Oracle
Oracle, a global provider of enterprise cloud computing, is empowering businesses of all sizes on their journey of digital transformation. Oracle Cloud provides leading-edge capabilities in software as a service, platform as a service, infrastructure as a service, and data as a service.
Oracle’s application suites, platforms, and infrastructure leverage both the latest technologies and emerging ones – including artificial intelligence, machine learning, blockchain, and Internet of Things – in ways that create business differentiation and advantage for customers. Continued technological advances are always on the horizon.
Oracle Labs
Oracle Labs is the advanced research and development arm of Oracle. We focus on the development of technologies that keep Oracle at the forefront of the computer industry. Oracle Labs researchers look for novel approaches and methodologies, often taking on projects with high risk or uncertainty, or that are difficult to tackle within a product-development organization. Oracle Labs research is focused on real-world outcomes: our researchers aim to develop technologies that will someday play a significant role in the evolution of technology and society. For example, chip multithreading and the Java programming language grew out of work done in Oracle Labs.
Oracle App Platform
Cloud-native application platforms simplify deployment and operation of applications in the cloud. For developers, these platforms offer out-of-the-box integration with cloud services such as network management, logging and monitoring, and identity management. For operations, they offer built-in support for platform monitoring as well as some support for automated scaling and failover.
The App Platform project aims to develop an application platform built around Oracle's opinionated view of how cloud-native applications should be architected as well as the technology components used to build them. Besides providing seamless integration with various technologies and services, the App Platform will offer automated testing, scaling, tuning, and failure detection and recovery to help improve application security, reliability, and performance.
Internship Details
The goal of this project is to extend the Oracle App Platform with new capabilities in the areas of automated tuning and upgrades, patching security vulnerabilities in application dependencies and automated testing. We offer various topics depending on the skills and the interests of the candidate (topics are not limited to the ones below; see also the "Related Topics" sub-section below):
Extend 3rd party vulnerability detection and remediation support to further programming languages and package management systems
Oracle App Platform has the capability to scan Java projects for dependencies with known vulnerabilities (CVEs). If such a dependency is found, the service automatically opens a pull request to upgrade the dependency to a version without a CVE. During this internship, you will extend this functionality to other ecosystems (programming languages and build systems) such as Docker/DockerHub, JavaScript/npm, Python/pip, Ruby/RubyGems, PHP/Composer, Rust/Crates, Scala/sbt.
Improve vulnerability curation process
The Oracle App Platform provides a knowledge base of artifacts and their known vulnerabilities (CVEs). New and updated CVEs need to be processed to identify the list of vulnerable artifact versions. This curation process currently involves different tools and scripts, but there is no single solution to optimize the time to curate the CVE itself.
Internships in this area include developing an intuitive application that supports all the steps of the CVE curation process and makes the ingestion of the curated data more efficient by adding more automation to the process, as well as evaluating how machine learning techniques can be used to make the CVE curation process more efficient and to automate it as much as possible.
Build 3rd party security profile
Modern applications heavily depend on open-source software components (dependencies). Developers are often not aware of what capabilities these dependencies need, for example whether a dependency makes network requests, loads code at runtime, starts new threads or writes to the file system. Giving developers insight into the capabilities that their dependencies require could help them make more informed decisions about which dependencies to include. The goal of this internship is to develop a system that automatically detects which capabilities an open-source dependency needs, based on the available test suite.
Assign risk scores to third party libraries based on repository maturity
Third-party libraries can suffer from vulnerabilities that are associated with a score according to the Common Vulnerability Scoring System (CVSS) [1]. This score depends on the severity of the vulnerability; however, such a score can only be determined once a vulnerability in the third-party library has been found.
The objective of this topic is to evaluate a risk score (in addition to CVSS) for third-party dependency libraries. Different paths can be explored towards this idea, such as a risk score that takes into account the maturity of the project and its code repository (whether the project is still maintained, its license, its security policy); the usage of third parties (frequency and ways of usage); and how big and how complex the library is and how much it is used in other projects.
