RSoC - Keen Summer of Code: Applications Are Now Open


by Tencent Keen Security Lab

The Keen Summer Open Source Programming Project, RSoC (Rizin Summer of Code), is an open source programming project jointly organized by Tencent Security's Keen Security Lab and the international open source binary reverse engineering framework Rizin. It aims to give capable university students the opportunity to take part in a large project.

University participants who pass the online written test (micro-tasks) will have the chance to be hired as Keen Security Lab summer interns and, with the international open source reverse engineering framework Rizin as the research subject, carry out a three-month on-site programming project starting in mid-July.

We look forward to having you join the Keen family and explore binary black magic together with your teammates.

Mentors
Anton Kochkov (@akochkov): Keen Security Lab member, Rizin core developer
leonxlfang: Keen Security Lab member
davendu: Keen Security Lab member

**Micro-task content**:
Lightweight issue tasks centered on Rizin

Process & How to Participate

Key dates

  • Resume submission: March 4 to May 1 (later stages proceed on a rolling basis)
  • Initial screening: March 4 to May 1
  • Written test (micro-tasks): March 4 to May 1
  • Project start: before July 15
  • Project review: early September

Requirements

a. University students graduating in 2022 or later
b. Familiar with C and the development workflow, e.g. git, CI/CD
c. Bonus: a solid foundation in reverse engineering

How to participate

Resume submission

During the registration period (March 4 to May 1), choose one of the initial-screening micro-tasks listed on the official blog as your written-test topic, note the name of the chosen task, and submit your resume on the Tencent Careers website.

Submission entry: Tencent Careers website → Internship recruitment → Intern
Position: Security Technology
Resume notes: besides your personal information, please pay attention to the following points:

  1. Intended business group and department: CSIG business group → Tencent Security
  2. Interview city: remote interview
  3. Preferred work location: Shanghai
  4. In the additional information field, fill in:
    Intended department: Tencent Keen Security Lab
    Initial screening task name: XXX (the micro-task you chose, e.g. ELF binary parsing)

PS: Please take note of the 4 points above; if the information is incomplete we may miss your resume.

Written test and initial screening

Keen will do an initial review after receiving your resume; if it passes, Keen will send a written-test invitation.
The written test is the micro-task you chose; micro-tasks are lightweight issue tasks centered on Rizin and are expected to be completed within two weeks.
Participants must complete the micro-task independently and submit the written-test materials before the deadline (the deadline is as stated in the official recruitment notice). The submission roughly includes:

  1. A write-up of the micro-task, including but not limited to: difficulties encountered and how they were solved, and lessons learned.
  2. The GitHub link of the project.

Keen will give the review result about 2 weeks after the written-test submission. The interview consists of two stages, the micro-task written test and an HR interview; candidates who pass will have the chance to receive a Tencent Keen Security Lab summer offer and proceed to the summer project.
PS: This dedicated written test and the group-wide unified written test do not affect each other; it is used only as the selection method for the RSoC project.

Summer project

Students who pass the interview will start on-site research on the Rizin-based project together with their mentor as official Keen interns.
Selected students must start the project before July 15, and the project lasts no less than two months.
Project participants receive the same treatment as official Tencent interns and, depending on project performance, may qualify for a full-time conversion.

Project review

Keen will hold the RSoC mid-term presentation in early September, evaluate the presentations and hand out rewards. After the mid-term presentation, participants can, depending on their situation, continue the internship or follow the project online; when the project is finished, Keen will organize a final presentation to wrap up RSoC 2021.

Rewards & Gains

You will gain experience of programming in an international open source project, contributing to it together with excellent coders from around the world.
You will get a Keen Security Lab mentor and work with them on cool binary black magic.
You will have the chance to receive a Tencent Keen Security Lab internship offer, learn and exchange ideas with the lab's members at Tengyun Tower, and gain a valuable internship experience.

About Keen & Rizin

Tencent Keen Security Lab
Tencent Keen Security Lab, part of Tencent's Cloud and Smart Industries Group, is a world-class information security team whose technical strength and research results are internationally leading. In recent years it has achieved breakthrough results in IoT security, connected vehicle and autonomous driving security, and cloud computing and virtualization security. As more new technologies enter the industrial internet, Tencent Keen Security Lab continues to maintain its leading frontier research capability while opening its core technical capabilities and industry solutions to intelligent connected vehicles, the Android application ecosystem, IoT and other industries. Safeguarding the digital transformation of every industry and protecting the information security of all internet users is Tencent Keen Security Lab's mission.

Rizin
Rizin is a UNIX-like reverse engineering framework and command-line toolset, the brainchild of outstanding programmers from around the world, forked from the internationally known free and open source reverse engineering framework Radare2. Rizin offers binary file analysis, code disassembly, program debugging and many more features, and aims to provide users with a highly usable and stable tool.

FAQ

QQ group for project questions and discussion: 181504148

How does this differ from regular internship recruitment?
This recruitment is of the same nature as Tencent's official summer internship recruitment; offers will be sent separately for fresh graduates and non-fresh graduates, and you also have the chance to qualify for a full-time conversion.
The recruitment process is simplified to one written test plus one HR interview.
At its core this recruitment is still about summer project programming: you will collaborate with a mentor to complete a project rather than being a cog in a big company.

What are the criteria for the initial screening?
Mentors will weigh the student's actual development work and the difficulty of the development task.

Can the initial screening be submitted as a group?
No. This project is carried out individually; we hope you complete the test honestly and independently.

How will I be notified of results?
The written-test assignment, initial screening results and HR interview will all be communicated by email, so please watch your inbox.

Can I follow the project online?
Students who take part in the final project will receive a Tencent Keen Security Lab internship offer; so that you gain as much experience as possible, we recommend you come to Tengyun Tower in Shanghai to learn together with everyone.

What background do I need to pass the initial screening?
RSoC centers on the Rizin project, fixing its defects and contributing code, and Rizin is an open source project written in C, so you need to understand the overall development workflow, such as git and CI/CD. At the same time, Rizin itself is a reverse engineering tool, so you also need theoretical grounding in reverse engineering; overall it leans toward low-level, hardcore architecture work. In one sentence: primarily development, with an understanding of reverse engineering.

Micro-task list

Since the subject of this project is an international open source framework, to ensure smooth collaboration the written test (micro-tasks) and the summer project will both be conducted entirely in English.

1. File formats

Implementing support for any new file format counts as a micro-task. See the New File-Format label for pending issues.

2. ELF binary parsing

Rizin parses a lot of information from ELF files but does not print all of it.
Improving the output of the i* commands and the rz-bin tool so that it matches readelf is therefore important:
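To make the comparison with readelf concrete, here is an added example (not Rizin's own code) that parses the fields of an ELF64 header which `readelf -h` prints and names them in readelf's style. The 64-byte header is constructed inline for the example, not taken from a real binary; the parser validates the magic, class and byte order and rejects a truncated buffer instead of reading past its end.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subset of the ELF64 header that `readelf -h` prints. */
typedef struct {
    int      little_endian;
    uint16_t e_type, e_machine, e_phnum, e_shnum, e_shstrndx;
    uint64_t e_entry, e_phoff, e_shoff;
} elf_hdr_t;

/* Read an integer of `width` bytes at `p`, honouring the EI_DATA byte order. */
static uint64_t rd(const uint8_t *p, size_t width, int le) {
    uint64_t v = 0;
    for (size_t i = 0; i < width; i++)
        v = (v << 8) | p[le ? width - 1 - i : i];
    return v;
}

/* Parse an ELF64 header. Returns 0 on success, -1 on a short buffer,
 * bad magic, non-64-bit class or unknown data encoding. */
int elf64_parse_header(const uint8_t *buf, size_t len, elf_hdr_t *out) {
    if (len < 64 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    if (buf[4] != 2) return -1;                  /* EI_CLASS: 2 = ELFCLASS64 */
    if (buf[5] != 1 && buf[5] != 2) return -1;   /* EI_DATA: 1 = LSB, 2 = MSB */
    int le = (buf[5] == 1);
    memset(out, 0, sizeof *out);
    out->little_endian = le;
    out->e_type     = (uint16_t)rd(buf + 16, 2, le);
    out->e_machine  = (uint16_t)rd(buf + 18, 2, le);
    out->e_entry    = rd(buf + 24, 8, le);
    out->e_phoff    = rd(buf + 32, 8, le);
    out->e_shoff    = rd(buf + 40, 8, le);
    out->e_phnum    = (uint16_t)rd(buf + 56, 2, le);
    out->e_shnum    = (uint16_t)rd(buf + 60, 2, le);
    out->e_shstrndx = (uint16_t)rd(buf + 62, 2, le);
    return 0;
}

/* Human-readable names in the style of readelf. */
const char *elf_type_name(uint16_t t) {
    switch (t) {
    case 0: return "NONE (No file type)";
    case 1: return "REL (Relocatable file)";
    case 2: return "EXEC (Executable file)";
    case 3: return "DYN (Shared object file)";
    case 4: return "CORE (Core file)";
    default: return "<unknown>";
    }
}
const char *elf_machine_name(uint16_t m) {
    switch (m) {
    case 3:   return "Intel 80386";
    case 40:  return "ARM";
    case 62:  return "Advanced Micro Devices X86-64";
    case 183: return "AArch64";
    default:  return "<unknown>";
    }
}

/* Constructed 64-byte ELF64 header: little-endian x86-64 executable, entry 0x401000.
 * Not taken from any real binary. */
static const uint8_t sample_elf64[64] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0,  0, 0, 0, 0, 0, 0, 0, 0, /* e_ident */
    2, 0,                            /* e_type = ET_EXEC */
    62, 0,                           /* e_machine = EM_X86_64 */
    1, 0, 0, 0,                      /* e_version */
    0x00, 0x10, 0x40, 0, 0, 0, 0, 0, /* e_entry = 0x401000 */
    64, 0, 0, 0, 0, 0, 0, 0,         /* e_phoff = 64 */
    0x00, 0x10, 0, 0, 0, 0, 0, 0,    /* e_shoff = 0x1000 */
    0, 0, 0, 0,                      /* e_flags */
    64, 0, 56, 0, 5, 0,              /* e_ehsize, e_phentsize, e_phnum = 5 */
    64, 0, 12, 0, 11, 0              /* e_shentsize, e_shnum = 12, e_shstrndx = 11 */
};

static elf_hdr_t g_hdr;

/* Parse the constructed sample; NULL if it is rejected. */
const elf_hdr_t *parse_sample(void) {
    return elf64_parse_header(sample_elf64, sizeof sample_elf64, &g_hdr) == 0 ? &g_hdr : NULL;
}

/* Offer only the first 10 bytes: a truncated header must be rejected. */
int parse_truncated_sample(void) {
    elf_hdr_t tmp;
    return elf64_parse_header(sample_elf64, 10, &tmp);
}

int main(void) {
    const elf_hdr_t *h = parse_sample();
    if (!h) { puts("not a supported ELF64 file"); return 1; }
    printf("Data:    2's complement, %s endian\n", h->little_endian ? "little" : "big");
    printf("Type:    %s\n", elf_type_name(h->e_type));
    printf("Machine: %s\n", elf_machine_name(h->e_machine));
    printf("Entry:   0x%" PRIx64 "  phoff: %" PRIu64 "  shoff: 0x%" PRIx64 "\n",
           h->e_entry, h->e_phoff, h->e_shoff);
    printf("phnum: %u  shnum: %u  shstrndx: %u\n", h->e_phnum, h->e_shnum, h->e_shstrndx);
    return 0;
}
```

The same byte-order-aware `rd` helper extends naturally to program and section headers, which is where most of the fields readelf prints and `i*` does not yet print live.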

3. Analysis

The current code analysis has many caveats and issues that need addressing. Fixing them and writing more tests is important to stabilize and enhance Rizin's analysis engine.

See these issues or the "Analysis" project on our GitHub dashboard.

Basefind #413

There are plenty of external scripts and plugins for finding the most probable base address of raw firmware images. Opening raw firmware images in Rizin is a common use case, so it makes sense to implement this as part of the Rizin core.
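The heuristic those external basefind scripts typically use is simple: find NUL-terminated printable strings in the image, read every aligned word as a would-be absolute pointer, and pick the base at which the most pointers land exactly on a string start. The following is an added example of that heuristic written for this page (not Rizin's implementation); it assumes a 32-bit little-endian image and a constructed 512-byte "firmware" whose pointer table refers to three strings as if the image were loaded at 0x08000000.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MIN_STR_LEN 5

/* Mark every offset where a NUL-terminated run of >= MIN_STR_LEN printable
 * bytes begins. Returns the number of such strings. */
static size_t mark_string_starts(const uint8_t *img, size_t len, uint8_t *is_start) {
    size_t found = 0, i = 0;
    memset(is_start, 0, len);
    while (i < len) {
        size_t j = i;
        while (j < len && isprint(img[j])) j++;
        if (j - i >= MIN_STR_LEN && j < len && img[j] == '\0') { is_start[i] = 1; found++; }
        i = j + 1;
    }
    return found;
}

/* Little-endian 32-bit read (assumption: the image is 32-bit LE firmware). */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Score one candidate base: how many aligned words, read as absolute pointers,
 * land exactly on a string start once `base` is subtracted. */
static unsigned score_base(const uint8_t *img, size_t len, const uint8_t *is_start, uint32_t base) {
    unsigned score = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t p = rd32le(img + off);
        if (p >= base && (p - base) < len && is_start[p - base]) score++;
    }
    return score;
}

/* Try every base in [lo, hi) with the given step; return the best base and its
 * score. A score of 0 means no pointer/string coincidence was found at all. */
uint32_t basefind32(const uint8_t *img, size_t len, uint32_t lo, uint32_t hi,
                    uint32_t step, unsigned *best_score) {
    uint8_t *is_start = malloc(len);
    *best_score = 0;
    if (!is_start || step == 0) { free(is_start); return 0; }
    mark_string_starts(img, len, is_start);
    uint32_t best = 0;
    for (uint64_t b = lo; b < hi; b += step) {   /* 64-bit loop variable: hi near 2^32 cannot wrap */
        unsigned s = score_base(img, len, is_start, (uint32_t)b);
        if (s > *best_score) { *best_score = s; best = (uint32_t)b; }
    }
    free(is_start);
    return best;
}

/* Constructed 512-byte image: three strings and a small pointer table that
 * refers to them at load base 0x08000000, plus one dangling pointer. Not a real image. */
static uint8_t sample_fw[0x200];
const uint8_t *sample_firmware(size_t *len) {
    memset(sample_fw, 0, sizeof sample_fw);
    memcpy(sample_fw + 0x100, "hello", 6);
    memcpy(sample_fw + 0x110, "world!", 7);
    memcpy(sample_fw + 0x120, "firmware", 9);
    const uint32_t ptrs[] = { 0x08000100, 0x08000110, 0x08000120, 0x08000200 };
    for (size_t i = 0; i < 4; i++)
        for (size_t k = 0; k < 4; k++)
            sample_fw[0x10 + 4 * i + k] = (uint8_t)(ptrs[i] >> (8 * k));
    *len = sizeof sample_fw;
    return sample_fw;
}

/* Scan page-aligned candidates below 256 MiB for the sample image. */
uint32_t sample_base(unsigned *score) {
    size_t len;
    const uint8_t *img = sample_firmware(&len);
    return basefind32(img, len, 0, 0x10000000, 0x1000, score);
}
uint32_t sample_base_addr(void)  { unsigned s; return sample_base(&s); }
unsigned sample_base_score(void) { unsigned s; sample_base(&s); return s; }

int main(void) {
    unsigned score;
    uint32_t base = sample_base(&score);
    printf("most probable base: 0x%08x (%u pointer/string matches)\n", base, score);
    return 0;
}
```

The score for the true base is 3 here because the fourth pointer points past the end of the image and so cannot match anything; on real firmware the same idea is applied with a larger string table and often a second pass over candidate bases at finer granularity once the coarse scan has narrowed the range.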

4. Class analysis for C++/Objective-C/Swift/Dlang/Java #416

Analysis classes, accessible under the ac command, are a relatively new feature of Rizin.
They provide a way to both manually and automatically manage and use information about classes in the binary.

Devirtualize method calls using class vtables #414

Consider the following call: call dword [eax + 0x6c]
Let's assume eax holds the base pointer of a vtable we have saved in class analysis, and we want to find the actual address of the called method.

So there should be a command that takes the offset (in this case 0x6c) and looks up the actual destination.
It should be possible to call this command with a specific class, so that it only looks into that class's vtable, or without a class, so that it lists the possible destinations across all vtables that are not too small for the offset.

When that is implemented, one could also add a command that does the same thing, but automatically takes the offset from the opcode at the current seek.
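The lookup described above amounts to dividing the offset by the pointer size to get a slot index and then reading that slot from every vtable that has enough entries. This added example (not Rizin's code, and not the actual ac command) implements that logic over a constructed set of three recorded vtables for a 32-bit binary, so the call `call dword [eax + 0x6c]` resolves to slot 27. Class names, vtable addresses and method addresses are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A vtable as class analysis would have recorded it: the class it belongs to,
 * where the table lives, and the method pointers read from it in slot order. */
typedef struct {
    const char     *class_name;
    uint64_t        vtable_addr;
    const uint64_t *methods;
    size_t          nmethods;
} vtable_t;

typedef struct {
    const char *class_name;
    uint64_t    method_addr;
} devirt_hit_t;

/* Resolve `call [vtable + off]` against the recorded vtables.
 * cls == NULL means "consider every vtable large enough for the offset".
 * Returns the number of candidates (writing up to max_out of them to `out`),
 * or -1 if `off` is not a multiple of the pointer size. */
int devirt_lookup(const vtable_t *vts, size_t nvt, const char *cls,
                  uint64_t off, size_t ptr_size,
                  devirt_hit_t *out, size_t max_out) {
    if (ptr_size == 0 || off % ptr_size != 0) return -1;
    size_t idx = off / ptr_size;
    int n = 0;
    for (size_t i = 0; i < nvt; i++) {
        if (cls && strcmp(vts[i].class_name, cls) != 0) continue;
        if (idx >= vts[i].nmethods) continue;   /* vtable too small for this offset */
        if ((size_t)n < max_out) {
            out[n].class_name  = vts[i].class_name;
            out[n].method_addr = vts[i].methods[idx];
        }
        n++;
    }
    return n;
}

/* Constructed sample: two 30-slot vtables and one 5-slot vtable. */
#define SHAPE_N  30
#define CIRCLE_N 30
#define SMALL_N  5
static uint64_t shape_m[SHAPE_N], circle_m[CIRCLE_N], small_m[SMALL_N];
static vtable_t sample_vts[3];

const vtable_t *sample_vtables(size_t *n) {
    for (size_t i = 0; i < SHAPE_N;  i++) shape_m[i]  = 0x08049000 + i * 0x20;
    for (size_t i = 0; i < CIRCLE_N; i++) circle_m[i] = 0x0804a000 + i * 0x20;
    for (size_t i = 0; i < SMALL_N;  i++) small_m[i]  = 0x0804b000 + i * 0x20;
    sample_vts[0] = (vtable_t){ "Shape",  0x0804c000, shape_m,  SHAPE_N  };
    sample_vts[1] = (vtable_t){ "Circle", 0x0804c100, circle_m, CIRCLE_N };
    sample_vts[2] = (vtable_t){ "Small",  0x0804c200, small_m,  SMALL_N  };
    *n = 3;
    return sample_vts;
}

/* Convenience wrappers: 32-bit binary, so ptr_size = 4 ("call dword"). */
int resolve_count(const char *cls, uint64_t off) {
    size_t n; const vtable_t *v = sample_vtables(&n);
    devirt_hit_t hits[8];
    return devirt_lookup(v, n, cls, off, 4, hits, 8);
}
uint64_t resolve_first(const char *cls, uint64_t off) {
    size_t n; const vtable_t *v = sample_vtables(&n);
    devirt_hit_t hits[8];
    int k = devirt_lookup(v, n, cls, off, 4, hits, 8);
    return k > 0 ? hits[0].method_addr : 0;
}

int main(void) {
    size_t n; const vtable_t *v = sample_vtables(&n);
    devirt_hit_t hits[8];
    int k = devirt_lookup(v, n, NULL, 0x6c, 4, hits, 8);
    printf("call dword [eax + 0x6c] -> %d candidate(s)\n", k);
    for (int i = 0; i < k && i < 8; i++)
        printf("  %-8s 0x%08llx\n", hits[i].class_name, (unsigned long long)hits[i].method_addr);
    return 0;
}
```

With no class given, both 30-slot vtables qualify and the 5-slot one is skipped; with "Circle" given, only that class's slot 27 is returned; an unaligned offset such as 0x6d is rejected rather than silently truncated to a slot.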

Add classes list to Vb

Vb already supports browsing bin classes. The same should be implemented for classes from analysis.

5. Signatures

Rizin has good support for loading and creating signatures, but it is not yet complete, so some problems remain, for example #272.

Rizin supports loading FLIRT signatures from IDA Pro, but not all of them are supported yet, e.g. version 5 compression.

6. Refactoring

Use internal API instead of commands

Currently, Rizin's source code is full of calls to rz_core_cmd()-like functions that run Rizin commands. While this is a useful shortcut for developers, it is a source of potential bugs whenever a command's syntax or behavior changes: such changes are invisible to the compiler, so it cannot warn about the changed syntax, unlike a change in a function's argument count or types.
Thus, all these calls should eventually be replaced with direct calls to the corresponding API functions. If there is no corresponding API function, one should be created.
Good examples of such cases are:

In general you can just search for the rz_core_cmd pattern anywhere inside librz/.

Improving the lifting of code to IL

Rizin has its own intermediate language, ESIL, but does not yet support it for all architectures. So
the task is to add ESIL support to any architecture that does not have it yet.

7. Miscellaneous

Improving regression suite and testing

Numerous issues need to be solved, along with improving parallel execution and performance.
A good example is allowing better filtering of the test types to run, e.g. to skip debug tests.
Another interesting idea is to set up and reuse the Godbolt compilation engine to generate tests for different compilers and compilation options. There is even a command-line tool for interacting with Godbolt: cce.

Another important part of improving the test suite is to cover more formats and cases by expanding it. See issue #114 for more details on how this can be done.

8. RzGhidra

There are many small issues in the decompiler output:

Some of these issues may be related to how Rizin and RzGhidra integrate and may require changes on the Rizin side.

Also note that most of these issues should be paired with a test to verify they will not regress in the future.