
Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

Today we have the pleasure of chatting with Joanna Rutkowska, one of the top computing security innovators in the world. She is the founder and CEO of Invisible Things Lab (ITL), a boutique computer security consulting and research firm.

Alan: Joanna, thanks for taking the time to chat. Let's start with the basics for our readers. You've carved out a niche in the security world with your expertise on stealthy attacks, such as rootkits, and more recently by exposing vulnerabilities with virtual machines and low-level hardware. But before we go into all of this, why don't you tell us a little bit about yourself?

Joanna: I'm a researcher focusing on system-level security issues like the kernel, hypervisor, chipset, etc. Researcher--not a bug hunter or a pen-tester. I'm more interested in fundamental problems rather than specific bugs affecting specific user software. For example, can the OS/platform provide any security to the user, despite its apps such as Adobe Reader or IE being potentially compromised? I believe in “Security by Isolation.”

Business-wise, I'm a founder and director of Invisible Things Lab (ITL), a boutique security research and consulting firm. I'm very proud of the team I managed to create at ITL, which includes Alexander Tereshkin and Rafal Wojtczuk, who are two of the most skilled researchers in the field of system-level security.

Recently, I've been becoming less and less of a "debugger-attached-researcher," gravitating towards a higher-level role, which is needed to supervise the work done by my team. I enjoy this new role of a director a lot, in fact.

Alan: It’s good to be the boss.  How did you get started in security research?

Joanna: That was so long ago that I don't remember now. ;)

Alan: Easier question then. What was your first computer and first computing memory? Mine’s a TI-99/4A, playing Parsec and Alpiner. I can still remember typing “OLD DSK1” as a three-year-old.

Joanna: It was PC/AT 286 running at a blazing speed of some 16MHz, if I remember correctly, and also having 2MB of RAM (I think that all was after a motherboard upgrade though). I was 11 when I started playing with it, and almost immediately started my adventure with GW-BASIC, and then after a year or so I switched to Borland’s Turbo Basic--that was really a killer, with its beautiful GUI and ability to actually build executables!

Alan: What’s a typical week at the office like?

Joanna: We're proud to be a truly modern company. We don't have any physical offices. Everybody works from home and we exchange all the stuff via encrypted email. There is no such thing as 9-to-5 work hours here. The work we do requires lots of creativity, and it would be silly to enforce any strict working hours.

For me personally, it’s especially important to take a nap during the afternoon. I cannot actually function too long without a decent amount of sleep. I have actually never worked a single day in an office.

Alan: (laughs) So who’s the typical ITL customer?

Joanna: We direct our services primarily to system-level vendors.

Alan: So, the likes of BIOS manufacturers and individual corporations looking for a secure computing environment?

Joanna: I would stress the word vendors here, as we really are interested in being able to affect the technology. In my opinion the only rationale behind doing offensive research is to provide constructive criticism and change or improve the technology we have now. As such, ideally, we would like to work with both hardware (CPU/chipset) and software (BIOS/OS) vendors, as some of the cool new hardware technologies can be fully engaged only with the system software that is properly designed.

Alan: What's the configuration of your primary system?

Joanna: My primary desktop machine is an eight-core Mac Pro (2 x 2.8 GHz Intel Xeon) with 16 GB of DRAM and with a gorgeous 30" Apple monitor. It's the most beautiful desktop machine I've ever had--both when it comes to its aesthetics as well as GUI experience.

I also use a rather old black MacBook (Santa Rosa, Core 2 Duo 2.2 GHz, 4 GB of DRAM) as my general-purpose laptop. I've been postponing buying a new unibody sexy MacBook Pro because up until recently they have not supported more than 4 GB of DRAM (at least the 15" versions, which I prefer) which I've found discouraging.

I can still see the weak point of the Mac hardware though: the lack of TPM, TXT, VT-d, and the OS X system. I try to get around some of the limitations of the OS with virtualization.

I also use a number of PC-based hardware, both laptops and desktops. It strikes me how ugly most of the PC laptops are compared to Apple’s products, though. One exception being the Voodoo Envy 133--I just wish it came with a newer chipset, so I could rationalize the decision to buy it. ;)

Alan: I’ve been running two generations of 13” unibody MacBooks now. The 9400M is perfect and the Li-polymer battery in the new one is absolutely amazing. Flying across the US with in-flight Wi-Fi while on a single charge is an epiphany.

