Internships

Archive Year 2025

Automated CBOM inventory through LLMs ALEPH CLEANSE DAISY SaFEWaRe

ID: p-2025-aleph-1

Published on: Wednesday, 9 July 2025

Deadline for Applications: Saturday, 9 August 2025 at 23:59 Tuesday, 9 September 2025 at 23:59 (extended)

Description:

Software systems are increasingly embedding diverse cryptographic functions to ensure the safe and secure implementation of code. At the same time, regulatory demands, such as those outlined in the Cryptographic Bill of Materials (CBOM)[1-2-3], require complete visibility into cryptography's use, including algorithms, parameters, modes of operation, and other relevant details. However, current solutions using static analysis and manual audits to enumerate and document these primitives are only available for a very small selection of libraries, such as Java and Python [4].
This research aims to explore how large language models (LLMs) fine-tuned on code, such as [5-6], can automatically detect calls to standard crypto-libraries, e.g., OpenSSL, Bouncy Castle, and custom routines, extract metadata (algorithm, mode, key size), and create the necessary CBOM inventory. This can be done by directly working with the codebase or extending existing analyzers [7].
The student will survey related techniques, design LLM prompts and training strategies for reliable crypto‑function recognition, implement a prototype that processes repositories end-to-end, and evaluate its accuracy and performance against conventional static analyzers. Finally, the student must deliver a prototype that evaluates code for distinct languages (preferably C++, Go, JavaScript, or Rust) and assemble a structured crypto-inventory compliant with CBOM schemas.

Type: Internship + Thesis

Level: MSc

Supervisors: Alessandro Tomasi (altomasi@fbk.eu), Luis Augusto Dias Knob (l.diasknob@fbk.eu), Luca Piras (l.piras@fbk.eu), Pietro De Matteis (pdematteis@fbk.eu)

Prerequisites:

  • Basic knowledge of Large Language Models
  • Knowledge of programming languages (i.e., Python, Go, Java) would be highly advantageous.

Objectives:

  • Design LLM prompts and training strategies for reliable crypto-function recognition
  • Implement a prototype that processes repositories end-to-end, and evaluate its accuracy and performance against conventional static analyzers
  • Deliver a prototype that evaluates code for distinct languages (preferably C++, Go, JavaScript, or Rust) and assemble a structured crypto-inventory compliant with CBOM schemas

Topics: LLM, AI, CBOM

References:

  • [1] Cryptography Bill of Materials (CBOM) • Link
  • [2] Cryptography Bill of Materials • Link
  • [3] Authoritative Guide to CBOM • Link
  • [4] Sonar Cryptography Plugin (CBOMkit-hyperion) • Link
  • [5] CodeBERT-base • Link
  • [6] Qwen2.5-Coder Series • Link
  • [7] Extending the Sonar Cryptography Plugin to add support for another language or cryptography library • Link

On the Implementation of Cryptographic Mechanisms for Access Control in Rust ALEPH

ID: p-2025-aleph-2

Published on: Wednesday, 6 August 2025

Deadline for Applications: Wednesday, 20 August 2025 at 23:59

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of cloud-hosted sensitive data from both external attackers and curious service providers while enforcing access control policies. In CAC, the sensitive data is encrypted, and the permission to access the encrypted data is embodied by the (secret) decrypting key. The Center for Cybersecurity (CS) of FBK has been working on an implementation of CAC in a tool called CryptoAC (short for Cryptographic Access Control) [1] applicable to diverse scenarios, such as the cloud-IoT continuum and cloud native applications. CryptoAC is an open-source tool written in the (multiplatform) Kotlin language, and potentially available as programming library, plugin, or microservice (Docker container). Unfortunately, CryptoAC is currently a research proof-of-concept and ignores many aspects relevant to the development and operation of cryptographic mechanisms. In this context, applicants would collaborate on improving the technology readiness level (TRL) of CryptoAC by choosing among the following activities: 1) surveying generic guidelines, best practices, and specific reccomendations concerning the development of cryptographic mechanisms; 2) re-implementing the core modules of CryptoAC using the (more secure and performant) Rust programming language; 3) extend the capabilities of CryptoAC in one or more of the following areas: user authentication with OpenID Connect and FIDO, cryptographic key management, strategies and tools for cryptographic bill of materials management. This project provides the opportunity to acquire the fundamentals of scientific research, investigate and explore cutting-edge and relevant research topics, and engage in software engineering and development while allowing applicants to design, propose, and implement their own ideas.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisor: Stefano Berlato (sberlato@fbk.eu)

