Send email Copy Email Address
© Tobias Ebelshäuser

Tobias Ebelshäuser

2023-04-05
Kristina Kliebenstein

"At CISPA, there is always an expert at your side"

Leon Trampert and Lorenz Hetterich both graduated with a bachelor's degree in cybersecurity from Saarland University and recently won 2nd and 3rd place in the Cast Prize for IT Security with their outstanding works. Supervised by CISPA researchers, they are now tackling the next challenge at the Saarbrücken Graduate School of Computer Science: their PhD.

Both of you are not originally from Saarland. Why did you decide to study in Saarbrücken? Could you tell me about your career so far and what you are currently doing? 

Leon: I come from Trier, so studying in Saarbrücken was an obvious choice for me. Lorenz and I are now PhD students in Michael Schwarz's group and I am also part of Christian Rossow's group. Before that, we both did the cybersecurity bachelor's degree, followed by the preparatory phase of graduate school. Now that this has come to an end, we are slowly moving into the actual PhD program.

Lorenz: I originally come from the area around Würzburg. I decided to study in Saarbrücken because I am particularly interested in the field of cybersecurity and Saarland University has a very good reputation. In advance, I looked at several study programs, but CISPA's research makes it very attractive to study cybersecurity in Saarbrücken. I came to Saarbrücken on an open campus day and got an impression, and it was a good fit. 

 

You both attend the Saarbrücken Graduate School of Computer Science. How can you apply for it? 

Leon: Once you've finished a bachelor's or even a master's, it's easy to apply, from anywhere in the world. The idea is that you are introduced to the PhD program in a preparatory phase before you write your thesis in the dissertation phase, which is supervised by a researcher. However, the application process for Grad School is very competitive.

 

Can you tell us more about studying at the Grad School? As far as I know, you can enter the doctoral program there without a master's degree, right?

Leon: In the so-called Preparatory Phase, we basically did three semesters of master's studies. The only thing we are missing now to graduate is the master's thesis. We could submit a thesis of ours as a master's topic at any time now and hopefully get the degree. The problem with that is: Anything we submit as a master's thesis, we can no longer use in our dissertation. Currently, neither of us has any plans to submit a master's thesis because of this. In the end, this would set us back half a year in our PhD. And since only the highest academic title counts anyway, we lose nothing as long as we go through with the doctorate. If you wanted to drop out in the meantime, you could hand in a master's thesis and then you're out with a master's degree. 

 

Have you had any prior exposure to cybersecurity? And how did you get into your study area in the first place?

Lorenz: It was actually clear to me quite early on that I wanted to do something in the field of computer science. So I watched YouTube videos about it, because I was very interested in it and there wasn't much information about it in my school. And I actually came across cybersecurity through videos on YouTube. Then in tenth grade, I knew that I wanted to go into computer science, and I found out about degree programs in that field. Then in high school, I discovered cybersecurity studies, and after graduating from high school, I started looking around for universities that offered that. 

Leon: I actually had some exposure to cybersecurity once through a short internship, but that ultimately had little influence on my choice. Originally, I wanted to go in the direction of criminology or teaching. Then, in a career counseling interview, it was suggested to me that cybersecurity and cybercriminology might be of interest to me. That convinced me. That's how I got my degree.  

 

From your point of view, what is the advantage of focusing on cybersecurity during your studies instead of doing a more general degree? 

Lorenz: I was very interested in cybersecurity and wanted to specialize in this area and work in it later. That's why it was nice to be able to do this right from the start and not have to take a minor subject and then go into it in more depth at the end of my bachelor's degree. I was able to attend cybersecurity lectures right from the start and find out whether this was something that really interested me. And then I stayed in this field. That was the right decision for me. 

Leon: I think it's exciting to work in a frontier area of computer science, which basically always creates new rules and which always creates interesting new aspects. The advantage over normal computer science studies is that you already specialize from the first semester. In computer science, you don't specialize until the third or fourth semester and you still have a minor. Instead of the minor, we still have our own foundational lectures.

 

I would imagine that cybersecurity studies are very theoretical. Is that true, or are there also practically oriented events in the course?

Leon: I would say it depends on what you pick. Especially when it comes to advanced lectures. There is a lot of theory in the basic lectures, especially at the beginning, and a lot of practice in the advanced lectures. But you can also focus on theory there if you want to. 

Lorenz: As Leon said, it's a great blend of practice and theory. Right from the start, there are also some practical events, such as the programming lecture, where you also learn coding. Of course, you also learn about the theory behind it.

 

For your bachelor's thesis, you won second and third place in the competition for the CAST Award for IT Security. What topics did you cover in your bachelor theses? 

Lorenz: I worked on the security of CPUs in Apple devices. In a way, CPUs are the part of the computer that does the thinking and performs important calculations. Nowadays, you don't just execute a command and wait for the result to appear; you have a lot of applications running at the same time. But it is important that these applications are isolated from each other. For example, if I'm on a banking site, I don't want another site that I was watching cat videos on just before to suddenly be able to see my banking data. That wouldn't be ideal. But the fact is that processors sometimes don't take this all that seriously and briefly access data that they really shouldn't be accessing at that point. For example, if processors don't yet know exactly what to calculate, they speculate what might be requested next and start calculating. Under certain circumstances, the results are then simply discarded because they are not needed. But this can also leave traces in the cache that allow attackers to draw conclusions about sensitive data. This is a gap in CPUs themselves, not in the software. In my bachelor thesis, I looked at whether the processors in Apple devices are just as vulnerable to these attacks as those in other devices.

Leon: Some of the attacks described by Lorenz can also be executed from a browser, but only if the attackers have detailed knowledge of the processor and its architecture. In my work, I investigated whether it is possible to steal important information about the installed processor via unintended side channels in the browser and thus prepare an attack. 

 

Do you both see your future in research rather than in industry? 

Lorenz: I don't really know where I'll end up, but I'll definitely finish my PhD. At least I'm going to try. Basically, though, everything is still open for me, whether I'll stay in research or switch to industry at some point. 

Leon: I agree with that. In principle, I also find teaching very interesting. However, research in itself is very stressful. It's basically a 24-hour job, where every free second is spent thinking about research. That's why I'm not sure where I'd like to go later on.

 

Can you give any advice to first-year students? Why do you think they should study cybersecurity in Saarbrücken? 

Leon: Saarland University offers a very good foundation in computer science and has always performed well in recent years. The cybersecurity degree programs build on this foundation and offer a specialization that is also at the top internationally. And I think that combination is what draws people here. 

Lorenz: If you want to deepen your research knowledge even more, CISPA is of course ideal because you have the opportunity to meet so many experts from every field. You can write your bachelor's thesis in any research field and always have an expert who really knows the subject and can supervise you very well. For me, it was also very nice to have a campus university, which means that everything is in one place and you don't have to travel from one part of town to another for your classes. For first-year students, I would recommend taking the pre-course in mathematics for computer scientists. You get to know people right away, which is definitely helpful, and you are introduced to the basics of how everything works at the university. For example, websites that you have to use, how to use the student card to pay or where you can go to print. That is definitely helpful when you start your studies.