Graal Development Kit (GDK)

The Graal Development Kit for Micronaut (GDK) is a curated set of open source Micronaut® framework modules designed from the ground up to be compiled ahead-of-time with GraalVM Native Image resulting in native executables ideal for microservices. The Graal Development Kit for Micronaut lets you take full advantage of powerful cloud services without coupling to proprietary platform APIs. The lack of standard APIs across clouds makes it nearly impossible to write portable applications, but with the Graal Development Kit for Micronaut portability becomes possible. Leverage services such as object-storage, monitoring, security, secret management, and more and deploy to popular cloud platforms.

Learn more: https://graal.cloud/gdk/

Possible Research Areas

• Templates and tools for accelerate the development of cloud native services for Oracle Cloud
• IDE-based tools for improving developer productivity
• Abstractions over Services available on Multiple Clouds
• Deep integration with Multiple Clouds

Point of Contact

To apply, please send an email with the required information (see How to Apply above) to Labs-Hiring_ww@oracle.com and julia.kindelsberger@oracle.com.

AI/ML in Database

Oracle Labs is conducting research aimed at enabling Oracle Database to efficiently support and integrate with the latest AI/ML technologies. We offer various topics based on the skills and interests of the candidate:

Enhancing performance of vector similarity searches

Efficient vector similarity search is essential for any AI application. The common technique to accelerate vector similarity searches involves constructing dedicated vector indexes, which can trade a small amount of accuracy in the final result for significantly faster search times. However, when integrating such indexes into an enterprise database, particular challenges arise:

• How can we efficiently maintain transactional consistency of the vector index?
• How can we effectively combine vector index searches with other types of relational or graph searches?

We are actively exploring solutions to these challenges, and our goal is to keep delivering a best-in-class vector index in Oracle Database.

ML / LLM model execution in database realm

Gaining insights from data stored in a database management system (DBMS) through machine learning is becoming increasingly important in enterprise applications. However, exporting data from a DBMS to standalone ML infrastructure is often not an option due to performance and regulatory requirements. Instead, users should be able to use machine learning models and LLMs as an integral part of database processing, directly within the DB realm and close to the data. Integrating these two seemingly distinct system types offers significant advantages for ML-based applications. Our group at Oracle Labs investigates techniques to tightly integrate machine learning workloads and large-scale ML/LLM processing within the Oracle DB realm. To achieve this, we work on exciting challenges across the entire database systems architecture stack.

Graphs for AI and Graphs at scale

Graphs are a powerful tool for uncovering latent information stored within data connections. Starting with version 23ai, the Oracle Database natively supports for SQL graphs. At Oracle Labs, we are approaching graph challenges from multiple angles. First, we are investigating how users can interact with their graphs using natural language—specifically, how state-of-the-art LLMs can be used to generate graph queries from natural language input. Since graph query languages are not widely known to many LLMs, generating accurate queries remains a challenge. Second, we are exploring how graph traversals can enhance retrieval contexts in RAG pipelines by aggregating information from multiple points. Last but not least, as the number of connections in today’s data grows exponentially, the ability to process graphs at scale, close to the data, inside the database is becoming increasingly important. We are exploring solutions to address these challenges and bolster the efficiency and adoption of SQL graphs.

Point of Contact

To apply, please send an email with the required information (see How to Apply above) to Labs-Hiring_ww@oracle.com and vlad.haprian@oracle.com.

AI/ML Technology for Enterprise Applications

Oracle Labs is advancing core AI/ML technologies and collaborating with OCI, Fusion, Database and GIU product teams to apply these innovations through Oracle’s unified platform. We offer various topics depending on the skills and the interests of the candidate:

Multi-Agent systems

Multi-agent systems are revolutionizing the landscape of intelligent automation by enabling distributed collaboration among autonomous agents. Strong multi-agent capabilities are essential for seamlessly composing diverse functionalities, allowing agents to coordinate tasks, share knowledge, and dynamically adapt to evolving environments. By refining inter-agent communication protocols, optimizing decentralized decision-making strategies, and implementing scalable coordination frameworks, multi-agent systems can unlock new levels of efficiency and problem-solving potential. As research advances, the ability to integrate specialized agents into cohesive, high-performing systems continues to shape the future of intelligent, cooperative computing. We are continuously exploring approaches to address these fundamental challenges and fully harness the potential of agentic systems.

