Internships

Open Calls

This page lists the internship projects currently available in the Center for Cybersecurity of Fondazione Bruno Kessler (FBK).

Procedure

  1. Application: submit your application for the internship project you are interested in using the designated online form and providing the required information. Make sure to apply before the specified deadline. You are advised not to apply to more than two projects at the same time.
  2. Selection: project supervisors will review the applications and choose the most suitable candidate. If needed, they may request an oral interview during the selection process. Each project is evaluated independently.
  3. Results: once the selection process is complete, all applicants (both selected and not selected) will be notified of the outcome for the specific project.

For general inquiries, you can email internships-cs@fbk.eu. If you have specific questions about a project, please reach out to the project supervisor directly.

Please note that applications sent via email will not be considered.

Projects are listed starting with those that have the earliest submission deadlines.

Automated CBOM inventory through LLMs (research lines: ALEPH, CLEANSE, DAISY, SaFEWaRe)

ID: p-2025-aleph-1

Published on: Wednesday, 9 July 2025

Deadline for Applications: Tuesday, 9 September 2025 at 23:59 (extended from Saturday, 9 August 2025 at 23:59)

Description:

Software systems increasingly embed diverse cryptographic functions to ensure the safe and secure implementation of code. At the same time, regulatory demands, such as those outlined in the Cryptographic Bill of Materials (CBOM) [1-3], require complete visibility into the use of cryptography, including algorithms, parameters, modes of operation, and other relevant details. However, current solutions that use static analysis and manual audits to enumerate and document these primitives are only available for a very small selection of languages and libraries, such as Java and Python [4].
This research aims to explore how large language models (LLMs) fine-tuned on code, such as [5-6], can automatically detect calls to standard crypto libraries (e.g., OpenSSL, Bouncy Castle) and custom routines, extract metadata (algorithm, mode, key size), and create the necessary CBOM inventory. This can be done by working directly on the codebase or by extending existing analyzers [7].
The student will survey related techniques, design LLM prompts and training strategies for reliable crypto-function recognition, implement a prototype that processes repositories end-to-end, and evaluate its accuracy and performance against conventional static analyzers. Finally, the student must deliver a prototype that evaluates code in distinct languages (preferably C++, Go, JavaScript, or Rust) and assembles a structured crypto-inventory compliant with CBOM schemas.

Type: Internship + Thesis

Level: MSc

Supervisors: Alessandro Tomasi (altomasi@fbk.eu), Luis Augusto Dias Knob (l.diasknob@fbk.eu), Luca Piras (l.piras@fbk.eu), Pietro De Matteis (pdematteis@fbk.eu)

Prerequisites:

  • Basic knowledge of Large Language Models
  • Knowledge of programming languages (e.g., Python, Go, Java) would be highly advantageous.

Objectives:

  • Design LLM prompts and training strategies for reliable crypto-function recognition
  • Implement a prototype that processes repositories end-to-end, and evaluate its accuracy and performance against conventional static analyzers
  • Deliver a prototype that evaluates code in distinct languages (preferably C++, Go, JavaScript, or Rust) and assembles a structured crypto-inventory compliant with CBOM schemas

Topics: LLM, AI, CBOM

References:

  • [1] Cryptography Bill of Materials (CBOM)
  • [2] Cryptography Bill of Materials
  • [3] Authoritative Guide to CBOM
  • [4] Sonar Cryptography Plugin (CBOMkit-hyperion)
  • [5] CodeBERT-base
  • [6] Qwen2.5-Coder Series
  • [7] Extending the Sonar Cryptography Plugin to add support for another language or cryptography library

On the Implementation of Cryptographic Mechanisms for Access Control in Rust (research line: ALEPH)

ID: p-2025-aleph-2

Published on: Wednesday, 6 August 2025

Deadline for Applications: Wednesday, 20 August 2025 at 23:59

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of cloud-hosted sensitive data from both external attackers and curious service providers while enforcing access control policies. In CAC, the sensitive data is encrypted, and the permission to access the encrypted data is embodied by the (secret) decryption key. The Center for Cybersecurity (CS) of FBK has been working on an implementation of CAC in a tool called CryptoAC (short for Cryptographic Access Control) [1], applicable to diverse scenarios such as the cloud-IoT continuum and cloud-native applications. CryptoAC is an open-source tool written in the (multiplatform) Kotlin language, and potentially available as a programming library, plugin, or microservice (Docker container). Unfortunately, CryptoAC is currently a research proof-of-concept and ignores many aspects relevant to the development and operation of cryptographic mechanisms. In this context, applicants would collaborate on improving the technology readiness level (TRL) of CryptoAC by choosing among the following activities:

