“Protecting people’s digital lives”: An interview with Anna Ascheman
Anna, what fascinates you about cybersecurity?
Cybersecurity is such a meaningful field. Every person in the world is impacted by cybersecurity, even if they don’t have a device. Incidents can impact the economy, can impact critical infrastructure and so on. To work in a field where the work you’re doing is protecting people, where you’re protecting people’s digital lives around the world, that’s very fulfilling.
In 2023, you spent three months doing cybersecurity research with CISPA-Faculty Christian Rossow. What was your motivation for coming to CISPA?
I came to CISPA because I believe that solving the most challenging cybersecurity issues requires an international effort. I thought I could gain an international perspective by going abroad and that CISPA would be a great fit for that for two reasons: One is that it is often regarded as the top cybersecurity research institution in the world. So, there was this rigorous research opportunity. Second, CISPA is unique in that it has a very international workforce. Not only would I be embedded in Germany, in the top cybersecurity institution, but I would also be engaging with people from different countries on a daily basis. It’s this cool nexus of international cleverness on cybersecurity issues, and my experience working with Christian Rossow and the wonderful researchers in his lab totally lived up to those two expectations. Christian was a great fit, because he is focused on system security and network security, which is what I have been studying. And my lab at Stanford just happened to know who he was! So, I got in touch with Christian prior to the internship and he was very welcoming and willing to give advice, even today. He was also one of the people who influenced my decision to be involved in policy, so I am grateful I had the opportunity to work with him at CISPA.
Together with Christian Rossow and Yepeng Pan, you discovered a new Denial-of-Service (DoS) loop attack during your internship. What was your contribution to this research success?
For about half of the internship, I was mostly working on the project alone, building most of the attack packets that would trigger infinite loops. Then together, we whiteboarded and implemented the remaining methodology, considering all the ethical concerns. Methodology meaning how do we identify the loops, how do we ethically verify discovered loops between real servers without taking them down. And then of course I helped revise the paper post-internship. Those were my main contributions, I would say. Outside of research, I wanted to take advantage of being in Germany and meet as many German students as I could. I went to Christian’s lecture for fun and introduced myself to German students I guess in a very American way. So, it was a lot of rigorous research, but I supplemented it with that international aspect. Plus, I got to practice German!
Can you tell us a little more about the DoS loop attack itself?
The reason why our attack is so impactful is that attackers can launch infinite loops on the internet at little cost to themselves. On the internet, people communicate by sending packets of data to each other; it is analogous to the postal system where people send envelopes containing letters. Right now, in the Zoom call, we are constantly sending packets between our two computers. Usually with Denial-of-Service attacks, an attacker has to send many packets to a victim server to take it down. Our attack, by contrast, works by just sending one packet, which is very cheap. To understand how cheap that is, if I hit the “leave” button on Zoom, that involves my computer sending one – or likely more than one – packet.
Our work found several types of attack packets – an example is error messages. In the protocols we investigated, servers should not respond to error messages. However, we found that many servers respond regardless. Our attack takes advantage of this behavior. Specifically, sending a spoofed error message to a vulnerable server elicits an error message in response, which in turn triggers another error message. Consequently, we form an infinite loop between the two servers. So, to trigger an infinite loop, the attacker doesn’t have to compromise anything, they don’t have to send a ton of packets themselves, it’s literally just one packet.
When you first realized that the attack trigger packets actually work, that must have been exciting.
Yeah, it was exciting. There was a lot of build-up, because for half the internship, I’m just building these attack trigger packets. We hadn’t yet nailed down the methodology to test them, and we also needed to wait to be cleared by CISPA because we were going to be shuffling a lot of traffic through their firewall. Once we did these two things, we were able to test the attack trigger packets. So, it was a big build-up of six weeks, not knowing if any of it was going to work and then finally testing them all to see which would be successful. It was like a Christmas gift. I am glad that we were able to discover this attack and engage in responsible disclosure, allowing administrators to patch their systems and thereby mitigate the attack from being used against real networks. It is fulfilling knowing we played a role in ensuring a more secure cyberspace.
You crammed a lot of work into only three months. Was this internship part of your studies?
My Master’s is mainly course-based, but I do research anyway because I find it interesting to be on the cutting edge. Stanford is flexible with their curriculum. This means that in addition to my technical research and coursework, I can investigate the policy dimension of cybersecurity and go abroad to gain an international perspective. I noticed that in Germany, students oftentimes do internships, as required by their degree programs. But in the U.S., it is common to do internships during the summer, even though it is not required. While the internship wasn’t part of my studies, it has influenced my studies. Since coming back from Germany, I’ve engaged with the German community at Stanford, helping connect visiting researchers to resources at Stanford because I think international collaboration is a wonderful thing. It enriches research but also mutual understanding.
What are your career plans after you graduate from Stanford?
It is too early to say. But it is definitely something in cybersecurity, protecting people’s digital lives!