This page lists the internship projects currently available in the Center for Cybersecurity of Fondazione Bruno Kessler (FBK).
Procedure
- Application: submit your application for the internship project you are interested in using the designated online form and providing the required information. Make sure to apply before the specified deadline. You are advised not to apply to more than two projects at the same time.
- Selection: project supervisors will review the applications and choose the most suitable candidate. If needed, they may request an oral interview during the selection process. Each project is evaluated independently.
- Results: once the selection process is complete, all applicants (both selected and not selected) will be notified of the outcome for the specific project.
For general inquiries, you can email internships-cs@fbk.eu. If you have specific questions about a project, please reach out to the project supervisor directly.
Please note that applications sent via email will not be considered.
Projects are listed starting with those that have the earliest submission deadlines.
Automatic Security Testing Tool for Identity Management Protocols (CLEANSE, ST)
ID: p-2025-st-6
Published on: Wednesday, 9 July 2025
Deadline for Applications: Saturday, 9 August 2025 at 23:59
Description:
Identity Management (IdM) protocols are the protocols that support Single Sign-On (SSO), an authentication scheme that lets a user access different services with the same set of credentials. Two of the best-known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions for corporations such as Google and Meta (Facebook), as well as for Public Administration (eIDAS, SPID, CIE, and the upcoming IT-Wallet), are based on IdM protocols. We propose improving an existing security testing tool by designing and implementing new features that extend its capabilities.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Andrea Bisegna (a.bisegna@fbk.eu), Laura Cristiano (l.cristiano@fbk.eu)
Objectives:
- Literature Review (guidelines and best practices)
- Ethical analysis
- Risk Assessment
Topics: Identity Management protocols, Attack patterns, Security testing
Automated CBOM inventory through LLMs (ALEPH, CLEANSE, DAISY, SaFEWaRe)
ID: p-2025-aleph-1
Published on: Wednesday, 9 July 2025
Deadline for Applications: Saturday, 9 August 2025 at 23:59
Description:
Software systems increasingly embed a wide range of cryptographic functions to protect code and data. At the same time, regulatory demands, such as those captured by the Cryptography Bill of Materials (CBOM) [1,2,3], require complete visibility into how cryptography is used, including algorithms, parameters, modes of operation, and other relevant details. However, current solutions that rely on static analysis and manual audits to enumerate and document these primitives cover only a very small set of languages and libraries, such as Java and Python [4].
This research aims to explore how large language models (LLMs) fine-tuned on code, such as [5,6], can automatically detect calls to standard crypto libraries (e.g., OpenSSL, Bouncy Castle) as well as custom routines, extract metadata (algorithm, mode, key size), and build the required CBOM inventory. This can be done by working directly on the codebase or by extending existing analyzers [7].
The student will survey related techniques, design LLM prompts and training strategies for reliable crypto-function recognition, implement a prototype that processes repositories end-to-end, and evaluate its accuracy and performance against conventional static analyzers. Finally, the student must deliver a prototype that evaluates code in several languages (preferably C++, Go, JavaScript, or Rust) and assembles a structured crypto-inventory compliant with CBOM schemas.
Type: Internship + Thesis
Level: MSc
Supervisors: Alessandro Tomasi (altomasi@fbk.eu), Luis Augusto Dias Knob (l.diasknob@fbk.eu), Luca Piras (l.piras@fbk.eu), Pietro De Matteis (pdematteis@fbk.eu)
Prerequisites:
- Basic knowledge of Large Language Models
- Knowledge of programming languages (e.g., Python, Go, Java) would be highly advantageous.
Objectives:
- Design LLM prompts and training strategies for reliable crypto-function recognition
- Implement a prototype that processes repositories end-to-end, and evaluate its accuracy and performance against conventional static analyzers
- Deliver a prototype that evaluates code in several languages (preferably C++, Go, JavaScript, or Rust) and assembles a structured crypto-inventory compliant with CBOM schemas
Topics: LLM, AI, CBOM
References:
- [1] Cryptography Bill of Materials (CBOM)
- [2] Cryptography Bill of Materials
- [3] Authoritative Guide to CBOM
- [4] Sonar Cryptography Plugin (CBOMkit-hyperion)
- [5] CodeBERT-base
- [6] Qwen2.5-Coder Series
- [7] Extending the Sonar Cryptography Plugin to add support for another language or cryptography library