Prerequisites:

  • Basic understanding of cybersecurity principles.
  • Basic knowledge of applied cryptography.
  • Knowledge of programming in Rust.
  • Knowledge of containers technologies (i.e., Docker) and trusted execution environments may be advantageous.

Objectives:

  • Familiarization and study of the context (i.e., cryptographic access control, CryptoAC).
  • Investigation of possible improvements to the TRL of CryptoAC.
  • Implementation and evaluation of the chosen improvements.

Topics: Access Control, Applied Cryptography, Rust

References:

  • [1] CryptoAC • Link

xBOM based approach for Software Supply Chain Security in SDLC CLEANSE SaFEWaRe

ID: p-2025-cleanse-1

Published on: Friday, 8 August 2025

Deadline for Applications: Monday, 8 September 2025 at 23:59

Description:

According to a Gartner research [1], Software Supply Chain attacks present serious security, compliance, and operational challenges for organizations, with estimated costs expected to rise from $46 billion in 2023 to $138 billion by 2031.
A Software Bill of Materials (SBOM) is a critical component in modern software supply chain security. It provides a detailed inventory of all software components, libraries, and dependencies used in an application. By integrating SBOMs throughout the Software Development Life Cycle (SDLC), organizations can proactively identify vulnerabilities, ensure compliance, and enhance transparency [2].
One of the standard to describe a bill of material in a machine-readable format is CycloneDX (CDX) [3], developed by the Open Worldwide Application Security Project(OWASP) [4] community. CycloneDX extends the concept of Bill of Material also to other components (xBOM) [5]: Cryptography, Configuration and Deployment, AI/Machine Learning and so on.
The focus of the Internship (and Thesis) is to explore the xBOM approach in SDLC phases to improve Security linked to the Software Supply Chain.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Pietro De Matteis (pdematteis@fbk.eu), Luca Piras (l.piras@fbk.eu)

Prerequisites:

  • Knowledge of programming languages (i.e., Python, Typescript, Java) would be highly advantageous.
  • Basic knowledge of LLM, Generative AI, AI Agents, Agentic AI would be a plus.

Objectives: Multiple topics, for multiple positions, are available to explore the xBOM approach for Security:

  • Software Bill Of Material (SBOM)
  • Software as a Service Bill of Materials (SaaSBOM)
  • Cryptography Bill of Materials (CBOM)
  • Vulnerability Exploitability Exchange (VEX)
  • AI/Machine Learning Bill of Materials (AI/ML-BOM)
The objectives will be declined and detailed to the specific topic.

Topics: Bill Of Material, SBOM, SaaSBOM, CBOM, VEX, AI/ML-BOM, Software Supply Chain Security, SDLC, CI/CD

Notes: Multiple positions available.

References:

  • [1] Leader's Guide to Software Supply Chain Security • Link
  • [2] A First Appraisal of NIS2 and CRA Compliance Leveraging Open Source Tools • Link
  • [3] CycloneDX: The International Standard for Bill of Materials (ECMA-424) • Link
  • [4] OWASP • Link
  • [5] CycloneDX v1.6: Now an Ecma International Standard • Link

AI, Secure Software Engineering and DevSecOps for Cloud Native Applications CLEANSE SaFEWaRe

ID: p-2025-safeware-1

Published on: Monday, 12 May 2025

Deadline for Applications: Thursday, 12 June 2025 at 23:59

Description:

