Post-Quantum Byzantine Fault Tolerant Consensus Protocols ALEPH
ID: p-2026-aleph-1
Published on: Tuesday, 24 February 2026
Deadline for Applications: Tuesday, 24 March 2026 at 23:59
Description:
The advent of quantum computing poses a serious threat to classical public-key cryptography, including digital signature schemes that are a fundamental building block of modern Byzantine Fault Tolerant (BFT) consensus protocols. State-of-the-art BFT protocols, such as HotStuff and its derivatives, rely heavily on efficient digital signatures and quorum certificates to guarantee safety and liveness in adversarial settings.
Post-quantum signature schemes, while offering resistance against quantum adversaries, introduce significant challenges in terms of signature size, verification cost, and communication overhead, which may deeply impact the performance and scalability of consensus protocols.
This project aims to investigate the integration of post-quantum signature schemes into BFT consensus protocols. The work will start with a survey of existing post-quantum signature schemes and recent research on post-quantum secure consensus, highlighting different design approaches, including both direct replacement of classical signatures and protocol-level redesigns aimed at reducing or eliminating the reliance on signatures.
Building on this analysis, the student will study a state-of-the-art BFT protocol (e.g., HotStuff or related variants) and explore how post-quantum signatures can be incorporated, analyzing the resulting trade-offs in terms of security assumptions, communication complexity, and performance. Depending on time and interest, the work may include a prototype implementation and an experimental evaluation.
Type: Internship + Thesis
Level: MSc
Supervisors: Riccardo Longo (rlongo@fbk.eu), Alessandro Tomasi (altomasi@fbk.eu)
Prerequisites:
- Basic knowledge of cryptography (digital signatures, security models)
- Familiarity with distributed systems and consensus protocols
- Programming experience (e.g., C/C++, Rust, Go, or Python)
- Background in post-quantum cryptography or Byzantine consensus is a plus, but not strictly required
Objectives:
- Survey of post-quantum digital signature schemes and their properties
- Study of Byzantine Fault Tolerant consensus protocols and their cryptographic building blocks
- Analysis of the impact of post-quantum signatures on consensus efficiency and scalability
- Design and/or evaluation of a post-quantum-aware BFT consensus solution
Topics: Post-Quantum Cryptography, Byzantine Fault Tolerant Consensus, Distributed Systems, Blockchain Protocols
Notes: Work in collaboration with the division "research on advanced technologies" of the Bank of Italy.
Failure Points and Mitigation Strategies in Software Bill of Materials (SBOM) Workflows CLEANSE SaFEWaRe
ID: p-2026-cleanse-1
Published on: Thursday, 5 March 2026
Deadline for Applications: Monday, 30 March 2026 at 23:59
Description:
The increasing adoption of Software Bills of Materials (SBOMs) within modern software supply chains introduces new opportunities for transparency [1], but it often requires placing trust in third-party tools. This research project aims to systematically map the end-to-end SBOM lifecycle, identify the most critical technical and procedural failure points, and develop practical mitigation strategies, including automation, verification pipelines, standards compliance, and security controls. The outcome will be a validated framework and set of best practices for strengthening SBOM workflows in enterprise environments.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Pietro De Matteis (pdematteis@fbk.eu), Luca Piras (l.piras@fbk.eu)
Prerequisites:
- Knowledge of programming languages (i.e., Python, TypeScript, Java) would be highly advantageous.
- Basic knowledge of CI/CD platforms like GitHub would be a plus.
Objectives: A Comprehensive Study of Failure Points and Mitigation Strategies in Software Bill of Materials (SBOM) Workflows
Topics: Software Bill of Materials (SBOM), CI/CD, Software Supply Chain Security
References:
- [1] A First Appraisal of NIS2 and CRA Compliance Leveraging Open Source Tools
Bill of Materials approach to secure AI/ML Systems CLEANSE SaFEWaRe
ID: p-2026-cleanse-2
Published on: Thursday, 5 March 2026
Deadline for Applications: Monday, 30 March 2026 at 23:59
Description:
Securing AI/ML systems increasingly requires supply-chain visibility not just for software, but for models, datasets, dependencies, training pipelines, and runtime environments. In addition, regulations like the EU AI Act and NIST AI RMF require organizations to have a clear way to document what goes into their AI models.
Initiatives such as AI/ML-BOM [1,2] represent a new paradigm for ensuring full transparency, traceability, and accountability throughout the AI supply chain. This research project aims to begin with a comprehensive review of the state of the art, assessing the maturity of BOM-based approaches in the AI domain and examining the tools available to automate the creation and maintenance of such artifacts.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Pietro De Matteis (pdematteis@fbk.eu), Luca Piras (l.piras@fbk.eu)
Prerequisites: Basic knowledge of LLM, Generative AI, AI Agents, Agentic AI.
Objectives: The outcome will be a proposed framework and set of best practices for strengthening AI/ML-BOM workflows in different scenarios.
