Interview with Joanna Rutkowska, security researcher
by (IN)SECURE Magazine - Monday, 18 June 2007.
Joanna Rutkowska is primarily known for her contributions to Windows Vista backdoor installation and hiding techniques.

She is very interested in stealth technology as used by malware and attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels.

How did you get interested in Windows security?

When I started to play with Windows internals, I already had a background with Linux usermode exploitation and kernel programming. The move to Windows was a natural evolution and was mostly dictated by my curiosity.

What's your general take on the security aspects of Windows Vista? Is it much more secure than Windows XP as Microsoft is telling us?

Indeed, Vista introduced lots of security improvements compared to XP. The most important one is probably the User Account Control feature which will hopefully force people to work from restricted accounts. UAC is still far from perfect - e.g. it's pretty annoying that every single application installer (even if it is Tetris) asks for administrative credentials and the user has no real choice to continue the installation *without* agreeing to that. However, I see UAC as an important step towards implementing the least-privilege principle in Windows.

Also, Microsoft introduced some anti-exploitation technologies, like e.g. ASLR and invested a lot of money and time into improving the quality of the code behind the operating system and the applications.

The introduction of BitLocker technology which makes use of the Trusted Platform Module (TPM) to assure the integrity of the booting process seems like an important improvement. Of course, this should not be thought of as a silver bullet solution against rootkits and all other malware.

In the 64-bit version of Vista, Microsoft also introduced the requirement that all kernel drivers must be digitally signed, but I don't believe this mechanism to be effective in stopping kernel malware. Also, the much discussed Kernel Patch Protection (AKA PatchGuard) should not be thought of as an effective protection against kernel compromises, as it's relatively easy to bypass by the malware authors. Still, I see those two mechanisms as useful when it comes to system compromise *detection* (in contrast to prevention) - at least when it comes to type I malware.

In your opinion, what is the biggest mistake Microsoft has made when it comes to security in 2006?

I don't really see any particular, spectacular mistake made by Microsoft in 2006, but there are some things which I don't fully agree with, like e.g. the design of the Integrity Level mechanism which protects only against writes, not reads, or issues regarding kernel protection, or the fact that they concentrate only on prevention (like most other OS vendors) and haven't done anything to make systematic compromise detection feasible. I guess these are just different points of view and I would not call any of them a 'big mistake'.

What do you think about the full disclosure of vulnerabilities?

I'm quite neutral about this. On one hand, I think that it should be every customer's right to point out flaws in the products they buy and I really don't see why those who find bugs should be *obliged* to first report it to the vendor - i.e. why should they be forced to do a free Q&A with the vendor?

On the other hand, when we look at the quality of the advisories published these days, where most of the bugs reported are just some denial of services, I have the feeling that people are looking for cheap publicity. It's quite understandable that companies which are victims of those "audits" might feel a bit pissed off.