Software Systems are continuously and rapidly evolving, requiring engineers to address increasingly new complex and multi-dimensional aspects. These include for example the integration of Artificial Intelligence (AI), compliance with new and evolving EU Regulations (e.g., EU AI Act, NIS2, GDPR, etc.), and ensuring that systems are secure, ethical and trustworthy.
To meet these demands, current practices in Secure Software Engineering and DevSecOps (Development, Security, and Operations) must be extended to address these new challenges. Especially when considering DevSecOps for Cloud Native Applications, where the attack surface spans multiple layers (e.g., code, container, deployment, orchestrator, etc.). "The purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required", describes Shannon Lietz, co-author of the "DevSecOps Manifesto".
DevSecOps is an approach to automate the integration of cybersecurity processes at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. It represents a natural and necessary evolution in the way development organizations approach security. For Cloud Native Applications, security regards multiple levels (code, container, deployment, orchestrator, etc.) and the approach to introduce security should consider all of them.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Pietro De Matteis (pdematteis@fbk.eu), Luca Piras (l.piras@fbk.eu)

Prerequisites: At least two of the following:

  • Programming Languages (e.g., Java, C++, Rust)
  • Programming Frameworks (e.g., Spring, Ionic)
  • Software security background
  • Configuration and Administration of Systems
  • Cloud-Native Applications
  • Cloud Computing Services (e.g., AWS, Azure)
  • Service Oriented Architectures
  • Service Orchestration
  • Dockers and Kubernetes

Objectives: In this context, one or more of the following activities can be carried on:

  • Securing and Monitoring Software Supply Chain in SDLC
  • Development of novel techniques for Secure Software Engineering
  • Application of AI to DevSecOps as a support for configuration, diagnosing, resolving problems or compliance with Regulations (EU AI Act, NIS2, GDPR, NIST, etc.)
  • Development of Trustworthy and Transparent Software Systems

Topics: Cloud Native Applications, DevSecOps, Software Supply Chain, Threat Modeling, AI, Secure Software Engineering, Privacy, Security, Trust

Notes:

  • We offer curricular internship (no allowance).
  • Multiple positions available. Doing both internship and thesis is recommended but not required (i.e., only internship may be acceptable).
  • Exceptional work may lead to co-authored publications in International Conferences or Journals, with support and guidance from academic supervisors.

Packet stream analysis for TLS compliance ST

ID: p-2025-st-1

Published on: Monday, 20 January 2025

Deadline for Applications: Thursday, 20 February 2025 at 23:59 Friday, 28 February 2025 at 23:59 (extended)

Description:

Since its first version was published as an RFC in 1999, Transport Layer Security (TLS) has rapidly become the de facto standard for providing confidentiality and integrity to communications exchanged in an unsecured environment. While there exist multiple implementations (e.g., OpenSSL, GnuTLS, rusttls) that allow system administrators to easily deploy a webserver, there does not exist a practical way to verify their compliance with the RFCs they are based on.
To ensure that a TLS deployment is configured correctly, (inter)national cybersecurity agencies such as US’ NIST and Italian’s AgID/ACN periodically issue technical guidelines that describe a set of requirements able to mitigate known vulnerabilities and ensure an adequate security level. These guidelines presume that security issues are only due to an incorrect configuration while, in reality, problems may also arise from an incorrectly developed TLS libraries that generate messages which do not comply with the related RFCs.
The primary objective of this internship is to perform a technical review of the available software able to analyze raw network packets, validate their content and which structure is used by the protocol. The results will be employed in a process that aims to develop a new tool that can verify, analyze, and execute TLS connections. This tool will be used to assess the compliance of TLS libraries and related deployments.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Riccardo Germenia (rgermenia@fbk.eu)

Prerequisites:

  • Basic knowledge of the TLS protocol
  • Basic knowledge of network analysis tools (e.g., Wireshark)
  • Basic knowledge of design patterns and software engineering
  • Basic experience with JavaScript
  • Experience with Python 3 development
  • Experience with formal grammars

Objectives:

  • Study of the TLS protocol and its inner workings
  • Perform a literature review on the state-of-the-art in terms of tools, listing their features, applicability and scope
  • Creation of a CFG (context-free grammar) for TLS 1.3

Topics: Research tool, Compliance analysis, Packet analysis, TLS misconfiguration

Notes: The project's scope will be adjusted to accommodate the number of available credits, making it suitable for both bachelor and master students. However, due to the need for future-proof and reusable results, access to the thesis period is dependent on an assessment performed on (and during) the internship period.

