She hacked the Windows Vista kernel, she administered a Blue Pill to an operating system, and she pioneered rootkit detection research, but Joanna Rutkowska doesn't know how to drive a car. (See How to Cheat Hardware Memory Access and Hacking the Vista Kernel.)
The 26-year-old Polish researcher only recently took her first driving lesson. She says she just hasn't had time to take driving lessons and get a license, which in Poland you can get at 17. And she's not counting on getting her license on the first try, either, she says.
"It's very difficult to pass the driving exam in Poland, and it's not unusual for people to try three or five times in a row," she says.
It's hard to imagine Warsaw-based Rutkowska -- who has quietly taken the male-dominated research community by storm with her groundbreaking research in Vista hacking and in creating and detecting stealth malware in operating systems -- failing at much of anything. The confident yet self-effacing researcher shrugs off the discovery of that now famous crack in the Vista fortress as just part of her research.
"When Microsoft announced last year that the kernel would be protected from loading [unauthorized] code, I thought, 'hmmm, that's a nice challenge. I should play with this,'" Rutkowska recalls with a smile.
She's almost always one of very few -- if any -- women presenting their work at hacker conferences like Black Hat. Rutkowska says she's surprised that more women haven't cracked the security field. But she's used to being the minority: Women made up only 5 percent of the faculty at the Warsaw University of Technology department where she studied mathematics, and she had few female classmates.
Rutkowska says she doesn't feel like she's taken less seriously because she's a woman, though. "I haven't observed any sexist behavior, or someone not listening to me."
At age 11 she got her first computer -- a PC AT, with 2 Mbytes of RAM and a 40-Mbyte hard drive. "It had a 'Hercules' mono-graphics card and most games didn't work on it, so I had no other choice than to start programming," Rutkowska says. She says she was always drawn to math and thought it was "cool."
Like most researchers, Rutkowska got her start writing exploits as a teenager. "After writing exploits for some time, I started thinking about what to do after," she says. "I was interested in OS internals and got a good background in it. That brought me into the rootkit field."
Rutkowska's first hack came after reading a famous article in Phrack magazine about a stack-smashing exploit, which she then compiled herself and tested. "I read the article, and said, 'no, this couldn't work. It's impossible,'" she recalls. "And it actually did work."
She doesn't write exploits anymore, but she hasn't forgotten the thrill of a successful one. "It's exciting and surprising, like a magic trick," she explains. "I focus on a slightly different area now, but I still appreciate interesting exploits."
So how did a math student turn security researcher? Rutkowska says her security know-how was mostly self-taught: "My university education had very little to do with security."
Still, she worries that security technology and research is too prevention-oriented and doesn't emphasize detection enough. "The whole industry is focusing on prevention, and we have all those anti-exploitation technologies, which are very helpful indeed. But I'm so surprised that no one cares about detection," she says. "Every time there's prevention, there is some bypass method" created.
Without detection, there's no way to know if an attacker has grabbed administrative access to a machine, she says. And if you can't see that an attacker has infiltrated the system, nothing in that system will be "reliable" anymore. "The scary part is that once an attacker [gets] into the system, we can't reliably read system memory, neither using software-based, nor hardware-based, methods. That means we can't answer the question of whether the system is clean or not," she says.
So far, Rutkowska hasn't felt the wrath of any vendors whose products she uses in her research, unlike many of her fellow researchers who have ticked off vendors or been threatened with legal action. She says it's not about vendors being singled out, anyway: "As a researcher, they can't expect me to test on every possible platform. I only have limited time and resources."
And her rare spare time these days includes choosing her first vehicle: "I haven't decided on the car yet, but most likely it would be some kind of SUV, as roads in Poland are not really in good shape."
— Kelly Jackson Higgins, Senior Editor, Dark Reading