Joanna: Our conversation is becoming an Apple ad I guess. Maybe somebody at One Infinite Loop reads it and sends me a new 15” MacBook Pro in return?

Alan: Last of the intro questions: what’s your favorite non-tech hobby?

Joanna: A non-tech hobby? Hmm, you mean programming an autonomous hexapod robot with a brain based on two 8-bit AVR microcontrollers doesn't count?

Comments
  • 6 Hide
    johnbilicki , July 16, 2009 6:25 AM
    I presume 4GB is limiting on a casual-use laptop because Joanna also runs virtual operating systems on her general purpose laptop?

    How did you two end up talking about Macs instead of something like rootkits or other things more relative to Joanna's line of work?

    As a web developer security is very important though I find it's fairly easy in most regards as attacks, bots, spammers, etc overwhelmingly (though not always) use the same approach methods so there are plenty of patterns that differentiate from normal web traffic. Easy isn't where the fun is though. I'm curious as to the parallels with software in general?
  • 11 Hide
    johnbilicki , July 16, 2009 6:46 AM
    truehighroller: I think she has very nice fat looking lips. xD


    ...not to pick a fight truehighroller...but I don't think most women would find such a statement very "welcoming". Nerd girls rock a hundred times more than girls with only cliche interests, but comments such as yours aren't only unwelcome or alienating to most women, they annoy those like myself who highly appreciate women with more refined qualities. Show some dignity and respect and stay on topic or please go elsewhere.
  • 11 Hide
    Anonymous , July 16, 2009 8:18 AM
    Interesting interview, and kudos for treating her as a "security expert" and not as a "female security expert".

    In the majority of interviews with young female professionals the interviewer "just has to mention" their hair colour, clothes or makeup. Nice to see a break from that rather tiresome practice.
  • 7 Hide
    Humans think , July 16, 2009 8:19 AM
    I also use Macs myself (also Windows systems and Linux ones), but I had to say it: Alan Dang, you sure are an Apple fanboy :p
    This woman knows what she is talking about, I think I am in love :)
  • 3 Hide
    Anonymous , July 16, 2009 8:19 AM
    thx for spending the time to discuss this complex world in easy to understand terminology. good luck with the R-3 presentations!
    -austinmc
  • -1 Hide
    haplo602 , July 16, 2009 10:48 AM
    read the interview because I was curious about the girl in the picture. turned out to not even be interesting.

    f.e. the bluepill thing. ok you can jail the OS into a VM transparently. Now what can you do? you have to implement a mini OS by yourself into the hypervisor to do anything useful (i.e. data collection), you need to read the FS, intercept the network etc. the only useful thing is to infect the system again after it was cleaned (again you need to know the FS). but since the AV knows you are there, it knows what to do about it.

    ok AV vendors are a step behind (or 2), but once they figure out the attack vector and means, you are done and have to come up with a new attack technology. there are only limited options available on each architecture that change with each revision, so the AV companies win in the end by closing all the gaps they know about.

    these are only backdoors to break the AV protection or work in a dimension higher than the AV protection. however the useful data is still on the same level as the AV protection (user space).
  • 6 Hide
    candide08 , July 16, 2009 12:48 PM
    Being SUCH an obvious fanboy makes me suspect many other aspects of your judgment. Please TRY to stay objective.
  • 5 Hide
    coolkev99 , July 16, 2009 12:58 PM
    Interesting... and way over my head. Yet I couldn't help but feel like they were trying to out-geek each other's comments.

    She is to nerds what nerds are to normal people. Don't get me wrong, much respect and admiration!
  • -1 Hide
    Anonymous , July 16, 2009 2:05 PM
    An interesting and informative article but there is a lot of self praise and back slapping, seems that these folks are not the geniuses they make themselves out to be:
    http://en.wikipedia.org/wiki/Blue_Pill_(malware)
  • 0 Hide
    bounty , July 16, 2009 3:08 PM
    Wayne963, I'm not sure I get your point. They also made red pill and discussed at length in the interview about being able to detect a hypervisor, but that fingerprinting it would be a bitch.

