This page lists the internship projects currently available in the Center for Cybersecurity of Fondazione Bruno Kessler (FBK).
Procedure
- Application: submit your application for the internship project you are interested in using the designated online form and providing the required information. Make sure to apply before the specified deadline. You are advised not to apply to more than two projects at the same time.
- Selection: project supervisors will review the applications and choose the most suitable candidate. If needed, they may request an oral interview during the selection process. Each project is evaluated independently.
- Results: once the selection process is complete, all applicants (both selected and not selected) will be notified of the outcome for the specific project.
For general inquiries, you can email internships-cs@fbk.eu. If you have specific questions about a project, please reach out to the project supervisor directly.
Please note that applications sent via email will not be considered.
Projects are listed starting with those that have the earliest submission deadlines.
Automated CBOM inventory through LLMs ALEPH CLEANSE DAISY SaFEWaRe
ID: p-2025-aleph-1
Published on: Wednesday, 9 July 2025
Deadline for Applications: Saturday, 9 August 2025 at 23:59 Tuesday, 9 September 2025 at 23:59 (extended)
Description:
Software systems are increasingly embedding diverse cryptographic functions to ensure the safe and secure implementation of code. At the same time, regulatory demands, such as those outlined in the Cryptographic Bill of Materials (CBOM)[1-2-3], require complete visibility into cryptography's use, including algorithms, parameters, modes of operation, and other relevant details. However, current solutions using static analysis and manual audits to enumerate and document these primitives are only available for a very small selection of libraries, such as Java and Python [4].
This research aims to explore how large language models (LLMs) fine-tuned on code, such as [5-6], can automatically detect calls to standard crypto-libraries, e.g., OpenSSL, Bouncy Castle, and custom routines, extract metadata (algorithm, mode, key size), and create the necessary CBOM inventory. This can be done by directly working with the codebase or extending existing analyzers [7].
The student will survey related techniques, design LLM prompts and training strategies for reliable crypto‑function recognition, implement a prototype that processes repositories end-to-end, and evaluate its accuracy and performance against conventional static analyzers. Finally, the student must deliver a prototype that evaluates code for distinct languages (preferably C++, Go, JavaScript, or Rust) and assemble a structured crypto-inventory compliant with CBOM schemas.
Type: Internship + Thesis
Level: MSc
Supervisors: Alessandro Tomasi (altomasi@fbk.eu), Luis Augusto Dias Knob (l.diasknob@fbk.eu), Luca Piras (l.piras@fbk.eu), Pietro De Matteis (pdematteis@fbk.eu)
Prerequisites:
- Basic knowledge of Large Language Models
- Knowledge of programming languages (i.e., Python, Go, Java) would be highly advantageous.
Objectives:
- Design LLM prompts and training strategies for reliable crypto-function recognition
- Implement a prototype that processes repositories end-to-end, and evaluate its accuracy and performance against conventional static analyzers
- Deliver a prototype that evaluates code for distinct languages (preferably C++, Go, JavaScript, or Rust) and assemble a structured crypto-inventory compliant with CBOM schemas
Topics: LLM, AI, CBOM
References:
- [1] Cryptography Bill of Materials (CBOM) • Link
- [2] Cryptography Bill of Materials • Link
- [3] Authoritative Guide to CBOM • Link
- [4] Sonar Cryptography Plugin (CBOMkit-hyperion) • Link
- [5] CodeBERT-base • Link
- [6] Qwen2.5-Coder Series • Link
- [7] Extending the Sonar Cryptography Plugin to add support for another language or cryptography library • Link
xBOM based approach for Software Supply Chain Security in SDLC CLEANSE SaFEWaRe
ID: p-2025-cleanse-1
Published on: Friday, 8 August 2025
Deadline for Applications: Monday, 8 September 2025 at 23:59
Description:
According to a Gartner research [1], Software Supply Chain attacks present serious security, compliance, and operational challenges for organizations, with estimated costs expected to rise from $46 billion in 2023 to $138 billion by 2031.
A Software Bill of Materials (SBOM) is a critical component in modern software supply chain security. It provides a detailed inventory of all software components, libraries, and dependencies used in an application. By integrating SBOMs throughout the Software Development Life Cycle (SDLC), organizations can proactively identify vulnerabilities, ensure compliance, and enhance transparency [2].
One of the standard to describe a bill of material in a machine-readable format is CycloneDX (CDX) [3], developed by the Open Worldwide Application Security Project(OWASP) [4] community. CycloneDX extends the concept of Bill of Material also to other components (xBOM) [5]: Cryptography, Configuration and Deployment, AI/Machine Learning and so on.
The focus of the Internship (and Thesis) is to explore the xBOM approach in SDLC phases to improve Security linked to the Software Supply Chain.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Pietro De Matteis (pdematteis@fbk.eu), Luca Piras (l.piras@fbk.eu)
Prerequisites:
- Knowledge of programming languages (i.e., Python, Typescript, Java) would be highly advantageous.
- Basic knowledge of LLM, Generative AI, AI Agents, Agentic AI would be a plus.
Objectives: Multiple topics, for multiple positions, are available to explore the xBOM approach for Security:
- Software Bill Of Material (SBOM)
- Software as a Service Bill of Materials (SaaSBOM)
- Cryptography Bill of Materials (CBOM)
- Vulnerability Exploitability Exchange (VEX)
- AI/Machine Learning Bill of Materials (AI/ML-BOM)
Topics: Bill Of Material, SBOM, SaaSBOM, CBOM, VEX, AI/ML-BOM, Software Supply Chain Security, SDLC, CI/CD
Notes: Multiple positions available.
References:
- [1] Leader's Guide to Software Supply Chain Security • Link
- [2] A First Appraisal of NIS2 and CRA Compliance Leveraging Open Source Tools • Link
- [3] CycloneDX: The International Standard for Bill of Materials (ECMA-424) • Link
- [4] OWASP • Link
- [5] CycloneDX v1.6: Now an Ecma International Standard • Link