References:

  • [1] https://github.com/tlsfuzzer/tlslite-ng • Link
  • [2] https://www.wireshark.org/ • Link
  • [3] https://lapo.it/asn1js • Link
  • [4] https://github.com/tls-attacker/TLS-Attacker • Link

AI-Powered Threat Modeling ST

ID: p-2025-st-2

Published on: Wednesday, 22 January 2025

Deadline for Applications: Friday, 7 February 2025 at 23:59 Friday, 14 March 2025 at 23:59 (extended)

Description:

As modern systems become increasingly complex, ensuring their security, privacy and resilience requires more advanced approaches to threat modeling. Artificial Intelligence (AI) has emerged as a powerful enabler to automate, enhance, and refine manual security and privacy assessments. By leveraging AI-driven techniques, organizations can identify the threats, vulnerabilities, potential attack vectors and mitigations more efficiently and with higher accuracy. However, the trustworthiness of AI-based threat modeling solutions must also be ensured—both to validate their findings and to mitigate any risks introduced by the AI systems themselves. This internship focuses on developing and evaluating AI-powered methodologies for automated threat modeling in cutting-edge systems such as Digital Identity Wallet and e-voting.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Umberto Morelli (umorelli@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu), Amir Sharif (asharif@fbk.eu)

Prerequisites:

  • Basic Cybersecurity Knowledge: A foundational understanding of security and privacy principles, threats, and common vulnerabilities.
  • Familiarity with Threat Modeling: Prior knowledge of frameworks like STRIDE or LINDDUN is advantageous.
  • Programming Skills: Comfort with Python programming language for AI model development or integration.

Objectives:

The main objectives of this internship project are as follows:

  • Extend Traditional Threat Modeling
    • Investigate how AI can augment well-known frameworks (e.g., STRIDE, LINDDUN) by automatically discovering threats, analyzing complex data, and flagging potential vulnerabilities.
    • Investigate and propose mechanisms to mitigate potential biases or errors introduced by the AI in identifying threats.
  • Implementation and Tooling
    • Investigate available AI-based security tools and evaluate their performance in realistic scenarios.
    • Integrate or prototype new AI modules, focusing on trustworthiness, accuracy, and usability in real-world environments.

Topics: Threat Modeling, LLMs, STRIDE, LINDDUN

LLM-powered Privacy Threat Modeling ST

ID: p-2025-st-3

Published on: Thursday, 20 February 2025

Deadline for Applications: Thursday, 20 March 2025 at 23:59

Description:

The rapid evolution of Large Language Models (LLMs) has unlocked new possibilities for applying artificial intelligence across a wide range of fields, including privacy engineering. As modern applications increasingly handle sensitive user data, safeguarding privacy has become more critical than ever. To ensure robust data protection, potential threats must be identified and addressed early in the development process. Privacy threat modeling frameworks like LINDDUN offer structured approaches for uncovering these risks, yet they often require significant manual effort, expert knowledge, and detailed system information—making the process time-intensive and reliant on thorough analysis. To address these challenges, at Security and Trust unit of the Center for Cybersecurity, we introduced and developed PILLAR (Privacy risk Identification with LINDDUN and LLM Analysis Report), a new tool that implements and automates the LINDDUN framework through LLM integration to streamline and enhance privacy threat modeling. PILLAR automates key parts of the LINDDUN process, such as generating DFDs from unstructured textual inputs (e.g. system descriptions), eliciting privacy threats, and risk-based threat prioritization.
The primary objective of this internship is to conduct state-of-the-art research on privacy threat modeling, in particular, LLM-based approaches emphasizing how LLMs can be leveraged to automate and enhance these processes. The results will be employed to integrate AI agent concepts into PILLAR.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisor: Majid Mollaeefar (mmollaeefar@fbk.eu)

Time frame: Preferably from April

Prerequisites:

  • Cybersecurity knowledge
  • Basic knowledge of Large Language Models and Agentic AI
  • Experience with Python
  • English Language

Objectives:

  • Extending PILLAR's capabilities
  • Integrating AI Agent concept within the threat modeling process
  • Add new features to PILLAR

Topics: Threat Modeling, Privacy Engineering, Large Language Models, AI Agents

References:

