3/16/2007 03:55 AM
Black Hat Woman

Researcher Joanna Rutkowska talks stealth malware, driving tests, and classical music

She hacked the Windows Vista kernel, she administered a Blue Pill to an operating system, and she pioneered rootkit detection research, but Joanna Rutkowska doesn't know how to drive a car. (See How to Cheat Hardware Memory Access and Hacking the Vista Kernel.)

The 26-year-old Polish researcher only recently took her first driving lesson. She says she just hasn't had time to take driving lessons and get a license, which in Poland you can get at 17. And she's not counting on getting her license on the first try, either, she says.

"It's very difficult to pass the driving exam in Poland, and it's not unusual for people to try three or five times in a row," she says.

It's hard to imagine Warsaw-based Rutkowska -- who has quietly taken the male-dominated research community by storm with her groundbreaking research in Vista hacking and in creating and detecting stealth malware in operating systems -- failing at much of anything. The confident yet self-effacing researcher shrugs off the discovery of that now famous crack in the Vista fortress as just part of her research.

"When Microsoft announced last year that the kernel would be protected from loading [unauthorized] code, I thought, 'hmmm, that's a nice challenge. I should play with this,'" Rutkowska recalls with a smile.

She's almost always one of very few -- if any -- women presenting their work at hacker conferences like Black Hat. Rutkowska says she's surprised that more women haven't cracked the security field. But she's used to being the minority: Women made up only 5 percent of the faculty at the Warsaw University of Technology department where she studied mathematics, and she had few female classmates.

Rutkowska says she doesn't feel like she's taken less seriously because she's a woman, though. "I haven't observed any sexist behavior, or someone not listening to me."

At age 11 she got her first computer -- a PC AT, with 2 Mbytes of RAM and a 40-Mbyte hard drive. "It had a 'Hercules' mono-graphics card and most games didn't work on it, so I had no other choice than to start programming," Rutkowska says. She says she was always drawn to math and thought it was "cool."

Like most researchers, Rutkowska got her start writing exploits as a teenager. "After writing exploits for some time, I started thinking about what to do after," she says. "I was interested in OS internals and got a good background in it. That brought me into the rootkit field."

Rutkowska's first hack came after reading a famous article in Phrack magazine about a stack-smashing exploit, which she then compiled herself and tested. "I read the article, and said, 'no, this couldn't work. It's impossible,'" she recalls. "And it actually did work."

She doesn't write exploits anymore, but she hasn't forgotten the thrill of a successful one. "It's exciting and surprising, like a magic trick," she explains. "I focus on a slightly different area now, but I still appreciate interesting exploits."

So how did a math student turn security researcher? Rutkowska says her security know-how was mostly self-taught: "My university education had very little to do with security."

Still, she worries that security technology and research is too prevention-oriented and doesn't emphasize detection enough. "The whole industry is focusing on prevention, and we have all those anti-exploitation technologies, which are very helpful indeed. But I'm so surprised that no one cares about detection," she says. "Every time there's prevention, there is some bypass method" created.

Without detection, there's no way to know if an attacker has grabbed administrative access to a machine, she says. And if you can't see that an attacker has infiltrated the system, nothing in that system will be "reliable" anymore. "The scary part is that once an attacker [gets] into the system, we can't reliably read system memory, neither using software-based, nor hardware-based, methods. That means we can't answer the question of whether the system is clean or not," she says.

So far, Rutkowska hasn't felt the wrath of any vendors whose products she uses in her research, unlike many of her fellow researchers who have ticked off vendors or been threatened with legal action. She says it's not about vendors being singled out, anyway: "As a researcher, they can't expect me to test on every possible platform. I only have limited time and resources."

And her rare spare time these days includes choosing her first vehicle: "I haven't decided on the car yet, but most likely it would be some kind of SUV, as roads in Poland are not really in good shape."

Personality Bytes

  • Worst day at work: "When you want to implement some attack or rootkit... [you think] you should do this way, and after spending 20 hours writing some code, you realize you missed some small thing and it doesn't work."

  • Hangout: "Good Italian and sushi restaurants."

  • After hours: "Standard stuff, like going to the cinema, theatre, or just for a walk."

  • In her iPod now: "There is some classical music -- violin, Vivaldi, Paganini, and I like some smooth jazz."

  • PC or Mac: "PC. I wouldn't mind a Mac, but usually most of our clients have a PC."

  • Next career: "Maybe a private 'I'... Something similar to what I do now. It would be nice to be a fiction writer."

  • Hax0red: "I'm not aware of any attempt [of a hack]. That means they either didn't succeed, or did it in some really stealthy way. It would be funny. I really wouldn't mind -- that would be an interesting experience."

  • Hacker handle: "No, I do not consider myself a hacker. I'm a security researcher who just tries to present problems which I cannot solve by myself, hoping that other people will also start working on them."

  • Next big project: "I'd like to work more on the defense side -- how we need to change the design of the current OS and hardware to make the systematic compromise-detection possible. But I can't do much without the help of operating system vendors on this. We can show the problems and suggest solutions for how to make a verifiable OS possible."

    — Kelly Jackson Higgins, Senior Editor, Dark Reading

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
