
Security Researcher - Hardware Hacker

Location: Reading
Company: Oracle
Job Description
Oracle's Global Product Security (GPS) is looking for a highly skilled security professional to join the Ethical Hacking Team (EHT).
The EHT operates on the whole Oracle portfolio of products to improve security across all engineering groups within the company. As an EHT member, you will be involved in all aspects of product security assessment, from identification to fix. We value individual contribution, and you will be given the freedom to learn and grow. We are passionate about sharing knowledge and we deeply believe that the stronger you grow, the stronger the team becomes.
You will be involved in mostly hardware security assessments, but can expect to work on occasional software security assessments. You will use your knowledge to discover, report and provide guidance to fix any security issues you discover. EHT does not work under strict time constraints, so you will have time to plan, experiment and go deep, as we operate as an internal security research team.
This is not your run-of-the-mill pentesting gig where you grind out assessments week in, week out. The EHT is a dedicated security research group that invests the same amount of time and effort into breaking a product as you would expect from a state-sponsored APT.
Unlike an APT group, however, we're not only invested in finding bugs but also making sure they are fixed correctly and don't happen again. We don't just need people who can find CVSS 10 bugs, we need people who can use their skills and share their expertise to effect meaningful change across the company.
A successful candidate must have genuine excitement for and interest in security, as well as the desire to share knowledge and help others learn from the high technical and ethical standards you set. You will be asked to dive deep into hardware implementation, as well as reverse engineer firmware, file formats and protocols in order to reveal subtle security vulnerabilities and implement proof-of-concept exploit attack chains, simulating the steps of real-life attackers. Your work will benefit thousands of Oracle engineers worldwide and shape the future of product security within one of the largest software companies in the world.
- Bachelor of Science degree in Electrical/Electronic/Computer Engineering, Computer Science or related field.
- 3+ years of experience in vulnerability research / bug hunting; public history of vulnerability discovery (CVEs, blog posts etc.) is highly desirable.
- Ability to think like an adversary, identify potentially vulnerable spots in designs and implementations, assess risk and communicate the relevant details to other team members and managers.
- Knowledge of x86 and/or ARM server platform architecture and ability to read and understand x86 and/or ARM assembly. Experience with disassemblers/decompilers (e.g. IDA Pro/HexRays, Ghidra, Radare, objdump, gdb etc.) and firmware reversing tools (e.g. binwalk) is highly desirable.
- Applied knowledge of cryptographic algorithms / standards and basic knowledge of data structures and distributed systems.
- High familiarity with memory corruption bugs (stack/heap/integer overflows, format strings). Ability to exploit stack overflows with basic protections enabled (e.g. NX), on Windows and Linux.
- Knowledge of analogue / digital electronics and ability to understand complex schematic diagrams. Past FPGA and HDL experience is highly desirable.
- Ability to communicate on, monitor, and debug common embedded communications interfaces such as JTAG, SPI, I2C, RS232, USB etc. Ability to build enabling prototypes (e.g. Arduino/Raspberry Pi controlled breadboards).
- Ability to use common hardware lab tools (e.g. soldering iron, logic analyser, oscilloscope, function generator, power supply etc.)
- Practical experience with hardware attacks (e.g. side channels, fault injection); past experience with hardware attack tools (e.g. ChipWhisperer) is highly desirable.
- Knowledge of Linux OS internals. Fluency in either C or C++ and proficiency with one of Python, Go, Java or Bash. Ability to self-teach any language, given appropriate resources to study and practice.
- Ability to participate in web or network penetration tests; practical knowledge of common web flaws (SQL injection, XSS, SSRF, upload/download abuse, RCE).
- Familiarity with networking protocols (e.g. TCP/IP, HTTP) and related security protocols (e.g. SSL, TLS, key exchange)
- Ability to work as part of a geographically scattered team
- Excellent organizational, verbal and written communication skills
- Ability to work physically in Reading - Thames Valley Park, for 80% of the time (once Covid-19 restrictions are fully lifted).
Design, develop, troubleshoot and debug software programs for databases, applications, tools, networks etc.
As a member of the software engineering division, you will take an active role in the definition and evolution of standard practices and procedures. You will be responsible for defining and developing software for tasks associated with the developing, designing and debugging of software applications or operating systems.
Work is non-routine and very complex, involving the application of advanced technical/business skills in the area of specialization. Leading contributor individually and as a team member, providing direction and mentoring to others. BS or MS degree or equivalent experience relevant to functional area. 7 years of software engineering or related experience.
About Us
Innovation starts with inclusion at Oracle. We are committed to creating a workplace where all kinds of people can be themselves and do their best work. It's when everyone's voice is heard and valued, that we are inspired to go beyond what's been done before. That's why we need people with diverse backgrounds, beliefs, and abilities to help us create the future, and are proud to be an affirmative-action equal opportunity employer.
Oracle is an Equal Employment Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability and protected veterans status, age, or any other characteristic protected by law. Oracle will consider for employment qualified applicants with arrest and conviction records pursuant to applicable law.