3/16/2007
03:55 AM

Black Hat Woman

Researcher Joanna Rutkowska talks stealth malware, driving tests, and classical music

She hacked the Windows Vista kernel, she administered a Blue Pill to an operating system, and she pioneered rootkit detection research, but Joanna Rutkowska doesn't know how to drive a car. (See How to Cheat Hardware Memory Access and Hacking the Vista Kernel.)

The 26-year-old Polish researcher only recently took her first driving lesson. She says she just hasn't had time to take driving lessons and get a license, which in Poland you can get at 17. And she's not counting on getting her license on the first try, either, she says.

"It's very difficult to pass the driving exam in Poland, and it's not unusual for people to try three or five times in a row," she says.

It's hard to imagine Warsaw-based Rutkowska -- who has quietly taken the male-dominated research community by storm with her groundbreaking research in Vista hacking and in creating and detecting stealth malware in operating systems -- failing at much of anything. The confident yet self-effacing researcher shrugs off the discovery of that now famous crack in the Vista fortress as just part of her research.

"When Microsoft announced last year that the kernel would be protected from loading [unauthorized] code, I thought, 'hmmm, that's a nice challenge. I should play with this,'" Rutkowska recalls with a smile.

She's almost always one of very few -- if any -- women presenting their work at hacker conferences like Black Hat. Rutkowska says she's surprised that more women haven't cracked the security field. But she's used to being the minority: Women made up only 5 percent of the faculty at the Warsaw University of Technology department where she studied mathematics, and she had few female classmates.

Rutkowska says she doesn't feel like she's taken less seriously because she's a woman, though. "I haven't observed any sexist behavior, or someone not listening to me."

At age 11 she got her first computer -- a PC AT, with 2 Mbytes of RAM and a 40-Mbyte hard drive. "It had a 'Hercules' mono-graphics card and most games didn't work on it, so I had no other choice than to start programming," Rutkowska says. She says she was always drawn to math and thought it was "cool."

Like most researchers, Rutkowska got her start writing exploits as a teenager. "After writing exploits for some time, I started thinking about what to do after," she says. "I was interested in OS internals and got a good background in it. That brought me into the rootkit field."

Rutkowska's first hack came after reading a famous article in Phrack magazine about a stack-smashing exploit, which she then compiled herself and tested. "I read the article, and said, 'no, this couldn't work. It's impossible,'" she recalls. "And it actually did work."

She doesn't write exploits anymore, but she hasn't forgotten the thrill of a successful one. "It's exciting and surprising, like a magic trick," she explains. "I focus on a slightly different area now, but I still appreciate interesting exploits."

So how did a math student turn security researcher? Rutkowska says her security know-how was mostly self-taught: "My university education had very little to do with security."

Still, she worries that security technology and research is too prevention-oriented and doesn't emphasize detection enough. "The whole industry is focusing on prevention, and we have all those anti-exploitation technologies, which are very helpful indeed. But I'm so surprised that no one cares about detection," she says. "Every time there's prevention, there is some bypass method" created.

Without detection, there's no way to know if an attacker has grabbed administrative access to a machine, she says. And if you can't see that an attacker has infiltrated the system, nothing in that system will be "reliable" anymore. "The scary part is that once an attacker [gets] into the system, we can't reliably read system memory, neither using software-based, nor hardware-based, methods. That means we can't answer the question of whether the system is clean or not," she says.

So far, Rutkowska hasn't felt the wrath of any vendors whose products she uses in her research, unlike many of her fellow researchers who have ticked off vendors or been threatened with legal action. She says it's not about vendors being singled out, anyway: "As a researcher, they can't expect me to test on every possible platform. I only have limited time and resources."

And her rare spare time these days includes choosing her first vehicle: "I haven't decided on the car yet, but most likely it would be some kind of SUV, as roads in Poland are not really in good shape."

Personality Bytes

  • Worst day at work: "When you want to implement some attack or rootkit... [you think] you should do this way, and after spending 20 hours writing some code, you realize you missed some small thing and it doesn't work."

  • Hangout: "Good Italian and sushi restaurants."

  • After hours: "Standard stuff, like going to the cinema, theatre, or just for a walk."

  • In her iPod now: "There is some classical music -- violin, Vivaldi, Paganini, and I like some smooth jazz."

  • PC or Mac: "PC. I wouldn't mind a Mac, but usually most of our clients have a PC."

  • Next career: "Maybe a private 'I'... Something similar to what I do now. It would be nice to be a fiction writer."

  • Hax0red: "I'm not aware of any attempt [of a hack]. That means they either didn't succeed, or did it in some really stealthy way. It would be funny. I really wouldn't mind -- that would be an interesting experience."

  • Hacker handle: "No, I do not consider myself a hacker. I'm a security researcher who just tries to present problems which I cannot solve by myself, hoping that other people will also start working on them."

  • Next big project: "I'd like to work more on the defense side -- how we need to change the design of the current OS and hardware to make the systematic compromise-detection possible. But I can't do much without the help of operating system vendors on this. We can show the problems and suggest solutions for how to make a verifiable OS possible."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