Enhancing Multi-Agent System Composition

Emerging advancements in agentic systems promise to significantly elevate both performance and efficiency. By incorporating strategies such as input context reduction, these systems can process and analyze vast amounts of data more cost-effectively. Enhanced robustness and accuracy techniques enable agents to make well-informed decisions and execute actions with greater precision. Additionally, continuous adaptation methods enable these systems to learn from user interactions, steadily refining their capabilities over time. Together, these techniques mark a transformative step in the evolution of intelligent, adaptive agents. We are continuously exploring approaches to address these fundamental challenges and fully harness the potential of agentic systems.

Enhancing Semantic Search Pipelines for Improved Relevance in AI Applications

Semantic search plays a crucial role in surfacing meaningful and contextually relevant results, particularly in knowledge-intensive applications. Traditional keyword-based search methods often fail to capture the nuances of user intent, leading to irrelevant or incomplete results. To address this, semantic search pipelines must evolve to leverage more advanced embeddings, retrieval models, and query understanding mechanisms.

In the realm of retrieval-augmented generation (RAG) with large language models, the need for highly relevant search results is even more pronounced. The accuracy of retrieved context directly impacts the quality of generated responses, making improvements in semantic search a foundational element of AI-driven reasoning. Our group at Oracle Labs explores novel approaches to optimize retrieval mechanisms, refine ranking strategies, and improve semantic representations within database-integrated search pipelines. By advancing these techniques, we aim to enhance AI-driven applications across various domains, ensuring more precise, trustworthy, and context-aware results.

Data Science Agent

Enterprises hold vast amounts of untapped data, yet a shortage of data science expertise often limits their ability to fully leverage it. An LLM-backed data science agent has the potential to unlock significant value through advanced analytics and machine learning. While developing and testing such an agent to reliably handle diverse data formats is a major challenge, it is only one piece of the puzzle. We are actively exploring solutions to not only manage heterogeneous data sources, but also to extract maximum actionable insight—transforming raw data into clear, contextualized outputs. Our vision is to empower both technical and non-technical users with intuitive access to analytics, and equip them with predictive models to drive smarter, forward-looking decisions. The goal is a robust, adaptive data science agent that democratizes data-driven intelligence across the enterprise.

Software & Application Development Agents

Agentic systems have the potential to revolutionize software and application development by assisting developers in everyday tasks—such as implementing specifications and resolving bug reports—and by enabling non-technical users to build applications for managing business data. These agents can also streamline the development workflow through automated test generation, code reviews, and build failure inspections. However, achieving these benefits requires intelligent agents equipped with advanced programming and domain expertise, a deep understanding of complex codebases and error logs, and the ability to interact with diverse systems like task tracking tools, IDEs, and no-code development platforms. We are committed to identifying innovative strategies to address these challenges and fully unlock the capabilities of software development agents.

Financial Crime Investigation Agent

Financial institutions face mounting pressure to detect and respond to sophisticated financial crimes, yet traditional investigative workflows remain slow, fragmented, and heavily manual. We are exploring the use of LLM-backed AI agents to transform this process—automating the collection of evidence, generating contextual narrative summaries, and surfacing suspicious activity with greater speed and consistency. Our work focuses on building adaptive, trustworthy systems that support investigators by accelerating decision-making without sacrificing accuracy. The long-term vision is to develop a fully autonomous AI agent capable of conducting end-to-end investigations, dramatically reducing the need for manual review and redefining how financial crime is addressed at scale.

Intelligent Data Ingestion

For data to be useful to an analyst or an automated agent, its structure needs to be understood and documented. Generating high-quality metadata for external data sources from raw data tables and sparse documentation is a challenging task. We employ state-of-the-art techniques involving large language models, retrieval-augmented generation, and agentic workflows to understand and describe the external data. The generated metadata enables automatic schema linking, empowers downstream applications, and accelerates onboarding of new customers.

Knowledge Graph Extraction and Graph RAG

Unstructured data is ubiquitous and poses a substantial challenge in many real-world applications, such as processing clinician notes to track a patient’s medical history. The development of robust techniques for extracting information, entities, and relationships is essential for efficiently working with large amounts of unstructured data. We leverage modern natural language processing methods and large language models to extract knowledge graphs and enable graph-based retrieval-augmented generation, thereby supporting specialists in making informed decisions.

Explainability for AI Agents

Existing explainability techniques for LLMs offer insights into individual generations—whether at the token, sentence, or paragraph level—but LLM agents often rely on multiple generations from one or more models to answer a single user query. While these agents can be prompted to explain their actions or responses, they are not inherently trained to provide faithful, comprehensive explanations. Depending on the implementation, an LLM may lack access to all the relevant information needed to accurately clarify its overall behavior, potentially leading to hallucinations. To enhance transparency, it is essential to combine state-of-the-art LLM explanation methods with agent systems to deliver reliable and accurate insights into an agent’s actions. We are exploring solutions to address these challenges and bolster the trustworthiness of agent explanations.

