Curricular Internships

Open Calls

This page lists the internship projects currently available in the Center for Cybersecurity of Fondazione Bruno Kessler (FBK). Please note that these are curricular internship projects (which do not include financial compensation) intended specifically for bachelor's and master's university students, and not employment contracts. Please refer to jobs.fbk.eu/ for job offers and open positions.

Procedure

  1. Application: submit your application for the internship project you are interested in using the designated online form and providing the required information. Make sure to apply before the specified deadline. You are advised not to apply to more than two projects at the same time.
  2. Selection: project supervisors will review the applications and choose the most suitable candidate. If needed, they may request an oral interview during the selection process. Each project is evaluated independently.
  3. Results: once the selection process is complete, all applicants (both selected and not selected) will be notified of the outcome for the specific project.

For general inquiries, you can email internships-cs@fbk.eu. If you have specific questions about a project, please reach out to the project supervisor directly.

Please note that applications sent via email will not be considered.

Projects are listed starting with those that have the earliest submission deadlines.

Post-Quantum Byzantine Fault Tolerant Consensus Protocols ALEPH

ID: p-2026-aleph-1

Published on: Tuesday, 24 February 2026

Deadline for Applications: Tuesday, 24 March 2026 at 23:59

Description:

The advent of quantum computing poses a serious threat to classical public-key cryptography, including digital signature schemes that are a fundamental building block of modern Byzantine Fault Tolerant (BFT) consensus protocols. State-of-the-art BFT protocols, such as HotStuff and its derivatives, rely heavily on efficient digital signatures and quorum certificates to guarantee safety and liveness in adversarial settings.
Post-quantum signature schemes, while offering resistance against quantum adversaries, introduce significant challenges in terms of signature size, verification cost, and communication overhead, which can substantially affect the performance and scalability of consensus protocols.
This project aims to investigate the integration of post-quantum signature schemes into BFT consensus protocols. The work will start with a survey of existing post-quantum signature schemes and recent research on post-quantum secure consensus, highlighting different design approaches, including both direct replacement of classical signatures and protocol-level redesigns aimed at reducing or eliminating the reliance on signatures.
Building on this analysis, the student will study a state-of-the-art BFT protocol (e.g., HotStuff or related variants) and explore how post-quantum signatures can be incorporated, analyzing the resulting trade-offs in terms of security assumptions, communication complexity, and performance. Depending on time and interest, the work may include a prototype implementation and an experimental evaluation.
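As an added illustration (not part of the project description or of any HotStuff implementation), the following Python model shows why a direct replacement of signatures changes the communication profile of a HotStuff-style protocol. It computes the size of a quorum certificate (QC) for n replicas and the leader's per-phase traffic, with signature lengths taken from FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), RFC 8032 (Ed25519) and a compressed G1 point on BLS12-381. HotStuff's constant-size QCs rely on threshold signatures; concatenating per-replica signatures grows linearly in the quorum size. The traffic model (one vote per replica to the leader, QC broadcast to all n) is a deliberate simplification that ignores message headers, block payloads and the view-change path, and the assumption that no standardized post-quantum scheme offers constant-size aggregation is exactly the design question the student would revisit.

```python
"""Size model for quorum certificates (QCs) in a HotStuff-style BFT protocol
under classical vs post-quantum signature schemes (added example).
Signature lengths are the values published in the respective specifications."""
import math

# scheme -> (signature bytes, supports non-interactive aggregation into one constant-size signature?)
SCHEMES = {
    "Ed25519":            (64,   False),  # RFC 8032
    "BLS12-381 (G1 sig)": (48,   True),   # threshold/aggregate BLS, as assumed by HotStuff-style QCs
    "ML-DSA-44":          (2420, False),  # FIPS 204
    "ML-DSA-65":          (3309, False),  # FIPS 204
    "SLH-DSA-SHA2-128s":  (7856, False),  # FIPS 205
}


def max_faulty(n: int) -> int:
    """Largest f such that n >= 3f + 1 (classical BFT resilience bound)."""
    return (n - 1) // 3


def quorum(n: int) -> int:
    """Votes needed to form a QC: n - f (equals 2f + 1 when n = 3f + 1)."""
    return n - max_faulty(n)


def qc_size(scheme: str, n: int) -> int:
    """Bytes of signature material in one QC for n replicas.
    Aggregatable schemes: one signature plus a signer bitmap.
    Others: one signature per quorum member plus the same bitmap."""
    sig, aggregatable = SCHEMES[scheme]
    bitmap = math.ceil(n / 8)
    return (sig if aggregatable else quorum(n) * sig) + bitmap


def leader_bytes_per_phase(scheme: str, n: int) -> int:
    """Simplified per-phase leader traffic: receive one vote (one signature)
    from each replica, then broadcast the QC to all n replicas.
    Ignores headers, block payload and the view-change path (assumption)."""
    sig, _ = SCHEMES[scheme]
    return n * sig + n * qc_size(scheme, n)


def compare(n: int) -> dict:
    """QC size and leader traffic relative to the aggregated-BLS baseline, per scheme."""
    base = leader_bytes_per_phase("BLS12-381 (G1 sig)", n)
    return {s: (qc_size(s, n), leader_bytes_per_phase(s, n) / base) for s in SCHEMES}


if __name__ == "__main__":
    for n in (4, 31, 100):
        print(f"n={n} f={max_faulty(n)} quorum={quorum(n)}")
        for s, (qc, ratio) in compare(n).items():
            print(f"  {s:20s} QC={qc:>9d} B   leader traffic x{ratio:8.1f}")
```

Running it for n=100 shows an ML-DSA-44 QC above 160 KB versus 61 bytes with aggregated BLS, which is the kind of number that motivates the protocol-level redesigns (fewer signatures per decision, or none) mentioned above.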

Type: Internship + Thesis

Level: MSc

Supervisors: Riccardo Longo (rlongo@fbk.eu), Alessandro Tomasi (altomasi@fbk.eu)

Prerequisites:

  • Basic knowledge of cryptography (digital signatures, security models)
  • Familiarity with distributed systems and consensus protocols
  • Programming experience (e.g., C/C++, Rust, Go, or Python)
  • Background in post-quantum cryptography or Byzantine consensus is a plus, but not strictly required

Objectives:

  • Survey of post-quantum digital signature schemes and their properties
  • Study of Byzantine Fault Tolerant consensus protocols and their cryptographic building blocks
  • Analysis of the impact of post-quantum signatures on consensus efficiency and scalability
  • Design and/or evaluation of a post-quantum-aware BFT consensus solution

Topics: Post-Quantum Cryptography, Byzantine Fault Tolerant Consensus, Distributed Systems, Blockchain Protocols

Notes: Work in collaboration with the division "research on advanced technologies" of the Bank of Italy.

Failure Points and Mitigation Strategies in Software Bill of Materials (SBOM) Workflows CLEANSE SaFEWaRe

ID: p-2026-cleanse-1

Published on: Thursday, 5 March 2026

Deadline for Applications: Monday, 30 March 2026 at 23:59

Description:

The increasing adoption of Software Bills of Materials (SBOMs) within modern software supply chains introduces new opportunities for transparency [1], but in practice it means trusting third-party tools to generate, validate and consume these documents. This research project aims to systematically map the end-to-end SBOM lifecycle, identify the most critical technical and procedural failure points, and develop practical mitigation strategies, including automation, verification pipelines, standards compliance, and security controls. The outcome will be a validated framework and a set of best practices for strengthening SBOM workflows in enterprise environments.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Pietro De Matteis (pdematteis@fbk.eu), Luca Piras (l.piras@fbk.eu)

Prerequisites:

  • Knowledge of programming languages (e.g., Python, TypeScript, Java) would be highly advantageous.
  • Basic knowledge of CI/CD platforms such as GitHub would be a plus.

Objectives: A Comprehensive Study of Failure Points and Mitigation Strategies in Software Bill of Materials (SBOM) Workflows

Topics: Software Bill of Materials (SBOM), CI/CD, Software Supply Chain Security

References:

  • [1] A First Appraisal of NIS2 and CRA Compliance Leveraging Open Source Tools • DOI

Bill of Materials approach to secure AI/ML Systems CLEANSE SaFEWaRe

ID: p-2026-cleanse-2

Published on: Thursday, 5 March 2026

Deadline for Applications: Monday, 30 March 2026 at 23:59

Description:

Securing AI/ML systems increasingly requires supply-chain visibility not just for software, but for models, datasets, dependencies, training pipelines, and runtime environments. Regulations and frameworks such as the EU AI Act and the NIST AI RMF also require organizations to document clearly what goes into their AI models.
Initiatives such as AI/ML-BOM [1,2] represent a new paradigm for ensuring full transparency, traceability, and accountability throughout the AI supply chain. This research project begins with a comprehensive review of the state of the art, assessing the maturity of BOM-based approaches in the AI domain and examining the tools available to automate the creation and maintenance of such artifacts.
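To make the "failure points" of both BOM projects on this page concrete (the SBOM workflow project p-2026-cleanse-1 above and this AI/ML-BOM project), here is an added Python check, not code from FBK or from any of the referenced tools, that a CI step could run over a CycloneDX JSON document before trusting it. It flags missing top-level fields, unpinned components, libraries without a purl, declared SHA-256 hashes that do not match the artifact actually deployed, ML models without a modelCard, and a dependency graph that references components the BOM never lists. The CycloneDX field names (bom-ref, purl, hashes, modelCard, dependencies) are from the 1.5 specification; the sample BOM and artifact bytes are constructed for the example.

```python
"""Checks a CycloneDX JSON SBOM (software or AI/ML-BOM) for common failure points
(added example; not part of the project or of any CycloneDX tool)."""
import hashlib
import json
from collections import Counter

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "serialNumber", "version", "components")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_failures(bom: dict, artifacts: dict) -> list:
    """Return human-readable findings. `artifacts` maps bom-ref -> bytes of the
    artifact actually deployed, so declared hashes are checked against reality."""
    findings = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in bom:
            findings.append(f"missing top-level field {key!r}")
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not 'CycloneDX'")

    components = bom.get("components", [])
    ref_counts = Counter(c.get("bom-ref") for c in components)
    for ref, count in ref_counts.items():
        if ref is None:
            findings.append("component without bom-ref (cannot appear in the dependency graph)")
        elif count > 1:
            findings.append(f"duplicate bom-ref {ref!r}")

    for c in components:
        ref = c.get("bom-ref") or c.get("name", "<unnamed>")
        if not c.get("version"):
            findings.append(f"{ref}: no version (unpinned, cannot be matched to advisories)")
        if c.get("type") == "library" and not c.get("purl"):
            findings.append(f"{ref}: library without purl (no stable identifier for vulnerability lookup)")
        hashes = {h.get("alg"): str(h.get("content", "")).lower() for h in c.get("hashes", [])}
        if "SHA-256" not in hashes:
            findings.append(f"{ref}: no SHA-256 hash (artifact integrity cannot be verified)")
        elif ref in artifacts and hashes["SHA-256"] != sha256_hex(artifacts[ref]):
            findings.append(f"{ref}: SHA-256 does not match the deployed artifact (stale or tampered BOM)")
        if c.get("type") == "machine-learning-model" and not c.get("modelCard"):
            findings.append(f"{ref}: ML model without modelCard (training data and provenance undocumented)")

    known = {r for r in ref_counts if r is not None}
    for entry in bom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            if dep not in known:
                findings.append(f"dependency graph references unknown bom-ref {dep!r}")
    return findings


def check_sbom_json(text: str, artifacts: dict) -> list:
    """Same check, starting from the serialized document a CI step would receive."""
    return find_failures(json.loads(text), artifacts)


# Constructed sample (not a real BOM): one well-formed library, one broken one, one ML model.
LIB_BYTES = b"constructed wheel contents"
WEIGHTS = b"constructed model weights"
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "lib-requests", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(LIB_BYTES)}]},
        {"type": "library", "bom-ref": "lib-foo", "name": "foo",            # no version, no purl
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},             # hash no longer matches
        {"type": "machine-learning-model", "bom-ref": "model-clf", "name": "spam-classifier",
         "version": "1.2", "hashes": [{"alg": "SHA-256", "content": sha256_hex(WEIGHTS)}]},  # no modelCard
    ],
    "dependencies": [{"ref": "lib-requests", "dependsOn": ["lib-urllib3"]}],  # urllib3 never listed
}
ARTIFACTS = {"lib-requests": LIB_BYTES, "lib-foo": b"something else entirely", "model-clf": WEIGHTS}


def run_sample() -> list:
    """Findings for the constructed sample via the JSON entry point."""
    return check_sbom_json(json.dumps(SAMPLE_BOM), ARTIFACTS)


if __name__ == "__main__":
    for line in run_sample():
        print("FAIL", line)
```

The hash comparison is the check most SBOM pipelines skip: a BOM generated at build time and never re-verified against what was actually deployed is exactly the "trust in third-party tools" problem, and a model whose weights hash does not match its BOM entry is the AI analogue of a swapped dependency.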

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Pietro De Matteis (pdematteis@fbk.eu), Luca Piras (l.piras@fbk.eu)

Prerequisites: Basic knowledge of LLMs, generative AI, AI agents and agentic AI.

Objectives: The outcome will be a proposed framework and a set of best practices for strengthening AI/ML-BOM workflows in different scenarios.

Topics: AI/ML-BOM, LLM, Generative AI, AI Agents, Agentic AI

References:

  • [1] OWASP AI Bill Of Materials (AIBOM) Project • Link
  • [2] Authoritative Guide to AI/ML-BOM • Link

Automating Risk Assessment for Identity Management Solutions: A Knowledge-Base Approach ST

ID: p-2026-st-2

Published on: Wednesday, 4 March 2026

Deadline for Applications: Friday, 27 March 2026 at 23:59

Description:

Identity Management systems, and especially National Digital Identity systems (NDIDs), are complex socio-technical infrastructures that must satisfy security, privacy, usability, trust, organizational, and legal requirements at the same time. To support designers in exploring design choices, linking requirements to mitigations, and deriving possible threats through a semi-automated workflow, we have developed an IdM Knowledge Base (IdM-KB): a comprehensive repository of design goals, requirements, mitigations, threats, and attacks derived from a systematic review of over 186 academic and gray-literature sources. The IdM-KB is grounded in a purpose-built ontology and paired with a prototype tool that supports threat modeling workflows for IdM designers. The approach is promising, but it has limitations: the knowledge base is still largely technology- and use-case-neutral, and it contains few use-case-specific entries. This internship project aims to address these limitations by extending the current tool and evaluating it on a well-known NDID use case.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Gianluca Sassetti (gsassetti@fbk.eu), Amir Sharif (asharif@fbk.eu)

Objectives:

  • Extend the knowledge base with use-case-specific entries for prominent NDID systems (e.g., digital identity wallets, eCard-based systems, mobile-first NDIDs), addressing the current scarcity of protocol- and architecture-specific data.
  • Validate the updated tool and knowledge base through structured threat modeling case studies on real-world NDID deployments, to assess whether it can support analysts and system designers in practice and highlight its usefulness in action.
  • Use the knowledge base to perform risk assessment according to state-of-the-art frameworks (ISO 27001, PASTA, FAIR).

Topics: Identity Management, Threat Modeling, Knowledge Base

Automated Privacy Assessment of OpenID Connect Parties ST

ID: p-2026-st-3

Published on: Wednesday, 4 March 2026

Deadline for Applications: Friday, 3 April 2026 at 23:59

Description:

OpenID Connect (OIDC) lacks a consolidated set of privacy best current practices (BCPs): only a handful of guidelines exist in this regard. In 2023 and 2026, we provided a set of BCPs to fill that gap (Sassetti et al.), together with an assessment of the privacy posture of several OIDC Providers (OPs). The results show that only a few OPs provide a high privacy baseline, whereas many others implement only the bare minimum. Currently, the privacy posture checks are limited to OPs; as a result, the privacy practices of Relying Parties (RPs) and users remain uninvestigated.
As a new line of work, we plan to extend the automated assessment of privacy posture from OPs to RPs and users. First, we will develop a browser plugin that automatically draws a privacy profile of RPs based on the BCPs they put in use. Then, we will set up an experiment with ordinary users to survey their privacy practices.
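The core of such a plugin is a classifier over the authorization request the RP sends the user's browser to the OP. The following Python function is an added example of that logic, not code from the project or from the Sassetti et al. BCPs: the checks and their weights are an illustrative subset chosen for this page (scope minimization, front-channel token delivery, PKCE, state, nonce, identifiers in login_hint/id_token_hint, use of the claims parameter), all of which are standard OIDC Core parameters. In a WebExtension the same logic would be ported to JavaScript and run from a webRequest listener; the two request URLs are constructed for the example, not captured from any real RP.

```python
"""Privacy-posture checks on an OpenID Connect authorization request, as a
browser extension could run them on each outgoing request to an OP (added example)."""
from urllib.parse import parse_qs, urlsplit

# Scopes that pull personal data beyond the bare subject identifier (OIDC Core 1.0, section 5.4).
PERSONAL_SCOPES = {"profile", "email", "address", "phone"}


def _first(qs: dict, key: str) -> str:
    return qs.get(key, [""])[0]


def analyze_auth_request(url: str) -> dict:
    """Return the findings (id, weight, note) and a 0-100 score; higher is better.
    Checks and weights are an illustrative subset (assumption), not the paper's BCP list."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    scopes = _first(qs, "scope").split()
    response_type = _first(qs, "response_type").split()
    findings = []

    def flag(fid: str, weight: int, note: str) -> None:
        findings.append({"id": fid, "weight": weight, "note": note})

    if "openid" not in scopes:
        flag("not-oidc", 0, "no 'openid' scope: plain OAuth 2.0 request, OIDC checks may not apply")
    personal = sorted(PERSONAL_SCOPES & set(scopes))
    if personal:
        flag("personal-scopes", min(25, 10 * len(personal)),
             f"requests personal-data scopes {personal}; the 'claims' parameter can ask only for what is needed")
    if "token" in response_type or "id_token" in response_type:
        flag("front-channel-tokens", 25,
             "implicit/hybrid flow: tokens come back in the URL fragment and can leak via history or referers")
    if "code" in response_type and not _first(qs, "code_challenge"):
        flag("no-pkce", 10, "authorization code flow without PKCE")
    if not _first(qs, "state"):
        flag("no-state", 10, "no state parameter (CSRF on the redirect URI)")
    if not _first(qs, "nonce"):
        flag("no-nonce", 10, "no nonce (ID token replay)")
    for hint in ("login_hint", "id_token_hint"):
        if _first(qs, hint):
            flag(f"{hint}-in-url", 10, f"{hint} puts a user identifier in the request URL (logs, referers)")
    if _first(qs, "claims"):
        flag("uses-claims-param", 0, "uses the 'claims' parameter to request specific claims (minimization)")

    score = max(0, 100 - sum(f["weight"] for f in findings))
    return {"scopes": scopes, "findings": findings, "score": score}


# Constructed requests for the example, not captured from any real RP or OP.
MINIMAL = ("https://op.example/authorize?client_id=rp1&redirect_uri=https%3A%2F%2Frp.example%2Fcb"
           "&response_type=code&scope=openid&state=s1&nonce=n1"
           "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256")
GREEDY = ("https://op.example/authorize?client_id=rp2&redirect_uri=https%3A%2F%2Frp2.example%2Fcb"
          "&response_type=id_token%20token&scope=openid%20profile%20email%20address%20phone"
          "&login_hint=alice%40example.org")

if __name__ == "__main__":
    for name, url in (("minimal", MINIMAL), ("greedy", GREEDY)):
        result = analyze_auth_request(url)
        print(f"{name}: score {result['score']}")
        for f in result["findings"]:
            print(f"  [{f['id']}] -{f['weight']} {f['note']}")
```

Because the plugin only sees what the RP sends, this profile captures the RP's own choices (what it asks for and how), which is the gap the project identifies; whether the OP then honours pairwise subject identifiers or minimizes the claims it releases remains an OP-side check.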

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Gianluca Sassetti (gsassetti@fbk.eu), Amir Sharif (asharif@fbk.eu)

Prerequisites:

  • Basic understanding of cybersecurity and privacy principles
  • Basic coding skills
  • Knowledge of the OpenID Connect protocol is a plus (soft-requirement)
  • Strong analytical and problem-solving skills

Objectives:

  • Extend the survey to RPs, and possibly to a large enough number of RPs that it can provide a meaningful snapshot of the state of the art for OIDC parties.
  • Extend the survey to users to understand their behaviour when presented with indicators of privacy posture.
  • Draw a set of lessons learned that tell us the best way to implement privacy indicators. We plan to provide feedback to OPs and RPs so that they can include those considerations in their software development lifecycle and improve the overall privacy of the OIDC ecosystem.

Topics: OpenID Connect, Privacy, Best Current Practices