Title: Compiler Engineer for Java/Kotlin Obfuscation
Date: 2020-06-15 10:06
Authors: Tiago Paulino
Job_Location: Paris (can be remote, in France)
Quarkslab is a French company specializing in information security R&D, consulting and software development. Our expertise is in combining offensive and defensive security to help organizations adopt a new security posture: force the attackers, not the defender, to adapt constantly. Through our consulting services as well as our software, we provide tailored solutions to organizations, helping them to protect their assets, sensitive data, and users against increasingly sophisticated attacks.
Where you can help us:
At Quarkslab, we build a product, Epona, for application protection. The goal is to buy time and make it harder for the attacker to steal and tamper with data or intrude into our client's infrastructure. The team's work spans several "features": protections to make code harder to analyse statically or dynamically, cryptography to design whitebox algorithms and secure storage to build a secure digital vault, Q&A, …
We also arrange frequent red team exercises in the company to assess and break into that protection, in a cat and mouse game. Of course, the goal of this feedback loop is to make our product stronger, and to increase the developers' understanding of new attacks.
Your day to day work:
We want to expand our LLVM-based way of protecting apps to other languages, especially Java and Kotlin.
We have run various tests to have Java and LLVM work together. Now it is time to move forward, and that will be your job.
In this position, you will have to study and experiment with our past results, then build the new system supporting these languages. The end goal is to re-use as much as possible of what is done in our existing obfuscator, which works at the IR level with LLVM, and then bring it to the Java byte code. This will likely require some adaptations of our protections to support some specific constructs of the Java virtual machine (e.g. garbage collection).
Special care will have to be given to known weak points of these protections, like the frontier between the virtual machine and the native world, disassembly, debugging.
Additionally, runtime checks could be very helpful to protect from dynamic attacks.
As you can understand, you will have to determine the right strategy to protect the Java and Kotlin worlds from attackers.
Your main task will be to design, develop, maintain and enhance the protections, considering performance constraints, and share that with the team so that all layers of protection fit properly with each other, making a robust set of protections.
If you like compilation, technical challenges and are curious about security, you will love this job!
Who you are:
The skills or knowledge we think you should have:
- Familiar with LLVM or another compilation framework
- Development in C++ and Java
- Team player who exchanges knowledge with others
It would also be nice if you knew:
- Java or Kotlin, and even better if you already played with the virtual machine internals
- Reverse Engineering
- CMake, Git and Gitlab
Why work at Qb?
- Work with an amazing team, eager to learn and play with new approaches and technologies, mixing various skills (security, compilation, backend, ...)
- Attend conferences in your field, learn from many internal events (weekly conference, trainings, ...)
- Contribute to and support open source tools, others' and ours
- Premium health insurance
- International environment with offices in Paris and Buenos Aires (team croissants vs. team asador), representations in Tokyo and Singapore
- Call with our talent acquisition manager
- Play with a small challenge
- Welcome at Qb's office (half day interview)
- Talk with the appropriate C-level(s)
- HR debrief and job offer