Unintended Bias in Agents

LLMs are designed to learn and mimic biases from vast amounts of textual data scraped from the internet, inadvertently absorbing—and sometimes amplifying—unintended human biases. Accurately detecting and mitigating these biases remains a significant challenge, as LLMs can learn an uncountable number of subtle and unintended biases. This challenge becomes even more complex in LLM agents and multi-agent systems, where biases can manifest across multiple layers of interactions. We are exploring multiple strategies to detect and mitigate these biases, aiming to enhance the fairness and reliability of our models and systems.

Point of Contact

To apply, please send an email with the required information (see How to Apply above) to Labs-Hiring_ww@oracle.com and hesam.fathi.moghadam@oracle.com.

Intelligent Application Security

The Intelligent Application Security team at Oracle Labs works on innovative projects in the application security space spanning areas like program analysis, automated program repair using machine learning, software composition analysis, software supply chain security, cloud security policy analysis, malware detection and runtime self-protection. The team is based in Brisbane, Australia with a few remote members based in Austria. Internships in the IAS team offer exciting opportunities to those who are passionate about improving application security. The ideal candidate will relish the challenge of developing techniques that are precise and can be applied at scale.

Our internships cater to a wide variety of students studying computer science or software engineering including those who are in the final year of their undergraduate degree or are undertaking research at the master's or PhD level. Candidates with strong programming skills and interest in software research are invited to apply. Interns can be based in Australia, New Zealand, Austria, Canada (BC preferably), India, Morocco and Singapore. As a research intern, you will have the opportunity to work alongside a world class team of researchers and engineers as part of one of the below projects:

RASPunzel

Project RASPunzel aims to deliver an automated and scalable runtime application self-protection (RASP) solution for Java. RASPunzel automatically synthesizes and enforces allowlists for various sensitive operations like Java deserialization, JNDI lookups, SQL operations and crypto usage.

Below is a selection of research topics that you'd potentially be working on:

• Synthesis of RASP security monitors
• Automated program repair based on RASP monitors
• Adapting synthesized allowlists to application changes using data collected from build and test time
• RASP-based threat intelligence gathering and analysis

TOFFEE

Project Toffee aims to enable automated program repair by leveraging program analysis techniques as well as the latest advancements in pre-trained and large language models (LLMs). The overall goal is to reduce the manual effort required for bug localization, bug reproduction, and repair by at least 50%. The objective is to generate human-in-the-loop solutions to minimize the manual tasks involved in typical bug-fixing processes as much as possible. On the automated repair side, the goal is to combine program analysis with LLMs to fix bugs automatically, starting with simple bug fixes and progressing to more complex bugs that require thorough program analysis.

Below is a selection of research topics that you'd potentially be working on:

• Application of large language models (LLMs) for bug localization and ranking
• Automated bug reproduction leveraging LLMs and program analysis
• Program analysis and LLM-assisted automated test-case repair (self-healing tests) and program repair

Macaron

Macaron is an open-source software supply chain security tool from Oracle Labs to detect and prevent supply chain attacks across ecosystems like Python and Java. It automatically analyzes software packages (e.g., from PyPI or Maven Central) to detect malicious behavior and insecure DevOps practices. Macaron has reported over 200 malicious PyPI packages, all confirmed and removed by the PyPI security team. Macaron follows the recommendations of the SLSA (Supply chain Levels for Software Artifacts) framework. It features a flexible and extensible policy engine that allows users to define and compose custom rules tailored to their CI/CD environments and security goals. It also supports attestation verification, and reproducible builds, making it a valuable tool for securing the modern software supply chain.

Below is a selection of research topics that you'd potentially be working on:

• Automated malware analysis
• eBPF-based build monitoring into OCI Build Service for supply chain attack detection and accurate SBOM generation
• Hardening build pipelines using Cloud Confidential Computing, and generating hardware-based attestations
• Static analysis of build systems and automatic generation of build specifications for layered and complex applications
• Designing declarative policies to meet common software supply chain security requirements, in alignment with the SLSA framework

Learn more about Macaron on GitHub

Possum Pie

Security in the cloud is governed by various systems including networking, identity and access management and database to name a few. These systems are typically configured by the user through declarative security policies that are then enforced by the cloud provider. Unfortunately, tooling to create, evolve and reason about security policies is scarce at best. Project Possum Pie aims to explore how best-of-breed program synthesis and repair approaches could help synthesize and repair cloud security policies. Specifically, given a cloud-native system and a set of functional and security requirements, the challenge is to create a new or modify an existing set of policies to meet the requirements.