  1. surveying generic guidelines, best practices, and specific recommendations concerning the development of cryptographic mechanisms;
  2. re-implementing the core modules of CryptoAC using the (more secure and performant) Rust programming language;
  3. extending the capabilities of CryptoAC in one or more of the following areas: user authentication with OpenID Connect and FIDO, cryptographic key management, and strategies and tools for cryptographic bill of materials management.

This project provides the opportunity to acquire the fundamentals of scientific research, investigate and explore cutting-edge and relevant research topics, and engage in software engineering and development, while allowing applicants to design, propose, and implement their own ideas.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisor: Stefano Berlato (sberlato@fbk.eu)

Prerequisites:

  • Basic understanding of cybersecurity principles.
  • Basic knowledge of applied cryptography.
  • Knowledge of programming in Rust.
  • Knowledge of container technologies (e.g., Docker) and trusted execution environments may be advantageous.

Objectives:

  • Familiarization and study of the context (i.e., cryptographic access control, CryptoAC).
  • Investigation of possible improvements to the TRL of CryptoAC.
  • Implementation and evaluation of the chosen improvements.

Topics: Access Control, Applied Cryptography, Rust

References:

  • [1] CryptoAC

xBOM-based approach for Software Supply Chain Security in the SDLC (research lines: CLEANSE, SaFEWaRe)

ID: p-2025-cleanse-1

Published on: Friday, 8 August 2025

Deadline for Applications: Monday, 8 September 2025 at 23:59

Description:

According to Gartner research [1], software supply chain attacks present serious security, compliance, and operational challenges for organizations, with estimated costs expected to rise from $46 billion in 2023 to $138 billion by 2031.
A Software Bill of Materials (SBOM) is a critical component of modern software supply chain security. It provides a detailed inventory of all software components, libraries, and dependencies used in an application. By integrating SBOMs throughout the Software Development Life Cycle (SDLC), organizations can proactively identify vulnerabilities, ensure compliance, and enhance transparency [2].
One of the standards for describing a bill of materials in a machine-readable format is CycloneDX (CDX) [3], developed by the Open Worldwide Application Security Project (OWASP) [4] community. CycloneDX extends the concept of a bill of materials to other kinds of components (xBOM) [5]: cryptography, configuration and deployment, AI/machine learning, and so on.
The focus of the internship (and thesis) is to explore the xBOM approach across the SDLC phases to improve software supply chain security.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Pietro De Matteis (pdematteis@fbk.eu), Luca Piras (l.piras@fbk.eu)

Prerequisites:

  • Knowledge of programming languages (e.g., Python, TypeScript, Java) would be highly advantageous.
  • Basic knowledge of LLM, Generative AI, AI Agents, Agentic AI would be a plus.

Objectives: Multiple topics, for multiple positions, are available to explore the xBOM approach for security:

  • Software Bill of Materials (SBOM)
  • Software as a Service Bill of Materials (SaaSBOM)
  • Cryptography Bill of Materials (CBOM)
  • Vulnerability Exploitability eXchange (VEX)
  • AI/Machine Learning Bill of Materials (AI/ML-BOM)

The objectives will be tailored and detailed according to the specific topic.

Topics: Bill of Materials, SBOM, SaaSBOM, CBOM, VEX, AI/ML-BOM, Software Supply Chain Security, SDLC, CI/CD

Notes: Multiple positions available.

References:

  • [1] Leader's Guide to Software Supply Chain Security
  • [2] A First Appraisal of NIS2 and CRA Compliance Leveraging Open Source Tools
  • [3] CycloneDX: The International Standard for Bill of Materials (ECMA-424)
  • [4] OWASP
  • [5] CycloneDX v1.6: Now an Ecma International Standard