Platform to analyze application usage to optimize Graal VM Native Image creation
GraalVM Native Image [2] compiles Java code ahead-of-time to a standalone executable. It has the benefit of significantly improving startup time as well as memory footprint. However, peak performance of native image is lower than peak performance running on a traditional JVM that does just-in-time compilation. GraalVM can apply profile-guided optimizations (PGO) for additional performance gain and higher throughput of native images. With PGO, one collects the profiling data in advance and then feeds it to the native image builder, which will use this information to optimize the performance of the resulting binary. The goal of this internship is to extend the Oracle App Platform to automatically generate and apply profiling data for applications that are running on the platform, effectively simplifying the generation of optimized native images.
Analyze runtime application metrics to find optimal JVM configuration
JVMs have numerous configuration options, and finding their optimal values can be challenging even for experienced developers. Analyzing runtime application metrics can help recognize incorrectly set parameters and determine optimal values for them. The goal of this internship is to recommend JVM parameters by analyzing runtime metrics and to apply these recommendations in a test environment to confirm the performance improvement.
Tailored security policy generation: Parameters Refinement
The least privilege principle states that an application should run with the least amount of privileges possible. Today, this principle can be enforced by creating a tailored security policy for mechanisms such as Seccomp, AppArmor & SELinux. However, manually creating such a security policy (i.e., defining the smallest set of privileges that is necessary for the application) is a tedious, error-prone task and one that needs to be revisited every time the application changes. Previous works have shown that it is instead possible to discover, with good accuracy, the smallest set of necessary privileges using static analysis of the source code and thus automatically generate the security policy.
Our proposal is to extend this previous approach with symbolic execution to further restrict the privileges of an application. Examples include detecting that an application is only meant to connect to one specific IP address and generating a security policy that forbids connections to other IP addresses, or detecting the set of actual parameters used for a system call and forbidding calls to this system call with other parameters.
Test generation
Software testing is typically an ad-hoc process where human testers manually write many test inputs and expected test results, perhaps automating their execution in a regression suite. Programmers have to write a lot of unit and integration tests for their code and make sure that their tests have good code coverage and that the logic of the application is tested, including all the edge cases. This process is cumbersome and costly. The field of Automated Test Generation is concerned with developing techniques to automatically generate test inputs and test methods. These techniques range from black-box, randomly generated test data, produced without knowledge of the internals of the system under test, to synthetic (production-like) inputs with test suite generation derived from an implementation or specification of the system under test. Internships in this area will explore adding support for automated test generation to the Oracle App Platform.
Skills we are looking for
The successful candidate is expected to complete the internship using a wide and diverse set of skills:
1. Java programming skills; other programming languages like Python and C are a plus;
2. Basic understanding of operating systems, distributed systems, and cloud technologies;
3. Basic understanding of parallel computing and compilers (having completed relevant courses is a plus);
4. Experience with full-stack development, RESTful architecture, web server frameworks (e.g., Spring Boot) is a plus;
5. An average grade of at least 5.0 in the master studies is a plus.
References:
[1] https://nvd.nist.gov/vuln-metrics/cvss
[2] GraalVM Native Image https://www.graalvm.org/22.0/reference-manual/native-image/
Internship Facts:
1. Suitable for an internship of three to twelve months
2. Competitive salary
For more information about the internship, contact Adam Zurada (adam.zurada@oracle.com)
Related Topics
Our group at Oracle Labs offers various internship topics in the following areas:
1. Automated Machine Learning with Explainability (AutoMLx)
2. BPF Linux Schedulers
3. Enhancing the Oracle Open-Source Developer Experience
4. Extending a Distributed Graph Engine (Oracle Labs PGX)
5. Extending a Web-Based Enterprise Data Science Platform
6. Graph Machine Learning at Oracle
7. Graph Support in the Oracle Database
8. Machine Learning and Data Analysis Techniques for Domain Global Graphs
9. Machine Learning for CyberSecurity and Compliance
10. Machine Learning for Health Care
11. Machine Learning for Optimizing Oracle Database Performance
12. Machine Learning Processing in DB Systems
13. Oracle Database Multilingual Engine - Modern Programming Languages in the Database
If you are interested in more than one of these areas, it is sufficient to apply once and declare your other interests in your cover letter. In our interview process, we are going to take all your areas of interest into account.
This job code is utilized for the majority of our temporary hires. The individual is performing hourly job duties as defined under the Fair Labor Standards Act.
As part of Oracle's employment process candidates will be required to successfully complete a pre-employment screening process. This will involve identity and employment verification, professional references, education verification and professional qualifications and memberships (if applicable).