Below is a selection of research topics that you'd potentially be working on:

• Approaches for abstract representation and translation of various cloud security policies as an input into analysis
• Explore, design and implement proof-of-concept approaches to automatically synthesize and refine security policies
• Explore policy repair techniques that utilize program analysis, symbolic execution, model checking, AI/ML or automated reasoning

Intelligent Application Security

Intelligent Application Security explorations combine techniques and tools from the above projects to devise applied enhancements to DevSecOps processes, thereby delivering benefits in the form of developer and SecOps efficiencies as well as advancing state of the art in application security. As an example, this includes closing the loop techniques where security alerts produced using a tool or technique can also be used to automatically synthesise targeted repairs for security issues that have been identified in code, build scripts and CI pipelines.

AI/ML for Cybersecurity

Oracle Labs is advancing collaborative research to apply AI/ML technologies for improved security and operational efficiency. We offer various topics depending on the skills and the interests of the candidate:

Agents for Enhanced Security

There is a potential for agentic systems to greatly assist security efforts through use cases such as helping investigators analyze incidents and vulnerabilities, enabling administrators to understand and remediate exposures, and even simulating offensive security techniques to detect emerging threats. Enabling these use cases requires intelligent agents with deep security expertise, a solid grasp of complex infrastructure deployments and application logs, and the ability to integrate with existing security systems. We are actively identifying innovative strategies to overcome these challenges.

Agents for Architectural Drift Detection

Cloud application architectures continuously evolve to meet dynamic requirements. However, these changes can introduce security risks by deviating from established security standards. Understanding whether architectural modifications degrade the security posture of an application is a complex challenge, requiring advanced automated solutions. Drift Detection aims to identify and highlight potential security risks arising from architectural configuration changes, minimizing the likelihood of security breaches. The key question is: Are these architectural changes aligned with security best practices, or do they introduce potential vulnerabilities? This internship will focus on developing Agentic system for drift detection mechanism to monitor and analyze architectural changes. Additionally, we aim to identify security-critical patterns that should not occur.

Agents for Cloud Operations

There is a potential for agentic systems to greatly assist cloud operators through use cases such as supporting the investigation and mitigation of cloud application incidents and automating repetitive processes, like updating multiple tickets for cascading incidents across services. Enabling these use cases requires intelligent agents that possess a deep understanding of complex infrastructure deployments, the ability to analyze application logs, and the capacity to interact with existing cloud services, such as Cloud Ops platform. We are exploring innovative solutions to address these challenges.

Point of Contact

To apply, please send an email with the required information (see How to Apply above) to Labs-Hiring_ww@oracle.com and andrea.romano@oracle.com.

Software Supply Chain Security in the Cloud

Adoption of third-party open-source software (OSS) has increased significantly over the last few years. And for a good reason: OSS helps developers lower costs and reduce time to market by reusing existing components as building blocks for their applications. At the same time, vulnerabilities in OSS pose a significant risk to application security. Developers need to keep track of their (transitive) dependencies, known vulnerabilities (CVEs), and upgrade dependencies whenever a new CVE is found. Application Dependency Management (ADM)[1] is an OCI-native service that helps managing dependencies in the customers software supply chain. ADM is exploring and researching the software composition analysis space to help users manage the risk associated to using 3rd parties.

Potential topics

The goal of this project is to extend the Application Dependency Management cloud service with new capabilities in the areas of automated tuning and upgrades, patching security vulnerabilities in application dependencies and automated testing. We offer various topics depending on the skills and the interests of the candidate:

• Back-porting forked open source projects:

  This internship topic explores the automated detection and resolution of security vulnerabilities in forked open-source projects. With the freedom to modify the codebase, developers often create forks to suit their specific needs. However, ensuring the security and upkeep of these forked projects is crucial. During this internship, participants will focus on developing proactive security measures. They will learn about the importance of staying up-to-date with the original project’s updates and security patches. The key challenge is to automate the process of detecting vulnerabilities in the forked codebase and efficiently backporting fixes. By embracing automation, participants will contribute to enhancing the security posture of forked projects. This internship provides a unique opportunity to gain hands-on experience in secure software development practices, fostering a culture of continuous security improvement

• Securing Java Applications: Designing an Android-inspired Permissions System:

  This internship topic focuses on addressing the security challenges associated with third-party open-source dependencies in Java applications. The project involves designing and developing an innovative permissions system, drawing inspiration from Android’s runtime permissions model. This system aims to provide fine-grained control over the permissions granted to third-party components, enhancing overall application security. During the internship, participants will delve into software development and security engineering, gaining insights into permissions management. They will learn to identify and assess security risks posed by open-source dependencies and design a user-friendly permissions framework that ensures a secure yet functional application environment. By the end of the internship, participants will have created a robust permissions system, providing developers with a powerful tool to manage permissions effectively. This will reduce the attack surface and mitigate potential security vulnerabilities in Java applications. This internship topic offers a unique opportunity to contribute to secure software development practices, equipping participants with practical skills and experience in tackling security challenges in the real world.

