Winternship 2021 - 2022
About Trail of Bits
Trail of Bits helps secure the world’s most targeted organizations and products. We combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.
As a cybersecurity research and consulting firm, we serve clients in the defense, tech, finance, and blockchain industries. We help with their most difficult security challenges by designing and building new technology, researching new techniques to advance the state of practice, and reviewing the security of the latest available technology products before they hit the market.
Our team consumes, produces, and presents research as a natural part of doing business. When we make new discoveries or developments, we strive to share our knowledge and release our tools as open-source. It’s a practice that’s earned us industry accolades and helped contribute to our double-digit bottom line growth.
Role
Trail of Bits offers unique remote, short-term internship opportunities called “Winternships” (Winter Internships). Winternships generally happen over your University’s winter break. You can get paid (~$2500) to work on a project that excites you and still spend time with your friends and family. Unlike other internships, our "Winternship" program is designed for people who are ready to start working on day 1. You will take skills that you have learned and apply them to short-term low-risk projects that Trail of Bits will actually use.
Collaboration and Mentorship
Trail of Bits takes advantage of the latest technology to get work done. Winternships will be organized and tracked through Slack, Google Meet, and Github. Projects will have a project inception, schedule, and debrief. You will work with our copywriter to publish an end-of-Winternship blog post that summarizes your work.
Requirements
- You must be a student or recently a student
- You must have at least 3 weeks of time available between December 6, 2021 and January 28, 2022 to dedicate to the project.
- You should have the legal right to work in the United States now or by the time you graduate
Option 1: Propose a project
- You decide your project. Projects must be short-term, achievable within the time Winternship, and focused on cybersecurity. Project materials must be released as open-source code under a permissive license (e.g., Apache2) and be hosted on the Trail of Bits Github organization after the project concludes.
Option 2: Apply directly to one of our featured projects using the links below
- Solana BPF vulnerability research: Find bugs in Solana BPF virtual machine implementation: RBPF. Work on any topic of analyzing their instruction verifier, extending their fuzzing harness, better static analysis or auditing their virtual machine implementation. Apply here.
- Manticore EVM extraction: Extract all EVM related parts out of Manticore and build a fresh SE tool to handle smart contracts. Simply cut out all the relevant parts and make a simpler tool easier to test, develop, install and use BUT only smart contract related. Apply here.
- Dylint rules and development: Write Dylint lints. We have accumulated a list of security related lints we would like. Implementing any number of them would produce code that would be run during audits. Apply here.
Option 3: Work on one of the projects below
- Fuzzing: Fuzz a given low level open source project with the goal of finding memory corruption bugs. (ideally, have a target idea you would like to work on)
- Find Bugs in Rust: Learn finding bugs in Rust by developing static analysis rules in Dylint or Semgrep for finding buggy patterns in Substrate-based blockchains. We have many examples of those, so you can learn quirks of Substrate APIs and blockchains written with this technology.
- MUI: Extend feature set of MUI, the GUI for Manticore, or extend MUI to operate on an additional platform such as IDA.
- CPython API Misuse: Implement CodeQL rules, extend Clang Static Analyzer or implement other static analysis to find CPython API misuses. There are many ways to go wrong with CPython APIs and many are straightforward to identify like: 1) passing possibly NULL arguments to functions or macros that require non-null argument; 2) violating APIs execution order requirements; 3) failing to check return errors; or 4) reference counting errors. We have ideas or examples of some of those.
- Go-Fuzz: Improve Go-fuzz, a Golang fuzzer. Help us improve its initial corpus, fix its obscure bugs, implement a corpus minimizer, work on new fuzzing strategies, improve its UX or maybe implement a leak detector? Choose 1-3 goals from this list.
- Rust: Extending our fuzzing wrapper for Rust, test-fuzz, by adding cargo-fuzz as a fuzzing backend (in addition to AFL).
Company Perks
- Winterns who perfom well and meet all expectations will be invited back for later roles or internships,
- Before, during and after COVID-19, our workforce works flexibly. Many employees choose to work from home around the globe. As long as you deliver against your goals, we encourage you to harness your personal working style to let you work best.
- We routinely highlight the amazing work our employees do via our blog, product offerings, and conference talks. We celebrate you!
- We're at the forefront of a number of markets and have the internal expertise and the ambition to capitalize on those opportunities. Our employees see their work in use and valued by many others.
Dedication to diversity, equity, & inclusion
Trail of Bits is committed to creating and maintaining a diverse and inclusive workplace where our employees can thrive and be themselves! We welcome all persons into our community. We embrace the diversity of gender, gender identity or expression, race, color, religious creed, national origin, ancestry, age, physical and mental disabilities, medical condition, genetic characteristic, sexual orientation, marital status, family care or medical leave status, military or veteran status, or perceived membership in any of these groups.
Interested?
If you’re interested, submit your resume and a little bit about the project you’d like to work on.