Topics: AI/ML-BOM, LLM, Generative AI, AI Agents, Agentic AI
References:
Automatic Security Testing Tool for Identity Management Protocols CLEANSE DAISY ST
ID: p-2026-st-1
Published on: Wednesday, 21 January 2026
Deadline for Applications: Friday, 20 February 2026 at 23:59
Description:
Identity Management (IdM) protocols are the protocols that support Single Sign-On (SSO), an authentication scheme that allows users to access different services with the same set of credentials. Two of the best-known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions, both for corporations such as Google and Facebook and for public administration such as eIDAS and SPID, are based on IdM protocols. We propose to investigate and develop methodologies and tools for assessing the security and robustness of IdM implementations. This activity may include the definition of reusable testing patterns, the design and implementation of extensions or plugins for existing security testing tools such as Micro-Id-Gym (MIG), and the execution of automated security and conformance tests on IdM implementations.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Andrea Bisegna (a.bisegna@fbk.eu), Laura Cristiano (l.cristiano@fbk.eu)
Prerequisites: Basic knowledge of Python
Objectives:
- Assess the security and robustness of IdM implementations, with a focus on SSO protocols such as SAML 2.0 and OAuth 2.0/OpenID Connect;
- Develop methodologies and automated tools for security and conformance testing of IdM implementations, including extensions of MIG;
- Identify vulnerabilities, misconfigurations, and non-conformities in real IdM implementations, providing actionable hints for their security.
Topics: Security testing, Identity management protocols, Security testing tools, Conformance testing
Automating Risk Assessment for Identity Management Solutions: A Knowledge-Base Approach ST
ID: p-2026-st-2
Published on: Wednesday, 4 March 2026
Deadline for Applications: Friday, 27 March 2026 at 23:59
Description:
Identity Management systems, and especially National Digital Identity systems (NDIDs), are complex socio-technical infrastructures that must satisfy security, privacy, usability, trust, organizational, and legal requirements at the same time. To support designers in exploring design choices, linking requirements to mitigations, and deriving possible threats through a semi-automated workflow, we have developed an IdM Knowledge Base (IdM-KB): a comprehensive repository of design goals, requirements, mitigations, threats, and attacks derived from a systematic review of over 186 academic and gray-literature sources. The IdM-KB is grounded in a purpose-built ontology and paired with a prototype tool that supports threat modeling workflows for IdM designers. The approach is promising, but it also has several limitations: for example, the knowledge base is still largely technology- and use-case-neutral, and it contains few use-case-specific entries. This internship project aims to address these limitations by extending the current tool and evaluating it on a well-known NDID use case.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Gianluca Sassetti (gsassetti@fbk.eu), Amir Sharif (asharif@fbk.eu)
Objectives:
- Extend the knowledge base with use-case-specific entries for prominent NDID systems (e.g., digital identity wallets, eCard-based systems, mobile-first NDIDs), addressing the current scarcity of protocol- and architecture-specific data.
- Validate the updated tool and knowledge base through structured threat modeling case studies on real-world NDID deployments, to assess whether it can support analysts and system designers in practice and highlight its usefulness in action.
- Use the knowledge base to perform risk assessment according to state-of-the-art frameworks (ISO 27001, PASTA, FAIR).
Topics: Identity Management, Threat Modeling, Knowledge Base
Automated Privacy Assessment of OpenID Connect Parties ST
ID: p-2026-st-3
Published on: Wednesday, 4 March 2026
Deadline for Applications: Friday, 3 April 2026 at 23:59
Description:
OpenID Connect (OIDC) has been shown to need a set of privacy best current practices (BCPs), since only a handful of guidelines exist in this regard. In 2023 and 2026, we provided a set of BCPs to fill that gap (Sassetti et al.), as well as an assessment of the privacy posture of several OIDC Providers (OPs). The results showed that only a few OPs provide high baseline privacy, whereas many others implement only the bare minimum requirements. Currently, the privacy posture checks are limited to OPs. As a result, the privacy practices of Relying Parties (RPs) and users remain uninvestigated.
As a new line of work, we plan to extend the automated assessment of the privacy posture of OPs to RPs and users. First, we are going to develop a browser plugin that automatically draws a privacy profile of RPs based on the BCPs they put into use. Then, we are going to set up an experiment with normal users to survey their privacy practices.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Gianluca Sassetti (gsassetti@fbk.eu), Amir Sharif (asharif@fbk.eu)
Prerequisites:
- Basic understanding of cybersecurity and privacy principles
- Basic coding skills
- Knowledge of the OpenID Connect protocol is a plus (soft requirement)
- Strong analytical and problem-solving skills
Objectives:
- Extend the survey to RPs, and possibly to a large enough number of RPs that it can provide a meaningful snapshot of the state of the art for OIDC parties.
- Extend the survey to users to understand their behaviour when presented with indicators of privacy posture.
- Draw a set of lessons learned that indicate the optimal way to implement privacy indicators. We plan to provide feedback to OPs and RPs so that they can include those considerations in their software development lifecycle and improve the overall privacy of the OIDC ecosystem.
Topics: OpenID Connect, Privacy, Best Current Practices