• Incident Response in Microservices: A Zoom-in Approach:

  In a microservice environment, it can be challenging to identify the root cause of an incident due to the distributed nature of the system. The zoom-in approach involves examining incidents at different levels, including the interaction between microservices and the internal trace of each microservice. By doing so, investigators can analyze incidents in detail and identify the root cause more quickly and accurately. The goal of this internship is to help organizations improve their monitoring and troubleshooting capabilities in the cloud by using record/replay trace and open tracing to identify and analyze incidents in detail. By being able to see the trace on different levels in a microservice environment, organizations can better understand how their system is functioning and quickly identify any issues.

• Using kernel level instrumentation to automatically derive build provenance

  While producing SBOM sounds easy in theory (many package managers such as Maven and NPM have functionalities to list all the declared 3rd parties), it is hard in practice. Software stacks are polyglot (multiple programming languages), composed of in-house scripting logic for building (e.g. download dependency from the Internet) and others. In this internship, we explore the feasibility of using eBPF (an advanced Linux kernel-level instrumentation mechanism) to monitor the build processes, observe file and network accesses and reconstruct all the input used for building the software.

[1] https://docs.oracle.com/en-us/iaas/Content/application-dependency-management/home.htm

Graal Cloud Service

Graal Cloud Service (GCS) uses GraalVM Native Image, a technology that compiles Java code ahead-of-time into a standalone executable. The service also utilizes GraalOS, a new virtualization platform built on modern hardware features such as control-flow integrity and in-process memory protection. Through advanced compilation techniques, GraalOS isolates the execution of untrusted code, enhancing security.

Internship Details

The aim of this project is to expand GCS with innovative new features. Several research and development topics are available, tailored to the candidate’s skills and interests.

GraalOS-in-DB: Redefining Serverless Microservices with In-Database Virtualization

Modern microservice architectures often suffer from significant data access inefficiencies caused by network overhead, database connection management, and query execution latency. To address these challenges, our work explores a novel approach: embedding a serverless runtime directly within an Oracle RDBMS process, enabling co-located execution of application logic and database operations. By eliminating unnecessary indirection and leveraging advanced runtime optimizations, we aim to significantly improve data access efficiency in microservice applications.

GraalOS: A New Approach to Virtualization

Our work is built on GraalOS, a new virtualization technology that provides fast startup and suspend-resume features, making it well-suited for serverless computing. GraalOS leverages binary static analysis and modern hardware capabilities to enable lightweight in-process sandboxing. In our project, GraalOS allows microservices to safely execute inside the database process while maintaining strong isolation, eliminating the need for external execution environments and reducing network calls. This tight integration between application logic and the database opens up new opportunities for cross-stack optimization.

Research Directions

We are investigating techniques to optimize the entire technology stack, from the application framework and language runtime to the serverless runtime and database system.

As an intern, you will contribute to one or more of the following areas:

• Cross-stack optimizations: Investigating additional opportunities to improve efficiency across the entire tech stack, ranging from application frameworks like Micronaut to DBMS internals.
• Workload placement strategies: Developing methods to determine when it is beneficial to execute workloads inside the database versus running them externally.
• Adaptive workload migration: Detecting when database load becomes too high and dynamically migrating applications outside the database.
• Integration with sharding and replication: Investigating how application pushdown can be combined with sharding strategies and read replicas to optimize performance and scalability.
• Workload analysis: Designing benchmark workloads and evaluating the benefits and limitations of application pushdown into the database.
• Efficient application loading: Exploring techniques for fast loading of user application binaries from database-backed storage to minimize startup overhead.

This internship provides an opportunity to work on cutting-edge research at the intersection of database systems, programming language runtimes, and serverless computing. You will gain experience in low-level system optimization, database internals, and modern microservice architectures while working with state-of-the-art virtualization technology.

Point of Contact

To apply, please send an email with the required information (see How to Apply above) to Labs-Hiring_ww@oracle.com.