    haplo602, that's like arguing that taking control of the memory doesn't get you anywhere, you still have to read the FS, implement sniffing routines etc. While the AV may know it's there, it doesn't have final say. VM says remove kav.exe, kav.exe says 'nooooooooooooooo' as it's being deleted. kav.exe stops bothering VM.
  • -7 Hide
    redeye , July 16, 2009 3:20 PM
    I find her hot!, but I have no chance (of course); that body was/now only satisfied by a girl!...
  • 0 Hide
    haplo602 , July 16, 2009 3:24 PM
    bounty: haplo602, that's like arguing that taking control of the memory doesn't get you anywhere, you still have to read the FS, implement sniffing routines etc. While the AV may know it's there, it doesn't have final say. VM says remove kav.exe, kav.exe says 'nooooooooooooooo' as it's being deleted. kav.exe stops bothering VM.


    well the issue is as I described. you cannot delete anything from outside the OS unless you ask the OS to do so. and once you do, the AV will catch it.

    taking control of the memory only enables you to see what others see. it's like network man-in-the-middle attacks. they too are not detectable (or very hard to do), yet you still have to decode the data you are capturing to use it and you have to interrupt the data stream with very accurate data to alter it. this only leads to content encryption being your last stop.

    look at DRM in Vista and expand it to all the data. what you get is a virtualised OS that is a blackbox for the rootkit. so you have control of the memory, but it's no use to you. simple and effective. of course there are performance hits etc., but this we already get with each new windows version :-))
  • -3 Hide
    thejerk , July 16, 2009 3:34 PM
    I lost interest in the entire article as soon as she began speaking of how pretty her Mac is... seriously. I don't care how talented she is, now. I'm annoyed.

    I just bought my girlfriend a Kate Spade baby bag. I bet Joanna thinks it's beautiful, too.
  • -3 Hide
    DarkMantle , July 16, 2009 3:55 PM
    thejerk +1 hahahaha, it was the same for me. I lost interest after that too.
  • 2 Hide
    Shadow703793 , July 16, 2009 4:09 PM
    This is so ironic. Talking of security, I spent the last 2 hours getting Bastille to work on SUSE. (lol, it should have been only 10 minutes, but my perl install went to dependency hell).

    For those that run Linux, it's a very good idea to get Bastille up and running. Also read: Hacking Linux Exposed 2nd ed

    Bastille: http://bastille-linux.sourceforge.net/
  • 4 Hide
    Shadow703793 , July 16, 2009 4:14 PM
    *damn the submit button and the lack of editing*

    Anyways, good to know a few people actually know what the hell they are talking about. These people should help the gov't because unlike most at the gov't these people have knowledge. (Cybersecurity any one? :lol:  Any one who uses that term should be whipped with CAT5e cable :p ).

    @Author: WTH is up with the Mac stuff?
  • 2 Hide
    222222 , July 16, 2009 4:54 PM
    In 2006 she claimed she created the 100% undetectable rootkit, Blue Pill. When invited to a challenge, she rejected unless she was paid $400,000 to make her rootkit better, claiming this was a "funny challenge".

    So she lied in order to get some publicity.

    - stupid claims
    - arrogant behavior
  • 0 Hide
    maximiza , July 16, 2009 6:26 PM
    222222 did she dump you or something? probably 400 g's is chump change to her. Look at D.C. I think in general if you have enough resources any I/O system can be compromised. Since people are imperfect their designs will always be imperfect. I had a TI99/4a too, the speech programming was a blast.
  • 0 Hide
    Marcus52 , July 16, 2009 6:30 PM
    thejerk: I lost interest in the entire article as soon as she began speaking of how pretty her Mac is... seriously. I don't care how talented she is, now. I'm annoyed. I just bought my girlfriend a Kate Spade baby bag. I bet Joanna thinks it's beautiful, too.


    If that's all you got from her talk, then you are too clueless to get what she was talking about to begin with. It's good you didn't read the article because it clearly would have been a waste of your time.

    The important parts you missed were 1) OS X is no more secure than Windows, and both are more secure than Linux distros, and 2) She'd go with Windows and PC hardware over OS X and Apple's hardware choices unless aesthetics are more important to you than what Windows provides.

    If you are out to burst Apple's bubble, as I am, this article is an indictment of Apple's claims, not a fan-girl advertisement.