere in the office.
- My task was to implement a patch for QEMU based on an existing PoC, which was implemented as a gdb script and logged the output from the guest terminal to the host machine, using breakpoints on the TTY write function. However, it reduced the speed of the guest considerably. I was required to implement it within QEMU itself, which would solve the performance problems.
Accordingly, it was necessary to understand the internal structure of QEMU, find the most suitable place for patching and write a patch for x86-64, ARM and MIPS.

- Of course, the task was quite interesting. However, I would like to work in a team of several people.
- Of course, yes!
Conclusion
To sum up, we would like to say “thank you” once again to everyone who took part in our summer internship 2017. We all gained a lot of experience and hope that we managed to share a little of it with the reader. More interesting articles will follow later, this time not from interns but from our colleagues, with the results of their research.
And of course, we look forward to seeing everyone at the next internship!