  • [1] PILLAR's repository • Link
  • [2] STRIDE GPT tool • Link
  • [3] LINDDUN • Link

Context-free grammar for TLS validation ST

ID: p-2025-st-4

Published on: Wednesday, 12 March 2025

Deadline for Applications: Wednesday, 26 March 2025 at 23:59

Description:

Since its first version was published as an RFC in 1999, Transport Layer Security (TLS) has rapidly become the de facto standard for providing confidentiality and integrity to communications exchanged in an unsecured environment. While there exist multiple implementations (e.g., OpenSSL, GnuTLS, rusttls) that allow system administrators to easily deploy a webserver, there does not exist a practical way to verify their compliance with the RFCs they are based on. The primary objective of this internship is to write a context-free grammar able to parse TLS messages and check if they comply with the expected structure.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Riccardo Germenia (rgermenia@fbk.eu)

Prerequisites:

  • Experience with formal grammars (e.g. LFC course)
  • Basic knowledge of the TLS protocol (e.g. Intro2CNS or Networking course)

Objectives: Creation of a CFG (context-free grammar) for TLS 1.3

Topics: Research tool, Context-free grammar, Packet analysis, TLS vulnerabilities

Notes: The project's scope will be adjusted to accommodate the number of available credits, making it suitable for both bachelor and master students. However, due to the need for future-proof and reusable results, access to the thesis period is dependent on an assessment performed on (and during) the internship period.

Validation of post-quantum algorithms in OpenSSL ALEPH ST

ID: p-2025-st-5

Published on: Friday, 11 April 2025

Deadline for Applications: Friday, 9 May 2025 at 23:59 Sunday, 15 June 2025 at 23:59 (extended)

Description:

OpenSSL is a software library initially released in 1998 that implements SSL and TLS protocols. Its usage provides secure communications over networks, and it has steadily become the de facto standard for the integration of TLS in webservers. With its latest release (v3.5), OpenSSL has deployed three PQC algorithms: ML-KEM (FIPS 203) for key exchange, ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) as signature methods.
The primary objective of this internship is to compare the algorithms’ implementation and validate the design choices performed during the design phase, investigating for common implementation flaws and possible side-channel attacks.

Type: Internship + Thesis

Level: MSc

Supervisors: Riccardo Longo (rlongo@fbk.eu), Salvatore Manfredi (smanfredi@fbk.eu)

Time frame: The internship period will begin in the middle of July, or later if preferred.

Prerequisites:

  • Experience with C
  • Basic knowledge of the TLS protocol (e.g. Intro2CNS or Networking course)
  • Advanced Programming of Cryptographic Methods course (or equivalent)

Objectives: Use the NIST reference implementations to validate the PQC algorithms implemented in OpenSSL

Topics: Post-quantum cryptography, OpenSSL, TLS, Implementation validation

References:

  • [1] OpenSSL 3.5: Upcoming Release Announcement • Link
  • [2] Module-Lattice-Based Key-Encapsulation Mechanism Standard (FIPS 203) • Link
  • [3] Module-Lattice-Based Digital Signature Standard (FIPS 204) • Link
  • [4] Stateless Hash-Based Digital Signature Standard (FIPS 205) • Link

Automatic Security Testing Tool for Identity Management Protocols CLEANSE ST

ID: p-2025-st-6

Published on: Wednesday, 9 July 2025

Deadline for Applications: Saturday, 9 August 2025 at 23:59

Description:

Identity Management (IdM) protocols are the protocols supporting Single-Sign On (SSO) which is an authentication schema allowing the user to access different services using the same set of credentials. Two of the most known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions for corporations like Google and Meta (Facebook), as well as for Public Administration—such as eIDAS, SPID, CIE, and the upcoming IT-Wallet—are based on IdM protocols. We propose improving an existing security testing tool to extend its capabilities by designing and implementing new features.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Andrea Bisegna (a.bisegna@fbk.eu), Laura Cristiano (l.cristiano@fbk.eu)

Objectives:

  • Literature Review (guidelines and best practices)
  • Ethical analysis
  • Risk Assessment

Topics: Identity Management protocols, Attack patterns, Security testing