Center for Cybersecurity

Internships

Open Calls

This page lists the internship projects currently available in the Center for Cybersecurity of Fondazione Bruno Kessler (FBK).

Procedure

  1. Application: submit your application for the internship project you are interested in using the designated online form and providing the required information. Make sure to apply before the specified deadline. You are advised not to apply to more than two projects at the same time.
  2. Selection: project supervisors will review the applications and choose the most suitable candidate. If needed, they may request an oral interview during the selection process. Each project is evaluated independently.
  3. Results: once the selection process is complete, all applicants (both selected and not selected) will be notified of the outcome for the specific project.

For general inquiries, you can email internships-cs@fbk.eu. If you have specific questions about a project, please reach out to the project supervisor directly.

Please note that applications sent via email will not be considered.

Projects are listed starting with those that have the earliest submission deadlines.

Packet stream analysis for TLS compliance ST

ID: p-2025-st-1

Published on: Monday, 20 January 2025

Deadline for Applications: Friday, 28 February 2025 at 23:59 (extended; originally Thursday, 20 February 2025 at 23:59)

Description:

Since its first version was published as an RFC in 1999, Transport Layer Security (TLS) has rapidly become the de facto standard for providing confidentiality and integrity to communications exchanged in an unsecured environment. While there exist multiple implementations (e.g., OpenSSL, GnuTLS, rustls) that allow system administrators to easily deploy a webserver, there is no practical way to verify their compliance with the RFCs they are based on.
To ensure that a TLS deployment is configured correctly, (inter)national cybersecurity agencies such as the US NIST and Italy's AgID/ACN periodically issue technical guidelines that describe a set of requirements able to mitigate known vulnerabilities and ensure an adequate security level. These guidelines presume that security issues are only due to an incorrect configuration while, in reality, problems may also arise from incorrectly developed TLS libraries that generate messages which do not comply with the related RFCs.
The primary objective of this internship is to perform a technical review of the available software able to analyze raw network packets, validate their content, and determine which structure is used by the protocol. The results will be employed in a process that aims to develop a new tool that can verify, analyze, and execute TLS connections. This tool will be used to assess the compliance of TLS libraries and related deployments.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Riccardo Germenia (rgermenia@fbk.eu)

Prerequisites:

  • Basic knowledge of the TLS protocol
  • Basic knowledge of network analysis tools (e.g., Wireshark)
  • Basic knowledge of design patterns and software engineering
  • Basic experience with JavaScript
  • Experience with Python 3 development
  • Experience with formal grammars

Objectives:

  • Study of the TLS protocol and its inner workings
  • Perform a literature review on the state-of-the-art in terms of tools, listing their features, applicability and scope
  • Creation of a CFG (context-free grammar) for TLS 1.3

Topics: Research tool, Compliance analysis, Packet analysis, TLS misconfiguration

Notes: The project's scope will be adjusted to accommodate the number of available credits, making it suitable for both bachelor and master students. However, due to the need for future-proof and reusable results, access to the thesis period is dependent on an assessment performed on (and during) the internship period.

References:

  • [1] https://github.com/tlsfuzzer/tlslite-ng
  • [2] https://www.wireshark.org/
  • [3] https://lapo.it/asn1js
  • [4] https://github.com/tls-attacker/TLS-Attacker

AI-Powered Threat Modeling ST

ID: p-2025-st-2

Published on: Wednesday, 22 January 2025

Deadline for Applications: Friday, 14 March 2025 at 23:59 (extended; originally Friday, 7 February 2025 at 23:59)

Description:

As modern systems become increasingly complex, ensuring their security, privacy and resilience requires more advanced approaches to threat modeling. Artificial Intelligence (AI) has emerged as a powerful enabler to automate, enhance, and refine manual security and privacy assessments. By leveraging AI-driven techniques, organizations can identify the threats, vulnerabilities, potential attack vectors and mitigations more efficiently and with higher accuracy. However, the trustworthiness of AI-based threat modeling solutions must also be ensured—both to validate their findings and to mitigate any risks introduced by the AI systems themselves. This internship focuses on developing and evaluating AI-powered methodologies for automated threat modeling in cutting-edge systems such as Digital Identity Wallet and e-voting.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Umberto Morelli (umorelli@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu), Amir Sharif (asharif@fbk.eu)

Prerequisites:

  • Basic Cybersecurity Knowledge: A foundational understanding of security and privacy principles, threats, and common vulnerabilities.
  • Familiarity with Threat Modeling: Prior knowledge of frameworks like STRIDE or LINDDUN is advantageous.
  • Programming Skills: Comfort with Python programming language for AI model development or integration.

Objectives:

The main objectives of this internship project are as follows:

  • Extend Traditional Threat Modeling
    • Investigate how AI can augment well-known frameworks (e.g., STRIDE, LINDDUN) by automatically discovering threats, analyzing complex data, and flagging potential vulnerabilities.
    • Investigate and propose mechanisms to mitigate potential biases or errors introduced by the AI in identifying threats.
  • Implementation and Tooling
    • Investigate available AI-based security tools and evaluate their performance in realistic scenarios.
    • Integrate or prototype new AI modules, focusing on trustworthiness, accuracy, and usability in real-world environments.

Topics: Threat Modeling, LLMs, STRIDE, LINDDUN

LLM-powered Privacy Threat Modeling ST

ID: p-2025-st-3

Published on: Thursday, 20 February 2025

Deadline for Applications: Thursday, 20 March 2025 at 23:59

Description:

The rapid evolution of Large Language Models (LLMs) has unlocked new possibilities for applying artificial intelligence across a wide range of fields, including privacy engineering. As modern applications increasingly handle sensitive user data, safeguarding privacy has become more critical than ever. To ensure robust data protection, potential threats must be identified and addressed early in the development process. Privacy threat modeling frameworks like LINDDUN offer structured approaches for uncovering these risks, yet they often require significant manual effort, expert knowledge, and detailed system information—making the process time-intensive and reliant on thorough analysis. To address these challenges, at the Security and Trust unit of the Center for Cybersecurity, we introduced and developed PILLAR (Privacy risk Identification with LINDDUN and LLM Analysis Report), a new tool that implements and automates the LINDDUN framework through LLM integration to streamline and enhance privacy threat modeling. PILLAR automates key parts of the LINDDUN process, such as generating DFDs from unstructured textual inputs (e.g., system descriptions), eliciting privacy threats, and risk-based threat prioritization.
The primary objective of this internship is to conduct state-of-the-art research on privacy threat modeling, in particular on LLM-based approaches, emphasizing how LLMs can be leveraged to automate and enhance these processes. The results will be employed to integrate AI agent concepts into PILLAR.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisor: Majid Mollaeefar (mmollaeefar@fbk.eu)

Time frame: Preferably from April

Prerequisites:

  • Cybersecurity knowledge
  • Basic knowledge of Large Language Models and Agentic AI
  • Experience with Python
  • English Language

Objectives:

  • Extending PILLAR's capabilities
  • Integrating the AI agent concept within the threat modeling process
  • Adding new features to PILLAR

Topics: Threat Modeling, Privacy Engineering, Large Language Models, AI Agents

References:

  • [1] PILLAR's repository
  • [2] STRIDE GPT tool
  • [3] LINDDUN